Local-first runtime cleanup and recovery hardening

2026-03-07 23:18:07 +03:00
parent 4e977737ee
commit 06397a6bd1
53 changed files with 1856 additions and 2080 deletions
--- a/internal/appstate/backup.go
+++ b/internal/appstate/backup.go
@@ -88,6 +88,9 @@ func EnsureRotatingLocalBackup(dbPath, configPath string) ([]string, error) {
 	}

 	root := resolveBackupRoot(dbPath)
+	if err := validateBackupRoot(root); err != nil {
+		return nil, err
+	}
 	now := backupNow()

 	created := make([]string, 0)
@@ -111,6 +114,40 @@ func resolveBackupRoot(dbPath string) string {
 	return filepath.Join(filepath.Dir(dbPath), "backups")
 }

+func validateBackupRoot(root string) error {
+	absRoot, err := filepath.Abs(root)
+	if err != nil {
+		return fmt.Errorf("resolve backup root: %w", err)
+	}
+
+	if gitRoot, ok := findGitWorktreeRoot(absRoot); ok {
+		return fmt.Errorf("backup root must stay outside git worktree: %s is inside %s", absRoot, gitRoot)
+	}
+
+	return nil
+}
+
+func findGitWorktreeRoot(path string) (string, bool) {
+	current := filepath.Clean(path)
+	info, err := os.Stat(current)
+	if err == nil && !info.IsDir() {
+		current = filepath.Dir(current)
+	}
+
+	for {
+		gitPath := filepath.Join(current, ".git")
+		if _, err := os.Stat(gitPath); err == nil {
+			return current, true
+		}
+
+		parent := filepath.Dir(current)
+		if parent == current {
+			return "", false
+		}
+		current = parent
+	}
+}
+
 func isBackupDisabled() bool {
 	val := strings.ToLower(strings.TrimSpace(os.Getenv(envBackupDisable)))
 	return val == "1" || val == "true" || val == "yes"
--- a/internal/appstate/backup_test.go
+++ b/internal/appstate/backup_test.go
@@ -3,6 +3,7 @@ package appstate
 import (
 	"os"
 	"path/filepath"
+	"strings"
 	"testing"
 	"time"
 )
@@ -69,7 +70,7 @@ func TestEnsureRotatingLocalBackupEnvControls(t *testing.T) {
 	if _, err := EnsureRotatingLocalBackup(dbPath, cfgPath); err != nil {
 		t.Fatalf("backup with env: %v", err)
 	}
-	if _, err := os.Stat(filepath.Join(backupRoot, "daily", "meta.json")); err != nil {
+	if _, err := os.Stat(filepath.Join(backupRoot, "daily", ".period.json")); err != nil {
 		t.Fatalf("expected backup in custom dir: %v", err)
 	}

@@ -77,7 +78,35 @@ func TestEnsureRotatingLocalBackupEnvControls(t *testing.T) {
 	if _, err := EnsureRotatingLocalBackup(dbPath, cfgPath); err != nil {
 		t.Fatalf("backup disabled: %v", err)
 	}
-	if _, err := os.Stat(filepath.Join(backupRoot, "daily", "meta.json")); err != nil {
+	if _, err := os.Stat(filepath.Join(backupRoot, "daily", ".period.json")); err != nil {
 		t.Fatalf("backup should remain from previous run: %v", err)
 	}
 }
+
+func TestEnsureRotatingLocalBackupRejectsGitWorktree(t *testing.T) {
+	temp := t.TempDir()
+	repoRoot := filepath.Join(temp, "repo")
+	if err := os.MkdirAll(filepath.Join(repoRoot, ".git"), 0755); err != nil {
+		t.Fatalf("mkdir git dir: %v", err)
+	}
+
+	dbPath := filepath.Join(repoRoot, "data", "qfs.db")
+	cfgPath := filepath.Join(repoRoot, "data", "config.yaml")
+	if err := os.MkdirAll(filepath.Dir(dbPath), 0755); err != nil {
+		t.Fatalf("mkdir data dir: %v", err)
+	}
+	if err := os.WriteFile(dbPath, []byte("db"), 0644); err != nil {
+		t.Fatalf("write db: %v", err)
+	}
+	if err := os.WriteFile(cfgPath, []byte("cfg"), 0644); err != nil {
+		t.Fatalf("write cfg: %v", err)
+	}
+
+	_, err := EnsureRotatingLocalBackup(dbPath, cfgPath)
+	if err == nil {
+		t.Fatal("expected git worktree backup root to be rejected")
+	}
+	if !strings.Contains(err.Error(), "outside git worktree") {
+		t.Fatalf("unexpected error: %v", err)
+	}
+}
--- a/internal/config/config.go
+++ b/internal/config/config.go
@@ -14,7 +14,6 @@ import (
 type Config struct {
 	Server        ServerConfig        `yaml:"server"`
 	Database      DatabaseConfig      `yaml:"database"`
-	Auth          AuthConfig          `yaml:"auth"`
 	Pricing       PricingConfig       `yaml:"pricing"`
 	Export        ExportConfig        `yaml:"export"`
 	Alerts        AlertsConfig        `yaml:"alerts"`
@@ -57,12 +56,6 @@ func (d *DatabaseConfig) DSN() string {
 	return cfg.FormatDSN()
 }

-type AuthConfig struct {
-	JWTSecret     string        `yaml:"jwt_secret"`
-	TokenExpiry   time.Duration `yaml:"token_expiry"`
-	RefreshExpiry time.Duration `yaml:"refresh_expiry"`
-}
-
 type PricingConfig struct {
 	DefaultMethod       string `yaml:"default_method"`
 	DefaultPeriodDays   int    `yaml:"default_period_days"`
@@ -152,13 +145,6 @@ func (c *Config) setDefaults() {
 		c.Database.ConnMaxLifetime = 5 * time.Minute
 	}

-	if c.Auth.TokenExpiry == 0 {
-		c.Auth.TokenExpiry = 24 * time.Hour
-	}
-	if c.Auth.RefreshExpiry == 0 {
-		c.Auth.RefreshExpiry = 7 * 24 * time.Hour
-	}
-
 	if c.Pricing.DefaultMethod == "" {
 		c.Pricing.DefaultMethod = "weighted_median"
 	}
--- a/internal/handlers/auth.go
+++ b/internal/handlers/auth.go
@@ -1,113 +0,0 @@
-package handlers
-
-import (
-	"net/http"
-
-	"github.com/gin-gonic/gin"
-	"git.mchus.pro/mchus/quoteforge/internal/middleware"
-	"git.mchus.pro/mchus/quoteforge/internal/repository"
-	"git.mchus.pro/mchus/quoteforge/internal/services"
-)
-
-type AuthHandler struct {
-	authService *services.AuthService
-	userRepo    *repository.UserRepository
-}
-
-func NewAuthHandler(authService *services.AuthService, userRepo *repository.UserRepository) *AuthHandler {
-	return &AuthHandler{
-		authService: authService,
-		userRepo:    userRepo,
-	}
-}
-
-type LoginRequest struct {
-	Username string `json:"username" binding:"required"`
-	Password string `json:"password" binding:"required"`
-}
-
-type LoginResponse struct {
-	AccessToken  string `json:"access_token"`
-	RefreshToken string `json:"refresh_token"`
-	ExpiresAt    int64  `json:"expires_at"`
-	User         UserResponse `json:"user"`
-}
-
-type UserResponse struct {
-	ID       uint   `json:"id"`
-	Username string `json:"username"`
-	Email    string `json:"email"`
-	Role     string `json:"role"`
-}
-
-func (h *AuthHandler) Login(c *gin.Context) {
-	var req LoginRequest
-	if err := c.ShouldBindJSON(&req); err != nil {
-		c.JSON(http.StatusBadRequest, gin.H{"error": err.Error()})
-		return
-	}
-
-	tokens, user, err := h.authService.Login(req.Username, req.Password)
-	if err != nil {
-		c.JSON(http.StatusUnauthorized, gin.H{"error": err.Error()})
-		return
-	}
-
-	c.JSON(http.StatusOK, LoginResponse{
-		AccessToken:  tokens.AccessToken,
-		RefreshToken: tokens.RefreshToken,
-		ExpiresAt:    tokens.ExpiresAt,
-		User: UserResponse{
-			ID:       user.ID,
-			Username: user.Username,
-			Email:    user.Email,
-			Role:     string(user.Role),
-		},
-	})
-}
-
-type RefreshRequest struct {
-	RefreshToken string `json:"refresh_token" binding:"required"`
-}
-
-func (h *AuthHandler) Refresh(c *gin.Context) {
-	var req RefreshRequest
-	if err := c.ShouldBindJSON(&req); err != nil {
-		c.JSON(http.StatusBadRequest, gin.H{"error": err.Error()})
-		return
-	}
-
-	tokens, err := h.authService.RefreshTokens(req.RefreshToken)
-	if err != nil {
-		c.JSON(http.StatusUnauthorized, gin.H{"error": err.Error()})
-		return
-	}
-
-	c.JSON(http.StatusOK, tokens)
-}
-
-func (h *AuthHandler) Me(c *gin.Context) {
-	claims := middleware.GetClaims(c)
-	if claims == nil {
-		c.JSON(http.StatusUnauthorized, gin.H{"error": "not authenticated"})
-		return
-	}
-
-	user, err := h.userRepo.GetByID(claims.UserID)
-	if err != nil {
-		c.JSON(http.StatusNotFound, gin.H{"error": "user not found"})
-		return
-	}
-
-	c.JSON(http.StatusOK, UserResponse{
-		ID:       user.ID,
-		Username: user.Username,
-		Email:    user.Email,
-		Role:     string(user.Role),
-	})
-}
-
-func (h *AuthHandler) Logout(c *gin.Context) {
-	// JWT is stateless, logout is handled on client by discarding tokens
-	c.JSON(http.StatusOK, gin.H{"message": "logged out"})
-}
--- a/internal/handlers/configuration.go
+++ b/internal/handlers/configuration.go
@@ -1,239 +0,0 @@
-package handlers
-
-import (
-	"net/http"
-	"strconv"
-
-	"git.mchus.pro/mchus/quoteforge/internal/middleware"
-	"git.mchus.pro/mchus/quoteforge/internal/services"
-	"github.com/gin-gonic/gin"
-)
-
-type ConfigurationHandler struct {
-	configService *services.ConfigurationService
-	exportService *services.ExportService
-}
-
-func NewConfigurationHandler(
-	configService *services.ConfigurationService,
-	exportService *services.ExportService,
-) *ConfigurationHandler {
-	return &ConfigurationHandler{
-		configService: configService,
-		exportService: exportService,
-	}
-}
-
-func (h *ConfigurationHandler) List(c *gin.Context) {
-	username := middleware.GetUsername(c)
-	page, _ := strconv.Atoi(c.DefaultQuery("page", "1"))
-	perPage, _ := strconv.Atoi(c.DefaultQuery("per_page", "20"))
-
-	configs, total, err := h.configService.ListByUser(username, page, perPage)
-	if err != nil {
-		c.JSON(http.StatusInternalServerError, gin.H{"error": err.Error()})
-		return
-	}
-
-	c.JSON(http.StatusOK, gin.H{
-		"configurations": configs,
-		"total":          total,
-		"page":           page,
-		"per_page":       perPage,
-	})
-}
-
-func (h *ConfigurationHandler) Create(c *gin.Context) {
-	username := middleware.GetUsername(c)
-
-	var req services.CreateConfigRequest
-	if err := c.ShouldBindJSON(&req); err != nil {
-		c.JSON(http.StatusBadRequest, gin.H{"error": err.Error()})
-		return
-	}
-
-	config, err := h.configService.Create(username, &req)
-	if err != nil {
-		c.JSON(http.StatusInternalServerError, gin.H{"error": err.Error()})
-		return
-	}
-
-	c.JSON(http.StatusCreated, config)
-}
-
-func (h *ConfigurationHandler) Get(c *gin.Context) {
-	username := middleware.GetUsername(c)
-	uuid := c.Param("uuid")
-
-	config, err := h.configService.GetByUUID(uuid, username)
-	if err != nil {
-		status := http.StatusNotFound
-		if err == services.ErrConfigForbidden {
-			status = http.StatusForbidden
-		}
-		c.JSON(status, gin.H{"error": err.Error()})
-		return
-	}
-
-	c.JSON(http.StatusOK, config)
-}
-
-func (h *ConfigurationHandler) Update(c *gin.Context) {
-	username := middleware.GetUsername(c)
-	uuid := c.Param("uuid")
-
-	var req services.CreateConfigRequest
-	if err := c.ShouldBindJSON(&req); err != nil {
-		c.JSON(http.StatusBadRequest, gin.H{"error": err.Error()})
-		return
-	}
-
-	config, err := h.configService.Update(uuid, username, &req)
-	if err != nil {
-		status := http.StatusInternalServerError
-		if err == services.ErrConfigNotFound {
-			status = http.StatusNotFound
-		} else if err == services.ErrConfigForbidden {
-			status = http.StatusForbidden
-		}
-		c.JSON(status, gin.H{"error": err.Error()})
-		return
-	}
-
-	c.JSON(http.StatusOK, config)
-}
-
-func (h *ConfigurationHandler) Delete(c *gin.Context) {
-	username := middleware.GetUsername(c)
-	uuid := c.Param("uuid")
-
-	err := h.configService.Delete(uuid, username)
-	if err != nil {
-		status := http.StatusInternalServerError
-		if err == services.ErrConfigNotFound {
-			status = http.StatusNotFound
-		} else if err == services.ErrConfigForbidden {
-			status = http.StatusForbidden
-		}
-		c.JSON(status, gin.H{"error": err.Error()})
-		return
-	}
-
-	c.JSON(http.StatusOK, gin.H{"message": "deleted"})
-}
-
-type RenameConfigRequest struct {
-	Name string `json:"name" binding:"required"`
-}
-
-func (h *ConfigurationHandler) Rename(c *gin.Context) {
-	username := middleware.GetUsername(c)
-	uuid := c.Param("uuid")
-
-	var req RenameConfigRequest
-	if err := c.ShouldBindJSON(&req); err != nil {
-		c.JSON(http.StatusBadRequest, gin.H{"error": err.Error()})
-		return
-	}
-
-	config, err := h.configService.Rename(uuid, username, req.Name)
-	if err != nil {
-		status := http.StatusInternalServerError
-		if err == services.ErrConfigNotFound {
-			status = http.StatusNotFound
-		} else if err == services.ErrConfigForbidden {
-			status = http.StatusForbidden
-		}
-		c.JSON(status, gin.H{"error": err.Error()})
-		return
-	}
-
-	c.JSON(http.StatusOK, config)
-}
-
-type CloneConfigRequest struct {
-	Name string `json:"name" binding:"required"`
-}
-
-func (h *ConfigurationHandler) Clone(c *gin.Context) {
-	username := middleware.GetUsername(c)
-	uuid := c.Param("uuid")
-
-	var req CloneConfigRequest
-	if err := c.ShouldBindJSON(&req); err != nil {
-		c.JSON(http.StatusBadRequest, gin.H{"error": err.Error()})
-		return
-	}
-
-	config, err := h.configService.Clone(uuid, username, req.Name)
-	if err != nil {
-		status := http.StatusInternalServerError
-		if err == services.ErrConfigNotFound {
-			status = http.StatusNotFound
-		} else if err == services.ErrConfigForbidden {
-			status = http.StatusForbidden
-		}
-		c.JSON(status, gin.H{"error": err.Error()})
-		return
-	}
-
-	c.JSON(http.StatusCreated, config)
-}
-
-func (h *ConfigurationHandler) RefreshPrices(c *gin.Context) {
-	username := middleware.GetUsername(c)
-	uuid := c.Param("uuid")
-
-	config, err := h.configService.RefreshPrices(uuid, username)
-	if err != nil {
-		status := http.StatusInternalServerError
-		if err == services.ErrConfigNotFound {
-			status = http.StatusNotFound
-		} else if err == services.ErrConfigForbidden {
-			status = http.StatusForbidden
-		}
-		c.JSON(status, gin.H{"error": err.Error()})
-		return
-	}
-
-	c.JSON(http.StatusOK, config)
-}
-
-// func (h *ConfigurationHandler) ExportJSON(c *gin.Context) {
-// 	userID := middleware.GetUserID(c)
-// 	uuid := c.Param("uuid")
-//
-// 	config, err := h.configService.GetByUUID(uuid, userID)
-// 	if err != nil {
-// 		c.JSON(http.StatusNotFound, gin.H{"error": err.Error()})
-// 		return
-// 	}
-//
-// 	data, err := h.configService.ExportJSON(uuid, userID)
-// 	if err != nil {
-// 		c.JSON(http.StatusNotFound, gin.H{"error": err.Error()})
-// 		return
-// 	}
-//
-// 	filename := fmt.Sprintf("%s %s SPEC.json", config.CreatedAt.Format("2006-01-02"), config.Name)
-// 	c.Header("Content-Disposition", fmt.Sprintf("attachment; filename=\"%s\"", filename))
-// 	c.Data(http.StatusOK, "application/json", data)
-// }
-
-// func (h *ConfigurationHandler) ImportJSON(c *gin.Context) {
-// 	userID := middleware.GetUserID(c)
-//
-// 	data, err := io.ReadAll(c.Request.Body)
-// 	if err != nil {
-// 		c.JSON(http.StatusBadRequest, gin.H{"error": "failed to read body"})
-// 		return
-// 	}
-//
-// 	config, err := h.configService.ImportJSON(userID, data)
-// 	if err != nil {
-// 		c.JSON(http.StatusBadRequest, gin.H{"error": err.Error()})
-// 		return
-// 	}
-//
-// 	c.JSON(http.StatusCreated, config)
-// }
--- a/internal/handlers/export.go
+++ b/internal/handlers/export.go
@@ -6,7 +6,6 @@ import (
 	"strings"
 	"time"

-	"git.mchus.pro/mchus/quoteforge/internal/middleware"
 	"git.mchus.pro/mchus/quoteforge/internal/models"
 	"git.mchus.pro/mchus/quoteforge/internal/services"
 	"github.com/gin-gonic/gin"
@@ -16,17 +15,20 @@ type ExportHandler struct {
 	exportService  *services.ExportService
 	configService  services.ConfigurationGetter
 	projectService *services.ProjectService
+	dbUsername     string
 }

 func NewExportHandler(
 	exportService *services.ExportService,
 	configService services.ConfigurationGetter,
 	projectService *services.ProjectService,
+	dbUsername string,
 ) *ExportHandler {
 	return &ExportHandler{
 		exportService:  exportService,
 		configService:  configService,
 		projectService: projectService,
+		dbUsername:     dbUsername,
 	}
 }

@@ -71,8 +73,7 @@ func (h *ExportHandler) ExportCSV(c *gin.Context) {
 	// Get project code for filename
 	projectCode := req.ProjectName // legacy field: may contain code from frontend
 	if projectCode == "" && req.ProjectUUID != "" {
-		username := middleware.GetUsername(c)
-		if project, err := h.projectService.GetByUUID(req.ProjectUUID, username); err == nil && project != nil {
+		if project, err := h.projectService.GetByUUID(req.ProjectUUID, h.dbUsername); err == nil && project != nil {
 			projectCode = project.Code
 		}
 	}
@@ -144,11 +145,10 @@ func sanitizeFilenameSegment(value string) string {
 }

 func (h *ExportHandler) ExportConfigCSV(c *gin.Context) {
-	username := middleware.GetUsername(c)
 	uuid := c.Param("uuid")

 	// Get config before streaming (can return JSON error)
-	config, err := h.configService.GetByUUID(uuid, username)
+	config, err := h.configService.GetByUUID(uuid, h.dbUsername)
 	if err != nil {
 		c.JSON(http.StatusNotFound, gin.H{"error": err.Error()})
 		return
@@ -165,7 +165,7 @@ func (h *ExportHandler) ExportConfigCSV(c *gin.Context) {
 	// Get project code for filename
 	projectCode := config.Name // fallback: use config name if no project
 	if config.ProjectUUID != nil && *config.ProjectUUID != "" {
-		if project, err := h.projectService.GetByUUID(*config.ProjectUUID, username); err == nil && project != nil {
+		if project, err := h.projectService.GetByUUID(*config.ProjectUUID, h.dbUsername); err == nil && project != nil {
 			projectCode = project.Code
 		}
 	}
@@ -189,16 +189,15 @@ func (h *ExportHandler) ExportConfigCSV(c *gin.Context) {

