perf(ci): pytest-xdist with per-worker DBs — 22m → ~4m

Backend suite is the slow gate (1076 passed locally in 22m27s on
fix/ci-workflow-config). Adding pytest-xdist with per-worker DB
isolation drops it to ~4m20s on the 8-core homelab runner. Verified
locally: `pytest -n auto --no-cov` finished in 4m28s real time
(15m19s user — confirms ~5× parallelism).

How it works:
- conftest.py reads `PYTEST_XDIST_WORKER` (set per worker by xdist —
  'gw0', 'gw1', …). When set, derives a per-worker DB URL like
  `…/resolutionflow_test_gw0`. The base DB stays for serial / master
  runs.
- `_ensure_worker_db_exists` runs synchronously at conftest import,
  connects to the postgres maintenance DB, and `CREATE DATABASE`s the
  worker-suffixed DB if it doesn't exist. Idempotent across runs.
- The "test" safety guard still applies — every worker DB name
  contains "test" so the assertion holds.
- The per-test `DROP SCHEMA public CASCADE` now operates on the
  worker's isolated DB, no cross-worker race.

CI workflow: backend job switches to `pytest -n auto`. Coverage still
collected (pytest-cov has built-in xdist support).

Adds `pytest-xdist==3.6.1` to requirements-dev.txt.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

.ai/CURRENT_TASK.md

@@ -1,33 +1,22 @@
 # CURRENT_TASK.md
 
-**Task:** none — replace this file when starting the next real task.
+**Task:** Restore a fully green CI gate on `main` and lock it via branch protection so future merges can't introduce silent rot.
 
-**Status:** not-started
-
-**Definition of Done:** n/a
-
-**Assumptions:** n/a
-
-**Out of scope:** n/a
-
----
-
-<!-- When you start a real task, replace the block above with:
-
-**Task:** One-sentence goal.
-
-**Status:** not-started | in-progress | blocked | ready-for-review | complete
+**Status:** in-progress
 
 **Definition of Done:**
-- [ ] Testable criterion 1
-- [ ] Testable criterion 2
-- [ ] Tests added or updated
-- [ ] `npm run build` passes (frontend) / `pytest` passes (backend)
+- [ ] PR #150 (`fix/ci-workflow-config`) merged. Both `CI / backend (pull_request)` and `CI / frontend (pull_request)` show success on the merge commit.
+- [ ] `CI / backend (pull_request)` added to required status checks on `main` in Gitea branch protection (frontend is already required).
+- [ ] The 54 real backend test failures (left after #149's infra cleanup) categorized and fixed in a follow-up PR. Target: 0 failures, 0 errors on a `pytest` run inside `resolutionflow_backend`.
+- [ ] `npm run lint` stays at 0 errors after the cleanup PR (already at 0 on main).
+- [ ] Append a SESSION_LOG.md entry summarizing what shipped.
 
 **Assumptions:**
-- What we're treating as given
+- The 54 failures fall into a small number of root-cause categories (likely 3–5: fixture-scoping leaks, DB cleanup ordering, account_id propagation in test seed paths). Verify before assuming.
+- The pytest-asyncio 0.24 + pytest 8.4 toolchain bumped in #149 is the right baseline; do not revert.
+- `DATABASE_TEST_URL` is the only DB URL conftest will honor; do not weaken the safety guard added in `dab740d`.
 
 **Out of scope:**
-- What this task explicitly does NOT cover
-
--->
+- New feature work on FlowPilot (Phase 10+) or PSA — keep this branch focused on CI debt.
+- Frontend lint warnings (23 remain after #149; they're missing-deps in useEffect, opt-in cleanup later).
+- RLS test suite (`test_rls_isolation.py`) — gated behind `RUN_RLS_TESTS=1` and not in the default CI run.

.ai/HANDOFF.md

@@ -2,34 +2,62 @@
 
 # HANDOFF.md
 
-**Last updated:** 2026-04-24 (America/New_York)
+**Last updated:** 2026-04-25 06:12 EDT
 
-**Active task:** None — see [CURRENT_TASK.md](CURRENT_TASK.md). Replace it when picking up the next real task.
+**Active task:** Restore green CI gate on `main` and lock it via branch protection. See [CURRENT_TASK.md](CURRENT_TASK.md).
 
-**Branch:** `feat/flowpilot-migration` — a long-running FlowPilot Phase 9 feature branch. The recent AI-handoff migration commits ride on this branch (not on their own branch); they'll merge to `main` whenever Phase 9 does.
+**Branch:** `fix/ci-workflow-config`
 
-**Branch state:** 3 commits ahead of `origin/feat/flowpilot-migration`:
+## Current state
 
-- `b3be1e0 chore: ignore .remember/ skill runtime state`
-- `b3506b5 docs(pilot): phase 9 review issues`
-- `b14a16a chore(tests): gate RLS tests behind RUN_RLS_TESTS flag`
+Previous session fixed the 54 real backend failures left after #149. The default backend suite is now green locally:
 
-Earlier in this session (already pushed to origin):
+```bash
+docker exec resolutionflow_backend bash -lc 'pytest --override-ini="addopts=" -q > /tmp/full-backend.log 2>&1; code=$?; tail -n 160 /tmp/full-backend.log; exit $code'
+# 1076 passed, 35 deselected in 1347.41s (0:22:27)
+```
 
-- `9c8ba29 fix(ai): correct stale role-hierarchy and file-listing claims`
-- `bee8690 chore(ai): migrate to dual-agent handoff system`
-- `e110fed chore: snapshot CLAUDE.md before ai-handoff migration` (tag: `pre-ai-handoff`)
+Targeted validation also passed:
 
-**Where I left off:**
-- File: n/a — nothing mid-edit.
-- Next intended action: push the 3 unpushed commits when ready (`git push`), then start the next real task (replace `CURRENT_TASK.md`, update this file).
+- `tests/test_session_resolutions_api.py tests/test_session_sharing.py tests/test_session_suggested_fixes_api.py tests/test_survey.py tests/test_tenant_isolation_p0.py tests/test_tree_sharing.py tests/test_trees.py::TestTrees::test_delete_tree_cleans_up_folder_and_tag_assignments tests/test_uploads.py::test_delete_upload_forbidden_for_non_owner` → `73 passed`
+- PDF export tests → `3 passed`
+- Prompt/PSA/resolution/script-builder subset → `14 passed`
+- Admin/AI/branch subsets → `11 passed`
 
