chore:update docs (#295)

Author: y4nder

docs/ROADMAP.md

@@ -1,20 +1,20 @@
 # Roadmap: api.faculytics
 
-This roadmap tracks the implementation status of the `api.faculytics` backend against the product direction. It reflects the checked-in `develop` branch as of 2026-03-31.
+This roadmap tracks the implementation status of the `api.faculytics` backend against the product direction. It reflects the checked-in `develop` branch as of 2026-04-12.
 
 ## Project Vision
 
 Provide a robust, analytics-driven bridge between Moodle learning environments and institutional assessment workflows, enabling data-informed decisions through synchronized academic data, asynchronous AI enrichment, and structured feedback collection from direct submissions and file-based ingestion.
 
 ## Status Snapshot
 
-| Phase                                         | Status          | Notes                                                                                                                              |
-| --------------------------------------------- | --------------- | ---------------------------------------------------------------------------------------------------------------------------------- |
-| Phase 1. Foundation & Core Synchronization    | Complete        | Core auth, Moodle sync, hydration, scheduling, and resilience are in place.                                                        |
-| Phase 2. Questionnaire & Ingestion Engine     | Mostly complete | Questionnaire management, draft/submit flows, and CSV ingestion are live; self-serve file mapping is still pending.                |
-| Phase 3. AI & Inference Pipeline              | Mostly complete | End-to-end pipeline is shipped; production worker rollout and operator monitoring remain open.                                     |
-| Phase 4. Analytics & Reporting Infrastructure | In progress     | Materialized-view analytics, faculty reports, and PDF export are live; Excel export and long-term analytics scaling remain open.   |
-| Phase 5. Governance & Ecosystem               | In progress     | Scoped access, admin tooling, and audit logging are implemented; finer-grained permissions and ecosystem integrations remain open. |
+| Phase                                         | Status          | Notes                                                                                                                                                     |
+| --------------------------------------------- | --------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| Phase 1. Foundation & Core Synchronization    | Complete        | Core auth, Moodle sync, hydration, scheduling, and resilience are in place.                                                                               |
+| Phase 2. Questionnaire & Ingestion Engine     | Mostly complete | Questionnaire management, draft/submit flows, and CSV ingestion are live; self-serve file mapping is still pending.                                       |
+| Phase 3. AI & Inference Pipeline              | Mostly complete | End-to-end pipeline is shipped; production worker rollout and operator monitoring remain open.                                                            |
+| Phase 4. Analytics & Reporting Infrastructure | In progress     | Materialized-view analytics, faculty reports, and PDF export are live; Excel export and long-term analytics scaling remain open.                          |
+| Phase 5. Governance & Ecosystem               | In progress     | Scoped access, admin tooling, audit logging, and audit query endpoints are implemented; finer-grained permissions and ecosystem integrations remain open. |
 
 Cross-cutting platform capabilities already present in the codebase but not treated as separate roadmap phases include Redis-backed caching and throttling, structured health checks, request-scoped CLS metadata, and the authenticated `ChatKit` endpoint.
 
@@ -28,7 +28,8 @@ Cross-cutting platform capabilities already present in the codebase but not trea
 - [x] **Institutional Hierarchy Sync:** Campuses, semesters, departments, programs, courses, and enrollments are mirrored from Moodle.
 - [x] **Per-User Hydration on Login:** Moodle logins refresh the user's courses, enrollments, sections, and institutional roles.
 - [x] **Section Sync from Moodle Groups:** Course groups are materialized locally as `Section` and attached to enrollments.
-- [x] **Institutional Authority Mapping:** Dean and chairperson scope is derived from Moodle category structure, with support for manual dean assignment.
+- [x] **Institutional Authority Mapping:** Dean and chairperson scope is derived from Moodle category structure, with support for manual dean assignment and a server-resolved dean-eligibility lookup for the admin UI.
+- [x] **User Scope & Role Backfill During Sync:** Enrollment sync now populates `user.campus/program/department` and derives `user.roles` from enrollments + institutional roles (protecting manually granted `SUPER_ADMIN`/`ADMIN`) as explicit post-enrollment phases.
 - [x] **Dynamic Sync Scheduling & SyncLog Observability:** Sync cadence is runtime-configurable and every run is recorded with per-phase metrics.
 - [x] **Semester Label Enrichment:** Moodle semester codes are parsed into display labels and academic year metadata.
 - [x] **Moodle Connectivity Resilience (FAC-33):** 10-second request timeouts and connectivity-specific failures prevent hanging auth and sync paths.
@@ -38,7 +39,7 @@ Cross-cutting platform capabilities already present in the codebase but not trea
 
