Upload folder using huggingface_hub

.dockerignore

@@ -0,0 +1,50 @@
+# Git
+.git
+.gitignore
+
+# Python
+__pycache__
+*.py[cod]
+*$py.class
+*.so
+.Python
+.venv
+venv
+ENV
+.eggs
+*.egg-info
+.pytest_cache
+
+# Node
+node_modules
+frontend/node_modules
+
+# IDE
+.vscode
+.idea
+*.swp
+*.swo
+
+# Local data
+data/
+*.db
+uploads/
+archives/
+
+# Environment files (secrets are in HF Spaces settings)
+.env
+.env.local
+.env.*.local
+
+# Documentation and misc
+LICENSE
+docs/
+
+# Build artifacts
+dist/
+build/
+frontend/dist/
+
+# OS files
+.DS_Store
+Thumbs.db

.gitattributes

@@ -33,3 +33,15 @@ saved_model/**/* filter=lfs diff=lfs merge=lfs -text
 *.zip filter=lfs diff=lfs merge=lfs -text
 *.zst filter=lfs diff=lfs merge=lfs -text
 *tfevents* filter=lfs diff=lfs merge=lfs -text
+backend/static/CSG_LOGO_light.png filter=lfs diff=lfs merge=lfs -text
+backend/static/logo.png filter=lfs diff=lfs merge=lfs -text
+backend/static/trex-logo.png filter=lfs diff=lfs merge=lfs -text
+backend/static/videos/splash.mp4 filter=lfs diff=lfs merge=lfs -text
+backend/static/videos/splash_2.mp4 filter=lfs diff=lfs merge=lfs -text
+backend/static/videos/splash_3.mp4 filter=lfs diff=lfs merge=lfs -text
+frontend/public/CSG_LOGO_light.png filter=lfs diff=lfs merge=lfs -text
+frontend/public/logo.png filter=lfs diff=lfs merge=lfs -text
+frontend/public/trex-logo.png filter=lfs diff=lfs merge=lfs -text
+frontend/public/videos/splash.mp4 filter=lfs diff=lfs merge=lfs -text
+frontend/public/videos/splash_2.mp4 filter=lfs diff=lfs merge=lfs -text
+frontend/public/videos/splash_3.mp4 filter=lfs diff=lfs merge=lfs -text

.gitignore

@@ -0,0 +1,47 @@
+# Dependencies
+node_modules/
+__pycache__/
+*.py[cod]
+*$py.class
+.venv/
+venv/
+env/
+
+# Build outputs
+dist/
+build/
+*.egg-info/
+.eggs/
+
+# Data directories (contain sensitive data)
+data/
+uploads/
+archives/
+
+# Environment files
+.env
+.env.local
+.env.*.local
+
+# IDE
+.vscode/
+.idea/
+*.swp
+*.swo
+*~
+
+# OS
+.DS_Store
+Thumbs.db
+
+# Logs
+*.log
+logs/
+
+# Testing
+.coverage
+htmlcov/
+.pytest_cache/
+
+# Keep gitkeep files
+!.gitkeep

Dockerfile

@@ -0,0 +1,71 @@
+# HuggingFace Spaces Docker deployment for Crop Dashboard
+# Multi-stage build for smaller final image
+
+# Stage 1: Build frontend
+FROM node:20-alpine AS frontend-builder
+
+WORKDIR /app/frontend
+
+# Copy package files
+COPY frontend/package*.json ./
+
+# Install dependencies
+RUN npm ci
+
+# Copy frontend source
+COPY frontend/ ./
+
+# Build frontend
+RUN npm run build
+
+# Stage 2: Python backend + serve frontend
+FROM python:3.11-slim
+
+# Set environment variables
+ENV PYTHONDONTWRITEBYTECODE=1
+ENV PYTHONUNBUFFERED=1
+ENV PORT=7860
+
+# Install system dependencies for SQLCipher
+RUN apt-get update && apt-get install -y --no-install-recommends \
+    gcc \
+    libsqlcipher-dev \
+    && rm -rf /var/lib/apt/lists/*
+
+WORKDIR /app
+
+# Copy requirements and install Python dependencies
+COPY backend/requirements.txt .
+RUN pip install --no-cache-dir -r requirements.txt
+
+# Copy backend code
+COPY backend/ ./backend/
+
+# Copy built frontend from Stage 1 to backend/static (where main.py expects it)
+COPY --from=frontend-builder /app/frontend/dist ./backend/static
+
+# Create non-root user for security (HF Spaces requirement)
+RUN useradd -m -u 1000 user
+
+# Create data directory with proper permissions AFTER creating user
+RUN mkdir -p /data /data/uploads /data/archives && \
+    chown -R user:user /data
+
+# Switch to non-root user
+USER user
+
+# Set HOME for the user
+ENV HOME=/home/user
+ENV PATH="/home/user/.local/bin:$PATH"
+
+# Set database URL to use persistent /data directory
+ENV DATABASE_URL=sqlite:////data/crop_dashboard.db
+
+# Set demo mode to disable Box integration
+ENV DEMO_MODE=true
+
+# Expose port 7860 (HuggingFace Spaces requirement)
+EXPOSE 7860
+
+# Run the application
+CMD ["python", "-m", "uvicorn", "backend.main:app", "--host", "0.0.0.0", "--port", "7860"]

README.md

@@ -1,11 +1,61 @@
----
-title: Csg Dash Demo
-emoji: 🌖
-colorFrom: blue
-colorTo: yellow
-sdk: docker
-pinned: false
-license: cc0-1.0
----
-
-Check out the configuration reference at https://huggingface.co/docs/hub/spaces-config-reference
+---
+title: Crop Dashboard Platform
+emoji: 🌾
+colorFrom: green
+colorTo: blue
+sdk: docker
+pinned: false
+license: mit
+app_port: 7860
+---
+
+# Crop Dashboard Platform
+
+A professional agricultural sensor data management platform built with FastAPI and React.
+
+## Features
+
+- Real-time sensor data visualization
+- Multi-site management with crop categorization
+- Role-based access control (RBAC)
+- Group-based site access management
+- Encrypted SQLite database (SQLCipher)
+- JWT authentication with refresh tokens
+- Dark/Light mode support
+
+## Demo Accounts
+
+This demo uses synthetic data that is regenerated on each restart.
+
+**Grower One:**
+- Email: `grower1@demo.cropdash.dev`
+- Password: `demo123`
+- Access: Sites 01-05
+
+**Grower Two:**
+- Email: `grower2@demo.cropdash.dev`
+- Password: `demo123`
+- Access: Sites 06-10
+
+**Admin Access:**
+- Email: `admin@cropdash.dev`
+- Password: Please inquire
+
+> **Note:** All data displayed is synthetically generated for demonstration purposes only.
+
+## Environment Variables
+
+Configure these as Secrets in your HuggingFace Space settings:
+
+| Variable | Description | Required |
+|----------|-------------|----------|
+| `SECRET_KEY` | JWT access token signing key (min 32 chars) | Yes |
+| `REFRESH_SECRET_KEY` | JWT refresh token signing key (min 32 chars) | Yes |
+| `DB_ENCRYPTION_KEY` | SQLCipher database encryption key (64+ chars recommended) | Yes |
+| `ADMIN_PASSWORD` | Admin account password | Yes |
+
+## Tech Stack
+
+- **Backend:** FastAPI, SQLAlchemy, SQLCipher
+- **Frontend:** React, TypeScript, Tailwind CSS, Plotly
+- **Auth:** JWT tokens with refresh token support and token versioning

backend/api/__init__.py

@@ -0,0 +1,12 @@
+from fastapi import APIRouter
+from backend.api import auth, users, sites, sensors, groups, admin, pipeline, box
+
+api_router = APIRouter()
+api_router.include_router(auth.router, prefix="/auth", tags=["Authentication"])
+api_router.include_router(users.router, prefix="/users", tags=["Users"])
+api_router.include_router(groups.router, prefix="/groups", tags=["Groups"])
+api_router.include_router(sites.router, prefix="/sites", tags=["Sites"])
+api_router.include_router(sensors.router, prefix="/sensors", tags=["Sensors"])
+api_router.include_router(admin.router, prefix="/admin", tags=["Admin"])
+api_router.include_router(pipeline.router, prefix="/pipeline", tags=["Pipeline"])
+api_router.include_router(box.router, prefix="/box", tags=["Box Integration"])

backend/api/admin.py

@@ -0,0 +1,345 @@
+from datetime import datetime
+from io import StringIO
+import csv
+from fastapi import APIRouter, HTTPException, status, Query
+from fastapi.responses import StreamingResponse
+from sqlalchemy import or_, cast, String
+from backend.core.dependencies import DbSession, AdminUser
+from backend.schemas.admin import (
+    AuditLogResponse, SystemStatsResponse, SiteCreate, SiteUpdate
+)
+from backend.schemas.site import SiteResponse
+from backend.models import (
+    User, Group, Site, Crop, AuditLog, SensorData,
+    EquipmentGroup, Parameter
+)
+
+router = APIRouter()
+
+
+@router.get("/stats", response_model=SystemStatsResponse)
+def get_system_stats(db: DbSession, admin: AdminUser):
+    return SystemStatsResponse(
+        total_users=db.query(User).count(),
+        active_users=db.query(User).filter(User.is_active == True).count(),
+        total_groups=db.query(Group).count(),
+        total_sites=db.query(Site).count(),
+        active_sites=db.query(Site).filter(Site.is_active == True).count(),
+        total_sensor_records=db.query(SensorData).count(),
+        total_parameters=db.query(Parameter).count(),
+        total_equipment_groups=db.query(EquipmentGroup).count()
+    )
+
+
+@router.get("/audit", response_model=list[AuditLogResponse])
+def get_audit_logs(
+    db: DbSession,
+    admin: AdminUser,
+    limit: int = Query(default=100, le=1000),
+    offset: int = Query(default=0),
+    user_id: str | None = None,
+    action: str | None = None,
+    search: str | None = Query(default=None, description="Search in user email, IP address, resource type/id, and details"),
+    start_date: datetime | None = Query(default=None, description="Filter logs from this date (ISO format)"),
+    end_date: datetime | None = Query(default=None, description="Filter logs until this date (ISO format)")
+):
+    """Get audit logs with optional filtering and search."""
+    query = db.query(AuditLog).order_by(AuditLog.created_at.desc())
+
+    if user_id:
+        query = query.filter(AuditLog.user_id == user_id)
+    if action:
+        query = query.filter(AuditLog.action == action)
+    if start_date:
+        query = query.filter(AuditLog.created_at >= start_date)
+    if end_date:
+        query = query.filter(AuditLog.created_at <= end_date)
+
+    # Get all user emails for search matching
+    all_users = db.query(User).all()
+    user_map = {u.id: u.email for u in all_users}
+    email_to_id = {u.email.lower(): u.id for u in all_users}
+
+    # Apply search filter
+    if search:
+        search_lower = search.lower()
+        # First check if search matches a user email
+        matching_user_ids = [uid for email, uid in email_to_id.items() if search_lower in email]
+
+        # Build OR conditions for search
+        search_conditions = [
+            AuditLog.ip_address.ilike(f"%{search}%"),
+            AuditLog.resource_type.ilike(f"%{search}%"),
+            AuditLog.resource_id.ilike(f"%{search}%"),
+            AuditLog.action.ilike(f"%{search}%"),
+            cast(AuditLog.details, String).ilike(f"%{search}%"),
+        ]
+
+        # Add user_id matches if any emails matched
+        if matching_user_ids:
+            search_conditions.append(AuditLog.user_id.in_(matching_user_ids))
+
+        query = query.filter(or_(*search_conditions))
+
+    logs = query.offset(offset).limit(limit).all()
+
+    return [
+        AuditLogResponse(
+            id=log.id,
+            user_id=log.user_id,
+            user_email=user_map.get(log.user_id) if log.user_id else None,
+            action=log.action,
+            resource_type=log.resource_type,
+            resource_id=log.resource_id,
+            details=log.details,
+            ip_address=log.ip_address,
+            created_at=log.created_at
+        )
+        for log in logs
+    ]
+
+
+@router.get("/audit/export")
+def export_audit_logs(
+    db: DbSession,
+    admin: AdminUser,
+    user_id: str | None = None,
+    action: str | None = None,
+    search: str | None = None,
+    start_date: datetime | None = None,
+    end_date: datetime | None = None
+):
+    """Export audit logs as CSV file."""
+    query = db.query(AuditLog).order_by(AuditLog.created_at.desc())
+
+    if user_id:
+        query = query.filter(AuditLog.user_id == user_id)
+    if action:
+        query = query.filter(AuditLog.action == action)
+    if start_date:
+        query = query.filter(AuditLog.created_at >= start_date)
+    if end_date:
+        query = query.filter(AuditLog.created_at <= end_date)
+
+    # Get all user emails for mapping
+    all_users = db.query(User).all()
+    user_map = {u.id: u.email for u in all_users}
+    email_to_id = {u.email.lower(): u.id for u in all_users}
+
+    # Apply search filter
+    if search:
+        search_lower = search.lower()
+        matching_user_ids = [uid for email, uid in email_to_id.items() if search_lower in email]
+        search_conditions = [
+            AuditLog.ip_address.ilike(f"%{search}%"),
+            AuditLog.resource_type.ilike(f"%{search}%"),
+            AuditLog.resource_id.ilike(f"%{search}%"),
+            AuditLog.action.ilike(f"%{search}%"),
+            cast(AuditLog.details, String).ilike(f"%{search}%"),
+        ]
+        if matching_user_ids:
+            search_conditions.append(AuditLog.user_id.in_(matching_user_ids))
+        query = query.filter(or_(*search_conditions))
+
+    logs = query.all()
+
+    # Create CSV in memory
+    output = StringIO()
+    writer = csv.writer(output)
+
+    # Write header
+    writer.writerow([
+        "ID", "Timestamp (UTC)", "User Email", "Action", "Resource Type",
+        "Resource ID", "IP Address", "Details"
+    ])
+
+    # Write data rows
+    for log in logs:
+        writer.writerow([
+            log.id,
+            log.created_at.isoformat() if log.created_at else "",
+            user_map.get(log.user_id, "") if log.user_id else "",
+            log.action,
+            log.resource_type or "",
+            log.resource_id or "",
+            log.ip_address or "",
+            str(log.details) if log.details else ""
+        ])
+
+    output.seek(0)
+
+    # Generate filename with timestamp
+    timestamp = datetime.now().strftime('%Y%m%d_%H%M%S')
+    filename = f"audit_log_export_{timestamp}.csv"
+
+    return StreamingResponse(
+        iter([output.getvalue()]),
+        media_type="text/csv",
+        headers={"Content-Disposition": f"attachment; filename={filename}"}
+    )
+
+
+@router.get("/sites", response_model=list[SiteResponse])
+def list_all_sites(db: DbSession, admin: AdminUser):
+    """List all sites (including inactive) for admin management."""
+    sites = db.query(Site).all()
+    return [
+        SiteResponse(
+            id=s.id,
+            site_code=s.site_code,
+            name=s.name,
+            crop_id=s.crop_id,
+            crop_name=s.crop.display_name if s.crop else None,
+            latitude=s.latitude,
+            longitude=s.longitude,
+            is_active=s.is_active
+        )
+        for s in sites
+    ]
+
+
+@router.post("/sites", response_model=SiteResponse, status_code=status.HTTP_201_CREATED)
+def create_site(site_data: SiteCreate, db: DbSession, admin: AdminUser):
+    existing = db.query(Site).filter(Site.site_code == site_data.site_code).first()
+    if existing:
+        raise HTTPException(
+            status_code=status.HTTP_400_BAD_REQUEST,
+            detail="Site with this code already exists"
+        )
+
+    crop = db.query(Crop).filter(Crop.id == site_data.crop_id).first()
+    if not crop:
+        raise HTTPException(
+            status_code=status.HTTP_400_BAD_REQUEST,
+            detail="Invalid crop_id"
+        )
+
+    site = Site(
+        site_code=site_data.site_code,
+        name=site_data.name,
+        crop_id=site_data.crop_id,
+        latitude=site_data.latitude,
+        longitude=site_data.longitude
+    )
+    db.add(site)
+    db.commit()
+    db.refresh(site)
+
+    # Log the action
+    log = AuditLog(
+        user_id=admin.id,
+        action="site_created",
+        resource_type="site",
+        resource_id=site.id,
+        details={"site_code": site.site_code, "name": site.name}
+    )
+    db.add(log)
+    db.commit()
+
+    return SiteResponse(
+        id=site.id,
+        site_code=site.site_code,
+        name=site.name,
+        crop_id=site.crop_id,
+        crop_name=crop.display_name,
+        latitude=site.latitude,
+        longitude=site.longitude,
+        is_active=site.is_active
+    )
+
+
+@router.put("/sites/{site_id}", response_model=SiteResponse)
+def update_site(site_id: str, site_data: SiteUpdate, db: DbSession, admin: AdminUser):
+    site = db.query(Site).filter(Site.id == site_id).first()
+    if not site:
+        raise HTTPException(
+            status_code=status.HTTP_404_NOT_FOUND,
+            detail="Site not found"
+        )
+
+    if site_data.site_code is not None:
+        existing = db.query(Site).filter(Site.site_code == site_data.site_code, Site.id != site_id).first()
+        if existing:
+            raise HTTPException(
+                status_code=status.HTTP_400_BAD_REQUEST,
+                detail="Site with this code already exists"
+            )
+        site.site_code = site_data.site_code
+
+    if site_data.name is not None:
+        site.name = site_data.name
+    if site_data.crop_id is not None:
+        crop = db.query(Crop).filter(Crop.id == site_data.crop_id).first()
+        if not crop:
+            raise HTTPException(status_code=status.HTTP_400_BAD_REQUEST, detail="Invalid crop_id")
+        site.crop_id = site_data.crop_id
+    if site_data.latitude is not None:
+        site.latitude = site_data.latitude
+    if site_data.longitude is not None:
+        site.longitude = site_data.longitude
+    if site_data.is_active is not None:
+        site.is_active = site_data.is_active
+
+    db.commit()
+    db.refresh(site)
+
+    # Log the action
+    log = AuditLog(
+        user_id=admin.id,
+        action="site_updated",
+        resource_type="site",
+        resource_id=site.id,
+        details={"site_code": site.site_code}
+    )
+    db.add(log)
+    db.commit()
+
+    return SiteResponse(
+        id=site.id,
+        site_code=site.site_code,
+        name=site.name,
+        crop_id=site.crop_id,
+        crop_name=site.crop.display_name if site.crop else None,
+        latitude=site.latitude,
+        longitude=site.longitude,
+        is_active=site.is_active
+    )
+
+
+@router.delete("/sites/{site_id}", status_code=status.HTTP_204_NO_CONTENT)
+def delete_site(site_id: str, db: DbSession, admin: AdminUser):
+    site = db.query(Site).filter(Site.id == site_id).first()
+    if not site:
+        raise HTTPException(
+            status_code=status.HTTP_404_NOT_FOUND,
+            detail="Site not found"
+        )
+
+    # Log before deletion
+    log = AuditLog(
+        user_id=admin.id,
+        action="site_deleted",
+        resource_type="site",
+        resource_id=site.id,
+        details={"site_code": site.site_code, "name": site.name}
+    )
+    db.add(log)
+
+    db.delete(site)
+    db.commit()
+
+
+@router.get("/crops", response_model=list[dict])
+def list_crops_admin(db: DbSession, admin: AdminUser):
+    """List all crops with site counts for admin."""
+    crops = db.query(Crop).all()
+    return [
+        {
+            "id": c.id,
+            "name": c.name,
+            "display_name": c.display_name,
+            "color": c.color,
+            "site_count": db.query(Site).filter(Site.crop_id == c.id).count()
+        }
+        for c in crops
+    ]

backend/api/auth.py

@@ -0,0 +1,114 @@
+from fastapi import APIRouter, HTTPException, status, Request
+from backend.core.dependencies import DbSession, CurrentUser
+from backend.schemas.auth import LoginRequest, Token, RefreshRequest
+from backend.schemas.user import UserResponse
+from backend.services.auth import authenticate_user, create_token_for_user
+from backend.core.security import verify_refresh_token
+from backend.models import User, AuditLog
+
+router = APIRouter()
+
+
+@router.post("/login", response_model=Token)
+def login(request: LoginRequest, db: DbSession, req: Request):
+    user = authenticate_user(db, request.email, request.password)
+    if not user:
+        # Log failed login attempt
+        log = AuditLog(
+            action="login_failed",
+            details={"email": request.email},
+            ip_address=req.client.host if req.client else None
+        )
+        db.add(log)
+        db.commit()
+        raise HTTPException(
+            status_code=status.HTTP_401_UNAUTHORIZED,
+            detail="Incorrect email or password",
+            headers={"WWW-Authenticate": "Bearer"},
+        )
+    if not user.is_active:
+        raise HTTPException(
+            status_code=status.HTTP_403_FORBIDDEN,
+            detail="User account is disabled",
+        )
+
+    # Log successful login
+    log = AuditLog(
+        user_id=user.id,
+        action="login_success",
+        details={"email": user.email},
+        ip_address=req.client.host if req.client else None
+    )
+    db.add(log)
+    db.commit()
+
+    return create_token_for_user(db, user)
+
+
+@router.get("/me", response_model=UserResponse)
+def get_current_user_info(current_user: CurrentUser, db: DbSession):
+    # Get group names for response
+    group_names = [ug.group.name for ug in current_user.groups]
+    return UserResponse(
+        id=current_user.id,
+        email=current_user.email,
+        full_name=current_user.full_name,
+        is_admin=current_user.is_admin,
+        is_active=current_user.is_active,
+        created_at=current_user.created_at,
+        last_login=current_user.last_login,
+        groups=group_names
+    )
+
+
+@router.post("/logout")
+def logout(current_user: CurrentUser, db: DbSession):
+    """Logout user by invalidating all their tokens."""
+    current_user.token_version += 1
+    db.commit()
+    return {"message": "Successfully logged out"}
+
+
+@router.post("/refresh", response_model=Token)
+def refresh_token(request: RefreshRequest, db: DbSession):
+    """Exchange a valid refresh token for new access + refresh tokens."""
+    payload = verify_refresh_token(request.refresh_token)
+
+    if payload is None:
+        raise HTTPException(
+            status_code=status.HTTP_401_UNAUTHORIZED,
+            detail="Invalid or expired refresh token",
+            headers={"WWW-Authenticate": "Bearer"},
+        )
+
+    user_id = payload.get("sub")
+    if not user_id:
+        raise HTTPException(
+            status_code=status.HTTP_401_UNAUTHORIZED,
+            detail="Invalid token payload",
+        )
+
+    user = db.query(User).filter(User.id == user_id).first()
+    if not user:
+        raise HTTPException(
+            status_code=status.HTTP_401_UNAUTHORIZED,
+            detail="User not found",
+        )
+
+    if not user.is_active:
+        raise HTTPException(
+            status_code=status.HTTP_403_FORBIDDEN,
+            detail="User account is disabled",
+        )
+
+    # Check token version - ensures refresh tokens are invalidated on password change
+    token_version = payload.get("token_version")
+    if token_version is None or token_version != user.token_version:
+        raise HTTPException(
+            status_code=status.HTTP_401_UNAUTHORIZED,
+            detail="Token has been revoked",
+            headers={"WWW-Authenticate": "Bearer"},
+        )
+
+    # Generate new tokens
+    return create_token_for_user(db, user)

