Phase 1: scaffold local backend — models, schemas, routers, printer service, Docker

2026-04-20 11:22:55 +03:00
commit 4ffe27df95
44 changed files with 2729 additions and 0 deletions
--- a/local_backend/routers/init.py
+++ b/local_backend/routers/init.py
--- a/local_backend/routers/auth.py
+++ b/local_backend/routers/auth.py
@@ -0,0 +1,64 @@
+import jwt
+import bcrypt
+from datetime import datetime, timedelta, timezone
+from fastapi import APIRouter, Depends, HTTPException, status
+from sqlalchemy.orm import Session
+
+from database import get_db
+from config import settings
+from models.user import User
+from schemas.auth import LoginRequest, TokenResponse
+from schemas.user import UserOut
+
+router = APIRouter()
+
+TOKEN_EXPIRY_HOURS = 8
+# In-memory token blacklist (cleared on restart — acceptable for local use)
+_blacklisted_tokens: set[str] = set()
+
+
+def _make_token(user: User) -> str:
+    payload = {
+        "sub": str(user.id),
+        "username": user.username,
+        "role": user.role,
+        "exp": datetime.now(timezone.utc) + timedelta(hours=TOKEN_EXPIRY_HOURS),
+    }
+    return jwt.encode(payload, settings.SECRET_KEY, algorithm="HS256")
+
+
+def decode_token(token: str) -> dict:
+    if token in _blacklisted_tokens:
+        raise HTTPException(status_code=status.HTTP_401_UNAUTHORIZED, detail="Token revoked")
+    try:
+        return jwt.decode(token, settings.SECRET_KEY, algorithms=["HS256"])
+    except jwt.ExpiredSignatureError:
+        raise HTTPException(status_code=status.HTTP_401_UNAUTHORIZED, detail="Token expired")
+    except jwt.InvalidTokenError:
+        raise HTTPException(status_code=status.HTTP_401_UNAUTHORIZED, detail="Invalid token")
+
+
+@router.post("/login", response_model=TokenResponse)
+def login(body: LoginRequest, db: Session = Depends(get_db)):
+    user = db.query(User).filter(User.username == body.username, User.is_active == True).first()
+    if not user or not bcrypt.checkpw(body.pin.encode(), user.pin_hash.encode()):
+        raise HTTPException(status_code=status.HTTP_401_UNAUTHORIZED, detail="Invalid credentials")
+    token = _make_token(user)
+    return TokenResponse(access_token=token, user=UserOut.model_validate(user))
+
+
+@router.post("/refresh", response_model=TokenResponse)
+def refresh(token: str, db: Session = Depends(get_db)):
+    payload = decode_token(token)
+    user = db.query(User).filter(User.id == int(payload["sub"]), User.is_active == True).first()
+    if not user:
+        raise HTTPException(status_code=status.HTTP_401_UNAUTHORIZED, detail="User not found")
+    _blacklisted_tokens.add(token)
+    new_token = _make_token(user)
+    return TokenResponse(access_token=new_token, user=UserOut.model_validate(user))
+
+
+@router.post("/logout")
+def logout(token: str):
+    _blacklisted_tokens.add(token)
+    return {"status": "logged out"}
--- a/local_backend/routers/deps.py
+++ b/local_backend/routers/deps.py
@@ -0,0 +1,32 @@
+from fastapi import Depends, HTTPException, status
+from fastapi.security import HTTPBearer, HTTPAuthorizationCredentials
+from sqlalchemy.orm import Session
+
+from database import get_db
+from models.user import User
+from routers.auth import decode_token
+
+bearer = HTTPBearer()
+
+
+def get_current_user(
+    credentials: HTTPAuthorizationCredentials = Depends(bearer),
+    db: Session = Depends(get_db),
+) -> User:
+    payload = decode_token(credentials.credentials)
+    user = db.query(User).filter(User.id == int(payload["sub"]), User.is_active == True).first()
+    if not user:
+        raise HTTPException(status_code=status.HTTP_401_UNAUTHORIZED, detail="User not found")
+    return user
+
+
+def require_manager(user: User = Depends(get_current_user)) -> User:
+    if user.role not in ("manager", "sysadmin"):
+        raise HTTPException(status_code=status.HTTP_403_FORBIDDEN, detail="Manager access required")
+    return user
+
+
