Spaces:

Lukeetah
/

Inventory

Sleeping

App Files Files Community

Inventory / app.py

Lukeetah

Update app.py

0b5603a verified about 1 year ago

raw

history blame contribute delete

69.8 kB

	# -- coding: utf-8 --
	"""
	Business Automation Suite - AI-Ready Core v3.0 (User Management Added)
	Designed by Gemini Advanced Development Unit under impeccable direction.
	Target Platform: Hugging Face Spaces (Free Tier)
	Architecture: Single-File Ultra-Efficient Application with API Backend
	"""

	import sqlite3
	import hashlib
	import secrets
	import datetime
	import json
	import os
	from flask import Flask, request, jsonify, session, render_template_string, redirect, url_for, Response
	from functools import wraps
	from typing import Dict, List, Tuple, Optional, Any, Union

	# --- Constants and Configuration ---

	DB_NAME = "business_suite_v3.db" # Use a different DB name for v3 or keep v2 name if migrating data
	SALT_LENGTH = 16
	SECRET_KEY = secrets.token_hex(24) # Regenerate or get from environment in production

	# --- Database Core: The Central Nervous System ---

	def get_db_connection() -> sqlite3.Connection:
	"""Establishes and returns a database connection. Enables Foreign Keys."""
	conn = sqlite3.connect(DB_NAME, check_same_thread=False) # check_same_thread=False is needed for Flask/multi-threading
	conn.row_factory = sqlite3.Row
	conn.execute("PRAGMA foreign_keys = ON;")
	return conn

	def setup_database():
	"""Initializes the database schema if it doesn't exist. Idempotent."""
	required_tables = {"users", "business_config", "inventory_items", "suppliers", "purchase_suggestions", "event_log"}
	conn_check = None
	try:
	db_exists = os.path.exists(DB_NAME)
	if db_exists:
	conn_check = get_db_connection()
	cursor_check = conn_check.cursor()
	cursor_check.execute("SELECT name FROM sqlite_master WHERE type='table';")
	existing_tables = {row[0] for row in cursor_check.fetchall()}
	conn_check.close()
	else:
	existing_tables = set()

	if not required_tables.issubset(existing_tables):
	print("INFO: Database schema not found or incomplete. Initializing...")
	conn = get_db_connection()
	cursor = conn.cursor()

	# Users Table (Schema unchanged, but central to this update)
	cursor.execute("""
	CREATE TABLE IF NOT EXISTS users (
	username TEXT PRIMARY KEY,
	hashed_password TEXT NOT NULL,
	salt TEXT NOT NULL,
	is_admin INTEGER DEFAULT 0 NOT NULL,
	created_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP
	);
	""")

	# Business Configuration
	cursor.execute("""
	CREATE TABLE IF NOT EXISTS business_config (
	config_key TEXT PRIMARY KEY,
	config_value TEXT,
	description TEXT,
	last_updated TIMESTAMP DEFAULT CURRENT_TIMESTAMP
	);
	""")

	# Inventory Items
	cursor.execute("""
	CREATE TABLE IF NOT EXISTS inventory_items (
	item_id INTEGER PRIMARY KEY AUTOINCREMENT,
	item_name TEXT UNIQUE NOT NULL,
	description TEXT,
	current_quantity REAL DEFAULT 0 NOT NULL,
	unit TEXT DEFAULT 'units' NOT NULL,
	reorder_level REAL,
	preferred_supplier_id INTEGER,
	last_updated TIMESTAMP DEFAULT CURRENT_TIMESTAMP,
	FOREIGN KEY (preferred_supplier_id) REFERENCES suppliers(supplier_id) ON DELETE SET NULL
	);
	""")

	# Suppliers
	cursor.execute("""
	CREATE TABLE IF NOT EXISTS suppliers (
	supplier_id INTEGER PRIMARY KEY AUTOINCREMENT,
	supplier_name TEXT UNIQUE NOT NULL,
	contact_info TEXT,
	notes TEXT,
	created_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP
	);
	""")

	# Purchase Suggestions
	cursor.execute("""
	CREATE TABLE IF NOT EXISTS purchase_suggestions (
	suggestion_id INTEGER PRIMARY KEY AUTOINCREMENT,
	item_id INTEGER NOT NULL,
	suggested_quantity REAL NOT NULL,
	supplier_id INTEGER,
	reason TEXT,
	status TEXT DEFAULT 'pending' NOT NULL CHECK(status IN ('pending', 'ordered', 'received', 'cancelled')),
	created_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP,
	resolved_at TIMESTAMP,
	FOREIGN KEY (item_id) REFERENCES inventory_items(item_id) ON DELETE CASCADE,
	FOREIGN KEY (supplier_id) REFERENCES suppliers(supplier_id) ON DELETE SET NULL
	);
	""")

	# Event Log
	cursor.execute("""
	CREATE TABLE IF NOT EXISTS event_log (
	log_id INTEGER PRIMARY KEY AUTOINCREMENT,
	event_type TEXT NOT NULL,
	username TEXT,
	details TEXT,
	timestamp TIMESTAMP DEFAULT CURRENT_TIMESTAMP
	);
	""")

	# Default Data (Only if creating tables)
	# Create a default admin user if none exists
	cursor.execute("SELECT COUNT(*) FROM users WHERE is_admin = 1;")
	if cursor.fetchone()[0] == 0:
	print("INFO: Creating default admin user 'admin' with password 'changeme'. PLEASE CHANGE THIS PASSWORD.")
	default_username = "admin"
	default_password = "changeme"
	salt = secrets.token_hex(SALT_LENGTH)
	hashed_password = hash_password(default_password, salt)
	cursor.execute("""
	INSERT INTO users (username, hashed_password, salt, is_admin)
	VALUES (?, ?, ?, 1)
	""", (default_username, hashed_password, salt))
	# Manually log event here as log_event might not be fully ready if DB just created
	cursor.execute("INSERT INTO event_log (username, event_type, details) VALUES (?, ?, ?)",
	('System', 'DEFAULT_ADMIN_CREATED', json.dumps({'username': default_username})))


	# Default business config
	default_config = {
	'business_name': ('My Automated Business', 'The name displayed in the UI'),
	'low_stock_alert_threshold_pct': ('0.1', 'Alert if stock falls below 10% of reorder level (if set)'),
	'default_currency': ('USD', 'Default currency symbol')
	}
	for key, (value, desc) in default_config.items():
	cursor.execute("INSERT OR IGNORE INTO business_config (config_key, config_value, description) VALUES (?, ?, ?)", (key, value, desc))

	conn.commit()
	print("INFO: Database initialization complete.")
	conn.close()
	else:
	print("INFO: Database schema already exists.")

	except sqlite3.Error as e:
	print(f"FATAL: Database setup/check failed: {e}")
	if conn_check: conn_check.close()
	raise
	except Exception as e:
	print(f"FATAL: An unexpected error occurred during database setup: {e}")
	if conn_check: conn_check.close()
	raise

