Merge remote-tracking branch 'origin/master'

.gitignore

@@ -0,0 +1,12 @@
+# Node
+node_modules/
+
+# Build
+dist/
+
+# Deploy output
+svc/public/
+svc/public/**
+
+ui/dist/
+ui/dist/**

deploy/deploy.sh

@@ -0,0 +1,212 @@
+#!/bin/bash
+set -euo pipefail
+umask 022
+
+export NODE_OPTIONS="--max_old_space_size=4096"
+export CI="true"
+export npm_config_progress="false"
+export npm_config_loglevel="warn"
+export FORCE_COLOR="0"
+
+LOG_FILE="/var/log/bssapp_deploy.log"
+APP_DIR="/opt/bssapp"
+LOCK_FILE="/tmp/bssapp_deploy.lock"
+RUNTIME_BACKUP_DIR=""
+RUNTIME_PRESERVE_FILES=(
+  ".env"
+  "mail.env"
+  "svc/.env"
+  "svc/mail.env"
+  "svc/fonts"
+  "svc/public"
+)
+
+log_step() {
+  echo "== $1 =="
+}
+
+backup_runtime_files() {
+  RUNTIME_BACKUP_DIR="$(mktemp -d /tmp/bssapp-runtime.XXXXXX)"
+
+  for rel in "${RUNTIME_PRESERVE_FILES[@]}"; do
+    src="$APP_DIR/$rel"
+    dst="$RUNTIME_BACKUP_DIR/$rel"
+    if [[ -e "$src" ]]; then
+      mkdir -p "$(dirname "$dst")"
+      cp -a "$src" "$dst"
+    fi
+  done
+}
+
+restore_runtime_files() {
+  [[ -n "$RUNTIME_BACKUP_DIR" && -d "$RUNTIME_BACKUP_DIR" ]] || return 0
+  find "$RUNTIME_BACKUP_DIR" -mindepth 1 -print -quit | grep -q . || return 0
+  cp -a "$RUNTIME_BACKUP_DIR/." "$APP_DIR/"
+}
+
+cleanup_runtime_backup() {
+  if [[ -n "$RUNTIME_BACKUP_DIR" && -d "$RUNTIME_BACKUP_DIR" ]]; then
+    rm -rf "$RUNTIME_BACKUP_DIR"
+  fi
+}
+
+ensure_runtime_env_files() {
+  [[ -f "$APP_DIR/.env" ]] || touch "$APP_DIR/.env"
+  [[ -f "$APP_DIR/mail.env" ]] || touch "$APP_DIR/mail.env"
+  [[ -f "$APP_DIR/svc/.env" ]] || touch "$APP_DIR/svc/.env"
+  [[ -f "$APP_DIR/svc/mail.env" ]] || touch "$APP_DIR/svc/mail.env"
+}
+
+ensure_pdf_fonts() {
+  local font_dir="$APP_DIR/svc/fonts"
+  local sys_font_dir="/usr/share/fonts/truetype/dejavu"
+
+  mkdir -p "$font_dir"
+
+  if [[ ! -f "$font_dir/DejaVuSans.ttf" && -f "$sys_font_dir/DejaVuSans.ttf" ]]; then
+    cp -a "$sys_font_dir/DejaVuSans.ttf" "$font_dir/DejaVuSans.ttf"
+  fi
+  if [[ ! -f "$font_dir/DejaVuSans-Bold.ttf" && -f "$sys_font_dir/DejaVuSans-Bold.ttf" ]]; then
+    cp -a "$sys_font_dir/DejaVuSans-Bold.ttf" "$font_dir/DejaVuSans-Bold.ttf"
+  fi
+
+  if [[ ! -f "$font_dir/DejaVuSans.ttf" || ! -f "$font_dir/DejaVuSans-Bold.ttf" ]]; then
+    echo "ERROR: Required PDF fonts missing in $font_dir"
+    return 1
+  fi
+}
+
+ensure_ui_permissions() {
+  local ui_root="$APP_DIR/ui/dist/spa"
+
+  if [[ ! -d "$ui_root" ]]; then
+    echo "ERROR: UI build output not found at $ui_root"
+    return 1
+  fi
+
+  chmod 755 /opt "$APP_DIR" "$APP_DIR/ui" "$APP_DIR/ui/dist" "$ui_root"
+  find "$ui_root" -type d -exec chmod 755 {} \;
+  find "$ui_root" -type f -exec chmod 644 {} \;
+}
+
+ensure_ui_readable_by_nginx() {
+  local ui_index="$APP_DIR/ui/dist/spa/index.html"
+
+  if [[ ! -f "$ui_index" ]]; then
+    echo "ERROR: UI index not found at $ui_index"
+    return 1
+  fi
+
+  if id -u www-data >/dev/null 2>&1; then
+    if ! su -s /bin/sh -c "test -r '$ui_index'" www-data; then
+      echo "ERROR: www-data cannot read $ui_index"
+      namei -l "$ui_index" || true
+      return 1
+    fi
+  fi
+}
+
+build_api_binary() {
+  if ! command -v go >/dev/null 2>&1; then
+    echo "ERROR: go command not found"
+    return 1
+  fi
+
+  export GOPATH="${GOPATH:-/var/cache/bssapp-go}"
+  export GOMODCACHE="${GOMODCACHE:-$GOPATH/pkg/mod}"
+  export GOCACHE="${GOCACHE:-/var/cache/bssapp-go-build}"
+  mkdir -p "$GOPATH" "$GOMODCACHE" "$GOCACHE"
+
+  cd "$APP_DIR/svc"
+  GOOS=linux GOARCH=amd64 CGO_ENABLED=0 go build -ldflags="-w -s" -o "$APP_DIR/svc/bssapp" ./main.go
+  chmod +x "$APP_DIR/svc/bssapp"
+}
+
+restart_services() {
+  systemctl daemon-reload || true
+
+  systemctl restart bssapp
+  if ! systemctl is-active --quiet bssapp; then
+    echo "ERROR: bssapp service failed to start"
+    return 1
+  fi
+
+  if systemctl cat nginx >/dev/null 2>&1; then
+    systemctl restart nginx
+    if ! systemctl is-active --quiet nginx; then
+      echo "ERROR: nginx service failed to start"
+      return 1
+    fi
+  else
+    echo "WARN: nginx service not found; frontend may be unreachable."
+  fi
+}
+
+run_deploy() {
+  trap cleanup_runtime_backup EXIT
+
+  exec 9>"$LOCK_FILE"
+  if ! flock -n 9; then
+    echo "[$(date '+%F %T')] Deploy already running. Skipping new request."
+    return 0
+  fi
+
+  echo "=============================="
+  echo "[DEPLOY START] $(date '+%F %T')"
+  echo "=============================="
+
+  cd "$APP_DIR"
+
+  log_step "GIT SYNC"
+  backup_runtime_files
+  git fetch origin
+  git reset --hard origin/master
+  git clean -fdx \
+    -e .env \
+    -e mail.env \
+    -e svc/.env \
+    -e svc/mail.env \
+    -e svc/fonts \
+    -e svc/public \
+    -e svc/bssapp
+  restore_runtime_files
+  echo "DEPLOY COMMIT: $(git rev-parse --short HEAD)"
+
+  log_step "BUILD UI"
+  cd "$APP_DIR/ui"
+  npm ci --no-audit --no-fund --include=optional
+  npm i -D --no-audit --no-fund sass-embedded@1.93.2
+  npm run build
+
+  log_step "ENSURE UI PERMISSIONS"
+  ensure_ui_permissions
+  ensure_ui_readable_by_nginx
+
+  log_step "BUILD API"
+  build_api_binary
+
+  log_step "ENSURE ENV FILES"
+  ensure_runtime_env_files
+
+  log_step "ENSURE PDF FONTS"
+  ensure_pdf_fonts
+
+  log_step "RESTART SERVICES"
+  restart_services
+
+  echo "[DEPLOY FINISHED] $(date '+%F %T')"
+}
+
+if [[ "${1:-}" == "--run" ]]; then
+  mkdir -p "$(dirname "$LOG_FILE")"
+  if command -v logger >/dev/null 2>&1; then
+    run_deploy 2>&1 | tee -a "$LOG_FILE" >(logger -t bssapp-deploy -p user.info)
+    exit ${PIPESTATUS[0]}
+  else
+    run_deploy >>"$LOG_FILE" 2>&1
+    exit $?
+  fi
+fi
+
+nohup /bin/bash "$0" --run </dev/null >/dev/null 2>&1 &
+exit 0

deploy/hooks.json

@@ -0,0 +1,57 @@
+[
+  {
+    "id": "bssapp-deploy",
+    "execute-command": "/bin/bash",
+    "command-working-directory": "/opt/bssapp",
+    "pass-arguments-to-command": [
+      {
+        "source": "string",
+        "name": "/opt/bssapp/deploy/deploy.sh"
+      }
+    ],
+    "trigger-rule": {
+      "or": [
+        {
+          "match": {
+            "type": "value",
+            "value": "Bearer bssapp-secret-2026",
+            "parameter": {
+              "source": "header",
+              "name": "Authorization"
+            }
+          }
+        },
+        {
+          "match": {
+            "type": "value",
+            "value": "bssapp-secret-2026",
+            "parameter": {
+              "source": "header",
+              "name": "Authorization"
+            }
+          }
+        },
+        {
+          "match": {
+            "type": "value",
+            "value": "X-BSSAPP-SECRET: bssapp-secret-2026",
+            "parameter": {
+              "source": "header",
+              "name": "Authorization"
+            }
+          }
+        },
+        {
+          "match": {
+            "type": "value",
+            "value": "bssapp-secret-2026",
+            "parameter": {
+              "source": "header",
+              "name": "X-BSSAPP-SECRET"
+            }
+          }
+        }
+      ]
+    }
+  }
+]

scripts/sql/add_indexes_order_validate.sql

@@ -0,0 +1,27 @@
+/* Indexes for order validate performance */
+
+IF NOT EXISTS (
+  SELECT 1
+  FROM sys.indexes
+  WHERE name = 'IX_trOrderLine_OrderHeader_ItemCode'
+    AND object_id = OBJECT_ID('dbo.trOrderLine')
+)
+BEGIN
+  CREATE NONCLUSTERED INDEX IX_trOrderLine_OrderHeader_ItemCode
+  ON dbo.trOrderLine (OrderHeaderID, ItemCode)
+  INCLUDE (ItemTypeCode, ColorCode, ItemDim1Code, ItemDim2Code, ItemDim3Code, LineDescription, SortOrder, OrderLineID);
+END
+GO
+
+IF NOT EXISTS (
+  SELECT 1
+  FROM sys.indexes
+  WHERE name = 'IX_prItemVariant_Combo'
+    AND object_id = OBJECT_ID('dbo.prItemVariant')
+)
+BEGIN
+  CREATE NONCLUSTERED INDEX IX_prItemVariant_Combo
+  ON dbo.prItemVariant (ItemTypeCode, ItemCode, ColorCode, ItemDim1Code, ItemDim2Code, ItemDim3Code)
+  INCLUDE (PLU);
+END
+GO

svc/.env

@@ -1,8 +0,0 @@
-JWT_SECRET=bssapp_super_secret_key_1234567890
-PASSWORD_RESET_SECRET=1dc7d6d52fd0459a8b1f288a6590428e760f54339f8e47beb20db36b6df6070b
-APP_FRONTEND_URL=http://localhost:9000
-API_URL=http://localhost:8080
-
-
-
-

svc/.env.local

@@ -0,0 +1,33 @@
+# ===============================
+# SECURITY
+# ===============================
+JWT_SECRET=bssapp_super_secret_key_1234567890
+PASSWORD_RESET_SECRET=1dc7d6d52fd0459a8b1f288a6590428e760f54339f8e47beb20db36b6df6070b
+
+# ===============================
+# URLS (PRODUCTION)
+# ===============================
+APP_FRONTEND_URL=http://46.224.33.150
+API_URL=http://46.224.33.150
+
+# Eğer Nginx ile /api varsa:
+# API_URL=http://46.224.33.150/api
+
+# ===============================
+# UI
+# ===============================
+UI_DIR=/opt/bssapp/ui/dist
+
+# ===============================
+# DATABASES
+# ===============================
+POSTGRES_CONN=host=46.224.33.150 port=5432 user=postgres password=tayitkan dbname=baggib2b sslmode=disable
+MSSQL_CONN=sqlserver://sa:Gil_0150@100.127.186.137:1433?database=BAGGI_V3&encrypt=disable
+
+# ===============================
+# PDF
+# ===============================
+PDF_FONT_DIR=/opt/bssapp/svc/fonts
+API_HOST=0.0.0.0
+API_PORT=8080
+

svc/.gitignore

@@ -0,0 +1,13 @@
+# Binary
+bssapp
+
+# Env
+.env
+mail.env
+
+# Runtime fonts
+fonts/*.ttf
+
+# Go
+.gocache
+*.exe

svc/db/mssql.go

@@ -4,15 +4,20 @@ import (
 	"database/sql"
 	"fmt"
 	"log"
+	"os"
+	"strings"
 
 	_ "github.com/microsoft/go-mssqldb"
 )
 
 var MssqlDB *sql.DB
 
+// ConnectMSSQL MSSQL baglantisini ortam degiskeninden baslatir.
 func ConnectMSSQL() {
-	//connString := "sqlserver://sa:Gil_0150@10.0.0.9:1433?databaseName=BAGGI_V3"
+	connString := strings.TrimSpace(os.Getenv("MSSQL_CONN"))
-	connString := "sqlserver://sa:Gil_0150@100.127.221.13:1433?databaseName=BAGGI_V3"
+	if connString == "" {
+		log.Fatal("MSSQL_CONN tanımlı değil")
+	}
 
 	var err error
 	MssqlDB, err = sql.Open("sqlserver", connString)
@@ -20,13 +25,13 @@ func ConnectMSSQL() {
 		log.Fatal("MSSQL bağlantı hatası:", err)
 	}
 
-	err = MssqlDB.Ping()
+	if err = MssqlDB.Ping(); err != nil {
-	if err != nil {
 		log.Fatal("MSSQL erişilemiyor:", err)
 	}
 
-	fmt.Println("✅ MSSQL bağlantısı başarılı!")
+	fmt.Println("MSSQL bağlantısı başarılı")
 }
+
 func GetDB() *sql.DB {
 	return MssqlDB
 }

svc/db/postgres.go

@@ -5,6 +5,7 @@ import (
 	"fmt"
 	"log"
 	"os"
+	"strings"
 	"time"
 
 	_ "github.com/lib/pq"
@@ -12,14 +13,11 @@ import (
 
 var PgDB *sql.DB
 
-// ConnectPostgres → PostgreSQL veritabanına bağlanır
+// ConnectPostgres PostgreSQL veritabanına bağlanır.
 func ConnectPostgres() (*sql.DB, error) {
-	// Bağlantı stringi (istersen .env’den oku)
+	connStr := strings.TrimSpace(os.Getenv("POSTGRES_CONN"))
-	connStr := os.Getenv("POSTGRES_CONN")
 	if connStr == "" {
-		// fallback → sabit tanımlı bağlantı
+		return nil, fmt.Errorf("POSTGRES_CONN tanımlı değil")
-		connStr = "host= 46.224.33.150 port=5432 user=postgres password=tayitkan dbname=baggib2b sslmode=disable"
-		//connStr = "host=172.16.0.3 port=5432 user=postgres password=tayitkan dbname=baggib2b sslmode=disable"
 	}
 
 	db, err := sql.Open("postgres", connStr)
@@ -27,26 +25,48 @@ func ConnectPostgres() (*sql.DB, error) {
 		return nil, fmt.Errorf("PostgreSQL bağlantı hatası: %w", err)
 	}
 
-	// =======================================================
+	// Bağlantı havuzu ayarları (audit log uyumlu).
-	// 🔹 BAĞLANTI HAVUZU (AUDIT LOG UYUMLU)
+	db.SetMaxOpenConns(30)
-	// =======================================================
-	db.SetMaxOpenConns(30) // audit + api paralel çalışsın
 	db.SetMaxIdleConns(10)
 	db.SetConnMaxLifetime(30 * time.Minute)
-	db.SetConnMaxIdleTime(5 * time.Minute) // 🔥 uzun idle audit bağlantılarını kapat
+	db.SetConnMaxIdleTime(5 * time.Minute)
 
-	// 🔹 Test et
+	// Bağlantıyı test et.
 	if err = db.Ping(); err != nil {
-		return nil, fmt.Errorf("PostgreSQL erişilemiyor: %w", err)
+		// Some managed PostgreSQL servers require TLS. If the current DSN uses
+		// sslmode=disable and server rejects with "no encryption", retry once
+		// with sslmode=require to avoid startup failure.
+		if strings.Contains(err.Error(), "no pg_hba.conf entry") &&
+			strings.Contains(err.Error(), "no encryption") &&
+			strings.Contains(strings.ToLower(connStr), "sslmode=disable") {
+			secureConnStr := strings.Replace(connStr, "sslmode=disable", "sslmode=require", 1)
+			log.Println("PostgreSQL TLS gerektiriyor, sslmode=require ile tekrar deneniyor")
+
+			_ = db.Close()
+			db, err = sql.Open("postgres", secureConnStr)
+			if err != nil {
+				return nil, fmt.Errorf("PostgreSQL TLS retry open failed: %w", err)
+			}
+
+			db.SetMaxOpenConns(30)
+			db.SetMaxIdleConns(10)
+			db.SetConnMaxLifetime(30 * time.Minute)
+			db.SetConnMaxIdleTime(5 * time.Minute)
+
+			if err = db.Ping(); err != nil {
+				return nil, fmt.Errorf("PostgreSQL erişilemiyor (TLS retry): %w", err)
+			}
+		} else {
+			return nil, fmt.Errorf("PostgreSQL erişilemiyor: %w", err)
+		}
 	}
 
-	log.Println("✅ PostgreSQL bağlantısı başarılı!")
+	log.Println("PostgreSQL bağlantısı başarılı")
 	PgDB = db
 	return db, nil
-
 }
 
-// GetPostgresUsers → test amaçlı ilk 5 kullanıcıyı listeler
+// GetPostgresUsers test amaçlı ilk 5 kullanıcıyı listeler.
 func GetPostgresUsers(db *sql.DB) error {
 	query := `SELECT id, code, email FROM mk_dfusr ORDER BY id LIMIT 5`
 	rows, err := db.Query(query)
@@ -55,14 +75,14 @@ func GetPostgresUsers(db *sql.DB) error {
 	}
 	defer rows.Close()
 
-	fmt.Println("📋 İlk 5 PostgreSQL kullanıcısı:")
+	fmt.Println("İlk 5 PostgreSQL kullanıcısı:")
 	for rows.Next() {
 		var id int
 		var code, email string
 		if err := rows.Scan(&id, &code, &email); err != nil {
 			return err
 		}
-		fmt.Printf("  ➜ ID: %-4d | USER: %-20s | EMAIL: %s\n", id, code, email)
+		fmt.Printf("  -> ID: %-4d | USER: %-20s | EMAIL: %s\n", id, code, email)
 	}
 
 	return rows.Err()

svc/mail.env

@@ -1,4 +0,0 @@
-AZURE_TENANT_ID=c8e0675d-1f6e-40f3-ba5f-3d1985b92317
-AZURE_CLIENT_ID=94a134b7-757f-4bcc-9e4b-d577b631a9a3
-AZURE_CLIENT_SECRET=PaW8Q~9NzYXHrESZcKoP6.hRxS.CyQshvJ0Y0czx
-MAIL_FROM=baggiss@baggi.com.tr

svc/main.go

@@ -212,19 +212,19 @@ func InitRoutes(pgDB *sql.DB, mssql *sql.DB, ml *mailer.GraphMailer) *mux.Router
 	// ============================================================
 	bindV3(r, pgDB,
 		"/api/password/change", "POST",
-		"system", "update",
+		"auth", "update",
 		wrapV3(http.HandlerFunc(routes.FirstPasswordChangeHandler(pgDB))),
 	)
 
 	bindV3(r, pgDB,
 		"/api/activity-logs", "GET",
-		"user", "view",
+		"system", "read",
 		wrapV3(routes.AdminActivityLogsHandler(pgDB)),
 	)
 
 	bindV3(r, pgDB,
 		"/api/test-mail", "POST",
-		"user", "insert",
+		"system", "update",
 		wrapV3(routes.TestMailHandler(ml)),
 	)
 
@@ -235,12 +235,12 @@ func InitRoutes(pgDB *sql.DB, mssql *sql.DB, ml *mailer.GraphMailer) *mux.Router
 
 	bindV3(r, pgDB,
 		rolePerm, "GET",
-		"user", "update",
+		"system", "update",
 		wrapV3(routes.GetRolePermissionMatrix(pgDB)),
 	)
 	bindV3(r, pgDB,
 		rolePerm, "POST",
-		"user", "update",
+		"system", "update",
 		wrapV3(routes.SaveRolePermissionMatrix(pgDB)),
 	)
 
@@ -248,12 +248,12 @@ func InitRoutes(pgDB *sql.DB, mssql *sql.DB, ml *mailer.GraphMailer) *mux.Router
 
 	bindV3(r, pgDB,
 		userPerm, "GET",
-		"user", "update",
+		"system", "update",
 		wrapV3(routes.GetUserPermissionsHandler(pgDB)),
 	)
 	bindV3(r, pgDB,
 		userPerm, "POST",
-		"user", "update",
+		"system", "update",
 		wrapV3(routes.SaveUserPermissionsHandler(pgDB)),
 	)
 
@@ -286,17 +286,17 @@ func InitRoutes(pgDB *sql.DB, mssql *sql.DB, ml *mailer.GraphMailer) *mux.Router
 
 	bindV3(r, pgDB,
 		"/api/role-dept-permissions/list", "GET",
-		"user", "update",
+		"system", "update",
 		wrapV3(http.HandlerFunc(rdHandler.List)),
 	)
 	bindV3(r, pgDB,
 		rdPerm, "GET",
-		"user", "update",
+		"system", "update",
 		wrapV3(http.HandlerFunc(rdHandler.Get)),
 	)
 	bindV3(r, pgDB,
 		rdPerm, "POST",
-		"user", "update",
+		"system", "update",
 		wrapV3(http.HandlerFunc(rdHandler.Save)),
 	)
 
@@ -325,6 +325,11 @@ func InitRoutes(pgDB *sql.DB, mssql *sql.DB, ml *mailer.GraphMailer) *mux.Router
 		"user", "update",
 		wrapV3(routes.UserDetailRoute(pgDB)),
 	)
+	bindV3(r, pgDB,
+		"/api/users/{id}", "DELETE",
+		"user", "delete",
+		wrapV3(routes.UserDetailRoute(pgDB)),
+	)
 
 	bindV3(r, pgDB,
 		"/api/users/{id}/admin-reset-password", "POST",
@@ -434,6 +439,11 @@ func InitRoutes(pgDB *sql.DB, mssql *sql.DB, ml *mailer.GraphMailer) *mux.Router
 		{"/api/order/update", "POST", "update", http.HandlerFunc(routes.UpdateOrderHandler)},
 		{"/api/order/get/{id}", "GET", "view", routes.GetOrderByIDHandler(mssql)},
 		{"/api/orders/list", "GET", "view", routes.OrderListRoute(mssql)},
+		{"/api/orders/production-list", "GET", "update", routes.OrderProductionListRoute(mssql)},
+		{"/api/orders/production-items/{id}", "GET", "view", routes.OrderProductionItemsRoute(mssql)},
+		{"/api/orders/production-items/{id}/insert-missing", "POST", "update", routes.OrderProductionInsertMissingRoute(mssql)},
+		{"/api/orders/production-items/{id}/validate", "POST", "update", routes.OrderProductionValidateRoute(mssql)},
+		{"/api/orders/production-items/{id}/apply", "POST", "update", routes.OrderProductionApplyRoute(mssql)},
 		{"/api/orders/close-ready", "GET", "update", routes.OrderCloseReadyListRoute(mssql)},
 		{"/api/orders/bulk-close", "POST", "update", routes.OrderBulkCloseRoute(mssql)},
 		{"/api/orders/export", "GET", "export", routes.OrderListExcelRoute(mssql)},
@@ -611,8 +621,21 @@ func main() {
 		),
 	)
 
-	log.Println("✅ Server çalışıyor: http://localhost:8080")
+	host := strings.TrimSpace(os.Getenv("API_HOST"))
-	log.Fatal(http.ListenAndServe(":8080", handler))
+	port := strings.TrimSpace(os.Getenv("API_PORT"))
+
+	if host == "" {
+		host = "0.0.0.0"
+	}
+	if port == "" {
+		port = "8080"
+	}
+
+	addr := host + ":" + port
+
+	log.Println("🚀 Server running at:", addr)
+	log.Fatal(http.ListenAndServe(addr, handler))
+
 }
 
 func mountSPA(r *mux.Router) {
@@ -672,12 +695,17 @@ func uiRootDir() string {
 		return d
 	}
 
-	candidates := []string{"../ui/dist", "./ui/dist"}
+	candidates := []string{
+		"../ui/dist/spa",
+		"./ui/dist/spa",
+		"../ui/dist",
+		"./ui/dist",
+	}
 	for _, d := range candidates {
 		if fi, err := os.Stat(d); err == nil && fi.IsDir() {
 			return d
 		}
 	}
 
-	return "../ui/dist"
+	return "../ui/dist/spa"
 }

svc/middlewares/auth_middleware.go

@@ -10,29 +10,49 @@ import (
 
 func AuthMiddleware(db *sql.DB, next http.Handler) http.Handler {
 	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-
 		authHeader := r.Header.Get("Authorization")
 		if authHeader == "" {
-			http.Error(w, "Unauthorized", http.StatusUnauthorized)
+			log.Printf(
+				"AUTH_MIDDLEWARE 401 reason=missing_authorization_header method=%s path=%s",
+				r.Method,
+				r.URL.Path,
+			)
+			http.Error(w, "unauthorized: authorization header missing", http.StatusUnauthorized)
 			return
 		}
 
 		parts := strings.SplitN(authHeader, " ", 2)
 		if len(parts) != 2 || parts[0] != "Bearer" {
-			http.Error(w, "Unauthorized", http.StatusUnauthorized)
+			log.Printf(
+				"AUTH_MIDDLEWARE 401 reason=invalid_authorization_format method=%s path=%s raw=%q",
+				r.Method,
+				r.URL.Path,
+				authHeader,
+			)
+			http.Error(w, "unauthorized: invalid authorization format", http.StatusUnauthorized)
 			return
 		}
 
 		claims, err := auth.ValidateToken(parts[1])
 		if err != nil {
-			http.Error(w, "Unauthorized", http.StatusUnauthorized)
+			log.Printf(
+				"AUTH_MIDDLEWARE 401 reason=token_validation_failed method=%s path=%s err=%v",
+				r.Method,
+				r.URL.Path,
+				err,
+			)
+			http.Error(w, "unauthorized: token validation failed", http.StatusUnauthorized)
 			return
 		}
 
-		// 🔥 BU SATIR ŞART
 		ctx := auth.WithClaims(r.Context(), claims)
-
+		log.Printf(
-		log.Printf("🔐 AUTH CTX SET user=%d role=%s", claims.ID, claims.RoleCode)
+			"AUTH_MIDDLEWARE PASS user=%d role=%s method=%s path=%s",
+			claims.ID,
+			claims.RoleCode,
+			r.Method,
+			r.URL.Path,
+		)
 
 		next.ServeHTTP(w, r.WithContext(ctx))
 	})

svc/middlewares/authz_v2.go

@@ -859,7 +859,12 @@ func AuthzGuardByRoute(pg *sql.DB) func(http.Handler) http.Handler {
 			// =====================================================
 			claims, ok := auth.GetClaimsFromContext(r.Context())
 			if !ok || claims == nil {
-				http.Error(w, "unauthorized", http.StatusUnauthorized)
+				log.Printf(
+					"AUTHZ_BY_ROUTE 401 reason=claims_missing method=%s path=%s",
+					r.Method,
+					r.URL.Path,
+				)
+				http.Error(w, "unauthorized: token missing or invalid", http.StatusUnauthorized)
 				return
 			}
 
@@ -873,7 +878,7 @@ func AuthzGuardByRoute(pg *sql.DB) func(http.Handler) http.Handler {
 					r.Method, r.URL.Path,
 				)
 
-				http.Error(w, "route not resolved", 403)
+				http.Error(w, "route not resolved", http.StatusForbidden)
 				return
 			}
 
@@ -881,7 +886,22 @@ func AuthzGuardByRoute(pg *sql.DB) func(http.Handler) http.Handler {
 			if err != nil {
 				log.Printf("❌ AUTHZ: path template error: %v", err)
 
-				http.Error(w, "route template error", 403)
+				http.Error(w, "route template error", http.StatusForbidden)
+				return
+			}
+
+			// Password change must be reachable for every authenticated user.
+			// This avoids permission deadlocks during forced first-password flow.
+			if pathTemplate == "/api/password/change" {
+				next.ServeHTTP(w, r)
+				return
+			}
+
+			// Self permission endpoints are required right after login
+			// to hydrate UI permission state for the authenticated user.
+			switch pathTemplate {
+			case "/api/permissions/routes", "/api/permissions/effective":
+				next.ServeHTTP(w, r)
 				return
 			}
 
@@ -908,7 +928,12 @@ func AuthzGuardByRoute(pg *sql.DB) func(http.Handler) http.Handler {
 					pathTemplate,
 				)
 
-				http.Error(w, "route permission not found", 403)
+				if pathTemplate == "/api/password/change" {
+					http.Error(w, "password change route permission not found", http.StatusForbidden)
+					return
+				}
+
+				http.Error(w, "route permission not found", http.StatusForbidden)
 				return
 			}
 
@@ -935,7 +960,12 @@ func AuthzGuardByRoute(pg *sql.DB) func(http.Handler) http.Handler {
 					err,
 				)
 
-				http.Error(w, "forbidden", 403)
+				if pathTemplate == "/api/password/change" {
+					http.Error(w, "password change permission check failed", http.StatusForbidden)
+					return
+				}
+
+				http.Error(w, "forbidden", http.StatusForbidden)
 				return
 			}
 
@@ -948,7 +978,12 @@ func AuthzGuardByRoute(pg *sql.DB) func(http.Handler) http.Handler {
 					action,
 				)
 
-				http.Error(w, "forbidden", 403)
+				if pathTemplate == "/api/password/change" {
+					http.Error(w, "password change forbidden: permission denied", http.StatusForbidden)
+					return
+				}
+
+				http.Error(w, "forbidden", http.StatusForbidden)
 				return
 			}
 

svc/models/orderlist.go

@@ -21,6 +21,7 @@ type OrderList struct {
 	// ℹ️ Sipariş Durumu
 	CreditableConfirmedDate string `json:"CreditableConfirmedDate"`
 	IsCreditableConfirmed   bool   `json:"IsCreditableConfirmed"`
+	HasUretimUrunu          bool   `json:"HasUretimUrunu"`
 
 	// 💱 Para Birimi
 	DocCurrencyCode string `json:"DocCurrencyCode"`

svc/models/orderproductionitem.go

@@ -0,0 +1,25 @@
+package models
+
+// ========================================================
+// 📌 OrderProductionItem — U ile başlayan ürün satırı
+// ========================================================
+type OrderProductionItem struct {
+	OrderHeaderID string `json:"OrderHeaderID"`
+	OrderLineID   string `json:"OrderLineID"`
+
+	ItemTypeCode int16  `json:"ItemTypeCode"`
+	OldDim1      string `json:"OldDim1"`
+	OldDim3      string `json:"OldDim3"`
+
+	OldItemCode string `json:"OldItemCode"`
+	OldColor    string `json:"OldColor"`
+	OldDim2     string `json:"OldDim2"`
+	OldDesc     string `json:"OldDesc"`
+
+	NewItemCode string `json:"NewItemCode"`
+	NewColor    string `json:"NewColor"`
+	NewDim2     string `json:"NewDim2"`
+	NewDesc     string `json:"NewDesc"`
+
+	IsVariantMissing bool `json:"IsVariantMissing"`
+}

svc/models/orderproductionupdate.go

@@ -0,0 +1,24 @@
+package models
+
+type OrderProductionUpdateLine struct {
+	OrderLineID string `json:"OrderLineID"`
+	NewItemCode string `json:"NewItemCode"`
+	NewColor    string `json:"NewColor"`
+	NewDim2     string `json:"NewDim2"`
+	NewDesc     string `json:"NewDesc"`
+}
+
+type OrderProductionUpdatePayload struct {
+	Lines         []OrderProductionUpdateLine `json:"lines"`
+	InsertMissing bool                        `json:"insertMissing"`
+}
+
+type OrderProductionMissingVariant struct {
+	OrderLineID   string `json:"OrderLineID"`
+	ItemTypeCode  int16  `json:"ItemTypeCode"`
+	ItemCode      string `json:"ItemCode"`
+	ColorCode     string `json:"ColorCode"`
+	ItemDim1Code  string `json:"ItemDim1Code"`
+	ItemDim2Code  string `json:"ItemDim2Code"`
+	ItemDim3Code  string `json:"ItemDim3Code"`
+}

svc/queries/order_bulk_close.go

@@ -183,7 +183,6 @@ WHERE
     AND h.ProcessCode   = 'WS'
     AND h.IsClosed      = 0
     AND ISNULL(l.TotalAmount,0) > 0
-    AND (ISNULL(l.PackedAmount,0) * 100.0) / NULLIF(l.TotalAmount,0) >= 100
 
     AND EXISTS (
         SELECT 1
@@ -322,7 +321,6 @@ WHERE
         ) t
         WHERE t.OrderHeaderID = h.OrderHeaderID
           AND t.TotalAmount > 0
-          AND (t.PackedAmount * 100.0) / NULLIF(t.TotalAmount,0) >= 100
     );
 `, strings.Join(placeholders, ","), piyasaWhere)
 

svc/queries/order_write.go

@@ -1103,6 +1103,38 @@ func UpdateOrder(header models.OrderHeader, lines []models.OrderDetail, user *mo
 	now := time.Now()
 	v3User := buildV3AuditUser(user)
 
+	// Hard delete bazen FK nedeniyle patlayabiliyor.
+	// Bu durumda satırı soft-close ederek akışı güvenli şekilde tamamlarız.
+	deleteOrSoftCloseLine := func(lineID string) error {
+		if _, err := tx.Exec(`DELETE FROM BAGGI_V3.dbo.trOrderLineCurrency WHERE OrderLineID=@p1`, lineID); err != nil {
+			return fmt.Errorf("line currency delete failed line_id=%s: %w", lineID, err)
+		}
+
+		if _, err := tx.Exec(`
+DELETE FROM BAGGI_V3.dbo.trOrderLine
+WHERE OrderHeaderID=@p1 AND OrderLineID=@p2 AND ISNULL(IsClosed,0)=0
+`, header.OrderHeaderID, lineID); err != nil {
+			fmt.Printf("[ORDER_UPDATE] hard delete failed, trying qty-zero soft-close line_id=%s err=%v\n", lineID, err)
+
+			// IsClosed computed olabilir; sadece miktarları sıfırla.
+			if _, err2 := tx.Exec(`
+UPDATE BAGGI_V3.dbo.trOrderLine
+SET
+	Qty1 = 0,
+	Qty2 = 0,
+	CancelQty1 = 0,
+	CancelQty2 = 0,
+	LastUpdatedUserName = @p1,
+	LastUpdatedDate = @p2
+WHERE OrderHeaderID=@p3 AND OrderLineID=@p4 AND ISNULL(IsClosed,0)=0
+`, v3User, now, header.OrderHeaderID, lineID); err2 != nil {
+				return fmt.Errorf("line delete failed line_id=%s: %v; qty-zero soft-close failed: %w", lineID, err, err2)
+			}
+		}
+
+		return nil
+	}
+
 	// Döviz kuru (Header ExchangeRate fallback)
 	exRate := 1.0
 	if header.DocCurrencyCode.Valid && header.DocCurrencyCode.String != "TRY" {
@@ -1329,13 +1361,7 @@ WHERE OrderLineID=@p42 AND ISNULL(IsClosed,0)=0`)
 					Dim2:      strings.TrimSpace(safeNS(ln.ItemDim2Code)),
 				}
 			}
-			if _, err := tx.Exec(`DELETE FROM BAGGI_V3.dbo.trOrderLineCurrency WHERE OrderLineID=@p1`, ln.OrderLineID); err != nil {
+			if err := deleteOrSoftCloseLine(ln.OrderLineID); err != nil {
-				return nil, err
-			}
-			if _, err := tx.Exec(`
-DELETE FROM BAGGI_V3.dbo.trOrderLine
-WHERE OrderHeaderID=@p1 AND OrderLineID=@p2 AND ISNULL(IsClosed,0)=0
-`, header.OrderHeaderID, ln.OrderLineID); err != nil {
 				return nil, err
 			}
 
@@ -1356,6 +1382,15 @@ WHERE OrderHeaderID=@p1 AND OrderLineID=@p2 AND ISNULL(IsClosed,0)=0
 			}
 		}
 
+		// Edit akışında bazen stale OrderLineID gelebiliyor (silinmiş/eski satır ID'si).
+		// Böyle bir ID ile UPDATE denemek yerine yeni satır olarak ele al.
+		if !isNew && ln.OrderLineID != "" {
+			if _, stillOpen := existingOpen[ln.OrderLineID]; !stillOpen {
+				ln.OrderLineID = uuid.New().String()
+				isNew = true
+			}
+		}
+
 		// Variant guard
 		if qtyValue(ln.Qty1) > 0 {
 			if err := ValidateItemVariant(tx, ln); err != nil {
@@ -1482,10 +1517,7 @@ WHERE OrderHeaderID=@p1 AND OrderLineID=@p2 AND ISNULL(IsClosed,0)=0
 				id, meta.item, meta.color, meta.dim1, meta.dim2)
 			continue
 		}
-		if _, err := tx.Exec(`DELETE FROM BAGGI_V3.dbo.trOrderLineCurrency WHERE OrderLineID=@p1`, id); err != nil {
+		if err := deleteOrSoftCloseLine(id); err != nil {
-			return nil, err
-		}
-		if _, err := tx.Exec(`DELETE FROM BAGGI_V3.dbo.trOrderLine WHERE OrderLineID=@p1 AND ISNULL(IsClosed,0)=0`, id); err != nil {
 			return nil, err
 		}
 	}

svc/queries/orderlist.go

@@ -112,6 +112,16 @@ SELECT
     END                                            AS PackedRatePct,
 
