arthexis 0.1.16__py3-none-any.whl → 0.1.28__py3-none-any.whl

core/models.py

@@ -4,37 +4,45 @@ from django.contrib.auth.models import (
     UserManager as DjangoUserManager,
 )
 from django.db import DatabaseError, IntegrityError, connections, models, transaction
-from django.db.models import Q
-from django.db.models.functions import Lower
+from django.db.models import Q, F
+from django.db.models.functions import Lower, Length
 from django.conf import settings
 from django.contrib.auth import get_user_model
-from django.utils.translation import gettext_lazy as _
+from django.utils.translation import gettext_lazy as _, gettext, override
 from django.core.validators import MaxValueValidator, MinValueValidator, RegexValidator
 from django.core.exceptions import ValidationError
 from django.apps import apps
 from django.db.models.signals import m2m_changed, post_delete, post_save
 from django.dispatch import receiver
 from django.views.decorators.debug import sensitive_variables
-from datetime import time as datetime_time, timedelta
+from datetime import (
+    time as datetime_time,
+    timedelta,
+    datetime as datetime_datetime,
+    date as datetime_date,
+    timezone as datetime_timezone,
+)
 import logging
+import json
 from django.contrib.contenttypes.models import ContentType
 import hashlib
 import hmac
 import os
 import subprocess
-import secrets
 import re
 from io import BytesIO
 from django.core.files.base import ContentFile
 import qrcode
-from django.utils import timezone
+from django.utils import timezone, formats
 from django.utils.dateparse import parse_datetime
 import uuid
 from pathlib import Path
 from django.core import serializers
 from django.core.management.color import no_style
-from urllib.parse import quote_plus, urlparse
+from urllib.parse import quote, quote_plus, urlparse
+from zoneinfo import ZoneInfo
 from utils import revision as revision_utils
+from core.celery_utils import normalize_periodic_task_name
 from typing import Any, Type
 from defusedxml import xmlrpc as defused_xmlrpc
 import requests
@@ -44,6 +52,51 @@ xmlrpc_client = defused_xmlrpc.xmlrpc_client
 
 logger = logging.getLogger(__name__)
 
+
+def _available_language_codes() -> set[str]:
+    return {code.lower() for code, _ in getattr(settings, "LANGUAGES", [])}
+
+
+def default_report_language() -> str:
+    configured = getattr(settings, "LANGUAGE_CODE", "en") or "en"
+    configured = configured.replace("_", "-").lower()
+    base = configured.split("-", 1)[0]
+    available = _available_language_codes()
+    if base in available:
+        return base
+    if configured in available:
+        return configured
+    if available:
+        return next(iter(sorted(available)))
+    return "en"
+
+
+def normalize_report_language(language: str | None) -> str:
+    default = default_report_language()
+    if not language:
+        return default
+    candidate = str(language).strip().lower()
+    if not candidate:
+        return default
+    candidate = candidate.replace("_", "-")
+    available = _available_language_codes()
+    if candidate in available:
+        return candidate
+    base = candidate.split("-", 1)[0]
+    if base in available:
+        return base
+    return default
+
+
+def normalize_report_title(title: str | None) -> str:
+    value = (title or "").strip()
+    if "\r" in value or "\n" in value:
+        raise ValidationError(
+            _("Report title cannot contain control characters."),
+        )
+    return value
+
+
 from .entity import Entity, EntityUserManager, EntityManager
 from .release import (
     Package as ReleasePackage,
@@ -336,7 +389,6 @@ class User(Entity, AbstractUser):
     objects = EntityUserManager()
     all_objects = DjangoUserManager()
     """Custom user model."""
-    birthday = models.DateField(null=True, blank=True)
     data_path = models.CharField(max_length=255, blank=True)
     last_visit_ip_address = models.GenericIPAddressField(null=True, blank=True)
     operate_as = models.ForeignKey(
@@ -518,17 +570,18 @@ class User(Entity, AbstractUser):
     def odoo_profile(self):
         return self._direct_profile("OdooProfile")
 
-    @property
-    def assistant_profile(self):
-        return self._direct_profile("AssistantProfile")
-
     @property
     def social_profile(self):
         return self._direct_profile("SocialProfile")
 
     @property
-    def chat_profile(self):
-        return self.assistant_profile
+    def google_calendar_profile(self):
+        return self._direct_profile("GoogleCalendarProfile")
+
+
+    class Meta(AbstractUser.Meta):
+        verbose_name = _("User")
+        verbose_name_plural = _("Users")
 
 
 class UserPhoneNumber(Entity):
@@ -557,11 +610,19 @@ class UserPhoneNumber(Entity):
 class OdooProfile(Profile):
     """Store Odoo API credentials for a user."""
 
+    class CRM(models.TextChoices):
+        ODOO = "odoo", _("Odoo")
+
     profile_fields = ("host", "database", "username", "password")
     host = SigilShortAutoField(max_length=255)
     database = SigilShortAutoField(max_length=255)
     username = SigilShortAutoField(max_length=255)
     password = SigilShortAutoField(max_length=255)
+    crm = models.CharField(
+        max_length=32,
+        choices=CRM.choices,
+        default=CRM.ODOO,
+    )
     verified_on = models.DateTimeField(null=True, blank=True)
     odoo_uid = models.PositiveIntegerField(null=True, blank=True, editable=False)
     name = models.CharField(max_length=255, blank=True, editable=False)
@@ -591,6 +652,14 @@ class OdooProfile(Profile):
         database = self._resolved_field_value("database")
         return database or ""
 
+    def _profile_name(self) -> str:
+        """Return the stored name for this profile without database suffix."""
+
+        username = self._resolved_field_value("username")
+        if username:
+            return username
+        return self._resolved_field_value("database")
+
     def save(self, *args, **kwargs):
         if self.pk:
             old = type(self).all_objects.get(pk=self.pk)
@@ -601,7 +670,7 @@ class OdooProfile(Profile):
                 or old.host != self.host
             ):
                 self._clear_verification()
-        computed_name = self._display_identifier()
+        computed_name = self._profile_name()
         update_fields = kwargs.get("update_fields")
         update_fields_set = set(update_fields) if update_fields is not None else None
         if computed_name != self.name:
@@ -636,6 +705,7 @@ class OdooProfile(Profile):
         self.odoo_uid = uid
         self.email = info.get("email", "")
         self.verified_on = timezone.now()
+        self.name = self._profile_name()
         self.save(update_fields=["odoo_uid", "name", "email", "verified_on"])
         return True
 
@@ -676,8 +746,8 @@ class OdooProfile(Profile):
         return f"{owner} @ {self.host}" if owner else self.host
 
     class Meta:
-        verbose_name = _("Odoo Employee")
-        verbose_name_plural = _("Odoo Employees")
+        verbose_name = _("CRM Employee")
+        verbose_name_plural = _("CRM Employees")
         constraints = [
             models.CheckConstraint(
                 check=(
@@ -690,24 +760,47 @@ class OdooProfile(Profile):
 
 
 class OpenPayProfile(Profile):
-    """Store OpenPay gateway credentials for a user or security group."""
+    """Store payment processor credentials for a user or security group."""
+
+    PROCESSOR_OPENPAY = "openpay"
+    PROCESSOR_PAYPAL = "paypal"
+    PROCESSOR_CHOICES = (
+        (PROCESSOR_OPENPAY, _("OpenPay")),
+        (PROCESSOR_PAYPAL, _("PayPal")),
+    )
 
     SANDBOX_API_URL = "https://sandbox-api.openpay.mx/v1"
     PRODUCTION_API_URL = "https://api.openpay.mx/v1"
 
+    PAYPAL_SANDBOX_API_URL = "https://api-m.sandbox.paypal.com"
+    PAYPAL_PRODUCTION_API_URL = "https://api-m.paypal.com"
+
     profile_fields = (
         "merchant_id",
         "private_key",
         "public_key",
         "is_production",
         "webhook_secret",
+        "paypal_client_id",
+        "paypal_client_secret",
+        "paypal_webhook_id",
+        "paypal_is_production",
     )
 
-    merchant_id = SigilShortAutoField(max_length=100)
-    private_key = SigilShortAutoField(max_length=255)
-    public_key = SigilShortAutoField(max_length=255)
+    default_processor = models.CharField(
+        max_length=20,
+        choices=PROCESSOR_CHOICES,
+        default=PROCESSOR_OPENPAY,
+    )
+    merchant_id = SigilShortAutoField(max_length=100, blank=True)
+    private_key = SigilShortAutoField(max_length=255, blank=True)
+    public_key = SigilShortAutoField(max_length=255, blank=True)
     is_production = models.BooleanField(default=False)
     webhook_secret = SigilShortAutoField(max_length=255, blank=True)
+    paypal_client_id = SigilShortAutoField(max_length=255, blank=True)
+    paypal_client_secret = SigilShortAutoField(max_length=255, blank=True)
+    paypal_webhook_id = SigilShortAutoField(max_length=255, blank=True)
+    paypal_is_production = models.BooleanField(default=False)
     verified_on = models.DateTimeField(null=True, blank=True)
     verification_reference = models.CharField(max_length=255, blank=True, editable=False)
 
@@ -724,6 +817,11 @@ class OpenPayProfile(Profile):
                 or old.public_key != self.public_key
                 or old.is_production != self.is_production
                 or old.webhook_secret != self.webhook_secret
+                or old.default_processor != self.default_processor
+                or old.paypal_client_id != self.paypal_client_id
+                or old.paypal_client_secret != self.paypal_client_secret
+                or old.paypal_webhook_id != self.paypal_webhook_id
+                or old.paypal_is_production != self.paypal_is_production
             ):
                 self._clear_verification()
         super().save(*args, **kwargs)
@@ -732,6 +830,8 @@ class OpenPayProfile(Profile):
     def is_verified(self):
         return self.verified_on is not None
 
+    # --- OpenPay helpers -------------------------------------------------
+
     def get_api_base_url(self) -> str:
         return self.PRODUCTION_API_URL if self.is_production else self.SANDBOX_API_URL
 
@@ -748,6 +848,47 @@ class OpenPayProfile(Profile):
     def is_sandbox(self) -> bool:
         return not self.is_production
 