	# --- Security Module (Hashing unchanged, Auth adapted for Flask) ---

	def hash_password(password: str, salt: str) -> str:
	"""Hashes the password with the given salt using SHA-256."""
	password_bytes = password.encode('utf-8')
	salt_bytes = salt.encode('utf-8')
	hashed = hashlib.pbkdf2_hmac('sha256', password_bytes, salt_bytes, 100000)
	return hashed.hex()

	def verify_password(stored_password_hash: str, salt: str, provided_password: str) -> bool:
	"""Verifies a provided password against a stored hash and salt."""
	provided_hash = hash_password(provided_password, salt)
	return provided_hash == stored_password_hash

	# --- Authentication/Authorization Decorators ---

	def login_required(f):
	"""Decorator to restrict access to logged-in users."""
	@wraps(f)
	def decorated_function(args, *kwargs):
	if 'username' not in session:
	# For API requests, return 401 Unauthorized
	if request.endpoint and request.endpoint.startswith('api_'):
	return jsonify({"success": False, "message": "Authentication required"}), 401
	# For page loads, redirect to login (index route handles this now)
	return redirect(url_for('index')) # Redirect back to index which renders login if not auth
	return f(args, *kwargs)
	return decorated_function

	def admin_required(f):
	"""Decorator to restrict access to admin users."""
	@wraps(f)
	@login_required # Ensure user is logged in first
	def decorated_function(args, *kwargs):
	if not session.get('is_admin', False):
	# For API requests, return 403 Forbidden
	if request.endpoint and request.endpoint.startswith('api_'):
	return jsonify({"success": False, "message": "Admin access required"}), 403
	# For page loads (not currently used for admin-only pages, but good practice)
	return jsonify({"success": False, "message": "Admin access required"}), 403 # Should ideally redirect or render error page
	return f(args, *kwargs)
	return decorated_function


	# --- Event Logging Module ---

	def log_event(username: Optional[str], event_type: str, details: Dict[str, Any]):
	"""Logs an event to the database."""
	# Ensure details are serializable (handle common non-serializable types)
	serializable_details = {}
	for k, v in details.items():
	if isinstance(v, (str, int, float, bool, list, dict, tuple)) or v is None:
	serializable_details[k] = v
	else:
	try:
	serializable_details[k] = json.dumps(v) # Try serializing complex objects
	except TypeError:
	serializable_details[k] = str(v) # Fallback to string conversion


	try:
	conn = get_db_connection()
	cursor = conn.cursor()
	# Add remote_addr to logs where available (especially for login)
	event_details = serializable_details
	if request and request.remote_addr:
	event_details['ip_address'] = request.remote_addr


	cursor.execute("""
	INSERT INTO event_log (username, event_type, details)
	VALUES (?, ?, ?)
	""", (username, event_type, json.dumps(event_details)))
	conn.commit()
	conn.close()
	except sqlite3.Error as e:
	print(f"ERROR: Failed to log event {event_type} for user {username}: {e}")
	except TypeError as te:
	print(f"ERROR: Failed to serialize details for event {event_type}: {te} - Details: {serializable_details}")
	except Exception as ex: # Catch unexpected errors during logging itself
	print(f"ERROR: Unexpected error in log_event for {event_type}: {ex}")


	# --- Business Logic Core (Inventory, Suppliers, Suggestions - Unchanged) ---
	# (Omitted here for brevity as they are the same as v2.0 logic functions,
	# assuming they are present above the API routes in the final app.py file)
	# e.g., get_business_config_logic, update_business_config_logic,
	# get_inventory_summary_logic, add_inventory_item_logic, update_inventory_quantity_logic,
	# get_suppliers_logic, add_supplier_logic,
	# check_and_suggest_reorders_logic, get_pending_suggestions_logic, resolve_suggestion_logic

	# --- NEW: User Management Logic ---

	def get_users_logic() -> List[Dict[str, Any]]:
	"""Retrieves a list of all users (excluding sensitive info)."""
	users = []
	try:
	conn = get_db_connection()
	cursor = conn.cursor()
	# Select only safe fields for UI
	cursor.execute("SELECT username, is_admin, created_at FROM users ORDER BY username;")
	users = [dict(row) for row in cursor.fetchall()] # Convert to dicts
	conn.close()
	except sqlite3.Error as e:
	print(f"ERROR: Failed to retrieve users: {e}")
	# Consider raising an exception or returning an error structure
	return users


	def add_user_logic(username: str, password: str, is_admin: bool, creating_user_username: str) -> Tuple[bool, str]:
	"""Adds a new user to the database."""
	if not username or not password:
	return False, "Username and password are required."

	try:
	# Basic sanitization (more robust validation recommended)
	username = username.strip()
	if len(username) < 3: return False, "Username must be at least 3 characters long."
	if len(password) < 6: return False, "Password must be at least 6 characters long." # Example policy

	salt = secrets.token_hex(SALT_LENGTH)
	hashed_password = hash_password(password, salt)

	conn = get_db_connection()
	cursor = conn.cursor()

	# Check if username already exists
	cursor.execute("SELECT COUNT(*) FROM users WHERE username = ?", (username,))
	if cursor.fetchone()[0] > 0:
	conn.close()
	log_event(creating_user_username, 'ADD_USER_FAILURE', {'reason': 'Username exists', 'new_username': username})
	return False, f"Username '{username}' already exists."

	# Insert the new user
	cursor.execute("""
	INSERT INTO users (username, hashed_password, salt, is_admin)
	VALUES (?, ?, ?, ?)
	""", (username, hashed_password, salt, 1 if is_admin else 0))

	conn.commit()
	conn.close()
	log_event(creating_user_username, 'USER_ADDED', {'new_username': username, 'is_admin': is_admin})
	return True, f"User '{username}' added successfully."

	except sqlite3.IntegrityError:
	# Should be caught by the SELECT COUNT(*) but defense in depth
	log_event(creating_user_username, 'ADD_USER_FAILURE', {'reason': 'Integrity error (duplicate)', 'new_username': username})
	return False, f"Username '{username}' already exists (integrity error)."
	except sqlite3.Error as e:
	print(f"ERROR: Failed to add user {username}: {e}")
	log_event(creating_user_username, 'ADD_USER_ERROR', {'new_username': username, 'error': str(e)})
	return False, f"Database error adding user: {e}"
	except Exception as e:
	print(f"ERROR: Unexpected error in add_user_logic for {username}: {e}")
	log_event(creating_user_username, 'ADD_USER_UNEXPECTED_ERROR', {'new_username': username, 'error': str(e)})
	return False, f"An unexpected server error occurred: {e}"


