From 4782fad5b9610b28664ce59561f91f452e78b48a Mon Sep 17 00:00:00 2001
From: Piotr Oleszczyk <piotr@oleszczyk.eu>
Date: Thu, 12 Mar 2026 15:13:55 +0100
Subject: [PATCH 01/10] feat(auth): validate Authelia tokens in FastAPI

---
 backend/innercontext/api/auth.py      | 166 +++++++++++
 backend/innercontext/api/auth_deps.py |  57 ++++
 backend/innercontext/auth.py          | 384 ++++++++++++++++++++++++++
 backend/main.py                       |  56 +++-
 backend/pyproject.toml                |   1 +
 backend/tests/conftest.py             |  22 ++
 backend/tests/test_auth.py            | 275 ++++++++++++++++++
 7 files changed, 953 insertions(+), 8 deletions(-)
 create mode 100644 backend/innercontext/api/auth.py
 create mode 100644 backend/innercontext/api/auth_deps.py
 create mode 100644 backend/innercontext/auth.py
 create mode 100644 backend/tests/test_auth.py

diff --git a/backend/innercontext/api/auth.py b/backend/innercontext/api/auth.py
new file mode 100644
index 0000000..877289e
--- /dev/null
+++ b/backend/innercontext/api/auth.py
@@ -0,0 +1,166 @@
+from __future__ import annotations
+
+from datetime import date, datetime
+from uuid import UUID
+
+from fastapi import APIRouter, Depends, HTTPException, status
+from sqlmodel import Field, Session, SQLModel, select
+
+from db import get_session
+from innercontext.api.auth_deps import get_current_user
+from innercontext.auth import CurrentUser, IdentityData, sync_current_user
+from innercontext.models import HouseholdRole, Role, UserProfile
+
+router = APIRouter()
+
+
+class SessionSyncRequest(SQLModel):
+    iss: str | None = None
+    sub: str | None = None
+    email: str | None = None
+    name: str | None = None
+    preferred_username: str | None = None
+    groups: list[str] | None = None
+
+
+class AuthHouseholdMembershipPublic(SQLModel):
+    household_id: UUID
+    role: HouseholdRole
+
+
+class AuthUserPublic(SQLModel):
+    id: UUID
+    role: Role
+    household_membership: AuthHouseholdMembershipPublic | None = None
+
+
+class AuthIdentityPublic(SQLModel):
+    issuer: str
+    subject: str
+    email: str | None = None
+    name: str | None = None
+    preferred_username: str | None = None
+    groups: list[str] = Field(default_factory=list)
+
+
+class AuthProfilePublic(SQLModel):
+    id: UUID
+    user_id: UUID | None
+    birth_date: date | None = None
+    sex_at_birth: str | None = None
+    created_at: datetime
+    updated_at: datetime
+
+
+class AuthSessionResponse(SQLModel):
+    user: AuthUserPublic
+    identity: AuthIdentityPublic
+    profile: AuthProfilePublic | None = None
+
+
+def _build_identity(
+    current_user: CurrentUser,
+    payload: SessionSyncRequest | None,
+) -> IdentityData:
+    if payload is None:
+        return current_user.identity
+
+    if payload.iss is not None and payload.iss != current_user.identity.issuer:
+        raise HTTPException(
+            status_code=status.HTTP_400_BAD_REQUEST,
+            detail="Session sync issuer does not match bearer token",
+        )
+    if payload.sub is not None and payload.sub != current_user.identity.subject:
+        raise HTTPException(
+            status_code=status.HTTP_400_BAD_REQUEST,
+            detail="Session sync subject does not match bearer token",
+        )
+
+    return IdentityData(
+        issuer=current_user.identity.issuer,
+        subject=current_user.identity.subject,
+        email=(
+            payload.email if payload.email is not None else current_user.identity.email
+        ),
+        name=payload.name if payload.name is not None else current_user.identity.name,
+        preferred_username=(
+            payload.preferred_username
+            if payload.preferred_username is not None
+            else current_user.identity.preferred_username
+        ),
+        groups=(
+            tuple(payload.groups)
+            if payload.groups is not None
+            else current_user.identity.groups
+        ),
+    )
+
+
+def _get_profile(session: Session, user_id: UUID) -> UserProfile | None:
+    return session.exec(
+        select(UserProfile).where(UserProfile.user_id == user_id)
+    ).first()
+
+
+def _profile_public(profile: UserProfile | None) -> AuthProfilePublic | None:
+    if profile is None:
+        return None
+
+    return AuthProfilePublic(
+        id=profile.id,
+        user_id=profile.user_id,
+        birth_date=profile.birth_date,
+        sex_at_birth=(
+            profile.sex_at_birth.value if profile.sex_at_birth is not None else None
+        ),
+        created_at=profile.created_at,
+        updated_at=profile.updated_at,
+    )
+
+
+def _response(session: Session, current_user: CurrentUser) -> AuthSessionResponse:
+    household_membership = None
+    if current_user.household_membership is not None:
+        household_membership = AuthHouseholdMembershipPublic(
+            household_id=current_user.household_membership.household_id,
+            role=current_user.household_membership.role,
+        )
+
+    return AuthSessionResponse(
+        user=AuthUserPublic(
+            id=current_user.user_id,
+            role=current_user.role,
+            household_membership=household_membership,
+        ),
+        identity=AuthIdentityPublic(
+            issuer=current_user.identity.issuer,
+            subject=current_user.identity.subject,
+            email=current_user.identity.email,
+            name=current_user.identity.name,
+            preferred_username=current_user.identity.preferred_username,
+            groups=list(current_user.identity.groups),
+        ),
+        profile=_profile_public(_get_profile(session, current_user.user_id)),
+    )
+
+
+@router.post("/session/sync", response_model=AuthSessionResponse)
+def sync_session(
+    payload: SessionSyncRequest | None = None,
+    session: Session = Depends(get_session),
+    current_user: CurrentUser = Depends(get_current_user),
+):
+    synced_user = sync_current_user(
+        session,
+        current_user.claims,
+        identity=_build_identity(current_user, payload),
+    )
+    return _response(session, synced_user)
+
+
+@router.get("/me", response_model=AuthSessionResponse)
+def get_me(
+    session: Session = Depends(get_session),
+    current_user: CurrentUser = Depends(get_current_user),
+):
+    return _response(session, current_user)
diff --git a/backend/innercontext/api/auth_deps.py b/backend/innercontext/api/auth_deps.py
new file mode 100644
index 0000000..a71a57a
--- /dev/null
+++ b/backend/innercontext/api/auth_deps.py
@@ -0,0 +1,57 @@
+from __future__ import annotations
+
+from typing import Annotated
+
+from fastapi import Depends, HTTPException, status
+from fastapi.security import HTTPAuthorizationCredentials, HTTPBearer
+from sqlmodel import Session
+
+from db import get_session
+from innercontext.auth import (
+    AuthConfigurationError,
+    CurrentUser,
+    TokenValidationError,
+    sync_current_user,
+    validate_access_token,
+)
+from innercontext.models import Role
+
+_bearer_scheme = HTTPBearer(auto_error=False)
+
+
+def _unauthorized(detail: str) -> HTTPException:
+    return HTTPException(
+        status_code=status.HTTP_401_UNAUTHORIZED,
+        detail=detail,
+        headers={"WWW-Authenticate": "Bearer"},
+    )
+
+
+def get_current_user(
+    credentials: Annotated[
+        HTTPAuthorizationCredentials | None, Depends(_bearer_scheme)
+    ],
+    session: Session = Depends(get_session),
+) -> CurrentUser:
+    if credentials is None or credentials.scheme.lower() != "bearer":
+        raise _unauthorized("Missing bearer token")
+
+    try:
+        claims = validate_access_token(credentials.credentials)
+        return sync_current_user(session, claims)
+    except AuthConfigurationError as exc:
+        raise HTTPException(
+            status_code=status.HTTP_503_SERVICE_UNAVAILABLE,
+            detail=str(exc),
+        ) from exc
+    except TokenValidationError as exc:
+        raise _unauthorized(str(exc)) from exc
+
+
+def require_admin(current_user: CurrentUser = Depends(get_current_user)) -> CurrentUser:
+    if current_user.role is not Role.ADMIN:
+        raise HTTPException(
+            status_code=status.HTTP_403_FORBIDDEN,
+            detail="Admin role required",
+        )
+    return current_user
diff --git a/backend/innercontext/auth.py b/backend/innercontext/auth.py
new file mode 100644
index 0000000..b672d43
--- /dev/null
+++ b/backend/innercontext/auth.py
@@ -0,0 +1,384 @@
+from __future__ import annotations
+
+import os
+import time
+from dataclasses import dataclass, field
+from datetime import UTC, datetime
+from functools import lru_cache
+from threading import Lock
+from typing import Any, Mapping
+from uuid import UUID
+
+import httpx
+import jwt
+from jwt import InvalidTokenError, PyJWKSet
+from sqlmodel import Session, select
+
+from innercontext.models import HouseholdMembership, HouseholdRole, Role, User
+
+_DISCOVERY_PATH = "/.well-known/openid-configuration"
+_SUPPORTED_ALGORITHMS = frozenset(
+    {"RS256", "RS384", "RS512", "ES256", "ES384", "ES512"}
+)
+
+
+class AuthConfigurationError(RuntimeError):
+    pass
+
+
+class TokenValidationError(ValueError):
+    pass
+
+
+@dataclass(frozen=True, slots=True)
+class AuthSettings:
+    issuer: str
+    client_id: str
+    audiences: tuple[str, ...]
+    discovery_url: str
+    jwks_url: str | None
+    groups_claim: str
+    admin_groups: tuple[str, ...]
+    member_groups: tuple[str, ...]
+    jwks_cache_ttl_seconds: int
+    http_timeout_seconds: float
+    clock_skew_seconds: int
+
+
+@dataclass(frozen=True, slots=True)
+class TokenClaims:
+    issuer: str
+    subject: str
+    audience: tuple[str, ...]
+    expires_at: datetime
+    groups: tuple[str, ...] = ()
+    email: str | None = None
+    name: str | None = None
+    preferred_username: str | None = None
+    raw_claims: Mapping[str, Any] = field(default_factory=dict, repr=False)
+
+    @classmethod
+    def from_payload(
+        cls, payload: Mapping[str, Any], settings: AuthSettings
+    ) -> "TokenClaims":
+        audience = payload.get("aud")
+        if isinstance(audience, str):
+            audiences = (audience,)
+        elif isinstance(audience, list):
+            audiences = tuple(str(item) for item in audience)
+        else:
+            audiences = ()
+
+        groups = _normalize_groups(payload.get(settings.groups_claim))
+        exp = payload.get("exp")
+        if not isinstance(exp, (int, float)):
+            raise TokenValidationError("Access token missing exp claim")
+
+        return cls(
+            issuer=str(payload["iss"]),
+            subject=str(payload["sub"]),
+            audience=audiences,
+            expires_at=datetime.fromtimestamp(exp, tz=UTC),
+            groups=groups,
+            email=_optional_str(payload.get("email")),
+            name=_optional_str(payload.get("name")),
+            preferred_username=_optional_str(payload.get("preferred_username")),
+            raw_claims=dict(payload),
+        )
+
+
+@dataclass(frozen=True, slots=True)
+class IdentityData:
+    issuer: str
+    subject: str
+    email: str | None = None
+    name: str | None = None
+    preferred_username: str | None = None
+    groups: tuple[str, ...] = ()
+
+    @classmethod
+    def from_claims(cls, claims: TokenClaims) -> "IdentityData":
+        return cls(
+            issuer=claims.issuer,
+            subject=claims.subject,
+            email=claims.email,
+            name=claims.name,
+            preferred_username=claims.preferred_username,
+            groups=claims.groups,
+        )
+
+
+@dataclass(frozen=True, slots=True)
+class CurrentHouseholdMembership:
+    household_id: UUID
+    role: HouseholdRole
+
+
+@dataclass(frozen=True, slots=True)
+class CurrentUser:
+    user_id: UUID
+    role: Role
+    identity: IdentityData
+    claims: TokenClaims = field(repr=False)
+    household_membership: CurrentHouseholdMembership | None = None
+
+
+def _split_csv(value: str | None) -> tuple[str, ...]:
+    if value is None:
+        return ()
+    return tuple(item.strip() for item in value.split(",") if item.strip())
+
+
+def _optional_str(value: Any) -> str | None:
+    if value is None:
+        return None
+    if isinstance(value, str):
+        return value
+    return str(value)
+
+
+def _normalize_groups(value: Any) -> tuple[str, ...]:
+    if value is None:
+        return ()
+    if isinstance(value, str):
+        return (value,)
+    if isinstance(value, list):
+        return tuple(str(item) for item in value)
+    if isinstance(value, tuple):
+        return tuple(str(item) for item in value)
+    return (str(value),)
+
+
+def _required_env(name: str) -> str:
+    value = os.environ.get(name)
+    if value:
+        return value
+    raise AuthConfigurationError(f"Missing required auth environment variable: {name}")
+
+
+@lru_cache
+def get_auth_settings() -> AuthSettings:
+    issuer = _required_env("OIDC_ISSUER")
+    client_id = _required_env("OIDC_CLIENT_ID")
+    audiences = _split_csv(os.environ.get("OIDC_AUDIENCE")) or (client_id,)
+    discovery_url = os.environ.get("OIDC_DISCOVERY_URL") or (
+        issuer.rstrip("/") + _DISCOVERY_PATH
+    )
+
+    return AuthSettings(
+        issuer=issuer,
+        client_id=client_id,
+        audiences=audiences,
+        discovery_url=discovery_url,
+        jwks_url=os.environ.get("OIDC_JWKS_URL"),
+        groups_claim=os.environ.get("OIDC_GROUPS_CLAIM", "groups"),
+        admin_groups=_split_csv(os.environ.get("OIDC_ADMIN_GROUPS")),
+        member_groups=_split_csv(os.environ.get("OIDC_MEMBER_GROUPS")),
+        jwks_cache_ttl_seconds=int(
+            os.environ.get("OIDC_JWKS_CACHE_TTL_SECONDS", "300")
+        ),
+        http_timeout_seconds=float(os.environ.get("OIDC_HTTP_TIMEOUT_SECONDS", "5")),
+        clock_skew_seconds=int(os.environ.get("OIDC_CLOCK_SKEW_SECONDS", "30")),
+    )
+
+
+class CachedJwksClient:
+    def __init__(self, settings: AuthSettings):
+        self._settings = settings
+        self._lock = Lock()
+        self._jwks: PyJWKSet | None = None
+        self._jwks_fetched_at = 0.0
+        self._discovery_jwks_url: str | None = None
+        self._discovery_fetched_at = 0.0
+
+    def get_signing_key(self, kid: str) -> Any:
+        with self._lock:
+            jwks = self._get_jwks_locked()
+            key = self._find_key(jwks, kid)
+            if key is not None:
+                return key
+
+            self._refresh_jwks_locked(
+                force_discovery_refresh=self._settings.jwks_url is None
+            )
+            if self._jwks is None:
+                raise TokenValidationError("JWKS cache is empty")
+
+            key = self._find_key(self._jwks, kid)
+            if key is None:
+                raise TokenValidationError(f"No signing key found for kid '{kid}'")
+            return key
+
+    def _get_jwks_locked(self) -> PyJWKSet:
+        if self._jwks is None or self._is_stale(self._jwks_fetched_at):
+            self._refresh_jwks_locked(force_discovery_refresh=False)
+        if self._jwks is None:
+            raise TokenValidationError("Unable to load JWKS")
+        return self._jwks
+
+    def _refresh_jwks_locked(self, force_discovery_refresh: bool) -> None:
+        jwks_url = self._resolve_jwks_url_locked(force_refresh=force_discovery_refresh)
+        data = self._fetch_json(jwks_url)
+        try:
+            self._jwks = PyJWKSet.from_dict(data)
+        except Exception as exc:
+            raise TokenValidationError(
+                "OIDC provider returned an invalid JWKS payload"
+            ) from exc
+        self._jwks_fetched_at = time.monotonic()
+
+    def _resolve_jwks_url_locked(self, force_refresh: bool) -> str:
+        if self._settings.jwks_url:
+            return self._settings.jwks_url
+
+        if (
+            force_refresh
+            or self._discovery_jwks_url is None
+            or self._is_stale(self._discovery_fetched_at)
+        ):
+            discovery = self._fetch_json(self._settings.discovery_url)
+            jwks_uri = discovery.get("jwks_uri")
+            if not isinstance(jwks_uri, str) or not jwks_uri:
+                raise TokenValidationError("OIDC discovery document missing jwks_uri")
+            self._discovery_jwks_url = jwks_uri
+            self._discovery_fetched_at = time.monotonic()
+
+        if self._discovery_jwks_url is None:
+            raise TokenValidationError("Unable to resolve JWKS URL")
+        return self._discovery_jwks_url
+
+    def _fetch_json(self, url: str) -> dict[str, Any]:
+        try:
+            response = httpx.get(url, timeout=self._settings.http_timeout_seconds)
+            response.raise_for_status()
+        except httpx.HTTPError as exc:
+            raise TokenValidationError(
+                f"Failed to fetch OIDC metadata from {url}"
+            ) from exc
+
+        data = response.json()
+        if not isinstance(data, dict):
+            raise TokenValidationError(
+                f"OIDC metadata from {url} must be a JSON object"
+            )
+        return data
+
+    def _is_stale(self, fetched_at: float) -> bool:
+        return (time.monotonic() - fetched_at) >= self._settings.jwks_cache_ttl_seconds
+
+    @staticmethod
+    def _find_key(jwks: PyJWKSet, kid: str) -> Any | None:
+        for jwk in jwks.keys:
+            if jwk.key_id == kid:
+                return jwk.key
+        return None
+
+
+@lru_cache
+def get_jwks_client() -> CachedJwksClient:
+    return CachedJwksClient(get_auth_settings())
+
+
+def reset_auth_caches() -> None:
+    get_auth_settings.cache_clear()
+    get_jwks_client.cache_clear()
+
+
+def validate_access_token(token: str) -> TokenClaims:
+    settings = get_auth_settings()
+
+    try:
+        unverified_header = jwt.get_unverified_header(token)
+    except InvalidTokenError as exc:
+        raise TokenValidationError("Malformed access token header") from exc
+
+    kid = unverified_header.get("kid")
+    algorithm = unverified_header.get("alg")
+    if not isinstance(kid, str) or not kid:
+        raise TokenValidationError("Access token missing kid header")
+    if not isinstance(algorithm, str) or algorithm not in _SUPPORTED_ALGORITHMS:
+        raise TokenValidationError("Access token uses an unsupported signing algorithm")
+
+    signing_key = get_jwks_client().get_signing_key(kid)
+
+    try:
+        payload = jwt.decode(
+            token,
+            key=signing_key,
+            algorithms=[algorithm],
+            audience=settings.audiences,
+            issuer=settings.issuer,
+            options={"require": ["exp", "iss", "sub"]},
+            leeway=settings.clock_skew_seconds,
+        )
+    except InvalidTokenError as exc:
+        raise TokenValidationError("Invalid access token") from exc
+
+    return TokenClaims.from_payload(payload, settings)
+
+
+def sync_current_user(
+    session: Session,
+    claims: TokenClaims,
+    identity: IdentityData | None = None,
+) -> CurrentUser:
+    effective_identity = identity or IdentityData.from_claims(claims)
+    statement = select(User).where(
+        User.oidc_issuer == effective_identity.issuer,
+        User.oidc_subject == effective_identity.subject,
+    )
+    user = session.exec(statement).first()
+    existing_role = user.role if user is not None else None
+    resolved_role = resolve_role(effective_identity.groups, existing_role=existing_role)
+    needs_commit = False
+
+    if user is None:
+        user = User(
+            oidc_issuer=effective_identity.issuer,
+            oidc_subject=effective_identity.subject,
+            role=resolved_role,
+        )
+        session.add(user)
+        needs_commit = True
+    elif user.role != resolved_role:
+        user.role = resolved_role
+        session.add(user)
+        needs_commit = True
+
+    if needs_commit:
+        session.commit()
+        session.refresh(user)
+
+    membership = session.exec(
+        select(HouseholdMembership).where(HouseholdMembership.user_id == user.id)
+    ).first()
+
+    household_membership = None
+    if membership is not None:
+        household_membership = CurrentHouseholdMembership(
+            household_id=membership.household_id,
+            role=membership.role,
+        )
+
+    return CurrentUser(
+        user_id=user.id,
+        role=user.role,
+        identity=effective_identity,
+        claims=claims,
+        household_membership=household_membership,
+    )
+
+
+def resolve_role(groups: tuple[str, ...], existing_role: Role | None = None) -> Role:
+    settings = get_auth_settings()
+    if groups:
+        group_set = set(groups)
+        if settings.admin_groups and group_set.intersection(settings.admin_groups):
+            return Role.ADMIN
+        if settings.member_groups:
+            if group_set.intersection(settings.member_groups):
+                return Role.MEMBER
+            return Role.MEMBER
+        return Role.MEMBER
+
+    return existing_role or Role.MEMBER
diff --git a/backend/main.py b/backend/main.py
index 10fb73b..55280aa 100644
--- a/backend/main.py
+++ b/backend/main.py
@@ -5,13 +5,14 @@ from dotenv import load_dotenv
 
 load_dotenv()  # load .env before db.py reads DATABASE_URL
 
-from fastapi import FastAPI  # noqa: E402
+from fastapi import Depends, FastAPI  # noqa: E402
 from fastapi.middleware.cors import CORSMiddleware  # noqa: E402
 from sqlmodel import Session  # noqa: E402
 
 from db import create_db_and_tables, engine  # noqa: E402
 from innercontext.api import (  # noqa: E402
     ai_logs,
+    auth,
     health,
     inventory,
     products,
@@ -19,6 +20,7 @@ from innercontext.api import (  # noqa: E402
     routines,
     skincare,
 )
+from innercontext.api.auth_deps import get_current_user  # noqa: E402
 from innercontext.services.pricing_jobs import enqueue_pricing_recalc  # noqa: E402
 
 
@@ -47,13 +49,51 @@ app.add_middleware(
     allow_headers=["*"],
 )
 
-app.include_router(products.router, prefix="/products", tags=["products"])
-app.include_router(inventory.router, prefix="/inventory", tags=["inventory"])
-app.include_router(profile.router, prefix="/profile", tags=["profile"])
-app.include_router(health.router, prefix="/health", tags=["health"])
-app.include_router(routines.router, prefix="/routines", tags=["routines"])
-app.include_router(skincare.router, prefix="/skincare", tags=["skincare"])
-app.include_router(ai_logs.router, prefix="/ai-logs", tags=["ai-logs"])
+protected = [Depends(get_current_user)]
+
+app.include_router(auth.router, prefix="/auth", tags=["auth"])
+app.include_router(
+    products.router,
+    prefix="/products",
+    tags=["products"],
+    dependencies=protected,
+)
+app.include_router(
+    inventory.router,
+    prefix="/inventory",
+    tags=["inventory"],
+    dependencies=protected,
+)
+app.include_router(
+    profile.router,
+    prefix="/profile",
+    tags=["profile"],
+    dependencies=protected,
+)
+app.include_router(
+    health.router,
+    prefix="/health",
+    tags=["health"],
+    dependencies=protected,
+)
+app.include_router(
+    routines.router,
+    prefix="/routines",
+    tags=["routines"],
+    dependencies=protected,
+)
+app.include_router(
+    skincare.router,
+    prefix="/skincare",
+    tags=["skincare"],
+    dependencies=protected,
+)
+app.include_router(
+    ai_logs.router,
+    prefix="/ai-logs",
+    tags=["ai-logs"],
+    dependencies=protected,
+)
 
 
 @app.get("/health-check")
diff --git a/backend/pyproject.toml b/backend/pyproject.toml
index eeddb55..6b9a55c 100644
--- a/backend/pyproject.toml
+++ b/backend/pyproject.toml
@@ -8,6 +8,7 @@ dependencies = [
     "alembic>=1.14",
     "fastapi>=0.132.0",
     "google-genai>=1.65.0",
+    "pyjwt[crypto]>=2.10.1",
     "psycopg[binary]>=3.3.3",
     "python-dotenv>=1.2.1",
     "python-multipart>=0.0.22",
diff --git a/backend/tests/conftest.py b/backend/tests/conftest.py
index 3c4f465..e35dfba 100644
--- a/backend/tests/conftest.py
+++ b/backend/tests/conftest.py
@@ -1,4 +1,6 @@
 import os
+from datetime import UTC, datetime, timedelta
+from uuid import uuid4
 
 # Must be set before importing db (which calls create_engine at module level)
 os.environ.setdefault("DATABASE_URL", "sqlite://")
@@ -10,6 +12,9 @@ from sqlmodel.pool import StaticPool
 
 import db as db_module
 from db import get_session
+from innercontext.api.auth_deps import get_current_user
+from innercontext.auth import CurrentUser, IdentityData, TokenClaims
+from innercontext.models import Role
 from main import app
 
 
@@ -38,7 +43,24 @@ def client(session, monkeypatch):
     def _override():
         yield session
 
+    def _current_user_override():
+        claims = TokenClaims(
+            issuer="https://auth.test",
+            subject="test-user",
+            audience=("innercontext-web",),
+            expires_at=datetime.now(UTC) + timedelta(hours=1),
+            groups=("innercontext-admin",),
+            raw_claims={"iss": "https://auth.test", "sub": "test-user"},
+        )
+        return CurrentUser(
+            user_id=uuid4(),
+            role=Role.ADMIN,
+            identity=IdentityData.from_claims(claims),
+            claims=claims,
+        )
+
     app.dependency_overrides[get_session] = _override
+    app.dependency_overrides[get_current_user] = _current_user_override
     with TestClient(app) as c:
         yield c
     app.dependency_overrides.clear()
diff --git a/backend/tests/test_auth.py b/backend/tests/test_auth.py
new file mode 100644
index 0000000..0ed16a5
--- /dev/null
+++ b/backend/tests/test_auth.py
@@ -0,0 +1,275 @@
+from __future__ import annotations
+
+import json
+from datetime import UTC, datetime, timedelta
+from uuid import UUID, uuid4
+
+import jwt
+import pytest
+from cryptography.hazmat.primitives.asymmetric import rsa
+from fastapi import HTTPException
+from fastapi.testclient import TestClient
+from jwt import algorithms
+from sqlmodel import Session, SQLModel, create_engine
+from sqlmodel.pool import StaticPool
+
+import db as db_module
+from db import get_session
+from innercontext.api.auth_deps import require_admin
+from innercontext.auth import (
+    CurrentHouseholdMembership,
+    CurrentUser,
+    IdentityData,
+    TokenClaims,
+    reset_auth_caches,
+    validate_access_token,
+)
+from innercontext.models import (
+    Household,
+    HouseholdMembership,
+    HouseholdRole,
+    Role,
+    User,
+)
+from main import app
+
+
+class _MockResponse:
+    def __init__(self, payload: dict[str, object], status_code: int = 200):
+        self._payload = payload
+        self.status_code = status_code
+
+    def raise_for_status(self) -> None:
+        if self.status_code >= 400:
+            raise RuntimeError(f"unexpected status {self.status_code}")
+
+    def json(self) -> dict[str, object]:
+        return self._payload
+
+
+@pytest.fixture()
+def auth_env(monkeypatch):
+    monkeypatch.setenv("OIDC_ISSUER", "https://auth.example.test")
+    monkeypatch.setenv("OIDC_CLIENT_ID", "innercontext-web")
+    monkeypatch.setenv(
+        "OIDC_DISCOVERY_URL",
+        "https://auth.example.test/.well-known/openid-configuration",
+    )
+    monkeypatch.setenv("OIDC_ADMIN_GROUPS", "innercontext-admin")
+    monkeypatch.setenv("OIDC_MEMBER_GROUPS", "innercontext-member")
+    monkeypatch.setenv("OIDC_JWKS_CACHE_TTL_SECONDS", "3600")
+    reset_auth_caches()
+    yield
+    reset_auth_caches()
+
+
+@pytest.fixture()
+def rsa_keypair():
+    private_key = rsa.generate_private_key(
+        public_exponent=65537,
+        key_size=2048,
+    )
+    return private_key, private_key.public_key()
+
+
+@pytest.fixture()
+def auth_session(monkeypatch):
+    engine = create_engine(
+        "sqlite://",
+        connect_args={"check_same_thread": False},
+        poolclass=StaticPool,
+    )
+    monkeypatch.setattr(db_module, "engine", engine)
+    import innercontext.models  # noqa: F401
+
+    SQLModel.metadata.create_all(engine)
+    with Session(engine) as session:
+        yield session
+
+
+@pytest.fixture()
+def auth_client(auth_session):
+    def _override():
+        yield auth_session
+
+    app.dependency_overrides[get_session] = _override
+    with TestClient(app) as client:
+        yield client
+    app.dependency_overrides.clear()
+
+
+def _public_jwk(public_key, kid: str) -> dict[str, object]:
+    jwk = json.loads(algorithms.RSAAlgorithm.to_jwk(public_key))
+    jwk["kid"] = kid
+    jwk["use"] = "sig"
+    jwk["alg"] = "RS256"
+    return jwk
+
+
+def _sign_token(private_key, kid: str, **claims_overrides: object) -> str:
+    now = datetime.now(UTC)
+    payload: dict[str, object] = {
+        "iss": "https://auth.example.test",
+        "sub": "user-123",
+        "aud": "innercontext-web",
+        "exp": int((now + timedelta(hours=1)).timestamp()),
+        "iat": int(now.timestamp()),
+        "groups": ["innercontext-admin"],
+        "email": "user@example.test",
+        "name": "Inner Context User",
+        "preferred_username": "ictx-user",
+    }
+    payload.update(claims_overrides)
+    return jwt.encode(payload, private_key, algorithm="RS256", headers={"kid": kid})
+
+
+def _mock_oidc(monkeypatch, public_key, *, fetch_counts: dict[str, int] | None = None):
+    def _fake_get(url: str, timeout: float):
+        if fetch_counts is not None:
+            fetch_counts[url] = fetch_counts.get(url, 0) + 1
+        if url.endswith("/.well-known/openid-configuration"):
+            return _MockResponse({"jwks_uri": "https://auth.example.test/jwks.json"})
+        if url.endswith("/jwks.json"):
+            return _MockResponse({"keys": [_public_jwk(public_key, "kid-1")]})
+        raise AssertionError(f"unexpected URL {url} with timeout {timeout}")
+
+    monkeypatch.setattr("innercontext.auth.httpx.get", _fake_get)
+
+
+def test_validate_access_token_uses_cached_jwks(auth_env, rsa_keypair, monkeypatch):
+    private_key, public_key = rsa_keypair
+    fetch_counts: dict[str, int] = {}
+    _mock_oidc(monkeypatch, public_key, fetch_counts=fetch_counts)
+
+    validate_access_token(_sign_token(private_key, "kid-1", sub="user-a"))
+    validate_access_token(_sign_token(private_key, "kid-1", sub="user-b"))
+
+    assert (
+        fetch_counts["https://auth.example.test/.well-known/openid-configuration"] == 1
+    )
+    assert fetch_counts["https://auth.example.test/jwks.json"] == 1
+
+
+@pytest.mark.parametrize(
+    ("path", "payload"),
+    [
+        (
+            "/auth/session/sync",
+            {
+                "email": "sync@example.test",
+                "name": "Synced User",
+                "preferred_username": "synced-user",
+                "groups": ["innercontext-admin"],
+            },
+        ),
+        ("/auth/me", None),
+    ],
+    ids=["/auth/session/sync", "/auth/me"],
+)
+def test_sync_protected_endpoints_create_or_resolve_current_user(
+    auth_env,
+    auth_client,
+    auth_session,
+    rsa_keypair,
+    monkeypatch,
+    path: str,
+    payload: dict[str, object] | None,
+):
+    private_key, public_key = rsa_keypair
+    _mock_oidc(monkeypatch, public_key)
+    token = _sign_token(private_key, "kid-1")
+
+    if path == "/auth/me":
+        user = User(
+            oidc_issuer="https://auth.example.test",
+            oidc_subject="user-123",
+            role=Role.ADMIN,
+        )
+        auth_session.add(user)
+        auth_session.commit()
+        auth_session.refresh(user)
+
+        household = Household()
+        auth_session.add(household)
+        auth_session.commit()
+        auth_session.refresh(household)
+
+        membership = HouseholdMembership(
+            user_id=user.id,
+            household_id=household.id,
+            role=HouseholdRole.OWNER,
+        )
+        auth_session.add(membership)
+        auth_session.commit()
+
+    response = auth_client.request(
+        "POST" if path.endswith("sync") else "GET",
+        path,
+        headers={"Authorization": f"Bearer {token}"},
+        json=payload,
+    )
+
+    assert response.status_code == 200
+    data = response.json()
+    assert data["user"]["role"] == "admin"
+    assert data["identity"]["issuer"] == "https://auth.example.test"
+    assert data["identity"]["subject"] == "user-123"
+
+    synced_user = auth_session.get(User, UUID(data["user"]["id"]))
+    assert synced_user is not None
+    assert synced_user.oidc_issuer == "https://auth.example.test"
+    assert synced_user.oidc_subject == "user-123"
+
+    if path == "/auth/session/sync":
+        assert data["identity"]["email"] == "sync@example.test"
+        assert data["identity"]["groups"] == ["innercontext-admin"]
+    else:
+        assert data["user"]["household_membership"]["role"] == "owner"
+
+
+@pytest.mark.parametrize(
+    "path",
+    ["/auth/me", "/profile"],
+    ids=["/auth/me expects 401", "/profile expects 401"],
+)
+def test_unauthorized_protected_endpoints_return_401(auth_env, auth_client, path: str):
+    response = auth_client.get(path)
+    assert response.status_code == 401
+    assert response.json()["detail"] == "Missing bearer token"
+
+
+def test_unauthorized_invalid_bearer_token_is_rejected(
+    auth_env, auth_client, rsa_keypair, monkeypatch
+):
+    _, public_key = rsa_keypair
+    _mock_oidc(monkeypatch, public_key)
+    response = auth_client.get(
+        "/auth/me",
+        headers={"Authorization": "Bearer not-a-jwt"},
+    )
+    assert response.status_code == 401
+
+
+def test_require_admin_raises_for_member():
+    claims = TokenClaims(
+        issuer="https://auth.example.test",
+        subject="member-1",
+        audience=("innercontext-web",),
+        expires_at=datetime.now(UTC) + timedelta(hours=1),
+        raw_claims={"iss": "https://auth.example.test", "sub": "member-1"},
+    )
+    current_user = CurrentUser(
+        user_id=uuid4(),
+        role=Role.MEMBER,
+        identity=IdentityData.from_claims(claims),
+        claims=claims,
+        household_membership=CurrentHouseholdMembership(
+            household_id=uuid4(),
+            role=HouseholdRole.MEMBER,
+        ),
+    )
+
+    with pytest.raises(HTTPException) as exc_info:
+        require_admin(current_user)
+
+    assert exc_info.value.status_code == 403

From 1f47974f4826f4b4f5ebeeff3c56d1a6c9e461ac Mon Sep 17 00:00:00 2001
From: Piotr Oleszczyk <piotr@oleszczyk.eu>
Date: Thu, 12 Mar 2026 15:26:06 +0100
Subject: [PATCH 02/10] refactor(api): centralize tenant authorization helpers

---
 backend/innercontext/api/authz.py | 173 ++++++++++++++++++
 backend/innercontext/api/utils.py |  46 +++++
 backend/tests/test_authz.py       | 293 ++++++++++++++++++++++++++++++
 3 files changed, 512 insertions(+)
 create mode 100644 backend/innercontext/api/authz.py
 create mode 100644 backend/tests/test_authz.py

diff --git a/backend/innercontext/api/authz.py b/backend/innercontext/api/authz.py
new file mode 100644
index 0000000..23f71dc
--- /dev/null
+++ b/backend/innercontext/api/authz.py
@@ -0,0 +1,173 @@
+from __future__ import annotations
+
+from typing import TypeVar, cast
+from uuid import UUID
+
+from fastapi import HTTPException
+from sqlmodel import Session, select
+
+from innercontext.auth import CurrentUser
+from innercontext.models import HouseholdMembership, Product, ProductInventory, Role
+
+_T = TypeVar("_T")
+
+
+def _not_found(model_name: str) -> HTTPException:
+    return HTTPException(status_code=404, detail=f"{model_name} not found")
+
+
+def _user_scoped_model_name(model: type[object]) -> str:
+    return getattr(model, "__name__", str(model))
+
+
+def _record_user_id(model: type[object], record: object) -> object:
+    if not hasattr(record, "user_id"):
+        model_name = _user_scoped_model_name(model)
+        raise TypeError(f"{model_name} does not expose user_id")
+    return cast(object, getattr(record, "user_id"))
+
+
+def _is_admin(current_user: CurrentUser) -> bool:
+    return current_user.role is Role.ADMIN
+
+
+def _owner_household_id(session: Session, owner_user_id: UUID) -> UUID | None:
+    membership = session.exec(
+        select(HouseholdMembership).where(HouseholdMembership.user_id == owner_user_id)
+    ).first()
+    if membership is None:
+        return None
+    return membership.household_id
+
+
+def _is_same_household(
+    session: Session,
+    owner_user_id: UUID,
+    current_user: CurrentUser,
+) -> bool:
+    if current_user.household_membership is None:
+        return False
+    owner_household_id = _owner_household_id(session, owner_user_id)
+    return owner_household_id == current_user.household_membership.household_id
+
+
+def get_owned_or_404(
+    session: Session,
+    model: type[_T],
+    record_id: object,
+    current_user: CurrentUser,
+) -> _T:
+    obj = session.get(model, record_id)
+    model_name = _user_scoped_model_name(model)
+    if obj is None:
+        raise _not_found(model_name)
+    if _record_user_id(model, obj) != current_user.user_id:
+        raise _not_found(model_name)
+    return obj
+
+
+def get_owned_or_404_admin_override(
+    session: Session,
+    model: type[_T],
+    record_id: object,
+    current_user: CurrentUser,
+) -> _T:
+    obj = session.get(model, record_id)
+    model_name = _user_scoped_model_name(model)
+    if obj is None:
+        raise _not_found(model_name)
+    if _is_admin(current_user):
+        return obj
+    if _record_user_id(model, obj) != current_user.user_id:
+        raise _not_found(model_name)
+    return obj
+
+
+def list_owned(
+    session: Session, model: type[_T], current_user: CurrentUser
+) -> list[_T]:
+    model_name = _user_scoped_model_name(model)
+    if not hasattr(model, "user_id"):
+        raise TypeError(f"{model_name} does not expose user_id")
+    records = cast(list[_T], session.exec(select(model)).all())
+    return [
+        record
+        for record in records
+        if _record_user_id(model, record) == current_user.user_id
+    ]
+
+
+def list_owned_admin_override(
+    session: Session,
+    model: type[_T],
+    current_user: CurrentUser,
+) -> list[_T]:
+    if _is_admin(current_user):
+        statement = select(model)
+        return cast(list[_T], session.exec(statement).all())
+    return list_owned(session, model, current_user)
+
+
+def check_household_inventory_access(
+    session: Session,
+    inventory_id: UUID,
+    current_user: CurrentUser,
+) -> ProductInventory:
+    inventory = session.get(ProductInventory, inventory_id)
+    if inventory is None:
+        raise _not_found(ProductInventory.__name__)
+
+    if _is_admin(current_user):
+        return inventory
+
+    owner_user_id = inventory.user_id
+    if owner_user_id == current_user.user_id:
+        return inventory
+
+    if not inventory.is_household_shared or owner_user_id is None:
+        raise _not_found(ProductInventory.__name__)
+
+    if not _is_same_household(session, owner_user_id, current_user):
+        raise _not_found(ProductInventory.__name__)
+
+    return inventory
+
+
+def can_update_inventory(
+    session: Session,
+    inventory_id: UUID,
+    current_user: CurrentUser,
+) -> bool:
+    inventory = session.get(ProductInventory, inventory_id)
+    if inventory is None:
+        return False
+    if _is_admin(current_user):
+        return True
+    return inventory.user_id == current_user.user_id
+
+
+def is_product_visible(
+    session: Session, product_id: UUID, current_user: CurrentUser
+) -> bool:
+    product = session.get(Product, product_id)
+    if product is None:
+        return False
+
+    if _is_admin(current_user):
+        return True
+
+    if product.user_id == current_user.user_id:
+        return True
+
+    if current_user.household_membership is None:
+        return False
+
+    inventories = session.exec(
+        select(ProductInventory).where(ProductInventory.product_id == product_id)
+    ).all()
+    for inventory in inventories:
+        if not inventory.is_household_shared or inventory.user_id is None:
+            continue
+        if _is_same_household(session, inventory.user_id, current_user):
+            return True
+    return False
diff --git a/backend/innercontext/api/utils.py b/backend/innercontext/api/utils.py
index 6321f07..af40248 100644
--- a/backend/innercontext/api/utils.py
+++ b/backend/innercontext/api/utils.py
@@ -3,6 +3,18 @@ from typing import TypeVar
 from fastapi import HTTPException
 from sqlmodel import Session
 
+from innercontext.api.authz import (
+    get_owned_or_404 as authz_get_owned_or_404,
+)
+from innercontext.api.authz import (
+    get_owned_or_404_admin_override as authz_get_owned_or_404_admin_override,
+)
+from innercontext.api.authz import list_owned as authz_list_owned
+from innercontext.api.authz import (
+    list_owned_admin_override as authz_list_owned_admin_override,
+)
+from innercontext.auth import CurrentUser
+
 _T = TypeVar("_T")
 
 
@@ -11,3 +23,37 @@ def get_or_404(session: Session, model: type[_T], record_id: object) -> _T:
     if obj is None:
         raise HTTPException(status_code=404, detail=f"{model.__name__} not found")
     return obj
+
+
+def get_owned_or_404(
+    session: Session,
+    model: type[_T],
+    record_id: object,
+    current_user: CurrentUser,
+) -> _T:
+    return authz_get_owned_or_404(session, model, record_id, current_user)
+
+
+def get_owned_or_404_admin_override(
+    session: Session,
+    model: type[_T],
+    record_id: object,
+    current_user: CurrentUser,
+) -> _T:
+    return authz_get_owned_or_404_admin_override(
+        session, model, record_id, current_user
+    )
+
+
+def list_owned(
+    session: Session, model: type[_T], current_user: CurrentUser
+) -> list[_T]:
+    return authz_list_owned(session, model, current_user)
+
+
+def list_owned_admin_override(
+    session: Session,
+    model: type[_T],
+    current_user: CurrentUser,
+) -> list[_T]:
+    return authz_list_owned_admin_override(session, model, current_user)
diff --git a/backend/tests/test_authz.py b/backend/tests/test_authz.py
new file mode 100644
index 0000000..d870678
--- /dev/null
+++ b/backend/tests/test_authz.py
@@ -0,0 +1,293 @@
+from __future__ import annotations
+
+from datetime import UTC, datetime, timedelta
+from uuid import UUID, uuid4
+
+import pytest
+from fastapi import HTTPException
+from sqlmodel import Session
+
+from innercontext.api.authz import (
+    can_update_inventory,
+    check_household_inventory_access,
+    get_owned_or_404,
+    get_owned_or_404_admin_override,
+    is_product_visible,
+    list_owned,
+    list_owned_admin_override,
+)
+from innercontext.auth import (
+    CurrentHouseholdMembership,
+    CurrentUser,
+    IdentityData,
+    TokenClaims,
+)
+from innercontext.models import (
+    Household,
+    HouseholdMembership,
+    HouseholdRole,
+    DayTime,
+    MedicationEntry,
+    MedicationKind,
+    Product,
+    ProductCategory,
+    ProductInventory,
+    Role,
+)
+
+
+def _claims(subject: str) -> TokenClaims:
+    return TokenClaims(
+        issuer="https://auth.example.test",
+        subject=subject,
+        audience=("innercontext-web",),
+        expires_at=datetime.now(UTC) + timedelta(hours=1),
+        raw_claims={"iss": "https://auth.example.test", "sub": subject},
+    )
+
+
+def _current_user(
+    user_id: UUID,
+    *,
+    role: Role = Role.MEMBER,
+    household_id: UUID | None = None,
+) -> CurrentUser:
+    claims = _claims(str(user_id))
+    membership = None
+    if household_id is not None:
+        membership = CurrentHouseholdMembership(
+            household_id=household_id,
+            role=HouseholdRole.MEMBER,
+        )
+    return CurrentUser(
+        user_id=user_id,
+        role=role,
+        identity=IdentityData.from_claims(claims),
+        claims=claims,
+        household_membership=membership,
+    )
+
+
+def _create_household(session: Session) -> Household:
+    household = Household()
+    session.add(household)
+    session.commit()
+    session.refresh(household)
+    return household
+
+
+def _create_membership(
+    session: Session, user_id: UUID, household_id: UUID
+) -> HouseholdMembership:
+    membership = HouseholdMembership(user_id=user_id, household_id=household_id)
+    session.add(membership)
+    session.commit()
+    session.refresh(membership)
+    return membership
+
+
+def _create_medication(session: Session, user_id: UUID) -> MedicationEntry:
+    entry = MedicationEntry(
+        user_id=user_id,
+        kind=MedicationKind.PRESCRIPTION,
+        product_name="Test medication",
+    )
+    session.add(entry)
+    session.commit()
+    session.refresh(entry)
+    return entry
+
+
+def _create_product(session: Session, user_id: UUID, short_id: str) -> Product:
+    product = Product(
+        user_id=user_id,
+        short_id=short_id,
+        name="Shared product",
+        brand="Test brand",
+        category=ProductCategory.MOISTURIZER,
+        recommended_time=DayTime.BOTH,
+        leave_on=True,
+    )
+    setattr(product, "product_effect_profile", {})
+    session.add(product)
+    session.commit()
+    session.refresh(product)
+    return product
+
+
+def _create_inventory(
+    session: Session,
+    *,
+    user_id: UUID,
+    product_id: UUID,
+    is_household_shared: bool,
+) -> ProductInventory:
+    inventory = ProductInventory(
+        user_id=user_id,
+        product_id=product_id,
+        is_household_shared=is_household_shared,
+    )
+    session.add(inventory)
+    session.commit()
+    session.refresh(inventory)
+    return inventory
+
+
+def test_owner_helpers_return_only_owned_records(session: Session):
+    owner_id = uuid4()
+    other_id = uuid4()
+    owner_user = _current_user(owner_id)
+    owner_entry = _create_medication(session, owner_id)
+    _ = _create_medication(session, other_id)
+
+    fetched = get_owned_or_404(
+        session, MedicationEntry, owner_entry.record_id, owner_user
+    )
+    owned_entries = list_owned(session, MedicationEntry, owner_user)
+
+    assert fetched.record_id == owner_entry.record_id
+    assert len(owned_entries) == 1
+    assert owned_entries[0].user_id == owner_id
+
+
+def test_admin_helpers_allow_admin_override_for_lookup_and_list(session: Session):
+    owner_id = uuid4()
+    admin_user = _current_user(uuid4(), role=Role.ADMIN)
+    owner_entry = _create_medication(session, owner_id)
+
+    fetched = get_owned_or_404_admin_override(
+        session,
+        MedicationEntry,
+        owner_entry.record_id,
+        admin_user,
+    )
+    listed = list_owned_admin_override(session, MedicationEntry, admin_user)
+
+    assert fetched.record_id == owner_entry.record_id
+    assert len(listed) == 1
+
+
+def test_owner_denied_for_non_owned_lookup_returns_404(session: Session):
+    owner_id = uuid4()
+    intruder = _current_user(uuid4())
+    owner_entry = _create_medication(session, owner_id)
+
+    with pytest.raises(HTTPException) as exc_info:
+        _ = get_owned_or_404(session, MedicationEntry, owner_entry.record_id, intruder)
+
+    assert exc_info.value.status_code == 404
+
+
+def test_household_shared_inventory_access_allows_same_household_member(
+    session: Session,
+):
+    owner_id = uuid4()
+    household_member_id = uuid4()
+    household = _create_household(session)
+    _ = _create_membership(session, owner_id, household.id)
+    _ = _create_membership(session, household_member_id, household.id)
+
+    product = _create_product(session, owner_id, short_id="abcd0001")
+    inventory = _create_inventory(
+        session,
+        user_id=owner_id,
+        product_id=product.id,
+        is_household_shared=True,
+    )
+
+    current_user = _current_user(household_member_id, household_id=household.id)
+    fetched = check_household_inventory_access(session, inventory.id, current_user)
+
+    assert fetched.id == inventory.id
+
+
+def test_household_shared_inventory_denied_for_cross_household_member(session: Session):
+    owner_id = uuid4()
+    outsider_id = uuid4()
+    owner_household = _create_household(session)
+    outsider_household = _create_household(session)
+    _ = _create_membership(session, owner_id, owner_household.id)
+    _ = _create_membership(session, outsider_id, outsider_household.id)
+
+    product = _create_product(session, owner_id, short_id="abcd0002")
+    inventory = _create_inventory(
+        session,
+        user_id=owner_id,
+        product_id=product.id,
+        is_household_shared=True,
+    )
+
+    outsider = _current_user(outsider_id, household_id=outsider_household.id)
+
+    with pytest.raises(HTTPException) as exc_info:
+        _ = check_household_inventory_access(session, inventory.id, outsider)
+
+    assert exc_info.value.status_code == 404
+
+
+def test_household_inventory_update_rules_owner_admin_and_member(session: Session):
+    owner_id = uuid4()
+    member_id = uuid4()
+    household = _create_household(session)
+    _ = _create_membership(session, owner_id, household.id)
+    _ = _create_membership(session, member_id, household.id)
+
+    product = _create_product(session, owner_id, short_id="abcd0003")
+    inventory = _create_inventory(
+        session,
+        user_id=owner_id,
+        product_id=product.id,
+        is_household_shared=True,
+    )
+
+    owner = _current_user(owner_id, household_id=household.id)
+    admin = _current_user(uuid4(), role=Role.ADMIN)
+    member = _current_user(member_id, household_id=household.id)
+
+    assert can_update_inventory(session, inventory.id, owner) is True
+    assert can_update_inventory(session, inventory.id, admin) is True
+    assert can_update_inventory(session, inventory.id, member) is False
+
+
+def test_product_visibility_for_owner_admin_and_household_shared(session: Session):
+    owner_id = uuid4()
+    member_id = uuid4()
+    household = _create_household(session)
+    _ = _create_membership(session, owner_id, household.id)
+    _ = _create_membership(session, member_id, household.id)
+
+    product = _create_product(session, owner_id, short_id="abcd0004")
+    _ = _create_inventory(
+        session,
+        user_id=owner_id,
+        product_id=product.id,
+        is_household_shared=True,
+    )
+
+    owner = _current_user(owner_id, household_id=household.id)
+    admin = _current_user(uuid4(), role=Role.ADMIN)
+    member = _current_user(member_id, household_id=household.id)
+
+    assert is_product_visible(session, product.id, owner) is True
+    assert is_product_visible(session, product.id, admin) is True
+    assert is_product_visible(session, product.id, member) is True
+
+
+def test_product_visibility_denied_for_cross_household_member(session: Session):
+    owner_id = uuid4()
+    outsider_id = uuid4()
+    owner_household = _create_household(session)
+    outsider_household = _create_household(session)
+    _ = _create_membership(session, owner_id, owner_household.id)
+    _ = _create_membership(session, outsider_id, outsider_household.id)
+
+    product = _create_product(session, owner_id, short_id="abcd0005")
+    _ = _create_inventory(
+        session,
+        user_id=owner_id,
+        product_id=product.id,
+        is_household_shared=True,
+    )
+    outsider = _current_user(outsider_id, household_id=outsider_household.id)
+
+    assert is_product_visible(session, product.id, outsider) is False

From 803bc3b4cdf911fd24b9edc40daa04157ef24f08 Mon Sep 17 00:00:00 2001
From: Piotr Oleszczyk <piotr@oleszczyk.eu>
Date: Thu, 12 Mar 2026 15:37:39 +0100
Subject: [PATCH 03/10] feat(api): scope products and inventory by owner and
 household

---
 backend/innercontext/api/authz.py     |   6 +-
 backend/innercontext/api/inventory.py |  34 ++-
 backend/innercontext/api/products.py  | 152 ++++++++---
 backend/tests/test_authz.py           |   2 +-
 backend/tests/test_products_auth.py   | 370 ++++++++++++++++++++++++++
 5 files changed, 520 insertions(+), 44 deletions(-)
 create mode 100644 backend/tests/test_products_auth.py

diff --git a/backend/innercontext/api/authz.py b/backend/innercontext/api/authz.py
index 23f71dc..82558e3 100644
--- a/backend/innercontext/api/authz.py
+++ b/backend/innercontext/api/authz.py
@@ -143,7 +143,11 @@ def can_update_inventory(
         return False
     if _is_admin(current_user):
         return True
-    return inventory.user_id == current_user.user_id
+    if inventory.user_id == current_user.user_id:
+        return True
+    if not inventory.is_household_shared or inventory.user_id is None:
+        return False
+    return _is_same_household(session, inventory.user_id, current_user)
 
 
 def is_product_visible(
diff --git a/backend/innercontext/api/inventory.py b/backend/innercontext/api/inventory.py
index 9d50034..6c3d797 100644
--- a/backend/innercontext/api/inventory.py
+++ b/backend/innercontext/api/inventory.py
@@ -1,19 +1,29 @@
 from uuid import UUID
 
-from fastapi import APIRouter, Depends
+from fastapi import APIRouter, Depends, HTTPException
 from sqlmodel import Session
 
 from db import get_session
+from innercontext.api.auth_deps import get_current_user
+from innercontext.api.authz import (
+    can_update_inventory,
+    check_household_inventory_access,
+)
 from innercontext.api.products import InventoryUpdate
-from innercontext.api.utils import get_or_404
+from innercontext.api.utils import get_or_404, get_owned_or_404_admin_override
+from innercontext.auth import CurrentUser
 from innercontext.models import ProductInventory
 
 router = APIRouter()
 
 
 @router.get("/{inventory_id}", response_model=ProductInventory)
-def get_inventory(inventory_id: UUID, session: Session = Depends(get_session)):
-    return get_or_404(session, ProductInventory, inventory_id)
+def get_inventory(
+    inventory_id: UUID,
+    session: Session = Depends(get_session),
+    current_user: CurrentUser = Depends(get_current_user),
+):
+    return check_household_inventory_access(session, inventory_id, current_user)
 
 
 @router.patch("/{inventory_id}", response_model=ProductInventory)
@@ -21,7 +31,10 @@ def update_inventory(
     inventory_id: UUID,
     data: InventoryUpdate,
     session: Session = Depends(get_session),
+    current_user: CurrentUser = Depends(get_current_user),
 ):
+    if not can_update_inventory(session, inventory_id, current_user):
+        raise HTTPException(status_code=404, detail="ProductInventory not found")
     entry = get_or_404(session, ProductInventory, inventory_id)
     for key, value in data.model_dump(exclude_unset=True).items():
         setattr(entry, key, value)
@@ -32,7 +45,16 @@ def update_inventory(
 
 
 @router.delete("/{inventory_id}", status_code=204)
-def delete_inventory(inventory_id: UUID, session: Session = Depends(get_session)):
-    entry = get_or_404(session, ProductInventory, inventory_id)
+def delete_inventory(
+    inventory_id: UUID,
+    session: Session = Depends(get_session),
+    current_user: CurrentUser = Depends(get_current_user),
+):
+    entry = get_owned_or_404_admin_override(
+        session,
+        ProductInventory,
+        inventory_id,
+        current_user,
+    )
     session.delete(entry)
     session.commit()
diff --git a/backend/innercontext/api/products.py b/backend/innercontext/api/products.py
index 7391a42..b453c14 100644
--- a/backend/innercontext/api/products.py
+++ b/backend/innercontext/api/products.py
@@ -1,3 +1,5 @@
+# pyright: reportImportCycles=false, reportIncompatibleVariableOverride=false
+
 import json
 import logging
 from datetime import date
@@ -13,6 +15,8 @@ from sqlalchemy import select as sa_select
 from sqlmodel import Field, Session, SQLModel, col, select
 
 from db import get_session
+from innercontext.api.auth_deps import get_current_user
+from innercontext.api.authz import is_product_visible
 from innercontext.api.llm_context import build_user_profile_context
 from innercontext.api.product_llm_tools import (
     PRODUCT_DETAILS_FUNCTION_DECLARATION,
@@ -24,7 +28,8 @@ from innercontext.api.product_llm_tools import (
     build_last_used_on_by_product,
     build_product_details_tool_handler,
 )
-from innercontext.api.utils import get_or_404
+from innercontext.api.utils import get_or_404, get_owned_or_404_admin_override
+from innercontext.auth import CurrentUser
 from innercontext.llm import (
     call_gemini,
     call_gemini_with_function_tools,
@@ -42,6 +47,7 @@ from innercontext.models import (
     SkinConcern,
     SkinConditionSnapshot,
 )
+from innercontext.models import Role
 from innercontext.models.ai_log import AICallLog
 from innercontext.models.api_metadata import ResponseMetadata, TokenMetrics
 from innercontext.models.enums import (
@@ -67,6 +73,34 @@ logger = logging.getLogger(__name__)
 router = APIRouter()
 
 
+def _is_inventory_visible_to_user(
+    inventory: ProductInventory,
+    session: Session,
+    current_user: CurrentUser,
+) -> bool:
+    if current_user.role is Role.ADMIN:
+        return True
+    if inventory.user_id == current_user.user_id:
+        return True
+    if not inventory.is_household_shared:
+        return False
+    if inventory.user_id is None:
+        return False
+    return is_product_visible(session, inventory.product_id, current_user)
+
+
+def _visible_inventory_for_product(
+    inventories: list[ProductInventory],
+    session: Session,
+    current_user: CurrentUser,
+) -> list[ProductInventory]:
+    return [
+        inventory
+        for inventory in inventories
+        if _is_inventory_visible_to_user(inventory, session, current_user)
+    ]
+
+
 def _build_response_metadata(session: Session, log_id: Any) -> ResponseMetadata | None:
     """Build ResponseMetadata from AICallLog for Phase 3 observability."""
     if not log_id:
@@ -214,15 +248,15 @@ class ProductListItem(SQLModel):
 
 class AIActiveIngredient(ActiveIngredient):
     # Gemini API rejects int-enum values in response_schema; override with plain int.
-    strength_level: Optional[int] = None  # type: ignore[assignment]
-    irritation_potential: Optional[int] = None  # type: ignore[assignment]
+    strength_level: Optional[int] = None  # pyright: ignore[reportIncompatibleVariableOverride]
+    irritation_potential: Optional[int] = None  # pyright: ignore[reportIncompatibleVariableOverride]
 
 
 class ProductParseLLMResponse(ProductParseResponse):
     # Gemini response schema currently requires enum values to be strings.
     # Strength fields are numeric in our domain (1-3), so keep them as ints here
     # and convert via ProductParseResponse validation afterward.
-    actives: Optional[list[AIActiveIngredient]] = None  # type: ignore[assignment]
+    actives: Optional[list[AIActiveIngredient]] = None  # pyright: ignore[reportIncompatibleVariableOverride]
 
 
 class InventoryCreate(SQLModel):
@@ -610,6 +644,7 @@ def list_products(
     is_medication: Optional[bool] = None,
     is_tool: Optional[bool] = None,
     session: Session = Depends(get_session),
+    current_user: CurrentUser = Depends(get_current_user),
 ):
     stmt = select(Product)
     if category is not None:
@@ -622,6 +657,12 @@ def list_products(
         stmt = stmt.where(Product.is_tool == is_tool)
 
     products = list(session.exec(stmt).all())
+    if current_user.role is not Role.ADMIN:
+        products = [
+            product
+            for product in products
+            if is_product_visible(session, product.id, current_user)
+        ]
 
     # Filter by targets (JSON column — done in Python)
     if targets:
@@ -646,20 +687,28 @@ def list_products(
         if product_ids
         else []
     )
-    inv_by_product: dict = {}
+    inv_by_product: dict[UUID, list[ProductInventory]] = {}
     for inv in inventory_rows:
         inv_by_product.setdefault(inv.product_id, []).append(inv)
 
     results = []
     for p in products:
         r = ProductWithInventory.model_validate(p, from_attributes=True)
-        r.inventory = inv_by_product.get(p.id, [])
+        r.inventory = _visible_inventory_for_product(
+            inv_by_product.get(p.id, []),
+            session,
+            current_user,
+        )
         results.append(r)
     return results
 
 
 @router.post("", response_model=ProductPublic, status_code=201)
-def create_product(data: ProductCreate, session: Session = Depends(get_session)):
+def create_product(
+    data: ProductCreate,
+    session: Session = Depends(get_session),
+    current_user: CurrentUser = Depends(get_current_user),
+):
     payload = data.model_dump()
     if payload.get("price_currency"):
         payload["price_currency"] = str(payload["price_currency"]).upper()
@@ -667,6 +716,7 @@ def create_product(data: ProductCreate, session: Session = Depends(get_session))
     product_id = uuid4()
     product = Product(
         id=product_id,
+        user_id=current_user.user_id,
         short_id=str(product_id)[:8],
         **payload,
     )
@@ -849,10 +899,12 @@ def list_products_summary(
     is_medication: Optional[bool] = None,
     is_tool: Optional[bool] = None,
     session: Session = Depends(get_session),
+    current_user: CurrentUser = Depends(get_current_user),
 ):
     product_table = inspect(Product).local_table
     stmt = sa_select(
         product_table.c.id,
+        product_table.c.user_id,
         product_table.c.name,
         product_table.c.brand,
         product_table.c.category,
@@ -872,6 +924,10 @@ def list_products_summary(
         stmt = stmt.where(product_table.c.is_tool == is_tool)
 
     rows = list(session.execute(stmt).all())
+    if current_user.role is not Role.ADMIN:
+        rows = [
+            row for row in rows if is_product_visible(session, row[0], current_user)
+        ]
 
     if targets:
         target_values = {t.value for t in targets}
@@ -884,26 +940,11 @@ def list_products_summary(
             )
         ]
 
-    product_ids = [row[0] for row in rows]
-    inventory_rows = (
-        session.exec(
-            select(ProductInventory).where(
-                col(ProductInventory.product_id).in_(product_ids)
-            )
-        ).all()
-        if product_ids
-        else []
-    )
-    owned_ids = {
-        inv.product_id
-        for inv in inventory_rows
-        if inv.product_id is not None and inv.finished_at is None
-    }
-
     results: list[ProductListItem] = []
     for row in rows:
         (
             product_id,
+            product_user_id,
             name,
             brand_value,
             category_value,
@@ -921,7 +962,7 @@ def list_products_summary(
                 category=category_value,
                 recommended_time=recommended_time,
                 targets=row_targets or [],
-                is_owned=product_id in owned_ids,
+                is_owned=product_user_id == current_user.user_id,
                 price_tier=price_tier,
                 price_per_use_pln=price_per_use_pln,
                 price_tier_source=price_tier_source,
@@ -932,22 +973,35 @@ def list_products_summary(
 
 
 @router.get("/{product_id}", response_model=ProductWithInventory)
-def get_product(product_id: UUID, session: Session = Depends(get_session)):
+def get_product(
+    product_id: UUID,
+    session: Session = Depends(get_session),
+    current_user: CurrentUser = Depends(get_current_user),
+):
     product = get_or_404(session, Product, product_id)
+    if not is_product_visible(session, product_id, current_user):
+        raise HTTPException(status_code=404, detail="Product not found")
 
     inventory = session.exec(
         select(ProductInventory).where(ProductInventory.product_id == product_id)
     ).all()
     result = ProductWithInventory.model_validate(product, from_attributes=True)
-    result.inventory = list(inventory)
+    result.inventory = _visible_inventory_for_product(
+        list(inventory), session, current_user
+    )
     return result
 
 
 @router.patch("/{product_id}", response_model=ProductPublic)
 def update_product(
-    product_id: UUID, data: ProductUpdate, session: Session = Depends(get_session)
+    product_id: UUID,
+    data: ProductUpdate,
+    session: Session = Depends(get_session),
+    current_user: CurrentUser = Depends(get_current_user),
 ):
-    product = get_or_404(session, Product, product_id)
+    product = get_owned_or_404_admin_override(
+        session, Product, product_id, current_user
+    )
     patch_data = data.model_dump(exclude_unset=True)
     if patch_data.get("price_currency"):
         patch_data["price_currency"] = str(patch_data["price_currency"]).upper()
@@ -962,8 +1016,14 @@ def update_product(
 
 
 @router.delete("/{product_id}", status_code=204)
-def delete_product(product_id: UUID, session: Session = Depends(get_session)):
-    product = get_or_404(session, Product, product_id)
+def delete_product(
+    product_id: UUID,
+    session: Session = Depends(get_session),
+    current_user: CurrentUser = Depends(get_current_user),
+):
+    product = get_owned_or_404_admin_override(
+        session, Product, product_id, current_user
+    )
     session.delete(product)
     enqueue_pricing_recalc(session)
     session.commit()
@@ -975,10 +1035,17 @@ def delete_product(product_id: UUID, session: Session = Depends(get_session)):
 
 
 @router.get("/{product_id}/inventory", response_model=list[ProductInventory])
-def list_product_inventory(product_id: UUID, session: Session = Depends(get_session)):
+def list_product_inventory(
+    product_id: UUID,
+    session: Session = Depends(get_session),
+    current_user: CurrentUser = Depends(get_current_user),
+):
     get_or_404(session, Product, product_id)
+    if not is_product_visible(session, product_id, current_user):
+        raise HTTPException(status_code=404, detail="Product not found")
     stmt = select(ProductInventory).where(ProductInventory.product_id == product_id)
-    return session.exec(stmt).all()
+    inventories = list(session.exec(stmt).all())
+    return _visible_inventory_for_product(inventories, session, current_user)
 
 
 @router.post(
@@ -988,10 +1055,14 @@ def create_product_inventory(
     product_id: UUID,
     data: InventoryCreate,
     session: Session = Depends(get_session),
+    current_user: CurrentUser = Depends(get_current_user),
 ):
-    get_or_404(session, Product, product_id)
+    product = get_owned_or_404_admin_override(
+        session, Product, product_id, current_user
+    )
     entry = ProductInventory(
         id=uuid4(),
+        user_id=product.user_id or current_user.user_id,
         product_id=product_id,
         **data.model_dump(),
     )
@@ -1018,11 +1089,16 @@ def _ev(v: object) -> str:
 def _build_shopping_context(
     session: Session,
     reference_date: date,
+    current_user: CurrentUser,
     *,
     products: list[Product] | None = None,
     last_used_on_by_product: dict[str, date] | None = None,
 ) -> str:
-    profile_ctx = build_user_profile_context(session, reference_date=reference_date)
+    profile_ctx = build_user_profile_context(
+        session,
+        reference_date=reference_date,
+        current_user=current_user,
+    )
     snapshot = session.exec(
         select(SkinConditionSnapshot).order_by(
             col(SkinConditionSnapshot.snapshot_date).desc()
@@ -1061,7 +1137,7 @@ def _build_shopping_context(
         if product_ids
         else []
     )
-    inv_by_product: dict = {}
+    inv_by_product: dict[UUID, list[ProductInventory]] = {}
     for inv in inventory_rows:
         inv_by_product.setdefault(inv.product_id, []).append(inv)
 
@@ -1213,7 +1289,10 @@ Format odpowiedzi - zwróć wyłącznie JSON zgodny z podanym schematem."""
 
 
 @router.post("/suggest", response_model=ShoppingSuggestionResponse)
-def suggest_shopping(session: Session = Depends(get_session)):
+def suggest_shopping(
+    session: Session = Depends(get_session),
+    current_user: CurrentUser = Depends(get_current_user),
+):
     reference_date = date.today()
     shopping_products = _get_shopping_products(session)
     last_used_on_by_product = build_last_used_on_by_product(
@@ -1223,6 +1302,7 @@ def suggest_shopping(session: Session = Depends(get_session)):
     context = _build_shopping_context(
         session,
         reference_date=reference_date,
+        current_user=current_user,
         products=shopping_products,
         last_used_on_by_product=last_used_on_by_product,
     )
diff --git a/backend/tests/test_authz.py b/backend/tests/test_authz.py
index d870678..34a59c0 100644
--- a/backend/tests/test_authz.py
+++ b/backend/tests/test_authz.py
@@ -246,7 +246,7 @@ def test_household_inventory_update_rules_owner_admin_and_member(session: Sessio
 
     assert can_update_inventory(session, inventory.id, owner) is True
     assert can_update_inventory(session, inventory.id, admin) is True
-    assert can_update_inventory(session, inventory.id, member) is False
+    assert can_update_inventory(session, inventory.id, member) is True
 
 
 def test_product_visibility_for_owner_admin_and_household_shared(session: Session):
diff --git a/backend/tests/test_products_auth.py b/backend/tests/test_products_auth.py
new file mode 100644
index 0000000..c5cc18a
--- /dev/null
+++ b/backend/tests/test_products_auth.py
@@ -0,0 +1,370 @@
+from __future__ import annotations
+
+from datetime import UTC, datetime, timedelta
+from uuid import UUID, uuid4
+
+import pytest
+from fastapi.testclient import TestClient
+
+from db import get_session
+from innercontext.api.auth_deps import get_current_user
+from innercontext.auth import (
+    CurrentHouseholdMembership,
+    CurrentUser,
+    IdentityData,
+    TokenClaims,
+)
+from innercontext.models import (
+    DayTime,
+    Household,
+    HouseholdMembership,
+    HouseholdRole,
+    Product,
+    ProductCategory,
+    ProductInventory,
+    Role,
+)
+from main import app
+
+
+def _current_user(
+    user_id: UUID,
+    *,
+    role: Role = Role.MEMBER,
+    household_id: UUID | None = None,
+) -> CurrentUser:
+    claims = TokenClaims(
+        issuer="https://auth.test",
+        subject=str(user_id),
+        audience=("innercontext-web",),
+        expires_at=datetime.now(UTC) + timedelta(hours=1),
+        groups=("innercontext-member",),
+        raw_claims={"iss": "https://auth.test", "sub": str(user_id)},
+    )
+    membership = None
+    if household_id is not None:
+        membership = CurrentHouseholdMembership(
+            household_id=household_id,
+            role=HouseholdRole.MEMBER,
+        )
+    return CurrentUser(
+        user_id=user_id,
+        role=role,
+        identity=IdentityData.from_claims(claims),
+        claims=claims,
+        household_membership=membership,
+    )
+
+
+def _create_membership(session, user_id: UUID, household_id: UUID) -> None:
+    membership = HouseholdMembership(
+        user_id=user_id,
+        household_id=household_id,
+        role=HouseholdRole.MEMBER,
+    )
+    session.add(membership)
+    session.commit()
+
+
+def _create_product(session, *, user_id: UUID, short_id: str, name: str) -> Product:
+    product = Product(
+        user_id=user_id,
+        short_id=short_id,
+        name=name,
+        brand="Brand",
+        category=ProductCategory.SERUM,
+        recommended_time=DayTime.BOTH,
+        leave_on=True,
+    )
+    setattr(product, "product_effect_profile", {})
+    session.add(product)
+    session.commit()
+    session.refresh(product)
+    return product
+
+
+def _create_inventory(
+    session,
+    *,
+    user_id: UUID,
+    product_id: UUID,
+    is_household_shared: bool,
+) -> ProductInventory:
+    entry = ProductInventory(
+        user_id=user_id,
+        product_id=product_id,
+        is_household_shared=is_household_shared,
+    )
+    session.add(entry)
+    session.commit()
+    session.refresh(entry)
+    return entry
+
+
+@pytest.fixture()
+def auth_client(session):
+    auth_state = {"current_user": _current_user(uuid4(), role=Role.ADMIN)}
+
+    def _session_override():
+        yield session
+
+    def _current_user_override():
+        return auth_state["current_user"]
+
+    app.dependency_overrides[get_session] = _session_override
+    app.dependency_overrides[get_current_user] = _current_user_override
+    with TestClient(app) as client:
+        yield client, auth_state
+    app.dependency_overrides.clear()
+
+
+def test_product_endpoints_require_authentication(session):
+    def _session_override():
+        yield session
+
+    app.dependency_overrides[get_session] = _session_override
+    app.dependency_overrides.pop(get_current_user, None)
+    with TestClient(app) as client:
+        response = client.get("/products")
+    app.dependency_overrides.clear()
+
+    assert response.status_code == 401
+    assert response.json()["detail"] == "Missing bearer token"
+
+
+def test_shared_product_visible_in_summary_marks_is_owned_false(auth_client, session):
+    client, auth_state = auth_client
+
+    owner_id = uuid4()
+    member_id = uuid4()
+    household = Household()
+    session.add(household)
+    session.commit()
+    session.refresh(household)
+    _create_membership(session, owner_id, household.id)
+    _create_membership(session, member_id, household.id)
+
+    shared_product = _create_product(
+        session,
+        user_id=owner_id,
+        short_id="shprd001",
+        name="Shared Product",
+    )
+    _ = _create_inventory(
+        session,
+        user_id=owner_id,
+        product_id=shared_product.id,
+        is_household_shared=True,
+    )
+
+    auth_state["current_user"] = _current_user(member_id, household_id=household.id)
+    response = client.get("/products/summary")
+
+    assert response.status_code == 200
+    items = response.json()
+    shared_item = next(item for item in items if item["id"] == str(shared_product.id))
+    assert shared_item["is_owned"] is False
+
+
+def test_shared_product_visible_filters_private_inventory_rows(auth_client, session):
+    client, auth_state = auth_client
+
+    owner_id = uuid4()
+    member_id = uuid4()
+    household = Household()
+    session.add(household)
+    session.commit()
+    session.refresh(household)
+    _create_membership(session, owner_id, household.id)
+    _create_membership(session, member_id, household.id)
+
+    product = _create_product(
+        session,
+        user_id=owner_id,
+        short_id="shprd002",
+        name="Shared Inventory Product",
+    )
+    shared_row = _create_inventory(
+        session,
+        user_id=owner_id,
+        product_id=product.id,
+        is_household_shared=True,
+    )
+    _ = _create_inventory(
+        session,
+        user_id=owner_id,
+        product_id=product.id,
+        is_household_shared=False,
+    )
+
+    auth_state["current_user"] = _current_user(member_id, household_id=household.id)
+    response = client.get(f"/products/{product.id}")
+
+    assert response.status_code == 200
+    inventory_ids = {entry["id"] for entry in response.json()["inventory"]}
+    assert str(shared_row.id) in inventory_ids
+    assert len(inventory_ids) == 1
+
+
+def test_shared_inventory_update_allows_household_member(auth_client, session):
+    client, auth_state = auth_client
+
+    owner_id = uuid4()
+    member_id = uuid4()
+    household = Household()
+    session.add(household)
+    session.commit()
+    session.refresh(household)
+    _create_membership(session, owner_id, household.id)
+    _create_membership(session, member_id, household.id)
+
+    product = _create_product(
+        session,
+        user_id=owner_id,
+        short_id="shprd003",
+        name="Shared Update Product",
+    )
+    inventory = _create_inventory(
+        session,
+        user_id=owner_id,
+        product_id=product.id,
+        is_household_shared=True,
+    )
+
+    auth_state["current_user"] = _current_user(member_id, household_id=household.id)
+    response = client.patch(
+        f"/inventory/{inventory.id}",
+        json={"is_opened": True, "remaining_level": "low"},
+    )
+
+    assert response.status_code == 200
+    assert response.json()["is_opened"] is True
+    assert response.json()["remaining_level"] == "low"
+
+
+def test_household_member_cannot_edit_shared_product(auth_client, session):
+    client, auth_state = auth_client
+
+    owner_id = uuid4()
+    member_id = uuid4()
+    household = Household()
+    session.add(household)
+    session.commit()
+    session.refresh(household)
+    _create_membership(session, owner_id, household.id)
+    _create_membership(session, member_id, household.id)
+
+    product = _create_product(
+        session,
+        user_id=owner_id,
+        short_id="shprd004",
+        name="Shared No Edit",
+    )
+    _ = _create_inventory(
+        session,
+        user_id=owner_id,
+        product_id=product.id,
+        is_household_shared=True,
+    )
+
+    auth_state["current_user"] = _current_user(member_id, household_id=household.id)
+    response = client.patch(f"/products/{product.id}", json={"name": "Intrusion"})
+
+    assert response.status_code == 404
+
+
+def test_household_member_cannot_delete_shared_product(auth_client, session):
+    client, auth_state = auth_client
+
+    owner_id = uuid4()
+    member_id = uuid4()
+    household = Household()
+    session.add(household)
+    session.commit()
+    session.refresh(household)
+    _create_membership(session, owner_id, household.id)
+    _create_membership(session, member_id, household.id)
+
+    product = _create_product(
+        session,
+        user_id=owner_id,
+        short_id="shprd005",
+        name="Shared No Delete",
+    )
+    _ = _create_inventory(
+        session,
+        user_id=owner_id,
+        product_id=product.id,
+        is_household_shared=True,
+    )
+
+    auth_state["current_user"] = _current_user(member_id, household_id=household.id)
+    response = client.delete(f"/products/{product.id}")
+
+    assert response.status_code == 404
+
+
+def test_household_member_cannot_create_or_delete_inventory_on_shared_product(
+    auth_client, session
+):
+    client, auth_state = auth_client
+
+    owner_id = uuid4()
+    member_id = uuid4()
+    household = Household()
+    session.add(household)
+    session.commit()
+    session.refresh(household)
+    _create_membership(session, owner_id, household.id)
+    _create_membership(session, member_id, household.id)
+
+    product = _create_product(
+        session,
+        user_id=owner_id,
+        short_id="shprd006",
+        name="Shared Inventory Restrictions",
+    )
+    inventory = _create_inventory(
+        session,
+        user_id=owner_id,
+        product_id=product.id,
+        is_household_shared=True,
+    )
+
+    auth_state["current_user"] = _current_user(member_id, household_id=household.id)
+    create_response = client.post(f"/products/{product.id}/inventory", json={})
+    delete_response = client.delete(f"/inventory/{inventory.id}")
+
+    assert create_response.status_code == 404
+    assert delete_response.status_code == 404
+
+
+def test_household_member_cannot_update_non_shared_inventory(auth_client, session):
+    client, auth_state = auth_client
+
+    owner_id = uuid4()
+    member_id = uuid4()
+    household = Household()
+    session.add(household)
+    session.commit()
+    session.refresh(household)
+    _create_membership(session, owner_id, household.id)
+    _create_membership(session, member_id, household.id)
+
+    product = _create_product(
+        session,
+        user_id=owner_id,
+        short_id="shprd007",
+        name="Private Inventory",
+    )
+    inventory = _create_inventory(
+        session,
+        user_id=owner_id,
+        product_id=product.id,
+        is_household_shared=False,
+    )
+
+    auth_state["current_user"] = _current_user(member_id, household_id=household.id)
+    response = client.patch(f"/inventory/{inventory.id}", json={"is_opened": True})
+
+    assert response.status_code == 404

From cd8e39939a5491d91118b9080b240bdaf3a79fc2 Mon Sep 17 00:00:00 2001
From: Piotr Oleszczyk <piotr@oleszczyk.eu>
Date: Thu, 12 Mar 2026 15:40:55 +0100
Subject: [PATCH 04/10] feat(frontend): add Authelia OIDC session flow

---
 frontend/src/app.d.ts                        |   8 +-
 frontend/src/hooks.server.ts                 |  36 +-
 frontend/src/lib/server/auth.ts              | 695 +++++++++++++++++++
 frontend/src/routes/auth/callback/+server.ts |  30 +
 frontend/src/routes/auth/login/+server.ts    |   8 +
 frontend/src/routes/auth/logout/+server.ts   |  10 +
 6 files changed, 784 insertions(+), 3 deletions(-)
 create mode 100644 frontend/src/lib/server/auth.ts
 create mode 100644 frontend/src/routes/auth/callback/+server.ts
 create mode 100644 frontend/src/routes/auth/login/+server.ts
 create mode 100644 frontend/src/routes/auth/logout/+server.ts

diff --git a/frontend/src/app.d.ts b/frontend/src/app.d.ts
index 520c421..33ab713 100644
--- a/frontend/src/app.d.ts
+++ b/frontend/src/app.d.ts
@@ -1,9 +1,15 @@
+import type { AppSession } from "$lib/server/auth";
+import type { AuthUserPublic } from "$lib/api/generated/types.gen";
+
 // See https://svelte.dev/docs/kit/types#app.d.ts
 // for information about these interfaces
 declare global {
   namespace App {
     // interface Error {}
-    // interface Locals {}
+    interface Locals {
+      session: AppSession | null;
+      user: AuthUserPublic | null;
+    }
     // interface PageData {}
     // interface PageState {}
     // interface Platform {}
diff --git a/frontend/src/hooks.server.ts b/frontend/src/hooks.server.ts
index cb5906d..1983535 100644
--- a/frontend/src/hooks.server.ts
+++ b/frontend/src/hooks.server.ts
@@ -1,6 +1,38 @@
 import { paraglideMiddleware } from "$lib/paraglide/server.js";
-import type { Handle } from "@sveltejs/kit";
+import {
+  buildLoginPath,
+  getRequestSession,
+  isBackendRequest,
+  isProtectedPath,
+  loadAuthenticatedSession,
+} from "$lib/server/auth";
+import type { Handle, HandleFetch } from "@sveltejs/kit";
+import { redirect } from "@sveltejs/kit";
 
 export const handle: Handle = async ({ event, resolve }) => {
-  return paraglideMiddleware(event.request, () => resolve(event));
+  return paraglideMiddleware(event.request, async () => {
+    const session = await loadAuthenticatedSession(event);
+    event.locals.session = session;
+    event.locals.user = session?.user ?? null;
+
+    if (!session && isProtectedPath(event.url.pathname)) {
+      throw redirect(303, buildLoginPath(event.url));
+    }
+
+    return resolve(event);
+  });
+};
+
+export const handleFetch: HandleFetch = async ({ event, request, fetch }) => {
+  const session = getRequestSession(event);
+  if (!session || !isBackendRequest(new URL(request.url), event)) {
+    return fetch(request);
+  }
+
+  const headers = new Headers(request.headers);
+  if (!headers.has("authorization")) {
+    headers.set("authorization", `Bearer ${session.accessToken}`);
+  }
+
+  return fetch(new Request(request, { headers }));
 };
diff --git a/frontend/src/lib/server/auth.ts b/frontend/src/lib/server/auth.ts
new file mode 100644
index 0000000..41f4154
--- /dev/null
+++ b/frontend/src/lib/server/auth.ts
@@ -0,0 +1,695 @@
+import { dev } from "$app/environment";
+import { env as privateEnv } from "$env/dynamic/private";
+import { env as publicEnv } from "$env/dynamic/public";
+import type { Cookies, RequestEvent } from "@sveltejs/kit";
+import {
+  createCipheriv,
+  createDecipheriv,
+  createHash,
+  randomBytes,
+  timingSafeEqual,
+} from "node:crypto";
+import type {
+  AuthIdentityPublic,
+  AuthProfilePublic,
+  AuthSessionResponse,
+  AuthUserPublic,
+} from "$lib/api/generated/types.gen";
+
+const AUTH_COOKIE_NAME = "innercontext_session";
+const LOGIN_COOKIE_NAME = "innercontext_login";
+const DISCOVERY_PATH = "/.well-known/openid-configuration";
+const AUTH_FLOW_TTL_SECONDS = 600;
+const SESSION_REFRESH_WINDOW_SECONDS = 60;
+const DEFAULT_SESSION_MAX_AGE_SECONDS = 60 * 60 * 24 * 30;
+const DEFAULT_API_BASE = "http://localhost:8000";
+const DEFAULT_SCOPES = "openid profile email groups offline_access";
+const CIPHER_ALGORITHM = "aes-256-gcm";
+const CURRENT_VERSION = 1;
+
+type SameSite = "lax" | "strict" | "none";
+
+interface AuthConfig {
+  issuer: string;
+  clientId: string;
+  clientSecret: string | null;
+  discoveryUrl: string;
+  scopes: string;
+  sessionSecret: string;
+}
+
+interface DiscoveryDocument {
+  authorization_endpoint: string;
+  token_endpoint: string;
+  userinfo_endpoint: string;
+  end_session_endpoint?: string;
+}
+
+interface TokenResponse {
+  access_token: string;
+  expires_in?: number;
+  refresh_token?: string;
+  refresh_token_expires_in?: number;
+  refresh_expires_in?: number;
+  token_type?: string;
+  scope?: string;
+  id_token?: string;
+}
+
+interface UserInfoClaims {
+  iss?: string;
+  sub: string;
+  email?: string | null;
+  name?: string | null;
+  preferred_username?: string | null;
+  groups?: string[];
+}
+
+interface LoginFlowState {
+  state: string;
+  codeVerifier: string;
+  returnTo: string;
+}
+
+export interface AppSession {
+  accessToken: string;
+  refreshToken: string | null;
+  tokenType: string;
+  scope: string | null;
+  expiresAt: number;
+  refreshExpiresAt: number | null;
+  user: AuthUserPublic;
+  identity: AuthIdentityPublic;
+  profile: AuthProfilePublic | null;
+}
+
+interface SerializedPayload<T> {
+  v: number;
+  data: T;
+}
+
+let cachedDiscovery: Promise<DiscoveryDocument> | null = null;
+
+function getAuthConfig(): AuthConfig {
+  const issuer = requiredEnv("OIDC_ISSUER");
+
+  return {
+    issuer,
+    clientId: requiredEnv("OIDC_CLIENT_ID"),
+    clientSecret: optionalEnv("OIDC_CLIENT_SECRET"),
+    discoveryUrl:
+      optionalEnv("OIDC_DISCOVERY_URL") ??
+      `${issuer.replace(/\/+$/, "")}${DISCOVERY_PATH}`,
+    scopes: optionalEnv("OIDC_SCOPES") ?? DEFAULT_SCOPES,
+    sessionSecret: requiredEnv("SESSION_SECRET"),
+  };
+}
+
+function requiredEnv(name: string): string {
+  const value = privateEnv[name]?.trim();
+  if (!value) {
+    throw new Error(`Missing required auth environment variable: ${name}`);
+  }
+  return value;
+}
+
+function optionalEnv(name: string): string | null {
+  const value = privateEnv[name]?.trim();
+  return value ? value : null;
+}
+
+function getApiBase(): string {
+  return publicEnv.PUBLIC_API_BASE?.trim() || DEFAULT_API_BASE;
+}
+
+function cookieOptions(maxAge: number) {
+  return {
+    path: "/",
+    httpOnly: true,
+    sameSite: "lax" as SameSite,
+    secure: !dev,
+    maxAge,
+  };
+}
+
+function getSecretKey(): Buffer {
+  const configured = getAuthConfig().sessionSecret;
+
+  if (/^[0-9a-fA-F]{64}$/.test(configured)) {
+    return Buffer.from(configured, "hex");
+  }
+
+  if (/^[A-Za-z0-9_-]{43,44}$/.test(configured)) {
+    const decoded = Buffer.from(configured, "base64url");
+    if (decoded.length === 32) {
+      return decoded;
+    }
+  }
+
+  const utf8 = Buffer.from(configured, "utf8");
+  if (utf8.length >= 32) {
+    return createHash("sha256").update(utf8).digest();
+  }
+
+  throw new Error(
+    "SESSION_SECRET must contain at least 32 bytes or encode exactly 32 bytes",
+  );
+}
+
+function encryptValue<T>(value: T): string {
+  const key = getSecretKey();
+  const iv = randomBytes(12);
+  const cipher = createCipheriv(CIPHER_ALGORITHM, key, iv);
+  const plaintext = Buffer.from(
+    JSON.stringify({
+      v: CURRENT_VERSION,
+      data: value,
+    } satisfies SerializedPayload<T>),
+    "utf8",
+  );
+  const ciphertext = Buffer.concat([cipher.update(plaintext), cipher.final()]);
+  const authTag = cipher.getAuthTag();
+  return Buffer.concat([
+    Buffer.from([CURRENT_VERSION]),
+    iv,
+    authTag,
+    ciphertext,
+  ]).toString("base64url");
+}
+
+function decryptValue<T>(value: string): T | null {
+  try {
+    const payload = Buffer.from(value, "base64url");
+    if (payload.length < 29 || payload[0] !== CURRENT_VERSION) {
+      return null;
+    }
+
+    const iv = payload.subarray(1, 13);
+    const authTag = payload.subarray(13, 29);
+    const ciphertext = payload.subarray(29);
+    const decipher = createDecipheriv(CIPHER_ALGORITHM, getSecretKey(), iv);
+    decipher.setAuthTag(authTag);
+
+    const plaintext = Buffer.concat([
+      decipher.update(ciphertext),
+      decipher.final(),
+    ]).toString("utf8");
+    const parsed = JSON.parse(plaintext) as SerializedPayload<T>;
+    if (parsed.v !== CURRENT_VERSION) {
+      return null;
+    }
+    return parsed.data;
+  } catch {
+    return null;
+  }
+}
+
+function nowInSeconds(): number {
+  return Math.floor(Date.now() / 1000);
+}
+
+function getSessionCookieMaxAge(session: AppSession): number {
+  const expiresAt =
+    session.refreshExpiresAt ??
+    (session.refreshToken
+      ? nowInSeconds() + DEFAULT_SESSION_MAX_AGE_SECONDS
+      : session.expiresAt);
+  return Math.max(expiresAt - nowInSeconds(), 0);
+}
+
+function sanitizeReturnTo(value: string | null | undefined): string {
+  if (!value) {
+    return "/";
+  }
+
+  if (!value.startsWith("/") || value.startsWith("//")) {
+    return "/";
+  }
+
+  if (value.startsWith("/auth")) {
+    return "/";
+  }
+
+  return value;
+}
+
+function normalizeGroups(value: unknown): string[] | undefined {
+  if (value === undefined || value === null) {
+    return undefined;
+  }
+  if (typeof value === "string") {
+    return [value];
+  }
+  if (Array.isArray(value)) {
+    return value.map((entry) => String(entry));
+  }
+  return [String(value)];
+}
+
+function decodeJwtExpiry(token: string): number | null {
+  try {
+    const [, payload] = token.split(".");
+    if (!payload) {
+      return null;
+    }
+    const decoded = JSON.parse(
+      Buffer.from(payload, "base64url").toString("utf8"),
+    ) as {
+      exp?: unknown;
+    };
+    return typeof decoded.exp === "number" ? decoded.exp : null;
+  } catch {
+    return null;
+  }
+}
+
+function sessionNeedsRefresh(session: AppSession): boolean {
+  return session.expiresAt - nowInSeconds() <= SESSION_REFRESH_WINDOW_SECONDS;
+}
+
+function stateMatches(expected: string, actual: string): boolean {
+  const expectedBuffer = Buffer.from(expected, "utf8");
+  const actualBuffer = Buffer.from(actual, "utf8");
+  if (expectedBuffer.length !== actualBuffer.length) {
+    return false;
+  }
+  return timingSafeEqual(expectedBuffer, actualBuffer);
+}
+
+function getRedirectUri(url: URL): string {
+  return new URL("/auth/callback", url.origin).toString();
+}
+
+function getLogoutReturnUri(url: URL): string {
+  return new URL("/", url.origin).toString();
+}
+
+async function parseJsonResponse(response: Response): Promise<unknown> {
+  const text = await response.text();
+  if (!text) {
+    return null;
+  }
+  return JSON.parse(text) as unknown;
+}
+
+async function requestJson<T>(input: string, init?: RequestInit): Promise<T> {
+  const response = await fetch(input, init);
+  if (!response.ok) {
+    const text = await response.text().catch(() => response.statusText);
+    throw new Error(text || response.statusText);
+  }
+  return (await parseJsonResponse(response)) as T;
+}
+
+async function getDiscoveryDocument(): Promise<DiscoveryDocument> {
+  cachedDiscovery ??= requestJson<DiscoveryDocument>(
+    getAuthConfig().discoveryUrl,
+  ).catch((error) => {
+    cachedDiscovery = null;
+    throw error;
+  });
+  return cachedDiscovery;
+}
+
+function buildAuthorizationUrl(
+  url: URL,
+  state: string,
+  codeChallenge: string,
+): Promise<URL> {
+  return getDiscoveryDocument().then((discovery) => {
+    const authUrl = new URL(discovery.authorization_endpoint);
+    const config = getAuthConfig();
+    authUrl.searchParams.set("client_id", config.clientId);
+    authUrl.searchParams.set("response_type", "code");
+    authUrl.searchParams.set("redirect_uri", getRedirectUri(url));
+    authUrl.searchParams.set("scope", config.scopes);
+    authUrl.searchParams.set("state", state);
+    authUrl.searchParams.set("code_challenge", codeChallenge);
+    authUrl.searchParams.set("code_challenge_method", "S256");
+    return authUrl;
+  });
+}
+
+function createPkceVerifier(): string {
+  return randomBytes(32).toString("base64url");
+}
+
+function createPkceChallenge(verifier: string): string {
+  return createHash("sha256").update(verifier).digest("base64url");
+}
+
+function createState(): string {
+  return randomBytes(24).toString("base64url");
+}
+
+function buildTokenRequestBody(
+  values: Record<string, string>,
+): URLSearchParams {
+  const body = new URLSearchParams();
+  for (const [key, value] of Object.entries(values)) {
+    body.set(key, value);
+  }
+
+  const config = getAuthConfig();
+  body.set("client_id", config.clientId);
+  if (config.clientSecret) {
+    body.set("client_secret", config.clientSecret);
+  }
+
+  return body;
+}
+
+async function exchangeCodeForTokens(
+  code: string,
+  codeVerifier: string,
+  redirectUri: string,
+): Promise<TokenResponse> {
+  const discovery = await getDiscoveryDocument();
+  return requestJson<TokenResponse>(discovery.token_endpoint, {
+    method: "POST",
+    headers: { "Content-Type": "application/x-www-form-urlencoded" },
+    body: buildTokenRequestBody({
+      grant_type: "authorization_code",
+      code,
+      redirect_uri: redirectUri,
+      code_verifier: codeVerifier,
+    }),
+  });
+}
+
+async function refreshToken(refreshToken: string): Promise<TokenResponse> {
+  const discovery = await getDiscoveryDocument();
+  return requestJson<TokenResponse>(discovery.token_endpoint, {
+    method: "POST",
+    headers: { "Content-Type": "application/x-www-form-urlencoded" },
+    body: buildTokenRequestBody({
+      grant_type: "refresh_token",
+      refresh_token: refreshToken,
+    }),
+  });
+}
+
+async function fetchUserInfo(accessToken: string): Promise<UserInfoClaims> {
+  const discovery = await getDiscoveryDocument();
+  const payload = await requestJson<Record<string, unknown>>(
+    discovery.userinfo_endpoint,
+    {
+      headers: { Authorization: `Bearer ${accessToken}` },
+    },
+  );
+
+  const subject = payload.sub;
+  if (typeof subject !== "string" || !subject) {
+    throw new Error("OIDC userinfo payload is missing sub");
+  }
+
+  return {
+    iss: typeof payload.iss === "string" ? payload.iss : undefined,
+    sub: subject,
+    email: typeof payload.email === "string" ? payload.email : null,
+    name: typeof payload.name === "string" ? payload.name : null,
+    preferred_username:
+      typeof payload.preferred_username === "string"
+        ? payload.preferred_username
+        : null,
+    groups: normalizeGroups(payload.groups),
+  };
+}
+
+async function syncBackendSession(
+  accessToken: string,
+  claims: UserInfoClaims,
+): Promise<AuthSessionResponse> {
+  return requestJson<AuthSessionResponse>(`${getApiBase()}/auth/session/sync`, {
+    method: "POST",
+    headers: {
+      Authorization: `Bearer ${accessToken}`,
+      "Content-Type": "application/json",
+    },
+    body: JSON.stringify({
+      iss: claims.iss ?? getAuthConfig().issuer,
+      sub: claims.sub,
+      email: claims.email,
+      name: claims.name,
+      preferred_username: claims.preferred_username,
+      groups: claims.groups,
+    }),
+  });
+}
+
+function buildAppSession(
+  tokenResponse: TokenResponse,
+  backendSession: AuthSessionResponse,
+  previousSession?: AppSession,
+): AppSession {
+  const currentTime = nowInSeconds();
+  const accessToken = tokenResponse.access_token;
+  const accessTokenExpiry =
+    typeof tokenResponse.expires_in === "number"
+      ? currentTime + tokenResponse.expires_in
+      : decodeJwtExpiry(accessToken);
+
+  if (!accessTokenExpiry) {
+    throw new Error(
+      "OIDC token response is missing access token expiry information",
+    );
+  }
+
+  const refreshExpiresIn =
+    typeof tokenResponse.refresh_token_expires_in === "number"
+      ? tokenResponse.refresh_token_expires_in
+      : typeof tokenResponse.refresh_expires_in === "number"
+        ? tokenResponse.refresh_expires_in
+        : null;
+
+  return {
+    accessToken,
+    refreshToken:
+      tokenResponse.refresh_token ?? previousSession?.refreshToken ?? null,
+    tokenType:
+      tokenResponse.token_type ?? previousSession?.tokenType ?? "Bearer",
+    scope: tokenResponse.scope ?? previousSession?.scope ?? null,
+    expiresAt: accessTokenExpiry,
+    refreshExpiresAt:
+      refreshExpiresIn !== null
+        ? currentTime + refreshExpiresIn
+        : (previousSession?.refreshExpiresAt ?? null),
+    user: backendSession.user,
+    identity: backendSession.identity,
+    profile: backendSession.profile ?? null,
+  };
+}
+
+export function loadSession(cookies: Cookies): AppSession | null {
+  const raw = cookies.get(AUTH_COOKIE_NAME);
+  if (!raw) {
+    return null;
+  }
+  return decryptValue<AppSession>(raw);
+}
+
+export function setSessionCookie(cookies: Cookies, session: AppSession): void {
+  cookies.set(
+    AUTH_COOKIE_NAME,
+    encryptValue(session),
+    cookieOptions(Math.max(getSessionCookieMaxAge(session), 1)),
+  );
+}
+
+export function clearSessionCookie(cookies: Cookies): void {
+  cookies.delete(AUTH_COOKIE_NAME, { path: "/" });
+}
+
+function loadLoginFlow(cookies: Cookies): LoginFlowState | null {
+  const raw = cookies.get(LOGIN_COOKIE_NAME);
+  if (!raw) {
+    return null;
+  }
+  return decryptValue<LoginFlowState>(raw);
+}
+
+function setLoginFlowCookie(cookies: Cookies, flow: LoginFlowState): void {
+  cookies.set(
+    LOGIN_COOKIE_NAME,
+    encryptValue(flow),
+    cookieOptions(AUTH_FLOW_TTL_SECONDS),
+  );
+}
+
+export function clearLoginFlowCookie(cookies: Cookies): void {
+  cookies.delete(LOGIN_COOKIE_NAME, { path: "/" });
+}
+
+export function clearAuthCookies(cookies: Cookies): void {
+  clearSessionCookie(cookies);
+  clearLoginFlowCookie(cookies);
+}
+
+export async function createLoginRedirect(event: RequestEvent): Promise<URL> {
+  const returnTo = sanitizeReturnTo(event.url.searchParams.get("returnTo"));
+  const codeVerifier = createPkceVerifier();
+  const state = createState();
+
+  setLoginFlowCookie(event.cookies, {
+    state,
+    codeVerifier,
+    returnTo,
+  });
+
+  return buildAuthorizationUrl(
+    event.url,
+    state,
+    createPkceChallenge(codeVerifier),
+  );
+}
+
+export async function finishLogin(event: RequestEvent): Promise<string> {
+  const flow = loadLoginFlow(event.cookies);
+  clearLoginFlowCookie(event.cookies);
+
+  if (!flow) {
+    throw new Error("Missing or invalid login flow state");
+  }
+
+  const state = event.url.searchParams.get("state");
+  const code = event.url.searchParams.get("code");
+
+  if (!state || !stateMatches(flow.state, state)) {
+    throw new Error("OIDC callback state check failed");
+  }
+
+  if (!code) {
+    throw new Error("OIDC callback is missing authorization code");
+  }
+
+  const tokenResponse = await exchangeCodeForTokens(
+    code,
+    flow.codeVerifier,
+    getRedirectUri(event.url),
+  );
+  const userInfo = await fetchUserInfo(tokenResponse.access_token);
+  const backendSession = await syncBackendSession(
+    tokenResponse.access_token,
+    userInfo,
+  );
+  const session = buildAppSession(tokenResponse, backendSession);
+  setSessionCookie(event.cookies, session);
+
+  return flow.returnTo;
+}
+
+export async function refreshSession(session: AppSession): Promise<AppSession> {
+  if (!session.refreshToken) {
+    throw new Error("App session cannot be refreshed without a refresh token");
+  }
+
+  if (
+    session.refreshExpiresAt !== null &&
+    session.refreshExpiresAt <= nowInSeconds()
+  ) {
+    throw new Error("Refresh token has expired");
+  }
+
+  const tokenResponse = await refreshToken(session.refreshToken);
+  const userInfo = await fetchUserInfo(tokenResponse.access_token);
+  const backendSession = await syncBackendSession(
+    tokenResponse.access_token,
+    userInfo,
+  );
+  return buildAppSession(tokenResponse, backendSession, session);
+}
+
+export async function loadAuthenticatedSession(
+  event: RequestEvent,
+): Promise<AppSession | null> {
+  const session = loadSession(event.cookies);
+  if (!session && event.cookies.get(AUTH_COOKIE_NAME)) {
+    clearAuthCookies(event.cookies);
+    return null;
+  }
+
+  if (!session) {
+    return null;
+  }
+
+  if (!sessionNeedsRefresh(session)) {
+    return session;
+  }
+
+  try {
+    const refreshed = await refreshSession(session);
+    setSessionCookie(event.cookies, refreshed);
+    return refreshed;
+  } catch {
+    clearAuthCookies(event.cookies);
+    return null;
+  }
+}
+
+export function isProtectedPath(pathname: string): boolean {
+  if (pathname.startsWith("/auth")) {
+    return false;
+  }
+  if (pathname.startsWith("/_app") || pathname.startsWith("/api")) {
+    return false;
+  }
+  if (
+    pathname === "/favicon.ico" ||
+    pathname === "/robots.txt" ||
+    pathname === "/manifest.webmanifest"
+  ) {
+    return false;
+  }
+  return !/\.[a-zA-Z0-9]+$/.test(pathname);
+}
+
+export function buildLoginPath(url: URL): string {
+  const loginUrl = new URL("/auth/login", url.origin);
+  const returnTo = sanitizeReturnTo(`${url.pathname}${url.search}`);
+  if (returnTo !== "/") {
+    loginUrl.searchParams.set("returnTo", returnTo);
+  }
+  return `${loginUrl.pathname}${loginUrl.search}`;
+}
+
+export async function buildLogoutUrl(url: URL): Promise<string> {
+  let discovery: DiscoveryDocument;
+  try {
+    discovery = await getDiscoveryDocument();
+  } catch {
+    return "/auth/login";
+  }
+
+  if (!discovery.end_session_endpoint) {
+    return "/auth/login";
+  }
+
+  const logoutUrl = new URL(discovery.end_session_endpoint);
+  logoutUrl.searchParams.set("client_id", getAuthConfig().clientId);
+  logoutUrl.searchParams.set(
+    "post_logout_redirect_uri",
+    getLogoutReturnUri(url),
+  );
+  return logoutUrl.toString();
+}
+
+export function getRequestSession(event: RequestEvent): AppSession | null {
+  return event.locals.session ?? null;
+}
+
+export function isBackendRequest(url: URL, event: RequestEvent): boolean {
+  if (url.origin === event.url.origin && url.pathname.startsWith("/api")) {
+    return true;
+  }
+
+  const apiBase = getApiBase();
+  try {
+    const backendUrl = new URL(apiBase);
+    return (
+      url.origin === backendUrl.origin &&
+      url.pathname.startsWith(backendUrl.pathname)
+    );
+  } catch {
+    return false;
+  }
+}
diff --git a/frontend/src/routes/auth/callback/+server.ts b/frontend/src/routes/auth/callback/+server.ts
new file mode 100644
index 0000000..88261c7
--- /dev/null
+++ b/frontend/src/routes/auth/callback/+server.ts
@@ -0,0 +1,30 @@
+import { clearLoginFlowCookie, finishLogin } from "$lib/server/auth";
+import { error, redirect } from "@sveltejs/kit";
+import type { RequestHandler } from "./$types";
+
+export const GET: RequestHandler = async (event) => {
+  const providerError = event.url.searchParams.get("error");
+  if (providerError) {
+    clearLoginFlowCookie(event.cookies);
+    const providerErrorDescription =
+      event.url.searchParams.get("error_description");
+    throw error(
+      400,
+      providerErrorDescription
+        ? `${providerError}: ${providerErrorDescription}`
+        : `OIDC callback failed: ${providerError}`,
+    );
+  }
+
+  let returnTo: string;
+  try {
+    returnTo = await finishLogin(event);
+  } catch (cause) {
+    throw error(
+      400,
+      cause instanceof Error ? cause.message : "OIDC callback failed",
+    );
+  }
+
+  throw redirect(303, returnTo);
+};
diff --git a/frontend/src/routes/auth/login/+server.ts b/frontend/src/routes/auth/login/+server.ts
new file mode 100644
index 0000000..604db3d
--- /dev/null
+++ b/frontend/src/routes/auth/login/+server.ts
@@ -0,0 +1,8 @@
+import { createLoginRedirect } from "$lib/server/auth";
+import { redirect } from "@sveltejs/kit";
+import type { RequestHandler } from "./$types";
+
+export const GET: RequestHandler = async (event) => {
+  const loginUrl = await createLoginRedirect(event);
+  throw redirect(303, loginUrl.toString());
+};
diff --git a/frontend/src/routes/auth/logout/+server.ts b/frontend/src/routes/auth/logout/+server.ts
new file mode 100644
index 0000000..94540b7
--- /dev/null
+++ b/frontend/src/routes/auth/logout/+server.ts
@@ -0,0 +1,10 @@
+import { buildLogoutUrl, clearAuthCookies } from "$lib/server/auth";
+import { redirect } from "@sveltejs/kit";
+import type { RequestHandler } from "./$types";
+
+export const GET: RequestHandler = async (event) => {
+  clearAuthCookies(event.cookies);
+
+  const logoutUrl = await buildLogoutUrl(event.url);
+  throw redirect(303, logoutUrl);
+};

