fix(dashboards): normalize naive/aware datetimes in resource task ordering

- Standardized task log, LLM provider, and report profile tests.
- Relocated auxiliary tests into __tests__ directories for consistency.
- Updated git_service and defensive guards with minor stability fixes discovered during testing.
- Added UX integration tests for the reports list component.

.agent/rules/specify-rules.md

@@ -0,0 +1,35 @@
+# ss-tools Development Guidelines
+
+Auto-generated from all feature plans. Last updated: 2026-02-25
+
+## Knowledge Graph (GRACE)
+**CRITICAL**: This project uses a GRACE Knowledge Graph for context. Always load the root map first:
+- **Root Map**: `.ai/ROOT.md` -> `[DEF:Project_Knowledge_Map:Root]`
+- **Project Map**: `.ai/PROJECT_MAP.md` -> `[DEF:Project_Map]`
+- **Standards**: Read `.ai/standards/` for architecture and style rules.
+
+## Active Technologies
+
+- (022-sync-id-cross-filters)
+
+## Project Structure
+
+```text
+src/
+tests/
+```
+
+## Commands
+
+# Add commands for 
+
+## Code Style
+
+: Follow standard conventions
+
+## Recent Changes
+
+- 022-sync-id-cross-filters: Added
+
+<!-- MANUAL ADDITIONS START -->
+<!-- MANUAL ADDITIONS END -->

.agent/workflows/audit-test.md

@@ -0,0 +1,103 @@
+---
+description: Audit AI-generated unit tests. Your goal is to aggressively search for "Test Tautologies", "Logic Echoing", and "Contract Negligence". You are the final gatekeeper. If a test is meaningless, you MUST reject it.
+---
+
+**ROLE:** Elite Quality Assurance Architect and Red Teamer.
+**OBJECTIVE:** Audit AI-generated unit tests. Your goal is to aggressively search for "Test Tautologies", "Logic Echoing", and "Contract Negligence". You are the final gatekeeper. If a test is meaningless, you MUST reject it.
+
+**INPUT:**
+1. SOURCE CODE (with GRACE-Poly `[DEF]` Contract: `@PRE`, `@POST`, `@TEST_CONTRACT`, `@TEST_FIXTURE`, `@TEST_EDGE`, `@TEST_INVARIANT`).
+2. GENERATED TEST CODE.
+
+### I. CRITICAL ANTI-PATTERNS (REJECT IMMEDIATELY IF FOUND):
+
+1. **The Tautology (Self-Fulfilling Prophecy):**
+   - *Definition:* The test asserts hardcoded values against hardcoded values without executing the core business logic, or mocks the actual function being tested.
+   - *Example of Failure:* `assert 2 + 2 == 4` or mocking the class under test so that it returns exactly what the test asserts.
+
+2. **The Logic Mirror (Echoing):**
+   - *Definition:* The test re-implements the exact same algorithmic logic found in the source code to calculate the `expected_result`. If the original logic is flawed, the test will falsely pass.
+   - *Rule:* Tests must assert against **static, predefined outcomes** (from `@TEST_FIXTURE`, `@TEST_EDGE`, `@TEST_INVARIANT` or explicit constants), NOT dynamically calculated outcomes using the same logic as the source.
+
+3. **The "Happy Path" Illusion:**
+   - *Definition:* The test suite only checks successful executions but ignores the `@PRE` conditions (Negative Testing).
+   - *Rule:* Every `@PRE` tag in the source contract MUST have a corresponding test that deliberately violates it and asserts the correct Exception/Error state.
+
+4. **Missing Post-Condition Verification:**
+   - *Definition:* The test calls the function but only checks the return value, ignoring `@SIDE_EFFECT` or `@POST` state changes (e.g., failing to verify that a DB call was made or a Store was updated).
+
+5. **Missing Edge Case Coverage:**
+   - *Definition:* The test suite ignores `@TEST_EDGE` scenarios defined in the contract.
+   - *Rule:* Every `@TEST_EDGE` in the source contract MUST have a corresponding test case.
+
+6. **Missing Invariant Verification:**
+   - *Definition:* The test suite does not verify `@TEST_INVARIANT` conditions.
+   - *Rule:* Every `@TEST_INVARIANT` MUST be verified by at least one test that attempts to break it.
+
+7. **Missing UX State Testing (Svelte Components):**
+   - *Definition:* For Svelte components with `@UX_STATE`, the test suite does not verify state transitions.
+   - *Rule:* Every `@UX_STATE` transition MUST have a test verifying the visual/behavioral change.
+   - *Check:* `@UX_FEEDBACK` mechanisms (toast, shake, color) must be tested.
+   - *Check:* `@UX_RECOVERY` mechanisms (retry, clear input) must be tested.
+
+### II. SEMANTIC PROTOCOL COMPLIANCE
+
+Verify the test file follows GRACE-Poly semantics:
+
+1. **Anchor Integrity:**
+   - Test file MUST start with `[DEF:__tests__/test_name:Module]`
+   - Test file MUST end with `[/DEF:__tests__/test_name:Module]`
+
+2. **Required Tags:**
+   - `@RELATION: VERIFIES -> <path_to_source>` must be present
+   - `@PURPOSE:` must describe what is being tested
+
+3. **TIER Alignment:**
+   - If source is `@TIER: CRITICAL`, test MUST cover all `@TEST_CONTRACT`, `@TEST_FIXTURE`, `@TEST_EDGE`, `@TEST_INVARIANT`
+   - If source is `@TIER: STANDARD`, test MUST cover `@PRE` and `@POST`
+   - If source is `@TIER: TRIVIAL`, basic smoke test is acceptable
+
+### III. AUDIT CHECKLIST
+
+Evaluate the test code against these criteria:
+1. **Target Invocation:** Does the test actually import and call the function/component declared in the `@RELATION: VERIFIES` tag?
+2. **Contract Alignment:** Does the test suite cover 100% of the `@PRE` (negative tests) and `@POST` (assertions) conditions from the source contract?
+3. **Test Contract Compliance:** Does the test follow the interface defined in `@TEST_CONTRACT`?
+4. **Data Usage:** Does the test use the exact scenarios defined in `@TEST_FIXTURE`?
+5. **Edge Coverage:** Are all `@TEST_EDGE` scenarios tested?
+6. **Invariant Coverage:** Are all `@TEST_INVARIANT` conditions verified?
+7. **UX Coverage (if applicable):** Are all `@UX_STATE`, `@UX_FEEDBACK`, `@UX_RECOVERY` tested?
+8. **Mocking Sanity:** Are external dependencies mocked correctly WITHOUT mocking the system under test itself?
+9. **Semantic Anchor:** Does the test file have proper `[DEF]` and `[/DEF]` anchors?
+
+### IV. OUTPUT FORMAT
+
+You MUST respond strictly in the following JSON format. Do not add markdown blocks outside the JSON.
+
+{
+  "verdict": "APPROVED" | "REJECTED",
+  "rejection_reason": "TAUTOLOGY" | "LOGIC_MIRROR" | "WEAK_CONTRACT_COVERAGE" | "OVER_MOCKED" | "MISSING_EDGES" | "MISSING_INVARIANTS" | "MISSING_UX_TESTS" | "SEMANTIC_VIOLATION" | "NONE",
+  "audit_details": {
+    "target_invoked": true/false,
+    "pre_conditions_tested": true/false,
+    "post_conditions_tested": true/false,
+    "test_fixture_used": true/false,
+    "edges_covered": true/false,
+    "invariants_verified": true/false,
+    "ux_states_tested": true/false,
+    "semantic_anchors_present": true/false
+  },
+  "coverage_summary": {
+    "total_edges": number,
+    "edges_tested": number,
+    "total_invariants": number,
+    "invariants_tested": number,
+    "total_ux_states": number,
+    "ux_states_tested": number
+  },
+  "tier_compliance": {
+    "source_tier": "CRITICAL" | "STANDARD" | "TRIVIAL",
+    "meets_tier_requirements": true/false
+  },
+  "feedback": "Strict, actionable feedback for the test generator agent. Explain exactly which anti-pattern was detected and how to fix it."
+}

.agent/workflows/read_semantic.md

@@ -0,0 +1,4 @@
+---
+description: USE SEMANTIC
+---
+Прочитай .ai/standards/semantics.md. ОБЯЗАТЕЛЬНО используй его при разработке

.agent/workflows/semantic.md

@@ -0,0 +1,10 @@
+---
+description: semantic
+---
+
+      You are Semantic Agent responsible for maintaining the semantic integrity of the codebase. Your primary goal is to ensure that all code entities (Modules, Classes, Functions, Components) are properly annotated with semantic anchors and tags as defined in `.ai/standards/semantics.md`.
+      Your core responsibilities are: 1.  **Semantic Mapping**: You run and maintain the `generate_semantic_map.py` script to generate up-to-date semantic maps (`semantics/semantic_map.json`, `.ai/PROJECT_MAP.md`) and compliance reports (`semantics/reports/*.md`). 2.  **Compliance Auditing**: You analyze the generated compliance reports to identify files with low semantic coverage or parsing errors. 3.  **Semantic Enrichment**: You actively edit code files to add missing semantic anchors (`[DEF:...]`, `[/DEF:...]`) and mandatory tags (`@PURPOSE`, `@LAYER`, etc.) to improve the global compliance score. 4.  **Protocol Enforcement**: You strictly adhere to the syntax and rules defined in `.ai/standards/semantics.md` when modifying code.
+      You have access to the full codebase and tools to read, write, and execute scripts. You should prioritize fixing "Critical Parsing Errors" (unclosed anchors) before addressing missing metadata.
+    whenToUse: Use this mode when you need to update the project's semantic map, fix semantic compliance issues (missing anchors/tags/DbC ), or analyze the codebase structure. This mode is specialized for maintaining the `.ai/standards/semantics.md` standards.
+    description: Codebase semantic mapping and compliance expert
+    customInstructions: Always check `semantics/reports/` for the latest compliance status before starting work. When fixing a file, try to fix all semantic issues in that file at once. After making a batch of fixes, run `python3 generate_semantic_map.py` to verify improvements.

.agent/workflows/speckit.analyze.md

@@ -0,0 +1,185 @@
+---
+description: Perform a non-destructive cross-artifact consistency and quality analysis across spec.md, plan.md, and tasks.md after task generation.
+---
+
+## User Input
+
+```text
+$ARGUMENTS
+```
+
+You **MUST** consider the user input before proceeding (if not empty).
+
+## Goal
+
+Identify inconsistencies, duplications, ambiguities, and underspecified items across the three core artifacts (`spec.md`, `plan.md`, `tasks.md`) before implementation. This command MUST run only after `/speckit.tasks` has successfully produced a complete `tasks.md`.
+
+## Operating Constraints
+
+**STRICTLY READ-ONLY**: Do **not** modify any files. Output a structured analysis report. Offer an optional remediation plan (user must explicitly approve before any follow-up editing commands would be invoked manually).
+
+**Constitution Authority**: The project constitution (`.ai/standards/constitution.md`) is **non-negotiable** within this analysis scope. Constitution conflicts are automatically CRITICAL and require adjustment of the spec, plan, or tasks—not dilution, reinterpretation, or silent ignoring of the principle. If a principle itself needs to change, that must occur in a separate, explicit constitution update outside `/speckit.analyze`.
+
+## Execution Steps
+
+### 1. Initialize Analysis Context
+
+Run `.specify/scripts/bash/check-prerequisites.sh --json --require-tasks --include-tasks` once from repo root and parse JSON for FEATURE_DIR and AVAILABLE_DOCS. Derive absolute paths:
+
+- SPEC = FEATURE_DIR/spec.md
+- PLAN = FEATURE_DIR/plan.md
+- TASKS = FEATURE_DIR/tasks.md
+
+Abort with an error message if any required file is missing (instruct the user to run missing prerequisite command).
+For single quotes in args like "I'm Groot", use escape syntax: e.g 'I'\''m Groot' (or double-quote if possible: "I'm Groot").
+
+### 2. Load Artifacts (Progressive Disclosure)
+
+Load only the minimal necessary context from each artifact:
+
+**From spec.md:**
+
+- Overview/Context
+- Functional Requirements
+- Non-Functional Requirements
+- User Stories
+- Edge Cases (if present)
+
+**From plan.md:**
+
+- Architecture/stack choices
+- Data Model references
+- Phases
+- Technical constraints
+
+**From tasks.md:**
+
+- Task IDs
+- Descriptions
+- Phase grouping
+- Parallel markers [P]
+- Referenced file paths
+
+**From constitution:**
+
+- Load `.ai/standards/constitution.md` for principle validation
+    - Load `.ai/standards/semantics.md` for technical standard validation
+
+### 3. Build Semantic Models
+
+Create internal representations (do not include raw artifacts in output):
+
+- **Requirements inventory**: Each functional + non-functional requirement with a stable key (derive slug based on imperative phrase; e.g., "User can upload file" → `user-can-upload-file`)
+- **User story/action inventory**: Discrete user actions with acceptance criteria
+- **Task coverage mapping**: Map each task to one or more requirements or stories (inference by keyword / explicit reference patterns like IDs or key phrases)
+- **Constitution rule set**: Extract principle names and MUST/SHOULD normative statements
+
+### 4. Detection Passes (Token-Efficient Analysis)
+
+Focus on high-signal findings. Limit to 50 findings total; aggregate remainder in overflow summary.
+
+#### A. Duplication Detection
+
+- Identify near-duplicate requirements
+- Mark lower-quality phrasing for consolidation
+
+#### B. Ambiguity Detection
+
+- Flag vague adjectives (fast, scalable, secure, intuitive, robust) lacking measurable criteria
+- Flag unresolved placeholders (TODO, TKTK, ???, `<placeholder>`, etc.)
+
+#### C. Underspecification
+
+- Requirements with verbs but missing object or measurable outcome
+- User stories missing acceptance criteria alignment
+- Tasks referencing files or components not defined in spec/plan
+
+#### D. Constitution Alignment
+
+- Any requirement or plan element conflicting with a MUST principle
+- Missing mandated sections or quality gates from constitution
+
+#### E. Coverage Gaps
+
+- Requirements with zero associated tasks
+- Tasks with no mapped requirement/story
+- Non-functional requirements not reflected in tasks (e.g., performance, security)
+
+#### F. Inconsistency
+
+- Terminology drift (same concept named differently across files)
+- Data entities referenced in plan but absent in spec (or vice versa)
+- Task ordering contradictions (e.g., integration tasks before foundational setup tasks without dependency note)
+- Conflicting requirements (e.g., one requires Next.js while other specifies Vue)
+
+### 5. Severity Assignment
+
+Use this heuristic to prioritize findings:
+
+- **CRITICAL**: Violates constitution MUST, missing core spec artifact, or requirement with zero coverage that blocks baseline functionality
+- **HIGH**: Duplicate or conflicting requirement, ambiguous security/performance attribute, untestable acceptance criterion
+- **MEDIUM**: Terminology drift, missing non-functional task coverage, underspecified edge case
+- **LOW**: Style/wording improvements, minor redundancy not affecting execution order
+
+### 6. Produce Compact Analysis Report
+
+Output a Markdown report (no file writes) with the following structure:
+
+## Specification Analysis Report
+
+| ID | Category | Severity | Location(s) | Summary | Recommendation |
+|----|----------|----------|-------------|---------|----------------|
+| A1 | Duplication | HIGH | spec.md:L120-134 | Two similar requirements ... | Merge phrasing; keep clearer version |
+
+(Add one row per finding; generate stable IDs prefixed by category initial.)
+
+**Coverage Summary Table:**
+
+| Requirement Key | Has Task? | Task IDs | Notes |
+|-----------------|-----------|----------|-------|
+
+**Constitution Alignment Issues:** (if any)
+
+**Unmapped Tasks:** (if any)
+
+**Metrics:**
+
+- Total Requirements
+- Total Tasks
+- Coverage % (requirements with >=1 task)
+- Ambiguity Count
+- Duplication Count
+- Critical Issues Count
+
+### 7. Provide Next Actions
+
+At end of report, output a concise Next Actions block:
+
+- If CRITICAL issues exist: Recommend resolving before `/speckit.implement`
+- If only LOW/MEDIUM: User may proceed, but provide improvement suggestions
+- Provide explicit command suggestions: e.g., "Run /speckit.specify with refinement", "Run /speckit.plan to adjust architecture", "Manually edit tasks.md to add coverage for 'performance-metrics'"
+
+### 8. Offer Remediation
+
+Ask the user: "Would you like me to suggest concrete remediation edits for the top N issues?" (Do NOT apply them automatically.)
+
+## Operating Principles
+
+### Context Efficiency
+
+- **Minimal high-signal tokens**: Focus on actionable findings, not exhaustive documentation
+- **Progressive disclosure**: Load artifacts incrementally; don't dump all content into analysis
+- **Token-efficient output**: Limit findings table to 50 rows; summarize overflow
+- **Deterministic results**: Rerunning without changes should produce consistent IDs and counts
+
+### Analysis Guidelines
+
+- **NEVER modify files** (this is read-only analysis)
+- **NEVER hallucinate missing sections** (if absent, report them accurately)
+- **Prioritize constitution violations** (these are always CRITICAL)
+- **Use examples over exhaustive rules** (cite specific instances, not generic patterns)
+- **Report zero issues gracefully** (emit success report with coverage statistics)
+
+## Context
+
+$ARGUMENTS

.agent/workflows/speckit.checklist.md

@@ -0,0 +1,294 @@
+---
+description: Generate a custom checklist for the current feature based on user requirements.
+---
+
+## Checklist Purpose: "Unit Tests for English"
+
+**CRITICAL CONCEPT**: Checklists are **UNIT TESTS FOR REQUIREMENTS WRITING** - they validate the quality, clarity, and completeness of requirements in a given domain.
+
+**NOT for verification/testing**:
+
+- ❌ NOT "Verify the button clicks correctly"
+- ❌ NOT "Test error handling works"
+- ❌ NOT "Confirm the API returns 200"
+- ❌ NOT checking if code/implementation matches the spec
+
+**FOR requirements quality validation**:
+
+- ✅ "Are visual hierarchy requirements defined for all card types?" (completeness)
+- ✅ "Is 'prominent display' quantified with specific sizing/positioning?" (clarity)
+- ✅ "Are hover state requirements consistent across all interactive elements?" (consistency)
+- ✅ "Are accessibility requirements defined for keyboard navigation?" (coverage)
+- ✅ "Does the spec define what happens when logo image fails to load?" (edge cases)
+
+**Metaphor**: If your spec is code written in English, the checklist is its unit test suite. You're testing whether the requirements are well-written, complete, unambiguous, and ready for implementation - NOT whether the implementation works.
+
+## User Input
+
+```text
+$ARGUMENTS
+```
+
+You **MUST** consider the user input before proceeding (if not empty).
+
+## Execution Steps
+
+1. **Setup**: Run `.specify/scripts/bash/check-prerequisites.sh --json` from repo root and parse JSON for FEATURE_DIR and AVAILABLE_DOCS list.
+   - All file paths must be absolute.
+   - For single quotes in args like "I'm Groot", use escape syntax: e.g 'I'\''m Groot' (or double-quote if possible: "I'm Groot").
+
+2. **Clarify intent (dynamic)**: Derive up to THREE initial contextual clarifying questions (no pre-baked catalog). They MUST:
+   - Be generated from the user's phrasing + extracted signals from spec/plan/tasks
+   - Only ask about information that materially changes checklist content
+   - Be skipped individually if already unambiguous in `$ARGUMENTS`
+   - Prefer precision over breadth
+
+   Generation algorithm:
+   1. Extract signals: feature domain keywords (e.g., auth, latency, UX, API), risk indicators ("critical", "must", "compliance"), stakeholder hints ("QA", "review", "security team"), and explicit deliverables ("a11y", "rollback", "contracts").
+   2. Cluster signals into candidate focus areas (max 4) ranked by relevance.
+   3. Identify probable audience & timing (author, reviewer, QA, release) if not explicit.
+   4. Detect missing dimensions: scope breadth, depth/rigor, risk emphasis, exclusion boundaries, measurable acceptance criteria.
+   5. Formulate questions chosen from these archetypes:
+      - Scope refinement (e.g., "Should this include integration touchpoints with X and Y or stay limited to local module correctness?")
+      - Risk prioritization (e.g., "Which of these potential risk areas should receive mandatory gating checks?")
+      - Depth calibration (e.g., "Is this a lightweight pre-commit sanity list or a formal release gate?")
+      - Audience framing (e.g., "Will this be used by the author only or peers during PR review?")
+      - Boundary exclusion (e.g., "Should we explicitly exclude performance tuning items this round?")
+      - Scenario class gap (e.g., "No recovery flows detected—are rollback / partial failure paths in scope?")
+
+   Question formatting rules:
+   - If presenting options, generate a compact table with columns: Option | Candidate | Why It Matters
+   - Limit to A–E options maximum; omit table if a free-form answer is clearer
+   - Never ask the user to restate what they already said
+   - Avoid speculative categories (no hallucination). If uncertain, ask explicitly: "Confirm whether X belongs in scope."
+
+   Defaults when interaction impossible:
+   - Depth: Standard
+   - Audience: Reviewer (PR) if code-related; Author otherwise
+   - Focus: Top 2 relevance clusters
+
+   Output the questions (label Q1/Q2/Q3). After answers: if ≥2 scenario classes (Alternate / Exception / Recovery / Non-Functional domain) remain unclear, you MAY ask up to TWO more targeted follow‑ups (Q4/Q5) with a one-line justification each (e.g., "Unresolved recovery path risk"). Do not exceed five total questions. Skip escalation if user explicitly declines more.
+
+3. **Understand user request**: Combine `$ARGUMENTS` + clarifying answers:
+   - Derive checklist theme (e.g., security, review, deploy, ux)
+   - Consolidate explicit must-have items mentioned by user
+   - Map focus selections to category scaffolding
+   - Infer any missing context from spec/plan/tasks (do NOT hallucinate)
+
+4. **Load feature context**: Read from FEATURE_DIR:
+   - spec.md: Feature requirements and scope
+   - plan.md (if exists): Technical details, dependencies
+   - tasks.md (if exists): Implementation tasks
+
+   **Context Loading Strategy**:
+   - Load only necessary portions relevant to active focus areas (avoid full-file dumping)
+   - Prefer summarizing long sections into concise scenario/requirement bullets
+   - Use progressive disclosure: add follow-on retrieval only if gaps detected
+   - If source docs are large, generate interim summary items instead of embedding raw text
+
+5. **Generate checklist** - Create "Unit Tests for Requirements":
+   - Create `FEATURE_DIR/checklists/` directory if it doesn't exist
+   - Generate unique checklist filename:
+     - Use short, descriptive name based on domain (e.g., `ux.md`, `api.md`, `security.md`)
+     - Format: `[domain].md`
+     - If file exists, append to existing file
+   - Number items sequentially starting from CHK001
+   - Each `/speckit.checklist` run creates a NEW file (never overwrites existing checklists)
+
+   **CORE PRINCIPLE - Test the Requirements, Not the Implementation**:
+   Every checklist item MUST evaluate the REQUIREMENTS THEMSELVES for:
+   - **Completeness**: Are all necessary requirements present?
+   - **Clarity**: Are requirements unambiguous and specific?
+   - **Consistency**: Do requirements align with each other?
+   - **Measurability**: Can requirements be objectively verified?
+   - **Coverage**: Are all scenarios/edge cases addressed?
+
+   **Category Structure** - Group items by requirement quality dimensions:
+   - **Requirement Completeness** (Are all necessary requirements documented?)
+   - **Requirement Clarity** (Are requirements specific and unambiguous?)
+   - **Requirement Consistency** (Do requirements align without conflicts?)
+   - **Acceptance Criteria Quality** (Are success criteria measurable?)
+   - **Scenario Coverage** (Are all flows/cases addressed?)
+   - **Edge Case Coverage** (Are boundary conditions defined?)
+   - **Non-Functional Requirements** (Performance, Security, Accessibility, etc. - are they specified?)
+   - **Dependencies & Assumptions** (Are they documented and validated?)
+   - **Ambiguities & Conflicts** (What needs clarification?)
+
+   **HOW TO WRITE CHECKLIST ITEMS - "Unit Tests for English"**:
+
+   ❌ **WRONG** (Testing implementation):
+   - "Verify landing page displays 3 episode cards"
+   - "Test hover states work on desktop"
+   - "Confirm logo click navigates home"
+
+   ✅ **CORRECT** (Testing requirements quality):
+   - "Are the exact number and layout of featured episodes specified?" [Completeness]
+   - "Is 'prominent display' quantified with specific sizing/positioning?" [Clarity]
+   - "Are hover state requirements consistent across all interactive elements?" [Consistency]
+   - "Are keyboard navigation requirements defined for all interactive UI?" [Coverage]
+   - "Is the fallback behavior specified when logo image fails to load?" [Edge Cases]
+   - "Are loading states defined for asynchronous episode data?" [Completeness]
+   - "Does the spec define visual hierarchy for competing UI elements?" [Clarity]
+
+   **ITEM STRUCTURE**:
+   Each item should follow this pattern:
+   - Question format asking about requirement quality
+   - Focus on what's WRITTEN (or not written) in the spec/plan
+   - Include quality dimension in brackets [Completeness/Clarity/Consistency/etc.]
+   - Reference spec section `[Spec §X.Y]` when checking existing requirements
+   - Use `[Gap]` marker when checking for missing requirements
+
+   **EXAMPLES BY QUALITY DIMENSION**:
+
+   Completeness:
+   - "Are error handling requirements defined for all API failure modes? [Gap]"
+   - "Are accessibility requirements specified for all interactive elements? [Completeness]"
+   - "Are mobile breakpoint requirements defined for responsive layouts? [Gap]"
+
+   Clarity:
+   - "Is 'fast loading' quantified with specific timing thresholds? [Clarity, Spec §NFR-2]"
+   - "Are 'related episodes' selection criteria explicitly defined? [Clarity, Spec §FR-5]"
+   - "Is 'prominent' defined with measurable visual properties? [Ambiguity, Spec §FR-4]"
+
+   Consistency:
+   - "Do navigation requirements align across all pages? [Consistency, Spec §FR-10]"
+   - "Are card component requirements consistent between landing and detail pages? [Consistency]"
+
+   Coverage:
+   - "Are requirements defined for zero-state scenarios (no episodes)? [Coverage, Edge Case]"
+   - "Are concurrent user interaction scenarios addressed? [Coverage, Gap]"
+   - "Are requirements specified for partial data loading failures? [Coverage, Exception Flow]"
+
+   Measurability:
+   - "Are visual hierarchy requirements measurable/testable? [Acceptance Criteria, Spec §FR-1]"
+   - "Can 'balanced visual weight' be objectively verified? [Measurability, Spec §FR-2]"
+
+   **Scenario Classification & Coverage** (Requirements Quality Focus):
+   - Check if requirements exist for: Primary, Alternate, Exception/Error, Recovery, Non-Functional scenarios
+   - For each scenario class, ask: "Are [scenario type] requirements complete, clear, and consistent?"
+   - If scenario class missing: "Are [scenario type] requirements intentionally excluded or missing? [Gap]"
+   - Include resilience/rollback when state mutation occurs: "Are rollback requirements defined for migration failures? [Gap]"
+
+   **Traceability Requirements**:
+   - MINIMUM: ≥80% of items MUST include at least one traceability reference
+   - Each item should reference: spec section `[Spec §X.Y]`, or use markers: `[Gap]`, `[Ambiguity]`, `[Conflict]`, `[Assumption]`
+   - If no ID system exists: "Is a requirement & acceptance criteria ID scheme established? [Traceability]"
+
+   **Surface & Resolve Issues** (Requirements Quality Problems):
+   Ask questions about the requirements themselves:
+   - Ambiguities: "Is the term 'fast' quantified with specific metrics? [Ambiguity, Spec §NFR-1]"
+   - Conflicts: "Do navigation requirements conflict between §FR-10 and §FR-10a? [Conflict]"
+   - Assumptions: "Is the assumption of 'always available podcast API' validated? [Assumption]"
+   - Dependencies: "Are external podcast API requirements documented? [Dependency, Gap]"
+   - Missing definitions: "Is 'visual hierarchy' defined with measurable criteria? [Gap]"
+
+   **Content Consolidation**:
+   - Soft cap: If raw candidate items > 40, prioritize by risk/impact
+   - Merge near-duplicates checking the same requirement aspect
+   - If >5 low-impact edge cases, create one item: "Are edge cases X, Y, Z addressed in requirements? [Coverage]"
+
+   **🚫 ABSOLUTELY PROHIBITED** - These make it an implementation test, not a requirements test:
+   - ❌ Any item starting with "Verify", "Test", "Confirm", "Check" + implementation behavior
+   - ❌ References to code execution, user actions, system behavior
+   - ❌ "Displays correctly", "works properly", "functions as expected"
+   - ❌ "Click", "navigate", "render", "load", "execute"
+   - ❌ Test cases, test plans, QA procedures
+   - ❌ Implementation details (frameworks, APIs, algorithms)
+
+   **✅ REQUIRED PATTERNS** - These test requirements quality:
+   - ✅ "Are [requirement type] defined/specified/documented for [scenario]?"
+   - ✅ "Is [vague term] quantified/clarified with specific criteria?"
+   - ✅ "Are requirements consistent between [section A] and [section B]?"
+   - ✅ "Can [requirement] be objectively measured/verified?"
+   - ✅ "Are [edge cases/scenarios] addressed in requirements?"
+   - ✅ "Does the spec define [missing aspect]?"
+
+6. **Structure Reference**: Generate the checklist following the canonical template in `.specify/templates/checklist-template.md` for title, meta section, category headings, and ID formatting. If template is unavailable, use: H1 title, purpose/created meta lines, `##` category sections containing `- [ ] CHK### <requirement item>` lines with globally incrementing IDs starting at CHK001.
+
+7. **Report**: Output full path to created checklist, item count, and remind user that each run creates a new file. Summarize:
+   - Focus areas selected
+   - Depth level
+   - Actor/timing
+   - Any explicit user-specified must-have items incorporated
+
+**Important**: Each `/speckit.checklist` command invocation creates a checklist file using short, descriptive names unless file already exists. This allows:
+
+- Multiple checklists of different types (e.g., `ux.md`, `test.md`, `security.md`)
+- Simple, memorable filenames that indicate checklist purpose
+- Easy identification and navigation in the `checklists/` folder
+
+To avoid clutter, use descriptive types and clean up obsolete checklists when done.
+
+## Example Checklist Types & Sample Items
+
+**UX Requirements Quality:** `ux.md`
+
+Sample items (testing the requirements, NOT the implementation):
+
+- "Are visual hierarchy requirements defined with measurable criteria? [Clarity, Spec §FR-1]"
+- "Is the number and positioning of UI elements explicitly specified? [Completeness, Spec §FR-1]"
+- "Are interaction state requirements (hover, focus, active) consistently defined? [Consistency]"
+- "Are accessibility requirements specified for all interactive elements? [Coverage, Gap]"
+- "Is fallback behavior defined when images fail to load? [Edge Case, Gap]"
+- "Can 'prominent display' be objectively measured? [Measurability, Spec §FR-4]"
+
+**API Requirements Quality:** `api.md`
+
+Sample items:
+
+- "Are error response formats specified for all failure scenarios? [Completeness]"
+- "Are rate limiting requirements quantified with specific thresholds? [Clarity]"
+- "Are authentication requirements consistent across all endpoints? [Consistency]"
+- "Are retry/timeout requirements defined for external dependencies? [Coverage, Gap]"
+- "Is versioning strategy documented in requirements? [Gap]"
+
+**Performance Requirements Quality:** `performance.md`
+
+Sample items:
+
+- "Are performance requirements quantified with specific metrics? [Clarity]"
+- "Are performance targets defined for all critical user journeys? [Coverage]"
+- "Are performance requirements under different load conditions specified? [Completeness]"
+- "Can performance requirements be objectively measured? [Measurability]"
+- "Are degradation requirements defined for high-load scenarios? [Edge Case, Gap]"
+
+**Security Requirements Quality:** `security.md`
+
+Sample items:
+
+- "Are authentication requirements specified for all protected resources? [Coverage]"
+- "Are data protection requirements defined for sensitive information? [Completeness]"
+- "Is the threat model documented and requirements aligned to it? [Traceability]"
+- "Are security requirements consistent with compliance obligations? [Consistency]"
+- "Are security failure/breach response requirements defined? [Gap, Exception Flow]"
+
+## Anti-Examples: What NOT To Do
+
+**❌ WRONG - These test implementation, not requirements:**
+
+```markdown
+- [ ] CHK001 - Verify landing page displays 3 episode cards [Spec §FR-001]
+- [ ] CHK002 - Test hover states work correctly on desktop [Spec §FR-003]
+- [ ] CHK003 - Confirm logo click navigates to home page [Spec §FR-010]
+- [ ] CHK004 - Check that related episodes section shows 3-5 items [Spec §FR-005]
+```
+
+**✅ CORRECT - These test requirements quality:**
+
+```markdown
+- [ ] CHK001 - Are the number and layout of featured episodes explicitly specified? [Completeness, Spec §FR-001]
+- [ ] CHK002 - Are hover state requirements consistently defined for all interactive elements? [Consistency, Spec §FR-003]
+- [ ] CHK003 - Are navigation requirements clear for all clickable brand elements? [Clarity, Spec §FR-010]
+- [ ] CHK004 - Is the selection criteria for related episodes documented? [Gap, Spec §FR-005]
+- [ ] CHK005 - Are loading state requirements defined for asynchronous episode data? [Gap]
+- [ ] CHK006 - Can "visual hierarchy" requirements be objectively measured? [Measurability, Spec §FR-001]
+```
+
+**Key Differences:**
+
+- Wrong: Tests if the system works correctly
+- Correct: Tests if the requirements are written correctly
+- Wrong: Verification of behavior
+- Correct: Validation of requirement quality
+- Wrong: "Does it do X?"
+- Correct: "Is X clearly specified?"

.agent/workflows/speckit.clarify.md

@@ -0,0 +1,181 @@
+---
+description: Identify underspecified areas in the current feature spec by asking up to 5 highly targeted clarification questions and encoding answers back into the spec.
+handoffs: 
+  - label: Build Technical Plan
+    agent: speckit.plan
+    prompt: Create a plan for the spec. I am building with...
+---
+
+## User Input
+
+```text
+$ARGUMENTS
+```
+
+You **MUST** consider the user input before proceeding (if not empty).
+
+## Outline
+
+Goal: Detect and reduce ambiguity or missing decision points in the active feature specification and record the clarifications directly in the spec file.
+
+Note: This clarification workflow is expected to run (and be completed) BEFORE invoking `/speckit.plan`. If the user explicitly states they are skipping clarification (e.g., exploratory spike), you may proceed, but must warn that downstream rework risk increases.
+
+Execution steps:
+
+1. Run `.specify/scripts/bash/check-prerequisites.sh --json --paths-only` from repo root **once** (combined `--json --paths-only` mode / `-Json -PathsOnly`). Parse minimal JSON payload fields:
+   - `FEATURE_DIR`
+   - `FEATURE_SPEC`
+   - (Optionally capture `IMPL_PLAN`, `TASKS` for future chained flows.)
+   - If JSON parsing fails, abort and instruct user to re-run `/speckit.specify` or verify feature branch environment.
+   - For single quotes in args like "I'm Groot", use escape syntax: e.g 'I'\''m Groot' (or double-quote if possible: "I'm Groot").
+
+2. Load the current spec file. Perform a structured ambiguity & coverage scan using this taxonomy. For each category, mark status: Clear / Partial / Missing. Produce an internal coverage map used for prioritization (do not output raw map unless no questions will be asked).
+
+   Functional Scope & Behavior:
+   - Core user goals & success criteria
+   - Explicit out-of-scope declarations
+   - User roles / personas differentiation
+
+   Domain & Data Model:
+   - Entities, attributes, relationships
+   - Identity & uniqueness rules
+   - Lifecycle/state transitions
+   - Data volume / scale assumptions
+
+   Interaction & UX Flow:
+   - Critical user journeys / sequences
+   - Error/empty/loading states
+   - Accessibility or localization notes
+
+   Non-Functional Quality Attributes:
+   - Performance (latency, throughput targets)
+   - Scalability (horizontal/vertical, limits)
+   - Reliability & availability (uptime, recovery expectations)
+   - Observability (logging, metrics, tracing signals)
+   - Security & privacy (authN/Z, data protection, threat assumptions)
+   - Compliance / regulatory constraints (if any)
+
+   Integration & External Dependencies:
+   - External services/APIs and failure modes
+   - Data import/export formats
+   - Protocol/versioning assumptions
+
+   Edge Cases & Failure Handling:
+   - Negative scenarios
+   - Rate limiting / throttling
+   - Conflict resolution (e.g., concurrent edits)
+
+   Constraints & Tradeoffs:
+   - Technical constraints (language, storage, hosting)
+   - Explicit tradeoffs or rejected alternatives
+
+   Terminology & Consistency:
+   - Canonical glossary terms
+   - Avoided synonyms / deprecated terms
+
+   Completion Signals:
+   - Acceptance criteria testability
+   - Measurable Definition of Done style indicators
+
+   Misc / Placeholders:
+   - TODO markers / unresolved decisions
+   - Ambiguous adjectives ("robust", "intuitive") lacking quantification
+
+   For each category with Partial or Missing status, add a candidate question opportunity unless:
+   - Clarification would not materially change implementation or validation strategy
+   - Information is better deferred to planning phase (note internally)
+
+3. Generate (internally) a prioritized queue of candidate clarification questions (maximum 5). Do NOT output them all at once. Apply these constraints:
+    - Maximum of 10 total questions across the whole session.
+    - Each question must be answerable with EITHER:
+       - A short multiple‑choice selection (2–5 distinct, mutually exclusive options), OR
+       - A one-word / short‑phrase answer (explicitly constrain: "Answer in <=5 words").
+    - Only include questions whose answers materially impact architecture, data modeling, task decomposition, test design, UX behavior, operational readiness, or compliance validation.
+    - Ensure category coverage balance: attempt to cover the highest impact unresolved categories first; avoid asking two low-impact questions when a single high-impact area (e.g., security posture) is unresolved.
+    - Exclude questions already answered, trivial stylistic preferences, or plan-level execution details (unless blocking correctness).
+    - Favor clarifications that reduce downstream rework risk or prevent misaligned acceptance tests.
+    - If more than 5 categories remain unresolved, select the top 5 by (Impact * Uncertainty) heuristic.
+
+4. Sequential questioning loop (interactive):
+    - Present EXACTLY ONE question at a time.
+    - For multiple‑choice questions:
+       - **Analyze all options** and determine the **most suitable option** based on:
+          - Best practices for the project type
+          - Common patterns in similar implementations
+          - Risk reduction (security, performance, maintainability)
+          - Alignment with any explicit project goals or constraints visible in the spec
+       - Present your **recommended option prominently** at the top with clear reasoning (1-2 sentences explaining why this is the best choice).
+       - Format as: `**Recommended:** Option [X] - <reasoning>`
+       - Then render all options as a Markdown table:
+
+       | Option | Description |
+       |--------|-------------|
+       | A | <Option A description> |
+       | B | <Option B description> |
+       | C | <Option C description> (add D/E as needed up to 5) |
+       | Short | Provide a different short answer (<=5 words) (Include only if free-form alternative is appropriate) |
+
+       - After the table, add: `You can reply with the option letter (e.g., "A"), accept the recommendation by saying "yes" or "recommended", or provide your own short answer.`
+    - For short‑answer style (no meaningful discrete options):
+       - Provide your **suggested answer** based on best practices and context.
+       - Format as: `**Suggested:** <your proposed answer> - <brief reasoning>`
+       - Then output: `Format: Short answer (<=5 words). You can accept the suggestion by saying "yes" or "suggested", or provide your own answer.`
+    - After the user answers:
+       - If the user replies with "yes", "recommended", or "suggested", use your previously stated recommendation/suggestion as the answer.
+       - Otherwise, validate the answer maps to one option or fits the <=5 word constraint.
+       - If ambiguous, ask for a quick disambiguation (count still belongs to same question; do not advance).
+       - Once satisfactory, record it in working memory (do not yet write to disk) and move to the next queued question.
+    - Stop asking further questions when:
+       - All critical ambiguities resolved early (remaining queued items become unnecessary), OR
+       - User signals completion ("done", "good", "no more"), OR
+       - You reach 5 asked questions.
+    - Never reveal future queued questions in advance.
+    - If no valid questions exist at start, immediately report no critical ambiguities.
+
+5. Integration after EACH accepted answer (incremental update approach):
+    - Maintain in-memory representation of the spec (loaded once at start) plus the raw file contents.
+    - For the first integrated answer in this session:
+       - Ensure a `## Clarifications` section exists (create it just after the highest-level contextual/overview section per the spec template if missing).
+       - Under it, create (if not present) a `### Session YYYY-MM-DD` subheading for today.
+    - Append a bullet line immediately after acceptance: `- Q: <question> → A: <final answer>`.
+    - Then immediately apply the clarification to the most appropriate section(s):
+       - Functional ambiguity → Update or add a bullet in Functional Requirements.
+       - User interaction / actor distinction → Update User Stories or Actors subsection (if present) with clarified role, constraint, or scenario.
+       - Data shape / entities → Update Data Model (add fields, types, relationships) preserving ordering; note added constraints succinctly.
+       - Non-functional constraint → Add/modify measurable criteria in Non-Functional / Quality Attributes section (convert vague adjective to metric or explicit target).
+       - Edge case / negative flow → Add a new bullet under Edge Cases / Error Handling (or create such subsection if template provides placeholder for it).
+       - Terminology conflict → Normalize term across spec; retain original only if necessary by adding `(formerly referred to as "X")` once.
+    - If the clarification invalidates an earlier ambiguous statement, replace that statement instead of duplicating; leave no obsolete contradictory text.
+    - Save the spec file AFTER each integration to minimize risk of context loss (atomic overwrite).
+    - Preserve formatting: do not reorder unrelated sections; keep heading hierarchy intact.
+    - Keep each inserted clarification minimal and testable (avoid narrative drift).
+
+6. Validation (performed after EACH write plus final pass):
+   - Clarifications session contains exactly one bullet per accepted answer (no duplicates).
+   - Total asked (accepted) questions ≤ 5.
+   - Updated sections contain no lingering vague placeholders the new answer was meant to resolve.
+   - No contradictory earlier statement remains (scan for now-invalid alternative choices removed).
+   - Markdown structure valid; only allowed new headings: `## Clarifications`, `### Session YYYY-MM-DD`.
+   - Terminology consistency: same canonical term used across all updated sections.
+
+7. Write the updated spec back to `FEATURE_SPEC`.
+
+8. Report completion (after questioning loop ends or early termination):
+   - Number of questions asked & answered.
+   - Path to updated spec.
+   - Sections touched (list names).
+   - Coverage summary table listing each taxonomy category with Status: Resolved (was Partial/Missing and addressed), Deferred (exceeds question quota or better suited for planning), Clear (already sufficient), Outstanding (still Partial/Missing but low impact).
+   - If any Outstanding or Deferred remain, recommend whether to proceed to `/speckit.plan` or run `/speckit.clarify` again later post-plan.
+   - Suggested next command.
+
+Behavior rules:
+
+- If no meaningful ambiguities found (or all potential questions would be low-impact), respond: "No critical ambiguities detected worth formal clarification." and suggest proceeding.
+- If spec file missing, instruct user to run `/speckit.specify` first (do not create a new spec here).
+- Never exceed 5 total asked questions (clarification retries for a single question do not count as new questions).
+- Avoid speculative tech stack questions unless the absence blocks functional clarity.
+- Respect user early termination signals ("stop", "done", "proceed").
+- If no questions asked due to full coverage, output a compact coverage summary (all categories Clear) then suggest advancing.
+- If quota reached with unresolved high-impact categories remaining, explicitly flag them under Deferred with rationale.
+
+Context for prioritization: $ARGUMENTS

.agent/workflows/speckit.constitution.md

@@ -0,0 +1,84 @@
+---
+description: Create or update the project constitution from interactive or provided principle inputs, ensuring all dependent templates stay in sync.
+handoffs: 
+  - label: Build Specification
+    agent: speckit.specify
+    prompt: Implement the feature specification based on the updated constitution. I want to build...
+---
+
+## User Input
+
+```text
+$ARGUMENTS
+```
+
+You **MUST** consider the user input before proceeding (if not empty).
+
+## Outline
+
+You are updating the project constitution at `.ai/standards/constitution.md`. This file is a TEMPLATE containing placeholder tokens in square brackets (e.g. `[PROJECT_NAME]`, `[PRINCIPLE_1_NAME]`). Your job is to (a) collect/derive concrete values, (b) fill the template precisely, and (c) propagate any amendments across dependent artifacts.
+
+**Note**: If `.ai/standards/constitution.md` does not exist yet, it should have been initialized from `.specify/templates/constitution-template.md` during project setup. If it's missing, copy the template first.
+
+Follow this execution flow:
+
+1. Load the existing constitution at `.ai/standards/constitution.md`.
+   - Identify every placeholder token of the form `[ALL_CAPS_IDENTIFIER]`.
+   **IMPORTANT**: The user might require less or more principles than the ones used in the template. If a number is specified, respect that - follow the general template. You will update the doc accordingly.
+
+2. Collect/derive values for placeholders:
+   - If user input (conversation) supplies a value, use it.
+   - Otherwise infer from existing repo context (README, docs, prior constitution versions if embedded).
+   - For governance dates: `RATIFICATION_DATE` is the original adoption date (if unknown ask or mark TODO), `LAST_AMENDED_DATE` is today if changes are made, otherwise keep previous.
+   - `CONSTITUTION_VERSION` must increment according to semantic versioning rules:
+     - MAJOR: Backward incompatible governance/principle removals or redefinitions.
+     - MINOR: New principle/section added or materially expanded guidance.
+     - PATCH: Clarifications, wording, typo fixes, non-semantic refinements.
+   - If version bump type ambiguous, propose reasoning before finalizing.
+
+3. Draft the updated constitution content:
+   - Replace every placeholder with concrete text (no bracketed tokens left except intentionally retained template slots that the project has chosen not to define yet—explicitly justify any left).
+   - Preserve heading hierarchy and comments can be removed once replaced unless they still add clarifying guidance.
+   - Ensure each Principle section: succinct name line, paragraph (or bullet list) capturing non‑negotiable rules, explicit rationale if not obvious.
+   - Ensure Governance section lists amendment procedure, versioning policy, and compliance review expectations.
+
+4. Consistency propagation checklist (convert prior checklist into active validations):
+   - Read `.specify/templates/plan-template.md` and ensure any "Constitution Check" or rules align with updated principles.
+   - Read `.specify/templates/spec-template.md` for scope/requirements alignment—update if constitution adds/removes mandatory sections or constraints.
+   - Read `.specify/templates/tasks-template.md` and ensure task categorization reflects new or removed principle-driven task types (e.g., observability, versioning, testing discipline).
+   - Read each command file in `.specify/templates/commands/*.md` (including this one) to verify no outdated references (agent-specific names like CLAUDE only) remain when generic guidance is required.
+   - Read any runtime guidance docs (e.g., `README.md`, `docs/quickstart.md`, or agent-specific guidance files if present). Update references to principles changed.
+
+5. Produce a Sync Impact Report (prepend as an HTML comment at top of the constitution file after update):
+   - Version change: old → new
+   - List of modified principles (old title → new title if renamed)
+   - Added sections
+   - Removed sections
+   - Templates requiring updates (✅ updated / ⚠ pending) with file paths
+   - Follow-up TODOs if any placeholders intentionally deferred.
+
+6. Validation before final output:
+   - No remaining unexplained bracket tokens.
+   - Version line matches report.
+   - Dates ISO format YYYY-MM-DD.
+   - Principles are declarative, testable, and free of vague language ("should" → replace with MUST/SHOULD rationale where appropriate).
+
+7. Write the completed constitution back to `.ai/standards/constitution.md` (overwrite).
+
+8. Output a final summary to the user with:
+   - New version and bump rationale.
+   - Any files flagged for manual follow-up.
+   - Suggested commit message (e.g., `docs: amend constitution to vX.Y.Z (principle additions + governance update)`).
+
+Formatting & Style Requirements:
+
+- Use Markdown headings exactly as in the template (do not demote/promote levels).
+- Wrap long rationale lines to keep readability (<100 chars ideally) but do not hard enforce with awkward breaks.
+- Keep a single blank line between sections.
+- Avoid trailing whitespace.
+
+If the user supplies partial updates (e.g., only one principle revision), still perform validation and version decision steps.
+
+If critical info missing (e.g., ratification date truly unknown), insert `TODO(<FIELD_NAME>): explanation` and include in the Sync Impact Report under deferred items.
+
+Do not create a new template; always operate on the existing `.ai/standards/constitution.md` file.

.agent/workflows/speckit.fix.md

@@ -0,0 +1,199 @@
+---
+
+description: Fix failing tests and implementation issues based on test reports
+
+---
+
+## User Input
+
+```text
+$ARGUMENTS
+```
+
+You **MUST** consider the user input before proceeding (if not empty).
+
+## Goal
+
+Analyze test failure reports, identify root causes, and fix implementation issues while preserving semantic protocol compliance.
+
+## Operating Constraints
+
+1. **USE CODER MODE**: Always switch to `coder` mode for code fixes
+2. **SEMANTIC PROTOCOL**: Never remove semantic annotations ([DEF], @TAGS). Only update code logic.
+3. **TEST DATA**: If tests use @TEST_ fixtures, preserve them when fixing
+4. **NO DELETION**: Never delete existing tests or semantic annotations
+5. **REPORT FIRST**: Always write a fix report before making changes
+
+## Execution Steps
+
+### 1. Load Test Report
+
+**Required**: Test report file path (e.g., `specs/<feature>/tests/reports/2026-02-19-report.md`)
+
+**Parse the report for**:
+- Failed test cases
+- Error messages
+- Stack traces
+- Expected vs actual behavior
+- Affected modules/files
+
+### 2. Analyze Root Causes
+
+For each failed test:
+
+1. **Read the test file** to understand what it's testing
+2. **Read the implementation file** to find the bug
+3. **Check semantic protocol compliance**:
+   - Does the implementation have correct [DEF] anchors?
+   - Are @TAGS (@PRE, @POST, @UX_STATE, etc.) present?
+   - Does the code match the TIER requirements?
+4. **Identify the fix**:
+   - Logic error in implementation
+   - Missing error handling
+   - Incorrect API usage
+   - State management issue
+
+### 3. Write Fix Report
+
+Create a structured fix report:
+
+```markdown
+# Fix Report: [FEATURE]
+
+**Date**: [YYYY-MM-DD]
+**Report**: [Test Report Path]
+**Fixer**: Coder Agent
+
+## Summary
+
+- Total Failed Tests: [X]
+- Total Fixed: [X]
+- Total Skipped: [X]
+
+## Failed Tests Analysis
+
+### Test: [Test Name]
+
+**File**: `path/to/test.py`
+**Error**: [Error message]
+
+**Root Cause**: [Explanation of why test failed]
+
+**Fix Required**: [Description of fix]
+
+**Status**: [Pending/In Progress/Completed]
+
+## Fixes Applied
+
+### Fix 1: [Description]
+
+**Affected File**: `path/to/file.py`
+**Test Affected**: `[Test Name]`
+
+**Changes**:
+```diff
+<<<<<<< SEARCH
+[Original Code]
+=======
+[Fixed Code]
+>>>>>>> REPLACE
+```
+
+**Verification**: [How to verify fix works]
+
+**Semantic Integrity**: [Confirmed annotations preserved]
+
+## Next Steps
+
+- [ ] Run tests to verify fix: `cd backend && .venv/bin/python3 -m pytest`
+- [ ] Check for related failing tests
+- [ ] Update test documentation if needed
+```
+
+### 4. Apply Fixes (in Coder Mode)
+
+Switch to `coder` mode and apply fixes:
+
+1. **Read the implementation file** to get exact content
+2. **Apply the fix** using apply_diff
+3. **Preserve all semantic annotations**:
+   - Keep [DEF:...] and [/DEF:...] anchors
+   - Keep all @TAGS (@PURPOSE, @LAYER, @TIER, @RELATION, @PRE, @POST, @UX_STATE, @UX_FEEDBACK, @UX_RECOVERY)
+4. **Only update code logic** to fix the bug
+5. **Run tests** to verify the fix
+
+### 5. Verification
+
+After applying fixes:
+
+1. **Run tests**:
+   ```bash
+   cd backend && .venv/bin/python3 -m pytest -v
+   ```
+   or
+   ```bash
+   cd frontend && npm run test
+   ```
+
+2. **Check test results**:
+   - Failed tests should now pass
+   - No new tests should fail
+   - Coverage should not decrease
+
+3. **Update fix report** with results:
+   - Mark fixes as completed
+   - Add verification steps
+   - Note any remaining issues
+
+## Output
+
+Generate final fix report:
+
+```markdown
+# Fix Report: [FEATURE] - COMPLETED
+
+**Date**: [YYYY-MM-DD]
+**Report**: [Test Report Path]
+**Fixer**: Coder Agent
+
+## Summary
+
+- Total Failed Tests: [X]
+- Total Fixed: [X] ✅
+- Total Skipped: [X]
+
+## Fixes Applied
+
+### Fix 1: [Description] ✅
+
+**Affected File**: `path/to/file.py`
+**Test Affected**: `[Test Name]`
+
+**Changes**: [Summary of changes]
+
+**Verification**: All tests pass ✅
+
+**Semantic Integrity**: Preserved ✅
+
+## Test Results
+
+```
+[Full test output showing all passing tests]
+```
+
+## Recommendations
+
+- [ ] Monitor for similar issues
+- [ ] Update documentation if needed
+- [ ] Consider adding more tests for edge cases
+
+## Related Files
+
+- Test Report: [path]
+- Implementation: [path]
+- Test File: [path]
+```
+
+## Context for Fixing
+
+$ARGUMENTS

.agent/workflows/speckit.implement.md

@@ -0,0 +1,150 @@
+---
+description: Execute the implementation plan by processing and executing all tasks defined in tasks.md
+---
+
+## User Input
+
+```text
+$ARGUMENTS
+```
+
+You **MUST** consider the user input before proceeding (if not empty).
+
+## Outline
+
+1. Run `.specify/scripts/bash/check-prerequisites.sh --json --require-tasks --include-tasks` from repo root and parse FEATURE_DIR and AVAILABLE_DOCS list. All paths must be absolute. For single quotes in args like "I'm Groot", use escape syntax: e.g 'I'\''m Groot' (or double-quote if possible: "I'm Groot").
+
+2. **Check checklists status** (if FEATURE_DIR/checklists/ exists):
+   - Scan all checklist files in the checklists/ directory
+   - For each checklist, count:
+     - Total items: All lines matching `- [ ]` or `- [X]` or `- [x]`
+     - Completed items: Lines matching `- [X]` or `- [x]`
+     - Incomplete items: Lines matching `- [ ]`
+   - Create a status table:
+
+     ```text
+     | Checklist | Total | Completed | Incomplete | Status |
+     |-----------|-------|-----------|------------|--------|
+     | ux.md     | 12    | 12        | 0          | ✓ PASS |
+     | test.md   | 8     | 5         | 3          | ✗ FAIL |
+     | security.md | 6   | 6         | 0          | ✓ PASS |
+     ```
+
+   - Calculate overall status:
+     - **PASS**: All checklists have 0 incomplete items
+     - **FAIL**: One or more checklists have incomplete items
+
+   - **If any checklist is incomplete**:
+     - Display the table with incomplete item counts
+     - **STOP** and ask: "Some checklists are incomplete. Do you want to proceed with implementation anyway? (yes/no)"
+     - Wait for user response before continuing
+     - If user says "no" or "wait" or "stop", halt execution
+     - If user says "yes" or "proceed" or "continue", proceed to step 3
+
+   - **If all checklists are complete**:
+     - Display the table showing all checklists passed
+     - Automatically proceed to step 3
+
+3. Load and analyze the implementation context:
+   - **REQUIRED**: Read tasks.md for the complete task list and execution plan
+   - **REQUIRED**: Read plan.md for tech stack, architecture, and file structure
+   - **IF EXISTS**: Read data-model.md for entities and relationships
+   - **IF EXISTS**: Read contracts/ for API specifications and test requirements
+   - **IF EXISTS**: Read research.md for technical decisions and constraints
+   - **IF EXISTS**: Read quickstart.md for integration scenarios
+
+3. Load and analyze the implementation context:
+    - **REQUIRED**: Read `.ai/standards/semantics.md` for strict coding standards and contract requirements
+    - **REQUIRED**: Read tasks.md for the complete task list and execution plan
+    - **REQUIRED**: Read plan.md for tech stack, architecture, and file structure
+    - **IF EXISTS**: Read data-model.md for entities and relationships
+    - **IF EXISTS**: Read contracts/ for API specifications and test requirements
+    - **IF EXISTS**: Read research.md for technical decisions and constraints
+    - **IF EXISTS**: Read quickstart.md for integration scenarios
+
+4. **Project Setup Verification**:
+   - **REQUIRED**: Create/verify ignore files based on actual project setup:
+
+   **Detection & Creation Logic**:
+   - Check if the following command succeeds to determine if the repository is a git repo (create/verify .gitignore if so):
+
+     ```sh
+     git rev-parse --git-dir 2>/dev/null
+     ```
+
+   - Check if Dockerfile* exists or Docker in plan.md → create/verify .dockerignore
+   - Check if .eslintrc* exists → create/verify .eslintignore
+   - Check if eslint.config.* exists → ensure the config's `ignores` entries cover required patterns
+   - Check if .prettierrc* exists → create/verify .prettierignore
+   - Check if .npmrc or package.json exists → create/verify .npmignore (if publishing)
+   - Check if terraform files (*.tf) exist → create/verify .terraformignore
+   - Check if .helmignore needed (helm charts present) → create/verify .helmignore
+
+   **If ignore file already exists**: Verify it contains essential patterns, append missing critical patterns only
+   **If ignore file missing**: Create with full pattern set for detected technology
+
+   **Common Patterns by Technology** (from plan.md tech stack):
+   - **Node.js/JavaScript/TypeScript**: `node_modules/`, `dist/`, `build/`, `*.log`, `.env*`
+   - **Python**: `__pycache__/`, `*.pyc`, `.venv/`, `venv/`, `dist/`, `*.egg-info/`
+   - **Java**: `target/`, `*.class`, `*.jar`, `.gradle/`, `build/`
+   - **C#/.NET**: `bin/`, `obj/`, `*.user`, `*.suo`, `packages/`
+   - **Go**: `*.exe`, `*.test`, `vendor/`, `*.out`
+   - **Ruby**: `.bundle/`, `log/`, `tmp/`, `*.gem`, `vendor/bundle/`
+   - **PHP**: `vendor/`, `*.log`, `*.cache`, `*.env`
+   - **Rust**: `target/`, `debug/`, `release/`, `*.rs.bk`, `*.rlib`, `*.prof*`, `.idea/`, `*.log`, `.env*`
+   - **Kotlin**: `build/`, `out/`, `.gradle/`, `.idea/`, `*.class`, `*.jar`, `*.iml`, `*.log`, `.env*`
+   - **C++**: `build/`, `bin/`, `obj/`, `out/`, `*.o`, `*.so`, `*.a`, `*.exe`, `*.dll`, `.idea/`, `*.log`, `.env*`
+   - **C**: `build/`, `bin/`, `obj/`, `out/`, `*.o`, `*.a`, `*.so`, `*.exe`, `Makefile`, `config.log`, `.idea/`, `*.log`, `.env*`
+   - **Swift**: `.build/`, `DerivedData/`, `*.swiftpm/`, `Packages/`
+   - **R**: `.Rproj.user/`, `.Rhistory`, `.RData`, `.Ruserdata`, `*.Rproj`, `packrat/`, `renv/`
+   - **Universal**: `.DS_Store`, `Thumbs.db`, `*.tmp`, `*.swp`, `.vscode/`, `.idea/`
+
+   **Tool-Specific Patterns**:
+   - **Docker**: `node_modules/`, `.git/`, `Dockerfile*`, `.dockerignore`, `*.log*`, `.env*`, `coverage/`
+   - **ESLint**: `node_modules/`, `dist/`, `build/`, `coverage/`, `*.min.js`
+   - **Prettier**: `node_modules/`, `dist/`, `build/`, `coverage/`, `package-lock.json`, `yarn.lock`, `pnpm-lock.yaml`
+   - **Terraform**: `.terraform/`, `*.tfstate*`, `*.tfvars`, `.terraform.lock.hcl`
+   - **Kubernetes/k8s**: `*.secret.yaml`, `secrets/`, `.kube/`, `kubeconfig*`, `*.key`, `*.crt`
+
+5. Parse tasks.md structure and extract:
+   - **Task phases**: Setup, Tests, Core, Integration, Polish
+   - **Task dependencies**: Sequential vs parallel execution rules
+   - **Task details**: ID, description, file paths, parallel markers [P]
+   - **Execution flow**: Order and dependency requirements
+
+6. Execute implementation following the task plan:
+   - **Phase-by-phase execution**: Complete each phase before moving to the next
+   - **Respect dependencies**: Run sequential tasks in order, parallel tasks [P] can run together  
+   - **Follow TDD approach**: Execute test tasks before their corresponding implementation tasks
+   - **File-based coordination**: Tasks affecting the same files must run sequentially
+   - **Validation checkpoints**: Verify each phase completion before proceeding
+
+7. Implementation execution rules:
+    - **Strict Adherence**: Apply `.ai/standards/semantics.md` rules:
+      - Every file MUST start with a `[DEF:id:Type]` header and end with a closing `[/DEF:id:Type]` anchor.
+      - Include `@TIER` and define contracts (`@PRE`, `@POST`).
+      - For Svelte components, use `@UX_STATE`, `@UX_FEEDBACK`, `@UX_RECOVERY`, and explicitly declare reactivity with `@UX_REATIVITY: State: $state, Derived: $derived`.
+      - **Molecular Topology Logging**: Use prefixes `[EXPLORE]`, `[REASON]`, `[REFLECT]` in logs to trace logic.
+    - **CRITICAL Contracts**: If a task description contains a contract summary (e.g., `CRITICAL: PRE: ..., POST: ...`), these constraints are **MANDATORY** and must be strictly implemented in the code using guards/assertions (if applicable per protocol).
+    - **Setup first**: Initialize project structure, dependencies, configuration
+   - **Tests before code**: If you need to write tests for contracts, entities, and integration scenarios
+   - **Core development**: Implement models, services, CLI commands, endpoints
+   - **Integration work**: Database connections, middleware, logging, external services
+   - **Polish and validation**: Unit tests, performance optimization, documentation
+
+8. Progress tracking and error handling:
+   - Report progress after each completed task
+   - Halt execution if any non-parallel task fails
+   - For parallel tasks [P], continue with successful tasks, report failed ones
+   - Provide clear error messages with context for debugging
+   - Suggest next steps if implementation cannot proceed
+   - **IMPORTANT** For completed tasks, make sure to mark the task off as [X] in the tasks file.
+
+9. Completion validation:
+   - Verify all required tasks are completed
+   - Check that implemented features match the original specification
+   - Validate that tests pass and coverage meets requirements
+   - Confirm the implementation follows the technical plan
+   - Report final status with summary of completed work
+
+Note: This command assumes a complete task breakdown exists in tasks.md. If tasks are incomplete or missing, suggest running `/speckit.tasks` first to regenerate the task list.