 // ExportProjectCSV exports all active configurations of a project as a single CSV file.
 func (h *ExportHandler) ExportProjectCSV(c *gin.Context) {
-	username := middleware.GetUsername(c)
 	projectUUID := c.Param("uuid")

-	project, err := h.projectService.GetByUUID(projectUUID, username)
+	project, err := h.projectService.GetByUUID(projectUUID, h.dbUsername)
 	if err != nil {
 		c.JSON(http.StatusNotFound, gin.H{"error": err.Error()})
 		return
 	}

-	result, err := h.projectService.ListConfigurations(projectUUID, username, "active")
+	result, err := h.projectService.ListConfigurations(projectUUID, h.dbUsername, "active")
 	if err != nil {
 		c.JSON(http.StatusInternalServerError, gin.H{"error": err.Error()})
 		return
@@ -223,7 +222,6 @@ func (h *ExportHandler) ExportProjectCSV(c *gin.Context) {
 }

 func (h *ExportHandler) ExportProjectPricingCSV(c *gin.Context) {
-	username := middleware.GetUsername(c)
 	projectUUID := c.Param("uuid")

 	var req ProjectExportOptionsRequest
@@ -232,13 +230,13 @@ func (h *ExportHandler) ExportProjectPricingCSV(c *gin.Context) {
 		return
 	}

-	project, err := h.projectService.GetByUUID(projectUUID, username)
+	project, err := h.projectService.GetByUUID(projectUUID, h.dbUsername)
 	if err != nil {
 		c.JSON(http.StatusNotFound, gin.H{"error": err.Error()})
 		return
 	}

-	result, err := h.projectService.ListConfigurations(projectUUID, username, "active")
+	result, err := h.projectService.ListConfigurations(projectUUID, h.dbUsername, "active")
 	if err != nil {
 		c.JSON(http.StatusInternalServerError, gin.H{"error": err.Error()})
 		return
--- a/internal/handlers/export_test.go
+++ b/internal/handlers/export_test.go
@@ -26,7 +26,6 @@ func (m *mockConfigService) GetByUUID(uuid string, ownerUsername string) (*model
 	return m.config, m.err
 }

-
 func TestExportCSV_Success(t *testing.T) {
 	gin.SetMode(gin.TestMode)

@@ -36,6 +35,7 @@ func TestExportCSV_Success(t *testing.T) {
 		exportSvc,
 		&mockConfigService{},
 		nil,
+		"testuser",
 	)

 	// Create JSON request body
@@ -110,6 +110,7 @@ func TestExportCSV_InvalidRequest(t *testing.T) {
 		exportSvc,
 		&mockConfigService{},
 		nil,
+		"testuser",
 	)

 	// Create invalid request (missing required field)
@@ -143,6 +144,7 @@ func TestExportCSV_EmptyItems(t *testing.T) {
 		exportSvc,
 		&mockConfigService{},
 		nil,
+		"testuser",
 	)

 	// Create request with empty items array - should fail binding validation
@@ -184,6 +186,7 @@ func TestExportConfigCSV_Success(t *testing.T) {
 		exportSvc,
 		&mockConfigService{config: mockConfig},
 		nil,
+		"testuser",
 	)

 	// Create HTTP request
@@ -196,9 +199,6 @@ func TestExportConfigCSV_Success(t *testing.T) {
 		{Key: "uuid", Value: "test-uuid"},
 	}

-	// Mock middleware.GetUsername
-	c.Set("username", "testuser")
-
 	handler.ExportConfigCSV(c)

 	// Check status code
@@ -233,6 +233,7 @@ func TestExportConfigCSV_NotFound(t *testing.T) {
 		exportSvc,
 		&mockConfigService{err: errors.New("config not found")},
 		nil,
+		"testuser",
 	)

 	req, _ := http.NewRequest("GET", "/api/configs/nonexistent-uuid/export", nil)
@@ -243,8 +244,6 @@ func TestExportConfigCSV_NotFound(t *testing.T) {
 	c.Params = gin.Params{
 		{Key: "uuid", Value: "nonexistent-uuid"},
 	}
-	c.Set("username", "testuser")
-
 	handler.ExportConfigCSV(c)

 	// Should return 404 Not Found
@@ -277,6 +276,7 @@ func TestExportConfigCSV_EmptyItems(t *testing.T) {
 		exportSvc,
 		&mockConfigService{config: mockConfig},
 		nil,
+		"testuser",
 	)

 	req, _ := http.NewRequest("GET", "/api/configs/test-uuid/export", nil)
@@ -287,8 +287,6 @@ func TestExportConfigCSV_EmptyItems(t *testing.T) {
 	c.Params = gin.Params{
 		{Key: "uuid", Value: "test-uuid"},
 	}
-	c.Set("username", "testuser")
-
 	handler.ExportConfigCSV(c)

 	// Should return 400 Bad Request
--- a/internal/handlers/partnumber_books.go
+++ b/internal/handlers/partnumber_books.go
@@ -91,16 +91,16 @@ func (h *PartnumberBooksHandler) GetItems(c *gin.Context) {
 	}

 	c.JSON(http.StatusOK, gin.H{
-		"book_id":       book.ServerID,
-		"version":       book.Version,
-		"is_active":     book.IsActive,
-		"items":         items,
-		"total":         total,
-		"page":          page,
-		"per_page":      perPage,
-		"search":        search,
-		"book_total":    bookRepo.CountBookItems(book.ID),
-		"lot_count":     bookRepo.CountDistinctLots(book.ID),
-		"primary_count": bookRepo.CountPrimaryItems(book.ID),
+		"book_id":     book.ServerID,
+		"version":     book.Version,
+		"is_active":   book.IsActive,
+		"partnumbers": book.PartnumbersJSON,
+		"items":       items,
+		"total":       total,
+		"page":        page,
+		"per_page":    perPage,
+		"search":      search,
+		"book_total":  bookRepo.CountBookItems(book.ID),
+		"lot_count":   bookRepo.CountDistinctLots(book.ID),
 	})
 }
--- a/internal/handlers/sync.go
+++ b/internal/handlers/sync.go
@@ -516,18 +516,11 @@ func (h *SyncHandler) GetInfo(c *gin.Context) {
 	// Get sync times
 	lastPricelistSync := h.localDB.GetLastSyncTime()

-	// Get MariaDB counts (if online)
-	var lotCount, lotLogCount int64
-	if isOnline {
-		if mariaDB, err := h.connMgr.GetDB(); err == nil {
-			mariaDB.Table("lot").Count(&lotCount)
-			mariaDB.Table("lot_log").Count(&lotLogCount)
-		}
-	}
-
 	// Get local counts
 	configCount := h.localDB.CountConfigurations()
 	projectCount := h.localDB.CountProjects()
+	componentCount := h.localDB.CountLocalComponents()
+	pricelistCount := h.localDB.CountLocalPricelists()

 	// Get error count (only changes with LastError != "")
 	errorCount := int(h.localDB.CountErroredChanges())
@@ -562,8 +555,8 @@ func (h *SyncHandler) GetInfo(c *gin.Context) {
 		DBName:         dbName,
 		IsOnline:       isOnline,
 		LastSyncAt:     lastPricelistSync,
-		LotCount:       lotCount,
-		LotLogCount:    lotLogCount,
+		LotCount:       componentCount,
+		LotLogCount:    pricelistCount,
 		ConfigCount:    configCount,
 		ProjectCount:   projectCount,
 		PendingChanges: changes,
--- a/internal/handlers/web.go
+++ b/internal/handlers/web.go
@@ -3,19 +3,20 @@ package handlers
 import (
 	"html/template"
 	"strconv"
+	"strings"

 	qfassets "git.mchus.pro/mchus/quoteforge"
-	"git.mchus.pro/mchus/quoteforge/internal/repository"
-	"git.mchus.pro/mchus/quoteforge/internal/services"
+	"git.mchus.pro/mchus/quoteforge/internal/localdb"
+	"git.mchus.pro/mchus/quoteforge/internal/models"
 	"github.com/gin-gonic/gin"
 )

 type WebHandler struct {
-	templates        map[string]*template.Template
-	componentService *services.ComponentService
+	templates map[string]*template.Template
+	localDB   *localdb.LocalDB
 }

-func NewWebHandler(_ string, componentService *services.ComponentService) (*WebHandler, error) {
+func NewWebHandler(_ string, localDB *localdb.LocalDB) (*WebHandler, error) {
 	funcMap := template.FuncMap{
 		"sub": func(a, b int) int { return a - b },
 		"add": func(a, b int) int { return a + b },
@@ -59,7 +60,7 @@ func NewWebHandler(_ string, componentService *services.ComponentService) (*WebH

 	templates := make(map[string]*template.Template)
 	// Load each page template with base
-	simplePages := []string{"login.html", "configs.html", "projects.html", "project_detail.html", "pricelists.html", "pricelist_detail.html", "config_revisions.html", "partnumber_books.html"}
+	simplePages := []string{"configs.html", "projects.html", "project_detail.html", "pricelists.html", "pricelist_detail.html", "config_revisions.html", "partnumber_books.html"}
 	for _, page := range simplePages {
 		var tmpl *template.Template
 		var err error
@@ -104,8 +105,8 @@ func NewWebHandler(_ string, componentService *services.ComponentService) (*WebH
 	}

 	return &WebHandler{
-		templates:        templates,
-		componentService: componentService,
+		templates: templates,
+		localDB:   localDB,
 	}, nil
 }

@@ -128,36 +129,28 @@ func (h *WebHandler) Index(c *gin.Context) {
 }

 func (h *WebHandler) Configurator(c *gin.Context) {
-	categories, _ := h.componentService.GetCategories()
 	uuid := c.Query("uuid")
-
-	filter := repository.ComponentFilter{}
-	result, err := h.componentService.List(filter, 1, 20)
+	categories, _ := h.localCategories()
+	components, total, err := h.localDB.ListComponents(localdb.ComponentFilter{}, 0, 20)

 	data := gin.H{
 		"ActivePage": "configurator",
 		"Categories": categories,
-		"Components": []interface{}{},
+		"Components": []localComponentView{},
 		"Total":      int64(0),
 		"Page":       1,
 		"PerPage":    20,
 		"ConfigUUID": uuid,
 	}

-	if err == nil && result != nil {
-		data["Components"] = result.Components
-		data["Total"] = result.Total
-		data["Page"] = result.Page
-		data["PerPage"] = result.PerPage
+	if err == nil {
+		data["Components"] = toLocalComponentViews(components)
+		data["Total"] = total
 	}

 	h.render(c, "index.html", data)
 }

-func (h *WebHandler) Login(c *gin.Context) {
-	h.render(c, "login.html", nil)
-}
-
 func (h *WebHandler) Configs(c *gin.Context) {
 	h.render(c, "configs.html", gin.H{"ActivePage": "configs"})
 }
@@ -196,25 +189,30 @@ func (h *WebHandler) PartnumberBooks(c *gin.Context) {

 func (h *WebHandler) ComponentsPartial(c *gin.Context) {
 	page, _ := strconv.Atoi(c.DefaultQuery("page", "1"))
+	if page < 1 {
+		page = 1
+	}

-	filter := repository.ComponentFilter{
+	filter := localdb.ComponentFilter{
 		Category: c.Query("category"),
 		Search:   c.Query("search"),
 	}
+	if c.Query("has_price") == "true" {
+		filter.HasPrice = true
+	}
+	offset := (page - 1) * 20

 	data := gin.H{
-		"Components": []interface{}{},
+		"Components": []localComponentView{},
 		"Total":      int64(0),
 		"Page":       page,
 		"PerPage":    20,
 	}

-	result, err := h.componentService.List(filter, page, 20)
-	if err == nil && result != nil {
-		data["Components"] = result.Components
-		data["Total"] = result.Total
-		data["Page"] = result.Page
-		data["PerPage"] = result.PerPage
+	components, total, err := h.localDB.ListComponents(filter, offset, 20)
+	if err == nil {
+		data["Components"] = toLocalComponentViews(components)
+		data["Total"] = total
 	}

 	c.Header("Content-Type", "text/html; charset=utf-8")
@@ -222,3 +220,46 @@ func (h *WebHandler) ComponentsPartial(c *gin.Context) {
 		tmpl.ExecuteTemplate(c.Writer, "components_list.html", data)
 	}
 }
+
+type localComponentView struct {
+	LotName      string
+	Description  string
+	Category     string
+	CategoryName string
+	Model        string
+	CurrentPrice *float64
+}
+
+func toLocalComponentViews(items []localdb.LocalComponent) []localComponentView {
+	result := make([]localComponentView, 0, len(items))
+	for _, item := range items {
+		result = append(result, localComponentView{
+			LotName:      item.LotName,
+			Description:  item.LotDescription,
+			Category:     item.Category,
+			CategoryName: item.Category,
+			Model:        item.Model,
+		})
+	}
+	return result
+}
+
+func (h *WebHandler) localCategories() ([]models.Category, error) {
+	codes, err := h.localDB.GetLocalComponentCategories()
+	if err != nil || len(codes) == 0 {
+		return []models.Category{}, err
+	}
+
+	categories := make([]models.Category, 0, len(codes))
+	for _, code := range codes {
+		trimmed := strings.TrimSpace(code)
+		if trimmed == "" {
+			continue
+		}
+		categories = append(categories, models.Category{
+			Code: trimmed,
+			Name: trimmed,
+		})
+	}
+	return categories, nil
+}
--- a/internal/localdb/converters.go
+++ b/internal/localdb/converters.go
@@ -46,10 +46,6 @@ func ConfigurationToLocal(cfg *models.Configuration) *LocalConfiguration {
 		OriginalUsername:      cfg.OwnerUsername,
 	}

-	if local.OriginalUsername == "" && cfg.User != nil {
-		local.OriginalUsername = cfg.User.Username
-	}
-
 	if cfg.ID > 0 {
 		serverID := cfg.ID
 		local.ServerID = &serverID
--- a/internal/localdb/encryption.go
+++ b/internal/localdb/encryption.go
@@ -7,19 +7,104 @@ import (
 	"crypto/sha256"
 	"encoding/base64"
 	"errors"
+	"fmt"
 	"io"
 	"os"
+	"path/filepath"
+	"strings"
+
+	"git.mchus.pro/mchus/quoteforge/internal/appstate"
 )

-// getEncryptionKey derives a 32-byte key from environment variable or machine ID
-func getEncryptionKey() []byte {
+const encryptionKeyFileName = "local_encryption.key"
+
+// getEncryptionKey resolves the active encryption key.
+// Preference order:
+// 1. QUOTEFORGE_ENCRYPTION_KEY env var
+// 2. application-managed random key file in the user state directory
+func getEncryptionKey() ([]byte, error) {
 	key := os.Getenv("QUOTEFORGE_ENCRYPTION_KEY")
-	if key == "" {
-		// Fallback to a machine-based key (hostname + fixed salt)
-		hostname, _ := os.Hostname()
-		key = hostname + "quoteforge-salt-2024"
+	if key != "" {
+		hash := sha256.Sum256([]byte(key))
+		return hash[:], nil
 	}
-	// Hash to get exactly 32 bytes for AES-256
+
+	stateDir, err := resolveEncryptionStateDir()
+	if err != nil {
+		return nil, fmt.Errorf("resolve encryption state dir: %w", err)
+	}
+
+	return loadOrCreateEncryptionKey(filepath.Join(stateDir, encryptionKeyFileName))
+}
+
+func resolveEncryptionStateDir() (string, error) {
+	configPath, err := appstate.ResolveConfigPath("")
+	if err != nil {
+		return "", err
+	}
+	return filepath.Dir(configPath), nil
+}
+
+func loadOrCreateEncryptionKey(path string) ([]byte, error) {
+	if data, err := os.ReadFile(path); err == nil {
+		return parseEncryptionKeyFile(data)
+	} else if !errors.Is(err, os.ErrNotExist) {
+		return nil, fmt.Errorf("read encryption key: %w", err)
+	}
+
+	if err := os.MkdirAll(filepath.Dir(path), 0700); err != nil {
+		return nil, fmt.Errorf("create encryption key dir: %w", err)
+	}
+
+	raw := make([]byte, 32)
+	if _, err := io.ReadFull(rand.Reader, raw); err != nil {
+		return nil, fmt.Errorf("generate encryption key: %w", err)
+	}
+
+	encoded := base64.StdEncoding.EncodeToString(raw)
+	if err := writeKeyFile(path, []byte(encoded+"\n")); err != nil {
+		if errors.Is(err, os.ErrExist) {
+			data, readErr := os.ReadFile(path)
+			if readErr != nil {
+				return nil, fmt.Errorf("read concurrent encryption key: %w", readErr)
+			}
+			return parseEncryptionKeyFile(data)
+		}
+		return nil, err
+	}
+
+	return raw, nil
+}
+
+func writeKeyFile(path string, data []byte) error {
+	file, err := os.OpenFile(path, os.O_WRONLY|os.O_CREATE|os.O_EXCL, 0600)
+	if err != nil {
+		return err
+	}
+	defer file.Close()
+
+	if _, err := file.Write(data); err != nil {
+		return err
+	}
+
+	return file.Sync()
+}
+
+func parseEncryptionKeyFile(data []byte) ([]byte, error) {
+	trimmed := strings.TrimSpace(string(data))
+	decoded, err := base64.StdEncoding.DecodeString(trimmed)
+	if err != nil {
+		return nil, fmt.Errorf("decode encryption key file: %w", err)
+	}
+	if len(decoded) != 32 {
+		return nil, fmt.Errorf("invalid encryption key length: %d", len(decoded))
+	}
+	return decoded, nil
+}
+
+func getLegacyEncryptionKey() []byte {
+	hostname, _ := os.Hostname()
+	key := hostname + "quoteforge-salt-2024"
 	hash := sha256.Sum256([]byte(key))
 	return hash[:]
 }
@@ -30,7 +115,10 @@ func Encrypt(plaintext string) (string, error) {
 		return "", nil
 	}

-	key := getEncryptionKey()
+	key, err := getEncryptionKey()
+	if err != nil {
+		return "", err
+	}
 	block, err := aes.NewCipher(key)
 	if err != nil {
 		return "", err
@@ -56,12 +144,50 @@ func Decrypt(ciphertext string) (string, error) {
 		return "", nil
 	}

-	key := getEncryptionKey()
-	data, err := base64.StdEncoding.DecodeString(ciphertext)
+	key, err := getEncryptionKey()
 	if err != nil {
 		return "", err
 	}
+	plaintext, legacy, err := decryptWithKeys(ciphertext, key, getLegacyEncryptionKey())
+	if err != nil {
+		return "", err
+	}
+	_ = legacy
+	return plaintext, nil
+}