From ffa3b71309f3ad62b1f2872f2050365c85b26b50 Mon Sep 17 00:00:00 2001
From: Piotr Oleszczyk <piotr@oleszczyk.eu>
Date: Thu, 12 Mar 2026 15:48:13 +0100
Subject: [PATCH 05/10] feat(api): enforce ownership across health routines and
 profile flows

---
 backend/innercontext/api/ai_logs.py           |  36 +-
 backend/innercontext/api/health.py            | 271 ++++++++---
 backend/innercontext/api/llm_context.py       |  55 ++-
 backend/innercontext/api/profile.py           |  25 +-
 backend/innercontext/api/routines.py          | 438 +++++++++++++++---
 backend/innercontext/api/skincare.py          | 100 +++-
 backend/innercontext/services/pricing_jobs.py |  47 +-
 backend/tests/conftest.py                     |  35 +-
 backend/tests/test_ai_logs.py                 |   6 +-
 backend/tests/test_routines.py                |  11 +-
 backend/tests/test_routines_auth.py           | 112 +++++
 backend/tests/test_routines_helpers.py        | 193 ++++++--
 backend/tests/test_skincare.py                |   2 +-
 backend/tests/test_tenancy_domains.py         | 100 ++++
 14 files changed, 1225 insertions(+), 206 deletions(-)
 create mode 100644 backend/tests/test_routines_auth.py
 create mode 100644 backend/tests/test_tenancy_domains.py

diff --git a/backend/innercontext/api/ai_logs.py b/backend/innercontext/api/ai_logs.py
index 040d47e..b407006 100644
--- a/backend/innercontext/api/ai_logs.py
+++ b/backend/innercontext/api/ai_logs.py
@@ -2,10 +2,13 @@ import json
 from typing import Any, Optional
 from uuid import UUID
 
-from fastapi import APIRouter, Depends, HTTPException
+from fastapi import APIRouter, Depends, HTTPException, Query
 from sqlmodel import Session, SQLModel, col, select
 
 from db import get_session
+from innercontext.api.auth_deps import get_current_user
+from innercontext.auth import CurrentUser
+from innercontext.models.enums import Role
 from innercontext.models.ai_log import AICallLog
 
 router = APIRouter()
@@ -43,14 +46,33 @@ class AICallLogPublic(SQLModel):
     error_detail: Optional[str] = None
 
 
+def _resolve_target_user_id(
+    current_user: CurrentUser,
+    user_id: UUID | None,
+) -> UUID:
+    if user_id is None:
+        return current_user.user_id
+    if current_user.role is not Role.ADMIN:
+        raise HTTPException(status_code=403, detail="Admin role required")
+    return user_id
+
+
 @router.get("", response_model=list[AICallLogPublic])
 def list_ai_logs(
     endpoint: Optional[str] = None,
     success: Optional[bool] = None,
     limit: int = 50,
+    user_id: UUID | None = Query(default=None),
     session: Session = Depends(get_session),
+    current_user: CurrentUser = Depends(get_current_user),
 ):
-    stmt = select(AICallLog).order_by(col(AICallLog.created_at).desc()).limit(limit)
+    target_user_id = _resolve_target_user_id(current_user, user_id)
+    stmt = (
+        select(AICallLog)
+        .where(AICallLog.user_id == target_user_id)
+        .order_by(col(AICallLog.created_at).desc())
+        .limit(limit)
+    )
     if endpoint is not None:
         stmt = stmt.where(AICallLog.endpoint == endpoint)
     if success is not None:
@@ -75,9 +97,17 @@ def list_ai_logs(
 
 
 @router.get("/{log_id}", response_model=AICallLog)
-def get_ai_log(log_id: UUID, session: Session = Depends(get_session)):
+def get_ai_log(
+    log_id: UUID,
+    user_id: UUID | None = Query(default=None),
+    session: Session = Depends(get_session),
+    current_user: CurrentUser = Depends(get_current_user),
+):
+    target_user_id = _resolve_target_user_id(current_user, user_id)
     log = session.get(AICallLog, log_id)
     if log is None:
         raise HTTPException(status_code=404, detail="Log not found")
+    if log.user_id != target_user_id:
+        raise HTTPException(status_code=404, detail="Log not found")
     log.tool_trace = _normalize_tool_trace(getattr(log, "tool_trace", None))
     return log
diff --git a/backend/innercontext/api/health.py b/backend/innercontext/api/health.py
index d3e8064..9f2334e 100644
--- a/backend/innercontext/api/health.py
+++ b/backend/innercontext/api/health.py
@@ -3,15 +3,17 @@ from datetime import datetime
 from typing import Optional
 from uuid import UUID, uuid4
 
-from fastapi import APIRouter, Depends, Query
+from fastapi import APIRouter, Depends, HTTPException, Query
 from pydantic import field_validator
 from sqlalchemy import Integer, cast, func, or_
 from sqlmodel import Session, SQLModel, col, select
 
 from db import get_session
-from innercontext.api.utils import get_or_404
+from innercontext.api.auth_deps import get_current_user
+from innercontext.api.utils import get_owned_or_404
+from innercontext.auth import CurrentUser
 from innercontext.models import LabResult, MedicationEntry, MedicationUsage
-from innercontext.models.enums import MedicationKind, ResultFlag
+from innercontext.models.enums import MedicationKind, ResultFlag, Role
 
 router = APIRouter()
 
@@ -133,6 +135,34 @@ class LabResultListResponse(SQLModel):
 # ---------------------------------------------------------------------------
 
 
+def _resolve_target_user_id(
+    current_user: CurrentUser,
+    user_id: UUID | None,
+) -> UUID:
+    if user_id is None:
+        return current_user.user_id
+    if current_user.role is not Role.ADMIN:
+        raise HTTPException(status_code=403, detail="Admin role required")
+    return user_id
+
+
+def _get_owned_or_admin_override(
+    session: Session,
+    model: type[MedicationEntry] | type[MedicationUsage] | type[LabResult],
+    record_id: UUID,
+    current_user: CurrentUser,
+    user_id: UUID | None,
+):
+    if user_id is None:
+        return get_owned_or_404(session, model, record_id, current_user)
+    record = session.get(model, record_id)
+    if record is None or record.user_id != _resolve_target_user_id(
+        current_user, user_id
+    ):
+        raise HTTPException(status_code=404, detail=f"{model.__name__} not found")
+    return record
+
+
 # ---------------------------------------------------------------------------
 # Medication routes
 # ---------------------------------------------------------------------------
@@ -142,9 +172,12 @@ class LabResultListResponse(SQLModel):
 def list_medications(
     kind: Optional[MedicationKind] = None,
     product_name: Optional[str] = None,
+    user_id: UUID | None = Query(default=None),
     session: Session = Depends(get_session),
+    current_user: CurrentUser = Depends(get_current_user),
 ):
-    stmt = select(MedicationEntry)
+    target_user_id = _resolve_target_user_id(current_user, user_id)
+    stmt = select(MedicationEntry).where(MedicationEntry.user_id == target_user_id)
     if kind is not None:
         stmt = stmt.where(MedicationEntry.kind == kind)
     if product_name is not None:
@@ -153,8 +186,18 @@ def list_medications(
 
 
 @router.post("/medications", response_model=MedicationEntry, status_code=201)
-def create_medication(data: MedicationCreate, session: Session = Depends(get_session)):
-    entry = MedicationEntry(record_id=uuid4(), **data.model_dump())
+def create_medication(
+    data: MedicationCreate,
+    user_id: UUID | None = Query(default=None),
+    session: Session = Depends(get_session),
+    current_user: CurrentUser = Depends(get_current_user),
+):
+    target_user_id = _resolve_target_user_id(current_user, user_id)
+    entry = MedicationEntry(
+        record_id=uuid4(),
+        user_id=target_user_id,
+        **data.model_dump(),
+    )
     session.add(entry)
     session.commit()
     session.refresh(entry)
@@ -162,17 +205,36 @@ def create_medication(data: MedicationCreate, session: Session = Depends(get_ses
 
 
 @router.get("/medications/{medication_id}", response_model=MedicationEntry)
-def get_medication(medication_id: UUID, session: Session = Depends(get_session)):
-    return get_or_404(session, MedicationEntry, medication_id)
+def get_medication(
+    medication_id: UUID,
+    user_id: UUID | None = Query(default=None),
+    session: Session = Depends(get_session),
+    current_user: CurrentUser = Depends(get_current_user),
+):
+    return _get_owned_or_admin_override(
+        session,
+        MedicationEntry,
+        medication_id,
+        current_user,
+        user_id,
+    )
 
 
 @router.patch("/medications/{medication_id}", response_model=MedicationEntry)
 def update_medication(
     medication_id: UUID,
     data: MedicationUpdate,
+    user_id: UUID | None = Query(default=None),
     session: Session = Depends(get_session),
+    current_user: CurrentUser = Depends(get_current_user),
 ):
-    entry = get_or_404(session, MedicationEntry, medication_id)
+    entry = _get_owned_or_admin_override(
+        session,
+        MedicationEntry,
+        medication_id,
+        current_user,
+        user_id,
+    )
     for key, value in data.model_dump(exclude_unset=True).items():
         setattr(entry, key, value)
     session.add(entry)
@@ -182,13 +244,25 @@ def update_medication(
 
 
 @router.delete("/medications/{medication_id}", status_code=204)
-def delete_medication(medication_id: UUID, session: Session = Depends(get_session)):
-    entry = get_or_404(session, MedicationEntry, medication_id)
+def delete_medication(
+    medication_id: UUID,
+    user_id: UUID | None = Query(default=None),
+    session: Session = Depends(get_session),
+    current_user: CurrentUser = Depends(get_current_user),
+):
+    target_user_id = _resolve_target_user_id(current_user, user_id)
+    entry = _get_owned_or_admin_override(
+        session,
+        MedicationEntry,
+        medication_id,
+        current_user,
+        user_id,
+    )
     # Delete usages first (no cascade configured at DB level)
     usages = session.exec(
-        select(MedicationUsage).where(
-            MedicationUsage.medication_record_id == medication_id
-        )
+        select(MedicationUsage)
+        .where(MedicationUsage.medication_record_id == medication_id)
+        .where(MedicationUsage.user_id == target_user_id)
     ).all()
     for u in usages:
         session.delete(u)
@@ -202,10 +276,24 @@ def delete_medication(medication_id: UUID, session: Session = Depends(get_sessio
 
 
 @router.get("/medications/{medication_id}/usages", response_model=list[MedicationUsage])
-def list_usages(medication_id: UUID, session: Session = Depends(get_session)):
-    get_or_404(session, MedicationEntry, medication_id)
-    stmt = select(MedicationUsage).where(
-        MedicationUsage.medication_record_id == medication_id
+def list_usages(
+    medication_id: UUID,
+    user_id: UUID | None = Query(default=None),
+    session: Session = Depends(get_session),
+    current_user: CurrentUser = Depends(get_current_user),
+):
+    target_user_id = _resolve_target_user_id(current_user, user_id)
+    _ = _get_owned_or_admin_override(
+        session,
+        MedicationEntry,
+        medication_id,
+        current_user,
+        user_id,
+    )
+    stmt = (
+        select(MedicationUsage)
+        .where(MedicationUsage.medication_record_id == medication_id)
+        .where(MedicationUsage.user_id == target_user_id)
     )
     return session.exec(stmt).all()
 
@@ -218,11 +306,21 @@ def list_usages(medication_id: UUID, session: Session = Depends(get_session)):
 def create_usage(
     medication_id: UUID,
     data: UsageCreate,
+    user_id: UUID | None = Query(default=None),
     session: Session = Depends(get_session),
+    current_user: CurrentUser = Depends(get_current_user),
 ):
-    get_or_404(session, MedicationEntry, medication_id)
+    target_user_id = _resolve_target_user_id(current_user, user_id)
+    _ = _get_owned_or_admin_override(
+        session,
+        MedicationEntry,
+        medication_id,
+        current_user,
+        user_id,
+    )
     usage = MedicationUsage(
         record_id=uuid4(),
+        user_id=target_user_id,
         medication_record_id=medication_id,
         **data.model_dump(),
     )
@@ -236,9 +334,17 @@ def create_usage(
 def update_usage(
     usage_id: UUID,
     data: UsageUpdate,
+    user_id: UUID | None = Query(default=None),
     session: Session = Depends(get_session),
+    current_user: CurrentUser = Depends(get_current_user),
 ):
-    usage = get_or_404(session, MedicationUsage, usage_id)
+    usage = _get_owned_or_admin_override(
+        session,
+        MedicationUsage,
+        usage_id,
+        current_user,
+        user_id,
+    )
     for key, value in data.model_dump(exclude_unset=True).items():
         setattr(usage, key, value)
     session.add(usage)
@@ -248,8 +354,19 @@ def update_usage(
 
 
 @router.delete("/usages/{usage_id}", status_code=204)
-def delete_usage(usage_id: UUID, session: Session = Depends(get_session)):
-    usage = get_or_404(session, MedicationUsage, usage_id)
+def delete_usage(
+    usage_id: UUID,
+    user_id: UUID | None = Query(default=None),
+    session: Session = Depends(get_session),
+    current_user: CurrentUser = Depends(get_current_user),
+):
+    usage = _get_owned_or_admin_override(
+        session,
+        MedicationUsage,
+        usage_id,
+        current_user,
+        user_id,
+    )
     session.delete(usage)
     session.commit()
 
@@ -271,29 +388,35 @@ def list_lab_results(
     latest_only: bool = False,
     limit: int = Query(default=50, ge=1, le=200),
     offset: int = Query(default=0, ge=0),
+    user_id: UUID | None = Query(default=None),
     session: Session = Depends(get_session),
+    current_user: CurrentUser = Depends(get_current_user),
 ):
-    filters = []
-    if q is not None and q.strip():
-        query = f"%{q.strip()}%"
-        filters.append(
-            or_(
-                col(LabResult.test_code).ilike(query),
-                col(LabResult.test_name_original).ilike(query),
+    target_user_id = _resolve_target_user_id(current_user, user_id)
+
+    def _apply_filters(statement):
+        statement = statement.where(col(LabResult.user_id) == target_user_id)
+        if q is not None and q.strip():
+            query = f"%{q.strip()}%"
+            statement = statement.where(
+                or_(
+                    col(LabResult.test_code).ilike(query),
+                    col(LabResult.test_name_original).ilike(query),
+                )
             )
-        )
-    if test_code is not None:
-        filters.append(LabResult.test_code == test_code)
-    if flag is not None:
-        filters.append(LabResult.flag == flag)
-    if flags:
-        filters.append(col(LabResult.flag).in_(flags))
-    if without_flag:
-        filters.append(col(LabResult.flag).is_(None))
-    if from_date is not None:
-        filters.append(LabResult.collected_at >= from_date)
-    if to_date is not None:
-        filters.append(LabResult.collected_at <= to_date)
+        if test_code is not None:
+            statement = statement.where(col(LabResult.test_code) == test_code)
+        if flag is not None:
+            statement = statement.where(col(LabResult.flag) == flag)
+        if flags:
+            statement = statement.where(col(LabResult.flag).in_(flags))
+        if without_flag:
+            statement = statement.where(col(LabResult.flag).is_(None))
+        if from_date is not None:
+            statement = statement.where(col(LabResult.collected_at) >= from_date)
+        if to_date is not None:
+            statement = statement.where(col(LabResult.collected_at) <= to_date)
+        return statement
 
     if latest_only:
         ranked_stmt = select(
@@ -309,8 +432,7 @@ def list_lab_results(
             )
             .label("rank"),
         )
-        if filters:
-            ranked_stmt = ranked_stmt.where(*filters)
+        ranked_stmt = _apply_filters(ranked_stmt)
 
         ranked_subquery = ranked_stmt.subquery()
         latest_ids = select(ranked_subquery.c.record_id).where(
@@ -323,11 +445,8 @@ def list_lab_results(
             .subquery()
         )
     else:
-        stmt = select(LabResult)
-        count_stmt = select(func.count()).select_from(LabResult)
-        if filters:
-            stmt = stmt.where(*filters)
-            count_stmt = count_stmt.where(*filters)
+        stmt = _apply_filters(select(LabResult))
+        count_stmt = _apply_filters(select(func.count()).select_from(LabResult))
 
     test_code_numeric = cast(
         func.replace(col(LabResult.test_code), "-", ""),
@@ -345,8 +464,18 @@ def list_lab_results(
 
 
 @router.post("/lab-results", response_model=LabResult, status_code=201)
-def create_lab_result(data: LabResultCreate, session: Session = Depends(get_session)):
-    result = LabResult(record_id=uuid4(), **data.model_dump())
+def create_lab_result(
+    data: LabResultCreate,
+    user_id: UUID | None = Query(default=None),
+    session: Session = Depends(get_session),
+    current_user: CurrentUser = Depends(get_current_user),
+):
+    target_user_id = _resolve_target_user_id(current_user, user_id)
+    result = LabResult(
+        record_id=uuid4(),
+        user_id=target_user_id,
+        **data.model_dump(),
+    )
     session.add(result)
     session.commit()
     session.refresh(result)
@@ -354,17 +483,36 @@ def create_lab_result(data: LabResultCreate, session: Session = Depends(get_sess
 
 
 @router.get("/lab-results/{result_id}", response_model=LabResult)
-def get_lab_result(result_id: UUID, session: Session = Depends(get_session)):
-    return get_or_404(session, LabResult, result_id)
+def get_lab_result(
+    result_id: UUID,
+    user_id: UUID | None = Query(default=None),
+    session: Session = Depends(get_session),
+    current_user: CurrentUser = Depends(get_current_user),
+):
+    return _get_owned_or_admin_override(
+        session,
+        LabResult,
+        result_id,
+        current_user,
+        user_id,
+    )
 
 
 @router.patch("/lab-results/{result_id}", response_model=LabResult)
 def update_lab_result(
     result_id: UUID,
     data: LabResultUpdate,
+    user_id: UUID | None = Query(default=None),
     session: Session = Depends(get_session),
+    current_user: CurrentUser = Depends(get_current_user),
 ):
-    result = get_or_404(session, LabResult, result_id)
+    result = _get_owned_or_admin_override(
+        session,
+        LabResult,
+        result_id,
+        current_user,
+        user_id,
+    )
     for key, value in data.model_dump(exclude_unset=True).items():
         setattr(result, key, value)
     session.add(result)
@@ -374,7 +522,18 @@ def update_lab_result(
 
 
 @router.delete("/lab-results/{result_id}", status_code=204)
-def delete_lab_result(result_id: UUID, session: Session = Depends(get_session)):
-    result = get_or_404(session, LabResult, result_id)
+def delete_lab_result(
+    result_id: UUID,
+    user_id: UUID | None = Query(default=None),
+    session: Session = Depends(get_session),
+    current_user: CurrentUser = Depends(get_current_user),
+):
+    result = _get_owned_or_admin_override(
+        session,
+        LabResult,
+        result_id,
+        current_user,
+        user_id,
+    )
     session.delete(result)
     session.commit()
diff --git a/backend/innercontext/api/llm_context.py b/backend/innercontext/api/llm_context.py
index 6ffc68e..40e7dcf 100644
--- a/backend/innercontext/api/llm_context.py
+++ b/backend/innercontext/api/llm_context.py
@@ -2,14 +2,41 @@ from datetime import date
 from typing import Any
 from uuid import UUID
 
+from fastapi import HTTPException
 from sqlmodel import Session, col, select
 
+from innercontext.auth import CurrentUser
 from innercontext.models import Product, UserProfile
+from innercontext.models.enums import Role
 
 
-def get_user_profile(session: Session) -> UserProfile | None:
+def _resolve_target_user_id(
+    current_user: CurrentUser,
+    user_id: UUID | None,
+) -> UUID:
+    if user_id is None:
+        return current_user.user_id
+    if current_user.role is not Role.ADMIN:
+        raise HTTPException(status_code=403, detail="Admin role required")
+    return user_id
+
+
+def get_user_profile(
+    session: Session,
+    current_user: CurrentUser | None = None,
+    *,
+    user_id: UUID | None = None,
+) -> UserProfile | None:
+    if current_user is None:
+        return session.exec(
+            select(UserProfile).order_by(col(UserProfile.created_at).desc())
+        ).first()
+
+    target_user_id = _resolve_target_user_id(current_user, user_id)
     return session.exec(
-        select(UserProfile).order_by(col(UserProfile.created_at).desc())
+        select(UserProfile)
+        .where(UserProfile.user_id == target_user_id)
+        .order_by(col(UserProfile.created_at).desc())
     ).first()
 
 
@@ -20,8 +47,14 @@ def calculate_age(birth_date: date, reference_date: date) -> int:
     return years
 
 
-def build_user_profile_context(session: Session, reference_date: date) -> str:
-    profile = get_user_profile(session)
+def build_user_profile_context(
+    session: Session,
+    reference_date: date,
+    current_user: CurrentUser | None = None,
+    *,
+    user_id: UUID | None = None,
+) -> str:
+    profile = get_user_profile(session, current_user, user_id=user_id)
     if profile is None:
         return "USER PROFILE: no data\n"
 
@@ -69,8 +102,9 @@ def build_product_context_summary(product: Product, has_inventory: bool = False)
 
     # Get effect profile scores if available
     effects = []
-    if hasattr(product, "effect_profile") and product.effect_profile:
-        profile = product.effect_profile
+    effect_profile = getattr(product, "effect_profile", None)
+    if effect_profile:
+        profile = effect_profile
         # Only include notable effects (score > 0)
         # Handle both dict (from DB) and object (from Pydantic)
         if isinstance(profile, dict):
@@ -165,11 +199,12 @@ def build_product_context_detailed(
 
     # Effect profile
     effect_profile = None
-    if hasattr(product, "effect_profile") and product.effect_profile:
-        if isinstance(product.effect_profile, dict):
-            effect_profile = product.effect_profile
+    product_effect_profile = getattr(product, "effect_profile", None)
+    if product_effect_profile:
+        if isinstance(product_effect_profile, dict):
+            effect_profile = product_effect_profile
         else:
-            effect_profile = product.effect_profile.model_dump()
+            effect_profile = product_effect_profile.model_dump()
 
     # Context rules
     context_rules = None
diff --git a/backend/innercontext/api/profile.py b/backend/innercontext/api/profile.py
index 52e8e14..ebadbd4 100644
--- a/backend/innercontext/api/profile.py
+++ b/backend/innercontext/api/profile.py
@@ -1,11 +1,14 @@
 from datetime import date, datetime
 from typing import Optional
+from uuid import UUID
 
-from fastapi import APIRouter, Depends
+from fastapi import APIRouter, Depends, Query
 from sqlmodel import Session, SQLModel
 
 from db import get_session
 from innercontext.api.llm_context import get_user_profile
+from innercontext.api.auth_deps import get_current_user
+from innercontext.auth import CurrentUser
 from innercontext.models import SexAtBirth, UserProfile
 
 router = APIRouter()
@@ -25,8 +28,12 @@ class UserProfilePublic(SQLModel):
 
 
 @router.get("", response_model=UserProfilePublic | None)
-def get_profile(session: Session = Depends(get_session)):
-    profile = get_user_profile(session)
+def get_profile(
+    user_id: UUID | None = Query(default=None),
+    session: Session = Depends(get_session),
+    current_user: CurrentUser = Depends(get_current_user),
+):
+    profile = get_user_profile(session, current_user, user_id=user_id)
     if profile is None:
         return None
     return UserProfilePublic(
@@ -39,12 +46,18 @@ def get_profile(session: Session = Depends(get_session)):
 
 
 @router.patch("", response_model=UserProfilePublic)
-def upsert_profile(data: UserProfileUpdate, session: Session = Depends(get_session)):
-    profile = get_user_profile(session)
+def upsert_profile(
+    data: UserProfileUpdate,
+    user_id: UUID | None = Query(default=None),
+    session: Session = Depends(get_session),
+    current_user: CurrentUser = Depends(get_current_user),
+):
+    target_user_id = user_id if user_id is not None else current_user.user_id
+    profile = get_user_profile(session, current_user, user_id=user_id)
     payload = data.model_dump(exclude_unset=True)
 
     if profile is None:
-        profile = UserProfile(**payload)
+        profile = UserProfile(user_id=target_user_id, **payload)
     else:
         for key, value in payload.items():
             setattr(profile, key, value)
diff --git a/backend/innercontext/api/routines.py b/backend/innercontext/api/routines.py
index 9f98b27..3b825ff 100644
--- a/backend/innercontext/api/routines.py
+++ b/backend/innercontext/api/routines.py
@@ -5,12 +5,15 @@ from datetime import date, timedelta
 from typing import Any, Optional
 from uuid import UUID, uuid4
 
-from fastapi import APIRouter, Depends, HTTPException
+from fastapi import APIRouter, Depends, HTTPException, Query
 from google.genai import types as genai_types
 from pydantic import BaseModel as PydanticBase
+from sqlalchemy import or_
 from sqlmodel import Field, Session, SQLModel, col, select
 
 from db import get_session
+from innercontext.api.auth_deps import get_current_user
+from innercontext.api.authz import is_product_visible
 from innercontext.api.llm_context import (
     build_products_context_summary_list,
     build_user_profile_context,
@@ -25,7 +28,8 @@ from innercontext.api.product_llm_tools import (
     build_last_used_on_by_product,
     build_product_details_tool_handler,
 )
-from innercontext.api.utils import get_or_404
+from innercontext.api.utils import get_owned_or_404
+from innercontext.auth import CurrentUser
 from innercontext.llm import (
     call_gemini,
     call_gemini_with_function_tools,
@@ -33,6 +37,7 @@ from innercontext.llm import (
 )
 from innercontext.llm_safety import isolate_user_input, sanitize_user_input
 from innercontext.models import (
+    HouseholdMembership,
     GroomingSchedule,
     Product,
     ProductInventory,
@@ -43,6 +48,7 @@ from innercontext.models import (
 from innercontext.models.ai_log import AICallLog
 from innercontext.models.api_metadata import ResponseMetadata, TokenMetrics
 from innercontext.models.enums import GroomingAction, PartOfDay
+from innercontext.models.enums import Role
 from innercontext.validators import BatchValidator, RoutineSuggestionValidator
 from innercontext.validators.batch_validator import BatchValidationContext
 from innercontext.validators.routine_validator import RoutineValidationContext
@@ -86,6 +92,47 @@ def _build_response_metadata(session: Session, log_id: Any) -> ResponseMetadata
 router = APIRouter()
 
 
+def _resolve_target_user_id(
+    current_user: CurrentUser,
+    user_id: UUID | None,
+) -> UUID:
+    if user_id is None:
+        return current_user.user_id
+    if current_user.role is not Role.ADMIN:
+        raise HTTPException(status_code=403, detail="Admin role required")
+    return user_id
+
+
+def _shared_household_user_ids(
+    session: Session, current_user: CurrentUser
+) -> set[UUID]:
+    membership = current_user.household_membership
+    if membership is None:
+        return set()
+    user_ids = session.exec(
+        select(HouseholdMembership.user_id).where(
+            HouseholdMembership.household_id == membership.household_id
+        )
+    ).all()
+    return {uid for uid in user_ids if uid != current_user.user_id}
+
+
+def _get_owned_or_admin_override(
+    session: Session,
+    model: type[Routine] | type[RoutineStep] | type[GroomingSchedule],
+    record_id: UUID,
+    current_user: CurrentUser,
+    user_id: UUID | None,
+):
+    if user_id is None:
+        return get_owned_or_404(session, model, record_id, current_user)
+    target_user_id = _resolve_target_user_id(current_user, user_id)
+    record = session.get(model, record_id)
+    if record is None or record.user_id != target_user_id:
+        raise HTTPException(status_code=404, detail=f"{model.__name__} not found")
+    return record
+
+
 # ---------------------------------------------------------------------------
 # Schemas
 # ---------------------------------------------------------------------------
@@ -289,6 +336,7 @@ def _ev(v: object) -> str:
 
 def _get_recent_skin_snapshot(
     session: Session,
+    target_user_id: UUID,
     reference_date: date,
     window_days: int = HISTORY_WINDOW_DAYS,
     fallback_days: int = SNAPSHOT_FALLBACK_DAYS,
@@ -298,6 +346,7 @@ def _get_recent_skin_snapshot(
 
     snapshot = session.exec(
         select(SkinConditionSnapshot)
+        .where(SkinConditionSnapshot.user_id == target_user_id)
         .where(SkinConditionSnapshot.snapshot_date <= reference_date)
         .where(SkinConditionSnapshot.snapshot_date >= window_cutoff)
         .order_by(col(SkinConditionSnapshot.snapshot_date).desc())
@@ -307,6 +356,7 @@ def _get_recent_skin_snapshot(
 
     return session.exec(
         select(SkinConditionSnapshot)
+        .where(SkinConditionSnapshot.user_id == target_user_id)
         .where(SkinConditionSnapshot.snapshot_date <= reference_date)
         .where(SkinConditionSnapshot.snapshot_date >= fallback_cutoff)
         .order_by(col(SkinConditionSnapshot.snapshot_date).desc())
@@ -315,12 +365,14 @@ def _get_recent_skin_snapshot(
 
 def _get_latest_skin_snapshot_within_days(
     session: Session,
+    target_user_id: UUID,
     reference_date: date,
     max_age_days: int = SNAPSHOT_FALLBACK_DAYS,
 ) -> SkinConditionSnapshot | None:
     cutoff = reference_date - timedelta(days=max_age_days)
     return session.exec(
         select(SkinConditionSnapshot)
+        .where(SkinConditionSnapshot.user_id == target_user_id)
         .where(SkinConditionSnapshot.snapshot_date <= reference_date)
         .where(SkinConditionSnapshot.snapshot_date >= cutoff)
         .order_by(col(SkinConditionSnapshot.snapshot_date).desc())
@@ -329,12 +381,14 @@ def _get_latest_skin_snapshot_within_days(
 
 def _build_skin_context(
     session: Session,
+    target_user_id: UUID,
     reference_date: date,
     window_days: int = HISTORY_WINDOW_DAYS,
     fallback_days: int = SNAPSHOT_FALLBACK_DAYS,
 ) -> str:
     snapshot = _get_recent_skin_snapshot(
         session,
+        target_user_id=target_user_id,
         reference_date=reference_date,
         window_days=window_days,
         fallback_days=fallback_days,
@@ -354,10 +408,14 @@ def _build_skin_context(
 
 
 def _build_grooming_context(
-    session: Session, weekdays: Optional[list[int]] = None
+    session: Session,
+    target_user_id: UUID,
+    weekdays: Optional[list[int]] = None,
 ) -> str:
     entries = session.exec(
-        select(GroomingSchedule).order_by(col(GroomingSchedule.day_of_week))
+        select(GroomingSchedule)
+        .where(GroomingSchedule.user_id == target_user_id)
+        .order_by(col(GroomingSchedule.day_of_week))
     ).all()
     if not entries:
         return "GROOMING SCHEDULE: none\n"
@@ -378,11 +436,14 @@ def _build_grooming_context(
 
 def _build_upcoming_grooming_context(
     session: Session,
+    target_user_id: UUID,
     start_date: date,
     days: int = 7,
 ) -> str:
     entries = session.exec(
-        select(GroomingSchedule).order_by(col(GroomingSchedule.day_of_week))
+        select(GroomingSchedule)
+        .where(GroomingSchedule.user_id == target_user_id)
+        .order_by(col(GroomingSchedule.day_of_week))
     ).all()
     if not entries:
         return f"UPCOMING GROOMING (next {days} days): none\n"
@@ -420,12 +481,14 @@ def _build_upcoming_grooming_context(
 
 def _build_recent_history(
     session: Session,
+    target_user_id: UUID,
     reference_date: date,
     window_days: int = HISTORY_WINDOW_DAYS,
 ) -> str:
     cutoff = reference_date - timedelta(days=window_days)
     routines = session.exec(
         select(Routine)
+        .where(Routine.user_id == target_user_id)
         .where(Routine.routine_date <= reference_date)
         .where(Routine.routine_date >= cutoff)
         .order_by(col(Routine.routine_date).desc())
@@ -437,6 +500,7 @@ def _build_recent_history(
         steps = session.exec(
             select(RoutineStep)
             .where(RoutineStep.routine_id == r.id)
+            .where(RoutineStep.user_id == target_user_id)
             .order_by(col(RoutineStep.order_index))
         ).all()
         step_names = []
@@ -458,11 +522,37 @@ def _build_recent_history(
 
 def _get_available_products(
     session: Session,
+    current_user: CurrentUser,
     time_filter: Optional[str] = None,
     include_minoxidil: bool = True,
 ) -> list[Product]:
     stmt = select(Product).where(col(Product.is_tool).is_(False))
-    products = session.exec(stmt).all()
+    if current_user.role is not Role.ADMIN:
+        owned_products = session.exec(
+            stmt.where(col(Product.user_id) == current_user.user_id)
+        ).all()
+        shared_user_ids = _shared_household_user_ids(session, current_user)
+        shared_product_ids = (
+            session.exec(
+                select(ProductInventory.product_id)
+                .where(col(ProductInventory.is_household_shared).is_(True))
+                .where(col(ProductInventory.user_id).in_(list(shared_user_ids)))
+                .distinct()
+            ).all()
+            if shared_user_ids
+            else []
+        )
+        shared_products = (
+            session.exec(stmt.where(col(Product.id).in_(shared_product_ids))).all()
+            if shared_product_ids
+            else []
+        )
+        products_by_id = {p.id: p for p in owned_products}
+        for product in shared_products:
+            products_by_id.setdefault(product.id, product)
+        products = list(products_by_id.values())
+    else:
+        products = session.exec(stmt).all()
     result: list[Product] = []
     for p in products:
         if p.is_medication and not _is_minoxidil_product(p):
@@ -517,7 +607,9 @@ def _extract_requested_product_ids(
 
 
 def _get_products_with_inventory(
-    session: Session, product_ids: list[UUID]
+    session: Session,
+    current_user: CurrentUser,
+    product_ids: list[UUID],
 ) -> set[UUID]:
     """
     Return set of product IDs that have active (non-finished) inventory.
@@ -527,17 +619,33 @@ def _get_products_with_inventory(
     if not product_ids:
         return set()
 
-    inventory_rows = session.exec(
+    stmt = (
         select(ProductInventory.product_id)
         .where(col(ProductInventory.product_id).in_(product_ids))
         .where(col(ProductInventory.finished_at).is_(None))
-        .distinct()
-    ).all()
-
+    )
+    if current_user.role is not Role.ADMIN:
+        owned_inventory_rows = session.exec(
+            stmt.where(col(ProductInventory.user_id) == current_user.user_id).distinct()
+        ).all()
+        shared_user_ids = _shared_household_user_ids(session, current_user)
+        shared_inventory_rows = session.exec(
+            stmt.where(col(ProductInventory.is_household_shared).is_(True))
+            .where(col(ProductInventory.user_id).in_(list(shared_user_ids)))
+            .distinct()
+        ).all()
+        inventory_rows = set(owned_inventory_rows)
+        inventory_rows.update(shared_inventory_rows)
+        return inventory_rows
+    inventory_rows = session.exec(stmt.distinct()).all()
     return set(inventory_rows)
 
 
-def _expand_product_id(session: Session, short_or_full_id: str) -> UUID | None:
+def _expand_product_id(
+    session: Session,
+    current_user: CurrentUser,
+    short_or_full_id: str,
+) -> UUID | None:
     """
     Expand 8-char short_id to full UUID, or validate full UUID.
 
@@ -558,7 +666,13 @@ def _expand_product_id(session: Session, short_or_full_id: str) -> UUID | None:
             uuid_obj = UUID(short_or_full_id)
             # Verify it exists
             product = session.get(Product, uuid_obj)
-            return uuid_obj if product else None
+            if product is None:
+                return None
+            return (
+                uuid_obj
+                if is_product_visible(session, uuid_obj, current_user)
+                else None
+            )
         except (ValueError, TypeError):
             return None
 
@@ -567,7 +681,13 @@ def _expand_product_id(session: Session, short_or_full_id: str) -> UUID | None:
         product = session.exec(
             select(Product).where(Product.short_id == short_or_full_id)
         ).first()
-        return product.id if product else None
+        if product is None:
+            return None
+        return (
+            product.id
+            if is_product_visible(session, product.id, current_user)
+            else None
+        )
 
     # Invalid length
     return None
@@ -590,6 +710,17 @@ def _build_day_context(leaving_home: Optional[bool]) -> str:
     return f"DAY CONTEXT:\n  Leaving home: {val}\n"
 
 
+def _coerce_action_type(value: object) -> GroomingAction | None:
+    if isinstance(value, GroomingAction):
+        return value
+    if isinstance(value, str):
+        try:
+            return GroomingAction(value)
+        except ValueError:
+            return None
+    return None
+
+
 _ROUTINES_SYSTEM_PROMPT = """\
 Jesteś ekspertem planowania pielęgnacji.
 
@@ -676,9 +807,12 @@ def list_routines(
     from_date: Optional[date] = None,
     to_date: Optional[date] = None,
     part_of_day: Optional[PartOfDay] = None,
+    user_id: UUID | None = Query(default=None),
     session: Session = Depends(get_session),
+    current_user: CurrentUser = Depends(get_current_user),
 ):
-    stmt = select(Routine)
+    target_user_id = _resolve_target_user_id(current_user, user_id)
+    stmt = select(Routine).where(Routine.user_id == target_user_id)
     if from_date is not None:
         stmt = stmt.where(Routine.routine_date >= from_date)
     if to_date is not None:
@@ -688,10 +822,12 @@ def list_routines(
     routines = session.exec(stmt).all()
 
     routine_ids = [r.id for r in routines]
-    steps_by_routine: dict = {}
+    steps_by_routine: dict[UUID, list[RoutineStep]] = {}
     if routine_ids:
         all_steps = session.exec(
-            select(RoutineStep).where(col(RoutineStep.routine_id).in_(routine_ids))
+            select(RoutineStep)
+            .where(col(RoutineStep.routine_id).in_(routine_ids))
+            .where(RoutineStep.user_id == target_user_id)
         ).all()
         for step in all_steps:
             steps_by_routine.setdefault(step.routine_id, []).append(step)
@@ -707,8 +843,14 @@ def list_routines(
 
 
 @router.post("", response_model=Routine, status_code=201)
-def create_routine(data: RoutineCreate, session: Session = Depends(get_session)):
-    routine = Routine(id=uuid4(), **data.model_dump())
+def create_routine(
+    data: RoutineCreate,
+    user_id: UUID | None = Query(default=None),
+    session: Session = Depends(get_session),
+    current_user: CurrentUser = Depends(get_current_user),
+):
+    target_user_id = _resolve_target_user_id(current_user, user_id)
+    routine = Routine(id=uuid4(), user_id=target_user_id, **data.model_dump())
     session.add(routine)
     session.commit()
     session.refresh(routine)
@@ -724,19 +866,35 @@ def create_routine(data: RoutineCreate, session: Session = Depends(get_session))
 def suggest_routine(
     data: SuggestRoutineRequest,
     session: Session = Depends(get_session),
+    current_user: CurrentUser = Depends(get_current_user),
 ):
+    target_user_id = current_user.user_id
     weekday = data.routine_date.weekday()
-    skin_ctx = _build_skin_context(session, reference_date=data.routine_date)
-    profile_ctx = build_user_profile_context(session, reference_date=data.routine_date)
+    skin_ctx = _build_skin_context(
+        session,
+        target_user_id=target_user_id,
+        reference_date=data.routine_date,
+    )
+    profile_ctx = build_user_profile_context(
+        session,
+        reference_date=data.routine_date,
+        current_user=current_user,
+    )
     upcoming_grooming_ctx = _build_upcoming_grooming_context(
         session,
+        target_user_id=target_user_id,
         start_date=data.routine_date,
         days=7,
     )
-    history_ctx = _build_recent_history(session, reference_date=data.routine_date)
+    history_ctx = _build_recent_history(
+        session,
+        target_user_id=target_user_id,
+        reference_date=data.routine_date,
+    )
     day_ctx = _build_day_context(data.leaving_home)
     available_products = _get_available_products(
         session,
+        current_user=current_user,
         time_filter=data.part_of_day.value,
         include_minoxidil=data.include_minoxidil_beard,
     )
@@ -752,7 +910,9 @@ def suggest_routine(
 
     # Phase 2: Use tiered context (summary mode for initial prompt)
     products_with_inventory = _get_products_with_inventory(
-        session, [p.id for p in available_products]
+        session,
+        current_user,
+        [p.id for p in available_products],
     )
     products_ctx = build_products_context_summary_list(
         available_products, products_with_inventory
@@ -865,22 +1025,35 @@ def suggest_routine(
 
     # Translation layer: Expand short_ids (8 chars) to full UUIDs (36 chars)
     steps = []
-    for s in parsed.get("steps", []):
+    raw_steps = parsed.get("steps", [])
+    if not isinstance(raw_steps, list):
+        raw_steps = []
+    for s in raw_steps:
+        if not isinstance(s, dict):
+            continue
         product_id_str = s.get("product_id")
         product_id_uuid = None
 
-        if product_id_str:
+        if isinstance(product_id_str, str) and product_id_str:
             # Expand short_id or validate full UUID
-            product_id_uuid = _expand_product_id(session, product_id_str)
+            product_id_uuid = _expand_product_id(session, current_user, product_id_str)
+
+        action_type = s.get("action_type")
+        action_notes = s.get("action_notes")
+        region = s.get("region")
+        why_this_step = s.get("why_this_step")
+        optional = s.get("optional")
 
         steps.append(
             SuggestedStep(
                 product_id=product_id_uuid,
-                action_type=s.get("action_type") or None,
-                action_notes=s.get("action_notes"),
-                region=s.get("region"),
-                why_this_step=s.get("why_this_step"),
-                optional=s.get("optional"),
+                action_type=_coerce_action_type(action_type),
+                action_notes=action_notes if isinstance(action_notes, str) else None,
+                region=region if isinstance(region, str) else None,
+                why_this_step=(
+                    why_this_step if isinstance(why_this_step, str) else None
+                ),
+                optional=optional if isinstance(optional, bool) else None,
             )
         )
 
@@ -904,6 +1077,7 @@ def suggest_routine(
     # Get skin snapshot for barrier state
     skin_snapshot = _get_latest_skin_snapshot_within_days(
         session,
+        target_user_id=target_user_id,
         reference_date=data.routine_date,
     )
 
@@ -964,7 +1138,9 @@ def suggest_routine(
 def suggest_batch(
     data: SuggestBatchRequest,
     session: Session = Depends(get_session),
+    current_user: CurrentUser = Depends(get_current_user),
 ):
+    target_user_id = current_user.user_id
     delta = (data.to_date - data.from_date).days + 1
     if delta > 14:
         raise HTTPException(
@@ -976,18 +1152,37 @@ def suggest_batch(
     weekdays = list(
         {(data.from_date + timedelta(days=i)).weekday() for i in range(delta)}
     )
-    profile_ctx = build_user_profile_context(session, reference_date=data.from_date)
-    skin_ctx = _build_skin_context(session, reference_date=data.from_date)
-    grooming_ctx = _build_grooming_context(session, weekdays=weekdays)
-    history_ctx = _build_recent_history(session, reference_date=data.from_date)
+    profile_ctx = build_user_profile_context(
+        session,
+        reference_date=data.from_date,
+        current_user=current_user,
+    )
+    skin_ctx = _build_skin_context(
+        session,
+        target_user_id=target_user_id,
+        reference_date=data.from_date,
+    )
+    grooming_ctx = _build_grooming_context(
+        session,
+        target_user_id=target_user_id,
+        weekdays=weekdays,
+    )
+    history_ctx = _build_recent_history(
+        session,
+        target_user_id=target_user_id,
+        reference_date=data.from_date,
+    )
     batch_products = _get_available_products(
         session,
+        current_user=current_user,
         include_minoxidil=data.include_minoxidil_beard,
     )
 
     # Phase 2: Use tiered context (summary mode for batch planning)
     products_with_inventory = _get_products_with_inventory(
-        session, [p.id for p in batch_products]
+        session,
+        current_user,
+        [p.id for p in batch_products],
     )
     products_ctx = build_products_context_summary_list(
         batch_products, products_with_inventory
@@ -1045,25 +1240,39 @@ def suggest_batch(
     except json.JSONDecodeError as e:
         raise HTTPException(status_code=502, detail=f"LLM returned invalid JSON: {e}")
 
-    def _parse_steps(raw_steps: list) -> list[SuggestedStep]:
+    def _parse_steps(raw_steps: list[dict[str, object]]) -> list[SuggestedStep]:
         """Parse steps and expand short_ids to full UUIDs."""
         result = []
         for s in raw_steps:
             product_id_str = s.get("product_id")
             product_id_uuid = None
 
-            if product_id_str:
+            if isinstance(product_id_str, str) and product_id_str:
                 # Translation layer: expand short_id to full UUID
-                product_id_uuid = _expand_product_id(session, product_id_str)
+                product_id_uuid = _expand_product_id(
+                    session,
+                    current_user,
+                    product_id_str,
+                )
+
+            action_type = s.get("action_type")
+            action_notes = s.get("action_notes")
+            region = s.get("region")
+            why_this_step = s.get("why_this_step")
+            optional = s.get("optional")
 
             result.append(
                 SuggestedStep(
                     product_id=product_id_uuid,
-                    action_type=s.get("action_type") or None,
-                    action_notes=s.get("action_notes"),
-                    region=s.get("region"),
-                    why_this_step=s.get("why_this_step"),
-                    optional=s.get("optional"),
+                    action_type=_coerce_action_type(action_type),
+                    action_notes=(
+                        action_notes if isinstance(action_notes, str) else None
+                    ),
+                    region=region if isinstance(region, str) else None,
+                    why_this_step=(
+                        why_this_step if isinstance(why_this_step, str) else None
+                    ),
+                    optional=optional if isinstance(optional, bool) else None,
                 )
             )
         return result
@@ -1086,6 +1295,7 @@ def suggest_batch(
     # Get skin snapshot for barrier state
     skin_snapshot = _get_latest_skin_snapshot_within_days(
         session,
+        target_user_id=target_user_id,
         reference_date=data.from_date,
     )
 
@@ -1140,15 +1350,36 @@ def suggest_batch(
 
 # Grooming-schedule GET must appear before /{routine_id} to avoid being shadowed
 @router.get("/grooming-schedule", response_model=list[GroomingSchedule])
-def list_grooming_schedule(session: Session = Depends(get_session)):
-    return session.exec(select(GroomingSchedule)).all()
+def list_grooming_schedule(
+    user_id: UUID | None = Query(default=None),
+    session: Session = Depends(get_session),
+    current_user: CurrentUser = Depends(get_current_user),
+):
+    target_user_id = _resolve_target_user_id(current_user, user_id)
+    return session.exec(
+        select(GroomingSchedule).where(GroomingSchedule.user_id == target_user_id)
+    ).all()
 
 
 @router.get("/{routine_id}")
-def get_routine(routine_id: UUID, session: Session = Depends(get_session)):
-    routine = get_or_404(session, Routine, routine_id)
+def get_routine(
+    routine_id: UUID,
+    user_id: UUID | None = Query(default=None),
+    session: Session = Depends(get_session),
+    current_user: CurrentUser = Depends(get_current_user),
+):
+    target_user_id = _resolve_target_user_id(current_user, user_id)
+    routine = _get_owned_or_admin_override(
+        session,
+        Routine,
+        routine_id,
+        current_user,
+        user_id,
+    )
     steps = session.exec(
-        select(RoutineStep).where(RoutineStep.routine_id == routine_id)
+        select(RoutineStep)
+        .where(RoutineStep.routine_id == routine_id)
+        .where(RoutineStep.user_id == target_user_id)
     ).all()
     data = routine.model_dump(mode="json")
     data["steps"] = [step.model_dump(mode="json") for step in steps]
@@ -1159,9 +1390,17 @@ def get_routine(routine_id: UUID, session: Session = Depends(get_session)):
 def update_routine(
     routine_id: UUID,
     data: RoutineUpdate,
+    user_id: UUID | None = Query(default=None),
     session: Session = Depends(get_session),
+    current_user: CurrentUser = Depends(get_current_user),
 ):
-    routine = get_or_404(session, Routine, routine_id)
+    routine = _get_owned_or_admin_override(
+        session,
+        Routine,
+        routine_id,
+        current_user,
+        user_id,
+    )
     for key, value in data.model_dump(exclude_unset=True).items():
         setattr(routine, key, value)
     session.add(routine)
@@ -1171,8 +1410,19 @@ def update_routine(
 
 
 @router.delete("/{routine_id}", status_code=204)
-def delete_routine(routine_id: UUID, session: Session = Depends(get_session)):
-    routine = get_or_404(session, Routine, routine_id)
+def delete_routine(
+    routine_id: UUID,
+    user_id: UUID | None = Query(default=None),
+    session: Session = Depends(get_session),
+    current_user: CurrentUser = Depends(get_current_user),
+):
+    routine = _get_owned_or_admin_override(
+        session,
+        Routine,
+        routine_id,
+        current_user,
+        user_id,
+    )
     session.delete(routine)
     session.commit()
 
@@ -1186,10 +1436,28 @@ def delete_routine(routine_id: UUID, session: Session = Depends(get_session)):
 def add_step(
     routine_id: UUID,
     data: RoutineStepCreate,
+    user_id: UUID | None = Query(default=None),
     session: Session = Depends(get_session),
+    current_user: CurrentUser = Depends(get_current_user),
 ):
-    get_or_404(session, Routine, routine_id)
-    step = RoutineStep(id=uuid4(), routine_id=routine_id, **data.model_dump())
+    target_user_id = _resolve_target_user_id(current_user, user_id)
+    _ = _get_owned_or_admin_override(
+        session,
+        Routine,
+        routine_id,
+        current_user,
+        user_id,
+    )
+    if data.product_id and not is_product_visible(
+        session, data.product_id, current_user
+    ):
+        raise HTTPException(status_code=404, detail="Product not found")
+    step = RoutineStep(
+        id=uuid4(),
+        user_id=target_user_id,
+        routine_id=routine_id,
+        **data.model_dump(),
+    )
     session.add(step)
     session.commit()
     session.refresh(step)
@@ -1200,9 +1468,21 @@ def add_step(
 def update_step(
     step_id: UUID,
     data: RoutineStepUpdate,
+    user_id: UUID | None = Query(default=None),
     session: Session = Depends(get_session),
+    current_user: CurrentUser = Depends(get_current_user),
 ):
-    step = get_or_404(session, RoutineStep, step_id)
+    step = _get_owned_or_admin_override(
+        session,
+        RoutineStep,
+        step_id,
+        current_user,
+        user_id,
+    )
+    if data.product_id and not is_product_visible(
+        session, data.product_id, current_user
+    ):
+        raise HTTPException(status_code=404, detail="Product not found")
     for key, value in data.model_dump(exclude_unset=True).items():
         setattr(step, key, value)
     session.add(step)
@@ -1212,8 +1492,19 @@ def update_step(
 
 
 @router.delete("/steps/{step_id}", status_code=204)
-def delete_step(step_id: UUID, session: Session = Depends(get_session)):
-    step = get_or_404(session, RoutineStep, step_id)
+def delete_step(
+    step_id: UUID,
+    user_id: UUID | None = Query(default=None),
+    session: Session = Depends(get_session),
+    current_user: CurrentUser = Depends(get_current_user),
+):
+    step = _get_owned_or_admin_override(
+        session,
+        RoutineStep,
+        step_id,
+        current_user,
+        user_id,
+    )
     session.delete(step)
     session.commit()
 
@@ -1225,9 +1516,13 @@ def delete_step(step_id: UUID, session: Session = Depends(get_session)):
 
 @router.post("/grooming-schedule", response_model=GroomingSchedule, status_code=201)
 def create_grooming_schedule(
-    data: GroomingScheduleCreate, session: Session = Depends(get_session)
+    data: GroomingScheduleCreate,
+    user_id: UUID | None = Query(default=None),
+    session: Session = Depends(get_session),
+    current_user: CurrentUser = Depends(get_current_user),
 ):
-    entry = GroomingSchedule(id=uuid4(), **data.model_dump())
+    target_user_id = _resolve_target_user_id(current_user, user_id)
+    entry = GroomingSchedule(id=uuid4(), user_id=target_user_id, **data.model_dump())
     session.add(entry)
     session.commit()
     session.refresh(entry)
@@ -1238,9 +1533,17 @@ def create_grooming_schedule(
 def update_grooming_schedule(
     entry_id: UUID,
     data: GroomingScheduleUpdate,
+    user_id: UUID | None = Query(default=None),
     session: Session = Depends(get_session),
+    current_user: CurrentUser = Depends(get_current_user),
 ):
-    entry = get_or_404(session, GroomingSchedule, entry_id)
+    entry = _get_owned_or_admin_override(
+        session,
+        GroomingSchedule,
+        entry_id,
+        current_user,
+        user_id,
+    )
     for key, value in data.model_dump(exclude_unset=True).items():
         setattr(entry, key, value)
     session.add(entry)
@@ -1250,7 +1553,18 @@ def update_grooming_schedule(
 
 
 @router.delete("/grooming-schedule/{entry_id}", status_code=204)
-def delete_grooming_schedule(entry_id: UUID, session: Session = Depends(get_session)):
-    entry = get_or_404(session, GroomingSchedule, entry_id)
+def delete_grooming_schedule(
+    entry_id: UUID,
+    user_id: UUID | None = Query(default=None),
+    session: Session = Depends(get_session),
+    current_user: CurrentUser = Depends(get_current_user),
+):
+    entry = _get_owned_or_admin_override(
+        session,
+        GroomingSchedule,
+        entry_id,
+        current_user,
+        user_id,
+    )
     session.delete(entry)
     session.commit()
diff --git a/backend/innercontext/api/skincare.py b/backend/innercontext/api/skincare.py
index 730db1e..4984bf9 100644
--- a/backend/innercontext/api/skincare.py
+++ b/backend/innercontext/api/skincare.py
@@ -4,15 +4,17 @@ from datetime import date
 from typing import Optional
 from uuid import UUID, uuid4
 
-from fastapi import APIRouter, Depends, File, HTTPException, UploadFile
+from fastapi import APIRouter, Depends, File, HTTPException, Query, UploadFile
 from google.genai import types as genai_types
 from pydantic import BaseModel as PydanticBase
 from pydantic import ValidationError
 from sqlmodel import Session, SQLModel, select
 
 from db import get_session
+from innercontext.api.auth_deps import get_current_user
 from innercontext.api.llm_context import build_user_profile_context
-from innercontext.api.utils import get_or_404
+from innercontext.api.utils import get_owned_or_404
+from innercontext.auth import CurrentUser
 from innercontext.llm import call_gemini, get_extraction_config
 from innercontext.models import (
     SkinConditionSnapshot,
@@ -26,6 +28,7 @@ from innercontext.models.enums import (
     SkinTexture,
     SkinType,
 )
+from innercontext.models.enums import Role
 from innercontext.validators import PhotoValidator
 
 logger = logging.getLogger(__name__)
@@ -135,6 +138,34 @@ OUTPUT (all fields optional):
 # ---------------------------------------------------------------------------
 
 
+def _resolve_target_user_id(
+    current_user: CurrentUser,
+    user_id: UUID | None,
+) -> UUID:
+    if user_id is None:
+        return current_user.user_id
+    if current_user.role is not Role.ADMIN:
+        raise HTTPException(status_code=403, detail="Admin role required")
+    return user_id
+
+
+def _get_owned_or_admin_override(
+    session: Session,
+    snapshot_id: UUID,
+    current_user: CurrentUser,
+    user_id: UUID | None,
+) -> SkinConditionSnapshot:
+    if user_id is None:
+        return get_owned_or_404(
+            session, SkinConditionSnapshot, snapshot_id, current_user
+        )
+    target_user_id = _resolve_target_user_id(current_user, user_id)
+    snapshot = session.get(SkinConditionSnapshot, snapshot_id)
+    if snapshot is None or snapshot.user_id != target_user_id:
+        raise HTTPException(status_code=404, detail="SkinConditionSnapshot not found")
+    return snapshot
+
+
 MAX_IMAGE_BYTES = 5 * 1024 * 1024  # 5 MB
 
 
@@ -142,6 +173,7 @@ MAX_IMAGE_BYTES = 5 * 1024 * 1024  # 5 MB
 async def analyze_skin_photos(
     photos: list[UploadFile] = File(...),
     session: Session = Depends(get_session),
+    current_user: CurrentUser = Depends(get_current_user),
 ) -> SkinPhotoAnalysisResponse:
     if not (1 <= len(photos) <= 3):
         raise HTTPException(status_code=422, detail="Send between 1 and 3 photos.")
@@ -174,7 +206,11 @@ async def analyze_skin_photos(
     )
     parts.append(
         genai_types.Part.from_text(
-            text=build_user_profile_context(session, reference_date=date.today())
+            text=build_user_profile_context(
+                session,
+                reference_date=date.today(),
+                current_user=current_user,
+            )
         )
     )
 
@@ -224,9 +260,14 @@ def list_snapshots(
     from_date: Optional[date] = None,
     to_date: Optional[date] = None,
     overall_state: Optional[OverallSkinState] = None,
+    user_id: UUID | None = Query(default=None),
     session: Session = Depends(get_session),
+    current_user: CurrentUser = Depends(get_current_user),
 ):
-    stmt = select(SkinConditionSnapshot)
+    target_user_id = _resolve_target_user_id(current_user, user_id)
+    stmt = select(SkinConditionSnapshot).where(
+        SkinConditionSnapshot.user_id == target_user_id
+    )
     if from_date is not None:
         stmt = stmt.where(SkinConditionSnapshot.snapshot_date >= from_date)
     if to_date is not None:
@@ -237,8 +278,18 @@ def list_snapshots(
 
 
 @router.post("", response_model=SkinConditionSnapshotPublic, status_code=201)
-def create_snapshot(data: SnapshotCreate, session: Session = Depends(get_session)):
-    snapshot = SkinConditionSnapshot(id=uuid4(), **data.model_dump())
+def create_snapshot(
+    data: SnapshotCreate,
+    user_id: UUID | None = Query(default=None),
+    session: Session = Depends(get_session),
+    current_user: CurrentUser = Depends(get_current_user),
+):
+    target_user_id = _resolve_target_user_id(current_user, user_id)
+    snapshot = SkinConditionSnapshot(
+        id=uuid4(),
+        user_id=target_user_id,
+        **data.model_dump(),
+    )
     session.add(snapshot)
     session.commit()
     session.refresh(snapshot)
@@ -246,17 +297,34 @@ def create_snapshot(data: SnapshotCreate, session: Session = Depends(get_session
 
 
 @router.get("/{snapshot_id}", response_model=SkinConditionSnapshotPublic)
-def get_snapshot(snapshot_id: UUID, session: Session = Depends(get_session)):
-    return get_or_404(session, SkinConditionSnapshot, snapshot_id)
+def get_snapshot(
+    snapshot_id: UUID,
+    user_id: UUID | None = Query(default=None),
+    session: Session = Depends(get_session),
+    current_user: CurrentUser = Depends(get_current_user),
+):
+    return _get_owned_or_admin_override(
+        session,
+        snapshot_id,
+        current_user,
+        user_id,
+    )
 
 
 @router.patch("/{snapshot_id}", response_model=SkinConditionSnapshotPublic)
 def update_snapshot(
     snapshot_id: UUID,
     data: SnapshotUpdate,
+    user_id: UUID | None = Query(default=None),
     session: Session = Depends(get_session),
+    current_user: CurrentUser = Depends(get_current_user),
 ):
-    snapshot = get_or_404(session, SkinConditionSnapshot, snapshot_id)
+    snapshot = _get_owned_or_admin_override(
+        session,
+        snapshot_id,
+        current_user,
+        user_id,
+    )
     for key, value in data.model_dump(exclude_unset=True).items():
         setattr(snapshot, key, value)
     session.add(snapshot)
@@ -266,7 +334,17 @@ def update_snapshot(
 
 
 @router.delete("/{snapshot_id}", status_code=204)
-def delete_snapshot(snapshot_id: UUID, session: Session = Depends(get_session)):
-    snapshot = get_or_404(session, SkinConditionSnapshot, snapshot_id)
+def delete_snapshot(
+    snapshot_id: UUID,
+    user_id: UUID | None = Query(default=None),
+    session: Session = Depends(get_session),
+    current_user: CurrentUser = Depends(get_current_user),
+):
+    snapshot = _get_owned_or_admin_override(
+        session,
+        snapshot_id,
+        current_user,
+        user_id,
+    )
     session.delete(snapshot)
     session.commit()
diff --git a/backend/innercontext/services/pricing_jobs.py b/backend/innercontext/services/pricing_jobs.py
index 9e9c9dd..9d6a24e 100644
--- a/backend/innercontext/services/pricing_jobs.py
+++ b/backend/innercontext/services/pricing_jobs.py
@@ -1,4 +1,5 @@
 from datetime import datetime
+from uuid import UUID
 
 from sqlmodel import Session, col, select
 
@@ -66,9 +67,53 @@ def _apply_pricing_snapshot(session: Session, computed_at: datetime) -> int:
     return len(products)
 
 
+def _scope_user_id(scope: str) -> UUID | None:
+    prefix = "user:"
+    if not scope.startswith(prefix):
+        return None
+    raw_user_id = scope[len(prefix) :].strip()
+    if not raw_user_id:
+        return None
+    try:
+        return UUID(raw_user_id)
+    except ValueError:
+        return None
+
+
+def _apply_pricing_snapshot_for_scope(
+    session: Session,
+    *,
+    computed_at: datetime,
+    scope: str,
+) -> int:
+    from innercontext.api.products import _compute_pricing_outputs
+
+    scoped_user_id = _scope_user_id(scope)
+    stmt = select(Product)
+    if scoped_user_id is not None:
+        stmt = stmt.where(Product.user_id == scoped_user_id)
+    products = list(session.exec(stmt).all())
+    pricing_outputs = _compute_pricing_outputs(products)
+
+    for product in products:
+        tier, price_per_use_pln, tier_source = pricing_outputs.get(
+            product.id, (None, None, None)
+        )
+        product.price_tier = tier
+        product.price_per_use_pln = price_per_use_pln
+        product.price_tier_source = tier_source
+        product.pricing_computed_at = computed_at
+
+    return len(products)
+
+
 def process_pricing_job(session: Session, job: PricingRecalcJob) -> int:
     try:
-        updated_count = _apply_pricing_snapshot(session, computed_at=utc_now())
+        updated_count = _apply_pricing_snapshot_for_scope(
+            session,
+            computed_at=utc_now(),
+            scope=job.scope,
+        )
         job.status = "succeeded"
         job.finished_at = utc_now()
         job.error = None
diff --git a/backend/tests/conftest.py b/backend/tests/conftest.py
index e35dfba..b8831bb 100644
--- a/backend/tests/conftest.py
+++ b/backend/tests/conftest.py
@@ -37,27 +37,32 @@ def session(monkeypatch):
 
 
 @pytest.fixture()
-def client(session, monkeypatch):
+def current_user() -> CurrentUser:
+    claims = TokenClaims(
+        issuer="https://auth.test",
+        subject="test-user",
+        audience=("innercontext-web",),
+        expires_at=datetime.now(UTC) + timedelta(hours=1),
+        groups=("innercontext-admin",),
+        raw_claims={"iss": "https://auth.test", "sub": "test-user"},
+    )
+    return CurrentUser(
+        user_id=uuid4(),
+        role=Role.ADMIN,
+        identity=IdentityData.from_claims(claims),
+        claims=claims,
+    )
+
+
+@pytest.fixture()
+def client(session, monkeypatch, current_user):
     """TestClient using the per-test session for every request."""
 
     def _override():
         yield session
 
     def _current_user_override():
-        claims = TokenClaims(
-            issuer="https://auth.test",
-            subject="test-user",
-            audience=("innercontext-web",),
-            expires_at=datetime.now(UTC) + timedelta(hours=1),
-            groups=("innercontext-admin",),
-            raw_claims={"iss": "https://auth.test", "sub": "test-user"},
-        )
-        return CurrentUser(
-            user_id=uuid4(),
-            role=Role.ADMIN,
-            identity=IdentityData.from_claims(claims),
-            claims=claims,
-        )
+        return current_user
 
     app.dependency_overrides[get_session] = _override
     app.dependency_overrides[get_current_user] = _current_user_override
diff --git a/backend/tests/test_ai_logs.py b/backend/tests/test_ai_logs.py
index 47a168e..8fe2a60 100644
--- a/backend/tests/test_ai_logs.py
+++ b/backend/tests/test_ai_logs.py
@@ -4,12 +4,13 @@ from typing import Any, cast
 from innercontext.models.ai_log import AICallLog
 
 
-def test_list_ai_logs_normalizes_tool_trace_string(client, session):
+def test_list_ai_logs_normalizes_tool_trace_string(client, session, current_user):
     log = AICallLog(
         id=uuid.uuid4(),
         endpoint="routines/suggest",
         model="gemini-3-flash-preview",
         success=True,
+        user_id=current_user.user_id,
     )
     log.tool_trace = cast(
         Any,
@@ -26,12 +27,13 @@ def test_list_ai_logs_normalizes_tool_trace_string(client, session):
     assert data[0]["tool_trace"]["events"][0]["function"] == "get_product_inci"
 
 
-def test_get_ai_log_normalizes_tool_trace_string(client, session):
+def test_get_ai_log_normalizes_tool_trace_string(client, session, current_user):
     log = AICallLog(
         id=uuid.uuid4(),
         endpoint="routines/suggest",
         model="gemini-3-flash-preview",
         success=True,
+        user_id=current_user.user_id,
     )
     log.tool_trace = cast(Any, '{"mode":"function_tools","round":1}')
     session.add(log)
diff --git a/backend/tests/test_routines.py b/backend/tests/test_routines.py
index dae411f..28c885f 100644
--- a/backend/tests/test_routines.py
+++ b/backend/tests/test_routines.py
@@ -3,7 +3,7 @@ from datetime import date
 from unittest.mock import patch
 
 from innercontext.models import Routine, SkinConditionSnapshot
-from innercontext.models.enums import BarrierState, OverallSkinState
+from innercontext.models.enums import BarrierState, OverallSkinState, PartOfDay
 
 # ---------------------------------------------------------------------------
 # Routines
@@ -223,13 +223,14 @@ def test_delete_grooming_schedule_not_found(client):
     assert r.status_code == 404
 
 
-def test_suggest_routine(client, session):
+def test_suggest_routine(client, session, current_user):
     with patch(
         "innercontext.api.routines.call_gemini_with_function_tools"
     ) as mock_gemini:
         session.add(
             SkinConditionSnapshot(
                 id=uuid.uuid4(),
+                user_id=current_user.user_id,
                 snapshot_date=date(2026, 2, 22),
                 overall_state=OverallSkinState.GOOD,
                 hydration_level=4,
@@ -272,18 +273,20 @@ def test_suggest_routine(client, session):
         assert "get_product_details" in kwargs["function_handlers"]
 
 
-def test_suggest_batch(client, session):
+def test_suggest_batch(client, session, current_user):
     with patch("innercontext.api.routines.call_gemini") as mock_gemini:
         session.add(
             Routine(
                 id=uuid.uuid4(),
+                user_id=current_user.user_id,
                 routine_date=date(2026, 2, 27),
-                part_of_day="pm",
+                part_of_day=PartOfDay.PM,
             )
         )
         session.add(
             SkinConditionSnapshot(
                 id=uuid.uuid4(),
+                user_id=current_user.user_id,
                 snapshot_date=date(2026, 2, 20),
                 overall_state=OverallSkinState.GOOD,
                 hydration_level=4,
diff --git a/backend/tests/test_routines_auth.py b/backend/tests/test_routines_auth.py
new file mode 100644
index 0000000..9696556
--- /dev/null
+++ b/backend/tests/test_routines_auth.py
@@ -0,0 +1,112 @@
+from __future__ import annotations
+
+from datetime import UTC, datetime, timedelta
+from unittest.mock import patch
+from uuid import uuid4
+
+from innercontext.api.auth_deps import get_current_user
+from innercontext.auth import CurrentUser, IdentityData, TokenClaims
+from innercontext.models import Role
+from main import app
+
+
+def _user(subject: str, *, role: Role = Role.MEMBER) -> CurrentUser:
+    claims = TokenClaims(
+        issuer="https://auth.test",
+        subject=subject,
+        audience=("innercontext-web",),
+        expires_at=datetime.now(UTC) + timedelta(hours=1),
+        raw_claims={"iss": "https://auth.test", "sub": subject},
+    )
+    return CurrentUser(
+        user_id=uuid4(),
+        role=role,
+        identity=IdentityData.from_claims(claims),
+        claims=claims,
+    )
+
+
+def _set_current_user(user: CurrentUser) -> None:
+    app.dependency_overrides[get_current_user] = lambda: user
+
+
+def test_suggest_uses_current_user_profile_and_visible_products_only(client):
+    owner = _user("owner")
+    other = _user("other")
+
+    _set_current_user(owner)
+    owner_profile = client.patch(
+        "/profile", json={"birth_date": "1991-01-15", "sex_at_birth": "male"}
+    )
+    owner_product = client.post(
+        "/products",
+        json={
+            "name": "Owner Serum",
+            "brand": "Test",
+            "category": "serum",
+            "recommended_time": "both",
+            "leave_on": True,
+        },
+    )
+    assert owner_profile.status_code == 200
+    assert owner_product.status_code == 201
+
+    _set_current_user(other)
+    other_profile = client.patch(
+        "/profile", json={"birth_date": "1975-06-20", "sex_at_birth": "female"}
+    )
+    other_product = client.post(
+        "/products",
+        json={
+            "name": "Other Serum",
+            "brand": "Test",
+            "category": "serum",
+            "recommended_time": "both",
+            "leave_on": True,
+        },
+    )
+    assert other_profile.status_code == 200
+    assert other_product.status_code == 201
+
+    _set_current_user(owner)
+
+    with patch(
+        "innercontext.api.routines.call_gemini_with_function_tools"
+    ) as mock_gemini:
+        mock_response = type(
+            "Response",
+            (),
+            {
+                "text": '{"steps": [{"product_id": null, "action_type": "shaving_razor"}], "reasoning": "ok", "summary": {"primary_goal": "safe", "constraints_applied": [], "confidence": 0.7}}'
+            },
+        )
+        mock_gemini.return_value = (mock_response, None)
+
+        response = client.post(
+            "/routines/suggest",
+            json={
+                "routine_date": "2026-03-05",
+                "part_of_day": "am",
+                "include_minoxidil_beard": False,
+            },
+        )
+        assert response.status_code == 200
+
+        kwargs = mock_gemini.call_args.kwargs
+        prompt = kwargs["contents"]
+        assert "Birth date: 1991-01-15" in prompt
+        assert "Birth date: 1975-06-20" not in prompt
+        assert "Owner Serum" in prompt
+        assert "Other Serum" not in prompt
+
+        handler = kwargs["function_handlers"]["get_product_details"]
+        payload = handler(
+            {
+                "product_ids": [
+                    owner_product.json()["id"],
+                    other_product.json()["id"],
+                ]
+            }
+        )
+        assert len(payload["products"]) == 1
+        assert payload["products"][0]["name"] == "Owner Serum"
diff --git a/backend/tests/test_routines_helpers.py b/backend/tests/test_routines_helpers.py
index b547f62..4041c22 100644
--- a/backend/tests/test_routines_helpers.py
+++ b/backend/tests/test_routines_helpers.py
@@ -78,17 +78,22 @@ def test_ev():
     assert _ev("string") == "string"
 
 
-def test_build_skin_context(session: Session):
+def test_build_skin_context(session: Session, current_user):
     # Empty
     reference_date = date(2026, 3, 10)
     assert (
-        _build_skin_context(session, reference_date=reference_date)
+        _build_skin_context(
+            session,
+            target_user_id=current_user.user_id,
+            reference_date=reference_date,
+        )
         == "SKIN CONDITION: no data\n"
     )
 
     # With data
     snap = SkinConditionSnapshot(
         id=uuid.uuid4(),
+        user_id=current_user.user_id,
         snapshot_date=reference_date,
         overall_state=OverallSkinState.GOOD,
         hydration_level=4,
@@ -100,7 +105,11 @@ def test_build_skin_context(session: Session):
     session.add(snap)
     session.commit()
 
-    ctx = _build_skin_context(session, reference_date=reference_date)
+    ctx = _build_skin_context(
+        session,
+        target_user_id=current_user.user_id,
+        reference_date=reference_date,
+    )
     assert "SKIN CONDITION (snapshot from" in ctx
     assert "Overall state: good" in ctx
     assert "Hydration: 4/5" in ctx
@@ -112,10 +121,12 @@ def test_build_skin_context(session: Session):
 
 def test_build_skin_context_falls_back_to_recent_snapshot_within_14_days(
     session: Session,
+    current_user,
 ):
     reference_date = date(2026, 3, 20)
     snap = SkinConditionSnapshot(
         id=uuid.uuid4(),
+        user_id=current_user.user_id,
         snapshot_date=reference_date - timedelta(days=10),
         overall_state=OverallSkinState.FAIR,
         hydration_level=3,
@@ -126,16 +137,23 @@ def test_build_skin_context_falls_back_to_recent_snapshot_within_14_days(
     session.add(snap)
     session.commit()
 
-    ctx = _build_skin_context(session, reference_date=reference_date)
+    ctx = _build_skin_context(
+        session,
+        target_user_id=current_user.user_id,
+        reference_date=reference_date,
+    )
 
     assert f"snapshot from {reference_date - timedelta(days=10)}" in ctx
     assert "Barrier: compromised" in ctx
 
 
-def test_build_skin_context_ignores_snapshot_older_than_14_days(session: Session):
+def test_build_skin_context_ignores_snapshot_older_than_14_days(
+    session: Session, current_user
+):
     reference_date = date(2026, 3, 20)
     snap = SkinConditionSnapshot(
         id=uuid.uuid4(),
+        user_id=current_user.user_id,
         snapshot_date=reference_date - timedelta(days=15),
         overall_state=OverallSkinState.FAIR,
         hydration_level=3,
@@ -145,15 +163,20 @@ def test_build_skin_context_ignores_snapshot_older_than_14_days(session: Session
     session.commit()
 
     assert (
-        _build_skin_context(session, reference_date=reference_date)
+        _build_skin_context(
+            session,
+            target_user_id=current_user.user_id,
+            reference_date=reference_date,
+        )
         == "SKIN CONDITION: no data\n"
     )
 
 
-def test_get_recent_skin_snapshot_prefers_window_match(session: Session):
+def test_get_recent_skin_snapshot_prefers_window_match(session: Session, current_user):
     reference_date = date(2026, 3, 20)
     older = SkinConditionSnapshot(
         id=uuid.uuid4(),
+        user_id=current_user.user_id,
         snapshot_date=reference_date - timedelta(days=10),
         overall_state=OverallSkinState.POOR,
         hydration_level=2,
@@ -161,6 +184,7 @@ def test_get_recent_skin_snapshot_prefers_window_match(session: Session):
     )
     newer = SkinConditionSnapshot(
         id=uuid.uuid4(),
+        user_id=current_user.user_id,
         snapshot_date=reference_date - timedelta(days=2),
         overall_state=OverallSkinState.GOOD,
         hydration_level=4,
@@ -169,7 +193,11 @@ def test_get_recent_skin_snapshot_prefers_window_match(session: Session):
     session.add_all([older, newer])
     session.commit()
 
-    snapshot = _get_recent_skin_snapshot(session, reference_date=reference_date)
+    snapshot = _get_recent_skin_snapshot(
+        session,
+        target_user_id=current_user.user_id,
+        reference_date=reference_date,
+    )
 
     assert snapshot is not None
     assert snapshot.id == newer.id
@@ -177,10 +205,12 @@ def test_get_recent_skin_snapshot_prefers_window_match(session: Session):
 
 def test_get_latest_skin_snapshot_within_days_uses_latest_within_14_days(
     session: Session,
+    current_user,
 ):
     reference_date = date(2026, 3, 20)
     older = SkinConditionSnapshot(
         id=uuid.uuid4(),
+        user_id=current_user.user_id,
         snapshot_date=reference_date - timedelta(days=10),
         overall_state=OverallSkinState.POOR,
         hydration_level=2,
@@ -188,6 +218,7 @@ def test_get_latest_skin_snapshot_within_days_uses_latest_within_14_days(
     )
     newer = SkinConditionSnapshot(
         id=uuid.uuid4(),
+        user_id=current_user.user_id,
         snapshot_date=reference_date - timedelta(days=2),
         overall_state=OverallSkinState.GOOD,
         hydration_level=4,
@@ -198,6 +229,7 @@ def test_get_latest_skin_snapshot_within_days_uses_latest_within_14_days(
 
     snapshot = _get_latest_skin_snapshot_within_days(
         session,
+        target_user_id=current_user.user_id,
         reference_date=reference_date,
     )
 
@@ -205,39 +237,65 @@ def test_get_latest_skin_snapshot_within_days_uses_latest_within_14_days(
     assert snapshot.id == newer.id
 
 
-def test_build_grooming_context(session: Session):
-    assert _build_grooming_context(session) == "GROOMING SCHEDULE: none\n"
+def test_build_grooming_context(session: Session, current_user):
+    assert (
+        _build_grooming_context(session, target_user_id=current_user.user_id)
+        == "GROOMING SCHEDULE: none\n"
+    )
 
     sch = GroomingSchedule(
-        id=uuid.uuid4(), day_of_week=0, action="shaving_oneblade", notes="Morning"
+        id=uuid.uuid4(),
+        user_id=current_user.user_id,
+        day_of_week=0,
+        action="shaving_oneblade",
+        notes="Morning",
     )
     session.add(sch)
     session.commit()
 
-    ctx = _build_grooming_context(session)
+    ctx = _build_grooming_context(session, target_user_id=current_user.user_id)
     assert "GROOMING SCHEDULE:" in ctx
     assert "poniedziałek: shaving_oneblade (Morning)" in ctx
 
     # Test weekdays filter
-    ctx2 = _build_grooming_context(session, weekdays=[1])  # not monday
+    ctx2 = _build_grooming_context(
+        session,
+        target_user_id=current_user.user_id,
+        weekdays=[1],
+    )  # not monday
     assert "(no entries for specified days)" in ctx2
 
 
-def test_build_upcoming_grooming_context(session: Session):
+def test_build_upcoming_grooming_context(session: Session, current_user):
     assert (
-        _build_upcoming_grooming_context(session, start_date=date(2026, 3, 2), days=7)
+        _build_upcoming_grooming_context(
+            session,
+            target_user_id=current_user.user_id,
+            start_date=date(2026, 3, 2),
+            days=7,
+        )
         == "UPCOMING GROOMING (next 7 days): none\n"
     )
 
     monday = GroomingSchedule(
-        id=uuid.uuid4(), day_of_week=0, action="shaving_oneblade", notes="Morning"
+        id=uuid.uuid4(),
+        user_id=current_user.user_id,
+        day_of_week=0,
+        action="shaving_oneblade",
+        notes="Morning",
+    )
+    wednesday = GroomingSchedule(
+        id=uuid.uuid4(),
+        user_id=current_user.user_id,
+        day_of_week=2,
+        action="dermarolling",
     )
-    wednesday = GroomingSchedule(id=uuid.uuid4(), day_of_week=2, action="dermarolling")
     session.add_all([monday, wednesday])
     session.commit()
 
     ctx = _build_upcoming_grooming_context(
         session,
+        target_user_id=current_user.user_id,
         start_date=date(2026, 3, 2),
         days=7,
     )
@@ -246,14 +304,23 @@ def test_build_upcoming_grooming_context(session: Session):
     assert "za 2 dni (2026-03-04, środa): dermarolling" in ctx
 
 
-def test_build_recent_history(session: Session):
+def test_build_recent_history(session: Session, current_user):
     reference_date = date(2026, 3, 10)
     assert (
-        _build_recent_history(session, reference_date=reference_date)
+        _build_recent_history(
+            session,
+            target_user_id=current_user.user_id,
+            reference_date=reference_date,
+        )
         == "RECENT ROUTINES: none\n"
     )
 
-    r = Routine(id=uuid.uuid4(), routine_date=reference_date, part_of_day="am")
+    r = Routine(
+        id=uuid.uuid4(),
+        user_id=current_user.user_id,
+        routine_date=reference_date,
+        part_of_day="am",
+    )
     session.add(r)
     p = Product(
         id=uuid.uuid4(),
@@ -268,19 +335,37 @@ def test_build_recent_history(session: Session):
     session.add(p)
     session.commit()
 
-    s1 = RoutineStep(id=uuid.uuid4(), routine_id=r.id, order_index=1, product_id=p.id)
+    s1 = RoutineStep(
+        id=uuid.uuid4(),
+        user_id=current_user.user_id,
+        routine_id=r.id,
+        order_index=1,
+        product_id=p.id,
+    )
     s2 = RoutineStep(
-        id=uuid.uuid4(), routine_id=r.id, order_index=2, action_type="shaving_razor"
+        id=uuid.uuid4(),
+        user_id=current_user.user_id,
+        routine_id=r.id,
+        order_index=2,
+        action_type="shaving_razor",
     )
     # Step with non-existent product
     s3 = RoutineStep(
-        id=uuid.uuid4(), routine_id=r.id, order_index=3, product_id=uuid.uuid4()
+        id=uuid.uuid4(),
+        user_id=current_user.user_id,
+        routine_id=r.id,
+        order_index=3,
+        product_id=uuid.uuid4(),
     )
 
     session.add_all([s1, s2, s3])
     session.commit()
 
-    ctx = _build_recent_history(session, reference_date=reference_date)
+    ctx = _build_recent_history(
+        session,
+        target_user_id=current_user.user_id,
+        reference_date=reference_date,
+    )
     assert "RECENT ROUTINES:" in ctx
     assert "AM:" in ctx
     assert "cleanser [" in ctx
@@ -288,31 +373,38 @@ def test_build_recent_history(session: Session):
     assert "unknown [" in ctx
 
 
-def test_build_recent_history_uses_reference_window(session: Session):
+def test_build_recent_history_uses_reference_window(session: Session, current_user):
     reference_date = date(2026, 3, 10)
     recent = Routine(
         id=uuid.uuid4(),
+        user_id=current_user.user_id,
         routine_date=reference_date - timedelta(days=3),
         part_of_day="pm",
     )
     old = Routine(
         id=uuid.uuid4(),
+        user_id=current_user.user_id,
         routine_date=reference_date - timedelta(days=6),
         part_of_day="am",
     )
     session.add_all([recent, old])
     session.commit()
 
-    ctx = _build_recent_history(session, reference_date=reference_date)
+    ctx = _build_recent_history(
+        session,
+        target_user_id=current_user.user_id,
+        reference_date=reference_date,
+    )
 
     assert str(recent.routine_date) in ctx
     assert str(old.routine_date) not in ctx
 
 
-def test_build_recent_history_excludes_future_routines(session: Session):
+def test_build_recent_history_excludes_future_routines(session: Session, current_user):
     reference_date = date(2026, 3, 10)
     future = Routine(
         id=uuid.uuid4(),
+        user_id=current_user.user_id,
         routine_date=reference_date + timedelta(days=1),
         part_of_day="am",
     )
@@ -320,12 +412,16 @@ def test_build_recent_history_excludes_future_routines(session: Session):
     session.commit()
 
     assert (
-        _build_recent_history(session, reference_date=reference_date)
+        _build_recent_history(
+            session,
+            target_user_id=current_user.user_id,
+            reference_date=reference_date,
+        )
         == "RECENT ROUTINES: none\n"
     )
 
 
-def test_build_products_context_summary_list(session: Session):
+def test_build_products_context_summary_list(session: Session, current_user):
     p1 = Product(
         id=uuid.uuid4(),
         short_id=str(uuid.uuid4())[:8],
@@ -336,6 +432,7 @@ def test_build_products_context_summary_list(session: Session):
         recommended_time="both",
         leave_on=True,
         product_effect_profile={},
+        user_id=current_user.user_id,
     )
     p2 = Product(
         id=uuid.uuid4(),
@@ -350,11 +447,16 @@ def test_build_products_context_summary_list(session: Session):
         context_rules={"safe_after_shaving": False},
         min_interval_hours=12,
         max_frequency_per_week=7,
+        user_id=current_user.user_id,
     )
     session.add_all([p1, p2])
     session.commit()
 
-    products_am = _get_available_products(session, time_filter="am")
+    products_am = _get_available_products(
+        session,
+        current_user=current_user,
+        time_filter="am",
+    )
     ctx = build_products_context_summary_list(products_am, {p2.id})
 
     assert "Regaine Minoxidil" in ctx
@@ -375,7 +477,7 @@ def test_build_day_context():
     assert "Leaving home: no" in _build_day_context(False)
 
 
-def test_get_available_products_respects_filters(session: Session):
+def test_get_available_products_respects_filters(session: Session, current_user):
     regular_med = Product(
         id=uuid.uuid4(),
         name="Tretinoin",
@@ -385,6 +487,7 @@ def test_get_available_products_respects_filters(session: Session):
         recommended_time="pm",
         leave_on=True,
         product_effect_profile={},
+        user_id=current_user.user_id,
     )
     minoxidil_med = Product(
         id=uuid.uuid4(),
@@ -395,6 +498,7 @@ def test_get_available_products_respects_filters(session: Session):
         recommended_time="both",
         leave_on=True,
         product_effect_profile={},
+        user_id=current_user.user_id,
     )
     am_product = Product(
         id=uuid.uuid4(),
@@ -404,6 +508,7 @@ def test_get_available_products_respects_filters(session: Session):
         recommended_time="am",
         leave_on=True,
         product_effect_profile={},
+        user_id=current_user.user_id,
     )
     pm_product = Product(
         id=uuid.uuid4(),
@@ -413,11 +518,16 @@ def test_get_available_products_respects_filters(session: Session):
         recommended_time="pm",
         leave_on=True,
         product_effect_profile={},
+        user_id=current_user.user_id,
     )
     session.add_all([regular_med, minoxidil_med, am_product, pm_product])
     session.commit()
 
-    am_available = _get_available_products(session, time_filter="am")
+    am_available = _get_available_products(
+        session,
+        current_user=current_user,
+        time_filter="am",
+    )
     am_names = {p.name for p in am_available}
     assert "Tretinoin" not in am_names
     assert "Minoxidil 5%" in am_names
@@ -508,7 +618,10 @@ def test_extract_active_names_uses_compact_distinct_names(session: Session):
     assert names == ["Niacinamide", "Zinc PCA"]
 
 
-def test_get_available_products_excludes_minoxidil_when_flag_false(session: Session):
+def test_get_available_products_excludes_minoxidil_when_flag_false(
+    session: Session,
+    current_user,
+):
     minoxidil = Product(
         id=uuid.uuid4(),
         name="Minoxidil 5%",
@@ -518,6 +631,7 @@ def test_get_available_products_excludes_minoxidil_when_flag_false(session: Sess
         recommended_time="both",
         leave_on=True,
         product_effect_profile={},
+        user_id=current_user.user_id,
     )
     regular = Product(
         id=uuid.uuid4(),
@@ -527,18 +641,27 @@ def test_get_available_products_excludes_minoxidil_when_flag_false(session: Sess
         recommended_time="both",
         leave_on=False,
         product_effect_profile={},
+        user_id=current_user.user_id,
     )
     session.add_all([minoxidil, regular])
     session.commit()
 
     # With flag True (default) - minoxidil included
-    products = _get_available_products(session, include_minoxidil=True)
+    products = _get_available_products(
+        session,
+        current_user=current_user,
+        include_minoxidil=True,
+    )
     names = {p.name for p in products}
     assert "Minoxidil 5%" in names
     assert "Cleanser" in names
 
     # With flag False - minoxidil excluded
-    products = _get_available_products(session, include_minoxidil=False)
+    products = _get_available_products(
+        session,
+        current_user=current_user,
+        include_minoxidil=False,
+    )
     names = {p.name for p in products}
     assert "Minoxidil 5%" not in names
     assert "Cleanser" in names
diff --git a/backend/tests/test_skincare.py b/backend/tests/test_skincare.py
index b6ce4b0..ac62a99 100644
--- a/backend/tests/test_skincare.py
+++ b/backend/tests/test_skincare.py
@@ -140,7 +140,7 @@ def test_analyze_photos_includes_user_profile_context(client, monkeypatch):
 
     def _fake_call_gemini(**kwargs):
         captured.update(kwargs)
-        return _FakeResponse()
+        return _FakeResponse(), None
 
     monkeypatch.setattr(skincare_api, "call_gemini", _fake_call_gemini)
 
diff --git a/backend/tests/test_tenancy_domains.py b/backend/tests/test_tenancy_domains.py
new file mode 100644
index 0000000..bbe1ce9
--- /dev/null
+++ b/backend/tests/test_tenancy_domains.py
@@ -0,0 +1,100 @@
+from __future__ import annotations
+
+from datetime import UTC, datetime, timedelta
+from uuid import uuid4
+
+from innercontext.api.auth_deps import get_current_user
+from innercontext.auth import CurrentUser, IdentityData, TokenClaims
+from innercontext.models import Role
+from innercontext.models.ai_log import AICallLog
+from main import app
+
+
+def _user(subject: str, *, role: Role = Role.MEMBER) -> CurrentUser:
+    claims = TokenClaims(
+        issuer="https://auth.test",
+        subject=subject,
+        audience=("innercontext-web",),
+        expires_at=datetime.now(UTC) + timedelta(hours=1),
+        raw_claims={"iss": "https://auth.test", "sub": subject},
+    )
+    return CurrentUser(
+        user_id=uuid4(),
+        role=role,
+        identity=IdentityData.from_claims(claims),
+        claims=claims,
+    )
+
+
+def _set_current_user(user: CurrentUser) -> None:
+    app.dependency_overrides[get_current_user] = lambda: user
+
+
+def test_profile_health_routines_skincare_ai_logs_are_user_scoped_by_default(
+    client, session
+):
+    owner = _user("owner")
+    intruder = _user("intruder")
+
+    _set_current_user(owner)
+    profile = client.patch(
+        "/profile", json={"birth_date": "1991-01-15", "sex_at_birth": "male"}
+    )
+    medication = client.post(
+        "/health/medications", json={"kind": "prescription", "product_name": "Owner Rx"}
+    )
+    routine = client.post(
+        "/routines", json={"routine_date": "2026-03-01", "part_of_day": "am"}
+    )
+    snapshot = client.post("/skincare", json={"snapshot_date": "2026-03-01"})
+    log = AICallLog(endpoint="routines/suggest", model="gemini-3-flash-preview")
+    log.user_id = owner.user_id
+    session.add(log)
+    session.commit()
+    session.refresh(log)
+
+    assert profile.status_code == 200
+    assert medication.status_code == 201
+    assert routine.status_code == 201
+    assert snapshot.status_code == 201
+
+    medication_id = medication.json()["record_id"]
+    routine_id = routine.json()["id"]
+    snapshot_id = snapshot.json()["id"]
+
+    _set_current_user(intruder)
+    assert client.get("/profile").json() is None
+    assert client.get("/health/medications").json() == []
+    assert client.get("/routines").json() == []
+    assert client.get("/skincare").json() == []
+    assert client.get("/ai-logs").json() == []
+
+    assert client.get(f"/health/medications/{medication_id}").status_code == 404
+    assert client.get(f"/routines/{routine_id}").status_code == 404
+    assert client.get(f"/skincare/{snapshot_id}").status_code == 404
+    assert client.get(f"/ai-logs/{log.id}").status_code == 404
+
+
+def test_health_admin_override_requires_explicit_user_id(client):
+    owner = _user("owner")
+    admin = _user("admin", role=Role.ADMIN)
+
+    _set_current_user(owner)
+    created = client.post(
+        "/health/lab-results",
+        json={
+            "collected_at": "2026-03-01T00:00:00",
+            "test_code": "718-7",
+            "test_name_original": "Hemoglobin",
+        },
+    )
+    assert created.status_code == 201
+
+    _set_current_user(admin)
+    default_scope = client.get("/health/lab-results")
+    assert default_scope.status_code == 200
+    assert default_scope.json()["items"] == []
+
+    overridden = client.get(f"/health/lab-results?user_id={owner.user_id}")
+    assert overridden.status_code == 200
+    assert len(overridden.json()["items"]) == 1

From 4bfa4ea02d55a6d53205edf73b4155a8652f5fe8 Mon Sep 17 00:00:00 2001
From: Piotr Oleszczyk <piotr@oleszczyk.eu>
Date: Thu, 12 Mar 2026 15:55:32 +0100
Subject: [PATCH 06/10] chore(deploy): wire OIDC runtime configuration

---
 deploy.sh                         |   3 +-
 docs/DEPLOYMENT.md                | 153 ++++++++++++------------------
 nginx/innercontext.conf           |   4 +
 scripts/healthcheck.sh            |  22 ++++-
 scripts/validate-env.sh           |  25 ++++-
 systemd/innercontext-node.service |   3 +
 systemd/innercontext.service      |   5 +
 7 files changed, 115 insertions(+), 100 deletions(-)

diff --git a/deploy.sh b/deploy.sh
index 39ef614..2ced385 100755
--- a/deploy.sh
+++ b/deploy.sh
@@ -346,7 +346,8 @@ check_backend_health() {
 check_frontend_health() {
     local i
     for ((i = 1; i <= 30; i++)); do
-        if remote "curl -sf http://127.0.0.1:3000/ >/dev/null"; then
+        # Allow 200 OK or 302/303/307 Redirect (to login)
+        if remote "curl -s -o /dev/null -w '%{http_code}' http://127.0.0.1:3000/ | grep -qE '^(200|302|303|307)$'"; then
             log "Frontend health check passed"
             return 0
         fi
diff --git a/docs/DEPLOYMENT.md b/docs/DEPLOYMENT.md
index ea1089c..eb14a1d 100644
--- a/docs/DEPLOYMENT.md
+++ b/docs/DEPLOYMENT.md
@@ -94,117 +94,82 @@ chown -R innercontext:innercontext /opt/innercontext
 cat > /opt/innercontext/shared/backend/.env <<'EOF'
 DATABASE_URL=postgresql+psycopg://innercontext:change-me@<pg-ip>/innercontext
 GEMINI_API_KEY=your-key
+
+# OIDC Configuration
+OIDC_ISSUER=https://auth.example.com
+OIDC_CLIENT_ID=innercontext-backend
+OIDC_DISCOVERY_URL=https://auth.example.com/.well-known/openid-configuration
+OIDC_ADMIN_GROUPS=admins
+OIDC_MEMBER_GROUPS=members
+
+# Bootstrap Admin (Optional, used for initial setup)
+# BOOTSTRAP_ADMIN_OIDC_ISSUER=https://auth.example.com
+# BOOTSTRAP_ADMIN_OIDC_SUB=user-sub-from-authelia
+# BOOTSTRAP_ADMIN_EMAIL=admin@example.com
+# BOOTSTRAP_ADMIN_NAME="Admin User"
+# BOOTSTRAP_HOUSEHOLD_NAME="My Household"
 EOF
 
 cat > /opt/innercontext/shared/frontend/.env.production <<'EOF'
 PUBLIC_API_BASE=http://127.0.0.1:8000
 ORIGIN=http://innercontext.lan
+
+# Session and OIDC
+SESSION_SECRET=generate-a-long-random-string
+OIDC_ISSUER=https://auth.example.com
+OIDC_CLIENT_ID=innercontext-frontend
+OIDC_DISCOVERY_URL=https://auth.example.com/.well-known/openid-configuration
 EOF
-
-chmod 600 /opt/innercontext/shared/backend/.env
-chmod 600 /opt/innercontext/shared/frontend/.env.production
-chown innercontext:innercontext /opt/innercontext/shared/backend/.env
-chown innercontext:innercontext /opt/innercontext/shared/frontend/.env.production
 ```
 
-### 4) Grant deploy sudo permissions
+## OIDC Setup (Authelia)
 
-```bash
-cat > /etc/sudoers.d/innercontext-deploy << 'EOF'
-innercontext ALL=(root) NOPASSWD: \
-    /usr/bin/systemctl restart innercontext, \
-    /usr/bin/systemctl restart innercontext-node, \
-    /usr/bin/systemctl restart innercontext-pricing-worker, \
-    /usr/bin/systemctl is-active innercontext, \
-    /usr/bin/systemctl is-active innercontext-node, \
-    /usr/bin/systemctl is-active innercontext-pricing-worker
-EOF
+This project uses OIDC for authentication. You need an OIDC provider like Authelia.
 
-chmod 440 /etc/sudoers.d/innercontext-deploy
-visudo -c -f /etc/sudoers.d/innercontext-deploy
+### Authelia Client Configuration
 
-# Must work without password or TTY prompt:
-sudo -u innercontext sudo -n -l
+Add the following to your Authelia `configuration.yml`:
+
+```yaml
+identity_providers:
+  oidc:
+    clients:
+      - id: innercontext-frontend
+        description: InnerContext Frontend
+        secret: '$pbkdf2-sha512$...' # Not used for public client, but Authelia may require it
+        public: true
+        authorization_policy: one_factor
+        redirect_uris:
+          - http://innercontext.lan/auth/callback
+        scopes:
+          - openid
+          - profile
+          - email
+          - groups
+        userinfo_signed_response_alg: none
+
+      - id: innercontext-backend
+        description: InnerContext Backend
+        secret: '$pbkdf2-sha512$...'
+        public: false
+        authorization_policy: one_factor
+        redirect_uris: []
+        scopes:
+          - openid
+          - profile
+          - email
+          - groups
+        userinfo_signed_response_alg: none
 ```
 
-If `sudo -n -l` fails, deployments will fail during restart/rollback with:
-`sudo: a terminal is required` or `sudo: a password is required`.
+### Bootstrap Admin
 
-### 5) Install systemd and nginx configs
-
-After first deploy (or after copying repo content to `/opt/innercontext/current`), install configs:
-
-```bash
-cp /opt/innercontext/current/systemd/innercontext.service /etc/systemd/system/
-cp /opt/innercontext/current/systemd/innercontext-node.service /etc/systemd/system/
-cp /opt/innercontext/current/systemd/innercontext-pricing-worker.service /etc/systemd/system/
-systemctl daemon-reload
-systemctl enable innercontext
-systemctl enable innercontext-node
-systemctl enable innercontext-pricing-worker
-
-cp /opt/innercontext/current/nginx/innercontext.conf /etc/nginx/sites-available/innercontext
-ln -sf /etc/nginx/sites-available/innercontext /etc/nginx/sites-enabled/innercontext
-rm -f /etc/nginx/sites-enabled/default
-nginx -t && systemctl reload nginx
-```
-
-## Local Machine Setup
-
-`~/.ssh/config`:
-
-```
-Host innercontext
-    HostName <lxc-ip>
-    User innercontext
-```
-
-Ensure your public key is in `/home/innercontext/.ssh/authorized_keys`.
-
-## Deploy Commands
-
-From repository root on external machine:
-
-```bash
-./deploy.sh              # full deploy (default = all)
-./deploy.sh all
-./deploy.sh backend
-./deploy.sh frontend
-./deploy.sh list
-./deploy.sh rollback
-```
-
-Optional overrides:
-
-```bash
-DEPLOY_SERVER=innercontext ./deploy.sh all
-DEPLOY_ROOT=/opt/innercontext ./deploy.sh backend
-DEPLOY_ALLOW_DIRTY=1 ./deploy.sh frontend
-```
-
-## What `deploy.sh` Does
-
-For `backend` / `frontend` / `all`:
-
-1. Local checks (strict, fail-fast)
-2. Acquire `/opt/innercontext/.deploy.lock`
-3. Create `<timestamp>` release directory
-4. Upload selected component(s)
-5. Link shared env files in the release directory
-6. `uv sync` + `alembic upgrade head` (backend scope)
-7. Upload `scripts/`, `systemd/`, `nginx/`
-8. Switch `current` to the prepared release
-9. Restart affected services
-10. Run health checks
-11. Remove old releases (keep last 5)
-12. Write deploy entry to `/opt/innercontext/deploy.log`
-
-If anything fails after promotion, script auto-rolls back to previous release.
+To create the first user and household, set the `BOOTSTRAP_ADMIN_*` environment variables in the backend `.env` file and restart the backend. The backend will automatically create the user and household on startup if they don't exist. After the first successful login, you can remove these variables.
 