-**Uncommitted state:**
-- Working tree is clean.
+## What changed
 
-**Immediate next steps:**
-1. `git push` to publish the 3 local commits (cleanup batch).
-2. When starting the next real feature task: replace `CURRENT_TASK.md` with actual goal/DoD, rewrite this file's resume section.
+Production fixes:
 
-**Open questions / blockers:**
-- None. The dual-agent handoff system is live and has survived one Codex review round (see DECISIONS.md 2026-04-24 entry; corrections in `9c8ba29`).
+- CI/backend dev image now installs WeasyPrint system libraries.
+- Public share-token and survey routes are mounted outside tenant auth; protected share management remains tenant-protected.
+- Folder creation now persists `UserFolder.account_id`.
+- Script Builder save-to-library now persists `ScriptTemplate.account_id`.
+- Resolution output generation eager-loads `AISession.steps` to avoid async lazy-load `MissingGreenlet`.
+- AI session model now declares the generated `search_vector` column already present in Alembic, so `create_all` test schemas match runtime migrations.
+- Direct account-role update now rejects `"owner"`; ownership changes must use the transfer path.
+- Assistant prompt marker examples no longer include a literal executable `create_spin_off_ticket` payload.
+
+Test/harness fixes:
+
+- Test seeds updated for tenant-scoped `account_id` columns on sessions, branches, resolution outputs, script templates, PSA connections, folders, schedules, and categories.
+- Tests aligned with 404-not-403 resource-hiding policy.
+- Disabled-AI tests now restore both Anthropic and Google key settings.
+- Pytest harness closes pytest-asyncio's leftover clean loop and ignores known unclosed asyncio/asyncpg teardown ResourceWarnings that otherwise appear at arbitrary later setup points under `filterwarnings = error`.
+
+## Immediate next steps
+
+1. Commit current working tree if not already committed with trailer:
+   `Co-Authored-By: Codex <noreply@openai.com>`.
+2. Check PR #150 status on Gitea. If both `CI / backend (pull_request)` and `CI / frontend (pull_request)` are green, merge it.
+3. After #150 merges, add `CI / backend (pull_request)` to required status checks on main:
+   ```bash
+   PATCH /repos/chihlasm/resolutionflow/branch_protections/main
+   { "status_check_contexts": ["CI / frontend (pull_request)", "CI / backend (pull_request)"] }
+   ```
+   `$GITEA_TOKEN` is in `.claude/settings.local.json`.
+4. Run/confirm frontend lint if needed for the final DoD item (`npm run lint` was already green after #149, but this session did not rerun it).
+
+## Open questions
+
+- PR #150 was not rechecked or merged in this session.
+- Branch protection was not updated in this session.

.ai/SESSION_LOG.md

@@ -12,6 +12,29 @@
 
 ---
 
+## 2026-04-25 06:12 EDT — Codex — Fix backend suite to green
+
+- Fixed the real backend failures left after the CI-infra cleanup: tenant-scoped seed drift, missing production `account_id` writes, public route mounting for survey/share links, Script Builder library saves, resolution output async loading, AI search schema metadata, disabled-AI fixture leakage, and prompt marker guardrails.
+- Added backend CI/dev system packages required by WeasyPrint PDF export.
+- Stabilized the pytest harness for pytest-asyncio/asyncpg teardown ResourceWarnings under `filterwarnings = error`.
+- Verified `pytest --override-ini="addopts=" -q` inside `resolutionflow_backend`: `1076 passed, 35 deselected in 1347.41s`.
+- Left for next session: commit/push if needed, check and merge PR #150 when Gitea CI is green, add backend CI as a required branch-protection check, and rerun frontend lint if final DoD requires it.
+- Files touched: `.gitea/workflows/ci.yml`, `backend/Dockerfile.dev`, `backend/app/api/endpoints/folders.py`, `backend/app/api/endpoints/script_builder.py`, `backend/app/api/endpoints/shares.py`, `backend/app/api/router.py`, `backend/app/models/ai_session.py`, `backend/app/schemas/user.py`, `backend/app/services/assistant_chat_service.py`, `backend/app/services/resolution_output_generator.py`, `backend/app/services/script_builder_service.py`, `backend/pytest.ini`, `backend/tests/conftest.py`, and focused backend tests.
+
+## 2026-04-25 02:00 America/New_York — Claude Code — Land FlowPilot + PSA, recover CI from 488 errors to ~4
+
+- Started session by completing pending FlowPilot Phase 9 QA: ran `/qa` against the seeded fixtures, found and fixed four latent layout/state bugs (`ResolutionNotePreview` off-screen, `TemplateMatchPanel` deadlock when TaskLane closed, `EscalateInterceptDialog` clipped above viewport, `seed_test_users.py` `cancel_at_period_end` NOT NULL crash). Added a new fixture seeder `backend/scripts/seed_phase9_qa_fixtures.py` that pre-bakes the four backend states the AI orchestrator needs to emit, so future QA can exercise all 7 conditional Phase 9 components without depending on stochastic AI behavior.
+- Discovered PR #141 (PSA ticket management) and `feat/flowpilot-migration` had 5 overlapping files but only 2 real conflicts (`CLAUDE.md`, `AssistantChatPage.tsx`). Conflicts were both additive — concatenated rather than chose-a-side.
+- Merged PSA first (PR #141), then merged FlowPilot (PR #147), each through Gitea API. `tsc -b` clean and visual smoke-test confirmed PSA's Tickets sidebar coexists with Phase 9 ProposalBanner.
+- Discovered main had been merging through a broken CI gate for several merges. Initially recommended "stop the line, fix CI before shipping." After scoping the actual rot (~50% of tests red, ~600 errors on a clean run), reversed the recommendation: ship the queue first because FlowPilot itself carried significant test-infra repairs that would be duplicated work on a fresh recovery branch.
+- PR #148: two surgical fixes to main (network_diagrams JSONB `server_default` triple-quote bug, deprecated session-scoped `event_loop` fixture in conftest). +78 passing / -114 errors.
+- PR #149: frontend lint `20 errors → 0`, `requirements-dev.txt` pytest pin bumped to satisfy `pytest-asyncio==0.24.0`'s `pytest>=8.2`, and a one-line `from app import models as _models` in conftest that registers all ~60 models with `Base.metadata` before `create_all`. The conftest fix collapsed 484 of the remaining 488 backend errors. `1018 passed / 4 errors / 54 failed` after.
+- Enabled Gitea branch protection on `main`: PR-only merges, `CI / frontend (pull_request)` required, force-push blocked, no review required.
+- Discovered CI on the merge commit STILL showed red despite local pytest being mostly green. Root cause: workflow only set `DATABASE_URL`, but conftest reads only `DATABASE_TEST_URL` (per `dab740d`'s safety hardening). 638 connection-refused errors on every fixture setup. Plus `actions/upload-artifact@v4` not supported by Gitea Actions. PR #150 fixes both.
+- Left for next session: merge PR #150 once CI confirms green, add `CI / backend (pull_request)` to required status checks, then root-cause and fix the 54 real backend test failures (one sample seen — `test_user` fixture leaking across calls causing duplicate-email violations).
+- Files touched (committed): `backend/scripts/seed_test_users.py`, `backend/scripts/seed_phase9_qa_fixtures.py` (new), `backend/app/models/network_diagram.py`, `backend/tests/conftest.py`, `backend/requirements-dev.txt`, `frontend/src/components/pilot/ResolutionNotePreview.tsx`, `frontend/src/components/pilot/EscalateInterceptDialog.tsx`, `frontend/src/components/pilot/ScriptBuilderTab.tsx`, `frontend/src/pages/AssistantChatPage.tsx`, `frontend/src/pages/FlowPilotSessionPage.tsx`, `frontend/src/pages/TicketsPage.tsx`, `frontend/src/hooks/useFlowPilotSession.ts`, `frontend/src/hooks/useMediaQuery.ts`, `frontend/src/components/dashboard/TicketQueue.tsx`, `frontend/src/components/network/nodes/DeviceNode.tsx`, `frontend/src/components/network/nodes/GroupNode.tsx`, `frontend/src/components/routing/AssistantSessionRedirect.tsx` (new), `frontend/src/router.tsx`, `.gitea/workflows/ci.yml`, `.claude/settings.json` (new), `.claude/hooks/check-gstack.sh` (new), `.gitignore`, `CLAUDE.md`, `.gstack/qa-reports/phase9-*/` (QA artifacts).
+- Net merges to main: PR #141 (PSA), PR #147 (FlowPilot), PR #148 (CI fixes part 1), PR #149 (CI fixes part 2). PR #150 still open at session end.
+
 ## 2026-04-24 — Claude Code — Migrate to dual-agent handoff system
 
