Merge pull request 'fix: Remove the Approved From and Approved to search field' (#137) from claude/issue-136 into master

Reviewed-on: #137

App/CLAUDE.md

@@ -104,6 +104,12 @@ A PO's **cost centre is a Vessel** (the `Vessel` model). `PurchaseOrder.vesselId
 
 The three PO forms (`new-po-form`, `edit-po-form`, `manager-edit-po-form`) render a shared `<DeliveryLocationField>` — a native `<select name="placeOfDelivery">` populated from the **active** locations, each formatted by `lib/delivery-location.ts` `formatDeliveryLocation(company, address)` → `"Company — address"`. **`PurchaseOrder.placeOfDelivery` stays a free-text snapshot** (no FK): the dropdown only changes how the value is picked, so the export, import, and historical/imported POs are unchanged. On edit, a current value not in the active list is preserved as a leading "(current)" option so it's never silently dropped. Deleting a location is therefore always safe (no PO references it).
 
+### Project Codes (issue #124)
+
+`ProjectCode` (a unique `code` string + `isActive`) is an admin-managed list that backs the PO **Project Code** dropdown — it replaced an earlier hardcoded `PROJECT_CODES` array. Managed at `/admin/project-codes`, gated by the **`manage_project_codes`** permission (Manager + SuperUser + Admin), mirroring Delivery Locations (table + Add/Edit dialogs + activate/deactivate + delete). The migration seeds the five originally-hardcoded codes so the dropdown stays populated.
+
+The three PO forms render a shared `<ProjectCodeField options={…}>` — a native `<select name="projectCode">` populated from the **active** codes plus an empty "— none —" option (the field stays **optional**). **`PurchaseOrder.projectCode` stays a nullable free-text snapshot** (no FK): the dropdown only changes how the value is picked, so the export, import, and historical/imported POs are unchanged. On edit, a current value not in the active list is preserved as a leading "(current)" option so it's never silently dropped. Deleting a code is therefore always safe (no PO references it).
+
 ### Terms & Conditions catalogue (issue #11)
 
 Admin-managed T&C with **user-defined categories** (not a fixed set) feeding a **dynamic PO editor**.
@@ -141,6 +147,8 @@ An **Email to vendor** button on the PO detail (`po-detail.tsx`, available once
 
 The pipeline (no mailto attachment — `mailto:` can't carry files): `prepareVendorEmail(poId)` (`po/[id]/email-actions.ts`) → `renderPoPdf` (`lib/pdf-service.ts`) → **PdfService** (a standalone Express + Playwright microservice, the GstService/EpfoService pattern) renders the existing `/api/po/[id]/export?format=pdf&pdf=1` page to a real PDF via headless Chromium → `uploadBuffer` to R2 (`po-pdf/…`) → `generateDownloadUrl` (presigned, **7-day** TTL) → returns a `mailto:` with the link. The export route accepts a server-only `svc` token (`PDF_SERVICE_TOKEN`) so PdfService can fetch the page without a user session, and `pdf=1` drops the on-screen print button + `window.print()` auto-trigger. Gated by `PDF_SERVICE_URL`/`PDF_SERVICE_TOKEN` — if unset the action returns a friendly "not configured" error. **No new DB model/migration.**
 
+**Caching:** the PDF is stored at a **deterministic per-PO key** (`buildPoPdfKey` → `po-pdf/<poId>/<slug>.pdf`, no timestamp). On each send, `statObject(key)` checks for an existing copy: if one exists and its `lastModified >= po.updatedAt`, it's **reused** (no re-render, no re-upload) and only a **fresh presigned URL is minted** (refreshing the 7-day timer). It re-renders only when there's no copy yet or the PO changed since the cached one.
+
 ### Inventory (feature-flagged)
 
 Inventory (`ItemInventory`, keyed by `productId` + `siteId`) is **incremented at PO approval** — not on close — for the ordered quantities, when the PO has a `siteId`. The whole inventory surface (site stock, consumption) is gated by `NEXT_PUBLIC_INVENTORY_ENABLED` (see `lib/feature-flags.ts`); the vendor/product catalogue used for PO creation stays available regardless.
@@ -164,6 +172,8 @@ Spend analytics under a **Reports** sidebar section (with a **"Purchasing"** sub
 
 **Filters** live in the **URL query** so the server component re-renders — no client fetching: `gran` (**weekly** / monthly / yearly), `fy`, `month` (weekly), `scope` (Top/Bottom-N), `parent` (accounting drill), `tier` / `break` / `topn` (detail breakdowns), and `sel` + `cmp` (the **custom "Add to graph"** multi-select — tick rows via the `<SelectCheckbox>` links, then `cmp=1` compares just the selected set). Weekly focuses one FY month and buckets by week-of-month (W1–W5). The shared `<ReportsToolbar>` (client) writes the params; charts are **recharts** (`components/reports/charts.tsx`) — the comparison chart plots **one colour-coded series per item** (cost centre / accounting code) in every granularity, including the yearly grouped-bars view (x-axis = FYs, a coloured bar per item — not one colour per year); KPIs/tables/breadcrumbs are server-rendered. Export → `/api/reports/spend?dim=…` (CSV mirroring the on-screen view, incl. the custom selection).
 
+**Drill to POs (#126):** each detail page (`/reports/cost-centres/[id]`, `/reports/accounting-codes/[id]`) has a **"View POs"** link to **PO History** pre-filtered to that cost centre / accounting code over the period in view — `periodRange(gran, fy, month, fys)` (`lib/reports.ts`) maps the on-screen period onto History's `approvedFrom`/`approvedTo` (weekly → the focused month, monthly → the FY, yearly → the full FY span; spend is dated by `approvedAt`). PO History (`/history`) gained an **`accountId`** filter that accepts **any** account-tree node and matches a PO whose **PO-level account or any line-item account** is a leaf under it (`accountLeafIds()` expands the node) — the same attribution basis the reports use. The History page **and** its CSV/PDF export route (`/api/reports/export`) build their `where` from one shared `lib/history-filter.ts` `buildPoHistoryWhere()` so they stay in lockstep.
+
 Sites are **not** cost centres (only vessels are).
 
 ### Crewing (feature-flagged)

App/app/(portal)/admin/project-codes/actions.ts

@@ -0,0 +1,82 @@
+"use server";
+
+import { auth } from "@/auth";
+import { db } from "@/lib/db";
+import { hasPermission } from "@/lib/permissions";
+import { revalidatePath } from "next/cache";
+import { Prisma } from "@prisma/client";
+import { z } from "zod";
+
+const schema = z.object({
+  code: z.string().trim().min(1, "Project code is required"),
+});
+
+type Result = { ok: true } | { error: string };
+
+async function guard(): Promise<{ ok: true } | { error: string }> {
+  const session = await auth();
+  if (!session?.user || !hasPermission(session.user.role, "manage_project_codes")) {
+    return { error: "Forbidden" };
+  }
+  return { ok: true };
+}
+
+export async function createProjectCode(formData: FormData): Promise<Result> {
+  const g = await guard();
+  if ("error" in g) return g;
+
+  const parsed = schema.safeParse(Object.fromEntries(formData));
+  if (!parsed.success) return { error: parsed.error.errors[0].message };
+
+  try {
+    await db.projectCode.create({ data: { code: parsed.data.code } });
+  } catch (e) {
+    if (e instanceof Prisma.PrismaClientKnownRequestError && e.code === "P2002") {
+      return { error: "That project code already exists." };
+    }
+    throw e;
+  }
+  revalidatePath("/admin/project-codes");
+  return { ok: true };
+}
+
+export async function updateProjectCode(id: string, formData: FormData): Promise<Result> {
+  const g = await guard();
+  if ("error" in g) return g;
+
+  const parsed = schema.safeParse(Object.fromEntries(formData));
+  if (!parsed.success) return { error: parsed.error.errors[0].message };
+
+  try {
+    await db.projectCode.update({ where: { id }, data: { code: parsed.data.code } });
+  } catch (e) {
+    if (e instanceof Prisma.PrismaClientKnownRequestError && e.code === "P2002") {
+      return { error: "That project code already exists." };
+    }
+    throw e;
+  }
+  revalidatePath("/admin/project-codes");
+  return { ok: true };
+}
+
+export async function toggleProjectCodeActive(id: string): Promise<Result> {
+  const g = await guard();
+  if ("error" in g) return g;
+
+  const code = await db.projectCode.findUnique({ where: { id }, select: { isActive: true } });
+  if (!code) return { error: "Not found" };
+  await db.projectCode.update({ where: { id }, data: { isActive: !code.isActive } });
+  revalidatePath("/admin/project-codes");
+  return { ok: true };
+}
+
+export async function deleteProjectCode(id: string): Promise<Result> {
+  const g = await guard();
+  if ("error" in g) return g;
+
+  // Safe to delete: POs keep their project code as a text snapshot, so no
+  // purchase order references this row.
+  await db.projectCode.delete({ where: { id } });
+  revalidatePath("/admin/project-codes");
+  return { ok: true };
+}

App/app/(portal)/admin/project-codes/page.tsx

@@ -0,0 +1,28 @@
+import { auth } from "@/auth";
+import { db } from "@/lib/db";
+import { hasPermission } from "@/lib/permissions";
+import { redirect } from "next/navigation";
+import { ProjectCodesTable } from "./project-codes-table";
+import type { Metadata } from "next";
+
+export const metadata: Metadata = { title: "Project Codes" };
+
+export default async function ProjectCodesPage() {
+  const session = await auth();
+  if (!session?.user) redirect("/login");
+  if (!hasPermission(session.user.role, "manage_project_codes")) redirect("/dashboard");
+
+  const projectCodes = await db.projectCode.findMany({
+    orderBy: [{ isActive: "desc" }, { code: "asc" }],
+  });
+
+  return (
+    <ProjectCodesTable
+      projectCodes={projectCodes.map((c) => ({
+        id: c.id,
+        code: c.code,
+        isActive: c.isActive,
+      }))}
+    />
+  );
+}

App/app/(portal)/admin/project-codes/project-code-form.tsx

@@ -0,0 +1,96 @@
+"use client";
+
+import { useState } from "react";
+import { useRouter } from "next/navigation";
+import { AdminDialog } from "@/components/ui/admin-dialog";
+import { createProjectCode, updateProjectCode } from "./actions";
+
+const INPUT = "w-full rounded-lg border border-neutral-300 px-3 py-2 text-sm focus:border-primary-500 focus:outline-none focus:ring-2 focus:ring-primary-500/20";
+
+export type ProjectCodeRow = {
+  id: string;
+  code: string;
+  isActive: boolean;
+};
+
+function Fields({ projectCode }: { projectCode?: ProjectCodeRow }) {
+  return (
+    <div className="space-y-3">
+      <div>
+        <label className="block text-xs font-medium text-neutral-700 mb-1">Project code *</label>
+        <input name="code" defaultValue={projectCode?.code ?? ""} required className={INPUT} placeholder="e.g. Petronet LNG Cochin" />
+      </div>
+    </div>
+  );
+}
+
+export function AddProjectCodeButton() {
+  const router = useRouter();
+  const [open, setOpen] = useState(false);
+  const [pending, setPending] = useState(false);
+  const [error, setError] = useState("");
+
+  async function handleSubmit(e: React.FormEvent<HTMLFormElement>) {
+    e.preventDefault(); setPending(true); setError("");
+    const result = await createProjectCode(new FormData(e.currentTarget));
+    if ("error" in result) { setError(result.error); setPending(false); }
+    else { setPending(false); setOpen(false); router.refresh(); }
+  }
+
+  return (
+    <>
+      <button onClick={() => setOpen(true)} className="rounded-lg bg-primary-600 px-4 py-2 text-sm font-semibold text-white hover:bg-primary-700">
+        + Add Project Code
+      </button>
+      <AdminDialog open={open} onClose={() => setOpen(false)} title="Add Project Code">
+        <form onSubmit={handleSubmit} className="space-y-4">
+          <Fields />
+          {error && <p className="text-sm text-danger-700 bg-danger-50 rounded px-3 py-2">{error}</p>}
+          <div className="flex gap-3 justify-end">
+            <button type="button" onClick={() => setOpen(false)} className="rounded-lg border border-neutral-300 px-4 py-2 text-sm font-medium text-neutral-700">Cancel</button>
+            <button type="submit" disabled={pending} className="rounded-lg bg-primary-600 px-4 py-2 text-sm font-semibold text-white disabled:opacity-60">{pending ? "Saving…" : "Create"}</button>
+          </div>
+        </form>
+      </AdminDialog>
+    </>
+  );
+}
+
+export function EditProjectCodeButton({
+  projectCode,
+  open: controlledOpen,
+  onOpenChange,
+}: {
+  projectCode: ProjectCodeRow;
+  open?: boolean;
+  onOpenChange?: (v: boolean) => void;
+}) {
+  const router = useRouter();
+  const [internalOpen, setInternalOpen] = useState(false);
+  const [pending, setPending] = useState(false);
+  const [error, setError] = useState("");
+
+  const isControlled = controlledOpen !== undefined;
+  const open = isControlled ? controlledOpen : internalOpen;
+  const setOpen = isControlled ? (onOpenChange ?? (() => {})) : setInternalOpen;
+
+  async function handleSubmit(e: React.FormEvent<HTMLFormElement>) {
+    e.preventDefault(); setPending(true); setError("");
+    const result = await updateProjectCode(projectCode.id, new FormData(e.currentTarget));
+    if ("error" in result) { setError(result.error); setPending(false); }
+    else { setPending(false); setOpen(false); router.refresh(); }
+  }
+
+  return (
+    <AdminDialog open={open} onClose={() => setOpen(false)} title="Edit Project Code">
+      <form onSubmit={handleSubmit} className="space-y-4">
+        <Fields projectCode={projectCode} />
+        {error && <p className="text-sm text-danger-700 bg-danger-50 rounded px-3 py-2">{error}</p>}
+        <div className="flex justify-end gap-3">
+          <button type="button" onClick={() => setOpen(false)} className="rounded-lg border border-neutral-300 px-4 py-2 text-sm font-medium text-neutral-700">Cancel</button>
+          <button type="submit" disabled={pending} className="rounded-lg bg-primary-600 px-4 py-2 text-sm font-semibold text-white disabled:opacity-60">{pending ? "Saving…" : "Save"}</button>
+        </div>
+      </form>
+    </AdminDialog>
+  );
+}

