Updates

2026-05-10 09:46:07 +12:00
parent cfc193b713
commit 2f2466ecac
81 changed files with 2571 additions and 413 deletions
@@ -7,7 +7,7 @@ the current user has, then use those keys to hide/show navigation items.
 """
 from __future__ import annotations

-from fastapi import APIRouter, Depends, HTTPException, status
+from fastapi import APIRouter, Depends, HTTPException, Request, Response, status
 from pydantic import BaseModel
 from sqlalchemy import select
 from sqlalchemy.orm import Session, selectinload
@@ -21,12 +21,19 @@ from app.core.access import (
    require_permission,
 )
 from app.core.config import settings
+from app.core.http import CLIENT_AUTH_COOKIE
+from app.core.rate_limit import SlidingWindowRateLimiter, request_client_key
+from app.core.security_logging import log_security_event
 from app.core.security import hash_password, issue_token, verify_password
 from app.db.session import get_db
 from app.models.access import Permission, Role, User


 router = APIRouter(prefix="/api/access", tags=["access"])
+login_rate_limiter = SlidingWindowRateLimiter(
+    limit=settings.login_rate_limit_attempts,
+    window_seconds=settings.login_rate_limit_window_seconds,
+)


 class LoginRequest(BaseModel):
@@ -75,7 +82,10 @@ def _serialize_session(user: User, *, include_token: bool = False) -> UserSessio
    role_name = user.role.name if user.role else None
    token = None
    if include_token:
-        token = issue_token({"sub": INTERNAL_USER_SUBJECT, "user_id": user.id, "email": user.email})
+        token = issue_token(
+            {"sub": INTERNAL_USER_SUBJECT, "user_id": user.id, "email": user.email},
+            ttl_seconds=settings.session_ttl_seconds,
+        )
    # role="internal" is a marker the shared auth deps recognise so internal
    # users can hit the same routes as client-portal users without being
    # confused with them. Display name lives in role_name / client_role.
@@ -96,14 +106,16 @@ def _serialize_session(user: User, *, include_token: bool = False) -> UserSessio


@router.post("/login", response_model=UserSession)
-def login(payload: LoginRequest, db: Session = Depends(get_db)):
+def login(payload: LoginRequest, response: Response, request: Request, db: Session = Depends(get_db)):
    """Internal-user login.

    Authenticates against a shared internal password (``ADMIN_PASSWORD``) and
    looks up the user by email. Inactive or unknown users are rejected with
    a generic 401 to avoid leaking which emails are valid.
    """
+    login_rate_limiter.hit(request_client_key(request, suffix="internal-login"))
    if payload.password != settings.admin_password:
+        log_security_event("auth.login_failed", audience="internal", ip=request_client_key(request))
        raise HTTPException(status_code=status.HTTP_401_UNAUTHORIZED, detail="Invalid email or password")

    email = payload.email.strip().lower()
@@ -113,15 +125,20 @@ def login(payload: LoginRequest, db: Session = Depends(get_db)):
        .options(selectinload(User.role).selectinload(Role.permissions))
    )
    if user is None or not user.is_active:
+        log_security_event("auth.login_failed", audience="internal", ip=request_client_key(request))
        raise HTTPException(status_code=status.HTTP_401_UNAUTHORIZED, detail="Invalid email or password")

-    return _serialize_session(user, include_token=True)
+    session = _serialize_session(user, include_token=True)
+    if session.token:
+        CLIENT_AUTH_COOKIE.apply(response, session.token)
+    log_security_event("auth.login_succeeded", audience="internal", role=user.role.name if user.role else None, user_id=user.id)
+    return session.model_copy(update={"token": None})


@router.get("/me", response_model=UserSession)
 def read_me(user: User = Depends(get_current_user)):
    """Return the current user with permission keys for UI navigation gating."""
-    return _serialize_session(user)
+    return _serialize_session(user).model_copy(update={"token": None})


@router.get("/me/permissions", response_model=list[str])
@@ -181,7 +198,14 @@ def update_me(

    db.commit()
    db.refresh(user)
-    return _serialize_session(user, include_token=True)
+    return _serialize_session(user, include_token=True).model_copy(update={"token": None})
+
+
+@router.post("/logout", status_code=status.HTTP_204_NO_CONTENT)
+def logout(response: Response):
+    CLIENT_AUTH_COOKIE.clear(response)
+    response.status_code = status.HTTP_204_NO_CONTENT
+    return None


 # Permission-enforced administrative endpoints. Route bodies should not check
@@ -1,16 +1,23 @@
-from fastapi import APIRouter, Depends, HTTPException, status
+from fastapi import APIRouter, Depends, HTTPException, Request, Response, status
 from pydantic import BaseModel, Field
 from sqlalchemy import select
 from sqlalchemy.orm import Session

 from app.api.deps import AuthSession, require_admin_session, require_client_session
 from app.core.config import settings
+from app.core.http import ADMIN_AUTH_COOKIE, CLIENT_AUTH_COOKIE
+from app.core.rate_limit import SlidingWindowRateLimiter, request_client_key
+from app.core.security_logging import log_security_event
 from app.core.security import issue_token
 from app.db.session import get_db
 from app.models.client_access import ClientAccount
 from app.services.client_access_service import get_client_user_by_email, module_access_map

 router = APIRouter(prefix="/api/auth", tags=["auth"])
+login_rate_limiter = SlidingWindowRateLimiter(
+    limit=settings.login_rate_limit_attempts,
+    window_seconds=settings.login_rate_limit_window_seconds,
+)


 class LoginRequest(BaseModel):
@@ -27,7 +34,7 @@ class SessionResponse(BaseModel):
    user_id: int | None = None
    client_account_id: int | None = None
    module_permissions: dict[str, str] = Field(default_factory=dict)
-    token: str
+    token: str | None = None


 def _build_session_response(
@@ -50,7 +57,8 @@ def _build_session_response(
            "client_role": client_role,
            "user_id": user_id,
            "client_account_id": client_account_id,
-        }
+        },
+        ttl_seconds=settings.session_ttl_seconds,
    )
    return SessionResponse(
        name=name,
@@ -66,19 +74,22 @@ def _build_session_response(


@router.post("/client/login", response_model=SessionResponse)
-def client_login(payload: LoginRequest, db: Session = Depends(get_db)):
+def client_login(payload: LoginRequest, response: Response, request: Request, db: Session = Depends(get_db)):
+    login_rate_limiter.hit(request_client_key(request, suffix="client-login"))
    if payload.password != settings.client_password:
+        log_security_event("auth.login_failed", audience="client", ip=request_client_key(request))
        raise HTTPException(status_code=status.HTTP_401_UNAUTHORIZED, detail="Invalid client email or password")

    user = get_client_user_by_email(db, email=payload.email.strip().lower())
    if user is None:
+        log_security_event("auth.login_failed", audience="client", ip=request_client_key(request))
        raise HTTPException(status_code=status.HTTP_401_UNAUTHORIZED, detail="Invalid client email or password")

    client_account = db.scalar(select(ClientAccount).where(ClientAccount.id == user.client_account_id))
    if client_account is None:
        raise HTTPException(status_code=status.HTTP_404_NOT_FOUND, detail="Client account is not configured for this user")

-    return _build_session_response(
+    session_response = _build_session_response(
        name=user.full_name,
        email=user.email,
        role="client",
@@ -88,14 +99,24 @@ def client_login(payload: LoginRequest, db: Session = Depends(get_db)):
        client_account_id=client_account.id,
        module_permissions=module_access_map(user),
    )
+    if session_response.token:
+        CLIENT_AUTH_COOKIE.apply(response, session_response.token)
+    log_security_event("auth.login_succeeded", audience="client", role="client", user_id=user.id, tenant_id=client_account.tenant_id)
+    return session_response.model_copy(update={"token": None})


@router.post("/admin/login", response_model=SessionResponse)
-def admin_login(payload: LoginRequest):
+def admin_login(payload: LoginRequest, response: Response, request: Request):
+    login_rate_limiter.hit(request_client_key(request, suffix="admin-login"))
    if payload.email.strip().lower() != settings.admin_email.lower() or payload.password != settings.admin_password:
+        log_security_event("auth.login_failed", audience="admin", ip=request_client_key(request))
        raise HTTPException(status_code=status.HTTP_401_UNAUTHORIZED, detail="Invalid admin email or password")

-    return _build_session_response(name=settings.admin_name, email=settings.admin_email, role="admin")
+    session_response = _build_session_response(name=settings.admin_name, email=settings.admin_email, role="admin")
+    if session_response.token:
+        ADMIN_AUTH_COOKIE.apply(response, session_response.token)
+    log_security_event("auth.login_succeeded", audience="admin", role="admin")
+    return session_response.model_copy(update={"token": None})