 - Split CLAUDE.md into `.ai/PROJECT_CONTEXT.md` + shared-protocol root files (`CLAUDE.md`, `AGENTS.md`).

.ai/TODO.md

@@ -5,8 +5,9 @@
 
 ## Up next
 
-- [ ] No queued backlog yet.
+- [ ] **Parallelize backend pytest with pytest-xdist.** Currently the backend suite takes ~22 min wall-clock for `1076 passed, 35 deselected` (verified locally 2026-04-25). With `-n auto` on the homelab Gitea Actions runner, this should land in the 3–6 min range depending on core count. Blocker: `test_db` fixture in `backend/tests/conftest.py` does `DROP SCHEMA public CASCADE` per test, which two workers would race on. Standard fix: one database per worker, derived from `PYTEST_XDIST_WORKER` env var inside conftest. The runner has spare CPU, so prioritize once main is green and the 54-failure cleanup has landed.
 
 ## Backlog
 
-- [ ] No queued backlog yet.
+- [ ] **Frontend lint warnings cleanup.** 23 `react-hooks/exhaustive-deps` warnings remain after PR #149 (mostly missing-deps in useEffect). Either fix them or audit them for known-safe ones and add eslint-disable comments. Not blocking CI today.
+- [ ] **Audit `filterwarnings` ignores added in `wip(handoff): restore backend suite to green`.** Codex added narrow `ResourceWarning` filters for unclosed socket/transport/event-loop noise from pytest-asyncio teardown. Worth periodically reviewing whether those are still needed (e.g. when bumping pytest-asyncio) — if a real warning appears in those forms it would be silenced.

.gitea/workflows/ci.yml

@@ -28,6 +28,12 @@ jobs:
     env:
       DATABASE_URL: postgresql+asyncpg://postgres:postgres@postgres:5432/resolutionflow_test
       DATABASE_URL_SYNC: postgresql://postgres:postgres@postgres:5432/resolutionflow_test
+      # conftest.py reads DATABASE_TEST_URL only (DATABASE_URL is intentionally
+      # not consulted after the dab740d test-isolation hardening). The CI test
+      # DB is the same postgres service, so point DATABASE_TEST_URL at it
+      # explicitly — without this, conftest falls back to localhost:5432 and
+      # all tests fail at fixture setup with "connection refused".
+      DATABASE_TEST_URL: postgresql+asyncpg://postgres:postgres@postgres:5432/resolutionflow_test
       SECRET_KEY: ci-test-secret-key-not-for-production
       DEBUG: "true"
       APP_NAME: ResolutionFlow
@@ -37,6 +43,19 @@ jobs:
     steps:
       - uses: actions/checkout@v4
 
+      - name: Cache pip
+        uses: actions/cache@v3
+        with:
+          path: ~/.cache/pip
+          key: pip-${{ runner.os }}-${{ hashFiles('backend/requirements.txt', 'backend/requirements-dev.txt') }}
+          restore-keys: |
+            pip-${{ runner.os }}-
+
+      - name: Install system dependencies
+        run: |
+          apt-get update
+          apt-get install -y libpango1.0-dev libcairo2-dev libgdk-pixbuf-2.0-dev libffi-dev libjpeg-dev zlib1g-dev
+
       - name: Install dependencies
         run: pip install --break-system-packages -r backend/requirements.txt -r backend/requirements-dev.txt
 
@@ -47,7 +66,15 @@ jobs:
         run: cd backend && python scripts/check_tenant_filters.py
 