App/app/(portal)/admin/project-codes/project-codes-table.tsx

@@ -0,0 +1,131 @@
+"use client";
+
+import { useState } from "react";
+import { useTableControls } from "@/components/ui/use-table-controls";
+import { TableControls, SortableTh } from "@/components/ui/table-controls";
+import { RowActionsMenu, RowActionsItem, RowActionsDestructiveItem, RowActionsSeparator } from "@/components/ui/row-actions-menu";
+import { DeleteConfirmDialog } from "@/components/ui/delete-confirm-dialog";
+import { ConfirmDialog } from "@/components/ui/confirm-dialog";
+import {
+  AddProjectCodeButton,
+  EditProjectCodeButton,
+  type ProjectCodeRow,
+} from "./project-code-form";
+import { deleteProjectCode, toggleProjectCodeActive } from "./actions";
+
+const CHIPS = ["Active", "Inactive"];
+
+function ProjectCodeActionsMenu({ projectCode }: { projectCode: ProjectCodeRow }) {
+  const [editOpen, setEditOpen] = useState(false);
+  const [deleteOpen, setDeleteOpen] = useState(false);
+  const [toggleOpen, setToggleOpen] = useState(false);
+
+  return (
+    <>
+      <RowActionsMenu>
+        <RowActionsItem onClick={() => setEditOpen(true)}>Edit</RowActionsItem>
+        <RowActionsItem onClick={() => setToggleOpen(true)}>
+          {projectCode.isActive ? "Deactivate" : "Activate"}
+        </RowActionsItem>
+        <RowActionsSeparator />
+        <RowActionsDestructiveItem onClick={() => setDeleteOpen(true)}>Delete</RowActionsDestructiveItem>
+      </RowActionsMenu>
+
+      <EditProjectCodeButton projectCode={projectCode} open={editOpen} onOpenChange={setEditOpen} />
+      <DeleteConfirmDialog
+        open={deleteOpen}
+        onOpenChange={setDeleteOpen}
+        label={projectCode.code}
+        onConfirm={() => deleteProjectCode(projectCode.id)}
+      />
+      <ConfirmDialog
+        open={toggleOpen}
+        onOpenChange={setToggleOpen}
+        title={projectCode.isActive ? "Deactivate project code?" : "Activate project code?"}
+        description={
+          projectCode.isActive
+            ? "It will no longer appear in the Project Code dropdown."
+            : "It will appear in the Project Code dropdown again."
+        }
+        confirmLabel={projectCode.isActive ? "Deactivate" : "Activate"}
+        onConfirm={() => toggleProjectCodeActive(projectCode.id)}
+      />
+    </>
+  );
+}
+
+export function ProjectCodesTable({ projectCodes }: { projectCodes: ProjectCodeRow[] }) {
+  const { search, setSearch, sortKey, sortDir, toggleSort, activeFilters, toggleFilter, filtered } =
+    useTableControls<ProjectCodeRow>({
+      rows: projectCodes,
+      defaultSortKey: "code",
+      searchText: (c) => [c.code, c.isActive ? "active" : "inactive"].join(" "),
+      chipMatch: (c, chip) => {
+        if (chip.toLowerCase() === "active") return c.isActive;
+        if (chip.toLowerCase() === "inactive") return !c.isActive;
+        return false;
+      },
+      sortValue: (c, key) => {
+        if (key === "isActive") return c.isActive ? "Active" : "Inactive";
+        const val = c[key as keyof ProjectCodeRow];
+        return typeof val === "string" || typeof val === "boolean" ? val : String(val ?? "");
+      },
+    });
+
+  return (
+    <div>
+      <div className="mb-6 flex items-center justify-between">
+        <div>
+          <h1 className="text-2xl font-semibold text-neutral-900">Project Codes</h1>
+          <p className="text-sm text-neutral-500 mt-0.5">Codes that populate the PO &ldquo;Project Code&rdquo; dropdown</p>
+        </div>
+        <AddProjectCodeButton />
+      </div>
+
+      <TableControls
+        search={search}
+        onSearch={setSearch}
+        searchPlaceholder="Search project code…"
+        chips={CHIPS}
+        activeFilters={activeFilters}
+        onToggleFilter={toggleFilter}
+      />
+
+      <div className="rounded-lg border border-neutral-200 bg-white overflow-hidden">
+        <table className="w-full text-sm">
+          <thead className="bg-neutral-50 border-b border-neutral-200">
+            <tr>
+              <SortableTh sortKey="code" activeSortKey={sortKey as string | null} sortDir={sortDir} onSort={(k) => toggleSort(k as keyof ProjectCodeRow)}>Project Code</SortableTh>
+              <SortableTh sortKey="isActive" activeSortKey={sortKey as string | null} sortDir={sortDir} onSort={(k) => toggleSort(k as keyof ProjectCodeRow)}>Status</SortableTh>
+              <th className="px-4 py-3 w-10"></th>
+            </tr>
+          </thead>
+          <tbody className="divide-y divide-neutral-100">
+            {filtered.length === 0 && (
+              <tr>
+                <td colSpan={3} className="px-4 py-8 text-center text-neutral-400">
+                  No project codes yet. Add one to populate the Project Code dropdown.
+                </td>
+              </tr>
+            )}
+            {filtered.map((projectCode) => (
+              <tr key={projectCode.id} className="hover:bg-neutral-50">
+                <td className="px-4 py-3 font-medium text-neutral-900">{projectCode.code}</td>
+                <td className="px-4 py-3">
+                  <span className={`rounded-full px-2.5 py-0.5 text-xs font-medium ${
+                    projectCode.isActive ? "bg-success-100 text-success-700" : "bg-neutral-100 text-neutral-500"
+                  }`}>
+                    {projectCode.isActive ? "Active" : "Inactive"}
+                  </span>
+                </td>
+                <td className="px-4 py-3">
+                  <ProjectCodeActionsMenu projectCode={projectCode} />
+                </td>
+              </tr>
+            ))}
+          </tbody>
+        </table>
+      </div>
+    </div>
+  );
+}

App/app/(portal)/approvals/[id]/manager-edit-po-form.tsx

@@ -10,6 +10,7 @@ import type { VesselOption, AccountGroup, CompanyOption } from "@/app/(portal)/p
 import { SearchableSelect } from "@/components/ui/searchable-select";
 import { VendorSelect } from "@/components/ui/vendor-select";
 import { DeliveryLocationField } from "@/components/po/delivery-location-field";
+import { ProjectCodeField } from "@/components/po/project-code-field";
 import { PoTermsEditor } from "@/components/po/po-terms-editor";
 import type { CatalogueCategory, PoTerm } from "@/lib/terms";
 
@@ -43,6 +44,7 @@ interface Props {
   vendors: Vendor[];
   companies: CompanyOption[];
   deliveryOptions: string[];
+  projectCodeOptions: string[];
   termsCatalogue: CatalogueCategory[];
   initialTerms: PoTerm[];
 }
@@ -57,7 +59,7 @@ function ManagerAccountSelect({ accountId, accounts }: { accountId: string; acco
   return <SearchableSelect name="accountId" value={value} onChange={setValue} groups={accounts} placeholder="Search accounting code…" required />;
 }
 
-export function ManagerEditPoForm({ po, vessels, accounts, vendors, companies, deliveryOptions, termsCatalogue, initialTerms }: Props) {
+export function ManagerEditPoForm({ po, vessels, accounts, vendors, companies, deliveryOptions, projectCodeOptions, termsCatalogue, initialTerms }: Props) {
   const router = useRouter();
   const [editing, setEditing] = useState(false);
   const [pending, setPending] = useState(false);
@@ -195,7 +197,7 @@ export function ManagerEditPoForm({ po, vessels, accounts, vendors, companies, d
             </div>
             <div>
               <label className={LABEL}>Project Code</label>
-              <input name="projectCode" defaultValue={po.projectCode ?? ""} className={INPUT} placeholder="Optional" />
+              <ProjectCodeField options={projectCodeOptions} current={po.projectCode} className={INPUT} />
             </div>
             <div>
               <label className={LABEL}>Delivery Date Required</label>

App/app/(portal)/approvals/[id]/page.tsx

@@ -32,7 +32,7 @@ export default async function ApprovalDetailPage({ params }: Props) {
   });
   const hasSignature = !!(currentUser?.signatureKey);
 
-  const [po, vessels, leafAccounts, vendors, companies, deliveryLocations] = await Promise.all([
+  const [po, vessels, leafAccounts, vendors, companies, deliveryLocations, projectCodes] = await Promise.all([
     db.purchaseOrder.findUnique({
       where: { id },
       include: {
@@ -56,6 +56,7 @@ export default async function ApprovalDetailPage({ params }: Props) {
     db.vendor.findMany({ where: { isActive: true }, orderBy: { name: "asc" } }),
     db.company.findMany({ where: { isActive: true }, orderBy: { name: "asc" }, select: { id: true, name: true, code: true } }),
     db.deliveryLocation.findMany({ where: { isActive: true }, orderBy: { createdAt: "asc" }, include: { company: { select: { name: true } } } }),
+    db.projectCode.findMany({ where: { isActive: true }, orderBy: { code: "asc" }, select: { code: true } }),
   ]);
 
   if (!po) notFound();
@@ -63,6 +64,7 @@ export default async function ApprovalDetailPage({ params }: Props) {
 
   const accounts = buildAccountGroups(leafAccounts);
   const deliveryOptions = deliveryLocations.map((l) => formatDeliveryLocation(l.company.name, l.address));
+  const projectCodeOptions = projectCodes.map((c) => c.code);
   const termsCatalogue = await getTermsCatalogue();
   const savedTerms = parsePoTerms(po.terms);
   const initialTerms = savedTerms.length > 0 ? savedTerms : legacyPoTerms(po);
@@ -107,6 +109,7 @@ export default async function ApprovalDetailPage({ params }: Props) {
           vendors={vendors}
           companies={companies}
           deliveryOptions={deliveryOptions}
+          projectCodeOptions={projectCodeOptions}
           termsCatalogue={termsCatalogue}
           initialTerms={initialTerms}
         />

App/app/(portal)/history/history-filters.tsx

@@ -2,6 +2,8 @@
 
 import { useRouter, useSearchParams } from "next/navigation";
 import { useEffect, useRef, useState } from "react";
+import { SearchableSelect } from "@/components/ui/searchable-select";
+import type { AccountGroup } from "@/app/(portal)/po/new/new-po-form";
 
 const STATUSES = [
   { value: "DRAFT", label: "Draft" },
@@ -19,11 +21,12 @@ const STATUSES = [
 
 interface Props {
   vessels: { id: string; name: string }[];
+  accounts: AccountGroup[];
   perPageOptions: number[];
   defaultPerPage: number;
 }
 
-export function HistoryFilters({ vessels, perPageOptions, defaultPerPage }: Props) {
+export function HistoryFilters({ vessels, accounts, perPageOptions, defaultPerPage }: Props) {
   const router = useRouter();
   const sp = useSearchParams();
 