+def require_sysadmin(user: User = Depends(get_current_user)) -> User:
+    if user.role != "sysadmin":
+        raise HTTPException(status_code=status.HTTP_403_FORBIDDEN, detail="Sysadmin access required")
+    return user
--- a/local_backend/routers/orders.py
+++ b/local_backend/routers/orders.py
@@ -0,0 +1,231 @@
+import json
+from datetime import datetime
+from fastapi import APIRouter, Depends, HTTPException, status, BackgroundTasks
+from sqlalchemy.orm import Session
+from typing import List, Optional
+
+from database import get_db
+from models.order import Order, OrderItem, OrderWaiter
+from models.user import User, AssistantAssignment
+from models.product import Product
+from schemas.order import OrderCreate, OrderOut, OrderItemOut, AddItemsRequest, PayItemsRequest, AssignWaiterRequest
+from routers.deps import get_current_user, require_manager
+from services.printer_service import route_and_print
+
+router = APIRouter()
+
+
+def _can_access_order(order: Order, user: User, db: Session) -> bool:
+    if user.role in ("manager", "sysadmin"):
+        return True
+    if order.opened_by == user.id:
+        return True
+    if any(ow.waiter_id == user.id for ow in order.waiters):
+        return True
+    # Assistant check: user is assistant to any waiter assigned to this order
+    assigned_ids = {ow.waiter_id for ow in order.waiters}
+    assistant_of = db.query(AssistantAssignment).filter(
+        AssistantAssignment.assistant_waiter_id == user.id,
+        AssistantAssignment.primary_waiter_id.in_(assigned_ids),
+    ).first()
+    return assistant_of is not None
+
+
+@router.get("/", response_model=List[OrderOut])
+def list_orders(
+    order_status: Optional[str] = None,
+    waiter_id: Optional[int] = None,
+    db: Session = Depends(get_db),
+    user: User = Depends(require_manager),
+):
+    q = db.query(Order)
+    if order_status:
+        q = q.filter(Order.status == order_status)
+    if waiter_id:
+        q = q.join(OrderWaiter).filter(OrderWaiter.waiter_id == waiter_id)
+    return q.all()
+
+
+@router.get("/my", response_model=List[OrderOut])
+def my_orders(db: Session = Depends(get_db), user: User = Depends(get_current_user)):
+    direct = db.query(Order).join(OrderWaiter).filter(
+        OrderWaiter.waiter_id == user.id,
+        Order.status.in_(["open", "partially_paid"]),
+    ).all()
+    # Also orders where user is opener but not explicitly assigned
+    also_opened = db.query(Order).filter(
+        Order.opened_by == user.id,
+        Order.status.in_(["open", "partially_paid"]),
+    ).all()
+    seen = {o.id for o in direct}
+    return direct + [o for o in also_opened if o.id not in seen]
+
+
+@router.get("/{order_id}", response_model=OrderOut)
+def get_order(order_id: int, db: Session = Depends(get_db), user: User = Depends(get_current_user)):
+    order = db.query(Order).filter(Order.id == order_id).first()
+    if not order:
+        raise HTTPException(status_code=404, detail="Order not found")
+    if not _can_access_order(order, user, db):
+        raise HTTPException(status_code=403, detail="Access denied")
+    return order
+
+
+@router.post("/", response_model=OrderOut, status_code=status.HTTP_201_CREATED)
+def open_order(body: OrderCreate, db: Session = Depends(get_db), user: User = Depends(get_current_user)):
+    existing = db.query(Order).filter(
+        Order.table_id == body.table_id,
+        Order.status.in_(["open", "partially_paid"]),
+    ).first()
+    if existing:
+        raise HTTPException(status_code=400, detail="Table already has an open order")
+    order = Order(table_id=body.table_id, opened_by=user.id)
+    db.add(order)
+    db.flush()
+    db.add(OrderWaiter(order_id=order.id, waiter_id=user.id))
+    db.commit()
+    db.refresh(order)
+    return order
+
+
+@router.post("/{order_id}/items", response_model=OrderOut)
+def add_items(
+    order_id: int,
+    body: AddItemsRequest,