backend/api/box.py

@@ -0,0 +1,437 @@
+"""Box integration API endpoints."""
+from fastapi import APIRouter, HTTPException, status
+from pydantic import BaseModel
+from typing import Optional
+
+from backend.config import settings
+from backend.core.dependencies import DbSession, AdminUser
+from backend.services.box_integration import BoxService, is_box_configured
+from backend.services.box_worker import (
+    run_box_sync, get_sync_status, update_sync_schedule,
+    start_scheduler, stop_scheduler
+)
+from backend.models import AuditLog
+
+
+router = APIRouter()
+
+
+def check_demo_mode():
+    """Raise an error if running in demo mode."""
+    if settings.demo_mode:
+        raise HTTPException(
+            status_code=status.HTTP_403_FORBIDDEN,
+            detail="Box integration is disabled in demo mode. See the feature preview below for what's available in production."
+        )
+
+
+# Request/Response models
+class OAuthCallbackRequest(BaseModel):
+    code: str
+    state: str
+
+
+class FolderConfigRequest(BaseModel):
+    staging_folder_id: str
+    staging_folder_name: str
+    processed_folder_id: str
+    processed_folder_name: str
+    sync_interval_minutes: int = 60
+
+
+class ConnectionStatus(BaseModel):
+    is_configured: bool
+    is_connected: bool
+    is_active: bool
+    box_user_name: Optional[str] = None
+    box_user_email: Optional[str] = None
+    staging_folder_name: Optional[str] = None
+    processed_folder_name: Optional[str] = None
+    sync_interval_minutes: int = 60
+    last_sync: Optional[str] = None
+    last_sync_status: Optional[str] = None
+    last_sync_message: Optional[str] = None
+    files_processed_count: int = 0
+    # Backup config
+    backup_folder_id: Optional[str] = None
+    backup_folder_name: Optional[str] = None
+    backup_enabled: bool = False
+    backup_schedule: Optional[str] = None
+    backup_time: Optional[str] = None
+    last_backup: Optional[str] = None
+    last_backup_status: Optional[str] = None
+    last_backup_message: Optional[str] = None
+
+
+class BackupConfigRequest(BaseModel):
+    backup_folder_id: str
+    backup_folder_name: str
+    backup_enabled: bool = True
+    backup_schedule: str = "manual"  # manual, daily, weekly
+    backup_time: Optional[str] = None  # HH:MM format for scheduled backups
+
+
+@router.get("/status")
+def get_box_status(admin: AdminUser, db: DbSession) -> ConnectionStatus:
+    """Get Box connection status including backup configuration."""
+    box_service = BoxService(db)
+    connection = box_service.get_connection()
+
+    if not connection:
+        return ConnectionStatus(
+            is_configured=is_box_configured(),
+            is_connected=False,
+            is_active=False
+        )
+
+    return ConnectionStatus(
+        is_configured=is_box_configured(),
+        is_connected=True,
+        is_active=connection.is_active,
+        box_user_name=connection.box_user_name,
+        box_user_email=connection.box_user_email,
+        staging_folder_name=connection.staging_folder_name,
+        processed_folder_name=connection.processed_folder_name,
+        sync_interval_minutes=connection.sync_interval_minutes,
+        last_sync=connection.last_sync.isoformat() if connection.last_sync else None,
+        last_sync_status=connection.last_sync_status,
+        last_sync_message=connection.last_sync_message,
+        files_processed_count=connection.files_processed_count,
+        # Backup fields
+        backup_folder_id=connection.backup_folder_id,
+        backup_folder_name=connection.backup_folder_name,
+        backup_enabled=connection.backup_enabled,
+        backup_schedule=connection.backup_schedule,
+        backup_time=connection.backup_time,
+        last_backup=connection.last_backup.isoformat() if connection.last_backup else None,
+        last_backup_status=connection.last_backup_status,
+        last_backup_message=connection.last_backup_message
+    )
+
+
+@router.get("/auth-url")
+def get_auth_url(admin: AdminUser, db: DbSession):
+    """Get Box OAuth authorization URL."""
+    check_demo_mode()
+    if not is_box_configured():
+        raise HTTPException(
+            status_code=status.HTTP_400_BAD_REQUEST,
+            detail="Box OAuth not configured. Set BOX_CLIENT_ID and BOX_CLIENT_SECRET in .env"
+        )
+
+    box_service = BoxService(db)
+    try:
+        result = box_service.get_oauth_url()
+        return result
+    except ValueError as e:
+        raise HTTPException(status_code=status.HTTP_400_BAD_REQUEST, detail=str(e))
+
+
+@router.post("/callback")
+def oauth_callback(request: OAuthCallbackRequest, admin: AdminUser, db: DbSession):
+    """Handle Box OAuth callback - exchange code for tokens."""
+    box_service = BoxService(db)
+
+    try:
+        connection = box_service.exchange_code(request.code, request.state)
+
+        # Log audit event
+        audit = AuditLog(
+            user_id=admin.id,
+            action='box_connect',
+            resource_type='box_connection',
+            resource_id=connection.id,
+            details={
+                'box_user_email': connection.box_user_email,
+                'box_user_name': connection.box_user_name
+            }
+        )
+        db.add(audit)
+        db.commit()
+
+        return {
+            'success': True,
+            'message': f'Connected to Box as {connection.box_user_name}',
+            'user_name': connection.box_user_name,
+            'user_email': connection.box_user_email
+        }
+    except ValueError as e:
+        raise HTTPException(status_code=status.HTTP_400_BAD_REQUEST, detail=str(e))
+
+
+@router.get("/folders")
+def list_folders(admin: AdminUser, db: DbSession, folder_id: str = '0'):
+    """List folders in Box (for folder picker)."""
+    box_service = BoxService(db)
+
+    try:
+        folders = box_service.list_folders(folder_id)
+        return {'folders': folders, 'parent_id': folder_id}
+    except ValueError as e:
+        raise HTTPException(status_code=status.HTTP_400_BAD_REQUEST, detail=str(e))
+
+
+@router.post("/configure")
+def configure_folders(request: FolderConfigRequest, admin: AdminUser, db: DbSession):
+    """Configure Box folders for staging and processed files."""
+    box_service = BoxService(db)
+
+    try:
+        connection = box_service.update_folder_config(
+            staging_folder_id=request.staging_folder_id,
+            staging_folder_name=request.staging_folder_name,
+            processed_folder_id=request.processed_folder_id,
+            processed_folder_name=request.processed_folder_name,
+            sync_interval_minutes=request.sync_interval_minutes
+        )
+
+        # Update scheduler with new interval
+        update_sync_schedule(request.sync_interval_minutes)
+
+        # Log audit event
+        audit = AuditLog(
+            user_id=admin.id,
+            action='box_configure',
+            resource_type='box_connection',
+            resource_id=connection.id,
+            details={
+                'staging_folder': request.staging_folder_name,
+                'processed_folder': request.processed_folder_name,
+                'sync_interval': request.sync_interval_minutes
+            }
+        )
+        db.add(audit)
+        db.commit()
+
+        return {
+            'success': True,
+            'message': 'Box folders configured successfully',
+            'is_active': connection.is_active
+        }
+    except ValueError as e:
+        raise HTTPException(status_code=status.HTTP_400_BAD_REQUEST, detail=str(e))
+
+
+@router.post("/disconnect")
+def disconnect_box(admin: AdminUser, db: DbSession):
+    """Disconnect Box account."""
+    box_service = BoxService(db)
+
+    # Log before disconnect to capture connection details
+    connection = box_service.get_connection()
+    if connection:
+        audit = AuditLog(
+            user_id=admin.id,
+            action='box_disconnect',
+            resource_type='box_connection',
+            resource_id=connection.id,
+            details={
+                'box_user_email': connection.box_user_email
+            }
+        )
+        db.add(audit)
+
+    if box_service.disconnect():
+        # Stop scheduler
+        stop_scheduler()
+        db.commit()
+        return {'success': True, 'message': 'Box disconnected'}
+
+    raise HTTPException(status_code=status.HTTP_404_NOT_FOUND, detail="No Box connection found")
+
+
+@router.post("/sync")
+def trigger_sync(admin: AdminUser, db: DbSession):
+    """Manually trigger Box sync."""
+    status_info = get_sync_status()
+
+    if not status_info.get('is_connected'):
+        raise HTTPException(
+            status_code=status.HTTP_400_BAD_REQUEST,
+            detail="No Box connection available"
+        )
+
+    if not status_info.get('is_active'):
+        raise HTTPException(
+            status_code=status.HTTP_400_BAD_REQUEST,
+            detail="Box connection not active. Please configure folders first."
+        )
+
+    # Log sync trigger
+    box_service = BoxService(db)
+    connection = box_service.get_connection()
+    if connection:
+        audit = AuditLog(
+            user_id=admin.id,
+            action='box_sync_manual',
+            resource_type='box_connection',
+            resource_id=connection.id
+        )
+        db.add(audit)
+        db.commit()
+
+    # Run sync
+    result = run_box_sync(force=True)
+
+    return result
+
+
+@router.get("/sync-status")
+def get_current_sync_status(admin: AdminUser, db: DbSession):
+    """Get current sync worker status."""
+    return get_sync_status()
+
+
+@router.get("/logs")
+def get_sync_logs(admin: AdminUser, db: DbSession, limit: int = 20):
+    """Get recent sync logs."""
+    box_service = BoxService(db)
+    logs = box_service.get_sync_logs(limit)
+
+    return {
+        'logs': [
+            {
+                'id': log.id,
+                'started_at': log.started_at.isoformat() if log.started_at else None,
+                'completed_at': log.completed_at.isoformat() if log.completed_at else None,
+                'status': log.status,
+                'files_found': log.files_found,
+                'files_processed': log.files_processed,
+                'files_failed': log.files_failed,
+                'records_imported': log.records_imported,
+                'error_message': log.error_message
+            }
+            for log in logs
+        ]
+    }
+
+
+# ============== Database Backup to Box ==============
+
+@router.post("/backup/configure")
+def configure_backup(request: BackupConfigRequest, admin: AdminUser, db: DbSession):
+    """Configure database backup to Box."""
+    box_service = BoxService(db)
+    connection = box_service.get_connection()
+
+    if not connection:
+        raise HTTPException(
+            status_code=status.HTTP_400_BAD_REQUEST,
+            detail="No Box connection available. Please connect to Box first."
+        )
+
+    # Update backup configuration
+    connection.backup_folder_id = request.backup_folder_id
+    connection.backup_folder_name = request.backup_folder_name
+    connection.backup_enabled = request.backup_enabled
+    connection.backup_schedule = request.backup_schedule
+    connection.backup_time = request.backup_time
+
+    db.commit()
+
+    # Update backup scheduler if enabled
+    from backend.services.box_worker import update_backup_schedule
+    if request.backup_enabled and request.backup_schedule != "manual":
+        update_backup_schedule(request.backup_schedule, request.backup_time)
+    else:
+        # Disable backup scheduler
+        update_backup_schedule(None, None)
+
+    # Audit log
+    audit = AuditLog(
+        user_id=admin.id,
+        action='backup_configured',
+        resource_type='box_connection',
+        resource_id=connection.id,
+        details={
+            'backup_folder': request.backup_folder_name,
+            'schedule': request.backup_schedule,
+            'enabled': request.backup_enabled
+        }
+    )
+    db.add(audit)
+    db.commit()
+
+    return {
+        'success': True,
+        'message': 'Backup configuration saved',
+        'backup_enabled': connection.backup_enabled,
+        'backup_schedule': connection.backup_schedule
+    }
+
+
+@router.post("/backup/run")
+def run_backup(admin: AdminUser, db: DbSession):
+    """Manually trigger database backup to Box."""
+    box_service = BoxService(db)
+    connection = box_service.get_connection()
+
+    if not connection:
+        raise HTTPException(
+            status_code=status.HTTP_400_BAD_REQUEST,
+            detail="No Box connection available"
+        )
+
+    if not connection.backup_folder_id:
+        raise HTTPException(
+            status_code=status.HTTP_400_BAD_REQUEST,
+            detail="Backup folder not configured. Please select a backup folder first."
+        )
+
+    # Run backup
+    from backend.services.box_worker import run_database_backup
+    result = run_database_backup(triggered_by=admin.email)
+
+    # Audit log
+    audit = AuditLog(
+        user_id=admin.id,
+        action='backup_manual',
+        resource_type='database',
+        details={
+            'status': result.get('status'),
+            'backup_folder': connection.backup_folder_name,
+            'filename': result.get('filename')
+        }
+    )
+    db.add(audit)
+    db.commit()
+
+    return result
+
+
+@router.delete("/backup/configure")
+def disable_backup(admin: AdminUser, db: DbSession):
+    """Disable database backup to Box."""
+    box_service = BoxService(db)
+    connection = box_service.get_connection()
+
+    if not connection:
+        raise HTTPException(
+            status_code=status.HTTP_404_NOT_FOUND,
+            detail="No Box connection found"
+        )
+
+    # Clear backup configuration
+    connection.backup_folder_id = None
+    connection.backup_folder_name = None
+    connection.backup_enabled = False
+    connection.backup_schedule = None
+    connection.backup_time = None
+
+    db.commit()
+
+    # Disable backup scheduler
+    from backend.services.box_worker import update_backup_schedule
+    update_backup_schedule(None, None)
+
+    # Audit log
+    audit = AuditLog(
+        user_id=admin.id,
+        action='backup_disabled',
+        resource_type='box_connection',
+        resource_id=connection.id
+    )
+    db.add(audit)
+    db.commit()
+
+    return {'success': True, 'message': 'Backup disabled'}

backend/api/groups.py

@@ -0,0 +1,337 @@
+from fastapi import APIRouter, HTTPException, status, Request
+from backend.core.dependencies import DbSession, AdminUser
+from backend.schemas.group import (
+    GroupCreate, GroupUpdate, GroupResponse, GroupDetailResponse,
+    GroupMemberResponse, GroupSiteResponse,
+    AssignUserToGroupRequest, AssignSiteToGroupRequest
+)
+from backend.models import Group, User, Site, UserGroup, GroupSite, AuditLog
+
+router = APIRouter()
+
+
+@router.get("", response_model=list[GroupResponse])
+def list_groups(db: DbSession, admin: AdminUser):
+    groups = db.query(Group).all()
+    return [
+        GroupResponse(
+            id=g.id,
+            name=g.name,
+            description=g.description,
+            created_at=g.created_at,
+            updated_at=g.updated_at,
+            member_count=len(g.members),
+            site_count=len(g.sites)
+        )
+        for g in groups
+    ]
+
+
+@router.post("", response_model=GroupResponse, status_code=status.HTTP_201_CREATED)
+def create_group(group_data: GroupCreate, db: DbSession, admin: AdminUser, request: Request):
+    existing = db.query(Group).filter(Group.name == group_data.name).first()
+    if existing:
+        raise HTTPException(
+            status_code=status.HTTP_400_BAD_REQUEST,
+            detail="Group with this name already exists"
+        )
+    group = Group(name=group_data.name, description=group_data.description)
+    db.add(group)
+    db.commit()
+    db.refresh(group)
+
+    # Audit log
+    audit = AuditLog(
+        user_id=admin.id,
+        action="group_created",
+        resource_type="group",
+        resource_id=group.id,
+        details={"name": group.name, "description": group.description},
+        ip_address=request.client.host if request.client else None
+    )
+    db.add(audit)
+    db.commit()
+
+    return GroupResponse(
+        id=group.id,
+        name=group.name,
+        description=group.description,
+        created_at=group.created_at,
+        updated_at=group.updated_at,
+        member_count=0,
+        site_count=0
+    )
+
+
+@router.get("/{group_id}", response_model=GroupDetailResponse)
+def get_group(group_id: str, db: DbSession, admin: AdminUser):
+    group = db.query(Group).filter(Group.id == group_id).first()
+    if not group:
+        raise HTTPException(
+            status_code=status.HTTP_404_NOT_FOUND,
+            detail="Group not found"
+        )
+
+    members = [
+        GroupMemberResponse(
+            user_id=ug.user.id,
+            email=ug.user.email,
+            full_name=ug.user.full_name,
+            role=ug.role
+        )
+        for ug in group.members
+    ]
+
+    sites = [
+        GroupSiteResponse(
+            site_id=gs.site.id,
+            site_code=gs.site.site_code,
+            site_name=gs.site.name
+        )
+        for gs in group.sites
+    ]
+
+    return GroupDetailResponse(
+        id=group.id,
+        name=group.name,
+        description=group.description,
+        created_at=group.created_at,
+        updated_at=group.updated_at,
+        member_count=len(members),
+        site_count=len(sites),
+        members=members,
+        sites=sites
+    )
+
+
+@router.put("/{group_id}", response_model=GroupResponse)
+def update_group(group_id: str, group_data: GroupUpdate, db: DbSession, admin: AdminUser, request: Request):
+    group = db.query(Group).filter(Group.id == group_id).first()
+    if not group:
+        raise HTTPException(
+            status_code=status.HTTP_404_NOT_FOUND,
+            detail="Group not found"
+        )
+
+    changes = {}
+    old_name = group.name
+
+    if group_data.name is not None:
+        # Check for duplicate name
+        existing = db.query(Group).filter(Group.name == group_data.name, Group.id != group_id).first()
+        if existing:
+            raise HTTPException(
+                status_code=status.HTTP_400_BAD_REQUEST,
+                detail="Group with this name already exists"
+            )
+        if group_data.name != group.name:
+            changes["name"] = {"old": group.name, "new": group_data.name}
+        group.name = group_data.name
+    if group_data.description is not None:
+        if group_data.description != group.description:
+            changes["description"] = {"old": group.description, "new": group_data.description}
+        group.description = group_data.description
+
+    db.commit()
+    db.refresh(group)
+
+    # Audit log
+    if changes:
+        audit = AuditLog(
+            user_id=admin.id,
+            action="group_updated",
+            resource_type="group",
+            resource_id=group.id,
+            details={"group_name": old_name, "changes": changes},
+            ip_address=request.client.host if request.client else None
+        )
+        db.add(audit)
+        db.commit()
+
+    return GroupResponse(
+        id=group.id,
+        name=group.name,
+        description=group.description,
+        created_at=group.created_at,
+        updated_at=group.updated_at,
+        member_count=len(group.members),
+        site_count=len(group.sites)
+    )
+
+
+@router.delete("/{group_id}", status_code=status.HTTP_204_NO_CONTENT)
+def delete_group(group_id: str, db: DbSession, admin: AdminUser, request: Request):
+    group = db.query(Group).filter(Group.id == group_id).first()
+    if not group:
+        raise HTTPException(
+            status_code=status.HTTP_404_NOT_FOUND,
+            detail="Group not found"
+        )
+
+    # Audit log before deletion
+    audit = AuditLog(
+        user_id=admin.id,
+        action="group_deleted",
+        resource_type="group",
+        resource_id=group.id,
+        details={"name": group.name, "member_count": len(group.members), "site_count": len(group.sites)},
+        ip_address=request.client.host if request.client else None
+    )
+    db.add(audit)
+
+    db.delete(group)
+    db.commit()
+
+
+@router.post("/{group_id}/users", status_code=status.HTTP_201_CREATED)
+def assign_user_to_group(group_id: str, data: AssignUserToGroupRequest, db: DbSession, admin: AdminUser, request: Request):
+    group = db.query(Group).filter(Group.id == group_id).first()
+    if not group:
+        raise HTTPException(status_code=status.HTTP_404_NOT_FOUND, detail="Group not found")
+
+    user = db.query(User).filter(User.id == data.user_id).first()
+    if not user:
+        raise HTTPException(status_code=status.HTTP_404_NOT_FOUND, detail="User not found")
+
+    existing = db.query(UserGroup).filter(
+        UserGroup.user_id == data.user_id,
+        UserGroup.group_id == group_id
+    ).first()
+
+    action = "user_role_updated" if existing else "user_assigned_to_group"
+    old_role = existing.role if existing else None
+
+    if existing:
+        existing.role = data.role
+    else:
+        ug = UserGroup(user_id=data.user_id, group_id=group_id, role=data.role)
+        db.add(ug)
+
+    db.commit()
+
+    # Audit log
+    details = {
+        "user_email": user.email,
+        "group_name": group.name,
+        "role": data.role
+    }
+    if old_role:
+        details["old_role"] = old_role
+
+    audit = AuditLog(
+        user_id=admin.id,
+        action=action,
+        resource_type="user_group",
+        resource_id=f"{user.id}:{group.id}",
+        details=details,
+        ip_address=request.client.host if request.client else None
+    )
+    db.add(audit)
+    db.commit()
+
+    return {"message": "User assigned to group"}
+
+
+@router.delete("/{group_id}/users/{user_id}", status_code=status.HTTP_204_NO_CONTENT)
+def remove_user_from_group(group_id: str, user_id: str, db: DbSession, admin: AdminUser, request: Request):
+    ug = db.query(UserGroup).filter(
+        UserGroup.user_id == user_id,
+        UserGroup.group_id == group_id
+    ).first()
+    if not ug:
+        raise HTTPException(status_code=status.HTTP_404_NOT_FOUND, detail="User not in group")
+
+    # Get names for audit log
+    user = db.query(User).filter(User.id == user_id).first()
+    group = db.query(Group).filter(Group.id == group_id).first()
+
+    # Audit log before deletion
+    audit = AuditLog(
+        user_id=admin.id,
+        action="user_removed_from_group",
+        resource_type="user_group",
+        resource_id=f"{user_id}:{group_id}",
+        details={
+            "user_email": user.email if user else user_id,
+            "group_name": group.name if group else group_id,
+            "role": ug.role
+        },
+        ip_address=request.client.host if request.client else None
+    )
+    db.add(audit)
+
+    db.delete(ug)
+    db.commit()
+
+
+@router.post("/{group_id}/sites", status_code=status.HTTP_201_CREATED)
+def assign_site_to_group(group_id: str, data: AssignSiteToGroupRequest, db: DbSession, admin: AdminUser, request: Request):
+    group = db.query(Group).filter(Group.id == group_id).first()
+    if not group:
+        raise HTTPException(status_code=status.HTTP_404_NOT_FOUND, detail="Group not found")
+
+    site = db.query(Site).filter(Site.id == data.site_id).first()
+    if not site:
+        raise HTTPException(status_code=status.HTTP_404_NOT_FOUND, detail="Site not found")
+
+    existing = db.query(GroupSite).filter(
+        GroupSite.site_id == data.site_id,
+        GroupSite.group_id == group_id
+    ).first()
+
+    if existing:
+        return {"message": "Site already in group"}
+
+    gs = GroupSite(site_id=data.site_id, group_id=group_id)
+    db.add(gs)
+    db.commit()
+
+    # Audit log
+    audit = AuditLog(
+        user_id=admin.id,
+        action="site_assigned_to_group",
+        resource_type="group_site",
+        resource_id=f"{group.id}:{site.id}",
+        details={
+            "site_code": site.site_code,
+            "site_name": site.name,
+            "group_name": group.name
+        },
+        ip_address=request.client.host if request.client else None
+    )
+    db.add(audit)
+    db.commit()
+
+    return {"message": "Site assigned to group"}
+
+
+@router.delete("/{group_id}/sites/{site_id}", status_code=status.HTTP_204_NO_CONTENT)
+def remove_site_from_group(group_id: str, site_id: str, db: DbSession, admin: AdminUser, request: Request):
+    gs = db.query(GroupSite).filter(
+        GroupSite.site_id == site_id,
+        GroupSite.group_id == group_id
+    ).first()
+    if not gs:
+        raise HTTPException(status_code=status.HTTP_404_NOT_FOUND, detail="Site not in group")
+
+    # Get names for audit log
+    site = db.query(Site).filter(Site.id == site_id).first()
+    group = db.query(Group).filter(Group.id == group_id).first()
+
+    # Audit log before deletion
+    audit = AuditLog(
+        user_id=admin.id,
+        action="site_removed_from_group",
+        resource_type="group_site",
+        resource_id=f"{group_id}:{site_id}",
+        details={
+            "site_code": site.site_code if site else site_id,
+            "site_name": site.name if site else None,
+            "group_name": group.name if group else group_id
+        },
+        ip_address=request.client.host if request.client else None
+    )
+    db.add(audit)
+
+    db.delete(gs)
+    db.commit()

backend/api/pipeline.py

@@ -0,0 +1,267 @@
+"""Pipeline API endpoints for file upload and processing."""
+from fastapi import APIRouter, HTTPException, UploadFile, File, status
+from fastapi.responses import FileResponse, StreamingResponse
+from typing import Optional
+import shutil
+import io
+from datetime import datetime
+from pathlib import Path
+
+from backend.core.dependencies import DbSession, AdminUser
+from backend.schemas.pipeline import (
+    FileInfo, FileUploadResponse, ProcessingResult,
+    PipelineStatus, ProcessRequest, DatabaseExportResponse
+)
+from backend.services import pipeline_worker
+from backend.config import settings
+from backend.models import User, Group, Site, SensorData, AuditLog, FileArchive
+
+
+router = APIRouter()
+
+
+@router.get("/status", response_model=PipelineStatus)
+def get_pipeline_status(admin: AdminUser):
+    """Get current pipeline status including staging and processed files."""
+    status_data = pipeline_worker.get_pipeline_status()
+    return PipelineStatus(
+        staging_files=[FileInfo(**f) for f in status_data['staging_files']],
+        processed_files=[FileInfo(**f) for f in status_data['processed_files']],
+        is_processing=status_data['is_processing'],
+        last_run=status_data['last_run']
+    )
+
+
+@router.post("/upload", response_model=FileUploadResponse)
+async def upload_file(
+    file: UploadFile = File(...),
+    admin: AdminUser = None,
+    db: DbSession = None
+):
+    """Upload a CSV file to the staging directory."""
+    # Validate file type
+    if not file.filename or not file.filename.lower().endswith('.csv'):
+        raise HTTPException(
+            status_code=status.HTTP_400_BAD_REQUEST,
+            detail="Only CSV files are allowed"
+        )
+
+    # Read file content
+    content = await file.read()
+
+    # Check file size (max 100MB)
+    if len(content) > 100 * 1024 * 1024:
+        raise HTTPException(
+            status_code=status.HTTP_400_BAD_REQUEST,
+            detail="File too large. Maximum size is 100MB"
+        )
+
+    # Save to staging
+    filepath = pipeline_worker.save_uploaded_file(content, file.filename)
+
+    # Log audit event
+    audit = AuditLog(
+        user_id=admin.id,
+        action='file_upload',
+        resource_type='pipeline',
+        details={'filename': filepath.name, 'size': len(content)}
+    )
+    db.add(audit)
+    db.commit()
+
+    return FileUploadResponse(
+        filename=filepath.name,
+        size=len(content),
+        message="File uploaded to staging successfully"
+    )
+
+
+@router.post("/process", response_model=list[ProcessingResult])
+def process_files(
+    request: ProcessRequest,
+    admin: AdminUser,
+    db: DbSession
+):
+    """Process files from staging directory."""
+    results = pipeline_worker.process_all_staging_files(
+        db,
+        user_id=admin.id,
+        filenames=request.filenames
+    )
+
+    return [ProcessingResult(**r) for r in results]
+
+
+@router.delete("/staging/{filename}")
+def delete_staging_file(filename: str, admin: AdminUser, db: DbSession):
+    """Delete a file from staging directory."""
+    if pipeline_worker.delete_staging_file(filename):
+        # Log audit
+        audit = AuditLog(
+            user_id=admin.id,
+            action='file_delete',
+            resource_type='staging',
+            details={'filename': filename}
+        )
+        db.add(audit)
+        db.commit()
+        return {"message": f"Deleted {filename} from staging"}
+
+    raise HTTPException(
+        status_code=status.HTTP_404_NOT_FOUND,
+        detail="File not found in staging"
+    )
+
+
+@router.delete("/processed/{filename}")
+def delete_processed_file(filename: str, admin: AdminUser, db: DbSession):
+    """Delete a file from processed directory."""
+    if pipeline_worker.delete_processed_file(filename):
+        # Log audit
+        audit = AuditLog(
+            user_id=admin.id,
+            action='file_delete',
+            resource_type='processed',
+            details={'filename': filename}
+        )
+        db.add(audit)
+        db.commit()
+        return {"message": f"Deleted {filename} from processed"}
+
+    raise HTTPException(
+        status_code=status.HTTP_404_NOT_FOUND,
+        detail="File not found in processed"
+    )
+
+
+@router.get("/database/export")
+def export_database(admin: AdminUser, db: DbSession):
+    """Export the entire database as a downloadable SQLite file."""
+    # Get database path
+    db_path = Path(settings.database_url.replace("sqlite:///", ""))
+
+    if not db_path.exists():
+        raise HTTPException(
+            status_code=status.HTTP_404_NOT_FOUND,
+            detail="Database file not found"
+        )
+
+    # Get table counts for metadata - dynamically query all tables
+    from sqlalchemy import inspect, text
+    inspector = inspect(db.get_bind())
+    table_names = inspector.get_table_names()
+    table_counts = {}
+    for table_name in sorted(table_names):
+        result = db.execute(text(f"SELECT COUNT(*) FROM {table_name}"))
+        table_counts[table_name] = result.scalar()
+
+    # Log audit
+    audit = AuditLog(
+        user_id=admin.id,
+        action='database_export',
+        resource_type='database',
+        details={'table_counts': table_counts}
+    )
+    db.add(audit)
+    db.commit()
+
+    # Return file as download
+    timestamp = datetime.now().strftime('%Y%m%d_%H%M%S')
+    filename = f"csg_dashboard_backup_{timestamp}.db"
+
+    return FileResponse(
+        path=str(db_path),
+        filename=filename,
+        media_type='application/octet-stream'
+    )
+
+
+@router.get("/database/stats")
+def get_database_stats(admin: AdminUser, db: DbSession):
+    """Get database statistics - dynamically lists all tables."""
+    db_path = Path(settings.database_url.replace("sqlite:///", ""))
+
+    # Dynamically get all table counts
+    from sqlalchemy import inspect, text
+    inspector = inspect(db.get_bind())
+    table_names = inspector.get_table_names()
+    tables = {}
+    for table_name in sorted(table_names):
+        result = db.execute(text(f"SELECT COUNT(*) FROM {table_name}"))
+        tables[table_name] = result.scalar()
+
+    stats = {
+        'file_size': db_path.stat().st_size if db_path.exists() else 0,
+        'tables': tables
+    }
+    return stats
+
+
+@router.post("/database/import")
+async def import_database(
+    file: UploadFile = File(...),
+    admin: AdminUser = None,
+    db: DbSession = None
+):
+    """
+    Import/restore a database from a backup file.
+    WARNING: This will replace ALL existing data!
+    Supports both encrypted (SQLCipher) and unencrypted SQLite databases.
+    """
+    # Validate file type
+    if not file.filename or not file.filename.lower().endswith('.db'):
+        raise HTTPException(
+            status_code=status.HTTP_400_BAD_REQUEST,
+            detail="Only .db files are allowed"
+        )
+
+    # Read file content
+    content = await file.read()
+
+    # Validate file size (must be at least 100 bytes for a valid SQLCipher db)
+    if len(content) < 100:
+        raise HTTPException(
+            status_code=status.HTTP_400_BAD_REQUEST,
+            detail="File too small to be a valid database"
+        )
+
+    # Only accept encrypted (SQLCipher) databases
+    # Unencrypted SQLite files start with "SQLite format 3" - reject these
+    if content.startswith(b'SQLite format 3'):
+        raise HTTPException(
+            status_code=status.HTTP_400_BAD_REQUEST,
+            detail="Unencrypted database not allowed. Only encrypted (SQLCipher) backups can be imported."
+        )
+
+    # Get database path
+    db_path = Path(settings.database_url.replace("sqlite:///", ""))
+
+    # Create backup of current database
+    backup_path = db_path.parent / f"pre_import_backup_{datetime.now().strftime('%Y%m%d_%H%M%S')}.db"
+    if db_path.exists():
+        shutil.copy(str(db_path), str(backup_path))
+
+    # Close current connection (this is important!)
+    # Note: In production, you'd want to properly close all connections
+    db.close()
+
+    try:
+        # Write new database
+        with open(db_path, 'wb') as f:
+            f.write(content)
+
+        return {
+            "message": "Database imported successfully",
+            "backup_created": str(backup_path),
+            "imported_size": len(content),
+            "restart_required": True
+        }
+
+    except Exception as e:
+        # Restore backup on error
+        if backup_path.exists():
+            shutil.copy(str(backup_path), str(db_path))
+        raise HTTPException(
+            status_code=status.HTTP_500_INTERNAL_SERVER_ERROR,
+            detail=f"Import failed: {str(e)}. Original database restored."
+        )

backend/api/sensors.py

@@ -0,0 +1,97 @@
+from datetime import datetime, timedelta
+from fastapi import APIRouter, HTTPException, Query
+from backend.core.dependencies import DbSession, AccessContext
+from backend.schemas.sensor import SensorDataResponse, SensorDataPoint
+from backend.models import SensorData, Site
+
+router = APIRouter()
+
+
+@router.get("/data", response_model=SensorDataResponse)
+def get_sensor_data(
+    db: DbSession,
+    access: AccessContext,
+    sites: list[str] = Query(..., description="Site codes to query"),
+    parameters: list[str] = Query(..., description="Parameter names to retrieve"),
+    start: datetime | None = Query(None, description="Start datetime"),
+    end: datetime | None = Query(None, description="End datetime")
+):
+    """Get sensor data for specified sites and parameters."""
+    # Validate user has access to all requested sites
+    for site_code in sites:
+        access.require_site_access(site_code=site_code)
+
+    # Default to last 7 days if no range specified
+    if end is None:
+        end = datetime.utcnow()
+    if start is None:
+        start = end - timedelta(days=7)
+
+    # Get site IDs from codes
+    site_records = db.query(Site).filter(Site.site_code.in_(sites)).all()
+    site_id_map = {s.site_code: s.id for s in site_records}
+    site_ids = list(site_id_map.values())
+
+    # Query sensor data
+    query = db.query(SensorData).filter(
+        SensorData.site_id.in_(site_ids),
+        SensorData.timestamp >= start,
+        SensorData.timestamp <= end
+    ).order_by(SensorData.timestamp)
+
+    data_records = query.all()
+
+    # Build response
+    data_points = []
+    for record in data_records:
+        # Get site code from site_id
+        site_code = next((code for code, sid in site_id_map.items() if sid == record.site_id), None)
+        if not site_code:
+            continue
+
+        # Extract requested parameters from JSON data
+        values = {}
+        for param in parameters:
+            values[param] = record.data.get(param)
+
+        data_points.append(SensorDataPoint(
+            timestamp=record.timestamp,
+            site_code=site_code,
+            values=values
+        ))
+
+    return SensorDataResponse(
+        data=data_points,
+        sites=sites,
+        parameters=parameters,
+        count=len(data_points)
+    )
+
+
+@router.get("/latest")
+def get_latest_data(
+    db: DbSession,
+    access: AccessContext,
+    sites: list[str] = Query(..., description="Site codes to query")
+):
+    """Get the most recent data point for each site."""
+    # Validate user has access to all requested sites
+    for site_code in sites:
+        access.require_site_access(site_code=site_code)
+
+    site_records = db.query(Site).filter(Site.site_code.in_(sites)).all()
+    site_id_map = {s.id: s.site_code for s in site_records}
+
+    results = {}
+    for site_id, site_code in site_id_map.items():
+        latest = db.query(SensorData).filter(
+            SensorData.site_id == site_id
+        ).order_by(SensorData.timestamp.desc()).first()
+
+        if latest:
+            results[site_code] = {
+                "timestamp": latest.timestamp,
+                "data": latest.data
+            }
+
+    return results