@@ -33,9 +36,8 @@ export function HistoryFilters({ vessels, perPageOptions, defaultPerPage }: Prop
 
   const [dateFrom, setDateFrom] = useState(sp.get("dateFrom") ?? "");
   const [dateTo, setDateTo] = useState(sp.get("dateTo") ?? "");
-  const [approvedFrom, setApprovedFrom] = useState(sp.get("approvedFrom") ?? "");
-  const [approvedTo, setApprovedTo] = useState(sp.get("approvedTo") ?? "");
   const [vesselId, setVesselId] = useState(sp.get("vesselId") ?? "");
+  const [accountId, setAccountId] = useState(sp.get("accountId") ?? "");
   const [statuses, setStatuses] = useState<string[]>(sp.getAll("status"));
   const [statusOpen, setStatusOpen] = useState(false);
   const statusRef = useRef<HTMLDivElement>(null);
@@ -61,9 +63,8 @@ export function HistoryFilters({ vessels, perPageOptions, defaultPerPage }: Prop
     const params = new URLSearchParams();
     if (dateFrom) params.set("dateFrom", dateFrom);
     if (dateTo) params.set("dateTo", dateTo);
-    if (approvedFrom) params.set("approvedFrom", approvedFrom);
-    if (approvedTo) params.set("approvedTo", approvedTo);
     if (vesselId) params.set("vesselId", vesselId);
+    if (accountId) params.set("accountId", accountId);
     for (const s of statuses) params.append("status", s);
     if (nextPerPage !== defaultPerPage) params.set("perPage", String(nextPerPage));
     return params;
@@ -78,14 +79,14 @@ export function HistoryFilters({ vessels, perPageOptions, defaultPerPage }: Prop
   }
 
   function clear() {
-    setDateFrom(""); setDateTo(""); setApprovedFrom(""); setApprovedTo(""); setVesselId(""); setStatuses([]);
+    setDateFrom(""); setDateTo(""); setVesselId(""); setAccountId(""); setStatuses([]);
     const params = new URLSearchParams();
     if (perPage !== defaultPerPage) params.set("perPage", String(perPage));
     const qs = params.toString();
     router.push(qs ? `/history?${qs}` : "/history");
   }
 
-  const hasFilters = dateFrom || dateTo || approvedFrom || approvedTo || vesselId || statuses.length > 0;
+  const hasFilters = dateFrom || dateTo || vesselId || accountId || statuses.length > 0;
 
   const statusLabel =
     statuses.length === 0
@@ -107,16 +108,6 @@ export function HistoryFilters({ vessels, perPageOptions, defaultPerPage }: Prop
           <input type="date" value={dateTo} onChange={(e) => setDateTo(e.target.value)}
             className="w-full rounded-lg border border-neutral-300 px-3 py-2 text-sm focus:border-primary-500 focus:outline-none focus:ring-2 focus:ring-primary-500/20" />
         </div>
-        <div>
-          <label className="block text-xs font-medium text-neutral-600 mb-1">Approved From</label>
-          <input type="date" value={approvedFrom} onChange={(e) => setApprovedFrom(e.target.value)}
-            className="w-full rounded-lg border border-neutral-300 px-3 py-2 text-sm focus:border-primary-500 focus:outline-none focus:ring-2 focus:ring-primary-500/20" />
-        </div>
-        <div>
-          <label className="block text-xs font-medium text-neutral-600 mb-1">Approved To</label>
-          <input type="date" value={approvedTo} onChange={(e) => setApprovedTo(e.target.value)}
-            className="w-full rounded-lg border border-neutral-300 px-3 py-2 text-sm focus:border-primary-500 focus:outline-none focus:ring-2 focus:ring-primary-500/20" />
-        </div>
         <div>
           <label className="block text-xs font-medium text-neutral-600 mb-1">Cost Centre</label>
           <select value={vesselId} onChange={(e) => setVesselId(e.target.value)}
@@ -125,6 +116,16 @@ export function HistoryFilters({ vessels, perPageOptions, defaultPerPage }: Prop
             {vessels.map((v) => <option key={v.id} value={v.id}>{v.name}</option>)}
           </select>
         </div>
+        <div>
+          <label className="block text-xs font-medium text-neutral-600 mb-1">Accounting Code</label>
+          <SearchableSelect
+            name="accountId"
+            value={accountId}
+            onChange={setAccountId}
+            groups={accounts}
+            placeholder="All accounting codes"
+          />
+        </div>
         <div className="relative" ref={statusRef}>
           <label className="block text-xs font-medium text-neutral-600 mb-1">Status</label>
           <button type="button" onClick={() => setStatusOpen((o) => !o)}

App/app/(portal)/history/page.tsx

@@ -6,10 +6,11 @@ import Link from "next/link";
 import { formatCurrency, formatDate } from "@/lib/utils";
 import { PoStatusBadge } from "@/components/po/po-status-badge";
 import { HistoryFilters } from "./history-filters";
+import { buildAccountGroups } from "@/lib/cost-centre-groups";
+import { buildPoHistoryWhere } from "@/lib/history-filter";
 import { resolvePagination } from "@/lib/pagination";
 import { Suspense } from "react";
 import type { Metadata } from "next";
-import type { POStatus } from "@prisma/client";
 
 export const metadata: Metadata = { title: "History" };
 
@@ -23,6 +24,7 @@ interface Props {
     approvedFrom?: string;
     approvedTo?: string;
     vesselId?: string;
+    accountId?: string;
     status?: string | string[];
     page?: string;
     perPage?: string;
@@ -42,33 +44,13 @@ export default async function HistoryPage({ searchParams }: Props) {
     redirect("/dashboard");
   }
 
-  const { dateFrom, dateTo, approvedFrom, approvedTo, vesselId, status, page: pageParam, perPage: perPageParam } =
+  const { dateFrom, dateTo, approvedFrom, approvedTo, vesselId, accountId, status, page: pageParam, perPage: perPageParam } =
     await searchParams;
 
-  const where: NonNullable<Parameters<typeof db.purchaseOrder.findMany>[0]>["where"] = {};
-  if (dateFrom || dateTo) {
-    const createdAt: { gte?: Date; lt?: Date } = {};
-    if (dateFrom) createdAt.gte = new Date(dateFrom);
-    if (dateTo) {
-      const end = new Date(dateTo);
-      end.setDate(end.getDate() + 1);
-      createdAt.lt = end;
-    }
-    where.createdAt = createdAt;
-  }
-  if (approvedFrom || approvedTo) {
-    const approvedAt: { gte?: Date; lt?: Date } = {};
-    if (approvedFrom) approvedAt.gte = new Date(approvedFrom);
-    if (approvedTo) {
-      const end = new Date(approvedTo);
-      end.setDate(end.getDate() + 1);
-      approvedAt.lt = end;
-    }
-    where.approvedAt = approvedAt;
-  }
-  if (vesselId) where.vesselId = vesselId;
   const statuses = (Array.isArray(status) ? status : status ? [status] : []).filter(Boolean);
-  if (statuses.length > 0) where.status = { in: statuses as POStatus[] };
+  const where = await buildPoHistoryWhere({
+    dateFrom, dateTo, approvedFrom, approvedTo, vesselId, accountId, statuses,
+  });
 
   const total = await db.purchaseOrder.count({ where });
   const { perPage, page, totalPages, skip, take } = resolvePagination({
@@ -79,7 +61,7 @@ export default async function HistoryPage({ searchParams }: Props) {
     defaultPerPage: DEFAULT_PER_PAGE,
   });
 
-  const [orders, vessels] = await Promise.all([
+  const [orders, vessels, leafAccounts] = await Promise.all([
     db.purchaseOrder.findMany({
       where,
       include: { submitter: true, vessel: true, account: true },
@@ -88,8 +70,15 @@ export default async function HistoryPage({ searchParams }: Props) {
       take,
     }),
     db.vessel.findMany({ orderBy: { name: "asc" }, select: { id: true, name: true } }),
+    db.account.findMany({
+      where: { isActive: true, children: { none: {} } },
+      orderBy: { code: "asc" },
+      select: { id: true, code: true, name: true, parent: { select: { name: true, code: true, parent: { select: { name: true, code: true } } } } },
+    }),
   ]);
 
+  const accounts = buildAccountGroups(leafAccounts);
+
   // Shared filter params for the pagination footer links (everything except `page`).
   const pageParams = new URLSearchParams();
   if (dateFrom) pageParams.set("dateFrom", dateFrom);
@@ -97,6 +86,7 @@ export default async function HistoryPage({ searchParams }: Props) {
   if (approvedFrom) pageParams.set("approvedFrom", approvedFrom);
   if (approvedTo) pageParams.set("approvedTo", approvedTo);
   if (vesselId) pageParams.set("vesselId", vesselId);
+  if (accountId) pageParams.set("accountId", accountId);
   for (const s of statuses) pageParams.append("status", s);
   pageParams.set("perPage", String(perPage));
 
@@ -115,6 +105,7 @@ export default async function HistoryPage({ searchParams }: Props) {
   if (approvedFrom) exportParams.set("approvedFrom", approvedFrom);
   if (approvedTo) exportParams.set("approvedTo", approvedTo);
   if (vesselId) exportParams.set("vesselId", vesselId);
+  if (accountId) exportParams.set("accountId", accountId);
   for (const s of statuses) exportParams.append("status", s);
 
   return (
@@ -140,7 +131,7 @@ export default async function HistoryPage({ searchParams }: Props) {
       </div>
 
       <Suspense>
-        <HistoryFilters vessels={vessels} perPageOptions={PER_PAGE_OPTIONS} defaultPerPage={DEFAULT_PER_PAGE} />
+        <HistoryFilters vessels={vessels} accounts={accounts} perPageOptions={PER_PAGE_OPTIONS} defaultPerPage={DEFAULT_PER_PAGE} />
       </Suspense>
 
       <div className="rounded-lg border border-neutral-200 bg-white overflow-hidden">
@@ -150,6 +141,7 @@ export default async function HistoryPage({ searchParams }: Props) {
               <th className="px-4 py-3 text-left font-medium text-neutral-600">PO Number</th>
               <th className="px-4 py-3 text-left font-medium text-neutral-600">Title</th>
               <th className="px-4 py-3 text-left font-medium text-neutral-600">Cost Centre</th>
+              <th className="px-4 py-3 text-left font-medium text-neutral-600">Accounting Code</th>
               <th className="px-4 py-3 text-left font-medium text-neutral-600">Submitter</th>
               <th className="px-4 py-3 text-left font-medium text-neutral-600">Status</th>
               <th className="px-4 py-3 text-right font-medium text-neutral-600">Amount</th>
@@ -169,6 +161,9 @@ export default async function HistoryPage({ searchParams }: Props) {
                 </td>
                 <td className="px-4 py-3 font-medium text-neutral-900 max-w-xs truncate">{po.title}</td>
                 <td className="px-4 py-3 text-neutral-600">{po.vessel.name}</td>
+                <td className="px-4 py-3 text-neutral-600">
+                  <span className="font-mono text-xs text-neutral-400">{po.account.code}</span> {po.account.name}
+                </td>
                 <td className="px-4 py-3 text-neutral-600">{po.submitter.name}</td>
                 <td className="px-4 py-3">
                   <PoStatusBadge status={po.status} />

App/app/(portal)/po/[id]/edit/edit-po-form.tsx

@@ -9,6 +9,7 @@ import { LineItemsEditor } from "@/components/po/po-line-items-editor";
 import { SearchableSelect } from "@/components/ui/searchable-select";
 import { VendorSelect } from "@/components/ui/vendor-select";
 import { DeliveryLocationField } from "@/components/po/delivery-location-field";
+import { ProjectCodeField } from "@/components/po/project-code-field";
 import { PoTermsEditor } from "@/components/po/po-terms-editor";
 import { UnsavedChangesGuard } from "@/components/po/unsaved-changes-guard";
 import type { CatalogueCategory, PoTerm } from "@/lib/terms";
@@ -45,12 +46,13 @@ interface Props {
   vendors: Vendor[];
   companies: CompanyOption[];
   deliveryOptions: string[];
+  projectCodeOptions: string[];
   termsCatalogue: CatalogueCategory[];
   initialTerms: PoTerm[];
   managerNoteAuthor?: string | null;
 }
 
-export function EditPoForm({ po, vessels, accounts, vendors, companies, deliveryOptions, termsCatalogue, initialTerms, managerNoteAuthor }: Props) {
+export function EditPoForm({ po, vessels, accounts, vendors, companies, deliveryOptions, projectCodeOptions, termsCatalogue, initialTerms, managerNoteAuthor }: Props) {
   const router = useRouter();
   const [lineItems, setLineItems] = useState<LineItemInput[]>(
     po.lineItems.map((li) => ({
@@ -197,7 +199,7 @@ export function EditPoForm({ po, vessels, accounts, vendors, companies, delivery
           </div>
           <div>
             <label className="block text-sm font-medium text-neutral-700 mb-1.5">Project Code</label>
-            <input name="projectCode" defaultValue={po.projectCode ?? ""} className={INPUT_CLS} placeholder="Optional" />
+            <ProjectCodeField options={projectCodeOptions} current={po.projectCode} className={INPUT_CLS} />
           </div>
           <div>
             <label className="block text-sm font-medium text-neutral-700 mb-1.5">Delivery Date Required</label>

App/app/(portal)/po/[id]/edit/page.tsx

@@ -32,7 +32,7 @@ export default async function EditPoPage({ params }: Props) {
   const canEdit = po.submitterId === session.user.id || session.user.role === "SUPERUSER";
   if (!canEdit) redirect(`/po/${id}`);
 