@router.get("/client/session", response_model=SessionResponse)
@@ -112,9 +133,23 @@ def read_client_session(session: AuthSession = Depends(require_client_session),
        user_id=user.id,
        client_account_id=user.client_account_id,
        module_permissions=module_access_map(user),
-    )
+    ).model_copy(update={"token": None})


@router.get("/admin/session", response_model=SessionResponse)
 def read_admin_session(session: AuthSession = Depends(require_admin_session)):
-    return _build_session_response(name=session.name, email=session.email, role=session.role)
+    return _build_session_response(name=session.name, email=session.email, role=session.role).model_copy(update={"token": None})
+
+
+@router.post("/client/logout", status_code=status.HTTP_204_NO_CONTENT)
+def client_logout(response: Response):
+    CLIENT_AUTH_COOKIE.clear(response)
+    response.status_code = status.HTTP_204_NO_CONTENT
+    return None
+
+
+@router.post("/admin/logout", status_code=status.HTTP_204_NO_CONTENT)
+def admin_logout(response: Response):
+    ADMIN_AUTH_COOKIE.clear(response)
+    response.status_code = status.HTTP_204_NO_CONTENT
+    return None
@@ -1,4 +1,4 @@
-from fastapi import APIRouter, Depends, HTTPException, status
+from fastapi import APIRouter, Depends, HTTPException, Query, status
 from sqlalchemy import select
 from sqlalchemy.exc import IntegrityError
 from sqlalchemy.orm import Session, selectinload
@@ -78,10 +78,11 @@ def _actor_metadata(session: AuthSession) -> dict[str, str]:

@router.get("", response_model=list[ClientAccessRead])
 def get_client_access(
+    limit: int = Query(default=100, ge=1, le=200),
    db: Session = Depends(get_db),
    session: AuthSession = Depends(require_client_access_manager_session),
 ):
-    return [serialize_client_account(client) for client in _authorized_client_scope(db, session)]
+    return [serialize_client_account(client) for client in _authorized_client_scope(db, session)[:limit]]


@router.post("/users", response_model=ClientAccessRead, status_code=status.HTTP_201_CREATED)
@@ -11,7 +11,7 @@ from fastapi import APIRouter, Depends
 from sqlalchemy import select
 from sqlalchemy.orm import Session, selectinload

-from app.api.deps import AuthSession, require_client_session
+from app.api.deps import AuthSession, require_client_module_access
 from app.db.session import get_db
 from app.models.mix import Mix
 from app.models.product import Product
@@ -35,7 +35,7 @@ def _can(session: AuthSession, module_key: str) -> bool:

@router.get("/summary")
 def dashboard_summary(
-    session: AuthSession = Depends(require_client_session),
+    session: AuthSession = Depends(require_client_module_access("dashboard")),
    db: Session = Depends(get_db),
 ):
    raw_materials_summary: dict | None = None
@@ -2,8 +2,7 @@ from __future__ import annotations

 from dataclasses import dataclass

-from fastapi import Depends, HTTPException, status
-from fastapi.security import HTTPAuthorizationCredentials, HTTPBearer
+from fastapi import Depends, HTTPException, Request, status
 from sqlalchemy import select
 from sqlalchemy.orm import Session, selectinload

@@ -13,14 +12,14 @@ from app.core.access import (
    get_user_permissions,
    permissions_to_module_map,
 )
+from app.core.http import ADMIN_AUTH_COOKIE, CLIENT_AUTH_COOKIE, get_bearer_or_cookie_token
+from app.core.security_logging import log_security_event
 from app.core.security import verify_token
 from app.db.session import get_db
 from app.models.access import Role, User
 from app.models.client_access import ClientFeatureAccess, ClientUser
 from app.services.client_access_service import has_access_level, module_access_map

-bearer_scheme = HTTPBearer(auto_error=False)
-

@dataclass(frozen=True)
 class AuthSession:
@@ -67,13 +66,16 @@ def _build_internal_auth_session(db: Session, payload: dict) -> AuthSession:


 def get_auth_session(
-    credentials: HTTPAuthorizationCredentials | None = Depends(bearer_scheme),
+    request: Request,
    db: Session = Depends(get_db),
 ) -> AuthSession:
-    if credentials is None:
+    token = get_bearer_or_cookie_token(request, cookie_name=CLIENT_AUTH_COOKIE.name) or get_bearer_or_cookie_token(
+        request, cookie_name=ADMIN_AUTH_COOKIE.name
+    )
+    if token is None:
        raise HTTPException(status_code=status.HTTP_401_UNAUTHORIZED, detail="Authentication required")

-    payload = verify_token(credentials.credentials)
+    payload = verify_token(token)

    # Internal Hunter Stock Feeds users get an auth session derived from the
    # role/permission tables rather than the client-portal ClientUser tables.
@@ -111,6 +113,7 @@ def require_client_session(session: AuthSession = Depends(get_auth_session)) ->

 def require_admin_session(session: AuthSession = Depends(get_auth_session)) -> AuthSession:
    if session.role != "admin":
+        log_security_event("authz.denied", role=session.role, required="admin")
        raise HTTPException(status_code=status.HTTP_403_FORBIDDEN, detail="Admin access required")
    return session

@@ -143,6 +146,7 @@ def require_client_module_access(module_key: str, minimum_level: str = "view"):
        if session.role == "internal":
            permissions = session.module_permissions or {}
            if not has_access_level(permissions.get(module_key), minimum_level):
+                log_security_event("authz.denied", role=session.role, module=module_key, access_level=minimum_level)
                raise HTTPException(
                    status_code=status.HTTP_403_FORBIDDEN,
                    detail=f"{module_key} access is not permitted",
@@ -158,10 +162,12 @@ def require_client_module_access(module_key: str, minimum_level: str = "view"):
            )
        )
        if feature is not None and not feature.enabled:
+            log_security_event("authz.denied", role=session.role, module=module_key, reason="feature_disabled")
            raise HTTPException(status_code=status.HTTP_403_FORBIDDEN, detail=f"{module_key} is disabled for this client")

        permissions = module_access_map(user)
        if not has_access_level(permissions.get(module_key), minimum_level):
+            log_security_event("authz.denied", role=session.role, module=module_key, access_level=minimum_level)
            raise HTTPException(status_code=status.HTTP_403_FORBIDDEN, detail=f"{module_key} access is not permitted")

        return AuthSession(
@@ -190,6 +196,7 @@ def require_client_access_manager_session(
    user = load_current_client_user(db, require_client_session(session))
    permissions = module_access_map(user)
    if user.role != "superadmin" or not has_access_level(permissions.get("client_access"), "manage"):
+        log_security_event("authz.denied", role=session.role, module="client_access", access_level="manage")
        raise HTTPException(status_code=status.HTTP_403_FORBIDDEN, detail="Superadmin client access is required")

    return AuthSession(
@@ -1,4 +1,4 @@
-from fastapi import APIRouter, Depends, HTTPException, Response, status
+from fastapi import APIRouter, Depends, HTTPException, Query, Response, status
 from sqlalchemy.orm import Session

 from app.api.deps import AuthSession, require_client_module_access
@@ -37,10 +37,11 @@ def mix_calculator_options(

@router.get("", response_model=list[MixCalculatorSessionSummaryRead])
 def mix_calculator_sessions(
+    limit: int = Query(default=100, ge=1, le=200),
    session: AuthSession = Depends(require_client_module_access("mix_calculator")),
    db: Session = Depends(get_db),
 ):
-    return list_mix_calculator_sessions(db, auth_session=session)
+    return list_mix_calculator_sessions(db, auth_session=session, limit=limit)


@router.post("/preview", response_model=MixCalculatorPreviewRead)
@@ -1,4 +1,4 @@
-from fastapi import APIRouter, Depends, HTTPException, status
+from fastapi import APIRouter, Depends, HTTPException, Query, status
 from sqlalchemy import select
 from sqlalchemy.orm import Session

@@ -13,8 +13,12 @@ router = APIRouter(prefix="/api/mixes", tags=["mixes"])


@router.get("", response_model=list[MixRead])
-def list_mixes(session: AuthSession = Depends(require_client_module_access("mix_master")), db: Session = Depends(get_db)):
-    mixes = db.scalars(select(Mix).where(Mix.tenant_id == session.tenant_id).order_by(Mix.name)).all()
+def list_mixes(
+    limit: int = Query(default=100, ge=1, le=200),
+    session: AuthSession = Depends(require_client_module_access("mix_master")),
+    db: Session = Depends(get_db),
+):
+    mixes = db.scalars(select(Mix).where(Mix.tenant_id == session.tenant_id).order_by(Mix.name).limit(limit)).all()
    return [calculate_mix_cost(db, mix.id) for mix in mixes]


@@ -1,4 +1,4 @@
-from fastapi import APIRouter, Depends, HTTPException, status
+from fastapi import APIRouter, Depends, HTTPException, Query, status
 from sqlalchemy import select
 from sqlalchemy.orm import Session

