Merge pull request 'dev-deploy: production mirror + full observability behind the /_gm gate' (#88 ) from feature/dev-prod-mirror into development

docs: observability stack + the single /_gm gate for Grafana/Mailpit
- ARCHITECTURE §17: the dev (production-mirror) collection stack (Prometheus / Loki / Tempo / promtail / node-exporter / cAdvisor) and the single /_gm Basic Auth gate fronting Grafana and the Mailpit UI. - tools/dev-deploy/monitoring/README.md (new): services, what is collected, Grafana-behind-the-gate access, config delivery, tuning. - tools/dev-deploy/README.md: an Observability section; the Mailpit UI under /_gm/mailpit/; Networking diagram and Files list updated. - FUNCTIONAL §10.2.1 (+ ru mirror): the operator console nav links to Grafana and Mailpit under the same /_gm gate, one sign-in for all.
2026-06-01 04:56:45 +00:00 · 2026-06-01 06:37:24 +02:00 · 2026-06-01 06:30:15 +02:00 · 2026-06-01 06:11:25 +02:00 · 2026-06-01 05:46:19 +02:00 · 2026-05-31 23:39:06 +02:00
411 changed files with 102997 additions and 18216 deletions
@@ -148,14 +148,102 @@ jobs:
            -v "${{ gitea.workspace }}/pkg/geoip/test-data/test-data:/src:ro" \
            alpine sh -c 'cp /src/GeoIP2-Country-Test.mmdb /dst/geoip.mmdb'
      - name: Seed mailpit relay config
        env:
          GALAXY_DEV_MAIL_RELAY_USERNAME: ${{ secrets.GALAXY_DEV_MAIL_RELAY_USERNAME }}
          GALAXY_DEV_MAIL_RELAY_PASSWORD: ${{ secrets.GALAXY_DEV_MAIL_RELAY_PASSWORD }}
        run: |
          # Render the Mailpit relay upstream config from the template,
          # substituting the Gmail App Password from a Gitea secret, then
          # seed it into a named volume (same rationale as the geoip seed:
          # a workspace bind-mount would vanish with the runner workspace).
          # The secret never lands in git or a committed file; it is
          # rendered to a tmpfile outside the repo and removed after. Gmail
          # App Passwords are [a-z]{16}, so the `|` sed delimiter is safe.
          # When the secret is unset the creds render empty and the compose
          # default relay-match is non-routable, so the stack only captures.
          rendered="$(mktemp)"
          sed -e "s|\${GALAXY_DEV_MAIL_RELAY_USERNAME}|${GALAXY_DEV_MAIL_RELAY_USERNAME}|g" \
              -e "s|\${GALAXY_DEV_MAIL_RELAY_PASSWORD}|${GALAXY_DEV_MAIL_RELAY_PASSWORD}|g" \
              "${{ gitea.workspace }}/tools/dev-deploy/mailpit/relay.conf.tmpl" > "$rendered"
          docker volume create galaxy-dev-mailpit-config >/dev/null
          docker run --rm \
            -v galaxy-dev-mailpit-config:/dst \
            -v "$rendered:/src/relay.conf:ro" \
            alpine sh -c 'cp /src/relay.conf /dst/relay.conf && chmod 600 /dst/relay.conf'
          rm -f "$rendered"