+    background_tasks: BackgroundTasks,
+    db: Session = Depends(get_db),
+    user: User = Depends(get_current_user),
+):
+    order = db.query(Order).filter(Order.id == order_id).first()
+    if not order:
+        raise HTTPException(status_code=404, detail="Order not found")
+    if not _can_access_order(order, user, db):
+        raise HTTPException(status_code=403, detail="Access denied")
+    if order.status not in ("open", "partially_paid"):
+        raise HTTPException(status_code=400, detail="Order is not open")
+
+    new_item_ids = []
+    for item_in in body.items:
+        product = db.query(Product).filter(Product.id == item_in.product_id).first()
+        if not product or not product.is_available:
+            raise HTTPException(status_code=400, detail=f"Product {item_in.product_id} not available")
+        item = OrderItem(
+            order_id=order_id,
+            product_id=item_in.product_id,
+            added_by=user.id,
+            quantity=item_in.quantity,
+            unit_price=product.base_price,  # price snapshot
+            selected_options=json.dumps(item_in.selected_options) if item_in.selected_options else None,
+            removed_ingredients=json.dumps(item_in.removed_ingredients) if item_in.removed_ingredients else None,
+            notes=item_in.notes,
+        )
+        db.add(item)
+        db.flush()
+        new_item_ids.append(item.id)
+
+    db.commit()
+    db.refresh(order)
+
+    # Printer routing runs in background — must never block the order save
+    background_tasks.add_task(route_and_print, order_id, new_item_ids)
+
+    return order
+
+
+@router.put("/{order_id}/items/{item_id}", response_model=OrderItemOut)
+def edit_item(order_id: int, item_id: int, notes: Optional[str] = None, db: Session = Depends(get_db), user: User = Depends(require_manager)):
+    item = db.query(OrderItem).filter(OrderItem.id == item_id, OrderItem.order_id == order_id).first()
+    if not item:
+        raise HTTPException(status_code=404, detail="Item not found")
+    if notes is not None:
+        item.notes = notes
+    db.commit()
+    db.refresh(item)
+    return item
+
+
+@router.delete("/{order_id}/items/{item_id}", status_code=status.HTTP_204_NO_CONTENT)
+def cancel_item(order_id: int, item_id: int, db: Session = Depends(get_db), user: User = Depends(require_manager)):
+    item = db.query(OrderItem).filter(OrderItem.id == item_id, OrderItem.order_id == order_id).first()
+    if not item:
+        raise HTTPException(status_code=404, detail="Item not found")
+    item.status = "cancelled"
+    db.commit()
+
+
+@router.post("/{order_id}/pay")
+def pay_items(order_id: int, body: PayItemsRequest, db: Session = Depends(get_db), user: User = Depends(get_current_user)):
+    order = db.query(Order).filter(Order.id == order_id).first()
+    if not order:
+        raise HTTPException(status_code=404, detail="Order not found")
+    if not _can_access_order(order, user, db):
+        raise HTTPException(status_code=403, detail="Access denied")
+
+    items = db.query(OrderItem).filter(
+        OrderItem.id.in_(body.item_ids),
+        OrderItem.order_id == order_id,
+        OrderItem.status == "active",
+    ).all()
+    for item in items:
+        item.status = "paid"
+
+    active_remaining = db.query(OrderItem).filter(
+        OrderItem.order_id == order_id, OrderItem.status == "active"
+    ).count()
+    order.status = "paid" if active_remaining == 0 else "partially_paid"
+
+    db.commit()
+    return {"status": order.status, "paid_item_ids": [i.id for i in items]}
+
+
+@router.post("/{order_id}/close")
+def close_order(order_id: int, db: Session = Depends(get_db), user: User = Depends(get_current_user)):
+    order = db.query(Order).filter(Order.id == order_id).first()
+    if not order:
+        raise HTTPException(status_code=404, detail="Order not found")
+    if not _can_access_order(order, user, db):