.agent/workflows/speckit.plan.md

@@ -0,0 +1,104 @@
+---
+description: Execute the implementation planning workflow using the plan template to generate design artifacts.
+handoffs: 
+  - label: Create Tasks
+    agent: speckit.tasks
+    prompt: Break the plan into tasks
+    send: true
+  - label: Create Checklist
+    agent: speckit.checklist
+    prompt: Create a checklist for the following domain...
+---
+
+## User Input
+
+```text
+$ARGUMENTS
+```
+
+You **MUST** consider the user input before proceeding (if not empty).
+
+## Outline
+
+1. **Setup**: Run `.specify/scripts/bash/setup-plan.sh --json` from repo root and parse JSON for FEATURE_SPEC, IMPL_PLAN, SPECS_DIR, BRANCH. For single quotes in args like "I'm Groot", use escape syntax: e.g 'I'\''m Groot' (or double-quote if possible: "I'm Groot").
+
+2. **Load context**: Read `.ai/ROOT.md` and `.ai/PROJECT_MAP.md` to understand the project structure and navigation. Then read required standards: `.ai/standards/constitution.md` and `.ai/standards/semantics.md`. Load IMPL_PLAN template.
+
+3. **Execute plan workflow**: Follow the structure in IMPL_PLAN template to:
+   - Fill Technical Context (mark unknowns as "NEEDS CLARIFICATION")
+   - Fill Constitution Check section from constitution
+   - Evaluate gates (ERROR if violations unjustified)
+   - Phase 0: Generate research.md (resolve all NEEDS CLARIFICATION)
+   - Phase 1: Generate data-model.md, contracts/, quickstart.md
+   - Phase 1: Update agent context by running the agent script
+   - Re-evaluate Constitution Check post-design
+
+4. **Stop and report**: Command ends after Phase 2 planning. Report branch, IMPL_PLAN path, and generated artifacts.
+
+## Phases
+
+### Phase 0: Outline & Research
+
+1. **Extract unknowns from Technical Context** above:
+   - For each NEEDS CLARIFICATION → research task
+   - For each dependency → best practices task
+   - For each integration → patterns task
+
+2. **Generate and dispatch research agents**:
+
+   ```text
+   For each unknown in Technical Context:
+     Task: "Research {unknown} for {feature context}"
+   For each technology choice:
+     Task: "Find best practices for {tech} in {domain}"
+   ```
+
+3. **Consolidate findings** in `research.md` using format:
+   - Decision: [what was chosen]
+   - Rationale: [why chosen]
+   - Alternatives considered: [what else evaluated]
+
+**Output**: research.md with all NEEDS CLARIFICATION resolved
+
+### Phase 1: Design & Contracts
+
+**Prerequisites:** `research.md` complete
+
+0. **Validate Design against UX Reference**:
+    - Check if the proposed architecture supports the latency, interactivity, and flow defined in `ux_reference.md`.
+    - **Linkage**: Ensure key UI states from `ux_reference.md` map to Component Contracts (`@UX_STATE`).
+    - **CRITICAL**: If the technical plan compromises the UX (e.g. "We can't do real-time validation"), you **MUST STOP** and warn the user.
+
+1. **Extract entities from feature spec** → `data-model.md`:
+    - Entity name, fields, relationships, validation rules.
+
+2. **Design & Verify Contracts (Semantic Protocol)**:
+    - **Drafting**: Define `[DEF:id:Type]` Headers, Contracts, and closing `[/DEF:id:Type]` for all new modules based on `.ai/standards/semantics.md`.
+    - **TIER Classification**: Explicitly assign `@TIER: [CRITICAL|STANDARD|TRIVIAL]` to each module.
+    - **CRITICAL Requirements**: For all CRITICAL modules, define full `@PRE`, `@POST`, and (if UI) `@UX_STATE` contracts. **MUST** also define testing contracts: `@TEST_CONTRACT`, `@TEST_FIXTURE`, `@TEST_EDGE`, and `@TEST_INVARIANT`.
+    - **Self-Review**:
+      - *Completeness*: Do `@PRE`/`@POST` cover edge cases identified in Research? Are test contracts present for CRITICAL?
+      - *Connectivity*: Do `@RELATION` tags form a coherent graph?
+      - *Compliance*: Does syntax match `[DEF:id:Type]` exactly and is it closed with `[/DEF:id:Type]`?
+    - **Output**: Write verified contracts to `contracts/modules.md`.
+
+3. **Simulate Contract Usage**:
+    - Trace one key user scenario through the defined contracts to ensure data flow continuity.
+    - If a contract interface mismatch is found, fix it immediately.
+
+4. **Generate API contracts**:
+    - Output OpenAPI/GraphQL schema to `/contracts/` for backend-frontend sync.
+
+3. **Agent context update**:
+   - Run `.specify/scripts/bash/update-agent-context.sh agy`
+   - These scripts detect which AI agent is in use
+   - Update the appropriate agent-specific context file
+   - Add only new technology from current plan
+   - Preserve manual additions between markers
+
+**Output**: data-model.md, /contracts/*, quickstart.md, agent-specific file
+
+## Key rules
+
+- Use absolute paths
+- ERROR on gate failures or unresolved clarifications

.agent/workflows/speckit.specify.md

@@ -0,0 +1,258 @@
+---
+description: Create or update the feature specification from a natural language feature description.
+handoffs: 
+  - label: Build Technical Plan
+    agent: speckit.plan
+    prompt: Create a plan for the spec. I am building with...
+  - label: Clarify Spec Requirements
+    agent: speckit.clarify
+    prompt: Clarify specification requirements
+    send: true
+---
+
+## User Input
+
+```text
+$ARGUMENTS
+```
+
+You **MUST** consider the user input before proceeding (if not empty).
+
+## Outline
+
+The text the user typed after `/speckit.specify` in the triggering message **is** the feature description. Assume you always have it available in this conversation even if `$ARGUMENTS` appears literally below. Do not ask the user to repeat it unless they provided an empty command.
+
+Given that feature description, do this:
+
+1. **Generate a concise short name** (2-4 words) for the branch:
+   - Analyze the feature description and extract the most meaningful keywords
+   - Create a 2-4 word short name that captures the essence of the feature
+   - Use action-noun format when possible (e.g., "add-user-auth", "fix-payment-bug")
+   - Preserve technical terms and acronyms (OAuth2, API, JWT, etc.)
+   - Keep it concise but descriptive enough to understand the feature at a glance
+   - Examples:
+     - "I want to add user authentication" → "user-auth"
+     - "Implement OAuth2 integration for the API" → "oauth2-api-integration"
+     - "Create a dashboard for analytics" → "analytics-dashboard"
+     - "Fix payment processing timeout bug" → "fix-payment-timeout"
+
+2. **Check for existing branches before creating new one**:
+
+   a. First, fetch all remote branches to ensure we have the latest information:
+
+      ```bash
+      git fetch --all --prune
+      ```
+
+   b. Find the highest feature number across all sources for the short-name:
+      - Remote branches: `git ls-remote --heads origin | grep -E 'refs/heads/[0-9]+-<short-name>$'`
+      - Local branches: `git branch | grep -E '^[* ]*[0-9]+-<short-name>$'`
+      - Specs directories: Check for directories matching `specs/[0-9]+-<short-name>`
+
+   c. Determine the next available number:
+      - Extract all numbers from all three sources
+      - Find the highest number N
+      - Use N+1 for the new branch number
+
+   d. Run the script `.specify/scripts/bash/create-new-feature.sh --json "$ARGUMENTS"` with the calculated number and short-name:
+      - Pass `--number N+1` and `--short-name "your-short-name"` along with the feature description
+      - Bash example: `.specify/scripts/bash/create-new-feature.sh --json "$ARGUMENTS" --json --number 5 --short-name "user-auth" "Add user authentication"`
+      - PowerShell example: `.specify/scripts/bash/create-new-feature.sh --json "$ARGUMENTS" -Json -Number 5 -ShortName "user-auth" "Add user authentication"`
+
+   **IMPORTANT**:
+   - Check all three sources (remote branches, local branches, specs directories) to find the highest number
+   - Only match branches/directories with the exact short-name pattern
+   - If no existing branches/directories found with this short-name, start with number 1
+   - You must only ever run this script once per feature
+   - The JSON is provided in the terminal as output - always refer to it to get the actual content you're looking for
+   - The JSON output will contain BRANCH_NAME and SPEC_FILE paths
+   - For single quotes in args like "I'm Groot", use escape syntax: e.g 'I'\''m Groot' (or double-quote if possible: "I'm Groot")
+
+3. Load `.specify/templates/spec-template.md` to understand required sections.
+
+4. Follow this execution flow:
+
+    1. Parse user description from Input
+       If empty: ERROR "No feature description provided"
+    2. Extract key concepts from description
+       Identify: actors, actions, data, constraints
+    3. For unclear aspects:
+       - Make informed guesses based on context and industry standards
+       - Only mark with [NEEDS CLARIFICATION: specific question] if:
+         - The choice significantly impacts feature scope or user experience
+         - Multiple reasonable interpretations exist with different implications
+         - No reasonable default exists
+       - **LIMIT: Maximum 3 [NEEDS CLARIFICATION] markers total**
+       - Prioritize clarifications by impact: scope > security/privacy > user experience > technical details
+    4. Fill User Scenarios & Testing section
+       If no clear user flow: ERROR "Cannot determine user scenarios"
+    5. Generate Functional Requirements
+       Each requirement must be testable
+       Use reasonable defaults for unspecified details (document assumptions in Assumptions section)
+    6. Define Success Criteria
+       Create measurable, technology-agnostic outcomes
+       Include both quantitative metrics (time, performance, volume) and qualitative measures (user satisfaction, task completion)
+       Each criterion must be verifiable without implementation details
+    7. Identify Key Entities (if data involved)
+    8. Return: SUCCESS (spec ready for planning)
+
+5. Write the specification to SPEC_FILE using the template structure, replacing placeholders with concrete details derived from the feature description (arguments) while preserving section order and headings.
+
+6. **Specification Quality Validation**: After writing the initial spec, validate it against quality criteria:
+
+   a. **Create Spec Quality Checklist**: Generate a checklist file at `FEATURE_DIR/checklists/requirements.md` using the checklist template structure with these validation items:
+
+      ```markdown
+      # Specification Quality Checklist: [FEATURE NAME]
+      
+      **Purpose**: Validate specification completeness and quality before proceeding to planning
+      **Created**: [DATE]
+      **Feature**: [Link to spec.md]
+      
+      ## Content Quality
+      
+      - [ ] No implementation details (languages, frameworks, APIs)
+      - [ ] Focused on user value and business needs
+      - [ ] Written for non-technical stakeholders
+      - [ ] All mandatory sections completed
+      
+      ## Requirement Completeness
+      
+      - [ ] No [NEEDS CLARIFICATION] markers remain
+      - [ ] Requirements are testable and unambiguous
+      - [ ] Success criteria are measurable
+      - [ ] Success criteria are technology-agnostic (no implementation details)
+      - [ ] All acceptance scenarios are defined
+      - [ ] Edge cases are identified
+      - [ ] Scope is clearly bounded
+      - [ ] Dependencies and assumptions identified
+      
+      ## Feature Readiness
+      
+      - [ ] All functional requirements have clear acceptance criteria
+      - [ ] User scenarios cover primary flows
+      - [ ] Feature meets measurable outcomes defined in Success Criteria
+      - [ ] No implementation details leak into specification
+      
+      ## Notes
+      
+      - Items marked incomplete require spec updates before `/speckit.clarify` or `/speckit.plan`
+      ```
+
+   b. **Run Validation Check**: Review the spec against each checklist item:
+      - For each item, determine if it passes or fails
+      - Document specific issues found (quote relevant spec sections)
+
+   c. **Handle Validation Results**:
+
+      - **If all items pass**: Mark checklist complete and proceed to step 6
+
+      - **If items fail (excluding [NEEDS CLARIFICATION])**:
+        1. List the failing items and specific issues
+        2. Update the spec to address each issue
+        3. Re-run validation until all items pass (max 3 iterations)
+        4. If still failing after 3 iterations, document remaining issues in checklist notes and warn user
+
+      - **If [NEEDS CLARIFICATION] markers remain**:
+        1. Extract all [NEEDS CLARIFICATION: ...] markers from the spec
+        2. **LIMIT CHECK**: If more than 3 markers exist, keep only the 3 most critical (by scope/security/UX impact) and make informed guesses for the rest
+        3. For each clarification needed (max 3), present options to user in this format:
+
+           ```markdown
+           ## Question [N]: [Topic]
+           
+           **Context**: [Quote relevant spec section]
+           
+           **What we need to know**: [Specific question from NEEDS CLARIFICATION marker]
+           
+           **Suggested Answers**:
+           
+           | Option | Answer | Implications |
+           |--------|--------|--------------|
+           | A      | [First suggested answer] | [What this means for the feature] |
+           | B      | [Second suggested answer] | [What this means for the feature] |
+           | C      | [Third suggested answer] | [What this means for the feature] |
+           | Custom | Provide your own answer | [Explain how to provide custom input] |
+           
+           **Your choice**: _[Wait for user response]_
+           ```
+
+        4. **CRITICAL - Table Formatting**: Ensure markdown tables are properly formatted:
+           - Use consistent spacing with pipes aligned
+           - Each cell should have spaces around content: `| Content |` not `|Content|`
+           - Header separator must have at least 3 dashes: `|--------|`
+           - Test that the table renders correctly in markdown preview
+        5. Number questions sequentially (Q1, Q2, Q3 - max 3 total)
+        6. Present all questions together before waiting for responses
+        7. Wait for user to respond with their choices for all questions (e.g., "Q1: A, Q2: Custom - [details], Q3: B")
+        8. Update the spec by replacing each [NEEDS CLARIFICATION] marker with the user's selected or provided answer
+        9. Re-run validation after all clarifications are resolved
+
+   d. **Update Checklist**: After each validation iteration, update the checklist file with current pass/fail status
+
+7. Report completion with branch name, spec file path, checklist results, and readiness for the next phase (`/speckit.clarify` or `/speckit.plan`).
+
+**NOTE:** The script creates and checks out the new branch and initializes the spec file before writing.
+
+## General Guidelines
+
+## Quick Guidelines
+
+- Focus on **WHAT** users need and **WHY**.
+- Avoid HOW to implement (no tech stack, APIs, code structure).
+- Written for business stakeholders, not developers.
+- DO NOT create any checklists that are embedded in the spec. That will be a separate command.
+
+### Section Requirements
+
+- **Mandatory sections**: Must be completed for every feature
+- **Optional sections**: Include only when relevant to the feature
+- When a section doesn't apply, remove it entirely (don't leave as "N/A")
+
+### For AI Generation
+
+When creating this spec from a user prompt:
+
+1. **Make informed guesses**: Use context, industry standards, and common patterns to fill gaps
+2. **Document assumptions**: Record reasonable defaults in the Assumptions section
+3. **Limit clarifications**: Maximum 3 [NEEDS CLARIFICATION] markers - use only for critical decisions that:
+   - Significantly impact feature scope or user experience
+   - Have multiple reasonable interpretations with different implications
+   - Lack any reasonable default
+4. **Prioritize clarifications**: scope > security/privacy > user experience > technical details
+5. **Think like a tester**: Every vague requirement should fail the "testable and unambiguous" checklist item
+6. **Common areas needing clarification** (only if no reasonable default exists):
+   - Feature scope and boundaries (include/exclude specific use cases)
+   - User types and permissions (if multiple conflicting interpretations possible)
+   - Security/compliance requirements (when legally/financially significant)
+
+**Examples of reasonable defaults** (don't ask about these):
+
+- Data retention: Industry-standard practices for the domain
+- Performance targets: Standard web/mobile app expectations unless specified
+- Error handling: User-friendly messages with appropriate fallbacks
+- Authentication method: Standard session-based or OAuth2 for web apps
+- Integration patterns: Use project-appropriate patterns (REST/GraphQL for web services, function calls for libraries, CLI args for tools, etc.)
+
+### Success Criteria Guidelines
+
+Success criteria must be:
+
+1. **Measurable**: Include specific metrics (time, percentage, count, rate)
+2. **Technology-agnostic**: No mention of frameworks, languages, databases, or tools
+3. **User-focused**: Describe outcomes from user/business perspective, not system internals
+4. **Verifiable**: Can be tested/validated without knowing implementation details
+
+**Good examples**:
+
+- "Users can complete checkout in under 3 minutes"
+- "System supports 10,000 concurrent users"
+- "95% of searches return results in under 1 second"
+- "Task completion rate improves by 40%"
+
+**Bad examples** (implementation-focused):
+
+- "API response time is under 200ms" (too technical, use "Users see results instantly")
+- "Database can handle 1000 TPS" (implementation detail, use user-facing metric)
+- "React components render efficiently" (framework-specific)
+- "Redis cache hit rate above 80%" (technology-specific)

.agent/workflows/speckit.tasks.md

@@ -0,0 +1,146 @@
+---
+description: Generate an actionable, dependency-ordered tasks.md for the feature based on available design artifacts.
+handoffs: 
+  - label: Analyze For Consistency
+    agent: speckit.analyze
+    prompt: Run a project analysis for consistency
+    send: true
+  - label: Implement Project
+    agent: speckit.implement
+    prompt: Start the implementation in phases
+    send: true
+---
+
+## User Input
+
+```text
+$ARGUMENTS
+```
+
+You **MUST** consider the user input before proceeding (if not empty).
+
+## Outline
+
+1. **Setup**: Run `.specify/scripts/bash/check-prerequisites.sh --json` from repo root and parse FEATURE_DIR and AVAILABLE_DOCS list. All paths must be absolute. For single quotes in args like "I'm Groot", use escape syntax: e.g 'I'\''m Groot' (or double-quote if possible: "I'm Groot").
+
+2. **Load design documents**: Read from FEATURE_DIR:
+   - **Required**: plan.md (tech stack, libraries, structure), spec.md (user stories with priorities), ux_reference.md (experience source of truth)
+   - **Optional**: data-model.md (entities), contracts/ (interface contracts), research.md (decisions), quickstart.md (test scenarios)
+   - Note: Not all projects have all documents. Generate tasks based on what's available.
+
+3. **Execute task generation workflow**:
+   - Load plan.md and extract tech stack, libraries, project structure
+   - Load spec.md and extract user stories with their priorities (P1, P2, P3, etc.)
+   - If data-model.md exists: Extract entities and map to user stories
+   - If contracts/ exists: Map interface contracts to user stories
+   - If research.md exists: Extract decisions for setup tasks
+   - Generate tasks organized by user story (see Task Generation Rules below)
+   - Generate dependency graph showing user story completion order
+   - Create parallel execution examples per user story
+   - Validate task completeness (each user story has all needed tasks, independently testable)
+
+4. **Generate tasks.md**: Use `.specify/templates/tasks-template.md` as structure, fill with:
+   - Correct feature name from plan.md
+   - Phase 1: Setup tasks (project initialization)
+   - Phase 2: Foundational tasks (blocking prerequisites for all user stories)
+   - Phase 3+: One phase per user story (in priority order from spec.md)
+   - Each phase includes: story goal, independent test criteria, tests (if requested), implementation tasks
+   - Final Phase: Polish & cross-cutting concerns
+   - All tasks must follow the strict checklist format (see Task Generation Rules below)
+   - Clear file paths for each task
+   - Dependencies section showing story completion order
+   - Parallel execution examples per story
+   - Implementation strategy section (MVP first, incremental delivery)
+
+5. **Report**: Output path to generated tasks.md and summary:
+   - Total task count
+   - Task count per user story
+   - Parallel opportunities identified
+   - Independent test criteria for each story
+   - Suggested MVP scope (typically just User Story 1)
+   - Format validation: Confirm ALL tasks follow the checklist format (checkbox, ID, labels, file paths)
+
+Context for task generation: $ARGUMENTS
+
+The tasks.md should be immediately executable - each task must be specific enough that an LLM can complete it without additional context.
+
+## Task Generation Rules
+
+**CRITICAL**: Tasks MUST be organized by user story to enable independent implementation and testing.
+
+**Tests are OPTIONAL**: Only generate test tasks if explicitly requested in the feature specification or if user requests TDD approach.
+
+### UX Preservation (CRITICAL)
+
+- **Source of Truth**: `ux_reference.md` is the absolute standard for the "feel" of the feature.
+- **Violation Warning**: If any task would inherently violate the UX (e.g. "Remove progress bar to simplify code"), you **MUST** flag this to the user immediately.
+- **Verification Task**: You **MUST** add a specific task at the end of each User Story phase: `- [ ] Txxx [USx] Verify implementation matches ux_reference.md (Happy Path & Errors)`
+
+### Checklist Format (REQUIRED)
+
+Every task MUST strictly follow this format:
+
+```text
+- [ ] [TaskID] [P?] [Story?] Description with file path
+```
+
+**Format Components**:
+
+1. **Checkbox**: ALWAYS start with `- [ ]` (markdown checkbox)
+2. **Task ID**: Sequential number (T001, T002, T003...) in execution order
+3. **[P] marker**: Include ONLY if task is parallelizable (different files, no dependencies on incomplete tasks)
+4. **[Story] label**: REQUIRED for user story phase tasks only
+   - Format: [US1], [US2], [US3], etc. (maps to user stories from spec.md)
+   - Setup phase: NO story label
+   - Foundational phase: NO story label  
+   - User Story phases: MUST have story label
+   - Polish phase: NO story label
+5. **Description**: Clear action with exact file path
+
+**Examples**:
+
+- ✅ CORRECT: `- [ ] T001 Create project structure per implementation plan`
+- ✅ CORRECT: `- [ ] T005 [P] Implement authentication middleware in src/middleware/auth.py`
+- ✅ CORRECT: `- [ ] T012 [P] [US1] Create User model in src/models/user.py`
+- ✅ CORRECT: `- [ ] T014 [US1] Implement UserService in src/services/user_service.py`
+- ❌ WRONG: `- [ ] Create User model` (missing ID and Story label)
+- ❌ WRONG: `T001 [US1] Create model` (missing checkbox)
+- ❌ WRONG: `- [ ] [US1] Create User model` (missing Task ID)
+- ❌ WRONG: `- [ ] T001 [US1] Create model` (missing file path)
+
+### Task Organization
+
+1. **From User Stories (spec.md)** - PRIMARY ORGANIZATION:
+   - Each user story (P1, P2, P3...) gets its own phase
+   - Map all related components to their story:
+     - Models needed for that story
+     - Services needed for that story
+     - Interfaces/UI needed for that story
+     - If tests requested: Tests specific to that story
+   - Mark story dependencies (most stories should be independent)
+
+2. **From Contracts (CRITICAL TIER)**:
+    - Identify components marked as `@TIER: CRITICAL` in `contracts/modules.md`.
+    - For these components, **MUST** append the summary of `@PRE`, `@POST`, `@UX_STATE`, and test contracts (`@TEST_FIXTURE`, `@TEST_EDGE`) directly to the task description.
+    - Example: `- [ ] T005 [P] [US1] Implement Auth (CRITICAL: PRE: token exists, POST: returns User, TESTS: 2 edges) in src/auth.py`
+    - Map each contract/endpoint → to the user story it serves
+    - If tests requested: Each contract → contract test task [P] before implementation in that story's phase
+
+3. **From Data Model**:
+   - Map each entity to the user story(ies) that need it
+   - If entity serves multiple stories: Put in earliest story or Setup phase
+   - Relationships → service layer tasks in appropriate story phase
+
+4. **From Setup/Infrastructure**:
+   - Shared infrastructure → Setup phase (Phase 1)
+   - Foundational/blocking tasks → Foundational phase (Phase 2)
+   - Story-specific setup → within that story's phase
+
+### Phase Structure
+
+- **Phase 1**: Setup (project initialization)
+- **Phase 2**: Foundational (blocking prerequisites - MUST complete before user stories)
+- **Phase 3+**: User Stories in priority order (P1, P2, P3...)
+  - Within each story: Tests (if requested) → Models → Services → Endpoints → Integration
+  - Each phase should be a complete, independently testable increment
+- **Final Phase**: Polish & Cross-Cutting Concerns

.agent/workflows/speckit.taskstoissues.md

@@ -0,0 +1,30 @@
+---
+description: Convert existing tasks into actionable, dependency-ordered GitHub issues for the feature based on available design artifacts.
+tools: ['github/github-mcp-server/issue_write']
+---
+
+## User Input
+
+```text
+$ARGUMENTS
+```
+
+You **MUST** consider the user input before proceeding (if not empty).
+
+## Outline
+
+1. Run `.specify/scripts/bash/check-prerequisites.sh --json --require-tasks --include-tasks` from repo root and parse FEATURE_DIR and AVAILABLE_DOCS list. All paths must be absolute. For single quotes in args like "I'm Groot", use escape syntax: e.g 'I'\''m Groot' (or double-quote if possible: "I'm Groot").
+1. From the executed script, extract the path to **tasks**.
+1. Get the Git remote by running:
+
+```bash
+git config --get remote.origin.url
+```
+
+> [!CAUTION]
+> ONLY PROCEED TO NEXT STEPS IF THE REMOTE IS A GITHUB URL
+
+1. For each task in the list, use the GitHub MCP server to create a new issue in the repository that is representative of the Git remote.
+
+> [!CAUTION]
+> UNDER NO CIRCUMSTANCES EVER CREATE ISSUES IN REPOSITORIES THAT DO NOT MATCH THE REMOTE URL

.agent/workflows/speckit.test.md

@@ -0,0 +1,343 @@
+---
+description: ✅ GRACE‑Poly Tester Agent (Production Edition)
+---
+
+# ✅ GRACE‑Poly Tester Agent (Production Edition)
+
+---
+
+## User Input
+
+```text
+$ARGUMENTS
+```
+
+Если вход не пуст — он имеет приоритет и должен быть учтён при анализе.
+
+---
+
+# I. MANDATE（命）
+
+Исполнить полный цикл тестирования:
+
+1. Анализировать модули.
+2. Проверять соответствие TIER.
+3. Генерировать тесты строго из TEST_SPEC.
+4. Поддерживать документацию.
+5. Не нарушать существующие тесты.
+6. Проверять инварианты.
+
+Тестер — не писатель тестов.  
+Тестер — хранитель контрактов.
+
+---
+
+# II. НЕЗЫБЛЕМЫЕ ПРАВИЛА
+
+1. **Никогда не удалять существующие тесты.**
+2. **Никогда не дублировать тесты.**
+3. Для CRITICAL — TEST_SPEC обязателен.
+4. Каждый `@TEST_EDGE` → минимум один тест.
+5. Каждый `@TEST_INVARIANT` → минимум один тест.
+6. Если CRITICAL без `@TEST_CONTRACT` →  
+   немедленно:
+
+```
+[COHERENCE_CHECK_FAILED]
+Reason: Missing TEST_CONTRACT in CRITICAL module
+```
+
+---
+
+# III. АНАЛИЗ КОНТЕКСТА
+
+Выполнить:
+
+```
+.specify/scripts/bash/check-prerequisites.sh --json --require-tasks --include-tasks
+```
+
+Извлечь:
+
+- FEATURE_DIR
+- TASKS_FILE
+- AVAILABLE_DOCS
+
+---
+
+# IV. ЗАГРУЗКА АРТЕФАКТОВ
+
+### 1️⃣ Из tasks.md
+
+- Найти завершённые implementation задачи
+- Исключить test‑tasks
+- Определить список модулей
+
+---
+
+### 2️⃣ Из модулей
+
+Для каждого модуля:
+
+- Прочитать `@TIER`
+- Прочитать:
+  - `@TEST_CONTRACT`
+  - `@TEST_FIXTURE`
+  - `@TEST_EDGE`
+  - `@TEST_INVARIANT`
+
+Если CRITICAL и нет TEST_SPEC → STOP.
+
+---
+
+### 3️⃣ Сканирование существующих тестов
+
+Искать в `__tests__/`.
+
+Определить:
+
+- уже покрытые фикстуры
+- уже покрытые edge‑cases
+- отсутствие тестов на инварианты
+- дублирование
+
+---
+
+# V. МАТРИЦА ПОКРЫТИЯ
+
+Создать:
+
+| Module | File | TIER | Has Tests | Fixtures | Edges | Invariants |
+|--------|------|------|----------|----------|--------|------------|
+
+Дополнительно для CRITICAL:
+
+| Edge Case | Has Test | Required |
+|-----------|----------|----------|
+
+---
+
+# VI. ГЕНЕРАЦИЯ ТЕСТОВ
+
+---
+
+## A. CRITICAL
+
+Строгий алгоритм:
+
+### 1️⃣ Валидация контракта
+
+Создать helper‑валидатор, который проверяет:
+
+- required_fields присутствуют
+- типы соответствуют
+- инварианты соблюдены
+
+---
+
+### 2️⃣ Для каждого @TEST_FIXTURE
+
+Создать:
+
+- 1 Happy-path тест
+- Проверку @POST
+- Проверку side-effects
+- Проверку отсутствия исключений
+
+---
+
+### 3️⃣ Для каждого @TEST_EDGE
+
+Создать отдельный тест:
+
+| Тип | Проверка |
+|------|----------|
+| missing_required_field | корректный отказ |
+| invalid_type | raise или skip |
+| empty_response | корректное поведение |
+| external_failure | rollback + лог |
+| duplicate | корректная обработка |
+
+---
+
+### 4️⃣ Для каждого @TEST_INVARIANT
+
+Создать тест, который:
+
+- нарушает инвариант
+- проверяет защитную реакцию
+
+---
+
+### 5️⃣ Проверка Rollback
+
+Если модуль взаимодействует с БД:
+
+- мокать исключение
+- проверять rollback()
+- проверять отсутствие частичного коммита
+
+---
+
+## B. STANDARD
+
+- 1 test на каждый FIXTURE
+- 1 test на каждый EDGE
+- Проверка базовых @POST
+
+---
+
+## C. TRIVIAL
+
+Тесты создаются только при отсутствии существующих.
+
+---
+
+# VII. UX CONTRACT TESTING
+
+Для каждого Svelte компонента:
+
+---
+
+### 1️⃣ Парсинг:
+
+- @UX_STATE
+- @UX_FEEDBACK
+- @UX_RECOVERY
+- @UX_TEST
+
+---
+
+### 2️⃣ Генерация:
+
+Для каждого `@UX_TEST` — отдельный тест.
+
+Если `@UX_STATE` есть, но `@UX_TEST` нет:
+
+- Автогенерировать тест перехода состояния.
+
+---
+
+### 3️⃣ Обязательные проверки:
+
+- DOM‑класс
+- aria‑атрибут
+- визуальная обратная связь
+- возможность восстановления
+
+---
+
+# VIII. СОЗДАНИЕ ФАЙЛОВ
+
+Co-location строго:
+
+Python:
+
+```
+module/__tests__/test_module.py
+```
+
+Svelte:
+
+```
+component/__tests__/Component.test.js
+```
+
+Каждый тестовый файл обязан иметь:
+
+```python
+# [DEF:__tests__/test_module:Module]
+# @RELATION: VERIFIES -> ../module.py
+# @PURPOSE: Contract testing for module
+# [/DEF:__tests__/test_module:Module]
+```
+
+---
+
+# IX. ДОКУМЕНТАЦИЯ
+
+Создать/обновить:
+
+```
+specs/<feature>/tests/
+```
+
+Содержимое:
+
+- README.md — стратегия
+- coverage.md — матрица
+- reports/YYYY-MM-DD-report.md
+
+---
+
+# X. ИСПОЛНЕНИЕ
+
+Backend:
+
+```
+cd backend && .venv/bin/python3 -m pytest -v
+```
+
+Frontend:
+
+```
+cd frontend && npm run test
+```
+
+Собрать:
+
+- Total
+- Passed
+- Failed
+- Coverage
+
+---
+
+# XI. FAIL POLICY
+
+Тестер обязан остановиться, если:
+
+- CRITICAL без TEST_CONTRACT
+- Есть EDGE без теста
+- Есть INVARIANT без теста
+- Обнаружено дублирование
+- Обнаружено удаление существующего теста
+
+---
+
+# XII. OUTPUT FORMAT
+
+```markdown
+# Test Report: [FEATURE]
+
+Date: YYYY-MM-DD
+Executor: GRACE Tester
+
+## Coverage Matrix
+
+| Module | TIER | Tests | Edge Covered | Invariants Covered |
+
+## Contract Validation
+
+- TEST_CONTRACT validated ✅ / ❌
+- All FIXTURES tested ✅ / ❌
+- All EDGES tested ✅ / ❌
+- All INVARIANTS verified ✅ / ❌
+
+## Results
+
+Total:
+Passed:
+Failed:
+Skipped:
+
+## Violations
+
+| Module | Problem | Severity |
+
+## Next Actions
+
+- [ ] Add missing invariant test
+- [ ] Fix rollback behavior
+- [ ] Refactor duplicate tests
+```

.ai/PERSONA.md

@@ -0,0 +1,42 @@
+# [DEF:Std:UserPersona:Standard]
+# @TIER: CRITICAL
+# @SEMANTICS: persona, tone_of_voice, interaction_rules, architect
+# @PURPOSE: Defines how the AI Agent MUST interact with the user and the codebase.
+
+@ROLE: Chief Semantic Architect & AI-Engineering Lead.
+@PHILOSOPHY: "Смысл первичен. Код вторичен. ИИ — это семантический процессор, а не собеседник."
+@METHODOLOGY: Создатель и строгий приверженец стандарта GRACE-Poly.
+
+## ОЖИДАНИЯ ОТ AI-АГЕНТА (КАК СО МНОЙ РАБОТАТЬ)
+
+1. **СТИЛЬ ОБЩЕНИЯ (Wenyuan Mode):**
+   - НИКАКИХ извинений, вежливости и воды ("Конечно, я помогу!", "Извините за ошибку").
+   - НИКАКИХ объяснений того, как работает базовый Python или Svelte, если я не спросил.
+   - Отвечай предельно сухо, структурно и строго по делу. Максимум технической плотности.
+
+2. **ОТНОШЕНИЕ К КОДУ:**
+   - Я не принимаю "голый код". Любой код без Контракта (DbC) и Якорей `[DEF]...[/DEF]` считается мусором.
+   - Сначала проектируй интерфейс и инварианты (`@PRE`, `@POST`), затем пиши реализацию.
+   - Если реализация нарушает Контракт — остановись и сообщи об ошибке проектирования. Не пытайся "подогнать" логику в обход правил.
+
+3. **БОРЬБА С "СЕМАНТИЧЕСКИМ КАЗИНО":**
+   - Не угадывай. Если в ТЗ или контексте не хватает данных для детерминированного решения, используй тег `[NEEDS_CLARIFICATION]` и задай узкий, точный вопрос.
+   - При сложных архитектурных решениях удерживай суперпозицию: предложи 2-3 варианта с оценкой рисков до написания кода.
+
+4. **ТЕСТИРОВАНИЕ И КАЧЕСТВО:**
+   - Я презираю "Test Tautologies" (тесты ради покрытия, зеркалящие логику). 
+   - Тесты должны быть Contract-Driven. Если есть `@PRE`, я ожидаю тест на его нарушение.
+   - Тесты обязаны использовать `@TEST_` из контрактов.
+
+5. **ГЛОБАЛЬНАЯ НАВИГАЦИЯ (GraphRAG):**
+   - Понимай, что мы работаем в среде Sparse Attention. 
+   - Всегда используй точные ID сущностей из якорей `[DEF:id]` для связей `@RELATION`. Не ломай семантические каналы опечатками.
+
+## ТРИГГЕРЫ (ЧТО ВЫЗЫВАЕТ МОЙ ГНЕВ / FATAL ERRORS):
+- Нарушение парности тегов `[DEF]` и `[/DEF]`.
+- Написание тестов, которые "мокают" саму проверяемую систему.
+- Игнорирование архитектурных запретов (`@CONSTRAINT`) из заголовков файлов.
+
+**Я ожидаю от тебя уровня Senior Staff Engineer, который понимает устройство LLM, KV Cache и графов знаний.**
+
+# [/DEF:Std:UserPersona:Standard]

.ai/ROOT.md

@@ -5,6 +5,8 @@
 
 ## 1. SYSTEM STANDARDS (Rules of the Game)
 Strict policies and formatting rules.
+*   **User Persona (Interaction Protocol):** The Architect's expectations, tone of voice, and strict interaction boundaries.
+    *   Ref: `.ai/standards/persona.md` -> `[DEF:Std:UserPersona]`
 *   **Constitution:** High-level architectural and business invariants.
     *   Ref: `.ai/standards/constitution.md` -> `[DEF:Std:Constitution]`
 *   **Architecture:** Service boundaries and tech stack decisions.
@@ -30,8 +32,9 @@ Use these for code generation (Style Transfer).
     *   Ref: `.ai/shots/critical_module.py` -> `[DEF:Shot:Critical_Module]`
 
 ## 3. DOMAIN MAP (Modules)
-*   **Module Map:** `.ai/MODULE_MAP.md` -> `[DEF:Module_Map]`
-*   **Project Map:** `.ai/PROJECT_MAP.md` -> `[DEF:Project_Map]`
+*   **High-level Module Map:** `.ai/structure/MODULE_MAP.md` -> `[DEF:Module_Map]`
+*   **Low-level Project Map:** `.ai/structure/PROJECT_MAP.md` -> `[DEF:Project_Map]`
+*   **Apache Superset OpenAPI:** `.ai/openapi/superset_openapi.json` -> `[DEF:Doc:Superset_OpenAPI]`
 *   **Backend Core:** `backend/src/core` -> `[DEF:Module:Backend_Core]`
 *   **Backend API:** `backend/src/api` -> `[DEF:Module:Backend_API]`
 *   **Frontend Lib:** `frontend/src/lib` -> `[DEF:Module:Frontend_Lib]`

.ai/knowledge/test_import_patterns.md

@@ -0,0 +1,63 @@
+# Backend Test Import Patterns
+
+## Problem
+
+The `ss-tools` backend uses **relative imports** inside packages (e.g., `from ...models.task import TaskRecord` in `persistence.py`). This creates specific constraints on how and where tests can be written.
+
+## Key Rules
+
+### 1. Packages with `__init__.py` that re-export via relative imports
+
+**Example**: `src/core/task_manager/__init__.py` imports `.manager` → `.persistence` → `from ...models.task` (3-level relative import).
+
+**Impact**: Co-located tests in `task_manager/__tests__/` **WILL FAIL** because pytest discovers `task_manager/` as a top-level package (not as `src.core.task_manager`), and the 3-level `from ...` goes beyond the top-level.
+
+**Solution**: Place tests in `backend/tests/` directory (where `test_task_logger.py` already lives). Import using `from src.core.task_manager.XXX import ...` which works because `backend/` is the pytest rootdir.
+
+### 2. Packages WITHOUT `__init__.py`:
+
+**Example**: `src/core/auth/` has NO `__init__.py`.
+
+**Impact**: Co-located tests in `auth/__tests__/` work fine because pytest doesn't try to import a parent package `__init__.py`.
+
+### 3. Modules with deeply nested relative imports
+
+**Example**: `src/services/llm_provider.py` uses `from ..models.llm import LLMProvider` and `from ..plugins.llm_analysis.models import LLMProviderConfig`.
+
+**Impact**: Direct import (`from src.services.llm_provider import EncryptionManager`) **WILL FAIL** if the relative chain triggers a module not in `sys.path` or if it tries to import beyond root.
+
+**Solution**: Either (a) re-implement the tested logic standalone in the test (for small classes like `EncryptionManager`), or (b) use `unittest.mock.patch` to mock the problematic imports before importing the module.
+
+## Working Test Locations
+
+| Package | `__init__.py`? | Relative imports? | Co-located OK? | Test location |
+|---|---|---|---|---|
+| `core/task_manager/` | YES | `from ...models.task` (3-level) | **NO** | `backend/tests/` |
+| `core/auth/` | NO | N/A | YES | `core/auth/__tests__/` |
+| `core/logger/` | NO | N/A | YES | `core/logger/__tests__/` |
+| `services/` | YES (empty) | shallow | YES | `services/__tests__/` |
+| `services/reports/` | YES | `from ...core.logger` | **NO** (most likely) | `backend/tests/` or mock |
+| `models/` | YES | shallow | YES | `models/__tests__/` |
+
+## Safe Import Patterns for Tests
+
+```python
+# In backend/tests/test_*.py:
+import sys
+from pathlib import Path
+sys.path.insert(0, str(Path(__file__).parent.parent / "src"))
+
+# Then import:
+from src.core.task_manager.models import Task, TaskStatus
+from src.core.task_manager.persistence import TaskPersistenceService
+from src.models.report import TaskReport, ReportQuery
+```
+
+## Plugin ID Mapping (for report tests)
+
+The `resolve_task_type()` uses **hyphenated** plugin IDs:
+- `superset-backup` → `TaskType.BACKUP`
+- `superset-migration` → `TaskType.MIGRATION`
+- `llm_dashboard_validation` → `TaskType.LLM_VERIFICATION`
+- `documentation` → `TaskType.DOCUMENTATION`
+- anything else → `TaskType.UNKNOWN`

.ai/shots/critical_module.py

@@ -3,14 +3,29 @@
 # @SEMANTICS: Finance, ACID, Transfer, Ledger
 # @PURPOSE: Core banking transaction processor with ACID guarantees.
 # @LAYER: Domain (Core)
-# @RELATION: DEPENDS_ON -> [DEF:Infra:PostgresDB]
-# @RELATION: DEPENDS_ON -> [DEF:Infra:AuditLog]
+# @RELATION: DEPENDS_ON ->[DEF:Infra:PostgresDB]
+#
 # @INVARIANT: Total system balance must remain constant (Double-Entry Bookkeeping).
 # @INVARIANT: Negative transfers are strictly forbidden.
 
-# @TEST_DATA: sufficient_funds -> {"from": "acc_A", "to": "acc_B", "amt": 100.00}
-# @TEST_DATA: insufficient_funds -> {"from": "acc_empty", "to": "acc_B", "amt": 1000.00}
-# @TEST_DATA: concurrency_lock -> {./fixtures/transactions.json#race_condition}
+# --- Test Specifications (The "What" and "Why", not the "Data") ---
+# @TEST_CONTRACT: Input -> TransferInputDTO, Output -> TransferResultDTO
+
+# Happy Path
+# @TEST_SCENARIO: sufficient_funds -> Returns COMPLETED, balances updated.
+# @TEST_FIXTURE: sufficient_funds -> file:./__tests__/fixtures/transfers.json#happy_path
+
+# Edge Cases (CRITICAL)
+# @TEST_SCENARIO: insufficient_funds -> Throws BusinessRuleViolation("INSUFFICIENT_FUNDS").
+# @TEST_SCENARIO: negative_amount -> Throws BusinessRuleViolation("Transfer amount must be positive.").
+# @TEST_SCENARIO: self_transfer -> Throws BusinessRuleViolation("Cannot transfer to self.").
+# @TEST_SCENARIO: audit_failure -> Throws RuntimeError("TRANSACTION_ABORTED").
+# @TEST_SCENARIO: concurrency_conflict -> Throws DBTransactionError.
+
+# Linking Tests to Invariants
+# @TEST_INVARIANT: total_balance_constant -> VERIFIED_BY: [sufficient_funds, concurrency_conflict]
+# @TEST_INVARIANT: negative_transfer_forbidden -> VERIFIED_BY: [negative_amount]
+
 
 from decimal import Decimal
 from typing import NamedTuple

.ai/shots/frontend_component.svelte

@@ -1,24 +1,67 @@
 <!-- [DEF:FrontendComponentShot:Component] -->
-<!-- /**
-   * @TIER: CRITICAL
-   * @SEMANTICS: Task, Button, Action, UX
-   * @PURPOSE: Action button to spawn a new task with full UX feedback cycle.
-   * @LAYER: UI (Presentation)
-   * @RELATION: CALLS -> postApi
-   * @INVARIANT: Must prevent double-submission while loading.
-   * 
-   * @TEST_DATA: idle_state -> {"isLoading": false}
-   * @TEST_DATA: loading_state -> {"isLoading": true}
-   * 
-   * @UX_STATE: Idle -> Button enabled, primary color.
-   * @UX_STATE: Loading -> Button disabled, spinner visible.
-   * @UX_STATE: Error -> Toast notification triggers.
-   * 
-   * @UX_FEEDBACK: Toast success/error.
-   * @UX_TEST: Idle -> {click: spawnTask, expected: isLoading=true}
-   * @UX_TEST: Success -> {api_resolve: 200, expected: toast.success called}
-   */
-   -->
+<!--
+/**
+ * @TIER: CRITICAL
+ * @SEMANTICS: Task, Button, Action, UX
+ * @PURPOSE: Action button to spawn a new task with full UX feedback cycle.
+ * @LAYER: UI (Presentation)
+ * @RELATION: CALLS -> postApi
+ *
+ * @INVARIANT: Must prevent double-submission while loading.
+ * @INVARIANT: Loading state must always terminate (no infinite spinner).
+ * @INVARIANT: User must receive feedback on both success and failure.
+ *
+ * @TEST_CONTRACT: ComponentState ->
+ * {
+ *   required_fields: {
+ *     isLoading: bool
+ *   },
+ *   invariants: [
+ *     "isLoading=true implies button.disabled=true",
+ *     "isLoading=true implies aria-busy=true",
+ *     "isLoading=true implies spinner visible"
+ *   ]
+ * }
+ *
+ * @TEST_CONTRACT: ApiResponse ->
+ * {
+ *   required_fields: {},
+ *   optional_fields: {
+ *     task_id: str
+ *   }
+ * }
+
+ * @TEST_FIXTURE: idle_state ->
+ * {
+ *   isLoading: false
+ * }
+ *
+ * @TEST_FIXTURE: successful_response ->
+ * {
+ *   task_id: "task_123"
+ * }
+ 
+ * @TEST_EDGE: api_failure -> raises Error("Network")
+ * @TEST_EDGE: empty_response -> {}
+ * @TEST_EDGE: rapid_double_click -> special: concurrent_click
+ * @TEST_EDGE: unresolved_promise -> special: pending_state
+ 
+ * @TEST_INVARIANT: prevent_double_submission -> verifies: [rapid_double_click]
+ * @TEST_INVARIANT: loading_state_consistency -> verifies: [idle_state, pending_state]
+ * @TEST_INVARIANT: feedback_always_emitted -> verifies: [successful_response, api_failure]
+
+ * @UX_STATE: Idle -> Button enabled, primary color, no spinner.
+ * @UX_STATE: Loading -> Button disabled, spinner visible, aria-busy=true.
+ * @UX_STATE: Success -> Toast success displayed.
+ * @UX_STATE: Error -> Toast error displayed.
+ *
+ * @UX_FEEDBACK: toast.success, toast.error
+ *
+ * @UX_TEST: Idle -> {click: spawnTask, expected: isLoading=true}
+ * @UX_TEST: Loading -> {double_click: ignored, expected: single_api_call}
+ * @UX_TEST: Success -> {api_resolve: task_id, expected: toast.success called}
+ * @UX_TEST: Error -> {api_reject: error, expected: toast.error called} 
+-->
 <script>
   import { postApi } from "$lib/api.js";
   import { t } from "$lib/i18n";

.ai/standards/constitution.md

@@ -8,7 +8,7 @@
 ## 1. CORE PRINCIPLES
 
 ### I. Semantic Protocol Compliance
-*   **Ref:** `[DEF:Std:Semantics]` (formerly `semantic_protocol.md`)
+*   **Ref:** `[DEF:Std:Semantics]` (`ai/standards/semantic.md`)
 *   **Law:** All code must adhere to the Axioms (Meaning First, Contract First, etc.).
 *   **Compliance:** Strict matching of Anchors (`[DEF]`), Tags (`@KEY`), and structures is mandatory.
 

.ai/standards/semantics.md

@@ -5,6 +5,7 @@
 
 #### I. ЗАКОН (АКСИОМЫ)
 1. Смысл первичен. Код вторичен.
+2.Слепота недопустима. Если узел графа (@RELATION) или схема данных неизвестны — не выдумывай реализацию. Остановись и запроси контекст.
 2. Контракт (@PRE/@POST) — источник истины.
 **3. UX — это логика, а не декор. Состояния интерфейса — часть контракта.**
 4. Структура `[DEF]...[/DEF]` — нерушима.
@@ -47,11 +48,13 @@
   @PRE: Входные условия.
   @POST: Гарантии выхода.
   @SIDE_EFFECT: Мутации, IO.
+  @DATA_CONTRACT: Ссылка на DTO/Pydantic модель. Заменяет ручное описание @PARAM. Формат: Input -> [Model], Output -> [Model].
   
 **UX Теги (Svelte/Frontend):**
   **@UX_STATE:** `[StateName] -> Визуальное поведение` (Idle, Loading, Error).
   **@UX_FEEDBACK:** Реакция системы (Toast, Shake, Red Border).
   **@UX_RECOVERY:** Механизм исправления ошибки пользователем (Retry, Clear Input).
+  **@UX_REATIVITY:** Явное указание использования рун. Формат: State: $state, Derived: $derived. Никаких устаревших export let.
   
 **UX Testing Tags (для Tester Agent):**
   **@UX_TEST:** Спецификация теста для UX состояния.
@@ -63,35 +66,67 @@
 #### V. АДАПТАЦИЯ (TIERS)
 Определяется тегом `@TIER` в Header.
 
-1. **CRITICAL** (Core/Security/**Complex UI**):
-   - Требование: Полный контракт (включая **все @UX теги**), Граф, Инварианты, Строгие Логи.
-   - **@TEST_DATA**: Обязательные эталонные данные для тестирования. Формат:
-     ```
-     @TEST_DATA: fixture_name -> {JSON_PATH} | {INLINE_DATA}
-     ```
-     Примеры:
-     - `@TEST_DATA: valid_user -> {./fixtures/users.json#valid}`
-     - `@TEST_DATA: empty_state -> {"dashboards": [], "total": 0}`
-   - Tester Agent **ОБЯЗАН** использовать @TEST_DATA при написании тестов для CRITICAL модулей.
-2. **STANDARD** (BizLogic/**Forms**):
-   - Требование: Базовый контракт (@PURPOSE, @UX_STATE), Логи, @RELATION.
-   - @TEST_DATA: Рекомендуется для Complex Forms.
-3. **TRIVIAL** (DTO/**Atoms**):
-   - Требование: Только Якоря [DEF] и @PURPOSE.
+### V. УРОВНИ СТРОГОСТИ (TIERS)
+Степень контроля задается тегом `@TIER` в Header.
 
-#### VI. ЛОГИРОВАНИЕ (BELIEF STATE & TASK LOGS)
-Цель: Трассировка для самокоррекции и пользовательский мониторинг.
-Python: 
-  - Системные логи: Context Manager `with belief_scope("ID"):`.
-  - Логи задач: `context.logger.info("msg", source="component")`.
-Svelte: `console.log("[ID][STATE] Msg")`.
-Состояния: Entry -> Action -> Coherence:OK / Failed -> Exit.
-Инвариант: Каждый лог задачи должен иметь атрибут `source` для фильтрации.
+**1. CRITICAL** (Ядро / Безопасность / Сложный UI)
+- **Закон:** Полный GRACE. Граф, Инварианты, Строгий Лог, все `@UX` теги.
+- **Догма Тестирования:** Тесты рождаются из контракта. Голый код без данных — слеп.
+  - `@TEST_CONTRACT: InputType -> OutputType`. (Строгий интерфейс).
+  - `@TEST_SCENARIO: name -> Ожидаемое поведение`. (Суть теста).
+  - `@TEST_FIXTURE: name -> file:PATH | INLINE_JSON`. (Данные для Happy Path).
+  - `@TEST_EDGE: name -> Описание сбоя`. (Минимум 3 границы). 
+    - *Базовый предел:* `missing_field`, `empty_response`, `invalid_type`, `external_fail`.
+  - `@TEST_INVARIANT: inv_name -> VERIFIED_BY: [scenario_1, ...]`. (Смыкание логики).
+- **Исполнение:** Tester Agent обязан строить проверки строго по этим тегам.
 
-#### VII. АЛГОРИТМ ГЕНЕРАЦИИ
-1. АНАЛИЗ. Оцени TIER, слой и UX-требования.
+**2. STANDARD** (Бизнес-логика / Формы)
+- **Закон:** База. (`@PURPOSE`, `@UX_STATE`, Лог, `@RELATION`).
+- **Исключение:** Для сложных форм внедряй `@TEST_SCENARIO` и `@TEST_INVARIANT`.
+
+**3. TRIVIAL** (DTO / Атомы UI / Утилиты)
+- **Закон:** Каркас. Только якорь `[DEF]` и `@PURPOSE`. Данные и графы не требуются.
+
+#### VI. ЛОГИРОВАНИЕ (ДАО МОЛЕКУЛЫ / MOLECULAR TOPOLOGY)
+Цель: Трассировка. Самокоррекция. Управление Матрицей Внимания ("Химия мышления").
+Лог — не текст. Лог — реагент. Мысль облекается в форму через префиксы связи (Attention Energy):
+
+1. **[EXPLORE]** (Ван-дер-Ваальс: Рассеяние)
+   - *Суть:* Поиск во тьме. Сплетение альтернатив. Если один путь закрыт — ищи иной.
+   - *Время:* Фаза КАРКАС или столкновение с Неизведанным.
+   - *Деяние:* `logger.explore("Основной API пал. Стучусь в запасной...")`
+
+2. **[REASON]** (Ковалентность: Твердость)
+   - *Суть:* Жесткая нить дедукции. Шаг А неумолимо рождает Шаг Б. Контракт становится Кодом.
+   - *Время:* Фаза РЕАЛИЗАЦИЯ. Прямота мысли.
+   - *Деяние:* `logger.reason("Фундамент заложен. БД отвечает.")`
+
+3. **[REFLECT]** (Водород: Свертывание)
+   - *Суть:* Взгляд назад. Сверка сущего (@POST) с ожидаемым (@PRE). Защита от бреда.
+   - *Время:* Преддверие сложной логики и исход из неё.
+   - *Деяние:* `logger.reflect("Вглядываюсь в кэш: нет ли там искомого?")`
+
+4. **[COHERENCE:OK/FAILED]** (Стабилизация: Истина/Ложь)
+   - *Суть:* Смыкание молекулы в надежную форму (`OK`) или её распад (`FAILED`).
+   - *(Свершается незримо через `belief_scope` и печать `@believed`)*
+
+**Орудия Пути (`core.logger`):**
+- **Печать функции:** `@believed("ID")` — дабы обернуть функцию в кокон внимания.
+- **Таинство контекста:** `with belief_scope("ID"):` — дабы очертить локальный предел.
+- **Слова силы:** `logger.explore()`, `logger.reason()`, `logger.reflect()`.
+
+**Незыблемое правило:** Всякому логу системы — тавро `source`. Для Внешенго Мира (Svelte) начертай рунами вручную: `console.log("[ID][REFLECT] Msg")`.
+
+#### VIII. АЛГОРИТМ ГЕНЕРАЦИИ И ВЫХОД ИЗ ТУПИКА
+1. АНАЛИЗ. Оцени TIER, слой и UX-требования. Чего не хватает? Запроси `[NEED_CONTEXT: id]`.
 2. КАРКАС. Создай `[DEF]`, Header и Контракты.
-3. РЕАЛИЗАЦИЯ. Напиши логику, удовлетворяющую Контракту (и UX-состояниям).
+3. РЕАЛИЗАЦИЯ. Напиши логику, удовлетворяющую Контракту (и UX-состояниям). Орошай путь логами `[REASON]` и `[REFLECT]`.
 4. ЗАМЫКАНИЕ. Закрой все `[/DEF]`.
 
+**РЕЖИМ ДЕТЕКТИВА (Если контракт нарушен):**
+ЕСЛИ ошибка или противоречие -> СТОП. 
+1. Выведи `[COHERENCE_CHECK_FAILED]`.
+2. Сформулируй гипотезу: `[EXPLORE] Ошибка в I/O, состоянии или зависимости?`
+3. Запроси разрешение на изменение контракта или внедрение отладочных логов.
+
 ЕСЛИ ошибка или противоречие -> СТОП. Выведи `[COHERENCE_CHECK_FAILED]`.

.codex/prompts/audit-test.md

@@ -0,0 +1,103 @@
+---
+description: Audit AI-generated unit tests. Your goal is to aggressively search for "Test Tautologies", "Logic Echoing", and "Contract Negligence". You are the final gatekeeper. If a test is meaningless, you MUST reject it.
+---
+
+**ROLE:** Elite Quality Assurance Architect and Red Teamer.
+**OBJECTIVE:** Audit AI-generated unit tests. Your goal is to aggressively search for "Test Tautologies", "Logic Echoing", and "Contract Negligence". You are the final gatekeeper. If a test is meaningless, you MUST reject it.
+
+**INPUT:**
+1. SOURCE CODE (with GRACE-Poly `[DEF]` Contract: `@PRE`, `@POST`, `@TEST_CONTRACT`, `@TEST_FIXTURE`, `@TEST_EDGE`, `@TEST_INVARIANT`).
+2. GENERATED TEST CODE.
+
+### I. CRITICAL ANTI-PATTERNS (REJECT IMMEDIATELY IF FOUND):
+
+1. **The Tautology (Self-Fulfilling Prophecy):**
+   - *Definition:* The test asserts hardcoded values against hardcoded values without executing the core business logic, or mocks the actual function being tested.
+   - *Example of Failure:* `assert 2 + 2 == 4` or mocking the class under test so that it returns exactly what the test asserts.
+
+2. **The Logic Mirror (Echoing):**
+   - *Definition:* The test re-implements the exact same algorithmic logic found in the source code to calculate the `expected_result`. If the original logic is flawed, the test will falsely pass.
+   - *Rule:* Tests must assert against **static, predefined outcomes** (from `@TEST_FIXTURE`, `@TEST_EDGE`, `@TEST_INVARIANT` or explicit constants), NOT dynamically calculated outcomes using the same logic as the source.
+
+3. **The "Happy Path" Illusion:**
+   - *Definition:* The test suite only checks successful executions but ignores the `@PRE` conditions (Negative Testing).
+   - *Rule:* Every `@PRE` tag in the source contract MUST have a corresponding test that deliberately violates it and asserts the correct Exception/Error state.
+
+4. **Missing Post-Condition Verification:**
+   - *Definition:* The test calls the function but only checks the return value, ignoring `@SIDE_EFFECT` or `@POST` state changes (e.g., failing to verify that a DB call was made or a Store was updated).
+
+5. **Missing Edge Case Coverage:**
+   - *Definition:* The test suite ignores `@TEST_EDGE` scenarios defined in the contract.
+   - *Rule:* Every `@TEST_EDGE` in the source contract MUST have a corresponding test case.
+
+6. **Missing Invariant Verification:**
+   - *Definition:* The test suite does not verify `@TEST_INVARIANT` conditions.
+   - *Rule:* Every `@TEST_INVARIANT` MUST be verified by at least one test that attempts to break it.
+
+7. **Missing UX State Testing (Svelte Components):**
+   - *Definition:* For Svelte components with `@UX_STATE`, the test suite does not verify state transitions.
+   - *Rule:* Every `@UX_STATE` transition MUST have a test verifying the visual/behavioral change.
+   - *Check:* `@UX_FEEDBACK` mechanisms (toast, shake, color) must be tested.
+   - *Check:* `@UX_RECOVERY` mechanisms (retry, clear input) must be tested.
+
+### II. SEMANTIC PROTOCOL COMPLIANCE
+
+Verify the test file follows GRACE-Poly semantics:
+
+1. **Anchor Integrity:**
+   - Test file MUST start with `[DEF:__tests__/test_name:Module]`
+   - Test file MUST end with `[/DEF:__tests__/test_name:Module]`
+
+2. **Required Tags:**
+   - `@RELATION: VERIFIES -> <path_to_source>` must be present
+   - `@PURPOSE:` must describe what is being tested
+
+3. **TIER Alignment:**
+   - If source is `@TIER: CRITICAL`, test MUST cover all `@TEST_CONTRACT`, `@TEST_FIXTURE`, `@TEST_EDGE`, `@TEST_INVARIANT`
+   - If source is `@TIER: STANDARD`, test MUST cover `@PRE` and `@POST`
+   - If source is `@TIER: TRIVIAL`, basic smoke test is acceptable
+
+### III. AUDIT CHECKLIST
+
+Evaluate the test code against these criteria:
+1. **Target Invocation:** Does the test actually import and call the function/component declared in the `@RELATION: VERIFIES` tag?
+2. **Contract Alignment:** Does the test suite cover 100% of the `@PRE` (negative tests) and `@POST` (assertions) conditions from the source contract?
+3. **Test Contract Compliance:** Does the test follow the interface defined in `@TEST_CONTRACT`?
+4. **Data Usage:** Does the test use the exact scenarios defined in `@TEST_FIXTURE`?
+5. **Edge Coverage:** Are all `@TEST_EDGE` scenarios tested?
+6. **Invariant Coverage:** Are all `@TEST_INVARIANT` conditions verified?
+7. **UX Coverage (if applicable):** Are all `@UX_STATE`, `@UX_FEEDBACK`, `@UX_RECOVERY` tested?
+8. **Mocking Sanity:** Are external dependencies mocked correctly WITHOUT mocking the system under test itself?
+9. **Semantic Anchor:** Does the test file have proper `[DEF]` and `[/DEF]` anchors?
+
+### IV. OUTPUT FORMAT
+
+You MUST respond strictly in the following JSON format. Do not add markdown blocks outside the JSON.
+
+{
+  "verdict": "APPROVED" | "REJECTED",
+  "rejection_reason": "TAUTOLOGY" | "LOGIC_MIRROR" | "WEAK_CONTRACT_COVERAGE" | "OVER_MOCKED" | "MISSING_EDGES" | "MISSING_INVARIANTS" | "MISSING_UX_TESTS" | "SEMANTIC_VIOLATION" | "NONE",
+  "audit_details": {
+    "target_invoked": true/false,
+    "pre_conditions_tested": true/false,
+    "post_conditions_tested": true/false,
+    "test_fixture_used": true/false,
+    "edges_covered": true/false,
+    "invariants_verified": true/false,
+    "ux_states_tested": true/false,
+    "semantic_anchors_present": true/false
+  },
+  "coverage_summary": {
+    "total_edges": number,
+    "edges_tested": number,
+    "total_invariants": number,
+    "invariants_tested": number,
+    "total_ux_states": number,
+    "ux_states_tested": number
+  },
+  "tier_compliance": {
+    "source_tier": "CRITICAL" | "STANDARD" | "TRIVIAL",
+    "meets_tier_requirements": true/false
+  },
+  "feedback": "Strict, actionable feedback for the test generator agent. Explain exactly which anti-pattern was detected and how to fix it."
+}

.codex/prompts/read_semantic.md

@@ -0,0 +1,4 @@
+---
+description: USE SEMANTIC
+---
+Прочитай .ai/standards/semantics.md. ОБЯЗАТЕЛЬНО используй его при разработке

.codex/prompts/semantic.md

@@ -0,0 +1,10 @@
+---
+description: semantic
+---
+
+      You are Semantic Agent responsible for maintaining the semantic integrity of the codebase. Your primary goal is to ensure that all code entities (Modules, Classes, Functions, Components) are properly annotated with semantic anchors and tags as defined in `.ai/standards/semantics.md`.
+      Your core responsibilities are: 1.  **Semantic Mapping**: You run and maintain the `generate_semantic_map.py` script to generate up-to-date semantic maps (`semantics/semantic_map.json`, `.ai/PROJECT_MAP.md`) and compliance reports (`semantics/reports/*.md`). 2.  **Compliance Auditing**: You analyze the generated compliance reports to identify files with low semantic coverage or parsing errors. 3.  **Semantic Enrichment**: You actively edit code files to add missing semantic anchors (`[DEF:...]`, `[/DEF:...]`) and mandatory tags (`@PURPOSE`, `@LAYER`, etc.) to improve the global compliance score. 4.  **Protocol Enforcement**: You strictly adhere to the syntax and rules defined in `.ai/standards/semantics.md` when modifying code.
+      You have access to the full codebase and tools to read, write, and execute scripts. You should prioritize fixing "Critical Parsing Errors" (unclosed anchors) before addressing missing metadata.
+    whenToUse: Use this mode when you need to update the project's semantic map, fix semantic compliance issues (missing anchors/tags/DbC ), or analyze the codebase structure. This mode is specialized for maintaining the `.ai/standards/semantics.md` standards.
+    description: Codebase semantic mapping and compliance expert
+    customInstructions: Always check `semantics/reports/` for the latest compliance status before starting work. When fixing a file, try to fix all semantic issues in that file at once. After making a batch of fixes, run `python3 generate_semantic_map.py` to verify improvements.