+func DecryptWithMetadata(ciphertext string) (string, bool, error) {
+	if ciphertext == "" {
+		return "", false, nil
+	}
+
+	key, err := getEncryptionKey()
+	if err != nil {
+		return "", false, err
+	}
+	return decryptWithKeys(ciphertext, key, getLegacyEncryptionKey())
+}
+
+func decryptWithKeys(ciphertext string, primaryKey, legacyKey []byte) (string, bool, error) {
+	data, err := base64.StdEncoding.DecodeString(ciphertext)
+	if err != nil {
+		return "", false, err
+	}
+
+	plaintext, err := decryptWithKey(data, primaryKey)
+	if err == nil {
+		return plaintext, false, nil
+	}
+
+	legacyPlaintext, legacyErr := decryptWithKey(data, legacyKey)
+	if legacyErr == nil {
+		return legacyPlaintext, true, nil
+	}
+
+	return "", false, err
+}
+
+func decryptWithKey(data, key []byte) (string, error) {
 	block, err := aes.NewCipher(key)
 	if err != nil {
 		return "", err
--- a/internal/localdb/encryption_test.go
+++ b/internal/localdb/encryption_test.go
@@ -0,0 +1,97 @@
+package localdb
+
+import (
+	"crypto/aes"
+	"crypto/cipher"
+	"crypto/rand"
+	"crypto/sha256"
+	"encoding/base64"
+	"io"
+	"os"
+	"path/filepath"
+	"testing"
+)
+
+func TestEncryptCreatesPersistentKeyFile(t *testing.T) {
+	stateDir := t.TempDir()
+	t.Setenv("QFS_STATE_DIR", stateDir)
+	t.Setenv("QUOTEFORGE_ENCRYPTION_KEY", "")
+
+	ciphertext, err := Encrypt("secret-password")
+	if err != nil {
+		t.Fatalf("encrypt: %v", err)
+	}
+	if ciphertext == "" {
+		t.Fatal("expected ciphertext")
+	}
+
+	keyPath := filepath.Join(stateDir, encryptionKeyFileName)
+	info, err := os.Stat(keyPath)
+	if err != nil {
+		t.Fatalf("stat key file: %v", err)
+	}
+	if info.Mode().Perm() != 0600 {
+		t.Fatalf("expected 0600 key file, got %v", info.Mode().Perm())
+	}
+}
+
+func TestDecryptMigratesLegacyCiphertext(t *testing.T) {
+	stateDir := t.TempDir()
+	t.Setenv("QFS_STATE_DIR", stateDir)
+	t.Setenv("QUOTEFORGE_ENCRYPTION_KEY", "")
+
+	legacyCiphertext := encryptWithKeyForTest(t, getLegacyEncryptionKey(), "legacy-password")
+
+	plaintext, migrated, err := DecryptWithMetadata(legacyCiphertext)
+	if err != nil {
+		t.Fatalf("decrypt legacy: %v", err)
+	}
+	if plaintext != "legacy-password" {
+		t.Fatalf("unexpected plaintext: %q", plaintext)
+	}
+	if !migrated {
+		t.Fatal("expected legacy ciphertext to require migration")
+	}
+
+	currentCiphertext, err := Encrypt("legacy-password")
+	if err != nil {
+		t.Fatalf("encrypt current: %v", err)
+	}
+	plaintext, migrated, err = DecryptWithMetadata(currentCiphertext)
+	if err != nil {
+		t.Fatalf("decrypt current: %v", err)
+	}
+	if migrated {
+		t.Fatal("did not expect current ciphertext to require migration")
+	}
+}
+
+func encryptWithKeyForTest(t *testing.T, key []byte, plaintext string) string {
+	t.Helper()
+
+	block, err := aes.NewCipher(key)
+	if err != nil {
+		t.Fatalf("new cipher: %v", err)
+	}
+	gcm, err := cipher.NewGCM(block)
+	if err != nil {
+		t.Fatalf("new gcm: %v", err)
+	}
+
+	nonce := make([]byte, gcm.NonceSize())
+	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
+		t.Fatalf("read nonce: %v", err)
+	}
+
+	ciphertext := gcm.Seal(nonce, nonce, []byte(plaintext), nil)
+	return base64.StdEncoding.EncodeToString(ciphertext)
+}
+
+func TestLegacyEncryptionKeyRemainsDeterministic(t *testing.T) {
+	hostname, _ := os.Hostname()
+	expected := sha256.Sum256([]byte(hostname + "quoteforge-salt-2024"))
+	actual := getLegacyEncryptionKey()
+	if string(actual) != string(expected[:]) {
+		t.Fatal("legacy key derivation changed")
+	}
+}
--- a/internal/localdb/local_migrations_test.go
+++ b/internal/localdb/local_migrations_test.go
@@ -5,7 +5,10 @@ import (
 	"testing"
 	"time"

+	"github.com/glebarez/sqlite"
 	"github.com/google/uuid"
+	"gorm.io/gorm"
+	"gorm.io/gorm/logger"
 )

 func TestRunLocalMigrationsBackfillsExistingConfigurations(t *testing.T) {
@@ -313,3 +316,280 @@ func TestRunLocalMigrationsBackfillsConfigurationLineNo(t *testing.T) {
 		t.Fatalf("expected line_no [10,20], got [%d,%d]", rows[0].Line, rows[1].Line)
 	}
 }
+
+func TestRunLocalMigrationsDeduplicatesCanonicalPartnumberCatalog(t *testing.T) {
+	dbPath := filepath.Join(t.TempDir(), "partnumber_catalog_dedup.db")
+	db, err := gorm.Open(sqlite.Open(dbPath), &gorm.Config{
+		Logger: logger.Default.LogMode(logger.Silent),
+	})
+	if err != nil {
+		t.Fatalf("open sqlite: %v", err)
+	}
+
+	firstLots := LocalPartnumberBookLots{
+		{LotName: "LOT-A", Qty: 1},
+	}
+	secondLots := LocalPartnumberBookLots{
+		{LotName: "LOT-B", Qty: 2},
+	}
+
+	if err := db.Exec(`
+		CREATE TABLE local_partnumber_book_items (
+			id INTEGER PRIMARY KEY AUTOINCREMENT,
+			partnumber TEXT NOT NULL,
+			lots_json TEXT NOT NULL,
+			description TEXT
+		)
+	`).Error; err != nil {
+		t.Fatalf("create dirty local_partnumber_book_items: %v", err)
+	}
+
+	if err := db.Create(&LocalPartnumberBookItem{
+		Partnumber:  "PN-001",
+		LotsJSON:    firstLots,
+		Description: "",
+	}).Error; err != nil {
+		t.Fatalf("insert first duplicate row: %v", err)
+	}
+	if err := db.Create(&LocalPartnumberBookItem{
+		Partnumber:  "PN-001",
+		LotsJSON:    secondLots,
+		Description: "Canonical description",
+	}).Error; err != nil {
+		t.Fatalf("insert second duplicate row: %v", err)
+	}
+
+	if err := migrateLocalPartnumberBookCatalog(db); err != nil {
+		t.Fatalf("migrate local partnumber catalog: %v", err)
+	}
+
+	var items []LocalPartnumberBookItem
+	if err := db.Order("partnumber ASC").Find(&items).Error; err != nil {
+		t.Fatalf("load migrated partnumber items: %v", err)
+	}
+	if len(items) != 1 {
+		t.Fatalf("expected 1 deduplicated item, got %d", len(items))
+	}
+	if items[0].Partnumber != "PN-001" {
+		t.Fatalf("unexpected partnumber: %s", items[0].Partnumber)
+	}
+	if items[0].Description != "Canonical description" {
+		t.Fatalf("expected merged description, got %q", items[0].Description)
+	}
+	if len(items[0].LotsJSON) != 2 {
+		t.Fatalf("expected merged lots from duplicates, got %d", len(items[0].LotsJSON))
+	}
+
+	var duplicateCount int64
+	if err := db.Model(&LocalPartnumberBookItem{}).
+		Where("partnumber = ?", "PN-001").
+		Count(&duplicateCount).Error; err != nil {
+		t.Fatalf("count deduplicated partnumber: %v", err)
+	}
+	if duplicateCount != 1 {
+		t.Fatalf("expected unique partnumber row after migration, got %d", duplicateCount)
+	}
+}
+
+func TestSanitizeLocalPartnumberBookCatalogRemovesRowsWithoutPartnumber(t *testing.T) {
+	dbPath := filepath.Join(t.TempDir(), "sanitize_partnumber_catalog.db")
+	db, err := gorm.Open(sqlite.Open(dbPath), &gorm.Config{
+		Logger: logger.Default.LogMode(logger.Silent),
+	})
+	if err != nil {
+		t.Fatalf("open sqlite: %v", err)
+	}
+
+	if err := db.Exec(`
+		CREATE TABLE local_partnumber_book_items (
+			id INTEGER PRIMARY KEY AUTOINCREMENT,
+			partnumber TEXT NULL,
+			lots_json TEXT NOT NULL,
+			description TEXT
+		)
+	`).Error; err != nil {
+		t.Fatalf("create local_partnumber_book_items: %v", err)
+	}
+	if err := db.Exec(`
+		INSERT INTO local_partnumber_book_items (partnumber, lots_json, description) VALUES
+		(NULL, '[]', 'null pn'),
+		('', '[]', 'empty pn'),
+		('PN-OK', '[]', 'valid pn')
+	`).Error; err != nil {
+		t.Fatalf("seed local_partnumber_book_items: %v", err)
+	}
+
+	if err := sanitizeLocalPartnumberBookCatalog(db); err != nil {
+		t.Fatalf("sanitize local partnumber catalog: %v", err)
+	}
+
+	var items []LocalPartnumberBookItem
+	if err := db.Order("id ASC").Find(&items).Error; err != nil {
+		t.Fatalf("load sanitized items: %v", err)
+	}
+	if len(items) != 1 {
+		t.Fatalf("expected 1 valid item after sanitize, got %d", len(items))
+	}
+	if items[0].Partnumber != "PN-OK" {
+		t.Fatalf("expected remaining partnumber PN-OK, got %q", items[0].Partnumber)
+	}
+}
+
+func TestNewMigratesLegacyPartnumberBookCatalogBeforeAutoMigrate(t *testing.T) {
+	dbPath := filepath.Join(t.TempDir(), "legacy_partnumber_catalog.db")
+	db, err := gorm.Open(sqlite.Open(dbPath), &gorm.Config{
+		Logger: logger.Default.LogMode(logger.Silent),
+	})
+	if err != nil {
+		t.Fatalf("open sqlite: %v", err)
+	}
+
+	if err := db.Exec(`
+		CREATE TABLE local_partnumber_book_items (
+			id INTEGER PRIMARY KEY AUTOINCREMENT,
+			partnumber TEXT NOT NULL UNIQUE,
+			lots_json TEXT NOT NULL,
+			is_primary_pn INTEGER NOT NULL DEFAULT 0,
+			description TEXT
+		)
+	`).Error; err != nil {
+		t.Fatalf("create legacy local_partnumber_book_items: %v", err)
+	}
+	if err := db.Exec(`
+		INSERT INTO local_partnumber_book_items (partnumber, lots_json, is_primary_pn, description)
+		VALUES ('PN-001', '[{"lot_name":"CPU_A","qty":1}]', 0, 'Legacy row')
+	`).Error; err != nil {
+		t.Fatalf("seed legacy local_partnumber_book_items: %v", err)
+	}
+
+	local, err := New(dbPath)
+	if err != nil {
+		t.Fatalf("open localdb with legacy catalog: %v", err)
+	}
+	t.Cleanup(func() { _ = local.Close() })
+
+	var columns []struct {
+		Name string `gorm:"column:name"`
+	}
+	if err := local.DB().Raw(`SELECT name FROM pragma_table_info('local_partnumber_book_items')`).Scan(&columns).Error; err != nil {
+		t.Fatalf("load local_partnumber_book_items columns: %v", err)
+	}
+	for _, column := range columns {
+		if column.Name == "is_primary_pn" {
+			t.Fatalf("expected legacy is_primary_pn column to be removed before automigrate")
+		}
+	}
+
+	var items []LocalPartnumberBookItem
+	if err := local.DB().Find(&items).Error; err != nil {
+		t.Fatalf("load migrated local_partnumber_book_items: %v", err)
+	}
+	if len(items) != 1 || items[0].Partnumber != "PN-001" {
+		t.Fatalf("unexpected migrated rows: %#v", items)
+	}
+}
+
+func TestNewRecoversBrokenPartnumberBookCatalogCache(t *testing.T) {
+	dbPath := filepath.Join(t.TempDir(), "broken_partnumber_catalog.db")
+	db, err := gorm.Open(sqlite.Open(dbPath), &gorm.Config{
+		Logger: logger.Default.LogMode(logger.Silent),
+	})
+	if err != nil {
+		t.Fatalf("open sqlite: %v", err)
+	}
+
+	if err := db.Exec(`
+		CREATE TABLE local_partnumber_book_items (
+			id INTEGER PRIMARY KEY AUTOINCREMENT,
+			partnumber TEXT NOT NULL UNIQUE,
+			lots_json TEXT NOT NULL,
+			description TEXT
+		)
+	`).Error; err != nil {
+		t.Fatalf("create broken local_partnumber_book_items: %v", err)
+	}
+	if err := db.Exec(`
+		INSERT INTO local_partnumber_book_items (partnumber, lots_json, description)
+		VALUES ('PN-001', '{not-json}', 'Broken cache row')
+	`).Error; err != nil {
+		t.Fatalf("seed broken local_partnumber_book_items: %v", err)
+	}
+
+	local, err := New(dbPath)
+	if err != nil {
+		t.Fatalf("open localdb with broken catalog cache: %v", err)
+	}
+	t.Cleanup(func() { _ = local.Close() })
+
+	var count int64
+	if err := local.DB().Model(&LocalPartnumberBookItem{}).Count(&count).Error; err != nil {
+		t.Fatalf("count recovered local_partnumber_book_items: %v", err)
+	}
+	if count != 0 {
+		t.Fatalf("expected empty recovered local_partnumber_book_items, got %d rows", count)
+	}
+
+	var quarantineTables []struct {
+		Name string `gorm:"column:name"`
+	}
+	if err := local.DB().Raw(`
+		SELECT name
+		FROM sqlite_master
+		WHERE type = 'table' AND name LIKE 'local_partnumber_book_items_broken_%'
+	`).Scan(&quarantineTables).Error; err != nil {
+		t.Fatalf("load quarantine tables: %v", err)
+	}
+	if len(quarantineTables) != 1 {
+		t.Fatalf("expected one quarantined broken catalog table, got %d", len(quarantineTables))
+	}
+}
+
+func TestCleanupStaleReadOnlyCacheTempTablesDropsShadowTempWhenBaseExists(t *testing.T) {
+	dbPath := filepath.Join(t.TempDir(), "stale_cache_temp.db")
+	db, err := gorm.Open(sqlite.Open(dbPath), &gorm.Config{
+		Logger: logger.Default.LogMode(logger.Silent),
+	})
+	if err != nil {
+		t.Fatalf("open sqlite: %v", err)
+	}
+
+	if err := db.Exec(`
+		CREATE TABLE local_pricelist_items (
+			id INTEGER PRIMARY KEY AUTOINCREMENT,
+			pricelist_id INTEGER NOT NULL,
+			partnumber TEXT,
+			brand TEXT NOT NULL DEFAULT '',
+			lot_name TEXT NOT NULL,
+			description TEXT,
+			price REAL NOT NULL DEFAULT 0,
+			quantity INTEGER NOT NULL DEFAULT 0,
+			reserve INTEGER NOT NULL DEFAULT 0,
+			available_qty REAL,
+			partnumbers TEXT,
+			lot_category TEXT,
+			created_at DATETIME,
+			updated_at DATETIME
+		)
+	`).Error; err != nil {
+		t.Fatalf("create local_pricelist_items: %v", err)
+	}
+	if err := db.Exec(`
+		CREATE TABLE local_pricelist_items__temp (
+			id INTEGER PRIMARY KEY AUTOINCREMENT,
+			legacy TEXT
+		)
+	`).Error; err != nil {
+		t.Fatalf("create local_pricelist_items__temp: %v", err)
+	}
+
+	if err := cleanupStaleReadOnlyCacheTempTables(db); err != nil {
+		t.Fatalf("cleanup stale read-only cache temp tables: %v", err)
+	}
+
+	if db.Migrator().HasTable("local_pricelist_items__temp") {
+		t.Fatalf("expected stale temp table to be dropped")
+	}
+	if !db.Migrator().HasTable("local_pricelist_items") {
+		t.Fatalf("expected base local_pricelist_items table to remain")
+	}
+}
--- a/internal/localdb/localdb.go
+++ b/internal/localdb/localdb.go
@@ -1,6 +1,7 @@
 package localdb

 import (
+	"encoding/json"
 	"errors"
 	"fmt"
 	"log/slog"
@@ -42,6 +43,14 @@ type LocalDB struct {
 	path string
 }

+var localReadOnlyCacheTables = []string{
+	"local_pricelist_items",
+	"local_pricelists",
+	"local_components",
+	"local_partnumber_book_items",
+	"local_partnumber_books",
+}
+
 // ResetData clears local data tables while keeping connection settings.
 // It does not drop schema or connection_settings.
 func ResetData(dbPath string) error {
@@ -70,7 +79,6 @@ func ResetData(dbPath string) error {
 		"local_pricelists",
 		"local_pricelist_items",
 		"local_components",
-		"local_remote_migrations_applied",
 		"local_sync_guard_state",
 		"pending_changes",
 		"app_settings",
@@ -111,6 +119,12 @@ func New(dbPath string) (*LocalDB, error) {
 	if err := ensureLocalProjectsTable(db); err != nil {
 		return nil, fmt.Errorf("ensure local_projects table: %w", err)
 	}
+	if err := prepareLocalPartnumberBookCatalog(db); err != nil {
+		return nil, fmt.Errorf("prepare local partnumber book catalog: %w", err)
+	}
+	if err := cleanupStaleReadOnlyCacheTempTables(db); err != nil {
+		return nil, fmt.Errorf("cleanup stale read-only cache temp tables: %w", err)
+	}

 	// Preflight: ensure local_projects has non-null UUIDs before AutoMigrate rebuilds tables.
 	if db.Migrator().HasTable(&LocalProject{}) {
@@ -131,24 +145,28 @@ func New(dbPath string) (*LocalDB, error) {
 	}

 	// Auto-migrate all local tables
-	if err := db.AutoMigrate(
-		&ConnectionSettings{},
-		&LocalConfiguration{},
-		&LocalConfigurationVersion{},
-		&LocalPricelist{},
-		&LocalPricelistItem{},
-		&LocalComponent{},
-		&AppSetting{},
-		&LocalRemoteMigrationApplied{},
-		&LocalSyncGuardState{},
-		&PendingChange{},
-		&LocalPartnumberBook{},
-		&LocalPartnumberBookItem{},
-	); err != nil {
-		return nil, fmt.Errorf("migrating sqlite database: %w", err)
+	if err := autoMigrateLocalSchema(db); err != nil {
+		if recovered, recoveryErr := recoverFromReadOnlyCacheInitFailure(db, err); recoveryErr != nil {
+			return nil, fmt.Errorf("migrating sqlite database: %w (recovery failed: %v)", err, recoveryErr)
+		} else if !recovered {
+			return nil, fmt.Errorf("migrating sqlite database: %w", err)
+		}
+		if err := autoMigrateLocalSchema(db); err != nil {
+			return nil, fmt.Errorf("migrating sqlite database after cache recovery: %w", err)
+		}
+	}
+	if err := ensureLocalPartnumberBookItemTable(db); err != nil {
+		return nil, fmt.Errorf("ensure local partnumber book item table: %w", err)
 	}
 	if err := runLocalMigrations(db); err != nil {
-		return nil, fmt.Errorf("running local sqlite migrations: %w", err)
+		if recovered, recoveryErr := recoverFromReadOnlyCacheInitFailure(db, err); recoveryErr != nil {
+			return nil, fmt.Errorf("running local sqlite migrations: %w (recovery failed: %v)", err, recoveryErr)
+		} else if !recovered {
+			return nil, fmt.Errorf("running local sqlite migrations: %w", err)
+		}
+		if err := runLocalMigrations(db); err != nil {
+			return nil, fmt.Errorf("running local sqlite migrations after cache recovery: %w", err)
+		}
 	}

 	slog.Info("local SQLite database initialized", "path", dbPath)
@@ -191,6 +209,282 @@ CREATE TABLE local_projects (
 	return nil
 }

