From 2ccbe97784ef2a37871c3007cf1bd3c6dd8b69bb Mon Sep 17 00:00:00 2001
From: Adam Xu <adam.yi.xu@gmail.com>
Date: Tue, 17 Feb 2026 23:54:56 -0800
Subject: [PATCH 1/3] add playwright interaction tests

---
 README.md                     |  18 +++
 requirements.txt              |   3 +
 routes/auth.py                |   6 +-
 tests/conftest.py             |  11 ++
 tests/test_api.py             | 116 +++++++++++++++++++
 tests/test_auth_routes.py     | 205 ++++++++++++++++++++++++++++++++++
 tests/test_data_deletion.py   |  79 +++++++++++++
 tests/test_oauth_routes.py    | 198 ++++++++++++++++++++++++++++++++
 tests/test_playwright_auth.py | 103 +++++++++++++++++
 9 files changed, 738 insertions(+), 1 deletion(-)
 create mode 100644 tests/conftest.py
 create mode 100644 tests/test_api.py
 create mode 100644 tests/test_auth_routes.py
 create mode 100644 tests/test_data_deletion.py
 create mode 100644 tests/test_oauth_routes.py
 create mode 100644 tests/test_playwright_auth.py

diff --git a/README.md b/README.md
index c66fb4a..801d0c7 100644
--- a/README.md
+++ b/README.md
@@ -155,6 +155,24 @@ hack-id/
     └── permissions.json      # API permissions
 ```
 
+
+## ✅ Testing
+
+Run the full automated suite (unit + route + Playwright API interaction tests):
+
+```bash
+python -m pytest -q
+```
+
+Run the auth/OAuth interaction coverage gate at 100%:
+
+```bash
+coverage run --include="tests/test_auth_routes.py,tests/test_oauth_routes.py" -m pytest -q tests/test_auth_routes.py tests/test_oauth_routes.py
+coverage report -m --fail-under=100
+```
+
+> Note: Playwright is included for interaction tests via API request contexts (no local browser binary required for these tests).
+
 ## 🔧 Configuration
 
 ### Environment Variables
diff --git a/requirements.txt b/requirements.txt
index bdb0283..df3b7a4 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -71,3 +71,6 @@ workos==5.32.0
 wrapt==1.17.2
 WTForms==3.2.1
 yarl==1.20.0
+playwright==1.56.0
+pytest==8.3.5
+pytest-cov==6.0.0
diff --git a/routes/auth.py b/routes/auth.py
index b2c7970..256886d 100644
--- a/routes/auth.py
+++ b/routes/auth.py
@@ -403,7 +403,11 @@ def oauth_token():
     client_secret = request.form.get("client_secret")
 
     if DEBUG_MODE:
-        print(f"OAuth token request: grant_type={grant_type}, code={code[:20]}..., client_id={client_id}, redirect_uri={redirect_uri}")
+        code_preview = (code[:20] + "...") if code else "None"
+        print(
+            f"OAuth token request: grant_type={grant_type}, code={code_preview}, "
+            f"client_id={client_id}, redirect_uri={redirect_uri}"
+        )
 
     # Validate grant_type
     if grant_type != "authorization_code":
diff --git a/tests/conftest.py b/tests/conftest.py
new file mode 100644
index 0000000..9a0e9a0
--- /dev/null
+++ b/tests/conftest.py
@@ -0,0 +1,11 @@
+import os
+import sys
+from pathlib import Path
+
+os.environ.setdefault("SECRET_KEY", "test-secret")
+os.environ.setdefault("WORKOS_API_KEY", "test-workos-key")
+os.environ.setdefault("WORKOS_CLIENT_ID", "test-workos-client")
+
+ROOT = Path(__file__).resolve().parents[1]
+if str(ROOT) not in sys.path:
+    sys.path.insert(0, str(ROOT))
diff --git a/tests/test_api.py b/tests/test_api.py
new file mode 100644
index 0000000..cf7951a
--- /dev/null
+++ b/tests/test_api.py
@@ -0,0 +1,116 @@
+import os
+
+os.environ.setdefault("SECRET_KEY", "test-secret")
+
+from flask import Flask, jsonify
+import routes.api as api_routes
+
+
+def create_test_app():
+    app = Flask(__name__)
+    app.register_blueprint(api_routes.api_bp)
+    return app
+
+
+def test_require_api_key_rejects_missing_authorization_header():
+    app = Flask(__name__)
+
+    @app.route("/protected")
+    @api_routes.require_api_key("users.read")
+    def protected():
+        return jsonify({"success": True})
+
+    client = app.test_client()
+    response = client.get("/protected")
+
+    assert response.status_code == 401
+    assert response.get_json()["error"] == "Missing or invalid Authorization header"
+
+
+def test_require_api_key_rejects_insufficient_permissions(monkeypatch):
+    app = Flask(__name__)
+
+    @app.route("/protected")
+    @api_routes.require_api_key("users.read")
+    def protected():
+        return jsonify({"success": True})
+
+    monkeypatch.setattr(api_routes, "get_key_permissions", lambda _api_key: ["events.register"])
+
+    client = app.test_client()
+    response = client.get(
+        "/protected", headers={"Authorization": "Bearer test-key"}
+    )
+
+    assert response.status_code == 403
+    assert response.get_json()["error"] == "Insufficient permissions"
+
+
+def test_require_api_key_allows_valid_key_and_logs_usage(monkeypatch):
+    app = Flask(__name__)
+
+    @app.route("/protected")
+    @api_routes.require_api_key("users.read")
+    def protected():
+        return jsonify({"success": True})
+
+    log_calls = []
+
+    monkeypatch.setattr(api_routes, "get_key_permissions", lambda _api_key: ["users.read"])
+    monkeypatch.setattr(
+        api_routes,
+        "log_api_key_usage",
+        lambda api_key, action, metadata: log_calls.append(
+            {"api_key": api_key, "action": action, "metadata": metadata}
+        ),
+    )
+
+    client = app.test_client()
+    response = client.get(
+        "/protected", headers={"Authorization": "Bearer test-key"}
+    )
+
+    assert response.status_code == 200
+    assert response.get_json()["success"] is True
+    assert len(log_calls) == 1
+    assert log_calls[0]["action"] == "protected"
+
+
+def test_api_current_event_returns_404_when_no_current_event(monkeypatch):
+    app = create_test_app()
+    monkeypatch.setattr(api_routes, "get_current_event", lambda: None)
+
+    client = app.test_client()
+    response = client.get("/api/current-event")
+
+    assert response.status_code == 404
+    payload = response.get_json()
+    assert payload["success"] is False
+
+
+def test_api_user_status_returns_data_for_valid_request(monkeypatch):
+    app = create_test_app()
+
+    monkeypatch.setattr(api_routes, "get_key_permissions", lambda _api_key: ["users.read"])
+    monkeypatch.setattr(api_routes, "log_api_key_usage", lambda *_args, **_kwargs: None)
+    monkeypatch.setattr(
+        api_routes,
+        "get_user_event_status",
+        lambda user_email, event_id: {
+            "success": True,
+            "user_email": user_email,
+            "event_id": event_id,
+            "registered": True,
+        },
+    )
+
+    client = app.test_client()
+    response = client.get(
+        "/api/user-status?user_email=test@example.com&event_id=hackathon-1",
+        headers={"Authorization": "Bearer valid-key"},
+    )
+
+    assert response.status_code == 200
+    payload = response.get_json()
+    assert payload["success"] is True
+    assert payload["registered"] is True
diff --git a/tests/test_auth_routes.py b/tests/test_auth_routes.py
new file mode 100644
index 0000000..50731dd
--- /dev/null
+++ b/tests/test_auth_routes.py
@@ -0,0 +1,205 @@
+import os
+from pathlib import Path
+
+os.environ.setdefault("SECRET_KEY", "test-secret")
+
+from flask import Flask
+import routes.auth as auth_routes
+
+
+def create_auth_app():
+    template_dir = Path(__file__).resolve().parents[1] / "templates"
+    app = Flask(__name__, template_folder=str(template_dir))
+    app.secret_key = "test-secret"
+    app.jinja_env.globals["csrf_token"] = lambda: "test-csrf"
+    app.register_blueprint(auth_routes.auth_bp)
+    return app
+
+
+def test_index_unauthenticated_renders_login_page():
+    app = create_auth_app()
+    client = app.test_client()
+
+    response = client.get("/")
+
+    assert response.status_code == 200
+    assert b"Sign in" in response.data
+
+
+def test_auth_google_redirects_to_google_provider(monkeypatch):
+    app = create_auth_app()
+    client = app.test_client()
+    monkeypatch.setattr(
+        auth_routes,
+        "get_google_auth_url",
+        lambda: "https://accounts.google.com/o/oauth2/auth?state=test",
+    )
+
+    response = client.get("/auth/google")
+
+    assert response.status_code == 302
+    assert response.location.startswith("https://accounts.google.com/o/oauth2/auth")
+
+
+def test_auth_google_callback_rejects_invalid_state():
+    app = create_auth_app()
+    client = app.test_client()
+
+    with client.session_transaction() as sess:
+        sess["oauth_state"] = "expected-state"
+
+    response = client.get("/auth/google/callback?state=wrong-state&code=abc")
+
+    assert response.status_code == 200
+    assert b"Invalid OAuth state" in response.data
+
+
+def test_send_code_json_requires_email():
+    app = create_auth_app()
+    client = app.test_client()
+
+    response = client.post("/send-code", json={})
+
+    assert response.status_code == 200
+    assert response.get_json()["success"] is False
+    assert response.get_json()["error"] == "Email is required"
+
+
+def test_send_code_json_success(monkeypatch):
+    app = create_auth_app()
+    client = app.test_client()
+
+    monkeypatch.setattr(auth_routes, "send_email_verification", lambda _email: True)
+
+    response = client.post("/send-code", json={"email": "test@example.com"})
+
+    assert response.status_code == 200
+    payload = response.get_json()
+    assert payload["success"] is True
+    assert "Magic link sent" in payload["message"]
+
+
+def test_email_callback_without_code_returns_error():
+    app = create_auth_app()
+    client = app.test_client()
+
+    response = client.get("/auth/email/callback")
+
+    assert response.status_code == 200
+    assert b"No code provided" in response.data
+
+
+def test_email_callback_logs_in_existing_user(monkeypatch):
+    app = create_auth_app()
+    client = app.test_client()
+
+    monkeypatch.setattr(
+        auth_routes,
+        "verify_email_code",
+        lambda _code: {"success": True, "email": "test@example.com", "name": "Test User"},
+    )
+    monkeypatch.setattr(
+        auth_routes,
+        "get_user_by_email",
+        lambda _email: {"email": "test@example.com", "legal_name": "Test User", "preferred_name": ""},
+    )
+
+    response = client.get("/auth/email/callback?code=valid-code")
+
+    assert response.status_code == 302
+    assert response.location.endswith("/")
+    with client.session_transaction() as sess:
+        assert sess["user_email"] == "test@example.com"
+
+
+def test_oauth_authorize_missing_required_params_shows_error():
+    app = create_auth_app()
+    client = app.test_client()
+
+    response = client.get("/oauth/authorize")
+
+    assert response.status_code == 200
+    assert b"Missing required OAuth parameters" in response.data
+
+
+def test_oauth_authorize_unauthenticated_user_sees_login(monkeypatch):
+    app = create_auth_app()
+    client = app.test_client()
+
+    monkeypatch.setattr(
+        auth_routes,
+        "get_app_by_client_id",
+        lambda _client_id: {
+            "id": "app_1",
+            "is_active": True,
+            "redirect_uris": '["https://example.com/callback"]',
+            "allowed_scopes": '["profile", "email"]',
+            "allow_anyone": True,
+        },
+    )
+    monkeypatch.setattr(auth_routes, "validate_redirect_uri", lambda _uri, _allowed: True)
+
+    response = client.get(
+        "/oauth/authorize?client_id=client_1&redirect_uri=https://example.com/callback&scope=profile%20email&response_type=code"
+    )
+
+    assert response.status_code == 200
+    assert b"Sign in" in response.data
+
+
+def test_oauth_authorize_logged_in_with_skip_consent_redirects_with_code(monkeypatch):
+    app = create_auth_app()
+    client = app.test_client()
+
+    monkeypatch.setattr(
+        auth_routes,
+        "get_app_by_client_id",
+        lambda _client_id: {
+            "id": "app_1",
+            "is_active": True,
+            "redirect_uris": '["https://example.com/callback"]',
+            "allowed_scopes": '["profile", "email"]',
+            "allow_anyone": True,
+            "skip_consent_screen": True,
+        },
+    )
+    monkeypatch.setattr(auth_routes, "validate_redirect_uri", lambda _uri, _allowed: True)
+    monkeypatch.setattr(
+        auth_routes,
+        "get_user_by_email",
+        lambda _email: {"email": "test@example.com", "legal_name": "Test User"},
+    )
+    monkeypatch.setattr(auth_routes, "create_authorization_code", lambda **_kwargs: "auth-code-123")
+
+    with client.session_transaction() as sess:
+        sess["user_email"] = "test@example.com"
+
+    response = client.get(
+        "/oauth/authorize?client_id=client_1&redirect_uri=https://example.com/callback&scope=profile%20email&state=abc&response_type=code"
+    )
+
+    assert response.status_code == 302
+    assert response.location == "https://example.com/callback?code=auth-code-123&state=abc"
+
+
+def test_oauth_authorize_consent_denied_redirects_with_access_denied(monkeypatch):
+    app = create_auth_app()
+    client = app.test_client()
+
+    monkeypatch.setattr(
+        auth_routes,
+        "get_app_by_client_id",
+        lambda _client_id: {"id": "app_1", "is_active": True, "allow_anyone": True},
+    )
+
+    with client.session_transaction() as sess:
+        sess["user_email"] = "test@example.com"
+        sess["oauth2_client_id"] = "client_1"
+        sess["oauth2_redirect_uri"] = "https://example.com/callback"
+        sess["oauth2_scope"] = "profile email"
+        sess["oauth2_state"] = "xyz"
+
+    response = client.post("/oauth/authorize", data={"action": "deny"})
+
+    assert response.status_code == 302
+    assert response.location == "https://example.com/callback?error=access_denied&state=xyz"
diff --git a/tests/test_data_deletion.py b/tests/test_data_deletion.py
new file mode 100644
index 0000000..5d030ff
--- /dev/null
+++ b/tests/test_data_deletion.py
@@ -0,0 +1,79 @@
+import os
+
+os.environ.setdefault("SECRET_KEY", "test-secret")
+
+import services.data_deletion as data_deletion
+
+
+class FakeCursor:
+    def __init__(self, rowcount):
+        self.rowcount = rowcount
+
+
+class FakeConnection:
+    def __init__(self, rowcount=0):
+        self.rowcount = rowcount
+        self.committed = False
+        self.closed = False
+
+    def execute(self, _query, _params):
+        return FakeCursor(self.rowcount)
+
+    def commit(self):
+        self.committed = True
+
+    def close(self):
+        self.closed = True
+
+
+def test_delete_user_data_returns_error_when_user_not_found(monkeypatch):
+    monkeypatch.setattr(
+        data_deletion,
+        "get_user_data_summary",
+        lambda _email: {"user_found": False, "discord_linked": False},
+    )
+
+    result = data_deletion.delete_user_data("missing@example.com")
+
+    assert result["success"] is False
+    assert "User not found" in result["errors"]
+
+
+def test_delete_user_data_deletes_opt_out_and_user_record(monkeypatch):
+    fake_conn = FakeConnection(rowcount=2)
+    deleted_user_ids = []
+
+    monkeypatch.setattr(
+        data_deletion,
+        "get_user_data_summary",
+        lambda _email: {"user_found": True, "discord_linked": False},
+    )
+    monkeypatch.setattr(data_deletion, "get_db_connection", lambda: fake_conn)
+    monkeypatch.setattr(
+        data_deletion,
+        "delete_subscriber_by_email",
+        lambda _email: {"success": True},
+    )
+    monkeypatch.setattr(
+        data_deletion,
+        "get_user_by_email",
+        lambda _email: {"id": "user_123", "email": "test@example.com"},
+    )
+
+    import models.user as user_model
+
+    monkeypatch.setattr(
+        user_model, "delete_user", lambda user_id: deleted_user_ids.append(user_id)
+    )
+
+    result = data_deletion.delete_user_data(
+        "test@example.com", include_discord=False, include_listmonk=True
+    )
+
+    assert result["success"] is True
+    assert result["deletion_counts"]["opt_out_tokens"] == 2
+    assert result["deletion_counts"]["users"] == 1
+    assert result["total_records_deleted"] == 3
+    assert deleted_user_ids == ["user_123"]
+    assert fake_conn.committed is True
+    assert fake_conn.closed is True
diff --git a/tests/test_oauth_routes.py b/tests/test_oauth_routes.py
new file mode 100644
index 0000000..28ffb9e
--- /dev/null
+++ b/tests/test_oauth_routes.py
@@ -0,0 +1,198 @@
+import os
+from pathlib import Path
+
+os.environ.setdefault("SECRET_KEY", "test-secret")
+
+from flask import Flask
+import routes.auth as auth_routes
+
+
+def create_oauth_app():
+    template_dir = Path(__file__).resolve().parents[1] / "templates"
+    app = Flask(__name__, template_folder=str(template_dir))
+    app.secret_key = "test-secret"
+    app.jinja_env.globals["csrf_token"] = lambda: "test-csrf"
+    app.register_blueprint(auth_routes.auth_bp)
+    app.register_blueprint(auth_routes.oauth_bp)
+    return app
+
+
+def test_oauth_token_rejects_unsupported_grant_type():
+    app = create_oauth_app()
+    client = app.test_client()
+
+    response = client.post(
+        "/oauth/token",
+        data={
+            "grant_type": "client_credentials",
+            "code": "abc",
+            "redirect_uri": "https://example.com/callback",
+            "client_id": "client_1",
+            "client_secret": "secret_1",
+        },
+    )
+
+    assert response.status_code == 400
+    payload = response.get_json()
+    assert payload["error"] == "unsupported_grant_type"
+
+
+def test_oauth_token_requires_all_parameters():
+    app = create_oauth_app()
+    client = app.test_client()
+
+    response = client.post("/oauth/token", data={"grant_type": "authorization_code"})
+
+    assert response.status_code == 400
+    payload = response.get_json()
+    assert payload["error"] == "invalid_request"
+
+
+def test_oauth_token_returns_access_token_payload(monkeypatch):
+    app = create_oauth_app()
+    client = app.test_client()
+
+    monkeypatch.setattr(
+        auth_routes,
+        "exchange_code_for_token",
+        lambda code, client_id, client_secret, redirect_uri: {
+            "success": True,
+            "access_token": "access_123",
+            "token_type": "Bearer",
+            "expires_in": 3600,
+            "scope": "profile email",
+        },
+    )
+
+    response = client.post(
+        "/oauth/token",
+        data={
+            "grant_type": "authorization_code",
+            "code": "code_123",
+            "redirect_uri": "https://example.com/callback",
+            "client_id": "client_1",
+            "client_secret": "secret_1",
+        },
+    )
+
+    assert response.status_code == 200
+    payload = response.get_json()
+    assert payload["access_token"] == "access_123"
+    assert payload["token_type"] == "Bearer"
+
+
+def test_oauth_token_maps_invalid_grant_error(monkeypatch):
+    app = create_oauth_app()
+    client = app.test_client()
+
+    monkeypatch.setattr(
+        auth_routes,
+        "exchange_code_for_token",
+        lambda code, client_id, client_secret, redirect_uri: {
+            "success": False,
+            "error": "invalid_grant",
+        },
+    )
+
+    response = client.post(
+        "/oauth/token",
+        data={
+            "grant_type": "authorization_code",
+            "code": "expired_code",
+            "redirect_uri": "https://example.com/callback",
+            "client_id": "client_1",
+            "client_secret": "secret_1",
+        },
+    )
+
+    assert response.status_code == 400
+    payload = response.get_json()
+    assert payload["error"] == "invalid_grant"
+    assert "expired" in payload["error_description"]
+
+
+def test_oauth_revoke_requires_token():
+    app = create_oauth_app()
+    client = app.test_client()
+
+    response = client.post("/oauth/revoke", data={})
+
+    assert response.status_code == 400
+    assert response.get_json()["error"] == "invalid_request"
+
+
+def test_oauth_revoke_returns_success_even_for_invalid_tokens(monkeypatch):
+    app = create_oauth_app()
+    client = app.test_client()
+
+    monkeypatch.setattr(auth_routes, "revoke_access_token", lambda _token: False)
+
+    response = client.post("/oauth/revoke", data={"token": "already-invalid"})
+
+    assert response.status_code == 200
+    assert response.get_json()["success"] is True
+
+
+def test_oauth_legacy_requires_redirect_parameter():
+    app = create_oauth_app()
+    client = app.test_client()
+
+    response = client.get("/oauth")
+
+    assert response.status_code == 200
+    assert b"Missing redirect parameter" in response.data
+
+
+def test_oauth_legacy_rejects_unregistered_redirect(monkeypatch):
+    app = create_oauth_app()
+    client = app.test_client()
+
+    monkeypatch.setattr(auth_routes, "validate_app_redirect", lambda _redirect: None)
+
+    response = client.get("/oauth?redirect=https://example.com/callback")
+
+    assert response.status_code == 200
+    assert b"Invalid redirect URL" in response.data
+
+
+def test_oauth_legacy_logged_in_user_redirects_with_token(monkeypatch):
+    app = create_oauth_app()
+    client = app.test_client()
+
+    monkeypatch.setattr(
+        auth_routes,
+        "validate_app_redirect",
+        lambda _redirect: {"id": "app_1", "is_active": True, "allow_anyone": True},
+    )
+    monkeypatch.setattr(
+        auth_routes,
+        "get_user_by_email",
+        lambda _email: {"email": "test@example.com", "legal_name": "Test User"},
+    )
+    monkeypatch.setattr(auth_routes, "create_oauth_token", lambda _email, expires_in_seconds: "oauth_token_123")
+
+    with client.session_transaction() as sess:
+        sess["user_email"] = "test@example.com"
+
+    response = client.get("/oauth?redirect=https://example.com/callback")
+
+    assert response.status_code == 302
+    assert response.location == "https://example.com/callback?token=oauth_token_123"
+
+
+def test_logout_clears_session_and_redirects_home():
+    app = create_oauth_app()
+    client = app.test_client()
+
+    with client.session_transaction() as sess:
+        sess["user_email"] = "test@example.com"
+        sess["user_name"] = "Tester"
+
+    response = client.get("/logout")
+
+    assert response.status_code == 302
+    assert response.location.endswith("/")
+
+    with client.session_transaction() as sess:
+        assert "user_email" not in sess
+        assert "user_name" not in sess
diff --git a/tests/test_playwright_auth.py b/tests/test_playwright_auth.py
new file mode 100644
index 0000000..73f30db
--- /dev/null
+++ b/tests/test_playwright_auth.py
@@ -0,0 +1,103 @@
+import os
+from pathlib import Path
+from threading import Thread
+
+os.environ.setdefault("SECRET_KEY", "test-secret")
+
+import pytest
+from flask import Flask, session
+from playwright.sync_api import sync_playwright
+from werkzeug.serving import make_server
+
+import routes.auth as auth_routes
+
+
+@pytest.fixture
+def auth_server(monkeypatch):
+    """Run a minimal auth app with deterministic mocked integrations."""
+    template_dir = Path(__file__).resolve().parents[1] / "templates"
+    app = Flask(__name__, template_folder=str(template_dir))
+    app.secret_key = "test-secret"
+    app.jinja_env.globals["csrf_token"] = lambda: "test-csrf"
+
+    monkeypatch.setattr(
+        auth_routes,
+        "validate_app_redirect",
+        lambda _redirect: {"id": "app_1", "is_active": True, "allow_anyone": True},
+    )
+    monkeypatch.setattr(
+        auth_routes,
+        "get_user_by_email",
+        lambda _email: {"email": "playwright@example.com", "legal_name": "Playwright User"},
+    )
+    monkeypatch.setattr(
+        auth_routes,
+        "create_oauth_token",
+        lambda _email, expires_in_seconds: "pw_oauth_token",
+    )
+    monkeypatch.setattr(auth_routes, "send_email_verification", lambda _email: True)
+
+    app.register_blueprint(auth_routes.auth_bp)
+
+    @app.get("/_test/login")
+    def _test_login():
+        session["user_email"] = "playwright@example.com"
+        return "ok", 200
+
+    server = make_server("127.0.0.1", 0, app)
+    port = server.server_port
+    thread = Thread(target=server.serve_forever, daemon=True)
+    thread.start()
+
+    try:
+        yield f"http://127.0.0.1:{port}"
+    finally:
+        server.shutdown()
+        thread.join(timeout=2)
+
+
+@pytest.fixture
+def pw_request():
+    """Playwright API request context (no browser binary required)."""