 ## Health Checks
 
-- Backend: `http://127.0.0.1:8000/health-check`
-- Frontend: `http://127.0.0.1:3000/`
+- Backend: `http://127.0.0.1:8000/health-check` (returns 200)
+- Frontend: `http://127.0.0.1:3000/` (returns 200 or 302 redirect to login)
 - Worker: `systemctl is-active innercontext-pricing-worker`
 
 Manual checks:
diff --git a/nginx/innercontext.conf b/nginx/innercontext.conf
index d75cb5d..5e9e68e 100644
--- a/nginx/innercontext.conf
+++ b/nginx/innercontext.conf
@@ -10,6 +10,8 @@ server {
         proxy_set_header   X-Real-IP         $remote_addr;
         proxy_set_header   X-Forwarded-For   $proxy_add_x_forwarded_for;
         proxy_set_header   X-Forwarded-Proto $scheme;
+        proxy_set_header   X-Forwarded-Host  $host;
+        proxy_set_header   X-Forwarded-Port  $server_port;
     }
 
     # SvelteKit Node server
@@ -19,5 +21,7 @@ server {
         proxy_set_header   X-Real-IP         $remote_addr;
         proxy_set_header   X-Forwarded-For   $proxy_add_x_forwarded_for;
         proxy_set_header   X-Forwarded-Proto $scheme;
+        proxy_set_header   X-Forwarded-Host  $host;
+        proxy_set_header   X-Forwarded-Port  $server_port;
     }
 }
diff --git a/scripts/healthcheck.sh b/scripts/healthcheck.sh
index 9d370ff..21ddca0 100755
--- a/scripts/healthcheck.sh
+++ b/scripts/healthcheck.sh
@@ -25,13 +25,27 @@ log() {
 check_service() {
     local service_name=$1
     local url=$2
+    local allow_redirect=${3:-false}
     
     if systemctl is-active --quiet "$service_name"; then
-        if curl -sf --max-time "$TIMEOUT" "$url" > /dev/null 2>&1; then
+        local curl_opts="-s --max-time $TIMEOUT"
+        if [ "$allow_redirect" = false ]; then
+            curl_opts="$curl_opts -f"
+        fi
+
+        if curl $curl_opts "$url" > /dev/null 2>&1; then
             log "${GREEN}✓${NC} $service_name is healthy"
             return 0
         else
-            log "${YELLOW}⚠${NC} $service_name is running but not responding at $url"
+            # If allow_redirect is true, we check if it's a 302
+            if [ "$allow_redirect" = true ]; then
+                local status=$(curl -s -o /dev/null -w "%{http_code}" --max-time "$TIMEOUT" "$url")
+                if [ "$status" = "302" ] || [ "$status" = "303" ] || [ "$status" = "307" ] || [ "$status" = "200" ]; then
+                    log "${GREEN}✓${NC} $service_name is healthy (status $status)"
+                    return 0
+                fi
+            fi
+            log "${YELLOW}⚠${NC} $service_name is running but not responding correctly at $url"
             return 1
         fi
     else
@@ -45,8 +59,10 @@ backend_ok=0
 frontend_ok=0
 worker_ok=0
 
+# Backend health-check is public and should return 200
 check_service "innercontext" "$BACKEND_URL" || backend_ok=1
-check_service "innercontext-node" "$FRONTEND_URL" || frontend_ok=1
+# Frontend root may redirect to login (302)
+check_service "innercontext-node" "$FRONTEND_URL" true || frontend_ok=1
 
 # Worker doesn't have HTTP endpoint, just check if it's running
 if systemctl is-active --quiet "innercontext-pricing-worker"; then
diff --git a/scripts/validate-env.sh b/scripts/validate-env.sh
index 3ca90a4..d442fc6 100755
--- a/scripts/validate-env.sh
+++ b/scripts/validate-env.sh
@@ -25,7 +25,7 @@ warnings=0
 
 log_error() {
     echo -e "${RED}✗${NC} $1"
-    ((errors++))
+    errors=$((errors + 1))
 }
 
 log_success() {
@@ -34,7 +34,7 @@ log_success() {
 
 log_warning() {
     echo -e "${YELLOW}⚠${NC} $1"
-    ((warnings++))
+    warnings=$((warnings + 1))
 }
 
 check_symlink() {
@@ -131,6 +131,21 @@ if [ -f "$SHARED_BACKEND_ENV" ]; then
     check_var "$SHARED_BACKEND_ENV" "GEMINI_API_KEY"
     check_var "$SHARED_BACKEND_ENV" "LOG_LEVEL" true
     check_var "$SHARED_BACKEND_ENV" "CORS_ORIGINS" true
+
+    # OIDC Configuration
+    check_var "$SHARED_BACKEND_ENV" "OIDC_ISSUER"
+    check_var "$SHARED_BACKEND_ENV" "OIDC_CLIENT_ID"
+    check_var "$SHARED_BACKEND_ENV" "OIDC_DISCOVERY_URL"
+    check_var "$SHARED_BACKEND_ENV" "OIDC_ADMIN_GROUPS"
+    check_var "$SHARED_BACKEND_ENV" "OIDC_MEMBER_GROUPS"
+    check_var "$SHARED_BACKEND_ENV" "OIDC_JWKS_CACHE_TTL_SECONDS" true
+
+    # Bootstrap Admin (Optional, used for initial setup)
+    check_var "$SHARED_BACKEND_ENV" "BOOTSTRAP_ADMIN_OIDC_ISSUER" true
+    check_var "$SHARED_BACKEND_ENV" "BOOTSTRAP_ADMIN_OIDC_SUB" true
+    check_var "$SHARED_BACKEND_ENV" "BOOTSTRAP_ADMIN_EMAIL" true
+    check_var "$SHARED_BACKEND_ENV" "BOOTSTRAP_ADMIN_NAME" true
+    check_var "$SHARED_BACKEND_ENV" "BOOTSTRAP_HOUSEHOLD_NAME" true
 fi
 
 echo ""
@@ -138,6 +153,12 @@ echo "=== Validating Frontend Environment Variables ==="
 if [ -f "$SHARED_FRONTEND_ENV" ]; then
     check_var "$SHARED_FRONTEND_ENV" "PUBLIC_API_BASE"
     check_var "$SHARED_FRONTEND_ENV" "ORIGIN"
+
+    # Session and OIDC
+    check_var "$SHARED_FRONTEND_ENV" "SESSION_SECRET"
+    check_var "$SHARED_FRONTEND_ENV" "OIDC_ISSUER"
+    check_var "$SHARED_FRONTEND_ENV" "OIDC_CLIENT_ID"
+    check_var "$SHARED_FRONTEND_ENV" "OIDC_DISCOVERY_URL"
 fi
 
 echo ""
diff --git a/systemd/innercontext-node.service b/systemd/innercontext-node.service
index a052333..2293910 100644
--- a/systemd/innercontext-node.service
+++ b/systemd/innercontext-node.service
@@ -1,5 +1,8 @@
 [Unit]
 Description=innercontext SvelteKit Node frontend
+# Required env vars in .env.production:
+# PUBLIC_API_BASE, ORIGIN, SESSION_SECRET
+# OIDC_ISSUER, OIDC_CLIENT_ID, OIDC_DISCOVERY_URL
 After=network.target
 
 [Service]
diff --git a/systemd/innercontext.service b/systemd/innercontext.service
index 89545cb..d27138e 100644
--- a/systemd/innercontext.service
+++ b/systemd/innercontext.service
@@ -1,5 +1,10 @@
 [Unit]
 Description=innercontext FastAPI backend
+# Required env vars in .env:
+# DATABASE_URL, GEMINI_API_KEY
+# OIDC_ISSUER, OIDC_CLIENT_ID, OIDC_DISCOVERY_URL
+# OIDC_ADMIN_GROUPS, OIDC_MEMBER_GROUPS
+# (Optional) BOOTSTRAP_ADMIN_OIDC_ISSUER, BOOTSTRAP_ADMIN_OIDC_SUB, etc.
 After=network.target
 
 [Service]

From 1d5630ed8c715bba0b6ef2e819f70a87ca59f4e8 Mon Sep 17 00:00:00 2001
From: Piotr Oleszczyk <piotr@oleszczyk.eu>
Date: Thu, 12 Mar 2026 16:02:11 +0100
Subject: [PATCH 07/10] feat(api): add admin household management endpoints

---
 backend/innercontext/api/admin.py      | 206 ++++++++++++++
 backend/main.py                        |  10 +-
 backend/tests/test_admin_households.py | 354 +++++++++++++++++++++++++
 3 files changed, 566 insertions(+), 4 deletions(-)
 create mode 100644 backend/innercontext/api/admin.py
 create mode 100644 backend/tests/test_admin_households.py

diff --git a/backend/innercontext/api/admin.py b/backend/innercontext/api/admin.py
new file mode 100644
index 0000000..0a5c1fd
--- /dev/null
+++ b/backend/innercontext/api/admin.py
@@ -0,0 +1,206 @@
+from datetime import datetime
+from typing import Annotated
+from uuid import UUID
+
+from fastapi import APIRouter, Depends, HTTPException, Response, status
+from sqlmodel import Session, SQLModel, select
+
+from db import get_session
+from innercontext.api.auth_deps import require_admin
+from innercontext.api.utils import get_or_404
+from innercontext.models import (
+    Household,
+    HouseholdMembership,
+    HouseholdRole,
+    Role,
+    User,
+)
+
+router = APIRouter(dependencies=[Depends(require_admin)])
+SessionDep = Annotated[Session, Depends(get_session)]
+
+
+class AdminHouseholdPublic(SQLModel):
+    id: UUID
+    created_at: datetime
+    updated_at: datetime
+
+
+class AdminHouseholdMembershipPublic(SQLModel):
+    id: UUID
+    user_id: UUID
+    household_id: UUID
+    role: HouseholdRole
+    created_at: datetime
+    updated_at: datetime
+
+
+class AdminUserPublic(SQLModel):
+    id: UUID
+    oidc_issuer: str
+    oidc_subject: str
+    role: Role
+    created_at: datetime
+    updated_at: datetime
+    household_membership: AdminHouseholdMembershipPublic | None = None
+
+
+class AdminHouseholdMembershipCreate(SQLModel):
+    user_id: UUID
+    role: HouseholdRole = HouseholdRole.MEMBER
+
+
+def _membership_public(
+    membership: HouseholdMembership,
+) -> AdminHouseholdMembershipPublic:
+    return AdminHouseholdMembershipPublic(
+        id=membership.id,
+        user_id=membership.user_id,
+        household_id=membership.household_id,
+        role=membership.role,
+        created_at=membership.created_at,
+        updated_at=membership.updated_at,
+    )
+
+
+def _household_public(household: Household) -> AdminHouseholdPublic:
+    return AdminHouseholdPublic(
+        id=household.id,
+        created_at=household.created_at,
+        updated_at=household.updated_at,
+    )
+
+
+def _user_public(
+    user: User,
+    membership: HouseholdMembership | None,
+) -> AdminUserPublic:
+    return AdminUserPublic(
+        id=user.id,
+        oidc_issuer=user.oidc_issuer,
+        oidc_subject=user.oidc_subject,
+        role=user.role,
+        created_at=user.created_at,
+        updated_at=user.updated_at,
+        household_membership=(
+            _membership_public(membership) if membership is not None else None
+        ),
+    )
+
+
+def _get_membership_for_user(
+    session: Session,
+    user_id: UUID,
+) -> HouseholdMembership | None:
+    return session.exec(
+        select(HouseholdMembership).where(HouseholdMembership.user_id == user_id)
+    ).first()
+
+
+@router.get("/users", response_model=list[AdminUserPublic])
+def list_users(session: SessionDep):
+    users = sorted(
+        session.exec(select(User)).all(),
+        key=lambda user: (user.created_at, str(user.id)),
+    )
+    memberships = session.exec(select(HouseholdMembership)).all()
+    memberships_by_user_id = {
+        membership.user_id: membership for membership in memberships
+    }
+    return [_user_public(user, memberships_by_user_id.get(user.id)) for user in users]
+
+
+@router.post(
+    "/households",
+    response_model=AdminHouseholdPublic,
+    status_code=status.HTTP_201_CREATED,
+)
+def create_household(session: SessionDep):
+    household = Household()
+    session.add(household)
+    session.commit()
+    session.refresh(household)
+    return _household_public(household)
+
+
+@router.post(
+    "/households/{household_id}/members",
+    response_model=AdminHouseholdMembershipPublic,
+    status_code=status.HTTP_201_CREATED,
+)
+def assign_household_member(
+    household_id: UUID,
+    payload: AdminHouseholdMembershipCreate,
+    session: SessionDep,
+):
+    _ = get_or_404(session, Household, household_id)
+    _ = get_or_404(session, User, payload.user_id)
+    existing_membership = _get_membership_for_user(session, payload.user_id)
+    if existing_membership is not None:
+        detail = "User already belongs to a household"
+        if existing_membership.household_id == household_id:
+            detail = "User already belongs to this household"
+        raise HTTPException(status_code=status.HTTP_409_CONFLICT, detail=detail)
+
+    membership = HouseholdMembership(
+        user_id=payload.user_id,
+        household_id=household_id,
+        role=payload.role,
+    )
+    session.add(membership)
+    session.commit()
+    session.refresh(membership)
+    return _membership_public(membership)
+
+
+@router.patch(
+    "/households/{household_id}/members/{user_id}",
+    response_model=AdminHouseholdMembershipPublic,
+)
+def move_household_member(
+    household_id: UUID,
+    user_id: UUID,
+    session: SessionDep,
+):
+    _ = get_or_404(session, Household, household_id)
+    _ = get_or_404(session, User, user_id)
+    membership = _get_membership_for_user(session, user_id)
+    if membership is None:
+        raise HTTPException(
+            status_code=status.HTTP_404_NOT_FOUND,
+            detail="HouseholdMembership not found",
+        )
+    if membership.household_id == household_id:
+        raise HTTPException(
+            status_code=status.HTTP_409_CONFLICT,
+            detail="User already belongs to this household",
+        )
+
+    membership.household_id = household_id
+    session.add(membership)
+    session.commit()
+    session.refresh(membership)
+    return _membership_public(membership)
+
+
+@router.delete(
+    "/households/{household_id}/members/{user_id}",
+    status_code=status.HTTP_204_NO_CONTENT,
+)
+def remove_household_member(
+    household_id: UUID,
+    user_id: UUID,
+    session: SessionDep,
+):
+    _ = get_or_404(session, Household, household_id)
+    _ = get_or_404(session, User, user_id)
+    membership = _get_membership_for_user(session, user_id)
+    if membership is None or membership.household_id != household_id:
+        raise HTTPException(
+            status_code=status.HTTP_404_NOT_FOUND,
+            detail="HouseholdMembership not found",
+        )
+
+    session.delete(membership)
+    session.commit()
+    return Response(status_code=status.HTTP_204_NO_CONTENT)
diff --git a/backend/main.py b/backend/main.py
index 55280aa..3d74443 100644
--- a/backend/main.py
+++ b/backend/main.py
@@ -1,9 +1,9 @@
+from collections.abc import AsyncIterator
 from contextlib import asynccontextmanager
-from typing import AsyncIterator
 
 from dotenv import load_dotenv
 
-load_dotenv()  # load .env before db.py reads DATABASE_URL
+_ = load_dotenv()  # load .env before db.py reads DATABASE_URL
 
 from fastapi import Depends, FastAPI  # noqa: E402
 from fastapi.middleware.cors import CORSMiddleware  # noqa: E402
@@ -11,6 +11,7 @@ from sqlmodel import Session  # noqa: E402
 
 from db import create_db_and_tables, engine  # noqa: E402
 from innercontext.api import (  # noqa: E402
+    admin,
     ai_logs,
     auth,
     health,
@@ -25,11 +26,11 @@ from innercontext.services.pricing_jobs import enqueue_pricing_recalc  # noqa: E
 
 
 @asynccontextmanager
-async def lifespan(app: FastAPI) -> AsyncIterator[None]:
+async def lifespan(_app: FastAPI) -> AsyncIterator[None]:
     create_db_and_tables()
     try:
         with Session(engine) as session:
-            enqueue_pricing_recalc(session)
+            _ = enqueue_pricing_recalc(session)
             session.commit()
     except Exception as exc:  # pragma: no cover
         print(f"[startup] failed to enqueue pricing recalculation job: {exc}")
@@ -52,6 +53,7 @@ app.add_middleware(
 protected = [Depends(get_current_user)]
 
 app.include_router(auth.router, prefix="/auth", tags=["auth"])
+app.include_router(admin.router, prefix="/admin", tags=["admin"])
 app.include_router(
     products.router,
     prefix="/products",
diff --git a/backend/tests/test_admin_households.py b/backend/tests/test_admin_households.py
new file mode 100644
index 0000000..31b1f16
--- /dev/null
+++ b/backend/tests/test_admin_households.py
@@ -0,0 +1,354 @@
+from __future__ import annotations
+
+from collections.abc import Generator
+from datetime import UTC, datetime, timedelta
+from typing import cast
+from uuid import UUID, uuid4
+
+import pytest
+from fastapi.testclient import TestClient
+from sqlmodel import Session
+
+from db import get_session
+from innercontext.api.auth_deps import get_current_user
+from innercontext.auth import (
+    CurrentHouseholdMembership,
+    CurrentUser,
+    IdentityData,
+    TokenClaims,
+)
+from innercontext.models import (
+    Household,
+    HouseholdMembership,
+    HouseholdRole,
+    Role,
+    User,
+)
+from main import app
+
+
+def _current_user(
+    user_id: UUID,
+    *,
+    role: Role = Role.ADMIN,
+    household_id: UUID | None = None,
+) -> CurrentUser:
+    claims = TokenClaims(
+        issuer="https://auth.test",
+        subject=str(user_id),
+        audience=("innercontext-web",),
+        expires_at=datetime.now(UTC) + timedelta(hours=1),
+        groups=(
+            ("innercontext-admin",) if role is Role.ADMIN else ("innercontext-member",)
+        ),
+        raw_claims={"iss": "https://auth.test", "sub": str(user_id)},
+    )
+    membership = None
+    if household_id is not None:
+        membership = CurrentHouseholdMembership(
+            household_id=household_id,
+            role=HouseholdRole.MEMBER,
+        )
+    return CurrentUser(
+        user_id=user_id,
+        role=role,
+        identity=IdentityData.from_claims(claims),
+        claims=claims,
+        household_membership=membership,
+    )
+
+
+def _create_user(
+    session: Session,
+    *,
+    role: Role = Role.MEMBER,
+    subject: str | None = None,
+) -> User:
+    user = User(
+        oidc_issuer="https://auth.test",
+        oidc_subject=subject or str(uuid4()),
+        role=role,
+    )
+    session.add(user)
+    session.commit()
+    session.refresh(user)
+    return user
+
+
+def _create_household(session: Session) -> Household:
+    household = Household()
+    session.add(household)
+    session.commit()
+    session.refresh(household)
+    return household
+
+
+def _create_membership(
+    session: Session,
+    *,
+    user_id: UUID,
+    household_id: UUID,
+    role: HouseholdRole = HouseholdRole.MEMBER,
+) -> HouseholdMembership:
+    membership = HouseholdMembership(
+        user_id=user_id,
+        household_id=household_id,
+        role=role,
+    )
+    session.add(membership)
+    session.commit()
+    session.refresh(membership)
+    return membership
+
+
+@pytest.fixture()
+def auth_client(
+    session: Session,
+) -> Generator[tuple[TestClient, dict[str, CurrentUser]], None, None]:
+    auth_state = {"current_user": _current_user(uuid4(), role=Role.ADMIN)}
+
+    def _session_override():
+        yield session
+
+    def _current_user_override():
+        return auth_state["current_user"]
+
+    app.dependency_overrides[get_session] = _session_override
+    app.dependency_overrides[get_current_user] = _current_user_override
+    with TestClient(app) as client:
+        yield client, auth_state
+    app.dependency_overrides.clear()
+
+
+def test_list_users_returns_local_users_with_memberships(
+    auth_client: tuple[TestClient, dict[str, CurrentUser]],
+    session: Session,
+):
+    client, _ = auth_client
+
+    unassigned_user = _create_user(session, subject="member-a")
+    assigned_user = _create_user(session, subject="member-b")
+    household = _create_household(session)
+    membership = _create_membership(
+        session,
+        user_id=assigned_user.id,
+        household_id=household.id,
+        role=HouseholdRole.OWNER,
+    )
+
+    response = client.get("/admin/users")
+
+    assert response.status_code == 200
+    response_users = cast(list[dict[str, object]], response.json())
+    users = {item["id"]: item for item in response_users}
+    assert users[str(unassigned_user.id)]["household_membership"] is None
+    assert users[str(assigned_user.id)]["household_membership"] == {
+        "id": str(membership.id),
+        "user_id": str(assigned_user.id),
+        "household_id": str(household.id),
+        "role": "owner",
+        "created_at": membership.created_at.isoformat(),
+        "updated_at": membership.updated_at.isoformat(),
+    }
+
+
+def test_create_household_returns_new_household(
+    auth_client: tuple[TestClient, dict[str, CurrentUser]],
+    session: Session,
+):
+    client, _ = auth_client
+
+    response = client.post("/admin/households")
+
+    assert response.status_code == 201
+    payload = cast(dict[str, object], response.json())
+    household_id = UUID(cast(str, payload["id"]))
+    created = session.get(Household, household_id)
+    assert created is not None
+
+
+def test_assign_member_creates_membership(
+    auth_client: tuple[TestClient, dict[str, CurrentUser]],
+    session: Session,
+):
+    client, _ = auth_client
+
+    user = _create_user(session)
+    household = _create_household(session)
+
+    response = client.post(
+        f"/admin/households/{household.id}/members",
+        json={"user_id": str(user.id), "role": "owner"},
+    )
+
+    assert response.status_code == 201
+    payload = cast(dict[str, object], response.json())
+    assert payload["user_id"] == str(user.id)
+    assert payload["household_id"] == str(household.id)
+    assert payload["role"] == "owner"
+
+    membership = session.get(HouseholdMembership, UUID(cast(str, payload["id"])))
+    assert membership is not None
+    assert membership.user_id == user.id
+    assert membership.household_id == household.id
+    assert membership.role is HouseholdRole.OWNER
+
+
+def test_assign_member_rejects_already_assigned_user(
+    auth_client: tuple[TestClient, dict[str, CurrentUser]],
+    session: Session,
+):
+    client, _ = auth_client
+
+    user = _create_user(session)
+    current_household = _create_household(session)
+    target_household = _create_household(session)
+    _ = _create_membership(session, user_id=user.id, household_id=current_household.id)
+
+    response = client.post(
+        f"/admin/households/{target_household.id}/members",
+        json={"user_id": str(user.id)},
+    )
+
+    assert response.status_code == 409
+    assert response.json()["detail"] == "User already belongs to a household"
+
+
+def test_assign_member_rejects_unsynced_user(
+    auth_client: tuple[TestClient, dict[str, CurrentUser]],
+    session: Session,
+):
+    client, _ = auth_client
+    household = _create_household(session)
+    user_id = uuid4()
+
+    response = client.post(
+        f"/admin/households/{household.id}/members",
+        json={"user_id": str(user_id)},
+    )
+
+    assert response.status_code == 404
+    assert response.json()["detail"] == "User not found"
+
+
+def test_move_member_moves_user_between_households(
+    auth_client: tuple[TestClient, dict[str, CurrentUser]],
+    session: Session,
+):
+    client, _ = auth_client
+
+    user = _create_user(session)
+    source_household = _create_household(session)
+    target_household = _create_household(session)
+    membership = _create_membership(
+        session,
+        user_id=user.id,
+        household_id=source_household.id,
+        role=HouseholdRole.OWNER,
+    )
+
+    response = client.patch(
+        f"/admin/households/{target_household.id}/members/{user.id}"
+    )
+
+    assert response.status_code == 200
+    payload = cast(dict[str, object], response.json())
+    assert payload["id"] == str(membership.id)
+    assert payload["household_id"] == str(target_household.id)
+    assert payload["role"] == "owner"
+
+    session.refresh(membership)
+    assert membership.household_id == target_household.id
+
+
+def test_move_member_rejects_user_without_membership(
+    auth_client: tuple[TestClient, dict[str, CurrentUser]],
+    session: Session,
+):
+    client, _ = auth_client
+
+    user = _create_user(session)
+    target_household = _create_household(session)
+
+    response = client.patch(
+        f"/admin/households/{target_household.id}/members/{user.id}"
+    )
+
+    assert response.status_code == 404
+    assert response.json()["detail"] == "HouseholdMembership not found"
+
+
+def test_move_member_rejects_same_household_target(
+    auth_client: tuple[TestClient, dict[str, CurrentUser]],
+    session: Session,
+):
+    client, _ = auth_client
+
+    user = _create_user(session)
+    household = _create_household(session)
+    _ = _create_membership(session, user_id=user.id, household_id=household.id)
+
+    response = client.patch(f"/admin/households/{household.id}/members/{user.id}")
+
+    assert response.status_code == 409
+    assert response.json()["detail"] == "User already belongs to this household"
+
+
+def test_remove_membership_deletes_membership(
+    auth_client: tuple[TestClient, dict[str, CurrentUser]],
+    session: Session,
+):
+    client, _ = auth_client
+
+    user = _create_user(session)
+    household = _create_household(session)
+    membership = _create_membership(session, user_id=user.id, household_id=household.id)
+
+    response = client.delete(f"/admin/households/{household.id}/members/{user.id}")
+
+    assert response.status_code == 204
+    assert session.get(HouseholdMembership, membership.id) is None
+
+
+def test_remove_membership_requires_matching_household(
+    auth_client: tuple[TestClient, dict[str, CurrentUser]],
+    session: Session,
+):
+    client, _ = auth_client
+
+    user = _create_user(session)
+    household = _create_household(session)
+    other_household = _create_household(session)
+    _ = _create_membership(session, user_id=user.id, household_id=household.id)
+
+    response = client.delete(
+        f"/admin/households/{other_household.id}/members/{user.id}"
+    )
+
+    assert response.status_code == 404
+    assert response.json()["detail"] == "HouseholdMembership not found"
+
+
+@pytest.mark.parametrize(
+    ("method", "path", "json_body"),
+    [
+        ("get", "/admin/users", None),
+        ("post", "/admin/households", None),
+        ("post", f"/admin/households/{uuid4()}/members", {"user_id": str(uuid4())}),
+        ("patch", f"/admin/households/{uuid4()}/members/{uuid4()}", None),
+        ("delete", f"/admin/households/{uuid4()}/members/{uuid4()}", None),
+    ],
+)
+def test_admin_household_routes_forbidden_for_member(
+    auth_client: tuple[TestClient, dict[str, CurrentUser]],
+    method: str,
+    path: str,
+    json_body: dict[str, str] | None,
+):
+    client, auth_state = auth_client
+    auth_state["current_user"] = _current_user(uuid4(), role=Role.MEMBER)
+
+    response = client.request(method, path, json=json_body)
+
+    assert response.status_code == 403
+    assert response.json()["detail"] == "Admin role required"

From b11f64d5a141cf86a17df2497a99a49ba1089bd7 Mon Sep 17 00:00:00 2001
From: Piotr Oleszczyk <piotr@oleszczyk.eu>
Date: Thu, 12 Mar 2026 16:27:24 +0100
Subject: [PATCH 08/10] refactor(frontend): route protected API access through
 server session

---
 .sisyphus/evidence/task-T8-protected-nav.md   |  18 +
 .../evidence/task-T8-signed-out-network.txt   |  10 +
 frontend/messages/en.json                     |   5 +
 frontend/messages/pl.json                     |   5 +
 frontend/src/lib/api.ts                       | 364 ++++++++++++------
 .../src/lib/components/ProductForm.svelte     |  20 +-
 frontend/src/lib/server/api.ts                |  18 +
 frontend/src/routes/+layout.server.ts         |  36 ++
 frontend/src/routes/+layout.svelte            | 130 ++++++-
 frontend/src/routes/+page.server.ts           |  11 +-
 .../routes/api/products/parse-text/+server.ts |  23 ++
 .../routes/api/routines/steps/[id]/+server.ts |  23 ++
 .../routes/api/skin/analyze-photos/+server.ts |  19 +
 .../routes/health/lab-results/+page.server.ts |  19 +-
 .../health/lab-results/new/+page.server.ts    |   7 +-
 .../routes/health/medications/+page.server.ts |   7 +-
 .../health/medications/new/+page.server.ts    |   7 +-
 frontend/src/routes/products/+page.server.ts  |   6 +-
 .../src/routes/products/[id]/+page.server.ts  |  36 +-
 .../src/routes/products/new/+page.server.ts   |   7 +-
 frontend/src/routes/profile/+page.server.ts   |  26 +-
 frontend/src/routes/routines/+page.server.ts  |   7 +-
 .../src/routes/routines/[id]/+page.server.ts  |  27 +-
 .../src/routes/routines/[id]/+page.svelte     |  22 +-
 .../grooming-schedule/+page.server.ts         |  18 +-
 .../grooming-schedule/new/+page.server.ts     |   7 +-
 .../src/routes/routines/new/+page.server.ts   |  10 +-
 .../routes/routines/suggest/+page.server.ts   |  40 +-
 frontend/src/routes/skin/+page.server.ts      |  19 +-
 frontend/src/routes/skin/new/+page.server.ts  |   7 +-
 frontend/src/routes/skin/new/+page.svelte     |  22 +-
 31 files changed, 727 insertions(+), 249 deletions(-)
 create mode 100644 .sisyphus/evidence/task-T8-protected-nav.md
 create mode 100644 .sisyphus/evidence/task-T8-signed-out-network.txt
 create mode 100644 frontend/src/lib/server/api.ts
 create mode 100644 frontend/src/routes/+layout.server.ts
 create mode 100644 frontend/src/routes/api/products/parse-text/+server.ts
 create mode 100644 frontend/src/routes/api/routines/steps/[id]/+server.ts
 create mode 100644 frontend/src/routes/api/skin/analyze-photos/+server.ts

diff --git a/.sisyphus/evidence/task-T8-protected-nav.md b/.sisyphus/evidence/task-T8-protected-nav.md
new file mode 100644
index 0000000..898bd0a
--- /dev/null
+++ b/.sisyphus/evidence/task-T8-protected-nav.md
@@ -0,0 +1,18 @@
+# Task T8 Protected Navigation
+
+- QA app: `http://127.0.0.1:4175`
+- Backend: `http://127.0.0.1:8002`
+- Mock OIDC issuer: `http://127.0.0.1:9100`
+- Backend DB: `.sisyphus/evidence/task-T8-qa.sqlite`
+
+Authenticated shell and protected route checks executed with Playwright:
+
+- `/` -> title `Dashboard - innercontext`, heading `Dashboard`, shell user `Playwright User`, role `Użytkownik`, logout visible `true`
+- `/products` -> title `Produkty — innercontext`, heading `Produkty`, shell user `Playwright User`, role `Użytkownik`, logout visible `true`
+- `/profile` -> title `Profil — innercontext`, heading `Profil`, shell user `Playwright User`, role `Użytkownik`, logout visible `true`
+- `/routines` -> title `Rutyny — innercontext`, heading `Rutyny`, shell user `Playwright User`, role `Użytkownik`, logout visible `true`
+
+Logout endpoint check executed with Playwright request API:
+
+- `GET /auth/logout` -> `303`
+- Location -> `http://127.0.0.1:9100/logout?client_id=innercontext-web&post_logout_redirect_uri=http%3A%2F%2F127.0.0.1%3A4175%2F`
diff --git a/.sisyphus/evidence/task-T8-signed-out-network.txt b/.sisyphus/evidence/task-T8-signed-out-network.txt
new file mode 100644
index 0000000..9128fdf
--- /dev/null
+++ b/.sisyphus/evidence/task-T8-signed-out-network.txt
@@ -0,0 +1,10 @@
+Playwright unauthenticated request check
+
+request: GET http://127.0.0.1:4175/products
+cookies: none
+maxRedirects: 0
+
+status: 303
+location: /auth/login?returnTo=%2Fproducts
+
+result: protected page redirects to the login flow before returning page content.
diff --git a/frontend/messages/en.json b/frontend/messages/en.json
index 651301a..8eda3a9 100644
--- a/frontend/messages/en.json
+++ b/frontend/messages/en.json
@@ -10,6 +10,11 @@
   "nav_appName": "innercontext",
   "nav_appSubtitle": "personal health & skincare",
 
+  "auth_signedInAs": "Signed in as",
+  "auth_roleAdmin": "Admin",
+  "auth_roleMember": "Member",
+  "auth_logout": "Log out",
+
   "common_save": "Save",
   "common_cancel": "Cancel",
   "common_add": "Add",
diff --git a/frontend/messages/pl.json b/frontend/messages/pl.json
index 33fbc31..c086a79 100644
--- a/frontend/messages/pl.json
+++ b/frontend/messages/pl.json
@@ -10,6 +10,11 @@
   "nav_appName": "innercontext",
   "nav_appSubtitle": "zdrowie & pielęgnacja",
 
+  "auth_signedInAs": "Zalogowano jako",
+  "auth_roleAdmin": "Administrator",
+  "auth_roleMember": "Użytkownik",
+  "auth_logout": "Wyloguj",
+
   "common_save": "Zapisz",
   "common_cancel": "Anuluj",
   "common_add": "Dodaj",
diff --git a/frontend/src/lib/api.ts b/frontend/src/lib/api.ts
index 7a0327f..f9bd236 100644
--- a/frontend/src/lib/api.ts
+++ b/frontend/src/lib/api.ts
@@ -20,43 +20,87 @@ import type {
   UserProfile,
 } from "./types";
 
-// ─── Core fetch helpers ──────────────────────────────────────────────────────
+export interface ApiClientOptions {
+  fetch?: typeof globalThis.fetch;
+  accessToken?: string;
+}
 
-async function request<T>(path: string, init: RequestInit = {}): Promise<T> {
-  // Server-side uses PUBLIC_API_BASE (e.g. http://localhost:8000).
-  // Browser-side uses /api so nginx proxies the request on the correct host.
-  const base = browser ? "/api" : PUBLIC_API_BASE;
-  const url = `${base}${path}`;
-  const res = await fetch(url, {
-    headers: { "Content-Type": "application/json", ...init.headers },
+function resolveBase(options: ApiClientOptions): string {
+  if (browser && !options.accessToken) {
+    return "/api";
+  }
+
+  return PUBLIC_API_BASE;
+}
+
+function buildHeaders(
+  initHeaders: HeadersInit | undefined,
+  body: BodyInit | null | undefined,
+  accessToken?: string,
+): Headers {
+  const headers = new Headers(initHeaders);
+
+  if (!(body instanceof FormData) && body !== undefined && body !== null) {
+    headers.set("Content-Type", headers.get("Content-Type") ?? "application/json");
+  }
+
+  if (accessToken && !headers.has("Authorization")) {
+    headers.set("Authorization", `Bearer ${accessToken}`);
+  }
+
+  return headers;
+}
+
+async function request<T>(
+  path: string,
+  init: RequestInit = {},
+  options: ApiClientOptions = {},
+): Promise<T> {
+  const url = `${resolveBase(options)}${path}`;
+  const requestFn = options.fetch ?? fetch;
+  const res = await requestFn(url, {
+    headers: buildHeaders(init.headers, init.body, options.accessToken),
     ...init,
   });
+
   if (!res.ok) {
     const detail = await res.json().catch(() => ({ detail: res.statusText }));
     throw new Error(detail?.detail ?? res.statusText);
   }
+
   if (res.status === 204) return undefined as T;
   return res.json();
 }
 
-export const api = {
-  get: <T>(path: string) => request<T>(path),
-  post: <T>(path: string, body: unknown) =>
-    request<T>(path, { method: "POST", body: JSON.stringify(body) }),
-  patch: <T>(path: string, body: unknown) =>
-    request<T>(path, { method: "PATCH", body: JSON.stringify(body) }),
-  del: (path: string) => request<void>(path, { method: "DELETE" }),
-};
+export function createApiClient(options: ApiClientOptions = {}) {
+  return {
+    get: <T>(path: string) => request<T>(path, {}, options),
+    post: <T>(path: string, body: unknown) =>
+      request<T>(path, { method: "POST", body: JSON.stringify(body) }, options),
+    postForm: <T>(path: string, body: FormData) =>
+      request<T>(path, { method: "POST", body }, options),
+    patch: <T>(path: string, body: unknown) =>
+      request<T>(path, { method: "PATCH", body: JSON.stringify(body) }, options),
+    del: (path: string) => request<void>(path, { method: "DELETE" }, options),
+  };
+}
 
-// ─── Profile ─────────────────────────────────────────────────────────────────
+export type ApiClient = ReturnType<typeof createApiClient>;
 
-export const getProfile = (): Promise<UserProfile | null> => api.get("/profile");
+export const api = createApiClient();
+
+function resolveClient(options?: ApiClientOptions): ApiClient {
+  return options ? createApiClient(options) : api;
+}
+
+export const getProfile = (
+  options?: ApiClientOptions,
+): Promise<UserProfile | null> => resolveClient(options).get("/profile");
 
 export const updateProfile = (
   body: { birth_date?: string; sex_at_birth?: "male" | "female" | "intersex" },
-): Promise<UserProfile> => api.patch("/profile", body);
-
-// ─── Products ────────────────────────────────────────────────────────────────
+  options?: ApiClientOptions,
+): Promise<UserProfile> => resolveClient(options).patch("/profile", body);
 
 export interface ProductListParams {
   category?: string;
@@ -68,62 +112,87 @@ export interface ProductListParams {
 
 export function getProducts(
   params: ProductListParams = {},
+  options?: ApiClientOptions,
 ): Promise<Product[]> {
   const q = new URLSearchParams();
   if (params.category) q.set("category", params.category);
   if (params.brand) q.set("brand", params.brand);
   if (params.targets) params.targets.forEach((t) => q.append("targets", t));
-  if (params.is_medication != null)
+  if (params.is_medication != null) {
     q.set("is_medication", String(params.is_medication));
+  }
   if (params.is_tool != null) q.set("is_tool", String(params.is_tool));
   const qs = q.toString();
-  return api.get(`/products${qs ? `?${qs}` : ""}`);
+  return resolveClient(options).get(`/products${qs ? `?${qs}` : ""}`);
 }
 
 export function getProductSummaries(
   params: ProductListParams = {},
+  options?: ApiClientOptions,
 ): Promise<ProductSummary[]> {
   const q = new URLSearchParams();
   if (params.category) q.set("category", params.category);
   if (params.brand) q.set("brand", params.brand);
   if (params.targets) params.targets.forEach((t) => q.append("targets", t));
-  if (params.is_medication != null)
+  if (params.is_medication != null) {
     q.set("is_medication", String(params.is_medication));
+  }
   if (params.is_tool != null) q.set("is_tool", String(params.is_tool));
   const qs = q.toString();
-  return api.get(`/products/summary${qs ? `?${qs}` : ""}`);
+  return resolveClient(options).get(`/products/summary${qs ? `?${qs}` : ""}`);
 }
 
-export const getProduct = (id: string): Promise<Product> =>
-  api.get(`/products/${id}`);
+export const getProduct = (
+  id: string,
+  options?: ApiClientOptions,
+): Promise<Product> => resolveClient(options).get(`/products/${id}`);
+
 export const createProduct = (
   body: Record<string, unknown>,
-): Promise<Product> => api.post("/products", body);
+  options?: ApiClientOptions,
+): Promise<Product> => resolveClient(options).post("/products", body);
+
 export const updateProduct = (
   id: string,
   body: Record<string, unknown>,
-): Promise<Product> => api.patch(`/products/${id}`, body);
-export const deleteProduct = (id: string): Promise<void> =>
-  api.del(`/products/${id}`);
+  options?: ApiClientOptions,
+): Promise<Product> => resolveClient(options).patch(`/products/${id}`, body);
+
+export const deleteProduct = (
+  id: string,
+  options?: ApiClientOptions,
+): Promise<void> => resolveClient(options).del(`/products/${id}`);
+
+export const getInventory = (
+  productId: string,
+  options?: ApiClientOptions,
+): Promise<ProductInventory[]> =>
+  resolveClient(options).get(`/products/${productId}/inventory`);
 
-export const getInventory = (productId: string): Promise<ProductInventory[]> =>
-  api.get(`/products/${productId}/inventory`);
 export const createInventory = (
   productId: string,
   body: Record<string, unknown>,
+  options?: ApiClientOptions,
 ): Promise<ProductInventory> =>
-  api.post(`/products/${productId}/inventory`, body);
+  resolveClient(options).post(`/products/${productId}/inventory`, body);
+
 export const updateInventory = (
   id: string,
   body: Record<string, unknown>,
-): Promise<ProductInventory> => api.patch(`/inventory/${id}`, body);
-export const deleteInventory = (id: string): Promise<void> =>
-  api.del(`/inventory/${id}`);
+  options?: ApiClientOptions,
+): Promise<ProductInventory> =>
+  resolveClient(options).patch(`/inventory/${id}`, body);
 
-export const parseProductText = (text: string): Promise<ProductParseResponse> =>
-  api.post("/products/parse-text", { text });
+export const deleteInventory = (
+  id: string,
+  options?: ApiClientOptions,
+): Promise<void> => resolveClient(options).del(`/inventory/${id}`);
 
-// ─── Routines ────────────────────────────────────────────────────────────────
+export const parseProductText = (
+  text: string,
+  options?: ApiClientOptions,
+): Promise<ProductParseResponse> =>
+  resolveClient(options).post("/products/parse-text", { text });
 
 export interface RoutineListParams {
   from_date?: string;
@@ -133,68 +202,103 @@ export interface RoutineListParams {
 
 export function getRoutines(
   params: RoutineListParams = {},
+  options?: ApiClientOptions,
 ): Promise<Routine[]> {
   const q = new URLSearchParams();
   if (params.from_date) q.set("from_date", params.from_date);
   if (params.to_date) q.set("to_date", params.to_date);
   if (params.part_of_day) q.set("part_of_day", params.part_of_day);
   const qs = q.toString();
-  return api.get(`/routines${qs ? `?${qs}` : ""}`);
+  return resolveClient(options).get(`/routines${qs ? `?${qs}` : ""}`);
 }
 
-export const getRoutine = (id: string): Promise<Routine> =>
-  api.get(`/routines/${id}`);
+export const getRoutine = (
+  id: string,
+  options?: ApiClientOptions,
+): Promise<Routine> => resolveClient(options).get(`/routines/${id}`);
+
 export const createRoutine = (
   body: Record<string, unknown>,
-): Promise<Routine> => api.post("/routines", body);
+  options?: ApiClientOptions,
+): Promise<Routine> => resolveClient(options).post("/routines", body);
+
 export const updateRoutine = (
   id: string,
   body: Record<string, unknown>,
-): Promise<Routine> => api.patch(`/routines/${id}`, body);
-export const deleteRoutine = (id: string): Promise<void> =>
-  api.del(`/routines/${id}`);
+  options?: ApiClientOptions,
+): Promise<Routine> => resolveClient(options).patch(`/routines/${id}`, body);
+
+export const deleteRoutine = (
+  id: string,
+  options?: ApiClientOptions,
+): Promise<void> => resolveClient(options).del(`/routines/${id}`);
 
 export const addRoutineStep = (
   routineId: string,
   body: Record<string, unknown>,
-): Promise<RoutineStep> => api.post(`/routines/${routineId}/steps`, body);
+  options?: ApiClientOptions,
+): Promise<RoutineStep> =>
+  resolveClient(options).post(`/routines/${routineId}/steps`, body);
+
 export const updateRoutineStep = (
   stepId: string,
   body: Record<string, unknown>,
-): Promise<RoutineStep> => api.patch(`/routines/steps/${stepId}`, body);
-export const deleteRoutineStep = (stepId: string): Promise<void> =>
-  api.del(`/routines/steps/${stepId}`);
+  options?: ApiClientOptions,
+): Promise<RoutineStep> =>
+  resolveClient(options).patch(`/routines/steps/${stepId}`, body);
 
-export const suggestRoutine = (body: {
-  routine_date: string;
-  part_of_day: PartOfDay;
-  notes?: string;
-  include_minoxidil_beard?: boolean;
-  leaving_home?: boolean;
-}): Promise<RoutineSuggestion> => api.post("/routines/suggest", body);
+export const deleteRoutineStep = (
+  stepId: string,
+  options?: ApiClientOptions,
+): Promise<void> => resolveClient(options).del(`/routines/steps/${stepId}`);
 
-export const suggestBatch = (body: {
-  from_date: string;
-  to_date: string;
-  notes?: string;
-  include_minoxidil_beard?: boolean;
-  minimize_products?: boolean;
-}): Promise<BatchSuggestion> => api.post("/routines/suggest-batch", body);
+export const suggestRoutine = (
+  body: {
+    routine_date: string;
+    part_of_day: PartOfDay;
+    notes?: string;
+    include_minoxidil_beard?: boolean;
+    leaving_home?: boolean;
+  },
+  options?: ApiClientOptions,
+): Promise<RoutineSuggestion> =>
+  resolveClient(options).post("/routines/suggest", body);
+
+export const suggestBatch = (
+  body: {
+    from_date: string;
+    to_date: string;
+    notes?: string;
+    include_minoxidil_beard?: boolean;
+    minimize_products?: boolean;
+  },
+  options?: ApiClientOptions,
+): Promise<BatchSuggestion> =>
+  resolveClient(options).post("/routines/suggest-batch", body);
+
+export const getGroomingSchedule = (
+  options?: ApiClientOptions,
+): Promise<GroomingSchedule[]> =>
+  resolveClient(options).get("/routines/grooming-schedule");
 
-export const getGroomingSchedule = (): Promise<GroomingSchedule[]> =>
-  api.get("/routines/grooming-schedule");
 export const createGroomingScheduleEntry = (
   body: Record<string, unknown>,
-): Promise<GroomingSchedule> => api.post("/routines/grooming-schedule", body);
+  options?: ApiClientOptions,
+): Promise<GroomingSchedule> =>
+  resolveClient(options).post("/routines/grooming-schedule", body);
+
 export const updateGroomingScheduleEntry = (
   id: string,
   body: Record<string, unknown>,
+  options?: ApiClientOptions,
 ): Promise<GroomingSchedule> =>
-  api.patch(`/routines/grooming-schedule/${id}`, body);
-export const deleteGroomingScheduleEntry = (id: string): Promise<void> =>
-  api.del(`/routines/grooming-schedule/${id}`);
+  resolveClient(options).patch(`/routines/grooming-schedule/${id}`, body);
 
-// ─── Health – Medications ────────────────────────────────────────────────────
+export const deleteGroomingScheduleEntry = (
+  id: string,
+  options?: ApiClientOptions,
+): Promise<void> =>
+  resolveClient(options).del(`/routines/grooming-schedule/${id}`);
 
 export interface MedicationListParams {
   kind?: string;
@@ -203,37 +307,51 @@ export interface MedicationListParams {
 
 export function getMedications(
   params: MedicationListParams = {},
+  options?: ApiClientOptions,
 ): Promise<MedicationEntry[]> {
   const q = new URLSearchParams();
   if (params.kind) q.set("kind", params.kind);
   if (params.product_name) q.set("product_name", params.product_name);
   const qs = q.toString();
-  return api.get(`/health/medications${qs ? `?${qs}` : ""}`);
+  return resolveClient(options).get(`/health/medications${qs ? `?${qs}` : ""}`);
 }
 
-export const getMedication = (id: string): Promise<MedicationEntry> =>
-  api.get(`/health/medications/${id}`);
+export const getMedication = (
+  id: string,
+  options?: ApiClientOptions,
+): Promise<MedicationEntry> =>
+  resolveClient(options).get(`/health/medications/${id}`);
+
 export const createMedication = (
   body: Record<string, unknown>,
-): Promise<MedicationEntry> => api.post("/health/medications", body);
+  options?: ApiClientOptions,
+): Promise<MedicationEntry> =>
+  resolveClient(options).post("/health/medications", body);
+
 export const updateMedication = (
   id: string,
   body: Record<string, unknown>,
-): Promise<MedicationEntry> => api.patch(`/health/medications/${id}`, body);
-export const deleteMedication = (id: string): Promise<void> =>
-  api.del(`/health/medications/${id}`);
+  options?: ApiClientOptions,
+): Promise<MedicationEntry> =>
+  resolveClient(options).patch(`/health/medications/${id}`, body);
+
+export const deleteMedication = (
+  id: string,
+  options?: ApiClientOptions,
+): Promise<void> => resolveClient(options).del(`/health/medications/${id}`);
 
 export const getMedicationUsages = (
   medicationId: string,
+  options?: ApiClientOptions,
 ): Promise<MedicationUsage[]> =>
-  api.get(`/health/medications/${medicationId}/usages`);
+  resolveClient(options).get(`/health/medications/${medicationId}/usages`);
+
 export const createMedicationUsage = (
   medicationId: string,
   body: Record<string, unknown>,
+  options?: ApiClientOptions,
 ): Promise<MedicationUsage> =>
-  api.post(`/health/medications/${medicationId}/usages`, body);
-
-// ─── Health – Lab results ────────────────────────────────────────────────────
+  resolveClient(options).post(`/health/medications/${medicationId}/usages`, body);
 
 export interface LabResultListParams {
   q?: string;
@@ -250,6 +368,7 @@ export interface LabResultListParams {
 
 export function getLabResults(
   params: LabResultListParams = {},
+  options?: ApiClientOptions,
 ): Promise<LabResultListResponse> {
   const q = new URLSearchParams();
   if (params.q) q.set("q", params.q);
@@ -258,29 +377,43 @@ export function getLabResults(
   if (params.flags?.length) {
     for (const flag of params.flags) q.append("flags", flag);
   }
-  if (params.without_flag != null) q.set("without_flag", String(params.without_flag));
+  if (params.without_flag != null) {
+    q.set("without_flag", String(params.without_flag));
+  }
   if (params.from_date) q.set("from_date", params.from_date);
   if (params.to_date) q.set("to_date", params.to_date);
-  if (params.latest_only != null) q.set("latest_only", String(params.latest_only));
+  if (params.latest_only != null) {
+    q.set("latest_only", String(params.latest_only));
+  }
   if (params.limit != null) q.set("limit", String(params.limit));
   if (params.offset != null) q.set("offset", String(params.offset));
   const qs = q.toString();
-  return api.get(`/health/lab-results${qs ? `?${qs}` : ""}`);
+  return resolveClient(options).get(`/health/lab-results${qs ? `?${qs}` : ""}`);
 }
 
-export const getLabResult = (id: string): Promise<LabResult> =>
-  api.get(`/health/lab-results/${id}`);
+export const getLabResult = (
+  id: string,
+  options?: ApiClientOptions,
+): Promise<LabResult> =>
+  resolveClient(options).get(`/health/lab-results/${id}`);
+
 export const createLabResult = (
   body: Record<string, unknown>,
-): Promise<LabResult> => api.post("/health/lab-results", body);
+  options?: ApiClientOptions,
+): Promise<LabResult> =>
+  resolveClient(options).post("/health/lab-results", body);
+
 export const updateLabResult = (
   id: string,
   body: Record<string, unknown>,
-): Promise<LabResult> => api.patch(`/health/lab-results/${id}`, body);
-export const deleteLabResult = (id: string): Promise<void> =>
-  api.del(`/health/lab-results/${id}`);
+  options?: ApiClientOptions,
+): Promise<LabResult> =>
+  resolveClient(options).patch(`/health/lab-results/${id}`, body);
 
-// ─── Skin ────────────────────────────────────────────────────────────────────
+export const deleteLabResult = (
+  id: string,
+  options?: ApiClientOptions,
+): Promise<void> => resolveClient(options).del(`/health/lab-results/${id}`);
 
 export interface SnapshotListParams {
   from_date?: string;
@@ -290,40 +423,47 @@ export interface SnapshotListParams {
 
 export function getSkinSnapshots(
   params: SnapshotListParams = {},
+  options?: ApiClientOptions,
 ): Promise<SkinConditionSnapshot[]> {
   const q = new URLSearchParams();
   if (params.from_date) q.set("from_date", params.from_date);
   if (params.to_date) q.set("to_date", params.to_date);
   if (params.overall_state) q.set("overall_state", params.overall_state);
   const qs = q.toString();
-  return api.get(`/skincare${qs ? `?${qs}` : ""}`);
+  return resolveClient(options).get(`/skincare${qs ? `?${qs}` : ""}`);
 }
 
-export const getSkinSnapshot = (id: string): Promise<SkinConditionSnapshot> =>
-  api.get(`/skincare/${id}`);
+export const getSkinSnapshot = (
+  id: string,
+  options?: ApiClientOptions,
+): Promise<SkinConditionSnapshot> => resolveClient(options).get(`/skincare/${id}`);
+
 export const createSkinSnapshot = (
   body: Record<string, unknown>,
-): Promise<SkinConditionSnapshot> => api.post("/skincare", body);
+  options?: ApiClientOptions,
+): Promise<SkinConditionSnapshot> => resolveClient(options).post("/skincare", body);
+
 export const updateSkinSnapshot = (
   id: string,
   body: Record<string, unknown>,
-): Promise<SkinConditionSnapshot> => api.patch(`/skincare/${id}`, body);
-export const deleteSkinSnapshot = (id: string): Promise<void> =>
-  api.del(`/skincare/${id}`);
+  options?: ApiClientOptions,
+): Promise<SkinConditionSnapshot> =>
+  resolveClient(options).patch(`/skincare/${id}`, body);
+
+export const deleteSkinSnapshot = (
+  id: string,
+  options?: ApiClientOptions,
+): Promise<void> => resolveClient(options).del(`/skincare/${id}`);
 
 export async function analyzeSkinPhotos(
-  files: File[],
+  files: File[] | FormData,
+  options?: ApiClientOptions,
 ): Promise<SkinPhotoAnalysisResponse> {
-  const body = new FormData();
-  for (const file of files) body.append("photos", file);
-  const base = browser ? "/api" : PUBLIC_API_BASE;
-  const res = await fetch(`${base}/skincare/analyze-photos`, {
-    method: "POST",
-    body,
-  });
-  if (!res.ok) {
-    const detail = await res.json().catch(() => ({ detail: res.statusText }));
-    throw new Error(detail?.detail ?? res.statusText);
+  const body = files instanceof FormData ? files : new FormData();
+
+  if (!(files instanceof FormData)) {
+    for (const file of files) body.append("photos", file);
   }
-  return res.json();
+
+  return resolveClient(options).postForm("/skincare/analyze-photos", body);
 }
diff --git a/frontend/src/lib/components/ProductForm.svelte b/frontend/src/lib/components/ProductForm.svelte
index 23dc172..fbf5bda 100644
--- a/frontend/src/lib/components/ProductForm.svelte
+++ b/frontend/src/lib/components/ProductForm.svelte
@@ -1,4 +1,4 @@
-<script lang="ts">
+	<script lang="ts">
 	import { untrack } from 'svelte';
 	import type { Product, IngredientFunction, ProductParseResponse } from '$lib/types';
 	import { Button } from '$lib/components/ui/button';
@@ -186,13 +186,27 @@
 	let editSection = $state<'basic' | 'ingredients' | 'assessment' | 'details' | 'notes'>('basic');
 	let activesPanelOpen = $state(true);
 
+	async function requestProductParse(text: string): Promise<ProductParseResponse> {
+		const response = await fetch('/api/products/parse-text', {
+			method: 'POST',
+			headers: { 'Content-Type': 'application/json' },
+			body: JSON.stringify({ text })
+		});
+
+		if (!response.ok) {
+			const detail = await response.json().catch(() => ({ detail: response.statusText }));
+			throw new Error(detail?.detail ?? response.statusText);
+		}
+
+		return response.json();
+	}
+
 	async function parseWithAi() {
 		if (!aiText.trim()) return;
 		aiLoading = true;
 		aiError = '';
 		try {
-			const { parseProductText } = await import('$lib/api');
-			const r = await parseProductText(aiText);
+			const r = await requestProductParse(aiText);
 			applyAiResult(r);
 			aiModalOpen = false;
 		} catch (e) {
diff --git a/frontend/src/lib/server/api.ts b/frontend/src/lib/server/api.ts
new file mode 100644
index 0000000..6ad4683
--- /dev/null
+++ b/frontend/src/lib/server/api.ts
@@ -0,0 +1,18 @@
+import type { ApiClientOptions } from "$lib/api";
+import { error } from "@sveltejs/kit";
+import type { RequestEvent } from "@sveltejs/kit";
+
+type SessionEvent = Pick<RequestEvent, "fetch" | "locals">;
+
+export function getSessionApiOptions(event: SessionEvent): ApiClientOptions {
+  const accessToken = event.locals.session?.accessToken;
+
+  if (!accessToken) {
+    throw error(401, "Authentication required");
+  }
+
+  return {
+    fetch: event.fetch,
+    accessToken,
+  };
+}
diff --git a/frontend/src/routes/+layout.server.ts b/frontend/src/routes/+layout.server.ts
new file mode 100644
index 0000000..9a83383
--- /dev/null
+++ b/frontend/src/routes/+layout.server.ts
@@ -0,0 +1,36 @@
+import type { LayoutServerLoad } from './$types';
+
+function getDisplayName(session: App.Locals['session']): string | null {
+	if (!session) return null;
+
+	const candidates = [
+		session.identity.name,
+		session.identity.preferred_username,
+		session.identity.email
+	];
+
+	for (const candidate of candidates) {
+		const value = candidate?.trim();
+		if (value) return value;
+	}
+
+	return null;
+}
+
+export const load: LayoutServerLoad = async ({ locals }) => {
+	if (!locals.session) {
+		return {
+			session: null
+		};
+	}
+
+	return {
+		session: {
+			expiresAt: locals.session.expiresAt,
+			user: locals.session.user,
+			identity: locals.session.identity,
+			profile: locals.session.profile,
+			displayName: getDisplayName(locals.session)
+		}
+	};
+};
diff --git a/frontend/src/routes/+layout.svelte b/frontend/src/routes/+layout.svelte
index 2219eba..003b957 100644
--- a/frontend/src/routes/+layout.svelte
+++ b/frontend/src/routes/+layout.svelte
@@ -4,6 +4,7 @@
 	import { page } from '$app/state';
 	import { resolve } from '$app/paths';
 	import * as m from '$lib/paraglide/messages.js';
+	import { Button } from '$lib/components/ui/button';
 	import LanguageSwitcher from '$lib/components/LanguageSwitcher.svelte';
 	import {
 		House,
@@ -17,34 +18,81 @@
 		Menu,
 		X
 	} from 'lucide-svelte';
+	import type { AuthIdentityPublic, AuthProfilePublic, AuthUserPublic } from '$lib/api/generated/types.gen';
+	import type { Snippet } from 'svelte';
 
-	let { children } = $props();
+	type ShellSession = {
+		expiresAt: number;
+		user: AuthUserPublic;
+		identity: AuthIdentityPublic;
+		profile: AuthProfilePublic | null;
+		displayName: string | null;
+	};
+
+	type NavRoute =
+		| '/'
+		| '/routines'
+		| '/routines/grooming-schedule'
+		| '/products'
+		| '/skin'
+		| '/profile'
+		| '/health/medications'
+		| '/health/lab-results';
+
+	type NavItem = {
+		route: NavRoute;
+		label: string;
+		icon: typeof House;
+	};
+
+	let {
+		data,
+		children
+	}: {
+		data: { session: ShellSession | null };
+		children: Snippet;
+	} = $props();
 
 	let mobileMenuOpen = $state(false);
 	const domainClass = $derived(getDomainClass(page.url.pathname));
+	const authMessages = m as typeof m &
+		Record<'auth_roleAdmin' | 'auth_roleMember' | 'auth_signedInAs' | 'auth_logout', () => string>;
+	const session = $derived(data.session);
+	const logoutPath = '/auth/logout';
+	const roleLabel = $derived(
+		session?.user.role === 'admin'
+			? authMessages['auth_roleAdmin']()
+			: session
+				? authMessages['auth_roleMember']()
+				: ''
+	);
+	const secondaryIdentity = $derived(
+		session?.identity.email ?? session?.identity.preferred_username ?? null
+	);
+	const displayName = $derived(session?.displayName ?? secondaryIdentity ?? m.common_unknown());
 
 	afterNavigate(() => {
 		mobileMenuOpen = false;
 	});
 
 	const navItems = $derived([
-		{ href: resolve('/'), label: m.nav_dashboard(), icon: House },
-		{ href: resolve('/routines'), label: m.nav_routines(), icon: ClipboardList },
-		{ href: resolve('/routines/grooming-schedule'), label: m.nav_grooming(), icon: Scissors },
-		{ href: resolve('/products'), label: m.nav_products(), icon: Package },
-		{ href: resolve('/skin'), label: m.nav_skin(), icon: Sparkles },
-		{ href: resolve('/profile'), label: m.nav_profile(), icon: UserRound },
-		{ href: resolve('/health/medications'), label: m.nav_medications(), icon: Pill },
-		{ href: resolve('/health/lab-results'), label: m["nav_labResults"](), icon: FlaskConical }
-	]);
+		{ route: '/', label: m.nav_dashboard(), icon: House },
+		{ route: '/routines', label: m.nav_routines(), icon: ClipboardList },
+		{ route: '/routines/grooming-schedule', label: m.nav_grooming(), icon: Scissors },
+		{ route: '/products', label: m.nav_products(), icon: Package },
+		{ route: '/skin', label: m.nav_skin(), icon: Sparkles },
+		{ route: '/profile', label: m.nav_profile(), icon: UserRound },
+		{ route: '/health/medications', label: m.nav_medications(), icon: Pill },
+		{ route: '/health/lab-results', label: m["nav_labResults"](), icon: FlaskConical }
+	] satisfies NavItem[]);
 
-	function isActive(href: string) {
-		if (href === '/') return page.url.pathname === '/';
+	function isActive(route: string) {
+		if (route === '/') return page.url.pathname === '/';
 		const pathname = page.url.pathname;
-		if (!pathname.startsWith(href)) return false;
-		// Don't mark parent as active if a more-specific nav item also matches
+		if (!pathname.startsWith(route)) return false;
 		const moreSpecific = navItems.some(
-			(item) => item.href !== href && item.href.startsWith(href) && pathname.startsWith(item.href)
+			(item) =>
+				item.route !== route && item.route.startsWith(route) && pathname.startsWith(item.route)
 		);
 		return !moreSpecific;
 	}
@@ -65,6 +113,12 @@
 		<div class="app-mobile-titleblock">
 			<p class="app-mobile-overline">{m["nav_appSubtitle"]()}</p>
 			<span class="app-mobile-title">{m["nav_appName"]()}</span>
+			{#if session}
+				<div class="mt-2 flex items-center gap-2 text-[0.68rem] uppercase tracking-[0.22em] text-muted-foreground">
+					<span class="truncate text-foreground">{displayName}</span>
+					<span class="rounded-full border border-border/80 bg-background/80 px-2 py-0.5 text-[0.62rem] text-foreground">{roleLabel}</span>
+				</div>
+			{/if}
 		</div>
 		<button
 			type="button"
@@ -104,12 +158,12 @@
 				</button>
 			</div>
 			<ul class="app-nav-list">
-				{#each navItems as item (item.href)}
+				{#each navItems as item (item.route)}
 					<li>
 						<a
-							href={item.href}
+							href={resolve(item.route)}
 							onclick={() => (mobileMenuOpen = false)}
-							class={`app-nav-link ${isActive(item.href) ? 'app-nav-link--active' : ''}`}
+							class={`app-nav-link ${isActive(item.route) ? 'app-nav-link--active' : ''}`}
 						>
 							<item.icon class="size-4 shrink-0" />
 							<span>{item.label}</span>
@@ -118,6 +172,23 @@
 				{/each}
 			</ul>
 			<div class="app-sidebar-footer">
+				{#if session}
+					<div class="mb-3 rounded-[1.35rem] border border-border/70 bg-background/88 px-4 py-3 shadow-sm">
+						<p class="text-[0.65rem] font-semibold uppercase tracking-[0.24em] text-muted-foreground">
+							{authMessages['auth_signedInAs']()}
+						</p>
+						<p class="mt-2 text-sm font-semibold text-foreground">{displayName}</p>
+						{#if secondaryIdentity}
+							<p class="mt-1 break-all text-xs text-muted-foreground">{secondaryIdentity}</p>
+						{/if}
+						<div class="mt-3 flex flex-wrap items-center gap-2">
+							<span class="rounded-full border border-border/80 bg-muted/40 px-2.5 py-1 text-[0.65rem] font-semibold uppercase tracking-[0.16em] text-foreground">
+								{roleLabel}
+							</span>
+							<Button href={logoutPath} data-sveltekit-reload variant="outline" size="sm">{authMessages['auth_logout']()}</Button>
+						</div>
+					</div>
+				{/if}
 				<LanguageSwitcher />
 			</div>
 		</aside>
@@ -131,11 +202,11 @@
 			</div>
 		</div>
 		<ul class="app-nav-list">
-			{#each navItems as item (item.href)}
+			{#each navItems as item (item.route)}
 				<li>
 					<a
-						href={item.href}
-						class={`app-nav-link ${isActive(item.href) ? 'app-nav-link--active' : ''}`}
+						href={resolve(item.route)}
+						class={`app-nav-link ${isActive(item.route) ? 'app-nav-link--active' : ''}`}
 					>
 						<item.icon class="size-4 shrink-0" />
 						<span>{item.label}</span>
@@ -144,6 +215,23 @@
 			{/each}
 		</ul>
 		<div class="app-sidebar-footer">
+			{#if session}
+				<div class="mb-3 rounded-[1.35rem] border border-border/70 bg-background/88 px-4 py-3 shadow-sm">
+					<p class="text-[0.65rem] font-semibold uppercase tracking-[0.24em] text-muted-foreground">
+						{authMessages['auth_signedInAs']()}
+					</p>
+					<p class="mt-2 text-sm font-semibold text-foreground">{displayName}</p>
+					{#if secondaryIdentity}
+						<p class="mt-1 break-all text-xs text-muted-foreground">{secondaryIdentity}</p>
+					{/if}
+					<div class="mt-3 flex flex-wrap items-center gap-2">
+						<span class="rounded-full border border-border/80 bg-muted/40 px-2.5 py-1 text-[0.65rem] font-semibold uppercase tracking-[0.16em] text-foreground">
+							{roleLabel}
+						</span>
+						<Button href={logoutPath} data-sveltekit-reload variant="outline" size="sm">{authMessages['auth_logout']()}</Button>
+					</div>
+				</div>
+			{/if}
 			<LanguageSwitcher />
 		</div>
 	</nav>
diff --git a/frontend/src/routes/+page.server.ts b/frontend/src/routes/+page.server.ts
index acab86d..ea40868 100644
--- a/frontend/src/routes/+page.server.ts
+++ b/frontend/src/routes/+page.server.ts
@@ -1,12 +1,15 @@
 import { getLabResults, getRoutines, getSkinSnapshots } from '$lib/api';
+import { getSessionApiOptions } from '$lib/server/api';
 import type { Routine, SkinConditionSnapshot } from '$lib/types';
 import type { PageServerLoad } from './$types';
 
-export const load: PageServerLoad = async () => {
+
+export const load: PageServerLoad = async (event) => {
+	const apiOptions = getSessionApiOptions(event);
 	const [routines, snapshots, labResults] = await Promise.all([
-		getRoutines({ from_date: recentDate(14) }),
-		getSkinSnapshots({ from_date: recentDate(60) }),
-		getLabResults({ latest_only: true, limit: 8 })
+		getRoutines({ from_date: recentDate(14) }, apiOptions),
+		getSkinSnapshots({ from_date: recentDate(60) }, apiOptions),
+		getLabResults({ latest_only: true, limit: 8 }, apiOptions)
 	]);
 	return {
 		recentRoutines: getFreshestRoutines(routines).slice(0, 10),
diff --git a/frontend/src/routes/api/products/parse-text/+server.ts b/frontend/src/routes/api/products/parse-text/+server.ts
new file mode 100644
index 0000000..8961eb6
--- /dev/null
+++ b/frontend/src/routes/api/products/parse-text/+server.ts
@@ -0,0 +1,23 @@
+import { parseProductText } from '$lib/api';
+import { getSessionApiOptions } from '$lib/server/api';
+import { error, json } from '@sveltejs/kit';
+import type { RequestHandler } from './$types';
+
+export const POST: RequestHandler = async (event) => {
+	const payload = await event.request.json().catch(() => null);
+	const text =
+		typeof payload === 'object' && payload !== null && 'text' in payload && typeof payload.text === 'string'
+			? payload.text.trim()
+			: '';
+
+	if (!text) {
+		throw error(400, 'Missing product text');
+	}
+
+	try {
+		const result = await parseProductText(text, getSessionApiOptions(event));
+		return json(result);
+	} catch (cause) {
+		throw error(502, cause instanceof Error ? cause.message : 'Failed to parse product text');
+	}
+};
diff --git a/frontend/src/routes/api/routines/steps/[id]/+server.ts b/frontend/src/routes/api/routines/steps/[id]/+server.ts
new file mode 100644
index 0000000..654a77c
--- /dev/null
+++ b/frontend/src/routes/api/routines/steps/[id]/+server.ts
@@ -0,0 +1,23 @@
+import { updateRoutineStep } from '$lib/api';
+import { getSessionApiOptions } from '$lib/server/api';
+import { error, json } from '@sveltejs/kit';
+import type { RequestHandler } from './$types';
+
+export const PATCH: RequestHandler = async (event) => {
+	const payload = await event.request.json().catch(() => null);
+
+	if (!payload || typeof payload !== 'object' || Array.isArray(payload)) {
+		throw error(400, 'Invalid routine step payload');
+	}
+
+	try {
+		const result = await updateRoutineStep(
+			event.params.id,
+			payload as Record<string, unknown>,
+			getSessionApiOptions(event)
+		);
+		return json(result);
+	} catch (cause) {
+		throw error(502, cause instanceof Error ? cause.message : 'Failed to update routine step');
+	}
+};
diff --git a/frontend/src/routes/api/skin/analyze-photos/+server.ts b/frontend/src/routes/api/skin/analyze-photos/+server.ts
new file mode 100644
index 0000000..088135b
--- /dev/null
+++ b/frontend/src/routes/api/skin/analyze-photos/+server.ts
@@ -0,0 +1,19 @@
+import { analyzeSkinPhotos } from '$lib/api';
+import { getSessionApiOptions } from '$lib/server/api';
+import { error, json } from '@sveltejs/kit';
+import type { RequestHandler } from './$types';
+
+export const POST: RequestHandler = async (event) => {
+	const formData = await event.request.formData();
+
+	if (formData.getAll('photos').length === 0) {
+		throw error(400, 'Missing skin photos');
+	}
+
+	try {
+		const result = await analyzeSkinPhotos(formData, getSessionApiOptions(event));
+		return json(result);
+	} catch (cause) {
+		throw error(502, cause instanceof Error ? cause.message : 'Failed to analyze skin photos');
+	}
+};
diff --git a/frontend/src/routes/health/lab-results/+page.server.ts b/frontend/src/routes/health/lab-results/+page.server.ts
index 1c9fa4f..b4b963f 100644
--- a/frontend/src/routes/health/lab-results/+page.server.ts
+++ b/frontend/src/routes/health/lab-results/+page.server.ts
@@ -1,4 +1,5 @@
 import { deleteLabResult, getLabResults, updateLabResult } from '$lib/api';
+import { getSessionApiOptions } from '$lib/server/api';
 import { fail } from '@sveltejs/kit';
 import type { Actions, PageServerLoad } from './$types';
 
@@ -9,7 +10,9 @@ const STATUS_GROUP_FLAGS = {
 
 type StatusGroup = 'all' | 'abnormal' | 'normal' | 'uninterpreted';
 
-export const load: PageServerLoad = async ({ url }) => {
+
+export const load: PageServerLoad = async (event) => {
+	const { url } = event;
 	const q = url.searchParams.get('q') ?? undefined;
 	const test_code = url.searchParams.get('test_code') ?? undefined;
 	const flag = url.searchParams.get('flag') ?? undefined;
@@ -41,7 +44,7 @@ export const load: PageServerLoad = async ({ url }) => {
 		latest_only: latestOnly,
 		limit,
 		offset
-	});
+	}, getSessionApiOptions(event));
 	const totalPages = Math.max(1, Math.ceil(resultPage.total / limit));
 
 	return {
@@ -64,8 +67,8 @@ function normalizeStatusGroup(value: string | null): StatusGroup {
 }
 
 export const actions: Actions = {
-	update: async ({ request }) => {
-		const form = await request.formData();
+	update: async (event) => {
+		const form = await event.request.formData();
 		const id = form.get('id') as string;
 		const collected_at = form.get('collected_at') as string;
 		const test_code = form.get('test_code') as string;
@@ -136,20 +139,20 @@ export const actions: Actions = {
 		}
 
 		try {
-			await updateLabResult(id, body);
+			await updateLabResult(id, body, getSessionApiOptions(event));
 			return { updated: true };
 		} catch (e) {
 			return fail(500, { error: (e as Error).message });
 		}
 	},
 
-	delete: async ({ request }) => {
-		const form = await request.formData();
+	delete: async (event) => {
+		const form = await event.request.formData();
 		const id = form.get('id') as string;
 		if (!id) return fail(400, { error: 'Missing id' });
 
 		try {
-			await deleteLabResult(id);
+			await deleteLabResult(id, getSessionApiOptions(event));
 			return { deleted: true };
 		} catch (e) {
 			return fail(500, { error: (e as Error).message });
diff --git a/frontend/src/routes/health/lab-results/new/+page.server.ts b/frontend/src/routes/health/lab-results/new/+page.server.ts
index e969af6..69e3294 100644
--- a/frontend/src/routes/health/lab-results/new/+page.server.ts
+++ b/frontend/src/routes/health/lab-results/new/+page.server.ts
@@ -1,4 +1,5 @@
 import { createLabResult } from '$lib/api';
+import { getSessionApiOptions } from '$lib/server/api';
 import { fail, redirect } from '@sveltejs/kit';
 import type { Actions, PageServerLoad } from './$types';
 
@@ -7,8 +8,8 @@ export const load: PageServerLoad = async () => {
 };
 
 export const actions: Actions = {
-	default: async ({ request }) => {
-		const form = await request.formData();
+	default: async (event) => {
+		const form = await event.request.formData();
 		const collected_at = form.get('collected_at') as string;
 		const test_code = form.get('test_code') as string;
 		const test_name_original = form.get('test_name_original') as string;
@@ -32,7 +33,7 @@ export const actions: Actions = {
 		if (lab) body.lab = lab;
 
 		try {
-			await createLabResult(body);
+			await createLabResult(body, getSessionApiOptions(event));
 		} catch (error) {
 			return fail(500, { error: (error as Error).message });
 		}
diff --git a/frontend/src/routes/health/medications/+page.server.ts b/frontend/src/routes/health/medications/+page.server.ts
index d30a734..88f0201 100644
--- a/frontend/src/routes/health/medications/+page.server.ts
+++ b/frontend/src/routes/health/medications/+page.server.ts
@@ -1,8 +1,11 @@
 import { getMedications } from '$lib/api';
+import { getSessionApiOptions } from '$lib/server/api';
 import type { PageServerLoad } from './$types';
 
-export const load: PageServerLoad = async ({ url }) => {
+
+export const load: PageServerLoad = async (event) => {
+	const { url } = event;
 	const kind = url.searchParams.get('kind') ?? undefined;
-	const medications = await getMedications({ kind });
+	const medications = await getMedications({ kind }, getSessionApiOptions(event));
 	return { medications, kind };
 };
diff --git a/frontend/src/routes/health/medications/new/+page.server.ts b/frontend/src/routes/health/medications/new/+page.server.ts
index 4575152..e511be9 100644
--- a/frontend/src/routes/health/medications/new/+page.server.ts
+++ b/frontend/src/routes/health/medications/new/+page.server.ts
@@ -1,4 +1,5 @@
 import { createMedication } from '$lib/api';
+import { getSessionApiOptions } from '$lib/server/api';
 import { fail, redirect } from '@sveltejs/kit';
 import type { Actions, PageServerLoad } from './$types';
 
@@ -7,8 +8,8 @@ export const load: PageServerLoad = async () => {
 };
 
 export const actions: Actions = {
-	default: async ({ request }) => {
-		const form = await request.formData();
+	default: async (event) => {
+		const form = await event.request.formData();
 		const kind = form.get('kind') as string;
 		const product_name = form.get('product_name') as string;
 		const active_substance = form.get('active_substance') as string;
@@ -24,7 +25,7 @@ export const actions: Actions = {
 				product_name,
 				active_substance: active_substance || undefined,
 				notes: notes || undefined
-			});
+			}, getSessionApiOptions(event));
 		} catch (error) {
 			return fail(500, { error: (error as Error).message });
 		}
diff --git a/frontend/src/routes/products/+page.server.ts b/frontend/src/routes/products/+page.server.ts
index 57d0492..d97c258 100644
--- a/frontend/src/routes/products/+page.server.ts
+++ b/frontend/src/routes/products/+page.server.ts
@@ -1,9 +1,11 @@
 import { getProductSummaries } from '$lib/api';
+import { getSessionApiOptions } from '$lib/server/api';
 import type { PageServerLoad } from './$types';
 
-export const load: PageServerLoad = async () => {
+
+export const load: PageServerLoad = async (event) => {
 	try {
-		const products = await getProductSummaries();
+		const products = await getProductSummaries({}, getSessionApiOptions(event));
 		return { products, loadError: null };
 	} catch (error) {
 		return {
diff --git a/frontend/src/routes/products/[id]/+page.server.ts b/frontend/src/routes/products/[id]/+page.server.ts
index bdf8be7..c5d3e65 100644
--- a/frontend/src/routes/products/[id]/+page.server.ts
+++ b/frontend/src/routes/products/[id]/+page.server.ts
@@ -6,12 +6,14 @@ import {
 	updateInventory as apiUpdateInventory,
 	deleteInventory as apiDeleteInventory
 } from '$lib/api';
+import { getSessionApiOptions } from '$lib/server/api';
 import { error, fail, redirect } from '@sveltejs/kit';
 import type { Actions, PageServerLoad } from './$types';
 
-export const load: PageServerLoad = async ({ params }) => {
+export const load: PageServerLoad = async (event) => {
+	const { params } = event;
 	try {
-		const product = await getProduct(params.id);
+		const product = await getProduct(params.id, getSessionApiOptions(event));
 		return { product };
 	} catch {
 		error(404, 'Product not found');
@@ -78,8 +80,9 @@ function parseContextRules(
 }
 
 export const actions: Actions = {
-	update: async ({ params, request }) => {
-		const form = await request.formData();
+	update: async (event) => {
+		const { params } = event;
+		const form = await event.request.formData();
 
 		const name = form.get('name') as string;
 		const brand = form.get('brand') as string;
@@ -163,24 +166,25 @@ export const actions: Actions = {
 		body.context_rules = parseContextRules(form) ?? null;
 
 		try {
-			const product = await updateProduct(params.id, body);
+			const product = await updateProduct(params.id, body, getSessionApiOptions(event));
 			return { success: true, product };
 		} catch (e) {
 			return fail(500, { error: (e as Error).message });
 		}
 	},
 
-	delete: async ({ params }) => {
+	delete: async (event) => {
 		try {
-			await deleteProduct(params.id);
+			await deleteProduct(event.params.id, getSessionApiOptions(event));
 		} catch (e) {
 			return fail(500, { error: (e as Error).message });
 		}
 		redirect(303, '/products');
 	},
 
-	addInventory: async ({ params, request }) => {
-		const form = await request.formData();
+	addInventory: async (event) => {
+		const { params } = event;
+		const form = await event.request.formData();
 		const body: Record<string, unknown> = {
 			is_opened: form.get('is_opened') === 'true'
 		};
@@ -195,15 +199,15 @@ export const actions: Actions = {
 		const notes = form.get('notes');
 		if (notes) body.notes = notes;
 		try {
-			await createInventory(params.id, body);
+			await createInventory(params.id, body, getSessionApiOptions(event));
 			return { inventoryAdded: true };
 		} catch (e) {
 			return fail(500, { error: (e as Error).message });
 		}
 	},
 
-	updateInventory: async ({ request }) => {
-		const form = await request.formData();
+	updateInventory: async (event) => {
+		const form = await event.request.formData();
 		const inventoryId = form.get('inventory_id') as string;
 		if (!inventoryId) return fail(400, { error: 'Missing inventory_id' });
 		const body: Record<string, unknown> = {
@@ -220,19 +224,19 @@ export const actions: Actions = {
 		const notes = form.get('notes');
 		body.notes = notes || null;
 		try {
-			await apiUpdateInventory(inventoryId, body);
+			await apiUpdateInventory(inventoryId, body, getSessionApiOptions(event));
 			return { inventoryUpdated: true };
 		} catch (e) {
 			return fail(500, { error: (e as Error).message });
 		}
 	},
 
-	deleteInventory: async ({ request }) => {
-		const form = await request.formData();
+	deleteInventory: async (event) => {
+		const form = await event.request.formData();
 		const inventoryId = form.get('inventory_id') as string;
 		if (!inventoryId) return fail(400, { error: 'Missing inventory_id' });
 		try {
-			await apiDeleteInventory(inventoryId);
+			await apiDeleteInventory(inventoryId, getSessionApiOptions(event));
 			return { inventoryDeleted: true };
 		} catch (e) {
 			return fail(500, { error: (e as Error).message });
diff --git a/frontend/src/routes/products/new/+page.server.ts b/frontend/src/routes/products/new/+page.server.ts
index aceb59e..6376f19 100644
--- a/frontend/src/routes/products/new/+page.server.ts
+++ b/frontend/src/routes/products/new/+page.server.ts
@@ -1,4 +1,5 @@
 import { createProduct } from '$lib/api';
+import { getSessionApiOptions } from '$lib/server/api';
 import { fail, redirect } from '@sveltejs/kit';
 import type { Actions, PageServerLoad } from './$types';
 
@@ -66,8 +67,8 @@ function parseContextRules(
 }
 
 export const actions: Actions = {
-	default: async ({ request }) => {
-		const form = await request.formData();
+	default: async (event) => {
+		const form = await event.request.formData();
 
 		const name = form.get('name') as string;
 		const brand = form.get('brand') as string;
@@ -162,7 +163,7 @@ export const actions: Actions = {
 		if (contextRules) payload.context_rules = contextRules;
 
 		try {
-			await createProduct(payload);
+			await createProduct(payload, getSessionApiOptions(event));
 		} catch (e) {
 			return fail(500, { error: (e as Error).message });
 		}
diff --git a/frontend/src/routes/profile/+page.server.ts b/frontend/src/routes/profile/+page.server.ts
index a0b8468..baa1607 100644
--- a/frontend/src/routes/profile/+page.server.ts
+++ b/frontend/src/routes/profile/+page.server.ts
@@ -1,28 +1,30 @@
 import { getProfile, updateProfile } from '$lib/api';
+import { getSessionApiOptions } from '$lib/server/api';
 import { fail } from '@sveltejs/kit';
 import type { Actions, PageServerLoad } from './$types';
 
-export const load: PageServerLoad = async () => {
-  const profile = await getProfile();
-  return { profile };
+
+export const load: PageServerLoad = async (event) => {
+	const profile = await getProfile(getSessionApiOptions(event));
+	return { profile };
 };
 
 export const actions: Actions = {
-  save: async ({ request }) => {
-    const form = await request.formData();
-    const birth_date_raw = String(form.get('birth_date') ?? '').trim();
-    const sex_at_birth_raw = String(form.get('sex_at_birth') ?? '').trim();
+	save: async (event) => {
+		const form = await event.request.formData();
+		const birth_date_raw = String(form.get('birth_date') ?? '').trim();
+		const sex_at_birth_raw = String(form.get('sex_at_birth') ?? '').trim();
 
     const payload: { birth_date?: string; sex_at_birth?: 'male' | 'female' | 'intersex' } = {};
     if (birth_date_raw) payload.birth_date = birth_date_raw;
     if (sex_at_birth_raw === 'male' || sex_at_birth_raw === 'female' || sex_at_birth_raw === 'intersex') {
       payload.sex_at_birth = sex_at_birth_raw;
-    }
+		}
 
-    try {
-      const profile = await updateProfile(payload);
-      return { saved: true, profile };
-    } catch (e) {
+		try {
+			const profile = await updateProfile(payload, getSessionApiOptions(event));
+			return { saved: true, profile };
+		} catch (e) {
       return fail(502, { error: (e as Error).message });
     }
   }
diff --git a/frontend/src/routes/routines/+page.server.ts b/frontend/src/routes/routines/+page.server.ts
index 92710e7..573f7d1 100644
--- a/frontend/src/routes/routines/+page.server.ts
+++ b/frontend/src/routes/routines/+page.server.ts
@@ -1,9 +1,12 @@
 import { getRoutines } from '$lib/api';
+import { getSessionApiOptions } from '$lib/server/api';
 import type { PageServerLoad } from './$types';
 
-export const load: PageServerLoad = async ({ url }) => {
+
+export const load: PageServerLoad = async (event) => {
+	const { url } = event;
 	const from_date = url.searchParams.get('from_date') ?? recentDate(30);
-	const routines = await getRoutines({ from_date });
+	const routines = await getRoutines({ from_date }, getSessionApiOptions(event));
 	return { routines };
 };
 
diff --git a/frontend/src/routes/routines/[id]/+page.server.ts b/frontend/src/routes/routines/[id]/+page.server.ts
index 426a4b4..dab744b 100644
--- a/frontend/src/routes/routines/[id]/+page.server.ts
+++ b/frontend/src/routes/routines/[id]/+page.server.ts
@@ -1,10 +1,16 @@
 import { addRoutineStep, deleteRoutine, deleteRoutineStep, getProductSummaries, getRoutine } from '$lib/api';
+import { getSessionApiOptions } from '$lib/server/api';
 import { error, fail, redirect } from '@sveltejs/kit';
 import type { Actions, PageServerLoad } from './$types';
 
-export const load: PageServerLoad = async ({ params }) => {
+export const load: PageServerLoad = async (event) => {
+	const { params } = event;
+	const apiOptions = getSessionApiOptions(event);
 	try {
-		const [routine, products] = await Promise.all([getRoutine(params.id), getProductSummaries()]);
+		const [routine, products] = await Promise.all([
+			getRoutine(params.id, apiOptions),
+			getProductSummaries({}, apiOptions)
+		]);
 		return { routine, products };
 	} catch {
 		error(404, 'Routine not found');
@@ -12,8 +18,9 @@ export const load: PageServerLoad = async ({ params }) => {
 };
 
 export const actions: Actions = {
-	addStep: async ({ params, request }) => {
-		const form = await request.formData();
+	addStep: async (event) => {
+		const { params } = event;
+		const form = await event.request.formData();
 		const product_id = form.get('product_id') as string;
 		const order_index = Number(form.get('order_index') ?? 0);
 		const dose = form.get('dose') as string;
@@ -25,27 +32,27 @@ export const actions: Actions = {
 		if (region) body.region = region;
 
 		try {
-			await addRoutineStep(params.id, body);
+			await addRoutineStep(params.id, body, getSessionApiOptions(event));
 			return { stepAdded: true };
 		} catch (e) {
 			return fail(500, { error: (e as Error).message });
 		}
 	},
 
-	removeStep: async ({ request }) => {
-		const form = await request.formData();
+	removeStep: async (event) => {
+		const form = await event.request.formData();
 		const step_id = form.get('step_id') as string;
 		try {
-			await deleteRoutineStep(step_id);
+			await deleteRoutineStep(step_id, getSessionApiOptions(event));
 			return { stepRemoved: true };
 		} catch (e) {
 			return fail(500, { error: (e as Error).message });
 		}
 	},
 
-	delete: async ({ params }) => {
+	delete: async (event) => {
 		try {
-			await deleteRoutine(params.id);
+			await deleteRoutine(event.params.id, getSessionApiOptions(event));
 		} catch (e) {
 			return fail(500, { error: (e as Error).message });
 		}
diff --git a/frontend/src/routes/routines/[id]/+page.svelte b/frontend/src/routes/routines/[id]/+page.svelte
index e105f3c..adafb0f 100644
--- a/frontend/src/routes/routines/[id]/+page.svelte
+++ b/frontend/src/routes/routines/[id]/+page.svelte
@@ -2,7 +2,6 @@
 	import { enhance } from '$app/forms';
 	import { resolve } from '$app/paths';
 	import { dragHandleZone, dragHandle, type DndEvent } from 'svelte-dnd-action';
-	import { updateRoutineStep } from '$lib/api';
 	import type { GroomingAction, RoutineStep } from '$lib/types';
 	import type { ActionData, PageData } from './$types';
 	import * as m from '$lib/paraglide/messages.js';
@@ -32,6 +31,21 @@
 	// ── Drag & drop reordering ────────────────────────────────────
 	let dndSaving = $state(false);
 
+	async function updateStep(stepId: string, payload: Record<string, unknown>): Promise<RoutineStep> {
+		const response = await fetch(`/api/routines/steps/${stepId}`, {
+			method: 'PATCH',
+			headers: { 'Content-Type': 'application/json' },
+			body: JSON.stringify(payload)
+		});
+
+		if (!response.ok) {
+			const detail = await response.json().catch(() => ({ detail: response.statusText }));
+			throw new Error(detail?.detail ?? response.statusText);
+		}
+
+		return response.json();
+	}
+
 	function handleConsider(e: CustomEvent<DndEvent<RoutineStep>>) {
 		steps = e.detail.items;
 	}
@@ -45,9 +59,7 @@
 		if (changed.length) {
 			dndSaving = true;
 			try {
-				await Promise.all(
-					changed.map((s) => updateRoutineStep(s.id, { order_index: s.order_index }))
-				);
+				await Promise.all(changed.map((s) => updateStep(s.id, { order_index: s.order_index })));
 			} finally {
 				dndSaving = false;
 			}
@@ -85,7 +97,7 @@
 				payload.action_type = editDraft.action_type;
 				payload.action_notes = editDraft.action_notes || null;
 			}
-			const updatedStep = await updateRoutineStep(step.id, payload);
+			const updatedStep = await updateStep(step.id, payload);
 			steps = steps.map((s) => (s.id === step.id ? { ...s, ...updatedStep } : s));
 			editingStepId = null;
 		} catch (err) {
diff --git a/frontend/src/routes/routines/grooming-schedule/+page.server.ts b/frontend/src/routes/routines/grooming-schedule/+page.server.ts
index 48f82b6..f06e66a 100644
--- a/frontend/src/routes/routines/grooming-schedule/+page.server.ts
+++ b/frontend/src/routes/routines/grooming-schedule/+page.server.ts
@@ -3,17 +3,19 @@ import {
 	getGroomingSchedule,
 	updateGroomingScheduleEntry
 } from '$lib/api';
+import { getSessionApiOptions } from '$lib/server/api';
 import { fail } from '@sveltejs/kit';
 import type { Actions, PageServerLoad } from './$types';
 
-export const load: PageServerLoad = async () => {
-	const schedule = await getGroomingSchedule();
+
+export const load: PageServerLoad = async (event) => {
+	const schedule = await getGroomingSchedule(getSessionApiOptions(event));
 	return { schedule };
 };
 
 export const actions: Actions = {
-	update: async ({ request }) => {
-		const form = await request.formData();
+	update: async (event) => {
+		const form = await event.request.formData();
 		const id = form.get('id') as string;
 		if (!id) return fail(400, { error: 'Missing id' });
 		const body: Record<string, unknown> = {};
@@ -24,19 +26,19 @@ export const actions: Actions = {
 		const notes = (form.get('notes') as string)?.trim();
 		body.notes = notes || null;
 		try {
-			await updateGroomingScheduleEntry(id, body);
+			await updateGroomingScheduleEntry(id, body, getSessionApiOptions(event));
 			return { updated: true };
 		} catch (e) {
 			return fail(500, { error: (e as Error).message });
 		}
 	},
 
-	delete: async ({ request }) => {
-		const form = await request.formData();
+	delete: async (event) => {
+		const form = await event.request.formData();
 		const id = form.get('id') as string;
 		if (!id) return fail(400, { error: 'Missing id' });
 		try {
-			await deleteGroomingScheduleEntry(id);
+			await deleteGroomingScheduleEntry(id, getSessionApiOptions(event));
 			return { deleted: true };
 		} catch (e) {
 			return fail(500, { error: (e as Error).message });
diff --git a/frontend/src/routes/routines/grooming-schedule/new/+page.server.ts b/frontend/src/routes/routines/grooming-schedule/new/+page.server.ts
index 5351fd3..4dd8a45 100644
--- a/frontend/src/routes/routines/grooming-schedule/new/+page.server.ts
+++ b/frontend/src/routes/routines/grooming-schedule/new/+page.server.ts
@@ -1,4 +1,5 @@
 import { createGroomingScheduleEntry } from '$lib/api';
+import { getSessionApiOptions } from '$lib/server/api';
 import { fail, redirect } from '@sveltejs/kit';
 import type { Actions, PageServerLoad } from './$types';
 
@@ -7,8 +8,8 @@ export const load: PageServerLoad = async () => {
 };
 
 export const actions: Actions = {
-	default: async ({ request }) => {
-		const form = await request.formData();
+	default: async (event) => {
+		const form = await event.request.formData();
 		const day_of_week = form.get('day_of_week');
 		const action = form.get('action') as string;
 
@@ -24,7 +25,7 @@ export const actions: Actions = {
 		if (notes) body.notes = notes;
 
 		try {
-			await createGroomingScheduleEntry(body);
+			await createGroomingScheduleEntry(body, getSessionApiOptions(event));
 		} catch (error) {
 			return fail(500, { error: (error as Error).message });
 		}
diff --git a/frontend/src/routes/routines/new/+page.server.ts b/frontend/src/routes/routines/new/+page.server.ts
index b0222f9..4d1a70e 100644
--- a/frontend/src/routes/routines/new/+page.server.ts
+++ b/frontend/src/routes/routines/new/+page.server.ts
@@ -1,4 +1,5 @@
 import { createRoutine } from '$lib/api';
+import { getSessionApiOptions } from '$lib/server/api';
 import { fail, redirect } from '@sveltejs/kit';
 import type { Actions, PageServerLoad } from './$types';
 
@@ -7,8 +8,8 @@ export const load: PageServerLoad = async () => {
 };
 
 export const actions: Actions = {
-	default: async ({ request }) => {
-		const form = await request.formData();
+	default: async (event) => {
+		const form = await event.request.formData();
 		const routine_date = form.get('routine_date') as string;
 		const part_of_day = form.get('part_of_day') as string;
 		const notes = form.get('notes') as string;
@@ -19,7 +20,10 @@ export const actions: Actions = {
 
 		let routine;
 		try {
-			routine = await createRoutine({ routine_date, part_of_day, notes: notes || undefined });
+			routine = await createRoutine(
+				{ routine_date, part_of_day, notes: notes || undefined },
+				getSessionApiOptions(event)
+			);
 		} catch (e) {
 			return fail(500, { error: (e as Error).message });
 		}
diff --git a/frontend/src/routes/routines/suggest/+page.server.ts b/frontend/src/routes/routines/suggest/+page.server.ts
index 49d645c..390f319 100644
--- a/frontend/src/routes/routines/suggest/+page.server.ts
+++ b/frontend/src/routes/routines/suggest/+page.server.ts
@@ -1,16 +1,19 @@
 import { addRoutineStep, createRoutine, getProductSummaries, suggestBatch, suggestRoutine } from '$lib/api';
+import { getSessionApiOptions } from '$lib/server/api';
 import { fail, redirect } from '@sveltejs/kit';
 import type { Actions, PageServerLoad } from './$types';
 
-export const load: PageServerLoad = async () => {
-	const products = await getProductSummaries();
+
+export const load: PageServerLoad = async (event) => {
+	const apiOptions = getSessionApiOptions(event);
+	const products = await getProductSummaries({}, apiOptions);
 	const today = new Date().toISOString().slice(0, 10);
 	return { products, today };
 };
 
 export const actions: Actions = {
-	suggest: async ({ request }) => {
-		const form = await request.formData();
+	suggest: async (event) => {
+		const form = await event.request.formData();
 		const routine_date = form.get('routine_date') as string;
 		const part_of_day = form.get('part_of_day') as 'am' | 'pm';
 		const notes = (form.get('notes') as string) || undefined;
@@ -29,15 +32,15 @@ export const actions: Actions = {
 				notes,
 				include_minoxidil_beard,
 				leaving_home
-			});
+			}, getSessionApiOptions(event));
 			return { suggestion, routine_date, part_of_day };
 		} catch (e) {
 			return fail(502, { error: (e as Error).message });
 		}
 	},
 
-	suggestBatch: async ({ request }) => {
-		const form = await request.formData();
+	suggestBatch: async (event) => {
+		const form = await event.request.formData();
 		const from_date = form.get('from_date') as string;
 		const to_date = form.get('to_date') as string;
 		const notes = (form.get('notes') as string) || undefined;
@@ -55,15 +58,18 @@ export const actions: Actions = {
 		}
 
 		try {
-			const batch = await suggestBatch({ from_date, to_date, notes, include_minoxidil_beard, minimize_products });
+			const batch = await suggestBatch(
+				{ from_date, to_date, notes, include_minoxidil_beard, minimize_products },
+				getSessionApiOptions(event)
+			);
 			return { batch, from_date, to_date };
 		} catch (e) {
 			return fail(502, { error: (e as Error).message });
 		}
 	},
 
-	save: async ({ request }) => {
-		const form = await request.formData();
+	save: async (event) => {
+		const form = await event.request.formData();
 		const routine_date = form.get('routine_date') as string;
 		const part_of_day = form.get('part_of_day') as string;
 		const steps_json = form.get('steps') as string;
@@ -86,7 +92,8 @@ export const actions: Actions = {
 
 		let routineId: string;
 		try {
-			const routine = await createRoutine({ routine_date, part_of_day });
+			const apiOptions = getSessionApiOptions(event);
+			const routine = await createRoutine({ routine_date, part_of_day }, apiOptions);
 			routineId = routine.id;
 			for (let i = 0; i < steps.length; i++) {
 				const s = steps[i];
@@ -96,7 +103,7 @@ export const actions: Actions = {
 					action_type: s.action_type || undefined,
 					action_notes: s.action_notes || undefined,
 					region: s.region || undefined
-				});
+				}, apiOptions);
 			}
 		} catch (e) {
 			return fail(500, { error: (e as Error).message });
@@ -104,8 +111,8 @@ export const actions: Actions = {
 		redirect(303, `/routines/${routineId}`);
 	},
 
-	saveBatch: async ({ request }) => {
-		const form = await request.formData();
+	saveBatch: async (event) => {
+		const form = await event.request.formData();
 		const days_json = form.get('days') as string;
 
 		if (!days_json) {
@@ -134,11 +141,12 @@ export const actions: Actions = {
 		}
 
 		try {
+			const apiOptions = getSessionApiOptions(event);
 			for (const day of days) {
 				for (const part_of_day of ['am', 'pm'] as const) {
 					const steps = part_of_day === 'am' ? day.am_steps : day.pm_steps;
 					if (steps.length === 0) continue;
-					const routine = await createRoutine({ routine_date: day.date, part_of_day });
+					const routine = await createRoutine({ routine_date: day.date, part_of_day }, apiOptions);
 					for (let i = 0; i < steps.length; i++) {
 						const s = steps[i];
 						await addRoutineStep(routine.id, {
@@ -147,7 +155,7 @@ export const actions: Actions = {
 							action_type: s.action_type || undefined,
 							action_notes: s.action_notes || undefined,
 							region: s.region || undefined
-						});
+						}, apiOptions);
 					}
 				}
 			}
diff --git a/frontend/src/routes/skin/+page.server.ts b/frontend/src/routes/skin/+page.server.ts
index 93e938d..4175448 100644
--- a/frontend/src/routes/skin/+page.server.ts
+++ b/frontend/src/routes/skin/+page.server.ts
@@ -1,16 +1,19 @@
 import { deleteSkinSnapshot, getSkinSnapshots, updateSkinSnapshot } from '$lib/api';
+import { getSessionApiOptions } from '$lib/server/api';
 import { fail } from '@sveltejs/kit';
 import type { Actions, PageServerLoad } from './$types';
 
-export const load: PageServerLoad = async ({ url }) => {
+
+export const load: PageServerLoad = async (event) => {
+	const { url } = event;
 	const overall_state = url.searchParams.get('overall_state') ?? undefined;
-	const snapshots = await getSkinSnapshots({ overall_state });
+	const snapshots = await getSkinSnapshots({ overall_state }, getSessionApiOptions(event));
 	return { snapshots, overall_state };
 };
 
 export const actions: Actions = {
-	update: async ({ request }) => {
-		const form = await request.formData();
+	update: async (event) => {
+		const form = await event.request.formData();
 		const id = form.get('id') as string;
 		const snapshot_date = form.get('snapshot_date') as string;
 		const overall_state = form.get('overall_state') as string;
@@ -50,19 +53,19 @@ export const actions: Actions = {
 		if (sebum_cheeks) body.sebum_cheeks = Number(sebum_cheeks);
 
 		try {
-			await updateSkinSnapshot(id, body);
+			await updateSkinSnapshot(id, body, getSessionApiOptions(event));
 			return { updated: true };
 		} catch (e) {
 			return fail(500, { error: (e as Error).message });
 		}
 	},
 
-	delete: async ({ request }) => {
-		const form = await request.formData();
+	delete: async (event) => {
+		const form = await event.request.formData();
 		const id = form.get('id') as string;
 		if (!id) return fail(400, { error: 'Missing id' });
 		try {
-			await deleteSkinSnapshot(id);
+			await deleteSkinSnapshot(id, getSessionApiOptions(event));
 			return { deleted: true };
 		} catch (e) {
 			return fail(500, { error: (e as Error).message });
diff --git a/frontend/src/routes/skin/new/+page.server.ts b/frontend/src/routes/skin/new/+page.server.ts
index 2a8504f..639f61e 100644
--- a/frontend/src/routes/skin/new/+page.server.ts
+++ b/frontend/src/routes/skin/new/+page.server.ts
@@ -1,4 +1,5 @@
 import { createSkinSnapshot } from '$lib/api';
+import { getSessionApiOptions } from '$lib/server/api';
 import { fail, redirect } from '@sveltejs/kit';
 import type { Actions, PageServerLoad } from './$types';
 
@@ -7,8 +8,8 @@ export const load: PageServerLoad = async () => {
 };
 
 export const actions: Actions = {
-	default: async ({ request }) => {
-		const form = await request.formData();
+	default: async (event) => {
+		const form = await event.request.formData();
 		const snapshot_date = form.get('snapshot_date') as string;
 		const overall_state = form.get('overall_state') as string;
 		const texture = form.get('texture') as string;
@@ -52,7 +53,7 @@ export const actions: Actions = {
 		if (sebum_cheeks) body.sebum_cheeks = Number(sebum_cheeks);
 
 		try {
-			await createSkinSnapshot(body);
+			await createSkinSnapshot(body, getSessionApiOptions(event));
 		} catch (error) {
 			return fail(500, { error: (error as Error).message });
 		}
diff --git a/frontend/src/routes/skin/new/+page.svelte b/frontend/src/routes/skin/new/+page.svelte
index 67975d1..7996f8a 100644
--- a/frontend/src/routes/skin/new/+page.svelte
+++ b/frontend/src/routes/skin/new/+page.svelte
@@ -1,6 +1,5 @@
 <script lang="ts">
 	import { resolve } from '$app/paths';
-	import { analyzeSkinPhotos } from '$lib/api';
 	import FlashMessages from '$lib/components/FlashMessages.svelte';
 	import LabeledInputField from '$lib/components/forms/LabeledInputField.svelte';
 	import PageHeader from '$lib/components/PageHeader.svelte';
@@ -73,6 +72,20 @@
 	let aiLoading = $state(false);
 	let aiError = $state('');
 
+	async function requestSkinAnalysis(formData: FormData) {
+		const response = await fetch('/api/skin/analyze-photos', {
+			method: 'POST',
+			body: formData
+		});
+
+		if (!response.ok) {
+			const detail = await response.json().catch(() => ({ detail: response.statusText }));
+			throw new Error(detail?.detail ?? response.statusText);
+		}
+
+		return response.json();
+	}
+
 	const flashMessages = $derived(form?.error ? [{ kind: 'error' as const, text: form.error }] : []);
 
 	$effect(() => {
@@ -103,7 +116,12 @@
 		aiLoading = true;
 		aiError = '';
 		try {
-			const result = await analyzeSkinPhotos(selectedFiles);
+			const formData = new FormData();
+			for (const file of selectedFiles) {
+				formData.append('photos', file);
+			}
+
+			const result = await requestSkinAnalysis(formData);
 			if (result.overall_state) overallState = result.overall_state;
 			if (result.texture) texture = result.texture;
 			if (result.skin_type) skinType = result.skin_type;

From dac787b81b77d28758085ba8fb2617dbac79d8d7 Mon Sep 17 00:00:00 2001
From: Piotr Oleszczyk <piotr@oleszczyk.eu>
Date: Thu, 12 Mar 2026 16:42:00 +0100
Subject: [PATCH 09/10] test(auth): add multi-user regression coverage

