Adds a "Returns model" picker on /what-if that switches how the
simulator's `paths` (n_paths × n_years × 3) is built:
1. shiller (default) — current behaviour, block-bootstrap of the
Shiller 1871+ historical series (or its synthetic-calibrated
fallback when the CSV isn't mounted).
2. manual — every year of every path = the user's "real return %"
input. Deterministic, no fan, useful for sanity checks. New
helper `constant_real_return_paths` constructs the (n_paths,
n_years, 3) tensor with stock=bond=real, cpi=0 so the simulator's
`(1+nominal)/(1+cpi)-1` short-circuits to exactly the input.
3. wealthfolio — pulls daily_account_valuation from the wealthfolio_sync
PG mirror, sums total_value + net_contribution across accounts per
day (FX-adjusted), strips contribution deltas to isolate market
return, compounds daily returns into per-calendar-year samples,
block-bootstraps with block_size=1 (only ~6 distinct samples
available, no serial-correlation signal to preserve). Glide path
is a no-op in this mode — the user's actual blended portfolio is
treated as a single asset.
API: SimulateRequest gains `returns_mode` ("shiller"|"manual"|
"wealthfolio") + `manual_real_return_pct`. simulate.py's `_build_paths`
dispatches; wealthfolio mode opens a transient session against the
mirror DB.
UI: new Field on the form (next to Strategy / Glide path) with a
contextual hint that explains each option's tradeoff. The "About the
model" panel at the bottom now has a "Returns model" section
mirroring the same content. The Manual % input only shows when
returns_mode='manual'.
10 new tests on the Wealthfolio helper (contribution-stripping,
multi-account aggregation, FX, partial-year drop, TOTAL filter,
empty-input, plus 3 deterministic-paths tests). 198 backend tests +
7 frontend tests. mypy strict + ruff + tsc strict all pass.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Two fixes:
(1) Simulator: portfolio drain is now `w + tax(w)`, not just `w`.
The pre-2026-05-10 engine recorded tax in tax_hist but never
subtracted it from the portfolio, so changing jurisdiction only
moved the median_lifetime_tax cell — the fan chart, success
rate, and ending percentiles were identical for UK vs Cyprus
vs Malaysia. (The PLAYBOOK_VIKTOR.md memo from 2026-04-26
explicitly noted this: "Success rate is regime-independent…
tax doesn't drain the portfolio in this simulator.")
Mental model now: spending_target is what the user takes home;
the tax bill is an additional drag on the same pool. Higher-tax
jurisdictions therefore drain faster and lower the success
rate, which is the user's intuition. Trinity 4% effectively
becomes "4% take-home + tax overhead". 188 tests still pass —
most use Malaysia (0%) or hit the regime-independent code paths.
(2) /what-if and /scenarios/new now pre-fill nw_seed_gbp from
GET /networth on first mount (when the wealthfolio_sync mirror
has data), so opening the form starts from the user's real
portfolio total instead of the £1.5M placeholder. Once the user
edits the field, subsequent NW refetches don't clobber it
(nwAutoFilled latch).
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
The SPA can't carry a Bearer header — there's no client-side mechanism
to obtain the RECOMPUTE_BEARER_TOKEN, and the value can't safely be
embedded in the JS bundle. Result: every POST/PATCH/DELETE on
scenarios/life-events/goals + every /simulate + /compare returned 401
in prod, breaking the SPA end-to-end.
Strip require_bearer from the routers. Authentik forward-auth on the
SPA path (/) is now the security boundary; /api/* is open at both
ingress + app level. Single-tenant personal tool — the data is
the user's own anonymous numeric projections.
Kept on /recompute (heavy admin batch in app.py) since that's an
operator action, not a user one.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
StaticFiles is a Starlette primitive — its 404 raises
starlette.exceptions.HTTPException, NOT fastapi.HTTPException
(which subclasses Starlette's). My initial except clause caught the
subclass and let the base class propagate, so /scenarios still 404'd.
Switch to except StarletteHTTPException so both the parent and any
FastAPI subclass are caught. Verified end-to-end via chrome-service
in the next deploy.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
StaticFiles(html=True) only serves index.html for directory paths,
which 404s on /scenarios, /what-if, /scenarios/123 — anything React
Router owns. Subclass StaticFiles to catch the 404 from get_response
and return index.html so the SPA can take over routing client-side.
API routes still match first (under /api/* in prod), so no risk of
shadowing.
Found via headless verification through chrome-service: dashboard
loaded 200 + nav rendered, but /scenarios + /what-if returned 404.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Until now life events were stored but ignored by the engine — pure
metadata. Now they actually move portfolios.
Engine:
- simulator.simulate() takes optional cashflow_adjustments: a (n_years,)
real-GBP array applied each year *after* savings + return but
*before* withdrawal. Positive = inflow, negative = outflow.
