docker-deploy-smoke

frontend-roles-ux
work-order-hardening
2026-05-16 19:35:07 +09:00 · 2026-05-16 19:35:04 +09:00 · 2026-05-16 19:35:01 +09:00 · 2026-05-16 19:34:56 +09:00
15 changed files with 217 additions and 14 deletions
--- a/.env.example
+++ b/.env.example
@@ -20,7 +20,5 @@ SECRET_KEY=change-this-long-random-secret
 REDIS_URL=redis://redis:6379/0
 OCR_PROVIDER=tesseract
 OCR_LANGUAGES=eng+rus+kor
-LLM_BASE_URL=
-LLM_MODEL=
 ADMIN_TELEGRAM_IDS=
 ADMIN_BOOTSTRAP_TOKEN=
--- a/DEPLOY.md
+++ b/DEPLOY.md
@@ -19,7 +19,7 @@ Edit `.env` and set real secrets:
 - `INTERNAL_API_TOKEN`
 - `SECRET_KEY`
 - `REDIS_URL` if Redis is external
- `VAPID_PUBLIC_KEY` / `VAPID_PRIVATE_KEY` when browser push is enabled
+- `VAPID_PUBLIC_KEY` / `VAPID_PRIVATE_KEY` only when browser push beta is enabled
 - `ADMIN_TELEGRAM_IDS`

 Production must use public HTTPS URLs and `ALLOW_DEV_AUTH=false`.
@@ -34,6 +34,7 @@ curl -fsS http://127.0.0.1:8000/ready
 ```

 The default compose stack includes Postgres, Redis, API and bot services with health checks, restart policies and log rotation.
+Telegram notifications are the primary pilot notification channel. Browser push currently stores subscriptions and is treated as beta until server-side Web Push delivery is enabled.

 ## Git-Based Update

@@ -51,7 +52,7 @@ The script runs:
 - Docker build/up
 - `alembic upgrade head`
 - Python smoke compile
- `/ready` health check
+- `/health`, `/ready` and `/metrics` smoke checks

 Do not use rsync as the primary deploy mechanism.

@@ -75,12 +76,24 @@ Create a compressed custom-format dump before risky deploys:
 BACKUP_DIR=/opt/carpass/backups ./scripts/backup_db.sh
 ```

+Compatibility wrapper:
+
+```bash
+BACKUP_DIR=/opt/carpass/backups ./scripts/backup.sh
+```
+
 Restore only during a maintenance window:

 ```bash
 ./scripts/restore_db.sh /opt/carpass/backups/carpass-drivers-YYYYMMDDTHHMMSSZ.dump
 ```

+Compatibility wrapper:
+
+```bash
+./scripts/restore.sh /opt/carpass/backups/carpass-drivers-YYYYMMDDTHHMMSSZ.dump
+```
+
 For volume-level recovery, back up the Docker named volumes `pgdata` and `redisdata` according to the host backup policy.

 ## Logs
--- a/README.md
+++ b/README.md
@@ -63,6 +63,8 @@ CarPass создает рекомендации обслуживания из д

 Уведомления имеют статусы `pending`, `processing`, `sent`, `failed`, `retrying`, `abandoned`, `read`, счетчик повторов и idempotency key, чтобы не плодить дубли.

+Telegram-уведомления являются основным каналом закрытого пилота. Browser push уже умеет сохранять подписки в Mini App и принимать push-события в service worker, но серверная Web Push-доставка помечена как beta и не считается критическим каналом пилота.
+
 ## Безопасность данных

 CarPass не раскрывает историю автомобиля по одному VIN или госномеру. СТО видит только разрешенный владельцем объем данных: базовую карточку, историю обслуживания или полный доступ. Любые чувствительные изменения, включая VIN, номер, пробег и технические параметры, проходят подтверждение владельца.
--- a/app/api/work_orders.py
+++ b/app/api/work_orders.py
@@ -88,6 +88,13 @@ async def get_work_order_with_items(session: AsyncSession, work_order_id: int) -
    return visit