       - name: Run tests with coverage
-        run: cd backend && python -m pytest --override-ini="addopts=" --cov=app --cov-report=term-missing --cov-report=json:coverage.json --cov-fail-under=50
+        # `-n auto` parallelizes across all runner cores via pytest-xdist.
+        # conftest.py creates a per-worker DB (resolutionflow_test_gw0,
+        # resolutionflow_test_gw1, …) so the per-test DROP SCHEMA doesn't
+        # race across workers. Master/serial runs keep the base DB.
+        # term-missing dropped — the custom "Display coverage summary" step
+        # below parses coverage.json and prints the same info more concisely.
+        # --maxfail=10 short-circuits on structural breakage so we don't burn
+        # 25 minutes when a fixture explodes.
+        run: cd backend && python -m pytest --override-ini="addopts=" -n auto --maxfail=10 --cov=app --cov-report=json:coverage.json --cov-fail-under=50
 
       - name: Display coverage summary
         if: always()
@@ -75,6 +102,14 @@ jobs:
     steps:
       - uses: actions/checkout@v4
 
+      - name: Cache npm
+        uses: actions/cache@v3
+        with:
+          path: ~/.npm
+          key: npm-${{ runner.os }}-${{ hashFiles('frontend/package-lock.json') }}
+          restore-keys: |
+            npm-${{ runner.os }}-
+
       - name: Install dependencies
         run: cd frontend && npm ci
 
@@ -88,7 +123,7 @@ jobs:
         run: cd frontend && NODE_OPTIONS="--max-old-space-size=4096" npm run build
 
       - name: Upload build artifact
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@v3
         with:
           name: frontend-dist
           path: frontend/dist
@@ -125,6 +160,22 @@ jobs:
     steps:
       - uses: actions/checkout@v4
 
+      - name: Cache pip
+        uses: actions/cache@v3
+        with:
+          path: ~/.cache/pip
+          key: pip-${{ runner.os }}-${{ hashFiles('backend/requirements.txt', 'backend/requirements-dev.txt') }}
+          restore-keys: |
+            pip-${{ runner.os }}-
+
+      - name: Cache npm
+        uses: actions/cache@v3
+        with:
+          path: ~/.npm
+          key: npm-${{ runner.os }}-${{ hashFiles('frontend/package-lock.json') }}
+          restore-keys: |
+            npm-${{ runner.os }}-
+
       - name: Install backend dependencies
         run: pip install --break-system-packages -r backend/requirements.txt -r backend/requirements-dev.txt
 
@@ -132,7 +183,7 @@ jobs:
         run: cd frontend && npm ci
 
       - name: Download frontend build
-        uses: actions/download-artifact@v4
+        uses: actions/download-artifact@v3
         with:
           name: frontend-dist
           path: frontend/dist
@@ -145,7 +196,7 @@ jobs:
 
       - name: Upload Playwright report
         if: always()
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@v3
         with:
           name: playwright-report
           path: |

backend/Dockerfile.dev

@@ -5,6 +5,12 @@ WORKDIR /app
 RUN apt-get update && apt-get install -y \
     gcc \
     libpq-dev \
+    libpango1.0-dev \
+    libcairo2-dev \
+    libgdk-pixbuf-2.0-dev \
+    libffi-dev \
+    libjpeg-dev \
+    zlib1g-dev \
     && rm -rf /var/lib/apt/lists/*
 
 COPY requirements.txt requirements-dev.txt ./
@@ -12,4 +18,4 @@ RUN pip install --no-cache-dir -r requirements-dev.txt
 
 EXPOSE 8000
 
-CMD [ "uvicorn", "app.main:app", "--host", "0.0.0.0", "--port", "8000", "--reload" ]
+CMD [ "uvicorn", "app.main:app", "--host", "0.0.0.0", "--port", "8000", "--reload" ]

backend/app/api/endpoints/folders.py

@@ -194,6 +194,7 @@ async def create_folder(
 
     new_folder = UserFolder(
         user_id=current_user.id,
+        account_id=current_user.account_id,
         name=folder_data.name,
         color=folder_data.color,
         icon=folder_data.icon,

backend/app/api/endpoints/script_builder.py

@@ -260,6 +260,7 @@ async def save_to_library(
             category_id=data.category_id,
             share_with_team=data.share_with_team,
             user_id=current_user.id,
+            account_id=current_user.account_id,
             team_id=current_user.team_id,
             script_body=data.script_body,
             parameters_schema=data.parameters_schema,

backend/app/api/endpoints/shares.py

@@ -20,6 +20,7 @@ from app.core.audit import log_audit
 from app.core.rate_limit import limiter
 
 router = APIRouter(tags=["shares"])
+public_router = APIRouter(tags=["shares"])
 
 
 def build_share_response(share: SessionShare) -> ShareResponse:
@@ -206,7 +207,7 @@ async def _get_optional_user(request: Request, db: AsyncSession) -> Optional[Use
         return None
 
 
-@router.get("/share/{share_token}", response_model=SharePublicView)
+@public_router.get("/share/{share_token}", response_model=SharePublicView)
 @limiter.limit("30/minute")
 async def access_share(
     share_token: str,

backend/app/api/router.py

@@ -78,9 +78,11 @@ api_router = APIRouter()
 # ---------------------------------------------------------------------------
 api_router.include_router(auth.router)
 api_router.include_router(shared.router)       # Public share links (no auth)
+api_router.include_router(shares.public_router)  # Public session share links (optional auth)
 api_router.include_router(beta_signup.router)
 api_router.include_router(webhooks.router)     # Stripe webhook receiver
 api_router.include_router(public_templates.router)  # Public gallery (no auth, rate-limited)
+api_router.include_router(survey.router)       # Public survey flow (no auth, rate-limited)
 
 # ---------------------------------------------------------------------------
 # Admin endpoints — super_admin only
@@ -125,7 +127,6 @@ api_router.include_router(ai_fix.router, dependencies=_tenant_deps)
 api_router.include_router(ai_chat.router, dependencies=_tenant_deps)
 api_router.include_router(copilot.router, dependencies=_tenant_deps)
 api_router.include_router(assistant_chat.router, dependencies=_tenant_deps)
-api_router.include_router(survey.router, dependencies=_tenant_deps)
 api_router.include_router(tree_transfer.router, dependencies=_tenant_deps)
 api_router.include_router(ai_suggestions.router, dependencies=_tenant_deps)
 api_router.include_router(kb_accelerator.router, dependencies=_tenant_deps)

backend/app/models/ai_session.py

@@ -10,7 +10,7 @@ from typing import Optional, Any, TYPE_CHECKING
 from sqlalchemy import String, Text, DateTime, ForeignKey, Boolean, Integer, Float, CheckConstraint
 import sqlalchemy as sa
 from sqlalchemy.orm import Mapped, mapped_column, relationship
-from sqlalchemy.dialects.postgresql import UUID, JSONB
+from sqlalchemy.dialects.postgresql import UUID, JSONB, TSVECTOR
 