backend/api/sites.py

@@ -0,0 +1,129 @@
+from fastapi import APIRouter, HTTPException, status
+from backend.core.dependencies import DbSession, AccessContext
+from backend.schemas.site import SiteResponse, CropResponse, EquipmentGroupResponse, ParameterResponse
+from backend.models import Site, Crop, EquipmentGroup, Parameter
+
+router = APIRouter()
+
+
+@router.get("", response_model=list[SiteResponse])
+def list_sites(db: DbSession, access: AccessContext):
+    """List sites accessible to the current user."""
+    if access.is_admin:
+        sites = db.query(Site).filter(Site.is_active == True).all()
+    else:
+        if not access.site_ids:
+            return []
+        sites = db.query(Site).filter(Site.id.in_(access.site_ids)).all()
+
+    return [
+        SiteResponse(
+            id=s.id,
+            site_code=s.site_code,
+            name=s.name,
+            crop_id=s.crop_id,
+            crop_name=s.crop.display_name if s.crop else None,
+            latitude=s.latitude,
+            longitude=s.longitude,
+            is_active=s.is_active
+        )
+        for s in sites
+    ]
+
+
+@router.get("/crops", response_model=list[CropResponse])
+def list_crops(db: DbSession, access: AccessContext):
+    """List crops that appear in the user's accessible sites."""
+    if access.is_admin:
+        crops = db.query(Crop).all()
+    else:
+        if not access.crop_ids:
+            return []
+        crops = db.query(Crop).filter(Crop.id.in_(access.crop_ids)).all()
+
+    return [CropResponse.model_validate(c) for c in crops]
+
+
+@router.get("/equipment-groups", response_model=list[EquipmentGroupResponse])
+def list_equipment_groups(db: DbSession, access: AccessContext, crop_id: str | None = None):
+    """List equipment groups for crops accessible to the current user."""
+    if access.is_admin:
+        query = db.query(EquipmentGroup)
+    else:
+        if not access.crop_ids:
+            return []
+        query = db.query(EquipmentGroup).filter(EquipmentGroup.crop_id.in_(access.crop_ids))
+
+    if crop_id:
+        # Validate user has access to this crop
+        if not access.is_admin and crop_id not in access.crop_ids:
+            return []
+        query = query.filter(EquipmentGroup.crop_id == crop_id)
+
+    groups = query.all()
+    return [EquipmentGroupResponse.model_validate(g) for g in groups]
+
+
+@router.get("/parameters", response_model=list[ParameterResponse])
+def list_parameters(
+    db: DbSession,
+    access: AccessContext,
+    crop_id: str | None = None,
+    equipment_group_id: str | None = None
+):
+    """List parameters for crops accessible to the current user."""
+    if access.is_admin:
+        query = db.query(Parameter)
+    else:
+        if not access.crop_ids:
+            return []
+        query = db.query(Parameter).filter(Parameter.crop_id.in_(access.crop_ids))
+
+    if crop_id:
+        # Validate user has access to this crop
+        if not access.is_admin and crop_id not in access.crop_ids:
+            return []
+        query = query.filter(Parameter.crop_id == crop_id)
+
+    if equipment_group_id:
+        query = query.filter(Parameter.equipment_group_id == equipment_group_id)
+
+    params = query.all()
+    return [
+        ParameterResponse(
+            id=p.id,
+            name=p.name,
+            display_name=p.display_name,
+            unit=p.unit,
+            equipment_group_id=p.equipment_group_id,
+            equipment_group_name=p.equipment_group.name if p.equipment_group else None,
+            min_range=p.min_range,
+            max_range=p.max_range
+        )
+        for p in params
+    ]
+
+
+@router.get("/{site_code}", response_model=SiteResponse)
+def get_site(site_code: str, db: DbSession, access: AccessContext):
+    """Get a specific site by code."""
+    site = db.query(Site).filter(Site.site_code == site_code).first()
+    if not site:
+        raise HTTPException(
+            status_code=status.HTTP_404_NOT_FOUND,
+            detail="Site not found"
+        )
+
+    # Use the access context to validate
+    access.require_site_access(site_code=site_code)
+
+    return SiteResponse(
+        id=site.id,
+        site_code=site.site_code,
+        name=site.name,
+        crop_id=site.crop_id,
+        crop_name=site.crop.display_name if site.crop else None,
+        latitude=site.latitude,
+        longitude=site.longitude,
+        is_active=site.is_active
+    )

backend/api/users.py

@@ -0,0 +1,227 @@
+from fastapi import APIRouter, HTTPException, status, Request
+from backend.core.dependencies import DbSession, AdminUser
+from backend.schemas.user import UserCreate, UserUpdate, UserResponse
+from backend.services.auth import create_user, get_user_by_email
+from backend.models import User, AuditLog
+
+router = APIRouter()
+
+
+@router.get("", response_model=list[UserResponse])
+def list_users(db: DbSession, admin: AdminUser):
+    users = db.query(User).all()
+    return [
+        UserResponse(
+            id=u.id,
+            email=u.email,
+            full_name=u.full_name,
+            is_admin=u.is_admin,
+            is_active=u.is_active,
+            created_at=u.created_at,
+            last_login=u.last_login,
+            groups=[ug.group.name for ug in u.groups]
+        )
+        for u in users
+    ]
+
+
+@router.post("", response_model=UserResponse, status_code=status.HTTP_201_CREATED)
+def create_new_user(user_data: UserCreate, db: DbSession, admin: AdminUser, request: Request):
+    existing = get_user_by_email(db, user_data.email)
+    if existing:
+        raise HTTPException(
+            status_code=status.HTTP_400_BAD_REQUEST,
+            detail="User with this email already exists"
+        )
+    user = create_user(
+        db,
+        email=user_data.email,
+        password=user_data.password,
+        full_name=user_data.full_name,
+        is_admin=user_data.is_admin
+    )
+
+    # Audit log
+    audit = AuditLog(
+        user_id=admin.id,
+        action="user_created",
+        resource_type="user",
+        resource_id=user.id,
+        details={"email": user.email, "full_name": user.full_name, "is_admin": user.is_admin},
+        ip_address=request.client.host if request.client else None
+    )
+    db.add(audit)
+    db.commit()
+
+    return UserResponse(
+        id=user.id,
+        email=user.email,
+        full_name=user.full_name,
+        is_admin=user.is_admin,
+        is_active=user.is_active,
+        created_at=user.created_at,
+        groups=[]
+    )
+
+
+@router.get("/{user_id}", response_model=UserResponse)
+def get_user(user_id: str, db: DbSession, admin: AdminUser):
+    user = db.query(User).filter(User.id == user_id).first()
+    if not user:
+        raise HTTPException(
+            status_code=status.HTTP_404_NOT_FOUND,
+            detail="User not found"
+        )
+    return UserResponse(
+        id=user.id,
+        email=user.email,
+        full_name=user.full_name,
+        is_admin=user.is_admin,
+        is_active=user.is_active,
+        created_at=user.created_at,
+        last_login=user.last_login,
+        groups=[ug.group.name for ug in user.groups]
+    )
+
+
+@router.put("/{user_id}", response_model=UserResponse)
+def update_user(user_id: str, user_data: UserUpdate, db: DbSession, admin: AdminUser, request: Request):
+    user = db.query(User).filter(User.id == user_id).first()
+    if not user:
+        raise HTTPException(
+            status_code=status.HTTP_404_NOT_FOUND,
+            detail="User not found"
+        )
+
+    # Track changes for audit logging
+    old_is_admin = user.is_admin
+    old_is_active = user.is_active
+    changes = {}
+
+    # Prevent deactivating or removing admin status from admin users
+    if user.is_admin:
+        if user_data.is_active is not None and not user_data.is_active:
+            raise HTTPException(
+                status_code=status.HTTP_400_BAD_REQUEST,
+                detail="Cannot deactivate an admin account. Remove admin privileges first."
+            )
+        if user_data.is_admin is not None and not user_data.is_admin:
+            # Check if this is the last admin
+            admin_count = db.query(User).filter(User.is_admin == True, User.is_active == True).count()
+            if admin_count <= 1:
+                raise HTTPException(
+                    status_code=status.HTTP_400_BAD_REQUEST,
+                    detail="Cannot remove admin privileges from the last admin account."
+                )
+
+    if user_data.email is not None and user_data.email != user.email:
+        changes["email"] = {"old": user.email, "new": user_data.email}
+        user.email = user_data.email
+    if user_data.full_name is not None and user_data.full_name != user.full_name:
+        changes["full_name"] = {"old": user.full_name, "new": user_data.full_name}
+        user.full_name = user_data.full_name
+    if user_data.is_admin is not None:
+        user.is_admin = user_data.is_admin
+    if user_data.is_active is not None:
+        user.is_active = user_data.is_active
+    if user_data.password is not None:
+        from backend.core.security import get_password_hash
+        user.password_hash = get_password_hash(user_data.password)
+        user.token_version += 1  # Invalidate all existing tokens
+
+    db.commit()
+    db.refresh(user)
+
+    ip_address = request.client.host if request.client else None
+
+    # Create specific audit logs for important changes
+    if user_data.password is not None:
+        audit = AuditLog(
+            user_id=admin.id,
+            action="password_changed",
+            resource_type="user",
+            resource_id=user.id,
+            details={"target_email": user.email, "changed_by": admin.email},
+            ip_address=ip_address
+        )
+        db.add(audit)
+
+    if user_data.is_admin is not None and old_is_admin != user.is_admin:
+        action = "admin_granted" if user.is_admin else "admin_revoked"
+        audit = AuditLog(
+            user_id=admin.id,
+            action=action,
+            resource_type="user",
+            resource_id=user.id,
+            details={"target_email": user.email},
+            ip_address=ip_address
+        )
+        db.add(audit)
+
+    if user_data.is_active is not None and old_is_active != user.is_active:
+        action = "user_activated" if user.is_active else "user_deactivated"
+        audit = AuditLog(
+            user_id=admin.id,
+            action=action,
+            resource_type="user",
+            resource_id=user.id,
+            details={"target_email": user.email},
+            ip_address=ip_address
+        )
+        db.add(audit)
+
+    # General update log
+    if changes:
+        audit = AuditLog(
+            user_id=admin.id,
+            action="user_updated",
+            resource_type="user",
+            resource_id=user.id,
+            details={"target_email": user.email, "changes": changes},
+            ip_address=ip_address
+        )
+        db.add(audit)
+
+    db.commit()
+
+    return UserResponse(
+        id=user.id,
+        email=user.email,
+        full_name=user.full_name,
+        is_admin=user.is_admin,
+        is_active=user.is_active,
+        created_at=user.created_at,
+        last_login=user.last_login,
+        groups=[ug.group.name for ug in user.groups]
+    )
+
+
+@router.delete("/{user_id}", status_code=status.HTTP_204_NO_CONTENT)
+def delete_user(user_id: str, db: DbSession, admin: AdminUser, request: Request):
+    user = db.query(User).filter(User.id == user_id).first()
+    if not user:
+        raise HTTPException(
+            status_code=status.HTTP_404_NOT_FOUND,
+            detail="User not found"
+        )
+
+    # Prevent deleting admin accounts
+    if user.is_admin:
+        raise HTTPException(
+            status_code=status.HTTP_400_BAD_REQUEST,
+            detail="Cannot delete an admin account. Remove admin privileges first."
+        )
+
+    # Audit log before deletion
+    audit = AuditLog(
+        user_id=admin.id,
+        action="user_deleted",
+        resource_type="user",
+        resource_id=user.id,
+        details={"email": user.email, "full_name": user.full_name},
+        ip_address=request.client.host if request.client else None
+    )
+    db.add(audit)
+
+    db.delete(user)
+    db.commit()

backend/config.py

@@ -0,0 +1,106 @@
+import os
+from pathlib import Path
+from pydantic_settings import BaseSettings
+from functools import lru_cache
+
+
+class Settings(BaseSettings):
+    # App settings
+    app_name: str = "CSG Flux Dashboard"
+    debug: bool = False
+
+    # Deployment mode - True for HuggingFace demo deployment
+    # Data resets on restart, uses synthetic demo data
+    demo_mode: bool = True
+
+    # Security
+    secret_key: str = "dev-secret-key-change-in-production-min-32-chars"
+    refresh_secret_key: str = "dev-refresh-secret-key-change-in-production-min-32-chars"
+    algorithm: str = "HS256"
+    access_token_expire_minutes: int = 30  # 30 minutes
+    refresh_token_expire_days: int = 7     # 7 days
+
+    # Database - Use /data for HF Spaces persistent storage
+    # DATABASE_URL env var is set in Dockerfile for HF Spaces
+    database_url: str = "sqlite:///./data/crop_dashboard.db"
+    db_encryption_key: str | None = None  # SQLCipher encryption key
+
+    # Paths - Detect HF Spaces environment and use /data for persistence
+    base_dir: Path = Path(__file__).parent.parent
+
+    @property
+    def is_hf_spaces(self) -> bool:
+        """Check if running in HuggingFace Spaces environment."""
+        return os.path.exists("/data") and os.access("/data", os.W_OK)
+
+    @property
+    def data_dir(self) -> Path:
+        return Path("/data") if self.is_hf_spaces else self.base_dir / "data"
+
+    @property
+    def uploads_dir(self) -> Path:
+        return Path("/data/uploads") if self.is_hf_spaces else self.base_dir / "uploads"
+
+    @property
+    def archives_dir(self) -> Path:
+        return Path("/data/archives") if self.is_hf_spaces else self.base_dir / "archives"
+
+    # Initial admin (created on first run)
+    # ADMIN_PASSWORD must be set as an environment variable/secret for security
+    admin_email: str = "admin@cropdash.dev"
+    admin_password: str = ""  # Set via ADMIN_PASSWORD env var
+
+    # CORS - parse from comma-separated env var if provided
+    cors_origins: list[str] = ["http://localhost:5173", "http://127.0.0.1:5173"]
+
+    @property
+    def all_cors_origins(self) -> list[str]:
+        """Return all CORS origins including HF Spaces URL when deployed."""
+        origins = list(self.cors_origins)
+        # Add HF Spaces URL when running in that environment
+        if os.environ.get("SPACE_ID"):
+            space_id = os.environ.get("SPACE_ID", "")
+            # SPACE_ID format is "username/space-name"
+            if "/" in space_id:
+                username, space_name = space_id.split("/", 1)
+                hf_url = f"https://{username}-{space_name}.hf.space"
+                if hf_url not in origins:
+                    origins.append(hf_url)
+        # Always include the known HF Spaces URL
+        hf_space_url = "https://richtext-crop-dashboard-platform.hf.space"
+        if hf_space_url not in origins:
+            origins.append(hf_space_url)
+        return origins
+
+    # Box OAuth Configuration
+    # Get these from https://app.box.com/developers/console
+    box_client_id: str = ""
+    box_client_secret: str = ""
+    box_redirect_uri: str = "http://localhost:5173/admin/box/callback"
+
+    class Config:
+        env_file = ".env"
+        env_file_encoding = "utf-8"
+
+    @classmethod
+    def parse_cors_origins(cls, v):
+        """Parse CORS_ORIGINS from comma-separated string if needed."""
+        if isinstance(v, str):
+            return [origin.strip() for origin in v.split(',') if origin.strip()]
+        return v
+
+
+@lru_cache()
+def get_settings() -> Settings:
+    return Settings()
+
+
+settings = get_settings()
+
+# Ensure directories exist (use try/except for permission issues)
+try:
+    settings.data_dir.mkdir(parents=True, exist_ok=True)
+    settings.uploads_dir.mkdir(parents=True, exist_ok=True)
+    settings.archives_dir.mkdir(parents=True, exist_ok=True)
+except PermissionError:
+    pass  # Directories may already exist or be managed by the platform

backend/core/access_control.py

@@ -0,0 +1,165 @@
+"""
+Centralized Access Control Module
+
+This module provides a single source of truth for all access control logic.
+It computes a user's accessible resources ONCE per request and caches them
+in a UserAccessContext object that can be injected into any endpoint.
+
+Usage in endpoints:
+    from backend.core.dependencies import DbSession, AccessContext
+
+    @router.get("/data")
+    def get_data(access: AccessContext, db: DbSession):
+        if not access.is_admin:
+            # Filter by user's accessible sites
+            query = query.filter(Model.site_id.in_(access.site_ids))
+        return query.all()
+
+Adding new data types:
+    1. If data is site-scoped: use access.site_ids or access.site_codes
+    2. If data is crop-scoped: use access.crop_ids
+    3. If data needs new scope: add new field to UserAccessContext
+"""
+
+from dataclasses import dataclass
+from typing import Annotated
+from fastapi import Depends, HTTPException, status
+from sqlalchemy.orm import Session
+
+from backend.database import get_db
+from backend.core.dependencies import get_current_user
+from backend.models import User, UserGroup, GroupSite, Site
+
+
+@dataclass
+class UserAccessContext:
+    """
+    Cached access context for a user request.
+
+    This object is created ONCE per request and contains all the information
+    needed to filter data by the user's group memberships.
+
+    Attributes:
+        user: The authenticated User object
+        is_admin: Whether user has admin privileges (bypasses all filters)
+        site_ids: Set of Site.id values the user can access
+        site_codes: Set of Site.site_code values the user can access
+        crop_ids: Set of Crop.id values from the user's accessible sites
+    """
+    user: User
+    is_admin: bool
+    site_ids: set[str]
+    site_codes: set[str]
+    crop_ids: set[str]
+
+    def has_site_access(self, site_id: str = None, site_code: str = None) -> bool:
+        """Check if user has access to a specific site."""
+        if self.is_admin:
+            return True
+        if site_id:
+            return site_id in self.site_ids
+        if site_code:
+            return site_code in self.site_codes
+        return False
+
+    def has_crop_access(self, crop_id: str) -> bool:
+        """Check if user has access to a specific crop (via their sites)."""
+        if self.is_admin:
+            return True
+        return crop_id in self.crop_ids
+
+    def require_site_access(self, site_id: str = None, site_code: str = None) -> None:
+        """Raise 403 if user doesn't have access to the site."""
+        if not self.has_site_access(site_id=site_id, site_code=site_code):
+            raise HTTPException(
+                status_code=status.HTTP_403_FORBIDDEN,
+                detail="You don't have access to this site"
+            )
+
+    def require_crop_access(self, crop_id: str) -> None:
+        """Raise 403 if user doesn't have access to the crop."""
+        if not self.has_crop_access(crop_id):
+            raise HTTPException(
+                status_code=status.HTTP_403_FORBIDDEN,
+                detail="You don't have access to this crop"
+            )
+
+
+def get_access_context(
+    user: Annotated[User, Depends(get_current_user)],
+    db: Annotated[Session, Depends(get_db)]
+) -> UserAccessContext:
+    """
+    FastAPI dependency that creates a UserAccessContext for the current request.
+
+    This is computed ONCE per request and cached by FastAPI's dependency system.
+    All endpoints that inject AccessContext will receive the same instance.
+
+    For admins: Returns context with is_admin=True (no filtering needed)
+    For regular users: Queries their group memberships and accessible sites
+    """
+    if user.is_admin:
+        # Admin users see everything - query all active sites
+        sites = db.query(Site).filter(Site.is_active == True).all()
+        site_ids = {s.id for s in sites}
+        site_codes = {s.site_code for s in sites}
+        crop_ids = {s.crop_id for s in sites if s.crop_id}
+
+        return UserAccessContext(
+            user=user,
+            is_admin=True,
+            site_ids=site_ids,
+            site_codes=site_codes,
+            crop_ids=crop_ids
+        )
+
+    # Regular user - filter by group membership
+    # Step 1: Get user's group IDs
+    user_groups = db.query(UserGroup).filter(UserGroup.user_id == user.id).all()
+    group_ids = [ug.group_id for ug in user_groups]
+
+    if not group_ids:
+        # User has no groups - empty access
+        return UserAccessContext(
+            user=user,
+            is_admin=False,
+            site_ids=set(),
+            site_codes=set(),
+            crop_ids=set()
+        )
+
+    # Step 2: Get site IDs from those groups
+    group_sites = db.query(GroupSite).filter(GroupSite.group_id.in_(group_ids)).all()
+    site_ids_list = [gs.site_id for gs in group_sites]
+
+    if not site_ids_list:
+        # Groups have no sites assigned
+        return UserAccessContext(
+            user=user,
+            is_admin=False,
+            site_ids=set(),
+            site_codes=set(),
+            crop_ids=set()
+        )
+
+    # Step 3: Get actual site objects (only active ones)
+    sites = db.query(Site).filter(
+        Site.id.in_(site_ids_list),
+        Site.is_active == True
+    ).all()
+
+    site_ids = {s.id for s in sites}
+    site_codes = {s.site_code for s in sites}
+    crop_ids = {s.crop_id for s in sites if s.crop_id}
+
+    return UserAccessContext(
+        user=user,
+        is_admin=False,
+        site_ids=site_ids,
+        site_codes=site_codes,
+        crop_ids=crop_ids
+    )
+
+
+# Type alias for dependency injection - use this in endpoint signatures
+AccessContext = Annotated[UserAccessContext, Depends(get_access_context)]

backend/core/dependencies.py

@@ -0,0 +1,75 @@
+from typing import Annotated
+from fastapi import Depends, HTTPException, status
+from fastapi.security import OAuth2PasswordBearer
+from sqlalchemy.orm import Session
+from backend.database import get_db
+from backend.core.security import verify_token
+from backend.models import User
+
+oauth2_scheme = OAuth2PasswordBearer(tokenUrl="/api/auth/login")
+
+
+def get_current_user(
+    token: Annotated[str, Depends(oauth2_scheme)],
+    db: Annotated[Session, Depends(get_db)]
+) -> User:
+    payload = verify_token(token)
+
+    if payload is None:
+        raise HTTPException(
+            status_code=status.HTTP_401_UNAUTHORIZED,
+            detail="Invalid or expired token",
+            headers={"WWW-Authenticate": "Bearer"},
+        )
+
+    user_id = payload.get("sub")
+    if not user_id or not isinstance(user_id, str):
+        raise HTTPException(
+            status_code=status.HTTP_401_UNAUTHORIZED,
+            detail="Invalid token payload",
+            headers={"WWW-Authenticate": "Bearer"},
+        )
+
+    user = db.query(User).filter(User.id == user_id).first()
+    if user is None:
+        raise HTTPException(
+            status_code=status.HTTP_401_UNAUTHORIZED,
+            detail="User not found",
+        )
+
+    # Check token version - invalidates tokens after password change/logout
+    token_version = payload.get("token_version")
+    if token_version is None or token_version != user.token_version:
+        raise HTTPException(
+            status_code=status.HTTP_401_UNAUTHORIZED,
+            detail="Token has been revoked",
+            headers={"WWW-Authenticate": "Bearer"},
+        )
+
+    if not user.is_active:
+        raise HTTPException(
+            status_code=status.HTTP_403_FORBIDDEN,
+            detail="User account is disabled",
+        )
+
+    return user
+
+
+def get_current_admin_user(
+    current_user: Annotated[User, Depends(get_current_user)]
+) -> User:
+    if not current_user.is_admin:
+        raise HTTPException(
+            status_code=status.HTTP_403_FORBIDDEN,
+            detail="Admin access required",
+        )
+    return current_user
+
+
+# Type aliases for cleaner route signatures
+CurrentUser = Annotated[User, Depends(get_current_user)]
+AdminUser = Annotated[User, Depends(get_current_admin_user)]
+DbSession = Annotated[Session, Depends(get_db)]
+
+# Re-export access control for convenience
+from backend.core.access_control import AccessContext, UserAccessContext

backend/core/security.py

@@ -0,0 +1,57 @@
+from datetime import datetime, timedelta
+from typing import Any
+from jose import jwt, JWTError
+from passlib.context import CryptContext
+from backend.config import settings
+
+pwd_context = CryptContext(schemes=["bcrypt"], deprecated="auto")
+
+
+def create_access_token(data: dict[str, Any], expires_delta: timedelta | None = None) -> str:
+    to_encode = data.copy()
+    if expires_delta:
+        expire = datetime.utcnow() + expires_delta
+    else:
+        expire = datetime.utcnow() + timedelta(minutes=settings.access_token_expire_minutes)
+    to_encode.update({"exp": expire})
+    encoded_jwt = jwt.encode(to_encode, settings.secret_key, algorithm=settings.algorithm)
+    return encoded_jwt
+
+
+def verify_token(token: str) -> dict[str, Any] | None:
+    try:
+        payload = jwt.decode(token, settings.secret_key, algorithms=[settings.algorithm])
+        return payload
+    except JWTError:
+        return None
+
+
+def create_refresh_token(data: dict[str, Any], expires_delta: timedelta | None = None) -> str:
+    """Create a refresh token with longer expiry and different secret."""
+    to_encode = data.copy()
+    if expires_delta:
+        expire = datetime.utcnow() + expires_delta
+    else:
+        expire = datetime.utcnow() + timedelta(days=settings.refresh_token_expire_days)
+    to_encode.update({"exp": expire, "type": "refresh"})
+    encoded_jwt = jwt.encode(to_encode, settings.refresh_secret_key, algorithm=settings.algorithm)
+    return encoded_jwt
+
+
+def verify_refresh_token(token: str) -> dict[str, Any] | None:
+    """Verify a refresh token using the refresh secret key."""
+    try:
+        payload = jwt.decode(token, settings.refresh_secret_key, algorithms=[settings.algorithm])
+        if payload.get("type") != "refresh":
+            return None
+        return payload
+    except JWTError:
+        return None
+
+
+def verify_password(plain_password: str, hashed_password: str) -> bool:
+    return pwd_context.verify(plain_password, hashed_password)
+
+
+def get_password_hash(password: str) -> str:
+    return pwd_context.hash(password)

backend/database.py

@@ -0,0 +1,144 @@
+"""
+Database module with SQLCipher encryption support.
+
+When DB_ENCRYPTION_KEY is set in the environment (or .env file), the database
+will be encrypted using SQLCipher. If no key is provided, a standard SQLite
+database is used (for development only).
+"""
+import os
+from sqlalchemy import create_engine, event, text
+from sqlalchemy.orm import sessionmaker, DeclarativeBase
+from backend.config import settings
+
+# Check if SQLCipher is available
+SQLCIPHER_AVAILABLE = False
+try:
+    import sqlcipher3
+    SQLCIPHER_AVAILABLE = True
+except ImportError:
+    pass
+
+
+def _get_db_path() -> str:
+    """Extract the database file path from the database URL."""
+    import os
+    from pathlib import Path
+
+    # Check if running in HF Spaces (writable /data directory)
+    is_hf_spaces = os.path.exists("/data") and os.access("/data", os.W_OK)
+
+    if is_hf_spaces:
+        # Use HF Spaces persistent storage
+        db_path = "/data/crop_dashboard.db"
+    else:
+        # Parse from settings for local development
+        url = settings.database_url
+        if url.startswith("sqlite:///"):
+            db_path = url[10:]  # Remove "sqlite:///"
+            if db_path.startswith("./"):
+                db_path = db_path[2:]
+        else:
+            db_path = url
+
+    # Ensure directory exists
+    db_dir = Path(db_path).parent
+    try:
+        db_dir.mkdir(parents=True, exist_ok=True)
+    except PermissionError:
+        pass  # Directory may already exist
+
+    return db_path
+
+
+def _create_encrypted_engine():
+    """Create an engine using SQLCipher for encrypted database access."""
+    if not SQLCIPHER_AVAILABLE:
+        raise RuntimeError(
+            "SQLCipher encryption requested but sqlcipher3 is not installed. "
+            "Install with: pip install sqlcipher3"
+        )
+
+    db_path = _get_db_path()
+    key = settings.db_encryption_key
+
+    def create_connection():
+        """Create a new SQLCipher connection."""
+        conn = sqlcipher3.connect(db_path, check_same_thread=False)
+        # Set the encryption key
+        conn.execute(f"PRAGMA key = '{key}'")
+        # Use SQLCipher 4 defaults for strong encryption
+        conn.execute("PRAGMA cipher_compatibility = 4")
+        conn.execute("PRAGMA kdf_iter = 256000")
+        conn.execute("PRAGMA cipher_memory_security = ON")
+        return conn
+
+    # Create engine with creator function
+    # Note: SQLite with creator uses StaticPool instead of QueuePool
+    from sqlalchemy.pool import StaticPool
+    engine = create_engine(
+        "sqlite://",  # Dummy URL, we override with creator
+        creator=create_connection,
+        poolclass=StaticPool
+    )
+
+    return engine
+
+
+def _create_standard_engine():
+    """Create a standard SQLite engine (no encryption)."""
+    engine = create_engine(
+        settings.database_url,
+        connect_args={"check_same_thread": False}
+    )
+    return engine
+
+
+def create_db_engine():
+    """
+    Create the appropriate database engine based on configuration.
+
+    If db_encryption_key is set, uses SQLCipher for encryption.
+    Otherwise, uses standard SQLite.
+    """
+    if settings.db_encryption_key:
+        print("Database encryption enabled (SQLCipher)")
+        return _create_encrypted_engine()
+    else:
+        print("WARNING: Database is NOT encrypted (no DB_ENCRYPTION_KEY set)")
+        return _create_standard_engine()
+
+
+# Create the engine
+engine = create_db_engine()
+
+SessionLocal = sessionmaker(autocommit=False, autoflush=False, bind=engine)
+
+
+class Base(DeclarativeBase):
+    pass
+
+
+def get_db():
+    db = SessionLocal()
+    try:
+        yield db
+    finally:
+        db.close()
+
+
+def init_db():
+    from backend.models import user, group, site, sensor_data, pipeline, box_connection
+    Base.metadata.create_all(bind=engine)
+
+
+def is_database_encrypted(db_path: str | None = None) -> bool:
+    """Check if the database file is encrypted."""
+    path = db_path or _get_db_path()
+    if not os.path.exists(path):
+        return False
+
+    with open(path, 'rb') as f:
+        header = f.read(16)
+
+    # SQLite files start with "SQLite format 3\0"
+    return header != b'SQLite format 3\x00'