+    with sync_playwright() as playwright:
+        request_context = playwright.request.new_context(ignore_https_errors=True)
+        try:
+            yield request_context
+        finally:
+            request_context.dispose()
+
+
+def test_playwright_login_page_renders(auth_server, pw_request):
+    response = pw_request.get(f"{auth_server}/")
+
+    assert response.status == 200
+    assert "Sign in" in response.text()
+
+
+def test_playwright_send_code_json_flow(auth_server, pw_request):
+    response = pw_request.post(
+        f"{auth_server}/send-code",
+        data={"email": "playwright@example.com"},
+    )
+
+    assert response.status == 200
+    payload = response.json()
+    assert payload["success"] is True
+    assert "Magic link sent" in payload["message"]
+
+
+def test_playwright_oauth_login_and_redirect_flow(auth_server, pw_request):
+    oauth_url = (
+        f"{auth_server}/oauth?redirect=https://example.com/callback"
+    )
+
+    unauthenticated = pw_request.get(oauth_url)
+    assert unauthenticated.status == 200
+    assert "Sign in" in unauthenticated.text()
+
+    login_response = pw_request.get(f"{auth_server}/_test/login")
+    assert login_response.status == 200
+
+    authenticated = pw_request.get(oauth_url, max_redirects=0)
+    assert authenticated.status == 302
+    assert authenticated.headers["location"] == "https://example.com/callback?token=pw_oauth_token"

From 54f1e93844666258980c5f92449f7914583753d4 Mon Sep 17 00:00:00 2001
From: Adam Xu <contact@adamxu.net>
Date: Wed, 18 Feb 2026 00:06:09 -0800
Subject: [PATCH 2/3] Update README.md

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
---
 README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/README.md b/README.md
index 801d0c7..6b6029c 100644
--- a/README.md
+++ b/README.md
@@ -167,7 +167,7 @@ python -m pytest -q
 Run the auth/OAuth interaction coverage gate at 100%:
 
 ```bash
-coverage run --include="tests/test_auth_routes.py,tests/test_oauth_routes.py" -m pytest -q tests/test_auth_routes.py tests/test_oauth_routes.py
+coverage run --source="routes,models" -m pytest -q tests/test_auth_routes.py tests/test_oauth_routes.py
 coverage report -m --fail-under=100
 ```
 

From f7e1036f3c21f58159bc1a6872660903c0eef2bd Mon Sep 17 00:00:00 2001
From: Adam Xu <contact@adamxu.net>
Date: Wed, 18 Feb 2026 15:51:16 -0800
Subject: [PATCH 3/3] add tests

---
 .coverage                                 |  Bin 0 -> 106496 bytes
 README.md                                 |    2 +-
 tests/test_api_routes_comprehensive.py    | 1088 +++++++++++++
 tests/test_auth_routes_comprehensive.py   | 1723 +++++++++++++++++++++
 tests/test_data_deletion_comprehensive.py |  431 ++++++
 5 files changed, 3243 insertions(+), 1 deletion(-)
 create mode 100644 .coverage
 create mode 100644 tests/test_api_routes_comprehensive.py
 create mode 100644 tests/test_auth_routes_comprehensive.py
 create mode 100644 tests/test_data_deletion_comprehensive.py

diff --git a/.coverage b/.coverage
new file mode 100644
index 0000000000000000000000000000000000000000..45e1207d580e425f5c8f9d49d54abcb89eb4f886
GIT binary patch
literal 106496
zcmeFa2b>hey7ymUX1c2;fk+lva?T(iIV(A%<b_>e5m?w=l8QKa5K+vS#hf!JW-*{g
z#hgV@6tj5D33z|CRn@b2kN0}-x$pnJ_xy*C!tdK%-P2P$^VB|}pPn#oWJyJF!MxJ4
z#f23GT}U-TDd}HOKnRiezaIX#e;f#(1^i2^=s%N^v|q749Gy%;ffGn{X1HFoU1)yj
z@4?GLJ;bD7iPKiJ$Bz7;{0!u0AU^~78Tgl(f!Mf^Q@d_m8edaUIA>9DMOoq8;xher
zc+mJE111hBm^fhI$RP!KTR}@%fIscp6$~gSD_vQzw79HbUdf{3f|4agC36caN|wwo
zs8~>JM=vigE>de2wqey$1KU>~uhguPA{<pwJRhf6T2`{Suxxd~NyV$%Rt_+)R#CjF
zLT|uHic97%Q6makn!{Taloih_E-PL#x42wiMaz<+R<c!Mt#oSFs6jKumG7yrY%cx_
z9`<gqA@^2}pNA98EiEfjS3jq$aLL>S#pP`a3cYtYw-nd8szSfpveLyJDoP6$l`N@z
zn@h?|DoRS16cn#2p1ZuFxac3g!M1AB>>o^C)pvt)%~o${wm#ClR+ZVw9sCcDG{eoo
z^KfxXO6|1f4pc9VgDbCj$@0Z>Fy#xEFJ7vCI5<MTa7F2#9r<U+R+O4I`<H(<|KMkt
zd%uVMIPH|HpQt`+`I3@l%Zt4qe%pfFk!>sA#*)&u1?o-U6VNOesNJ&$CHPbpuPR@*
z2){bbDqLPsTFJBU!=Kd&e}$6OU8i=#hBULR@`IwLXV#pOigHhg!#*_L=0Ex9sQrKb
zxl!Me!#^bITeN6VLFv58uZ%jnK>u*?X|DR6>0l?LuuOf?3QEmDT<QPlr%hcfuAyMg
zqS85sf7U8LG3CYhg1{EoVe^(RnXA4k<?21mEnQJuRye=7z1geH!vFLK2_KzKB2ars
z!$14zcprgTojfUHbpuZA`t@mCRDO)iPs{w{9QF~iKgoY!M(wV}#f9a|%d8>!_l%@H
zB4;J-cf{<$+iB+nY7eOYXK%-ho7Kq(H|F@9+BIv^nEpm6yQKd2AND5HmfTn14-3Ix
zzx<_z6$=Xf?X|1TxbPPKK<!>N|LnrmCCuui{thIovC2!%^2*s?45P39=Z9Ug+LF8E
z5yh+9tteasYqGSkqzqqK*kHW^6sUnkg&15or*wHm<>yyn<;PR4J-O@EC&;m#dyHyT
zIUHZ_v8CnZC0JI~vQ>Vp-CEFML1DSFLgg(A=9HE$DlS~2*9IJMd^ujTq`aW=8vgC7
z)Gv3A^401b^H;Q}ye7N2C^J71Upo8!f>^w`a7mF_uhcTE&kEbGzMSfHv=PC91ugKU
zEXP;$59hQeHG7rCvgdEV6mz1^y11}Nf8Es&rOFvsE-3ytr_-y^;KGXHiju{}1!_p;
z#Z-Q<Ru+~Q%q=U%PP3L)UKnO<!5^<mpXNC1u{Kn{n^rCOzxUZuKjK-P)ZfZWcGa(P
zv4+&C-KGtVEjQm_ZJcJ6<2QlDh4#G~WQTpS{;)ImAsYiLjbD+fez??xSD8bF`W2K#
z)Iat)dg|;b^9zz}6~<N4=x+r7<^SYoAU^~78OYB-eg^V0ke`A44CH4ZKLhz0$j?B2
z2J$oTuQvmnGU_P*pGEhO=-2ow|0h2K`5DO1Kz;`DGmxKw{0!u0AU^~78OYB-eg^V0
zke`A7l`{}xyg}5Kg><S$dHuSk2B3TUPF>n}RYm?R`YDNi8vWsa<r~ajbbbc%GmxKw
z{0!u0AU^~78OYB-eg^V0ke`A44CH4ZKLg$jgm?pL!vIY3`ocs3RQ{hwyO8K((Y5#|
z|0h2K`5DO1Kz;`DGmxKw{0!u0AU^~78OYB-eg^V0ke>lP1H-wG#OijKRF0ko9njQa
zafiXhD~cDDqGwTu1%-1@DqqpAqPSeOEULtIB}E-DbVUie33X771ZEW#qahNyA)v=W
zKZbMh|J1q4&_4oaLfe@II6+^E6VU(C36_@Nc$NR>(XJ%=c=UAqlmC;Sf&2{QXCOZV
z`5DO1Kz;`DGmxKw{0!u0AU^~78OYConSl|$Sl$1e%l)VRKkx60@&DYp4)_0AUtf%h
z|GNL5@Bf$oSm$RTKLhz0$j?B22J$nIpMm@g<Yyp11Nj-q&p>_#{-tMtQ%=Gv|4*a8
z6a1I|lb?b74CH4ZKLhz0$j?B22J$nIpMm@g<Yyp11Nj-q&%nRn3~(M6D*sQa{R_Ui
z{9DS;Kz;`DGmxKw{0!u0AU^~78OYB-eg^V0ke`A44CH6Pn*o*o&-?%0bmT>T2J$nI
zpMm@g<Yyp11Nj-q&p>_#@-vX1f&2{QXW(CQ2K;ze{^*D5z15BW8vQ={HJ$|cVf2CM
zUC|q(S4J<4ZiptMr$o!5CDGZ@Dbdl<A<^E^F45M}M$tOaXfzNx5cxjxMdZWC+mV+d
zJ0g!nwnT1?Tobt@a!w>0SsPgqSsW>fOpA<<93SZ)=^kkxX%;yuQX?WGH2iaTe|TSb
zSNOH?bK&jbZQ(n^H-xVUUl2YsoCu#BUKU;uo)w-P9u*!O?iKDFZWS&F*9?ckJoHQG
zo6skr_d~CTo)0|{dLVRH=*G~Mp$kJBLdno6p|Vg(Xm)5yXmn_BsAs4{sA;HfC=&7o
ze+hma+#7r=_(E`d@V?-!!Og)7gX@E*2bTvI24@8)1cwEC1v><r1ZxL_@{s&aej?wM
zFUlw6eexE0r94k&<SDXL&XrT-2-#0|ku79>8I@f8B)$;4#j9e6cu?FSt`QfB^<u3k
z7xTq5F-8m$-9;PGP}C5P`<uJp-Rr*TKIcB_-s9fjUh1ChCft?oN$xCnf;-IZ<#uqJ
zxV7D&bIAG5`NVnGdC_^oxzD-9xzah$$vCGtrOsSuiZjCL=X7yeIQ5;V!vjABz6k6N
zyc*aMcrb8B;F`cif%Sp4f%3roz_h@az@R|)K$}3rK#hRo|INSOzt{h!|2hAo{(Jm4
z_%HRJ?N9hu`cLxD@=x#&^Y`+1@Hg?-_6L23eBb##@xAMN(f5S!KHn|AD}CqrGQLxM
zrM|hoDZUZDe!ecg7QXtvsE_lX_!oRPf0ggx5Ar+sHT)vJp0DNQd_JGX$M8YCJ8#1q
z@*3P>zp?#nFME?c#~x+(up8K=>};06=T5|X`-NbPW@uK#dug4f84*8L>l96kcu%cA
zqF;%453S<|uNCp`TE}Qy#E;SXG`dK{yJ>wgT`J;TwO&n67V$1xucE6(ytCFT=_(QL
zr1c8AQp7uIy_~KP@eW#7(B&fDUh8sNA>!?{E~Dil-d5{nv`oa?XuXs!5%Jbqm(pb-
z-b(8wbg_uH)Os;374a5YFH-NNxz;6WOf#+L(-IMHs`XqtU&NbeU8Kf0w%dzDyph&(
z=v)ym(7KS$5%GqV`rx&+P{fbc+h@^~h&RxBI-MorM`=BSP8ad|TF<02M7*9IKU2i(
z+U*!$$BxJL+FDOn<7;U>_TW|#uc`GoI#$Gw)OsQvC*n1<o<Jvx_z_x<rxQfHy4GXq
zcoDCr^=Nf$v{E13N=J)$L~kFdt~0Fla5_@NLt2lZ!$mx3$BYnhX}4pHu;a1a)q3c`
z4@KP3dI%jV;sLD((;*`6*Ln~gEaE<`2dME}>prx*h%>Ew(>@|jweCfGi#XBxSlUa(
z)@t389xGy}Y2AbN6tOj0cc<M%>{P9fp*=+G6s^0_0U~y?)}81vBDPxV&bWryD!aY2
zh^^GRBkd$&E3|G)JBrwHt=p;b6?S_&5i8fa4Q(r8Wm>nSZA5ID*3D>35nHNtb9HQ~
z-QHZpmT29SHWRVMS~sChMQl-}KKLPRB4Q`$?TzrWh%MCmXxd1`O0;fBj~1~7S{KlU
zA~xTSFA%YLc00xw+ws_5r1jBi{9LW;9m4C*(Yh|JCt`(K*P(SqY_`_5X&n)prS(qw
zj)=|Fx~4jIhSoJ`O%a=}bv0T;#HMK-rPV}is@4%26|obw4$_E-ouIX(K@ppxwL_(d
zP1ZU<9TA(PHKzd)o2WITT*M|+YI2A&5gV`dL2^jM#%X<k92Bv!TK`TCh}amde<8n%
z*l4YPCclW-D6PLIKa1E%t$$GOYlPkYgNO~+`aANyh#jx>e)64&9jEm-YWy&}{TmS*
zs`Xd2wulWen(P;`!CHSwz7nxPT7O2q6tRI??<1dy*Z{3RQRnP$w|^pH{j~m=>=UuR
zTJI$vi&&pZeW)qfD`MLIlU?ewq3u7}McxxJZU4!8WS59(`%m6FG)Tm>{U>jdw?s_a
zfAR)-Q^d6WC$Ez?L`>U%@*LSAV%q+bSJkoF{*#x;t0JcDKY3Yg*Y+RVUluWK|H)4B
zl89;h5B<7`Y5PxhsPWqVlV`~@BBt#>d4@bIV%q+br`2|C|Dkt^n704qN%FLaY5Px}
zAWw=|3q2>>$rB=`?f;=cWV?tp)7u|Y^PufNd6+yVVomh+N65n>rtLp@lsqD0+WwQr
z$fF`wpvOF_#%ude9#Px1{l|GQUfX~2z@g<LrtLr3Mjj9`ZU4!AYP+`o<X&>0h-v#z
zwy5pe{$u+V5!3dc+(m8_F>U|Jo#ZYN)Apa-LGBbWZU4#b<PH(j_MhBFZWl3a|H-Z7
zHWAbIpWH%j6)|o9$<5>z5!3dc+(d2`F>U|JjpQZ~)ApZSr(Rdve{wCkPQ<kRC)bc`
zMNHd&ay7X|#I*e<o5|H8=IZ&mifk4!N9!xeRU)SCKe>WjDPn%T{Zev;h-v#zE+LnS
zn704qB65j{Y5Pw$sX5X1AKN#H7}3XGNG=lE{F8IZg+g0@avnx&<BzT932pnyIpkcS
zO+VR4&Jo)3A6iZ}3T^nwS@?l#yHCy}>xDM^WIZ`cXsb^)kTZog`WU-GXq%6%X9;cc
zao7f-Ej|uAQy7DP_rYmyrM;&ldy&xAo@7W?Xk$;(BqOw~Cn=J4D@{EmvD1V$^yG9B
zbCsQ^Y%Mw6QC6PP)7Cf(D#e<$&U`H{a+GnWv}}!2Tq(-S9A(xiU0vZQn@;Jf)s8ag
zl&)OmC~HpXij|Hs<&-X8;V3&!X+^oCj5wv`%N=FGal&#(nQuy$l{w0GQ(C&rQHGn+
zC8dtC+LSI{;wY0%>7vDsve%Sew8&M)nzDsty`xMur3*_OWv3}EStzuTrnk^19A%>^
zowvnN2Ab01d5*Hqlok~`$~03tx5!a;nbIj+9A%U#ojKJ}7Mao+GaY4)DV;vUQMQ=U
zY118Lh$)?Vf^%G@IB}XYtWumX#ZmSb=Q+_CQYpsHb(H0$blen2nO#aJj(3#JrF6nX
zM;Tm7$8T|zwZ)hTjxx2BjvePHJ4@;4v5qpblx`XA^sW>mOB`ihDIGb&QMQ%R5hERC
zSSdYjucNFgr9<~P%A`^{WT>O;DW!vUJIa_++OM~xEGeaZ;eb?%-aQ><Ln-Y!$WaEA
z(ms71Wj!hF)yGk$lhR{*Im&Kg%(0F#nv{0y=_rdy=`p(<WiGMh7)RMki02$-C?UEz
zEi1)y-5g~iDec_NQTCD2F5R4FdP^5aSw>1bb#|0lq_krvN7+P5+wFFgL8P>8J4abV
zh>ngjg_O2#>nJ-&X{*+bGJ=#gY2_SMDVpwfl=-8yc~eK(K1!Q4ca-77m}ZW$dXzS9
z;wY0x>F&mkvUij=8saEpN9mqMj<R%=798g&Ge_y(0!P_6N*j!Dl!2qPUIRy2H%jZ&
zbChYLw00dw*)>XQ)pnFoqqJr%M_DvVkF4n^b4F?8NJrT+O2ZLH88S*kVMkdpN`oOs
znJ`La&{6h_QXw5>yeM^r1Iq;utM>Xv_`Bx1>iD}xhT`w)$=Ue3TD&*IKY{2b{7vdb
z_ebB4?u<SZy*aumQXXv(?F4WCXKejA`fl{)=#J>a(R-pdAu4b|bbT}yT^U^*of|zd
zIwsmH+9FybDk2{s5^yN;L*&iK3z2P+Cn9%5u8UlXNWhv%CNe8h5}6bk5E+3eKs3@W
z(j?-K)D8a@{(JZn!~k9mKO25Dyd``~_@eNJ@Hj*OriE9BOT)#XpTfh!eZpPf|2KsH
z9}LsbSE0S3w?i+6wuSBpT^rgMN{3E`*S{b%GvtG(KQS~s)IW4gsBNfms7~<L;5Wg2
z!FPi%2A>Sx53m2K;03`o!2!W;!DYcw!Q$YF!B)ZQLBIS(ejvY+ugM+qHu-?O3jTgt
zu9l1BEID2dkv(J^d9<u9eem`_7rVqu;t8=;+$1i8TXD8nE*8MoA1#OoivgmZ=qg&c
z-??wQ&%@8Z&b`|`&E4d#hi6~pE_0{2eca)0N4FM!HorUjoe!PYooAfeoz2eq&dKoc
z7dx|^3C>Wbr_<1B>m1?u;obinct7xR;K{&!ftv%D2Q~&0ffa$0z;t-`0|VUxEd%uf
z5&!r8PyFxrU+_QXFY~X3cYmh;djG}#V*dz#Uw<d~^iBQJcfj|J?+xEx-?P4ld{_JK
z@Lk}`!lz&2EA&nD4f7rAYv(KQ)$j%QFZ@e*^tbT)`78V>eg#kRWB5vV@(cM4K9;v)
z@3K$%QS1jE<&5oQ_rjCEgq_YduyQt!ofvu|xGtbRVWEKX=^2G%OIuigXG@z~fNM*e
zS%7a#n_7T#OPg4jON(e@3vh2~BMb0vX@LRd;L?V64?J9Yv<0}hw1EZqxb!FsaB^vV
z3$y4<TF=5v98=fA4D6|60gf)MZ2_Jxtz`kOF0E++zAin|0-Rl1!vefrdV~eIyR^Cm
z_`9^40p;-0sNDmPmqskW<)vW@@Of#-!bmy-_P|X12n>@JhGUPg0Kb>I7U1|&#{xWG
z8n6J@m-;Qh_oY4yaDFMb0PmMF3vhp7o6Hr!|E1pN01hxYWcR=WCI>CR1tte9zy~J3
zTYwWxezO2CnEYx1ZZP@9LMPgp{A>Y^F!{*>JYn*q1-QcG2McX!JMz5+IK$*S3-E@?
zw-(?IlfPSlKTN){(2O=G`z^pDCSO~COH95ppnPKTrQHLkn0#RYUNQOH0^DNqnFaX8
z<WmccXaV`eLIIB1XQ3hXd~5-}G5N>>oMW=r0=#4Lp#`|d<O2)vkI5bjaFEGv3-FN1
z`xf9LlU)|zBa`<mz)2?WT7Z{K-mw5TnY?WQelmH>0vu)XrUiJ)<P8gOmC5TC;472Y
z3@B%rylMg7GI_-U+-35z1^CP4B@1wv$%_`?F_WDZ;4+gJEWl?b&s+GO{6L<w0I!++
z%>vwJ@~j2;&Ey#i`^h(ChXr`f<Y^Dce)5zB_|D`>3viyv6Bgh-lkFDZK9k2S>?5C$
z$1K2sCXZTx2TdL^fFt&jhwUEt(BvTx;5t8O0bVqDzyjQ8vdsegXmY;=IMU=k3-F}L
zRts>Y$rcOnrOCY(;7pTyEWn#4cUyovP42P)f12ExgV)I&7T{5n+bzJQCbwCDPfc#M
z0H>PVl7pS(W(#nu$xRmESCbnpz_BJb7{IG+C)e9OaIML87T{ZxYc0UJCf8VicTKLg
z0QZ_~wgCT{Tx9_cHo4LQJZy4>1-RJcatrXW$z>McWRpuRz{@6=Sb&>NF17$an{2WG
zN1I$^0iHIw&;nd-a)AZ-+T?r-aJI>L7T|4@b1lH#Cg)gyzfCq;fWuABws0f-@3Snx
z<t7^}z~?4sT7c6{)?0wrP0p|Yx0|f90Kc1LEx_?684K{dN!kKjZ<4YA-<u>Y!1*Q#
z3-G>4+ydNh60-pRo17l3T#Tslz}H$07yLA<;e)TS8cz7BR>KQF#b~_1#*^)K_~EOq
zh9kbpYIx!+t%fVU!fN>9%dLhpUST!7@p7x-j+Yrt;g2tq>YAx?$d}q7@W@N8hD*N0
zYWU=f?eN%Xi|l52<tM4llu@|l3x$%(FE24_&DsT4T{PdQvNiLJDlaQGYIQ}CQL9$Z
zHEQLmIYzBmS!mSq6|;@1D4%6i`SO`Ym6gvhYFXKIqe_=eGipicRHGIzInk&^i%&4>
zqD5288-c4n*=$@`GRdftg%iztR^IvqvvuB<@kSNT8)sBe@mQng7L74#%9hba&73;Q
zs2MXy8Z~{!2&1M=A8ypt6OK3P#A(MFb;6WkMol?!s8M6*4l!!nl)*+#96!jY2@?kz
zHGazgJ8nXMqsETwXVmDieT~{Ox{pyKOL|*1qL)!4MjmU_aeI3jHFQr8qlOIaZq%UN
z#~9VGcQ>Q@_Umd?@19+Z>N%*hQGNP$GOAafjz%5ZtAibPY<r`+^=xO<F}vH^ZO62+
z>bcfdb!%nRbKP1R)wx>>qq=l!Znt%5W>lxnO^xc<sfkhTb~iSvZM#NRbu2Kdb=!tU
zwQ7B|QB7JkFskY9ql{|aw7yZzn%A@An$<O`ag#bm?QUG#s76C-8MUWTO`{5qJJP7V
z1vQLnFyaWK>NTitRGoU&jH+EHYE-S-5u<9>3LAA~%@7nks5;>QRW20c5C2}|zY1Gw
z*)8nS16zGtvE@j+g)XJb_|w>OL=Z<&%Gkic>^*SQSVPvI4WN6mA!0Vr%HN^$_y1!`
z@_+I(ke`A44CH4ZKLhz0$j?B22J$nIpMm@g<Yyp11OMVPfcyVxz~?9aN2A|G_eI~1
zJ|BHFdUy1?=qBX&Pm3;#7NP2YM07y3d$e7&Nwh9%{+-A{)ck)Q*%Nsq@_b}_<o?L*
zk!w-$zcG@IoEj;MEQrjEOpFXiz5g+hwvon>I*~}k7ydQ;4XXX$3%?S6Cj3bF-tf)g
ztHKwe);}Iz6<!i93QrA>4G#_XMx}qt@X_HT!!k@lKZd>xeHeNxv@`T1>iq8vT_3tE
zbZ#gcIxSQYT8JwD$)S;<fuSCu_Nel&7pfKt1b+|yJ@`p*SMcTFj^M+=dxAFwuSCXw
zeJ~bW8C)Eki+ul>;1E>$cM3KS)(b|1T>d1#kb98%e?~qe@08cdP4Y~6x~z~3<a9Y!
z4wl_zYuP|nL#6+Z;xqA{cu{N@Tf~jxQgIfF#P0TACn`|uKUItp{Y4kiT+|gI_mKOo
z`?32LD*YdE?{cqoFLKXt*SJgFx$b25c(*s|{2RM9UDx@|zsdR9`M`P2+2K6k+~!<`
zI{&n@+F9hxa>hGDoE}aa=V+(8<3pAI=Yd^;mjX`&wgzqrToyPx5DzR5EI^I_=)izL
z*FcLvy+AlX{NMTa`QP?G?_cjf&A-fF<e%an?(gI8h`N5%s`!5Q?e~4?d)@bp??K<~
zzRkY#QPqF4Z?SK-Z-Q^AucxoAuc7Y<pP&DXn*R6s%lt`xAHSJj&NuP|U%^ZGbX4>Y
z<lT5nUY|!eW#6+;*gNb6_898<uV)vtGuc{J#){bqx%B^GDfYt>>4#<F56jUXmSX>l
ziS)yg?}ug856jV4O|c_CUL~vk=ehI4QtXE%-~R=&>VHV2S4pw|c~<=oiS#Nd_CI9R
z2Qiz}qko=a|3g;2O1}NCrP%3VS@l0pmmii@KP-2CSn~a_wERDvRsUxb=}34!$GpVm
zjbt11(w8@qdznpN9_YeeVe@QY_y6VO`ycY{RWk8^o_zm9zP(B&{+~|1{~_OAB@_SG
zlJBZ!{r^_J{je1KAF}FI^6h^}u~*5eAC_-FEPMawDfYuM@hDu+rPvQkzW=p+JM!aI
zQtW@8J3lPNepn*?uuS}6Ir{%fiv15+^(y)He2Sf^^7dSc{SR67D*5(5Pq81KR?nr|
z|3ZpgmA89o^*>9QS52!|O`rc+8eXN<ZEpPk+f@30Pue_}hR>zu|HD+e%7!ERx0s~p
z3nrs@SX%u*NT!=Z{%QjKzdLQ7OUVBR$#O5LJ}#Fw_fqcvD1rWeFKwPnk>?WV|1eqZ
zCDnU+Y4a+{axa12EtfX;lI7jJ1bUSextBKY{8y9ZUWz=IHvdP-@_&>V&!x?Csq`lQ
zAX%PEk>?WQ|9m=JRj)*j44O}8I3kS-g@sYUkZTkQ;f)gbu<Obf7gh6G`COk-+{ayP
z!>KuQ)J`D|nO(U|elE|Ss{+VXF662*P^Mz)P%5j1%&%gH6`UPbsCQUl=wZdahgC8k
zJcXV?2b!}ToJMb^vn}+b&(k#)8q>Yh)^Qz-(jTd<WjnBsHKewT@xbG3Ftr7!2VyMA
z8p+TLWIwxs{2QNtc(hNnBRu|EsO$edvLAQ&zaDue@*sTu&5`p_&wn!R?4KQ(5E&Zj
z2`|54<cQE?p?lz=UmQ9ibf!2RcfijRCyJ4xUuXpC;t49^_nDgbyHORdD&kK=J$w-=
z;!zKeI{5vlkQZ((RK=@`_y<uFe?F?>GpLGhi)#4AsEJpV@eM0$;#Ecb7p5k@1l902
zqb6Qe##h$Fi!P{&r-6v7j2A8Z--p(Q%1|ADrm2s=r?N7>47Kqm_(%8-_$4ajYokWK
zDXQc5`rZ)rP#=E*>f;|mg?z3)K7h*jVW^KsmAtNxcl%UU$Df1x`1?^SpX4k3Yf&M8
z6mNwp`D0KgKd7=k{)bRs_9?35-(`=hO8HPHL@H{BWbgp)OV}HHBlv9aq2L|Cs}ZBf
z22Tkt2^Iz?q7%Wf!FIudV2xk^_a%HOcgt7gQ}TZFA-F=GBa?EaTqtKCHZe#ZBU{O%
z(1n1BAH=8PU9nR<F76dKh)cwVP;oAv6Y-<h!WZH9!!L)Q4Bv;y%jMyXxWi&axFkG1
zJSIFa+zm08`r!!ft@s|D72XNGfQtSNsOhh)=w~BYKh`-H1~VTyHk%bPZebRi$(V(i
ztcdw@Fq=^eGw=x{7N)ZWERchl)Ru>{X>2;R<>Bmv1CLX$BK!b7L~S`J{hc15wj7lH
z2DIg%^k<;;n&>b1LfCRp?D>V-a!~pc(E3yO&iq8JKSjT1^{A}?rGKa2Q(FN_zXjR~
zQ2HIvR)AvAchpvZLVize1t<o6M{NZt4*!<g3Q+nL{hHbeQ2NEe#?)4T(og6Y)K-Af
zPl2`qlzs-V6`<Jj8MPIl*#0TC6`=HEpsfI<9|3IzC``pi)K-Af4{$-Y=##z=v_+qE
zH_#S+(mg<1^oc=xs4e=0{D9h`PYl{aZP6zV-%V}NCw=!|Pil)k={xjYYKuPUTiBB}
zp9A^^eT&+nPx>Oz7Jbr}Fw7Qx(pTt9)E0fxmw~qE6UV$vPq$~=30!O8dAgIHX5nwR
zx>GIepns#MSa^o+peI{+mOevQTlgD&maek!ERI=e;Th~%VPOZ3S#IG;80`uRPtYf6
zxrN8*-L%ZY*Z9#dv#^!kOP5-Bh;F5&79OMz(Iplhpbyf;7Pip`=pqaE({1!53-{6c
z=|T%z=zX-r!aZ~gU0~r>dJmm%;Wk{g7f!f?-bRb<p4;giw8+A(^maPe!Y%YxI>*Az
zsKzX`a3f}PmWAu+jdZ4k>*;lLhJ_pG^>n(08|e*nnuQy1%v1~4W6y~euEQ}WShyOi
z<rE8>>D6?yh0Ez?I?2M77&g(u<@8EA!NMi<ays6^#q<(7&cY^oF&%5+9J+~)v2ZRu
zhmN*z9!@>V!Ugm^I?}@V^a47<!nyQ(I^4oJ^jvzpg^f7daTd;`8|g3$8*u8O7S5y_
z=nxC*>6vt}g)``SI><s6(>uUIie_nl3u)XS)z3l}omcu=$j~(HlY=bnZ2>J=XfF%s
z$wH5{fTk?8rv-Fnp*<|1Eeq{#0exBMF&5C6g?6)m&MdU61+-?NT`ZtC3+-$H%~@zC
z3+T>5J6b?{7TUoA`m@mX7SN!DwzGf^Ewrr#v}mDiETBgVZEXQfT4*Z^l{d!N8e>(R
zZMCX5wu8{hg|@Wt7jJp{!(DE<``=hs){VYr&c?d1uJm0ComnUPj)hLF2Yo*WUFh2u
zIv&_Z-?Gq_HK%V{Xv5mlH!QSfZRqP3TCvvjH480SEBdO17OW+G#X@t|j9F^{*@C`o
z_cUWonEn2;rmPu#$?j>2J@#7)*@@YC12m;C+F^}Y6S~tv0qe!==baU>M)Y~Rry(n#
z&sk`|`q3RZIEp@H;V9OCKAD61^l1zA*-`X~9Mq%FTBwI(p2<Ody4^x;{1WlFg<7mO
zeau1)Ch4OVs<9A#&_a||qYqe!uqfSTA<QE5ehVQMqz_vNvKsV}9E9n879_6Va|;2+
z={*+wEI{wJ;A4Jzmj&FRN$<75n2+A+0e+F%Vgd02dWQvqI}dL60K*<KKo8+Ux8{J*
z+bsOVYBBpd`0kv>?6u(z%^35ptsCo1ciCg^rS~vzk-CRI#wOZ5f9;M>+@V?JCeO;d
zH<8Qip$ev_uxa#wIUC>v`kRHx>=brm4yMpwElgmO=`R+>vkCNP3uD+Q`lE%>Yz+Ou
z!YKS|`jdr`Y&88o2P5cr7Dlk~_|+dCrn<HfY$W~G!f-Z%{@ubboNd2_p=>z)CI`dl
z*A|Abq4X;YgV_-JrG<fPE&VJ91L(&V2C#wjqa5_7`z%yeh3B9j{loz7d988_Y(9<0
za5wD#vp2`WLmNmxwLivwtUvwGLT@YuA6V$cdec1?da#akH|qasZ?s{<eg5A>Kf(R~
zucHFsiG2UReE+|E|G#|yKeQ3SuLf9K^ZoxY5BdIo`ty+Q|EK36-~X?29?+N|-~SJG
zGT;AC^~1tE<oo~WdC2$w%lH4w_y5cH|3ihr|6u<=yt>bIRNGP%I`{&rXQ`k(K-C6u
zNcsOw**JpE|DQ(Ri@p?nGJ1dX*63By^P}15snMmV|34u*GTJ}dHQF+IRJ2;u7x_8z
zC2Id)Lp8udkvmcOzbSHN<n%}d>i(xk#zqE5dY~SlAaZ2H4gZds|Bu3Ng`W>UhKm0i
z!<QlNoJ76<qVVkS#PD&b_U{;O8m@z`{sfulPebp8UP7h+{h?b!SB1_;o&Tw!rJ*9!