+async def get_work_order_correction(session: AsyncSession, correction_id: int) -> WorkOrderCorrection:
+    correction = await session.get(WorkOrderCorrection, correction_id)
+    if correction is None:
+        raise HTTPException(status_code=404, detail="Work order correction not found")
+    return correction
+
+
 async def ensure_work_order_sto_access(
    session: AsyncSession, visit: ServiceVisit, user: User, allowed_roles: set[str] | None = None
 ) -> None:
@@ -539,6 +546,26 @@ async def request_vehicle_profile_details(
    return visit


+@router.get("/{work_order_id}/corrections", response_model=list[WorkOrderCorrectionRead])
+async def list_work_order_corrections(
+    work_order_id: int,
+    session: AsyncSession = Depends(get_session),
+    current_user: User = Depends(get_current_telegram_user),
+) -> list[WorkOrderCorrection]:
+    visit = await get_work_order(session, work_order_id)
+    vehicle = await session.get(Car, visit.vehicle_id)
+    if vehicle is None:
+        raise HTTPException(status_code=404, detail="Vehicle not found")
+    if vehicle.owner_id != current_user.id:
+        await ensure_work_order_sto_access(session, visit, current_user)
+    result = await session.execute(
+        select(WorkOrderCorrection)
+        .where(WorkOrderCorrection.service_visit_id == visit.id)
+        .order_by(WorkOrderCorrection.created_at.desc(), WorkOrderCorrection.id.desc())
+    )
+    return list(result.scalars())
+
+
@router.post("/{work_order_id}/corrections", response_model=WorkOrderCorrectionRead, status_code=status.HTTP_201_CREATED)
 async def create_work_order_correction(
    work_order_id: int,
@@ -559,6 +586,19 @@ async def create_work_order_correction(
        created_version=visit.version or 1,
    )
    session.add(correction)
+    vehicle = await session.get(Car, visit.vehicle_id)
+    if payload.owner_approval_required and vehicle is not None:
+        await create_service_notification(
+            session,
+            recipient_user_id=vehicle.owner_id,
+            service_center_id=visit.service_center_id,
+            notification_type="work_order.correction_waiting_owner_approval",
+            title="СТО просит согласовать правку заказ-наряда",
+            body=payload.reason,
+            idempotency_key=f"work_order:{visit.id}:correction:{visit.version or 1}:{payload.reason[:80]}",
+            web_app_url=work_order_webapp_url(visit.id),
+            button_text="Открыть заказ-наряд",
+        )
    await log_audit(
        session,
        actor=current_user,
@@ -572,6 +612,60 @@ async def create_work_order_correction(
    return correction


+@router.post("/corrections/{correction_id}/approve", response_model=WorkOrderCorrectionRead)
+async def approve_work_order_correction(
+    correction_id: int,
+    payload: WorkOrderDecision,
+    session: AsyncSession = Depends(get_session),
+    current_user: User = Depends(get_current_telegram_user),
+) -> WorkOrderCorrection:
+    correction = await get_work_order_correction(session, correction_id)
+    visit = await get_work_order(session, correction.service_visit_id)
+    await ensure_work_order_owner_access(session, visit, current_user)
+    if correction.status != "pending":
+        raise HTTPException(status_code=409, detail="Correction is already resolved")
+    correction.status = "approved"
+    correction.resolved_at = datetime.now(UTC)
+    await log_audit(
+        session,
+        actor=current_user,
+        action="work_order.correction.approve",
+        target_type="work_order_correction",
+        target_id=correction.id,
+        metadata={"comment": payload.comment},
+    )
+    await session.commit()
+    await session.refresh(correction)
+    return correction
+
+
+@router.post("/corrections/{correction_id}/reject", response_model=WorkOrderCorrectionRead)
+async def reject_work_order_correction(
+    correction_id: int,
+    payload: WorkOrderDecision,
+    session: AsyncSession = Depends(get_session),
+    current_user: User = Depends(get_current_telegram_user),
+) -> WorkOrderCorrection:
+    correction = await get_work_order_correction(session, correction_id)
+    visit = await get_work_order(session, correction.service_visit_id)
+    await ensure_work_order_owner_access(session, visit, current_user)
+    if correction.status != "pending":
+        raise HTTPException(status_code=409, detail="Correction is already resolved")
+    correction.status = "rejected"
+    correction.resolved_at = datetime.now(UTC)
+    await log_audit(
+        session,
+        actor=current_user,
+        action="work_order.correction.reject",
+        target_type="work_order_correction",
+        target_id=correction.id,
+        metadata={"comment": payload.comment},
+    )
+    await session.commit()
+    await session.refresh(correction)
+    return correction
+
+
@router.get("/{work_order_id}/status-history", response_model=list[WorkOrderStatusHistoryRead])
 async def work_order_status_history(
    work_order_id: int,
--- a/app/core/config.py
+++ b/app/core/config.py
@@ -22,8 +22,6 @@ class Settings(BaseSettings):
    allow_dev_auth: bool = False
    ocr_provider: str = "tesseract"
    ocr_languages: str = "eng+rus+kor"
-    llm_base_url: str = ""
-    llm_model: str = ""
    admin_telegram_ids: str = ""
    admin_bootstrap_token: str = ""