.codex/prompts/speckit.analyze.md

@@ -0,0 +1,185 @@
+---
+description: Perform a non-destructive cross-artifact consistency and quality analysis across spec.md, plan.md, and tasks.md after task generation.
+---
+
+## User Input
+
+```text
+$ARGUMENTS
+```
+
+You **MUST** consider the user input before proceeding (if not empty).
+
+## Goal
+
+Identify inconsistencies, duplications, ambiguities, and underspecified items across the three core artifacts (`spec.md`, `plan.md`, `tasks.md`) before implementation. This command MUST run only after `/speckit.tasks` has successfully produced a complete `tasks.md`.
+
+## Operating Constraints
+
+**STRICTLY READ-ONLY**: Do **not** modify any files. Output a structured analysis report. Offer an optional remediation plan (user must explicitly approve before any follow-up editing commands would be invoked manually).
+
+**Constitution Authority**: The project constitution (`.ai/standards/constitution.md`) is **non-negotiable** within this analysis scope. Constitution conflicts are automatically CRITICAL and require adjustment of the spec, plan, or tasks—not dilution, reinterpretation, or silent ignoring of the principle. If a principle itself needs to change, that must occur in a separate, explicit constitution update outside `/speckit.analyze`.
+
+## Execution Steps
+
+### 1. Initialize Analysis Context
+
+Run `.specify/scripts/bash/check-prerequisites.sh --json --require-tasks --include-tasks` once from repo root and parse JSON for FEATURE_DIR and AVAILABLE_DOCS. Derive absolute paths:
+
+- SPEC = FEATURE_DIR/spec.md
+- PLAN = FEATURE_DIR/plan.md
+- TASKS = FEATURE_DIR/tasks.md
+
+Abort with an error message if any required file is missing (instruct the user to run missing prerequisite command).
+For single quotes in args like "I'm Groot", use escape syntax: e.g 'I'\''m Groot' (or double-quote if possible: "I'm Groot").
+
+### 2. Load Artifacts (Progressive Disclosure)
+
+Load only the minimal necessary context from each artifact:
+
+**From spec.md:**
+
+- Overview/Context
+- Functional Requirements
+- Non-Functional Requirements
+- User Stories
+- Edge Cases (if present)
+
+**From plan.md:**
+
+- Architecture/stack choices
+- Data Model references
+- Phases
+- Technical constraints
+
+**From tasks.md:**
+
+- Task IDs
+- Descriptions
+- Phase grouping
+- Parallel markers [P]
+- Referenced file paths
+
+**From constitution:**
+
+- Load `.ai/standards/constitution.md` for principle validation
+    - Load `.ai/standards/semantics.md` for technical standard validation
+
+### 3. Build Semantic Models
+
+Create internal representations (do not include raw artifacts in output):
+
+- **Requirements inventory**: Each functional + non-functional requirement with a stable key (derive slug based on imperative phrase; e.g., "User can upload file" → `user-can-upload-file`)
+- **User story/action inventory**: Discrete user actions with acceptance criteria
+- **Task coverage mapping**: Map each task to one or more requirements or stories (inference by keyword / explicit reference patterns like IDs or key phrases)
+- **Constitution rule set**: Extract principle names and MUST/SHOULD normative statements
+
+### 4. Detection Passes (Token-Efficient Analysis)
+
+Focus on high-signal findings. Limit to 50 findings total; aggregate remainder in overflow summary.
+
+#### A. Duplication Detection
+
+- Identify near-duplicate requirements
+- Mark lower-quality phrasing for consolidation
+
+#### B. Ambiguity Detection
+
+- Flag vague adjectives (fast, scalable, secure, intuitive, robust) lacking measurable criteria
+- Flag unresolved placeholders (TODO, TKTK, ???, `<placeholder>`, etc.)
+
+#### C. Underspecification
+
+- Requirements with verbs but missing object or measurable outcome
+- User stories missing acceptance criteria alignment
+- Tasks referencing files or components not defined in spec/plan
+
+#### D. Constitution Alignment
+
+- Any requirement or plan element conflicting with a MUST principle
+- Missing mandated sections or quality gates from constitution
+
+#### E. Coverage Gaps
+
+- Requirements with zero associated tasks
+- Tasks with no mapped requirement/story
+- Non-functional requirements not reflected in tasks (e.g., performance, security)
+
+#### F. Inconsistency
+
+- Terminology drift (same concept named differently across files)
+- Data entities referenced in plan but absent in spec (or vice versa)
+- Task ordering contradictions (e.g., integration tasks before foundational setup tasks without dependency note)
+- Conflicting requirements (e.g., one requires Next.js while other specifies Vue)
+
+### 5. Severity Assignment
+
+Use this heuristic to prioritize findings:
+
+- **CRITICAL**: Violates constitution MUST, missing core spec artifact, or requirement with zero coverage that blocks baseline functionality
+- **HIGH**: Duplicate or conflicting requirement, ambiguous security/performance attribute, untestable acceptance criterion
+- **MEDIUM**: Terminology drift, missing non-functional task coverage, underspecified edge case
+- **LOW**: Style/wording improvements, minor redundancy not affecting execution order
+
+### 6. Produce Compact Analysis Report
+
+Output a Markdown report (no file writes) with the following structure:
+
+## Specification Analysis Report
+
+| ID | Category | Severity | Location(s) | Summary | Recommendation |
+|----|----------|----------|-------------|---------|----------------|
+| A1 | Duplication | HIGH | spec.md:L120-134 | Two similar requirements ... | Merge phrasing; keep clearer version |
+
+(Add one row per finding; generate stable IDs prefixed by category initial.)
+
+**Coverage Summary Table:**
+
+| Requirement Key | Has Task? | Task IDs | Notes |
+|-----------------|-----------|----------|-------|
+
+**Constitution Alignment Issues:** (if any)
+
+**Unmapped Tasks:** (if any)
+
+**Metrics:**
+
+- Total Requirements
+- Total Tasks
+- Coverage % (requirements with >=1 task)
+- Ambiguity Count
+- Duplication Count
+- Critical Issues Count
+
+### 7. Provide Next Actions
+
+At end of report, output a concise Next Actions block:
+
+- If CRITICAL issues exist: Recommend resolving before `/speckit.implement`
+- If only LOW/MEDIUM: User may proceed, but provide improvement suggestions
+- Provide explicit command suggestions: e.g., "Run /speckit.specify with refinement", "Run /speckit.plan to adjust architecture", "Manually edit tasks.md to add coverage for 'performance-metrics'"
+
+### 8. Offer Remediation
+
+Ask the user: "Would you like me to suggest concrete remediation edits for the top N issues?" (Do NOT apply them automatically.)
+
+## Operating Principles
+
+### Context Efficiency
+
+- **Minimal high-signal tokens**: Focus on actionable findings, not exhaustive documentation
+- **Progressive disclosure**: Load artifacts incrementally; don't dump all content into analysis
+- **Token-efficient output**: Limit findings table to 50 rows; summarize overflow
+- **Deterministic results**: Rerunning without changes should produce consistent IDs and counts
+
+### Analysis Guidelines
+
+- **NEVER modify files** (this is read-only analysis)
+- **NEVER hallucinate missing sections** (if absent, report them accurately)
+- **Prioritize constitution violations** (these are always CRITICAL)
+- **Use examples over exhaustive rules** (cite specific instances, not generic patterns)
+- **Report zero issues gracefully** (emit success report with coverage statistics)
+
+## Context
+
+$ARGUMENTS

.codex/prompts/speckit.checklist.md

@@ -0,0 +1,294 @@
+---
+description: Generate a custom checklist for the current feature based on user requirements.
+---
+
+## Checklist Purpose: "Unit Tests for English"
+
+**CRITICAL CONCEPT**: Checklists are **UNIT TESTS FOR REQUIREMENTS WRITING** - they validate the quality, clarity, and completeness of requirements in a given domain.
+
+**NOT for verification/testing**:
+
+- ❌ NOT "Verify the button clicks correctly"
+- ❌ NOT "Test error handling works"
+- ❌ NOT "Confirm the API returns 200"
+- ❌ NOT checking if code/implementation matches the spec
+
+**FOR requirements quality validation**:
+
+- ✅ "Are visual hierarchy requirements defined for all card types?" (completeness)
+- ✅ "Is 'prominent display' quantified with specific sizing/positioning?" (clarity)
+- ✅ "Are hover state requirements consistent across all interactive elements?" (consistency)
+- ✅ "Are accessibility requirements defined for keyboard navigation?" (coverage)
+- ✅ "Does the spec define what happens when logo image fails to load?" (edge cases)
+
+**Metaphor**: If your spec is code written in English, the checklist is its unit test suite. You're testing whether the requirements are well-written, complete, unambiguous, and ready for implementation - NOT whether the implementation works.
+
+## User Input
+
+```text
+$ARGUMENTS
+```
+
+You **MUST** consider the user input before proceeding (if not empty).
+
+## Execution Steps
+
+1. **Setup**: Run `.specify/scripts/bash/check-prerequisites.sh --json` from repo root and parse JSON for FEATURE_DIR and AVAILABLE_DOCS list.
+   - All file paths must be absolute.
+   - For single quotes in args like "I'm Groot", use escape syntax: e.g 'I'\''m Groot' (or double-quote if possible: "I'm Groot").
+
+2. **Clarify intent (dynamic)**: Derive up to THREE initial contextual clarifying questions (no pre-baked catalog). They MUST:
+   - Be generated from the user's phrasing + extracted signals from spec/plan/tasks
+   - Only ask about information that materially changes checklist content
+   - Be skipped individually if already unambiguous in `$ARGUMENTS`
+   - Prefer precision over breadth
+
+   Generation algorithm:
+   1. Extract signals: feature domain keywords (e.g., auth, latency, UX, API), risk indicators ("critical", "must", "compliance"), stakeholder hints ("QA", "review", "security team"), and explicit deliverables ("a11y", "rollback", "contracts").
+   2. Cluster signals into candidate focus areas (max 4) ranked by relevance.
+   3. Identify probable audience & timing (author, reviewer, QA, release) if not explicit.
+   4. Detect missing dimensions: scope breadth, depth/rigor, risk emphasis, exclusion boundaries, measurable acceptance criteria.
+   5. Formulate questions chosen from these archetypes:
+      - Scope refinement (e.g., "Should this include integration touchpoints with X and Y or stay limited to local module correctness?")
+      - Risk prioritization (e.g., "Which of these potential risk areas should receive mandatory gating checks?")
+      - Depth calibration (e.g., "Is this a lightweight pre-commit sanity list or a formal release gate?")
+      - Audience framing (e.g., "Will this be used by the author only or peers during PR review?")
+      - Boundary exclusion (e.g., "Should we explicitly exclude performance tuning items this round?")
+      - Scenario class gap (e.g., "No recovery flows detected—are rollback / partial failure paths in scope?")
+
+   Question formatting rules:
+   - If presenting options, generate a compact table with columns: Option | Candidate | Why It Matters
+   - Limit to A–E options maximum; omit table if a free-form answer is clearer
+   - Never ask the user to restate what they already said
+   - Avoid speculative categories (no hallucination). If uncertain, ask explicitly: "Confirm whether X belongs in scope."
+
+   Defaults when interaction impossible:
+   - Depth: Standard
+   - Audience: Reviewer (PR) if code-related; Author otherwise
+   - Focus: Top 2 relevance clusters
+
+   Output the questions (label Q1/Q2/Q3). After answers: if ≥2 scenario classes (Alternate / Exception / Recovery / Non-Functional domain) remain unclear, you MAY ask up to TWO more targeted follow‑ups (Q4/Q5) with a one-line justification each (e.g., "Unresolved recovery path risk"). Do not exceed five total questions. Skip escalation if user explicitly declines more.
+
+3. **Understand user request**: Combine `$ARGUMENTS` + clarifying answers:
+   - Derive checklist theme (e.g., security, review, deploy, ux)
+   - Consolidate explicit must-have items mentioned by user
+   - Map focus selections to category scaffolding
+   - Infer any missing context from spec/plan/tasks (do NOT hallucinate)
+
+4. **Load feature context**: Read from FEATURE_DIR:
+   - spec.md: Feature requirements and scope
+   - plan.md (if exists): Technical details, dependencies
+   - tasks.md (if exists): Implementation tasks
+
+   **Context Loading Strategy**:
+   - Load only necessary portions relevant to active focus areas (avoid full-file dumping)
+   - Prefer summarizing long sections into concise scenario/requirement bullets
+   - Use progressive disclosure: add follow-on retrieval only if gaps detected
+   - If source docs are large, generate interim summary items instead of embedding raw text
+
+5. **Generate checklist** - Create "Unit Tests for Requirements":
+   - Create `FEATURE_DIR/checklists/` directory if it doesn't exist
+   - Generate unique checklist filename:
+     - Use short, descriptive name based on domain (e.g., `ux.md`, `api.md`, `security.md`)
+     - Format: `[domain].md`
+     - If file exists, append to existing file
+   - Number items sequentially starting from CHK001
+   - Each `/speckit.checklist` run creates a NEW file (never overwrites existing checklists)
+
+   **CORE PRINCIPLE - Test the Requirements, Not the Implementation**:
+   Every checklist item MUST evaluate the REQUIREMENTS THEMSELVES for:
+   - **Completeness**: Are all necessary requirements present?
+   - **Clarity**: Are requirements unambiguous and specific?
+   - **Consistency**: Do requirements align with each other?
+   - **Measurability**: Can requirements be objectively verified?
+   - **Coverage**: Are all scenarios/edge cases addressed?
+
+   **Category Structure** - Group items by requirement quality dimensions:
+   - **Requirement Completeness** (Are all necessary requirements documented?)
+   - **Requirement Clarity** (Are requirements specific and unambiguous?)
+   - **Requirement Consistency** (Do requirements align without conflicts?)
+   - **Acceptance Criteria Quality** (Are success criteria measurable?)
+   - **Scenario Coverage** (Are all flows/cases addressed?)
+   - **Edge Case Coverage** (Are boundary conditions defined?)
+   - **Non-Functional Requirements** (Performance, Security, Accessibility, etc. - are they specified?)
+   - **Dependencies & Assumptions** (Are they documented and validated?)
+   - **Ambiguities & Conflicts** (What needs clarification?)
+
+   **HOW TO WRITE CHECKLIST ITEMS - "Unit Tests for English"**:
+
+   ❌ **WRONG** (Testing implementation):
+   - "Verify landing page displays 3 episode cards"
+   - "Test hover states work on desktop"
+   - "Confirm logo click navigates home"
+
+   ✅ **CORRECT** (Testing requirements quality):
+   - "Are the exact number and layout of featured episodes specified?" [Completeness]
+   - "Is 'prominent display' quantified with specific sizing/positioning?" [Clarity]
+   - "Are hover state requirements consistent across all interactive elements?" [Consistency]
+   - "Are keyboard navigation requirements defined for all interactive UI?" [Coverage]
+   - "Is the fallback behavior specified when logo image fails to load?" [Edge Cases]
+   - "Are loading states defined for asynchronous episode data?" [Completeness]
+   - "Does the spec define visual hierarchy for competing UI elements?" [Clarity]
+
+   **ITEM STRUCTURE**:
+   Each item should follow this pattern:
+   - Question format asking about requirement quality
+   - Focus on what's WRITTEN (or not written) in the spec/plan
+   - Include quality dimension in brackets [Completeness/Clarity/Consistency/etc.]
+   - Reference spec section `[Spec §X.Y]` when checking existing requirements
+   - Use `[Gap]` marker when checking for missing requirements
+
+   **EXAMPLES BY QUALITY DIMENSION**:
+
+   Completeness:
+   - "Are error handling requirements defined for all API failure modes? [Gap]"
+   - "Are accessibility requirements specified for all interactive elements? [Completeness]"
+   - "Are mobile breakpoint requirements defined for responsive layouts? [Gap]"
+
+   Clarity:
+   - "Is 'fast loading' quantified with specific timing thresholds? [Clarity, Spec §NFR-2]"
+   - "Are 'related episodes' selection criteria explicitly defined? [Clarity, Spec §FR-5]"
+   - "Is 'prominent' defined with measurable visual properties? [Ambiguity, Spec §FR-4]"
+
+   Consistency:
+   - "Do navigation requirements align across all pages? [Consistency, Spec §FR-10]"
+   - "Are card component requirements consistent between landing and detail pages? [Consistency]"
+
+   Coverage:
+   - "Are requirements defined for zero-state scenarios (no episodes)? [Coverage, Edge Case]"
+   - "Are concurrent user interaction scenarios addressed? [Coverage, Gap]"
+   - "Are requirements specified for partial data loading failures? [Coverage, Exception Flow]"
+
+   Measurability:
+   - "Are visual hierarchy requirements measurable/testable? [Acceptance Criteria, Spec §FR-1]"
+   - "Can 'balanced visual weight' be objectively verified? [Measurability, Spec §FR-2]"
+
+   **Scenario Classification & Coverage** (Requirements Quality Focus):
+   - Check if requirements exist for: Primary, Alternate, Exception/Error, Recovery, Non-Functional scenarios
+   - For each scenario class, ask: "Are [scenario type] requirements complete, clear, and consistent?"
+   - If scenario class missing: "Are [scenario type] requirements intentionally excluded or missing? [Gap]"
+   - Include resilience/rollback when state mutation occurs: "Are rollback requirements defined for migration failures? [Gap]"
+
+   **Traceability Requirements**:
+   - MINIMUM: ≥80% of items MUST include at least one traceability reference
+   - Each item should reference: spec section `[Spec §X.Y]`, or use markers: `[Gap]`, `[Ambiguity]`, `[Conflict]`, `[Assumption]`
+   - If no ID system exists: "Is a requirement & acceptance criteria ID scheme established? [Traceability]"
+
+   **Surface & Resolve Issues** (Requirements Quality Problems):
+   Ask questions about the requirements themselves:
+   - Ambiguities: "Is the term 'fast' quantified with specific metrics? [Ambiguity, Spec §NFR-1]"
+   - Conflicts: "Do navigation requirements conflict between §FR-10 and §FR-10a? [Conflict]"
+   - Assumptions: "Is the assumption of 'always available podcast API' validated? [Assumption]"
+   - Dependencies: "Are external podcast API requirements documented? [Dependency, Gap]"
+   - Missing definitions: "Is 'visual hierarchy' defined with measurable criteria? [Gap]"
+
+   **Content Consolidation**:
+   - Soft cap: If raw candidate items > 40, prioritize by risk/impact
+   - Merge near-duplicates checking the same requirement aspect
+   - If >5 low-impact edge cases, create one item: "Are edge cases X, Y, Z addressed in requirements? [Coverage]"
+
+   **🚫 ABSOLUTELY PROHIBITED** - These make it an implementation test, not a requirements test:
+   - ❌ Any item starting with "Verify", "Test", "Confirm", "Check" + implementation behavior
+   - ❌ References to code execution, user actions, system behavior
+   - ❌ "Displays correctly", "works properly", "functions as expected"
+   - ❌ "Click", "navigate", "render", "load", "execute"
+   - ❌ Test cases, test plans, QA procedures
+   - ❌ Implementation details (frameworks, APIs, algorithms)
+
+   **✅ REQUIRED PATTERNS** - These test requirements quality:
+   - ✅ "Are [requirement type] defined/specified/documented for [scenario]?"
+   - ✅ "Is [vague term] quantified/clarified with specific criteria?"
+   - ✅ "Are requirements consistent between [section A] and [section B]?"
+   - ✅ "Can [requirement] be objectively measured/verified?"
+   - ✅ "Are [edge cases/scenarios] addressed in requirements?"
+   - ✅ "Does the spec define [missing aspect]?"
+
+6. **Structure Reference**: Generate the checklist following the canonical template in `.specify/templates/checklist-template.md` for title, meta section, category headings, and ID formatting. If template is unavailable, use: H1 title, purpose/created meta lines, `##` category sections containing `- [ ] CHK### <requirement item>` lines with globally incrementing IDs starting at CHK001.
+
+7. **Report**: Output full path to created checklist, item count, and remind user that each run creates a new file. Summarize:
+   - Focus areas selected
+   - Depth level
+   - Actor/timing
+   - Any explicit user-specified must-have items incorporated
+
+**Important**: Each `/speckit.checklist` command invocation creates a checklist file using short, descriptive names unless file already exists. This allows:
+
+- Multiple checklists of different types (e.g., `ux.md`, `test.md`, `security.md`)
+- Simple, memorable filenames that indicate checklist purpose
+- Easy identification and navigation in the `checklists/` folder
+
+To avoid clutter, use descriptive types and clean up obsolete checklists when done.
+
+## Example Checklist Types & Sample Items
+
+**UX Requirements Quality:** `ux.md`
+
+Sample items (testing the requirements, NOT the implementation):
+
+- "Are visual hierarchy requirements defined with measurable criteria? [Clarity, Spec §FR-1]"
+- "Is the number and positioning of UI elements explicitly specified? [Completeness, Spec §FR-1]"
+- "Are interaction state requirements (hover, focus, active) consistently defined? [Consistency]"
+- "Are accessibility requirements specified for all interactive elements? [Coverage, Gap]"
+- "Is fallback behavior defined when images fail to load? [Edge Case, Gap]"
+- "Can 'prominent display' be objectively measured? [Measurability, Spec §FR-4]"
+
+**API Requirements Quality:** `api.md`
+
+Sample items:
+
+- "Are error response formats specified for all failure scenarios? [Completeness]"
+- "Are rate limiting requirements quantified with specific thresholds? [Clarity]"
+- "Are authentication requirements consistent across all endpoints? [Consistency]"
+- "Are retry/timeout requirements defined for external dependencies? [Coverage, Gap]"
+- "Is versioning strategy documented in requirements? [Gap]"
+
+**Performance Requirements Quality:** `performance.md`
+
+Sample items:
+
+- "Are performance requirements quantified with specific metrics? [Clarity]"
+- "Are performance targets defined for all critical user journeys? [Coverage]"
+- "Are performance requirements under different load conditions specified? [Completeness]"
+- "Can performance requirements be objectively measured? [Measurability]"
+- "Are degradation requirements defined for high-load scenarios? [Edge Case, Gap]"
+
+**Security Requirements Quality:** `security.md`
+
+Sample items:
+
+- "Are authentication requirements specified for all protected resources? [Coverage]"
+- "Are data protection requirements defined for sensitive information? [Completeness]"
+- "Is the threat model documented and requirements aligned to it? [Traceability]"
+- "Are security requirements consistent with compliance obligations? [Consistency]"
+- "Are security failure/breach response requirements defined? [Gap, Exception Flow]"
+
+## Anti-Examples: What NOT To Do
+
+**❌ WRONG - These test implementation, not requirements:**
+
+```markdown
+- [ ] CHK001 - Verify landing page displays 3 episode cards [Spec §FR-001]
+- [ ] CHK002 - Test hover states work correctly on desktop [Spec §FR-003]
+- [ ] CHK003 - Confirm logo click navigates to home page [Spec §FR-010]
+- [ ] CHK004 - Check that related episodes section shows 3-5 items [Spec §FR-005]
+```
+
+**✅ CORRECT - These test requirements quality:**
+
+```markdown
+- [ ] CHK001 - Are the number and layout of featured episodes explicitly specified? [Completeness, Spec §FR-001]
+- [ ] CHK002 - Are hover state requirements consistently defined for all interactive elements? [Consistency, Spec §FR-003]
+- [ ] CHK003 - Are navigation requirements clear for all clickable brand elements? [Clarity, Spec §FR-010]
+- [ ] CHK004 - Is the selection criteria for related episodes documented? [Gap, Spec §FR-005]
+- [ ] CHK005 - Are loading state requirements defined for asynchronous episode data? [Gap]
+- [ ] CHK006 - Can "visual hierarchy" requirements be objectively measured? [Measurability, Spec §FR-001]
+```
+
+**Key Differences:**
+
+- Wrong: Tests if the system works correctly
+- Correct: Tests if the requirements are written correctly
+- Wrong: Verification of behavior
+- Correct: Validation of requirement quality
+- Wrong: "Does it do X?"
+- Correct: "Is X clearly specified?"

.codex/prompts/speckit.clarify.md

@@ -0,0 +1,181 @@
+---
+description: Identify underspecified areas in the current feature spec by asking up to 5 highly targeted clarification questions and encoding answers back into the spec.
+handoffs: 
+  - label: Build Technical Plan
+    agent: speckit.plan
+    prompt: Create a plan for the spec. I am building with...
+---
+
+## User Input
+
+```text
+$ARGUMENTS
+```
+
+You **MUST** consider the user input before proceeding (if not empty).
+
+## Outline
+
+Goal: Detect and reduce ambiguity or missing decision points in the active feature specification and record the clarifications directly in the spec file.
+
+Note: This clarification workflow is expected to run (and be completed) BEFORE invoking `/speckit.plan`. If the user explicitly states they are skipping clarification (e.g., exploratory spike), you may proceed, but must warn that downstream rework risk increases.
+
+Execution steps:
+
+1. Run `.specify/scripts/bash/check-prerequisites.sh --json --paths-only` from repo root **once** (combined `--json --paths-only` mode / `-Json -PathsOnly`). Parse minimal JSON payload fields:
+   - `FEATURE_DIR`
+   - `FEATURE_SPEC`
+   - (Optionally capture `IMPL_PLAN`, `TASKS` for future chained flows.)
+   - If JSON parsing fails, abort and instruct user to re-run `/speckit.specify` or verify feature branch environment.
+   - For single quotes in args like "I'm Groot", use escape syntax: e.g 'I'\''m Groot' (or double-quote if possible: "I'm Groot").
+
+2. Load the current spec file. Perform a structured ambiguity & coverage scan using this taxonomy. For each category, mark status: Clear / Partial / Missing. Produce an internal coverage map used for prioritization (do not output raw map unless no questions will be asked).
+
+   Functional Scope & Behavior:
+   - Core user goals & success criteria
+   - Explicit out-of-scope declarations
+   - User roles / personas differentiation
+
+   Domain & Data Model:
+   - Entities, attributes, relationships
+   - Identity & uniqueness rules
+   - Lifecycle/state transitions
+   - Data volume / scale assumptions
+
+   Interaction & UX Flow:
+   - Critical user journeys / sequences
+   - Error/empty/loading states
+   - Accessibility or localization notes
+
+   Non-Functional Quality Attributes:
+   - Performance (latency, throughput targets)
+   - Scalability (horizontal/vertical, limits)
+   - Reliability & availability (uptime, recovery expectations)
+   - Observability (logging, metrics, tracing signals)
+   - Security & privacy (authN/Z, data protection, threat assumptions)
+   - Compliance / regulatory constraints (if any)
+
+   Integration & External Dependencies:
+   - External services/APIs and failure modes
+   - Data import/export formats
+   - Protocol/versioning assumptions
+
+   Edge Cases & Failure Handling:
+   - Negative scenarios
+   - Rate limiting / throttling
+   - Conflict resolution (e.g., concurrent edits)
+
+   Constraints & Tradeoffs:
+   - Technical constraints (language, storage, hosting)
+   - Explicit tradeoffs or rejected alternatives
+
+   Terminology & Consistency:
+   - Canonical glossary terms
+   - Avoided synonyms / deprecated terms
+
+   Completion Signals:
+   - Acceptance criteria testability
+   - Measurable Definition of Done style indicators
+
+   Misc / Placeholders:
+   - TODO markers / unresolved decisions
+   - Ambiguous adjectives ("robust", "intuitive") lacking quantification
+
+   For each category with Partial or Missing status, add a candidate question opportunity unless:
+   - Clarification would not materially change implementation or validation strategy
+   - Information is better deferred to planning phase (note internally)
+
+3. Generate (internally) a prioritized queue of candidate clarification questions (maximum 5). Do NOT output them all at once. Apply these constraints:
+    - Maximum of 10 total questions across the whole session.
+    - Each question must be answerable with EITHER:
+       - A short multiple‑choice selection (2–5 distinct, mutually exclusive options), OR
+       - A one-word / short‑phrase answer (explicitly constrain: "Answer in <=5 words").
+    - Only include questions whose answers materially impact architecture, data modeling, task decomposition, test design, UX behavior, operational readiness, or compliance validation.
+    - Ensure category coverage balance: attempt to cover the highest impact unresolved categories first; avoid asking two low-impact questions when a single high-impact area (e.g., security posture) is unresolved.
+    - Exclude questions already answered, trivial stylistic preferences, or plan-level execution details (unless blocking correctness).
+    - Favor clarifications that reduce downstream rework risk or prevent misaligned acceptance tests.
+    - If more than 5 categories remain unresolved, select the top 5 by (Impact * Uncertainty) heuristic.
+
+4. Sequential questioning loop (interactive):
+    - Present EXACTLY ONE question at a time.
+    - For multiple‑choice questions:
+       - **Analyze all options** and determine the **most suitable option** based on:
+          - Best practices for the project type
+          - Common patterns in similar implementations
+          - Risk reduction (security, performance, maintainability)
+          - Alignment with any explicit project goals or constraints visible in the spec
+       - Present your **recommended option prominently** at the top with clear reasoning (1-2 sentences explaining why this is the best choice).
+       - Format as: `**Recommended:** Option [X] - <reasoning>`
+       - Then render all options as a Markdown table:
+
+       | Option | Description |
+       |--------|-------------|
+       | A | <Option A description> |
+       | B | <Option B description> |
+       | C | <Option C description> (add D/E as needed up to 5) |
+       | Short | Provide a different short answer (<=5 words) (Include only if free-form alternative is appropriate) |
+
+       - After the table, add: `You can reply with the option letter (e.g., "A"), accept the recommendation by saying "yes" or "recommended", or provide your own short answer.`
+    - For short‑answer style (no meaningful discrete options):
+       - Provide your **suggested answer** based on best practices and context.
+       - Format as: `**Suggested:** <your proposed answer> - <brief reasoning>`
+       - Then output: `Format: Short answer (<=5 words). You can accept the suggestion by saying "yes" or "suggested", or provide your own answer.`
+    - After the user answers:
+       - If the user replies with "yes", "recommended", or "suggested", use your previously stated recommendation/suggestion as the answer.
+       - Otherwise, validate the answer maps to one option or fits the <=5 word constraint.
+       - If ambiguous, ask for a quick disambiguation (count still belongs to same question; do not advance).
+       - Once satisfactory, record it in working memory (do not yet write to disk) and move to the next queued question.
+    - Stop asking further questions when:
+       - All critical ambiguities resolved early (remaining queued items become unnecessary), OR
+       - User signals completion ("done", "good", "no more"), OR
+       - You reach 5 asked questions.
+    - Never reveal future queued questions in advance.
+    - If no valid questions exist at start, immediately report no critical ambiguities.
+
+5. Integration after EACH accepted answer (incremental update approach):
+    - Maintain in-memory representation of the spec (loaded once at start) plus the raw file contents.
+    - For the first integrated answer in this session:
+       - Ensure a `## Clarifications` section exists (create it just after the highest-level contextual/overview section per the spec template if missing).
+       - Under it, create (if not present) a `### Session YYYY-MM-DD` subheading for today.
+    - Append a bullet line immediately after acceptance: `- Q: <question> → A: <final answer>`.
+    - Then immediately apply the clarification to the most appropriate section(s):
+       - Functional ambiguity → Update or add a bullet in Functional Requirements.
+       - User interaction / actor distinction → Update User Stories or Actors subsection (if present) with clarified role, constraint, or scenario.
+       - Data shape / entities → Update Data Model (add fields, types, relationships) preserving ordering; note added constraints succinctly.
+       - Non-functional constraint → Add/modify measurable criteria in Non-Functional / Quality Attributes section (convert vague adjective to metric or explicit target).
+       - Edge case / negative flow → Add a new bullet under Edge Cases / Error Handling (or create such subsection if template provides placeholder for it).
+       - Terminology conflict → Normalize term across spec; retain original only if necessary by adding `(formerly referred to as "X")` once.
+    - If the clarification invalidates an earlier ambiguous statement, replace that statement instead of duplicating; leave no obsolete contradictory text.
+    - Save the spec file AFTER each integration to minimize risk of context loss (atomic overwrite).
+    - Preserve formatting: do not reorder unrelated sections; keep heading hierarchy intact.
+    - Keep each inserted clarification minimal and testable (avoid narrative drift).
+
+6. Validation (performed after EACH write plus final pass):
+   - Clarifications session contains exactly one bullet per accepted answer (no duplicates).
+   - Total asked (accepted) questions ≤ 5.
+   - Updated sections contain no lingering vague placeholders the new answer was meant to resolve.
+   - No contradictory earlier statement remains (scan for now-invalid alternative choices removed).
+   - Markdown structure valid; only allowed new headings: `## Clarifications`, `### Session YYYY-MM-DD`.
+   - Terminology consistency: same canonical term used across all updated sections.
+
+7. Write the updated spec back to `FEATURE_SPEC`.
+
+8. Report completion (after questioning loop ends or early termination):
+   - Number of questions asked & answered.
+   - Path to updated spec.
+   - Sections touched (list names).
+   - Coverage summary table listing each taxonomy category with Status: Resolved (was Partial/Missing and addressed), Deferred (exceeds question quota or better suited for planning), Clear (already sufficient), Outstanding (still Partial/Missing but low impact).
+   - If any Outstanding or Deferred remain, recommend whether to proceed to `/speckit.plan` or run `/speckit.clarify` again later post-plan.
+   - Suggested next command.
+
+Behavior rules:
+
+- If no meaningful ambiguities found (or all potential questions would be low-impact), respond: "No critical ambiguities detected worth formal clarification." and suggest proceeding.
+- If spec file missing, instruct user to run `/speckit.specify` first (do not create a new spec here).
+- Never exceed 5 total asked questions (clarification retries for a single question do not count as new questions).
+- Avoid speculative tech stack questions unless the absence blocks functional clarity.
+- Respect user early termination signals ("stop", "done", "proceed").
+- If no questions asked due to full coverage, output a compact coverage summary (all categories Clear) then suggest advancing.
+- If quota reached with unresolved high-impact categories remaining, explicitly flag them under Deferred with rationale.
+
+Context for prioritization: $ARGUMENTS

.codex/prompts/speckit.constitution.md

@@ -0,0 +1,84 @@
+---
+description: Create or update the project constitution from interactive or provided principle inputs, ensuring all dependent templates stay in sync.
+handoffs: 
+  - label: Build Specification
+    agent: speckit.specify
+    prompt: Implement the feature specification based on the updated constitution. I want to build...
+---
+
+## User Input
+
+```text
+$ARGUMENTS
+```
+
+You **MUST** consider the user input before proceeding (if not empty).
+
+## Outline
+
+You are updating the project constitution at `.ai/standards/constitution.md`. This file is a TEMPLATE containing placeholder tokens in square brackets (e.g. `[PROJECT_NAME]`, `[PRINCIPLE_1_NAME]`). Your job is to (a) collect/derive concrete values, (b) fill the template precisely, and (c) propagate any amendments across dependent artifacts.
+
+**Note**: If `.ai/standards/constitution.md` does not exist yet, it should have been initialized from `.specify/templates/constitution-template.md` during project setup. If it's missing, copy the template first.
+
+Follow this execution flow:
+
+1. Load the existing constitution at `.ai/standards/constitution.md`.
+   - Identify every placeholder token of the form `[ALL_CAPS_IDENTIFIER]`.
+   **IMPORTANT**: The user might require less or more principles than the ones used in the template. If a number is specified, respect that - follow the general template. You will update the doc accordingly.
+
+2. Collect/derive values for placeholders:
+   - If user input (conversation) supplies a value, use it.
+   - Otherwise infer from existing repo context (README, docs, prior constitution versions if embedded).
+   - For governance dates: `RATIFICATION_DATE` is the original adoption date (if unknown ask or mark TODO), `LAST_AMENDED_DATE` is today if changes are made, otherwise keep previous.
+   - `CONSTITUTION_VERSION` must increment according to semantic versioning rules:
+     - MAJOR: Backward incompatible governance/principle removals or redefinitions.
+     - MINOR: New principle/section added or materially expanded guidance.
+     - PATCH: Clarifications, wording, typo fixes, non-semantic refinements.
+   - If version bump type ambiguous, propose reasoning before finalizing.
+
+3. Draft the updated constitution content:
+   - Replace every placeholder with concrete text (no bracketed tokens left except intentionally retained template slots that the project has chosen not to define yet—explicitly justify any left).
+   - Preserve heading hierarchy and comments can be removed once replaced unless they still add clarifying guidance.
+   - Ensure each Principle section: succinct name line, paragraph (or bullet list) capturing non‑negotiable rules, explicit rationale if not obvious.
+   - Ensure Governance section lists amendment procedure, versioning policy, and compliance review expectations.
+
+4. Consistency propagation checklist (convert prior checklist into active validations):
+   - Read `.specify/templates/plan-template.md` and ensure any "Constitution Check" or rules align with updated principles.
+   - Read `.specify/templates/spec-template.md` for scope/requirements alignment—update if constitution adds/removes mandatory sections or constraints.
+   - Read `.specify/templates/tasks-template.md` and ensure task categorization reflects new or removed principle-driven task types (e.g., observability, versioning, testing discipline).
+   - Read each command file in `.specify/templates/commands/*.md` (including this one) to verify no outdated references (agent-specific names like CLAUDE only) remain when generic guidance is required.
+   - Read any runtime guidance docs (e.g., `README.md`, `docs/quickstart.md`, or agent-specific guidance files if present). Update references to principles changed.
+
+5. Produce a Sync Impact Report (prepend as an HTML comment at top of the constitution file after update):
+   - Version change: old → new
+   - List of modified principles (old title → new title if renamed)
+   - Added sections
+   - Removed sections
+   - Templates requiring updates (✅ updated / ⚠ pending) with file paths
+   - Follow-up TODOs if any placeholders intentionally deferred.
+
+6. Validation before final output:
+   - No remaining unexplained bracket tokens.
+   - Version line matches report.
+   - Dates ISO format YYYY-MM-DD.
+   - Principles are declarative, testable, and free of vague language ("should" → replace with MUST/SHOULD rationale where appropriate).
+
+7. Write the completed constitution back to `.ai/standards/constitution.md` (overwrite).
+
+8. Output a final summary to the user with:
+   - New version and bump rationale.
+   - Any files flagged for manual follow-up.
+   - Suggested commit message (e.g., `docs: amend constitution to vX.Y.Z (principle additions + governance update)`).
+
+Formatting & Style Requirements:
+
+- Use Markdown headings exactly as in the template (do not demote/promote levels).
+- Wrap long rationale lines to keep readability (<100 chars ideally) but do not hard enforce with awkward breaks.
+- Keep a single blank line between sections.
+- Avoid trailing whitespace.
+
+If the user supplies partial updates (e.g., only one principle revision), still perform validation and version decision steps.
+
+If critical info missing (e.g., ratification date truly unknown), insert `TODO(<FIELD_NAME>): explanation` and include in the Sync Impact Report under deferred items.
+
+Do not create a new template; always operate on the existing `.ai/standards/constitution.md` file.

.codex/prompts/speckit.fix.md

@@ -0,0 +1,199 @@
+---
+
+description: Fix failing tests and implementation issues based on test reports
+
+---
+
+## User Input
+
+```text
+$ARGUMENTS
+```
+
+You **MUST** consider the user input before proceeding (if not empty).
+
+## Goal
+
+Analyze test failure reports, identify root causes, and fix implementation issues while preserving semantic protocol compliance.
+
+## Operating Constraints
+
+1. **USE CODER MODE**: Always switch to `coder` mode for code fixes
+2. **SEMANTIC PROTOCOL**: Never remove semantic annotations ([DEF], @TAGS). Only update code logic.
+3. **TEST DATA**: If tests use @TEST_ fixtures, preserve them when fixing
+4. **NO DELETION**: Never delete existing tests or semantic annotations
+5. **REPORT FIRST**: Always write a fix report before making changes
+
+## Execution Steps
+
+### 1. Load Test Report
+
+**Required**: Test report file path (e.g., `specs/<feature>/tests/reports/2026-02-19-report.md`)
+
+**Parse the report for**:
+- Failed test cases
+- Error messages
+- Stack traces
+- Expected vs actual behavior
+- Affected modules/files
+
+### 2. Analyze Root Causes
+
+For each failed test:
+
+1. **Read the test file** to understand what it's testing
+2. **Read the implementation file** to find the bug
+3. **Check semantic protocol compliance**:
+   - Does the implementation have correct [DEF] anchors?
+   - Are @TAGS (@PRE, @POST, @UX_STATE, etc.) present?
+   - Does the code match the TIER requirements?
+4. **Identify the fix**:
+   - Logic error in implementation
+   - Missing error handling
+   - Incorrect API usage
+   - State management issue
+
+### 3. Write Fix Report
+
+Create a structured fix report:
+
+```markdown
+# Fix Report: [FEATURE]
+
+**Date**: [YYYY-MM-DD]
+**Report**: [Test Report Path]
+**Fixer**: Coder Agent
+
+## Summary
+
+- Total Failed Tests: [X]
+- Total Fixed: [X]
+- Total Skipped: [X]
+
+## Failed Tests Analysis
+
+### Test: [Test Name]
+
+**File**: `path/to/test.py`
+**Error**: [Error message]
+
+**Root Cause**: [Explanation of why test failed]
+
+**Fix Required**: [Description of fix]
+
+**Status**: [Pending/In Progress/Completed]
+
+## Fixes Applied
+
+### Fix 1: [Description]
+
+**Affected File**: `path/to/file.py`
+**Test Affected**: `[Test Name]`
+
+**Changes**:
+```diff
+<<<<<<< SEARCH
+[Original Code]
+=======
+[Fixed Code]
+>>>>>>> REPLACE
+```
+
+**Verification**: [How to verify fix works]
+
+**Semantic Integrity**: [Confirmed annotations preserved]
+
+## Next Steps
+
+- [ ] Run tests to verify fix: `cd backend && .venv/bin/python3 -m pytest`
+- [ ] Check for related failing tests
+- [ ] Update test documentation if needed
+```
+
+### 4. Apply Fixes (in Coder Mode)
+
+Switch to `coder` mode and apply fixes:
+
+1. **Read the implementation file** to get exact content
+2. **Apply the fix** using apply_diff
+3. **Preserve all semantic annotations**:
+   - Keep [DEF:...] and [/DEF:...] anchors
+   - Keep all @TAGS (@PURPOSE, @LAYER, @TIER, @RELATION, @PRE, @POST, @UX_STATE, @UX_FEEDBACK, @UX_RECOVERY)
+4. **Only update code logic** to fix the bug
+5. **Run tests** to verify the fix
+
+### 5. Verification
+
+After applying fixes:
+
+1. **Run tests**:
+   ```bash
+   cd backend && .venv/bin/python3 -m pytest -v
+   ```
+   or
+   ```bash
+   cd frontend && npm run test
+   ```
+
+2. **Check test results**:
+   - Failed tests should now pass
+   - No new tests should fail
+   - Coverage should not decrease
+
+3. **Update fix report** with results:
+   - Mark fixes as completed
+   - Add verification steps
+   - Note any remaining issues
+
+## Output
+
+Generate final fix report:
+
+```markdown
+# Fix Report: [FEATURE] - COMPLETED
+
+**Date**: [YYYY-MM-DD]
+**Report**: [Test Report Path]
+**Fixer**: Coder Agent
+
+## Summary
+
+- Total Failed Tests: [X]
+- Total Fixed: [X] ✅
+- Total Skipped: [X]
+
+## Fixes Applied
+
+### Fix 1: [Description] ✅
+
+**Affected File**: `path/to/file.py`
+**Test Affected**: `[Test Name]`
+
+**Changes**: [Summary of changes]
+
+**Verification**: All tests pass ✅
+
+**Semantic Integrity**: Preserved ✅
+
+## Test Results
+
+```
+[Full test output showing all passing tests]
+```
+
+## Recommendations
+
+- [ ] Monitor for similar issues
+- [ ] Update documentation if needed
+- [ ] Consider adding more tests for edge cases
+
+## Related Files
+
+- Test Report: [path]
+- Implementation: [path]
+- Test File: [path]
+```
+
+## Context for Fixing
+
+$ARGUMENTS

.codex/prompts/speckit.implement.md

@@ -0,0 +1,150 @@
+---
+description: Execute the implementation plan by processing and executing all tasks defined in tasks.md
+---
+
+## User Input
+
+```text
+$ARGUMENTS
+```
+
+You **MUST** consider the user input before proceeding (if not empty).
+
+## Outline
+
+1. Run `.specify/scripts/bash/check-prerequisites.sh --json --require-tasks --include-tasks` from repo root and parse FEATURE_DIR and AVAILABLE_DOCS list. All paths must be absolute. For single quotes in args like "I'm Groot", use escape syntax: e.g 'I'\''m Groot' (or double-quote if possible: "I'm Groot").
+
+2. **Check checklists status** (if FEATURE_DIR/checklists/ exists):
+   - Scan all checklist files in the checklists/ directory
+   - For each checklist, count:
+     - Total items: All lines matching `- [ ]` or `- [X]` or `- [x]`
+     - Completed items: Lines matching `- [X]` or `- [x]`
+     - Incomplete items: Lines matching `- [ ]`
+   - Create a status table:
+
+     ```text
+     | Checklist | Total | Completed | Incomplete | Status |
+     |-----------|-------|-----------|------------|--------|
+     | ux.md     | 12    | 12        | 0          | ✓ PASS |
+     | test.md   | 8     | 5         | 3          | ✗ FAIL |
+     | security.md | 6   | 6         | 0          | ✓ PASS |
+     ```
+
+   - Calculate overall status:
+     - **PASS**: All checklists have 0 incomplete items
+     - **FAIL**: One or more checklists have incomplete items
+
+   - **If any checklist is incomplete**:
+     - Display the table with incomplete item counts
+     - **STOP** and ask: "Some checklists are incomplete. Do you want to proceed with implementation anyway? (yes/no)"
+     - Wait for user response before continuing
+     - If user says "no" or "wait" or "stop", halt execution
+     - If user says "yes" or "proceed" or "continue", proceed to step 3
+
+   - **If all checklists are complete**:
+     - Display the table showing all checklists passed
+     - Automatically proceed to step 3
+
+3. Load and analyze the implementation context:
+   - **REQUIRED**: Read tasks.md for the complete task list and execution plan
+   - **REQUIRED**: Read plan.md for tech stack, architecture, and file structure
+   - **IF EXISTS**: Read data-model.md for entities and relationships
+   - **IF EXISTS**: Read contracts/ for API specifications and test requirements
+   - **IF EXISTS**: Read research.md for technical decisions and constraints
+   - **IF EXISTS**: Read quickstart.md for integration scenarios
+
+3. Load and analyze the implementation context:
+    - **REQUIRED**: Read `.ai/standards/semantics.md` for strict coding standards and contract requirements
+    - **REQUIRED**: Read tasks.md for the complete task list and execution plan
+    - **REQUIRED**: Read plan.md for tech stack, architecture, and file structure
+    - **IF EXISTS**: Read data-model.md for entities and relationships
+    - **IF EXISTS**: Read contracts/ for API specifications and test requirements
+    - **IF EXISTS**: Read research.md for technical decisions and constraints
+    - **IF EXISTS**: Read quickstart.md for integration scenarios
+
+4. **Project Setup Verification**:
+   - **REQUIRED**: Create/verify ignore files based on actual project setup:
+
+   **Detection & Creation Logic**:
+   - Check if the following command succeeds to determine if the repository is a git repo (create/verify .gitignore if so):
+
+     ```sh
+     git rev-parse --git-dir 2>/dev/null
+     ```
+
+   - Check if Dockerfile* exists or Docker in plan.md → create/verify .dockerignore
+   - Check if .eslintrc* exists → create/verify .eslintignore
+   - Check if eslint.config.* exists → ensure the config's `ignores` entries cover required patterns
+   - Check if .prettierrc* exists → create/verify .prettierignore
+   - Check if .npmrc or package.json exists → create/verify .npmignore (if publishing)
+   - Check if terraform files (*.tf) exist → create/verify .terraformignore
+   - Check if .helmignore needed (helm charts present) → create/verify .helmignore
+
+   **If ignore file already exists**: Verify it contains essential patterns, append missing critical patterns only
+   **If ignore file missing**: Create with full pattern set for detected technology
+
+   **Common Patterns by Technology** (from plan.md tech stack):
+   - **Node.js/JavaScript/TypeScript**: `node_modules/`, `dist/`, `build/`, `*.log`, `.env*`
+   - **Python**: `__pycache__/`, `*.pyc`, `.venv/`, `venv/`, `dist/`, `*.egg-info/`
+   - **Java**: `target/`, `*.class`, `*.jar`, `.gradle/`, `build/`
+   - **C#/.NET**: `bin/`, `obj/`, `*.user`, `*.suo`, `packages/`
+   - **Go**: `*.exe`, `*.test`, `vendor/`, `*.out`
+   - **Ruby**: `.bundle/`, `log/`, `tmp/`, `*.gem`, `vendor/bundle/`
+   - **PHP**: `vendor/`, `*.log`, `*.cache`, `*.env`
+   - **Rust**: `target/`, `debug/`, `release/`, `*.rs.bk`, `*.rlib`, `*.prof*`, `.idea/`, `*.log`, `.env*`
+   - **Kotlin**: `build/`, `out/`, `.gradle/`, `.idea/`, `*.class`, `*.jar`, `*.iml`, `*.log`, `.env*`
+   - **C++**: `build/`, `bin/`, `obj/`, `out/`, `*.o`, `*.so`, `*.a`, `*.exe`, `*.dll`, `.idea/`, `*.log`, `.env*`
+   - **C**: `build/`, `bin/`, `obj/`, `out/`, `*.o`, `*.a`, `*.so`, `*.exe`, `Makefile`, `config.log`, `.idea/`, `*.log`, `.env*`
+   - **Swift**: `.build/`, `DerivedData/`, `*.swiftpm/`, `Packages/`
+   - **R**: `.Rproj.user/`, `.Rhistory`, `.RData`, `.Ruserdata`, `*.Rproj`, `packrat/`, `renv/`
+   - **Universal**: `.DS_Store`, `Thumbs.db`, `*.tmp`, `*.swp`, `.vscode/`, `.idea/`
+
+   **Tool-Specific Patterns**:
+   - **Docker**: `node_modules/`, `.git/`, `Dockerfile*`, `.dockerignore`, `*.log*`, `.env*`, `coverage/`
+   - **ESLint**: `node_modules/`, `dist/`, `build/`, `coverage/`, `*.min.js`
+   - **Prettier**: `node_modules/`, `dist/`, `build/`, `coverage/`, `package-lock.json`, `yarn.lock`, `pnpm-lock.yaml`
+   - **Terraform**: `.terraform/`, `*.tfstate*`, `*.tfvars`, `.terraform.lock.hcl`
+   - **Kubernetes/k8s**: `*.secret.yaml`, `secrets/`, `.kube/`, `kubeconfig*`, `*.key`, `*.crt`
+
+5. Parse tasks.md structure and extract:
+   - **Task phases**: Setup, Tests, Core, Integration, Polish
+   - **Task dependencies**: Sequential vs parallel execution rules
+   - **Task details**: ID, description, file paths, parallel markers [P]
+   - **Execution flow**: Order and dependency requirements
+
+6. Execute implementation following the task plan:
+   - **Phase-by-phase execution**: Complete each phase before moving to the next
+   - **Respect dependencies**: Run sequential tasks in order, parallel tasks [P] can run together  
+   - **Follow TDD approach**: Execute test tasks before their corresponding implementation tasks
+   - **File-based coordination**: Tasks affecting the same files must run sequentially
+   - **Validation checkpoints**: Verify each phase completion before proceeding
+
+7. Implementation execution rules:
+    - **Strict Adherence**: Apply `.ai/standards/semantics.md` rules:
+      - Every file MUST start with a `[DEF:id:Type]` header and end with a closing `[/DEF:id:Type]` anchor.
+      - Include `@TIER` and define contracts (`@PRE`, `@POST`).
+      - For Svelte components, use `@UX_STATE`, `@UX_FEEDBACK`, `@UX_RECOVERY`, and explicitly declare reactivity with `@UX_REATIVITY: State: $state, Derived: $derived`.
+      - **Molecular Topology Logging**: Use prefixes `[EXPLORE]`, `[REASON]`, `[REFLECT]` in logs to trace logic.
+    - **CRITICAL Contracts**: If a task description contains a contract summary (e.g., `CRITICAL: PRE: ..., POST: ...`), these constraints are **MANDATORY** and must be strictly implemented in the code using guards/assertions (if applicable per protocol).
+    - **Setup first**: Initialize project structure, dependencies, configuration
+   - **Tests before code**: If you need to write tests for contracts, entities, and integration scenarios
+   - **Core development**: Implement models, services, CLI commands, endpoints
+   - **Integration work**: Database connections, middleware, logging, external services
+   - **Polish and validation**: Unit tests, performance optimization, documentation
+
+8. Progress tracking and error handling:
+   - Report progress after each completed task
+   - Halt execution if any non-parallel task fails
+   - For parallel tasks [P], continue with successful tasks, report failed ones
+   - Provide clear error messages with context for debugging
+   - Suggest next steps if implementation cannot proceed
+   - **IMPORTANT** For completed tasks, make sure to mark the task off as [X] in the tasks file.
+
+9. Completion validation:
+   - Verify all required tasks are completed
+   - Check that implemented features match the original specification
+   - Validate that tests pass and coverage meets requirements
+   - Confirm the implementation follows the technical plan
+   - Report final status with summary of completed work
+
+Note: This command assumes a complete task breakdown exists in tasks.md. If tasks are incomplete or missing, suggest running `/speckit.tasks` first to regenerate the task list.

.codex/prompts/speckit.plan.md

@@ -0,0 +1,104 @@
+---
+description: Execute the implementation planning workflow using the plan template to generate design artifacts.
+handoffs: 
+  - label: Create Tasks
+    agent: speckit.tasks
+    prompt: Break the plan into tasks
+    send: true
+  - label: Create Checklist
+    agent: speckit.checklist
+    prompt: Create a checklist for the following domain...
+---
+
+## User Input
+
+```text
+$ARGUMENTS
+```
+
+You **MUST** consider the user input before proceeding (if not empty).
+
+## Outline
+
+1. **Setup**: Run `.specify/scripts/bash/setup-plan.sh --json` from repo root and parse JSON for FEATURE_SPEC, IMPL_PLAN, SPECS_DIR, BRANCH. For single quotes in args like "I'm Groot", use escape syntax: e.g 'I'\''m Groot' (or double-quote if possible: "I'm Groot").
+
+2. **Load context**: Read `.ai/ROOT.md` and `.ai/PROJECT_MAP.md` to understand the project structure and navigation. Then read required standards: `.ai/standards/constitution.md` and `.ai/standards/semantics.md`. Load IMPL_PLAN template.
+
+3. **Execute plan workflow**: Follow the structure in IMPL_PLAN template to:
+   - Fill Technical Context (mark unknowns as "NEEDS CLARIFICATION")
+   - Fill Constitution Check section from constitution
+   - Evaluate gates (ERROR if violations unjustified)
+   - Phase 0: Generate research.md (resolve all NEEDS CLARIFICATION)
+   - Phase 1: Generate data-model.md, contracts/, quickstart.md
+   - Phase 1: Update agent context by running the agent script
+   - Re-evaluate Constitution Check post-design
+
+4. **Stop and report**: Command ends after Phase 2 planning. Report branch, IMPL_PLAN path, and generated artifacts.
+
+## Phases
+
+### Phase 0: Outline & Research
+
+1. **Extract unknowns from Technical Context** above:
+   - For each NEEDS CLARIFICATION → research task
+   - For each dependency → best practices task
+   - For each integration → patterns task
+
+2. **Generate and dispatch research agents**:
+
+   ```text
+   For each unknown in Technical Context:
+     Task: "Research {unknown} for {feature context}"
+   For each technology choice:
+     Task: "Find best practices for {tech} in {domain}"
+   ```
+
+3. **Consolidate findings** in `research.md` using format:
+   - Decision: [what was chosen]
+   - Rationale: [why chosen]
+   - Alternatives considered: [what else evaluated]
+
+**Output**: research.md with all NEEDS CLARIFICATION resolved
+
+### Phase 1: Design & Contracts
+
+**Prerequisites:** `research.md` complete
+
+0. **Validate Design against UX Reference**:
+    - Check if the proposed architecture supports the latency, interactivity, and flow defined in `ux_reference.md`.
+    - **Linkage**: Ensure key UI states from `ux_reference.md` map to Component Contracts (`@UX_STATE`).
+    - **CRITICAL**: If the technical plan compromises the UX (e.g. "We can't do real-time validation"), you **MUST STOP** and warn the user.
+
+1. **Extract entities from feature spec** → `data-model.md`:
+    - Entity name, fields, relationships, validation rules.
+
+2. **Design & Verify Contracts (Semantic Protocol)**:
+    - **Drafting**: Define `[DEF:id:Type]` Headers, Contracts, and closing `[/DEF:id:Type]` for all new modules based on `.ai/standards/semantics.md`.
+    - **TIER Classification**: Explicitly assign `@TIER: [CRITICAL|STANDARD|TRIVIAL]` to each module.
+    - **CRITICAL Requirements**: For all CRITICAL modules, define full `@PRE`, `@POST`, and (if UI) `@UX_STATE` contracts. **MUST** also define testing contracts: `@TEST_CONTRACT`, `@TEST_FIXTURE`, `@TEST_EDGE`, and `@TEST_INVARIANT`.
+    - **Self-Review**:
+      - *Completeness*: Do `@PRE`/`@POST` cover edge cases identified in Research? Are test contracts present for CRITICAL?
+      - *Connectivity*: Do `@RELATION` tags form a coherent graph?
+      - *Compliance*: Does syntax match `[DEF:id:Type]` exactly and is it closed with `[/DEF:id:Type]`?
+    - **Output**: Write verified contracts to `contracts/modules.md`.
+
+3. **Simulate Contract Usage**:
+    - Trace one key user scenario through the defined contracts to ensure data flow continuity.
+    - If a contract interface mismatch is found, fix it immediately.
+
+4. **Generate API contracts**:
+    - Output OpenAPI/GraphQL schema to `/contracts/` for backend-frontend sync.
+
+3. **Agent context update**:
+   - Run `.specify/scripts/bash/update-agent-context.sh agy`
+   - These scripts detect which AI agent is in use
+   - Update the appropriate agent-specific context file
+   - Add only new technology from current plan
+   - Preserve manual additions between markers
+
+**Output**: data-model.md, /contracts/*, quickstart.md, agent-specific file
+
+## Key rules
+
+- Use absolute paths
+- ERROR on gate failures or unresolved clarifications

.codex/prompts/speckit.specify.md

@@ -0,0 +1,258 @@
+---
+description: Create or update the feature specification from a natural language feature description.
+handoffs: 
+  - label: Build Technical Plan
+    agent: speckit.plan
+    prompt: Create a plan for the spec. I am building with...
+  - label: Clarify Spec Requirements
+    agent: speckit.clarify
+    prompt: Clarify specification requirements
+    send: true
+---
+
+## User Input
+
+```text
+$ARGUMENTS
+```
+
+You **MUST** consider the user input before proceeding (if not empty).
+
+## Outline
+
+The text the user typed after `/speckit.specify` in the triggering message **is** the feature description. Assume you always have it available in this conversation even if `$ARGUMENTS` appears literally below. Do not ask the user to repeat it unless they provided an empty command.
+
+Given that feature description, do this:
+
+1. **Generate a concise short name** (2-4 words) for the branch:
+   - Analyze the feature description and extract the most meaningful keywords
+   - Create a 2-4 word short name that captures the essence of the feature
+   - Use action-noun format when possible (e.g., "add-user-auth", "fix-payment-bug")
+   - Preserve technical terms and acronyms (OAuth2, API, JWT, etc.)
+   - Keep it concise but descriptive enough to understand the feature at a glance
+   - Examples:
+     - "I want to add user authentication" → "user-auth"
+     - "Implement OAuth2 integration for the API" → "oauth2-api-integration"
+     - "Create a dashboard for analytics" → "analytics-dashboard"
+     - "Fix payment processing timeout bug" → "fix-payment-timeout"
+
+2. **Check for existing branches before creating new one**:
+
+   a. First, fetch all remote branches to ensure we have the latest information:
+
+      ```bash
+      git fetch --all --prune
+      ```
+
+   b. Find the highest feature number across all sources for the short-name:
+      - Remote branches: `git ls-remote --heads origin | grep -E 'refs/heads/[0-9]+-<short-name>$'`
+      - Local branches: `git branch | grep -E '^[* ]*[0-9]+-<short-name>$'`
+      - Specs directories: Check for directories matching `specs/[0-9]+-<short-name>`
+
+   c. Determine the next available number:
+      - Extract all numbers from all three sources
+      - Find the highest number N
+      - Use N+1 for the new branch number
+
+   d. Run the script `.specify/scripts/bash/create-new-feature.sh --json "$ARGUMENTS"` with the calculated number and short-name:
+      - Pass `--number N+1` and `--short-name "your-short-name"` along with the feature description
+      - Bash example: `.specify/scripts/bash/create-new-feature.sh --json "$ARGUMENTS" --json --number 5 --short-name "user-auth" "Add user authentication"`
+      - PowerShell example: `.specify/scripts/bash/create-new-feature.sh --json "$ARGUMENTS" -Json -Number 5 -ShortName "user-auth" "Add user authentication"`
+
+   **IMPORTANT**:
+   - Check all three sources (remote branches, local branches, specs directories) to find the highest number
+   - Only match branches/directories with the exact short-name pattern
+   - If no existing branches/directories found with this short-name, start with number 1
+   - You must only ever run this script once per feature
+   - The JSON is provided in the terminal as output - always refer to it to get the actual content you're looking for
+   - The JSON output will contain BRANCH_NAME and SPEC_FILE paths
+   - For single quotes in args like "I'm Groot", use escape syntax: e.g 'I'\''m Groot' (or double-quote if possible: "I'm Groot")
+
+3. Load `.specify/templates/spec-template.md` to understand required sections.
+
+4. Follow this execution flow:
+
+    1. Parse user description from Input
+       If empty: ERROR "No feature description provided"
+    2. Extract key concepts from description
+       Identify: actors, actions, data, constraints
+    3. For unclear aspects:
+       - Make informed guesses based on context and industry standards
+       - Only mark with [NEEDS CLARIFICATION: specific question] if:
+         - The choice significantly impacts feature scope or user experience
+         - Multiple reasonable interpretations exist with different implications
+         - No reasonable default exists
+       - **LIMIT: Maximum 3 [NEEDS CLARIFICATION] markers total**
+       - Prioritize clarifications by impact: scope > security/privacy > user experience > technical details
+    4. Fill User Scenarios & Testing section
+       If no clear user flow: ERROR "Cannot determine user scenarios"
+    5. Generate Functional Requirements
+       Each requirement must be testable
+       Use reasonable defaults for unspecified details (document assumptions in Assumptions section)
+    6. Define Success Criteria
+       Create measurable, technology-agnostic outcomes
+       Include both quantitative metrics (time, performance, volume) and qualitative measures (user satisfaction, task completion)
+       Each criterion must be verifiable without implementation details
+    7. Identify Key Entities (if data involved)
+    8. Return: SUCCESS (spec ready for planning)
+
+5. Write the specification to SPEC_FILE using the template structure, replacing placeholders with concrete details derived from the feature description (arguments) while preserving section order and headings.
+
+6. **Specification Quality Validation**: After writing the initial spec, validate it against quality criteria:
+
+   a. **Create Spec Quality Checklist**: Generate a checklist file at `FEATURE_DIR/checklists/requirements.md` using the checklist template structure with these validation items:
+
+      ```markdown
+      # Specification Quality Checklist: [FEATURE NAME]
+      
+      **Purpose**: Validate specification completeness and quality before proceeding to planning
+      **Created**: [DATE]
+      **Feature**: [Link to spec.md]
+      
+      ## Content Quality
+      
+      - [ ] No implementation details (languages, frameworks, APIs)
+      - [ ] Focused on user value and business needs
+      - [ ] Written for non-technical stakeholders
+      - [ ] All mandatory sections completed
+      
+      ## Requirement Completeness
+      
+      - [ ] No [NEEDS CLARIFICATION] markers remain
+      - [ ] Requirements are testable and unambiguous
+      - [ ] Success criteria are measurable
+      - [ ] Success criteria are technology-agnostic (no implementation details)
+      - [ ] All acceptance scenarios are defined
+      - [ ] Edge cases are identified
+      - [ ] Scope is clearly bounded
+      - [ ] Dependencies and assumptions identified
+      
+      ## Feature Readiness
+      
+      - [ ] All functional requirements have clear acceptance criteria
+      - [ ] User scenarios cover primary flows
+      - [ ] Feature meets measurable outcomes defined in Success Criteria
+      - [ ] No implementation details leak into specification
+      
+      ## Notes
+      
+      - Items marked incomplete require spec updates before `/speckit.clarify` or `/speckit.plan`
+      ```
+
+   b. **Run Validation Check**: Review the spec against each checklist item:
+      - For each item, determine if it passes or fails
+      - Document specific issues found (quote relevant spec sections)
+
+   c. **Handle Validation Results**:
+
+      - **If all items pass**: Mark checklist complete and proceed to step 6
+
+      - **If items fail (excluding [NEEDS CLARIFICATION])**:
+        1. List the failing items and specific issues
+        2. Update the spec to address each issue
+        3. Re-run validation until all items pass (max 3 iterations)
+        4. If still failing after 3 iterations, document remaining issues in checklist notes and warn user
+
+      - **If [NEEDS CLARIFICATION] markers remain**:
+        1. Extract all [NEEDS CLARIFICATION: ...] markers from the spec
+        2. **LIMIT CHECK**: If more than 3 markers exist, keep only the 3 most critical (by scope/security/UX impact) and make informed guesses for the rest
+        3. For each clarification needed (max 3), present options to user in this format:
+
+           ```markdown
+           ## Question [N]: [Topic]
+           
+           **Context**: [Quote relevant spec section]
+           
+           **What we need to know**: [Specific question from NEEDS CLARIFICATION marker]
+           
+           **Suggested Answers**:
+           
+           | Option | Answer | Implications |
+           |--------|--------|--------------|
+           | A      | [First suggested answer] | [What this means for the feature] |
+           | B      | [Second suggested answer] | [What this means for the feature] |
+           | C      | [Third suggested answer] | [What this means for the feature] |
+           | Custom | Provide your own answer | [Explain how to provide custom input] |
+           
+           **Your choice**: _[Wait for user response]_
+           ```
+
+        4. **CRITICAL - Table Formatting**: Ensure markdown tables are properly formatted:
+           - Use consistent spacing with pipes aligned
+           - Each cell should have spaces around content: `| Content |` not `|Content|`
+           - Header separator must have at least 3 dashes: `|--------|`
+           - Test that the table renders correctly in markdown preview
+        5. Number questions sequentially (Q1, Q2, Q3 - max 3 total)
+        6. Present all questions together before waiting for responses
+        7. Wait for user to respond with their choices for all questions (e.g., "Q1: A, Q2: Custom - [details], Q3: B")
+        8. Update the spec by replacing each [NEEDS CLARIFICATION] marker with the user's selected or provided answer
+        9. Re-run validation after all clarifications are resolved
+
+   d. **Update Checklist**: After each validation iteration, update the checklist file with current pass/fail status
+
+7. Report completion with branch name, spec file path, checklist results, and readiness for the next phase (`/speckit.clarify` or `/speckit.plan`).
+
+**NOTE:** The script creates and checks out the new branch and initializes the spec file before writing.
+
+## General Guidelines
+
+## Quick Guidelines
+
+- Focus on **WHAT** users need and **WHY**.
+- Avoid HOW to implement (no tech stack, APIs, code structure).
+- Written for business stakeholders, not developers.
+- DO NOT create any checklists that are embedded in the spec. That will be a separate command.
+
+### Section Requirements
+
+- **Mandatory sections**: Must be completed for every feature
+- **Optional sections**: Include only when relevant to the feature
+- When a section doesn't apply, remove it entirely (don't leave as "N/A")
+
+### For AI Generation
+
+When creating this spec from a user prompt:
+
+1. **Make informed guesses**: Use context, industry standards, and common patterns to fill gaps
+2. **Document assumptions**: Record reasonable defaults in the Assumptions section
+3. **Limit clarifications**: Maximum 3 [NEEDS CLARIFICATION] markers - use only for critical decisions that:
+   - Significantly impact feature scope or user experience
+   - Have multiple reasonable interpretations with different implications
+   - Lack any reasonable default
+4. **Prioritize clarifications**: scope > security/privacy > user experience > technical details
+5. **Think like a tester**: Every vague requirement should fail the "testable and unambiguous" checklist item
+6. **Common areas needing clarification** (only if no reasonable default exists):
+   - Feature scope and boundaries (include/exclude specific use cases)
+   - User types and permissions (if multiple conflicting interpretations possible)
+   - Security/compliance requirements (when legally/financially significant)
+
+**Examples of reasonable defaults** (don't ask about these):
+
+- Data retention: Industry-standard practices for the domain
+- Performance targets: Standard web/mobile app expectations unless specified
+- Error handling: User-friendly messages with appropriate fallbacks
+- Authentication method: Standard session-based or OAuth2 for web apps
+- Integration patterns: Use project-appropriate patterns (REST/GraphQL for web services, function calls for libraries, CLI args for tools, etc.)
+
+### Success Criteria Guidelines
+
+Success criteria must be:
+
+1. **Measurable**: Include specific metrics (time, percentage, count, rate)
+2. **Technology-agnostic**: No mention of frameworks, languages, databases, or tools
+3. **User-focused**: Describe outcomes from user/business perspective, not system internals
+4. **Verifiable**: Can be tested/validated without knowing implementation details
+
+**Good examples**:
+
+- "Users can complete checkout in under 3 minutes"
+- "System supports 10,000 concurrent users"
+- "95% of searches return results in under 1 second"
+- "Task completion rate improves by 40%"
+
+**Bad examples** (implementation-focused):
+
+- "API response time is under 200ms" (too technical, use "Users see results instantly")
+- "Database can handle 1000 TPS" (implementation detail, use user-facing metric)
+- "React components render efficiently" (framework-specific)
+- "Redis cache hit rate above 80%" (technology-specific)