+    # --- PayPal helpers --------------------------------------------------
+
+    def get_paypal_api_base_url(self) -> str:
+        return (
+            self.PAYPAL_PRODUCTION_API_URL
+            if self.paypal_is_production
+            else self.PAYPAL_SANDBOX_API_URL
+        )
+
+    def get_paypal_auth(self) -> tuple[str, str]:
+        return (self.paypal_client_id, self.paypal_client_secret)
+
+    # --- Processor utilities --------------------------------------------
+
+    def has_openpay_credentials(self) -> bool:
+        return all(
+            getattr(self, field)
+            for field in ("merchant_id", "private_key", "public_key")
+        )
+
+    def has_paypal_credentials(self) -> bool:
+        return all(
+            getattr(self, field)
+            for field in ("paypal_client_id", "paypal_client_secret")
+        )
+
+    def iter_processors(self):
+        preferred = self.default_processor or self.PROCESSOR_OPENPAY
+        ordered = [preferred]
+        other = (
+            self.PROCESSOR_PAYPAL
+            if preferred == self.PROCESSOR_OPENPAY
+            else self.PROCESSOR_OPENPAY
+        )
+        ordered.append(other)
+        for processor in ordered:
+            if processor == self.PROCESSOR_OPENPAY and self.has_openpay_credentials():
+                yield processor
+            elif processor == self.PROCESSOR_PAYPAL and self.has_paypal_credentials():
+                yield processor
+
     def sign_webhook(self, payload: bytes | str, timestamp: str | None = None) -> str:
         if not self.webhook_secret:
             raise ValueError("Webhook secret is not configured")
@@ -780,7 +921,7 @@ class OpenPayProfile(Profile):
         self._clear_verification()
         return self
 
-    def verify(self):
+    def _verify_openpay(self):
         url = self.build_api_url("charges")
         try:
             response = requests.get(
@@ -829,13 +970,62 @@ class OpenPayProfile(Profile):
         self.save(update_fields=["verification_reference", "verified_on"])
         return True
 
+    def _verify_paypal(self):
+        url = f"{self.get_paypal_api_base_url()}/v1/oauth2/token"
+        try:
+            response = requests.post(
+                url,
+                auth=self.get_paypal_auth(),
+                data={"grant_type": "client_credentials"},
+                timeout=10,
+            )
+        except requests.RequestException as exc:  # pragma: no cover - network failure
+            self._clear_verification()
+            if self.pk:
+                self.save(update_fields=["verification_reference", "verified_on"])
+            raise ValidationError(
+                _("Unable to verify PayPal credentials: %(error)s")
+                % {"error": exc}
+            ) from exc
+        if response.status_code != 200:
+            self._clear_verification()
+            if self.pk:
+                self.save(update_fields=["verification_reference", "verified_on"])
+            raise ValidationError(_("Invalid PayPal credentials"))
+        try:
+            payload = response.json() or {}
+        except ValueError:
+            payload = {}
+        scope = ""
+        if isinstance(payload, dict):
+            scope = payload.get("scope") or payload.get("access_token") or ""
+        self.verification_reference = f"PayPal: {scope}" if scope else "PayPal"
+        self.verified_on = timezone.now()
+        self.save(update_fields=["verification_reference", "verified_on"])
+        return True
+
+    def verify(self):
+        errors = []
+        for processor in self.iter_processors():
+            try:
+                if processor == self.PROCESSOR_OPENPAY:
+                    return self._verify_openpay()
+                if processor == self.PROCESSOR_PAYPAL:
+                    return self._verify_paypal()
+            except ValidationError as exc:
+                errors.append(exc)
+        if errors:
+            raise errors[-1]
+        raise ValidationError(_("No payment processors are configured."))
+
     def __str__(self):  # pragma: no cover - simple representation
         owner = self.owner_display()
-        return f"{owner} @ {self.merchant_id}" if owner else self.merchant_id
+        identifier = self.merchant_id or self.paypal_client_id or ""
+        return f"{owner} @ {identifier}" if owner and identifier else (owner or identifier)
 
     class Meta:
-        verbose_name = _("OpenPay Merchant")
-        verbose_name_plural = _("OpenPay Merchants")
+        verbose_name = _("Payment Processor")
+        verbose_name_plural = _("Payment Processors")
         constraints = [
             models.CheckConstraint(
                 check=(
@@ -847,6 +1037,184 @@ class OpenPayProfile(Profile):
         ]
 
 
+class GoogleCalendarProfile(Profile):
+    """Store Google Calendar configuration for a user or security group."""
+
+    profile_fields = ("calendar_id", "api_key", "display_name", "timezone")
+
+    calendar_id = SigilShortAutoField(max_length=255)
+    api_key = SigilShortAutoField(max_length=255)
+    display_name = models.CharField(max_length=255, blank=True)
+    max_events = models.PositiveIntegerField(
+        default=5,
+        validators=[MinValueValidator(1), MaxValueValidator(20)],
+        help_text=_("Number of upcoming events to display (1-20)."),
+    )
+    timezone = SigilShortAutoField(max_length=100, blank=True)
+
+    GOOGLE_EVENTS_URL = (
+        "https://www.googleapis.com/calendar/v3/calendars/{calendar}/events"
+    )
+    GOOGLE_EMBED_URL = "https://calendar.google.com/calendar/embed?src={calendar}&ctz={tz}"
+
+    class Meta:
+        verbose_name = _("Google Calendar")
+        verbose_name_plural = _("Google Calendars")
+        constraints = [
+            models.CheckConstraint(
+                check=(
+                    (Q(user__isnull=False) & Q(group__isnull=True))
+                    | (Q(user__isnull=True) & Q(group__isnull=False))
+                ),
+                name="googlecalendarprofile_requires_owner",
+            )
+        ]
+
+    def __str__(self):  # pragma: no cover - simple representation
+        label = self.get_display_name()
+        return label or self.resolved_calendar_id()
+
+    def resolved_calendar_id(self) -> str:
+        value = self.resolve_sigils("calendar_id")
+        return value or self.calendar_id or ""
+
+    def resolved_api_key(self) -> str:
+        value = self.resolve_sigils("api_key")
+        return value or self.api_key or ""
+
+    def resolved_timezone(self) -> str:
+        value = self.resolve_sigils("timezone")
+        return value or self.timezone or ""
+
+    def get_timezone(self) -> ZoneInfo:
+        tz_name = self.resolved_timezone() or settings.TIME_ZONE
+        try:
+            return ZoneInfo(tz_name)
+        except Exception:
+            return ZoneInfo("UTC")
+
+    def get_display_name(self) -> str:
+        value = self.resolve_sigils("display_name")
+        if value:
+            return value
+        if self.display_name:
+            return self.display_name
+        return ""
+
+    def build_events_url(self) -> str:
+        calendar = self.resolved_calendar_id().strip()
+        if not calendar:
+            return ""
+        encoded = quote(calendar, safe="@")
+        return self.GOOGLE_EVENTS_URL.format(calendar=encoded)
+
+    def build_calendar_url(self) -> str:
+        calendar = self.resolved_calendar_id().strip()
+        if not calendar:
+            return ""
+        tz = self.get_timezone().key
+        encoded_calendar = quote_plus(calendar)
+        encoded_tz = quote_plus(tz)
+        return self.GOOGLE_EMBED_URL.format(calendar=encoded_calendar, tz=encoded_tz)
+
+    def _parse_event_point(self, data: dict) -> tuple[datetime_datetime | None, bool]:
+        if not isinstance(data, dict):
+            return None, False
+
+        tz_name = data.get("timeZone")
+        default_tz = self.get_timezone()
+        tzinfo = default_tz
+        if tz_name:
+            try:
+                tzinfo = ZoneInfo(tz_name)
+            except Exception:
+                tzinfo = default_tz
+
+        timestamp = data.get("dateTime")
+        if timestamp:
+            dt = parse_datetime(timestamp)
+            if dt is None:
+                try:
+                    dt = datetime_datetime.fromisoformat(
+                        timestamp.replace("Z", "+00:00")
+                    )
+                except ValueError:
+                    dt = None
+            if dt is not None and dt.tzinfo is None:
+                dt = dt.replace(tzinfo=tzinfo)
+            return dt, False
+
+        date_value = data.get("date")
+        if date_value:
+            try:
+                day = datetime_date.fromisoformat(date_value)
+            except ValueError:
+                return None, True
+            dt = datetime_datetime.combine(day, datetime_time.min, tzinfo=tzinfo)
+            return dt, True
+
+        return None, False
+
+    def fetch_events(self, *, max_results: int | None = None) -> list[dict[str, object]]:
+        calendar_id = self.resolved_calendar_id().strip()
+        api_key = self.resolved_api_key().strip()
+        if not calendar_id or not api_key:
+            return []
+
+        url = self.build_events_url()
+        if not url:
+            return []
+
+        now = timezone.now().astimezone(datetime_timezone.utc).replace(microsecond=0)
+        params = {
+            "key": api_key,
+            "singleEvents": "true",
+            "orderBy": "startTime",
+            "timeMin": now.isoformat().replace("+00:00", "Z"),
+            "maxResults": max_results or self.max_events or 5,
+        }
+
+        try:
+            response = requests.get(url, params=params, timeout=10)
+            response.raise_for_status()
+            payload = response.json()
+        except (requests.RequestException, ValueError):
+            logger.warning(
+                "Failed to fetch Google Calendar events for profile %s", self.pk,
+                exc_info=True,
+            )
+            return []
+
+        items = payload.get("items")
+        if not isinstance(items, list):
+            return []
+
+        events: list[dict[str, object]] = []
+        for item in items:
+            if not isinstance(item, dict):
+                continue
+            start, all_day = self._parse_event_point(item.get("start") or {})
+            end, _ = self._parse_event_point(item.get("end") or {})
+            summary = item.get("summary") or ""
+            link = item.get("htmlLink") or ""
+            location = item.get("location") or ""
+            if start is None:
+                continue
+            events.append(
+                {
+                    "summary": summary,
+                    "start": start,
+                    "end": end,
+                    "all_day": all_day,
+                    "html_link": link,
+                    "location": location,
+                }
+            )
+
+        events.sort(key=lambda event: event.get("start") or timezone.now())
+        return events
+
+
 class EmailInbox(Profile):
     """Credentials and configuration for connecting to an email mailbox."""
 