	# --- Flask Application Setup ---
	app = Flask(__name__)
	app.secret_key = SECRET_KEY # MUST be set for sessions to work

	# --- HTML/CSS/JS Templates (Embedded in Python String) ---

	# NOTE: This is the only place where the HTML structure changes.
	# The JS part below will be updated to handle the new User section.
	HTML_TEMPLATE = """
	<!DOCTYPE html>
	<html lang="en">
	<head>
	<meta charset="UTF-8">
	<meta name="viewport" content="width=device-width, initial-scale=1.0">
	<title>Business Suite v3.0</title>
	<style>
	/* Ultra-minimalist CSS for efficiency - Inherited from v2 */
	body { font-family: sans-serif; line-height: 1.6; margin: 0; padding: 0; background-color: #f4f4f4; color: #333; }
	.container { max-width: 1200px; margin: 20px auto; padding: 20px; background-color: #fff; box-shadow: 0 0 10px rgba(0,0,0,0.1); border-radius: 8px; }
	header { display: flex; justify-content: space-between; align-items: center; border-bottom: 1px solid #eee; padding-bottom: 10px; margin-bottom: 20px; }
	header h1 { margin: 0; color: #555; font-size: 1.8em; }
	#user-info { font-size: 0.9em; }
	#logout-btn { background-color: #dc3545; color: white; border: none; padding: 8px 15px; border-radius: 4px; cursor: pointer; font-size: 0.9em; }
	#logout-btn:hover { background-color: #bb2d3b; }
	nav button { background-color: #007bff; color: white; border: none; padding: 10px 15px; margin-right: 10px; border-radius: 4px; cursor: pointer; font-size: 1em; }
	nav button:hover { background-color: #0056b3; }
	nav button.active { background-color: #0056b3; font-weight: bold; }
	h2 { color: #007bff; border-bottom: 2px solid #007bff; padding-bottom: 5px; margin-top: 30px; }
	section { display: none; margin-top: 20px; animation: fadeIn 0.5s; }
	section.active { display: block; }
	@keyframes fadeIn { from { opacity: 0; } to { opacity: 1; } }
	table { width: 100%; border-collapse: collapse; margin-top: 15px; font-size: 0.9em; }
	th, td { border: 1px solid #ddd; padding: 10px; text-align: left; }
	th { background-color: #f0f0f0; font-weight: bold; }
	tr:nth-child(even) { background-color: #f9f9f9; }
	form { margin-top: 20px; padding: 15px; background-color: #f9f9f9; border: 1px solid #eee; border-radius: 5px; }
	form label { display: block; margin-bottom: 5px; font-weight: bold; }
	form input[type="text"], form input[type="number"], form input[type="password"], form select, form textarea, form input[type="checkbox"] {
	padding: 10px;
	margin-bottom: 10px;
	border: 1px solid #ccc;
	border-radius: 4px;
	box-sizing: border-box; /* Include padding and border */
	display: inline-block; /* Align with labels */
	vertical-align: middle; /* Align with labels */
	}
	form input[type="checkbox"] { width: auto; margin-right: 5px; }
	form label[for] { /* Specific styling for labels linked to inputs */
	display: inline-block; /* Allow label and input to be on the same line */
	margin-bottom: 10px;
	margin-right: 15px; /* Space between label/input pairs */
	vertical-align: middle;
	font-weight: normal; /* Reduce weight for inline labels */
	}
	form input[type="text"], form input[type="number"], form input[type="password"], form select, form textarea {
	width: calc(100% - 22px); /* Default for full width */
	display: block; /* Revert to block for full-width inputs */
	margin-right: 0;
	}
	.form-group { margin-bottom: 0; }
	.form-group label[for] { display: block; font-weight: bold; margin-bottom: 5px; } /* Revert labels in form-group */

	form textarea { height: 60px; }
	form button { background-color: #28a745; color: white; border: none; padding: 12px 20px; border-radius: 4px; cursor: pointer; font-size: 1em; }
	form button:hover { background-color: #218838; }
	.form-grid { display: grid; grid-template-columns: repeat(auto-fit, minmax(200px, 1fr)); gap: 15px; }
	.status-message { padding: 10px; margin-top: 15px; border-radius: 4px; font-weight: bold; text-align: center; }
	.status-success { background-color: #d4edda; color: #155724; border: 1px solid #c3e6cb; }
	.status-error { background-color: #f8d7da; color: #721c24; border: 1px solid #f5c6cb; }
	.hidden { display: none !important; } /* Use important to override form-grid display */
	.accordion { background-color: #eee; color: #444; cursor: pointer; padding: 12px; width: 100%; text-align: left; border: none; outline: none; transition: 0.4s; margin-top: 10px; border-radius: 4px; }
	.accordion:hover, .accordion.active { background-color: #ccc; }
	.panel { padding: 0 18px; background-color: white; display: none; overflow: hidden; border: 1px solid #eee; border-top: none; border-radius: 0 0 4px 4px; }
	/* Login Form Specifics - Inherited from v2 */
	#login-form { max-width: 400px; margin: 50px auto; padding: 30px; background-color: #fff; box-shadow: 0 0 15px rgba(0,0,0,0.2); border-radius: 8px; }
	#login-form h2 { text-align: center; margin-bottom: 25px; color: #333; border: none;}
	#login-form button { width: 100%; background-color: #007bff; }
	#login-form button:hover { background-color: #0056b3; }
	.spinner { border: 4px solid #f3f3f3; border-top: 4px solid #3498db; border-radius: 50%; width: 20px; height: 20px; animation: spin 1s linear infinite; display: inline-block; margin-left: 10px; vertical-align: middle; }
	@keyframes spin { 0% { transform: rotate(0deg); } 100% { transform: rotate(360deg); } }
	.loading { text-align: center; padding: 20px; font-style: italic; color: #777; }
	button .spinner { display: none; } /* Hide spinner by default */
	button.loading .spinner { display: inline-block; } /* Show spinner when button has loading class */
	button.loading span { vertical-align: middle; } /* Align text with spinner */

	/* Specific style for the checkbox label */
	#add-user-form .form-group label[for="add-user-is-admin"] {
	display: inline-block; /* Keep label and checkbox on the same line */
	margin-right: 5px;
	font-weight: normal;
	vertical-align: middle;
	width: auto; /* Allow label width to shrink */
	}
	#add-user-form .form-group input[type="checkbox"] {
	width: auto; /* Ensure checkbox width is default */
	margin-right: 15px;
	vertical-align: middle;
	}

	</style>
	</head>
	<body>

	<div id="login-section" class="container {{ 'hidden' if session.get('username') else '' }}">
	<form id="login-form">
	<h2>Business Suite Login</h2>
	<div id="login-error" class="status-message status-error hidden"></div>
	<div class="form-group">
	<label for="username">Username:</label>
	<input type="text" id="username" name="username" required>
	</div>
	<div class="form-group">
	<label for="password">Password:</label>
	<input type="password" id="password" name="password" required>
	</div>
	<button type="submit"><span>Login</span><div class="spinner"></div></button>
	</form>
	</div>

	<div id="app-section" class="container {{ '' if session.get('username') else 'hidden' }}">
	<header>
	<h1>Business Suite</h1>
	<div id="user-info">
	Logged in as: <strong id="user-display">{{ session.get('username', '') }}</strong>
	(<span id="admin-display">{{ 'Admin' if session.get('is_admin') else 'User' }}</span>)
	<button id="logout-btn">Logout</button>
	</div>
	</header>

	<nav>
	<button data-section="inventory" class="nav-btn active">📦 Inventory</button>
	<button data-section="suppliers" class="nav-btn">🤝 Suppliers</button>
	<button data-section="suggestions" class="nav-btn">💡 Suggestions</button>
	{# NEW: User Management Button - Only visible if is_admin is true #}
	<button data-section="users" class="nav-btn {{ '' if session.get('is_admin') else 'hidden' }}">👥 Users</button>
	</nav>