backend/main.py

@@ -0,0 +1,441 @@
+import os
+from contextlib import asynccontextmanager
+from fastapi import FastAPI
+from fastapi.middleware.cors import CORSMiddleware
+from fastapi.staticfiles import StaticFiles
+from fastapi.responses import FileResponse
+from pathlib import Path
+
+from backend.config import settings
+from backend.database import init_db, engine
+from backend.api import api_router
+
+
+@asynccontextmanager
+async def lifespan(app: FastAPI):
+    # Startup
+    if settings.demo_mode:
+        print("=" * 50)
+        print("  RUNNING IN DEMO MODE")
+        print("  Data will reset on restart")
+        print("=" * 50)
+        # In demo mode, always delete and recreate the database
+        db_path = Path(settings.database_url.replace("sqlite:///", ""))
+        if db_path.exists():
+            db_path.unlink()
+            print(f"Deleted existing database: {db_path}")
+
+    init_db()
+    seed_initial_data()
+
+    # Initialize Box scheduler if connection exists
+    from backend.services.box_worker import initialize_box_scheduler, stop_scheduler
+    try:
+        initialize_box_scheduler()
+    except Exception as e:
+        print(f"Warning: Failed to initialize Box scheduler: {e}")
+
+    yield
+
+    # Shutdown
+    try:
+        stop_scheduler()
+    except Exception:
+        pass
+
+
+app = FastAPI(
+    title=settings.app_name,
+    description="Agricultural sensor data dashboard for crop monitoring",
+    version="1.0.0",
+    lifespan=lifespan
+)
+
+# CORS middleware - use all_cors_origins to include HF Spaces URL when deployed
+app.add_middleware(
+    CORSMiddleware,
+    allow_origins=settings.all_cors_origins,
+    allow_credentials=True,
+    allow_methods=["*"],
+    allow_headers=["*"],
+)
+
+# API routes
+app.include_router(api_router, prefix="/api")
+
+
+def seed_initial_data():
+    """Seed the database with initial admin user and sample data.
+
+    This creates fake demo data with randomized California locations.
+    All site names, locations, and sensor data are synthetic and not real.
+    """
+    import random
+    from datetime import datetime, timedelta
+    from backend.database import SessionLocal
+    from backend.models import User, Crop, Site, Group, GroupSite, EquipmentGroup, Parameter, SensorData
+    from backend.models import UserGroup
+    from backend.services.auth import get_user_by_email, create_user
+
+    db = SessionLocal()
+    try:
+        # Check if database is empty (for production mode)
+        user_count = db.query(User).count()
+        if user_count > 0 and not settings.demo_mode:
+            print("Database already seeded, skipping...")
+            return
+
+        # Create admin user if not exists (password from env var)
+        admin = get_user_by_email(db, settings.admin_email)
+        if not admin and settings.admin_password:
+            admin = create_user(
+                db,
+                email=settings.admin_email,
+                password=settings.admin_password,
+                full_name="System Administrator",
+                is_admin=True
+            )
+            print(f"Created admin user: {settings.admin_email}")
+        elif not settings.admin_password:
+            print("Warning: ADMIN_PASSWORD not set, skipping admin user creation")
+
+        # Create crops if not exist
+        crops_data = [
+            {"name": "almonds", "display_name": "Almonds", "color": "#3B82F6"},
+            {"name": "grapes", "display_name": "Grapes", "color": "#8B5CF6"},
+            {"name": "olives", "display_name": "Olives", "color": "#EF4444"},
+            {"name": "pistachios", "display_name": "Pistachios", "color": "#22C55E"},
+            {"name": "table_grapes", "display_name": "Table Grapes", "color": "#F59E0B"},
+        ]
+
+        crop_map = {}
+        for crop_data in crops_data:
+            crop = db.query(Crop).filter(Crop.name == crop_data["name"]).first()
+            if not crop:
+                crop = Crop(**crop_data)
+                db.add(crop)
+                db.commit()
+                db.refresh(crop)
+            crop_map[crop_data["name"]] = crop
+
+        # Create 10 FAKE sites with randomized California locations
+        # These are NOT real locations - just random points in California for demo purposes
+        sites_data = [
+            # Grower One sites (Site 01-05)
+            {"site_code": "SITE_01", "name": "Demo Site 01 - North Valley", "crop": "almonds", "lat": 35.42, "lon": -119.85},
+            {"site_code": "SITE_02", "name": "Demo Site 02 - Central Plains", "crop": "almonds", "lat": 36.15, "lon": -120.32},
+            {"site_code": "SITE_03", "name": "Demo Site 03 - West Ridge", "crop": "grapes", "lat": 34.78, "lon": -118.95},
+            {"site_code": "SITE_04", "name": "Demo Site 04 - South Basin", "crop": "olives", "lat": 35.89, "lon": -119.42},
+            {"site_code": "SITE_05", "name": "Demo Site 05 - East Hills", "crop": "pistachios", "lat": 36.52, "lon": -118.78},
+            # Grower Two sites (Site 06-10)
+            {"site_code": "SITE_06", "name": "Demo Site 06 - River Delta", "crop": "grapes", "lat": 34.25, "lon": -119.15},
+            {"site_code": "SITE_07", "name": "Demo Site 07 - Mountain View", "crop": "olives", "lat": 35.65, "lon": -120.88},
+            {"site_code": "SITE_08", "name": "Demo Site 08 - Coastal Range", "crop": "table_grapes", "lat": 36.85, "lon": -119.55},
+            {"site_code": "SITE_09", "name": "Demo Site 09 - Valley Floor", "crop": "almonds", "lat": 34.95, "lon": -118.62},
+            {"site_code": "SITE_10", "name": "Demo Site 10 - Highland Farm", "crop": "pistachios", "lat": 35.35, "lon": -120.15},
+        ]
+
+        site_objects = {}
+        for site_data in sites_data:
+            site = db.query(Site).filter(Site.site_code == site_data["site_code"]).first()
+            if not site:
+                site = Site(
+                    site_code=site_data["site_code"],
+                    name=site_data["name"],
+                    crop_id=crop_map[site_data["crop"]].id,
+                    latitude=site_data["lat"],
+                    longitude=site_data["lon"]
+                )
+                db.add(site)
+                db.commit()
+                db.refresh(site)
+            site_objects[site_data["site_code"]] = site
+
+        print(f"Created {len(site_objects)} demo sites")
+
+        # Create equipment groups and parameters for each crop
+        equipment_groups_data = [
+            "Sonic Anemometer", "IRGASON", "Net Radiometer", "Soil Thermocouple",
+            "Soil Moisture Probes", "Energy Budget", "EC100 Probe", "Infrared Sensor"
+        ]
+
+        # Parameters with their equipment group assignments
+        parameters_data = [
+            ("TA_1_1_1", "EC100 Probe", "Air Temperature", "C"),
+            ("RH_1_1_1", "EC100 Probe", "Relative Humidity", "%"),
+            ("VPD", "EC100 Probe", "Vapor Pressure Deficit", "kPa"),
+            ("WS", "Sonic Anemometer", "Wind Speed", "m/s"),
+            ("WD", "Sonic Anemometer", "Wind Direction", "deg"),
+            ("USTAR", "Sonic Anemometer", "Friction Velocity", "m/s"),
+            ("T_SONIC", "Sonic Anemometer", "Sonic Temperature", "C"),
+            ("SW_IN", "Net Radiometer", "Incoming Shortwave", "W/m2"),
+            ("SW_OUT", "Net Radiometer", "Outgoing Shortwave", "W/m2"),
+            ("LW_IN", "Net Radiometer", "Incoming Longwave", "W/m2"),
+            ("LW_OUT", "Net Radiometer", "Outgoing Longwave", "W/m2"),
+            ("NETRAD", "Net Radiometer", "Net Radiation", "W/m2"),
+            ("TS1_2cm", "Soil Thermocouple", "Soil Temp 2cm", "C"),
+            ("TS1_6cm", "Soil Thermocouple", "Soil Temp 6cm", "C"),
+            ("SWC_1_1_1", "Soil Moisture Probes", "Soil Water Content", "%"),
+            ("H", "Energy Budget", "Sensible Heat Flux", "W/m2"),
+            ("LE", "Energy Budget", "Latent Heat Flux", "W/m2"),
+            ("G", "Energy Budget", "Ground Heat Flux", "W/m2"),
+            ("FC_mass", "IRGASON", "CO2 Flux", "mg/m2/s"),
+            ("ET", "IRGASON", "Evapotranspiration", "mm/hr"),
+            ("CO2_density", "IRGASON", "CO2 Density", "mg/m3"),
+            ("H2O_density", "IRGASON", "H2O Density", "g/m3"),
+            ("T_CANOPY", "Infrared Sensor", "Canopy Temperature", "C"),
+        ]
+
+        for crop_name, crop in crop_map.items():
+            # Create equipment groups for this crop
+            eq_map = {}
+            for eq_name in equipment_groups_data:
+                existing = db.query(EquipmentGroup).filter(
+                    EquipmentGroup.name == eq_name,
+                    EquipmentGroup.crop_id == crop.id
+                ).first()
+                if not existing:
+                    eq = EquipmentGroup(name=eq_name, crop_id=crop.id)
+                    db.add(eq)
+                    db.flush()
+                    eq_map[eq_name] = eq.id
+                else:
+                    eq_map[eq_name] = existing.id
+
+            # Create parameters for this crop
+            for param_name, eq_name, display_name, unit in parameters_data:
+                existing = db.query(Parameter).filter(
+                    Parameter.name == param_name,
+                    Parameter.crop_id == crop.id
+                ).first()
+                if not existing:
+                    param = Parameter(
+                        name=param_name,
+                        display_name=display_name,
+                        unit=unit,
+                        crop_id=crop.id,
+                        equipment_group_id=eq_map.get(eq_name)
+                    )
+                    db.add(param)
+            db.commit()
+
+        print("Created equipment groups and parameters for all crops")
+
+        # Create "Grower One Farms" group (Sites 01-05)
+        grower_one_group = db.query(Group).filter(Group.name == "Grower One Farms").first()
+        if not grower_one_group:
+            grower_one_group = Group(
+                name="Grower One Farms",
+                description="Demo group for Grower One with access to Sites 01-05"
+            )
+            db.add(grower_one_group)
+            db.commit()
+            db.refresh(grower_one_group)
+
+            # Add sites 01-05 to Grower One group
+            for code in ["SITE_01", "SITE_02", "SITE_03", "SITE_04", "SITE_05"]:
+                if code in site_objects:
+                    gs = GroupSite(group_id=grower_one_group.id, site_id=site_objects[code].id)
+                    db.add(gs)
+            db.commit()
+            print("Created Grower One Farms group with 5 sites")
+
+        # Create "Grower Two Farms" group (Sites 06-10)
+        grower_two_group = db.query(Group).filter(Group.name == "Grower Two Farms").first()
+        if not grower_two_group:
+            grower_two_group = Group(
+                name="Grower Two Farms",
+                description="Demo group for Grower Two with access to Sites 06-10"
+            )
+            db.add(grower_two_group)
+            db.commit()
+            db.refresh(grower_two_group)
+
+            # Add sites 06-10 to Grower Two group
+            for code in ["SITE_06", "SITE_07", "SITE_08", "SITE_09", "SITE_10"]:
+                if code in site_objects:
+                    gs = GroupSite(group_id=grower_two_group.id, site_id=site_objects[code].id)
+                    db.add(gs)
+            db.commit()
+            print("Created Grower Two Farms group with 5 sites")
+
+        # Create Grower One user
+        grower1 = get_user_by_email(db, "grower1@demo.cropdash.dev")
+        if not grower1:
+            grower1 = create_user(
+                db,
+                email="grower1@demo.cropdash.dev",
+                password="demo123",
+                full_name="Grower One",
+                is_admin=False
+            )
+            ug = UserGroup(user_id=grower1.id, group_id=grower_one_group.id, role="viewer")
+            db.add(ug)
+            db.commit()
+            print("Created demo user: grower1@demo.cropdash.dev")
+
+        # Create Grower Two user
+        grower2 = get_user_by_email(db, "grower2@demo.cropdash.dev")
+        if not grower2:
+            grower2 = create_user(
+                db,
+                email="grower2@demo.cropdash.dev",
+                password="demo123",
+                full_name="Grower Two",
+                is_admin=False
+            )
+            ug = UserGroup(user_id=grower2.id, group_id=grower_two_group.id, role="viewer")
+            db.add(ug)
+            db.commit()
+            print("Created demo user: grower2@demo.cropdash.dev")
+
+        # Generate fake sensor data for all sites
+        print("\nGenerating synthetic sensor data...")
+        generate_fake_sensor_data(db, site_objects)
+
+        print("\nDatabase seeded successfully with demo data")
+
+    finally:
+        db.close()
+
+
+def generate_fake_sensor_data(db, site_objects: dict):
+    """Generate synthetic sensor data for demo purposes.
+
+    All data is randomly generated and does not represent real measurements.
+    """
+    import random
+    from datetime import datetime, timedelta
+    from backend.models import SensorData
+
+    # Generate data for the last 30 days, every 30 minutes
+    end_time = datetime.now()
+    start_time = end_time - timedelta(days=30)
+
+    # Parameter ranges for realistic-looking fake data
+    param_ranges = {
+        "TA_1_1_1": (10, 40),      # Air temp C
+        "RH_1_1_1": (20, 95),      # Relative humidity %
+        "VPD": (0.5, 4.0),         # Vapor pressure deficit kPa
+        "WS": (0.1, 8.0),          # Wind speed m/s
+        "WD": (0, 360),            # Wind direction deg
+        "USTAR": (0.05, 0.8),      # Friction velocity m/s
+        "T_SONIC": (10, 42),       # Sonic temp C
+        "SW_IN": (0, 900),         # Incoming shortwave W/m2
+        "SW_OUT": (0, 150),        # Outgoing shortwave W/m2
+        "LW_IN": (250, 420),       # Incoming longwave W/m2
+        "LW_OUT": (300, 550),      # Outgoing longwave W/m2
+        "NETRAD": (-100, 700),     # Net radiation W/m2
+        "TS1_2cm": (12, 35),       # Soil temp 2cm C
+        "TS1_6cm": (14, 32),       # Soil temp 6cm C
+        "SWC_1_1_1": (5, 55),      # Soil water content %
+        "H": (-50, 350),           # Sensible heat W/m2
+        "LE": (-20, 400),          # Latent heat W/m2
+        "G": (-80, 200),           # Ground heat W/m2
+        "FC_mass": (-1.5, 1.5),    # CO2 flux mg/m2/s
+        "ET": (-0.2, 1.5),         # ET mm/hr
+        "CO2_density": (680, 850), # CO2 density mg/m3
+        "H2O_density": (5, 18),    # H2O density g/m3
+        "T_CANOPY": (8, 45),       # Canopy temp C
+    }
+
+    total_records = 0
+    for site_code, site in site_objects.items():
+        current_time = start_time
+        batch = []
+        record_num = 1
+
+        # Add some site-specific variation
+        site_offset = random.uniform(-3, 3)
+
+        while current_time <= end_time:
+            # Calculate hour of day for diurnal patterns
+            hour = current_time.hour
+            is_daytime = 6 <= hour <= 18
+
+            # Generate data with diurnal patterns
+            data = {}
+            for param, (min_val, max_val) in param_ranges.items():
+                base = random.uniform(min_val, max_val)
+
+                # Add diurnal variation for relevant parameters
+                if param in ["SW_IN", "NETRAD", "H", "LE", "ET", "T_CANOPY", "TA_1_1_1"]:
+                    if is_daytime:
+                        # Higher during day, peak around noon
+                        hour_factor = 1 - abs(hour - 12) / 12
+                        base = min_val + (max_val - min_val) * (0.3 + 0.7 * hour_factor)
+                    else:
+                        base = min_val + (max_val - min_val) * 0.1
+
+                # Add some noise and site variation
+                value = base + site_offset + random.gauss(0, (max_val - min_val) * 0.05)
+                value = max(min_val, min(max_val, value))  # Clamp to range
+                data[param] = round(value, 4)
+
+            sensor_data = SensorData(
+                site_id=site.id,
+                timestamp=current_time,
+                data=data,
+                record_number=record_num
+            )
+            batch.append(sensor_data)
+            record_num += 1
+
+            # Batch insert every 500 records
+            if len(batch) >= 500:
+                db.bulk_save_objects(batch)
+                db.commit()
+                total_records += len(batch)
+                batch = []
+
+            current_time += timedelta(minutes=30)
+
+        # Insert remaining records
+        if batch:
+            db.bulk_save_objects(batch)
+            db.commit()
+            total_records += len(batch)
+
+        print(f"  Generated data for {site_code}")
+
+    print(f"  Total synthetic records: {total_records}")
+
+
+@app.get("/health")
+def health_check():
+    return {"status": "healthy", "app": settings.app_name, "demo_mode": settings.demo_mode}
+
+
+@app.get("/api/config/mode")
+def get_config_mode():
+    """Return configuration mode for frontend."""
+    return {"demo_mode": settings.demo_mode}
+
+
+# Serve static files (frontend) if they exist - must be after all API routes
+static_dir = Path(__file__).parent / "static"
+if static_dir.exists():
+    # Serve static assets directory
+    assets_dir = static_dir / "assets"
+    if assets_dir.exists():
+        app.mount("/assets", StaticFiles(directory=assets_dir), name="assets")
+
+    # Catch-all route for SPA - must be last
+    @app.get("/{full_path:path}")
+    async def serve_spa(full_path: str):
+        """Serve frontend SPA files."""
+        # Try to serve the exact file first
+        file_path = static_dir / full_path
+        if file_path.exists() and file_path.is_file():
+            return FileResponse(file_path)
+        # Return index.html for all other routes (SPA routing)
+        index_path = static_dir / "index.html"
+        if index_path.exists():
+            return FileResponse(index_path)
+        # Fallback
+        return {"error": "Not found"}
+
+
+if __name__ == "__main__":
+    import uvicorn
+    uvicorn.run("backend.main:app", host="0.0.0.0", port=8000, reload=True)

backend/models/__init__.py

@@ -0,0 +1,12 @@
+from backend.models.user import User, UserGroup
+from backend.models.group import Group
+from backend.models.site import Crop, Site, GroupSite, EquipmentGroup, Parameter
+from backend.models.sensor_data import SensorData
+from backend.models.pipeline import FileArchive, PipelineConfig, AuditLog
+from backend.models.box_connection import BoxConnection, BoxSyncLog
+
+__all__ = [
+    "User", "UserGroup", "Group", "Crop", "Site", "GroupSite",
+    "EquipmentGroup", "Parameter", "SensorData", "FileArchive",
+    "PipelineConfig", "AuditLog", "BoxConnection", "BoxSyncLog"
+]

backend/models/box_connection.py

@@ -0,0 +1,69 @@
+"""Box cloud storage connection model."""
+import uuid
+from datetime import datetime
+from sqlalchemy import String, DateTime, Integer, Boolean, Text, JSON
+from sqlalchemy.orm import Mapped, mapped_column
+from backend.database import Base
+
+
+class BoxConnection(Base):
+    """Store Box OAuth tokens and folder configuration."""
+    __tablename__ = "box_connections"
+
+    id: Mapped[str] = mapped_column(String(36), primary_key=True, default=lambda: str(uuid.uuid4()))
+    name: Mapped[str] = mapped_column(String(100), default="Box Connection")
+
+    # OAuth tokens (should be encrypted in production)
+    access_token: Mapped[str | None] = mapped_column(Text, nullable=True)
+    refresh_token: Mapped[str | None] = mapped_column(Text, nullable=True)
+    token_expires_at: Mapped[datetime | None] = mapped_column(DateTime, nullable=True)
+
+    # Box user info
+    box_user_id: Mapped[str | None] = mapped_column(String(50), nullable=True)
+    box_user_name: Mapped[str | None] = mapped_column(String(255), nullable=True)
+    box_user_email: Mapped[str | None] = mapped_column(String(255), nullable=True)
+
+    # Folder configuration
+    staging_folder_id: Mapped[str | None] = mapped_column(String(50), nullable=True)
+    staging_folder_name: Mapped[str | None] = mapped_column(String(255), nullable=True)
+    processed_folder_id: Mapped[str | None] = mapped_column(String(50), nullable=True)
+    processed_folder_name: Mapped[str | None] = mapped_column(String(255), nullable=True)
+
+    # Sync settings
+    is_active: Mapped[bool] = mapped_column(Boolean, default=False)
+    sync_interval_minutes: Mapped[int] = mapped_column(Integer, default=60)
+    last_sync: Mapped[datetime | None] = mapped_column(DateTime, nullable=True)
+    last_sync_status: Mapped[str | None] = mapped_column(String(50), nullable=True)  # success, error, in_progress
+    last_sync_message: Mapped[str | None] = mapped_column(Text, nullable=True)
+    files_processed_count: Mapped[int] = mapped_column(Integer, default=0)
+
+    # Database backup settings
+    backup_folder_id: Mapped[str | None] = mapped_column(String(50), nullable=True)
+    backup_folder_name: Mapped[str | None] = mapped_column(String(255), nullable=True)
+    backup_enabled: Mapped[bool] = mapped_column(Boolean, default=False)
+    backup_schedule: Mapped[str | None] = mapped_column(String(50), nullable=True)  # manual, daily, weekly
+    backup_time: Mapped[str | None] = mapped_column(String(10), nullable=True)  # HH:MM format for scheduled backups
+    last_backup: Mapped[datetime | None] = mapped_column(DateTime, nullable=True)
+    last_backup_status: Mapped[str | None] = mapped_column(String(50), nullable=True)
+    last_backup_message: Mapped[str | None] = mapped_column(Text, nullable=True)
+
+    # Timestamps
+    created_at: Mapped[datetime] = mapped_column(DateTime, default=datetime.utcnow)
+    updated_at: Mapped[datetime] = mapped_column(DateTime, default=datetime.utcnow, onupdate=datetime.utcnow)
+
+
+class BoxSyncLog(Base):
+    """Log of Box sync operations."""
+    __tablename__ = "box_sync_logs"
+
+    id: Mapped[int] = mapped_column(Integer, primary_key=True, autoincrement=True)
+    connection_id: Mapped[str] = mapped_column(String(36), nullable=False, index=True)
+    started_at: Mapped[datetime] = mapped_column(DateTime, default=datetime.utcnow)
+    completed_at: Mapped[datetime | None] = mapped_column(DateTime, nullable=True)
+    status: Mapped[str] = mapped_column(String(50), default="in_progress")  # in_progress, success, error
+    files_found: Mapped[int] = mapped_column(Integer, default=0)
+    files_processed: Mapped[int] = mapped_column(Integer, default=0)
+    files_failed: Mapped[int] = mapped_column(Integer, default=0)
+    records_imported: Mapped[int] = mapped_column(Integer, default=0)
+    error_message: Mapped[str | None] = mapped_column(Text, nullable=True)
+    details: Mapped[dict | None] = mapped_column(JSON, nullable=True)

backend/models/group.py

@@ -0,0 +1,19 @@
+import uuid
+from datetime import datetime
+from sqlalchemy import String, DateTime, Text
+from sqlalchemy.orm import Mapped, mapped_column, relationship
+from backend.database import Base
+
+
+class Group(Base):
+    __tablename__ = "groups"
+
+    id: Mapped[str] = mapped_column(String(36), primary_key=True, default=lambda: str(uuid.uuid4()))
+    name: Mapped[str] = mapped_column(String(255), unique=True, nullable=False)
+    description: Mapped[str | None] = mapped_column(Text, nullable=True)
+    created_at: Mapped[datetime] = mapped_column(DateTime, default=datetime.utcnow)
+    updated_at: Mapped[datetime] = mapped_column(DateTime, default=datetime.utcnow, onupdate=datetime.utcnow)
+
+    # Relationships
+    members: Mapped[list["UserGroup"]] = relationship("UserGroup", back_populates="group", cascade="all, delete-orphan")
+    sites: Mapped[list["GroupSite"]] = relationship("GroupSite", back_populates="group", cascade="all, delete-orphan")

backend/models/pipeline.py

@@ -0,0 +1,43 @@
+import uuid
+from datetime import datetime
+from sqlalchemy import String, DateTime, Integer, ForeignKey, Text, JSON
+from sqlalchemy.orm import Mapped, mapped_column
+from backend.database import Base
+
+
+class FileArchive(Base):
+    __tablename__ = "file_archives"
+
+    id: Mapped[str] = mapped_column(String(36), primary_key=True, default=lambda: str(uuid.uuid4()))
+    original_filename: Mapped[str] = mapped_column(String(255), nullable=False)
+    file_hash: Mapped[str] = mapped_column(String(64), nullable=False, index=True)  # SHA256
+    file_size: Mapped[int | None] = mapped_column(Integer, nullable=True)
+    upload_date: Mapped[datetime] = mapped_column(DateTime, default=datetime.utcnow)
+    processed_date: Mapped[datetime | None] = mapped_column(DateTime, nullable=True)
+    status: Mapped[str] = mapped_column(String(50), default="pending")  # pending, processing, completed, error
+    error_message: Mapped[str | None] = mapped_column(Text, nullable=True)
+    records_imported: Mapped[int] = mapped_column(Integer, default=0)
+    archived_path: Mapped[str | None] = mapped_column(String(500), nullable=True)
+
+
+class PipelineConfig(Base):
+    __tablename__ = "pipeline_config"
+
+    key: Mapped[str] = mapped_column(String(100), primary_key=True)
+    value: Mapped[str] = mapped_column(Text, nullable=False)
+    description: Mapped[str | None] = mapped_column(Text, nullable=True)
+    updated_at: Mapped[datetime] = mapped_column(DateTime, default=datetime.utcnow, onupdate=datetime.utcnow)
+    updated_by: Mapped[str | None] = mapped_column(String(36), ForeignKey("users.id"), nullable=True)
+
+
+class AuditLog(Base):
+    __tablename__ = "audit_log"
+
+    id: Mapped[int] = mapped_column(Integer, primary_key=True, autoincrement=True)
+    user_id: Mapped[str | None] = mapped_column(String(36), ForeignKey("users.id"), nullable=True)
+    action: Mapped[str] = mapped_column(String(100), nullable=False)
+    resource_type: Mapped[str | None] = mapped_column(String(100), nullable=True)
+    resource_id: Mapped[str | None] = mapped_column(String(36), nullable=True)
+    details: Mapped[dict | None] = mapped_column(JSON, nullable=True)
+    ip_address: Mapped[str | None] = mapped_column(String(45), nullable=True)
+    created_at: Mapped[datetime] = mapped_column(DateTime, default=datetime.utcnow, index=True)

backend/models/sensor_data.py

@@ -0,0 +1,23 @@
+from datetime import datetime
+from sqlalchemy import String, DateTime, Integer, ForeignKey, JSON, Index
+from sqlalchemy.orm import Mapped, mapped_column, relationship
+from backend.database import Base
+
+
+class SensorData(Base):
+    __tablename__ = "sensor_data"
+
+    id: Mapped[int] = mapped_column(Integer, primary_key=True, autoincrement=True)
+    site_id: Mapped[str] = mapped_column(String(36), ForeignKey("sites.id"), nullable=False, index=True)
+    timestamp: Mapped[datetime] = mapped_column(DateTime, nullable=False, index=True)
+    data: Mapped[dict] = mapped_column(JSON, nullable=False)  # All parameter values as JSON
+    record_number: Mapped[int | None] = mapped_column(Integer, nullable=True)
+    created_at: Mapped[datetime] = mapped_column(DateTime, default=datetime.utcnow)
+
+    # Relationships
+    site: Mapped["Site"] = relationship("Site", back_populates="sensor_data")
+
+    # Composite index for efficient time-range queries
+    __table_args__ = (
+        Index("idx_sensor_data_site_timestamp", "site_id", "timestamp", unique=True),
+    )