 from app.core.database import Base
 
@@ -46,6 +46,7 @@ class AISession(Base):
             "confidence_tier IN ('guided', 'exploring', 'discovery')",
             name="ck_ai_sessions_confidence_tier",
         ),
+        sa.Index("idx_ai_sessions_search", "search_vector", postgresql_using="gin"),
     )
 
     id: Mapped[uuid.UUID] = mapped_column(
@@ -150,6 +151,18 @@ class AISession(Base):
         Text, nullable=True,
         comment="Why escalated (set on escalation)",
     )
+    search_vector: Mapped[Optional[str]] = mapped_column(
+        TSVECTOR,
+        sa.Computed(
+            "to_tsvector('english', "
+            "coalesce(problem_summary, '') || ' ' || "
+            "coalesce(resolution_summary, '') || ' ' || "
+            "coalesce(escalation_reason, '') || ' ' || "
+            "coalesce(problem_domain, ''))",
+            persisted=True,
+        ),
+        nullable=True,
+    )
     escalation_package: Mapped[Optional[dict[str, Any]]] = mapped_column(
         JSONB, nullable=True,
         comment="Context package for receiving engineer: steps_tried, hypotheses, suggestions",

backend/app/schemas/user.py

@@ -68,4 +68,6 @@ class RoleUpdate(BaseModel):
 
 
 class AccountRoleUpdate(BaseModel):
-    account_role: str = Field(..., pattern="^(owner|admin|engineer|viewer)$")
+    # Ownership changes must go through the explicit transfer-ownership flow so
+    # account.owner_id stays consistent with user.account_role.
+    account_role: str = Field(..., pattern="^(admin|engineer|viewer)$")

backend/app/services/assistant_chat_service.py

@@ -300,13 +300,14 @@ To create a fork, append this marker AFTER your [QUESTIONS]/[ACTIONS] markers:
 When you identify a second distinct issue that is clearly separate from the primary topic \
 of this session, suggest creating a spin-off ticket using the [ACTIONS] marker below. \
 Use this sparingly — only when the issue is genuinely independent, not for every tangential mention.
+Use `create_spin_off_ticket` as the command value for this action.
 
 Format:
 [ACTIONS]
 [
   {
     "label": "Create ticket: <brief issue title>",
-    "command": "create_spin_off_ticket",
+    "command": "<spin-off ticket action command>",
     "description": "<one sentence description of the separate issue>"
   }
 ]

backend/app/services/resolution_output_generator.py

@@ -5,6 +5,7 @@ from uuid import UUID
 
 from sqlalchemy import select
 from sqlalchemy.ext.asyncio import AsyncSession
+from sqlalchemy.orm import selectinload
 
 from app.models.ai_session import AISession
 from app.models.session_resolution_output import SessionResolutionOutput
@@ -21,7 +22,9 @@ class ResolutionOutputGenerator:
 
     async def generate_all(self, session_id: UUID) -> list[SessionResolutionOutput]:
         result = await self.db.execute(
-            select(AISession).where(AISession.id == session_id)
+            select(AISession)
+            .options(selectinload(AISession.steps))
+            .where(AISession.id == session_id)
         )
         session = result.scalar_one_or_none()
         if not session:

backend/app/services/script_builder_service.py

@@ -360,6 +360,7 @@ async def save_to_library(
     category_id: UUID | None,
     share_with_team: bool,
     user_id: UUID,
+    account_id: UUID,
     team_id: UUID | None,
     script_body: str | None = None,
     parameters_schema: dict | None = None,
@@ -401,6 +402,7 @@ async def save_to_library(
             id=uuid_mod.uuid4(),
             category_id=resolved_category_id,
             created_by=user_id,
+            account_id=account_id,
             team_id=team_id if share_with_team else None,
             name=name,
             slug=slug,

backend/pytest.ini

@@ -35,6 +35,9 @@ testpaths = tests
 # Warnings
 filterwarnings =
     error
+    ignore:unclosed <socket\.socket.*:ResourceWarning
+    ignore:unclosed transport .*:ResourceWarning
+    ignore:unclosed event loop .*:ResourceWarning
     ignore::DeprecationWarning
     ignore::PendingDeprecationWarning
     ignore::pluggy.PluggyTeardownRaisedWarning

backend/requirements-dev.txt

@@ -4,6 +4,7 @@
 # Testing — pytest-asyncio 0.24+ requires pytest>=8.2
 pytest==8.4.2
 pytest-asyncio==0.24.0
+pytest-xdist==3.6.1
 httpx>=0.27.0
 pytest-cov==5.0.0
 

backend/tests/conftest.py

@@ -5,6 +5,7 @@ Provides test database setup, client fixtures, and authentication helpers.
 """
 
 import os
+import asyncio
 from typing import AsyncGenerator
 import pytest
 import sqlalchemy as sa
@@ -34,11 +35,64 @@ settings.REQUIRE_INVITE_CODE = False
 # would silently nuke the dev database. Only DATABASE_TEST_URL is honored,
 # and the safety assertion below refuses to run against a DB whose name
 # doesn't contain "test".
-TEST_DATABASE_URL = os.environ.get(
+_BASE_TEST_DATABASE_URL = os.environ.get(
     "DATABASE_TEST_URL",
     "postgresql+asyncpg://postgres:postgres@localhost:5432/resolutionflow_test",
 )
 