@@ -1760,10 +2128,16 @@ class Reference(Entity):
         return (self.alt_text,)
 
 
+    class Meta:
+        verbose_name = _("Reference")
+        verbose_name_plural = _("References")
+
+
 class RFID(Entity):
     """RFID tag that may be assigned to one account."""
 
     label_id = models.AutoField(primary_key=True, db_column="label_id")
+    MATCH_PREFIX_LENGTH = 8
     rfid = models.CharField(
         max_length=255,
         unique=True,
@@ -1775,6 +2149,14 @@ class RFID(Entity):
             )
         ],
     )
+    reversed_uid = models.CharField(
+        max_length=255,
+        default="",
+        blank=True,
+        editable=False,
+        verbose_name="Reversed UID",
+        help_text="UID value stored with opposite endianness for reference.",
+    )
     custom_label = models.CharField(
         max_length=32,
         blank=True,
@@ -1851,6 +2233,17 @@ class RFID(Entity):
         choices=KIND_CHOICES,
         default=CLASSIC,
     )
+    BIG_ENDIAN = "BIG"
+    LITTLE_ENDIAN = "LITTLE"
+    ENDIANNESS_CHOICES = [
+        (BIG_ENDIAN, _("Big endian")),
+        (LITTLE_ENDIAN, _("Little endian")),
+    ]
+    endianness = models.CharField(
+        max_length=6,
+        choices=ENDIANNESS_CHOICES,
+        default=BIG_ENDIAN,
+    )
     reference = models.ForeignKey(
         "Reference",
         null=True,
@@ -1895,13 +2288,24 @@ class RFID(Entity):
                 if self.key_b and old["key_b"] != self.key_b.upper():
                     self.key_b_verified = False
         if self.rfid:
-            self.rfid = self.rfid.upper()
+            normalized_rfid = self.rfid.upper()
+            self.rfid = normalized_rfid
+            reversed_uid = self.reverse_uid(normalized_rfid)
+            if reversed_uid != self.reversed_uid:
+                self.reversed_uid = reversed_uid
+                if update_fields:
+                    fields = set(update_fields)
+                    if "reversed_uid" not in fields:
+                        fields.add("reversed_uid")
+                        kwargs["update_fields"] = tuple(fields)
         if self.key_a:
             self.key_a = self.key_a.upper()
         if self.key_b:
             self.key_b = self.key_b.upper()
         if self.kind:
             self.kind = self.kind.upper()
+        if self.endianness:
+            self.endianness = self.normalize_endianness(self.endianness)
         super().save(*args, **kwargs)
         if not self.allowed:
             self.energy_accounts.clear()
@@ -1909,6 +2313,132 @@ class RFID(Entity):
     def __str__(self):  # pragma: no cover - simple representation
         return str(self.label_id)
 
+    @classmethod
+    def normalize_code(cls, value: str) -> str:
+        """Return ``value`` normalized for comparisons."""
+
+        return "".join((value or "").split()).upper()
+
+    def adopt_rfid(self, candidate: str) -> bool:
+        """Adopt ``candidate`` as the stored RFID if it is a better match."""
+
+        normalized = type(self).normalize_code(candidate)
+        if not normalized:
+            return False
+        current = type(self).normalize_code(self.rfid)
+        if current == normalized:
+            return False
+        if not current:
+            self.rfid = normalized
+            return True
+        reversed_current = type(self).reverse_uid(current)
+        if reversed_current and reversed_current == normalized:
+            self.rfid = normalized
+            return True
+        if len(normalized) < len(current):
+            self.rfid = normalized
+            return True
+        if len(normalized) == len(current) and normalized < current:
+            self.rfid = normalized
+            return True
+        return False
+
+    @classmethod
+    def matching_queryset(cls, value: str) -> models.QuerySet["RFID"]:
+        """Return RFID records matching ``value`` using prefix comparison."""
+
+        normalized = cls.normalize_code(value)
+        if not normalized:
+            return cls.objects.none()
+
+        conditions: list[Q] = []
+        candidate = normalized
+        if candidate:
+            conditions.append(Q(rfid=candidate))
+        alternate = cls.reverse_uid(candidate)
+        if alternate and alternate != candidate:
+            conditions.append(Q(rfid=alternate))
+
+        prefix_length = min(len(candidate), cls.MATCH_PREFIX_LENGTH)
+        if prefix_length:
+            prefix = candidate[:prefix_length]
+            conditions.append(Q(rfid__startswith=prefix))
+            if alternate and alternate != candidate:
+                alt_prefix = alternate[:prefix_length]
+                if alt_prefix:
+                    conditions.append(Q(rfid__startswith=alt_prefix))
+
+        query: Q | None = None
+        for condition in conditions:
+            query = condition if query is None else query | condition
+
+        if query is None:
+            return cls.objects.none()
+
+        queryset = cls.objects.filter(query).distinct()
+        return queryset.annotate(rfid_length=Length("rfid")).order_by(
+            "rfid_length", "rfid", "pk"
+        )
+
+    @classmethod
+    def find_match(cls, value: str) -> "RFID | None":
+        """Return the best matching RFID for ``value`` if it exists."""
+
+        return cls.matching_queryset(value).first()
+
+    @classmethod
+    def update_or_create_from_code(
+        cls, value: str, defaults: dict[str, Any] | None = None
+    ) -> tuple["RFID", bool]:
+        """Update or create an RFID using relaxed matching rules."""
+
+        normalized = cls.normalize_code(value)
+        if not normalized:
+            raise ValueError("RFID value is required")
+
+        defaults_map = defaults.copy() if defaults else {}
+        existing = cls.find_match(normalized)
+        if existing:
+            update_fields: set[str] = set()
+            if existing.adopt_rfid(normalized):
+                update_fields.add("rfid")
+            for field_name, new_value in defaults_map.items():
+                if getattr(existing, field_name) != new_value:
+                    setattr(existing, field_name, new_value)
+                    update_fields.add(field_name)
+            if update_fields:
+                existing.save(update_fields=sorted(update_fields))
+            return existing, False
+
+        create_kwargs = defaults_map
+        create_kwargs["rfid"] = normalized
+        tag = cls.objects.create(**create_kwargs)
+        return tag, True
+
+    @classmethod
+    def normalize_endianness(cls, value: object) -> str:
+        """Return a valid endianness value, defaulting to BIG."""
+
+        if isinstance(value, str):
+            candidate = value.strip().upper()
+            valid = {choice[0] for choice in cls.ENDIANNESS_CHOICES}
+            if candidate in valid:
+                return candidate
+        return cls.BIG_ENDIAN
+
+    @staticmethod
+    def reverse_uid(value: str) -> str:
+        """Return ``value`` with reversed byte order for reference storage."""
+
+        normalized = "".join((value or "").split()).upper()
+        if not normalized:
+            return ""
+        if len(normalized) % 2 != 0:
+            return normalized[::-1]
+        bytes_list = [normalized[index : index + 2] for index in range(0, len(normalized), 2)]
+        bytes_list.reverse()
+        return "".join(bytes_list)
+
     @classmethod
     def next_scan_label(
         cls, *, step: int | None = None, start: int | None = None
@@ -1971,13 +2501,26 @@ class RFID(Entity):
 
     @classmethod
     def register_scan(
-        cls, rfid: str, *, kind: str | None = None
+        cls,
+        rfid: str,
+        *,
+        kind: str | None = None,
+        endianness: str | None = None,
     ) -> tuple["RFID", bool]:
         """Return or create an RFID that was detected via scanning."""
 
-        normalized = (rfid or "").upper()
-        existing = cls.objects.filter(rfid=normalized).first()
+        normalized = cls.normalize_code(rfid)
+        desired_endianness = cls.normalize_endianness(endianness)
+        existing = cls.find_match(normalized)
         if existing:
+            update_fields: list[str] = []
+            if existing.adopt_rfid(normalized):
+                update_fields.append("rfid")
+            if existing.endianness != desired_endianness:
+                existing.endianness = desired_endianness
+                update_fields.append("endianness")
+            if update_fields:
+                existing.save(update_fields=update_fields)
             return existing, False
 
         attempts = 0
@@ -1990,6 +2533,7 @@ class RFID(Entity):
                 "rfid": normalized,
                 "allowed": True,
                 "released": False,
+                "endianness": desired_endianness,
             }
             if kind:
                 create_kwargs["kind"] = kind
@@ -1998,23 +2542,28 @@ class RFID(Entity):
                     tag = cls.objects.create(**create_kwargs)
                     cls._reset_label_sequence()
             except IntegrityError:
-                existing = cls.objects.filter(rfid=normalized).first()
+                existing = cls.find_match(normalized)
                 if existing:
                     return existing, False
             else:
                 return tag, True
         raise IntegrityError("Unable to allocate label id for scanned RFID")
 
-    @staticmethod
-    def get_account_by_rfid(value):
+    @classmethod
+    def get_account_by_rfid(cls, value):
         """Return the energy account associated with an RFID code if it exists."""
         try:
             EnergyAccount = apps.get_model("core", "EnergyAccount")
         except LookupError:  # pragma: no cover - energy accounts app optional
             return None
-        return EnergyAccount.objects.filter(
-            rfids__rfid=value.upper(), rfids__allowed=True
-        ).first()
+        matches = cls.matching_queryset(value).filter(allowed=True)
+        if not matches.exists():
+            return None
+        return (
+            EnergyAccount.objects.filter(rfids__in=matches)
+            .distinct()
+            .first()
+        )
 
     class Meta:
         verbose_name = "RFID"
@@ -2365,8 +2914,24 @@ class ClientReportSchedule(Entity):
     periodicity = models.CharField(
         max_length=12, choices=PERIODICITY_CHOICES, default=PERIODICITY_NONE
     )
+    language = models.CharField(
+        max_length=12,
+        choices=settings.LANGUAGES,
+        default=default_report_language,
+    )
+    title = models.CharField(
+        max_length=200,
+        blank=True,
+        default="",
+        verbose_name=_("Title"),
+    )
     email_recipients = models.JSONField(default=list, blank=True)
     disable_emails = models.BooleanField(default=False)
+    chargers = models.ManyToManyField(
+        "ocpp.Charger",
+        blank=True,
+        related_name="client_report_schedules",
+    )
     periodic_task = models.OneToOneField(
         "django_celery_beat.PeriodicTask",
         on_delete=models.SET_NULL,
@@ -2380,11 +2945,19 @@ class ClientReportSchedule(Entity):
         verbose_name = "Client Report Schedule"
         verbose_name_plural = "Client Report Schedules"
 
+    @classmethod
+    def label_for_periodicity(cls, value: str) -> str:
+        lookup = dict(cls.PERIODICITY_CHOICES)
+        return lookup.get(value, value)
+
     def __str__(self) -> str:  # pragma: no cover - simple representation
         owner = self.owner.get_username() if self.owner else "Unassigned"
         return f"Client Report Schedule ({owner})"
 
     def save(self, *args, **kwargs):
+        if self.language:
+            self.language = normalize_report_language(self.language)
+        self.title = normalize_report_title(self.title)
         sync = kwargs.pop("sync_task", True)
         super().save(*args, **kwargs)
         if sync and self.pk:
@@ -2436,7 +3009,8 @@ class ClientReportSchedule(Entity):
                 month_of_year="*",
             )
 