     ISNULL(h.IsCreditableConfirmed,0)              AS IsCreditableConfirmed,
+    CASE
+        WHEN EXISTS (
+            SELECT 1
+            FROM dbo.trOrderLine l2
+            WHERE l2.OrderHeaderID = h.OrderHeaderID
+              AND ISNULL(l2.ItemCode,'') LIKE 'U%%'
+        )
+            THEN CAST(1 AS bit)
+        ELSE CAST(0 AS bit)
+    END                                            AS HasUretimUrunu,
     ISNULL(h.Description,'')                       AS Description,
 
     usd.Rate                                       AS ExchangeRateUSD

svc/queries/orderproduction_items.go

@@ -0,0 +1,222 @@
+package queries
+
+import (
+	"database/sql"
+
+	"bssapp-backend/models"
+)
+
+// ========================================================
+// 📌 GetOrderProductionItems — OrderHeaderID için U ürünleri
+// ========================================================
+func GetOrderProductionItems(mssql *sql.DB, orderHeaderID string) (*sql.Rows, error) {
+	return mssql.Query(`
+SELECT
+    CAST(l.OrderHeaderID AS NVARCHAR(50)) AS OrderHeaderID,
+    CAST(l.OrderLineID   AS NVARCHAR(50)) AS OrderLineID,
+    l.ItemTypeCode       AS ItemTypeCode,
+    ISNULL(l.ItemDim1Code,'') AS OldDim1,
+    ISNULL(l.ItemDim3Code,'') AS OldDim3,
+
+    ISNULL(l.ItemCode,'')      AS OldItemCode,
+    ISNULL(l.ColorCode,'')     AS OldColor,
+    ISNULL(l.ItemDim2Code,'')  AS OldDim2,
+    ISNULL(l.LineDescription,'') AS OldDesc,
+
+    CAST('' AS NVARCHAR(60))   AS NewItemCode,
+    CAST('' AS NVARCHAR(30))   AS NewColor,
+    CAST('' AS NVARCHAR(30))   AS NewDim2,
+    CAST('' AS NVARCHAR(250))  AS NewDesc,
+
+    CAST(0 AS bit) AS IsVariantMissing
+FROM dbo.trOrderLine l
+WHERE l.OrderHeaderID = @p1
+  AND ISNULL(l.ItemCode,'') LIKE 'U%'
+ORDER BY l.SortOrder, l.OrderLineID
+`, orderHeaderID)
+}
+
+// ========================================================
+// 📌 InsertMissingProductionVariants — eksik prItemVariant ekler
+// ========================================================
+func InsertMissingProductionVariants(mssql *sql.DB, orderHeaderID string, username string) (int64, error) {
+	query := `
+;WITH Missing AS (
+    SELECT DISTINCT
+        l.ItemTypeCode,
+        l.ItemCode,
+        l.ColorCode,
+        l.ItemDim1Code,
+        l.ItemDim2Code,
+        l.ItemDim3Code
+    FROM dbo.trOrderLine l
+    LEFT JOIN dbo.prItemVariant pv
+      ON pv.ItemTypeCode = l.ItemTypeCode
+     AND pv.ItemCode     = l.ItemCode
+     AND pv.ColorCode    = l.ColorCode
+     AND ISNULL(pv.ItemDim1Code,'') = ISNULL(l.ItemDim1Code,'')
+     AND ISNULL(pv.ItemDim2Code,'') = ISNULL(l.ItemDim2Code,'')
+     AND ISNULL(pv.ItemDim3Code,'') = ISNULL(l.ItemDim3Code,'')
+    WHERE l.OrderHeaderID = @p1
+      AND ISNULL(l.ItemCode,'') LIKE 'U%'
+      AND pv.ItemCode IS NULL
+),
+MaxPlu AS (
+    SELECT ISNULL(MAX(PLU),0) AS BasePlu
+    FROM dbo.prItemVariant WITH (UPDLOCK, HOLDLOCK)
+)
+INSERT INTO dbo.prItemVariant (
+    ItemTypeCode,
+    ItemCode,
+    ColorCode,
+    ItemDim1Code,
+    ItemDim2Code,
+    ItemDim3Code,
+    PLU,
+    CreatedUserName,
+    CreatedDate,
+    LastUpdatedUserName,
+    LastUpdatedDate
+)
+SELECT
+    m.ItemTypeCode,
+    m.ItemCode,
+    m.ColorCode,
+    m.ItemDim1Code,
+    m.ItemDim2Code,
+    m.ItemDim3Code,
+    mp.BasePlu + ROW_NUMBER() OVER (ORDER BY m.ItemCode, m.ColorCode, m.ItemDim1Code, m.ItemDim2Code, m.ItemDim3Code),
+    @p2,
+    GETDATE(),
+    @p2,
+    GETDATE()
+FROM Missing m
+CROSS JOIN MaxPlu mp;
+`
+
+	res, err := mssql.Exec(query, orderHeaderID, username)
+	if err != nil {
+		return 0, err
+	}
+	return res.RowsAffected()
+}
+
+// ========================================================
+// OrderProductionUpdate - variant kontrolu ve guncelleme
+// ========================================================
+func GetOrderLineDims(mssql *sql.DB, orderHeaderID string, orderLineID string) (int16, string, string, string, error) {
+	var itemTypeCode int16
+	var dim1 string
+	var dim2 string
+	var dim3 string
+	err := mssql.QueryRow(`
+SELECT
+    ItemTypeCode,
+    ISNULL(ItemDim1Code,'') AS ItemDim1Code,
+    ISNULL(ItemDim2Code,'') AS ItemDim2Code,
+    ISNULL(ItemDim3Code,'') AS ItemDim3Code
+FROM dbo.trOrderLine
+WHERE OrderHeaderID = @p1 AND OrderLineID = @p2
+`, orderHeaderID, orderLineID).Scan(&itemTypeCode, &dim1, &dim2, &dim3)
+	return itemTypeCode, dim1, dim2, dim3, err
+}
+
+func VariantExists(mssql *sql.DB, itemTypeCode int16, itemCode string, colorCode string, dim1 string, dim2 string, dim3 string) (bool, error) {
+	var exists int
+	err := mssql.QueryRow(`
+SELECT TOP 1 1
+FROM dbo.prItemVariant
+WHERE ItemTypeCode = @p1
+  AND ItemCode     = @p2
+  AND ColorCode    = @p3
+  AND ISNULL(ItemDim1Code,'') = ISNULL(@p4,'')
+  AND ISNULL(ItemDim2Code,'') = ISNULL(@p5,'')
+  AND ISNULL(ItemDim3Code,'') = ISNULL(@p6,'')
+`, itemTypeCode, itemCode, colorCode, dim1, dim2, dim3).Scan(&exists)
+	if err == sql.ErrNoRows {
+		return false, nil
+	}
+	if err != nil {
+		return false, err
+	}
+	return true, nil
+}
+
+func InsertMissingVariantsTx(tx *sql.Tx, missing []models.OrderProductionMissingVariant, username string) (int64, error) {
+	if len(missing) == 0 {
+		return 0, nil
+	}
+
+	var basePlu int64
+	if err := tx.QueryRow(`
+SELECT ISNULL(MAX(PLU),0) AS BasePlu
+FROM dbo.prItemVariant WITH (UPDLOCK, HOLDLOCK)
+`).Scan(&basePlu); err != nil {
+		return 0, err
+	}
+
+	var inserted int64
+	for i, v := range missing {
+		plu := basePlu + int64(i) + 1
+		res, err := tx.Exec(`
+IF NOT EXISTS (
+    SELECT 1
+    FROM dbo.prItemVariant
+    WHERE ItemTypeCode = @p1
+      AND ItemCode     = @p2
+      AND ColorCode    = @p3
+      AND ISNULL(ItemDim1Code,'') = ISNULL(@p4,'')
+      AND ISNULL(ItemDim2Code,'') = ISNULL(@p5,'')
+      AND ISNULL(ItemDim3Code,'') = ISNULL(@p6,'')
+)
+INSERT INTO dbo.prItemVariant (
+    ItemTypeCode,
+    ItemCode,
+    ColorCode,
+    ItemDim1Code,
+    ItemDim2Code,
+    ItemDim3Code,
+    PLU,
+    CreatedUserName,
+    CreatedDate,
+    LastUpdatedUserName,
+    LastUpdatedDate
+)
+VALUES (
+    @p1, @p2, @p3, @p4, @p5, @p6,
+    @p7, @p8, GETDATE(), @p8, GETDATE()
+);
+`, v.ItemTypeCode, v.ItemCode, v.ColorCode, v.ItemDim1Code, v.ItemDim2Code, v.ItemDim3Code, plu, username)
+		if err != nil {
+			return inserted, err
+		}
+		if rows, err := res.RowsAffected(); err == nil {
+			inserted += rows
+		}
+	}
+	return inserted, nil
+}
+
+func UpdateOrderLinesTx(tx *sql.Tx, orderHeaderID string, lines []models.OrderProductionUpdateLine, username string) (int64, error) {
+	var updated int64
+	for _, line := range lines {
+		res, err := tx.Exec(`
+UPDATE dbo.trOrderLine
+SET
+    ItemCode = @p1,
+    ColorCode = @p2,
+    ItemDim2Code = @p3,
+    LineDescription = COALESCE(NULLIF(@p4,''), LineDescription),
+    LastUpdatedUserName = @p5,
+    LastUpdatedDate = GETDATE()
+WHERE OrderHeaderID = @p6 AND OrderLineID = @p7
+`, line.NewItemCode, line.NewColor, line.NewDim2, line.NewDesc, username, orderHeaderID, line.OrderLineID)
+		if err != nil {
+			return updated, err
+		}
+		if rows, err := res.RowsAffected(); err == nil {
+			updated += rows
+		}
+	}
+	return updated, nil
+}

svc/queries/orderproductionlist.go

@@ -0,0 +1,269 @@
+package queries
+
+import (
+	"bssapp-backend/auth"
+	"bssapp-backend/internal/authz"
+	"context"
+	"database/sql"
+	"fmt"
+)
+
+// ========================================================
+// 📌 GetOrderProductionList — Üretime verilecek ürün içeren siparişler
+// ========================================================
+func GetOrderProductionList(
+	ctx context.Context,
+	mssql *sql.DB,
+	pg *sql.DB,
+	search string,
+) (*sql.Rows, error) {
+
+	claims, ok := auth.GetClaimsFromContext(ctx)
+	if !ok || claims == nil {
+		return nil, fmt.Errorf("unauthorized: claims not found")
+	}
+
+	// ----------------------------------------------------
+	// 🔐 PIYASA FILTER (ADMIN BYPASS)
+	// ----------------------------------------------------
+	piyasaWhere := "1=1"
+
+	if !claims.IsAdmin() {
+
+		codes, err := authz.GetUserPiyasaCodes(pg, int(claims.ID))
+		if err != nil {
+			return nil, fmt.Errorf("piyasa codes load error: %w", err)
+		}
+
+		if len(codes) == 0 {
+			piyasaWhere = "1=0"
+		} else {
+			piyasaWhere = authz.BuildINClause(
+				"UPPER(f2.CustomerAtt01)",
+				codes,
+			)
+		}
+	}
+
+	// ----------------------------------------------------
+	// 📄 BASE QUERY (orderlist.go ile aynı kolonlar)
+	// ----------------------------------------------------
+	baseQuery := fmt.Sprintf(`
+SELECT
+    CAST(h.OrderHeaderID AS NVARCHAR(50))           AS OrderHeaderID,
+    ISNULL(h.OrderNumber, '')                      AS OrderNumber,
+    CONVERT(varchar, h.OrderDate, 23)              AS OrderDate,
+
+    ISNULL(h.CurrAccCode, '')                      AS CurrAccCode,
+    ISNULL(ca.CurrAccDescription, '')              AS CurrAccDescription,
+
+    ISNULL(mt.AttributeDescription, '')            AS MusteriTemsilcisi,
+    ISNULL(py.AttributeDescription, '')            AS Piyasa,
+
+    CONVERT(varchar, h.CreditableConfirmedDate,23) AS CreditableConfirmedDate,
+    ISNULL(h.DocCurrencyCode,'TRY')                AS DocCurrencyCode,
+
+    ISNULL(l.TotalAmount,0)                        AS TotalAmount,
+
+    ----------------------------------------------------------------
+    -- USD HESABI (TRY / EUR / GBP / USD DESTEKLİ)
+    ----------------------------------------------------------------
+    CASE
+        WHEN h.DocCurrencyCode = 'USD'
+            THEN ISNULL(l.TotalAmount,0)
+
+        WHEN h.DocCurrencyCode = 'TRY'
+             AND usd.Rate > 0
+            THEN ISNULL(l.TotalAmount,0) / usd.Rate
+
+        WHEN h.DocCurrencyCode IN ('EUR','GBP')
+             AND cur.Rate > 0
+             AND usd.Rate > 0
+            THEN (ISNULL(l.TotalAmount,0) * cur.Rate) / usd.Rate
+
+        ELSE 0
+    END                                            AS TotalAmountUSD,
+
+    ISNULL(l.PackedAmount,0)                       AS PackedAmount,
+
+    CASE
+        WHEN h.DocCurrencyCode = 'USD'
+            THEN ISNULL(l.PackedAmount,0)
+
+        WHEN h.DocCurrencyCode = 'TRY'
+             AND usd.Rate > 0
+            THEN ISNULL(l.PackedTRY,0) / usd.Rate
+
+        WHEN cur.Rate > 0
+             AND usd.Rate > 0
+            THEN (ISNULL(l.PackedAmount,0) * cur.Rate) / usd.Rate
+
+        ELSE 0
+    END                                            AS PackedUSD,
+
+    CASE
+        WHEN ISNULL(l.TotalAmount,0) > 0
+            THEN (ISNULL(l.PackedAmount,0) * 100.0) / NULLIF(l.TotalAmount,0)
+        ELSE 0
+    END                                            AS PackedRatePct,
+
+    ISNULL(h.IsCreditableConfirmed,0)              AS IsCreditableConfirmed,
+    CAST(1 AS bit)                                 AS HasUretimUrunu,
+    ISNULL(h.Description,'')                       AS Description,
+
+    usd.Rate                                       AS ExchangeRateUSD
+
+FROM dbo.trOrderHeader h
+
+-- ✅ TOPLAM ARTIK trOrderLineCurrency'den: CurrencyCode = DocCurrencyCode
+JOIN (
+    SELECT
+        l.OrderHeaderID,
+        SUM(ISNULL(c.NetAmount,0)) AS TotalAmount,
+        SUM(
+            CASE
+                WHEN ISNULL(c.CurrencyCode,'') = 'TRY'
+                    THEN ISNULL(c.NetAmount,0)
+                ELSE 0
+            END
+        ) AS TotalTRY,
+        SUM(
+            CASE
+                WHEN ISNULL(l.IsClosed,0) = 1
+                    THEN ISNULL(c.NetAmount,0)
+                ELSE 0
+            END
+        ) AS PackedAmount,
+        SUM(
+            CASE
+                WHEN ISNULL(l.IsClosed,0) = 1
+                     AND ISNULL(c.CurrencyCode,'') = 'TRY'
+                    THEN ISNULL(c.NetAmount,0)
+                ELSE 0
+            END
+        ) AS PackedTRY
+    FROM dbo.trOrderLine l
+    JOIN dbo.trOrderHeader h2
+      ON h2.OrderHeaderID = l.OrderHeaderID
+    LEFT JOIN dbo.trOrderLineCurrency c
+      ON c.OrderLineID  = l.OrderLineID
+     AND c.CurrencyCode = ISNULL(h2.DocCurrencyCode,'TRY')
+    GROUP BY l.OrderHeaderID
+) l
+  ON l.OrderHeaderID = h.OrderHeaderID
+
+LEFT JOIN dbo.cdCurrAccDesc ca
+  ON ca.CurrAccCode = h.CurrAccCode
+ AND ca.LangCode = 'TR'
+
+-- müşteri temsilcisi + piyasa açıklamaları
+LEFT JOIN dbo.CustomerAttributesFilter f
+  ON f.CurrAccCode = h.CurrAccCode
+
+LEFT JOIN dbo.cdCurrAccAttributeDesc mt
+  ON mt.CurrAccTypeCode    = 3
+ AND mt.AttributeTypeCode  = 2
+ AND mt.AttributeCode      = f.CustomerAtt02
+ AND mt.LangCode           = 'TR'
+
+LEFT JOIN dbo.cdCurrAccAttributeDesc py
+  ON py.CurrAccTypeCode    = 3
+ AND py.AttributeTypeCode  = 1
+ AND py.AttributeCode      = f.CustomerAtt01
+ AND py.LangCode           = 'TR'
+
+----------------------------------------------------------------
+-- USD → TRY
+----------------------------------------------------------------
+OUTER APPLY (
+    SELECT TOP 1 Rate
+    FROM dbo.AllExchangeRates
+    WHERE CurrencyCode = 'USD'
+      AND RelationCurrencyCode = 'TRY'
+      AND ExchangeTypeCode = 6
+      AND Rate > 0
+      AND Date <= CAST(GETDATE() AS date)
+    ORDER BY Date DESC
+) usd
+
+----------------------------------------------------------------
+-- ORDER PB → TRY
+----------------------------------------------------------------
+OUTER APPLY (
+    SELECT TOP 1 Rate
+    FROM dbo.AllExchangeRates
+    WHERE CurrencyCode = h.DocCurrencyCode
+      AND RelationCurrencyCode = 'TRY'
+      AND ExchangeTypeCode = 6
+      AND Rate > 0
+      AND Date <= CAST(GETDATE() AS date)
+    ORDER BY Date DESC
+) cur
+
+WHERE
+    ISNULL(h.IsCancelOrder,0) = 0
+    AND h.OrderTypeCode = 1
+    AND h.ProcessCode   = 'WS'
+    AND h.IsClosed      = 0
+    -- 🔐 PIYASA AUTHZ (EXISTS — SAĞLAM YOL)
+    AND EXISTS (
+        SELECT 1
+        FROM dbo.CustomerAttributesFilter f2
+        WHERE f2.CurrAccCode = h.CurrAccCode
+          AND %s
+    )
+    -- ✅ Üretime verilecek ürün filtresi
+    AND EXISTS (
+        SELECT 1
+        FROM dbo.trOrderLine l2
+        WHERE l2.OrderHeaderID = h.OrderHeaderID
+          AND ISNULL(l2.ItemCode,'') LIKE 'U%%'
+    )
+`, piyasaWhere)
+
+	// ----------------------------------------------------
+	// 🔍 SEARCH FILTER (CASE + TR SAFE)
+	// ----------------------------------------------------
+	if search != "" {
+		baseQuery += `
+AND EXISTS (
+  SELECT 1
+  FROM dbo.trOrderHeader h2
+  LEFT JOIN dbo.cdCurrAccDesc ca2
+    ON ca2.CurrAccCode = h2.CurrAccCode
+   AND ca2.LangCode = 'TR'
+  WHERE h2.OrderHeaderID = h.OrderHeaderID
+    AND (
+      LOWER(REPLACE(REPLACE(h2.OrderNumber,'İ','I'),'ı','i'))
+        COLLATE Latin1_General_CI_AI LIKE LOWER(@p1)
+
+      OR LOWER(REPLACE(REPLACE(h2.CurrAccCode,'İ','I'),'ı','i'))
+        COLLATE Latin1_General_CI_AI LIKE LOWER(@p1)
+
+      OR LOWER(REPLACE(REPLACE(ca2.CurrAccDescription,'İ','I'),'ı','i'))
+        COLLATE Latin1_General_CI_AI LIKE LOWER(@p1)
+
+      OR LOWER(REPLACE(REPLACE(h2.Description,'İ','I'),'ı','i'))
+        COLLATE Latin1_General_CI_AI LIKE LOWER(@p1)
+    )
+)
+`
+	}
+
+	// ----------------------------------------------------
+	// 📌 ORDER
+	// ----------------------------------------------------
+	baseQuery += `
+ORDER BY h.CreatedDate DESC
+`
+
+	// ----------------------------------------------------
+	// ▶ EXECUTE
+	// ----------------------------------------------------
+	if search != "" {
+		searchLike := fmt.Sprintf("%%%s%%", search)
+		return mssql.Query(baseQuery, searchLike)
+	}
+
+	return mssql.Query(baseQuery)
+}

svc/queries/statement_header.go

@@ -10,75 +10,136 @@ import (
 
 // Ana tabloyu getiren fonksiyon (Vue header tablosu için)
 func GetStatements(params models.StatementParams) ([]models.StatementHeader, error) {
+
 	// AccountCode normalize: "ZLA0127" → "ZLA 0127"
 	if len(params.AccountCode) == 7 && strings.ContainsAny(params.AccountCode, "0123456789") {
 		params.AccountCode = params.AccountCode[:3] + " " + params.AccountCode[3:]
 	}
+	if strings.TrimSpace(params.LangCode) == "" {
+		params.LangCode = "TR"
+	}
 
 	// Parislemler []string → '1','2','3'
 	parislemFilter := "''"
 	if len(params.Parislemler) > 0 {
-		quoted := make([]string, len(params.Parislemler))
+		quoted := make([]string, 0, len(params.Parislemler))
-		for i, v := range params.Parislemler {
+		for _, v := range params.Parislemler {
-			quoted[i] = fmt.Sprintf("'%s'", v)
+			v = strings.TrimSpace(v)
+			if v == "" {
+				continue
+			}
+			quoted = append(quoted, fmt.Sprintf("'%s'", strings.ReplaceAll(v, "'", "''")))
+		}
+		if len(quoted) > 0 {
+			parislemFilter = strings.Join(quoted, ",")
 		}
-		parislemFilter = strings.Join(quoted, ",")
 	}
 
 	query := fmt.Sprintf(`
-;WITH Opening AS (
+;WITH CurrDesc AS (
-    SELECT 
+    SELECT
-        b.CurrAccCode AS Cari_Kod,
+        CurrAccCode,
-        b.DocCurrencyCode AS Para_Birimi,
+        MAX(CurrAccDescription) AS CurrAccDescription
-        SUM(c.Debit - c.Credit) AS Devir_Bakiyesi
+    FROM cdCurrAccDesc
+    WHERE LangCode = @LangCode
+    GROUP BY CurrAccCode
+),
+
+/* =========================================================
+   ✅ Bu aralıkta hareket var mı?
+   Varsa : Devir = startdate öncesi
+   Yoksa : Devir = enddate dahil (enddate itibariyle bakiye)
+   ========================================================= */
+HasMovement AS (
+    SELECT
+        CASE WHEN EXISTS (
+            SELECT 1
+            FROM trCurrAccBook b
+            INNER JOIN CurrAccBookATAttributesFilter f
+              ON f.CurrAccBookID = b.CurrAccBookID
+             AND f.ATAtt01 IN (%s)
+            WHERE b.CurrAccCode LIKE '%%' + @Carikod + '%%'
+              AND b.DocumentDate BETWEEN @startdate AND @enddate
+        ) THEN 1 ELSE 0 END AS HasMov
+),
+
+/* =========================================================
+   ✅ Opening (Devir) — TEK CARİ KOD ALTINDA KONSOLİDE
+   Cari_Kod = @Carikod (sabit)
+   ========================================================= */
+Opening AS (
+    SELECT
+        @Carikod           AS Cari_Kod,
+        b.DocCurrencyCode  AS Para_Birimi,
+        SUM(ISNULL(c.Debit,0) - ISNULL(c.Credit,0)) AS Devir_Bakiyesi
     FROM trCurrAccBook b
+    CROSS JOIN HasMovement hm
+    INNER JOIN CurrAccBookATAttributesFilter f2
+      ON f2.CurrAccBookID = b.CurrAccBookID
+     AND f2.ATAtt01 IN (%s)
     LEFT JOIN trCurrAccBookCurrency c
       ON c.CurrAccBookID = b.CurrAccBookID
      AND c.CurrencyCode  = b.DocCurrencyCode
     WHERE b.CurrAccCode LIKE '%%' + @Carikod + '%%'
-      AND b.DocumentDate < @startdate
+      AND (
-      AND EXISTS (
+            (hm.HasMov = 1 AND b.DocumentDate <  @startdate)  -- hareket varsa: klasik devir
-            SELECT 1
+         OR (hm.HasMov = 0 AND b.DocumentDate <= @enddate)    -- hareket yoksa: enddate itibariyle bakiye
-            FROM CurrAccBookATAttributesFilter f2
-            WHERE f2.CurrAccBookID = b.CurrAccBookID
-              AND f2.ATAtt01 IN (%s)
       )
-    GROUP BY b.CurrAccCode, b.DocCurrencyCode
+    GROUP BY b.DocCurrencyCode
 ),
+
+/* =========================================================
+   ✅ Hareketler (Movements) — TEK CARİ KOD ALTINDA KONSOLİDE
+   Cari_Kod = @Carikod (sabit)
+   Running sadece aralıktaki hareketlerden gelir.
+   ========================================================= */
 Movements AS (
-    SELECT 
+    SELECT
-        b.CurrAccCode        AS Cari_Kod,
+        @Carikod AS Cari_Kod,
-        d.CurrAccDescription AS Cari_Isim,
+
-        CONVERT(varchar(10), b.DocumentDate, 23) AS Belge_Tarihi, 
+        COALESCE(
-        CONVERT(varchar(10), b.DueDate, 23)      AS Vade_Tarihi, 
+            (SELECT TOP 1 cd.CurrAccDescription
-        b.RefNumber          AS Belge_No,
+             FROM CurrDesc cd
+             WHERE cd.CurrAccCode = @Carikod),
+            (SELECT TOP 1 cd.CurrAccDescription
+             FROM CurrDesc cd
+             WHERE cd.CurrAccCode LIKE '%%' + @Carikod + '%%'
+             ORDER BY cd.CurrAccCode)
+        ) AS Cari_Isim,
+
+        CONVERT(varchar(10), b.DocumentDate, 23) AS Belge_Tarihi,
+        CONVERT(varchar(10), b.DueDate, 23)      AS Vade_Tarihi,
+
+        b.RefNumber           AS Belge_No,
         b.BaseApplicationCode AS Islem_Tipi,
-        b.LineDescription    AS Aciklama,
+        b.LineDescription     AS Aciklama,
-        b.DocCurrencyCode    AS Para_Birimi,
+
-        c.Debit              AS Borc,
+        b.DocCurrencyCode     AS Para_Birimi,
-        c.Credit             AS Alacak,
+
-        SUM(c.Debit - c.Credit)
+        ISNULL(c.Debit,0)     AS Borc,
-            OVER (PARTITION BY b.CurrAccCode, c.CurrencyCode 
+        ISNULL(c.Credit,0)    AS Alacak,
-                  ORDER BY b.DocumentDate, b.CurrAccBookID) AS Hareket_Bakiyesi,
+
+        SUM(ISNULL(c.Debit,0) - ISNULL(c.Credit,0))
+            OVER (
+              PARTITION BY b.DocCurrencyCode
+              ORDER BY b.DocumentDate, b.CurrAccBookID
+            ) AS Hareket_Bakiyesi,
+
         f.ATAtt01 AS Parislemtipi
+
     FROM trCurrAccBook b
-    LEFT JOIN cdCurrAccDesc d
+    INNER JOIN CurrAccBookATAttributesFilter f
-        ON b.CurrAccCode = d.CurrAccCode 
+      ON f.CurrAccBookID = b.CurrAccBookID
+     AND f.ATAtt01 IN (%s)
     LEFT JOIN trCurrAccBookCurrency c
-        ON b.CurrAccBookID = c.CurrAccBookID
+      ON c.CurrAccBookID = b.CurrAccBookID
-       AND b.DocCurrencyCode = c.CurrencyCode
+     AND c.CurrencyCode  = b.DocCurrencyCode
-    LEFT JOIN CurrAccBookATAttributesFilter f
+
-        ON b.CurrAccBookID = f.CurrAccBookID
     WHERE b.CurrAccCode LIKE '%%' + @Carikod + '%%'
       AND b.DocumentDate BETWEEN @startdate AND @enddate
-      AND EXISTS (
+)
-            SELECT 1 
+
-            FROM CurrAccBookATAttributesFilter f2
+SELECT
-            WHERE f2.CurrAccBookID = b.CurrAccBookID
-              AND f2.ATAtt01 IN (%s)
-      )
-) 
-SELECT 
     m.Cari_Kod,
     m.Cari_Isim,
     m.Belge_Tarihi,
@@ -89,52 +150,62 @@ SELECT
     m.Para_Birimi,
     m.Borc,
     m.Alacak,
+
+    /* ✅ Bakiye = Devir + Aralıktaki Running */
     ISNULL(o.Devir_Bakiyesi,0) + m.Hareket_Bakiyesi AS Bakiye,
+
     m.Parislemtipi AS Parislemler
+
 FROM Movements m
 LEFT JOIN Opening o
-  ON o.Cari_Kod = m.Cari_Kod
+  ON o.Cari_Kod    = m.Cari_Kod
  AND o.Para_Birimi = m.Para_Birimi
 
 UNION ALL
 
--- Devir satırı
+/* =========================================================
-SELECT  
+   ✅ Devir Satırı (kur bazında) — Opening'den gelir
-    @Carikod                    AS Cari_Kod,
+   Hareket varsa: startdate öncesi
-    MAX(d.CurrAccDescription)   AS Cari_Isim,
+   Hareket yoksa: enddate itibariyle bakiye
-    CONVERT(varchar(10), @startdate, 23) AS Belge_Tarihi, 
+   ========================================================= */
-    CONVERT(varchar(10), @startdate, 23) AS Vade_Tarihi, 
+SELECT
-    'Baslangic_devir'           AS Belge_No,
+    o.Cari_Kod,
-    'Devir'                     AS Islem_Tipi,
+    COALESCE(
-    'Devir Bakiyesi'            AS Aciklama,
+        (SELECT TOP 1 cd.CurrAccDescription
-    b.DocCurrencyCode           AS Para_Birimi,
+         FROM CurrDesc cd
-    SUM(c.Debit)                AS Borc,
+         WHERE cd.CurrAccCode = @Carikod),
-    SUM(c.Credit)               AS Alacak,
+        (SELECT TOP 1 cd.CurrAccDescription
-    SUM(c.Debit) - SUM(c.Credit) AS Bakiye,
+         FROM CurrDesc cd
-    (
+         WHERE cd.CurrAccCode LIKE '%%' + @Carikod + '%%'
-      SELECT STRING_AGG(x.ATAtt01, ',')
+         ORDER BY cd.CurrAccCode)
-      FROM (
+    ) AS Cari_Isim,
-        SELECT DISTINCT f2.ATAtt01
-        FROM CurrAccBookATAttributesFilter f2
-        INNER JOIN trCurrAccBook bb
-          ON f2.CurrAccBookID = bb.CurrAccBookID
-        WHERE bb.CurrAccCode LIKE '%%' + @Carikod + '%%'
-          AND bb.DocumentDate < @startdate
-          AND f2.ATAtt01 IN (%s)
-      ) x
-    ) AS Parislemler
-FROM trCurrAccBook b
-LEFT JOIN cdCurrAccDesc d
-    ON b.CurrAccCode = d.CurrAccCode 
-LEFT JOIN trCurrAccBookCurrency c
-    ON b.CurrAccBookID = c.CurrAccBookID
-   AND b.DocCurrencyCode = c.CurrencyCode
-WHERE b.CurrAccCode LIKE '%%' + @Carikod + '%%'
-  AND b.DocumentDate < @startdate
-GROUP BY b.DocCurrencyCode
 
-ORDER BY Para_Birimi, Belge_Tarihi;
+    CONVERT(varchar(10), @startdate, 23) AS Belge_Tarihi,
-`, parislemFilter, parislemFilter, parislemFilter)
+    CONVERT(varchar(10), @startdate, 23) AS Vade_Tarihi,
+
+    'Baslangic_devir' AS Belge_No,
+    'Devir'           AS Islem_Tipi,
+    'Devir Bakiyesi'  AS Aciklama,
+
+    o.Para_Birimi,
+
+    CASE WHEN o.Devir_Bakiyesi >= 0 THEN o.Devir_Bakiyesi ELSE 0 END AS Borc,
+    CASE WHEN o.Devir_Bakiyesi <  0 THEN ABS(o.Devir_Bakiyesi) ELSE 0 END AS Alacak,
+
+    o.Devir_Bakiyesi AS Bakiye,
+
+    CAST(NULL AS varchar(32)) AS Parislemler
+
+FROM Opening o
+
+ORDER BY
+    Para_Birimi,
+    Belge_Tarihi;
+`,
+		parislemFilter, // HasMovement
+		parislemFilter, // Opening
+		parislemFilter, // Movements
+	)
 
 	rows, err := db.MssqlDB.Query(query,
 		sql.Named("startdate", params.StartDate),

svc/queries/statement_header_pdf.go

@@ -1,187 +1,18 @@
-// queries/statements_header_pdf.go
 package queries
 
 import (
-	"bssapp-backend/db"
 	"bssapp-backend/models"
-	"database/sql"
-	"fmt"
 	"log"
-	"strings"
 )
 
-// küçük yardımcı: boşlukları temizle, her değeri ayrı tırnakla sar
-func buildQuotedHList(vals []string) string {
-	var pp []string
-	for _, v := range vals {
-		v = strings.TrimSpace(v)
-		if v != "" {
-			pp = append(pp, fmt.Sprintf("'%s'", v)) // '1','2' gibi
-		}
-	}
-	if len(pp) == 0 {
-		return ""
-	}
-	return strings.Join(pp, ",")
-}
-
-/* ============================ HEADER (Ana Tablo) ============================ */
-
 func GetStatementsHPDF(accountCode, startDate, endDate string, parislemler []string) ([]models.StatementHeader, []string, error) {
-	// Account normalize
+	headers, err := getStatementsForPDF(accountCode, startDate, endDate, parislemler)
-	if len(accountCode) == 7 && strings.ContainsAny(accountCode, "0123456789") {
-		accountCode = accountCode[:3] + " " + accountCode[3:]
-	}
-
-	// IN list parse et
-	inList := buildQuotedHList(parislemler)
-	parislemCond := "''"
-	if inList != "" {
-		parislemCond = inList
-	}
-
-	query := fmt.Sprintf(`
-;WITH Opening AS (
-    SELECT 
-        b.CurrAccCode AS Cari_Kod,
-        b.DocCurrencyCode AS Para_Birimi,
-        SUM(c.Debit - c.Credit) AS Devir_Bakiyesi
-    FROM trCurrAccBook b
-    LEFT JOIN trCurrAccBookCurrency c
-      ON c.CurrAccBookID = b.CurrAccBookID
-     AND c.CurrencyCode  = b.DocCurrencyCode
-    WHERE b.CurrAccCode LIKE @Carikod
-      AND b.DocumentDate < @StartDate
-      AND EXISTS (
-            SELECT 1
-            FROM CurrAccBookATAttributesFilter f2
-            WHERE f2.CurrAccBookID = b.CurrAccBookID
-              AND f2.ATAtt01 IN (%s)
-      )
-    GROUP BY b.CurrAccCode, b.DocCurrencyCode
-),
-Movements AS (
-    SELECT 
-        b.CurrAccCode        AS Cari_Kod,
-        d.CurrAccDescription AS Cari_Isim,
-        CONVERT(varchar(10), b.DocumentDate, 23) AS Belge_Tarihi, 
-        CONVERT(varchar(10), b.DueDate, 23)      AS Vade_Tarihi, 
-        b.RefNumber          AS Belge_No,
-        b.BaseApplicationCode AS Islem_Tipi,
-        b.LineDescription    AS Aciklama,
-        b.DocCurrencyCode    AS Para_Birimi,
-        c.Debit              AS Borc,
-        c.Credit             AS Alacak,
-        SUM(c.Debit - c.Credit)
-            OVER (PARTITION BY b.CurrAccCode, c.CurrencyCode 
-                  ORDER BY b.DocumentDate, b.CurrAccBookID) AS Hareket_Bakiyesi,
-        f.ATAtt01 AS Parislemler
-    FROM trCurrAccBook b
-    LEFT JOIN cdCurrAccDesc d
-        ON b.CurrAccCode = d.CurrAccCode AND d.LangCode = 'TR'
-    LEFT JOIN trCurrAccBookCurrency c
-        ON b.CurrAccBookID = c.CurrAccBookID
-       AND b.DocCurrencyCode = c.CurrencyCode
-    LEFT JOIN CurrAccBookATAttributesFilter f
-        ON b.CurrAccBookID = f.CurrAccBookID
-    WHERE b.CurrAccCode LIKE @Carikod
-      AND b.DocumentDate BETWEEN @StartDate AND @EndDate
-      AND EXISTS (
-            SELECT 1 
-            FROM CurrAccBookATAttributesFilter f2
-            WHERE f2.CurrAccBookID = b.CurrAccBookID
-              AND f2.ATAtt01 IN (%s)
-      )
-)`, parislemCond, parislemCond)
-	query += fmt.Sprintf(`
-SELECT 
-    m.Cari_Kod,
-    m.Cari_Isim,
-    m.Belge_Tarihi,
-    m.Vade_Tarihi,
-    m.Belge_No,
-    m.Islem_Tipi,
-    m.Aciklama,
-    m.Para_Birimi,
-    m.Borc,
-    m.Alacak,
-    ISNULL(o.Devir_Bakiyesi,0) + m.Hareket_Bakiyesi AS Bakiye,
-    m.Parislemler
-FROM Movements m
-LEFT JOIN Opening o
-  ON o.Cari_Kod = m.Cari_Kod
- AND o.Para_Birimi = m.Para_Birimi
-
-UNION ALL
-
--- Devir satırı
-SELECT  
-    @Carikod                    AS Cari_Kod,
-    MAX(d.CurrAccDescription)   AS Cari_Isim,
-    CONVERT(varchar(10), @StartDate, 23) AS Belge_Tarihi, 
-    CONVERT(varchar(10), @StartDate, 23) AS Vade_Tarihi, 
-    'Baslangic_devir'           AS Belge_No,
-    'Devir'                     AS Islem_Tipi,
-    'Devir Bakiyesi'            AS Aciklama,
-    b.DocCurrencyCode           AS Para_Birimi,
-    SUM(c.Debit)                AS Borc,
-    SUM(c.Credit)               AS Alacak,
-    SUM(c.Debit) - SUM(c.Credit) AS Bakiye,
-    (
-      SELECT STRING_AGG(x.ATAtt01, ',')
-      FROM (
-        SELECT DISTINCT f2.ATAtt01
-        FROM CurrAccBookATAttributesFilter f2
-        INNER JOIN trCurrAccBook bb
-          ON f2.CurrAccBookID = bb.CurrAccBookID
-        WHERE bb.CurrAccCode LIKE @Carikod
-          AND bb.DocumentDate < @StartDate
-          AND f2.ATAtt01 IN (%s)
-      ) x
-    ) AS Parislemler
-FROM trCurrAccBook b
-LEFT JOIN cdCurrAccDesc d
-    ON b.CurrAccCode = d.CurrAccCode AND d.LangCode = 'TR'
-LEFT JOIN trCurrAccBookCurrency c
-    ON b.CurrAccBookID = c.CurrAccBookID
-   AND b.DocCurrencyCode = c.CurrencyCode
-WHERE b.CurrAccCode LIKE @Carikod
-  AND b.DocumentDate < @StartDate
-GROUP BY b.DocCurrencyCode
-
-ORDER BY Para_Birimi, Belge_Tarihi;`, parislemCond)
-
-	rows, err := db.MssqlDB.Query(query,
-		sql.Named("Carikod", "%"+accountCode+"%"),
-		sql.Named("StartDate", startDate),
-		sql.Named("EndDate", endDate),
-	)
 	if err != nil {
-		log.Printf("❌ Header sorgu hatası: %v", err)
+		log.Printf("Header query error: %v", err)
-		return nil, nil, fmt.Errorf("header sorgu hatası: %v", err)
+		return nil, nil, err
 	}
-	defer rows.Close()
 
-	var headers []models.StatementHeader
+	belgeNos := collectBelgeNos(headers)
-	var belgeNos []string
+	log.Printf("Header rows fetched: %d, belge no count: %d", len(headers), len(belgeNos))
-	for rows.Next() {
-		var h models.StatementHeader
-		if err := rows.Scan(
-			&h.CariKod, &h.CariIsim,
-			&h.BelgeTarihi, &h.VadeTarihi,
-			&h.BelgeNo, &h.IslemTipi,
-			&h.Aciklama, &h.ParaBirimi,
-			&h.Borc, &h.Alacak,
-			&h.Bakiye, &h.Parislemler,
-		); err != nil {
-			log.Printf("❌ Header scan hatası: %v", err)
-			return nil, nil, err
-		}
-		headers = append(headers, h)
-		if h.BelgeNo != "" {
-			belgeNos = append(belgeNos, h.BelgeNo)
-		}
-	}
-	log.Printf("✅ Header verileri alındı: %d kayıt, %d belge no", len(headers), len(belgeNos))
 	return headers, belgeNos, nil
 }

svc/queries/statement_pdf_common.go

@@ -0,0 +1,35 @@
+package queries
+
+import "bssapp-backend/models"
+
+func getStatementsForPDF(
+	accountCode string,
+	startDate string,
+	endDate string,
+	parislemler []string,
+) ([]models.StatementHeader, error) {
+	return GetStatements(models.StatementParams{
+		AccountCode: accountCode,
+		StartDate:   startDate,
+		EndDate:     endDate,
+		LangCode:    "TR",
+		Parislemler: parislemler,
+	})
+}
+
+func collectBelgeNos(headers []models.StatementHeader) []string {
+	seen := make(map[string]struct{}, len(headers))
+	out := make([]string, 0, len(headers))
+	for _, h := range headers {
+		no := h.BelgeNo
+		if no == "" || no == "Baslangic_devir" {
+			continue
+		}
+		if _, ok := seen[no]; ok {
+			continue
+		}
+		seen[no] = struct{}{}
+		out = append(out, no)
+	}
+	return out
+}

svc/queries/statements_detail.go

@@ -31,9 +31,17 @@ SELECT
     COALESCE(MAX(KisaKarDesc.AttributeDescription), '')   AS Icerik,
     a.ItemCode       AS Urun_Kodu,
     a.ColorCode      AS Urun_Rengi,
-    SUM(a.Qty1)      AS Toplam_Adet,
+    SUM(a.Qty1) AS Toplam_Adet,
-    SUM(ABS(a.Doc_Price)) AS Toplam_Fiyat,
+
-    CAST(SUM(a.Qty1 * ABS(a.Doc_Price)) AS numeric(18,2)) AS Toplam_Tutar
+CAST(
+    SUM(a.Qty1 * ABS(a.Doc_Price)) 
+    / NULLIF(SUM(a.Qty1),0)
+AS numeric(18,4)) AS Doviz_Fiyat,
+
+CAST(
+    SUM(a.Qty1 * ABS(a.Doc_Price)) 
+AS numeric(18,2)) AS Toplam_Tutar
+
 FROM AllInvoicesWithAttributes a
 LEFT JOIN prItemAttribute AnaGrup
     ON a.ItemCode = AnaGrup.ItemCode AND AnaGrup.AttributeTypeCode = 1

svc/queries/statements_pdf.go

@@ -10,179 +10,15 @@ import (
 	"strings"
 )
 