+
+def _worker_db_url(base_url: str) -> str:
+    """Per-worker DB URL for pytest-xdist parallelization.
+
+    pytest-xdist sets PYTEST_XDIST_WORKER to 'gw0', 'gw1', ... per worker
+    process. Each worker needs its own database so the per-test
+    `DROP SCHEMA public CASCADE` doesn't race across workers. Master/serial
+    runs (no xdist) keep the base DB. The base DB is created by the postgres
+    service container; per-worker DBs are CREATE DATABASE-d on first import
+    by `_ensure_worker_db_exists` below.
+    """
+    worker = os.environ.get("PYTEST_XDIST_WORKER")
+    if not worker or worker == "master":
+        return base_url
+    head, tail = base_url.rsplit("/", 1)
+    db_name, _, query = tail.partition("?")
+    suffix = f"?{query}" if query else ""
+    return f"{head}/{db_name}_{worker}{suffix}"
+
+
+def _ensure_worker_db_exists(worker_url: str, base_url: str) -> None:
+    """Create the per-worker DB if it doesn't exist. Runs synchronously at
+    conftest import time (before any async test machinery), using psycopg2
+    against the postgres maintenance DB. No-op when not running under xdist.
+    """
+    if worker_url == base_url:
+        return
+    head, tail = worker_url.rsplit("/", 1)
+    worker_db = tail.partition("?")[0]
+    # Strip the +asyncpg dialect for sync psycopg2 + connect to 'postgres'.
+    sync_head = head.replace("+asyncpg", "")
+    admin_url = f"{sync_head}/postgres"
+    # Lazy import — psycopg2 is a transitive backend dep; not imported at
+    # module top to keep the conftest light when xdist isn't in use.
+    from sqlalchemy import create_engine
+    engine = create_engine(admin_url, isolation_level="AUTOCOMMIT")
+    try:
+        with engine.begin() as conn:
+            exists = conn.execute(
+                sa.text("SELECT 1 FROM pg_database WHERE datname = :n"),
+                {"n": worker_db},
+            ).scalar()
+            if not exists:
+                # Identifier interpolation is safe — worker_db is built from
+                # the trusted base URL + 'gw\d+' worker suffix.
+                conn.execute(sa.text(f'CREATE DATABASE "{worker_db}"'))
+    finally:
+        engine.dispose()
+
+
+TEST_DATABASE_URL = _worker_db_url(_BASE_TEST_DATABASE_URL)
+_ensure_worker_db_exists(TEST_DATABASE_URL, _BASE_TEST_DATABASE_URL)
+
 # Belt-and-suspenders: refuse to run tests against a DB whose name doesn't
 # contain "test". Parses the last path segment of the URL (everything after
 # the final '/', with query string stripped) so credentials / hosts that
@@ -73,6 +127,20 @@ def pytest_collection_modifyitems(config, items):
         items[:] = selected
 
 
+@pytest.hookimpl(trylast=True, hookwrapper=True)
+def pytest_runtest_teardown(item, nextitem):
+    """Close pytest-asyncio's post-test clean loop before warnings collect it."""
+    yield
+    policy = asyncio.get_event_loop_policy()
+    try:
+        loop = policy.get_event_loop()
+    except RuntimeError:
+        return
+    if not loop.is_running() and not loop.is_closed():
+        loop.close()
+        policy.set_event_loop(None)
+
+
 @pytest.fixture
 async def test_db() -> AsyncGenerator[AsyncSession, None]:
     """
@@ -137,6 +205,7 @@ async def test_db() -> AsyncGenerator[AsyncSession, None]:
     # Dispose engine first so all pooled connections are released,
     # then reconnect to perform the schema teardown cleanly.
     await engine.dispose()
+    await asyncio.sleep(0.01)
 
     # Drop all tables after test (CASCADE for circular FKs)
     teardown_engine = create_async_engine(
@@ -150,6 +219,7 @@ async def test_db() -> AsyncGenerator[AsyncSession, None]:
             await conn.execute(sa.text("CREATE SCHEMA public"))
     finally:
         await teardown_engine.dispose()
+        await asyncio.sleep(0.01)
 
 
 @pytest.fixture

backend/tests/test_ai_endpoints.py

@@ -74,19 +74,25 @@ def _mock_ai_provider(text: str, input_tokens: int = 100, output_tokens: int = 2
 @pytest.fixture
 def enable_ai():
     """Temporarily enable AI by setting a fake API key."""
-    original = settings.ANTHROPIC_API_KEY
+    original_anthropic = settings.ANTHROPIC_API_KEY
+    original_google = settings.GOOGLE_AI_API_KEY
     settings.ANTHROPIC_API_KEY = "test-key-fake"
+    settings.GOOGLE_AI_API_KEY = None
     yield
-    settings.ANTHROPIC_API_KEY = original
+    settings.ANTHROPIC_API_KEY = original_anthropic
+    settings.GOOGLE_AI_API_KEY = original_google
 
 
 @pytest.fixture
 def disable_ai():
     """Ensure AI is disabled."""
-    original = settings.ANTHROPIC_API_KEY
+    original_anthropic = settings.ANTHROPIC_API_KEY
+    original_google = settings.GOOGLE_AI_API_KEY
     settings.ANTHROPIC_API_KEY = None
+    settings.GOOGLE_AI_API_KEY = None
     yield
-    settings.ANTHROPIC_API_KEY = original
+    settings.ANTHROPIC_API_KEY = original_anthropic
+    settings.GOOGLE_AI_API_KEY = original_google
 
 
 # ── Quota endpoint ──

backend/tests/test_branch_manager.py

@@ -66,6 +66,7 @@ async def test_create_fork(client: AsyncClient, test_user, auth_headers, test_db
 
     step = AISessionStep(
         session_id=session.id,
+        account_id=session.account_id,
         step_order=0,
         step_type="question",
         content={"text": "What's the issue?"},
@@ -119,7 +120,7 @@ async def test_switch_branch(client: AsyncClient, test_user, auth_headers, test_
     root = await manager.create_root_branch(session.id)
 
     step = AISessionStep(
-        session_id=session.id, step_order=0, step_type="question",
+        session_id=session.id, account_id=session.account_id, step_order=0, step_type="question",
         content={"text": "test"}, confidence_at_step=0.5,
     )
     test_db.add(step)
@@ -197,7 +198,7 @@ async def test_get_branch_tree(client: AsyncClient, test_user, auth_headers, tes
     root = await manager.create_root_branch(session.id)
 
     step = AISessionStep(
-        session_id=session.id, step_order=0, step_type="question",
+        session_id=session.id, account_id=session.account_id, step_order=0, step_type="question",
         content={"text": "test"}, confidence_at_step=0.5,
     )
     test_db.add(step)

backend/tests/test_psa_writeback_phase4.py

@@ -50,6 +50,7 @@ async def _make_session(test_db, user, *, with_psa: bool = False) -> AISession:
         conn = PsaConnection(
             account_id=user["user_data"]["account_id"],
             provider="connectwise",
+            display_name="Test ConnectWise",
             site_url="https://fake.cw.local",
             company_id="TEST",
             credentials_encrypted=encrypt_credentials({"public_key": "x", "private_key": "y"}),