-        name = f"client_report_schedule_{self.pk}"
+        raw_name = f"client_report_schedule_{self.pk}"
+        name = normalize_periodic_task_name(PeriodicTask.objects, raw_name)
         defaults = {
             "crontab": schedule,
             "task": "core.tasks.run_client_report_schedule",
@@ -2476,6 +3050,78 @@ class ClientReportSchedule(Entity):
 
         return start, end
 
+    def _advance_period(
+        self, start: datetime_date, end: datetime_date
+    ) -> tuple[datetime_date, datetime_date]:
+        import calendar as _calendar
+        import datetime as _datetime
+
+        if self.periodicity == self.PERIODICITY_DAILY:
+            delta = _datetime.timedelta(days=1)
+            return start + delta, end + delta
+        if self.periodicity == self.PERIODICITY_WEEKLY:
+            delta = _datetime.timedelta(days=7)
+            return start + delta, end + delta
+        if self.periodicity == self.PERIODICITY_MONTHLY:
+            base_start = start.replace(day=1)
+            year = base_start.year
+            month = base_start.month
+            if month == 12:
+                next_year = year + 1
+                next_month = 1
+            else:
+                next_year = year
+                next_month = month + 1
+            next_start = base_start.replace(year=next_year, month=next_month, day=1)
+            last_day = _calendar.monthrange(next_year, next_month)[1]
+            next_end = next_start.replace(day=last_day)
+            return next_start, next_end
+        raise ValueError("advance_period called for non-recurring schedule")
+
+    def iter_pending_periods(self, reference=None):
+        from django.utils import timezone
+
+        if self.periodicity == self.PERIODICITY_NONE:
+            return []
+
+        ref_date = reference or timezone.localdate()
+        try:
+            target_start, target_end = self.calculate_period(reference=ref_date)
+        except ValueError:
+            return []
+
+        reports = self.reports.order_by("start_date", "end_date")
+        last_report = reports.last()
+        if last_report:
+            current_start, current_end = self._advance_period(
+                last_report.start_date, last_report.end_date
+            )
+        else:
+            current_start, current_end = target_start, target_end
+
+        if current_end < current_start:
+            return []
+
+        pending: list[tuple[datetime.date, datetime.date]] = []
+        safety = 0
+        while current_end <= target_end:
+            exists = reports.filter(
+                start_date=current_start, end_date=current_end
+            ).exists()
+            if not exists:
+                pending.append((current_start, current_end))
+            try:
+                current_start, current_end = self._advance_period(
+                    current_start, current_end
+                )
+            except ValueError:
+                break
+            safety += 1
+            if safety > 400:
+                break
+
+        return pending
+
     def resolve_recipients(self):
         """Return (to, cc) email lists respecting owner fallbacks."""
 
@@ -2523,38 +3169,27 @@ class ClientReportSchedule(Entity):
 
         return to, cc
 
+    def resolve_reply_to(self) -> list[str]:
+        return ClientReport.resolve_reply_to_for_owner(self.owner)
+
     def get_outbox(self):
         """Return the preferred :class:`nodes.models.EmailOutbox` instance."""
 
-        from nodes.models import EmailOutbox, Node
-
-        if self.owner:
-            try:
-                outbox = self.owner.get_profile(EmailOutbox)
-            except Exception:  # pragma: no cover - defensive catch
-                outbox = None
-            if outbox:
-                return outbox
-
-        node = Node.get_local()
-        if node:
-            return getattr(node, "email_outbox", None)
-        return None
+        return ClientReport.resolve_outbox_for_owner(self.owner)
 
     def notify_failure(self, message: str):
         from nodes.models import NetMessage
 
         NetMessage.broadcast("Client report delivery issue", message)
 
-    def run(self):
+    def run(self, *, start: datetime_date | None = None, end: datetime_date | None = None):
         """Generate the report, persist it and deliver notifications."""
 
-        from core import mailer
-
-        try:
-            start, end = self.calculate_period()
-        except ValueError:
-            return None
+        if start is None or end is None:
+            try:
+                start, end = self.calculate_period()
+            except ValueError:
+                return None
 
         try:
             report = ClientReport.generate(
@@ -2564,8 +3199,12 @@ class ClientReportSchedule(Entity):
                 schedule=self,
                 recipients=self.email_recipients,
                 disable_emails=self.disable_emails,
+                chargers=list(self.chargers.all()),
+                language=self.language,
+                title=self.title,
             )
-            export, html_content = report.store_local_copy()
+            report.chargers.set(self.chargers.all())
+            report.store_local_copy()
         except Exception as exc:
             self.notify_failure(str(exc))
             raise
@@ -2577,32 +3216,12 @@ class ClientReportSchedule(Entity):
                 raise RuntimeError("No recipients available for client report")
             else:
                 try:
-                    attachments = []
-                    html_name = Path(export["html_path"]).name
-                    attachments.append((html_name, html_content, "text/html"))
-                    json_file = Path(settings.BASE_DIR) / export["json_path"]
-                    if json_file.exists():
-                        attachments.append(
-                            (
-                                json_file.name,
-                                json_file.read_text(encoding="utf-8"),
-                                "application/json",
-                            )
-                        )
-                    subject = f"Client report {report.start_date} to {report.end_date}"
-                    body = (
-                        "Attached is the client report generated for the period "
-                        f"{report.start_date} to {report.end_date}."
-                    )
-                    mailer.send(
-                        subject,
-                        body,
-                        to,
-                        outbox=self.get_outbox(),
+                    delivered = report.send_delivery(
+                        to=to,
                         cc=cc,
-                        attachments=attachments,
+                        outbox=self.get_outbox(),
+                        reply_to=self.resolve_reply_to(),
                     )
-                    delivered = list(dict.fromkeys(to + (cc or [])))
                     if delivered:
                         type(report).objects.filter(pk=report.pk).update(
                             recipients=delivered
@@ -2617,6 +3236,14 @@ class ClientReportSchedule(Entity):
         self.last_generated_on = now
         return report
 
+    def generate_missing_reports(self, reference=None):
+        generated: list["ClientReport"] = []
+        for start, end in self.iter_pending_periods(reference=reference):
+            report = self.run(start=start, end=end)
+            if report:
+                generated.append(report)
+        return generated
+
 
 class ClientReport(Entity):
     """Snapshot of energy usage over a period."""
@@ -2639,15 +3266,70 @@ class ClientReport(Entity):
         blank=True,
         related_name="reports",
     )
+    language = models.CharField(
+        max_length=12,
+        choices=settings.LANGUAGES,
+        default=default_report_language,
+    )
+    title = models.CharField(
+        max_length=200,
+        blank=True,
+        default="",
+        verbose_name=_("Title"),
+    )
     recipients = models.JSONField(default=list, blank=True)
     disable_emails = models.BooleanField(default=False)
+    chargers = models.ManyToManyField(
+        "ocpp.Charger",
+        blank=True,
+        related_name="client_reports",
+    )
 
     class Meta:
-        verbose_name = "Consumer Report"
-        verbose_name_plural = "Consumer Reports"
+        verbose_name = _("Consumer Report")
+        verbose_name_plural = _("Consumer Reports")
         db_table = "core_client_report"
         ordering = ["-created_on"]
 
+    def __str__(self) -> str:  # pragma: no cover - simple representation
+        period_type = (
+            self.schedule.periodicity
+            if self.schedule
+            else ClientReportSchedule.PERIODICITY_NONE
+        )
+        return f"{self.start_date} - {self.end_date} ({period_type})"
+
+    @staticmethod
+    def default_language() -> str:
+        return default_report_language()
+
+    @staticmethod
+    def normalize_language(language: str | None) -> str:
+        return normalize_report_language(language)
+
+    @staticmethod
+    def normalize_title(title: str | None) -> str:
+        return normalize_report_title(title)
+
+    def save(self, *args, **kwargs):
+        if self.language:
+            self.language = normalize_report_language(self.language)
+        self.title = self.normalize_title(self.title)
+        super().save(*args, **kwargs)
+
+    @property
+    def periodicity_label(self) -> str:
+        if self.schedule:
+            return self.schedule.get_periodicity_display()
+        return ClientReportSchedule.label_for_periodicity(
+            ClientReportSchedule.PERIODICITY_NONE
+        )
+
+    @property
+    def total_kw_period(self) -> float:
+        totals = (self.rows_for_display or {}).get("totals", {})
+        return float(totals.get("total_kw_period", 0.0) or 0.0)
+
     @classmethod
     def generate(
         cls,
@@ -2658,17 +3340,36 @@ class ClientReport(Entity):
         schedule=None,
         recipients: list[str] | None = None,
         disable_emails: bool = False,
+        chargers=None,
+        language: str | None = None,
+        title: str | None = None,
     ):
-        rows = cls.build_rows(start_date, end_date)
-        return cls.objects.create(
+        from collections.abc import Iterable as _Iterable
+
+        charger_list = []
+        if chargers:
+            if isinstance(chargers, _Iterable):
+                charger_list = list(chargers)
+            else:
+                charger_list = [chargers]
+
+        payload = cls.build_rows(start_date, end_date, chargers=charger_list)
+        normalized_language = cls.normalize_language(language)
+        title_value = cls.normalize_title(title)
+        report = cls.objects.create(
             start_date=start_date,
             end_date=end_date,
-            data={"rows": rows, "schema": "session-list/v1"},
+            data=payload,
             owner=owner,
             schedule=schedule,
             recipients=list(recipients or []),
             disable_emails=disable_emails,
+            language=normalized_language,
+            title=title_value,
         )
+        if charger_list:
+            report.chargers.set(charger_list)
+        return report
 
     def store_local_copy(self, html: str | None = None):
         """Persist the report data and optional HTML rendering to disk."""
@@ -2682,9 +3383,16 @@ class ClientReport(Entity):
         timestamp = timezone.now().strftime("%Y%m%d%H%M%S")
         identifier = f"client_report_{self.pk}_{timestamp}"
 
-        html_content = html or render_to_string(
-            "core/reports/client_report_email.html", {"report": self}
-        )
+        language_code = self.normalize_language(self.language)
+        context = {
+            "report": self,
+            "language_code": language_code,
+            "default_language": type(self).default_language(),
+        }
+        with override(language_code):
+            html_content = html or render_to_string(
+                "core/reports/client_report_email.html", context
+            )
         html_path = report_dir / f"{identifier}.html"
         html_path.write_text(html_content, encoding="utf-8")
 
@@ -2693,15 +3401,13 @@ class ClientReport(Entity):
             _json.dumps(self.data, indent=2, default=str), encoding="utf-8"
         )
 
-        def _relative(path: Path) -> str:
-            try:
-                return str(path.relative_to(base_dir))
-            except ValueError:
-                return str(path)
+        pdf_path = report_dir / f"{identifier}.pdf"
+        self.render_pdf(pdf_path)
 
         export = {
-            "html_path": _relative(html_path),
-            "json_path": _relative(json_path),
+            "html_path": ClientReport._relative_to_base(html_path, base_dir),
+            "json_path": ClientReport._relative_to_base(json_path, base_dir),
+            "pdf_path": ClientReport._relative_to_base(pdf_path, base_dir),
         }
 
         updated = dict(self.data)
@@ -2710,27 +3416,122 @@ class ClientReport(Entity):
         self.data = updated
         return export, html_content
 