+func autoMigrateLocalSchema(db *gorm.DB) error {
+	return db.AutoMigrate(
+		&ConnectionSettings{},
+		&LocalConfiguration{},
+		&LocalConfigurationVersion{},
+		&LocalPricelist{},
+		&LocalPricelistItem{},
+		&LocalComponent{},
+		&AppSetting{},
+		&LocalSyncGuardState{},
+		&PendingChange{},
+		&LocalPartnumberBook{},
+	)
+}
+
+func sanitizeLocalPartnumberBookCatalog(db *gorm.DB) error {
+	if !db.Migrator().HasTable(&LocalPartnumberBookItem{}) {
+		return nil
+	}
+
+	// Old local databases may contain partially migrated catalog rows with NULL/empty
+	// partnumber values. SQLite table rebuild during AutoMigrate fails on such rows once
+	// the schema enforces NOT NULL, so remove them before AutoMigrate touches the table.
+	if err := db.Exec(`
+		DELETE FROM local_partnumber_book_items
+		WHERE partnumber IS NULL OR TRIM(partnumber) = ''
+	`).Error; err != nil {
+		return err
+	}
+	return nil
+}
+
+func prepareLocalPartnumberBookCatalog(db *gorm.DB) error {
+	if err := cleanupStaleLocalPartnumberBookCatalogTempTable(db); err != nil {
+		if recoveryErr := recoverLocalPartnumberBookCatalog(db, fmt.Errorf("cleanup stale temp table: %w", err)); recoveryErr != nil {
+			return recoveryErr
+		}
+		return nil
+	}
+	if err := sanitizeLocalPartnumberBookCatalog(db); err != nil {
+		if recoveryErr := recoverLocalPartnumberBookCatalog(db, fmt.Errorf("sanitize catalog: %w", err)); recoveryErr != nil {
+			return recoveryErr
+		}
+		return nil
+	}
+	if err := migrateLegacyPartnumberBookCatalogBeforeAutoMigrate(db); err != nil {
+		if recoveryErr := recoverLocalPartnumberBookCatalog(db, fmt.Errorf("migrate legacy catalog: %w", err)); recoveryErr != nil {
+			return recoveryErr
+		}
+		return nil
+	}
+	if err := ensureLocalPartnumberBookItemTable(db); err != nil {
+		if recoveryErr := recoverLocalPartnumberBookCatalog(db, fmt.Errorf("ensure canonical catalog table: %w", err)); recoveryErr != nil {
+			return recoveryErr
+		}
+		return nil
+	}
+	if err := validateLocalPartnumberBookCatalog(db); err != nil {
+		if recoveryErr := recoverLocalPartnumberBookCatalog(db, fmt.Errorf("validate canonical catalog: %w", err)); recoveryErr != nil {
+			return recoveryErr
+		}
+	}
+	return nil
+}
+
+func cleanupStaleReadOnlyCacheTempTables(db *gorm.DB) error {
+	for _, tableName := range localReadOnlyCacheTables {
+		tempName := tableName + "__temp"
+		if !db.Migrator().HasTable(tempName) {
+			continue
+		}
+		if db.Migrator().HasTable(tableName) {
+			if err := db.Exec(`DROP TABLE ` + tempName).Error; err != nil {
+				return err
+			}
+			continue
+		}
+		if err := quarantineSQLiteTable(db, tempName, localReadOnlyCacheQuarantineTableName(tableName, "temp")); err != nil {
+			return err
+		}
+	}
+	return nil
+}
+
+func cleanupStaleLocalPartnumberBookCatalogTempTable(db *gorm.DB) error {
+	if !db.Migrator().HasTable("local_partnumber_book_items__temp") {
+		return nil
+	}
+	if db.Migrator().HasTable(&LocalPartnumberBookItem{}) {
+		return db.Exec(`DROP TABLE local_partnumber_book_items__temp`).Error
+	}
+	return quarantineSQLiteTable(db, "local_partnumber_book_items__temp", localPartnumberBookCatalogQuarantineTableName("temp"))
+}
+
+func migrateLegacyPartnumberBookCatalogBeforeAutoMigrate(db *gorm.DB) error {
+	if !db.Migrator().HasTable(&LocalPartnumberBookItem{}) {
+		return nil
+	}
+
+	// Legacy databases may still have the pre-catalog shape (`book_id`/`lot_name`) or the
+	// intermediate canonical shape with obsolete columns like `is_primary_pn`. Let the
+	// explicit rebuild logic normalize this table before GORM AutoMigrate attempts a
+	// table-copy migration on its own.
+	return migrateLocalPartnumberBookCatalog(db)
+}
+
+func ensureLocalPartnumberBookItemTable(db *gorm.DB) error {
+	if db.Migrator().HasTable(&LocalPartnumberBookItem{}) {
+		return nil
+	}
+	if err := db.Exec(`
+		CREATE TABLE local_partnumber_book_items (
+			id INTEGER PRIMARY KEY AUTOINCREMENT,
+			partnumber TEXT NOT NULL UNIQUE,
+			lots_json TEXT NOT NULL,
+			description TEXT
+		)
+	`).Error; err != nil {
+		return err
+	}
+	return db.Exec(`CREATE UNIQUE INDEX IF NOT EXISTS idx_local_partnumber_book_items_partnumber ON local_partnumber_book_items(partnumber)`).Error
+}
+
+func validateLocalPartnumberBookCatalog(db *gorm.DB) error {
+	if !db.Migrator().HasTable(&LocalPartnumberBookItem{}) {
+		return nil
+	}
+
+	type rawCatalogRow struct {
+		Partnumber  string `gorm:"column:partnumber"`
+		LotsJSON    string `gorm:"column:lots_json"`
+		Description string `gorm:"column:description"`
+	}
+
+	var rows []rawCatalogRow
+	if err := db.Raw(`
+		SELECT partnumber, lots_json, COALESCE(description, '') AS description
+		FROM local_partnumber_book_items
+		ORDER BY id ASC
+	`).Scan(&rows).Error; err != nil {
+		return fmt.Errorf("load canonical catalog rows: %w", err)
+	}
+
+	seen := make(map[string]struct{}, len(rows))
+	for _, row := range rows {
+		partnumber := strings.TrimSpace(row.Partnumber)
+		if partnumber == "" {
+			return errors.New("catalog contains empty partnumber")
+		}
+		if _, exists := seen[partnumber]; exists {
+			return fmt.Errorf("catalog contains duplicate partnumber %q", partnumber)
+		}
+		seen[partnumber] = struct{}{}
+		if strings.TrimSpace(row.LotsJSON) == "" {
+			return fmt.Errorf("catalog row %q has empty lots_json", partnumber)
+		}
+		var lots LocalPartnumberBookLots
+		if err := json.Unmarshal([]byte(row.LotsJSON), &lots); err != nil {
+			return fmt.Errorf("catalog row %q has invalid lots_json: %w", partnumber, err)
+		}
+	}
+
+	return nil
+}
+
+func recoverLocalPartnumberBookCatalog(db *gorm.DB, cause error) error {
+	slog.Warn("recovering broken local partnumber book catalog", "error", cause.Error())
+
+	if err := ensureLocalPartnumberBooksCatalogColumn(db); err != nil {
+		return fmt.Errorf("ensure local_partnumber_books.partnumbers_json during recovery: %w", err)
+	}
+
+	if db.Migrator().HasTable("local_partnumber_book_items__temp") {
+		if err := quarantineSQLiteTable(db, "local_partnumber_book_items__temp", localPartnumberBookCatalogQuarantineTableName("temp")); err != nil {
+			return fmt.Errorf("quarantine local_partnumber_book_items__temp: %w", err)
+		}
+	}
+	if db.Migrator().HasTable(&LocalPartnumberBookItem{}) {
+		if err := quarantineSQLiteTable(db, "local_partnumber_book_items", localPartnumberBookCatalogQuarantineTableName("broken")); err != nil {
+			return fmt.Errorf("quarantine local_partnumber_book_items: %w", err)
+		}
+	}
+	if err := ensureLocalPartnumberBookItemTable(db); err != nil {
+		return fmt.Errorf("recreate local_partnumber_book_items after recovery: %w", err)
+	}
+
+	slog.Warn("local partnumber book catalog reset to empty cache; next sync will rebuild it")
+	return nil
+}
+
+func recoverFromReadOnlyCacheInitFailure(db *gorm.DB, cause error) (bool, error) {
+	lowerCause := strings.ToLower(cause.Error())
+	recoveredAny := false
+
+	for _, tableName := range affectedReadOnlyCacheTables(lowerCause) {
+		if err := resetReadOnlyCacheTable(db, tableName); err != nil {
+			return recoveredAny, err
+		}
+		recoveredAny = true
+	}
+
+	if strings.Contains(lowerCause, "local_partnumber_book_items") || strings.Contains(lowerCause, "local_partnumber_books") {
+		if err := recoverLocalPartnumberBookCatalog(db, cause); err != nil {
+			return recoveredAny, err
+		}
+		recoveredAny = true
+	}
+
+	if recoveredAny {
+		slog.Warn("recovered read-only local cache tables after startup failure", "error", cause.Error())
+	}
+	return recoveredAny, nil
+}
+
+func affectedReadOnlyCacheTables(lowerCause string) []string {
+	affected := make([]string, 0, len(localReadOnlyCacheTables))
+	for _, tableName := range localReadOnlyCacheTables {
+		if tableName == "local_partnumber_book_items" || tableName == "local_partnumber_books" {
+			continue
+		}
+		if strings.Contains(lowerCause, tableName) {
+			affected = append(affected, tableName)
+		}
+	}
+	return affected
+}
+
+func resetReadOnlyCacheTable(db *gorm.DB, tableName string) error {
+	slog.Warn("resetting read-only local cache table", "table", tableName)
+	tempName := tableName + "__temp"
+	if db.Migrator().HasTable(tempName) {
+		if err := quarantineSQLiteTable(db, tempName, localReadOnlyCacheQuarantineTableName(tableName, "temp")); err != nil {
+			return fmt.Errorf("quarantine temp table %s: %w", tempName, err)
+		}
+	}
+	if db.Migrator().HasTable(tableName) {
+		if err := quarantineSQLiteTable(db, tableName, localReadOnlyCacheQuarantineTableName(tableName, "broken")); err != nil {
+			return fmt.Errorf("quarantine table %s: %w", tableName, err)
+		}
+	}
+	return nil
+}
+
+func ensureLocalPartnumberBooksCatalogColumn(db *gorm.DB) error {
+	if !db.Migrator().HasTable(&LocalPartnumberBook{}) {
+		return nil
+	}
+	if db.Migrator().HasColumn(&LocalPartnumberBook{}, "partnumbers_json") {
+		return nil
+	}
+	return db.Exec(`ALTER TABLE local_partnumber_books ADD COLUMN partnumbers_json TEXT NOT NULL DEFAULT '[]'`).Error
+}
+
+func quarantineSQLiteTable(db *gorm.DB, tableName string, quarantineName string) error {
+	if !db.Migrator().HasTable(tableName) {
+		return nil
+	}
+	if tableName == quarantineName {
+		return nil
+	}
+	if db.Migrator().HasTable(quarantineName) {
+		if err := db.Exec(`DROP TABLE ` + quarantineName).Error; err != nil {
+			return err
+		}
+	}
+	return db.Exec(`ALTER TABLE ` + tableName + ` RENAME TO ` + quarantineName).Error
+}
+
+func localPartnumberBookCatalogQuarantineTableName(kind string) string {
+	return "local_partnumber_book_items_" + kind + "_" + time.Now().UTC().Format("20060102150405")
+}
+
+func localReadOnlyCacheQuarantineTableName(tableName string, kind string) string {
+	return tableName + "_" + kind + "_" + time.Now().UTC().Format("20060102150405")
+}
+
 // HasSettings returns true if connection settings exist
 func (l *LocalDB) HasSettings() bool {
 	var count int64
@@ -206,10 +500,23 @@ func (l *LocalDB) GetSettings() (*ConnectionSettings, error) {
 	}

 	// Decrypt password
-	password, err := Decrypt(settings.PasswordEncrypted)
+	password, migrated, err := DecryptWithMetadata(settings.PasswordEncrypted)
 	if err != nil {
 		return nil, fmt.Errorf("decrypting password: %w", err)
 	}
+
+	if migrated {
+		encrypted, encryptErr := Encrypt(password)
+		if encryptErr != nil {
+			return nil, fmt.Errorf("re-encrypting legacy password: %w", encryptErr)
+		}
+		if err := l.db.Model(&ConnectionSettings{}).
+			Where("id = ?", settings.ID).
+			Update("password_encrypted", encrypted).Error; err != nil {
+			return nil, fmt.Errorf("upgrading legacy password encryption: %w", err)
+		}
+	}
+
 	settings.PasswordEncrypted = password // Return decrypted password in this field

 	return &settings, nil
@@ -1235,42 +1542,6 @@ func (l *LocalDB) repairConfigurationChange(change *PendingChange) error {
 	return nil
 }

-// GetRemoteMigrationApplied returns a locally applied remote migration by ID.
-func (l *LocalDB) GetRemoteMigrationApplied(id string) (*LocalRemoteMigrationApplied, error) {
-	var migration LocalRemoteMigrationApplied
-	if err := l.db.Where("id = ?", id).First(&migration).Error; err != nil {
-		return nil, err
-	}
-	return &migration, nil
-}
-
-// UpsertRemoteMigrationApplied writes applied migration metadata.
-func (l *LocalDB) UpsertRemoteMigrationApplied(id, checksum, appVersion string, appliedAt time.Time) error {
-	record := &LocalRemoteMigrationApplied{
-		ID:         id,
-		Checksum:   checksum,
-		AppVersion: appVersion,
-		AppliedAt:  appliedAt,
-	}
-	return l.db.Clauses(clause.OnConflict{
-		Columns: []clause.Column{{Name: "id"}},
-		DoUpdates: clause.Assignments(map[string]interface{}{
-			"checksum":    checksum,
-			"app_version": appVersion,
-			"applied_at":  appliedAt,
-		}),
-	}).Create(record).Error
-}
-
-// GetLatestAppliedRemoteMigrationID returns last applied remote migration id.
-func (l *LocalDB) GetLatestAppliedRemoteMigrationID() (string, error) {
-	var record LocalRemoteMigrationApplied
-	if err := l.db.Order("applied_at DESC").First(&record).Error; err != nil {
-		return "", err
-	}
-	return record.ID, nil
-}
-
 // GetSyncGuardState returns the latest readiness guard state.
 func (l *LocalDB) GetSyncGuardState() (*LocalSyncGuardState, error) {
 	var state LocalSyncGuardState
--- a/internal/localdb/migrations.go
+++ b/internal/localdb/migrations.go
@@ -4,6 +4,7 @@ import (
 	"errors"
 	"fmt"
 	"log/slog"
+	"sort"
 	"strings"
 	"time"

@@ -113,6 +114,19 @@ var localMigrations = []localMigration{
 		name: "Add line_no to local_configurations and backfill ordering",
 		run:  addLocalConfigurationLineNo,
 	},
+	{
+		id:   "2026_03_07_local_partnumber_book_catalog",
+		name: "Convert local partnumber book cache to book membership + deduplicated PN catalog",
+		run:  migrateLocalPartnumberBookCatalog,
+	},
+}
+
+type localPartnumberCatalogRow struct {
+	Partnumber  string
+	LotsJSON    LocalPartnumberBookLots
+	Description string
+	CreatedAt   time.Time
+	ServerID    int
 }

 func runLocalMigrations(db *gorm.DB) error {
@@ -865,3 +879,216 @@ WHERE id IN (SELECT id FROM ranked)
 	return nil
 }

+func migrateLocalPartnumberBookCatalog(tx *gorm.DB) error {
+	type columnInfo struct {
+		Name string `gorm:"column:name"`
+	}
+
+	hasBooksTable := tx.Migrator().HasTable(&LocalPartnumberBook{})
+	hasItemsTable := tx.Migrator().HasTable(&LocalPartnumberBookItem{})
+	if !hasItemsTable {
+		return nil
+	}
+
+	if hasBooksTable {
+		var bookCols []columnInfo
+		if err := tx.Raw(`SELECT name FROM pragma_table_info('local_partnumber_books')`).Scan(&bookCols).Error; err != nil {
+			return fmt.Errorf("load local_partnumber_books columns: %w", err)
+		}
+		hasPartnumbersJSON := false
+		for _, c := range bookCols {
+			if c.Name == "partnumbers_json" {
+				hasPartnumbersJSON = true
+				break
+			}
+		}
+		if !hasPartnumbersJSON {
+			if err := tx.Exec(`ALTER TABLE local_partnumber_books ADD COLUMN partnumbers_json TEXT NOT NULL DEFAULT '[]'`).Error; err != nil {
+				return fmt.Errorf("add local_partnumber_books.partnumbers_json: %w", err)
+			}
+		}
+	}
+
+	var itemCols []columnInfo
+	if err := tx.Raw(`SELECT name FROM pragma_table_info('local_partnumber_book_items')`).Scan(&itemCols).Error; err != nil {
+		return fmt.Errorf("load local_partnumber_book_items columns: %w", err)
+	}
+	hasBookID := false
+	hasLotName := false
+	hasLotsJSON := false
+	for _, c := range itemCols {
+		if c.Name == "book_id" {
+			hasBookID = true
+		}
+		if c.Name == "lot_name" {
+			hasLotName = true
+		}
+		if c.Name == "lots_json" {
+			hasLotsJSON = true
+		}
+	}
+	if !hasBookID && !hasLotName && !hasLotsJSON {
+		return nil
+	}
+
+	type legacyRow struct {
+		BookID      uint
+		Partnumber  string
+		LotName     string
+		Description string
+		CreatedAt   time.Time
+		ServerID    int
+	}
+	bookPNs := make(map[uint]map[string]struct{})
+	catalog := make(map[string]*localPartnumberCatalogRow)
+
+	if hasBookID || hasLotName {
+		var rows []legacyRow
+		if err := tx.Raw(`
+			SELECT
+				i.book_id,
+				i.partnumber,
+				i.lot_name,
+				COALESCE(i.description, '') AS description,
+				b.created_at,
+				b.server_id
+			FROM local_partnumber_book_items i
+			INNER JOIN local_partnumber_books b ON b.id = i.book_id
+			ORDER BY b.created_at DESC, b.id DESC, i.partnumber ASC, i.id ASC
+		`).Scan(&rows).Error; err != nil {
+			return fmt.Errorf("load legacy local partnumber book items: %w", err)
+		}
+
+		for _, row := range rows {
+			if _, ok := bookPNs[row.BookID]; !ok {
+				bookPNs[row.BookID] = make(map[string]struct{})
+			}
+			bookPNs[row.BookID][row.Partnumber] = struct{}{}
+
+			entry, ok := catalog[row.Partnumber]
+			if !ok {
+				entry = &localPartnumberCatalogRow{
+					Partnumber:  row.Partnumber,
+					Description: row.Description,
+					CreatedAt:   row.CreatedAt,
+					ServerID:    row.ServerID,
+				}
+				catalog[row.Partnumber] = entry
+			}
+			if row.CreatedAt.After(entry.CreatedAt) || (row.CreatedAt.Equal(entry.CreatedAt) && row.ServerID >= entry.ServerID) {
+				entry.Description = row.Description
+				entry.CreatedAt = row.CreatedAt
+				entry.ServerID = row.ServerID
+			}
+			found := false
+			for i := range entry.LotsJSON {
+				if entry.LotsJSON[i].LotName == row.LotName {
+					entry.LotsJSON[i].Qty += 1
+					found = true
+					break
+				}
+			}
+			if !found && row.LotName != "" {
+				entry.LotsJSON = append(entry.LotsJSON, LocalPartnumberBookLot{LotName: row.LotName, Qty: 1})
+			}
+		}
+
+		var books []LocalPartnumberBook
+		if err := tx.Find(&books).Error; err != nil {
+			return fmt.Errorf("load local partnumber books: %w", err)
+		}
+		for _, book := range books {
+			pnSet := bookPNs[book.ID]
+			partnumbers := make([]string, 0, len(pnSet))
+			for pn := range pnSet {
+				partnumbers = append(partnumbers, pn)
+			}
+			sort.Strings(partnumbers)
+			if err := tx.Model(&LocalPartnumberBook{}).
+				Where("id = ?", book.ID).
+				Update("partnumbers_json", LocalStringList(partnumbers)).Error; err != nil {
+				return fmt.Errorf("update partnumbers_json for local book %d: %w", book.ID, err)
+			}
+		}
+	} else {
+		var items []LocalPartnumberBookItem
+		if err := tx.Order("id DESC").Find(&items).Error; err != nil {
+			return fmt.Errorf("load canonical local partnumber book items: %w", err)
+		}
+		for _, item := range items {
+			entry, ok := catalog[item.Partnumber]
+			if !ok {
+				copiedLots := append(LocalPartnumberBookLots(nil), item.LotsJSON...)
+				catalog[item.Partnumber] = &localPartnumberCatalogRow{
+					Partnumber:  item.Partnumber,
+					LotsJSON:    copiedLots,
+					Description: item.Description,
+				}
+				continue
+			}
+			if entry.Description == "" && item.Description != "" {
+				entry.Description = item.Description
+			}
+			for _, lot := range item.LotsJSON {
+				merged := false
+				for i := range entry.LotsJSON {
+					if entry.LotsJSON[i].LotName == lot.LotName {
+						if lot.Qty > entry.LotsJSON[i].Qty {
+							entry.LotsJSON[i].Qty = lot.Qty
+						}
+						merged = true
+						break
+					}
+				}
+				if !merged {
+					entry.LotsJSON = append(entry.LotsJSON, lot)
+				}
+			}
+		}
+	}
+
+	return rebuildLocalPartnumberBookCatalog(tx, catalog)
+}
+
+func rebuildLocalPartnumberBookCatalog(tx *gorm.DB, catalog map[string]*localPartnumberCatalogRow) error {
+	if err := tx.Exec(`
+		CREATE TABLE local_partnumber_book_items_new (
+			id INTEGER PRIMARY KEY AUTOINCREMENT,
+			partnumber TEXT NOT NULL UNIQUE,
+			lots_json TEXT NOT NULL,
+			description TEXT
+		)
+	`).Error; err != nil {
+		return fmt.Errorf("create new local_partnumber_book_items table: %w", err)
+	}
+
+	orderedPartnumbers := make([]string, 0, len(catalog))
+	for pn := range catalog {
+		orderedPartnumbers = append(orderedPartnumbers, pn)
+	}
+	sort.Strings(orderedPartnumbers)
+	for _, pn := range orderedPartnumbers {
+		row := catalog[pn]
+		sort.Slice(row.LotsJSON, func(i, j int) bool {
+			return row.LotsJSON[i].LotName < row.LotsJSON[j].LotName
+		})
+		if err := tx.Table("local_partnumber_book_items_new").Create(&LocalPartnumberBookItem{
+			Partnumber:  row.Partnumber,
+			LotsJSON:    row.LotsJSON,
+			Description: row.Description,
+		}).Error; err != nil {
+			return fmt.Errorf("insert new local_partnumber_book_items row for %s: %w", pn, err)
+		}
+	}
+
+	if err := tx.Exec(`DROP TABLE local_partnumber_book_items`).Error; err != nil {
+		return fmt.Errorf("drop legacy local_partnumber_book_items: %w", err)
+	}
+	if err := tx.Exec(`ALTER TABLE local_partnumber_book_items_new RENAME TO local_partnumber_book_items`).Error; err != nil {
+		return fmt.Errorf("rename new local_partnumber_book_items table: %w", err)
+	}
+	if err := tx.Exec(`CREATE UNIQUE INDEX IF NOT EXISTS idx_local_partnumber_book_items_partnumber ON local_partnumber_book_items(partnumber)`).Error; err != nil {
+		return fmt.Errorf("create local_partnumber_book_items partnumber index: %w", err)
+	}
+	return nil
+}
--- a/internal/localdb/models.go
+++ b/internal/localdb/models.go
@@ -203,18 +203,6 @@ func (LocalComponent) TableName() string {
 	return "local_components"
 }

