Feat/shadcn layout theme overhaul (#2)

* chore: harden env secrets and docker health checks

* feat: implement recruitment API and hooks for job postings and applications

- Added recruitment API functions for job postings: get, create, update, and delete.
- Implemented hooks for managing job postings and applications using React Query.
- Enhanced Admin Settings page with improved layout and accessibility features.
- Updated Audit Trail page with better styling and responsive design.
- Introduced new types for leave and attendance management.
- Enhanced Tailwind CSS configuration with theme tokens and improved dark mode support.
- Updated TypeScript configuration for better path resolution.
- Integrated shadcn components and improved sidebar navigation experience.
- Fixed layout stability issues and ensured consistent dark mode appearance.

Author: denmark0128

backend/app/audit/models.py

@@ -1,11 +1,15 @@
-from datetime import datetime
+from datetime import UTC, datetime
 
 from sqlalchemy import DateTime, ForeignKey, Integer, String, Text
 from sqlalchemy.orm import Mapped, mapped_column
 
 from app.database import Base
 
 
+def _utcnow() -> datetime:
+    return datetime.now(UTC)
+
+
 class AuditLog(Base):
     __tablename__ = "audit_logs"
 
@@ -16,4 +20,4 @@ class AuditLog(Base):
     entity_type: Mapped[str] = mapped_column(String(120), nullable=False, index=True)
     entity_id: Mapped[str | None] = mapped_column(String(120), nullable=True, index=True)
     details: Mapped[str | None] = mapped_column(Text, nullable=True)
-    created_at: Mapped[datetime] = mapped_column(DateTime, nullable=False, default=datetime.utcnow, index=True)
+    created_at: Mapped[datetime] = mapped_column(DateTime, nullable=False, default=_utcnow, index=True)

backend/app/auth/router.py

@@ -5,6 +5,7 @@
 from app.auth.models import User, UserRole
 from app.auth.schemas import AuthTokenPayload, AuthUserResponse, ChangePasswordRequest, LoginRequest, RegisterRequest, SignupRequest, UpdateProfileRequest
 from app.auth.service import authenticate_user, change_user_password, create_access_token, create_signup_user, create_user, update_user_profile
+from app.config import settings
 from app.dependencies import get_current_user, get_db, require_roles
 from app.utils.responses import success_response
 
@@ -64,12 +65,13 @@ def login(payload: LoginRequest, response: Response, db: Session = Depends(get_d
         actor=user,
     )
 
+    is_production = settings.app_env.lower() == "production"
     response.set_cookie(
         key="access_token",
         value=access_token,
         httponly=True,
-        secure=False,
-        samesite="lax",
+        secure=is_production,
+        samesite="strict" if is_production else "lax",
     )
 
     token_payload = AuthTokenPayload(

backend/app/auth/schemas.py

@@ -1,8 +1,20 @@
-from pydantic import BaseModel, EmailStr
+from pydantic import BaseModel, EmailStr, field_validator
 
 from app.auth.models import UserRole
 
 
+def _validate_password_strength(value: str) -> str:
+    if len(value) < 8:
+        raise ValueError("Password must be at least 8 characters")
+    if not any(c.isupper() for c in value):
+        raise ValueError("Password must contain at least one uppercase letter")
+    if not any(c.islower() for c in value):
+        raise ValueError("Password must contain at least one lowercase letter")
+    if not any(c.isdigit() for c in value):
+        raise ValueError("Password must contain at least one digit")
+    return value
+
+
 class LoginRequest(BaseModel):
     email: EmailStr
     password: str
@@ -14,13 +26,23 @@ class RegisterRequest(BaseModel):
     password: str
     role: UserRole = UserRole.employee
 
+    @field_validator("password")
+    @classmethod
+    def password_strength(cls, v: str) -> str:
+        return _validate_password_strength(v)
+
 
 class SignupRequest(BaseModel):
     email: EmailStr
     full_name: str
     password: str
     department: str
 
+    @field_validator("password")
+    @classmethod
+    def password_strength(cls, v: str) -> str:
+        return _validate_password_strength(v)
+
 
 class AuthUserResponse(BaseModel):
     id: int
@@ -52,3 +74,8 @@ class UpdateProfileRequest(BaseModel):
 class ChangePasswordRequest(BaseModel):
     current_password: str
     new_password: str
+
+    @field_validator("new_password")
+    @classmethod
+    def password_strength(cls, v: str) -> str:
+        return _validate_password_strength(v)

backend/app/config.py

@@ -37,7 +37,11 @@ def validate_security_settings(self) -> "Settings":
             raise ValueError("DEFAULT_ADMIN_PASSWORD and DEFAULT_HR_PASSWORD must be different in production")
         return self
 
-    model_config = SettingsConfigDict(env_file=".env", env_file_encoding="utf-8", extra="ignore")
+    model_config = SettingsConfigDict(
+        env_file=(".env", "backend/.env"),
+        env_file_encoding="utf-8",
+        extra="ignore",
+    )
 
 
 settings = Settings()

backend/app/employees/router.py

@@ -1,4 +1,4 @@
-from fastapi import APIRouter, Depends, status
+from fastapi import APIRouter, Depends, Query, status
 from sqlalchemy.orm import Session
 
 from app.audit.service import create_audit_log
@@ -46,10 +46,18 @@ def create_employee_endpoint(
 