	<div id="global-status" class="status-message hidden"></div>

	<!-- Inventory Section - Inherited from v2 -->
	<section id="inventory-section" class="active">
	<h2>Inventory Management</h2>
	<button class="accordion">Perform Inventory Actions ▼</button>
	<div class="panel">
	<form id="inventory-action-form" class="form-grid">
	<div class="form-group">
	<label for="inv-action-type">Action Type:</label>
	<select id="inv-action-type" name="action_type">
	<option value="sale">Record Sale (-)</option>
	<option value="adjustment">Record Adjustment (+/-)</option>
	<option value="delivery">Record Delivery (+)</option>
	</select>
	</div>
	<div class="form-group">
	<label for="inv-item-id">Item ID:</label>
	<input type="number" id="inv-item-id" name="item_id" required min="1" step="1">
	</div>
	<div class="form-group">
	<label for="inv-quantity-change">Quantity:</label>
	<input type="number" id="inv-quantity-change" name="quantity_change" required step="any">
	</div>
	<div class="form-group" style="grid-column: 1 / -1;">
	<label for="inv-reason">Reason/Note:</label>
	<input type="text" id="inv-reason" name="reason" placeholder="e.g., Customer order #123, Stocktake correction">
	</div>
	<div class="form-group" style="grid-column: 1 / -1;">
	<button type="submit"><span>Submit Action</span><div class="spinner"></div></button>
	</div>
	</form>
	</div>

	<button class="accordion">Add New Inventory Item ▼</button>
	<div class="panel">
	<form id="add-item-form" class="form-grid">
	<div class="form-group">
	<label for="add-item-name">Name *:</label>
	<input type="text" id="add-item-name" name="name" required>
	</div>
	<div class="form-group">
	<label for="add-item-unit">Unit *:</label>
	<input type="text" id="add-item-unit" name="unit" value="units" required>
	</div>
	<div class="form-group">
	<label for="add-item-initial-qty">Initial Qty:</label>
	<input type="number" id="add-item-initial-qty" name="initial_quantity" value="0" step="any">
	</div>
	<div class="form-group">
	<label for="add-item-desc">Description:</label>
	<input type="text" id="add-item-desc" name="description">
	</div>
	<div class="form-group">
	<label for="add-item-reorder-lvl">Reorder Lvl:</label>
	<input type="number" id="add-item-reorder-lvl" name="reorder_level" step="any" placeholder="Optional">
	</div>
	<div class="form-group">
	<label for="add-item-supplier-id">Pref. Supplier ID:</label>
	<input type="number" id="add-item-supplier-id" name="preferred_supplier_id" step="1" placeholder="Optional">
	</div>
	<div class="form-group" style="grid-column: 1 / -1;">
	<button type="submit"><span>Add Item</span><div class="spinner"></div></button>
	</div>
	</form>
	</div>

	<h3>Current Inventory</h3>
	<button id="refresh-inventory-btn"><span>Refresh List</span><div class="spinner"></div></button>
	<div id="inventory-table-container"><div class="loading">Loading inventory...</div></div>
	</section>

	<!-- Suppliers Section - Inherited from v2 -->
	<section id="suppliers-section">
	<h2>Supplier Management</h2>
	<button class="accordion">Add New Supplier ▼</button>
	<div class="panel">
	<form id="add-supplier-form" class="form-grid">
	<div class="form-group">
	<label for="add-supplier-name">Name *:</label>
	<input type="text" id="add-supplier-name" name="name" required>
	</div>
	<div class="form-group">
	<label for="add-supplier-contact">Contact Info:</label>
	<input type="text" id="add-supplier-contact" name="contact_info">
	</div>
	<div class="form-group" style="grid-column: 1 / -1;">
	<label for="add-supplier-notes">Notes:</label>
	<textarea id="add-supplier-notes" name="notes"></textarea>
	</div>
	<div class="form-group" style="grid-column: 1 / -1;">
	<button type="submit"><span>Add Supplier</span><div class="spinner"></div></button>
	</div>
	</form>
	</div>

	<h3>Supplier List</h3>
	<button id="refresh-suppliers-btn"><span>Refresh List</span><div class="spinner"></div></button>
	<div id="suppliers-table-container"><div class="loading">Loading suppliers...</div></div>
	</section>

	<!-- Suggestions Section - Inherited from v2 -->
	<section id="suggestions-section">
	<h2>Purchase Suggestions</h2>
	<button class="accordion">Resolve Pending Suggestion ▼</button>
	<div class="panel">
	<form id="resolve-suggestion-form" class="form-grid">
	<div class="form-group">
	<label for="resolve-suggestion-id">Suggestion ID *:</label>
	<select id="resolve-suggestion-id" name="suggestion_id" required>
	<option value="">-- Select Suggestion --</option>
	</select>
	</div>
	<div class="form-group">
	<label for="resolve-action">Action Taken *:</label>
	<select id="resolve-action" name="action" required>
	<option value="ordered">Ordered</option>
	<option value="received">Received</option>
	<option value="cancelled">Cancelled</option>
	</select>
	</div>
	<div class="form-group" id="received-qty-group" class="hidden"> {/* Initially hidden */}
	<label for="resolve-received-qty">Quantity Received *:</label>
	<input type="number" id="resolve-received-qty" name="received_quantity" step="any" min="0.01">
	</div>
	<div class="form-group" style="grid-column: 1 / -1;">
	<button type="submit"><span>Resolve Suggestion</span><div class="spinner"></div></button>
	</div>
	</form>
	</div>

	<h3>Pending Suggestions</h3>
	<button id="refresh-suggestions-btn"><span>Refresh List</span><div class="spinner"></div></button>
	<div id="suggestions-table-container"><div class="loading">Loading suggestions...</div></div>
	</section>

	{# NEW: User Management Section #}
	<section id="users-section">
	<h2>User Management</h2>
	<p>Manage system users. Requires Admin privileges.</p>

	<button class="accordion">Add New User ▼</button>
	<div class="panel">
	<form id="add-user-form"> {/* Not using form-grid here for simpler layout */}
	<div class="form-group">
	<label for="add-user-username">Username *:</label>
	<input type="text" id="add-user-username" name="username" required minlength="3">
	</div>
	<div class="form-group">
	<label for="add-user-password">Password *:</label>
	<input type="password" id="add-user-password" name="password" required minlength="6">
	</div>
	<div class="form-group">
	<label for="add-user-is-admin">Is Admin:</label>
	<input type="checkbox" id="add-user-is-admin" name="is_admin" value="true">
	</div>
	<div class="form-group">
	<button type="submit"><span>Add User</span><div class="spinner"></div></button>
	</div>
	</form>
	</div>

	<h3>System Users</h3>
	<button id="refresh-users-btn"><span>Refresh List</span><div class="spinner"></div></button>
	<div id="users-table-container"><div class="loading">Loading users...</div></div>
	</section>


	</div>

	<script>
	// Encapsulate JS in an IIFE
	(function() {
	// --- State & Configuration ---
	let currentSection = 'inventory'; // Default section
	let isLoggedIn = {{ 'true' if session.get('username') else 'false' }};
	let isAdmin = {{ 'true' if session.get('is_admin') else 'false' }};

