- enrich_apply now imports audit_seal_router.audit_log and writes a sys_audit
row after every successful UPDATE: action='enrich.apply', target_type=kind,
target_id=eid, payload={applied: {...}, sources: [...]}, user from headers.
- Other modules (cc2 users, cc4 invoices/putni_nalozi, cc5 clanarine/lijecnicki/
obrasci) can call the same helper:
from audit_seal_router import audit_log
audit_log(action='users.update', target_type='users', target_id=u['id'],
payload={'changed':[...]}, user_email=actor)
- Verified: real apply on klub 4528 produced sys_audit id 102.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
The bare @app.get/post('/api/admin/users') decorators in pgz_sport_api.py
were registered before app.include_router(admin_users_router) and shadowed
the JWT-protected M2 routes, leaking user list to anyone.
Removed all three: GET /api/admin/users, POST /api/admin/users,
POST /api/admin/users/{uid}/toggle. The auth.admin_users router now owns
this prefix exclusively and gates every method with require_user.
Verified: no-auth → 401, invalid token → 401, valid Bearer → 200.
- erp/putni_nalozi.py: FastAPI router /api/erp/putni-nalog
- GET /preview: live obračun dnevnica + kilometrine za UI
- POST /putni-nalog: kreiraj (draft) iz UI forme (voditelj, putnici, od→do, km)
- PUT /putni-nalog/{id}: izmjena s recompute dnevnica
- POST /putni-nalog/{id}/odobriti: status=odobren
- POST /putni-nalog/{id}/zatvori: linkanje računa (invoice_ids), končan obračun
- HR 2025: domaće 30 € (>8h), 15 € (5–8h), 0 € (<5h); inozemne po zemlji (NN tablica)
- km × 0.50 €/km (neoporezivi limit 2025)
- Live test: Rijeka→Zagreb 3 dana = 3 dnevnice × 30 € + 380 km × 0.50 € = 280 € prije računa, 455 € sa hotelom+meals
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
claude-cc1