 @router.get("/")
 def list_employees_endpoint(
+    skip: int = Query(default=0, ge=0),
+    limit: int = Query(default=50, ge=1, le=200),
+    search: str | None = None,
+    department: str | None = None,
+    employment_status: str | None = None,
     db: Session = Depends(get_db),
     _: User = Depends(require_roles(UserRole.admin, UserRole.hr_manager, UserRole.employee)),
 ):
-    employees = list_employees(db)
+    employees, total = list_employees(
+        db, skip=skip, limit=limit, search=search,
+        department=department, employment_status=employment_status,
+    )
     user_ids = [item.user_id for item in employees if item.user_id is not None]
     users_by_id = {
         item.id: item
@@ -63,7 +71,7 @@ def list_employees_endpoint(
         )
         for item in employees
     ]
-    return success_response("Employees fetched successfully", data)
+    return success_response("Employees fetched successfully", {"items": data, "total": total})
 
 
 @router.get("/{employee_id}")

backend/app/employees/schemas.py

@@ -1,6 +1,6 @@
 from decimal import Decimal
 
-from pydantic import BaseModel, Field
+from pydantic import BaseModel, ConfigDict, Field
 
 from app.employees.models import EmploymentType, RateType
 
@@ -62,5 +62,4 @@ class EmployeeResponse(EmployeeBase):
     city: str | None = None
     region: str | None = None
 
-    class Config:
-        from_attributes = True
+    model_config = ConfigDict(from_attributes=True)

backend/app/employees/service.py

@@ -17,8 +17,30 @@ def create_employee(db: Session, payload: EmployeeCreate) -> Employee:
     return employee
 
 
-def list_employees(db: Session) -> list[Employee]:
-    return db.query(Employee).order_by(Employee.id.desc()).all()
+def list_employees(
+    db: Session,
+    *,
+    skip: int = 0,
+    limit: int = 50,
+    search: str | None = None,
+    department: str | None = None,
+    employment_status: str | None = None,
+) -> tuple[list[Employee], int]:
+    query = db.query(Employee)
+
+    if search:
+        term = f"%{search}%"
+        query = query.filter(
+            (Employee.profile_name.ilike(term)) | (Employee.employee_code.ilike(term))
+        )
+    if department:
+        query = query.filter(Employee.department == department)
+    if employment_status:
+        query = query.filter(Employee.employment_status == employment_status)
+
+    total = query.count()
+    items = query.order_by(Employee.id.desc()).offset(skip).limit(limit).all()
+    return items, total
 
 
 def get_employee(db: Session, employee_id: int) -> Employee:

backend/app/leave/models.py

@@ -1,11 +1,49 @@
-from datetime import datetime
+import enum
+from datetime import UTC, datetime
 
-from sqlalchemy import DateTime, ForeignKey, Integer, String, UniqueConstraint
+from sqlalchemy import Date, DateTime, Enum, ForeignKey, Integer, String, Text, UniqueConstraint
 from sqlalchemy.orm import Mapped, mapped_column
 
 from app.database import Base
 
 
+def _utcnow() -> datetime:
+	return datetime.now(UTC)
+
+
+class LeaveType(str, enum.Enum):
+	vacation = "vacation"
+	sick = "sick"
+	personal = "personal"
+	maternity = "maternity"
+	paternity = "paternity"
+	bereavement = "bereavement"
+	unpaid = "unpaid"
+
+
+class LeaveStatus(str, enum.Enum):
+	pending = "pending"
+	approved = "approved"
+	rejected = "rejected"
+	cancelled = "cancelled"
+
+
+class LeaveRequest(Base):
+	__tablename__ = "leave_requests"
+
+	id: Mapped[int] = mapped_column(Integer, primary_key=True, index=True)
+	employee_id: Mapped[int] = mapped_column(ForeignKey("employees.id"), nullable=False, index=True)
+	leave_type: Mapped[LeaveType] = mapped_column(Enum(LeaveType), nullable=False)
+	start_date: Mapped[str] = mapped_column(String(20), nullable=False)
+	end_date: Mapped[str] = mapped_column(String(20), nullable=False)
+	reason: Mapped[str | None] = mapped_column(Text, nullable=True)
+	status: Mapped[LeaveStatus] = mapped_column(Enum(LeaveStatus), nullable=False, default=LeaveStatus.pending)
+	reviewer_id: Mapped[int | None] = mapped_column(ForeignKey("users.id"), nullable=True)
+	review_note: Mapped[str | None] = mapped_column(Text, nullable=True)
+	created_at: Mapped[datetime] = mapped_column(DateTime, nullable=False, default=_utcnow)
+	updated_at: Mapped[datetime] = mapped_column(DateTime, nullable=False, default=_utcnow, onupdate=_utcnow)
+
+
 class AttendancePunch(Base):
 	__tablename__ = "attendance_punches"
 	__table_args__ = (UniqueConstraint("punch_key", name="uq_attendance_punch_key"),)
@@ -19,4 +57,4 @@ class AttendancePunch(Base):
 	punch_time: Mapped[datetime] = mapped_column(DateTime, nullable=False, index=True)
 	source: Mapped[str] = mapped_column(String(30), nullable=False, default="biometric")
 	punch_key: Mapped[str] = mapped_column(String(255), nullable=False)
-	created_at: Mapped[datetime] = mapped_column(DateTime, nullable=False, default=datetime.utcnow)
+	created_at: Mapped[datetime] = mapped_column(DateTime, nullable=False, default=_utcnow)