@@ -23,6 +23,7 @@ def _serialize_product(product: Product) -> dict:
        "mix_name": product.mix.name if product.mix else "",
        "sale_type": product.sale_type,
        "own_bag": product.own_bag,
+        "visible": product.visible,
        "unit_of_measure": product.unit_of_measure,
        "items_per_pallet": product.items_per_pallet,
        "bagging_process": product.bagging_process,
@@ -34,8 +35,12 @@ def _serialize_product(product: Product) -> dict:


@router.get("", response_model=list[ProductRead])
-def list_products(session: AuthSession = Depends(require_client_module_access("products")), db: Session = Depends(get_db)):
-    products = db.scalars(select(Product).where(Product.tenant_id == session.tenant_id).order_by(Product.name)).all()
+def list_products(
+    limit: int = Query(default=100, ge=1, le=200),
+    session: AuthSession = Depends(require_client_module_access("products")),
+    db: Session = Depends(get_db),
+):
+    products = db.scalars(select(Product).where(Product.tenant_id == session.tenant_id).order_by(Product.name).limit(limit)).all()
    return [_serialize_product(product) for product in products]


@@ -1,4 +1,4 @@
-from fastapi import APIRouter, Depends, HTTPException, status
+from fastapi import APIRouter, Depends, HTTPException, Query, status
 from sqlalchemy import select
 from sqlalchemy.orm import Session, selectinload

@@ -34,12 +34,17 @@ def _serialize_price(material: RawMaterial, price: RawMaterialPriceVersion) -> d


@router.get("", response_model=list[RawMaterialRead])
-def list_raw_materials(session: AuthSession = Depends(require_client_module_access("raw_materials")), db: Session = Depends(get_db)):
+def list_raw_materials(
+    limit: int = Query(default=100, ge=1, le=200),
+    session: AuthSession = Depends(require_client_module_access("raw_materials")),
+    db: Session = Depends(get_db),
+):
    materials = db.scalars(
        select(RawMaterial)
        .where(RawMaterial.tenant_id == session.tenant_id)
        .options(selectinload(RawMaterial.price_versions))
        .order_by(RawMaterial.name)
+        .limit(limit)
    ).all()
    return [serialize_raw_material(material) for material in materials]

@@ -130,7 +135,12 @@ def add_price_version(


@router.get("/{raw_material_id}/price-history", response_model=list[RawMaterialPriceVersionRead])
-def get_price_history(raw_material_id: int, session: AuthSession = Depends(require_client_module_access("raw_materials")), db: Session = Depends(get_db)):
+def get_price_history(
+    raw_material_id: int,
+    limit: int = Query(default=100, ge=1, le=200),
+    session: AuthSession = Depends(require_client_module_access("raw_materials")),
+    db: Session = Depends(get_db),
+):
    material = db.scalar(select(RawMaterial).where(RawMaterial.id == raw_material_id, RawMaterial.tenant_id == session.tenant_id))
    if material is None:
        raise HTTPException(status_code=404, detail="Raw material not found")
@@ -141,6 +151,7 @@ def get_price_history(raw_material_id: int, session: AuthSession = Depends(requi
            RawMaterialPriceVersion.tenant_id == session.tenant_id,
        )
        .order_by(RawMaterialPriceVersion.effective_date.desc())
+        .limit(limit)
    ).all()
    items = []
    for price in prices:
@@ -1,4 +1,4 @@
-from fastapi import APIRouter, Depends, HTTPException, status
+from fastapi import APIRouter, Depends, HTTPException, Query, status
 from sqlalchemy import select
 from sqlalchemy.orm import Session

@@ -12,8 +12,12 @@ router = APIRouter(prefix="/api/scenarios", tags=["scenarios"])


@router.get("", response_model=list[ScenarioRead])
-def list_scenarios(session: AuthSession = Depends(require_client_module_access("scenarios")), db: Session = Depends(get_db)):
-    return db.scalars(select(Scenario).where(Scenario.tenant_id == session.tenant_id).order_by(Scenario.created_at.desc())).all()
+def list_scenarios(
+    limit: int = Query(default=100, ge=1, le=200),
+    session: AuthSession = Depends(require_client_module_access("scenarios")),
+    db: Session = Depends(get_db),
+):
+    return db.scalars(select(Scenario).where(Scenario.tenant_id == session.tenant_id).order_by(Scenario.created_at.desc()).limit(limit)).all()


@router.post("", response_model=ScenarioRead, status_code=status.HTTP_201_CREATED)
@@ -16,18 +16,16 @@ from __future__ import annotations

 from typing import Iterable

-from fastapi import Depends, HTTPException, status
-from fastapi.security import HTTPAuthorizationCredentials, HTTPBearer
+from fastapi import Depends, HTTPException, Request, status
 from sqlalchemy import select
 from sqlalchemy.orm import Session, selectinload

 from app.core.security import verify_token
+from app.core.http import CLIENT_AUTH_COOKIE, get_bearer_or_cookie_token
+from app.core.security_logging import log_security_event
 from app.db.session import get_db
 from app.models.access import Permission, Role, User

-
-bearer_scheme = HTTPBearer(auto_error=False)
-
 # Subject claim used by tokens issued for internal Hunter Stock Feeds users.
 # Distinct from the existing client-portal/admin tokens so the two systems
 # cannot impersonate each other.
@@ -103,7 +101,7 @@ def _load_user(db: Session, user_id: int) -> User | None:


 def get_current_user(
-    credentials: HTTPAuthorizationCredentials | None = Depends(bearer_scheme),
+    request: Request,
    db: Session = Depends(get_db),
 ) -> User:
    """Resolve the current internal user from the bearer token.
@@ -111,10 +109,11 @@ def get_current_user(
    Raises 401 for missing/invalid tokens or unknown users, 403 for inactive
    users.
    """
-    if credentials is None:
+    token = get_bearer_or_cookie_token(request, cookie_name=CLIENT_AUTH_COOKIE.name)
+    if token is None:
        raise HTTPException(status_code=status.HTTP_401_UNAUTHORIZED, detail="Authentication required")

-    payload = verify_token(credentials.credentials)
+    payload = verify_token(token)
    if payload.get("sub") != INTERNAL_USER_SUBJECT:
        raise HTTPException(status_code=status.HTTP_401_UNAUTHORIZED, detail="Invalid authentication token")

@@ -136,6 +135,7 @@ def require_permission(permission_key: str):

    def dependency(user: User = Depends(get_current_user)) -> User:
        if not user_has_permission(user, permission_key):
+            log_security_event("authz.denied", role=user.role.name if user.role else None, permission=permission_key)
            raise HTTPException(
                status_code=status.HTTP_403_FORBIDDEN,
                detail=f"Missing required permission: {permission_key}",
@@ -152,6 +152,7 @@ def require_any_permission(permission_keys: Iterable[str]):
    def dependency(user: User = Depends(get_current_user)) -> User:
        granted = get_user_permissions(user)
        if not any(key in granted for key in keys):
+            log_security_event("authz.denied", role=user.role.name if user.role else None, permissions=list(keys))
            raise HTTPException(
                status_code=status.HTTP_403_FORBIDDEN,
                detail=f"Requires any of: {list(keys)}",
@@ -169,6 +170,7 @@ def require_all_permissions(permission_keys: Iterable[str]):
        granted = get_user_permissions(user)
        missing = [key for key in keys if key not in granted]
        if missing:
+            log_security_event("authz.denied", role=user.role.name if user.role else None, permissions=missing)
            raise HTTPException(
                status_code=status.HTTP_403_FORBIDDEN,
                detail=f"Missing required permissions: {missing}",
@@ -16,9 +16,21 @@ def _parse_csv_env(value: str) -> tuple[str, ...]:
    return tuple(part.strip() for part in value.split(",") if part.strip())


+def _env_flag(name: str, default: bool = False) -> bool:
+    value = os.getenv(name)
+    if value is None:
+        return default
+    return value.strip().lower() in {"1", "true", "yes", "on"}
+
+
@dataclass(frozen=True)
 class Settings:
    app_name: str
+    app_env: str
+    host: str
+    port: int
+    log_level: str
+    log_verbose: bool
    database_url: str
    client_name: str
    client_email: str
@@ -30,11 +42,27 @@ class Settings:
    auth_secret: str
    cors_allow_origins: tuple[str, ...]
    cors_allow_origin_regex: str
+    session_ttl_seconds: int
+    session_cookie_name: str
+    admin_session_cookie_name: str
+    session_cookie_secure: bool
+    session_cookie_samesite: str
+    session_cookie_domain: str | None
+    request_body_max_bytes: int
+    login_rate_limit_attempts: int
+    login_rate_limit_window_seconds: int
+    trusted_hosts: tuple[str, ...]
+    docs_enabled: bool