-// küçük yardımcı: boşlukları temizle, her değeri ayrı tırnakla sar
-func buildQuotedList(vals []string) string {
-	var pp []string
-	for _, v := range vals {
-		v = strings.TrimSpace(v)
-		if v != "" {
-			pp = append(pp, fmt.Sprintf("'%s'", v)) // '1','2' gibi
-		}
-	}
-	if len(pp) == 0 {
-		return ""
-	}
-	return strings.Join(pp, ",")
-}
-
-/* ============================ HEADER (Ana Tablo) ============================ */
-
 func GetStatementsPDF(accountCode, startDate, endDate string, parislemler []string) ([]models.StatementHeader, []string, error) {
-	// Account normalize
+	headers, err := getStatementsForPDF(accountCode, startDate, endDate, parislemler)
-	if len(accountCode) == 7 && strings.ContainsAny(accountCode, "0123456789") {
-		accountCode = accountCode[:3] + " " + accountCode[3:]
-	}
-
-	// IN list parse et
-	inList := buildQuotedList(parislemler)
-	parislemCond := "''"
-	if inList != "" {
-		parislemCond = inList
-	}
-
-	query := fmt.Sprintf(`
-;WITH Opening AS (
-    SELECT 
-        b.CurrAccCode AS Cari_Kod,
-        b.DocCurrencyCode AS Para_Birimi,
-        SUM(c.Debit - c.Credit) AS Devir_Bakiyesi
-    FROM trCurrAccBook b
-    LEFT JOIN trCurrAccBookCurrency c
-      ON c.CurrAccBookID = b.CurrAccBookID
-     AND c.CurrencyCode  = b.DocCurrencyCode
-    WHERE b.CurrAccCode LIKE @Carikod
-      AND b.DocumentDate < @StartDate
-      AND EXISTS (
-            SELECT 1
-            FROM CurrAccBookATAttributesFilter f2
-            WHERE f2.CurrAccBookID = b.CurrAccBookID
-              AND f2.ATAtt01 IN (%s)
-      )
-    GROUP BY b.CurrAccCode, b.DocCurrencyCode
-),
-Movements AS (
-    SELECT 
-        b.CurrAccCode        AS Cari_Kod,
-        d.CurrAccDescription AS Cari_Isim,
-        CONVERT(varchar(10), b.DocumentDate, 23) AS Belge_Tarihi, 
-        CONVERT(varchar(10), b.DueDate, 23)      AS Vade_Tarihi, 
-        b.RefNumber          AS Belge_No,
-        b.BaseApplicationCode AS Islem_Tipi,
-        b.LineDescription    AS Aciklama,
-        b.DocCurrencyCode    AS Para_Birimi,
-        c.Debit              AS Borc,
-        c.Credit             AS Alacak,
-        SUM(c.Debit - c.Credit)
-            OVER (PARTITION BY b.CurrAccCode, c.CurrencyCode 
-                  ORDER BY b.DocumentDate, b.CurrAccBookID) AS Hareket_Bakiyesi,
-        f.ATAtt01 AS Parislemler
-    FROM trCurrAccBook b
-    LEFT JOIN cdCurrAccDesc d
-        ON b.CurrAccCode = d.CurrAccCode AND d.LangCode = 'TR'
-    LEFT JOIN trCurrAccBookCurrency c
-        ON b.CurrAccBookID = c.CurrAccBookID
-       AND b.DocCurrencyCode = c.CurrencyCode
-    LEFT JOIN CurrAccBookATAttributesFilter f
-        ON b.CurrAccBookID = f.CurrAccBookID
-    WHERE b.CurrAccCode LIKE @Carikod
-      AND b.DocumentDate BETWEEN @StartDate AND @EndDate
-      AND EXISTS (
-            SELECT 1 
-            FROM CurrAccBookATAttributesFilter f2
-            WHERE f2.CurrAccBookID = b.CurrAccBookID
-              AND f2.ATAtt01 IN (%s)
-      )
-)`, parislemCond, parislemCond)
-	query += fmt.Sprintf(`
-SELECT 
-    m.Cari_Kod,
-    m.Cari_Isim,
-    m.Belge_Tarihi,
-    m.Vade_Tarihi,
-    m.Belge_No,
-    m.Islem_Tipi,
-    m.Aciklama,
-    m.Para_Birimi,
-    m.Borc,
-    m.Alacak,
-    ISNULL(o.Devir_Bakiyesi,0) + m.Hareket_Bakiyesi AS Bakiye,
-    m.Parislemler
-FROM Movements m
-LEFT JOIN Opening o
-  ON o.Cari_Kod = m.Cari_Kod
- AND o.Para_Birimi = m.Para_Birimi
-
-UNION ALL
-
--- Devir satırı
-SELECT  
-    @Carikod                    AS Cari_Kod,
-    MAX(d.CurrAccDescription)   AS Cari_Isim,
-    CONVERT(varchar(10), @StartDate, 23) AS Belge_Tarihi, 
-    CONVERT(varchar(10), @StartDate, 23) AS Vade_Tarihi, 
-    'Baslangic_devir'           AS Belge_No,
-    'Devir'                     AS Islem_Tipi,
-    'Devir Bakiyesi'            AS Aciklama,
-    b.DocCurrencyCode           AS Para_Birimi,
-    SUM(c.Debit)                AS Borc,
-    SUM(c.Credit)               AS Alacak,
-    SUM(c.Debit) - SUM(c.Credit) AS Bakiye,
-    (
-      SELECT STRING_AGG(x.ATAtt01, ',')
-      FROM (
-        SELECT DISTINCT f2.ATAtt01
-        FROM CurrAccBookATAttributesFilter f2
-        INNER JOIN trCurrAccBook bb
-          ON f2.CurrAccBookID = bb.CurrAccBookID
-        WHERE bb.CurrAccCode LIKE @Carikod
-          AND bb.DocumentDate < @StartDate
-          AND f2.ATAtt01 IN (%s)
-      ) x
-    ) AS Parislemler
-FROM trCurrAccBook b
-LEFT JOIN cdCurrAccDesc d
-    ON b.CurrAccCode = d.CurrAccCode AND d.LangCode = 'TR'
-LEFT JOIN trCurrAccBookCurrency c
-    ON b.CurrAccBookID = c.CurrAccBookID
-   AND b.DocCurrencyCode = c.CurrencyCode
-WHERE b.CurrAccCode LIKE @Carikod
-  AND b.DocumentDate < @StartDate
-GROUP BY b.DocCurrencyCode
-
-ORDER BY Para_Birimi, Belge_Tarihi;`, parislemCond)
-
-	rows, err := db.MssqlDB.Query(query,
-		sql.Named("Carikod", "%"+accountCode+"%"),
-		sql.Named("StartDate", startDate),
-		sql.Named("EndDate", endDate),
-	)
 	if err != nil {
-		log.Printf("❌ Header sorgu hatası: %v", err)
+		log.Printf("Header query error: %v", err)
-		return nil, nil, fmt.Errorf("header sorgu hatası: %v", err)
+		return nil, nil, err
 	}
-	defer rows.Close()
 
-	var headers []models.StatementHeader
+	belgeNos := collectBelgeNos(headers)
-	var belgeNos []string
+	log.Printf("Header rows fetched: %d, belge no count: %d", len(headers), len(belgeNos))
-	for rows.Next() {
-		var h models.StatementHeader
-		if err := rows.Scan(
-			&h.CariKod, &h.CariIsim,
-			&h.BelgeTarihi, &h.VadeTarihi,
-			&h.BelgeNo, &h.IslemTipi,
-			&h.Aciklama, &h.ParaBirimi,
-			&h.Borc, &h.Alacak,
-			&h.Bakiye, &h.Parislemler,
-		); err != nil {
-			log.Printf("❌ Header scan hatası: %v", err)
-			return nil, nil, err
-		}
-		headers = append(headers, h)
-		if h.BelgeNo != "" {
-			belgeNos = append(belgeNos, h.BelgeNo)
-		}
-	}
-	log.Printf("✅ Header verileri alındı: %d kayıt, %d belge no", len(headers), len(belgeNos))
 	return headers, belgeNos, nil
 }
 
@@ -191,7 +27,7 @@ ORDER BY Para_Birimi, Belge_Tarihi;`, parislemCond)
 func GetDetailsMapPDF(belgeNos []string, startDate, endDate string) (map[string][]models.StatementDetail, error) {
 	result := make(map[string][]models.StatementDetail)
 	if len(belgeNos) == 0 {
-		log.Println("⚠️ GetDetailsMapPDF: belge listesi boş")
+		log.Println("GetDetailsMapPDF: belge listesi bos")
 		return result, nil
 	}
 
@@ -219,7 +55,11 @@ SELECT
    MAX(ISNULL(KisaKarDesc.AttributeDescription, '')) AS Icerik,
 
     a.ItemCode, a.ColorCode,
-    SUM(a.Qty1), SUM(ABS(a.Doc_Price)),
+    SUM(a.Qty1),
+    CAST(
+        SUM(a.Qty1 * ABS(a.Doc_Price))
+        / NULLIF(SUM(a.Qty1), 0)
+    AS numeric(18,4)),
     CAST(SUM(a.Qty1 * ABS(a.Doc_Price)) AS numeric(18,2))
 
 FROM AllInvoicesWithAttributes a
@@ -258,7 +98,7 @@ LEFT JOIN cdItemAttributeDesc FitDesc
  AND FitTbl.AttributeCode     = FitDesc.AttributeCode
  AND FitTbl.ItemTypeCode      = FitDesc.ItemTypeCode
 
--- Kısa Karışım
+-- Kisa Karisim
 LEFT JOIN prItemAttribute KisaKar
   ON a.ItemCode = KisaKar.ItemCode AND KisaKar.AttributeTypeCode = 41
 LEFT JOIN cdItemAttributeDesc KisaKarDesc
@@ -274,8 +114,8 @@ ORDER BY a.InvoiceNumber, a.ItemCode, a.ColorCode;`, inBelge)
 		sql.Named("EndDate", endDate),
 	)
 	if err != nil {
-		log.Printf("❌ Detay sorgu hatası: %v", err)
+		log.Printf("Detail query error: %v", err)
-		return nil, fmt.Errorf("detay sorgu hatası: %v", err)
+		return nil, fmt.Errorf("detay sorgu hatasi: %v", err)
 	}
 	defer rows.Close()
 
@@ -295,11 +135,11 @@ ORDER BY a.InvoiceNumber, a.ItemCode, a.ColorCode;`, inBelge)
 			&d.ToplamFiyat,
 			&d.ToplamTutar,
 		); err != nil {
-			log.Printf("❌ Detay scan hatası: %v", err)
+			log.Printf("Detail scan error: %v", err)
 			return nil, err
 		}
 		result[d.BelgeRefNumarasi] = append(result[d.BelgeRefNumarasi], d)
 	}
-	log.Printf("✅ Detay verileri alındı: %d belge için detay var", len(result))
+	log.Printf("Detail rows fetched for %d belge", len(result))
 	return result, nil
 }

svc/queries/user_detail.go

@@ -85,7 +85,7 @@ SET
   full_name  = $4,
   email      = $5,
   mobile     = $6,
-  address    = NULLIF($7, ''),
+  address    = COALESCE($7, ''),
   updated_at = NOW()
 WHERE id = $1
 `

svc/repository/user_repo.go

@@ -234,11 +234,18 @@ func (r *UserRepository) GetLegacyUserForLogin(login string) (*models.User, erro
 			COALESCE(u.upass,'') as upass,
 			u.is_active,
 			COALESCE(u.email,''),
-			COALESCE(u.dfrole_id,0) as role_id,
+			COALESCE(ru.dfrole_id,0) as role_id,
 			COALESCE(dr.code,'')    as role_code,
 			COALESCE(u.force_password_change,false)
 		FROM dfusr u
-		LEFT JOIN dfrole dr ON dr.id = u.dfrole_id
+		LEFT JOIN LATERAL (
+			SELECT dfrole_id
+			FROM dfrole_usr
+			WHERE dfusr_id = u.id
+			ORDER BY dfrole_id
+			LIMIT 1
+		) ru ON true
+		LEFT JOIN dfrole dr ON dr.id = ru.dfrole_id
 		WHERE u.is_active = true
 		  AND (
 			LOWER(u.code)  = LOWER($1)

svc/routes/admin_reset_password.go

@@ -62,7 +62,7 @@ func AdminResetPasswordHandler(db *sql.DB) http.HandlerFunc {
 		// ---------------------------------------------------
 		// 4️⃣ UPDATE mk_dfusr
 		// ---------------------------------------------------
-		_, err = db.Exec(`
+		res, err := db.Exec(`
 			UPDATE mk_dfusr
 			SET
 				password_hash = $1,
@@ -77,6 +77,24 @@ func AdminResetPasswordHandler(db *sql.DB) http.HandlerFunc {
 			return
 		}
 
+		affected, _ := res.RowsAffected()
+		if affected == 0 {
+			_, err = db.Exec(`
+				UPDATE dfusr
+				SET
+					upass = $1,
+					force_password_change = true,
+					last_updated_date = NOW()
+				WHERE id = $2
+				  AND is_active = true
+			`, string(hash), userID)
+
+			if err != nil {
+				http.Error(w, "legacy password reset failed", http.StatusInternalServerError)
+				return
+			}
+		}
+
 		// ---------------------------------------------------
 		// 5️⃣ REFRESH TOKEN REVOKE
 		// ---------------------------------------------------

svc/routes/first_password_change.go

@@ -6,10 +6,13 @@ import (
 	"bssapp-backend/internal/security"
 	"bssapp-backend/models"
 	"bssapp-backend/repository"
+	"bssapp-backend/services"
 	"database/sql"
 	"encoding/json"
+	"errors"
 	"log"
 	"net/http"
+	"strings"
 	"time"
 
 	"golang.org/x/crypto/bcrypt"
@@ -17,115 +20,254 @@ import (
 
 func FirstPasswordChangeHandler(db *sql.DB) http.HandlerFunc {
 	return func(w http.ResponseWriter, r *http.Request) {
-
 		w.Header().Set("Content-Type", "application/json; charset=utf-8")
 
-		// --------------------------------------------------
-		// 1️⃣ JWT CLAIMS
-		// --------------------------------------------------
 		claims, ok := auth.GetClaimsFromContext(r.Context())
 		if !ok || claims == nil {
-			http.Error(w, "unauthorized", http.StatusUnauthorized)
+			log.Printf(
+				"FIRST_PASSWORD_CHANGE 401 reason=claims_missing method=%s path=%s",
+				r.Method,
+				r.URL.Path,
+			)
+			http.Error(w, "yetkisiz: token eksik veya geçersiz", http.StatusUnauthorized)
 			return
 		}
 
-		// --------------------------------------------------
-		// 2️⃣ PAYLOAD
-		// --------------------------------------------------
 		var req struct {
 			CurrentPassword string `json:"current_password"`
 			NewPassword     string `json:"new_password"`
 		}
 
 		if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
-			http.Error(w, "invalid payload", http.StatusBadRequest)
+			http.Error(w, "geçersiz istek gövdesi", http.StatusBadRequest)
 			return
 		}
 
+		req.CurrentPassword = strings.TrimSpace(req.CurrentPassword)
+		req.NewPassword = strings.TrimSpace(req.NewPassword)
 		if req.CurrentPassword == "" || req.NewPassword == "" {
-			http.Error(w, "password fields required", http.StatusUnprocessableEntity)
+			http.Error(w, "şifre alanları zorunludur", http.StatusUnprocessableEntity)
 			return
 		}
 
-		// --------------------------------------------------
+		mkRepo := repository.NewMkUserRepository(db)
-		// 3️⃣ LOAD USER (mk_dfusr)
+		legacyRepo := repository.NewUserRepository(db)
-		// --------------------------------------------------
-		var currentHash string
-		err := db.QueryRow(`
-			SELECT password_hash
-			FROM mk_dfusr
-			WHERE id = $1
-		`, claims.ID).Scan(&currentHash)
 
-		if err != nil || currentHash == "" {
+		mkUser, mkErr := mkRepo.GetByID(claims.ID)
-			http.Error(w, "user not found", http.StatusUnauthorized)
+		hasMkUser := mkErr == nil
+		if mkErr != nil && !errors.Is(mkErr, repository.ErrMkUserNotFound) {
+			log.Printf(
+				"FIRST_PASSWORD_CHANGE 500 reason=mk_lookup_failed user_id=%d err=%v",
+				claims.ID,
+				mkErr,
+			)
+			http.Error(w, "kullanıcı sorgulama hatası", http.StatusInternalServerError)
 			return
 		}
 
-		// --------------------------------------------------
+		var legacyUser *models.User
-		// 4️⃣ CURRENT PASSWORD CHECK
+
-		// --------------------------------------------------
+		// If user already exists in mk_dfusr with hash, verify against mk hash.
-		if bcrypt.CompareHashAndPassword(
+		// Otherwise verify against legacy dfusr password before migration.
-			[]byte(currentHash),
+		if hasMkUser && strings.TrimSpace(mkUser.PasswordHash) != "" {
-			[]byte(req.CurrentPassword),
+			if bcrypt.CompareHashAndPassword(
-		) != nil {
+				[]byte(mkUser.PasswordHash),
-			http.Error(w, "mevcut şifre hatalı", http.StatusUnauthorized)
+				[]byte(req.CurrentPassword),
-			return
+			) != nil {
+				log.Printf(
+					"FIRST_PASSWORD_CHANGE 401 reason=current_password_mismatch_mk user_id=%d username=%s",
+					claims.ID,
+					claims.Username,
+				)
+				http.Error(w, "mevcut şifre hatalı", http.StatusUnauthorized)
+				return
+			}
+		} else {
+			var err error
+			legacyUser, err = legacyRepo.GetLegacyUserForLogin(claims.Username)
+			if err != nil || legacyUser == nil || !legacyUser.IsActive {
+				log.Printf(
+					"FIRST_PASSWORD_CHANGE 401 reason=legacy_user_not_found user_id=%d username=%s err=%v",
+					claims.ID,
+					claims.Username,
+					err,
+				)
+				http.Error(w, "yetkisiz: kullanıcı bulunamadı", http.StatusUnauthorized)
+				return
+			}
+			if !hasMkUser && int64(legacyUser.ID) != claims.ID {
+				log.Printf(
+					"FIRST_PASSWORD_CHANGE 401 reason=legacy_id_mismatch user_id=%d legacy_id=%d username=%s",
+					claims.ID,
+					legacyUser.ID,
+					claims.Username,
+				)
+				http.Error(w, "yetkisiz: kullanıcı bulunamadı", http.StatusUnauthorized)
+				return
+			}
+
+			if !services.CheckPasswordWithLegacy(legacyUser, req.CurrentPassword) {
+				log.Printf(
+					"FIRST_PASSWORD_CHANGE 401 reason=current_password_mismatch_legacy user_id=%d username=%s",
+					claims.ID,
+					claims.Username,
+				)
+				http.Error(w, "mevcut şifre hatalı", http.StatusUnauthorized)
+				return
+			}
 		}
 
-		// --------------------------------------------------
-		// 5️⃣ PASSWORD POLICY
-		// --------------------------------------------------
 		if err := security.ValidatePassword(req.NewPassword); err != nil {
 			http.Error(w, err.Error(), http.StatusUnprocessableEntity)
 			return
 		}
 
-		// --------------------------------------------------
-		// 6️⃣ HASH NEW PASSWORD
-		// --------------------------------------------------
 		hash, err := bcrypt.GenerateFromPassword(
 			[]byte(req.NewPassword),
 			bcrypt.DefaultCost,
 		)
 		if err != nil {
-			http.Error(w, "password hash error", http.StatusInternalServerError)
+			http.Error(w, "şifre hash hatası", http.StatusInternalServerError)
 			return
 		}
 
-		// --------------------------------------------------
+		tx, err := db.Begin()
-		// 7️⃣ UPDATE mk_dfusr
-		// --------------------------------------------------
-		_, err = db.Exec(`
-			UPDATE mk_dfusr
-			SET
-				password_hash = $1,
-				force_password_change = false,
-				password_updated_at = NOW(),
-				updated_at = NOW()
-			WHERE id = $2
-		`, string(hash), claims.ID)
-
 		if err != nil {
-			http.Error(w, "password update failed", http.StatusInternalServerError)
+			http.Error(w, "işlem başlatılamadı", http.StatusInternalServerError)
+			return
+		}
+		defer tx.Rollback()
+
+		migratedFromLegacy := false
+
+		if hasMkUser {
+			res, err := tx.Exec(`
+				UPDATE mk_dfusr
+				SET
+					password_hash = $1,
+					force_password_change = false,
+					password_updated_at = NOW(),
+					updated_at = NOW()
+				WHERE id = $2
+			`, string(hash), claims.ID)
+			if err != nil {
+				log.Printf(
+					"FIRST_PASSWORD_CHANGE 500 reason=password_update_failed user_id=%d err=%v",
+					claims.ID,
+					err,
+				)
+				http.Error(w, "şifre güncellenemedi", http.StatusInternalServerError)
+				return
+			}
+
+			affected, _ := res.RowsAffected()
+			if affected == 0 {
+				log.Printf(
+					"FIRST_PASSWORD_CHANGE 500 reason=password_update_no_rows user_id=%d",
+					claims.ID,
+				)
+				http.Error(w, "şifre güncellenemedi", http.StatusInternalServerError)
+				return
+			}
+		} else {
+			if legacyUser == nil {
+				// Defensive fallback, should not happen.
+				legacyUser, err = legacyRepo.GetLegacyUserForLogin(claims.Username)
+				if err != nil || legacyUser == nil {
+					log.Printf(
+						"FIRST_PASSWORD_CHANGE 500 reason=legacy_reload_failed user_id=%d username=%s err=%v",
+						claims.ID,
+						claims.Username,
+						err,
+					)
+					http.Error(w, "legacy kullanıcı yeniden yüklenemedi", http.StatusInternalServerError)
+					return
+				}
+				if !hasMkUser && int64(legacyUser.ID) != claims.ID {
+					log.Printf(
+						"FIRST_PASSWORD_CHANGE 500 reason=legacy_reload_id_mismatch user_id=%d legacy_id=%d username=%s",
+						claims.ID,
+						legacyUser.ID,
+						claims.Username,
+					)
+					http.Error(w, "legacy kullanıcı yeniden yüklenemedi", http.StatusInternalServerError)
+					return
+				}
+			}
+
+			_, err = tx.Exec(`
+				INSERT INTO mk_dfusr (
+					id,
+					username,
+					email,
+					full_name,
+					mobile,
+					address,
+					is_active,
+					password_hash,
+					force_password_change,
+					password_updated_at,
+					created_at,
+					updated_at
+				)
+				VALUES (
+					$1,$2,$3,$4,$5,$6,$7,$8,false,NOW(),NOW(),NOW()
+				)
+				ON CONFLICT (id)
+				DO UPDATE SET
+					username = EXCLUDED.username,
+					email = EXCLUDED.email,
+					full_name = EXCLUDED.full_name,
+					mobile = EXCLUDED.mobile,
+					address = EXCLUDED.address,
+					is_active = EXCLUDED.is_active,
+					password_hash = EXCLUDED.password_hash,
+					force_password_change = false,
+					password_updated_at = NOW(),
+					updated_at = NOW()
+			`,
+				int64(legacyUser.ID),
+				strings.TrimSpace(legacyUser.Username),
+				strings.TrimSpace(legacyUser.Email),
+				strings.TrimSpace(legacyUser.FullName),
+				strings.TrimSpace(legacyUser.Mobile),
+				strings.TrimSpace(legacyUser.Address),
+				legacyUser.IsActive,
+				string(hash),
+			)
+			if err != nil {
+				log.Printf(
+					"FIRST_PASSWORD_CHANGE 500 reason=legacy_migration_failed user_id=%d username=%s err=%v",
+					claims.ID,
+					claims.Username,
+					err,
+				)
+				http.Error(w, "legacy geçişi başarısız", http.StatusInternalServerError)
+				return
+			}
+
+			migratedFromLegacy = true
+		}
+
+		if err := tx.Commit(); err != nil {
+			log.Printf(
+				"FIRST_PASSWORD_CHANGE 500 reason=tx_commit_failed user_id=%d err=%v",
+				claims.ID,
+				err,
+			)
+			http.Error(w, "işlem tamamlanamadı", http.StatusInternalServerError)
 			return
 		}
 
-		// --------------------------------------------------
+		_ = repository.NewRefreshTokenRepository(db).RevokeAllForUser(claims.ID)
-		// 8️⃣ REFRESH TOKEN REVOKE
-		// --------------------------------------------------
-		_ = repository.
-			NewRefreshTokenRepository(db).
-			RevokeAllForUser(claims.ID)
 
-		// --------------------------------------------------
-		// 9️⃣ NEW JWT (TEK DOĞRU YOL)
-		// --------------------------------------------------
 		newClaims := auth.BuildClaimsFromUser(
 			&models.MkUser{
 				ID:                  claims.ID,
 				Username:            claims.Username,
+				RoleID:              claims.RoleID,
 				RoleCode:            claims.RoleCode,
+				DepartmentCodes:     claims.DepartmentCodes,
 				V3Username:          claims.V3Username,
 				V3UserGroup:         claims.V3UserGroup,
 				SessionID:           claims.SessionID,
@@ -140,22 +282,20 @@ func FirstPasswordChangeHandler(db *sql.DB) http.HandlerFunc {
 			false,
 		)
 		if err != nil {
-			http.Error(w, "token generation failed", http.StatusInternalServerError)
+			http.Error(w, "token üretilemedi", http.StatusInternalServerError)
 			return
 		}
 
-		// --------------------------------------------------
+		source := "mk_password_update"
-		// 🔟 AUDIT
+		if migratedFromLegacy {
-		// --------------------------------------------------
+			source = "legacy_migration_completed"
+		}
 		auditlog.ForcePasswordChangeCompleted(
 			r.Context(),
 			claims.ID,
-			"self_change",
+			source,
 		)
 
-		// --------------------------------------------------
-		// 1️⃣1️⃣ RESPONSE
-		// --------------------------------------------------
 		_ = json.NewEncoder(w).Encode(map[string]any{
 			"token": newToken,
 			"user": map[string]any{
@@ -163,7 +303,14 @@ func FirstPasswordChangeHandler(db *sql.DB) http.HandlerFunc {
 				"username":              claims.Username,
 				"force_password_change": false,
 			},
+			"migrated_from_legacy": migratedFromLegacy,
 		})
-		log.Printf("✅ FIRST-PASS claims user=%d role=%s", claims.ID, claims.RoleCode)
+
+		log.Printf(
+			"FIRST_PASSWORD_CHANGE 200 user=%d role=%s migrated_from_legacy=%v",
+			claims.ID,
+			claims.RoleCode,
+			migratedFromLegacy,
+		)
 	}
 }

svc/routes/login.go

@@ -3,6 +3,7 @@ package routes
 import (
 	"bssapp-backend/auth"
 	"bssapp-backend/internal/auditlog"
+	"bssapp-backend/internal/security"
 	"bssapp-backend/models"
 	"bssapp-backend/queries"
 	"bssapp-backend/repository"
@@ -29,6 +30,76 @@ type LoginRequest struct {
 	Password string `json:"password"`
 }
 
+func looksLikeBcryptHash(value string) bool {
+	return strings.HasPrefix(value, "$2a$") ||
+		strings.HasPrefix(value, "$2b$") ||
+		strings.HasPrefix(value, "$2y$")
+}
+
+func ensureLegacyUserReadyForSession(db *sql.DB, legacyUser *models.User) (int64, error) {
+	desiredID := int64(legacyUser.ID)
+
+	_, err := db.Exec(`
+		INSERT INTO mk_dfusr (
+			id,
+			username,
+			email,
+			full_name,
+			mobile,
+			address,
+			is_active,
+			password_hash,
+			force_password_change,
+			created_at,
+			updated_at
+		)
+		VALUES (
+			$1,$2,$3,$4,$5,$6,$7,'',true,NOW(),NOW()
+		)
+		ON CONFLICT (id)
+		DO UPDATE SET
+			username = EXCLUDED.username,
+			email = EXCLUDED.email,
+			full_name = COALESCE(NULLIF(EXCLUDED.full_name, ''), mk_dfusr.full_name),
+			mobile = COALESCE(NULLIF(EXCLUDED.mobile, ''), mk_dfusr.mobile),
+			address = COALESCE(NULLIF(EXCLUDED.address, ''), mk_dfusr.address),
+			is_active = EXCLUDED.is_active,
+			force_password_change = true,
+			updated_at = NOW()
+	`,
+		desiredID,
+		strings.TrimSpace(legacyUser.Username),
+		strings.TrimSpace(legacyUser.Email),
+		strings.TrimSpace(legacyUser.FullName),
+		strings.TrimSpace(legacyUser.Mobile),
+		strings.TrimSpace(legacyUser.Address),
+		legacyUser.IsActive,
+	)
+	if err == nil {
+		return desiredID, nil
+	}
+
+	mkRepo := repository.NewMkUserRepository(db)
+	existing, lookupErr := mkRepo.GetByUsername(legacyUser.Username)
+	if lookupErr != nil {
+		return 0, err
+	}
+
+	_, updErr := db.Exec(`
+		UPDATE mk_dfusr
+		SET
+			is_active = $1,
+			force_password_change = true,
+			updated_at = NOW()
+		WHERE id = $2
+	`, legacyUser.IsActive, existing.ID)
+	if updErr != nil {
+		return 0, updErr
+	}
+
+	return existing.ID, nil
+}
+
 func LoginHandler(db *sql.DB) http.HandlerFunc {
 	return func(w http.ResponseWriter, r *http.Request) {
 
@@ -83,19 +154,36 @@ func LoginHandler(db *sql.DB) http.HandlerFunc {
 		if err == nil {
 
 			// mk_dfusr authoritative
-			if strings.TrimSpace(mkUser.PasswordHash) != "" {
+			mkHash := strings.TrimSpace(mkUser.PasswordHash)
+			if mkHash != "" {
+				if looksLikeBcryptHash(mkHash) {
+					cmpErr := bcrypt.CompareHashAndPassword(
+						[]byte(mkHash),
+						[]byte(pass),
+					)
+					if cmpErr == nil {
+						_ = mkRepo.TouchLastLogin(mkUser.ID)
+						writeLoginResponse(w, db, mkUser)
+						return
+					}
 
-				if bcrypt.CompareHashAndPassword(
+					if !mkUser.ForcePasswordChange {
-					[]byte(mkUser.PasswordHash),
+						http.Error(w, "invalid credentials", http.StatusUnauthorized)
-					[]byte(pass),
+						return
-				) != nil {
+					}
-					http.Error(w, "Kullanıcı adı veya parola hatalı", http.StatusUnauthorized)
+
-					return
+					log.Printf(
+						"LOGIN FALLBACK legacy allowed (force_password_change=true) username=%s id=%d",
+						mkUser.Username,
+						mkUser.ID,
+					)
+				} else {
+					log.Printf(
+						"LOGIN FALLBACK legacy allowed (non-bcrypt mk hash) username=%s id=%d",
+						mkUser.Username,
+						mkUser.ID,
+					)
 				}
-
-				_ = mkRepo.TouchLastLogin(mkUser.ID)
-				writeLoginResponse(w, db, mkUser)
-				return
 			}
 			// password_hash boşsa legacy fallback
 		} else if err != repository.ErrMkUserNotFound {
@@ -133,31 +221,30 @@ func LoginHandler(db *sql.DB) http.HandlerFunc {
 		}
 
 		// ==================================================
-		// 3️⃣ MIGRATION (dfusr → mk_dfusr)
+		// 3️⃣ LEGACY SESSION (PENDING MIGRATION)
+		// - mk_dfusr migration is completed in /api/password/change
 		// ==================================================
-		newHash, err := bcrypt.GenerateFromPassword(
+		mkID, err := ensureLegacyUserReadyForSession(db, legacyUser)
-			[]byte(pass),
-			bcrypt.DefaultCost,
-		)
 		if err != nil {
-			http.Error(w, "Şifre üretilemedi", http.StatusInternalServerError)
+			log.Printf("LEGACY LOGIN MIGRATION BIND FAILED username=%s err=%v", login, err)
+			http.Error(w, "Giriş yapılamadı", http.StatusInternalServerError)
 			return
 		}
 
-		mkUser, err = mkRepo.CreateFromLegacy(legacyUser, string(newHash))
+		mkUser = &models.MkUser{
-		if err != nil {
+			ID:                  mkID,
-			log.Println("❌ CREATE_FROM_LEGACY FAILED:", err)
+			Username:            legacyUser.Username,
-			http.Error(w, "Kullanıcı migrate edilemedi", http.StatusInternalServerError)
+			Email:               legacyUser.Email,
-			return
+			IsActive:            legacyUser.IsActive,
+			RoleID:              int64(legacyUser.RoleID),
+			RoleCode:            legacyUser.RoleCode,
+			ForcePasswordChange: true,
 		}
 
-		// 🔥 KRİTİK: TOKEN GUARD İÇİN GARANTİ
-		mkUser.ForcePasswordChange = true
-
 		auditlog.Write(auditlog.ActivityLog{
-			ActionType:     "LEGACY_USER_MIGRATED",
+			ActionType:     "LEGACY_USER_LOGIN_PENDING_MIGRATION",
 			ActionCategory: "security",
-			Description:    "dfusr -> mk_dfusr on login",
+			Description:    "legacy giriş başarılı, ilk şifre değişikliği gerekli",
 			IsSuccess:      true,
 		})
 
@@ -216,6 +303,22 @@ func writeLoginResponse(w http.ResponseWriter, db *sql.DB, user *models.MkUser)
 		return
 	}
 
+	refreshPlain, refreshHash, err := security.GenerateRefreshToken()
+	if err != nil {
+		http.Error(w, "Refresh token üretilemedi", http.StatusInternalServerError)
+		return
+	}
+
+	refreshExp := time.Now().Add(14 * 24 * time.Hour)
+	rtRepo := repository.NewRefreshTokenRepository(db)
+	if err := rtRepo.IssueRefreshToken(user.ID, refreshHash, refreshExp); err != nil {
+		log.Printf("refresh token store failed user=%d err=%v", user.ID, err)
+		http.Error(w, "Session başlatılamadı", http.StatusInternalServerError)
+		return
+	}
+
+	setRefreshCookie(w, refreshPlain, refreshExp)
+
 	_ = json.NewEncoder(w).Encode(map[string]any{
 		"token": token,
 		"user": map[string]any{

svc/routes/order_pdf.go

@@ -3,16 +3,19 @@ package routes
 import (
 	"bytes"
 	"database/sql"
+	"errors"
 	"fmt"
-	"github.com/gorilla/mux"
-	"github.com/jung-kurt/gofpdf"
 	"log"
 	"math"
 	"net/http"
-	"os"
+	"runtime/debug"
 	"sort"
+	"strconv"
 	"strings"
 	"time"
+
+	"github.com/gorilla/mux"
+	"github.com/jung-kurt/gofpdf"
 )
 
 /* ===========================================================
@@ -238,6 +241,13 @@ func s64(v sql.NullString) string {
 	return v.String
 }
 
+func sOrEmpty(v sql.NullString) string {
+	if !v.Valid {
+		return ""
+	}
+	return strings.TrimSpace(v.String)
+}
+
 func normalizeBedenLabelGo(v string) string {
 	// 1️⃣ NULL / boş / whitespace → " " (aksbir null kolonu)
 	s := strings.TrimSpace(v)
@@ -281,25 +291,88 @@ func normalizeBedenLabelGo(v string) string {
 	return s
 }
 
+func parseNumericSize(v string) (int, bool) {
+	s := strings.TrimSpace(strings.ToUpper(v))
+	if s == "" {
+		return 0, false
+	}
+	n, err := strconv.Atoi(s)
+	if err != nil {
+		return 0, false
+	}
+	return n, true
+}
+
 func detectBedenGroupGo(bedenList []string, ana, alt string) string {
 	ana = safeTrimUpper(ana)
 	alt = safeTrimUpper(alt)
 
+	// Ürün grubu adı doğrudan ayakkabı ise öncelikli.
+	if strings.Contains(ana, "AYAKKABI") || strings.Contains(alt, "AYAKKABI") {
+		return catAyk
+	}
+
+	var hasYasNumeric bool
+	var hasAykNumeric bool
+	var hasPanNumeric bool
+
 	for _, b := range bedenList {
+		b = safeTrimUpper(b)
+
 		switch b {
-		case "XS", "S", "M", "L", "XL":
+		case "XS", "S", "M", "L", "XL",
+			"2XL", "3XL", "4XL", "5XL", "6XL", "7XL":
 			return catGom
 		}
+
+		if n, ok := parseNumericSize(b); ok {
+			if n >= 2 && n <= 14 {
+				hasYasNumeric = true
+			}
+			if n >= 39 && n <= 45 {
+				hasAykNumeric = true
+			}
+			if n >= 38 && n <= 68 {
+				hasPanNumeric = true
+			}
+		}
+	}
+
+	if hasAykNumeric {
+		return catAyk
 	}
 
 	if strings.Contains(ana, "PANTOLON") {
 		return catPan
 	}
+	if hasPanNumeric {
+		return catPan
+	}
 	if strings.Contains(alt, "ÇOCUK") || strings.Contains(alt, "GARSON") {
 		return catYas
 	}
+	if hasYasNumeric {
+		return catYas
+	}
+
 	return catTak
 }
+
+func formatSizeQtyForLog(m map[string]int) string {
+	if len(m) == 0 {
+		return "{}"
+	}
+	keys := make([]string, 0, len(m))
+	for k := range m {
+		keys = append(keys, k)
+	}
+	sort.Strings(keys)
+	parts := make([]string, 0, len(keys))
+	for _, k := range keys {
+		parts = append(parts, fmt.Sprintf("%s:%d", k, m[k]))
+	}
+	return "{" + strings.Join(parts, ", ") + "}"
+}
 func defaultSizeListFor(cat string) []string {
 	switch cat {
 	case catAyk:
@@ -331,25 +404,25 @@ func contains(list []string, v string) bool {
    2) PDF OLUŞTURUCU (A4 YATAY + FOOTER)
    =========================================================== */
 
-func newOrderPdf() *gofpdf.Fpdf {
+func newOrderPdf() (*gofpdf.Fpdf, error) {
 	pdf := gofpdf.New("L", "mm", "A4", "")
 	pdf.SetMargins(10, 10, 10)
 	pdf.SetAutoPageBreak(false, 12)
 
-	// UTF8 fontlar
+	if err := registerDejavuFonts(pdf, "dejavu"); err != nil {
-	pdf.AddUTF8Font("dejavu", "", "fonts/DejaVuSans.ttf")
+		return nil, err
-	pdf.AddUTF8Font("dejavu-b", "", "fonts/DejaVuSans-Bold.ttf")
+	}
 
 	// Footer: sayfa numarası
 	pdf.AliasNbPages("")
 	pdf.SetFooterFunc(func() {
 		pdf.SetY(-10)
-		pdf.SetFont("dejavu", "", 8)
+		pdf.SetFont("dejavu", "B", 8)
 		txt := fmt.Sprintf("Sayfa %d/{nb}", pdf.PageNo())
 		pdf.CellFormat(0, 10, txt, "", 0, "R", false, 0, "")
 	})
 
-	return pdf
+	return pdf, nil
 }
 
 /* ===========================================================
@@ -373,7 +446,7 @@ func getOrderHeaderFromDB(db *sql.DB, orderID string) (*OrderHeader, error) {
             ISNULL((
                 SELECT TOP (1) ca.AttributeDescription
                 FROM BAGGI_V3.dbo.cdCurrAccAttributeDesc AS ca WITH (NOLOCK)
-                WHERE ca.CurrAccTypeCode   = 3
+                WHERE ca.CurrAccTypeCode   IN (1,3)
                   AND ca.AttributeTypeCode = 2      -- 🟡 Müşteri Temsilcisi
                   AND ca.AttributeCode     = f.CustomerAtt02
                   AND ca.LangCode         = 'TR'
@@ -388,24 +461,36 @@ func getOrderHeaderFromDB(db *sql.DB, orderID string) (*OrderHeader, error) {
 
 	var h OrderHeader
 	var orderDate sql.NullTime
+	var orderNumber, currAccCode, currAccName, docCurrency sql.NullString
+	var description, internalDesc, officeCode, createdUser, customerRep sql.NullString
 
 	err := row.Scan(
 		&h.OrderHeaderID,
-		&h.OrderNumber,
+		&orderNumber,
-		&h.CurrAccCode,
+		&currAccCode,
-		&h.CurrAccName,
+		&currAccName,
-		&h.DocCurrency,
+		&docCurrency,
 		&orderDate,
-		&h.Description,
+		&description,
-		&h.InternalDesc,
+		&internalDesc,
-		&h.OfficeCode,
+		&officeCode,
-		&h.CreatedUser,
+		&createdUser,
-		&h.CustomerRep, // 🆕 buradan geliyor
+		&customerRep, // 🆕 buradan geliyor
 	)
 	if err != nil {
 		return nil, err
 	}
 
+	h.OrderNumber = sOrEmpty(orderNumber)
+	h.CurrAccCode = sOrEmpty(currAccCode)
+	h.CurrAccName = sOrEmpty(currAccName)
+	h.DocCurrency = sOrEmpty(docCurrency)
+	h.Description = sOrEmpty(description)
+	h.InternalDesc = sOrEmpty(internalDesc)
+	h.OfficeCode = sOrEmpty(officeCode)
+	h.CreatedUser = sOrEmpty(createdUser)
+	h.CustomerRep = sOrEmpty(customerRep)
+
 	if orderDate.Valid {
 		h.OrderDate = orderDate.Time
 	}
@@ -626,9 +711,8 @@ func drawOrderHeader(pdf *gofpdf.Fpdf, h *OrderHeader, showDesc bool) float64 {
 	/* ----------------------------------------------------
 	   1) LOGO
 	---------------------------------------------------- */
-	logo := "./public/Baggi-Tekstil-A.s-Logolu.jpeg"
+	if logoPath, err := resolvePdfImagePath("Baggi-Tekstil-A.s-Logolu.jpeg"); err == nil {
-	if _, err := os.Stat(logo); err == nil {
+		pdf.ImageOptions(logoPath, marginL, y, 32, 0, false, gofpdf.ImageOptions{}, 0, "")
-		pdf.ImageOptions(logo, marginL, y, 32, 0, false, gofpdf.ImageOptions{}, 0, "")
 	}
 