backend/models/site.py

@@ -0,0 +1,78 @@
+import uuid
+from datetime import datetime
+from sqlalchemy import String, DateTime, Float, Boolean, ForeignKey, Text
+from sqlalchemy.orm import Mapped, mapped_column, relationship
+from backend.database import Base
+
+
+class Crop(Base):
+    __tablename__ = "crops"
+
+    id: Mapped[str] = mapped_column(String(36), primary_key=True, default=lambda: str(uuid.uuid4()))
+    name: Mapped[str] = mapped_column(String(100), unique=True, nullable=False)  # e.g., "almonds"
+    display_name: Mapped[str] = mapped_column(String(100), nullable=False)  # e.g., "Almonds"
+    color: Mapped[str] = mapped_column(String(20), default="#3B82F6")  # Hex color for map markers
+
+    # Relationships
+    sites: Mapped[list["Site"]] = relationship("Site", back_populates="crop")
+    equipment_groups: Mapped[list["EquipmentGroup"]] = relationship("EquipmentGroup", back_populates="crop")
+    parameters: Mapped[list["Parameter"]] = relationship("Parameter", back_populates="crop")
+
+
+class Site(Base):
+    __tablename__ = "sites"
+
+    id: Mapped[str] = mapped_column(String(36), primary_key=True, default=lambda: str(uuid.uuid4()))
+    site_code: Mapped[str] = mapped_column(String(50), unique=True, nullable=False, index=True)  # e.g., "OLA_001"
+    name: Mapped[str] = mapped_column(String(255), nullable=False)
+    crop_id: Mapped[str] = mapped_column(String(36), ForeignKey("crops.id"), nullable=False)
+    latitude: Mapped[float] = mapped_column(Float, nullable=False)
+    longitude: Mapped[float] = mapped_column(Float, nullable=False)
+    is_active: Mapped[bool] = mapped_column(Boolean, default=True)
+    created_at: Mapped[datetime] = mapped_column(DateTime, default=datetime.utcnow)
+    updated_at: Mapped[datetime] = mapped_column(DateTime, default=datetime.utcnow, onupdate=datetime.utcnow)
+
+    # Relationships
+    crop: Mapped["Crop"] = relationship("Crop", back_populates="sites")
+    groups: Mapped[list["GroupSite"]] = relationship("GroupSite", back_populates="site", cascade="all, delete-orphan")
+    sensor_data: Mapped[list["SensorData"]] = relationship("SensorData", back_populates="site", cascade="all, delete-orphan")
+
+
+class GroupSite(Base):
+    __tablename__ = "group_sites"
+
+    group_id: Mapped[str] = mapped_column(String(36), ForeignKey("groups.id", ondelete="CASCADE"), primary_key=True)
+    site_id: Mapped[str] = mapped_column(String(36), ForeignKey("sites.id", ondelete="CASCADE"), primary_key=True)
+
+    # Relationships
+    group: Mapped["Group"] = relationship("Group", back_populates="sites")
+    site: Mapped["Site"] = relationship("Site", back_populates="groups")
+
+
+class EquipmentGroup(Base):
+    __tablename__ = "equipment_groups"
+
+    id: Mapped[str] = mapped_column(String(36), primary_key=True, default=lambda: str(uuid.uuid4()))
+    name: Mapped[str] = mapped_column(String(255), nullable=False)  # e.g., "Soil Thermocouple"
+    crop_id: Mapped[str] = mapped_column(String(36), ForeignKey("crops.id"), nullable=False)
+
+    # Relationships
+    crop: Mapped["Crop"] = relationship("Crop", back_populates="equipment_groups")
+    parameters: Mapped[list["Parameter"]] = relationship("Parameter", back_populates="equipment_group")
+
+
+class Parameter(Base):
+    __tablename__ = "parameters"
+
+    id: Mapped[str] = mapped_column(String(36), primary_key=True, default=lambda: str(uuid.uuid4()))
+    name: Mapped[str] = mapped_column(String(100), nullable=False)  # e.g., "TS1_2cm"
+    display_name: Mapped[str | None] = mapped_column(String(255), nullable=True)
+    unit: Mapped[str | None] = mapped_column(String(50), nullable=True)
+    equipment_group_id: Mapped[str | None] = mapped_column(String(36), ForeignKey("equipment_groups.id"), nullable=True)
+    crop_id: Mapped[str] = mapped_column(String(36), ForeignKey("crops.id"), nullable=False)
+    min_range: Mapped[float | None] = mapped_column(Float, nullable=True)
+    max_range: Mapped[float | None] = mapped_column(Float, nullable=True)
+
+    # Relationships
+    equipment_group: Mapped["EquipmentGroup | None"] = relationship("EquipmentGroup", back_populates="parameters")
+    crop: Mapped["Crop"] = relationship("Crop", back_populates="parameters")

backend/models/user.py

@@ -0,0 +1,36 @@
+import uuid
+from datetime import datetime
+from sqlalchemy import String, Boolean, DateTime, ForeignKey, Text, Integer
+from sqlalchemy.orm import Mapped, mapped_column, relationship
+from backend.database import Base
+
+
+class User(Base):
+    __tablename__ = "users"
+
+    id: Mapped[str] = mapped_column(String(36), primary_key=True, default=lambda: str(uuid.uuid4()))
+    email: Mapped[str] = mapped_column(String(255), unique=True, nullable=False, index=True)
+    password_hash: Mapped[str] = mapped_column(Text, nullable=False)
+    full_name: Mapped[str] = mapped_column(String(255), nullable=False)
+    is_admin: Mapped[bool] = mapped_column(Boolean, default=False)
+    is_active: Mapped[bool] = mapped_column(Boolean, default=True)
+    created_at: Mapped[datetime] = mapped_column(DateTime, default=datetime.utcnow)
+    updated_at: Mapped[datetime] = mapped_column(DateTime, default=datetime.utcnow, onupdate=datetime.utcnow)
+    last_login: Mapped[datetime | None] = mapped_column(DateTime, nullable=True)
+    token_version: Mapped[int] = mapped_column(Integer, default=1)
+
+    # Relationships
+    groups: Mapped[list["UserGroup"]] = relationship("UserGroup", back_populates="user", cascade="all, delete-orphan")
+
+
+class UserGroup(Base):
+    __tablename__ = "user_groups"
+
+    user_id: Mapped[str] = mapped_column(String(36), ForeignKey("users.id", ondelete="CASCADE"), primary_key=True)
+    group_id: Mapped[str] = mapped_column(String(36), ForeignKey("groups.id", ondelete="CASCADE"), primary_key=True)
+    role: Mapped[str] = mapped_column(String(50), default="viewer")  # viewer, editor, manager
+    created_at: Mapped[datetime] = mapped_column(DateTime, default=datetime.utcnow)
+
+    # Relationships
+    user: Mapped["User"] = relationship("User", back_populates="groups")
+    group: Mapped["Group"] = relationship("Group", back_populates="members")

backend/requirements.txt

@@ -0,0 +1,15 @@
+fastapi==0.109.0
+uvicorn[standard]==0.27.0
+sqlalchemy==2.0.25
+pydantic[email]==2.5.3
+pydantic-settings==2.1.0
+python-jose[cryptography]==3.3.0
+passlib==1.7.4
+bcrypt==4.0.1
+python-multipart==0.0.6
+pandas==2.2.0
+numpy==1.26.3
+aiofiles==23.2.1
+boxsdk==3.9.2
+apscheduler==3.10.4
+sqlcipher3==0.5.3

backend/schemas/__init__.py

@@ -0,0 +1,11 @@
+from backend.schemas.user import UserCreate, UserUpdate, UserResponse, UserInDB
+from backend.schemas.auth import Token, TokenPayload, LoginRequest
+from backend.schemas.site import SiteResponse, CropResponse, ParameterResponse
+from backend.schemas.sensor import SensorDataQuery, SensorDataResponse
+
+__all__ = [
+    "UserCreate", "UserUpdate", "UserResponse", "UserInDB",
+    "Token", "TokenPayload", "LoginRequest",
+    "SiteResponse", "CropResponse", "ParameterResponse",
+    "SensorDataQuery", "SensorDataResponse"
+]

backend/schemas/admin.py

@@ -0,0 +1,45 @@
+from datetime import datetime
+from pydantic import BaseModel
+
+
+class AuditLogResponse(BaseModel):
+    id: int
+    user_id: str | None
+    user_email: str | None = None
+    action: str
+    resource_type: str | None
+    resource_id: str | None
+    details: dict | None
+    ip_address: str | None
+    created_at: datetime
+
+    class Config:
+        from_attributes = True
+
+
+class SystemStatsResponse(BaseModel):
+    total_users: int
+    active_users: int
+    total_groups: int
+    total_sites: int
+    active_sites: int
+    total_sensor_records: int
+    total_parameters: int
+    total_equipment_groups: int
+
+
+class SiteCreate(BaseModel):
+    site_code: str
+    name: str
+    crop_id: str
+    latitude: float
+    longitude: float
+
+
+class SiteUpdate(BaseModel):
+    site_code: str | None = None
+    name: str | None = None
+    crop_id: str | None = None
+    latitude: float | None = None
+    longitude: float | None = None
+    is_active: bool | None = None

backend/schemas/auth.py

@@ -0,0 +1,25 @@
+from pydantic import BaseModel, EmailStr
+
+
+class LoginRequest(BaseModel):
+    email: EmailStr
+    password: str
+
+
+class Token(BaseModel):
+    access_token: str
+    refresh_token: str
+    token_type: str = "bearer"
+
+
+class RefreshRequest(BaseModel):
+    refresh_token: str
+
+
+class TokenPayload(BaseModel):
+    sub: str  # user_id
+    email: str
+    is_admin: bool
+    groups: list[str]  # group_ids
+    sites: list[str]  # site_codes the user can access
+    exp: int

backend/schemas/group.py

@@ -0,0 +1,60 @@
+from datetime import datetime
+from pydantic import BaseModel
+
+
+class GroupBase(BaseModel):
+    name: str
+    description: str | None = None
+
+
+class GroupCreate(GroupBase):
+    pass
+
+
+class GroupUpdate(BaseModel):
+    name: str | None = None
+    description: str | None = None
+
+
+class GroupMemberResponse(BaseModel):
+    user_id: str
+    email: str
+    full_name: str
+    role: str
+
+    class Config:
+        from_attributes = True
+
+
+class GroupSiteResponse(BaseModel):
+    site_id: str
+    site_code: str
+    site_name: str
+
+    class Config:
+        from_attributes = True
+
+
+class GroupResponse(GroupBase):
+    id: str
+    created_at: datetime
+    updated_at: datetime
+    member_count: int = 0
+    site_count: int = 0
+
+    class Config:
+        from_attributes = True
+
+
+class GroupDetailResponse(GroupResponse):
+    members: list[GroupMemberResponse] = []
+    sites: list[GroupSiteResponse] = []
+
+
+class AssignUserToGroupRequest(BaseModel):
+    user_id: str
+    role: str = "viewer"  # viewer, editor, manager
+
+
+class AssignSiteToGroupRequest(BaseModel):
+    site_id: str

backend/schemas/pipeline.py

@@ -0,0 +1,56 @@
+"""Pipeline schemas for file upload and processing."""
+from pydantic import BaseModel
+from datetime import datetime
+from typing import Optional
+
+
+class FileInfo(BaseModel):
+    """Information about a file in staging or processed folder."""
+    filename: str
+    size: int
+    modified: datetime
+    status: str  # staging, processing, processed, error
+
+
+class FileUploadResponse(BaseModel):
+    """Response after uploading a file."""
+    filename: str
+    size: int
+    message: str
+
+
+class ProcessingResult(BaseModel):
+    """Result of processing a single file."""
+    filename: str
+    status: str  # success, error
+    records_imported: int
+    records_skipped: int
+    records_duplicate: int
+    error_message: Optional[str] = None
+    processing_time: float  # seconds
+
+
+class PipelineStatus(BaseModel):
+    """Overall pipeline status."""
+    staging_files: list[FileInfo]
+    processed_files: list[FileInfo]
+    is_processing: bool
+    last_run: Optional[datetime] = None
+
+
+class ProcessRequest(BaseModel):
+    """Request to process specific files."""
+    filenames: Optional[list[str]] = None  # None = process all staging files
+
+
+class DatabaseExportResponse(BaseModel):
+    """Response for database export."""
+    filename: str
+    size: int
+    tables: dict[str, int]  # table name -> row count
+    created_at: datetime
+
+
+class DatabaseImportRequest(BaseModel):
+    """Request for database import confirmation."""
+    confirm: bool = False

backend/schemas/sensor.py

@@ -0,0 +1,22 @@
+from datetime import datetime
+from pydantic import BaseModel
+
+
+class SensorDataQuery(BaseModel):
+    sites: list[str]  # site_codes
+    parameters: list[str]  # parameter names
+    start: datetime | None = None
+    end: datetime | None = None
+
+
+class SensorDataPoint(BaseModel):
+    timestamp: datetime
+    site_code: str
+    values: dict[str, float | None]  # parameter_name -> value
+
+
+class SensorDataResponse(BaseModel):
+    data: list[SensorDataPoint]
+    sites: list[str]
+    parameters: list[str]
+    count: int

backend/schemas/site.py

@@ -0,0 +1,49 @@
+from datetime import datetime
+from pydantic import BaseModel
+
+
+class CropResponse(BaseModel):
+    id: str
+    name: str
+    display_name: str
+    color: str
+
+    class Config:
+        from_attributes = True
+
+
+class SiteResponse(BaseModel):
+    id: str
+    site_code: str
+    name: str
+    crop_id: str
+    crop_name: str | None = None
+    latitude: float
+    longitude: float
+    is_active: bool
+
+    class Config:
+        from_attributes = True
+
+
+class EquipmentGroupResponse(BaseModel):
+    id: str
+    name: str
+    crop_id: str
+
+    class Config:
+        from_attributes = True
+
+
+class ParameterResponse(BaseModel):
+    id: str
+    name: str
+    display_name: str | None
+    unit: str | None
+    equipment_group_id: str | None
+    equipment_group_name: str | None = None
+    min_range: float | None
+    max_range: float | None
+
+    class Config:
+        from_attributes = True

backend/schemas/user.py

@@ -0,0 +1,41 @@
+from datetime import datetime
+from pydantic import BaseModel, EmailStr
+
+
+class UserBase(BaseModel):
+    email: EmailStr
+    full_name: str
+    is_admin: bool = False
+
+
+class UserCreate(UserBase):
+    password: str
+
+
+class UserUpdate(BaseModel):
+    email: EmailStr | None = None
+    full_name: str | None = None
+    is_admin: bool | None = None
+    is_active: bool | None = None
+    password: str | None = None
+
+
+class UserResponse(UserBase):
+    id: str
+    is_active: bool
+    created_at: datetime
+    last_login: datetime | None = None
+    groups: list[str] = []  # List of group names
+
+    class Config:
+        from_attributes = True
+
+
+class UserInDB(UserBase):
+    id: str
+    password_hash: str
+    is_active: bool
+    created_at: datetime
+
+    class Config:
+        from_attributes = True

backend/services/auth.py

@@ -0,0 +1,84 @@
+from datetime import datetime
+from sqlalchemy.orm import Session
+from backend.models import User, UserGroup, GroupSite
+from backend.core.security import verify_password, get_password_hash, create_access_token, create_refresh_token
+from backend.schemas.auth import Token
+
+
+def authenticate_user(db: Session, email: str, password: str) -> User | None:
+    user = db.query(User).filter(User.email == email).first()
+    if not user:
+        return None
+    if not verify_password(password, user.password_hash):
+        return None
+    return user
+
+
+def create_token_for_user(db: Session, user: User) -> Token:
+    # Get user's groups
+    user_groups = db.query(UserGroup).filter(UserGroup.user_id == user.id).all()
+    group_ids = [ug.group_id for ug in user_groups]
+
+    # Get sites accessible through user's groups
+    if user.is_admin:
+        # Admin can see all sites
+        from backend.models import Site
+        sites = db.query(Site).filter(Site.is_active == True).all()
+        site_codes = [s.site_code for s in sites]
+    else:
+        # Regular user can only see sites from their groups
+        group_sites = db.query(GroupSite).filter(GroupSite.group_id.in_(group_ids)).all()
+        site_ids = [gs.site_id for gs in group_sites]
+        from backend.models import Site
+        sites = db.query(Site).filter(Site.id.in_(site_ids), Site.is_active == True).all()
+        site_codes = [s.site_code for s in sites]
+
+    # Common token data
+    token_data = {
+        "sub": user.id,
+        "email": user.email,
+        "is_admin": user.is_admin,
+        "groups": group_ids,
+        "sites": site_codes,
+        "token_version": user.token_version,
+    }
+
+    # Create both tokens
+    access_token = create_access_token(data=token_data)
+
+    # Refresh token only needs user ID and token_version for validation
+    refresh_data = {
+        "sub": user.id,
+        "token_version": user.token_version,
+    }
+    refresh_token = create_refresh_token(data=refresh_data)
+
+    # Update last login
+    user.last_login = datetime.utcnow()
+    db.commit()
+
+    return Token(access_token=access_token, refresh_token=refresh_token)
+
+
+def create_user(
+    db: Session,
+    email: str,
+    password: str,
+    full_name: str,
+    is_admin: bool = False
+) -> User:
+    password_hash = get_password_hash(password)
+    user = User(
+        email=email,
+        password_hash=password_hash,
+        full_name=full_name,
+        is_admin=is_admin
+    )
+    db.add(user)
+    db.commit()
+    db.refresh(user)
+    return user
+
+
+def get_user_by_email(db: Session, email: str) -> User | None:
+    return db.query(User).filter(User.email == email).first()

backend/services/box_integration.py

@@ -0,0 +1,312 @@
+"""
+Box integration service for OAuth and file operations.
+Handles authentication, folder browsing, file downloads, and file moves.
+"""
+import os
+import shutil
+import secrets
+from datetime import datetime, timedelta
+from pathlib import Path
+from typing import Optional
+from urllib.parse import urlencode
+
+from boxsdk import OAuth2, Client
+from boxsdk.exception import BoxAPIException
+from sqlalchemy.orm import Session
+
+from backend.config import settings
+from backend.models import BoxConnection, BoxSyncLog, AuditLog
+
+
+# OAuth state storage (in production, use Redis or database)
+_oauth_states: dict[str, datetime] = {}
+
+
+class BoxService:
+    """Service for Box API operations."""
+
+    def __init__(self, db: Session):
+        self.db = db
+
+    def get_connection(self) -> Optional[BoxConnection]:
+        """Get the current Box connection (only one allowed)."""
+        return self.db.query(BoxConnection).first()
+
+    def get_oauth_url(self) -> dict:
+        """Generate Box OAuth authorization URL."""
+        if not settings.box_client_id or not settings.box_client_secret:
+            raise ValueError("Box OAuth credentials not configured. Set BOX_CLIENT_ID and BOX_CLIENT_SECRET in .env")
+
+        # Generate state token for CSRF protection
+        state = secrets.token_urlsafe(32)
+        _oauth_states[state] = datetime.utcnow()
+
+        # Clean old states (older than 10 minutes)
+        cutoff = datetime.utcnow() - timedelta(minutes=10)
+        for s, t in list(_oauth_states.items()):
+            if t < cutoff:
+                del _oauth_states[s]
+
+        # Build authorization URL
+        params = {
+            'client_id': settings.box_client_id,
+            'redirect_uri': settings.box_redirect_uri,
+            'response_type': 'code',
+            'state': state,
+        }
+        auth_url = f"https://account.box.com/api/oauth2/authorize?{urlencode(params)}"
+
+        return {
+            'auth_url': auth_url,
+            'state': state
+        }
+
+    def exchange_code(self, code: str, state: str) -> BoxConnection:
+        """Exchange authorization code for tokens."""
+        # Verify state
+        if state not in _oauth_states:
+            raise ValueError("Invalid or expired state token")
+        del _oauth_states[state]
+
+        # Create OAuth2 object and authenticate
+        oauth = OAuth2(
+            client_id=settings.box_client_id,
+            client_secret=settings.box_client_secret,
+        )
+
+        # Exchange code for tokens
+        access_token, refresh_token = oauth.authenticate(code)
+
+        # Create Box client to get user info
+        client = Client(oauth)
+        user = client.user().get()
+
+        # Get or create connection
+        connection = self.get_connection()
+        if not connection:
+            connection = BoxConnection()
+            self.db.add(connection)
+
+        # Update connection with tokens and user info
+        connection.access_token = access_token
+        connection.refresh_token = refresh_token
+        connection.token_expires_at = datetime.utcnow() + timedelta(hours=1)
+        connection.box_user_id = user.id
+        connection.box_user_name = user.name
+        connection.box_user_email = user.login
+        connection.updated_at = datetime.utcnow()
+
+        self.db.commit()
+        self.db.refresh(connection)
+
+        return connection
+
+    def get_client(self, connection: Optional[BoxConnection] = None) -> Optional[Client]:
+        """Get an authenticated Box client, refreshing tokens if needed."""
+        if connection is None:
+            connection = self.get_connection()
+
+        if not connection or not connection.access_token:
+            return None
+
+        def store_tokens(access_token, refresh_token):
+            """Callback to store refreshed tokens."""
+            connection.access_token = access_token
+            connection.refresh_token = refresh_token
+            connection.token_expires_at = datetime.utcnow() + timedelta(hours=1)
+            connection.updated_at = datetime.utcnow()
+            self.db.commit()
+
+        oauth = OAuth2(
+            client_id=settings.box_client_id,
+            client_secret=settings.box_client_secret,
+            access_token=connection.access_token,
+            refresh_token=connection.refresh_token,
+            store_tokens=store_tokens
+        )
+
+        return Client(oauth)
+
+    def list_folders(self, folder_id: str = '0', connection: Optional[BoxConnection] = None) -> list[dict]:
+        """List folders in a Box folder."""
+        client = self.get_client(connection)
+        if not client:
+            raise ValueError("No Box connection available")
+
+        try:
+            folder = client.folder(folder_id).get()
+            items = folder.get_items(limit=100, offset=0)
+
+            folders = []
+            for item in items:
+                if item.type == 'folder':
+                    folders.append({
+                        'id': item.id,
+                        'name': item.name,
+                        'type': 'folder'
+                    })
+
+            return folders
+        except BoxAPIException as e:
+            raise ValueError(f"Box API error: {e.message}")
+
+    def list_files(self, folder_id: str, connection: Optional[BoxConnection] = None) -> list[dict]:
+        """List CSV files in a Box folder."""
+        client = self.get_client(connection)
+        if not client:
+            raise ValueError("No Box connection available")
+
+        try:
+            folder = client.folder(folder_id).get()
+            # Request specific fields - mini items from get_items() don't have size/modified_at
+            items = folder.get_items(limit=1000, offset=0, fields=['id', 'name', 'type', 'size', 'modified_at'])
+
+            files = []
+            for item in items:
+                if item.type == 'file' and item.name.lower().endswith('.csv'):
+                    files.append({
+                        'id': item.id,
+                        'name': item.name,
+                        'size': getattr(item, 'size', None),
+                        'modified_at': getattr(item, 'modified_at', None)
+                    })
+
+            return files
+        except BoxAPIException as e:
+            raise ValueError(f"Box API error: {e.message}")
+
+    def download_file(self, file_id: str, local_path: Path, connection: Optional[BoxConnection] = None) -> Path:
+        """Download a file from Box to local storage."""
+        client = self.get_client(connection)
+        if not client:
+            raise ValueError("No Box connection available")
+
+        try:
+            box_file = client.file(file_id).get()
+            with open(local_path, 'wb') as f:
+                box_file.download_to(f)
+            return local_path
+        except BoxAPIException as e:
+            raise ValueError(f"Box API error: {e.message}")
+
+    def move_file(self, file_id: str, dest_folder_id: str, connection: Optional[BoxConnection] = None) -> dict:
+        """Move a file to a different folder in Box."""
+        client = self.get_client(connection)
+        if not client:
+            raise ValueError("No Box connection available")
+
+        try:
+            box_file = client.file(file_id)
+            moved_file = box_file.move(parent_folder=client.folder(dest_folder_id))
+            return {
+                'id': moved_file.id,
+                'name': moved_file.name,
+                'parent_id': moved_file.parent.id
+            }
+        except BoxAPIException as e:
+            raise ValueError(f"Box API error: {e.message}")
+
+    def upload_file(
+        self,
+        file_path: Path,
+        folder_id: str,
+        filename: Optional[str] = None,
+        connection: Optional[BoxConnection] = None
+    ) -> dict:
+        """Upload a file to a Box folder."""
+        client = self.get_client(connection)
+        if not client:
+            raise ValueError("No Box connection available")
+
+        try:
+            folder = client.folder(folder_id)
+            upload_filename = filename or file_path.name
+
+            with open(file_path, 'rb') as f:
+                uploaded_file = folder.upload_stream(f, upload_filename)
+
+            return {
+                'id': uploaded_file.id,
+                'name': uploaded_file.name,
+                'size': uploaded_file.size if hasattr(uploaded_file, 'size') else None
+            }
+        except BoxAPIException as e:
+            raise ValueError(f"Box API error: {e.message}")
+
+    def update_folder_config(
+        self,
+        staging_folder_id: str,
+        staging_folder_name: str,
+        processed_folder_id: str,
+        processed_folder_name: str,
+        sync_interval_minutes: int = 60,
+        connection: Optional[BoxConnection] = None
+    ) -> BoxConnection:
+        """Update folder configuration for the Box connection."""
+        if connection is None:
+            connection = self.get_connection()
+
+        if not connection:
+            raise ValueError("No Box connection available")
+
+        connection.staging_folder_id = staging_folder_id
+        connection.staging_folder_name = staging_folder_name
+        connection.processed_folder_id = processed_folder_id
+        connection.processed_folder_name = processed_folder_name
+        connection.sync_interval_minutes = sync_interval_minutes
+        connection.is_active = True
+        connection.updated_at = datetime.utcnow()
+
+        self.db.commit()
+        self.db.refresh(connection)
+
+        return connection
+
+    def disconnect(self) -> bool:
+        """Remove Box connection and clear tokens."""
+        connection = self.get_connection()
+        if connection:
+            self.db.delete(connection)
+            self.db.commit()
+            return True
+        return False
+
+    def create_sync_log(self, connection_id: str) -> BoxSyncLog:
+        """Create a new sync log entry."""
+        log = BoxSyncLog(connection_id=connection_id)
+        self.db.add(log)
+        self.db.commit()
+        self.db.refresh(log)
+        return log
+
+    def update_sync_log(
+        self,
+        log: BoxSyncLog,
+        status: str,
+        files_found: int = 0,
+        files_processed: int = 0,
+        files_failed: int = 0,
+        records_imported: int = 0,
+        error_message: Optional[str] = None,
+        details: Optional[dict] = None
+    ):
+        """Update a sync log entry."""
+        log.status = status
+        log.files_found = files_found
+        log.files_processed = files_processed
+        log.files_failed = files_failed
+        log.records_imported = records_imported
+        log.error_message = error_message
+        log.details = details
+        if status in ['success', 'error']:
+            log.completed_at = datetime.utcnow()
+        self.db.commit()
+
+    def get_sync_logs(self, limit: int = 20) -> list[BoxSyncLog]:
+        """Get recent sync logs."""
+        return self.db.query(BoxSyncLog).order_by(BoxSyncLog.started_at.desc()).limit(limit).all()
+
+
+def is_box_configured() -> bool:
+    """Check if Box OAuth credentials are configured."""
+    return bool(settings.box_client_id and settings.box_client_secret)