z6O2ShzpkN{p`%da?+gAM{4%&F_*(E8<j(I5UK`vLJQIEVD}oDx(}QD!gM&SSZIL}c
zGU&?R<u~#p`IdZMJ|^##H_FT8M&!>|p|9U;IZ+-bd&`cpsjMSIl8En-L4OaO{hk!}
zi(AE2;(U=6r;4SbNSuHwhW?_PXeAnm>ca2-;(q0R;J)rY>pqO?{_EU}-3@NcUGA2+
zGu(0R5Vxn>&TWMHe&HN&{_cG2yzRW;Jnn39ZgMVn&T&$x?_cZ`I+L8^ojy({r<qgN
z2|G0KL*O%1_`e)@DzGhZTVQkGg21}Kn!vI^ap1(jDAf3O3$zL}2viUF{lECX@_*oe
z-T$orVgFtJ>(J+KgFoh9?l1Ar@Q?Ek@%Qw%^EdLNB_%rk{oVJm?`_`;zQ=uAd^h<n
z_nqTQ`BtOiztA_ycf7BUuamEtudXlbqx=W{8Q+DP|EKsiejDG+FW~F=8orDd^Aq_f
zJ^)q!t#|`oo%`7@>?`&Gd!0SY9%gs3>rnT<fyLNzR>EfBgCvrwWh(-mFR>RzQgv;G
zev!Q-lB#hl^iH*1^=^fJf$bDY)xH%P=>w5e9bBRRb|5B_s);M~v+QposrtA=Kg}Kz
zN!7{~8c79_RNY*mpJ0!O<YcY4vnNDylGcy2?INkVy25)yh*>0cV^@`f5Xtd+%wz0v
zkyOoHah^vR#;E?T(2uZ(MN+kRg?^YlDw3+pEA&I^+Ek-g=xyu{kyO22q3>kdL{gc1
z=&kH7kyIUDp|`NDBB`3bLf^}_h@|TK3Vjc|S0q*ISLnOhJtC>Pzd|GNA(E;AEc9LM
zPLWhSV4?41cZ;NI0}FkJx(3w=7W#HIW`NeWvS&q7^@GLsTiNX*sanE9-^^|mN!1k=
z`g(SyNUFxL&{wMSsNS&9SF!6wQniPLzJ_fUN!1}1`f7HKNUA2W(3{y+BB}bsR*t_~
zBvq?e=quFrW3;}UT_KX)w7!&GE|RKeEXG`>UQ4x&g}#(sCX$`CzJy&WlB#(uwqMLH
z5lPiQ7WynTUbT>gzJQ%2lB$a=^x5nJkyMRjp*OO#MN;*Wg+7;U6iL-i7Wy1^u1Knm
zvX$e{5lPil7J7pkulmYDuV))XQni+aK7*|nN!48zI?c`yN!4H$I-{;Z^_Z>Po)Jma
zW)?cd(juuk%|a(xN+cUqYE@DtlB(Y<w#V5EBB@%=La$|UkyKr0p-*RPMN&1Mg^sb)
zMN;*itsIZnQtf9ew`08OKwCK;+f@@<=(TFR>O%{C>Vd~aQnjLmK82kslKQuAwu+UC
zB)<J>`%<<_BvnsZ=;dsgNUFB9&=qXCNFJeeIjay!)tnaF%UHQcs{XXl%h*zpR4r<u
zm$EXER9$MJOV#VDMzzo<sWGZoE%aiwUA3!)Uc?rQr0Q5(IcAYas;0Hj3)x8`sruGJ
zFJKErQnjvyE@Cr8GN3ief<#g^u*G&%5{V>w*eYGfW{IR)#-LGqB$8?+gGT9*NUGJW
za{O$OBwC}^NF>&3Jso2br)iDiB9U05H4;T4ajMp+GZKkY?Di8x;$*ESvne96T5BYU
zL}HcJ$PtOeO0AIy5{VUBBV8mC%e6+fNF*w>Mt(>n%B>zD5@lK=AtVyZv_?KiB$jH8
z43J2aYK_#8NG!42hl#{ut&s~7iA7o?6(kZTRcck|ClU+wcH|93qC{(Ch(uz6)<_wM
z#C)y$vwk8mPwN4!zep6@@dHGn$Zp5@xpq9Z&(Rv$29YS#8p#Hcn5{K(4I*LeKT-`M
zVeCJ$)*@l-KN5l>VeCJW-XdY_KXTq8VeCIr-XdY_e<#*OB#iw>j$0&*{YQ#hB#iw>
zhFc_z{YQdZB((i!$Zv~;vHwVKi-fWN$Zm^-vH!?ti-fWN$Y6_vvHwU@i-fWN$WptB
zQFxD36<LdfG5<(Wi-a-%$WV)fHvg*rQY4J|ug~g<gfag}HH(BX|43qs#85qLN3r@M
zVa$I6c9cjAw%aj&kk&|Gi-a-%_0)J{{*j~>iT-*Fa?~PW%s*1pB4Nxw63ilD%s(>E
zB4Nxwp@&4mn15ukMZ%bWB(X)pn1AH3MZ%bWq_9Q8nExOPi-b1+DoHF7#{4sNPGkO&
ziWUiD{*k>F31j||ycP*#{*k*D31j||triJm{*j*+31j||o)(FAmG2R+MMOfIf0P2^
zwY2$Hg@GcW&A+M(6bWtqRau}&X!EbC0!2cbe^nGH63z8FQ4=T<+Wf1MK#^!#xm^|2
zibNAV2GxNg(O7E~2a1F?|Ee}nBntF)lm?1~Hvg(JP$abZSA~Hhq0PUl3ls@${#99^
zNNDq~sscqqn}1alC=%NIqoD5#k<jK}l>~}}Hvg(3P$abZR|SD0q0PUl2NVfy{#7}k
zNNDq~ssTkpn}1adC=%NIqXuoSNNDq~>H<YVn}1anC=%NItExbe(B@wi1&V|=|EeZX
zB((WgC4nNL&A+M$6bWtqRY9OgX!Eb?0YyTae^m}B5&=DLs0I`XZT?j;ph)=icGLoj
z1lJm+fFgm<3QWGL1QZEv{#7BMNDw>zWf9lrA9a5(inuoaD4O0W;@bS9pzwJS*XAG9
zeD906HvcGB`<sYs^N(7-9U`vHKZ^XG5piw)G5%Q**XAGFF<zU0jK_9u{&60R*XEz1
z5KzRm`KPD@6mf0-DarsvT$_K2DnJp}<{wpm_lmeS|0w#y1C_M-N6p_uBCgFpO8y=c
zac%xl@%Mm;Yx9qSzilF}%|Gh>?iX=w{!#9CpNMPok6(wkh`2WYDBQb8#OLXGL+PK0
zYx9p%zuQE-NN-2spNP-Z8g+jnK1XYm{fW3X|ENyCMZ~rFSGDRQuFXHH_b`Xr{G%f6
zMiJNMAGLeeiMTfZDC)aj#I^ay_!~rAn}2M_cy0bM9^19~$9XVbn}3SJKM~jFABBEb
zi?}xbsOH-&;@bRERQ-v#HviaurHE_uk0QUzMO>SI)c9Q@;@bS9#P4De*XAEJd7DIB
zn|~DRog?DP{NuBSaz7E*_8;Ya=ZUzs|ETV}K*Y8E$N2L_T-$$~=Ufrj_8+BvIFGjf
zsNdTt;zRX0QRgS(+Wuqv1`!{ux1-8W#I^m$EdlFAd|>5vR0W<P;@bYBzz_4O?LTT`
zvLdeSKT7pdBChQ}#$-fX+ke#ar6oI_e9L+f|5@-MEBy2QQ~jg-{rz41&HZ)#Av_80
zTX>Lf`JVGV;=9Xtt?we=8NM~XrFah9WcZK0eI0y_eKmb9|BZj0t2h7W?<M%pSFC$?
zADpS`{X@lw8jJ|_{SWKy=L9DOk3&Cz_Q6Jo7&!7*JOyBnd{sUzx5-=a+`n^W3h{!I
z<V-p4Kk5bW&-4M{-B~X_giqjwxaa;AzQ_5>+3mcHr~lcgLHfVt>3>z8{f9gIZ{b(+
z^LU1z!b^Ei-i|loHMw91*x%X5>}|N_kHdAniCqq7D#cc_#rOq$5<6Zn+i{XuaRB$v
z_yfF@e689}F5b!x*%p+GmU80h#q6NfC0p46tLH6Zzk9lb{bqIXJoc;AbBft7Ru|4;
zKU+P!ko{!!jIHbktEbOqKYDrw``+rQ)7f`cPnpcVwR-Xt_O++CvcFqBX)621)05d(
zR!^K{-}~=H{7Qeu(t!@_HQxswjb-=vp7CfJyV>`s|57qZ&C=L0>@$0|F=N>$p5Dqn
zw|ew=_NAxCuzgmK8qHAHg(jbHct()x*+<?>Y-OW-D?Hl8TKFb-^bu?5v!%((mtsC!
z2lPL2BS*eO4?nzt?B6ZX!!0)x)n{eIaJJX}?1ztFA6h+ZJKJOR&|z%1)kB7|_pKg0
zgzd6gHH5W#z(Dq{)%}LEw>{mLy=8UZe(X)Fd%eltu)0Tg_L|k*d$3nM{U&?e>TYkc
zm#yyFoxS4eZtNwiJ9T9{t?t-~y=Zm&j_d`i+qGxUS>3i5`<tiRvFELB-IqP<=~nC+
zt6Q~ZJFITrialj@v*zqctD7`qPgvc!3EOUUqsHuUs|y;j$E>bbz#g@_Zawyh)phE!
zhpnz%hdpF<xHfyx>QI<HU^Nf1Z4%#M^(E%)ekE0}-$U#^JL1i@>}jjF4`A<Dy>%4(
z)PAWCO(nPU4weqSPCM{T9-TtZ=5Kq{mp<hSdDMZv>8oYF|GW{pM_g;6fHz{-SU4Jc
zuC`F02iax|wRtUerG;9&HoGDRVRn^;nizJug(G=QcA145{781Gg(G+kc8P`R{0Mfj
zg=)My+hifitFenLM0k{4XaP?JW*1lp@%qe`Df1AIu=DMnAl}b;79>BK*$QYbae{O0
z9+yjYj)ees*+vTt53xPl0Df2p*aiy+foEDcz<y`zE&LA8_bd<CL3W0P-*7qWEc}XN
zvKD^Ep0tIZ*sm;;gP&Q-!jJ4HmbCB#`;jFqe8;|IF$>?Yui0r9_Oox;8Vg?|lz*y)
zuh@5NZ4UOcQ!IRm%Q@M?7d*h?9^eG4Equ-km{)rKIs1aGvU@&bKd{qt@Hty)VITX9
zt+23{y~mbY*u&muWfpd`J#3kU_t`F1ZebUmDO{0*-E66a_i)u-z5BatAM;Aw-^B?^
z?Xb6TbLJ8YZ{ate#TH)22^Ly-jlIPd<=}NzV&PTx8e3rD74|BdZviO~HoNk65q!;G
zI>d_X4&+1FtQ_oQg%*$<VKZ~^0-Iyu1spRs2Rqpe3&@tRX%>(!VN)$2UxG(6naXn{
zN!Sz%$da(h7LX=klPn+~!p2)bLWGU8fQ$$mYvExeV{XgAqil=?BuLn33&@Z#@7E5b
zMc4?t2YC@T+yW9K?05^vjIiS@AT`2<SwKF74Y7cP3mch(yV+n1NRO~V7H-E?-<pFv
z*+2`(maqXixSjR4fP4w-X8{Ql*4F|uBdnJNq(<1W7LXfZJuM)a!g}Z6YSzO7QZB5I
z1>{XwcMC|IuwyJBTf(|pKpKU0%fV%=iv=W4SZ50tBhPb74lZGxEFgcvI#@uWgtfJR
zObKga0qGRh&I0l*tbGp7VXZA7Gs8Ms*np(X%{e%mwX%Q&3u|cs85Y*U0@5n1nFZuq
zSo0iYSW^qgvalu=kY-_xEg-kT3UUx*M_Gs=?@~Vpr?UnYPDi$-UJll>qb(pi!y4w`
zbXL~_axAQl1teKmZ41b<uv!+7T46_8KyHQAuz=(WJHi68E3CQ&q*quq3&_*3nmH(A
zQ47enu!seuSXjscax5%p0f`tE&cPxkEg<E>gazbWm}>z^7v`w^e<L=9nEe0C(Wj!@
zqPImi;~9VJqHECquNY7G8-@OV-J-4VM8N7%f8>|QS9sFj>yc+84@d686aFraY>31n
z%kg}_8If_3A?OFtF48DcGa|wV@N~bA!*7RQ2tSTz``v{5&d&*_@La#e;ll8w@bP%A
zU#D=haNTeicb@+c`Yg07^m6DaJlF5G(B{wup>?4(p=I#oPYjI;4G47$wF)%|RS)@t
zzXbOOKMuZA`AolU!P|q^paNh+Fpds?i*Wz^<lu;4e>~r>b+92kdLa+W@8qX)7w)0o
zfewFn$?N5%r~*jIlVzzak|)a1xR1VvY$pq3O)14e@g3>_c8OQS4)Kt<OI(jWe;Y+g
zoGeOF32-8w@;6BI5bZ=`QCoxrb$@ifaQC1V;BR==-@Wcl?iKENZWg`%mbvrXY3>+z
zpxe!D>DG56E_HrzK6Bo4UUas@tH05?)H%zEIm?{|&NOGVGr;NUv~cQGRswt<_$2U7
z;Dx~Bfh~a>1D6KQ3d8~xf%$={r~~L9=n`lis2d3R5Bb0Kf9!wD|D693Q~_M;zsP@v
ze~o{sf3APB|9F3Ie+PeK)Bw1?-+W*DKJdNf+u?h_cbo4j-+8_?DgYMwX8FeZhWL8;
z+W3z4RrmS$PyBP_|6k%y@U8qNei=WT$N6%;fKTJ2k^S$=Tkv{3%n5!+*oQUpd8Eqk
zM(%$TzSgJV(_e&-P}M&&L;aNxub^QXkr`qjNE^!ZS`Wf9eVPH^p{X*x#(+b8GJUE6
zJR?k|Pch)90hvD89z*>yz1je(Tx5Ec267OO!%VL<fM<ls^a=|!DAUUg{6-GQbcKOm
z$!{`UZuiiZGF@ii7xJr2FSDTbEH&^W`9-En4g5fUl<6e~(9KMy7aPE%#AJGrfp5uo
zGJTSP&(+&rXy7aIxlETBzyrf%dVzs2$d@ub-yTE0km-2_K2ygO8~BubE7L{Zo=;_Z
zuD9ninVw_d6M{X32GHkBre_=2tuAMlfe*=UnVxCj1M;Cv&oHoud?3@)?J;DJOiwfL
zzB*>A2m56DL<76X`!aokfj89aOfm2_c|)cr8+ePnEz^?>;K5`vJ<%RR-jwMH2Jm1q
znI7-KE}0%@;6-)nu?AitFUs^7122<TWO}p#bWM}#QT7<}l1z^@uu~l~!h_dkdboiX
z$WEC)-oVr9b&fOeEO}a{hZ%T=JS)>f4eTJ#$n+3<4A~*mgAF{Tjv3^^3o<>>z{BJz
znI2%^5%oI#4LnXBk?DR09wU#-bYBB_7MV=<vB!`{WxBTkG)j}{UIrc@56kqi2JkF0
zneJ)eezHxbdl<Nn+%MDJ4QwU%$@DP>?jm=~bT<R{sIzr7a5uR}rn?wG39w9eHh>3{
z$#f?Jcrckvcl2PZOn1<roLQM}Z}!|k+sJe~3*>s4ZfoFra)U^>QGllcUb9uCTN}L@
z=W1mJT}3v_bV~zx#F$LCFn~vl$#ioAm*eT)>1GOWt_yK|Q?uh@a-mE&F|dhTEYpn*
zp#7OlH!^?<Uzsj2aDh6ep@H+s1u}iKf%C}uGTp$y8F=V-`X~i>%?)_X`ew&QvO%Wn
z891A4l<B$#&LU^abR7eDh?q>*Hh?y0GF{66`kl#iO#^3;^)h{=fpz2zk*)!NAF`IL
z6X_$=4!nLGuV38^N|CrsS2K_#DVdHMNRXsVM-0SCLZ-t8V(OTX0X%d}q=SIUS2^8H
zOQk7Wv(`-uEl*t|(ykt{f?VUK9ld$=sct%;<*L<g+OOrxRc_j+<%*SVnrm6U)lD-k
zm#%QrYMsGrEG>7_M9W1>-IQ8muyyfPH>Fk>$VH3Ylv-aPOR!a~E|BvUxhb`_C|TmB
z)XD-`JkL$3bp>)xv71t>3S{9NH>K7T$k~N%O06i6(`UOWwVpuEz<JebqPEU(Q)(@N
zoI2f2sg(qB%49dC))C0b7^_wh$VpS(lv+a|Cr)xxOU!^NZc42mY5)#Xs|V!h@oq}3
z9gyQEx+%4CK#sx5)VcvVc8r@+s|MuOQEp1D8EU{-H>Fk#$k7;})(gl{qeV)s7Wi=?
zj_jt?Vu8&ghPx@XR6q_NAya0dpw}Hd#ZArD+lOs;Q)-#OkfFoelv*SphYWR7YKedx
zJj6|@1p;#5U^k_f2gm^f-IQ7!Ah!>2Q)+2|?1$G=3xkq<-IQ7uAp7=nQ)*Fw?DeLb
zQcD74cSyA$K=$bFrqptvw)SvSYB7N9imhrXfb52`Y9UZtySXW~3_y15<fhaj0NJUl
zn^H>vWc!Y8N-Y48ZQHpiW&R=CwRcm>_^YkG+>|o?kgai%%J3`M%1tS=580}<n^Hy}
z^3AqxN|}7f<`|$1K4i1zZc3SZ$R^F)lrr{^jhnbBW$GatHFi_|wJd1lrj(h-)_MhQ
zN*Q^`y7k<YGVzdg>bfaq;2~?*aZ}2?LxyX+DP`OtLt!_iOgkhGIVok>@pI-*N?CP$
z_YaAbF4#bXtiDL;f(?Yhjut6hut9N8zewqV4RuSuNa=zNI)}zY$`ouM;v-U~U<2V6
zk?K&Hlte^jpGdXWiOV*0kVv)D+YvMnDP6FEy2Xb@N*8P>7gD5j!3Lbhi$zKoY^d(H
zBBcv97;fDcDP6FEo9M@jRP)Mn;$f8AM5>w9_li{0O0B}0BBcv9IHH;&r3*GVf|?@L
zNRL5GQ>1jk2Cv1#BBcv9IKrDEr3*H&y|zf{f(<0duw55yaD+2ON*8Q!L^DN77i@3@
zGet@lY@l5B2$9kS8yulbk<tYlXbo0Pq;$as8fiyGN*8S47wnKo>4FUvxfCf~u)z_y
z6e(S>p+c1+r3*GVB9$Vg3pO|cl_C|@?+bBCk&0AmhWMjMg|$Y=Qlxaj1_F`z4CsOl
z1TudYDP6FEFyuivJbFALlp>`IHV}lw7+tV|u;Z^H70_c4s}w1})<3bIMari&f|DYp
z3pNn_`%$EH!3IP8P^73HgD|B?>4FW!0e=ulU9f?m;&&pc3pNn0{8}V+!3IO{QY3Z3
z24b3DiKH&r!1(<lsS7q3f|Vkv3pNmf#28($!4QxXNnNmk*ZN!}b-@PQna@O07i=Ju
z_?}4Wf(?WS_ll%0*gzz5mq_Y@4Fn?J7fD^P!4Q@dNnNmk@w-K`RKG6-7)5f4)`%~P
z<YKK6UKB}Puz{fATOw%+HqZ-0Bz3_CL)1|ub-@P4ye^WuU;}Z**F;hmY@pfmt0FnC
z@|=iKz9N#v`uxpVGdEeJG)25oBz3(8f+a7Bq^{RM`8CQ?3-$09*-rHTC;Rxb1fF9N
zI^vB)?!T+Qg}=T(>gT?nd|&u>`(B0b_#nFBU4!iZdf!@Kxo^I2ns1D6kgq$u$A;*P
z=OF*TpYP>wnkd4H=pb-k^p@zA(et9|=<4W6(HYUP(Sf*!pn0@TRHC2Y*SLe=mB^Ek
z`yw|*E=BxcZDd(wZe&vAxX7`%d*J9uwFnD;kLLxv6@Cs+3%E0Ub@=>n8g~vXM8~?(
z;r@6^K+|xoup9anPY8G)cMWV0-HYCXn?h&co`EHJGQjxI;LtI+W1wCr6g-GtdmrL{
zfv1D_2X78u7CZ}g3zP+m5Ggngo%Y%Wj}BG~GWosShdTxSh8V%^@+##0lX3-~0WejL
zlznlRKx26%dP)8)KF2)*JH=z-ZgH)+5O)ZiEEb8GVyqY_x{Btaj*#x}?$?M2yy8CT
zZgp>TFLBRApTni@9CxBS)a~K6c8@|VfH>beA31NJ&*1~kt<DwBMknr6IP;tnoZ(Jy
zr@d2vE{DFrkAY7S2Y5d4NZ`)E)q(Q^>A<SMLi9KsjVM6pK+{02fb0L&|E2$Z|4aVu
z{(I5aa1&wxr}Ag{gZwt+_Rm4r{^fi=>i0+RKD-0+`!!I#{}Vp^@8T2jC}OeKAjFqJ
zZvP}ig2u1`Xf@OfooybXkNRw;2&FRD@_kk43jT>l7t>9AuSY1D;U89^i@2AVrWeu6
z`N!VAi*THmC8rnCi})UI-v#tSzT2bo=mq?JkItp%@m(IFn1;XS5z1-!yB?iQH}ZEp
zO4IH9ttyn_Z+e72R{RZ*;s;;nuX%*#Rs2<tPNOmYibrecY5Zl6PNi%3OCFs<PvtLq
zw2Gd>U+@V1toZXDRnVpUZyup<6@S(vG_K-a^#Hn4mGK?kzNK^}f36DQ(VreI#(VH`
zolDC(wVA{Je^h3${r3HipUA$j`oFc_!k+Y>P0V{gvPE<;f6}88x`;pF(E?h+w|g|7
zF5r)QG>^{bk9jl~AErmE&^-Q#N3-#vc-W&^bT)s;BRqS9Kj_gkI-Nh@(NsE(Z}aFx
zI+fq=(Ik2zzt5xbbQ0g{(KtGn-&=*o^DQ2Y#<kqz(I`5a-|f+GI*Q-r(eZRRztf}R
z=<)mxkA~6X`0XAIq2u_iRcIK$&7;9|2*1Un{<IIj$)kR>KflqVzO)~|!J|I3FTXxV
zxayld>P-jpYpYNnew|0h(%$?Uk9yK$`PClvpgs9!kGj(y{3?&S(2o2Hk2=#X{Bn=*
zFb;m1M;&P=erb+yWmkICfp+H?SD}vl5|7%_6u+nnwc!_fga>r+3p{FhXevM7qo%YW
zKi8usv?)KwqsFue-{?^z+L)j1Q2}kl&+-V*+~6B>gjYDvqoY7)dQ_ht#n*dOht}t3
zcvPF#;p;rAMQih{M>T0Jp7E$U4fB*o)o68|^e9TJ@q|Ya8s%}1!n7t&SD^@xd4vEq
zKfMZt`C5+<wdQL)LfD$0>Jj4B{1lIT)Xz`O5#IZ09wCm+S6fnnY`)5)12o82<cJ*P
zD?R#+w&dkGA_w?#j}Y4C6(0S9k;`&Ke&uBzA)w8ddW48JFZBo^ZN9`K#I*Thj}X-6
zi#$Rgn=kYTk!)V#5klE~fk&T{FZlc%VJ1%U2%&90uL^z2i#$T4n-^E1&-h%A5Z>l<
zJVJb%7kY%4HlO7Yg4%qhM~G_k86NE>d-(Jm;mT%v^ge!No?3-=^JyL-&dpEs2(fKG
z#Uli_`DBj}-R52)A$fzm$tQaI5FqC#c=S5i#m85nH~0jP5aQ-zJwl9|kMRgWZa&(h
z7s*R}RF3cp<2>3)UgsmK(2IPeM+kfK;T|E>&5!d4v2H%hBLutoP>-G_JNS?s;q{L9
z=qd67A5?{&=7T*#kem1S2vKg{&m)And0&t4s1V*KM|gz+9wCU%2Uej+cyEso1?Rmy
zLKvJM>k;DMyr)M9g!3LAArj8JdxYpW@8%K0-@L0w2$S<;JVG>_cku|}aNgOY+sRhm
zu?pS6J9&g4IB%aLay@V75yIdcS^UZ{u8M<mWbqAb-pX5h<E|o`c`J_)3g<07LM)uO
z@Cd<h-rOTZz<E=T5CZ2-JVFedH}(iYaNfv!@e8-|X5KD@#Cd^7h>7!t9w8{skM;<`
zZ(iRcM8A1Gj}ZRmbv;7-n<FQ0-s^^~{3vf1qT#%@M+k@WS{@<n&Kp#r^}MD>>&WH4
z9aZQIexyf;iu39oAuP_Td4#w)k9vf_I7h19Tv&W7Kf>FEFgXu<gg7}z8Xs{u6oDcf
z&rvR5;dCCfzh16c%ca$)uHnM!)u(dD>Q$?G!0MH&xZj=#!FBH19V=FHpVj4CIk$T0
z3eHsizZ&aE{#RD-|F?C^7ge5DAUca?@Z^K;LHF<ONA8=*?LX|^>0aYr=&o~5bxYyP
zPjZiQd%5j#m;aHj<NS(h{XNdB&eP5|c=J~}=i(m!RnAGyOlO=k*y--Hb{aU<91ef}
zv%q_S7X#b>cjfijaMlMO5c5Z_GwCAKzbuvOOuC3IVWo1NNf)6mWr<v8(nWwv<vNot
zVhay!mFrBph|OmU<vNuv!nXjhSgup~B4~aizhACX86&l)kX<3yshp95A~s*HQ%NHQ
zb6JsGr_x3W=CHYPok|=jC}eZwI+Z$7fckd1P9={N%wV(SI+Z?BFrCei>r?_s!DMx9
zDutxrL^fGwRT4?T3G76fRcRyzXeTSPDv_iB_Xf+XN+l_nq>fR^Bn{JLR;7~^Okk5_
zRwa}ajA0XGR;82_jKzy)RZ>as87s3YtpqrLT7H>Ti6ymX6dNP6Dz&6w1iMaVRdPwg
zaG6!<B?Y*BSY}m%Nx`rKyJS|Sm=p|V!(>(^nG_6BdsLc9?-?SqD$%515F0GBD%GT*
zw;HCBO$z$6-ZHDwO$u<!ugt21lY+jipUkS1lY&01ugt2XlY-u?kIbsHlY$=V1S;{Q
zpgS8RvnutZpr?8rm3vaqgY}eIm3>mso%N7elYe5}Sa+FK`6soflR8FapcLQ^VVPAq
zsLDO8v&^b2l!EqZkIF+SXvezAtja_w=%7xZa#0G}vko$=vQY}!vGy{n@=*%fuy!)5
zGExd!ur@NQa#9LfsXZzyr2zL6%dE;vDZmZIGOIFE&<Ai6hRmwml-kpj;fJNNQyQAc
ztjbR*zzxPSt1?sy3J!cEvnofW0QVBhtjbbBAHYo<GOO}bYEJ`(6R1p;hNEOw<*F2*
z^|j2ZY?Xq#2l3`qzDhwY1uA2upeCy&vnpq$;0RVzW>wZoL3MV7%&NSVf(WZFvnq3?