+        raise HTTPException(status_code=403, detail="Access denied")
+    if order.status not in ("paid", "open", "partially_paid"):
+        raise HTTPException(status_code=400, detail="Cannot close order in current status")
+    order.status = "closed"
+    order.closed_at = datetime.utcnow()
+    order.closed_by = user.id
+    db.commit()
+    return {"status": "closed"}
+
+
+@router.delete("/{order_id}", status_code=status.HTTP_204_NO_CONTENT)
+def cancel_order(order_id: int, db: Session = Depends(get_db), user: User = Depends(require_manager)):
+    order = db.query(Order).filter(Order.id == order_id).first()
+    if not order:
+        raise HTTPException(status_code=404, detail="Order not found")
+    order.status = "cancelled"
+    order.closed_at = datetime.utcnow()
+    order.closed_by = user.id
+    db.commit()
+
+
+@router.put("/{order_id}/assign-waiter")
+def assign_waiter(order_id: int, body: AssignWaiterRequest, db: Session = Depends(get_db), user: User = Depends(require_manager)):
+    order = db.query(Order).filter(Order.id == order_id).first()
+    if not order:
+        raise HTTPException(status_code=404, detail="Order not found")
+    existing = db.query(OrderWaiter).filter(
+        OrderWaiter.order_id == order_id, OrderWaiter.waiter_id == body.waiter_id
+    ).first()
+    if existing:
+        raise HTTPException(status_code=400, detail="Waiter already assigned")
+    db.add(OrderWaiter(order_id=order_id, waiter_id=body.waiter_id))
+    db.commit()
+    return {"status": "assigned"}
+
+
+@router.delete("/{order_id}/waiters/{waiter_id}", status_code=status.HTTP_204_NO_CONTENT)
+def remove_waiter(order_id: int, waiter_id: int, db: Session = Depends(get_db), user: User = Depends(require_manager)):
+    assignment = db.query(OrderWaiter).filter(
+        OrderWaiter.order_id == order_id, OrderWaiter.waiter_id == waiter_id
+    ).first()
+    if not assignment:
+        raise HTTPException(status_code=404, detail="Assignment not found")
+    db.delete(assignment)
+    db.commit()
--- a/local_backend/routers/products.py
+++ b/local_backend/routers/products.py
@@ -0,0 +1,94 @@
+from fastapi import APIRouter, Depends, HTTPException, status
+from sqlalchemy.orm import Session
+from typing import List
+
+from database import get_db
+from models.product import Product, Category, ProductOption, ProductIngredient
+from models.user import User
+from schemas.product import (
+    ProductCreate, ProductUpdate, ProductOut,
+    CategoryCreate, CategoryUpdate, CategoryOut,
+)
+from routers.deps import get_current_user, require_manager
+
+router = APIRouter()
+
+
+# ── Categories ───────────────────────────────────────────────────────────────
+
+@router.get("/categories", response_model=List[CategoryOut])
+def list_categories(db: Session = Depends(get_db), user: User = Depends(get_current_user)):
+    return db.query(Category).order_by(Category.sort_order).all()
+
+
+@router.post("/categories", response_model=CategoryOut, status_code=status.HTTP_201_CREATED)
+def create_category(body: CategoryCreate, db: Session = Depends(get_db), user: User = Depends(require_manager)):
+    cat = Category(**body.model_dump())
+    db.add(cat)
+    db.commit()
+    db.refresh(cat)
+    return cat
+
+
+@router.put("/categories/{category_id}", response_model=CategoryOut)
+def update_category(category_id: int, body: CategoryUpdate, db: Session = Depends(get_db), user: User = Depends(require_manager)):
+    cat = db.query(Category).filter(Category.id == category_id).first()
+    if not cat:
+        raise HTTPException(status_code=404, detail="Category not found")
+    for field, value in body.model_dump(exclude_none=True).items():
+        setattr(cat, field, value)
+    db.commit()
+    db.refresh(cat)
+    return cat
+
+
+@router.delete("/categories/{category_id}", status_code=status.HTTP_204_NO_CONTENT)