+    def send_delivery(
+        self,
+        *,
+        to: list[str] | tuple[str, ...],
+        cc: list[str] | tuple[str, ...] | None = None,
+        outbox=None,
+        reply_to: list[str] | None = None,
+    ) -> list[str]:
+        from core import mailer
+
+        recipients = list(to or [])
+        if not recipients:
+            return []
+
+        pdf_path = self.ensure_pdf()
+        attachments = [
+            (pdf_path.name, pdf_path.read_bytes(), "application/pdf"),
+        ]
+
+        language_code = self.normalize_language(self.language)
+        with override(language_code):
+            totals = self.rows_for_display.get("totals", {})
+            start_display = formats.date_format(
+                self.start_date, format="DATE_FORMAT", use_l10n=True
+            )
+            end_display = formats.date_format(
+                self.end_date, format="DATE_FORMAT", use_l10n=True
+            )
+            total_kw_period_label = gettext("Total kW during period")
+            total_kw_all_label = gettext("Total kW (all time)")
+            report_title = self.normalize_title(self.title) or gettext(
+                "Consumer Report"
+            )
+            body_lines = [
+                gettext("%(title)s for %(start)s through %(end)s.")
+                % {"title": report_title, "start": start_display, "end": end_display},
+                f"{total_kw_period_label}: "
+                f"{formats.number_format(totals.get('total_kw_period', 0.0), decimal_pos=2, use_l10n=True)}.",
+                f"{total_kw_all_label}: "
+                f"{formats.number_format(totals.get('total_kw', 0.0), decimal_pos=2, use_l10n=True)}.",
+            ]
+            message = "\n".join(body_lines)
+            subject = gettext("%(title)s %(start)s - %(end)s") % {
+                "title": report_title,
+                "start": start_display,
+                "end": end_display,
+            }
+
+        kwargs = {}
+        if reply_to:
+            kwargs["reply_to"] = reply_to
+
+        mailer.send(
+            subject,
+            message,
+            recipients,
+            outbox=outbox,
+            cc=list(cc or []),
+            attachments=attachments,
+            **kwargs,
+        )
+
+        delivered = list(dict.fromkeys(recipients + list(cc or [])))
+        return delivered
+
+    @staticmethod
+    def build_rows(
+        start_date=None,
+        end_date=None,
+        *,
+        for_display: bool = False,
+        chargers=None,
+    ):
+        dataset = ClientReport._build_dataset(start_date, end_date, chargers=chargers)
+        if for_display:
+            return ClientReport._normalize_dataset_for_display(dataset)
+        return dataset
+
     @staticmethod
-    def build_rows(start_date=None, end_date=None, *, for_display: bool = False):
-        from ocpp.models import Transaction
+    def _build_dataset(start_date=None, end_date=None, *, chargers=None):
+        from datetime import datetime, time, timedelta, timezone as pytimezone
+        from ocpp.models import (
+            Charger,
+            Transaction,
+            annotate_transaction_energy_bounds,
+        )
 
-        qs = Transaction.objects.exclude(rfid="")
-        if start_date:
-            from datetime import datetime, time, timedelta, timezone as pytimezone
+        qs = Transaction.objects.all()
 
+        start_dt = None
+        end_dt = None
+        if start_date:
             start_dt = datetime.combine(start_date, time.min, tzinfo=pytimezone.utc)
             qs = qs.filter(start_time__gte=start_dt)
         if end_date:
-            from datetime import datetime, time, timedelta, timezone as pytimezone
-
             end_dt = datetime.combine(
                 end_date + timedelta(days=1), time.min, tzinfo=pytimezone.utc
             )
             qs = qs.filter(start_time__lt=end_dt)
 
-        transactions = list(
-            qs.select_related("account").order_by("-start_time", "-pk")
+        selected_base_ids = None
+        if chargers:
+            selected_base_ids = {
+                charger.charger_id for charger in chargers if charger.charger_id
+            }
+            if selected_base_ids:
+                qs = qs.filter(charger__charger_id__in=selected_base_ids)
+
+        qs = qs.select_related("account", "charger")
+        qs = annotate_transaction_energy_bounds(
+            qs,
+            start_field="report_meter_energy_start",
+            end_field="report_meter_energy_end",
         )
+        transactions = list(qs.order_by("start_time", "pk"))
+
         rfid_values = {tx.rfid for tx in transactions if tx.rfid}
         tag_map: dict[str, RFID] = {}
         if rfid_values:
@@ -2741,51 +3542,283 @@ class ClientReport(Entity):
                 )
             }
 
-        rows: list[dict[str, Any]] = []
+        charger_ids = {
+            tx.charger.charger_id
+            for tx in transactions
+            if getattr(tx, "charger", None) and tx.charger.charger_id
+        }
+        aggregator_map: dict[str, Charger] = {}
+        if charger_ids:
+            aggregator_map = {
+                charger.charger_id: charger
+                for charger in Charger.objects.filter(
+                    charger_id__in=charger_ids, connector_id__isnull=True
+                )
+            }
+
+        groups: dict[str, dict[str, Any]] = {}
         for tx in transactions:
-            energy = tx.kw
-            if energy <= 0:
+            charger = getattr(tx, "charger", None)
+            if charger is None:
+                continue
+            base_id = charger.charger_id
+            if selected_base_ids is not None and base_id not in selected_base_ids:
                 continue
+            aggregator = aggregator_map.get(base_id) or charger
+            entry = groups.setdefault(
+                base_id,
+                {"charger": aggregator, "transactions": []},
+            )
+            entry["transactions"].append(tx)
+
+        evcs_entries: list[dict[str, Any]] = []
+        total_all_time = 0.0
+        total_period = 0.0
+
+        def _sort_key(tx):
+            anchor = getattr(tx, "start_time", None)
+            if anchor is None:
+                anchor = datetime.min.replace(tzinfo=pytimezone.utc)
+            return (anchor, tx.pk or 0)
+
+        for base_id, info in sorted(groups.items(), key=lambda item: item[0]):
+            aggregator = info["charger"]
+            txs = sorted(info["transactions"], key=_sort_key)
+            total_kw_all = float(getattr(aggregator, "total_kw", 0.0) or 0.0)
+            total_kw_period = 0.0
+            if hasattr(aggregator, "total_kw_for_range"):
+                total_kw_period = float(
+                    aggregator.total_kw_for_range(start=start_dt, end=end_dt) or 0.0
+                )
+            total_all_time += total_kw_all
+            total_period += total_kw_period
 
-            subject = None
-            if tx.account and getattr(tx.account, "name", None):
-                subject = tx.account.name
-            else:
-                tag = tag_map.get(tx.rfid)
-                if tag:
-                    account = next(iter(tag.energy_accounts.all()), None)
-                    if account:
-                        subject = account.name
-                    else:
-                        subject = str(tag.label_id)
+            session_rows: list[dict[str, Any]] = []
+            for tx in txs:
+                session_kw = float(getattr(tx, "kw", 0.0) or 0.0)
+                if session_kw <= 0:
+                    continue
 
-            if subject is None:
-                subject = tx.rfid
+                start_kwh, end_kwh = ClientReport._resolve_meter_bounds(tx)
 
-            start_value = tx.start_time
-            end_value = tx.stop_time
-            if not for_display:
-                start_value = start_value.isoformat()
-                end_value = end_value.isoformat() if end_value else None
+                connector_number = (
+                    tx.connector_id
+                    if getattr(tx, "connector_id", None) is not None
+                    else getattr(getattr(tx, "charger", None), "connector_id", None)
+                )
+
+                rfid_value = (tx.rfid or "").strip()
+                tag = tag_map.get(rfid_value)
+                label = None
+                account_name = (
+                    tx.account.name
+                    if tx.account and getattr(tx.account, "name", None)
+                    else None
+                )
+                if tag:
+                    label = tag.custom_label or str(tag.label_id)
+                    if not account_name:
+                        account = next(iter(tag.energy_accounts.all()), None)
+                        if account and getattr(account, "name", None):
+                            account_name = account.name
+                elif rfid_value:
+                    label = rfid_value
+
+                session_rows.append(
+                    {
+                        "connector": connector_number,
+                        "rfid_label": label,
+                        "account_name": account_name,
+                        "start_kwh": start_kwh,
+                        "end_kwh": end_kwh,
+                        "session_kwh": session_kw,
+                        "start": tx.start_time.isoformat()
+                        if getattr(tx, "start_time", None)
+                        else None,
+                        "end": tx.stop_time.isoformat()
+                        if getattr(tx, "stop_time", None)
+                        else None,
+                    }
+                )
 
-            rows.append(
+            evcs_entries.append(
                 {
-                    "subject": subject,
-                    "rfid": tx.rfid,
-                    "kw": energy,
-                    "start": start_value,
-                    "end": end_value,
+                    "charger_id": aggregator.pk,
+                    "serial_number": aggregator.charger_id,
+                    "display_name": aggregator.display_name
+                    or aggregator.name
+                    or aggregator.charger_id,
+                    "total_kw": total_kw_all,
+                    "total_kw_period": total_kw_period,
+                    "transactions": session_rows,
                 }
             )
 
-        return rows
+        filters: dict[str, Any] = {}
+        if selected_base_ids:
+            filters["chargers"] = sorted(selected_base_ids)
 