 - [x] **Recursive Schema Validation:** Questionnaire schemas enforce leaf-only questions and exact weight totals.
 - [x] **Dimension Registry & Admin API:** Canonical dimensions are seeded and can be managed through the dimensions module.
-- [x] **Questionnaire Lifecycle Management:** Questionnaires support creation, update, archive, publish, deprecate, and version detail flows.
+- [x] **Questionnaire Lifecycle Management:** Questionnaires support creation, update, archive, publish, deprecate, version detail, and version-from-template flows (draft seeded from any prior published version).
 - [x] **Institutional Snapshotting:** Submissions persist faculty, department, program, campus, and semester snapshots for historical stability.
 - [x] **Draft Save/Resume Flow:** Respondents can save, retrieve, list, and delete drafts before final submission.
 - [x] **Submission & Scoring:** Finalized submissions validate answers, compute normalized scores, and enforce duplicate-submission rules.
@@ -56,7 +57,8 @@ Cross-cutting platform capabilities already present in the codebase but not trea
 - [x] **Topic Modeling (FAC-46):** Topic discovery persists assignments, keywords, and run provenance.
 - [x] **Topic Labeling:** Topic clusters are labeled before recommendation generation.
 - [x] **Embedding Generation (FAC-46):** pgvector-backed embeddings are stored and upserted per submission.
-- [x] **Recommendations Engine v2 (FAC-55):** Recommendations are generated directly via OpenAI with structured output, confidence, and supporting evidence.
+- [x] **Recommendations Engine v2 (FAC-55):** Recommendations are generated directly via OpenAI with structured output, confidence, and pipeline-scoped supporting evidence (topic counts narrowed to the pipeline's `submissionIds`, preventing cross-faculty leakage).
+- [x] **LLM Worker Hardening:** Sentiment processor pins responses to the dispatched `submissionId` set, drops hallucinated IDs with observability logs, and terminally fails the stage when a batch is 100% hallucinated (retrying the LLM is counter-productive).
 - [x] **Worker Contracts & Inference Versioning:** Zod-validated contracts and version fields exist across pipeline runs.
 - [x] **Local Worker Simulation:** `mock-worker/` supports local development without deployed inference workers.
 - [ ] **RunPod / Production Worker Rollout:** Sentiment and topic-model stages still need production endpoint deployment and cutover.
@@ -81,9 +83,10 @@ Cross-cutting platform capabilities already present in the codebase but not trea
 - [x] **Scoped Dean/Chairperson Access:** `ScopeResolverService` restricts analytics, curriculum, and faculty queries to authorized departments and programs.
 - [x] **Institutional Role Administration:** Super admins can assign and remove manual dean/chairperson roles through admin endpoints.
 - [x] **Admin Directory APIs:** Super-admin endpoints support user listing, filtering, and institutional role management workflows.
-- [x] **Append-Only Audit Trail:** Auth, sync, questionnaire, and analysis actions are captured through the global audit pipeline.
+- [x] **Append-Only Audit Trail:** Auth, sync, questionnaire, analysis, and Moodle provisioning actions are captured through the global audit pipeline.
+- [x] **Audit Review Surface:** `GET /audit-logs` and `GET /audit-logs/:id` expose filterable, paginated audit queries (super-admin only) with stable ordering and LIKE-pattern sanitization.
+- [x] **Moodle Seeding Toolkit:** API-native provisioning of categories, bulk/quick courses, and fake users replaces the external Rust CLI, with live Moodle tree inspection and cascading admin filters.
 - [ ] **Fine-Grained Permission Model:** Access control is still role-centric rather than permission-centric.
-- [ ] **Audit Review Surface:** The write path exists, but there are no audit query/reporting endpoints for operators yet.
 - [ ] **Notification Engine:** Automated reminders and outbound notifications are still pending.
 - [ ] **External SIS Integration:** Moodle remains the only production integration surface for institutional data.
 

docs/architecture/ai-inference-pipeline.md

@@ -119,6 +119,19 @@ The recommendations stage does **not** use the batch message contract — see [R
 
 See `docs/worker-contracts/` for full per-worker contracts.
 