    @classmethod
    def from_env(cls) -> "Settings":
-        return cls(
+        settings = cls(
            app_name=os.getenv("APP_NAME", "Data Entry App API"),
+            app_env=os.getenv("APP_ENV", os.getenv("ENVIRONMENT", "development")),
+            host=os.getenv("HOST", "0.0.0.0"),
+            port=int(os.getenv("PORT", "8000")),
+            log_level=os.getenv("LOG_LEVEL", "DEBUG" if os.getenv("LOG_VERBOSE") in {"1", "true", "TRUE", "yes", "on"} else "INFO"),
+            log_verbose=_env_flag("LOG_VERBOSE"),
            database_url=os.getenv("DATABASE_URL", "sqlite:///./data_entry_app.db"),
            client_name=os.getenv("CLIENT_NAME", "Hunter Premium Produce"),
            client_email=os.getenv("CLIENT_EMAIL", "operator@example.com"),
@@ -51,7 +79,47 @@ class Settings:
                )
            ),
            cors_allow_origin_regex=os.getenv("CORS_ALLOW_ORIGIN_REGEX", DEFAULT_CORS_ALLOW_ORIGIN_REGEX),
+            session_ttl_seconds=int(os.getenv("SESSION_TTL_SECONDS", str(60 * 60 * 12))),
+            session_cookie_name=os.getenv("SESSION_COOKIE_NAME", "client_session"),
+            admin_session_cookie_name=os.getenv("ADMIN_SESSION_COOKIE_NAME", "admin_session"),
+            session_cookie_secure=_env_flag("SESSION_COOKIE_SECURE"),
+            session_cookie_samesite=os.getenv("SESSION_COOKIE_SAMESITE", "lax").lower(),
+            session_cookie_domain=os.getenv("SESSION_COOKIE_DOMAIN", "").strip() or None,
+            request_body_max_bytes=int(os.getenv("REQUEST_BODY_MAX_BYTES", str(1024 * 1024))),
+            login_rate_limit_attempts=int(os.getenv("LOGIN_RATE_LIMIT_ATTEMPTS", "8")),
+            login_rate_limit_window_seconds=int(os.getenv("LOGIN_RATE_LIMIT_WINDOW_SECONDS", "300")),
+            trusted_hosts=_parse_csv_env(os.getenv("TRUSTED_HOSTS", "localhost,127.0.0.1,testserver")),
+            docs_enabled=_env_flag("DOCS_ENABLED", default=os.getenv("APP_ENV", os.getenv("ENVIRONMENT", "development")).lower() != "production"),
        )
+        settings._validate()
+        return settings
+
+    def _validate(self) -> None:
+        if self.session_cookie_samesite not in {"lax", "strict", "none"}:
+            raise ValueError("SESSION_COOKIE_SAMESITE must be one of: lax, strict, none")
+
+        is_production = self.app_env.lower() == "production"
+        if not is_production:
+            return
+
+        if self.client_password in {"changeme", "", "replace-with-strong-password"}:
+            raise ValueError("CLIENT_PASSWORD must be set to a non-default value in production")
+        if self.admin_password in {"lean101-admin", "", "replace-with-strong-password"}:
+            raise ValueError("ADMIN_PASSWORD must be set to a non-default value in production")
+        if self.auth_secret in {"lean-101-local-dev-secret", "change-me-in-production", "", "replace-with-a-long-random-secret"}:
+            raise ValueError("AUTH_SECRET must be set to a strong production secret")
+        if len(self.auth_secret) < 32:
+            raise ValueError("AUTH_SECRET must be at least 32 characters in production")
+        if not self.session_cookie_secure:
+            raise ValueError("SESSION_COOKIE_SECURE must be enabled in production")
+        if not self.cors_allow_origins:
+            raise ValueError("CORS_ALLOW_ORIGINS must explicitly list production origins")
+        if "localhost" in ",".join(self.cors_allow_origins).lower():
+            raise ValueError("CORS_ALLOW_ORIGINS cannot include localhost in production")
+        if self.cors_allow_origin_regex == DEFAULT_CORS_ALLOW_ORIGIN_REGEX:
+            raise ValueError("CORS_ALLOW_ORIGIN_REGEX must be overridden or blank in production")
+        if self.docs_enabled:
+            raise ValueError("DOCS_ENABLED must be false in production")