backend/services/box_worker.py

@@ -0,0 +1,404 @@
+"""
+Box background worker for periodic file sync.
+Downloads files from Box staging folder, processes them, and moves to processed folder.
+"""
+import time
+from datetime import datetime
+from pathlib import Path
+from typing import Optional
+import threading
+
+from apscheduler.schedulers.background import BackgroundScheduler
+from apscheduler.triggers.interval import IntervalTrigger
+from sqlalchemy.orm import Session
+
+from backend.database import SessionLocal
+from backend.models import BoxConnection, BoxSyncLog, AuditLog
+from backend.services.box_integration import BoxService
+from backend.services import pipeline_worker
+from backend.config import settings
+
+
+# Global scheduler instance
+_scheduler: Optional[BackgroundScheduler] = None
+_is_syncing = False
+_sync_lock = threading.Lock()
+
+
+def get_scheduler() -> BackgroundScheduler:
+    """Get or create the background scheduler."""
+    global _scheduler
+    if _scheduler is None:
+        _scheduler = BackgroundScheduler()
+    return _scheduler
+
+
+def start_scheduler():
+    """Start the background scheduler if not already running."""
+    scheduler = get_scheduler()
+    if not scheduler.running:
+        scheduler.start()
+        print("Box sync scheduler started")
+
+
+def stop_scheduler():
+    """Stop the background scheduler."""
+    global _scheduler
+    if _scheduler and _scheduler.running:
+        _scheduler.shutdown(wait=False)
+        _scheduler = None
+        print("Box sync scheduler stopped")
+
+
+def update_sync_schedule(interval_minutes: int = 60):
+    """Update the sync schedule interval."""
+    scheduler = get_scheduler()
+
+    # Remove existing job if any
+    if scheduler.get_job('box_sync'):
+        scheduler.remove_job('box_sync')
+
+    # Add new job with updated interval
+    scheduler.add_job(
+        run_box_sync,
+        trigger=IntervalTrigger(minutes=interval_minutes),
+        id='box_sync',
+        name='Box File Sync',
+        replace_existing=True,
+        max_instances=1
+    )
+
+    if not scheduler.running:
+        start_scheduler()
+
+    print(f"Box sync scheduled every {interval_minutes} minutes")
+
+
+def run_box_sync(force: bool = False) -> dict:
+    """
+    Run Box sync operation.
+    Downloads files from Box staging, processes them, and moves to processed folder.
+
+    Args:
+        force: If True, run even if another sync is in progress
+
+    Returns:
+        dict with sync results
+    """
+    global _is_syncing
+
+    # Check if already syncing
+    with _sync_lock:
+        if _is_syncing and not force:
+            return {'status': 'skipped', 'message': 'Sync already in progress'}
+        _is_syncing = True
+
+    result = {
+        'status': 'success',
+        'files_found': 0,
+        'files_processed': 0,
+        'files_failed': 0,
+        'records_imported': 0,
+        'errors': []
+    }
+
+    db = SessionLocal()
+    try:
+        box_service = BoxService(db)
+        connection = box_service.get_connection()
+
+        if not connection or not connection.is_active:
+            result['status'] = 'skipped'
+            result['message'] = 'No active Box connection'
+            return result
+
+        if not connection.staging_folder_id or not connection.processed_folder_id:
+            result['status'] = 'error'
+            result['message'] = 'Box folders not configured'
+            return result
+
+        # Create sync log
+        sync_log = box_service.create_sync_log(connection.id)
+
+        try:
+            # List files in staging folder
+            files = box_service.list_files(connection.staging_folder_id, connection)
+            result['files_found'] = len(files)
+
+            if not files:
+                box_service.update_sync_log(
+                    sync_log,
+                    status='success',
+                    files_found=0,
+                    details={'message': 'No files to process'}
+                )
+                connection.last_sync = datetime.utcnow()
+                connection.last_sync_status = 'success'
+                connection.last_sync_message = 'No new files'
+                db.commit()
+                return result
+
+            # Process each file
+            staging_dir = Path(settings.uploads_dir) / "staging"
+            staging_dir.mkdir(parents=True, exist_ok=True)
+
+            for file_info in files:
+                file_id = file_info['id']
+                file_name = file_info['name']
+
+                try:
+                    # Download to local staging
+                    local_path = staging_dir / f"box_{datetime.now().strftime('%Y%m%d_%H%M%S')}_{file_name}"
+                    box_service.download_file(file_id, local_path, connection)
+
+                    # Process the file using existing pipeline
+                    process_result = pipeline_worker.process_single_file(db, local_path, user_id=None)
+
+                    if process_result['status'] == 'success':
+                        result['files_processed'] += 1
+                        result['records_imported'] += process_result['records_imported']
+
+                        # Move file to processed folder in Box
+                        try:
+                            box_service.move_file(file_id, connection.processed_folder_id, connection)
+                        except Exception as move_err:
+                            result['errors'].append(f"Failed to move {file_name} in Box: {str(move_err)}")
+                    else:
+                        result['files_failed'] += 1
+                        result['errors'].append(f"{file_name}: {process_result.get('error_message', 'Unknown error')}")
+
+                except Exception as file_err:
+                    result['files_failed'] += 1
+                    result['errors'].append(f"{file_name}: {str(file_err)}")
+
+            # Update sync log
+            final_status = 'success' if result['files_failed'] == 0 else 'partial'
+            if result['files_processed'] == 0 and result['files_failed'] > 0:
+                final_status = 'error'
+
+            box_service.update_sync_log(
+                sync_log,
+                status=final_status,
+                files_found=result['files_found'],
+                files_processed=result['files_processed'],
+                files_failed=result['files_failed'],
+                records_imported=result['records_imported'],
+                error_message='; '.join(result['errors'][:5]) if result['errors'] else None,
+                details={'errors': result['errors']}
+            )
+
+            # Update connection status
+            connection.last_sync = datetime.utcnow()
+            connection.last_sync_status = final_status
+            connection.last_sync_message = f"Processed {result['files_processed']}/{result['files_found']} files"
+            connection.files_processed_count += result['files_processed']
+            db.commit()
+
+            result['status'] = final_status
+
+        except Exception as e:
+            box_service.update_sync_log(
+                sync_log,
+                status='error',
+                error_message=str(e)
+            )
+            connection.last_sync = datetime.utcnow()
+            connection.last_sync_status = 'error'
+            connection.last_sync_message = str(e)
+            db.commit()
+
+            result['status'] = 'error'
+            result['errors'].append(str(e))
+
+    finally:
+        db.close()
+        with _sync_lock:
+            _is_syncing = False
+
+    return result
+
+
+def get_sync_status() -> dict:
+    """Get current sync status."""
+    db = SessionLocal()
+    try:
+        box_service = BoxService(db)
+        connection = box_service.get_connection()
+
+        if not connection:
+            return {
+                'is_connected': False,
+                'is_syncing': _is_syncing,
+                'scheduler_running': _scheduler.running if _scheduler else False
+            }
+
+        return {
+            'is_connected': True,
+            'is_active': connection.is_active,
+            'is_syncing': _is_syncing,
+            'scheduler_running': _scheduler.running if _scheduler else False,
+            'last_sync': connection.last_sync.isoformat() if connection.last_sync else None,
+            'last_sync_status': connection.last_sync_status,
+            'last_sync_message': connection.last_sync_message,
+            'sync_interval_minutes': connection.sync_interval_minutes,
+            'files_processed_total': connection.files_processed_count
+        }
+    finally:
+        db.close()
+
+
+def initialize_box_scheduler():
+    """Initialize the Box scheduler based on active connection settings."""
+    db = SessionLocal()
+    try:
+        box_service = BoxService(db)
+        connection = box_service.get_connection()
+
+        if connection and connection.is_active and connection.staging_folder_id:
+            update_sync_schedule(connection.sync_interval_minutes)
+            print(f"Box scheduler initialized with {connection.sync_interval_minutes} minute interval")
+
+        # Initialize backup scheduler if configured
+        if connection and connection.backup_enabled and connection.backup_schedule != "manual":
+            update_backup_schedule(connection.backup_schedule, connection.backup_time)
+            print(f"Backup scheduler initialized: {connection.backup_schedule}")
+    finally:
+        db.close()
+
+
+# ============== Database Backup Functions ==============
+
+_backup_scheduler: Optional[BackgroundScheduler] = None
+
+
+def get_backup_scheduler() -> BackgroundScheduler:
+    """Get or create the backup scheduler."""
+    global _backup_scheduler
+    if _backup_scheduler is None:
+        _backup_scheduler = BackgroundScheduler()
+    return _backup_scheduler
+
+
+def update_backup_schedule(schedule: Optional[str], backup_time: Optional[str]):
+    """Update or disable the backup schedule."""
+    scheduler = get_backup_scheduler()
+
+    # Remove existing backup job if any
+    if scheduler.get_job('database_backup'):
+        scheduler.remove_job('database_backup')
+
+    if schedule is None or schedule == "manual":
+        print("Backup scheduler disabled")
+        return
+
+    # Parse backup time (default to 02:00 if not specified)
+    hour = 2
+    minute = 0
+    if backup_time:
+        try:
+            parts = backup_time.split(':')
+            hour = int(parts[0])
+            minute = int(parts[1]) if len(parts) > 1 else 0
+        except (ValueError, IndexError):
+            pass
+
+    # Configure trigger based on schedule
+    if schedule == "daily":
+        from apscheduler.triggers.cron import CronTrigger
+        trigger = CronTrigger(hour=hour, minute=minute)
+        print(f"Backup scheduled daily at {hour:02d}:{minute:02d}")
+    elif schedule == "weekly":
+        from apscheduler.triggers.cron import CronTrigger
+        # Weekly on Sunday
+        trigger = CronTrigger(day_of_week='sun', hour=hour, minute=minute)
+        print(f"Backup scheduled weekly on Sunday at {hour:02d}:{minute:02d}")
+    else:
+        print(f"Unknown backup schedule: {schedule}")
+        return
+
+    scheduler.add_job(
+        run_database_backup,
+        trigger=trigger,
+        id='database_backup',
+        name='Database Backup to Box',
+        replace_existing=True,
+        max_instances=1
+    )
+
+    if not scheduler.running:
+        scheduler.start()
+
+
+def run_database_backup(triggered_by: str = "scheduler") -> dict:
+    """
+    Run database backup to Box.
+
+    Copies the encrypted SQLite database to the configured Box backup folder.
+    """
+    result = {
+        'status': 'success',
+        'message': '',
+        'filename': None,
+        'triggered_by': triggered_by
+    }
+
+    db = SessionLocal()
+    try:
+        box_service = BoxService(db)
+        connection = box_service.get_connection()
+
+        if not connection:
+            result['status'] = 'error'
+            result['message'] = 'No Box connection available'
+            return result
+
+        if not connection.backup_folder_id:
+            result['status'] = 'error'
+            result['message'] = 'Backup folder not configured'
+            return result
+
+        # Get database file path
+        db_path = Path(settings.database_url.replace("sqlite:///", ""))
+
+        if not db_path.exists():
+            result['status'] = 'error'
+            result['message'] = 'Database file not found'
+            return result
+
+        # Generate backup filename with timestamp
+        timestamp = datetime.now().strftime('%Y%m%d_%H%M%S')
+        backup_filename = f"csg_dashboard_backup_{timestamp}.db"
+
+        try:
+            # Upload to Box
+            box_service.upload_file(
+                file_path=db_path,
+                folder_id=connection.backup_folder_id,
+                filename=backup_filename,
+                connection=connection
+            )
+
+            result['status'] = 'success'
+            result['message'] = f'Backup uploaded successfully: {backup_filename}'
+            result['filename'] = backup_filename
+
+            # Update connection status
+            connection.last_backup = datetime.utcnow()
+            connection.last_backup_status = 'success'
+            connection.last_backup_message = f'Uploaded {backup_filename}'
+            db.commit()
+
+        except Exception as e:
+            result['status'] = 'error'
+            result['message'] = f'Upload failed: {str(e)}'
+
+            # Update connection status
+            connection.last_backup = datetime.utcnow()
+            connection.last_backup_status = 'error'
+            connection.last_backup_message = str(e)
+            db.commit()
+
+    finally:
+        db.close()
+
+    return result

backend/services/data_import.py

@@ -0,0 +1,271 @@
+"""
+Data import service for loading sample sensor data.
+"""
+import pandas as pd
+from pathlib import Path
+from datetime import datetime
+import json
+from sqlalchemy.orm import Session
+from backend.models import Site, SensorData, Crop, EquipmentGroup, Parameter
+
+
+def get_site_map(db: Session) -> dict[str, str]:
+    """Get mapping of site_code to site_id."""
+    sites = db.query(Site).all()
+    return {s.site_code: s.id for s in sites}
+
+
+def get_crop_map(db: Session) -> dict[str, str]:
+    """Get mapping of crop_name to crop_id."""
+    crops = db.query(Crop).all()
+    return {c.name: c.id for c in crops}
+
+
+def import_equipment_groups(db: Session, base_path: Path):
+    """Import equipment groups and parameters from CSV files."""
+    crop_map = get_crop_map(db)
+
+    equipment_files = {
+        "almonds": "Almond_Equipment.csv",
+        "grapes": "Grape_Equipment.csv",
+        "olives": "Olive_Equipment.csv",
+        "pistachios": "Pistachio_Equipment.csv",
+    }
+
+    for crop_name, filename in equipment_files.items():
+        filepath = base_path / "read-in-csvs" / filename
+        if not filepath.exists():
+            print(f"Warning: {filepath} not found, skipping")
+            continue
+
+        crop_id = crop_map.get(crop_name)
+        if not crop_id:
+            print(f"Warning: Crop '{crop_name}' not found in database")
+            continue
+
+        # Read CSV - row 0 is parameter names (headers), row 1 is equipment groups
+        df = pd.read_csv(filepath, header=0, nrows=1)
+
+        # Get unique equipment groups for this crop
+        equipment_groups = set(df.iloc[0].values)
+
+        # Create equipment groups
+        eq_group_map = {}
+        for eq_name in equipment_groups:
+            if pd.isna(eq_name) or not eq_name:
+                continue
+            existing = db.query(EquipmentGroup).filter(
+                EquipmentGroup.name == eq_name,
+                EquipmentGroup.crop_id == crop_id
+            ).first()
+            if not existing:
+                eq = EquipmentGroup(name=eq_name, crop_id=crop_id)
+                db.add(eq)
+                db.flush()
+                eq_group_map[eq_name] = eq.id
+            else:
+                eq_group_map[eq_name] = existing.id
+
+        # Create parameters
+        for param_name in df.columns:
+            eq_name = df.iloc[0][param_name]
+            if pd.isna(eq_name):
+                eq_id = None
+            else:
+                eq_id = eq_group_map.get(eq_name)
+
+            existing = db.query(Parameter).filter(
+                Parameter.name == param_name,
+                Parameter.crop_id == crop_id
+            ).first()
+            if not existing:
+                param = Parameter(
+                    name=param_name,
+                    display_name=param_name.replace("_", " ").title(),
+                    crop_id=crop_id,
+                    equipment_group_id=eq_id
+                )
+                db.add(param)
+
+        db.commit()
+        print(f"Imported equipment groups for {crop_name}")
+
+    # Also add equipment groups for table_grapes (copy from grapes)
+    grapes_id = crop_map.get("grapes")
+    table_grapes_id = crop_map.get("table_grapes")
+    if grapes_id and table_grapes_id:
+        grape_eqs = db.query(EquipmentGroup).filter(EquipmentGroup.crop_id == grapes_id).all()
+        for eq in grape_eqs:
+            existing = db.query(EquipmentGroup).filter(
+                EquipmentGroup.name == eq.name,
+                EquipmentGroup.crop_id == table_grapes_id
+            ).first()
+            if not existing:
+                new_eq = EquipmentGroup(name=eq.name, crop_id=table_grapes_id)
+                db.add(new_eq)
+
+        grape_params = db.query(Parameter).filter(Parameter.crop_id == grapes_id).all()
+        for param in grape_params:
+            existing = db.query(Parameter).filter(
+                Parameter.name == param.name,
+                Parameter.crop_id == table_grapes_id
+            ).first()
+            if not existing:
+                # Find equipment group ID for table grapes
+                eq_id = None
+                if param.equipment_group:
+                    new_eq = db.query(EquipmentGroup).filter(
+                        EquipmentGroup.name == param.equipment_group.name,
+                        EquipmentGroup.crop_id == table_grapes_id
+                    ).first()
+                    if new_eq:
+                        eq_id = new_eq.id
+
+                new_param = Parameter(
+                    name=param.name,
+                    display_name=param.display_name,
+                    crop_id=table_grapes_id,
+                    equipment_group_id=eq_id
+                )
+                db.add(new_param)
+        db.commit()
+        print("Copied equipment groups to table_grapes")
+
+
+def import_sensor_data_from_csv(
+    db: Session,
+    csv_path: Path,
+    site_map: dict[str, str],
+    batch_size: int = 500
+) -> int:
+    """Import sensor data from a CSV file."""
+    print(f"Reading {csv_path.name}...")
+
+    # Read CSV
+    df = pd.read_csv(csv_path, low_memory=False)
+
+    # Check for required columns
+    if "TIMESTAMP" not in df.columns:
+        print(f"Error: TIMESTAMP column not found in {csv_path}")
+        return 0
+    if "Site" not in df.columns:
+        print(f"Error: Site column not found in {csv_path}")
+        return 0
+
+    # Columns to exclude from data JSON
+    exclude_cols = {"TIMESTAMP", "Site", "RECORD", "Unnamed: 0"}
+    data_cols = [c for c in df.columns if c not in exclude_cols]
+
+    imported = 0
+    skipped = 0
+    duplicates = 0
+
+    for idx, row in df.iterrows():
+        site_code = row.get("Site")
+        if pd.isna(site_code) or site_code not in site_map:
+            skipped += 1
+            continue
+
+        try:
+            timestamp = pd.to_datetime(row["TIMESTAMP"])
+        except Exception:
+            skipped += 1
+            continue
+
+        site_id = site_map[site_code]
+        ts = timestamp.to_pydatetime()
+
+        # Check for existing record
+        existing = db.query(SensorData).filter(
+            SensorData.site_id == site_id,
+            SensorData.timestamp == ts
+        ).first()
+
+        if existing:
+            duplicates += 1
+            continue
+
+        # Build data dict with all sensor values
+        data = {}
+        for col in data_cols:
+            val = row[col]
+            if pd.notna(val):
+                # Convert numpy types to Python types
+                if hasattr(val, 'item'):
+                    val = val.item()
+                data[col] = val
+
+        record_num = row.get("RECORD")
+        if pd.notna(record_num):
+            record_num = int(record_num)
+        else:
+            record_num = None
+
+        sensor_data = SensorData(
+            site_id=site_id,
+            timestamp=ts,
+            data=data,
+            record_number=record_num
+        )
+        db.add(sensor_data)
+        imported += 1
+
+        if imported % 500 == 0:
+            db.commit()
+            if imported % 2000 == 0:
+                print(f"  Imported {imported} records...")
+
+    db.commit()
+    print(f"  Completed: {imported} imported, {duplicates} duplicates, {skipped} skipped")
+    return imported
+
+
+def import_all_sample_data(db: Session, original_repo_path: str):
+    """Import all sample data from the original repo."""
+    base_path = Path(original_repo_path)
+    sample_path = base_path / "sample-data"
+
+    if not sample_path.exists():
+        raise FileNotFoundError(f"Sample data path not found: {sample_path}")
+
+    # Import equipment groups first
+    print("\n=== Importing Equipment Groups ===")
+    import_equipment_groups(db, base_path)
+
+    # Get site mapping
+    site_map = get_site_map(db)
+    print(f"\nFound {len(site_map)} sites in database")
+
+    # Import sensor data from each CSV
+    print("\n=== Importing Sensor Data ===")
+    csv_files = ["trex_data.csv", "matt_data.csv", "lynn_data.csv"]
+    total = 0
+
+    for csv_file in csv_files:
+        csv_path = sample_path / csv_file
+        if csv_path.exists():
+            count = import_sensor_data_from_csv(db, csv_path, site_map)
+            total += count
+        else:
+            print(f"Warning: {csv_path} not found")
+
+    print(f"\n=== Import Complete ===")
+    print(f"Total records imported: {total}")
+    return total
+
+
+if __name__ == "__main__":
+    # Run as standalone script
+    import sys
+    sys.path.insert(0, str(Path(__file__).parent.parent.parent))
+
+    from backend.database import SessionLocal, init_db
+
+    init_db()
+    db = SessionLocal()
+
+    try:
+        original_repo = "/Users/rich/Dev/cropdash/crop-dashboard"
+        import_all_sample_data(db, original_repo)
+    finally:
+        db.close()

backend/services/pipeline_worker.py

@@ -0,0 +1,383 @@
+"""
+Pipeline worker for processing CSI datalogger files.
+Handles file upload, validation, processing, and archival.
+"""
+import os
+import shutil
+import time
+import hashlib
+from pathlib import Path
+from datetime import datetime
+from typing import Optional
+import pandas as pd
+from sqlalchemy.orm import Session
+
+from backend.models import Site, SensorData, FileArchive, AuditLog
+from backend.config import settings
+
+
+# Paths
+UPLOAD_BASE = Path(settings.uploads_dir)
+STAGING_DIR = UPLOAD_BASE / "staging"
+PROCESSED_DIR = UPLOAD_BASE / "processed"
+
+# Ensure directories exist
+STAGING_DIR.mkdir(parents=True, exist_ok=True)
+PROCESSED_DIR.mkdir(parents=True, exist_ok=True)
+
+# Processing state
+_is_processing = False
+_last_run: Optional[datetime] = None
+
+
+def get_file_hash(filepath: Path) -> str:
+    """Calculate SHA256 hash of a file."""
+    sha256 = hashlib.sha256()
+    with open(filepath, 'rb') as f:
+        for chunk in iter(lambda: f.read(8192), b''):
+            sha256.update(chunk)
+    return sha256.hexdigest()
+
+
+def list_staging_files() -> list[dict]:
+    """List all files in the staging directory."""
+    files = []
+    for f in STAGING_DIR.iterdir():
+        if f.is_file() and f.suffix.lower() == '.csv':
+            stat = f.stat()
+            files.append({
+                'filename': f.name,
+                'size': stat.st_size,
+                'modified': datetime.fromtimestamp(stat.st_mtime),
+                'status': 'staging'
+            })
+    return sorted(files, key=lambda x: x['modified'], reverse=True)
+
+
+def list_processed_files() -> list[dict]:
+    """List all files in the processed directory."""
+    files = []
+    for f in PROCESSED_DIR.iterdir():
+        if f.is_file() and f.suffix.lower() == '.csv':
+            stat = f.stat()
+            files.append({
+                'filename': f.name,
+                'size': stat.st_size,
+                'modified': datetime.fromtimestamp(stat.st_mtime),
+                'status': 'processed'
+            })
+    return sorted(files, key=lambda x: x['modified'], reverse=True)
+
+
+def validate_csv_file(filepath: Path) -> tuple[bool, str]:
+    """
+    Validate that a CSV file is a valid CSI datalogger format.
+    Returns (is_valid, error_message).
+    """
+    try:
+        # Try reading with CSI format (skip metadata rows)
+        df = pd.read_csv(
+            filepath,
+            header=[0],
+            skiprows=[0, 2, 3] if _is_csi_format(filepath) else None,
+            sep=',',
+            na_values="NAN",
+            engine='python',
+            nrows=10  # Just check first few rows
+        )
+
+        # Check for required columns
+        if 'TIMESTAMP' not in df.columns:
+            return False, "Missing TIMESTAMP column"
+        if 'Site' not in df.columns:
+            return False, "Missing Site column"
+
+        return True, ""
+    except Exception as e:
+        return False, str(e)
+
+
+def _is_csi_format(filepath: Path) -> bool:
+    """Check if file is CSI datalogger format by looking at first line."""
+    try:
+        with open(filepath, 'r') as f:
+            first_line = f.readline()
+            return first_line.startswith('"TOA5"') or first_line.startswith('TOA5')
+    except Exception:
+        return False
+
+
+def process_single_file(
+    db: Session,
+    filepath: Path,
+    user_id: Optional[str] = None
+) -> dict:
+    """
+    Process a single CSV file and import data to database.
+    Returns processing result dict.
+    """
+    start_time = time.time()
+    result = {
+        'filename': filepath.name,
+        'status': 'error',
+        'records_imported': 0,
+        'records_skipped': 0,
+        'records_duplicate': 0,
+        'error_message': None,
+        'processing_time': 0.0
+    }
+
+    try:
+        # Validate file
+        is_valid, error = validate_csv_file(filepath)
+        if not is_valid:
+            result['error_message'] = f"Validation failed: {error}"
+            return result
+
+        # Get file hash for deduplication tracking
+        file_hash = get_file_hash(filepath)
+
+        # Check if already processed
+        existing_archive = db.query(FileArchive).filter(
+            FileArchive.file_hash == file_hash
+        ).first()
+        if existing_archive and existing_archive.status == 'completed':
+            result['error_message'] = "File already processed (duplicate hash)"
+            result['status'] = 'duplicate'
+            return result
+
+        # Create or update archive record
+        if existing_archive:
+            archive = existing_archive
+            archive.status = 'processing'
+        else:
+            archive = FileArchive(
+                original_filename=filepath.name,
+                file_hash=file_hash,
+                file_size=filepath.stat().st_size,
+                status='processing'
+            )
+            db.add(archive)
+        db.commit()
+
+        # Read the CSV
+        is_csi = _is_csi_format(filepath)
+        if is_csi:
+            df = pd.read_csv(
+                filepath,
+                header=[0],
+                skiprows=[0, 2, 3],
+                sep=',',
+                na_values="NAN",
+                engine='python',
+                low_memory=False
+            )
+        else:
+            df = pd.read_csv(filepath, low_memory=False)
+
+        # Get site mapping
+        sites = db.query(Site).all()
+        site_map = {s.site_code: s.id for s in sites}
+
+        # Columns to exclude from data JSON
+        exclude_cols = {'TIMESTAMP', 'Site', 'RECORD', 'Unnamed: 0'}
+        data_cols = [c for c in df.columns if c not in exclude_cols]
+
+        imported = 0
+        skipped = 0
+        duplicates = 0
+
+        for idx, row in df.iterrows():
+            site_code = row.get('Site')
+            if pd.isna(site_code) or site_code not in site_map:
+                skipped += 1
+                continue
+
+            try:
+                timestamp = pd.to_datetime(row['TIMESTAMP'])
+            except Exception:
+                skipped += 1
+                continue
+
+            site_id = site_map[site_code]
+            ts = timestamp.to_pydatetime()
+
+            # Check for existing record (upsert logic)
+            existing = db.query(SensorData).filter(
+                SensorData.site_id == site_id,
+                SensorData.timestamp == ts
+            ).first()
+
+            if existing:
+                duplicates += 1
+                continue
+
+            # Build data dict
+            data = {}
+            for col in data_cols:
+                val = row[col]
+                if pd.notna(val):
+                    if hasattr(val, 'item'):
+                        val = val.item()
+                    data[col] = val
+
+            # Apply QA/QC filters (like original)
+            # Skip bad values
+            if data.get('LW_IN', 0) < -10000000:
+                skipped += 1
+                continue
+
+            record_num = row.get('RECORD')
+            if pd.notna(record_num):
+                record_num = int(record_num)
+            else:
+                record_num = None
+
+            sensor_data = SensorData(
+                site_id=site_id,
+                timestamp=ts,
+                data=data,
+                record_number=record_num
+            )
+            db.add(sensor_data)
+            imported += 1
+
+            # Batch commit
+            if imported % 500 == 0:
+                db.commit()
+
+        db.commit()
+
+        # Update archive record
+        archive.status = 'completed'
+        archive.processed_date = datetime.utcnow()
+        archive.records_imported = imported
+
+        # Move file to processed
+        processed_path = PROCESSED_DIR / f"{datetime.now().strftime('%Y%m%d_%H%M%S')}_{filepath.name}"
+        archive.archived_path = str(processed_path)
+        shutil.move(str(filepath), str(processed_path))
+
+        db.commit()
+
+        # Log audit event
+        if user_id:
+            audit = AuditLog(
+                user_id=user_id,
+                action='pipeline_import',
+                resource_type='sensor_data',
+                resource_id=archive.id,
+                details={
+                    'filename': filepath.name,
+                    'records_imported': imported,
+                    'records_skipped': skipped,
+                    'records_duplicate': duplicates
+                }
+            )
+            db.add(audit)
+            db.commit()
+
+        result['status'] = 'success'
+        result['records_imported'] = imported
+        result['records_skipped'] = skipped
+        result['records_duplicate'] = duplicates
+
+    except Exception as e:
+        result['error_message'] = str(e)
+        db.rollback()
+
+        # Update archive with error
+        try:
+            archive = db.query(FileArchive).filter(
+                FileArchive.original_filename == filepath.name
+            ).first()
+            if archive:
+                archive.status = 'error'
+                archive.error_message = str(e)
+                db.commit()
+        except Exception:
+            pass
+
+    result['processing_time'] = time.time() - start_time
+    return result
+
+
+def process_all_staging_files(
+    db: Session,
+    user_id: Optional[str] = None,
+    filenames: Optional[list[str]] = None
+) -> list[dict]:
+    """
+    Process all files in staging directory (or specified files).
+    Returns list of processing results.
+    """
+    global _is_processing, _last_run
+
+    if _is_processing:
+        return [{'status': 'error', 'error_message': 'Processing already in progress'}]
+
+    _is_processing = True
+    results = []
+
+    try:
+        # Get files to process
+        if filenames:
+            files = [STAGING_DIR / f for f in filenames if (STAGING_DIR / f).exists()]
+        else:
+            files = [f for f in STAGING_DIR.iterdir() if f.is_file() and f.suffix.lower() == '.csv']
+
+        for filepath in files:
+            result = process_single_file(db, filepath, user_id)
+            results.append(result)
+
+        _last_run = datetime.utcnow()
+
+    finally:
+        _is_processing = False
+
+    return results
+
+
+def get_pipeline_status() -> dict:
+    """Get current pipeline status."""
+    return {
+        'staging_files': list_staging_files(),
+        'processed_files': list_processed_files(),
+        'is_processing': _is_processing,
+        'last_run': _last_run
+    }
+
+
+def save_uploaded_file(file_content: bytes, filename: str) -> Path:
+    """Save an uploaded file to the staging directory."""
+    # Sanitize filename
+    safe_filename = "".join(c for c in filename if c.isalnum() or c in '._-')
+    if not safe_filename.lower().endswith('.csv'):
+        safe_filename += '.csv'
+
+    # Add timestamp to avoid conflicts
+    timestamped_name = f"{datetime.now().strftime('%Y%m%d_%H%M%S')}_{safe_filename}"
+    filepath = STAGING_DIR / timestamped_name
+
+    with open(filepath, 'wb') as f:
+        f.write(file_content)
+
+    return filepath
+
+
+def delete_staging_file(filename: str) -> bool:
+    """Delete a file from staging directory."""
+    filepath = STAGING_DIR / filename
+    if filepath.exists() and filepath.is_file():
+        filepath.unlink()
+        return True
+    return False
+
+
+def delete_processed_file(filename: str) -> bool:
+    """Delete a file from processed directory."""
+    filepath = PROCESSED_DIR / filename
+    if filepath.exists() and filepath.is_file():
+        filepath.unlink()
+        return True
+    return False

