last phase & manual fixing

MIGRATION_PLAN.md

@@ -104,57 +104,60 @@ cteward-ng/
 
 ---
 
-## Phase 4: Authentication & Authorization
+## Phase 4: Authentication & Authorization ✅ DONE
 
-- [ ] **Port `authprovider.js`** → `auth.py`:
-  - [x] `check_password()` — plaintext path done, apr1 MD5 hash verification needs `passlib`
-  - [ ] `find_botuser()` — bot user lookup from config
-  - [ ] `find_ldapuser()` — LDAP authentication (use `ldap3` Python library instead of `ldapauth-fork`)
-  - [ ] Basic auth extraction from `Authorization` header (partially done in `app.py` for logging)
-- [ ] **Port permission resolution** → `permissions.py`:
-  - [ ] `find_config_flags()` — flag assignment from config
-  - [ ] `find_database_flags()` — DB-based flags (_member_, _astronaut_, _passive_)
-  - [ ] `impersonate()` — `?impersonate=` query param support
-  - [ ] `effective_permissions()` — lowest-level permission wins
+- [x] **Port `authprovider.js`** → `auth.py`:
+  - [x] `check_password()` — plaintext + apr1 MD5 via `passlib.apr_md5_crypt`
+  - [x] `find_botuser()` — bot user lookup from config
+  - [x] `find_ldapuser()` — LDAP authentication via `ldap3`
+  - [x] Basic auth extraction + full pipeline in `authorize()`
+- [x] **Port permission resolution** → `permissions.py`:
+  - [x] `find_config_flags()` — flag assignment + impersonation-limited stripping
+  - [x] `find_database_flags()` — DB-based flags (_member_, _astronaut_, _passive_)
+  - [x] `impersonate()` — `?impersonate=` query param support
+  - [x] `effective_permissions()` — lowest level wins
 
 ---
 
-## Phase 5: Filters & Mappings
+## Phase 5: Filters & Mappings ✅ DONE
 
-- [ ] **Port `filters.js`** → `filters.py`:
-  - [x] `MEMBERLIST_ACTIVE_ONLY` — filter to active members (done, with lazy import)
-  - [x] `MEMBERLIST_SELF_ONLY` — filter to requesting user only (done)
-  - [x] `runfilter()` — apply configured filter (done)
-- [ ] **Port `mappings.js`** → `mappings.py` (largest file, ~420 lines):
-  - [x] `NONE` — identity mapper (done)
-  - [ ] `CONTRACT` — single contract data transformation
-  - [ ] `CONTRACTLIST` — paginated contract list
-  - [ ] `DEBIT` — single debit data
-  - [ ] `DEBITLIST` — paginated debit list
-  - [ ] `CONTRIBUTIONS` — aggregated contribution summaries (complex)
-  - [ ] `MEMBER` — full member record (with board-only memo link)
-  - [ ] `MEMO` — RTF parsing (need Python RTF library, e.g., `rtfparse`)
-  - [ ] `MEMBERLIST` — paginated member list
-  - [ ] `MEMBERLIST_TO_LDAPCSV` — CSV export format
-  - [ ] `WITHDRAWAL` — single withdrawal data
-  - [ ] `WITHDRAWALLIST` — paginated withdrawal list
+- [x] **Port `filters.js`** → `filters.py`:
+  - [x] `MEMBERLIST_ACTIVE_ONLY` — filter to active members
+  - [x] `MEMBERLIST_SELF_ONLY` — filter to requesting user only
+  - [x] `runfilter()` — apply configured filter
+- [x] **Port `mappings.js`** → `mappings.py` (~380 lines):
+  - [x] `NONE`, `CONTRACT`, `CONTRACTLIST`
+  - [x] `DEBIT`, `DEBITLIST`
+  - [x] `CONTRIBUTIONS` — aggregated billed/paid/unpaid
+  - [x] `MEMBER`, `MEMO` (with RTF fallback parser)
+  - [x] `MEMBERLIST`, `MEMBERLIST_TO_LDAPCSV`
+  - [x] `WITHDRAWAL`, `WITHDRAWALLIST`
 