 settings = Settings.from_env()
@@ -0,0 +1,51 @@
+from __future__ import annotations
+
+from dataclasses import dataclass
+from typing import Final
+
+from fastapi import Request, Response
+
+from app.core.config import settings
+
+
+COOKIE_PATH: Final[str] = "/"
+
+
+@dataclass(frozen=True)
+class AuthCookie:
+    name: str
+
+    def apply(self, response: Response, token: str) -> None:
+        response.set_cookie(
+            key=self.name,
+            value=token,
+            httponly=True,
+            secure=settings.session_cookie_secure,
+            samesite=settings.session_cookie_samesite,
+            domain=settings.session_cookie_domain,
+            path=COOKIE_PATH,
+            max_age=settings.session_ttl_seconds,
+        )
+
+    def clear(self, response: Response) -> None:
+        response.delete_cookie(
+            key=self.name,
+            domain=settings.session_cookie_domain,
+            path=COOKIE_PATH,
+        )
+
+
+CLIENT_AUTH_COOKIE = AuthCookie(settings.session_cookie_name)
+ADMIN_AUTH_COOKIE = AuthCookie(settings.admin_session_cookie_name)
+
+
+def get_bearer_or_cookie_token(request: Request, *, cookie_name: str) -> str | None:
+    authorization = request.headers.get("authorization", "").strip()
+    if authorization.lower().startswith("bearer "):
+        token = authorization[7:].strip()
+        if token:
+            return token
+    cookie_value = request.cookies.get(cookie_name)
+    if cookie_value:
+        return cookie_value
+    return None
@@ -0,0 +1,372 @@
+from __future__ import annotations
+
+from dataclasses import dataclass
+from datetime import datetime
+import logging
+import os
+import sys
+import time
+from typing import Iterable
+
+try:
+    from rich.console import Console
+    from rich.logging import RichHandler
+    from rich.table import Table
+    from rich.text import Text
+except ImportError:  # pragma: no cover - exercised only before dependency install
+    Console = None
+    RichHandler = None
+    Table = None
+    Text = None
+
+
+@dataclass(frozen=True)
+class LoggingSettings:
+    app_name: str
+    app_env: str
+    host: str
+    port: int
+    log_level: str
+    log_verbose: bool
+    database_url: str
+    version: str
+
+
+@dataclass(frozen=True)
+class StartupStatus:
+    app_name: str
+    version: str
+    environment: str
+    host: str
+    port: int
+    database: str
+    mode: str
+    started_at: str
+    local_url: str
+    network_url: str
+
+
+class PlainFormatter(logging.Formatter):
+    default_time_format = "%Y-%m-%d %H:%M:%S"
+
+    def format(self, record: logging.LogRecord) -> str:
+        if not hasattr(record, "component"):
+            record.component = record.name.rsplit(".", 1)[-1]
+        return super().format(record)
+
+
+def _allow_color() -> bool:
+    if RichHandler is None or Console is None:
+        return False
+    if os.getenv("NO_COLOR"):
+        return False
+    if os.getenv("TERM") == "dumb":
+        return False
+    return hasattr(sys.stderr, "isatty") and sys.stderr.isatty()
+
+
+def _allow_unicode() -> bool:
+    encoding = (getattr(sys.stdout, "encoding", None) or "").lower()
+    if not encoding:
+        return False
+    return "utf" in encoding
+
+
+def _console() -> Console:
+    return Console(
+        stderr=True,
+        soft_wrap=False,
+        highlight=False,
+        force_terminal=_allow_color(),
+        no_color=not _allow_color(),
+        emoji=False,
+    )
+
+
+def _rich_handler(level: str) -> RichHandler:
+    return RichHandler(
+        level=level,
+        console=_console(),
+        show_time=True,
+        show_level=True,
+        show_path=False,
+        omit_repeated_times=False,
+        markup=True,
+        rich_tracebacks=True,
+        tracebacks_show_locals=False,
+        log_time_format="%H:%M:%S",
+    )
+
+
+def _plain_handler(level: str) -> logging.StreamHandler:
+    handler = logging.StreamHandler()
+    handler.setLevel(level)
+    handler.setFormatter(
+        PlainFormatter("%(asctime)s | %(levelname)-7s | %(component)-10s | %(message)s")
+    )
+    return handler
+
+
+def _handler(level: str) -> logging.Handler:
+    return _rich_handler(level) if _allow_color() else _plain_handler(level)
+
+
+def configure_logging(settings: LoggingSettings) -> None:
+    level = settings.log_level.upper()
+    root = logging.getLogger()
+    root.handlers.clear()
+    root.setLevel(level)
+    root.addHandler(_handler(level))
+
+    for name in ("uvicorn", "uvicorn.error", "fastapi"):
+        logger = logging.getLogger(name)
+        logger.handlers.clear()
+        logger.setLevel(level)
+        logger.propagate = True
+
+    access_logger = logging.getLogger("uvicorn.access")
+    access_logger.handlers.clear()
+    access_logger.propagate = False
+    access_logger.disabled = True
+
+
+def get_logger(name: str) -> logging.LoggerAdapter[logging.Logger]:
+    component = name.rsplit(".", 1)[-1]
+    return logging.LoggerAdapter(logging.getLogger(name), {"component": component})
+
+
+def _icon(name: str) -> str:
+    ascii_icons = {
+        "app": "#",
+        "info": "i",
+        "success": "+",
+        "warning": "!",
+        "error": "x",
+        "debug": ".",
+        "section": "=",
+        "url": ">",
+        "shutdown": "-",
+    }
+    unicode_icons = {
+        "app": "◆",
+        "info": "ℹ",
+        "success": "✓",
+        "warning": "▲",
+        "error": "✖",
+        "debug": "•",
+        "section": "─",
+        "url": "↳",
+        "shutdown": "◦",
+    }
+    icons = unicode_icons if _allow_unicode() else ascii_icons
+    return icons[name]
+
+
+def _style(name: str) -> str:
+    return {
+        "info": "bold cyan",
+        "success": "bold green",
+        "warning": "bold yellow",
+        "error": "bold red",
+        "debug": "dim",
+        "section": "bold bright_blue",
+        "muted": "grey62",
+    }[name]
+
+
+def section_heading(title: str) -> None:
+    logger = get_logger("data_entry_app.section")
+    if _allow_color():
+        _console().rule(Text(f" {title.upper()} ", style=_style("section")))
+        return
+    logger.info("%s %s %s", _icon("section") * 10, title.upper(), _icon("section") * 10)
+
+
+def startup_banner(status: StartupStatus) -> None:
+    logger = get_logger("data_entry_app.startup")
+    if _allow_color():
+        console = _console()
+        table = Table.grid(expand=False)
+        table.add_column(style="bold white", justify="left")
+        table.add_column(style="white", justify="left")
+        table.add_row("Environment", status.environment)
+        table.add_row("Version", status.version)
+        table.add_row("Host", status.host)
+        table.add_row("Port", str(status.port))
+        table.add_row("Database", status.database)
+        table.add_row("Mode", status.mode)
+        table.add_row("Started", status.started_at)
+
+        console.rule(Text(f" {status.app_name} ", style="bold white"))
+        console.print(Text("Clean startup. Clear status. Ready.", style="italic cyan"))
+        console.print(table)
+        console.print()
+        console.print(Text("App is running at:", style="bold white"))
+        console.print(Text(f"  Local:   {status.local_url}", style="cyan"))
+        console.print(Text(f"  Network: {status.network_url}", style="cyan"))
+        console.print()
+        return
+
+    logger.info("%s %s", _icon("app"), "Startup banner")
+    logger.info("App         : %s", status.app_name)
+    logger.info("Environment : %s", status.environment)
+    logger.info("Version     : %s", status.version)
+    logger.info("Host        : %s", status.host)
+    logger.info("Port        : %s", status.port)
+    logger.info("Database    : %s", status.database)
+    logger.info("Mode        : %s", status.mode)
+    logger.info("Started     : %s", status.started_at)
+    logger.info("Local       : %s", status.local_url)
+    logger.info("Network     : %s", status.network_url)
+
+
+def status_message(level: str, message: str, *args: object, logger_name: str = "data_entry_app.status") -> None:
+    palette = {
+        "debug": logging.DEBUG,
+        "info": logging.INFO,
+        "success": logging.INFO,
+        "warning": logging.WARNING,
+        "error": logging.ERROR,
+    }
+    labels = {
+        "debug": f"[{_icon('debug')}]",
+        "info": f"[{_icon('info')}]",
+        "success": f"[{_icon('success')}]",
+        "warning": f"[{_icon('warning')}]",
+        "error": f"[{_icon('error')}]",
+    }
+    styles = {
+        "debug": _style("debug"),
+        "info": _style("info"),
+        "success": _style("success"),
+        "warning": _style("warning"),
+        "error": _style("error"),
+    }
+    logger = get_logger(logger_name)
+    rendered = message % args if args else message
+    if _allow_color():
+        logger.log(palette[level], f"[{styles[level]}]{labels[level]}[/] {rendered}")
+    else:
+        logger.log(palette[level], "%s %s", labels[level], rendered)
+
+
+def success(message: str, *args: object, logger_name: str = "data_entry_app.status") -> None:
+    status_message("success", message, *args, logger_name=logger_name)
+
+
+def warning(message: str, *args: object, logger_name: str = "data_entry_app.status") -> None:
+    status_message("warning", message, *args, logger_name=logger_name)
+
+
+def info(message: str, *args: object, logger_name: str = "data_entry_app.status") -> None:
+    status_message("info", message, *args, logger_name=logger_name)
+
+
+def debug(message: str, *args: object, logger_name: str = "data_entry_app.status") -> None:
+    status_message("debug", message, *args, logger_name=logger_name)
+
+
+def fatal(message: str, *args: object, exc_info: bool = False, logger_name: str = "data_entry_app.status") -> None:
+    logger = get_logger(logger_name)
+    rendered = message % args if args else message
+    if _allow_color():
+        logger.error(f"[{_style('error')}][{_icon('error')}][/] {rendered}", exc_info=exc_info)
+    else:
+        logger.error("[%s] %s", _icon("error"), rendered, exc_info=exc_info)
+
+
+def shutdown_summary(*, uptime_seconds: float, requests_served: int, host: str, port: int) -> None:
+    section_heading("Shutdown")
+    logger = get_logger("data_entry_app.shutdown")
+    summary = f"Uptime {uptime_seconds:.1f}s | Requests {requests_served} | Endpoint http://{host}:{port}"
+    if _allow_color():
+        logger.info(f"[{_style('debug')}]{_icon('shutdown')}[/] {summary}")
+    else:
+        logger.info("%s %s", _icon("shutdown"), summary)
+
+
+def describe_database(url: str) -> str:
+    if url.startswith("sqlite"):
+        return "sqlite"
+    if "postgresql" in url:
+        return "postgresql"
+    if "mysql" in url:
+        return "mysql"
+    return url.split(":", 1)[0]
+
+
+def sanitize_database_target(url: str) -> str:
+    if url.startswith("sqlite:///"):
+        return url.removeprefix("sqlite:///")
+    if "@" in url:
+        return url.split("@", 1)[1]
+    return url
+
+
+def startup_status(settings: LoggingSettings) -> StartupStatus:
+    host = settings.host
+    local_host = "localhost" if host in {"0.0.0.0", "::"} else host
+    timestamp = datetime.now().astimezone().strftime("%Y-%m-%d %H:%M:%S %Z")
+    return StartupStatus(
+        app_name=settings.app_name,
+        version=settings.version,
+        environment=settings.app_env,
+        host=settings.host,
+        port=settings.port,
+        database=f"{describe_database(settings.database_url)} ({sanitize_database_target(settings.database_url)})",
+        mode="verbose" if settings.log_verbose else "normal",
+        started_at=timestamp,
+        local_url=f"http://{local_host}:{settings.port}",
+        network_url=f"http://{host}:{settings.port}",
+    )
+
+
+def route_summary(routes: Iterable[object]) -> tuple[int, list[str]]:
+    lines: list[str] = []
+    count = 0
+    for route in routes:
+        path = getattr(route, "path", None)
+        methods = getattr(route, "methods", None)
+        if not path or not methods:
+            continue
+        filtered_methods = sorted(method for method in methods if method not in {"HEAD", "OPTIONS"})
+        if not filtered_methods:
+            continue
+        count += 1
+        lines.append(f"{','.join(filtered_methods):<7} {path}")
+    return count, lines
+
+
+def log_request(
+    *,
+    method: str,
+    path: str,
+    status_code: int,
+    duration_ms: float,
+    client: str,
+    content_length: str | None,
+) -> None:
+    level = "info"
+    if status_code >= 500:
+        level = "error"
+    elif status_code >= 400:
+        level = "warning"
+    elif path == "/health":
+        level = "debug"
+
+    message = (
+        f"{method:<6} {status_code:>3} {duration_ms:>7.1f}ms "
+        f"{path:<36} client={client}"
+    )
+    if content_length:
+        message += f" bytes={content_length}"
+    status_message(level, message, logger_name="data_entry_app.http")
+
+
+class RequestTimer:
+    def __init__(self) -> None:
+        self.started = time.perf_counter()
+
+    @property
+    def elapsed_ms(self) -> float:
+        return (time.perf_counter() - self.started) * 1000
@@ -0,0 +1,39 @@
+from __future__ import annotations
+
+import time
+from collections import deque
+from dataclasses import dataclass
+from threading import Lock
+
+from fastapi import HTTPException, Request, status
+
+
+@dataclass
+class SlidingWindowRateLimiter:
+    limit: int
+    window_seconds: int
+
+    def __post_init__(self) -> None:
+        self._events: dict[str, deque[float]] = {}
+        self._lock = Lock()
+
+    def hit(self, key: str) -> None:
+        now = time.time()
+        floor = now - self.window_seconds
+
+        with self._lock:
+            bucket = self._events.setdefault(key, deque())
+            while bucket and bucket[0] <= floor:
+                bucket.popleft()
+            if len(bucket) >= self.limit:
+                raise HTTPException(
+                    status_code=status.HTTP_429_TOO_MANY_REQUESTS,
+                    detail="Too many requests. Please try again later.",
+                )
+            bucket.append(now)
+
+
+def request_client_key(request: Request, *, suffix: str = "") -> str:
+    forwarded_for = request.headers.get("x-forwarded-for", "")
+    client_ip = forwarded_for.split(",", 1)[0].strip() if forwarded_for else (request.client.host if request.client else "unknown")
+    return f"{client_ip}:{suffix}" if suffix else client_ip
@@ -0,0 +1,15 @@
+from __future__ import annotations
+
+import logging
+
+
+logger = logging.getLogger("data_entry_app.security")
+
+
+def log_security_event(event: str, **fields: object) -> None:
+    safe_fields = {
+        key: value
+        for key, value in fields.items()
+        if key not in {"password", "token", "cookie", "authorization"}
+    }
+    logger.info("%s | %s", event, safe_fields)
@@ -2,9 +2,19 @@ from __future__ import annotations