+def delete_category(category_id: int, db: Session = Depends(get_db), user: User = Depends(require_manager)):
+    cat = db.query(Category).filter(Category.id == category_id).first()
+    if not cat:
+        raise HTTPException(status_code=404, detail="Category not found")
+    db.delete(cat)
+    db.commit()
+
+
+# ── Products ──────────────────────────────────────────────────────────────────
+
+@router.get("/", response_model=List[ProductOut])
+def list_products(db: Session = Depends(get_db), user: User = Depends(get_current_user)):
+    return db.query(Product).filter(Product.is_available == True).all()
+
+
+@router.post("/", response_model=ProductOut, status_code=status.HTTP_201_CREATED)
+def create_product(body: ProductCreate, db: Session = Depends(get_db), user: User = Depends(require_manager)):
+    data = body.model_dump(exclude={"options", "ingredients"})
+    product = Product(**data)
+    db.add(product)
+    db.flush()
+    for opt in body.options:
+        db.add(ProductOption(product_id=product.id, **opt.model_dump()))
+    for ing in body.ingredients:
+        db.add(ProductIngredient(product_id=product.id, **ing.model_dump()))
+    db.commit()
+    db.refresh(product)
+    return product
+
+
+@router.put("/{product_id}", response_model=ProductOut)
+def update_product(product_id: int, body: ProductUpdate, db: Session = Depends(get_db), user: User = Depends(require_manager)):
+    product = db.query(Product).filter(Product.id == product_id).first()
+    if not product:
+        raise HTTPException(status_code=404, detail="Product not found")
+    for field, value in body.model_dump(exclude_none=True).items():
+        setattr(product, field, value)
+    db.commit()
+    db.refresh(product)
+    return product
+
+
+@router.delete("/{product_id}", status_code=status.HTTP_204_NO_CONTENT)
+def deactivate_product(product_id: int, db: Session = Depends(get_db), user: User = Depends(require_manager)):
+    product = db.query(Product).filter(Product.id == product_id).first()
+    if not product:
+        raise HTTPException(status_code=404, detail="Product not found")
+    product.is_available = False
+    db.commit()
--- a/local_backend/routers/reports.py
+++ b/local_backend/routers/reports.py
@@ -0,0 +1,86 @@
+from fastapi import APIRouter, Depends, Query
+from sqlalchemy.orm import Session
+from sqlalchemy import func
+from datetime import date, datetime, timedelta
+from typing import Optional, List
+
+from database import get_db
+from models.order import Order, OrderItem, OrderWaiter
+from models.user import User
+from models.table import Table
+from schemas.order import OrderOut
+from schemas.table import TableOut
+from routers.deps import require_manager
+
+router = APIRouter()
+
+
+@router.get("/shift")
+def shift_summary(
+    report_date: Optional[date] = Query(default=None, alias="date"),
+    waiter_id: Optional[int] = None,
+    db: Session = Depends(get_db),
+    user: User = Depends(require_manager),
+):
+    target = report_date or date.today()
+    start = datetime.combine(target, datetime.min.time())
+    end = start + timedelta(days=1)
+
+    q = db.query(Order).filter(Order.opened_at >= start, Order.opened_at < end)
+    if waiter_id:
+        q = q.join(OrderWaiter).filter(OrderWaiter.waiter_id == waiter_id)
+    orders = q.all()
+
+    summary = {}
+    for order in orders:
+        waiter = db.query(User).filter(User.id == order.opened_by).first()
+        key = waiter.username if waiter else "unknown"
+        if key not in summary:
+            summary[key] = {"orders": 0, "items": 0, "total": 0.0}
+        summary[key]["orders"] += 1
+        for item in order.items:
+            if item.status in ("active", "paid"):
+                summary[key]["items"] += item.quantity
+                summary[key]["total"] += item.unit_price * item.quantity
+
+    return {"date": str(target), "waiters": summary}
+
+
+@router.get("/orders/history", response_model=List[OrderOut])