 	/* ----------------------------------------------------
@@ -641,7 +725,7 @@ func drawOrderHeader(pdf *gofpdf.Fpdf, h *OrderHeader, showDesc bool) float64 {
 	pdf.SetFillColor(149, 113, 22) // Baggi altın
 	pdf.Rect(titleX, titleY, titleW, 10, "F")
 
-	pdf.SetFont("dejavu-b", "", 13)
+	pdf.SetFont("dejavu", "B", 13)
 	pdf.SetTextColor(255, 255, 255)
 	pdf.SetXY(titleX+4, titleY+2)
 	pdf.CellFormat(titleW-8, 6, "BAGGI TEKSTİL - SİPARİŞ FORMU", "", 0, "L", false, 0, "")
@@ -657,7 +741,7 @@ func drawOrderHeader(pdf *gofpdf.Fpdf, h *OrderHeader, showDesc bool) float64 {
 	pdf.SetDrawColor(180, 180, 180)
 	pdf.Rect(boxX, boxY, boxW, boxH, "")
 
-	pdf.SetFont("dejavu-b", "", 9)
+	pdf.SetFont("dejavu", "B", 9)
 	pdf.SetTextColor(149, 113, 22)
 	rep := strings.TrimSpace(h.CustomerRep)
 	if rep == "" {
@@ -712,7 +796,7 @@ func drawOrderHeader(pdf *gofpdf.Fpdf, h *OrderHeader, showDesc bool) float64 {
 		pdf.Rect(marginL, y, pageW-marginL*2, descBoxH, "")
 
 		// Başlık
-		pdf.SetFont("dejavu-b", "", 8)
+		pdf.SetFont("dejavu", "B", 8)
 		pdf.SetTextColor(149, 113, 22)
 		pdf.SetXY(marginL+3, y+2)
 		pdf.CellFormat(40, 4, "Sipariş Genel Açıklaması:", "", 0, "L", false, 0, "")
@@ -740,7 +824,7 @@ func drawOrderHeader(pdf *gofpdf.Fpdf, h *OrderHeader, showDesc bool) float64 {
 	===========================================================
 */
 func drawGridHeader(pdf *gofpdf.Fpdf, layout pdfLayout, startY float64, catSizes CategorySizeMap) float64 {
-	pdf.SetFont("dejavu-b", "", 6)
+	pdf.SetFont("dejavu", "B", 6)
 	pdf.SetDrawColor(baggiGrayBorderR, baggiGrayBorderG, baggiGrayBorderB)
 	pdf.SetFillColor(baggiCreamR, baggiCreamG, baggiCreamB)
 	pdf.SetTextColor(20, 20, 20) // 🟣 TÜM HEADER YAZILARI SİYAH
@@ -896,10 +980,17 @@ func calcRowHeight(pdf *gofpdf.Fpdf, layout pdfLayout, row PdfRow) float64 {
 		return base
 	}
 
-	// Yeni: açıklama genişliği = sol + sağ
+	// Açıklama tek kolonda (ColDescLeft) render ediliyor.
-	descW := layout.ColDescW
+	// ColDescW set edilmediği için 0 kalabiliyor; bu durumda SplitLines patlayabiliyor.
+	descW := layout.ColDescLeft
+	if descW <= float64(2*OcellPadX) {
+		descW = layout.ColDescLeft + layout.ColDescRight
+	}
+	if descW <= float64(2*OcellPadX) {
+		return base
+	}
 
-	lines := pdf.SplitLines([]byte(desc), descW-2*OcellPadX)
+	lines := pdf.SplitLines([]byte(desc), descW-float64(2*OcellPadX))
 	lineH := 3.2
 	h := float64(len(lines))*lineH + 2
 
@@ -1101,7 +1192,7 @@ func drawTotalsBox(
 	valueX := x + w - 70 // değerlerin sağda hizalanacağı kolon
 
 	pdf.SetTextColor(149, 113, 22) // Sol başlık gold
-	pdf.SetFont("dejavu-b", "", 8.5)
+	pdf.SetFont("dejavu", "B", 8.5)
 
 	y := startY + 2
 
@@ -1112,7 +1203,7 @@ func drawTotalsBox(
 	pdf.CellFormat(80, lineH, "TOPLAM TUTAR", "", 0, "L", false, 0, "")
 
 	pdf.SetTextColor(201, 162, 39)
-	pdf.SetFont("dejavu-b", "", 9)
+	pdf.SetFont("dejavu", "B", 9)
 
 	pdf.SetXY(valueX, y)
 	pdf.CellFormat(65, lineH,
@@ -1127,7 +1218,7 @@ func drawTotalsBox(
 	if hasVat {
 
 		pdf.SetTextColor(149, 113, 22) // gold başlık
-		pdf.SetFont("dejavu-b", "", 8.5)
+		pdf.SetFont("dejavu", "B", 8.5)
 
 		pdf.SetXY(labelX, y)
 		pdf.CellFormat(80, lineH,
@@ -1135,7 +1226,7 @@ func drawTotalsBox(
 			"", 0, "L", false, 0, "")
 
 		pdf.SetTextColor(20, 20, 20)
-		pdf.SetFont("dejavu-b", "", 9)
+		pdf.SetFont("dejavu", "B", 9)
 
 		pdf.SetXY(valueX, y)
 		pdf.CellFormat(65, lineH,
@@ -1148,13 +1239,13 @@ func drawTotalsBox(
 		   3️⃣ KDV DAHİL TOPLAM
 		---------------------------------------------------- */
 		pdf.SetTextColor(201, 162, 39)
-		pdf.SetFont("dejavu-b", "", 8.5)
+		pdf.SetFont("dejavu", "B", 8.5)
 
 		pdf.SetXY(labelX, y)
 		pdf.CellFormat(80, lineH, "KDV DAHİL TOPLAM TUTAR", "", 0, "L", false, 0, "")
 
 		pdf.SetTextColor(20, 20, 20)
-		pdf.SetFont("dejavu-b", "", 9)
+		pdf.SetFont("dejavu", "B", 9)
 
 		pdf.SetXY(valueX, y)
 		pdf.CellFormat(65, lineH,
@@ -1183,7 +1274,7 @@ func drawGroupSummaryBar(pdf *gofpdf.Fpdf, layout pdfLayout, groupName string, t
 	pdf.SetDrawColor(214, 192, 106)
 	pdf.Rect(x, y, w, h, "DF")
 
-	pdf.SetFont("dejavu-b", "", 8.5)
+	pdf.SetFont("dejavu", "B", 8.5)
 	pdf.SetTextColor(20, 20, 20)
 
 	leftTxt := strings.ToUpper(strings.TrimSpace(groupName))
@@ -1327,11 +1418,22 @@ func OrderPDFHandler(db *sql.DB) http.Handler {
 	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 
 		orderID := mux.Vars(r)["id"]
+		log.Printf("📄 OrderPDFHandler start orderID=%s", orderID)
+		defer func() {
+			if rec := recover(); rec != nil {
+				log.Printf("❌ PANIC OrderPDFHandler orderID=%s: %v", orderID, rec)
+				debug.PrintStack()
+				http.Error(w, fmt.Sprintf("order pdf panic: %v", rec), http.StatusInternalServerError)
+			}
+		}()
+
 		if orderID == "" {
+			log.Printf("❌ OrderPDFHandler missing order id")
 			http.Error(w, "missing order id", http.StatusBadRequest)
 			return
 		}
 		if db == nil {
+			log.Printf("❌ OrderPDFHandler db is nil")
 			http.Error(w, "db not initialized", http.StatusInternalServerError)
 			return
 		}
@@ -1339,18 +1441,23 @@ func OrderPDFHandler(db *sql.DB) http.Handler {
 		// Header
 		header, err := getOrderHeaderFromDB(db, orderID)
 		if err != nil {
-			log.Println("header error:", err)
+			log.Printf("❌ OrderPDF header error orderID=%s: %v", orderID, err)
-			http.Error(w, "header not found", http.StatusInternalServerError)
+			if errors.Is(err, sql.ErrNoRows) {
+				http.Error(w, "order not found", http.StatusNotFound)
+				return
+			}
+			http.Error(w, "header not found: "+err.Error(), http.StatusInternalServerError)
 			return
 		}
 
 		// Lines
 		lines, err := getOrderLinesFromDB(db, orderID)
 		if err != nil {
-			log.Println("lines error:", err)
+			log.Printf("❌ OrderPDF lines error orderID=%s: %v", orderID, err)
-			http.Error(w, "lines not found", http.StatusInternalServerError)
+			http.Error(w, "lines not found: "+err.Error(), http.StatusInternalServerError)
 			return
 		}
+		log.Printf("📄 OrderPDF lines loaded orderID=%s lineCount=%d", orderID, len(lines))
 		// 🔹 Satırlardan KDV bilgisi yakala (ilk pozitif orana göre)
 		hasVat := false
 		var vatRate float64
@@ -1365,16 +1472,45 @@ func OrderPDFHandler(db *sql.DB) http.Handler {
 
 		// Normalize
 		rows := normalizeOrderLinesForPdf(lines)
+		log.Printf("📄 OrderPDF normalized rows orderID=%s rowCount=%d", orderID, len(rows))
+		for i, rr := range rows {
+			if i >= 30 {
+				break
+			}
+			log.Printf(
+				"📄 OrderPDF row[%d] model=%s color=%s groupMain=%q groupSub=%q category=%s totalQty=%d sizeQty=%s",
+				i,
+				rr.Model,
+				rr.Color,
+				rr.GroupMain,
+				rr.GroupSub,
+				rr.Category,
+				rr.TotalQty,
+				formatSizeQtyForLog(rr.SizeQty),
+			)
+		}
 
 		// PDF
-		pdf := newOrderPdf()
+		pdf, err := newOrderPdf()
+		if err != nil {
+			log.Printf("❌ OrderPDF init error orderID=%s: %v", orderID, err)
+			http.Error(w, "pdf init error: "+err.Error(), http.StatusInternalServerError)
+			return
+		}
 		renderOrderGrid(pdf, header, rows, hasVat, vatRate)
+		if err := pdf.Error(); err != nil {
+			log.Printf("❌ OrderPDF render error orderID=%s: %v", orderID, err)
+			http.Error(w, "pdf render error: "+err.Error(), http.StatusInternalServerError)
+			return
+		}
 
 		var buf bytes.Buffer
 		if err := pdf.Output(&buf); err != nil {
+			log.Printf("❌ OrderPDF output error orderID=%s: %v", orderID, err)
 			http.Error(w, "pdf output error: "+err.Error(), http.StatusInternalServerError)
 			return
 		}
+		log.Printf("✅ OrderPDF success orderID=%s bytes=%d", orderID, buf.Len())
 
 		w.Header().Set("Content-Type", "application/pdf")
 		w.Header().Set(

svc/routes/orderlist.go

@@ -58,7 +58,7 @@ func OrderListRoute(mssql *sql.DB) http.Handler {
 		count := 0
 
 		// ==================================================
-		// 🧠 SCAN — SQL SELECT ile BİRE BİR (17 kolon)
+		// 🧠 SCAN — SQL SELECT ile BİRE BİR (18 kolon)
 		// ==================================================
 		for rows.Next() {
 
@@ -85,9 +85,10 @@ func OrderListRoute(mssql *sql.DB) http.Handler {
 				&o.PackedRatePct,  // 14
 
 				&o.IsCreditableConfirmed, // 15
-				&o.Description,           // 16
+				&o.HasUretimUrunu,        // 16
+				&o.Description,           // 17
 
-				&o.ExchangeRateUSD, // 17
+				&o.ExchangeRateUSD, // 18
 			)
 
 			if err != nil {

svc/routes/orderproductionitems.go

@@ -0,0 +1,294 @@
+package routes
+
+import (
+	"bssapp-backend/auth"
+	"bssapp-backend/models"
+	"bssapp-backend/queries"
+	"database/sql"
+	"encoding/json"
+	"errors"
+	"log"
+	"net/http"
+	"strings"
+
+	"github.com/gorilla/mux"
+)
+
+// ======================================================
+// 📌 OrderProductionItemsRoute — U ürün satırları
+// ======================================================
+func OrderProductionItemsRoute(mssql *sql.DB) http.Handler {
+	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+
+		w.Header().Set("Content-Type", "application/json; charset=utf-8")
+
+		id := mux.Vars(r)["id"]
+		if id == "" {
+			http.Error(w, "OrderHeaderID bulunamadı", http.StatusBadRequest)
+			return
+		}
+
+		rows, err := queries.GetOrderProductionItems(mssql, id)
+		if err != nil {
+			log.Printf("❌ SQL sorgu hatası: %v", err)
+			http.Error(w, "Veritabanı hatası", http.StatusInternalServerError)
+			return
+		}
+		defer rows.Close()
+
+		list := make([]models.OrderProductionItem, 0, 100)
+
+		for rows.Next() {
+			var o models.OrderProductionItem
+			if err := rows.Scan(
+				&o.OrderHeaderID,
+				&o.OrderLineID,
+				&o.ItemTypeCode,
+				&o.OldDim1,
+				&o.OldDim3,
+				&o.OldItemCode,
+				&o.OldColor,
+				&o.OldDim2,
+				&o.OldDesc,
+				&o.NewItemCode,
+				&o.NewColor,
+				&o.NewDim2,
+				&o.NewDesc,
+				&o.IsVariantMissing,
+			); err != nil {
+				log.Printf("⚠️ SCAN HATASI: %v", err)
+				continue
+			}
+			list = append(list, o)
+		}
+
+		if err := rows.Err(); err != nil {
+			log.Printf("⚠️ rows.Err(): %v", err)
+		}
+
+		if err := json.NewEncoder(w).Encode(list); err != nil {
+			log.Printf("❌ encode error: %v", err)
+		}
+	})
+}
+
+// ======================================================
+// 📌 OrderProductionInsertMissingRoute — eksik varyantları ekler
+// ======================================================
+func OrderProductionInsertMissingRoute(mssql *sql.DB) http.Handler {
+	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+
+		w.Header().Set("Content-Type", "application/json; charset=utf-8")
+
+		id := mux.Vars(r)["id"]
+		if id == "" {
+			http.Error(w, "OrderHeaderID bulunamadı", http.StatusBadRequest)
+			return
+		}
+
+		claims, _ := auth.GetClaimsFromContext(r.Context())
+		username := ""
+		if claims != nil {
+			username = claims.Username
+		}
+		if username == "" {
+			username = "system"
+		}
+
+		affected, err := queries.InsertMissingProductionVariants(mssql, id, username)
+		if err != nil {
+			log.Printf("❌ INSERT varyant hatası: %v", err)
+			http.Error(w, "Veritabanı hatası", http.StatusInternalServerError)
+			return
+		}
+
+		resp := map[string]any{
+			"inserted": affected,
+		}
+		if err := json.NewEncoder(w).Encode(resp); err != nil {
+			log.Printf("❌ encode error: %v", err)
+		}
+	})
+}
+
+// ======================================================
+// OrderProductionValidateRoute - yeni model varyant kontrolu
+// ======================================================
+func OrderProductionValidateRoute(mssql *sql.DB) http.Handler {
+	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		w.Header().Set("Content-Type", "application/json; charset=utf-8")
+
+		id := mux.Vars(r)["id"]
+		if id == "" {
+			http.Error(w, "OrderHeaderID bulunamadi", http.StatusBadRequest)
+			return
+		}
+
+		var payload models.OrderProductionUpdatePayload
+		if err := json.NewDecoder(r.Body).Decode(&payload); err != nil {
+			http.Error(w, "Gecersiz istek", http.StatusBadRequest)
+			return
+		}
+		if err := validateUpdateLines(payload.Lines); err != nil {
+			http.Error(w, err.Error(), http.StatusBadRequest)
+			return
+		}
+
+		missing, err := buildMissingVariants(mssql, id, payload.Lines)
+		if err != nil {
+			log.Printf("❌ validate error: %v", err)
+			http.Error(w, "Veritabani hatasi", http.StatusInternalServerError)
+			return
+		}
+
+		resp := map[string]any{
+			"missingCount": len(missing),
+			"missing":      missing,
+		}
+		if err := json.NewEncoder(w).Encode(resp); err != nil {
+			log.Printf("❌ encode error: %v", err)
+		}
+	})
+}
+
+// ======================================================
+// OrderProductionApplyRoute - yeni model varyant guncelleme
+// ======================================================
+func OrderProductionApplyRoute(mssql *sql.DB) http.Handler {
+	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		w.Header().Set("Content-Type", "application/json; charset=utf-8")
+
+		id := mux.Vars(r)["id"]
+		if id == "" {
+			http.Error(w, "OrderHeaderID bulunamadi", http.StatusBadRequest)
+			return
+		}
+
+		var payload models.OrderProductionUpdatePayload
+		if err := json.NewDecoder(r.Body).Decode(&payload); err != nil {
+			http.Error(w, "Gecersiz istek", http.StatusBadRequest)
+			return
+		}
+		if err := validateUpdateLines(payload.Lines); err != nil {
+			http.Error(w, err.Error(), http.StatusBadRequest)
+			return
+		}
+
+		missing, err := buildMissingVariants(mssql, id, payload.Lines)
+		if err != nil {
+			log.Printf("❌ apply validate error: %v", err)
+			http.Error(w, "Veritabani hatasi", http.StatusInternalServerError)
+			return
+		}
+
+		if len(missing) > 0 && !payload.InsertMissing {
+			w.WriteHeader(http.StatusConflict)
+			_ = json.NewEncoder(w).Encode(map[string]any{
+				"missingCount": len(missing),
+				"missing":      missing,
+				"message":      "Eksik varyantlar var",
+			})
+			return
+		}
+
+		claims, _ := auth.GetClaimsFromContext(r.Context())
+		username := ""
+		if claims != nil {
+			username = claims.Username
+		}
+		if strings.TrimSpace(username) == "" {
+			username = "system"
+		}
+
+		tx, err := mssql.Begin()
+		if err != nil {
+			http.Error(w, "Veritabani hatasi", http.StatusInternalServerError)
+			return
+		}
+		defer tx.Rollback()
+
+		var inserted int64
+		if payload.InsertMissing {
+			inserted, err = queries.InsertMissingVariantsTx(tx, missing, username)
+			if err != nil {
+				log.Printf("❌ insert missing error: %v", err)
+				http.Error(w, "Veritabani hatasi", http.StatusInternalServerError)
+				return
+			}
+		}
+
+		updated, err := queries.UpdateOrderLinesTx(tx, id, payload.Lines, username)
+		if err != nil {
+			log.Printf("❌ update order lines error: %v", err)
+			http.Error(w, "Veritabani hatasi", http.StatusInternalServerError)
+			return
+		}
+
+		if err := tx.Commit(); err != nil {
+			log.Printf("❌ commit error: %v", err)
+			http.Error(w, "Veritabani hatasi", http.StatusInternalServerError)
+			return
+		}
+
+		resp := map[string]any{
+			"updated":  updated,
+			"inserted": inserted,
+		}
+		if err := json.NewEncoder(w).Encode(resp); err != nil {
+			log.Printf("❌ encode error: %v", err)
+		}
+	})
+}
+
+func buildMissingVariants(mssql *sql.DB, orderHeaderID string, lines []models.OrderProductionUpdateLine) ([]models.OrderProductionMissingVariant, error) {
+	missing := make([]models.OrderProductionMissingVariant, 0)
+
+	for _, line := range lines {
+		lineID := strings.TrimSpace(line.OrderLineID)
+		newItem := strings.TrimSpace(line.NewItemCode)
+		newColor := strings.TrimSpace(line.NewColor)
+		newDim2 := strings.TrimSpace(line.NewDim2)
+
+		if lineID == "" || newItem == "" || newColor == "" {
+			continue
+		}
+
+		itemTypeCode, dim1, _, dim3, err := queries.GetOrderLineDims(mssql, orderHeaderID, lineID)
+		if err != nil {
+			return nil, err
+		}
+
+		exists, err := queries.VariantExists(mssql, itemTypeCode, newItem, newColor, dim1, newDim2, dim3)
+		if err != nil {
+			return nil, err
+		}
+		if !exists {
+			missing = append(missing, models.OrderProductionMissingVariant{
+				OrderLineID:  lineID,
+				ItemTypeCode: itemTypeCode,
+				ItemCode:     newItem,
+				ColorCode:    newColor,
+				ItemDim1Code: dim1,
+				ItemDim2Code: newDim2,
+				ItemDim3Code: dim3,
+			})
+		}
+	}
+
+	return missing, nil
+}
+
+func validateUpdateLines(lines []models.OrderProductionUpdateLine) error {
+	for _, line := range lines {
+		if strings.TrimSpace(line.OrderLineID) == "" {
+			return errors.New("OrderLineID zorunlu")
+		}
+		if strings.TrimSpace(line.NewItemCode) == "" {
+			return errors.New("Yeni urun kodu zorunlu")
+		}
+		if strings.TrimSpace(line.NewColor) == "" {
+			return errors.New("Yeni renk kodu zorunlu")
+		}
+	}
+	return nil
+}

svc/routes/orderproductionlist.go

@@ -0,0 +1,130 @@
+package routes
+
+import (
+	"bssapp-backend/auth"
+	"bssapp-backend/db"
+	"bssapp-backend/models"
+	"bssapp-backend/queries"
+	"database/sql"
+	"encoding/json"
+	"log"
+	"net/http"
+	"strings"
+)
+
+// ======================================================
+// 📌 OrderProductionListRoute — Üretime verilecek siparişler
+// ======================================================
+func OrderProductionListRoute(mssql *sql.DB) http.Handler {
+	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+
+		w.Header().Set("Content-Type", "application/json; charset=utf-8")
+
+		// --------------------------------------------------
+		// 🔍 Query Param (RAW + TRIM)
+		// --------------------------------------------------
+		raw := r.URL.Query().Get("search")
+		search := strings.TrimSpace(raw)
+
+		log.Printf(
+			"📥 /api/orders/production-list search raw=%q trimmed=%q lenRaw=%d lenTrim=%d",
+			raw,
+			search,
+			len(raw),
+			len(search),
+		)
+
+		// --------------------------------------------------
+		// 🗄 SQL CALL (WITH CONTEXT)
+		// --------------------------------------------------
+		rows, err := queries.GetOrderProductionList(
+			r.Context(),
+			mssql,
+			db.PgDB,
+			search,
+		)
+
+		if err != nil {
+			log.Printf("❌ SQL sorgu hatası: %v", err)
+			http.Error(w, "Veritabanı hatası", http.StatusInternalServerError)
+			return
+		}
+		defer rows.Close()
+
+		// --------------------------------------------------
+		// 📦 Sonuç Listesi
+		// --------------------------------------------------
+		list := make([]models.OrderList, 0, 100)
+		count := 0
+
+		// ==================================================
+		// 🧠 SCAN — SQL SELECT ile BİRE BİR (18 kolon)
+		// ==================================================
+		for rows.Next() {
+
+			var o models.OrderList
+
+			err = rows.Scan(
+				&o.OrderHeaderID, // 1
+				&o.OrderNumber,   // 2
+				&o.OrderDate,     // 3
+
+				&o.CurrAccCode,        // 4
+				&o.CurrAccDescription, // 5
+
+				&o.MusteriTemsilcisi, // 6
+				&o.Piyasa,            // 7
+
+				&o.CreditableConfirmedDate, // 8
+				&o.DocCurrencyCode,         // 9
+
+				&o.TotalAmount,    // 10
+				&o.TotalAmountUSD, // 11
+				&o.PackedAmount,   // 12
+				&o.PackedUSD,      // 13
+				&o.PackedRatePct,  // 14
+
+				&o.IsCreditableConfirmed, // 15
+				&o.HasUretimUrunu,        // 16
+				&o.Description,           // 17
+
+				&o.ExchangeRateUSD, // 18
+			)
+
+			if err != nil {
+				log.Printf(
+					"⚠️ SCAN HATASI | OrderHeaderID=%v | err=%v",
+					o.OrderHeaderID,
+					err,
+				)
+				continue
+			}
+
+			list = append(list, o)
+			count++
+		}
+
+		if err := rows.Err(); err != nil {
+			log.Printf("⚠️ rows.Err(): %v", err)
+		}
+
+		// --------------------------------------------------
+		// 📊 RESULT LOG
+		// --------------------------------------------------
+		claims, _ := auth.GetClaimsFromContext(r.Context())
+
+		log.Printf(
+			"✅ Order production list DONE | user=%d | search=%q | resultCount=%d",
+			claims.ID,
+			search,
+			count,
+		)
+
+		// --------------------------------------------------
+		// ✅ JSON RESPONSE
+		// --------------------------------------------------
+		if err := json.NewEncoder(w).Encode(list); err != nil {
+			log.Printf("❌ encode error: %v", err)
+		}
+	})
+}

svc/routes/orderproductionupdate.go

@@ -0,0 +1,230 @@
+package routes
+
+import (
+	"bssapp-backend/auth"
+	"bssapp-backend/db"
+	"database/sql"
+	"encoding/json"
+	"errors"
+	"net/http"
+	"strings"
+	"time"
+
+	"github.com/gorilla/mux"
+)
+
+type ProductionUpdateLine struct {
+	OrderLineID string `json:"OrderLineID"`
+	ItemTypeCode int16  `json:"ItemTypeCode"`
+	ItemCode     string `json:"ItemCode"`
+	ColorCode    string `json:"ColorCode"`
+	ItemDim1Code string `json:"ItemDim1Code"`
+	ItemDim2Code string `json:"ItemDim2Code"`
+	ItemDim3Code string `json:"ItemDim3Code"`
+	LineDescription string `json:"LineDescription"`
+}
+
+type ProductionUpdateRequest struct {
+	Lines         []ProductionUpdateLine `json:"lines"`
+	InsertMissing bool                   `json:"insertMissing"`
+}
+
+type MissingVariant struct {
+	ItemTypeCode int16  `json:"ItemTypeCode"`
+	ItemCode     string `json:"ItemCode"`
+	ColorCode    string `json:"ColorCode"`
+	ItemDim1Code string `json:"ItemDim1Code"`
+	ItemDim2Code string `json:"ItemDim2Code"`
+	ItemDim3Code string `json:"ItemDim3Code"`
+}
+
+// ======================================================
+// 📌 OrderProductionUpdateRoute — U ürün satırlarını güncelle
+// ======================================================
+func OrderProductionUpdateRoute(mssql *sql.DB) http.Handler {
+	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+
+		w.Header().Set("Content-Type", "application/json; charset=utf-8")
+
+		id := mux.Vars(r)["id"]
+		if id == "" {
+			http.Error(w, "OrderHeaderID bulunamadı", http.StatusBadRequest)
+			return
+		}
+
+		var req ProductionUpdateRequest
+		if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
+			http.Error(w, "Geçersiz JSON", http.StatusBadRequest)
+			return
+		}
+
+		if len(req.Lines) == 0 {
+			http.Error(w, "Satır bulunamadı", http.StatusBadRequest)
+			return
+		}
+
+		claims, _ := auth.GetClaimsFromContext(r.Context())
+		username := ""
+		if claims != nil {
+			username = claims.Username
+		}
+		if username == "" {
+			username = "system"
+		}
+
+		tx, err := db.MssqlDB.Begin()
+		if err != nil {
+			http.Error(w, "İşlem başlatılamadı", http.StatusInternalServerError)
+			return
+		}
+		defer tx.Rollback()
+
+		// 1) Eksik varyantları kontrol et
+		missingMap := make(map[string]MissingVariant)
+		checkStmt, err := tx.Prepare(`
+SELECT TOP 1 1
+FROM dbo.prItemVariant
+WHERE ItemTypeCode = @p1
+  AND ItemCode = @p2
+  AND ColorCode = @p3
+  AND ISNULL(ItemDim1Code,'') = ISNULL(@p4,'')
+  AND ISNULL(ItemDim2Code,'') = ISNULL(@p5,'')
+  AND ISNULL(ItemDim3Code,'') = ISNULL(@p6,'')
+`)
+		if err != nil {
+			http.Error(w, "Varyant kontrolü hazırlanamadı", http.StatusInternalServerError)
+			return
+		}
+		defer checkStmt.Close()
+
+		for _, ln := range req.Lines {
+			if strings.TrimSpace(ln.ItemCode) == "" {
+				http.Error(w, "Yeni model kodu boş", http.StatusBadRequest)
+				return
+			}
+			row := checkStmt.QueryRow(
+				ln.ItemTypeCode,
+				ln.ItemCode,
+				ln.ColorCode,
+				ln.ItemDim1Code,
+				ln.ItemDim2Code,
+				ln.ItemDim3Code,
+			)
+			var ok int
+			if err := row.Scan(&ok); err != nil {
+				if errors.Is(err, sql.ErrNoRows) {
+					key := strings.Join([]string{
+						ln.ItemCode, ln.ColorCode, ln.ItemDim1Code, ln.ItemDim2Code, ln.ItemDim3Code,
+					}, "|")
+					missingMap[key] = MissingVariant{
+						ItemTypeCode: ln.ItemTypeCode,
+						ItemCode:     ln.ItemCode,
+						ColorCode:    ln.ColorCode,
+						ItemDim1Code: ln.ItemDim1Code,
+						ItemDim2Code: ln.ItemDim2Code,
+						ItemDim3Code: ln.ItemDim3Code,
+					}
+					continue
+				}
+				http.Error(w, "Varyant kontrolü hatası", http.StatusInternalServerError)
+				return
+			}
+		}
+
+		if len(missingMap) > 0 && !req.InsertMissing {
+			missing := make([]MissingVariant, 0, len(missingMap))
+			for _, v := range missingMap {
+				missing = append(missing, v)
+			}
+			w.WriteHeader(http.StatusConflict)
+			_ = json.NewEncoder(w).Encode(map[string]any{
+				"missing": missing,
+			})
+			return
+		}
+
+		// 2) Eksikleri ekle (gerekirse)
+		if len(missingMap) > 0 {
+			// PLU üretimi (max + row_number)
+			var basePlu int64
+			if err := tx.QueryRow(`SELECT ISNULL(MAX(PLU),0) FROM dbo.prItemVariant WITH (UPDLOCK, HOLDLOCK)`).Scan(&basePlu); err != nil {
+				http.Error(w, "PLU alınamadı", http.StatusInternalServerError)
+				return
+			}
+
+			now := time.Now()
+			i := int64(0)
+			for _, v := range missingMap {
+				i++
+				if _, err := tx.Exec(`
+INSERT INTO dbo.prItemVariant
+(
+	ItemTypeCode, ItemCode, ColorCode, ItemDim1Code, ItemDim2Code, ItemDim3Code,
+	PLU, CreatedUserName, CreatedDate, LastUpdatedUserName, LastUpdatedDate
+)
+VALUES
+(@p1,@p2,@p3,@p4,@p5,@p6,@p7,@p8,@p9,@p8,@p9)
+`,
+					v.ItemTypeCode,
+					v.ItemCode,
+					v.ColorCode,
+					v.ItemDim1Code,
+					v.ItemDim2Code,
+					v.ItemDim3Code,
+					basePlu+i,
+					username,
+					now,
+				); err != nil {
+					http.Error(w, "Varyant insert hatası", http.StatusInternalServerError)
+					return
+				}
+			}
+		}
+
+		// 3) trOrderLine güncelle
+		updStmt, err := tx.Prepare(`
+UPDATE dbo.trOrderLine
+SET
+	ItemCode = @p1,
+	ColorCode = @p2,
+	ItemDim2Code = @p3,
+	LineDescription = @p4,
+	LastUpdatedUserName = @p5,
+	LastUpdatedDate = @p6
+WHERE OrderHeaderID = @p7
+  AND OrderLineID = @p8
+`)
+		if err != nil {
+			http.Error(w, "Update hazırlığı başarısız", http.StatusInternalServerError)
+			return
+		}
+		defer updStmt.Close()
+
+		now := time.Now()
+		for _, ln := range req.Lines {
+			if _, err := updStmt.Exec(
+				ln.ItemCode,
+				ln.ColorCode,
+				ln.ItemDim2Code,
+				ln.LineDescription,
+				username,
+				now,
+				id,
+				ln.OrderLineID,
+			); err != nil {
+				http.Error(w, "Satır güncelleme hatası", http.StatusInternalServerError)
+				return
+			}
+		}
+
+		if err := tx.Commit(); err != nil {
+			http.Error(w, "Commit hatası", http.StatusInternalServerError)
+			return
+		}
+
+		_ = json.NewEncoder(w).Encode(map[string]any{
+			"status":  "ok",
+			"updated": len(req.Lines),
+		})
+	})
+}

svc/routes/orders.go

@@ -81,6 +81,7 @@ func UpdateOrderHandler(w http.ResponseWriter, r *http.Request) {
 		_ = json.NewEncoder(w).Encode(map[string]any{
 			"code":    "ORDER_UPDATE_FAILED",
 			"message": "Sipariş kaydedilirken beklenmeyen bir hata oluştu.",
+			"detail":  err.Error(),
 		})
 		return
 	}

svc/routes/pdf_assets.go

@@ -0,0 +1,128 @@
+package routes
+
+import (
+	"fmt"
+	"log"
+	"os"
+	"path/filepath"
+	"strings"
+
+	"github.com/jung-kurt/gofpdf"
+)
+
+func resolvePdfAssetPath(name string) (string, error) {
+
+	base := strings.TrimSpace(os.Getenv("PDF_FONT_DIR"))
+
+	if base == "" {
+		return "", fmt.Errorf("env PDF_FONT_DIR not set")
+	}
+
+	if !strings.HasPrefix(base, "/") {
+		base = "/" + base
+	}
+
+	name = strings.TrimSpace(name)
+	name = strings.TrimPrefix(name, "/")
+	name = strings.TrimPrefix(name, "\\")
+
+	full := filepath.Join(base, name)
+	full = filepath.Clean(full)
+
+	log.Printf("📄 PDF FONT PATH = %s", full)
+
+	if _, err := os.Stat(full); err != nil {
+		return "", fmt.Errorf("font not found: %s (%v)", full, err)
+	}
+
+	return full, nil
+}
+
+func resolvePdfImagePath(fileName string) (string, error) {
+	return resolveAssetPath(fileName, []string{
+		"public",
+		filepath.Join("svc", "public"),
+	})
+}
+
+func resolveAssetPath(fileName string, relativeDirs []string) (string, error) {
+	candidates := make([]string, 0, len(relativeDirs)*3)
+	for _, dir := range relativeDirs {
+		candidates = append(candidates,
+			filepath.Join(dir, fileName),
+			filepath.Join(".", dir, fileName),
+			filepath.Join("..", dir, fileName),
+		)
+	}
+
+	if exePath, err := os.Executable(); err == nil {
+		exeDir := filepath.Dir(exePath)
+		for _, dir := range relativeDirs {
+			candidates = append(candidates,
+				filepath.Join(exeDir, dir, fileName),
+				filepath.Join(exeDir, "..", dir, fileName),
+			)
+		}
+	}
+
+	seen := map[string]struct{}{}
+	tried := make([]string, 0, len(candidates))
+
+	for _, p := range candidates {
+		if abs, err := filepath.Abs(p); err == nil {
+			p = abs
+		}
+
+		if _, ok := seen[p]; ok {
+			continue
+		}
+		seen[p] = struct{}{}
+		tried = append(tried, p)
+
+		if fi, err := os.Stat(p); err == nil && !fi.IsDir() {
+			return p, nil
+		}
+	}
+
+	return "", fmt.Errorf("asset not found: %s (tried: %s)", fileName, strings.Join(tried, ", "))
+}
+
+func registerDejavuFonts(pdf *gofpdf.Fpdf, s string) error {
+
+	regPath, err := resolvePdfAssetPath("DejaVuSans.ttf")
+	if err != nil {
+		return err
+	}
+
+	boldPath, err := resolvePdfAssetPath("DejaVuSans-Bold.ttf")
+	if err != nil {
+		return err
+	}
+
+	// SAME FAMILY: "dejavu"
+	pdf.AddUTF8FontFromBytes(
+		"dejavu",
+		"",
+		mustReadFile(regPath),
+	)
+
+	pdf.AddUTF8FontFromBytes(
+		"dejavu",
+		"B",
+		mustReadFile(boldPath),
+	)
+
+	if pdf.Error() != nil {
+		return fmt.Errorf("font init failed: %w", pdf.Error())
+	}
+
+	return nil
+}
+
+func mustReadFile(path string) []byte {
+	b, err := os.ReadFile(path)
+	if err != nil {
+		panic("FONT READ ERROR: " + err.Error())
+	}
+	return b
+}

svc/routes/role_department_permissions.go

@@ -14,6 +14,7 @@ import (
 	"strings"
 
 	"github.com/gorilla/mux"
+	"github.com/lib/pq"
 )
 
 type IdTitleOption struct {
@@ -57,7 +58,7 @@ type RoleDepartmentPermissionHandler struct {
 func NewRoleDepartmentPermissionHandler(db *sql.DB) *RoleDepartmentPermissionHandler {
 
 	return &RoleDepartmentPermissionHandler{
-		DB:   db, // ✅ EKLENDİ
+		DB:   db, // Added
 		Repo: permissions.NewRoleDepartmentPermissionRepo(db),
 	}
 }
@@ -417,7 +418,7 @@ func (h *PermissionHandler) GetUserOverrides(w http.ResponseWriter, r *http.Requ
 
 	list, err := h.Repo.GetUserOverridesByUserID(userID)
 	if err != nil {
-		log.Println("❌ USER OVERRIDE LOAD ERROR:", err)
+		log.Println("USER OVERRIDE LOAD ERROR:", err)
 		http.Error(w, "db error", http.StatusInternalServerError)
 		return
 	}
@@ -425,6 +426,138 @@ func (h *PermissionHandler) GetUserOverrides(w http.ResponseWriter, r *http.Requ
 	w.Header().Set("Content-Type", "application/json; charset=utf-8")
 	_ = json.NewEncoder(w).Encode(list)
 }
+
+type routePermissionSeed struct {
+	Module string
+	Action string
+	Path   string
+}
+
+type moduleActionSeed struct {
+	Module string
+	Action string
+}
+
+type permissionSnapshot struct {
+	user     map[string]bool
+	roleDept map[string]bool
+	role     map[string]bool
+}
+
+func permissionKey(module, action string) string {
+	return module + "|" + action
+}
+
+func loadPermissionSnapshot(
+	db *sql.DB,
+	userID int64,
+	roleID int64,
+	deptCodes []string,
+) (permissionSnapshot, error) {
+	snapshot := permissionSnapshot{
+		user:     make(map[string]bool, 128),
+		roleDept: make(map[string]bool, 128),
+		role:     make(map[string]bool, 128),
+	}
+
+	userRows, err := db.Query(`
+		SELECT module_code, action, allowed
+		FROM mk_sys_user_permissions
+		WHERE user_id = $1
+	`, userID)
+	if err != nil {
+		return snapshot, err
+	}
+	for userRows.Next() {
+		var module, action string
+		var allowed bool
+		if err := userRows.Scan(&module, &action, &allowed); err != nil {
+			_ = userRows.Close()
+			return snapshot, err
+		}
+		snapshot.user[permissionKey(module, action)] = allowed
+	}
+	if err := userRows.Err(); err != nil {
+		_ = userRows.Close()
+		return snapshot, err
+	}
+	_ = userRows.Close()
+
+	if len(deptCodes) > 0 {
+		roleDeptRows, err := db.Query(`
+			SELECT module_code, action, BOOL_OR(allowed) AS allowed
+			FROM vw_role_dept_permissions
+			WHERE role_id = $1
+			  AND department_code = ANY($2)
+			GROUP BY module_code, action
+		`,
+			roleID,
+			pq.Array(deptCodes),
+		)
+		if err != nil {
+			return snapshot, err
+		}
+		for roleDeptRows.Next() {
+			var module, action string
+			var allowed bool
+			if err := roleDeptRows.Scan(&module, &action, &allowed); err != nil {
+				_ = roleDeptRows.Close()
+				return snapshot, err
+			}
+			snapshot.roleDept[permissionKey(module, action)] = allowed
+		}
+		if err := roleDeptRows.Err(); err != nil {
+			_ = roleDeptRows.Close()
+			return snapshot, err
+		}
+		_ = roleDeptRows.Close()
+	}
+
+	roleRows, err := db.Query(`
+		SELECT module_code, action, allowed
+		FROM mk_sys_role_permissions
+		WHERE role_id = $1
+	`, roleID)
+	if err != nil {
+		return snapshot, err
+	}
+	for roleRows.Next() {
+		var module, action string
+		var allowed bool
+		if err := roleRows.Scan(&module, &action, &allowed); err != nil {
+			_ = roleRows.Close()
+			return snapshot, err
+		}
+		snapshot.role[permissionKey(module, action)] = allowed
+	}
+	if err := roleRows.Err(); err != nil {
+		_ = roleRows.Close()
+		return snapshot, err
+	}
+	_ = roleRows.Close()
+
+	return snapshot, nil
+}
+
+func resolvePermissionFromSnapshot(
+	s permissionSnapshot,
+	module string,
+	action string,
+) bool {
+	key := permissionKey(module, action)
+
+	if allowed, ok := s.user[key]; ok {
+		return allowed
+	}
+	if allowed, ok := s.roleDept[key]; ok {
+		return allowed
+	}
+	if allowed, ok := s.role[key]; ok {
+		return allowed
+	}
+	return false
+}
+
 func GetUserRoutePermissionsHandler(db *sql.DB) http.HandlerFunc {
 	return func(w http.ResponseWriter, r *http.Request) {
 