 from dataclasses import dataclass, field

-from sqlalchemy import MetaData, inspect, text
+from sqlalchemy import MetaData, bindparam, inspect, text
 from sqlalchemy.engine import Engine

+HIDDEN_PRODUCT_CLIENTS = (
+    "Bird Grits",
+    "Chaff",
+    "Hay & Straw",
+    "Hunter Premium Produce",
+    "Straight Grain",
+    "Uncategorized",
+    "Uncategorised",
+)
+

 TENANT_TABLES = {
    "client_users": None,
@@ -88,6 +98,7 @@ def ensure_tenant_columns(engine: Engine) -> tuple[str, ...]:
 # introduced on the model. Each entry is (table, column, DDL fragment).
 _LEGACY_COLUMN_PATCHES: tuple[tuple[str, str, str], ...] = (
    ("users", "password_hash", "VARCHAR(255)"),
+    ("products", "visible", "BOOLEAN NOT NULL DEFAULT TRUE"),
 )


@@ -359,6 +370,24 @@ def sync_tenant_ids(engine: Engine) -> dict[str, int]:
    return synced_rows


+def sync_product_visibility(engine: Engine) -> int:
+    if not _table_exists(engine, "products") or not _has_column(engine, "products", "visible"):
+        return 0
+
+    with engine.begin() as connection:
+        result = connection.execute(
+            text(
+                """
+                UPDATE products
+                SET visible = FALSE
+                WHERE client_name IN :hidden_clients
+                  AND (visible IS NULL OR visible != FALSE)
+                """
+            ).bindparams(bindparam("hidden_clients", value=HIDDEN_PRODUCT_CLIENTS, expanding=True))
+        )
+    return result.rowcount or 0
+
+
 def bootstrap_schema(engine: Engine, metadata: MetaData) -> MigrationReport:
    created_tables = ensure_metadata_tables(engine, metadata)
    added_columns = ensure_tenant_columns(engine) + ensure_legacy_columns(engine)
@@ -1,17 +1,23 @@
 import logging
-import os
+import re
 import sys
 from contextlib import asynccontextmanager
+from importlib.metadata import PackageNotFoundError, version as package_version
 from pathlib import Path
 from threading import Lock
+from typing import Final

 if __package__ in {None, ""}:
    sys.path.insert(0, str(Path(__file__).resolve().parents[1]))

-from fastapi import FastAPI
+from fastapi import Request
+from fastapi import FastAPI, HTTPException, status
 from fastapi.middleware.cors import CORSMiddleware
+from fastapi.middleware.trustedhost import TrustedHostMiddleware
+from fastapi.responses import JSONResponse
 import uvicorn

+from app import models as _models  # noqa: F401 - ensure all SQLAlchemy models are registered
 from app.api.access import router as access_router
 from app.api.auth import router as auth_router
 from app.api.client_access import router as client_access_router
@@ -23,13 +29,64 @@ from app.api.products import router as products_router
 from app.api.raw_materials import router as raw_materials_router
 from app.api.scenarios import router as scenarios_router
 from app.core.config import settings
+from app.core.logging import (
+    LoggingSettings,
+    RequestTimer,
+    configure_logging,
+    debug,
+    fatal,
+    info,
+    log_request,
+    route_summary,
+    section_heading,
+    shutdown_summary,
+    startup_banner,
+    startup_status,
+    success,
+)
 from app.db.session import Base, engine
-from app.db.migrations import MigrationReport, bootstrap_schema, sync_tenant_ids
+from app.db.migrations import MigrationReport, bootstrap_schema, sync_product_visibility, sync_tenant_ids
 from app.seed import seed_if_empty

+
+def _resolve_version() -> str:
+    try:
+        return package_version("data-entry-app-backend")
+    except PackageNotFoundError:
+        return "0.0.0"
+
+
+APP_VERSION: Final[str] = _resolve_version()
+_logging_settings = LoggingSettings(
+    app_name=settings.app_name,
+    app_env=settings.app_env,
+    host=settings.host,
+    port=settings.port,
+    log_level=settings.log_level,
+    log_verbose=settings.log_verbose,
+    database_url=settings.database_url,
+    version=APP_VERSION,
+)
+
+configure_logging(_logging_settings)
+
 logger = logging.getLogger("data_entry_app.startup")
 _database_ready = False
 _database_ready_lock = Lock()
+_requests_served = 0
+
+
+def _origin_is_allowed(origin: str | None) -> bool:
+    if not origin:
+        return True
+
+    if origin in settings.cors_allow_origins:
+        return True
+
+    if settings.cors_allow_origin_regex:
+        return re.fullmatch(settings.cors_allow_origin_regex, origin) is not None
+
+    return False


 def ensure_database_ready() -> MigrationReport:
@@ -45,11 +102,15 @@ def ensure_database_ready() -> MigrationReport:
        schema_report = bootstrap_schema(engine, Base.metadata)
        seed_if_empty()
        tenant_sync_report = sync_tenant_ids(engine)
+        hidden_product_count = sync_product_visibility(engine)

        report = MigrationReport(
            created_tables=schema_report.created_tables,
            added_columns=schema_report.added_columns,
-            synced_tenant_rows=tenant_sync_report,
+            synced_tenant_rows={
+                **tenant_sync_report,
+                **({"products_visibility": hidden_product_count} if hidden_product_count else {}),
+            },
        )
        logger.info("Database startup checks complete: %s", report.summary())
        _database_ready = True
@@ -57,20 +118,72 @@ def ensure_database_ready() -> MigrationReport:


@asynccontextmanager
-async def lifespan(_: FastAPI):
-    ensure_database_ready()
+async def lifespan(app: FastAPI):
+    started = startup_status(_logging_settings)
+    launch_time = RequestTimer()
+
+    startup_banner(started)
+    section_heading("Startup")
+    info("Booting %s", settings.app_name, logger_name="data_entry_app.startup")
+
+    section_heading("Configuration")
+    success("Configuration loaded")
+    info("CORS origins: %s", ", ".join(settings.cors_allow_origins), logger_name="data_entry_app.config")
+    if settings.cors_allow_origin_regex:
+        debug("CORS regex: %s", settings.cors_allow_origin_regex, logger_name="data_entry_app.config")
+
+    section_heading("Database")
+    try:
+        report = ensure_database_ready()
+    except Exception:
+        fatal("Database startup failed", exc_info=True, logger_name="data_entry_app.database")
+        raise
+    success("Database connected")
+    if report.has_changes():
+        info(report.summary(), logger_name="data_entry_app.database")
+    else:
+        debug(report.summary(), logger_name="data_entry_app.database")
+
+    section_heading("Routes")
+    route_count, route_lines = route_summary(app.routes)
+    success("Routes registered (%s endpoints)", route_count)
+    if settings.log_verbose:
+        for route_line in route_lines:
+            debug(route_line, logger_name="data_entry_app.routes")
+
+    section_heading("Services")
+    success("HTTP API ready")
+    info("Docs available at /docs", logger_name="data_entry_app.services")
+    info("Health probe available at /health", logger_name="data_entry_app.services")
+
    yield

+    shutdown_summary(
+        uptime_seconds=launch_time.elapsed_ms / 1000,
+        requests_served=_requests_served,
+        host=settings.host,
+        port=settings.port,
+    )