	// --- DOM Element References ---
	// (Keep all existing references from v3.0)
	const loginSection = document.getElementById('login-section');
	const appSection = document.getElementById('app-section');
	const loginForm = document.getElementById('login-form');
	const loginError = document.getElementById('login-error');
	const userInfo = document.getElementById('user-info');
	const userDisplay = document.getElementById('user-display');
	const adminDisplay = document.getElementById('admin-display');
	const logoutBtn = document.getElementById('logout-btn');
	const navButtons = document.querySelectorAll('.nav-btn');
	const sections = document.querySelectorAll('section');
	const globalStatus = document.getElementById('global-status');
	const inventoryTableContainer = document.getElementById('inventory-table-container');
	const suppliersTableContainer = document.getElementById('suppliers-table-container');
	const suggestionsTableContainer = document.getElementById('suggestions-table-container');
	const usersTableContainer = document.getElementById('users-table-container');
	const inventoryActionForm = document.getElementById('inventory-action-form');
	const addItemForm = document.getElementById('add-item-form');
	const addSupplierForm = document.getElementById('add-supplier-form');
	const resolveSuggestionForm = document.getElementById('resolve-suggestion-form');
	const addUserForm = document.getElementById('add-user-form');
	const resolveSuggestionIdSelect = document.getElementById('resolve-suggestion-id');
	const resolveActionSelect = document.getElementById('resolve-action');
	const receivedQtyGroup = document.getElementById('received-qty-group');
	const resolveReceivedQtyInput = document.getElementById('resolve-received-qty');
	const refreshInventoryBtn = document.getElementById('refresh-inventory-btn');
	const refreshSuppliersBtn = document.getElementById('refresh-suppliers-btn');
	const refreshSuggestionsBtn = document.getElementById('refresh-suggestions-btn');
	const refreshUsersBtn = document.getElementById('refresh-users-btn');

	// --- Utility Functions ---

	// * UPDATED/IMPROVED apiRequest function *
	async function apiRequest(endpoint, method = 'GET', body = null, button = null) {
	const options = {
	method: method,
	headers: {
	// Set Content-Type only if body exists, avoids issues with GET/HEAD
	...(body && {'Content-Type': 'application/json'}),
	// Add other headers if needed, e.g., CSRF token
	}
	};
	if (body) {
	options.body = JSON.stringify(body);
	}

	// Show spinner on button if provided
	if (button) {
	button.classList.add('loading');
	button.disabled = true;
	}

	try {
	const response = await fetch(endpoint, options);

	// --- Authentication/Authorization Checks FIRST ---
	if (response.status === 401) {
	showStatus("Session expired or not authorized. Reloading login...", true);
	setTimeout(() => window.location.reload(), 2000); // Reload to show login
	// Indicate failure to the caller implicitly by not returning data
	// Or explicitly throw an error handled by the caller's catch block
	throw new Error("Authentication required"); // Throw to stop execution
	}
	if (response.status === 403) {
	let errorMsg = "Access forbidden.";
	try { // Try to parse error message from JSON body for 403
	const errorData = await response.json();
	errorMsg = errorData.message \|\| errorMsg;
	} catch (parseError) { /* Body wasn't JSON, use default message */ }
	throw new Error(errorMsg); // Throw specific forbidden error
	}

	// --- Check for ANY Non-OK Statuses (4xx, 5xx, excluding 401/403) ---
	if (!response.ok) {
	let errorMsg = `Request failed: ${response.status} ${response.statusText}`;
	let errorDetails = '';
	try {
	// Attempt to get error details from JSON body first
	const errorData = await response.json();
	errorDetails = errorData.message \|\| JSON.stringify(errorData);
	} catch (e) {
	// Body wasn't JSON, try reading as text
	try {
	errorDetails = await response.text();
	// Avoid logging full HTML pages if that's what we received
	if (errorDetails.trim().toLowerCase().startsWith('<!doctype html') \|\| errorDetails.trim().startsWith('<html')) {
	errorDetails = "(Received unexpected HTML response body)";
	} else if (errorDetails.length > 150) { // Truncate long text errors
	errorDetails = errorDetails.substring(0, 150) + "...";
	}
	} catch (textError) {
	errorDetails = "(Could not read error response body)";
	}
	}
	throw new Error(`${errorMsg}. ${errorDetails}`);
	}

	// --- If response.ok (2xx status), check Content-Type before parsing ---
	const contentType = response.headers.get('content-type');
	if (!contentType \|\| !contentType.includes('application/json')) {
	// We expected JSON, but didn't get it, even on success status!
	let responseBodyPreview = '(Could not read response body)';
	try {
	responseBodyPreview = (await response.text()).substring(0, 100); // Get start of body
	} catch(e) {/* ignore */}
	console.warn(`Expected JSON response from ${endpoint}, but received ${contentType \|\| 'unknown content type'}. Body starts: ${responseBodyPreview}`);
	throw new Error(`Received unexpected content type from server: ${contentType \|\| 'unknown'}. Check server logs.`);
	}

	// --- Only parse JSON if status is OK and Content-Type is correct ---
	const data = await response.json();
	return data; // Success case

	} catch (error) {
	console.error(`API Request Error during fetch to ${endpoint}:`, error);
	// Rethrow the error (already constructed meaningfully above)
	// The calling function's catch block should display it.
	throw error;
	} finally {
	if (button) {
	button.classList.remove('loading');
	button.disabled = false;
	}
	}
	}

	// Display status messages (Unchanged from v3.0)
	function showStatus(message, isError = false, element = globalStatus) {
	if (!element) { console.error("Status element not found"); return; }
	element.textContent = message;
	element.className = 'status-message'; // Reset classes
	element.classList.add(isError ? 'status-error' : 'status-success');
	element.classList.remove('hidden');
	setTimeout(() => { if(element) element.classList.add('hidden'); }, 5000);
	}

	// Create HTML Table from data array (Unchanged from v3.0)
	function createTable(data, columns) {
	if (!data \|\| data.length === 0) {
	return '<p>No data available.</p>';
	}
	let html = '<table><thead><tr>';
	columns.forEach(col => {
	const headerText = col.replace(/_/g, ' ').replace(/\b\w/g, l => l.toUpperCase());
	html += `<th>${headerText}</th>`;
	});
	html += '</tr></thead><tbody>';
	data.forEach(row => {
	html += '<tr>';
	columns.forEach(col => {
	let cellValue = row[col];
	if (typeof cellValue === 'boolean') {
	cellValue = cellValue ? 'Yes' : 'No';
	} else if (cellValue === null \|\| cellValue === undefined) {
	cellValue = '';
	}
	html += `<td>${cellValue}</td>`;
	});
	html += '</tr>';
	});
	html += '</tbody></table>';
	return html;
	}