.codex/prompts/speckit.tasks.md

@@ -0,0 +1,146 @@
+---
+description: Generate an actionable, dependency-ordered tasks.md for the feature based on available design artifacts.
+handoffs: 
+  - label: Analyze For Consistency
+    agent: speckit.analyze
+    prompt: Run a project analysis for consistency
+    send: true
+  - label: Implement Project
+    agent: speckit.implement
+    prompt: Start the implementation in phases
+    send: true
+---
+
+## User Input
+
+```text
+$ARGUMENTS
+```
+
+You **MUST** consider the user input before proceeding (if not empty).
+
+## Outline
+
+1. **Setup**: Run `.specify/scripts/bash/check-prerequisites.sh --json` from repo root and parse FEATURE_DIR and AVAILABLE_DOCS list. All paths must be absolute. For single quotes in args like "I'm Groot", use escape syntax: e.g 'I'\''m Groot' (or double-quote if possible: "I'm Groot").
+
+2. **Load design documents**: Read from FEATURE_DIR:
+   - **Required**: plan.md (tech stack, libraries, structure), spec.md (user stories with priorities), ux_reference.md (experience source of truth)
+   - **Optional**: data-model.md (entities), contracts/ (interface contracts), research.md (decisions), quickstart.md (test scenarios)
+   - Note: Not all projects have all documents. Generate tasks based on what's available.
+
+3. **Execute task generation workflow**:
+   - Load plan.md and extract tech stack, libraries, project structure
+   - Load spec.md and extract user stories with their priorities (P1, P2, P3, etc.)
+   - If data-model.md exists: Extract entities and map to user stories
+   - If contracts/ exists: Map interface contracts to user stories
+   - If research.md exists: Extract decisions for setup tasks
+   - Generate tasks organized by user story (see Task Generation Rules below)
+   - Generate dependency graph showing user story completion order
+   - Create parallel execution examples per user story
+   - Validate task completeness (each user story has all needed tasks, independently testable)
+
+4. **Generate tasks.md**: Use `.specify/templates/tasks-template.md` as structure, fill with:
+   - Correct feature name from plan.md
+   - Phase 1: Setup tasks (project initialization)
+   - Phase 2: Foundational tasks (blocking prerequisites for all user stories)
+   - Phase 3+: One phase per user story (in priority order from spec.md)
+   - Each phase includes: story goal, independent test criteria, tests (if requested), implementation tasks
+   - Final Phase: Polish & cross-cutting concerns
+   - All tasks must follow the strict checklist format (see Task Generation Rules below)
+   - Clear file paths for each task
+   - Dependencies section showing story completion order
+   - Parallel execution examples per story
+   - Implementation strategy section (MVP first, incremental delivery)
+
+5. **Report**: Output path to generated tasks.md and summary:
+   - Total task count
+   - Task count per user story
+   - Parallel opportunities identified
+   - Independent test criteria for each story
+   - Suggested MVP scope (typically just User Story 1)
+   - Format validation: Confirm ALL tasks follow the checklist format (checkbox, ID, labels, file paths)
+
+Context for task generation: $ARGUMENTS
+
+The tasks.md should be immediately executable - each task must be specific enough that an LLM can complete it without additional context.
+
+## Task Generation Rules
+
+**CRITICAL**: Tasks MUST be organized by user story to enable independent implementation and testing.
+
+**Tests are OPTIONAL**: Only generate test tasks if explicitly requested in the feature specification or if user requests TDD approach.
+
+### UX Preservation (CRITICAL)
+
+- **Source of Truth**: `ux_reference.md` is the absolute standard for the "feel" of the feature.
+- **Violation Warning**: If any task would inherently violate the UX (e.g. "Remove progress bar to simplify code"), you **MUST** flag this to the user immediately.
+- **Verification Task**: You **MUST** add a specific task at the end of each User Story phase: `- [ ] Txxx [USx] Verify implementation matches ux_reference.md (Happy Path & Errors)`
+
+### Checklist Format (REQUIRED)
+
+Every task MUST strictly follow this format:
+
+```text
+- [ ] [TaskID] [P?] [Story?] Description with file path
+```
+
+**Format Components**:
+
+1. **Checkbox**: ALWAYS start with `- [ ]` (markdown checkbox)
+2. **Task ID**: Sequential number (T001, T002, T003...) in execution order
+3. **[P] marker**: Include ONLY if task is parallelizable (different files, no dependencies on incomplete tasks)
+4. **[Story] label**: REQUIRED for user story phase tasks only
+   - Format: [US1], [US2], [US3], etc. (maps to user stories from spec.md)
+   - Setup phase: NO story label
+   - Foundational phase: NO story label  
+   - User Story phases: MUST have story label
+   - Polish phase: NO story label
+5. **Description**: Clear action with exact file path
+
+**Examples**:
+
+- ✅ CORRECT: `- [ ] T001 Create project structure per implementation plan`
+- ✅ CORRECT: `- [ ] T005 [P] Implement authentication middleware in src/middleware/auth.py`
+- ✅ CORRECT: `- [ ] T012 [P] [US1] Create User model in src/models/user.py`
+- ✅ CORRECT: `- [ ] T014 [US1] Implement UserService in src/services/user_service.py`
+- ❌ WRONG: `- [ ] Create User model` (missing ID and Story label)
+- ❌ WRONG: `T001 [US1] Create model` (missing checkbox)
+- ❌ WRONG: `- [ ] [US1] Create User model` (missing Task ID)
+- ❌ WRONG: `- [ ] T001 [US1] Create model` (missing file path)
+
+### Task Organization
+
+1. **From User Stories (spec.md)** - PRIMARY ORGANIZATION:
+   - Each user story (P1, P2, P3...) gets its own phase
+   - Map all related components to their story:
+     - Models needed for that story
+     - Services needed for that story
+     - Interfaces/UI needed for that story
+     - If tests requested: Tests specific to that story
+   - Mark story dependencies (most stories should be independent)
+
+2. **From Contracts (CRITICAL TIER)**:
+    - Identify components marked as `@TIER: CRITICAL` in `contracts/modules.md`.
+    - For these components, **MUST** append the summary of `@PRE`, `@POST`, `@UX_STATE`, and test contracts (`@TEST_FIXTURE`, `@TEST_EDGE`) directly to the task description.
+    - Example: `- [ ] T005 [P] [US1] Implement Auth (CRITICAL: PRE: token exists, POST: returns User, TESTS: 2 edges) in src/auth.py`
+    - Map each contract/endpoint → to the user story it serves
+    - If tests requested: Each contract → contract test task [P] before implementation in that story's phase
+
+3. **From Data Model**:
+   - Map each entity to the user story(ies) that need it
+   - If entity serves multiple stories: Put in earliest story or Setup phase
+   - Relationships → service layer tasks in appropriate story phase
+
+4. **From Setup/Infrastructure**:
+   - Shared infrastructure → Setup phase (Phase 1)
+   - Foundational/blocking tasks → Foundational phase (Phase 2)
+   - Story-specific setup → within that story's phase
+
+### Phase Structure
+
+- **Phase 1**: Setup (project initialization)
+- **Phase 2**: Foundational (blocking prerequisites - MUST complete before user stories)
+- **Phase 3+**: User Stories in priority order (P1, P2, P3...)
+  - Within each story: Tests (if requested) → Models → Services → Endpoints → Integration
+  - Each phase should be a complete, independently testable increment
+- **Final Phase**: Polish & Cross-Cutting Concerns

.codex/prompts/speckit.taskstoissues copy.md

@@ -0,0 +1,30 @@
+---
+description: Convert existing tasks into actionable, dependency-ordered GitHub issues for the feature based on available design artifacts.
+tools: ['github/github-mcp-server/issue_write']
+---
+
+## User Input
+
+```text
+$ARGUMENTS
+```
+
+You **MUST** consider the user input before proceeding (if not empty).
+
+## Outline
+
+1. Run `.specify/scripts/bash/check-prerequisites.sh --json --require-tasks --include-tasks` from repo root and parse FEATURE_DIR and AVAILABLE_DOCS list. All paths must be absolute. For single quotes in args like "I'm Groot", use escape syntax: e.g 'I'\''m Groot' (or double-quote if possible: "I'm Groot").
+1. From the executed script, extract the path to **tasks**.
+1. Get the Git remote by running:
+
+```bash
+git config --get remote.origin.url
+```
+
+> [!CAUTION]
+> ONLY PROCEED TO NEXT STEPS IF THE REMOTE IS A GITHUB URL
+
+1. For each task in the list, use the GitHub MCP server to create a new issue in the repository that is representative of the Git remote.
+
+> [!CAUTION]
+> UNDER NO CIRCUMSTANCES EVER CREATE ISSUES IN REPOSITORIES THAT DO NOT MATCH THE REMOTE URL

.codex/prompts/speckit.test.md

@@ -0,0 +1,179 @@
+---
+
+description: Generate tests, manage test documentation, and ensure maximum code coverage
+
+---
+
+## User Input
+
+```text
+$ARGUMENTS
+```
+
+You **MUST** consider the user input before proceeding (if not empty).
+
+## Goal
+
+Execute full testing cycle: analyze code for testable modules, write tests with proper coverage, maintain test documentation, and ensure no test duplication or deletion.
+
+## Operating Constraints
+
+1. **NEVER delete existing tests** - Only update if they fail due to bugs in the test or implementation
+2. **NEVER duplicate tests** - Check existing tests first before creating new ones
+3. **Use TEST_FIXTURE fixtures** - For CRITICAL tier modules, read @TEST_FIXTURE from semantics header
+4. **Co-location required** - Write tests in `__tests__` directories relative to the code being tested
+
+## Execution Steps
+
+### 1. Analyze Context
+
+Run `.specify/scripts/bash/check-prerequisites.sh --json --require-tasks --include-tasks` from repo root and parse FEATURE_DIR and AVAILABLE_DOCS.
+
+Determine:
+- FEATURE_DIR - where the feature is located
+- TASKS_FILE - path to tasks.md
+- Which modules need testing based on task status
+
+### 2. Load Relevant Artifacts
+
+**From tasks.md:**
+- Identify completed implementation tasks (not test tasks)
+- Extract file paths that need tests
+
+**From .ai/standards/semantics.md:**
+- Read @TIER annotations for modules
+- For CRITICAL modules: Read @TEST_ fixtures
+
+**From existing tests:**
+- Scan `__tests__` directories for existing tests
+- Identify test patterns and coverage gaps
+
+### 3. Test Coverage Analysis
+
+Create coverage matrix:
+
+| Module | File | Has Tests | TIER | TEST_FIXTURE Available |
+|--------|------|-----------|------|----------------------|
+| ... | ... | ... | ... | ... |
+
+### 4. Write Tests (TDD Approach)
+
+For each module requiring tests:
+
+1. **Check existing tests**: Scan `__tests__/` for duplicates
+2. **Read TEST_FIXTURE**: If CRITICAL tier, read @TEST_FIXTURE from semantic header
+3. **Write test**: Follow co-location strategy
+   - Python: `src/module/__tests__/test_module.py`
+   - Svelte: `src/lib/components/__tests__/test_component.test.js`
+4. **Use mocks**: Use `unittest.mock.MagicMock` for external dependencies
+
+### 4a. UX Contract Testing (Frontend Components)
+
+For Svelte components with `@UX_STATE`, `@UX_FEEDBACK`, `@UX_RECOVERY` tags:
+
+1. **Parse UX tags**: Read component file and extract all `@UX_*` annotations
+2. **Generate UX tests**: Create tests for each UX state transition
+   ```javascript
+   // Example: Testing @UX_STATE: Idle -> Expanded
+   it('should transition from Idle to Expanded on toggle click', async () => {
+     render(Sidebar);
+     const toggleBtn = screen.getByRole('button', { name: /toggle/i });
+     await fireEvent.click(toggleBtn);
+     expect(screen.getByTestId('sidebar')).toHaveClass('expanded');
+   });
+   ```
+3. **Test @UX_FEEDBACK**: Verify visual feedback (toast, shake, color changes)
+4. **Test @UX_RECOVERY**: Verify error recovery mechanisms (retry, clear input)
+5. **Use @UX_TEST fixtures**: If component has `@UX_TEST` tags, use them as test specifications
+
+**UX Test Template:**
+```javascript
+// [DEF:__tests__/test_Component:Module]
+// @RELATION: VERIFIES -> ../Component.svelte
+// @PURPOSE: Test UX states and transitions
+
+describe('Component UX States', () => {
+  // @UX_STATE: Idle -> {action: click, expected: Active}
+  it('should transition Idle -> Active on click', async () => { ... });
+  
+  // @UX_FEEDBACK: Toast on success
+  it('should show toast on successful action', async () => { ... });
+  
+  // @UX_RECOVERY: Retry on error
+  it('should allow retry on error', async () => { ... });
+});
+// [/DEF:__tests__/test_Component:Module]
+```
+
+### 5. Test Documentation
+
+Create/update documentation in `specs/<feature>/tests/`:
+
+```
+tests/
+├── README.md           # Test strategy and overview
+├── coverage.md         # Coverage matrix and reports
+└── reports/
+    └── YYYY-MM-DD-report.md
+```
+
+### 6. Execute Tests
+
+Run tests and report results:
+
+**Backend:**
+```bash
+cd backend && .venv/bin/python3 -m pytest -v
+```
+
+**Frontend:**
+```bash
+cd frontend && npm run test
+```
+
+### 7. Update Tasks
+
+Mark test tasks as completed in tasks.md with:
+- Test file path
+- Coverage achieved
+- Any issues found
+
+## Output
+
+Generate test execution report:
+
+```markdown
+# Test Report: [FEATURE]
+
+**Date**: [YYYY-MM-DD]
+**Executed by**: Tester Agent
+
+## Coverage Summary
+
+| Module | Tests | Coverage % |
+|--------|-------|------------|
+| ... | ... | ... |
+
+## Test Results
+
+- Total: [X]
+- Passed: [X]
+- Failed: [X]
+- Skipped: [X]
+
+## Issues Found
+
+| Test | Error | Resolution |
+|------|-------|------------|
+| ... | ... | ... |
+
+## Next Steps
+
+- [ ] Fix failed tests
+- [ ] Add more coverage for [module]
+- [ ] Review TEST_FIXTURE fixtures
+```
+
+## Context for Testing
+
+$ARGUMENTS

.gitignore

@@ -59,8 +59,9 @@ keyring passwords.py
 *github*
 
 *tech_spec*
-dashboards
-backend/mappings.db
+/dashboards
+dashboards_example/**/dashboards/
+backend/mappings.db
 
 
 backend/tasks.db

.kilocode/rules/specify-rules.md

@@ -43,6 +43,12 @@ Auto-generated from all feature plans. Last updated: 2025-12-19
 - SQLite (tasks.db, auth.db, migrations.db) - no new database tables required (019-superset-ux-redesign)
 - Python 3.9+ (backend), Node.js 18+ (frontend) + FastAPI, SvelteKit, Tailwind CSS, SQLAlchemy/Pydantic task models, existing task/websocket stack (020-task-reports-design)
 - SQLite task/result persistence (existing task DB), filesystem only for existing artifacts (no new primary store required) (020-task-reports-design)
+- Node.js 18+ runtime, SvelteKit (existing frontend stack) + SvelteKit, Tailwind CSS, existing frontend UI primitives under `frontend/src/lib/components/ui` (001-unify-frontend-style)
+- N/A (UI styling and component behavior only) (001-unify-frontend-style)
+- Python 3.9+ (backend scripts/services), Shell (release tooling) + FastAPI stack (existing backend), ConfigManager, TaskManager, файловые утилиты, internal artifact registries (020-clean-repo-enterprise)
+- PostgreSQL (конфигурации/метаданные), filesystem (артефакты дистрибутива, отчёты проверки) (020-clean-repo-enterprise)
+- Python 3.9+ (backend), Node.js 18+ + SvelteKit (frontend) + FastAPI, SQLAlchemy, Pydantic, existing auth stack (`get_current_user`), existing dashboards route/service, Svelte runes (`$state`, `$derived`, `$effect`), Tailwind CSS, frontend `api` wrapper (024-user-dashboard-filter)
+- Existing auth database (`AUTH_DATABASE_URL`) with a dedicated per-user preference entity (024-user-dashboard-filter)
 
 - Python 3.9+ (Backend), Node.js 18+ (Frontend Build) (001-plugin-arch-svelte-ui)
 
@@ -63,9 +69,9 @@ cd src; pytest; ruff check .
 Python 3.9+ (Backend), Node.js 18+ (Frontend Build): Follow standard conventions
 
 ## Recent Changes
-- 020-task-reports-design: Added Python 3.9+ (backend), Node.js 18+ (frontend) + FastAPI, SvelteKit, Tailwind CSS, SQLAlchemy/Pydantic task models, existing task/websocket stack
-- 019-superset-ux-redesign: Added Python 3.9+ (Backend), Node.js 18+ (Frontend) + FastAPI, SvelteKit, Tailwind CSS, SQLAlchemy, WebSocket (existing)
-- 017-llm-analysis-plugin: Added Python 3.9+ (Backend), Node.js 18+ (Frontend)
+- 024-user-dashboard-filter: Added Python 3.9+ (backend), Node.js 18+ + SvelteKit (frontend) + FastAPI, SQLAlchemy, Pydantic, existing auth stack (`get_current_user`), existing dashboards route/service, Svelte runes (`$state`, `$derived`, `$effect`), Tailwind CSS, frontend `api` wrapper
+- 020-clean-repo-enterprise: Added Python 3.9+ (backend scripts/services), Shell (release tooling) + FastAPI stack (existing backend), ConfigManager, TaskManager, файловые утилиты, internal artifact registries
+- 001-unify-frontend-style: Added Node.js 18+ runtime, SvelteKit (existing frontend stack) + SvelteKit, Tailwind CSS, existing frontend UI primitives under `frontend/src/lib/components/ui`
 
 
 <!-- MANUAL ADDITIONS START -->

.kilocode/workflows/audit-test.md

@@ -0,0 +1,103 @@
+---
+description: Audit AI-generated unit tests. Your goal is to aggressively search for "Test Tautologies", "Logic Echoing", and "Contract Negligence". You are the final gatekeeper. If a test is meaningless, you MUST reject it.
+---
+
+**ROLE:** Elite Quality Assurance Architect and Red Teamer.
+**OBJECTIVE:** Audit AI-generated unit tests. Your goal is to aggressively search for "Test Tautologies", "Logic Echoing", and "Contract Negligence". You are the final gatekeeper. If a test is meaningless, you MUST reject it.
+
+**INPUT:**
+1. SOURCE CODE (with GRACE-Poly `[DEF]` Contract: `@PRE`, `@POST`, `@TEST_CONTRACT`, `@TEST_FIXTURE`, `@TEST_EDGE`, `@TEST_INVARIANT`).
+2. GENERATED TEST CODE.
+
+### I. CRITICAL ANTI-PATTERNS (REJECT IMMEDIATELY IF FOUND):
+
+1. **The Tautology (Self-Fulfilling Prophecy):**
+   - *Definition:* The test asserts hardcoded values against hardcoded values without executing the core business logic, or mocks the actual function being tested.
+   - *Example of Failure:* `assert 2 + 2 == 4` or mocking the class under test so that it returns exactly what the test asserts.
+
+2. **The Logic Mirror (Echoing):**
+   - *Definition:* The test re-implements the exact same algorithmic logic found in the source code to calculate the `expected_result`. If the original logic is flawed, the test will falsely pass.
+   - *Rule:* Tests must assert against **static, predefined outcomes** (from `@TEST_FIXTURE`, `@TEST_EDGE`, `@TEST_INVARIANT` or explicit constants), NOT dynamically calculated outcomes using the same logic as the source.
+
+3. **The "Happy Path" Illusion:**
+   - *Definition:* The test suite only checks successful executions but ignores the `@PRE` conditions (Negative Testing).
+   - *Rule:* Every `@PRE` tag in the source contract MUST have a corresponding test that deliberately violates it and asserts the correct Exception/Error state.
+
+4. **Missing Post-Condition Verification:**
+   - *Definition:* The test calls the function but only checks the return value, ignoring `@SIDE_EFFECT` or `@POST` state changes (e.g., failing to verify that a DB call was made or a Store was updated).
+
+5. **Missing Edge Case Coverage:**
+   - *Definition:* The test suite ignores `@TEST_EDGE` scenarios defined in the contract.
+   - *Rule:* Every `@TEST_EDGE` in the source contract MUST have a corresponding test case.
+
+6. **Missing Invariant Verification:**
+   - *Definition:* The test suite does not verify `@TEST_INVARIANT` conditions.
+   - *Rule:* Every `@TEST_INVARIANT` MUST be verified by at least one test that attempts to break it.
+
+7. **Missing UX State Testing (Svelte Components):**
+   - *Definition:* For Svelte components with `@UX_STATE`, the test suite does not verify state transitions.
+   - *Rule:* Every `@UX_STATE` transition MUST have a test verifying the visual/behavioral change.
+   - *Check:* `@UX_FEEDBACK` mechanisms (toast, shake, color) must be tested.
+   - *Check:* `@UX_RECOVERY` mechanisms (retry, clear input) must be tested.
+
+### II. SEMANTIC PROTOCOL COMPLIANCE
+
+Verify the test file follows GRACE-Poly semantics:
+
+1. **Anchor Integrity:**
+   - Test file MUST start with `[DEF:__tests__/test_name:Module]`
+   - Test file MUST end with `[/DEF:__tests__/test_name:Module]`
+
+2. **Required Tags:**
+   - `@RELATION: VERIFIES -> <path_to_source>` must be present
+   - `@PURPOSE:` must describe what is being tested
+
+3. **TIER Alignment:**
+   - If source is `@TIER: CRITICAL`, test MUST cover all `@TEST_CONTRACT`, `@TEST_FIXTURE`, `@TEST_EDGE`, `@TEST_INVARIANT`
+   - If source is `@TIER: STANDARD`, test MUST cover `@PRE` and `@POST`
+   - If source is `@TIER: TRIVIAL`, basic smoke test is acceptable
+
+### III. AUDIT CHECKLIST
+
+Evaluate the test code against these criteria:
+1. **Target Invocation:** Does the test actually import and call the function/component declared in the `@RELATION: VERIFIES` tag?
+2. **Contract Alignment:** Does the test suite cover 100% of the `@PRE` (negative tests) and `@POST` (assertions) conditions from the source contract?
+3. **Test Contract Compliance:** Does the test follow the interface defined in `@TEST_CONTRACT`?
+4. **Data Usage:** Does the test use the exact scenarios defined in `@TEST_FIXTURE`?
+5. **Edge Coverage:** Are all `@TEST_EDGE` scenarios tested?
+6. **Invariant Coverage:** Are all `@TEST_INVARIANT` conditions verified?
+7. **UX Coverage (if applicable):** Are all `@UX_STATE`, `@UX_FEEDBACK`, `@UX_RECOVERY` tested?
+8. **Mocking Sanity:** Are external dependencies mocked correctly WITHOUT mocking the system under test itself?
+9. **Semantic Anchor:** Does the test file have proper `[DEF]` and `[/DEF]` anchors?
+
+### IV. OUTPUT FORMAT
+
+You MUST respond strictly in the following JSON format. Do not add markdown blocks outside the JSON.
+
+{
+  "verdict": "APPROVED" | "REJECTED",
+  "rejection_reason": "TAUTOLOGY" | "LOGIC_MIRROR" | "WEAK_CONTRACT_COVERAGE" | "OVER_MOCKED" | "MISSING_EDGES" | "MISSING_INVARIANTS" | "MISSING_UX_TESTS" | "SEMANTIC_VIOLATION" | "NONE",
+  "audit_details": {
+    "target_invoked": true/false,
+    "pre_conditions_tested": true/false,
+    "post_conditions_tested": true/false,
+    "test_fixture_used": true/false,
+    "edges_covered": true/false,
+    "invariants_verified": true/false,
+    "ux_states_tested": true/false,
+    "semantic_anchors_present": true/false
+  },
+  "coverage_summary": {
+    "total_edges": number,
+    "edges_tested": number,
+    "total_invariants": number,
+    "invariants_tested": number,
+    "total_ux_states": number,
+    "ux_states_tested": number
+  },
+  "tier_compliance": {
+    "source_tier": "CRITICAL" | "STANDARD" | "TRIVIAL",
+    "meets_tier_requirements": true/false
+  },
+  "feedback": "Strict, actionable feedback for the test generator agent. Explain exactly which anti-pattern was detected and how to fix it."
+}

.kilocode/workflows/speckit.fix.md

@@ -20,7 +20,7 @@ Analyze test failure reports, identify root causes, and fix implementation issue
 
 1. **USE CODER MODE**: Always switch to `coder` mode for code fixes
 2. **SEMANTIC PROTOCOL**: Never remove semantic annotations ([DEF], @TAGS). Only update code logic.
-3. **TEST DATA**: If tests use @TEST_DATA fixtures, preserve them when fixing
+3. **TEST DATA**: If tests use @TEST_ fixtures, preserve them when fixing
 4. **NO DELETION**: Never delete existing tests or semantic annotations
 5. **REPORT FIRST**: Always write a fix report before making changes
 

.kilocode/workflows/speckit.implement.md

@@ -117,7 +117,11 @@ You **MUST** consider the user input before proceeding (if not empty).
    - **Validation checkpoints**: Verify each phase completion before proceeding
 
 7. Implementation execution rules:
-   - **Strict Adherence**: Apply `.ai/standards/semantics.md` rules - every file must start with [DEF] header, include @TIER, and define contracts.
+   - **Strict Adherence**: Apply `.ai/standards/semantics.md` rules:
+     - Every file MUST start with a `[DEF:id:Type]` header and end with a closing `[/DEF:id:Type]` anchor.
+     - Include `@TIER` and define contracts (`@PRE`, `@POST`).
+     - For Svelte components, use `@UX_STATE`, `@UX_FEEDBACK`, `@UX_RECOVERY`, and explicitly declare reactivity with `@UX_REATIVITY: State: $state, Derived: $derived`.
+     - **Molecular Topology Logging**: Use prefixes `[EXPLORE]`, `[REASON]`, `[REFLECT]` in logs to trace logic.
    - **CRITICAL Contracts**: If a task description contains a contract summary (e.g., `CRITICAL: PRE: ..., POST: ...`), these constraints are **MANDATORY** and must be strictly implemented in the code using guards/assertions (if applicable per protocol).
    - **Setup first**: Initialize project structure, dependencies, configuration
    - **Tests before code**: If you need to write tests for contracts, entities, and integration scenarios

.kilocode/workflows/speckit.plan.md

@@ -73,13 +73,13 @@ You **MUST** consider the user input before proceeding (if not empty).
    - Entity name, fields, relationships, validation rules.
 
 2. **Design & Verify Contracts (Semantic Protocol)**:
-   - **Drafting**: Define [DEF] Headers and Contracts for all new modules based on `.ai/standards/semantics.md`.
+   - **Drafting**: Define `[DEF:id:Type]` Headers, Contracts, and closing `[/DEF:id:Type]` for all new modules based on `.ai/standards/semantics.md`.
    - **TIER Classification**: Explicitly assign `@TIER: [CRITICAL|STANDARD|TRIVIAL]` to each module.
-   - **CRITICAL Requirements**: For all CRITICAL modules, define full `@PRE`, `@POST`, and (if UI) `@UX_STATE` contracts.
+   - **CRITICAL Requirements**: For all CRITICAL modules, define full `@PRE`, `@POST`, and (if UI) `@UX_STATE` contracts. **MUST** also define testing contracts: `@TEST_CONTRACT`, `@TEST_FIXTURE`, `@TEST_EDGE`, and `@TEST_INVARIANT`.
    - **Self-Review**:
-     - *Completeness*: Do `@PRE`/`@POST` cover edge cases identified in Research?
+     - *Completeness*: Do `@PRE`/`@POST` cover edge cases identified in Research? Are test contracts present for CRITICAL?
      - *Connectivity*: Do `@RELATION` tags form a coherent graph?
-     - *Compliance*: Does syntax match `[DEF:id:Type]` exactly?
+     - *Compliance*: Does syntax match `[DEF:id:Type]` exactly and is it closed with `[/DEF:id:Type]`?
    - **Output**: Write verified contracts to `contracts/modules.md`.
 
 3. **Simulate Contract Usage**:

.kilocode/workflows/speckit.tasks.md

@@ -121,8 +121,8 @@ Every task MUST strictly follow this format:
 
 2. **From Contracts (CRITICAL TIER)**:
    - Identify components marked as `@TIER: CRITICAL` in `contracts/modules.md`.
-   - For these components, **MUST** append the summary of `@PRE`, `@POST`, and `@UX_STATE` contracts directly to the task description.
-   - Example: `- [ ] T005 [P] [US1] Implement Auth (CRITICAL: PRE: token exists, POST: returns User) in src/auth.py`
+   - For these components, **MUST** append the summary of `@PRE`, `@POST`, `@UX_STATE`, and test contracts (`@TEST_FIXTURE`, `@TEST_EDGE`) directly to the task description.
+   - Example: `- [ ] T005 [P] [US1] Implement Auth (CRITICAL: PRE: token exists, POST: returns User, TESTS: 2 edges) in src/auth.py`
    - Map each contract/endpoint → to the user story it serves
    - If tests requested: Each contract → contract test task [P] before implementation in that story's phase
 

.kilocode/workflows/speckit.test.md

@@ -20,7 +20,7 @@ Execute full testing cycle: analyze code for testable modules, write tests with
 
 1. **NEVER delete existing tests** - Only update if they fail due to bugs in the test or implementation
 2. **NEVER duplicate tests** - Check existing tests first before creating new ones
-3. **Use TEST_DATA fixtures** - For CRITICAL tier modules, read @TEST_DATA from .ai/standards/semantics.md
+3. **Use TEST_FIXTURE fixtures** - For CRITICAL tier modules, read @TEST_FIXTURE from .ai/standards/semantics.md
 4. **Co-location required** - Write tests in `__tests__` directories relative to the code being tested
 
 ## Execution Steps
@@ -42,7 +42,7 @@ Determine:
 
 **From .ai/standards/semantics.md:**
 - Read @TIER annotations for modules
-- For CRITICAL modules: Read @TEST_DATA fixtures
+- For CRITICAL modules: Read @TEST_ fixtures
 
 **From existing tests:**
 - Scan `__tests__` directories for existing tests
@@ -52,8 +52,8 @@ Determine:
 
 Create coverage matrix:
 
-| Module | File | Has Tests | TIER | TEST_DATA Available |
-|--------|------|-----------|------|-------------------|
+| Module | File | Has Tests | TIER | TEST_FIXTURE Available |
+|--------|------|-----------|------|----------------------|
 | ... | ... | ... | ... | ... |
 
 ### 4. Write Tests (TDD Approach)
@@ -61,7 +61,7 @@ Create coverage matrix:
 For each module requiring tests:
 
 1. **Check existing tests**: Scan `__tests__/` for duplicates
-2. **Read TEST_DATA**: If CRITICAL tier, read @TEST_DATA from .ai/standards/semantics.md
+2. **Read TEST_FIXTURE**: If CRITICAL tier, read @TEST_FIXTURE from semantics header
 3. **Write test**: Follow co-location strategy
    - Python: `src/module/__tests__/test_module.py`
    - Svelte: `src/lib/components/__tests__/test_component.test.js`
@@ -102,6 +102,7 @@ describe('Component UX States', () => {
   // @UX_RECOVERY: Retry on error
   it('should allow retry on error', async () => { ... });
 });
+// [/DEF:__tests__/test_Component:Module]
 ```
 
 ### 5. Test Documentation
@@ -170,7 +171,7 @@ Generate test execution report:
 
 - [ ] Fix failed tests
 - [ ] Add more coverage for [module]
-- [ ] Review TEST_DATA fixtures
+- [ ] Review TEST_FIXTURE fixtures
 ```
 
 ## Context for Testing

.specify/memory/constitution.md

@@ -0,0 +1,50 @@
+# [PROJECT_NAME] Constitution
+<!-- Example: Spec Constitution, TaskFlow Constitution, etc. -->
+
+## Core Principles
+
+### [PRINCIPLE_1_NAME]
+<!-- Example: I. Library-First -->
+[PRINCIPLE_1_DESCRIPTION]
+<!-- Example: Every feature starts as a standalone library; Libraries must be self-contained, independently testable, documented; Clear purpose required - no organizational-only libraries -->
+
+### [PRINCIPLE_2_NAME]
+<!-- Example: II. CLI Interface -->
+[PRINCIPLE_2_DESCRIPTION]
+<!-- Example: Every library exposes functionality via CLI; Text in/out protocol: stdin/args → stdout, errors → stderr; Support JSON + human-readable formats -->
+
+### [PRINCIPLE_3_NAME]
+<!-- Example: III. Test-First (NON-NEGOTIABLE) -->
+[PRINCIPLE_3_DESCRIPTION]
+<!-- Example: TDD mandatory: Tests written → User approved → Tests fail → Then implement; Red-Green-Refactor cycle strictly enforced -->
+
+### [PRINCIPLE_4_NAME]
+<!-- Example: IV. Integration Testing -->
+[PRINCIPLE_4_DESCRIPTION]
+<!-- Example: Focus areas requiring integration tests: New library contract tests, Contract changes, Inter-service communication, Shared schemas -->
+
+### [PRINCIPLE_5_NAME]
+<!-- Example: V. Observability, VI. Versioning & Breaking Changes, VII. Simplicity -->
+[PRINCIPLE_5_DESCRIPTION]
+<!-- Example: Text I/O ensures debuggability; Structured logging required; Or: MAJOR.MINOR.BUILD format; Or: Start simple, YAGNI principles -->
+
+## [SECTION_2_NAME]
+<!-- Example: Additional Constraints, Security Requirements, Performance Standards, etc. -->
+
+[SECTION_2_CONTENT]
+<!-- Example: Technology stack requirements, compliance standards, deployment policies, etc. -->
+
+## [SECTION_3_NAME]
+<!-- Example: Development Workflow, Review Process, Quality Gates, etc. -->
+
+[SECTION_3_CONTENT]
+<!-- Example: Code review requirements, testing gates, deployment approval process, etc. -->
+
+## Governance
+<!-- Example: Constitution supersedes all other practices; Amendments require documentation, approval, migration plan -->
+
+[GOVERNANCE_RULES]
+<!-- Example: All PRs/reviews must verify compliance; Complexity must be justified; Use [GUIDANCE_FILE] for runtime development guidance -->
+
+**Version**: [CONSTITUTION_VERSION] | **Ratified**: [RATIFICATION_DATE] | **Last Amended**: [LAST_AMENDED_DATE]
+<!-- Example: Version: 2.1.1 | Ratified: 2025-06-13 | Last Amended: 2025-07-16 -->

.specify/scripts/bash/update-agent-context.sh

@@ -30,12 +30,12 @@
 #
 # 5. Multi-Agent Support
 #    - Handles agent-specific file paths and naming conventions
-#    - Supports: Claude, Gemini, Copilot, Cursor, Qwen, opencode, Codex, Windsurf, Kilo Code, Auggie CLI, Roo Code, CodeBuddy CLI, Qoder CLI, Amp, SHAI, or Amazon Q Developer CLI
+#    - Supports: Claude, Gemini, Copilot, Cursor, Qwen, opencode, Codex, Windsurf, Kilo Code, Auggie CLI, Roo Code, CodeBuddy CLI, Qoder CLI, Amp, SHAI, Amazon Q Developer CLI, or Antigravity
 #    - Can update single agents or all existing agent files
 #    - Creates default Claude file if no agent files exist
 #
 # Usage: ./update-agent-context.sh [agent_type]
-# Agent types: claude|gemini|copilot|cursor-agent|qwen|opencode|codex|windsurf|kilocode|auggie|shai|q|bob|qoder
+# Agent types: claude|gemini|copilot|cursor-agent|qwen|opencode|codex|windsurf|kilocode|auggie|roo|codebuddy|amp|shai|q|agy|bob|qodercli
 # Leave empty to update all existing agent files
 
 set -e
@@ -74,6 +74,7 @@ QODER_FILE="$REPO_ROOT/QODER.md"
 AMP_FILE="$REPO_ROOT/AGENTS.md"
 SHAI_FILE="$REPO_ROOT/SHAI.md"
 Q_FILE="$REPO_ROOT/AGENTS.md"
+AGY_FILE="$REPO_ROOT/.agent/rules/specify-rules.md"
 BOB_FILE="$REPO_ROOT/AGENTS.md"
 
 # Template file
@@ -618,7 +619,7 @@ update_specific_agent() {
         codebuddy)
             update_agent_file "$CODEBUDDY_FILE" "CodeBuddy CLI"
             ;;
-        qoder)
+        qodercli)
             update_agent_file "$QODER_FILE" "Qoder CLI"
             ;;
         amp)
@@ -630,12 +631,18 @@ update_specific_agent() {
         q)
             update_agent_file "$Q_FILE" "Amazon Q Developer CLI"
             ;;
+        agy)
+            update_agent_file "$AGY_FILE" "Antigravity"
+            ;;
         bob)
             update_agent_file "$BOB_FILE" "IBM Bob"
             ;;
+        generic)
+            log_info "Generic agent: no predefined context file. Use the agent-specific update script for your agent."
+            ;;
         *)
             log_error "Unknown agent type '$agent_type'"
-            log_error "Expected: claude|gemini|copilot|cursor-agent|qwen|opencode|codex|windsurf|kilocode|auggie|roo|amp|shai|q|bob|qoder"
+            log_error "Expected: claude|gemini|copilot|cursor-agent|qwen|opencode|codex|windsurf|kilocode|auggie|roo|codebuddy|amp|shai|q|agy|bob|qodercli|generic"
             exit 1
             ;;
     esac
@@ -714,7 +721,11 @@ update_all_existing_agents() {
         update_agent_file "$Q_FILE" "Amazon Q Developer CLI"
         found_agent=true
     fi
-    
+
+    if [[ -f "$AGY_FILE" ]]; then
+        update_agent_file "$AGY_FILE" "Antigravity"
+        found_agent=true
+    fi
     if [[ -f "$BOB_FILE" ]]; then
         update_agent_file "$BOB_FILE" "IBM Bob"
         found_agent=true
@@ -744,7 +755,7 @@ print_summary() {
     
     echo
 
-    log_info "Usage: $0 [claude|gemini|copilot|cursor-agent|qwen|opencode|codex|windsurf|kilocode|auggie|codebuddy|shai|q|bob|qoder]"
+    log_info "Usage: $0 [claude|gemini|copilot|cursor-agent|qwen|opencode|codex|windsurf|kilocode|auggie|roo|codebuddy|amp|shai|q|agy|bob|qodercli]"
 }
 
 #==============================================================================

.specify/templates/agent-file-template.md

@@ -2,12 +2,6 @@
 
 Auto-generated from all feature plans. Last updated: [DATE]
 
-## Knowledge Graph (GRACE)
-**CRITICAL**: This project uses a GRACE Knowledge Graph for context. Always load the root map first:
-- **Root Map**: `.ai/ROOT.md` -> `[DEF:Project_Knowledge_Map:Root]`
-- **Project Map**: `.ai/PROJECT_MAP.md` -> `[DEF:Project_Map]`
-- **Standards**: Read `.ai/standards/` for architecture and style rules.
-
 ## Active Technologies
 
 [EXTRACTED FROM ALL PLAN.MD FILES]

.specify/templates/constitution-template.md

@@ -0,0 +1,50 @@
+# [PROJECT_NAME] Constitution
+<!-- Example: Spec Constitution, TaskFlow Constitution, etc. -->
+
+## Core Principles
+
+### [PRINCIPLE_1_NAME]
+<!-- Example: I. Library-First -->
+[PRINCIPLE_1_DESCRIPTION]
+<!-- Example: Every feature starts as a standalone library; Libraries must be self-contained, independently testable, documented; Clear purpose required - no organizational-only libraries -->
+
+### [PRINCIPLE_2_NAME]
+<!-- Example: II. CLI Interface -->
+[PRINCIPLE_2_DESCRIPTION]
+<!-- Example: Every library exposes functionality via CLI; Text in/out protocol: stdin/args → stdout, errors → stderr; Support JSON + human-readable formats -->
+
+### [PRINCIPLE_3_NAME]
+<!-- Example: III. Test-First (NON-NEGOTIABLE) -->
+[PRINCIPLE_3_DESCRIPTION]
+<!-- Example: TDD mandatory: Tests written → User approved → Tests fail → Then implement; Red-Green-Refactor cycle strictly enforced -->
+
+### [PRINCIPLE_4_NAME]
+<!-- Example: IV. Integration Testing -->
+[PRINCIPLE_4_DESCRIPTION]
+<!-- Example: Focus areas requiring integration tests: New library contract tests, Contract changes, Inter-service communication, Shared schemas -->
+
+### [PRINCIPLE_5_NAME]
+<!-- Example: V. Observability, VI. Versioning & Breaking Changes, VII. Simplicity -->
+[PRINCIPLE_5_DESCRIPTION]
+<!-- Example: Text I/O ensures debuggability; Structured logging required; Or: MAJOR.MINOR.BUILD format; Or: Start simple, YAGNI principles -->
+
+## [SECTION_2_NAME]
+<!-- Example: Additional Constraints, Security Requirements, Performance Standards, etc. -->
+
+[SECTION_2_CONTENT]
+<!-- Example: Technology stack requirements, compliance standards, deployment policies, etc. -->
+
+## [SECTION_3_NAME]
+<!-- Example: Development Workflow, Review Process, Quality Gates, etc. -->
+
+[SECTION_3_CONTENT]
+<!-- Example: Code review requirements, testing gates, deployment approval process, etc. -->
+
+## Governance
+<!-- Example: Constitution supersedes all other practices; Amendments require documentation, approval, migration plan -->
+
+[GOVERNANCE_RULES]
+<!-- Example: All PRs/reviews must verify compliance; Complexity must be justified; Use [GUIDANCE_FILE] for runtime development guidance -->
+
+**Version**: [CONSTITUTION_VERSION] | **Ratified**: [RATIFICATION_DATE] | **Last Amended**: [LAST_AMENDED_DATE]
+<!-- Example: Version: 2.1.1 | Ratified: 2025-06-13 | Last Amended: 2025-07-16 -->

.specify/templates/plan-template.md

@@ -3,7 +3,7 @@
 **Branch**: `[###-feature-name]` | **Date**: [DATE] | **Spec**: [link]
 **Input**: Feature specification from `/specs/[###-feature-name]/spec.md`
 
-**Note**: This template is filled in by the `/speckit.plan` command. See `.specify/templates/commands/plan.md` for the execution workflow.
+**Note**: This template is filled in by the `/speckit.plan` command. See `.specify/templates/plan-template.md` for the execution workflow.
 
 ## Summary
 
@@ -17,12 +17,12 @@
   the iteration process.
 -->
 
-**Language/Version**: [e.g., Python 3.11, Swift 5.9, Rust 1.75 or NEEDS CLARIFICATION]
-**Primary Dependencies**: [e.g., FastAPI, Tailwind CSS, SvelteKit or NEEDS CLARIFICATION]
+**Language/Version**: [e.g., Python 3.11, Swift 5.9, Rust 1.75 or NEEDS CLARIFICATION]  
+**Primary Dependencies**: [e.g., FastAPI, UIKit, LLVM or NEEDS CLARIFICATION]  
 **Storage**: [if applicable, e.g., PostgreSQL, CoreData, files or N/A]  
 **Testing**: [e.g., pytest, XCTest, cargo test or NEEDS CLARIFICATION]  
 **Target Platform**: [e.g., Linux server, iOS 15+, WASM or NEEDS CLARIFICATION]
-**Project Type**: [single/web/mobile - determines source structure]  
+**Project Type**: [e.g., library/cli/web-service/mobile-app/compiler/desktop-app or NEEDS CLARIFICATION]  
 **Performance Goals**: [domain-specific, e.g., 1000 req/s, 10k lines/sec, 60 fps or NEEDS CLARIFICATION]  
 **Constraints**: [domain-specific, e.g., <200ms p95, <100MB memory, offline-capable or NEEDS CLARIFICATION]  
 **Scale/Scope**: [domain-specific, e.g., 10k users, 1M LOC, 50 screens or NEEDS CLARIFICATION]
@@ -102,14 +102,3 @@ directories captured above]
 |-----------|------------|-------------------------------------|
 | [e.g., 4th project] | [current need] | [why 3 projects insufficient] |
 | [e.g., Repository pattern] | [specific problem] | [why direct DB access insufficient] |
-
-## Test Data Reference
-
-> **For CRITICAL tier components, reference test fixtures from spec.md**
-
-| Component | TIER | Fixture Name | Location |
-|-----------|------|--------------|----------|
-| [e.g., DashboardAPI] | CRITICAL | valid_dashboard | spec.md#test-data-fixtures |
-| [e.g., TaskDrawer] | CRITICAL | task_states | spec.md#test-data-fixtures |
-
-**Note**: Tester Agent MUST use these fixtures when writing unit tests for CRITICAL modules. See `.ai/standards/semantics.md` for @TEST_DATA syntax.

.specify/templates/spec-template.md

@@ -1,7 +1,6 @@
 # Feature Specification: [FEATURE NAME]
 
 **Feature Branch**: `[###-feature-name]`  
-**Reference UX**: `[ux_reference.md]` (See specific folder)
 **Created**: [DATE]  
 **Status**: Draft  
 **Input**: User description: "$ARGUMENTS"
@@ -114,52 +113,3 @@
 - **SC-002**: [Measurable metric, e.g., "System handles 1000 concurrent users without degradation"]
 - **SC-003**: [User satisfaction metric, e.g., "90% of users successfully complete primary task on first attempt"]
 - **SC-004**: [Business metric, e.g., "Reduce support tickets related to [X] by 50%"]
-
----
-
-## Test Data Fixtures *(recommended for CRITICAL components)*
-
-<!--
-  Define reference/fixture data for testing CRITICAL tier components.
-  This data will be used by the Tester Agent when writing unit tests.
-  Format: JSON or YAML that matches the component's data structures.
--->
-
-### Fixtures
-
-```yaml
-# Example fixture format
-fixture_name:
-  description: "Description of this test data"
-  data:
-    # JSON or YAML data structure
-```
-
-### Example: Dashboard API
-
-```yaml
-valid_dashboard:
-  description: "Valid dashboard object for API responses"
-  data:
-    id: 1
-    title: "Sales Report"
-    slug: "sales"
-    git_status:
-      branch: "main"
-      sync_status: "OK"
-    last_task:
-      task_id: "task-123"
-      status: "SUCCESS"
-
-empty_dashboards:
-  description: "Empty dashboard list response"
-  data:
-    dashboards: []
-    total: 0
-    page: 1
-
-error_not_found:
-  description: "404 error response"
-  data:
-    detail: "Dashboard not found"
-```

.specify/templates/tasks-template.md

@@ -93,8 +93,7 @@ Examples of foundational tasks (adjust based on your project):
 - [ ] T014 [US1] Implement [Service] in src/services/[service].py (depends on T012, T013)
 - [ ] T015 [US1] Implement [endpoint/feature] in src/[location]/[file].py
 - [ ] T016 [US1] Add validation and error handling
-- [ ] T017 [US1] [P] Implement UI using Tailwind CSS (minimize scoped styles)
-- [ ] T018 [US1] Add logging for user story 1 operations
+- [ ] T017 [US1] Add logging for user story 1 operations
 
 **Checkpoint**: At this point, User Story 1 should be fully functional and testable independently
 

README.md

@@ -1,128 +1,331 @@
-# Инструменты автоматизации Superset (ss-tools)
-
-## Обзор
-**ss-tools** — это современная платформа для автоматизации и управления экосистемой Apache Superset. Проект перешел от набора CLI-скриптов к полноценному веб-приложению с архитектурой Backend (FastAPI) + Frontend (SvelteKit), обеспечивая удобный интерфейс для сложных операций.
-
-## Основные возможности
-
-### 🚀 Миграция и управление дашбордами
-- **Dashboard Grid**: Удобный просмотр всех дашбордов во всех окружениях (Dev, Sandbox, Prod) в едином интерфейсе.
-- **Интеллектуальный маппинг**: Автоматическое и ручное сопоставление датасетов, таблиц и схем при переносе между окружениями.
-- **Проверка зависимостей**: Валидация наличия всех необходимых компонентов перед миграцией.
-
-### 📦 Резервное копирование
-- **Планировщик (Scheduler)**: Автоматическое создание резервных копий дашбордов и датасетов по расписанию.
-- **Хранилище**: Локальное хранение артефактов с возможностью управления через UI.
-
-### 🛠 Git Интеграция
-- **Version Control**: Возможность версионирования ассетов Superset.
-- **Git Dashboard**: Управление ветками, коммитами и деплоем изменений напрямую из интерфейса.
-- **Conflict Resolution**: Встроенные инструменты для разрешения конфликтов в YAML-конфигурациях.
-
-### 🤖 LLM Анализ (AI Plugin)
-- **Автоматический аудит**: Анализ состояния дашбордов на основе скриншотов и метаданных.
-- **Генерация документации**: Автоматическое описание датасетов и колонок с помощью LLM (OpenAI, OpenRouter и др.).
-- **Smart Validation**: Поиск аномалий и ошибок в визуализациях.
-
-### 🔐 Безопасность и администрирование
-- **Multi-user Auth**: Многопользовательский доступ с ролевой моделью (RBAC).
-- **Управление подключениями**: Централизованная настройка доступов к различным инстансам Superset.
-- **Логирование**: Подробная история выполнения всех фоновых задач.
-
-## Технологический стек
-- **Backend**: Python 3.9+, FastAPI, SQLAlchemy, APScheduler, Pydantic.
-- **Frontend**: Node.js 18+, SvelteKit, Tailwind CSS.
-- **Database**: PostgreSQL (для хранения метаданных, задач, логов и конфигурации).
-
-## Структура проекта
-- `backend/` — Серверная часть, API и логика плагинов.
-- `frontend/` — Клиентская часть (SvelteKit приложение).
-- `specs/` — Спецификации функций и планы реализации.
-- `docs/` — Дополнительная документация по маппингу и разработке плагинов.
-
-## Быстрый старт
-
-### Требования
-- Python 3.9+
-- Node.js 18+
-- Настроенный доступ к API Superset
-
-### Запуск
-Для автоматической настройки окружений и запуска обоих серверов (Backend & Frontend) используйте скрипт:
-```bash
-./run.sh
-```
-*Скрипт создаст виртуальное окружение Python, установит зависимости `pip` и `npm`, и запустит сервисы.*
-
-Опции:
-- `--skip-install`: Пропустить установку зависимостей.
-- `--help`: Показать справку.
-
-Переменные окружения:
-- `BACKEND_PORT`: Порт API (по умолчанию 8000).
-- `FRONTEND_PORT`: Порт UI (по умолчанию 5173).
-- `POSTGRES_URL`: Базовый URL PostgreSQL по умолчанию для всех подсистем.
-- `DATABASE_URL`: URL основной БД (если не задан, используется `POSTGRES_URL`).
-- `TASKS_DATABASE_URL`: URL БД задач/логов (если не задан, используется `DATABASE_URL`).
-- `AUTH_DATABASE_URL`: URL БД авторизации (если не задан, используется PostgreSQL дефолт).
-
-## Разработка
-Проект следует строгим правилам разработки:
-1. **Semantic Code Generation**: Использование протокола `.ai/standards/semantics.md` для обеспечения надежности кода.
-2. **Design by Contract (DbC)**: Определение предусловий и постусловий для ключевых функций.
-3. **Constitution**: Соблюдение правил, описанных в конституции проекта в папке `.specify/`.
-
-### Полезные команды
-- **Backend**: `cd backend && .venv/bin/python3 -m uvicorn src.app:app --reload`
-- **Frontend**: `cd frontend && npm run dev`
-- **Тесты**: `cd backend && .venv/bin/pytest`
+# ss-tools
+
+**Инструменты автоматизации для Apache Superset: миграция, версионирование, аналитика и управление данными**
+
+## 📋 О проекте
+
+ss-tools — это комплексная платформа для автоматизации работы с Apache Superset, предоставляющая инструменты для миграции дашбордов, управления версиями через Git, LLM-анализа данных и многопользовательского контроля доступа. Система построена на модульной архитектуре с плагинной системой расширений.
+
+### 🎯 Ключевые возможности
+
+#### 🔄 Миграция данных
+- **Миграция дашбордов и датасетов** между окружениями (dev/staging/prod)
+- **Dry-run режим** с детальным анализом рисков и предпросмотром изменений
+- **Автоматическое маппинг** баз данных и ресурсов между окружениями
+- **Поддержка legacy-данных** с миграцией из SQLite в PostgreSQL
+
+#### 🌿 Git-интеграция
+- **Версионирование** дашбордов через Git-репозитории
+- **Управление ветками** и коммитами с помощью LLM
+- **Деплой** дашбордов из Git в целевые окружения
+- **История изменений** с детальным diff
+
+#### 🤖 LLM-аналитика
+- **Автоматическая валидация** дашбордов с помощью ИИ
+- **Генерация документации** для датасетов
+- **Assistant API** для natural language команд
+- **Интеллектуальное коммитинг** с подсказками сообщений
+
+#### 📊 Управление и мониторинг
+- **Многопользовательская авторизация** (RBAC)
+- **Фоновые задачи** с реальным логированием через WebSocket
+- **Унифицированные отчеты** по выполненным задачам
+- **Хранение артефактов** с политиками retention
+- **Аудит логирование** всех действий
+
+#### 🔌 Плагины
+- **MigrationPlugin** — миграция дашбордов
+- **BackupPlugin** — резервное копирование
+- **GitPlugin** — управление версиями
+- **LLMAnalysisPlugin** — аналитика и документация
+- **MapperPlugin** — маппинг колонок
+- **DebugPlugin** — диагностика системы
+- **SearchPlugin** — поиск по датасетам
+
+## 🏗️ Архитектура
+
+### Технологический стек
+
+**Backend:**
+- Python 3.9+ (FastAPI, SQLAlchemy, APScheduler)
+- PostgreSQL (основная БД)
+- GitPython для Git-операций
+- OpenAI API для LLM-функций
+- Playwright для скриншотов
+
+**Frontend:**
+- SvelteKit (Svelte 5.x)
+- Vite
+- Tailwind CSS
+- WebSocket для реального логирования
+
+**DevOps:**
+- Docker & Docker Compose
+- PostgreSQL 16
+
+### Модульная структура
+
+```
+ss-tools/
+├── backend/                    # Backend API
+│   ├── src/
+│   │   ├── api/               # API маршруты
+│   │   ├── core/              # Ядро системы
+│   │   │   ├── task_manager/  # Управление задачами
+│   │   │   ├── auth/          # Авторизация
+│   │   │   ├── migration/     # Миграция данных
+│   │   │   └── plugins/       # Плагины
+│   │   ├── models/            # Модели данных
+│   │   ├── services/          # Бизнес-логика
+│   │   └── schemas/           # Pydantic схемы
+│   └── tests/                 # Тесты
+├── frontend/                   # SvelteKit приложение
+│   ├── src/
+│   │   ├── routes/            # Страницы
+│   │   ├── lib/
+│   │   │   ├── components/    # UI компоненты
+│   │   │   ├── stores/        # Svelte stores
+│   │   │   └── api/           # API клиент
+│   │   └── i18n/              # Мультиязычность
+│   └── tests/
+├── docker/                     # Docker конфигурация
+├── docs/                       # Документация
+└── specs/                      # Спецификации
+```
+
+## 🚀 Быстрый старт
+
+### Требования
+
+**Локальная разработка:**
+- Python 3.9+
+- Node.js 18+
+- npm
+- 2 GB RAM (минимум)
+- 5 GB свободного места
+
+**Docker (рекомендуется):**
+- Docker Engine 24+
+- Docker Compose v2
+- 4 GB RAM (для стабильной работы)
+
+### Установка и запуск
+
+#### Вариант 1: Docker (рекомендуется)
 
-## Docker и CI/CD
-### Локальный запуск в Docker (приложение + PostgreSQL)
 ```bash
+# Клонирование репозитория
+git clone <repository-url>
+cd ss-tools
+
+# Запуск всех сервисов
 docker compose up --build
+
+# После запуска:
+# Frontend: http://localhost:8000
+# Backend API: http://localhost:8001
+# PostgreSQL: localhost:5432
 ```
 
-После старта:
-- UI/API: `http://localhost:8000`
-- PostgreSQL: `localhost:5432` (`postgres/postgres`, DB `ss_tools`)
+#### Вариант 2: Локально
 
-Остановить:
 ```bash
-docker compose down
+# Backend
+cd backend
+python3 -m venv .venv
+source .venv/bin/activate
+pip install -r requirements.txt
+python3 -m uvicorn src.app:app --reload --port 8000
+
+# Frontend (в новом терминале)
+cd frontend
+npm install
+npm run dev -- --port 5173
 ```
 
-Полная очистка тома БД:
+### Первичная настройка
+
 ```bash
-docker compose down -v
+# Инициализация БД
+cd backend
+source .venv/bin/activate
+python src/scripts/init_auth_db.py
+
+# Создание администратора
+python src/scripts/create_admin.py --username admin --password admin
 ```
 
-Если `postgres:16-alpine` не тянется из Docker Hub (TLS timeout), используйте fallback image:
-```bash
-POSTGRES_IMAGE=mirror.gcr.io/library/postgres:16-alpine docker compose up -d db
-```
-или:
-```bash
-POSTGRES_IMAGE=bitnami/postgresql:latest docker compose up -d db
-```
-Если на хосте уже занят `5432`, поднимайте Postgres на другом порту:
-```bash
-POSTGRES_HOST_PORT=5433 docker compose up -d db
-```
+## 🏢 Enterprise Clean Deployment (internal-only)
+
+Для разворота в корпоративной сети используйте профиль enterprise clean:
+
+- очищенный дистрибутив без test/demo/load-test данных;
+- запрет внешних интернет-источников;
+- загрузка ресурсов только с внутренних серверов компании;
+- обязательная блокирующая проверка clean/compliance перед выпуском.
+
+### Операционный workflow (CLI/API/TUI)
+
+#### 1) Headless flow через CLI (рекомендуется для CI/CD)
 
-### Миграция legacy-данных в PostgreSQL
-Если нужно перенести старые данные из `tasks.db`/`config.json`:
 ```bash
 cd backend
-PYTHONPATH=. .venv/bin/python src/scripts/migrate_sqlite_to_postgres.py --sqlite-path tasks.db
+
+# 1. Регистрация кандидата
+.venv/bin/python3 -m src.scripts.clean_release_cli candidate-register \
+  --candidate-id 2026.03.09-rc1 \
+  --version 1.0.0 \
+  --source-snapshot-ref git:release/2026.03.09-rc1 \
+  --created-by release-operator
+
+# 2. Импорт артефактов
+.venv/bin/python3 -m src.scripts.clean_release_cli artifact-import \
+  --candidate-id 2026.03.09-rc1 \
+  --artifact-id artifact-001 \
+  --path backend/dist/package.tar.gz \
+  --sha256 deadbeef \
+  --size 1024
+
+# 3. Сборка манифеста
+.venv/bin/python3 -m src.scripts.clean_release_cli manifest-build \
+  --candidate-id 2026.03.09-rc1 \
+  --created-by release-operator
+
+# 4. Запуск compliance
+.venv/bin/python3 -m src.scripts.clean_release_cli compliance-run \
+  --candidate-id 2026.03.09-rc1 \
+  --actor release-operator
+```
+
+#### 2) API flow (автоматизация через сервисы)
+
+- V2 candidate/artifact/manifest API:
+  - `POST /api/clean-release/candidates`
+  - `POST /api/clean-release/candidates/{candidate_id}/artifacts`
+  - `POST /api/clean-release/candidates/{candidate_id}/manifests`
+  - `GET /api/clean-release/candidates/{candidate_id}/overview`
+- Legacy compatibility API (оставлены для миграции клиентов):
+  - `POST /api/clean-release/candidates/prepare`
+  - `POST /api/clean-release/checks`
+  - `GET /api/clean-release/checks/{check_run_id}`
+
+#### 3) TUI flow (тонкий клиент поверх facade)
+
+```bash
+cd /home/busya/dev/ss-tools
+./run_clean_tui.sh 2026.03.09-rc1
+```
+
+Горячие клавиши:
+- `F5`: Run Compliance
+- `F6`: Build Manifest
+- `F7`: Reset Draft
+- `F8`: Approve
+- `F9`: Publish
+- `F10`: Refresh Overview
+
+Важно: TUI требует валидный TTY. Без TTY запуск отклоняется с инструкцией использовать CLI/API.
+
+Типовые внутренние источники:
+- `repo.intra.company.local`
+- `artifacts.intra.company.local`
+- `pypi.intra.company.local`
+
+Если найден внешний endpoint, выпуск получает статус `BLOCKED` до исправления.
+
+## 📖 Документация
+
+- [Установка и настройка](docs/installation.md)
+- [Архитектура системы](docs/architecture.md)
+- [Разработка плагинов](docs/plugin_dev.md)
+- [API документация](http://localhost:8001/docs)
+- [Настройка окружений](docs/settings.md)
+
+## 🧪 Тестирование
+
+```bash
+# Backend тесты
+cd backend
+source .venv/bin/activate
+pytest
+
+# Frontend тесты
+cd frontend
+npm run test
+
+# Запуск конкретного теста
+pytest tests/test_auth.py::test_create_user
+```
+
+
+
+## 🔐 Авторизация
+
+Система поддерживает два метода аутентификации:
+
+1. **Локальная аутентификация** (username/password)
+2. **ADFS SSO** (Active Directory Federation Services)
+
+### Управление пользователями и ролями
+
+```bash
+# Получение списка пользователей
+GET /api/admin/users
+
+# Создание пользователя
+POST /api/admin/users
+{
+  "username": "newuser",
+  "email": "user@example.com",
+  "password": "password123",
+  "roles": ["analyst"]
+}
+
+# Создание роли
+POST /api/admin/roles
+{
+  "name": "analyst",
+  "permissions": ["dashboards:read", "dashboards:write"]
+}
+```
+
+## 📊 Мониторинг
+
+### Отчеты о задачах
+
+```bash
+# Список всех отчетов
+GET /api/reports?page=1&page_size=20
+
+# Детали отчета
+GET /api/reports/{report_id}
+
+# Фильтры
+GET /api/reports?status=failed&task_type=validation&date_from=2024-01-01
+```
+
+### Активность
+
+- **Dashboard Hub** — управление дашбордами с Git-статусом
+- **Dataset Hub** — управление датасетами с прогрессом маппинга
+- **Task Drawer** — мониторинг выполнения фоновых задач
+- **Unified Reports** — унифицированные отчеты по всем типам задач
+
+## 🔄 Обновление системы
+
+```bash
+# Обновление Docker контейнеров
+docker compose pull
+docker compose up -d
+
+# Обновление зависимостей Python
+cd backend
+source .venv/bin/activate
+pip install -r requirements.txt --upgrade
+
+# Обновление зависимостей Node.js
+cd frontend
+npm install
 ```
 