-  const [vessels, leafAccounts, vendors, companies, deliveryLocations, noteAction] = await Promise.all([
+  const [vessels, leafAccounts, vendors, companies, deliveryLocations, projectCodes, noteAction] = await Promise.all([
     db.vessel.findMany({ where: { isActive: true }, orderBy: { name: "asc" }, select: { id: true, name: true, code: true } }),
     db.account.findMany({
       where: { isActive: true, children: { none: {} } },
@@ -42,6 +42,7 @@ export default async function EditPoPage({ params }: Props) {
     db.vendor.findMany({ where: { isActive: true }, orderBy: { name: "asc" } }),
     db.company.findMany({ where: { isActive: true }, orderBy: { name: "asc" }, select: { id: true, name: true, code: true } }),
     db.deliveryLocation.findMany({ where: { isActive: true }, orderBy: { createdAt: "asc" }, include: { company: { select: { name: true } } } }),
+    db.projectCode.findMany({ where: { isActive: true }, orderBy: { code: "asc" }, select: { code: true } }),
     po.status === "EDITS_REQUESTED"
       ? db.pOAction.findFirst({
           where: { poId: po.id, actionType: "EDITS_REQUESTED", note: { not: null } },
@@ -53,6 +54,7 @@ export default async function EditPoPage({ params }: Props) {
 
   const accounts = buildAccountGroups(leafAccounts);
   const deliveryOptions = deliveryLocations.map((l) => formatDeliveryLocation(l.company.name, l.address));
+  const projectCodeOptions = projectCodes.map((c) => c.code);
   const termsCatalogue = await getTermsCatalogue();
   const savedTerms = parsePoTerms(po.terms);
   const initialTerms = savedTerms.length > 0 ? savedTerms : legacyPoTerms(po);
@@ -82,6 +84,7 @@ export default async function EditPoPage({ params }: Props) {
         vendors={vendors}
         companies={companies}
         deliveryOptions={deliveryOptions}
+        projectCodeOptions={projectCodeOptions}
         termsCatalogue={termsCatalogue}
         initialTerms={initialTerms}
         managerNoteAuthor={noteAction?.actor.name ?? null}

App/app/(portal)/po/[id]/email-actions.ts

@@ -2,7 +2,7 @@
 
 import { auth } from "@/auth";
 import { db } from "@/lib/db";
-import { buildStorageKey, uploadBuffer, generateDownloadUrl } from "@/lib/storage";
+import { buildPoPdfKey, uploadBuffer, generateDownloadUrl, statObject } from "@/lib/storage";
 import { renderPoPdf, isPdfServiceConfigured, PdfServiceError } from "@/lib/pdf-service";
 
 type Result = { ok: true; mailto: string; to: string } | { error: string };
@@ -47,13 +47,20 @@ export async function prepareVendorEmail(poId: string): Promise<Result> {
     return { error: "PDF emailing is not configured on this environment." };
   }
 
-  // Render → store → presigned link.
+  // Render → store → presigned link. The PDF is cached at a deterministic
+  // per-PO key: if a copy already exists and is at least as new as the PO's last
+  // change, reuse it and only mint a fresh presigned URL (refreshing the 7-day
+  // timer). Re-render only when there's no copy yet or the PO changed since.
   let link: string;
   try {
-    const pdf = await renderPoPdf(poId);
     const slug = po.poNumber.replace(/\//g, "-");
-    const key = buildStorageKey("po-pdf", poId, `${slug}.pdf`);
-    await uploadBuffer(key, pdf, "application/pdf");
+    const key = buildPoPdfKey(poId, `${slug}.pdf`);
+    const cached = await statObject(key);
+    const isFresh = cached !== null && cached.lastModified >= po.updatedAt;
+    if (!isFresh) {
+      const pdf = await renderPoPdf(poId);
+      await uploadBuffer(key, pdf, "application/pdf");
+    }
     link = await generateDownloadUrl(key, LINK_TTL_SECONDS);
   } catch (e) {
     if (e instanceof PdfServiceError) return { error: `Could not generate the PO PDF: ${e.message}` };

App/app/(portal)/po/new/new-po-form.tsx

@@ -9,6 +9,7 @@ import { FileUploader } from "@/components/po/file-uploader";
 import { SearchableSelect } from "@/components/ui/searchable-select";
 import { VendorSelect } from "@/components/ui/vendor-select";
 import { DeliveryLocationField } from "@/components/po/delivery-location-field";
+import { ProjectCodeField } from "@/components/po/project-code-field";
 import { PoTermsEditor } from "@/components/po/po-terms-editor";
 import { UnsavedChangesGuard } from "@/components/po/unsaved-changes-guard";
 import type { CatalogueCategory, PoTerm } from "@/lib/terms";
@@ -30,6 +31,7 @@ interface Props {
   vendors: Vendor[];
   companies: CompanyOption[];
   deliveryOptions: string[];
+  projectCodeOptions: string[];
   termsCatalogue: CatalogueCategory[];
   defaultTerms: PoTerm[];
   initialLineItems?: LineItemInput[];
@@ -38,7 +40,7 @@ interface Props {
   initialCompanyId?: string;
 }
 
-export function NewPoForm({ vessels, accounts, vendors, companies, deliveryOptions, termsCatalogue, defaultTerms, initialLineItems, initialVendorId, initialVesselId, initialCompanyId }: Props) {
+export function NewPoForm({ vessels, accounts, vendors, companies, deliveryOptions, projectCodeOptions, termsCatalogue, defaultTerms, initialLineItems, initialVendorId, initialVesselId, initialCompanyId }: Props) {
   const router = useRouter();
   const [lineItems, setLineItems] = useState<LineItemInput[]>(
     initialLineItems && initialLineItems.length > 0 ? initialLineItems : [EMPTY_LINE]
@@ -161,7 +163,12 @@ export function NewPoForm({ vessels, accounts, vendors, companies, deliveryOptio
           </div>
           <div>
             <label className="block text-sm font-medium text-neutral-700 mb-1.5">Project Code</label>
-            <input name="projectCode" className={INPUT_CLS} placeholder="Optional" />
+            <ProjectCodeField options={projectCodeOptions} className={INPUT_CLS} />
+            {projectCodeOptions.length === 0 && (
+              <p className="mt-1.5 text-xs text-neutral-500">
+                No project codes configured yet — a Manager can add them under Administration → Project Codes.
+              </p>
+            )}
           </div>
           <div>
             <label className="block text-sm font-medium text-neutral-700 mb-1.5">Delivery Date Required</label>

App/app/(portal)/po/new/page.tsx

@@ -48,7 +48,7 @@ export default async function NewPoPage({ searchParams }: Props) {
     }
   }
 
-  const [vessels, leafAccounts, vendors, companies, deliveryLocations] = await Promise.all([
+  const [vessels, leafAccounts, vendors, companies, deliveryLocations, projectCodes] = await Promise.all([
     db.vessel.findMany({ where: { isActive: true }, orderBy: { name: "asc" }, select: { id: true, name: true, code: true } }),
     db.account.findMany({
       where: { isActive: true, children: { none: {} } },
@@ -58,10 +58,12 @@ export default async function NewPoPage({ searchParams }: Props) {
     db.vendor.findMany({ where: { isActive: true }, orderBy: { name: "asc" } }),
     db.company.findMany({ where: { isActive: true }, orderBy: { name: "asc" }, select: { id: true, name: true, code: true } }),
     db.deliveryLocation.findMany({ where: { isActive: true }, orderBy: { createdAt: "asc" }, include: { company: { select: { name: true } } } }),
+    db.projectCode.findMany({ where: { isActive: true }, orderBy: { code: "asc" }, select: { code: true } }),
   ]);
 
   const accounts = buildAccountGroups(leafAccounts);
   const deliveryOptions = deliveryLocations.map((l) => formatDeliveryLocation(l.company.name, l.address));
+  const projectCodeOptions = projectCodes.map((c) => c.code);
   const [termsCatalogue, defaultTerms] = await Promise.all([getTermsCatalogue(), getDefaultPoTerms()]);
 
   return (
@@ -78,6 +80,7 @@ export default async function NewPoPage({ searchParams }: Props) {
         vendors={vendors}
         companies={companies}
         deliveryOptions={deliveryOptions}
+        projectCodeOptions={projectCodeOptions}
         termsCatalogue={termsCatalogue}
         defaultTerms={defaultTerms}
         initialLineItems={initialLineItems}

App/app/(portal)/reports/accounting-codes/[id]/page.tsx

@@ -11,6 +11,7 @@ import {
   accountNodeWeekly,
   costCentresForAccount,
   childBreakdown,
+  periodRange,
   parseGranularity,
   resolveFy,
   resolveMonth,
@@ -89,6 +90,10 @@ export default async function AccountingCodeDetail({
     return `${base}?${p.toString()}`;
   };
   const exportHref = `/api/reports/spend?dim=accounting-code-detail&id=${id}&fy=${fy}&gran=${gran}&break=${breakMode}`;
+  // Drill into the POs behind this spend: PO History filtered to this accounting
+  // code (expanded to its leaves) over the period in view (dated by approvedAt).
+  const { from, to } = periodRange(gran, fy, month, ds.fys);
+  const poListHref = `/history?accountId=${id}&approvedFrom=${from}&approvedTo=${to}`;
 
   const path = idx.pathTo(id);
   const trail = [
@@ -111,12 +116,17 @@ export default async function AccountingCodeDetail({
         exportHref={exportHref}
       />
 
-      <Link
-        href={node.parentId ? `/reports/accounting-codes?fy=${fy}&gran=${gran}&parent=${node.parentId}` : `/reports/accounting-codes?fy=${fy}&gran=${gran}`}
-        className="mb-4 inline-flex items-center gap-1.5 text-sm font-medium text-primary-600 hover:text-primary-700"
-      >
-        ← Back to Accounting Codes
-      </Link>
+      <div className="mb-4 flex items-center justify-between gap-3">
+        <Link
+          href={node.parentId ? `/reports/accounting-codes?fy=${fy}&gran=${gran}&parent=${node.parentId}` : `/reports/accounting-codes?fy=${fy}&gran=${gran}`}
+          className="inline-flex items-center gap-1.5 text-sm font-medium text-primary-600 hover:text-primary-700"
+        >
+          ← Back to Accounting Codes
+        </Link>
+        <Link href={poListHref} className="inline-flex items-center gap-1.5 rounded-lg border border-neutral-300 bg-white px-3 py-2 text-sm font-medium text-neutral-700 hover:bg-neutral-50 transition-colors">
+          View POs · {periodLabel} →
+        </Link>
+      </div>
 
       <ReportTitle
         title={`${node.code} · ${node.name}`}

App/app/(portal)/reports/cost-centres/[id]/page.tsx

@@ -10,6 +10,7 @@ import {
   costCentreRows,
   costCentreWeekly,
   topAccountsForCostCentre,
+  periodRange,
   parseGranularity,
   resolveFy,
   resolveMonth,
@@ -80,6 +81,10 @@ export default async function CostCentreDetail({
     return `${base}?${p.toString()}`;
   };
   const exportHref = `/api/reports/spend?dim=cost-centre-detail&id=${id}&fy=${fy}&gran=${gran}&tier=${tier}`;
+  // Drill into the POs behind this spend: PO History filtered to this cost centre
+  // over the period currently in view (spend is dated by approvedAt).
+  const { from, to } = periodRange(gran, fy, month, ds.fys);
+  const poListHref = `/history?vesselId=${id}&approvedFrom=${from}&approvedTo=${to}`;
 
   return (
     <div>
@@ -93,9 +98,14 @@ export default async function CostCentreDetail({
         exportHref={exportHref}
       />
 
-      <Link href={`/reports/cost-centres?fy=${fy}&gran=${gran}`} className="mb-4 inline-flex items-center gap-1.5 text-sm font-medium text-primary-600 hover:text-primary-700">
-        ← Back to Cost Centres
-      </Link>
+      <div className="mb-4 flex items-center justify-between gap-3">
+        <Link href={`/reports/cost-centres?fy=${fy}&gran=${gran}`} className="inline-flex items-center gap-1.5 text-sm font-medium text-primary-600 hover:text-primary-700">
+          ← Back to Cost Centres
+        </Link>
+        <Link href={poListHref} className="inline-flex items-center gap-1.5 rounded-lg border border-neutral-300 bg-white px-3 py-2 text-sm font-medium text-neutral-700 hover:bg-neutral-50 transition-colors">
+          View POs · {periodLabel} →
+        </Link>
+      </div>
 
       <ReportTitle title={row.name} subtitle={`Approved spend · ${periodLabel}`} />
 

App/app/api/reports/export/route.ts

@@ -1,8 +1,8 @@
 import { auth } from "@/auth";
 import { db } from "@/lib/db";
 import { hasPermission, submitterCanViewAll } from "@/lib/permissions";
+import { buildPoHistoryWhere } from "@/lib/history-filter";
 import { NextRequest, NextResponse } from "next/server";
-import type { POStatus } from "@prisma/client";
 
 const PO_STATUS_LABELS: Record<string, string> = {
   DRAFT: "Draft", SUBMITTED: "Submitted", MGR_REVIEW: "Pending Approval",
@@ -25,36 +25,16 @@ export async function GET(request: NextRequest) {
 
   const sp = request.nextUrl.searchParams;
   const format = sp.get("format") ?? "csv";
-  const dateFrom = sp.get("dateFrom");
-  const dateTo = sp.get("dateTo");
-  const approvedFrom = sp.get("approvedFrom");
-  const approvedTo = sp.get("approvedTo");
-  const vesselId = sp.get("vesselId");
-  const statuses = sp.getAll("status").filter(Boolean);
 
