Local-first runtime cleanup and recovery hardening

bible-local/01-overview.md

@@ -3,7 +3,7 @@
 ## What is QuoteForge
 
 A corporate server configuration and quotation tool.
-Operates in **strict local-first** mode: all user operations go through local SQLite; MariaDB is used only for synchronization.
+Operates in **strict local-first** mode: all user operations go through local SQLite; MariaDB is used only by synchronization and dedicated setup/migration tooling.
 
 ---
 
@@ -18,14 +18,14 @@ Operates in **strict local-first** mode: all user operations go through local SQ
 - Full offline operation — continue working without network, sync later
 - Guarded synchronization — sync is blocked by preflight check if local schema is not ready
 
-### User Roles
+### Local Client Security Model
 
-| Role | Permissions |
-|------|-------------|
-| `viewer` | View, create quotes, export |
-| `editor` | + save configurations |
-| `pricing_admin` | + manage prices and alerts |
-| `admin` | Full access, user management |
+QuoteForge is currently a **single-user thick client** bound to `localhost`.
+
+- The local HTTP/UI layer is not treated as a multi-user security boundary.
+- RBAC is not part of the active product contract for the local client.
+- The authoritative authentication boundary is the remote sync server and its DB credentials captured during setup.
+- If the app is ever exposed beyond `localhost`, auth/RBAC must be reintroduced as an enforced perimeter before release.
 
 ### Price Freshness Indicators
 
@@ -45,7 +45,7 @@ Operates in **strict local-first** mode: all user operations go through local SQ
 | Backend | Go 1.22+, Gin, GORM |
 | Frontend | HTML, Tailwind CSS, htmx |
 | Local DB | SQLite (`qfs.db`) |
-| Server DB | MariaDB 11+ (sync + server admin) |
+| Server DB | MariaDB 11+ (sync transport only for app runtime) |
 | Export | encoding/csv, excelize (XLSX) |
 
 ---
@@ -82,7 +82,6 @@ quoteforge/
 │   ├── db/                       # DB initialization
 │   ├── handlers/                 # HTTP handlers
 │   ├── localdb/                  # SQLite layer
-│   ├── lotmatch/                 # Lot matching logic
 │   ├── middleware/               # Auth, CORS, etc.
 │   ├── models/                   # GORM models
 │   ├── repository/               # Repository layer
@@ -101,23 +100,30 @@ quoteforge/
 
 ## Integration with Existing DB
 
-QuoteForge integrates with the existing `RFQ_LOG` database:
+QuoteForge integrates with the existing `RFQ_LOG` database.
+
+Hard boundary:
+
+- normal runtime HTTP handlers, UI flows, pricing, export, BOM resolution, and project/config CRUD must use SQLite only;
+- MariaDB access is allowed only inside `internal/services/sync/*` and dedicated setup/migration tools under `cmd/`;
+- any new direct MariaDB query in non-sync runtime code is an architectural violation.
 
 **Read-only:**
 - `lot` — component catalog
 - `qt_lot_metadata` — extended component data
 - `qt_categories` — categories
 - `qt_pricelists`, `qt_pricelist_items` — pricelists
+- `stock_log` — stock quantities consumed during sync enrichment
+- `qt_partnumber_books`, `qt_partnumber_book_items` — partnumber book snapshots consumed during sync pull
 
 **Read + Write:**
 - `qt_configurations` — configurations
 - `qt_projects` — projects
 
 **Sync service tables:**
-- `qt_client_local_migrations` — migration catalog (SELECT only)
 - `qt_client_schema_state` — applied migrations state and operational client status per device (`username + hostname`)
   Fields written by QuoteForge:
-  `last_applied_migration_id`, `app_version`, `last_sync_at`, `last_sync_status`,
+  `app_version`, `last_sync_at`, `last_sync_status`,
   `pending_changes_count`, `pending_errors_count`, `configurations_count`, `projects_count`,
   `estimate_pricelist_version`, `warehouse_pricelist_version`, `competitor_pricelist_version`,
   `last_sync_error_code`, `last_sync_error_text`, `last_checked_at`, `updated_at`