+### Dispatch-Set Pinning (LLM Workers)
+
+Zod validates the **shape** of a worker response but cannot validate that the `submissionId` keys actually correspond to rows the API dispatched. For LLM-backed workers this matters: under some prompts the model hallucinates UUIDs that don't exist in the dispatched batch, and persisting them causes PostgreSQL FK violations that abort the whole batch transaction — losing even the valid results.
+
+`SentimentProcessor.Persist()` pins the response against a dispatch set:
+
+1. Build `dispatchedIds = new Set(job.data.items.map(i => i.submissionId))` before any DB work.
+2. Drop every result whose `submissionId` is not in `dispatchedIds`. Log `warn "Dropped X of Y sentiment results for run {runId} (unknown submissionIds)"` whenever the drop count is non-zero.
+3. If **all** results are dropped, call `orchestrator.OnStageFailed(pipelineId, 'sentiment_analysis', ...)` and return. Retry is not useful — more LLM calls will produce more hallucinations.
+4. The pre-existing `sentimentResultItemSchema.safeParse` loop still runs on the filtered set as a second validation layer.
+
+Treat any new LLM-backed processor under `BaseAnalysisProcessor` as needing the same pattern. See [Decision #41 — LLM-Backed Worker Dispatch-Set Pinning](../decisions/decisions.md#41-llm-backed-worker-dispatch-set-pinning).
+
 ## 4. Sentiment Gate
 
 Between sentiment analysis and topic modeling, a **sentiment gate** filters the corpus:
@@ -292,6 +305,8 @@ Each `RecommendedAction` stores a `supportingEvidence` JSONB column with:
 - **Confidence level:** HIGH / MEDIUM / LOW
 - **basedOnSubmissions:** Total comment count in scope
 
+> **Pipeline-scoped counts.** `TopicSource.commentCount` is derived from `TopicAssignment` rows filtered by **both** `topic.id IN (...)` and `submission.id IN (pipelineSubmissionIds)` — **not** from the `Topic.docCount` column. `Topic` is a shared entity: multiple pipelines across different faculty can produce assignments against the same topic, and `docCount` is a global counter over all of them. Scoping by `submissionIds` prevents cross-faculty evidence leakage and makes `confidenceLevel` reflect the current pipeline's evidence rather than the topic's global activity. Any future consumer of topic-derived evidence must apply the same scoping.
+
 ### Output Schema
 
 Actions follow the `RecommendedActionItem` schema:

docs/architecture/analytics.md

@@ -81,9 +81,11 @@ All endpoints require `DEAN` or `SUPER_ADMIN` role. Dean scope is enforced via `
 | Method | Path                   | Query Params                           | Description                                       |
 | ------ | ---------------------- | -------------------------------------- | ------------------------------------------------- |
 | GET    | `/analytics/overview`  | `semesterId` (required), `programCode` | Department overview with per-faculty stats        |
-| GET    | `/analytics/attention` | `semesterId` (required)                | Faculty flagged for review with attention flags   |
+| GET    | `/analytics/attention` | `semesterId` (required), `programCode` | Faculty flagged for review with attention flags   |
 | GET    | `/analytics/trends`    | `semesterId`, `minSemesters`, `minR2`  | Faculty trend data with linear regression results |
 
+`programCode` on both `overview` and `attention` is trimmed, required non-empty, and capped at 20 characters.
+
 ### Department Overview (`/analytics/overview`)
 
 Returns per-faculty stats for a semester with computed fields:
@@ -116,3 +118,15 @@ Falls back to the latest semester for scope resolution when `semesterId` is omit
 ## Scope Resolution
 
 Unlike `FacultyModule` and `CurriculumModule` which resolve to department UUIDs, the `AnalyticsService` resolves to **department codes** (via `ResolveDepartmentCodes()`). This is because the materialized views use `department_code_snapshot` (a string snapshot from submission time) rather than foreign key references to the live department table.
+
+### Program-Level Scope Check
+
+When callers pass `programCode` on `overview` or `attention`, the service validates it against `ScopeResolverService.ResolveProgramCodes(semesterId)`:
+
+- `null` (super admin / dean) — any `programCode` accepted.
+- `string[]` (chairperson) — `programCode` must be in the list.
+- Out-of-scope requests **do not 403**. They short-circuit and return a well-formed empty payload with `lastRefreshedAt` populated.
+
+The silent short-circuit avoids leaking existence information (a 403 tells the caller "that program exists but you can't see it"; an empty result does not). Chairpersons already cannot enumerate programs outside their scope via `/curriculum/programs` — that endpoint applies the same `ResolveProgramIds` filter.
+
+`GetAttentionList` adds `AND program_code_snapshot = ?` to the `mv_faculty_semester_stats` source of the consistency-gap and skipped-signals subqueries. The trend-based signal joins `mv_faculty_trends` against `mv_faculty_semester_stats` on `(faculty_id, department_code_snapshot)` so trend rows can be filtered by the per-semester program snapshot — trend rows are not scoped to a single program by themselves.

docs/architecture/audit-trail.md

@@ -49,7 +49,7 @@ Append-only, immutable. Does **not** extend `CustomBaseEntity` (no `updatedAt`,
 
 Queries must use `filters: { softDelete: false }` to bypass the global soft-delete filter.
 