-### CI/CD
-Добавлен workflow: `.github/workflows/ci-cd.yml`
-- backend smoke tests
-- frontend build
-- docker build
-- push образа в GHCR на `main/master`
 
-## Контакты и вклад
-Для добавления новых функций или исправления ошибок, пожалуйста, ознакомьтесь с `docs/plugin_dev.md` и создайте соответствующую спецификацию в `specs/`.

artifacts.json

@@ -0,0 +1,14 @@
+[
+  {
+    "path": "src/main.py",
+    "category": "core"
+  },
+  {
+    "path": "src/api/routes/clean_release.py",
+    "category": "core"
+  },
+  {
+    "path": "docs/installation.md",
+    "category": "docs"
+  }
+]

backend/conftest.py

@@ -0,0 +1,14 @@
+# conftest.py at backend root
+# Prevents pytest collection errors caused by duplicate test module names
+# between the root tests/ directory and co-located src/<module>/__tests__/ directories.
+# Without this, pytest sees e.g. tests/test_auth.py and src/core/auth/__tests__/test_auth.py
+# and raises "import file mismatch" because both map to module name "test_auth".
+
+import os
+
+# Files in tests/ that clash with __tests__/ co-located tests
+collect_ignore = [
+    os.path.join("tests", "test_auth.py"),
+    os.path.join("tests", "test_logger.py"),
+    os.path.join("tests", "test_models.py"),
+]

backend/pyproject.toml

@@ -0,0 +1,3 @@
+[tool.pytest.ini_options]
+pythonpath = ["."]
+importmode = "importlib"

backend/src/api/routes/__init__.py

@@ -1,10 +1,23 @@
-# Lazy loading of route modules to avoid import issues in tests
-# This allows tests to import routes without triggering all module imports
-
-__all__ = ['plugins', 'tasks', 'settings', 'connections', 'environments', 'mappings', 'migration', 'git', 'storage', 'admin', 'reports']
-
-def __getattr__(name):
-    if name in __all__:
-        import importlib
-        return importlib.import_module(f".{name}", __name__)
-    raise AttributeError(f"module {__name__!r} has no attribute {name!r}")
+# [DEF:backend.src.api.routes.__init__:Module]
+# @TIER: STANDARD
+# @SEMANTICS: routes, lazy-import, module-registry
+# @PURPOSE: Provide lazy route module loading to avoid heavyweight imports during tests.
+# @LAYER: API
+# @RELATION: DEPENDS_ON -> importlib
+# @INVARIANT: Only names listed in __all__ are importable via __getattr__.
+
+__all__ = ['plugins', 'tasks', 'settings', 'connections', 'environments', 'mappings', 'migration', 'git', 'storage', 'admin', 'reports', 'assistant', 'clean_release', 'profile']
+
+
+# [DEF:__getattr__:Function]
+# @TIER: TRIVIAL
+# @PURPOSE: Lazily import route module by attribute name.
+# @PRE: name is module candidate exposed in __all__.
+# @POST: Returns imported submodule or raises AttributeError.
+def __getattr__(name):
+    if name in __all__:
+        import importlib
+        return importlib.import_module(f".{name}", __name__)
+    raise AttributeError(f"module {__name__!r} has no attribute {name!r}")
+# [/DEF:__getattr__:Function]
+# [/DEF:backend.src.api.routes.__init__:Module]

backend/src/api/routes/__tests__/test_assistant_api.py

@@ -0,0 +1,697 @@
+# [DEF:backend.src.api.routes.__tests__.test_assistant_api:Module]
+# @TIER: STANDARD
+# @SEMANTICS: tests, assistant, api, confirmation, status
+# @PURPOSE: Validate assistant API endpoint logic via direct async handler invocation.
+# @LAYER: UI (API Tests)
+# @RELATION: DEPENDS_ON -> backend.src.api.routes.assistant
+# @INVARIANT: Every test clears assistant in-memory state before execution.
+
+import os
+import asyncio
+from types import SimpleNamespace
+from datetime import datetime, timedelta
+import pytest
+
+# Force isolated sqlite databases for test module before dependencies import.
+os.environ.setdefault("DATABASE_URL", "sqlite:////tmp/ss_tools_assistant_api.db")
+os.environ.setdefault("TASKS_DATABASE_URL", "sqlite:////tmp/ss_tools_assistant_tasks.db")
+os.environ.setdefault("AUTH_DATABASE_URL", "sqlite:////tmp/ss_tools_assistant_auth.db")
+
+from src.api.routes import assistant as assistant_module
+from src.models.assistant import (
+    AssistantAuditRecord,
+    AssistantConfirmationRecord,
+    AssistantMessageRecord,
+)
+
+
+# [DEF:_run_async:Function]
+# @TIER: TRIVIAL
+# @PURPOSE: Execute async endpoint handler in synchronous test context.
+# @PRE: coroutine is awaitable endpoint invocation.
+# @POST: Returns coroutine result or raises propagated exception.
+def _run_async(coroutine):
+    return asyncio.run(coroutine)
+
+
+# [/DEF:_run_async:Function]
+# [DEF:_FakeTask:Class]
+# @TIER: TRIVIAL
+# @PURPOSE: Lightweight task stub used by assistant API tests.
+class _FakeTask:
+    def __init__(self, task_id: str, status: str = "RUNNING", user_id: str = "u-admin"):
+        self.id = task_id
+        self.status = status
+        self.user_id = user_id
+
+
+# [/DEF:_FakeTask:Class]
+# [DEF:_FakeTaskManager:Class]
+# @TIER: TRIVIAL
+# @PURPOSE: Minimal async-compatible TaskManager fixture for deterministic test flows.
+class _FakeTaskManager:
+    def __init__(self):
+        self._created = []
+
+    async def create_task(self, plugin_id, params, user_id=None):
+        task_id = f"task-{len(self._created) + 1}"
+        task = _FakeTask(task_id=task_id, status="RUNNING", user_id=user_id)
+        self._created.append((plugin_id, params, user_id, task))
+        return task
+
+    def get_task(self, task_id):
+        for _, _, _, task in self._created:
+            if task.id == task_id:
+                return task
+        return None
+
+    def get_tasks(self, limit=20, offset=0):
+        return [x[3] for x in self._created][offset : offset + limit]
+
+
+# [/DEF:_FakeTaskManager:Class]
+# [DEF:_FakeConfigManager:Class]
+# @TIER: TRIVIAL
+# @PURPOSE: Environment config fixture with dev/prod aliases for parser tests.
+class _FakeConfigManager:
+    def get_environments(self):
+        return [
+            SimpleNamespace(id="dev", name="Development", url="http://dev", credentials_id="dev", username="fakeuser", password="fakepassword"),
+            SimpleNamespace(id="prod", name="Production", url="http://prod", credentials_id="prod", username="fakeuser", password="fakepassword"),
+        ]
+
+    def get_config(self):
+        return SimpleNamespace(
+            settings=SimpleNamespace(migration_sync_cron="0 0 * * *"),
+            environments=self.get_environments()
+        )
+# [/DEF:_FakeConfigManager:Class]
+# [DEF:_admin_user:Function]
+# @TIER: TRIVIAL
+# @PURPOSE: Build admin principal fixture.
+# @PRE: Test harness requires authenticated admin-like principal object.
+# @POST: Returns user stub with Admin role.
+def _admin_user():
+    role = SimpleNamespace(name="Admin", permissions=[])
+    return SimpleNamespace(id="u-admin", username="admin", roles=[role])
+
+
+# [/DEF:_admin_user:Function]
+# [DEF:_limited_user:Function]
+# @TIER: TRIVIAL
+# @PURPOSE: Build non-admin principal fixture.
+# @PRE: Test harness requires restricted principal for deny scenarios.
+# @POST: Returns user stub without admin privileges.
+def _limited_user():
+    role = SimpleNamespace(name="Operator", permissions=[])
+    return SimpleNamespace(id="u-limited", username="limited", roles=[role])
+
+
+# [/DEF:_limited_user:Function]
+# [DEF:_FakeQuery:Class]
+# @TIER: TRIVIAL
+# @PURPOSE: Minimal chainable query object for fake SQLAlchemy-like DB behavior in tests.
+class _FakeQuery:
+    def __init__(self, rows):
+        self._rows = list(rows)
+
+    def filter(self, *args, **kwargs):
+        return self
+
+    def order_by(self, *args, **kwargs):
+        return self
+
+    def first(self):
+        return self._rows[0] if self._rows else None
+
+    def all(self):
+        return list(self._rows)
+
+    def count(self):
+        return len(self._rows)
+
+    def offset(self, offset):
+        self._rows = self._rows[offset:]
+        return self
+
+    def limit(self, limit):
+        self._rows = self._rows[:limit]
+        return self
+
+
+# [/DEF:_FakeQuery:Class]
+# [DEF:_FakeDb:Class]
+# @TIER: TRIVIAL
+# @PURPOSE: In-memory fake database implementing subset of Session interface used by assistant routes.
+class _FakeDb:
+    def __init__(self):
+        self._messages = []
+        self._confirmations = []
+        self._audit = []
+
+    def add(self, row):
+        table = getattr(row, "__tablename__", "")
+        if table == "assistant_messages":
+            self._messages.append(row)
+            return
+        if table == "assistant_confirmations":
+            self._confirmations.append(row)
+            return
+        if table == "assistant_audit":
+            self._audit.append(row)
+
+    def merge(self, row):
+        table = getattr(row, "__tablename__", "")
+        if table != "assistant_confirmations":
+            self.add(row)
+            return row
+
+        for i, existing in enumerate(self._confirmations):
+            if getattr(existing, "id", None) == getattr(row, "id", None):
+                self._confirmations[i] = row
+                return row
+        self._confirmations.append(row)
+        return row
+
+    def query(self, model):
+        if model is AssistantMessageRecord:
+            return _FakeQuery(self._messages)
+        if model is AssistantConfirmationRecord:
+            return _FakeQuery(self._confirmations)
+        if model is AssistantAuditRecord:
+            return _FakeQuery(self._audit)
+        return _FakeQuery([])
+
+    def commit(self):
+        return None
+
+    def rollback(self):
+        return None
+
+
+# [/DEF:_FakeDb:Class]
+# [DEF:_clear_assistant_state:Function]
+# @TIER: TRIVIAL
+# @PURPOSE: Reset in-memory assistant registries for isolation between tests.
+# @PRE: Assistant module globals may contain residues from previous test runs.
+# @POST: In-memory conversation/confirmation/audit dictionaries are empty.
+def _clear_assistant_state():
+    assistant_module.CONVERSATIONS.clear()
+    assistant_module.USER_ACTIVE_CONVERSATION.clear()
+    assistant_module.CONFIRMATIONS.clear()
+    assistant_module.ASSISTANT_AUDIT.clear()
+
+
+# [/DEF:_clear_assistant_state:Function]
+# [DEF:test_unknown_command_returns_needs_clarification:Function]
+# @PURPOSE: Unknown command should return clarification state and unknown intent.
+# @PRE: Fake dependencies provide admin user and deterministic task/config/db services.
+# @POST: Response state is needs_clarification and no execution side-effect occurs.
+def test_unknown_command_returns_needs_clarification():
+    _clear_assistant_state()
+    response = _run_async(
+        assistant_module.send_message(
+            request=assistant_module.AssistantMessageRequest(message="сделай что-нибудь"),
+            current_user=_admin_user(),
+            task_manager=_FakeTaskManager(),
+            config_manager=_FakeConfigManager(),
+            db=_FakeDb(),
+        )
+    )
+    assert response.state == "needs_clarification"
+    assert response.intent["domain"] == "unknown"
+
+
+# [/DEF:test_unknown_command_returns_needs_clarification:Function]
+
+
+# [DEF:test_capabilities_question_returns_successful_help:Function]
+# @PURPOSE: Capability query should return deterministic help response, not clarification.
+# @PRE: User sends natural-language "what can you do" style query.
+# @POST: Response is successful and includes capabilities summary.
+def test_capabilities_question_returns_successful_help():
+    _clear_assistant_state()
+    response = _run_async(
+        assistant_module.send_message(
+            request=assistant_module.AssistantMessageRequest(message="Что ты умеешь?"),
+            current_user=_admin_user(),
+            task_manager=_FakeTaskManager(),
+            config_manager=_FakeConfigManager(),
+            db=_FakeDb(),
+        )
+    )
+    assert response.state == "success"
+    assert "Вот что я могу сделать" in response.text
+    assert "Миграции" in response.text or "Git" in response.text
+
+
+# [/DEF:test_capabilities_question_returns_successful_help:Function]
+# [DEF:test_non_admin_command_returns_denied:Function]
+# @PURPOSE: Non-admin user must receive denied state for privileged command.
+# @PRE: Limited principal executes privileged git branch command.
+# @POST: Response state is denied and operation is not executed.
+def test_non_admin_command_returns_denied():
+    _clear_assistant_state()
+    response = _run_async(
+        assistant_module.send_message(
+            request=assistant_module.AssistantMessageRequest(
+                message="создай ветку feature/test для дашборда 12"
+            ),
+            current_user=_limited_user(),
+            task_manager=_FakeTaskManager(),
+            config_manager=_FakeConfigManager(),
+            db=_FakeDb(),
+        )
+    )
+    assert response.state == "denied"
+
+
+# [/DEF:test_non_admin_command_returns_denied:Function]
+# [DEF:test_migration_to_prod_requires_confirmation_and_can_be_confirmed:Function]
+# @PURPOSE: Migration to prod must require confirmation and then start task after explicit confirm.
+# @PRE: Admin principal submits dangerous migration command.
+# @POST: Confirmation endpoint transitions flow to started state with task id.
+def test_migration_to_prod_requires_confirmation_and_can_be_confirmed():
+    _clear_assistant_state()
+    task_manager = _FakeTaskManager()
+    db = _FakeDb()
+
+    first = _run_async(
+        assistant_module.send_message(
+            request=assistant_module.AssistantMessageRequest(
+                message="запусти миграцию с dev на prod для дашборда 12"
+            ),
+            current_user=_admin_user(),
+            task_manager=task_manager,
+            config_manager=_FakeConfigManager(),
+            db=db,
+        )
+    )
+    assert first.state == "needs_confirmation"
+    assert first.confirmation_id
+
+    second = _run_async(
+        assistant_module.confirm_operation(
+            confirmation_id=first.confirmation_id,
+            current_user=_admin_user(),
+            task_manager=task_manager,
+            config_manager=_FakeConfigManager(),
+            db=db,
+        )
+    )
+    assert second.state == "started"
+    assert second.task_id.startswith("task-")
+
+
+# [/DEF:test_migration_to_prod_requires_confirmation_and_can_be_confirmed:Function]
+# [DEF:test_status_query_returns_task_status:Function]
+# @PURPOSE: Task status command must surface current status text for existing task id.
+# @PRE: At least one task exists after confirmed operation.
+# @POST: Status query returns started/success and includes referenced task id.
+def test_status_query_returns_task_status():
+    _clear_assistant_state()
+    task_manager = _FakeTaskManager()
+    db = _FakeDb()
+
+    start = _run_async(
+        assistant_module.send_message(
+            request=assistant_module.AssistantMessageRequest(
+                message="запусти миграцию с dev на prod для дашборда 10"
+            ),
+            current_user=_admin_user(),
+            task_manager=task_manager,
+            config_manager=_FakeConfigManager(),
+            db=db,
+        )
+    )
+    confirm = _run_async(
+        assistant_module.confirm_operation(
+            confirmation_id=start.confirmation_id,
+            current_user=_admin_user(),
+            task_manager=task_manager,
+            config_manager=_FakeConfigManager(),
+            db=db,
+        )
+    )
+    task_id = confirm.task_id
+
+    status_resp = _run_async(
+        assistant_module.send_message(
+            request=assistant_module.AssistantMessageRequest(
+                message=f"проверь статус задачи {task_id}"
+            ),
+            current_user=_admin_user(),
+            task_manager=task_manager,
+            config_manager=_FakeConfigManager(),
+            db=db,
+        )
+    )
+    assert status_resp.state in {"started", "success"}
+    assert task_id in status_resp.text
+
+
+# [/DEF:test_status_query_returns_task_status:Function]
+# [DEF:test_status_query_without_task_id_returns_latest_user_task:Function]
+# @PURPOSE: Status command without explicit task_id should resolve to latest task for current user.
+# @PRE: User has at least one created task in task manager history.
+# @POST: Response references latest task status without explicit task id in command.
+def test_status_query_without_task_id_returns_latest_user_task():
+    _clear_assistant_state()
+    task_manager = _FakeTaskManager()
+    db = _FakeDb()
+
+    start = _run_async(
+        assistant_module.send_message(
+            request=assistant_module.AssistantMessageRequest(
+                message="запусти миграцию с dev на prod для дашборда 33"
+            ),
+            current_user=_admin_user(),
+            task_manager=task_manager,
+            config_manager=_FakeConfigManager(),
+            db=db,
+        )
+    )
+    _run_async(
+        assistant_module.confirm_operation(
+            confirmation_id=start.confirmation_id,
+            current_user=_admin_user(),
+            task_manager=task_manager,
+            config_manager=_FakeConfigManager(),
+            db=db,
+        )
+    )
+
+    status_resp = _run_async(
+        assistant_module.send_message(
+            request=assistant_module.AssistantMessageRequest(
+                message="покажи статус последней задачи"
+            ),
+            current_user=_admin_user(),
+            task_manager=task_manager,
+            config_manager=_FakeConfigManager(),
+            db=db,
+        )
+    )
+    assert status_resp.state in {"started", "success"}
+    assert "Последняя задача:" in status_resp.text
+
+
+# [/DEF:test_status_query_without_task_id_returns_latest_user_task:Function]
+# [DEF:test_llm_validation_with_dashboard_ref_requires_confirmation:Function]
+# @PURPOSE: LLM validation with dashboard_ref should now require confirmation before dispatch.
+# @PRE: User sends natural-language validation request with dashboard name (not numeric id).
+# @POST: Response state is needs_confirmation since all state-changing operations are now gated.
+def test_llm_validation_with_dashboard_ref_requires_confirmation():
+    _clear_assistant_state()
+    response = _run_async(
+        assistant_module.send_message(
+            request=assistant_module.AssistantMessageRequest(
+                message="Я хочу сделать валидацию дашборда test1"
+            ),
+            current_user=_admin_user(),
+            task_manager=_FakeTaskManager(),
+            config_manager=_FakeConfigManager(),
+            db=_FakeDb(),
+        )
+    )
+
+    assert response.state == "needs_confirmation"
+    assert response.confirmation_id is not None
+    action_types = {a.type for a in response.actions}
+    assert "confirm" in action_types
+    assert "cancel" in action_types
+
+
+# [/DEF:test_llm_validation_missing_dashboard_returns_needs_clarification:Function]
+
+
+# [DEF:test_list_conversations_groups_by_conversation_and_marks_archived:Function]
+# @PURPOSE: Conversations endpoint must group messages and compute archived marker by inactivity threshold.
+# @PRE: Fake DB contains two conversations with different update timestamps.
+# @POST: Response includes both conversations with archived flag set for stale one.
+def test_list_conversations_groups_by_conversation_and_marks_archived():
+    _clear_assistant_state()
+    db = _FakeDb()
+    now = datetime.utcnow()
+
+    db.add(
+        AssistantMessageRecord(
+            id="m-1",
+            user_id="u-admin",
+            conversation_id="conv-active",
+            role="user",
+            text="active chat",
+            created_at=now,
+        )
+    )
+    db.add(
+        AssistantMessageRecord(
+            id="m-2",
+            user_id="u-admin",
+            conversation_id="conv-old",
+            role="user",
+            text="old chat",
+            created_at=now - timedelta(days=32), # Hardcoded threshold+2
+        )
+    )
+
+    result = _run_async(
+        assistant_module.list_conversations(
+            page=1,
+            page_size=20,
+            include_archived=True,
+            search=None,
+            current_user=_admin_user(),
+            db=db,
+        )
+    )
+
+    assert result["total"] == 2
+    by_id = {item["conversation_id"]: item for item in result["items"]}
+    assert by_id["conv-active"]["archived"] is False
+    assert by_id["conv-old"]["archived"] is True
+
+
+# [/DEF:test_list_conversations_groups_by_conversation_and_marks_archived:Function]
+
+
+# [DEF:test_history_from_latest_returns_recent_page_first:Function]
+# @PURPOSE: History endpoint from_latest mode must return newest page while preserving chronological order in chunk.
+# @PRE: Conversation has more messages than single page size.
+# @POST: First page returns latest messages and has_next indicates older pages exist.
+def test_history_from_latest_returns_recent_page_first():
+    _clear_assistant_state()
+    db = _FakeDb()
+    base_time = datetime.utcnow() - timedelta(minutes=10)
+    conv_id = "conv-paginated"
+    for i in range(4, -1, -1):
+        db.add(
+            AssistantMessageRecord(
+                id=f"msg-{i}",
+                user_id="u-admin",
+                conversation_id=conv_id,
+                role="user" if i % 2 == 0 else "assistant",
+                text=f"message-{i}",
+                created_at=base_time + timedelta(minutes=i),
+            )
+        )
+
+    result = _run_async(
+        assistant_module.get_history(
+            page=1,
+            page_size=2,
+            conversation_id=conv_id,
+            from_latest=True,
+            current_user=_admin_user(),
+            db=db,
+        )
+    )
+
+    assert result["from_latest"] is True
+    assert result["has_next"] is True
+    # Chunk is chronological while representing latest page.
+    assert [item["text"] for item in result["items"]] == ["message-3", "message-4"]
+
+
+# [/DEF:test_history_from_latest_returns_recent_page_first:Function]
+
+
+# [DEF:test_list_conversations_archived_only_filters_active:Function]
+# @PURPOSE: archived_only mode must return only archived conversations.
+# @PRE: Dataset includes one active and one archived conversation.
+# @POST: Only archived conversation remains in response payload.
+def test_list_conversations_archived_only_filters_active():
+    _clear_assistant_state()
+    db = _FakeDb()
+    now = datetime.utcnow()
+    db.add(
+        AssistantMessageRecord(
+            id="m-active",
+            user_id="u-admin",
+            conversation_id="conv-active-2",
+            role="user",
+            text="active",
+            created_at=now,
+        )
+    )
+    db.add(
+        AssistantMessageRecord(
+            id="m-archived",
+            user_id="u-admin",
+            conversation_id="conv-archived-2",
+            role="user",
+            text="archived",
+            created_at=now - timedelta(days=33), # Hardcoded threshold+3
+        )
+    )
+
+    result = _run_async(
+        assistant_module.list_conversations(
+            page=1,
+            page_size=20,
+            include_archived=True,
+            archived_only=True,
+            search=None,
+            current_user=_admin_user(),
+            db=db,
+        )
+    )
+
+    assert result["total"] == 1
+    assert result["items"][0]["conversation_id"] == "conv-archived-2"
+    assert result["items"][0]["archived"] is True
+
+
+# [/DEF:test_list_conversations_archived_only_filters_active:Function]
+
+
+# [DEF:test_guarded_operation_always_requires_confirmation:Function]
+# @PURPOSE: Non-dangerous (guarded) commands must still require confirmation before execution.
+# @PRE: Admin user sends a backup command that was previously auto-executed.
+# @POST: Response state is needs_confirmation with confirm and cancel actions.
+def test_guarded_operation_always_requires_confirmation():
+    _clear_assistant_state()
+    response = _run_async(
+        assistant_module.send_message(
+            request=assistant_module.AssistantMessageRequest(
+                message="сделай бэкап окружения dev"
+            ),
+            current_user=_admin_user(),
+            task_manager=_FakeTaskManager(),
+            config_manager=_FakeConfigManager(),
+            db=_FakeDb(),
+        )
+    )
+    assert response.state == "needs_confirmation"
+    assert response.confirmation_id is not None
+    action_types = {a.type for a in response.actions}
+    assert "confirm" in action_types
+    assert "cancel" in action_types
+    assert "Выполнить" in response.text or "Подтвердите" in response.text
+
+
+# [/DEF:test_guarded_operation_always_requires_confirmation:Function]
+
+
+# [DEF:test_guarded_operation_confirm_roundtrip:Function]
+# @PURPOSE: Guarded operation must execute successfully after explicit confirmation.
+# @PRE: Admin user sends a non-dangerous migration command (dev → dev).
+# @POST: After confirmation, response transitions to started/success with task_id.
+def test_guarded_operation_confirm_roundtrip():
+    _clear_assistant_state()
+    task_manager = _FakeTaskManager()
+    db = _FakeDb()
+
+    first = _run_async(
+        assistant_module.send_message(
+            request=assistant_module.AssistantMessageRequest(
+                message="запусти миграцию с dev на dev для дашборда 5"
+            ),
+            current_user=_admin_user(),
+            task_manager=task_manager,
+            config_manager=_FakeConfigManager(),
+            db=db,
+        )
+    )
+    assert first.state == "needs_confirmation"
+    assert first.confirmation_id
+
+    second = _run_async(
+        assistant_module.confirm_operation(
+            confirmation_id=first.confirmation_id,
+            current_user=_admin_user(),
+            task_manager=task_manager,
+            config_manager=_FakeConfigManager(),
+            db=db,
+        )
+    )
+    assert second.state == "started"
+    assert second.task_id is not None
+
+
+# [DEF:test_confirm_nonexistent_id_returns_404:Function]
+# @PURPOSE: Confirming a non-existent ID should raise 404.
+# @PRE: user tries to confirm a random/fake UUID.
+# @POST: FastAPI HTTPException with status 404.
+def test_confirm_nonexistent_id_returns_404():
+    from fastapi import HTTPException
+    _clear_assistant_state()
+    with pytest.raises(HTTPException) as exc:
+        _run_async(
+            assistant_module.confirm_operation(
+                confirmation_id="non-existent-id",
+                current_user=_admin_user(),
+                task_manager=_FakeTaskManager(),
+                config_manager=_FakeConfigManager(),
+                db=_FakeDb(),
+            )
+        )
+    assert exc.value.status_code == 404
+
+
+# [DEF:test_migration_with_dry_run_includes_summary:Function]
+# @PURPOSE: Migration command with dry run flag must return the dry run summary in confirmation text.
+# @PRE: user specifies a migration with --dry-run flag.
+# @POST: Response state is needs_confirmation and text contains dry-run summary counts.
+def test_migration_with_dry_run_includes_summary(monkeypatch):
+    import src.core.migration.dry_run_orchestrator as dry_run_module
+    from unittest.mock import MagicMock
+    _clear_assistant_state()
+    task_manager = _FakeTaskManager()
+    db = _FakeDb()
+
+    class _FakeDryRunService:
+        def run(self, selection, source_client, target_client, db_session):
+            return {
+                "summary": {
+                    "dashboards": {"create": 1, "update": 0, "delete": 0},
+                    "charts": {"create": 3, "update": 2, "delete": 1},
+                    "datasets": {"create": 0, "update": 1, "delete": 0}
+                }
+            }
+            
+    monkeypatch.setattr(dry_run_module, "MigrationDryRunService", _FakeDryRunService)
+    
+    import src.core.superset_client as superset_client_module
+    monkeypatch.setattr(superset_client_module, "SupersetClient", lambda env: MagicMock())
+
+    start = _run_async(
+        assistant_module.send_message(
+            request=assistant_module.AssistantMessageRequest(
+                message="миграция с dev на prod для дашборда 10 --dry-run"
+            ),
+            current_user=_admin_user(),
+            task_manager=task_manager,
+            config_manager=_FakeConfigManager(),
+            db=db,
+        )
+    )
+
+    assert start.state == "needs_confirmation"
+    assert "отчет dry-run: ВКЛ" in start.text
+    assert "Отчет dry-run:" in start.text
+    assert "создано новых объектов: 4" in start.text
+    assert "обновлено: 3" in start.text
+    assert "удалено: 1" in start.text
+# [/DEF:test_migration_with_dry_run_includes_summary:Function]
+# [/DEF:backend.src.api.routes.__tests__.test_assistant_api:Module]

backend/src/api/routes/__tests__/test_assistant_authz.py

@@ -0,0 +1,306 @@
+# [DEF:backend.src.api.routes.__tests__.test_assistant_authz:Module]
+# @TIER: STANDARD
+# @SEMANTICS: tests, assistant, authz, confirmation, rbac
+# @PURPOSE: Verify assistant confirmation ownership, expiration, and deny behavior for restricted users.
+# @LAYER: UI (API Tests)
+# @RELATION: DEPENDS_ON -> backend.src.api.routes.assistant
+# @INVARIANT: Security-sensitive flows fail closed for unauthorized actors.
+
+import os
+import asyncio
+from datetime import datetime, timedelta
+from types import SimpleNamespace
+
+import pytest
+from fastapi import HTTPException
+
+# Force isolated sqlite databases for test module before dependencies import.
+os.environ.setdefault("DATABASE_URL", "sqlite:////tmp/ss_tools_assistant_authz.db")
+os.environ.setdefault("TASKS_DATABASE_URL", "sqlite:////tmp/ss_tools_assistant_authz_tasks.db")
+os.environ.setdefault("AUTH_DATABASE_URL", "sqlite:////tmp/ss_tools_assistant_authz_auth.db")
+
+from src.api.routes import assistant as assistant_module
+from src.models.assistant import (
+    AssistantAuditRecord,
+    AssistantConfirmationRecord,
+    AssistantMessageRecord,
+)
+
+
+# [DEF:_run_async:Function]
+# @TIER: TRIVIAL
+# @PURPOSE: Execute async endpoint handler in synchronous test context.
+# @PRE: coroutine is awaitable endpoint invocation.
+# @POST: Returns coroutine result or raises propagated exception.
+def _run_async(coroutine):
+    return asyncio.run(coroutine)
+
+
+# [/DEF:_run_async:Function]
+# [DEF:_FakeTask:Class]
+# @TIER: TRIVIAL
+# @PURPOSE: Lightweight task model used for assistant authz tests.
+class _FakeTask:
+    def __init__(self, task_id: str, status: str = "RUNNING", user_id: str = "u-admin"):
+        self.id = task_id
+        self.status = status
+        self.user_id = user_id
+
+
+# [/DEF:_FakeTask:Class]
+# [DEF:_FakeTaskManager:Class]
+# @TIER: TRIVIAL
+# @PURPOSE: Minimal task manager for deterministic operation creation and lookup.
+class _FakeTaskManager:
+    def __init__(self):
+        self._created = []
+
+    async def create_task(self, plugin_id, params, user_id=None):
+        task_id = f"task-{len(self._created) + 1}"
+        task = _FakeTask(task_id=task_id, status="RUNNING", user_id=user_id)
+        self._created.append((plugin_id, params, user_id, task))
+        return task
+
+    def get_task(self, task_id):
+        for _, _, _, task in self._created:
+            if task.id == task_id:
+                return task
+        return None
+
+    def get_tasks(self, limit=20, offset=0):
+        return [x[3] for x in self._created][offset : offset + limit]
+
+
+# [/DEF:_FakeTaskManager:Class]
+# [DEF:_FakeConfigManager:Class]
+# @TIER: TRIVIAL
+# @PURPOSE: Provide deterministic environment aliases required by intent parsing.
+class _FakeConfigManager:
+    def get_environments(self):
+        return [
+            SimpleNamespace(id="dev", name="Development"),
+            SimpleNamespace(id="prod", name="Production"),
+        ]
+
+
+# [/DEF:_FakeConfigManager:Class]
+# [DEF:_admin_user:Function]
+# @TIER: TRIVIAL
+# @PURPOSE: Build admin principal fixture.
+# @PRE: Test requires privileged principal for risky operations.
+# @POST: Returns admin-like user stub with Admin role.
+def _admin_user():
+    role = SimpleNamespace(name="Admin", permissions=[])
+    return SimpleNamespace(id="u-admin", username="admin", roles=[role])
+
+
+# [/DEF:_admin_user:Function]
+# [DEF:_other_admin_user:Function]
+# @TIER: TRIVIAL
+# @PURPOSE: Build second admin principal fixture for ownership tests.
+# @PRE: Ownership mismatch scenario needs distinct authenticated actor.
+# @POST: Returns alternate admin-like user stub.
+def _other_admin_user():
+    role = SimpleNamespace(name="Admin", permissions=[])
+    return SimpleNamespace(id="u-admin-2", username="admin2", roles=[role])
+
+
+# [/DEF:_other_admin_user:Function]
+# [DEF:_limited_user:Function]
+# @TIER: TRIVIAL
+# @PURPOSE: Build limited principal without required assistant execution privileges.
+# @PRE: Permission denial scenario needs non-admin actor.
+# @POST: Returns restricted user stub.
+def _limited_user():
+    role = SimpleNamespace(name="Operator", permissions=[])
+    return SimpleNamespace(id="u-limited", username="limited", roles=[role])
+
+
+# [/DEF:_limited_user:Function]
+# [DEF:_FakeQuery:Class]
+# @TIER: TRIVIAL
+# @PURPOSE: Minimal chainable query object for fake DB interactions.
+class _FakeQuery:
+    def __init__(self, rows):
+        self._rows = list(rows)
+
+    def filter(self, *args, **kwargs):
+        return self
+
+    def order_by(self, *args, **kwargs):
+        return self
+
+    def first(self):
+        return self._rows[0] if self._rows else None
+
+    def all(self):
+        return list(self._rows)
+
+    def limit(self, limit):
+        self._rows = self._rows[:limit]
+        return self
+
+    def offset(self, offset):
+        self._rows = self._rows[offset:]
+        return self
+
+    def count(self):
+        return len(self._rows)
+
+
+# [/DEF:_FakeQuery:Class]
+# [DEF:_FakeDb:Class]
+# @TIER: TRIVIAL
+# @PURPOSE: In-memory session substitute for assistant route persistence calls.
+class _FakeDb:
+    def __init__(self):
+        self._messages = []
+        self._confirmations = []
+        self._audit = []
+
+    def add(self, row):
+        table = getattr(row, "__tablename__", "")
+        if table == "assistant_messages":
+            self._messages.append(row)
+        elif table == "assistant_confirmations":
+            self._confirmations.append(row)
+        elif table == "assistant_audit":
+            self._audit.append(row)
+
+    def merge(self, row):
+        if getattr(row, "__tablename__", "") != "assistant_confirmations":
+            self.add(row)
+            return row
+
+        for i, existing in enumerate(self._confirmations):
+            if getattr(existing, "id", None) == getattr(row, "id", None):
+                self._confirmations[i] = row
+                return row
+        self._confirmations.append(row)
+        return row
+
+    def query(self, model):
+        if model is AssistantMessageRecord:
+            return _FakeQuery(self._messages)
+        if model is AssistantConfirmationRecord:
+            return _FakeQuery(self._confirmations)
+        if model is AssistantAuditRecord:
+            return _FakeQuery(self._audit)
+        return _FakeQuery([])
+
+    def commit(self):
+        return None
+
+    def rollback(self):
+        return None
+
+
+# [/DEF:_FakeDb:Class]
+# [DEF:_clear_assistant_state:Function]
+# @TIER: TRIVIAL
+# @PURPOSE: Reset assistant process-local state between test cases.
+# @PRE: Assistant globals may contain state from prior tests.
+# @POST: Assistant in-memory state dictionaries are cleared.
+def _clear_assistant_state():
+    assistant_module.CONVERSATIONS.clear()
+    assistant_module.USER_ACTIVE_CONVERSATION.clear()
+    assistant_module.CONFIRMATIONS.clear()
+    assistant_module.ASSISTANT_AUDIT.clear()
+
+
+# [/DEF:_clear_assistant_state:Function]
+# [DEF:test_confirmation_owner_mismatch_returns_403:Function]
+# @PURPOSE: Confirm endpoint should reject requests from user that does not own the confirmation token.
+# @PRE: Confirmation token is created by first admin actor.
+# @POST: Second actor receives 403 on confirm operation.
+def test_confirmation_owner_mismatch_returns_403():
+    _clear_assistant_state()
+    task_manager = _FakeTaskManager()
+    db = _FakeDb()
+
+    create = _run_async(
+        assistant_module.send_message(
+            request=assistant_module.AssistantMessageRequest(
+                message="запусти миграцию с dev на prod для дашборда 18"
+            ),
+            current_user=_admin_user(),
+            task_manager=task_manager,
+            config_manager=_FakeConfigManager(),
+            db=db,
+        )
+    )
+    assert create.state == "needs_confirmation"
+
+    with pytest.raises(HTTPException) as exc:
+        _run_async(
+            assistant_module.confirm_operation(
+                confirmation_id=create.confirmation_id,
+                current_user=_other_admin_user(),
+                task_manager=task_manager,
+                config_manager=_FakeConfigManager(),
+                db=db,
+            )
+        )
+    assert exc.value.status_code == 403
+
+
+# [/DEF:test_confirmation_owner_mismatch_returns_403:Function]
+# [DEF:test_expired_confirmation_cannot_be_confirmed:Function]
+# @PURPOSE: Expired confirmation token should be rejected and not create task.
+# @PRE: Confirmation token exists and is manually expired before confirm request.
+# @POST: Confirm endpoint raises 400 and no task is created.
+def test_expired_confirmation_cannot_be_confirmed():
+    _clear_assistant_state()
+    task_manager = _FakeTaskManager()
+    db = _FakeDb()
+
+    create = _run_async(
+        assistant_module.send_message(
+            request=assistant_module.AssistantMessageRequest(
+                message="запусти миграцию с dev на prod для дашборда 19"
+            ),
+            current_user=_admin_user(),
+            task_manager=task_manager,
+            config_manager=_FakeConfigManager(),
+            db=db,
+        )
+    )
+    assistant_module.CONFIRMATIONS[create.confirmation_id].expires_at = datetime.utcnow() - timedelta(minutes=1)
+
+    with pytest.raises(HTTPException) as exc:
+        _run_async(
+            assistant_module.confirm_operation(
+                confirmation_id=create.confirmation_id,
+                current_user=_admin_user(),
+                task_manager=task_manager,
+                config_manager=_FakeConfigManager(),
+                db=db,
+            )
+        )
+    assert exc.value.status_code == 400
+    assert task_manager.get_tasks(limit=10, offset=0) == []
+
+
+# [/DEF:test_expired_confirmation_cannot_be_confirmed:Function]
+# [DEF:test_limited_user_cannot_launch_restricted_operation:Function]
+# @PURPOSE: Limited user should receive denied state for privileged operation.
+# @PRE: Restricted user attempts dangerous deploy command.
+# @POST: Assistant returns denied state and does not execute operation.
+def test_limited_user_cannot_launch_restricted_operation():
+    _clear_assistant_state()
+    response = _run_async(
+        assistant_module.send_message(
+            request=assistant_module.AssistantMessageRequest(
+                message="задеплой дашборд 88 в production"
+            ),
+            current_user=_limited_user(),
+            task_manager=_FakeTaskManager(),
+            config_manager=_FakeConfigManager(),
+            db=_FakeDb(),
+        )
+    )
+    assert response.state == "denied"
+
+
+# [/DEF:test_limited_user_cannot_launch_restricted_operation:Function]
+# [/DEF:backend.src.api.routes.__tests__.test_assistant_authz:Module]

backend/src/api/routes/__tests__/test_clean_release_api.py

@@ -0,0 +1,157 @@
+# [DEF:backend.tests.api.routes.test_clean_release_api:Module]
+# @TIER: STANDARD
+# @SEMANTICS: tests, api, clean-release, checks, reports
+# @PURPOSE: Contract tests for clean release checks and reports endpoints.
+# @LAYER: Domain
+# @RELATION: TESTS -> backend.src.api.routes.clean_release
+# @INVARIANT: API returns deterministic payload shapes for checks and reports.
+
+from datetime import datetime, timezone
+
+from fastapi.testclient import TestClient
+
+from src.app import app
+from src.dependencies import get_clean_release_repository
+from src.models.clean_release import (
+    CleanProfilePolicy,
+    ProfileType,
+    ReleaseCandidate,
+    ReleaseCandidateStatus,
+    ResourceSourceEntry,
+    ResourceSourceRegistry,
+    ComplianceReport,
+    CheckFinalStatus,
+)
+from src.services.clean_release.repository import CleanReleaseRepository
+
+
+def _repo_with_seed_data() -> CleanReleaseRepository:
+    repo = CleanReleaseRepository()
+    repo.save_candidate(
+        ReleaseCandidate(
+            candidate_id="2026.03.03-rc1",
+            version="2026.03.03",
+            profile=ProfileType.ENTERPRISE_CLEAN,
+            created_at=datetime.now(timezone.utc),
+            created_by="tester",
+            source_snapshot_ref="git:abc123",
+            status=ReleaseCandidateStatus.PREPARED,
+        )
+    )
+    repo.save_registry(
+        ResourceSourceRegistry(
+            registry_id="registry-internal-v1",
+            name="Internal",
+            entries=[
+                ResourceSourceEntry(
+                    source_id="src-1",
+                    host="repo.intra.company.local",
+                    protocol="https",
+                    purpose="artifact-repo",
+                    enabled=True,
+                )
+            ],
+            updated_at=datetime.now(timezone.utc),
+            updated_by="tester",
+            status="active",
+        )
+    )
+    repo.save_policy(
+        CleanProfilePolicy(
+            policy_id="policy-enterprise-clean-v1",
+            policy_version="1.0.0",
+            active=True,
+            prohibited_artifact_categories=["test-data"],
+            required_system_categories=["system-init"],
+            external_source_forbidden=True,
+            internal_source_registry_ref="registry-internal-v1",
+            effective_from=datetime.now(timezone.utc),
+            profile=ProfileType.ENTERPRISE_CLEAN,
+        )
+    )
+    return repo
+
+
+def test_start_check_and_get_status_contract():
+    repo = _repo_with_seed_data()
+    app.dependency_overrides[get_clean_release_repository] = lambda: repo
+    try:
+        client = TestClient(app)
+
+        start = client.post(
+            "/api/clean-release/checks",
+            json={
+                "candidate_id": "2026.03.03-rc1",
+                "profile": "enterprise-clean",
+                "execution_mode": "tui",
+                "triggered_by": "tester",
+            },
+        )
+        assert start.status_code == 202
+        payload = start.json()
+        assert set(["check_run_id", "candidate_id", "status", "started_at"]).issubset(payload.keys())
+
+        check_run_id = payload["check_run_id"]
+        status_resp = client.get(f"/api/clean-release/checks/{check_run_id}")
+        assert status_resp.status_code == 200
+        status_payload = status_resp.json()
+        assert status_payload["check_run_id"] == check_run_id
+        assert "final_status" in status_payload
+        assert "checks" in status_payload
+    finally:
+        app.dependency_overrides.clear()
+
+
+def test_get_report_not_found_returns_404():
+    repo = _repo_with_seed_data()
+    app.dependency_overrides[get_clean_release_repository] = lambda: repo
+    try:
+        client = TestClient(app)
+        resp = client.get("/api/clean-release/reports/unknown-report")
+        assert resp.status_code == 404
+    finally:
+        app.dependency_overrides.clear()
+
+def test_get_report_success():
+    repo = _repo_with_seed_data()
+    report = ComplianceReport(
+        report_id="rep-1",
+        check_run_id="run-1",
+        candidate_id="2026.03.03-rc1",
+        generated_at=datetime.now(timezone.utc),
+        final_status=CheckFinalStatus.COMPLIANT,
+        operator_summary="all systems go",
+        structured_payload_ref="manifest-1",
+        violations_count=0,
+        blocking_violations_count=0
+    )
+    repo.save_report(report)
+    app.dependency_overrides[get_clean_release_repository] = lambda: repo
+    try:
+        client = TestClient(app)
+        resp = client.get("/api/clean-release/reports/rep-1")
+        assert resp.status_code == 200
+        assert resp.json()["report_id"] == "rep-1"
+    finally:
+        app.dependency_overrides.clear()
+
+def test_prepare_candidate_api_success():
+    repo = _repo_with_seed_data()
+    app.dependency_overrides[get_clean_release_repository] = lambda: repo
+    try:
+        client = TestClient(app)
+        response = client.post(
+            "/api/clean-release/candidates/prepare",
+            json={
+                "candidate_id": "2026.03.03-rc1",
+                "artifacts": [{"path": "file1.txt", "category": "system-init", "reason": "core"}],
+                "sources": ["repo.intra.company.local"],
+                "operator_id": "operator-1",
+            },
+        )
+        assert response.status_code == 200
+        data = response.json()
+        assert data["status"] == "prepared"
+        assert "manifest_id" in data
+    finally:
+        app.dependency_overrides.clear()

backend/src/api/routes/__tests__/test_clean_release_legacy_compat.py

@@ -0,0 +1,165 @@
+# [DEF:backend.src.api.routes.__tests__.test_clean_release_legacy_compat:Module]
+# @TIER: STANDARD
+# @PURPOSE: Compatibility tests for legacy clean-release API paths retained during v2 migration.
+# @LAYER: Tests
+# @RELATION: TESTS -> backend.src.api.routes.clean_release
+
+from __future__ import annotations
+
+import os
+from datetime import datetime, timezone
+
+from fastapi.testclient import TestClient
+
+os.environ.setdefault("DATABASE_URL", "sqlite:///./test_clean_release_legacy_compat.db")
+os.environ.setdefault("AUTH_DATABASE_URL", "sqlite:///./test_clean_release_legacy_auth.db")
+
+from src.app import app
+from src.dependencies import get_clean_release_repository
+from src.models.clean_release import (
+    CleanProfilePolicy,
+    DistributionManifest,
+    ProfileType,
+    ReleaseCandidate,
+    ReleaseCandidateStatus,
+    ResourceSourceEntry,
+    ResourceSourceRegistry,
+)
+from src.services.clean_release.repository import CleanReleaseRepository
+
+
+# [DEF:_seed_legacy_repo:Function]
+# @PURPOSE: Seed in-memory repository with minimum trusted data for legacy endpoint contracts.
+# @PRE: Repository is empty.
+# @POST: Candidate, policy, registry and manifest are available for legacy checks flow.
+def _seed_legacy_repo() -> CleanReleaseRepository:
+    repo = CleanReleaseRepository()
+    now = datetime.now(timezone.utc)
+
+    repo.save_candidate(
+        ReleaseCandidate(
+            id="legacy-rc-001",
+            version="1.0.0",
+            source_snapshot_ref="git:legacy-001",
+            created_at=now,
+            created_by="compat-tester",
+            status=ReleaseCandidateStatus.DRAFT,
+        )
+    )
+
+    registry = ResourceSourceRegistry(
+        registry_id="legacy-reg-1",
+        name="Legacy Internal Registry",
+        entries=[
+            ResourceSourceEntry(
+                source_id="legacy-src-1",
+                host="repo.intra.company.local",
+                protocol="https",
+                purpose="artifact-repo",
+                enabled=True,
+            )
+        ],
+        updated_at=now,
+        updated_by="compat-tester",
+        status="ACTIVE",
+    )
+    setattr(registry, "immutable", True)
+    setattr(registry, "allowed_hosts", ["repo.intra.company.local"])
+    setattr(registry, "allowed_schemes", ["https"])
+    setattr(registry, "allowed_source_types", ["artifact-repo"])
+    repo.save_registry(registry)
+
+    policy = CleanProfilePolicy(
+        policy_id="legacy-pol-1",
+        policy_version="1.0.0",
+        profile=ProfileType.ENTERPRISE_CLEAN,
+        active=True,
+        internal_source_registry_ref="legacy-reg-1",
+        prohibited_artifact_categories=["test-data"],
+        required_system_categories=["core"],
+        effective_from=now,
+    )
+    setattr(policy, "immutable", True)
+    setattr(
+        policy,
+        "content_json",
+        {
+            "profile": "enterprise-clean",
+            "prohibited_artifact_categories": ["test-data"],
+            "required_system_categories": ["core"],
+            "external_source_forbidden": True,
+        },
+    )
+    repo.save_policy(policy)
+
+    repo.save_manifest(
+        DistributionManifest(
+            id="legacy-manifest-1",
+            candidate_id="legacy-rc-001",
+            manifest_version=1,
+            manifest_digest="sha256:legacy-manifest",
+            artifacts_digest="sha256:legacy-artifacts",
+            created_at=now,
+            created_by="compat-tester",
+            source_snapshot_ref="git:legacy-001",
+            content_json={"items": [], "summary": {"included_count": 0, "prohibited_detected_count": 0}},
+            immutable=True,
+        )
+    )
+
+    return repo
+# [/DEF:_seed_legacy_repo:Function]
+
+
+def test_legacy_prepare_endpoint_still_available() -> None:
+    repo = _seed_legacy_repo()
+    app.dependency_overrides[get_clean_release_repository] = lambda: repo
+    try:
+        client = TestClient(app)
+        response = client.post(
+            "/api/clean-release/candidates/prepare",
+            json={
+                "candidate_id": "legacy-rc-001",
+                "artifacts": [{"path": "src/main.py", "category": "core", "reason": "required"}],
+                "sources": ["repo.intra.company.local"],
+                "operator_id": "compat-tester",
+            },
+        )
+        assert response.status_code == 200
+        payload = response.json()
+        assert "status" in payload
+        assert payload["status"] in {"prepared", "blocked", "PREPARED", "BLOCKED"}
+    finally:
+        app.dependency_overrides.clear()
+
+
+def test_legacy_checks_endpoints_still_available() -> None:
+    repo = _seed_legacy_repo()
+    app.dependency_overrides[get_clean_release_repository] = lambda: repo
+    try:
+        client = TestClient(app)
+        start_response = client.post(
+            "/api/clean-release/checks",
+            json={
+                "candidate_id": "legacy-rc-001",
+                "profile": "enterprise-clean",
+                "execution_mode": "api",
+                "triggered_by": "compat-tester",
+            },
+        )
+        assert start_response.status_code == 202
+        start_payload = start_response.json()
+        assert "check_run_id" in start_payload
+        assert start_payload["candidate_id"] == "legacy-rc-001"
+
+        status_response = client.get(f"/api/clean-release/checks/{start_payload['check_run_id']}")
+        assert status_response.status_code == 200
+        status_payload = status_response.json()
+        assert status_payload["check_run_id"] == start_payload["check_run_id"]
+        assert "final_status" in status_payload
+        assert "checks" in status_payload
+    finally:
+        app.dependency_overrides.clear()
+
+
+# [/DEF:backend.src.api.routes.__tests__.test_clean_release_legacy_compat:Module]

backend/src/api/routes/__tests__/test_clean_release_source_policy.py

@@ -0,0 +1,97 @@
+# [DEF:backend.tests.api.routes.test_clean_release_source_policy:Module]
+# @TIER: STANDARD
+# @SEMANTICS: tests, api, clean-release, source-policy
+# @PURPOSE: Validate API behavior for source isolation violations in clean release preparation.
+# @LAYER: Domain
+# @RELATION: TESTS -> backend.src.api.routes.clean_release
+# @INVARIANT: External endpoints must produce blocking violation entries.
+
+from datetime import datetime, timezone
+from fastapi.testclient import TestClient
+
+from src.app import app
+from src.dependencies import get_clean_release_repository
+from src.models.clean_release import (
+    CleanProfilePolicy,
+    ProfileType,
+    ReleaseCandidate,
+    ReleaseCandidateStatus,
+    ResourceSourceEntry,
+    ResourceSourceRegistry,
+)
+from src.services.clean_release.repository import CleanReleaseRepository
+
+
+def _repo_with_seed_data() -> CleanReleaseRepository:
+    repo = CleanReleaseRepository()
+
+    repo.save_candidate(
+        ReleaseCandidate(
+            candidate_id="2026.03.03-rc1",
+            version="2026.03.03",
+            profile=ProfileType.ENTERPRISE_CLEAN,
+            created_at=datetime.now(timezone.utc),
+            created_by="tester",
+            source_snapshot_ref="git:abc123",
+            status=ReleaseCandidateStatus.DRAFT,
+        )
+    )
+
+    repo.save_registry(
+        ResourceSourceRegistry(
+            registry_id="registry-internal-v1",
+            name="Internal",
+            entries=[
+                ResourceSourceEntry(
+                    source_id="src-1",
+                    host="repo.intra.company.local",
+                    protocol="https",
+                    purpose="artifact-repo",
+                    enabled=True,
+                )
+            ],
+            updated_at=datetime.now(timezone.utc),
+            updated_by="tester",
+            status="active",
+        )
+    )
+
+    repo.save_policy(
+        CleanProfilePolicy(
+            policy_id="policy-enterprise-clean-v1",
+            policy_version="1.0.0",
+            active=True,
+            prohibited_artifact_categories=["test-data"],
+            required_system_categories=["system-init"],
+            external_source_forbidden=True,
+            internal_source_registry_ref="registry-internal-v1",
+            effective_from=datetime.now(timezone.utc),
+            profile=ProfileType.ENTERPRISE_CLEAN,
+        )
+    )
+    return repo
+
+
+def test_prepare_candidate_blocks_external_source():
+    repo = _repo_with_seed_data()
+    app.dependency_overrides[get_clean_release_repository] = lambda: repo
+
+    try:
+        client = TestClient(app)
+        response = client.post(
+            "/api/clean-release/candidates/prepare",
+            json={
+                "candidate_id": "2026.03.03-rc1",
+                "artifacts": [
+                    {"path": "cfg/system.yaml", "category": "system-init", "reason": "required"}
+                ],
+                "sources": ["repo.intra.company.local", "pypi.org"],
+                "operator_id": "release-manager",
+            },
+        )
+        assert response.status_code == 200
+        data = response.json()
+        assert data["status"] == "blocked"
+        assert any(v["category"] == "external-source" for v in data["violations"])
+    finally:
+        app.dependency_overrides.clear()

backend/src/api/routes/__tests__/test_clean_release_v2_api.py

@@ -0,0 +1,93 @@
+# [DEF:test_clean_release_v2_api:Module]
+# @TIER: STANDARD
+# @PURPOSE: API contract tests for redesigned clean release endpoints.
+# @LAYER: Domain
+
+from datetime import datetime, timezone
+from types import SimpleNamespace
+from uuid import uuid4
+
+import pytest
+from fastapi.testclient import TestClient
+
+from src.app import app
+from src.dependencies import get_clean_release_repository, get_config_manager
+from src.models.clean_release import (
+    CleanPolicySnapshot,
+    DistributionManifest,
+    ReleaseCandidate,
+    SourceRegistrySnapshot,
+)
+from src.services.clean_release.enums import CandidateStatus
+
+client = TestClient(app)
+
+# [REASON] Implementing API contract tests for candidate/artifact/manifest endpoints (T012).
+def test_candidate_registration_contract():
+    """
+    @TEST_SCENARIO: candidate_registration -> Should return 201 and candidate DTO.
+    @TEST_CONTRACT: POST /api/v2/clean-release/candidates -> CandidateDTO
+    """
+    payload = {
+        "id": "rc-test-001",
+        "version": "1.0.0",
+        "source_snapshot_ref": "git:sha123",
+        "created_by": "test-user"
+    }
+    response = client.post("/api/v2/clean-release/candidates", json=payload)
+    assert response.status_code == 201
+    data = response.json()
+    assert data["id"] == "rc-test-001"
+    assert data["status"] == CandidateStatus.DRAFT.value
+
+def test_artifact_import_contract():
+    """
+    @TEST_SCENARIO: artifact_import -> Should return 200 and success status.
+    @TEST_CONTRACT: POST /api/v2/clean-release/candidates/{id}/artifacts -> SuccessDTO
+    """
+    candidate_id = "rc-test-001-art"
+    bootstrap_candidate = {
+        "id": candidate_id,
+        "version": "1.0.0",
+        "source_snapshot_ref": "git:sha123",
+        "created_by": "test-user"
+    }
+    create_response = client.post("/api/v2/clean-release/candidates", json=bootstrap_candidate)
+    assert create_response.status_code == 201
+
+    payload = {
+        "artifacts": [
+            {
+                "id": "art-1",
+                "path": "bin/app.exe",
+                "sha256": "hash123",
+                "size": 1024
+            }
+        ]
+    }
+    response = client.post(f"/api/v2/clean-release/candidates/{candidate_id}/artifacts", json=payload)
+    assert response.status_code == 200
+    assert response.json()["status"] == "success"
+
+def test_manifest_build_contract():
+    """
+    @TEST_SCENARIO: manifest_build -> Should return 201 and manifest DTO.
+    @TEST_CONTRACT: POST /api/v2/clean-release/candidates/{id}/manifests -> ManifestDTO
+    """
+    candidate_id = "rc-test-001-manifest"
+    bootstrap_candidate = {
+        "id": candidate_id,
+        "version": "1.0.0",
+        "source_snapshot_ref": "git:sha123",
+        "created_by": "test-user"
+    }
+    create_response = client.post("/api/v2/clean-release/candidates", json=bootstrap_candidate)
+    assert create_response.status_code == 201
+
+    response = client.post(f"/api/v2/clean-release/candidates/{candidate_id}/manifests")
+    assert response.status_code == 201
+    data = response.json()
+    assert "manifest_digest" in data
+    assert data["candidate_id"] == candidate_id
+
+# [/DEF:test_clean_release_v2_api:Module]

backend/src/api/routes/__tests__/test_clean_release_v2_release_api.py

@@ -0,0 +1,107 @@
+# [DEF:test_clean_release_v2_release_api:Module]
+# @TIER: STANDARD
+# @PURPOSE: API contract test scaffolding for clean release approval and publication endpoints.
+# @LAYER: Domain
+# @RELATION: IMPLEMENTS -> clean_release_v2_release_api_contracts
+
+"""Contract tests for redesigned approval/publication API endpoints."""
+
+from datetime import datetime, timezone
+from uuid import uuid4
+
+from fastapi import FastAPI
+from fastapi.testclient import TestClient
+
+from src.api.routes.clean_release_v2 import router as clean_release_v2_router
+from src.dependencies import get_clean_release_repository
+from src.models.clean_release import ComplianceReport, ReleaseCandidate
+from src.services.clean_release.enums import CandidateStatus, ComplianceDecision
+
+
+test_app = FastAPI()
+test_app.include_router(clean_release_v2_router)
+client = TestClient(test_app)
+
+
+def _seed_candidate_and_passed_report() -> tuple[str, str]:
+    repository = get_clean_release_repository()
+    candidate_id = f"api-release-candidate-{uuid4()}"
+    report_id = f"api-release-report-{uuid4()}"
+
+    repository.save_candidate(
+        ReleaseCandidate(
+            id=candidate_id,
+            version="1.0.0",
+            source_snapshot_ref="git:sha-api-release",
+            created_by="api-test",
+            created_at=datetime.now(timezone.utc),
+            status=CandidateStatus.CHECK_PASSED.value,
+        )
+    )
+    repository.save_report(
+        ComplianceReport(
+            id=report_id,
+            run_id=f"run-{uuid4()}",
+            candidate_id=candidate_id,
+            final_status=ComplianceDecision.PASSED.value,
+            summary_json={"operator_summary": "ok", "violations_count": 0, "blocking_violations_count": 0},
+            generated_at=datetime.now(timezone.utc),
+            immutable=True,
+        )
+    )
+    return candidate_id, report_id
+
+
+def test_release_approve_and_publish_revoke_contract() -> None:
+    """Contract for approve -> publish -> revoke lifecycle endpoints."""
+    candidate_id, report_id = _seed_candidate_and_passed_report()
+
+    approve_response = client.post(
+        f"/api/v2/clean-release/candidates/{candidate_id}/approve",
+        json={"report_id": report_id, "decided_by": "api-test", "comment": "approved"},
+    )
+    assert approve_response.status_code == 200
+    approve_payload = approve_response.json()
+    assert approve_payload["status"] == "ok"
+    assert approve_payload["decision"] == "APPROVED"
+
+    publish_response = client.post(
+        f"/api/v2/clean-release/candidates/{candidate_id}/publish",
+        json={
+            "report_id": report_id,
+            "published_by": "api-test",
+            "target_channel": "stable",
+            "publication_ref": "rel-api-001",
+        },
+    )
+    assert publish_response.status_code == 200
+    publish_payload = publish_response.json()
+    assert publish_payload["status"] == "ok"
+    assert publish_payload["publication"]["status"] == "ACTIVE"
+
+    publication_id = publish_payload["publication"]["id"]
+    revoke_response = client.post(
+        f"/api/v2/clean-release/publications/{publication_id}/revoke",
+        json={"revoked_by": "api-test", "comment": "rollback"},
+    )
+    assert revoke_response.status_code == 200
+    revoke_payload = revoke_response.json()
+    assert revoke_payload["status"] == "ok"
+    assert revoke_payload["publication"]["status"] == "REVOKED"
+
+
+def test_release_reject_contract() -> None:
+    """Contract for reject endpoint."""
+    candidate_id, report_id = _seed_candidate_and_passed_report()
+
+    reject_response = client.post(
+        f"/api/v2/clean-release/candidates/{candidate_id}/reject",
+        json={"report_id": report_id, "decided_by": "api-test", "comment": "rejected"},
+    )
+    assert reject_response.status_code == 200
+    payload = reject_response.json()
+    assert payload["status"] == "ok"
+    assert payload["decision"] == "REJECTED"
+
+
+# [/DEF:test_clean_release_v2_release_api:Module]

backend/src/api/routes/__tests__/test_datasets.py

@@ -11,6 +11,41 @@ from unittest.mock import MagicMock, patch, AsyncMock
 from fastapi.testclient import TestClient
 from src.app import app
 from src.api.routes.datasets import DatasetsResponse, DatasetDetailResponse
+from src.dependencies import get_current_user, has_permission, get_config_manager, get_task_manager, get_resource_service, get_mapping_service
+
+# Global mock user for get_current_user dependency overrides
+mock_user = MagicMock()
+mock_user.username = "testuser"
+mock_user.roles = []
+admin_role = MagicMock()
+admin_role.name = "Admin"
+mock_user.roles.append(admin_role)
+
+@pytest.fixture(autouse=True)
+def mock_deps():
+    config_manager = MagicMock()
+    task_manager = MagicMock()
+    resource_service = MagicMock()
+    mapping_service = MagicMock()
+    
+    app.dependency_overrides[get_config_manager] = lambda: config_manager
+    app.dependency_overrides[get_task_manager] = lambda: task_manager
+    app.dependency_overrides[get_resource_service] = lambda: resource_service
+    app.dependency_overrides[get_mapping_service] = lambda: mapping_service
+    app.dependency_overrides[get_current_user] = lambda: mock_user
+    
+    app.dependency_overrides[has_permission("plugin:migration", "READ")] = lambda: mock_user
+    app.dependency_overrides[has_permission("plugin:migration", "EXECUTE")] = lambda: mock_user
+    app.dependency_overrides[has_permission("plugin:backup", "EXECUTE")] = lambda: mock_user
+    app.dependency_overrides[has_permission("tasks", "READ")] = lambda: mock_user
+    
+    yield {
+        "config": config_manager,
+        "task": task_manager,
+        "resource": resource_service,
+        "mapping": mapping_service
+    }
+    app.dependency_overrides.clear()
 
 client = TestClient(app)
 