- Enable backend tests in CI (remove if: false)
- Fix test_products_helpers.py to pass current_user parameter
- Fix test_routines_helpers.py to include short_id in products
- Fix llm_context.py to use product_effect_profile correctly
- All 221 tests passing
---
 .forgejo/workflows/ci.yml                     |    2 -
 .sisyphus/boulder.json                        |    9 +
 .sisyphus/evidence/task-T10-health-check.txt  |    9 +
 .sisyphus/evidence/task-T10-missing-env.txt   |   41 +
 .../evidence/task-T11-backend-regression.txt  |  283 +++++
 .sisyphus/evidence/task-T11-ci-enabled.txt    |    6 +
 .../task-T2-migration-missing-bootstrap.txt   |   37 +
 .../evidence/task-T2-migration-upgrade.txt    |    3 +
 .../evidence/task-T2-missing-bootstrap.sqlite |  Bin 0 -> 163840 bytes
 .sisyphus/evidence/task-T2-upgrade.sqlite     |  Bin 0 -> 208896 bytes
 .sisyphus/evidence/task-T4-authz-denied.txt   |   63 +
 .sisyphus/evidence/task-T4-authz-happy.txt    |   68 ++
 .sisyphus/evidence/task-T5-product-denied.txt |   62 +
 .../evidence/task-T5-product-sharing.txt      |   63 +
 .sisyphus/evidence/task-T6-domain-tenancy.txt |   62 +
 .sisyphus/evidence/task-T6-routine-scope.txt  |   61 +
 .sisyphus/evidence/task-T8-backend-qa.log     |  158 +++
 .sisyphus/evidence/task-T8-backend-sqlite.log |   40 +
 .sisyphus/evidence/task-T8-backend.log        |    5 +
 .sisyphus/evidence/task-T8-frontend-qa.log    |   44 +
 .../evidence/task-T8-frontend-sqlite.log      |   56 +
 .sisyphus/evidence/task-T8-frontend.log       |  228 ++++
 .sisyphus/evidence/task-T8-oidc-mock.log      |   85 ++
 .sisyphus/evidence/task-T8-qa.sqlite          |  Bin 0 -> 323584 bytes
 .../task-T9-admin-households-denied.txt       |   67 ++
 .../evidence/task-T9-admin-households.txt     |   65 +
 .../T10-runtime-config.md                     |   13 +
 .../multi-user-authelia-oidc/decisions.md     |    5 +
 .../multi-user-authelia-oidc/issues.md        |    3 +
 .../multi-user-authelia-oidc/learnings.md     |   15 +
 .../multi-user-authelia-oidc/problems.md      |    3 +
 .sisyphus/plans/multi-user-authelia-oidc.md   |  604 ++++++++++
 backend/.coverage                             |  Bin 53248 -> 53248 bytes
 backend/innercontext/api/llm_context.py       |    2 +-
 backend/tests/test_products_helpers.py        |   33 +-
 backend/tests/test_routines_helpers.py        |   11 +-
 backend/uv.lock                               |   16 +
 frontend/openapi.json                         |  742 +++++++++++-
 frontend/src/lib/api/generated/index.ts       |    2 +-
 frontend/src/lib/api/generated/types.gen.ts   |  212 ++++
 tests/lab-results.json                        | 1057 ++++++++++++++++
 tests/routine_benchmark.py                    | 1060 +++++++++++++++++
 tests/routines_suggest_history_experiment.csv |   13 +
 .../routines_suggest_history_experiment.jsonl |   12 +
 tests/skincare.json                           |    1 +
 45 files changed, 5298 insertions(+), 23 deletions(-)
 create mode 100644 .sisyphus/boulder.json
 create mode 100644 .sisyphus/evidence/task-T10-health-check.txt
 create mode 100644 .sisyphus/evidence/task-T10-missing-env.txt
 create mode 100644 .sisyphus/evidence/task-T11-backend-regression.txt
 create mode 100644 .sisyphus/evidence/task-T11-ci-enabled.txt
 create mode 100644 .sisyphus/evidence/task-T2-migration-missing-bootstrap.txt
 create mode 100644 .sisyphus/evidence/task-T2-migration-upgrade.txt
 create mode 100644 .sisyphus/evidence/task-T2-missing-bootstrap.sqlite
 create mode 100644 .sisyphus/evidence/task-T2-upgrade.sqlite
 create mode 100644 .sisyphus/evidence/task-T4-authz-denied.txt
 create mode 100644 .sisyphus/evidence/task-T4-authz-happy.txt
 create mode 100644 .sisyphus/evidence/task-T5-product-denied.txt
 create mode 100644 .sisyphus/evidence/task-T5-product-sharing.txt
 create mode 100644 .sisyphus/evidence/task-T6-domain-tenancy.txt
 create mode 100644 .sisyphus/evidence/task-T6-routine-scope.txt
 create mode 100644 .sisyphus/evidence/task-T8-backend-qa.log
 create mode 100644 .sisyphus/evidence/task-T8-backend-sqlite.log
 create mode 100644 .sisyphus/evidence/task-T8-backend.log
 create mode 100644 .sisyphus/evidence/task-T8-frontend-qa.log
 create mode 100644 .sisyphus/evidence/task-T8-frontend-sqlite.log
 create mode 100644 .sisyphus/evidence/task-T8-frontend.log
 create mode 100644 .sisyphus/evidence/task-T8-oidc-mock.log
 create mode 100644 .sisyphus/evidence/task-T8-qa.sqlite
 create mode 100644 .sisyphus/evidence/task-T9-admin-households-denied.txt
 create mode 100644 .sisyphus/evidence/task-T9-admin-households.txt
 create mode 100644 .sisyphus/notepads/multi-user-authelia-oidc/T10-runtime-config.md
 create mode 100644 .sisyphus/notepads/multi-user-authelia-oidc/decisions.md
 create mode 100644 .sisyphus/notepads/multi-user-authelia-oidc/issues.md
 create mode 100644 .sisyphus/notepads/multi-user-authelia-oidc/learnings.md
 create mode 100644 .sisyphus/notepads/multi-user-authelia-oidc/problems.md
 create mode 100644 .sisyphus/plans/multi-user-authelia-oidc.md
 create mode 100644 tests/lab-results.json
 create mode 100644 tests/routine_benchmark.py
 create mode 100644 tests/routines_suggest_history_experiment.csv
 create mode 100644 tests/routines_suggest_history_experiment.jsonl
 create mode 100644 tests/skincare.json

diff --git a/.forgejo/workflows/ci.yml b/.forgejo/workflows/ci.yml
index 4b38516..28497fa 100644
--- a/.forgejo/workflows/ci.yml
+++ b/.forgejo/workflows/ci.yml
@@ -83,8 +83,6 @@ jobs:
   backend-test:
     name: Backend Tests
     runs-on: lxc
-    # Disabled for now since tests are not integrated yet
-    if: false
     steps:
       - name: Checkout code
         uses: actions/checkout@v4
diff --git a/.sisyphus/boulder.json b/.sisyphus/boulder.json
new file mode 100644
index 0000000..c5ac8c2
--- /dev/null
+++ b/.sisyphus/boulder.json
@@ -0,0 +1,9 @@
+{
+  "active_plan": "/Users/piotr/dev/innercontext/.sisyphus/plans/multi-user-authelia-oidc.md",
+  "started_at": "2026-03-12T13:31:34.526Z",
+  "session_ids": [
+    "ses_31e44571affeyTpySqhHAuYVAm"
+  ],
+  "plan_name": "multi-user-authelia-oidc",
+  "agent": "atlas"
+}
\ No newline at end of file
diff --git a/.sisyphus/evidence/task-T10-health-check.txt b/.sisyphus/evidence/task-T10-health-check.txt
new file mode 100644
index 0000000..7fa6cd3
--- /dev/null
+++ b/.sisyphus/evidence/task-T10-health-check.txt
@@ -0,0 +1,9 @@
+Scenario: Health check handles auth redirects
+Steps: Run updated scripts/healthcheck.sh
+Expected: Success despite auth redirects
+
+Output:
+[2026-03-12 15:55:04] ✓ innercontext is healthy
+[2026-03-12 15:55:04] ✓ innercontext-node is healthy (status 302)
+[2026-03-12 15:55:04] ✓ innercontext-pricing-worker is running
+[2026-03-12 15:55:04] All services healthy
diff --git a/.sisyphus/evidence/task-T10-missing-env.txt b/.sisyphus/evidence/task-T10-missing-env.txt
new file mode 100644
index 0000000..706e683
--- /dev/null
+++ b/.sisyphus/evidence/task-T10-missing-env.txt
@@ -0,0 +1,41 @@
+Scenario: Deploy validation rejects missing auth config
+Steps: Run scripts/validate-env.sh with missing OIDC var
+Expected: Exits non-zero, names missing var
+
+Output:
+=== Validating Shared Directory Structure ===
+✓ Shared directory exists: /tmp/innercontext/shared
+✓ Shared backend .env exists: /tmp/innercontext/shared/backend/.env
+✓ Shared frontend .env.production exists: /tmp/innercontext/shared/frontend/.env.production
+
+=== Validating Symlinks in Current Release ===
+✓ Symlink correct: /tmp/innercontext/current/backend/.env -> ../../../shared/backend/.env
+✓ Symlink correct: /tmp/innercontext/current/frontend/.env.production -> ../../../shared/frontend/.env.production
+
+=== Validating Backend Environment Variables ===
+✓ DATABASE_URL is set
+✓ GEMINI_API_KEY is set
+⚠ LOG_LEVEL not found in /tmp/innercontext/shared/backend/.env (optional)
+⚠ CORS_ORIGINS not found in /tmp/innercontext/shared/backend/.env (optional)
+✗ OIDC_ISSUER not found in /tmp/innercontext/shared/backend/.env
+✗ OIDC_CLIENT_ID not found in /tmp/innercontext/shared/backend/.env
+✗ OIDC_DISCOVERY_URL not found in /tmp/innercontext/shared/backend/.env
+✗ OIDC_ADMIN_GROUPS not found in /tmp/innercontext/shared/backend/.env
+✗ OIDC_MEMBER_GROUPS not found in /tmp/innercontext/shared/backend/.env
+⚠ OIDC_JWKS_CACHE_TTL_SECONDS not found in /tmp/innercontext/shared/backend/.env (optional)
+⚠ BOOTSTRAP_ADMIN_OIDC_ISSUER not found in /tmp/innercontext/shared/backend/.env (optional)
+⚠ BOOTSTRAP_ADMIN_OIDC_SUB not found in /tmp/innercontext/shared/backend/.env (optional)
+⚠ BOOTSTRAP_ADMIN_EMAIL not found in /tmp/innercontext/shared/backend/.env (optional)
+⚠ BOOTSTRAP_ADMIN_NAME not found in /tmp/innercontext/shared/backend/.env (optional)
+⚠ BOOTSTRAP_HOUSEHOLD_NAME not found in /tmp/innercontext/shared/backend/.env (optional)
+
+=== Validating Frontend Environment Variables ===
+✓ PUBLIC_API_BASE is set
+✓ ORIGIN is set
+✗ SESSION_SECRET not found in /tmp/innercontext/shared/frontend/.env.production
+✗ OIDC_ISSUER not found in /tmp/innercontext/shared/frontend/.env.production
+✗ OIDC_CLIENT_ID not found in /tmp/innercontext/shared/frontend/.env.production
+✗ OIDC_DISCOVERY_URL not found in /tmp/innercontext/shared/frontend/.env.production
+
+✗ Found 9 error(s) in environment configuration
+  And 8 warning(s)
diff --git a/.sisyphus/evidence/task-T11-backend-regression.txt b/.sisyphus/evidence/task-T11-backend-regression.txt
new file mode 100644
index 0000000..9025ce0
--- /dev/null
+++ b/.sisyphus/evidence/task-T11-backend-regression.txt
@@ -0,0 +1,283 @@
+============================= test session starts ==============================
+platform darwin -- Python 3.12.12, pytest-9.0.2, pluggy-1.6.0 -- /Users/piotr/dev/innercontext/backend/.venv/bin/python3
+cachedir: .pytest_cache
+rootdir: /Users/piotr/dev/innercontext/backend
+configfile: pyproject.toml
+testpaths: tests
+plugins: anyio-4.12.1, cov-7.0.0
+collecting ... collected 221 items
+
+tests/test_admin_households.py::test_list_users_returns_local_users_with_memberships PASSED [  0%]
+tests/test_admin_households.py::test_create_household_returns_new_household PASSED [  0%]
+tests/test_admin_households.py::test_assign_member_creates_membership PASSED [  1%]
+tests/test_admin_households.py::test_assign_member_rejects_already_assigned_user PASSED [  1%]
+tests/test_admin_households.py::test_assign_member_rejects_unsynced_user PASSED [  2%]
+tests/test_admin_households.py::test_move_member_moves_user_between_households PASSED [  2%]
+tests/test_admin_households.py::test_move_member_rejects_user_without_membership PASSED [  3%]
+tests/test_admin_households.py::test_move_member_rejects_same_household_target PASSED [  3%]
+tests/test_admin_households.py::test_remove_membership_deletes_membership PASSED [  4%]
+tests/test_admin_households.py::test_remove_membership_requires_matching_household PASSED [  4%]
+tests/test_admin_households.py::test_admin_household_routes_forbidden_for_member[get-/admin/users-None] PASSED [  4%]
+tests/test_admin_households.py::test_admin_household_routes_forbidden_for_member[post-/admin/households-None] PASSED [  5%]
+tests/test_admin_households.py::test_admin_household_routes_forbidden_for_member[post-/admin/households/10224193-681a-4152-9f5d-0891985e14b6/members-json_body2] PASSED [  5%]
+tests/test_admin_households.py::test_admin_household_routes_forbidden_for_member[patch-/admin/households/d7b58743-f82d-4443-876b-1d400df1d467/members/aca7a450-3653-4189-9ae7-5ae6c9e7bc49-None] PASSED [  6%]
+tests/test_admin_households.py::test_admin_household_routes_forbidden_for_member[delete-/admin/households/70436972-2a6a-4294-a0d6-d864791866d1/members/da4bec8d-c1ae-43fa-a0ad-05a4d9803918-None] PASSED [  6%]
+tests/test_ai_logs.py::test_list_ai_logs_normalizes_tool_trace_string PASSED [  7%]
+tests/test_ai_logs.py::test_get_ai_log_normalizes_tool_trace_string PASSED [  7%]
+tests/test_auth.py::test_validate_access_token_uses_cached_jwks PASSED   [  8%]
+tests/test_auth.py::test_sync_protected_endpoints_create_or_resolve_current_user[/auth/session/sync] PASSED [  8%]
+tests/test_auth.py::test_sync_protected_endpoints_create_or_resolve_current_user[/auth/me] PASSED [  9%]
+tests/test_auth.py::test_unauthorized_protected_endpoints_return_401[/auth/me expects 401] PASSED [  9%]
+tests/test_auth.py::test_unauthorized_protected_endpoints_return_401[/profile expects 401] PASSED [  9%]
+tests/test_auth.py::test_unauthorized_invalid_bearer_token_is_rejected PASSED [ 10%]
+tests/test_auth.py::test_require_admin_raises_for_member PASSED          [ 10%]
+tests/test_authz.py::test_owner_helpers_return_only_owned_records PASSED [ 11%]
+tests/test_authz.py::test_admin_helpers_allow_admin_override_for_lookup_and_list PASSED [ 11%]
+tests/test_authz.py::test_owner_denied_for_non_owned_lookup_returns_404 PASSED [ 12%]
+tests/test_authz.py::test_household_shared_inventory_access_allows_same_household_member PASSED [ 12%]
+tests/test_authz.py::test_household_shared_inventory_denied_for_cross_household_member PASSED [ 13%]
+tests/test_authz.py::test_household_inventory_update_rules_owner_admin_and_member PASSED [ 13%]
+tests/test_authz.py::test_product_visibility_for_owner_admin_and_household_shared PASSED [ 14%]
+tests/test_authz.py::test_product_visibility_denied_for_cross_household_member PASSED [ 14%]
+tests/test_health.py::test_create_medication_minimal PASSED              [ 14%]
+tests/test_health.py::test_create_medication_invalid_kind PASSED         [ 15%]
+tests/test_health.py::test_list_medications_empty PASSED                 [ 15%]
+tests/test_health.py::test_list_filter_kind PASSED                       [ 16%]
+tests/test_health.py::test_list_filter_product_name PASSED               [ 16%]
+tests/test_health.py::test_get_medication PASSED                         [ 17%]
+tests/test_health.py::test_get_medication_not_found PASSED               [ 17%]
+tests/test_health.py::test_update_medication PASSED                      [ 18%]
+tests/test_health.py::test_update_medication_not_found PASSED            [ 18%]
+tests/test_health.py::test_delete_medication_no_usages PASSED            [ 19%]
+tests/test_health.py::test_delete_medication_with_usages PASSED          [ 19%]
+tests/test_health.py::test_create_usage PASSED                           [ 19%]
+tests/test_health.py::test_create_usage_medication_not_found PASSED      [ 20%]
+tests/test_health.py::test_list_usages_empty PASSED                      [ 20%]
+tests/test_health.py::test_list_usages_returns_entries PASSED            [ 21%]
+tests/test_health.py::test_update_usage PASSED                           [ 21%]
+tests/test_health.py::test_update_usage_not_found PASSED                 [ 22%]
+tests/test_health.py::test_delete_usage PASSED                           [ 22%]
+tests/test_health.py::test_delete_usage_not_found PASSED                 [ 23%]
+tests/test_health.py::test_create_lab_result PASSED                      [ 23%]
+tests/test_health.py::test_create_lab_result_invalid_code PASSED         [ 23%]
+tests/test_health.py::test_create_lab_result_invalid_flag PASSED         [ 24%]
+tests/test_health.py::test_list_lab_results_empty PASSED                 [ 24%]
+tests/test_health.py::test_list_filter_test_code PASSED                  [ 25%]
+tests/test_health.py::test_list_filter_flag PASSED                       [ 25%]
+tests/test_health.py::test_list_filter_date_range PASSED                 [ 26%]
+tests/test_health.py::test_list_lab_results_search_and_pagination PASSED [ 26%]
+tests/test_health.py::test_list_lab_results_sorted_newest_first PASSED   [ 27%]
+tests/test_health.py::test_list_lab_results_test_code_sorted_numerically_for_same_date PASSED [ 27%]
+tests/test_health.py::test_list_lab_results_latest_only_returns_one_per_test_code PASSED [ 28%]
+tests/test_health.py::test_get_lab_result PASSED                         [ 28%]
+tests/test_health.py::test_get_lab_result_not_found PASSED               [ 28%]
+tests/test_health.py::test_update_lab_result PASSED                      [ 29%]
+tests/test_health.py::test_update_lab_result_can_clear_and_switch_value_type PASSED [ 29%]
+tests/test_health.py::test_delete_lab_result PASSED                      [ 30%]
+tests/test_inventory.py::test_get_inventory_by_id PASSED                 [ 30%]
+tests/test_inventory.py::test_get_inventory_not_found PASSED             [ 31%]
+tests/test_inventory.py::test_update_inventory_opened PASSED             [ 31%]
+tests/test_inventory.py::test_update_inventory_not_found PASSED          [ 32%]
+tests/test_inventory.py::test_delete_inventory PASSED                    [ 32%]
+tests/test_inventory.py::test_delete_inventory_not_found PASSED          [ 33%]
+tests/test_llm_profile_context.py::test_build_user_profile_context_without_data PASSED [ 33%]
+tests/test_llm_profile_context.py::test_build_user_profile_context_with_data PASSED [ 33%]
+tests/test_product_model.py::test_always_present_keys PASSED             [ 34%]
+tests/test_product_model.py::test_optional_string_fields_absent_when_none PASSED [ 34%]
+tests/test_product_model.py::test_optional_string_fields_present_when_set PASSED [ 35%]
+tests/test_product_model.py::test_ph_exact_collapses PASSED              [ 35%]
+tests/test_product_model.py::test_ph_range PASSED                        [ 36%]
+tests/test_product_model.py::test_ph_only_min PASSED                     [ 36%]
+tests/test_product_model.py::test_ph_only_max PASSED                     [ 37%]
+tests/test_product_model.py::test_actives_pydantic_objects PASSED        [ 37%]
+tests/test_product_model.py::test_actives_raw_dicts PASSED               [ 38%]
+tests/test_product_model.py::test_effect_profile_all_zeros_omitted PASSED [ 38%]
+tests/test_product_model.py::test_effect_profile_nonzero_included PASSED [ 38%]
+tests/test_product_model.py::test_context_rules_all_none_omitted PASSED  [ 39%]
+tests/test_product_model.py::test_context_rules_with_value PASSED        [ 39%]
+tests/test_product_model.py::test_safety_dict_present_when_set PASSED    [ 40%]
+tests/test_product_model.py::test_empty_lists_omitted PASSED             [ 40%]
+tests/test_product_model.py::test_nonempty_lists_included PASSED         [ 41%]
+tests/test_products.py::test_create_minimal PASSED                       [ 41%]
+tests/test_products.py::test_create_with_actives PASSED                  [ 42%]
+tests/test_products.py::test_create_invalid_enum PASSED                  [ 42%]
+tests/test_products.py::test_create_missing_required PASSED              [ 42%]
+tests/test_products.py::test_list_empty PASSED                           [ 43%]
+tests/test_products.py::test_list_returns_created PASSED                 [ 43%]
+tests/test_products.py::test_list_filter_category PASSED                 [ 44%]
+tests/test_products.py::test_list_filter_brand PASSED                    [ 44%]
+tests/test_products.py::test_list_filter_is_medication PASSED            [ 45%]
+tests/test_products.py::test_list_filter_targets PASSED                  [ 45%]
+tests/test_products.py::test_get_by_id PASSED                            [ 46%]
+tests/test_products.py::test_get_not_found PASSED                        [ 46%]
+tests/test_products.py::test_update_name PASSED                          [ 47%]
+tests/test_products.py::test_update_json_field PASSED                    [ 47%]
+tests/test_products.py::test_update_not_found PASSED                     [ 47%]
+tests/test_products.py::test_delete PASSED                               [ 48%]
+tests/test_products.py::test_delete_not_found PASSED                     [ 48%]
+tests/test_products.py::test_list_inventory_empty PASSED                 [ 49%]
+tests/test_products.py::test_list_inventory_product_not_found PASSED     [ 49%]
+tests/test_products.py::test_create_inventory PASSED                     [ 50%]
+tests/test_products.py::test_create_inventory_product_not_found PASSED   [ 50%]
+tests/test_products.py::test_parse_text_accepts_numeric_strength_levels PASSED [ 51%]
+tests/test_products_auth.py::test_product_endpoints_require_authentication PASSED [ 51%]
+tests/test_products_auth.py::test_shared_product_visible_in_summary_marks_is_owned_false PASSED [ 52%]
+tests/test_products_auth.py::test_shared_product_visible_filters_private_inventory_rows PASSED [ 52%]
+tests/test_products_auth.py::test_shared_inventory_update_allows_household_member PASSED [ 52%]
+tests/test_products_auth.py::test_household_member_cannot_edit_shared_product PASSED [ 53%]
+tests/test_products_auth.py::test_household_member_cannot_delete_shared_product PASSED [ 53%]
+tests/test_products_auth.py::test_household_member_cannot_create_or_delete_inventory_on_shared_product PASSED [ 54%]
+tests/test_products_auth.py::test_household_member_cannot_update_non_shared_inventory PASSED [ 54%]
+tests/test_products_helpers.py::test_build_shopping_context PASSED       [ 55%]
+tests/test_products_helpers.py::test_build_shopping_context_flags_replenishment_signal PASSED [ 55%]
+tests/test_products_helpers.py::test_compute_replenishment_score_prefers_recent_staples_without_backup PASSED [ 56%]
+tests/test_products_helpers.py::test_compute_replenishment_score_downranks_sealed_backup_and_stale_usage PASSED [ 56%]
+tests/test_products_helpers.py::test_compute_days_since_last_used_returns_none_without_usage PASSED [ 57%]
+tests/test_products_helpers.py::test_suggest_shopping PASSED             [ 57%]
+tests/test_products_helpers.py::test_suggest_shopping_invalid_json_returns_502 PASSED [ 57%]
+tests/test_products_helpers.py::test_suggest_shopping_invalid_schema_returns_502 PASSED [ 58%]
+tests/test_products_helpers.py::test_suggest_shopping_invalid_target_concern_returns_502 PASSED [ 58%]
+tests/test_products_helpers.py::test_shopping_context_medication_skip PASSED [ 59%]
+tests/test_products_helpers.py::test_extract_requested_product_ids_dedupes_and_limits PASSED [ 59%]
+tests/test_products_helpers.py::test_shopping_tool_handlers_return_payloads PASSED [ 60%]
+tests/test_products_helpers.py::test_shopping_tool_handler_includes_last_used_on_from_mapping PASSED [ 60%]
+tests/test_products_helpers.py::test_shopping_validator_accepts_freeform_product_type_and_frequency PASSED [ 61%]
+tests/test_products_pricing.py::test_compute_pricing_outputs_groups_by_category PASSED [ 61%]
+tests/test_products_pricing.py::test_price_tier_is_null_when_not_enough_products PASSED [ 61%]
+tests/test_products_pricing.py::test_price_tier_is_computed_by_worker PASSED [ 62%]
+tests/test_products_pricing.py::test_price_tier_uses_fallback_for_medium_categories PASSED [ 62%]
+tests/test_products_pricing.py::test_price_tier_stays_null_for_tiny_categories_even_with_fallback_pool PASSED [ 63%]
+tests/test_products_pricing.py::test_product_write_enqueues_pricing_job PASSED [ 63%]
+tests/test_profile.py::test_get_profile_empty PASSED                     [ 64%]
+tests/test_profile.py::test_upsert_profile_create_and_get PASSED         [ 64%]
+tests/test_profile.py::test_upsert_profile_updates_existing_row PASSED   [ 65%]
+tests/test_routines.py::test_create_routine_minimal PASSED               [ 65%]
+tests/test_routines.py::test_create_routine_invalid_part_of_day PASSED   [ 66%]
+tests/test_routines.py::test_list_routines_empty PASSED                  [ 66%]
+tests/test_routines.py::test_list_filter_date_range PASSED               [ 66%]
+tests/test_routines.py::test_list_filter_part_of_day PASSED              [ 67%]
+tests/test_routines.py::test_get_routine PASSED                          [ 67%]
+tests/test_routines.py::test_get_routine_not_found PASSED                [ 68%]
+tests/test_routines.py::test_update_routine_notes PASSED                 [ 68%]
+tests/test_routines.py::test_update_routine_not_found PASSED             [ 69%]
+tests/test_routines.py::test_delete_routine PASSED                       [ 69%]
+tests/test_routines.py::test_add_step_action_only PASSED                 [ 70%]
+tests/test_routines.py::test_add_step_with_product PASSED                [ 70%]
+tests/test_routines.py::test_add_step_routine_not_found PASSED           [ 71%]
+tests/test_routines.py::test_update_step PASSED                          [ 71%]
+tests/test_routines.py::test_update_step_not_found PASSED                [ 71%]
+tests/test_routines.py::test_delete_step PASSED                          [ 72%]
+tests/test_routines.py::test_delete_step_not_found PASSED                [ 72%]
+tests/test_routines.py::test_list_grooming_schedule_empty PASSED         [ 73%]
+tests/test_routines.py::test_create_grooming_schedule PASSED             [ 73%]
+tests/test_routines.py::test_list_grooming_schedule_returns_entry PASSED [ 74%]
+tests/test_routines.py::test_update_grooming_schedule PASSED             [ 74%]
+tests/test_routines.py::test_delete_grooming_schedule PASSED             [ 75%]
+tests/test_routines.py::test_delete_grooming_schedule_not_found PASSED   [ 75%]
+tests/test_routines.py::test_suggest_routine PASSED                      [ 76%]
+tests/test_routines.py::test_suggest_batch PASSED                        [ 76%]
+tests/test_routines.py::test_suggest_batch_invalid_date_range PASSED     [ 76%]
+tests/test_routines.py::test_suggest_batch_too_long PASSED               [ 77%]
+tests/test_routines_auth.py::test_suggest_uses_current_user_profile_and_visible_products_only PASSED [ 77%]
+tests/test_routines_helpers.py::test_contains_minoxidil_text PASSED      [ 78%]
+tests/test_routines_helpers.py::test_is_minoxidil_product PASSED         [ 78%]
+tests/test_routines_helpers.py::test_ev PASSED                           [ 79%]
+tests/test_routines_helpers.py::test_build_skin_context PASSED           [ 79%]
+tests/test_routines_helpers.py::test_build_skin_context_falls_back_to_recent_snapshot_within_14_days PASSED [ 80%]
+tests/test_routines_helpers.py::test_build_skin_context_ignores_snapshot_older_than_14_days PASSED [ 80%]
+tests/test_routines_helpers.py::test_get_recent_skin_snapshot_prefers_window_match PASSED [ 80%]
+tests/test_routines_helpers.py::test_get_latest_skin_snapshot_within_days_uses_latest_within_14_days PASSED [ 81%]
+tests/test_routines_helpers.py::test_build_grooming_context PASSED       [ 81%]
+tests/test_routines_helpers.py::test_build_upcoming_grooming_context PASSED [ 82%]
+tests/test_routines_helpers.py::test_build_recent_history PASSED         [ 82%]
+tests/test_routines_helpers.py::test_build_recent_history_uses_reference_window PASSED [ 83%]
+tests/test_routines_helpers.py::test_build_recent_history_excludes_future_routines PASSED [ 83%]
+tests/test_routines_helpers.py::test_build_products_context_summary_list PASSED [ 84%]
+tests/test_routines_helpers.py::test_build_objectives_context PASSED     [ 84%]
+tests/test_routines_helpers.py::test_build_day_context PASSED            [ 85%]
+tests/test_routines_helpers.py::test_get_available_products_respects_filters PASSED [ 85%]
+tests/test_routines_helpers.py::test_build_product_details_tool_handler_returns_only_available_ids PASSED [ 85%]
+tests/test_routines_helpers.py::test_extract_requested_product_ids_dedupes_and_limits PASSED [ 86%]
+tests/test_routines_helpers.py::test_extract_active_names_uses_compact_distinct_names PASSED [ 86%]
+tests/test_routines_helpers.py::test_get_available_products_excludes_minoxidil_when_flag_false PASSED [ 87%]
+tests/test_routines_helpers.py::test_filter_products_by_interval PASSED  [ 87%]
+tests/test_routines_helpers.py::test_filter_products_by_interval_never_used_passes PASSED [ 88%]
+tests/test_routines_helpers.py::test_product_details_tool_handler_returns_product_payloads PASSED [ 88%]
+tests/test_skincare.py::test_create_snapshot_minimal PASSED              [ 89%]
+tests/test_skincare.py::test_create_snapshot_full PASSED                 [ 89%]
+tests/test_skincare.py::test_create_snapshot_invalid_state PASSED        [ 90%]
+tests/test_skincare.py::test_list_snapshots_empty PASSED                 [ 90%]
+tests/test_skincare.py::test_list_filter_date_range PASSED               [ 90%]
+tests/test_skincare.py::test_list_filter_overall_state PASSED            [ 91%]
+tests/test_skincare.py::test_get_snapshot PASSED                         [ 91%]
+tests/test_skincare.py::test_get_snapshot_not_found PASSED               [ 92%]
+tests/test_skincare.py::test_update_snapshot_state PASSED                [ 92%]
+tests/test_skincare.py::test_update_snapshot_concerns PASSED             [ 93%]
+tests/test_skincare.py::test_update_snapshot_not_found PASSED            [ 93%]
+tests/test_skincare.py::test_delete_snapshot PASSED                      [ 94%]
+tests/test_skincare.py::test_delete_snapshot_not_found PASSED            [ 94%]
+tests/test_skincare.py::test_analyze_photos_includes_user_profile_context PASSED [ 95%]
+tests/test_tenancy_domains.py::test_profile_health_routines_skincare_ai_logs_are_user_scoped_by_default PASSED [ 95%]
+tests/test_tenancy_domains.py::test_health_admin_override_requires_explicit_user_id PASSED [ 95%]
+tests/validators/test_routine_validator.py::test_detects_retinoid_acid_conflict PASSED [ 96%]
+tests/validators/test_routine_validator.py::test_rejects_unknown_product_ids PASSED [ 96%]
+tests/validators/test_routine_validator.py::test_enforces_min_interval_hours PASSED [ 97%]
+tests/validators/test_routine_validator.py::test_blocks_dose_field PASSED [ 97%]
+tests/validators/test_routine_validator.py::test_missing_spf_in_am_leaving_home PASSED [ 98%]
+tests/validators/test_routine_validator.py::test_compromised_barrier_restrictions PASSED [ 98%]
+tests/validators/test_routine_validator.py::test_step_must_have_product_or_action PASSED [ 99%]
+tests/validators/test_routine_validator.py::test_step_cannot_have_both_product_and_action PASSED [ 99%]
+tests/validators/test_routine_validator.py::test_accepts_valid_routine PASSED [100%]
+
+================================ tests coverage ================================
+______________ coverage: platform darwin, python 3.12.12-final-0 _______________
+
+Name                                                 Stmts   Miss  Cover   Missing
+----------------------------------------------------------------------------------
+innercontext/api/__init__.py                             0      0   100%
+innercontext/api/admin.py                               93      1    99%   142
+innercontext/api/ai_logs.py                             63     12    81%   19, 21, 25-26, 29-30, 55-57, 77, 79, 109
+innercontext/api/auth.py                                68      4    94%   66, 69, 74, 109
+innercontext/api/auth_deps.py                           25      1    96%   43
+innercontext/api/authz.py                              100     12    88%   25-26, 39, 49, 83, 91, 108, 125, 128, 158, 167, 174
+innercontext/api/health.py                             236      8    97%   145, 158-163, 412, 414, 418
+innercontext/api/inventory.py                           30      0   100%
+innercontext/api/llm_context.py                        106     42    60%   19-21, 67, 77, 114, 116, 118, 120-131, 142, 146-149, 180-217
+innercontext/api/product_llm_tools.py                  107     33    69%   12-17, 25, 53, 63, 67-80, 133-134, 155-161, 193
+innercontext/api/products.py                           638     76    88%   82, 84, 88, 109-126, 284, 287-289, 317-318, 331, 340-341, 343, 345, 347-348, 381, 413, 415, 419, 425, 429, 520, 524, 528, 532, 536, 542, 544, 587, 604, 606, 657, 661, 692, 867, 870-871, 880-881, 887, 890-891, 918, 920, 922, 924, 933-934, 983, 1007, 1045, 1082, 1176, 1249, 1251, 1253, 1256, 1360-1375, 1392, 1439-1442, 1449-1450, 1453
+innercontext/api/profile.py                             39      0   100%
+innercontext/api/routines.py                           632     89    86%   67-84, 101-103, 112-117, 129-133, 323-324, 465, 477, 552, 592, 594, 599, 640-641, 664-693, 715, 719-721, 833, 986-1002, 1019, 1023-1024, 1030, 1033, 1039, 1064-1065, 1069, 1115-1119, 1130, 1201-1203, 1236, 1240-1241, 1247-1264, 1284-1285, 1331-1333, 1340-1341, 1344, 1454, 1485
+innercontext/api/skincare.py                           150     18    88%   147-149, 162-166, 179, 191, 196, 231-232, 242-245, 251, 254-255
+innercontext/api/utils.py                               22      2    91%   51, 59
+innercontext/auth.py                                   236     42    82%   67-70, 75, 134, 137, 142, 144, 147-149, 156, 201-210, 216, 224-225, 232, 242, 247, 254-255, 261, 274, 298, 300, 314-315, 344-346, 378-384
+innercontext/llm.py                                    134    117    13%   62-66, 74-102, 118-214, 231-326
+innercontext/llm_safety.py                              18      6    67%   18, 59, 80-83
+innercontext/models/__init__.py                         13      0   100%
+innercontext/models/ai_log.py                           33      0   100%
+innercontext/models/api_metadata.py                     15      0   100%
+innercontext/models/base.py                              3      0   100%
+innercontext/models/domain.py                            4      0   100%
+innercontext/models/enums.py                           152      0   100%
+innercontext/models/health.py                           64      0   100%
+innercontext/models/household.py                        14      0   100%
+innercontext/models/household_membership.py             20      0   100%
+innercontext/models/pricing.py                          19      0   100%
+innercontext/models/product.py                         226     34    85%   203-205, 209-230, 253, 255, 257, 259, 261, 263, 265, 267, 271, 286, 318, 320, 336, 338, 340, 342, 349-354
+innercontext/models/profile.py                          17      0   100%
+innercontext/models/routine.py                          42      0   100%
+innercontext/models/skincare.py                         37      0   100%
+innercontext/models/user.py                             19      0   100%
+innercontext/services/__init__.py                        0      0   100%
+innercontext/services/fx.py                             57     42    26%   16, 20-22, 26-48, 54-67, 71-77
+innercontext/services/pricing_jobs.py                   89     29    67%   35, 39, 53-67, 74-80, 94, 123-130, 136
+innercontext/validators/__init__.py                      7      0   100%
+innercontext/validators/base.py                         22      2    91%   35, 52
+innercontext/validators/batch_validator.py             128     84    34%   61-62, 67-68, 71-72, 82-83, 87-91, 100-119, 123-142, 146, 167-203, 214-240, 250-273
+innercontext/validators/photo_validator.py              65     33    49%   82-87, 94-101, 108-115, 122-129, 145, 151-152, 165, 171-178
+innercontext/validators/product_parse_validator.py     110     46    58%   112, 115, 117, 142, 165, 172, 186, 192-198, 205-239, 244-249, 252-257, 266-267, 274-275, 282, 287, 291, 298, 308, 315, 319, 339
+innercontext/validators/routine_validator.py           146     17    88%   72-73, 111-117, 126, 187, 195, 208, 216, 234, 241, 266-267, 292
+innercontext/validators/shopping_validator.py           78     20    74%   52-53, 58-59, 70, 91, 114, 123, 137-138, 142, 151-152, 156-159, 161, 193, 196-199, 203
+----------------------------------------------------------------------------------
+TOTAL                                                 4077    770    81%
+Coverage HTML written to dir htmlcov
+============================= 221 passed in 2.98s ==============================
diff --git a/.sisyphus/evidence/task-T11-ci-enabled.txt b/.sisyphus/evidence/task-T11-ci-enabled.txt
new file mode 100644
index 0000000..d1cca2d
--- /dev/null
+++ b/.sisyphus/evidence/task-T11-ci-enabled.txt
@@ -0,0 +1,6 @@
+  backend-test:
+    name: Backend Tests
+    runs-on: lxc
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
diff --git a/.sisyphus/evidence/task-T2-migration-missing-bootstrap.txt b/.sisyphus/evidence/task-T2-migration-missing-bootstrap.txt
new file mode 100644
index 0000000..b2621dd
--- /dev/null
+++ b/.sisyphus/evidence/task-T2-migration-missing-bootstrap.txt
@@ -0,0 +1,37 @@
+INFO  [alembic.runtime.migration] Context impl SQLiteImpl.
+INFO  [alembic.runtime.migration] Will assume non-transactional DDL.
+INFO  [alembic.runtime.migration] Running upgrade 9f3a2c1b4d5e -> 4b7d2e9f1c3a, add auth tables and ownership
+Traceback (most recent call last):
+  File "/Users/piotr/dev/innercontext/backend/.venv/bin/alembic", line 10, in <module>
+    sys.exit(main())
+             ^^^^^^
+  File "/Users/piotr/dev/innercontext/backend/.venv/lib/python3.12/site-packages/alembic/config.py", line 1047, in main
+    CommandLine(prog=prog).main(argv=argv)
+  File "/Users/piotr/dev/innercontext/backend/.venv/lib/python3.12/site-packages/alembic/config.py", line 1037, in main
+    self.run_cmd(cfg, options)
+  File "/Users/piotr/dev/innercontext/backend/.venv/lib/python3.12/site-packages/alembic/config.py", line 971, in run_cmd
+    fn(
+  File "/Users/piotr/dev/innercontext/backend/.venv/lib/python3.12/site-packages/alembic/command.py", line 483, in upgrade
+    script.run_env()
+  File "/Users/piotr/dev/innercontext/backend/.venv/lib/python3.12/site-packages/alembic/script/base.py", line 545, in run_env
+    util.load_python_file(self.dir, "env.py")
+  File "/Users/piotr/dev/innercontext/backend/.venv/lib/python3.12/site-packages/alembic/util/pyfiles.py", line 116, in load_python_file
+    module = load_module_py(module_id, path)
+             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+  File "/Users/piotr/dev/innercontext/backend/.venv/lib/python3.12/site-packages/alembic/util/pyfiles.py", line 136, in load_module_py
+    spec.loader.exec_module(module)  # type: ignore
+    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+  File "<frozen importlib._bootstrap_external>", line 999, in exec_module
+  File "<frozen importlib._bootstrap>", line 488, in _call_with_frames_removed
+  File "/Users/piotr/dev/innercontext/backend/alembic/env.py", line 51, in <module>
+    run_migrations_online()
+  File "/Users/piotr/dev/innercontext/backend/alembic/env.py", line 45, in run_migrations_online
+    context.run_migrations()
+  File "<string>", line 8, in run_migrations
+  File "/Users/piotr/dev/innercontext/backend/.venv/lib/python3.12/site-packages/alembic/runtime/environment.py", line 969, in run_migrations
+    self.get_context().run_migrations(**kw)
+  File "/Users/piotr/dev/innercontext/backend/.venv/lib/python3.12/site-packages/alembic/runtime/migration.py", line 626, in run_migrations
+    step.migration_fn(**kw)
+  File "/Users/piotr/dev/innercontext/backend/alembic/versions/4b7d2e9f1c3a_add_auth_tables_and_ownership.py", line 243, in upgrade
+    raise RuntimeError(
+RuntimeError: Legacy data requires bootstrap admin identity; missing required env vars: BOOTSTRAP_ADMIN_OIDC_ISSUER, BOOTSTRAP_ADMIN_OIDC_SUB
diff --git a/.sisyphus/evidence/task-T2-migration-upgrade.txt b/.sisyphus/evidence/task-T2-migration-upgrade.txt
new file mode 100644
index 0000000..5116be5
--- /dev/null
+++ b/.sisyphus/evidence/task-T2-migration-upgrade.txt
@@ -0,0 +1,3 @@
+INFO  [alembic.runtime.migration] Context impl SQLiteImpl.
+INFO  [alembic.runtime.migration] Will assume non-transactional DDL.
+INFO  [alembic.runtime.migration] Running upgrade 9f3a2c1b4d5e -> 4b7d2e9f1c3a, add auth tables and ownership
diff --git a/.sisyphus/evidence/task-T2-missing-bootstrap.sqlite b/.sisyphus/evidence/task-T2-missing-bootstrap.sqlite
new file mode 100644
index 0000000000000000000000000000000000000000..384cf228d6e4688792d7f82f81ee75045f855830
GIT binary patch
literal 163840
zcmeI)&2QW09l&wZj;R;FC~=c8ZR3Ql>)1q{Wz3svv<9X)iX+sKTiMPFhT@qlF)<Up
zxT4giy$ni=6c~2f4n6i*?9yXzJN7mNJq+kSQD8j{MKNF`C0V3JDhbeaDEl=MTYMh!
z;qUo8zlSFIG~Ik>-E0`@-CDg;Xs8#44i8Dv(C<`rXlUrT{dd9s+x<Ffe>l|LuzyOP
z&tV^r5B=s(M@OBVQ$ITUETn#%yfgV^;_Jy%6H^nd@wM?MV_%IQ9$OiEocwHTIPraQ
zJ8>rQdHl2Zck&PMO8koa<>)u^M<eT_k4N7a{$lu~^r`fw^k&%Ue%|uzoUFXNBn_F>
zlJU@buWUn#LbFkGw}mK_jmnN$6phNB*sIq{&0@n6dSLOH*3@iFxv?a*&bkMi55;b+
zX&Jk<a!FL|W{kSEYwlUXE~^W(6j=G{YCe<R%Bb1g)y!@6X-%jbIW@2ub)j<-t(ABs
zrmWdP%?u8zUMt&?2828NY!Nxf4+zJp)><<&G3AyWOL}lDy*NUYUU{~dyzLB#&AXfS
zarsnCSz3}Ff6yrGgpl+O@C@tePE1?rE9;rCQAsAulDc|5onN?cUQ=@$TWW55eSJ|)
zCOYF4T-iHe*x@e!&2-*v`?A03V%;b-jFPag4Oi{l+REO@_)oo88d(2!K6@jbzoWjD
zxuY(aCCv%<+D1N;UCTLT3*P87HJ`bb$!Bt_nav)8<sRn@!PU%q#!m0m^yX^%YUW@|
z-K6z4;*<?Kesv?axs^|6b6aZjy}>h1-Ogp-+0OJPM^ekGgQkD4XP$u;=L3spvZtTF
zDLt?$wRPrXOqrRH9x47LwDxzmri0VXmI}|YpE?ne+J$LZS(^#FdiJ6fy^dO^uD>iR
z^NLjHUIg3`7ET7cpH3c}+`W1ygF5-(UQixgI}uY9Mf&7{>*Q9s-(K|TbPfrJshOps
zFfFTT)Ya}Jx}+bNq3%vrbLYNMY=rOib5BHn`nx?9?e3I}YQt=NxS#Z%PA;n6&S*(Z
zdr4MSl(2DZw|d_F@v`>f(|6U~U0>QfE-Q0$QhRU;rYIK5Wl^r(v%H@b-%xpLoQsCK
zmASp8dagj)k|HZ_&4q>PJznVEtrHKA#*~#6sWsx}iuJ&(iejx=G8<;CDy(W@&z@Zk
zE3EvOFU+vLf<xXoCM(62u#m&r5_(w8@trAIId@KKx;?p9uhlAM^`5YbyGE&5Hu?%)
z@WtL&9UOG}1zFiX7Z!A1BSP;hI=Xu}rp(Vvt&|&Qz1D1)RYO<}W6$z!9P!2Hs|t*5
zQSI*2Nf2%Mh^*Y04-2-tw|i!x`!=W6CS_%MS}J;D?1pEhf+BN&8}%pVxs<G|PCq3E
z`{uE8dh775aaoz2mD)EN<-(4r8&<R2usk0peCPL6s0($YSgV)p`^f%CE=|Zvb~Y>$
zPb)(AY)rOBlQAc)TFb6Q#VDD@f;&5!R^gsu^%acyqU)<36yu`m+1=k2Ej>0U^E}73
z!xDO5(Rd{uQ*>QwjUMcYeNC*JzOHmi5@CJm)DP;6wwjQYTY4C{C%jH$zK}a*$(yqM
zYjIwxxFI_iQ0IZ;u35H|!n+ak1?sB`oGjXMY|z~BH6Yvz_x^d~jYI8(Xy1l(o_~Z{
zecz6`R{yZCVAK~|Uv*%7i|YP<?Nrv%ql3nOfA4M-Lhmb**M>clx>Id+e~tu288)d$
z22JX2i~Av1&a-vgd4jz!#gx}xlUif$aCRRf-?#5&?O!(sHivxy9jH_nItPhrv$B8R
z(S3Zd&oqBx!u~F${xxL(;R^u-5I_I{1Q0*~0R#|0009IdA}}cp&n@4*P&i-IcP^GL
z8SUr)Z--LfMx=vu0|5jOKmY**5I_I{1Q0*~fnSlp8EJTXd0D@F@$$usXO}J)cFtbB
zT--TZ*wIU8FJCI$UH+}EFTZ}in6ynK`{AGG|6fsZ&{YHwKmY**5I_I{1Q0*~fyfBV
zk8CHN<@w)P|F{3qKVJwSfB*srAb<b@2q1s}0tg@wVF73TpXdJw4=`Or009ILKmY**
z5I_I{1Q0;L7GV9KG(Z3W1Q0*~0R#|0009ILKp^@8tp7)UjOif)2q1s}0tg_000Iag
zfB*ul|C0j<Ab<b@2q1s}0tg_000Ia^Ux4-h=#McyL;wK<5I_I{1Q0*~0R#|0fc1ZJ
z009ILKmY**5I_I{1Q0*~f#?gc{vZ7@riTb1fB*srAb<b@2q1s}0tm4FPYxh}00Iag
zfB*srAb<b@2p|xB0oMPcKgRSB0R#|0009ILKmY**5I_I{*8j-?1Q0*~0R#|0009IL
zKmY**qA$SufAq(g9wLAM0tg_000IagfB*srAi(-RIe-8H2q1s}0tg_000IagfI##G
zSpSdy7}G-p5I_I{1Q0*~0R#|0009J8|0f3!KmY**5I_I{1Q0*~0R#|;z5wh0(H~=a
zhyVfzAb<b@2q1s}0tg_00PFwc00IagfB*srAb<b@2q1s}0?`*>{XhC+Ob-!2009IL
zKmY**5I_I{1Q1~TpBz8{0R#|0009ILKmY**5I`XM0<8Z>e~jrN0tg_000IagfB*sr
zAb<b@tpAe(2q1s}0tg_000IagfB*srL|=gQ|LBh~JwyNj1Q0*~0R#|0009ILK!E3e
zasUAY5I_I{1Q0*~0R#|00D<TW@cbYBF{XzIAb<b@2q1s}0tg_000Ic`@BhgG1Q0*~
z0R#|0009ILKmY**qA$SufAq(g9wLAM0tg_000IagfB*srAi(-RIe-8H2q1s}0tg_0
z00IagfI##GSpSdy7}G-p5I_I{1Q0*~0R#|0009Je{wD_zKmY**5I_I{1Q0*~0R#|;
zz5vhv(H~=ahyVfzAb<b@2q1s}0tg_00MGyA00IagfB*srAb<b@2q1s}0?`-X`9Jz&
zOb-!2009ILKmY**5I_I{1Q6i=|4$AefB*srAb<b@2q1s}0tg@weF4`0qd&&<5CH@b
zKmY**5I_I{1Q0*~fr<E)p%d~CL#e-}rc%G3yfgV^;_Jy%6H^nd@wM?MV_%IQ9$OiE
zocwHTIPraQJ8>rQdHl2Zck&PMO8koa<>)u^M<eT_k4N7a{$lu~^r`fw^yaU}G&?6N
z?=DG0X0>EIwB9S54MP-~jheeHM4@a{cFdw^RQAMPy;f=#8<x-mi_f&CW@E~YC8>4R
zJ=lCGc56+`*sYaIqGC5=)U91}&k}Z7U6`f7%2!wOne<jh&E~FVZmUmgLfy!zfz7B3
zos(#-#49mn%?@g2a8UJH*^V?I+}US~$T@yMI8L?Jnwg0yx9nKbgJbE%5u)_Uv&H0X
zXFzP;-L#L(r((*|lJxk4Mqwv}q<4U4SWkCi+Dczp&xDOiGGUg~)$8f}!iDpin%me?
zbKC3di)u2_8L!~V-U-7FclmFo^KRRh{Y@9^MxkMpM4_QxwR3ALdn4mN^<HUU{oDEM
zjdcEw`c~$Sx?q+xC){fr`Al{#=aemYqtn!U=2|A7$*pEKdkB_$oHGPhGwT^Uy;swl
ztLdwmgDrKF*4v0vHt6`(joju|KAp{Nsm=EW&p35EmwjhD)0-SgEq+D%d-(M4^~^KS
z;(TE7O!oAkD@ounLJurfTW3zjl$jank>XE6YkzlZIyl{Isqh^8sT0BB8~WqgOxV@4
z7p<qG)~V|+%gVeW6}lGzcZ7wL!S1J%2Pb#0-pQa&KDZZ@N7qio6h)CfdEh#^RqnSJ
zeL9^(!eMG=sVGd#Y8rL5JBcpo2WF_dlhxe0ZxkEhd;Q!K(VzZqPer>sC8OFf8z1f`
zy{D6ls<$&*QcL}L=;n$NHjeF9&$~Zf)?SpAr|qh{yS}t}Tvq1hr1szxOi?V9%c5Mn
zXL&y>zM=BgI2R3dD|35G^<06pB}G==nhOind%V!STPGeKjVUWDQftJ`73+an6~$V$
zWH!uNRan)+o;|x7R#^ElUzlNg1&6$GOje33VIhaLCG@bG<2zHba_*eebbE5IUaM8i
z>OEl<ca2iBZ1fep;ETPlIymU`3$n6(E-dK2Mugs1baeM{OqrjTS}8Zqdac<otA?-|
z#-8QdIO2=XR}~oBqT1c3lOWpi5m~u09~NwPZ}-eX_iawCP0Gsjv{dxQ*bUE01x4om
zHtJ8zb17L_oqkFT_RVAG^w!~9<FYb4E46Pl%7q<KH>_s4VR=4I_|EUCP#5Y(u~skH
z_mTaPT$+%T>}*&ho>qkJ*_dpNCSy)owU%9ricvC)1$TBdt-?LS>MI!YMb}q7D8@zA
zv%9}5T6%0y=6Q~5hb8pBqVY;Rrs%rV8a>z(`<hrceO>94B*OaAsUOrCZ8ae)xAZV@
zPk5cid?9zrk~d}h*W$cXaYJ@4pw0uwU9)T_g?A(73)EK?I9asi*r2)LYe2Xc?)~$|
z8;9Bn(Y_7oJpTx@`o0}=t^Q$O!Kg2`zUsjE7S;Xz+NrFiM+c4n{@&dvgx*&quMK-9
zb*I|u{u~L4GHg<h44Ty47WYH24%tu6ap&pzz7$hldrfMMxx?9gjC|j|m$iT09M~N8
z1$3ZNUFaMns?Ey&eTVn)L3955|B3j&hf@Dc{Vnx}$*(3KjsIo*`q+QQ?j-+_d_8f+
zuHp*;1Q0*~0R#|;g1}Gt>fU<Qee3&i`+*_w{eEEKobT2xaF@;-Ip;-2(2HKD%=3Q3
zxkq;2uzFtX+<nkndvNd9&62x_V5#2Mu$>y;8(60-?B!`vW5FVP{ltC0_)A!@$g0o(
z+WCL~2AgG+zGar6N$#D$`)|wbcRIdFyk8MElmGwAC>N$><+;}Zele>YKiz_b_R`Z|
Ko<IM4_WuHjRlbG*

literal 0
HcmV?d00001

diff --git a/.sisyphus/evidence/task-T2-upgrade.sqlite b/.sisyphus/evidence/task-T2-upgrade.sqlite
new file mode 100644
index 0000000000000000000000000000000000000000..930e43b6f92073cab5a737a1836b0e0ec2c67450
GIT binary patch
literal 208896
zcmeI)Pi!06eZX;!WDO<ipZ|~7Yk5ajWQnzRwY2I8u2)ECnU)z#)LNoec3Njjkz;FY
zij+Cz#@-+;C@s7|du@t66%BI9sW}xr^ibr|9)sL_Z4U(sv<O-t2vBrp$RXd59NKF$
zlq`RDqZQ}9H}C!4=e>C|kK=gl?vhc|)ra}QcB-h(295?KDezrY4Fm$Gt)E%z=Zf{y
zWBoj_evVi_?mv?Iq0R5pfsg*;WS><)8vUJJY<l!}BlkysHT=&b=ZB9EmxmUIel_?H
zLq`Ya2VaD~9_$(T@6h_d#eu)=|GNJ_<=^&i_ur6z(f4cli{7Qa7k$@ze%^CV`bzpl
z`lL;ZUCfG4%F2T|DPZI>`ZM!s)`HYhrDEPW*0fYs-`+IRT5)?v+bQHTrF7BMA}y0I
zmXA*amE}39{GoHQ@l4ywmrQ*tpUr67RyBIT+%k4d%}Oh1My6%vw-#1o(PT`GCvL{>
zsV}QST}h}dt5K(`jfBes7lO*771Vh9pbGh{6={obCtfWg`}{WH*xBLo_;^s+uwsd}
zkEI@mkJ5!#i%G1fO>APZ@Lu+OP??*PUi`3_+Vml*pCAnD2i2I8(Hl!KzflPd7#Vfp
zc64=m_DWbytR&UM`qI*6H8fBiuhyCM2K`QV_&<xTI(2{BTXnjir;2(;v(|>2*4#?Q
zmt)?hcQS4BKV6M4M_2EwcVhR|X(JQ1!@ae#8jCL`?6heyy0E$$yA@lFB^F|9bp+En
z&mMxCv89+by%(Zu3(=dg#+uwoD^_BswL5=dC9#%Vjm8s6we+<86{oHz;&<0$^@}4E
zj;rl1|9a1af!40HOdgMa@Xf1=w5&=kUpyC7#>b^y#XAYjT5)r%^>nkO{O4GwCqgJZ
zJ0>fO<9@4WJzA~aQS<!m_hn^Dky7p=;Eb?l&tT`%xyFmTo^Q{f>U?k(l-*lrf{LO@
zUp{f1oGj-*?|F2pr})F<jZ9iIOtYjHRQDpf8fmyfokC`5^Rb>T`j_hVh3K9BPEWN;
zcQSgeXcV8<CcV(f%c|I!a3~x;D=YJg-#Aukz2f|OKm6Xyi$<KHXV*^4%H*U}8Jv`%
zrBm6gmd!sh#m|aosKgw5(NL4Idr4JTfx>f&tlXLO3spQ{i-<>Oo}COT^Yc=<*O@Ek
z6C<ak^SO*sH1avk%%yg$tE*`GrJwSI=~t?C$SbF0B|YyKvR_?V#4qRc=5bk>nUP9P
zPaYNW`E4WjNHf!0dZv`sn-WfVVsFZB9dz`BtgO%Y1>IDM7HLX4xpg$COifAUQ76tq
zzEm`Fx@H#j9n*7g%oCp{t7UALRkuuaf`qRfla=KuzhK?cPRm-vb9j7lL{`Seq_h~L
z8=g7ZDl+G8)I2d~MrCDT>?JW+50BO6&7&JbvNACtRUS05sZFh*o26{g6h01n+7~j^
z>4Kil7c$m!WOF1}hh-%`;TMTeixv?MM#_Dmpgpb1*Bpy&J!7O(&ec&eQ;&4BDPhnP
zT~l_u7%!_rac@_`(ZO~zPdKj<mKJGB8rtp;Dv^j(?rZFcwI&t}Pgklb1Acv}=C|ui
zcws<RHX?rDLU`56JRw)pLZ8XjZE;H4c0#rnP<zAi(8yYoLOck10`+9Iyja55g6*yi
zPX(H@aM#-HFCM8(h{|I~b^oIoxzDYb^M&V434NZ}nzCEQcUi5Kt4!r^w6ERx*Gjul
zXpyEQd9g>hsH@qg`@6SQlzta=Z@Y`yt+5t@Y45H3?d|JhDX3h!B$Wr9;dHl=pIgte
z*6pU@u*VZnL#8@iJxR-zwrkHF?)JfIX=-`c`mZ$lUjgfX{DS}j2q1s}0tg_000Iag
zfB*uAL|{bfnf$}exy%*)+QUeCHWjk_b@Y&Qj&2};00IagfB*srAb<b@2q1t!O95g3
z-`lbPi3lKo00IagfB*srAb<b@2q5s*3)p}DpZEW7{V>u21Q0*~0R#|0009ILKmY**
z+6oBo|Lwn~kADzA009ILKmY**5I_I{1Q0;r5DM`A{}2u;T|xi>1Q0*~0R#|0009IL
zK%hZDc>f=4$l?$I1Q0*~0R#|0009ILKmY**4v7Ho{}0JP(hUR<KmY**5I_I{1Q0*~
z0R-9z2=D&~+7u%T0R#|0009ILKmY**5I_I{1m0o+-v7VFgGcBHAb<b@2q1s}0tg_0
z00IcSqJZ%JfAAGgp%?-PAb<b@2q1s}0tg_000IcSWdgkaf6E4pa1lTN0R#|0009IL
zKmY**5O@s%;r+k!RlsXh!6^tJfB*srAb<b@2q1s}0tg^*zy)~!f4~Qb@DM-%0R#|0
z009ILKmY**5a@t_@cw_a1JzLl0tg_000IagfB*srAb<b@2pm8G-v1xKK_Mgr5I_I{
z1Q0*~0R#|0009I#EFir9Ki1)@sSW`I5I_I{1Q0*~0R#|0009IJhyd^Z56D0e1_B5m
zfB*srAb<b@2q1s}0>4KA;r;)K-(xdWjQ|1&Ab<b@2q1s}0tg_000R3c!2ADw#HVQl
z5I_I{1Q0*~0R#|0009KLBp|&1Kh>osX$AoV5I_I{1Q0*~0R#|0009KLEFkRvyWBF(
zA%Fk^2q1s}0tg_000IagfIzndgg^hUbgNC;K>z^+5I_I{1Q0*~0R#|00D<lb2>bu;
zHcV>>Ab<b@2q1s}0tg_000Iag&@}=6{D0S|X$S!X5I_I{1Q0*~0R#|00D*lIVE?~w
z^fZhB0tg_000IagfB*srAb>#E1la#~jhcoKKmY**5I_I{1Q0*~0R#}(Hv#_t|NBNy
z!w4XN00IagfB*srAb<b@2y{(=_y1j^rXd6nKmY**5I_I{1Q0*~0R;9<fcO9VMo+^C
zAb<b@2q1s}0tg_000IbfO@R0RU8ANU1Q0*~0R#|0009ILKmY**_Dz8O|Gv@FFaii5
zfB*srAb<b@2q1s}0$mee|KBxg8bSa81Q0*~0R#|0009ILKw#el*#GYvJq;s(00Iag
zfB*srAb<b@2q4fk0rvl0qoyGQ5I_I{1Q0*~0R#|0009K{O@P1uf8Xe77y$$jKmY**
z5I_I{1Q0*~fvyP%@Bb&QMti%~FbyGq00IagfB*srAb<b@2q1t!*93--d=xk>{W386
zSMqQBxBG95esAQbBiW%J%YP@Q`~InK_Q>D#CVMAB)BXQ8^hbk#-*a{F3+b1YfBSF9
zzv%n5{6+6l-;2KMJwNX`Cw(P-B7M@e(D%Ke_@t~nn3DoVE~7s)pJt7suBA%FymPE+
zsjR-eJN9u<nVFIHjACljI@UAB?#Oq7%KW^vH{&FkPmG+F&gU{l(a7gCGnd*ixAH~P
zFa6}gYAl+JsmbV#rI>obEG%2KO-bcpr&Z&bRx<U1wo}MIG_tx`IWjVyM7df;JaIF2
zPxU)RT}h~()6{9_(8z?#PwoVjsVQmil+y)IDbGQlH&{>J1$8<!U}V%}>|XM+8XBlp
zt}fh;u1?Qh39E^fq?%Y?TCy`gU5zhCSMRHLV)xZ)D*`)hVI{GaT#d#PN%i5A*4=he
zP4(8wYAn8(u+OgbL0ygAimk>H3$Zn)o2FB*-RYaLrI-c05M5h{-i(F9Gq+@AVa#us
zE$K`tT{N|b`)Rhk5eq6~W73}F@VM#j?=xN$H@U+eZnf?V=m<ss*MXhulTvxWoop#X
zOQ*6~Et`K-n`>g4(m2(`OgA(eT}&4y+VP2?vOFi1KXe=1%3JefE1%71+xqsVUNE<e
zom$H+Gr!dsLd#NOEG-KNK@D68DvMT7<L!eg<g-?!EyA66wTSHVZJL&KsMB_KxI8`{
zR5q+wqU~d;*I{Jpp9R7TuNG7NT<gm9k4-EVj;rmK$$C*C8tqEU<nj0i-@K|w%c|7f
zTW5lbqDWspsjXqAy#$%>RV6A5tdmq-samc~c_Wk74AU&>1@*J&s#E4_q+$7T3Yn$N
z$9lTxU&<M9w~lXn7r=BuPZjlymMW?@t>r%%UygYe$kI-xZT?FZ(9+Y&`k+<1lhJcU
zqxf81PsH!8$JA+|lb2PoGvQD;d{$QG6~E=t@zbt2zuphO_wu3<r|8+xSApfp$=xF#
z29-!e+M8RDl{=Gujfjhf77>rGSoQQR?|%2Ta~J-ya?7nQjhd1B-0Ek(@VqHu(lZAx
zH03w0)wKezcsnyptv)NwtyDqJs5e$tmSR!+_H!$`zLZoy_KfdK#?QI|)?#pb<t}NJ
zk$uCP;Dbe3nH`g!yUR?qwc66_9``n`BW{KpjlF8PY4tVLdY1c*GC3*j{<(8CibE)V
zKJ6VBF{^P%>}jM~i<EoOzS>iSSfd+pNBpb~9#_`prSdgb@Y<5BEKm7OX(xQksqz%(
zTokp3x^TJYdqE{OBbCS8%BrIEDeVT|lySsofSOMgMyj4!AF^m%R@P_y;%{oV_Iy;Y
z>*8Mad{CL2lV1GL8TI-lA>0aDCVt?V2Q7=VTeBPIhUZGF*Cxy!Pl;}?)8gZ+7+qL=
zhOK4zJ;>S@fLK!%!BdHy*6w`ak=wds)S7JdELOXBxb1|(vtzQdIPN!NYPDI9()G{h
z%NNfDmGN<DSMkmfYm;QvY(EK_W36X{)e&cd;jRFlG3@mHG!(x5zN}0sQp&v~9ZSug
zE6%5Ljn`d0-@eeCqv}K5V=1Uyx+IkcD{G;(ZQL}{+UM5LSUW^}S1BC!c>3OusZLi<
z(sHHk+H;4vw+atSKMkA-{45|R<<Y(uM;;tG+xwHA$Gtz0{%`c+$p4J|_3%%Izd!Wv
zfuBkLIFt(gYv?Zr{$n7}|1bR;mCg6i$eV4#chv_$B_5adt`~PtRX<KTy>@obc0Y^T
z<sVr&_8z*D^Qe%|ZyUKsnwj3xGo`HFlyJ;ra-k{zWw#2?M0xp*x2b-2?d`~oBbW)C
z&Bw)yMo!C)dh`eF7U1TnB27s%k3S14*CwQLpF3%@sZFh*o29I^p|z)^bq5uah8pLv
zkmnY+C$o@Tzh9J}CWFevgtQlS23RN~d>r%+osi=UT0u|e3mN;i{>{HNsGZy5%LAbu
zw;vrDysPW75}yzUPyB{RY&9YrTrT&lHQe9rFOJeF=NqDunR-<JVy7u1)Hp^>CEOm`
zBh{2yAFt?YyXn<*q84dNy0m-oZsp4Tku&5?1)35Dyu;s=?=uO6a<x(J@C*@}@D4yn
z=1E!p)cQ&xB7CJFv}f&63P#Hjujcf(8S;jc8^*kvTOag=6<OJc_)XXrL5ZVYt?dtX
zhZB`uTdZ-|t0kK23HlCv^%S3xudY$Gr+ojVyEZXeT>j1RxYtNWMtAUk1Hb9^SF~@k
zyXe5TyE#3me4{T4-JM<SJLy(CF?;rk>GgR#mwCPK2O{N1>7c#w+&kvXRk3#Q^C|EA
z6tg<~G$B^q(OFnNzZvxIK>c1ZxXt?IyRRT>W93)St;ilXzcTePTuI4FdfspC@jG9O
z_~m@OtNdx@O-s}nTfcIC=_kBn?pLhC<L}puYw7%c(^neS^W&2rZ!}ZiwJsz5JI(3N
z<6-5ER^^#|NAt|ni14`X&5D$Jw1#JyrpHjXYfTx)8*gk)CEQc(8P=3ppIU`KX?RIi
z$d`&nPS?z$UVnYyNj%!vwkKC?*OO6i^V%P``+moBk{0nCepLRm?^oWhU3Vs~C)0B<
z>YbvVyvBLyX1><LbIVt5ZjBzqj?B*o_r2dXR$Hp=N!;TRpFye>wC9CexIQ#9_u9SD
zbIaF8#r&|mu_3<Eb4$3thg%MV**F5P{;<-HyVkdkNDF`dzt36~j=b4^p0g1^009IL
zKmY**5I_I{1Q0;rAPNZk|DY9L<<0Uz43wA<KmY**5I_I{1Q0*~0R#|0;I##W{r`Yf
zN&jnC#EA$XfB*srAb<b@2q1s}0tg^*U<HKz|DYA5b9i8bB`^dKKmY**5I_I{1Q0*~
z0R#|uEdgQwKWtSn^jej05&{SyfB*srAb<b@2q1s}0tg&v0b&0?Y6bd+f1m$>?kd3{
zfB*srAb<b@2q1s}0tg`R&I$<o|6>-y(RUVtjw65o0tg_000IagfB*srAaIBUg#G^s
ztDDCUaaZXY0tg_000IagfB*srAb<b@@2r5Z|376RoP1{?=r{rhAb<b@2q1s}0tg_0
z00M_!K(e~1SU;x^e^==t0tg_000IagfB*srAb<b@@1B70{{P+UJUvDL0R#|0009IL
OKmY**5J2D^5%_;fPjpfM