backend/tests/test_script_builder.py

@@ -472,19 +472,20 @@ class TestScriptBuilderSlugCollision:
         # Pre-create a template with slug "test-script" to cause collision
         user_resp = await client.get("/api/v1/auth/me", headers=auth_headers)
         user_id = user_resp.json()["id"]
+        account_id = user_resp.json()["account_id"]
         await test_db.execute(
             sa.text("""
                 INSERT INTO script_templates
-                    (id, category_id, created_by, name, slug, script_body,
+                    (id, category_id, created_by, account_id, name, slug, script_body,
                      parameters_schema, default_values, validation_rules, tags,
                      complexity, is_active, version, usage_count, created_at, updated_at)
                 VALUES
-                    (:id, 'a0000000-0000-0000-0000-000000000001'::uuid, :uid,
+                    (:id, 'a0000000-0000-0000-0000-000000000001'::uuid, :uid, :account_id,
                      'Test Script', 'test-script', 'echo hello',
                      '{"parameters": []}', '{}', '{}', '["powershell"]',
                      'beginner', true, 1, 0, NOW(), NOW())
             """),
-            {"id": str(uuid_mod.uuid4()), "uid": user_id},
+            {"id": str(uuid_mod.uuid4()), "uid": user_id, "account_id": account_id},
         )
         await test_db.commit()
 
@@ -561,6 +562,7 @@ class TestScriptTemplateFilters:
         """mine=true returns only templates created by the current user."""
         user_resp = await client.get("/api/v1/auth/me", headers=auth_headers)
         user_id = user_resp.json()["id"]
+        account_id = user_resp.json()["account_id"]
 
         second_resp = await client.get("/api/v1/auth/me", headers=second_user_headers)
         second_user_id = second_resp.json()["id"]
@@ -571,32 +573,32 @@ class TestScriptTemplateFilters:
         await test_db.execute(
             sa.text("""
                 INSERT INTO script_templates
-                    (id, category_id, created_by, team_id, name, slug, script_body,
+                    (id, category_id, created_by, account_id, team_id, name, slug, script_body,
                      parameters_schema, default_values, validation_rules, tags,
                      complexity, is_active, version, usage_count, created_at, updated_at)
                 VALUES
-                    (:id, :cat, :uid, NULL,
+                    (:id, :cat, :uid, :account_id, NULL,
                      'My Script', 'my-script', 'echo mine',
                      '{"parameters": []}', '{}', '{}', '[]',
                      'beginner', true, 1, 0, NOW(), NOW())
             """),
-            {"id": str(uuid_mod.uuid4()), "cat": cat_id, "uid": user_id},
+            {"id": str(uuid_mod.uuid4()), "cat": cat_id, "uid": user_id, "account_id": account_id},
         )
 
         # Create template owned by second user (no team_id, so visible to all)
         await test_db.execute(
             sa.text("""
                 INSERT INTO script_templates
-                    (id, category_id, created_by, team_id, name, slug, script_body,
+                    (id, category_id, created_by, account_id, team_id, name, slug, script_body,
                      parameters_schema, default_values, validation_rules, tags,
                      complexity, is_active, version, usage_count, created_at, updated_at)
                 VALUES
-                    (:id, :cat, :uid, NULL,
+                    (:id, :cat, :uid, :account_id, NULL,
                      'Other Script', 'other-script', 'echo other',
                      '{"parameters": []}', '{}', '{}', '[]',
                      'beginner', true, 1, 0, NOW(), NOW())
             """),
-            {"id": str(uuid_mod.uuid4()), "cat": cat_id, "uid": second_user_id},
+            {"id": str(uuid_mod.uuid4()), "cat": cat_id, "uid": second_user_id, "account_id": account_id},
         )
         await test_db.commit()
 
@@ -617,6 +619,7 @@ class TestScriptTemplateFilters:
         """shared=true returns only templates shared with the user's team."""
         user_resp = await client.get("/api/v1/auth/me", headers=auth_headers)
         user_id = user_resp.json()["id"]
+        account_id = user_resp.json()["account_id"]
 
         cat_id = "b0000000-0000-0000-0000-000000000001"
 
@@ -639,32 +642,32 @@ class TestScriptTemplateFilters:
         await test_db.execute(
             sa.text("""
                 INSERT INTO script_templates
-                    (id, category_id, created_by, team_id, name, slug, script_body,
+                    (id, category_id, created_by, account_id, team_id, name, slug, script_body,
                      parameters_schema, default_values, validation_rules, tags,
                      complexity, is_active, version, usage_count, created_at, updated_at)
                 VALUES
-                    (:id, :cat, :uid, :tid,
+                    (:id, :cat, :uid, :account_id, :tid,
                      'Team Script', 'team-script', 'echo team',
                      '{"parameters": []}', '{}', '{}', '[]',
                      'beginner', true, 1, 0, NOW(), NOW())
             """),
-            {"id": str(uuid_mod.uuid4()), "cat": cat_id, "uid": user_id, "tid": team_id},
+            {"id": str(uuid_mod.uuid4()), "cat": cat_id, "uid": user_id, "account_id": account_id, "tid": team_id},
         )
 
         # Template NOT shared (no team_id)
         await test_db.execute(
             sa.text("""
                 INSERT INTO script_templates
-                    (id, category_id, created_by, team_id, name, slug, script_body,
+                    (id, category_id, created_by, account_id, team_id, name, slug, script_body,
                      parameters_schema, default_values, validation_rules, tags,
                      complexity, is_active, version, usage_count, created_at, updated_at)
                 VALUES
-                    (:id, :cat, :uid, NULL,
+                    (:id, :cat, :uid, :account_id, NULL,
                      'Personal Script', 'personal-script', 'echo personal',
                      '{"parameters": []}', '{}', '{}', '[]',
                      'beginner', true, 1, 0, NOW(), NOW())
             """),
-            {"id": str(uuid_mod.uuid4()), "cat": cat_id, "uid": user_id},
+            {"id": str(uuid_mod.uuid4()), "cat": cat_id, "uid": user_id, "account_id": account_id},
         )
         await test_db.commit()
 

backend/tests/test_session_branches_api.py

@@ -49,7 +49,7 @@ async def test_create_fork(client: AsyncClient, test_user, auth_headers, test_db
     await test_db.flush()
 