-  const where: NonNullable<Parameters<typeof db.purchaseOrder.findMany>[0]>["where"] = {};
-  if (dateFrom || dateTo) {
-    const createdAt: { gte?: Date; lt?: Date } = {};
-    if (dateFrom) createdAt.gte = new Date(dateFrom);
-    if (dateTo) {
-      const end = new Date(dateTo);
-      end.setDate(end.getDate() + 1);
-      createdAt.lt = end;
-    }
-    where.createdAt = createdAt;
-  }
-  if (approvedFrom || approvedTo) {
-    const approvedAt: { gte?: Date; lt?: Date } = {};
-    if (approvedFrom) approvedAt.gte = new Date(approvedFrom);
-    if (approvedTo) {
-      const end = new Date(approvedTo);
-      end.setDate(end.getDate() + 1);
-      approvedAt.lt = end;
-    }
-    where.approvedAt = approvedAt;
-  }
-  if (vesselId) where.vesselId = vesselId;
-  if (statuses.length > 0) where.status = { in: statuses as POStatus[] };
+  const where = await buildPoHistoryWhere({
+    dateFrom: sp.get("dateFrom"),
+    dateTo: sp.get("dateTo"),
+    approvedFrom: sp.get("approvedFrom"),
+    approvedTo: sp.get("approvedTo"),
+    vesselId: sp.get("vesselId"),
+    accountId: sp.get("accountId"),
+    statuses: sp.getAll("status"),
+  });
 
   const orders = await db.purchaseOrder.findMany({
     where,

App/components/layout/sidebar.tsx

@@ -35,6 +35,7 @@ import {
   Gauge,
   BadgeCheck,
   Truck,
+  FolderKanban,
   ScrollText,
   ChevronRight,
 } from "lucide-react";
@@ -123,6 +124,7 @@ const MANAGER_ADMIN_ITEMS: NavItem[] = [
   { href: "/admin/vendors",            label: "Vendors",            icon: Store,   roles: ["MANAGER", "ACCOUNTS", "ADMIN"] },
   { href: "/admin/products",           label: "Items",              icon: Package, roles: ["MANAGER", "ADMIN"] },
   { href: "/admin/delivery-locations", label: "Delivery Locations", icon: Truck,      roles: ["MANAGER", "SUPERUSER", "ADMIN"] },
+  { href: "/admin/project-codes",      label: "Project Codes",      icon: FolderKanban, roles: ["MANAGER", "SUPERUSER", "ADMIN"] },
   { href: "/admin/terms",              label: "Terms & Conditions", icon: ScrollText, roles: ["MANAGER", "SUPERUSER", "ADMIN"] },
   // Crewing reference data — gated by the crewing flag; held by manage_ranks (MGR/ADMIN).
   ...(CREWING_ENABLED

App/components/po/project-code-field.tsx

@@ -0,0 +1,35 @@
+/**
+ * Project Code dropdown (issue #124) — a native <select name="projectCode">
+ * sourced from the admin-managed project codes, plus an empty "— none —" option
+ * (the field stays optional). Plain HTML so it works with the forms' native
+ * FormData submission (no client state needed), matching DeliveryLocationField.
+ *
+ * `options` are the active project-code strings (also the stored value).
+ * `current` is the PO's existing project code; if it isn't one of the active
+ * options (legacy / imported / a since-removed code) it is preserved as a
+ * leading "(current)" option so an edit never silently drops it.
+ */
+export function ProjectCodeField({
+  options,
+  current,
+  className,
+}: {
+  options: string[];
+  current?: string | null;
+  className?: string;
+}) {
+  const cur = (current ?? "").trim();
+  const currentMissing = cur.length > 0 && !options.includes(cur);
+
+  return (
+    <select name="projectCode" defaultValue={cur} className={className}>
+      <option value="">— none —</option>
+      {currentMissing && <option value={cur}>{cur} (current)</option>}
+      {options.map((code) => (
+        <option key={code} value={code}>
+          {code}
+        </option>
+      ))}
+    </select>
+  );
+}

App/lib/history-filter.ts

@@ -0,0 +1,68 @@
+/**
+ * Shared `where` builder for the PO History list (`/history` page) and its
+ * CSV/PDF export route, so the two never drift. Filters: created-date range,
+ * approved-date range, cost centre (vessel), status, and — for report
+ * drill-downs (issue #124 review) — an accounting code.
+ *
+ * The `accountId` filter accepts any account-tree node (Heading / Sub-heading /
+ * Leaf); it expands to the leaf codes underneath via `accountLeafIds` and
+ * matches a PO whose **PO-level account** or **any line item account** is in
+ * that leaf set — the same attribution basis the spend reports use.
+ */
+import { db } from "@/lib/db";
+import { accountLeafIds } from "@/lib/reports";
+import type { POStatus } from "@prisma/client";
+
+type PoWhere = NonNullable<Parameters<typeof db.purchaseOrder.findMany>[0]>["where"];
+
+export interface HistoryFilterParams {
+  dateFrom?: string | null;
+  dateTo?: string | null;
+  approvedFrom?: string | null;
+  approvedTo?: string | null;
+  vesselId?: string | null;
+  accountId?: string | null;
+  statuses?: string[];
+}
+
+export async function buildPoHistoryWhere(p: HistoryFilterParams): Promise<PoWhere> {
+  const where: NonNullable<PoWhere> = {};
+
+  if (p.dateFrom || p.dateTo) {
+    const createdAt: { gte?: Date; lt?: Date } = {};
+    if (p.dateFrom) createdAt.gte = new Date(p.dateFrom);
+    if (p.dateTo) {
+      const end = new Date(p.dateTo);
+      end.setDate(end.getDate() + 1);
+      createdAt.lt = end;
+    }
+    where.createdAt = createdAt;
+  }
+
+  if (p.approvedFrom || p.approvedTo) {
+    const approvedAt: { gte?: Date; lt?: Date } = {};
+    if (p.approvedFrom) approvedAt.gte = new Date(p.approvedFrom);
+    if (p.approvedTo) {
+      const end = new Date(p.approvedTo);
+      end.setDate(end.getDate() + 1);
+      approvedAt.lt = end;
+    }
+    where.approvedAt = approvedAt;
+  }
+
+  if (p.vesselId) where.vesselId = p.vesselId;
+
+  const statuses = (p.statuses ?? []).filter(Boolean);
+  if (statuses.length > 0) where.status = { in: statuses as POStatus[] };
+
+  if (p.accountId) {
+    const accounts = await db.account.findMany({ select: { id: true, parentId: true } });
+    const leaves = accountLeafIds(accounts, p.accountId);
+    where.OR = [
+      { accountId: { in: leaves } },
+      { lineItems: { some: { accountId: { in: leaves } } } },
+    ];
+  }
+
+  return where;
+}

App/lib/pdf-export-auth.ts

@@ -0,0 +1,24 @@
+// Service-token auth for the PO export route, shared by the auth middleware and
+// (conceptually) the export route handler.
+//
+// PdfService ("Email PO to vendor", issue #14) fetches `/api/po/<id>/export`
+// WITHOUT a user session, authenticating with a `svc` query param that must equal
+// PDF_SERVICE_TOKEN. The route handler validates that token, but the auth
+// middleware runs first and would otherwise redirect the unauthenticated request
+// to /login — so the middleware uses this to let exactly that one route through
+// when the token matches.
+//
+// Kept dependency-free so it's safe to import into the Edge middleware and easy to
+// unit-test. `token` is `process.env.PDF_SERVICE_TOKEN` (undefined when the PDF
+// service isn't configured → always denied).
+const EXPORT_PATH = /^\/api\/po\/[^/]+\/export\/?$/;
+
+export function isPdfExportServiceRequest(
+  pathname: string,
+  svc: string | null | undefined,
+  token: string | undefined
+): boolean {
+  if (!token || !svc) return false;
+  if (svc !== token) return false;
+  return EXPORT_PATH.test(pathname);
+}

App/lib/permissions.ts

@@ -23,6 +23,7 @@ export type Permission =
   | "manage_products"
   | "manage_sites"
   | "manage_delivery_locations"
+  | "manage_project_codes"
   | "manage_terms"
   // ── Crewing (feature-flagged) — mirrors Crewing-Implementation-Spec §6 ──────
   | "raise_requisition"
@@ -84,6 +85,7 @@ const PO_ROLE_PERMISSIONS: Record<Role, Permission[]> = {
     "manage_products",
     "manage_sites",
     "manage_delivery_locations",
+    "manage_project_codes",
     "manage_terms",
     "confirm_receipt",
     "process_payment"
@@ -105,6 +107,7 @@ const PO_ROLE_PERMISSIONS: Record<Role, Permission[]> = {
     "export_reports",
     "create_vendor",
     "manage_delivery_locations",
+    "manage_project_codes",
     "manage_terms",
   ],
   AUDITOR: ["view_own_pos", "view_all_pos", "view_analytics", "export_reports"],
@@ -120,6 +123,7 @@ const PO_ROLE_PERMISSIONS: Record<Role, Permission[]> = {
     "manage_products",
     "manage_sites",
     "manage_delivery_locations",
+    "manage_project_codes",
     "manage_terms",
   ],
   SITE_STAFF: [],

App/lib/reports.ts

@@ -350,3 +350,65 @@ export function parseSel(v: string | undefined): string[] {
 export function toggleSel(sel: string[], id: string): string[] {
   return sel.includes(id) ? sel.filter((x) => x !== id) : [...sel, id];
 }
+
+// ── Report → PO drill-down ─────────────────────────────────────────────────
+
+/**
+ * Leaf account ids under `accountId` (the node itself when it is already a
+ * leaf), from the raw `{ id, parentId }` account rows. A report drill-down can
+ * target any tier, but a PO / line item only ever carries a leaf code — so this
+ * translates a drilled node into the concrete leaf set PO History filters by.
+ * Returns `[]` for an unknown id.
+ */
+export function accountLeafIds(
+  accounts: { id: string; parentId: string | null }[],
+  accountId: string,
+): string[] {
+  const ids = new Set(accounts.map((a) => a.id));
+  if (!ids.has(accountId)) return [];
+  const kids = new Map<string, string[]>();
+  for (const a of accounts) {
+    if (a.parentId === null) continue;
+    if (!kids.has(a.parentId)) kids.set(a.parentId, []);
+    kids.get(a.parentId)!.push(a.id);
+  }
+  const out: string[] = [];
+  const walk = (id: string) => {
+    const cs = kids.get(id) ?? [];
+    if (cs.length === 0) out.push(id);
+    else cs.forEach(walk);
+  };
+  walk(accountId);
+  return out;
+}
+
+/**
+ * The approved-date window (`from`..`to`, inclusive `YYYY-MM-DD`) a report
+ * detail view currently shows, so drilling into the underlying POs carries
+ * "that period" onto PO History's `approvedFrom`/`approvedTo` (spend is dated by
+ * `approvedAt`). Mirrors the on-screen period label:
+ *  - weekly  → the focused FY month
+ *  - monthly → the whole selected FY (Apr–Mar)
+ *  - yearly  → the full span of FYs in the dataset
+ */
+export function periodRange(
+  gran: Granularity,
+  fy: number,
+  month: number,
+  fys: number[],
+): { from: string; to: string } {
+  const iso = (y: number, m: number, d: number) =>
+    `${y}-${String(m).padStart(2, "0")}-${String(d).padStart(2, "0")}`;
+  if (gran === "yearly") {
+    const first = fys[0] ?? fy;
+    const last = fys[fys.length - 1] ?? fy;
+    return { from: iso(first, 4, 1), to: iso(last + 1, 3, 31) };
+  }
+  if (gran === "weekly") {
+    const cal = (month + 3) % 12; // FY-month index (Apr=0) → calendar month 0–11
+    const year = fy + (month >= 9 ? 1 : 0); // Jan–Mar roll into the next calendar year
+    const lastDay = new Date(year, cal + 1, 0).getDate();
+    return { from: iso(year, cal + 1, 1), to: iso(year, cal + 1, lastDay) };
+  }
+  return { from: iso(fy, 4, 1), to: iso(fy + 1, 3, 31) };
+}

App/lib/storage.ts

@@ -59,6 +59,16 @@ export function buildSignatureKey(userId: string, ext: string): string {
   return `signatures/${userId}.${ext}`;
 }
 
+/**
+ * Deterministic key for a PO's rendered PDF (one object per PO, no timestamp) so
+ * "Email to vendor" can reuse a previously rendered copy instead of re-rendering
+ * and re-uploading on every send (see `prepareVendorEmail`).
+ */
+export function buildPoPdfKey(poId: string, fileName: string): string {
+  const safe = fileName.replace(/[^a-zA-Z0-9._-]/g, "_");
+  return `po-pdf/${poId}/${safe}`;
+}
+
 /**
  * Storage key for a company branding asset (logo or stamp/seal).
  * Deterministic per company+type so a re-upload overwrites the previous file.
@@ -106,6 +116,36 @@ export async function uploadBuffer(
   }
 }
 