@@ -436,10 +569,16 @@ func GetUserRoutePermissionsHandler(db *sql.DB) http.HandlerFunc {
 			return
 		}
 
-		repo := permissions.NewPermissionRepository(db)
+		snapshot, err := loadPermissionSnapshot(
-
+			db,
-		// JWT’den departmanlar
+			int64(claims.ID),
-		depts := claims.DepartmentCodes
+			int64(claims.RoleID),
+			claims.DepartmentCodes,
+		)
+		if err != nil {
+			http.Error(w, err.Error(), 500)
+			return
+		}
 
 		rows, err := db.Query(`
 			SELECT DISTINCT
@@ -454,17 +593,9 @@ func GetUserRoutePermissionsHandler(db *sql.DB) http.HandlerFunc {
 		}
 		defer rows.Close()
 
-		type Row struct {
+		routeSeeds := make([]routePermissionSeed, 0, 128)
-			Route     string `json:"route"`
-			CanAccess bool   `json:"can_access"`
-		}
-
-		list := make([]Row, 0, 64)
-
 		for rows.Next() {
-
 			var module, action, path string
-
 			if err := rows.Scan(
 				&module,
 				&action,
@@ -473,22 +604,26 @@ func GetUserRoutePermissionsHandler(db *sql.DB) http.HandlerFunc {
 				continue
 			}
 
-			allowed, err := repo.ResolvePermissionChain(
+			routeSeeds = append(routeSeeds, routePermissionSeed{
-				int64(claims.ID),
+				Module: module,
-				int64(claims.RoleID),
+				Action: action,
-				depts,
+				Path:   path,
-				module,
+			})
-				action,
+		}
-			)
+		if err := rows.Err(); err != nil {
-
+			http.Error(w, err.Error(), 500)
-			if err != nil {
+			return
-				log.Println("PERM RESOLVE ERROR:", err)
+		}
-				continue
-			}
 
+		list := make([]Row, 0, len(routeSeeds))
+		for _, route := range routeSeeds {
 			list = append(list, Row{
-				Route:     path,
+				Route: route.Path,
-				CanAccess: allowed,
+				CanAccess: resolvePermissionFromSnapshot(
+					snapshot,
+					route.Module,
+					route.Action,
+				),
 			})
 		}
 
@@ -507,18 +642,17 @@ func GetMyEffectivePermissions(db *sql.DB) http.HandlerFunc {
 			return
 		}
 
-		repo := permissions.NewPermissionRepository(db)
+		snapshot, err := loadPermissionSnapshot(
-
+			db,
-		// ✅ JWT'DEN DEPARTMENTS
+			int64(claims.ID),
-		depts := claims.DepartmentCodes
+			int64(claims.RoleID),
-
+			claims.DepartmentCodes,
-		log.Printf("🧪 EFFECTIVE PERM | user=%d role=%d depts=%v",
-			claims.ID,
-			claims.RoleID,
-			depts,
 		)
+		if err != nil {
+			http.Error(w, err.Error(), 500)
+			return
+		}
 
-		// all system perms
 		all, err := db.Query(`
 			SELECT DISTINCT module_code, action
 			FROM mk_sys_routes
@@ -529,14 +663,7 @@ func GetMyEffectivePermissions(db *sql.DB) http.HandlerFunc {
 		}
 		defer all.Close()
 
-		type Row struct {
+		moduleActions := make([]moduleActionSeed, 0, 128)
-			Module  string `json:"module"`
-			Action  string `json:"action"`
-			Allowed bool   `json:"allowed"`
-		}
-
-		list := make([]Row, 0, 128)
-
 		for all.Next() {
 
 			var m, a string
@@ -544,22 +671,32 @@ func GetMyEffectivePermissions(db *sql.DB) http.HandlerFunc {
 				continue
 			}
 
-			allowed, err := repo.ResolvePermissionChain(
+			moduleActions = append(moduleActions, moduleActionSeed{
-				int64(claims.ID),
+				Module: m,
-				int64(claims.RoleID),
+				Action: a,
-				depts,
+			})
-				m,
+		}
-				a,
+		if err := all.Err(); err != nil {
-			)
+			http.Error(w, err.Error(), 500)
+			return
+		}
 
-			if err != nil {
+		type Row struct {
-				continue
+			Module  string `json:"module"`
-			}
+			Action  string `json:"action"`
+			Allowed bool   `json:"allowed"`
+		}
 
+		list := make([]Row, 0, len(moduleActions))
+		for _, item := range moduleActions {
 			list = append(list, Row{
-				Module:  m,
+				Module: item.Module,
-				Action:  a,
+				Action: item.Action,
-				Allowed: allowed,
+				Allowed: resolvePermissionFromSnapshot(
+					snapshot,
+					item.Module,
+					item.Action,
+				),
 			})
 		}
 

svc/routes/statement_header_pdf.go

@@ -9,8 +9,7 @@ import (
 	"fmt"
 	"log"
 	"net/http"
-	"os"
+	"runtime/debug"
-	"path/filepath"
 	"sort"
 	"strings"
 	"time"
@@ -53,9 +52,7 @@ var hMainWbase = []float64{
 // Font dosyaları
 const (
 	hFontFamilyReg  = "dejavu"
-	hFontFamilyBold = "dejavu-b"
+	hFontFamilyBold = "dejavu"
-	hFontPathReg    = "fonts/DejaVuSans.ttf"
-	hFontPathBold   = "fonts/DejaVuSans-Bold.ttf"
 )
 
 // Renkler
@@ -66,13 +63,8 @@ var (
 
 /* ============================ FONT / FORMAT ============================ */
 
-func hEnsureFonts(pdf *gofpdf.Fpdf) {
+func hEnsureFonts(pdf *gofpdf.Fpdf) error {
-	if _, err := os.Stat(hFontPathReg); err == nil {
+	return registerDejavuFonts(pdf, hFontFamilyReg)
-		pdf.AddUTF8Font(hFontFamilyReg, "", hFontPathReg)
-	}
-	if _, err := os.Stat(hFontPathBold); err == nil {
-		pdf.AddUTF8Font(hFontFamilyBold, "", hFontPathBold)
-	}
 }
 
 func hNormalizeWidths(base []float64, targetTotal float64) []float64 {
@@ -145,10 +137,9 @@ func hCalcRowHeightForText(pdf *gofpdf.Fpdf, text string, colWidth, lineHeight,
 /* ============================ HEADER ============================ */
 
 func hDrawPageHeader(pdf *gofpdf.Fpdf, cariKod, cariIsim, start, end string) float64 {
-	logoPath, _ := filepath.Abs("./public/Baggi-Tekstil-A.s-Logolu.jpeg")
+	if logoPath, err := resolvePdfImagePath("Baggi-Tekstil-A.s-Logolu.jpeg"); err == nil {
-
+		pdf.ImageOptions(logoPath, hMarginL, 2, hLogoW, 0, false, gofpdf.ImageOptions{}, 0, "")
-	// Logo
+	}
-	pdf.ImageOptions(logoPath, hMarginL, 2, hLogoW, 0, false, gofpdf.ImageOptions{}, 0, "")
 
 	// Başlıklar
 	pdf.SetFont(hFontFamilyBold, "", 16)
@@ -272,6 +263,14 @@ func hDrawMainDataRow(pdf *gofpdf.Fpdf, row []string, widths []float64, rowH flo
 
 func ExportStatementHeaderReportPDFHandler(mssql *sql.DB) http.HandlerFunc {
 	return func(w http.ResponseWriter, r *http.Request) {
+		defer func() {
+			if rec := recover(); rec != nil {
+				log.Printf("❌ PANIC ExportStatementHeaderReportPDFHandler: %v", rec)
+				debug.PrintStack()
+				http.Error(w, fmt.Sprintf("header PDF panic: %v", rec), http.StatusInternalServerError)
+			}
+		}()
+
 		claims, ok := auth.GetClaimsFromContext(r.Context())
 		if !ok || claims == nil {
 			http.Error(w, "unauthorized", http.StatusUnauthorized)
@@ -332,7 +331,10 @@ func ExportStatementHeaderReportPDFHandler(mssql *sql.DB) http.HandlerFunc {
 		pdf := gofpdf.New("L", "mm", "A4", "")
 		pdf.SetMargins(hMarginL, hMarginT, hMarginR)
 		pdf.SetAutoPageBreak(false, hMarginB)
-		hEnsureFonts(pdf)
+		if err := hEnsureFonts(pdf); err != nil {
+			http.Error(w, "PDF font yükleme hatası: "+err.Error(), http.StatusInternalServerError)
+			return
+		}
 
 		wAvail := hPageWidth - hMarginL - hMarginR
 		mainWn := hNormalizeWidths(hMainWbase, wAvail)
@@ -380,6 +382,11 @@ func ExportStatementHeaderReportPDFHandler(mssql *sql.DB) http.HandlerFunc {
 			pdf.Ln(1)
 		}
 
+		if err := pdf.Error(); err != nil {
+			http.Error(w, "PDF render hatası: "+err.Error(), http.StatusInternalServerError)
+			return
+		}
+
 		var buf bytes.Buffer
 		if err := pdf.Output(&buf); err != nil {
 			http.Error(w, "PDF oluşturulamadı: "+err.Error(), http.StatusInternalServerError)

svc/routes/statements_pdf.go

@@ -10,8 +10,7 @@ import (
 	"fmt"
 	"log"
 	"net/http"
-	"os"
+	"runtime/debug"
-	"path/filepath"
 	"sort"
 	"strings"
 	"time"
@@ -79,9 +78,7 @@ var dWbase = []float64{
 // Font dosyaları
 const (
 	fontFamilyReg  = "dejavu"
-	fontFamilyBold = "dejavu-b"
+	fontFamilyBold = "dejavu"
-	fontPathReg    = "fonts/DejaVuSans.ttf"
-	fontPathBold   = "fonts/DejaVuSans-Bold.ttf"
 )
 
 // Kurumsal renkler
@@ -134,17 +131,8 @@ func formatCurrencyTR(n float64) string {
 }
 
 // Fontları yükle
-func ensureFonts(pdf *gofpdf.Fpdf) {
+func ensureFonts(pdf *gofpdf.Fpdf) error {
-	if _, err := os.Stat(fontPathReg); err == nil {
+	return registerDejavuFonts(pdf, fontFamilyReg)
-		pdf.AddUTF8Font(fontFamilyReg, "", fontPathReg)
-	} else {
-		log.Printf("⚠️ Font bulunamadı: %s", fontPathReg)
-	}
-	if _, err := os.Stat(fontPathBold); err == nil {
-		pdf.AddUTF8Font(fontFamilyBold, "", fontPathBold)
-	} else {
-		log.Printf("⚠️ Font bulunamadı: %s", fontPathBold)
-	}
 }
 
 // Güvenli satır kırma
@@ -237,10 +225,9 @@ func drawLabeledBox(pdf *gofpdf.Fpdf, x, y, w, h float64, label, value string, a
 }
 
 func drawPageHeader(pdf *gofpdf.Fpdf, cariKod, cariIsim, start, end string) float64 {
-	logoPath, _ := filepath.Abs("./public/Baggi-Tekstil-A.s-Logolu.jpeg")
+	if logoPath, err := resolvePdfImagePath("Baggi-Tekstil-A.s-Logolu.jpeg"); err == nil {
-
+		pdf.ImageOptions(logoPath, hMarginL, 2, hLogoW, 0, false, gofpdf.ImageOptions{}, 0, "")
-	// Logo
+	}
-	pdf.ImageOptions(logoPath, hMarginL, 2, hLogoW, 0, false, gofpdf.ImageOptions{}, 0, "")
 
 	// Başlıklar
 	pdf.SetFont(hFontFamilyBold, "", 16)
@@ -435,7 +422,8 @@ func ExportPDFHandler(mssql *sql.DB) http.HandlerFunc {
 		defer func() {
 			if rec := recover(); rec != nil {
 				log.Printf("❌ PANIC ExportPDFHandler: %v", rec)
-				http.Error(w, "PDF oluşturulurken hata oluştu", http.StatusInternalServerError)
+				debug.PrintStack()
+				http.Error(w, fmt.Sprintf("PDF oluşturulurken panic oluştu: %v", rec), http.StatusInternalServerError)
 			}
 		}()
 
@@ -513,7 +501,10 @@ func ExportPDFHandler(mssql *sql.DB) http.HandlerFunc {
 		pdf := gofpdf.New("L", "mm", "A4", "")
 		pdf.SetMargins(marginL, marginT, marginR)
 		pdf.SetAutoPageBreak(false, marginB)
-		ensureFonts(pdf)
+		if err := ensureFonts(pdf); err != nil {
+			http.Error(w, "PDF font yükleme hatası: "+err.Error(), http.StatusInternalServerError)
+			return
+		}
 		pdf.SetFont(fontFamilyReg, "", 8.5)
 		pdf.SetTextColor(0, 0, 0)
 
@@ -614,6 +605,11 @@ func ExportPDFHandler(mssql *sql.DB) http.HandlerFunc {
 		}
 
 		// 7) Çıktı
+		if err := pdf.Error(); err != nil {
+			http.Error(w, "PDF render hatası: "+err.Error(), http.StatusInternalServerError)
+			return
+		}
+
 		var buf bytes.Buffer
 		if err := pdf.Output(&buf); err != nil {
 			http.Error(w, "PDF oluşturulamadı: "+err.Error(), http.StatusInternalServerError)

svc/routes/user_detail.go

@@ -1,6 +1,7 @@
 package routes
 
 import (
+	"bssapp-backend/auth"
 	"bssapp-backend/internal/auditlog"
 	"bssapp-backend/internal/mailer"
 	"bssapp-backend/internal/security"
@@ -11,9 +12,11 @@ import (
 	"encoding/json"
 	"fmt"
 	"io"
+	"log"
 	"net/http"
 	"os"
 	"strconv"
+	"strings"
 	"time"
 
 	"github.com/gorilla/mux"
@@ -49,6 +52,8 @@ func UserDetailRoute(db *sql.DB) http.Handler {
 			handleUserGet(db, w, userID)
 		case http.MethodPut:
 			handleUserUpdate(db, w, r, userID)
+		case http.MethodDelete:
+			handleUserDelete(db, w, r, userID)
 		case http.MethodOptions:
 			w.WriteHeader(http.StatusOK)
 		default:
@@ -210,6 +215,17 @@ func handleUserUpdate(db *sql.DB, w http.ResponseWriter, r *http.Request, userID
 		return
 	}
 
+	payload.Code = strings.TrimSpace(payload.Code)
+	payload.FullName = strings.TrimSpace(payload.FullName)
+	payload.Email = strings.TrimSpace(payload.Email)
+	payload.Mobile = strings.TrimSpace(payload.Mobile)
+	payload.Address = strings.TrimSpace(payload.Address)
+
+	if payload.Code == "" {
+		http.Error(w, "Kullanıcı kodu zorunludur", http.StatusUnprocessableEntity)
+		return
+	}
+
 	tx, err := db.Begin()
 	if err != nil {
 		http.Error(w, "Transaction başlatılamadı", http.StatusInternalServerError)
@@ -228,31 +244,81 @@ func handleUserUpdate(db *sql.DB, w http.ResponseWriter, r *http.Request, userID
 		payload.Address,
 	)
 	if err != nil {
+		log.Printf("❌ [UserDetail] UpdateUserHeader failed user_id=%d err=%v payload=%+v", userID, err, payload)
 		http.Error(w, "Header güncellenemedi", http.StatusInternalServerError)
 		return
 	}
 
-	tx.Exec(`DELETE FROM dfrole_usr WHERE dfusr_id = $1`, userID)
+	if _, err := tx.Exec(`DELETE FROM dfrole_usr WHERE dfusr_id = $1`, userID); err != nil {
+		log.Printf("❌ [UserDetail] delete roles failed user_id=%d err=%v", userID, err)
+		http.Error(w, "Roller temizlenemedi", http.StatusInternalServerError)
+		return
+	}
 	for _, code := range payload.Roles {
-		tx.Exec(queries.InsertUserRole, userID, code)
+		code = strings.TrimSpace(code)
+		if code == "" {
+			continue
+		}
+		if _, err := tx.Exec(queries.InsertUserRole, userID, code); err != nil {
+			log.Printf("❌ [UserDetail] insert role failed user_id=%d role=%q err=%v", userID, code, err)
+			http.Error(w, "Rol eklenemedi", http.StatusInternalServerError)
+			return
+		}
 	}
 
-	tx.Exec(`DELETE FROM dfusr_dprt WHERE dfusr_id = $1`, userID)
+	if _, err := tx.Exec(`DELETE FROM dfusr_dprt WHERE dfusr_id = $1`, userID); err != nil {
+		log.Printf("❌ [UserDetail] delete departments failed user_id=%d err=%v", userID, err)
+		http.Error(w, "Departmanlar temizlenemedi", http.StatusInternalServerError)
+		return
+	}
 	for _, d := range payload.Departments {
-		tx.Exec(queries.InsertUserDepartment, userID, d.Code)
+		code := strings.TrimSpace(d.Code)
+		if code == "" {
+			continue
+		}
+		if _, err := tx.Exec(queries.InsertUserDepartment, userID, code); err != nil {
+			log.Printf("❌ [UserDetail] insert department failed user_id=%d dept=%q err=%v", userID, code, err)
+			http.Error(w, "Departman eklenemedi", http.StatusInternalServerError)
+			return
+		}
 	}
 
-	tx.Exec(`DELETE FROM dfusr_piyasa WHERE dfusr_id = $1`, userID)
+	if _, err := tx.Exec(`DELETE FROM dfusr_piyasa WHERE dfusr_id = $1`, userID); err != nil {
+		log.Printf("❌ [UserDetail] delete piyasalar failed user_id=%d err=%v", userID, err)
+		http.Error(w, "Piyasalar temizlenemedi", http.StatusInternalServerError)
+		return
+	}
 	for _, p := range payload.Piyasalar {
-		tx.Exec(queries.InsertUserPiyasa, userID, p.Code)
+		code := strings.TrimSpace(p.Code)
+		if code == "" {
+			continue
+		}
+		if _, err := tx.Exec(queries.InsertUserPiyasa, userID, code); err != nil {
+			log.Printf("❌ [UserDetail] insert piyasa failed user_id=%d piyasa=%q err=%v", userID, code, err)
+			http.Error(w, "Piyasa eklenemedi", http.StatusInternalServerError)
+			return
+		}
 	}
 
-	tx.Exec(`DELETE FROM dfusr_nebim_user WHERE dfusr_id = $1`, userID)
+	if _, err := tx.Exec(`DELETE FROM dfusr_nebim_user WHERE dfusr_id = $1`, userID); err != nil {
+		log.Printf("❌ [UserDetail] delete nebim users failed user_id=%d err=%v", userID, err)
+		http.Error(w, "Nebim kullanıcıları temizlenemedi", http.StatusInternalServerError)
+		return
+	}
 	for _, n := range payload.NebimUsers {
-		tx.Exec(queries.InsertUserNebim, userID, n.Username)
+		username := strings.TrimSpace(n.Username)
+		if username == "" {
+			continue
+		}
+		if _, err := tx.Exec(queries.InsertUserNebim, userID, username); err != nil {
+			log.Printf("❌ [UserDetail] insert nebim user failed user_id=%d username=%q err=%v", userID, username, err)
+			http.Error(w, "Nebim kullanıcısı eklenemedi", http.StatusInternalServerError)
+			return
+		}
 	}
 
 	if err := tx.Commit(); err != nil {
+		log.Printf("❌ [UserDetail] commit failed user_id=%d err=%v", userID, err)
 		http.Error(w, "Commit başarısız", http.StatusInternalServerError)
 		return
 	}
@@ -260,6 +326,102 @@ func handleUserUpdate(db *sql.DB, w http.ResponseWriter, r *http.Request, userID
 	_ = json.NewEncoder(w).Encode(map[string]any{"success": true})
 }
 
+// ======================================================
+// 🗑️ DELETE USER (HARD DELETE)
+// ======================================================
+func handleUserDelete(db *sql.DB, w http.ResponseWriter, r *http.Request, userID int64) {
+	claims, _ := auth.GetClaimsFromContext(r.Context())
+	if claims != nil && int64(claims.ID) == userID {
+		http.Error(w, "Kendi kullanicinizi silemezsiniz", http.StatusConflict)
+		return
+	}
+
+	tx, err := db.Begin()
+	if err != nil {
+		http.Error(w, "Transaction baslatilamadi", http.StatusInternalServerError)
+		return
+	}
+	defer tx.Rollback()
+
+	var username string
+	_ = tx.QueryRow(`
+		SELECT username
+		FROM mk_dfusr
+		WHERE id = $1
+	`, userID).Scan(&username)
+
+	if strings.TrimSpace(username) == "" {
+		_ = tx.QueryRow(`
+			SELECT code
+			FROM dfusr
+			WHERE id = $1
+		`, userID).Scan(&username)
+	}
+
+	if strings.TrimSpace(username) == "" {
+		http.Error(w, "Kullanici bulunamadi", http.StatusNotFound)
+		return
+	}
+
+	cleanupQueries := []string{
+		`DELETE FROM mk_refresh_tokens WHERE mk_user_id = $1`,
+		`DELETE FROM mk_dfusr_password_reset WHERE mk_dfusr_id = $1`,
+		`DELETE FROM dfusr_password_reset WHERE dfusr_id = $1`,
+		`DELETE FROM mk_sys_user_permissions WHERE user_id = $1`,
+		`DELETE FROM dfrole_usr WHERE dfusr_id = $1`,
+		`DELETE FROM dfusr_dprt WHERE dfusr_id = $1`,
+		`DELETE FROM dfusr_piyasa WHERE dfusr_id = $1`,
+		`DELETE FROM dfusr_nebim_user WHERE dfusr_id = $1`,
+	}
+
+	for _, q := range cleanupQueries {
+		if _, err := tx.Exec(q, userID); err != nil {
+			log.Printf("❌ [UserDetail] cleanup failed user_id=%d err=%v query=%s", userID, err, q)
+			http.Error(w, "Kullanici baglantilari silinemedi", http.StatusInternalServerError)
+			return
+		}
+	}
+
+	if _, err := tx.Exec(`DELETE FROM mk_dfusr WHERE id = $1`, userID); err != nil {
+		log.Printf("❌ [UserDetail] delete mk_dfusr failed user_id=%d err=%v", userID, err)
+		http.Error(w, "Kullanici silinemedi", http.StatusInternalServerError)
+		return
+	}
+
+	if _, err := tx.Exec(`DELETE FROM dfusr WHERE id = $1`, userID); err != nil {
+		log.Printf("❌ [UserDetail] delete dfusr failed user_id=%d err=%v", userID, err)
+		http.Error(w, "Kullanici silinemedi", http.StatusInternalServerError)
+		return
+	}
+
+	if err := tx.Commit(); err != nil {
+		log.Printf("❌ [UserDetail] delete commit failed user_id=%d err=%v", userID, err)
+		http.Error(w, "Commit basarisiz", http.StatusInternalServerError)
+		return
+	}
+
+	if claims != nil {
+		auditlog.Enqueue(r.Context(), auditlog.ActivityLog{
+			ActionType:     "user_delete",
+			ActionCategory: "user_admin",
+			ActionTarget:   fmt.Sprintf("/api/users/%d", userID),
+			Description:    "user deleted from mk_dfusr and dfusr",
+			Username:       claims.Username,
+			RoleCode:       claims.RoleCode,
+			DfUsrID:        int64(claims.ID),
+			TargetDfUsrID:  userID,
+			TargetUsername: username,
+			IsSuccess:      true,
+		})
+	}
+
+	_ = json.NewEncoder(w).Encode(map[string]any{
+		"success":  true,
+		"deleted":  userID,
+		"username": username,
+	})
+}
+
 // ======================================================
 // 🔐 ADMIN — PASSWORD RESET MAIL
 // ======================================================

svc/services/auth.go

@@ -2,6 +2,10 @@ package services
 
 import (
 	"bssapp-backend/models"
+	"crypto/md5"
+	"crypto/sha1"
+	"encoding/hex"
+	"log"
 	"strings"
 
 	"golang.org/x/crypto/bcrypt"
@@ -16,7 +20,6 @@ func CheckPasswordWithLegacy(user *models.User, plain string) bool {
 		return false
 	}
 
-	plain = strings.TrimSpace(plain)
 	if plain == "" {
 		return false
 	}
@@ -28,11 +31,100 @@ func CheckPasswordWithLegacy(user *models.User, plain string) bool {
 
 	// 1️⃣ bcrypt hash mi?
 	if isBcryptHash(stored) {
-		return bcrypt.CompareHashAndPassword([]byte(stored), []byte(plain)) == nil
+		candidates := make([]string, 0, 10)
+		seen := map[string]struct{}{}
+		add := func(v string) {
+			if v == "" {
+				return
+			}
+			if _, ok := seen[v]; ok {
+				return
+			}
+			seen[v] = struct{}{}
+			candidates = append(candidates, v)
+		}
+
+		add(plain)
+		trimmed := strings.TrimSpace(plain)
+		add(trimmed)
+
+		bases := append([]string(nil), candidates...)
+		for _, base := range bases {
+			md5Sum := md5.Sum([]byte(base))
+			md5Hex := hex.EncodeToString(md5Sum[:])
+			add(md5Hex)
+			add(strings.ToUpper(md5Hex))
+
+			sha1Sum := sha1.Sum([]byte(base))
+			sha1Hex := hex.EncodeToString(sha1Sum[:])
+			add(sha1Hex)
+			add(strings.ToUpper(sha1Hex))
+		}
+
+		var lastErr error
+		for _, candidate := range candidates {
+			if err := bcrypt.CompareHashAndPassword([]byte(stored), []byte(candidate)); err == nil {
+				return true
+			} else {
+				lastErr = err
+			}
+			if encoded, ok := encodeLegacySingleByte(candidate); ok {
+				if err := bcrypt.CompareHashAndPassword([]byte(stored), encoded); err == nil {
+					return true
+				} else {
+					lastErr = err
+				}
+			}
+		}
+		if lastErr != nil {
+			log.Printf(
+				"LEGACY BCRYPT MISMATCH stored_len=%d candidates=%d last_err=%v",
+				len(stored),
+				len(candidates),
+				lastErr,
+			)
+		}
+
+		return false
 	}
 
 	// 2️⃣ TAM LEGACY — düz metin (eski kayıtlar)
-	return stored == plain
+	if stored == plain {
+		return true
+	}
+	trimmed := strings.TrimSpace(plain)
+	if trimmed != plain && trimmed != "" && stored == trimmed {
+		return true
+	}
+
+	// 3️⃣ Legacy hash variants seen in old dfusr.upass data.
+	if isHexDigest(stored, 32) {
+		sumRaw := md5.Sum([]byte(plain))
+		if strings.EqualFold(stored, hex.EncodeToString(sumRaw[:])) {
+			return true
+		}
+		if trimmed != plain && trimmed != "" {
+			sumTrim := md5.Sum([]byte(trimmed))
+			if strings.EqualFold(stored, hex.EncodeToString(sumTrim[:])) {
+				return true
+			}
+		}
+	}
+
+	if isHexDigest(stored, 40) {
+		sumRaw := sha1.Sum([]byte(plain))
+		if strings.EqualFold(stored, hex.EncodeToString(sumRaw[:])) {
+			return true
+		}
+		if trimmed != plain && trimmed != "" {
+			sumTrim := sha1.Sum([]byte(trimmed))
+			if strings.EqualFold(stored, hex.EncodeToString(sumTrim[:])) {
+				return true
+			}
+		}
+	}
+
+	return false
 }
 
 func isBcryptHash(s string) bool {
@@ -40,3 +132,46 @@ func isBcryptHash(s string) bool {
 		strings.HasPrefix(s, "$2b$") ||
 		strings.HasPrefix(s, "$2y$")
 }
+
+func isHexDigest(s string, expectedLen int) bool {
+	if len(s) != expectedLen {
+		return false
+	}
+	for _, r := range s {
+		if (r < '0' || r > '9') &&
+			(r < 'a' || r > 'f') &&
+			(r < 'A' || r > 'F') {
+			return false
+		}
+	}
+	return true
+}
+
+// encodeLegacySingleByte converts text to a Turkish-compatible single-byte
+// representation (similar to Windows-1254 / ISO-8859-9) for legacy bcrypt data.
+func encodeLegacySingleByte(s string) ([]byte, bool) {
+	out := make([]byte, 0, len(s))
+	for _, r := range s {
+		switch r {
+		case 'Ğ':
+			out = append(out, 0xD0)
+		case 'ğ':
+			out = append(out, 0xF0)
+		case 'İ':
+			out = append(out, 0xDD)
+		case 'ı':
+			out = append(out, 0xFD)
+		case 'Ş':
+			out = append(out, 0xDE)
+		case 'ş':
+			out = append(out, 0xFE)
+		default:
+			if r >= 0 && r <= 0xFF {
+				out = append(out, byte(r))
+			} else {
+				return nil, false
+			}
+		}
+	}
+	return out, true
+}

ui/.env.development

@@ -0,0 +1 @@
+VITE_API_BASE_URL=http://localhost:8080/api

ui/.env.production

@@ -0,0 +1 @@
+VITE_API_BASE_URL=/api

ui/.quasar/dev-spa/client-entry.js

@@ -146,8 +146,6 @@ createQuasarApp(createApp, quasarUserOptions)
 
     return Promise[ method ]([
       
-      import(/* webpackMode: "eager" */ 'boot/axios'),
-      
       import(/* webpackMode: "eager" */ 'boot/dayjs')
       
     ]).then(bootFiles => {

ui/package-lock.json

@@ -7,7 +7,6 @@
     "": {
       "name": "baggisowtfaresystem",
       "version": "0.0.1",
-      "hasInstallScript": true,
       "dependencies": {
         "@quasar/extras": "^1.16.4",
         "axios": "^1.12.2",
@@ -20,7 +19,8 @@
       },
       "devDependencies": {
         "@quasar/app-webpack": "^4.1.0",
-        "autoprefixer": "^10.4.2"
+        "autoprefixer": "^10.4.2",
+        "baseline-browser-mapping": "^2.9.19"
       },
       "engines": {
         "node": "^28 || ^26 || ^24 || ^22 || ^20 || ^18",
@@ -3856,9 +3856,9 @@
       "license": "MIT"
     },
     "node_modules/baseline-browser-mapping": {
-      "version": "2.8.12",
+      "version": "2.9.19",
-      "resolved": "https://registry.npmjs.org/baseline-browser-mapping/-/baseline-browser-mapping-2.8.12.tgz",
+      "resolved": "https://registry.npmjs.org/baseline-browser-mapping/-/baseline-browser-mapping-2.9.19.tgz",
-      "integrity": "sha512-vAPMQdnyKCBtkmQA6FMCBvU9qFIppS3nzyXnEM+Lo2IAhG4Mpjv9cCxMudhgV3YdNNJv6TNqXy97dfRVL2LmaQ==",
+      "integrity": "sha512-ipDqC8FrAl/76p2SSWKSI+H9tFwm7vYqXQrItCuiVPt26Km0jS+NzSsBWAaBusvSbQcfJG+JitdMm+wZAgTYqg==",
       "dev": true,
       "license": "Apache-2.0",
       "bin": {

ui/package.json

@@ -9,8 +9,7 @@
   "scripts": {
     "test": "echo \"No test specified\" && exit 0",
     "dev": "quasar dev",
-    "build": "quasar build",
+    "build": "quasar build"
-    "postinstall": "quasar prepare"
   },
   "dependencies": {
     "@quasar/extras": "^1.16.4",
@@ -24,7 +23,8 @@
   },
   "devDependencies": {
     "@quasar/app-webpack": "^4.1.0",
-    "autoprefixer": "^10.4.2"
+    "autoprefixer": "^10.4.2",
+    "baseline-browser-mapping": "^2.9.19"
   },
   "browserslist": [
     "last 10 Chrome versions",

ui/quasar.config.js

@@ -2,54 +2,97 @@
 import { defineConfig } from '#q-app/wrappers'
 
 export default defineConfig(() => {
+  const apiBaseUrl = (process.env.VITE_API_BASE_URL || '/api').trim()
+
   return {
 
-    // ✅ UYGULAMA KİMLİĞİ (WEB'DE GÖRÜNEN İSİM)
+    /* =====================================================
+       APP INFO
+    ===================================================== */
     productName: 'Baggi BSS',
     productDescription: 'Baggi Tekstil Business Support System',
 
-    // 🔹 Boot dosyaları
+    /* =====================================================
-    boot: ['axios', 'dayjs'],
+       BOOT FILES
+    ===================================================== */
+    boot: ['dayjs'],
 
-    // 🔹 Global CSS
+    /* =====================================================
+       GLOBAL CSS
+    ===================================================== */
     css: ['app.css'],
 
-    // 🔹 Ekstra icon/font setleri
+    /* =====================================================
+       ICONS / FONTS
+    ===================================================== */
     extras: [
       'roboto-font',
       'material-icons'
     ],
 
-    // 🔹 Derleme Ayarları
+    /* =====================================================
+       BUILD (PRODUCTION)
+    ===================================================== */
     build: {
       vueRouterMode: 'hash',
       env: {
-        VITE_API_BASE_URL: 'http://localhost:8080/api'
+        VITE_API_BASE_URL: apiBaseUrl
       },
+
       esbuildTarget: {
         browser: ['es2022', 'firefox115', 'chrome115', 'safari14'],
         node: 'node20'
-      }
+      },
+
+      // Cache & performance
+      gzip: true,
+      preloadChunks: true
     },
 
-    // 🔹 Geliştirme Sunucusu
+    /* =====================================================
+       DEV SERVER (LOCAL)
+    ===================================================== */
     devServer: {
       server: { type: 'http' },
       port: 9000,
-      open: true
+      open: true,
+
+      // DEV proxy (CORS'suz)
+      proxy: [
+        {
+          context: ['/api'],
+          target: 'http://localhost:8080',
+          changeOrigin: true,
+          secure: false
+        }
+      ]
     },
 
-    // 🔹 Quasar Framework ayarları
+    /* =====================================================
+       QUASAR FRAMEWORK
+    ===================================================== */
     framework: {
       config: {
-        notify: { position: 'top', timeout: 2500 }
+        notify: {
+          position: 'top',
+          timeout: 2500
+        }
       },
+
       lang: 'tr',
-      plugins: ['Loading', 'Dialog', 'Notify']
+
+      plugins: [
+        'Loading',
+        'Dialog',
+        'Notify'
+      ]
     },
 
     animations: [],
 
+    /* =====================================================
+       SSR / PWA (DISABLED)
+    ===================================================== */
     ssr: {
       prodPort: 3000,
       middlewares: ['render'],
@@ -60,6 +103,9 @@ export default defineConfig(() => {
       workboxMode: 'GenerateSW'
     },
 
+    /* =====================================================
+       MOBILE / DESKTOP
+    ===================================================== */
     capacitor: {
       hideSplashscreen: true
     },
@@ -68,7 +114,10 @@ export default defineConfig(() => {
       preloadScripts: ['electron-preload'],
       inspectPort: 5858,
       bundler: 'packager',
-      builder: { appId: 'baggisowtfaresystem' }
+
+      builder: {
+        appId: 'baggisowtfaresystem'
+      }
     },
 
     bex: {
@@ -76,3 +125,4 @@ export default defineConfig(() => {
     }
   }
 })
+

ui/quasar.config.js.temporary.compiled.1771572283583.mjs

@@ -0,0 +1,125 @@
+/* eslint-disable */
+/**
+ * THIS FILE IS GENERATED AUTOMATICALLY.
+ * 1. DO NOT edit this file directly as it won't do anything.
+ * 2. EDIT the original quasar.config file INSTEAD.
+ * 3. DO NOT git commit this file. It should be ignored.
+ *
+ * This file is still here because there was an error in
+ * the original quasar.config file and this allows you to
+ * investigate the Node.js stack error.
+ *
+ * After you fix the original file, this file will be
+ * deleted automatically.
+ **/
+
+
+// quasar.config.js
+import { defineConfig } from "@quasar/app-webpack/wrappers";
+var quasar_config_default = defineConfig(() => {
+  const apiBaseUrl = (process.env.VITE_API_BASE_URL || "/api").trim();
+  return {
+    /* =====================================================
+       APP INFO
+    ===================================================== */
+    productName: "Baggi BSS",
+    productDescription: "Baggi Tekstil Business Support System",
+    /* =====================================================
+       BOOT FILES
+    ===================================================== */
+    boot: ["dayjs"],
+    /* =====================================================
+       GLOBAL CSS
+    ===================================================== */
+    css: ["app.css"],
+    /* =====================================================
+       ICONS / FONTS
+    ===================================================== */
+    extras: [
+      "roboto-font",
+      "material-icons"
+    ],
+    /* =====================================================
+       BUILD (PRODUCTION)
+    ===================================================== */
+    build: {
+      vueRouterMode: "hash",
+      env: {
+        VITE_API_BASE_URL: apiBaseUrl
+      },
+      esbuildTarget: {
+        browser: ["es2022", "firefox115", "chrome115", "safari14"],
+        node: "node20"
+      },
+      // Cache & performance
+      gzip: true,
+      preloadChunks: true
+    },
+    /* =====================================================
+       DEV SERVER (LOCAL)
+    ===================================================== */
+    devServer: {
+      server: { type: "http" },
+      port: 9e3,
+      open: true,
+      // DEV proxy (CORS'suz)
+      proxy: [
+        {
+          context: ["/api"],
+          target: "http://localhost:8080",
+          changeOrigin: true,
+          secure: false
+        }
+      ]
+    },
+    /* =====================================================
+       QUASAR FRAMEWORK
+    ===================================================== */
+    framework: {
+      config: {
+        notify: {
+          position: "top",
+          timeout: 2500
+        }
+      },
+      lang: "tr",
+      plugins: [
+        "Loading",
+        "Dialog",
+        "Notify"
+      ]
+    },
+    animations: [],
+    /* =====================================================
+       SSR / PWA (DISABLED)
+    ===================================================== */
+    ssr: {
+      prodPort: 3e3,
+      middlewares: ["render"],
+      pwa: false
+    },
+    pwa: {
+      workboxMode: "GenerateSW"
+    },
+    /* =====================================================
+       MOBILE / DESKTOP
+    ===================================================== */
+    capacitor: {
+      hideSplashscreen: true
+    },
+    electron: {
+      preloadScripts: ["electron-preload"],
+      inspectPort: 5858,
+      bundler: "packager",
+      builder: {
+        appId: "baggisowtfaresystem"
+      }
+    },
+    bex: {
+      extraScripts: []
+    }
+  };
+});
+export {
+  quasar_config_default as default
+};

ui/src/boot/axios.js

@@ -1,21 +0,0 @@
-import { boot } from 'quasar/wrappers'
-import axios from 'axios'
-
-export const api = axios.create({
-  baseURL: 'http://localhost:8080/api',
-  timeout: 180000,
-  withCredentials: true // refresh cookie kullanıyorsan kalsın
-})
-
-export default boot(() => {
-  api.interceptors.request.use((config) => {
-    const token = localStorage.getItem('token') // ✅ senin authStore key’in
-
-    if (token) {
-      config.headers = config.headers || {}
-      config.headers.Authorization = `Bearer ${token}`
-    }
-
-    return config
-  })
-})

ui/src/css/app.css

@@ -21,7 +21,7 @@
 }
 
 .q-page {
-  margin-top: 5px;
+  margin-top: 0;
 }
 
 @media (max-width: 768px) {
@@ -288,6 +288,11 @@ body {
   overflow-y: auto;
   overflow-x: visible;
   background: #fff;
+  padding-top: 0 !important;
+}
+/* Quasar header offsetunu sadece order sayfasında sıfırla */
+.q-page-container .order-page {
+  margin-top: calc(-1 * var(--header-h) - 58px);
 }
 
 .body--drawer-left-open .q-page-container {
@@ -344,16 +349,33 @@ body {
 .filter-bar {
   background: #fafafa;
   border-bottom: 1px solid #ddd;
-  padding: 12px 24px;
+  padding: 8px 12px;
   margin-top:0 !important;
 }
+.filter-bar .q-field__label {
+  white-space: nowrap;
+  overflow: hidden;
+  text-overflow: ellipsis;
+  line-height: 1.1;
+  font-size: 12px;
+}
+.filter-bar .q-field__control,
+.filter-bar .q-field__native,
+.filter-bar .q-field__marginal {
+  min-height: 36px;
+}
+.filter-bar-desc {
+  padding: 0 12px 6px;
+  background: #fafafa;
+  border-bottom: 1px solid #ddd;
+}
 