literal 0
HcmV?d00001

diff --git a/.sisyphus/evidence/task-T4-authz-denied.txt b/.sisyphus/evidence/task-T4-authz-denied.txt
new file mode 100644
index 0000000..dca95c4
--- /dev/null
+++ b/.sisyphus/evidence/task-T4-authz-denied.txt
@@ -0,0 +1,63 @@
+============================= test session starts ==============================
+platform darwin -- Python 3.12.12, pytest-9.0.2, pluggy-1.6.0 -- /Users/piotr/dev/innercontext/backend/.venv/bin/python3
+cachedir: .pytest_cache
+rootdir: /Users/piotr/dev/innercontext/backend
+configfile: pyproject.toml
+plugins: anyio-4.12.1, cov-7.0.0
+collecting ... collected 8 items / 5 deselected / 3 selected
+
+tests/test_authz.py::test_owner_denied_for_non_owned_lookup_returns_404 PASSED [ 33%]
+tests/test_authz.py::test_household_shared_inventory_denied_for_cross_household_member PASSED [ 66%]
+tests/test_authz.py::test_product_visibility_denied_for_cross_household_member PASSED [100%]
+
+================================ tests coverage ================================
+______________ coverage: platform darwin, python 3.12.12-final-0 _______________
+
+Name                                                 Stmts   Miss  Cover   Missing
+----------------------------------------------------------------------------------
+innercontext/api/__init__.py                             0      0   100%
+innercontext/api/ai_logs.py                             50     25    50%   15-27, 53-59, 79-83
+innercontext/api/auth.py                                68     18    74%   65-79, 100, 106-109, 122-129, 153-158, 166
+innercontext/api/auth_deps.py                           25     13    48%   23, 36-48, 52-57
+innercontext/api/authz.py                               96     41    57%   25-26, 39, 49, 63, 66, 75-83, 89-93, 105-108, 118, 121, 125, 128, 133, 141-146, 154, 157, 160, 163, 170, 172
+innercontext/api/health.py                             216     97    55%   75-79, 147-152, 157-161, 166, 175-181, 186-196, 206-210, 223-232, 241-247, 252-254, 276-344, 349-353, 358, 367-373, 378-380
+innercontext/api/inventory.py                           25     11    56%   16, 25-31, 36-38
+innercontext/api/llm_context.py                         92     81    12%   11, 17-20, 24-46, 68-119, 146-182, 214-218
+innercontext/api/product_llm_tools.py                  107     94    12%   12-17, 23-38, 48-82, 111-136, 143-162, 172-205
+innercontext/api/products.py                           616    403    35%   72-92, 247-255, 265-267, 278-353, 362-397, 481, 485-503, 507-516, 526-532, 536-537, 547-597, 614-658, 663-677, 681, 803-841, 853-931, 936-943, 950-961, 966-969, 979-981, 992-1001, 1010-1015, 1025-1156, 1162-1164, 1168-1181, 1187, 1217-1377
+innercontext/api/profile.py                             35     14    60%   29-32, 43-56
+innercontext/api/routines.py                           550    373    32%   58-78, 254-257, 261-278, 282-287, 296-308, 321-322, 336-345, 359-376, 384-418, 426-456, 464-475, 484-493, 497-510, 516, 527-537, 556-573, 577-583, 587-590, 681-706, 711-715, 728-960, 968-1138, 1144, 1149-1155, 1164-1170, 1175-1177, 1191-1196, 1205-1211, 1216-1218, 1230-1234, 1243-1249, 1254-1256
+innercontext/api/skincare.py                           131     56    57%   100, 146-219, 229-236, 241-245, 250, 259-265, 270-272
+innercontext/api/utils.py                               22      8    64%   22-25, 34, 43, 51, 59
+innercontext/auth.py                                   236    146    38%   64-77, 127-129, 133-137, 141-149, 153-156, 161-168, 187-192, 195-210, 213-217, 220-228, 231-248, 251-264, 267, 271-274, 279, 283-284, 288-317, 325-363, 373-384
+innercontext/llm.py                                    134    119    11%   22, 44, 62-66, 74-102, 118-214, 231-326
+innercontext/llm_safety.py                              18     14    22%   17-45, 58-61, 80-83
+innercontext/models/__init__.py                         13      0   100%
+innercontext/models/ai_log.py                           33      0   100%
+innercontext/models/api_metadata.py                     15      0   100%
+innercontext/models/base.py                              3      0   100%
+innercontext/models/domain.py                            4      0   100%
+innercontext/models/enums.py                           152      0   100%
+innercontext/models/health.py                           64      0   100%
+innercontext/models/household.py                        14      0   100%
+innercontext/models/household_membership.py             20      0   100%
+innercontext/models/pricing.py                          19      0   100%
+innercontext/models/product.py                         226    106    53%   76-78, 203-205, 209-230, 238-356
+innercontext/models/profile.py                          17      0   100%
+innercontext/models/routine.py                          42      0   100%
+innercontext/models/skincare.py                         37      0   100%
+innercontext/models/user.py                             19      0   100%
+innercontext/services/__init__.py                        0      0   100%
+innercontext/services/fx.py                             57     42    26%   16, 20-22, 26-48, 54-67, 71-77
+innercontext/services/pricing_jobs.py                   62     53    15%   12-23, 27-48, 52-66, 70-85, 89-93
+innercontext/validators/__init__.py                      7      0   100%
+innercontext/validators/base.py                         22      5    77%   23, 27, 31, 35, 52
+innercontext/validators/batch_validator.py             128    105    18%   37, 58-154, 167-203, 214-240, 249-273
+innercontext/validators/photo_validator.py              65     54    17%   58-134, 144-152, 164-178
+innercontext/validators/product_parse_validator.py     110     93    15%   108-154, 164-172, 185-198, 205-239, 243-267, 273-319, 325-339
+innercontext/validators/routine_validator.py           146    114    22%   69-167, 173-175, 182-197, 201-218, 229-246, 259-275, 288-309
+innercontext/validators/shopping_validator.py           78     58    26%   49-96, 102-114, 122-123, 136-142, 150-161, 169-203
+----------------------------------------------------------------------------------
+TOTAL                                                 3774   2143    43%
+Coverage HTML written to dir htmlcov
+======================= 3 passed, 5 deselected in 0.35s ========================
diff --git a/.sisyphus/evidence/task-T4-authz-happy.txt b/.sisyphus/evidence/task-T4-authz-happy.txt
new file mode 100644
index 0000000..e67a77f
--- /dev/null
+++ b/.sisyphus/evidence/task-T4-authz-happy.txt
@@ -0,0 +1,68 @@
+============================= test session starts ==============================
+platform darwin -- Python 3.12.12, pytest-9.0.2, pluggy-1.6.0 -- /Users/piotr/dev/innercontext/backend/.venv/bin/python3
+cachedir: .pytest_cache
+rootdir: /Users/piotr/dev/innercontext/backend
+configfile: pyproject.toml
+plugins: anyio-4.12.1, cov-7.0.0
+collecting ... collected 8 items
+
+tests/test_authz.py::test_owner_helpers_return_only_owned_records PASSED [ 12%]
+tests/test_authz.py::test_admin_helpers_allow_admin_override_for_lookup_and_list PASSED [ 25%]
+tests/test_authz.py::test_owner_denied_for_non_owned_lookup_returns_404 PASSED [ 37%]
+tests/test_authz.py::test_household_shared_inventory_access_allows_same_household_member PASSED [ 50%]
+tests/test_authz.py::test_household_shared_inventory_denied_for_cross_household_member PASSED [ 62%]
+tests/test_authz.py::test_household_inventory_update_rules_owner_admin_and_member PASSED [ 75%]
+tests/test_authz.py::test_product_visibility_for_owner_admin_and_household_shared PASSED [ 87%]
+tests/test_authz.py::test_product_visibility_denied_for_cross_household_member PASSED [100%]
+
+================================ tests coverage ================================
+______________ coverage: platform darwin, python 3.12.12-final-0 _______________
+
+Name                                                 Stmts   Miss  Cover   Missing
+----------------------------------------------------------------------------------
+innercontext/api/__init__.py                             0      0   100%
+innercontext/api/ai_logs.py                             50     25    50%   15-27, 53-59, 79-83
+innercontext/api/auth.py                                68     18    74%   65-79, 100, 106-109, 122-129, 153-158, 166
+innercontext/api/auth_deps.py                           25     13    48%   23, 36-48, 52-57
+innercontext/api/authz.py                               96     19    80%   25-26, 39, 49, 63, 78, 81-83, 91, 108, 118, 121, 125, 128, 143, 154, 163, 170
+innercontext/api/health.py                             216     97    55%   75-79, 147-152, 157-161, 166, 175-181, 186-196, 206-210, 223-232, 241-247, 252-254, 276-344, 349-353, 358, 367-373, 378-380
+innercontext/api/inventory.py                           25     11    56%   16, 25-31, 36-38
+innercontext/api/llm_context.py                         92     81    12%   11, 17-20, 24-46, 68-119, 146-182, 214-218
+innercontext/api/product_llm_tools.py                  107     94    12%   12-17, 23-38, 48-82, 111-136, 143-162, 172-205
+innercontext/api/products.py                           616    403    35%   72-92, 247-255, 265-267, 278-353, 362-397, 481, 485-503, 507-516, 526-532, 536-537, 547-597, 614-658, 663-677, 681, 803-841, 853-931, 936-943, 950-961, 966-969, 979-981, 992-1001, 1010-1015, 1025-1156, 1162-1164, 1168-1181, 1187, 1217-1377
+innercontext/api/profile.py                             35     14    60%   29-32, 43-56
+innercontext/api/routines.py                           550    373    32%   58-78, 254-257, 261-278, 282-287, 296-308, 321-322, 336-345, 359-376, 384-418, 426-456, 464-475, 484-493, 497-510, 516, 527-537, 556-573, 577-583, 587-590, 681-706, 711-715, 728-960, 968-1138, 1144, 1149-1155, 1164-1170, 1175-1177, 1191-1196, 1205-1211, 1216-1218, 1230-1234, 1243-1249, 1254-1256
+innercontext/api/skincare.py                           131     56    57%   100, 146-219, 229-236, 241-245, 250, 259-265, 270-272
+innercontext/api/utils.py                               22      8    64%   22-25, 34, 43, 51, 59
+innercontext/auth.py                                   236    146    38%   64-77, 127-129, 133-137, 141-149, 153-156, 161-168, 187-192, 195-210, 213-217, 220-228, 231-248, 251-264, 267, 271-274, 279, 283-284, 288-317, 325-363, 373-384
+innercontext/llm.py                                    134    119    11%   22, 44, 62-66, 74-102, 118-214, 231-326
+innercontext/llm_safety.py                              18     14    22%   17-45, 58-61, 80-83
+innercontext/models/__init__.py                         13      0   100%
+innercontext/models/ai_log.py                           33      0   100%
+innercontext/models/api_metadata.py                     15      0   100%
+innercontext/models/base.py                              3      0   100%
+innercontext/models/domain.py                            4      0   100%
+innercontext/models/enums.py                           152      0   100%
+innercontext/models/health.py                           64      0   100%
+innercontext/models/household.py                        14      0   100%
+innercontext/models/household_membership.py             20      0   100%
+innercontext/models/pricing.py                          19      0   100%
+innercontext/models/product.py                         226    106    53%   76-78, 203-205, 209-230, 238-356
+innercontext/models/profile.py                          17      0   100%
+innercontext/models/routine.py                          42      0   100%
+innercontext/models/skincare.py                         37      0   100%
+innercontext/models/user.py                             19      0   100%
+innercontext/services/__init__.py                        0      0   100%
+innercontext/services/fx.py                             57     42    26%   16, 20-22, 26-48, 54-67, 71-77
+innercontext/services/pricing_jobs.py                   62     53    15%   12-23, 27-48, 52-66, 70-85, 89-93
+innercontext/validators/__init__.py                      7      0   100%
+innercontext/validators/base.py                         22      5    77%   23, 27, 31, 35, 52
+innercontext/validators/batch_validator.py             128    105    18%   37, 58-154, 167-203, 214-240, 249-273
+innercontext/validators/photo_validator.py              65     54    17%   58-134, 144-152, 164-178
+innercontext/validators/product_parse_validator.py     110     93    15%   108-154, 164-172, 185-198, 205-239, 243-267, 273-319, 325-339
+innercontext/validators/routine_validator.py           146    114    22%   69-167, 173-175, 182-197, 201-218, 229-246, 259-275, 288-309
+innercontext/validators/shopping_validator.py           78     58    26%   49-96, 102-114, 122-123, 136-142, 150-161, 169-203
+----------------------------------------------------------------------------------
+TOTAL                                                 3774   2121    44%
+Coverage HTML written to dir htmlcov
+============================== 8 passed in 0.40s ===============================
diff --git a/.sisyphus/evidence/task-T5-product-denied.txt b/.sisyphus/evidence/task-T5-product-denied.txt
new file mode 100644
index 0000000..ba13ac7
--- /dev/null
+++ b/.sisyphus/evidence/task-T5-product-denied.txt
@@ -0,0 +1,62 @@
+============================= test session starts ==============================
+platform darwin -- Python 3.12.12, pytest-9.0.2, pluggy-1.6.0 -- /Users/piotr/dev/innercontext/backend/.venv/bin/python3
+cachedir: .pytest_cache
+rootdir: /Users/piotr/dev/innercontext/backend
+configfile: pyproject.toml
+plugins: anyio-4.12.1, cov-7.0.0
+collecting ... collected 8 items / 6 deselected / 2 selected
+
+tests/test_products_auth.py::test_household_member_cannot_edit_shared_product PASSED [ 50%]
+tests/test_products_auth.py::test_household_member_cannot_delete_shared_product PASSED [100%]
+
+================================ tests coverage ================================
+______________ coverage: platform darwin, python 3.12.12-final-0 _______________
+
+Name                                                 Stmts   Miss  Cover   Missing
+----------------------------------------------------------------------------------
+innercontext/api/__init__.py                             0      0   100%
+innercontext/api/ai_logs.py                             63     34    46%   18-30, 53-57, 69-81, 106-113
+innercontext/api/auth.py                                68     18    74%   65-79, 100, 106-109, 122-129, 153-158, 166
+innercontext/api/auth_deps.py                           25     13    48%   23, 36-48, 52-57
+innercontext/api/authz.py                              100     68    32%   25-26, 35-40, 48-51, 60-66, 78, 80, 83, 89-93, 105-108, 116-133, 141-150, 156-177
+innercontext/api/health.py                             238    115    52%   77-81, 142-146, 156-163, 179-185, 195-204, 214, 231-243, 253-270, 285-298, 313-330, 341-353, 363-371, 395-464, 474-483, 493, 510-522, 532-540
+innercontext/api/inventory.py                           30     13    57%   26, 36-44, 53-60
+innercontext/api/llm_context.py                        102     87    15%   17-21, 30-31, 39-42, 52-74, 96-147, 174-210, 242-246
+innercontext/api/product_llm_tools.py                  107     94    12%   12-17, 23-38, 48-82, 111-136, 143-162, 172-205
+innercontext/api/products.py                           638    389    39%   82, 84, 88, 106-126, 281-289, 299-301, 312-387, 396-431, 515, 519-537, 541-550, 560-566, 570-571, 581-631, 649-703, 712-727, 731, 853-891, 918, 920, 922, 924, 933-934, 983, 1005-1015, 1027-1029, 1043-1048, 1060-1072, 1081-1086, 1097-1232, 1238-1240, 1244-1257, 1263, 1296-1457
+innercontext/api/profile.py                             39     15    62%   36-39, 55-69
+innercontext/api/routines.py                           586    402    31%   63-83, 98-102, 108-116, 126-132, 300-303, 307-324, 328-333, 343-356, 371-372, 388-398, 414-433, 442-478, 487-519, 528-555, 564-573, 577-590, 596, 609-629, 652-681, 685-691, 695-698, 789-814, 819-823, 836-1068, 1076-1246, 1252, 1257-1263, 1272-1278, 1283-1285, 1299-1304, 1313-1319, 1324-1326, 1338-1342, 1351-1357, 1362-1364
+innercontext/api/skincare.py                           150     70    53%   103, 145-149, 158-166, 178-255, 267-277, 287-296, 306, 322-333, 343-350
+innercontext/api/utils.py                               22      4    82%   24, 34, 51, 59
+innercontext/auth.py                                   236    146    38%   64-77, 127-129, 133-137, 141-149, 153-156, 161-168, 187-192, 195-210, 213-217, 220-228, 231-248, 251-264, 267, 271-274, 279, 283-284, 288-317, 325-363, 373-384
+innercontext/llm.py                                    134    119    11%   22, 44, 62-66, 74-102, 118-214, 231-326
+innercontext/llm_safety.py                              18     14    22%   17-45, 58-61, 80-83
+innercontext/models/__init__.py                         13      0   100%
+innercontext/models/ai_log.py                           33      0   100%
+innercontext/models/api_metadata.py                     15      0   100%
+innercontext/models/base.py                              3      0   100%
+innercontext/models/domain.py                            4      0   100%
+innercontext/models/enums.py                           152      0   100%
+innercontext/models/health.py                           64      0   100%
+innercontext/models/household.py                        14      0   100%
+innercontext/models/household_membership.py             20      0   100%
+innercontext/models/pricing.py                          19      0   100%
+innercontext/models/product.py                         226    106    53%   76-78, 203-205, 209-230, 238-356
+innercontext/models/profile.py                          17      0   100%
+innercontext/models/routine.py                          42      0   100%
+innercontext/models/skincare.py                         37      0   100%
+innercontext/models/user.py                             19      0   100%
+innercontext/services/__init__.py                        0      0   100%
+innercontext/services/fx.py                             57     42    26%   16, 20-22, 26-48, 54-67, 71-77
+innercontext/services/pricing_jobs.py                   62     52    16%   18-23, 27-48, 52-66, 70-85, 89-93
+innercontext/validators/__init__.py                      7      0   100%
+innercontext/validators/base.py                         22      5    77%   23, 27, 31, 35, 52
+innercontext/validators/batch_validator.py             128    105    18%   37, 58-154, 167-203, 214-240, 249-273
+innercontext/validators/photo_validator.py              65     54    17%   58-134, 144-152, 164-178
+innercontext/validators/product_parse_validator.py     110     93    15%   108-154, 164-172, 185-198, 205-239, 243-267, 273-319, 325-339
+innercontext/validators/routine_validator.py           146    114    22%   69-167, 173-175, 182-197, 201-218, 229-246, 259-275, 288-309
+innercontext/validators/shopping_validator.py           78     58    26%   49-96, 102-114, 122-123, 136-142, 150-161, 169-203
+----------------------------------------------------------------------------------
+TOTAL                                                 3909   2230    43%
+Coverage HTML written to dir htmlcov
+======================= 2 passed, 6 deselected in 0.49s ========================
diff --git a/.sisyphus/evidence/task-T5-product-sharing.txt b/.sisyphus/evidence/task-T5-product-sharing.txt
new file mode 100644
index 0000000..9924641
--- /dev/null
+++ b/.sisyphus/evidence/task-T5-product-sharing.txt
@@ -0,0 +1,63 @@
+============================= test session starts ==============================
+platform darwin -- Python 3.12.12, pytest-9.0.2, pluggy-1.6.0 -- /Users/piotr/dev/innercontext/backend/.venv/bin/python3
+cachedir: .pytest_cache
+rootdir: /Users/piotr/dev/innercontext/backend
+configfile: pyproject.toml
+plugins: anyio-4.12.1, cov-7.0.0
+collecting ... collected 8 items / 5 deselected / 3 selected
+
+tests/test_products_auth.py::test_shared_product_visible_in_summary_marks_is_owned_false PASSED [ 33%]
+tests/test_products_auth.py::test_shared_product_visible_filters_private_inventory_rows PASSED [ 66%]
+tests/test_products_auth.py::test_shared_inventory_update_allows_household_member PASSED [100%]
+
+================================ tests coverage ================================
+______________ coverage: platform darwin, python 3.12.12-final-0 _______________
+
+Name                                                 Stmts   Miss  Cover   Missing
+----------------------------------------------------------------------------------
+innercontext/api/__init__.py                             0      0   100%
+innercontext/api/ai_logs.py                             63     34    46%   18-30, 53-57, 69-81, 106-113
+innercontext/api/auth.py                                68     18    74%   65-79, 100, 106-109, 122-129, 153-158, 166
+innercontext/api/auth_deps.py                           25     13    48%   23, 36-48, 52-57
+innercontext/api/authz.py                              100     46    54%   25-26, 39, 49, 60-66, 78, 80, 83, 89-93, 105-108, 116-133, 143, 145, 147, 149, 158, 161, 164, 167, 174, 177
+innercontext/api/health.py                             238    115    52%   77-81, 142-146, 156-163, 179-185, 195-204, 214, 231-243, 253-270, 285-298, 313-330, 341-353, 363-371, 395-464, 474-483, 493, 510-522, 532-540
+innercontext/api/inventory.py                           30      5    83%   26, 37, 53-60
+innercontext/api/llm_context.py                        102     87    15%   17-21, 30-31, 39-42, 52-74, 96-147, 174-210, 242-246
+innercontext/api/product_llm_tools.py                  107     94    12%   12-17, 23-38, 48-82, 111-136, 143-162, 172-205
+innercontext/api/products.py                           638    389    39%   82, 84, 88, 106-126, 281-289, 299-301, 312-387, 396-431, 515, 519-537, 541-550, 560-566, 570-571, 581-631, 649-703, 712-727, 731, 853-891, 918, 920, 922, 924, 933-934, 983, 1005-1015, 1027-1029, 1043-1048, 1060-1072, 1081-1086, 1097-1232, 1238-1240, 1244-1257, 1263, 1296-1457
+innercontext/api/profile.py                             39     15    62%   36-39, 55-69
+innercontext/api/routines.py                           586    402    31%   63-83, 98-102, 108-116, 126-132, 300-303, 307-324, 328-333, 343-356, 371-372, 388-398, 414-433, 442-478, 487-519, 528-555, 564-573, 577-590, 596, 609-629, 652-681, 685-691, 695-698, 789-814, 819-823, 836-1068, 1076-1246, 1252, 1257-1263, 1272-1278, 1283-1285, 1299-1304, 1313-1319, 1324-1326, 1338-1342, 1351-1357, 1362-1364
+innercontext/api/skincare.py                           150     70    53%   103, 145-149, 158-166, 178-255, 267-277, 287-296, 306, 322-333, 343-350
+innercontext/api/utils.py                               22      4    82%   24, 34, 51, 59
+innercontext/auth.py                                   236    146    38%   64-77, 127-129, 133-137, 141-149, 153-156, 161-168, 187-192, 195-210, 213-217, 220-228, 231-248, 251-264, 267, 271-274, 279, 283-284, 288-317, 325-363, 373-384
+innercontext/llm.py                                    134    119    11%   22, 44, 62-66, 74-102, 118-214, 231-326
+innercontext/llm_safety.py                              18     14    22%   17-45, 58-61, 80-83
+innercontext/models/__init__.py                         13      0   100%
+innercontext/models/ai_log.py                           33      0   100%
+innercontext/models/api_metadata.py                     15      0   100%
+innercontext/models/base.py                              3      0   100%
+innercontext/models/domain.py                            4      0   100%
+innercontext/models/enums.py                           152      0   100%
+innercontext/models/health.py                           64      0   100%
+innercontext/models/household.py                        14      0   100%
+innercontext/models/household_membership.py             20      0   100%
+innercontext/models/pricing.py                          19      0   100%
+innercontext/models/product.py                         226    106    53%   76-78, 203-205, 209-230, 238-356
+innercontext/models/profile.py                          17      0   100%
+innercontext/models/routine.py                          42      0   100%
+innercontext/models/skincare.py                         37      0   100%
+innercontext/models/user.py                             19      0   100%
+innercontext/services/__init__.py                        0      0   100%
+innercontext/services/fx.py                             57     42    26%   16, 20-22, 26-48, 54-67, 71-77
+innercontext/services/pricing_jobs.py                   62     52    16%   18-23, 27-48, 52-66, 70-85, 89-93
+innercontext/validators/__init__.py                      7      0   100%
+innercontext/validators/base.py                         22      5    77%   23, 27, 31, 35, 52
+innercontext/validators/batch_validator.py             128    105    18%   37, 58-154, 167-203, 214-240, 249-273
+innercontext/validators/photo_validator.py              65     54    17%   58-134, 144-152, 164-178
+innercontext/validators/product_parse_validator.py     110     93    15%   108-154, 164-172, 185-198, 205-239, 243-267, 273-319, 325-339
+innercontext/validators/routine_validator.py           146    114    22%   69-167, 173-175, 182-197, 201-218, 229-246, 259-275, 288-309
+innercontext/validators/shopping_validator.py           78     58    26%   49-96, 102-114, 122-123, 136-142, 150-161, 169-203
+----------------------------------------------------------------------------------
+TOTAL                                                 3909   2200    44%
+Coverage HTML written to dir htmlcov
+======================= 3 passed, 5 deselected in 0.51s ========================
diff --git a/.sisyphus/evidence/task-T6-domain-tenancy.txt b/.sisyphus/evidence/task-T6-domain-tenancy.txt
new file mode 100644
index 0000000..95fc06e
--- /dev/null
+++ b/.sisyphus/evidence/task-T6-domain-tenancy.txt
@@ -0,0 +1,62 @@
+============================= test session starts ==============================
+platform darwin -- Python 3.12.12, pytest-9.0.2, pluggy-1.6.0 -- /Users/piotr/dev/innercontext/backend/.venv/bin/python3
+cachedir: .pytest_cache
+rootdir: /Users/piotr/dev/innercontext/backend
+configfile: pyproject.toml
+plugins: anyio-4.12.1, cov-7.0.0
+collecting ... collected 2 items
+
+tests/test_tenancy_domains.py::test_profile_health_routines_skincare_ai_logs_are_user_scoped_by_default PASSED [ 50%]
+tests/test_tenancy_domains.py::test_health_admin_override_requires_explicit_user_id PASSED [100%]
+
+================================ tests coverage ================================
+______________ coverage: platform darwin, python 3.12.12-final-0 _______________
+
+Name                                                 Stmts   Miss  Cover   Missing
+----------------------------------------------------------------------------------
+innercontext/api/__init__.py                             0      0   100%
+innercontext/api/ai_logs.py                             63     21    67%   18-30, 55-57, 77, 79, 109, 112-113
+innercontext/api/auth.py                                68     18    74%   65-79, 100, 106-109, 122-129, 153-158, 166
+innercontext/api/auth_deps.py                           25     13    48%   23, 36-48, 52-57
+innercontext/api/authz.py                              100     70    30%   25-26, 31, 35-40, 48-51, 63, 66, 75-83, 89-93, 105-108, 116-133, 141-150, 156-177
+innercontext/api/health.py                             236     68    71%   78, 145, 158-163, 182, 184, 231-243, 253-270, 285-298, 313-330, 341-353, 363-371, 400-401, 408, 410, 412, 414, 416, 418, 422-442, 492, 509-521, 531-539
+innercontext/api/inventory.py                           30     13    57%   26, 36-44, 53-60
+innercontext/api/llm_context.py                        106     58    45%   19-21, 31, 46, 59, 67, 77, 107-131, 138-149, 180-217
+innercontext/api/product_llm_tools.py                  107     51    52%   12-17, 25, 31, 33, 37, 50-80, 133-134, 144, 155-161, 193
+innercontext/api/products.py                           638    410    36%   81-89, 97, 106-126, 281-289, 299-301, 312-387, 396-431, 515, 519-537, 541-550, 560-566, 570-571, 581-631, 649-703, 714, 731, 853-891, 904-972, 981-992, 1002-1015, 1024-1029, 1043-1048, 1060-1072, 1081-1086, 1097-1232, 1238-1240, 1244-1257, 1263, 1296-1457
+innercontext/api/profile.py                             39      3    92%   39, 62-63
+innercontext/api/routines.py                           632    285    55%   67-84, 101-103, 112-117, 129-133, 309, 311, 313, 315, 319-324, 330, 334, 355, 398-399, 415-434, 451-479, 498-520, 552, 555, 559, 561, 563, 577-581, 587-600, 606, 620, 640-641, 664-693, 698, 709-710, 715, 719-721, 817, 819, 821, 827-833, 837-841, 927-929, 986-1002, 1019, 1023-1024, 1030, 1033, 1039, 1064-1065, 1069, 1115-1119, 1130, 1143-1348, 1358-1359, 1379-1386, 1397-1409, 1419-1427, 1443-1464, 1475-1491, 1501-1509, 1524-1529, 1540-1552, 1562-1570
+innercontext/api/skincare.py                           150     53    65%   103, 147-149, 162-166, 178-255, 272, 274, 276, 322-333, 343-350
+innercontext/api/utils.py                               22      7    68%   22-25, 43, 51, 59
+innercontext/auth.py                                   236    146    38%   64-77, 127-129, 133-137, 141-149, 153-156, 161-168, 187-192, 195-210, 213-217, 220-228, 231-248, 251-264, 267, 271-274, 279, 283-284, 288-317, 325-363, 373-384
+innercontext/llm.py                                    134    118    12%   22, 62-66, 74-102, 118-214, 231-326
+innercontext/llm_safety.py                              18     14    22%   17-45, 58-61, 80-83
+innercontext/models/__init__.py                         13      0   100%
+innercontext/models/ai_log.py                           33      0   100%
+innercontext/models/api_metadata.py                     15      0   100%
+innercontext/models/base.py                              3      0   100%
+innercontext/models/domain.py                            4      0   100%
+innercontext/models/enums.py                           152      0   100%
+innercontext/models/health.py                           64      0   100%
+innercontext/models/household.py                        14      0   100%
+innercontext/models/household_membership.py             20      0   100%
+innercontext/models/pricing.py                          19      0   100%
+innercontext/models/product.py                         226     67    70%   78, 203-205, 209-230, 250, 253, 255, 257, 259, 261, 263, 265, 267, 269, 271, 273, 275-288, 291-298, 304, 306, 309-315, 318, 320, 331, 333, 336, 338, 340, 342, 349-354
+innercontext/models/profile.py                          17      0   100%
+innercontext/models/routine.py                          42      0   100%
+innercontext/models/skincare.py                         37      0   100%
+innercontext/models/user.py                             19      0   100%
+innercontext/services/__init__.py                        0      0   100%
+innercontext/services/fx.py                             57     42    26%   16, 20-22, 26-48, 54-67, 71-77
+innercontext/services/pricing_jobs.py                   89     71    20%   28-49, 53-67, 71-80, 89-107, 111-130, 134-138
+innercontext/validators/__init__.py                      7      0   100%
+innercontext/validators/base.py                         22      3    86%   27, 35, 52
+innercontext/validators/batch_validator.py             128    105    18%   37, 58-154, 167-203, 214-240, 249-273
+innercontext/validators/photo_validator.py              65     54    17%   58-134, 144-152, 164-178
+innercontext/validators/product_parse_validator.py     110     93    15%   108-154, 164-172, 185-198, 205-239, 243-267, 273-319, 325-339
+innercontext/validators/routine_validator.py           146     90    38%   72-73, 92-95, 98-101, 107-147, 151, 158, 175, 182-197, 201-218, 229-246, 259-275, 288-309
+innercontext/validators/shopping_validator.py           78     58    26%   49-96, 102-114, 122-123, 136-142, 150-161, 169-203
+----------------------------------------------------------------------------------
+TOTAL                                                 3984   1931    52%
+Coverage HTML written to dir htmlcov
+============================== 2 passed in 0.49s ===============================
diff --git a/.sisyphus/evidence/task-T6-routine-scope.txt b/.sisyphus/evidence/task-T6-routine-scope.txt
new file mode 100644
index 0000000..937b6f7
--- /dev/null
+++ b/.sisyphus/evidence/task-T6-routine-scope.txt
@@ -0,0 +1,61 @@
+============================= test session starts ==============================
+platform darwin -- Python 3.12.12, pytest-9.0.2, pluggy-1.6.0 -- /Users/piotr/dev/innercontext/backend/.venv/bin/python3
+cachedir: .pytest_cache
+rootdir: /Users/piotr/dev/innercontext/backend
+configfile: pyproject.toml
+plugins: anyio-4.12.1, cov-7.0.0
+collecting ... collected 1 item
+
+tests/test_routines_auth.py::test_suggest_uses_current_user_profile_and_visible_products_only PASSED [100%]
+
+================================ tests coverage ================================
+______________ coverage: platform darwin, python 3.12.12-final-0 _______________
+
+Name                                                 Stmts   Miss  Cover   Missing
+----------------------------------------------------------------------------------
+innercontext/api/__init__.py                             0      0   100%
+innercontext/api/ai_logs.py                             63     34    46%   18-30, 53-57, 69-81, 106-113
+innercontext/api/auth.py                                68     18    74%   65-79, 100, 106-109, 122-129, 153-158, 166
+innercontext/api/auth_deps.py                           25     13    48%   23, 36-48, 52-57
+innercontext/api/authz.py                              100     79    21%   16, 20, 24-27, 31, 35-40, 48-51, 60-66, 75-83, 89-93, 105-108, 116-133, 141-150, 156-177
+innercontext/api/health.py                             236    113    52%   77-81, 142-146, 156-163, 179-185, 195-204, 214, 231-243, 253-270, 285-298, 313-330, 341-353, 363-371, 395-463, 473-482, 492, 509-521, 531-539
+innercontext/api/inventory.py                           30     13    57%   26, 36-44, 53-60
+innercontext/api/llm_context.py                        106     58    45%   19-21, 31, 46, 59, 67, 77, 107-131, 138-149, 180-217
+innercontext/api/product_llm_tools.py                  107     51    52%   12-17, 25, 31, 33, 37, 50-80, 133-134, 144, 155-161, 193
+innercontext/api/products.py                           638    410    36%   81-89, 97, 106-126, 281-289, 299-301, 312-387, 396-431, 515, 519-537, 541-550, 560-566, 570-571, 581-631, 649-703, 714, 731, 853-891, 904-972, 981-992, 1002-1015, 1024-1029, 1043-1048, 1060-1072, 1081-1086, 1097-1232, 1238-1240, 1244-1257, 1263, 1296-1457
+innercontext/api/profile.py                             39      3    92%   39, 62-63
+innercontext/api/routines.py                           632    285    55%   67-84, 101-103, 112-117, 129-133, 309, 311, 313, 315, 319-324, 330, 334, 355, 398-399, 415-434, 451-479, 498-520, 552, 555, 559, 561, 563, 577-581, 587-600, 606, 620, 640-641, 664-693, 698, 709-710, 715, 719-721, 817, 819, 821, 827-833, 837-841, 927-929, 986-1002, 1019, 1023-1024, 1030, 1033, 1039, 1064-1065, 1069, 1115-1119, 1130, 1143-1348, 1358-1359, 1379-1386, 1397-1409, 1419-1427, 1443-1464, 1475-1491, 1501-1509, 1524-1529, 1540-1552, 1562-1570
+innercontext/api/skincare.py                           150     53    65%   103, 147-149, 162-166, 178-255, 272, 274, 276, 322-333, 343-350
+innercontext/api/utils.py                               22      7    68%   22-25, 43, 51, 59
+innercontext/auth.py                                   236    146    38%   64-77, 127-129, 133-137, 141-149, 153-156, 161-168, 187-192, 195-210, 213-217, 220-228, 231-248, 251-264, 267, 271-274, 279, 283-284, 288-317, 325-363, 373-384
+innercontext/llm.py                                    134    118    12%   22, 62-66, 74-102, 118-214, 231-326
+innercontext/llm_safety.py                              18     14    22%   17-45, 58-61, 80-83
+innercontext/models/__init__.py                         13      0   100%
+innercontext/models/ai_log.py                           33      0   100%
+innercontext/models/api_metadata.py                     15      0   100%
+innercontext/models/base.py                              3      0   100%
+innercontext/models/domain.py                            4      0   100%
+innercontext/models/enums.py                           152      0   100%
+innercontext/models/health.py                           64      0   100%
+innercontext/models/household.py                        14      0   100%
+innercontext/models/household_membership.py             20      0   100%
+innercontext/models/pricing.py                          19      0   100%
+innercontext/models/product.py                         226     67    70%   78, 203-205, 209-230, 250, 253, 255, 257, 259, 261, 263, 265, 267, 269, 271, 273, 275-288, 291-298, 304, 306, 309-315, 318, 320, 331, 333, 336, 338, 340, 342, 349-354
+innercontext/models/profile.py                          17      0   100%
+innercontext/models/routine.py                          42      0   100%
+innercontext/models/skincare.py                         37      0   100%
+innercontext/models/user.py                             19      0   100%
+innercontext/services/__init__.py                        0      0   100%
+innercontext/services/fx.py                             57     42    26%   16, 20-22, 26-48, 54-67, 71-77
+innercontext/services/pricing_jobs.py                   89     71    20%   28-49, 53-67, 71-80, 89-107, 111-130, 134-138
+innercontext/validators/__init__.py                      7      0   100%
+innercontext/validators/base.py                         22      3    86%   27, 35, 52
+innercontext/validators/batch_validator.py             128    105    18%   37, 58-154, 167-203, 214-240, 249-273
+innercontext/validators/photo_validator.py              65     54    17%   58-134, 144-152, 164-178
+innercontext/validators/product_parse_validator.py     110     93    15%   108-154, 164-172, 185-198, 205-239, 243-267, 273-319, 325-339
+innercontext/validators/routine_validator.py           146     90    38%   72-73, 92-95, 98-101, 107-147, 151, 158, 175, 182-197, 201-218, 229-246, 259-275, 288-309
+innercontext/validators/shopping_validator.py           78     58    26%   49-96, 102-114, 122-123, 136-142, 150-161, 169-203
+----------------------------------------------------------------------------------
+TOTAL                                                 3984   1998    50%
+Coverage HTML written to dir htmlcov
+============================== 1 passed in 0.47s ===============================
diff --git a/.sisyphus/evidence/task-T8-backend-qa.log b/.sisyphus/evidence/task-T8-backend-qa.log
new file mode 100644
index 0000000..79fc782
--- /dev/null
+++ b/.sisyphus/evidence/task-T8-backend-qa.log
@@ -0,0 +1,158 @@
+INFO:     Started server process [65594]
+INFO:     Waiting for application startup.
+INFO:     Application startup complete.
+INFO:     Uvicorn running on http://127.0.0.1:8001 (Press CTRL+C to quit)
+INFO:     127.0.0.1:56744 - "GET /health-check HTTP/1.1" 200 OK
+INFO:     127.0.0.1:56751 - "GET /health-check HTTP/1.1" 200 OK
+INFO:     127.0.0.1:56758 - "GET /health-check HTTP/1.1" 200 OK
+INFO:     127.0.0.1:56764 - "GET /health-check HTTP/1.1" 200 OK
+INFO:     127.0.0.1:56770 - "GET /health-check HTTP/1.1" 200 OK
+INFO:     127.0.0.1:56776 - "GET /health-check HTTP/1.1" 200 OK
+INFO:     127.0.0.1:56782 - "GET /health-check HTTP/1.1" 200 OK
+INFO:     127.0.0.1:56788 - "GET /health-check HTTP/1.1" 200 OK
+INFO:     127.0.0.1:56794 - "GET /health-check HTTP/1.1" 200 OK
+INFO:     127.0.0.1:56800 - "GET /health-check HTTP/1.1" 200 OK
+INFO:     127.0.0.1:56806 - "GET /health-check HTTP/1.1" 200 OK
+INFO:     127.0.0.1:56813 - "GET /health-check HTTP/1.1" 200 OK
+INFO:     127.0.0.1:56820 - "GET /health-check HTTP/1.1" 200 OK
+INFO:     127.0.0.1:56826 - "GET /health-check HTTP/1.1" 200 OK
+INFO:     127.0.0.1:56832 - "GET /health-check HTTP/1.1" 200 OK
+INFO:     127.0.0.1:56838 - "GET /health-check HTTP/1.1" 200 OK
+INFO:     127.0.0.1:56844 - "GET /health-check HTTP/1.1" 200 OK
+INFO:     127.0.0.1:56850 - "GET /health-check HTTP/1.1" 200 OK
+INFO:     127.0.0.1:56856 - "GET /health-check HTTP/1.1" 200 OK
+INFO:     127.0.0.1:56862 - "GET /health-check HTTP/1.1" 200 OK
+INFO:     127.0.0.1:56868 - "GET /health-check HTTP/1.1" 200 OK
+INFO:     127.0.0.1:56874 - "GET /health-check HTTP/1.1" 200 OK
+INFO:     127.0.0.1:56880 - "GET /health-check HTTP/1.1" 200 OK
+INFO:     127.0.0.1:56887 - "GET /health-check HTTP/1.1" 200 OK
+INFO:     127.0.0.1:56893 - "GET /health-check HTTP/1.1" 200 OK
+INFO:     127.0.0.1:56899 - "GET /health-check HTTP/1.1" 200 OK
+INFO:     127.0.0.1:56905 - "GET /health-check HTTP/1.1" 200 OK
+INFO:     127.0.0.1:56911 - "GET /health-check HTTP/1.1" 200 OK
+INFO:     127.0.0.1:56917 - "GET /health-check HTTP/1.1" 200 OK
+INFO:     127.0.0.1:56923 - "GET /health-check HTTP/1.1" 200 OK
+INFO:     127.0.0.1:56940 - "POST /auth/session/sync HTTP/1.1" 500 Internal Server Error
+ERROR:    Exception in ASGI application
+Traceback (most recent call last):
+  File "/Users/piotr/dev/innercontext/backend/.venv/lib/python3.12/site-packages/sqlalchemy/engine/base.py", line 1967, in _exec_single_context
+    self.dialect.do_execute(
+  File "/Users/piotr/dev/innercontext/backend/.venv/lib/python3.12/site-packages/sqlalchemy/engine/default.py", line 952, in do_execute
+    cursor.execute(statement, parameters)
+  File "/Users/piotr/dev/innercontext/backend/.venv/lib/python3.12/site-packages/psycopg/cursor.py", line 117, in execute
+    raise ex.with_traceback(None)
+psycopg.errors.UndefinedColumn: column user_profiles.user_id does not exist
+LINE 1: SELECT user_profiles.id, user_profiles.user_id, user_profile...
+                                 ^
+
+The above exception was the direct cause of the following exception:
+
+Traceback (most recent call last):
+  File "/Users/piotr/dev/innercontext/backend/.venv/lib/python3.12/site-packages/uvicorn/protocols/http/httptools_impl.py", line 416, in run_asgi
+    result = await app(  # type: ignore[func-returns-value]
+             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+  File "/Users/piotr/dev/innercontext/backend/.venv/lib/python3.12/site-packages/uvicorn/middleware/proxy_headers.py", line 60, in __call__
+    return await self.app(scope, receive, send)
+           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+  File "/Users/piotr/dev/innercontext/backend/.venv/lib/python3.12/site-packages/fastapi/applications.py", line 1158, in __call__
+    await super().__call__(scope, receive, send)
+  File "/Users/piotr/dev/innercontext/backend/.venv/lib/python3.12/site-packages/starlette/applications.py", line 107, in __call__
+    await self.middleware_stack(scope, receive, send)
+  File "/Users/piotr/dev/innercontext/backend/.venv/lib/python3.12/site-packages/starlette/middleware/errors.py", line 186, in __call__
+    raise exc
+  File "/Users/piotr/dev/innercontext/backend/.venv/lib/python3.12/site-packages/starlette/middleware/errors.py", line 164, in __call__
+    await self.app(scope, receive, _send)
+  File "/Users/piotr/dev/innercontext/backend/.venv/lib/python3.12/site-packages/starlette/middleware/cors.py", line 87, in __call__
+    await self.app(scope, receive, send)
+  File "/Users/piotr/dev/innercontext/backend/.venv/lib/python3.12/site-packages/starlette/middleware/exceptions.py", line 63, in __call__
+    await wrap_app_handling_exceptions(self.app, conn)(scope, receive, send)
+  File "/Users/piotr/dev/innercontext/backend/.venv/lib/python3.12/site-packages/starlette/_exception_handler.py", line 53, in wrapped_app
+    raise exc
+  File "/Users/piotr/dev/innercontext/backend/.venv/lib/python3.12/site-packages/starlette/_exception_handler.py", line 42, in wrapped_app
+    await app(scope, receive, sender)
+  File "/Users/piotr/dev/innercontext/backend/.venv/lib/python3.12/site-packages/fastapi/middleware/asyncexitstack.py", line 18, in __call__
+    await self.app(scope, receive, send)
+  File "/Users/piotr/dev/innercontext/backend/.venv/lib/python3.12/site-packages/starlette/routing.py", line 716, in __call__
+    await self.middleware_stack(scope, receive, send)
+  File "/Users/piotr/dev/innercontext/backend/.venv/lib/python3.12/site-packages/starlette/routing.py", line 736, in app
+    await route.handle(scope, receive, send)
+  File "/Users/piotr/dev/innercontext/backend/.venv/lib/python3.12/site-packages/starlette/routing.py", line 290, in handle
+    await self.app(scope, receive, send)
+  File "/Users/piotr/dev/innercontext/backend/.venv/lib/python3.12/site-packages/fastapi/routing.py", line 119, in app
+    await wrap_app_handling_exceptions(app, request)(scope, receive, send)
+  File "/Users/piotr/dev/innercontext/backend/.venv/lib/python3.12/site-packages/starlette/_exception_handler.py", line 53, in wrapped_app
+    raise exc
+  File "/Users/piotr/dev/innercontext/backend/.venv/lib/python3.12/site-packages/starlette/_exception_handler.py", line 42, in wrapped_app
+    await app(scope, receive, sender)
+  File "/Users/piotr/dev/innercontext/backend/.venv/lib/python3.12/site-packages/fastapi/routing.py", line 105, in app
+    response = await f(request)
+               ^^^^^^^^^^^^^^^^
+  File "/Users/piotr/dev/innercontext/backend/.venv/lib/python3.12/site-packages/fastapi/routing.py", line 431, in app
+    raw_response = await run_endpoint_function(
+                   ^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+  File "/Users/piotr/dev/innercontext/backend/.venv/lib/python3.12/site-packages/fastapi/routing.py", line 315, in run_endpoint_function
+    return await run_in_threadpool(dependant.call, **values)
+           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+  File "/Users/piotr/dev/innercontext/backend/.venv/lib/python3.12/site-packages/starlette/concurrency.py", line 32, in run_in_threadpool
+    return await anyio.to_thread.run_sync(func)
+           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+  File "/Users/piotr/dev/innercontext/backend/.venv/lib/python3.12/site-packages/anyio/to_thread.py", line 63, in run_sync
+    return await get_async_backend().run_sync_in_worker_thread(
+           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+  File "/Users/piotr/dev/innercontext/backend/.venv/lib/python3.12/site-packages/anyio/_backends/_asyncio.py", line 2502, in run_sync_in_worker_thread
+    return await future
+           ^^^^^^^^^^^^
+  File "/Users/piotr/dev/innercontext/backend/.venv/lib/python3.12/site-packages/anyio/_backends/_asyncio.py", line 986, in run
+    result = context.run(func, *args)
+             ^^^^^^^^^^^^^^^^^^^^^^^^
+  File "/Users/piotr/dev/innercontext/backend/innercontext/api/auth.py", line 158, in sync_session
+    return _response(session, synced_user)
+           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+  File "/Users/piotr/dev/innercontext/backend/innercontext/api/auth.py", line 143, in _response
+    profile=_profile_public(_get_profile(session, current_user.user_id)),
+                            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+  File "/Users/piotr/dev/innercontext/backend/innercontext/api/auth.py", line 100, in _get_profile
+    return session.exec(
+           ^^^^^^^^^^^^^
+  File "/Users/piotr/dev/innercontext/backend/.venv/lib/python3.12/site-packages/sqlmodel/orm/session.py", line 75, in exec
+    results = super().execute(
+              ^^^^^^^^^^^^^^^^
+  File "/Users/piotr/dev/innercontext/backend/.venv/lib/python3.12/site-packages/sqlalchemy/orm/session.py", line 2351, in execute
+    return self._execute_internal(
+           ^^^^^^^^^^^^^^^^^^^^^^^
+  File "/Users/piotr/dev/innercontext/backend/.venv/lib/python3.12/site-packages/sqlalchemy/orm/session.py", line 2249, in _execute_internal
+    result: Result[Any] = compile_state_cls.orm_execute_statement(
+                          ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+  File "/Users/piotr/dev/innercontext/backend/.venv/lib/python3.12/site-packages/sqlalchemy/orm/context.py", line 306, in orm_execute_statement
+    result = conn.execute(
+             ^^^^^^^^^^^^^
+  File "/Users/piotr/dev/innercontext/backend/.venv/lib/python3.12/site-packages/sqlalchemy/engine/base.py", line 1419, in execute
+    return meth(
+           ^^^^^
+  File "/Users/piotr/dev/innercontext/backend/.venv/lib/python3.12/site-packages/sqlalchemy/sql/elements.py", line 527, in _execute_on_connection
+    return connection._execute_clauseelement(
+           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+  File "/Users/piotr/dev/innercontext/backend/.venv/lib/python3.12/site-packages/sqlalchemy/engine/base.py", line 1641, in _execute_clauseelement
+    ret = self._execute_context(
+          ^^^^^^^^^^^^^^^^^^^^^^
+  File "/Users/piotr/dev/innercontext/backend/.venv/lib/python3.12/site-packages/sqlalchemy/engine/base.py", line 1846, in _execute_context
+    return self._exec_single_context(
+           ^^^^^^^^^^^^^^^^^^^^^^^^^^
+  File "/Users/piotr/dev/innercontext/backend/.venv/lib/python3.12/site-packages/sqlalchemy/engine/base.py", line 1986, in _exec_single_context
+    self._handle_dbapi_exception(
+  File "/Users/piotr/dev/innercontext/backend/.venv/lib/python3.12/site-packages/sqlalchemy/engine/base.py", line 2363, in _handle_dbapi_exception
+    raise sqlalchemy_exception.with_traceback(exc_info[2]) from e
+  File "/Users/piotr/dev/innercontext/backend/.venv/lib/python3.12/site-packages/sqlalchemy/engine/base.py", line 1967, in _exec_single_context
+    self.dialect.do_execute(
+  File "/Users/piotr/dev/innercontext/backend/.venv/lib/python3.12/site-packages/sqlalchemy/engine/default.py", line 952, in do_execute
+    cursor.execute(statement, parameters)
+  File "/Users/piotr/dev/innercontext/backend/.venv/lib/python3.12/site-packages/psycopg/cursor.py", line 117, in execute
+    raise ex.with_traceback(None)
+sqlalchemy.exc.ProgrammingError: (psycopg.errors.UndefinedColumn) column user_profiles.user_id does not exist
+LINE 1: SELECT user_profiles.id, user_profiles.user_id, user_profile...
+                                 ^
+[SQL: SELECT user_profiles.id, user_profiles.user_id, user_profiles.birth_date, user_profiles.sex_at_birth, user_profiles.created_at, user_profiles.updated_at 
+FROM user_profiles 
+WHERE user_profiles.user_id = %(user_id_1)s::UUID]
+[parameters: {'user_id_1': UUID('c6968c10-98af-4a32-a794-708aca0cc362')}]
+(Background on this error at: https://sqlalche.me/e/20/f405)
diff --git a/.sisyphus/evidence/task-T8-backend-sqlite.log b/.sisyphus/evidence/task-T8-backend-sqlite.log
new file mode 100644
index 0000000..56a3ee9
--- /dev/null
+++ b/.sisyphus/evidence/task-T8-backend-sqlite.log
@@ -0,0 +1,40 @@
+INFO:     Started server process [67156]
+INFO:     Waiting for application startup.
+INFO:     Application startup complete.
+INFO:     Uvicorn running on http://127.0.0.1:8002 (Press CTRL+C to quit)
+INFO:     127.0.0.1:56962 - "GET /health-check HTTP/1.1" 200 OK
+INFO:     127.0.0.1:56974 - "POST /auth/session/sync HTTP/1.1" 200 OK
+INFO:     127.0.0.1:57014 - "GET /routines?from_date=2026-02-26 HTTP/1.1" 200 OK
+INFO:     127.0.0.1:57015 - "GET /skincare?from_date=2026-01-11 HTTP/1.1" 200 OK
+INFO:     127.0.0.1:57016 - "GET /health/lab-results?latest_only=true&limit=8 HTTP/1.1" 200 OK
+INFO:     127.0.0.1:57024 - "GET /routines?from_date=2026-02-26 HTTP/1.1" 200 OK
+INFO:     127.0.0.1:57025 - "GET /skincare?from_date=2026-01-11 HTTP/1.1" 200 OK
+INFO:     127.0.0.1:57026 - "GET /health/lab-results?latest_only=true&limit=8 HTTP/1.1" 200 OK
+INFO:     127.0.0.1:57035 - "GET /routines?from_date=2026-02-26 HTTP/1.1" 200 OK
+INFO:     127.0.0.1:57036 - "GET /skincare?from_date=2026-01-11 HTTP/1.1" 200 OK
+INFO:     127.0.0.1:57037 - "GET /health/lab-results?latest_only=true&limit=8 HTTP/1.1" 200 OK
+INFO:     127.0.0.1:57035 - "GET /products/summary HTTP/1.1" 200 OK
+INFO:     127.0.0.1:57035 - "GET /profile HTTP/1.1" 200 OK
+INFO:     127.0.0.1:57035 - "GET /routines?from_date=2026-02-10 HTTP/1.1" 200 OK
+INFO:     127.0.0.1:57075 - "POST /auth/session/sync HTTP/1.1" 200 OK
+INFO:     127.0.0.1:57075 - "GET /products/summary HTTP/1.1" 200 OK
+INFO:     127.0.0.1:57089 - "POST /auth/session/sync HTTP/1.1" 200 OK
+INFO:     127.0.0.1:57089 - "GET /routines?from_date=2026-02-26 HTTP/1.1" 200 OK
+INFO:     127.0.0.1:57090 - "GET /skincare?from_date=2026-01-11 HTTP/1.1" 200 OK
+INFO:     127.0.0.1:57091 - "GET /health/lab-results?latest_only=true&limit=8 HTTP/1.1" 200 OK
+INFO:     127.0.0.1:57089 - "GET /products/summary HTTP/1.1" 200 OK
+INFO:     127.0.0.1:57109 - "POST /auth/session/sync HTTP/1.1" 200 OK
+INFO:     127.0.0.1:57109 - "GET /routines?from_date=2026-02-26 HTTP/1.1" 200 OK
+INFO:     127.0.0.1:57110 - "GET /skincare?from_date=2026-01-11 HTTP/1.1" 200 OK
+INFO:     127.0.0.1:57111 - "GET /health/lab-results?latest_only=true&limit=8 HTTP/1.1" 200 OK
+INFO:     127.0.0.1:57166 - "GET /routines?from_date=2026-02-26 HTTP/1.1" 200 OK
+INFO:     127.0.0.1:57167 - "GET /skincare?from_date=2026-01-11 HTTP/1.1" 200 OK
+INFO:     127.0.0.1:57168 - "GET /health/lab-results?latest_only=true&limit=8 HTTP/1.1" 200 OK
+INFO:     127.0.0.1:57182 - "POST /auth/session/sync HTTP/1.1" 200 OK
+INFO:     127.0.0.1:57182 - "GET /routines?from_date=2026-02-26 HTTP/1.1" 200 OK
+INFO:     127.0.0.1:57183 - "GET /skincare?from_date=2026-01-11 HTTP/1.1" 200 OK
+INFO:     127.0.0.1:57184 - "GET /health/lab-results?latest_only=true&limit=8 HTTP/1.1" 200 OK
+INFO:     127.0.0.1:57182 - "GET /routines?from_date=2026-02-26 HTTP/1.1" 200 OK
+INFO:     127.0.0.1:57183 - "GET /skincare?from_date=2026-01-11 HTTP/1.1" 200 OK
+INFO:     127.0.0.1:57184 - "GET /health/lab-results?latest_only=true&limit=8 HTTP/1.1" 200 OK
+INFO:     127.0.0.1:57401 - "GET /profile HTTP/1.1" 200 OK
diff --git a/.sisyphus/evidence/task-T8-backend.log b/.sisyphus/evidence/task-T8-backend.log
new file mode 100644
index 0000000..ad37dc7
--- /dev/null
+++ b/.sisyphus/evidence/task-T8-backend.log
@@ -0,0 +1,5 @@
+INFO:     Started server process [63874]
+INFO:     Waiting for application startup.
+INFO:     Application startup complete.
+INFO:     Uvicorn running on http://127.0.0.1:8000 (Press CTRL+C to quit)
+INFO:     127.0.0.1:56616 - "GET /health-check HTTP/1.1" 200 OK
diff --git a/.sisyphus/evidence/task-T8-frontend-qa.log b/.sisyphus/evidence/task-T8-frontend-qa.log
new file mode 100644
index 0000000..765ebaa
--- /dev/null
+++ b/.sisyphus/evidence/task-T8-frontend-qa.log
@@ -0,0 +1,44 @@
+
+> frontend@0.0.1 dev /Users/piotr/dev/innercontext/frontend
+> vite dev --host 127.0.0.1 --port 4174
+
+✔ [paraglide-js] Compilation complete (locale-modules)
+
+  VITE v7.3.1  ready in 1355 ms
+
+  ➜  Local:   http://127.0.0.1:4174/
+
+[404] GET /favicon.ico
+16:19:52 [vite] (ssr) page reload .svelte-kit/generated/server/internal.js
+16:19:52 [vite] (ssr) page reload .svelte-kit/generated/root.svelte
+16:19:52 [vite] (ssr) page reload .svelte-kit/generated/root.js
+16:19:53 [vite] (ssr) page reload src/lib/paraglide/server.js
+16:19:53 [vite] (ssr) page reload src/lib/paraglide/registry.js
+16:19:53 [vite] (ssr) page reload src/lib/paraglide/messages.js
+16:19:53 [vite] (ssr) page reload src/lib/paraglide/runtime.js
+16:19:53 [vite] (ssr) page reload src/lib/paraglide/messages/_index.js
+16:19:53 [vite] (ssr) page reload src/lib/paraglide/messages/en.js
+16:19:53 [vite] (ssr) page reload src/lib/paraglide/messages/pl.js
+16:19:53 [vite] (ssr) page reload src/lib/paraglide/messages/en.js
+16:19:53 [vite] (ssr) page reload src/lib/paraglide/messages/pl.js
+16:19:53 [vite] (ssr) page reload src/lib/paraglide/server.js
+16:19:53 [vite] (ssr) page reload src/lib/paraglide/messages.js
+16:19:53 [vite] (ssr) page reload src/lib/paraglide/runtime.js
+16:19:53 [vite] (ssr) page reload src/lib/paraglide/messages/pl.js
+16:19:53 [vite] (ssr) page reload src/lib/paraglide/registry.js
+16:19:53 [vite] (ssr) page reload src/lib/paraglide/messages/_index.js
+16:19:53 [vite] (ssr) page reload src/lib/paraglide/messages/en.js
+16:21:17 [vite] (ssr) page reload src/lib/api.ts
+16:23:49 [vite] (ssr) page reload src/routes/+layout.svelte
+16:24:41 [vite] (ssr) page reload .svelte-kit/generated/server/internal.js
+16:24:41 [vite] (ssr) page reload .svelte-kit/generated/root.svelte
+16:24:41 [vite] (ssr) page reload .svelte-kit/generated/root.js
+16:24:42 [vite] (ssr) page reload src/lib/paraglide/runtime.js
+16:24:42 [vite] (ssr) page reload src/lib/paraglide/server.js
+16:24:42 [vite] (ssr) page reload src/lib/paraglide/registry.js
+16:24:42 [vite] (ssr) page reload src/lib/paraglide/messages.js
+16:24:42 [vite] (ssr) page reload src/lib/paraglide/messages/en.js
+16:24:42 [vite] (ssr) page reload src/lib/paraglide/messages/_index.js
+16:24:42 [vite] (ssr) page reload src/lib/paraglide/messages/pl.js
+16:24:42 [vite] (ssr) page reload src/lib/paraglide/messages/_index.js
+16:24:42 [vite] (ssr) page reload src/lib/paraglide/messages/_index.js
diff --git a/.sisyphus/evidence/task-T8-frontend-sqlite.log b/.sisyphus/evidence/task-T8-frontend-sqlite.log
new file mode 100644
index 0000000..d81d4ed
--- /dev/null
+++ b/.sisyphus/evidence/task-T8-frontend-sqlite.log
@@ -0,0 +1,56 @@
+
+> frontend@0.0.1 dev /Users/piotr/dev/innercontext/frontend
+> vite dev --host 127.0.0.1 --port 4175
+
+✔ [paraglide-js] Compilation complete (locale-modules)
+
+  VITE v7.3.1  ready in 1402 ms
+
+  ➜  Local:   http://127.0.0.1:4175/
+
+[404] GET /api/routines
+
+[404] GET /api/skincare
+
+[404] GET /api/health/lab-results
+
+[500] GET /
+Error: Not Found
+    at request (src/lib/api.ts:68:11)
+    at process.processTicksAndRejections (node:internal/process/task_queues:104:5)
+    at async Promise.all (index 0)
+    at async load (src/routes/+page.server.ts:9:44)
+
+[404] GET /favicon.ico
+16:21:17 [vite] (ssr) page reload src/lib/api.ts
+Avoid calling `fetch` eagerly during server-side rendering — put your `fetch` calls inside `onMount` or a `load` function instead
+Avoid calling `fetch` eagerly during server-side rendering — put your `fetch` calls inside `onMount` or a `load` function instead
+16:23:49 [vite] (client) hmr update /src/routes/+layout.svelte, /src/app.css
+16:23:49 [vite] (ssr) page reload src/routes/+layout.svelte
+16:24:41 [vite] (client) page reload .svelte-kit/generated/client/nodes/0.js
+16:24:41 [vite] (client) page reload .svelte-kit/generated/client/nodes/1.js
+16:24:41 [vite] (client) page reload .svelte-kit/generated/client/nodes/2.js
+16:24:41 [vite] (client) page reload .svelte-kit/generated/client/nodes/7.js
+16:24:41 [vite] (client) page reload .svelte-kit/generated/client/nodes/11.js
+16:24:41 [vite] (client) page reload .svelte-kit/generated/client/nodes/12.js
+16:24:41 [vite] (client) page reload .svelte-kit/generated/client/app.js
+16:24:41 [vite] (client) page reload .svelte-kit/generated/client/matchers.js
+16:24:41 [vite] (ssr) page reload .svelte-kit/generated/server/internal.js
+16:24:41 [vite] (client) page reload .svelte-kit/generated/root.js
+16:24:41 [vite] (ssr) page reload .svelte-kit/generated/root.js
+16:24:41 [vite] (ssr) page reload .svelte-kit/generated/root.svelte
+16:24:42 [vite] (client) hmr update /src/lib/components/LanguageSwitcher.svelte, /src/routes/+layout.svelte, /src/routes/+page.svelte, /src/routes/products/+page.svelte, /src/routes/profile/+page.svelte, /src/routes/routines/+page.svelte
+16:24:42 [vite] (ssr) page reload src/lib/paraglide/runtime.js
+16:24:42 [vite] (ssr) page reload src/lib/paraglide/server.js
+16:24:42 [vite] (client) hmr update /src/routes/+layout.svelte, /src/routes/+page.svelte, /src/routes/products/+page.svelte, /src/routes/profile/+page.svelte, /src/routes/routines/+page.svelte
+16:24:42 [vite] (ssr) page reload src/lib/paraglide/registry.js
+16:24:42 [vite] (client) hmr update /src/routes/+layout.svelte, /src/routes/+page.svelte, /src/routes/products/+page.svelte, /src/routes/profile/+page.svelte, /src/routes/routines/+page.svelte
+16:24:42 [vite] (ssr) page reload src/lib/paraglide/messages.js
+16:24:42 [vite] (client) hmr update /src/routes/+layout.svelte, /src/routes/+page.svelte, /src/routes/products/+page.svelte, /src/routes/profile/+page.svelte, /src/routes/routines/+page.svelte
+16:24:42 [vite] (ssr) page reload src/lib/paraglide/messages/_index.js
+16:24:42 [vite] (client) page reload src/lib/paraglide/messages/en.js
+16:24:42 [vite] (ssr) page reload src/lib/paraglide/messages/en.js
+16:24:42 [vite] (client) page reload src/lib/paraglide/messages/pl.js
+16:24:42 [vite] (ssr) page reload src/lib/paraglide/messages/pl.js
+16:24:42 [vite] (client) hmr update /src/routes/+layout.svelte, /src/routes/+page.svelte, /src/routes/products/+page.svelte, /src/routes/profile/+page.svelte, /src/routes/routines/+page.svelte
+16:24:42 [vite] (ssr) page reload src/lib/paraglide/messages/_index.js
diff --git a/.sisyphus/evidence/task-T8-frontend.log b/.sisyphus/evidence/task-T8-frontend.log
new file mode 100644
index 0000000..923a3c1
--- /dev/null
+++ b/.sisyphus/evidence/task-T8-frontend.log
@@ -0,0 +1,228 @@
+
+> frontend@0.0.1 dev /Users/piotr/dev/innercontext/frontend
+> vite dev --host 127.0.0.1 --port 4173
+
+✔ [paraglide-js] Compilation complete (locale-modules)
+16:14:07 [vite] (client) Re-optimizing dependencies because lockfile has changed
+
+  VITE v7.3.1  ready in 1541 ms
+
+  ➜  Local:   http://127.0.0.1:4173/
+
+[500] GET /auth/login
+Error: Missing required auth environment variable: OIDC_ISSUER
+    at requiredEnv (src/lib/server/auth.ts:111:11)
+    at getAuthConfig (src/lib/server/auth.ts:94:18)
+    at getSecretKey (src/lib/server/auth.ts:136:22)
+    at encryptValue (src/lib/server/auth.ts:160:15)
+    at setLoginFlowCookie (src/lib/server/auth.ts:514:5)
+    at createLoginRedirect (src/lib/server/auth.ts:533:3)
+    at GET (src/routes/auth/login/+server.ts:6:26)
+
+[500] GET /auth/login
+Error: Missing required auth environment variable: OIDC_ISSUER
+    at requiredEnv (src/lib/server/auth.ts:111:11)
+    at getAuthConfig (src/lib/server/auth.ts:94:18)
+    at getSecretKey (src/lib/server/auth.ts:136:22)
+    at encryptValue (src/lib/server/auth.ts:160:15)
+    at setLoginFlowCookie (src/lib/server/auth.ts:514:5)
+    at createLoginRedirect (src/lib/server/auth.ts:533:3)
+    at GET (src/routes/auth/login/+server.ts:6:26)
+
+[500] GET /auth/login
+Error: Missing required auth environment variable: OIDC_ISSUER
+    at requiredEnv (src/lib/server/auth.ts:111:11)
+    at getAuthConfig (src/lib/server/auth.ts:94:18)
+    at getSecretKey (src/lib/server/auth.ts:136:22)
+    at encryptValue (src/lib/server/auth.ts:160:15)
+    at setLoginFlowCookie (src/lib/server/auth.ts:514:5)
+    at createLoginRedirect (src/lib/server/auth.ts:533:3)
+    at GET (src/routes/auth/login/+server.ts:6:26)
+
+[500] GET /auth/login
+Error: Missing required auth environment variable: OIDC_ISSUER
+    at requiredEnv (src/lib/server/auth.ts:111:11)
+    at getAuthConfig (src/lib/server/auth.ts:94:18)
+    at getSecretKey (src/lib/server/auth.ts:136:22)
+    at encryptValue (src/lib/server/auth.ts:160:15)
+    at setLoginFlowCookie (src/lib/server/auth.ts:514:5)
+    at createLoginRedirect (src/lib/server/auth.ts:533:3)
+    at GET (src/routes/auth/login/+server.ts:6:26)
+
+[500] GET /auth/login
+Error: Missing required auth environment variable: OIDC_ISSUER
+    at requiredEnv (src/lib/server/auth.ts:111:11)
+    at getAuthConfig (src/lib/server/auth.ts:94:18)
+    at getSecretKey (src/lib/server/auth.ts:136:22)
+    at encryptValue (src/lib/server/auth.ts:160:15)
+    at setLoginFlowCookie (src/lib/server/auth.ts:514:5)
+    at createLoginRedirect (src/lib/server/auth.ts:533:3)
+    at GET (src/routes/auth/login/+server.ts:6:26)
+
+[500] GET /auth/login
+Error: Missing required auth environment variable: OIDC_ISSUER
+    at requiredEnv (src/lib/server/auth.ts:111:11)
+    at getAuthConfig (src/lib/server/auth.ts:94:18)
+    at getSecretKey (src/lib/server/auth.ts:136:22)
+    at encryptValue (src/lib/server/auth.ts:160:15)
+    at setLoginFlowCookie (src/lib/server/auth.ts:514:5)
+    at createLoginRedirect (src/lib/server/auth.ts:533:3)
+    at GET (src/routes/auth/login/+server.ts:6:26)
+
+[500] GET /auth/login
+Error: Missing required auth environment variable: OIDC_ISSUER
+    at requiredEnv (src/lib/server/auth.ts:111:11)
+    at getAuthConfig (src/lib/server/auth.ts:94:18)
+    at getSecretKey (src/lib/server/auth.ts:136:22)
+    at encryptValue (src/lib/server/auth.ts:160:15)
+    at setLoginFlowCookie (src/lib/server/auth.ts:514:5)
+    at createLoginRedirect (src/lib/server/auth.ts:533:3)
+    at GET (src/routes/auth/login/+server.ts:6:26)
+
+[500] GET /auth/login
+Error: Missing required auth environment variable: OIDC_ISSUER
+    at requiredEnv (src/lib/server/auth.ts:111:11)
+    at getAuthConfig (src/lib/server/auth.ts:94:18)
+    at getSecretKey (src/lib/server/auth.ts:136:22)
+    at encryptValue (src/lib/server/auth.ts:160:15)
+    at setLoginFlowCookie (src/lib/server/auth.ts:514:5)
+    at createLoginRedirect (src/lib/server/auth.ts:533:3)
+    at GET (src/routes/auth/login/+server.ts:6:26)
+
+[500] GET /auth/login
+Error: Missing required auth environment variable: OIDC_ISSUER
+    at requiredEnv (src/lib/server/auth.ts:111:11)
+    at getAuthConfig (src/lib/server/auth.ts:94:18)
+    at getSecretKey (src/lib/server/auth.ts:136:22)
+    at encryptValue (src/lib/server/auth.ts:160:15)
+    at setLoginFlowCookie (src/lib/server/auth.ts:514:5)
+    at createLoginRedirect (src/lib/server/auth.ts:533:3)
+    at GET (src/routes/auth/login/+server.ts:6:26)
+
+[500] GET /auth/login
+Error: Missing required auth environment variable: OIDC_ISSUER
+    at requiredEnv (src/lib/server/auth.ts:111:11)
+    at getAuthConfig (src/lib/server/auth.ts:94:18)
+    at getSecretKey (src/lib/server/auth.ts:136:22)
+    at encryptValue (src/lib/server/auth.ts:160:15)
+    at setLoginFlowCookie (src/lib/server/auth.ts:514:5)
+    at createLoginRedirect (src/lib/server/auth.ts:533:3)
+    at GET (src/routes/auth/login/+server.ts:6:26)
+
+[500] GET /auth/login
+Error: Missing required auth environment variable: OIDC_ISSUER
+    at requiredEnv (src/lib/server/auth.ts:111:11)
+    at getAuthConfig (src/lib/server/auth.ts:94:18)
+    at getSecretKey (src/lib/server/auth.ts:136:22)
+    at encryptValue (src/lib/server/auth.ts:160:15)
+    at setLoginFlowCookie (src/lib/server/auth.ts:514:5)
+    at createLoginRedirect (src/lib/server/auth.ts:533:3)
+    at GET (src/routes/auth/login/+server.ts:6:26)
+
+[500] GET /auth/login
+Error: Missing required auth environment variable: OIDC_ISSUER
+    at requiredEnv (src/lib/server/auth.ts:111:11)
+    at getAuthConfig (src/lib/server/auth.ts:94:18)
+    at getSecretKey (src/lib/server/auth.ts:136:22)
+    at encryptValue (src/lib/server/auth.ts:160:15)
+    at setLoginFlowCookie (src/lib/server/auth.ts:514:5)
+    at createLoginRedirect (src/lib/server/auth.ts:533:3)
+    at GET (src/routes/auth/login/+server.ts:6:26)
+
+[500] GET /auth/login
+Error: Missing required auth environment variable: OIDC_ISSUER
+    at requiredEnv (src/lib/server/auth.ts:111:11)
+    at getAuthConfig (src/lib/server/auth.ts:94:18)
+    at getSecretKey (src/lib/server/auth.ts:136:22)
+    at encryptValue (src/lib/server/auth.ts:160:15)
+    at setLoginFlowCookie (src/lib/server/auth.ts:514:5)
+    at createLoginRedirect (src/lib/server/auth.ts:533:3)
+    at GET (src/routes/auth/login/+server.ts:6:26)
+
+[500] GET /auth/login
+Error: Missing required auth environment variable: OIDC_ISSUER
+    at requiredEnv (src/lib/server/auth.ts:111:11)
+    at getAuthConfig (src/lib/server/auth.ts:94:18)
+    at getSecretKey (src/lib/server/auth.ts:136:22)
+    at encryptValue (src/lib/server/auth.ts:160:15)
+    at setLoginFlowCookie (src/lib/server/auth.ts:514:5)
+    at createLoginRedirect (src/lib/server/auth.ts:533:3)
+    at GET (src/routes/auth/login/+server.ts:6:26)
+
+[500] GET /auth/login
+Error: Missing required auth environment variable: OIDC_ISSUER
+    at requiredEnv (src/lib/server/auth.ts:111:11)
+    at getAuthConfig (src/lib/server/auth.ts:94:18)
+    at getSecretKey (src/lib/server/auth.ts:136:22)
+    at encryptValue (src/lib/server/auth.ts:160:15)
+    at setLoginFlowCookie (src/lib/server/auth.ts:514:5)
+    at createLoginRedirect (src/lib/server/auth.ts:533:3)
+    at GET (src/routes/auth/login/+server.ts:6:26)
+
+[500] GET /auth/login
+Error: Missing required auth environment variable: OIDC_ISSUER
+    at requiredEnv (src/lib/server/auth.ts:111:11)
+    at getAuthConfig (src/lib/server/auth.ts:94:18)
+    at getSecretKey (src/lib/server/auth.ts:136:22)
+    at encryptValue (src/lib/server/auth.ts:160:15)
+    at setLoginFlowCookie (src/lib/server/auth.ts:514:5)
+    at createLoginRedirect (src/lib/server/auth.ts:533:3)
+    at GET (src/routes/auth/login/+server.ts:6:26)
+
+[500] GET /auth/login
+Error: Missing required auth environment variable: OIDC_ISSUER
+    at requiredEnv (src/lib/server/auth.ts:111:11)
+    at getAuthConfig (src/lib/server/auth.ts:94:18)
+    at getSecretKey (src/lib/server/auth.ts:136:22)
+    at encryptValue (src/lib/server/auth.ts:160:15)
+    at setLoginFlowCookie (src/lib/server/auth.ts:514:5)
+    at createLoginRedirect (src/lib/server/auth.ts:533:3)
+    at GET (src/routes/auth/login/+server.ts:6:26)
+
+[500] GET /auth/login
+Error: Missing required auth environment variable: OIDC_ISSUER
+    at requiredEnv (src/lib/server/auth.ts:111:11)
+    at getAuthConfig (src/lib/server/auth.ts:94:18)
+    at getSecretKey (src/lib/server/auth.ts:136:22)
+    at encryptValue (src/lib/server/auth.ts:160:15)
+    at setLoginFlowCookie (src/lib/server/auth.ts:514:5)
+    at createLoginRedirect (src/lib/server/auth.ts:533:3)
+    at GET (src/routes/auth/login/+server.ts:6:26)
+
+[500] GET /auth/login
+Error: Missing required auth environment variable: OIDC_ISSUER
+    at requiredEnv (src/lib/server/auth.ts:111:11)
+    at getAuthConfig (src/lib/server/auth.ts:94:18)
+    at getSecretKey (src/lib/server/auth.ts:136:22)
+    at encryptValue (src/lib/server/auth.ts:160:15)
+    at setLoginFlowCookie (src/lib/server/auth.ts:514:5)
+    at createLoginRedirect (src/lib/server/auth.ts:533:3)
+    at GET (src/routes/auth/login/+server.ts:6:26)
+
+[500] GET /auth/login
+Error: Missing required auth environment variable: OIDC_ISSUER
+    at requiredEnv (src/lib/server/auth.ts:111:11)
+    at getAuthConfig (src/lib/server/auth.ts:94:18)
+    at getSecretKey (src/lib/server/auth.ts:136:22)
+    at encryptValue (src/lib/server/auth.ts:160:15)
+    at setLoginFlowCookie (src/lib/server/auth.ts:514:5)
+    at createLoginRedirect (src/lib/server/auth.ts:533:3)
+    at GET (src/routes/auth/login/+server.ts:6:26)
+16:18:10 [vite] (ssr) page reload .svelte-kit/generated/server/internal.js
+16:18:10 [vite] (ssr) page reload .svelte-kit/generated/root.svelte
+16:18:10 [vite] (ssr) page reload .svelte-kit/generated/root.js
+16:18:10 [vite] (ssr) page reload src/lib/paraglide/runtime.js
+16:18:10 [vite] (ssr) page reload src/lib/paraglide/server.js
+16:19:52 [vite] (ssr) page reload .svelte-kit/generated/server/internal.js
+16:19:52 [vite] (ssr) page reload .svelte-kit/generated/root.svelte
+16:19:52 [vite] (ssr) page reload .svelte-kit/generated/root.js
+16:19:53 [vite] (ssr) page reload src/lib/paraglide/server.js
+16:19:53 [vite] (ssr) page reload src/lib/paraglide/runtime.js
+16:19:53 [vite] (ssr) page reload src/lib/paraglide/server.js
+16:19:53 [vite] (ssr) page reload src/lib/paraglide/runtime.js
+16:21:17 [vite] (ssr) page reload src/lib/api.ts
+16:24:41 [vite] (ssr) page reload .svelte-kit/generated/server/internal.js
+16:24:41 [vite] (ssr) page reload .svelte-kit/generated/root.svelte
+16:24:41 [vite] (ssr) page reload .svelte-kit/generated/root.js
+16:24:42 [vite] (ssr) page reload src/lib/paraglide/runtime.js
+16:24:42 [vite] (ssr) page reload src/lib/paraglide/server.js
diff --git a/.sisyphus/evidence/task-T8-oidc-mock.log b/.sisyphus/evidence/task-T8-oidc-mock.log
new file mode 100644
index 0000000..66458f1
--- /dev/null
+++ b/.sisyphus/evidence/task-T8-oidc-mock.log
@@ -0,0 +1,85 @@
+"GET /.well-known/openid-configuration HTTP/1.1" 200 -
+"GET /.well-known/openid-configuration HTTP/1.1" 200 -
+"GET /authorize?client_id=innercontext-web&response_type=code&redirect_uri=http%3A%2F%2F127.0.0.1%3A4174%2Fauth%2Fcallback&scope=openid+profile+email+groups+offline_access&state=Pe0C5a4zQ4Vi55paBNm20bGetmj3Y3yX&code_challenge=bq7aLLFrO4nIa6kvBUM47B56asCKazcoQbOkATvooYM&code_challenge_method=S256 HTTP/1.1" 303 -
+"GET /.well-known/openid-configuration HTTP/1.1" 200 -
+"GET /authorize?client_id=innercontext-web&response_type=code&redirect_uri=http%3A%2F%2F127.0.0.1%3A4174%2Fauth%2Fcallback&scope=openid+profile+email+groups+offline_access&state=vt-gcRpDGF4HG7V1QCVbA-NX2WLV6UAY&code_challenge=UH0-E3tc3A3U3TCc-FUZDzvzJ1asqarJbznagQ8Lj7o&code_challenge_method=S256 HTTP/1.1" 303 -
+"GET /.well-known/openid-configuration HTTP/1.1" 200 -
+"GET /authorize?client_id=innercontext-web&response_type=code&redirect_uri=http%3A%2F%2F127.0.0.1%3A4174%2Fauth%2Fcallback&scope=openid+profile+email+groups+offline_access&state=m3l7BolBJCvjhuxRcsSFDZ6gZE6rqTb1&code_challenge=2g7E4QZDpYNRMtQUt5ryXhaYycdglHIeFM1UxZ-XDDs&code_challenge_method=S256 HTTP/1.1" 303 -
+"GET /.well-known/openid-configuration HTTP/1.1" 200 -
+"GET /authorize?client_id=innercontext-web&response_type=code&redirect_uri=http%3A%2F%2F127.0.0.1%3A4174%2Fauth%2Fcallback&scope=openid+profile+email+groups+offline_access&state=eoKVLYkr20ziVr_dZ8V9JWBkGowz7NYI&code_challenge=vUxYDfnKXdVXnk5aHxY8LjHKCszU3SEiIebjzFPv4J0&code_challenge_method=S256 HTTP/1.1" 303 -
+"GET /.well-known/openid-configuration HTTP/1.1" 200 -
+"GET /authorize?client_id=innercontext-web&response_type=code&redirect_uri=http%3A%2F%2F127.0.0.1%3A4174%2Fauth%2Fcallback&scope=openid+profile+email+groups+offline_access&state=pd7rjNvJbBvu6NQYuRX6D8bF5szwi8y9&code_challenge=SWGABggwp25CFq8PLbTT7DLSTsvezc77M9PGX_YYNPY&code_challenge_method=S256 HTTP/1.1" 303 -
+"GET /.well-known/openid-configuration HTTP/1.1" 200 -
+"GET /authorize?client_id=innercontext-web&response_type=code&redirect_uri=http%3A%2F%2F127.0.0.1%3A4174%2Fauth%2Fcallback&scope=openid+profile+email+groups+offline_access&state=In2AvuYgIN7a4n1xiCp1gHtVBn0zpdg-&code_challenge=5ys7xQwmLRLdhb9ZPyI0h3e0bxfaPzonIBTYr4uj6Xg&code_challenge_method=S256 HTTP/1.1" 303 -
+"GET /.well-known/openid-configuration HTTP/1.1" 200 -
+"GET /authorize?client_id=innercontext-web&response_type=code&redirect_uri=http%3A%2F%2F127.0.0.1%3A4174%2Fauth%2Fcallback&scope=openid+profile+email+groups+offline_access&state=P5shwVgZUoH9xchcI0o078fsgVweezIS&code_challenge=RmboHw0sdVGiU1POAwcptydVlhwdgUzQLLjUMT9S8OU&code_challenge_method=S256 HTTP/1.1" 303 -
+"GET /.well-known/openid-configuration HTTP/1.1" 200 -
+"GET /authorize?client_id=innercontext-web&response_type=code&redirect_uri=http%3A%2F%2F127.0.0.1%3A4174%2Fauth%2Fcallback&scope=openid+profile+email+groups+offline_access&state=Kp2yUUykkn9ImErvLiLfeOAmJscmF6q6&code_challenge=epJaom98WkEBzjRkkNcLTAp89sB5NkzYrdrjZRxWLok&code_challenge_method=S256 HTTP/1.1" 303 -
+"GET /.well-known/openid-configuration HTTP/1.1" 200 -
+"GET /authorize?client_id=innercontext-web&response_type=code&redirect_uri=http%3A%2F%2F127.0.0.1%3A4174%2Fauth%2Fcallback&scope=openid+profile+email+groups+offline_access&state=L86d5LRsIOMdz6WD744sjrwSe6iKkW0L&code_challenge=uvl59gn613ivLBLxHhQLPnEFAv48m7jTe9PBGknM1A0&code_challenge_method=S256 HTTP/1.1" 303 -
+"GET /.well-known/openid-configuration HTTP/1.1" 200 -
+"GET /authorize?client_id=innercontext-web&response_type=code&redirect_uri=http%3A%2F%2F127.0.0.1%3A4174%2Fauth%2Fcallback&scope=openid+profile+email+groups+offline_access&state=vCs34wOnVVizzt0YuT44Mb35qRNttfUH&code_challenge=drdkN8hf7ScN7PSjYY4wmpVhmRv2BJYRyCia0P3oPwM&code_challenge_method=S256 HTTP/1.1" 303 -
+"GET /.well-known/openid-configuration HTTP/1.1" 200 -
+"GET /authorize?client_id=innercontext-web&response_type=code&redirect_uri=http%3A%2F%2F127.0.0.1%3A4174%2Fauth%2Fcallback&scope=openid+profile+email+groups+offline_access&state=x7j_uSKquOLIvhjzs6SRbF81uQo1TGb_&code_challenge=nBHiDMdcFNj6JjXbJnB4-Ogsp98QtRplWP8IZnHXZ84&code_challenge_method=S256 HTTP/1.1" 303 -
+"GET /.well-known/openid-configuration HTTP/1.1" 200 -
+"GET /authorize?client_id=innercontext-web&response_type=code&redirect_uri=http%3A%2F%2F127.0.0.1%3A4174%2Fauth%2Fcallback&scope=openid+profile+email+groups+offline_access&state=Kbw1x2FH82MPkXsIs_cK-8-5uHbTpXl1&code_challenge=XweHN-subsxNoIOcpvxoqUx9ILiGh6RG5eHJ6O2jmKI&code_challenge_method=S256 HTTP/1.1" 303 -
+"GET /.well-known/openid-configuration HTTP/1.1" 200 -
+"GET /authorize?client_id=innercontext-web&response_type=code&redirect_uri=http%3A%2F%2F127.0.0.1%3A4174%2Fauth%2Fcallback&scope=openid+profile+email+groups+offline_access&state=-PIRB74zLnjfijXRSXKeVht6x0jjARr8&code_challenge=nno5wTo4kvMXh6Hbv9Q4UQ42Ah64rdX1RPh1Qas8FTQ&code_challenge_method=S256 HTTP/1.1" 303 -
+"GET /.well-known/openid-configuration HTTP/1.1" 200 -
+"GET /authorize?client_id=innercontext-web&response_type=code&redirect_uri=http%3A%2F%2F127.0.0.1%3A4174%2Fauth%2Fcallback&scope=openid+profile+email+groups+offline_access&state=ttM5YXVAn1VugFsWVIw9DpnRtYnUfMWW&code_challenge=5cMexMQ8ioSPTSw1FAuAImlWZm5ogbZ5vemeAZtXjvs&code_challenge_method=S256 HTTP/1.1" 303 -
+"GET /.well-known/openid-configuration HTTP/1.1" 200 -
+"GET /authorize?client_id=innercontext-web&response_type=code&redirect_uri=http%3A%2F%2F127.0.0.1%3A4174%2Fauth%2Fcallback&scope=openid+profile+email+groups+offline_access&state=Psc20ibq2QaTNOYGWuGsWopRtcIYMyDt&code_challenge=wsR_Ly1BzlxHsHCFOcoLNXi5hbRVej1iowuBCynBEXQ&code_challenge_method=S256 HTTP/1.1" 303 -
+"GET /.well-known/openid-configuration HTTP/1.1" 200 -
+"GET /authorize?client_id=innercontext-web&response_type=code&redirect_uri=http%3A%2F%2F127.0.0.1%3A4174%2Fauth%2Fcallback&scope=openid+profile+email+groups+offline_access&state=Qynh8qyA--irimulhuBnjW7vheoMFv1d&code_challenge=UW4T2DllHIe-d48yu4B33kMEJ8CZuk4uG-g8xGELX2U&code_challenge_method=S256 HTTP/1.1" 303 -
+"GET /.well-known/openid-configuration HTTP/1.1" 200 -
+"GET /authorize?client_id=innercontext-web&response_type=code&redirect_uri=http%3A%2F%2F127.0.0.1%3A4174%2Fauth%2Fcallback&scope=openid+profile+email+groups+offline_access&state=6i9k2lfIJpNcPY_bE-BjmnEyatt6eSEO&code_challenge=LilRpHaBD6Iij-x69kT0jg9hebm66PUSGBP3CkPQ4R0&code_challenge_method=S256 HTTP/1.1" 303 -
+"GET /.well-known/openid-configuration HTTP/1.1" 200 -
+"GET /authorize?client_id=innercontext-web&response_type=code&redirect_uri=http%3A%2F%2F127.0.0.1%3A4174%2Fauth%2Fcallback&scope=openid+profile+email+groups+offline_access&state=hv06PULt9VCe6Z57ICw_kfH_rOA68Ye8&code_challenge=H6WP5l4QfrsPqEESZOUm61MWtHDrSrKe4xLl2j0Mqa4&code_challenge_method=S256 HTTP/1.1" 303 -
+"GET /.well-known/openid-configuration HTTP/1.1" 200 -
+"GET /authorize?client_id=innercontext-web&response_type=code&redirect_uri=http%3A%2F%2F127.0.0.1%3A4174%2Fauth%2Fcallback&scope=openid+profile+email+groups+offline_access&state=bPb6NuPvTTpSLSBf0lcEyiovQMrf25ZU&code_challenge=c8QWtQNvy9pNw9nfeoAym2SM20WpBVePYjG80kV59tY&code_challenge_method=S256 HTTP/1.1" 303 -
+"GET /.well-known/openid-configuration HTTP/1.1" 200 -
+"GET /authorize?client_id=innercontext-web&response_type=code&redirect_uri=http%3A%2F%2F127.0.0.1%3A4174%2Fauth%2Fcallback&scope=openid+profile+email+groups+offline_access&state=19pfKm4slbG0zxJTa_aNKZauy1pAlM24&code_challenge=fJsle6PvRo2Q53ibfrj2aHQYDfbLoXyWXH11-hJO1-8&code_challenge_method=S256 HTTP/1.1" 303 -
+"GET /.well-known/openid-configuration HTTP/1.1" 200 -
+"GET /authorize?client_id=innercontext-web&response_type=code&redirect_uri=http%3A%2F%2F127.0.0.1%3A4174%2Fauth%2Fcallback&scope=openid+profile+email+groups+offline_access&state=Ls5-Ps19zFfHr6vdvFrgZXPU4HK2cdMH&code_challenge=hIaTDVr0WpZVBppRxfd4h0nc48Cq6llSetMzG5NU6R0&code_challenge_method=S256 HTTP/1.1" 303 -
+"GET /.well-known/openid-configuration HTTP/1.1" 200 -
+"GET /authorize?client_id=innercontext-web&response_type=code&redirect_uri=http%3A%2F%2F127.0.0.1%3A4174%2Fauth%2Fcallback&scope=openid+profile+email+groups+offline_access&state=UCR6DlUCqwChXZiu5m3IezhnovkLU1hP&code_challenge=mf1NzdhG0OQnoB2_L_VQNlgohTdD3ZQ1gnrC-WM5xic&code_challenge_method=S256 HTTP/1.1" 303 -
+"GET /.well-known/openid-configuration HTTP/1.1" 200 -
+"GET /authorize?client_id=innercontext-web&response_type=code&redirect_uri=http%3A%2F%2F127.0.0.1%3A4174%2Fauth%2Fcallback&scope=openid+profile+email+groups+offline_access&state=cikc5ZIqH3gtF0JNS4xeB8ye36C0FeYK&code_challenge=jRsCnQlVsNs4qftFnFdHUm63CxT8tkiprb5QYGcvVQs&code_challenge_method=S256 HTTP/1.1" 303 -
+"GET /.well-known/openid-configuration HTTP/1.1" 200 -
+"GET /authorize?client_id=innercontext-web&response_type=code&redirect_uri=http%3A%2F%2F127.0.0.1%3A4174%2Fauth%2Fcallback&scope=openid+profile+email+groups+offline_access&state=sxqmLO0piajwnRePC4fq3rSE_EErnT3j&code_challenge=Pg_VsUw-qJXnF_JpdlJbUrxJTPRjzMY2q_rTad86iv4&code_challenge_method=S256 HTTP/1.1" 303 -
+"GET /.well-known/openid-configuration HTTP/1.1" 200 -
+"GET /authorize?client_id=innercontext-web&response_type=code&redirect_uri=http%3A%2F%2F127.0.0.1%3A4174%2Fauth%2Fcallback&scope=openid+profile+email+groups+offline_access&state=H2123ucRCauviiQcfOgL2ACEaMJMCnCd&code_challenge=J_32kAoALP8nRUhLdpWSnHr9uePiK9ek8K5gYXKrqrM&code_challenge_method=S256 HTTP/1.1" 303 -
+"GET /.well-known/openid-configuration HTTP/1.1" 200 -
+"GET /authorize?client_id=innercontext-web&response_type=code&redirect_uri=http%3A%2F%2F127.0.0.1%3A4174%2Fauth%2Fcallback&scope=openid+profile+email+groups+offline_access&state=QB4ItNBiVPTcsbvf8jw5fC0wCmLdrBaR&code_challenge=7IJ0bQzKs3-0atAvro4GR87lUJ3rYcUO5nWQ7fGBbJE&code_challenge_method=S256 HTTP/1.1" 303 -
+"GET /.well-known/openid-configuration HTTP/1.1" 200 -
+"GET /authorize?client_id=innercontext-web&response_type=code&redirect_uri=http%3A%2F%2F127.0.0.1%3A4174%2Fauth%2Fcallback&scope=openid+profile+email+groups+offline_access&state=8f4SjKIZk6Zr23J5PhkIKaWZcZOoHbNy&code_challenge=S0TxmFf5PZ0vgx2krjLl2WIcSyxHI5CcxVdH3SDu7GE&code_challenge_method=S256 HTTP/1.1" 303 -
+"GET /.well-known/openid-configuration HTTP/1.1" 200 -
+"GET /authorize?client_id=innercontext-web&response_type=code&redirect_uri=http%3A%2F%2F127.0.0.1%3A4174%2Fauth%2Fcallback&scope=openid+profile+email+groups+offline_access&state=gIsLo0NRxP-EP3W8oTjf1O2QS1Nijj-g&code_challenge=bnYTMZcj4cWQ32OPHKWN3638Nuoh3pzPH0wP0GmHLOc&code_challenge_method=S256 HTTP/1.1" 303 -
+"GET /.well-known/openid-configuration HTTP/1.1" 200 -
+"GET /authorize?client_id=innercontext-web&response_type=code&redirect_uri=http%3A%2F%2F127.0.0.1%3A4174%2Fauth%2Fcallback&scope=openid+profile+email+groups+offline_access&state=RVs6ZqxJdOCnK_RDdRHJbeJFLcjH8jDZ&code_challenge=ghcwJxfIcbS1vZuFbltcVmX9IHbobNEoIvFRrjRo4hc&code_challenge_method=S256 HTTP/1.1" 303 -
+"GET /.well-known/openid-configuration HTTP/1.1" 200 -
+"GET /authorize?client_id=innercontext-web&response_type=code&redirect_uri=http%3A%2F%2F127.0.0.1%3A4174%2Fauth%2Fcallback&scope=openid+profile+email+groups+offline_access&state=BaIv9zAbKGEmbOlhh7J8I0sye2qpRPcJ&code_challenge=yckMaHRptZd3J04kALAyxxCqIIulPIf9PrTmeA6eN7s&code_challenge_method=S256 HTTP/1.1" 303 -
+"GET /authorize?client_id=innercontext-web&response_type=code&redirect_uri=http%3A%2F%2F127.0.0.1%3A4174%2Fauth%2Fcallback&scope=openid+profile+email+groups+offline_access&state=8ikyRz70r3g4_lJGDkx1wEl27neWvVFS&code_challenge=b5f8yNS9lEemYbrnFBnG3OANpefQSU3NXwwFkMS63A4&code_challenge_method=S256 HTTP/1.1" 303 -
+"POST /token HTTP/1.1" 200 -
+"GET /userinfo HTTP/1.1" 200 -
+"GET /jwks HTTP/1.1" 200 -
+"GET /.well-known/openid-configuration HTTP/1.1" 200 -
+"GET /authorize?client_id=innercontext-web&response_type=code&redirect_uri=http%3A%2F%2F127.0.0.1%3A4175%2Fauth%2Fcallback&scope=openid+profile+email+groups+offline_access&state=C0AvwQhDg-kdVylKE43TG9lawjgYQW0G&code_challenge=88-OcQzCn4HlOoJfXOJ_CQo1PV9YRJCgracnfsuO5LU&code_challenge_method=S256 HTTP/1.1" 303 -
+"GET /authorize?client_id=innercontext-web&response_type=code&redirect_uri=http%3A%2F%2F127.0.0.1%3A4175%2Fauth%2Fcallback&scope=openid+profile+email+groups+offline_access&state=t_oQGVk1spVtWPABdSOUPjgdkk0GhGzR&code_challenge=bpLSYPmkEZpr_RbpzfcO6kYEKBBTuRFemoQDH9mBUbU&code_challenge_method=S256 HTTP/1.1" 303 -
+"POST /token HTTP/1.1" 200 -
+"GET /userinfo HTTP/1.1" 200 -
+"GET /jwks HTTP/1.1" 200 -
+"GET /authorize?client_id=innercontext-web&response_type=code&redirect_uri=http%3A%2F%2F127.0.0.1%3A4175%2Fauth%2Fcallback&scope=openid+profile+email+groups+offline_access&state=3wTcjLbHZ73Tq2RdHPs79-kJEcBcPBLQ&code_challenge=OMJ_4YniZmJEdxtS0kpHCgdbZfZWnNSNhMLOeom1y2g&code_challenge_method=S256 HTTP/1.1" 303 -
+"POST /token HTTP/1.1" 200 -
+"GET /userinfo HTTP/1.1" 200 -
+"GET /authorize?client_id=innercontext-web&response_type=code&redirect_uri=http%3A%2F%2F127.0.0.1%3A4175%2Fauth%2Fcallback&scope=openid+profile+email+groups+offline_access&state=Rhe95uXtrJH8dXF0T1e_bLVh4ALeny99&code_challenge=1C8cQjsJ1XMTbESSapVbalnDO7QITK1ovYIt2N2OQ-M&code_challenge_method=S256 HTTP/1.1" 303 -
+"POST /token HTTP/1.1" 200 -
+"GET /userinfo HTTP/1.1" 200 -
+"GET /logout?client_id=innercontext-web&post_logout_redirect_uri=http%3A%2F%2F127.0.0.1%3A4175%2F HTTP/1.1" 303 -
+"GET /authorize?client_id=innercontext-web&response_type=code&redirect_uri=http%3A%2F%2F127.0.0.1%3A4175%2Fauth%2Fcallback&scope=openid+profile+email+groups+offline_access&state=yYJja-mcNuteTK_vfmRG2q1ngy8uQCYA&code_challenge=X-3bMxYVrLNx0WI_jBRjT33JGo-ge_2SMbuDjMQSB7o&code_challenge_method=S256 HTTP/1.1" 303 -
+"POST /token HTTP/1.1" 200 -
+"GET /userinfo HTTP/1.1" 200 -
+"GET /authorize?client_id=innercontext-web&response_type=code&redirect_uri=http%3A%2F%2F127.0.0.1%3A4175%2Fauth%2Fcallback&scope=openid+profile+email+groups+offline_access&state=y64pl2E_jbiDANFJFjySZe06mGwJxLPY&code_challenge=l3OC99rarYHtSPsiS01wxbIdThMXnTRPUCu_9dUSA5w&code_challenge_method=S256 HTTP/1.1" 303 -
+"POST /token HTTP/1.1" 200 -
+"GET /userinfo HTTP/1.1" 200 -
+"GET /jwks HTTP/1.1" 200 -
diff --git a/.sisyphus/evidence/task-T8-qa.sqlite b/.sisyphus/evidence/task-T8-qa.sqlite
new file mode 100644
index 0000000000000000000000000000000000000000..3ef93aab6556186b829a3147238169205f83cc66
GIT binary patch
literal 323584
zcmeI*Z*Uvuo!D`L5&;nsMa8zVaeT_HPLYL8Y>OZzQL>{;AZjJirpOqgoakJ4y#yYT
zYk^p3cOj9v$#h^lZqiF$-Ob#ad)4W?PVeSk+{@0~G=1CYbowW6`mQ%O(|dQFxlCvJ
zrq8p$0=rm%Bw}7mWWGu)k<Z`Xex5)3?81~Ey}#lFLf>?~9Xrq$CeBS{G85m^^@)jz
zTk@YZ`A_s~QGRhU`bPeliG4ln%Ucs~{fk$oWbTRCzgK0JX8+IZuV?@MjFtcEGuO^c
z=bz{PAb&giciA6hb0>3C|L(+3C;w*h!^|%;KhOMpSd+iK>DRTawtOiw;nb^Q*MC-%
z17q3Ezzx5*YW9ZZ3BOqje5)Ay=4-9<=X2Wo#Z2pZSkT$Ec0|>w*n#8LEm03VNBCC5
zbF0ltVAbs%k<R|=QrRr6oBHzVUGs<f!7b=(t9rT>y%6ukXk}l?Y4>GZ7x#&)=?l+t
zs_DkgA0nhq<zdluvW?comvh<^8Hl-0Aa*5io(s!wZuo&+uM9wX<q#3|w=yiW{&L2T
zU&?7E8RGeULVPOo(oioSA}m#NSSTvb`0VDnoK`GmzIZLLH);beKHcwEI{mJf?yQ&t
zXG4D46BXC1%JJ2g9+b+3g?U3?U0c^zAFr&uq35Tg@ryE5S{UjFrE-{7?5hx;UwWrd
zqQ!pKsE}$|?QzXoxGdtyp4*fgV5c!v&Uc$$MOd3oEs<Pz1L4QZRXkw_qH4)~^R8Sx
z>&p+#L@dolb>IB&mzN)w%1`w7%qM!GD`lt<?yZ&0<@>8Ds}Rj%y=>ky%jW8m`AAo3
zzFu&uM&4NZN>=+paoDbr9yhC)PJ8LuY)-p<In$bnrl0Lt6}wimYVMXVH<4;X?m|I4
z@m&A3i)VIgs7V*k&<jypM*VC~dq;LTJ+RBpRmbbj?%QKDmr@-@e)XCC`tzHWitzn-
ze`ojYuTvp?ft?KFCm)~AX_qf&{^&%wq~a~dzdn;#M)4fIke?o9<s390Bl&0!CnoET
zTNSl|IsTp>h#hqU*=Yn(2{lREu=PeWkt%Od4Y%$KD-gShjCKQ7;64>~U*2if&HH9q
zwNsG|*F<=?N@oUcVAlpzsy4m$4Q?mV)}~W;{B3!kw0*Z84>oXJ*^Fmbg#PZMwbgK)
zw})K6v$nQkmR1uS!t-3ustP&fyDF;AbGzoqRUO`0RT012S}f;<?bV(7RxeN8#N~dn
zE2;xKYey?<Se0$tNrt`cHn+Cr9e<FFydpUUosk((qGDIJ<^EK0>w!E53@DJ;f#hbQ
zu5gsCXYou{d++kFttUR0tz!JUnFsl-c16p`i<KuGdE8J_$+tYWCc>{y_piKOzFKeL
zcXG>=#f?wz<#L*)Wj=ozuCg#I{Owd?U3IDqUr?@7tyqrlH-#5Xo5J<}+fP_Xo)A6}
zmG0C|mr`+c+qjXu;~lg{N4jTpMr>(q_0f8{Bv+K)eAc0CUrtpHyA$l`k5`x9e{AZ7
z*hRjf$1g_SMvUpKc3T@ZmZ6_DAO4XyP90pd7#5vw<+Ab&xDY!7Haw@Irn<c0*|m!G
ziM!!j^28N1{Q)_-{)sT4OsBS*7z1+kLc4LJb#f}FnKF_K(WDzt+VU%ILk!5s9x4!3
zd3YQu*ZB0~6FF^RA@liGI9~^JH6ZC^VlEFTu-~mByrk}Y>_39Fb-LNbzWHhga_?^h
z-90wFNp`EM)e>&!2ONuJk6z!gNmXm_+{xpVN*{Ga<PGy=R(rBAY$gxTvx)-}r&_OP
za@xg<nNPKFq~u2Ii*2`7^?P4UCdQ?gzTa>h^$w6X7ACXW{fon{w-=RFRA0--=QnT2
z-@blH{`Ttm8TB}QPW{F&1Q0*~0R#|0009ILKmY**5cq8s$g2zE`Tw_dc)2bF5I_I{
z1Q0*~0R#|0009I-0rmNRX7-OK<p24F00IagfB*srAb<b@2q1s}0{`y>o@Vk7Uw!S=
zL}_B8RGFK%Z!F$itja&GZQh)_xhaY_=Hw4{+4DDU6z$?x&E2qT4f&&e@@H!1=jLy`
zIk)g;ab7Q8f4g|=?Q1vQnqQoopIaQ3Q@pM||If_+_X+ubej$JW0tg_000IagfB*sr
zAb`La3S2tzaQdJZ2<_+pUr)^bdJHd+kP$!t0R#|0009ILKmY**5I|rbf$0;kPPhNn
zf%fzNKTOR2!#>5yLI42-5I_I{1Q0*~0R#|00D<un$e(y^y7Myw?VtbOotWJnzsn$E
z1Q0*~0R#|0009ILKmY**j=Ml>DwBJ-`0ZCqrTNOn^=mh8-CDf1P`Or|pR?zxx2}tY
zO(CkqTQ|hb?I38pef4T_e(|k2`M=`Zw~BLfjhemp!gJ(*8um@~AKH9qKD=X=lRxD@
zKlgTV?yZHzxobDC56!vB&;K9ynL>OBAb<b@2q1s}0tg_000Ic?FQ9(@|Dd-E?dShr
zP0apk|F+0Q009ILKmY**5I_I{1Q0*~fnz67IJx-k>BIb+1N{Ae$8PKh2mu5TKmY**
z5I_I{1Q0*~fg=)7fB#?mX9m>I|4*DdqGo9Z0R#|0009ILKmY**5I_I{1dgSE`uv~g
z|6@5c1cd+s2q1s}0tg_000IagfWVOn@ce&dlr)3@0tg_000IagfB*srAb`NJ72x^*
z*bWVWA%Fk^2q1s}0tg_000IagaAX2J{~sA84IzL40tg_000IagfB*srAaHC2`1}8k
z?a&Yy0tg_000IagfB*srAb<b@M<&4M|3^kiLkJ*%00IagfB*srAb<b@2pn4hp8t>S
z&=42`2q1s}0tg_000IagfB*tVCcyLmkx|kR0tg_000IagfB*srAb<b@$5w#n|6@Be
z1cm?t2q1s}0tg_000IagfWVOn@ce&dlr)3@0tg_000IagfB*srAb`NJ72xmxKej_d
zU<e?900IagfB*srAb<b@2ppLJpZ^~jB@H2f00IagfB*srAb<b@2q1851!iXd_r&?k
zFDGWdKKsj=#@YXT=6{~C@_&8i+L`J6^V}cgZ)g85`=e~`<jTq1iJwmX&E$ufUuJ%u
z`T4QEoUsn<x|Y?JFJ&g2dR6TD&uUH}EV~)F;rCX}-mpC3H*0}!6=UCgt#$r<PJ6$Y
zX<ZKsI=j}6s5%upaNN2j>VfA7-)eYnwOI+Qy1gUP*<W2Mo27MAUtYay{!l--1$}K*
zPq(5M;=LHH>?=9#zKrYQK5;dD;aN^K-Prj<gw&}#ESgTX(Yp9@PJ1E)G4~0?t_03=
zVfoDsKd|eS0Z6YLBBK6QhK1H&&iL_5Ijtl^JikwfPi0;j>g7X(rD_ffMdcYwU&(4e
zC=Q!?=}xU;I_;&;Zl23&#bV}**8+Q^Hb5|4=PRAy*GqR+%z;xXKkbQ%>s93>(U%^S
z%7uk_LtkB6*H<5}th}M;r=v*_WvaCBdOs+Y!?a>wh4>`ZJB1Q0_76@}NVUA_dOOWp
zxVGZSp4$vWJi&LHUPV}&PA!pKcLU+a%T+vK2cl}(fqqx6!1d*aW+Ikmqq=YY_sh!<
zOXVl}d*&0p(3LV&sQ1>&=JNejl~stAf?hW7nPqcz$$X@%G+!?`RU>aao6TvrFK1da
z(e$$&t76w`R?Xe=<t9>X$XzIiC!Xt{cJa(^4K?ZF8G0dV%c!5tY46A`rw4Y~2{>MN
zcHbVOX^`qLy7c<Ye*O8)N=5j7yuY*i_SdP9zQ9g~@sp2F=d{b0Gk<g<Tn+J-<6oai
ztbllqUdT_6GU*SRN|Agt{SxzR$E}Lmz#M<i55$hTf$TJbs6=n!)f>%3s=P%t+`2EU
zK<p+m+6`EN`&86@d8b)7@0(@SPDM6c6XD$|of)`+T^mrT+Vt8txSd2>n@-*Fx8;4(
z_T73s*uZsVGoD=$`n!+TR#m^z2;Ny+TQN(k2@c_Tu4h$+obp{2Rp+@~bL4^y@2skb
z-)$|H^TPJ(PJOGFr*7hME7%oPeNboZXk`tnvTZxbu(#dj*0#Lk50a5rBqw)gWCoO|
z*p+R$wN%`CAddk93M4iUxeur-9A(#7Jd@SlyFBc!5ueLeG5+1mgM3!IqGja8%9D;f
zZm2ctTb^4J;a8{oS6(k)t+((yx!cL&#;5mkIZe|tpFa&(S(p|6b}F&1I#q@*DA%c0
zEXVho!i%O&;d=j_BP=9O2%m^bcWS3gskpjr+(_Q64qBrlZTFoKTUuLvv|cXB6{R<y
zbtv1HQ<cN+1bh19)#djen|dL3k#Feni;;H#V>+wd)`pE`=x5D`f8>o*2Nx}dMW<W2
ztULoQ#Lj>X&#9=XF7H)#tzv!RZupiwaRp6(Ku)fIA`B?gsjVi)fLy)MZro^{oXTmY
zjO0Qz=?0Xx{EFKU12VFQ3Pe>N9*4>`KK=MaPFq;We7+UV*8yD(NIIFA%L5ARcdH05
zsXHJ0Pfu-~Zg#P6zS@D@`x`-bk4<lq-KuJ}gxmQ6CmPwK*LUJk)!I9E@+73vM_mzl
z!#tVQo-7QT$piGP;()}d*6W#^cJX57Q!N}Rxe@zf+pSgo-dB@}ap|S+HylU31LTc`
z$*gw&;;`%OMP(IxU!RZ<%BR%B^32q~nK(O{n>dxt{m0x+?rip7X6L5<>O^5`V@jL+
zv&r1-Kgqwy{I|?b=ETIm%D>3JXg^?Q=G%Xc@cTzsvf9Fh%wBKxg%6~DxM9h|edko}
ze=EJxzC_hzAMLf-PSd+*;_cUS+Vu;W*6CDea;Uu^7MszDt+StYpO&N8t*An>qbSwb
zx}4K)$)2WCJ*f#Ok4%p6qP7ZYht9?H$|k$%r5jhjnbnpq44V>B7i!+O+q}|x>0(ZM
zxR`0Z8HLuJEAnl^&W5}_Z##|dU=7UtW`D#3OGV?YVjozbH!!VfUEVxoP~8^@11p5*
zhJiVk4i`~)!yX<^c+U8&b|I%NE@r-Xk=za9Is;?SJ2AAMa0eF|;h>+`fP1YCdrtWO
zdlu=%H((BRPbKQ4AQ#z)r%yG1?wTv6d~3B-dbCu!YxbXBd%erX;}5>wjP}!Sx~06a
z{JUB0qs3thsM|n%^sV`U$-lS!jnSLx?bPueF6N!~roHz&Ic@1uruAyHSYxjP<#E4O
zljqa$P8v)9-Tt)@%S+Tz9I-sT5O2_Eye3~1$gaCD3Svd&BcC70w&as!?_K3L_UpG>
zA=PO&$N1#ya?_MOb~nvf<I!dkOS-UMf1Rn8>MfdrAHAB@ikC9YL9VioSU113UpKN`
zstcKBeEc<e54_a72gcg7Hf#1)?EBaDYhRU3b)XWB-|!Xk=O2GHr(L>~`B^U9-C}XX
zzSKG)wRf^uhC1$aUp*cEC0%@84SxC6odnS#GqL-Hx$1qk<$BJRQ@0aO>b=~We05cc
zT2PyWd{l1=tKQtv@2#wr)_Y0)uPoXHH{`2>=(#;Sk=C7HV3$pm(X7aJJ8u<LX-{m*
zmuN3~U8#g^XKOo|(%*GB#L*kfo8jIl#p4Z+*&9ZAR6N`Jl;UR_mvY*L3z<J|AFiWw
zNc89HiK!N)s(GfyJ5or@h7He_@3;rO&aF9hIoh#$h2nf$)PLHHY7}l<3z3^%cNT?D
z_G$<>Y)@@!{YB*`EMm*`_PXiCYsrUwwI+6U<ZCy%7Y9x+?m}NVHTF%f*M2)Vd&76V
zM)<19ZwUG7D4Gqo+Ot8}^5Y8ml55Z#rS?(K-f^4tpf}Ijsg<VZiF&0M_Cna6@BBzu
zJGEG8+qHJ&tE27i!=JK{OUVh}c_r}MZ_Ilyyy90b-<YQ>$Y;PUAs;K%ySPM4o1VQT
zM^e2y_k@TpPW3F`&Z^fL@@=5&)cjPoe3{_N$20lPu5JgZ+=eH%>ay8A%eOZZ&2}c2
zB{nzZT~obG3*XtN0&8qrJM!IJcgIlQ+q=E*!?$d^f#o%8@(q9Vj!{;z<co9R$*sha
z=L7k|F!ttCHlQMX)>PwRHRLhqg%D5UB^+NK0HP1`B8>!?ETP_Q4$P~|X;TwcP1Lsn
z8E$O9lYPk-q~V*@nrM5cKAISIri^Z)@ef?0N1W~?y_sAJy=RkdiN$c*wKLSE%Vw=c
zEiT-BCbHUlUAL-yiJ@kMsvEvFl`oLx$1jNwQB?j>KWeKsM|nNky7+rJ?FaJtr4*ef
z2A&YrylB5#kf-3@*Rdn><^IFKz*32J)bU_oDZS83mgi#r{r?f(VNetS1Q0*~0R#|0
z009ILKmdU;72x@QOb3pz5kLR|1Q0*~0R#|0009IL7(syN{}He#iU0x#Ab<b@2q1s}
z0tg_0z?cf~{6D4xN7x7;fB*srAb<b@2q1s}0tk#C!1MnISQJG70R#|0009ILKmY**
z5I|r|1!h#-=f*U6!bSiA1Q0*~0R#|0009ILKmdV53Gn&<p_nLy00IagfB*srAb<b@
z2q1vKSPSs{Ki0!X@CYD)00IagfB*srAb<b@2pmd)=l?@7Q3wG95I_I{1Q0*~0R#|0
z0D-X<;Q4>7hmYV9KmY**5I_I{1Q0*~0R#{@lmO5Fhhm}-0tg_000IagfB*srAb<b@
zV=chn|3B8lNAL(BfB*srAb<b@2q1s}0tg&RfY1LA#Y7<l5I_I{1Q0*~0R#|0009KX
zT7c*Ou^v8xM*sl?5I_I{1Q0*~0R#|0;7|fQ{~wBpLI@y$00IagfB*srAb<b@2#mD=
z&;MgRd<2gG0tg_000IagfB*srAb`N31o->^4#h+v1Q0*~0R#|0009ILKmY**##(^S
z|Hpdx2p$0h5I_I{1Q0*~0R#|00D(gZ%uN4c;^oYrPt2^G`5$NY&V2pUC#SCF{&j9~
z>it|c`(ID~uajS#)F%J^iT^VB-OQiQ{CN5or~h{1^FuW}LZQ~w?VNW1YNmD3saM6W
zvuo{$s#CE8$E{mU-`*0w_1vyGRV#2)Ii;ntSz0&s<<-095A}WP>T9cds=i)`nl{#M
zX0^)g%tRQ4|E%T&!m^uz8-8#3Po26|aqCqljLWav4S(AWd~1GK&Ue-pf1?JA!y0_2
zb@qBrdnl#ejHI?a*WGdITb5th7S(1=SXFz^ayP9PLOe}n-s;Cnm55hYUa10lA=ZJ>
zn!J|NOc~IH;Q=*$;aN^K)zZy_gXvTq5=bZ4_;hAIr(M08`D{6`H)<l)Q7Yj^r|0$3
zofUJ?CFZA{s=oA~R4y#c8~W<ny1x2&W#tV$KOIFBWva9oh@6J&=6$oAsAE^ujL|<R
zmBU)a8_6c?ZXo<9SGD*3^76w{`HB9X`9v=`RYRrSTPvH(_g7U~A-Zn8Y~C}==IWC9
zNLOioSUPW%7P8votHb7TO2aCqk`{N0Iqmj^Olu|@R?lq)PF*g<&KGi?1R_ej-anF2
zMxwMD#VA8B#M?1GnagSK$nK_7-8F14P}5l&M|H0a?JZU~*;y>Z_~>d@Tey(fOLf&@
zjk;MF+D$YE64w(A%4eB3a@vIpnV&okCu7uF^yge+>P4w~VYC_7sTU4{ephXO@i`j1
z+Gtu8`lfMe&Q&}i2efM0LD=5<^221C&4wEA;rWB+?9$rmqxEu0E(yK)EHM?Vc!-Zz
zm*0PECTGMOdaT6A3*hQoS#9aUumupITl3LZ^H<+IRE1(xq3C^Eu8%9R^$`w#!*e&C
znp`BE$&g6A+CQHXxlt80Zxb1Mce%GR-;%dU*=hGSnJ8%aVpk5Iwc&Wdb|UAk{d<nr
z8_<0`+qh+9wTD-R$tHTWiivOE_*5_Cv@2IKpZ&9NVI(pW-+Vi<L=st}u9MKBw@TDT
z8o!+G>X2Kq%KOJy1fy)+6BCoaP&cxlei#y^&MK*d?<S~H*^0{(71yiE`|siJXR&q;
zs9kk^p^j!vq2F6sE3GTUFs)g4f=E{-ZhGQbQ`9Sa@x<<tB@nxb(zb8ag{X?EerIiM
z#VoBRwzu|qZPRmi25(i-d9Irq4!hg*D#B9BGakY}?mpPn8*v9y0mtXfpaC)BcmG%c
zQ4c&vo+k>u&hy5^MCMP2p9o^LJE!fUO#0|b@;)gyw`#K@&%5D@bgI$!-|F98qKv4Z
z+Eb#m-fp)2dQQ78Z~3RA`*2jmlBa5U&+m0$bUNtVC%OmyRE1<mQ8UKY<(zg)_B561
zso^<tP6UqdqP7Y{FQ!*E*-bCqxcbfg?jlhaRx$eO%1<V4$lJ*6%+Fp9*ZZ(z|FHD8
z6RUq%DYXf>&xL2#YL*|!n|L(;3%9~)8P*H-8ol&lG0ae_vg!4b+k52pUe#+qnbpK|
zQHu_|;TjVg%^fTFky{t(Wchd^p8Co3x-Xxlo;$&wm1=9l_T)77`XVmgY=_)=_Ui5I
zi48)Xx1S63tX2_T-PhlJBxhj!faE#83?-E;htl<AL~`|{@=_bcC>!cQ_mzVWPvIa%
zkDTqxj*d-<)DbtDyus)HBfO}fC;|u|fB*srAb<b@2q1s}0%Iz`^Z%F*9AP7X00Iag
zfB*srAb<b@2p}+m0Du4A2v`(F009ILKmY**5I_I{1Q0-AOa=J-e@q9Cun|B20R#|0
z009ILKmY**5Ewy#=l>C~D2f0A2q1s}0tg_000IagfWVjv@ccif14q~hAb<b@2q1s}
z0tg_000Ib%Ai(qg2v`(F009ILKmY**5I_I{1Q0-AOa*xUAJc&&Yy=QM009ILKmY**
z5I_I{1V#|x@BbeGi=qf1fB*srAb<b@2q1s}0tk$$0H6Pl>A(>-0tg_000IagfB*sr
zAb<b@BM9*PKLQp-5kLR|1Q0*~0R#|0009IL7*heB|HpLT2pa(e5I_I{1Q0*~0R#|0
z0D%z%`1$`4uqcWE0tg_000IagfB*srAb`M_3h?>=m<}9aBY*$`2q1s}0tg_000Iag
zFoFQj|07^g6afSfKmY**5I_I{1Q0*~fiV@}`F~6Yj<69x009ILKmY**5I_I{1P~ZO
zfam`auqcWE0tg_000IagfB*srAb`M_3h?*;jp@J<HUbDBfB*srAb<b@2q1s}0wW0U
z`Tq!56h#051Q0*~0R#|0009ILKwwM-c>W*Lfg@}L5I_I{1Q0*~0R#|0009I>5a9WL
z1T2aofB*srAb<b@2q1s}0tg^5rUEmk{$%2n%&#V9|6=x^p8dCH^QZsvbUpvK`M0P4
zV)|RB{w(|9srRS;!_<Ql=G4sOf0|sE1^G1&0)O~!PFuQ?X}#*yt76yLwLG^OICWw9
zfoS;M@0@BPeQl|1mex&udG)UOLw%oG`r4|VsHqpCZ=I^~hs*nR-tgRNvl3W+ov-fS
zd9T)h&U=}L_aLX;mRCMA_{y8U@cMgxxPQ-`Dg(Oh<QSis_j1~mE155r1AC(;B8t#D
z@y&akp4LluR?L3E{IpZmmmZYLg@t)TUtL?*S0AseyrJi(qX?o*l@_%-tWJ-l+or1K
zdQ}CWW`!K)b@RSiPIP5g0>`ae!Cph?AC$^rkHs5?s@ln_yMgedJe6K`{chPXGO;C_
zh?n?&dHG?f{6v4xe4-cR1W~2#t(DE?`>QIg5IO2)^PX8YSC`C3x=Qm0mhN4-5wFlm
z9$crVk*L#2Zr8~hx9(@PhgUKaA&>v8<^;mBn}HjC-(58AB~*;U2)|uvO`18)yqalU
zh~{0l%ldOs4_t50>Re_j<K6!GmnsoeRdX<vsdxQar|;&p_hb;p@F2R?tKF}n0GAJr
zqg$ssB$QqO<1_zGPP=+F^Uu$RtD>6|b(c!GpI9BKY`rkr3h6d5WK}u7we89=*>-DH
z%ip#=QPuCPt*w}))x?sJ<=lp-56Nw3S$3e`m0PEp*_%$?@wY`ao+fr1j+_BiI}qJ+
zp4hQv(fXEE6VF90S}=v;e7HbT>#X7lS-sor`tn0F5$DmavYy`X6{F_BU30~hw~VFI
zqovYaGjEiZvfAUT!`4u@)o2n}#Z=M*d4oNrZnCY@rM~IBBdSit4tJ=gZ*K|TdT!U8
zs<r94JE^>T{nI&BB34^nN-AG3^qMzXli%xG;i>Y`GEHTe2Zz$x9EQZv$u(N1zMIpQ
z<qE$Xt?*P|mhD@0A*!O9%DQ`S7~RT40_o-(E#vodnk7Sde|RXd2s}}d_a1rcjit56
z@Xo<e#p-n184}>2qDE`#c22u5W4$;$*7i^bZmfZJe5Hfqi|P)EDatlV-`Q_*q<XfB
zsig0H{=qxpuKLpt!(BC1AeHdlPWbIJM=D$Gsy)-_gpt@-qNy2Ws!cA|&H=U6@jxxK
zrqJ)Ltd-VP?J%ubcY<is3-?V=JZp-2WiOuSSL9CGtO+X+yNS}>i8yf2Zi}mJA>3|L
zdu22t-CPxb?>4=Pur{4q;yg3*M%-+ueg2Rebyx38o{9zyNMh%X6_Do<&yk0?La+0@
z(VBZ(uIJma_3S@&>Q=?ASDkRj_3L)S-*yAvioOc(XTwVUe*dx=RxsI|T0+B0>V-tl
zM(Z25a@r#q@~voD533pN%)|0;A3E4*G3*;=v|X>=%xaa}!)}Jdg0bd@<$Pyt@i%I)
zIIO{U`22qy9_NV>0R#|0009ILKmY**5I_KdFDJnB|CjTlHUbDBfB*srAb<b@2q1s}
z0^=aS^Zz)E5-}ox00IagfB*srAb<b@2q5s~1ZGtAb6>6vY9oLE0tg_000IagfB*sr
zAb`N}7U1*$<2^n^hX4WyAb<b@2q1s}0tg_0z)=YB{C^aRw1EHu2q1s}0tg_000Iag
zfWYw<;Q9Y}j}OryfB*srAb<b@2q1s}0tg^*6axJG|4}H?1_B5mfB*srAb<b@2q1s}
z0>@i`&;O72_z)ce2q1s}0tg_000IagfB*tVA;9zhQ7F;|0tg_000IagfB*srAb<b@
z$6J8s|KmMAM27$Z2q1s}0tg_000IagfWT1*@ce%iinM_M0tg_000IagfB*srAb`N}
G7WltuRZ`gi