+def order_history(
+    from_date: Optional[str] = Query(default=None, alias="from"),
+    to_date: Optional[str] = Query(default=None, alias="to"),
+    waiter_id: Optional[int] = None,
+    order_status: Optional[str] = Query(default=None, alias="status"),
+    page: int = 1,
+    page_size: int = 50,
+    db: Session = Depends(get_db),
+    user: User = Depends(require_manager),
+):
+    q = db.query(Order)
+    if from_date:
+        q = q.filter(Order.opened_at >= datetime.fromisoformat(from_date))
+    if to_date:
+        q = q.filter(Order.opened_at <= datetime.fromisoformat(to_date))
+    if waiter_id:
+        q = q.join(OrderWaiter).filter(OrderWaiter.waiter_id == waiter_id)
+    if order_status:
+        q = q.filter(Order.status == order_status)
+    return q.order_by(Order.opened_at.desc()).offset((page - 1) * page_size).limit(page_size).all()
+
+
+@router.get("/tables/summary")
+def tables_summary(db: Session = Depends(get_db), user: User = Depends(require_manager)):
+    tables = db.query(Table).filter(Table.is_active == True).all()
+    result = []
+    for table in tables:
+        active_order = db.query(Order).filter(
+            Order.table_id == table.id,
+            Order.status.in_(["open", "partially_paid"]),
+        ).first()
+        result.append({
+            "table": TableOut.model_validate(table),
+            "status": active_order.status if active_order else "free",
+            "order_id": active_order.id if active_order else None,
+        })
+    return result
--- a/local_backend/routers/system.py
+++ b/local_backend/routers/system.py
@@ -0,0 +1,71 @@
+import time
+from fastapi import APIRouter, Depends, HTTPException
+from sqlalchemy.orm import Session
+from typing import List
+
+from database import get_db
+from models.printer import Printer
+from schemas.printer import PrinterUpdate, PrinterOut
+from routers.deps import get_current_user, require_manager, require_sysadmin
+from models.user import User
+from services import printer_service
+from middleware.license_check import license_state
+
+router = APIRouter()
+
+_start_time = time.time()
+
+
+@router.get("/health")
+def health():
+    return {"status": "ok"}
+
+
+@router.get("/status")
+def system_status(db: Session = Depends(get_db), user: User = Depends(get_current_user)):
+    printers = db.query(Printer).filter(Printer.is_active == True).all()
+    printer_statuses = []
+    for p in printers:
+        reachable = printer_service.check_printer(p.ip_address, p.port)
+        printer_statuses.append({"id": p.id, "name": p.name, "reachable": reachable})
+
+    return {
+        "uptime_seconds": int(time.time() - _start_time),
+        "licensed": license_state.get("licensed", True),
+        "locked": license_state.get("locked", False),
+        "expires_at": license_state.get("expires_at"),
+        "printers": printer_statuses,
+    }
+
+
+@router.post("/printers/test")
+def test_printer(printer_id: int, db: Session = Depends(get_db), user: User = Depends(require_manager)):
+    printer = db.query(Printer).filter(Printer.id == printer_id).first()
+    if not printer:
+        raise HTTPException(status_code=404, detail="Printer not found")
+    success, error = printer_service.send_test_print(printer.ip_address, printer.port, printer.name)
+    return {"success": success, "error": error}
+
+
+@router.put("/printers/{printer_id}", response_model=PrinterOut)
+def update_printer(printer_id: int, body: PrinterUpdate, db: Session = Depends(get_db), user: User = Depends(require_sysadmin)):
+    printer = db.query(Printer).filter(Printer.id == printer_id).first()
+    if not printer:
+        raise HTTPException(status_code=404, detail="Printer not found")
+    for field, value in body.model_dump(exclude_none=True).items():
+        setattr(printer, field, value)
+    db.commit()
+    db.refresh(printer)
+    return printer
+
+
+@router.post("/lock")