-    @property
-    def rows_for_display(self):
-        rows = self.data.get("rows", [])
-        if self.data.get("schema") == "session-list/v1":
+        return {
+            "schema": "evcs-session/v1",
+            "evcs": evcs_entries,
+            "totals": {
+                "total_kw": total_all_time,
+                "total_kw_period": total_period,
+            },
+            "filters": filters,
+        }
+
+    @staticmethod
+    def _resolve_meter_bounds(tx) -> tuple[float | None, float | None]:
+        def _convert(value):
+            if value in {None, ""}:
+                return None
+            try:
+                return float(value) / 1000.0
+            except (TypeError, ValueError):
+                return None
+
+        start_value = _convert(getattr(tx, "meter_start", None))
+        end_value = _convert(getattr(tx, "meter_stop", None))
+
+        def _coerce_energy(value):
+            if value in {None, ""}:
+                return None
+            try:
+                return float(value)
+            except (TypeError, ValueError):
+                return None
+
+        if start_value is None:
+            annotated_start = getattr(tx, "report_meter_energy_start", None)
+            start_value = _coerce_energy(annotated_start)
+
+        if end_value is None:
+            annotated_end = getattr(tx, "report_meter_energy_end", None)
+            end_value = _coerce_energy(annotated_end)
+
+        if start_value is None or end_value is None:
+            readings_manager = getattr(tx, "meter_values", None)
+            if readings_manager is not None:
+                qs = readings_manager.filter(energy__isnull=False).order_by("timestamp")
+                if start_value is None:
+                    first_energy = qs.values_list("energy", flat=True).first()
+                    start_value = _coerce_energy(first_energy)
+                if end_value is None:
+                    last_energy = qs.order_by("-timestamp").values_list(
+                        "energy", flat=True
+                    ).first()
+                    end_value = _coerce_energy(last_energy)
+
+        return start_value, end_value
+
+    @staticmethod
+    def _format_session_datetime(value):
+        if not value:
+            return None
+        localized = timezone.localtime(value)
+        date_part = formats.date_format(
+            localized, format="MONTH_DAY_FORMAT", use_l10n=True
+        )
+        time_part = formats.time_format(
+            localized, format="TIME_FORMAT", use_l10n=True
+        )
+        return gettext("%(date)s, %(time)s") % {
+            "date": date_part,
+            "time": time_part,
+        }
+
+    @staticmethod
+    def _calculate_duration_minutes(start, end):
+        if not start or not end:
+            return None
+        total_seconds = (end - start).total_seconds()
+        if total_seconds < 0:
+            return None
+        return int(round(total_seconds / 60.0))
+
+    @staticmethod
+    def _normalize_dataset_for_display(dataset: dict[str, Any]):
+        schema = dataset.get("schema")
+        if schema == "evcs-session/v1":
+            from datetime import datetime
+
+            evcs_entries: list[dict[str, Any]] = []
+            for entry in dataset.get("evcs", []):
+                normalized_rows: list[dict[str, Any]] = []
+                for row in entry.get("transactions", []):
+                    start_val = row.get("start")
+                    end_val = row.get("end")
+
+                    start_dt = None
+                    if start_val:
+                        start_dt = parse_datetime(start_val)
+                        if start_dt and timezone.is_naive(start_dt):
+                            start_dt = timezone.make_aware(start_dt, timezone.utc)
+
+                    end_dt = None
+                    if end_val:
+                        end_dt = parse_datetime(end_val)
+                        if end_dt and timezone.is_naive(end_dt):
+                            end_dt = timezone.make_aware(end_dt, timezone.utc)
+
+                    normalized_rows.append(
+                        {
+                            "connector": row.get("connector"),
+                            "rfid_label": row.get("rfid_label"),
+                            "account_name": row.get("account_name"),
+                            "start_kwh": row.get("start_kwh"),
+                            "end_kwh": row.get("end_kwh"),
+                            "session_kwh": row.get("session_kwh"),
+                            "start": start_dt,
+                            "end": end_dt,
+                            "start_display": ClientReport._format_session_datetime(
+                                start_dt
+                            ),
+                            "end_display": ClientReport._format_session_datetime(
+                                end_dt
+                            ),
+                            "duration_minutes": ClientReport._calculate_duration_minutes(
+                                start_dt, end_dt
+                            ),
+                        }
+                    )
+
+                normalized_rows.sort(
+                    key=lambda item: (
+                        item["start"]
+                        if item["start"] is not None
+                        else datetime.min.replace(tzinfo=timezone.utc),
+                        item.get("connector") or 0,
+                    )
+                )
+
+                evcs_entries.append(
+                    {
+                        "display_name": entry.get("display_name")
+                        or entry.get("serial_number")
+                        or "Charge Point",
+                        "serial_number": entry.get("serial_number"),
+                        "total_kw": entry.get("total_kw", 0.0),
+                        "total_kw_period": entry.get("total_kw_period", 0.0),
+                        "transactions": normalized_rows,
+                    }
+                )
+
+            totals = dataset.get("totals", {})
+            return {
+                "schema": schema,
+                "evcs": evcs_entries,
+                "totals": {
+                    "total_kw": totals.get("total_kw", 0.0),
+                    "total_kw_period": totals.get("total_kw_period", 0.0),
+                },
+                "filters": dataset.get("filters", {}),
+            }
+
+        if schema == "session-list/v1":
             parsed: list[dict[str, Any]] = []
-            for row in rows:
+            for row in dataset.get("rows", []):
                 item = dict(row)
                 start_val = row.get("start")
                 end_val = row.get("end")
@@ -2796,6 +3829,7 @@ class ClientReport(Entity):
                         start_dt = timezone.make_aware(start_dt, timezone.utc)
                     item["start"] = start_dt
                 else:
+                    start_dt = None
                     item["start"] = None
 
                 if end_val:
@@ -2804,11 +3838,377 @@ class ClientReport(Entity):
                         end_dt = timezone.make_aware(end_dt, timezone.utc)
                     item["end"] = end_dt
                 else:
+                    end_dt = None
                     item["end"] = None
 