--- a/bot/main.py
+++ b/bot/main.py
@@ -25,7 +25,7 @@ dp = Dispatcher()
 api = ApiClient()

 APPROVED_SERVICE_STATUSES = {"approved", "verified"}
-STO_WORKPLACE_ROLES = {"owner", "mechanic"}
+STO_WORKPLACE_ROLES = {"owner", "manager", "receptionist", "mechanic"}


 def webapp_url(path: str = "") -> str:
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -54,8 +54,6 @@ services:
      ALLOW_DEV_AUTH: ${ALLOW_DEV_AUTH:-false}
      OCR_PROVIDER: ${OCR_PROVIDER:-tesseract}
      OCR_LANGUAGES: ${OCR_LANGUAGES:-eng+rus+kor}
-      LLM_BASE_URL: ${LLM_BASE_URL:-}
-      LLM_MODEL: ${LLM_MODEL:-}
      REDIS_URL: ${REDIS_URL:-redis://redis:6379/0}
      SECRET_KEY: ${SECRET_KEY:-}
      VAPID_PUBLIC_KEY: ${VAPID_PUBLIC_KEY:-}
@@ -91,8 +89,6 @@ services:
      APP_ENV: ${APP_ENV:-development}
      OCR_PROVIDER: ${OCR_PROVIDER:-tesseract}
      OCR_LANGUAGES: ${OCR_LANGUAGES:-eng+rus+kor}
-      LLM_BASE_URL: ${LLM_BASE_URL:-}
-      LLM_MODEL: ${LLM_MODEL:-}
      REDIS_URL: ${REDIS_URL:-redis://redis:6379/0}
      SECRET_KEY: ${SECRET_KEY:-}
    depends_on:
--- a/docs/production_pilot_entity_map.md
+++ b/docs/production_pilot_entity_map.md
@@ -0,0 +1,47 @@
+# CarPass Production Pilot Entity Map
+
+This map captures the closed-pilot domain model as implemented in the codebase.
+
+## Owner Domain
+
+- `User` owns `Car` records and authenticates through Telegram.
+- `Car` is the vehicle/passport entity. It owns `FuelEntry`, `ServiceEntry`, `ExpenseEntry`, `OdometerHistory`, `CarServiceLink`, `ServiceAppointment`, `ServiceVisit`, and `MaintenanceRecommendation`.
+- `FuelEntry`, `ServiceEntry`, and `ExpenseEntry` update ownership analytics and can update the vehicle odometer through `OdometerHistory`.
+- `OwnershipAnalytics` is computed on demand from entries, expenses, depreciation settings, and loan settings.
+- `VehicleAccess` grants non-owner user access to a vehicle for selected backend flows.
+
+## STO Domain
+
+- `ServiceCenter` is the STO profile and tenant boundary.
+- `ServiceCenterVerification` stores moderation applications and review decisions.
+- `ServiceEmployee` links users to a service center with one of `owner`, `manager`, `receptionist`, or `mechanic`.
+- `CarServiceLink` is the owner-approved connection between a vehicle and an STO.
+- `ServiceCenterBookingSettings` and `ServiceCenterHoliday` define the appointment calendar.
+- `ServiceAppointment` is the customer booking request and can become one `ServiceVisit`.
+- `ServiceCenterReview` and `ServiceCenterReviewComment` store public feedback.
+
+## Work Order Domain
+
+- `ServiceVisit` is the work order. It links `ServiceCenter`, `Car`, owner user, employee, appointment, labor items, product items, status history, and corrections.
+- `ServiceWorkItem` stores labor/repair work and next-service intervals.
+- `ServiceProductItem` stores parts, fluids, materials, SKU and quantity.
+- `WorkOrderCatalogItem` is the STO price/catalog item source.
