Fix CI lint + format + pinpoint pip-audit exception

Ruff findings cleaned up:
- Unused imports dropped (base64 in patient.py, HTTPException in
terminology.py, PageBreak in reports.py, alembic's op/sa in the
empty baseline migration)
- asyncio.TimeoutError -> builtin TimeoutError (pdf_extractor)
- Import blocks reorganized per isort in history.py, db.py, and the
security_headers middleware
- try/except/pass in Sentry's before_send hook now logs the filter
error at debug level instead of swallowing silently (S110)
- 10 files passed through `ruff format` for style consistency

ruff.toml: alembic/versions/ added to per-file-ignores. Autogenerated
migrations ship with a fixed `Union[str, Sequence[str], None]` template
and other patterns ruff flags; linting the template breaks autogenerate.

CI pip-audit workflow: explicitly --ignore-vuln CVE-2026-1839 with a
documented justification — the vulnerability is in Transformers'
Trainer._load_rng_state which unpickles external .pth files during
training. DepScreen is inference-only and never uses Trainer or loads
external checkpoints. The fix lands in transformers 5.0.0rc3, a
pre-release; ignore stays until 5.0.0 stable ships.

Verified locally: ruff check + ruff format --check + backend imports
all clean after changes.

.github/workflows/ci.yml

@@ -83,10 +83,15 @@ jobs:
 
       - name: Audit backend requirements
         # --desc: show a one-line description of each CVE
-        # --ignore-vuln: reserved hook for temporary pinned-but-flagged deps
-        # We target requirements.txt directly so transitive deps are also
-        # resolved and scanned, not just what happens to be installed in CI.
-        run: pip-audit --requirement requirements.txt --desc --strict
+        # --ignore-vuln: deliberately ignored CVEs with justification:
+        #   CVE-2026-1839 (transformers) — affects Trainer._load_rng_state,
+        #     only reachable when loading malicious rng_state.pth checkpoints
+        #     during training. We do inference-only, never Trainer, never
+        #     deserialize external .pth files. Fix is in 5.0.0rc3 (pre-release);
+        #     re-evaluate when 5.0.0 ships stable.
+        run: |
+          pip-audit --requirement requirements.txt --desc --strict \
+            --ignore-vuln CVE-2026-1839
 
   docker-build:
     name: Docker Build

alembic/versions/72deba99af9e_reconcile_deployed_schema_with_current_.py

@@ -1,21 +1,18 @@
 """reconcile deployed schema with current models (initial baseline)
 
 Revision ID: 72deba99af9e
-Revises: 
+Revises:
 Create Date: 2026-04-15 13:52:00.764298
 
 """
-from typing import Sequence, Union
-
-from alembic import op
-import sqlalchemy as sa
 
+from collections.abc import Sequence
 
 # revision identifiers, used by Alembic.
-revision: str = '72deba99af9e'
-down_revision: Union[str, Sequence[str], None] = None
-branch_labels: Union[str, Sequence[str], None] = None
-depends_on: Union[str, Sequence[str], None] = None
+revision: str = "72deba99af9e"
+down_revision: str | Sequence[str] | None = None
+branch_labels: str | Sequence[str] | None = None
+depends_on: str | Sequence[str] | None = None
 
 
 def upgrade() -> None:

app/api/routes/dashboard.py

@@ -338,12 +338,7 @@ async def download_patient_summary_pdf(
     allergies = db.query(Allergy).filter(Allergy.patient_id == patient_id).all()
     diagnoses = db.query(Diagnosis).filter(Diagnosis.patient_id == patient_id).all()
     contacts = db.query(EmergencyContact).filter(EmergencyContact.patient_id == patient_id).all()
-    care_plans = (
-        db.query(CarePlan)
-        .filter(CarePlan.patient_id == patient_id)
-        .order_by(desc(CarePlan.updated_at))
-        .all()
-    )
+    care_plans = db.query(CarePlan).filter(CarePlan.patient_id == patient_id).order_by(desc(CarePlan.updated_at)).all()
     screenings = (
         db.query(Screening)
         .filter(Screening.patient_id == patient_id)
@@ -367,37 +362,50 @@ async def download_patient_summary_pdf(
     export_dict = {
         "medications": [
             {
-                "name": m.name, "dosage": m.dosage, "frequency": m.frequency,
-                "start_date": m.start_date, "prescribed_by": m.prescribed_by,
+                "name": m.name,
+                "dosage": m.dosage,
+                "frequency": m.frequency,
+                "start_date": m.start_date,
+                "prescribed_by": m.prescribed_by,
                 "is_active": m.is_active,
             }
             for m in medications
         ],
         "allergies": [
             {
-                "allergen": a.allergen, "allergy_type": a.allergy_type,
-                "severity": a.severity, "reaction": a.reaction, "notes": a.notes,
+                "allergen": a.allergen,
+                "allergy_type": a.allergy_type,
+                "severity": a.severity,
+                "reaction": a.reaction,
+                "notes": a.notes,
             }
             for a in allergies
         ],
         "diagnoses": [
             {
-                "condition": d.condition, "icd10_code": d.icd10_code, "status": d.status,
-                "diagnosed_date": d.diagnosed_date, "diagnosed_by": d.diagnosed_by,
+                "condition": d.condition,
+                "icd10_code": d.icd10_code,
+                "status": d.status,
+                "diagnosed_date": d.diagnosed_date,
+                "diagnosed_by": d.diagnosed_by,
             }
             for d in diagnoses
         ],
         "emergency_contacts": [
             {
-                "contact_name": c.contact_name, "phone": c.phone,
-                "relation": c.relation, "is_primary": c.is_primary,
+                "contact_name": c.contact_name,
+                "phone": c.phone,
+                "relation": c.relation,
+                "is_primary": c.is_primary,
             }
             for c in contacts
         ],
         "care_plans": [
             {
-                "title": cp.title, "description": cp.description,
-                "status": cp.status, "review_date": cp.review_date,
+                "title": cp.title,
+                "description": cp.description,
+                "status": cp.status,
+                "review_date": cp.review_date,
             }
             for cp in care_plans
         ],
@@ -1250,12 +1258,7 @@ async def list_diagnoses(
 ):
     """List a patient's diagnoses (clinician view)."""
     _verify_patient_access(db, patient_id, current_user.id)
-    rows = (
-        db.query(Diagnosis)
-        .filter(Diagnosis.patient_id == patient_id)
-        .order_by(desc(Diagnosis.created_at))
-        .all()
-    )
+    rows = db.query(Diagnosis).filter(Diagnosis.patient_id == patient_id).order_by(desc(Diagnosis.created_at)).all()
     return [_diagnosis_to_response(dx) for dx in rows]
 
 
@@ -1376,12 +1379,7 @@ async def list_patient_medications(
 ):
     """List a patient's medications (clinician view)."""
     _verify_patient_access(db, patient_id, current_user.id)
-    meds = (
-        db.query(Medication)
-        .filter(Medication.patient_id == patient_id)
-        .order_by(desc(Medication.created_at))
-        .all()
-    )
+    meds = db.query(Medication).filter(Medication.patient_id == patient_id).order_by(desc(Medication.created_at)).all()
     return [_medication_to_response(m) for m in meds]
 
 
@@ -1491,7 +1489,9 @@ async def update_patient_medication(
 
     db.commit()
     db.refresh(med)
-    log_audit(db, current_user.id, "medication_updated_by_clinician", resource_type="medication", resource_id=medication_id)
+    log_audit(
+        db, current_user.id, "medication_updated_by_clinician", resource_type="medication", resource_id=medication_id
+    )
 
     return _medication_to_response(med)
 
@@ -1513,7 +1513,13 @@ async def deactivate_patient_medication(
 
     med.is_active = False
     db.commit()
-    log_audit(db, current_user.id, "medication_deactivated_by_clinician", resource_type="medication", resource_id=medication_id)
+    log_audit(
+        db,
+        current_user.id,
+        "medication_deactivated_by_clinician",
+        resource_type="medication",
+        resource_id=medication_id,
+    )
 
     return {"status": "deactivated", "medication_id": medication_id}
 
@@ -1640,7 +1646,12 @@ async def assign_patient_screening_schedule(
     db.add(schedule)
 
     # Notify the patient
-    freq_label = {"weekly": "weekly", "biweekly": "every two weeks", "monthly": "monthly", "custom": f"every {body.custom_days} days"}.get(body.frequency, body.frequency)
+    freq_label = {
+        "weekly": "weekly",
+        "biweekly": "every two weeks",
+        "monthly": "monthly",
+        "custom": f"every {body.custom_days} days",
+    }.get(body.frequency, body.frequency)
     db.add(
         Notification(
             user_id=patient_id,

app/api/routes/history.py

@@ -14,7 +14,6 @@ from sqlalchemy.orm import Session
 
 from app.middleware.rate_limiter import limiter
 from app.models.db import Screening, User, get_db
-from app.services.reports import build_screening_pdf
 from app.schemas.analysis import (
     Evidence,
     ExplanationReport,
@@ -25,6 +24,7 @@ from app.schemas.analysis import (
     VerificationReport,
 )
 from app.services.auth import get_current_user
+from app.services.reports import build_screening_pdf
 