zz)>eqxhn;dIWnuVR|*7^GOO}e3S1^+R%NghILwt<mBUgHP{*h&7Bp_)4als@W2rqv
zomyqG6mUjlR^_r30A*HXvy{Z5DYGh{r2uyW%dARisU5f-SZ0qgaDYW*wwncdNM^el
z_=(k(*)9ftQPA1Iuk?V-cCvfuuQJ=w0PYZ$*$xJ9i?GbLH}F0ENoLy_z|Flf+t$Dr
z^gEetW8h2m=2{!rPrsDeRtCPN`(?JJ0o?g3vn}i~^edTdZr}@bOfv%?tFtvV@G1RR
zW}6tmEx$6`*uXyeiOe>#$IyK;TVUWLbxcDKzL43Y4SY!P;cH-EH~mm%k23I%deQm@
z-lgxzY(2Y&zALkJ4ZN-P)bU`q%+@yWCVg9GYiT%$TM%TnrrGlf!>9L13-o1~tziJS
z^vdiJ26i5VbusG?eU9#wS+oAoXVf0E{;1n-W!9`efahe^tUvTAx<h8o`g0JsM98dJ
ze{f4KUev5VfbBAC)*rf^J|VMa{h<#XJVj<5b2*RFhh)~QKPqZ2vu6FFkElIn{h<%j
zM`YHlKN$9~%$oHF_wU{>vu6EKH}J}=S$}W`??W<U)*pHoUNmFYAKb%xm&};;2hR!F
zA~R<F!5zK#%8Xfm@NAKLWX7yN^e%e0%$W6u-l<Mt)*rw&nKA1R9_DeU%$W5D&-}Pu
zX3YA78*;Cc8MFT2$sV`Kj9GsuZs(O5v;N>-T?{kpkGfe`X3YA7Vb{xyS%2uYYM5Dn
z=oRYCne_*IZjl+Y{@_mDD`dv3KlBQ^S!T@oL$6YM%=&}pcU&biX8pmiD`jTB`T1O~
zhMDz8B{F2jtUoFrAu~m0*d}_B%$W5Dw*YUF8MFSVdw^xetUovgd(8Tyk`^*!)*syZ
zd!fvj^#{-VxIkvi`h%N)&yyLm{;0cuWyY*O>h@omG3yUSx<Y2m`hy#K&z2dp{@~8t
z?J{H5A9WkA%$W6uB5@%zX8pk}oH)j;KNLv}nKA1RMGiw|%=$x5qcNE=>kmZ+LuSnS
zLy^Fc8MFRS<S%5#tUt&cO_dq5{@__0_+gp#2hZYIB{OFI!NWXO%8Xfm@c50TGGo>s
zJbt4>X3YA7$8VI&%rG<Y$Z5!oS$}YXWim6w>_HAgW(FHTbX;c4`a=;Mml?DEP{hV%
z#;iXSp>dfp>kma_TxQJrLlGF4nZD+1bLl*pvFi`Q;xc2_AGA51Ei-2Q!IPn9$&6Wl
zC}QF=W7Z#vkhsj4^@k!NE;DxhK|ow)?D~UvxXjq~XB-_bGj{z!Y+PpS`h#G&%-Hn@
zv2dBO>kmTVGGo^tM8ajpu0IHb%S?Ooeh>$j8N2=rp~Gaxu0M#0%Zy!r5CoSQyZ-c1
zFKX8x1jJ>=u0M!}%S;P%YJ|gO#;!kzhRaMdv!}N@rl|*mWyY>Q2!6|qU4Ib!mKnSL
zAoMLWcKt!*TW0L~(@|Z{(dKN3g3F9ue-H$h8N2=<1}-yp{Xqy^X6*XYK^<e)9|XW<
z#;iZ;mN=QQ>kq=;GGo>s+7<<d8N2=<_$@Pb{Xy(oX6*XYP=Q^45C@kTyZ#^yE;Dxh
zK@?nO?D~TsxXeV%`#}s`X6*Wd5V*{k^@k$nEi-ogLC9NX?D~U<x6Ih}2LW%HvFi`w
z-7;g>AB4MQ#;!kzTFZ>zyeLB7GUGFV$hXYc^#_4(nX&5+;@&F%|0y3!@XYtm`FngP
ze~jPFujLo=EI*kq;xnTkMc;@%gXaO<8oeUAF&d9nMCYL+;P7bgX!~eE^a%6={4w$=
zI{%H1^pA9oG>z0k-@jkOU*c(VFNL?G>)-X^P2n@br-qlH=im77;P5ec)?B@CD0DFN
zP3XhWYoVt@_XiuJQa>PnmY>V_<WBVJyIWo>FT`?uGCK9m#FOp@%C53G`t(WhyZBn{
zL3RF<Vyn0j&$&BOoQ58KbHqe36m|Kn@tnbL-CN<czu`XMK7(rfjcy!%dT+M^_4p^?
zNrMH>JMIy#&-u~$)Op@{#JSVC8qXO_!(U(MOm{{*{hiKEQ>T{W{-5^FJzmQ(?fch#
zo#%0`>pt##t%V2`k&;4tWg4_kQKSt?B^7O`q!bECs%x_d*$$(zX-J~68Jl<pjXi_G
z5X0DSrU}U~w0VE$eVymA*89BgGw=I(o@YMq=Xsy;*YUm2>)y1|eXQT_cb&(H69#`U
z8_mm5>(`q5Ok!4=ab~`mZibq^ritll%H{xikharT^Z~s_Pthv6ffitj!dbYF;&>WB
z-RU6OiT0*Yf1<bGzWX=zb2w9QjlM!J(sT4=-9eAigY*&F=v{S-VzXjRc~$v_@}=bk
zm|ifke0+I8xqJDb^4^$u7?!q_K2bwTZ<e0J#KSeE6{Rami%N4a?{HLUQ0a(LhuY0G
z8){ytc?{DSZ^qe-i)+rQnHt_+`FnAX<2=6%_vxPrl{`GZChQNX)wXhFv#`didv8%;
zzTe0Cs|NIe-X!!+_(%P@(A(iV`m=i4)?RNEdOdtYe^^gg`&j6;aD)D&0llt25PCJ-
zq5sr?UeWIftq-5pZwfsbuGfDM!lpL;hS1~T6Z&<bN5ggcRiSm^qxzM4+BQW0Ug(kV
zas65YTBlzYdMJEE|4!(E@P7S*5H_^w=Y<x8%c(x;`!8}Uf%Rl`CVvK)GFoytYu@NO
zS%WR3V<Gr5dZ`eM8NEaZ&Wv6x1ZzfLA_Q+nODbp08GW&=!JW|yg<#KU$>FR&qZh~;
z3>tl*5F8pUd78Cow4`#@qtTMefktad<*ZAiC6%)_jg}nF`ZQW{IIIoPbLIVD&gip+
z;LhmT4d^H>shss^^jWe7gGSF3f<vRv6oN&gC3%B;(@#tCW=$GBO|FDXqt6h6O`|12
zvp$WM9L^dwdWu{Lr$$c}f>om@3Bjw;rwPHV(WeT*t<jRhS-VD0kTv)<db|(}8!gG3
zb!_xFS%YPxPZsJJcG8l=S<^;K4rg5(EjgUEZM0-<*0<4;!&&1-OY&x&8!ZW%wQlqY
z@_z7cwB&HsywM|M4epH|E(FI$4{bpE>Endp+2|ocFm1FXZ`QTZlDt``Mh}uJG1W~=
z)@HpLE$NyyYxF?55^jwiAOyQcA1MUCM)wzjVWayA!LiYjr&-HJ_mMStHoCVEOdBnk
znRRV+Pg#R)qk9O!x6zWkS>r}a@@AbIE$N!IZnUIp@MV;ibj_MKTGBP^-e^hJtbL=q
z`S&ZpztNJQ+39Zj5LttRqq_*f!qJkh72x6MPW5YrA9P0{xH!6l5NsUXUI;#pmaNUX
z*7{PvW({q9nI}8JO-l|}fS02sZNq7<U+Ok;CEOf+fY8RmUv%qw!q4nLA$Udlpa!&2
z?=J*@M@tfCXS(VAWDO3FZXxt>;S;@YJ>eZ%34K)fvu@siKGypP!Sm4)#bILG2U?Oc
z9Mrl&OE70AwP^|F3UGw9q;G|{3h(JX<TYUfX$kELuzvLJvIe_H?^aKRSM;tzFnn|)
zAvivI7a>?adS@YcK6)o1_&mC%0X?H@g<$(=iQlZ%qf4>|uSc^G%pP47g2AJ!gkb7u
z@)XvgBit>Ng>`zBP#R|X4k2uP*0&2S2^Z<xgcgTO^sPeJ@T_kUS`=QQZ>}f2-%6p2
z@hZO%S{PoeR|s7cCi<5RXraDI2%Dhw&xPiP=jxvcVSlr}Ug*4Vp1w}#-0(boZ9U<$
z+#qxgUga90x#2nbYN0vd0)1lxnyar8njOy3%Z0F0T3;!2W;jb<A%v(&UoM2KNiXwc
z-8HR+?7gd|0X?c!J#C+-BO!QiIuwHWrVB!F-*g}Z$4zY)g5{>R3BhwyTZLe{sUL;l
zx~U)PY5P32LkPZ``o00JReuwL4X3^nf)A(uDg^IMZ4rVkr@j?}`=&Mv!G2R;3&EyS
z-!!0=>Z^L%J}-P<2o{|BO9Q%1eJKP-PHhx|3#Yyif(@rW7lK`<{@j3WQlEJWufzX6
z_X}McUZ?L9x+c6<-z#)=c#Zy*&{g5pdacm%@G5<e&@%k{TO)K?xJ=(AbZK~*UhT>H
zjcSw7f8*PmvC-yIeP^Ekcl>AmKdX2e_V*7e_W1ui|6hh(0dv$8HCi33dSj~p0jeps
zAQi$b;iusS><jn}=B=#6hO7+3#?J~*MfiO*ltV}F5Coh$Ll1+@mvib2J@x3;iJUq^
zPpwmra_S5{Y(`kesWbG{!|D-EouQ{5w9j#dp1NP%!KpL!)GBp9r_Rt*_ozELb%vf=
ztM1{{8G2Y*%c(Q;)ZKQ)8G34sx|>sH=wUO&8cv;|r&g=GICX{|Mj)=@)ERns)76|h
zLr>jdKbtf3a6bYrbB3N;sUGIk8G3-*Idz7fx<#$z)ERo}W_1gv&d|eVjGH-ihMrns
zU)mXZSXsfTGxY2*!D3o5^srU$#vPnGKTqALZs64Ud6>;`Bd5;KQ`c=PaO(U#b&a}?
z(?V|h!NR+S)4;)%xGcHQ!4>LCPA+h8xw?Xr^BpWxmvb`T!DVV0C-WREwJ&g<gH$c$
z<Xi`dN;x^lL97x^=KANTn3FjUme}W<?O?H5!pUq0m#D>@%yKYaUBby(4lcBBI@7^I
zbs;BbI=DzJ<Yb0}1?nPBru*lp1)NNCaDjc!84k`@7jSaAgZb)wPNq7Tr{;4q#lcK9
zkCVv`X4_9N$-!JTo0HQV%u#bWIn}}0Y7Qq8{d3gWoJ?>q%RXnkgR|5uPEK(!Q=P@h
zI0rM-OioUAFip+iWUPZp>S|8LIGC!YaWdM$6g8ETlN?M|Q#ctV&za20i4G>(Kf*`{
zr>IGsoFFiflj9wXQKxV+!ogVkoZ+%EmXl!)MyWBJ40UiEvZ3TS2gj@9I2qz#ggTy+
zV;u}vBRDz6!7w$Plfe##s$rZAa&Vj)%E{3V`q@u#l!L*lA14DH3{rzR8Q|b(HHecV
z9UP^O=A^%af$Atu`Z*Y&26EEZ!I5eJCw(0BS4VQv+d)6opOan=`r0?`>ELkHmy;e2
zdaJ`ZIl@6N)ti&U9rRSaI62Hg57m>CpE@`~_28ttgTvJkoczSWVfNJyb<o}Z5W5K+
z#z|KP?d%Wa5C>gVJ5IVdI7D^jq_cxA>JUykIq0mqaMIC1C)Jsg4h}l1PMoxN&_Q+N
zq@9EIsskqnJ7}lcb8?V_gYBCh=-@zgFehytv{eUk(#Am>yK;bo)~XFBtp(b0vcH3t
zsx>FA9PFoBa?;X43$-67`#IQKwcw<Mtl*_x`%%r*-kkXM(?m7n#J8X3_Bp=&?5&z}
z;@i(&_Bp=&G*f$V;@eMC`vSiGG*L}C@$F|%)r1q@ej2MiIq~fWyMa0J?FZX|Iq~fW
z`++&}?WbBb;>5R~8vEDi+fS{k;l#He>;vY+x1Vae;@c0aYEFFnDcKkB?T1x~6W@M{
ziaGJ^$EYGFzWtCgocQ(=D&oYqA7x+7wI3BK#Yv_8;8r6H_2tC(p8)+Q@%<+VcW~nR
zPq;$`oVflIZrz6eU0nacF+rO+as4O!KKvWUuK!>Q;`bc8{)3@~-*N2vkKHHCvFkth
zjpSR7UH`$@p)DM{{u6G(`^2vQV1Mv89J~HwHwbg=`VV#pf61}yKbVKOiDTD)urGKc
z$FBd_jlmqd{)1nFzTnvPAIw4C%CYM|fKNGg{m14b9J~G#eh|LTvFkrr`G8~BfA9+x
zR$TuH-?pFH^&jjgew$<0f3S7<U5;J<!3e}Za_ssKc51%EvFks0H9W`lA8ZZYz_IH;
z*fWfmcKs)OBYd4>*MD$K(;FO*&;R|{?Zh0r{$pnqbL{#LHWcsR*!3U4D;&H26TT9@
z%CYM|;Y-_waP0a|_<Z;h$FBc`&)Ahw?tPvPpW)c`pYZAMd5&HG36b7#?D`KT5U%Ig
z^&d<ie3E0=e=vdY365R=36aNe?D`K*U&8yi{)54O>o|7(2a^sT<=FKfJO?YT|6oku
zBOJT_gVBNyaqRj}c)xu$*MBgM@P3Y6|FNewaqRk!J+_Hs*MID}O&q)avkfDjId=Ug
zz-{ClyZ(dSwfG^r{$tN^;@I^cj4)iwvFktKs%<B6+}r)!R)?!NcKs*3GhEHF>pym|
zAIGl$Y{MjJj$Qx3@9KDI*M9)FaqRjJrgN?2*!7?AW_x#QclSQO2yf=t^&d<i`~}CZ
z|AaS%D>!!j2jd8D;@I_{@Mrb~T>r5Wo@3X4Fazv5j$Qu=A>cW7{U?Ne=h*chY&E``
zW7mH|sCSNC|FKpY$FBciHensduK!>h;WCb0|G@~u%Q$xZ$BI{uUH^er!E;>y!9cQ%
zW7mJ|!A=~z{)72{3CFJggp2H(y8eSr(2F>B{Rcw_mvHR*k3H#$;}-7c21kx#*MCA-
za2&h-g8_mUbL{#L-e)1luKz$KUBt2LKOyWej$Qu=&$XYx^&gBDJeT7p?tS3IaqRj}
z2qTVT*MG2A`#g?a|G~^aJjeB)5WXA7uK(bD=5p-%4<-=K;n?*bOdy=ivFks`gJ*Fm
z#0IHRg@2tN|Hl&jzn^9QyZ736!EXEgqfOD)%1--+yX^Z{_Sqj=*=gSld+lqm)86i~
ze*^pM-7foDja~Ks>rQ*W&wg=nY=gb_=g`Lg&0hO=vA@24ul;<QPD5!N^`)+K05#Dc
z;Jk$G`YX)ZdrCj32k2G$2Aq;`sa~MZ(i3&};t+k1T8C+SJLynuQJ<(c)pNz(|8}aM
z-xX2wUCrk;8)`TIpYFqe;$5MxP>Z1LC#zBAt1$`T0^CV(8m1tODj!qsjXbP5?j~qk
z-lg<I*_1Y6BElQEpWs)e$4b|iR+gq>D#AkCQ!utPwA3F{5e~L95uo|qRuMJwM0(%X
zCyXRNcU*PuLQkpZ3g_B;aji@yiAk(ZCW%n2P^LO>yIG}7nGmEhr9#lkl;Aa6RbCTf
znc@a(D`=_TVgrRti`8?%*2;yD$aINZ2#rjOgdmdXVj-wxS||jWOcx13C({BU2xYoZ
z2uhhQ5Q0>u^M#<5X}%D|GR+f$8$#m1TRVirfwz7Li9c=)5fWeBIwB<Qyfr>Z9C+(|
zka+G2qM2sN`#~tvOd%*`I#UQznPv!Gs20%ldcvnZO9;}LrU^ki(-}e#&vd#F)H6*L
zf_$baLeS4NSqK7}CJ8}7(`iDG&~&QMY;`tG6oQDR2|`fOG+qcYnobddj;3)!5YlwA
z5R^2H6@rweF+$MNG+GE^nobg$q$blSA;@VuQ3!gPMmC^{bb=5RHA%{>AgO6YgSD|V
zTnM6?h6zDc(@-JEYC28`x|)UvL0HqVLQvLpj1Z(X4Hkm7ra?jw*L1WH)HNL?1bIyZ
zg`lr#fDi;W9VrBbP5p%+v8kUBG&c1Wg2<*mLQvV%TL?0ndI>>iQ%@lXZR#NerA<c&
zL2A?CLeScDm=MG^{Zt5Qo4N}@ZqrYMpttGJ26Py86N2I<NuU)ZHyt8t(A?BT2%?)h
z3qf^LCn3mg>L>)=O&x?Fys5nqlsB~#g7l_?g`mCZAR&lvI#3Aeo7xINep4GE=x;ip
z0kx&pLQvqezYruiwGx5`r<Otx;k2Jn3%o-MA;@srR|q<s_7Q>*r{+RX;<UFAq&V#*
z1T9X@gdoPLsSwmSH4%awr#*$B$7v5C2y)t82#TB<3qg|8ZbH!Hw5t$AIW-c3DyLn9
zAj@fIA?R}2NeIH6YK7oq(rh8zlC54B!d=wrB_U{dsu6;Sr)nXncq$7)##2cMI-Xbv
z+MOaH$a*R^AVpO|kncqG6z(AH$qIN<LQwD&3PHkCK?oY20wIWay+a5pUT+tIjMv+Q
zpyTycAqaW>qY%WqmgLi_cm2JrLB8wn>IrubN}6ibyp~kd%6a{*TnRm|w+KPd>u-dh
z==J6X^r`+DzvakJ!+Pug4}WifuTJOrPp4q4)44)$*6AFfr7EVm^@RTu<_W=Rr#V8f
z+Uaah)~e873jMviJYi7iKg*SHDD)RX|Mz!*!T`~Kk>|m{(4Pvyr_dh>{Uh!bg?FLf
zm3M%7q5miZ_d>rT1p7k2Ed<L#ztw=A(Hn&RtK5GIYeT;%pBk=*mhT_yXXxi-4Tgq(
zRtUa@eyRc8qkk&|=R&U+f?J`V5Q1Hy9~XjOp?_0P+fLF?3c<0^k2Rp%^rJ%XEc7}d
zm=^jGA-ER$VIkNS`XM3s7WzRU7#I52o@~TMOY6U2D?;Ia(hzdx!KypmEQH*Vt`kDM
zNLLFXU!<#q5HQkmAta1+r4S-Ux<UxSCSBivR@3D|h#YB|5cWXpqyhbBNUMJ>rXaMC
z{|BGxPi_AHdF^|(uhl+V`&jM0wYS&aSbIh7lG^z=0pPUSlQ6xnUv2l=_O&f*_pGf!
zgZv(60DMsM2e<~0*E~>jXU&S5t7;NV@tciP0LIn~!yLcEu^XUuO|zPvYfSZz)nDNp
zfDP5Zt6pFIQ1zPXTd*gfu6kkh-0CxM62S4*M`NPjA=PcGn^*5zUBu3SZ_1zHEPz+b
zPnXw~*J7^U&&tcnmz2*d&%mAW`Dp-M%B?ZmueuzRzA1fDdaLw8>0h8_Z^KCdY3V{t
z_dB&T66XLMQR-M~S=znCyp6x&5BUv#7W4h?=9~E{>@Jwc)A<x0&PQ_h%KZOEnDF<v
z;>O~8*kAD5;)BIIi$5>o=<wp);?&|8%=qh5>{@JtJN0XeVf1bES@d@FQuH{c{{IqF
z{_3Iy(JbsSI58R&^@ut}t)e}mQq}gVui-zuS@k@28mz6lwd$Ixr0V>tGpi<49bYvN
zlm6OQwW!(+dkuaxo6P&>HS@H2*xY4Sm@6^s?_6_+IT^bR`k6z`fo5;Bv(fY&eSv9z
zuh4q>HTE0aNXzJAnnP1)G#yL5=@7UOO{s<o*l+Nu<n{k7{`nL5=TCs^^7u;y_hM>(
zT^@g_LhtSGa$O#OsY1^}Z?4PZFIDJ)jc|2&{G|%ruo12<kH1vmQ0y<O%i}M*awyk@
z728%7I%Bh0T^@g_g5A1Sm&aeKV7IPidHkgccI#S}$6u;ocdKQ2{G|$Qu#YXv<1d8`
zYHc~o<1baP8`QG%-21e}r_S>D%Rc8o&hq$66<QbCaF)kkYWur|*2Sz6e-%`r#SYH$
z^h*_*@7S5MJpEEws^Kh8zf@r_Y;eo+^h*_*753sRPrp>5iCxLlFICvH(1f!*{ZfTJ
z3VU)k-F>t@>}7fSr3$-YPg|C!U#id;+t{)^{jw{KIm^>8RoE3f*RnkQQiYuhyK<JN
zU#d`xV?44v{ldq@X0<F&zf_@sJ#AT@eyKv)UY4g{n08qxbC#!Hs=zqyBOC8N8{5nB
z^h*_@0&|w9U-oAZah9iFs$dF=vpoH>D~7W?{Zjaw#Y&!jse;DgBUzq)*~>I%qul$1
z_Od+vvL7_$EKk2wupQ@(WO@3ff^GKW<ms0Re#99iS)P8W;5!@_lI7`_3jP{=$620!
zslXmFlI7`_3bx?Dk}OZZ)Q+8T-bj|GUn=;r(4v@C(yxLFHfEe1lYg|}3!Ed8<>8kK
z?9m}v9)79dv*2^i^6*Oqn4rd49)79dL;IXO{8GV3!H1mX;g?<ch_gKWQo*0>N*;cx
z;C=g?Jp8gN?{k)iUn+PPr-fvB_@#okg10&A?LOPvI3OhJ<={;m1Cr(8mkR!XV?eSz
z{8DyK8fSU<rGi&*3`mxTUn+RnzFHoBso-@BdHAJ**MiqM>+W9q_rYtN<>8kKUJZWF
zSss4bS9_JSJp8h+_6lct_@#p1;ee1V55H9KA`S@2^6*OqF9a`gmWN*|cs6)}vpoD#
zm|gxXXL<Ogg7r8LBg?}t75p|>&siRR*_GdN*3NylC+$ieeyQMz;7QK%@Jj`c2TyR8
zhhHjq)V^9CeyQLw9Kw<1;g?-`jI%uaQo)1vvON4!!6WvvJp59@!@(n*<>8kK>@gr&
z9)8*9Jj7WZeyLzB4ll`CxX<<g&IHN!b#QO+0B3plrGoo#@<*13U-tX;KF;#+O9l2!