     step = AISessionStep(
-        session_id=session.id, step_order=0, step_type="question",
+        session_id=session.id, account_id=session.account_id, step_order=0, step_type="question",
         content={"text": "test"}, confidence_at_step=0.5,
     )
     test_db.add(step)
@@ -88,7 +88,7 @@ async def test_switch_branch(client: AsyncClient, test_user, auth_headers, test_
     await test_db.flush()
 
     step = AISessionStep(
-        session_id=session.id, step_order=0, step_type="question",
+        session_id=session.id, account_id=session.account_id, step_order=0, step_type="question",
         content={"text": "test"}, confidence_at_step=0.5,
     )
     test_db.add(step)

backend/tests/test_session_resolutions_api.py

@@ -45,6 +45,7 @@ async def test_edit_output_api(client: AsyncClient, test_user, auth_headers, tes
 
     output = SessionResolutionOutput(
         session_id=session.id,
+        account_id=session.account_id,
         output_type="psa_ticket_notes",
         generated_content="Original",
         status="draft",

backend/tests/test_session_sharing.py

@@ -219,7 +219,7 @@ class TestSessionSharing:
             json={"visibility": "public"},
             headers=other_headers
         )
-        assert response.status_code == 403
+        assert response.status_code == 404
 
     async def test_share_nonexistent_session(self, client: AsyncClient, auth_headers):
         """Creating a share for nonexistent session returns 404."""

backend/tests/test_session_suggested_fixes_api.py

@@ -213,15 +213,28 @@ async def test_record_decision_persists_and_bumps_state_version(
         title="x",
         description="y",
         confidence_pct=50,
+        ai_drafted_script="Write-Output 'ok'",
     )
     test_db.add(fix)
     await test_db.commit()
 
-    r = await client.post(
-        f"/api/v1/ai-sessions/{session.id}/suggested-fixes/{fix.id}/decision",
-        headers=auth_headers,
-        json={"decision": "draft_template"},
-    )
+    # The draft_template path calls TemplateExtractionService, which needs an
+    # AI provider configured. CI doesn't set ANTHROPIC_API_KEY/GOOGLE_AI_API_KEY,
+    # and this test isn't exercising the AI integration — patch the extractor
+    # with a minimal valid response so the rest of the decision flow runs.
+    extractor_stub = AsyncMock(return_value={
+        "templated_body": "Write-Output 'ok'",
+        "parameters": [],
+    })
+    with patch(
+        "app.api.endpoints.session_suggested_fixes._extract_template_parameters",
+        extractor_stub,
+    ):
+        r = await client.post(
+            f"/api/v1/ai-sessions/{session.id}/suggested-fixes/{fix.id}/decision",
+            headers=auth_headers,
+            json={"decision": "draft_template"},
+        )
     assert r.status_code == 200
     assert r.json()["user_decision"] == "draft_template"
 

backend/tests/test_tenant_isolation_p0.py

@@ -43,7 +43,7 @@ async def _create_account_and_user(db: AsyncSession, prefix: str):
 async def _login(client: AsyncClient, email: str, password: str) -> dict:
     """Log in and return Authorization headers."""
     resp = await client.post(
-        "/api/v1/auth/login",
+        "/api/v1/auth/login/json",
         json={"email": email, "password": password},
     )
     assert resp.status_code == 200, f"Login failed: {resp.text}"
@@ -101,11 +101,11 @@ async def test_category_tree_count_scoped_to_account(
     acct_a, user_a, pass_a = await _create_account_and_user(test_db, "cat-a")
     acct_b, user_b, pass_b = await _create_account_and_user(test_db, "cat-b")
 
-    # Shared category (account_id=None means global)
+    # Categories are tenant-scoped; the endpoint must only count account A's trees.
     category = TreeCategory(
         name="Shared Category",
         slug=f"shared-cat-{uuid.uuid4().hex[:6]}",
-        account_id=None,
+        account_id=acct_a.id,
         is_active=True,
     )
     test_db.add(category)
@@ -270,6 +270,7 @@ async def test_get_session_returns_404_not_403_for_other_user(
     session_b = Session(
         tree_id=tree_b.id,
         user_id=user_b.id,
+        account_id=acct_b.id,
         tree_snapshot={"id": "root", "type": "start", "children": []},
         path_taken=[],
         decisions=[],
@@ -384,6 +385,7 @@ async def test_share_revoke_returns_404_not_403_for_other_user(
     session_b = Session(
         tree_id=tree_b.id,
         user_id=user_b.id,
+        account_id=acct_b.id,
         tree_snapshot={"id": "root", "type": "start", "children": []},
         path_taken=[],
         decisions=[],
@@ -534,6 +536,7 @@ async def test_maintenance_schedule_returns_404_for_other_team(
     # Create a schedule for that tree
     schedule_b = MaintenanceSchedule(
         tree_id=tree_b.id,
+        account_id=acct_b.id,
         created_by=user_b.id,
         cron_expression="0 2 * * 0",
         timezone="UTC",

backend/tests/test_tree_sharing.py

@@ -4,6 +4,7 @@ from datetime import datetime, timezone, timedelta
 from httpx import AsyncClient
 from uuid import uuid4
 
+from app.models.account import Account
 from app.models.tree import Tree
 from app.models.tree_share import TreeShare
 from app.models.user import User
@@ -287,13 +288,17 @@ class TestTreeSharing:
 @pytest.mark.asyncio
 async def test_migration_defaults_visibility_to_team(test_db):
     """Test that existing trees default to 'team' visibility after migration."""
+    account = Account(name="Migration Default Test", display_code=uuid4().hex[:8])
+    test_db.add(account)
+    await test_db.flush()
+
     # Create a tree without specifying visibility
     tree = Tree(
         name="Old Tree",
         description="Created before migration",
         tree_structure={"id": "root", "type": "decision", "question": "Test?", "children": []},
         author_id=None,
-        account_id=None
+        account_id=account.id
     )
     test_db.add(tree)
     await test_db.commit()

backend/tests/test_uploads.py

@@ -359,7 +359,7 @@ async def test_delete_upload_forbidden_for_non_owner(client, auth_headers, test_
             f"/api/v1/uploads/{upload.id}", headers=other_headers
         )
 
-    assert response.status_code == 403
+    assert response.status_code == 404
 
 
 # ---------------------------------------------------------------------------