+/**
+ * Lightweight existence/metadata check for a stored object (no body transfer).
+ * Returns `{ lastModified }` when the object exists, or `null` when it doesn't.
+ * Used to reuse a cached PO PDF when it's still current.
+ */
+export async function statObject(key: string): Promise<{ lastModified: Date } | null> {
+  try {
+    if (isDev) {
+      const fs = await import("fs/promises");
+      const path = await import("path");
+      const filePath = path.join(process.cwd(), ".dev-uploads", ...key.split("/"));
+      const s = await fs.stat(filePath);
+      return { lastModified: s.mtime };
+    }
+    const { S3Client, HeadObjectCommand } = await import("@aws-sdk/client-s3");
+    const s3 = new S3Client({
+      region: "auto",
+      endpoint: `https://${process.env.R2_ACCOUNT_ID}.r2.cloudflarestorage.com`,
+      credentials: {
+        accessKeyId: process.env.R2_ACCESS_KEY_ID!,
+        secretAccessKey: process.env.R2_SECRET_ACCESS_KEY!,
+      },
+    });
+    const r = await s3.send(new HeadObjectCommand({ Bucket: process.env.R2_BUCKET_NAME!, Key: key }));
+    return { lastModified: r.LastModified ?? new Date(0) };
+  } catch {
+    return null; // missing object (404/NotFound) or any access error → treat as absent
+  }
+}
+
 /**
  * Fetch a stored file as a Buffer (server-side).
  */

App/middleware.ts

@@ -1,11 +1,20 @@
 import { auth } from "@/auth";
 import { NextResponse } from "next/server";
+import { isPdfExportServiceRequest } from "@/lib/pdf-export-auth";
 
 export default auth((req) => {
   const isAuthenticated = !!req.auth;
   const pathname = req.nextUrl.pathname;
   const isLoginPage = pathname === "/login";
 
+  // PdfService fetches the PO export page unauthenticated, using a `svc` token
+  // that matches PDF_SERVICE_TOKEN (the route handler re-validates it). Let that
+  // one route through so the service token isn't bounced to /login by the gate
+  // below. Everything else stays auth-protected.
+  if (isPdfExportServiceRequest(pathname, req.nextUrl.searchParams.get("svc"), process.env.PDF_SERVICE_TOKEN)) {
+    return NextResponse.next();
+  }
+
   if (!isAuthenticated && !isLoginPage) {
     const loginUrl = new URL("/login", req.url);
     loginUrl.searchParams.set("callbackUrl", pathname);

App/prisma/migrations/20260626120000_project_codes/migration.sql

@@ -0,0 +1,22 @@
+-- CreateTable
+CREATE TABLE "ProjectCode" (
+    "id" TEXT NOT NULL,
+    "code" TEXT NOT NULL,
+    "isActive" BOOLEAN NOT NULL DEFAULT true,
+    "createdAt" TIMESTAMP(3) NOT NULL DEFAULT CURRENT_TIMESTAMP,
+    "updatedAt" TIMESTAMP(3) NOT NULL,
+
+    CONSTRAINT "ProjectCode_pkey" PRIMARY KEY ("id")
+);
+
+-- CreateIndex
+CREATE UNIQUE INDEX "ProjectCode_code_key" ON "ProjectCode"("code");
+
+-- Seed the previously-hardcoded project codes so the dropdown stays populated
+-- after this feature replaces the static list (issue #124).
+INSERT INTO "ProjectCode" ("id", "code", "updatedAt") VALUES
+  ('pcseed_petronet', 'Petronet LNG Cochin', CURRENT_TIMESTAMP),
+  ('pcseed_comacoe_trombay', 'COMACOE Trombay', CURRENT_TIMESTAMP),
+  ('pcseed_haldia_reach', 'Haldia Reach', CURRENT_TIMESTAMP),
+  ('pcseed_haldia_mmt', 'Haldia MMT', CURRENT_TIMESTAMP),
+  ('pcseed_comacoe_mandvi', 'COMACOE Mandvi', CURRENT_TIMESTAMP);

App/prisma/schema.prisma

@@ -410,6 +410,19 @@ model DeliveryLocation {
   @@index([companyId])
 }
 
+// Admin-managed project codes (issue #124). An admin-curated list of project
+// codes that backs the PO "Project Code" dropdown (previously a hardcoded list).
+// The PO stores the chosen text snapshot in PurchaseOrder.projectCode (nullable,
+// point-in-time document), so editing/removing a code never rewrites historical
+// POs. Managed by manage_project_codes.
+model ProjectCode {
+  id        String   @id @default(cuid())
+  code      String   @unique
+  isActive  Boolean  @default(true)
+  createdAt DateTime @default(now())
+  updatedAt DateTime @updatedAt
+}
+
 // Admin-managed Terms & Conditions catalogue (issue #11). Categories are
 // user-defined data (not a fixed set) — admins add new ones — and every PO T&C
 // line is a catalogued clause, including the standard "fixed" lines (seeded under

App/tests/integration/email-vendor.test.ts

@@ -17,13 +17,15 @@ vi.mock("@/lib/storage", async (importOriginal) => {
     ...actual,
     uploadBuffer: vi.fn(async () => {}),
     generateDownloadUrl: vi.fn(async () => "https://files.example/po.pdf?sig=abc"),
+    statObject: vi.fn(async () => null), // default: no cached object → render
   };
 });
 
 import { auth } from "@/auth";
 import { db } from "@/lib/db";
 import { prepareVendorEmail } from "@/app/(portal)/po/[id]/email-actions";
-import { isPdfServiceConfigured } from "@/lib/pdf-service";
+import { isPdfServiceConfigured, renderPoPdf } from "@/lib/pdf-service";
+import { statObject, uploadBuffer, generateDownloadUrl } from "@/lib/storage";
 import { makeSession, getSeedUser, getSeedVessel, getSeedAccount } from "./helpers";
 
 const PREFIX = "INTTEST_EMAILVENDOR_";
@@ -98,6 +100,34 @@ describe("prepareVendorEmail", () => {
     expect(decodeURIComponent(result.mailto)).toContain("https://files.example/po.pdf?sig=abc");
   });
 
+  it("reuses the cached PDF on a second send and only refreshes the link (7-day timer)", async () => {
+    as(techId, "TECHNICAL");
+    const poId = await makePo("MGR_APPROVED", vendorWithEmailId);
+
+    // 1st send: no cached object → render + upload once.
+    vi.mocked(statObject).mockResolvedValueOnce(null);
+    expect("ok" in (await prepareVendorEmail(poId))).toBe(true);
+    expect(vi.mocked(renderPoPdf)).toHaveBeenCalledTimes(1);
+    expect(vi.mocked(uploadBuffer)).toHaveBeenCalledTimes(1);
+
+    // 2nd send: a cached object newer than the PO → reuse, no re-render, fresh link.
+    vi.mocked(statObject).mockResolvedValueOnce({ lastModified: new Date(Date.now() + 60_000) });
+    expect("ok" in (await prepareVendorEmail(poId))).toBe(true);
+    expect(vi.mocked(renderPoPdf)).toHaveBeenCalledTimes(1); // unchanged — reused
+    expect(vi.mocked(uploadBuffer)).toHaveBeenCalledTimes(1); // unchanged — reused
+    expect(vi.mocked(generateDownloadUrl)).toHaveBeenCalledTimes(2); // re-presigned each send
+  });
+
+  it("re-renders when the PO changed since the cached copy", async () => {
+    as(techId, "TECHNICAL");
+    const poId = await makePo("MGR_APPROVED", vendorWithEmailId);
+    // Cached object older than the PO's updatedAt → stale → re-render.
+    vi.mocked(statObject).mockResolvedValueOnce({ lastModified: new Date(0) });
+    expect("ok" in (await prepareVendorEmail(poId))).toBe(true);
+    expect(vi.mocked(renderPoPdf)).toHaveBeenCalledTimes(1);
+    expect(vi.mocked(uploadBuffer)).toHaveBeenCalledTimes(1);
+  });
+
   it("is available once payment is recorded too (PARTIALLY_PAID)", async () => {
     as(techId, "TECHNICAL");
     const poId = await makePo("PARTIALLY_PAID", vendorWithEmailId);

App/tests/integration/history-account-filter.test.ts

@@ -0,0 +1,128 @@
+/**
+ * Integration test for the PO History accounting-code filter (PR #126 review).
+ *
+ * Report drill-downs link from a cost-centre / accounting-code detail page into
+ * `/history` with the code (and period) applied as filters. `buildPoHistoryWhere`
+ * powers both the History page and its export route. The accounting-code filter
+ * accepts any tree node and must match a PO whose **PO-level account** OR **any
+ * line item account** falls under that node's leaves — the same attribution
+ * basis the spend reports use.
+ */
+import { describe, it, expect, beforeAll, afterAll } from "vitest";
+
+import { db } from "@/lib/db";
+import { buildPoHistoryWhere } from "@/lib/history-filter";
+import { deletePosByTitle } from "./helpers";
+
+const PREFIX = "INTTEST_HIST_ACCT_";
+const CODE = `INTTEST_${Date.now()}_`;
+
+let submitterId: string;
+let vesselId: string;
+let topId: string; // heading
+let leafAId: string;
+let leafBId: string;
+let leafXId: string; // unrelated leaf
+
+const approvedAt = new Date("2025-06-15T12:00:00Z"); // FY 2025–26
+
+async function makePo(opts: {
+  title: string;
+  accountId: string;
+  lineAccountId?: string | null;
+}) {
+  return db.purchaseOrder.create({
+    data: {
+      poNumber: `${PREFIX}${opts.title}`,
+      title: `${PREFIX}${opts.title}`,
+      status: "CLOSED",
+      totalAmount: 1000,
+      approvedAt,
+      submitterId,
+      vesselId,
+      accountId: opts.accountId,
+      lineItems: {
+        create: [
+          {
+            name: "Item",
+            quantity: 1,
+            unit: "pc",
+            unitPrice: 1000,
+            totalPrice: 1000,
+            accountId: opts.lineAccountId ?? null,
+          },
+        ],
+      },
+    },
+  });
+}
+
+beforeAll(async () => {
+  const [user, vessel] = await Promise.all([
+    db.user.findFirstOrThrow({ where: { role: "MANAGER" } }),
+    db.vessel.findFirstOrThrow(),
+  ]);
+  submitterId = user.id;
+  vesselId = vessel.id;
+
+  // Brand-new account subtree (T → S → A, B) + an unrelated leaf X, so no
+  // pre-existing prod PO references them and counts isolate to our fixtures.
+  const top = await db.account.create({ data: { code: `${CODE}T`, name: "IntTest Top" } });
+  const sub = await db.account.create({ data: { code: `${CODE}S`, name: "IntTest Sub", parentId: top.id } });
+  const a = await db.account.create({ data: { code: `${CODE}A`, name: "IntTest Leaf A", parentId: sub.id } });
+  const b = await db.account.create({ data: { code: `${CODE}B`, name: "IntTest Leaf B", parentId: sub.id } });
+  const x = await db.account.create({ data: { code: `${CODE}X`, name: "IntTest Leaf X" } });
+  topId = top.id;
+  leafAId = a.id;
+  leafBId = b.id;
+  leafXId = x.id;
+
+  await makePo({ title: "po1_levelA", accountId: leafAId }); // PO-level A
+  await makePo({ title: "po2_levelX_lineB", accountId: leafXId, lineAccountId: leafBId }); // line item B
+  await makePo({ title: "po3_levelX", accountId: leafXId }); // X only
+});
+
+afterAll(async () => {
+  await deletePosByTitle(PREFIX);
+  await db.account.deleteMany({ where: { code: { startsWith: CODE } } });
+});
+
+async function countMine(accountId: string) {
+  const where = await buildPoHistoryWhere({ accountId });
+  return db.purchaseOrder.count({ where: { ...where, title: { startsWith: PREFIX } } });
+}
+
+describe("PO History accounting-code filter", () => {
+  it("a heading expands to its leaves and matches PO-level or line-item accounts", async () => {
+    // T → {A, B}: po1 (PO-level A) and po2 (line item B); not po3 (X only).
+    expect(await countMine(topId)).toBe(2);
+  });
+
+  it("a leaf matches only POs carrying that exact code (PO-level)", async () => {
+    expect(await countMine(leafAId)).toBe(1); // po1
+  });
+
+  it("matches a PO via a line-item account even when the PO-level account differs", async () => {
+    expect(await countMine(leafBId)).toBe(1); // po2 (PO-level X, line item B)
+  });
+
+  it("the unrelated leaf matches its own POs", async () => {
+    expect(await countMine(leafXId)).toBe(2); // po2 + po3 (both PO-level X)
+  });
+
+  it("combines with the approved-date window", async () => {
+    const inWindow = await buildPoHistoryWhere({
+      accountId: topId,
+      approvedFrom: "2025-04-01",
+      approvedTo: "2026-03-31",
+    });
+    expect(await db.purchaseOrder.count({ where: { ...inWindow, title: { startsWith: PREFIX } } })).toBe(2);
+
+    const outOfWindow = await buildPoHistoryWhere({
+      accountId: topId,
+      approvedFrom: "2024-04-01",
+      approvedTo: "2025-03-31",
+    });
+    expect(await db.purchaseOrder.count({ where: { ...outOfWindow, title: { startsWith: PREFIX } } })).toBe(0);
+  });
+});