zkSq_s?5q8XvpoD#!J6PM&hqd}1$WsG+Qhx|s$dOgdHAJ*JAzf5<>8kKZVT?<EDyg_
zaI1wp{8GV63wiiuFI&l39)79dmf%*-^6<;TZJg!dmkNFn+``$;?oC(VypU`s2ll*>
ztk%H|I4>l_FIAW@qJry#8#t?Wa9wacXJrRh<BX83<N#yOIAaHxdd8XWKFjT^x$YBO
z7A!AjmF|Oork7`&x#klr3ohr(H6L8Hj5F7Kf;ybmlPUMgbvPCzbIm76aS}*|uc*rB
zTpBFkEO4+SSjwquKEdK(38$|41eXMhId#n^z-Tj0UGoVp#)%)PYd!%6n{n!zPk>Qo
zoVw-{EC|wKYMT%4SIltwM{0Wy>e<1UQEFQc##hdKDoSnVK{;b)l-j<7a{7!YwOt40
zwCPc5dk)IUxWINCl&7P#{RZXK)1%aO8<bO~Myc&JC?`#hQrl^4IVDPMpFueRPqSSH
z<-`e5YI}@*bYhg+4uf($9<}`i<+$-tYP$={lgCA=?JX!rpB$yOv!EO^I!bL{v5$_4
z(g}Gv5^rI93LZUiWR#xb9z8Ki$K~Y-c+_?iTrd=`V0#J55hp~c?Ib91%tvbb2+Co@
zqttd0d+o3&wLJvokV#Q$JBTfZMyc%|C<o(F+dXVKBuZ`XKsjh|l-kaLvd^?AwS5ES
zz(G-Jy9UYu1EbXT43vEbM5*l<DEs5D#r6x7IJYCU-NIhbFG_8*K-s5nl-gE-vR9ud
zwT%L0k6uw~+XTv|dPJ#h5-7XRj#AqqP<GoKrM5w!?Ak3#ZF@l3rE8Sh=76$umngNZ
z0cEGoQED3l%66Tiv`=1kY!{`rDcDClMyYKHC_CWMo_X26LzLQfU@vGNrM4NMY=aAI
zD?o`;H&WXOP~y~$)V2YXEn7vYZ2~CwX&I%q1)yw!&ube1N*utE+OL0m!M;&yzx+`)
z-zQ4#S3k<8yG5z};z!w}X_VTpeUvzsBeh@pC~+)DYQOSP;#iK<e&M5RynB?|uX~ic
zHIGvJWskB^<0!RX^(Z$tic<SUkFutFl-jR(l%<*|wO{fmqf(UGuXvPIQIy&*c$B6p
zO6}J>N-|MuzuZx3ic<U4j#BBW)PAuSQC6k<*$0aXw-x7K=^@U1@6Of3f=|Pi0d~U9
zsP13gy}DiXe${(am#c&F7O3!dFk63p`N8t)@{02E@={FKKNA{!WO-1zXSoaJ>o>#x
zbY1$sw6XLjOxS-0`_u0!-3k?+VaEP!>`)(F8dB<8Iuuj(_rV_jh_^zAe}p;vFJPDd
zeSACLfV21(@j2M%KMqQK03U`~`z^84zsx~#3r^yDr}#4V`af7)U0hLIj(Pj@vD<%Q
zab)r6;^D>i#eIv7iWGepeGV=DB2M62iz$6qMQ21yqVu95(O8_m*CpB?N}Q{<R&BzJ
zzV%hFR$X89KvjnG_bz}AA73@Rs=wJ>btq=^)zltV)vPKotIbE|4f70?_(Jn@vkWKi
zon}UwcIGH^nAykd0u}yO`iwTvVtRqj!P$HF(9N`*kRH-8)Cs32w4}!R2b{aNQNOI;
z)lcaA^h$j#&P_O9pQ4B1#Jz61jc%%|)ebdKeT_2{9#S`km#Ej()3_P^GIf!frA}2R
zsGs8Rra6ueQMe)PTij{&7VdSr8%K{`iTgaJhR1|GYd^x+vzE9opy70e*_h8zna&WZ
z0z`uGUUEex81E%lWP<Ttaz!VYxy}%?Lcw_R*vm%eLRD0V@jml^$~#oFi1GGxMT{69
zp;Xj}nI&%yIbzNdf*vt5g&;`GnL<z`W<~>QZl()ClbC5j5GBUP+7(q|PM0;v5;Ii@
zy2MNof-o^Y)~+ZMGfCDUO^lDVE84`IDr*oYW}*<(iJ8!V3TC_z^ocn|2m-~76M{l9
zKGv>C6f;)Vpi#^iA&3++S_mq|oFoL9Vnzu;r<fBxS)pP^3PGuu6NDgD%<)3dDrSTb
z#EKa%1hry@2|=!yp`NT>F~@nbg2muuVf^xfUml=X%(1cr$zqNXf@U#;g&<mtPqizm
z#T+ebkS*pYA?Ow}Pzb`s_*A>1T+ETO2I*pas$J18rk|`qyqLa1P%oyB5af&LEd>2y
zdI>?mn4UsVFvh3a6$xXGkTqx+bGQ&hj5$mQD#rX&2r|ZW7lMv4KM{hEF^394$(U|J
zkTRyL5VVXrL<nNWbP<A@F`b1VXG|v{=o!;d2!h7=RJ)>ROnX^_q%rM;plQs(LJ&2^
zr`i=&V-A!x$QsjD2)f3!5rVKWKGm)$8`E0WAZ^V4LeMs*l@P>@X(<GCWA+n*yfH0=
zpl{5+LJ&A+A0a3l<5TU5#4&rz8Z?gCO9&#zG!uf#F-?Uab4(K<=p3`B5QL7|LkLR8
z>@EbUV;T!V>zLhyAa=~I4d^!0NC<Mr>>>ocV|EsT;4wbcRsj@`sg*TI9#bO(&0~C&
zq5_B><FjfNK=qiCTnX7@xB=Z{ib4=R2FDP)f9{uOrb?C|eT)%;_Aw*`@nduYy38mc
z$R865LI0S75Co73grI=P2iM9<Alfc#&_J|J2qK8K3PA<Yk3x_^^n(y|5dF>mfiT~|
ziXZyU-z+!tDf+9gXUwE;eLZ~!ZSnQA>GX}SPoGI&`+Dl>^p&rtOeKG?2~-ko_K#1R
zLVuBZGHvqp#0lgNKY=EqjsEco6X^?IkDoxF`+D4X`pnlSkE2h0J!Uk0?Ca4d(<f4o
zp^toh;z;_y*CS`rhf@C=Hw}(Bf!_7k3?D&%^!2de^p3BGj;8md9!78bddMW&AoWms
z%h!V^(VJ2ap+ER~&|rGQ*8>O9YrY;Zkbdv${!h^>zV6qbUiNk00raZW{pfeT?lX;E
zm%1;#<m+C2=tW=m=tVF1y8CQ;&ez>G)3d(r+Kry^b(gO6w6E<=mA>xOnfzfss$)BP
z(m&pz9X;;r_8sUqzHZlv)=S-yo{+jd{fn>Lw4=v-y?+~e)Yq-{r**z=*@_<Vb&JjP
zkgxY`K@a+RpO*Bn)cew}ecgN?dcfCBccc4#-J~hq=j%P2(7nFiV^8{(uXo>r*7~~f
z?sSi@cWX{}`?^tMTI1`Q?zGz1r5d`^*HMX9`MN5iJA7@b=yqR|p<nu16Rq?$B-Cw;
zf6Ug&P;{#;@l~aE&@KLo&5h_TUq97@p7;Os;epWin5h1F<(5?JiKP|pJ0i53V*kOn
zf&TXhtZm!Ce=gSd^mkJIfAl>)l}yRRz8Tn1$t)E@s$`Z3AyzVrg^(+mON0<CnMFcK
rmdwRMh?dMkA!JMDA|ZrJW`PjWC3B$=;w5u|5b`B+z7PT?Gyi`8y&u0$

literal 0
HcmV?d00001

diff --git a/README.md b/README.md
index 801d0c7..6b6029c 100644
--- a/README.md
+++ b/README.md
@@ -167,7 +167,7 @@ python -m pytest -q
 Run the auth/OAuth interaction coverage gate at 100%:
 
 ```bash
-coverage run --include="tests/test_auth_routes.py,tests/test_oauth_routes.py" -m pytest -q tests/test_auth_routes.py tests/test_oauth_routes.py
+coverage run --source="routes,models" -m pytest -q tests/test_auth_routes.py tests/test_oauth_routes.py
 coverage report -m --fail-under=100
 ```
 
diff --git a/tests/test_api_routes_comprehensive.py b/tests/test_api_routes_comprehensive.py
new file mode 100644
index 0000000..aa04d7e
--- /dev/null
+++ b/tests/test_api_routes_comprehensive.py
@@ -0,0 +1,1088 @@
+import os
+
+os.environ.setdefault("SECRET_KEY", "test-secret")
+
+from flask import Flask, jsonify
+import pytest
+
+import routes.api as api_routes
+
+
+def create_api_app():
+    app = Flask(__name__)
+    app.secret_key = "test-secret"
+    app.register_blueprint(api_routes.api_bp)
+    return app
+
+
+def auth_header(token="valid-key"):
+    return {"Authorization": f"Bearer {token}"}
+
+
+@pytest.fixture
+def api_client(monkeypatch):
+    app = create_api_app()
+    monkeypatch.setattr(
+        api_routes,
+        "get_key_permissions",
+        lambda _key: ["users.read", "events.register", "oauth", "discord.manage"],
+    )
+    monkeypatch.setattr(api_routes, "log_api_key_usage", lambda *_args, **_kwargs: None)
+    return app.test_client()
+
+
+def test_require_api_key_rejects_invalid_api_key(monkeypatch):
+    app = Flask(__name__)
+
+    @app.route("/protected")
+    @api_routes.require_api_key("users.read")
+    def protected():
+        return jsonify({"success": True})
+
+    monkeypatch.setattr(api_routes, "get_key_permissions", lambda _key: [])
+    client = app.test_client()
+
+    response = client.get("/protected", headers=auth_header("bad-key"))
+
+    assert response.status_code == 403
+    assert response.get_json()["error"] == "Invalid API key"
+
+
+def test_require_api_key_without_required_permissions_allows_valid_key(monkeypatch):
+    app = Flask(__name__)
+    calls = []
+
+    @app.route("/open")
+    @api_routes.require_api_key()
+    def open_route():
+        return jsonify({"success": True})
+
+    monkeypatch.setattr(api_routes, "get_key_permissions", lambda _key: ["any.permission"])
+    monkeypatch.setattr(
+        api_routes,
+        "log_api_key_usage",
+        lambda key, action, _metadata: calls.append((key, action)),
+    )
+    client = app.test_client()
+
+    response = client.get("/open", headers=auth_header("k1"))
+
+    assert response.status_code == 200
+    assert response.get_json()["success"] is True
+    assert calls == [("k1", "open_route")]
+
+
+def test_api_current_event_success(api_client, monkeypatch):
+    monkeypatch.setattr(
+        api_routes,
+        "get_current_event",
+        lambda: {"id": "hack-1", "name": "Hack 1", "description": "Desc", "discord-role-id": "123"},
+    )
+
+    response = api_client.get("/api/current-event")
+
+    assert response.status_code == 200
+    payload = response.get_json()
+    assert payload["success"] is True
+    assert payload["current_event"]["id"] == "hack-1"
+
+
+def test_api_current_event_exception_returns_500(api_client, monkeypatch):
+    monkeypatch.setattr(api_routes, "DEBUG_MODE", False)
+
+    def raise_exc():
+        raise RuntimeError("boom")
+
+    monkeypatch.setattr(api_routes, "get_current_event", raise_exc)
+
+    response = api_client.get("/api/current-event")
+
+    assert response.status_code == 500
+    assert response.get_json()["error"] == "Internal server error"
+
+
+def test_api_all_events_success(api_client, monkeypatch):
+    monkeypatch.setattr(
+        api_routes,
+        "get_all_events",
+        lambda: {
+            "hack-1": {"name": "Hack 1", "description": "Desc", "discord-role-id": "123"},
+            "hack-2": {"name": "Hack 2"},
+        },
+    )
+    monkeypatch.setattr(api_routes, "get_current_event", lambda: {"id": "hack-1"})
+
+    response = api_client.get("/api/events")
+
+    assert response.status_code == 200
+    payload = response.get_json()
+    assert payload["success"] is True
+    assert len(payload["events"]) == 2
+    assert any(event["is_current"] for event in payload["events"])
+
+
+def test_api_all_events_exception_returns_500(api_client, monkeypatch):
+    monkeypatch.setattr(api_routes, "DEBUG_MODE", False)
+    monkeypatch.setattr(api_routes, "get_all_events", lambda: (_ for _ in ()).throw(RuntimeError("boom")))
+
+    response = api_client.get("/api/events")
+
+    assert response.status_code == 500
+    assert response.get_json()["error"] == "Internal server error"
+
+
+def test_api_register_event_requires_json(api_client):
+    response = api_client.post(
+        "/api/register-event",
+        data="null",
+        content_type="application/json",
+        headers=auth_header(),
+    )
+
+    assert response.status_code == 400
+    assert response.get_json()["error"] == "JSON data required"
+
+
+def test_api_register_event_validation_failure(api_client, monkeypatch):
+    monkeypatch.setattr(api_routes, "validate_api_request", lambda *_args: {"valid": False, "errors": ["bad"]})
+    monkeypatch.setattr(
+        api_routes,
+        "handle_validation_error",
+        lambda _result: (api_routes.jsonify({"success": False, "error": "validation"}), 400),
+    )
+
+    response = api_client.post("/api/register-event", json={"foo": "bar"}, headers=auth_header())
+
+    assert response.status_code == 400
+    assert response.get_json()["error"] == "validation"
+
+
+def test_api_register_event_success_and_optional_fields_passed(api_client, monkeypatch):
+    captured = {}
+
+    monkeypatch.setattr(
+        api_routes,
+        "validate_api_request",
+        lambda data, _required: {"valid": True, "data": data},
+    )
+
+    def fake_register(**kwargs):
+        captured.update(kwargs)
+        return {"success": True, "registered": True}
+
+    monkeypatch.setattr(api_routes, "register_user_for_event", fake_register)
+
+    payload = {
+        "user_email": "test@example.com",
+        "event_id": "hack-1",
+        "phone_number": "123",
+        "address": "addr",
+        "emergency_contact_name": "name",
+        "emergency_contact_email": "ec@example.com",
+        "emergency_contact_phone": "321",
+        "dietary_restrictions": "none",
+        "tshirt_size": "M",
+    }
+    response = api_client.post("/api/register-event", json=payload, headers=auth_header())
+
+    assert response.status_code == 200
+    assert response.get_json()["registered"] is True
+    assert captured["user_email"] == "test@example.com"
+    assert captured["tshirt_size"] == "M"
+
+
+def test_api_register_event_service_failure_returns_400(api_client, monkeypatch):
+    monkeypatch.setattr(
+        api_routes,
+        "validate_api_request",
+        lambda data, _required: {"valid": True, "data": data},
+    )
+    monkeypatch.setattr(
+        api_routes,
+        "register_user_for_event",
+        lambda **_kwargs: {"success": False, "error": "failed"},
+    )
+
+    response = api_client.post(
+        "/api/register-event", json={"user_email": "test@example.com"}, headers=auth_header()
+    )
+
+    assert response.status_code == 400
+    assert response.get_json()["error"] == "failed"
+
+
+def test_api_register_event_exception_uses_handle_api_error(api_client, monkeypatch):
+    monkeypatch.setattr(
+        api_routes,
+        "validate_api_request",
+        lambda data, _required: {"valid": True, "data": data},
+    )
+    monkeypatch.setattr(
+        api_routes,
+        "register_user_for_event",
+        lambda **_kwargs: (_ for _ in ()).throw(RuntimeError("boom")),
+    )
+    monkeypatch.setattr(
+        api_routes,
+        "handle_api_error",
+        lambda _exc, ctx: (api_routes.jsonify({"success": False, "error": ctx}), 500),
+    )
+
+    response = api_client.post(
+        "/api/register-event", json={"user_email": "test@example.com"}, headers=auth_header()
+    )
+
+    assert response.status_code == 500
+    assert response.get_json()["error"] == "api_register_event"
+
+
+def test_api_user_status_requires_user_email(api_client):
+    response = api_client.get("/api/user-status", headers=auth_header())
+
+    assert response.status_code == 400
+    assert "user_email parameter is required" in response.get_json()["error"]
+
+
+def test_api_user_status_service_failure(api_client, monkeypatch):
+    monkeypatch.setattr(
+        api_routes, "get_user_event_status", lambda *_args: {"success": False, "error": "not found"}
+    )
+
+    response = api_client.get("/api/user-status?user_email=test@example.com", headers=auth_header())
+
+    assert response.status_code == 400
+    assert response.get_json()["error"] == "not found"
+
+
+def test_api_user_status_exception_returns_500(api_client, monkeypatch):
+    monkeypatch.setattr(api_routes, "DEBUG_MODE", False)
+    monkeypatch.setattr(
+        api_routes, "get_user_event_status", lambda *_args: (_ for _ in ()).throw(RuntimeError("boom"))
+    )
+
+    response = api_client.get("/api/user-status?user_email=test@example.com", headers=auth_header())
+
+    assert response.status_code == 500
+    assert response.get_json()["error"] == "Internal server error"
+
+
+def test_oauth2_user_info_invalid_header(api_client):
+    response = api_client.get("/api/oauth/user-info")
+
+    assert response.status_code == 401
+    assert response.get_json()["error"] == "invalid_request"
+
+
+def test_oauth2_user_info_invalid_token(api_client, monkeypatch):
+    monkeypatch.setattr("models.oauth.verify_access_token", lambda _token: None)
+
+    response = api_client.get("/api/oauth/user-info", headers=auth_header("oauth-token"))
+
+    assert response.status_code == 401
+    assert response.get_json()["error"] == "invalid_token"
+
+
+def test_oauth2_user_info_user_not_found(api_client, monkeypatch):
+    monkeypatch.setattr(
+        "models.oauth.verify_access_token",
+        lambda _token: {"user_email": "test@example.com", "scope": "profile email"},
+    )
+    monkeypatch.setattr(api_routes, "get_user_by_email", lambda _email: None)
+
+    response = api_client.get("/api/oauth/user-info", headers=auth_header("oauth-token"))
+
+    assert response.status_code == 404
+    assert response.get_json()["error"] == "not_found"
+
+
+def test_oauth2_user_info_success_includes_scope_based_fields(api_client, monkeypatch):
+    monkeypatch.setattr(
+        "models.oauth.verify_access_token",
+        lambda _token: {
+            "user_email": "test@example.com",
+            "scope": "profile email dob events discord",
+        },
+    )
+    monkeypatch.setattr(
+        api_routes,
+        "get_user_by_email",
+        lambda _email: {
+            "email": "test@example.com",
+            "legal_name": "Legal Name",
+            "preferred_name": "Nick",
+            "pronouns": "they/them",
+            "dob": "01/01/2000",
+            "events": ["hack-1"],
+            "discord_id": "123",
+            "discord_username": "tester",
+        },
+    )
+    monkeypatch.setattr(api_routes, "is_admin", lambda _email: True)
+
+    response = api_client.get("/api/oauth/user-info", headers=auth_header("oauth-token"))
+
+    assert response.status_code == 200
+    payload = response.get_json()
+    assert payload["email"] == "test@example.com"
+    assert payload["discord_id"] == "123"
+    assert payload["is_admin"] is True
+
+
+def test_oauth2_user_info_with_no_granted_scopes_returns_is_admin_only(api_client, monkeypatch):
+    monkeypatch.setattr(
+        "models.oauth.verify_access_token",
+        lambda _token: {"user_email": "test@example.com", "scope": ""},
+    )
+    monkeypatch.setattr(
+        api_routes,
+        "get_user_by_email",
+        lambda _email: {"email": "test@example.com"},
+    )
+    monkeypatch.setattr(api_routes, "is_admin", lambda _email: False)
+
+    response = api_client.get("/api/oauth/user-info", headers=auth_header("oauth-token"))
+
+    assert response.status_code == 200
+    assert response.get_json() == {"is_admin": False}
+
+
+def test_oauth2_user_info_exception_returns_server_error(api_client, monkeypatch):
+    monkeypatch.setattr(api_routes, "DEBUG_MODE", False)
+    monkeypatch.setattr("models.oauth.verify_access_token", lambda _token: (_ for _ in ()).throw(RuntimeError("boom")))
+
+    response = api_client.get("/api/oauth/user-info", headers=auth_header("oauth-token"))
+
+    assert response.status_code == 500
+    assert response.get_json()["error"] == "server_error"
+
+
+def test_oauth_legacy_user_info_token_required(api_client):
+    response = api_client.post("/api/oauth/user-info", json={}, headers=auth_header())
+
+    assert response.status_code == 400
+    assert response.get_json()["error"] == "Token is required"
+
+
+def test_oauth_legacy_user_info_invalid_token(api_client, monkeypatch):
+    monkeypatch.setattr(api_routes, "verify_oauth_token", lambda _token: None)
+
+    response = api_client.post("/api/oauth/user-info", json={"token": "bad"}, headers=auth_header())
+
+    assert response.status_code == 401
+    assert response.get_json()["error"] == "Invalid or expired token"
+
+
+def test_oauth_legacy_user_info_user_not_found(api_client, monkeypatch):
+    monkeypatch.setattr(api_routes, "verify_oauth_token", lambda _token: "test@example.com")
+    monkeypatch.setattr(api_routes, "get_user_by_email", lambda _email: None)
+
+    response = api_client.post("/api/oauth/user-info", json={"token": "good"}, headers=auth_header())
+
+    assert response.status_code == 404
+    assert response.get_json()["error"] == "User not found"
+
+
+def test_oauth_legacy_user_info_success(api_client, monkeypatch):
+    monkeypatch.setattr(api_routes, "verify_oauth_token", lambda _token: "test@example.com")
+    monkeypatch.setattr(
+        api_routes,
+        "get_user_by_email",
+        lambda _email: {
+            "email": "test@example.com",
+            "legal_name": "Legal Name",
+            "preferred_name": "Nick",
+            "pronouns": "they/them",
+            "dob": "01/01/2000",
+        },
+    )
+    monkeypatch.setattr(api_routes, "is_admin", lambda _email: False)
+
+    response = api_client.post("/api/oauth/user-info", json={"token": "good"}, headers=auth_header())
+
+    assert response.status_code == 200
+    payload = response.get_json()
+    assert payload["success"] is True
+    assert payload["user"]["email"] == "test@example.com"
+
+
+def test_oauth_legacy_user_info_exception_returns_500(api_client, monkeypatch):
+    monkeypatch.setattr(api_routes, "DEBUG_MODE", False)
+    monkeypatch.setattr(api_routes, "verify_oauth_token", lambda _token: (_ for _ in ()).throw(RuntimeError("boom")))
+
+    response = api_client.post("/api/oauth/user-info", json={"token": "good"}, headers=auth_header())
+
+    assert response.status_code == 500
+    assert response.get_json()["error"] == "Internal server error"
+
+
+def test_api_test_endpoint_success(api_client):
+    response = api_client.get("/api/test", headers=auth_header())
+
+    assert response.status_code == 200
+    assert response.get_json()["success"] is True
+
+
+def test_discord_user_not_found(api_client, monkeypatch):
+    monkeypatch.setattr(api_routes, "get_user_by_discord_id", lambda _id: None)
+
+    response = api_client.get("/api/discord/user/123", headers=auth_header())
+
+    assert response.status_code == 404
+    assert response.get_json()["error"] == "User not found"
+
+
+def test_discord_user_success(api_client, monkeypatch):
+    monkeypatch.setattr(
+        api_routes,
+        "get_user_by_discord_id",
+        lambda _id: {
+            "id": "user-1",
+            "email": "test@example.com",
+            "legal_name": "Legal Name",
+            "preferred_name": "Nick",
+            "pronouns": "they/them",
+            "dob": "01/01/2000",
+            "discord_id": "123",
+            "events": ["hack-1"],
+        },
+    )
+    monkeypatch.setattr("models.admin.is_admin", lambda _email: True)
+
+    response = api_client.get("/api/discord/user/123", headers=auth_header())
+
+    assert response.status_code == 200
+    payload = response.get_json()
+    assert payload["success"] is True
+    assert payload["user"]["is_admin"] is True
+
+
+def test_discord_user_exception_uses_handle_api_error(api_client, monkeypatch):
+    monkeypatch.setattr(
+        api_routes, "get_user_by_discord_id", lambda _id: (_ for _ in ()).throw(RuntimeError("boom"))
+    )
+    monkeypatch.setattr(
+        api_routes,
+        "handle_api_error",
+        lambda _exc, ctx: (api_routes.jsonify({"success": False, "error": ctx}), 500),
+    )
+
+    response = api_client.get("/api/discord/user/123", headers=auth_header())
+
+    assert response.status_code == 500
+    assert response.get_json()["error"] == "api_discord_user"
+
+
+def test_create_verification_token_requires_json(api_client):
+    response = api_client.post(
+        "/api/discord/verification-token",
+        data="null",
+        content_type="application/json",
+        headers=auth_header(),
+    )
+
+    assert response.status_code == 400
+    assert response.get_json()["error"] == "JSON data required"
+
+
+def test_create_verification_token_requires_fields(api_client):
+    response = api_client.post(
+        "/api/discord/verification-token",
+        json={"discord_username": "tester"},
+        headers=auth_header(),
+    )
+
+    assert response.status_code == 400
+    assert "Missing field: discord_id" in response.get_json()["error"]
+
+
+def test_create_verification_token_success(api_client, monkeypatch):
+    monkeypatch.setattr(api_routes, "save_verification_token", lambda *_args: "tok_1")
+
+    response = api_client.post(
+        "/api/discord/verification-token",
+        json={"discord_id": 123, "discord_username": "tester", "message_id": "m1"},
+        headers=auth_header(),
+    )
+
+    assert response.status_code == 200
+    assert response.get_json()["token"] == "tok_1"
+
+
+def test_create_verification_token_exception(api_client, monkeypatch):
+    monkeypatch.setattr(
+        api_routes, "save_verification_token", lambda *_args: (_ for _ in ()).throw(RuntimeError("boom"))
+    )
+    monkeypatch.setattr(
+        api_routes,
+        "handle_api_error",
+        lambda _exc, ctx: (api_routes.jsonify({"success": False, "error": ctx}), 500),
+    )
+
+    response = api_client.post(
+        "/api/discord/verification-token",
+        json={"discord_id": 123, "discord_username": "tester"},
+        headers=auth_header(),
+    )
+
+    assert response.status_code == 500
+    assert response.get_json()["error"] == "api_create_verification_token"
+
+
+def test_get_verification_token_not_found(api_client, monkeypatch):
+    monkeypatch.setattr(api_routes, "get_verification_token", lambda _token: None)
+
+    response = api_client.get("/api/discord/verification-token/tok_1", headers=auth_header())
+
+    assert response.status_code == 404
+
+
+def test_get_verification_token_success(api_client, monkeypatch):
+    monkeypatch.setattr(
+        api_routes,
+        "get_verification_token",
+        lambda _token: {
+            "token": "tok_1",
+            "discord_id": "123",
+            "discord_username": "tester",
+            "message_id": "m1",
+            "expires_at": "2026-01-01",
+            "used": 1,
+        },
+    )
+
+    response = api_client.get("/api/discord/verification-token/tok_1", headers=auth_header())
+
+    assert response.status_code == 200
+    assert response.get_json()["token_data"]["used"] is True
+
+
+def test_get_verification_token_exception(api_client, monkeypatch):
+    monkeypatch.setattr(
+        api_routes, "get_verification_token", lambda _token: (_ for _ in ()).throw(RuntimeError("boom"))
+    )
+    monkeypatch.setattr(
+        api_routes,
+        "handle_api_error",
+        lambda _exc, ctx: (api_routes.jsonify({"success": False, "error": ctx}), 500),
+    )
+
+    response = api_client.get("/api/discord/verification-token/tok_1", headers=auth_header())
+
+    assert response.status_code == 500
+    assert response.get_json()["error"] == "api_get_verification_token"
+
+
+def test_mark_token_used_not_found(api_client, monkeypatch):
+    monkeypatch.setattr(api_routes, "get_verification_token", lambda _token: None)
+
+    response = api_client.delete("/api/discord/verification-token/tok_1", headers=auth_header())
+
+    assert response.status_code == 404
+
+
+def test_mark_token_used_success(api_client, monkeypatch):
+    used = {}
+    monkeypatch.setattr(api_routes, "get_verification_token", lambda _token: {"token": "tok_1"})
+    monkeypatch.setattr(api_routes, "mark_token_used", lambda token: used.setdefault("token", token))
+
+    response = api_client.delete("/api/discord/verification-token/tok_1", headers=auth_header())
+
+    assert response.status_code == 200
+    assert used["token"] == "tok_1"
+
+
+def test_mark_token_used_exception(api_client, monkeypatch):
+    monkeypatch.setattr(
+        api_routes, "get_verification_token", lambda _token: (_ for _ in ()).throw(RuntimeError("boom"))
+    )
+    monkeypatch.setattr(
+        api_routes,
+        "handle_api_error",
+        lambda _exc, ctx: (api_routes.jsonify({"success": False, "error": ctx}), 500),
+    )
+
+    response = api_client.delete("/api/discord/verification-token/tok_1", headers=auth_header())
+
+    assert response.status_code == 500
+    assert response.get_json()["error"] == "api_mark_token_used"
+
+
+def test_discord_role_mappings_success(api_client, monkeypatch):
+    monkeypatch.setattr(
+        api_routes,
+        "get_all_events",
+        lambda: {"hack-1": {"discord-role-id": "123"}, "hack-2": {"name": "No role"}},
+    )
+
+    response = api_client.get("/api/discord/role-mappings", headers=auth_header())
+
+    assert response.status_code == 200
+    payload = response.get_json()
+    assert payload["role_mappings"] == {"hack-1": "123"}
+
+
+def test_discord_role_mappings_exception(api_client, monkeypatch):
+    monkeypatch.setattr(api_routes, "get_all_events", lambda: (_ for _ in ()).throw(RuntimeError("boom")))
+    monkeypatch.setattr(
+        api_routes,
+        "handle_api_error",
+        lambda _exc, ctx: (api_routes.jsonify({"success": False, "error": ctx}), 500),
+    )
+
+    response = api_client.get("/api/discord/role-mappings", headers=auth_header())
+
+    assert response.status_code == 500
+    assert response.get_json()["error"] == "api_discord_role_mappings"
+
+
+def test_discord_user_roles_not_found(api_client, monkeypatch):
+    monkeypatch.setattr(api_routes, "get_user_by_discord_id", lambda _id: None)
+
+    response = api_client.get("/api/discord/user-roles/123", headers=auth_header())
+
+    assert response.status_code == 404
+
+
+def test_discord_user_roles_success(api_client, monkeypatch):
+    monkeypatch.setattr(api_routes, "get_user_by_discord_id", lambda _id: {"events": ["hack-1", "hack-2"]})
+    monkeypatch.setattr(
+        api_routes,
+        "get_all_events",
+        lambda: {
+            "hack-1": {"discord-role-id": "123", "name": "Hack 1"},
+            "hack-2": {"name": "Hack 2"},
+        },
+    )
+
+    response = api_client.get("/api/discord/user-roles/123", headers=auth_header())
+
+    assert response.status_code == 200
+    payload = response.get_json()
+    assert payload["roles_to_assign"] == [{"event_id": "hack-1", "role_id": "123", "event_name": "Hack 1"}]
+
+
+def test_discord_user_roles_exception(api_client, monkeypatch):
+    monkeypatch.setattr(
+        api_routes, "get_user_by_discord_id", lambda _id: (_ for _ in ()).throw(RuntimeError("boom"))
+    )
+    monkeypatch.setattr(
+        api_routes,
+        "handle_api_error",
+        lambda _exc, ctx: (api_routes.jsonify({"success": False, "error": ctx}), 500),
+    )
+
+    response = api_client.get("/api/discord/user-roles/123", headers=auth_header())
+
+    assert response.status_code == 500
+    assert response.get_json()["error"] == "api_discord_user_roles"
+
+
+def test_discord_verified_users_success(api_client, monkeypatch):
+    monkeypatch.setattr(
+        api_routes,
+        "get_all_users",
+        lambda: [
+            {"id": "1", "email": "a@example.com", "discord_id": "123", "events": [], "preferred_name": "A", "legal_name": "A"},
+            {"id": "2", "email": "b@example.com", "discord_id": "", "events": []},
+        ],
+    )
+
+    response = api_client.get("/api/discord/verified-users", headers=auth_header())
+
+    assert response.status_code == 200
+    payload = response.get_json()
+    assert payload["count"] == 1
+    assert payload["verified_users"][0]["email"] == "a@example.com"
+
+
+def test_discord_verified_users_exception(api_client, monkeypatch):
+    monkeypatch.setattr(api_routes, "get_all_users", lambda: (_ for _ in ()).throw(RuntimeError("boom")))
+    monkeypatch.setattr(
+        api_routes,
+        "handle_api_error",
+        lambda _exc, ctx: (api_routes.jsonify({"success": False, "error": ctx}), 500),
+    )
+
+    response = api_client.get("/api/discord/verified-users", headers=auth_header())
+
+    assert response.status_code == 500
+    assert response.get_json()["error"] == "api_discord_verified_users"
+
+
+def test_discord_complete_verification_requires_json(api_client):
+    response = api_client.post(
+        "/api/discord/complete-verification",
+        data="null",