+                item["start_display"] = ClientReport._format_session_datetime(start_dt)
+                item["end_display"] = ClientReport._format_session_datetime(end_dt)
+                item["duration_minutes"] = ClientReport._calculate_duration_minutes(
+                    start_dt, end_dt
+                )
+
                 parsed.append(item)
-            return parsed
-        return rows
+
+            return {"schema": schema, "rows": parsed}
+
+        return {
+            "schema": schema,
+            "rows": dataset.get("rows", []),
+            "filters": dataset.get("filters", {}),
+        }
+
+    @property
+    def rows_for_display(self):
+        data = self.data or {}
+        return ClientReport._normalize_dataset_for_display(data)
+
+    @staticmethod
+    def _relative_to_base(path: Path, base_dir: Path) -> str:
+        try:
+            return str(path.relative_to(base_dir))
+        except ValueError:
+            return str(path)
+
+    @classmethod
+    def _load_pdf_template(cls, language_code: str | None) -> dict[str, str]:
+        from django.template import TemplateDoesNotExist
+        from django.template.loader import render_to_string
+
+        candidates: list[str] = []
+        normalized = cls.normalize_language(language_code)
+        if normalized:
+            candidates.append(normalized)
+
+        default_code = default_report_language()
+        if default_code and default_code not in candidates:
+            candidates.append(default_code)
+
+        if "en" not in candidates:
+            candidates.append("en")
+
+        for code in dict.fromkeys(candidates):
+            template_name = f"core/reports/client_report_pdf/{code}.json"
+            try:
+                rendered = render_to_string(template_name)
+            except TemplateDoesNotExist:
+                continue
+            if not rendered:
+                continue
+            try:
+                data = json.loads(rendered)
+            except json.JSONDecodeError:
+                logger.warning(
+                    "Invalid client report PDF template %s", template_name, exc_info=True
+                )
+                continue
+            if isinstance(data, dict):
+                return data
+
+        return {}
+
+    @staticmethod
+    def resolve_reply_to_for_owner(owner) -> list[str]:
+        if not owner:
+            return []
+        try:
+            inbox = owner.get_profile(EmailInbox)
+        except Exception:  # pragma: no cover - defensive catch
+            inbox = None
+        if inbox and getattr(inbox, "username", ""):
+            address = inbox.username.strip()
+            if address:
+                return [address]
+        return []
+
+    @staticmethod
+    def resolve_outbox_for_owner(owner):
+        from nodes.models import EmailOutbox, Node
+
+        if owner:
+            try:
+                outbox = owner.get_profile(EmailOutbox)
+            except Exception:  # pragma: no cover - defensive catch
+                outbox = None
+            if outbox:
+                return outbox
+
+        node = Node.get_local()
+        if node:
+            return getattr(node, "email_outbox", None)
+        return None
+
+    def render_pdf(self, target: Path):
+        from reportlab.lib import colors
+        from reportlab.lib.pagesizes import landscape, letter
+        from reportlab.lib.styles import getSampleStyleSheet
+        from reportlab.lib.units import inch
+        from reportlab.platypus import (
+            Paragraph,
+            SimpleDocTemplate,
+            Spacer,
+            Table,
+            TableStyle,
+        )
+
+        target_path = Path(target)
+        target_path.parent.mkdir(parents=True, exist_ok=True)
+
+        dataset = self.rows_for_display
+        schema = dataset.get("schema")
+
+        language_code = self.normalize_language(self.language)
+        with override(language_code):
+            styles = getSampleStyleSheet()
+            title_style = styles["Title"]
+            subtitle_style = styles["Heading2"]
+            normal_style = styles["BodyText"]
+            emphasis_style = styles["Heading3"]
+
+            document = SimpleDocTemplate(
+                str(target_path),
+                pagesize=landscape(letter),
+                leftMargin=0.5 * inch,
+                rightMargin=0.5 * inch,
+                topMargin=0.6 * inch,
+                bottomMargin=0.5 * inch,
+            )
+
+            story: list = []
+            labels = self._load_pdf_template(language_code)
+
+            def label(key: str, default: str) -> str:
+                value = labels.get(key) if isinstance(labels, dict) else None
+                if isinstance(value, str) and value.strip():
+                    return value
+                return gettext(default)
+
+            report_title = self.normalize_title(self.title) or label(
+                "title", "Consumer Report"
+            )
+            story.append(Paragraph(report_title, title_style))
+
+            start_display = formats.date_format(
+                self.start_date, format="DATE_FORMAT", use_l10n=True
+            )
+            end_display = formats.date_format(
+                self.end_date, format="DATE_FORMAT", use_l10n=True
+            )
+            default_period_text = gettext("Period: %(start)s to %(end)s") % {
+                "start": start_display,
+                "end": end_display,
+            }
+            period_template = labels.get("period") if isinstance(labels, dict) else None
+            if isinstance(period_template, str):
+                try:
+                    period_text = period_template.format(
+                        start=start_display, end=end_display
+                    )
+                except (KeyError, IndexError, ValueError):
+                    logger.warning(
+                        "Invalid period template for client report PDF: %s",
+                        period_template,
+                    )
+                    period_text = default_period_text
+            else:
+                period_text = default_period_text
+            story.append(Paragraph(period_text, emphasis_style))
+            story.append(Spacer(1, 0.25 * inch))
+
+            total_kw_all_time_label = label("total_kw_all_time", "Total kW (all time)")
+            total_kw_period_label = label("total_kw_period", "Total kW (period)")
+            connector_label = label("connector", "Connector")
+            account_label = label("account", "Account")
+            session_kwh_label = label("session_kwh", "Session kW")
+            session_start_label = label("session_start", "Session start")
+            session_end_label = label("session_end", "Session end")
+            time_label = label("time", "Time")
+            rfid_label = label("rfid_label", "RFID label")
+            no_sessions_period = label(
+                "no_sessions_period",
+                "No charging sessions recorded for the selected period.",
+            )
+            no_sessions_point = label(
+                "no_sessions_point",
+                "No charging sessions recorded for this charge point.",
+            )
+            no_structured_data = label(
+                "no_structured_data",
+                "No structured data is available for this report.",
+            )
+            report_totals_label = label("report_totals", "Report totals")
+            total_kw_period_line = label(
+                "total_kw_period_line", "Total kW during period"
+            )
+            charge_point_label = label("charge_point", "Charge Point")
+            serial_template = (
+                labels.get("charge_point_serial")
+                if isinstance(labels, dict)
+                else None
+            )
+
+            def format_datetime(value):
+                if not value:
+                    return "—"
+                return ClientReport._format_session_datetime(value) or "—"
+
+            def format_decimal(value):
+                if value is None:
+                    return "—"
+                return formats.number_format(value, decimal_pos=2, use_l10n=True)
+
+            def format_duration(value):
+                if value is None:
+                    return "—"
+                return formats.number_format(value, decimal_pos=0, use_l10n=True)
+
+            if schema == "evcs-session/v1":
+                evcs_entries = dataset.get("evcs", [])
+                if not evcs_entries:
+                    story.append(Paragraph(no_sessions_period, normal_style))
+                for index, evcs in enumerate(evcs_entries):
+                    if index:
+                        story.append(Spacer(1, 0.2 * inch))
+
+                    display_name = evcs.get("display_name") or charge_point_label
+                    serial_number = evcs.get("serial_number")
+                    if serial_number:
+                        if isinstance(serial_template, str):
+                            try:
+                                header_text = serial_template.format(
+                                    name=display_name, serial=serial_number
+                                )
+                            except (KeyError, IndexError, ValueError):
+                                header_text = serial_template
+                        else:
+                            header_text = gettext("%(name)s (Serial: %(serial)s)") % {
+                                "name": display_name,
+                                "serial": serial_number,
+                            }
+                    else:
+                        header_text = display_name
+                    story.append(Paragraph(header_text, subtitle_style))
+
+                    metrics_text = (
+                        f"{total_kw_all_time_label}: "
+                        f"{format_decimal(evcs.get('total_kw', 0.0))} | "
+                        f"{total_kw_period_label}: "
+                        f"{format_decimal(evcs.get('total_kw_period', 0.0))}"
+                    )
+                    story.append(Paragraph(metrics_text, normal_style))
+                    story.append(Spacer(1, 0.1 * inch))
+
+                    transactions = evcs.get("transactions", [])
+                    if transactions:
+                        table_data = [
+                            [
+                                session_kwh_label,
+                                session_start_label,
+                                session_end_label,
+                                time_label,
+                                connector_label,
+                                rfid_label,
+                                account_label,
+                            ]
+                        ]
+
+                        for row in transactions:
+                            start_dt = row.get("start")
+                            end_dt = row.get("end")
+                            duration_value = row.get("duration_minutes")
+                            table_data.append(
+                                [
+                                    format_decimal(row.get("session_kwh")),
+                                    format_datetime(start_dt),
+                                    format_datetime(end_dt),
+                                    format_duration(duration_value),
+                                    row.get("connector")
+                                    if row.get("connector") is not None
+                                    else "—",
+                                    row.get("rfid_label") or "—",
+                                    row.get("account_name") or "—",
+                                ]
+                            )
+
+                        column_count = len(table_data[0])
+                        col_width = document.width / column_count if column_count else None
+                        table = Table(
+                            table_data,
+                            repeatRows=1,
+                            colWidths=[col_width] * column_count if col_width else None,
+                            hAlign="LEFT",
+                        )
+                        table.setStyle(
+                            TableStyle(
+                                [
+                                    (
+                                        "BACKGROUND",
+                                        (0, 0),
+                                        (-1, 0),
+                                        colors.HexColor("#0f172a"),
+                                    ),
+                                    ("TEXTCOLOR", (0, 0), (-1, 0), colors.white),
+                                    ("ALIGN", (0, 0), (-1, 0), "CENTER"),
+                                    ("FONTNAME", (0, 0), (-1, 0), "Helvetica-Bold"),
+                                    ("FONTSIZE", (0, 0), (-1, 0), 9),
+                                    (
+                                        "ROWBACKGROUNDS",
+                                        (0, 1),
+                                        (-1, -1),
+                                        [colors.whitesmoke, colors.HexColor("#eef2ff")],
+                                    ),
+                                    ("GRID", (0, 0), (-1, -1), 0.25, colors.grey),
+                                    ("VALIGN", (0, 1), (-1, -1), "MIDDLE"),
+                                ]
+                            )
+                        )
+                        story.append(table)
+                    else:
+                        story.append(Paragraph(no_sessions_point, normal_style))
+            else:
+                story.append(Paragraph(no_structured_data, normal_style))
+
+            totals = dataset.get("totals") or {}
+            story.append(Spacer(1, 0.3 * inch))
+            story.append(Paragraph(report_totals_label, emphasis_style))
+            story.append(
+                Paragraph(
+                    f"{total_kw_all_time_label}: "
+                    f"{format_decimal(totals.get('total_kw', 0.0))}",
+                    emphasis_style,
+                )
+            )
+            story.append(
+                Paragraph(
+                    f"{total_kw_period_line}: "
+                    f"{format_decimal(totals.get('total_kw_period', 0.0))}",
+                    emphasis_style,
+                )
+            )
+
+            document.build(story)
+
+    def ensure_pdf(self) -> Path:
+        base_dir = Path(settings.BASE_DIR)
+        export = dict((self.data or {}).get("export") or {})
+        pdf_relative = export.get("pdf_path")
+        if pdf_relative:
+            candidate = base_dir / pdf_relative
+            if candidate.exists():
+                return candidate
+
+        report_dir = base_dir / "work" / "reports"
+        report_dir.mkdir(parents=True, exist_ok=True)
+        timestamp = timezone.now().strftime("%Y%m%d%H%M%S")
+        identifier = f"client_report_{self.pk}_{timestamp}"
+        pdf_path = report_dir / f"{identifier}.pdf"
+        self.render_pdf(pdf_path)
+
+        export["pdf_path"] = ClientReport._relative_to_base(pdf_path, base_dir)
+        updated = dict(self.data)
+        updated["export"] = export
+        type(self).objects.filter(pk=self.pk).update(data=updated)
+        self.data = updated
+        return pdf_path
 
 
 class BrandManager(EntityManager):
@@ -2968,6 +4368,11 @@ class Product(Entity):
         return self.name
 
 
+    class Meta:
+        verbose_name = _("Product")
+        verbose_name_plural = _("Products")
+
+
 class AdminHistory(Entity):
     """Record of recently visited admin changelists for a user."""
 
@@ -3209,6 +4614,11 @@ class PackageRelease(Entity):
     def natural_key(self):
         return (self.package.name, self.version)
 
+    class Severity(models.TextChoices):
+        NORMAL = "normal", _("Normal")
+        LOW = "low", _("Low")
+        CRITICAL = "critical", _("Critical")
+
     package = models.ForeignKey(
         Package, on_delete=models.CASCADE, related_name="releases"
     )
@@ -3219,6 +4629,12 @@ class PackageRelease(Entity):
     revision = models.CharField(
         max_length=40, blank=True, default=revision_utils.get_revision, editable=False
     )
+    severity = models.CharField(
+        max_length=16,
+        choices=Severity.choices,
+        default=Severity.NORMAL,
+        help_text=_("Controls the expected urgency for auto-upgrades."),
+    )
     changelog = models.TextField(blank=True, default="")
     pypi_url = models.URLField("PyPI URL", blank=True, editable=False)
     github_url = models.URLField("GitHub URL", blank=True, editable=False)
@@ -3243,7 +4659,13 @@ class PackageRelease(Entity):
         for release in cls.objects.all():
             name = f"releases__packagerelease_{release.version.replace('.', '_')}.json"
             path = base / name
-            data = serializers.serialize("json", [release])
+            data = serializers.serialize(
+                "json",
+                [release],
+                use_natural_foreign_keys=True,
+                use_natural_primary_keys=True,
+            )
+            data = json.dumps(json.loads(data), indent=2) + "\n"
             expected.add(name)
             try:
                 current = path.read_text(encoding="utf-8")
@@ -3255,6 +4677,10 @@ class PackageRelease(Entity):
             if old_name not in expected and old_path.exists():
                 old_path.unlink()
 
+    def delete(self, using=None, keep_parents=False):
+        user_data.delete_user_fixture(self)
+        super().delete(using=using, keep_parents=keep_parents)
+
     def __str__(self) -> str:  # pragma: no cover - trivial
         return f"{self.package.name} {self.version}"
 
@@ -3262,10 +4688,27 @@ class PackageRelease(Entity):
         """Return a :class:`ReleasePackage` built from the package."""
         return self.package.to_package()
 
-    def to_credentials(self) -> Credentials | None:
-        """Return :class:`Credentials` from the associated release manager."""
-        manager = self.release_manager or self.package.release_manager
-        if manager:
+    def to_credentials(
+        self, user: models.Model | None = None
+    ) -> Credentials | None:
+        """Return :class:`Credentials` from available release managers."""
+
+        manager_candidates: list[ReleaseManager] = []
+
+        for candidate in (self.release_manager, self.package.release_manager):
+            if candidate and candidate not in manager_candidates:
+                manager_candidates.append(candidate)
+
+        if user is not None and getattr(user, "is_authenticated", False):
+            try:
+                user_manager = ReleaseManager.objects.get(user=user)
+            except ReleaseManager.DoesNotExist:
+                user_manager = None
+            else:
+                if user_manager not in manager_candidates:
+                    manager_candidates.append(user_manager)
+
+        for manager in manager_candidates:
             creds = manager.to_credentials()
             if creds and creds.has_auth():
                 return creds
@@ -3287,7 +4730,9 @@ class PackageRelease(Entity):
             return manager.github_token
         return os.environ.get("GITHUB_TOKEN")
 
-    def build_publish_targets(self) -> list[RepositoryTarget]:
+    def build_publish_targets(
+        self, user: models.Model | None = None
+    ) -> list[RepositoryTarget]:
         """Return repository targets for publishing this release."""
 
         manager = self.release_manager or self.package.release_manager
@@ -3296,7 +4741,7 @@ class PackageRelease(Entity):
         env_primary = os.environ.get("PYPI_REPOSITORY_URL", "")
         primary_url = env_primary.strip()
 