+def lock_system(token: str, user: User = Depends(require_sysadmin)):
+    license_state["locked"] = True
+    return {"status": "locked"}
+
+
+@router.post("/unlock")
+def unlock_system(token: str, user: User = Depends(require_sysadmin)):
+    license_state["locked"] = False
+    return {"status": "unlocked"}
--- a/local_backend/routers/tables.py
+++ b/local_backend/routers/tables.py
@@ -0,0 +1,78 @@
+from fastapi import APIRouter, Depends, HTTPException, status
+from sqlalchemy.orm import Session
+from typing import List
+
+from database import get_db
+from models.table import Table
+from models.order import Order
+from models.user import User
+from schemas.table import TableCreate, TableUpdate, TableFloorplanUpdate, TableOut
+from routers.deps import get_current_user, require_manager
+
+router = APIRouter()
+
+
+@router.get("/", response_model=List[TableOut])
+def list_tables(db: Session = Depends(get_db), user: User = Depends(get_current_user)):
+    return db.query(Table).filter(Table.is_active == True).all()
+
+
+@router.post("/", response_model=TableOut, status_code=status.HTTP_201_CREATED)
+def create_table(body: TableCreate, db: Session = Depends(get_db), user: User = Depends(require_manager)):
+    if db.query(Table).filter(Table.number == body.number).first():
+        raise HTTPException(status_code=400, detail="Table number already exists")
+    table = Table(**body.model_dump())
+    db.add(table)
+    db.commit()
+    db.refresh(table)
+    return table
+
+
+@router.put("/{table_id}", response_model=TableOut)
+def update_table(table_id: int, body: TableUpdate, db: Session = Depends(get_db), user: User = Depends(require_manager)):
+    table = db.query(Table).filter(Table.id == table_id).first()
+    if not table:
+        raise HTTPException(status_code=404, detail="Table not found")
+    for field, value in body.model_dump(exclude_none=True).items():
+        setattr(table, field, value)
+    db.commit()
+    db.refresh(table)
+    return table
+
+
+@router.delete("/{table_id}", status_code=status.HTTP_204_NO_CONTENT)
+def deactivate_table(table_id: int, db: Session = Depends(get_db), user: User = Depends(require_manager)):
+    table = db.query(Table).filter(Table.id == table_id).first()
+    if not table:
+        raise HTTPException(status_code=404, detail="Table not found")
+    table.is_active = False
+    db.commit()
+
+
+@router.get("/{table_id}/status")
+def table_status(table_id: int, db: Session = Depends(get_db), user: User = Depends(get_current_user)):
+    table = db.query(Table).filter(Table.id == table_id).first()
+    if not table:
+        raise HTTPException(status_code=404, detail="Table not found")
+    active_order = (
+        db.query(Order)
+        .filter(Order.table_id == table_id, Order.status.in_(["open", "partially_paid"]))
+        .first()
+    )
+    return {
+        "table": TableOut.model_validate(table),
+        "active_order_id": active_order.id if active_order else None,
+        "order_status": active_order.status if active_order else None,
+    }
+
+
+@router.put("/{table_id}/floorplan", response_model=TableOut)
+def update_floorplan(table_id: int, body: TableFloorplanUpdate, db: Session = Depends(get_db), user: User = Depends(require_manager)):
+    table = db.query(Table).filter(Table.id == table_id).first()
+    if not table:
+        raise HTTPException(status_code=404, detail="Table not found")
+    table.floor_x = body.floor_x
+    table.floor_y = body.floor_y
+    db.commit()
+    db.refresh(table)
+    return table
--- a/local_backend/routers/waiters.py
+++ b/local_backend/routers/waiters.py
@@ -0,0 +1,100 @@
+import bcrypt
+from fastapi import APIRouter, Depends, HTTPException, status
+from sqlalchemy.orm import Session
+from typing import List
+
+from database import get_db
+from models.user import User, AssistantAssignment
+from schemas.user import UserCreate, UserUpdate, UserOut, AssistantAssignmentOut