-## MVP Actions
+## Action Codes
 
 ```typescript
 export const AuditAction = {
@@ -65,9 +65,16 @@ export const AuditAction = {
   ANALYSIS_PIPELINE_CREATE: 'analysis.pipeline.create',
   ANALYSIS_PIPELINE_CONFIRM: 'analysis.pipeline.confirm',
   ANALYSIS_PIPELINE_CANCEL: 'analysis.pipeline.cancel',
+  MOODLE_PROVISION_CATEGORIES: 'moodle.provision.categories',
+  MOODLE_PROVISION_COURSES: 'moodle.provision.courses',
+  MOODLE_PROVISION_QUICK_COURSE: 'moodle.provision.quick-course',
+  MOODLE_PROVISION_USERS: 'moodle.provision.users',
+  MOODLE_BULK_PROVISION_COURSES: 'moodle.provision.bulk-courses',
 } as const;
 ```
 
+The `moodle.provision.*` actions are emitted by the Moodle seeding toolkit — see [Moodle Provisioning](../moodle/provisioning.md).
+
 ## Interceptor Path Detail
 
 Endpoints are tagged with the `@Audited({ action, resource? })` decorator, which sets Reflector metadata. The `AuditInterceptor` reads this metadata and, on successful response (RxJS `tap`, not `finalize`), enqueues an audit event.
@@ -115,3 +122,55 @@ Audit failures never break the request:
 1. `AuditService.Emit()` wraps `queue.add()` in try/catch — logs a warning, returns void.
 2. `AuditInterceptor` wraps the entire `tap` callback in try/catch — errors are logged, never propagated.
 3. The `.catch()` on the `Emit()` promise handles async rejections.
+
+## Query API
+
+`AuditController` exposes read-only query endpoints for operators. All routes require `SUPER_ADMIN` — any other role receives `403 Forbidden`.
+
+| Method | Path              | Description                                      |
+| ------ | ----------------- | ------------------------------------------------ |
+| GET    | `/audit-logs`     | Paginated, filterable list of audit records      |
+| GET    | `/audit-logs/:id` | Fetch a single record by UUID (`404` if missing) |
+
+### List Filters (`ListAuditLogsQueryDto`)
+
+| Field            | Match type                                                     | Notes                                              |
+| ---------------- | -------------------------------------------------------------- | -------------------------------------------------- |
+| `action`         | Exact                                                          | e.g., `auth.login.success`                         |
+| `actorId`        | Exact (UUID)                                                   |                                                    |
+| `actorUsername`  | Case-insensitive partial (`$ilike %value%`)                    | Trimmed; `%`, `_`, `\` are escaped before matching |
+| `resourceType`   | Exact                                                          | e.g., `User`, `AnalysisPipeline`                   |
+| `resourceId`     | Exact                                                          |                                                    |
+| `from` / `to`    | Inclusive range on `occurredAt`                                | ISO 8601 date strings                              |
+| `search`         | OR `$ilike` across `actorUsername` / `action` / `resourceType` | Same escape rules                                  |
+| `page` / `limit` | Inherited from `PaginationQueryDto`                            | Defaults `page=1`, `limit=10`; `limit` max `100`   |
+
+Explicit filters are combined with AND; `search` is always wrapped in its own `$or` so operators can express "admin login in January" by combining `search=login` with `from/to`.
+
+### Ordering & Pagination
+
+Results are ordered `occurredAt DESC, id DESC`. The secondary sort on `id` is load-bearing: audit writes land at sub-millisecond precision, so ordering by `occurredAt` alone would yield non-deterministic paging for bursty activity (logins, sync kickoff).
+
+`findAndCount` is issued with `filters: { softDelete: false }` — belt-and-suspenders, since the entity does not extend `CustomBaseEntity` and cannot be soft-deleted today.
+
+### Response Shapes
+
+```ts
+// GET /audit-logs
+{
+  data: AuditLogItemResponseDto[],
+  meta: {
+    totalItems: number,
+    itemCount: number,
+    itemsPerPage: number,
+    totalPages: number,
+    currentPage: number,
+  },
+}
+```
+
+`AuditLogItemResponseDto` and `AuditLogDetailResponseDto` currently share the same shape (`id`, `action`, `actorId?`, `actorUsername?`, `resourceType?`, `resourceId?`, `metadata?`, `browserName?`, `os?`, `ipAddress?`, `occurredAt`). They are kept as separate DTOs on purpose: the list view may later strip heavy fields (`metadata`, `ipAddress`) for bandwidth/privacy without breaking the single-record contract.
+
+### LIKE-Pattern Escaping
+
+User-supplied strings are trimmed and sanitized before being wrapped in `%…%`. `%`, `_`, and `\` are replaced with their backslash-escaped variants so that a username containing `%` cannot silently widen the match to every row.