      - name: Recycle engine containers on image drift
        run: |
          # Compare the freshly-built `galaxy-engine:dev` SHA against
          # every running `galaxy-game-*` container. The backend
          # reconciler adopts pre-existing labelled engine containers
          # without checking image drift, so a running game would
          # otherwise keep serving the previous engine code until the
          # container is recycled by hand. This step makes the recycle
          # automatic but only when it is actually needed:
          #
          #   * BuildKit cache hit on the `Build galaxy-engine image`
          #     step → `galaxy-engine:dev` keeps its previous SHA →
          #     no drift → no-op (no engine source change to deploy).
          #   * engine source change → fresh SHA → for each drifted
          #     container we stop the backend, remove the container,
          #     wipe its bind-mounted state directory (Engine.Init()
          #     writes turn-0 over any pre-existing `turn-N` files —
          #     silent state corruption otherwise), and cascade-delete
          #     the lobby `games` row (the FKs in `00001_init.sql`
          #     drop the matching `runtime_records`, `memberships`,
          #     `player_mappings`, etc. in the same write).
          #
          # Backend is stopped first to keep the reconciler from
          # racing the recycle (mid-stream adoption / restart). The
          # subsequent `Bring up the stack` step restarts it.
          set -u
          new_sha=$(docker image inspect galaxy-engine:dev --format '{{.Id}}')
          echo "fresh galaxy-engine:dev = $new_sha"
          drift=()
          for c in $(docker ps --filter "name=galaxy-game-" --format '{{.Names}}'); do
            cur=$(docker inspect "$c" --format '{{.Image}}')
            if [ "$cur" != "$new_sha" ]; then
              drift+=("${c#galaxy-game-}")
              echo "  drift: $c was on $cur"
            else
              echo "  match: $c"
            fi
          done
          if [ ${#drift[@]} -eq 0 ]; then
            echo "no drift detected — recycle skipped"
          else
            docker stop -t 30 galaxy-dev-backend >/dev/null 2>&1 || true
            state_root="$HOME/.galaxy-dev/game-state"
            for gid in "${drift[@]}"; do
              echo "recycling $gid"
              docker rm -f "galaxy-game-$gid" >/dev/null 2>&1 || true
              # Wipe the per-game state dir as root inside a throwaway
              # container so we can remove files left behind by the
              # engine container even when its uid differs from the
              # runner's.
              docker run --rm -v "$state_root:/state" alpine \
                sh -c "rm -rf -- /state/$gid"
            done
            ids_csv=$(printf "'%s'," "${drift[@]}")
            ids_csv=${ids_csv%,}
            docker exec galaxy-dev-postgres psql -v ON_ERROR_STOP=1 \
              -U galaxy -d galaxy_backend \
              -c "DELETE FROM backend.games WHERE game_id IN (${ids_csv});"
          fi
      - name: Reap stray dev-deploy containers
        run: |
          # Remove any non-running compose-managed containers from
          # earlier deploys before `compose up`. Filter by the stack
          # label so we never touch unrelated workloads on the same
-          # daemon. Running containers (incl. engine instances backend
+          # daemon. Running engine containers spawned by backend with
-          # spawned itself with the same label) are left intact —
+          # the same label are left intact when their image SHA still
-          # those are reattached by the backend reconciler on boot.
+          # matches the freshly-built `galaxy-engine:dev` (handled by
          # the preceding `Recycle engine containers on image drift`
          # step); the reconciler reattaches them on backend boot.
          ids=$(docker ps -aq \
            --filter "label=galaxy.stack=dev-deploy" \
            --filter "status=exited" \
@@ -168,11 +256,24 @@ jobs:
      - name: Bring up the stack
        working-directory: tools/dev-deploy
        env:
          # Recipient regex Mailpit auto-relays to the owner's Gmail.
          # Unset/empty → the compose default (non-routable) keeps the
          # stack capture-only.
          GALAXY_DEV_MAIL_RELAY_MATCH: ${{ vars.GALAXY_DEV_MAIL_RELAY_MATCH }}
          # Grafana admin password; unset/empty -> compose default 'admin'.
          GALAXY_DEV_GRAFANA_ADMIN_PASSWORD: ${{ secrets.GALAXY_DEV_GRAFANA_ADMIN_PASSWORD }}
        run: |
          # Resolve in the shell, not in YAML expressions — `env.HOME`
          # is empty at the workflow-evaluation stage.
          export GALAXY_DEV_GAME_STATE_DIR="$HOME/.galaxy-dev/game-state"
          mkdir -p "$GALAXY_DEV_GAME_STATE_DIR"
          # Seed the monitoring config to a stable, reboot-surviving host
          # path (compose binds \${GALAXY_DEV_MONITORING_DIR} read-only).
          export GALAXY_DEV_MONITORING_DIR="$HOME/.galaxy-dev/monitoring"
          rm -rf "$GALAXY_DEV_MONITORING_DIR"
          mkdir -p "$GALAXY_DEV_MONITORING_DIR"
          cp -r monitoring/. "$GALAXY_DEV_MONITORING_DIR/"