	// --- Data Loading Functions (Use the new apiRequest, error handling added) ---

	async function loadInventory(button = null) {
	inventoryTableContainer.innerHTML = '<div class="loading">Loading inventory...</div>';
	try {
	// Use the robust apiRequest
	const data = await apiRequest('/api/inventory', 'GET', null, button);
	// apiRequest now throws on error or returns valid data
	if (data && data.success) {
	const columns = ["item_id", "item_name", "description", "current_quantity", "unit", "reorder_level", "preferred_supplier_name", "last_updated_str"];
	inventoryTableContainer.innerHTML = createTable(data.inventory, columns);
	} else if (data) { // Should ideally not happen if apiRequest throws, but defense-in-depth
	inventoryTableContainer.innerHTML = `<p class="status-error">Failed to load inventory: ${data.message \|\| 'Unknown error'}</p>`;
	}
	// No else needed - error case is handled by the catch block now
	} catch (error) {
	// Catch errors thrown by apiRequest
	console.error("Error in loadInventory:", error);
	// Display the error message constructed by apiRequest
	inventoryTableContainer.innerHTML = `<p class="status-error">Error loading inventory: ${error.message}</p>`;
	}
	}

	async function loadSuppliers(button = null) {
	suppliersTableContainer.innerHTML = '<div class="loading">Loading suppliers...</div>';
	try {
	const data = await apiRequest('/api/suppliers', 'GET', null, button);
	if (data && data.success) {
	const columns = ["supplier_id", "supplier_name", "contact_info", "notes"];
	suppliersTableContainer.innerHTML = createTable(data.suppliers, columns);
	} else if (data) {
	suppliersTableContainer.innerHTML = `<p class="status-error">Failed to load suppliers: ${data.message \|\| 'Unknown error'}</p>`;
	}
	} catch (error) {
	console.error("Error in loadSuppliers:", error);
	suppliersTableContainer.innerHTML = `<p class="status-error">Error loading suppliers: ${error.message}</p>`;
	}
	}

	async function loadSuggestions(button = null) {
	suggestionsTableContainer.innerHTML = '<div class="loading">Loading suggestions...</div>';
	resolveSuggestionIdSelect.innerHTML = '<option value="">-- Loading... --</option>';
	try {
	const data = await apiRequest('/api/suggestions', 'GET', null, button);
	if (data && data.success) {
	const columns = ["suggestion_id", "item_name", "suggested_quantity", "unit", "supplier_name", "reason", "created_at_str"];
	suggestionsTableContainer.innerHTML = createTable(data.suggestions, columns);

	resolveSuggestionIdSelect.innerHTML = '<option value="">-- Select Suggestion --</option>';
	if (data.suggestions.length > 0) {
	data.suggestions.forEach(s => {
	const option = document.createElement('option');
	option.value = s.suggestion_id;
	option.textContent = `ID: ${s.suggestion_id} - ${s.item_name} (Qty: ${s.suggested_quantity})`;
	resolveSuggestionIdSelect.appendChild(option);
	});
	} else {
	resolveSuggestionIdSelect.innerHTML = '<option value="">-- No pending suggestions --</option>';
	}
	} else if (data) {
	suggestionsTableContainer.innerHTML = `<p class="status-error">Failed to load suggestions: ${data.message \|\| 'Unknown error'}</p>`;
	resolveSuggestionIdSelect.innerHTML = '<option value="">-- Error loading --</option>';
	}
	} catch (error) {
	console.error("Error in loadSuggestions:", error);
	suggestionsTableContainer.innerHTML = `<p class="status-error">Error loading suggestions: ${error.message}</p>`;
	resolveSuggestionIdSelect.innerHTML = '<option value="">-- Error loading --</option>';
	}
	}

	async function loadUsers(button = null) {
	usersTableContainer.innerHTML = '<div class="loading">Loading users...</div>';
	if (!isAdmin) {
	usersTableContainer.innerHTML = '<p class="status-error">Admin access required to view users.</p>';
	return;
	}
	try {
	const data = await apiRequest('/api/users', 'GET', null, button);
	if (data && data.success) {
	const columns = ["username", "is_admin", "created_at"];
	usersTableContainer.innerHTML = createTable(data.users, columns);
	} else if (data) {
	usersTableContainer.innerHTML = `<p class="status-error">Failed to load users: ${data.message \|\| 'Unknown error'}</p>`;
	}
	} catch (error) {
	console.error("Error in loadUsers:", error);
	// Check if it was specifically a Forbidden error caught by apiRequest
	if (error.message.includes("forbidden") \|\| error.message.includes("Access required")) {
	usersTableContainer.innerHTML = '<p class="status-error">Admin access required.</p>';
	} else {
	usersTableContainer.innerHTML = `<p class="status-error">Error loading users: ${error.message}</p>`;
	}
	}
	}


	// --- Event Handlers ---
	// (Login, Logout, Navigation, Inventory Action, Add Item, Add Supplier, Resolve Suggestion, Add User)
	// These handlers remain largely the same as in v3.0, but now their calls to apiRequest
	// benefit from the improved error handling within apiRequest itself.
	// The .catch(error => showStatus(error.message, true)); blocks within each handler
	// will now display more specific error messages originating from apiRequest.

	// Example: Login Handler (No change needed, catch block handles errors from apiRequest)
	loginForm.addEventListener('submit', async (e) => {
	e.preventDefault();
	loginError.classList.add('hidden');
	const username = loginForm.username.value;
	const password = loginForm.password.value;
	const button = loginForm.querySelector('button[type="submit"]');

	try {
	const data = await apiRequest('/api/login', 'POST', { username, password }, button);
	if (data && data.success) { // Check for data existence after await
	isLoggedIn = true;
	isAdmin = data.user.is_admin;
	loginSection.classList.add('hidden');
	appSection.classList.remove('hidden');
	userDisplay.textContent = data.user.username;
	adminDisplay.textContent = isAdmin ? 'Admin' : 'User';
	document.querySelector('.nav-btn[data-section="users"]').classList.toggle('hidden', !isAdmin);
	navigateTo(currentSection);
	}
	// No explicit else needed, apiRequest throws on failure
	} catch (error) {
	// Handle errors thrown by apiRequest (e.g., auth failed, network error)
	showStatus(error.message, true, loginError); // Display error in login form's status area
	// Reset state just in case
	isLoggedIn = false;
	isAdmin = false;
	}
	});

	// Example: Logout Handler (No change needed)
	logoutBtn.addEventListener('click', async () => {
	try {
	const data = await apiRequest('/api/logout', 'POST');
	if (data && data.success) { // Check data exists
	isLoggedIn = false;
	isAdmin = false;
	loginSection.classList.remove('hidden');
	appSection.classList.add('hidden');
	loginForm.reset();
	loginError.classList.add('hidden');
	document.querySelector('.nav-btn[data-section="users"]').classList.add('hidden');
	inventoryTableContainer.innerHTML = '';
	suppliersTableContainer.innerHTML = '';
	suggestionsTableContainer.innerHTML = '';
	usersTableContainer.innerHTML = '';
	navigateTo('inventory');
	}
	} catch (error) {
	// Handle potential errors during logout API call
	showStatus(error.message, true);
	}
	});

	// ... (Keep other event handlers: navButtons, inventoryActionForm, addItemForm, etc. as they were in v3.0) ...
	// Ensure all handlers use `try...catch` around `apiRequest` calls and use `showStatus(error.message, true)` in the catch block.