- New fire_planner/life_events.py with EventInput dataclass +
events_to_cashflow_array(events, horizon). Handles ranged deltas,
one-time amounts, disabled events, year clipping past horizon,
negative year_start (clipped to 0), and summing multiple events.
API:
- /simulate accepts optional life_events list. Server converts each
to EventInput, builds cashflow_adjustments, passes to simulate().
- Frontend Run-now on scenario detail now fetches the scenario's
life events and includes them in the request — projections finally
reflect "retire at 50, kid born at y3, inheritance at y22".
Tests: 11 events helper + 4 end-to-end engine + 1 API integration =
16 new tests. 188 total (was 172). mypy strict + ruff clean.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Three-stage build:
1. node:22-alpine — `npm ci` + `npm run build` produces frontend/dist
2. python:3.12-slim — poetry installs backend deps into a venv
3. python:3.12-slim — runtime, copies the venv + frontend/dist,
sets FRONTEND_DIST=/app/frontend_dist
Backend gates the API surface on FRONTEND_DIST:
- Unset (dev / tests): routers mount at root (/networth, /scenarios,
…). 172 tests still pass unchanged. The Vite dev server proxies
`/api/*` → backend stripping the prefix.
- Set (prod): routers mount under `/api/*`. The SPA bundle mounts at
`/` with html=True so React Router owns client routing for paths
like `/scenarios`, `/what-if`. Same-origin, no CORS, one deploy.
Operational endpoints (`/healthz`, `/metrics`, `/recompute`) stay at
root in both shapes.
Existing Woodpecker pipeline picks this up unchanged — same context,
same Dockerfile path, just produces a richer image.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Adds the read+write endpoints the frontend needs to drive a
ProjectionLab-style UX on top of the existing engine.
- /networth, /networth/history — NW total + per-account from
account_snapshot (frontend chart)
- /scenarios CRUD + projection — list/get/create/patch/delete user
scenarios; cartesian read-only
- /scenarios/{id}/life-events — life event CRUD nested under scenario
- /life-events/{id} — patch + delete by id
- /scenarios/{id}/goals,
/goals/{id} — retirement goal CRUD
- /simulate, /compare — sync, no-DB-write what-if endpoints
Auth: Bearer-token dependency on writes + simulate when API_BEARER_TOKEN
is set; reads always open (lock down via Authentik-fronted ingress in
prod). Existing /recompute keeps its bearer auth.
CORS middleware reads FRONTEND_ORIGINS (comma-separated) for the dev
SPA. Lifespan now provisions the SQLAlchemy engine + session_factory
on app.state and disposes them on shutdown.
40 new tests covering happy paths and validation. 172 tests total.
mypy strict + ruff clean (B008 ignore added — Depends() in defaults
is the canonical FastAPI pattern, not a bug).
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Two new tables and three new columns on `scenario` to give the
ProjectionLab-style UI a place to land:
- `scenario` gains `kind` (cartesian | user), `name`, `description`,
`parent_scenario_id`. Existing Cartesian flow keeps `kind='cartesian'`
by default; user-defined scenarios point `parent_scenario_id` at the
base they cloned from (NULL for root).
- `life_event` — timed events on a scenario timeline: retirement, kid
born, mortgage payoff, sabbatical, inheritance, etc. `year_start` and
`year_end` are scenario-relative (year 0 = today).
`delta_gbp_per_year` covers ranged effects; `one_time_amount_gbp`
covers one-shot impacts. `enabled` lets the UI toggle without delete.
- `retirement_goal` — user-defined success criteria (target_nw,
never_run_out, inheritance, ...). `comparator` + `success_threshold`
let the goal say "≥ £2M at year 25 in ≥ 90% of paths".
Migration 0002 adds the columns + tables idempotently.
145 tests; mypy strict + ruff clean.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
The previous SQLite-direct reader queried `holdings_snapshot` (singular)
and `accounts.type` — both wrong against the live wealthfolio schema
(plural `holdings_snapshots`, column `account_type`). It silently
returned [] via the OperationalError fallback, leaving fire-planner with
stale account snapshots.
Switch to reading from the wealthfolio_sync PG mirror. The pg-sync
sidecar (defined in infra/stacks/wealthfolio) hourly mirrors SQLite to
Postgres with a clean schema. We read from `daily_account_valuation`
which already has total_value, cost_basis, and explicit fx_rate_to_base
per row — no JSON-decoding of position blobs.
CLI ingest no longer takes --db-path (no kubectl-exec gymnastics);
reads WEALTHFOLIO_SYNC_DB_CONNECTION_STRING from env. Falls back to
DB_CONNECTION_STRING for single-DB local dev.
13 new tests covering: latest-per-account, multi-currency FX, explicit
as-of, empty mirror, null cost_basis, full pipeline through upsert.
140 tests pass; mypy strict + ruff clean.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