App/tests/integration/project-codes.test.ts

@@ -0,0 +1,81 @@
+/**
+ * Integration tests for the Project Codes admin CRUD (issue #124).
+ * Covers create/update/toggle/delete + the manage_project_codes guard.
+ */
+import { vi, describe, it, expect, afterAll } from "vitest";
+
+vi.mock("@/auth", () => ({ auth: vi.fn() }));
+vi.mock("next/cache", () => ({ revalidatePath: vi.fn() }));
+
+import { auth } from "@/auth";
+import { db } from "@/lib/db";
+import {
+  createProjectCode,
+  updateProjectCode,
+  toggleProjectCodeActive,
+  deleteProjectCode,
+} from "@/app/(portal)/admin/project-codes/actions";
+import { makeSession, fd } from "./helpers";
+
+const mockedAuth = vi.mocked(auth);
+const PREFIX = "INTTEST_PROJCODE_";
+
+const asManager = () => mockedAuth.mockResolvedValue(makeSession("u-mgr", "MANAGER") as never);
+
+afterAll(async () => {
+  await db.projectCode.deleteMany({ where: { code: { startsWith: PREFIX } } });
+});
+
+describe("createProjectCode", () => {
+  it("persists an active project code", async () => {
+    asManager();
+    const result = await createProjectCode(fd({ code: `${PREFIX}Alpha` }));
+    expect(result).toEqual({ ok: true });
+
+    const code = await db.projectCode.findFirstOrThrow({ where: { code: `${PREFIX}Alpha` } });
+    expect(code.isActive).toBe(true);
+  });
+
+  it("requires a non-empty code", async () => {
+    asManager();
+    expect("error" in (await createProjectCode(fd({ code: "  " })))).toBe(true);
+  });
+
+  it("rejects a duplicate code", async () => {
+    asManager();
+    await createProjectCode(fd({ code: `${PREFIX}Dup` }));
+    const result = await createProjectCode(fd({ code: `${PREFIX}Dup` }));
+    expect("error" in result).toBe(true);
+  });
+
+  it("refuses callers without manage_project_codes", async () => {
+    mockedAuth.mockResolvedValue(makeSession("u-tech", "TECHNICAL") as never);
+    expect(await createProjectCode(fd({ code: `${PREFIX}X` }))).toEqual({ error: "Forbidden" });
+    mockedAuth.mockResolvedValue(makeSession("u-acc", "ACCOUNTS") as never);
+    expect(await createProjectCode(fd({ code: `${PREFIX}X` }))).toEqual({ error: "Forbidden" });
+  });
+});
+
+describe("updateProjectCode / toggle / delete", () => {
+  it("edits, toggles active, then deletes a project code", async () => {
+    asManager();
+    await createProjectCode(fd({ code: `${PREFIX}Old` }));
+    const code = await db.projectCode.findFirstOrThrow({ where: { code: `${PREFIX}Old` } });
+
+    expect(await updateProjectCode(code.id, fd({ code: `${PREFIX}New` }))).toEqual({ ok: true });
+    expect((await db.projectCode.findUniqueOrThrow({ where: { id: code.id } })).code).toBe(`${PREFIX}New`);
+
+    expect(await toggleProjectCodeActive(code.id)).toEqual({ ok: true });
+    expect((await db.projectCode.findUniqueOrThrow({ where: { id: code.id } })).isActive).toBe(false);
+
+    expect(await deleteProjectCode(code.id)).toEqual({ ok: true });
+    expect(await db.projectCode.findUnique({ where: { id: code.id } })).toBeNull();
+  });
+
+  it("guards update/toggle/delete behind the permission", async () => {
+    mockedAuth.mockResolvedValue(makeSession("u-tech", "TECHNICAL") as never);
+    expect(await updateProjectCode("x", fd({ code: "y" }))).toEqual({ error: "Forbidden" });
+    expect(await toggleProjectCodeActive("x")).toEqual({ error: "Forbidden" });
+    expect(await deleteProjectCode("x")).toEqual({ error: "Forbidden" });
+  });
+});

App/tests/staging/issue-121-history-accounting-code.spec.ts

@@ -0,0 +1,26 @@
+import { test, expect } from "@playwright/test";
+import { USERS, login } from "./helpers";
+
+/**
+ * Issue #121 — PO History gains an Accounting Code filter. The control is the
+ * shared type-to-search combobox; picking a code and applying narrows the list
+ * via an `accountId` query param (mirrored by the CSV/PDF export links).
+ */
+test("#121 history can be filtered by accounting code", async ({ page }) => {
+  await login(page, USERS.MANAGER);
+  await page.goto("/history");
+
+  // The Accounting Code control is present (its trigger shows the empty label).
+  const trigger = page.getByRole("button", { name: "All accounting codes" });
+  await expect(trigger).toBeVisible();
+
+  // Open it and pick the first accounting code from the searchable list.
+  await trigger.click();
+  await expect(page.getByPlaceholder("Type code or name…")).toBeVisible();
+  await page.locator(".max-h-72 button").first().click();
+
+  await page.getByRole("button", { name: "Apply" }).click();
+
+  // Applying the filter drives an accountId query param.
+  await expect(page).toHaveURL(/accountId=/);
+});

App/tests/unit/history-filters.test.tsx

@@ -0,0 +1,36 @@
+import { describe, it, expect, vi } from "vitest";
+import { render, screen } from "@testing-library/react";
+
+// HistoryFilters reads the URL via next/navigation; mock both hooks it uses.
+vi.mock("next/navigation", () => ({
+  useRouter: () => ({ push: vi.fn(), refresh: vi.fn() }),
+  useSearchParams: () => new URLSearchParams(""),
+}));
+
+import { HistoryFilters } from "@/app/(portal)/history/history-filters";
+
+const props = {
+  vessels: [{ id: "v1", name: "Vessel One" }],
+  accounts: [],
+  perPageOptions: [25, 50, 100],
+  defaultPerPage: 25,
+};
+
+describe("HistoryFilters", () => {
+  // Regression guard for issue #136: the "Approved From" / "Approved To" date
+  // filters were removed from PO History. They must not reappear.
+  it("does not render the Approved From / Approved To filters", () => {
+    render(<HistoryFilters {...props} />);
+    expect(screen.queryByText("Approved From")).toBeNull();
+    expect(screen.queryByText("Approved To")).toBeNull();
+  });
+
+  it("still renders the remaining filters (created-date range, cost centre, accounting code, status)", () => {
+    render(<HistoryFilters {...props} />);
+    expect(screen.getByText("From")).toBeInTheDocument();
+    expect(screen.getByText("To")).toBeInTheDocument();
+    expect(screen.getByText("Cost Centre")).toBeInTheDocument();
+    expect(screen.getByText("Accounting Code")).toBeInTheDocument();
+    expect(screen.getByText("Status")).toBeInTheDocument();
+  });
+});

App/tests/unit/pdf-export-auth.test.ts

@@ -0,0 +1,26 @@
+import { describe, it, expect } from "vitest";
+import { isPdfExportServiceRequest } from "@/lib/pdf-export-auth";
+
+const TOKEN = "a".repeat(64);
+
+describe("isPdfExportServiceRequest", () => {
+  it("allows the export route when the svc token matches", () => {
+    expect(isPdfExportServiceRequest("/api/po/cmqrug123/export", TOKEN, TOKEN)).toBe(true);
+    expect(isPdfExportServiceRequest("/api/po/cmqrug123/export/", TOKEN, TOKEN)).toBe(true); // trailing slash
+  });
+
+  it("denies when the token is missing, empty, or wrong", () => {
+    expect(isPdfExportServiceRequest("/api/po/x/export", TOKEN, undefined)).toBe(false); // service not configured
+    expect(isPdfExportServiceRequest("/api/po/x/export", null, TOKEN)).toBe(false); // no svc on request
+    expect(isPdfExportServiceRequest("/api/po/x/export", "", TOKEN)).toBe(false);
+    expect(isPdfExportServiceRequest("/api/po/x/export", "wrong", TOKEN)).toBe(false);
+  });
+
+  it("only matches the PO export route, not other paths", () => {
+    expect(isPdfExportServiceRequest("/api/po/x/export/extra", TOKEN, TOKEN)).toBe(false);
+    expect(isPdfExportServiceRequest("/api/po/x", TOKEN, TOKEN)).toBe(false);
+    expect(isPdfExportServiceRequest("/dashboard", TOKEN, TOKEN)).toBe(false);
+    expect(isPdfExportServiceRequest("/api/reports/spend", TOKEN, TOKEN)).toBe(false);
+    expect(isPdfExportServiceRequest("/api/po//export", TOKEN, TOKEN)).toBe(false); // empty id
+  });
+});

App/tests/unit/project-code-field.test.tsx

@@ -0,0 +1,55 @@
+import { describe, it, expect } from "vitest";
+import { render, screen } from "@testing-library/react";
+import { ProjectCodeField } from "@/components/po/project-code-field";
+
+const OPTIONS = ["Petronet LNG Cochin", "Haldia Reach", "COMACOE Mandvi"];
+
+function options(container: HTMLElement) {
+  return Array.from(container.querySelectorAll("option")).map((o) => ({
+    value: o.getAttribute("value"),
+    text: o.textContent,
+  }));
+}
+
+describe("ProjectCodeField", () => {
+  it("renders a select named projectCode with an empty option + every supplied code", () => {
+    const { container } = render(<ProjectCodeField options={OPTIONS} />);
+    const select = container.querySelector("select");
+    expect(select?.getAttribute("name")).toBe("projectCode");
+
+    const opts = options(container);
+    // empty "none" option first, then exactly the supplied codes
+    expect(opts[0].value).toBe("");
+    expect(opts.slice(1).map((o) => o.value)).toEqual(OPTIONS);
+  });
+
+  it("selects a current value that is one of the options (no duplicate option)", () => {
+    const { container } = render(<ProjectCodeField options={OPTIONS} current="Haldia Reach" />);
+    const select = container.querySelector("select") as HTMLSelectElement;
+    expect(select.value).toBe("Haldia Reach");
+    // only the options + empty option — no extra "(current)" entry
+    expect(container.querySelectorAll("option")).toHaveLength(OPTIONS.length + 1);
+  });
+
+  it("preserves a legacy current value not in the list as a leading (current) option", () => {
+    const { container } = render(<ProjectCodeField options={OPTIONS} current="Legacy Project X" />);
+    const select = container.querySelector("select") as HTMLSelectElement;
+    expect(select.value).toBe("Legacy Project X");
+    expect(screen.getByText("Legacy Project X (current)")).toBeInTheDocument();
+    // empty + (current) + options
+    expect(container.querySelectorAll("option")).toHaveLength(OPTIONS.length + 2);
+  });
+
+  it("defaults to the empty option when no current value is given", () => {
+    const { container } = render(<ProjectCodeField options={OPTIONS} current={null} />);
+    const select = container.querySelector("select") as HTMLSelectElement;
+    expect(select.value).toBe("");
+  });
+
+  it("renders just the empty option when no codes are configured", () => {
+    const { container } = render(<ProjectCodeField options={[]} />);
+    const opts = options(container);
+    expect(opts).toHaveLength(1);
+    expect(opts[0].value).toBe("");
+  });
+});

App/tests/unit/reports.test.ts

@@ -21,6 +21,8 @@ import {
   parseSel,
   toggleSel,
   allocatePoSpend,
+  accountLeafIds,
+  periodRange,
   type ReportDataset,
   type AccountNode,
 } from "@/lib/reports";
@@ -49,6 +51,49 @@ const DS: ReportDataset = {
   ],
 };
 
+describe("accountLeafIds (report → PO drill-down)", () => {
+  const RAW = ACCOUNTS.map((a) => ({ id: a.id, parentId: a.parentId }));
+
+  it("expands a heading to every leaf underneath it", () => {
+    expect(accountLeafIds(RAW, "H").sort()).toEqual(["L1", "L2"]);
+    expect(accountLeafIds(RAW, "S").sort()).toEqual(["L1", "L2"]);
+  });
+  it("returns a leaf node as itself", () => {
+    expect(accountLeafIds(RAW, "L1")).toEqual(["L1"]);
+  });
+  it("returns [] for an unknown id", () => {
+    expect(accountLeafIds(RAW, "nope")).toEqual([]);
+  });
+});
+
+describe("periodRange (report → PO History approved window)", () => {
+  it("monthly → the whole selected FY (Apr–Mar)", () => {
+    expect(periodRange("monthly", 2025, 0, [2024, 2025])).toEqual({
+      from: "2025-04-01",
+      to: "2026-03-31",
+    });
+  });
+  it("yearly → the full span of FYs in the dataset", () => {
+    expect(periodRange("yearly", 2025, 0, [2024, 2025])).toEqual({
+      from: "2024-04-01",
+      to: "2026-03-31",
+    });
+  });
+  it("weekly → the focused FY month (Apr=0)", () => {
+    expect(periodRange("weekly", 2025, 0, [2025])).toEqual({
+      from: "2025-04-01",
+      to: "2025-04-30",
+    });
+  });
+  it("weekly → a Jan–Mar month rolls into the next calendar year", () => {
+    // FY-month index 9 = Jan, which belongs to calendar year fy+1.
+    expect(periodRange("weekly", 2025, 9, [2025])).toEqual({
+      from: "2026-01-01",
+      to: "2026-01-31",
+    });
+  });
+});
+
 describe("financial-year helpers", () => {
   it("maps Apr–Mar to the Indian FY start year", () => {
     expect(fyStartYear(new Date(2025, 3, 1))).toBe(2025); // Apr