-// LocalRemoteMigrationApplied tracks remote SQLite migrations received from server and applied locally.
-type LocalRemoteMigrationApplied struct {
-	ID         string    `gorm:"primaryKey;size:128" json:"id"`
-	Checksum   string    `gorm:"size:128;not null" json:"checksum"`
-	AppVersion string    `gorm:"size:64" json:"app_version,omitempty"`
-	AppliedAt  time.Time `gorm:"not null" json:"applied_at"`
-}
-
-func (LocalRemoteMigrationApplied) TableName() string {
-	return "local_remote_migrations_applied"
-}
-
 // LocalSyncGuardState stores latest sync readiness decision for UI and preflight checks.
 type LocalSyncGuardState struct {
 	ID                    uint       `gorm:"primaryKey;autoIncrement" json:"id"`
@@ -248,25 +236,52 @@ func (PendingChange) TableName() string {

 // LocalPartnumberBook stores a version snapshot of the PN→LOT mapping book (pull-only from PriceForge)
 type LocalPartnumberBook struct {
-	ID        uint      `gorm:"primaryKey;autoIncrement" json:"id"`
-	ServerID  int       `gorm:"uniqueIndex;not null" json:"server_id"`
-	Version   string    `gorm:"not null" json:"version"`
-	CreatedAt time.Time `gorm:"not null" json:"created_at"`
-	IsActive  bool      `gorm:"not null;default:true" json:"is_active"`
+	ID              uint            `gorm:"primaryKey;autoIncrement" json:"id"`
+	ServerID        int             `gorm:"uniqueIndex;not null" json:"server_id"`
+	Version         string          `gorm:"not null" json:"version"`
+	CreatedAt       time.Time       `gorm:"not null" json:"created_at"`
+	IsActive        bool            `gorm:"not null;default:true" json:"is_active"`
+	PartnumbersJSON LocalStringList `gorm:"column:partnumbers_json;type:text" json:"partnumbers_json"`
 }

 func (LocalPartnumberBook) TableName() string {
 	return "local_partnumber_books"
 }

-// LocalPartnumberBookItem stores a single PN→LOT mapping within a book snapshot
+type LocalPartnumberBookLot struct {
+	LotName string  `json:"lot_name"`
+	Qty     float64 `json:"qty"`
+}
+
+type LocalPartnumberBookLots []LocalPartnumberBookLot
+
+func (l LocalPartnumberBookLots) Value() (driver.Value, error) {
+	return json.Marshal(l)
+}
+
+func (l *LocalPartnumberBookLots) Scan(value interface{}) error {
+	if value == nil {
+		*l = make(LocalPartnumberBookLots, 0)
+		return nil
+	}
+	var bytes []byte
+	switch v := value.(type) {
+	case []byte:
+		bytes = v
+	case string:
+		bytes = []byte(v)
+	default:
+		return errors.New("type assertion failed for LocalPartnumberBookLots")
+	}
+	return json.Unmarshal(bytes, l)
+}
+
+// LocalPartnumberBookItem stores the canonical PN composition pulled from PriceForge.
 type LocalPartnumberBookItem struct {
-	ID          uint   `gorm:"primaryKey;autoIncrement" json:"id"`
-	BookID      uint   `gorm:"not null;index:idx_local_book_pn,priority:1" json:"book_id"`
-	Partnumber  string `gorm:"not null;index:idx_local_book_pn,priority:2" json:"partnumber"`
-	LotName     string `gorm:"not null" json:"lot_name"`
-	IsPrimaryPN bool   `gorm:"not null;default:false" json:"is_primary_pn"`
-	Description string `json:"description,omitempty"`
+	ID          uint                    `gorm:"primaryKey;autoIncrement" json:"id"`
+	Partnumber  string                  `gorm:"not null" json:"partnumber"`
+	LotsJSON    LocalPartnumberBookLots `gorm:"column:lots_json;type:text" json:"lots_json"`
+	Description string                  `json:"description,omitempty"`
 }

 func (LocalPartnumberBookItem) TableName() string {
--- a/internal/lotmatch/resolver.go
+++ b/internal/lotmatch/resolver.go
@@ -1,238 +0,0 @@
-package lotmatch
-
-import (
-	"errors"
-	"regexp"
-	"sort"
-	"strings"
-
-	"git.mchus.pro/mchus/quoteforge/internal/models"
-	"gorm.io/gorm"
-)
-
-var (
-	ErrResolveConflict = errors.New("multiple lot matches")
-	ErrResolveNotFound = errors.New("lot not found")
-)
-
-type LotResolver struct {
-	partnumberToLots map[string][]string
-	exactLots        map[string]string
-	allLots          []string
-}
-
-type MappingMatcher struct {
-	exact    map[string][]string
-	exactLot map[string]string
-	wildcard []wildcardMapping
-}
-
-type wildcardMapping struct {
-	lotName string
-	re      *regexp.Regexp
-}
-
-func NewLotResolverFromDB(db *gorm.DB) (*LotResolver, error) {
-	mappings, lots, err := loadMappingsAndLots(db)
-	if err != nil {
-		return nil, err
-	}
-	return NewLotResolver(mappings, lots), nil
-}
-
-func NewMappingMatcherFromDB(db *gorm.DB) (*MappingMatcher, error) {
-	mappings, lots, err := loadMappingsAndLots(db)
-	if err != nil {
-		return nil, err
-	}
-	return NewMappingMatcher(mappings, lots), nil
-}
-
-func NewLotResolver(mappings []models.LotPartnumber, lots []models.Lot) *LotResolver {
-	partnumberToLots := make(map[string][]string, len(mappings))
-	for _, m := range mappings {
-		pn := NormalizeKey(m.Partnumber)
-		lot := strings.TrimSpace(m.LotName)
-		if pn == "" || lot == "" {
-			continue
-		}
-		partnumberToLots[pn] = append(partnumberToLots[pn], lot)
-	}
-	for key := range partnumberToLots {
-		partnumberToLots[key] = uniqueCaseInsensitive(partnumberToLots[key])
-	}
-
-	exactLots := make(map[string]string, len(lots))
-	allLots := make([]string, 0, len(lots))
-	for _, l := range lots {
-		name := strings.TrimSpace(l.LotName)
-		if name == "" {
-			continue
-		}
-		exactLots[NormalizeKey(name)] = name
-		allLots = append(allLots, name)
-	}
-	sort.Slice(allLots, func(i, j int) bool {
-		li := len([]rune(allLots[i]))
-		lj := len([]rune(allLots[j]))
-		if li == lj {
-			return allLots[i] < allLots[j]
-		}
-		return li > lj
-	})
-
-	return &LotResolver{
-		partnumberToLots: partnumberToLots,
-		exactLots:        exactLots,
-		allLots:          allLots,
-	}
-}
-
-func NewMappingMatcher(mappings []models.LotPartnumber, lots []models.Lot) *MappingMatcher {
-	exact := make(map[string][]string, len(mappings))
-	wildcards := make([]wildcardMapping, 0, len(mappings))
-	for _, m := range mappings {
-		pn := NormalizeKey(m.Partnumber)
-		lot := strings.TrimSpace(m.LotName)
-		if pn == "" || lot == "" {
-			continue
-		}
-		if strings.Contains(pn, "*") {
-			pattern := "^" + regexp.QuoteMeta(pn) + "$"
-			pattern = strings.ReplaceAll(pattern, "\\*", ".*")
-			re, err := regexp.Compile(pattern)
-			if err != nil {
-				continue
-			}
-			wildcards = append(wildcards, wildcardMapping{lotName: lot, re: re})
-			continue
-		}
-		exact[pn] = append(exact[pn], lot)
-	}
-	for key := range exact {
-		exact[key] = uniqueCaseInsensitive(exact[key])
-	}
-
-	exactLot := make(map[string]string, len(lots))
-	for _, l := range lots {
-		name := strings.TrimSpace(l.LotName)
-		if name == "" {
-			continue
-		}
-		exactLot[NormalizeKey(name)] = name
-	}
-
-	return &MappingMatcher{
-		exact:    exact,
-		exactLot: exactLot,
-		wildcard: wildcards,
-	}
-}
-
-func (r *LotResolver) Resolve(partnumber string) (string, string, error) {
-	key := NormalizeKey(partnumber)
-	if key == "" {
-		return "", "", ErrResolveNotFound
-	}
-
-	if mapped := r.partnumberToLots[key]; len(mapped) > 0 {
-		if len(mapped) == 1 {
-			return mapped[0], "mapping_table", nil
-		}
-		return "", "", ErrResolveConflict
-	}
-	if exact, ok := r.exactLots[key]; ok {
-		return exact, "article_exact", nil
-	}
-
-	best := ""
-	bestLen := -1
-	tie := false
-	for _, lot := range r.allLots {
-		lotKey := NormalizeKey(lot)
-		if lotKey == "" {
-			continue
-		}
-		if strings.HasPrefix(key, lotKey) {
-			l := len([]rune(lotKey))
-			if l > bestLen {
-				best = lot
-				bestLen = l
-				tie = false
-			} else if l == bestLen && !strings.EqualFold(best, lot) {
-				tie = true
-			}
-		}
-	}
-	if best == "" {
-		return "", "", ErrResolveNotFound
-	}
-	if tie {
-		return "", "", ErrResolveConflict
-	}
-	return best, "prefix", nil
-}
-
-func (m *MappingMatcher) MatchLots(partnumber string) []string {
-	if m == nil {
-		return nil
-	}
-	key := NormalizeKey(partnumber)
-	if key == "" {
-		return nil
-	}
-
-	lots := make([]string, 0, 2)
-	if exact := m.exact[key]; len(exact) > 0 {
-		lots = append(lots, exact...)
-	}
-	for _, wc := range m.wildcard {
-		if wc.re == nil || !wc.re.MatchString(key) {
-			continue
-		}
-		lots = append(lots, wc.lotName)
-	}
-	if lot, ok := m.exactLot[key]; ok && strings.TrimSpace(lot) != "" {
-		lots = append(lots, lot)
-	}
-	return uniqueCaseInsensitive(lots)
-}
-
-func NormalizeKey(v string) string {
-	s := strings.ToLower(strings.TrimSpace(v))
-	replacer := strings.NewReplacer(" ", "", "-", "", "_", "", ".", "", "/", "", "\\", "", "\"", "", "'", "", "(", "", ")", "")
-	return replacer.Replace(s)
-}
-
-func loadMappingsAndLots(db *gorm.DB) ([]models.LotPartnumber, []models.Lot, error) {
-	var mappings []models.LotPartnumber
-	if err := db.Find(&mappings).Error; err != nil {
-		return nil, nil, err
-	}
-	var lots []models.Lot
-	if err := db.Select("lot_name").Find(&lots).Error; err != nil {
-		return nil, nil, err
-	}
-	return mappings, lots, nil
-}
-
-func uniqueCaseInsensitive(values []string) []string {
-	seen := make(map[string]struct{}, len(values))
-	out := make([]string, 0, len(values))
-	for _, v := range values {
-		trimmed := strings.TrimSpace(v)
-		if trimmed == "" {
-			continue
-		}
-		key := strings.ToLower(trimmed)
-		if _, ok := seen[key]; ok {
-			continue
-		}
-		seen[key] = struct{}{}
-		out = append(out, trimmed)
-	}
-	sort.Slice(out, func(i, j int) bool {
-		return strings.ToLower(out[i]) < strings.ToLower(out[j])
-	})
-	return out
-}
--- a/internal/lotmatch/resolver_test.go
+++ b/internal/lotmatch/resolver_test.go
@@ -1,62 +0,0 @@
-package lotmatch
-
-import (
-	"testing"
-
-	"git.mchus.pro/mchus/quoteforge/internal/models"
-)
-
-func TestLotResolverPrecedence(t *testing.T) {
-	resolver := NewLotResolver(
-		[]models.LotPartnumber{
-			{Partnumber: "PN-1", LotName: "LOT_A"},
-		},
-		[]models.Lot{
-			{LotName: "CPU_X_LONG"},
-			{LotName: "CPU_X"},
-		},
-	)
-
-	lot, by, err := resolver.Resolve("PN-1")
-	if err != nil || lot != "LOT_A" || by != "mapping_table" {
-		t.Fatalf("expected mapping_table LOT_A, got lot=%s by=%s err=%v", lot, by, err)
-	}
-
-	lot, by, err = resolver.Resolve("CPU_X")
-	if err != nil || lot != "CPU_X" || by != "article_exact" {
-		t.Fatalf("expected article_exact CPU_X, got lot=%s by=%s err=%v", lot, by, err)
-	}
-
-	lot, by, err = resolver.Resolve("CPU_X_LONG_001")
-	if err != nil || lot != "CPU_X_LONG" || by != "prefix" {
-		t.Fatalf("expected prefix CPU_X_LONG, got lot=%s by=%s err=%v", lot, by, err)
-	}
-}
-
-func TestMappingMatcherWildcardAndExactLot(t *testing.T) {
-	matcher := NewMappingMatcher(
-		[]models.LotPartnumber{
-			{Partnumber: "R750*", LotName: "SERVER_R750"},
-			{Partnumber: "HDD-01", LotName: "HDD_01"},
-		},
-		[]models.Lot{
-			{LotName: "MEM_DDR5_16G_4800"},
-		},
-	)
-
-	check := func(partnumber string, want string) {
-		t.Helper()
-		got := matcher.MatchLots(partnumber)
-		if len(got) != 1 || got[0] != want {
-			t.Fatalf("partnumber %s: expected [%s], got %#v", partnumber, want, got)
-		}
-	}
-
-	check("R750XD", "SERVER_R750")
-	check("HDD-01", "HDD_01")
-	check("MEM_DDR5_16G_4800", "MEM_DDR5_16G_4800")
-
-	if got := matcher.MatchLots("UNKNOWN"); len(got) != 0 {
-		t.Fatalf("expected no matches for UNKNOWN, got %#v", got)
-	}
-}
--- a/internal/middleware/auth.go
+++ b/internal/middleware/auth.go
@@ -1,110 +0,0 @@
-package middleware
-
-import (
-	"net/http"
-	"strings"
-
-	"git.mchus.pro/mchus/quoteforge/internal/models"
-	"git.mchus.pro/mchus/quoteforge/internal/services"
-	"github.com/gin-gonic/gin"
-)
-
-const (
-	AuthUserKey   = "auth_user"
-	AuthClaimsKey = "auth_claims"
-)
-
-func Auth(authService *services.AuthService) gin.HandlerFunc {
-	return func(c *gin.Context) {
-		authHeader := c.GetHeader("Authorization")
-		if authHeader == "" {
-			c.AbortWithStatusJSON(http.StatusUnauthorized, gin.H{
-				"error": "authorization header required",
-			})
-			return
-		}
-
-		parts := strings.SplitN(authHeader, " ", 2)
-		if len(parts) != 2 || parts[0] != "Bearer" {
-			c.AbortWithStatusJSON(http.StatusUnauthorized, gin.H{
-				"error": "invalid authorization header format",
-			})
-			return
-		}
-
-		claims, err := authService.ValidateToken(parts[1])
-		if err != nil {
-			c.AbortWithStatusJSON(http.StatusUnauthorized, gin.H{
-				"error": err.Error(),
-			})
-			return
-		}
-
-		c.Set(AuthClaimsKey, claims)
-		c.Next()
-	}
-}
-
-func RequireRole(roles ...models.UserRole) gin.HandlerFunc {
-	return func(c *gin.Context) {
-		claims, exists := c.Get(AuthClaimsKey)
-		if !exists {
-			c.AbortWithStatusJSON(http.StatusUnauthorized, gin.H{
-				"error": "authentication required",
-			})
-			return
-		}
-
-		authClaims := claims.(*services.Claims)
-
-		for _, role := range roles {
-			if authClaims.Role == role {
-				c.Next()
-				return
-			}
-		}
-
-		c.AbortWithStatusJSON(http.StatusForbidden, gin.H{
-			"error": "insufficient permissions",
-		})
-	}
-}
-
-func RequireEditor() gin.HandlerFunc {
-	return RequireRole(models.RoleEditor, models.RolePricingAdmin, models.RoleAdmin)
-}
-
-func RequirePricingAdmin() gin.HandlerFunc {
-	return RequireRole(models.RolePricingAdmin, models.RoleAdmin)
-}
-
-func RequireAdmin() gin.HandlerFunc {
-	return RequireRole(models.RoleAdmin)
-}
-
-// GetClaims extracts auth claims from context
-func GetClaims(c *gin.Context) *services.Claims {
-	claims, exists := c.Get(AuthClaimsKey)
-	if !exists {
-		return nil
-	}
-	return claims.(*services.Claims)
-}
-
-// GetUserID extracts user ID from context
-func GetUserID(c *gin.Context) uint {
-	claims := GetClaims(c)
-	if claims == nil {
-		return 0
-	}
-	return claims.UserID
-}
-
-// GetUsername extracts username from context
-func GetUsername(c *gin.Context) string {
-	claims := GetClaims(c)
-	if claims == nil {
-		return ""
-	}
-	return claims.Username
-}
--- a/internal/models/configuration.go
+++ b/internal/models/configuration.go
@@ -117,8 +117,6 @@ type Configuration struct {
 	PriceUpdatedAt        *time.Time  `gorm:"type:timestamp" json:"price_updated_at,omitempty"`
 	CreatedAt             time.Time   `gorm:"autoCreateTime" json:"created_at"`
 	CurrentVersionNo      int         `gorm:"-" json:"current_version_no,omitempty"`
-
-	User *User `gorm:"foreignKey:UserID" json:"user,omitempty"`
 }

 func (Configuration) TableName() string {
@@ -133,8 +131,6 @@ type PriceOverride struct {
 	ValidUntil *time.Time `gorm:"type:date" json:"valid_until"`
 	Reason     string     `gorm:"type:text" json:"reason"`
 	CreatedBy  uint       `gorm:"not null" json:"created_by"`
-
-	Creator *User `gorm:"foreignKey:CreatedBy" json:"creator,omitempty"`
 }

 func (PriceOverride) TableName() string {
--- a/internal/models/lot.go
+++ b/internal/models/lot.go
@@ -55,17 +55,6 @@ func (StockLog) TableName() string {
 	return "stock_log"
 }