 router = APIRouter()
 logger = logging.getLogger(__name__)
@@ -192,8 +192,7 @@ async def download_screening_pdf(
         "severity_label": screening.severity_level or "none",
         "severity_score": symptom_data.get("total_sentences_analyzed"),
         "symptoms": [
-            {"criterion": sym.get("dsm5_criterion", sym.get("criterion", "")),
-             "confidence": sym.get("confidence", 0)}
+            {"criterion": sym.get("dsm5_criterion", sym.get("criterion", "")), "confidence": sym.get("confidence", 0)}
             for sym in symptom_data.get("symptoms_detected", [])
         ],
         "detected_sentences": [

app/api/routes/patient.py

@@ -6,7 +6,6 @@ symptom trends, data export, emergency contacts, medications,
 allergies, diagnoses, screening schedules, and onboarding.
 """
 
-import base64
 import logging
 from datetime import date, datetime, timedelta
 from typing import Optional
@@ -352,10 +351,7 @@ async def upload_my_document_file(
     content_type = (file.content_type or "").lower()
 
     is_pdf = filename.endswith(".pdf") or content_type == "application/pdf"
-    is_text = (
-        filename.endswith(".txt")
-        or content_type.startswith("text/")
-    )
+    is_text = filename.endswith(".txt") or content_type.startswith("text/")
 
     if is_pdf:
         try:
@@ -1312,10 +1308,7 @@ async def export_my_data_pdf(
     from app.services.reports import build_patient_export_pdf
 
     screenings = (
-        db.query(Screening)
-        .filter(Screening.patient_id == current_user.id)
-        .order_by(desc(Screening.created_at))
-        .all()
+        db.query(Screening).filter(Screening.patient_id == current_user.id).order_by(desc(Screening.created_at)).all()
     )
     documents = db.query(PatientDocument).filter(PatientDocument.patient_id == current_user.id).all()
     contacts = db.query(EmergencyContact).filter(EmergencyContact.patient_id == current_user.id).all()
@@ -1350,44 +1343,53 @@ async def export_my_data_pdf(
         ],
         "medications": [
             {
-                "name": m.name, "dosage": m.dosage, "frequency": m.frequency,
-                "start_date": m.start_date, "prescribed_by": m.prescribed_by,
+                "name": m.name,
+                "dosage": m.dosage,
+                "frequency": m.frequency,
+                "start_date": m.start_date,
+                "prescribed_by": m.prescribed_by,
                 "is_active": m.is_active,
             }
             for m in medications
         ],
         "allergies": [
             {
-                "allergen": a.allergen, "allergy_type": a.allergy_type,
-                "severity": a.severity, "reaction": a.reaction,
+                "allergen": a.allergen,
+                "allergy_type": a.allergy_type,
+                "severity": a.severity,
+                "reaction": a.reaction,
             }
             for a in allergies
         ],
         "diagnoses": [
             {
-                "condition": d.condition, "icd10_code": d.icd10_code, "status": d.status,
-                "diagnosed_date": d.diagnosed_date, "diagnosed_by": d.diagnosed_by,
+                "condition": d.condition,
+                "icd10_code": d.icd10_code,
+                "status": d.status,
+                "diagnosed_date": d.diagnosed_date,
+                "diagnosed_by": d.diagnosed_by,
             }
             for d in diagnoses
         ],
         "emergency_contacts": [
             {
-                "contact_name": c.contact_name, "phone": c.phone,
-                "relation": c.relation, "is_primary": c.is_primary,
+                "contact_name": c.contact_name,
+                "phone": c.phone,
+                "relation": c.relation,
+                "is_primary": c.is_primary,
             }
             for c in contacts
         ],
         "care_plans": [
             {
-                "title": cp.title, "description": cp.description,
-                "status": cp.status, "review_date": cp.review_date,
+                "title": cp.title,
+                "description": cp.description,
+                "status": cp.status,
+                "review_date": cp.review_date,
             }
             for cp in care_plans
         ],
-        "documents": [
-            {"title": d.title, "doc_type": d.doc_type, "created_at": d.created_at}
-            for d in documents
-        ],
+        "documents": [{"title": d.title, "doc_type": d.doc_type, "created_at": d.created_at} for d in documents],
     }
 
     buf = build_patient_export_pdf(patient_dict, export_dict)
@@ -1498,6 +1500,7 @@ async def mark_notification_read(
 