CHANGELOG.md

@@ -4,6 +4,15 @@
 
 ### Added
 
+- **Reports — Purchasing spend analytics** (`view_analytics`: Manager / SuperUser / Auditor / Admin) — `/reports/cost-centres` and `/reports/accounting-codes`, each an index → drill-down → detail. KPI tiles, comparison + trend charts (one colour per item), Top-N tables, per-row sparklines, and CSV export; URL-driven filters (granularity Weekly / Monthly / Yearly, financial year, Top/Bottom-N, an "Add to graph" custom comparison). Spend = post-approval POs by `approvedAt`/`totalAmount`, allocated across each PO's line-item accounting codes. Pure, unit-tested core in `lib/reports.ts`.
+- **Report → PO drill-down** (#126) — the Cost Centre and Accounting Code report detail pages gain a **"View POs"** link that opens **PO History** pre-filtered to that cost centre / accounting code and the period currently in view (mapped to the approved-date window, since spend is dated by `approvedAt`). PO History gains an **Accounting Code** filter that accepts any tree node and matches a PO whose PO-level account **or** any line-item account falls under that node's leaves. The History page and its CSV/PDF export share one `buildPoHistoryWhere` builder so they never diverge.
+- **Email PO to vendor** (issue #14) — one-click Outlook draft to the vendor's primary contact with a **7-day download link** to the PO PDF. Rendered by the new **PdfService** microservice (Express + Playwright → headless Chromium) and stored in R2; the PDF is **cached per PO**, so repeat sends reuse the copy and only refresh the link.
+- **Microservices** — `EpfoService` (UAN / EPFO assisted-lookup proxy; live portal nav stubbed behind `EPFO_LIVE`) and `PdfService` (PO → PDF) join `GstService`. All three are **auto-deployed on each release tag** via the root `ecosystem.config.js` + `deploy.yml` (`pm2 startOrReload … --update-env`).
+- **Unsaved-changes prompt** (issue #18) — leaving the PO create/edit screen with unsaved edits offers **Save as draft / Discard / Stay** (in-app navigation) or the browser's native warning (refresh / close).
+- **Crew login on hire** (crewing, feature-flagged) — onboarding, direct placement, and admin crew-create accept an explicit **login email + initial password** for management ranks (`Rank.grantsLogin`), creating the `SITE_STAFF` login in one step.
+- **Delivery Locations** (issue #19) — admin-managed `Company`+address list backing the PO "Place of Delivery" dropdown, gated by `manage_delivery_locations` (Manager / SuperUser / Admin).
+- **Terms & Conditions catalogue** (issue #11) — admin-managed, user-defined T&C categories + clauses feeding a dynamic PO terms editor; the chosen rows are a JSON snapshot on `PurchaseOrder.terms`.
+- **Advance payment on approval** (issue #92) — the approving Manager sets how much is paid first; the resolved absolute amount is stored on `PurchaseOrder.suggestedAdvancePayment` and prefills the first Accounts payment.
 - **Companies (multi-company invoicing)** — new `Company` model and `/admin/companies` CRUD. A PO is billed under a selected company (name, short `code`, GST number, address, phone/mobile, contact + invoice email, invoice address). The company's details populate the exported PO header / invoice block.
 - **Structured PO numbers** (`lib/po-number.ts`) — `COMPANY/VESSEL/ID/FY` (e.g. `PMS/HNR1/9000/2024-25`); Indian financial year; system-generated IDs start at 9000. Imported POs keep their original number.
 - **3-level accounting-code hierarchy** — `Account.parentId` self-relation (Top Category → Sub-Category → Leaf), 6-digit numeric codes seeded from `prisma/accounting-codes-data.ts`. Only leaf codes are PO-selectable, via a searchable, portal-rendered combobox.
@@ -29,4 +38,6 @@
 
 ### Fixed
 
+- **"Email to vendor" never rendered a real PDF** (issue #14) — the auth middleware redirected PdfService's unauthenticated `svc`-token export fetch to `/login` before the route's token check ran, so the bypass never executed. `/api/po/<id>/export` is now allowed through when its `svc` token matches `PDF_SERVICE_TOKEN` (`lib/pdf-export-auth.ts`); everything else stays auth-gated.
+- **Reports comparison charts all rendered one colour** — `SERIES_COLORS` lived in a `"use client"` module and was imported by the server-component report pages, where a plain value becomes a client-reference proxy (so `SERIES_COLORS[i]` was `undefined` and recharts fell back to its default stroke). Moved the palette to a dependency-free shared module (`lib/report-colors.ts`).
 - Production `P2022 … column does not exist` after deploy — caused by shipping code whose Prisma client expected a column before `migrate deploy` had run. Migrations must be applied before the new build serves traffic (now documented in the README).

PdfService/README.md

@@ -0,0 +1,54 @@
+# PdfService
+
+Renders a PPMS purchase order to a real **PDF** for the **"Email PO to vendor"**
+feature — a standalone **Express + Playwright** microservice, mirroring
+`GstService` / `EpfoService`.
+
+The app's `/api/po/:id/export?format=pdf&pdf=1` produces a print-styled HTML page;
+PdfService loads that URL in **headless Chromium** and prints it to an A4 PDF. The
+export URL carries a short-lived **`svc` token** so the export route serves the
+page without a user session (the app's auth middleware allows that one route
+through when the token matches — see `App/lib/pdf-export-auth.ts`).
+
+## Endpoints
+
+| Method | Path | Body / Headers | Returns |
+|---|---|---|---|
+| GET  | `/health` | — | `{ status, browser }` |
+| POST | `/pdf` | `{ url }` + header `x-pdf-token` | `application/pdf` (else `401` / `400` / `403` / `502`) |
+
+## Security
+
+- **Token** — when `PDF_SERVICE_TOKEN` is set, `/pdf` requires a matching
+  `x-pdf-token` header (the app and PdfService share the secret).
+- **Origin allow-list (anti-SSRF)** — when `ALLOWED_ORIGIN` is set, PdfService
+  only navigates to URLs whose origin matches it.
+- Both unset (dev) → checks are skipped.
+
+## Env
+
+```
+PORT=3005
+PDF_SERVICE_TOKEN=     # shared secret with the app (app side: PDF_SERVICE_TOKEN)
+ALLOWED_ORIGIN=        # e.g. http://localhost:3000 (optional)
+```
+
+## Run
+
+```
+npm install
+npm run dev                  # tsx watch src/index.ts
+npm run build && npm start   # node dist/index.js
+```
+
+## App integration
+
+`App/lib/pdf-service.ts` (`renderPoPdf`) POSTs `{ url }` to `/pdf`. The app gates
+the feature on `PDF_SERVICE_URL` + `PDF_SERVICE_TOKEN` (`isPdfServiceConfigured()`),
+uploads the returned PDF to R2 at a **per-PO key** (reused across sends), and
+returns a `mailto:` with a 7-day presigned link. `APP_INTERNAL_URL` is the base URL
+PdfService reaches the app at (falls back to `NEXTAUTH_URL`).
+
+On **pms1** the service is auto-deployed on each release tag via the root
+`ecosystem.config.js` (pm2 `pdf-service`, port 3005) — see
+[Deployment and Operations](https://git.pelagiamarine.com/shad0w/pelagia-portal/wiki/Deployment-and-Operations#microservices).

automation/README.md

@@ -60,6 +60,11 @@ requires an interactive ESLint migration (a follow-up). Integration tests are
 type-checked here but executed against the `pelagia_test` DB by the autofix / locally
 (not in this shared CI, to avoid prod-mirror schema drift).
 
+The **issue watcher pre-applies gate 1 (test-presence) locally** before opening a PR:
+if Claude's fix changes code under `App/app|lib|components|hooks` but adds no test, the
+watcher does **not** open a PR — it marks the issue `claude-failed` and comments — so it
+never raises a PR that this CI would immediately reject. Re-queue (`claude-queue`) to retry.
+
 A [`PULL_REQUEST_TEMPLATE.md`](../.forgejo/PULL_REQUEST_TEMPLATE.md) carries the checklist.
 
 ## Components
@@ -221,6 +226,11 @@ before a release tag deploys them to prod.
 - A fixed banner **"INTERNAL DEV / STAGING - NOT PRODUCTION"** is shown (driven by
   `NEXT_PUBLIC_ENV_LABEL` in the staging `.env`; the `EnvBanner` component renders nothing
   when the var is unset, so production is unaffected).
+- **Feature flags on staging:** `staging-up.sh` enables
+  `NEXT_PUBLIC_SUBMITTER_VIEW_ALL_ENABLED=true`, so submitters (TECHNICAL/MANNING) can
+  read every PO and open the History page here (read-only) for testing ahead of a prod
+  rollout. The line is appended idempotently, so already-provisioned staging `.env`s pick
+  it up on the next refresh.
 - Log in with a password user (SSO is off here), e.g. `admin@pelagiamarine.com`.
 
 ## Issue label lifecycle

automation/claude-issue-watcher.sh

@@ -339,6 +339,22 @@ while [ "$f" -lt "$n_fix" ]; do
 
     commits=$(git -C "$WORKDIR" rev-list "origin/$BASE_BRANCH..HEAD" --count)
     if [ "$commits" -gt 0 ]; then
+        # Test-presence gate -- mirror .forgejo/workflows/pr-checks.yml so the watcher
+        # never opens a PR the CI will immediately reject. "Code" = app source under
+        # App/(app|lib|components|hooks); tests, prisma, config, docs are exempt.
+        changed=$(git -C "$WORKDIR" diff --name-only "origin/$BASE_BRANCH...HEAD")
+        code_changed=$(printf '%s\n' "$changed" | grep -E '^App/(app|lib|components|hooks)/' | grep -vE '(\.test\.|\.spec\.|/tests/)' || true)
+        test_changed=$(printf '%s\n' "$changed" | grep -E '(\.test\.|\.spec\.|/tests/)' || true)
+        if [ -n "$code_changed" ] && [ -z "$test_changed" ]; then
+            log "Test-presence gate FAILED for #$num: code changed with no test; not opening a PR"
+            set_labels "$num" "claude-working" "claude-failed"
+            add_comment "$num" "$BOT_MARKER
+[Claude] Implemented a change but added **no test**, so no PR was opened. The contribution policy (\`pr-checks.yml\`) requires a test for any change under \`App/app|lib|components|hooks\`, and would reject this. Re-add \`claude-queue\` to retry, or pick it up interactively.
+
+Code files that needed an accompanying test:
+$code_changed"
+            continue
+        fi
         log "Claude made $commits commit(s); pushing $branch"
         if ! git -C "$WORKDIR" push -f -u origin "$branch" -q 2>>"$LOG_FILE"; then
             log "push failed for #$num"; set_labels "$num" "claude-working" "claude-failed"; continue

automation/staging-up.sh

@@ -42,12 +42,20 @@ AZURE_AD_CLIENT_SECRET="dev-placeholder"
 AZURE_AD_TENANT_ID="dev-placeholder"
 DATABASE_URL="$TEST_URL"
 GST_SERVICE_URL="http://localhost:3003"
+NEXT_PUBLIC_SUBMITTER_VIEW_ALL_ENABLED=true
 NEXT_PUBLIC_ENV_LABEL="INTERNAL DEV / STAGING - NOT PRODUCTION"
 PORT=$PORT
 EOF
     chmod 600 "$DIR/App/.env"
 fi
 
+# Ensure feature flags are present on already-provisioned staging envs too (the
+# .env above is written only once, so a flag added later won't appear without
+# this). Let submitters (TECHNICAL/MANNING) read all POs + open History on staging.
+if ! grep -qE '^NEXT_PUBLIC_SUBMITTER_VIEW_ALL_ENABLED=' "$DIR/App/.env"; then
+    printf 'NEXT_PUBLIC_SUBMITTER_VIEW_ALL_ENABLED=true\n' >> "$DIR/App/.env"
+fi
+
 # pm2-run wrapper so the dev server always gets nvm on PATH and the right port.
 # Bind to 127.0.0.1 only -- staging is reachable solely via SSH tunnel
 # (ssh -L 3200:localhost:3200 ...), never directly from the public internet.