+from routers.deps import require_manager
+
+router = APIRouter()
+
+
+class ResetPinRequest:
+    def __init__(self, pin: str):
+        self.pin = pin
+
+
+@router.get("/", response_model=List[UserOut])
+def list_waiters(db: Session = Depends(get_db), user: User = Depends(require_manager)):
+    return db.query(User).filter(User.role == "waiter").all()
+
+
+@router.post("/", response_model=UserOut, status_code=status.HTTP_201_CREATED)
+def create_waiter(body: UserCreate, db: Session = Depends(get_db), user: User = Depends(require_manager)):
+    if db.query(User).filter(User.username == body.username).first():
+        raise HTTPException(status_code=400, detail="Username already exists")
+    pin_hash = bcrypt.hashpw(body.pin.encode(), bcrypt.gensalt()).decode()
+    new_user = User(username=body.username, pin_hash=pin_hash, role=body.role, is_active=body.is_active)
+    db.add(new_user)
+    db.commit()
+    db.refresh(new_user)
+    return new_user
+
+
+@router.put("/{waiter_id}", response_model=UserOut)
+def update_waiter(waiter_id: int, body: UserUpdate, db: Session = Depends(get_db), user: User = Depends(require_manager)):
+    waiter = db.query(User).filter(User.id == waiter_id).first()
+    if not waiter:
+        raise HTTPException(status_code=404, detail="Waiter not found")
+    for field, value in body.model_dump(exclude_none=True).items():
+        setattr(waiter, field, value)
+    db.commit()
+    db.refresh(waiter)
+    return waiter
+
+
+@router.put("/{waiter_id}/reset-pin")
+def reset_pin(waiter_id: int, pin: str, db: Session = Depends(get_db), user: User = Depends(require_manager)):
+    waiter = db.query(User).filter(User.id == waiter_id).first()
+    if not waiter:
+        raise HTTPException(status_code=404, detail="Waiter not found")
+    waiter.pin_hash = bcrypt.hashpw(pin.encode(), bcrypt.gensalt()).decode()
+    db.commit()
+    return {"status": "pin reset"}
+
+
+@router.put("/{waiter_id}/block")
+def toggle_block(waiter_id: int, db: Session = Depends(get_db), user: User = Depends(require_manager)):
+    waiter = db.query(User).filter(User.id == waiter_id).first()
+    if not waiter:
+        raise HTTPException(status_code=404, detail="Waiter not found")
+    waiter.is_active = not waiter.is_active
+    db.commit()
+    return {"is_active": waiter.is_active}
+
+
+@router.delete("/{waiter_id}", status_code=status.HTTP_204_NO_CONTENT)
+def delete_waiter(waiter_id: int, db: Session = Depends(get_db), user: User = Depends(require_manager)):
+    waiter = db.query(User).filter(User.id == waiter_id).first()
+    if not waiter:
+        raise HTTPException(status_code=404, detail="Waiter not found")
+    db.delete(waiter)
+    db.commit()
+
+
+@router.post("/{waiter_id}/assign-assistant", response_model=AssistantAssignmentOut)
+def assign_assistant(waiter_id: int, assistant_id: int, db: Session = Depends(get_db), user: User = Depends(require_manager)):
+    existing = db.query(AssistantAssignment).filter(
+        AssistantAssignment.primary_waiter_id == waiter_id,
+        AssistantAssignment.assistant_waiter_id == assistant_id,
+    ).first()
+    if existing:
+        raise HTTPException(status_code=400, detail="Assignment already exists")
+    assignment = AssistantAssignment(primary_waiter_id=waiter_id, assistant_waiter_id=assistant_id)
+    db.add(assignment)
+    db.commit()
+    db.refresh(assignment)
+    return assignment
+
+
+@router.delete("/{waiter_id}/assistant", status_code=status.HTTP_204_NO_CONTENT)
+def remove_assistant(waiter_id: int, db: Session = Depends(get_db), user: User = Depends(require_manager)):
+    assignment = db.query(AssistantAssignment).filter(
+        AssistantAssignment.primary_waiter_id == waiter_id
+    ).first()
+    if not assignment:
+        raise HTTPException(status_code=404, detail="Assignment not found")
+    db.delete(assignment)
+    db.commit()