-app = FastAPI(title=settings.app_name, lifespan=lifespan)
+
+app = FastAPI(
+    title=settings.app_name,
+    version=APP_VERSION,
+    lifespan=lifespan,
+    docs_url="/docs" if settings.docs_enabled else None,
+    redoc_url=None,
+    openapi_url="/openapi.json" if settings.docs_enabled else None,
+)
+
+app.add_middleware(TrustedHostMiddleware, allowed_hosts=list(settings.trusted_hosts) or ["*"])

 app.add_middleware(
    CORSMiddleware,
    allow_origins=list(settings.cors_allow_origins),
-    allow_origin_regex=settings.cors_allow_origin_regex,
+    allow_origin_regex=settings.cors_allow_origin_regex or None,
    allow_credentials=True,
-    allow_methods=["*"],
-    allow_headers=["*"],
+    allow_methods=["GET", "POST", "PATCH", "DELETE", "OPTIONS"],
+    allow_headers=["Authorization", "Content-Type", "X-Requested-With"],
 )

 app.include_router(auth_router)
@@ -85,6 +198,89 @@ app.include_router(scenarios_router)
 app.include_router(powerbi_router)


+@app.middleware("http")
+async def log_http_requests(request: Request, call_next):
+    global _requests_served
+
+    timer = RequestTimer()
+    try:
+        response = await call_next(request)
+    except Exception:
+        log_request(
+            method=request.method,
+            path=request.url.path,
+            status_code=500,
+            duration_ms=timer.elapsed_ms,
+            client=request.client.host if request.client else "-",
+            content_length=None,
+        )
+        raise
+
+    _requests_served += 1
+    log_request(
+        method=request.method,
+        path=request.url.path,
+        status_code=response.status_code,
+        duration_ms=timer.elapsed_ms,
+        client=request.client.host if request.client else "-",
+        content_length=response.headers.get("content-length"),
+    )
+    return response
+
+
+@app.middleware("http")
+async def enforce_request_limits_and_csrf(request: Request, call_next):
+    content_length = request.headers.get("content-length")
+    if content_length:
+        try:
+            if int(content_length) > settings.request_body_max_bytes:
+                return JSONResponse(
+                    status_code=status.HTTP_413_REQUEST_ENTITY_TOO_LARGE,
+                    content={"detail": "Request body is too large"},
+                )
+        except ValueError:
+            pass
+
+    if request.method in {"POST", "PUT", "PATCH", "DELETE"} and request.cookies:
+        origin = request.headers.get("origin")
+        if not _origin_is_allowed(origin):
+            return JSONResponse(
+                status_code=status.HTTP_403_FORBIDDEN,
+                content={"detail": "Origin is not allowed"},
+            )
+
+    response = await call_next(request)
+    response.headers["Content-Security-Policy"] = (
+        "default-src 'self'; "
+        "img-src 'self' data:; "
+        "style-src 'self' 'unsafe-inline'; "
+        "script-src 'self'; "
+        "font-src 'self' data:; "
+        "connect-src 'self'; "
+        "frame-ancestors 'self'; "
+        "base-uri 'self'; "
+        "form-action 'self'"
+    )
+    response.headers["Referrer-Policy"] = "strict-origin-when-cross-origin"
+    response.headers["X-Content-Type-Options"] = "nosniff"
+    response.headers["X-Frame-Options"] = "SAMEORIGIN"
+    response.headers["Permissions-Policy"] = "camera=(), microphone=(), geolocation=()"
+    if settings.app_env.lower() == "production":
+        response.headers["Strict-Transport-Security"] = "max-age=31536000; includeSubDomains"
+    return response
+
+
+@app.exception_handler(HTTPException)
+async def http_exception_handler(_: Request, exc: HTTPException):
+    return JSONResponse(status_code=exc.status_code, content={"detail": exc.detail})
+
+
+@app.exception_handler(Exception)
+async def unhandled_exception_handler(_: Request, exc: Exception):
+    fatal("Unhandled server error", exc_info=True, logger_name="data_entry_app.http")
+    return JSONResponse(status_code=500, content={"detail": "Internal server error"})
+
+
@app.get("/")
 def root():
    return {
@@ -117,9 +313,10 @@ def healthcheck():

 if __name__ == "__main__":
    report = ensure_database_ready()
-    print(f"Database startup checks complete: {report.summary()}")
+    success("Database startup checks complete: %s", report.summary(), logger_name="data_entry_app.startup")
    uvicorn.run(
        app,
-        host=os.getenv("HOST", "0.0.0.0"),
-        port=int(os.getenv("PORT", "8000")),
+        host=settings.host,
+        port=settings.port,
+        access_log=False,
    )
@@ -19,6 +19,7 @@ class Product(Base):
    mix_id: Mapped[int] = mapped_column(ForeignKey("mixes.id"))
    sale_type: Mapped[str] = mapped_column(String(64), default="standard")
    own_bag: Mapped[bool] = mapped_column(Boolean, default=False)
+    visible: Mapped[bool] = mapped_column(Boolean, default=True)
    unit_of_measure: Mapped[str] = mapped_column(String(64), default="20kg bag")
    items_per_pallet: Mapped[int] = mapped_column(Integer, default=50)
    bagging_process: Mapped[str | None] = mapped_column(String(64), nullable=True)
@@ -31,4 +32,3 @@ class Product(Base):


 from app.models.mix import Mix  # noqa: E402
-
@@ -1,30 +1,34 @@
 from datetime import datetime

-from pydantic import BaseModel
+from pydantic import BaseModel, ConfigDict, Field


 class ClientUserCreate(BaseModel):
+    model_config = ConfigDict(extra="forbid")
    client_account_id: int
-    full_name: str
-    email: str
+    full_name: str = Field(min_length=1, max_length=255)
+    email: str = Field(min_length=3, max_length=255)
    role: str = "viewer"
    status: str = "invited"
    is_new_user: bool = True


 class ClientUserUpdate(BaseModel):
-    full_name: str | None = None
-    email: str | None = None
+    model_config = ConfigDict(extra="forbid")
+    full_name: str | None = Field(default=None, min_length=1, max_length=255)
+    email: str | None = Field(default=None, min_length=3, max_length=255)
    role: str | None = None
    status: str | None = None
    is_new_user: bool | None = None


 class ClientFeatureUpdate(BaseModel):
+    model_config = ConfigDict(extra="forbid")
    enabled: bool


 class ClientUserModulePermissionUpdate(BaseModel):
+    model_config = ConfigDict(extra="forbid")
    access_level: str


@@ -4,14 +4,16 @@ from pydantic import BaseModel, ConfigDict, Field


 class MixIngredientCreate(BaseModel):
+    model_config = ConfigDict(extra="forbid")
    raw_material_id: int
    quantity_kg: float = Field(gt=0)
-    notes: str | None = None
+    notes: str | None = Field(default=None, max_length=1000)


 class MixIngredientUpdate(BaseModel):
+    model_config = ConfigDict(extra="forbid")
    quantity_kg: float | None = Field(default=None, gt=0)
-    notes: str | None = None
+    notes: str | None = Field(default=None, max_length=1000)


 class MixIngredientRead(BaseModel):
@@ -26,20 +28,22 @@ class MixIngredientRead(BaseModel):


 class MixCreate(BaseModel):
-    client_name: str
-    name: str
+    model_config = ConfigDict(extra="forbid")
+    client_name: str = Field(min_length=1, max_length=255)
+    name: str = Field(min_length=1, max_length=255)
    status: str = "draft"
    version: int = 1
-    notes: str | None = None
+    notes: str | None = Field(default=None, max_length=2000)
    ingredients: list[MixIngredientCreate]


 class MixUpdate(BaseModel):
-    client_name: str | None = None
-    name: str | None = None
+    model_config = ConfigDict(extra="forbid")
+    client_name: str | None = Field(default=None, min_length=1, max_length=255)
+    name: str | None = Field(default=None, min_length=1, max_length=255)
    status: str | None = None
    version: int | None = None
-    notes: str | None = None
+    notes: str | None = Field(default=None, max_length=2000)


 class MixRead(BaseModel):
@@ -57,4 +61,3 @@ class MixRead(BaseModel):
    mix_cost_per_kg: float | None
    warnings: list[str]
    model_config = ConfigDict(from_attributes=True)
-
@@ -30,13 +30,14 @@ class MixCalculatorSessionLineRead(BaseModel):


 class MixCalculatorSessionBase(BaseModel):
+    model_config = ConfigDict(extra="forbid")
    mix_date: date
-    client_name: str
+    client_name: str = Field(min_length=1, max_length=255)
    product_id: int
    batch_size_kg: float = Field(gt=0)
    prepared_by_name: str = Field(min_length=1, max_length=255)
    status: str = "saved"
-    notes: str | None = None
+    notes: str | None = Field(default=None, max_length=2000)


 class MixCalculatorSessionCreate(MixCalculatorSessionBase):
@@ -44,13 +45,14 @@ class MixCalculatorSessionCreate(MixCalculatorSessionBase):