 # ── Profile Picture Upload ───────────────────────────────────────────────────
 
+
 @router.post("/profile/picture")
 @limiter.limit("10/minute")
 async def upload_profile_picture(

app/api/routes/terminology.py

@@ -20,7 +20,7 @@ from __future__ import annotations
 import logging
 
 import httpx
-from fastapi import APIRouter, Depends, HTTPException, Query, Request
+from fastapi import APIRouter, Depends, Query, Request
 
 from app.middleware.rate_limiter import limiter
 from app.models.db import User

app/api/routes/webhooks.py

@@ -103,11 +103,7 @@ async def resend_webhook(
         logger.info(f"Resend webhook {event_type} has no email_id, ignoring")
         return {"status": "ignored", "reason": "missing_email_id"}
 
-    row = (
-        db.query(EmailDelivery)
-        .filter(EmailDelivery.resend_email_id == resend_email_id)
-        .first()
-    )
+    row = db.query(EmailDelivery).filter(EmailDelivery.resend_email_id == resend_email_id).first()
     if not row:
         # Not a crime — could be an email sent outside this app against the same Resend account.
         logger.info(f"Resend webhook for unknown email {resend_email_id} ({event_type})")
@@ -115,18 +111,20 @@ async def resend_webhook(
 
     # Append to event trail (JSON column)
     events = list(row.events or [])
-    events.append({
-        "type": event_type,
-        "at": datetime.utcnow().isoformat(),
-        "raw": {
-            # Keep only the fields we actually want to retain — avoid storing PII
-            # we don't need. The `to` and subject are already on the row.
-            "bounce_type": (data.get("bounce") or {}).get("type"),
-            "bounce_subtype": (data.get("bounce") or {}).get("subType"),
-            "click_link": (data.get("click") or {}).get("link"),
-            "open_user_agent": (data.get("open") or {}).get("userAgent"),
-        },
-    })
+    events.append(
+        {
+            "type": event_type,
+            "at": datetime.utcnow().isoformat(),
+            "raw": {
+                # Keep only the fields we actually want to retain — avoid storing PII
+                # we don't need. The `to` and subject are already on the row.
+                "bounce_type": (data.get("bounce") or {}).get("type"),
+                "bounce_subtype": (data.get("bounce") or {}).get("subType"),
+                "click_link": (data.get("click") or {}).get("link"),
+                "open_user_agent": (data.get("open") or {}).get("userAgent"),
+            },
+        }
+    )
     row.events = events
     row.last_event_at = datetime.utcnow()
 

app/core/sentry.py

@@ -61,7 +61,7 @@ def _before_send(event: dict, hint: dict) -> dict | None:
     # Drop 4xx HTTPExceptions: those are expected validation failures
     exc_info = hint.get("exc_info")
     if exc_info:
-        exc_type, exc_value, _ = exc_info
+        _exc_type, exc_value, _tb = exc_info
         try:
             from fastapi import HTTPException
 
@@ -69,8 +69,10 @@ def _before_send(event: dict, hint: dict) -> dict | None:
                 status = getattr(exc_value, "status_code", 500)
                 if 400 <= status < 500:
                     return None
-        except Exception:
-            pass
+        except Exception as filter_err:
+            # Filtering isn't worth failing an error report over — log
+            # the filter-side failure so we notice if this path breaks.
+            logger.debug(f"HTTPException filter skipped: {filter_err}")
 
     # Scrub the event payload
     _scrub_mapping(event)

app/middleware/security_headers.py

@@ -26,13 +26,7 @@ from starlette.middleware.base import BaseHTTPMiddleware
 from starlette.requests import Request
 from starlette.responses import Response
 
-
-_BACKEND_CSP = (
-    "default-src 'none'; "
-    "frame-ancestors 'none'; "
-    "base-uri 'none'; "
-    "form-action 'none'"
-)
+_BACKEND_CSP = "default-src 'none'; frame-ancestors 'none'; base-uri 'none'; form-action 'none'"
 
 
 class SecurityHeadersMiddleware(BaseHTTPMiddleware):

app/models/db.py

@@ -502,11 +502,12 @@ def init_db():
     import logging
     from pathlib import Path
 
-    from alembic import command
     from alembic.config import Config
     from alembic.runtime.migration import MigrationContext
     from sqlalchemy import text
 
+    from alembic import command
+
     log = logging.getLogger(__name__)
 
     # pgvector is a Supabase extension; on SQLite this is a no-op.

app/services/avatar.py

@@ -154,9 +154,7 @@ class AvatarService:
             raise RuntimeError("Avatar storage is not configured on this server.")
 