 /* 🔹 Save toolbar */
 .save-toolbar {
   background: var(--baggi-gold-pale);
   border-top: 1px solid #ddd;
   border-bottom: 1px solid #ddd;
-  padding: 10px 16px;
+  padding: 6px 10px;
   display: flex;
   justify-content: space-between;
   align-items: center;
@@ -454,8 +476,9 @@ body {
 .order-grid-header .total-row {
   display: flex;
   align-items: stretch;
-  justify-content: space-between;
+  justify-content: flex-start;
   background: #fff59d;
+  grid-column: 7 / -1;
 }
 .order-grid-header .total-cell {
   width: var(--col-adet);
@@ -469,6 +492,9 @@ body {
   font-weight: 700;
   font-size: 12px;
 }
+.order-grid-header .total-cell:last-child {
+  width: var(--col-termin);
+}
 /* ===========================================================
    6️⃣ SUB-HEADER (ÜRÜN GRUBU BAR) — TAM HİZALANMIŞ
    =========================================================== */
@@ -614,6 +640,108 @@ body {
    padding-top: var(--sub-header-h); 
   z-index: 100;
 }
+.order-scroll-y.compact-grid-header {
+  --grid-header-h: var(--beden-h);
+}
+.order-scroll-y.compact-grid-header .order-grid-header .col-fixed {
+  writing-mode: horizontal-tb;
+  transform: none;
+  height: var(--grid-header-h);
+  font-size: 10px;
+  line-height: 1;
+  white-space: nowrap;
+  overflow: hidden;
+  text-overflow: ellipsis;
+  padding: 0 4px;
+}
+.order-scroll-y.compact-grid-header .order-grid-header .total-cell {
+  writing-mode: horizontal-tb;
+  transform: none;
+  height: var(--grid-header-h);
+  font-size: 10px;
+  line-height: 1;
+  white-space: nowrap;
+  overflow: hidden;
+  text-overflow: ellipsis;
+  padding: 0 4px;
+}
+.order-grid-header.compact {
+  height: var(--beden-h);
+}
+.order-grid-header.compact .beden-block {
+  height: var(--beden-h);
+}
+.order-grid-header.compact .col-fixed,
+.order-grid-header.compact .total-cell {
+  writing-mode: horizontal-tb;
+  transform: none;
+  height: var(--beden-h);
+  font-size: 10px;
+  line-height: 1;
+  white-space: nowrap;
+  overflow: hidden;
+  text-overflow: ellipsis;
+  padding: 0 4px;
+}
+.order-grid-header.compact .total-cell {
+  width: var(--col-adet);
+}
+.order-grid-header.compact .total-cell:nth-child(2) {
+  width: var(--col-fiyat);
+}
+.order-grid-header.compact .total-cell:nth-child(3) {
+  width: var(--col-pb);
+}
+.order-grid-header.compact .total-cell:nth-child(4) {
+  width: var(--col-tutar);
+}
+.order-grid-header.compact .total-cell:nth-child(5) {
+  width: var(--col-termin);
+}
+.order-grid-header.compact .grp-row {
+  height: var(--beden-h);
+}
+.order-grid-header.compact .grp-row:not(:first-child) {
+  display: none;
+}
+.order-grid-header.compact .grp-title {
+  display: none;
+}
+.order-grid-header.compact .grp-row:first-child .grp-title {
+  display: block;
+  font-size: 10px;
+  line-height: 1;
+  white-space: nowrap;
+  padding-right: 4px;
+}
+.order-grid-header.compact .grp-body {
+  height: var(--beden-h);
+  align-items: center;
+}
+.order-grid-header.compact .grp-cell.hdr {
+  height: var(--beden-h);
+  font-size: 10px;
+}
+.order-scroll-y.compact-grid-header .order-grid-header .grp-title {
+  display: none;
+}
+.order-scroll-y.compact-grid-header .order-grid-header .grp-row {
+  align-items: center;
+  height: var(--beden-h);
+}
+.order-scroll-y.compact-grid-header .order-grid-header .grp-body {
+  grid-template-rows: var(--beden-h);
+  align-items: center;
+}
+.order-scroll-y.compact-grid-header .order-grid-header .grp-cell.hdr {
+  height: var(--beden-h);
+}
+.order-scroll-y.compact-grid-header .order-grid-header .total-row {
+  align-items: center;
+}
+.order-scroll-y.compact-grid-header .order-grid-body {
+  padding-top: var(--sub-header-h);
+}
 
 .summary-row {
   display: grid;
@@ -1086,7 +1214,7 @@ body {
   z-index: 600;
   background: #fff;
   border-bottom: 1px solid #ddd;
-  padding: 10px 16px;
+  padding: 6px 10px;
   box-shadow: 0 1px 2px rgba(0,0,0,0.06);
   min-height: var(--ol-filter-h);
   display: flex;
@@ -1309,7 +1437,7 @@ body {
   z-index: 620;
   background: #fff;
   border-bottom: 1px solid #ddd;
-  padding: 10px 16px;
+  padding: 6px 10px;
   box-shadow: 0 1px 2px rgba(0,0,0,0.06);
 }
 
@@ -1530,3 +1658,21 @@ body {
     gap: 2px;
 }
 
+/* ===========================================================
+   ORDER ENTRY POPUP EDITOR
+   =========================================================== */
+.order-editor-card {
+  width: 98vw;
+  max-width: 1900px;
+}
+.order-editor-card .editor {
+  max-height: 76vh;
+  overflow: auto;
+}
+.order-editor-dialog .q-dialog__inner--minimized {
+  max-width: 98vw;
+}
+.order-editor-dialog .q-dialog__inner > div {
+  width: 98vw;
+  max-width: 1900px;
+}

ui/src/layouts/MainLayout.vue

@@ -209,6 +209,11 @@ const menuItems = [
         to: '/app/order-gateway',
         permission: 'order:view'
       },
+      {
+        label: 'Üretime Verilen Siparişleri Güncelle',
+        to: '/app/orderproductionupdate',
+        permission: 'order:update'
+      },
       {
         label: 'Tamamlanan Siparişleri Toplu Kapatma',
         to: '/app/order-bulk-close',
@@ -226,25 +231,25 @@ const menuItems = [
       {
         label: 'Rol + Departman Yetkileri',
         to: '/app/role-dept-permissions',
-        permission: 'user:update'
+        permission: 'system:update'
       },
 
       {
         label: 'Kullanıcı Yetkileri',
         to: '/app/user-permissions',
-        permission: 'user:update'
+        permission: 'system:update'
       },
 
       {
         label: 'Loglar',
         to: '/app/activity-logs',
-        permission: 'user:view'
+        permission: 'system:read'
       },
 
       {
         label: 'Test Mail',
         to: '/app/test-mail',
-        permission: 'user:insert'
+        permission: 'system:update'
       }
 
     ]
@@ -258,7 +263,7 @@ const menuItems = [
       {
         label: 'Kullanıcılar',
         to: '/app/users',
-        permission: 'user:view'
+        permission: 'system:read'
       }
     ]
   }

ui/src/pages/ChangePassword.vue

@@ -11,6 +11,7 @@ Mevcut şifrenizi girerek yeni şifre belirleyin
 
 <q-separator />
 
+<q-form @submit.prevent="submit">
 <q-card-section>
 <q-input
 v-model="current"
@@ -46,13 +47,14 @@ class="bg-red-1 text-red q-mt-md"
 <q-card-actions align="right">
 <q-btn
 v-if="canUpdateSystem"
+type="submit"
 label="GÜNCELLE"
 color="primary"
 :loading="loading"
 :disable="!canSubmit"
-@click="submit"
 />
 </q-card-actions>
+</q-form>
 </q-card>
 
 </q-page>

ui/src/pages/FirstPasswordChange.vue

@@ -8,48 +8,50 @@
         </div>
       </q-card-section>
 
-      <q-card-section class="q-gutter-md">
+      <q-form @submit.prevent="submit">
-        <q-input
+        <q-card-section class="q-gutter-md">
-          v-model="currentPassword"
+          <q-input
-          type="password"
+            v-model="currentPassword"
-          label="Mevcut Şifre"
+            type="password"
-          outlined
+            label="Mevcut Şifre"
-          dense
+            outlined
-        />
+            dense
+          />
 
-        <q-input
+          <q-input
-          v-model="newPassword"
+            v-model="newPassword"
-          type="password"
+            type="password"
-          label="Yeni Şifre"
+            label="Yeni Şifre"
-          outlined
+            outlined
-          dense
+            dense
-        />
+          />
 
-        <q-input
+          <q-input
-          v-model="newPassword2"
+            v-model="newPassword2"
-          type="password"
+            type="password"
-          label="Yeni Şifre (Tekrar)"
+            label="Yeni Şifre (Tekrar)"
-          outlined
+            outlined
-          dense
+            dense
-        />
+          />
 
-        <q-banner
+          <q-banner
-          v-if="error"
+            v-if="error"
-          class="bg-red-1 text-red q-mt-sm"
+            class="bg-red-1 text-red q-mt-sm"
-          rounded
+            rounded
-        >
+          >
-          {{ error }}
+            {{ error }}
-        </q-banner>
+          </q-banner>
-      </q-card-section>
+        </q-card-section>
 
-      <q-card-actions align="right">
+        <q-card-actions align="right">
-        <q-btn
+          <q-btn
-          label="Kaydet"
+            type="submit"
-          color="primary"
+            label="Kaydet"
-          :loading="loading"
+            color="primary"
-          @click="submit"
+            :loading="loading"
-        />
+          />
-      </q-card-actions>
+        </q-card-actions>
+      </q-form>
     </q-card>
   </q-page>
 </template>
@@ -57,7 +59,7 @@
 <script setup>
 import { ref } from 'vue'
 import { useRouter } from 'vue-router'
-import api from 'src/services/api'
+import api, { extractApiErrorDetail } from 'src/services/api'
 import { useAuthStore } from 'stores/authStore.js'
 
 const router = useRouter()
@@ -69,6 +71,33 @@ const newPassword2 = ref('')
 const loading = ref(false)
 const error = ref('')
 
+function resolveFirstPasswordError(status, detail) {
+  const text = String(detail || '').trim()
+  const lower = text.toLowerCase()
+
+  if (status === 401) {
+    if (lower.includes('mevcut sifre') || lower.includes('current password')) {
+      return 'Mevcut şifreyi yanlış girdiniz.'
+    }
+
+    if (lower.includes('token') || lower.includes('authorization')) {
+      return 'Oturum doğrulanamadı. Lütfen tekrar giriş yapın.'
+    }
+
+    return text || 'Kimlik doğrulama hatası (401). Lütfen tekrar giriş yapın.'
+  }
+
+  if (status === 403) {
+    if (lower.includes('permission')) {
+      return 'Şifre değiştirme yetkiniz yok (403). Sistem yöneticinize başvurun.'
+    }
+
+    return text || 'Bu işlem için yetkiniz yok (403).'
+  }
+
+  return text || 'Şifre güncellenemedi'
+}
+
 async function submit () {
   error.value = ''
 
@@ -84,29 +113,25 @@ async function submit () {
 
   loading.value = true
   try {
-    // 🔐 TOKEN interceptor ile otomatik
+    await api.post('/password/change', {
-    const res = await api.post('/password/change', {
       current_password: currentPassword.value,
       new_password: newPassword.value
     })
 
-    // 🔄 Session güncelle
+    auth.clearSession()
-    auth.setSession(res.data)
+    router.replace('/login')
-    auth.forcePasswordChange = false
-    localStorage.setItem('forcePasswordChange', '0')
-
-    router.replace('/app')
-
   } catch (e) {
-    error.value =
+    const status = e?.response?.status
-      e?.data?.message ||
+    const detail = await extractApiErrorDetail(e)
-      e?.message ||
+
-      'Şifre güncellenemedi'
+    console.error('FIRST_PASSWORD_CHANGE failed', {
+      status,
+      detail
+    })
+
+    error.value = resolveFirstPasswordError(status, detail)
   } finally {
     loading.value = false
   }
 }
 </script>
-
-
-

ui/src/pages/MainPage.vue

@@ -10,66 +10,68 @@
         <div class="login-title q-mt-sm">Kullanıcı Girişi</div>
       </q-card-section>
 
-      <!-- FORM -->
+      <q-form @submit.prevent="login">
-      <q-card-section>
+        <!-- FORM -->
-        <q-input
+        <q-card-section>
-          v-model="username"
+          <q-input
-          label="Kullanıcı Adı"
+            v-model="username"
-          dense
+            label="Kullanıcı Adı"
-          standout="bg-white"
+            dense
-          class="q-mb-md custom-input"
+            standout="bg-white"
-          autocomplete="username"
+            class="q-mb-md custom-input"
-        />
+            autocomplete="username"
+          />
 
-        <q-input
+          <q-input
-          v-model="password"
+            v-model="password"
-          type="password"
+            type="password"
-          label="Şifre"
+            label="Şifre"
-          dense
+            dense
-          standout="bg-white"
+            standout="bg-white"
-          class="custom-input"
+            class="custom-input"
-          autocomplete="current-password"
+            autocomplete="current-password"
-        />
+          />
 
-        <div class="q-mt-md row items-center justify-between">
+          <div class="q-mt-md row items-center justify-between">
-          <div>
+            <div>
-            <q-checkbox
+              <q-checkbox
-              v-model="rememberUser"
+                v-model="rememberUser"
-              label="Kullanıcıyı hatırla"
+                label="Kullanıcıyı hatırla"
-              color="secondary"
+                color="secondary"
-              dense
+                dense
-            />
+              />
-            <q-checkbox
+              <q-checkbox
-              v-model="rememberPass"
+                v-model="rememberPass"
-              label="Parolayı kaydet"
+                label="Parolayı kaydet"
-              color="secondary"
+                color="secondary"
+                dense
+              />
+            </div>
+
+            <q-btn
+              flat
               dense
+              color="primary"
+              label="Şifremi Unuttum"
+              @click="forgotOpen = true"
             />
           </div>
+        </q-card-section>
 
+        <!-- ACTION -->
+        <q-card-actions align="center">
           <q-btn
-            flat
+            type="submit"
-            dense
+            label="Giriş Yap"
             color="primary"
-            label="Şifremi Unuttum"
+            glossy
-            @click="forgotOpen = true"
+            unelevated
+            icon="login"
+            class="full-width"
+            :loading="loading"
           />
-        </div>
+        </q-card-actions>
-      </q-card-section>
+      </q-form>
-
-      <!-- ACTION -->
-      <q-card-actions align="center">
-        <q-btn
-          label="Giriş Yap"
-          color="primary"
-          glossy
-          unelevated
-          icon="login"
-          class="full-width"
-          :loading="loading"
-          @click="login"
-        />
-      </q-card-actions>
     </q-card>
 
     <!-- 🔐 FORGOT PASSWORD -->

ui/src/pages/MePassword.vue

@@ -11,46 +11,48 @@
 
       <q-separator />
 
-      <q-card-section class="q-gutter-sm">
+      <q-form @submit.prevent="submit">
-        <q-input
+        <q-card-section class="q-gutter-sm">
-          v-model="current"
+          <q-input
-          type="password"
+            v-model="current"
-          label="Mevcut Şifre"
+            type="password"
-          dense filled
+            label="Mevcut Şifre"
-        />
+            dense filled
+          />
 
-        <q-input
+          <q-input
-          v-model="password"
+            v-model="password"
-          type="password"
+            type="password"
-          label="Yeni Şifre"
+            label="Yeni Şifre"
-          dense filled
+            dense filled
-        />
+          />
 
-        <q-input
+          <q-input
-          v-model="password2"
+            v-model="password2"
-          type="password"
+            type="password"
-          label="Yeni Şifre (Tekrar)"
+            label="Yeni Şifre (Tekrar)"
-          dense filled
+            dense filled
-        />
+          />
 
-        <q-banner
+          <q-banner
-          v-if="error"
+            v-if="error"
-          class="bg-red-1 text-red q-mt-sm"
+            class="bg-red-1 text-red q-mt-sm"
-          rounded
+            rounded
-        >
+          >
-          {{ error }}
+            {{ error }}
-        </q-banner>
+          </q-banner>
-      </q-card-section>
+        </q-card-section>
 
-      <q-card-actions align="right">
+        <q-card-actions align="right">
-        <q-btn
+          <q-btn
-          label="GÜNCELLE"
+            type="submit"
-          color="primary"
+            label="GÜNCELLE"
-          :loading="loading"
+            color="primary"
-          :disable="!canSubmit"
+            :loading="loading"
-          @click="submit"
+            :disable="!canSubmit"
-        />
+          />
-      </q-card-actions>
+        </q-card-actions>
+      </q-form>
 
     </q-card>
   </q-page>

ui/src/pages/OrderEntry.vue

@@ -1,4 +1,4 @@
-<template>
+<template>
   <!-- ===========================================================
        🧾 ORDER ENTRY PAGE (BSSApp)
        v23 — Sticky-stack + Drawer uyumlu yapı
@@ -8,14 +8,15 @@
     class="order-page"
   >
     <!-- 🔄 SAYFA LOADERI -->
-    <q-inner-loading :showing="loadingHeader || loadingCari || loadingModels" color="primary">
+    <q-inner-loading :showing="isPageBlocking" color="primary">
       <q-spinner size="50px" />
     </q-inner-loading>
 
-    <!-- =======================================================
+    <template v-if="!isPageBlocking">
-         🔹 STICKY STACK (Filter + Save + Header)
+      <!-- =======================================================
-    ======================================================== -->
+           🔹 STICKY STACK (Filter + Save + Header)
-    <div class="sticky-stack">
+      ======================================================== -->
+      <div class="sticky-stack">
 
       <!-- 🔸 1. Satır: Filtre Bar -->
       <div class="filter-bar row q-col-gutter-md q-mb-sm">
@@ -168,8 +169,22 @@
           </template>
         </div>
 
-
+      </div>
-
+      <!-- 📝 Sipariş Genel Açıklaması (filter bar altında) -->
+      <div class="filter-bar-desc q-mt-sm">
+        <q-input
+          v-model="form.Description"
+          type="textarea"
+          label="Sipariş Genel Açıklaması"
+          filled
+          dense
+          autogrow
+          maxlength="1500"
+          counter
+          placeholder="Siparişe genel açıklama giriniz (örn. teslimat, üretim notu, müşteri isteği...)"
+          :disable="isClosedRow"
+          :readonly="isViewOnly"
+        />
       </div>
       <!-- 🔹 Cari Bilgi Barı -->
       <q-slide-transition>
@@ -212,6 +227,14 @@
       <div class="save-toolbar">
         <div class="text-subtitle2 text-weight-bold">Sipariş Formu</div>
         <div>
+          <q-btn
+            flat
+            color="grey-7"
+            class="q-ml-sm"
+            :label="compactGridHeader ? 'BAŞLIK GENİŞLET' : 'BAŞLIK DARALT'"
+            :icon="compactGridHeader ? 'unfold_more' : 'unfold_less'"
+            @click="compactGridHeader = !compactGridHeader"
+          />
           <q-btn
             v-if="isViewOnly && canExportOrder"
             label="🖨 SİPARİŞİ YAZDIR"
@@ -222,7 +245,16 @@
           />
 
           <q-btn
-            v-else-if="canSubmitOrder"
+            v-if="canMutateRows"
+            label="SATIR EKLE"
+            color="secondary"
+            icon="add"
+            class="q-ml-sm"
+            @click="openNewRowEditor"
+            :disable="isClosedRow || isViewOnly || !canMutateRows"
+          />
+          <q-btn
+            v-if="canSubmitOrder"
             :label="isEditMode ? 'TÜMÜNÜ GÜNCELLE' : 'TÜMÜNÜ KAYDET'"
             color="primary"
             icon="save"
@@ -231,24 +263,15 @@
             :disable="!canSubmitOrder"
             @click="confirmAndSubmit"
           />
-          <q-btn
-            label="YENİ SİPARİŞ"
-            v-if="canWriteOrder"
-            color="secondary"
-            icon="add_circle"
-            class="q-ml-sm"
-            @click="onResetEditorClick"
-            :disable="isClosedRow || !canWriteOrder"
-          />
         </div>
       </div>
 
       <!-- 🔹 Grid Header -->
-      <div class="order-grid-header">
+      <div class="order-grid-header" :class="{ compact: compactGridHeader }">
         <div class="col-fixed model">MODEL</div>
         <div class="col-fixed renk">RENK</div>
-        <div class="col-fixed ana">ÜRÜN ANA<br />GRUBU</div>
+        <div class="col-fixed ana">ÜRÜN ANA GRUBU</div>
-        <div class="col-fixed alt">ÜRÜN ALT<br />GRUBU</div>
+        <div class="col-fixed alt">ÜRÜN ALT GRUBU</div>
         <div class="col-fixed aciklama-col">AÇIKLAMA</div>
 
         <div class="beden-block">
@@ -289,7 +312,7 @@
     <!-- =======================================================
          🔹 GRID BODY (Final Stabil) + EDITOR aynı scroll’da
     ======================================================== -->
-    <div class="order-scroll-y"> <!-- ✅ YENİ: Grid + Editor ortak dikey scroll -->
+    <div class="order-scroll-y" :class="{ 'compact-grid-header': compactGridHeader }"> <!-- ✅ YENİ: Grid + Editor ortak dikey scroll -->
       <div class="order-grid-body">
         <template v-for="grp in groupedRows" :key="grp.name">
           <div :class="['summary-group', grp.open ? 'open' : 'closed']">
@@ -424,7 +447,24 @@
       <!-- =======================================================
            🔹 SATIR DÜZENLEYİCİ FORM (EDITOR)
       ======================================================== -->
-      <div class="editor q-mt-lg q-pa-sm">
+      <q-dialog
+        v-model="showEditor"
+        class="order-editor-dialog"
+        :maximized="$q.screen.lt.md"
+        full-width
+        transition-show="jump-down"
+        transition-hide="jump-up"
+        persistent
+      >
+        <q-card class="order-editor-card">
+          <q-card-section class="row items-center justify-between">
+            <div class="text-subtitle1 text-weight-bold">
+              {{ isEditing ? 'Satır Düzenle' : 'Yeni Satır' }}
+            </div>
+            <q-btn flat round icon="close" @click="showEditor = false" />
+          </q-card-section>
+          <q-separator />
+          <q-card-section class="editor q-pa-sm">
 
         <!-- 🔸 1. Satır: Model ve Ürün Bilgileri -->
         <div class="row q-col-gutter-sm q-mb-sm">
@@ -717,28 +757,11 @@
           butonuna basarak işlemleri kaydedebilirsiniz.
         </div>
 
-        <!-- =======================================================
+          </q-card-section>
-             🔹 SİPARİŞ GENEL AÇIKLAMASI
+        </q-card>
-        ======================================================== -->
+      </q-dialog>
-        <div class="row q-mt-md">
+      </div> <!-- ✅ order-scroll-y -->
-          <div class="col-12">
+    </template>
-            <q-input
-              v-model="form.Description"
-              type="textarea"
-              label="Sipariş Genel Açıklaması"
-              filled
-              dense
-              autogrow
-              maxlength="1500"
-              counter
-              placeholder="Siparişe genel açıklama giriniz (örn. teslimat, üretim notu, müşteri isteği...)"
-              :disable="isClosedRow"
-            />
-          </div>
-        </div>
-
-      </div> <!-- editor -->
-    </div> <!-- ✅ order-scroll-y -->
 
   </q-page>
   <q-page
@@ -777,6 +800,8 @@ const canExportOrder = canExport('order')
 const formatDate = formatDateDisplay
 
 
+const showEditor = ref(false)
+const compactGridHeader = ref(false)
 
 
 
@@ -1094,6 +1119,16 @@ const seriMultiplier = ref(1)
 const loadingHeader = ref(true)
 const loadingCari = ref(true)
 const loadingModels = ref(true)
+const isPageBlocking = computed(() => {
+  if (!isEditMode.value) return false
+  const headerReady = !!orderStore.header
+  return (
+    loadingHeader.value ||
+    loadingCari.value ||
+    loadingModels.value ||
+    !headerReady
+  )
+})
 /* ===========================================================
    🔹 CARİ INFO STATE
 =========================================================== */
@@ -2346,11 +2381,22 @@ const editRow = async (row) => {
       notify: true,
       loadSizes: true
     })
+    showEditor.value = true
   } catch (err) {
     console.error('❌ editRow hata:', err)
   }
 }
 
+const openNewRowEditor = async () => {
+  if (!hasRowMutationPermission()) {
+    notifyNoPermission('Siparis satiri ekleme/guncelleme yetkiniz yok')
+    return
+  }
+
+  await resetEditor(true)
+  showEditor.value = true
+}
+
 
 
 
@@ -2765,6 +2811,7 @@ const onSaveOrUpdateRow = async () => {
     stockMap,
     $q
   })
+  showEditor.value = false
 }
 
 

ui/src/pages/OrderList.vue

@@ -126,6 +126,13 @@
           </q-icon>
         </q-td>
       </template>
+      <template #body-cell-HasUretimUrunu="props">
+        <q-td :props="props" class="text-left">
+          <span v-if="props.row.HasUretimUrunu" class="text-weight-bold text-negative">
+            ÜRETİME VERİLECEK ÜRÜNÜ VAR
+          </span>
+        </q-td>
+      </template>
 
       <template #body-cell-OrderDate="props">
         <q-td :props="props" class="text-center">
@@ -233,6 +240,7 @@ import { useQuasar } from 'quasar'
 import { useOrderListStore } from 'src/stores/OrdernewListStore'
 import { useAuthStore } from 'src/stores/authStore'
 import { usePermission } from 'src/composables/usePermission'
+import api, { extractApiErrorDetail } from 'src/services/api'
 
 const { canRead } = usePermission()
 const canReadOrder = canRead('order')
@@ -270,22 +278,24 @@ function exportExcel () {
     OrderDate: store.filters.OrderDate || ''
   })
 
-  const url = `http://localhost:8080/api/orders/export?${params.toString()}`
+  api.get(`/orders/export?${params.toString()}`, {
-
+    responseType: 'blob'
-  fetch(url, {
-    headers: {
-      Authorization: `Bearer ${auth.token}`
-    }
   })
-    .then(res => res.blob())
+    .then(res => res.data)
     .then(blob => {
       const link = document.createElement('a')
       link.href = URL.createObjectURL(blob)
       link.download = 'siparis_listesi.xlsx'
       link.click()
     })
+    .catch(() => {
+      $q.notify({
+        type: 'negative',
+        message: 'Excel dosyasi indirilemedi',
+        position: 'top-right'
+      })
+    })
 }
-
 function formatDate (s) {
   if (!s) return ''
   const [y, m, d] = String(s).split('-')
@@ -363,6 +373,7 @@ const columns = [
     format: val => Number(val || 0).toLocaleString('tr-TR', { minimumFractionDigits: 2 }) + ' %'
   },
   { name: 'IsCreditableConfirmed', label: 'Durum', field: 'IsCreditableConfirmed', align: 'center', sortable: true },
+  { name: 'HasUretimUrunu', label: 'Üretim', field: 'HasUretimUrunu', align: 'left', sortable: true, style: 'min-width:190px;white-space:nowrap', headerStyle: 'min-width:190px;white-space:nowrap' },
   { name: 'Description', label: 'Açıklama', field: 'Description', align: 'left', sortable: false, classes: 'ol-col-desc', headerClasses: 'ol-col-desc', style: 'width:160px;max-width:160px', headerStyle: 'width:160px;max-width:160px' },
   { name: 'pdf', label: 'PDF', field: 'pdf', align: 'center', sortable: false }
 ]
@@ -383,23 +394,19 @@ function selectOrder (row) {
 async function printPDF (row) {
   if (!row?.OrderHeaderID) return
 
-  const token = useAuthStore().token
-  const url = `http://localhost:8080/api/order/pdf/${row.OrderHeaderID}`
-
   try {
-    const res = await fetch(url, {
+    const res = await api.get(`/order/pdf/${row.OrderHeaderID}`, {
-      headers: { Authorization: `Bearer ${token}` }
+      responseType: 'blob'
     })
 
-    if (!res.ok) throw new Error()
+    window.open(URL.createObjectURL(res.data), '_blank')
-
+  } catch (err) {
-    const blob = await res.blob()
+    const detail = await extractApiErrorDetail(err)
-    window.open(URL.createObjectURL(blob), '_blank')
+    const status = err?.status || err?.response?.status || '-'
-  } catch {
+    console.error(`PDF load error [${status}] /order/pdf/${row.OrderHeaderID}: ${detail}`)
-    $q.notify({ type: 'negative', message: 'PDF yüklenemedi' })
+    $q.notify({ type: 'negative', message: `PDF yuklenemedi (${status}): ${detail}` })
   }
 }
-
 function clearFilters () {
   store.filters.search = ''
   store.filters.CurrAccCode = ''
@@ -562,3 +569,4 @@ onMounted(() => {
   }
 }
 </style>
+

ui/src/pages/OrderProductionUpdate.vue

@@ -0,0 +1,372 @@
+<template>
+  <q-page class="q-pa-md">
+  <div class="row items-center justify-between">
+    <div>
+      <div class="text-h6 text-weight-bold">Uretime Verilen Urunleri Guncelle</div>
+      <div class="text-caption text-grey-7 q-mt-xs">
+        OrderHeaderID: {{ orderHeaderID || '-' }}
+      </div>
+    </div>
+    <q-btn
+      color="primary"
+      icon="refresh"
+      label="Yenile"
+      :loading="store.loading"
+      @click="refreshAll"
+    />
+  </div>
+
+    <div class="filter-bar row q-col-gutter-md q-mt-md">
+      <div class="col-5">
+        <q-input
+          :model-value="cariLabel"
+          label="Cari Secimi"
+          filled
+          dense
+          readonly
+        />
+      </div>
+      <div class="col-2">
+        <q-input
+          :model-value="header?.OrderNumber || ''"
+          label="Siparis No"
+          filled
+          dense
+          readonly
+        />
+      </div>
+      <div class="col-2">
+        <q-input
+          :model-value="formatDate(header?.OrderDate)"
+          label="Olusturulma Tarihi"
+          filled
+          dense
+          readonly
+        />
+      </div>
+      <div class="col-2">
+        <q-input
+          :model-value="formatDate(header?.AverageDueDate)"
+          label="Tahmini Termin Tarihi"
+          filled
+          dense
+          readonly
+        />
+      </div>
+    </div>
+
+  <q-table
+      class="q-mt-md"
+      flat
+      bordered
+      dense
+      separator="cell"
+      row-key="OrderLineID"
+      :rows="rows"
+      :columns="columns"
+      :loading="store.loading"
+      no-data-label="Uretime verilecek urun bulunamadi"
+      :rows-per-page-options="[0]"
+      hide-bottom
+    >
+      <template #body-cell-actions="props">
+        <q-td :props="props" class="text-center">
+          <q-btn
+            color="primary"
+            icon="save"
+            flat
+            round
+            dense
+            :loading="rowSavingId === props.row.OrderLineID"
+            @click="onRowSubmit(props.row)"
+          >
+            <q-tooltip>Satiri Guncelle</q-tooltip>
+          </q-btn>
+        </q-td>
+      </template>
+
+      <template #body-cell-NewItemCode="props">
+        <q-td :props="props">
+          <q-input
+            v-model="props.row.NewItemCode"
+            dense
+            filled
+            label="Yeni Urun"
+            @update:model-value="val => onNewItemChange(props.row, val)"
+          >
+            <template #append>
+              <q-icon name="arrow_drop_down" class="cursor-pointer" />
+            </template>
+            <q-menu
+              anchor="bottom left"
+              self="top left"
+              fit
+            >
+              <div class="q-pa-sm" style="min-width:260px">
+                <q-input
+                  v-model="productSearch"
+                  dense
+                  filled
+                  debounce="200"
+                  placeholder="Urun ara..."
+                />
+                <q-list class="q-mt-xs" bordered separator>
+                  <q-item
+                    v-for="opt in filteredProducts"
+                    :key="opt.ProductCode"
+                    clickable
+                    @click="onSelectProduct(props.row, opt.ProductCode)"
+                  >
+                    <q-item-section>{{ opt.ProductCode }}</q-item-section>
+                  </q-item>
+                </q-list>
+              </div>
+            </q-menu>
+          </q-input>
+        </q-td>
+      </template>
+
+      <template #body-cell-NewColor="props">
+        <q-td :props="props">
+          <q-select
+            v-model="props.row.NewColor"
+            :options="getColorOptions(props.row)"
+            option-label="colorLabel"
+            option-value="color_code"
+            emit-value
+            map-options
+            use-input
+            dense
+            filled
+            label="Yeni Renk"
+            @update:model-value="() => onNewColorChange(props.row)"
+          />
+        </q-td>
+      </template>
+
+      <template #body-cell-NewDim2="props">
+        <q-td :props="props">
+          <q-select
+            v-model="props.row.NewDim2"
+            :options="getSecondColorOptions(props.row)"
+            option-label="item_dim2_code"
+            option-value="item_dim2_code"
+            emit-value
+            map-options
+            use-input
+            dense
+            filled
+            label="Yeni 2. Renk"
+          />
+        </q-td>
+      </template>
+
+      <template #body-cell-NewDesc="props">
+        <q-td :props="props">
+          <q-input
+            v-model="props.row.NewDesc"
+            dense
+            filled
+            label="Yeni Aciklama"
+          />
+        </q-td>
+      </template>
+    </q-table>
+
+    <q-banner v-if="store.error" class="bg-red text-white q-mt-sm">
+      Hata: {{ store.error }}
+    </q-banner>
+  </q-page>
+</template>
+
+<script setup>
+import { computed, onMounted, ref, watch } from 'vue'
+import { useRoute } from 'vue-router'
+import { useQuasar } from 'quasar'
+import { useOrderProductionItemStore } from 'src/stores/OrderProductionItemStore'
+
+const route = useRoute()
+const $q = useQuasar()
+const store = useOrderProductionItemStore()
+
+const orderHeaderID = computed(() => String(route.params.orderHeaderID || '').trim())
+const header = computed(() => store.header || {})
+const cariLabel = computed(() => {
+  const code = header.value?.CurrAccCode || ''
+  const name = header.value?.CurrAccDescription || ''
+  if (!code && !name) return ''
+  if (!name) return code
+  return `${code} - ${name}`
+})
+
+const rows = ref([])
+const productOptions = ref([])
+const productSearch = ref('')
+const rowSavingId = ref('')
+
+const columns = [
+  { name: 'OldItemCode', label: 'Eski Urun Kodu', field: 'OldItemCode', align: 'left', sortable: true, style: 'min-width:140px;white-space:nowrap', headerStyle: 'min-width:140px;white-space:nowrap' },
+  { name: 'OldColor', label: 'Eski Urun Rengi', field: 'OldColor', align: 'left', sortable: true, style: 'min-width:120px;white-space:nowrap', headerStyle: 'min-width:120px;white-space:nowrap' },
+  { name: 'OldDim2', label: 'Eski 2. Renk', field: 'OldDim2', align: 'left', sortable: true, style: 'min-width:110px;white-space:nowrap', headerStyle: 'min-width:110px;white-space:nowrap' },
+  { name: 'OldDesc', label: 'Eski Aciklama', field: 'OldDesc', align: 'left', sortable: false, style: 'min-width:180px;white-space:nowrap', headerStyle: 'min-width:180px;white-space:nowrap' },
+  { name: 'NewItemCode', label: 'Yeni Urun Kodu', field: 'NewItemCode', align: 'left', sortable: false, style: 'min-width:190px;', headerStyle: 'min-width:190px;' },
+  { name: 'NewColor', label: 'Yeni Urun Rengi', field: 'NewColor', align: 'left', sortable: false, style: 'min-width:160px;', headerStyle: 'min-width:160px;' },
+  { name: 'NewDim2', label: 'Yeni 2. Renk', field: 'NewDim2', align: 'left', sortable: false, style: 'min-width:160px;', headerStyle: 'min-width:160px;' },
+  { name: 'NewDesc', label: 'Yeni Aciklama', field: 'NewDesc', align: 'left', sortable: false, style: 'min-width:220px;', headerStyle: 'min-width:220px;' },
+  { name: 'actions', label: '', field: 'actions', align: 'center', sortable: false, style: 'width:60px;', headerStyle: 'width:60px;' }
+]
+
+onMounted(async () => {
+  await refreshAll()
+})
+
+watch(orderHeaderID, async (id) => {
+  await refreshAll()
+})
+
+watch(
+  () => store.items,
+  (items) => {
+    rows.value = (items || []).map(item => ({
+      ...item,
+      NewItemCode: '',
+      NewColor: '',
+      NewDim2: '',
+      NewDesc: ''
+    }))
+  },
+  { immediate: true }
+)
+
+watch(
+  () => store.products,
+  (products) => {
+    productOptions.value = products || []
+  },
+  { immediate: true }
+)
+
+function formatDate (val) {
+  if (!val) return ''
+  const text = String(val)
+  return text.length >= 10 ? text.slice(0, 10) : text
+}
+
+const filteredProducts = computed(() => {
+  const needle = String(productSearch.value || '').toLowerCase()
+  if (!needle) return productOptions.value.slice(0, 50)
+  return productOptions.value.filter(p =>
+    String(p?.ProductCode || '').toLowerCase().includes(needle)
+  ).slice(0, 50)
+})
+
+function onSelectProduct (row, code) {
+  productSearch.value = ''
+  onNewItemChange(row, code)
+}
+
+function onNewItemChange (row, val) {
+  const next = String(val || '').trim()
+  if (next && !isValidModelCode(next)) {
+    $q.notify({ type: 'negative', message: 'Model kodu formati gecersiz. Ornek: S000-DMY00001' })
+    row.NewItemCode = ''
+    row.NewColor = ''
+    row.NewDim2 = ''
+    return
+  }
+  row.NewItemCode = next ? next.toUpperCase() : ''
+  row.NewColor = ''
+  row.NewDim2 = ''
+  if (row.NewItemCode) {
+    store.fetchColors(row.NewItemCode)
+  }
+}
+
+function onNewColorChange (row) {
+  row.NewDim2 = ''
+  if (row.NewItemCode && row.NewColor) {
+    store.fetchSecondColors(row.NewItemCode, row.NewColor)
+  }
+}
+
+function getColorOptions (row) {
+  const code = row?.NewItemCode || ''
+  const list = store.colorOptionsByCode[code] || []
+  return list.map(c => ({
+    ...c,
+    colorLabel: `${c.color_code} - ${c.color_description || ''}`.trim()
+  }))
+}
+
+function getSecondColorOptions (row) {
+  const code = row?.NewItemCode || ''
+  const color = row?.NewColor || ''
+  const key = `${code}::${color}`
+  return store.secondColorOptionsByKey[key] || []
+}
+
+function isValidModelCode (value) {
+  const text = String(value || '').trim().toUpperCase()
+  return /^[A-Z][0-9]{3}-[A-Z]{3}[0-9]{5}$/.test(text)
+}
+
+function buildPayloadLines () {
+  return rows.value.map(r => ({
+    OrderLineID: r.OrderLineID,
+    NewItemCode: String(r.NewItemCode || '').trim(),
+    NewColor: String(r.NewColor || '').trim(),
+    NewDim2: String(r.NewDim2 || '').trim(),
+    NewDesc: String(r.NewDesc || '').trim()
+  }))
+}
+
+async function refreshAll () {
+  await store.fetchHeader(orderHeaderID.value)
+  await store.fetchItems(orderHeaderID.value)
+  await store.fetchProducts()
+}
+
+async function onRowSubmit (row) {
+  const line = {
+    OrderLineID: row.OrderLineID,
+    NewItemCode: String(row.NewItemCode || '').trim(),
+    NewColor: String(row.NewColor || '').trim(),
+    NewDim2: String(row.NewDim2 || '').trim(),
+    NewDesc: String(row.NewDesc || '').trim()
+  }
+
+  if (!line.NewItemCode || !line.NewColor) {
+    $q.notify({ type: 'negative', message: 'Yeni urun ve renk zorunludur.' })
+    return
+  }
+
+  rowSavingId.value = row.OrderLineID
+  try {
+    const validate = await store.validateUpdates(orderHeaderID.value, [line])
+    const missingCount = validate?.missingCount || 0
+    if (missingCount > 0) {
+      const missingList = (validate?.missing || []).map(v => (
+        `${v.ItemCode} / ${v.ColorCode} / ${v.ItemDim1Code} / ${v.ItemDim2Code}`
+      ))
+      $q.dialog({
+        title: 'Eksik Varyantlar',
+        message: `Eksik varyant bulundu: ${missingCount}<br><br>${missingList.join('<br>')}`,
+        html: true,
+        ok: { label: 'Ekle ve Guncelle', color: 'primary' },
+        cancel: { label: 'Vazgec', flat: true }
+      }).onOk(async () => {
+        await store.applyUpdates(orderHeaderID.value, [line], true)
+        await store.fetchItems(orderHeaderID.value)
+      })
+      return
+    }
+
+    await store.applyUpdates(orderHeaderID.value, [line], false)
+    await store.fetchItems(orderHeaderID.value)
+  } catch (err) {
+    $q.notify({ type: 'negative', message: 'Islem basarisiz.' })
+  } finally {
+    rowSavingId.value = ''
+  }
+}
+</script>