+- `InventoryTransaction` records consumed products on work-order completion.
+- `WorkOrderStatusHistory` audits status transitions.
+- `WorkOrderCorrection` records post-completion correction requests and owner decisions.
+- Completion creates immutable owner records: `ServiceEntry`, `ExpenseEntry`, `OdometerHistory`, `MaintenanceRecommendation` when applicable, `ServiceNotification`, and `AuditLog`.
+
+## Trust, Notifications, And Exchange
+
+- `MaintenanceRecommendation` is connected to a vehicle and optionally a service center/appointment.
+- `ServiceNotification` is the internal notification queue with best-effort Telegram delivery and idempotency keys.
+- `AuditLog` records sensitive and operational actions.
+- `Achievement`, `UserAchievement`, `VehicleScore`, `ServiceCenterScore`, and `EngagementEvent` power passport quality, trust, and timeline features.
+- Import/export is synchronous API work, not a persisted `ImportExportJob`; schema is `carpass.exchange.v1`.
+- OCR returns preview candidates through API responses; no persisted `OCRResult` table exists and OCR never writes vehicle data directly.
+
+## Pilot Gaps To Keep Explicit
+
+- Browser Web Push stores subscriptions and has a service worker listener, but server-side Web Push delivery is beta and not part of the pilot-critical notification path.
+- Inventory exists as consumption transactions and catalog products, not as full stock-level management.
+- Correction requests record decisions; they do not mutate completed work-order snapshots automatically.
--- a/scripts/backup.sh
+++ b/scripts/backup.sh
@@ -0,0 +1,4 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+exec "$(dirname "$0")/backup_db.sh" "$@"
--- a/scripts/deploy.sh
+++ b/scripts/deploy.sh
@@ -44,6 +44,7 @@ for attempt in {1..30}; do
  if curl -fsS "$HEALTH_URL" >/tmp/carpass-ready.json; then
    cat /tmp/carpass-ready.json
    echo
+    BASE_URL="${BASE_URL:-${HEALTH_URL%/ready}}" ./scripts/smoke_test.sh
    $COMPOSE ps
    exit 0
  fi
--- a/scripts/restore.sh
+++ b/scripts/restore.sh
@@ -0,0 +1,4 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+exec "$(dirname "$0")/restore_db.sh" "$@"
--- a/scripts/smoke_test.sh
+++ b/scripts/smoke_test.sh
@@ -0,0 +1,16 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+BASE_URL="${BASE_URL:-http://127.0.0.1:8000}"
+
+echo "Checking health..."
+curl -fsS "$BASE_URL/health"
+echo
+
+echo "Checking readiness..."
+curl -fsS "$BASE_URL/ready"
+echo
+
+echo "Checking metrics..."
+curl -fsS "$BASE_URL/metrics" | grep -q "carpass_requests_total"
+echo "Smoke test passed."
--- a/tests/test_production_flows.py
+++ b/tests/test_production_flows.py
@@ -50,6 +50,19 @@ async def test_employee_invite_activation_revoked_and_expired(
    dashboard = await client.get(f"/api/sto/dashboard?service_center_id={center['id']}", headers=other_auth_headers)
    assert dashboard.status_code == 200