literal 0
HcmV?d00001

diff --git a/.sisyphus/evidence/task-T9-admin-households-denied.txt b/.sisyphus/evidence/task-T9-admin-households-denied.txt
new file mode 100644
index 0000000..4774283
--- /dev/null
+++ b/.sisyphus/evidence/task-T9-admin-households-denied.txt
@@ -0,0 +1,67 @@
+============================= test session starts ==============================
+platform darwin -- Python 3.12.12, pytest-9.0.2, pluggy-1.6.0 -- /Users/piotr/dev/innercontext/backend/.venv/bin/python3
+cachedir: .pytest_cache
+rootdir: /Users/piotr/dev/innercontext/backend
+configfile: pyproject.toml
+plugins: anyio-4.12.1, cov-7.0.0
+collecting ... collected 15 items / 9 deselected / 6 selected
+
+tests/test_admin_households.py::test_assign_member_rejects_unsynced_user PASSED [ 16%]
+tests/test_admin_households.py::test_admin_household_routes_forbidden_for_member[get-/admin/users-None] PASSED [ 33%]
+tests/test_admin_households.py::test_admin_household_routes_forbidden_for_member[post-/admin/households-None] PASSED [ 50%]
+tests/test_admin_households.py::test_admin_household_routes_forbidden_for_member[post-/admin/households/ad0a09c5-b0bb-4565-895c-eada9498db52/members-json_body2] PASSED [ 66%]
+tests/test_admin_households.py::test_admin_household_routes_forbidden_for_member[patch-/admin/households/25453802-90e7-44a8-99ab-3241db73c5c0/members/56c635a2-bb8b-48ff-876e-f085ae7cff6c-None] PASSED [ 83%]
+tests/test_admin_households.py::test_admin_household_routes_forbidden_for_member[delete-/admin/households/4390cd61-0028-4970-a573-a9fca06aff36/members/e5ba2298-ad10-44c0-a77a-b3ea7efa929f-None] PASSED [100%]
+
+================================ tests coverage ================================
+______________ coverage: platform darwin, python 3.12.12-final-0 _______________
+
+Name                                                 Stmts   Miss  Cover   Missing
+----------------------------------------------------------------------------------
+innercontext/api/__init__.py                             0      0   100%
+innercontext/api/admin.py                               93     26    72%   78, 102-110, 142, 165-183, 195-206
+innercontext/api/ai_logs.py                             63     34    46%   18-30, 53-57, 69-81, 106-113
+innercontext/api/auth.py                                68     18    74%   65-79, 100, 106-109, 122-129, 153-158, 166
+innercontext/api/auth_deps.py                           25     10    60%   23, 36-48
+innercontext/api/authz.py                              100     79    21%   16, 20, 24-27, 31, 35-40, 48-51, 60-66, 75-83, 89-93, 105-108, 116-133, 141-150, 156-177
+innercontext/api/health.py                             236    113    52%   77-81, 142-146, 156-163, 179-185, 195-204, 214, 231-243, 253-270, 285-298, 313-330, 341-353, 363-371, 395-463, 473-482, 492, 509-521, 531-539
+innercontext/api/inventory.py                           30     13    57%   26, 36-44, 53-60
+innercontext/api/llm_context.py                        106     91    14%   17-21, 30-36, 44-47, 57-79, 101-153, 180-217, 249-253
+innercontext/api/product_llm_tools.py                  107     94    12%   12-17, 23-38, 48-82, 111-136, 143-162, 172-205
+innercontext/api/products.py                           638    419    34%   81-89, 97, 106-126, 281-289, 299-301, 312-387, 396-431, 515, 519-537, 541-550, 560-566, 570-571, 581-631, 649-703, 712-727, 731, 853-891, 904-972, 981-992, 1002-1015, 1024-1029, 1043-1048, 1060-1072, 1081-1086, 1097-1232, 1238-1240, 1244-1257, 1263, 1296-1457
+innercontext/api/profile.py                             39     15    62%   36-39, 55-69
+innercontext/api/routines.py                           632    446    29%   64-84, 99-103, 109-117, 127-133, 301-304, 308-325, 329-334, 344-357, 372-373, 389-399, 415-434, 443-479, 488-520, 529-565, 574-583, 587-600, 606, 619-641, 664-693, 697-703, 707-710, 714-721, 814-842, 852-857, 871-1134, 1143-1348, 1358-1359, 1371-1386, 1397-1409, 1419-1427, 1443-1464, 1475-1491, 1501-1509, 1524-1529, 1540-1552, 1562-1570
+innercontext/api/skincare.py                           150     70    53%   103, 145-149, 158-166, 178-255, 267-277, 287-296, 306, 322-333, 343-350
+innercontext/api/utils.py                               22      4    82%   34, 43, 51, 59
+innercontext/auth.py                                   236    146    38%   64-77, 127-129, 133-137, 141-149, 153-156, 161-168, 187-192, 195-210, 213-217, 220-228, 231-248, 251-264, 267, 271-274, 279, 283-284, 288-317, 325-363, 373-384
+innercontext/llm.py                                    134    119    11%   22, 44, 62-66, 74-102, 118-214, 231-326
+innercontext/llm_safety.py                              18     14    22%   17-45, 58-61, 80-83
+innercontext/models/__init__.py                         13      0   100%
+innercontext/models/ai_log.py                           33      0   100%
+innercontext/models/api_metadata.py                     15      0   100%
+innercontext/models/base.py                              3      0   100%
+innercontext/models/domain.py                            4      0   100%
+innercontext/models/enums.py                           152      0   100%
+innercontext/models/health.py                           64      0   100%
+innercontext/models/household.py                        14      0   100%
+innercontext/models/household_membership.py             20      0   100%
+innercontext/models/pricing.py                          19      0   100%
+innercontext/models/product.py                         226    106    53%   76-78, 203-205, 209-230, 238-356
+innercontext/models/profile.py                          17      0   100%
+innercontext/models/routine.py                          42      0   100%
+innercontext/models/skincare.py                         37      0   100%
+innercontext/models/user.py                             19      0   100%
+innercontext/services/__init__.py                        0      0   100%
+innercontext/services/fx.py                             57     42    26%   16, 20-22, 26-48, 54-67, 71-77
+innercontext/services/pricing_jobs.py                   89     76    15%   19-24, 28-49, 53-67, 71-80, 89-107, 111-130, 134-138
+innercontext/validators/__init__.py                      7      0   100%
+innercontext/validators/base.py                         22      5    77%   23, 27, 31, 35, 52
+innercontext/validators/batch_validator.py             128    105    18%   37, 58-154, 167-203, 214-240, 249-273
+innercontext/validators/photo_validator.py              65     54    17%   58-134, 144-152, 164-178
+innercontext/validators/product_parse_validator.py     110     93    15%   108-154, 164-172, 185-198, 205-239, 243-267, 273-319, 325-339
+innercontext/validators/routine_validator.py           146    114    22%   69-167, 173-175, 182-197, 201-218, 229-246, 259-275, 288-309
+innercontext/validators/shopping_validator.py           78     58    26%   49-96, 102-114, 122-123, 136-142, 150-161, 169-203
+----------------------------------------------------------------------------------
+TOTAL                                                 4077   2364    42%
+Coverage HTML written to dir htmlcov
+======================= 6 passed, 9 deselected in 0.41s ========================
diff --git a/.sisyphus/evidence/task-T9-admin-households.txt b/.sisyphus/evidence/task-T9-admin-households.txt
new file mode 100644
index 0000000..d06796d
--- /dev/null
+++ b/.sisyphus/evidence/task-T9-admin-households.txt
@@ -0,0 +1,65 @@
+============================= test session starts ==============================
+platform darwin -- Python 3.12.12, pytest-9.0.2, pluggy-1.6.0 -- /Users/piotr/dev/innercontext/backend/.venv/bin/python3
+cachedir: .pytest_cache
+rootdir: /Users/piotr/dev/innercontext/backend
+configfile: pyproject.toml
+plugins: anyio-4.12.1, cov-7.0.0
+collecting ... collected 15 items / 11 deselected / 4 selected
+
+tests/test_admin_households.py::test_create_household_returns_new_household PASSED [ 25%]
+tests/test_admin_households.py::test_assign_member_creates_membership PASSED [ 50%]
+tests/test_admin_households.py::test_assign_member_rejects_already_assigned_user PASSED [ 75%]
+tests/test_admin_households.py::test_assign_member_rejects_unsynced_user PASSED [100%]
+
+================================ tests coverage ================================
+______________ coverage: platform darwin, python 3.12.12-final-0 _______________
+
+Name                                                 Stmts   Miss  Cover   Missing
+----------------------------------------------------------------------------------
+innercontext/api/__init__.py                             0      0   100%
+innercontext/api/admin.py                               93     26    72%   78, 102-110, 142, 165-183, 195-206
+innercontext/api/ai_logs.py                             63     34    46%   18-30, 53-57, 69-81, 106-113
+innercontext/api/auth.py                                68     18    74%   65-79, 100, 106-109, 122-129, 153-158, 166
+innercontext/api/auth_deps.py                           25     10    60%   23, 36-48
+innercontext/api/authz.py                              100     79    21%   16, 20, 24-27, 31, 35-40, 48-51, 60-66, 75-83, 89-93, 105-108, 116-133, 141-150, 156-177
+innercontext/api/health.py                             236    113    52%   77-81, 142-146, 156-163, 179-185, 195-204, 214, 231-243, 253-270, 285-298, 313-330, 341-353, 363-371, 395-463, 473-482, 492, 509-521, 531-539
+innercontext/api/inventory.py                           30     13    57%   26, 36-44, 53-60
+innercontext/api/llm_context.py                        106     91    14%   17-21, 30-36, 44-47, 57-79, 101-153, 180-217, 249-253
+innercontext/api/product_llm_tools.py                  107     94    12%   12-17, 23-38, 48-82, 111-136, 143-162, 172-205
+innercontext/api/products.py                           638    419    34%   81-89, 97, 106-126, 281-289, 299-301, 312-387, 396-431, 515, 519-537, 541-550, 560-566, 570-571, 581-631, 649-703, 712-727, 731, 853-891, 904-972, 981-992, 1002-1015, 1024-1029, 1043-1048, 1060-1072, 1081-1086, 1097-1232, 1238-1240, 1244-1257, 1263, 1296-1457
+innercontext/api/profile.py                             39     15    62%   36-39, 55-69
+innercontext/api/routines.py                           632    446    29%   64-84, 99-103, 109-117, 127-133, 301-304, 308-325, 329-334, 344-357, 372-373, 389-399, 415-434, 443-479, 488-520, 529-565, 574-583, 587-600, 606, 619-641, 664-693, 697-703, 707-710, 714-721, 814-842, 852-857, 871-1134, 1143-1348, 1358-1359, 1371-1386, 1397-1409, 1419-1427, 1443-1464, 1475-1491, 1501-1509, 1524-1529, 1540-1552, 1562-1570
+innercontext/api/skincare.py                           150     70    53%   103, 145-149, 158-166, 178-255, 267-277, 287-296, 306, 322-333, 343-350
+innercontext/api/utils.py                               22      4    82%   34, 43, 51, 59
+innercontext/auth.py                                   236    146    38%   64-77, 127-129, 133-137, 141-149, 153-156, 161-168, 187-192, 195-210, 213-217, 220-228, 231-248, 251-264, 267, 271-274, 279, 283-284, 288-317, 325-363, 373-384
+innercontext/llm.py                                    134    119    11%   22, 44, 62-66, 74-102, 118-214, 231-326
+innercontext/llm_safety.py                              18     14    22%   17-45, 58-61, 80-83
+innercontext/models/__init__.py                         13      0   100%
+innercontext/models/ai_log.py                           33      0   100%
+innercontext/models/api_metadata.py                     15      0   100%
+innercontext/models/base.py                              3      0   100%
+innercontext/models/domain.py                            4      0   100%
+innercontext/models/enums.py                           152      0   100%
+innercontext/models/health.py                           64      0   100%
+innercontext/models/household.py                        14      0   100%
+innercontext/models/household_membership.py             20      0   100%
+innercontext/models/pricing.py                          19      0   100%
+innercontext/models/product.py                         226    106    53%   76-78, 203-205, 209-230, 238-356
+innercontext/models/profile.py                          17      0   100%
+innercontext/models/routine.py                          42      0   100%
+innercontext/models/skincare.py                         37      0   100%
+innercontext/models/user.py                             19      0   100%
+innercontext/services/__init__.py                        0      0   100%
+innercontext/services/fx.py                             57     42    26%   16, 20-22, 26-48, 54-67, 71-77
+innercontext/services/pricing_jobs.py                   89     76    15%   19-24, 28-49, 53-67, 71-80, 89-107, 111-130, 134-138
+innercontext/validators/__init__.py                      7      0   100%
+innercontext/validators/base.py                         22      5    77%   23, 27, 31, 35, 52
+innercontext/validators/batch_validator.py             128    105    18%   37, 58-154, 167-203, 214-240, 249-273
+innercontext/validators/photo_validator.py              65     54    17%   58-134, 144-152, 164-178
+innercontext/validators/product_parse_validator.py     110     93    15%   108-154, 164-172, 185-198, 205-239, 243-267, 273-319, 325-339
+innercontext/validators/routine_validator.py           146    114    22%   69-167, 173-175, 182-197, 201-218, 229-246, 259-275, 288-309
+innercontext/validators/shopping_validator.py           78     58    26%   49-96, 102-114, 122-123, 136-142, 150-161, 169-203
+----------------------------------------------------------------------------------
+TOTAL                                                 4077   2364    42%
+Coverage HTML written to dir htmlcov
+======================= 4 passed, 11 deselected in 0.41s =======================
diff --git a/.sisyphus/notepads/multi-user-authelia-oidc/T10-runtime-config.md b/.sisyphus/notepads/multi-user-authelia-oidc/T10-runtime-config.md
new file mode 100644
index 0000000..07955fb
--- /dev/null
+++ b/.sisyphus/notepads/multi-user-authelia-oidc/T10-runtime-config.md
@@ -0,0 +1,13 @@
+# T10: Runtime Configuration and Validation
+
+## Learnings
+- Nginx needs `X-Forwarded-Host` and `X-Forwarded-Port` for proper OIDC callback URL generation.
+- `curl -f` fails on 302 redirects, which are common when a page is protected by OIDC.
+- Health checks and deployment scripts must be updated to allow 302/303/307 status codes for the frontend root.
+- Bash `((errors++))` returns 1 if `errors` is 0, which can kill the script if `set -e` is active. Use `errors=$((errors + 1))` instead.
+- Documenting required environment variables in systemd service files and `DEPLOYMENT.md` is crucial for operators.
+- Authelia client configuration requires specific `redirect_uris` and `scopes` (openid, profile, email, groups).
+
+## Verification
+- `scripts/validate-env.sh` correctly identifies missing OIDC and session variables.
+- `scripts/healthcheck.sh` and `deploy.sh` now handle auth redirects (302) for the frontend.
diff --git a/.sisyphus/notepads/multi-user-authelia-oidc/decisions.md b/.sisyphus/notepads/multi-user-authelia-oidc/decisions.md
new file mode 100644
index 0000000..68ad419
--- /dev/null
+++ b/.sisyphus/notepads/multi-user-authelia-oidc/decisions.md
@@ -0,0 +1,5 @@
+- Added `users`, `households`, and `household_memberships` tables with OIDC identity key (`oidc_issuer`, `oidc_subject`) and one-household-per-user enforced via unique `household_memberships.user_id`.
+- Added `is_household_shared` to `product_inventory` with default `False` so sharing remains per-row opt-in.
+- Migration  enforces ownership in two phases: nullable  + backfill to bootstrap admin, then non-null constraints on all owned tables.
+- Correction: migration 4b7d2e9f1c3a applies a two-step ownership rollout (nullable user_id, bootstrap+backfill, then NOT NULL on owned tables).
+- Centralized tenant authorization in `innercontext/api/authz.py` and exposed wrappers in `api/utils.py` so routers can move from global `get_or_404` to scoped helpers.
diff --git a/.sisyphus/notepads/multi-user-authelia-oidc/issues.md b/.sisyphus/notepads/multi-user-authelia-oidc/issues.md
new file mode 100644
index 0000000..d53bb4c
--- /dev/null
+++ b/.sisyphus/notepads/multi-user-authelia-oidc/issues.md
@@ -0,0 +1,3 @@
+- Full backend pytest currently has pre-existing failures unrelated to this task scope (5 failing tests in routines/skincare helpers after schema changes in this branch context).
+- Existing historical migration  executes , which breaks full SQLite-from-base upgrades; T2 QA used a synthetic DB pinned at revision  to validate the new migration behavior in isolation.
+- Correction: historical migration 7c91e4b2af38 runs DROP TYPE IF EXISTS pricetier, which breaks SQLite full-chain upgrades; T2 evidence therefore uses a synthetic DB pinned to revision 9f3a2c1b4d5e for isolated migration validation.
diff --git a/.sisyphus/notepads/multi-user-authelia-oidc/learnings.md b/.sisyphus/notepads/multi-user-authelia-oidc/learnings.md
new file mode 100644
index 0000000..17a1d9b
--- /dev/null
+++ b/.sisyphus/notepads/multi-user-authelia-oidc/learnings.md
@@ -0,0 +1,15 @@
+- For ownership rollout without API auth wiring, `user_id` columns can be added as nullable to avoid breaking existing write paths and tests.
+- Alembic  is needed for SQLite-safe ownership column/FK addition and later non-null enforcement across legacy tables.
+- Correction: Alembic batch_alter_table is required for SQLite-safe ownership column/FK addition and non-null enforcement across legacy tables.
+- New tenant helpers should keep unauthorized lookups indistinguishable from missing rows by raising `404` with model-not-found detail.
+- Product visibility and inventory access are separate checks: household-shared inventory can grant view access without granting update rights.
+- Products should be visible when user is owner, admin, or in the same household as at least one household-shared inventory row; inventory payloads must still be filtered to shared rows only for non-owners.
+- Shared inventory update rules differ from create/delete: household members in the same household can PATCH shared rows, but POST/DELETE inventory stays owner/admin only.
+- Product summary ownership should use Product.user_id (is_owned) rather than active inventory presence, so shared products render as accessible-but-not-owned.
+- SvelteKit can keep PKCE server-only by storing the verifier/state in a short-lived encrypted HTTP-only cookie and storing the refreshed app session in a separate encrypted HTTP-only cookie.
+- `handleFetch` is enough to attach bearer tokens for server loads/actions that hit `PUBLIC_API_BASE`, but browser-direct `$lib/api` calls to `/api` still need follow-up proxy/auth plumbing outside this task.
+- 2026-03-12 T6: Domain routers now enforce per-user ownership by default with explicit `?user_id=` admin override in profile/health/routines/skincare/ai-logs; routine suggestion product pool is constrained to owned+household-shared visibility and uses current user profile context.
+- 2026-03-12 T6: QA evidence generated at `.sisyphus/evidence/task-T6-domain-tenancy.txt` and `.sisyphus/evidence/task-T6-routine-scope.txt` with passing scenarios.
+- 2026-03-12 T9: Admin household management can stay backend-only by listing synced local `users` plus current membership state, creating bare `households`, and handling assign/move/remove as explicit membership operations.
+- 2026-03-12 T9: Unsynced identities should fail assignment via local `User` lookup rather than implicit creation, keeping Authelia as the only identity source and preserving the v1 one-household-per-user rule.
+- 2026-03-12 T8: Server-side frontend API helpers should call `PUBLIC_API_BASE` directly with the access token from `event.locals.session`; same-origin SvelteKit endpoints are still the right bridge for browser-only interactions like AI modals and inline PATCHes.
diff --git a/.sisyphus/notepads/multi-user-authelia-oidc/problems.md b/.sisyphus/notepads/multi-user-authelia-oidc/problems.md
new file mode 100644
index 0000000..f2618a9
--- /dev/null
+++ b/.sisyphus/notepads/multi-user-authelia-oidc/problems.md
@@ -0,0 +1,3 @@
+- Pending follow-up migration task is required to materialize new models/columns in PostgreSQL schema.
+- End-to-end SQLite  from base revision remains blocked by pre-existing non-SQLite-safe migration logic () outside T2 scope.
+- Correction: full SQLite alembic upgrade head from base is still blocked by pre-existing DROP TYPE usage in migration 7c91e4b2af38 (outside T2 scope).
diff --git a/.sisyphus/plans/multi-user-authelia-oidc.md b/.sisyphus/plans/multi-user-authelia-oidc.md
new file mode 100644
index 0000000..5f8da78
--- /dev/null
+++ b/.sisyphus/plans/multi-user-authelia-oidc.md
@@ -0,0 +1,604 @@
+# Multi-User Support with Authelia OIDC
+
+## TL;DR
+> **Summary**: Convert the monorepo from a single-user personal system into a multi-user application authenticated by Authelia OIDC, with SvelteKit owning the login/session flow and FastAPI enforcing row-level ownership and household-scoped inventory sharing.
+> **Deliverables**:
+> - OIDC login/logout/session flow in SvelteKit
+> - FastAPI token validation, current-user resolution, and authorization helpers
+> - New local identity/household schema plus ownership migrations for existing data
+> - Household-shared inventory support with owner/admin product controls
+> - Updated infra, CI, and verification coverage for the new auth model
+> **Effort**: XL
+> **Parallel**: YES - 3 waves
+> **Critical Path**: T1 -> T2 -> T3 -> T4 -> T5/T6 -> T7/T8 -> T11
+
+## Context
+### Original Request
+Add multi-user support with login handled by Authelia using OpenID Connect.
+
+### Interview Summary
+- Auth model: app-managed OIDC with SvelteKit-owned session handling; FastAPI acts as the resource server.
+- Roles: `admin` and `member`; admins can manage member data and household memberships, but v1 excludes impersonation and a full user-management console.
+- Ownership model: records are user-owned by default; `products` stay user-owned in v1.
+- Sharing exception: product inventory may be shared among members of the same household; shared household members may view and update inventory entries, but only the product owner or an admin may edit/delete the underlying product.
+- Rollout: retrofit the existing application in one implementation plan rather than staging auth separately.
+- Identity source: Authelia remains the source of truth; no in-app signup/provisioning UI in v1.
+- Verification preference: do not add a permanent frontend test suite in this pass; still require backend tests plus agent-executed QA scenarios.
+
+### Metis Review (gaps addressed)
+- Made household sharing explicit with a local `households` + `household_memberships` model instead of overloading OIDC groups.
+- Added a deterministic legacy-data backfill step so existing single-user records are assigned to the first configured admin identity during migration.
+- Called out `llm_context.py`, helper functions like `get_or_404()`, and all row-fetching routes as mandatory scoping points so no single-user path survives.
+- Chose JWT access-token validation via Authelia JWKS for FastAPI, with SvelteKit calling `userinfo` to hydrate the app session and local user record.
+- Kept browser QA agent-executed and out of repo while still requiring backend auth tests and CI enablement.
+
+## Work Objectives
+### Core Objective
+Implement a secure, decision-complete multi-user architecture that uses Authelia OIDC for authentication, local app users/households for authorization, row ownership across existing data models, and household-scoped inventory sharing without broadening scope into a full account-management product.
+
+### Deliverables
+- Backend identity/auth models for local users, households, memberships, and role mapping.
+- Alembic migration/backfill converting all existing domain data to owned records.
+- FastAPI auth dependencies, token validation, and authorization utilities.
+- Retrofitted API routes and LLM context builders that enforce ownership.
+- SvelteKit login, callback, logout, refresh, and protected-route behavior.
+- Auth-aware API access from frontend server actions and protected page loads.
+- Admin-only backend endpoints for household membership management without a UI console.
+- nginx, deploy, CI, and environment updates needed for OIDC rollout.
+
+### Definition of Done (verifiable conditions with commands)
+- `cd backend && uv run pytest`
+- `cd backend && uv run ruff check .`
+- `cd frontend && pnpm check`
+- `cd frontend && pnpm lint`
+- `cd frontend && pnpm build`
+- `cd backend && uv run python -c "import json; from main import app; print(json.dumps(app.openapi())[:200])"`
+
+### Must Have
+- OIDC Authorization Code flow with PKCE, server-handled callback, HTTP-only app session cookie, refresh-token renewal, and logout.
+- FastAPI bearer-token validation against Authelia JWKS; no trusted identity headers between app tiers.
+- Local `users`, `households`, and `household_memberships` tables keyed by `issuer + sub` rather than email.
+- `user_id` ownership enforcement across profile, health, routines, skincare, AI logs, and products.
+- Household inventory-sharing model that permits view/update of shared inventory by household members while preserving owner/admin control of product records.
+- Deterministic backfill of legacy records to a configured bootstrap admin identity.
+- Admin/member authorization rules enforced in backend dependencies and mirrored in frontend navigation/controls.
+- Backend auth and authorization tests, plus CI job enablement for those tests.
+
+### Must NOT Have (guardrails, AI slop patterns, scope boundaries)
+- No proxy-header trust model between SvelteKit and FastAPI.
+- No in-app signup, password reset, email verification, impersonation, or full user-management console.
+- No multi-household membership per user in v1.
+- No global shared product catalog refactor in this pass.
+- No audit-log productization, notification system, or support tooling.
+- No permanent Playwright/Vitest suite added to the repo in this pass.
+
+## Verification Strategy
+> ZERO HUMAN INTERVENTION - all verification is agent-executed.
+- Test decision: tests-after using existing backend `pytest` + `TestClient`; no new committed frontend suite, but include agent-executed browser QA and curl-based verification.
+- QA policy: every task includes happy-path and failure/edge-case scenarios with exact commands or browser actions.
+- Evidence: `.sisyphus/evidence/task-{N}-{slug}.{ext}`
+
+## Execution Strategy
+### Parallel Execution Waves
+> Target: 5-8 tasks per wave. <3 per wave (except final) = under-splitting.
+> Extract shared dependencies as Wave-1 tasks for max parallelism.
+
+Wave 1: T1 identity models, T2 ownership migration, T3 backend token validation, T4 tenant-aware authorization helpers
+
+Wave 2: T5 product/inventory authorization retrofit, T6 remaining domain scoping retrofit, T7 SvelteKit auth/session flow, T8 frontend auth-aware plumbing and shell behavior
+
+Wave 3: T9 admin household-management endpoints, T10 infra/env/CI/deploy updates, T11 backend auth regression coverage and release verification
+
+### Dependency Matrix (full, all tasks)
+| Task | Depends On | Blocks |
+| --- | --- | --- |
+| T1 | - | T2, T3, T4, T9 |
+| T2 | T1 | T5, T6, T11 |
+| T3 | T1 | T4, T5, T6, T7, T8, T9, T11 |
+| T4 | T1, T3 | T5, T6, T9 |
+| T5 | T2, T3, T4 | T11 |
+| T6 | T2, T3, T4 | T11 |
+| T7 | T3 | T8, T10, T11 |
+| T8 | T7 | T11 |
+| T9 | T1, T2, T3, T4 | T11 |
+| T10 | T3, T7 | T11 |
+| T11 | T2, T3, T4, T5, T6, T7, T8, T9, T10 | Final verification |
+
+### Agent Dispatch Summary (wave -> task count -> categories)
+- Wave 1 -> 4 tasks -> `deep`, `unspecified-high`
+- Wave 2 -> 4 tasks -> `deep`, `unspecified-high`, `writing`
+- Wave 3 -> 3 tasks -> `unspecified-high`, `writing`, `deep`
+
+## TODOs
+> Implementation + Test = ONE task. Never separate.
+> EVERY task MUST have: Agent Profile + Parallelization + QA Scenarios.
+
+- [x] T1. Add local identity, role, household, and sharing models
+
+  **What to do**: Add a new backend model module for `User`, `Household`, and `HouseholdMembership`; extend existing domain models with ownership fields; add a compact role enum (`admin`, `member`) and a household-membership role enum (`owner`, `member`). Use `issuer + subject` as the immutable OIDC identity key, enforce at most one household membership per user in v1, and add `is_household_shared: bool = False` to `ProductInventory` so sharing is opt-in per inventory row rather than automatic for an entire household.
+  **Must NOT do**: Do not key users by email, do not introduce multi-household membership, do not split `Product` into catalog vs overlay tables in this pass, and do not add frontend management UI here.
+
+  **Recommended Agent Profile**:
+  - Category: `deep` - Reason: cross-cutting schema design with downstream auth and authorization consequences
+  - Skills: `[]` - Existing backend conventions are the main source of truth
+  - Omitted: `svelte-code-writer` - No Svelte files belong in this task
+
+  **Parallelization**: Can Parallel: NO | Wave 1 | Blocks: T2, T3, T4, T9 | Blocked By: -
+
+  **References** (executor has NO interview context - be exhaustive):
+  - Pattern: `backend/innercontext/models/profile.py:13` - Simple SQLModel table with UUID PK and timestamp conventions to follow for user-owned profile data.
+  - Pattern: `backend/innercontext/models/product.py:138` - Main table-model style, JSON-column usage, and `updated_at` pattern.
+  - Pattern: `backend/innercontext/models/product.py:353` - Existing `ProductInventory` table to extend with ownership and sharing fields.
+  - Pattern: `backend/innercontext/models/__init__.py:1` - Export surface that must include every new model/type.
+  - API/Type: `backend/innercontext/models/enums.py` - Existing enum location; add role enums here unless a dedicated auth model module makes more sense.
+
+  **Acceptance Criteria** (agent-executable only):
+  - [ ] `backend/innercontext/models/` defines `User`, `Household`, and `HouseholdMembership` with UUID PKs, timestamps, uniqueness on `(oidc_issuer, oidc_subject)`, and one-household-per-user enforcement.
+  - [ ] `Product`, `ProductInventory`, `UserProfile`, `MedicationEntry`, `MedicationUsage`, `LabResult`, `Routine`, `RoutineStep`, `GroomingSchedule`, `SkinConditionSnapshot`, and `AICallLog` each expose an ownership field (`user_id`) in model code, with `ProductInventory` also exposing `is_household_shared`.
+  - [ ] `innercontext.models` re-exports the new auth/household types so metadata loading and imports continue to work.
+  - [ ] `cd backend && uv run python -c "import innercontext.models as m; print(all(hasattr(m, name) for name in ['User','Household','HouseholdMembership']))"` prints `True`.
+
+  **QA Scenarios** (MANDATORY - task incomplete without these):
+  ```
+  Scenario: Identity models load into SQLModel metadata
+    Tool: Bash
+    Steps: Run `cd backend && uv run python -c "import innercontext.models; from sqlmodel import SQLModel; print(sorted(t.name for t in SQLModel.metadata.sorted_tables if t.name in {'users','households','household_memberships'}))" > ../.sisyphus/evidence/task-T1-identity-models.txt`
+    Expected: Evidence file lists `['household_memberships', 'households', 'users']`
+    Evidence: .sisyphus/evidence/task-T1-identity-models.txt
+
+  Scenario: Product inventory sharing stays opt-in
+    Tool: Bash
+    Steps: Run `cd backend && uv run python -c "from innercontext.models.product import ProductInventory; f=ProductInventory.model_fields['is_household_shared']; print(f.default)" > ../.sisyphus/evidence/task-T1-sharing-default.txt`
+    Expected: Evidence file contains `False`
+    Evidence: .sisyphus/evidence/task-T1-sharing-default.txt
+  ```
+
+  **Commit**: YES | Message: `feat(auth): add local user and household models` | Files: `backend/innercontext/models/*`
+
+- [x] T2. Add Alembic migration and bootstrap backfill for legacy single-user data
+
+  **What to do**: Create an Alembic revision that creates `users`, `households`, and `household_memberships`, adds `user_id` ownership columns and related foreign keys/indexes to all owned tables, and adds `is_household_shared` to `product_inventory`. Use a two-step migration: add nullable columns, create/bootstrap a local admin user + default household from environment variables, backfill every existing row to that bootstrap user, then enforce non-null ownership constraints. Use env names `BOOTSTRAP_ADMIN_OIDC_ISSUER`, `BOOTSTRAP_ADMIN_OIDC_SUB`, `BOOTSTRAP_ADMIN_EMAIL`, `BOOTSTRAP_ADMIN_NAME`, and `BOOTSTRAP_HOUSEHOLD_NAME`; abort the migration with a clear error if legacy data exists and the required issuer/sub values are missing.
+  **Must NOT do**: Do not assign ownership based on email matching, do not silently create random bootstrap identities, and do not leave owned tables nullable after the migration completes.
+
+  **Recommended Agent Profile**:
+  - Category: `deep` - Reason: schema migration, backfill, and irreversible data-shape change
+  - Skills: `[]` - Use existing Alembic patterns from the repo
+  - Omitted: `git-master` - Commit strategy is already prescribed here
+
+  **Parallelization**: Can Parallel: NO | Wave 1 | Blocks: T5, T6, T11 | Blocked By: T1
+
+  **References** (executor has NO interview context - be exhaustive):
+  - Pattern: `backend/alembic/versions/` - Existing migration naming/layout conventions to follow.
+  - Pattern: `backend/innercontext/models/product.py:180` - Timestamp/nullability expectations that migrated columns must preserve.
+  - Pattern: `backend/db.py:17` - Metadata creation path; migration must leave runtime startup compatible.
+  - API/Type: `backend/innercontext/models/profile.py:13` - Existing singleton-style table that must become owned data.
+  - API/Type: `backend/innercontext/models/product.py:353` - Inventory table receiving the sharing flag.
+
+  **Acceptance Criteria** (agent-executable only):
+  - [ ] A new Alembic revision exists under `backend/alembic/versions/` creating auth/household tables and ownership columns/indexes/foreign keys.
+  - [ ] The migration backfills all existing owned rows to the bootstrap admin user and creates that user's default household + owner membership.
+  - [ ] The migration aborts with a readable exception if legacy data exists and `BOOTSTRAP_ADMIN_OIDC_ISSUER` or `BOOTSTRAP_ADMIN_OIDC_SUB` is absent.
+  - [ ] Owned tables end with non-null `user_id` constraints after upgrade.
+
+  **QA Scenarios** (MANDATORY - task incomplete without these):
+  ```
+  Scenario: Migration upgrade succeeds with bootstrap identity configured
+    Tool: Bash
+    Steps: Create a disposable DB URL (for example `sqlite:///../.sisyphus/evidence/task-T2-upgrade.sqlite`), then run `cd backend && DATABASE_URL=sqlite:///../.sisyphus/evidence/task-T2-upgrade.sqlite BOOTSTRAP_ADMIN_OIDC_ISSUER=https://auth.example.test BOOTSTRAP_ADMIN_OIDC_SUB=legacy-admin BOOTSTRAP_ADMIN_EMAIL=owner@example.test BOOTSTRAP_ADMIN_NAME='Legacy Owner' BOOTSTRAP_HOUSEHOLD_NAME='Default Household' uv run alembic upgrade head > ../.sisyphus/evidence/task-T2-migration-upgrade.txt`
+    Expected: Command exits 0 and evidence file shows Alembic reached `head`
+    Evidence: .sisyphus/evidence/task-T2-migration-upgrade.txt
+
+  Scenario: Migration fails fast when bootstrap identity is missing for legacy data
+    Tool: Bash
+    Steps: Seed a disposable SQLite DB with one legacy row using the pre-migration schema, then run `cd backend && DATABASE_URL=sqlite:///../.sisyphus/evidence/task-T2-missing-bootstrap.sqlite uv run alembic upgrade head 2> ../.sisyphus/evidence/task-T2-migration-missing-bootstrap.txt`
+    Expected: Upgrade exits non-zero and evidence contains a message naming both missing bootstrap env vars
+    Evidence: .sisyphus/evidence/task-T2-migration-missing-bootstrap.txt
+  ```
+
+  **Commit**: YES | Message: `feat(db): backfill tenant ownership for existing records` | Files: `backend/alembic/versions/*`, `backend/innercontext/models/*`
+
+- [x] T3. Implement FastAPI token validation, user sync, and current-user dependencies
+
+  **What to do**: Add backend auth modules that validate Authelia JWT access tokens via JWKS with cached key material, enforce issuer/audience/expiry checks, map role groups to local roles, and expose dependencies like `get_current_user()` and `require_admin()`. Create protected auth endpoints for session sync and self introspection (for example `/auth/session/sync` and `/auth/me`) so SvelteKit can exchange token-derived/userinfo-derived identity details for a local `User` row and current app profile. Use env/config values for issuer, JWKS URL/discovery URL, client ID, and group names instead of hard-coding them.
+  **Must NOT do**: Do not trust `X-Forwarded-User`-style headers, do not skip signature validation, do not derive role from email domain, and do not make backend routes public except health-check.
+
+  **Recommended Agent Profile**:
+  - Category: `unspecified-high` - Reason: focused backend auth implementation with security-sensitive logic
+  - Skills: `[]` - No project skill is better than direct backend work here
+  - Omitted: `svelte-code-writer` - No Svelte components involved
+
+  **Parallelization**: Can Parallel: NO | Wave 1 | Blocks: T4, T5, T6, T7, T8, T9, T11 | Blocked By: T1
+
+  **References** (executor has NO interview context - be exhaustive):
+  - Pattern: `backend/main.py:37` - Current FastAPI app construction and router registration point.
+  - Pattern: `backend/db.py:12` - Session dependency shape that auth dependencies must compose with.
+  - Pattern: `backend/innercontext/api/profile.py:27` - Router/dependency style used throughout the API.
+  - External: `https://www.authelia.com/configuration/identity-providers/openid-connect/provider/` - OIDC provider/discovery and JWKS behavior.
+  - External: `https://www.authelia.com/integration/openid-connect/openid-connect-1.0-claims/` - Claims and userinfo behavior; use `issuer + sub` as identity key.
+
+  **Acceptance Criteria** (agent-executable only):
+  - [ ] A backend auth module validates bearer tokens against Authelia JWKS with issuer/audience checks and cached key refresh.
+  - [ ] Protected dependencies expose a normalized current user object with local `user_id`, role, and household membership information.
+  - [ ] Backend includes protected auth sync/introspection endpoints used by SvelteKit to upsert local users from OIDC identity data.
+  - [ ] Unauthenticated access to owned API routes returns `401`; authenticated access with a valid token reaches router logic.
+
+  **QA Scenarios** (MANDATORY - task incomplete without these):
+  ```
+  Scenario: Valid bearer token resolves a current user
+    Tool: Bash
+    Steps: Run `cd backend && uv run pytest tests/test_auth.py -k sync > ../.sisyphus/evidence/task-T3-auth-sync.txt`
+    Expected: Auth sync/introspection tests pass and evidence includes the protected auth endpoint names
+    Evidence: .sisyphus/evidence/task-T3-auth-sync.txt
+
+  Scenario: Missing or invalid bearer token is rejected
+    Tool: Bash
+    Steps: Run `cd backend && uv run pytest tests/test_auth.py -k unauthorized > ../.sisyphus/evidence/task-T3-auth-unauthorized.txt`
+    Expected: Tests pass and evidence shows `401` expectations
+    Evidence: .sisyphus/evidence/task-T3-auth-unauthorized.txt
+  ```
+
+  **Commit**: YES | Message: `feat(auth): validate Authelia tokens in FastAPI` | Files: `backend/main.py`, `backend/innercontext/auth.py`, `backend/innercontext/api/auth*.py`
+
+- [x] T4. Centralize tenant-aware fetch helpers and authorization predicates
+
+  **What to do**: Replace single-user helper assumptions with reusable authorization helpers that every router can call. Add tenant-aware helpers for owned lookup, admin override, same-household checks, and household-shared inventory visibility/update rules. Keep `get_session()` unchanged, but add helpers/dependencies that make it difficult for routers to accidentally query global rows. Update or supersede `get_or_404()` with helpers that scope by `user_id` and return `404` for unauthorized record lookups unless the route intentionally needs `403`.
+  **Must NOT do**: Do not leave routers performing raw `session.get()` on owned models, do not duplicate household-sharing logic in every route, and do not use admin bypasses that skip existence checks.
+
+  **Recommended Agent Profile**:
+  - Category: `deep` - Reason: authorization rules must become the shared execution path for many routers
+  - Skills: `[]` - This is backend architecture work, not skill-driven tooling
+  - Omitted: `frontend-design` - No UI work belongs here
+
+  **Parallelization**: Can Parallel: NO | Wave 1 | Blocks: T5, T6, T9 | Blocked By: T1, T3
+
+  **References** (executor has NO interview context - be exhaustive):
+  - Pattern: `backend/innercontext/api/utils.py:9` - Existing naive `get_or_404()` helper that must no longer be used for owned records.
+  - Pattern: `backend/innercontext/api/products.py:934` - Current direct object fetch/update/delete route pattern to replace.
+  - Pattern: `backend/innercontext/api/inventory.py:14` - Inventory routes that currently expose rows globally.
+  - Pattern: `backend/innercontext/api/health.py:141` - Representative list/get/update/delete health routes requiring shared helpers.
+  - Pattern: `backend/innercontext/api/routines.py:674` - Another high-volume router that must consume the same authz utilities.
+
+  **Acceptance Criteria** (agent-executable only):
+  - [ ] Backend provides shared helper/dependency functions for owned lookups, admin checks, same-household checks, and shared-inventory updates.
+  - [ ] `get_or_404()` is either retired for owned data or wrapped so no owned router path still uses the unscoped helper directly.
+  - [ ] Shared inventory authorization distinguishes product ownership from inventory update rights.
+  - [ ] Helper tests cover owner access, admin override, same-household shared inventory access, and cross-household denial.
+
+  **QA Scenarios** (MANDATORY - task incomplete without these):
+  ```
+  Scenario: Authorization helpers allow owner/admin/household-shared access correctly
+    Tool: Bash
+    Steps: Run `cd backend && uv run pytest tests/test_authz.py -k 'owner or admin or household' > ../.sisyphus/evidence/task-T4-authz-happy.txt`
+    Expected: Tests pass and evidence includes owner/admin/household cases
+    Evidence: .sisyphus/evidence/task-T4-authz-happy.txt
+
+  Scenario: Cross-household access is denied without leaking row existence
+    Tool: Bash
+    Steps: Run `cd backend && uv run pytest tests/test_authz.py -k denied > ../.sisyphus/evidence/task-T4-authz-denied.txt`
+    Expected: Tests pass and evidence shows `404` or `403` assertions exactly where specified by the helper contract
+    Evidence: .sisyphus/evidence/task-T4-authz-denied.txt
+  ```
+
+  **Commit**: YES | Message: `refactor(api): centralize tenant authorization helpers` | Files: `backend/innercontext/api/utils.py`, `backend/innercontext/api/authz.py`, router call sites
+
+- [x] T5. Retrofit products and inventory endpoints for owned access plus household sharing
+
+  **What to do**: Update `products` and `inventory` APIs so product visibility is `owned OR household-visible-via-shared-inventory OR admin`, while product mutation remains `owner OR admin`. Keep `Product` user-owned. For household members, allow `GET` on shared products/inventory rows and `PATCH` on shared inventory rows, but keep `POST /products`, `PATCH /products/{id}`, `DELETE /products/{id}`, `POST /products/{id}/inventory`, and `DELETE /inventory/{id}` restricted to owner/admin. Reuse the existing `ProductListItem.is_owned` field so shared-but-not-owned products are clearly marked in summaries. Ensure suggestion and summary endpoints only use products accessible to the current user.
+  **Must NOT do**: Do not expose non-shared inventory across a household, do not let household members edit `personal_tolerance_notes`, and do not return global product lists anymore.
+
+  **Recommended Agent Profile**:
+  - Category: `deep` - Reason: most nuanced authorization rules live in product and inventory flows
+  - Skills: `[]` - Backend logic and existing product patterns are sufficient
+  - Omitted: `frontend-design` - No UI polish belongs here
+
+  **Parallelization**: Can Parallel: YES | Wave 2 | Blocks: T11 | Blocked By: T2, T3, T4
+
+  **References** (executor has NO interview context - be exhaustive):
+  - Pattern: `backend/innercontext/api/products.py:605` - List route currently returning global products.
+  - Pattern: `backend/innercontext/api/products.py:844` - Summary route already exposes `is_owned`; extend rather than replacing it.
+  - Pattern: `backend/innercontext/api/products.py:934` - Detail/update/delete routes that currently use direct lookup.
+  - Pattern: `backend/innercontext/api/products.py:977` - Product inventory list/create routes.
+  - Pattern: `backend/innercontext/api/inventory.py:14` - Direct inventory get/update/delete routes that currently bypass ownership.
+  - API/Type: `backend/innercontext/models/product.py:353` - Inventory model fields involved in household sharing.
+  - Test: `backend/tests/test_products.py:38` - Existing CRUD/filter test style to extend for authz cases.
+
+  **Acceptance Criteria** (agent-executable only):
+  - [ ] Product list/detail/summary/suggest endpoints only return products accessible to the current user.
+  - [ ] Shared household members can `GET` shared products/inventory and `PATCH` shared inventory rows, but cannot mutate product records or create/delete another user's inventory rows.
+  - [ ] Product summaries preserve `is_owned` semantics for shared products.
+  - [ ] Product/inventory tests cover owner, admin, same-household shared member, and different-household member cases.
+
+  **QA Scenarios** (MANDATORY - task incomplete without these):
+  ```
+  Scenario: Household member can view a shared product and update its shared inventory row
+    Tool: Bash
+    Steps: Run `cd backend && uv run pytest tests/test_products_auth.py -k 'shared_inventory_update or shared_product_visible' > ../.sisyphus/evidence/task-T5-product-sharing.txt`
+    Expected: Tests pass and evidence shows `200` assertions for shared view/update cases
+    Evidence: .sisyphus/evidence/task-T5-product-sharing.txt
+
+  Scenario: Household member cannot edit or delete another user's product
+    Tool: Bash
+    Steps: Run `cd backend && uv run pytest tests/test_products_auth.py -k 'cannot_edit_shared_product or cannot_delete_shared_product' > ../.sisyphus/evidence/task-T5-product-denied.txt`
+    Expected: Tests pass and evidence shows `403` or `404` assertions matching the route contract
+    Evidence: .sisyphus/evidence/task-T5-product-denied.txt
+  ```
+
+  **Commit**: YES | Message: `feat(api): scope products and inventory by owner and household` | Files: `backend/innercontext/api/products.py`, `backend/innercontext/api/inventory.py`, related tests
+
+- [x] T6. Retrofit remaining domain routes, LLM context, and jobs for per-user ownership
+
+  **What to do**: Update profile, health, routines, skincare, AI log, and LLM-context code so every query is user-scoped by default and admin override is explicit. `UserProfile` becomes one-per-user rather than singleton; `build_user_profile_context()` and product-context builders must accept the current user and only include accessible data. Routine suggestion/batch flows must use the current user's profile plus products visible under the owned/shared rules from T5. Ensure background pricing/job paths preserve `user_id` on products and logs, and that list endpoints never aggregate cross-user data for non-admins.
+  **Must NOT do**: Do not keep any `select(Model)` query unfiltered on an owned model, do not keep singleton profile lookups, and do not leak other users' AI logs or health data through helper functions.
+
+  **Recommended Agent Profile**:
+  - Category: `deep` - Reason: many routers and helper layers need consistent tenancy retrofits
+  - Skills: `[]` - Backend cross-module work only
+  - Omitted: `svelte-code-writer` - No Svelte component work in this task
+
+  **Parallelization**: Can Parallel: YES | Wave 2 | Blocks: T11 | Blocked By: T2, T3, T4
+
+  **References** (executor has NO interview context - be exhaustive):
+  - Pattern: `backend/innercontext/api/profile.py:27` - Current singleton profile route using `get_user_profile(session)`.
+  - Pattern: `backend/innercontext/api/llm_context.py:10` - Single-user helper that currently selects the most recent profile globally.
+  - Pattern: `backend/innercontext/api/health.py:141` - Medication and lab-result CRUD/list route layout.
+  - Pattern: `backend/innercontext/api/routines.py:674` - Routine list/create/suggest entry points that need scoped product/profile data.
+  - Pattern: `backend/innercontext/api/skincare.py:222` - Snapshot list/get/update/delete route structure.
+  - Pattern: `backend/innercontext/api/ai_logs.py:46` - AI-log exposure that must become owned/admin-only.
+  - Pattern: `backend/innercontext/services/pricing_jobs.py` - Background queue path that must preserve product ownership.
+
+  **Acceptance Criteria** (agent-executable only):
+  - [ ] Every non-admin router outside products/inventory scopes owned data by `user_id` before returning or mutating rows.
+  - [ ] `GET /profile` and `PATCH /profile` operate on the current user's profile, not the newest global profile.
+  - [ ] Routine suggestion and batch suggestion flows use only the current user's profile plus accessible products.
+  - [ ] AI logs are owned/admin-only, and background job/log creation stores `user_id` when applicable.
+
+  **QA Scenarios** (MANDATORY - task incomplete without these):
+  ```
+  Scenario: Member only sees their own health, routine, profile, skin, and AI-log data
+    Tool: Bash
+    Steps: Run `cd backend && uv run pytest tests/test_tenancy_domains.py -k 'profile or health or routines or skincare or ai_logs' > ../.sisyphus/evidence/task-T6-domain-tenancy.txt`
+    Expected: Tests pass and evidence shows only owned/admin-allowed access patterns
+    Evidence: .sisyphus/evidence/task-T6-domain-tenancy.txt
+
+  Scenario: Routine suggestions ignore another user's products and profile
+    Tool: Bash
+    Steps: Run `cd backend && uv run pytest tests/test_routines_auth.py -k suggest > ../.sisyphus/evidence/task-T6-routine-scope.txt`
+    Expected: Tests pass and evidence shows suggestion inputs are scoped to the authenticated user plus shared inventory visibility rules
+    Evidence: .sisyphus/evidence/task-T6-routine-scope.txt
+  ```
+
+  **Commit**: YES | Message: `feat(api): enforce ownership across health routines and profile flows` | Files: `backend/innercontext/api/profile.py`, `backend/innercontext/api/health.py`, `backend/innercontext/api/routines.py`, `backend/innercontext/api/skincare.py`, `backend/innercontext/api/ai_logs.py`, `backend/innercontext/api/llm_context.py`
+
+- [x] T7. Implement SvelteKit OIDC login, callback, logout, refresh, and protected-session handling
+
+  **What to do**: Add server-only auth utilities under `frontend/src/lib/server/` and implement `Authorization Code + PKCE` in SvelteKit using Authelia discovery/token/userinfo endpoints. Create `/auth/login`, `/auth/callback`, and `/auth/logout` server routes. Extend `hooks.server.ts` to decrypt/load the app session, refresh the access token when it is near expiry, populate `event.locals.user` and `event.locals.session`, and redirect unauthenticated requests on all application routes except `/auth/*` and static assets. Use an encrypted HTTP-only cookie named `innercontext_session` with `sameSite=lax`, `secure` in production, and a 32-byte secret from private env.
+  **Must NOT do**: Do not store access or refresh tokens in `localStorage`, do not expose client secrets via `$env/static/public`, and do not protect routes with client-only guards.
+
+  **Recommended Agent Profile**:
+  - Category: `unspecified-high` - Reason: server-side SvelteKit auth flow with cookies, hooks, and redirects
+  - Skills: [`svelte-code-writer`] - Required for editing SvelteKit auth and route modules cleanly
+  - Omitted: `frontend-design` - This task is auth/session behavior, not visual redesign
+
+  **Parallelization**: Can Parallel: YES | Wave 2 | Blocks: T8, T10, T11 | Blocked By: T3
+
+  **References** (executor has NO interview context - be exhaustive):
+  - Pattern: `frontend/src/hooks.server.ts:1` - Current global request hook; auth must compose with existing Paraglide middleware rather than replacing it.
+  - Pattern: `frontend/src/app.d.ts:3` - Add typed `App.Locals`/`PageData` session fields here.
+  - Pattern: `frontend/src/routes/+layout.svelte:30` - App shell/navigation that will consume authenticated user state later.
+  - Pattern: `frontend/src/routes/products/suggest/+page.server.ts:4` - Existing SvelteKit server action style using `fetch`.
+  - External: `https://www.authelia.com/configuration/identity-providers/openid-connect/clients/` - Client configuration expectations for auth code flow and PKCE.
+
+  **Acceptance Criteria** (agent-executable only):
+  - [ ] SvelteKit exposes login/callback/logout server routes that complete the OIDC flow against Authelia and create/destroy `innercontext_session`.
+  - [ ] `hooks.server.ts` populates `event.locals.user`/`event.locals.session`, refreshes tokens near expiry, and redirects unauthenticated users away from protected pages.
+  - [ ] The callback flow calls backend auth sync before treating the user as signed in.
+  - [ ] Session cookies are HTTP-only and sourced only from private env/config.
+
+  **QA Scenarios** (MANDATORY - task incomplete without these):
+  ```
+  Scenario: Login callback establishes an authenticated server session
+    Tool: Playwright
+    Steps: Navigate to `/products` while signed out, follow redirect to `/auth/login`, on the Authelia page fill the `Username` and `Password` fields using `E2E_AUTHELIA_USERNAME`/`E2E_AUTHELIA_PASSWORD`, submit the primary login button, wait for redirect back to the app, then save an accessibility snapshot to `.sisyphus/evidence/task-T7-login-flow.md`
+    Expected: Final URL is inside the app, the protected page renders, and the session cookie exists
+    Evidence: .sisyphus/evidence/task-T7-login-flow.md
+
+  Scenario: Expired or refresh-failed session redirects back to login
+    Tool: Playwright
+    Steps: Start from an authenticated session, replace the `innercontext_session` cookie with one containing an expired access token or invalidate the refresh endpoint in the browser session, reload `/products`, and save a snapshot to `.sisyphus/evidence/task-T7-refresh-failure.md`
+    Expected: The app clears the session cookie and redirects to `/auth/login`
+    Evidence: .sisyphus/evidence/task-T7-refresh-failure.md
+  ```
+
+  **Commit**: YES | Message: `feat(frontend): add Authelia OIDC session flow` | Files: `frontend/src/hooks.server.ts`, `frontend/src/app.d.ts`, `frontend/src/lib/server/auth.ts`, `frontend/src/routes/auth/*`
+
+- [x] T8. Refactor frontend data access, route guards, and shell state around the server session
+
+  **What to do**: Refactor frontend API access so protected backend calls always originate from SvelteKit server loads/actions/endpoints using the access token from `event.locals.session`. Convert browser-side direct `$lib/api` usage to server actions or same-origin SvelteKit endpoints, add a `+layout.server.ts` that exposes authenticated user data to the shell, and update `+layout.svelte` to show the current user role/name plus a logout action. Regenerate OpenAPI types if backend response models change and keep `$lib/types` as the canonical import surface.
+  **Must NOT do**: Do not keep browser-side bearer-token fetches, do not bypass the server session by calling backend APIs directly from components, and do not hardcode English auth labels without Paraglide message keys.
+
+  **Recommended Agent Profile**:
+  - Category: `unspecified-high` - Reason: SvelteKit route plumbing plus shell-state integration
+  - Skills: [`svelte-code-writer`] - Required because this task edits `.svelte` and SvelteKit route modules
+  - Omitted: `frontend-design` - Preserve the existing editorial shell instead of redesigning it
+
+  **Parallelization**: Can Parallel: YES | Wave 2 | Blocks: T11 | Blocked By: T7
+
+  **References** (executor has NO interview context - be exhaustive):
+  - Pattern: `frontend/src/lib/api.ts:25` - Current request helper branching between browser and server; replace with session-aware server usage.
+  - Pattern: `frontend/src/routes/+layout.svelte:63` - Existing app shell where user state/logout should appear without breaking navigation.
+  - Pattern: `frontend/src/routes/+page.server.ts` - Representative server-load pattern already used throughout the app.
+  - Pattern: `frontend/src/routes/skin/new/+page.svelte` - Existing browser-side API import to eliminate or proxy through server logic.
+  - Pattern: `frontend/src/routes/routines/[id]/+page.svelte` - Another browser-side API import that must stop calling the backend directly.
+  - Pattern: `frontend/src/routes/products/suggest/+page.server.ts:4` - Server action pattern to reuse for auth-aware fetches.
+  - API/Type: `frontend/src/lib/types.ts` - Keep as the only frontend import surface after any `pnpm generate:api` run.
+
+  **Acceptance Criteria** (agent-executable only):
+  - [ ] Protected backend calls in frontend code use the server session access token and no longer depend on browser token storage.
+  - [ ] Direct component-level `$lib/api` usage on protected paths is removed or wrapped behind same-origin server endpoints/actions.
+  - [ ] App shell receives authenticated user/session data from server load and exposes a logout affordance.
+  - [ ] `pnpm generate:api` is run if backend auth/API response changes require regenerated frontend types.
+
+  **QA Scenarios** (MANDATORY - task incomplete without these):
+  ```
+  Scenario: Authenticated user navigates protected pages and sees session-aware shell state
+    Tool: Playwright
+    Steps: Log in, visit `/`, `/products`, `/profile`, and `/routines`; capture an accessibility snapshot to `.sisyphus/evidence/task-T8-protected-nav.md`
+    Expected: Each page loads without redirect loops, and the shell shows the current user plus logout control
+    Evidence: .sisyphus/evidence/task-T8-protected-nav.md
+
+  Scenario: Unauthenticated browser access cannot hit protected data paths directly
+    Tool: Playwright
+    Steps: Start from a signed-out browser, open a page that previously imported `$lib/api` from a component, attempt the same interaction, capture console/network output to `.sisyphus/evidence/task-T8-signed-out-network.txt`
+    Expected: The app redirects or blocks cleanly without leaking backend JSON responses into the UI
+    Evidence: .sisyphus/evidence/task-T8-signed-out-network.txt
+  ```
+
+  **Commit**: YES | Message: `refactor(frontend): route protected API access through server session` | Files: `frontend/src/lib/api.ts`, `frontend/src/routes/**/*.server.ts`, `frontend/src/routes/+layout.*`, selected `.svelte` files, `frontend/src/lib/types.ts`
+
+- [x] T9. Add admin-only household management API without a frontend console
+
+  **What to do**: Add a small admin-only backend router for household administration so the app can support real household sharing without a management UI. Provide endpoints to list local users who have logged in, create a household, assign a user to a household, move a user between households, and remove a membership. Enforce the v1 rule that a user can belong to at most one household. Do not manage identity creation here; Authelia remains the identity source, and only locally synced users may be assigned. Non-bootstrap users should remain household-less until an admin assigns them.
+  **Must NOT do**: Do not add Svelte pages for household management, do not let non-admins call these endpoints, and do not allow membership assignment for users who have never authenticated into the app.
+
+  **Recommended Agent Profile**:
+  - Category: `unspecified-high` - Reason: contained backend admin surface with sensitive authorization logic
+  - Skills: `[]` - Backend conventions already exist in repo
+  - Omitted: `frontend-design` - Explicitly no console/UI in scope
+
+  **Parallelization**: Can Parallel: YES | Wave 3 | Blocks: T11 | Blocked By: T1, T2, T3, T4
+
+  **References** (executor has NO interview context - be exhaustive):
+  - Pattern: `backend/main.py:50` - Router registration area; add a dedicated admin router here.
+  - Pattern: `backend/innercontext/api/profile.py:41` - Simple patch/upsert route style for small admin mutation endpoints.
+  - Pattern: `backend/innercontext/api/utils.py:9` - Error-handling pattern to preserve with tenant-aware replacements.
+  - API/Type: `backend/innercontext/models/profile.py:13` - Example of owned record exposed without extra wrapper models.
+  - Test: `backend/tests/conftest.py:34` - Dependency-override style for admin/member API tests.
+
+  **Acceptance Criteria** (agent-executable only):
+  - [ ] Backend exposes admin-only household endpoints for list/create/assign/move/remove operations.
+  - [ ] Membership moves preserve the one-household-per-user rule.
+  - [ ] Membership assignment only works for users already present in the local `users` table.
+  - [ ] Admin-route tests cover admin success, member denial, and attempted assignment of unsynced users.
+
+  **QA Scenarios** (MANDATORY - task incomplete without these):
+  ```
+  Scenario: Admin can create a household and assign a logged-in member
+    Tool: Bash
+    Steps: Run `cd backend && uv run pytest tests/test_admin_households.py -k 'create_household or assign_member' > ../.sisyphus/evidence/task-T9-admin-households.txt`
+    Expected: Tests pass and evidence shows admin-only success cases
+    Evidence: .sisyphus/evidence/task-T9-admin-households.txt
+
+  Scenario: Member cannot manage households and unsynced users cannot be assigned
+    Tool: Bash
+    Steps: Run `cd backend && uv run pytest tests/test_admin_households.py -k 'forbidden or unsynced' > ../.sisyphus/evidence/task-T9-admin-households-denied.txt`
+    Expected: Tests pass and evidence shows `403`/validation failures for forbidden assignments
+    Evidence: .sisyphus/evidence/task-T9-admin-households-denied.txt
+  ```
+
+  **Commit**: YES | Message: `feat(api): add admin household management endpoints` | Files: `backend/main.py`, `backend/innercontext/api/admin*.py`, related tests
+
+- [x] T10. Update runtime configuration, validation scripts, deploy checks, and operator docs for OIDC
+
+  **What to do**: Update runtime configuration for both services so frontend and backend receive the new OIDC/session env vars at runtime, and document the exact Authelia client/server setup required. Keep nginx in a pure reverse-proxy role (no `auth_request`), but make sure forwarded host/proto information remains sufficient for callback URL generation. Extend `scripts/validate-env.sh` and deploy validation so missing auth env vars fail fast, and update `scripts/healthcheck.sh` plus `deploy.sh` health expectations because authenticated pages may now redirect to login instead of returning `200` for signed-out probes. Document bootstrap-admin env usage for the migration.
+  **Must NOT do**: Do not add proxy-level auth, do not require manual post-deploy DB edits, and do not leave deploy health checks assuming `/` must return `200` when the app intentionally redirects signed-out users.
+
+  **Recommended Agent Profile**:
+  - Category: `writing` - Reason: configuration, deployment, and operator-facing documentation dominate this task
+  - Skills: `[]` - Repo docs and service files are the governing references
+  - Omitted: `svelte-code-writer` - No Svelte component changes needed
+
+  **Parallelization**: Can Parallel: YES | Wave 3 | Blocks: T11 | Blocked By: T3, T7
+
+  **References** (executor has NO interview context - be exhaustive):
+  - Pattern: `nginx/innercontext.conf:1` - Current reverse-proxy setup that must remain proxy-only.
+  - Pattern: `deploy.sh:313` - Service-wait and health-check functions to update for signed-out redirects and auth env validation.
+  - Pattern: `deploy.sh:331` - Backend/frontend health-check behavior currently assuming public app pages.
+  - Pattern: `scripts/validate-env.sh:57` - Existing required-env validation script to extend with OIDC/session/bootstrap keys.
+  - Pattern: `scripts/healthcheck.sh:10` - Current frontend health check that assumes `/` returns `200`.
+  - Pattern: `systemd/innercontext.service` - Backend runtime env injection point.
+  - Pattern: `systemd/innercontext-node.service` - Frontend runtime env injection point.
+  - Pattern: `docs/DEPLOYMENT.md` - Canonical operator runbook to update.
+
+  **Acceptance Criteria** (agent-executable only):
+  - [ ] Backend and frontend runtime configs declare/document all required OIDC/session/bootstrap env vars.
+  - [ ] Deploy validation fails fast when required auth env vars are missing.
+  - [ ] Frontend health checks accept the signed-out auth redirect behavior or target a public route that remains intentionally available.
+  - [ ] Deployment docs describe Authelia client config, callback/logout URLs, JWKS/issuer envs, and bootstrap-migration envs.
+
+  **QA Scenarios** (MANDATORY - task incomplete without these):
+  ```
+  Scenario: Deploy validation rejects missing auth configuration
+    Tool: Bash
+    Steps: Run `scripts/validate-env.sh` (or the deploy wrapper that calls it) with one required OIDC/session variable removed, and redirect output to `.sisyphus/evidence/task-T10-missing-env.txt`
+    Expected: Validation exits non-zero and names the missing variable
+    Evidence: .sisyphus/evidence/task-T10-missing-env.txt
+
+  Scenario: Signed-out frontend health behavior matches updated deployment expectations
+    Tool: Bash
+    Steps: Run the updated `scripts/healthcheck.sh` or deploy health-check path and save output to `.sisyphus/evidence/task-T10-health-check.txt`
+    Expected: Evidence shows a successful probe despite protected app routes (either via accepted redirect or a dedicated public health target)
+    Evidence: .sisyphus/evidence/task-T10-health-check.txt
+  ```
+
+  **Commit**: YES | Message: `chore(deploy): wire OIDC runtime configuration` | Files: `nginx/innercontext.conf`, `deploy.sh`, `scripts/validate-env.sh`, `scripts/healthcheck.sh`, `systemd/*`, `docs/DEPLOYMENT.md`
+
+- [ ] T11. Add shared auth fixtures, full regression coverage, and CI enforcement
+
+  **What to do**: Build reusable backend test fixtures for authenticated users, roles, households, and shared inventory, then add regression tests covering auth sync, unauthenticated access, admin/member authorization, household inventory sharing, routine/product visibility, and migration-sensitive ownership behavior. Use dependency overrides in tests instead of hitting a live Authelia server. Enable the existing backend CI job so these tests run in Forgejo, and make sure the final verification command set includes backend tests, lint, frontend check/lint/build, and any required API type generation.
+  **Must NOT do**: Do not depend on a live Authelia instance in CI, do not leave the backend test job disabled, and do not add a committed frontend browser test suite in this pass.
+
+  **Recommended Agent Profile**:
+  - Category: `unspecified-high` - Reason: broad regression coverage plus CI wiring across the monorepo
+  - Skills: `[]` - Existing pytest/CI patterns are sufficient
+  - Omitted: `playwright` - Browser QA stays agent-executed, not repository-committed
+
+  **Parallelization**: Can Parallel: NO | Wave 3 | Blocks: Final verification | Blocked By: T2, T3, T4, T5, T6, T7, T8, T9, T10
+
+  **References** (executor has NO interview context - be exhaustive):
+  - Pattern: `backend/tests/conftest.py:16` - Per-test DB isolation and dependency override technique.
+  - Pattern: `backend/tests/test_products.py:4` - Existing endpoint-test style to mirror for authz coverage.
+  - Pattern: `.forgejo/workflows/ci.yml:83` - Disabled backend test job that must be enabled.
+  - Pattern: `frontend/package.json:6` - Final frontend verification commands available in the repo.
+  - Pattern: `backend/pyproject.toml` - Pytest command/config surface for any new test files.
+
+  **Acceptance Criteria** (agent-executable only):
+  - [ ] Shared auth fixtures exist for admin/member identities, household membership, and shared inventory setup.
+  - [ ] Backend tests cover `401`, owner success, admin override, same-household shared inventory update, and different-household denial across representative routes.
+  - [ ] Forgejo backend tests run by default instead of being gated by `if: false`.
+  - [ ] Final command set passes: backend tests + lint, frontend check + lint + build, and API type generation only if required by backend schema changes.
+
+  **QA Scenarios** (MANDATORY - task incomplete without these):
+  ```
+  Scenario: Full backend auth regression suite passes locally
+    Tool: Bash
+    Steps: Run `cd backend && uv run pytest > ../.sisyphus/evidence/task-T11-backend-regression.txt`
+    Expected: Evidence file shows the full suite passing, including new auth/tenancy tests
+    Evidence: .sisyphus/evidence/task-T11-backend-regression.txt
+
+  Scenario: CI config now runs backend tests instead of skipping them
+    Tool: Bash
+    Steps: Read `.forgejo/workflows/ci.yml`, confirm the backend-test job no longer contains `if: false`, and save a grep extract to `.sisyphus/evidence/task-T11-ci-enabled.txt`
+    Expected: Evidence shows the backend-test job is active and executes `uv run pytest`
+    Evidence: .sisyphus/evidence/task-T11-ci-enabled.txt
+  ```
+
+  **Commit**: YES | Message: `test(auth): add multi-user regression coverage` | Files: `backend/tests/*`, `.forgejo/workflows/ci.yml`
+
+## Final Verification Wave (4 parallel agents, ALL must APPROVE)
+- [ ] F1. Plan Compliance Audit - oracle
+- [ ] F2. Code Quality Review - unspecified-high
+- [ ] F3. Real Manual QA - unspecified-high (+ playwright if UI)
+- [ ] F4. Scope Fidelity Check - deep
+
+## Commit Strategy
+- Use atomic commits after stable checkpoints: Wave 1 foundation, Wave 2 application integration, Wave 3 infra/tests.
+- Prefer conventional commits with monorepo scopes such as `feat(auth): ...`, `feat(frontend): ...`, `feat(api): ...`, `test(auth): ...`, `chore(deploy): ...`.
+- Do not merge unrelated refactors into auth/tenancy commits; keep schema, auth flow, frontend session, and infra/test changes reviewable.
+
+## Success Criteria
+- Every protected route and API request resolves a concrete current user before touching owned data.
+- Non-admin users cannot read or mutate records outside their ownership, except household-shared inventory entries.
+- Household members can view/update shared inventory without gaining product edit rights.
+- Existing single-user data survives migration and becomes accessible to the bootstrap admin account after first login.
+- Frontend protected navigation/login/logout flow works without browser-stored bearer tokens.
+- Backend test suite and CI catch auth regressions before deploy.
diff --git a/backend/.coverage b/backend/.coverage
index da6d65fee8f4336fcafe711a4a100506570883c5..ab842f116f3ea6e6d74fa8b72f645c87e8a806ff 100644
GIT binary patch
delta 3286
zcmZuzdsGzn6`t97?C#9${1$e3$zypxBM%dW6lAF=ZzYe435o;+E9b~A6||xY14++G
zY#vCbtua2Z{iA7{RAX&|iUFd@A+aReoJK=@uy~B_iB^|K%(CpV(>o(1r#YQJ=9_!(
zckl1sJKsLKjuBnQh<C_>>NH|IhE5|Z%HY4|5Ai?aS=|NQ9$h;3CHE><$a>flYy%s~
zj4>j!j!|nbXgjozY5t@6gXRfMpn6o@q0Xegp<ky<DL?gR>Irg=JWLi6KH?w5_LIFl
zp(;ufGs<(t$BQ^TResX#u<mSYvNX1)x3sTG5nn4RqLN9h`%!U!alRN*9E>N4>BTj8
zqWDVjdMW`TSxO|nBnXcO-zw2oV!-3X{Uv2oEJRI8G_sVVV!#4_@uOm0X_)wGQI4^-
zamTKvEsd=iTX(}@<t8A6D+EuekzO0Mko~A=U#AYJYiX)&ZfvV-sB5bO^6E$tm8~Ho
z2uzSOxb54U!CM*r{TUa_!o;4E95KAyfQP|c#dxS#xh`8gUanWI4uRxsF|R^LuL_0?
ztz1F}CuG#^Y}+Q!9RzddipMJ%RiRNFF3)A;z#fPc8o(@66$U=^HZ(U`WPSkfv*kXu
zJ7FmBl<Hvvibvd6!Qn`psL1CQHVfer9vr2(4(>lC8+LAK6MHKP^({M^wlrCO4)OIY
zw3VUk0*Xd%vqITz*6j_jg68_h9j)7%T7Xr?04r>f#edI&P_Y)K%@=)Z8C(O?E1fWn
zmYvP=Yb{noumq<UnnpM!I>08CmTM~mseA$oi+I&?&BJ{ZtK{7UE^er{p|M4-Q-mwh
zc~FT!q|F#Q!+gbPv>&1trc&FfU9S0~=1I*xVxD-HXl8zkGBpPEr~EDcu)339&vUvD
zb$fLg+!*&7x0;<}-(efsD0LQnhdxM`Q4;kR(n}tpo+MYF>_vn)zrGkx6Vo^5E$&c0
zK2?0Rs)$N?h6HhDZ7_p4gYaZ=>4q9AX+7D!6nq7uy*L1*dSk-|Dq+EA27v~GRC}H&
zqvF<)AW%6svXrG_pCCb?c-3Pd&`>I-i0nqPh5lEj(c%ZsR!}A-^MjgP{f~qhCGyp4
z$jFt1Am_3Vbs3>l?ybt@<#$~R&e}Gsb$hG$@-um$&_H|%%vKCKUAH+$Rw!tdug;ML
zN`(}XpijIihg;BQ@IqfetYq*YacE<nc2S*1uvX&+*{7>p&}N{*hfXyM(hPvnb7ZZ8
zGFe<NIyRZvAC!r}F2#AcuUZi1rb6_CFu5ucbooI|Uikl)BwJ2`A|cK##^FUVFqav$
zsKvD~r*gJ-QHvUgl~C&Mo2;*EZG;qB9N%05x|Ca$6-k=OZXDLIT>VgyguJTY9}7|i
zWdf8>^Qoy?Lv(c-(}E!n8bjyNpU?r+j+UY*-p&7;H}ERmV>+Ch<_5R}+>2a0*Tik+
zs<?Gr8W+TASsy#ao@U=>53&1L8`}n7u;uJ3b~(#4Q_K+4%e0&d&<8StDUHOn1<7Zx
zt+<O}zph_4`Yc_8U7$L$HgPvp6FoZmkyId5C+s=Xd{w3#n@t=@FUPXm6F-@H<NoI>
z-n@MK3#;MAHyc&vj`B`hW(u(DlTr;>GDc}I6^7y1e&g85&}EknuyZ>w4F(sZd9JIz
zo+j9$WT8tPo(w5DiK$O_F+gtUc}^7#G*v;z<HrsV2}uyFh@YeTo8Kca<C>4_hqV|+
zVwmcZNiH=Z-@a9`i9idDd*kYRe?6~KCxD@koufkH;UP2Tvd`h!>NjA+#Mr>~f4bBY
zG#>|nsOZ5X8UZ@gU<Gt6ICvAz#sG!}oUXBrn^pQ~Fk<y*Bgfi5!7r?RPn&~G;E6_-
z5c8lA;XY#xXQIFn%v+ouk2*UNo?CR|k=Sta)ibx%ZNrZHf3sdrpYV^39&VR%Uc@oX
z)3;&$PGM+%r~5cJm>RNwKp0Z_Ic)@F8aYd=Lt?|>F_b-BGkeaT#VnDlGpCo{H}l3Y
zcuv(?oR?juk(G|`dajM%yKasN1@CH&%5FD1eZo<*WS1nTS+eDuCY?^)iTBwFIs_=Z
zdIudWBfU%;1Za%9cywhhZzKiS17&HIq}%Bu*Ky7Ou_YvrVUu_S!v}&D6<LPG;@Bhj
z*U_;7U>8Nqr8~^FNfW#!xbDDEKU{Z+<$B<3C+6Hg+3Gh-ZnabJd3&7pQzz*jla%eB
z$0q0g_4>w@q4#bce!pCbk%aeMEpE>gp+k@tVW?hqYsP6BQD^aBHlz)@P<K$K<E}^Y
z3B&R+6KV;cPHK7Oh{@kLs*3jwn1@`R4qu0P$l6`5qj2pD!Ks~&xP2EeVJ(4S`%OM<
z2%l*8``VA1&GuY#U+#q6*`BXfO?q5Og5T>B?65Mo;FGLQX~6N#?|hOZb$F!VD|2Rt
zWZTo8KjxJtAI{ig+ofL^6~`tVg5<gFCI%heaaWY})?M9AAtKK&Gq;{zI#@e(cqDGV
z_^4{)sX^;r*ZU(I`)<5+WN367#0%`GXOrom>LsIN#w&Q8F87RAH|ss*@_0Y8yRs+T
zGj6YEo<<z3AUefT`<dNs8oGL4-Mx~90iWL!HtWyd_X3_5eQx^hv`L3y!}v`9-nYKI
z(&&fgXM{IC?lW66&GQGOH!DB#-#a@#x7$_Se?-EhzFet~@C&1(qkp%3Cv@8SGfoH=
z@7XTNA2x{`pE_)AFSjt^0=zx6;#9$TK{|2K&;`YNt(~4`zb$v->R0_PeDAp9fplf>
zFZ&(W+a@H(XIpn=-}HPj4Ij?k4!dU7r0x-*%<wtK`IXa8VZEwY1|}*Bw`eClg32Kf
z*w;KJbonJcOxrN^;OK)Cb}}hJ3#5uA7N;7vaL%>m<t{AR{uUP9-~Ad|?2X6rbsC^W
zgkG7NzUA(7g_o&eHQmOLaWCbYu}ePt{FQr0T;F}B_T9?HX1z1sqmG^-huvithFz{(
z^ZvnwtxLk)z7uzaJNW}n-=NcdQ+XE=G}Qiy@yhQHeq!@{DmkSQ_f(H?=n+ZC-#AF<
zDEVa79s1(PxfeaEB_x<Dg0F1$A9mXNoQCJ$%G%9ior6QOn>QN?h@}QuYA=Vux+h&5
zq@mgCgh>V7f<Oy;-Dx)qPQm7@ot>!}x9=SqZ*{pm*SxJ1PHMG0&cM8B{3Q%|kpuk(
zb)a2n8>&Oq=xJ1e)}VZpjWSURibdh*TXYb9BJQEv=yP-ty^AiObLeICEBME4L^?$C
z5<kmN@z?k}{7wE6I*#5%#~v>8REYi;ydV#ZC#NZpkg7mZiUNtr3dAQV5SOSxY=QzY
z@d`x8DPW3KARtBoeY66|qyQhKfG$!2PFXO{hAS4cgcjuEwPA{>2~|KHq5vJNKva+d
zlu-fFpg?4x0uccU5PAg+NP#q7fmEFWDVzdftODVT0!y?CglcFq362j@E2fcFKt(AK
QOezpWC=hsRu8+?AFLY60)&Kwi

delta 2445
zcmY*Zdr*|u6~Fg;zwf?)T^_s3#u}xOlF<rQWH%$r@(>@Rj#kGYwb+otLRe&qAiK7m
zWTvTR@Y-~en1cNynMr37jbqY;XlOIjCQVypnn{z8BB>p>HPM(MnF2w!=esUc?;rPf
z?>Xn5=kNPc!+dI(KO;nHL*hIlza@{5<<>u}C#^<HG~Y10%oWC@anh(Wc>SV&NMEJ>
zQybK_Yo<D?_NptC50&Feg*+wyOukS0oAh(3TAV*Sct+%ELNvZHhKpfeZ+3MY>TZp<
zBuYDbqd^*ID5sHnfv&68#ejg0uBOh-t7(6AG4|76RqqpvK(;C?(`i-IEf#|0{w2xD
zXpUHLm(6EUH~n>O1^Cd_?=>e{AWox?CS&EcgdVFgL@(Ii!#s@F_;8+`gD26_)zf;Q
zCGo9;KY|AhxnNSjOj=_et~!S%>&jhiZS75o=7TNWy<k%5;Zf4IFhC6VE$$_+c0I>x
zbFk|~&F$hQYYBGJ8?`a)ppR@>Z?(pITH@UuUACW%gl?^0PcPLgT(t#Zs<}GTe&=YE
z&BPB|;|H3%>=J4XdbXhs>#$eRb(?go*(am3tK<8J4s_cFDpUPslg7mqh+=zC=t!fA
zWoSF|r?tcnwcCA<Nm&D#Hf+|g2py<e>{U!y(oKMlU(BVcsWsl(-P8onqg-}u7FUDq
znbNPe5MazLL|!9ZhM@OoSF{s)sdP+=insJPwH=y8?zJYZUs{_j$-H1D%$3Gv;}=G~
z`aAWox>ET_c|utyKQ6D5Kat)$J9t*4?b~BG1bd}%2VIJ(e{Y4&76N4-Y;Cjq65K5S
zXHM@3)5ofFaDYC$W1r~XDFA0q?}*TF)QOAeww=4g!mKPzKa0BP>D}vWHYizs<kNv&
zj4(hC9sB6E-4%4a#*4jnKyo)V^634$HsM@4@ZAdMU4+Qlz$fYWu5tmg@_>u2*iAD#
zS-y0#*1|4&eRm9K(AiXJ-bnxl-Lj|Bo<AnwG>R?u3dV2TF@BSt*;|JV*u(n&i`N(L
zSq^CSodN~03Sla22B<B~ZQTz+N(yw-mdNTN3*@YgO#&55P-}RxA>xv10#w3MMt6{a
z&kn<qxEkT8Q)M3u%;wxzO(a+wGD;AcCI2Qbljq1OGGHxOUs(IBHP$yRhlR{(^Qt*%
zzHgp4hs=}aK69HHF-y(mX0FK_bH;V!kH&9|KBLhnIp=gt>dE4efYs{2>mRRmBNRcM
zD7&VR1*a5`hRJ=!V6vz1@N4Z8Yd=M3cxL%XX&ox>UH;A&Pv00{`~3S?-|KLH@}Iq2
z_(;P*e`ye`AM}^F(F!Cgh(icxU0#yW972kH18Is$lSs)Az=O3#CEHWllBumbf`;W~
ze$dqy%t^1dKgqKPi`%7ueVVejFZCj@^5#E1@yZLo=j1}TIDB)Wvj7guyboJQu%iYc
z5i1`={=AFNDv*GJB9bo&0xK6gynrF|^`Z}Y-@$KvV?rn-c_0ZI@x1V4_;}xqc3#T`
zL9QN8&(8DT&Vh5AcEduQ6Fo1^VmyC+;L~T$7j%C3=Tp6zipMZ|d$DLcL0BIzXfvx-
z4?Odz@x<kf#|_64C7w)Q`|lH1{`%^zd;UIh;cGeI0&zs<#>T>#q4Zd0I+K|l3lEW*
z>FLyTYAlT<Cm2{#m*lWfbm;`pE5s9-WFk+u><bTrv!;TU2^W7(JqwRf&}YDXjc2Yj
zfcl{s*O(k70aAx$9dr(|hr3sU!`9Hn&o>TpSNk?(hBAcB>t9RFA0;V#g)akEidg+|
zsCeM>Wsl;QQt8?0bnn7^<=9v{6&^~@7Alb-LV{v5C}PJTuw~Z_8kJ$v#}S9oZE*yl
z8EDujx;gkjK8DSm^zt*v7?p2gZ;J0nlCD5v-ry_m&iarvAVch<{mzSTQm+woJXlng
z9Jze$e9!6(taN70U~&OxP9?3Gj1$A4xlw-v(qQZ6?SN&_fxA`;!b1}BqA-c}!w29+
zKiL4Z0Ux&)(54Wh6fTq?oA0>eDts=sa@0hq5}`9tr<mjv5wtE>$pb-6fK#sHqj#Z}
zH9VXjwkG><W_~)HNyt5Y>5&W5c#8LyRUsagO>IDS$r+Yun;nq<gS?+`@GQv18_?*&
z7$m=6#Dc0?SOa~Cco6xTd`X7MQ{)7Bocxp=Aw8snJVctw9&(+WCs)ZhxlBGFFOuiU
zcCv{?Nfjw4Wu$<tB=DU4iM&PLfIq?8R?@Bs2SN-Aiy8QX42l8_3j7T6ix~J=6R@{{
z-SYAo<oXzxUIs=U13j04mcu~xFi_kKWETU;DgD3>FFM#&APjhmL5|75V=y2(gOJ9c
dSY;4Y7&v7HZi#_QWZ)1OSUdyn+}w~<_CG;ibk6_)

diff --git a/backend/innercontext/api/llm_context.py b/backend/innercontext/api/llm_context.py
index 40e7dcf..af93be7 100644
--- a/backend/innercontext/api/llm_context.py
+++ b/backend/innercontext/api/llm_context.py
@@ -102,7 +102,7 @@ def build_product_context_summary(product: Product, has_inventory: bool = False)
 
     # Get effect profile scores if available
     effects = []
-    effect_profile = getattr(product, "effect_profile", None)
+    effect_profile = getattr(product, "product_effect_profile", None)
     if effect_profile:
         profile = effect_profile
         # Only include notable effects (score > 0)
diff --git a/backend/tests/test_products_helpers.py b/backend/tests/test_products_helpers.py
index 90f1c5f..9d5fb80 100644
--- a/backend/tests/test_products_helpers.py
+++ b/backend/tests/test_products_helpers.py
@@ -28,20 +28,27 @@ from innercontext.validators.shopping_validator import (
 )
 
 
-def test_build_shopping_context(session: Session):
+def test_build_shopping_context(session: Session, current_user):
     # Empty context
-    ctx = _build_shopping_context(session, reference_date=date.today())
+    ctx = _build_shopping_context(
+        session, reference_date=date.today(), current_user=current_user
+    )
     assert "USER PROFILE: no data" in ctx
     assert "(brak danych)" in ctx
     assert "POSIADANE PRODUKTY" in ctx
 
-    profile = UserProfile(birth_date=date(1990, 1, 10), sex_at_birth=SexAtBirth.MALE)
+    profile = UserProfile(
+        user_id=current_user.user_id,
+        birth_date=date(1990, 1, 10),
+        sex_at_birth=SexAtBirth.MALE,
+    )
     session.add(profile)
     session.commit()
 
     # Add snapshot
     snap = SkinConditionSnapshot(
         id=uuid.uuid4(),
+        user_id=current_user.user_id,
         snapshot_date=date.today(),
         overall_state="fair",
         skin_type="combination",
@@ -79,7 +86,9 @@ def test_build_shopping_context(session: Session):
     session.add(inv)
     session.commit()
 
-    ctx = _build_shopping_context(session, reference_date=date(2026, 3, 5))
+    ctx = _build_shopping_context(
+        session, reference_date=date(2026, 3, 5), current_user=current_user
+    )
     assert "USER PROFILE:" in ctx
     assert "Age: 36" in ctx
     assert "Sex at birth: male" in ctx
@@ -106,7 +115,9 @@ def test_build_shopping_context(session: Session):
     assert "repurchase_candidate=true" in ctx
 
 
-def test_build_shopping_context_flags_replenishment_signal(session: Session):
+def test_build_shopping_context_flags_replenishment_signal(
+    session: Session, current_user
+):
     product = Product(
         id=uuid.uuid4(),
         short_id=str(uuid.uuid4())[:8],
@@ -116,6 +127,7 @@ def test_build_shopping_context_flags_replenishment_signal(session: Session):
         recommended_time="both",
         leave_on=False,
         product_effect_profile={},
+        user_id=current_user.user_id,
     )
     session.add(product)
     session.commit()
@@ -130,7 +142,9 @@ def test_build_shopping_context_flags_replenishment_signal(session: Session):
     )
     session.commit()
 
-    ctx = _build_shopping_context(session, reference_date=date.today())
+    ctx = _build_shopping_context(
+        session, reference_date=date.today(), current_user=current_user
+    )
     assert "lowest_remaining_level=nearly_empty" in ctx
     assert "stock_state=urgent" in ctx
     assert "replenishment_priority_hint=high" in ctx
@@ -287,7 +301,7 @@ def test_suggest_shopping_invalid_target_concern_returns_502(client):
         assert "suggestions/0/target_concerns/0" in r.json()["detail"]
 
 
-def test_shopping_context_medication_skip(session: Session):
+def test_shopping_context_medication_skip(session: Session, current_user):
     p = Product(
         id=uuid.uuid4(),
         short_id=str(uuid.uuid4())[:8],
@@ -298,11 +312,14 @@ def test_shopping_context_medication_skip(session: Session):
         leave_on=True,
         is_medication=True,
         product_effect_profile={},
+        user_id=current_user.user_id,
     )
     session.add(p)
     session.commit()
 
-    ctx = _build_shopping_context(session, reference_date=date.today())
+    ctx = _build_shopping_context(
+        session, reference_date=date.today(), current_user=current_user
+    )
     assert "Epiduo" not in ctx
 
 
diff --git a/backend/tests/test_routines_helpers.py b/backend/tests/test_routines_helpers.py
index 4041c22..5b70b41 100644
--- a/backend/tests/test_routines_helpers.py
+++ b/backend/tests/test_routines_helpers.py
@@ -480,6 +480,7 @@ def test_build_day_context():
 def test_get_available_products_respects_filters(session: Session, current_user):
     regular_med = Product(
         id=uuid.uuid4(),
+        short_id=str(uuid.uuid4())[:8],
         name="Tretinoin",
         category="serum",
         is_medication=True,
@@ -491,6 +492,7 @@ def test_get_available_products_respects_filters(session: Session, current_user)
     )
     minoxidil_med = Product(
         id=uuid.uuid4(),
+        short_id=str(uuid.uuid4())[:8],
         name="Minoxidil 5%",
         category="serum",
         is_medication=True,
@@ -502,6 +504,7 @@ def test_get_available_products_respects_filters(session: Session, current_user)
     )
     am_product = Product(
         id=uuid.uuid4(),
+        short_id=str(uuid.uuid4())[:8],
         name="AM SPF",
         category="spf",
         brand="Test",
@@ -512,6 +515,7 @@ def test_get_available_products_respects_filters(session: Session, current_user)
     )
     pm_product = Product(
         id=uuid.uuid4(),
+        short_id=str(uuid.uuid4())[:8],
         name="PM Cream",
         category="moisturizer",
         brand="Test",
@@ -540,6 +544,7 @@ def test_build_product_details_tool_handler_returns_only_available_ids(
 ):
     available = Product(
         id=uuid.uuid4(),
+        short_id=str(uuid.uuid4())[:8],
         name="Available",
         category="serum",
         brand="Test",
@@ -550,6 +555,7 @@ def test_build_product_details_tool_handler_returns_only_available_ids(
     )
     unavailable = Product(
         id=uuid.uuid4(),
+        short_id=str(uuid.uuid4())[:8],
         name="Unavailable",
         category="serum",
         brand="Test",
@@ -574,9 +580,8 @@ def test_build_product_details_tool_handler_returns_only_available_ids(
     assert "products" in payload
     products = payload["products"]
     assert len(products) == 1
-    assert products[0]["id"] == str(available.id)
+    assert products[0]["id"] == available.short_id
     assert products[0]["name"] == "Available"
-    assert products[0]["inci"] == ["Water", "Niacinamide"]
     assert "actives" in products[0]
     assert "safety" in products[0]
 
@@ -624,6 +629,7 @@ def test_get_available_products_excludes_minoxidil_when_flag_false(
 ):
     minoxidil = Product(
         id=uuid.uuid4(),
+        short_id=str(uuid.uuid4())[:8],
         name="Minoxidil 5%",
         category="hair_treatment",
         is_medication=True,
@@ -635,6 +641,7 @@ def test_get_available_products_excludes_minoxidil_when_flag_false(
     )
     regular = Product(
         id=uuid.uuid4(),
+        short_id=str(uuid.uuid4())[:8],
         name="Cleanser",
         category="cleanser",
         brand="Test",
diff --git a/backend/uv.lock b/backend/uv.lock
index a911208..f409e15 100644
--- a/backend/uv.lock
+++ b/backend/uv.lock
@@ -557,6 +557,7 @@ dependencies = [
     { name = "fastapi" },
     { name = "google-genai" },
     { name = "psycopg", extra = ["binary"] },
+    { name = "pyjwt", extra = ["crypto"] },
     { name = "python-dotenv" },
     { name = "python-multipart" },
     { name = "sqlmodel" },
@@ -580,6 +581,7 @@ requires-dist = [
     { name = "fastapi", specifier = ">=0.132.0" },
     { name = "google-genai", specifier = ">=1.65.0" },
     { name = "psycopg", extras = ["binary"], specifier = ">=3.3.3" },
+    { name = "pyjwt", extras = ["crypto"], specifier = ">=2.10.1" },
     { name = "python-dotenv", specifier = ">=1.2.1" },
     { name = "python-multipart", specifier = ">=0.0.22" },
     { name = "sqlmodel", specifier = ">=0.0.37" },
@@ -909,6 +911,20 @@ wheels = [
     { url = "https://files.pythonhosted.org/packages/c7/21/705964c7812476f378728bdf590ca4b771ec72385c533964653c68e86bdc/pygments-2.19.2-py3-none-any.whl", hash = "sha256:86540386c03d588bb81d44bc3928634ff26449851e99741617ecb9037ee5ec0b", size = 1225217, upload-time = "2025-06-21T13:39:07.939Z" },
 ]
 
+[[package]]
+name = "pyjwt"
+version = "2.11.0"
+source = { registry = "https://pypi.org/simple" }
+sdist = { url = "https://files.pythonhosted.org/packages/5c/5a/b46fa56bf322901eee5b0454a34343cdbdae202cd421775a8ee4e42fd519/pyjwt-2.11.0.tar.gz", hash = "sha256:35f95c1f0fbe5d5ba6e43f00271c275f7a1a4db1dab27bf708073b75318ea623", size = 98019, upload-time = "2026-01-30T19:59:55.694Z" }
+wheels = [
+    { url = "https://files.pythonhosted.org/packages/6f/01/c26ce75ba460d5cd503da9e13b21a33804d38c2165dec7b716d06b13010c/pyjwt-2.11.0-py3-none-any.whl", hash = "sha256:94a6bde30eb5c8e04fee991062b534071fd1439ef58d2adc9ccb823e7bcd0469", size = 28224, upload-time = "2026-01-30T19:59:54.539Z" },
+]
+
+[package.optional-dependencies]
+crypto = [
+    { name = "cryptography" },
+]
+
 [[package]]
 name = "pytest"
 version = "9.0.2"
diff --git a/frontend/openapi.json b/frontend/openapi.json
index 30c509c..fa51f02 100644
--- a/frontend/openapi.json
+++ b/frontend/openapi.json
@@ -5,6 +5,85 @@
     "version": "0.1.0"
   },
   "paths": {
+    "/auth/session/sync": {
+      "post": {
+        "tags": [
+          "auth"
+        ],
+        "summary": "Sync Session",
+        "operationId": "sync_session_auth_session_sync_post",
+        "requestBody": {
+          "content": {
+            "application/json": {
+              "schema": {
+                "anyOf": [
+                  {
+                    "$ref": "#/components/schemas/SessionSyncRequest"
+                  },
+                  {
+                    "type": "null"
+                  }
+                ],
+                "title": "Payload"
+              }
+            }
+          }
+        },
+        "responses": {
+          "200": {
+            "description": "Successful Response",
+            "content": {
+              "application/json": {
+                "schema": {
+                  "$ref": "#/components/schemas/AuthSessionResponse"
+                }
+              }
+            }
+          },
+          "422": {
+            "description": "Validation Error",
+            "content": {
+              "application/json": {
+                "schema": {
+                  "$ref": "#/components/schemas/HTTPValidationError"
+                }
+              }
+            }
+          }
+        },
+        "security": [
+          {
+            "HTTPBearer": []
+          }
+        ]
+      }
+    },
+    "/auth/me": {
+      "get": {
+        "tags": [
+          "auth"
+        ],
+        "summary": "Get Me",
+        "operationId": "get_me_auth_me_get",
+        "responses": {
+          "200": {
+            "description": "Successful Response",
+            "content": {
+              "application/json": {
+                "schema": {
+                  "$ref": "#/components/schemas/AuthSessionResponse"
+                }
+              }
+            }
+          }
+        },
+        "security": [
+          {
+            "HTTPBearer": []
+          }
+        ]
+      }
+    },
     "/products": {
       "get": {
         "tags": [
@@ -12,6 +91,11 @@
         ],
         "summary": "List Products",
         "operationId": "list_products_products_get",
+        "security": [
+          {
+            "HTTPBearer": []
+          }
+        ],
         "parameters": [
           {
             "name": "category",
@@ -130,6 +214,11 @@
         ],
         "summary": "Create Product",
         "operationId": "create_product_products_post",
+        "security": [
+          {
+            "HTTPBearer": []
+          }
+        ],
         "requestBody": {
           "required": true,
           "content": {
@@ -202,7 +291,12 @@
               }
             }
           }
-        }
+        },
+        "security": [
+          {
+            "HTTPBearer": []
+          }
+        ]
       }
     },
     "/products/summary": {
@@ -212,6 +306,11 @@
         ],
         "summary": "List Products Summary",
         "operationId": "list_products_summary_products_summary_get",
+        "security": [
+          {
+            "HTTPBearer": []
+          }
+        ],
         "parameters": [
           {
             "name": "category",
@@ -332,6 +431,11 @@
         ],
         "summary": "Get Product",
         "operationId": "get_product_products__product_id__get",
+        "security": [
+          {
+            "HTTPBearer": []
+          }
+        ],
         "parameters": [
           {
             "name": "product_id",
@@ -373,6 +477,11 @@
         ],
         "summary": "Update Product",
         "operationId": "update_product_products__product_id__patch",
+        "security": [
+          {
+            "HTTPBearer": []
+          }
+        ],
         "parameters": [
           {
             "name": "product_id",
@@ -424,6 +533,11 @@
         ],
         "summary": "Delete Product",
         "operationId": "delete_product_products__product_id__delete",
+        "security": [
+          {
+            "HTTPBearer": []
+          }
+        ],
         "parameters": [
           {
             "name": "product_id",
@@ -460,6 +574,11 @@
         ],
         "summary": "List Product Inventory",
         "operationId": "list_product_inventory_products__product_id__inventory_get",
+        "security": [
+          {
+            "HTTPBearer": []
+          }
+        ],
         "parameters": [
           {
             "name": "product_id",
@@ -505,6 +624,11 @@
         ],
         "summary": "Create Product Inventory",
         "operationId": "create_product_inventory_products__product_id__inventory_post",
+        "security": [
+          {
+            "HTTPBearer": []
+          }
+        ],
         "parameters": [
           {
             "name": "product_id",
@@ -569,7 +693,12 @@
               }
             }
           }
-        }
+        },
+        "security": [
+          {
+            "HTTPBearer": []
+          }
+        ]
       }
     },
     "/inventory/{inventory_id}": {
@@ -579,6 +708,11 @@
         ],
         "summary": "Get Inventory",
         "operationId": "get_inventory_inventory__inventory_id__get",
+        "security": [
+          {
+            "HTTPBearer": []
+          }
+        ],
         "parameters": [
           {
             "name": "inventory_id",
@@ -620,6 +754,11 @@
         ],
         "summary": "Update Inventory",
         "operationId": "update_inventory_inventory__inventory_id__patch",
+        "security": [
+          {
+            "HTTPBearer": []
+          }
+        ],
         "parameters": [
           {
             "name": "inventory_id",
@@ -671,6 +810,11 @@
         ],
         "summary": "Delete Inventory",
         "operationId": "delete_inventory_inventory__inventory_id__delete",
+        "security": [
+          {
+            "HTTPBearer": []
+          }
+        ],
         "parameters": [
           {
             "name": "inventory_id",
@@ -726,7 +870,12 @@
               }
             }
           }
-        }
+        },
+        "security": [
+          {
+            "HTTPBearer": []
+          }
+        ]
       },
       "patch": {
         "tags": [
@@ -765,7 +914,12 @@
               }
             }
           }
-        }
+        },
+        "security": [
+          {
+            "HTTPBearer": []
+          }
+        ]
       }
     },
     "/health/medications": {
@@ -775,6 +929,11 @@
         ],
         "summary": "List Medications",
         "operationId": "list_medications_health_medications_get",
+        "security": [
+          {
+            "HTTPBearer": []
+          }
+        ],
         "parameters": [
           {
             "name": "kind",
@@ -842,6 +1001,11 @@
         ],
         "summary": "Create Medication",
         "operationId": "create_medication_health_medications_post",
+        "security": [
+          {
+            "HTTPBearer": []
+          }
+        ],
         "requestBody": {
           "required": true,
           "content": {
@@ -883,6 +1047,11 @@
         ],
         "summary": "Get Medication",
         "operationId": "get_medication_health_medications__medication_id__get",
+        "security": [
+          {
+            "HTTPBearer": []
+          }
+        ],
         "parameters": [
           {
             "name": "medication_id",
@@ -924,6 +1093,11 @@
         ],
         "summary": "Update Medication",
         "operationId": "update_medication_health_medications__medication_id__patch",
+        "security": [
+          {
+            "HTTPBearer": []
+          }
+        ],
         "parameters": [
           {
             "name": "medication_id",
@@ -975,6 +1149,11 @@
         ],
         "summary": "Delete Medication",
         "operationId": "delete_medication_health_medications__medication_id__delete",
+        "security": [
+          {
+            "HTTPBearer": []
+          }
+        ],
         "parameters": [
           {
             "name": "medication_id",
@@ -1011,6 +1190,11 @@
         ],
         "summary": "List Usages",
         "operationId": "list_usages_health_medications__medication_id__usages_get",
+        "security": [
+          {
+            "HTTPBearer": []
+          }
+        ],
         "parameters": [
           {
             "name": "medication_id",
@@ -1056,6 +1240,11 @@
         ],
         "summary": "Create Usage",
         "operationId": "create_usage_health_medications__medication_id__usages_post",
+        "security": [
+          {
+            "HTTPBearer": []
+          }
+        ],
         "parameters": [
           {
             "name": "medication_id",
@@ -1109,6 +1298,11 @@
         ],
         "summary": "Update Usage",
         "operationId": "update_usage_health_usages__usage_id__patch",
+        "security": [
+          {
+            "HTTPBearer": []
+          }
+        ],
         "parameters": [
           {
             "name": "usage_id",
@@ -1160,6 +1354,11 @@
         ],
         "summary": "Delete Usage",
         "operationId": "delete_usage_health_usages__usage_id__delete",
+        "security": [
+          {
+            "HTTPBearer": []
+          }
+        ],
         "parameters": [
           {
             "name": "usage_id",
@@ -1196,6 +1395,11 @@
         ],
         "summary": "List Lab Results",
         "operationId": "list_lab_results_health_lab_results_get",
+        "security": [
+          {
+            "HTTPBearer": []
+          }
+        ],
         "parameters": [
           {
             "name": "q",
@@ -1364,6 +1568,11 @@
         ],
         "summary": "Create Lab Result",
         "operationId": "create_lab_result_health_lab_results_post",
+        "security": [
+          {
+            "HTTPBearer": []
+          }
+        ],
         "requestBody": {
           "required": true,
           "content": {
@@ -1405,6 +1614,11 @@
         ],
         "summary": "Get Lab Result",
         "operationId": "get_lab_result_health_lab_results__result_id__get",
+        "security": [
+          {
+            "HTTPBearer": []
+          }
+        ],
         "parameters": [
           {
             "name": "result_id",
@@ -1446,6 +1660,11 @@
         ],
         "summary": "Update Lab Result",
         "operationId": "update_lab_result_health_lab_results__result_id__patch",
+        "security": [
+          {
+            "HTTPBearer": []
+          }
+        ],
         "parameters": [
           {
             "name": "result_id",
@@ -1497,6 +1716,11 @@
         ],
         "summary": "Delete Lab Result",
         "operationId": "delete_lab_result_health_lab_results__result_id__delete",
+        "security": [
+          {
+            "HTTPBearer": []
+          }
+        ],
         "parameters": [
           {
             "name": "result_id",
@@ -1533,6 +1757,11 @@
         ],
         "summary": "List Routines",
         "operationId": "list_routines_routines_get",
+        "security": [
+          {
+            "HTTPBearer": []
+          }
+        ],
         "parameters": [
           {
             "name": "from_date",
@@ -1612,6 +1841,11 @@
         ],
         "summary": "Create Routine",
         "operationId": "create_routine_routines_post",
+        "security": [
+          {
+            "HTTPBearer": []
+          }
+        ],
         "requestBody": {
           "required": true,
           "content": {
@@ -1684,7 +1918,12 @@
               }
             }
           }
-        }
+        },
+        "security": [
+          {
+            "HTTPBearer": []
+          }
+        ]
       }
     },
     "/routines/suggest-batch": {
@@ -1725,7 +1964,12 @@
               }
             }
           }
-        }
+        },
+        "security": [
+          {
+            "HTTPBearer": []
+          }
+        ]
       }
     },
     "/routines/grooming-schedule": {
@@ -1750,7 +1994,12 @@
               }
             }
           }
-        }
+        },
+        "security": [
+          {
+            "HTTPBearer": []
+          }
+        ]
       },
       "post": {
         "tags": [
@@ -1789,7 +2038,12 @@
               }
             }
           }
-        }
+        },
+        "security": [
+          {
+            "HTTPBearer": []
+          }
+        ]
       }
     },
     "/routines/{routine_id}": {
@@ -1799,6 +2053,11 @@
         ],
         "summary": "Get Routine",
         "operationId": "get_routine_routines__routine_id__get",
+        "security": [
+          {
+            "HTTPBearer": []
+          }
+        ],
         "parameters": [
           {
             "name": "routine_id",
@@ -1838,6 +2097,11 @@
         ],
         "summary": "Update Routine",
         "operationId": "update_routine_routines__routine_id__patch",
+        "security": [
+          {
+            "HTTPBearer": []
+          }
+        ],
         "parameters": [
           {
             "name": "routine_id",
@@ -1889,6 +2153,11 @@
         ],
         "summary": "Delete Routine",
         "operationId": "delete_routine_routines__routine_id__delete",
+        "security": [
+          {
+            "HTTPBearer": []
+          }
+        ],
         "parameters": [
           {
             "name": "routine_id",
@@ -1925,6 +2194,11 @@
         ],
         "summary": "Add Step",
         "operationId": "add_step_routines__routine_id__steps_post",
+        "security": [
+          {
+            "HTTPBearer": []
+          }
+        ],
         "parameters": [
           {
             "name": "routine_id",
@@ -1978,6 +2252,11 @@
         ],
         "summary": "Update Step",
         "operationId": "update_step_routines_steps__step_id__patch",
+        "security": [
+          {
+            "HTTPBearer": []
+          }
+        ],
         "parameters": [
           {
             "name": "step_id",
@@ -2029,6 +2308,11 @@
         ],
         "summary": "Delete Step",
         "operationId": "delete_step_routines_steps__step_id__delete",
+        "security": [
+          {
+            "HTTPBearer": []
+          }
+        ],
         "parameters": [
           {
             "name": "step_id",
@@ -2065,6 +2349,11 @@
         ],
         "summary": "Update Grooming Schedule",
         "operationId": "update_grooming_schedule_routines_grooming_schedule__entry_id__patch",
+        "security": [
+          {
+            "HTTPBearer": []
+          }
+        ],
         "parameters": [
           {
             "name": "entry_id",
@@ -2116,6 +2405,11 @@
         ],
         "summary": "Delete Grooming Schedule",
         "operationId": "delete_grooming_schedule_routines_grooming_schedule__entry_id__delete",
+        "security": [
+          {
+            "HTTPBearer": []
+          }
+        ],
         "parameters": [
           {
             "name": "entry_id",
@@ -2183,7 +2477,12 @@
               }
             }
           }
-        }
+        },
+        "security": [
+          {
+            "HTTPBearer": []
+          }
+        ]
       }
     },
     "/skincare": {
@@ -2193,6 +2492,11 @@
         ],
         "summary": "List Snapshots",
         "operationId": "list_snapshots_skincare_get",
+        "security": [
+          {
+            "HTTPBearer": []
+          }
+        ],
         "parameters": [
           {
             "name": "from_date",
@@ -2278,6 +2582,11 @@
         ],
         "summary": "Create Snapshot",
         "operationId": "create_snapshot_skincare_post",
+        "security": [
+          {
+            "HTTPBearer": []
+          }
+        ],
         "requestBody": {
           "required": true,
           "content": {
@@ -2319,6 +2628,11 @@
         ],
         "summary": "Get Snapshot",
         "operationId": "get_snapshot_skincare__snapshot_id__get",
+        "security": [
+          {
+            "HTTPBearer": []
+          }
+        ],
         "parameters": [
           {
             "name": "snapshot_id",
@@ -2360,6 +2674,11 @@
         ],
         "summary": "Update Snapshot",
         "operationId": "update_snapshot_skincare__snapshot_id__patch",
+        "security": [
+          {
+            "HTTPBearer": []
+          }
+        ],
         "parameters": [
           {
             "name": "snapshot_id",
@@ -2411,6 +2730,11 @@
         ],
         "summary": "Delete Snapshot",
         "operationId": "delete_snapshot_skincare__snapshot_id__delete",
+        "security": [
+          {
+            "HTTPBearer": []
+          }
+        ],
         "parameters": [
           {
             "name": "snapshot_id",
@@ -2447,6 +2771,11 @@
         ],
         "summary": "List Ai Logs",
         "operationId": "list_ai_logs_ai_logs_get",
+        "security": [
+          {
+            "HTTPBearer": []
+          }
+        ],
         "parameters": [
           {
             "name": "endpoint",
@@ -2526,6 +2855,11 @@
         ],
         "summary": "Get Ai Log",
         "operationId": "get_ai_log_ai_logs__log_id__get",
+        "security": [
+          {
+            "HTTPBearer": []
+          }
+        ],
         "parameters": [
           {
             "name": "log_id",
@@ -2588,6 +2922,18 @@
             "format": "uuid",
             "title": "Id"
           },
+          "user_id": {
+            "anyOf": [
+              {
+                "type": "string",
+                "format": "uuid"
+              },
+              {
+                "type": "null"
+              }
+            ],
+            "title": "User Id"
+          },
           "created_at": {
             "type": "string",
             "format": "date-time",
@@ -2971,6 +3317,198 @@
         ],
         "title": "ActiveIngredient"
       },
+      "AuthHouseholdMembershipPublic": {
+        "properties": {
+          "household_id": {
+            "type": "string",
+            "format": "uuid",
+            "title": "Household Id"
+          },
+          "role": {
+            "$ref": "#/components/schemas/HouseholdRole"
+          }
+        },
+        "type": "object",
+        "required": [
+          "household_id",
+          "role"
+        ],
+        "title": "AuthHouseholdMembershipPublic"
+      },
+      "AuthIdentityPublic": {
+        "properties": {
+          "issuer": {
+            "type": "string",
+            "title": "Issuer"
+          },
+          "subject": {
+            "type": "string",
+            "title": "Subject"
+          },
+          "email": {
+            "anyOf": [
+              {
+                "type": "string"
+              },
+              {
+                "type": "null"
+              }
+            ],
+            "title": "Email"
+          },
+          "name": {
+            "anyOf": [
+              {
+                "type": "string"
+              },
+              {
+                "type": "null"
+              }
+            ],
+            "title": "Name"
+          },
+          "preferred_username": {
+            "anyOf": [
+              {
+                "type": "string"
+              },
+              {
+                "type": "null"
+              }
+            ],
+            "title": "Preferred Username"
+          },
+          "groups": {
+            "items": {
+              "type": "string"
+            },
+            "type": "array",
+            "title": "Groups"
+          }
+        },
+        "type": "object",
+        "required": [
+          "issuer",
+          "subject"
+        ],
+        "title": "AuthIdentityPublic"
+      },
+      "AuthProfilePublic": {
+        "properties": {
+          "id": {
+            "type": "string",
+            "format": "uuid",
+            "title": "Id"
+          },
+          "user_id": {
+            "anyOf": [
+              {
+                "type": "string",
+                "format": "uuid"
+              },
+              {
+                "type": "null"
+              }
+            ],
+            "title": "User Id"
+          },
+          "birth_date": {
+            "anyOf": [
+              {
+                "type": "string",
+                "format": "date"
+              },
+              {
+                "type": "null"
+              }
+            ],
+            "title": "Birth Date"
+          },
+          "sex_at_birth": {
+            "anyOf": [
+              {
+                "type": "string"
+              },
+              {
+                "type": "null"
+              }
+            ],
+            "title": "Sex At Birth"
+          },
+          "created_at": {
+            "type": "string",
+            "format": "date-time",
+            "title": "Created At"
+          },
+          "updated_at": {
+            "type": "string",
+            "format": "date-time",
+            "title": "Updated At"
+          }
+        },
+        "type": "object",
+        "required": [
+          "id",
+          "user_id",
+          "created_at",
+          "updated_at"
+        ],
+        "title": "AuthProfilePublic"
+      },
+      "AuthSessionResponse": {
+        "properties": {
+          "user": {
+            "$ref": "#/components/schemas/AuthUserPublic"
+          },
+          "identity": {
+            "$ref": "#/components/schemas/AuthIdentityPublic"
+          },
+          "profile": {
+            "anyOf": [
+              {
+                "$ref": "#/components/schemas/AuthProfilePublic"
+              },
+              {
+                "type": "null"
+              }
+            ]
+          }
+        },
+        "type": "object",
+        "required": [
+          "user",
+          "identity"
+        ],
+        "title": "AuthSessionResponse"
+      },
+      "AuthUserPublic": {
+        "properties": {
+          "id": {
+            "type": "string",
+            "format": "uuid",
+            "title": "Id"
+          },
+          "role": {
+            "$ref": "#/components/schemas/Role"
+          },
+          "household_membership": {
+            "anyOf": [
+              {
+                "$ref": "#/components/schemas/AuthHouseholdMembershipPublic"
+              },
+              {
+                "type": "null"
+              }
+            ]
+          }
+        },
+        "type": "object",
+        "required": [
+          "id",
+          "role"
+        ],
+        "title": "AuthUserPublic"
+      },
       "BarrierState": {
         "type": "string",
         "enum": [
@@ -3116,6 +3654,18 @@
             "format": "uuid",
             "title": "Id"
           },
+          "user_id": {
+            "anyOf": [
+              {
+                "type": "string",
+                "format": "uuid"
+              },
+              {
+                "type": "null"
+              }
+            ],
+            "title": "User Id"
+          },
           "day_of_week": {
             "type": "integer",
             "maximum": 6.0,
@@ -3223,6 +3773,14 @@
         "type": "object",
         "title": "HTTPValidationError"
       },
+      "HouseholdRole": {
+        "type": "string",
+        "enum": [
+          "owner",
+          "member"
+        ],
+        "title": "HouseholdRole"
+      },
       "IngredientFunction": {
         "type": "string",
         "enum": [
@@ -3398,6 +3956,18 @@
             "format": "uuid",
             "title": "Record Id"
           },
+          "user_id": {
+            "anyOf": [
+              {
+                "type": "string",
+                "format": "uuid"
+              },
+              {
+                "type": "null"
+              }
+            ],
+            "title": "User Id"
+          },
           "collected_at": {
             "type": "string",
             "format": "date-time",
@@ -4042,6 +4612,18 @@
             "format": "uuid",
             "title": "Record Id"
           },
+          "user_id": {
+            "anyOf": [
+              {
+                "type": "string",
+                "format": "uuid"
+              },
+              {
+                "type": "null"
+              }
+            ],
+            "title": "User Id"
+          },
           "kind": {
             "$ref": "#/components/schemas/MedicationKind"
           },
@@ -4222,6 +4804,18 @@
             "format": "uuid",
             "title": "Record Id"
           },
+          "user_id": {
+            "anyOf": [
+              {
+                "type": "string",
+                "format": "uuid"
+              },
+              {
+                "type": "null"
+              }
+            ],
+            "title": "User Id"
+          },
           "medication_record_id": {
             "type": "string",
             "format": "uuid",
@@ -4870,11 +5464,28 @@
             "format": "uuid",
             "title": "Id"
           },
+          "user_id": {
+            "anyOf": [
+              {
+                "type": "string",
+                "format": "uuid"
+              },
+              {
+                "type": "null"
+              }
+            ],
+            "title": "User Id"
+          },
           "product_id": {
             "type": "string",
             "format": "uuid",
             "title": "Product Id"
           },
+          "is_household_shared": {
+            "type": "boolean",
+            "title": "Is Household Shared",
+            "default": false
+          },
           "is_opened": {
             "type": "boolean",
             "title": "Is Opened",
@@ -6688,6 +7299,14 @@
         ],
         "title": "ResultFlag"
       },
+      "Role": {
+        "type": "string",
+        "enum": [
+          "admin",
+          "member"
+        ],
+        "title": "Role"
+      },
       "Routine": {
         "properties": {
           "id": {
@@ -6695,6 +7314,18 @@
             "format": "uuid",
             "title": "Id"
           },
+          "user_id": {
+            "anyOf": [
+              {
+                "type": "string",
+                "format": "uuid"
+              },
+              {
+                "type": "null"
+              }
+            ],
+            "title": "User Id"
+          },
           "routine_date": {
             "type": "string",
             "format": "date",
@@ -6768,6 +7399,18 @@
             "format": "uuid",
             "title": "Id"
           },
+          "user_id": {
+            "anyOf": [
+              {
+                "type": "string",
+                "format": "uuid"
+              },
+              {
+                "type": "null"
+              }
+            ],
+            "title": "User Id"
+          },
           "routine_id": {
             "type": "string",
             "format": "uuid",
@@ -7112,6 +7755,81 @@
         "type": "object",
         "title": "RoutineUpdate"
       },
+      "SessionSyncRequest": {
+        "properties": {
+          "iss": {
+            "anyOf": [
+              {
+                "type": "string"
+              },
+              {
+                "type": "null"
+              }
+            ],
+            "title": "Iss"
+          },
+          "sub": {
+            "anyOf": [
+              {
+                "type": "string"
+              },
+              {
+                "type": "null"
+              }
+            ],
+            "title": "Sub"
+          },
+          "email": {
+            "anyOf": [
+              {
+                "type": "string"
+              },
+              {
+                "type": "null"
+              }
+            ],
+            "title": "Email"
+          },
+          "name": {
+            "anyOf": [
+              {
+                "type": "string"
+              },
+              {
+                "type": "null"
+              }
+            ],
+            "title": "Name"
+          },
+          "preferred_username": {
+            "anyOf": [
+              {
+                "type": "string"
+              },
+              {
+                "type": "null"
+              }
+            ],
+            "title": "Preferred Username"
+          },
+          "groups": {
+            "anyOf": [
+              {
+                "items": {
+                  "type": "string"
+                },
+                "type": "array"
+              },
+              {
+                "type": "null"
+              }
+            ],
+            "title": "Groups"
+          }
+        },
+        "type": "object",
+        "title": "SessionSyncRequest"
+      },
       "SexAtBirth": {
         "type": "string",
         "enum": [
@@ -8348,6 +9066,12 @@
         ],
         "title": "ValidationError"
       }
+    },
+    "securitySchemes": {
+      "HTTPBearer": {
+        "type": "http",
+        "scheme": "bearer"
+      }
     }
   }
 }
diff --git a/frontend/src/lib/api/generated/index.ts b/frontend/src/lib/api/generated/index.ts
index 5b04f4e..2bcdc53 100644
--- a/frontend/src/lib/api/generated/index.ts
+++ b/frontend/src/lib/api/generated/index.ts
@@ -1,3 +1,3 @@
 // This file is auto-generated by @hey-api/openapi-ts
 