	// --- NEW versions of handlers with robust catch blocks ---
	// Navigation Handler
	navButtons.forEach(button => {
	button.addEventListener('click', () => {
	const sectionId = button.getAttribute('data-section');
	if (!isLoggedIn) { showStatus("Please login.", true); return; }
	if (sectionId === 'users' && !isAdmin) { showStatus("Admin access required.", true); return; }
	navigateTo(sectionId);
	});
	});

	// Inventory Action Handler
	inventoryActionForm.addEventListener('submit', async (e) => {
	e.preventDefault();
	const formData = new FormData(inventoryActionForm);
	const action_type = formData.get('action_type');
	const item_id = formData.get('item_id');
	let quantity_change = parseFloat(formData.get('quantity_change'));
	const reason = formData.get('reason') \|\| `Action: ${action_type}`;
	const button = inventoryActionForm.querySelector('button[type="submit"]');

	if (isNaN(quantity_change)) { showStatus("Quantity must be a number.", true); return; }
	// ... (quantity adjustment logic) ...
	if (action_type === 'sale') { if (quantity_change > 0) quantity_change = -quantity_change; else { showStatus("Sale quantity must be positive.", true); return; } }
	else if (action_type === 'delivery') { if (quantity_change < 0) { showStatus("Delivery quantity must be positive.", true); return; } }

	const payload = { quantity_change, reason };
	try {
	const data = await apiRequest(`/api/inventory/${item_id}/quantity`, 'POST', payload, button);
	if (data && data.success) {
	showStatus(data.message \|\| "Inventory updated.", false);
	inventoryActionForm.reset();
	loadInventory(); loadSuggestions();
	}
	} catch (error) { showStatus(error.message, true); }
	});

	// Add Item Handler
	addItemForm.addEventListener('submit', async (e) => {
	e.preventDefault();
	const formData = new FormData(addItemForm);
	const payload = Object.fromEntries(formData.entries());
	// ... (payload parsing logic) ...
	payload.initial_quantity = parseFloat(payload.initial_quantity \|\| 0);
	payload.reorder_level = payload.reorder_level ? parseFloat(payload.reorder_level) : null;
	payload.preferred_supplier_id = payload.preferred_supplier_id ? parseInt(payload.preferred_supplier_id) : null;
	if (isNaN(payload.initial_quantity) \|\| (payload.reorder_level !== null && isNaN(payload.reorder_level)) \|\| (payload.preferred_supplier_id !== null && isNaN(payload.preferred_supplier_id))) { showStatus("Invalid number input.", true); return; }

	const button = addItemForm.querySelector('button[type="submit"]');
	try {
	const data = await apiRequest('/api/inventory', 'POST', payload, button);
	if (data && data.success) {
	showStatus(data.message \|\| "Item added.", false);
	addItemForm.reset(); loadInventory();
	}
	} catch (error) { showStatus(error.message, true); }
	});

	// Add Supplier Handler
	addSupplierForm.addEventListener('submit', async (e) => {
	e.preventDefault();
	const formData = new FormData(addSupplierForm);
	const payload = Object.fromEntries(formData.entries());
	const button = addSupplierForm.querySelector('button[type="submit"]');
	try {
	const data = await apiRequest('/api/suppliers', 'POST', payload, button);
	if (data && data.success) {
	showStatus(data.message \|\| "Supplier added.", false);
	addSupplierForm.reset(); loadSuppliers();
	}
	} catch (error) { showStatus(error.message, true); }
	});

	// Resolve Suggestion Handler
	resolveSuggestionForm.addEventListener('submit', async (e) => {
	e.preventDefault();
	const formData = new FormData(resolveSuggestionForm);
	const suggestion_id = formData.get('suggestion_id');
	const action = formData.get('action');
	let received_quantity = formData.get('received_quantity');
	const button = resolveSuggestionForm.querySelector('button[type="submit"]');

	if (!suggestion_id) { showStatus("Select suggestion.", true); return; }
	// ... (payload preparation logic) ...
	const payload = { action };
	if (action === 'received') { if (!received_quantity \|\| isNaN(parseFloat(received_quantity)) \|\| parseFloat(received_quantity) <= 0) { showStatus("Valid positive quantity required.", true); return; } payload.received_quantity = parseFloat(received_quantity); } else { payload.received_quantity = null; }

	try {
	const data = await apiRequest(`/api/suggestions/${suggestion_id}/resolve`, 'POST', payload, button);
	if (data && data.success) {
	showStatus(data.message \|\| "Suggestion resolved.", false);
	resolveSuggestionForm.reset(); receivedQtyGroup.classList.add('hidden');
	loadSuggestions(); if (action === 'received') { loadInventory(); }
	}
	} catch (error) { showStatus(error.message, true); }
	});

	// Add User Handler
	addUserForm.addEventListener('submit', async (e) => {
	e.preventDefault();
	const formData = new FormData(addUserForm);
	const username = formData.get('username');
	const password = formData.get('password');
	const is_admin = formData.get('is_admin') === 'true';
	const button = addUserForm.querySelector('button[type="submit"]');

	// ... (basic validation) ...
	if (!username \|\| !password) { showStatus("Username and password required.", true); return; } if (username.length < 3) { showStatus("Username too short.", true); return; } if (password.length < 6) { showStatus("Password too short.", true); return; }

	const payload = { username, password, is_admin };
	try {
	const data = await apiRequest('/api/users', 'POST', payload, button);
	if (data && data.success) {
	showStatus(data.message \|\| "User added.", false);
	addUserForm.reset(); loadUsers();
	}
	} catch (error) { showStatus(error.message, true); }
	});

	// --- End Event Handlers ---


	// Refresh Button Handlers (Unchanged)
	refreshInventoryBtn.addEventListener('click', () => loadInventory(refreshInventoryBtn));
	refreshSuppliersBtn.addEventListener('click', () => loadSuppliers(refreshSuppliersBtn));
	refreshSuggestionsBtn.addEventListener('click', () => loadSuggestions(refreshSuggestionsBtn));
	refreshUsersBtn.addEventListener('click', () => loadUsers(refreshUsersBtn));

	// Accordion Handler (Unchanged)
	document.querySelectorAll('.accordion').forEach(accordion => {
	accordion.addEventListener('click', function() { this.classList.toggle('active'); const panel = this.nextElementSibling; if (panel.style.display === "block") { panel.style.display = "none"; this.innerHTML = this.innerHTML.replace('▲', '▼'); } else { panel.style.display = "block"; this.innerHTML = this.innerHTML.replace('▼', '▲'); } });
	});

	// --- Initial Load / State Check (Unchanged) ---
	function initialize() {
	if (isLoggedIn) {
	loginSection.classList.add('hidden');
	appSection.classList.remove('hidden');
	document.querySelector('.nav-btn[data-section="users"]').classList.toggle('hidden', !isAdmin);
	setTimeout(() => navigateTo(currentSection), 50);
	} else {
	loginSection.classList.remove('hidden');
	appSection.classList.add('hidden');
	}
	document.querySelectorAll('.panel').forEach(panel => panel.style.display = 'none');
	document.querySelectorAll('.accordion').forEach(acc => acc.innerHTML = acc.innerHTML.replace('▲', '▼'));
	}
	document.addEventListener('DOMContentLoaded', initialize);