+        content_type="application/json",
+        headers=auth_header(),
+    )
+
+    assert response.status_code == 400
+    assert response.get_json()["error"] == "JSON data required"
+
+
+def test_discord_complete_verification_requires_fields(api_client):
+    response = api_client.post(
+        "/api/discord/complete-verification",
+        json={"discord_id": "123"},
+        headers=auth_header(),
+    )
+
+    assert response.status_code == 400
+    assert "Missing field: user_email" in response.get_json()["error"]
+
+
+def test_discord_complete_verification_user_not_found(api_client, monkeypatch):
+    monkeypatch.setattr(api_routes, "get_user_by_email", lambda _email: None)
+
+    response = api_client.post(
+        "/api/discord/complete-verification",
+        json={"discord_id": "123", "user_email": "test@example.com"},
+        headers=auth_header(),
+    )
+
+    assert response.status_code == 404
+
+
+def test_discord_complete_verification_rejects_id_linked_to_other_user(api_client, monkeypatch):
+    monkeypatch.setattr(api_routes, "get_user_by_email", lambda _email: {"id": "user-1", "email": "test@example.com"})
+    monkeypatch.setattr(api_routes, "get_user_by_discord_id", lambda _id: {"email": "other@example.com"})
+
+    response = api_client.post(
+        "/api/discord/complete-verification",
+        json={"discord_id": "123", "user_email": "test@example.com"},
+        headers=auth_header(),
+    )
+
+    assert response.status_code == 400
+    assert "already linked" in response.get_json()["error"]
+
+
+def test_discord_complete_verification_update_value_error(api_client, monkeypatch):
+    monkeypatch.setattr(api_routes, "get_user_by_email", lambda _email: {"id": "user-1", "email": "test@example.com"})
+    monkeypatch.setattr(api_routes, "get_user_by_discord_id", lambda _id: None)
+
+    def raise_value_error(*_args, **_kwargs):
+        raise ValueError("invalid")
+
+    monkeypatch.setattr("models.user.update_user", raise_value_error)
+
+    response = api_client.post(
+        "/api/discord/complete-verification",
+        json={"discord_id": "123", "user_email": "test@example.com"},
+        headers=auth_header(),
+    )
+
+    assert response.status_code == 400
+    assert response.get_json()["error"] == "invalid"
+
+
+def test_discord_complete_verification_success(api_client, monkeypatch):
+    monkeypatch.setattr(api_routes, "get_user_by_email", lambda _email: {"id": "user-1", "email": "test@example.com"})
+    monkeypatch.setattr(api_routes, "get_user_by_discord_id", lambda _id: None)
+    monkeypatch.setattr("models.user.update_user", lambda *_args, **_kwargs: None)
+
+    response = api_client.post(
+        "/api/discord/complete-verification",
+        json={"discord_id": "123", "user_email": "test@example.com"},
+        headers=auth_header(),
+    )
+
+    assert response.status_code == 200
+    assert response.get_json()["success"] is True
+
+
+def test_discord_complete_verification_exception(api_client, monkeypatch):
+    monkeypatch.setattr(
+        api_routes, "get_user_by_email", lambda _email: (_ for _ in ()).throw(RuntimeError("boom"))
+    )
+    monkeypatch.setattr(
+        api_routes,
+        "handle_api_error",
+        lambda _exc, ctx: (api_routes.jsonify({"success": False, "error": ctx}), 500),
+    )
+
+    response = api_client.post(
+        "/api/discord/complete-verification",
+        json={"discord_id": "123", "user_email": "test@example.com"},
+        headers=auth_header(),
+    )
+
+    assert response.status_code == 500
+    assert response.get_json()["error"] == "api_discord_complete_verification"
+
+
+def test_discord_remove_roles_requires_json(api_client):
+    response = api_client.post(
+        "/api/discord/remove-roles",
+        data="null",
+        content_type="application/json",
+        headers=auth_header(),
+    )
+
+    assert response.status_code == 400
+
+
+def test_discord_remove_roles_requires_identifier(api_client):
+    response = api_client.post("/api/discord/remove-roles", json={"foo": "bar"}, headers=auth_header())
+
+    assert response.status_code == 400
+    assert "Either discord_id or user_email is required" in response.get_json()["error"]
+
+
+def test_discord_remove_roles_user_email_not_found(api_client, monkeypatch):
+    monkeypatch.setattr(api_routes, "get_user_by_email", lambda _email: None)
+
+    response = api_client.post(
+        "/api/discord/remove-roles",
+        json={"user_email": "test@example.com"},
+        headers=auth_header(),
+    )
+
+    assert response.status_code == 404
+
+
+def test_discord_remove_roles_user_without_discord(api_client, monkeypatch):
+    monkeypatch.setattr(api_routes, "get_user_by_email", lambda _email: {"email": "test@example.com", "discord_id": None})
+
+    response = api_client.post(
+        "/api/discord/remove-roles",
+        json={"user_email": "test@example.com"},
+        headers=auth_header(),
+    )
+
+    assert response.status_code == 404
+    assert "no Discord account linked" in response.get_json()["error"]
+
+
+def test_discord_remove_roles_success(api_client, monkeypatch):
+    monkeypatch.setattr(
+        "utils.discord.remove_all_event_roles",
+        lambda _discord_id: {"success": True, "roles_removed": ["a"], "total_removed": 1},
+    )
+
+    response = api_client.post(
+        "/api/discord/remove-roles",
+        json={"discord_id": "123"},
+        headers=auth_header(),
+    )
+
+    assert response.status_code == 200
+    payload = response.get_json()
+    assert payload["success"] is True
+    assert payload["total_removed"] == 1
+
+
+def test_discord_remove_roles_user_email_with_discord_success(api_client, monkeypatch):
+    monkeypatch.setattr(
+        api_routes,
+        "get_user_by_email",
+        lambda _email: {"email": "test@example.com", "discord_id": "123"},
+    )
+    monkeypatch.setattr(
+        "utils.discord.remove_all_event_roles",
+        lambda _discord_id: {"success": True, "roles_removed": [], "total_removed": 0},
+    )
+
+    response = api_client.post(
+        "/api/discord/remove-roles",
+        json={"user_email": "test@example.com"},
+        headers=auth_header(),
+    )
+
+    assert response.status_code == 200
+    assert response.get_json()["success"] is True
+
+
+def test_discord_remove_roles_failure_returns_500(api_client, monkeypatch):
+    monkeypatch.setattr(
+        "utils.discord.remove_all_event_roles",
+        lambda _discord_id: {
+            "success": False,
+            "error": "remove failed",
+            "roles_removed": [],
+            "roles_failed": ["a"],
+        },
+    )
+
+    response = api_client.post(
+        "/api/discord/remove-roles",
+        json={"discord_id": "123"},
+        headers=auth_header(),
+    )
+
+    assert response.status_code == 500
+    assert response.get_json()["error"] == "remove failed"
+
+
+def test_discord_remove_roles_exception(api_client, monkeypatch):
+    monkeypatch.setattr(
+        "utils.discord.remove_all_event_roles",
+        lambda _discord_id: (_ for _ in ()).throw(RuntimeError("boom")),
+    )
+    monkeypatch.setattr(
+        api_routes,
+        "handle_api_error",
+        lambda _exc, ctx: (api_routes.jsonify({"success": False, "error": ctx}), 500),
+    )
+
+    response = api_client.post(
+        "/api/discord/remove-roles",
+        json={"discord_id": "123"},
+        headers=auth_header(),
+    )
+
+    assert response.status_code == 500
+    assert response.get_json()["error"] == "api_discord_remove_roles"
+
+
+def test_discord_unlink_requires_json(api_client):
+    response = api_client.post(
+        "/api/discord/unlink",
+        data="null",
+        content_type="application/json",
+        headers=auth_header(),
+    )
+
+    assert response.status_code == 400
+
+
+def test_discord_unlink_requires_identifier(api_client):
+    response = api_client.post("/api/discord/unlink", json={"foo": "bar"}, headers=auth_header())
+
+    assert response.status_code == 400
+
+
+def test_discord_unlink_discord_id_not_found(api_client, monkeypatch):
+    monkeypatch.setattr(api_routes, "get_user_by_discord_id", lambda _id: None)
+
+    response = api_client.post(
+        "/api/discord/unlink",
+        json={"discord_id": "123"},
+        headers=auth_header(),
+    )
+
+    assert response.status_code == 404
+    assert "No user found" in response.get_json()["error"]
+
+
+def test_discord_unlink_user_email_not_found(api_client, monkeypatch):
+    monkeypatch.setattr(api_routes, "get_user_by_email", lambda _email: None)
+
+    response = api_client.post(
+        "/api/discord/unlink",
+        json={"user_email": "test@example.com"},
+        headers=auth_header(),
+    )
+
+    assert response.status_code == 404
+
+
+def test_discord_unlink_user_without_discord(api_client, monkeypatch):
+    monkeypatch.setattr(api_routes, "get_user_by_email", lambda _email: {"email": "test@example.com", "discord_id": None})
+
+    response = api_client.post(
+        "/api/discord/unlink",
+        json={"user_email": "test@example.com"},
+        headers=auth_header(),
+    )
+
+    assert response.status_code == 400
+    assert "no Discord account linked" in response.get_json()["error"]
+
+
+def test_discord_unlink_success(api_client, monkeypatch):
+    monkeypatch.setattr(
+        api_routes, "get_user_by_discord_id", lambda _id: {"email": "test@example.com"}
+    )
+    monkeypatch.setattr(
+        "services.auth_service.unlink_discord_account",
+        lambda _email: {
+            "success": True,
+            "user_email": "test@example.com",
+            "previous_discord_id": "123",
+            "roles_removed": [],
+            "roles_failed": [],
+            "total_roles_removed": 0,
+            "total_roles_failed": 0,
+            "role_removal_success": True,
+        },
+    )
+
+    response = api_client.post(
+        "/api/discord/unlink",
+        json={"discord_id": "123"},
+        headers=auth_header(),
+    )
+
+    assert response.status_code == 200
+    assert response.get_json()["success"] is True
+
+
+def test_discord_unlink_success_by_user_email(api_client, monkeypatch):
+    monkeypatch.setattr(
+        api_routes,
+        "get_user_by_email",
+        lambda _email: {"email": "test@example.com", "discord_id": "123"},
+    )
+    monkeypatch.setattr(
+        "services.auth_service.unlink_discord_account",
+        lambda _email: {
+            "success": True,
+            "user_email": "test@example.com",
+            "previous_discord_id": "123",
+            "roles_removed": [],
+            "roles_failed": [],
+            "total_roles_removed": 0,
+            "total_roles_failed": 0,
+            "role_removal_success": True,
+        },
+    )
+
+    response = api_client.post(
+        "/api/discord/unlink",
+        json={"user_email": "test@example.com"},
+        headers=auth_header(),
+    )
+
+    assert response.status_code == 200
+    assert response.get_json()["success"] is True
+
+
+def test_discord_unlink_service_failure(api_client, monkeypatch):
+    monkeypatch.setattr(
+        api_routes, "get_user_by_discord_id", lambda _id: {"email": "test@example.com"}
+    )
+    monkeypatch.setattr(
+        "services.auth_service.unlink_discord_account",
+        lambda _email: {"success": False, "error": "unlink failed"},
+    )
+
+    response = api_client.post(
+        "/api/discord/unlink",
+        json={"discord_id": "123"},
+        headers=auth_header(),
+    )
+
+    assert response.status_code == 400
+    assert response.get_json()["error"] == "unlink failed"
+
+
+def test_discord_unlink_exception(api_client, monkeypatch):
+    monkeypatch.setattr(
+        api_routes, "get_user_by_discord_id", lambda _id: (_ for _ in ()).throw(RuntimeError("boom"))
+    )
+    monkeypatch.setattr(
+        api_routes,
+        "handle_api_error",
+        lambda _exc, ctx: (api_routes.jsonify({"success": False, "error": ctx}), 500),
+    )
+
+    response = api_client.post(
+        "/api/discord/unlink",
+        json={"discord_id": "123"},
+        headers=auth_header(),
+    )
+
+    assert response.status_code == 500
+    assert response.get_json()["error"] == "api_discord_unlink"
diff --git a/tests/test_auth_routes_comprehensive.py b/tests/test_auth_routes_comprehensive.py
new file mode 100644
index 0000000..f8407a8
--- /dev/null
+++ b/tests/test_auth_routes_comprehensive.py
@@ -0,0 +1,1723 @@
+import os
+from pathlib import Path
+
+os.environ.setdefault("SECRET_KEY", "test-secret")
+
+from flask import Flask
+
+import routes.auth as auth_routes
+
+
+def create_auth_app(register_oauth=False):
+    template_dir = Path(__file__).resolve().parents[1] / "templates"
+    app = Flask(__name__, template_folder=str(template_dir))
+    app.secret_key = "test-secret"
+    app.jinja_env.globals["csrf_token"] = lambda: "test-csrf"
+    app.register_blueprint(auth_routes.auth_bp)
+    if register_oauth:
+        app.register_blueprint(auth_routes.oauth_bp)
+    return app
+
+
+def login_session(client, email="test@example.com", name="Tester"):
+    with client.session_transaction() as sess:
+        sess["user_email"] = email
+        sess["user_name"] = name
+
+
+def oauth2_session(client):
+    with client.session_transaction() as sess:
+        sess["oauth2_client_id"] = "client_1"
+        sess["oauth2_redirect_uri"] = "https://example.com/callback"
+        sess["oauth2_scope"] = "profile email"
+        sess["oauth2_state"] = "abc"
+
+
+def test_index_logged_in_profile_incomplete_redirects_to_register(monkeypatch):
+    app = create_auth_app()
+    client = app.test_client()
+    login_session(client)
+
+    monkeypatch.setattr("models.admin.is_admin", lambda _email: False)
+    monkeypatch.setattr(
+        "services.dashboard_service.get_user_dashboard_data",
+        lambda _email: {"profile_complete": False},
+    )
+
+    response = client.get("/")
+
+    assert response.status_code == 302
+    assert response.location.endswith("/register")
+
+
+def test_index_logged_in_profile_complete_renders_dashboard(monkeypatch):
+    app = create_auth_app()
+    client = app.test_client()
+    login_session(client)
+
+    monkeypatch.setattr("models.admin.is_admin", lambda _email: True)
+    monkeypatch.setattr(
+        "services.dashboard_service.get_user_dashboard_data",
+        lambda _email: {"profile_complete": True},
+    )
+    monkeypatch.setattr(
+        auth_routes,
+        "render_template",
+        lambda template, **ctx: f"{template}:{ctx.get('is_admin')}",
+    )
+
+    response = client.get("/")
+
+    assert response.status_code == 200
+    assert b"dashboard.html:True" in response.data
+
+
+def test_auth_google_callback_missing_code_renders_error():
+    app = create_auth_app()
+    client = app.test_client()
+
+    with client.session_transaction() as sess:
+        sess["oauth_state"] = "state-1"
+
+    response = client.get("/auth/google/callback?state=state-1")
+
+    assert response.status_code == 200
+    assert b"No authentication code received" in response.data
+
+
+def test_auth_google_callback_provider_error_renders_error(monkeypatch):
+    app = create_auth_app()
+    client = app.test_client()
+
+    with client.session_transaction() as sess:
+        sess["oauth_state"] = "state-1"
+
+    monkeypatch.setattr(
+        auth_routes,
+        "handle_google_oauth_callback",
+        lambda _code: {"success": False, "error": "oauth failed"},
+    )
+
+    response = client.get("/auth/google/callback?state=state-1&code=abc")
+
+    assert response.status_code == 200
+    assert b"oauth failed" in response.data
+
+
+def test_auth_google_callback_new_user_redirects_register(monkeypatch):
+    app = create_auth_app()
+    client = app.test_client()
+
+    with client.session_transaction() as sess:
+        sess["oauth_state"] = "state-1"
+
+    monkeypatch.setattr(
+        auth_routes,
+        "handle_google_oauth_callback",
+        lambda _code: {
+            "success": True,
+            "user": {"email": "new@example.com", "name": "New User"},
+        },
+    )
+    monkeypatch.setattr(auth_routes, "get_user_by_email", lambda _email: None)
+
+    response = client.get("/auth/google/callback?state=state-1&code=abc")
+
+    assert response.status_code == 302
+    assert response.location.endswith("/register")
+
+
+def test_auth_google_callback_verification_flow_redirects_verify_complete(monkeypatch):
+    app = create_auth_app()
+    client = app.test_client()
+
+    with client.session_transaction() as sess:
+        sess["oauth_state"] = "state-1"
+        sess["verification_token"] = "verify-123"
+
+    monkeypatch.setattr(
+        auth_routes,
+        "handle_google_oauth_callback",
+        lambda _code: {
+            "success": True,
+            "user": {"email": "test@example.com", "name": "Test User"},
+        },
+    )
+    monkeypatch.setattr(
+        auth_routes,
+        "get_user_by_email",
+        lambda _email: {"email": "test@example.com", "legal_name": "Test User"},
+    )
+
+    response = client.get("/auth/google/callback?state=state-1&code=abc")
+
+    assert response.status_code == 302
+    assert response.location.endswith("/verify/complete")
+
+
+def test_auth_google_callback_oauth2_session_redirects_authorize(monkeypatch):
+    app = create_auth_app()
+    client = app.test_client()
+
+    with client.session_transaction() as sess:
+        sess["oauth_state"] = "state-1"
+        sess["oauth2_client_id"] = "client_1"
+        sess["oauth2_redirect_uri"] = "https://example.com/callback"
+
+    monkeypatch.setattr(
+        auth_routes,
+        "handle_google_oauth_callback",
+        lambda _code: {
+            "success": True,
+            "user": {"email": "test@example.com", "name": "Test User"},
+        },
+    )
+    monkeypatch.setattr(
+        auth_routes,
+        "get_user_by_email",
+        lambda _email: {"email": "test@example.com", "legal_name": "Test User"},
+    )
+
+    response = client.get("/auth/google/callback?state=state-1&code=abc")
+
+    assert response.status_code == 302
+    assert response.location.endswith("/oauth/authorize")
+
+
+def test_auth_google_callback_legacy_flow_inactive_app_clears_session(monkeypatch):
+    app = create_auth_app()
+    client = app.test_client()
+
+    with client.session_transaction() as sess:
+        sess["oauth_state"] = "state-1"
+        sess["oauth_redirect"] = "https://example.com/callback"
+        sess["oauth_app_id"] = "app_1"
+
+    monkeypatch.setattr(
+        auth_routes,
+        "handle_google_oauth_callback",
+        lambda _code: {
+            "success": True,
+            "user": {"email": "test@example.com", "name": "Test User"},
+        },
+    )
+    monkeypatch.setattr(
+        auth_routes,
+        "get_user_by_email",
+        lambda _email: {"email": "test@example.com", "legal_name": "Test User"},
+    )
+    monkeypatch.setattr("models.app.get_app_by_id", lambda _app_id: {"is_active": False})
+
+    response = client.get("/auth/google/callback?state=state-1&code=abc")
+
+    assert response.status_code == 200
+    assert b"no longer available" in response.data
+    with client.session_transaction() as sess:
+        assert "oauth_redirect" not in sess
+        assert "oauth_app_id" not in sess
+
+
+def test_auth_google_callback_legacy_restricted_non_admin_denied(monkeypatch):
+    app = create_auth_app()
+    client = app.test_client()
+
+    with client.session_transaction() as sess:
+        sess["oauth_state"] = "state-1"
+        sess["oauth_redirect"] = "https://example.com/callback"
+        sess["oauth_app_id"] = "app_1"
+
+    monkeypatch.setattr(
+        auth_routes,
+        "handle_google_oauth_callback",
+        lambda _code: {
+            "success": True,
+            "user": {"email": "test@example.com", "name": "Test User"},
+        },
+    )
+    monkeypatch.setattr(
+        auth_routes,
+        "get_user_by_email",
+        lambda _email: {"email": "test@example.com", "legal_name": "Test User"},
+    )
+    monkeypatch.setattr(
+        "models.app.get_app_by_id",
+        lambda _app_id: {"id": "app_1", "is_active": True, "allow_anyone": False},
+    )
+    monkeypatch.setattr(auth_routes, "is_admin", lambda _email: False)
+
+    response = client.get("/auth/google/callback?state=state-1&code=abc")
+
+    assert response.status_code == 200
+    assert b"permission to access this app" in response.data
+    with client.session_transaction() as sess:
+        assert "oauth_redirect" not in sess
+        assert "oauth_app_id" not in sess
+
+
+def test_auth_google_callback_legacy_restricted_no_explicit_permission_denied(
+    monkeypatch,
+):
+    app = create_auth_app()
+    client = app.test_client()
+
+    with client.session_transaction() as sess:
+        sess["oauth_state"] = "state-1"
+        sess["oauth_redirect"] = "https://example.com/callback"
+        sess["oauth_app_id"] = "app_1"
+
+    monkeypatch.setattr(
+        auth_routes,
+        "handle_google_oauth_callback",
+        lambda _code: {
+            "success": True,
+            "user": {"email": "test@example.com", "name": "Test User"},
+        },
+    )
+    monkeypatch.setattr(
+        auth_routes,
+        "get_user_by_email",
+        lambda _email: {"email": "test@example.com", "legal_name": "Test User"},
+    )
+    monkeypatch.setattr(
+        "models.app.get_app_by_id",
+        lambda _app_id: {"id": "app_1", "is_active": True, "allow_anyone": False},
+    )
+    monkeypatch.setattr(auth_routes, "is_admin", lambda _email: True)
+    monkeypatch.setattr(auth_routes, "has_app_permission", lambda *_args: False)
+
+    response = client.get("/auth/google/callback?state=state-1&code=abc")
+
+    assert response.status_code == 200
+    assert b"permission to access this app" in response.data
+
+
+def test_auth_google_callback_legacy_success_redirects_with_token(monkeypatch):
+    app = create_auth_app()
+    client = app.test_client()
+
+    with client.session_transaction() as sess:
+        sess["oauth_state"] = "state-1"
+        sess["oauth_redirect"] = "https://example.com/callback"
+        sess["oauth_app_id"] = "app_1"
+
+    monkeypatch.setattr(
+        auth_routes,
+        "handle_google_oauth_callback",
+        lambda _code: {
+            "success": True,
+            "user": {"email": "test@example.com", "name": "Test User"},
+        },
+    )
+    monkeypatch.setattr(
+        auth_routes,
+        "get_user_by_email",
+        lambda _email: {"email": "test@example.com", "legal_name": "Test User"},
+    )
+    monkeypatch.setattr(
+        "models.app.get_app_by_id",
+        lambda _app_id: {"id": "app_1", "is_active": True, "allow_anyone": True},
+    )
+    monkeypatch.setattr(auth_routes, "create_oauth_token", lambda *_args, **_kwargs: "tok_1")
+
+    response = client.get("/auth/google/callback?state=state-1&code=abc")
+
+    assert response.status_code == 302
+    assert response.location == "https://example.com/callback?token=tok_1"
+
+
+def test_auth_google_callback_default_success_redirects_home(monkeypatch):
+    app = create_auth_app()
+    client = app.test_client()
+
+    with client.session_transaction() as sess:
+        sess["oauth_state"] = "state-1"
+
+    monkeypatch.setattr(
+        auth_routes,
+        "handle_google_oauth_callback",
+        lambda _code: {
+            "success": True,
+            "user": {"email": "test@example.com", "name": "Test User"},
+        },
+    )
+    monkeypatch.setattr(
+        auth_routes,
+        "get_user_by_email",
+        lambda _email: {"email": "test@example.com", "legal_name": "Test User"},
+    )
+
+    response = client.get("/auth/google/callback?state=state-1&code=abc")
+
+    assert response.status_code == 302
+    assert response.location.endswith("/")
+
+
+def test_auth_google_with_debug_disabled_still_redirects(monkeypatch):
+    app = create_auth_app()
+    client = app.test_client()
+    monkeypatch.setattr(auth_routes, "DEBUG_MODE", False)
+    monkeypatch.setattr(auth_routes, "get_google_auth_url", lambda: "https://accounts.example/oauth")
+
+    response = client.get("/auth/google")
+
+    assert response.status_code == 302
+    assert response.location == "https://accounts.example/oauth"
+
+
+def test_auth_google_callback_legacy_restricted_authorized_user_redirects_with_token(monkeypatch):
+    app = create_auth_app()
+    client = app.test_client()
+
+    with client.session_transaction() as sess:
+        sess["oauth_state"] = "state-1"
+        sess["oauth_redirect"] = "https://example.com/callback"
+        sess["oauth_app_id"] = "app_1"
+
+    monkeypatch.setattr(
+        auth_routes,
+        "handle_google_oauth_callback",
+        lambda _code: {
+            "success": True,
+            "user": {"email": "test@example.com", "name": "Test User"},
+        },
+    )
+    monkeypatch.setattr(
+        auth_routes,
+        "get_user_by_email",
+        lambda _email: {"email": "test@example.com", "legal_name": "Test User"},
+    )
+    monkeypatch.setattr(
+        "models.app.get_app_by_id",
+        lambda _app_id: {"id": "app_1", "is_active": True, "allow_anyone": False},
+    )
+    monkeypatch.setattr(auth_routes, "is_admin", lambda _email: True)
+    monkeypatch.setattr(auth_routes, "has_app_permission", lambda *_args: True)
+    monkeypatch.setattr(auth_routes, "create_oauth_token", lambda *_args, **_kwargs: "tok_1")
+
+    response = client.get("/auth/google/callback?state=state-1&code=abc")
+
+    assert response.status_code == 302
+    assert response.location == "https://example.com/callback?token=tok_1"
+
+
+def oauth_app(
+    *, allow_anyone=True, skip_consent_screen=False, active=True, scopes='["profile", "email"]'
+):
+    return {
+        "id": "app_1",
+        "is_active": active,
+        "redirect_uris": '["https://example.com/callback"]',
+        "allowed_scopes": scopes,
+        "allow_anyone": allow_anyone,
+        "skip_consent_screen": skip_consent_screen,
+    }
+
+
+def test_oauth_authorize_unsupported_response_type(monkeypatch):
+    app = create_auth_app()
+    client = app.test_client()
+    monkeypatch.setattr(auth_routes, "get_app_by_client_id", lambda _id: oauth_app())
+
+    response = client.get(
+        "/oauth/authorize?client_id=client_1&redirect_uri=https://example.com/callback&response_type=token"
+    )
+
+    assert response.status_code == 200
+    assert b"Unsupported response_type" in response.data
+
+
+def test_oauth_authorize_invalid_client(monkeypatch):
+    app = create_auth_app()
+    client = app.test_client()
+    monkeypatch.setattr(auth_routes, "get_app_by_client_id", lambda _id: None)
+
+    response = client.get(
+        "/oauth/authorize?client_id=client_1&redirect_uri=https://example.com/callback"
+    )
+
+    assert response.status_code == 200
+    assert b"Invalid client_id" in response.data
+
+
+def test_oauth_authorize_inactive_client(monkeypatch):
+    app = create_auth_app()
+    client = app.test_client()
+    monkeypatch.setattr(
+        auth_routes, "get_app_by_client_id", lambda _id: oauth_app(active=False)
+    )
+
+    response = client.get(
+        "/oauth/authorize?client_id=client_1&redirect_uri=https://example.com/callback"
+    )
+
+    assert response.status_code == 200
+    assert b"currently disabled" in response.data
+
+
+def test_oauth_authorize_invalid_redirect_uri(monkeypatch):
+    app = create_auth_app()
+    client = app.test_client()
+    monkeypatch.setattr(auth_routes, "get_app_by_client_id", lambda _id: oauth_app())
+    monkeypatch.setattr(auth_routes, "validate_redirect_uri", lambda *_args: False)
+
+    response = client.get(
+        "/oauth/authorize?client_id=client_1&redirect_uri=https://wrong.example/callback"
+    )
+
+    assert response.status_code == 200
+    assert b"Invalid redirect_uri" in response.data
+
+
+def test_oauth_authorize_invalid_scope(monkeypatch):
+    app = create_auth_app()
+    client = app.test_client()
+    monkeypatch.setattr(auth_routes, "get_app_by_client_id", lambda _id: oauth_app())
+    monkeypatch.setattr(auth_routes, "validate_redirect_uri", lambda *_args: True)
+
+    response = client.get(
+        "/oauth/authorize?client_id=client_1&redirect_uri=https://example.com/callback&scope=admin"
+    )
+
+    assert response.status_code == 200
+    assert b"Invalid scope" in response.data
+
+
+def test_oauth_authorize_restricted_app_permission_denied(monkeypatch):
+    app = create_auth_app()
+    client = app.test_client()
+    login_session(client)
+    monkeypatch.setattr(
+        auth_routes, "get_app_by_client_id", lambda _id: oauth_app(allow_anyone=False)
+    )
+    monkeypatch.setattr(auth_routes, "validate_redirect_uri", lambda *_args: True)
+    monkeypatch.setattr(
+        auth_routes,
+        "get_user_by_email",