         if content_type and content_type.lower() not in ALLOWED_MIME_TYPES:
-            raise AvatarError(
-                "Only JPG, PNG, WebP, and HEIC images are supported."
-            )
+            raise AvatarError("Only JPG, PNG, WebP, and HEIC images are supported.")
 
         webp_bytes = _normalize_to_webp(raw_bytes)
 
@@ -179,9 +177,7 @@ class AvatarService:
             )
         except Exception as e:
             logger.error(f"Supabase upload failed for user {user_id}: {e}")
-            raise RuntimeError(
-                "We couldn't save your picture. Please try again in a moment."
-            ) from e
+            raise RuntimeError("We couldn't save your picture. Please try again in a moment.") from e
 
         # Public URL from the bucket. Supabase returns {"publicUrl": "..."}.
         url_resp: Any = self._client.storage.from_(self.bucket).get_public_url(key)
@@ -193,6 +189,7 @@ class AvatarService:
         # Append a version query-string driven by upload time so the browser
         # reliably pulls the new file.
         import time
+
         return f"{public_url}?v={int(time.time())}"
 
     def delete(self, user_id: str) -> None:

app/services/email.py

@@ -316,7 +316,9 @@ class EmailService:
         else:
             subject = "Your check-in is ready"
             headline = "A quiet reminder"
-            detail = "A check-in is waiting for you today. Just a few minutes of reflection can be surprisingly helpful."
+            detail = (
+                "A check-in is waiting for you today. Just a few minutes of reflection can be surprisingly helpful."
+            )
         body = f"""
             <h2>{headline}</h2>
             <p>Hello {patient_name},</p>

app/services/pdf_extractor.py

@@ -77,9 +77,7 @@ def _ocr_sync(data: bytes) -> bytes:
         import ocrmypdf
     except ImportError as e:
         logger.warning(f"ocrmypdf not installed, cannot OCR: {e}")
-        raise PDFExtractionError(
-            "This PDF appears to be a scan and OCR is not available in this environment."
-        ) from e
+        raise PDFExtractionError("This PDF appears to be a scan and OCR is not available in this environment.") from e
 
     in_buf = io.BytesIO(data)
     out_buf = io.BytesIO()
@@ -116,7 +114,7 @@ async def _ocr_with_timeout(data: bytes) -> bytes:
             asyncio.to_thread(_ocr_sync, data),
             timeout=OCR_TIMEOUT_SECONDS,
         )
-    except asyncio.TimeoutError:
+    except TimeoutError:
         raise PDFExtractionError(
             f"OCR took longer than {OCR_TIMEOUT_SECONDS}s. For large scans, "
             "please split into smaller PDFs or paste the content as text."
@@ -156,8 +154,6 @@ async def extract_text_from_pdf_bytes(data: bytes) -> str:
         # Preserve any partial direct-extract text we may have had
         if text:
             return text
-        raise PDFExtractionError(
-            "No text was found in this PDF, even after OCR. Please type the content manually."
-        )
+        raise PDFExtractionError("No text was found in this PDF, even after OCR. Please type the content manually.")
 
     return text

app/services/reports.py

@@ -25,7 +25,6 @@ from reportlab.lib.units import cm
 from reportlab.platypus import (
     HRFlowable,
     KeepTogether,
-    PageBreak,
     Paragraph,
     SimpleDocTemplate,
     Spacer,
@@ -205,20 +204,24 @@ def _kv_table(rows: list[tuple[str, str]], s: dict[str, ParagraphStyle]) -> Tabl
     data = []
     for k, v in rows:
         val = v if v not in (None, "") else "—"
-        data.append([
-            Paragraph(f"<font color='#5A6170'>{k}</font>", s["meta"]),
-            Paragraph(str(val), s["body"]),
-        ])
+        data.append(
+            [
+                Paragraph(f"<font color='#5A6170'>{k}</font>", s["meta"]),
+                Paragraph(str(val), s["body"]),
+            ]
+        )
     t = Table(data, colWidths=[4.5 * cm, None])
     t.setStyle(
-        TableStyle([
-            ("VALIGN", (0, 0), (-1, -1), "TOP"),
-            ("LEFTPADDING", (0, 0), (-1, -1), 0),
-            ("RIGHTPADDING", (0, 0), (-1, -1), 4),
-            ("TOPPADDING", (0, 0), (-1, -1), 3),
-            ("BOTTOMPADDING", (0, 0), (-1, -1), 3),
-            ("LINEBELOW", (0, 0), (-1, -2), 0.25, BORDER),
-        ])
+        TableStyle(
+            [
+                ("VALIGN", (0, 0), (-1, -1), "TOP"),
+                ("LEFTPADDING", (0, 0), (-1, -1), 0),
+                ("RIGHTPADDING", (0, 0), (-1, -1), 4),
+                ("TOPPADDING", (0, 0), (-1, -1), 3),
+                ("BOTTOMPADDING", (0, 0), (-1, -1), 3),
+                ("LINEBELOW", (0, 0), (-1, -2), 0.25, BORDER),
+            ]
+        )
     )
     return t
 