	// Expose navigateTo globally for debugging if needed
	// window.navigateTo = navigateTo;

	})(); // End IIFE
	</script>
	</body>
	</html>
	"""


	# --- Flask Application Setup ---
	app = Flask(__name__)
	app.secret_key = SECRET_KEY

	# --- Flask Routes ---

	@app.route('/')
	def index():
	"""Serves the main application page or login page based on session."""
	# render_template_string passes Flask session variables to the Jinja2 template
	# The HTML template uses these to initially set element visibility
	return render_template_string(HTML_TEMPLATE, session=session)


	@app.route('/api/login', methods=['POST'])
	def api_login():
	"""Handles user login attempt."""
	data = request.get_json()
	username = data.get('username')
	password = data.get('password')

	if not username or not password:
	# Log missing credentials without associating with a specific user (attacker might be guessing)
	log_event(None, 'LOGIN_FAILURE', {'reason': 'Missing credentials', 'username_attempt': username, 'ip_address': request.remote_addr})
	return jsonify({"success": False, "message": "Username and password are required"}), 400

	conn = None
	try:
	conn = get_db_connection()
	cursor = conn.cursor()
	cursor.execute("SELECT username, hashed_password, salt, is_admin FROM users WHERE username = ?", (username,))
	user_row = cursor.fetchone()
	conn.close() # Close connection as early as possible

	if user_row:
	stored_hash = user_row['hashed_password']
	salt = user_row['salt']
	if verify_password(stored_hash, salt, password):
	# Login successful - store user info in session
	session['username'] = user_row['username']
	session['is_admin'] = bool(user_row['is_admin']) # Store as Python boolean
	session.permanent = True # Optional: make session permanent
	log_event(username, 'LOGIN_SUCCESS', {'ip_address': request.remote_addr})
	# Return user info including is_admin status to the frontend
	user_info = {"username": user_row['username'], "is_admin": bool(user_row['is_admin'])}
	return jsonify({"success": True, "message": "Login successful", "user": user_info})
	else:
	log_event(username, 'LOGIN_FAILURE', {'reason': 'Invalid password', 'ip_address': request.remote_addr})
	return jsonify({"success": False, "message": "Invalid username or password"}), 401
	else:
	log_event(username, 'LOGIN_FAILURE', {'reason': 'User not found', 'username_attempt': username, 'ip_address': request.remote_addr})
	return jsonify({"success": False, "message": "Invalid username or password"}), 401

	except sqlite3.Error as e:
	print(f"ERROR: Database error during login for user {username}: {e}")
	log_event(username, 'LOGIN_ERROR', {'error': str(e), 'ip_address': request.remote_addr})
	if conn: conn.close()
	return jsonify({"success": False, "message": "Server error during login"}), 500
	except Exception as e:
	print(f"ERROR: Unexpected error during login for user {username}: {e}")
	# Log as system event or None user if username couldn't be retrieved
	log_event(username or 'Unknown', 'LOGIN_UNEXPECTED_ERROR', {'error': str(e), 'ip_address': request.remote_addr})
	if conn: conn.close()
	return jsonify({"success": False, "message": "An unexpected server error occurred"}), 500


	@app.route('/api/logout', methods=['POST'])
	@login_required # Ensure user is logged in to log out
	def api_logout():
	"""Logs the user out by clearing the session."""
	username = session.get('username', 'Unknown')
	session.pop('username', None)
	session.pop('is_admin', None)
	# Explicitly clear session data from Flask's storage
	session.clear()
	log_event(username, 'LOGOUT', {'ip_address': request.remote_addr})
	return jsonify({"success": True, "message": "Logged out successfully"})

	@app.route('/api/status')
	def api_status():
	"""Checks if the user is currently logged in."""
	# This endpoint is useful for frontend validation if needed, but index route handles initial state
	if 'username' in session:
	user_info = {"username": session['username'], "is_admin": session.get('is_admin', False)}
	return jsonify({"logged_in": True, "user": user_info})
	else:
	return jsonify({"logged_in": False})

	# --- API Routes for Business Logic (Placeholder - Assume logic functions are defined above) ---
	# Example:
	# @app.route('/api/inventory', methods=['GET'])
	# @login_required
	# def api_get_inventory():
	# try:
	# items = get_inventory_summary_logic()
	# return jsonify({"success": True, "inventory": items})
	# except Exception as e:
	# return jsonify({"success": False, "message": f"Failed: {e}"}), 500
	# ... (other API routes for inventory, suppliers, suggestions from v2)


	# --- NEW: API Routes for User Management ---

	@app.route('/api/users', methods=['GET'])
	@admin_required # Only admins can list users
	def api_get_users():
	"""API endpoint to get list of users."""
	try:
	users = get_users_logic()
	# Exclude password/salt from API response for security
	safe_users = [{"username": u['username'], "is_admin": bool(u['is_admin']), "created_at": u['created_at']} for u in users]
	return jsonify({"success": True, "users": safe_users})
	except Exception as e:
	print(f"API ERROR: /api/users GET: {e}")
	# Log admin-only error under the admin's username
	log_event(session.get('username', 'Unknown Admin Attempt'), 'GET_USERS_API_ERROR', {'error': str(e)})
	return jsonify({"success": False, "message": f"Failed to retrieve users: {e}"}), 500

	@app.route('/api/users', methods=['POST'])
	@admin_required # Only admins can add users
	def api_add_user():
	"""API endpoint to add a new user."""
	data = request.get_json()
	if not data:
	log_event(session.get('username', 'Unknown Admin Attempt'), 'ADD_USER_API_FAILURE', {'reason': 'No data'})
	return jsonify({"success": False, "message": "Invalid request body"}), 400

	username = data.get('username')
	password = data.get('password')
	is_admin = data.get('is_admin', False) # Default to False if not provided
	creating_user_username = session.get('username', 'Unknown Admin') # The admin performing the action

	# Pass validation responsibility to the logic function
	success, message = add_user_logic(username, password, bool(is_admin), creating_user_username)

	if success:
	return jsonify({"success": True, "message": message})
	else:
	# Determine status code: 409 Conflict for duplicate, 400 for bad input
	status_code = 409 if 'already exists' in message else 400
	return jsonify({"success": False, "message": message}), status_code

	# Any unhandled exceptions would be caught by Flask's default error handler or gunicorn/web server
	# For impeccable error handling, add a broad try...except around the logic call here too


	# --- Application Entry Point ---

	if __name__ == "__main__":
	print("INFO: Starting Business Automation Suite v3.0 (Flask)...")
	print(f"INFO: Using database file: {os.path.abspath(DB_NAME)}")

	# Ensure database exists and schema is set up before launching Flask
	try:
	setup_database()
	except Exception as e:
	print(f"FATAL: Could not initialize database. Exiting. Error: {e}")
	exit(1)

	print("INFO: Launching Flask application...")
	# host='0.0.0.0' is essential for accessibility within Docker/HF Space
	# debug=False is important for production environments
	# Use gunicorn or similar WSGI server for production instead of app.run()
	# For HF Spaces, `app.run()` with server_name/port usually works via their infrastructure
	app.run(host='0.0.0.0', port=7860, debug=False)
	print("INFO: Application stopped.")