ui/src/pages/OrderProductionUpdateList.vue

@@ -0,0 +1,357 @@
+<template>
+  <q-page v-if="canReadOrder" class="ol-page">
+    <div class="ol-filter-bar">
+      <div class="ol-filter-row">
+        <q-input
+          v-model="store.filters.search"
+          class="ol-filter-input ol-search"
+          dense
+          filled
+          debounce="300"
+          clearable
+          label="Arama (Sipariş No / Cari / Açıklama)"
+        >
+          <template #append>
+            <q-icon name="search" />
+          </template>
+        </q-input>
+
+        <q-input
+          v-model="store.filters.CurrAccCode"
+          class="ol-filter-input"
+          dense
+          filled
+          clearable
+          label="Cari Kodu"
+        />
+
+        <q-input
+          v-model="store.filters.OrderDate"
+          class="ol-filter-input"
+          dense
+          filled
+          type="date"
+          label="Sipariş Tarihi"
+        />
+
+        <div class="ol-filter-actions">
+          <q-btn
+            label="Temizle"
+            icon="clear"
+            color="grey-7"
+            flat
+            :disable="store.loading"
+            @click="clearFilters"
+          >
+            <q-tooltip>Tüm filtreleri temizle</q-tooltip>
+          </q-btn>
+
+          <q-btn
+            label="Yenile"
+            color="primary"
+            icon="refresh"
+            :loading="store.loading"
+            @click="store.fetchOrders"
+          />
+
+          <q-btn
+            label="Excel'e Aktar"
+            icon="download"
+            color="primary"
+            outline
+            :disable="store.loading || productionOrders.length === 0"
+            @click="exportExcel"
+          />
+        </div>
+
+        <div class="ol-filter-total">
+          <div class="ol-total-line">
+            <span class="ol-total-label">Toplam USD:</span>
+            <strong class="ol-total-value">
+              {{ totalVisibleUSD.toLocaleString('tr-TR', { minimumFractionDigits: 2, maximumFractionDigits: 2 }) }}
+            </strong>
+          </div>
+        </div>
+      </div>
+    </div>
+
+    <q-table
+      title="Üretime Verilecek Ürünleri Olan Siparişler"
+      class="ol-table"
+      flat
+      bordered
+      dense
+      separator="cell"
+      row-key="OrderHeaderID"
+      :rows="productionOrders"
+      :columns="columns"
+      :loading="store.loading"
+      no-data-label="Üretime verilecek sipariş bulunamadı"
+      :rows-per-page-options="[0]"
+      hide-bottom
+    >
+      <template #body-cell-open="props">
+        <q-td :props="props" class="text-center">
+          <q-btn
+            icon="open_in_new"
+            color="primary"
+            flat
+            round
+            dense
+            @click="selectOrder(props.row)"
+          >
+            <q-tooltip>Siparişi Aç</q-tooltip>
+          </q-btn>
+        </q-td>
+      </template>
+
+      <template #body-cell-IsCreditableConfirmed="props">
+        <q-td :props="props" class="text-center q-gutter-sm">
+          <q-btn
+            icon="picture_as_pdf"
+            color="red"
+            flat
+            round
+            dense
+            @click="printPDF(props.row)"
+          >
+            <q-tooltip>Siparişi PDF olarak aç</q-tooltip>
+          </q-btn>
+
+          <q-icon
+            :name="props.row.IsCreditableConfirmed ? 'check_circle' : 'cancel'"
+            :color="props.row.IsCreditableConfirmed ? 'green' : 'red'"
+            size="20px"
+          >
+            <q-tooltip>
+              {{ props.row.IsCreditableConfirmed ? 'Onaylı' : 'Onaysız' }}
+            </q-tooltip>
+          </q-icon>
+        </q-td>
+      </template>
+
+      <template #body-cell-OrderDate="props">
+        <q-td :props="props" class="text-center">
+          {{ formatDate(props.row.OrderDate) }}
+        </q-td>
+      </template>
+
+      <template #body-cell-CreditableConfirmedDate="props">
+        <q-td :props="props" class="text-center">
+          {{ formatDate(props.row.CreditableConfirmedDate) }}
+        </q-td>
+      </template>
+
+
+      <template #body-cell-CurrAccDescription="props">
+        <q-td :props="props" class="ol-col-cari">
+          <div class="ol-col-multiline">{{ props.value }}</div>
+          <q-tooltip v-if="props.value">
+            {{ props.value }}
+          </q-tooltip>
+        </q-td>
+      </template>
+
+      <template #body-cell-MusteriTemsilcisi="props">
+        <q-td :props="props" class="ol-col-short">
+          <div class="ol-col-multiline">{{ props.value }}</div>
+          <q-tooltip v-if="props.value">
+            {{ props.value }}
+          </q-tooltip>
+        </q-td>
+      </template>
+
+      <template #body-cell-Piyasa="props">
+        <q-td :props="props" class="ol-col-short">
+          <div class="ol-col-multiline">{{ props.value }}</div>
+          <q-tooltip v-if="props.value">
+            {{ props.value }}
+          </q-tooltip>
+        </q-td>
+      </template>
+
+      <template #body-cell-Description="props">
+        <q-td :props="props" class="ol-col-desc">
+          <div class="ol-col-multiline">{{ props.value }}</div>
+          <q-tooltip v-if="props.value">
+            {{ props.value }}
+          </q-tooltip>
+        </q-td>
+      </template>
+
+      <template #body-cell-HasUretimUrunu="props">
+        <q-td :props="props" class="text-center">
+          <q-icon
+            :name="props.row.HasUretimUrunu ? 'check_circle' : 'cancel'"
+            :color="props.row.HasUretimUrunu ? 'green' : 'grey-5'"
+            size="18px"
+          />
+        </q-td>
+      </template>
+    </q-table>
+
+    <q-banner v-if="store.error" class="bg-red text-white q-mt-sm">
+      Hata: {{ store.error }}
+    </q-banner>
+  </q-page>
+
+  <q-page v-else class="q-pa-md flex flex-center">
+    <div class="text-negative text-subtitle1">
+      Bu modüle erişim yetkiniz yok.
+    </div>
+  </q-page>
+</template>
+
+<script setup>
+import { computed, onMounted, watch } from 'vue'
+import { useRouter } from 'vue-router'
+import { useQuasar } from 'quasar'
+import { useOrderProductionUpdateStore } from 'src/stores/OrderProductionUpdateStore'
+import { useAuthStore } from 'src/stores/authStore'
+import { usePermission } from 'src/composables/usePermission'
+import api, { extractApiErrorDetail } from 'src/services/api'
+
+const { canRead } = usePermission()
+const canReadOrder = canRead('order')
+
+const router = useRouter()
+const $q = useQuasar()
+const store = useOrderProductionUpdateStore()
+
+let searchTimer = null
+watch(
+  () => store.filters.search,
+  () => {
+    clearTimeout(searchTimer)
+    searchTimer = setTimeout(() => {
+      store.fetchOrders()
+    }, 400)
+  }
+)
+
+const productionOrders = computed(() => store.filteredOrders)
+
+const totalVisibleUSD = computed(() =>
+  productionOrders.value.reduce((sum, o) => {
+    const v = Number(o.TotalAmountUSD || 0)
+    return sum + (Number.isFinite(v) ? v : 0)
+  }, 0)
+)
+
+function clearFilters () {
+  store.filters.search = ''
+  store.filters.CurrAccCode = ''
+  store.filters.OrderDate = ''
+  store.fetchOrders()
+}
+
+function formatDate (v) {
+  if (!v) return ''
+  return String(v)
+}
+
+function selectOrder (row) {
+  if (!row?.OrderHeaderID) {
+    $q.notify({ type: 'warning', message: 'OrderHeaderID bulunamadı' })
+    return
+  }
+
+  router.push({
+    name: 'orderproductionupdate',
+    params: { orderHeaderID: row.OrderHeaderID }
+  })
+}
+
+async function printPDF (row) {
+  try {
+    const auth = useAuthStore()
+    if (!auth?.token) {
+      $q.notify({ type: 'warning', message: 'Oturum bulunamadı' })
+      return
+    }
+
+    const res = await api.get(`/order/pdf/${row.OrderHeaderID}`, {
+      responseType: 'blob'
+    })
+
+    const blob = new Blob([res.data], { type: 'application/pdf' })
+    const url = URL.createObjectURL(blob)
+    window.open(url, '_blank')
+    setTimeout(() => URL.revokeObjectURL(url), 2000)
+  } catch (err) {
+    const status = err?.response?.status
+    const detail = extractApiErrorDetail(err)
+    console.error(`PDF load error [${status}] /order/pdf/${row?.OrderHeaderID}: ${detail}`)
+    $q.notify({ type: 'negative', message: `PDF alınamadı: ${detail}` })
+  }
+}
+
+function exportExcel () {
+  const auth = useAuthStore()
+
+  if (!auth?.token) {
+    $q.notify({
+      type: 'negative',
+      message: 'Oturum bulunamadı'
+    })
+    return
+  }
+
+  const params = new URLSearchParams()
+  if (store.filters.search) params.append('search', store.filters.search)
+
+  api.get(`/orders/production-list?${params.toString()}`, {
+    responseType: 'blob'
+  }).then((res) => {
+    const blob = new Blob([res.data], { type: 'application/vnd.openxmlformats-officedocument.spreadsheetml.sheet' })
+    const url = URL.createObjectURL(blob)
+    const a = document.createElement('a')
+    a.href = url
+    a.download = 'uretime_verilecek_siparisler.xlsx'
+    a.click()
+    URL.revokeObjectURL(url)
+  }).catch((err) => {
+    const detail = extractApiErrorDetail(err)
+    $q.notify({ type: 'negative', message: `Excel alınamadı: ${detail}` })
+  })
+}
+
+onMounted(() => {
+  store.fetchOrders()
+})
+
+const columns = [
+  { name: 'open', label: '', field: 'open', align: 'center', sortable: false },
+  { name: 'OrderNumber', label: 'Sipariş No', field: 'OrderNumber', align: 'left', sortable: true, style: 'min-width:108px;white-space:nowrap', headerStyle: 'min-width:108px;white-space:nowrap' },
+  { name: 'OrderDate', label: 'Tarih', field: 'OrderDate', align: 'center', sortable: true, style: 'min-width:82px;white-space:nowrap', headerStyle: 'min-width:82px;white-space:nowrap' },
+  { name: 'CurrAccCode', label: 'Cari Kod', field: 'CurrAccCode', align: 'left', sortable: true, style: 'min-width:82px;white-space:nowrap', headerStyle: 'min-width:82px;white-space:nowrap' },
+  { name: 'CurrAccDescription', label: 'Cari Adı', field: 'CurrAccDescription', align: 'left', sortable: true, classes: 'ol-col-cari', headerClasses: 'ol-col-cari', style: 'width:160px;max-width:160px', headerStyle: 'width:160px;max-width:160px' },
+  { name: 'MusteriTemsilcisi', label: 'Temsilci', field: 'MusteriTemsilcisi', align: 'left', sortable: true, classes: 'ol-col-short', headerClasses: 'ol-col-short', style: 'width:88px;max-width:88px', headerStyle: 'width:88px;max-width:88px' },
+  { name: 'Piyasa', label: 'Piyasa', field: 'Piyasa', align: 'left', sortable: true, classes: 'ol-col-short', headerClasses: 'ol-col-short', style: 'width:72px;max-width:72px', headerStyle: 'width:72px;max-width:72px' },
+  { name: 'CreditableConfirmedDate', label: 'Onay', field: 'CreditableConfirmedDate', align: 'center', sortable: true, style: 'min-width:86px;white-space:nowrap', headerStyle: 'min-width:86px;white-space:nowrap' },
+  { name: 'DocCurrencyCode', label: 'PB', field: 'DocCurrencyCode', align: 'center', sortable: true, style: 'min-width:46px;white-space:nowrap', headerStyle: 'min-width:46px;white-space:nowrap' },
+  {
+    name: 'TotalAmount',
+    label: 'Tutar',
+    field: 'TotalAmount',
+    align: 'right',
+    sortable: true,
+    style: 'min-width:120px;white-space:nowrap',
+    headerStyle: 'min-width:120px;white-space:nowrap',
+    format: (val, row) => Number(val || 0).toLocaleString('tr-TR', { minimumFractionDigits: 2 }) + ' ' + row.DocCurrencyCode
+  },
+  {
+    name: 'TotalAmountUSD',
+    label: 'Tutar (USD)',
+    field: 'TotalAmountUSD',
+    align: 'right',
+    sortable: true,
+    style: 'min-width:120px;white-space:nowrap',
+    headerStyle: 'min-width:120px;white-space:nowrap',
+    format: val => Number(val || 0).toLocaleString('tr-TR', { minimumFractionDigits: 2 }) + ' USD'
+  },
+  { name: 'IsCreditableConfirmed', label: 'Durum', field: 'IsCreditableConfirmed', align: 'center', sortable: true },
+  { name: 'HasUretimUrunu', label: 'Üretim', field: 'HasUretimUrunu', align: 'left', sortable: true, style: 'min-width:190px;white-space:nowrap', headerStyle: 'min-width:190px;white-space:nowrap' },
+  { name: 'Description', label: 'Açıklama', field: 'Description', align: 'left', sortable: false, classes: 'ol-col-desc', headerClasses: 'ol-col-desc', style: 'width:160px;max-width:160px', headerStyle: 'width:160px;max-width:160px' }
+]
+</script>

ui/src/pages/ResetPassword.vue

@@ -21,76 +21,78 @@
 
       <q-separator />
 
-      <q-card-section>
+      <q-form @submit.prevent="submit">
-        <!-- NEW PASSWORD -->
+        <q-card-section>
-        <q-input
+          <!-- NEW PASSWORD -->
-          v-model="password"
+          <q-input
-          :type="showPassword ? 'text' : 'password'"
+            v-model="password"
-          label="Yeni Parola"
+            :type="showPassword ? 'text' : 'password'"
-          dense
+            label="Yeni Parola"
-          filled
+            dense
-          :rules="[passwordRule]"
+            filled
-        >
+            :rules="[passwordRule]"
-          <template #append>
+          >
-            <q-icon
+            <template #append>
-              :name="showPassword ? 'visibility_off' : 'visibility'"
+              <q-icon
-              class="cursor-pointer"
+                :name="showPassword ? 'visibility_off' : 'visibility'"
-              @click="showPassword = !showPassword"
+                class="cursor-pointer"
-            />
+                @click="showPassword = !showPassword"
-          </template>
+              />
-        </q-input>
+            </template>
+          </q-input>
 
-        <!-- STRENGTH -->
+          <!-- STRENGTH -->
-        <div class="q-mt-xs">
+          <div class="q-mt-xs">
-          <q-linear-progress
+            <q-linear-progress
-            :value="passwordStrength.value"
+              :value="passwordStrength.value"
-            :color="passwordStrength.color"
+              :color="passwordStrength.color"
-            rounded
+              rounded
-            size="6px"
+              size="6px"
-          />
+            />
-          <div class="text-caption q-mt-xs" :class="passwordStrength.textColor">
+            <div class="text-caption q-mt-xs" :class="passwordStrength.textColor">
-            {{ passwordStrength.label }}
+              {{ passwordStrength.label }}
+            </div>
           </div>
-        </div>
 
-        <!-- CONFIRM -->
+          <!-- CONFIRM -->
-        <q-input
+          <q-input
-          v-model="password2"
+            v-model="password2"
-          :type="showPassword2 ? 'text' : 'password'"
+            :type="showPassword2 ? 'text' : 'password'"
-          label="Parola Tekrar"
+            label="Parola Tekrar"
-          dense
+            dense
-          filled
+            filled
-          class="q-mt-sm"
+            class="q-mt-sm"
-          :rules="[confirmRule]"
+            :rules="[confirmRule]"
-        >
+          >
-          <template #append>
+            <template #append>
-            <q-icon
+              <q-icon
-              :name="showPassword2 ? 'visibility_off' : 'visibility'"
+                :name="showPassword2 ? 'visibility_off' : 'visibility'"
-              class="cursor-pointer"
+                class="cursor-pointer"
-              @click="showPassword2 = !showPassword2"
+                @click="showPassword2 = !showPassword2"
-            />
+              />
-          </template>
+            </template>
-        </q-input>
+          </q-input>
 
-        <!-- ERROR -->
+          <!-- ERROR -->
-        <q-banner
+          <q-banner
-          v-if="error"
+            v-if="error"
-          class="bg-red-1 text-red q-mt-md"
+            class="bg-red-1 text-red q-mt-md"
-          rounded
+            rounded
-        >
+          >
-          {{ error }}
+            {{ error }}
-        </q-banner>
+          </q-banner>
-      </q-card-section>
+        </q-card-section>
 
-      <q-card-actions align="right">
+        <q-card-actions align="right">
-        <q-btn
+          <q-btn
-          label="PAROLAYI GÜNCELLE"
+            type="submit"
-          color="primary"
+            label="PAROLAYI GÜNCELLE"
-          :loading="loading"
+            color="primary"
-          :disable="!canSubmit"
+            :loading="loading"
-          @click="submit"
+            :disable="!canSubmit"
-        />
+          />
-      </q-card-actions>
+        </q-card-actions>
+      </q-form>
     </q-card>
 
     <!-- ❌ TOKEN INVALID -->

ui/src/pages/RoleDepartmentPermissionList.vue

@@ -46,6 +46,9 @@
               <q-item clickable @click="selectAllModules">
                 <q-item-section>Tümünü Seç</q-item-section>
               </q-item>
+              <q-item clickable @click="clearAllModules">
+                <q-item-section>Tümünü Temizle</q-item-section>
+              </q-item>
               <q-separator />
               <q-item
                 v-for="m in store.modules"
@@ -78,6 +81,9 @@
               <q-item clickable @click="selectAllActionsForActive">
                 <q-item-section>Tümünü Seç</q-item-section>
               </q-item>
+              <q-item clickable @click="clearAllActionsForActive">
+                <q-item-section>Tümünü Temizle</q-item-section>
+              </q-item>
               <q-separator />
               <q-item
                 v-for="a in actionsForActiveModule"
@@ -180,6 +186,7 @@ const canUpdateUser = canUpdate('user')
 const selectedModules = ref([])
 const selectedActionsByModule = ref({})
 const activeModuleCode = ref('')
+const allowEmptySelection = ref(false)
 
 const actionLabelMap = {
   update: 'Güncelleme',
@@ -284,9 +291,15 @@ function syncSelections () {
   }
 
   const selected = selectedModules.value.filter((m) => availableModules.includes(m))
-  selectedModules.value = selected.length ? selected : [...availableModules]
+  if (selected.length) {
+    selectedModules.value = selected
+  } else {
+    selectedModules.value = allowEmptySelection.value ? [] : [...availableModules]
+  }
 
-  if (!selectedModules.value.includes(activeModuleCode.value)) {
+  if (!selectedModules.value.length) {
+    activeModuleCode.value = ''
+  } else if (!selectedModules.value.includes(activeModuleCode.value)) {
     activeModuleCode.value = selectedModules.value[0]
   }
 
@@ -295,7 +308,7 @@ function syncSelections () {
     const allActions = actionsByModule.value[m] || []
     const prev = selectedActionsByModule.value[m] || []
     const filtered = prev.filter((a) => allActions.includes(a))
-    next[m] = filtered.length ? filtered : [...allActions]
+    next[m] = filtered.length ? filtered : (allowEmptySelection.value ? [] : [...allActions])
   })
   selectedActionsByModule.value = next
 }
@@ -313,6 +326,7 @@ function isModuleSelected (moduleCode) {
 }
 
 function toggleModule (moduleCode, checked) {
+  allowEmptySelection.value = false
   const set = new Set(selectedModules.value)
   if (checked) {
     set.add(moduleCode)
@@ -321,9 +335,8 @@ function toggleModule (moduleCode, checked) {
   }
   selectedModules.value = [...set]
   if (!selectedModules.value.length) {
-    selectedModules.value = [moduleCode]
+    activeModuleCode.value = ''
-  }
+  } else if (!selectedModules.value.includes(activeModuleCode.value)) {
-  if (!selectedModules.value.includes(activeModuleCode.value)) {
     activeModuleCode.value = selectedModules.value[0]
   }
   syncSelections()
@@ -334,24 +347,31 @@ function onModuleRowClick (moduleCode) {
 }
 
 function selectAllModules () {
+  allowEmptySelection.value = false
   selectedModules.value = (store.modules || []).map((m) => m.value)
   syncSelections()
 }
 
+function clearAllModules () {
+  allowEmptySelection.value = true
+  selectedModules.value = []
+  selectedActionsByModule.value = {}
+  activeModuleCode.value = ''
+  syncSelections()
+}
+
 function isActionSelected (moduleCode, action) {
   return (selectedActionsByModule.value[moduleCode] || []).includes(action)
 }
 
 function toggleAction (moduleCode, action, checked) {
+  allowEmptySelection.value = false
   const current = new Set(selectedActionsByModule.value[moduleCode] || [])
   if (checked) {
     current.add(action)
   } else {
     current.delete(action)
   }
-  if (current.size === 0) {
-    current.add(action)
-  }
   selectedActionsByModule.value = {
     ...selectedActionsByModule.value,
     [moduleCode]: [...current]
@@ -359,6 +379,7 @@ function toggleAction (moduleCode, action, checked) {
 }
 
 function selectAllActionsForActive () {
+  allowEmptySelection.value = false
   if (!activeModuleCode.value) return
   selectedActionsByModule.value = {
     ...selectedActionsByModule.value,
@@ -366,6 +387,15 @@ function selectAllActionsForActive () {
   }
 }
 
+function clearAllActionsForActive () {
+  allowEmptySelection.value = true
+  if (!activeModuleCode.value) return
+  selectedActionsByModule.value = {
+    ...selectedActionsByModule.value,
+    [activeModuleCode.value]: []
+  }
+}
+
 const permissionColumns = computed(() => {
   const cols = []
   selectedModules.value.forEach((m) => {

ui/src/pages/UserDetail.vue

@@ -12,7 +12,7 @@
       <div class="filter-bar row q-col-gutter-md q-mb-sm">
         <div class="col-3">
           <div class="text-caption text-grey-7 q-mb-xs">Kullanıcı Kodu</div>
-          <q-input v-model="form.code" dense filled />
+          <q-input v-model="form.code" dense filled :rules="[codeRule]" lazy-rules />
         </div>
 
         <div class="col-4">
@@ -46,6 +46,15 @@
             :loading="saving"
             @click="onSave"
           />
+          <q-btn
+            v-if="canDeleteThisUser"
+            label="SIL"
+            color="negative"
+            icon="delete"
+            class="q-ml-sm"
+            :loading="deleting"
+            @click="confirmDeleteUser"
+          />
           <q-btn
             v-if="canReadUser"
             label="LİSTEYE DÖN"
@@ -156,12 +165,22 @@
                 filled
                 behavior="menu"
               >
+                <template #selected-item="scope">
+                  <q-chip
+                    removable
+                    dense
+                    class="q-mr-xs"
+                    @remove="scope.removeAtIndex(scope.index)"
+                  >
+                    {{ scope.opt.label }}
+                  </q-chip>
+                </template>
                 <template #option="scope">
-                  <q-item v-bind="scope.itemProps" clickable>
+                  <q-item v-bind="scope.itemProps">
                     <q-item-section avatar>
                       <q-checkbox
                         :model-value="scope.selected"
-                        @update:model-value="scope.toggleOption(scope.opt)"
+                        tabindex="-1"
                       />
                     </q-item-section>
                     <q-item-section>
@@ -205,12 +224,33 @@
                 filled
                 behavior="menu"
               >
+                <template #before-options>
+                  <q-item clickable @click="selectAllPiyasalar">
+                    <q-item-section>Tümünü Seç</q-item-section>
+                  </q-item>
+                  <q-item clickable @click="clearPiyasalar">
+                    <q-item-section>Temizle</q-item-section>
+                  </q-item>
+                  <q-separator />
+                </template>
+                <template #selected-item="scope">
+                  <q-chip
+                    removable
+                    dense
+                    class="q-mr-xs"
+                    @remove="scope.removeAtIndex(scope.index)"
+                  >
+                    {{ scope.opt.label }}
+                  </q-chip>
+                </template>
                 <template #option="scope">
-                  <q-item v-bind="scope.itemProps" clickable>
+                  <q-item v-bind="scope.itemProps">
                     <q-item-section avatar>
                       <q-checkbox
                         :model-value="scope.selected"
-                        @update:model-value="scope.toggleOption(scope.opt)"
+                        tabindex="-1"
+                        @update:model-value="() => scope.toggleOption(scope.opt)"
+                        @click.stop
                       />
                     </q-item-section>
                     <q-item-section>
@@ -259,10 +299,11 @@ import { storeToRefs } from 'pinia'
 import { useUserDetailStore } from 'src/stores/UserDetailStore'
 import { usePermission } from 'src/composables/usePermission'
 
-const { canRead, canWrite, canUpdate } = usePermission()
+const { canRead, canWrite, canUpdate, canDelete } = usePermission()
 const canReadUser = canRead('user')
 const canWriteUser = canWrite('user')
 const canUpdateUser = canUpdate('user')
+const canDeleteUser = canDelete('user')
 
 const $q = useQuasar()
 const route = useRoute()
@@ -274,6 +315,7 @@ const {
   form,
   loading,
   saving,
+  deleting,
   roleOptions,
   departmentOptions,
   piyasaOptions,
@@ -296,6 +338,11 @@ const canAccessPage = computed(() => {
 const canSaveUser = computed(() => isNew.value ? canWriteUser.value : canUpdateUser.value)
 
 const userId = computed(() => (isEdit.value || isView.value) ? Number(route.params.id) : null)
+const canDeleteThisUser = computed(() =>
+  (isEdit.value || isView.value) &&
+  !!userId.value &&
+  canDeleteUser.value
+)
 
 const hasPassword = computed(() => store.hasPassword)
 
@@ -316,6 +363,16 @@ const canSendPasswordMail = computed(() => {
   return /^[^\s@]+@[^\s@]+\.[^\s@]+$/.test((form.value.email || '').trim())
 })
 
+function selectAllPiyasalar () {
+  form.value.piyasalar = (piyasaOptions.value || [])
+    .map((o) => o.value)
+    .filter(Boolean)
+}
+
+function clearPiyasalar () {
+  form.value.piyasalar = []
+}
+
 /* ================= LIFECYCLE ================= */
 watch(
   () => userId.value,
@@ -341,6 +398,11 @@ async function onSave () {
     return
   }
 
+  if (!(form.value.code || '').trim()) {
+    $q.notify({ type: 'negative', message: 'Kullanıcı kodu zorunludur' })
+    return
+  }
+
   try {
     console.log('🟢 onSave() START', { mode: mode.value })
 
@@ -381,6 +443,36 @@ function goList () {
   router.push({ name: 'user-list' })
 }
 
+function confirmDeleteUser () {
+  if (!canDeleteThisUser.value) {
+    $q.notify({ type: 'negative', message: 'Silme yetkiniz yok' })
+    return
+  }
+
+  const code = (form.value.code || '').trim()
+  const label = code || `ID ${userId.value}`
+
+  $q.dialog({
+    title: 'Kullanici silinsin mi?',
+    message: `${label} kaydi tablodan silinecek. Bu islem geri alinamaz.`,
+    cancel: true,
+    persistent: true
+  }).onOk(async () => {
+    await deleteUser()
+  })
+}
+
+async function deleteUser () {
+  try {
+    await store.deleteUser(userId.value)
+    $q.notify({ type: 'positive', message: 'Kullanici silindi' })
+    await router.replace({ name: 'user-list' })
+    window.location.reload()
+  } catch {
+    $q.notify({ type: 'negative', message: store.error || 'Kullanici silinemedi' })
+  }
+}
+
 
 function confirmSendPasswordMail () {
   $q.dialog({

ui/src/pages/statementofaccount.vue

@@ -1,5 +1,5 @@
 <template>
-  <q-page v-if="canReadFinance" class="q-pa-md page-col">
+  <q-page v-if="canReadFinance" class="q-pa-md page-col statement-page">
 
     <!-- 🔹 Cari Kod / İsim (sabit) -->
     <div class="filter-sticky">
@@ -47,7 +47,12 @@
                 <template #append>
                   <q-icon name="event" class="cursor-pointer">
                     <q-popup-proxy cover transition-show="scale" transition-hide="scale">
-                      <q-date v-model="dateFrom" mask="YYYY-MM-DD" locale="tr-TR"/>
+                      <q-date
+                        v-model="dateFrom"
+                        mask="YYYY-MM-DD"
+                        locale="tr-TR"
+                        :options="isValidFromDate"
+                      />
                     </q-popup-proxy>
                   </q-icon>
                 </template>
@@ -63,7 +68,12 @@
                 <template #append>
                   <q-icon name="event" class="cursor-pointer">
                     <q-popup-proxy cover transition-show="scale" transition-hide="scale">
-                      <q-date v-model="dateTo" mask="YYYY-MM-DD" locale="tr-TR" />
+                      <q-date
+                        v-model="dateTo"
+                        mask="YYYY-MM-DD"
+                        locale="tr-TR"
+                        :options="isValidToDate"
+                      />
                     </q-popup-proxy>
                   </q-icon>
                 </template>
@@ -163,19 +173,21 @@
 
       <!-- Ana Tablo -->
       <q-table
-        class="sticky-table"
+        class="sticky-table statement-table"
         title="Hareketler"
         :rows="statementheaderStore.groupedRows"
         :columns="columns"
         :visible-columns="visibleColumns"
-        :row-key="row => row.OrderHeaderID + '_' + row.OrderNumber"
+        :row-key="rowKeyFn"
 
         flat
         bordered
         dense
+        hide-bottom
+        wrap-cells
         :rows-per-page-options="[0]"
         :loading="statementheaderStore.loading"
-        :table-style="{ tableLayout: 'auto', minWidth: '1600px' }"
+        :table-style="{ tableLayout: 'fixed', width: '100%' }"
       >
         <template #body="props">
 
@@ -332,6 +344,29 @@ onMounted(async () => {
 const dateFrom = ref(dayjs().startOf('year').format('YYYY-MM-DD'))
 const dateTo   = ref(dayjs().format('YYYY-MM-DD'))
 
+function isValidFromDate (date) {
+  if (!dateTo.value) return true
+  return !dayjs(date).isAfter(dayjs(dateTo.value), 'day')
+}
+
+function isValidToDate (date) {
+  if (!dateFrom.value) return true
+  return !dayjs(date).isBefore(dayjs(dateFrom.value), 'day')
+}
+
+function hasInvalidDateRange () {
+  if (!dateFrom.value || !dateTo.value) return false
+  return dayjs(dateFrom.value).isAfter(dayjs(dateTo.value), 'day')
+}
+
+function notifyInvalidDateRange () {
+  $q.notify({
+    type: 'warning',
+    message: '⚠️ Başlangıç tarihi bitiş tarihinden sonra olamaz.',
+    position: 'top-right'
+  })
+}
+
 /* Parasal İşlem Tipi */
 const monetaryTypeOptions = [
   { label: '1-2 hesap', value: ['1', '2'] },
@@ -373,6 +408,11 @@ async function onFilterClick() {
     return
   }
 
+  if (hasInvalidDateRange()) {
+    notifyInvalidDateRange()
+    return
+  }
+
   await statementheaderStore.loadStatements({
     startdate: dateFrom.value,
     enddate: dateTo.value,
@@ -483,6 +523,11 @@ async function handleDownload() {
     return
   }
 
+  if (hasInvalidDateRange()) {
+    notifyInvalidDateRange()
+    return
+  }
+
   // ✅ Seçilen parasal işlem tipini gönder
   const result = await downloadstpdfStore.downloadPDF(
     selectedCari.value,   // accountCode
@@ -524,6 +569,11 @@ async function CurrheadDownload() {
     return
   }
 
+  if (hasInvalidDateRange()) {
+    notifyInvalidDateRange()
+    return
+  }
+
   // ✅ Yeni store fonksiyonu doğru şekilde çağrılıyor
   const result = await downloadstHeadStore.handlestHeadDownload(
     selectedCari.value,   // accountCode
@@ -542,3 +592,100 @@ async function CurrheadDownload() {
 }
 
 </script>
+
+<style scoped>
+.statement-page {
+  height: calc(100vh - 56px);
+  display: flex;
+  flex-direction: column;
+  overflow: hidden;
+}
+
+.table-scroll {
+  flex: 1;
+  min-height: 0;
+  overflow: hidden;
+  display: flex;
+  flex-direction: column;
+}
+
+.sticky-bar {
+  position: sticky;
+  top: 0;
+  z-index: 20;
+  flex: 0 0 auto;
+}
+
+.statement-table {
+  flex: 1;
+  min-height: 0;
+}
+
+.statement-table :deep(.q-table__container) {
+  height: 100%;
+  display: flex;
+  flex-direction: column;
+}
+
+.statement-table :deep(.q-table__top) {
+  flex: 0 0 auto;
+}
+
+.statement-table :deep(.q-table__middle) {
+  flex: 1 1 auto;
+  min-height: 0;
+  overflow: auto !important;
+  max-height: none !important;
+}
+
+.statement-table :deep(thead th) {
+  position: sticky;
+  top: 0;
+  z-index: 10;
+  background: #fff;
+}
+
+.statement-table :deep(th),
+.statement-table :deep(td) {
+  padding: 3px 6px !important;
+  font-size: 11px !important;
+  line-height: 1.2 !important;
+}
+
+.statement-table :deep(td) {
+  white-space: nowrap !important;
+  overflow: hidden !important;
+  text-overflow: ellipsis !important;
+  max-width: 120px;
+}
+
+.statement-table :deep(td[data-col="aciklama"]),
+.statement-table :deep(th[data-col="aciklama"]) {
+  max-width: 220px;
+}
+
+.statement-table :deep(.resizable-cell-content) {
+  display: -webkit-box;
+  -webkit-line-clamp: 2;
+  -webkit-box-orient: vertical;
+  overflow: hidden;
+  white-space: normal !important;
+}
+
+@media (max-width: 1366px) {
+  .statement-table :deep(th),
+  .statement-table :deep(td) {
+    font-size: 10px !important;
+    padding: 2px 4px !important;
+  }
+
+  .statement-table :deep(td) {
+    max-width: 100px;
+  }
+
+  .statement-table :deep(td[data-col="aciklama"]),
+  .statement-table :deep(th[data-col="aciklama"]) {
+    max-width: 180px;
+  }
+}
+</style>

ui/src/router/index.js

@@ -14,6 +14,9 @@ export default route(function () {
     routes
   })
 
+  if (typeof window !== 'undefined' && process.env.DEV) {
+    window.__router = router
+  }
 
   /* ============================================================
      🔐 GLOBAL GUARD
@@ -23,6 +26,17 @@ export default route(function () {
     const auth = useAuthStore()
     const perm = usePermissionStore()
 
+    if (typeof window !== 'undefined') {
+      console.warn('🧭 ROUTE GUARD HIT:', {
+        path: to.fullPath,
+        meta: to.meta
+      })
+    }
+
+    if (typeof window !== 'undefined' && process.env.DEV) {
+      window.__auth = auth
+      window.__perm = perm
+    }
 
     /* ================= PUBLIC ================= */
 

ui/src/router/routes.js

@@ -69,7 +69,7 @@ const routes = [
         path: '',
         name: 'dashboard',
         component: () => import('pages/Dashboard.vue'),
-        meta: { permission: 'system:read' }
+        meta: {}
       },
 
 
@@ -86,28 +86,28 @@ const routes = [
         path: 'role-dept-permissions',
         name: 'role-dept-permissions',
         component: () => import('pages/RoleDepartmentPermissionGateway.vue'),
-        meta: { permission: 'user:update' }
+        meta: { permission: 'system:update' }
       },
 
       {
         path: 'role-dept-permissions/list',
         name: 'role-dept-permissions-list',
         component: () => import('pages/RoleDepartmentPermissionList.vue'),
-        meta: { permission: 'user:update' }
+        meta: { permission: 'system:update' }
       },
 
       {
         path: 'role-dept-permissions/editor',
         name: 'role-dept-permissions-editor',
         component: () => import('pages/RoleDepartmentPermissionPage.vue'),
-        meta: { permission: 'user:update' }
+        meta: { permission: 'system:update' }
       },
 
       {
         path: 'user-permissions',
         name: 'user-permissions',
         component: () => import('pages/UserPermissionPage.vue'),
-        meta: { permission: 'user:update' }
+        meta: { permission: 'system:update' }
       },
 
 
@@ -190,7 +190,7 @@ const routes = [
         path: 'activity-logs',
         name: 'activity-logs',
         component: () => import('pages/ActivityLogs.vue'),
-        meta: { permission: 'user:view' }
+        meta: { permission: 'system:read' }
       },
 
 
@@ -200,7 +200,7 @@ const routes = [
         path: 'test-mail',
         name: 'test-mail',
         component: () => import('pages/TestMail.vue'),
-        meta: { permission: 'user:insert' }
+        meta: { permission: 'system:update' }
       },
 
 
@@ -242,6 +242,20 @@ const routes = [
         meta: { permission: 'order:view' }
       },
 
+      {
+        path: 'orderproductionupdate',
+        name: 'orderproductionupdate-list',
+        component: () => import('pages/OrderProductionUpdateList.vue'),
+        meta: { permission: 'order:update' }
+      },
+      {
+        path: 'orderproductionupdate/:orderHeaderID',
+        name: 'orderproductionupdate',
+        component: () => import('pages/OrderProductionUpdate.vue'),
+        props: true,
+        meta: { permission: 'order:update' }
+      },
+
       {
         path: 'order-bulk-close',
         name: 'order-bulk-close',

ui/src/services/api.js

@@ -1,28 +1,84 @@
-// src/services/api.js
 import axios from 'axios'
 import qs from 'qs'
 import { useAuthStore } from 'stores/authStore'
 
+const rawBaseUrl =
+  (typeof process !== 'undefined' && process.env?.VITE_API_BASE_URL) || '/api'
+
+export const API_BASE_URL = String(rawBaseUrl).trim().replace(/\/+$/, '')
+const AUTH_REFRESH_PATH = '/auth/refresh'
+
 const api = axios.create({
-  baseURL: 'http://localhost:8080/api',
+  baseURL: API_BASE_URL,
   timeout: 180000,
   paramsSerializer: params =>
-    qs.stringify(params, { arrayFormat: 'repeat' })
+    qs.stringify(params, { arrayFormat: 'repeat' }),
+  withCredentials: true
 })
 
-// REQUEST
+function isPublicPath(url) {
+  return (
+    url.startsWith('/auth/login') ||
+    url.startsWith(AUTH_REFRESH_PATH) ||
+    url.startsWith('/password/forgot') ||
+    url.startsWith('/password/reset')
+  )
+}
+
+function extractToken(payload) {
+  return (
+    payload?.token ||
+    payload?.access_token ||
+    payload?.data?.token ||
+    payload?.data?.access_token ||
+    ''
+  )
+}
+
+function isHtmlLike(value) {
+  const text = String(value || '').trim().toLowerCase()
+  return text.startsWith('<!doctype html') || text.startsWith('<html')
+}
+
+function sanitizeApiErrorDetail(detail, status) {
+  const normalized = String(detail || '').trim()
+
+  if (!normalized) {
+    if (status === 504) {
+      return 'Gateway timeout: origin server did not respond in time.'
+    }
+    return ''
+  }
+
+  if (isHtmlLike(normalized)) {
+    if (status === 504) {
+      return 'Gateway timeout: origin server did not respond in time.'
+    }
+    if (status >= 500) {
+      return `Upstream server error (${status}).`
+    }
+    return `Unexpected HTML error response (${status || '-'})`
+  }
+
+  const compact = normalized.replace(/\s+/g, ' ').trim()
+  if (compact.length > 320) {
+    return `${compact.slice(0, 320)}...`
+  }
+
+  return compact
+}
+
+function redirectToLogin() {
+  if (typeof window === 'undefined') return
+  if (window.location.hash === '#/login') return
+  window.location.hash = '/login'
+}
+
 api.interceptors.request.use((config) => {
   const auth = useAuthStore()
   const url = config.url || ''
 
-  const isPublic =
+  if (!isPublicPath(url) && auth?.token) {
-    url.startsWith('/auth/login') ||
-    url.startsWith('/auth/refresh') ||
-    url.startsWith('/password/forgot') ||
-    url.startsWith('/password/reset')
-
-
-  if (!isPublic && auth?.token) {
     config.headers ||= {}
     config.headers.Authorization = `Bearer ${auth.token}`
   }
@@ -30,24 +86,113 @@ api.interceptors.request.use((config) => {
   return config
 })
 