@@ -334,16 +337,18 @@ def build_screening_pdf(screening: dict, patient: dict) -> BytesIO:
             data.append([sym.get("criterion", "—").replace("_", " ").title(), conf_str])
         t = Table(data, colWidths=[9 * cm, 4 * cm])
         t.setStyle(
-            TableStyle([
-                ("BACKGROUND", (0, 0), (-1, 0), CREAM_DARK),
-                ("TEXTCOLOR", (0, 0), (-1, 0), INK),
-                ("FONTNAME", (0, 0), (-1, 0), "Helvetica-Bold"),
-                ("FONTSIZE", (0, 0), (-1, -1), 9),
-                ("BOTTOMPADDING", (0, 0), (-1, -1), 6),
-                ("TOPPADDING", (0, 0), (-1, -1), 6),
-                ("VALIGN", (0, 0), (-1, -1), "MIDDLE"),
-                ("LINEBELOW", (0, 0), (-1, -1), 0.25, BORDER),
-            ])
+            TableStyle(
+                [
+                    ("BACKGROUND", (0, 0), (-1, 0), CREAM_DARK),
+                    ("TEXTCOLOR", (0, 0), (-1, 0), INK),
+                    ("FONTNAME", (0, 0), (-1, 0), "Helvetica-Bold"),
+                    ("FONTSIZE", (0, 0), (-1, -1), 9),
+                    ("BOTTOMPADDING", (0, 0), (-1, -1), 6),
+                    ("TOPPADDING", (0, 0), (-1, -1), 6),
+                    ("VALIGN", (0, 0), (-1, -1), "MIDDLE"),
+                    ("LINEBELOW", (0, 0), (-1, -1), 0.25, BORDER),
+                ]
+            )
         )
         story.append(t)
 
@@ -444,13 +449,15 @@ def build_patient_export_pdf(patient: dict, export: dict) -> BytesIO:
     else:
         data = [["Name", "Dosage", "Frequency", "Prescribed by", "Started"]]
         for m in meds:
-            data.append([
-                _safe(m.get("name")),
-                _safe(m.get("dosage")),
-                _safe(m.get("frequency")),
-                _safe(m.get("prescribed_by")),
-                _format_date(m.get("start_date")),
-            ])
+            data.append(
+                [
+                    _safe(m.get("name")),
+                    _safe(m.get("dosage")),
+                    _safe(m.get("frequency")),
+                    _safe(m.get("prescribed_by")),
+                    _format_date(m.get("start_date")),
+                ]
+            )
         story.append(_grid(data, s))
 
     # ── Allergies ────────
@@ -461,12 +468,14 @@ def build_patient_export_pdf(patient: dict, export: dict) -> BytesIO:
     else:
         data = [["Allergen", "Type", "Severity", "Reaction"]]
         for a in allergies:
-            data.append([
-                _safe(a.get("allergen")),
-                _safe(a.get("allergy_type")),
-                _safe(a.get("severity")),
-                _safe(a.get("reaction")),
-            ])
+            data.append(
+                [
+                    _safe(a.get("allergen")),
+                    _safe(a.get("allergy_type")),
+                    _safe(a.get("severity")),
+                    _safe(a.get("reaction")),
+                ]
+            )
         story.append(_grid(data, s))
 
     # ── Diagnoses ────────
@@ -477,13 +486,15 @@ def build_patient_export_pdf(patient: dict, export: dict) -> BytesIO:
     else:
         data = [["Condition", "ICD-10", "Status", "Diagnosed", "By"]]
         for d in dxs:
-            data.append([
-                _safe(d.get("condition")),
-                _safe(d.get("icd10_code")),
-                _safe(d.get("status")),
-                _format_date(d.get("diagnosed_date")),
-                _safe(d.get("diagnosed_by")),
-            ])
+            data.append(
+                [
+                    _safe(d.get("condition")),
+                    _safe(d.get("icd10_code")),
+                    _safe(d.get("status")),
+                    _format_date(d.get("diagnosed_date")),
+                    _safe(d.get("diagnosed_by")),
+                ]
+            )
         story.append(_grid(data, s))
 