backend/static/assets/index-CNGvhoA_.css

@@ -0,0 +1 @@
+.leaflet-pane,.leaflet-tile,.leaflet-marker-icon,.leaflet-marker-shadow,.leaflet-tile-container,.leaflet-pane>svg,.leaflet-pane>canvas,.leaflet-zoom-box,.leaflet-image-layer,.leaflet-layer{position:absolute;left:0;top:0}.leaflet-container{overflow:hidden}.leaflet-tile,.leaflet-marker-icon,.leaflet-marker-shadow{-webkit-user-select:none;-moz-user-select:none;user-select:none;-webkit-user-drag:none}.leaflet-tile::-moz-selection{background:transparent}.leaflet-tile::selection{background:transparent}.leaflet-safari .leaflet-tile{image-rendering:-webkit-optimize-contrast}.leaflet-safari .leaflet-tile-container{width:1600px;height:1600px;-webkit-transform-origin:0 0}.leaflet-marker-icon,.leaflet-marker-shadow{display:block}.leaflet-container .leaflet-overlay-pane svg{max-width:none!important;max-height:none!important}.leaflet-container .leaflet-marker-pane img,.leaflet-container .leaflet-shadow-pane img,.leaflet-container .leaflet-tile-pane img,.leaflet-container img.leaflet-image-layer,.leaflet-container .leaflet-tile{max-width:none!important;max-height:none!important;width:auto;padding:0}.leaflet-container img.leaflet-tile{mix-blend-mode:plus-lighter}.leaflet-container.leaflet-touch-zoom{touch-action:pan-x pan-y}.leaflet-container.leaflet-touch-drag{touch-action:none;touch-action:pinch-zoom}.leaflet-container.leaflet-touch-drag.leaflet-touch-zoom{touch-action:none}.leaflet-container{-webkit-tap-highlight-color:transparent}.leaflet-container a{-webkit-tap-highlight-color:rgba(51,181,229,.4)}.leaflet-tile{filter:inherit;visibility:hidden}.leaflet-tile-loaded{visibility:inherit}.leaflet-zoom-box{width:0;height:0;box-sizing:border-box;z-index:800}.leaflet-overlay-pane svg{-moz-user-select:none}.leaflet-pane{z-index:400}.leaflet-tile-pane{z-index:200}.leaflet-overlay-pane{z-index:400}.leaflet-shadow-pane{z-index:500}.leaflet-marker-pane{z-index:600}.leaflet-tooltip-pane{z-index:650}.leaflet-popup-pane{z-index:700}.leaflet-map-pane canvas{z-index:100}.leaflet-map-pane svg{z-index:200}.leaflet-vml-shape{width:1px;height:1px}.lvml{behavior:url(#default#VML);display:inline-block;position:absolute}.leaflet-control{position:relative;z-index:800;pointer-events:visiblePainted;pointer-events:auto}.leaflet-top,.leaflet-bottom{position:absolute;z-index:1000;pointer-events:none}.leaflet-top{top:0}.leaflet-right{right:0}.leaflet-bottom{bottom:0}.leaflet-left{left:0}.leaflet-control{float:left;clear:both}.leaflet-right .leaflet-control{float:right}.leaflet-top .leaflet-control{margin-top:10px}.leaflet-bottom .leaflet-control{margin-bottom:10px}.leaflet-left .leaflet-control{margin-left:10px}.leaflet-right .leaflet-control{margin-right:10px}.leaflet-fade-anim .leaflet-popup{opacity:0;transition:opacity .2s linear}.leaflet-fade-anim .leaflet-map-pane .leaflet-popup{opacity:1}.leaflet-zoom-animated{transform-origin:0 0}svg.leaflet-zoom-animated{will-change:transform}.leaflet-zoom-anim .leaflet-zoom-animated{transition:transform .25s cubic-bezier(0,0,.25,1)}.leaflet-zoom-anim .leaflet-tile,.leaflet-pan-anim .leaflet-tile{transition:none}.leaflet-zoom-anim .leaflet-zoom-hide{visibility:hidden}.leaflet-interactive{cursor:pointer}.leaflet-grab{cursor:grab}.leaflet-crosshair,.leaflet-crosshair .leaflet-interactive{cursor:crosshair}.leaflet-popup-pane,.leaflet-control{cursor:auto}.leaflet-dragging .leaflet-grab,.leaflet-dragging .leaflet-grab .leaflet-interactive,.leaflet-dragging .leaflet-marker-draggable{cursor:move;cursor:grabbing}.leaflet-marker-icon,.leaflet-marker-shadow,.leaflet-image-layer,.leaflet-pane>svg path,.leaflet-tile-container{pointer-events:none}.leaflet-marker-icon.leaflet-interactive,.leaflet-image-layer.leaflet-interactive,.leaflet-pane>svg path.leaflet-interactive,svg.leaflet-image-layer.leaflet-interactive path{pointer-events:visiblePainted;pointer-events:auto}.leaflet-container{background:#ddd;outline-offset:1px}.leaflet-container a{color:#0078a8}.leaflet-zoom-box{border:2px dotted #38f;background:#ffffff80}.leaflet-container{font-family:Helvetica Neue,Arial,Helvetica,sans-serif;font-size:12px;font-size:.75rem;line-height:1.5}.leaflet-bar{box-shadow:0 1px 5px #000000a6;border-radius:4px}.leaflet-bar a{background-color:#fff;border-bottom:1px solid #ccc;width:26px;height:26px;line-height:26px;display:block;text-align:center;text-decoration:none;color:#000}.leaflet-bar a,.leaflet-control-layers-toggle{background-position:50% 50%;background-repeat:no-repeat;display:block}.leaflet-bar a:hover,.leaflet-bar a:focus{background-color:#f4f4f4}.leaflet-bar a:first-child{border-top-left-radius:4px;border-top-right-radius:4px}.leaflet-bar a:last-child{border-bottom-left-radius:4px;border-bottom-right-radius:4px;border-bottom:none}.leaflet-bar a.leaflet-disabled{cursor:default;background-color:#f4f4f4;color:#bbb}.leaflet-touch .leaflet-bar a{width:30px;height:30px;line-height:30px}.leaflet-touch .leaflet-bar a:first-child{border-top-left-radius:2px;border-top-right-radius:2px}.leaflet-touch .leaflet-bar a:last-child{border-bottom-left-radius:2px;border-bottom-right-radius:2px}.leaflet-control-zoom-in,.leaflet-control-zoom-out{font:700 18px Lucida Console,Monaco,monospace;text-indent:1px}.leaflet-touch .leaflet-control-zoom-in,.leaflet-touch .leaflet-control-zoom-out{font-size:22px}.leaflet-control-layers{box-shadow:0 1px 5px #0006;background:#fff;border-radius:5px}.leaflet-control-layers-toggle{background-image:url(data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABoAAAAaCAQAAAADQ4RFAAACf0lEQVR4AY1UM3gkARTePdvdoTxXKc+qTl3aU5U6b2Kbkz3Gtq3Zw6ziLGNPzrYx7946Tr6/ee/XeCQ4D3ykPtL5tHno4n0d/h3+xfuWHGLX81cn7r0iTNzjr7LrlxCqPtkbTQEHeqOrTy4Yyt3VCi/IOB0v7rVC7q45Q3Gr5K6jt+3Gl5nCoDD4MtO+j96Wu8atmhGqcNGHObuf8OM/x3AMx38+4Z2sPqzCxRFK2aF2e5Jol56XTLyggAMTL56XOMoS1W4pOyjUcGGQdZxU6qRh7B9Zp+PfpOFlqt0zyDZckPi1ttmIp03jX8gyJ8a/PG2yutpS/Vol7peZIbZcKBAEEheEIAgFbDkz5H6Zrkm2hVWGiXKiF4Ycw0RWKdtC16Q7qe3X4iOMxruonzegJzWaXFrU9utOSsLUmrc0YjeWYjCW4PDMADElpJSSQ0vQvA1Tm6/JlKnqFs1EGyZiFCqnRZTEJJJiKRYzVYzJck2Rm6P4iH+cmSY0YzimYa8l0EtTODFWhcMIMVqdsI2uiTvKmTisIDHJ3od5GILVhBCarCfVRmo4uTjkhrhzkiBV7SsaqS+TzrzM1qpGGUFt28pIySQHR6h7F6KSwGWm97ay+Z+ZqMcEjEWebE7wxCSQwpkhJqoZA5ivCdZDjJepuJ9IQjGGUmuXJdBFUygxVqVsxFsLMbDe8ZbDYVCGKxs+W080max1hFCarCfV+C1KATwcnvE9gRRuMP2prdbWGowm1KB1y+zwMMENkM755cJ2yPDtqhTI6ED1M/82yIDtC/4j4BijjeObflpO9I9MwXTCsSX8jWAFeHr05WoLTJ5G8IQVS/7vwR6ohirYM7f6HzYpogfS3R2OAAAAAElFTkSuQmCC);width:36px;height:36px}.leaflet-retina .leaflet-control-layers-toggle{background-image:url(data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAADQAAAA0CAQAAABvcdNgAAAEsklEQVR4AWL4TydIhpZK1kpWOlg0w3ZXP6D2soBtG42jeI6ZmQTHzAxiTbSJsYLjO9HhP+WOmcuhciVnmHVQcJnp7DFvScowZorad/+V/fVzMdMT2g9Cv9guXGv/7pYOrXh2U+RRR3dSd9JRx6bIFc/ekqHI29JC6pJ5ZEh1yWkhkbcFeSjxgx3L2m1cb1C7bceyxA+CNjT/Ifff+/kDk2u/w/33/IeCMOSaWZ4glosqT3DNnNZQ7Cs58/3Ce5HL78iZH/vKVIaYlqzfdLu8Vi7dnvUbEza5Idt36tquZFldl6N5Z/POLof0XLK61mZCmJSWjVF9tEjUluu74IUXvgttuVIHE7YxSkaYhJZam7yiM9Pv82JYfl9nptxZaxMJE4YSPty+vF0+Y2up9d3wwijfjZbabqm/3bZ9ecKHsiGmRflnn1MW4pjHf9oLufyn2z3y1D6n8g8TZhxyzipLNPnAUpsOiuWimg52psrTZYnOWYNDTMuWBWa0tJb4rgq1UvmutpaYEbZlwU3CLJm/ayYjHW5/h7xWLn9Hh1vepDkyf7dE7MtT5LR4e7yYpHrkhOUpEfssBLq2pPhAqoSWKUkk7EDqkmK6RrCEzqDjhNDWNE+XSMvkJRDWlZTmCW0l0PHQGRZY5t1L83kT0Y3l2SItk5JAWHl2dCOBm+fPu3fo5/3v61RMCO9Jx2EEYYhb0rmNQMX/vm7gqOEJLcXTGw3CAuRNeyaPWwjR8PRqKQ1PDA/dpv+on9Shox52WFnx0KY8onHayrJzm87i5h9xGw/tfkev0jGsQizqezUKjk12hBMKJ4kbCqGPVNXudyyrShovGw5CgxsRICxF6aRmSjlBnHRzg7Gx8fKqEubI2rahQYdR1YgDIRQO7JvQyD52hoIQx0mxa0ODtW2Iozn1le2iIRdzwWewedyZzewidueOGqlsn1MvcnQpuVwLGG3/IR1hIKxCjelIDZ8ldqWz25jWAsnldEnK0Zxro19TGVb2ffIZEsIO89EIEDvKMPrzmBOQcKQ+rroye6NgRRxqR4U8EAkz0CL6uSGOm6KQCdWjvjRiSP1BPalCRS5iQYiEIvxuBMJEWgzSoHADcVMuN7IuqqTeyUPq22qFimFtxDyBBJEwNyt6TM88blFHao/6tWWhuuOM4SAK4EI4QmFHA+SEyWlp4EQoJ13cYGzMu7yszEIBOm2rVmHUNqwAIQabISNMRstmdhNWcFLsSm+0tjJH1MdRxO5Nx0WDMhCtgD6OKgZeljJqJKc9po8juskR9XN0Y1lZ3mWjLR9JCO1jRDMd0fpYC2VnvjBSEFg7wBENc0R9HFlb0xvF1+TBEpF68d+DHR6IOWVv2BECtxo46hOFUBd/APU57WIoEwJhIi2CdpyZX0m93BZicktMj1AS9dClteUFAUNUIEygRZCtik5zSxI9MubTBH1GOiHsiLJ3OCoSZkILa9PxiN0EbvhsAo8tdAf9Seepd36lGWHmtNANTv5Jd0z4QYyeo/UEJqxKRpg5LZx6btLPsOaEmdMyxYdlc8LMaJnikDlhclqmPiQnTEpLUIZEwkRagjYkEibQErwhkTAKCLQEbUgkzJQWc/0PstHHcfEdQ+UAAAAASUVORK5CYII=);background-size:26px 26px}.leaflet-touch .leaflet-control-layers-toggle{width:44px;height:44px}.leaflet-control-layers .leaflet-control-layers-list,.leaflet-control-layers-expanded .leaflet-control-layers-toggle{display:none}.leaflet-control-layers-expanded .leaflet-control-layers-list{display:block;position:relative}.leaflet-control-layers-expanded{padding:6px 10px 6px 6px;color:#333;background:#fff}.leaflet-control-layers-scrollbar{overflow-y:scroll;overflow-x:hidden;padding-right:5px}.leaflet-control-layers-selector{margin-top:2px;position:relative;top:1px}.leaflet-control-layers label{display:block;font-size:13px;font-size:1.08333em}.leaflet-control-layers-separator{height:0;border-top:1px solid #ddd;margin:5px -10px 5px -6px}.leaflet-default-icon-path{background-image:url(data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABkAAAApCAYAAADAk4LOAAAFgUlEQVR4Aa1XA5BjWRTN2oW17d3YaZtr2962HUzbDNpjszW24mRt28p47v7zq/bXZtrp/lWnXr337j3nPCe85NcypgSFdugCpW5YoDAMRaIMqRi6aKq5E3YqDQO3qAwjVWrD8Ncq/RBpykd8oZUb/kaJutow8r1aP9II0WmLKLIsJyv1w/kqw9Ch2MYdB++12Onxee/QMwvf4/Dk/Lfp/i4nxTXtOoQ4pW5Aj7wpici1A9erdAN2OH64x8OSP9j3Ft3b7aWkTg/Fm91siTra0f9on5sQr9INejH6CUUUpavjFNq1B+Oadhxmnfa8RfEmN8VNAsQhPqF55xHkMzz3jSmChWU6f7/XZKNH+9+hBLOHYozuKQPxyMPUKkrX/K0uWnfFaJGS1QPRtZsOPtr3NsW0uyh6NNCOkU3Yz+bXbT3I8G3xE5EXLXtCXbbqwCO9zPQYPRTZ5vIDXD7U+w7rFDEoUUf7ibHIR4y6bLVPXrz8JVZEql13trxwue/uDivd3fkWRbS6/IA2bID4uk0UpF1N8qLlbBlXs4Ee7HLTfV1j54APvODnSfOWBqtKVvjgLKzF5YdEk5ewRkGlK0i33Eofffc7HT56jD7/6U+qH3Cx7SBLNntH5YIPvODnyfIXZYRVDPqgHtLs5ABHD3YzLuespb7t79FY34DjMwrVrcTuwlT55YMPvOBnRrJ4VXTdNnYug5ucHLBjEpt30701A3Ts+HEa73u6dT3FNWwflY86eMHPk+Yu+i6pzUpRrW7SNDg5JHR4KapmM5Wv2E8Tfcb1HoqqHMHU+uWDD7zg54mz5/2BSnizi9T1Dg4QQXLToGNCkb6tb1NU+QAlGr1++eADrzhn/u8Q2YZhQVlZ5+CAOtqfbhmaUCS1ezNFVm2imDbPmPng5wmz+gwh+oHDce0eUtQ6OGDIyR0uUhUsoO3vfDmmgOezH0mZN59x7MBi++WDL1g/eEiU3avlidO671bkLfwbw5XV2P8Pzo0ydy4t2/0eu33xYSOMOD8hTf4CrBtGMSoXfPLchX+J0ruSePw3LZeK0juPJbYzrhkH0io7B3k164hiGvawhOKMLkrQLyVpZg8rHFW7E2uHOL888IBPlNZ1FPzstSJM694fWr6RwpvcJK60+0HCILTBzZLFNdtAzJaohze60T8qBzyh5ZuOg5e7uwQppofEmf2++DYvmySqGBuKaicF1blQjhuHdvCIMvp8whTTfZzI7RldpwtSzL+F1+wkdZ2TBOW2gIF88PBTzD/gpeREAMEbxnJcaJHNHrpzji0gQCS6hdkEeYt9DF/2qPcEC8RM28Hwmr3sdNyht00byAut2k3gufWNtgtOEOFGUwcXWNDbdNbpgBGxEvKkOQsxivJx33iow0Vw5S6SVTrpVq11ysA2Rp7gTfPfktc6zhtXBBC+adRLshf6sG2RfHPZ5EAc4sVZ83yCN00Fk/4kggu40ZTvIEm5g24qtU4KjBrx/BTTH8ifVASAG7gKrnWxJDcU7x8X6Ecczhm3o6YicvsLXWfh3Ch1W0k8x0nXF+0fFxgt4phz8QvypiwCCFKMqXCnqXExjq10beH+UUA7+nG6mdG/Pu0f3LgFcGrl2s0kNNjpmoJ9o4B29CMO8dMT4Q5ox8uitF6fqsrJOr8qnwNbRzv6hSnG5wP+64C7h9lp30hKNtKdWjtdkbuPA19nJ7Tz3zR/ibgARbhb4AlhavcBebmTHcFl2fvYEnW0ox9xMxKBS8btJ+KiEbq9zA4RthQXDhPa0T9TEe69gWupwc6uBUphquXgf+/FrIjweHQS4/pduMe5ERUMHUd9xv8ZR98CxkS4F2n3EUrUZ10EYNw7BWm9x1GiPssi3GgiGRDKWRYZfXlON+dfNbM+GgIwYdwAAAAASUVORK5CYII=)}.leaflet-container .leaflet-control-attribution{background:#fff;background:#fffc;margin:0}.leaflet-control-attribution,.leaflet-control-scale-line{padding:0 5px;color:#333;line-height:1.4}.leaflet-control-attribution a{text-decoration:none}.leaflet-control-attribution a:hover,.leaflet-control-attribution a:focus{text-decoration:underline}.leaflet-attribution-flag{display:inline!important;vertical-align:baseline!important;width:1em;height:.6669em}.leaflet-left .leaflet-control-scale{margin-left:5px}.leaflet-bottom .leaflet-control-scale{margin-bottom:5px}.leaflet-control-scale-line{border:2px solid #777;border-top:none;line-height:1.1;padding:2px 5px 1px;white-space:nowrap;box-sizing:border-box;background:#fffc;text-shadow:1px 1px #fff}.leaflet-control-scale-line:not(:first-child){border-top:2px solid #777;border-bottom:none;margin-top:-2px}.leaflet-control-scale-line:not(:first-child):not(:last-child){border-bottom:2px solid #777}.leaflet-touch .leaflet-control-attribution,.leaflet-touch .leaflet-control-layers,.leaflet-touch .leaflet-bar{box-shadow:none}.leaflet-touch .leaflet-control-layers,.leaflet-touch .leaflet-bar{border:2px solid rgba(0,0,0,.2);background-clip:padding-box}.leaflet-popup{position:absolute;text-align:center;margin-bottom:20px}.leaflet-popup-content-wrapper{padding:1px;text-align:left;border-radius:12px}.leaflet-popup-content{margin:13px 24px 13px 20px;line-height:1.3;font-size:13px;font-size:1.08333em;min-height:1px}.leaflet-popup-content p{margin:1.3em 0}.leaflet-popup-tip-container{width:40px;height:20px;position:absolute;left:50%;margin-top:-1px;margin-left:-20px;overflow:hidden;pointer-events:none}.leaflet-popup-tip{width:17px;height:17px;padding:1px;margin:-10px auto 0;pointer-events:auto;transform:rotate(45deg)}.leaflet-popup-content-wrapper,.leaflet-popup-tip{background:#fff;color:#333;box-shadow:0 3px 14px #0006}.leaflet-container a.leaflet-popup-close-button{position:absolute;top:0;right:0;border:none;text-align:center;width:24px;height:24px;font:16px/24px Tahoma,Verdana,sans-serif;color:#757575;text-decoration:none;background:transparent}.leaflet-container a.leaflet-popup-close-button:hover,.leaflet-container a.leaflet-popup-close-button:focus{color:#585858}.leaflet-popup-scrolled{overflow:auto}.leaflet-oldie .leaflet-popup-content-wrapper{-ms-zoom:1}.leaflet-oldie .leaflet-popup-tip{width:24px;margin:0 auto;-ms-filter:"progid:DXImageTransform.Microsoft.Matrix(M11=0.70710678, M12=0.70710678, M21=-0.70710678, M22=0.70710678)";filter:progid:DXImageTransform.Microsoft.Matrix(M11=.70710678,M12=.70710678,M21=-.70710678,M22=.70710678)}.leaflet-oldie .leaflet-control-zoom,.leaflet-oldie .leaflet-control-layers,.leaflet-oldie .leaflet-popup-content-wrapper,.leaflet-oldie .leaflet-popup-tip{border:1px solid #999}.leaflet-div-icon{background:#fff;border:1px solid #666}.leaflet-tooltip{position:absolute;padding:6px;background-color:#fff;border:1px solid #fff;border-radius:3px;color:#222;white-space:nowrap;-webkit-user-select:none;-moz-user-select:none;user-select:none;pointer-events:none;box-shadow:0 1px 3px #0006}.leaflet-tooltip.leaflet-interactive{cursor:pointer;pointer-events:auto}.leaflet-tooltip-top:before,.leaflet-tooltip-bottom:before,.leaflet-tooltip-left:before,.leaflet-tooltip-right:before{position:absolute;pointer-events:none;border:6px solid transparent;background:transparent;content:""}.leaflet-tooltip-bottom{margin-top:6px}.leaflet-tooltip-top{margin-top:-6px}.leaflet-tooltip-bottom:before,.leaflet-tooltip-top:before{left:50%;margin-left:-6px}.leaflet-tooltip-top:before{bottom:0;margin-bottom:-12px;border-top-color:#fff}.leaflet-tooltip-bottom:before{top:0;margin-top:-12px;margin-left:-6px;border-bottom-color:#fff}.leaflet-tooltip-left{margin-left:-6px}.leaflet-tooltip-right{margin-left:6px}.leaflet-tooltip-left:before,.leaflet-tooltip-right:before{top:50%;margin-top:-6px}.leaflet-tooltip-left:before{right:0;margin-right:-12px;border-left-color:#fff}.leaflet-tooltip-right:before{left:0;margin-left:-12px;border-right-color:#fff}@media print{.leaflet-control{-webkit-print-color-adjust:exact;print-color-adjust:exact}}*,:before,:after{--tw-border-spacing-x: 0;--tw-border-spacing-y: 0;--tw-translate-x: 0;--tw-translate-y: 0;--tw-rotate: 0;--tw-skew-x: 0;--tw-skew-y: 0;--tw-scale-x: 1;--tw-scale-y: 1;--tw-pan-x: ;--tw-pan-y: ;--tw-pinch-zoom: ;--tw-scroll-snap-strictness: proximity;--tw-gradient-from-position: ;--tw-gradient-via-position: ;--tw-gradient-to-position: ;--tw-ordinal: ;--tw-slashed-zero: ;--tw-numeric-figure: ;--tw-numeric-spacing: ;--tw-numeric-fraction: ;--tw-ring-inset: ;--tw-ring-offset-width: 0px;--tw-ring-offset-color: #fff;--tw-ring-color: rgb(59 130 246 / .5);--tw-ring-offset-shadow: 0 0 #0000;--tw-ring-shadow: 0 0 #0000;--tw-shadow: 0 0 #0000;--tw-shadow-colored: 0 0 #0000;--tw-blur: ;--tw-brightness: ;--tw-contrast: ;--tw-grayscale: ;--tw-hue-rotate: ;--tw-invert: ;--tw-saturate: ;--tw-sepia: ;--tw-drop-shadow: ;--tw-backdrop-blur: ;--tw-backdrop-brightness: ;--tw-backdrop-contrast: ;--tw-backdrop-grayscale: ;--tw-backdrop-hue-rotate: ;--tw-backdrop-invert: ;--tw-backdrop-opacity: ;--tw-backdrop-saturate: ;--tw-backdrop-sepia: ;--tw-contain-size: ;--tw-contain-layout: ;--tw-contain-paint: ;--tw-contain-style: }::backdrop{--tw-border-spacing-x: 0;--tw-border-spacing-y: 0;--tw-translate-x: 0;--tw-translate-y: 0;--tw-rotate: 0;--tw-skew-x: 0;--tw-skew-y: 0;--tw-scale-x: 1;--tw-scale-y: 1;--tw-pan-x: ;--tw-pan-y: ;--tw-pinch-zoom: ;--tw-scroll-snap-strictness: proximity;--tw-gradient-from-position: ;--tw-gradient-via-position: ;--tw-gradient-to-position: ;--tw-ordinal: ;--tw-slashed-zero: ;--tw-numeric-figure: ;--tw-numeric-spacing: ;--tw-numeric-fraction: ;--tw-ring-inset: ;--tw-ring-offset-width: 0px;--tw-ring-offset-color: #fff;--tw-ring-color: rgb(59 130 246 / .5);--tw-ring-offset-shadow: 0 0 #0000;--tw-ring-shadow: 0 0 #0000;--tw-shadow: 0 0 #0000;--tw-shadow-colored: 0 0 #0000;--tw-blur: ;--tw-brightness: ;--tw-contrast: ;--tw-grayscale: ;--tw-hue-rotate: ;--tw-invert: ;--tw-saturate: ;--tw-sepia: ;--tw-drop-shadow: ;--tw-backdrop-blur: ;--tw-backdrop-brightness: ;--tw-backdrop-contrast: ;--tw-backdrop-grayscale: ;--tw-backdrop-hue-rotate: ;--tw-backdrop-invert: ;--tw-backdrop-opacity: ;--tw-backdrop-saturate: ;--tw-backdrop-sepia: ;--tw-contain-size: ;--tw-contain-layout: ;--tw-contain-paint: ;--tw-contain-style: }*,:before,:after{box-sizing:border-box;border-width:0;border-style:solid;border-color:#e5e7eb}:before,:after{--tw-content: ""}html,:host{line-height:1.5;-webkit-text-size-adjust:100%;-moz-tab-size:4;-o-tab-size:4;tab-size:4;font-family:ui-sans-serif,system-ui,sans-serif,"Apple Color Emoji","Segoe UI Emoji",Segoe UI Symbol,"Noto Color Emoji";font-feature-settings:normal;font-variation-settings:normal;-webkit-tap-highlight-color:transparent}body{margin:0;line-height:inherit}hr{height:0;color:inherit;border-top-width:1px}abbr:where([title]){-webkit-text-decoration:underline dotted;text-decoration:underline dotted}h1,h2,h3,h4,h5,h6{font-size:inherit;font-weight:inherit}a{color:inherit;text-decoration:inherit}b,strong{font-weight:bolder}code,kbd,samp,pre{font-family:ui-monospace,SFMono-Regular,Menlo,Monaco,Consolas,Liberation Mono,Courier New,monospace;font-feature-settings:normal;font-variation-settings:normal;font-size:1em}small{font-size:80%}sub,sup{font-size:75%;line-height:0;position:relative;vertical-align:baseline}sub{bottom:-.25em}sup{top:-.5em}table{text-indent:0;border-color:inherit;border-collapse:collapse}button,input,optgroup,select,textarea{font-family:inherit;font-feature-settings:inherit;font-variation-settings:inherit;font-size:100%;font-weight:inherit;line-height:inherit;letter-spacing:inherit;color:inherit;margin:0;padding:0}button,select{text-transform:none}button,input:where([type=button]),input:where([type=reset]),input:where([type=submit]){-webkit-appearance:button;background-color:transparent;background-image:none}:-moz-focusring{outline:auto}:-moz-ui-invalid{box-shadow:none}progress{vertical-align:baseline}::-webkit-inner-spin-button,::-webkit-outer-spin-button{height:auto}[type=search]{-webkit-appearance:textfield;outline-offset:-2px}::-webkit-search-decoration{-webkit-appearance:none}::-webkit-file-upload-button{-webkit-appearance:button;font:inherit}summary{display:list-item}blockquote,dl,dd,h1,h2,h3,h4,h5,h6,hr,figure,p,pre{margin:0}fieldset{margin:0;padding:0}legend{padding:0}ol,ul,menu{list-style:none;margin:0;padding:0}dialog{padding:0}textarea{resize:vertical}input::-moz-placeholder,textarea::-moz-placeholder{opacity:1;color:#9ca3af}input::placeholder,textarea::placeholder{opacity:1;color:#9ca3af}button,[role=button]{cursor:pointer}:disabled{cursor:default}img,svg,video,canvas,audio,iframe,embed,object{display:block;vertical-align:middle}img,video{max-width:100%;height:auto}[hidden]:where(:not([hidden=until-found])){display:none}:root{--background: 0 0% 98%;--foreground: 222.2 84% 4.9%;--card: 0 0% 100%;--card-foreground: 222.2 84% 4.9%;--primary: 221.2 83.2% 53.3%;--primary-foreground: 210 40% 98%;--secondary: 210 40% 96.1%;--secondary-foreground: 222.2 47.4% 11.2%;--muted: 210 40% 96.1%;--muted-foreground: 215.4 16.3% 46.9%;--accent: 210 40% 96.1%;--accent-foreground: 222.2 47.4% 11.2%;--destructive: 0 84.2% 60.2%;--destructive-foreground: 210 40% 98%;--border: 214.3 31.8% 91.4%;--input: 214.3 31.8% 91.4%;--ring: 221.2 83.2% 53.3%;--radius: .5rem}.dark{--background: 222.2 84% 4.9%;--foreground: 210 40% 98%;--card: 222.2 84% 4.9%;--card-foreground: 210 40% 98%;--primary: 217.2 91.2% 59.8%;--primary-foreground: 222.2 47.4% 11.2%;--secondary: 217.2 32.6% 17.5%;--secondary-foreground: 210 40% 98%;--muted: 217.2 32.6% 17.5%;--muted-foreground: 215 20.2% 65.1%;--accent: 217.2 32.6% 17.5%;--accent-foreground: 210 40% 98%;--destructive: 0 62.8% 30.6%;--destructive-foreground: 210 40% 98%;--border: 217.2 32.6% 17.5%;--input: 217.2 32.6% 17.5%;--ring: 224.3 76.3% 48%}*{border-color:hsl(var(--border))}body{background-color:hsl(var(--background));color:hsl(var(--foreground));font-feature-settings:"rlig" 1,"calt" 1}.pointer-events-none{pointer-events:none}.pointer-events-auto{pointer-events:auto}.visible{visibility:visible}.fixed{position:fixed}.absolute{position:absolute}.relative{position:relative}.sticky{position:sticky}.inset-0{top:0;right:0;bottom:0;left:0}.bottom-0{bottom:0}.bottom-2{bottom:.5rem}.bottom-4{bottom:1rem}.left-0{left:0}.left-0\.5{left:.125rem}.left-1\/2{left:50%}.left-2{left:.5rem}.left-3{left:.75rem}.right-0{right:0}.right-2{right:.5rem}.right-3{right:.75rem}.right-4{right:1rem}.top-0{top:0}.top-0\.5{top:.125rem}.top-1\/2{top:50%}.top-16{top:4rem}.top-2{top:.5rem}.z-0{z-index:0}.z-10{z-index:10}.z-40{z-index:40}.z-50{z-index:50}.z-\[1000\]{z-index:1000}.z-\[100\]{z-index:100}.mx-1{margin-left:.25rem;margin-right:.25rem}.mx-auto{margin-left:auto;margin-right:auto}.mb-1{margin-bottom:.25rem}.mb-1\.5{margin-bottom:.375rem}.mb-2{margin-bottom:.5rem}.mb-3{margin-bottom:.75rem}.mb-4{margin-bottom:1rem}.mb-6{margin-bottom:1.5rem}.mb-8{margin-bottom:2rem}.ml-2{margin-left:.5rem}.ml-auto{margin-left:auto}.mr-1{margin-right:.25rem}.mt-0\.5{margin-top:.125rem}.mt-1{margin-top:.25rem}.mt-2{margin-top:.5rem}.mt-3{margin-top:.75rem}.mt-32{margin-top:8rem}.mt-4{margin-top:1rem}.mt-6{margin-top:1.5rem}.mt-8{margin-top:2rem}.mt-auto{margin-top:auto}.block{display:block}.inline-block{display:inline-block}.flex{display:flex}.inline-flex{display:inline-flex}.table{display:table}.grid{display:grid}.hidden{display:none}.h-1{height:.25rem}.h-10{height:2.5rem}.h-12{height:3rem}.h-14{height:3.5rem}.h-16{height:4rem}.h-2{height:.5rem}.h-2\.5{height:.625rem}.h-24{height:6rem}.h-3{height:.75rem}.h-3\.5{height:.875rem}.h-32{height:8rem}.h-4{height:1rem}.h-5{height:1.25rem}.h-6{height:1.5rem}.h-7{height:1.75rem}.h-8{height:2rem}.h-\[400px\]{height:400px}.h-full{height:100%}.max-h-64{max-height:16rem}.max-h-72{max-height:18rem}.max-h-80{max-height:20rem}.max-h-96{max-height:24rem}.max-h-\[200px\]{max-height:200px}.max-h-full{max-height:100%}.min-h-\[calc\(100vh-4rem\)\]{min-height:calc(100vh - 4rem)}.min-h-screen{min-height:100vh}.w-1\/2{width:50%}.w-10{width:2.5rem}.w-11{width:2.75rem}.w-12{width:3rem}.w-14{width:3.5rem}.w-16{width:4rem}.w-2{width:.5rem}.w-2\.5{width:.625rem}.w-20{width:5rem}.w-24{width:6rem}.w-3{width:.75rem}.w-3\.5{width:.875rem}.w-3\/4{width:75%}.w-32{width:8rem}.w-4{width:1rem}.w-48{width:12rem}.w-5{width:1.25rem}.w-6{width:1.5rem}.w-64{width:16rem}.w-7{width:1.75rem}.w-8{width:2rem}.w-\[300px\]{width:300px}.w-auto{width:auto}.w-full{width:100%}.w-px{width:1px}.min-w-0{min-width:0px}.max-w-7xl{max-width:80rem}.max-w-\[180px\]{max-width:180px}.max-w-full{max-width:100%}.max-w-md{max-width:28rem}.max-w-sm{max-width:24rem}.max-w-xl{max-width:36rem}.flex-1{flex:1 1 0%}.flex-shrink-0,.shrink-0{flex-shrink:0}.origin-left{transform-origin:left}.