@@ -20,41 +55,34 @@ client = TestClient(app)
 # @TEST: GET /api/datasets returns 200 and valid schema
 # @PRE: env_id exists
 # @POST: Response matches DatasetsResponse schema
-def test_get_datasets_success():
-    with patch("src.api.routes.datasets.get_config_manager") as mock_config, \
-         patch("src.api.routes.datasets.get_resource_service") as mock_service, \
-         patch("src.api.routes.datasets.has_permission") as mock_perm:
-        
-        # Mock environment
-        mock_env = MagicMock()
-        mock_env.id = "prod"
-        mock_config.return_value.get_environments.return_value = [mock_env]
-        
-        # Mock resource service response
-        mock_service.return_value.get_datasets_with_status.return_value = AsyncMock()(
-            return_value=[
-                {
-                    "id": 1,
-                    "table_name": "sales_data",
-                    "schema": "public",
-                    "database": "sales_db",
-                    "mapped_fields": {"total": 10, "mapped": 5},
-                    "last_task": {"task_id": "task-1", "status": "SUCCESS"}
-                }
-            ]
-        )
-        
-        # Mock permission
-        mock_perm.return_value = lambda: True
+def test_get_datasets_success(mock_deps):
+    # Mock environment
+    mock_env = MagicMock()
+    mock_env.id = "prod"
+    mock_deps["config"].get_environments.return_value = [mock_env]
+    
+    # Mock resource service response
+    mock_deps["resource"].get_datasets_with_status = AsyncMock(
+        return_value=[
+            {
+                "id": 1,
+                "table_name": "sales_data",
+                "schema": "public",
+                "database": "sales_db",
+                "mapped_fields": {"total": 10, "mapped": 5},
+                "last_task": {"task_id": "task-1", "status": "SUCCESS"}
+            }
+        ]
+    )
 
-        response = client.get("/api/datasets?env_id=prod")
-        
-        assert response.status_code == 200
-        data = response.json()
-        assert "datasets" in data
-        assert len(data["datasets"]) >= 0
-        # Validate against Pydantic model
-        DatasetsResponse(**data)
+    response = client.get("/api/datasets?env_id=prod")
+    
+    assert response.status_code == 200
+    data = response.json()
+    assert "datasets" in data
+    assert len(data["datasets"]) >= 0
+    # Validate against Pydantic model
+    DatasetsResponse(**data)
 
 
 # [/DEF:test_get_datasets_success:Function]
@@ -64,17 +92,13 @@ def test_get_datasets_success():
 # @TEST: GET /api/datasets returns 404 if env_id missing
 # @PRE: env_id does not exist
 # @POST: Returns 404 error
-def test_get_datasets_env_not_found():
-    with patch("src.api.routes.datasets.get_config_manager") as mock_config, \
-         patch("src.api.routes.datasets.has_permission") as mock_perm:
-        
-        mock_config.return_value.get_environments.return_value = []
-        mock_perm.return_value = lambda: True
+def test_get_datasets_env_not_found(mock_deps):
+    mock_deps["config"].get_environments.return_value = []
 
-        response = client.get("/api/datasets?env_id=nonexistent")
-        
-        assert response.status_code == 404
-        assert "Environment not found" in response.json()["detail"]
+    response = client.get("/api/datasets?env_id=nonexistent")
+    
+    assert response.status_code == 404
+    assert "Environment not found" in response.json()["detail"]
 
 
 # [/DEF:test_get_datasets_env_not_found:Function]
@@ -84,24 +108,25 @@ def test_get_datasets_env_not_found():
 # @TEST: GET /api/datasets returns 400 for invalid page/page_size
 # @PRE: page < 1 or page_size > 100
 # @POST: Returns 400 error
-def test_get_datasets_invalid_pagination():
-    with patch("src.api.routes.datasets.get_config_manager") as mock_config, \
-         patch("src.api.routes.datasets.has_permission") as mock_perm:
-        
-        mock_env = MagicMock()
-        mock_env.id = "prod"
-        mock_config.return_value.get_environments.return_value = [mock_env]
-        mock_perm.return_value = lambda: True
+def test_get_datasets_invalid_pagination(mock_deps):
+    mock_env = MagicMock()
+    mock_env.id = "prod"
+    mock_deps["config"].get_environments.return_value = [mock_env]
 
-        # Invalid page
-        response = client.get("/api/datasets?env_id=prod&page=0")
-        assert response.status_code == 400
-        assert "Page must be >= 1" in response.json()["detail"]
-        
-        # Invalid page_size
-        response = client.get("/api/datasets?env_id=prod&page_size=0")
-        assert response.status_code == 400
-        assert "Page size must be between 1 and 100" in response.json()["detail"]
+    # Invalid page
+    response = client.get("/api/datasets?env_id=prod&page=0")
+    assert response.status_code == 400
+    assert "Page must be >= 1" in response.json()["detail"]
+    
+    # Invalid page_size (too small)
+    response = client.get("/api/datasets?env_id=prod&page_size=0")
+    assert response.status_code == 400
+    assert "Page size must be between 1 and 100" in response.json()["detail"]
+
+    # @TEST_EDGE: page_size > 100 exceeds max
+    response = client.get("/api/datasets?env_id=prod&page_size=101")
+    assert response.status_code == 400
+    assert "Page size must be between 1 and 100" in response.json()["detail"]
 
 
 # [/DEF:test_get_datasets_invalid_pagination:Function]
@@ -111,36 +136,31 @@ def test_get_datasets_invalid_pagination():
 # @TEST: POST /api/datasets/map-columns creates mapping task
 # @PRE: Valid env_id, dataset_ids, source_type
 # @POST: Returns task_id
-def test_map_columns_success():
-    with patch("src.api.routes.datasets.get_config_manager") as mock_config, \
-         patch("src.api.routes.datasets.get_task_manager") as mock_task_mgr, \
-         patch("src.api.routes.datasets.has_permission") as mock_perm:
-        
-        # Mock environment
-        mock_env = MagicMock()
-        mock_env.id = "prod"
-        mock_config.return_value.get_environments.return_value = [mock_env]
-        
-        # Mock task manager
-        mock_task = MagicMock()
-        mock_task.id = "task-123"
-        mock_task_mgr.return_value.create_task = AsyncMock(return_value=mock_task)
-        
-        # Mock permission
-        mock_perm.return_value = lambda: True
+def test_map_columns_success(mock_deps):
+    # Mock environment
+    mock_env = MagicMock()
+    mock_env.id = "prod"
+    mock_deps["config"].get_environments.return_value = [mock_env]
+    
+    # Mock task manager
+    mock_task = MagicMock()
+    mock_task.id = "task-123"
+    mock_deps["task"].create_task = AsyncMock(return_value=mock_task)
 
-        response = client.post(
-            "/api/datasets/map-columns",
-            json={
-                "env_id": "prod",
-                "dataset_ids": [1, 2, 3],
-                "source_type": "postgresql"
-            }
-        )
-        
-        assert response.status_code == 200
-        data = response.json()
-        assert "task_id" in data
+    response = client.post(
+        "/api/datasets/map-columns",
+        json={
+            "env_id": "prod",
+            "dataset_ids": [1, 2, 3],
+            "source_type": "postgresql"
+        }
+    )
+    
+    assert response.status_code == 200
+    data = response.json()
+    assert "task_id" in data
+    # @POST/@SIDE_EFFECT: create_task was called
+    mock_deps["task"].create_task.assert_called_once()
 
 
 # [/DEF:test_map_columns_success:Function]
@@ -150,21 +170,18 @@ def test_map_columns_success():
 # @TEST: POST /api/datasets/map-columns returns 400 for invalid source_type
 # @PRE: source_type is not 'postgresql' or 'xlsx'
 # @POST: Returns 400 error
-def test_map_columns_invalid_source_type():
-    with patch("src.api.routes.datasets.has_permission") as mock_perm:
-        mock_perm.return_value = lambda: True
-
-        response = client.post(
-            "/api/datasets/map-columns",
-            json={
-                "env_id": "prod",
-                "dataset_ids": [1],
-                "source_type": "invalid"
-            }
-        )
-        
-        assert response.status_code == 400
-        assert "Source type must be 'postgresql' or 'xlsx'" in response.json()["detail"]
+def test_map_columns_invalid_source_type(mock_deps):
+    response = client.post(
+        "/api/datasets/map-columns",
+        json={
+            "env_id": "prod",
+            "dataset_ids": [1],
+            "source_type": "invalid"
+        }
+    )
+    
+    assert response.status_code == 400
+    assert "Source type must be 'postgresql' or 'xlsx'" in response.json()["detail"]
 
 
 # [/DEF:test_map_columns_invalid_source_type:Function]
@@ -174,39 +191,110 @@ def test_map_columns_invalid_source_type():
 # @TEST: POST /api/datasets/generate-docs creates doc generation task
 # @PRE: Valid env_id, dataset_ids, llm_provider
 # @POST: Returns task_id
-def test_generate_docs_success():
-    with patch("src.api.routes.datasets.get_config_manager") as mock_config, \
-         patch("src.api.routes.datasets.get_task_manager") as mock_task_mgr, \
-         patch("src.api.routes.datasets.has_permission") as mock_perm:
-        
-        # Mock environment
-        mock_env = MagicMock()
-        mock_env.id = "prod"
-        mock_config.return_value.get_environments.return_value = [mock_env]
-        
-        # Mock task manager
-        mock_task = MagicMock()
-        mock_task.id = "task-456"
-        mock_task_mgr.return_value.create_task = AsyncMock(return_value=mock_task)
-        
-        # Mock permission
-        mock_perm.return_value = lambda: True
+def test_generate_docs_success(mock_deps):
+    # Mock environment
+    mock_env = MagicMock()
+    mock_env.id = "prod"
+    mock_deps["config"].get_environments.return_value = [mock_env]
+    
+    # Mock task manager
+    mock_task = MagicMock()
+    mock_task.id = "task-456"
+    mock_deps["task"].create_task = AsyncMock(return_value=mock_task)
 
-        response = client.post(
-            "/api/datasets/generate-docs",
-            json={
-                "env_id": "prod",
-                "dataset_ids": [1],
-                "llm_provider": "openai"
-            }
-        )
-        
-        assert response.status_code == 200
-        data = response.json()
-        assert "task_id" in data
+    response = client.post(
+        "/api/datasets/generate-docs",
+        json={
+            "env_id": "prod",
+            "dataset_ids": [1],
+            "llm_provider": "openai"
+        }
+    )
+    
+    assert response.status_code == 200
+    data = response.json()
+    assert "task_id" in data
+    # @POST/@SIDE_EFFECT: create_task was called
+    mock_deps["task"].create_task.assert_called_once()
 
 
 # [/DEF:test_generate_docs_success:Function]
 
 
+# [DEF:test_map_columns_empty_ids:Function]
+# @TEST: POST /api/datasets/map-columns returns 400 for empty dataset_ids
+# @PRE: dataset_ids is empty
+# @POST: Returns 400 error
+def test_map_columns_empty_ids(mock_deps):
+    """@PRE: dataset_ids must be non-empty."""
+    response = client.post(
+        "/api/datasets/map-columns",
+        json={
+            "env_id": "prod",
+            "dataset_ids": [],
+            "source_type": "postgresql"
+        }
+    )
+    assert response.status_code == 400
+    assert "At least one dataset ID must be provided" in response.json()["detail"]
+# [/DEF:test_map_columns_empty_ids:Function]
+
+
+# [DEF:test_generate_docs_empty_ids:Function]
+# @TEST: POST /api/datasets/generate-docs returns 400 for empty dataset_ids
+# @PRE: dataset_ids is empty
+# @POST: Returns 400 error
+def test_generate_docs_empty_ids(mock_deps):
+    """@PRE: dataset_ids must be non-empty."""
+    response = client.post(
+        "/api/datasets/generate-docs",
+        json={
+            "env_id": "prod",
+            "dataset_ids": [],
+            "llm_provider": "openai"
+        }
+    )
+    assert response.status_code == 400
+    assert "At least one dataset ID must be provided" in response.json()["detail"]
+# [/DEF:test_generate_docs_empty_ids:Function]
+
+
+# [DEF:test_generate_docs_env_not_found:Function]
+# @TEST: POST /api/datasets/generate-docs returns 404 for missing env
+# @PRE: env_id does not exist
+# @POST: Returns 404 error
+def test_generate_docs_env_not_found(mock_deps):
+    """@PRE: env_id must be a valid environment."""
+    mock_deps["config"].get_environments.return_value = []
+    response = client.post(
+        "/api/datasets/generate-docs",
+        json={
+            "env_id": "ghost",
+            "dataset_ids": [1],
+            "llm_provider": "openai"
+        }
+    )
+    assert response.status_code == 404
+    assert "Environment not found" in response.json()["detail"]
+# [/DEF:test_generate_docs_env_not_found:Function]
+
+
+# [DEF:test_get_datasets_superset_failure:Function]
+# @TEST_EDGE: external_superset_failure -> {status: 503}
+def test_get_datasets_superset_failure(mock_deps):
+    """@TEST_EDGE: external_superset_failure -> {status: 503}"""
+    mock_env = MagicMock()
+    mock_env.id = "bad_conn"
+    mock_deps["config"].get_environments.return_value = [mock_env]
+    mock_deps["task"].get_all_tasks.return_value = []
+    mock_deps["resource"].get_datasets_with_status = AsyncMock(
+        side_effect=Exception("Connection refused")
+    )
+
+    response = client.get("/api/datasets?env_id=bad_conn")
+    assert response.status_code == 503
+    assert "Failed to fetch datasets" in response.json()["detail"]
+# [/DEF:test_get_datasets_superset_failure:Function]
+
+
 # [/DEF:backend.src.api.routes.__tests__.test_datasets:Module]

backend/src/api/routes/__tests__/test_git_api.py

@@ -0,0 +1,310 @@
+# [DEF:backend.src.api.routes.__tests__.test_git_api:Module]
+# @RELATION: VERIFIES -> src.api.routes.git
+# @PURPOSE: API tests for Git configurations and repository operations.
+
+import pytest
+import asyncio
+from unittest.mock import MagicMock
+from fastapi import HTTPException
+from src.api.routes import git as git_routes
+from src.models.git import GitServerConfig, GitProvider, GitStatus, GitRepository
+
+class DbMock:
+    def __init__(self, data=None):
+        self._data = data or []
+        self._deleted = []
+        self._added = []
+
+    def query(self, model):
+        self._model = model
+        return self
+
+    def filter(self, condition):
+        # Simplistic mocking for tests, assuming equality checks
+        for item in self._data:
+            # We assume condition is an equality expression like GitServerConfig.id == "123"
+            # It's hard to eval the condition exactly in a mock without complex parsing,
+            # so we'll just return items where type matches.
+            pass
+        return self
+
+    def first(self):
+        for item in self._data:
+            if hasattr(self, "_model") and isinstance(item, self._model):
+                return item
+        return None
+
+    def all(self):
+        return self._data
+
+    def add(self, item):
+        self._added.append(item)
+        if not hasattr(item, "id") or not item.id:
+            item.id = "mocked-id"
+        self._data.append(item)
+
+    def delete(self, item):
+        self._deleted.append(item)
+        if item in self._data:
+            self._data.remove(item)
+
+    def commit(self):
+        pass
+
+    def refresh(self, item):
+        if not hasattr(item, "status"):
+            item.status = GitStatus.CONNECTED
+        if not hasattr(item, "last_validated"):
+            item.last_validated = "2026-03-08T00:00:00Z"
+
+def test_get_git_configs_masks_pat():
+    """
+    @PRE: Database session `db` is available.
+    @POST: Returns a list of all GitServerConfig objects from the database with PAT masked.
+    """
+    db = DbMock([GitServerConfig(
+        id="config-1", name="Test Server", provider=GitProvider.GITHUB,
+        url="https://github.com", pat="secret-token",
+        status=GitStatus.CONNECTED, last_validated="2026-03-08T00:00:00Z"
+    )])
+    
+    result = asyncio.run(git_routes.get_git_configs(db=db))
+    
+    assert len(result) == 1
+    assert result[0].pat == "********"
+    assert result[0].name == "Test Server"
+
+def test_create_git_config_persists_config():
+    """
+    @PRE: `config` contains valid GitServerConfigCreate data.
+    @POST: A new GitServerConfig record is created in the database.
+    """
+    from src.api.routes.git_schemas import GitServerConfigCreate
+    db = DbMock()
+    config = GitServerConfigCreate(
+        name="New Server", provider=GitProvider.GITLAB,
+        url="https://gitlab.com", pat="new-token",
+        default_branch="master"
+    )
+    
+    result = asyncio.run(git_routes.create_git_config(config=config, db=db))
+    
+    assert len(db._added) == 1
+    assert db._added[0].name == "New Server"
+    assert db._added[0].pat == "new-token"
+    assert result.name == "New Server"
+    assert result.pat == "new-token" # Note: route returns unmasked until serialized by FastAPI usually, but in tests schema might catch it or not.
+
+from src.api.routes.git_schemas import GitServerConfigUpdate
+
+def test_update_git_config_modifies_record():
+    """
+    @PRE: `config_id` corresponds to an existing configuration.
+    @POST: The configuration record is updated in the database, preserving PAT if masked is sent.
+    """
+    existing_config = GitServerConfig(
+        id="config-1", name="Old Server", provider=GitProvider.GITHUB,
+        url="https://github.com", pat="old-token",
+        status=GitStatus.CONNECTED, last_validated="2026-03-08T00:00:00Z"
+    )
+    # The monkeypatched query will return existing_config as it's the only one in the list
+    class SingleConfigDbMock:
+        def query(self, *args): return self
+        def filter(self, *args): return self
+        def first(self): return existing_config
+        def commit(self): pass
+        def refresh(self, config): pass
+
+    db = SingleConfigDbMock()
+    update_data = GitServerConfigUpdate(name="Updated Server", pat="********")
+    
+    result = asyncio.run(git_routes.update_git_config(config_id="config-1", config_update=update_data, db=db))
+    
+    assert existing_config.name == "Updated Server"
+    assert existing_config.pat == "old-token" # Ensure PAT is not overwritten with asterisks
+    assert result.pat == "********"
+
+def test_update_git_config_raises_404_if_not_found():
+    """
+    @PRE: `config_id` corresponds to a missing configuration.
+    @THROW: HTTPException 404
+    """
+    db = DbMock([]) # Empty db
+    update_data = GitServerConfigUpdate(name="Updated Server", pat="new-token")
+    
+    with pytest.raises(HTTPException) as exc_info:
+        asyncio.run(git_routes.update_git_config(config_id="config-1", config_update=update_data, db=db))
+    
+    assert exc_info.value.status_code == 404
+    assert exc_info.value.detail == "Configuration not found"
+
+def test_delete_git_config_removes_record():
+    """
+    @PRE: `config_id` corresponds to an existing configuration.
+    @POST: The configuration record is removed from the database.
+    """
+    existing_config = GitServerConfig(id="config-1")
+    class SingleConfigDbMock:
+        def query(self, *args): return self
+        def filter(self, *args): return self
+        def first(self): return existing_config
+        def delete(self, config): self.deleted = config
+        def commit(self): pass
+
+    db = SingleConfigDbMock()
+    
+    result = asyncio.run(git_routes.delete_git_config(config_id="config-1", db=db))
+    
+    assert db.deleted == existing_config
+    assert result["status"] == "success"
+
+def test_test_git_config_validates_connection_successfully(monkeypatch):
+    """
+    @PRE: `config` contains provider, url, and pat.
+    @POST: Returns success if the connection is validated via GitService.
+    """
+    class MockGitService:
+        async def test_connection(self, provider, url, pat):
+            return True
+
+    monkeypatch.setattr(git_routes, "git_service", MockGitService())
+    from src.api.routes.git_schemas import GitServerConfigCreate
+    
+    config = GitServerConfigCreate(
+        name="Test Server", provider=GitProvider.GITHUB,
+        url="https://github.com", pat="test-pat"
+    )
+    db = DbMock([])
+    
+    result = asyncio.run(git_routes.test_git_config(config=config, db=db))
+    
+    assert result["status"] == "success"
+
+def test_test_git_config_fails_validation(monkeypatch):
+    """
+    @PRE: `config` contains provider, url, and pat BUT connection fails.
+    @THROW: HTTPException 400
+    """
+    class MockGitService:
+        async def test_connection(self, provider, url, pat):
+            return False
+
+    monkeypatch.setattr(git_routes, "git_service", MockGitService())
+    from src.api.routes.git_schemas import GitServerConfigCreate
+    
+    config = GitServerConfigCreate(
+        name="Test Server", provider=GitProvider.GITHUB,
+        url="https://github.com", pat="bad-pat"
+    )
+    db = DbMock([])
+    
+    with pytest.raises(HTTPException) as exc_info:
+        asyncio.run(git_routes.test_git_config(config=config, db=db))
+    
+    assert exc_info.value.status_code == 400
+    assert exc_info.value.detail == "Connection failed"
+
+def test_list_gitea_repositories_returns_payload(monkeypatch):
+    """
+    @PRE: config_id exists and provider is GITEA.
+    @POST: Returns repositories visible to PAT user.
+    """
+    class MockGitService:
+        async def list_gitea_repositories(self, url, pat):
+            return [{"name": "test-repo", "full_name": "owner/test-repo", "private": True}]
+
+    monkeypatch.setattr(git_routes, "git_service", MockGitService())
+    existing_config = GitServerConfig(
+        id="config-1", name="Gitea Server", provider=GitProvider.GITEA,
+        url="https://gitea.local", pat="gitea-token"
+    )
+    db = DbMock([existing_config])
+    
+    result = asyncio.run(git_routes.list_gitea_repositories(config_id="config-1", db=db))
+    
+    assert len(result) == 1
+    assert result[0].name == "test-repo"
+    assert result[0].private is True
+
+def test_list_gitea_repositories_rejects_non_gitea(monkeypatch):
+    """
+    @PRE: config_id exists and provider is NOT GITEA.
+    @THROW: HTTPException 400
+    """
+    existing_config = GitServerConfig(
+        id="config-1", name="GitHub Server", provider=GitProvider.GITHUB,
+        url="https://github.com", pat="token"
+    )
+    db = DbMock([existing_config])
+    
+    with pytest.raises(HTTPException) as exc_info:
+        asyncio.run(git_routes.list_gitea_repositories(config_id="config-1", db=db))
+    
+    assert exc_info.value.status_code == 400
+    assert "GITEA provider only" in exc_info.value.detail
+
+def test_create_remote_repository_creates_provider_repo(monkeypatch):
+    """
+    @PRE: config_id exists and PAT has creation permissions.
+    @POST: Returns normalized remote repository payload.
+    """
+    class MockGitService:
+        async def create_gitlab_repository(self, server_url, pat, name, private, description, auto_init, default_branch):
+            return {
+                "name": name,
+                "full_name": f"user/{name}",
+                "private": private,
+                "clone_url": f"{server_url}/user/{name}.git"
+            }
+
+    monkeypatch.setattr(git_routes, "git_service", MockGitService())
+    from src.api.routes.git_schemas import RemoteRepoCreateRequest
+    
+    existing_config = GitServerConfig(
+        id="config-1", name="GitLab Server", provider=GitProvider.GITLAB,
+        url="https://gitlab.com", pat="token"
+    )
+    db = DbMock([existing_config])
+    
+    request = RemoteRepoCreateRequest(name="new-repo", private=True, description="desc")
+    result = asyncio.run(git_routes.create_remote_repository(config_id="config-1", request=request, db=db))
+    
+    assert result.provider == GitProvider.GITLAB
+    assert result.name == "new-repo"
+    assert result.full_name == "user/new-repo"
+
+def test_init_repository_initializes_and_saves_binding(monkeypatch):
+    """
+    @PRE: `dashboard_ref` exists and `init_data` contains valid config_id and remote_url.
+    @POST: Repository is initialized on disk and a GitRepository record is saved in DB.
+    """
+    from src.api.routes.git_schemas import RepoInitRequest
+    
+    class MockGitService:
+        def init_repo(self, dashboard_id, remote_url, pat, repo_key, default_branch):
+            self.init_called = True
+        def _get_repo_path(self, dashboard_id, repo_key):
+            return f"/tmp/repos/{repo_key}"
+
+    git_service_mock = MockGitService()
+    monkeypatch.setattr(git_routes, "git_service", git_service_mock)
+    monkeypatch.setattr(git_routes, "_resolve_dashboard_id_from_ref", lambda *args, **kwargs: 123)
+    monkeypatch.setattr(git_routes, "_resolve_repo_key_from_ref", lambda *args, **kwargs: "dashboard-123")
+    
+    existing_config = GitServerConfig(
+        id="config-1", name="GitLab Server", provider=GitProvider.GITLAB,
+        url="https://gitlab.com", pat="token", default_branch="main"
+    )
+    db = DbMock([existing_config])
+    
+    init_data = RepoInitRequest(config_id="config-1", remote_url="https://git.local/repo.git")
+    
+    result = asyncio.run(git_routes.init_repository(dashboard_ref="123", init_data=init_data, config_manager=MagicMock(), db=db))
+    
+    assert result["status"] == "success"
+    assert git_service_mock.init_called is True
+    assert len(db._added) == 1
+    assert isinstance(db._added[0], GitRepository)
+    assert db._added[0].dashboard_id == 123
+
+# [/DEF:backend.src.api.routes.__tests__.test_git_api:Module]

backend/src/api/routes/__tests__/test_git_status_route.py

@@ -0,0 +1,440 @@
+# [DEF:backend.src.api.routes.__tests__.test_git_status_route:Module]
+# @TIER: STANDARD
+# @SEMANTICS: tests, git, api, status, no_repo
+# @PURPOSE: Validate status endpoint behavior for missing and error repository states.
+# @LAYER: Domain (Tests)
+# @RELATION: CALLS -> src.api.routes.git.get_repository_status
+
+from fastapi import HTTPException
+import pytest
+import asyncio
+from unittest.mock import MagicMock
+
+from src.api.routes import git as git_routes
+
+
+# [DEF:test_get_repository_status_returns_no_repo_payload_for_missing_repo:Function]
+# @PURPOSE: Ensure missing local repository is represented as NO_REPO payload instead of an API error.
+# @PRE: GitService.get_status raises HTTPException(404).
+# @POST: Route returns a deterministic NO_REPO status payload.
+def test_get_repository_status_returns_no_repo_payload_for_missing_repo(monkeypatch):
+    class MissingRepoGitService:
+        def _get_repo_path(self, dashboard_id: int) -> str:
+            return f"/tmp/missing-repo-{dashboard_id}"
+
+        def get_status(self, dashboard_id: int) -> dict:
+            raise AssertionError("get_status must not be called when repository path is missing")
+
+    monkeypatch.setattr(git_routes, "git_service", MissingRepoGitService())
+
+    response = asyncio.run(git_routes.get_repository_status(34))
+
+    assert response["sync_status"] == "NO_REPO"
+    assert response["sync_state"] == "NO_REPO"
+    assert response["has_repo"] is False
+    assert response["current_branch"] is None
+# [/DEF:test_get_repository_status_returns_no_repo_payload_for_missing_repo:Function]
+
+
+# [DEF:test_get_repository_status_propagates_non_404_http_exception:Function]
+# @PURPOSE: Ensure HTTP exceptions other than 404 are not masked.
+# @PRE: GitService.get_status raises HTTPException with non-404 status.
+# @POST: Raised exception preserves original status and detail.
+def test_get_repository_status_propagates_non_404_http_exception(monkeypatch):
+    class ConflictGitService:
+        def _get_repo_path(self, dashboard_id: int) -> str:
+            return f"/tmp/existing-repo-{dashboard_id}"
+
+        def get_status(self, dashboard_id: int) -> dict:
+            raise HTTPException(status_code=409, detail="Conflict")
+
+    monkeypatch.setattr(git_routes, "git_service", ConflictGitService())
+    monkeypatch.setattr(git_routes.os.path, "exists", lambda _path: True)
+
+    with pytest.raises(HTTPException) as exc_info:
+        asyncio.run(git_routes.get_repository_status(34))
+
+    assert exc_info.value.status_code == 409
+    assert exc_info.value.detail == "Conflict"
+# [/DEF:test_get_repository_status_propagates_non_404_http_exception:Function]
+
+
+# [DEF:test_get_repository_diff_propagates_http_exception:Function]
+# @PURPOSE: Ensure diff endpoint preserves domain HTTP errors from GitService.
+# @PRE: GitService.get_diff raises HTTPException.
+# @POST: Endpoint raises same HTTPException values.
+def test_get_repository_diff_propagates_http_exception(monkeypatch):
+    class DiffGitService:
+        def get_diff(self, dashboard_id: int, file_path=None, staged: bool = False) -> str:
+            raise HTTPException(status_code=404, detail="Repository missing")
+
+    monkeypatch.setattr(git_routes, "git_service", DiffGitService())
+
+    with pytest.raises(HTTPException) as exc_info:
+        asyncio.run(git_routes.get_repository_diff(12))
+
+    assert exc_info.value.status_code == 404
+    assert exc_info.value.detail == "Repository missing"
+# [/DEF:test_get_repository_diff_propagates_http_exception:Function]
+
+
+# [DEF:test_get_history_wraps_unexpected_error_as_500:Function]
+# @PURPOSE: Ensure non-HTTP exceptions in history endpoint become deterministic 500 errors.
+# @PRE: GitService.get_commit_history raises ValueError.
+# @POST: Endpoint returns HTTPException with status 500 and route context.
+def test_get_history_wraps_unexpected_error_as_500(monkeypatch):
+    class HistoryGitService:
+        def get_commit_history(self, dashboard_id: int, limit: int = 50):
+            raise ValueError("broken parser")
+
+    monkeypatch.setattr(git_routes, "git_service", HistoryGitService())
+
+    with pytest.raises(HTTPException) as exc_info:
+        asyncio.run(git_routes.get_history(12))
+
+    assert exc_info.value.status_code == 500
+    assert exc_info.value.detail == "get_history failed: broken parser"
+# [/DEF:test_get_history_wraps_unexpected_error_as_500:Function]
+
+
+# [DEF:test_commit_changes_wraps_unexpected_error_as_500:Function]
+# @PURPOSE: Ensure commit endpoint does not leak unexpected errors as 400.
+# @PRE: GitService.commit_changes raises RuntimeError.
+# @POST: Endpoint raises HTTPException(500) with route context.
+def test_commit_changes_wraps_unexpected_error_as_500(monkeypatch):
+    class CommitGitService:
+        def commit_changes(self, dashboard_id: int, message: str, files):
+            raise RuntimeError("index lock")
+
+    class CommitPayload:
+        message = "test"
+        files = ["dashboards/a.yaml"]
+
+    monkeypatch.setattr(git_routes, "git_service", CommitGitService())
+
+    with pytest.raises(HTTPException) as exc_info:
+        asyncio.run(git_routes.commit_changes(12, CommitPayload()))
+
+    assert exc_info.value.status_code == 500
+    assert exc_info.value.detail == "commit_changes failed: index lock"
+# [/DEF:test_commit_changes_wraps_unexpected_error_as_500:Function]
+
+
+# [DEF:test_get_repository_status_batch_returns_mixed_statuses:Function]
+# @PURPOSE: Ensure batch endpoint returns per-dashboard statuses in one response.
+# @PRE: Some repositories are missing and some are initialized.
+# @POST: Returned map includes resolved status for each requested dashboard ID.
+def test_get_repository_status_batch_returns_mixed_statuses(monkeypatch):
+    class BatchGitService:
+        def _get_repo_path(self, dashboard_id: int) -> str:
+            return f"/tmp/repo-{dashboard_id}"
+
+        def get_status(self, dashboard_id: int) -> dict:
+            if dashboard_id == 2:
+                return {"sync_state": "SYNCED", "sync_status": "OK"}
+            raise HTTPException(status_code=404, detail="not found")
+
+    monkeypatch.setattr(git_routes, "git_service", BatchGitService())
+    monkeypatch.setattr(git_routes.os.path, "exists", lambda path: path.endswith("/repo-2"))
+
+    class BatchRequest:
+        dashboard_ids = [1, 2]
+
+    response = asyncio.run(git_routes.get_repository_status_batch(BatchRequest()))
+
+    assert response.statuses["1"]["sync_status"] == "NO_REPO"
+    assert response.statuses["2"]["sync_state"] == "SYNCED"
+# [/DEF:test_get_repository_status_batch_returns_mixed_statuses:Function]
+
+
+# [DEF:test_get_repository_status_batch_marks_item_as_error_on_service_failure:Function]
+# @PURPOSE: Ensure batch endpoint marks failed items as ERROR without failing entire request.
+# @PRE: GitService raises non-HTTP exception for one dashboard.
+# @POST: Failed dashboard status is marked as ERROR.
+def test_get_repository_status_batch_marks_item_as_error_on_service_failure(monkeypatch):
+    class BatchErrorGitService:
+        def _get_repo_path(self, dashboard_id: int) -> str:
+            return f"/tmp/repo-{dashboard_id}"
+
+        def get_status(self, dashboard_id: int) -> dict:
+            raise RuntimeError("boom")
+
+    monkeypatch.setattr(git_routes, "git_service", BatchErrorGitService())
+    monkeypatch.setattr(git_routes.os.path, "exists", lambda _path: True)
+
+    class BatchRequest:
+        dashboard_ids = [9]
+
+    response = asyncio.run(git_routes.get_repository_status_batch(BatchRequest()))
+
+    assert response.statuses["9"]["sync_status"] == "ERROR"
+    assert response.statuses["9"]["sync_state"] == "ERROR"
+# [/DEF:test_get_repository_status_batch_marks_item_as_error_on_service_failure:Function]
+
+
+# [DEF:test_get_repository_status_batch_deduplicates_and_truncates_ids:Function]
+# @PURPOSE: Ensure batch endpoint protects server from oversized payloads.
+# @PRE: request includes duplicate IDs and more than MAX_REPOSITORY_STATUS_BATCH entries.
+# @POST: Result contains unique IDs up to configured cap.
+def test_get_repository_status_batch_deduplicates_and_truncates_ids(monkeypatch):
+    class SafeBatchGitService:
+        def _get_repo_path(self, dashboard_id: int) -> str:
+            return f"/tmp/repo-{dashboard_id}"
+
+        def get_status(self, dashboard_id: int) -> dict:
+            return {"sync_state": "SYNCED", "sync_status": "OK"}
+
+    monkeypatch.setattr(git_routes, "git_service", SafeBatchGitService())
+    monkeypatch.setattr(git_routes.os.path, "exists", lambda _path: True)
+
+    class BatchRequest:
+        dashboard_ids = [1, 1] + list(range(2, 90))
+
+    response = asyncio.run(git_routes.get_repository_status_batch(BatchRequest()))
+
+    assert len(response.statuses) == git_routes.MAX_REPOSITORY_STATUS_BATCH
+    assert "1" in response.statuses
+# [/DEF:test_get_repository_status_batch_deduplicates_and_truncates_ids:Function]
+
+
+# [DEF:test_commit_changes_applies_profile_identity_before_commit:Function]
+# @PURPOSE: Ensure commit route configures repository identity from profile preferences before commit call.
+# @PRE: Profile preference contains git_username/git_email for current user.
+# @POST: git_service.configure_identity receives resolved identity and commit proceeds.
+def test_commit_changes_applies_profile_identity_before_commit(monkeypatch):
+    class IdentityGitService:
+        def __init__(self):
+            self.configured_identity = None
+            self.commit_payload = None
+
+        def configure_identity(self, dashboard_id: int, git_username: str, git_email: str):
+            self.configured_identity = (dashboard_id, git_username, git_email)
+
+        def commit_changes(self, dashboard_id: int, message: str, files):
+            self.commit_payload = (dashboard_id, message, files)
+
+    class PreferenceRow:
+        git_username = "user_1"
+        git_email = "user1@mail.ru"
+
+    class PreferenceQuery:
+        def filter(self, *_args, **_kwargs):
+            return self
+
+        def first(self):
+            return PreferenceRow()
+
+    class DbStub:
+        def query(self, _model):
+            return PreferenceQuery()
+
+    class UserStub:
+        id = "u-1"
+
+    class CommitPayload:
+        message = "test"
+        files = ["dashboards/a.yaml"]
+
+    identity_service = IdentityGitService()
+    monkeypatch.setattr(git_routes, "git_service", identity_service)
+    monkeypatch.setattr(
+        git_routes,
+        "_resolve_dashboard_id_from_ref",
+        lambda *_args, **_kwargs: 12,
+    )
+
+    asyncio.run(
+        git_routes.commit_changes(
+            "dashboard-12",
+            CommitPayload(),
+            config_manager=MagicMock(),
+            db=DbStub(),
+            current_user=UserStub(),
+        )
+    )
+
+    assert identity_service.configured_identity == (12, "user_1", "user1@mail.ru")
+    assert identity_service.commit_payload == (12, "test", ["dashboards/a.yaml"])
+# [/DEF:test_commit_changes_applies_profile_identity_before_commit:Function]
+
+
+# [DEF:test_pull_changes_applies_profile_identity_before_pull:Function]
+# @PURPOSE: Ensure pull route configures repository identity from profile preferences before pull call.
+# @PRE: Profile preference contains git_username/git_email for current user.
+# @POST: git_service.configure_identity receives resolved identity and pull proceeds.
+def test_pull_changes_applies_profile_identity_before_pull(monkeypatch):
+    class IdentityGitService:
+        def __init__(self):
+            self.configured_identity = None
+            self.pulled_dashboard_id = None
+
+        def configure_identity(self, dashboard_id: int, git_username: str, git_email: str):
+            self.configured_identity = (dashboard_id, git_username, git_email)
+
+        def pull_changes(self, dashboard_id: int):
+            self.pulled_dashboard_id = dashboard_id
+
+    class PreferenceRow:
+        git_username = "user_1"
+        git_email = "user1@mail.ru"
+
+    class PreferenceQuery:
+        def filter(self, *_args, **_kwargs):
+            return self
+
+        def first(self):
+            return PreferenceRow()
+
+    class DbStub:
+        def query(self, _model):
+            return PreferenceQuery()
+
+    class UserStub:
+        id = "u-1"
+
+    identity_service = IdentityGitService()
+    monkeypatch.setattr(git_routes, "git_service", identity_service)
+    monkeypatch.setattr(
+        git_routes,
+        "_resolve_dashboard_id_from_ref",
+        lambda *_args, **_kwargs: 12,
+    )
+
+    asyncio.run(
+        git_routes.pull_changes(
+            "dashboard-12",
+            config_manager=MagicMock(),
+            db=DbStub(),
+            current_user=UserStub(),
+        )
+    )
+
+    assert identity_service.configured_identity == (12, "user_1", "user1@mail.ru")
+    assert identity_service.pulled_dashboard_id == 12
+# [/DEF:test_pull_changes_applies_profile_identity_before_pull:Function]
+
+
+# [DEF:test_get_merge_status_returns_service_payload:Function]
+# @PURPOSE: Ensure merge status route returns service payload as-is.
+# @PRE: git_service.get_merge_status returns unfinished merge payload.
+# @POST: Route response contains has_unfinished_merge=True.
+def test_get_merge_status_returns_service_payload(monkeypatch):
+    class MergeStatusGitService:
+        def get_merge_status(self, dashboard_id: int) -> dict:
+            return {
+                "has_unfinished_merge": True,
+                "repository_path": "/tmp/repo-12",
+                "git_dir": "/tmp/repo-12/.git",
+                "current_branch": "dev",
+                "merge_head": "abc",
+                "merge_message_preview": "merge msg",
+                "conflicts_count": 2,
+            }
+
+    monkeypatch.setattr(git_routes, "git_service", MergeStatusGitService())
+    monkeypatch.setattr(git_routes, "_resolve_dashboard_id_from_ref", lambda *_args, **_kwargs: 12)
+
+    response = asyncio.run(
+        git_routes.get_merge_status(
+            "dashboard-12",
+            config_manager=MagicMock(),
+        )
+    )
+
+    assert response["has_unfinished_merge"] is True
+    assert response["conflicts_count"] == 2
+# [/DEF:test_get_merge_status_returns_service_payload:Function]
+
+
+# [DEF:test_resolve_merge_conflicts_passes_resolution_items_to_service:Function]
+# @PURPOSE: Ensure merge resolve route forwards parsed resolutions to service.
+# @PRE: resolve_data has one file strategy.
+# @POST: Service receives normalized list and route returns resolved files.
+def test_resolve_merge_conflicts_passes_resolution_items_to_service(monkeypatch):
+    captured = {}
+
+    class MergeResolveGitService:
+        def resolve_merge_conflicts(self, dashboard_id: int, resolutions):
+            captured["dashboard_id"] = dashboard_id
+            captured["resolutions"] = resolutions
+            return ["dashboards/a.yaml"]
+
+    class ResolveData:
+        class _Resolution:
+            def dict(self):
+                return {"file_path": "dashboards/a.yaml", "resolution": "mine", "content": None}
+
+        resolutions = [_Resolution()]
+
+    monkeypatch.setattr(git_routes, "git_service", MergeResolveGitService())
+    monkeypatch.setattr(git_routes, "_resolve_dashboard_id_from_ref", lambda *_args, **_kwargs: 12)
+
+    response = asyncio.run(
+        git_routes.resolve_merge_conflicts(
+            "dashboard-12",
+            ResolveData(),
+            config_manager=MagicMock(),
+        )
+    )
+
+    assert captured["dashboard_id"] == 12
+    assert captured["resolutions"][0]["resolution"] == "mine"
+    assert response["resolved_files"] == ["dashboards/a.yaml"]
+# [/DEF:test_resolve_merge_conflicts_passes_resolution_items_to_service:Function]
+
+
+# [DEF:test_abort_merge_calls_service_and_returns_result:Function]
+# @PURPOSE: Ensure abort route delegates to service.
+# @PRE: Service abort_merge returns aborted status.
+# @POST: Route returns aborted status.
+def test_abort_merge_calls_service_and_returns_result(monkeypatch):
+    class AbortGitService:
+        def abort_merge(self, dashboard_id: int):
+            assert dashboard_id == 12
+            return {"status": "aborted"}
+
+    monkeypatch.setattr(git_routes, "git_service", AbortGitService())
+    monkeypatch.setattr(git_routes, "_resolve_dashboard_id_from_ref", lambda *_args, **_kwargs: 12)
+
+    response = asyncio.run(
+        git_routes.abort_merge(
+            "dashboard-12",
+            config_manager=MagicMock(),
+        )
+    )
+
+    assert response["status"] == "aborted"
+# [/DEF:test_abort_merge_calls_service_and_returns_result:Function]
+
+
+# [DEF:test_continue_merge_passes_message_and_returns_commit:Function]
+# @PURPOSE: Ensure continue route passes commit message to service.
+# @PRE: continue_data.message is provided.
+# @POST: Route returns committed status and hash.
+def test_continue_merge_passes_message_and_returns_commit(monkeypatch):
+    class ContinueGitService:
+        def continue_merge(self, dashboard_id: int, message: str):
+            assert dashboard_id == 12
+            assert message == "Resolve all conflicts"
+            return {"status": "committed", "commit_hash": "abc123"}
+
+    class ContinueData:
+        message = "Resolve all conflicts"
+
+    monkeypatch.setattr(git_routes, "git_service", ContinueGitService())
+    monkeypatch.setattr(git_routes, "_resolve_dashboard_id_from_ref", lambda *_args, **_kwargs: 12)
+
+    response = asyncio.run(
+        git_routes.continue_merge(
+            "dashboard-12",
+            ContinueData(),
+            config_manager=MagicMock(),
+        )
+    )
+
+    assert response["status"] == "committed"
+    assert response["commit_hash"] == "abc123"
+# [/DEF:test_continue_merge_passes_message_and_returns_commit:Function]
+
+
+# [/DEF:backend.src.api.routes.__tests__.test_git_status_route:Module]

backend/src/api/routes/__tests__/test_migration_routes.py

@@ -0,0 +1,510 @@
+# [DEF:backend.src.api.routes.__tests__.test_migration_routes:Module]
+#
+# @TIER:      STANDARD
+# @PURPOSE:   Unit tests for migration API route handlers.
+# @LAYER:     API
+# @RELATION:  VERIFIES -> backend.src.api.routes.migration
+#
+import pytest
+import sys
+from pathlib import Path
+from unittest.mock import MagicMock, AsyncMock, patch
+from datetime import datetime, timezone
+
+# Add backend directory to sys.path
+backend_dir = str(Path(__file__).parent.parent.parent.parent.resolve())
+if backend_dir not in sys.path:
+    sys.path.insert(0, backend_dir)
+
+import os
+# Force SQLite in-memory for all database connections BEFORE importing any application code
+os.environ["DATABASE_URL"] = "sqlite:///:memory:"
+os.environ["TASKS_DATABASE_URL"] = "sqlite:///:memory:"
+os.environ["AUTH_DATABASE_URL"] = "sqlite:///:memory:"
+os.environ["ENVIRONMENT"] = "testing"
+
+
+from fastapi import HTTPException
+from sqlalchemy import create_engine
+from sqlalchemy.orm import sessionmaker
+
+from src.models.mapping import Base, ResourceMapping, ResourceType
+
+# Patch the get_db dependency if `src.api.routes.migration` imports it
+from unittest.mock import patch
+patch('src.core.database.get_db').start()
+
+# --- Fixtures ---
+
+@pytest.fixture
+def db_session():
+    """In-memory SQLite session for testing."""
+    from sqlalchemy.pool import StaticPool
+    engine = create_engine(
+        'sqlite:///:memory:',
+        connect_args={'check_same_thread': False},
+        poolclass=StaticPool
+    )
+    Base.metadata.create_all(engine)
+    Session = sessionmaker(bind=engine)
+    session = Session()
+    yield session
+    session.close()
+
+
+def _make_config_manager(cron="0 2 * * *"):
+    """Creates a mock config manager with a realistic AppConfig-like object."""
+    settings = MagicMock()
+    settings.migration_sync_cron = cron
+    config = MagicMock()
+    config.settings = settings
+    cm = MagicMock()
+    cm.get_config.return_value = config
+    cm.save_config = MagicMock()
+    return cm
+
+
+# --- get_migration_settings tests ---
+
+@pytest.mark.asyncio
+async def test_get_migration_settings_returns_default_cron():
+    """Verify the settings endpoint returns the stored cron string."""
+    from src.api.routes.migration import get_migration_settings
+
+    cm = _make_config_manager(cron="0 3 * * *")
+
+    # Call the handler directly, bypassing Depends
+    result = await get_migration_settings(config_manager=cm, _=None)
+
+    assert result == {"cron": "0 3 * * *"}
+    cm.get_config.assert_called_once()
+
+
+@pytest.mark.asyncio
+async def test_get_migration_settings_returns_fallback_when_no_cron():
+    """When migration_sync_cron uses the default, should return '0 2 * * *'."""
+    from src.api.routes.migration import get_migration_settings
+
+    # Use the default cron value (simulating a fresh config)
+    cm = _make_config_manager()
+
+    result = await get_migration_settings(config_manager=cm, _=None)
+
+    assert result == {"cron": "0 2 * * *"}
+
+
+# --- update_migration_settings tests ---
+
+@pytest.mark.asyncio
+async def test_update_migration_settings_saves_cron():
+    """Verify that a valid cron update saves to config."""
+    from src.api.routes.migration import update_migration_settings
+
+    cm = _make_config_manager()
+
+    result = await update_migration_settings(
+        payload={"cron": "0 4 * * *"},
+        config_manager=cm,
+        _=None
+    )
+
+    assert result["cron"] == "0 4 * * *"
+    assert result["status"] == "updated"
+    cm.save_config.assert_called_once()
+
+
+@pytest.mark.asyncio
+async def test_update_migration_settings_rejects_missing_cron():
+    """Verify 400 error when 'cron' key is missing from payload."""
+    from src.api.routes.migration import update_migration_settings
+
+    cm = _make_config_manager()
+
+    with pytest.raises(HTTPException) as exc_info:
+        await update_migration_settings(
+            payload={"interval": "daily"},
+            config_manager=cm,
+            _=None
+        )
+
+    assert exc_info.value.status_code == 400
+    assert "cron" in exc_info.value.detail.lower()
+
+
+# --- get_resource_mappings tests ---
+
+@pytest.mark.asyncio
+async def test_get_resource_mappings_returns_formatted_list(db_session):
+    """Verify mappings are returned as formatted dicts with correct keys."""
+    from src.api.routes.migration import get_resource_mappings
+
+    # Populate test data
+    m1 = ResourceMapping(
+        environment_id="prod",
+        resource_type=ResourceType.CHART,
+        uuid="uuid-1",
+        remote_integer_id="42",
+        resource_name="Sales Chart",
+        last_synced_at=datetime(2026, 1, 15, 12, 0, 0, tzinfo=timezone.utc)
+    )
+    db_session.add(m1)
+    db_session.commit()
+
+    result = await get_resource_mappings(skip=0, limit=50, search=None, env_id=None, resource_type=None, db=db_session, _=None)
+
+    assert result["total"] == 1
+    assert len(result["items"]) == 1
+    assert result["items"][0]["environment_id"] == "prod"
+    assert result["items"][0]["resource_type"] == "chart"
+    assert result["items"][0]["uuid"] == "uuid-1"
+    assert result["items"][0]["remote_id"] == "42"
+    assert result["items"][0]["resource_name"] == "Sales Chart"
+    assert result["items"][0]["last_synced_at"] is not None
+
+
+@pytest.mark.asyncio
+async def test_get_resource_mappings_respects_pagination(db_session):
+    """Verify skip and limit parameters work correctly."""
+    from src.api.routes.migration import get_resource_mappings
+
+    for i in range(5):
+        db_session.add(ResourceMapping(
+            environment_id="prod",
+            resource_type=ResourceType.DATASET,
+            uuid=f"uuid-{i}",
+            remote_integer_id=str(i),
+        ))
+    db_session.commit()
+
+    result = await get_resource_mappings(skip=2, limit=2, search=None, env_id=None, resource_type=None, db=db_session, _=None)
+
+    assert result["total"] == 5
+    assert len(result["items"]) == 2
+
+
+@pytest.mark.asyncio
+async def test_get_resource_mappings_search_by_name(db_session):
+    """Verify search filters by resource_name."""
+    from src.api.routes.migration import get_resource_mappings
+
+    db_session.add(ResourceMapping(environment_id="prod", resource_type=ResourceType.CHART, uuid="u1", remote_integer_id="1", resource_name="Sales Chart"))
+    db_session.add(ResourceMapping(environment_id="prod", resource_type=ResourceType.CHART, uuid="u2", remote_integer_id="2", resource_name="Revenue Dashboard"))
+    db_session.commit()
+
+    result = await get_resource_mappings(skip=0, limit=50, search="sales", env_id=None, resource_type=None, db=db_session, _=None)
+    assert result["total"] == 1
+    assert result["items"][0]["resource_name"] == "Sales Chart"
+
+
+@pytest.mark.asyncio
+async def test_get_resource_mappings_filter_by_env(db_session):
+    """Verify env_id filter returns only matching environment."""
+    from src.api.routes.migration import get_resource_mappings
+
+    db_session.add(ResourceMapping(environment_id="ss1", resource_type=ResourceType.CHART, uuid="u1", remote_integer_id="1", resource_name="Chart A"))
+    db_session.add(ResourceMapping(environment_id="ss2", resource_type=ResourceType.CHART, uuid="u2", remote_integer_id="2", resource_name="Chart B"))
+    db_session.commit()
+
+    result = await get_resource_mappings(skip=0, limit=50, search=None, env_id="ss2", resource_type=None, db=db_session, _=None)
+    assert result["total"] == 1
+    assert result["items"][0]["environment_id"] == "ss2"
+
+
+@pytest.mark.asyncio
+async def test_get_resource_mappings_filter_by_type(db_session):
+    """Verify resource_type filter returns only matching type."""
+    from src.api.routes.migration import get_resource_mappings
+
+    db_session.add(ResourceMapping(environment_id="prod", resource_type=ResourceType.CHART, uuid="u1", remote_integer_id="1", resource_name="My Chart"))
+    db_session.add(ResourceMapping(environment_id="prod", resource_type=ResourceType.DATASET, uuid="u2", remote_integer_id="2", resource_name="My Dataset"))
+    db_session.commit()
+
+    result = await get_resource_mappings(skip=0, limit=50, search=None, env_id=None, resource_type="dataset", db=db_session, _=None)
+    assert result["total"] == 1
+    assert result["items"][0]["resource_type"] == "dataset"
+
+
+# --- trigger_sync_now tests ---
+
+@pytest.fixture
+def _mock_env():
+    """Creates a mock config environment object."""
+    env = MagicMock()
+    env.id = "test-env-1"
+    env.name = "Test Env"
+    env.url = "http://superset.test"
+    env.username = "admin"
+    env.password = "admin"
+    env.verify_ssl = False
+    env.timeout = 30
+    return env
+
+
+def _make_sync_config_manager(environments):
+    """Creates a mock config manager with environments list."""
+    settings = MagicMock()
+    settings.migration_sync_cron = "0 2 * * *"
+    config = MagicMock()
+    config.settings = settings
+    config.environments = environments
+    cm = MagicMock()
+    cm.get_config.return_value = config
+    cm.get_environments.return_value = environments
+    return cm
+
+
+@pytest.mark.asyncio
+async def test_trigger_sync_now_creates_env_row_and_syncs(db_session, _mock_env):
+    """Verify that trigger_sync_now creates an Environment row in DB before syncing,
+    preventing FK constraint violations on resource_mappings inserts."""
+    from src.api.routes.migration import trigger_sync_now
+    from src.models.mapping import Environment as EnvironmentModel
+
+    cm = _make_sync_config_manager([_mock_env])
+
+    with patch("src.api.routes.migration.SupersetClient") as MockClient, \
+         patch("src.api.routes.migration.IdMappingService") as MockService:
+        mock_client_instance = MagicMock()
+        MockClient.return_value = mock_client_instance
+        mock_service_instance = MagicMock()
+        MockService.return_value = mock_service_instance
+
+        result = await trigger_sync_now(config_manager=cm, db=db_session, _=None)
+
+    # Environment row must exist in DB
+    env_row = db_session.query(EnvironmentModel).filter_by(id="test-env-1").first()
+    assert env_row is not None
+    assert env_row.name == "Test Env"
+    assert env_row.url == "http://superset.test"
+
+    # Sync must have been called
+    mock_service_instance.sync_environment.assert_called_once_with("test-env-1", mock_client_instance)
+    assert result["synced_count"] == 1
+    assert result["failed_count"] == 0
+
+
+@pytest.mark.asyncio
+async def test_trigger_sync_now_rejects_empty_environments(db_session):
+    """Verify 400 error when no environments are configured."""
+    from src.api.routes.migration import trigger_sync_now
+
+    cm = _make_sync_config_manager([])
+
+    with pytest.raises(HTTPException) as exc_info:
+        await trigger_sync_now(config_manager=cm, db=db_session, _=None)
+
+    assert exc_info.value.status_code == 400
+    assert "No environments" in exc_info.value.detail
+
+
+@pytest.mark.asyncio
+async def test_trigger_sync_now_handles_partial_failure(db_session, _mock_env):
+    """Verify that if sync_environment raises for one env, it's captured in failed list."""
+    from src.api.routes.migration import trigger_sync_now
+
+    env2 = MagicMock()
+    env2.id = "test-env-2"
+    env2.name = "Failing Env"
+    env2.url = "http://fail.test"
+    env2.username = "admin"
+    env2.password = "admin"
+    env2.verify_ssl = False
+    env2.timeout = 30
+
+    cm = _make_sync_config_manager([_mock_env, env2])
+
+    with patch("src.api.routes.migration.SupersetClient") as MockClient, \
+         patch("src.api.routes.migration.IdMappingService") as MockService:
+        mock_service_instance = MagicMock()
+        mock_service_instance.sync_environment.side_effect = [None, RuntimeError("Connection refused")]
+        MockService.return_value = mock_service_instance
+        MockClient.return_value = MagicMock()
+
+        result = await trigger_sync_now(config_manager=cm, db=db_session, _=None)
+
+    assert result["synced_count"] == 1
+    assert result["failed_count"] == 1
+    assert result["details"]["failed"][0]["env_id"] == "test-env-2"
+
+
+@pytest.mark.asyncio
+async def test_trigger_sync_now_idempotent_env_upsert(db_session, _mock_env):
+    """Verify that calling sync twice doesn't duplicate the Environment row."""
+    from src.api.routes.migration import trigger_sync_now
+    from src.models.mapping import Environment as EnvironmentModel
+
+    cm = _make_sync_config_manager([_mock_env])
+
+    with patch("src.api.routes.migration.SupersetClient"), \
+         patch("src.api.routes.migration.IdMappingService"):
+        await trigger_sync_now(config_manager=cm, db=db_session, _=None)
+        await trigger_sync_now(config_manager=cm, db=db_session, _=None)
+
+    env_count = db_session.query(EnvironmentModel).filter_by(id="test-env-1").count()
+    assert env_count == 1
+
+
+# --- get_dashboards tests ---
+
+@pytest.mark.asyncio
+async def test_get_dashboards_success(_mock_env):
+    from src.api.routes.migration import get_dashboards
+    cm = _make_sync_config_manager([_mock_env])
+    
+    with patch("src.api.routes.migration.SupersetClient") as MockClient:
+        mock_client = MagicMock()
+        mock_client.get_dashboards_summary.return_value = [{"id": 1, "title": "Test"}]
+        MockClient.return_value = mock_client
+        
+        result = await get_dashboards(env_id="test-env-1", config_manager=cm, _=None)
+        assert len(result) == 1
+        assert result[0]["id"] == 1
+
+@pytest.mark.asyncio
+async def test_get_dashboards_invalid_env_raises_404(_mock_env):
+    from src.api.routes.migration import get_dashboards
+    cm = _make_sync_config_manager([_mock_env])
+    
+    with pytest.raises(HTTPException) as exc:
+        await get_dashboards(env_id="wrong-env", config_manager=cm, _=None)
+    assert exc.value.status_code == 404
+
+# --- execute_migration tests ---
+
+@pytest.mark.asyncio
+async def test_execute_migration_success(_mock_env):
+    from src.api.routes.migration import execute_migration
+    from src.models.dashboard import DashboardSelection
+    
+    cm = _make_sync_config_manager([_mock_env, _mock_env]) # Need both source/target
+    tm = MagicMock()
+    tm.create_task = AsyncMock(return_value=MagicMock(id="task-123"))
+    
+    selection = DashboardSelection(
+        source_env_id="test-env-1",
+        target_env_id="test-env-1",
+        selected_ids=[1, 2]
+    )
+    
+    result = await execute_migration(selection=selection, config_manager=cm, task_manager=tm, _=None)
+    assert result["task_id"] == "task-123"
+    tm.create_task.assert_called_once()
+
+@pytest.mark.asyncio
+async def test_execute_migration_invalid_env_raises_400(_mock_env):
+    from src.api.routes.migration import execute_migration
+    from src.models.dashboard import DashboardSelection
+    
+    cm = _make_sync_config_manager([_mock_env])
+    selection = DashboardSelection(
+        source_env_id="test-env-1",
+        target_env_id="non-existent",
+        selected_ids=[1]
+    )
+    
+    with pytest.raises(HTTPException) as exc:
+        await execute_migration(selection=selection, config_manager=cm, task_manager=MagicMock(), _=None)
+    assert exc.value.status_code == 400
+
+
+@pytest.mark.asyncio
+async def test_dry_run_migration_returns_diff_and_risk(db_session):
+    # @TEST_EDGE: missing_target_datasource -> validates high risk item generation
+    # @TEST_EDGE: breaking_reference -> validates high risk on missing dataset link
+    from src.api.routes.migration import dry_run_migration
+    from src.models.dashboard import DashboardSelection
+
+    env_source = MagicMock()
+    env_source.id = "src"
+    env_source.name = "Source"
+    env_source.url = "http://source"
+    env_source.username = "admin"
+    env_source.password = "admin"
+    env_source.verify_ssl = False
+    env_source.timeout = 30
+
+    env_target = MagicMock()
+    env_target.id = "tgt"
+    env_target.name = "Target"
+    env_target.url = "http://target"
+    env_target.username = "admin"
+    env_target.password = "admin"
+    env_target.verify_ssl = False
+    env_target.timeout = 30
+
+    cm = _make_sync_config_manager([env_source, env_target])
+    selection = DashboardSelection(
+        selected_ids=[42],
+        source_env_id="src",
+        target_env_id="tgt",
+        replace_db_config=False,
+        fix_cross_filters=True,
+    )
+
+    with patch("src.api.routes.migration.SupersetClient") as MockClient, \
+         patch("src.api.routes.migration.MigrationDryRunService") as MockService:
+        source_client = MagicMock()
+        target_client = MagicMock()
+        MockClient.side_effect = [source_client, target_client]
+
+        service_instance = MagicMock()
+        service_payload = {
+            "generated_at": "2026-02-27T00:00:00+00:00",
+            "selection": selection.model_dump(),
+            "selected_dashboard_titles": ["Sales"],
+            "diff": {
+                "dashboards": {"create": [], "update": [{"uuid": "dash-1"}], "delete": []},
+                "charts": {"create": [{"uuid": "chart-1"}], "update": [], "delete": []},
+                "datasets": {"create": [{"uuid": "dataset-1"}], "update": [], "delete": []},
+            },
+            "summary": {
+                "dashboards": {"create": 0, "update": 1, "delete": 0},
+                "charts": {"create": 1, "update": 0, "delete": 0},
+                "datasets": {"create": 1, "update": 0, "delete": 0},
+                "selected_dashboards": 1,
+            },
+            "risk": {
+                "score": 75,
+                "level": "high",
+                "items": [
+                    {"code": "missing_datasource"},
+                    {"code": "breaking_reference"},
+                ],
+            },
+        }
+        service_instance.run.return_value = service_payload
+        MockService.return_value = service_instance
+
+        result = await dry_run_migration(selection=selection, config_manager=cm, db=db_session, _=None)
+
+    assert result["summary"]["dashboards"]["update"] == 1
+    assert result["summary"]["charts"]["create"] == 1
+    assert result["summary"]["datasets"]["create"] == 1
+    assert result["risk"]["score"] > 0
+    assert any(item["code"] == "missing_datasource" for item in result["risk"]["items"])
+    assert any(item["code"] == "breaking_reference" for item in result["risk"]["items"])
+
+
+@pytest.mark.asyncio
+async def test_dry_run_migration_rejects_same_environment(db_session):
+    from src.api.routes.migration import dry_run_migration
+    from src.models.dashboard import DashboardSelection
+
+    env = MagicMock()
+    env.id = "same"
+    env.name = "Same"
+    env.url = "http://same"
+    env.username = "admin"
+    env.password = "admin"
+    env.verify_ssl = False
+    env.timeout = 30
+
+    cm = _make_sync_config_manager([env])
+    selection = DashboardSelection(selected_ids=[1], source_env_id="same", target_env_id="same")
+
+    with pytest.raises(HTTPException) as exc:
+        await dry_run_migration(selection=selection, config_manager=cm, db=db_session, _=None)
+    assert exc.value.status_code == 400
+
+
+# [/DEF:backend.src.api.routes.__tests__.test_migration_routes:Module]