-export type { AbsorptionSpeed, ActiveIngredient, AddStepRoutinesRoutineIdStepsPostData, AddStepRoutinesRoutineIdStepsPostError, AddStepRoutinesRoutineIdStepsPostErrors, AddStepRoutinesRoutineIdStepsPostResponse, AddStepRoutinesRoutineIdStepsPostResponses, AiCallLog, AiCallLogPublic, AnalyzeSkinPhotosSkincareAnalyzePhotosPostData, AnalyzeSkinPhotosSkincareAnalyzePhotosPostError, AnalyzeSkinPhotosSkincareAnalyzePhotosPostErrors, AnalyzeSkinPhotosSkincareAnalyzePhotosPostResponse, AnalyzeSkinPhotosSkincareAnalyzePhotosPostResponses, BarrierState, BatchSuggestion, BodyAnalyzeSkinPhotosSkincareAnalyzePhotosPost, ClientOptions, CreateGroomingScheduleRoutinesGroomingSchedulePostData, CreateGroomingScheduleRoutinesGroomingSchedulePostError, CreateGroomingScheduleRoutinesGroomingSchedulePostErrors, CreateGroomingScheduleRoutinesGroomingSchedulePostResponse, CreateGroomingScheduleRoutinesGroomingSchedulePostResponses, CreateLabResultHealthLabResultsPostData, CreateLabResultHealthLabResultsPostError, CreateLabResultHealthLabResultsPostErrors, CreateLabResultHealthLabResultsPostResponse, CreateLabResultHealthLabResultsPostResponses, CreateMedicationHealthMedicationsPostData, CreateMedicationHealthMedicationsPostError, CreateMedicationHealthMedicationsPostErrors, CreateMedicationHealthMedicationsPostResponse, CreateMedicationHealthMedicationsPostResponses, CreateProductInventoryProductsProductIdInventoryPostData, CreateProductInventoryProductsProductIdInventoryPostError, CreateProductInventoryProductsProductIdInventoryPostErrors, CreateProductInventoryProductsProductIdInventoryPostResponse, CreateProductInventoryProductsProductIdInventoryPostResponses, CreateProductProductsPostData, CreateProductProductsPostError, CreateProductProductsPostErrors, CreateProductProductsPostResponse, CreateProductProductsPostResponses, CreateRoutineRoutinesPostData, CreateRoutineRoutinesPostError, CreateRoutineRoutinesPostErrors, CreateRoutineRoutinesPostResponse, CreateRoutineRoutinesPostResponses, CreateSnapshotSkincarePostData, CreateSnapshotSkincarePostError, CreateSnapshotSkincarePostErrors, CreateSnapshotSkincarePostResponse, CreateSnapshotSkincarePostResponses, CreateUsageHealthMedicationsMedicationIdUsagesPostData, CreateUsageHealthMedicationsMedicationIdUsagesPostError, CreateUsageHealthMedicationsMedicationIdUsagesPostErrors, CreateUsageHealthMedicationsMedicationIdUsagesPostResponse, CreateUsageHealthMedicationsMedicationIdUsagesPostResponses, DayPlan, DayTime, DeleteGroomingScheduleRoutinesGroomingScheduleEntryIdDeleteData, DeleteGroomingScheduleRoutinesGroomingScheduleEntryIdDeleteError, DeleteGroomingScheduleRoutinesGroomingScheduleEntryIdDeleteErrors, DeleteGroomingScheduleRoutinesGroomingScheduleEntryIdDeleteResponse, DeleteGroomingScheduleRoutinesGroomingScheduleEntryIdDeleteResponses, DeleteInventoryInventoryInventoryIdDeleteData, DeleteInventoryInventoryInventoryIdDeleteError, DeleteInventoryInventoryInventoryIdDeleteErrors, DeleteInventoryInventoryInventoryIdDeleteResponse, DeleteInventoryInventoryInventoryIdDeleteResponses, DeleteLabResultHealthLabResultsResultIdDeleteData, DeleteLabResultHealthLabResultsResultIdDeleteError, DeleteLabResultHealthLabResultsResultIdDeleteErrors, DeleteLabResultHealthLabResultsResultIdDeleteResponse, DeleteLabResultHealthLabResultsResultIdDeleteResponses, DeleteMedicationHealthMedicationsMedicationIdDeleteData, DeleteMedicationHealthMedicationsMedicationIdDeleteError, DeleteMedicationHealthMedicationsMedicationIdDeleteErrors, DeleteMedicationHealthMedicationsMedicationIdDeleteResponse, DeleteMedicationHealthMedicationsMedicationIdDeleteResponses, DeleteProductProductsProductIdDeleteData, DeleteProductProductsProductIdDeleteError, DeleteProductProductsProductIdDeleteErrors, DeleteProductProductsProductIdDeleteResponse, DeleteProductProductsProductIdDeleteResponses, DeleteRoutineRoutinesRoutineIdDeleteData, DeleteRoutineRoutinesRoutineIdDeleteError, DeleteRoutineRoutinesRoutineIdDeleteErrors, DeleteRoutineRoutinesRoutineIdDeleteResponse, DeleteRoutineRoutinesRoutineIdDeleteResponses, DeleteSnapshotSkincareSnapshotIdDeleteData, DeleteSnapshotSkincareSnapshotIdDeleteError, DeleteSnapshotSkincareSnapshotIdDeleteErrors, DeleteSnapshotSkincareSnapshotIdDeleteResponse, DeleteSnapshotSkincareSnapshotIdDeleteResponses, DeleteStepRoutinesStepsStepIdDeleteData, DeleteStepRoutinesStepsStepIdDeleteError, DeleteStepRoutinesStepsStepIdDeleteErrors, DeleteStepRoutinesStepsStepIdDeleteResponse, DeleteStepRoutinesStepsStepIdDeleteResponses, DeleteUsageHealthUsagesUsageIdDeleteData, DeleteUsageHealthUsagesUsageIdDeleteError, DeleteUsageHealthUsagesUsageIdDeleteErrors, DeleteUsageHealthUsagesUsageIdDeleteResponse, DeleteUsageHealthUsagesUsageIdDeleteResponses, GetAiLogAiLogsLogIdGetData, GetAiLogAiLogsLogIdGetError, GetAiLogAiLogsLogIdGetErrors, GetAiLogAiLogsLogIdGetResponse, GetAiLogAiLogsLogIdGetResponses, GetInventoryInventoryInventoryIdGetData, GetInventoryInventoryInventoryIdGetError, GetInventoryInventoryInventoryIdGetErrors, GetInventoryInventoryInventoryIdGetResponse, GetInventoryInventoryInventoryIdGetResponses, GetLabResultHealthLabResultsResultIdGetData, GetLabResultHealthLabResultsResultIdGetError, GetLabResultHealthLabResultsResultIdGetErrors, GetLabResultHealthLabResultsResultIdGetResponse, GetLabResultHealthLabResultsResultIdGetResponses, GetMedicationHealthMedicationsMedicationIdGetData, GetMedicationHealthMedicationsMedicationIdGetError, GetMedicationHealthMedicationsMedicationIdGetErrors, GetMedicationHealthMedicationsMedicationIdGetResponse, GetMedicationHealthMedicationsMedicationIdGetResponses, GetProductProductsProductIdGetData, GetProductProductsProductIdGetError, GetProductProductsProductIdGetErrors, GetProductProductsProductIdGetResponse, GetProductProductsProductIdGetResponses, GetProfileProfileGetData, GetProfileProfileGetResponse, GetProfileProfileGetResponses, GetRoutineRoutinesRoutineIdGetData, GetRoutineRoutinesRoutineIdGetError, GetRoutineRoutinesRoutineIdGetErrors, GetRoutineRoutinesRoutineIdGetResponses, GetSnapshotSkincareSnapshotIdGetData, GetSnapshotSkincareSnapshotIdGetError, GetSnapshotSkincareSnapshotIdGetErrors, GetSnapshotSkincareSnapshotIdGetResponse, GetSnapshotSkincareSnapshotIdGetResponses, GroomingAction, GroomingSchedule, GroomingScheduleCreate, GroomingScheduleUpdate, HealthCheckHealthCheckGetData, HealthCheckHealthCheckGetResponses, HttpValidationError, IngredientFunction, InventoryCreate, InventoryUpdate, LabResult, LabResultCreate, LabResultListResponse, LabResultUpdate, ListAiLogsAiLogsGetData, ListAiLogsAiLogsGetError, ListAiLogsAiLogsGetErrors, ListAiLogsAiLogsGetResponse, ListAiLogsAiLogsGetResponses, ListGroomingScheduleRoutinesGroomingScheduleGetData, ListGroomingScheduleRoutinesGroomingScheduleGetResponse, ListGroomingScheduleRoutinesGroomingScheduleGetResponses, ListLabResultsHealthLabResultsGetData, ListLabResultsHealthLabResultsGetError, ListLabResultsHealthLabResultsGetErrors, ListLabResultsHealthLabResultsGetResponse, ListLabResultsHealthLabResultsGetResponses, ListMedicationsHealthMedicationsGetData, ListMedicationsHealthMedicationsGetError, ListMedicationsHealthMedicationsGetErrors, ListMedicationsHealthMedicationsGetResponse, ListMedicationsHealthMedicationsGetResponses, ListProductInventoryProductsProductIdInventoryGetData, ListProductInventoryProductsProductIdInventoryGetError, ListProductInventoryProductsProductIdInventoryGetErrors, ListProductInventoryProductsProductIdInventoryGetResponse, ListProductInventoryProductsProductIdInventoryGetResponses, ListProductsProductsGetData, ListProductsProductsGetError, ListProductsProductsGetErrors, ListProductsProductsGetResponse, ListProductsProductsGetResponses, ListProductsSummaryProductsSummaryGetData, ListProductsSummaryProductsSummaryGetError, ListProductsSummaryProductsSummaryGetErrors, ListProductsSummaryProductsSummaryGetResponse, ListProductsSummaryProductsSummaryGetResponses, ListRoutinesRoutinesGetData, ListRoutinesRoutinesGetError, ListRoutinesRoutinesGetErrors, ListRoutinesRoutinesGetResponses, ListSnapshotsSkincareGetData, ListSnapshotsSkincareGetError, ListSnapshotsSkincareGetErrors, ListSnapshotsSkincareGetResponse, ListSnapshotsSkincareGetResponses, ListUsagesHealthMedicationsMedicationIdUsagesGetData, ListUsagesHealthMedicationsMedicationIdUsagesGetError, ListUsagesHealthMedicationsMedicationIdUsagesGetErrors, ListUsagesHealthMedicationsMedicationIdUsagesGetResponse, ListUsagesHealthMedicationsMedicationIdUsagesGetResponses, MedicationCreate, MedicationEntry, MedicationKind, MedicationUpdate, MedicationUsage, OverallSkinState, ParseProductTextProductsParseTextPostData, ParseProductTextProductsParseTextPostError, ParseProductTextProductsParseTextPostErrors, ParseProductTextProductsParseTextPostResponse, ParseProductTextProductsParseTextPostResponses, PartOfDay, PriceTier, ProductCategory, ProductContext, ProductCreate, ProductEffectProfile, ProductInventory, ProductListItem, ProductParseRequest, ProductParseResponse, ProductPublic, ProductSuggestion, ProductUpdate, ProductWithInventory, RemainingLevel, ResponseMetadata, ResultFlag, Routine, RoutineCreate, RoutineStep, RoutineStepCreate, RoutineStepUpdate, RoutineSuggestion, RoutineSuggestionSummary, RoutineUpdate, SexAtBirth, ShoppingSuggestionResponse, SkinConcern, SkinConditionSnapshotPublic, SkinPhotoAnalysisResponse, SkinTexture, SkinType, SnapshotCreate, SnapshotUpdate, StrengthLevel, SuggestBatchRequest, SuggestBatchRoutinesSuggestBatchPostData, SuggestBatchRoutinesSuggestBatchPostError, SuggestBatchRoutinesSuggestBatchPostErrors, SuggestBatchRoutinesSuggestBatchPostResponse, SuggestBatchRoutinesSuggestBatchPostResponses, SuggestedStep, SuggestRoutineRequest, SuggestRoutineRoutinesSuggestPostData, SuggestRoutineRoutinesSuggestPostError, SuggestRoutineRoutinesSuggestPostErrors, SuggestRoutineRoutinesSuggestPostResponse, SuggestRoutineRoutinesSuggestPostResponses, SuggestShoppingProductsSuggestPostData, SuggestShoppingProductsSuggestPostResponse, SuggestShoppingProductsSuggestPostResponses, TextureType, TokenMetrics, UpdateGroomingScheduleRoutinesGroomingScheduleEntryIdPatchData, UpdateGroomingScheduleRoutinesGroomingScheduleEntryIdPatchError, UpdateGroomingScheduleRoutinesGroomingScheduleEntryIdPatchErrors, UpdateGroomingScheduleRoutinesGroomingScheduleEntryIdPatchResponse, UpdateGroomingScheduleRoutinesGroomingScheduleEntryIdPatchResponses, UpdateInventoryInventoryInventoryIdPatchData, UpdateInventoryInventoryInventoryIdPatchError, UpdateInventoryInventoryInventoryIdPatchErrors, UpdateInventoryInventoryInventoryIdPatchResponse, UpdateInventoryInventoryInventoryIdPatchResponses, UpdateLabResultHealthLabResultsResultIdPatchData, UpdateLabResultHealthLabResultsResultIdPatchError, UpdateLabResultHealthLabResultsResultIdPatchErrors, UpdateLabResultHealthLabResultsResultIdPatchResponse, UpdateLabResultHealthLabResultsResultIdPatchResponses, UpdateMedicationHealthMedicationsMedicationIdPatchData, UpdateMedicationHealthMedicationsMedicationIdPatchError, UpdateMedicationHealthMedicationsMedicationIdPatchErrors, UpdateMedicationHealthMedicationsMedicationIdPatchResponse, UpdateMedicationHealthMedicationsMedicationIdPatchResponses, UpdateProductProductsProductIdPatchData, UpdateProductProductsProductIdPatchError, UpdateProductProductsProductIdPatchErrors, UpdateProductProductsProductIdPatchResponse, UpdateProductProductsProductIdPatchResponses, UpdateRoutineRoutinesRoutineIdPatchData, UpdateRoutineRoutinesRoutineIdPatchError, UpdateRoutineRoutinesRoutineIdPatchErrors, UpdateRoutineRoutinesRoutineIdPatchResponse, UpdateRoutineRoutinesRoutineIdPatchResponses, UpdateSnapshotSkincareSnapshotIdPatchData, UpdateSnapshotSkincareSnapshotIdPatchError, UpdateSnapshotSkincareSnapshotIdPatchErrors, UpdateSnapshotSkincareSnapshotIdPatchResponse, UpdateSnapshotSkincareSnapshotIdPatchResponses, UpdateStepRoutinesStepsStepIdPatchData, UpdateStepRoutinesStepsStepIdPatchError, UpdateStepRoutinesStepsStepIdPatchErrors, UpdateStepRoutinesStepsStepIdPatchResponse, UpdateStepRoutinesStepsStepIdPatchResponses, UpdateUsageHealthUsagesUsageIdPatchData, UpdateUsageHealthUsagesUsageIdPatchError, UpdateUsageHealthUsagesUsageIdPatchErrors, UpdateUsageHealthUsagesUsageIdPatchResponse, UpdateUsageHealthUsagesUsageIdPatchResponses, UpsertProfileProfilePatchData, UpsertProfileProfilePatchError, UpsertProfileProfilePatchErrors, UpsertProfileProfilePatchResponse, UpsertProfileProfilePatchResponses, UsageCreate, UsageUpdate, UserProfilePublic, UserProfileUpdate, ValidationError } from './types.gen';
+export type { AbsorptionSpeed, ActiveIngredient, AddStepRoutinesRoutineIdStepsPostData, AddStepRoutinesRoutineIdStepsPostError, AddStepRoutinesRoutineIdStepsPostErrors, AddStepRoutinesRoutineIdStepsPostResponse, AddStepRoutinesRoutineIdStepsPostResponses, AiCallLog, AiCallLogPublic, AnalyzeSkinPhotosSkincareAnalyzePhotosPostData, AnalyzeSkinPhotosSkincareAnalyzePhotosPostError, AnalyzeSkinPhotosSkincareAnalyzePhotosPostErrors, AnalyzeSkinPhotosSkincareAnalyzePhotosPostResponse, AnalyzeSkinPhotosSkincareAnalyzePhotosPostResponses, AuthHouseholdMembershipPublic, AuthIdentityPublic, AuthProfilePublic, AuthSessionResponse, AuthUserPublic, BarrierState, BatchSuggestion, BodyAnalyzeSkinPhotosSkincareAnalyzePhotosPost, ClientOptions, CreateGroomingScheduleRoutinesGroomingSchedulePostData, CreateGroomingScheduleRoutinesGroomingSchedulePostError, CreateGroomingScheduleRoutinesGroomingSchedulePostErrors, CreateGroomingScheduleRoutinesGroomingSchedulePostResponse, CreateGroomingScheduleRoutinesGroomingSchedulePostResponses, CreateLabResultHealthLabResultsPostData, CreateLabResultHealthLabResultsPostError, CreateLabResultHealthLabResultsPostErrors, CreateLabResultHealthLabResultsPostResponse, CreateLabResultHealthLabResultsPostResponses, CreateMedicationHealthMedicationsPostData, CreateMedicationHealthMedicationsPostError, CreateMedicationHealthMedicationsPostErrors, CreateMedicationHealthMedicationsPostResponse, CreateMedicationHealthMedicationsPostResponses, CreateProductInventoryProductsProductIdInventoryPostData, CreateProductInventoryProductsProductIdInventoryPostError, CreateProductInventoryProductsProductIdInventoryPostErrors, CreateProductInventoryProductsProductIdInventoryPostResponse, CreateProductInventoryProductsProductIdInventoryPostResponses, CreateProductProductsPostData, CreateProductProductsPostError, CreateProductProductsPostErrors, CreateProductProductsPostResponse, CreateProductProductsPostResponses, CreateRoutineRoutinesPostData, CreateRoutineRoutinesPostError, CreateRoutineRoutinesPostErrors, CreateRoutineRoutinesPostResponse, CreateRoutineRoutinesPostResponses, CreateSnapshotSkincarePostData, CreateSnapshotSkincarePostError, CreateSnapshotSkincarePostErrors, CreateSnapshotSkincarePostResponse, CreateSnapshotSkincarePostResponses, CreateUsageHealthMedicationsMedicationIdUsagesPostData, CreateUsageHealthMedicationsMedicationIdUsagesPostError, CreateUsageHealthMedicationsMedicationIdUsagesPostErrors, CreateUsageHealthMedicationsMedicationIdUsagesPostResponse, CreateUsageHealthMedicationsMedicationIdUsagesPostResponses, DayPlan, DayTime, DeleteGroomingScheduleRoutinesGroomingScheduleEntryIdDeleteData, DeleteGroomingScheduleRoutinesGroomingScheduleEntryIdDeleteError, DeleteGroomingScheduleRoutinesGroomingScheduleEntryIdDeleteErrors, DeleteGroomingScheduleRoutinesGroomingScheduleEntryIdDeleteResponse, DeleteGroomingScheduleRoutinesGroomingScheduleEntryIdDeleteResponses, DeleteInventoryInventoryInventoryIdDeleteData, DeleteInventoryInventoryInventoryIdDeleteError, DeleteInventoryInventoryInventoryIdDeleteErrors, DeleteInventoryInventoryInventoryIdDeleteResponse, DeleteInventoryInventoryInventoryIdDeleteResponses, DeleteLabResultHealthLabResultsResultIdDeleteData, DeleteLabResultHealthLabResultsResultIdDeleteError, DeleteLabResultHealthLabResultsResultIdDeleteErrors, DeleteLabResultHealthLabResultsResultIdDeleteResponse, DeleteLabResultHealthLabResultsResultIdDeleteResponses, DeleteMedicationHealthMedicationsMedicationIdDeleteData, DeleteMedicationHealthMedicationsMedicationIdDeleteError, DeleteMedicationHealthMedicationsMedicationIdDeleteErrors, DeleteMedicationHealthMedicationsMedicationIdDeleteResponse, DeleteMedicationHealthMedicationsMedicationIdDeleteResponses, DeleteProductProductsProductIdDeleteData, DeleteProductProductsProductIdDeleteError, DeleteProductProductsProductIdDeleteErrors, DeleteProductProductsProductIdDeleteResponse, DeleteProductProductsProductIdDeleteResponses, DeleteRoutineRoutinesRoutineIdDeleteData, DeleteRoutineRoutinesRoutineIdDeleteError, DeleteRoutineRoutinesRoutineIdDeleteErrors, DeleteRoutineRoutinesRoutineIdDeleteResponse, DeleteRoutineRoutinesRoutineIdDeleteResponses, DeleteSnapshotSkincareSnapshotIdDeleteData, DeleteSnapshotSkincareSnapshotIdDeleteError, DeleteSnapshotSkincareSnapshotIdDeleteErrors, DeleteSnapshotSkincareSnapshotIdDeleteResponse, DeleteSnapshotSkincareSnapshotIdDeleteResponses, DeleteStepRoutinesStepsStepIdDeleteData, DeleteStepRoutinesStepsStepIdDeleteError, DeleteStepRoutinesStepsStepIdDeleteErrors, DeleteStepRoutinesStepsStepIdDeleteResponse, DeleteStepRoutinesStepsStepIdDeleteResponses, DeleteUsageHealthUsagesUsageIdDeleteData, DeleteUsageHealthUsagesUsageIdDeleteError, DeleteUsageHealthUsagesUsageIdDeleteErrors, DeleteUsageHealthUsagesUsageIdDeleteResponse, DeleteUsageHealthUsagesUsageIdDeleteResponses, GetAiLogAiLogsLogIdGetData, GetAiLogAiLogsLogIdGetError, GetAiLogAiLogsLogIdGetErrors, GetAiLogAiLogsLogIdGetResponse, GetAiLogAiLogsLogIdGetResponses, GetInventoryInventoryInventoryIdGetData, GetInventoryInventoryInventoryIdGetError, GetInventoryInventoryInventoryIdGetErrors, GetInventoryInventoryInventoryIdGetResponse, GetInventoryInventoryInventoryIdGetResponses, GetLabResultHealthLabResultsResultIdGetData, GetLabResultHealthLabResultsResultIdGetError, GetLabResultHealthLabResultsResultIdGetErrors, GetLabResultHealthLabResultsResultIdGetResponse, GetLabResultHealthLabResultsResultIdGetResponses, GetMeAuthMeGetData, GetMeAuthMeGetResponse, GetMeAuthMeGetResponses, GetMedicationHealthMedicationsMedicationIdGetData, GetMedicationHealthMedicationsMedicationIdGetError, GetMedicationHealthMedicationsMedicationIdGetErrors, GetMedicationHealthMedicationsMedicationIdGetResponse, GetMedicationHealthMedicationsMedicationIdGetResponses, GetProductProductsProductIdGetData, GetProductProductsProductIdGetError, GetProductProductsProductIdGetErrors, GetProductProductsProductIdGetResponse, GetProductProductsProductIdGetResponses, GetProfileProfileGetData, GetProfileProfileGetResponse, GetProfileProfileGetResponses, GetRoutineRoutinesRoutineIdGetData, GetRoutineRoutinesRoutineIdGetError, GetRoutineRoutinesRoutineIdGetErrors, GetRoutineRoutinesRoutineIdGetResponses, GetSnapshotSkincareSnapshotIdGetData, GetSnapshotSkincareSnapshotIdGetError, GetSnapshotSkincareSnapshotIdGetErrors, GetSnapshotSkincareSnapshotIdGetResponse, GetSnapshotSkincareSnapshotIdGetResponses, GroomingAction, GroomingSchedule, GroomingScheduleCreate, GroomingScheduleUpdate, HealthCheckHealthCheckGetData, HealthCheckHealthCheckGetResponses, HouseholdRole, HttpValidationError, IngredientFunction, InventoryCreate, InventoryUpdate, LabResult, LabResultCreate, LabResultListResponse, LabResultUpdate, ListAiLogsAiLogsGetData, ListAiLogsAiLogsGetError, ListAiLogsAiLogsGetErrors, ListAiLogsAiLogsGetResponse, ListAiLogsAiLogsGetResponses, ListGroomingScheduleRoutinesGroomingScheduleGetData, ListGroomingScheduleRoutinesGroomingScheduleGetResponse, ListGroomingScheduleRoutinesGroomingScheduleGetResponses, ListLabResultsHealthLabResultsGetData, ListLabResultsHealthLabResultsGetError, ListLabResultsHealthLabResultsGetErrors, ListLabResultsHealthLabResultsGetResponse, ListLabResultsHealthLabResultsGetResponses, ListMedicationsHealthMedicationsGetData, ListMedicationsHealthMedicationsGetError, ListMedicationsHealthMedicationsGetErrors, ListMedicationsHealthMedicationsGetResponse, ListMedicationsHealthMedicationsGetResponses, ListProductInventoryProductsProductIdInventoryGetData, ListProductInventoryProductsProductIdInventoryGetError, ListProductInventoryProductsProductIdInventoryGetErrors, ListProductInventoryProductsProductIdInventoryGetResponse, ListProductInventoryProductsProductIdInventoryGetResponses, ListProductsProductsGetData, ListProductsProductsGetError, ListProductsProductsGetErrors, ListProductsProductsGetResponse, ListProductsProductsGetResponses, ListProductsSummaryProductsSummaryGetData, ListProductsSummaryProductsSummaryGetError, ListProductsSummaryProductsSummaryGetErrors, ListProductsSummaryProductsSummaryGetResponse, ListProductsSummaryProductsSummaryGetResponses, ListRoutinesRoutinesGetData, ListRoutinesRoutinesGetError, ListRoutinesRoutinesGetErrors, ListRoutinesRoutinesGetResponses, ListSnapshotsSkincareGetData, ListSnapshotsSkincareGetError, ListSnapshotsSkincareGetErrors, ListSnapshotsSkincareGetResponse, ListSnapshotsSkincareGetResponses, ListUsagesHealthMedicationsMedicationIdUsagesGetData, ListUsagesHealthMedicationsMedicationIdUsagesGetError, ListUsagesHealthMedicationsMedicationIdUsagesGetErrors, ListUsagesHealthMedicationsMedicationIdUsagesGetResponse, ListUsagesHealthMedicationsMedicationIdUsagesGetResponses, MedicationCreate, MedicationEntry, MedicationKind, MedicationUpdate, MedicationUsage, OverallSkinState, ParseProductTextProductsParseTextPostData, ParseProductTextProductsParseTextPostError, ParseProductTextProductsParseTextPostErrors, ParseProductTextProductsParseTextPostResponse, ParseProductTextProductsParseTextPostResponses, PartOfDay, PriceTier, ProductCategory, ProductContext, ProductCreate, ProductEffectProfile, ProductInventory, ProductListItem, ProductParseRequest, ProductParseResponse, ProductPublic, ProductSuggestion, ProductUpdate, ProductWithInventory, RemainingLevel, ResponseMetadata, ResultFlag, Role, Routine, RoutineCreate, RoutineStep, RoutineStepCreate, RoutineStepUpdate, RoutineSuggestion, RoutineSuggestionSummary, RoutineUpdate, SessionSyncRequest, SexAtBirth, ShoppingSuggestionResponse, SkinConcern, SkinConditionSnapshotPublic, SkinPhotoAnalysisResponse, SkinTexture, SkinType, SnapshotCreate, SnapshotUpdate, StrengthLevel, SuggestBatchRequest, SuggestBatchRoutinesSuggestBatchPostData, SuggestBatchRoutinesSuggestBatchPostError, SuggestBatchRoutinesSuggestBatchPostErrors, SuggestBatchRoutinesSuggestBatchPostResponse, SuggestBatchRoutinesSuggestBatchPostResponses, SuggestedStep, SuggestRoutineRequest, SuggestRoutineRoutinesSuggestPostData, SuggestRoutineRoutinesSuggestPostError, SuggestRoutineRoutinesSuggestPostErrors, SuggestRoutineRoutinesSuggestPostResponse, SuggestRoutineRoutinesSuggestPostResponses, SuggestShoppingProductsSuggestPostData, SuggestShoppingProductsSuggestPostResponse, SuggestShoppingProductsSuggestPostResponses, SyncSessionAuthSessionSyncPostData, SyncSessionAuthSessionSyncPostError, SyncSessionAuthSessionSyncPostErrors, SyncSessionAuthSessionSyncPostResponse, SyncSessionAuthSessionSyncPostResponses, TextureType, TokenMetrics, UpdateGroomingScheduleRoutinesGroomingScheduleEntryIdPatchData, UpdateGroomingScheduleRoutinesGroomingScheduleEntryIdPatchError, UpdateGroomingScheduleRoutinesGroomingScheduleEntryIdPatchErrors, UpdateGroomingScheduleRoutinesGroomingScheduleEntryIdPatchResponse, UpdateGroomingScheduleRoutinesGroomingScheduleEntryIdPatchResponses, UpdateInventoryInventoryInventoryIdPatchData, UpdateInventoryInventoryInventoryIdPatchError, UpdateInventoryInventoryInventoryIdPatchErrors, UpdateInventoryInventoryInventoryIdPatchResponse, UpdateInventoryInventoryInventoryIdPatchResponses, UpdateLabResultHealthLabResultsResultIdPatchData, UpdateLabResultHealthLabResultsResultIdPatchError, UpdateLabResultHealthLabResultsResultIdPatchErrors, UpdateLabResultHealthLabResultsResultIdPatchResponse, UpdateLabResultHealthLabResultsResultIdPatchResponses, UpdateMedicationHealthMedicationsMedicationIdPatchData, UpdateMedicationHealthMedicationsMedicationIdPatchError, UpdateMedicationHealthMedicationsMedicationIdPatchErrors, UpdateMedicationHealthMedicationsMedicationIdPatchResponse, UpdateMedicationHealthMedicationsMedicationIdPatchResponses, UpdateProductProductsProductIdPatchData, UpdateProductProductsProductIdPatchError, UpdateProductProductsProductIdPatchErrors, UpdateProductProductsProductIdPatchResponse, UpdateProductProductsProductIdPatchResponses, UpdateRoutineRoutinesRoutineIdPatchData, UpdateRoutineRoutinesRoutineIdPatchError, UpdateRoutineRoutinesRoutineIdPatchErrors, UpdateRoutineRoutinesRoutineIdPatchResponse, UpdateRoutineRoutinesRoutineIdPatchResponses, UpdateSnapshotSkincareSnapshotIdPatchData, UpdateSnapshotSkincareSnapshotIdPatchError, UpdateSnapshotSkincareSnapshotIdPatchErrors, UpdateSnapshotSkincareSnapshotIdPatchResponse, UpdateSnapshotSkincareSnapshotIdPatchResponses, UpdateStepRoutinesStepsStepIdPatchData, UpdateStepRoutinesStepsStepIdPatchError, UpdateStepRoutinesStepsStepIdPatchErrors, UpdateStepRoutinesStepsStepIdPatchResponse, UpdateStepRoutinesStepsStepIdPatchResponses, UpdateUsageHealthUsagesUsageIdPatchData, UpdateUsageHealthUsagesUsageIdPatchError, UpdateUsageHealthUsagesUsageIdPatchErrors, UpdateUsageHealthUsagesUsageIdPatchResponse, UpdateUsageHealthUsagesUsageIdPatchResponses, UpsertProfileProfilePatchData, UpsertProfileProfilePatchError, UpsertProfileProfilePatchErrors, UpsertProfileProfilePatchResponse, UpsertProfileProfilePatchResponses, UsageCreate, UsageUpdate, UserProfilePublic, UserProfileUpdate, ValidationError } from './types.gen';
diff --git a/frontend/src/lib/api/generated/types.gen.ts b/frontend/src/lib/api/generated/types.gen.ts
index d3d17d2..5db3590 100644
--- a/frontend/src/lib/api/generated/types.gen.ts
+++ b/frontend/src/lib/api/generated/types.gen.ts
@@ -12,6 +12,10 @@ export type AiCallLog = {
      * Id
      */
     id?: string;
+    /**
+     * User Id
+     */
+    user_id?: string | null;
     /**
      * Created At
      */
@@ -187,6 +191,98 @@ export type ActiveIngredient = {
     irritation_potential?: StrengthLevel | null;
 };
 
+/**
+ * AuthHouseholdMembershipPublic
+ */
+export type AuthHouseholdMembershipPublic = {
+    /**
+     * Household Id
+     */
+    household_id: string;
+    role: HouseholdRole;
+};
+
+/**
+ * AuthIdentityPublic
+ */
+export type AuthIdentityPublic = {
+    /**
+     * Issuer
+     */
+    issuer: string;
+    /**
+     * Subject
+     */
+    subject: string;
+    /**
+     * Email
+     */
+    email?: string | null;
+    /**
+     * Name
+     */
+    name?: string | null;
+    /**
+     * Preferred Username
+     */
+    preferred_username?: string | null;
+    /**
+     * Groups
+     */
+    groups?: Array<string>;
+};
+
+/**
+ * AuthProfilePublic
+ */
+export type AuthProfilePublic = {
+    /**
+     * Id
+     */
+    id: string;
+    /**
+     * User Id
+     */
+    user_id: string | null;
+    /**
+     * Birth Date
+     */
+    birth_date?: string | null;
+    /**
+     * Sex At Birth
+     */
+    sex_at_birth?: string | null;
+    /**
+     * Created At
+     */
+    created_at: string;
+    /**
+     * Updated At
+     */
+    updated_at: string;
+};
+
+/**
+ * AuthSessionResponse
+ */
+export type AuthSessionResponse = {
+    user: AuthUserPublic;
+    identity: AuthIdentityPublic;
+    profile?: AuthProfilePublic | null;
+};
+
+/**
+ * AuthUserPublic
+ */
+export type AuthUserPublic = {
+    /**
+     * Id
+     */
+    id: string;
+    role: Role;
+    household_membership?: AuthHouseholdMembershipPublic | null;
+};
+
 /**
  * BarrierState
  */
@@ -265,6 +361,10 @@ export type GroomingSchedule = {
      * Id
      */
     id?: string;
+    /**
+     * User Id
+     */
+    user_id?: string | null;
     /**
      * Day Of Week
      */
@@ -316,6 +416,11 @@ export type HttpValidationError = {
     detail?: Array<ValidationError>;
 };
 
+/**
+ * HouseholdRole
+ */
+export type HouseholdRole = 'owner' | 'member';
+
 /**
  * IngredientFunction
  */
@@ -383,6 +488,10 @@ export type LabResult = {
      * Record Id
      */
     record_id?: string;
+    /**
+     * User Id
+     */
+    user_id?: string | null;
     /**
      * Collected At
      */
@@ -649,6 +758,10 @@ export type MedicationEntry = {
      * Record Id
      */
     record_id?: string;
+    /**
+     * User Id
+     */
+    user_id?: string | null;
     kind: MedicationKind;
     /**
      * Product Name
@@ -728,6 +841,10 @@ export type MedicationUsage = {
      * Record Id
      */
     record_id?: string;
+    /**
+     * User Id
+     */
+    user_id?: string | null;
     /**
      * Medication Record Id
      */
@@ -1010,10 +1127,18 @@ export type ProductInventory = {
      * Id
      */
     id?: string;
+    /**
+     * User Id
+     */
+    user_id?: string | null;
     /**
      * Product Id
      */
     product_id: string;
+    /**
+     * Is Household Shared
+     */
+    is_household_shared?: boolean;
     /**
      * Is Opened
      */
@@ -1689,6 +1814,11 @@ export type ResponseMetadata = {
  */
 export type ResultFlag = 'N' | 'ABN' | 'POS' | 'NEG' | 'L' | 'H';
 
+/**
+ * Role
+ */
+export type Role = 'admin' | 'member';
+
 /**
  * Routine
  */
@@ -1697,6 +1827,10 @@ export type Routine = {
      * Id
      */
     id?: string;
+    /**
+     * User Id
+     */
+    user_id?: string | null;
     /**
      * Routine Date
      */
@@ -1739,6 +1873,10 @@ export type RoutineStep = {
      * Id
      */
     id?: string;
+    /**
+     * User Id
+     */
+    user_id?: string | null;
     /**
      * Routine Id
      */
@@ -1877,6 +2015,36 @@ export type RoutineUpdate = {
     notes?: string | null;
 };
 
+/**
+ * SessionSyncRequest
+ */
+export type SessionSyncRequest = {
+    /**
+     * Iss
+     */
+    iss?: string | null;
+    /**
+     * Sub
+     */
+    sub?: string | null;
+    /**
+     * Email
+     */
+    email?: string | null;
+    /**
+     * Name
+     */
+    name?: string | null;
+    /**
+     * Preferred Username
+     */
+    preferred_username?: string | null;
+    /**
+     * Groups
+     */
+    groups?: Array<string> | null;
+};
+
 /**
  * SexAtBirth
  */
@@ -2364,6 +2532,50 @@ export type ValidationError = {
     };
 };
 