-translate-x-1\/2{--tw-translate-x: -50%;transform:translate(var(--tw-translate-x),var(--tw-translate-y)) rotate(var(--tw-rotate)) skew(var(--tw-skew-x)) skewY(var(--tw-skew-y)) scaleX(var(--tw-scale-x)) scaleY(var(--tw-scale-y))}.-translate-y-1\/2{--tw-translate-y: -50%;transform:translate(var(--tw-translate-x),var(--tw-translate-y)) rotate(var(--tw-rotate)) skew(var(--tw-skew-x)) skewY(var(--tw-skew-y)) scaleX(var(--tw-scale-x)) scaleY(var(--tw-scale-y))}.translate-x-0{--tw-translate-x: 0px;transform:translate(var(--tw-translate-x),var(--tw-translate-y)) rotate(var(--tw-rotate)) skew(var(--tw-skew-x)) skewY(var(--tw-skew-y)) scaleX(var(--tw-scale-x)) scaleY(var(--tw-scale-y))}.translate-x-5{--tw-translate-x: 1.25rem;transform:translate(var(--tw-translate-x),var(--tw-translate-y)) rotate(var(--tw-rotate)) skew(var(--tw-skew-x)) skewY(var(--tw-skew-y)) scaleX(var(--tw-scale-x)) scaleY(var(--tw-scale-y))}.transform{transform:translate(var(--tw-translate-x),var(--tw-translate-y)) rotate(var(--tw-rotate)) skew(var(--tw-skew-x)) skewY(var(--tw-skew-y)) scaleX(var(--tw-scale-x)) scaleY(var(--tw-scale-y))}@keyframes pulse{50%{opacity:.5}}.animate-pulse{animation:pulse 2s cubic-bezier(.4,0,.6,1) infinite}@keyframes spin{to{transform:rotate(360deg)}}.animate-spin{animation:spin 1s linear infinite}.cursor-help{cursor:help}.cursor-not-allowed{cursor:not-allowed}.cursor-pointer{cursor:pointer}.select-none{-webkit-user-select:none;-moz-user-select:none;user-select:none}.resize-none{resize:none}.appearance-none{-webkit-appearance:none;-moz-appearance:none;appearance:none}.grid-cols-1{grid-template-columns:repeat(1,minmax(0,1fr))}.grid-cols-2{grid-template-columns:repeat(2,minmax(0,1fr))}.grid-cols-3{grid-template-columns:repeat(3,minmax(0,1fr))}.grid-cols-4{grid-template-columns:repeat(4,minmax(0,1fr))}.flex-col{flex-direction:column}.flex-wrap{flex-wrap:wrap}.items-start{align-items:flex-start}.items-center{align-items:center}.justify-end{justify-content:flex-end}.justify-center{justify-content:center}.justify-between{justify-content:space-between}.gap-1{gap:.25rem}.gap-1\.5{gap:.375rem}.gap-2{gap:.5rem}.gap-3{gap:.75rem}.gap-4{gap:1rem}.gap-6{gap:1.5rem}.gap-8{gap:2rem}.space-y-0\.5>:not([hidden])~:not([hidden]){--tw-space-y-reverse: 0;margin-top:calc(.125rem * calc(1 - var(--tw-space-y-reverse)));margin-bottom:calc(.125rem * var(--tw-space-y-reverse))}.space-y-1>:not([hidden])~:not([hidden]){--tw-space-y-reverse: 0;margin-top:calc(.25rem * calc(1 - var(--tw-space-y-reverse)));margin-bottom:calc(.25rem * var(--tw-space-y-reverse))}.space-y-1\.5>:not([hidden])~:not([hidden]){--tw-space-y-reverse: 0;margin-top:calc(.375rem * calc(1 - var(--tw-space-y-reverse)));margin-bottom:calc(.375rem * var(--tw-space-y-reverse))}.space-y-2>:not([hidden])~:not([hidden]){--tw-space-y-reverse: 0;margin-top:calc(.5rem * calc(1 - var(--tw-space-y-reverse)));margin-bottom:calc(.5rem * var(--tw-space-y-reverse))}.space-y-3>:not([hidden])~:not([hidden]){--tw-space-y-reverse: 0;margin-top:calc(.75rem * calc(1 - var(--tw-space-y-reverse)));margin-bottom:calc(.75rem * var(--tw-space-y-reverse))}.space-y-4>:not([hidden])~:not([hidden]){--tw-space-y-reverse: 0;margin-top:calc(1rem * calc(1 - var(--tw-space-y-reverse)));margin-bottom:calc(1rem * var(--tw-space-y-reverse))}.space-y-6>:not([hidden])~:not([hidden]){--tw-space-y-reverse: 0;margin-top:calc(1.5rem * calc(1 - var(--tw-space-y-reverse)));margin-bottom:calc(1.5rem * var(--tw-space-y-reverse))}.space-y-8>:not([hidden])~:not([hidden]){--tw-space-y-reverse: 0;margin-top:calc(2rem * calc(1 - var(--tw-space-y-reverse)));margin-bottom:calc(2rem * var(--tw-space-y-reverse))}.divide-x>:not([hidden])~:not([hidden]){--tw-divide-x-reverse: 0;border-right-width:calc(1px * var(--tw-divide-x-reverse));border-left-width:calc(1px * calc(1 - var(--tw-divide-x-reverse)))}.divide-y>:not([hidden])~:not([hidden]){--tw-divide-y-reverse: 0;border-top-width:calc(1px * calc(1 - var(--tw-divide-y-reverse)));border-bottom-width:calc(1px * var(--tw-divide-y-reverse))}.divide-border>:not([hidden])~:not([hidden]){border-color:hsl(var(--border))}.overflow-hidden{overflow:hidden}.overflow-x-auto{overflow-x:auto}.overflow-y-auto{overflow-y:auto}.truncate{overflow:hidden;text-overflow:ellipsis;white-space:nowrap}.rounded{border-radius:.25rem}.rounded-2xl{border-radius:1rem}.rounded-full{border-radius:9999px}.rounded-lg{border-radius:var(--radius)}.rounded-md{border-radius:calc(var(--radius) - 2px)}.rounded-xl{border-radius:.75rem}.rounded-b-lg{border-bottom-right-radius:var(--radius);border-bottom-left-radius:var(--radius)}.border{border-width:1px}.border-0{border-width:0px}.border-2{border-width:2px}.border-b{border-bottom-width:1px}.border-r{border-right-width:1px}.border-t{border-top-width:1px}.border-dashed{border-style:dashed}.border-amber-500\/20{border-color:#f59e0b33}.border-amber-500\/30{border-color:#f59e0b4d}.border-blue-500\/20{border-color:#3b82f633}.border-blue-500\/30{border-color:#3b82f64d}.border-border{border-color:hsl(var(--border))}.border-emerald-500\/20{border-color:#10b98133}.border-emerald-500\/30{border-color:#10b9814d}.border-green-500\/20{border-color:#22c55e33}.border-input{border-color:hsl(var(--input))}.border-red-500\/20{border-color:#ef444433}.border-red-500\/30{border-color:#ef44444d}.border-slate-500\/20{border-color:#64748b33}.bg-amber-500{--tw-bg-opacity: 1;background-color:rgb(245 158 11 / var(--tw-bg-opacity, 1))}.bg-amber-500\/10{background-color:#f59e0b1a}.bg-amber-500\/20{background-color:#f59e0b33}.bg-amber-500\/5{background-color:#f59e0b0d}.bg-background{background-color:hsl(var(--background))}.bg-background\/60{background-color:hsl(var(--background) / .6)}.bg-background\/80{background-color:hsl(var(--background) / .8)}.bg-black\/50{background-color:#00000080}.bg-black\/60{background-color:#0009}.bg-blue-500{--tw-bg-opacity: 1;background-color:rgb(59 130 246 / var(--tw-bg-opacity, 1))}.bg-blue-500\/10{background-color:#3b82f61a}.bg-blue-500\/20{background-color:#3b82f633}.bg-border{background-color:hsl(var(--border))}.bg-card{background-color:hsl(var(--card))}.bg-card\/80{background-color:hsl(var(--card) / .8)}.bg-card\/95{background-color:hsl(var(--card) / .95)}.bg-cyan-500{--tw-bg-opacity: 1;background-color:rgb(6 182 212 / var(--tw-bg-opacity, 1))}.bg-cyan-500\/10{background-color:#06b6d41a}.bg-cyan-500\/20{background-color:#06b6d433}.bg-destructive\/10{background-color:hsl(var(--destructive) / .1)}.bg-emerald-500{--tw-bg-opacity: 1;background-color:rgb(16 185 129 / var(--tw-bg-opacity, 1))}.bg-emerald-500\/10{background-color:#10b9811a}.bg-gray-500\/20{background-color:#6b728033}.bg-green-500{--tw-bg-opacity: 1;background-color:rgb(34 197 94 / var(--tw-bg-opacity, 1))}.bg-green-500\/20{background-color:#22c55e33}.bg-green-500\/5{background-color:#22c55e0d}.bg-muted{background-color:hsl(var(--muted))}.bg-muted\/20{background-color:hsl(var(--muted) / .2)}.bg-muted\/30{background-color:hsl(var(--muted) / .3)}.bg-muted\/50{background-color:hsl(var(--muted) / .5)}.bg-orange-500{--tw-bg-opacity: 1;background-color:rgb(249 115 22 / var(--tw-bg-opacity, 1))}.bg-orange-500\/20{background-color:#f9731633}.bg-pink-500{--tw-bg-opacity: 1;background-color:rgb(236 72 153 / var(--tw-bg-opacity, 1))}.bg-primary{background-color:hsl(var(--primary))}.bg-primary\/10{background-color:hsl(var(--primary) / .1)}.bg-purple-500{--tw-bg-opacity: 1;background-color:rgb(168 85 247 / var(--tw-bg-opacity, 1))}.bg-purple-500\/10{background-color:#a855f71a}.bg-purple-500\/20{background-color:#a855f733}.bg-red-500{--tw-bg-opacity: 1;background-color:rgb(239 68 68 / var(--tw-bg-opacity, 1))}.bg-red-500\/10{background-color:#ef44441a}.bg-red-500\/20{background-color:#ef444433}.bg-red-500\/5{background-color:#ef44440d}.bg-white{--tw-bg-opacity: 1;background-color:rgb(255 255 255 / var(--tw-bg-opacity, 1))}.bg-white\/90{background-color:#ffffffe6}.bg-gradient-to-br{background-image:linear-gradient(to bottom right,var(--tw-gradient-stops))}.from-background{--tw-gradient-from: hsl(var(--background)) var(--tw-gradient-from-position);--tw-gradient-to: hsl(var(--background) / 0) var(--tw-gradient-to-position);--tw-gradient-stops: var(--tw-gradient-from), var(--tw-gradient-to)}.from-slate-500\/5{--tw-gradient-from: rgb(100 116 139 / .05) var(--tw-gradient-from-position);--tw-gradient-to: rgb(100 116 139 / 0) var(--tw-gradient-to-position);--tw-gradient-stops: var(--tw-gradient-from), var(--tw-gradient-to)}.to-muted{--tw-gradient-to: hsl(var(--muted)) var(--tw-gradient-to-position)}.to-zinc-500\/10{--tw-gradient-to: rgb(113 113 122 / .1) var(--tw-gradient-to-position)}.object-contain{-o-object-fit:contain;object-fit:contain}.p-1{padding:.25rem}.p-1\.5{padding:.375rem}.p-2{padding:.5rem}.p-2\.5{padding:.625rem}.p-3{padding:.75rem}.p-4{padding:1rem}.p-5{padding:1.25rem}.p-6{padding:1.5rem}.p-8{padding:2rem}.px-1\.5{padding-left:.375rem;padding-right:.375rem}.px-2{padding-left:.5rem;padding-right:.5rem}.px-2\.5{padding-left:.625rem;padding-right:.625rem}.px-3{padding-left:.75rem;padding-right:.75rem}.px-4{padding-left:1rem;padding-right:1rem}.px-5{padding-left:1.25rem;padding-right:1.25rem}.px-6{padding-left:1.5rem;padding-right:1.5rem}.py-0\.5{padding-top:.125rem;padding-bottom:.125rem}.py-1{padding-top:.25rem;padding-bottom:.25rem}.py-1\.5{padding-top:.375rem;padding-bottom:.375rem}.py-12{padding-top:3rem;padding-bottom:3rem}.py-2{padding-top:.5rem;padding-bottom:.5rem}.py-2\.5{padding-top:.625rem;padding-bottom:.625rem}.py-20{padding-top:5rem;padding-bottom:5rem}.py-3{padding-top:.75rem;padding-bottom:.75rem}.py-4{padding-top:1rem;padding-bottom:1rem}.py-8{padding-top:2rem;padding-bottom:2rem}.pl-10{padding-left:2.5rem}.pr-10{padding-right:2.5rem}.pr-4{padding-right:1rem}.pt-1{padding-top:.25rem}.pt-16{padding-top:4rem}.pt-20{padding-top:5rem}.pt-3{padding-top:.75rem}.pt-4{padding-top:1rem}.pt-6{padding-top:1.5rem}.text-left{text-align:left}.text-center{text-align:center}.text-right{text-align:right}.font-mono{font-family:ui-monospace,SFMono-Regular,Menlo,Monaco,Consolas,Liberation Mono,Courier New,monospace}.text-2xl{font-size:1.5rem;line-height:2rem}.text-3xl{font-size:1.875rem;line-height:2.25rem}.text-lg{font-size:1.125rem;line-height:1.75rem}.text-sm{font-size:.875rem;line-height:1.25rem}.text-xs{font-size:.75rem;line-height:1rem}.font-bold{font-weight:700}.font-medium{font-weight:500}.font-normal{font-weight:400}.font-semibold{font-weight:600}.uppercase{text-transform:uppercase}.capitalize{text-transform:capitalize}.italic{font-style:italic}.leading-relaxed{line-height:1.625}.tracking-wide{letter-spacing:.025em}.text-amber-500{--tw-text-opacity: 1;color:rgb(245 158 11 / var(--tw-text-opacity, 1))}.text-amber-600{--tw-text-opacity: 1;color:rgb(217 119 6 / var(--tw-text-opacity, 1))}.text-amber-600\/90{color:#d97706e6}.text-amber-700{--tw-text-opacity: 1;color:rgb(180 83 9 / var(--tw-text-opacity, 1))}.text-blue-500{--tw-text-opacity: 1;color:rgb(59 130 246 / var(--tw-text-opacity, 1))}.text-blue-600{--tw-text-opacity: 1;color:rgb(37 99 235 / var(--tw-text-opacity, 1))}.text-cyan-500{--tw-text-opacity: 1;color:rgb(6 182 212 / var(--tw-text-opacity, 1))}.text-destructive{color:hsl(var(--destructive))}.text-emerald-500{--tw-text-opacity: 1;color:rgb(16 185 129 / var(--tw-text-opacity, 1))}.text-emerald-600{--tw-text-opacity: 1;color:rgb(5 150 105 / var(--tw-text-opacity, 1))}.text-foreground{color:hsl(var(--foreground))}.text-gray-500{--tw-text-opacity: 1;color:rgb(107 114 128 / var(--tw-text-opacity, 1))}.text-gray-600{--tw-text-opacity: 1;color:rgb(75 85 99 / var(--tw-text-opacity, 1))}.text-gray-700{--tw-text-opacity: 1;color:rgb(55 65 81 / var(--tw-text-opacity, 1))}.text-green-500{--tw-text-opacity: 1;color:rgb(34 197 94 / var(--tw-text-opacity, 1))}.text-muted-foreground{color:hsl(var(--muted-foreground))}.text-muted-foreground\/30{color:hsl(var(--muted-foreground) / .3)}.text-muted-foreground\/50{color:hsl(var(--muted-foreground) / .5)}.text-muted-foreground\/70{color:hsl(var(--muted-foreground) / .7)}.text-orange-500{--tw-text-opacity: 1;color:rgb(249 115 22 / var(--tw-text-opacity, 1))}.text-pink-500{--tw-text-opacity: 1;color:rgb(236 72 153 / var(--tw-text-opacity, 1))}.text-primary{color:hsl(var(--primary))}.text-primary-foreground{color:hsl(var(--primary-foreground))}.text-purple-500{--tw-text-opacity: 1;color:rgb(168 85 247 / var(--tw-text-opacity, 1))}.text-red-500{--tw-text-opacity: 1;color:rgb(239 68 68 / var(--tw-text-opacity, 1))}.text-red-600{--tw-text-opacity: 1;color:rgb(220 38 38 / var(--tw-text-opacity, 1))}.text-white{--tw-text-opacity: 1;color:rgb(255 255 255 / var(--tw-text-opacity, 1))}.opacity-30{opacity:.3}.opacity-50{opacity:.5}.opacity-60{opacity:.6}.shadow-2xl{--tw-shadow: 0 25px 50px -12px rgb(0 0 0 / .25);--tw-shadow-colored: 0 25px 50px -12px var(--tw-shadow-color);box-shadow:var(--tw-ring-offset-shadow, 0 0 #0000),var(--tw-ring-shadow, 0 0 #0000),var(--tw-shadow)}.shadow-lg{--tw-shadow: 0 10px 15px -3px rgb(0 0 0 / .1), 0 4px 6px -4px rgb(0 0 0 / .1);--tw-shadow-colored: 0 10px 15px -3px var(--tw-shadow-color), 0 4px 6px -4px var(--tw-shadow-color);box-shadow:var(--tw-ring-offset-shadow, 0 0 #0000),var(--tw-ring-shadow, 0 0 #0000),var(--tw-shadow)}.shadow-sm{--tw-shadow: 0 1px 2px 0 rgb(0 0 0 / .05);--tw-shadow-colored: 0 1px 2px 0 var(--tw-shadow-color);box-shadow:var(--tw-ring-offset-shadow, 0 0 #0000),var(--tw-ring-shadow, 0 0 #0000),var(--tw-shadow)}.shadow-xl{--tw-shadow: 0 20px 25px -5px rgb(0 0 0 / .1), 0 8px 10px -6px rgb(0 0 0 / .1);--tw-shadow-colored: 0 20px 25px -5px var(--tw-shadow-color), 0 8px 10px -6px var(--tw-shadow-color);box-shadow:var(--tw-ring-offset-shadow, 0 0 #0000),var(--tw-ring-shadow, 0 0 #0000),var(--tw-shadow)}.filter{filter:var(--tw-blur) var(--tw-brightness) var(--tw-contrast) var(--tw-grayscale) var(--tw-hue-rotate) var(--tw-invert) var(--tw-saturate) var(--tw-sepia) var(--tw-drop-shadow)}.backdrop-blur-\[1px\]{--tw-backdrop-blur: blur(1px);-webkit-backdrop-filter:var(--tw-backdrop-blur) var(--tw-backdrop-brightness) var(--tw-backdrop-contrast) var(--tw-backdrop-grayscale) var(--tw-backdrop-hue-rotate) var(--tw-backdrop-invert) var(--tw-backdrop-opacity) var(--tw-backdrop-saturate) var(--tw-backdrop-sepia);backdrop-filter:var(--tw-backdrop-blur) var(--tw-backdrop-brightness) var(--tw-backdrop-contrast) var(--tw-backdrop-grayscale) var(--tw-backdrop-hue-rotate) var(--tw-backdrop-invert) var(--tw-backdrop-opacity) var(--tw-backdrop-saturate) var(--tw-backdrop-sepia)}.backdrop-blur-sm{--tw-backdrop-blur: blur(4px);-webkit-backdrop-filter:var(--tw-backdrop-blur) var(--tw-backdrop-brightness) var(--tw-backdrop-contrast) var(--tw-backdrop-grayscale) var(--tw-backdrop-hue-rotate) var(--tw-backdrop-invert) var(--tw-backdrop-opacity) var(--tw-backdrop-saturate) var(--tw-backdrop-sepia);backdrop-filter:var(--tw-backdrop-blur) var(--tw-backdrop-brightness) var(--tw-backdrop-contrast) var(--tw-backdrop-grayscale) var(--tw-backdrop-hue-rotate) var(--tw-backdrop-invert) var(--tw-backdrop-opacity) var(--tw-backdrop-saturate) var(--tw-backdrop-sepia)}.transition{transition-property:color,background-color,border-color,text-decoration-color,fill,stroke,opacity,box-shadow,transform,filter,backdrop-filter;transition-timing-function:cubic-bezier(.4,0,.2,1);transition-duration:.15s}.transition-all{transition-property:all;transition-timing-function:cubic-bezier(.4,0,.2,1);transition-duration:.15s}.transition-colors{transition-property:color,background-color,border-color,text-decoration-color,fill,stroke;transition-timing-function:cubic-bezier(.4,0,.2,1);transition-duration:.15s}.transition-transform{transition-property:transform;transition-timing-function:cubic-bezier(.4,0,.2,1);transition-duration:.15s}.duration-200{transition-duration:.2s}.duration-300{transition-duration:.3s}::-webkit-scrollbar{width:8px;height:8px}::-webkit-scrollbar-track{background-color:hsl(var(--muted))}::-webkit-scrollbar-thumb{border-radius:9999px;background-color:hsl(var(--muted-foreground) / .3)}::-webkit-scrollbar-thumb:hover{background-color:hsl(var(--muted-foreground) / .5)}html{transition:color-scheme .2s ease}.leaflet-container{font-family:inherit;border-radius:.5rem}.leaflet-popup-content-wrapper{border-radius:.5rem;box-shadow:0 4px 6px -1px #0000001a,0 2px 4px -2px #0000001a}.leaflet-popup-content{margin:12px 14px}.dark .leaflet-popup-content-wrapper{background:#1e293b;color:#e2e8f0}.dark .leaflet-popup-tip{background:#1e293b}.dark .leaflet-popup-content a{color:#60a5fa}.custom-marker{background:transparent;border:none}.dark .leaflet-control-zoom a{background-color:#1e293b;color:#e2e8f0;border-color:#334155}.dark .leaflet-control-zoom a:hover{background-color:#334155}.dark .leaflet-control-attribution{background:#1e293bcc;color:#94a3b8}.dark .leaflet-control-attribution a{color:#60a5fa}.last\:border-0:last-child{border-width:0px}.hover\:bg-blue-600:hover{--tw-bg-opacity: 1;background-color:rgb(37 99 235 / var(--tw-bg-opacity, 1))}.hover\:bg-cyan-600:hover{--tw-bg-opacity: 1;background-color:rgb(8 145 178 / var(--tw-bg-opacity, 1))}.hover\:bg-green-500\/30:hover{background-color:#22c55e4d}.hover\:bg-muted:hover{background-color:hsl(var(--muted))}.hover\:bg-muted\/30:hover{background-color:hsl(var(--muted) / .3)}.hover\:bg-muted\/80:hover{background-color:hsl(var(--muted) / .8)}.hover\:bg-primary\/10:hover{background-color:hsl(var(--primary) / .1)}.hover\:bg-primary\/90:hover{background-color:hsl(var(--primary) / .9)}.hover\:bg-red-500\/10:hover{background-color:#ef44441a}.hover\:bg-red-500\/30:hover{background-color:#ef44444d}.hover\:bg-red-600:hover{--tw-bg-opacity: 1;background-color:rgb(220 38 38 / var(--tw-bg-opacity, 1))}.hover\:text-destructive:hover{color:hsl(var(--destructive))}.hover\:text-foreground:hover{color:hsl(var(--foreground))}.hover\:text-primary:hover{color:hsl(var(--primary))}.hover\:text-primary\/80:hover{color:hsl(var(--primary) / .8)}.hover\:text-red-500:hover{--tw-text-opacity: 1;color:rgb(239 68 68 / var(--tw-text-opacity, 1))}.hover\:underline:hover{text-decoration-line:underline}.focus\:border-primary:focus{border-color:hsl(var(--primary))}.focus\:outline-none:focus{outline:2px solid transparent;outline-offset:2px}.focus\:ring-2:focus{--tw-ring-offset-shadow: var(--tw-ring-inset) 0 0 0 var(--tw-ring-offset-width) var(--tw-ring-offset-color);--tw-ring-shadow: var(--tw-ring-inset) 0 0 0 calc(2px + var(--tw-ring-offset-width)) var(--tw-ring-color);box-shadow:var(--tw-ring-offset-shadow),var(--tw-ring-shadow),var(--tw-shadow, 0 0 #0000)}.focus\:ring-primary:focus{--tw-ring-color: hsl(var(--primary))}.focus\:ring-primary\/50:focus{--tw-ring-color: hsl(var(--primary) / .5)}.focus\:ring-offset-2:focus{--tw-ring-offset-width: 2px}.disabled\:cursor-not-allowed:disabled{cursor:not-allowed}.disabled\:opacity-50:disabled{opacity:.5}.dark\:border-slate-400\/20:is(.dark *){border-color:#94a3b833}.dark\:bg-slate-800\/90:is(.dark *){background-color:#1e293be6}.dark\:from-slate-400\/5:is(.dark *){--tw-gradient-from: rgb(148 163 184 / .05) var(--tw-gradient-from-position);--tw-gradient-to: rgb(148 163 184 / 0) var(--tw-gradient-to-position);--tw-gradient-stops: var(--tw-gradient-from), var(--tw-gradient-to)}.dark\:to-zinc-400\/10:is(.dark *){--tw-gradient-to: rgb(161 161 170 / .1) var(--tw-gradient-to-position)}.dark\:text-amber-300:is(.dark *){--tw-text-opacity: 1;color:rgb(252 211 77 / var(--tw-text-opacity, 1))}.dark\:text-amber-400:is(.dark *){--tw-text-opacity: 1;color:rgb(251 191 36 / var(--tw-text-opacity, 1))}.dark\:text-amber-400\/90:is(.dark *){color:#fbbf24e6}.dark\:text-blue-400:is(.dark *){--tw-text-opacity: 1;color:rgb(96 165 250 / var(--tw-text-opacity, 1))}.dark\:text-emerald-400:is(.dark *){--tw-text-opacity: 1;color:rgb(52 211 153 / var(--tw-text-opacity, 1))}.dark\:text-gray-300:is(.dark *){--tw-text-opacity: 1;color:rgb(209 213 219 / var(--tw-text-opacity, 1))}.dark\:text-gray-400:is(.dark *){--tw-text-opacity: 1;color:rgb(156 163 175 / var(--tw-text-opacity, 1))}.dark\:text-red-400:is(.dark *){--tw-text-opacity: 1;color:rgb(248 113 113 / var(--tw-text-opacity, 1))}@media (min-width: 640px){.sm\:block{display:block}.sm\:grid-cols-2{grid-template-columns:repeat(2,minmax(0,1fr))}}@media (min-width: 768px){.md\:grid-cols-2{grid-template-columns:repeat(2,minmax(0,1fr))}.md\:grid-cols-3{grid-template-columns:repeat(3,minmax(0,1fr))}.md\:grid-cols-4{grid-template-columns:repeat(4,minmax(0,1fr))}}@media (min-width: 1024px){.lg\:col-span-2{grid-column:span 2 / span 2}.lg\:ml-\[300px\]{margin-left:300px}.lg\:block{display:block}.lg\:flex{display:flex}.lg\:hidden{display:none}.lg\:grid-cols-2{grid-template-columns:repeat(2,minmax(0,1fr))}.lg\:grid-cols-3{grid-template-columns:repeat(3,minmax(0,1fr))}.lg\:grid-cols-4{grid-template-columns:repeat(4,minmax(0,1fr))}}