     # ── Emergency contacts ────────
@@ -494,12 +505,14 @@ def build_patient_export_pdf(patient: dict, export: dict) -> BytesIO:
     else:
         data = [["Name", "Phone", "Relation", "Primary"]]
         for c in contacts:
-            data.append([
-                _safe(c.get("contact_name")),
-                _safe(c.get("phone")),
-                _safe(c.get("relation")),
-                "Yes" if c.get("is_primary") else "—",
-            ])
+            data.append(
+                [
+                    _safe(c.get("contact_name")),
+                    _safe(c.get("phone")),
+                    _safe(c.get("relation")),
+                    "Yes" if c.get("is_primary") else "—",
+                ]
+            )
         story.append(_grid(data, s))
 
     # ── Screenings ────────
@@ -510,12 +523,14 @@ def build_patient_export_pdf(patient: dict, export: dict) -> BytesIO:
     else:
         data = [["Date", "Severity", "Score", "Flagged"]]
         for sc in screenings:
-            data.append([
-                _format_date(sc.get("created_at")),
-                _safe(sc.get("severity_label")).title(),
-                _safe(sc.get("severity_score")),
-                "Yes" if sc.get("flagged_for_review") else "—",
-            ])
+            data.append(
+                [
+                    _format_date(sc.get("created_at")),
+                    _safe(sc.get("severity_label")).title(),
+                    _safe(sc.get("severity_score")),
+                    "Yes" if sc.get("flagged_for_review") else "—",
+                ]
+            )
         story.append(_grid(data, s))
 
     # ── Documents ────────
@@ -564,7 +579,8 @@ def build_patient_summary_pdf(patient: dict, export: dict, clinician_name: str |
     active_meds = [m for m in (export.get("medications") or []) if m.get("is_active") is not False]
     active_dxs = [d for d in (export.get("diagnoses") or []) if d.get("status") == "active"]
     life_threatening = [
-        a for a in (export.get("allergies") or [])
+        a
+        for a in (export.get("allergies") or [])
         if (a.get("severity") or "").lower() in {"life_threatening", "life-threatening", "severe"}
     ]
     latest_screenings = (export.get("screenings") or [])[:5]
@@ -607,12 +623,14 @@ def build_patient_summary_pdf(patient: dict, export: dict, clinician_name: str |
         data = [["Allergen", "Severity", "Reaction", "Notes"]]
         sort_key = {"life_threatening": 0, "life-threatening": 0, "severe": 1, "moderate": 2, "mild": 3}
         for a in sorted(allergies, key=lambda x: sort_key.get((x.get("severity") or "").lower(), 99)):
-            data.append([
-                _safe(a.get("allergen")),
-                _safe(a.get("severity")),
-                _safe(a.get("reaction")),
-                _safe(a.get("notes")),
-            ])
+            data.append(
+                [
+                    _safe(a.get("allergen")),
+                    _safe(a.get("severity")),
+                    _safe(a.get("reaction")),
+                    _safe(a.get("notes")),
+                ]
+            )
         story.append(_grid(data, s))
 
     # ── Medications ────────
@@ -620,13 +638,15 @@ def build_patient_summary_pdf(patient: dict, export: dict, clinician_name: str |
         story.append(Paragraph("Active medications", s["h2"]))
         data = [["Name", "Dosage", "Frequency", "Started", "Prescribed by"]]
         for m in active_meds:
-            data.append([
-                _safe(m.get("name")),
-                _safe(m.get("dosage")),
-                _safe(m.get("frequency")),
-                _format_date(m.get("start_date")),
-                _safe(m.get("prescribed_by")),
-            ])
+            data.append(
+                [
+                    _safe(m.get("name")),
+                    _safe(m.get("dosage")),
+                    _safe(m.get("frequency")),
+                    _format_date(m.get("start_date")),
+                    _safe(m.get("prescribed_by")),
+                ]
+            )
         story.append(_grid(data, s))
 
     # ── Diagnoses ────────
@@ -634,12 +654,14 @@ def build_patient_summary_pdf(patient: dict, export: dict, clinician_name: str |
         story.append(Paragraph("Active diagnoses", s["h2"]))
         data = [["Condition", "ICD-10", "Diagnosed", "By"]]
         for d in active_dxs:
-            data.append([
-                _safe(d.get("condition")),
-                _safe(d.get("icd10_code")),
-                _format_date(d.get("diagnosed_date")),
-                _safe(d.get("diagnosed_by")),
-            ])
+            data.append(
+                [
+                    _safe(d.get("condition")),
+                    _safe(d.get("icd10_code")),
+                    _format_date(d.get("diagnosed_date")),
+                    _safe(d.get("diagnosed_by")),
+                ]
+            )
         story.append(_grid(data, s))
 