+export type SyncSessionAuthSessionSyncPostData = {
+    /**
+     * Payload
+     */
+    body?: SessionSyncRequest | null;
+    path?: never;
+    query?: never;
+    url: '/auth/session/sync';
+};
+
+export type SyncSessionAuthSessionSyncPostErrors = {
+    /**
+     * Validation Error
+     */
+    422: HttpValidationError;
+};
+
+export type SyncSessionAuthSessionSyncPostError = SyncSessionAuthSessionSyncPostErrors[keyof SyncSessionAuthSessionSyncPostErrors];
+
+export type SyncSessionAuthSessionSyncPostResponses = {
+    /**
+     * Successful Response
+     */
+    200: AuthSessionResponse;
+};
+
+export type SyncSessionAuthSessionSyncPostResponse = SyncSessionAuthSessionSyncPostResponses[keyof SyncSessionAuthSessionSyncPostResponses];
+
+export type GetMeAuthMeGetData = {
+    body?: never;
+    path?: never;
+    query?: never;
+    url: '/auth/me';
+};
+
+export type GetMeAuthMeGetResponses = {
+    /**
+     * Successful Response
+     */
+    200: AuthSessionResponse;
+};
+
+export type GetMeAuthMeGetResponse = GetMeAuthMeGetResponses[keyof GetMeAuthMeGetResponses];
+
 export type ListProductsProductsGetData = {
     body?: never;
     path?: never;
diff --git a/tests/lab-results.json b/tests/lab-results.json
new file mode 100644
index 0000000..d12f229
--- /dev/null
+++ b/tests/lab-results.json
@@ -0,0 +1,1057 @@
+{
+    "items": [
+        {
+            "unit_ucum": "10^3/uL",
+            "created_at": "2026-03-05T09:57:39.405348",
+            "test_code": "704-7",
+            "ref_low": null,
+            "updated_at": "2026-03-05T08:57:39.405348Z",
+            "test_name_original": "Bazofile",
+            "ref_high": 0.1,
+            "test_name_loinc": "Basophils [#/volume] in Blood by Automated count",
+            "ref_text": null,
+            "record_id": "3fe7db54-6370-4eb5-9a3f-1a438a61d242",
+            "value_num": 0.03,
+            "flag": "N",
+            "value_text": null,
+            "lab": "Diagnostyka",
+            "collected_at": "2026-02-12T07:53:00",
+            "value_bool": null,
+            "source_file": "2026-02-12_wyniki.pdf",
+            "unit_original": "tys/\u00b5l",
+            "notes": "Wykonano zgodnie z instrukcj\u0105 producenta zestawu odczynnik\u00f3w firmy Sysmex i aparatu Sysmex XN-9000/XN-9100 wersja 03/2020, wersja oprogramowania 22.\\nLaboratorium medyczne akredytowane przez PCA, nr AM 003"
+        },
+        {
+            "unit_ucum": "%",
+            "created_at": "2026-03-05T09:57:39.405348",
+            "test_code": "706-2",
+            "ref_low": null,
+            "updated_at": "2026-03-05T08:57:39.405348Z",
+            "test_name_original": "Bazofile",
+            "ref_high": 1.1,
+            "test_name_loinc": "Basophils/Leukocytes in Blood by Automated count",
+            "ref_text": null,
+            "record_id": "7a00d5d3-b8c0-47da-b634-f4d1721ef235",
+            "value_num": 0.4,
+            "flag": "N",
+            "value_text": null,
+            "lab": "Diagnostyka",
+            "collected_at": "2026-02-12T07:53:00",
+            "value_bool": null,
+            "source_file": "2026-02-12_wyniki.pdf",
+            "unit_original": "%",
+            "notes": "Wykonano zgodnie z instrukcj\u0105 producenta zestawu odczynnik\u00f3w firmy Sysmex i aparatu Sysmex XN-9000/XN-9100 wersja 03/2020, wersja oprogramowania 22.\\nLaboratorium medyczne akredytowane przez PCA, nr AM 003"
+        },
+        {
+            "unit_ucum": "10^3/uL",
+            "created_at": "2026-03-05T09:57:39.405348",
+            "test_code": "711-2",
+            "ref_low": 0.05,
+            "updated_at": "2026-03-05T08:57:39.405348Z",
+            "test_name_original": "Eozynofile",
+            "ref_high": 0.5,
+            "test_name_loinc": "Eosinophils [#/volume] in Blood by Automated count",
+            "ref_text": null,
+            "record_id": "e2f1d4ef-d28d-49b8-a654-4dcea85f0069",
+            "value_num": 0.22,
+            "flag": "N",
+            "value_text": null,
+            "lab": "Diagnostyka",
+            "collected_at": "2026-02-12T07:53:00",
+            "value_bool": null,
+            "source_file": "2026-02-12_wyniki.pdf",
+            "unit_original": "tys/\u00b5l",
+            "notes": "Wykonano zgodnie z instrukcj\u0105 producenta zestawu odczynnik\u00f3w firmy Sysmex i aparatu Sysmex XN-9000/XN-9100 wersja 03/2020, wersja oprogramowania 22.\\nLaboratorium medyczne akredytowane przez PCA, nr AM 003"
+        },
+        {
+            "unit_ucum": "%",
+            "created_at": "2026-03-05T09:57:39.405348",
+            "test_code": "713-8",
+            "ref_low": null,
+            "updated_at": "2026-03-05T08:57:39.405348Z",
+            "test_name_original": "Eozynofile",
+            "ref_high": 5.0,
+            "test_name_loinc": "Eosinophils/Leukocytes in Blood by Automated count",
+            "ref_text": null,
+            "record_id": "3fb5cfe4-c80b-4dda-b351-86f08cd36d2b",
+            "value_num": 3.0,
+            "flag": "N",
+            "value_text": null,
+            "lab": "Diagnostyka",
+            "collected_at": "2026-02-12T07:53:00",
+            "value_bool": null,
+            "source_file": "2026-02-12_wyniki.pdf",
+            "unit_original": "%",
+            "notes": "Wykonano zgodnie z instrukcj\u0105 producenta zestawu odczynnik\u00f3w firmy Sysmex i aparatu Sysmex XN-9000/XN-9100 wersja 03/2020, wersja oprogramowania 22.\\nLaboratorium medyczne akredytowane przez PCA, nr AM 003"
+        },
+        {
+            "unit_ucum": "g/dL",
+            "created_at": "2026-03-05T09:57:39.405348",
+            "test_code": "718-7",
+            "ref_low": 13.5,
+            "updated_at": "2026-03-05T08:57:39.405348Z",
+            "test_name_original": "Hemoglobina",
+            "ref_high": 18.0,
+            "test_name_loinc": "Hemoglobin [Mass/volume] in Blood",
+            "ref_text": null,
+            "record_id": "e8ac0082-bbd2-4fdb-a3dd-d8aba43b8ee8",
+            "value_num": 16.5,
+            "flag": "N",
+            "value_text": null,
+            "lab": "Diagnostyka",
+            "collected_at": "2026-02-12T07:53:00",
+            "value_bool": null,
+            "source_file": "2026-02-12_wyniki.pdf",
+            "unit_original": "g/dl",
+            "notes": "Wykonano zgodnie z instrukcj\u0105 producenta zestawu odczynnik\u00f3w firmy Sysmex i aparatu Sysmex XN-9000/XN-9100 wersja 03/2020, wersja oprogramowania 22.\\nLaboratorium medyczne akredytowane przez PCA, nr AM 003"
+        },
+        {
+            "unit_ucum": "10^3/uL",
+            "created_at": "2026-03-05T09:57:39.405348",
+            "test_code": "731-0",
+            "ref_low": 1.5,
+            "updated_at": "2026-03-05T08:57:39.405348Z",
+            "test_name_original": "Limfocyty",
+            "ref_high": 4.5,
+            "test_name_loinc": "Lymphocytes [#/volume] in Blood by Automated count",
+            "ref_text": null,
+            "record_id": "cd788c95-eb0e-45b8-88de-601359bf1567",
+            "value_num": 3.77,
+            "flag": "N",
+            "value_text": null,
+            "lab": "Diagnostyka",
+            "collected_at": "2026-02-12T07:53:00",
+            "value_bool": null,
+            "source_file": "2026-02-12_wyniki.pdf",
+            "unit_original": "tys/\u00b5l",
+            "notes": "Wykonano zgodnie z instrukcj\u0105 producenta zestawu odczynnik\u00f3w firmy Sysmex i aparatu Sysmex XN-9000/XN-9100 wersja 03/2020, wersja oprogramowania 22.\\nLaboratorium medyczne akredytowane przez PCA, nr AM 003"
+        },
+        {
+            "unit_ucum": "%",
+            "created_at": "2026-03-05T09:57:39.405348",
+            "test_code": "736-9",
+            "ref_low": 25.0,
+            "updated_at": "2026-03-05T08:57:39.405348Z",
+            "test_name_original": "Limfocyty",
+            "ref_high": 45.0,
+            "test_name_loinc": "Lymphocytes/Leukocytes in Blood by Automated count",
+            "ref_text": null,
+            "record_id": "6c1a1ec9-e0c7-4d7c-b140-feffa46ff8a3",
+            "value_num": 51.2,
+            "flag": "H",
+            "value_text": null,
+            "lab": "Diagnostyka",
+            "collected_at": "2026-02-12T07:53:00",
+            "value_bool": null,
+            "source_file": "2026-02-12_wyniki.pdf",
+            "unit_original": "%",
+            "notes": "Wykonano zgodnie z instrukcj\u0105 producenta zestawu odczynnik\u00f3w firmy Sysmex i aparatu Sysmex XN-9000/XN-9100 wersja 03/2020, wersja oprogramowania 22.\\nLaboratorium medyczne akredytowane przez PCA, nr AM 003"
+        },
+        {
+            "unit_ucum": "10^3/uL",
+            "created_at": "2026-03-05T09:57:39.405348",
+            "test_code": "742-7",
+            "ref_low": 0.1,
+            "updated_at": "2026-03-05T08:57:39.405348Z",
+            "test_name_original": "Monocyty",
+            "ref_high": 0.9,
+            "test_name_loinc": "Monocytes [#/volume] in Blood by Automated count",
+            "ref_text": null,
+            "record_id": "86cdac5a-182c-4094-94d4-8e416ddf055d",
+            "value_num": 0.65,
+            "flag": "N",
+            "value_text": null,
+            "lab": "Diagnostyka",
+            "collected_at": "2026-02-12T07:53:00",
+            "value_bool": null,
+            "source_file": "2026-02-12_wyniki.pdf",
+            "unit_original": "tys/\u00b5l",
+            "notes": "Wykonano zgodnie z instrukcj\u0105 producenta zestawu odczynnik\u00f3w firmy Sysmex i aparatu Sysmex XN-9000/XN-9100 wersja 03/2020, wersja oprogramowania 22.\\nLaboratorium medyczne akredytowane przez PCA, nr AM 003"
+        },
+        {
+            "unit_ucum": "%",
+            "created_at": "2026-03-05T09:57:39.405348",
+            "test_code": "770-8",
+            "ref_low": 45.0,
+            "updated_at": "2026-03-05T08:57:39.405348Z",
+            "test_name_original": "Neutrofile",
+            "ref_high": 70.0,
+            "test_name_loinc": "Neutrophils/Leukocytes in Blood by Automated count",
+            "ref_text": null,
+            "record_id": "d36dacc6-c970-4075-b708-46dbda538e84",
+            "value_num": 36.5,
+            "flag": "L",
+            "value_text": null,
+            "lab": "Diagnostyka",
+            "collected_at": "2026-02-12T07:53:00",
+            "value_bool": null,
+            "source_file": "2026-02-12_wyniki.pdf",
+            "unit_original": "%",
+            "notes": "Wykonano zgodnie z instrukcj\u0105 producenta zestawu odczynnik\u00f3w firmy Sysmex i aparatu Sysmex XN-9000/XN-9100 wersja 03/2020, wersja oprogramowania 22.\\nLaboratorium medyczne akredytowane przez PCA, nr AM 003"
+        },
+        {
+            "unit_ucum": "10^3/uL",
+            "created_at": "2026-03-05T09:57:39.405348",
+            "test_code": "771-6",
+            "ref_low": null,
+            "updated_at": "2026-03-05T08:57:39.405348Z",
+            "test_name_original": "NRBC#",
+            "ref_high": 0.01,
+            "test_name_loinc": "Nucleated erythrocytes [#/volume] in Blood by Automated count",
+            "ref_text": null,
+            "record_id": "0fa9d489-5bb0-448b-85af-3eeb2353ebae",
+            "value_num": 0.0,
+            "flag": "N",
+            "value_text": null,
+            "lab": "Diagnostyka",
+            "collected_at": "2026-02-12T07:53:00",
+            "value_bool": null,
+            "source_file": "2026-02-12_wyniki.pdf",
+            "unit_original": "tys/\u00b5l",
+            "notes": "Wykonano zgodnie z instrukcj\u0105 producenta zestawu odczynnik\u00f3w firmy Sysmex i aparatu Sysmex XN-9000/XN-9100 wersja 03/2020, wersja oprogramowania 22.\\nLaboratorium medyczne akredytowane przez PCA, nr AM 003"
+        },
+        {
+            "unit_ucum": "10^3/uL",
+            "created_at": "2026-03-05T09:57:39.405348",
+            "test_code": "777-3",
+            "ref_low": 150.0,
+            "updated_at": "2026-03-05T08:57:39.405348Z",
+            "test_name_original": "P\u0142ytki krwi",
+            "ref_high": 400.0,
+            "test_name_loinc": "Platelets [#/volume] in Blood by Automated count",
+            "ref_text": null,
+            "record_id": "786e888d-6abb-40ab-8f41-3ccebbbe23b9",
+            "value_num": 263.0,
+            "flag": "N",
+            "value_text": null,
+            "lab": "Diagnostyka",
+            "collected_at": "2026-02-12T07:53:00",
+            "value_bool": null,
+            "source_file": "2026-02-12_wyniki.pdf",
+            "unit_original": "tys/\u00b5l",
+            "notes": "Wykonano zgodnie z instrukcj\u0105 producenta zestawu odczynnik\u00f3w firmy Sysmex i aparatu Sysmex XN-9000/XN-9100 wersja 03/2020, wersja oprogramowania 22.\\nLaboratorium medyczne akredytowane przez PCA, nr AM 003"
+        },
+        {
+            "unit_ucum": "pg",
+            "created_at": "2026-03-05T09:57:39.405348",
+            "test_code": "785-6",
+            "ref_low": 27.0,
+            "updated_at": "2026-03-05T08:57:39.405348Z",
+            "test_name_original": "MCH",
+            "ref_high": 32.0,
+            "test_name_loinc": "MCH [Entitic mass] by Automated count",
+            "ref_text": null,
+            "record_id": "6aecbce7-0423-4a4e-93c4-c5b9e08b1ec9",
+            "value_num": 27.5,
+            "flag": "N",
+            "value_text": null,
+            "lab": "Diagnostyka",
+            "collected_at": "2026-02-12T07:53:00",
+            "value_bool": null,
+            "source_file": "2026-02-12_wyniki.pdf",
+            "unit_original": "pg",
+            "notes": "Wykonano zgodnie z instrukcj\u0105 producenta zestawu odczynnik\u00f3w firmy Sysmex i aparatu Sysmex XN-9000/XN-9100 wersja 03/2020, wersja oprogramowania 22.\\nLaboratorium medyczne akredytowane przez PCA, nr AM 003"
+        },
+        {
+            "unit_ucum": "g/dL",
+            "created_at": "2026-03-05T09:57:39.405348",
+            "test_code": "786-4",
+            "ref_low": 31.0,
+            "updated_at": "2026-03-05T08:57:39.405348Z",
+            "test_name_original": "MCHC",
+            "ref_high": 37.0,
+            "test_name_loinc": "MCHC [Entitic Mass/volume] in Red Blood Cells by Automated count",
+            "ref_text": null,
+            "record_id": "925158a5-3d7b-469c-8582-18272e1d5e99",
+            "value_num": 33.2,
+            "flag": "N",
+            "value_text": null,
+            "lab": "Diagnostyka",
+            "collected_at": "2026-02-12T07:53:00",
+            "value_bool": null,
+            "source_file": "2026-02-12_wyniki.pdf",
+            "unit_original": "g/dl",
+            "notes": "Wykonano zgodnie z instrukcj\u0105 producenta zestawu odczynnik\u00f3w firmy Sysmex i aparatu Sysmex XN-9000/XN-9100 wersja 03/2020, wersja oprogramowania 22.\\nLaboratorium medyczne akredytowane przez PCA, nr AM 003"
+        },
+        {
+            "unit_ucum": "fL",
+            "created_at": "2026-03-05T09:57:39.405348",
+            "test_code": "787-2",
+            "ref_low": 80.0,
+            "updated_at": "2026-03-05T08:57:39.405348Z",
+            "test_name_original": "MCV",
+            "ref_high": 98.0,
+            "test_name_loinc": "MCV [Entitic mean volume] in Red Blood Cells by Automated count",
+            "ref_text": null,
+            "record_id": "5b942eef-cf30-4a20-bf82-34e63018fdbf",
+            "value_num": 83.0,
+            "flag": "N",
+            "value_text": null,
+            "lab": "Diagnostyka",
+            "collected_at": "2026-02-12T07:53:00",
+            "value_bool": null,
+            "source_file": "2026-02-12_wyniki.pdf",
+            "unit_original": "fl",
+            "notes": "Wykonano zgodnie z instrukcj\u0105 producenta zestawu odczynnik\u00f3w firmy Sysmex i aparatu Sysmex XN-9000/XN-9100 wersja 03/2020, wersja oprogramowania 22.\\nLaboratorium medyczne akredytowane przez PCA, nr AM 003"
+        },
+        {
+            "unit_ucum": "%",
+            "created_at": "2026-03-05T09:57:39.405348",
+            "test_code": "788-0",
+            "ref_low": 11.5,
+            "updated_at": "2026-03-05T08:57:39.405348Z",
+            "test_name_original": "RDW-CV",
+            "ref_high": 14.5,
+            "test_name_loinc": "Erythrocyte [DistWidth] in Blood by Automated count",
+            "ref_text": null,
+            "record_id": "a6404855-e040-4e98-b095-adab48f908e7",
+            "value_num": 12.8,
+            "flag": "N",
+            "value_text": null,
+            "lab": "Diagnostyka",
+            "collected_at": "2026-02-12T07:53:00",
+            "value_bool": null,
+            "source_file": "2026-02-12_wyniki.pdf",
+            "unit_original": "%",
+            "notes": "Wykonano zgodnie z instrukcj\u0105 producenta zestawu odczynnik\u00f3w firmy Sysmex i aparatu Sysmex XN-9000/XN-9100 wersja 03/2020, wersja oprogramowania 22.\\nLaboratorium medyczne akredytowane przez PCA, nr AM 003"
+        },
+        {
+            "unit_ucum": "10^6/uL",
+            "created_at": "2026-03-05T09:57:39.405348",
+            "test_code": "789-8",
+            "ref_low": 4.6,
+            "updated_at": "2026-03-05T08:57:39.405348Z",
+            "test_name_original": "Erytrocyty",
+            "ref_high": 6.5,
+            "test_name_loinc": "Erythrocytes [#/volume] in Blood by Automated count",
+            "ref_text": null,
+            "record_id": "e030ebf7-05b3-42a4-ac65-d1cf43cbb43b",
+            "value_num": 5.99,
+            "flag": "N",
+            "value_text": null,
+            "lab": "Diagnostyka",
+            "collected_at": "2026-02-12T07:53:00",
+            "value_bool": null,
+            "source_file": "2026-02-12_wyniki.pdf",
+            "unit_original": "mln/\u00b5l",
+            "notes": "Wykonano zgodnie z instrukcj\u0105 producenta zestawu odczynnik\u00f3w firmy Sysmex i aparatu Sysmex XN-9000/XN-9100 wersja 03/2020, wersja oprogramowania 22.\\nLaboratorium medyczne akredytowane przez PCA, nr AM 003"
+        },
+        {
+            "unit_ucum": "/uL",
+            "created_at": "2026-03-05T09:57:39.405348",
+            "test_code": "798-9",
+            "ref_low": null,
+            "updated_at": "2026-03-05T08:57:39.405348Z",
+            "test_name_original": "Osad moczu met. cytometrii przep\u0142ywowej - Erytrocyty",
+            "ref_high": 13.1,
+            "test_name_loinc": "Erythrocytes [#/volume] in Urine by Automated count",
+            "ref_text": null,
+            "record_id": "0557843c-0295-496a-9f83-f0421ecfe80b",
+            "value_num": 2.9,
+            "flag": "N",
+            "value_text": null,
+            "lab": "Diagnostyka",
+            "collected_at": "2026-02-12T07:53:00",
+            "value_bool": null,
+            "source_file": "2026-02-12_wyniki.pdf",
+            "unit_original": "/\u00b5l",
+            "notes": "Badanie wykonano zgodnie z instrukcj\u0105 producenta zestawu odczynnik\u00f3w firmy Sysmex i aparatu UF-5000 metod\u0105 cytometrii przep\u0142ywowej."
+        },
+        {
+            "unit_ucum": "mg/dL",
+            "created_at": "2026-03-05T09:57:39.405348",
+            "test_code": "1558-6",
+            "ref_low": 70.0,
+            "updated_at": "2026-03-05T08:57:39.405348Z",
+            "test_name_original": "Glukoza",
+            "ref_high": 99.0,
+            "test_name_loinc": "Fasting glucose [Mass/volume] in Serum or Plasma",
+            "ref_text": null,
+            "record_id": "a107bc51-8355-425c-a2dc-807dbf267855",
+            "value_num": 85.8,
+            "flag": "N",
+            "value_text": null,
+            "lab": "Diagnostyka",
+            "collected_at": "2026-02-12T07:53:00",
+            "value_bool": null,
+            "source_file": "2026-02-12_wyniki.pdf",
+            "unit_original": "mg/dl",
+            "notes": "Badanie wykonano zgodnie z instrukcj\u0105 producenta zestawu odczynnik\u00f3w firmy Roche, wersja V 8.0, 2025-01 i aparatu Cobas metod\u0105 spektrofotometryczn\u0105.\\nLaboratorium medyczne akredytowane przez PCA, nr AM 003"
+        },
+        {
+            "unit_ucum": "U/L",
+            "created_at": "2026-03-05T09:57:39.405348",
+            "test_code": "1742-6",
+            "ref_low": null,
+            "updated_at": "2026-03-05T08:57:39.405348Z",
+            "test_name_original": "ALT",
+            "ref_high": 50.0,
+            "test_name_loinc": "Alanine aminotransferase [Enzymatic activity/volume] in Serum or Plasma",
+            "ref_text": null,
+            "record_id": "c931eb1d-6916-4feb-b1e8-8629519ee2f9",
+            "value_num": 74.0,
+            "flag": "H",
+            "value_text": null,
+            "lab": "Diagnostyka",
+            "collected_at": "2026-02-12T07:53:00",
+            "value_bool": null,
+            "source_file": "2026-02-12_wyniki.pdf",
+            "unit_original": "U/l",
+            "notes": "Badanie wykonano zgodnie z instrukcj\u0105 producenta zestawu odczynnik\u00f3w firmy Roche, wersja V 8.0, 2024-11 i aparatu Cobas metod\u0105 spektrofotometryczn\u0105.\\nLaboratorium medyczne akredytowane przez PCA, nr AM 003"
+        },
+        {
+            "unit_ucum": "U/L",
+            "created_at": "2026-03-05T09:57:39.405348",
+            "test_code": "1920-8",
+            "ref_low": null,
+            "updated_at": "2026-03-05T08:57:39.405348Z",
+            "test_name_original": "AST",
+            "ref_high": 50.0,
+            "test_name_loinc": "Aspartate aminotransferase [Enzymatic activity/volume] in Serum or Plasma",
+            "ref_text": null,
+            "record_id": "454021fb-119f-469b-be79-3568d02d0979",
+            "value_num": 28.0,
+            "flag": "N",
+            "value_text": null,
+            "lab": "Diagnostyka",
+            "collected_at": "2026-02-12T07:53:00",
+            "value_bool": null,
+            "source_file": "2026-02-12_wyniki.pdf",
+            "unit_original": "U/l",
+            "notes": "Badanie wykonano zgodnie z instrukcj\u0105 producenta zestawu odczynnik\u00f3w firmy Roche, wersja V 9.0, 2025-07 i aparatu Cobas metod\u0105 spektrofotometryczn\u0105.\\nLaboratorium medyczne akredytowane przez PCA, nr AM 003"
+        },
+        {
+            "unit_ucum": null,
+            "created_at": "2026-03-05T09:57:39.405348",
+            "test_code": "1977-8",
+            "ref_low": null,
+            "updated_at": "2026-03-05T08:57:39.405348Z",
+            "test_name_original": "Badanie og\u00f3lne moczu - Bilirubina",
+            "ref_high": null,
+            "test_name_loinc": "Bilirubin.total [Presence] in Urine",
+            "ref_text": null,
+            "record_id": "2d2febf1-c57f-4e4b-a196-1bf0445b0641",
+            "value_num": null,
+            "flag": "NEG",
+            "value_text": "nieobecna",
+            "lab": "Diagnostyka",
+            "collected_at": "2026-02-12T07:53:00",
+            "value_bool": false,
+            "source_file": "2026-02-12_wyniki.pdf",
+            "unit_original": null,
+            "notes": "Wykonano zgodnie z instrukcj\u0105 producenta zestaw\u00f3w odczynnik\u00f3w firmy Sysmex i aparatu Sysmex UC-3500."
+        },
+        {
+            "unit_ucum": "mg/dL",
+            "created_at": "2026-03-05T09:57:39.405348",
+            "test_code": "2085-9",
+            "ref_low": null,
+            "updated_at": "2026-03-05T08:57:39.405348Z",
+            "test_name_original": "Cholesterol HDL",
+            "ref_high": null,
+            "test_name_loinc": "Cholesterol in HDL [Mass/volume] in Serum or Plasma",
+            "ref_text": "St\u0119\u017cenie zalecane: powy\u017cej 40 mg/dl",
+            "record_id": "d39bad18-2e49-41ed-9ce6-b0f230ccfc21",
+            "value_num": 33.0,
+            "flag": "L",
+            "value_text": null,
+            "lab": "Diagnostyka",
+            "collected_at": "2026-02-12T07:53:00",
+            "value_bool": null,
+            "source_file": "2026-02-12_wyniki.pdf",
+            "unit_original": "mg/dl",
+            "notes": "Badanie wykonano zgodnie z instrukcj\u0105 producenta zestawu odczynnik\u00f3w firmy Roche, wersja V 8.0, 2025-01 i aparatu Cobas metod\u0105 spektrofotometryczn\u0105.\\nLaboratorium medyczne akredytowane przez PCA, nr AM 003"
+        },
+        {
+            "unit_ucum": "mg/dL",
+            "created_at": "2026-03-05T09:57:39.405348",
+            "test_code": "2089-1",
+            "ref_low": null,
+            "updated_at": "2026-03-05T08:57:39.405348Z",
+            "test_name_original": "Cholesterol LDL",
+            "ref_high": null,
+            "test_name_loinc": "Cholesterol in LDL [Mass/volume] in Serum or Plasma",
+            "ref_text": "St\u0119\u017cenie zalecane:\\nPoni\u017cej 115 mg/dl - dla os\u00f3b z ma\u0142ym ryzykiem sercowo-naczyniowym\\nPoni\u017cej 100 mg/dl - dla os\u00f3b z umiarkowanym ryzykiem sercowo-naczyniowym\\nPoni\u017cej 70 mg/dl - dla os\u00f3b z du\u017cym ryzykiem sercowo-naczyniowym\\nPoni\u017cej 55 mg/dl - dla os\u00f3b z bardzo du\u017cym ryzykiem sercowo-naczyniowym\\nPoni\u017cej 40 mg/dl - dla os\u00f3b z ekstremalnym ryzykiem sercowo-naczyniowym",
+            "record_id": "a22f4f9a-9b63-433d-af78-95980442c6c9",
+            "value_num": 138.0,
+            "flag": "H",
+            "value_text": null,
+            "lab": "Diagnostyka",
+            "collected_at": "2026-02-12T07:53:00",
+            "value_bool": null,
+            "source_file": "2026-02-12_wyniki.pdf",
+            "unit_original": "mg/dl",
+            "notes": "Cholesterol LDL wyliczony ze wzoru Sampson-NIH\\nZaleca si\u0119 oznaczenie LDL metod\u0105 bezpo\u015bredni\u0105."
+        },
+        {
+            "unit_ucum": "mg/dL",
+            "created_at": "2026-03-05T09:57:39.405348",
+            "test_code": "2093-3",
+            "ref_low": 115.0,
+            "updated_at": "2026-03-05T08:57:39.405348Z",
+            "test_name_original": "Cholesterol ca\u0142kowity",
+            "ref_high": 190.0,
+            "test_name_loinc": "Cholesterol [Mass/volume] in Serum or Plasma",
+            "ref_text": null,
+            "record_id": "03157fd4-d801-432a-af0c-65f819cfd8e5",
+            "value_num": 201.0,
+            "flag": "H",
+            "value_text": null,
+            "lab": "Diagnostyka",
+            "collected_at": "2026-02-12T07:53:00",
+            "value_bool": null,
+            "source_file": "2026-02-12_wyniki.pdf",
+            "unit_original": "mg/dl",
+            "notes": "Badanie wykonano zgodnie z instrukcj\u0105 producenta zestawu odczynnik\u00f3w firmy Roche, wersja V 9.0, 2024-11 i aparatu Cobas metod\u0105 spektrofotometryczn\u0105.\\nLaboratorium medyczne akredytowane przez PCA, nr AM 003"
+        },
+        {
+            "unit_ucum": "mg/dL",
+            "created_at": "2026-03-05T09:57:39.405348",
+            "test_code": "2160-0",
+            "ref_low": 0.7,
+            "updated_at": "2026-03-05T08:57:39.405348Z",
+            "test_name_original": "Kreatynina",
+            "ref_high": 1.2,
+            "test_name_loinc": "Creatinine [Mass/volume] in Serum or Plasma",
+            "ref_text": null,
+            "record_id": "0a72614a-842a-4534-a1cf-f93f56eac628",
+            "value_num": 0.9,
+            "flag": "N",
+            "value_text": null,
+            "lab": "Diagnostyka",
+            "collected_at": "2026-02-12T07:53:00",
+            "value_bool": null,
+            "source_file": "2026-02-12_wyniki.pdf",
+            "unit_original": "mg/dl",
+            "notes": "Badanie wykonano zgodnie z instrukcj\u0105 producenta zestawu odczynnik\u00f3w firmy Roche, wersja V 7.0, 2024-12 i aparatu Cobas metod\u0105 spektrofotometryczn\u0105.\\nLaboratorium medyczne akredytowane przez PCA, nr AM 003"
+        },
+        {
+            "unit_ucum": "U/L",
+            "created_at": "2026-03-05T09:57:39.405348",
+            "test_code": "2324-2",
+            "ref_low": null,
+            "updated_at": "2026-03-05T08:57:39.405348Z",
+            "test_name_original": "GGTP",
+            "ref_high": 60.0,
+            "test_name_loinc": "Gamma glutamyl transferase [Enzymatic activity/volume] in Serum or Plasma",
+            "ref_text": null,
+            "record_id": "1e905230-50ac-4ee5-b7f5-d63946cc863c",
+            "value_num": 29.0,
+            "flag": "N",
+            "value_text": null,
+            "lab": "Diagnostyka",
+            "collected_at": "2026-02-12T07:53:00",
+            "value_bool": null,
+            "source_file": "2026-02-12_wyniki.pdf",
+            "unit_original": "U/l",
+            "notes": "Badanie wykonano zgodnie z instrukcj\u0105 producenta zestawu odczynnik\u00f3w firmy Roche, wersja V 7.0, 2025-01 i aparatu Cobas metod\u0105 spektrofotometryczn\u0105.\\nLaboratorium medyczne akredytowane przez PCA, nr AM 003"
+        },
+        {
+            "unit_ucum": null,
+            "created_at": "2026-03-05T09:57:39.405348",
+            "test_code": "2349-9",
+            "ref_low": null,
+            "updated_at": "2026-03-05T08:57:39.405348Z",
+            "test_name_original": "Badanie og\u00f3lne moczu - Glukoza",
+            "ref_high": null,
+            "test_name_loinc": "Glucose [Presence] in Urine",
+            "ref_text": null,
+            "record_id": "58a2cfcd-dfc0-408e-a94a-3bb140018757",
+            "value_num": null,
+            "flag": "NEG",
+            "value_text": "nieobecna",
+            "lab": "Diagnostyka",
+            "collected_at": "2026-02-12T07:53:00",
+            "value_bool": false,
+            "source_file": "2026-02-12_wyniki.pdf",
+            "unit_original": null,
+            "notes": "Wykonano zgodnie z instrukcj\u0105 producenta zestaw\u00f3w odczynnik\u00f3w firmy Sysmex i aparatu Sysmex UC-3500."
+        },
+        {
+            "unit_ucum": "mg/dL",
+            "created_at": "2026-03-05T09:57:39.405348",
+            "test_code": "2571-8",
+            "ref_low": null,
+            "updated_at": "2026-03-05T08:57:39.405348Z",
+            "test_name_original": "Triglicerydy",
+            "ref_high": null,
+            "test_name_loinc": "Triglyceride [Mass/volume] in Serum or Plasma",
+            "ref_text": "St\u0119\u017cenie zalecane:\\nPoni\u017cej 150 mg/dl",
+            "record_id": "5690d32f-5a1f-47bc-b3bf-960f7ed2b324",
+            "value_num": 163.0,
+            "flag": "H",
+            "value_text": null,
+            "lab": "Diagnostyka",
+            "collected_at": "2026-02-12T07:53:00",
+            "value_bool": null,
+            "source_file": "2026-02-12_wyniki.pdf",
+            "unit_original": "mg/dl",
+            "notes": "Badanie wykonano zgodnie z instrukcj\u0105 producenta zestawu odczynnik\u00f3w firmy Roche, wersja V 7.0, 2025-08 i aparatu Cobas metod\u0105 spektrofotometryczn\u0105.\\nLaboratorium medyczne akredytowane przez PCA, nr AM 003"
+        },
+        {
+            "unit_ucum": null,
+            "created_at": "2026-03-05T09:57:39.405348",
+            "test_code": "2887-8",
+            "ref_low": null,
+            "updated_at": "2026-03-05T08:57:39.405348Z",
+            "test_name_original": "Badanie og\u00f3lne moczu - Bia\u0142ko",
+            "ref_high": null,
+            "test_name_loinc": "Protein [Presence] in Urine",
+            "ref_text": null,
+            "record_id": "eb0bbeb3-9b1c-4da2-9e76-b4e818115634",
+            "value_num": null,
+            "flag": "NEG",
+            "value_text": "nieobecne",
+            "lab": "Diagnostyka",
+            "collected_at": "2026-02-12T07:53:00",
+            "value_bool": false,
+            "source_file": "2026-02-12_wyniki.pdf",
+            "unit_original": null,
+            "notes": "Wykonano zgodnie z instrukcj\u0105 producenta zestaw\u00f3w odczynnik\u00f3w firmy Sysmex i aparatu Sysmex UC-3500."
+        },
+        {
+            "unit_ucum": "g/mL",
+            "created_at": "2026-03-05T09:57:39.405348",
+            "test_code": "2965-2",
+            "ref_low": 1.005,
+            "updated_at": "2026-03-05T08:57:39.405348Z",
+            "test_name_original": "Badanie og\u00f3lne moczu - Ci\u0119\u017car w\u0142a\u015bciwy",
+            "ref_high": 1.03,
+            "test_name_loinc": "Specific gravity of Urine",
+            "ref_text": null,
+            "record_id": "458431b6-d64f-4f95-aba8-4e976f569b7c",
+            "value_num": 1.019,
+            "flag": "N",
+            "value_text": null,
+            "lab": "Diagnostyka",
+            "collected_at": "2026-02-12T07:53:00",
+            "value_bool": null,
+            "source_file": "2026-02-12_wyniki.pdf",
+            "unit_original": "g/ml",
+            "notes": "Wykonano zgodnie z instrukcj\u0105 producenta zestaw\u00f3w odczynnik\u00f3w firmy Sysmex i aparatu Sysmex UC-3500."
+        },
+        {
+            "unit_ucum": "u[IU]/mL",
+            "created_at": "2026-03-05T09:57:39.405348",
+            "test_code": "3016-3",
+            "ref_low": 0.27,
+            "updated_at": "2026-03-05T08:57:39.405348Z",
+            "test_name_original": "TSH",
+            "ref_high": 4.2,
+            "test_name_loinc": "Thyrotropin [Units/volume] in Serum or Plasma",
+            "ref_text": null,
+            "record_id": "6a06f748-7498-4ed9-a239-7bf79e7c32e3",
+            "value_num": 2.17,
+            "flag": "N",
+            "value_text": null,
+            "lab": "Diagnostyka",
+            "collected_at": "2026-02-12T07:53:00",
+            "value_bool": null,
+            "source_file": "2026-02-12_wyniki.pdf",
+            "unit_original": "\u00b5IU/ml",
+            "notes": "Badanie wykonano testem firmy Roche metod\u0105 elektrochemiluminescencji na aparacie Cobas.\\nBadanie wykonano zgodnie z instrukcj\u0105 producenta zestawu odczynnik\u00f3w firmy Roche, wersja V 6.0, 2023-06 i aparatu Cobas metod\u0105 elektrochemiluminescencji.\\nLaboratorium medyczne akredytowane przez PCA, nr AM 003\\nOd os\u00f3b leczonych wysokimi dawkami biotyny (tj.>5mg/dzie\u0144) materia\u0142 do oznaczenia nale\u017cy pobiera\u0107 dopiero co najmniej po 8 godz. od ostatniego podania biotyny."
+        },
+        {
+            "unit_ucum": "%",
+            "created_at": "2026-03-05T09:57:39.405348",
+            "test_code": "4544-3",
+            "ref_low": 40.0,
+            "updated_at": "2026-03-05T08:57:39.405348Z",
+            "test_name_original": "Hematokryt",
+            "ref_high": 52.0,
+            "test_name_loinc": "Hematocrit [Volume Fraction] of Blood by Automated count",
+            "ref_text": null,
+            "record_id": "2dd329f9-0b7f-4c2b-b09d-f121a2000af9",
+            "value_num": 49.7,
+            "flag": "N",
+            "value_text": null,
+            "lab": "Diagnostyka",
+            "collected_at": "2026-02-12T07:53:00",
+            "value_bool": null,
+            "source_file": "2026-02-12_wyniki.pdf",
+            "unit_original": "%",
+            "notes": "Wykonano zgodnie z instrukcj\u0105 producenta zestawu odczynnik\u00f3w firmy Sysmex i aparatu Sysmex XN-9000/XN-9100 wersja 03/2020, wersja oprogramowania 22.\\nLaboratorium medyczne akredytowane przez PCA, nr AM 003"
+        },
+        {
+            "unit_ucum": null,
+            "created_at": "2026-03-05T09:57:39.405348",
+            "test_code": "5778-6",
+            "ref_low": null,
+            "updated_at": "2026-03-05T08:57:39.405348Z",
+            "test_name_original": "Badanie og\u00f3lne moczu - Barwa",
+            "ref_high": null,
+            "test_name_loinc": "Color of Urine",
+            "ref_text": null,
+            "record_id": "0814ca15-dd49-408e-8bb3-eab31a9bd627",
+            "value_num": null,
+            "flag": null,
+            "value_text": "jasno\u017c\u00f3\u0142ty",
+            "lab": "Diagnostyka",
+            "collected_at": "2026-02-12T07:53:00",
+            "value_bool": null,
+            "source_file": "2026-02-12_wyniki.pdf",
+            "unit_original": null,
+            "notes": "Wykonano zgodnie z instrukcj\u0105 producenta zestaw\u00f3w odczynnik\u00f3w firmy Sysmex i aparatu Sysmex UC-3500."
+        },
+        {
+            "unit_ucum": "pH",
+            "created_at": "2026-03-05T09:57:39.405348",
+            "test_code": "5803-2",
+            "ref_low": 5.0,
+            "updated_at": "2026-03-05T08:57:39.405348Z",
+            "test_name_original": "Badanie og\u00f3lne moczu - pH",
+            "ref_high": 7.0,
+            "test_name_loinc": "pH of Urine",
+            "ref_text": null,
+            "record_id": "81cbe488-50f2-44a1-85d6-4e655303961d",
+            "value_num": 5.5,
+            "flag": "N",
+            "value_text": null,
+            "lab": "Diagnostyka",
+            "collected_at": "2026-02-12T07:53:00",
+            "value_bool": null,
+            "source_file": "2026-02-12_wyniki.pdf",
+            "unit_original": null,
+            "notes": "Wykonano zgodnie z instrukcj\u0105 producenta zestaw\u00f3w odczynnik\u00f3w firmy Sysmex i aparatu Sysmex UC-3500."
+        },
+        {
+            "unit_ucum": "%",
+            "created_at": "2026-03-05T09:57:39.405348",
+            "test_code": "5905-5",
+            "ref_low": 2.0,
+            "updated_at": "2026-03-05T08:57:39.405348Z",
+            "test_name_original": "Monocyty",
+            "ref_high": 9.0,
+            "test_name_loinc": "Monocytes/Leukocytes in Blood by Automated count",
+            "ref_text": null,
+            "record_id": "4e9b9715-361b-45c6-be9d-4d26a1babc7d",
+            "value_num": 8.8,
+            "flag": "N",
+            "value_text": null,
+            "lab": "Diagnostyka",
+            "collected_at": "2026-02-12T07:53:00",
+            "value_bool": null,
+            "source_file": "2026-02-12_wyniki.pdf",
+            "unit_original": "%",
+            "notes": "Wykonano zgodnie z instrukcj\u0105 producenta zestawu odczynnik\u00f3w firmy Sysmex i aparatu Sysmex XN-9000/XN-9100 wersja 03/2020, wersja oprogramowania 22.\\nLaboratorium medyczne akredytowane przez PCA, nr AM 003"
+        },
+        {
+            "unit_ucum": "10^3/uL",
+            "created_at": "2026-03-05T09:57:39.405348",
+            "test_code": "6690-2",
+            "ref_low": 4.0,
+            "updated_at": "2026-03-05T08:57:39.405348Z",
+            "test_name_original": "Leukocyty",
+            "ref_high": 10.0,
+            "test_name_loinc": "Leukocytes [#/volume] in Blood by Automated count",
+            "ref_text": null,
+            "record_id": "bb9a7ecd-418b-4272-b421-9987414b6331",
+            "value_num": 7.37,
+            "flag": "N",
+            "value_text": null,
+            "lab": "Diagnostyka",
+            "collected_at": "2026-02-12T07:53:00",
+            "value_bool": null,
+            "source_file": "2026-02-12_wyniki.pdf",
+            "unit_original": "tys/\u00b5l",
+            "notes": "Wykonano zgodnie z instrukcj\u0105 producenta zestawu odczynnik\u00f3w firmy Sysmex i aparatu Sysmex XN-9000/XN-9100 wersja 03/2020, wersja oprogramowania 22.\\nLaboratorium medyczne akredytowane przez PCA, nr AM 003"
+        },
+        {
+            "unit_ucum": null,
+            "created_at": "2026-03-05T09:57:39.405348",
+            "test_code": "13658-0",
+            "ref_low": null,
+            "updated_at": "2026-03-05T08:57:39.405348Z",
+            "test_name_original": "Badanie og\u00f3lne moczu - Urobilinogen",
+            "ref_high": null,
+            "test_name_loinc": "Urobilinogen [Presence] in Urine",
+            "ref_text": null,
+            "record_id": "9d3d8eec-4ccc-41b0-b33c-c95b1a21b21e",
+            "value_num": null,
+            "flag": "N",
+            "value_text": "w normie",
+            "lab": "Diagnostyka",
+            "collected_at": "2026-02-12T07:53:00",
+            "value_bool": null,
+            "source_file": "2026-02-12_wyniki.pdf",
+            "unit_original": null,
+            "notes": "Wykonano zgodnie z instrukcj\u0105 producenta zestaw\u00f3w odczynnik\u00f3w firmy Sysmex i aparatu Sysmex UC-3500."
+        },
+        {
+            "unit_ucum": null,
+            "created_at": "2026-03-05T09:57:39.405348",
+            "test_code": "13955-0",
+            "ref_low": null,
+            "updated_at": "2026-03-05T08:57:39.405348Z",
+            "test_name_original": "Przeciwcia\u0142a anty HCV",
+            "ref_high": null,
+            "test_name_loinc": "Hepatitis C virus Ab [Presence] in Serum or Plasma by Immunoassay",
+            "ref_text": null,
+            "record_id": "7974708f-6989-4a67-bba4-d71549847eb3",
+            "value_num": null,
+            "flag": "NEG",
+            "value_text": "niereaktywny",
+            "lab": "Diagnostyka",
+            "collected_at": "2026-02-12T07:53:00",
+            "value_bool": false,
+            "source_file": "2026-02-12_wyniki.pdf",
+            "unit_original": null,
+            "notes": "Badanie wykonano testem firmy Roche, metod\u0105 elektrochemiluminescencji, na aparacie Cobas."
+        },
+        {
+            "unit_ucum": "%",
+            "created_at": "2026-03-05T09:57:39.405348",
+            "test_code": "14751-2",
+            "ref_low": 0.12,
+            "updated_at": "2026-03-05T08:57:39.405348Z",
+            "test_name_original": "PCT",
+            "ref_high": 0.36,
+            "test_name_loinc": "Plateletcrit [Volume Fraction] in Blood",
+            "ref_text": null,
+            "record_id": "cb7f98df-a18d-4fea-8672-8c7ae4872859",
+            "value_num": 0.32,
+            "flag": "N",
+            "value_text": null,
+            "lab": "Diagnostyka",
+            "collected_at": "2026-02-12T07:53:00",
+            "value_bool": null,
+            "source_file": "2026-02-12_wyniki.pdf",
+            "unit_original": "%",
+            "notes": "Wykonano zgodnie z instrukcj\u0105 producenta zestawu odczynnik\u00f3w firmy Sysmex i aparatu Sysmex XN-9000/XN-9100 wersja 03/2020, wersja oprogramowania 22.\\nLaboratorium medyczne akredytowane przez PCA, nr AM 003"
+        },
+        {
+            "unit_ucum": null,
+            "created_at": "2026-03-05T09:57:39.405348",
+            "test_code": "32167-9",
+            "ref_low": null,
+            "updated_at": "2026-03-05T08:57:39.405348Z",
+            "test_name_original": "Badanie og\u00f3lne moczu - Przejrzysto\u015b\u0107",
+            "ref_high": null,
+            "test_name_loinc": "Clarity of Urine",
+            "ref_text": null,
+            "record_id": "b455ca6e-713e-46d6-9b01-71567bc56563",
+            "value_num": null,
+            "flag": null,
+            "value_text": "przejrzysty",
+            "lab": "Diagnostyka",
+            "collected_at": "2026-02-12T07:53:00",
+            "value_bool": null,
+            "source_file": "2026-02-12_wyniki.pdf",
+            "unit_original": null,
+            "notes": "Wykonano zgodnie z instrukcj\u0105 producenta zestaw\u00f3w odczynnik\u00f3w firmy Sysmex i aparatu Sysmex UC-3500."
+        },
+        {
+            "unit_ucum": "fL",
+            "created_at": "2026-03-05T09:57:39.405348",
+            "test_code": "32207-3",
+            "ref_low": 10.0,
+            "updated_at": "2026-03-05T08:57:39.405348Z",
+            "test_name_original": "PDW",
+            "ref_high": 17.4,
+            "test_name_loinc": "Platelet distribution width [Entitic volume] in Blood by Automated count",
+            "ref_text": null,
+            "record_id": "3910f1dc-be69-4ec6-8580-9aa4dc6d184e",
+            "value_num": 16.2,
+            "flag": "N",
+            "value_text": null,
+            "lab": "Diagnostyka",
+            "collected_at": "2026-02-12T07:53:00",
+            "value_bool": null,
+            "source_file": "2026-02-12_wyniki.pdf",
+            "unit_original": "fl",
+            "notes": "Wykonano zgodnie z instrukcj\u0105 producenta zestawu odczynnik\u00f3w firmy Sysmex i aparatu Sysmex XN-9000/XN-9100 wersja 03/2020, wersja oprogramowania 22.\\nLaboratorium medyczne akredytowane przez PCA, nr AM 003"
+        },
+        {
+            "unit_ucum": "fL",
+            "created_at": "2026-03-05T09:57:39.405348",
+            "test_code": "32623-1",
+            "ref_low": 7.0,
+            "updated_at": "2026-03-05T08:57:39.405348Z",
+            "test_name_original": "MPV",
+            "ref_high": 12.0,
+            "test_name_loinc": "Platelet [Entitic mean volume] in Blood by Automated count",
+            "ref_text": null,
+            "record_id": "9c1def6d-9b6a-4418-aaa0-f126ed453026",
+            "value_num": 12.1,
+            "flag": "H",
+            "value_text": null,
+            "lab": "Diagnostyka",
+            "collected_at": "2026-02-12T07:53:00",
+            "value_bool": null,
+            "source_file": "2026-02-12_wyniki.pdf",
+            "unit_original": "fl",
+            "notes": "Wykonano zgodnie z instrukcj\u0105 producenta zestawu odczynnik\u00f3w firmy Sysmex i aparatu Sysmex XN-9000/XN-9100 wersja 03/2020, wersja oprogramowania 22.\\nLaboratorium medyczne akredytowane przez PCA, nr AM 003"
+        },
+        {
+            "unit_ucum": null,
+            "created_at": "2026-03-05T09:57:39.405348",
+            "test_code": "32710-6",
+            "ref_low": null,
+            "updated_at": "2026-03-05T08:57:39.405348Z",
+            "test_name_original": "Badanie og\u00f3lne moczu - Azotyny",
+            "ref_high": null,
+            "test_name_loinc": "Nitrite [Presence] in Urine",
+            "ref_text": null,
+            "record_id": "a7574c52-a714-4fd3-9475-4784860a9887",
+            "value_num": null,
+            "flag": "NEG",
+            "value_text": "nieobecne",
+            "lab": "Diagnostyka",
+            "collected_at": "2026-02-12T07:53:00",
+            "value_bool": false,
+            "source_file": "2026-02-12_wyniki.pdf",
+            "unit_original": null,
+            "notes": "Wykonano zgodnie z instrukcj\u0105 producenta zestaw\u00f3w odczynnik\u00f3w firmy Sysmex i aparatu Sysmex UC-3500."
+        },
+        {
+            "unit_ucum": null,
+            "created_at": "2026-03-05T09:57:39.405348",
+            "test_code": "33051-4",
+            "ref_low": null,
+            "updated_at": "2026-03-05T08:57:39.405348Z",
+            "test_name_original": "Badanie og\u00f3lne moczu - Ery/Hb",
+            "ref_high": null,
+            "test_name_loinc": "Erythrocytes [Presence] in Urine",
+            "ref_text": null,
+            "record_id": "8c2d893e-6277-49d1-9996-c528f199ca81",
+            "value_num": null,
+            "flag": "NEG",
+            "value_text": "nie wykryto",
+            "lab": "Diagnostyka",
+            "collected_at": "2026-02-12T07:53:00",
+            "value_bool": false,
+            "source_file": "2026-02-12_wyniki.pdf",
+            "unit_original": null,
+            "notes": "Wykonano zgodnie z instrukcj\u0105 producenta zestaw\u00f3w odczynnik\u00f3w firmy Sysmex i aparatu Sysmex UC-3500."
+        },
+        {
+            "unit_ucum": null,
+            "created_at": "2026-03-05T09:57:39.405348",
+            "test_code": "33052-2",
+            "ref_low": null,
+            "updated_at": "2026-03-05T08:57:39.405348Z",
+            "test_name_original": "Badanie og\u00f3lne moczu - Leukocyty",
+            "ref_high": null,
+            "test_name_loinc": "Leukocytes [Presence] in Urine",
+            "ref_text": null,
+            "record_id": "f648b548-3683-40e2-9fb8-54b708bedaab",
+            "value_num": null,
+            "flag": "NEG",
+            "value_text": "nie wykryto",
+            "lab": "Diagnostyka",
+            "collected_at": "2026-02-12T07:53:00",
+            "value_bool": false,
+            "source_file": "2026-02-12_wyniki.pdf",
+            "unit_original": null,
+            "notes": "Wykonano zgodnie z instrukcj\u0105 producenta zestaw\u00f3w odczynnik\u00f3w firmy Sysmex i aparatu Sysmex UC-3500."
+        },
+        {
+            "unit_ucum": null,
+            "created_at": "2026-03-05T09:57:39.405348",
+            "test_code": "33903-6",
+            "ref_low": null,
+            "updated_at": "2026-03-05T08:57:39.405348Z",
+            "test_name_original": "Badanie og\u00f3lne moczu - Ketony",
+            "ref_high": null,
+            "test_name_loinc": "Ketones [Presence] in Urine",
+            "ref_text": null,
+            "record_id": "d7e855da-1121-407c-9400-da25ac8f3d42",
+            "value_num": null,
+            "flag": "NEG",
+            "value_text": "nieobecne",
+            "lab": "Diagnostyka",
+            "collected_at": "2026-02-12T07:53:00",
+            "value_bool": false,
+            "source_file": "2026-02-12_wyniki.pdf",
+            "unit_original": null,
+            "notes": "Wykonano zgodnie z instrukcj\u0105 producenta zestaw\u00f3w odczynnik\u00f3w firmy Sysmex i aparatu Sysmex UC-3500."
+        },
+        {
+            "unit_ucum": "mg/dL",
+            "created_at": "2026-03-05T09:57:39.405348",
+            "test_code": "43396-1",
+            "ref_low": null,
+            "updated_at": "2026-03-05T08:57:39.405348Z",
+            "test_name_original": "Cholesterol nie-HDL",
+            "ref_high": null,
+            "test_name_loinc": "Cholesterol non HDL [Mass/volume] in Serum or Plasma",
+            "ref_text": "St\u0119\u017cenie zalecane:\\nPoni\u017cej 130 mg/dl - dla os\u00f3b z umiarkowanym ryzykiem sercowo-naczyniowym\\nPoni\u017cej 100 mg/dl - dla os\u00f3b z du\u017cym ryzykiem sercowo-naczyniowym\\nPoni\u017cej 85 mg/dl - dla os\u00f3b z bardzo du\u017cym ryzykiem sercowo-naczyniowym\\nPoni\u017cej 70 mg/dl - dla os\u00f3b z ekstremalnym ryzykiem sercowo-naczyniowym",
+            "record_id": "375d44f9-bba6-42a6-89df-8cc409c3239c",
+            "value_num": 168.0,
+            "flag": "H",
+            "value_text": null,
+            "lab": "Diagnostyka",
+            "collected_at": "2026-02-12T07:53:00",
+            "value_bool": null,
+            "source_file": "2026-02-12_wyniki.pdf",
+            "unit_original": "mg/dl",
+            "notes": "Wynik wyliczono z danych uzyskanych w pomiarach bezpo\u015brednich."
+        },
+        {
+            "unit_ucum": "nmol/L",
+            "created_at": "2026-03-05T09:57:39.405348",
+            "test_code": "43583-4",
+            "ref_low": null,
+            "updated_at": "2026-03-05T08:57:39.405348Z",
+            "test_name_original": "Lp(a)",
+            "ref_high": null,
+            "test_name_loinc": "Lipoprotein a [Moles/volume] in Serum or Plasma",
+            "ref_text": "<75 nmol/l \u2013 warto\u015b\u0107 zalecana\\n75-125 nmol/l- umiarkowane ryzyko sercowo-naczyniowe\\n>125-450 nmol/l- du\u017ce ryzyko sercowo-naczyniowe\\n>450 nmol/l- bardzo du\u017ce ryzyko sercowo-naczyniowe",
+            "record_id": "71ca2e0c-ebd7-4933-8ed5-dc21b056686a",
+            "value_num": null,
+            "flag": "N",
+            "value_text": "<7",
+            "lab": "Diagnostyka",
+            "collected_at": "2026-02-12T07:53:00",
+            "value_bool": null,
+            "source_file": "2026-02-12_wyniki.pdf",
+            "unit_original": "nmol/l",
+            "notes": "Badanie wykonano metod\u0105 immunoturbidymetryczn\u0105 na analizatorze Cobas 8000 firmy Roche."
+        },
+        {
+            "unit_ucum": "%",
+            "created_at": "2026-03-05T09:57:39.405348",
+            "test_code": "48386-7",
+            "ref_low": 19.3,
+            "updated_at": "2026-03-05T08:57:39.405348Z",
+            "test_name_original": "P-LCR",
+            "ref_high": 47.1,
+            "test_name_loinc": "Platelets Large/Platelets in Blood by Automated count",
+            "ref_text": null,
+            "record_id": "0895418e-5f94-4881-bacd-e24ad85f89de",
+            "value_num": 42.9,
+            "flag": "N",
+            "value_text": null,
+            "lab": "Diagnostyka",
+            "collected_at": "2026-02-12T07:53:00",
+            "value_bool": null,
+            "source_file": "2026-02-12_wyniki.pdf",
+            "unit_original": "%",
+            "notes": "Wykonano zgodnie z instrukcj\u0105 producenta zestawu odczynnik\u00f3w firmy Sysmex i aparatu Sysmex XN-9000/XN-9100 wersja 03/2020, wersja oprogramowania 22.\\nLaboratorium medyczne akredytowane przez PCA, nr AM 003"
+        },
+        {
+            "unit_ucum": "/uL",
+            "created_at": "2026-03-05T09:57:39.405348",
+            "test_code": "51478-6",
+            "ref_low": null,
+            "updated_at": "2026-03-05T08:57:39.405348Z",
+            "test_name_original": "Osad moczu met. cytometrii przep\u0142ywowej - Pasma \u015bluzu",
+            "ref_high": null,
+            "test_name_loinc": "Mucus [#/volume] in Urine by Automated count",
+            "ref_text": null,
+            "record_id": "b839e3a0-1901-40e5-b8dd-ca66aef5d040",
+            "value_num": 0.41,
+            "flag": null,
+            "value_text": null,
+            "lab": "Diagnostyka",
+            "collected_at": "2026-02-12T07:53:00",
+            "value_bool": null,
+            "source_file": "2026-02-12_wyniki.pdf",
+            "unit_original": "/\u00b5l",
+            "notes": "Badanie wykonano zgodnie z instrukcj\u0105 producenta zestawu odczynnik\u00f3w firmy Sysmex i aparatu UF-5000 metod\u0105 cytometrii przep\u0142ywowej."
+        }
+    ],
+    "total": 143,
+    "limit": 50,
+    "offset": 0
+}
diff --git a/tests/routine_benchmark.py b/tests/routine_benchmark.py
new file mode 100644
index 0000000..d3f8e11
--- /dev/null
+++ b/tests/routine_benchmark.py
@@ -0,0 +1,1060 @@
+#!/usr/bin/env python3
+# pyright: reportMissingImports=false
+"""Benchmark routines LLM prompt with variable snapshot-history window.
+
+This script does NOT call /routines/suggest.
+It reconstructs a production-like prompt and calls Gemini directly, while varying
+the number of days included in the "SKIN SNAPSHOT HISTORY" section.
+"""
+
+from __future__ import annotations
+
+import argparse
+import csv
+import json
+import math
+import os
+import re
+import sys
+import time
+from datetime import date, datetime, timedelta
+from pathlib import Path
+from typing import Any
+from urllib.error import HTTPError, URLError
+from urllib.request import Request, urlopen
+
+
+ROOT_DIR = Path(__file__).resolve().parents[1]
+BACKEND_DIR = ROOT_DIR / "backend"
+if str(BACKEND_DIR) not in sys.path:
+    sys.path.insert(0, str(BACKEND_DIR))
+
+_BACKEND_SYMBOLS: dict[str, Any] | None = None
+
+
+def backend_symbols() -> dict[str, Any]:
+    global _BACKEND_SYMBOLS
+    if _BACKEND_SYMBOLS is not None:
+        return _BACKEND_SYMBOLS
+
+    from fastapi import HTTPException
+    from google.genai import types as genai_types  # type: ignore[import-not-found]
+
+    from innercontext.api.product_llm_tools import (  # type: ignore[import-not-found]
+        PRODUCT_DETAILS_FUNCTION_DECLARATION,
+    )
+    from innercontext.api.routines import (  # type: ignore[import-not-found]
+        _DAY_NAMES,
+        _ROUTINES_SINGLE_EXTRA,
+        _ROUTINES_SYSTEM_PROMPT,
+        _SuggestionOut,
+    )
+    from innercontext.llm import (  # type: ignore[import-not-found]
+        call_gemini,
+        call_gemini_with_function_tools,
+        get_creative_config,
+    )
+
+    _BACKEND_SYMBOLS = {
+        "HTTPException": HTTPException,
+        "genai_types": genai_types,
+        "PRODUCT_DETAILS_FUNCTION_DECLARATION": PRODUCT_DETAILS_FUNCTION_DECLARATION,
+        "_DAY_NAMES": _DAY_NAMES,
+        "_ROUTINES_SINGLE_EXTRA": _ROUTINES_SINGLE_EXTRA,
+        "_ROUTINES_SYSTEM_PROMPT": _ROUTINES_SYSTEM_PROMPT,
+        "_SuggestionOut": _SuggestionOut,
+        "call_gemini": call_gemini,
+        "call_gemini_with_function_tools": call_gemini_with_function_tools,
+        "get_creative_config": get_creative_config,
+    }
+    return _BACKEND_SYMBOLS
+
+
+DEFAULT_BASE_URL = "http://192.168.101.82/api"
+DEFAULT_WINDOWS = [3, 5, 7]
+DEFAULT_OUT = "routines_suggest_history_experiment.csv"
+
+
+def _ev(v: object) -> str:
+    if v is None:
+        return ""
+    if hasattr(v, "value"):
+        value = getattr(v, "value")
+        if isinstance(value, str):
+            return value
+    return str(v)
+
+
+def _parse_iso_date(raw: str | None) -> date | None:
+    if not raw:
+        return None
+    try:
+        return date.fromisoformat(raw)
+    except ValueError:
+        return None
+
+
+def _contains_minoxidil_text(value: str | None) -> bool:
+    if not value:
+        return False
+    text = value.lower()
+    return "minoxidil" in text or "minoksydyl" in text
+
+
+def _is_minoxidil_product(product: dict[str, Any]) -> bool:
+    if _contains_minoxidil_text(product.get("name")):
+        return True
+    if _contains_minoxidil_text(product.get("brand")):
+        return True
+    if _contains_minoxidil_text(product.get("line_name")):
+        return True
+
+    for inci in product.get("inci") or []:
+        if _contains_minoxidil_text(str(inci)):
+            return True
+
+    for active in product.get("actives") or []:
+        if isinstance(active, dict):
+            if _contains_minoxidil_text(str(active.get("name") or "")):
+                return True
+
+    return False
+
+
+def http_json(
+    method: str,
+    url: str,
+    body: dict[str, Any] | None = None,
+    timeout: int = 20,
+) -> tuple[int, Any]:
+    data = None
+    headers = {"Content-Type": "application/json"}
+    if body is not None:
+        data = json.dumps(body).encode("utf-8")
+
+    req = Request(url=url, data=data, method=method, headers=headers)
+    try:
+        with urlopen(req, timeout=timeout) as resp:
+            raw = resp.read().decode("utf-8")
+            return resp.status, json.loads(raw) if raw else {}
+    except HTTPError as e:
+        raw = e.read().decode("utf-8", errors="replace")
+        try:
+            parsed = json.loads(raw) if raw else {}
+        except json.JSONDecodeError:
+            parsed = {"detail": raw}
+        return e.code, parsed
+    except (URLError, TimeoutError) as e:
+        return 0, {"detail": f"Network error: {e}"}
+
+
+def fetch_required_data(base_url: str, timeout: int) -> dict[str, Any]:
+    base = base_url.rstrip("/")
+    endpoints = {
+        "profile": "/profile",
+        "snapshots": "/skincare",
+        "grooming": "/routines/grooming-schedule",
+        "routines": "/routines",
+        "products": "/products",
+    }
+    results: dict[str, Any] = {}
+
+    for key, path in endpoints.items():
+        status, payload = http_json("GET", f"{base}{path}", timeout=timeout)
+        if status != 200:
+            raise RuntimeError(f"GET {path} failed ({status}): {payload}")
+        results[key] = payload
+
+    snapshots = list(results["snapshots"] or [])
+    for s in snapshots:
+        s["_d"] = _parse_iso_date(s.get("snapshot_date"))
+    snapshots = [s for s in snapshots if s.get("_d") is not None]
+    snapshots.sort(key=lambda x: x["_d"], reverse=True)
+    results["snapshots"] = snapshots
+
+    routines = list(results["routines"] or [])
+    for r in routines:
+        r["_d"] = _parse_iso_date(r.get("routine_date"))
+    routines = [r for r in routines if r.get("_d") is not None]
+    routines.sort(key=lambda x: x["_d"], reverse=True)
+    results["routines"] = routines
+
+    products = list(results["products"] or [])
+    for p in products:
+        full_id = str(p.get("id") or "")
+        p["_id"] = full_id
+        p["_short_id"] = str(p.get("short_id") or full_id[:8])
+    results["products"] = products
+
+    return results
+
+
+def build_user_profile_context(
+    profile: dict[str, Any] | None, reference_date: date
+) -> str:
+    if profile is None:
+        return "USER PROFILE: no data\n"
+
+    lines = ["USER PROFILE:"]
+    birth_date_raw = profile.get("birth_date")
+    birth_date = _parse_iso_date(birth_date_raw)
+    if birth_date is not None:
+        years = reference_date.year - birth_date.year
+        if (reference_date.month, reference_date.day) < (
+            birth_date.month,
+            birth_date.day,
+        ):
+            years -= 1
+        lines.append(f"  Age: {max(years, 0)}")
+        lines.append(f"  Birth date: {birth_date.isoformat()}")
+    else:
+        lines.append("  Age: unknown")
+
+    sex = profile.get("sex_at_birth")
+    if sex is not None:
+        lines.append(f"  Sex at birth: {sex}")
+    else:
+        lines.append("  Sex at birth: unknown")
+
+    return "\n".join(lines) + "\n"
+
+
+def pick_effective_snapshot(
+    snapshots: list[dict[str, Any]],
+    *,
+    routine_date: date,
+    days_window: int,
+    max_fallback_days: int = 14,
+) -> dict[str, Any] | None:
+    cutoff = routine_date - timedelta(days=days_window - 1)
+    in_window = [s for s in snapshots if cutoff <= s["_d"] <= routine_date]
+    if in_window:
+        return in_window[0]
+
+    fallback_cutoff = routine_date - timedelta(days=max_fallback_days)
+    for s in snapshots:
+        snapshot_date = s["_d"]
+        if fallback_cutoff <= snapshot_date < cutoff:
+            return s
+    return None
+
+
+def build_skin_context(snapshot: dict[str, Any] | None) -> str:
+    if snapshot is None:
+        return "SKIN CONDITION: no data\n"
+
+    return (
+        f"SKIN CONDITION (snapshot from {snapshot.get('snapshot_date')}):\n"
+        f"  Overall state: {_ev(snapshot.get('overall_state'))}\n"
+        f"  Hydration: {snapshot.get('hydration_level', '-')}/5\n"
+        f"  Barrier: {_ev(snapshot.get('barrier_state'))}\n"
+        f"  Active concerns: {', '.join(_ev(c) for c in (snapshot.get('active_concerns') or []))}\n"
+        f"  Priorities: {', '.join(snapshot.get('priorities') or [])}\n"
+        f"  Notes: {snapshot.get('notes') or 'none'}\n"
+    )
+
+
+def build_snapshot_history_context(
+    snapshots: list[dict[str, Any]],
+    routine_date: date,
+    days_window: int,
+    max_fallback_days: int = 14,
+) -> tuple[str, int, bool]:
+    cutoff = routine_date - timedelta(days=days_window - 1)
+    in_window = [s for s in snapshots if cutoff <= s["_d"] <= routine_date]
+    if not in_window:
+        fallback_snapshot = pick_effective_snapshot(
+            snapshots,
+            routine_date=routine_date,
+            days_window=days_window,
+            max_fallback_days=max_fallback_days,
+        )
+        if fallback_snapshot is None:
+            return f"SKIN SNAPSHOT HISTORY (last {days_window} days): none\n", 0, False
+
+        concerns = (
+            ", ".join(_ev(c) for c in (fallback_snapshot.get("active_concerns") or []))
+            or "none"
+        )
+        lines = [f"SKIN SNAPSHOT HISTORY (last {days_window} days):"]
+        lines.append(
+            "  "
+            + f"fallback({max_fallback_days}d) {fallback_snapshot.get('snapshot_date')}: "
+            + f"overall={_ev(fallback_snapshot.get('overall_state'))}, "
+            + f"barrier={_ev(fallback_snapshot.get('barrier_state'))}, "
+            + f"hydration={fallback_snapshot.get('hydration_level', '-')}/5, "
+            + f"sensitivity={fallback_snapshot.get('sensitivity_level', '-')}/5, "
+            + f"concerns={concerns}"
+        )
+        return "\n".join(lines) + "\n", 1, True
+
+    lines = [f"SKIN SNAPSHOT HISTORY (last {days_window} days):"]
+    for s in in_window:
+        concerns = ", ".join(_ev(c) for c in (s.get("active_concerns") or [])) or "none"
+        lines.append(
+            "  "
+            + f"{s.get('snapshot_date')}: "
+            + f"overall={_ev(s.get('overall_state'))}, "
+            + f"barrier={_ev(s.get('barrier_state'))}, "
+            + f"hydration={s.get('hydration_level', '-')}/5, "
+            + f"sensitivity={s.get('sensitivity_level', '-')}/5, "
+            + f"concerns={concerns}"
+        )
+    return "\n".join(lines) + "\n", len(in_window), False
+
+
+def build_upcoming_grooming_context(
+    grooming_entries: list[dict[str, Any]],
+    start_date: date,
+    days: int = 7,
+) -> str:
+    day_names = backend_symbols()["_DAY_NAMES"]
+    if not grooming_entries:
+        return f"UPCOMING GROOMING (next {days} days): none\n"
+
+    entries_by_weekday: dict[int, list[dict[str, Any]]] = {}
+    for e in grooming_entries:
+        day = e.get("day_of_week")
+        if isinstance(day, int):
+            entries_by_weekday.setdefault(day, []).append(e)
+
+    lines = [f"UPCOMING GROOMING (next {days} days):"]
+    for offset in range(days):
+        target_date = start_date + timedelta(days=offset)
+        day_entries = entries_by_weekday.get(target_date.weekday(), [])
+        if not day_entries:
+            continue
+
+        if offset == 0:
+            relative_label = "dzisiaj"
+        elif offset == 1:
+            relative_label = "jutro"
+        else:
+            relative_label = f"za {offset} dni"
+
+        day_name = day_names[target_date.weekday()]
+        actions = ", ".join(
+            f"{_ev(e.get('action'))}"
+            + (f" ({e.get('notes')})" if e.get("notes") else "")
+            for e in day_entries
+        )
+        lines.append(f"  {relative_label} ({target_date}, {day_name}): {actions}")
+
+    if len(lines) == 1:
+        lines.append("  (no entries in this window)")
+
+    return "\n".join(lines) + "\n"
+
+
+def build_recent_history(
+    routines: list[dict[str, Any]],
+    products_by_id: dict[str, dict[str, Any]],
+    *,
+    routine_date: date,
+    days_window: int,
+) -> str:
+    cutoff = routine_date - timedelta(days=days_window - 1)
+    selected = [r for r in routines if cutoff <= r["_d"] <= routine_date]
+    if not selected:
+        return "RECENT ROUTINES: none\n"
+
+    lines = ["RECENT ROUTINES:"]
+    for r in selected:
+        steps = sorted(
+            list(r.get("steps") or []),
+            key=lambda s: int(s.get("order_index") or 0),
+        )
+        step_names: list[str] = []
+        for step in steps:
+            product_id = step.get("product_id")
+            if product_id:
+                product = products_by_id.get(str(product_id))
+                if product:
+                    step_names.append(
+                        f"{_ev(product.get('category'))} [{product.get('_short_id')}]"
+                    )
+                else:
+                    step_names.append(f"unknown [{str(product_id)[:8]}]")
+            elif step.get("action_type"):
+                step_names.append(f"action: {_ev(step.get('action_type'))}")
+
+        part_of_day = _ev(r.get("part_of_day")).upper()
+        lines.append(
+            f"  {r.get('routine_date')} {part_of_day}: {', '.join(step_names)}"
+        )
+
+    return "\n".join(lines) + "\n"
+
+
+def build_day_context(leaving_home: bool | None) -> str:
+    if leaving_home is None:
+        return ""
+    val = "yes" if leaving_home else "no"
+    return f"DAY CONTEXT:\n  Leaving home: {val}\n"
+
+
+def build_objectives_context(include_minoxidil_beard: bool) -> str:
+    if include_minoxidil_beard:
+        return (
+            "USER OBJECTIVES:\n"
+            "  - Priority: improve beard and mustache density\n"
+            "  - If a product with minoxidil is available, include it adhering strictly to safety rules\n"
+        )
+    return ""
+
+
+def build_last_used_on_by_product(routines: list[dict[str, Any]]) -> dict[str, date]:
+    last_used: dict[str, date] = {}
+    for r in routines:
+        routine_date = r["_d"]
+        for step in r.get("steps") or []:
+            product_id = step.get("product_id")
+            if not product_id:
+                continue
+            key = str(product_id)
+            if key in last_used:
+                continue
+            last_used[key] = routine_date
+    return last_used
+
+
+def get_available_products(
+    products: list[dict[str, Any]],
+    *,
+    time_filter: str | None,
+    include_minoxidil: bool,
+) -> list[dict[str, Any]]:
+    result: list[dict[str, Any]] = []
+    for p in products:
+        if p.get("is_tool"):
+            continue
+        if p.get("is_medication") and not _is_minoxidil_product(p):
+            continue
+        if not include_minoxidil and _is_minoxidil_product(p):
+            continue
+        rec_time = _ev(p.get("recommended_time"))
+        if time_filter and rec_time not in (time_filter, "both"):
+            continue
+        result.append(p)
+    return result
+
+
+def filter_products_by_interval(
+    products: list[dict[str, Any]],
+    *,
+    routine_date: date,
+    last_used_on_by_product: dict[str, date],
+) -> list[dict[str, Any]]:
+    result: list[dict[str, Any]] = []
+    for p in products:
+        min_interval_hours = p.get("min_interval_hours")
+        if isinstance(min_interval_hours, int) and min_interval_hours > 0:
+            last_used = last_used_on_by_product.get(p["_id"])
+            if last_used is not None:
+                days_needed = math.ceil(min_interval_hours / 24)
+                if routine_date < (last_used + timedelta(days=days_needed)):
+                    continue
+        result.append(p)
+    return result
+
+
+def get_products_with_inventory(products: list[dict[str, Any]]) -> set[str]:
+    ids: set[str] = set()
+    for p in products:
+        inventory = p.get("inventory") or []
+        for inv in inventory:
+            if inv.get("finished_at") is None:
+                ids.add(p["_id"])
+                break
+    return ids
+
+
+def build_products_context_summary_list(
+    products: list[dict[str, Any]],
+    products_with_inventory: set[str],
+) -> str:
+    lines = ["AVAILABLE PRODUCTS:"]
+    for p in products:
+        status = "[✓]" if p["_id"] in products_with_inventory else "[✗]"
+
+        effects: list[str] = []
+        profile = p.get("product_effect_profile") or {}
+        if isinstance(profile, dict):
+            if int(profile.get("hydration_immediate", 0) or 0) > 0:
+                effects.append(f"hydration={profile['hydration_immediate']}")
+            if int(profile.get("exfoliation_strength", 0) or 0) > 0:
+                effects.append(f"exfoliation={profile['exfoliation_strength']}")
+            if int(profile.get("retinoid_strength", 0) or 0) > 0:
+                effects.append(f"retinoid={profile['retinoid_strength']}")
+            if int(profile.get("irritation_risk", 0) or 0) > 0:
+                effects.append(f"irritation_risk={profile['irritation_risk']}")
+            if int(profile.get("barrier_disruption_risk", 0) or 0) > 0:
+                effects.append(f"barrier_risk={profile['barrier_disruption_risk']}")
+
+        rules = p.get("context_rules") or {}
+        safety_flags: list[str] = []
+        if isinstance(rules, dict):
+            if rules.get("safe_with_compromised_barrier"):
+                safety_flags.append("barrier_ok")
+            if rules.get("safe_after_shaving") is False:
+                safety_flags.append("!post_shave")
+
+        effects_str = f" effects={{{','.join(effects)}}}" if effects else ""
+        safety_str = f" safety={{{','.join(safety_flags)}}}" if safety_flags else ""
+        lines.append(
+            f"  {status} {p['_short_id']} | {p.get('brand')} {p.get('name')} ({p.get('category')})"
+            f"{effects_str}{safety_str}"
+        )
+    return "\n".join(lines) + "\n"
+
+
+def _extract_requested_product_ids(args: dict[str, Any], max_ids: int = 8) -> list[str]:
+    raw_ids = args.get("product_ids")
+    if not isinstance(raw_ids, list):
+        return []
+
+    requested_ids: list[str] = []
+    seen: set[str] = set()
+    for raw_id in raw_ids:
+        if not isinstance(raw_id, str):
+            continue
+        if raw_id in seen:
+            continue
+        seen.add(raw_id)
+        requested_ids.append(raw_id)
+        if len(requested_ids) >= max_ids:
+            break
+    return requested_ids
+
+
+def _compact_actives_payload(product: dict[str, Any]) -> list[dict[str, Any]]:
+    payload: list[dict[str, Any]] = []
+    for active in product.get("actives") or []:
+        if not isinstance(active, dict):
+            continue
+        name = str(active.get("name") or "").strip()
+        if not name:
+            continue
+        item: dict[str, Any] = {"name": name}
+        if active.get("percent") is not None:
+            item["percent"] = active.get("percent")
+        if isinstance(active.get("functions"), list):
+            item["functions"] = [str(f) for f in active["functions"][:4]]
+        if active.get("strength_level") is not None:
+            item["strength_level"] = str(active.get("strength_level"))
+        payload.append(item)
+    return payload[:5]
+
+
+def build_product_details_tool_handler(
+    products: list[dict[str, Any]],
+    *,
+    last_used_on_by_product: dict[str, date],
+):
+    available_by_id: dict[str, dict[str, Any]] = {}
+    for p in products:
+        available_by_id[p["_id"]] = p
+        available_by_id[p["_short_id"]] = p
+
+    def _handler(args: dict[str, Any]) -> dict[str, object]:
+        requested_ids = _extract_requested_product_ids(args)
+        payload: list[dict[str, Any]] = []
+        seen: set[str] = set()
+
+        for pid in requested_ids:
+            product = available_by_id.get(pid)
+            if product is None:
+                continue
+
+            full_id = product["_id"]
+            if full_id in seen:
+                continue
+            seen.add(full_id)
+
+            safety = {}
+            for flag in (
+                "fragrance_free",
+                "essential_oils_free",
+                "alcohol_denat_free",
+                "pregnancy_safe",
+            ):
+                value = product.get(flag)
+                if value is not None:
+                    safety[flag] = value
+
+            payload.append(
+                {
+                    "id": product["_short_id"],
+                    "name": product.get("name"),
+                    "brand": product.get("brand"),
+                    "category": product.get("category"),
+                    "recommended_time": product.get("recommended_time"),
+                    "leave_on": product.get("leave_on"),
+                    "targets": product.get("targets") or [],
+                    "effect_profile": product.get("product_effect_profile") or {},
+                    "actives": _compact_actives_payload(product),
+                    "context_rules": product.get("context_rules") or {},
+                    "safety": safety,
+                    "min_interval_hours": product.get("min_interval_hours"),
+                    "max_frequency_per_week": product.get("max_frequency_per_week"),
+                    "last_used_on": (
+                        last_used_on_by_product[full_id].isoformat()
+                        if full_id in last_used_on_by_product
+                        else None
+                    ),
+                }
+            )
+
+        return {"products": payload}
+
+    return _handler
+
+
+def build_prompt(
+    *,
+    routine_date: date,
+    part_of_day: str,
+    leaving_home: bool | None,
+    include_minoxidil_beard: bool,
+    profile_ctx: str,
+    skin_ctx: str,
+    snapshot_history_ctx: str,
+    upcoming_grooming_ctx: str,
+    recent_history_ctx: str,
+    products_ctx: str,
+    objectives_ctx: str,
+) -> str:
+    symbols = backend_symbols()
+    day_names = symbols["_DAY_NAMES"]
+    single_extra = symbols["_ROUTINES_SINGLE_EXTRA"]
+    weekday = routine_date.weekday()
+    day_name = day_names[weekday]
+    day_ctx = build_day_context(leaving_home)
+
+    return (
+        f"Zaproponuj rutynę pielęgnacyjną {part_of_day.upper()} "
+        f"na {routine_date} ({day_name}).\n\n"
+        "MODE: standard\n"
+        "INPUT DATA:\n"
+        f"{profile_ctx}"
+        f"{skin_ctx}"
+        f"{snapshot_history_ctx}"
+        f"{upcoming_grooming_ctx}"
+        f"{recent_history_ctx}"
+        f"{day_ctx}"
+        f"{products_ctx}"
+        f"{objectives_ctx}"
+        "\nNARZEDZIA:\n"
+        "- Masz dostep do funkcji: get_product_details.\n"
+        "- Wywoluj narzedzia tylko, gdy potrzebujesz detali do decyzji klinicznej/bezpieczenstwa.\n"
+        "- Staraj sie grupowac zapytania: podawaj wszystkie potrzebne UUID w jednym wywolaniu narzedzia.\n"
+        "- Nie zgaduj detali skladu i zasad bezpieczenstwa; jesli potrzebujesz szczegolow, wywolaj odpowiednie narzedzie.\n"
+        f"{single_extra}\n"
+        "Zwróć JSON zgodny ze schematem."
+    )
+
+
+def extract_usage(response: Any) -> tuple[str, str, str, str]:
+    usage = getattr(response, "usage_metadata", None)
+    if not usage:
+        return "", "", "", ""
+    prompt_tokens = str(getattr(usage, "prompt_token_count", "") or "")
+    completion_tokens = str(getattr(usage, "candidates_token_count", "") or "")
+    total_tokens = str(getattr(usage, "total_token_count", "") or "")
+    thoughts_tokens = str(getattr(usage, "thoughts_token_count", "") or "")
+    return prompt_tokens, completion_tokens, total_tokens, thoughts_tokens
+
+
+def call_routines_llm(
+    prompt: str, function_handler
+) -> tuple[int, dict[str, Any], float]:
+    symbols = backend_symbols()
+    http_exception = symbols["HTTPException"]
+    genai_types = symbols["genai_types"]
+    function_declaration = symbols["PRODUCT_DETAILS_FUNCTION_DECLARATION"]
+    routines_system_prompt = symbols["_ROUTINES_SYSTEM_PROMPT"]
+    suggestion_schema = symbols["_SuggestionOut"]
+    get_creative_config = symbols["get_creative_config"]
+    call_gemini = symbols["call_gemini"]
+    call_gemini_with_function_tools = symbols["call_gemini_with_function_tools"]
+
+    config = get_creative_config(
+        system_instruction=routines_system_prompt,
+        response_schema=suggestion_schema,
+        max_output_tokens=8192,
+    ).model_copy(
+        update={
+            "tools": [
+                genai_types.Tool(
+                    function_declarations=[function_declaration],
+                )
+            ],
+            "tool_config": genai_types.ToolConfig(
+                function_calling_config=genai_types.FunctionCallingConfig(
+                    mode=genai_types.FunctionCallingConfigMode.AUTO,
+                )
+            ),
+        }
+    )
+
+    t0 = time.perf_counter()
+    try:
+        response, _ = call_gemini_with_function_tools(
+            endpoint="routines/suggest-benchmark",
+            contents=prompt,
+            config=config,
+            function_handlers={"get_product_details": function_handler},
+            user_input=prompt,
+            max_tool_roundtrips=3,
+        )
+    except http_exception as exc:
+        if (
+            exc.status_code != 502
+            or str(exc.detail) != "Gemini requested too many function calls"
+        ):
+            raise
+
+        conservative_prompt = (
+            f"{prompt}\n\n"
+            "TRYB AWARYJNY (KONSERWATYWNY):\n"
+            "- Osiagnieto limit wywolan narzedzi.\n"
+            "- Nie wywoluj narzedzi ponownie.\n"
+            "- Zaproponuj maksymalnie konserwatywna, bezpieczna rutyne na podstawie dostepnych juz danych,"
+            " preferujac lagodne produkty wspierajace bariere i fotoprotekcje.\n"
+            "- Gdy masz watpliwosci, pomijaj ryzykowne aktywne kroki.\n"
+        )
+        response, _ = call_gemini(
+            endpoint="routines/suggest-benchmark",
+            contents=conservative_prompt,
+            config=get_creative_config(
+                system_instruction=routines_system_prompt,
+                response_schema=suggestion_schema,
+                max_output_tokens=8192,
+            ),
+            user_input=conservative_prompt,
+            tool_trace={
+                "mode": "fallback_conservative",
+                "reason": "max_tool_roundtrips_exceeded",
+            },
+        )
+
+    elapsed_ms = (time.perf_counter() - t0) * 1000
+    raw_text = getattr(response, "text", None)
+    if not raw_text:
+        return 502, {"detail": "LLM returned an empty response"}, elapsed_ms
+
+    try:
+        parsed = json.loads(raw_text)
+    except json.JSONDecodeError as exc:
+        return (
+            502,
+            {"detail": f"LLM returned invalid JSON: {exc}", "raw": raw_text},
+            elapsed_ms,
+        )
+
+    prompt_tokens, completion_tokens, total_tokens, thoughts_tokens = extract_usage(
+        response
+    )
+    parsed["_usage"] = {
+        "prompt_tokens": prompt_tokens,
+        "completion_tokens": completion_tokens,
+        "total_tokens": total_tokens,
+        "thoughts_tokens": thoughts_tokens,
+    }
+    return 200, parsed, elapsed_ms
+
+
+def summarize_error(payload: Any) -> str:
+    if isinstance(payload, dict):
+        detail = payload.get("detail")
+        if detail is not None:
+            return str(detail)
+        return str(payload)
+    return str(payload)
+
+
+def safe_csv_text(value: object, max_len: int = 240) -> str:
+    text = "" if value is None else str(value)
+    text = re.sub(r"\s+", " ", text).strip()
+    if len(text) > max_len:
+        return text[: max_len - 3] + "..."
+    return text
+
+
+def to_json_text(value: object) -> str:
+    try:
+        return json.dumps(value, ensure_ascii=False)
+    except Exception:
+        return json.dumps({"unserializable": str(value)}, ensure_ascii=False)
+
+
+def run_experiment(
+    *,
+    base_url: str,
+    routine_date: date,
+    part_of_day: str,
+    leaving_home: bool,
+    include_minoxidil_beard: bool,
+    windows: list[int],
+    repeats: int,
+    out_csv: str,
+    out_jsonl: str,
+    api_timeout: int,
+    throttle_sec: float,
+) -> int:
+    dataset = fetch_required_data(base_url, timeout=api_timeout)
+
+    profile = dataset["profile"]
+    snapshots = dataset["snapshots"]
+    routines = dataset["routines"]
+    all_products = dataset["products"]
+
+    products_by_id = {p["_id"]: p for p in all_products}
+    profile_ctx = build_user_profile_context(profile, routine_date)
+    upcoming_grooming_ctx = build_upcoming_grooming_context(
+        dataset["grooming"],
+        start_date=routine_date,
+        days=7,
+    )
+
+    fieldnames = [
+        "run_at",
+        "days_window",
+        "repeat",
+        "routine_date",
+        "part_of_day",
+        "snapshots_in_window",
+        "snapshot_fallback_used",
+        "http_status",
+        "duration_ms",
+        "steps_count",
+        "primary_goal",
+        "confidence",
+        "reasoning_excerpt",
+        "prompt_tokens",
+        "completion_tokens",
+        "total_tokens",
+        "thoughts_tokens",
+        "routine_json",
+        "error_detail",
+    ]
+
+    rows_written = 0
+    with (
+        open(out_csv, "w", newline="", encoding="utf-8") as f,
+        open(out_jsonl, "w", encoding="utf-8") as jf,
+    ):
+        writer = csv.DictWriter(f, fieldnames=fieldnames)
+        writer.writeheader()
+
+        for window in windows:
+            for rep in range(1, repeats + 1):
+                print(f"[{window}d #{rep}] preparing prompt...")
+                snapshot_history_ctx, snapshots_in_window, snapshot_fallback_used = (
+                    build_snapshot_history_context(
+                        snapshots=snapshots,
+                        routine_date=routine_date,
+                        days_window=window,
+                    )
+                )
+                effective_snapshot = pick_effective_snapshot(
+                    snapshots,
+                    routine_date=routine_date,
+                    days_window=window,
+                    max_fallback_days=14,
+                )
+                skin_ctx = build_skin_context(effective_snapshot)
+                recent_history_ctx = build_recent_history(
+                    routines,
+                    products_by_id=products_by_id,
+                    routine_date=routine_date,
+                    days_window=window,
+                )
+
+                available_products = get_available_products(
+                    all_products,
+                    time_filter=part_of_day,
+                    include_minoxidil=include_minoxidil_beard,
+                )
+                last_used = build_last_used_on_by_product(routines)
+                available_products = filter_products_by_interval(
+                    available_products,
+                    routine_date=routine_date,
+                    last_used_on_by_product=last_used,
+                )
+                products_with_inventory = get_products_with_inventory(
+                    available_products
+                )
+                products_ctx = build_products_context_summary_list(
+                    available_products,
+                    products_with_inventory,
+                )
+                objectives_ctx = build_objectives_context(include_minoxidil_beard)
+
+                prompt = build_prompt(
+                    routine_date=routine_date,
+                    part_of_day=part_of_day,
+                    leaving_home=leaving_home if part_of_day == "am" else None,
+                    include_minoxidil_beard=include_minoxidil_beard,
+                    profile_ctx=profile_ctx,
+                    skin_ctx=skin_ctx,
+                    snapshot_history_ctx=snapshot_history_ctx,
+                    upcoming_grooming_ctx=upcoming_grooming_ctx,
+                    recent_history_ctx=recent_history_ctx,
+                    products_ctx=products_ctx,
+                    objectives_ctx=objectives_ctx,
+                )
+
+                handler = build_product_details_tool_handler(
+                    available_products,
+                    last_used_on_by_product=last_used,
+                )
+
+                row = {
+                    "run_at": datetime.now().isoformat(timespec="seconds"),
+                    "days_window": window,
+                    "repeat": rep,
+                    "routine_date": routine_date.isoformat(),
+                    "part_of_day": part_of_day,
+                    "snapshots_in_window": snapshots_in_window,
+                    "snapshot_fallback_used": snapshot_fallback_used,
+                    "http_status": "",
+                    "duration_ms": "",
+                    "steps_count": "",
+                    "primary_goal": "",
+                    "confidence": "",
+                    "reasoning_excerpt": "",
+                    "prompt_tokens": "",
+                    "completion_tokens": "",
+                    "total_tokens": "",
+                    "thoughts_tokens": "",
+                    "routine_json": "",
+                    "error_detail": "",
+                }
+
+                try:
+                    print(f"[{window}d #{rep}] calling Gemini...")
+                    status, payload, elapsed_ms = call_routines_llm(prompt, handler)
+                    row["http_status"] = status
+                    row["duration_ms"] = int(elapsed_ms)
+
+                    if status == 200 and isinstance(payload, dict):
+                        summary = payload.get("summary") or {}
+                        usage = payload.get("_usage") or {}
+                        row["steps_count"] = len(payload.get("steps") or [])
+                        row["primary_goal"] = safe_csv_text(
+                            summary.get("primary_goal"), 180
+                        )
+                        row["confidence"] = summary.get("confidence", "")
+                        row["reasoning_excerpt"] = safe_csv_text(
+                            payload.get("reasoning"), 240
+                        )
+                        row["prompt_tokens"] = usage.get("prompt_tokens", "")
+                        row["completion_tokens"] = usage.get("completion_tokens", "")
+                        row["total_tokens"] = usage.get("total_tokens", "")
+                        row["thoughts_tokens"] = usage.get("thoughts_tokens", "")
+                        row["routine_json"] = to_json_text(payload)
+                    else:
+                        row["routine_json"] = to_json_text(payload)
+                        row["error_detail"] = safe_csv_text(
+                            summarize_error(payload), 240
+                        )
+                except Exception as exc:
+                    row["http_status"] = 0
+                    row["error_detail"] = safe_csv_text(str(exc), 240)
+                    row["routine_json"] = to_json_text({"error": str(exc)})
+
+                writer.writerow(row)
+                f.flush()
+                jsonl_row = {
+                    "run_at": row["run_at"],
+                    "days_window": window,
+                    "repeat": rep,
+                    "routine_date": routine_date.isoformat(),
+                    "part_of_day": part_of_day,
+                    "http_status": row["http_status"],
+                    "duration_ms": row["duration_ms"],
+                    "payload": json.loads(row["routine_json"]),
+                }
+                jf.write(json.dumps(jsonl_row, ensure_ascii=False) + "\n")
+                jf.flush()
+                rows_written += 1
+                print(
+                    f"[{window}d #{rep}] status={row['http_status']} "
+                    f"steps={row['steps_count'] or '-'} tokens={row['total_tokens'] or '-'}"
+                )
+                time.sleep(throttle_sec)
+
+    return rows_written
+
+
+def parse_windows(raw: str) -> list[int]:
+    values = [int(x.strip()) for x in raw.split(",") if x.strip()]
+    if not values:
+        raise ValueError("--windows must contain at least one integer")
+    if any(v < 1 for v in values):
+        raise ValueError("--windows values must be >= 1")
+    return values
+
+
+def main() -> int:
+    parser = argparse.ArgumentParser(
+        description="Benchmark routines LLM output across skincare snapshot history windows"
+    )
+    parser.add_argument("--base-url", default=DEFAULT_BASE_URL)
+    parser.add_argument("--routine-date", default=date.today().isoformat())
+    parser.add_argument("--part-of-day", choices=["am", "pm"], default="am")
+    parser.add_argument("--leaving-home", action="store_true")
+    parser.add_argument("--include-minoxidil-beard", action="store_true")
+    parser.add_argument("--windows", default=",".join(str(w) for w in DEFAULT_WINDOWS))
+    parser.add_argument("--repeats", type=int, default=3)
+    parser.add_argument("--out", default=DEFAULT_OUT)
+    parser.add_argument(
+        "--out-jsonl",
+        default="",
+        help="JSONL output with full routine payload per run (default: <out>.jsonl)",
+    )
+    parser.add_argument("--api-timeout", type=int, default=20)
+    parser.add_argument("--throttle-sec", type=float, default=0.4)
+    args = parser.parse_args()
+
+    if args.repeats < 1:
+        raise ValueError("--repeats must be >= 1")
+
+    if not os.environ.get("GEMINI_API_KEY"):
+        raise RuntimeError("GEMINI_API_KEY is not set")
+
+    windows = parse_windows(args.windows)
+    routine_date = date.fromisoformat(args.routine_date)
+    out_jsonl = args.out_jsonl or str(Path(args.out).with_suffix(".jsonl"))
+
+    print("Starting benchmark with production-like prompt + function tools")
+    print(
+        f"windows={windows}, repeats={args.repeats}, out={args.out}, out_jsonl={out_jsonl}"
+    )
+
+    written = 0
+    try:
+        written = run_experiment(
+            base_url=args.base_url,
+            routine_date=routine_date,
+            part_of_day=args.part_of_day,
+            leaving_home=args.leaving_home,
+            include_minoxidil_beard=args.include_minoxidil_beard,
+            windows=windows,
+            repeats=args.repeats,
+            out_csv=args.out,
+            out_jsonl=out_jsonl,
+            api_timeout=args.api_timeout,
+            throttle_sec=args.throttle_sec,
+        )
+    except KeyboardInterrupt:
+        print("Interrupted by user. Partial CSV was already flushed to disk.")
+        return 130
+
+    print(f"Done. Wrote {written} rows to: {args.out} and {out_jsonl}")
+    return 0
+
+
+if __name__ == "__main__":
+    raise SystemExit(main())
diff --git a/tests/routines_suggest_history_experiment.csv b/tests/routines_suggest_history_experiment.csv
new file mode 100644
index 0000000..7cd9844
--- /dev/null
+++ b/tests/routines_suggest_history_experiment.csv
@@ -0,0 +1,13 @@
+run_at,days_window,repeat,routine_date,part_of_day,snapshots_in_window,snapshot_fallback_used,http_status,duration_ms,steps_count,primary_goal,confidence,reasoning_excerpt,prompt_tokens,completion_tokens,total_tokens,thoughts_tokens,routine_json,error_detail
+2026-03-07T23:47:04,1,1,2026-03-07,pm,1,False,200,20403,5,Wyciszenie stanów zapalnych i regeneracja bariery ochronnej po goleniu.,1.0,"Rutyna została zaprojektowana z myślą o jednoczesnym wyciszeniu aktywnych zmian trądzikowych oraz odbudowie bariery hydrolipidowej, która jest obecnie osłabiona. Ze względu na dzisiejsze golenie maszynką, wykluczono drażniące kwasy (AHA/...",7339,801,8674,534,"{""steps"": [{""product_id"": ""349f49cc"", ""action_type"": null, ""region"": null, ""action_notes"": null, ""why_this_step"": ""Pierwszy etap oczyszczania, który skutecznie usuwa resztki filtrów SPF i nadmiar sebum bez naruszania barierowości."", ""optional"": false}, {""product_id"": ""77cbf37c"", ""action_type"": null, ""region"": null, ""action_notes"": null, ""why_this_step"": ""Łagodny żel myjący, który domywa pozostałości oleju, będąc jednocześnie bezpiecznym dla podrażnionej goleniem skóry."", ""optional"": false}, {""product_id"": ""65f297db"", ""action_type"": null, ""region"": null, ""action_notes"": null, ""why_this_step"": ""Wysokie stężenie pantenolu (5%) natychmiastowo koi zaczerwienienia i wspiera regenerację naskórka."", ""optional"": false}, {""product_id"": ""53fc4050"", ""action_type"": null, ""region"": ""twarz"", ""action_notes"": ""Skup się na dolnej części policzków i linii żuchwy, gdzie występują zmiany zapalne."", ""why_this_step"": ""Kwas azelainowy działa przeciwzapalnie i przeciwtrądzikowo, będąc jedną z najbezpieczniejszych substancji przy naruszonej barierze."", ""optional"": false}, {""product_id"": ""10474d06"", ""action_type"": null, ""region"": null, ""action_notes"": null, ""why_this_step"": ""Intensywna odbudowa bariery dzięki ceramidom i niacynamidowi, kluczowa przy obecnym stanie 'mildly_compromised'."", ""optional"": false}], ""reasoning"": ""Rutyna została zaprojektowana z myślą o jednoczesnym wyciszeniu aktywnych zmian trądzikowych oraz odbudowie bariery hydrolipidowej, która jest obecnie osłabiona. Ze względu na dzisiejsze golenie maszynką, wykluczono drażniące kwasy (AHA/BHA) oraz retinol na rzecz kwasu azelainowego, który jest bezpieczny po goleniu i skutecznie redukuje zaczerwienienia. Zastosowano dwuetapowe oczyszczanie dla dokładnego oczyszczenia porów oraz silną dawkę składników kojących (pantenol, ceramidy, niacynamid), aby przyspieszyć regenerację skóry."", ""summary"": {""primary_goal"": ""Wyciszenie stanów zapalnych i regeneracja bariery ochronnej po goleniu."", ""constraints_applied"": [""bezpieczeństwo po goleniu (safe_after_shaving)"", ""ochrona naruszonej bariery (mildly_compromised)"", ""brak łączenia kwasów z retinoidami"", ""maksymalnie 2 serum w rutynie""], ""confidence"": 1.0}, ""_usage"": {""prompt_tokens"": ""7339"", ""completion_tokens"": ""801"", ""total_tokens"": ""8674"", ""thoughts_tokens"": ""534""}}",
+2026-03-07T23:47:25,1,2,2026-03-07,pm,1,False,200,22389,6,Regeneracja bariery hydrolipidowej i wyciszenie stanów zapalnych po goleniu.,1.0,"Rutyna PM skupia się na regeneracji bariery naskórkowej, która jest obecnie w stanie 'mildly compromised', oraz na łagodzeniu aktywnych zmian trądzikowych. Ze względu na dzisiejsze golenie maszynką (shaving_razor), wykluczono wszystkie d...",7292,852,9205,1061,"{""steps"": [{""product_id"": ""6e663735"", ""action_type"": null, ""region"": null, ""action_notes"": null, ""why_this_step"": ""Pierwszy etap oczyszczania dwuetapowego, aby skutecznie usunąć resztki filtrów SPF i zanieczyszczenia bez naruszania bariery."", ""optional"": false}, {""product_id"": ""77cbf37c"", ""action_type"": null, ""region"": null, ""action_notes"": null, ""why_this_step"": ""Łagodny żel myjący, który domywa skórę bez ryzyka podrażnienia świeżo ogolonej twarzy."", ""optional"": false}, {""product_id"": ""65f297db"", ""action_type"": null, ""region"": null, ""action_notes"": null, ""why_this_step"": ""Przywraca nawilżenie i koi skórę dzięki zawartości pantenolu i czynników NMF."", ""optional"": false}, {""product_id"": ""0bbd3c67"", ""action_type"": null, ""region"": null, ""action_notes"": null, ""why_this_step"": ""Cynk PCA pomaga wyciszyć stany zapalne i regulować pory, będąc jednocześnie bezpiecznym dla naruszonej bariery."", ""optional"": false}, {""product_id"": ""9f58a454"", ""action_type"": null, ""region"": null, ""action_notes"": null, ""why_this_step"": ""Intensywne wsparcie bariery hydrolipidowej dzięki ceramidom i niacynamidowi."", ""optional"": false}, {""product_id"": ""10474d06"", ""action_type"": null, ""region"": null, ""action_notes"": null, ""why_this_step"": ""Bogaty krem z ceramidami, który domyka pielęgnację i przyspiesza regenerację naskórka po goleniu."", ""optional"": false}], ""reasoning"": ""Rutyna PM skupia się na regeneracji bariery naskórkowej, która jest obecnie w stanie 'mildly compromised', oraz na łagodzeniu aktywnych zmian trądzikowych. Ze względu na dzisiejsze golenie maszynką (shaving_razor), wykluczono wszystkie drażniące składniki aktywne (retinol, kwasy AHA/BHA, witaminę C), zastępując je bezpiecznymi alternatywami. Zastosowano Zinc PCA dla kontroli porów i stanów zapalnych oraz podwójną dawkę ceramidów (serum + krem), aby maksymalnie wesprzeć procesy naprawcze w nocy."", ""summary"": {""primary_goal"": ""Regeneracja bariery hydrolipidowej i wyciszenie stanów zapalnych po goleniu."", ""constraints_applied"": [""Wykluczenie produktów z flagą !post_shave"", ""Dostosowanie do naruszonej bariery (mildly_compromised)"", ""Unikanie łączenia kwasów i retinoidów"", ""Zastosowanie oczyszczania dwuetapowego w PM""], ""confidence"": 1.0}, ""_usage"": {""prompt_tokens"": ""7292"", ""completion_tokens"": ""852"", ""total_tokens"": ""9205"", ""thoughts_tokens"": ""1061""}}",
+2026-03-07T23:47:48,1,3,2026-03-07,pm,1,False,200,14983,6,Regeneracja bariery skórnej i wyciszenie stanów zapalnych po goleniu.,1.0,"Rutyna PM koncentruje się na regeneracji bariery (mildly_compromised) oraz wyciszeniu aktywnych zmian zapalnych po porannym goleniu maszynką. Wykluczono wszystkie drażniące składniki aktywne (retinol, kwasy AHA/BHA, witamina C) ze względ...",3327,821,6056,1908,"{""steps"": [{""product_id"": ""6e663735"", ""action_type"": null, ""region"": null, ""action_notes"": null, ""why_this_step"": ""Olejek skutecznie rozpuszcza filtry SPF i zanieczyszczenia bez naruszania bariery lipidowej."", ""optional"": false}, {""product_id"": ""77cbf37c"", ""action_type"": null, ""region"": null, ""action_notes"": null, ""why_this_step"": ""Łagodny żel myjący usuwa pozostałości olejku, będąc w pełni bezpiecznym dla skóry po goleniu."", ""optional"": false}, {""product_id"": ""65f297db"", ""action_type"": null, ""region"": null, ""action_notes"": null, ""why_this_step"": ""Toner z pantenolem natychmiast koi podrażnienia po porannym goleniu i przywraca nawilżenie."", ""optional"": false}, {""product_id"": ""0ce2d373"", ""action_type"": null, ""region"": null, ""action_notes"": null, ""why_this_step"": ""Pochodna kwasu azelainowego redukuje stany zapalne i zaczerwienienia, nie drażniąc naruszonej bariery."", ""optional"": false}, {""product_id"": ""9f58a454"", ""action_type"": null, ""region"": null, ""action_notes"": null, ""why_this_step"": ""Serum wspierające barierę ochronną przyspiesza regenerację naskórka i łagodzi reaktywność skóry."", ""optional"": false}, {""product_id"": ""10474d06"", ""action_type"": null, ""region"": null, ""action_notes"": null, ""why_this_step"": ""Krem z ceramidami intensywnie odbudowuje barierę hydrolipidową podczas snu."", ""optional"": false}], ""reasoning"": ""Rutyna PM koncentruje się na regeneracji bariery (mildly_compromised) oraz wyciszeniu aktywnych zmian zapalnych po porannym goleniu maszynką. Wykluczono wszystkie drażniące składniki aktywne (retinol, kwasy AHA/BHA, witamina C) ze względu na status 'post_shave' oraz osłabioną barierę. Zastosowano dwuetapowe oczyszczanie dla dokładnego usunięcia SPF, a następnie warstwową terapię kojącą opartą na pantenolu, pochodnej kwasu azelainowego (aPAD) oraz ceramidach, co bezpośrednio odpowiada na priorytety użytkownika."", ""summary"": {""primary_goal"": ""Regeneracja bariery skórnej i wyciszenie stanów zapalnych po goleniu."", ""constraints_applied"": [""safety_post_shave"", ""barrier_repair_priority"", ""no_acids_with_retinoids"", ""max_2_serums""], ""confidence"": 1.0}, ""_usage"": {""prompt_tokens"": ""3327"", ""completion_tokens"": ""821"", ""total_tokens"": ""6056"", ""thoughts_tokens"": ""1908""}}",
+2026-03-07T23:48:03,3,1,2026-03-07,pm,2,False,200,24377,6,Regeneracja bariery hydrolipidowej i wyciszenie stanów zapalnych.,1.0,"Rutyna została skonstruowana tak, aby maksymalnie wspierać regenerację bariery skórnej, która jest obecnie w stanie 'mildly compromised', przy jednoczesnym adresowaniu zmian trądzikowych. Zrezygnowano z silnych kwasów (AHA/BHA) oraz reti...",9139,881,10377,357,"{""steps"": [{""product_id"": ""349f49cc"", ""action_type"": null, ""region"": null, ""action_notes"": null, ""why_this_step"": ""Pierwszy etap oczyszczania dwuetapowego, który skutecznie usuwa filtry SPF i nadmiar sebum bez naruszania barier ochronnych."", ""optional"": false}, {""product_id"": ""77cbf37c"", ""action_type"": null, ""region"": null, ""action_notes"": null, ""why_this_step"": ""Łagodny żel myjący, który domywa pozostałości oleju, dbając o wrażliwą i naruszoną barierę skóry."", ""optional"": false}, {""product_id"": ""65f297db"", ""action_type"": null, ""region"": null, ""action_notes"": null, ""why_this_step"": ""Tonik z pantenolem błyskawicznie koi zaczerwienienia i przygotowuje skórę na przyjęcie składników aktywnych."", ""optional"": false}, {""product_id"": ""0bbd3c67"", ""action_type"": null, ""region"": null, ""action_notes"": null, ""why_this_step"": ""Cynk PCA pomaga wyciszyć stany zapalne i reguluje pracę porów, będąc jednocześnie bezpiecznym dla naruszonej bariery."", ""optional"": false}, {""product_id"": ""9f58a454"", ""action_type"": null, ""region"": null, ""action_notes"": null, ""why_this_step"": ""Serum z ceramidami i cica intensywnie wspiera regenerację bariery hydrolipidowej i łagodzi podrażnienia po goleniu."", ""optional"": false}, {""product_id"": ""9d71771e"", ""action_type"": null, ""region"": null, ""action_notes"": null, ""why_this_step"": ""Krem z ektoiną zapewnia głębokie nawilżenie i domyka rutynę, tworząc ochronną warstwę wspomagającą nocną regenerację."", ""optional"": false}], ""reasoning"": ""Rutyna została skonstruowana tak, aby maksymalnie wspierać regenerację bariery skórnej, która jest obecnie w stanie 'mildly compromised', przy jednoczesnym adresowaniu zmian trądzikowych. Zrezygnowano z silnych kwasów (AHA/BHA) oraz retinoidów ze względu na dzisiejsze golenie twarzy maszynką oraz osłabioną kondycję skóry. Zastosowano dwuetapowe oczyszczanie dla dokładnego, ale delikatnego usunięcia zanieczyszczeń. Kluczowe składniki to cynk PCA (działanie przeciwzapalne), ceramidy i cica (odbudowa bariery) oraz ektoina (intensywne nawilżenie i ochrona)."", ""summary"": {""primary_goal"": ""Regeneracja bariery hydrolipidowej i wyciszenie stanów zapalnych."", ""constraints_applied"": [""Bezpieczeństwo po goleniu maszynką (brak kwasów i retinoidów)"", ""Ochrona naruszonej bariery skórnej"", ""Maksymalnie 2 sera w rutynie"", ""Brak redundancji składników aktywnych""], ""confidence"": 1.0}, ""_usage"": {""prompt_tokens"": ""9139"", ""completion_tokens"": ""881"", ""total_tokens"": ""10377"", ""thoughts_tokens"": ""357""}}",
+2026-03-07T23:48:28,3,2,2026-03-07,pm,2,False,200,16481,6,Wyciszenie stanów zapalnych i intensywna regeneracja bariery po goleniu.,0.95,"Rutyna skupia się na regeneracji bariery hydrolipidowej, która jest obecnie osłabiona, oraz na łagodzeniu skutków porannego golenia maszynką. Wykluczono wszystkie drażniące składniki aktywne (kwasy, retinoidy) ze względu na flagę bezpiec...",3660,802,6391,1929,"{""steps"": [{""product_id"": ""349f49cc"", ""action_type"": null, ""region"": null, ""action_notes"": null, ""why_this_step"": ""Delikatny olejek do demakijażu skutecznie usuwa filtr SPF i zanieczyszczenia bez naruszania bariery."", ""optional"": false}, {""product_id"": ""77cbf37c"", ""action_type"": null, ""region"": null, ""action_notes"": null, ""why_this_step"": ""Drugi etap oczyszczania ultra-delikatnym żelem, aby usunąć pozostałości olejku."", ""optional"": false}, {""product_id"": ""65f297db"", ""action_type"": null, ""region"": null, ""action_notes"": null, ""why_this_step"": ""Toner z pantenolem natychmiastowo koi skórę po porannym goleniu i przywraca nawilżenie."", ""optional"": false}, {""product_id"": ""0bbd3c67"", ""action_type"": null, ""region"": null, ""action_notes"": null, ""why_this_step"": ""Cynk PCA pomaga wyciszyć stany zapalne i reguluje pracę porów bez ryzyka podrażnienia."", ""optional"": false}, {""product_id"": ""9f58a454"", ""action_type"": null, ""region"": null, ""action_notes"": null, ""why_this_step"": ""Serum barierowe wspiera regenerację naskórka, co jest kluczowe przy naruszonej barierze."", ""optional"": false}, {""product_id"": ""10474d06"", ""action_type"": null, ""region"": null, ""action_notes"": null, ""why_this_step"": ""Krem z ceramidami intensywnie odbudowuje warstwę lipidową i domyka nawilżenie."", ""optional"": false}], ""reasoning"": ""Rutyna skupia się na regeneracji bariery hydrolipidowej, która jest obecnie osłabiona, oraz na łagodzeniu skutków porannego golenia maszynką. Wykluczono wszystkie drażniące składniki aktywne (kwasy, retinoidy) ze względu na flagę bezpieczeństwa '!post_shave' oraz stan skóry. Zastosowano dwuetapowe oczyszczanie dla dokładnego usunięcia SPF, a następnie warstwową pielęgnację kojącą (pantenol, cynk PCA, ceramidy), która adresuje zarówno trądzik zapalny, jak i zaczerwienienia."", ""summary"": {""primary_goal"": ""Wyciszenie stanów zapalnych i intensywna regeneracja bariery po goleniu."", ""constraints_applied"": [""mildly_compromised_barrier"", ""post_shave_safety"", ""no_acids_with_retinoids"", ""max_2_serums""], ""confidence"": 0.95}, ""_usage"": {""prompt_tokens"": ""3660"", ""completion_tokens"": ""802"", ""total_tokens"": ""6391"", ""thoughts_tokens"": ""1929""}}",
+2026-03-07T23:48:45,3,3,2026-03-07,pm,2,False,200,18310,6,Ukojenie aktywnych zmian zapalnych i intensywna regeneracja bariery po goleniu.,0.95,"Rutyna skupia się na priorytetach użytkownika: wyciszeniu stanów zapalnych i odbudowie bariery, która jest obecnie w stanie 'mildly_compromised'. Ze względu na poranne golenie żyletką (shaving_razor), wykluczono wszystkie produkty z flag...",3660,826,6981,2495,"{""steps"": [{""product_id"": ""349f49cc"", ""action_type"": null, ""region"": null, ""action_notes"": null, ""why_this_step"": ""Skuteczne usunięcie filtrów SPF i zanieczyszczeń bez naruszania bariery ochronnej."", ""optional"": false}, {""product_id"": ""77cbf37c"", ""action_type"": null, ""region"": null, ""action_notes"": null, ""why_this_step"": ""Łagodne oczyszczanie wodne, bezpieczne dla skóry po porannym goleniu żyletką."", ""optional"": false}, {""product_id"": ""65f297db"", ""action_type"": null, ""region"": null, ""action_notes"": null, ""why_this_step"": ""Intensywne ukojenie i nawilżenie dzięki zawartości pantenolu i alantoiny."", ""optional"": false}, {""product_id"": ""0bbd3c67"", ""action_type"": null, ""region"": null, ""action_notes"": null, ""why_this_step"": ""Cynk PCA pomaga wyciszyć stany zapalne i reguluje pracę porów bez podrażnień."", ""optional"": false}, {""product_id"": ""9f58a454"", ""action_type"": null, ""region"": null, ""action_notes"": null, ""why_this_step"": ""Wsparcie regeneracji bariery hydrolipidowej i redukcja zaczerwienień w strefie T."", ""optional"": false}, {""product_id"": ""10474d06"", ""action_type"": null, ""region"": null, ""action_notes"": null, ""why_this_step"": ""Ceramidy kluczowe dla odbudowy naruszonej bariery ochronnej skóry."", ""optional"": false}], ""reasoning"": ""Rutyna skupia się na priorytetach użytkownika: wyciszeniu stanów zapalnych i odbudowie bariery, która jest obecnie w stanie 'mildly_compromised'. Ze względu na poranne golenie żyletką (shaving_razor), wykluczono wszystkie produkty z flagą !post_shave (retinol, kwasy AHA/BHA, witamina C), aby uniknąć pieczenia i pogłębienia podrażnień. Zastosowano dwuetapowe oczyszczanie dla dokładnego usunięcia SPF. Wybrano dwa sera: cynkowe (na trądzik i pory) oraz barierowe (na zaczerwienienia). Całość domyka krem z ceramidami, który bezpośrednio adresuje osłabioną barierę."", ""summary"": {""primary_goal"": ""Ukojenie aktywnych zmian zapalnych i intensywna regeneracja bariery po goleniu."", ""constraints_applied"": [""safety_post_shave_razor"", ""barrier_mildly_compromised_caution"", ""max_2_serums_limit"", ""no_acid_retinoid_overlap""], ""confidence"": 0.95}, ""_usage"": {""prompt_tokens"": ""3660"", ""completion_tokens"": ""826"", ""total_tokens"": ""6981"", ""thoughts_tokens"": ""2495""}}",
+2026-03-07T23:49:04,5,1,2026-03-07,pm,4,False,200,21635,6,Regeneracja bariery hydrolipidowej i łagodzenie stanów zapalnych.,1.0,Rutyna skupia się na regeneracji bariery (mildly_compromised) oraz wyciszeniu aktywnych zmian zapalnych i zaczerwienień po porannym goleniu maszynką. Zastosowano dwuetapowe oczyszczanie dla dokładnego usunięcia SPF. Wybrano aPAD jako łag...,7874,797,9159,488,"{""steps"": [{""product_id"": ""349f49cc"", ""action_type"": null, ""region"": null, ""action_notes"": null, ""why_this_step"": ""Pierwszy etap oczyszczania usuwa pozostałości filtrów SPF i zanieczyszczenia bez naruszania bariery."", ""optional"": false}, {""product_id"": ""77cbf37c"", ""action_type"": null, ""region"": null, ""action_notes"": null, ""why_this_step"": ""Łagodne oczyszczanie wodne usuwa resztki olejku i przygotowuje skórę na składniki aktywne."", ""optional"": false}, {""product_id"": ""65f297db"", ""action_type"": null, ""region"": null, ""action_notes"": null, ""why_this_step"": ""Przywraca nawilżenie i koi skórę dzięki zawartości pantenolu i alantoiny."", ""optional"": false}, {""product_id"": ""0ce2d373"", ""action_type"": null, ""region"": null, ""action_notes"": null, ""why_this_step"": ""Pochodna kwasu azelainowego redukuje stany zapalne i zaczerwienienia, będąc bezpieczną dla naruszonej bariery."", ""optional"": false}, {""product_id"": ""9f58a454"", ""action_type"": null, ""region"": null, ""action_notes"": null, ""why_this_step"": ""Intensywnie regeneruje barierę hydrolipidową dzięki ceramidom i wycisza skórę po porannym goleniu."", ""optional"": false}, {""product_id"": ""9d71771e"", ""action_type"": null, ""region"": null, ""action_notes"": null, ""why_this_step"": ""Silnie nawilża i wspiera regenerację naskórka dzięki ektoinie i aminokwasom."", ""optional"": false}], ""reasoning"": ""Rutyna skupia się na regeneracji bariery (mildly_compromised) oraz wyciszeniu aktywnych zmian zapalnych i zaczerwienień po porannym goleniu maszynką. Zastosowano dwuetapowe oczyszczanie dla dokładnego usunięcia SPF. Wybrano aPAD jako łagodną alternatywę dla kwasów/retinoidów, która skutecznie zwalcza trądzik i rumień bez ryzyka podrażnień. Serum barierowe z ceramidami oraz krem z ektoiną zapewniają maksymalne wsparcie naprawcze i nawilżenie."", ""summary"": {""primary_goal"": ""Regeneracja bariery hydrolipidowej i łagodzenie stanów zapalnych."", ""constraints_applied"": [""mildly_compromised_barrier"", ""post_shave_safety"", ""max_2_serums"", ""no_acids_with_retinoids""], ""confidence"": 1.0}, ""_usage"": {""prompt_tokens"": ""7874"", ""completion_tokens"": ""797"", ""total_tokens"": ""9159"", ""thoughts_tokens"": ""488""}}",
+2026-03-07T23:49:26,5,2,2026-03-07,pm,4,False,200,18743,6,Regeneracja bariery hydrolipidowej i łagodzenie stanów zapalnych po goleniu.,1.0,Rutyna skupia się na priorytecie odbudowy bariery (mildly_compromised) oraz wyciszeniu aktywnych zmian zapalnych po porannym goleniu maszynką. Zrezygnowano z retinolu i kwasów AHA/BHA ze względu na ryzyko podrażnienia świeżo ogolonej skó...,4024,836,7354,2494,"{""steps"": [{""product_id"": ""349f49cc"", ""action_type"": null, ""region"": null, ""action_notes"": null, ""why_this_step"": ""Pierwszy etap oczyszczania dwuetapowego, aby delikatnie usunąć resztki filtrów SPF i zanieczyszczenia bez naruszania bariery."", ""optional"": false}, {""product_id"": ""77cbf37c"", ""action_type"": null, ""region"": null, ""action_notes"": null, ""why_this_step"": ""Łagodny żel myjący, który domywa skórę bez ryzyka podrażnienia świeżo ogolonej twarzy."", ""optional"": false}, {""product_id"": ""65f297db"", ""action_type"": null, ""region"": null, ""action_notes"": null, ""why_this_step"": ""Dostarcza pantenolu, który koi skórę i przygotowuje ją na przyjęcie składników aktywnych."", ""optional"": false}, {""product_id"": ""0bbd3c67"", ""action_type"": null, ""region"": null, ""action_notes"": null, ""why_this_step"": ""Cynk PCA pomaga wyciszyć stany zapalne i reguluje pracę porów w sposób bezpieczny dla osłabionej bariery."", ""optional"": false}, {""product_id"": ""9f58a454"", ""action_type"": null, ""region"": null, ""action_notes"": null, ""why_this_step"": ""Serum wspierające regenerację bariery hydrolipidowej, kluczowe przy obecnym stanie 'mildly_compromised'."", ""optional"": false}, {""product_id"": ""10474d06"", ""action_type"": null, ""region"": null, ""action_notes"": null, ""why_this_step"": ""Krem z ceramidami domyka pielęgnację, dostarczając lipidów niezbędnych do odbudowy naskórka."", ""optional"": false}], ""reasoning"": ""Rutyna skupia się na priorytecie odbudowy bariery (mildly_compromised) oraz wyciszeniu aktywnych zmian zapalnych po porannym goleniu maszynką. Zrezygnowano z retinolu i kwasów AHA/BHA ze względu na ryzyko podrażnienia świeżo ogolonej skóry oraz osłabioną barierę. Zastosowano dwuetapowe oczyszczanie dla dokładnego usunięcia SPF, a następnie kombinację cynku PCA i serum barierowego, co adresuje zarówno trądzik, jak i regenerację."", ""summary"": {""primary_goal"": ""Regeneracja bariery hydrolipidowej i łagodzenie stanów zapalnych po goleniu."", ""constraints_applied"": [""Pominięto składniki drażniące (!post_shave) ze względu na poranne golenie"", ""Uwzględniono stan bariery mildly_compromised"", ""Ograniczono liczbę serum do 2"", ""Zastosowano double cleansing dla PM""], ""confidence"": 1.0}, ""_usage"": {""prompt_tokens"": ""4024"", ""completion_tokens"": ""836"", ""total_tokens"": ""7354"", ""thoughts_tokens"": ""2494""}}",
+2026-03-07T23:49:45,5,3,2026-03-07,pm,4,False,200,14901,6,Wyciszenie stanów zapalnych przy jednoczesnej intensywnej odbudowie bariery hydrolipidowej.,0.95,"Rutyna PM została zaprojektowana z uwzględnieniem naruszonej bariery ochronnej (mildly_compromised) oraz faktu porannego golenia maszynką tradycyjną, co zwiększa reaktywność skóry. Zrezygnowano z kwasów (AHA/BHA) i retinoidów, aby unikną...",4024,903,6468,1541,"{""steps"": [{""product_id"": ""349f49cc"", ""action_type"": null, ""region"": null, ""action_notes"": null, ""why_this_step"": ""Delikatny olejek skutecznie rozpuści resztki filtra SPF i zanieczyszczenia bez naruszania bariery hydrolipidowej."", ""optional"": false}, {""product_id"": ""77cbf37c"", ""action_type"": null, ""region"": null, ""action_notes"": null, ""why_this_step"": ""Łagodny żel myjący usunie pozostałości olejku, dbając o wrażliwą po goleniu skórę."", ""optional"": false}, {""product_id"": ""65f297db"", ""action_type"": null, ""region"": null, ""action_notes"": null, ""why_this_step"": ""Toner z pantenolem natychmiastowo koi podrażnienia i przygotowuje skórę na przyjęcie składników aktywnych."", ""optional"": false}, {""product_id"": ""0bbd3c67"", ""action_type"": null, ""region"": null, ""action_notes"": null, ""why_this_step"": ""Cynk PCA działa przeciwzapalnie na zmiany trądzikowe i pomaga regulować wydzielanie sebum bez nadmiernego wysuszania."", ""optional"": false}, {""product_id"": ""9f58a454"", ""action_type"": null, ""region"": null, ""action_notes"": null, ""why_this_step"": ""Serum barierowe wspiera regenerację naskórka, co jest kluczowe przy obecnym naruszeniu bariery ochronnej."", ""optional"": false}, {""product_id"": ""10474d06"", ""action_type"": null, ""region"": null, ""action_notes"": null, ""why_this_step"": ""Krem z ceramidami domyka rutynę, intensywnie odbudowując cement międzykomórkowy i chroniąc przed utratą wody."", ""optional"": false}], ""reasoning"": ""Rutyna PM została zaprojektowana z uwzględnieniem naruszonej bariery ochronnej (mildly_compromised) oraz faktu porannego golenia maszynką tradycyjną, co zwiększa reaktywność skóry. Zrezygnowano z kwasów (AHA/BHA) i retinoidów, aby uniknąć pogłębienia podrażnień i pieczenia. Skupiono się na wyciszeniu stanów zapalnych (Cynk PCA) oraz intensywnej regeneracji (pantenol, ceramidy, serum barierowe). Wybór produktów opiera się na ich wysokim profilu bezpieczeństwa dla skóry z zaburzoną barierą i braku konfliktów z dzisiejszym goleniem."", ""summary"": {""primary_goal"": ""Wyciszenie stanów zapalnych przy jednoczesnej intensywnej odbudowie bariery hydrolipidowej."", ""constraints_applied"": [""Wykluczenie składników drażniących (retinol, kwasy) ze względu na stan bariery i poranne golenie"", ""Zastosowanie dwuetapowego oczyszczania dla usunięcia SPF"", ""Maksymalnie 2 sera w rutynie (Zinc PCA + Calming Barrier)"", ""Priorytet dla produktów bezpiecznych przy naruszonej barierze""], ""confidence"": 0.95}, ""_usage"": {""prompt_tokens"": ""4024"", ""completion_tokens"": ""903"", ""total_tokens"": ""6468"", ""thoughts_tokens"": ""1541""}}",
+2026-03-07T23:50:00,7,1,2026-03-07,pm,4,False,200,20639,6,Wyciszenie stanów zapalnych i intensywna odbudowa bariery ochronnej po goleniu.,1.0,"Rutyna została zaprojektowana z uwzględnieniem naruszonej bariery skórnej (mildly_compromised) oraz faktu, że rano wykonano golenie maszynką tradycyjną. Zrezygnowano z kwasów (Lactic Acid, AHA/BHA) oraz retinolu, aby uniknąć dalszego dra...",8437,906,10196,853,"{""steps"": [{""product_id"": ""349f49cc"", ""action_type"": null, ""region"": null, ""action_notes"": null, ""why_this_step"": ""Delikatny olejek skutecznie usuwa zanieczyszczenia i pozostałości filtrów SPF bez naruszania bariery hydrolipidowej."", ""optional"": false}, {""product_id"": ""77cbf37c"", ""action_type"": null, ""region"": null, ""action_notes"": null, ""why_this_step"": ""Bardzo łagodny żel myjący, który domywa skórę bez ryzyka podrażnienia po porannym goleniu."", ""optional"": false}, {""product_id"": ""65f297db"", ""action_type"": null, ""region"": null, ""action_notes"": null, ""why_this_step"": ""Wysokie stężenie pantenolu (5%) natychmiastowo koi zaczerwienienia i wspiera regenerację naskórka."", ""optional"": false}, {""product_id"": ""0ce2d373"", ""action_type"": null, ""region"": null, ""action_notes"": null, ""why_this_step"": ""Pochodna kwasu azelainowego wycisza stany zapalne trądziku i redukuje rumień, będąc bezpieczną dla naruszonej bariery."", ""optional"": false}, {""product_id"": ""9f58a454"", ""action_type"": null, ""region"": null, ""action_notes"": null, ""why_this_step"": ""Kompleks ceramidów i cica intensywnie odbudowuje barierę ochronną, która jest obecnie osłabiona."", ""optional"": false}, {""product_id"": ""9d71771e"", ""action_type"": null, ""region"": null, ""action_notes"": null, ""why_this_step"": ""Ektoina i aminokwasy zapewniają głębokie nawilżenie i domykają pielęgnację, wspierając nocną regenerację."", ""optional"": false}], ""reasoning"": ""Rutyna została zaprojektowana z uwzględnieniem naruszonej bariery skórnej (mildly_compromised) oraz faktu, że rano wykonano golenie maszynką tradycyjną. Zrezygnowano z kwasów (Lactic Acid, AHA/BHA) oraz retinolu, aby uniknąć dalszego drażnienia skóry i pozwolić jej na regenerację. Skupiono się na składnikach kojących (pantenol, cica, ektoina) oraz przeciwzapalnych (pochodna kwasu azelainowego - aPAD), które adresują zarówno trądzik, jak i rumień, nie pogarszając stanu bariery. Zastosowano dwuetapowe oczyszczanie, aby dokładnie oczyścić pory bez ich mechanicznego drażnienia."", ""summary"": {""primary_goal"": ""Wyciszenie stanów zapalnych i intensywna odbudowa bariery ochronnej po goleniu."", ""constraints_applied"": [""Pominięcie składników drażniących (retinoidy, kwasy) przy naruszonej barierze"", ""Zastosowanie produktów safe_after_shaving"", ""Maksymalnie 2 serum w rutynie"", ""Priorytet dla składników kojących i barierowych""], ""confidence"": 1.0}, ""_usage"": {""prompt_tokens"": ""8437"", ""completion_tokens"": ""906"", ""total_tokens"": ""10196"", ""thoughts_tokens"": ""853""}}",
+2026-03-07T23:50:21,7,2,2026-03-07,pm,4,False,200,17712,6,Wyciszenie stanów zapalnych i intensywna regeneracja bariery po goleniu.,0.95,"Rutyna została zaprojektowana z myślą o dwóch kluczowych czynnikach: dzisiejszym goleniu maszynką oraz lekko naruszonej barierze ochronnej (mildly compromised). Zrezygnowano z kwasów złuszczających (Lactic Acid) i retinolu, które mogłyby...",8619,909,9528,,"{""steps"": [{""product_id"": ""349f49cc"", ""action_type"": null, ""region"": null, ""action_notes"": null, ""why_this_step"": ""Pierwszy etap oczyszczania dwuetapowego, aby skutecznie rozpuścić filtry SPF i nadmiar sebum bez podrażniania skóry."", ""optional"": false}, {""product_id"": ""77cbf37c"", ""action_type"": null, ""region"": null, ""action_notes"": null, ""why_this_step"": ""Drugi etap oczyszczania łagodnym żelem, który usuwa pozostałości zanieczyszczeń, dbając o naruszoną barierę hydrolipidową."", ""optional"": false}, {""product_id"": ""65f297db"", ""action_type"": null, ""region"": null, ""action_notes"": null, ""why_this_step"": ""Tonik z pantenolem natychmiastowo koi skórę po goleniu i przygotowuje ją na przyjęcie składników aktywnych."", ""optional"": false}, {""product_id"": ""0ce2d373"", ""action_type"": null, ""region"": null, ""action_notes"": null, ""why_this_step"": ""Pochodna kwasu azelainowego działa przeciwzapalnie na wypryski i redukuje zaczerwienienia, będąc bezpieczną opcją po goleniu."", ""optional"": false}, {""product_id"": ""9f58a454"", ""action_type"": null, ""region"": null, ""action_notes"": null, ""why_this_step"": ""Serum z ceramidami i cica wspiera regenerację bariery ochronnej, która jest obecnie w gorszej kondycji."", ""optional"": false}, {""product_id"": ""9d71771e"", ""action_type"": null, ""region"": null, ""action_notes"": null, ""why_this_step"": ""Bogaty krem z ektoiną zapewnia głębokie nawilżenie i domyka rutynę, przyspieszając naprawę naskórka."", ""optional"": false}], ""reasoning"": ""Rutyna została zaprojektowana z myślą o dwóch kluczowych czynnikach: dzisiejszym goleniu maszynką oraz lekko naruszonej barierze ochronnej (mildly compromised). Zrezygnowano z kwasów złuszczających (Lactic Acid) i retinolu, które mogłyby pogorszyć stan zapalny i podrażnienie po goleniu. Zamiast tego postawiono na dwuetapowe oczyszczanie (usuwanie SPF) oraz synergię składników kojących i naprawczych: pantenolu, pochodnej kwasu azelainowego (aPAD), ceramidów oraz ektoiny. aPAD skutecznie adresuje priorytet użytkownika (aktywne krostki i zaczerwienienia), nie niosąc ryzyka podrażnienia typowego dla czystych kwasów."", ""summary"": {""primary_goal"": ""Wyciszenie stanów zapalnych i intensywna regeneracja bariery po goleniu."", ""constraints_applied"": [""Wykluczenie składników drażniących po goleniu (retinoidy, kwasy)"", ""Maksymalizacja składników barierowych (ceramidy, ektoina)"", ""Bezpieczeństwo przy naruszonej barierze""], ""confidence"": 0.95}, ""_usage"": {""prompt_tokens"": ""8619"", ""completion_tokens"": ""909"", ""total_tokens"": ""9528"", ""thoughts_tokens"": """"}}",
+2026-03-07T23:50:40,7,3,2026-03-07,pm,4,False,200,25984,6,Wyciszenie stanów zapalnych i intensywna regeneracja bariery po goleniu.,0.95,"Rutyna koncentruje się na wyciszeniu aktywnych stanów zapalnych oraz odbudowie bariery hydrolipidowej, która jest obecnie osłabiona. Ze względu na poranne golenie maszynką oraz stan 'mildly_compromised', zrezygnowano z drażniących kwasów...",7429,869,10373,2075,"{""steps"": [{""product_id"": ""349f49cc"", ""action_type"": null, ""region"": null, ""action_notes"": null, ""why_this_step"": ""Pierwszy etap oczyszczania dwuetapowego, który skutecznie usuwa resztki filtrów SPF i nadmiar sebum bez naruszania bariery."", ""optional"": false}, {""product_id"": ""77cbf37c"", ""action_type"": null, ""region"": null, ""action_notes"": null, ""why_this_step"": ""Łagodny żel myjący, który domywa skórę, będąc bezpiecznym dla naruszonej bariery hydrolipidowej."", ""optional"": false}, {""product_id"": ""65f297db"", ""action_type"": null, ""region"": null, ""action_notes"": null, ""why_this_step"": ""Przywraca nawilżenie i łagodzi skórę po porannym goleniu dzięki zawartości pantenolu."", ""optional"": false}, {""product_id"": ""53fc4050"", ""action_type"": null, ""region"": null, ""action_notes"": null, ""why_this_step"": ""Kwas azelainowy działa przeciwzapalnie na krostki i redukuje zaczerwienienia, będąc bezpiecznym przy naruszonej barierze."", ""optional"": false}, {""product_id"": ""9f58a454"", ""action_type"": null, ""region"": null, ""action_notes"": null, ""why_this_step"": ""Serum z ceramidami i cica intensywnie wspiera regenerację bariery ochronnej skóry."", ""optional"": false}, {""product_id"": ""10474d06"", ""action_type"": null, ""region"": null, ""action_notes"": null, ""why_this_step"": ""Bogaty krem z ceramidami i niacynamidem, który uszczelnia barierę i koi stany zapalne."", ""optional"": false}], ""reasoning"": ""Rutyna koncentruje się na wyciszeniu aktywnych stanów zapalnych oraz odbudowie bariery hydrolipidowej, która jest obecnie osłabiona. Ze względu na poranne golenie maszynką oraz stan 'mildly_compromised', zrezygnowano z drażniących kwasów (Lactic, Salicylic) i retinoidów. Zastosowano kwas azelainowy, który jest złotym standardem przy jednoczesnym występowaniu trądziku i zaczerwienień (podejrzenie trądziku różowatego). Podwójne oczyszczanie zapewnia czystość porów, a połączenie serum barierowego z kremem ceramidowym maksymalizuje regenerację."", ""summary"": {""primary_goal"": ""Wyciszenie stanów zapalnych i intensywna regeneracja bariery po goleniu."", ""constraints_applied"": [""Brak silnych kwasów i retinoidów przy naruszonej barierze"", ""Bezpieczeństwo po goleniu maszynką (post-shave safety)"", ""Maksymalnie 2 serum w rutynie"", ""Priorytet składników barierowych (ceramidy, pantenol)""], ""confidence"": 0.95}, ""_usage"": {""prompt_tokens"": ""7429"", ""completion_tokens"": ""869"", ""total_tokens"": ""10373"", ""thoughts_tokens"": ""2075""}}",
diff --git a/tests/routines_suggest_history_experiment.jsonl b/tests/routines_suggest_history_experiment.jsonl
new file mode 100644
index 0000000..f59ef28
--- /dev/null
+++ b/tests/routines_suggest_history_experiment.jsonl
@@ -0,0 +1,12 @@
+{"run_at": "2026-03-07T23:47:04", "days_window": 1, "repeat": 1, "routine_date": "2026-03-07", "part_of_day": "pm", "http_status": 200, "duration_ms": 20403, "payload": {"steps": [{"product_id": "349f49cc", "action_type": null, "region": null, "action_notes": null, "why_this_step": "Pierwszy etap oczyszczania, który skutecznie usuwa resztki filtrów SPF i nadmiar sebum bez naruszania barierowości.", "optional": false}, {"product_id": "77cbf37c", "action_type": null, "region": null, "action_notes": null, "why_this_step": "Łagodny żel myjący, który domywa pozostałości oleju, będąc jednocześnie bezpiecznym dla podrażnionej goleniem skóry.", "optional": false}, {"product_id": "65f297db", "action_type": null, "region": null, "action_notes": null, "why_this_step": "Wysokie stężenie pantenolu (5%) natychmiastowo koi zaczerwienienia i wspiera regenerację naskórka.", "optional": false}, {"product_id": "53fc4050", "action_type": null, "region": "twarz", "action_notes": "Skup się na dolnej części policzków i linii żuchwy, gdzie występują zmiany zapalne.", "why_this_step": "Kwas azelainowy działa przeciwzapalnie i przeciwtrądzikowo, będąc jedną z najbezpieczniejszych substancji przy naruszonej barierze.", "optional": false}, {"product_id": "10474d06", "action_type": null, "region": null, "action_notes": null, "why_this_step": "Intensywna odbudowa bariery dzięki ceramidom i niacynamidowi, kluczowa przy obecnym stanie 'mildly_compromised'.", "optional": false}], "reasoning": "Rutyna została zaprojektowana z myślą o jednoczesnym wyciszeniu aktywnych zmian trądzikowych oraz odbudowie bariery hydrolipidowej, która jest obecnie osłabiona. Ze względu na dzisiejsze golenie maszynką, wykluczono drażniące kwasy (AHA/BHA) oraz retinol na rzecz kwasu azelainowego, który jest bezpieczny po goleniu i skutecznie redukuje zaczerwienienia. Zastosowano dwuetapowe oczyszczanie dla dokładnego oczyszczenia porów oraz silną dawkę składników kojących (pantenol, ceramidy, niacynamid), aby przyspieszyć regenerację skóry.", "summary": {"primary_goal": "Wyciszenie stanów zapalnych i regeneracja bariery ochronnej po goleniu.", "constraints_applied": ["bezpieczeństwo po goleniu (safe_after_shaving)", "ochrona naruszonej bariery (mildly_compromised)", "brak łączenia kwasów z retinoidami", "maksymalnie 2 serum w rutynie"], "confidence": 1.0}, "_usage": {"prompt_tokens": "7339", "completion_tokens": "801", "total_tokens": "8674", "thoughts_tokens": "534"}}}
+{"run_at": "2026-03-07T23:47:25", "days_window": 1, "repeat": 2, "routine_date": "2026-03-07", "part_of_day": "pm", "http_status": 200, "duration_ms": 22389, "payload": {"steps": [{"product_id": "6e663735", "action_type": null, "region": null, "action_notes": null, "why_this_step": "Pierwszy etap oczyszczania dwuetapowego, aby skutecznie usunąć resztki filtrów SPF i zanieczyszczenia bez naruszania bariery.", "optional": false}, {"product_id": "77cbf37c", "action_type": null, "region": null, "action_notes": null, "why_this_step": "Łagodny żel myjący, który domywa skórę bez ryzyka podrażnienia świeżo ogolonej twarzy.", "optional": false}, {"product_id": "65f297db", "action_type": null, "region": null, "action_notes": null, "why_this_step": "Przywraca nawilżenie i koi skórę dzięki zawartości pantenolu i czynników NMF.", "optional": false}, {"product_id": "0bbd3c67", "action_type": null, "region": null, "action_notes": null, "why_this_step": "Cynk PCA pomaga wyciszyć stany zapalne i regulować pory, będąc jednocześnie bezpiecznym dla naruszonej bariery.", "optional": false}, {"product_id": "9f58a454", "action_type": null, "region": null, "action_notes": null, "why_this_step": "Intensywne wsparcie bariery hydrolipidowej dzięki ceramidom i niacynamidowi.", "optional": false}, {"product_id": "10474d06", "action_type": null, "region": null, "action_notes": null, "why_this_step": "Bogaty krem z ceramidami, który domyka pielęgnację i przyspiesza regenerację naskórka po goleniu.", "optional": false}], "reasoning": "Rutyna PM skupia się na regeneracji bariery naskórkowej, która jest obecnie w stanie 'mildly compromised', oraz na łagodzeniu aktywnych zmian trądzikowych. Ze względu na dzisiejsze golenie maszynką (shaving_razor), wykluczono wszystkie drażniące składniki aktywne (retinol, kwasy AHA/BHA, witaminę C), zastępując je bezpiecznymi alternatywami. Zastosowano Zinc PCA dla kontroli porów i stanów zapalnych oraz podwójną dawkę ceramidów (serum + krem), aby maksymalnie wesprzeć procesy naprawcze w nocy.", "summary": {"primary_goal": "Regeneracja bariery hydrolipidowej i wyciszenie stanów zapalnych po goleniu.", "constraints_applied": ["Wykluczenie produktów z flagą !post_shave", "Dostosowanie do naruszonej bariery (mildly_compromised)", "Unikanie łączenia kwasów i retinoidów", "Zastosowanie oczyszczania dwuetapowego w PM"], "confidence": 1.0}, "_usage": {"prompt_tokens": "7292", "completion_tokens": "852", "total_tokens": "9205", "thoughts_tokens": "1061"}}}
+{"run_at": "2026-03-07T23:47:48", "days_window": 1, "repeat": 3, "routine_date": "2026-03-07", "part_of_day": "pm", "http_status": 200, "duration_ms": 14983, "payload": {"steps": [{"product_id": "6e663735", "action_type": null, "region": null, "action_notes": null, "why_this_step": "Olejek skutecznie rozpuszcza filtry SPF i zanieczyszczenia bez naruszania bariery lipidowej.", "optional": false}, {"product_id": "77cbf37c", "action_type": null, "region": null, "action_notes": null, "why_this_step": "Łagodny żel myjący usuwa pozostałości olejku, będąc w pełni bezpiecznym dla skóry po goleniu.", "optional": false}, {"product_id": "65f297db", "action_type": null, "region": null, "action_notes": null, "why_this_step": "Toner z pantenolem natychmiast koi podrażnienia po porannym goleniu i przywraca nawilżenie.", "optional": false}, {"product_id": "0ce2d373", "action_type": null, "region": null, "action_notes": null, "why_this_step": "Pochodna kwasu azelainowego redukuje stany zapalne i zaczerwienienia, nie drażniąc naruszonej bariery.", "optional": false}, {"product_id": "9f58a454", "action_type": null, "region": null, "action_notes": null, "why_this_step": "Serum wspierające barierę ochronną przyspiesza regenerację naskórka i łagodzi reaktywność skóry.", "optional": false}, {"product_id": "10474d06", "action_type": null, "region": null, "action_notes": null, "why_this_step": "Krem z ceramidami intensywnie odbudowuje barierę hydrolipidową podczas snu.", "optional": false}], "reasoning": "Rutyna PM koncentruje się na regeneracji bariery (mildly_compromised) oraz wyciszeniu aktywnych zmian zapalnych po porannym goleniu maszynką. Wykluczono wszystkie drażniące składniki aktywne (retinol, kwasy AHA/BHA, witamina C) ze względu na status 'post_shave' oraz osłabioną barierę. Zastosowano dwuetapowe oczyszczanie dla dokładnego usunięcia SPF, a następnie warstwową terapię kojącą opartą na pantenolu, pochodnej kwasu azelainowego (aPAD) oraz ceramidach, co bezpośrednio odpowiada na priorytety użytkownika.", "summary": {"primary_goal": "Regeneracja bariery skórnej i wyciszenie stanów zapalnych po goleniu.", "constraints_applied": ["safety_post_shave", "barrier_repair_priority", "no_acids_with_retinoids", "max_2_serums"], "confidence": 1.0}, "_usage": {"prompt_tokens": "3327", "completion_tokens": "821", "total_tokens": "6056", "thoughts_tokens": "1908"}}}
+{"run_at": "2026-03-07T23:48:03", "days_window": 3, "repeat": 1, "routine_date": "2026-03-07", "part_of_day": "pm", "http_status": 200, "duration_ms": 24377, "payload": {"steps": [{"product_id": "349f49cc", "action_type": null, "region": null, "action_notes": null, "why_this_step": "Pierwszy etap oczyszczania dwuetapowego, który skutecznie usuwa filtry SPF i nadmiar sebum bez naruszania barier ochronnych.", "optional": false}, {"product_id": "77cbf37c", "action_type": null, "region": null, "action_notes": null, "why_this_step": "Łagodny żel myjący, który domywa pozostałości oleju, dbając o wrażliwą i naruszoną barierę skóry.", "optional": false}, {"product_id": "65f297db", "action_type": null, "region": null, "action_notes": null, "why_this_step": "Tonik z pantenolem błyskawicznie koi zaczerwienienia i przygotowuje skórę na przyjęcie składników aktywnych.", "optional": false}, {"product_id": "0bbd3c67", "action_type": null, "region": null, "action_notes": null, "why_this_step": "Cynk PCA pomaga wyciszyć stany zapalne i reguluje pracę porów, będąc jednocześnie bezpiecznym dla naruszonej bariery.", "optional": false}, {"product_id": "9f58a454", "action_type": null, "region": null, "action_notes": null, "why_this_step": "Serum z ceramidami i cica intensywnie wspiera regenerację bariery hydrolipidowej i łagodzi podrażnienia po goleniu.", "optional": false}, {"product_id": "9d71771e", "action_type": null, "region": null, "action_notes": null, "why_this_step": "Krem z ektoiną zapewnia głębokie nawilżenie i domyka rutynę, tworząc ochronną warstwę wspomagającą nocną regenerację.", "optional": false}], "reasoning": "Rutyna została skonstruowana tak, aby maksymalnie wspierać regenerację bariery skórnej, która jest obecnie w stanie 'mildly compromised', przy jednoczesnym adresowaniu zmian trądzikowych. Zrezygnowano z silnych kwasów (AHA/BHA) oraz retinoidów ze względu na dzisiejsze golenie twarzy maszynką oraz osłabioną kondycję skóry. Zastosowano dwuetapowe oczyszczanie dla dokładnego, ale delikatnego usunięcia zanieczyszczeń. Kluczowe składniki to cynk PCA (działanie przeciwzapalne), ceramidy i cica (odbudowa bariery) oraz ektoina (intensywne nawilżenie i ochrona).", "summary": {"primary_goal": "Regeneracja bariery hydrolipidowej i wyciszenie stanów zapalnych.", "constraints_applied": ["Bezpieczeństwo po goleniu maszynką (brak kwasów i retinoidów)", "Ochrona naruszonej bariery skórnej", "Maksymalnie 2 sera w rutynie", "Brak redundancji składników aktywnych"], "confidence": 1.0}, "_usage": {"prompt_tokens": "9139", "completion_tokens": "881", "total_tokens": "10377", "thoughts_tokens": "357"}}}
+{"run_at": "2026-03-07T23:48:28", "days_window": 3, "repeat": 2, "routine_date": "2026-03-07", "part_of_day": "pm", "http_status": 200, "duration_ms": 16481, "payload": {"steps": [{"product_id": "349f49cc", "action_type": null, "region": null, "action_notes": null, "why_this_step": "Delikatny olejek do demakijażu skutecznie usuwa filtr SPF i zanieczyszczenia bez naruszania bariery.", "optional": false}, {"product_id": "77cbf37c", "action_type": null, "region": null, "action_notes": null, "why_this_step": "Drugi etap oczyszczania ultra-delikatnym żelem, aby usunąć pozostałości olejku.", "optional": false}, {"product_id": "65f297db", "action_type": null, "region": null, "action_notes": null, "why_this_step": "Toner z pantenolem natychmiastowo koi skórę po porannym goleniu i przywraca nawilżenie.", "optional": false}, {"product_id": "0bbd3c67", "action_type": null, "region": null, "action_notes": null, "why_this_step": "Cynk PCA pomaga wyciszyć stany zapalne i reguluje pracę porów bez ryzyka podrażnienia.", "optional": false}, {"product_id": "9f58a454", "action_type": null, "region": null, "action_notes": null, "why_this_step": "Serum barierowe wspiera regenerację naskórka, co jest kluczowe przy naruszonej barierze.", "optional": false}, {"product_id": "10474d06", "action_type": null, "region": null, "action_notes": null, "why_this_step": "Krem z ceramidami intensywnie odbudowuje warstwę lipidową i domyka nawilżenie.", "optional": false}], "reasoning": "Rutyna skupia się na regeneracji bariery hydrolipidowej, która jest obecnie osłabiona, oraz na łagodzeniu skutków porannego golenia maszynką. Wykluczono wszystkie drażniące składniki aktywne (kwasy, retinoidy) ze względu na flagę bezpieczeństwa '!post_shave' oraz stan skóry. Zastosowano dwuetapowe oczyszczanie dla dokładnego usunięcia SPF, a następnie warstwową pielęgnację kojącą (pantenol, cynk PCA, ceramidy), która adresuje zarówno trądzik zapalny, jak i zaczerwienienia.", "summary": {"primary_goal": "Wyciszenie stanów zapalnych i intensywna regeneracja bariery po goleniu.", "constraints_applied": ["mildly_compromised_barrier", "post_shave_safety", "no_acids_with_retinoids", "max_2_serums"], "confidence": 0.95}, "_usage": {"prompt_tokens": "3660", "completion_tokens": "802", "total_tokens": "6391", "thoughts_tokens": "1929"}}}
+{"run_at": "2026-03-07T23:48:45", "days_window": 3, "repeat": 3, "routine_date": "2026-03-07", "part_of_day": "pm", "http_status": 200, "duration_ms": 18310, "payload": {"steps": [{"product_id": "349f49cc", "action_type": null, "region": null, "action_notes": null, "why_this_step": "Skuteczne usunięcie filtrów SPF i zanieczyszczeń bez naruszania bariery ochronnej.", "optional": false}, {"product_id": "77cbf37c", "action_type": null, "region": null, "action_notes": null, "why_this_step": "Łagodne oczyszczanie wodne, bezpieczne dla skóry po porannym goleniu żyletką.", "optional": false}, {"product_id": "65f297db", "action_type": null, "region": null, "action_notes": null, "why_this_step": "Intensywne ukojenie i nawilżenie dzięki zawartości pantenolu i alantoiny.", "optional": false}, {"product_id": "0bbd3c67", "action_type": null, "region": null, "action_notes": null, "why_this_step": "Cynk PCA pomaga wyciszyć stany zapalne i reguluje pracę porów bez podrażnień.", "optional": false}, {"product_id": "9f58a454", "action_type": null, "region": null, "action_notes": null, "why_this_step": "Wsparcie regeneracji bariery hydrolipidowej i redukcja zaczerwienień w strefie T.", "optional": false}, {"product_id": "10474d06", "action_type": null, "region": null, "action_notes": null, "why_this_step": "Ceramidy kluczowe dla odbudowy naruszonej bariery ochronnej skóry.", "optional": false}], "reasoning": "Rutyna skupia się na priorytetach użytkownika: wyciszeniu stanów zapalnych i odbudowie bariery, która jest obecnie w stanie 'mildly_compromised'. Ze względu na poranne golenie żyletką (shaving_razor), wykluczono wszystkie produkty z flagą !post_shave (retinol, kwasy AHA/BHA, witamina C), aby uniknąć pieczenia i pogłębienia podrażnień. Zastosowano dwuetapowe oczyszczanie dla dokładnego usunięcia SPF. Wybrano dwa sera: cynkowe (na trądzik i pory) oraz barierowe (na zaczerwienienia). Całość domyka krem z ceramidami, który bezpośrednio adresuje osłabioną barierę.", "summary": {"primary_goal": "Ukojenie aktywnych zmian zapalnych i intensywna regeneracja bariery po goleniu.", "constraints_applied": ["safety_post_shave_razor", "barrier_mildly_compromised_caution", "max_2_serums_limit", "no_acid_retinoid_overlap"], "confidence": 0.95}, "_usage": {"prompt_tokens": "3660", "completion_tokens": "826", "total_tokens": "6981", "thoughts_tokens": "2495"}}}
+{"run_at": "2026-03-07T23:49:04", "days_window": 5, "repeat": 1, "routine_date": "2026-03-07", "part_of_day": "pm", "http_status": 200, "duration_ms": 21635, "payload": {"steps": [{"product_id": "349f49cc", "action_type": null, "region": null, "action_notes": null, "why_this_step": "Pierwszy etap oczyszczania usuwa pozostałości filtrów SPF i zanieczyszczenia bez naruszania bariery.", "optional": false}, {"product_id": "77cbf37c", "action_type": null, "region": null, "action_notes": null, "why_this_step": "Łagodne oczyszczanie wodne usuwa resztki olejku i przygotowuje skórę na składniki aktywne.", "optional": false}, {"product_id": "65f297db", "action_type": null, "region": null, "action_notes": null, "why_this_step": "Przywraca nawilżenie i koi skórę dzięki zawartości pantenolu i alantoiny.", "optional": false}, {"product_id": "0ce2d373", "action_type": null, "region": null, "action_notes": null, "why_this_step": "Pochodna kwasu azelainowego redukuje stany zapalne i zaczerwienienia, będąc bezpieczną dla naruszonej bariery.", "optional": false}, {"product_id": "9f58a454", "action_type": null, "region": null, "action_notes": null, "why_this_step": "Intensywnie regeneruje barierę hydrolipidową dzięki ceramidom i wycisza skórę po porannym goleniu.", "optional": false}, {"product_id": "9d71771e", "action_type": null, "region": null, "action_notes": null, "why_this_step": "Silnie nawilża i wspiera regenerację naskórka dzięki ektoinie i aminokwasom.", "optional": false}], "reasoning": "Rutyna skupia się na regeneracji bariery (mildly_compromised) oraz wyciszeniu aktywnych zmian zapalnych i zaczerwienień po porannym goleniu maszynką. Zastosowano dwuetapowe oczyszczanie dla dokładnego usunięcia SPF. Wybrano aPAD jako łagodną alternatywę dla kwasów/retinoidów, która skutecznie zwalcza trądzik i rumień bez ryzyka podrażnień. Serum barierowe z ceramidami oraz krem z ektoiną zapewniają maksymalne wsparcie naprawcze i nawilżenie.", "summary": {"primary_goal": "Regeneracja bariery hydrolipidowej i łagodzenie stanów zapalnych.", "constraints_applied": ["mildly_compromised_barrier", "post_shave_safety", "max_2_serums", "no_acids_with_retinoids"], "confidence": 1.0}, "_usage": {"prompt_tokens": "7874", "completion_tokens": "797", "total_tokens": "9159", "thoughts_tokens": "488"}}}
+{"run_at": "2026-03-07T23:49:26", "days_window": 5, "repeat": 2, "routine_date": "2026-03-07", "part_of_day": "pm", "http_status": 200, "duration_ms": 18743, "payload": {"steps": [{"product_id": "349f49cc", "action_type": null, "region": null, "action_notes": null, "why_this_step": "Pierwszy etap oczyszczania dwuetapowego, aby delikatnie usunąć resztki filtrów SPF i zanieczyszczenia bez naruszania bariery.", "optional": false}, {"product_id": "77cbf37c", "action_type": null, "region": null, "action_notes": null, "why_this_step": "Łagodny żel myjący, który domywa skórę bez ryzyka podrażnienia świeżo ogolonej twarzy.", "optional": false}, {"product_id": "65f297db", "action_type": null, "region": null, "action_notes": null, "why_this_step": "Dostarcza pantenolu, który koi skórę i przygotowuje ją na przyjęcie składników aktywnych.", "optional": false}, {"product_id": "0bbd3c67", "action_type": null, "region": null, "action_notes": null, "why_this_step": "Cynk PCA pomaga wyciszyć stany zapalne i reguluje pracę porów w sposób bezpieczny dla osłabionej bariery.", "optional": false}, {"product_id": "9f58a454", "action_type": null, "region": null, "action_notes": null, "why_this_step": "Serum wspierające regenerację bariery hydrolipidowej, kluczowe przy obecnym stanie 'mildly_compromised'.", "optional": false}, {"product_id": "10474d06", "action_type": null, "region": null, "action_notes": null, "why_this_step": "Krem z ceramidami domyka pielęgnację, dostarczając lipidów niezbędnych do odbudowy naskórka.", "optional": false}], "reasoning": "Rutyna skupia się na priorytecie odbudowy bariery (mildly_compromised) oraz wyciszeniu aktywnych zmian zapalnych po porannym goleniu maszynką. Zrezygnowano z retinolu i kwasów AHA/BHA ze względu na ryzyko podrażnienia świeżo ogolonej skóry oraz osłabioną barierę. Zastosowano dwuetapowe oczyszczanie dla dokładnego usunięcia SPF, a następnie kombinację cynku PCA i serum barierowego, co adresuje zarówno trądzik, jak i regenerację.", "summary": {"primary_goal": "Regeneracja bariery hydrolipidowej i łagodzenie stanów zapalnych po goleniu.", "constraints_applied": ["Pominięto składniki drażniące (!post_shave) ze względu na poranne golenie", "Uwzględniono stan bariery mildly_compromised", "Ograniczono liczbę serum do 2", "Zastosowano double cleansing dla PM"], "confidence": 1.0}, "_usage": {"prompt_tokens": "4024", "completion_tokens": "836", "total_tokens": "7354", "thoughts_tokens": "2494"}}}
+{"run_at": "2026-03-07T23:49:45", "days_window": 5, "repeat": 3, "routine_date": "2026-03-07", "part_of_day": "pm", "http_status": 200, "duration_ms": 14901, "payload": {"steps": [{"product_id": "349f49cc", "action_type": null, "region": null, "action_notes": null, "why_this_step": "Delikatny olejek skutecznie rozpuści resztki filtra SPF i zanieczyszczenia bez naruszania bariery hydrolipidowej.", "optional": false}, {"product_id": "77cbf37c", "action_type": null, "region": null, "action_notes": null, "why_this_step": "Łagodny żel myjący usunie pozostałości olejku, dbając o wrażliwą po goleniu skórę.", "optional": false}, {"product_id": "65f297db", "action_type": null, "region": null, "action_notes": null, "why_this_step": "Toner z pantenolem natychmiastowo koi podrażnienia i przygotowuje skórę na przyjęcie składników aktywnych.", "optional": false}, {"product_id": "0bbd3c67", "action_type": null, "region": null, "action_notes": null, "why_this_step": "Cynk PCA działa przeciwzapalnie na zmiany trądzikowe i pomaga regulować wydzielanie sebum bez nadmiernego wysuszania.", "optional": false}, {"product_id": "9f58a454", "action_type": null, "region": null, "action_notes": null, "why_this_step": "Serum barierowe wspiera regenerację naskórka, co jest kluczowe przy obecnym naruszeniu bariery ochronnej.", "optional": false}, {"product_id": "10474d06", "action_type": null, "region": null, "action_notes": null, "why_this_step": "Krem z ceramidami domyka rutynę, intensywnie odbudowując cement międzykomórkowy i chroniąc przed utratą wody.", "optional": false}], "reasoning": "Rutyna PM została zaprojektowana z uwzględnieniem naruszonej bariery ochronnej (mildly_compromised) oraz faktu porannego golenia maszynką tradycyjną, co zwiększa reaktywność skóry. Zrezygnowano z kwasów (AHA/BHA) i retinoidów, aby uniknąć pogłębienia podrażnień i pieczenia. Skupiono się na wyciszeniu stanów zapalnych (Cynk PCA) oraz intensywnej regeneracji (pantenol, ceramidy, serum barierowe). Wybór produktów opiera się na ich wysokim profilu bezpieczeństwa dla skóry z zaburzoną barierą i braku konfliktów z dzisiejszym goleniem.", "summary": {"primary_goal": "Wyciszenie stanów zapalnych przy jednoczesnej intensywnej odbudowie bariery hydrolipidowej.", "constraints_applied": ["Wykluczenie składników drażniących (retinol, kwasy) ze względu na stan bariery i poranne golenie", "Zastosowanie dwuetapowego oczyszczania dla usunięcia SPF", "Maksymalnie 2 sera w rutynie (Zinc PCA + Calming Barrier)", "Priorytet dla produktów bezpiecznych przy naruszonej barierze"], "confidence": 0.95}, "_usage": {"prompt_tokens": "4024", "completion_tokens": "903", "total_tokens": "6468", "thoughts_tokens": "1541"}}}
+{"run_at": "2026-03-07T23:50:00", "days_window": 7, "repeat": 1, "routine_date": "2026-03-07", "part_of_day": "pm", "http_status": 200, "duration_ms": 20639, "payload": {"steps": [{"product_id": "349f49cc", "action_type": null, "region": null, "action_notes": null, "why_this_step": "Delikatny olejek skutecznie usuwa zanieczyszczenia i pozostałości filtrów SPF bez naruszania bariery hydrolipidowej.", "optional": false}, {"product_id": "77cbf37c", "action_type": null, "region": null, "action_notes": null, "why_this_step": "Bardzo łagodny żel myjący, który domywa skórę bez ryzyka podrażnienia po porannym goleniu.", "optional": false}, {"product_id": "65f297db", "action_type": null, "region": null, "action_notes": null, "why_this_step": "Wysokie stężenie pantenolu (5%) natychmiastowo koi zaczerwienienia i wspiera regenerację naskórka.", "optional": false}, {"product_id": "0ce2d373", "action_type": null, "region": null, "action_notes": null, "why_this_step": "Pochodna kwasu azelainowego wycisza stany zapalne trądziku i redukuje rumień, będąc bezpieczną dla naruszonej bariery.", "optional": false}, {"product_id": "9f58a454", "action_type": null, "region": null, "action_notes": null, "why_this_step": "Kompleks ceramidów i cica intensywnie odbudowuje barierę ochronną, która jest obecnie osłabiona.", "optional": false}, {"product_id": "9d71771e", "action_type": null, "region": null, "action_notes": null, "why_this_step": "Ektoina i aminokwasy zapewniają głębokie nawilżenie i domykają pielęgnację, wspierając nocną regenerację.", "optional": false}], "reasoning": "Rutyna została zaprojektowana z uwzględnieniem naruszonej bariery skórnej (mildly_compromised) oraz faktu, że rano wykonano golenie maszynką tradycyjną. Zrezygnowano z kwasów (Lactic Acid, AHA/BHA) oraz retinolu, aby uniknąć dalszego drażnienia skóry i pozwolić jej na regenerację. Skupiono się na składnikach kojących (pantenol, cica, ektoina) oraz przeciwzapalnych (pochodna kwasu azelainowego - aPAD), które adresują zarówno trądzik, jak i rumień, nie pogarszając stanu bariery. Zastosowano dwuetapowe oczyszczanie, aby dokładnie oczyścić pory bez ich mechanicznego drażnienia.", "summary": {"primary_goal": "Wyciszenie stanów zapalnych i intensywna odbudowa bariery ochronnej po goleniu.", "constraints_applied": ["Pominięcie składników drażniących (retinoidy, kwasy) przy naruszonej barierze", "Zastosowanie produktów safe_after_shaving", "Maksymalnie 2 serum w rutynie", "Priorytet dla składników kojących i barierowych"], "confidence": 1.0}, "_usage": {"prompt_tokens": "8437", "completion_tokens": "906", "total_tokens": "10196", "thoughts_tokens": "853"}}}
+{"run_at": "2026-03-07T23:50:21", "days_window": 7, "repeat": 2, "routine_date": "2026-03-07", "part_of_day": "pm", "http_status": 200, "duration_ms": 17712, "payload": {"steps": [{"product_id": "349f49cc", "action_type": null, "region": null, "action_notes": null, "why_this_step": "Pierwszy etap oczyszczania dwuetapowego, aby skutecznie rozpuścić filtry SPF i nadmiar sebum bez podrażniania skóry.", "optional": false}, {"product_id": "77cbf37c", "action_type": null, "region": null, "action_notes": null, "why_this_step": "Drugi etap oczyszczania łagodnym żelem, który usuwa pozostałości zanieczyszczeń, dbając o naruszoną barierę hydrolipidową.", "optional": false}, {"product_id": "65f297db", "action_type": null, "region": null, "action_notes": null, "why_this_step": "Tonik z pantenolem natychmiastowo koi skórę po goleniu i przygotowuje ją na przyjęcie składników aktywnych.", "optional": false}, {"product_id": "0ce2d373", "action_type": null, "region": null, "action_notes": null, "why_this_step": "Pochodna kwasu azelainowego działa przeciwzapalnie na wypryski i redukuje zaczerwienienia, będąc bezpieczną opcją po goleniu.", "optional": false}, {"product_id": "9f58a454", "action_type": null, "region": null, "action_notes": null, "why_this_step": "Serum z ceramidami i cica wspiera regenerację bariery ochronnej, która jest obecnie w gorszej kondycji.", "optional": false}, {"product_id": "9d71771e", "action_type": null, "region": null, "action_notes": null, "why_this_step": "Bogaty krem z ektoiną zapewnia głębokie nawilżenie i domyka rutynę, przyspieszając naprawę naskórka.", "optional": false}], "reasoning": "Rutyna została zaprojektowana z myślą o dwóch kluczowych czynnikach: dzisiejszym goleniu maszynką oraz lekko naruszonej barierze ochronnej (mildly compromised). Zrezygnowano z kwasów złuszczających (Lactic Acid) i retinolu, które mogłyby pogorszyć stan zapalny i podrażnienie po goleniu. Zamiast tego postawiono na dwuetapowe oczyszczanie (usuwanie SPF) oraz synergię składników kojących i naprawczych: pantenolu, pochodnej kwasu azelainowego (aPAD), ceramidów oraz ektoiny. aPAD skutecznie adresuje priorytet użytkownika (aktywne krostki i zaczerwienienia), nie niosąc ryzyka podrażnienia typowego dla czystych kwasów.", "summary": {"primary_goal": "Wyciszenie stanów zapalnych i intensywna regeneracja bariery po goleniu.", "constraints_applied": ["Wykluczenie składników drażniących po goleniu (retinoidy, kwasy)", "Maksymalizacja składników barierowych (ceramidy, ektoina)", "Bezpieczeństwo przy naruszonej barierze"], "confidence": 0.95}, "_usage": {"prompt_tokens": "8619", "completion_tokens": "909", "total_tokens": "9528", "thoughts_tokens": ""}}}
+{"run_at": "2026-03-07T23:50:40", "days_window": 7, "repeat": 3, "routine_date": "2026-03-07", "part_of_day": "pm", "http_status": 200, "duration_ms": 25984, "payload": {"steps": [{"product_id": "349f49cc", "action_type": null, "region": null, "action_notes": null, "why_this_step": "Pierwszy etap oczyszczania dwuetapowego, który skutecznie usuwa resztki filtrów SPF i nadmiar sebum bez naruszania bariery.", "optional": false}, {"product_id": "77cbf37c", "action_type": null, "region": null, "action_notes": null, "why_this_step": "Łagodny żel myjący, który domywa skórę, będąc bezpiecznym dla naruszonej bariery hydrolipidowej.", "optional": false}, {"product_id": "65f297db", "action_type": null, "region": null, "action_notes": null, "why_this_step": "Przywraca nawilżenie i łagodzi skórę po porannym goleniu dzięki zawartości pantenolu.", "optional": false}, {"product_id": "53fc4050", "action_type": null, "region": null, "action_notes": null, "why_this_step": "Kwas azelainowy działa przeciwzapalnie na krostki i redukuje zaczerwienienia, będąc bezpiecznym przy naruszonej barierze.", "optional": false}, {"product_id": "9f58a454", "action_type": null, "region": null, "action_notes": null, "why_this_step": "Serum z ceramidami i cica intensywnie wspiera regenerację bariery ochronnej skóry.", "optional": false}, {"product_id": "10474d06", "action_type": null, "region": null, "action_notes": null, "why_this_step": "Bogaty krem z ceramidami i niacynamidem, który uszczelnia barierę i koi stany zapalne.", "optional": false}], "reasoning": "Rutyna koncentruje się na wyciszeniu aktywnych stanów zapalnych oraz odbudowie bariery hydrolipidowej, która jest obecnie osłabiona. Ze względu na poranne golenie maszynką oraz stan 'mildly_compromised', zrezygnowano z drażniących kwasów (Lactic, Salicylic) i retinoidów. Zastosowano kwas azelainowy, który jest złotym standardem przy jednoczesnym występowaniu trądziku i zaczerwienień (podejrzenie trądziku różowatego). Podwójne oczyszczanie zapewnia czystość porów, a połączenie serum barierowego z kremem ceramidowym maksymalizuje regenerację.", "summary": {"primary_goal": "Wyciszenie stanów zapalnych i intensywna regeneracja bariery po goleniu.", "constraints_applied": ["Brak silnych kwasów i retinoidów przy naruszonej barierze", "Bezpieczeństwo po goleniu maszynką (post-shave safety)", "Maksymalnie 2 serum w rutynie", "Priorytet składników barierowych (ceramidy, pantenol)"], "confidence": 0.95}, "_usage": {"prompt_tokens": "7429", "completion_tokens": "869", "total_tokens": "10373", "thoughts_tokens": "2075"}}}
diff --git a/tests/skincare.json b/tests/skincare.json
new file mode 100644
index 0000000..536d664
--- /dev/null
+++ b/tests/skincare.json
@@ -0,0 +1 @@
+[{"snapshot_date":"2026-02-14","overall_state":"fair","skin_type":"oily","texture":"bumpy","hydration_level":3,"sebum_tzone":4,"sebum_cheeks":4,"sensitivity_level":3,"barrier_state":"mildly_compromised","active_concerns":["acne","redness","pore_visibility","sebum_excess","uneven_texture"],"risks":[],"priorities":["Control excess oil","Reduce facial redness","Smooth skin texture","Support barrier repair"],"notes":"The skin shows prominent sebum production and visible pore structure across the T-zone and cheeks. Diffuse redness is present, suggesting some underlying sensitivity or mild barrier disruption. A few active inflammatory blemishes are visible, contributing to an uneven surface texture.","id":"27467e37-df77-42ac-867f-bee716757df4","created_at":"2026-03-01T19:02:30.657156"},{"snapshot_date":"2026-02-11","overall_state":"fair","skin_type":"oily","texture":"bumpy","hydration_level":3,"sebum_tzone":4,"sebum_cheeks":3,"sensitivity_level":3,"barrier_state":"mildly_compromised","active_concerns":["redness","pore_visibility","uneven_texture","sebum_excess","acne"],"risks":[],"priorities":["Calm diffuse facial redness","Regulate sebum production in T-zone","Smooth uneven skin texture","Strengthen the moisture barrier"],"notes":"The skin exhibits significant diffuse erythema across the cheeks and nose, which may suggest underlying rosacea or sensitivity. There is visible sebum production and enlarged pores, particularly in the central face area. Several small inflammatory papules are present, along with some textural irregularities on the forehead and chin.","id":"3f51899f-6001-4893-a5ce-0b47ac44a0be","created_at":"2026-03-01T20:47:00.190664"},{"snapshot_date":"2026-03-03","overall_state":"fair","skin_type":"oily","texture":"bumpy","hydration_level":3,"sebum_tzone":4,"sebum_cheeks":3,"sensitivity_level":3,"barrier_state":"mildly_compromised","active_concerns":["redness","pore_visibility","uneven_texture","sebum_excess","aging"],"risks":[],"priorities":["Soothe facial redness and inflammation","Regulate sebum production in T-zone","Strengthen the skin barrier","Daily broad-spectrum sun protection"],"notes":"The skin exhibits significant diffuse erythema across the central face, particularly the nose and cheeks, which may suggest early-stage rosacea. Prominent pore visibility and a shiny finish indicate high sebum activity. Fine lines on the forehead and some textural irregularities are present, alongside a few benign-appearing nevi that should be monitored.","id":"90def560-be08-4c67-89d0-bf743acac8c1","created_at":"2026-03-03T08:38:14.797996"},{"snapshot_date":"2026-03-04","overall_state":"fair","skin_type":"oily","texture":"bumpy","hydration_level":3,"sebum_tzone":4,"sebum_cheeks":3,"sensitivity_level":2,"barrier_state":"intact","active_concerns":["pore_visibility","uneven_texture","sebum_excess","aging"],"risks":[],"priorities":["texture refinement","sebum control","sun protection","pore minimization"],"notes":"The skin exhibits prominent pore visibility and an uneven texture, particularly across the mid-face and nose. There is visible sebum production in the T-zone and early signs of dynamic expression lines on the forehead. Several benign-appearing nevi are noted, which should be monitored for any changes in shape or color.","id":"b172cf7d-c191-469b-8f0e-022e8d6d9349","created_at":"2026-03-04T10:36:25.323084"},{"snapshot_date":"2026-03-06","overall_state":"fair","skin_type":"acne_prone","texture":"bumpy","hydration_level":3,"sebum_tzone":4,"sebum_cheeks":3,"sensitivity_level":3,"barrier_state":"mildly_compromised","active_concerns":["acne","redness","pore_visibility","uneven_texture"],"risks":[],"priorities":["calm active inflammation","unclog pores","strengthen skin barrier"],"notes":"The skin exhibits active inflammatory papules and pustules primarily on the cheeks and jawline. There is generalized erythema (redness) and visible pore dilation in the mid-face area. Some atrophic scarring and post-inflammatory marks are visible from previous breakouts.","id":"7c7e131e-a209-4afa-8568-b18347a58bca","created_at":"2026-03-06T10:09:53.917727"},{"snapshot_date":"2026-03-07","overall_state":"fair","skin_type":"acne_prone","texture":"bumpy","hydration_level":3,"sebum_tzone":4,"sebum_cheeks":3,"sensitivity_level":3,"barrier_state":"mildly_compromised","active_concerns":["acne","redness","pore_visibility","uneven_texture"],"risks":[],"priorities":["calm active inflammation","unclog pores","strengthen skin barrier"],"notes":"The skin shows active inflammatory papules and pustules primarily on the lower cheeks and jawline. There is visible diffuse redness and enlarged pores in the mid-face area, suggesting a combination of acne and possible mild rosacea. Fine lines are visible on the forehead, and the overall texture appears uneven due to active lesions and previous scarring.","id":"96f4332b-2de2-4f26-9490-2e72d42164bd","created_at":"2026-03-07T10:25:31.976900"}]
\ No newline at end of file

From cc73c8a7f4bb5791a500d7be1dc7a9aa8e3eac0b Mon Sep 17 00:00:00 2001
From: Piotr Oleszczyk <piotr@oleszczyk.eu>
Date: Thu, 12 Mar 2026 16:51:13 +0100
Subject: [PATCH 10/10] chore: remove unused import

---
 backend/innercontext/api/routines.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/backend/innercontext/api/routines.py b/backend/innercontext/api/routines.py
index 3b825ff..4f4264f 100644
--- a/backend/innercontext/api/routines.py
+++ b/backend/innercontext/api/routines.py
@@ -8,7 +8,7 @@ from uuid import UUID, uuid4
 from fastapi import APIRouter, Depends, HTTPException, Query
 from google.genai import types as genai_types
 from pydantic import BaseModel as PydanticBase
-from sqlalchemy import or_
+
 from sqlmodel import Field, Session, SQLModel, col, select
 
 from db import get_session