StaticFiles is a Starlette primitive — its 404 raises
starlette.exceptions.HTTPException, NOT fastapi.HTTPException
(which subclasses Starlette's). My initial except clause caught the
subclass and let the base class propagate, so /scenarios still 404'd.
Switch to except StarletteHTTPException so both the parent and any
FastAPI subclass are caught. Verified end-to-end via chrome-service
in the next deploy.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
StaticFiles(html=True) only serves index.html for directory paths,
which 404s on /scenarios, /what-if, /scenarios/123 — anything React
Router owns. Subclass StaticFiles to catch the 404 from get_response
and return index.html so the SPA can take over routing client-side.
API routes still match first (under /api/* in prod), so no risk of
shadowing.
Found via headless verification through chrome-service: dashboard
loaded 200 + nav rendered, but /scenarios + /what-if returned 404.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Three-stage build:
1. node:22-alpine — `npm ci` + `npm run build` produces frontend/dist
2. python:3.12-slim — poetry installs backend deps into a venv
3. python:3.12-slim — runtime, copies the venv + frontend/dist,
sets FRONTEND_DIST=/app/frontend_dist
Backend gates the API surface on FRONTEND_DIST:
- Unset (dev / tests): routers mount at root (/networth, /scenarios,
…). 172 tests still pass unchanged. The Vite dev server proxies
`/api/*` → backend stripping the prefix.
- Set (prod): routers mount under `/api/*`. The SPA bundle mounts at
`/` with html=True so React Router owns client routing for paths
like `/scenarios`, `/what-if`. Same-origin, no CORS, one deploy.
Operational endpoints (`/healthz`, `/metrics`, `/recompute`) stay at
root in both shapes.
Existing Woodpecker pipeline picks this up unchanged — same context,
same Dockerfile path, just produces a richer image.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Adds the read+write endpoints the frontend needs to drive a
ProjectionLab-style UX on top of the existing engine.
- /networth, /networth/history — NW total + per-account from
account_snapshot (frontend chart)
- /scenarios CRUD + projection — list/get/create/patch/delete user
scenarios; cartesian read-only
- /scenarios/{id}/life-events — life event CRUD nested under scenario
- /life-events/{id} — patch + delete by id
- /scenarios/{id}/goals,
/goals/{id} — retirement goal CRUD
- /simulate, /compare — sync, no-DB-write what-if endpoints
Auth: Bearer-token dependency on writes + simulate when API_BEARER_TOKEN
is set; reads always open (lock down via Authentik-fronted ingress in
prod). Existing /recompute keeps its bearer auth.
CORS middleware reads FRONTEND_ORIGINS (comma-separated) for the dev
SPA. Lifespan now provisions the SQLAlchemy engine + session_factory
on app.state and disposes them on shutdown.
40 new tests covering happy paths and validation. 172 tests total.
mypy strict + ruff clean (B008 ignore added — Depends() in defaults
is the canonical FastAPI pattern, not a bug).
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