+    other_center = await create_verified_center(
+        client,
+        auth_headers,
+        admin_auth_headers,
+        internal_headers,
+        "Other Tenant Service",
+    )
+    cross_tenant_dashboard = await client.get(
+        f"/api/sto/dashboard?service_center_id={other_center['id']}",
+        headers=other_auth_headers,
+    )
+    assert cross_tenant_dashboard.status_code == 403
+
    revoked_invite = (
        await client.post(
            f"/api/service-centers/{center['id']}/employees/invite",
@@ -193,6 +206,22 @@ async def test_work_order_completion_creates_vehicle_records_and_updates_costs(
    )
    assert correction.status_code == 201
    assert correction.json()["created_version"] == completed.json()["version"]
+    corrections = await client.get(f"/api/work-orders/{work_order['id']}/corrections", headers=other_auth_headers)
+    assert corrections.status_code == 200
+    assert corrections.json()[0]["id"] == correction.json()["id"]
+    approved_correction = await client.post(
+        f"/api/work-orders/corrections/{correction.json()['id']}/approve",
+        headers=other_auth_headers,
+        json={"comment": "Correction accepted"},
+    )
+    assert approved_correction.status_code == 200
+    assert approved_correction.json()["status"] == "approved"
+    repeated_correction_decision = await client.post(
+        f"/api/work-orders/corrections/{correction.json()['id']}/reject",
+        headers=other_auth_headers,
+        json={"comment": "Too late"},
+    )
+    assert repeated_correction_decision.status_code == 409

    service_history = await client.get(
        f"/api/my/vehicles/{vehicle['id']}/service-history",
--- a/web/static/app.js
+++ b/web/static/app.js
@@ -602,7 +602,7 @@ function hideAuthOverlay() {
 }

 const APPROVED_SERVICE_STATUSES = new Set(["approved", "verified"]);
-const STO_WORKPLACE_ROLES = new Set(["owner", "mechanic"]);
+const STO_WORKPLACE_ROLES = new Set(["owner", "manager", "receptionist", "mechanic"]);
 const STO_CALENDAR_ROLES = new Set(["owner", "manager", "receptionist"]);

 function isPlatformAdmin() {
--- a/web/static/sto.js
+++ b/web/static/sto.js
@@ -3,7 +3,7 @@ tg?.ready();
 tg?.expand();

 const APPROVED_SERVICE_STATUSES = new Set(["approved", "verified"]);
-const STO_WORKPLACE_ROLES = new Set(["owner", "mechanic"]);
+const STO_WORKPLACE_ROLES = new Set(["owner", "manager", "receptionist", "mechanic"]);

 const state = {
  user: null,
@@ -250,7 +250,8 @@ function renderDashboard(dashboard) {
 }

 function renderAppointments() {
-  const canManage = (activeCenter()?.employee_role || "owner") === "owner";
+  const role = activeCenter()?.employee_role || "owner";
+  const canManage = ["owner", "manager", "receptionist"].includes(role);
  document.querySelector("#appointmentsList").innerHTML = state.appointments.length
    ? state.appointments.map((item) => `
      <div class="stack-item work-order-card">
Author	SHA1	Message	Date
VPN SaaS Dev	9fe172702f	docker-deploy-smoke Some checks failed ci / test (push) Has been cancelled Details	2026-05-16 19:35:07 +09:00
VPN SaaS Dev	8efac3a844	frontend-roles-ux	2026-05-16 19:35:04 +09:00
VPN SaaS Dev	b03b63a5cc	work-order-hardening	2026-05-16 19:35:01 +09:00
VPN SaaS Dev	4ee83690f6	audit/entity-map	2026-05-16 19:34:56 +09:00