Local-first runtime cleanup and recovery hardening

Mikhail Chusavitin
2026-03-07 23:18:07 +03:00
parent 4e977737ee
commit 06397a6bd1
53 changed files with 1856 additions and 2080 deletions


@@ -21,6 +21,36 @@ MariaDB (RFQ_LOG) ← pull/push only
- If MariaDB is unavailable → local work continues without restrictions
- Changes are queued in `pending_changes` and pushed on next sync
## MariaDB Boundary
MariaDB is not part of the runtime read/write path for user features.
Hard rules:
- HTTP handlers, web pages, quote calculation, export, vendor BOM resolution, pricelist browsing, project browsing, and configuration CRUD must read/write SQLite only.
- MariaDB access from the app runtime is allowed only inside the sync subsystem (`internal/services/sync/*`) for explicit pull/push work.
- Dedicated tooling under `cmd/migrate` and `cmd/migrate_ops_projects` may access MariaDB for operator-run schema/data migration tasks.
- Setup may test/store connection settings, but after setup the application must treat MariaDB as sync transport only.
- Any new repository/service/handler that issues MariaDB queries outside sync is a regression and must be rejected in review.
- Local SQLite migrations are code-defined only (`AutoMigrate` + `runLocalMigrations`); there is no server-driven client migration registry.
- Read-only local sync caches are disposable. If a local cache table cannot be migrated safely at startup, the client may quarantine/reset that cache and continue booting.
Forbidden patterns:
- calling `connMgr.GetDB()` from non-sync runtime business code;
- constructing MariaDB-backed repositories in handlers for normal user requests;
- using MariaDB as online fallback for reads when local SQLite already contains the synced dataset;
- adding UI/API features that depend on live MariaDB availability.
## Local Client Boundary
The running app is a localhost-only thick client.
- Browser/UI requests on the local machine are treated as part of the same trusted user session.
- Local routes are not modeled as a hardened multi-user API perimeter.
- Authorization to the central server happens through the saved MariaDB connection configured during setup.
- Any future deployment that binds beyond `127.0.0.1` must add enforced auth/RBAC before exposure.
---
## Synchronization
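Review bot: the "Local Client Boundary" rules (the bullets under "The running app is a localhost-only thick client.") treat every request reaching 127.0.0.1 as the trusted user's session, but a page open in the same browser can also address the loopback listener, so the doc should state that the local server still rejects requests whose `Host`/`Origin` is not the expected local origin (or requires a per-launch local token); "Local routes are not modeled as a hardened multi-user API perimeter" reads as if no request-origin check is needed at all. Two smaller points: the "Forbidden patterns" list (`connMgr.GetDB()` outside `internal/services/sync/*` and `cmd/migrate*`) is only enforced "in review" per the text, so consider naming a mechanical check (a test or lint that fails the build on such a call site) so the boundary does not depend on reviewer attention; and the cache quarantine rule ("the client may quarantine/reset that cache and continue booting") should say what quarantine means (table renamed vs. dropped), that the event is logged, and that the next sync is forced to re-pull that cache so a reset does not silently leave an empty dataset.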
@@ -61,6 +91,7 @@ pending_changes pending_changes
| Projects | Client ↔ Server ↔ Other Clients |
| Pricelists | Server → Clients only (no push) |
| Components | Server → Clients only |
| Partnumber books | Server → Clients only |
Local pricelists not present on the server and not referenced by active configurations are deleted automatically on sync.
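Review bot: the automatic deletion rule ("Local pricelists not present on the server and not referenced by active configurations are deleted automatically on sync") conflicts with the next hunk's rule that configurations are never hard-deleted, only archived: a pricelist referenced solely by archived configurations would be deleted and the archived configuration would lose its price basis. Suggest either "not referenced by any configuration (active or archived)" or an explicit statement that archived configurations snapshot their prices. The sentence should also state that the deletion happens only after the pull has completed successfully, so an interrupted or failed pull cannot remove local pricelists the server still has. Finally, the new "Partnumber books" row says nothing about whether the same prune-on-sync behaviour applies to it; state that explicitly either way.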
@@ -75,8 +106,7 @@ Configurations and projects are **never hard-deleted**. Deletion is archive via
Before every push/pull, a preflight check runs:
1. Is the server (MariaDB) reachable?
2. Can centralized local DB migrations be applied?
3. Does the application version satisfy `min_app_version` of pending migrations?
2. Is the local client schema initialized and writable?
**If the check fails:**
- Local CRUD continues without restriction
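Review bot: dropping the `min_app_version` check (the old item 3) removes the only stated guard against a client whose local schema is older or newer than what the server expects; since migrations are now purely code-defined (`AutoMigrate` + `runLocalMigrations`), the preflight section should say how schema or version skew between client and server is detected and what happens on mismatch (push refused, pull-only, or hard stop). Also the new item 2, "Is the local client schema initialized and writable?", should define "writable" concretely (e.g. a write inside a rolled-back transaction on the SQLite file), otherwise a read-only or locked database is only noticed mid-sync.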
@@ -91,6 +121,7 @@ Before every push/pull, a preflight check runs:
**Prices come only from `local_pricelist_items`.**
Components (`local_components`) are metadata-only — they contain no pricing information.
Stock enrichment for pricelist rows is persisted into `local_pricelist_items` during sync; UI/runtime must not resolve it live from MariaDB.
### Lookup Pattern
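Review bot: the added sentence "Stock enrichment for pricelist rows is persisted into `local_pricelist_items` during sync; UI/runtime must not resolve it live from MariaDB" makes stock a sync-time snapshot, so the doc should say how stale that snapshot may be and that the UI surfaces the last-sync timestamp next to stock values; it should also name the column(s) in `local_pricelist_items` that carry the enrichment so a reader can tell persisted stock apart from price fields, given the preceding rule that prices come only from that table.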