-// LotPartnumber maps external part numbers to internal lots.
-type LotPartnumber struct {
-	Partnumber  string  `gorm:"column:partnumber;size:255;primaryKey" json:"partnumber"`
-	LotName     string  `gorm:"column:lot_name;size:255;primaryKey" json:"lot_name"`
-	Description *string `gorm:"column:description;size:10000" json:"description,omitempty"`
-}
-
-func (LotPartnumber) TableName() string {
-	return "lot_partnumbers"
-}
-
 // StockIgnoreRule contains import ignore pattern rules.
 type StockIgnoreRule struct {
 	ID        uint      `gorm:"column:id;primaryKey;autoIncrement" json:"id"`
--- a/internal/models/models.go
+++ b/internal/models/models.go
@@ -10,7 +10,6 @@ import (
 // AllModels returns all models for auto-migration
 func AllModels() []interface{} {
 	return []interface{}{
-		&User{},
 		&Category{},
 		&LotMetadata{},
 		&Project{},
@@ -52,54 +51,3 @@ func SeedCategories(db *gorm.DB) error {
 	}
 	return nil
 }
-
-// SeedAdminUser creates default admin user if not exists
-// Default credentials: admin / admin123
-func SeedAdminUser(db *gorm.DB, passwordHash string) error {
-	var count int64
-	db.Model(&User{}).Where("username = ?", "admin").Count(&count)
-	if count > 0 {
-		return nil
-	}
-
-	admin := &User{
-		Username:     "admin",
-		Email:        "admin@example.com",
-		PasswordHash: passwordHash,
-		Role:         RoleAdmin,
-		IsActive:     true,
-	}
-	return db.Create(admin).Error
-}
-
-// EnsureDBUser creates or returns the user corresponding to the database connection username.
-// This is used when RBAC is disabled - configurations are owned by the DB user.
-// Returns the user ID that should be used for all operations.
-func EnsureDBUser(db *gorm.DB, dbUsername string) (uint, error) {
-	if dbUsername == "" {
-		return 0, nil
-	}
-
-	var user User
-	err := db.Where("username = ?", dbUsername).First(&user).Error
-	if err == nil {
-		return user.ID, nil
-	}
-
-	// User doesn't exist, create it
-	user = User{
-		Username:     dbUsername,
-		Email:        dbUsername + "@db.local",
-		PasswordHash: "-", // No password - this is a DB user, not an app user
-		Role:         RoleAdmin,
-		IsActive:     true,
-	}
-
-	if err := db.Create(&user).Error; err != nil {
-		slog.Error("failed to create DB user", "username", dbUsername, "error", err)
-		return 0, err
-	}
-
-	slog.Info("created DB user for configurations", "username", dbUsername, "user_id", user.ID)
-	return user.ID, nil
-}
--- a/internal/models/user.go
+++ b/internal/models/user.go
@@ -1,39 +0,0 @@
-package models
-
-import "time"
-
-type UserRole string
-
-const (
-	RoleViewer       UserRole = "viewer"
-	RoleEditor       UserRole = "editor"
-	RolePricingAdmin UserRole = "pricing_admin"
-	RoleAdmin        UserRole = "admin"
-)
-
-type User struct {
-	ID           uint      `gorm:"primaryKey;autoIncrement" json:"id"`
-	Username     string    `gorm:"size:100;uniqueIndex;not null" json:"username"`
-	Email        string    `gorm:"size:255;uniqueIndex;not null" json:"email"`
-	PasswordHash string    `gorm:"size:255;not null" json:"-"`
-	Role         UserRole  `gorm:"type:enum('viewer','editor','pricing_admin','admin');default:'viewer'" json:"role"`
-	IsActive     bool      `gorm:"default:true" json:"is_active"`
-	CreatedAt    time.Time `gorm:"autoCreateTime" json:"created_at"`
-	UpdatedAt    time.Time `gorm:"autoUpdateTime" json:"updated_at"`
-}
-
-func (User) TableName() string {
-	return "qt_users"
-}
-
-func (u *User) CanEdit() bool {
-	return u.Role == RoleEditor || u.Role == RolePricingAdmin || u.Role == RoleAdmin
-}
-
-func (u *User) CanManagePricing() bool {
-	return u.Role == RolePricingAdmin || u.Role == RoleAdmin
-}
-
-func (u *User) CanManageUsers() bool {
-	return u.Role == RoleAdmin
-}
--- a/internal/repository/partnumber_book.go
+++ b/internal/repository/partnumber_book.go
@@ -3,6 +3,7 @@ package repository
 import (
 	"git.mchus.pro/mchus/quoteforge/internal/localdb"
 	"gorm.io/gorm"
+	"gorm.io/gorm/clause"
 )

 // PartnumberBookRepository provides read-only access to local partnumber book snapshots.
@@ -26,8 +27,11 @@ func (r *PartnumberBookRepository) GetActiveBook() (*localdb.LocalPartnumberBook

 // GetBookItems returns all items for the given local book ID.
 func (r *PartnumberBookRepository) GetBookItems(bookID uint) ([]localdb.LocalPartnumberBookItem, error) {
-	var items []localdb.LocalPartnumberBookItem
-	err := r.db.Where("book_id = ?", bookID).Find(&items).Error
+	book, err := r.getBook(bookID)
+	if err != nil {
+		return nil, err
+	}
+	items, _, err := r.listCatalogItems(book.PartnumbersJSON, "", 0, 0)
 	return items, err
 }

@@ -40,30 +44,31 @@ func (r *PartnumberBookRepository) GetBookItemsPage(bookID uint, search string,
 		perPage = 100
 	}

-	query := r.db.Model(&localdb.LocalPartnumberBookItem{}).Where("book_id = ?", bookID)
-	trimmedSearch := "%" + search + "%"
-	if search != "" {
-		query = query.Where("partnumber LIKE ? OR lot_name LIKE ?", trimmedSearch, trimmedSearch)
-	}
-
-	var total int64
-	if err := query.Count(&total).Error; err != nil {
+	book, err := r.getBook(bookID)
+	if err != nil {
 		return nil, 0, err
 	}
-
-	var items []localdb.LocalPartnumberBookItem
-	err := query.
-		Order("partnumber ASC, lot_name ASC, id ASC").
-		Offset((page - 1) * perPage).
-		Limit(perPage).
-		Find(&items).Error
-	return items, total, err
+	return r.listCatalogItems(book.PartnumbersJSON, search, page, perPage)
 }

 // FindLotByPartnumber looks up a partnumber in the active book and returns the matching items.
 func (r *PartnumberBookRepository) FindLotByPartnumber(bookID uint, partnumber string) ([]localdb.LocalPartnumberBookItem, error) {
+	book, err := r.getBook(bookID)
+	if err != nil {
+		return nil, err
+	}
+	found := false
+	for _, pn := range book.PartnumbersJSON {
+		if pn == partnumber {
+			found = true
+			break
+		}
+	}
+	if !found {
+		return nil, nil
+	}
 	var items []localdb.LocalPartnumberBookItem
-	err := r.db.Where("book_id = ? AND partnumber = ?", bookID, partnumber).Find(&items).Error
+	err = r.db.Where("partnumber = ?", partnumber).Find(&items).Error
 	return items, err
 }

@@ -79,34 +84,91 @@ func (r *PartnumberBookRepository) SaveBook(book *localdb.LocalPartnumberBook) e
 	return r.db.Save(book).Error
 }

-// SaveBookItems bulk-inserts items for a book snapshot.
+// SaveBookItems upserts canonical PN catalog rows.
 func (r *PartnumberBookRepository) SaveBookItems(items []localdb.LocalPartnumberBookItem) error {
 	if len(items) == 0 {
 		return nil
 	}
-	return r.db.CreateInBatches(items, 500).Error
+	return r.db.Clauses(clause.OnConflict{
+		Columns: []clause.Column{{Name: "partnumber"}},
+		DoUpdates: clause.AssignmentColumns([]string{
+			"lots_json",
+			"description",
+		}),
+	}).CreateInBatches(items, 500).Error
 }

 // CountBookItems returns the number of items for a given local book ID.
 func (r *PartnumberBookRepository) CountBookItems(bookID uint) int64 {
-	var count int64
-	r.db.Model(&localdb.LocalPartnumberBookItem{}).Where("book_id = ?", bookID).Count(&count)
-	return count
+	book, err := r.getBook(bookID)
+	if err != nil {
+		return 0
+	}
+	return int64(len(book.PartnumbersJSON))
 }

 func (r *PartnumberBookRepository) CountDistinctLots(bookID uint) int64 {
-	var count int64
-	r.db.Model(&localdb.LocalPartnumberBookItem{}).
-		Where("book_id = ?", bookID).
-		Distinct("lot_name").
-		Count(&count)
-	return count
+	items, err := r.GetBookItems(bookID)
+	if err != nil {
+		return 0
+	}
+	seen := make(map[string]struct{})
+	for _, item := range items {
+		for _, lot := range item.LotsJSON {
+			if lot.LotName == "" {
+				continue
+			}
+			seen[lot.LotName] = struct{}{}
+		}
+	}
+	return int64(len(seen))
 }

-func (r *PartnumberBookRepository) CountPrimaryItems(bookID uint) int64 {
+func (r *PartnumberBookRepository) HasAllBookItems(bookID uint) bool {
+	book, err := r.getBook(bookID)
+	if err != nil {
+		return false
+	}
+	if len(book.PartnumbersJSON) == 0 {
+		return true
+	}
 	var count int64
-	r.db.Model(&localdb.LocalPartnumberBookItem{}).
-		Where("book_id = ? AND is_primary_pn = ?", bookID, true).
-		Count(&count)
-	return count
+	if err := r.db.Model(&localdb.LocalPartnumberBookItem{}).
+		Where("partnumber IN ?", []string(book.PartnumbersJSON)).
+		Count(&count).Error; err != nil {
+		return false
+	}
+	return count == int64(len(book.PartnumbersJSON))
+}
+
+func (r *PartnumberBookRepository) getBook(bookID uint) (*localdb.LocalPartnumberBook, error) {
+	var book localdb.LocalPartnumberBook
+	if err := r.db.First(&book, bookID).Error; err != nil {
+		return nil, err
+	}
+	return &book, nil
+}
+
+func (r *PartnumberBookRepository) listCatalogItems(partnumbers localdb.LocalStringList, search string, page, perPage int) ([]localdb.LocalPartnumberBookItem, int64, error) {
+	if len(partnumbers) == 0 {
+		return []localdb.LocalPartnumberBookItem{}, 0, nil
+	}
+
+	query := r.db.Model(&localdb.LocalPartnumberBookItem{}).Where("partnumber IN ?", []string(partnumbers))
+	if search != "" {
+		trimmedSearch := "%" + search + "%"
+		query = query.Where("partnumber LIKE ? OR lots_json LIKE ? OR description LIKE ?", trimmedSearch, trimmedSearch, trimmedSearch)
+	}
+
+	var total int64
+	if err := query.Count(&total).Error; err != nil {
+		return nil, 0, err
+	}
+
+	var items []localdb.LocalPartnumberBookItem
+	if page > 0 && perPage > 0 {
+		query = query.Offset((page - 1) * perPage).Limit(perPage)
+	}
+	err := query.Order("partnumber ASC, id ASC").Find(&items).Error
+	return items, total, err
 }
--- a/internal/repository/pricelist.go
+++ b/internal/repository/pricelist.go
@@ -3,13 +3,10 @@ package repository
 import (
 	"errors"
 	"fmt"
-	"log/slog"
-	"sort"
 	"strconv"
 	"strings"
 	"time"

-	"git.mchus.pro/mchus/quoteforge/internal/lotmatch"
 	"git.mchus.pro/mchus/quoteforge/internal/models"
 	"gorm.io/gorm"
 )
@@ -246,94 +243,9 @@ func (r *PricelistRepository) GetItems(pricelistID uint, offset, limit int, sear
 		items[i].Category = strings.TrimSpace(items[i].LotCategory)
 	}

-	// Stock/partnumber enrichment is optional for pricelist item listing.
-	// Return base pricelist rows (lot_name/price/category) even when DB user lacks
-	// access to stock mapping tables (e.g. lot_partnumbers, stock_log).
-	if err := r.enrichItemsWithStock(items); err != nil {
-		slog.Warn("pricelist items stock enrichment skipped", "pricelist_id", pricelistID, "error", err)
-	}
-
 	return items, total, nil
 }

-func (r *PricelistRepository) enrichItemsWithStock(items []models.PricelistItem) error {
-	if len(items) == 0 {
-		return nil
-	}
-
-	resolver, err := lotmatch.NewLotResolverFromDB(r.db)
-	if err != nil {
-		return err
-	}
-
-	type stockRow struct {
-		Partnumber string   `gorm:"column:partnumber"`
-		Qty        *float64 `gorm:"column:qty"`
-	}
-	rows := make([]stockRow, 0)
-	if err := r.db.Raw(`
-		SELECT s.partnumber, s.qty
-		FROM stock_log s
-		INNER JOIN (
-			SELECT partnumber, MAX(date) AS max_date
-			FROM stock_log
-			GROUP BY partnumber
-		) latest ON latest.partnumber = s.partnumber AND latest.max_date = s.date
-		WHERE s.qty IS NOT NULL
-	`).Scan(&rows).Error; err != nil {
-		return err
-	}
-
-	lotTotals := make(map[string]float64, len(items))
-	lotPartnumbers := make(map[string][]string, len(items))
-	seenPartnumbers := make(map[string]map[string]struct{}, len(items))
-
-	for i := range rows {
-		row := rows[i]
-		if strings.TrimSpace(row.Partnumber) == "" {
-			continue
-		}
-		lotName, _, resolveErr := resolver.Resolve(row.Partnumber)
-		if resolveErr != nil || strings.TrimSpace(lotName) == "" {
-			continue
-		}
-
-		if row.Qty != nil {
-			lotTotals[lotName] += *row.Qty
-		}
-
-		pn := strings.TrimSpace(row.Partnumber)
-		if pn == "" {
-			continue
-		}
-		if _, ok := seenPartnumbers[lotName]; !ok {
-			seenPartnumbers[lotName] = make(map[string]struct{}, 4)
-		}
-		key := strings.ToLower(pn)
-		if _, exists := seenPartnumbers[lotName][key]; exists {
-			continue
-		}
-		seenPartnumbers[lotName][key] = struct{}{}
-		lotPartnumbers[lotName] = append(lotPartnumbers[lotName], pn)
-	}
-
-	for i := range items {
-		lotName := items[i].LotName
-		if qty, ok := lotTotals[lotName]; ok {
-			qtyCopy := qty
-			items[i].AvailableQty = &qtyCopy
-		}
-		if partnumbers := lotPartnumbers[lotName]; len(partnumbers) > 0 {
-			sort.Slice(partnumbers, func(a, b int) bool {
-				return strings.ToLower(partnumbers[a]) < strings.ToLower(partnumbers[b])
-			})
-			items[i].Partnumbers = partnumbers
-		}
-	}
-
-	return nil
-}
-
 // GetLotNames returns distinct lot names from pricelist items.
 func (r *PricelistRepository) GetLotNames(pricelistID uint) ([]string, error) {
 	var lotNames []string
--- a/internal/repository/pricelist_test.go
+++ b/internal/repository/pricelist_test.go
@@ -75,57 +75,6 @@ func TestGenerateVersion_IsolatedBySource(t *testing.T) {
 	}
 }

-func TestGetItems_WarehouseAvailableQtyUsesPrefixResolver(t *testing.T) {
-	repo := newTestPricelistRepository(t)
-	db := repo.db
-
-	warehouse := models.Pricelist{
-		Source:    string(models.PricelistSourceWarehouse),
-		Version:   "S-2026-02-07-001",
-		CreatedBy: "test",
-		IsActive:  true,
-	}
-	if err := db.Create(&warehouse).Error; err != nil {
-		t.Fatalf("create pricelist: %v", err)
-	}
-	if err := db.Create(&models.PricelistItem{
-		PricelistID: warehouse.ID,
-		LotName:     "SSD_NVME_03.2T",
-		Price:       100,
-	}).Error; err != nil {
-		t.Fatalf("create pricelist item: %v", err)
-	}
-	if err := db.Create(&models.Lot{LotName: "SSD_NVME_03.2T"}).Error; err != nil {
-		t.Fatalf("create lot: %v", err)
-	}
-	qty := 5.0
-	if err := db.Create(&models.StockLog{
-		Partnumber: "SSD_NVME_03.2T_GEN3_P4610",
-		Date:       time.Now(),
-		Price:      200,
-		Qty:        &qty,
-	}).Error; err != nil {
-		t.Fatalf("create stock log: %v", err)
-	}
-
-	items, total, err := repo.GetItems(warehouse.ID, 0, 20, "")
-	if err != nil {
-		t.Fatalf("GetItems: %v", err)
-	}
-	if total != 1 {
-		t.Fatalf("expected total=1, got %d", total)
-	}
-	if len(items) != 1 {
-		t.Fatalf("expected 1 item, got %d", len(items))
-	}
-	if items[0].AvailableQty == nil {
-		t.Fatalf("expected available qty to be set")
-	}
-	if *items[0].AvailableQty != 5 {
-		t.Fatalf("expected available qty=5, got %v", *items[0].AvailableQty)
-	}
-}
-
 func TestGetLatestActiveBySource_SkipsPricelistsWithoutItems(t *testing.T) {
 	repo := newTestPricelistRepository(t)
 	db := repo.db
@@ -228,7 +177,7 @@ func newTestPricelistRepository(t *testing.T) *PricelistRepository {
 	if err != nil {
 		t.Fatalf("open sqlite: %v", err)
 	}
-	if err := db.AutoMigrate(&models.Pricelist{}, &models.PricelistItem{}, &models.Lot{}, &models.LotPartnumber{}, &models.StockLog{}); err != nil {
+	if err := db.AutoMigrate(&models.Pricelist{}, &models.PricelistItem{}, &models.Lot{}, &models.StockLog{}); err != nil {
 		t.Fatalf("migrate: %v", err)
 	}
 	return NewPricelistRepository(db)
--- a/internal/repository/user.go
+++ b/internal/repository/user.go
@@ -1,62 +0,0 @@
-package repository
-
-import (
-	"git.mchus.pro/mchus/quoteforge/internal/models"
-	"gorm.io/gorm"
-)
-
-type UserRepository struct {
-	db *gorm.DB
-}
-
-func NewUserRepository(db *gorm.DB) *UserRepository {
-	return &UserRepository{db: db}
-}
-
-func (r *UserRepository) Create(user *models.User) error {
-	return r.db.Create(user).Error
-}
-
-func (r *UserRepository) GetByID(id uint) (*models.User, error) {
-	var user models.User
-	err := r.db.First(&user, id).Error
-	if err != nil {
-		return nil, err
-	}
-	return &user, nil
-}
-
-func (r *UserRepository) GetByUsername(username string) (*models.User, error) {
-	var user models.User
-	err := r.db.Where("username = ?", username).First(&user).Error
-	if err != nil {
-		return nil, err
-	}
-	return &user, nil
-}
-
-func (r *UserRepository) GetByEmail(email string) (*models.User, error) {
-	var user models.User
-	err := r.db.Where("email = ?", email).First(&user).Error
-	if err != nil {
-		return nil, err
-	}
-	return &user, nil
-}
-
-func (r *UserRepository) Update(user *models.User) error {
-	return r.db.Save(user).Error
-}
-
-func (r *UserRepository) Delete(id uint) error {
-	return r.db.Delete(&models.User{}, id).Error
-}
-
-func (r *UserRepository) List(offset, limit int) ([]models.User, int64, error) {
-	var users []models.User
-	var total int64
-
-	r.db.Model(&models.User{}).Count(&total)
-	err := r.db.Offset(offset).Limit(limit).Find(&users).Error
-	return users, total, err
-}
--- a/internal/services/auth.go
+++ b/internal/services/auth.go
@@ -1,180 +0,0 @@
-package services
-
-import (
-	"errors"
-	"time"
-
-	"github.com/golang-jwt/jwt/v5"
-	"git.mchus.pro/mchus/quoteforge/internal/config"
-	"git.mchus.pro/mchus/quoteforge/internal/models"
-	"git.mchus.pro/mchus/quoteforge/internal/repository"
-	"golang.org/x/crypto/bcrypt"
-)
-
-var (
-	ErrInvalidCredentials = errors.New("invalid username or password")
-	ErrUserNotFound       = errors.New("user not found")
-	ErrUserInactive       = errors.New("user account is inactive")
-	ErrInvalidToken       = errors.New("invalid token")
-	ErrTokenExpired       = errors.New("token expired")
-)
-
-type AuthService struct {
-	userRepo *repository.UserRepository
-	config   config.AuthConfig
-}
-
-func NewAuthService(userRepo *repository.UserRepository, cfg config.AuthConfig) *AuthService {
-	return &AuthService{
-		userRepo: userRepo,
-		config:   cfg,
-	}
-}
-
-type TokenPair struct {
-	AccessToken  string `json:"access_token"`
-	RefreshToken string `json:"refresh_token"`
-	ExpiresAt    int64  `json:"expires_at"`
-}
-
-type Claims struct {
-	UserID   uint            `json:"user_id"`
-	Username string          `json:"username"`
-	Role     models.UserRole `json:"role"`
-	jwt.RegisteredClaims
-}
-
-func (s *AuthService) Login(username, password string) (*TokenPair, *models.User, error) {
-	user, err := s.userRepo.GetByUsername(username)
-	if err != nil {
-		return nil, nil, ErrInvalidCredentials
-	}
-
-	if !user.IsActive {
-		return nil, nil, ErrUserInactive
-	}
-
-	if err := bcrypt.CompareHashAndPassword([]byte(user.PasswordHash), []byte(password)); err != nil {
-		return nil, nil, ErrInvalidCredentials
-	}
-
-	tokens, err := s.generateTokenPair(user)
-	if err != nil {
-		return nil, nil, err
-	}
-
-	return tokens, user, nil
-}
-
-func (s *AuthService) RefreshTokens(refreshToken string) (*TokenPair, error) {
-	claims, err := s.ValidateToken(refreshToken)
-	if err != nil {
-		return nil, err
-	}
-
-	user, err := s.userRepo.GetByID(claims.UserID)
-	if err != nil {
-		return nil, ErrUserNotFound
-	}
-
-	if !user.IsActive {
-		return nil, ErrUserInactive
-	}
-
-	return s.generateTokenPair(user)
-}
-
-func (s *AuthService) ValidateToken(tokenString string) (*Claims, error) {
-	token, err := jwt.ParseWithClaims(tokenString, &Claims{}, func(token *jwt.Token) (interface{}, error) {
-		return []byte(s.config.JWTSecret), nil
-	})
-
-	if err != nil {
-		if errors.Is(err, jwt.ErrTokenExpired) {
-			return nil, ErrTokenExpired
-		}
-		return nil, ErrInvalidToken
-	}
-
-	claims, ok := token.Claims.(*Claims)
-	if !ok || !token.Valid {
-		return nil, ErrInvalidToken
-	}
-
-	return claims, nil
-}
-
-func (s *AuthService) generateTokenPair(user *models.User) (*TokenPair, error) {
-	now := time.Now()
-	accessExpiry := now.Add(s.config.TokenExpiry)
-	refreshExpiry := now.Add(s.config.RefreshExpiry)
-
-	accessClaims := &Claims{
-		UserID:   user.ID,
-		Username: user.Username,
-		Role:     user.Role,
-		RegisteredClaims: jwt.RegisteredClaims{
-			ExpiresAt: jwt.NewNumericDate(accessExpiry),
-			IssuedAt:  jwt.NewNumericDate(now),
-			Subject:   user.Username,
-		},
-	}
-
-	accessToken := jwt.NewWithClaims(jwt.SigningMethodHS256, accessClaims)
-	accessTokenString, err := accessToken.SignedString([]byte(s.config.JWTSecret))
-	if err != nil {
-		return nil, err
-	}
-
-	refreshClaims := &Claims{
-		UserID:   user.ID,
-		Username: user.Username,
-		Role:     user.Role,
-		RegisteredClaims: jwt.RegisteredClaims{
-			ExpiresAt: jwt.NewNumericDate(refreshExpiry),
-			IssuedAt:  jwt.NewNumericDate(now),
-			Subject:   user.Username,
-		},
-	}
-
-	refreshToken := jwt.NewWithClaims(jwt.SigningMethodHS256, refreshClaims)
-	refreshTokenString, err := refreshToken.SignedString([]byte(s.config.JWTSecret))
-	if err != nil {
-		return nil, err
-	}
-
-	return &TokenPair{
-		AccessToken:  accessTokenString,
-		RefreshToken: refreshTokenString,
-		ExpiresAt:    accessExpiry.Unix(),
-	}, nil
-}
-
-func (s *AuthService) HashPassword(password string) (string, error) {
-	hash, err := bcrypt.GenerateFromPassword([]byte(password), bcrypt.DefaultCost)
-	if err != nil {
-		return "", err
-	}
-	return string(hash), nil
-}
-
-func (s *AuthService) CreateUser(username, email, password string, role models.UserRole) (*models.User, error) {
-	hash, err := s.HashPassword(password)
-	if err != nil {
-		return nil, err
-	}
-
-	user := &models.User{
-		Username:     username,
-		Email:        email,
-		PasswordHash: hash,
-		Role:         role,
-		IsActive:     true,
-	}
-
-	if err := s.userRepo.Create(user); err != nil {
-		return nil, err
-	}
-
-	return user, nil
-}
--- a/internal/services/configuration.go
+++ b/internal/services/configuration.go
@@ -608,13 +608,7 @@ func (s *ConfigurationService) isOwner(config *models.Configuration, ownerUserna
 	if config == nil || ownerUsername == "" {
 		return false
 	}
-	if config.OwnerUsername != "" {
-		return config.OwnerUsername == ownerUsername
-	}
-	if config.User != nil {
-		return config.User.Username == ownerUsername
-	}
-	return false
+	return config.OwnerUsername == ownerUsername
 }