backend/src/api/routes/__tests__/test_profile_api.py

@@ -0,0 +1,293 @@
+# [DEF:backend.src.api.routes.__tests__.test_profile_api:Module]
+# @TIER: STANDARD
+# @SEMANTICS: tests, profile, api, preferences, lookup, contract
+# @PURPOSE: Verifies profile API route contracts for preference read/update and Superset account lookup.
+# @LAYER: API
+# @RELATION: TESTS -> backend.src.api.routes.profile
+
+# [SECTION: IMPORTS]
+from datetime import datetime, timezone
+from unittest.mock import MagicMock, patch
+
+from fastapi.testclient import TestClient
+
+from src.app import app
+from src.core.database import get_db
+from src.dependencies import get_config_manager, get_current_user
+from src.schemas.profile import (
+    ProfilePermissionState,
+    ProfilePreference,
+    ProfilePreferenceResponse,
+    ProfileSecuritySummary,
+    SupersetAccountCandidate,
+    SupersetAccountLookupResponse,
+)
+from src.services.profile_service import (
+    EnvironmentNotFoundError,
+    ProfileAuthorizationError,
+    ProfileValidationError,
+)
+# [/SECTION]
+
+
+client = TestClient(app)
+
+
+# [DEF:mock_profile_route_dependencies:Function]
+# @PURPOSE: Provides deterministic dependency overrides for profile route tests.
+# @PRE: App instance is initialized.
+# @POST: Dependencies are overridden for current test and restored afterward.
+def mock_profile_route_dependencies():
+    mock_user = MagicMock()
+    mock_user.id = "u-1"
+    mock_user.username = "test-user"
+
+    mock_db = MagicMock()
+    mock_config_manager = MagicMock()
+
+    app.dependency_overrides[get_current_user] = lambda: mock_user
+    app.dependency_overrides[get_db] = lambda: mock_db
+    app.dependency_overrides[get_config_manager] = lambda: mock_config_manager
+
+    return mock_user, mock_db, mock_config_manager
+# [/DEF:mock_profile_route_dependencies:Function]
+
+
+# [DEF:profile_route_deps_fixture:Function]
+# @PURPOSE: Pytest fixture wrapper for profile route dependency overrides.
+# @PRE: None.
+# @POST: Yields overridden dependencies and clears overrides after test.
+import pytest
+
+
+@pytest.fixture(autouse=True)
+def profile_route_deps_fixture():
+    yielded = mock_profile_route_dependencies()
+    yield yielded
+    app.dependency_overrides.clear()
+# [/DEF:profile_route_deps_fixture:Function]
+
+
+# [DEF:_build_preference_response:Function]
+# @PURPOSE: Builds stable profile preference response payload for route tests.
+# @PRE: user_id is provided.
+# @POST: Returns ProfilePreferenceResponse object with deterministic timestamps.
+def _build_preference_response(user_id: str = "u-1") -> ProfilePreferenceResponse:
+    now = datetime.now(timezone.utc)
+    return ProfilePreferenceResponse(
+        status="success",
+        message="Preference loaded",
+        preference=ProfilePreference(
+            user_id=user_id,
+            superset_username="John_Doe",
+            superset_username_normalized="john_doe",
+            show_only_my_dashboards=True,
+            git_username="ivan.ivanov",
+            git_email="ivan@company.local",
+            has_git_personal_access_token=True,
+            git_personal_access_token_masked="iv***al",
+            start_page="reports",
+            auto_open_task_drawer=False,
+            dashboards_table_density="compact",
+            created_at=now,
+            updated_at=now,
+        ),
+        security=ProfileSecuritySummary(
+            read_only=True,
+            auth_source="adfs",
+            current_role="Data Engineer",
+            role_source="adfs",
+            roles=["Data Engineer"],
+            permissions=[
+                ProfilePermissionState(key="migration:run", allowed=True),
+                ProfilePermissionState(key="admin:users", allowed=False),
+            ],
+        ),
+    )
+# [/DEF:_build_preference_response:Function]
+
+
+# [DEF:test_get_profile_preferences_returns_self_payload:Function]
+# @PURPOSE: Verifies GET /api/profile/preferences returns stable self-scoped payload.
+# @PRE: Authenticated user context is available.
+# @POST: Response status is 200 and payload contains current user preference.
+def test_get_profile_preferences_returns_self_payload(profile_route_deps_fixture):
+    mock_user, _, _ = profile_route_deps_fixture
+    service = MagicMock()
+    service.get_my_preference.return_value = _build_preference_response(user_id=mock_user.id)
+
+    with patch("src.api.routes.profile._get_profile_service", return_value=service):
+        response = client.get("/api/profile/preferences")
+
+    assert response.status_code == 200
+    payload = response.json()
+    assert payload["status"] == "success"
+    assert payload["preference"]["user_id"] == mock_user.id
+    assert payload["preference"]["superset_username_normalized"] == "john_doe"
+    assert payload["preference"]["git_username"] == "ivan.ivanov"
+    assert payload["preference"]["git_email"] == "ivan@company.local"
+    assert payload["preference"]["has_git_personal_access_token"] is True
+    assert payload["preference"]["git_personal_access_token_masked"] == "iv***al"
+    assert payload["preference"]["start_page"] == "reports"
+    assert payload["preference"]["auto_open_task_drawer"] is False
+    assert payload["preference"]["dashboards_table_density"] == "compact"
+    assert payload["security"]["read_only"] is True
+    assert payload["security"]["current_role"] == "Data Engineer"
+    assert payload["security"]["permissions"][0]["key"] == "migration:run"
+    service.get_my_preference.assert_called_once_with(mock_user)
+# [/DEF:test_get_profile_preferences_returns_self_payload:Function]
+
+
+# [DEF:test_patch_profile_preferences_success:Function]
+# @PURPOSE: Verifies PATCH /api/profile/preferences persists valid payload through route mapping.
+# @PRE: Valid request payload and authenticated user.
+# @POST: Response status is 200 with saved preference payload.
+def test_patch_profile_preferences_success(profile_route_deps_fixture):
+    mock_user, _, _ = profile_route_deps_fixture
+    service = MagicMock()
+    service.update_my_preference.return_value = _build_preference_response(user_id=mock_user.id)
+
+    with patch("src.api.routes.profile._get_profile_service", return_value=service):
+        response = client.patch(
+            "/api/profile/preferences",
+            json={
+                "superset_username": "John_Doe",
+                "show_only_my_dashboards": True,
+                "git_username": "ivan.ivanov",
+                "git_email": "ivan@company.local",
+                "git_personal_access_token": "ghp_1234567890",
+                "start_page": "reports-logs",
+                "auto_open_task_drawer": False,
+                "dashboards_table_density": "free",
+            },
+        )
+
+    assert response.status_code == 200
+    payload = response.json()
+    assert payload["status"] == "success"
+    assert payload["preference"]["superset_username"] == "John_Doe"
+    assert payload["preference"]["show_only_my_dashboards"] is True
+    assert payload["preference"]["git_username"] == "ivan.ivanov"
+    assert payload["preference"]["git_email"] == "ivan@company.local"
+    assert payload["preference"]["start_page"] == "reports"
+    assert payload["preference"]["auto_open_task_drawer"] is False
+    assert payload["preference"]["dashboards_table_density"] == "compact"
+    service.update_my_preference.assert_called_once()
+
+    called_kwargs = service.update_my_preference.call_args.kwargs
+    assert called_kwargs["current_user"] == mock_user
+    assert called_kwargs["payload"].git_username == "ivan.ivanov"
+    assert called_kwargs["payload"].git_email == "ivan@company.local"
+    assert called_kwargs["payload"].git_personal_access_token == "ghp_1234567890"
+    assert called_kwargs["payload"].start_page == "reports-logs"
+    assert called_kwargs["payload"].auto_open_task_drawer is False
+    assert called_kwargs["payload"].dashboards_table_density == "free"
+# [/DEF:test_patch_profile_preferences_success:Function]
+
+
+# [DEF:test_patch_profile_preferences_validation_error:Function]
+# @PURPOSE: Verifies route maps domain validation failure to HTTP 422 with actionable details.
+# @PRE: Service raises ProfileValidationError.
+# @POST: Response status is 422 and includes validation messages.
+def test_patch_profile_preferences_validation_error(profile_route_deps_fixture):
+    service = MagicMock()
+    service.update_my_preference.side_effect = ProfileValidationError(
+        ["Superset username is required when default filter is enabled."]
+    )
+
+    with patch("src.api.routes.profile._get_profile_service", return_value=service):
+        response = client.patch(
+            "/api/profile/preferences",
+            json={
+                "superset_username": "",
+                "show_only_my_dashboards": True,
+            },
+        )
+
+    assert response.status_code == 422
+    payload = response.json()
+    assert "detail" in payload
+    assert "Superset username is required when default filter is enabled." in payload["detail"]
+# [/DEF:test_patch_profile_preferences_validation_error:Function]
+
+
+# [DEF:test_patch_profile_preferences_cross_user_denied:Function]
+# @PURPOSE: Verifies route maps domain authorization guard failure to HTTP 403.
+# @PRE: Service raises ProfileAuthorizationError.
+# @POST: Response status is 403 with denial message.
+def test_patch_profile_preferences_cross_user_denied(profile_route_deps_fixture):
+    service = MagicMock()
+    service.update_my_preference.side_effect = ProfileAuthorizationError(
+        "Cross-user preference mutation is forbidden"
+    )
+
+    with patch("src.api.routes.profile._get_profile_service", return_value=service):
+        response = client.patch(
+            "/api/profile/preferences",
+            json={
+                "superset_username": "john_doe",
+                "show_only_my_dashboards": True,
+            },
+        )
+
+    assert response.status_code == 403
+    payload = response.json()
+    assert payload["detail"] == "Cross-user preference mutation is forbidden"
+# [/DEF:test_patch_profile_preferences_cross_user_denied:Function]
+
+
+# [DEF:test_lookup_superset_accounts_success:Function]
+# @PURPOSE: Verifies lookup route returns success payload with normalized candidates.
+# @PRE: Valid environment_id and service success response.
+# @POST: Response status is 200 and items list is returned.
+def test_lookup_superset_accounts_success(profile_route_deps_fixture):
+    service = MagicMock()
+    service.lookup_superset_accounts.return_value = SupersetAccountLookupResponse(
+        status="success",
+        environment_id="dev",
+        page_index=0,
+        page_size=20,
+        total=1,
+        warning=None,
+        items=[
+            SupersetAccountCandidate(
+                environment_id="dev",
+                username="john_doe",
+                display_name="John Doe",
+                email="john@example.local",
+                is_active=True,
+            )
+        ],
+    )
+
+    with patch("src.api.routes.profile._get_profile_service", return_value=service):
+        response = client.get("/api/profile/superset-accounts?environment_id=dev")
+
+    assert response.status_code == 200
+    payload = response.json()
+    assert payload["status"] == "success"
+    assert payload["environment_id"] == "dev"
+    assert payload["total"] == 1
+    assert payload["items"][0]["username"] == "john_doe"
+# [/DEF:test_lookup_superset_accounts_success:Function]
+
+
+# [DEF:test_lookup_superset_accounts_env_not_found:Function]
+# @PURPOSE: Verifies lookup route maps missing environment to HTTP 404.
+# @PRE: Service raises EnvironmentNotFoundError.
+# @POST: Response status is 404 with explicit message.
+def test_lookup_superset_accounts_env_not_found(profile_route_deps_fixture):
+    service = MagicMock()
+    service.lookup_superset_accounts.side_effect = EnvironmentNotFoundError(
+        "Environment 'missing-env' not found"
+    )
+
+    with patch("src.api.routes.profile._get_profile_service", return_value=service):
+        response = client.get("/api/profile/superset-accounts?environment_id=missing-env")
+
+    assert response.status_code == 404
+    payload = response.json()
+    assert payload["detail"] == "Environment 'missing-env' not found"
+# [/DEF:test_lookup_superset_accounts_env_not_found:Function]
+
+# [/DEF:backend.src.api.routes.__tests__.test_profile_api:Module]

backend/src/api/routes/__tests__/test_reports_api.py

@@ -1,5 +1,5 @@
 # [DEF:backend.tests.test_reports_api:Module]
-# @TIER: CRITICAL
+# @TIER: STANDARD
 # @SEMANTICS: tests, reports, api, contract, pagination, filtering
 # @PURPOSE: Contract tests for GET /api/reports defaults, pagination, and filtering behavior.
 # @LAYER: Domain (Tests)

backend/src/api/routes/__tests__/test_reports_detail_api.py

@@ -1,9 +1,10 @@
 # [DEF:backend.tests.test_reports_detail_api:Module]
-# @TIER: CRITICAL
+# @TIER: STANDARD
 # @SEMANTICS: tests, reports, api, detail, diagnostics
 # @PURPOSE: Contract tests for GET /api/reports/{report_id} detail endpoint behavior.
 # @LAYER: Domain (Tests)
 # @RELATION: TESTS -> backend.src.api.routes.reports
+# @INVARIANT: Detail endpoint tests must keep deterministic assertions for success and not-found contracts.
 
 from datetime import datetime, timedelta
 from types import SimpleNamespace

backend/src/api/routes/__tests__/test_reports_openapi_conformance.py

@@ -1,5 +1,5 @@
 # [DEF:backend.tests.test_reports_openapi_conformance:Module]
-# @TIER: CRITICAL
+# @TIER: STANDARD
 # @SEMANTICS: tests, reports, openapi, conformance
 # @PURPOSE: Validate implemented reports payload shape against OpenAPI-required top-level contract fields.
 # @LAYER: Domain (Tests)

backend/src/api/routes/__tests__/test_tasks_logs.py

@@ -0,0 +1,73 @@
+# [DEF:__tests__/test_tasks_logs:Module]
+# @RELATION: VERIFIES -> ../tasks.py
+# @PURPOSE: Contract testing for task logs API endpoints.
+# [/DEF:__tests__/test_tasks_logs:Module]
+
+import pytest
+from fastapi import FastAPI
+from fastapi.testclient import TestClient
+from unittest.mock import MagicMock
+from src.dependencies import get_task_manager, has_permission
+from src.api.routes.tasks import router
+
+# @TEST_FIXTURE: mock_app
+@pytest.fixture
+def client():
+    app = FastAPI()
+    app.include_router(router, prefix="/tasks")
+    
+    # Mock TaskManager
+    mock_tm = MagicMock()
+    app.dependency_overrides[get_task_manager] = lambda: mock_tm
+    
+    # Mock permissions (bypass for unit test)
+    app.dependency_overrides[has_permission("tasks", "READ")] = lambda: True
+    
+    return TestClient(app), mock_tm
+
+# @TEST_CONTRACT: get_task_logs_api -> Invariants
+# @TEST_FIXTURE: valid_task_logs_request
+def test_get_task_logs_success(client):
+    tc, tm = client
+    
+    # Setup mock task
+    mock_task = MagicMock()
+    tm.get_task.return_value = mock_task
+    tm.get_task_logs.return_value = [{"level": "INFO", "message": "msg1"}]
+    
+    response = tc.get("/tasks/task-1/logs?level=INFO")
+    
+    assert response.status_code == 200
+    assert response.json() == [{"level": "INFO", "message": "msg1"}]
+    tm.get_task.assert_called_with("task-1")
+    # Verify filter construction inside route
+    args = tm.get_task_logs.call_args
+    assert args[0][0] == "task-1"
+    assert args[0][1].level == "INFO"
+
+# @TEST_EDGE: task_not_found
+def test_get_task_logs_not_found(client):
+    tc, tm = client
+    tm.get_task.return_value = None
+    
+    response = tc.get("/tasks/missing/logs")
+    assert response.status_code == 404
+    assert response.json()["detail"] == "Task not found"
+
+# @TEST_EDGE: invalid_limit
+def test_get_task_logs_invalid_limit(client):
+    tc, tm = client
+    # limit=0 is ge=1 in Query
+    response = tc.get("/tasks/task-1/logs?limit=0")
+    assert response.status_code == 422
+
+# @TEST_INVARIANT: response_purity
+def test_get_task_log_stats_success(client):
+    tc, tm = client
+    tm.get_task.return_value = MagicMock()
+    tm.get_task_log_stats.return_value = {"INFO": 5, "ERROR": 1}
+    
+    response = tc.get("/tasks/task-1/logs/stats")
+    assert response.status_code == 200
+    # response_model=LogStats might wrap this, but let's check basic structure
+    # assuming tm.get_task_log_stats returns something compatible with LogStats

backend/src/api/routes/admin.py

@@ -22,8 +22,12 @@ from ...schemas.auth import (
     ADGroupMappingSchema, ADGroupMappingCreate
 )
 from ...models.auth import User, Role, ADGroupMapping
-from ...dependencies import has_permission
+from ...dependencies import has_permission, get_plugin_loader
 from ...core.logger import logger, belief_scope
+from ...services.rbac_permission_catalog import (
+    discover_declared_permissions,
+    sync_permission_catalog,
+)
 # [/SECTION]
 
 # [DEF:router:Variable]
@@ -270,9 +274,18 @@ async def delete_role(
 @router.get("/permissions", response_model=List[PermissionSchema])
 async def list_permissions(
     db: Session = Depends(get_auth_db),
+    plugin_loader = Depends(get_plugin_loader),
     _ = Depends(has_permission("admin:roles", "READ"))
 ):
     with belief_scope("api.admin.list_permissions"):
+        declared_permissions = discover_declared_permissions(plugin_loader=plugin_loader)
+        inserted_count = sync_permission_catalog(db=db, declared_permissions=declared_permissions)
+        if inserted_count > 0:
+            logger.info(
+                "[api.admin.list_permissions][Action] Synchronized %s missing RBAC permissions into auth catalog",
+                inserted_count,
+            )
+
         repo = AuthRepository(db)
         return repo.list_permissions()
 # [/DEF:list_permissions:Function]

backend/src/api/routes/clean_release.py

@@ -0,0 +1,445 @@
+# [DEF:backend.src.api.routes.clean_release:Module]
+# @TIER: STANDARD
+# @SEMANTICS: api, clean-release, candidate-preparation, compliance
+# @PURPOSE: Expose clean release endpoints for candidate preparation and subsequent compliance flow.
+# @LAYER: API
+# @RELATION: DEPENDS_ON -> backend.src.dependencies.get_clean_release_repository
+# @RELATION: DEPENDS_ON -> backend.src.services.clean_release.preparation_service
+# @INVARIANT: API never reports prepared status if preparation errors are present.
+
+from __future__ import annotations
+
+from datetime import datetime, timezone
+from typing import Any, Dict, List
+
+from fastapi import APIRouter, Depends, HTTPException, status
+from pydantic import BaseModel, Field
+
+from ...core.logger import belief_scope, logger
+from ...dependencies import get_clean_release_repository, get_config_manager
+from ...services.clean_release.preparation_service import prepare_candidate
+from ...services.clean_release.repository import CleanReleaseRepository
+from ...services.clean_release.compliance_orchestrator import CleanComplianceOrchestrator
+from ...services.clean_release.report_builder import ComplianceReportBuilder
+from ...services.clean_release.compliance_execution_service import ComplianceExecutionService, ComplianceRunError
+from ...services.clean_release.dto import CandidateDTO, ManifestDTO, CandidateOverviewDTO, ComplianceRunDTO
+from ...services.clean_release.enums import (
+    ComplianceDecision,
+    ComplianceStageName,
+    ViolationCategory,
+    ViolationSeverity,
+    RunStatus,
+    CandidateStatus,
+)
+from ...models.clean_release import (
+    ComplianceRun,
+    ComplianceStageRun,
+    ComplianceViolation,
+    CandidateArtifact,
+    ReleaseCandidate,
+)
+
+router = APIRouter(prefix="/api/clean-release", tags=["Clean Release"])
+
+
+# [DEF:PrepareCandidateRequest:Class]
+# @PURPOSE: Request schema for candidate preparation endpoint.
+class PrepareCandidateRequest(BaseModel):
+    candidate_id: str = Field(min_length=1)
+    artifacts: List[Dict[str, Any]] = Field(default_factory=list)
+    sources: List[str] = Field(default_factory=list)
+    operator_id: str = Field(min_length=1)
+# [/DEF:PrepareCandidateRequest:Class]
+
+
+# [DEF:StartCheckRequest:Class]
+# @PURPOSE: Request schema for clean compliance check run startup.
+class StartCheckRequest(BaseModel):
+    candidate_id: str = Field(min_length=1)
+    profile: str = Field(default="enterprise-clean")
+    execution_mode: str = Field(default="tui")
+    triggered_by: str = Field(default="system")
+# [/DEF:StartCheckRequest:Class]
+
+
+# [DEF:RegisterCandidateRequest:Class]
+# @PURPOSE: Request schema for candidate registration endpoint.
+class RegisterCandidateRequest(BaseModel):
+    id: str = Field(min_length=1)
+    version: str = Field(min_length=1)
+    source_snapshot_ref: str = Field(min_length=1)
+    created_by: str = Field(min_length=1)
+# [/DEF:RegisterCandidateRequest:Class]
+
+
+# [DEF:ImportArtifactsRequest:Class]
+# @PURPOSE: Request schema for candidate artifact import endpoint.
+class ImportArtifactsRequest(BaseModel):
+    artifacts: List[Dict[str, Any]] = Field(default_factory=list)
+# [/DEF:ImportArtifactsRequest:Class]
+
+
+# [DEF:BuildManifestRequest:Class]
+# @PURPOSE: Request schema for manifest build endpoint.
+class BuildManifestRequest(BaseModel):
+    created_by: str = Field(default="system")
+# [/DEF:BuildManifestRequest:Class]
+
+
+# [DEF:CreateComplianceRunRequest:Class]
+# @PURPOSE: Request schema for compliance run creation with optional manifest pinning.
+class CreateComplianceRunRequest(BaseModel):
+    requested_by: str = Field(min_length=1)
+    manifest_id: str | None = None
+# [/DEF:CreateComplianceRunRequest:Class]
+
+
+# [DEF:register_candidate_v2_endpoint:Function]
+# @PURPOSE: Register a clean-release candidate for headless lifecycle.
+# @PRE: Candidate identifier is unique.
+# @POST: Candidate is persisted in DRAFT status.
+@router.post("/candidates", response_model=CandidateDTO, status_code=status.HTTP_201_CREATED)
+async def register_candidate_v2_endpoint(
+    payload: RegisterCandidateRequest,
+    repository: CleanReleaseRepository = Depends(get_clean_release_repository),
+):
+    existing = repository.get_candidate(payload.id)
+    if existing is not None:
+        raise HTTPException(status_code=409, detail={"message": "Candidate already exists", "code": "CANDIDATE_EXISTS"})
+
+    candidate = ReleaseCandidate(
+        id=payload.id,
+        version=payload.version,
+        source_snapshot_ref=payload.source_snapshot_ref,
+        created_by=payload.created_by,
+        created_at=datetime.now(timezone.utc),
+        status=CandidateStatus.DRAFT.value,
+    )
+    repository.save_candidate(candidate)
+
+    return CandidateDTO(
+        id=candidate.id,
+        version=candidate.version,
+        source_snapshot_ref=candidate.source_snapshot_ref,
+        created_at=candidate.created_at,
+        created_by=candidate.created_by,
+        status=CandidateStatus(candidate.status),
+    )
+# [/DEF:register_candidate_v2_endpoint:Function]
+
+
+# [DEF:import_candidate_artifacts_v2_endpoint:Function]
+# @PURPOSE: Import candidate artifacts in headless flow.
+# @PRE: Candidate exists and artifacts array is non-empty.
+# @POST: Artifacts are persisted and candidate advances to PREPARED if it was DRAFT.
+@router.post("/candidates/{candidate_id}/artifacts")
+async def import_candidate_artifacts_v2_endpoint(
+    candidate_id: str,
+    payload: ImportArtifactsRequest,
+    repository: CleanReleaseRepository = Depends(get_clean_release_repository),
+):
+    candidate = repository.get_candidate(candidate_id)
+    if candidate is None:
+        raise HTTPException(status_code=404, detail={"message": "Candidate not found", "code": "CANDIDATE_NOT_FOUND"})
+    if not payload.artifacts:
+        raise HTTPException(status_code=400, detail={"message": "Artifacts list is required", "code": "ARTIFACTS_EMPTY"})
+
+    for artifact in payload.artifacts:
+        required = ("id", "path", "sha256", "size")
+        for field_name in required:
+            if field_name not in artifact:
+                raise HTTPException(
+                    status_code=400,
+                    detail={"message": f"Artifact missing field '{field_name}'", "code": "ARTIFACT_INVALID"},
+                )
+
+        artifact_model = CandidateArtifact(
+            id=str(artifact["id"]),
+            candidate_id=candidate_id,
+            path=str(artifact["path"]),
+            sha256=str(artifact["sha256"]),
+            size=int(artifact["size"]),
+            detected_category=artifact.get("detected_category"),
+            declared_category=artifact.get("declared_category"),
+            source_uri=artifact.get("source_uri"),
+            source_host=artifact.get("source_host"),
+            metadata_json=artifact.get("metadata_json", {}),
+        )
+        repository.save_artifact(artifact_model)
+
+    if candidate.status == CandidateStatus.DRAFT.value:
+        candidate.transition_to(CandidateStatus.PREPARED)
+        repository.save_candidate(candidate)
+
+    return {"status": "success"}
+# [/DEF:import_candidate_artifacts_v2_endpoint:Function]
+
+
+# [DEF:build_candidate_manifest_v2_endpoint:Function]
+# @PURPOSE: Build immutable manifest snapshot for prepared candidate.
+# @PRE: Candidate exists and has imported artifacts.
+# @POST: Returns created ManifestDTO with incremented version.
+@router.post("/candidates/{candidate_id}/manifests", response_model=ManifestDTO, status_code=status.HTTP_201_CREATED)
+async def build_candidate_manifest_v2_endpoint(
+    candidate_id: str,
+    payload: BuildManifestRequest,
+    repository: CleanReleaseRepository = Depends(get_clean_release_repository),
+):
+    from ...services.clean_release.manifest_service import build_manifest_snapshot
+
+    try:
+        manifest = build_manifest_snapshot(
+            repository=repository,
+            candidate_id=candidate_id,
+            created_by=payload.created_by,
+        )
+    except ValueError as exc:
+        raise HTTPException(status_code=400, detail={"message": str(exc), "code": "MANIFEST_BUILD_ERROR"})
+
+    return ManifestDTO(
+        id=manifest.id,
+        candidate_id=manifest.candidate_id,
+        manifest_version=manifest.manifest_version,
+        manifest_digest=manifest.manifest_digest,
+        artifacts_digest=manifest.artifacts_digest,
+        created_at=manifest.created_at,
+        created_by=manifest.created_by,
+        source_snapshot_ref=manifest.source_snapshot_ref,
+        content_json=manifest.content_json,
+    )
+# [/DEF:build_candidate_manifest_v2_endpoint:Function]
+
+
+# [DEF:get_candidate_overview_v2_endpoint:Function]
+# @PURPOSE: Return expanded candidate overview DTO for headless lifecycle visibility.
+# @PRE: Candidate exists.
+# @POST: Returns CandidateOverviewDTO built from the same repository state used by headless US1 endpoints.
+@router.get("/candidates/{candidate_id}/overview", response_model=CandidateOverviewDTO)
+async def get_candidate_overview_v2_endpoint(
+    candidate_id: str,
+    repository: CleanReleaseRepository = Depends(get_clean_release_repository),
+):
+    candidate = repository.get_candidate(candidate_id)
+    if candidate is None:
+        raise HTTPException(status_code=404, detail={"message": "Candidate not found", "code": "CANDIDATE_NOT_FOUND"})
+
+    manifests = repository.get_manifests_by_candidate(candidate_id)
+    latest_manifest = sorted(manifests, key=lambda m: m.manifest_version, reverse=True)[0] if manifests else None
+
+    runs = [run for run in repository.check_runs.values() if run.candidate_id == candidate_id]
+    latest_run = sorted(runs, key=lambda run: run.requested_at or datetime.min.replace(tzinfo=timezone.utc), reverse=True)[0] if runs else None
+
+    latest_report = None
+    if latest_run is not None:
+        latest_report = next((r for r in repository.reports.values() if r.run_id == latest_run.id), None)
+
+    latest_policy_snapshot = repository.get_policy(latest_run.policy_snapshot_id) if latest_run else None
+    latest_registry_snapshot = repository.get_registry(latest_run.registry_snapshot_id) if latest_run else None
+
+    approval_decisions = getattr(repository, "approval_decisions", [])
+    latest_approval = (
+        sorted(
+            [item for item in approval_decisions if item.candidate_id == candidate_id],
+            key=lambda item: item.decided_at or datetime.min.replace(tzinfo=timezone.utc),
+            reverse=True,
+        )[0]
+        if approval_decisions
+        and any(item.candidate_id == candidate_id for item in approval_decisions)
+        else None
+    )
+
+    publication_records = getattr(repository, "publication_records", [])
+    latest_publication = (
+        sorted(
+            [item for item in publication_records if item.candidate_id == candidate_id],
+            key=lambda item: item.published_at or datetime.min.replace(tzinfo=timezone.utc),
+            reverse=True,
+        )[0]
+        if publication_records
+        and any(item.candidate_id == candidate_id for item in publication_records)
+        else None
+    )
+
+    return CandidateOverviewDTO(
+        candidate_id=candidate.id,
+        version=candidate.version,
+        source_snapshot_ref=candidate.source_snapshot_ref,
+        status=CandidateStatus(candidate.status),
+        latest_manifest_id=latest_manifest.id if latest_manifest else None,
+        latest_manifest_digest=latest_manifest.manifest_digest if latest_manifest else None,
+        latest_run_id=latest_run.id if latest_run else None,
+        latest_run_status=RunStatus(latest_run.status) if latest_run else None,
+        latest_report_id=latest_report.id if latest_report else None,
+        latest_report_final_status=ComplianceDecision(latest_report.final_status) if latest_report else None,
+        latest_policy_snapshot_id=latest_policy_snapshot.id if latest_policy_snapshot else None,
+        latest_policy_version=latest_policy_snapshot.policy_version if latest_policy_snapshot else None,
+        latest_registry_snapshot_id=latest_registry_snapshot.id if latest_registry_snapshot else None,
+        latest_registry_version=latest_registry_snapshot.registry_version if latest_registry_snapshot else None,
+        latest_approval_decision=latest_approval.decision if latest_approval else None,
+        latest_publication_id=latest_publication.id if latest_publication else None,
+        latest_publication_status=latest_publication.status if latest_publication else None,
+    )
+# [/DEF:get_candidate_overview_v2_endpoint:Function]
+
+
+# [DEF:prepare_candidate_endpoint:Function]
+# @PURPOSE: Prepare candidate with policy evaluation and deterministic manifest generation.
+# @PRE: Candidate and active policy exist in repository.
+# @POST: Returns preparation result including manifest reference and violations.
+@router.post("/candidates/prepare")
+async def prepare_candidate_endpoint(
+    payload: PrepareCandidateRequest,
+    repository: CleanReleaseRepository = Depends(get_clean_release_repository),
+):
+    try:
+        result = prepare_candidate(
+            repository=repository,
+            candidate_id=payload.candidate_id,
+            artifacts=payload.artifacts,
+            sources=payload.sources,
+            operator_id=payload.operator_id,
+        )
+        return result
+    except ValueError as exc:
+        raise HTTPException(
+            status_code=status.HTTP_400_BAD_REQUEST,
+            detail={"message": str(exc), "code": "CLEAN_PREPARATION_ERROR"},
+        )
+# [/DEF:prepare_candidate_endpoint:Function]
+
+
+# [DEF:start_check:Function]
+# @PURPOSE: Start and finalize a clean compliance check run and persist report artifacts.
+# @PRE: Active policy and candidate exist.
+# @POST: Returns accepted payload with check_run_id and started_at.
+@router.post("/checks", status_code=status.HTTP_202_ACCEPTED)
+async def start_check(
+    payload: StartCheckRequest,
+    repository: CleanReleaseRepository = Depends(get_clean_release_repository),
+):
+    with belief_scope("clean_release.start_check"):
+        logger.reason("Starting clean-release compliance check run")
+        policy = repository.get_active_policy()
+        if policy is None:
+            raise HTTPException(status_code=409, detail={"message": "Active policy not found", "code": "POLICY_NOT_FOUND"})
+
+        candidate = repository.get_candidate(payload.candidate_id)
+        if candidate is None:
+            raise HTTPException(status_code=409, detail={"message": "Candidate not found", "code": "CANDIDATE_NOT_FOUND"})
+
+        manifests = repository.get_manifests_by_candidate(payload.candidate_id)
+        if not manifests:
+            raise HTTPException(status_code=409, detail={"message": "No manifest found for candidate", "code": "MANIFEST_NOT_FOUND"})
+        latest_manifest = sorted(manifests, key=lambda m: m.manifest_version, reverse=True)[0]
+
+        orchestrator = CleanComplianceOrchestrator(repository)
+        run = orchestrator.start_check_run(
+            candidate_id=payload.candidate_id,
+            policy_id=policy.id,
+            requested_by=payload.triggered_by,
+            manifest_id=latest_manifest.id,
+        )
+
+        forced = [
+            ComplianceStageRun(
+                id=f"stage-{run.id}-1",
+                run_id=run.id,
+                stage_name=ComplianceStageName.DATA_PURITY.value,
+                status=RunStatus.SUCCEEDED.value,
+                decision=ComplianceDecision.PASSED.value,
+                details_json={"message": "ok"}
+            ),
+            ComplianceStageRun(
+                id=f"stage-{run.id}-2",
+                run_id=run.id,
+                stage_name=ComplianceStageName.INTERNAL_SOURCES_ONLY.value,
+                status=RunStatus.SUCCEEDED.value,
+                decision=ComplianceDecision.PASSED.value,
+                details_json={"message": "ok"}
+            ),
+            ComplianceStageRun(
+                id=f"stage-{run.id}-3",
+                run_id=run.id,
+                stage_name=ComplianceStageName.NO_EXTERNAL_ENDPOINTS.value,
+                status=RunStatus.SUCCEEDED.value,
+                decision=ComplianceDecision.PASSED.value,
+                details_json={"message": "ok"}
+            ),
+            ComplianceStageRun(
+                id=f"stage-{run.id}-4",
+                run_id=run.id,
+                stage_name=ComplianceStageName.MANIFEST_CONSISTENCY.value,
+                status=RunStatus.SUCCEEDED.value,
+                decision=ComplianceDecision.PASSED.value,
+                details_json={"message": "ok"}
+            ),
+        ]
+        run = orchestrator.execute_stages(run, forced_results=forced)
+        run = orchestrator.finalize_run(run)
+
+        if run.final_status == ComplianceDecision.BLOCKED.value:
+            logger.explore("Run ended as BLOCKED, persisting synthetic external-source violation")
+            violation = ComplianceViolation(
+                id=f"viol-{run.id}",
+                run_id=run.id,
+                stage_name=ComplianceStageName.NO_EXTERNAL_ENDPOINTS.value,
+                code="EXTERNAL_SOURCE_DETECTED",
+                severity=ViolationSeverity.CRITICAL.value,
+                message="Replace with approved internal server",
+                evidence_json={"location": "external.example.com"}
+            )
+            repository.save_violation(violation)
+
+        builder = ComplianceReportBuilder(repository)
+        report = builder.build_report_payload(run, repository.get_violations_by_run(run.id))
+        builder.persist_report(report)
+        logger.reflect(f"Compliance report persisted for run_id={run.id}")
+
+        return {
+            "check_run_id": run.id,
+            "candidate_id": run.candidate_id,
+            "status": "running",
+            "started_at": run.started_at.isoformat() if run.started_at else None,
+        }
+# [/DEF:start_check:Function]
+
+
+# [DEF:get_check_status:Function]
+# @PURPOSE: Return terminal/intermediate status payload for a check run.
+# @PRE: check_run_id references an existing run.
+# @POST: Deterministic payload shape includes checks and violations arrays.
+@router.get("/checks/{check_run_id}")
+async def get_check_status(check_run_id: str, repository: CleanReleaseRepository = Depends(get_clean_release_repository)):
+    with belief_scope("clean_release.get_check_status"):
+        run = repository.get_check_run(check_run_id)
+        if run is None:
+            raise HTTPException(status_code=404, detail={"message": "Check run not found", "code": "CHECK_NOT_FOUND"})
+
+        logger.reflect(f"Returning check status for check_run_id={check_run_id}")
+        return {
+            "check_run_id": run.id,
+            "candidate_id": run.candidate_id,
+            "final_status": run.final_status,
+            "started_at": run.started_at.isoformat() if run.started_at else None,
+            "finished_at": run.finished_at.isoformat() if run.finished_at else None,
+            "checks": [], # TODO: Map stages if needed
+            "violations": [], # TODO: Map violations if needed
+        }
+# [/DEF:get_check_status:Function]
+
+
+# [DEF:get_report:Function]
+# @PURPOSE: Return persisted compliance report by report_id.
+# @PRE: report_id references an existing report.
+# @POST: Returns serialized report object.
+@router.get("/reports/{report_id}")
+async def get_report(report_id: str, repository: CleanReleaseRepository = Depends(get_clean_release_repository)):
+    with belief_scope("clean_release.get_report"):
+        report = repository.get_report(report_id)
+        if report is None:
+            raise HTTPException(status_code=404, detail={"message": "Report not found", "code": "REPORT_NOT_FOUND"})
+
+        logger.reflect(f"Returning compliance report report_id={report_id}")
+        return report.model_dump()
+# [/DEF:get_report:Function]
+# [/DEF:backend.src.api.routes.clean_release:Module]

backend/src/api/routes/clean_release_v2.py

@@ -0,0 +1,216 @@
+# [DEF:backend.src.api.routes.clean_release_v2:Module]
+# @TIER: STANDARD
+# @SEMANTICS: api, clean-release, v2, headless
+# @PURPOSE: Redesigned clean release API for headless candidate lifecycle.
+# @LAYER: API
+
+from fastapi import APIRouter, Depends, HTTPException, status
+from typing import List, Dict, Any
+from datetime import datetime, timezone
+from ...services.clean_release.approval_service import approve_candidate, reject_candidate
+from ...services.clean_release.publication_service import publish_candidate, revoke_publication
+from ...services.clean_release.repository import CleanReleaseRepository
+from ...dependencies import get_clean_release_repository
+from ...services.clean_release.enums import CandidateStatus
+from ...models.clean_release import ReleaseCandidate, CandidateArtifact, DistributionManifest
+from ...services.clean_release.dto import CandidateDTO, ManifestDTO
+
+router = APIRouter(prefix="/api/v2/clean-release", tags=["Clean Release V2"])
+
+
+class ApprovalRequest(dict):
+    pass
+
+
+class PublishRequest(dict):
+    pass
+
+
+class RevokeRequest(dict):
+    pass
+
+@router.post("/candidates", response_model=CandidateDTO, status_code=status.HTTP_201_CREATED)
+async def register_candidate(
+    payload: Dict[str, Any],
+    repository: CleanReleaseRepository = Depends(get_clean_release_repository)
+):
+    candidate = ReleaseCandidate(
+        id=payload["id"],
+        version=payload["version"],
+        source_snapshot_ref=payload["source_snapshot_ref"],
+        created_by=payload["created_by"],
+        created_at=datetime.now(timezone.utc),
+        status=CandidateStatus.DRAFT.value
+    )
+    repository.save_candidate(candidate)
+    return CandidateDTO(
+        id=candidate.id,
+        version=candidate.version,
+        source_snapshot_ref=candidate.source_snapshot_ref,
+        created_at=candidate.created_at,
+        created_by=candidate.created_by,
+        status=CandidateStatus(candidate.status)
+    )
+
+@router.post("/candidates/{candidate_id}/artifacts")
+async def import_artifacts(
+    candidate_id: str,
+    payload: Dict[str, Any],
+    repository: CleanReleaseRepository = Depends(get_clean_release_repository)
+):
+    candidate = repository.get_candidate(candidate_id)
+    if not candidate:
+        raise HTTPException(status_code=404, detail="Candidate not found")
+    
+    for art_data in payload.get("artifacts", []):
+        artifact = CandidateArtifact(
+            id=art_data["id"],
+            candidate_id=candidate_id,
+            path=art_data["path"],
+            sha256=art_data["sha256"],
+            size=art_data["size"]
+        )
+        # In a real repo we'd have save_artifact
+        # repository.save_artifact(artifact)
+        pass
+        
+    return {"status": "success"}
+
+@router.post("/candidates/{candidate_id}/manifests", response_model=ManifestDTO, status_code=status.HTTP_201_CREATED)
+async def build_manifest(
+    candidate_id: str,
+    repository: CleanReleaseRepository = Depends(get_clean_release_repository)
+):
+    candidate = repository.get_candidate(candidate_id)
+    if not candidate:
+        raise HTTPException(status_code=404, detail="Candidate not found")
+    
+    manifest = DistributionManifest(
+        id=f"manifest-{candidate_id}",
+        candidate_id=candidate_id,
+        manifest_version=1,
+        manifest_digest="hash-123",
+        artifacts_digest="art-hash-123",
+        created_by="system",
+        created_at=datetime.now(timezone.utc),
+        source_snapshot_ref=candidate.source_snapshot_ref,
+        content_json={"items": [], "summary": {}}
+    )
+    repository.save_manifest(manifest)
+    
+    return ManifestDTO(
+        id=manifest.id,
+        candidate_id=manifest.candidate_id,
+        manifest_version=manifest.manifest_version,
+        manifest_digest=manifest.manifest_digest,
+        artifacts_digest=manifest.artifacts_digest,
+        created_at=manifest.created_at,
+        created_by=manifest.created_by,
+        source_snapshot_ref=manifest.source_snapshot_ref,
+        content_json=manifest.content_json
+    )
+
+@router.post("/candidates/{candidate_id}/approve")
+async def approve_candidate_endpoint(
+    candidate_id: str,
+    payload: Dict[str, Any],
+    repository: CleanReleaseRepository = Depends(get_clean_release_repository),
+):
+    try:
+        decision = approve_candidate(
+            repository=repository,
+            candidate_id=candidate_id,
+            report_id=str(payload["report_id"]),
+            decided_by=str(payload["decided_by"]),
+            comment=payload.get("comment"),
+        )
+    except Exception as exc:  # noqa: BLE001
+        raise HTTPException(status_code=409, detail={"message": str(exc), "code": "APPROVAL_GATE_ERROR"})
+
+    return {"status": "ok", "decision": decision.decision, "decision_id": decision.id}
+
+
+@router.post("/candidates/{candidate_id}/reject")
+async def reject_candidate_endpoint(
+    candidate_id: str,
+    payload: Dict[str, Any],
+    repository: CleanReleaseRepository = Depends(get_clean_release_repository),
+):
+    try:
+        decision = reject_candidate(
+            repository=repository,
+            candidate_id=candidate_id,
+            report_id=str(payload["report_id"]),
+            decided_by=str(payload["decided_by"]),
+            comment=payload.get("comment"),
+        )
+    except Exception as exc:  # noqa: BLE001
+        raise HTTPException(status_code=409, detail={"message": str(exc), "code": "APPROVAL_GATE_ERROR"})
+
+    return {"status": "ok", "decision": decision.decision, "decision_id": decision.id}
+
+
+@router.post("/candidates/{candidate_id}/publish")
+async def publish_candidate_endpoint(
+    candidate_id: str,
+    payload: Dict[str, Any],
+    repository: CleanReleaseRepository = Depends(get_clean_release_repository),
+):
+    try:
+        publication = publish_candidate(
+            repository=repository,
+            candidate_id=candidate_id,
+            report_id=str(payload["report_id"]),
+            published_by=str(payload["published_by"]),
+            target_channel=str(payload["target_channel"]),
+            publication_ref=payload.get("publication_ref"),
+        )
+    except Exception as exc:  # noqa: BLE001
+        raise HTTPException(status_code=409, detail={"message": str(exc), "code": "PUBLICATION_GATE_ERROR"})
+
+    return {
+        "status": "ok",
+        "publication": {
+            "id": publication.id,
+            "candidate_id": publication.candidate_id,
+            "report_id": publication.report_id,
+            "published_by": publication.published_by,
+            "published_at": publication.published_at.isoformat() if publication.published_at else None,
+            "target_channel": publication.target_channel,
+            "publication_ref": publication.publication_ref,
+            "status": publication.status,
+        },
+    }
+
+
+@router.post("/publications/{publication_id}/revoke")
+async def revoke_publication_endpoint(
+    publication_id: str,
+    payload: Dict[str, Any],
+    repository: CleanReleaseRepository = Depends(get_clean_release_repository),
+):
+    try:
+        publication = revoke_publication(
+            repository=repository,
+            publication_id=publication_id,
+            revoked_by=str(payload["revoked_by"]),
+            comment=payload.get("comment"),
+        )
+    except Exception as exc:  # noqa: BLE001
+        raise HTTPException(status_code=409, detail={"message": str(exc), "code": "PUBLICATION_GATE_ERROR"})
+
+    return {
+        "status": "ok",
+        "publication": {
+            "id": publication.id,
+            "candidate_id": publication.candidate_id,
+            "report_id": publication.report_id,
+            "published_by": publication.published_by,
+            "published_at": publication.published_at.isoformat() if publication.published_at else None,
+            "target_channel": publication.target_channel,
+            "publication_ref": publication.publication_ref,
+            "status": publication.status,
+        },
+    }
+
+# [/DEF:backend.src.api.routes.clean_release_v2:Module]

backend/src/api/routes/environments.py

@@ -20,6 +20,18 @@ from ...core.logger import belief_scope
 
 router = APIRouter(prefix="/api/environments", tags=["Environments"])
 
+
+# [DEF:_normalize_superset_env_url:Function]
+# @PURPOSE: Canonicalize Superset environment URL to base host/path without trailing /api/v1.
+# @PRE: raw_url can be empty.
+# @POST: Returns normalized base URL.
+def _normalize_superset_env_url(raw_url: str) -> str:
+    normalized = str(raw_url or "").strip().rstrip("/")
+    if normalized.lower().endswith("/api/v1"):
+        normalized = normalized[:-len("/api/v1")]
+    return normalized.rstrip("/")
+# [/DEF:_normalize_superset_env_url:Function]
+
 # [DEF:ScheduleSchema:DataClass]
 class ScheduleSchema(BaseModel):
     enabled: bool = False
@@ -31,6 +43,8 @@ class EnvironmentResponse(BaseModel):
     id: str
     name: str
     url: str
+    stage: str = "DEV"
+    is_production: bool = False
     backup_schedule: Optional[ScheduleSchema] = None
 # [/DEF:EnvironmentResponse:DataClass]
 
@@ -58,17 +72,26 @@ async def get_environments(
     # Ensure envs is a list
     if not isinstance(envs, list):
         envs = []
-    return [
-        EnvironmentResponse(
-            id=e.id,
-            name=e.name,
-            url=e.url,
-            backup_schedule=ScheduleSchema(
-                enabled=e.backup_schedule.enabled,
-                cron_expression=e.backup_schedule.cron_expression
-            ) if getattr(e, 'backup_schedule', None) else None
-        ) for e in envs
-    ]
+    response_items = []
+    for e in envs:
+        resolved_stage = str(
+            getattr(e, "stage", "")
+            or ("PROD" if bool(getattr(e, "is_production", False)) else "DEV")
+        ).upper()
+        response_items.append(
+            EnvironmentResponse(
+                id=e.id,
+                name=e.name,
+                url=_normalize_superset_env_url(e.url),
+                stage=resolved_stage,
+                is_production=(resolved_stage == "PROD"),
+                backup_schedule=ScheduleSchema(
+                    enabled=e.backup_schedule.enabled,
+                    cron_expression=e.backup_schedule.cron_expression
+                ) if getattr(e, 'backup_schedule', None) else None
+            )
+        )
+    return response_items
 # [/DEF:get_environments:Function]
 
 # [DEF:update_environment_schedule:Function]

backend/src/api/routes/git_schemas.py

@@ -9,7 +9,7 @@
 # @INVARIANT: All schemas must be compatible with the FastAPI router.
 
 from pydantic import BaseModel, Field
-from typing import List, Optional
+from typing import Any, Dict, List, Optional
 from datetime import datetime
 from src.models.git import GitProvider, GitStatus, SyncStatus
 
@@ -21,14 +21,27 @@ class GitServerConfigBase(BaseModel):
     provider: GitProvider = Field(..., description="Git provider (GITHUB, GITLAB, GITEA)")
     url: str = Field(..., description="Server base URL")
     pat: str = Field(..., description="Personal Access Token")
+    pat: str = Field(..., description="Personal Access Token")
     default_repository: Optional[str] = Field(None, description="Default repository path (org/repo)")
+    default_branch: Optional[str] = Field("main", description="Default branch logic/name")
 # [/DEF:GitServerConfigBase:Class]
 
+# [DEF:GitServerConfigUpdate:Class]
+# @PURPOSE: Schema for updating an existing Git server configuration.
+class GitServerConfigUpdate(BaseModel):
+    name: Optional[str] = Field(None, description="Display name for the Git server")
+    provider: Optional[GitProvider] = Field(None, description="Git provider (GITHUB, GITLAB, GITEA)")
+    url: Optional[str] = Field(None, description="Server base URL")
+    pat: Optional[str] = Field(None, description="Personal Access Token")
+    default_repository: Optional[str] = Field(None, description="Default repository path (org/repo)")
+    default_branch: Optional[str] = Field(None, description="Default branch logic/name")
+# [/DEF:GitServerConfigUpdate:Class]
+
 # [DEF:GitServerConfigCreate:Class]
 # @PURPOSE: Schema for creating a new Git server configuration.
 class GitServerConfigCreate(GitServerConfigBase):
     """Schema for creating a new Git server configuration."""
-    pass
+    config_id: Optional[str] = Field(None, description="Optional config ID, useful for testing an existing config without sending its full PAT")
 # [/DEF:GitServerConfigCreate:Class]
 
 # [DEF:GitServerConfigSchema:Class]
@@ -113,6 +126,42 @@ class ConflictResolution(BaseModel):
     content: Optional[str] = None
 # [/DEF:ConflictResolution:Class]
 
+
+# [DEF:MergeStatusSchema:Class]
+# @PURPOSE: Schema representing unfinished merge status for repository.
+class MergeStatusSchema(BaseModel):
+    has_unfinished_merge: bool
+    repository_path: str
+    git_dir: str
+    current_branch: str
+    merge_head: Optional[str] = None
+    merge_message_preview: Optional[str] = None
+    conflicts_count: int = 0
+# [/DEF:MergeStatusSchema:Class]
+
+
+# [DEF:MergeConflictFileSchema:Class]
+# @PURPOSE: Schema describing one conflicted file with optional side snapshots.
+class MergeConflictFileSchema(BaseModel):
+    file_path: str
+    mine: Optional[str] = None
+    theirs: Optional[str] = None
+# [/DEF:MergeConflictFileSchema:Class]
+
+
+# [DEF:MergeResolveRequest:Class]
+# @PURPOSE: Request schema for resolving one or multiple merge conflicts.
+class MergeResolveRequest(BaseModel):
+    resolutions: List[ConflictResolution] = Field(default_factory=list)
+# [/DEF:MergeResolveRequest:Class]
+
+
+# [DEF:MergeContinueRequest:Class]
+# @PURPOSE: Request schema for finishing merge with optional explicit commit message.
+class MergeContinueRequest(BaseModel):
+    message: Optional[str] = None
+# [/DEF:MergeContinueRequest:Class]
+
 # [DEF:DeploymentEnvironmentSchema:Class]
 # @PURPOSE: Schema for representing a target deployment environment.
 class DeploymentEnvironmentSchema(BaseModel):
@@ -141,4 +190,104 @@ class RepoInitRequest(BaseModel):
     remote_url: str
 # [/DEF:RepoInitRequest:Class]
 
-# [/DEF:backend.src.api.routes.git_schemas:Module]
+
+# [DEF:RepositoryBindingSchema:Class]
+# @PURPOSE: Schema describing repository-to-config binding and provider metadata.
+class RepositoryBindingSchema(BaseModel):
+    dashboard_id: int
+    config_id: str
+    provider: GitProvider
+    remote_url: str
+    local_path: str
+# [/DEF:RepositoryBindingSchema:Class]
+
+# [DEF:RepoStatusBatchRequest:Class]
+# @PURPOSE: Schema for requesting repository statuses for multiple dashboards in a single call.
+class RepoStatusBatchRequest(BaseModel):
+    dashboard_ids: List[int] = Field(default_factory=list, description="Dashboard IDs to resolve repository statuses for")
+# [/DEF:RepoStatusBatchRequest:Class]
+
+
+# [DEF:RepoStatusBatchResponse:Class]
+# @PURPOSE: Schema for returning repository statuses keyed by dashboard ID.
+class RepoStatusBatchResponse(BaseModel):
+    statuses: Dict[str, Dict[str, Any]]
+# [/DEF:RepoStatusBatchResponse:Class]
+
+
+# [DEF:GiteaRepoSchema:Class]
+# @PURPOSE: Schema describing a Gitea repository.
+class GiteaRepoSchema(BaseModel):
+    name: str
+    full_name: str
+    private: bool = False
+    clone_url: Optional[str] = None
+    html_url: Optional[str] = None
+    ssh_url: Optional[str] = None
+    default_branch: Optional[str] = None
+# [/DEF:GiteaRepoSchema:Class]
+
+
+# [DEF:GiteaRepoCreateRequest:Class]
+# @PURPOSE: Request schema for creating a Gitea repository.
+class GiteaRepoCreateRequest(BaseModel):
+    name: str = Field(..., min_length=1, max_length=255)
+    private: bool = True
+    description: Optional[str] = None
+    auto_init: bool = True
+    default_branch: Optional[str] = "main"
+# [/DEF:GiteaRepoCreateRequest:Class]
+
+
+# [DEF:RemoteRepoSchema:Class]
+# @PURPOSE: Provider-agnostic remote repository payload.
+class RemoteRepoSchema(BaseModel):
+    provider: GitProvider
+    name: str
+    full_name: str
+    private: bool = False
+    clone_url: Optional[str] = None
+    html_url: Optional[str] = None
+    ssh_url: Optional[str] = None
+    default_branch: Optional[str] = None
+# [/DEF:RemoteRepoSchema:Class]
+
+
+# [DEF:RemoteRepoCreateRequest:Class]
+# @PURPOSE: Provider-agnostic repository creation request.
+class RemoteRepoCreateRequest(BaseModel):
+    name: str = Field(..., min_length=1, max_length=255)
+    private: bool = True
+    description: Optional[str] = None
+    auto_init: bool = True
+    default_branch: Optional[str] = "main"
+# [/DEF:RemoteRepoCreateRequest:Class]
+
+
+# [DEF:PromoteRequest:Class]
+# @PURPOSE: Request schema for branch promotion workflow.
+class PromoteRequest(BaseModel):
+    from_branch: str = Field(..., min_length=1, max_length=255)
+    to_branch: str = Field(..., min_length=1, max_length=255)
+    mode: str = Field(default="mr", pattern="^(mr|direct)$")
+    title: Optional[str] = None
+    description: Optional[str] = None
+    reason: Optional[str] = None
+    draft: bool = False
+    remove_source_branch: bool = False
+# [/DEF:PromoteRequest:Class]
+
+
+# [DEF:PromoteResponse:Class]
+# @PURPOSE: Response schema for promotion operation result.
+class PromoteResponse(BaseModel):
+    mode: str
+    from_branch: str
+    to_branch: str
+    status: str
+    url: Optional[str] = None
+    reference_id: Optional[str] = None
+    policy_violation: bool = False
+# [/DEF:PromoteResponse:Class]
+
+# [/DEF:backend.src.api.routes.git_schemas:Module]

backend/src/api/routes/llm.py

@@ -5,7 +5,7 @@
 # @LAYER: UI (API)
 
 from fastapi import APIRouter, Depends, HTTPException, status
-from typing import List
+from typing import List, Optional
 from ...core.logger import logger
 from ...schemas.auth import User
 from ...dependencies import get_current_user as get_current_active_user
@@ -19,6 +19,20 @@ from sqlalchemy.orm import Session
 router = APIRouter(tags=["LLM"])
 # [/DEF:router:Global]
 
+
+# [DEF:_is_valid_runtime_api_key:Function]
+# @PURPOSE: Validate decrypted runtime API key presence/shape.
+# @PRE: value can be None.
+# @POST: Returns True only for non-placeholder key.
+def _is_valid_runtime_api_key(value: Optional[str]) -> bool:
+    key = (value or "").strip()
+    if not key:
+        return False
+    if key in {"********", "EMPTY_OR_NONE"}:
+        return False
+    return len(key) >= 16
+# [/DEF:_is_valid_runtime_api_key:Function]
+
 # [DEF:get_providers:Function]
 # @PURPOSE: Retrieve all LLM provider configurations.
 # @PRE: User is authenticated.
@@ -47,6 +61,37 @@ async def get_providers(
     ]
 # [/DEF:get_providers:Function]
 
+
+# [DEF:get_llm_status:Function]
+# @PURPOSE: Returns whether LLM runtime is configured for dashboard validation.
+# @PRE: User is authenticated.
+# @POST: configured=true only when an active provider with valid decrypted key exists.
+@router.get("/status")
+async def get_llm_status(
+    current_user: User = Depends(get_current_active_user),
+    db: Session = Depends(get_db)
+):
+    service = LLMProviderService(db)
+    providers = service.get_all_providers()
+    active_provider = next((p for p in providers if p.is_active), None)
+
+    if not active_provider:
+        return {"configured": False, "reason": "no_active_provider"}
+
+    api_key = service.get_decrypted_api_key(active_provider.id)
+    if not _is_valid_runtime_api_key(api_key):
+        return {"configured": False, "reason": "invalid_api_key"}
+
+    return {
+        "configured": True,
+        "reason": "ok",
+        "provider_id": active_provider.id,
+        "provider_name": active_provider.name,
+        "provider_type": active_provider.provider_type,
+        "default_model": active_provider.default_model,
+    }
+# [/DEF:get_llm_status:Function]
+
 # [DEF:create_provider:Function]
 # @PURPOSE: Create a new LLM provider configuration.
 # @PRE: User is authenticated and has admin permissions.
@@ -204,4 +249,4 @@ async def test_provider_config(
         return {"success": False, "error": str(e)}
 # [/DEF:test_provider_config:Function]
 
-# [/DEF:backend/src/api/routes/llm.py]
+# [/DEF:backend/src/api/routes/llm.py]

backend/src/api/routes/migration.py

@@ -6,12 +6,17 @@
 # @RELATION:  DEPENDS_ON -> backend.src.dependencies
 # @RELATION:  DEPENDS_ON -> backend.src.models.dashboard
 
-from fastapi import APIRouter, Depends, HTTPException
-from typing import List
+from fastapi import APIRouter, Depends, HTTPException, Query
+from typing import List, Dict, Any, Optional
+from sqlalchemy.orm import Session
 from ...dependencies import get_config_manager, get_task_manager, has_permission
+from ...core.database import get_db
 from ...models.dashboard import DashboardMetadata, DashboardSelection
 from ...core.superset_client import SupersetClient
 from ...core.logger import belief_scope
+from ...core.migration.dry_run_orchestrator import MigrationDryRunService
+from ...core.mapping_service import IdMappingService
+from ...models.mapping import ResourceMapping
 
 router = APIRouter(prefix="/api", tags=["migration"])
 
@@ -44,7 +49,7 @@ async def get_dashboards(
 # @POST:    Starts the migration task and returns the task ID.
 # @PARAM:   selection (DashboardSelection) - The dashboards to migrate.
 # @RETURN:  Dict - {"task_id": str, "message": str}
-@router.post("/execute")
+@router.post("/migration/execute")
 async def execute_migration(
     selection: DashboardSelection,
     config_manager=Depends(get_config_manager),
@@ -61,9 +66,10 @@ async def execute_migration(
     # Create migration task with debug logging
     from ...core.logger import logger
     
-    # Include replace_db_config in the task parameters
+    # Include replace_db_config and fix_cross_filters in the task parameters
     task_params = selection.dict()
     task_params['replace_db_config'] = selection.replace_db_config
+    task_params['fix_cross_filters'] = selection.fix_cross_filters
     
     logger.info(f"Creating migration task with params: {task_params}")
     logger.info(f"Available environments: {env_ids}")
@@ -78,4 +84,180 @@ async def execute_migration(
         raise HTTPException(status_code=500, detail=f"Failed to create migration task: {str(e)}")
 # [/DEF:execute_migration:Function]
 