-// RESPONSE
 let isLoggingOut = false
+let refreshPromise = null
+
+async function refreshAccessToken() {
+  if (refreshPromise) {
+    return refreshPromise
+  }
+
+  refreshPromise = (async () => {
+    const auth = useAuthStore()
+    const response = await api.post(
+      AUTH_REFRESH_PATH,
+      {},
+      {
+        skipAuthRefresh: true,
+        skipAutoLogout: true
+      }
+    )
+
+    const rawToken = extractToken(response?.data)
+    const token = typeof rawToken === 'string' ? rawToken.trim() : ''
+    const isJwt = token.split('.').length === 3
+
+    if (!token || !isJwt) {
+      throw new Error('Invalid refresh token response')
+    }
+
+    auth.setSession({
+      token,
+      user: auth.user || null
+    })
+
+    return token
+  })().finally(() => {
+    refreshPromise = null
+  })
+
+  return refreshPromise
+}
+
+function clearSessionAndRedirect() {
+  if (isLoggingOut) return
+
+  isLoggingOut = true
+  try {
+    useAuthStore().clearSession()
+  } finally {
+    isLoggingOut = false
+    redirectToLogin()
+  }
+}
+
 api.interceptors.response.use(
   r => r,
   async (error) => {
-    if (error?.response?.status === 401 && !isLoggingOut) {
+    const requestConfig = error?.config || {}
-      isLoggingOut = true
+    const status = error?.response?.status
+    const requestUrl = String(requestConfig.url || '')
+    const hasBlob = typeof Blob !== 'undefined' && error?.response?.data instanceof Blob
+    const isPasswordChangeRequest =
+      requestUrl.startsWith('/password/change') ||
+      requestUrl.startsWith('/me/password')
+    const isPublicRequest = isPublicPath(requestUrl)
+
+    if ((status >= 500 || hasBlob) && error) {
+      const method = String(requestConfig.method || 'GET').toUpperCase()
+      const detail = sanitizeApiErrorDetail(
+        await extractApiErrorDetail(error),
+        status
+      )
+      error.parsedMessage = detail
+      console.error(`API ${status || '-'} ${method} ${requestUrl}: ${detail}`)
+    }
+
+    const shouldTryRefresh =
+      status === 401 &&
+      !requestConfig._retry &&
+      !requestConfig.skipAuthRefresh &&
+      !isPasswordChangeRequest &&
+      !isPublicRequest
+
+    if (shouldTryRefresh) {
+      requestConfig._retry = true
       try {
-        useAuthStore().clearSession()
+        const newToken = await refreshAccessToken()
-      } finally {
+        requestConfig.headers ||= {}
-        isLoggingOut = false
+        requestConfig.headers.Authorization = `Bearer ${newToken}`
+        return api(requestConfig)
+      } catch {
+        // fall through to logout
       }
     }
+
+    // Password change endpoints may return 401 for business reasons
+    // (for example current password mismatch). Keep session in that case.
+    if (
+      status === 401 &&
+      !isPasswordChangeRequest &&
+      !requestConfig.skipAutoLogout
+    ) {
+      clearSessionAndRedirect()
+    }
+
     return Promise.reject(error)
   }
 )
 
-// HELPERS
 export const get = (u, p = {}, c = {}) =>
   api.get(u, { params: p, ...c }).then(r => r.data)
 
@@ -60,8 +205,75 @@ export const put = (u, b = {}, c = {}) =>
 export const del = (u, p = {}, c = {}) =>
   api.delete(u, { params: p, ...c }).then(r => r.data)
 
-export const download = (u, p = {}, c = {}) =>
+async function parseBlobErrorMessage(data) {
-  api.get(u, { params: p, responseType: 'blob', ...c })
+  if (!data) return ''
-    .then(r => r.data)
+
+  if (typeof Blob !== 'undefined' && data instanceof Blob) {
+    try {
+      const text = (await data.text())?.trim()
+      if (!text) return ''
+
+      try {
+        const json = JSON.parse(text)
+        return (
+          json?.detail ||
+          json?.message ||
+          json?.error ||
+          text
+        )
+      } catch {
+        return text
+      }
+    } catch {
+      return ''
+    }
+  }
+
+  if (typeof data === 'string') return data.trim()
+  if (typeof data === 'object') {
+    return (
+      data?.detail ||
+      data?.message ||
+      data?.error ||
+      ''
+    )
+  }
+
+  return ''
+}
+
+export async function extractApiErrorDetail(err) {
+  const status = err?.response?.status
+  let detail =
+    err?.parsedMessage ||
+    err?.response?.data?.detail ||
+    err?.response?.data?.message ||
+    err?.response?.data?.error ||
+    ''
+
+  if (!detail) {
+    detail = await parseBlobErrorMessage(err?.response?.data)
+  }
+
+  if (!detail) {
+    detail = err?.message || 'Request failed'
+  }
+
+  return sanitizeApiErrorDetail(detail, status)
+}
+
+export const download = async (u, p = {}, c = {}) => {
+  try {
+    const r = await api.get(u, { params: p, responseType: 'blob', ...c })
+    return r.data
+  } catch (err) {
+    const detail = await extractApiErrorDetail(err)
+
+    const wrapped = new Error(detail)
+    wrapped.status = err?.response?.status
+    wrapped.original = err
+    throw wrapped
+  }
+}
 
 export default api

ui/src/stores/OrderProductionItemStore.js

@@ -0,0 +1,147 @@
+// src/stores/OrderProductionItemStore.js
+import { defineStore } from 'pinia'
+import api from 'src/services/api'
+
+export const useOrderProductionItemStore = defineStore('orderproductionitems', {
+  state: () => ({
+    items: [],
+    header: null,
+    products: [],
+    colorOptionsByCode: {},
+    secondColorOptionsByKey: {},
+    loading: false,
+    saving: false,
+    error: null
+  }),
+
+  actions: {
+    async fetchHeader (orderHeaderID) {
+      if (!orderHeaderID) {
+        this.header = null
+        return
+      }
+
+      this.loading = true
+      this.error = null
+
+      try {
+        const res = await api.get(`/order/get/${encodeURIComponent(orderHeaderID)}`)
+        this.header = res?.data?.header || null
+      } catch (err) {
+        this.header = null
+        this.error = err?.response?.data || err?.message || 'Siparis bilgisi alinamadi'
+      } finally {
+        this.loading = false
+      }
+    },
+    async fetchItems (orderHeaderID) {
+      if (!orderHeaderID) {
+        this.items = []
+        return
+      }
+
+      this.loading = true
+      this.error = null
+
+      try {
+        const res = await api.get(`/orders/production-items/${encodeURIComponent(orderHeaderID)}`)
+        const data = res?.data
+        this.items = Array.isArray(data) ? data : []
+      } catch (err) {
+        this.items = []
+        this.error = err?.response?.data || err?.message || 'Liste alinamadi'
+      } finally {
+        this.loading = false
+      }
+    },
+    async fetchProducts () {
+      this.error = null
+      try {
+        const res = await api.get('/products')
+        const data = res?.data
+        this.products = Array.isArray(data) ? data : []
+      } catch (err) {
+        this.products = []
+        this.error = err?.response?.data || err?.message || 'Urun listesi alinamadi'
+      }
+    },
+    async fetchColors (productCode) {
+      const code = String(productCode || '').trim()
+      if (!code) return []
+
+      if (this.colorOptionsByCode[code]) {
+        return this.colorOptionsByCode[code]
+      }
+
+      try {
+        const res = await api.get('/product-colors', { params: { code } })
+        const data = res?.data
+        const list = Array.isArray(data) ? data : []
+        this.colorOptionsByCode[code] = list
+        return list
+      } catch (err) {
+        this.error = err?.response?.data || err?.message || 'Renk listesi alinamadi'
+        return []
+      }
+    },
+    async fetchSecondColors (productCode, colorCode) {
+      const code = String(productCode || '').trim()
+      const color = String(colorCode || '').trim()
+      if (!code || !color) return []
+
+      const key = `${code}::${color}`
+      if (this.secondColorOptionsByKey[key]) {
+        return this.secondColorOptionsByKey[key]
+      }
+
+      try {
+        const res = await api.get('/product-secondcolor', { params: { code, color } })
+        const data = res?.data
+        const list = Array.isArray(data) ? data : []
+        this.secondColorOptionsByKey[key] = list
+        return list
+      } catch (err) {
+        this.error = err?.response?.data || err?.message || '2. renk listesi alinamadi'
+        return []
+      }
+    },
+    async validateUpdates (orderHeaderID, lines) {
+      if (!orderHeaderID) return { missingCount: 0, missing: [] }
+
+      this.saving = true
+      this.error = null
+
+      try {
+        const res = await api.post(
+          `/orders/production-items/${encodeURIComponent(orderHeaderID)}/validate`,
+          { lines }
+        )
+        return res?.data || { missingCount: 0, missing: [] }
+      } catch (err) {
+        this.error = err?.response?.data || err?.message || 'Kontrol basarisiz'
+        throw err
+      } finally {
+        this.saving = false
+      }
+    },
+    async applyUpdates (orderHeaderID, lines, insertMissing) {
+      if (!orderHeaderID) return { updated: 0, inserted: 0 }
+
+      this.saving = true
+      this.error = null
+
+      try {
+        const res = await api.post(
+          `/orders/production-items/${encodeURIComponent(orderHeaderID)}/apply`,
+          { lines, insertMissing }
+        )
+        return res?.data || { updated: 0, inserted: 0 }
+      } catch (err) {
+        this.error = err?.response?.data || err?.message || 'Guncelleme basarisiz'
+        throw err
+      } finally {
+        this.saving = false
+      }
+    }
+  }
+})

ui/src/stores/OrderProductionUpdateStore.js

@@ -0,0 +1,166 @@
+// src/stores/OrderProductionUpdateStore.js
+import { defineStore } from 'pinia'
+import api from 'src/services/api'
+
+let lastRequestId = 0
+
+export const useOrderProductionUpdateStore = defineStore('orderproductionupdate', {
+  state: () => ({
+    orders: [],
+    loading: false,
+    error: null,
+
+    filters: {
+      search: '',
+      CurrAccCode: '',
+      OrderDate: ''
+    }
+  }),
+
+  getters: {
+    filteredOrders (state) {
+      let result = state.orders
+
+      if (state.filters.CurrAccCode) {
+        result = result.filter(o => o.CurrAccCode === state.filters.CurrAccCode)
+      }
+
+      if (state.filters.OrderDate) {
+        result = result.filter(o =>
+          o.OrderDate?.startsWith(state.filters.OrderDate)
+        )
+      }
+
+      return result
+    },
+
+    totalVisibleUSD () {
+      return this.filteredOrders.reduce((sum, o) => {
+        const value = Number(o.TotalAmountUSD || 0)
+        return sum + (Number.isFinite(value) ? value : 0)
+      }, 0)
+    },
+
+    totalPackedVisibleUSD () {
+      return this.filteredOrders.reduce((sum, o) => {
+        const value = Number(o.PackedUSD || 0)
+        return sum + (Number.isFinite(value) ? value : 0)
+      }, 0)
+    },
+
+    packedVisibleRatePct () {
+      if (!this.totalVisibleUSD) return 0
+      return (this.totalPackedVisibleUSD / this.totalVisibleUSD) * 100
+    }
+  },
+
+  actions: {
+    async fetchOrders () {
+
+      // ==============================
+      // 📌 REQUEST ID
+      // ==============================
+      const rid = ++lastRequestId
+
+      // ==============================
+      // 📌 SEARCH SNAPSHOT
+      // ==============================
+      const raw = this.filters.search ?? ''
+      const trimmed = String(raw).trim()
+
+      // ==============================
+      // 📌 REQUEST LOG
+      // ==============================
+      console.groupCollapsed(
+        `%c[orders-prod] FETCH rid=${rid}`,
+        'color:#1976d2;font-weight:bold'
+      )
+
+      console.log('raw      =', JSON.stringify(raw), 'len=', String(raw).length)
+      console.log('trimmed  =', JSON.stringify(trimmed), 'len=', trimmed.length)
+      console.log('filters  =', JSON.parse(JSON.stringify(this.filters)))
+      console.log('lastRID  =', lastRequestId)
+
+      console.groupEnd()
+
+      this.loading = true
+      this.error = null
+
+      try {
+
+        // ==============================
+        // 📌 PARAMS
+        // ==============================
+        const params = {}
+        if (trimmed) params.search = trimmed
+
+        // ==============================
+        // 📌 API CALL
+        // ==============================
+        const res = await api.get('/orders/production-list', { params })
+
+        // ==============================
+        // 📌 STALE CHECK
+        // ==============================
+        if (rid !== lastRequestId) {
+          console.warn(
+            `[orders-prod] IGNORE stale response rid=${rid} last=${lastRequestId}`
+          )
+          return
+        }
+
+        // ==============================
+        // 📌 DATA
+        // ==============================
+        const data = res?.data
+        this.orders = Array.isArray(data) ? data : []
+
+        // ==============================
+        // 📌 RESPONSE LOG
+        // ==============================
+        console.groupCollapsed(
+          `%c[orders-prod] RESPONSE rid=${rid} count=${this.orders.length}`,
+          'color:#2e7d32;font-weight:bold'
+        )
+
+        console.log('status =', res?.status)
+
+        console.log(
+          'sample =',
+          this.orders.slice(0, 5).map(o => ({
+            id: o.OrderHeaderID,
+            no: o.OrderNumber,
+            code: o.CurrAccCode,
+            name: o.CurrAccDescription
+          }))
+        )
+
+        console.groupEnd()
+
+      } catch (err) {
+
+        if (rid !== lastRequestId) return
+
+        console.error(
+          '[orders-prod] FETCH FAILED',
+          err?.response?.status,
+          err?.response?.data || err
+        )
+
+        this.orders = []
+
+        this.error =
+          err?.response?.data ||
+          err?.message ||
+          'Sipariş listesi alınamadı'
+
+      } finally {
+
+        if (rid === lastRequestId) {
+          this.loading = false
+        }
+
+      }
+    }
+  }
+})

ui/src/stores/UserDetailStore.js

@@ -1,6 +1,6 @@
 // src/stores/userDetailStore.js
 import { defineStore } from 'pinia'
-import api, { get, post, put } from 'src/services/api'
+import api, { get, post, put, del } from 'src/services/api'
 
 export const useUserDetailStore = defineStore('userDetail', {
   state: () => ({
@@ -11,6 +11,7 @@ export const useUserDetailStore = defineStore('userDetail', {
     /* ================= FLAGS ================= */
     loading: false,
     saving: false,
+    deleting: false,
     error: null,
 
     /* ================= FORM ================= */
@@ -23,9 +24,9 @@ export const useUserDetailStore = defineStore('userDetail', {
       is_active: true,
       address: '',
       roles: [],
-      departments: [],
+      departments: null,
       piyasalar: [],
-      nebim_users: []
+      nebim_users: null
     },
 
     /* ================= LOOKUPS ================= */
@@ -49,9 +50,9 @@ export const useUserDetailStore = defineStore('userDetail', {
         is_active: true,
         address: '',
         roles: [],
-        departments: [],
+        departments: null,
         piyasalar: [],
-        nebim_users: []
+        nebim_users: null
       }
       this.error = null
       this.hasPassword = false
@@ -91,6 +92,14 @@ export const useUserDetailStore = defineStore('userDetail', {
        📦 PAYLOAD BUILDER (BACKEND SÖZLEŞMESİYLE UYUMLU)
     ===================================================== */
     buildPayload () {
+      const departmentCodes = Array.isArray(this.form.departments)
+        ? this.form.departments
+        : (this.form.departments ? [this.form.departments] : [])
+
+      const nebimUsernames = Array.isArray(this.form.nebim_users)
+        ? this.form.nebim_users
+        : (this.form.nebim_users ? [this.form.nebim_users] : [])
+
       return {
         code: this.form.code,
         full_name: this.form.full_name,
@@ -101,14 +110,11 @@ export const useUserDetailStore = defineStore('userDetail', {
 
         roles: this.form.roles,
 
-        // ✅ TEK DEPARTMAN (string → backend array)
+        departments: departmentCodes.map(code => ({ code })),
-        departments: this.form.departments
-          ? [{ code: this.form.departments }]
-          : [],
 
         piyasalar: (this.form.piyasalar || []).map(code => ({ code })),
 
-        nebim_users: (this.form.nebim_users || []).map(username => {
+        nebim_users: nebimUsernames.map(username => {
           const opt = (this.nebimUserOptions || []).find(x => x.value === username)
           return {
             username,
@@ -137,9 +143,9 @@ export const useUserDetailStore = defineStore('userDetail', {
         this.form.address = data.address || ''
 
         this.form.roles = data.roles || []
-        this.form.departments = (data.departments || []).map(x => x.code)
+        this.form.departments = (data.departments || []).map(x => x.code)[0] || null
         this.form.piyasalar = (data.piyasalar || []).map(x => x.code)
-        this.form.nebim_users = (data.nebim_users || []).map(x => x.username)
+        this.form.nebim_users = (data.nebim_users || []).map(x => x.username)[0] || null
 
         this.hasPassword = !!data.has_password
       } catch (e) {
@@ -217,6 +223,23 @@ export const useUserDetailStore = defineStore('userDetail', {
       }
     },
 
+    /* =====================================================
+       🗑️ DELETE USER
+    ===================================================== */
+    async deleteUser (id) {
+      this.deleting = true
+      this.error = null
+
+      try {
+        await del(`/users/${id}`)
+      } catch (e) {
+        this.error = 'Kullanici silinemedi'
+        throw e
+      } finally {
+        this.deleting = false
+      }
+    },
+
     /* =====================================================
        📚 LOOKUPS (NEW + EDIT ORTAK)
     ===================================================== */

ui/src/stores/authStore.js

@@ -3,6 +3,40 @@ import { defineStore } from 'pinia'
 import api from 'src/services/api'
 import { usePermissionStore } from 'stores/permissionStore'
 
+function normalizeRoleCode (value) {
+  return String(value || '').trim().toLowerCase()
+}
+
+function roleCodeFromUser (user) {
+  if (!user || typeof user !== 'object') return ''
+
+  return normalizeRoleCode(
+    user.role_code ??
+    user.roleCode ??
+    user.RoleCode
+  )
+}
+
+function decodeJwtPayload (token) {
+  const raw = String(token || '').trim()
+  if (!raw) return null
+
+  const parts = raw.split('.')
+  if (parts.length !== 3) return null
+
+  try {
+    const base64 = parts[1]
+      .replace(/-/g, '+')
+      .replace(/_/g, '/')
+      .padEnd(Math.ceil(parts[1].length / 4) * 4, '=')
+
+    const json = atob(base64)
+    return JSON.parse(json)
+  } catch {
+    return null
+  }
+}
+
 export const useAuthStore = defineStore('auth', {
   state: () => {
     let user = null
@@ -29,8 +63,13 @@ export const useAuthStore = defineStore('auth', {
     mustChangePassword: s => !!s.forcePasswordChange,
 
     // 🔥 TEK ADMIN KURALI
-    isAdmin: s =>
+    isAdmin: s => {
-      String(s.user?.role_code || '').toLowerCase() === 'admin'
+      const fromUser = roleCodeFromUser(s.user)
+      if (fromUser) return fromUser === 'admin'
+
+      const payload = decodeJwtPayload(s.token)
+      return normalizeRoleCode(payload?.role_code) === 'admin'
+    }
   },
 
   actions: {
@@ -39,7 +78,7 @@ export const useAuthStore = defineStore('auth', {
     ========================================================= */
     setSession ({ token, user }) {
       this.token = token
-      this.user = user ?? null
+      this.user = user || null
       this.forcePasswordChange = !!user?.force_password_change
 
       localStorage.setItem('token', token)

ui/src/stores/downloadstHeadStore.js

@@ -1,6 +1,6 @@
 // src/stores/downloadstHeadStore.js
 import { defineStore } from 'pinia'
-import { download } from 'src/services/api'
+import { download, extractApiErrorDetail } from 'src/services/api'
 
 export const useDownloadstHeadStore = defineStore('downloadstHead', {
   actions: {
@@ -37,12 +37,14 @@ export const useDownloadstHeadStore = defineStore('downloadstHead', {
         return { ok: true, message: '📄 PDF hazırlandı' }
 
       } catch (err) {
-        console.error('❌ PDF açma hatası:', err)
+        const detail = await extractApiErrorDetail(err)
+        const status = err?.status || err?.response?.status || '-'
+        console.error(`? PDF a<>ma hatas<61> [${status}] /exportstamentheaderreport-pdf: ${detail}`)
         return {
           ok: false,
           message:
-            err?.message ||
+            detail ||
-            '❌ PDF açma hatası'
+            'PDF a<EFBFBD>ma hatas<EFBFBD>'
         }
       }
     }

ui/src/stores/downloadstpdfStore.js

@@ -1,6 +1,6 @@
 // src/stores/downloadstpdfStore.js
 import { defineStore } from 'pinia'
-import { download } from 'src/services/api'
+import { download, extractApiErrorDetail } from 'src/services/api'
 
 export const useDownloadstpdfStore = defineStore('downloadstpdf', {
   actions: {
@@ -37,13 +37,15 @@ export const useDownloadstpdfStore = defineStore('downloadstpdf', {
         return { ok: true, message: '📄 PDF hazırlandı' }
 
       } catch (err) {
-        console.error('❌ PDF açma hatası:', err)
+        const detail = await extractApiErrorDetail(err)
+        const status = err?.status || err?.response?.status || '-'
+        console.error(`? PDF a<>ma hatas<61> [${status}] /export-pdf: ${detail}`)
 
         return {
           ok: false,
           message:
-            err?.message ||
+            detail ||
-            '❌ PDF alınamadı'
+            'PDF al<EFBFBD>namad<EFBFBD>'
         }
       }
     }

ui/src/stores/orderentryStore.js

@@ -3,7 +3,7 @@
 =========================================================== */
 
 import { defineStore } from 'pinia'
-import api from 'src/services/api'
+import api, { extractApiErrorDetail } from 'src/services/api'
 import dayjs from 'src/boot/dayjs'
 import { ref, toRaw, nextTick } from 'vue'   // ✅ düzeltildi
 import { useAuthStore } from 'src/stores/authStore'
@@ -43,12 +43,12 @@ export function buildComboKey(row, beden) {
 
 
 export const BEDEN_SCHEMA = [
+  { key: 'tak', title: 'TAKIM ELBISE', values: ['44','46','48','50','52','54','56','58','60','62','64','66','68','70','72','74'] },
   { key: 'ayk', title: 'AYAKKABI', values: ['39','40','41','42','43','44','45'] },
-  { key: 'yas', title: 'YAŞ', values: ['2','4','6','8','10','12','14'] },
+  { key: 'yas', title: 'YAS', values: ['2','4','6','8','10','12','14'] },
   { key: 'pan', title: 'PANTOLON', values: ['38','40','42','44','46','48','50','52','54','56','58','60','62','64','66','68'] },
-  { key: 'gom', title: 'GÖMLEK', values: ['XS','S','M','L','XL','2XL','3XL','4XL','5XL','6XL','7XL'] },
+  { key: 'gom', title: 'GOMLEK', values: ['XS','S','M','L','XL','2XL','3XL','4XL','5XL','6XL','7XL'] },
-  { key: 'tak', title: 'TAKIM ELBİSE', values: ['44','46','48','50','52','54','56','58','60','62','64','66','68','70','72','74'] },
+  { key: 'aksbir', title: 'AKSESUAR', values: [' ', '44', 'STD', '110', '115', '120', '125', '130', '135'] }
-  { key: 'aksbir', title: 'AKSESUAR', values: [' ', '44', 'STD', '110CM', '115CM', '120CM', '125CM', '130CM', '135CM'] }
 ]
 
 export const schemaByKey = BEDEN_SCHEMA.reduce((m, g) => {
@@ -268,7 +268,7 @@ export const useOrderEntryStore = defineStore('orderentry', {
       if (!Array.isArray(invalidList) || invalidList.length === 0) return
 
       return new Promise(resolve => {
-        $q.dialog({
+        const dlg = $q.dialog({
           title: '🚨 Tanımsız Ürün Kombinasyonları',
           message: `
         <div style="max-height:60vh;overflow:auto">
@@ -309,16 +309,18 @@ export const useOrderEntryStore = defineStore('orderentry', {
         })
           .onOk(() => resolve())
           .onDismiss(() => resolve())
-          .onShown(() => {
+
-            // Satıra tıklama → scroll + highlight
+        // Quasar v2 chain API'de onShown yok; dialog DOM'u render olduktan sonra bağla.
-            const nodes = document.querySelectorAll('.invalid-row')
+        setTimeout(() => {
-            nodes.forEach(n => {
+          if (!dlg) return
-              n.addEventListener('click', () => {
+          const nodes = document.querySelectorAll('.invalid-row')
-                const ck = n.getAttribute('data-clientkey')
+          nodes.forEach(n => {
-                this.scrollToInvalidRow?.(ck)
+            n.addEventListener('click', () => {
-              })
+              const ck = n.getAttribute('data-clientkey')
+              this.scrollToInvalidRow?.(ck)
             })
           })
+        }, 0)
       })
     }
     ,
@@ -389,8 +391,10 @@ export const useOrderEntryStore = defineStore('orderentry', {
         })
         return resp.data
       } catch (err) {
-        console.error("❌ fetchOrderPdf hata:", err)
+        const detail = await extractApiErrorDetail(err)
-        throw err
+        const status = err?.status || err?.response?.status || '-'
+        console.error(`? fetchOrderPdf hata [${status}] order=${orderId}: ${detail}`)
+        throw new Error(detail)
       }
     }
     ,
@@ -414,8 +418,11 @@ export const useOrderEntryStore = defineStore('orderentry', {
         setTimeout(() => URL.revokeObjectURL(url), 60_000)
 
       } catch (err) {
-        console.error('❌ PDF açma hatası:', err)
+        const detail = await extractApiErrorDetail(err)
-        throw err
+        const orderId = id || this.header?.OrderHeaderID || '-'
+        const status = err?.status || err?.response?.status || '-'
+        console.error(`? PDF a<>ma hatas<61> [${status}] order=${orderId}: ${detail}`)
+        throw new Error(detail)
       }
     }
 
@@ -1694,14 +1701,15 @@ export const useOrderEntryStore = defineStore('orderentry', {
                 : {}
 
           /* ===== SAME COMBO → UPDATE ===== */
-          if (sameCombo) {
+            if (sameCombo) {
-            rows[idx] = {
+              rows[idx] = {
-              ...prev,
+                ...prev,
-              ...newRow,
+                ...newRow,
-              id: prev.id,
+                _dirty: true,
-              OrderLineID: prev.OrderLineID || null,
+                id: prev.id,
-              lineIdMap: preservedLineIdMap
+                OrderLineID: prev.OrderLineID || null,
-            }
+                lineIdMap: preservedLineIdMap
+              }
 
             this.summaryRows = rows
             this.orders = rows
@@ -1754,12 +1762,13 @@ export const useOrderEntryStore = defineStore('orderentry', {
             comboLineIds: { ...(prev.comboLineIds || {}) }
           }
 
-          const insertedRow = {
+            const insertedRow = {
-            ...newRow,
+              ...newRow,
-            id: crypto.randomUUID(),
+              _dirty: true,
-            OrderLineID: null,
+              id: crypto.randomUUID(),
-            lineIdMap: {}
+              OrderLineID: null,
-          }
+              lineIdMap: {}
+            }
 
           rows.splice(idx, 1, insertedRow)
 
@@ -1817,7 +1826,9 @@ export const useOrderEntryStore = defineStore('orderentry', {
             // MERGE: bedenleri topluyoruz (override değil)
             const merged = { ...(prevMap || {}) }
             for (const [k, v] of Object.entries(newMap || {})) {
-              const beden = (k == null || String(k).trim() === '') ? ' ' : String(k).trim()
+              const beden = (k == null || String(k).trim() === '')
+                ? ' '
+                : normalizeBedenLabel(String(k))
               merged[beden] = Number(merged[beden] || 0) + Number(v || 0)
             }
 
@@ -1826,13 +1837,14 @@ export const useOrderEntryStore = defineStore('orderentry', {
             const price = Number(newRow?.fiyat ?? prev?.fiyat ?? 0)
             const totalTutar = Number((totalAdet * price).toFixed(2))
 
-            rows[dupIdx] = {
+              rows[dupIdx] = {
-              ...prev,
+                ...prev,
-              ...newRow,
+                ...newRow,
+                _dirty: true,
 
-              // kritik korumalar
+                // kritik korumalar
-              id: prev.id,
+                id: prev.id,
-              OrderLineID: prev.OrderLineID || null,
+                OrderLineID: prev.OrderLineID || null,
               lineIdMap: { ...(prev.lineIdMap || {}) },
 
               // MERGED bedenMap
@@ -1860,12 +1872,13 @@ export const useOrderEntryStore = defineStore('orderentry', {
         }
 
         // dup yoksa (veya dup delete satırıydı) → yeni satır
-        rows.push({
+          rows.push({
-          ...newRow,
+            ...newRow,
-          id: newRow.id || crypto.randomUUID(),
+            _dirty: true,
-          OrderLineID: null,
+            id: newRow.id || crypto.randomUUID(),
-          lineIdMap: { ...(newRow.lineIdMap || {}) }
+            OrderLineID: null,
-        })
+            lineIdMap: { ...(newRow.lineIdMap || {}) }
+          })
 
         this.summaryRows = rows
         this.orders = rows
@@ -2231,11 +2244,11 @@ export const useOrderEntryStore = defineStore('orderentry', {
 
         merged[modelKey] ??= []
 
-        const beden = (
+        const bedenRaw =
-          raw.ItemDim1Code == null || String(raw.ItemDim1Code).trim() === ''
+          raw.ItemDim1Code == null
-            ? ' '
+            ? ''
-            : String(raw.ItemDim1Code).trim().toUpperCase()
+            : String(raw.ItemDim1Code).trim()
-        )
+        const beden = bedenRaw === '' ? ' ' : normalizeBedenLabel(bedenRaw)
 
         const qty = Number(raw.Qty1 || raw.Qty || 0)
 
@@ -2310,8 +2323,25 @@ export const useOrderEntryStore = defineStore('orderentry', {
             row.kategori
           )
 
+          const cleanedMap = { ...row.__tmpMap }
+          const hasNonBlankBeden = Object.keys(cleanedMap)
+            .some(k => String(k).trim() !== '')
+
+          // Gomlek/takim/pantolon gibi gruplarda bos beden sadece legacy kirli veri olabilir.
+          // Gecerli bedenler varsa bos bedeni payload/UI'dan temizliyoruz.
+          if (grpKey !== 'aksbir' && hasNonBlankBeden) {
+            delete cleanedMap[' ']
+            delete cleanedMap['']
+            if (row.lineIdMap && typeof row.lineIdMap === 'object') {
+              delete row.lineIdMap[' ']
+              delete row.lineIdMap['']
+            }
+          }
+
           row.grpKey = grpKey
-          row.bedenMap = { [grpKey]: { ...row.__tmpMap } }
+          row.bedenMap = { [grpKey]: { ...cleanedMap } }
+          row.adet = Object.values(cleanedMap).reduce((a, b) => a + (Number(b) || 0), 0)
+          row.tutar = Number((row.adet * Number(row.fiyat || 0)).toFixed(2))
 
           /* ===================================================
              🔒 AKSBİR — BOŞLUK BEDEN GERÇEK ADETİ ALIR
@@ -2485,9 +2515,9 @@ export const useOrderEntryStore = defineStore('orderentry', {
       const g = (row?.urunAnaGrubu || '').toUpperCase()
       if (g.includes('TAKIM')) return 'tak'
       if (g.includes('PANTOLON')) return 'pan'
-      if (g.includes('GÖMLEK')) return 'gom'
+      if (g.includes('GOMLEK')) return 'gom'
       if (g.includes('AYAKKABI')) return 'ayk'
-      if (g.includes('YAŞ')) return 'yas'
+      if (g.includes('YAS')) return 'yas'
       return 'tak'
     },
     /* =======================================================
@@ -2607,7 +2637,12 @@ export const useOrderEntryStore = defineStore('orderentry', {
         // 🧪 PRE-VALIDATE — prItemVariant ön kontrol
         //   - invalid varsa CREATE/UPDATE ÇALIŞMAZ
         // =======================================================
-        const v = await api.post('/order/validate', { header, lines })
+        const linesToValidate =
+          isNew
+            ? lines
+            : lines.filter(l => l._deleteSignal === true || l._dirty === true || !l.OrderLineID)
+
+        const v = await api.post('/order/validate', { header, lines: linesToValidate })
         const invalid = v?.data?.invalid || []
 
         if (invalid.length > 0) {
@@ -2725,7 +2760,19 @@ export const useOrderEntryStore = defineStore('orderentry', {
         ======================================================= */
         if (choice === 'print') {
           const id = this.header?.OrderHeaderID || serverOrderId
-          if (id) await this.downloadOrderPdf(id)
+          if (id) {
+            try {
+              await this.downloadOrderPdf(id)
+            } catch (pdfErr) {
+              console.error('⚠️ PDF açılamadı, kayıt başarılı:', pdfErr)
+              $q.notify({
+                type: 'warning',
+                message:
+                  pdfErr?.message ||
+                  'Sipariş kaydedildi fakat PDF açılamadı.'
+              })
+            }
+          }
           return
         }
 
@@ -2743,6 +2790,7 @@ export const useOrderEntryStore = defineStore('orderentry', {
         $q.notify({
           type: 'negative',
           message:
+            err?.response?.data?.detail ||
             err?.response?.data?.message ||
             err?.message ||
             'Kayıt sırasında hata'
@@ -2930,10 +2978,12 @@ export const useOrderEntryStore = defineStore('orderentry', {
         // ComboKey stabil kalsın diye bedenKey kullan
         const comboKey = buildComboKey(row, bedenKey)
 
-        const makeLine = () => ({
+          const makeLine = () => ({
-          OrderLineID: orderLineId || '',
+            OrderLineID: orderLineId || '',
-          ClientKey: makeLineClientKey(row, grpKey, bedenKey),
+            ClientKey: makeLineClientKey(row, grpKey, bedenKey),
-          ComboKey: comboKey,
+            ComboKey: comboKey,
+            _dirty: row?._dirty === true,
+            _deleteSignal: isDeleteSignal === true,
 
           SortOrder: 0,
           ItemTypeCode: 1,
@@ -3001,26 +3051,30 @@ export const useOrderEntryStore = defineStore('orderentry', {
           DOVCode: ''
         })
 
-        const existing = lineByCombo.get(comboKey)
+          const existing = lineByCombo.get(comboKey)
 
-        if (!existing) {
+          if (!existing) {
-          const ln = makeLine()
+            const ln = makeLine()
-          lineByCombo.set(comboKey, ln)
+            lineByCombo.set(comboKey, ln)
-          lines.push(ln)
+            lines.push(ln)
-          return
+            return
-        }
+          }
 
         /* DELETE */
-        if (isDeleteSignal) {
+          if (isDeleteSignal) {
-          if (orderLineId && !existing.OrderLineID) {
+            if (orderLineId && !existing.OrderLineID) {
-            existing.OrderLineID = orderLineId
+              existing.OrderLineID = orderLineId
+            }
+            existing._deleteSignal = true
+            existing.Qty1 = 0
+            return
           }
-          existing.Qty1 = 0
-          return
-        }
 
-        /* MERGE */
+          /* MERGE */
-        existing.Qty1 += qty
+          existing.Qty1 += qty
+          if (row?._dirty === true) {
+            existing._dirty = true
+          }
 
         if (this.mode === 'edit' && orderLineId && !existing.OrderLineID) {
           existing.OrderLineID = orderLineId
@@ -3054,6 +3108,12 @@ export const useOrderEntryStore = defineStore('orderentry', {
 
         /* 🔹 BEDENSİZ / AKSBİR */
         if (!hasAnyBeden) {
+          const allowBlankPayload =
+            grpKey === 'aksbir' || row._deleteSignal === true
+          if (!allowBlankPayload) {
+            continue
+          }
+
           const qty = toNum(row.qty ?? row.Qty1 ?? row.miktar ?? 0)
 
           // ✅ ComboKey stabil: bedenKey = '_'
@@ -3067,6 +3127,7 @@ export const useOrderEntryStore = defineStore('orderentry', {
             orderLineId =
               safeStr(lineIdMap?.[bedenKey]) ||
               safeStr(lineIdMap?.[bedenPayload]) ||
+              safeStr(lineIdMap?.[' ']) ||
               safeStr(row.OrderLineID)
           }
 
@@ -3083,6 +3144,15 @@ export const useOrderEntryStore = defineStore('orderentry', {
 
         /* 🔹 BEDENLİ */
         for (const [bedenRaw, qtyRaw] of Object.entries(map)) {
+          const isBlankBeden = safeStr(bedenRaw) === ''
+          if (
+            isBlankBeden &&
+            grpKey !== 'aksbir' &&
+            row._deleteSignal !== true
+          ) {
+            continue
+          }
+
           const qty = toNum(qtyRaw)
 
           // ✅ payload beden: '' / 'S' / 'M' ...
@@ -3096,6 +3166,7 @@ export const useOrderEntryStore = defineStore('orderentry', {
             orderLineId =
               safeStr(lineIdMap?.[bedenKey]) ||
               safeStr(lineIdMap?.[bedenPayload]) ||
+              safeStr(lineIdMap?.[' ']) ||
               (Object.keys(map).length === 1
                 ? safeStr(row.OrderLineID)
                 : '')
@@ -3220,39 +3291,75 @@ export const useOrderEntryStore = defineStore('orderentry', {
 
 
 /* ===========================================================
-   🔹 BEDEN LABEL NORMALİZASYONU (exported helper)
+   Size Label Normalization (frontend helper)
    =========================================================== */
+function safeTrimUpperJs(v) {
+  return (v == null ? '' : String(v)).trim().toUpperCase()
+}
+
+function normalizeTextForMatch(v) {
+  return safeTrimUpperJs(v)
+    .normalize('NFD')
+    .replace(/[\u0300-\u036f]/g, '')
+}
+
+function parseNumericSizeJs(v) {
+  const s = safeTrimUpperJs(v)
+  if (s === '' || !/^\d+$/.test(s)) return null
+  const n = Number.parseInt(s, 10)
+  return Number.isNaN(n) ? null : n
+}
+
 export function normalizeBedenLabel(v) {
-  if (v === null || v === undefined) return ' '
+  let s = (v == null ? '' : String(v)).trim()
-  let s = String(v).trim()
   if (s === '') return ' '
-  // 44R, 50L vb. son ekleri at
+
-  s = s.replace(/(^\d+)\s*[A-Z]?$/i, '$1')
   s = s.toUpperCase()
 
-  // harfli bedenlerin normalizasyonu
+  // Backend parity: normalize common "standard size" aliases.
-  const map = {
+  switch (s) {
-    'XS': 'XS', 'S': 'S', 'M': 'M', 'L': 'L', 'XL': 'XL',
+    case 'STD':
-    'XXL': '2XL', '2XL': '2XL', '3XL': '3XL', '4XL': '4XL',
+    case 'STANDART':
-    '5XL': '5XL', '6XL': '6XL', '7XL': '7XL', 'STD': 'STD'
+    case 'STANDARD':
+    case 'ONE SIZE':
+    case 'ONESIZE':
+      return 'STD'
   }
-  if (map[s]) return map[s]
 
-  // tamamen sayıysa string olarak döndür
+  // Backend parity: only values ending with CM are converted to numeric part.
-  if (/^\d+$/.test(s)) return s
+  if (s.endsWith('CM')) {
+    const num = s.slice(0, -2).trim()
+    if (num !== '') return num
+  }
+
+  switch (s) {
+    case 'XS':
+    case 'S':
+    case 'M':
+    case 'L':
+    case 'XL':
+    case '2XL':
+    case '3XL':
+    case '4XL':
+    case '5XL':
+    case '6XL':
+    case '7XL':
+      return s
+  }
 
-  // virgüllü değer geldiyse ilkini al
-  if (s.includes(',')) return s.split(',')[0].trim()
   return s
 }
 
+// Backward-compatible alias kept for older call sites/bundles.
+export function normalizeBeden(v) {
+  return normalizeBedenLabel(v)
+}
+
 /* ===========================================================
-   🔹 BEDEN GRUBU ALGILAMA HELPER’I
+   Size Group Detection
-   -----------------------------------------------------------
+   - Core logic aligned with backend detectBedenGroupGo
-   Gelen beden listesini, ürün grubu/kategori bilgisine göre
+   - Keeps frontend aksbir bucket for accessory lines
-   doğru grup anahtarına dönüştürür (ayk, yas, pan, gom, tak, aksbir).
+   =========================================================== */
-   -----------------------------------------------------------
-=========================================================== */
 export function detectBedenGroup(bedenList, urunAnaGrubu = '', urunKategori = '') {
   const list = Array.isArray(bedenList) && bedenList.length > 0
     ? bedenList.map(v => (v || '').toString().trim().toUpperCase())
@@ -3302,6 +3409,8 @@ export function detectBedenGroup(bedenList, urunAnaGrubu = '', urunKategori = ''
   return 'tak'
 }
 
+
+
 export function toSummaryRowFromForm(form) {
   if (!form) return null
 
@@ -3316,7 +3425,7 @@ export function toSummaryRowFromForm(form) {
     const lbl =
       rawLbl == null || String(rawLbl).trim() === ''
         ? ' '
-        : String(rawLbl).trim()
+        : normalizeBedenLabel(String(rawLbl))
 
     const val = Number(values[i] || 0)
     if (val > 0) {

ui/src/stores/permissionStore.js

@@ -165,13 +165,12 @@ export const usePermissionStore = defineStore('permission', {
 
       try {
 
-        // API ROUTES
+        const [routesRes, effRes] = await Promise.all([
-        const routesRes = await api.get('/permissions/routes')
+          api.get('/permissions/routes'),
+          api.get('/permissions/effective')
+        ])
+
         this.routes = routesRes.data || []
-
-
-        // EFFECTIVE MATRIX
-        const effRes = await api.get('/permissions/effective')
         this.matrix = effRes.data || []
         console.group('🔐 PERMISSION DEBUG')