Commit graph

2 commits

Author SHA1 Message Date
Viktor Barzin
f781afe3fa api: drop bearer-token gate from /api/* CRUD + simulate
All checks were successful
ci/woodpecker/push/woodpecker Pipeline was successful
The SPA can't carry a Bearer header — there's no client-side mechanism
to obtain the RECOMPUTE_BEARER_TOKEN, and the value can't safely be
embedded in the JS bundle. Result: every POST/PATCH/DELETE on
scenarios/life-events/goals + every /simulate + /compare returned 401
in prod, breaking the SPA end-to-end.

Strip require_bearer from the routers. Authentik forward-auth on the
SPA path (/) is now the security boundary; /api/* is open at both
ingress + app level. Single-tenant personal tool — the data is
the user's own anonymous numeric projections.

Kept on /recompute (heavy admin batch in app.py) since that's an
operator action, not a user one.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-09 23:56:37 +00:00
Viktor Barzin
ee6ed1d3c4 api: expand FastAPI surface for scenarios, networth, life-events, goals, simulate
All checks were successful
ci/woodpecker/push/woodpecker Pipeline was successful
Adds the read+write endpoints the frontend needs to drive a
ProjectionLab-style UX on top of the existing engine.

- /networth, /networth/history    — NW total + per-account from
                                     account_snapshot (frontend chart)
- /scenarios CRUD + projection    — list/get/create/patch/delete user
                                     scenarios; cartesian read-only
- /scenarios/{id}/life-events     — life event CRUD nested under scenario
- /life-events/{id}               — patch + delete by id
- /scenarios/{id}/goals,
  /goals/{id}                     — retirement goal CRUD
- /simulate, /compare             — sync, no-DB-write what-if endpoints

Auth: Bearer-token dependency on writes + simulate when API_BEARER_TOKEN
is set; reads always open (lock down via Authentik-fronted ingress in
prod). Existing /recompute keeps its bearer auth.

CORS middleware reads FRONTEND_ORIGINS (comma-separated) for the dev
SPA. Lifespan now provisions the SQLAlchemy engine + session_factory
on app.state and disposes them on shutdown.

40 new tests covering happy paths and validation. 172 tests total.
mypy strict + ruff clean (B008 ignore added — Depends() in defaults
is the canonical FastAPI pattern, not a bug).

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-09 21:48:36 +00:00
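
The gate described in ee6ed1d3c4 (bearer token required on writes and on /simulate and /compare only when API_BEARER_TOKEN is set, reads always open), written framework-free as an added example. This is not the project's code: the function names, the 200/401 return convention and the sample token are assumptions, and /recompute is left out.

```python
import hmac
from typing import Optional

# Hypothetical policy, built from the endpoint list in the commit message.
WRITE_METHODS = {"POST", "PATCH", "DELETE"}
GATED_PREFIXES = ("/simulate", "/compare")  # what-if endpoints, gated like writes


def needs_bearer(method: str, path: str) -> bool:
    """Writes and the what-if endpoints are gated; plain reads are not."""
    return method.upper() in WRITE_METHODS or path.startswith(GATED_PREFIXES)


def parse_bearer(header: Optional[str]) -> Optional[str]:
    """Return the credential from 'Bearer <token>', or None if malformed."""
    if not header:
        return None
    scheme, _, credential = header.strip().partition(" ")
    credential = credential.strip()
    if scheme.lower() != "bearer" or not credential:
        return None
    return credential


def authorize(method: str, path: str, authorization: Optional[str],
              configured_token: Optional[str]) -> int:
    """Return the status the gate would produce: 200 (pass) or 401."""
    if not configured_token:
        # Variable unset: the app-level gate is off, so any ingress-level
        # control is the only one left in front of these routes.
        return 200
    if not needs_bearer(method, path):
        return 200
    presented = parse_bearer(authorization)
    if presented is None:
        return 401
    # Constant-time comparison avoids leaking the token through timing.
    same = hmac.compare_digest(presented.encode(), configured_token.encode())
    return 200 if same else 401


if __name__ == "__main__":
    token = "constructed-sample-token"  # constructed value, not a real secret
    for req in [("GET", "/networth", None),
                ("POST", "/scenarios", None),
                ("POST", "/simulate", "Bearer " + token)]:
        print(req[0], req[1], authorize(*req, token))
```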