+        lambda _email: {"email": "test@example.com", "legal_name": "Legal Name"},
+    )
+    monkeypatch.setattr(auth_routes, "is_admin", lambda _email: False)
+    monkeypatch.setattr(auth_routes, "has_app_permission", lambda *_args: False)
+
+    response = client.get(
+        "/oauth/authorize?client_id=client_1&redirect_uri=https://example.com/callback"
+    )
+
+    assert response.status_code == 200
+    assert b"permission to access this app" in response.data
+
+
+def test_oauth_authorize_restricted_app_authorized_user_can_continue(monkeypatch):
+    app = create_auth_app()
+    client = app.test_client()
+    login_session(client)
+    monkeypatch.setattr(
+        auth_routes,
+        "get_app_by_client_id",
+        lambda _id: oauth_app(allow_anyone=False, skip_consent_screen=True),
+    )
+    monkeypatch.setattr(auth_routes, "validate_redirect_uri", lambda *_args: True)
+    monkeypatch.setattr(
+        auth_routes,
+        "get_user_by_email",
+        lambda _email: {"email": "test@example.com", "legal_name": "Legal Name"},
+    )
+    monkeypatch.setattr(auth_routes, "is_admin", lambda _email: True)
+    monkeypatch.setattr(auth_routes, "has_app_permission", lambda *_args: True)
+    monkeypatch.setattr(auth_routes, "create_authorization_code", lambda **_kwargs: "code-1")
+
+    response = client.get(
+        "/oauth/authorize?client_id=client_1&redirect_uri=https://example.com/callback&state=abc"
+    )
+
+    assert response.status_code == 302
+    assert response.location == "https://example.com/callback?code=code-1&state=abc"
+
+
+def test_oauth_authorize_logged_in_shows_consent_screen(monkeypatch):
+    app = create_auth_app()
+    client = app.test_client()
+    login_session(client)
+    monkeypatch.setattr(auth_routes, "get_app_by_client_id", lambda _id: oauth_app())
+    monkeypatch.setattr(auth_routes, "validate_redirect_uri", lambda *_args: True)
+    monkeypatch.setattr(
+        auth_routes,
+        "get_user_by_email",
+        lambda _email: {"email": "test@example.com", "legal_name": "Legal Name"},
+    )
+
+    response = client.get(
+        "/oauth/authorize?client_id=client_1&redirect_uri=https://example.com/callback"
+    )
+
+    assert response.status_code == 200
+    assert b"Authorize" in response.data
+
+
+def test_oauth_authorize_logged_in_without_legal_name_shows_login(monkeypatch):
+    app = create_auth_app()
+    client = app.test_client()
+    login_session(client)
+    monkeypatch.setattr(auth_routes, "get_app_by_client_id", lambda _id: oauth_app())
+    monkeypatch.setattr(auth_routes, "validate_redirect_uri", lambda *_args: True)
+    monkeypatch.setattr(
+        auth_routes,
+        "get_user_by_email",
+        lambda _email: {"email": "test@example.com", "legal_name": ""},
+    )
+
+    response = client.get(
+        "/oauth/authorize?client_id=client_1&redirect_uri=https://example.com/callback"
+    )
+
+    assert response.status_code == 200
+    assert b"Sign in" in response.data
+
+
+def test_oauth_authorize_uses_session_cached_params(monkeypatch):
+    app = create_auth_app()
+    client = app.test_client()
+    login_session(client)
+    oauth2_session(client)
+
+    monkeypatch.setattr(
+        auth_routes,
+        "get_app_by_client_id",
+        lambda client_id: oauth_app() if client_id == "client_1" else None,
+    )
+    monkeypatch.setattr(auth_routes, "validate_redirect_uri", lambda *_args: True)
+    monkeypatch.setattr(
+        auth_routes,
+        "get_user_by_email",
+        lambda _email: {"email": "test@example.com", "legal_name": "Legal Name"},
+    )
+
+    response = client.get("/oauth/authorize")
+
+    assert response.status_code == 200
+    assert b"Authorize" in response.data
+
+
+def test_oauth_authorize_consent_requires_user_session():
+    app = create_auth_app()
+    client = app.test_client()
+
+    response = client.post("/oauth/authorize", data={"action": "approve"})
+
+    assert response.status_code == 200
+    assert b"Session expired" in response.data
+
+
+def test_oauth_authorize_consent_requires_oauth_session(login_email="test@example.com"):
+    app = create_auth_app()
+    client = app.test_client()
+    login_session(client, email=login_email)
+
+    response = client.post("/oauth/authorize", data={"action": "approve"})
+
+    assert response.status_code == 200
+    assert b"Invalid OAuth session" in response.data
+
+
+def test_oauth_authorize_consent_inactive_app_redirects_invalid_client(monkeypatch):
+    app = create_auth_app()
+    client = app.test_client()
+    login_session(client)
+    oauth2_session(client)
+    monkeypatch.setattr(auth_routes, "get_app_by_client_id", lambda _id: oauth_app(active=False))
+
+    response = client.post("/oauth/authorize", data={"action": "approve"})
+
+    assert response.status_code == 302
+    assert response.location == "https://example.com/callback?error=invalid_client&state=abc"
+    with client.session_transaction() as sess:
+        assert "oauth2_client_id" not in sess
+        assert "oauth2_redirect_uri" not in sess
+        assert "oauth2_scope" not in sess
+        assert "oauth2_state" not in sess
+
+
+def test_oauth_authorize_consent_restricted_permission_denied(monkeypatch):
+    app = create_auth_app()
+    client = app.test_client()
+    login_session(client)
+    oauth2_session(client)
+    monkeypatch.setattr(
+        auth_routes, "get_app_by_client_id", lambda _id: oauth_app(allow_anyone=False)
+    )
+    monkeypatch.setattr(auth_routes, "is_admin", lambda _email: False)
+
+    response = client.post("/oauth/authorize", data={"action": "approve"})
+
+    assert response.status_code == 302
+    assert (
+        response.location
+        == "https://example.com/callback?error=access_denied&error_description=insufficient_permissions&state=abc"
+    )
+
+
+def test_oauth_authorize_consent_restricted_authorized_user_can_deny(monkeypatch):
+    app = create_auth_app()
+    client = app.test_client()
+    login_session(client)
+    oauth2_session(client)
+    monkeypatch.setattr(
+        auth_routes, "get_app_by_client_id", lambda _id: oauth_app(allow_anyone=False)
+    )
+    monkeypatch.setattr(auth_routes, "is_admin", lambda _email: True)
+    monkeypatch.setattr(auth_routes, "has_app_permission", lambda *_args: True)
+
+    response = client.post("/oauth/authorize", data={"action": "deny"})
+
+    assert response.status_code == 302
+    assert response.location == "https://example.com/callback?error=access_denied&state=abc"
+
+
+def test_oauth_authorize_consent_approve_success_generates_code_and_clears_session(
+    monkeypatch,
+):
+    app = create_auth_app()
+    client = app.test_client()
+    login_session(client)
+    oauth2_session(client)
+
+    monkeypatch.setattr(auth_routes, "get_app_by_client_id", lambda _id: oauth_app())
+    monkeypatch.setattr(
+        auth_routes, "create_authorization_code", lambda **_kwargs: "issued-code-1"
+    )
+
+    response = client.post("/oauth/authorize", data={"action": "approve"})
+
+    assert response.status_code == 302
+    assert response.location == "https://example.com/callback?code=issued-code-1&state=abc"
+    with client.session_transaction() as sess:
+        assert "oauth2_client_id" not in sess
+
+
+def test_oauth_token_maps_invalid_client_error(monkeypatch):
+    app = create_auth_app(register_oauth=True)
+    client = app.test_client()
+    monkeypatch.setattr(
+        auth_routes,
+        "exchange_code_for_token",
+        lambda *_args: {"success": False, "error": "invalid_client"},
+    )
+
+    response = client.post(
+        "/oauth/token",
+        data={
+            "grant_type": "authorization_code",
+            "code": "code_1",
+            "redirect_uri": "https://example.com/callback",
+            "client_id": "client_1",
+            "client_secret": "secret_1",
+        },
+    )
+
+    assert response.status_code == 400
+    payload = response.get_json()
+    assert payload["error"] == "invalid_client"
+    assert "client_secret" in payload["error_description"]
+
+
+def test_oauth_token_maps_unknown_exchange_error(monkeypatch):
+    app = create_auth_app(register_oauth=True)
+    client = app.test_client()
+    monkeypatch.setattr(
+        auth_routes,
+        "exchange_code_for_token",
+        lambda *_args: {"success": False, "error": "server_boom"},
+    )
+
+    response = client.post(
+        "/oauth/token",
+        data={
+            "grant_type": "authorization_code",
+            "code": "code_1",
+            "redirect_uri": "https://example.com/callback",
+            "client_id": "client_1",
+            "client_secret": "secret_1",
+        },
+    )
+
+    assert response.status_code == 400
+    payload = response.get_json()
+    assert payload["error"] == "server_boom"
+    assert "Invalid authorization code or client credentials" in payload["error_description"]
+
+
+def test_oauth_token_with_debug_disabled_success(monkeypatch):
+    app = create_auth_app(register_oauth=True)
+    client = app.test_client()
+    monkeypatch.setattr(auth_routes, "DEBUG_MODE", False)
+    monkeypatch.setattr(
+        auth_routes,
+        "exchange_code_for_token",
+        lambda *_args: {
+            "success": True,
+            "access_token": "access_1",
+            "token_type": "Bearer",
+            "expires_in": 3600,
+            "scope": "profile",
+        },
+    )
+
+    response = client.post(
+        "/oauth/token",
+        data={
+            "grant_type": "authorization_code",
+            "code": "code_1",
+            "redirect_uri": "https://example.com/callback",
+            "client_id": "client_1",
+            "client_secret": "secret_1",
+        },
+    )
+
+    assert response.status_code == 200
+    assert response.get_json()["access_token"] == "access_1"
+
+
+def test_oauth_revoke_invokes_revoke_function(monkeypatch):
+    app = create_auth_app(register_oauth=True)
+    client = app.test_client()
+    revoked = {}
+    monkeypatch.setattr(
+        auth_routes, "revoke_access_token", lambda token: revoked.setdefault("token", token)
+    )
+
+    response = client.post("/oauth/revoke", data={"token": "tok_123"})
+
+    assert response.status_code == 200
+    assert response.get_json()["success"] is True
+    assert revoked["token"] == "tok_123"
+
+
+def test_oauth_legacy_inactive_app_returns_error(monkeypatch):
+    app = create_auth_app()
+    client = app.test_client()
+    monkeypatch.setattr(
+        auth_routes,
+        "validate_app_redirect",
+        lambda _redirect: {"id": "app_1", "is_active": False},
+    )
+
+    response = client.get("/oauth?redirect=https://example.com/callback")
+
+    assert response.status_code == 200
+    assert b"currently disabled" in response.data
+
+
+def test_oauth_legacy_restricted_non_admin_denied(monkeypatch):
+    app = create_auth_app()
+    client = app.test_client()
+    login_session(client)
+    monkeypatch.setattr(
+        auth_routes,
+        "validate_app_redirect",
+        lambda _redirect: {"id": "app_1", "is_active": True, "allow_anyone": False},
+    )
+    monkeypatch.setattr(
+        auth_routes,
+        "get_user_by_email",
+        lambda _email: {"email": "test@example.com", "legal_name": "Legal Name"},
+    )
+    monkeypatch.setattr(auth_routes, "is_admin", lambda _email: False)
+
+    response = client.get("/oauth?redirect=https://example.com/callback")
+
+    assert response.status_code == 200
+    assert b"Please contact an administrator" in response.data
+
+
+def test_oauth_legacy_restricted_no_permission_denied(monkeypatch):
+    app = create_auth_app()
+    client = app.test_client()
+    login_session(client)
+    monkeypatch.setattr(
+        auth_routes,
+        "validate_app_redirect",
+        lambda _redirect: {"id": "app_1", "is_active": True, "allow_anyone": False},
+    )
+    monkeypatch.setattr(
+        auth_routes,
+        "get_user_by_email",
+        lambda _email: {"email": "test@example.com", "legal_name": "Legal Name"},
+    )
+    monkeypatch.setattr(auth_routes, "is_admin", lambda _email: True)
+    monkeypatch.setattr(auth_routes, "has_app_permission", lambda *_args: False)
+
+    response = client.get("/oauth?redirect=https://example.com/callback")
+
+    assert response.status_code == 200
+    assert b"Please contact an administrator" in response.data
+
+
+def test_oauth_legacy_restricted_authorized_user_gets_token(monkeypatch):
+    app = create_auth_app()
+    client = app.test_client()
+    login_session(client)
+    monkeypatch.setattr(
+        auth_routes,
+        "validate_app_redirect",
+        lambda _redirect: {"id": "app_1", "is_active": True, "allow_anyone": False},
+    )
+    monkeypatch.setattr(
+        auth_routes,
+        "get_user_by_email",
+        lambda _email: {"email": "test@example.com", "legal_name": "Legal Name"},
+    )
+    monkeypatch.setattr(auth_routes, "is_admin", lambda _email: True)
+    monkeypatch.setattr(auth_routes, "has_app_permission", lambda *_args: True)
+    monkeypatch.setattr(auth_routes, "create_oauth_token", lambda *_args, **_kwargs: "tok_1")
+
+    response = client.get("/oauth?redirect=https://example.com/callback")
+
+    assert response.status_code == 302
+    assert response.location == "https://example.com/callback?token=tok_1"
+
+
+def test_oauth_legacy_logged_in_without_complete_profile_shows_login(monkeypatch):
+    app = create_auth_app()
+    client = app.test_client()
+    login_session(client)
+    monkeypatch.setattr(
+        auth_routes,
+        "validate_app_redirect",
+        lambda _redirect: {"id": "app_1", "is_active": True, "allow_anyone": True},
+    )
+    monkeypatch.setattr(
+        auth_routes, "get_user_by_email", lambda _email: {"email": "test@example.com", "legal_name": ""}
+    )
+
+    response = client.get("/oauth?redirect=https://example.com/callback")
+
+    assert response.status_code == 200
+    assert b"Sign in" in response.data
+
+
+def test_oauth_legacy_success_with_existing_query_uses_ampersand(monkeypatch):
+    app = create_auth_app()
+    client = app.test_client()
+    login_session(client)
+    monkeypatch.setattr(
+        auth_routes,
+        "validate_app_redirect",
+        lambda _redirect: {"id": "app_1", "is_active": True, "allow_anyone": True},
+    )
+    monkeypatch.setattr(
+        auth_routes,
+        "get_user_by_email",
+        lambda _email: {"email": "test@example.com", "legal_name": "Legal Name"},
+    )
+    monkeypatch.setattr(auth_routes, "create_oauth_token", lambda *_args, **_kwargs: "tok_1")
+
+    response = client.get("/oauth?redirect=https%3A%2F%2Fexample.com%2Fcallback%3Fnext%3D1")
+
+    assert response.status_code == 302
+    assert response.location == "https://example.com/callback?next=1&token=tok_1"
+
+
+def test_send_code_json_failure(monkeypatch):
+    app = create_auth_app()
+    client = app.test_client()
+    monkeypatch.setattr(auth_routes, "send_email_verification", lambda _email: False)
+
+    response = client.post("/send-code", json={"email": "test@example.com"})
+
+    assert response.status_code == 200
+    payload = response.get_json()
+    assert payload["success"] is False
+    assert "Failed to send magic link" in payload["error"]
+
+
+def test_send_code_form_requires_email():
+    app = create_auth_app()
+    client = app.test_client()
+
+    response = client.post("/send-code", data={})
+
+    assert response.status_code == 200
+    assert b"Email is required" in response.data
+
+
+def test_send_code_form_success(monkeypatch):
+    app = create_auth_app()
+    client = app.test_client()
+    monkeypatch.setattr(auth_routes, "send_email_verification", lambda _email: True)
+
+    response = client.post("/send-code", data={"email": "test@example.com"})
+
+    assert response.status_code == 200
+    assert b"Check Your Email" in response.data
+
+
+def test_send_code_form_failure(monkeypatch):
+    app = create_auth_app()
+    client = app.test_client()
+    monkeypatch.setattr(auth_routes, "send_email_verification", lambda _email: False)
+
+    response = client.post("/send-code", data={"email": "test@example.com"})
+
+    assert response.status_code == 200
+    assert b"Failed to send magic link" in response.data
+
+
+def test_email_callback_failed_verification_renders_error(monkeypatch):
+    app = create_auth_app()
+    client = app.test_client()
+    monkeypatch.setattr(
+        auth_routes, "verify_email_code", lambda _code: {"success": False, "error": "expired"}
+    )
+
+    response = client.get("/auth/email/callback?code=bad")
+
+    assert response.status_code == 200
+    assert b"expired" in response.data
+
+
+def test_email_callback_existing_user_oauth2_redirect(monkeypatch):
+    app = create_auth_app()
+    client = app.test_client()
+    oauth2_session(client)
+    monkeypatch.setattr(
+        auth_routes,
+        "verify_email_code",
+        lambda _code: {"success": True, "email": "test@example.com", "name": "Tester"},
+    )
+    monkeypatch.setattr(
+        auth_routes,
+        "get_user_by_email",
+        lambda _email: {"email": "test@example.com", "legal_name": "Legal Name"},
+    )
+
+    response = client.get("/auth/email/callback?code=good")
+
+    assert response.status_code == 302
+    assert response.location.endswith("/oauth/authorize")
+
+
+def test_email_callback_existing_user_legacy_inactive_app(monkeypatch):
+    app = create_auth_app()
+    client = app.test_client()
+    with client.session_transaction() as sess:
+        sess["oauth_redirect"] = "https://example.com/callback"
+        sess["oauth_app_id"] = "app_1"
+    monkeypatch.setattr(
+        auth_routes,
+        "verify_email_code",
+        lambda _code: {"success": True, "email": "test@example.com", "name": "Tester"},
+    )
+    monkeypatch.setattr(
+        auth_routes,
+        "get_user_by_email",
+        lambda _email: {"email": "test@example.com", "legal_name": "Legal Name"},
+    )
+    monkeypatch.setattr("models.app.get_app_by_id", lambda _id: {"is_active": False})
+
+    response = client.get("/auth/email/callback?code=good")
+
+    assert response.status_code == 200
+    assert b"no longer available" in response.data
+
+
+def test_email_callback_existing_user_legacy_restricted_non_admin(monkeypatch):
+    app = create_auth_app()
+    client = app.test_client()
+    with client.session_transaction() as sess:
+        sess["oauth_redirect"] = "https://example.com/callback"
+        sess["oauth_app_id"] = "app_1"
+    monkeypatch.setattr(
+        auth_routes,
+        "verify_email_code",
+        lambda _code: {"success": True, "email": "test@example.com", "name": "Tester"},
+    )
+    monkeypatch.setattr(
+        auth_routes,
+        "get_user_by_email",
+        lambda _email: {"email": "test@example.com", "legal_name": "Legal Name"},
+    )
+    monkeypatch.setattr(
+        "models.app.get_app_by_id",
+        lambda _id: {"id": "app_1", "is_active": True, "allow_anyone": False},
+    )
+    monkeypatch.setattr(auth_routes, "is_admin", lambda _email: False)
+
+    response = client.get("/auth/email/callback?code=good")
+
+    assert response.status_code == 200
+    assert b"permission to access this app" in response.data
+
+
+def test_email_callback_existing_user_legacy_restricted_missing_permission(monkeypatch):
+    app = create_auth_app()
+    client = app.test_client()
+    with client.session_transaction() as sess:
+        sess["oauth_redirect"] = "https://example.com/callback"
+        sess["oauth_app_id"] = "app_1"
+    monkeypatch.setattr(
+        auth_routes,
+        "verify_email_code",
+        lambda _code: {"success": True, "email": "test@example.com", "name": "Tester"},
+    )
+    monkeypatch.setattr(
+        auth_routes,
+        "get_user_by_email",
+        lambda _email: {"email": "test@example.com", "legal_name": "Legal Name"},
+    )
+    monkeypatch.setattr(
+        "models.app.get_app_by_id",
+        lambda _id: {"id": "app_1", "is_active": True, "allow_anyone": False},
+    )
+    monkeypatch.setattr(auth_routes, "is_admin", lambda _email: True)
+    monkeypatch.setattr(auth_routes, "has_app_permission", lambda *_args: False)
+
+    response = client.get("/auth/email/callback?code=good")
+
+    assert response.status_code == 200
+    assert b"permission to access this app" in response.data
+
+
+def test_email_callback_existing_user_legacy_success_redirects_with_token(monkeypatch):
+    app = create_auth_app()
+    client = app.test_client()
+    with client.session_transaction() as sess:
+        sess["oauth_redirect"] = "https://example.com/callback"
+        sess["oauth_app_id"] = "app_1"
+    monkeypatch.setattr(
+        auth_routes,
+        "verify_email_code",
+        lambda _code: {"success": True, "email": "test@example.com", "name": "Tester"},
+    )
+    monkeypatch.setattr(
+        auth_routes,
+        "get_user_by_email",
+        lambda _email: {"email": "test@example.com", "legal_name": "Legal Name"},
+    )
+    monkeypatch.setattr(
+        "models.app.get_app_by_id",
+        lambda _id: {"id": "app_1", "is_active": True, "allow_anyone": True},
+    )
+    monkeypatch.setattr(auth_routes, "create_oauth_token", lambda *_args, **_kwargs: "tok_1")
+
+    response = client.get("/auth/email/callback?code=good")
+
+    assert response.status_code == 302
+    assert response.location == "https://example.com/callback?token=tok_1"
+
+
+def test_email_callback_existing_user_legacy_restricted_authorized_user(monkeypatch):
+    app = create_auth_app()
+    client = app.test_client()
+    with client.session_transaction() as sess:
+        sess["oauth_redirect"] = "https://example.com/callback"
+        sess["oauth_app_id"] = "app_1"
+    monkeypatch.setattr(
+        auth_routes,
+        "verify_email_code",
+        lambda _code: {"success": True, "email": "test@example.com", "name": "Tester"},
+    )
+    monkeypatch.setattr(
+        auth_routes,
+        "get_user_by_email",
+        lambda _email: {"email": "test@example.com", "legal_name": "Legal Name"},
+    )
+    monkeypatch.setattr(
+        "models.app.get_app_by_id",
+        lambda _id: {"id": "app_1", "is_active": True, "allow_anyone": False},
+    )
+    monkeypatch.setattr(auth_routes, "is_admin", lambda _email: True)
+    monkeypatch.setattr(auth_routes, "has_app_permission", lambda *_args: True)
+    monkeypatch.setattr(auth_routes, "create_oauth_token", lambda *_args, **_kwargs: "tok_1")
+
+    response = client.get("/auth/email/callback?code=good")
+
+    assert response.status_code == 302
+    assert response.location == "https://example.com/callback?token=tok_1"
+
+
+def test_email_callback_new_user_sets_pending_registration(monkeypatch):
+    app = create_auth_app()
+    client = app.test_client()
+    monkeypatch.setattr(
+        auth_routes,
+        "verify_email_code",
+        lambda _code: {"success": True, "email": "new@example.com", "name": "New User"},
+    )
+    monkeypatch.setattr(auth_routes, "get_user_by_email", lambda _email: None)
+
+    response = client.get("/auth/email/callback?code=good")
+
+    assert response.status_code == 302
+    assert response.location.endswith("/register")
+    with client.session_transaction() as sess:
+        assert sess["pending_registration"] is True
+        assert sess["user_email"] == "new@example.com"
+
+
+def test_verify_code_route_returns_magic_link_guidance():
+    app = create_auth_app()
+    client = app.test_client()
+
+    response = client.post("/verify-code")
+
+    assert response.status_code == 200
+    payload = response.get_json()
+    assert payload["success"] is False
+    assert "magic link" in payload["error"]
+
+
+def test_verify_discord_missing_token():
+    app = create_auth_app()
+    client = app.test_client()
+
+    response = client.get("/verify")
+
+    assert response.status_code == 200
+    assert b"Missing verification token" in response.data
+
+
+def test_verify_discord_invalid_token(monkeypatch):
+    app = create_auth_app()
+    client = app.test_client()
+    monkeypatch.setattr(auth_routes, "verify_discord_token", lambda _token: None)
+
+    response = client.get("/verify?token=bad")
+
+    assert response.status_code == 200
+    assert b"Invalid or expired verification link" in response.data
+
+
+def test_verify_discord_valid_token_sets_session(monkeypatch):
+    app = create_auth_app()
+    client = app.test_client()
+    monkeypatch.setattr(
+        auth_routes,
+        "verify_discord_token",
+        lambda _token: {"discord_id": "123", "discord_username": "tester"},
+    )
+
+    response = client.get("/verify?token=good")
+
+    assert response.status_code == 200
+    assert b"Sign in" in response.data
+    with client.session_transaction() as sess:
+        assert sess["verification_token"] == "good"
+        assert sess["discord_id"] == "123"
+
+
+def test_verify_discord_valid_token_logged_in_redirects_complete(monkeypatch):
+    app = create_auth_app()
+    client = app.test_client()
+    login_session(client)
+    monkeypatch.setattr(
+        auth_routes,
+        "verify_discord_token",
+        lambda _token: {"discord_id": "123", "discord_username": "tester"},
+    )
+
+    response = client.get("/verify?token=good")
+
+    assert response.status_code == 302
+    assert response.location.endswith("/verify/complete")
+
+
+def test_verify_complete_requires_verification_token():
+    app = create_auth_app()
+    client = app.test_client()
+
+    response = client.get("/verify/complete")
+
+    assert response.status_code == 200
+    assert b"Invalid verification state" in response.data
+
+
+def test_verify_complete_requires_logged_in_user():
+    app = create_auth_app()
+    client = app.test_client()
+    with client.session_transaction() as sess:
+        sess["verification_token"] = "tok_1"
+
+    response = client.get("/verify/complete")
+
+    assert response.status_code == 200
+    assert b"Please log in first" in response.data
+
+
+def test_verify_complete_success_clears_session(monkeypatch):
+    app = create_auth_app()
+    client = app.test_client()
+    login_session(client)
+    with client.session_transaction() as sess:
+        sess["verification_token"] = "tok_1"
+        sess["discord_id"] = "123"
+        sess["discord_username"] = "tester"
+
+    monkeypatch.setattr(
+        auth_routes,
+        "complete_discord_verification",
+        lambda _token, _email: {
+            "success": True,
+            "discord_username": "tester",
+            "roles_assigned": [{"event_id": "hackathon", "role_name": "Hacker"}],
+            "roles_failed": [],
+            "total_roles_assigned": 1,
+            "total_roles_failed": 0,
+        },
+    )
+    monkeypatch.setattr(
+        auth_routes,
+        "get_user_by_email",
+        lambda _email: {
+            "email": "test@example.com",
+            "preferred_name": "Tester",
+            "events": ["event-1"],
+        },
+    )
+
+    response = client.get("/verify/complete")
+
+    assert response.status_code == 200
+    assert b"Discord Verification Successful" in response.data
+    with client.session_transaction() as sess:
+        assert "verification_token" not in sess
+        assert "discord_id" not in sess
+
+
+def test_verify_complete_failure_renders_error(monkeypatch):
+    app = create_auth_app()
+    client = app.test_client()
+    login_session(client)
+    with client.session_transaction() as sess:
+        sess["verification_token"] = "tok_1"
+
+    monkeypatch.setattr(
+        auth_routes,
+        "complete_discord_verification",
+        lambda _token, _email: {"success": False, "error": "verification failed"},
+    )
+
+    response = client.get("/verify/complete")
+
+    assert response.status_code == 200
+    assert b"verification failed" in response.data
+
+
+def test_register_requires_logged_in_user():
+    app = create_auth_app()
+    client = app.test_client()
+
+    response = client.get("/register")
+
+    assert response.status_code == 302
+    assert response.location.endswith("/")
+
+
+def test_register_existing_complete_user_redirects_home(monkeypatch):
+    app = create_auth_app()
+    client = app.test_client()
+    login_session(client)
+    monkeypatch.setattr(
+        auth_routes,
+        "get_user_by_email",
+        lambda _email: {"email": "test@example.com", "legal_name": "Legal Name"},
+    )
+
+    response = client.get("/register")
+
+    assert response.status_code == 302
+    assert response.location.endswith("/")
+
+
+def test_register_get_renders_form_when_pending(monkeypatch):
+    app = create_auth_app()
+    client = app.test_client()
+    login_session(client)
+    with client.session_transaction() as sess:
+        sess["pending_registration"] = True
+    monkeypatch.setattr(
+        auth_routes,
+        "get_user_by_email",