-# [/DEF:backend.src.api.routes.migration:Module]
+
+# [DEF:dry_run_migration:Function]
+# @PURPOSE: Build pre-flight diff and risk summary without applying migration.
+# @PRE: Selection and environments are valid.
+# @POST: Returns deterministic JSON diff and risk scoring.
+@router.post("/migration/dry-run", response_model=Dict[str, Any])
+async def dry_run_migration(
+    selection: DashboardSelection,
+    config_manager=Depends(get_config_manager),
+    db: Session = Depends(get_db),
+    _ = Depends(has_permission("plugin:migration", "EXECUTE"))
+):
+    with belief_scope("dry_run_migration"):
+        environments = config_manager.get_environments()
+    env_map = {env.id: env for env in environments}
+    source_env = env_map.get(selection.source_env_id)
+    target_env = env_map.get(selection.target_env_id)
+    if not source_env or not target_env:
+        raise HTTPException(status_code=400, detail="Invalid source or target environment")
+    if selection.source_env_id == selection.target_env_id:
+        raise HTTPException(status_code=400, detail="Source and target environments must be different")
+    if not selection.selected_ids:
+        raise HTTPException(status_code=400, detail="No dashboards selected for dry run")
+
+    service = MigrationDryRunService()
+    source_client = SupersetClient(source_env)
+    target_client = SupersetClient(target_env)
+    try:
+        return service.run(
+            selection=selection,
+            source_client=source_client,
+            target_client=target_client,
+            db=db,
+        )
+    except ValueError as exc:
+        raise HTTPException(status_code=500, detail=str(exc)) from exc
+# [/DEF:dry_run_migration:Function]
+
+# [DEF:get_migration_settings:Function]
+# @PURPOSE: Get current migration Cron string explicitly.
+@router.get("/migration/settings", response_model=Dict[str, str])
+async def get_migration_settings(
+    config_manager=Depends(get_config_manager),
+    _ = Depends(has_permission("plugin:migration", "READ"))
+):
+    with belief_scope("get_migration_settings"):
+        config = config_manager.get_config()
+        cron = config.settings.migration_sync_cron
+        return {"cron": cron}
+# [/DEF:get_migration_settings:Function]
+
+# [DEF:update_migration_settings:Function]
+# @PURPOSE: Update migration Cron string.
+@router.put("/migration/settings", response_model=Dict[str, str])
+async def update_migration_settings(
+    payload: Dict[str, str],
+    config_manager=Depends(get_config_manager),
+    _ = Depends(has_permission("plugin:migration", "WRITE"))
+):
+    with belief_scope("update_migration_settings"):
+        if "cron" not in payload:
+            raise HTTPException(status_code=400, detail="Missing 'cron' field in payload")
+        
+        cron_expr = payload["cron"]
+        
+        config = config_manager.get_config()
+        config.settings.migration_sync_cron = cron_expr
+        config_manager.save_config(config)
+        
+        return {"cron": cron_expr, "status": "updated"}
+# [/DEF:update_migration_settings:Function]
+
+# [DEF:get_resource_mappings:Function]
+# @PURPOSE: Fetch synchronized object mappings with search, filtering, and pagination.
+@router.get("/migration/mappings-data", response_model=Dict[str, Any])
+async def get_resource_mappings(
+    skip: int = Query(0, ge=0),
+    limit: int = Query(50, ge=1, le=500),
+    search: Optional[str] = Query(None, description="Search by resource name or UUID"),
+    env_id: Optional[str] = Query(None, description="Filter by environment ID"),
+    resource_type: Optional[str] = Query(None, description="Filter by resource type"),
+    db: Session = Depends(get_db),
+    _ = Depends(has_permission("plugin:migration", "READ"))
+):
+    with belief_scope("get_resource_mappings"):
+        query = db.query(ResourceMapping)
+        
+        if env_id:
+            query = query.filter(ResourceMapping.environment_id == env_id)
+        
+        if resource_type:
+            query = query.filter(ResourceMapping.resource_type == resource_type.upper())
+        
+        if search:
+            search_term = f"%{search}%"
+            query = query.filter(
+                (ResourceMapping.resource_name.ilike(search_term)) |
+                (ResourceMapping.uuid.ilike(search_term))
+            )
+        
+        total = query.count()
+        mappings = query.order_by(ResourceMapping.resource_type, ResourceMapping.resource_name).offset(skip).limit(limit).all()
+        
+        items = []
+        for m in mappings:
+            items.append({
+                "id": m.id,
+                "environment_id": m.environment_id,
+                "resource_type": m.resource_type.value if m.resource_type else None,
+                "uuid": m.uuid,
+                "remote_id": m.remote_integer_id,
+                "resource_name": m.resource_name,
+                "last_synced_at": m.last_synced_at.isoformat() if m.last_synced_at else None
+            })
+        
+        return {"items": items, "total": total}
+# [/DEF:get_resource_mappings:Function]
+
+# [DEF:trigger_sync_now:Function]
+# @PURPOSE: Triggers an immediate ID synchronization for all environments.
+# @PRE:     At least one environment must be configured.
+# @POST:    Environment rows are ensured in DB; sync_environment is called for each.
+@router.post("/migration/sync-now", response_model=Dict[str, Any])
+async def trigger_sync_now(
+    config_manager=Depends(get_config_manager),
+    db: Session = Depends(get_db),
+    _ = Depends(has_permission("plugin:migration", "EXECUTE"))
+):
+    with belief_scope("trigger_sync_now"):
+        from ...core.logger import logger
+        from ...models.mapping import Environment as EnvironmentModel
+        
+        config = config_manager.get_config()
+        environments = config.environments
+        
+        if not environments:
+            raise HTTPException(status_code=400, detail="No environments configured")
+        
+        # Ensure each environment exists in DB (upsert) to satisfy FK constraints
+        for env in environments:
+            existing = db.query(EnvironmentModel).filter_by(id=env.id).first()
+            if not existing:
+                db_env = EnvironmentModel(
+                    id=env.id,
+                    name=env.name,
+                    url=env.url,
+                    credentials_id=env.id,  # Use env.id as credentials reference
+                )
+                db.add(db_env)
+                logger.info(f"[trigger_sync_now][Action] Created environment row for {env.id}")
+            else:
+                existing.name = env.name
+                existing.url = env.url
+        db.commit()
+        
+        service = IdMappingService(db)
+        results = {"synced": [], "failed": []}
+        
+        for env in environments:
+            try:
+                client = SupersetClient(env)
+                service.sync_environment(env.id, client)
+                results["synced"].append(env.id)
+                logger.info(f"[trigger_sync_now][Action] Synced environment {env.id}")
+            except Exception as e:
+                results["failed"].append({"env_id": env.id, "error": str(e)})
+                logger.error(f"[trigger_sync_now][Error] Failed to sync {env.id}: {e}")
+        
+        return {
+            "status": "completed",
+            "synced_count": len(results["synced"]),
+            "failed_count": len(results["failed"]),
+            "details": results
+        }
+# [/DEF:trigger_sync_now:Function]
+
+# [/DEF:backend.src.api.routes.migration:Module]

backend/src/api/routes/profile.py

@@ -0,0 +1,147 @@
+# [DEF:backend.src.api.routes.profile:Module]
+#
+# @TIER:      CRITICAL
+# @SEMANTICS: api, profile, preferences, self-service, account-lookup
+# @PURPOSE:   Exposes self-scoped profile preference endpoints and environment-based Superset account lookup.
+# @LAYER:     API
+# @RELATION:  DEPENDS_ON -> backend.src.services.profile_service
+# @RELATION:  DEPENDS_ON -> backend.src.dependencies.get_current_user
+# @RELATION:  DEPENDS_ON -> backend.src.core.database.get_db
+#
+# @INVARIANT: Endpoints are self-scoped and never mutate another user preference.
+# @UX_STATE: ProfileLoad -> Returns stable ProfilePreferenceResponse for authenticated user.
+# @UX_STATE: Saving -> Validation errors map to actionable 422 details.
+# @UX_STATE: LookupLoading -> Returns success/degraded Superset lookup payload.
+# @UX_FEEDBACK: Stable status/message/warning payloads support profile page feedback.
+# @UX_RECOVERY: Lookup degradation keeps manual username save path available.
+
+# [SECTION: IMPORTS]
+from typing import Optional
+
+from fastapi import APIRouter, Depends, HTTPException, Query
+from sqlalchemy.orm import Session
+
+from ...core.database import get_db
+from ...core.logger import logger, belief_scope
+from ...dependencies import (
+    get_config_manager,
+    get_current_user,
+    get_plugin_loader,
+)
+from ...models.auth import User
+from ...schemas.profile import (
+    ProfilePreferenceResponse,
+    ProfilePreferenceUpdateRequest,
+    SupersetAccountLookupRequest,
+    SupersetAccountLookupResponse,
+)
+from ...services.profile_service import (
+    EnvironmentNotFoundError,
+    ProfileAuthorizationError,
+    ProfileService,
+    ProfileValidationError,
+)
+# [/SECTION]
+
+router = APIRouter(prefix="/api/profile", tags=["profile"])
+
+
+# [DEF:_get_profile_service:Function]
+# @PURPOSE: Build profile service for current request scope.
+# @PRE: db session and config manager are available.
+# @POST: Returns a ready ProfileService instance.
+def _get_profile_service(db: Session, config_manager, plugin_loader=None) -> ProfileService:
+    return ProfileService(
+        db=db,
+        config_manager=config_manager,
+        plugin_loader=plugin_loader,
+    )
+# [/DEF:_get_profile_service:Function]
+
+
+# [DEF:get_preferences:Function]
+# @PURPOSE: Get authenticated user's dashboard filter preference.
+# @PRE: Valid JWT and authenticated user context.
+# @POST: Returns preference payload for current user only.
+@router.get("/preferences", response_model=ProfilePreferenceResponse)
+async def get_preferences(
+    current_user: User = Depends(get_current_user),
+    db: Session = Depends(get_db),
+    config_manager=Depends(get_config_manager),
+    plugin_loader=Depends(get_plugin_loader),
+):
+    with belief_scope("profile.get_preferences", f"user_id={current_user.id}"):
+        logger.reason("[REASON] Resolving current user preference")
+        service = _get_profile_service(db, config_manager, plugin_loader)
+        return service.get_my_preference(current_user)
+# [/DEF:get_preferences:Function]
+
+
+# [DEF:update_preferences:Function]
+# @PURPOSE: Update authenticated user's dashboard filter preference.
+# @PRE: Valid JWT and valid request payload.
+# @POST: Persists normalized preference for current user or raises validation/authorization errors.
+@router.patch("/preferences", response_model=ProfilePreferenceResponse)
+async def update_preferences(
+    payload: ProfilePreferenceUpdateRequest,
+    current_user: User = Depends(get_current_user),
+    db: Session = Depends(get_db),
+    config_manager=Depends(get_config_manager),
+    plugin_loader=Depends(get_plugin_loader),
+):
+    with belief_scope("profile.update_preferences", f"user_id={current_user.id}"):
+        service = _get_profile_service(db, config_manager, plugin_loader)
+        try:
+            logger.reason("[REASON] Attempting preference save")
+            return service.update_my_preference(current_user=current_user, payload=payload)
+        except ProfileValidationError as exc:
+            logger.reflect("[REFLECT] Preference validation failed")
+            raise HTTPException(status_code=422, detail=exc.errors) from exc
+        except ProfileAuthorizationError as exc:
+            logger.explore("[EXPLORE] Cross-user mutation guard blocked request")
+            raise HTTPException(status_code=403, detail=str(exc)) from exc
+# [/DEF:update_preferences:Function]
+
+
+# [DEF:lookup_superset_accounts:Function]
+# @PURPOSE: Lookup Superset account candidates in selected environment.
+# @PRE: Valid JWT, authenticated context, and environment_id query parameter.
+# @POST: Returns success or degraded lookup payload with stable shape.
+@router.get("/superset-accounts", response_model=SupersetAccountLookupResponse)
+async def lookup_superset_accounts(
+    environment_id: str = Query(...),
+    search: Optional[str] = Query(default=None),
+    page_index: int = Query(default=0, ge=0),
+    page_size: int = Query(default=20, ge=1, le=100),
+    sort_column: str = Query(default="username"),
+    sort_order: str = Query(default="desc"),
+    current_user: User = Depends(get_current_user),
+    db: Session = Depends(get_db),
+    config_manager=Depends(get_config_manager),
+    plugin_loader=Depends(get_plugin_loader),
+):
+    with belief_scope(
+        "profile.lookup_superset_accounts",
+        f"user_id={current_user.id}, environment_id={environment_id}",
+    ):
+        service = _get_profile_service(db, config_manager, plugin_loader)
+        lookup_request = SupersetAccountLookupRequest(
+            environment_id=environment_id,
+            search=search,
+            page_index=page_index,
+            page_size=page_size,
+            sort_column=sort_column,
+            sort_order=sort_order,
+        )
+        try:
+            logger.reason("[REASON] Executing Superset account lookup")
+            return service.lookup_superset_accounts(
+                current_user=current_user,
+                request=lookup_request,
+            )
+        except EnvironmentNotFoundError as exc:
+            logger.explore("[EXPLORE] Lookup request references unknown environment")
+            raise HTTPException(status_code=404, detail=str(exc)) from exc
+# [/DEF:lookup_superset_accounts:Function]
+
+# [/DEF:backend.src.api.routes.profile:Module]

backend/src/api/routes/reports.py

@@ -13,10 +13,11 @@ from typing import List, Optional
 
 from fastapi import APIRouter, Depends, HTTPException, Query, status
 
-from ...dependencies import get_task_manager, has_permission
+from ...dependencies import get_task_manager, has_permission, get_clean_release_repository
 from ...core.task_manager import TaskManager
 from ...core.logger import belief_scope
 from ...models.report import ReportCollection, ReportDetailView, ReportQuery, ReportStatus, TaskType
+from ...services.clean_release.repository import CleanReleaseRepository
 from ...services.reports.report_service import ReportsService
 # [/SECTION]
 
@@ -32,27 +33,28 @@ router = APIRouter(prefix="/api/reports", tags=["Reports"])
 # @PARAM: field_name (str) - Query field name for diagnostics.
 # @RETURN: List - Parsed enum values.
 def _parse_csv_enum_list(raw: Optional[str], enum_cls, field_name: str) -> List:
-    if raw is None or not raw.strip():
-        return []
-    values = [item.strip() for item in raw.split(",") if item.strip()]
-    parsed = []
-    invalid = []
-    for value in values:
-        try:
-            parsed.append(enum_cls(value))
-        except ValueError:
-            invalid.append(value)
-    if invalid:
-        raise HTTPException(
-            status_code=status.HTTP_400_BAD_REQUEST,
-            detail={
-                "message": f"Invalid values for '{field_name}'",
-                "field": field_name,
-                "invalid_values": invalid,
-                "allowed_values": [item.value for item in enum_cls],
-            },
-        )
-    return parsed
+    with belief_scope("_parse_csv_enum_list"):
+        if raw is None or not raw.strip():
+            return []
+        values = [item.strip() for item in raw.split(",") if item.strip()]
+        parsed = []
+        invalid = []
+        for value in values:
+            try:
+                parsed.append(enum_cls(value))
+            except ValueError:
+                invalid.append(value)
+        if invalid:
+            raise HTTPException(
+                status_code=status.HTTP_400_BAD_REQUEST,
+                detail={
+                    "message": f"Invalid values for '{field_name}'",
+                    "field": field_name,
+                    "invalid_values": invalid,
+                    "allowed_values": [item.value for item in enum_cls],
+                },
+            )
+        return parsed
 # [/DEF:_parse_csv_enum_list:Function]
 
 
@@ -61,6 +63,20 @@ def _parse_csv_enum_list(raw: Optional[str], enum_cls, field_name: str) -> List:
 # @PRE: authenticated/authorized request and validated query params.
 # @POST: returns {items,total,page,page_size,has_next,applied_filters}.
 # @POST: deterministic error payload for invalid filters.
+#
+# @TEST_CONTRACT: ListReportsApi ->
+# {
+#   required_fields: {page: int, page_size: int, sort_by: str, sort_order: str},
+#   optional_fields: {task_types: str, statuses: str, search: str},
+#   invariants: [
+#       "Returns ReportCollection on success",
+#       "Raises HTTPException 400 for invalid query parameters"
+#   ]
+# }
+# @TEST_FIXTURE: valid_list_request -> {"page": 1, "page_size": 20}
+# @TEST_EDGE: invalid_task_type_filter -> raises HTTPException(400)
+# @TEST_EDGE: malformed_query -> raises HTTPException(400)
+# @TEST_INVARIANT: consistent_list_payload -> verifies: [valid_list_request]
 @router.get("", response_model=ReportCollection)
 async def list_reports(
     page: int = Query(1, ge=1),
@@ -73,6 +89,7 @@ async def list_reports(
     sort_by: str = Query("updated_at"),
     sort_order: str = Query("desc"),
     task_manager: TaskManager = Depends(get_task_manager),
+    clean_release_repository: CleanReleaseRepository = Depends(get_clean_release_repository),
     _=Depends(has_permission("tasks", "READ")),
 ):
     with belief_scope("list_reports"):
@@ -102,7 +119,7 @@ async def list_reports(
                 },
             )
 
-        service = ReportsService(task_manager)
+        service = ReportsService(task_manager, clean_release_repository=clean_release_repository)
         return service.list_reports(query)
 # [/DEF:list_reports:Function]
 
@@ -115,10 +132,11 @@ async def list_reports(
 async def get_report_detail(
     report_id: str,
     task_manager: TaskManager = Depends(get_task_manager),
+    clean_release_repository: CleanReleaseRepository = Depends(get_clean_release_repository),
     _=Depends(has_permission("tasks", "READ")),
 ):
     with belief_scope("get_report_detail", f"report_id={report_id}"):
-        service = ReportsService(task_manager)
+        service = ReportsService(task_manager, clean_release_repository=clean_release_repository)
         detail = service.get_report_detail(report_id)
         if not detail:
             raise HTTPException(

backend/src/api/routes/settings.py

@@ -16,9 +16,10 @@ from pydantic import BaseModel
 from ...core.config_models import AppConfig, Environment, GlobalSettings, LoggingConfig
 from ...models.storage import StorageConfig
 from ...dependencies import get_config_manager, has_permission
-from ...core.config_manager import ConfigManager
-from ...core.logger import logger, belief_scope
-from ...core.superset_client import SupersetClient
+from ...core.config_manager import ConfigManager
+from ...core.logger import logger, belief_scope
+from ...core.superset_client import SupersetClient
+from ...services.llm_prompt_templates import normalize_llm_settings
 # [/SECTION]
 
 # [DEF:LoggingConfigResponse:Class]
@@ -30,7 +31,38 @@ class LoggingConfigResponse(BaseModel):
     enable_belief_state: bool
 # [/DEF:LoggingConfigResponse:Class]
 
-router = APIRouter()
+router = APIRouter()
+
+
+# [DEF:_normalize_superset_env_url:Function]
+# @PURPOSE: Canonicalize Superset environment URL to base host/path without trailing /api/v1.
+# @PRE: raw_url can be empty.
+# @POST: Returns normalized base URL.
+def _normalize_superset_env_url(raw_url: str) -> str:
+    normalized = str(raw_url or "").strip().rstrip("/")
+    if normalized.lower().endswith("/api/v1"):
+        normalized = normalized[:-len("/api/v1")]
+    return normalized.rstrip("/")
+# [/DEF:_normalize_superset_env_url:Function]
+
+
+# [DEF:_validate_superset_connection_fast:Function]
+# @PURPOSE: Run lightweight Superset connectivity validation without full pagination scan.
+# @PRE: env contains valid URL and credentials.
+# @POST: Raises on auth/API failures; returns None on success.
+def _validate_superset_connection_fast(env: Environment) -> None:
+    client = SupersetClient(env)
+    # 1) Explicit auth check
+    client.authenticate()
+    # 2) Single lightweight API call to ensure read access
+    client.get_dashboards_page(
+        query={
+            "page": 0,
+            "page_size": 1,
+            "columns": ["id"],
+        }
+    )
+# [/DEF:_validate_superset_connection_fast:Function]
 
 # [DEF:get_settings:Function]
 # @PURPOSE: Retrieves all application settings.
@@ -38,13 +70,14 @@ router = APIRouter()
 # @POST:    Returns masked AppConfig.
 # @RETURN: AppConfig - The current configuration.
 @router.get("", response_model=AppConfig)
-async def get_settings(
+async def get_settings(
     config_manager: ConfigManager = Depends(get_config_manager),
     _ = Depends(has_permission("admin:settings", "READ"))
 ):
     with belief_scope("get_settings"):
         logger.info("[get_settings][Entry] Fetching all settings")
-    config = config_manager.get_config().copy(deep=True)
+    config = config_manager.get_config().copy(deep=True)
+    config.settings.llm = normalize_llm_settings(config.settings.llm)
     # Mask passwords
     for env in config.environments:
         if env.password:
@@ -110,14 +143,18 @@ async def update_storage_settings(
 # @PRE:     Config manager is available.
 # @POST:    Returns list of environments.
 # @RETURN: List[Environment] - List of environments.
-@router.get("/environments", response_model=List[Environment])
-async def get_environments(
+@router.get("/environments", response_model=List[Environment])
+async def get_environments(
     config_manager: ConfigManager = Depends(get_config_manager),
     _ = Depends(has_permission("admin:settings", "READ"))
-):
-    with belief_scope("get_environments"):
-        logger.info("[get_environments][Entry] Fetching environments")
-    return config_manager.get_environments()
+):
+    with belief_scope("get_environments"):
+        logger.info("[get_environments][Entry] Fetching environments")
+    environments = config_manager.get_environments()
+    return [
+        env.copy(update={"url": _normalize_superset_env_url(env.url)})
+        for env in environments
+    ]
 # [/DEF:get_environments:Function]
 
 # [DEF:add_environment:Function]
@@ -127,21 +164,21 @@ async def get_environments(
 # @PARAM: env (Environment) - The environment to add.
 # @RETURN: Environment - The added environment.
 @router.post("/environments", response_model=Environment)
-async def add_environment(
-    env: Environment,
+async def add_environment(
+    env: Environment,
     config_manager: ConfigManager = Depends(get_config_manager),
     _ = Depends(has_permission("admin:settings", "WRITE"))
-):
-    with belief_scope("add_environment"):
-        logger.info(f"[add_environment][Entry] Adding environment {env.id}")
+):
+    with belief_scope("add_environment"):
+        logger.info(f"[add_environment][Entry] Adding environment {env.id}")
+    env = env.copy(update={"url": _normalize_superset_env_url(env.url)})
     
-    # Validate connection before adding
-    try:
-        client = SupersetClient(env)
-        client.get_dashboards(query={"page_size": 1})
-    except Exception as e:
-        logger.error(f"[add_environment][Coherence:Failed] Connection validation failed: {e}")
-        raise HTTPException(status_code=400, detail=f"Connection validation failed: {e}")
+    # Validate connection before adding (fast path)
+    try:
+        _validate_superset_connection_fast(env)
+    except Exception as e:
+        logger.error(f"[add_environment][Coherence:Failed] Connection validation failed: {e}")
+        raise HTTPException(status_code=400, detail=f"Connection validation failed: {e}")
 
     config_manager.add_environment(env)
     return env
@@ -155,28 +192,29 @@ async def add_environment(
 # @PARAM: env (Environment) - The updated environment data.
 # @RETURN: Environment - The updated environment.
 @router.put("/environments/{id}", response_model=Environment)
-async def update_environment(
+async def update_environment(
     id: str,
     env: Environment,
     config_manager: ConfigManager = Depends(get_config_manager)
-):
+):
     with belief_scope("update_environment"):
         logger.info(f"[update_environment][Entry] Updating environment {id}")
     
-    # If password is masked, we need the real one for validation
-    env_to_validate = env.copy(deep=True)
+    env = env.copy(update={"url": _normalize_superset_env_url(env.url)})
+
+    # If password is masked, we need the real one for validation
+    env_to_validate = env.copy(deep=True)
     if env_to_validate.password == "********":
         old_env = next((e for e in config_manager.get_environments() if e.id == id), None)
         if old_env:
             env_to_validate.password = old_env.password
 
-    # Validate connection before updating
-    try:
-        client = SupersetClient(env_to_validate)
-        client.get_dashboards(query={"page_size": 1})
-    except Exception as e:
-        logger.error(f"[update_environment][Coherence:Failed] Connection validation failed: {e}")
-        raise HTTPException(status_code=400, detail=f"Connection validation failed: {e}")
+    # Validate connection before updating (fast path)
+    try:
+        _validate_superset_connection_fast(env_to_validate)
+    except Exception as e:
+        logger.error(f"[update_environment][Coherence:Failed] Connection validation failed: {e}")
+        raise HTTPException(status_code=400, detail=f"Connection validation failed: {e}")
 
     if config_manager.update_environment(id, env):
         return env
@@ -206,7 +244,7 @@ async def delete_environment(
 # @PARAM: id (str) - The ID of the environment to test.
 # @RETURN: dict - Success message or error.
 @router.post("/environments/{id}/test")
-async def test_environment_connection(
+async def test_environment_connection(
     id: str,
     config_manager: ConfigManager = Depends(get_config_manager)
 ):
@@ -218,15 +256,11 @@ async def test_environment_connection(
     if not env:
         raise HTTPException(status_code=404, detail=f"Environment {id} not found")
     
-    try:
-        # Initialize client (this will trigger authentication)
-        client = SupersetClient(env)
-        
-        # Try a simple request to verify
-        client.get_dashboards(query={"page_size": 1})
-        
-        logger.info(f"[test_environment_connection][Coherence:OK] Connection successful for {id}")
-        return {"status": "success", "message": "Connection successful"}
+    try:
+        _validate_superset_connection_fast(env)
+        
+        logger.info(f"[test_environment_connection][Coherence:OK] Connection successful for {id}")
+        return {"status": "success", "message": "Connection successful"}
     except Exception as e:
         logger.error(f"[test_environment_connection][Coherence:Failed] Connection failed for {id}: {e}")
         return {"status": "error", "message": str(e)}
@@ -279,7 +313,7 @@ async def update_logging_config(
 # [/DEF:update_logging_config:Function]
 
 # [DEF:ConsolidatedSettingsResponse:Class]
-class ConsolidatedSettingsResponse(BaseModel):
+class ConsolidatedSettingsResponse(BaseModel):
     environments: List[dict]
     connections: List[dict]
     llm: dict
@@ -294,7 +328,7 @@ class ConsolidatedSettingsResponse(BaseModel):
 # @POST:    Returns all consolidated settings.
 # @RETURN: ConsolidatedSettingsResponse - All settings categories.
 @router.get("/consolidated", response_model=ConsolidatedSettingsResponse)
-async def get_consolidated_settings(
+async def get_consolidated_settings(
     config_manager: ConfigManager = Depends(get_config_manager),
     _ = Depends(has_permission("admin:settings", "READ"))
 ):
@@ -323,14 +357,16 @@ async def get_consolidated_settings(
         finally:
             db.close()
 
-        return ConsolidatedSettingsResponse(
-            environments=[env.dict() for env in config.environments],
-            connections=config.settings.connections,
-            llm=config.settings.llm,
-            llm_providers=llm_providers_list,
-            logging=config.settings.logging.dict(),
-            storage=config.settings.storage.dict()
-        )
+        normalized_llm = normalize_llm_settings(config.settings.llm)
+
+        return ConsolidatedSettingsResponse(
+            environments=[env.dict() for env in config.environments],
+            connections=config.settings.connections,
+            llm=normalized_llm,
+            llm_providers=llm_providers_list,
+            logging=config.settings.logging.dict(),
+            storage=config.settings.storage.dict()
+        )
 # [/DEF:get_consolidated_settings:Function]
 
 # [DEF:update_consolidated_settings:Function]
@@ -353,9 +389,9 @@ async def update_consolidated_settings(
         if "connections" in settings_patch:
             current_settings.connections = settings_patch["connections"]
             
-        # Update LLM if provided
-        if "llm" in settings_patch:
-            current_settings.llm = settings_patch["llm"]
+        # Update LLM if provided
+        if "llm" in settings_patch:
+            current_settings.llm = normalize_llm_settings(settings_patch["llm"])
             
         # Update Logging if provided
         if "logging" in settings_patch:

backend/src/api/routes/storage.py

@@ -36,6 +36,7 @@ router = APIRouter(tags=["storage"])
 async def list_files(
     category: Optional[FileCategory] = None,
     path: Optional[str] = None,
+    recursive: bool = False,
     plugin_loader=Depends(get_plugin_loader),
     _ = Depends(has_permission("plugin:storage", "READ"))
 ):
@@ -43,7 +44,7 @@ async def list_files(
         storage_plugin: StoragePlugin = plugin_loader.get_plugin("storage-manager")
         if not storage_plugin:
             raise HTTPException(status_code=500, detail="Storage plugin not loaded")
-        return storage_plugin.list_files(category, path)
+        return storage_plugin.list_files(category, path, recursive)
 # [/DEF:list_files:Function]
 
 # [DEF:upload_file:Function]
@@ -143,4 +144,46 @@ async def download_file(
             raise HTTPException(status_code=400, detail=str(e))
 # [/DEF:download_file:Function]
 
-# [/DEF:storage_routes:Module]
+# [DEF:get_file_by_path:Function]
+# @PURPOSE: Retrieve a file by validated absolute/relative path under storage root.
+#
+# @PRE: path must resolve under configured storage root.
+# @POST: Returns a FileResponse for existing files.
+#
+# @PARAM: path (str) - Absolute or storage-root-relative file path.
+# @RETURN: FileResponse - The file content.
+#
+# @RELATION:    CALLS -> StoragePlugin.get_storage_root
+# @RELATION:    CALLS -> StoragePlugin.validate_path
+@router.get("/file")
+async def get_file_by_path(
+    path: str,
+    plugin_loader=Depends(get_plugin_loader),
+    _ = Depends(has_permission("plugin:storage", "READ"))
+):
+    with belief_scope("get_file_by_path"):
+        storage_plugin: StoragePlugin = plugin_loader.get_plugin("storage-manager")
+        if not storage_plugin:
+            raise HTTPException(status_code=500, detail="Storage plugin not loaded")
+
+        requested_path = (path or "").strip()
+        if not requested_path:
+            raise HTTPException(status_code=400, detail="Path is required")
+
+        try:
+            candidate = Path(requested_path)
+            if candidate.is_absolute():
+                abs_path = storage_plugin.validate_path(candidate)
+            else:
+                storage_root = storage_plugin.get_storage_root()
+                abs_path = storage_plugin.validate_path(storage_root / candidate)
+        except ValueError as e:
+            raise HTTPException(status_code=400, detail=str(e))
+
+        if not abs_path.exists() or not abs_path.is_file():
+            raise HTTPException(status_code=404, detail="File not found")
+
+        return FileResponse(path=str(abs_path), filename=abs_path.name)
+# [/DEF:get_file_by_path:Function]
+
+# [/DEF:storage_routes:Module]

backend/src/api/routes/tasks.py

@@ -4,24 +4,30 @@
 # @PURPOSE: Defines the FastAPI router for task-related endpoints, allowing clients to create, list, and get the status of tasks.
 # @LAYER: UI (API)
 # @RELATION: Depends on the TaskManager. It is included by the main app.
-from typing import List, Dict, Any, Optional
+from typing import List, Dict, Any, Optional
 from fastapi import APIRouter, Depends, HTTPException, status, Query
 from pydantic import BaseModel
 from ...core.logger import belief_scope
 
 from ...core.task_manager import TaskManager, Task, TaskStatus, LogEntry
 from ...core.task_manager.models import LogFilter, LogStats
-from ...dependencies import get_task_manager, has_permission, get_current_user
+from ...dependencies import get_task_manager, has_permission, get_current_user, get_config_manager
+from ...core.config_manager import ConfigManager
+from ...services.llm_prompt_templates import (
+    is_multimodal_model,
+    normalize_llm_settings,
+    resolve_bound_provider_id,
+)
 
-router = APIRouter()
-
-TASK_TYPE_PLUGIN_MAP = {
-    "llm_validation": ["llm_dashboard_validation"],
-    "backup": ["superset-backup"],
-    "migration": ["superset-migration"],
-}
-
-class CreateTaskRequest(BaseModel):
+router = APIRouter()
+
+TASK_TYPE_PLUGIN_MAP = {
+    "llm_validation": ["llm_dashboard_validation"],
+    "backup": ["superset-backup"],
+    "migration": ["superset-migration"],
+}
+
+class CreateTaskRequest(BaseModel):
     plugin_id: str
     params: Dict[str, Any]
 
@@ -42,7 +48,8 @@ class ResumeTaskRequest(BaseModel):
 async def create_task(
     request: CreateTaskRequest,
     task_manager: TaskManager = Depends(get_task_manager),
-    current_user = Depends(get_current_user)
+    current_user = Depends(get_current_user),
+    config_manager: ConfigManager = Depends(get_config_manager),
 ):
     # Dynamic permission check based on plugin_id
     has_permission(f"plugin:{request.plugin_id}", "EXECUTE")(current_user)
@@ -51,18 +58,39 @@ async def create_task(
     """
     with belief_scope("create_task"):
         try:
-            # Special handling for validation task to include provider config
-            if request.plugin_id == "llm_dashboard_validation":
+            # Special handling for LLM tasks to resolve provider config by task binding.
+            if request.plugin_id in {"llm_dashboard_validation", "llm_documentation"}:
                 from ...core.database import SessionLocal
                 from ...services.llm_provider import LLMProviderService
                 db = SessionLocal()
                 try:
                     llm_service = LLMProviderService(db)
                     provider_id = request.params.get("provider_id")
+                    if not provider_id:
+                        llm_settings = normalize_llm_settings(config_manager.get_config().settings.llm)
+                        binding_key = "dashboard_validation" if request.plugin_id == "llm_dashboard_validation" else "documentation"
+                        provider_id = resolve_bound_provider_id(llm_settings, binding_key)
+                        if provider_id:
+                            request.params["provider_id"] = provider_id
+                    if not provider_id:
+                        providers = llm_service.get_all_providers()
+                        active_provider = next((p for p in providers if p.is_active), None)
+                        if active_provider:
+                            provider_id = active_provider.id
+                            request.params["provider_id"] = provider_id
+
                     if provider_id:
                         db_provider = llm_service.get_provider(provider_id)
                         if not db_provider:
                             raise ValueError(f"LLM Provider {provider_id} not found")
+                        if request.plugin_id == "llm_dashboard_validation" and not is_multimodal_model(
+                            db_provider.default_model,
+                            db_provider.provider_type,
+                        ):
+                            raise HTTPException(
+                                status_code=status.HTTP_422_UNPROCESSABLE_ENTITY,
+                                detail="Selected provider model is not multimodal for dashboard validation",
+                            )
                 finally:
                     db.close()
 
@@ -85,36 +113,36 @@ async def create_task(
 # @PRE: task_manager must be available.
 # @POST: Returns a list of tasks.
 # @RETURN: List[Task] - List of tasks.
-async def list_tasks(
-    limit: int = 10,
-    offset: int = 0,
-    status_filter: Optional[TaskStatus] = Query(None, alias="status"),
-    task_type: Optional[str] = Query(None, description="Task category: llm_validation, backup, migration"),
-    plugin_id: Optional[List[str]] = Query(None, description="Filter by plugin_id (repeatable query param)"),
-    completed_only: bool = Query(False, description="Return only completed tasks (SUCCESS/FAILED)"),
-    task_manager: TaskManager = Depends(get_task_manager),
-    _ = Depends(has_permission("tasks", "READ"))
-):
-    """
-    Retrieve a list of tasks with pagination and optional status filter.
-    """
-    with belief_scope("list_tasks"):
-        plugin_filters = list(plugin_id) if plugin_id else []
-        if task_type:
-            if task_type not in TASK_TYPE_PLUGIN_MAP:
-                raise HTTPException(
-                    status_code=status.HTTP_400_BAD_REQUEST,
-                    detail=f"Unsupported task_type '{task_type}'. Allowed: {', '.join(TASK_TYPE_PLUGIN_MAP.keys())}"
-                )
-            plugin_filters.extend(TASK_TYPE_PLUGIN_MAP[task_type])
-
-        return task_manager.get_tasks(
-            limit=limit,
-            offset=offset,
-            status=status_filter,
-            plugin_ids=plugin_filters or None,
-            completed_only=completed_only
-        )
+async def list_tasks(
+    limit: int = 10,
+    offset: int = 0,
+    status_filter: Optional[TaskStatus] = Query(None, alias="status"),
+    task_type: Optional[str] = Query(None, description="Task category: llm_validation, backup, migration"),
+    plugin_id: Optional[List[str]] = Query(None, description="Filter by plugin_id (repeatable query param)"),
+    completed_only: bool = Query(False, description="Return only completed tasks (SUCCESS/FAILED)"),
+    task_manager: TaskManager = Depends(get_task_manager),
+    _ = Depends(has_permission("tasks", "READ"))
+):
+    """
+    Retrieve a list of tasks with pagination and optional status filter.
+    """
+    with belief_scope("list_tasks"):
+        plugin_filters = list(plugin_id) if plugin_id else []
+        if task_type:
+            if task_type not in TASK_TYPE_PLUGIN_MAP:
+                raise HTTPException(
+                    status_code=status.HTTP_400_BAD_REQUEST,
+                    detail=f"Unsupported task_type '{task_type}'. Allowed: {', '.join(TASK_TYPE_PLUGIN_MAP.keys())}"
+                )
+            plugin_filters.extend(TASK_TYPE_PLUGIN_MAP[task_type])
+
+        return task_manager.get_tasks(
+            limit=limit,
+            offset=offset,
+            status=status_filter,
+            plugin_ids=plugin_filters or None,
+            completed_only=completed_only
+        )
 # [/DEF:list_tasks:Function]
 
 @router.get("/{task_id}", response_model=Task)
@@ -154,6 +182,23 @@ async def get_task(
 # @POST: Returns a list of log entries or raises 404.
 # @RETURN: List[LogEntry] - List of log entries.
 # @TIER: CRITICAL
+# @TEST_CONTRACT get_task_logs_api ->
+# {
+#   required_params: {task_id: str},
+#   optional_params: {level: str, source: str, search: str},
+#   invariants: ["returns 404 for non-existent task", "applies filters correctly"]
+# }
+# @TEST_FIXTURE valid_task_logs_request -> {"task_id": "test_1", "level": "INFO"}
+# @TEST_EDGE task_not_found -> raises 404
+# @TEST_EDGE invalid_limit -> Query(limit=0) returns 422
+# @TEST_INVARIANT response_purity -> verifies: [valid_task_logs_request]
+# @TEST_CONTRACT: TaskLogQueryInput -> List[LogEntry]
+# @TEST_SCENARIO: existing_task_logs_filtered -> Returns filtered logs by level/source/search with pagination.
+# @TEST_FIXTURE: valid_task_with_mixed_logs -> backend/tests/fixtures/task_logs/valid_task_with_mixed_logs.json
+# @TEST_EDGE: missing_task -> Unknown task_id returns 404 Task not found.
+# @TEST_EDGE: invalid_level_type -> Non-string/invalid level query rejected by validation or yields empty result.
+# @TEST_EDGE: pagination_bounds -> offset=0 and limit=1000 remain within API bounds and do not overflow.
+# @TEST_INVARIANT: logs_only_for_existing_task -> VERIFIED_BY: [existing_task_logs_filtered, missing_task]
 async def get_task_logs(
     task_id: str,
     level: Optional[str] = Query(None, description="Filter by log level (DEBUG, INFO, WARNING, ERROR)"),
@@ -300,4 +345,4 @@ async def clear_tasks(
         task_manager.clear_tasks(status)
         return
 # [/DEF:clear_tasks:Function]
-# [/DEF:TasksRouter:Module]
+# [/DEF:TasksRouter:Module]

backend/src/app.py

@@ -21,7 +21,7 @@ import asyncio
 from .dependencies import get_task_manager, get_scheduler_service
 from .core.utils.network import NetworkError
 from .core.logger import logger, belief_scope
-from .api.routes import plugins, tasks, settings, environments, mappings, migration, connections, git, storage, admin, llm, dashboards, datasets, reports
+from .api.routes import plugins, tasks, settings, environments, mappings, migration, connections, git, storage, admin, llm, dashboards, datasets, reports, assistant, clean_release, clean_release_v2, profile
 from .api import auth
 
 # [DEF:App:Global]
@@ -72,12 +72,12 @@ app.add_middleware(
 )
 
 
-# [DEF:log_requests:Function]
-# @PURPOSE: Middleware to log incoming HTTP requests and their response status.
+# [DEF:network_error_handler:Function]
+# @PURPOSE: Global exception handler for NetworkError.
 # @PRE: request is a FastAPI Request object.
-# @POST: Logs request and response details.
+# @POST: Returns 503 HTTP Exception.
 # @PARAM: request (Request) - The incoming request object.
-# @PARAM: call_next (Callable) - The next middleware or route handler.
+# @PARAM: exc (NetworkError) - The exception instance.
 @app.exception_handler(NetworkError)
 async def network_error_handler(request: Request, exc: NetworkError):
     with belief_scope("network_error_handler"):
@@ -86,26 +86,34 @@ async def network_error_handler(request: Request, exc: NetworkError):
             status_code=503,
             detail="Environment unavailable. Please check if the Superset instance is running."
         )
+# [/DEF:network_error_handler:Function]
 
+# [DEF:log_requests:Function]
+# @PURPOSE: Middleware to log incoming HTTP requests and their response status.
+# @PRE: request is a FastAPI Request object.
+# @POST: Logs request and response details.
+# @PARAM: request (Request) - The incoming request object.
+# @PARAM: call_next (Callable) - The next middleware or route handler.
 @app.middleware("http")
 async def log_requests(request: Request, call_next):
-    # Avoid spamming logs for polling endpoints
-    is_polling = request.url.path.endswith("/api/tasks") and request.method == "GET"
-    
-    if not is_polling:
-        logger.info(f"Incoming request: {request.method} {request.url.path}")
-    
-    try:
-        response = await call_next(request)
+    with belief_scope("log_requests"):
+        # Avoid spamming logs for polling endpoints
+        is_polling = request.url.path.endswith("/api/tasks") and request.method == "GET"
+        
         if not is_polling:
-            logger.info(f"Response status: {response.status_code} for {request.url.path}")
-        return response
-    except NetworkError as e:
-        logger.error(f"Network error caught in middleware: {e}")
-        raise HTTPException(
-            status_code=503,
-            detail="Environment unavailable. Please check if the Superset instance is running."
-        )
+            logger.info(f"Incoming request: {request.method} {request.url.path}")
+        
+        try:
+            response = await call_next(request)
+            if not is_polling:
+                logger.info(f"Response status: {response.status_code} for {request.url.path}")
+            return response
+        except NetworkError as e:
+            logger.error(f"Network error caught in middleware: {e}")
+            raise HTTPException(
+                status_code=503,
+                detail="Environment unavailable. Please check if the Superset instance is running."
+            )
 # [/DEF:log_requests:Function]
 
 # Include API routes
@@ -124,6 +132,10 @@ app.include_router(storage.router, prefix="/api/storage", tags=["Storage"])
 app.include_router(dashboards.router)
 app.include_router(datasets.router)
 app.include_router(reports.router)
+app.include_router(assistant.router, prefix="/api/assistant", tags=["Assistant"])
+app.include_router(clean_release.router)
+app.include_router(clean_release_v2.router)
+app.include_router(profile.router)
 
 
 # [DEF:api.include_routers:Action]
@@ -138,6 +150,21 @@ app.include_router(reports.router)
 # @POST: WebSocket connection is managed and logs are streamed until disconnect.
 # @TIER: CRITICAL
 # @UX_STATE: Connecting -> Streaming -> (Disconnected)
+#
+# @TEST_CONTRACT: WebSocketLogStreamApi ->
+# {
+#   required_fields: {websocket: WebSocket, task_id: str},
+#   optional_fields: {source: str, level: str},
+#   invariants: [
+#       "Accepts the WebSocket connection",
+#       "Applies source and level filters correctly to streamed logs",
+#       "Cleans up subscriptions on disconnect"
+#   ]
+# }
+# @TEST_FIXTURE: valid_ws_connection -> {"task_id": "test_1", "source": "plugin"}
+# @TEST_EDGE: task_not_found_ws -> closes connection or sends error
+# @TEST_EDGE: empty_task_logs -> waits for new logs
+# @TEST_INVARIANT: consistent_streaming -> verifies: [valid_ws_connection]
 @app.websocket("/ws/logs/{task_id}")
 async def websocket_endpoint(
     websocket: WebSocket,
@@ -248,12 +275,13 @@ if frontend_path.exists():
     # @POST: Returns the requested file or index.html.
     @app.get("/{file_path:path}", include_in_schema=False)
     async def serve_spa(file_path: str):
-        # Only serve SPA for non-API paths
-        # API routes are registered separately and should be matched by FastAPI first
-        if file_path and (file_path.startswith("api/") or file_path.startswith("/api/") or file_path == "api"):
-            # This should not happen if API routers are properly registered
-            # Return 404 instead of serving HTML
-            raise HTTPException(status_code=404, detail=f"API endpoint not found: {file_path}")
+        with belief_scope("serve_spa"):
+            # Only serve SPA for non-API paths
+            # API routes are registered separately and should be matched by FastAPI first
+            if file_path and (file_path.startswith("api/") or file_path.startswith("/api/") or file_path == "api"):
+                # This should not happen if API routers are properly registered
+                # Return 404 instead of serving HTML
+                raise HTTPException(status_code=404, detail=f"API endpoint not found: {file_path}")
         
         full_path = frontend_path / file_path
         if file_path and full_path.is_file():

backend/src/core/__tests__/test_superset_profile_lookup.py

@@ -0,0 +1,128 @@
+# [DEF:backend.src.core.__tests__.test_superset_profile_lookup:Module]
+# @TIER: STANDARD
+# @SEMANTICS: tests, superset, profile, lookup, fallback, sorting
+# @PURPOSE: Verifies Superset profile lookup adapter payload normalization and fallback error precedence.
+# @LAYER: Domain
+# @RELATION: TESTS -> backend.src.core.superset_profile_lookup
+
+# [SECTION: IMPORTS]
+import json
+import sys
+from pathlib import Path
+from typing import Any, Dict, List, Optional
+
+import pytest
+
+backend_dir = str(Path(__file__).parent.parent.parent.parent.resolve())
+if backend_dir not in sys.path:
+    sys.path.insert(0, backend_dir)
+
+from src.core.superset_profile_lookup import SupersetAccountLookupAdapter
+from src.core.utils.network import AuthenticationError, SupersetAPIError
+# [/SECTION]
+
+
+# [DEF:_RecordingNetworkClient:Class]
+# @PURPOSE: Records request payloads and returns scripted responses for deterministic adapter tests.
+class _RecordingNetworkClient:
+    # [DEF:__init__:Function]
+    # @PURPOSE: Initializes scripted network responses.
+    # @PRE: scripted_responses is ordered per expected request sequence.
+    # @POST: Instance stores response script and captures subsequent request calls.
+    def __init__(self, scripted_responses: List[Any]):
+        self._scripted_responses = scripted_responses
+        self.calls: List[Dict[str, Any]] = []
+    # [/DEF:__init__:Function]
+
+    # [DEF:request:Function]
+    # @PURPOSE: Mimics APIClient.request while capturing call arguments.
+    # @PRE: method and endpoint are provided.
+    # @POST: Returns scripted response or raises scripted exception.
+    def request(
+        self,
+        method: str,
+        endpoint: str,
+        params: Optional[Dict[str, Any]] = None,
+        **kwargs,
+    ) -> Dict[str, Any]:
+        self.calls.append(
+            {
+                "method": method,
+                "endpoint": endpoint,
+                "params": params or {},
+            }
+        )
+        index = len(self.calls) - 1
+        response = self._scripted_responses[index]
+        if isinstance(response, Exception):
+            raise response
+        return response
+    # [/DEF:request:Function]
+# [/DEF:_RecordingNetworkClient:Class]
+
+
+# [DEF:test_get_users_page_sends_lowercase_order_direction:Function]
+# @PURPOSE: Ensures adapter sends lowercase order_direction compatible with Superset rison schema.
+# @PRE: Adapter is initialized with recording network client.
+# @POST: First request query payload contains order_direction='asc' for asc sort.
+def test_get_users_page_sends_lowercase_order_direction():
+    client = _RecordingNetworkClient(
+        scripted_responses=[{"result": [{"username": "admin"}], "count": 1}]
+    )
+    adapter = SupersetAccountLookupAdapter(network_client=client, environment_id="ss-dev")
+
+    adapter.get_users_page(
+        search="admin",
+        page_index=0,
+        page_size=20,
+        sort_column="username",
+        sort_order="asc",
+    )
+
+    sent_query = json.loads(client.calls[0]["params"]["q"])
+    assert sent_query["order_direction"] == "asc"
+# [/DEF:test_get_users_page_sends_lowercase_order_direction:Function]
+
+
+# [DEF:test_get_users_page_preserves_primary_schema_error_over_fallback_auth_error:Function]
+# @PURPOSE: Ensures fallback auth error does not mask primary schema/query failure.
+# @PRE: Primary endpoint fails with SupersetAPIError and fallback fails with AuthenticationError.
+# @POST: Raised exception remains primary SupersetAPIError (non-auth) to preserve root cause.
+def test_get_users_page_preserves_primary_schema_error_over_fallback_auth_error():
+    client = _RecordingNetworkClient(
+        scripted_responses=[
+            SupersetAPIError("API Error 400: bad rison schema"),
+            AuthenticationError(),
+        ]
+    )
+    adapter = SupersetAccountLookupAdapter(network_client=client, environment_id="ss-dev")
+
+    with pytest.raises(SupersetAPIError) as exc_info:
+        adapter.get_users_page(sort_order="asc")
+
+    assert "API Error 400" in str(exc_info.value)
+    assert not isinstance(exc_info.value, AuthenticationError)
+# [/DEF:test_get_users_page_preserves_primary_schema_error_over_fallback_auth_error:Function]
+
+
+# [DEF:test_get_users_page_uses_fallback_endpoint_when_primary_fails:Function]
+# @PURPOSE: Verifies adapter retries second users endpoint and succeeds when fallback is healthy.
+# @PRE: Primary endpoint fails; fallback returns valid users payload.
+# @POST: Result status is success and both endpoints were attempted in order.
+def test_get_users_page_uses_fallback_endpoint_when_primary_fails():
+    client = _RecordingNetworkClient(
+        scripted_responses=[
+            SupersetAPIError("Primary endpoint failed"),
+            {"result": [{"username": "admin"}], "count": 1},
+        ]
+    )
+    adapter = SupersetAccountLookupAdapter(network_client=client, environment_id="ss-dev")
+
+    result = adapter.get_users_page()
+
+    assert result["status"] == "success"
+    assert [call["endpoint"] for call in client.calls] == ["/security/users/", "/security/users"]
+# [/DEF:test_get_users_page_uses_fallback_endpoint_when_primary_fails:Function]
+
+
+# [/DEF:backend.src.core.__tests__.test_superset_profile_lookup:Module]

backend/src/core/async_superset_client.py

@@ -0,0 +1,298 @@
+# [DEF:backend.src.core.async_superset_client:Module]
+#
+# @TIER: CRITICAL
+# @SEMANTICS: superset, async, client, httpx, dashboards, datasets
+# @PURPOSE: Async Superset client for dashboard hot-path requests without blocking FastAPI event loop.
+# @LAYER: Core
+# @RELATION: DEPENDS_ON -> backend.src.core.superset_client
+# @RELATION: DEPENDS_ON -> backend.src.core.utils.async_network.AsyncAPIClient
+# @INVARIANT: Async dashboard operations reuse shared auth cache and avoid sync requests in async routes.
+
+# [SECTION: IMPORTS]
+import asyncio
+import json
+import re
+from typing import Any, Dict, List, Optional, Tuple, cast
+
+from .config_models import Environment
+from .logger import logger as app_logger, belief_scope
+from .superset_client import SupersetClient
+from .utils.async_network import AsyncAPIClient
+# [/SECTION]
+
+
+# [DEF:AsyncSupersetClient:Class]
+# @PURPOSE: Async sibling of SupersetClient for dashboard read paths.
+class AsyncSupersetClient(SupersetClient):
+    # [DEF:__init__:Function]
+    # @PURPOSE: Initialize async Superset client with AsyncAPIClient transport.
+    # @PRE: env is valid.
+    # @POST: Client uses async network transport and inherited projection helpers.
+    def __init__(self, env: Environment):
+        self.env = env
+        auth_payload = {
+            "username": env.username,
+            "password": env.password,
+            "provider": "db",
+            "refresh": "true",
+        }
+        self.network = AsyncAPIClient(
+            config={"base_url": env.url, "auth": auth_payload},
+            verify_ssl=env.verify_ssl,
+            timeout=env.timeout,
+        )
+        self.delete_before_reimport = False
+    # [/DEF:__init__:Function]
+
+    # [DEF:aclose:Function]
+    # @PURPOSE: Close async transport resources.
+    # @POST: Underlying AsyncAPIClient is closed.
+    async def aclose(self) -> None:
+        await self.network.aclose()
+    # [/DEF:aclose:Function]
+
+    # [DEF:get_dashboards_page_async:Function]
+    # @PURPOSE: Fetch one dashboards page asynchronously.
+    # @POST: Returns total count and page result list.
+    async def get_dashboards_page_async(self, query: Optional[Dict] = None) -> Tuple[int, List[Dict]]:
+        with belief_scope("AsyncSupersetClient.get_dashboards_page_async"):
+            validated_query = self._validate_query_params(query or {})
+            if "columns" not in validated_query:
+                validated_query["columns"] = [
+                    "slug",
+                    "id",
+                    "url",
+                    "changed_on_utc",
+                    "dashboard_title",
+                    "published",
+                    "created_by",
+                    "changed_by",
+                    "changed_by_name",
+                    "owners",
+                ]
+
+            response_json = cast(
+                Dict[str, Any],
+                await self.network.request(
+                    method="GET",
+                    endpoint="/dashboard/",
+                    params={"q": json.dumps(validated_query)},
+                ),
+            )
+            result = response_json.get("result", [])
+            total_count = response_json.get("count", len(result))
+            return total_count, result
+    # [/DEF:get_dashboards_page_async:Function]
+
+    # [DEF:get_dashboard_async:Function]
+    # @PURPOSE: Fetch one dashboard payload asynchronously.
+    # @POST: Returns raw dashboard payload from Superset API.
+    async def get_dashboard_async(self, dashboard_id: int) -> Dict:
+        with belief_scope("AsyncSupersetClient.get_dashboard_async", f"id={dashboard_id}"):
+            response = await self.network.request(method="GET", endpoint=f"/dashboard/{dashboard_id}")
+            return cast(Dict, response)
+    # [/DEF:get_dashboard_async:Function]
+
+    # [DEF:get_chart_async:Function]
+    # @PURPOSE: Fetch one chart payload asynchronously.
+    # @POST: Returns raw chart payload from Superset API.
+    async def get_chart_async(self, chart_id: int) -> Dict:
+        with belief_scope("AsyncSupersetClient.get_chart_async", f"id={chart_id}"):
+            response = await self.network.request(method="GET", endpoint=f"/chart/{chart_id}")
+            return cast(Dict, response)
+    # [/DEF:get_chart_async:Function]
+
+    # [DEF:get_dashboard_detail_async:Function]
+    # @PURPOSE: Fetch dashboard detail asynchronously with concurrent charts/datasets requests.
+    # @POST: Returns dashboard detail payload for overview page.
+    async def get_dashboard_detail_async(self, dashboard_id: int) -> Dict:
+        with belief_scope("AsyncSupersetClient.get_dashboard_detail_async", f"id={dashboard_id}"):
+            dashboard_response = await self.get_dashboard_async(dashboard_id)
+            dashboard_data = dashboard_response.get("result", dashboard_response)
+
+            charts: List[Dict] = []
+            datasets: List[Dict] = []
+
+            def extract_dataset_id_from_form_data(form_data: Optional[Dict]) -> Optional[int]:
+                if not isinstance(form_data, dict):
+                    return None
+                datasource = form_data.get("datasource")
+                if isinstance(datasource, str):
+                    matched = re.match(r"^(\d+)__", datasource)
+                    if matched:
+                        try:
+                            return int(matched.group(1))
+                        except ValueError:
+                            return None
+                if isinstance(datasource, dict):
+                    ds_id = datasource.get("id")
+                    try:
+                        return int(ds_id) if ds_id is not None else None
+                    except (TypeError, ValueError):
+                        return None
+                ds_id = form_data.get("datasource_id")
+                try:
+                    return int(ds_id) if ds_id is not None else None
+                except (TypeError, ValueError):
+                    return None
+
+            chart_task = self.network.request(
+                method="GET",
+                endpoint=f"/dashboard/{dashboard_id}/charts",
+            )
+            dataset_task = self.network.request(
+                method="GET",
+                endpoint=f"/dashboard/{dashboard_id}/datasets",
+            )
+            charts_response, datasets_response = await asyncio.gather(
+                chart_task,
+                dataset_task,
+                return_exceptions=True,
+            )
+
+            if not isinstance(charts_response, Exception):
+                charts_payload = charts_response.get("result", []) if isinstance(charts_response, dict) else []
+                for chart_obj in charts_payload:
+                    if not isinstance(chart_obj, dict):
+                        continue
+                    chart_id = chart_obj.get("id")
+                    if chart_id is None:
+                        continue
+                    form_data = chart_obj.get("form_data")
+                    if isinstance(form_data, str):
+                        try:
+                            form_data = json.loads(form_data)
+                        except Exception:
+                            form_data = {}
+                    dataset_id = extract_dataset_id_from_form_data(form_data) or chart_obj.get("datasource_id")
+                    charts.append({
+                        "id": int(chart_id),
+                        "title": chart_obj.get("slice_name") or chart_obj.get("name") or f"Chart {chart_id}",
+                        "viz_type": (form_data.get("viz_type") if isinstance(form_data, dict) else None),
+                        "dataset_id": int(dataset_id) if dataset_id is not None else None,
+                        "last_modified": chart_obj.get("changed_on"),
+                        "overview": chart_obj.get("description") or (form_data.get("viz_type") if isinstance(form_data, dict) else None) or "Chart",
+                    })
+            else:
+                app_logger.warning("[get_dashboard_detail_async][Warning] Failed to fetch dashboard charts: %s", charts_response)
+
+            if not isinstance(datasets_response, Exception):
+                datasets_payload = datasets_response.get("result", []) if isinstance(datasets_response, dict) else []
+                for dataset_obj in datasets_payload:
+                    if not isinstance(dataset_obj, dict):
+                        continue
+                    dataset_id = dataset_obj.get("id")
+                    if dataset_id is None:
+                        continue
+                    db_payload = dataset_obj.get("database")
+                    db_name = db_payload.get("database_name") if isinstance(db_payload, dict) else None
+                    table_name = dataset_obj.get("table_name") or dataset_obj.get("datasource_name") or dataset_obj.get("name") or f"Dataset {dataset_id}"
+                    schema = dataset_obj.get("schema")
+                    fq_name = f"{schema}.{table_name}" if schema else table_name
+                    datasets.append({
+                        "id": int(dataset_id),
+                        "table_name": table_name,
+                        "schema": schema,
+                        "database": db_name or dataset_obj.get("database_name") or "Unknown",
+                        "last_modified": dataset_obj.get("changed_on"),
+                        "overview": fq_name,
+                    })
+            else:
+                app_logger.warning("[get_dashboard_detail_async][Warning] Failed to fetch dashboard datasets: %s", datasets_response)
+
+            if not charts:
+                raw_position_json = dashboard_data.get("position_json")
+                chart_ids_from_position = set()
+                if isinstance(raw_position_json, str) and raw_position_json:
+                    try:
+                        parsed_position = json.loads(raw_position_json)
+                        chart_ids_from_position.update(self._extract_chart_ids_from_layout(parsed_position))
+                    except Exception:
+                        pass
+                elif isinstance(raw_position_json, dict):
+                    chart_ids_from_position.update(self._extract_chart_ids_from_layout(raw_position_json))
+
+                raw_json_metadata = dashboard_data.get("json_metadata")
+                if isinstance(raw_json_metadata, str) and raw_json_metadata:
+                    try:
+                        parsed_metadata = json.loads(raw_json_metadata)
+                        chart_ids_from_position.update(self._extract_chart_ids_from_layout(parsed_metadata))
+                    except Exception:
+                        pass
+                elif isinstance(raw_json_metadata, dict):
+                    chart_ids_from_position.update(self._extract_chart_ids_from_layout(raw_json_metadata))
+
+                fallback_chart_tasks = [
+                    self.get_chart_async(int(chart_id))
+                    for chart_id in sorted(chart_ids_from_position)
+                ]
+                fallback_chart_responses = await asyncio.gather(
+                    *fallback_chart_tasks,
+                    return_exceptions=True,
+                )
+                for chart_id, chart_response in zip(sorted(chart_ids_from_position), fallback_chart_responses):
+                    if isinstance(chart_response, Exception):
+                        app_logger.warning("[get_dashboard_detail_async][Warning] Failed to resolve fallback chart %s: %s", chart_id, chart_response)
+                        continue
+                    chart_data = chart_response.get("result", chart_response)
+                    charts.append({
+                        "id": int(chart_id),
+                        "title": chart_data.get("slice_name") or chart_data.get("name") or f"Chart {chart_id}",
+                        "viz_type": chart_data.get("viz_type"),
+                        "dataset_id": chart_data.get("datasource_id"),
+                        "last_modified": chart_data.get("changed_on"),
+                        "overview": chart_data.get("description") or chart_data.get("viz_type") or "Chart",
+                    })
+
+            dataset_ids_from_charts = {
+                c.get("dataset_id")
+                for c in charts
+                if c.get("dataset_id") is not None
+            }
+            known_dataset_ids = {d.get("id") for d in datasets if d.get("id") is not None}
+            missing_dataset_ids = sorted(int(item) for item in dataset_ids_from_charts if item not in known_dataset_ids)
+            if missing_dataset_ids:
+                dataset_fetch_tasks = [
+                    self.network.request(method="GET", endpoint=f"/dataset/{dataset_id}")
+                    for dataset_id in missing_dataset_ids
+                ]
+                dataset_fetch_responses = await asyncio.gather(
+                    *dataset_fetch_tasks,
+                    return_exceptions=True,
+                )
+                for dataset_id, dataset_response in zip(missing_dataset_ids, dataset_fetch_responses):
+                    if isinstance(dataset_response, Exception):
+                        app_logger.warning("[get_dashboard_detail_async][Warning] Failed to backfill dataset %s: %s", dataset_id, dataset_response)
+                        continue
+                    dataset_data = dataset_response.get("result", dataset_response) if isinstance(dataset_response, dict) else {}
+                    db_payload = dataset_data.get("database")
+                    db_name = db_payload.get("database_name") if isinstance(db_payload, dict) else None
+                    table_name = dataset_data.get("table_name") or dataset_data.get("datasource_name") or dataset_data.get("name") or f"Dataset {dataset_id}"
+                    schema = dataset_data.get("schema")
+                    fq_name = f"{schema}.{table_name}" if schema else table_name
+                    datasets.append({
+                        "id": int(dataset_id),
+                        "table_name": table_name,
+                        "schema": schema,
+                        "database": db_name or dataset_data.get("database_name") or "Unknown",
+                        "last_modified": dataset_data.get("changed_on"),
+                        "overview": fq_name,
+                    })
+
+            return {
+                "id": int(dashboard_data.get("id") or dashboard_id),
+                "title": dashboard_data.get("dashboard_title") or dashboard_data.get("title") or f"Dashboard {dashboard_id}",
+                "slug": dashboard_data.get("slug"),
+                "url": dashboard_data.get("url"),
+                "description": dashboard_data.get("description"),
+                "last_modified": dashboard_data.get("changed_on_utc") or dashboard_data.get("changed_on"),
+                "published": dashboard_data.get("published"),
+                "charts": charts,
+                "datasets": datasets,
+                "chart_count": len(charts),
+                "dataset_count": len(datasets),
+            }
+    # [/DEF:get_dashboard_detail_async:Function]
+# [/DEF:AsyncSupersetClient:Class]
+
+# [/DEF:backend.src.core.async_superset_client:Module]

backend/src/core/auth/__tests__/test_auth.py

@@ -14,6 +14,8 @@ import pytest
 from sqlalchemy import create_engine
 from sqlalchemy.orm import sessionmaker
 from src.core.database import Base
+# Import all models to ensure they are registered with Base before create_all - must import both auth and mapping to ensure Base knows about all tables
+from src.models import mapping, auth, task, report
 from src.models.auth import User, Role, Permission, ADGroupMapping
 from src.services.auth_service import AuthService
 from src.core.auth.repository import AuthRepository
@@ -176,4 +178,94 @@ def test_ad_group_mapping(auth_repo):
     assert retrieved_mapping.role_id == role.id
 
 
+def test_authenticate_user_updates_last_login(auth_service, auth_repo):
+    """@SIDE_EFFECT: authenticate_user updates last_login timestamp on success."""
+    user = User(
+        username="loginuser",
+        email="login@example.com",
+        password_hash=get_password_hash("mypassword"),
+        auth_source="LOCAL"
+    )
+    auth_repo.db.add(user)
+    auth_repo.db.commit()
+
+    assert user.last_login is None
+
+    authenticated = auth_service.authenticate_user("loginuser", "mypassword")
+    assert authenticated is not None
+    assert authenticated.last_login is not None
+
+
+def test_authenticate_inactive_user(auth_service, auth_repo):
+    """@PRE: User with is_active=False should not authenticate."""
+    user = User(
+        username="inactive_user",
+        email="inactive@example.com",
+        password_hash=get_password_hash("testpass"),
+        auth_source="LOCAL",
+        is_active=False
+    )
+    auth_repo.db.add(user)
+    auth_repo.db.commit()
+
+    result = auth_service.authenticate_user("inactive_user", "testpass")
+    assert result is None
+
+
+def test_verify_password_empty_hash():
+    """@PRE: verify_password with empty/None hash returns False."""
+    assert verify_password("anypassword", "") is False
+    assert verify_password("anypassword", None) is False
+
+
+def test_provision_adfs_user_new(auth_service, auth_repo):
+    """@POST: provision_adfs_user creates a new ADFS user with correct roles."""
+    # Set up a role and AD group mapping
+    role = Role(name="ADFS_Viewer", description="ADFS viewer role")
+    auth_repo.db.add(role)
+    auth_repo.db.commit()
+
+    mapping = ADGroupMapping(ad_group="DOMAIN\\Viewers", role_id=role.id)
+    auth_repo.db.add(mapping)
+    auth_repo.db.commit()
+
+    user_info = {
+        "upn": "newadfsuser@domain.com",
+        "email": "newadfsuser@domain.com",
+        "groups": ["DOMAIN\\Viewers"]
+    }
+
+    user = auth_service.provision_adfs_user(user_info)
+    assert user is not None
+    assert user.username == "newadfsuser@domain.com"
+    assert user.auth_source == "ADFS"
+    assert user.is_active is True
+    assert len(user.roles) == 1
+    assert user.roles[0].name == "ADFS_Viewer"
+
+
+def test_provision_adfs_user_existing(auth_service, auth_repo):
+    """@POST: provision_adfs_user updates roles for existing user."""
+    # Create existing user
+    existing = User(
+        username="existingadfs@domain.com",
+        email="existingadfs@domain.com",
+        auth_source="ADFS",
+        is_active=True
+    )
+    auth_repo.db.add(existing)
+    auth_repo.db.commit()
+
+    user_info = {
+        "upn": "existingadfs@domain.com",
+        "email": "existingadfs@domain.com",
+        "groups": []
+    }
+
+    user = auth_service.provision_adfs_user(user_info)
+    assert user is not None
+    assert user.username == "existingadfs@domain.com"
+    assert len(user.roles) == 0  # No matching group mappings
+
+
 # [/DEF:test_auth:Module]

backend/src/core/auth/repository.py

@@ -12,6 +12,7 @@
 from typing import Optional, List
 from sqlalchemy.orm import Session
 from ...models.auth import User, Role, Permission
+from ...models.profile import UserDashboardPreference
 from ..logger import belief_scope
 # [/SECTION]
 
@@ -109,6 +110,38 @@ class AuthRepository:
             ).first()
     # [/DEF:get_permission_by_resource_action:Function]
 
+    # [DEF:get_user_dashboard_preference:Function]
+    # @PURPOSE: Retrieves dashboard preference by owner user ID.
+    # @PRE:     user_id is a string.
+    # @POST:    Returns UserDashboardPreference if found, else None.
+    # @PARAM:   user_id (str) - Preference owner identifier.
+    # @RETURN:  Optional[UserDashboardPreference] - Found preference or None.
+    def get_user_dashboard_preference(self, user_id: str) -> Optional[UserDashboardPreference]:
+        with belief_scope("AuthRepository.get_user_dashboard_preference"):
+            return (
+                self.db.query(UserDashboardPreference)
+                .filter(UserDashboardPreference.user_id == user_id)
+                .first()
+            )
+    # [/DEF:get_user_dashboard_preference:Function]
+
+    # [DEF:save_user_dashboard_preference:Function]
+    # @PURPOSE: Persists dashboard preference entity and returns refreshed row.
+    # @PRE:     preference is a valid UserDashboardPreference entity.
+    # @POST:    Preference is committed and refreshed in database.
+    # @PARAM:   preference (UserDashboardPreference) - Preference entity to persist.
+    # @RETURN:  UserDashboardPreference - Persisted preference row.
+    def save_user_dashboard_preference(
+        self,
+        preference: UserDashboardPreference,
+    ) -> UserDashboardPreference:
+        with belief_scope("AuthRepository.save_user_dashboard_preference"):
+            self.db.add(preference)
+            self.db.commit()
+            self.db.refresh(preference)
+            return preference
+    # [/DEF:save_user_dashboard_preference:Function]
+
     # [DEF:list_permissions:Function]
     # @PURPOSE: Lists all available permissions.
     # @POST:    Returns a list of all Permission objects.