 // // Export configuration as JSON
--- a/internal/services/sync/partnumber_books.go
+++ b/internal/services/sync/partnumber_books.go
@@ -1,6 +1,7 @@
 package sync

 import (
+	"encoding/json"
 	"fmt"
 	"log/slog"
 	"time"
@@ -23,13 +24,14 @@ func (s *Service) PullPartnumberBooks() (int, error) {
 	localBookRepo := repository.NewPartnumberBookRepository(s.localDB.DB())

 	type serverBook struct {
-		ID        int       `gorm:"column:id"`
-		Version   string    `gorm:"column:version"`
-		CreatedAt time.Time `gorm:"column:created_at"`
-		IsActive  bool      `gorm:"column:is_active"`
+		ID              int       `gorm:"column:id"`
+		Version         string    `gorm:"column:version"`
+		CreatedAt       time.Time `gorm:"column:created_at"`
+		IsActive        bool      `gorm:"column:is_active"`
+		PartnumbersJSON string    `gorm:"column:partnumbers_json"`
 	}
 	var serverBooks []serverBook
-	if err := mariaDB.Raw("SELECT id, version, created_at, is_active FROM qt_partnumber_books ORDER BY created_at DESC, id DESC").Scan(&serverBooks).Error; err != nil {
+	if err := mariaDB.Raw("SELECT id, version, created_at, is_active, partnumbers_json FROM qt_partnumber_books ORDER BY created_at DESC, id DESC").Scan(&serverBooks).Error; err != nil {
 		return 0, fmt.Errorf("querying server partnumber books: %w", err)
 	}
 	slog.Info("partnumber books found on server", "count", len(serverBooks))
@@ -38,16 +40,28 @@ func (s *Service) PullPartnumberBooks() (int, error) {
 	for _, sb := range serverBooks {
 		var existing localdb.LocalPartnumberBook
 		err := s.localDB.DB().Where("server_id = ?", sb.ID).First(&existing).Error
+		partnumbers, errPartnumbers := decodeServerPartnumbers(sb.PartnumbersJSON)
+		if errPartnumbers != nil {
+			slog.Error("failed to decode server partnumbers_json", "server_id", sb.ID, "error", errPartnumbers)
+			continue
+		}
 		if err == nil {
-			// Header exists — check whether items were saved
+			existing.Version = sb.Version
+			existing.CreatedAt = sb.CreatedAt
+			existing.IsActive = sb.IsActive
+			existing.PartnumbersJSON = partnumbers
+			if err := localBookRepo.SaveBook(&existing); err != nil {
+				slog.Error("failed to update local partnumber book header", "server_id", sb.ID, "error", err)
+				continue
+			}
+
 			localItemCount := localBookRepo.CountBookItems(existing.ID)
-			if localItemCount > 0 {
+			if localItemCount > 0 && localBookRepo.HasAllBookItems(existing.ID) {
 				slog.Debug("partnumber book already synced, skipping", "server_id", sb.ID, "version", sb.Version, "items", localItemCount)
 				continue
 			}
-			// Items missing — re-pull them
-			slog.Info("partnumber book header exists but has no items, re-pulling items", "server_id", sb.ID, "version", sb.Version)
-			n, err := pullBookItems(mariaDB, localBookRepo, sb.ID, existing.ID)
+			slog.Info("partnumber book header exists but catalog items are missing, re-pulling items", "server_id", sb.ID, "version", sb.Version)
+			n, err := pullBookItems(mariaDB, localBookRepo, existing.PartnumbersJSON)
 			if err != nil {
 				slog.Error("failed to re-pull items for existing book", "server_id", sb.ID, "error", err)
 			} else {
@@ -60,17 +74,18 @@ func (s *Service) PullPartnumberBooks() (int, error) {
 		slog.Info("pulling new partnumber book", "server_id", sb.ID, "version", sb.Version, "is_active", sb.IsActive)

 		localBook := &localdb.LocalPartnumberBook{
-			ServerID:  sb.ID,
-			Version:   sb.Version,
-			CreatedAt: sb.CreatedAt,
-			IsActive:  sb.IsActive,
+			ServerID:        sb.ID,
+			Version:         sb.Version,
+			CreatedAt:       sb.CreatedAt,
+			IsActive:        sb.IsActive,
+			PartnumbersJSON: partnumbers,
 		}
 		if err := localBookRepo.SaveBook(localBook); err != nil {
 			slog.Error("failed to save local partnumber book", "server_id", sb.ID, "error", err)
 			continue
 		}

-		n, err := pullBookItems(mariaDB, localBookRepo, sb.ID, localBook.ID)
+		n, err := pullBookItems(mariaDB, localBookRepo, localBook.PartnumbersJSON)
 		if err != nil {
 			slog.Error("failed to pull items for new book", "server_id", sb.ID, "error", err)
 			continue
@@ -84,39 +99,39 @@ func (s *Service) PullPartnumberBooks() (int, error) {
 	return pulled, nil
 }

-// pullBookItems fetches items for a single book from MariaDB and saves them to SQLite.
+// pullBookItems fetches catalog items for a partnumber list from MariaDB and saves them to SQLite.
 // Returns the number of items saved.
-func pullBookItems(mariaDB *gorm.DB, repo *repository.PartnumberBookRepository, serverBookID int, localBookID uint) (int, error) {
+func pullBookItems(mariaDB *gorm.DB, repo *repository.PartnumberBookRepository, partnumbers localdb.LocalStringList) (int, error) {
+	if len(partnumbers) == 0 {
+		return 0, nil
+	}
+
 	type serverItem struct {
 		Partnumber  string `gorm:"column:partnumber"`
-		LotName     string `gorm:"column:lot_name"`
-		IsPrimaryPN bool   `gorm:"column:is_primary_pn"`
+		LotsJSON    string `gorm:"column:lots_json"`
 		Description string `gorm:"column:description"`
 	}
-	// description column may not exist yet on older server schemas — query without it first,
-	// then retry with it to populate descriptions if available.
 	var serverItems []serverItem
-	err := mariaDB.Raw("SELECT partnumber, lot_name, is_primary_pn, description FROM qt_partnumber_book_items WHERE book_id = ?", serverBookID).Scan(&serverItems).Error
+	err := mariaDB.Raw("SELECT partnumber, lots_json, description FROM qt_partnumber_book_items WHERE partnumber IN ?", []string(partnumbers)).Scan(&serverItems).Error
 	if err != nil {
-		slog.Warn("description column not available on server, retrying without it", "server_book_id", serverBookID, "error", err)
-		if err2 := mariaDB.Raw("SELECT partnumber, lot_name, is_primary_pn FROM qt_partnumber_book_items WHERE book_id = ?", serverBookID).Scan(&serverItems).Error; err2 != nil {
-			return 0, fmt.Errorf("querying items from server: %w", err2)
-		}
+		return 0, fmt.Errorf("querying items from server: %w", err)
 	}
-	slog.Info("partnumber book items fetched from server", "server_book_id", serverBookID, "count", len(serverItems))
+	slog.Info("partnumber book items fetched from server", "count", len(serverItems), "requested_partnumbers", len(partnumbers))

 	if len(serverItems) == 0 {
-		slog.Warn("server returned 0 items for book — check qt_partnumber_book_items on server", "server_book_id", serverBookID)
+		slog.Warn("server returned 0 partnumber book items")
 		return 0, nil
 	}

 	localItems := make([]localdb.LocalPartnumberBookItem, 0, len(serverItems))
 	for _, si := range serverItems {
+		var lots localdb.LocalPartnumberBookLots
+		if err := json.Unmarshal([]byte(si.LotsJSON), &lots); err != nil {
+			return 0, fmt.Errorf("decode lots_json for %s: %w", si.Partnumber, err)
+		}
 		localItems = append(localItems, localdb.LocalPartnumberBookItem{
-			BookID:      localBookID,
 			Partnumber:  si.Partnumber,
-			LotName:     si.LotName,
-			IsPrimaryPN: si.IsPrimaryPN,
+			LotsJSON:    lots,
 			Description: si.Description,
 		})
 	}
@@ -125,3 +140,14 @@ func pullBookItems(mariaDB *gorm.DB, repo *repository.PartnumberBookRepository,
 	}
 	return len(localItems), nil
 }
+
+func decodeServerPartnumbers(raw string) (localdb.LocalStringList, error) {
+	if raw == "" {
+		return localdb.LocalStringList{}, nil
+	}
+	var items []string
+	if err := json.Unmarshal([]byte(raw), &items); err != nil {
+		return nil, err
+	}
+	return localdb.LocalStringList(items), nil
+}
--- a/internal/services/sync/readiness.go
+++ b/internal/services/sync/readiness.go
@@ -1,14 +1,10 @@
 package sync

 import (
-	"bufio"
-	"crypto/sha256"
-	"encoding/hex"
 	"errors"
 	"fmt"
 	"log/slog"
 	"os"
-	"strconv"
 	"strings"
 	"time"

@@ -80,48 +76,6 @@ func (s *Service) GetReadiness() (*SyncReadiness, error) {
 		)
 	}

-	migrations, err := listActiveClientMigrations(mariaDB)
-	if err != nil {
-		return s.blockedReadiness(
-			now,
-			"REMOTE_MIGRATION_REGISTRY_UNAVAILABLE",
-			"Синхронизация заблокирована: не удалось проверить централизованные миграции локальной БД.",
-			nil,
-		)
-	}
-
-	for i := range migrations {
-		m := migrations[i]
-		if strings.TrimSpace(m.MinAppVersion) != "" {
-			if compareVersions(appmeta.Version(), m.MinAppVersion) < 0 {
-				min := m.MinAppVersion
-				return s.blockedReadiness(
-					now,
-					"MIN_APP_VERSION_REQUIRED",
-					fmt.Sprintf("Требуется обновление приложения до версии %s для безопасной синхронизации.", m.MinAppVersion),
-					&min,
-				)
-			}
-		}
-	}
-
-	if err := s.applyMissingRemoteMigrations(migrations); err != nil {
-		if strings.Contains(strings.ToLower(err.Error()), "checksum") {
-			return s.blockedReadiness(
-				now,
-				"REMOTE_MIGRATION_CHECKSUM_MISMATCH",
-				"Синхронизация заблокирована: контрольная сумма миграции не совпадает.",
-				nil,
-			)
-		}
-		return s.blockedReadiness(
-			now,
-			"LOCAL_MIGRATION_APPLY_FAILED",
-			"Синхронизация заблокирована: не удалось применить миграции локальной БД.",
-			nil,
-		)
-	}
-
 	if err := s.reportClientSchemaState(mariaDB, now); err != nil {
 		slog.Warn("failed to report client schema state", "error", err)
 	}
@@ -158,64 +112,12 @@ func (s *Service) isOnline() bool {
 	return s.connMgr.IsOnline()
 }

-type clientLocalMigration struct {
-	ID            string    `gorm:"column:id"`
-	Name          string    `gorm:"column:name"`
-	SQLText       string    `gorm:"column:sql_text"`
-	Checksum      string    `gorm:"column:checksum"`
-	MinAppVersion string    `gorm:"column:min_app_version"`
-	OrderNo       int       `gorm:"column:order_no"`
-	CreatedAt     time.Time `gorm:"column:created_at"`
-}
-
-func listActiveClientMigrations(db *gorm.DB) ([]clientLocalMigration, error) {
-	if strings.EqualFold(db.Dialector.Name(), "sqlite") {
-		return []clientLocalMigration{}, nil
-	}
-	if err := ensureClientMigrationRegistryTable(db); err != nil {
-		return nil, err
-	}
-
-	rows := make([]clientLocalMigration, 0)
-	if err := db.Raw(`
-		SELECT id, name, sql_text, checksum, COALESCE(min_app_version, '') AS min_app_version, order_no, created_at
-		FROM qt_client_local_migrations
-		WHERE is_active = 1
-		ORDER BY order_no ASC, created_at ASC, id ASC
-	`).Scan(&rows).Error; err != nil {
-		return nil, fmt.Errorf("load client local migrations: %w", err)
-	}
-
-	return rows, nil
-}
-
-func ensureClientMigrationRegistryTable(db *gorm.DB) error {
-	// Check if table exists instead of trying to create (avoids permission issues)
-	if !tableExists(db, "qt_client_local_migrations") {
-		if err := db.Exec(`
-			CREATE TABLE IF NOT EXISTS qt_client_local_migrations (
-				id VARCHAR(128) NOT NULL,
-				name VARCHAR(255) NOT NULL,
-				sql_text LONGTEXT NOT NULL,
-				checksum VARCHAR(128) NOT NULL,
-				min_app_version VARCHAR(64) NULL,
-				order_no INT NOT NULL DEFAULT 0,
-				is_active TINYINT(1) NOT NULL DEFAULT 1,
-				created_at TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP,
-				PRIMARY KEY (id),
-				INDEX idx_qt_client_local_migrations_active_order (is_active, order_no, created_at)
-			)
-		`).Error; err != nil {
-			return fmt.Errorf("create qt_client_local_migrations table: %w", err)
-		}
-	}
-
+func ensureClientSchemaStateTable(db *gorm.DB) error {
 	if !tableExists(db, "qt_client_schema_state") {
 		if err := db.Exec(`
 			CREATE TABLE IF NOT EXISTS qt_client_schema_state (
 				username VARCHAR(100) NOT NULL,
 				hostname VARCHAR(255) NOT NULL DEFAULT '',
-				last_applied_migration_id VARCHAR(128) NULL,
 				app_version VARCHAR(64) NULL,
 				last_sync_at DATETIME NULL,
 				last_sync_status VARCHAR(32) NULL,
@@ -287,114 +189,13 @@ func tableExists(db *gorm.DB, tableName string) bool {
 	return count > 0
 }