+        lambda _email: {"email": "test@example.com", "legal_name": "Legal Name"},
+    )
+
+    response = client.get("/register")
+
+    assert response.status_code == 200
+    assert b"Complete Your Registration" in response.data
+
+
+def test_register_post_validation_errors(monkeypatch):
+    app = create_auth_app()
+    client = app.test_client()
+    login_session(client)
+    monkeypatch.setattr(auth_routes, "get_user_by_email", lambda _email: None)
+
+    response = client.post("/register", data={"legal_name": "", "dob": "", "pronouns": ""})
+
+    assert response.status_code == 200
+    assert b"Legal name is required" in response.data
+    assert b"Date of birth is required" in response.data
+    assert b"Pronouns are required" in response.data
+
+
+def test_register_post_invalid_dob(monkeypatch):
+    app = create_auth_app()
+    client = app.test_client()
+    login_session(client)
+    monkeypatch.setattr(auth_routes, "get_user_by_email", lambda _email: None)
+
+    response = client.post(
+        "/register",
+        data={"legal_name": "Legal Name", "dob": "not-a-date", "pronouns": "they/them"},
+    )
+
+    assert response.status_code == 200
+    assert b"Invalid date format" in response.data
+
+
+def test_register_post_update_user_value_error(monkeypatch):
+    app = create_auth_app()
+    client = app.test_client()
+    login_session(client)
+    monkeypatch.setattr(
+        auth_routes,
+        "get_user_by_email",
+        lambda _email: {"id": "user_1", "email": "test@example.com", "legal_name": ""},
+    )
+
+    def raise_value_error(*_args, **_kwargs):
+        raise ValueError("update failed")
+
+    monkeypatch.setattr(auth_routes, "update_user", raise_value_error)
+
+    response = client.post(
+        "/register",
+        data={
+            "legal_name": "Legal Name",
+            "preferred_name": "Nick",
+            "dob": "2000-01-01",
+            "pronouns": "they/them",
+        },
+    )
+
+    assert response.status_code == 200
+    assert b"update failed" in response.data
+
+
+def test_register_post_update_redirects_verify_complete(monkeypatch):
+    app = create_auth_app()
+    client = app.test_client()
+    login_session(client)
+    with client.session_transaction() as sess:
+        sess["verification_token"] = "tok_1"
+    monkeypatch.setattr(
+        auth_routes,
+        "get_user_by_email",
+        lambda _email: {"id": "user_1", "email": "test@example.com", "legal_name": ""},
+    )
+    monkeypatch.setattr(auth_routes, "update_user", lambda *_args, **_kwargs: None)
+
+    response = client.post(
+        "/register",
+        data={"legal_name": "Legal Name", "dob": "2000-01-01", "pronouns": "they/them"},
+    )
+
+    assert response.status_code == 302
+    assert response.location.endswith("/verify/complete")
+
+
+def test_register_post_update_redirects_oauth_authorize(monkeypatch):
+    app = create_auth_app()
+    client = app.test_client()
+    login_session(client)
+    oauth2_session(client)
+    monkeypatch.setattr(
+        auth_routes,
+        "get_user_by_email",
+        lambda _email: {"id": "user_1", "email": "test@example.com", "legal_name": ""},
+    )
+    monkeypatch.setattr(auth_routes, "update_user", lambda *_args, **_kwargs: None)
+
+    response = client.post(
+        "/register",
+        data={"legal_name": "Legal Name", "dob": "2000-01-01", "pronouns": "they/them"},
+    )
+
+    assert response.status_code == 302
+    assert response.location.endswith("/oauth/authorize")
+
+
+def test_register_post_update_legacy_inactive_app(monkeypatch):
+    app = create_auth_app()
+    client = app.test_client()
+    login_session(client)
+    with client.session_transaction() as sess:
+        sess["oauth_redirect"] = "https://example.com/callback"
+        sess["oauth_app_id"] = "app_1"
+    monkeypatch.setattr(
+        auth_routes,
+        "get_user_by_email",
+        lambda _email: {"id": "user_1", "email": "test@example.com", "legal_name": ""},
+    )
+    monkeypatch.setattr(auth_routes, "update_user", lambda *_args, **_kwargs: None)
+    monkeypatch.setattr("models.app.get_app_by_id", lambda _id: {"is_active": False})
+
+    response = client.post(
+        "/register",
+        data={"legal_name": "Legal Name", "dob": "2000-01-01", "pronouns": "they/them"},
+    )
+
+    assert response.status_code == 200
+    assert b"no longer available" in response.data
+
+
+def test_register_post_update_legacy_restricted_non_admin(monkeypatch):
+    app = create_auth_app()
+    client = app.test_client()
+    login_session(client)
+    with client.session_transaction() as sess:
+        sess["oauth_redirect"] = "https://example.com/callback"
+        sess["oauth_app_id"] = "app_1"
+    monkeypatch.setattr(
+        auth_routes,
+        "get_user_by_email",
+        lambda _email: {"id": "user_1", "email": "test@example.com", "legal_name": ""},
+    )
+    monkeypatch.setattr(auth_routes, "update_user", lambda *_args, **_kwargs: None)
+    monkeypatch.setattr(
+        "models.app.get_app_by_id",
+        lambda _id: {"id": "app_1", "is_active": True, "allow_anyone": False},
+    )
+    monkeypatch.setattr(auth_routes, "is_admin", lambda _email: False)
+
+    response = client.post(
+        "/register",
+        data={"legal_name": "Legal Name", "dob": "2000-01-01", "pronouns": "they/them"},
+    )
+
+    assert response.status_code == 200
+    assert b"permission to access this app" in response.data
+
+
+def test_register_post_update_legacy_restricted_missing_permission(monkeypatch):
+    app = create_auth_app()
+    client = app.test_client()
+    login_session(client)
+    with client.session_transaction() as sess:
+        sess["oauth_redirect"] = "https://example.com/callback"
+        sess["oauth_app_id"] = "app_1"
+    monkeypatch.setattr(
+        auth_routes,
+        "get_user_by_email",
+        lambda _email: {"id": "user_1", "email": "test@example.com", "legal_name": ""},
+    )
+    monkeypatch.setattr(auth_routes, "update_user", lambda *_args, **_kwargs: None)
+    monkeypatch.setattr(
+        "models.app.get_app_by_id",
+        lambda _id: {"id": "app_1", "is_active": True, "allow_anyone": False},
+    )
+    monkeypatch.setattr(auth_routes, "is_admin", lambda _email: True)
+    monkeypatch.setattr(auth_routes, "has_app_permission", lambda *_args: False)
+
+    response = client.post(
+        "/register",
+        data={"legal_name": "Legal Name", "dob": "2000-01-01", "pronouns": "they/them"},
+    )
+
+    assert response.status_code == 200
+    assert b"permission to access this app" in response.data
+
+
+def test_register_post_update_legacy_success_redirects_with_token(monkeypatch):
+    app = create_auth_app()
+    client = app.test_client()
+    login_session(client)
+    with client.session_transaction() as sess:
+        sess["oauth_redirect"] = "https://example.com/callback"
+        sess["oauth_app_id"] = "app_1"
+    monkeypatch.setattr(
+        auth_routes,
+        "get_user_by_email",
+        lambda _email: {"id": "user_1", "email": "test@example.com", "legal_name": ""},
+    )
+    monkeypatch.setattr(auth_routes, "update_user", lambda *_args, **_kwargs: None)
+    monkeypatch.setattr(
+        "models.app.get_app_by_id",
+        lambda _id: {"id": "app_1", "is_active": True, "allow_anyone": True},
+    )
+    monkeypatch.setattr(auth_routes, "create_oauth_token", lambda *_args, **_kwargs: "tok_1")
+
+    response = client.post(
+        "/register",
+        data={"legal_name": "Legal Name", "dob": "2000-01-01", "pronouns": "they/them"},
+    )
+
+    assert response.status_code == 302
+    assert response.location == "https://example.com/callback?token=tok_1"
+
+
+def test_register_post_update_legacy_restricted_authorized_user_redirects_with_token(
+    monkeypatch,
+):
+    app = create_auth_app()
+    client = app.test_client()
+    login_session(client)
+    with client.session_transaction() as sess:
+        sess["oauth_redirect"] = "https://example.com/callback"
+        sess["oauth_app_id"] = "app_1"
+    monkeypatch.setattr(
+        auth_routes,
+        "get_user_by_email",
+        lambda _email: {"id": "user_1", "email": "test@example.com", "legal_name": ""},
+    )
+    monkeypatch.setattr(auth_routes, "update_user", lambda *_args, **_kwargs: None)
+    monkeypatch.setattr(
+        "models.app.get_app_by_id",
+        lambda _id: {"id": "app_1", "is_active": True, "allow_anyone": False},
+    )
+    monkeypatch.setattr(auth_routes, "is_admin", lambda _email: True)
+    monkeypatch.setattr(auth_routes, "has_app_permission", lambda *_args: True)
+    monkeypatch.setattr(auth_routes, "create_oauth_token", lambda *_args, **_kwargs: "tok_1")
+
+    response = client.post(
+        "/register",
+        data={"legal_name": "Legal Name", "dob": "2000-01-01", "pronouns": "they/them"},
+    )
+
+    assert response.status_code == 302
+    assert response.location == "https://example.com/callback?token=tok_1"
+
+
+def test_register_post_create_user_default_redirect_home_without_oauth_redirect(monkeypatch):
+    app = create_auth_app()
+    client = app.test_client()
+    login_session(client, email="new2@example.com")
+    monkeypatch.setattr(auth_routes, "get_user_by_email", lambda _email: None)
+    monkeypatch.setattr(auth_routes, "create_user", lambda **_kwargs: None)
+
+    response = client.post(
+        "/register",
+        data={
+            "legal_name": "Legal Name",
+            "preferred_name": "Nick",
+            "dob": "2000-01-01",
+            "pronouns": "they/them",
+        },
+    )
+
+    assert response.status_code == 302
+    assert response.location.endswith("/")
+
+
+def test_register_post_create_user_and_clear_incomplete_oauth_session(monkeypatch):
+    app = create_auth_app()
+    client = app.test_client()
+    login_session(client, email="new@example.com")
+    with client.session_transaction() as sess:
+        sess["oauth_redirect"] = "https://example.com/callback"
+
+    created = {}
+    monkeypatch.setattr(auth_routes, "get_user_by_email", lambda _email: None)
+    monkeypatch.setattr(
+        auth_routes,
+        "create_user",
+        lambda **kwargs: created.update(kwargs),
+    )
+
+    response = client.post(
+        "/register",
+        data={
+            "legal_name": "Legal Name",
+            "preferred_name": "Nick",
+            "dob": "2000-01-01",
+            "pronouns": "they/them",
+        },
+    )
+
+    assert response.status_code == 302
+    assert response.location.endswith("/")
+    assert created["email"] == "new@example.com"
+    assert created["dob"] == "01/01/2000"
+    with client.session_transaction() as sess:
+        assert "oauth_redirect" not in sess
+
+
+def test_unlink_discord_dashboard_requires_login():
+    app = create_auth_app()
+    client = app.test_client()
+
+    response = client.post("/dashboard/discord/unlink")
+
+    assert response.status_code == 401
+    assert response.get_json()["success"] is False
+
+
+def test_unlink_discord_dashboard_success(monkeypatch):
+    app = create_auth_app()
+    client = app.test_client()
+    login_session(client)
+    monkeypatch.setattr(
+        auth_routes,
+        "unlink_discord_account",
+        lambda _email: {
+            "success": True,
+            "total_roles_removed": 2,
+            "total_roles_failed": 0,
+            "role_removal_success": True,
+        },
+    )
+
+    response = client.post("/dashboard/discord/unlink")
+
+    assert response.status_code == 200
+    payload = response.get_json()
+    assert payload["success"] is True
+    assert payload["roles_removed"] == 2
+
+
+def test_unlink_discord_dashboard_service_failure(monkeypatch):
+    app = create_auth_app()
+    client = app.test_client()
+    login_session(client)
+    monkeypatch.setattr(
+        auth_routes,
+        "unlink_discord_account",
+        lambda _email: {"success": False, "error": "unlink failed"},
+    )
+
+    response = client.post("/dashboard/discord/unlink")
+
+    assert response.status_code == 400
+    assert response.get_json()["error"] == "unlink failed"
+
+
+def test_unlink_discord_dashboard_exception_returns_500(monkeypatch):
+    app = create_auth_app()
+    client = app.test_client()
+    login_session(client)
+
+    def raise_exc(_email):
+        raise RuntimeError("boom")
+
+    monkeypatch.setattr(auth_routes, "unlink_discord_account", raise_exc)
+
+    response = client.post("/dashboard/discord/unlink")
+
+    assert response.status_code == 500
+    assert response.get_json()["error"] == "Internal server error"
+
+
+def test_unlink_discord_dashboard_exception_with_debug_disabled(monkeypatch):
+    app = create_auth_app()
+    client = app.test_client()
+    login_session(client)
+    monkeypatch.setattr(auth_routes, "DEBUG_MODE", False)
+
+    def raise_exc(_email):
+        raise RuntimeError("boom")
+
+    monkeypatch.setattr(auth_routes, "unlink_discord_account", raise_exc)
+
+    response = client.post("/dashboard/discord/unlink")
+
+    assert response.status_code == 500
+    assert response.get_json()["error"] == "Internal server error"
diff --git a/tests/test_data_deletion_comprehensive.py b/tests/test_data_deletion_comprehensive.py
new file mode 100644
index 0000000..cead16e
--- /dev/null
+++ b/tests/test_data_deletion_comprehensive.py
@@ -0,0 +1,431 @@
+import os
+
+os.environ.setdefault("SECRET_KEY", "test-secret")
+
+import builtins
+
+import services.data_deletion as data_deletion
+
+
+class FakeCursor:
+    def __init__(self, rowcount=0, row=None):
+        self.rowcount = rowcount
+        self._row = row
+
+    def fetchone(self):
+        return self._row
+
+
+class FakeConnection:
+    def __init__(self, execute_impl):
+        self._execute_impl = execute_impl
+        self.committed = False
+        self.closed = False
+
+    def execute(self, query, params):
+        return self._execute_impl(query, params)
+
+    def commit(self):
+        self.committed = True
+
+    def close(self):
+        self.closed = True
+
+
+def test_get_user_data_summary_user_not_found(monkeypatch):
+    conn = FakeConnection(lambda _query, _params: FakeCursor(row=({"count": 0})))
+    monkeypatch.setattr(data_deletion, "get_db_connection", lambda: conn)
+    monkeypatch.setattr(data_deletion, "get_user_by_email", lambda _email: None)
+
+    summary = data_deletion.get_user_data_summary("missing@example.com")
+
+    assert summary["user_found"] is False
+    assert summary["tables_with_data"] == []
+    assert conn.closed is True
+
+
+def test_get_user_data_summary_with_opt_out_tokens(monkeypatch):
+    conn = FakeConnection(
+        lambda _query, _params: FakeCursor(row={"count": 3})
+    )
+    monkeypatch.setattr(data_deletion, "get_db_connection", lambda: conn)
+    monkeypatch.setattr(
+        data_deletion,
+        "get_user_by_email",
+        lambda _email: {"id": "user_1", "discord_id": "123"},
+    )
+
+    summary = data_deletion.get_user_data_summary("test@example.com")
+
+    assert summary["user_found"] is True
+    assert summary["discord_linked"] is True
+    assert summary["opt_out_tokens"] == 3
+    assert "users" in summary["tables_with_data"]
+    assert "opt_out_tokens" in summary["tables_with_data"]
+    assert conn.closed is True
+
+
+def test_get_user_data_summary_user_with_no_opt_out_tokens(monkeypatch):
+    conn = FakeConnection(lambda _query, _params: FakeCursor(row={"count": 0}))
+    monkeypatch.setattr(data_deletion, "get_db_connection", lambda: conn)
+    monkeypatch.setattr(
+        data_deletion,
+        "get_user_by_email",
+        lambda _email: {"id": "user_1", "discord_id": None},
+    )
+
+    summary = data_deletion.get_user_data_summary("test@example.com")
+
+    assert summary["user_found"] is True
+    assert summary["opt_out_tokens"] == 0
+    assert summary["tables_with_data"] == ["users"]
+
+
+def test_remove_discord_roles_when_no_discord_account(monkeypatch):
+    monkeypatch.setattr(
+        data_deletion, "get_user_by_email", lambda _email: {"email": "test@example.com", "discord_id": None}
+    )
+
+    result = data_deletion.remove_discord_roles("test@example.com")
+
+    assert result["success"] is False
+    assert result["error"] == "No Discord account linked"
+
+
+def test_remove_discord_roles_success(monkeypatch):
+    monkeypatch.setattr(data_deletion, "DEBUG_MODE", False)
+    monkeypatch.setattr(
+        data_deletion, "get_user_by_email", lambda _email: {"email": "test@example.com", "discord_id": "123"}
+    )
+    monkeypatch.setattr(
+        "utils.discord.remove_all_event_roles",
+        lambda _discord_id: {"success": True, "roles_removed": ["a"], "total_removed": 1},
+    )
+
+    result = data_deletion.remove_discord_roles("test@example.com")
+
+    assert result["success"] is True
+    assert result["total_removed"] == 1
+    assert result["roles_removed"] == ["a"]
+
+
+def test_remove_discord_roles_partial_failure(monkeypatch):
+    monkeypatch.setattr(data_deletion, "DEBUG_MODE", False)
+    monkeypatch.setattr(
+        data_deletion, "get_user_by_email", lambda _email: {"email": "test@example.com", "discord_id": "123"}
+    )
+    monkeypatch.setattr(
+        "utils.discord.remove_all_event_roles",
+        lambda _discord_id: {
+            "success": False,
+            "error": "remove failed",
+            "roles_removed": ["a"],
+            "roles_failed": ["b"],
+        },
+    )
+
+    result = data_deletion.remove_discord_roles("test@example.com")
+
+    assert result["success"] is False
+    assert result["error"] == "remove failed"
+    assert result["roles_failed"] == ["b"]
+
+
+def test_remove_discord_roles_handles_unexpected_exception(monkeypatch):
+    monkeypatch.setattr(
+        data_deletion, "get_user_by_email", lambda _email: {"email": "test@example.com", "discord_id": "123"}
+    )
+    monkeypatch.setattr(
+        "utils.discord.remove_all_event_roles",
+        lambda _discord_id: (_ for _ in ()).throw(RuntimeError("boom")),
+    )
+
+    result = data_deletion.remove_discord_roles("test@example.com")
+
+    assert result["success"] is False
+    assert "Discord role removal failed" in result["error"]
+
+
+def test_remove_discord_roles_handles_import_error(monkeypatch):
+    monkeypatch.setattr(
+        data_deletion, "get_user_by_email", lambda _email: {"email": "test@example.com", "discord_id": "123"}
+    )
+
+    original_import = builtins.__import__
+
+    def fake_import(name, globals=None, locals=None, fromlist=(), level=0):
+        if name == "utils.discord":
+            raise ImportError("missing discord utilities")
+        return original_import(name, globals, locals, fromlist, level)
+
+    monkeypatch.setattr(builtins, "__import__", fake_import)
+
+    result = data_deletion.remove_discord_roles("test@example.com")
+
+    assert result["success"] is False
+    assert result["error"] == "Discord utilities not available"
+
+
+def test_remove_discord_roles_handles_user_lookup_exception(monkeypatch):
+    monkeypatch.setattr(
+        data_deletion,
+        "get_user_by_email",
+        lambda _email: (_ for _ in ()).throw(RuntimeError("lookup boom")),
+    )
+
+    result = data_deletion.remove_discord_roles("test@example.com")
+
+    assert result["success"] is False
+    assert "Error accessing user data" in result["error"]
+
+
+def test_delete_user_data_adds_discord_and_listmonk_errors(monkeypatch):
+    conn = FakeConnection(lambda _query, _params: FakeCursor(rowcount=0))
+
+    monkeypatch.setattr(
+        data_deletion,
+        "get_user_data_summary",
+        lambda _email: {"user_found": True, "discord_linked": True},
+    )
+    monkeypatch.setattr(
+        data_deletion,
+        "remove_discord_roles",
+        lambda _email: {"success": False, "error": "discord failed"},
+    )
+    monkeypatch.setattr(
+        data_deletion,
+        "delete_subscriber_by_email",
+        lambda _email: {"success": False, "error": "listmonk failed", "skipped": False},
+    )
+    monkeypatch.setattr(data_deletion, "get_db_connection", lambda: conn)
+    monkeypatch.setattr(data_deletion, "get_user_by_email", lambda _email: None)
+
+    result = data_deletion.delete_user_data("test@example.com")
+
+    assert result["success"] is False
+    assert "Discord: discord failed" in result["errors"]
+    assert "Listmonk: listmonk failed" in result["errors"]
+    assert conn.committed is True
+    assert conn.closed is True
+
+
+def test_delete_user_data_discord_success_does_not_add_discord_error(monkeypatch):
+    conn = FakeConnection(lambda _query, _params: FakeCursor(rowcount=0))
+    monkeypatch.setattr(
+        data_deletion,
+        "get_user_data_summary",
+        lambda _email: {"user_found": True, "discord_linked": True},
+    )
+    monkeypatch.setattr(
+        data_deletion,
+        "remove_discord_roles",
+        lambda _email: {"success": True, "error": None},
+    )
+    monkeypatch.setattr(
+        data_deletion,
+        "delete_subscriber_by_email",
+        lambda _email: {"success": True},
+    )
+    monkeypatch.setattr(data_deletion, "get_db_connection", lambda: conn)
+    monkeypatch.setattr(data_deletion, "get_user_by_email", lambda _email: None)
+
+    result = data_deletion.delete_user_data("test@example.com")
+
+    assert result["success"] is True
+    assert all(not err.startswith("Discord:") for err in result["errors"])
+
+
+def test_delete_user_data_skipped_listmonk_does_not_add_error(monkeypatch):
+    conn = FakeConnection(lambda _query, _params: FakeCursor(rowcount=0))
+    monkeypatch.setattr(
+        data_deletion,
+        "get_user_data_summary",
+        lambda _email: {"user_found": True, "discord_linked": False},
+    )
+    monkeypatch.setattr(
+        data_deletion,
+        "delete_subscriber_by_email",
+        lambda _email: {"success": False, "skipped": True},
+    )
+    monkeypatch.setattr(data_deletion, "get_db_connection", lambda: conn)
+    monkeypatch.setattr(data_deletion, "get_user_by_email", lambda _email: None)
+
+    result = data_deletion.delete_user_data("test@example.com")
+
+    assert result["success"] is True
+    assert result["errors"] == []
+
+
+def test_delete_user_data_with_listmonk_disabled_skips_external_delete(monkeypatch):
+    conn = FakeConnection(lambda _query, _params: FakeCursor(rowcount=0))
+    monkeypatch.setattr(
+        data_deletion,
+        "get_user_data_summary",
+        lambda _email: {"user_found": True, "discord_linked": False},
+    )
+    monkeypatch.setattr(data_deletion, "get_db_connection", lambda: conn)
+    monkeypatch.setattr(data_deletion, "get_user_by_email", lambda _email: None)
+
+    result = data_deletion.delete_user_data(
+        "test@example.com", include_discord=False, include_listmonk=False
+    )
+
+    assert result["success"] is True
+    assert result["listmonk_result"] is None
+
+
+def test_delete_user_data_handles_sqlite_delete_error(monkeypatch):
+    def execute_impl(_query, _params):
+        raise RuntimeError("sqlite failed")
+
+    conn = FakeConnection(execute_impl)
+    monkeypatch.setattr(
+        data_deletion,
+        "get_user_data_summary",
+        lambda _email: {"user_found": True, "discord_linked": False},
+    )
+    monkeypatch.setattr(
+        data_deletion,
+        "delete_subscriber_by_email",
+        lambda _email: {"success": True},
+    )
+    monkeypatch.setattr(data_deletion, "get_db_connection", lambda: conn)
+    monkeypatch.setattr(data_deletion, "get_user_by_email", lambda _email: None)
+
+    result = data_deletion.delete_user_data("test@example.com")
+
+    assert result["success"] is False
+    assert any("Error deleting from opt_out_tokens" in err for err in result["errors"])
+
+
+def test_delete_user_data_handles_teable_delete_error(monkeypatch):
+    conn = FakeConnection(lambda _query, _params: FakeCursor(rowcount=0))
+    monkeypatch.setattr(
+        data_deletion,
+        "get_user_data_summary",
+        lambda _email: {"user_found": True, "discord_linked": False},
+    )
+    monkeypatch.setattr(
+        data_deletion,
+        "delete_subscriber_by_email",
+        lambda _email: {"success": True},
+    )
+    monkeypatch.setattr(data_deletion, "get_db_connection", lambda: conn)
+    monkeypatch.setattr(
+        data_deletion, "get_user_by_email", lambda _email: {"id": "user_1", "email": "test@example.com"}
+    )
+
+    def raise_delete(_user_id):
+        raise RuntimeError("teable failed")
+
+    monkeypatch.setattr("models.user.delete_user", raise_delete)
+
+    result = data_deletion.delete_user_data("test@example.com")
+
+    assert result["success"] is False
+    assert any("Error deleting from Teable users" in err for err in result["errors"])
+
+
+def test_delete_user_data_outer_exception_is_captured(monkeypatch):
+    monkeypatch.setattr(
+        data_deletion,
+        "get_user_data_summary",
+        lambda _email: (_ for _ in ()).throw(RuntimeError("critical")),
+    )
+
+    result = data_deletion.delete_user_data("test@example.com")
+
+    assert result["success"] is False
+    assert any("Critical error during data deletion" in err for err in result["errors"])
+
+
+def test_verify_user_deletion_when_fully_deleted(monkeypatch):
+    conn = FakeConnection(lambda _query, _params: FakeCursor(row={"count": 0}))
+    monkeypatch.setattr(data_deletion, "get_db_connection", lambda: conn)
+    monkeypatch.setattr(data_deletion, "get_user_by_email", lambda _email: None)
+
+    verification = data_deletion.verify_user_deletion("test@example.com")
+
+    assert verification["completely_deleted"] is True
+    assert verification["remaining_data"] == {}
+    assert "opt_out_tokens" in verification["tables_checked"]
+    assert "users" in verification["tables_checked"]
+    assert conn.closed is True
+
+
+def test_verify_user_deletion_detects_remaining_data(monkeypatch):
+    conn = FakeConnection(lambda _query, _params: FakeCursor(row={"count": 2}))
+    monkeypatch.setattr(data_deletion, "get_db_connection", lambda: conn)
+    monkeypatch.setattr(data_deletion, "get_user_by_email", lambda _email: {"id": "user_1"})
+
+    verification = data_deletion.verify_user_deletion("test@example.com")
+
+    assert verification["completely_deleted"] is False
+    assert verification["remaining_data"]["opt_out_tokens"] == 2
+    assert verification["remaining_data"]["users"] == 1
+
+
+def test_verify_user_deletion_handles_user_lookup_exception(monkeypatch):
+    conn = FakeConnection(lambda _query, _params: FakeCursor(row={"count": 0}))
+    monkeypatch.setattr(data_deletion, "get_db_connection", lambda: conn)
+    monkeypatch.setattr(
+        data_deletion,
+        "get_user_by_email",
+        lambda _email: (_ for _ in ()).throw(RuntimeError("teable lookup failed")),
+    )
+
+    verification = data_deletion.verify_user_deletion("test@example.com")
+
+    assert verification["completely_deleted"] is True
+    assert "users" not in verification["remaining_data"]
+
+
+def test_verify_user_deletion_continues_when_sqlite_check_fails(monkeypatch):
+    def execute_impl(_query, _params):
+        raise RuntimeError("query failed")
+
+    conn = FakeConnection(execute_impl)
+    monkeypatch.setattr(data_deletion, "get_db_connection", lambda: conn)
+    monkeypatch.setattr(data_deletion, "get_user_by_email", lambda _email: None)
+
+    verification = data_deletion.verify_user_deletion("test@example.com")
+
+    assert verification["completely_deleted"] is True
+    assert verification["remaining_data"] == {}
+
+
+def test_get_deletion_preview_user_not_found(monkeypatch):
+    monkeypatch.setattr(data_deletion, "get_user_data_summary", lambda _email: {"user_found": False})
+
+    preview = data_deletion.get_deletion_preview("missing@example.com")
+
+    assert preview["user_found"] is False
+    assert "No account found" in preview["message"]
+
+
+def test_get_deletion_preview_for_discord_linked_user(monkeypatch):
+    monkeypatch.setattr(
+        data_deletion,
+        "get_user_data_summary",
+        lambda _email: {"user_found": True, "discord_linked": True},
+    )
+
+    preview = data_deletion.get_deletion_preview("test@example.com")
+
+    assert preview["user_found"] is True
+    assert preview["discord_warning"] is True
+    assert any("Discord verification status and roles" in item for item in preview["items_to_delete"])
+
+
+def test_get_deletion_preview_for_non_discord_user(monkeypatch):
+    monkeypatch.setattr(
+        data_deletion,
+        "get_user_data_summary",
+        lambda _email: {"user_found": True, "discord_linked": False},
+    )
+
+    preview = data_deletion.get_deletion_preview("test@example.com")
+
+    assert preview["user_found"] is True
+    assert preview["discord_warning"] is False
+    assert all("Discord verification status and roles" not in item for item in preview["items_to_delete"])