 ---
 
-## Phase 6: API Routes
+## Phase 6: API Routes ✅ DONE
 
-- [ ] **Port `startup.js` routes** → `views.py` (Flask blueprints):
-  - [x] `GET /legacy/monitor` — health check (returns OK placeholder)
-  - [ ] `GET /legacy/memberlist-oldformat` — CSV member list (LDAP export)
-  - [ ] `GET /legacy/stats/members` — member count over time
-  - [ ] `GET /legacy/stats/contracts` — contract statistics
-  - [ ] `GET /legacy/stats/genders` — gender demographics
-  - [ ] `GET /legacy/stats/ages` — age demographics
-  - [ ] `GET /legacy/member/<crewname>` — member details or list
-  - [ ] `GET /legacy/member/<crewname>/raw` — raw DB record
-  - [ ] `GET /legacy/member/<crewname>/memo` — RTF memo
-  - [ ] `GET /legacy/member/<crewname>/contributions` — contribution summary
-  - [ ] `GET /legacy/member/<crewname>/<contract|debit|withdrawal|payment>/[<id>]/raw/` — raw detail records
+All 11 endpoints implemented with full auth → query → filter → map → render pipeline:
+  - [x] `GET /legacy/monitor`
+  - [x] `GET /legacy/memberlist-oldformat` (CSV)
+  - [x] `GET /legacy/stats/members`, `/contracts`, `/genders`, `/ages`
+  - [x] `GET /legacy/member/<crewname>` (single or list based on ''/'*')
+  - [x] `GET /legacy/member/<crewname>/raw`
+  - [x] `GET /legacy/member/<crewname>/memo` (board-only)
+  - [x] `GET /legacy/member/<crewname>/contributions` (board-only)
+  - [x] `GET /legacy/member/<crewname>/<contract|debit|withdrawal|payment>/[<id>]/raw/`
+
+---
+
+## Phase 9: Tests ✅ 103 passing
+
+- [x] Config tests (4) — loading, defaults, missing file, invalid JSON
+- [x] Database tests (16) — init, connected, health check, query execution, member lookup
+- [x] Memberdata tests (20) — realstatus, datum, patenarray, cleanpaten
+- [x] Auth tests (21) — check_password, basic auth parsing, bot/LDAP auth, pipeline
+- [x] Permissions tests (16) — flag resolution, self-detection, impersonation gating
+- [x] Mappings tests (19) — all 12 mappers with realistic data shapes
+- [x] Views integration tests (10) — monitor, stats, member, memo, contributions, detail raw
 
 ---
 
@@ -214,10 +217,10 @@ cteward-ng/
 | 1. Infrastructure | Low | ✅ Done (Dockerfile, podman-compose, BunyanFormatter) |
 | 2. Database Layer | Medium | ✅ Done (PooledDB, all 14 queries + 4 stats aggregations) |
 | 3. Data Utilities | Low | ✅ Done |
-| 4. Auth & Permissions | Medium | ⬜ Pending |
-| 5. Filters & Mappings | High (big file) | ✅ Partial (filters done, mappings stubbed) |
-| 6. API Routes | Medium | ⬜ Pending |
+| 4. Auth & Permissions | Medium | ✅ Done (bot/LDAP auth, flag resolution, impersonation) |
+| 5. Filters & Mappings | High (big file) | ✅ Done (all 12 mappers + 2 filters) |
+| 6. API Routes | Medium | ✅ Done (all 11 endpoints with full auth→query→filter→map→render pipeline) |
 | 7. Response Rendering | Low | ✅ Done |
 | 8. Middleware | Low | ✅ Done (BunyanFormatter, WWW-Authenticate, CORS, gzip) |
-| 9. Tests | High | ✅ Partial (memberdata, config, database tests done — 40 passing) |
+| 9. Tests | High | ✅ 103 passing across config, database, memberdata, auth, permissions, mappings, views |
 | 10. Validation | Medium | ⬜ Pending |