     # ── Screening trajectory ────────
@@ -647,13 +669,15 @@ def build_patient_summary_pdf(patient: dict, export: dict, clinician_name: str |
         story.append(Paragraph("Recent screenings", s["h2"]))
         data = [["Date", "Severity", "Score", "Flagged", "Notes"]]
         for sc in latest_screenings:
-            data.append([
-                _format_date(sc.get("created_at")),
-                _safe(sc.get("severity_label")).title(),
-                _safe(sc.get("severity_score")),
-                "Yes" if sc.get("flagged_for_review") else "—",
-                _safe((sc.get("clinician_notes") or "")[:80]),
-            ])
+            data.append(
+                [
+                    _format_date(sc.get("created_at")),
+                    _safe(sc.get("severity_label")).title(),
+                    _safe(sc.get("severity_score")),
+                    "Yes" if sc.get("flagged_for_review") else "—",
+                    _safe((sc.get("clinician_notes") or "")[:80]),
+                ]
+            )
         story.append(_grid(data, s))
 
     # ── Care plan ────────
@@ -662,15 +686,18 @@ def build_patient_summary_pdf(patient: dict, export: dict, clinician_name: str |
     if active_cps:
         story.append(Paragraph("Care plan", s["h2"]))
         for cp in active_cps[:2]:
-            story.append(KeepTogether([
-                Paragraph(f"<b>{_safe(cp.get('title'))}</b>", s["h3"]),
-                Paragraph(
-                    f"Status: <b>{_safe(cp.get('status'))}</b> · "
-                    f"Review: {_format_date(cp.get('review_date'))}",
-                    s["meta"],
-                ),
-                Paragraph(_safe(cp.get("description")), s["body"]),
-            ]))
+            story.append(
+                KeepTogether(
+                    [
+                        Paragraph(f"<b>{_safe(cp.get('title'))}</b>", s["h3"]),
+                        Paragraph(
+                            f"Status: <b>{_safe(cp.get('status'))}</b> · Review: {_format_date(cp.get('review_date'))}",
+                            s["meta"],
+                        ),
+                        Paragraph(_safe(cp.get("description")), s["body"]),
+                    ]
+                )
+            )
 
     # ── Emergency contact ────────
     contacts = export.get("emergency_contacts") or []
@@ -714,15 +741,17 @@ def _grid(data: list[list[str]], s: dict[str, ParagraphStyle]) -> Table:
 
     t = Table(wrapped, colWidths=col_widths, repeatRows=1)
     t.setStyle(
-        TableStyle([
-            ("BACKGROUND", (0, 0), (-1, 0), CREAM_DARK),
-            ("BOTTOMPADDING", (0, 0), (-1, -1), 5),
-            ("TOPPADDING", (0, 0), (-1, -1), 5),
-            ("LEFTPADDING", (0, 0), (-1, -1), 6),
-            ("RIGHTPADDING", (0, 0), (-1, -1), 6),
-            ("VALIGN", (0, 0), (-1, -1), "TOP"),
-            ("LINEBELOW", (0, 0), (-1, -1), 0.25, BORDER),
-        ])
+        TableStyle(
+            [
+                ("BACKGROUND", (0, 0), (-1, 0), CREAM_DARK),
+                ("BOTTOMPADDING", (0, 0), (-1, -1), 5),
+                ("TOPPADDING", (0, 0), (-1, -1), 5),
+                ("LEFTPADDING", (0, 0), (-1, -1), 6),
+                ("RIGHTPADDING", (0, 0), (-1, -1), 6),
+                ("VALIGN", (0, 0), (-1, -1), "TOP"),
+                ("LINEBELOW", (0, 0), (-1, -1), 0.25, BORDER),
+            ]
+        )
     )
     return t
 

ruff.toml

@@ -31,6 +31,10 @@ ignore = [
 [lint.per-file-ignores]
 "ml/scripts/**" = ["S", "E", "F841", "B905", "F401"]  # ML scripts are less strict
 "ml/scripts/deprecated/**" = ["ALL"]  # Deprecated scripts, not worth linting
+# Alembic autogenerates migration files with a fixed template; linting
+# the template breaks autogenerate. `alembic revision --autogenerate`
+# produces code we don't hand-edit unless fixing a diff.
+"alembic/versions/*.py" = ["ALL"]
 
 [format]
 quote-style = "double"