-        primary_creds = self.to_credentials()
+        primary_creds = self.to_credentials(user=user)
         targets.append(
             RepositoryTarget(
                 name="PyPI",
@@ -3438,6 +4883,8 @@ class PackageRelease(Entity):
         """
 
         version = (version or "").strip()
+        if version.endswith("+"):
+            version = version.rstrip("+")
         revision = (revision or "").strip()
         if not version or not revision:
             return True
@@ -3523,73 +4970,6 @@ def _rfid_unique_energy_account(
                     "RFID tags may only be assigned to one energy account."
                 )
 
-
-def hash_key(key: str) -> str:
-    """Return a SHA-256 hash for ``key``."""
-
-    return hashlib.sha256(key.encode()).hexdigest()
-
-
-class AssistantProfile(Profile):
-    """Stores a hashed user key used by the assistant for authentication.
-
-    The plain-text ``user_key`` is generated server-side and shown only once.
-    Users must supply this key in the ``Authorization: Bearer <user_key>``
-    header when requesting protected endpoints. Only the hash is stored.
-    """
-
-    id = models.UUIDField(primary_key=True, default=uuid.uuid4, editable=False)
-    profile_fields = ("user_key_hash", "scopes", "is_active")
-    user_key_hash = models.CharField(max_length=64, unique=True)
-    scopes = models.JSONField(default=list, blank=True)
-    created_at = models.DateTimeField(auto_now_add=True)
-    last_used_at = models.DateTimeField(null=True, blank=True)
-    is_active = models.BooleanField(default=True)
-
-    class Meta:
-        db_table = "workgroup_assistantprofile"
-        verbose_name = "Assistant Profile"
-        verbose_name_plural = "Assistant Profiles"
-        constraints = [
-            models.CheckConstraint(
-                check=(
-                    (Q(user__isnull=False) & Q(group__isnull=True))
-                    | (Q(user__isnull=True) & Q(group__isnull=False))
-                ),
-                name="assistantprofile_requires_owner",
-            )
-        ]
-
-    @classmethod
-    def issue_key(cls, user) -> tuple["AssistantProfile", str]:
-        """Create or update a profile and return it with a new plain key."""
-
-        key = secrets.token_hex(32)
-        key_hash = hash_key(key)
-        if user is None:
-            raise ValueError("Assistant profiles require a user instance")
-
-        profile, _ = cls.objects.update_or_create(
-            user=user,
-            defaults={
-                "user_key_hash": key_hash,
-                "last_used_at": None,
-                "is_active": True,
-            },
-        )
-        return profile, key
-
-    def touch(self) -> None:
-        """Record that the key was used."""
-
-        self.last_used_at = timezone.now()
-        self.save(update_fields=["last_used_at"])
-
-    def __str__(self) -> str:  # pragma: no cover - simple representation
-        owner = self.owner_display()
-        return f"AssistantProfile for {owner}" if owner else "AssistantProfile"
-
-
 def validate_relative_url(value: str) -> None:
     if not value:
         return
@@ -3602,7 +4982,6 @@ class TodoManager(EntityManager):
     def get_by_natural_key(self, request: str):
         return self.get(request=request)
 
-
 class Todo(Entity):
     """Tasks requested for the Release Manager."""
 
@@ -3614,7 +4993,38 @@ class Todo(Entity):
     generated_for_version = models.CharField(max_length=20, blank=True, default="")
     generated_for_revision = models.CharField(max_length=40, blank=True, default="")
     done_on = models.DateTimeField(null=True, blank=True)
+    done_node = models.ForeignKey(
+        "nodes.Node",
+        null=True,
+        blank=True,
+        on_delete=models.SET_NULL,
+        related_name="completed_todos",
+        help_text="Node where this TODO was completed.",
+    )
+    done_version = models.CharField(max_length=20, blank=True, default="")
+    done_revision = models.CharField(max_length=40, blank=True, default="")
+    done_username = models.CharField(max_length=150, blank=True, default="")
     on_done_condition = ConditionTextField(blank=True, default="")
+    origin_node = models.ForeignKey(
+        "nodes.Node",
+        null=True,
+        blank=True,
+        on_delete=models.SET_NULL,
+        related_name="originated_todos",
+        help_text="Node where this TODO was generated.",
+    )
+    original_user = models.ForeignKey(
+        settings.AUTH_USER_MODEL,
+        null=True,
+        blank=True,
+        on_delete=models.SET_NULL,
+        related_name="originated_todos",
+        help_text="User responsible for creating this TODO.",
+    )
+    original_user_is_authenticated = models.BooleanField(
+        default=False,
+        help_text="Whether the originating user was authenticated during creation.",
+    )
 
     objects = TodoManager()
 
@@ -3655,6 +5065,203 @@ class Todo(Entity):
             return field.evaluate(self)
         return ConditionCheckResult(True, "")
 
+    def save(self, *args, **kwargs):
+        created = self.pk is None
+        tracked_fields = {
+            "done_on",
+            "done_node",
+            "done_node_id",
+            "done_revision",
+            "done_username",
+            "done_version",
+            "is_deleted",
+        }
+        update_fields = kwargs.get("update_fields")
+        monitor_changes = not created and (
+            update_fields is None or tracked_fields.intersection(update_fields)
+        )
+        previous_state = None
+        if monitor_changes:
+            previous_state = (
+                type(self)
+                .all_objects.filter(pk=self.pk)
+                .values(
+                    "done_on",
+                    "done_node_id",
+                    "done_revision",
+                    "done_username",
+                    "done_version",
+                    "is_deleted",
+                )
+                .first()
+            )
+        super().save(*args, **kwargs)
+
+        if created:
+            return
+
+        previous_done_on = previous_state["done_on"] if previous_state else None
+        previous_is_deleted = previous_state["is_deleted"] if previous_state else False
+        previous_done_node = (
+            previous_state["done_node_id"] if previous_state else None
+        )
+        previous_done_revision = (
+            previous_state["done_revision"] if previous_state else ""
+        )
+        previous_done_username = (
+            previous_state["done_username"] if previous_state else ""
+        )
+        previous_done_version = (
+            previous_state["done_version"] if previous_state else ""
+        )
+        if (
+            previous_done_on == self.done_on
+            and previous_is_deleted == self.is_deleted
+            and previous_done_node == getattr(self, "done_node_id", None)
+            and previous_done_revision == self.done_revision
+            and previous_done_username == self.done_username
+            and previous_done_version == self.done_version
+        ):
+            return
+
+        self._update_fixture_state()
+
+    def populate_done_metadata(self, user=None) -> None:
+        """Populate metadata fields for a completed TODO."""
+
+        node = None
+        try:  # pragma: no cover - defensive import guard
+            from nodes.models import Node  # type: ignore
+        except Exception:  # pragma: no cover - when app not ready
+            Node = None
+
+        if Node is not None:
+            try:
+                node = Node.get_local()
+            except Exception:  # pragma: no cover - fallback on errors
+                node = None
+        self.done_node = node if node else None
+
+        version_value = ""
+        revision_value = ""
+        if node is not None:
+            version_value = (node.installed_version or "").strip()
+            revision_value = (node.installed_revision or "").strip()
+
+        if not version_value:
+            version_path = Path(settings.BASE_DIR) / "VERSION"
+            try:
+                version_value = version_path.read_text(encoding="utf-8").strip()
+            except OSError:
+                version_value = ""
+
+        if not revision_value:
+            try:
+                revision_value = revision_utils.get_revision() or ""
+            except Exception:  # pragma: no cover - defensive fallback
+                revision_value = ""
+
+        username_value = ""
+        if user is not None and getattr(user, "is_authenticated", False):
+            try:
+                username_value = user.get_username() or ""
+            except Exception:  # pragma: no cover - fallback to attribute
+                username_value = getattr(user, "username", "") or ""
+
+        self.done_version = version_value
+        self.done_revision = revision_value
+        self.done_username = username_value
+
+    def _update_fixture_state(self) -> None:
+        if not self.is_seed_data:
+            return
+
+        request_text = (self.request or "").strip()
+        if not request_text:
+            return
+
+        slug = self._fixture_slug(request_text)
+        if not slug:
+            return
+
+        base_dir = Path(settings.BASE_DIR)
+        fixture_path = base_dir / "core" / "fixtures" / f"todo__{slug}.json"
+        if not fixture_path.exists():
+            return
+
+        try:
+            with fixture_path.open("r", encoding="utf-8") as handle:
+                data = json.load(handle)
+        except Exception:
+            logger.exception("Failed to read TODO fixture %s", fixture_path)
+            return
+
+        if not isinstance(data, list):
+            return
+
+        updated = False
+        normalized_request = request_text.lower()
+        for item in data:
+            if not isinstance(item, dict):
+                continue
+            fields = item.get("fields")
+            if not isinstance(fields, dict):
+                continue
+            candidate = (fields.get("request") or "").strip().lower()
+            if candidate != normalized_request:
+                continue
+            if self._apply_fixture_fields(fields):
+                updated = True
+
+        if not updated:
+            return
+
+        content = json.dumps(data, indent=2, ensure_ascii=False)
+        if not content.endswith("\n"):
+            content += "\n"
+
+        try:
+            fixture_path.write_text(content, encoding="utf-8")
+        except OSError:
+            logger.exception("Failed to write TODO fixture %s", fixture_path)
+
+    def _apply_fixture_fields(self, fields: dict[str, object]) -> bool:
+        changed = False
+
+        def _assign(key: str, value: object) -> None:
+            nonlocal changed
+            if fields.get(key) != value:
+                fields[key] = value
+                changed = True
+
+        _assign("request", self.request or "")
+        _assign("url", self.url or "")
+        _assign("request_details", self.request_details or "")
+        _assign("done_version", self.done_version or "")
+        _assign("done_revision", self.done_revision or "")
+        _assign("done_username", self.done_username or "")
+
+        if self.done_on:
+            done_value = timezone.localtime(self.done_on)
+            _assign("done_on", done_value.isoformat())
+        else:
+            if fields.get("done_on") is not None:
+                fields["done_on"] = None
+                changed = True
+
+        if self.is_deleted:
+            _assign("is_deleted", True)
+        elif fields.get("is_deleted"):
+            fields["is_deleted"] = False
+            changed = True
+
+        return changed
+
+    @staticmethod
+    def _fixture_slug(value: str) -> str:
+        slug = re.sub(r"[^a-z0-9]+", "_", value.lower()).strip("_")
+        return slug
+
 
 class TOTPDeviceSettings(models.Model):
     """Per-device configuration options for authenticator enrollments."""
@@ -3674,5 +5281,5 @@ class TOTPDeviceSettings(models.Model):
     is_user_data = models.BooleanField(default=False)
 
     class Meta:
-        verbose_name = _("Authenticator device settings")
-        verbose_name_plural = _("Authenticator device settings")
+        verbose_name = _("Authenticator Device Setting")
+        verbose_name_plural = _("Authenticator Device Settings")