 class MixCalculatorSessionUpdate(BaseModel):
+    model_config = ConfigDict(extra="forbid")
    mix_date: date | None = None
-    client_name: str | None = None
+    client_name: str | None = Field(default=None, min_length=1, max_length=255)
    product_id: int | None = None
    batch_size_kg: float | None = Field(default=None, gt=0)
    prepared_by_name: str | None = Field(default=None, min_length=1, max_length=255)
    status: str | None = None
-    notes: str | None = None
+    notes: str | None = Field(default=None, max_length=2000)


 class MixCalculatorPreviewRead(BaseModel):
@@ -4,33 +4,37 @@ from pydantic import BaseModel, ConfigDict, Field


 class ProductCreate(BaseModel):
-    client_name: str
-    item_id: str | None = None
-    name: str
+    model_config = ConfigDict(extra="forbid")
+    client_name: str = Field(min_length=1, max_length=255)
+    item_id: str | None = Field(default=None, max_length=128)
+    name: str = Field(min_length=1, max_length=255)
    mix_id: int
    sale_type: str = "standard"
    own_bag: bool = False
-    unit_of_measure: str = "20kg bag"
+    visible: bool = True
+    unit_of_measure: str = Field(default="20kg bag", min_length=1, max_length=64)
    items_per_pallet: int = Field(default=50, gt=0)
-    bagging_process: str | None = None
+    bagging_process: str | None = Field(default=None, max_length=128)
    distributor_margin: float | None = Field(default=None, gt=0, lt=1)
    wholesale_margin: float | None = Field(default=None, gt=0, lt=1)
-    notes: str | None = None
+    notes: str | None = Field(default=None, max_length=2000)


 class ProductUpdate(BaseModel):
-    client_name: str | None = None
-    item_id: str | None = None
-    name: str | None = None
+    model_config = ConfigDict(extra="forbid")
+    client_name: str | None = Field(default=None, min_length=1, max_length=255)
+    item_id: str | None = Field(default=None, max_length=128)
+    name: str | None = Field(default=None, min_length=1, max_length=255)
    mix_id: int | None = None
    sale_type: str | None = None
    own_bag: bool | None = None
-    unit_of_measure: str | None = None
+    visible: bool | None = None
+    unit_of_measure: str | None = Field(default=None, min_length=1, max_length=64)
    items_per_pallet: int | None = Field(default=None, gt=0)
-    bagging_process: str | None = None
+    bagging_process: str | None = Field(default=None, max_length=128)
    distributor_margin: float | None = Field(default=None, gt=0, lt=1)
    wholesale_margin: float | None = Field(default=None, gt=0, lt=1)
-    notes: str | None = None
+    notes: str | None = Field(default=None, max_length=2000)


 class ProductRead(BaseModel):
@@ -43,6 +47,7 @@ class ProductRead(BaseModel):
    mix_name: str
    sale_type: str
    own_bag: bool
+    visible: bool
    unit_of_measure: str
    items_per_pallet: int
    bagging_process: str | None
@@ -4,11 +4,12 @@ from pydantic import BaseModel, ConfigDict, Field


 class RawMaterialPriceVersionCreate(BaseModel):
+    model_config = ConfigDict(extra="forbid")
    market_value: float = Field(gt=0)
    waste_percentage: float = Field(ge=0, default=0.0)
    effective_date: date
    status: str = "active"
-    notes: str | None = None
+    notes: str | None = Field(default=None, max_length=2000)


 class RawMaterialPriceVersionRead(RawMaterialPriceVersionCreate):
@@ -21,21 +22,23 @@ class RawMaterialPriceVersionRead(RawMaterialPriceVersionCreate):


 class RawMaterialCreate(BaseModel):
-    name: str
-    supplier: str | None = None
-    unit_of_measure: str
+    model_config = ConfigDict(extra="forbid")
+    name: str = Field(min_length=1, max_length=255)
+    supplier: str | None = Field(default=None, max_length=255)
+    unit_of_measure: str = Field(min_length=1, max_length=64)
    kg_per_unit: float = Field(gt=0)
    status: str = "active"
-    notes: str | None = None
+    notes: str | None = Field(default=None, max_length=2000)
    initial_price: RawMaterialPriceVersionCreate


 class RawMaterialUpdate(BaseModel):
-    supplier: str | None = None
-    unit_of_measure: str | None = None
+    model_config = ConfigDict(extra="forbid")
+    supplier: str | None = Field(default=None, max_length=255)
+    unit_of_measure: str | None = Field(default=None, min_length=1, max_length=64)
    kg_per_unit: float | None = Field(default=None, gt=0)
    status: str | None = None
-    notes: str | None = None
+    notes: str | None = Field(default=None, max_length=2000)


 class RawMaterialRead(BaseModel):
@@ -50,4 +53,3 @@ class RawMaterialRead(BaseModel):
    created_at: datetime
    current_price: RawMaterialPriceVersionRead | None
    model_config = ConfigDict(from_attributes=True)
-
@@ -6,8 +6,9 @@ from app.schemas.product import ProductCostBreakdown


 class ScenarioCreate(BaseModel):
-    name: str
-    description: str | None = None
+    model_config = ConfigDict(extra="forbid")
+    name: str = Field(min_length=1, max_length=255)
+    description: str | None = Field(default=None, max_length=2000)
    overrides: dict = Field(default_factory=dict)


@@ -25,6 +25,17 @@ WORKBOOK_EFFECTIVE_DATE = date(2025, 9, 1)
 WORKBOOK_SENTINEL_ITEM_ID = "404266"
 WORKBOOK_FILENAME = "Input Cost Spreadsheet(1).xlsx"
 logger = logging.getLogger("data_entry_app.seed")
+HIDDEN_PRODUCT_CLIENTS = frozenset(
+    {
+        "Bird Grits",
+        "Chaff",
+        "Hay & Straw",
+        "Hunter Premium Produce",
+        "Straight Grain",
+        "Uncategorized",
+        "Uncategorised",
+    }
+)


 def _workbook_candidates() -> list[Path]:
@@ -287,6 +298,7 @@ def _read_product_rows(workbook) -> list[dict]:
                "wholesale_margin": _derive_margin(round(_number(row[17]) or 0.0, 4), row[20]),
                "process_label": _text(row[8]),
                "sheet_own_bag": _text(row[5]),
+                "visible": (_text(row[0]) or "General") not in HIDDEN_PRODUCT_CLIENTS,
            }
        )

@@ -569,6 +581,7 @@ def _upsert_products(db, products: list[dict], mix_lookup: dict[tuple[str, str],
                mix_id=mix.id,
                sale_type=row["sale_type"],
                own_bag=row["own_bag"],
+                visible=row["visible"],
                unit_of_measure=row["unit_of_measure"],
                items_per_pallet=row["items_per_pallet"],
                bagging_process=row["bagging_process"],
@@ -584,6 +597,7 @@ def _upsert_products(db, products: list[dict], mix_lookup: dict[tuple[str, str],
            product.mix_id = mix.id
            product.sale_type = row["sale_type"]
            product.own_bag = row["own_bag"]
+            product.visible = row["visible"]
            product.unit_of_measure = row["unit_of_measure"]
            product.items_per_pallet = row["items_per_pallet"]
            product.bagging_process = row["bagging_process"]
@@ -27,7 +27,7 @@ def _build_session_access_query(session: AuthSession):
 def _load_product_for_calculation(db: Session, tenant_id: str, product_id: int) -> Product | None:
    return db.scalar(
        select(Product)
-        .where(Product.id == product_id, Product.tenant_id == tenant_id)
+        .where(Product.id == product_id, Product.tenant_id == tenant_id, Product.visible.is_(True))
        .options(selectinload(Product.mix).selectinload(Mix.ingredients).selectinload(MixIngredient.raw_material))
    )

@@ -122,7 +122,7 @@ def build_mix_calculator_options(db: Session, *, tenant_id: str) -> dict:

    products = db.scalars(
        select(Product)
-        .where(Product.tenant_id == tenant_id)
+        .where(Product.tenant_id == tenant_id, Product.visible.is_(True))
        .options(joinedload(Product.mix))
        .order_by(Product.client_name, Product.name)
    ).all()
@@ -191,11 +191,12 @@ def serialize_mix_calculator_session(session_record: MixCalculatorSession, auth_
    }


-def list_mix_calculator_sessions(db: Session, *, auth_session: AuthSession) -> list[dict]:
+def list_mix_calculator_sessions(db: Session, *, auth_session: AuthSession, limit: int = 100) -> list[dict]:
    sessions = db.scalars(
        _build_session_access_query(auth_session)
        .options(selectinload(MixCalculatorSession.lines))
        .order_by(MixCalculatorSession.created_at.desc(), MixCalculatorSession.id.desc())
+        .limit(limit)
    ).all()
    return [serialize_mix_calculator_session(session_record, auth_session) for session_record in sessions]