-func (s *Service) applyMissingRemoteMigrations(migrations []clientLocalMigration) error {
-	for i := range migrations {
-		m := migrations[i]
-		computedChecksum := digestSQL(m.SQLText)
-		checksum := strings.TrimSpace(m.Checksum)
-		if checksum == "" {
-			checksum = computedChecksum
-		} else if !strings.EqualFold(checksum, computedChecksum) {
-			return fmt.Errorf("checksum mismatch for migration %s", m.ID)
-		}
-
-		applied, err := s.localDB.GetRemoteMigrationApplied(m.ID)
-		if err == nil {
-			if strings.TrimSpace(applied.Checksum) != checksum {
-				return fmt.Errorf("checksum mismatch for migration %s", m.ID)
-			}
-			continue
-		}
-		if !errors.Is(err, gorm.ErrRecordNotFound) {
-			return fmt.Errorf("check local applied migration %s: %w", m.ID, err)
-		}
-
-		if strings.TrimSpace(m.SQLText) == "" {
-			if err := s.localDB.UpsertRemoteMigrationApplied(m.ID, checksum, appmeta.Version(), time.Now().UTC()); err != nil {
-				return fmt.Errorf("mark empty migration %s as applied: %w", m.ID, err)
-			}
-			continue
-		}
-
-		statements := splitSQLStatementsLite(m.SQLText)
-		if err := s.localDB.DB().Transaction(func(tx *gorm.DB) error {
-			for _, stmt := range statements {
-				if err := tx.Exec(stmt).Error; err != nil {
-					return fmt.Errorf("apply migration %s statement %q: %w", m.ID, stmt, err)
-				}
-			}
-			return nil
-		}); err != nil {
-			return err
-		}
-
-		if err := s.localDB.UpsertRemoteMigrationApplied(m.ID, checksum, appmeta.Version(), time.Now().UTC()); err != nil {
-			return fmt.Errorf("record applied migration %s: %w", m.ID, err)
-		}
-	}
-	return nil
-}
-
-func splitSQLStatementsLite(script string) []string {
-	scanner := bufio.NewScanner(strings.NewReader(script))
-	scanner.Buffer(make([]byte, 1024), 1024*1024)
-
-	lines := make([]string, 0, 64)
-	for scanner.Scan() {
-		line := strings.TrimSpace(scanner.Text())
-		if line == "" || strings.HasPrefix(line, "--") {
-			continue
-		}
-		lines = append(lines, scanner.Text())
-	}
-	combined := strings.Join(lines, "\n")
-	raw := strings.Split(combined, ";")
-	stmts := make([]string, 0, len(raw))
-	for _, stmt := range raw {
-		trimmed := strings.TrimSpace(stmt)
-		if trimmed == "" {
-			continue
-		}
-		stmts = append(stmts, trimmed)
-	}
-	return stmts
-}
-
-func digestSQL(sqlText string) string {
-	hash := sha256.Sum256([]byte(sqlText))
-	return hex.EncodeToString(hash[:])
-}
-
-func compareVersions(left, right string) int {
-	leftParts := normalizeVersionParts(left)
-	rightParts := normalizeVersionParts(right)
-	maxLen := len(leftParts)
-	if len(rightParts) > maxLen {
-		maxLen = len(rightParts)
-	}
-	for i := 0; i < maxLen; i++ {
-		lv := 0
-		rv := 0
-		if i < len(leftParts) {
-			lv = leftParts[i]
-		}
-		if i < len(rightParts) {
-			rv = rightParts[i]
-		}
-		if lv < rv {
-			return -1
-		}
-		if lv > rv {
-			return 1
-		}
-	}
-	return 0
-}
-
 func (s *Service) reportClientSchemaState(mariaDB *gorm.DB, checkedAt time.Time) error {
 	if strings.EqualFold(mariaDB.Dialector.Name(), "sqlite") {
 		return nil
 	}
+	if err := ensureClientSchemaStateTable(mariaDB); err != nil {
+		return err
+	}
 	username := strings.TrimSpace(s.localDB.GetDBUser())
 	if username == "" {
 		return nil
@@ -404,10 +205,6 @@ func (s *Service) reportClientSchemaState(mariaDB *gorm.DB, checkedAt time.Time)
 		hostname = ""
 	}
 	hostname = strings.TrimSpace(hostname)
-	lastMigrationID := ""
-	if id, err := s.localDB.GetLatestAppliedRemoteMigrationID(); err == nil {
-		lastMigrationID = id
-	}
 	lastSyncAt := s.localDB.GetLastSyncTime()
 	lastSyncStatus := ReadinessReady
 	pendingChangesCount := s.localDB.CountPendingChanges()
@@ -420,16 +217,15 @@ func (s *Service) reportClientSchemaState(mariaDB *gorm.DB, checkedAt time.Time)
 	lastSyncErrorCode, lastSyncErrorText := latestSyncErrorState(s.localDB)
 	return mariaDB.Exec(`
 		INSERT INTO qt_client_schema_state (
-			username, hostname, last_applied_migration_id, app_version,
+			username, hostname, app_version,
 			last_sync_at, last_sync_status, pending_changes_count, pending_errors_count,
 			configurations_count, projects_count,
 			estimate_pricelist_version, warehouse_pricelist_version, competitor_pricelist_version,
 			last_sync_error_code, last_sync_error_text,
 			last_checked_at, updated_at
 		)
-		VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)
+		VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)
 		ON DUPLICATE KEY UPDATE
-			last_applied_migration_id = VALUES(last_applied_migration_id),
 			app_version = VALUES(app_version),
 			last_sync_at = VALUES(last_sync_at),
 			last_sync_status = VALUES(last_sync_status),
@@ -444,7 +240,7 @@ func (s *Service) reportClientSchemaState(mariaDB *gorm.DB, checkedAt time.Time)
 			last_sync_error_text = VALUES(last_sync_error_text),
 			last_checked_at = VALUES(last_checked_at),
 			updated_at = VALUES(updated_at)
-	`, username, hostname, lastMigrationID, appmeta.Version(),
+	`, username, hostname, appmeta.Version(),
 		lastSyncAt, lastSyncStatus, pendingChangesCount, pendingErrorsCount,
 		configurationsCount, projectsCount,
 		estimateVersion, warehouseVersion, competitorVersion,
@@ -503,34 +299,6 @@ func optionalString(value string) *string {
 	return &v
 }

-func normalizeVersionParts(v string) []int {
-	trimmed := strings.TrimSpace(v)
-	trimmed = strings.TrimPrefix(trimmed, "v")
-	chunks := strings.Split(trimmed, ".")
-	parts := make([]int, 0, len(chunks))
-	for _, chunk := range chunks {
-		clean := strings.TrimSpace(chunk)
-		if clean == "" {
-			parts = append(parts, 0)
-			continue
-		}
-		n := 0
-		for i := 0; i < len(clean); i++ {
-			if clean[i] < '0' || clean[i] > '9' {
-				clean = clean[:i]
-				break
-			}
-		}
-		if clean != "" {
-			if parsed, err := strconv.Atoi(clean); err == nil {
-				n = parsed
-			}
-		}
-		parts = append(parts, n)
-	}
-	return parts
-}
-
 func toReadinessFromState(state *localdb.LocalSyncGuardState) *SyncReadiness {
 	if state == nil {
 		return nil
--- a/internal/services/sync/service.go
+++ b/internal/services/sync/service.go
@@ -690,6 +690,9 @@ func (s *Service) SyncPricelistItems(localPricelistID uint) (int, error) {
 	for i, item := range serverItems {
 		localItems[i] = *localdb.PricelistItemToLocal(&item, localPricelistID)
 	}
+	if err := s.enrichLocalPricelistItemsWithStock(mariaDB, localItems); err != nil {
+		slog.Warn("pricelist stock enrichment skipped", "pricelist_id", localPricelistID, "error", err)
+	}

 	if err := s.localDB.SaveLocalPricelistItems(localItems); err != nil {
 		return 0, fmt.Errorf("saving local pricelist items: %w", err)
@@ -708,6 +711,111 @@ func (s *Service) SyncPricelistItemsByServerID(serverPricelistID uint) (int, err
 	return s.SyncPricelistItems(localPL.ID)
 }

+func (s *Service) enrichLocalPricelistItemsWithStock(mariaDB *gorm.DB, items []localdb.LocalPricelistItem) error {
+	if len(items) == 0 {
+		return nil
+	}
+
+	bookRepo := repository.NewPartnumberBookRepository(s.localDB.DB())
+	book, err := bookRepo.GetActiveBook()
+	if err != nil || book == nil {
+		return nil
+	}
+
+	bookItems, err := bookRepo.GetBookItems(book.ID)
+	if err != nil {
+		return err
+	}
+	if len(bookItems) == 0 {
+		return nil
+	}
+
+	partnumberToLots := make(map[string][]string, len(bookItems))
+	for _, item := range bookItems {
+		pn := strings.TrimSpace(item.Partnumber)
+		if pn == "" {
+			continue
+		}
+		seenLots := make(map[string]struct{}, len(item.LotsJSON))
+		for _, lot := range item.LotsJSON {
+			lotName := strings.TrimSpace(lot.LotName)
+			if lotName == "" {
+				continue
+			}
+			key := strings.ToLower(lotName)
+			if _, exists := seenLots[key]; exists {
+				continue
+			}
+			seenLots[key] = struct{}{}
+			partnumberToLots[pn] = append(partnumberToLots[pn], lotName)
+		}
+	}
+	if len(partnumberToLots) == 0 {
+		return nil
+	}
+
+	type stockRow struct {
+		Partnumber string   `gorm:"column:partnumber"`
+		Qty        *float64 `gorm:"column:qty"`
+	}
+	rows := make([]stockRow, 0)
+	if err := mariaDB.Raw(`
+		SELECT s.partnumber, s.qty
+		FROM stock_log s
+		INNER JOIN (
+			SELECT partnumber, MAX(date) AS max_date
+			FROM stock_log
+			GROUP BY partnumber
+		) latest ON latest.partnumber = s.partnumber AND latest.max_date = s.date
+		WHERE s.qty IS NOT NULL
+	`).Scan(&rows).Error; err != nil {
+		return err
+	}
+
+	lotTotals := make(map[string]float64, len(items))
+	lotPartnumbers := make(map[string][]string, len(items))
+	seenPartnumbers := make(map[string]map[string]struct{}, len(items))
+
+	for _, row := range rows {
+		pn := strings.TrimSpace(row.Partnumber)
+		if pn == "" || row.Qty == nil {
+			continue
+		}
+		lots := partnumberToLots[pn]
+		if len(lots) == 0 {
+			continue
+		}
+		for _, lotName := range lots {
+			lotTotals[lotName] += *row.Qty
+			if _, ok := seenPartnumbers[lotName]; !ok {
+				seenPartnumbers[lotName] = make(map[string]struct{}, 4)
+			}
+			key := strings.ToLower(pn)
+			if _, exists := seenPartnumbers[lotName][key]; exists {
+				continue
+			}
+			seenPartnumbers[lotName][key] = struct{}{}
+			lotPartnumbers[lotName] = append(lotPartnumbers[lotName], pn)
+		}
+	}
+
+	for i := range items {
+		lotName := strings.TrimSpace(items[i].LotName)
+		if qty, ok := lotTotals[lotName]; ok {
+			qtyCopy := qty
+			items[i].AvailableQty = &qtyCopy
+		}
+		if partnumbers := lotPartnumbers[lotName]; len(partnumbers) > 0 {
+			sort.Slice(partnumbers, func(a, b int) bool {
+				return strings.ToLower(partnumbers[a]) < strings.ToLower(partnumbers[b])
+			})
+			items[i].Partnumbers = append(localdb.LocalStringList{}, partnumbers...)
+		}
+	}
+
+	return nil
+}
+
 // GetLocalPriceForLot returns the price for a lot from a local pricelist
 func (s *Service) GetLocalPriceForLot(localPricelistID uint, lotName string) (float64, error) {
 	return s.localDB.GetLocalPriceForLot(localPricelistID, lotName)
--- a/internal/services/sync/service_pricelist_category_backfill_test.go
+++ b/internal/services/sync/service_pricelist_category_backfill_test.go
@@ -17,7 +17,6 @@ func TestSyncPricelists_BackfillsLotCategoryForUsedPricelistItems(t *testing.T)
 		&models.Pricelist{},
 		&models.PricelistItem{},
 		&models.Lot{},
-		&models.LotPartnumber{},
 		&models.StockLog{},
 	); err != nil {
 		t.Fatalf("migrate server tables: %v", err)
@@ -105,3 +104,102 @@ func TestSyncPricelists_BackfillsLotCategoryForUsedPricelistItems(t *testing.T)
 	}
 }

+func TestSyncPricelistItems_EnrichesStockFromLocalPartnumberBook(t *testing.T) {
+	local := newLocalDBForSyncTest(t)
+	serverDB := newServerDBForSyncTest(t)
+
+	if err := serverDB.AutoMigrate(
+		&models.Pricelist{},
+		&models.PricelistItem{},
+		&models.Lot{},
+		&models.StockLog{},
+	); err != nil {
+		t.Fatalf("migrate server tables: %v", err)
+	}
+
+	serverPL := models.Pricelist{
+		Source:       "warehouse",
+		Version:      "2026-03-07-001",
+		Notification: "server",
+		CreatedBy:    "tester",
+		IsActive:     true,
+		CreatedAt:    time.Now().Add(-1 * time.Hour),
+	}
+	if err := serverDB.Create(&serverPL).Error; err != nil {
+		t.Fatalf("create server pricelist: %v", err)
+	}
+	if err := serverDB.Create(&models.PricelistItem{
+		PricelistID: serverPL.ID,
+		LotName:     "CPU_A",
+		LotCategory: "CPU",
+		Price:       10,
+	}).Error; err != nil {
+		t.Fatalf("create server pricelist item: %v", err)
+	}
+	qty := 7.0
+	if err := serverDB.Create(&models.StockLog{
+		Partnumber: "CPU-PN-1",
+		Date:       time.Now(),
+		Price:      100,
+		Qty:        &qty,
+	}).Error; err != nil {
+		t.Fatalf("create stock log: %v", err)
+	}
+
+	if err := local.SaveLocalPricelist(&localdb.LocalPricelist{
+		ServerID:  serverPL.ID,
+		Source:    serverPL.Source,
+		Version:   serverPL.Version,
+		Name:      serverPL.Notification,
+		CreatedAt: serverPL.CreatedAt,
+		SyncedAt:  time.Now(),
+		IsUsed:    false,
+	}); err != nil {
+		t.Fatalf("seed local pricelist: %v", err)
+	}
+	localPL, err := local.GetLocalPricelistByServerID(serverPL.ID)
+	if err != nil {
+		t.Fatalf("get local pricelist: %v", err)
+	}
+
+	if err := local.DB().Create(&localdb.LocalPartnumberBook{
+		ServerID:        1,
+		Version:         "2026-03-07-001",
+		CreatedAt:       time.Now(),
+		IsActive:        true,
+		PartnumbersJSON: localdb.LocalStringList{"CPU-PN-1"},
+	}).Error; err != nil {
+		t.Fatalf("create local partnumber book: %v", err)
+	}
+	if err := local.DB().Create(&localdb.LocalPartnumberBookItem{
+		Partnumber: "CPU-PN-1",
+		LotsJSON: localdb.LocalPartnumberBookLots{
+			{LotName: "CPU_A", Qty: 1},
+		},
+		Description: "CPU PN",
+	}).Error; err != nil {
+		t.Fatalf("create local partnumber book item: %v", err)
+	}
+
+	svc := syncsvc.NewServiceWithDB(serverDB, local)
+	if _, err := svc.SyncPricelistItems(localPL.ID); err != nil {
+		t.Fatalf("sync pricelist items: %v", err)
+	}
+
+	items, err := local.GetLocalPricelistItems(localPL.ID)
+	if err != nil {
+		t.Fatalf("load local items: %v", err)
+	}
+	if len(items) != 1 {
+		t.Fatalf("expected 1 local item, got %d", len(items))
+	}
+	if items[0].AvailableQty == nil {
+		t.Fatalf("expected available_qty to be set")
+	}
+	if *items[0].AvailableQty != 7 {
+		t.Fatalf("expected available_qty=7, got %v", *items[0].AvailableQty)
+	}
+	if len(items[0].Partnumbers) != 1 || items[0].Partnumbers[0] != "CPU-PN-1" {
+		t.Fatalf("expected partnumbers [CPU-PN-1], got %v", items[0].Partnumbers)
+	}
+}
--- a/internal/services/vendor_spec_resolver.go
+++ b/internal/services/vendor_spec_resolver.go
@@ -3,6 +3,7 @@ package services
 import (
 	"git.mchus.pro/mchus/quoteforge/internal/localdb"
 	"git.mchus.pro/mchus/quoteforge/internal/repository"
+	"math"
 )

 // ResolvedBOMRow is the result of resolving a single vendor BOM row.
@@ -47,7 +48,19 @@ func (r *VendorSpecResolver) Resolve(items []localdb.VendorSpecItem) ([]localdb.
 		// Step 1: Look up in active book
 		matches, err := r.bookRepo.FindLotByPartnumber(book.ID, pn)
 		if err == nil && len(matches) > 0 {
-			items[i].ResolvedLotName = matches[0].LotName
+			items[i].LotMappings = make([]localdb.VendorSpecLotMapping, 0, len(matches[0].LotsJSON))
+			for _, lot := range matches[0].LotsJSON {
+				if lot.LotName == "" {
+					continue
+				}
+				items[i].LotMappings = append(items[i].LotMappings, localdb.VendorSpecLotMapping{
+					LotName:       lot.LotName,
+					QuantityPerPN: lotQtyToInt(lot.Qty),
+				})
+			}
+			if len(items[i].LotMappings) > 0 {
+				items[i].ResolvedLotName = items[i].LotMappings[0].LotName
+			}
 			items[i].ResolutionSource = "book"
 			continue
 		}
@@ -67,13 +80,9 @@ func (r *VendorSpecResolver) Resolve(items []localdb.VendorSpecItem) ([]localdb.
 	return items, nil
 }

-// AggregateLOTs applies the qty-logic to compute per-LOT quantities from the resolved BOM.
-// qty(lot) = SUM(qty of primary PN rows for this lot) if any primary PN exists, else 1.
+// AggregateLOTs applies qty from the resolved PN composition stored in lots_json.
 func AggregateLOTs(items []localdb.VendorSpecItem, book *localdb.LocalPartnumberBook, bookRepo *repository.PartnumberBookRepository) ([]AggregatedLOT, error) {
-	// Gather all unique lot names that resolved
-	lotPrimary := make(map[string]int)     // lot_name → sum of primary PN quantities
-	lotAny := make(map[string]bool)        // lot_name → seen at least once (non-primary)
-	lotHasPrimary := make(map[string]bool) // lot_name → has at least one primary PN in spec
+	lotTotals := make(map[string]int)

 	if book != nil {
 		for _, item := range items {
@@ -83,21 +92,17 @@ func AggregateLOTs(items []localdb.VendorSpecItem, book *localdb.LocalPartnumber
 			lot := item.ResolvedLotName
 			pn := item.VendorPartnumber

-			// Find if this pn is primary for its lot
 			matches, err := bookRepo.FindLotByPartnumber(book.ID, pn)
 			if err != nil || len(matches) == 0 {
-				// manual/unresolved — treat as non-primary
-				lotAny[lot] = true
+				lotTotals[lot] += item.Quantity
 				continue
 			}
 			for _, m := range matches {
-				if m.LotName == lot {
-					if m.IsPrimaryPN {
-						lotPrimary[lot] += item.Quantity
-						lotHasPrimary[lot] = true
-					} else {
-						lotAny[lot] = true
+				for _, mappedLot := range m.LotsJSON {
+					if mappedLot.LotName != lot {
+						continue
 					}
+					lotTotals[lot] += item.Quantity * lotQtyToInt(mappedLot.Qty)
 				}
 			}
 		}
@@ -105,7 +110,7 @@ func AggregateLOTs(items []localdb.VendorSpecItem, book *localdb.LocalPartnumber
 		// No book: all resolved rows contribute qty=1 per lot
 		for _, item := range items {
 			if item.ResolvedLotName != "" {
-				lotAny[item.ResolvedLotName] = true
+				lotTotals[item.ResolvedLotName] += item.Quantity
 			}
 		}
 	}
@@ -119,11 +124,18 @@ func AggregateLOTs(items []localdb.VendorSpecItem, book *localdb.LocalPartnumber
 			continue
 		}
 		seen[lot] = true
-		qty := 1
-		if lotHasPrimary[lot] {
-			qty = lotPrimary[lot]
+		qty := lotTotals[lot]
+		if qty < 1 {
+			qty = 1
 		}
 		result = append(result, AggregatedLOT{LotName: lot, Quantity: qty})
 	}
 	return result, nil
 }
+
+func lotQtyToInt(qty float64) int {
+	if qty < 1 {
+		return 1
+	}
+	return int(math.Round(qty))
+}
--- a/internal/services/vendor_workspace_import_test.go
+++ b/internal/services/vendor_workspace_import_test.go
@@ -231,20 +231,17 @@ func TestImportVendorWorkspaceToProject_AutoResolvesAndAppliesEstimate(t *testin

 	bookRepo := local.DB()
 	if err := bookRepo.Create(&localdb.LocalPartnumberBook{
-		ServerID:  501,
-		Version:   "B-1",
-		CreatedAt: time.Now(),
-		IsActive:  true,
+		ServerID:        501,
+		Version:         "B-1",
+		CreatedAt:       time.Now(),
+		IsActive:        true,
+		PartnumbersJSON: localdb.LocalStringList{"CPU-1", "LIC-1"},
 	}).Error; err != nil {
 		t.Fatalf("save active book: %v", err)
 	}
-	var book localdb.LocalPartnumberBook
-	if err := bookRepo.Where("server_id = ?", 501).First(&book).Error; err != nil {
-		t.Fatalf("load active book: %v", err)
-	}
 	if err := bookRepo.Create([]localdb.LocalPartnumberBookItem{
-		{BookID: book.ID, Partnumber: "CPU-1", LotName: "CPU_INTEL_6747P", IsPrimaryPN: true},
-		{BookID: book.ID, Partnumber: "LIC-1", LotName: "LICENSE_XCC", IsPrimaryPN: true},
+		{Partnumber: "CPU-1", LotsJSON: localdb.LocalPartnumberBookLots{{LotName: "CPU_INTEL_6747P", Qty: 1}}},
+		{Partnumber: "LIC-1", LotsJSON: localdb.LocalPartnumberBookLots{{LotName: "LICENSE_XCC", Qty: 1}}},
 	}).Error; err != nil {
 		t.Fatalf("save book items: %v", err)
 	}