          docker compose up -d --wait --remove-orphans
      - name: Probe the stack
@@ -0,0 +1,80 @@
 name: Tests · FBS codegen
 # Guards that the committed FlatBuffers bindings (Go under
 # pkg/schema/fbs/<schema>/ and TS under ui/frontend/src/proto/galaxy/fbs/)
 # are exactly what the pinned flatc produces from the .fbs schemas.
 # Catches both "changed a schema but forgot to regenerate" and
 # "regenerated with the wrong flatc version" (e.g. a distro's older
 # flatbuffers-compiler), which silently churns output and can flip
 # nullable-scalar wire defaults. Path-filtered so it only runs when the
 # schemas, the generated trees, the fbs Makefiles, or this workflow change.
 on:
  push:
    paths:
      - 'pkg/schema/fbs/**'
      - 'ui/frontend/src/proto/galaxy/fbs/**'
      - 'ui/Makefile'
      - '.gitea/workflows/fbs-codegen.yaml'
  pull_request:
    paths:
      - 'pkg/schema/fbs/**'
      - 'ui/frontend/src/proto/galaxy/fbs/**'
      - 'ui/Makefile'
      - '.gitea/workflows/fbs-codegen.yaml'
 concurrency:
  group: fbs-codegen-${{ github.ref }}
  cancel-in-progress: true
 env:
  FLATC_VERSION: 25.9.23
 jobs:
  codegen:
    runs-on: ubuntu-latest
    defaults:
      run:
        shell: bash
    steps:
      - name: Checkout
        uses: actions/checkout@v4
        with:
          submodules: recursive
      - name: Cache flatc
        id: cache-flatc
        uses: actions/cache@v4
        with:
          path: ${{ runner.temp }}/flatc-bin
          key: flatc-${{ env.FLATC_VERSION }}-linux-g++13
      - name: Install pinned flatc
        if: steps.cache-flatc.outputs.cache-hit != 'true'
        run: |
          mkdir -p "${{ runner.temp }}/flatc-bin"
          curl -sSL -o /tmp/flatc.zip \
            "https://github.com/google/flatbuffers/releases/download/v${FLATC_VERSION}/Linux.flatc.binary.g++-13.zip"
          python3 -m zipfile -e /tmp/flatc.zip "${{ runner.temp }}/flatc-bin"
          chmod +x "${{ runner.temp }}/flatc-bin/flatc"
      - name: Add flatc to PATH
        run: echo "${{ runner.temp }}/flatc-bin" >> "$GITHUB_PATH"
      - name: Verify flatc version
        run: flatc --version
      - name: Regenerate Go + TS bindings
        run: |
          make -C pkg/schema/fbs fbs-go
          make -C ui fbs-ts
      - name: Assert no drift
        run: |
          if ! git diff --exit-code || [ -n "$(git status --porcelain)" ]; then
            echo "::error::Committed FlatBuffers bindings differ from a flatc ${FLATC_VERSION} regeneration."
            echo "Run 'make -C pkg/schema/fbs fbs-go' and 'make -C ui fbs-ts' with flatc ${FLATC_VERSION} and commit the result."
            git status --porcelain
            git --no-pager diff
            exit 1
          fi
@@ -119,3 +119,16 @@ jobs:
          name: playwright-traces
          path: ui/frontend/test-results/
          retention-days: 14
      - name: Remove root-owned build artifacts
        if: always()
        # In host-mode the job runs as root, so vite (test:pwa),
        # svelte-kit and Playwright write these outputs root-owned into
        # the shared host workspace. The act_runner (non-root) then
        # cannot remove them at teardown ("unlinkat ... permission
        # denied"), which spuriously fails this or a sibling job that
        # inherits the dirty workspace (observed on go-unit). Clean them
        # here while the step still has root, after the uploads above.
        run: |
          rm -rf ui/frontend/build ui/frontend/.svelte-kit \
                 ui/frontend/test-results ui/frontend/playwright-report
@@ -16,6 +16,12 @@ This repository hosts the Galaxy Game project.
  mirrored into `docs/FUNCTIONAL_ru.md` in the same patch (translate
  the changed paragraphs only, do not re-translate the whole file).
  A full re-translation only happens on explicit owner request.
 - `site/ru/rules.md` — the player-facing game rules (ported from the
  former `game/rules.txt`). **Russian is authoritative here**, inverting
  the usual English-first rule: the game's rules and lore are
  Russian-native, so `site/ru/rules.md` leads and the English
  `site/rules.md` is its mirror. Mirror point edits the same way as
  `docs/FUNCTIONAL.md`, but RU → EN.
 - `docs/TESTING.md` — testing layers (unit / integration), the
  integration runbook, and the principles every test must follow
  (no-op observability for testcontainers, `t.Fatal` on
@@ -27,10 +27,16 @@ The implementation specification lives in `PLAN.md`.
 | ------------------ | ----------------------------------------------- | ------------------------------------- |
 | `/api/v1/public/*` | none                                            | Registration, code confirmation       |
 | `/api/v1/user/*`   | `X-User-ID` injected by gateway                 | Authenticated end users               |
-| `/api/v1/admin/*`  | HTTP Basic Auth against `admin_accounts`        | Platform administrators               |
+| `/api/v1/admin/*`  | HTTP Basic Auth against `admin_accounts`        | Platform administrators (JSON)        |
 | `/_gm`, `/_gm/*`   | HTTP Basic Auth against `admin_accounts`        | Operator console (server-rendered HTML)|
 | `/healthz`         | none                                            | Liveness probe                        |
 | `/readyz`          | none                                            | Readiness probe                       |
 The `/_gm` operator console is the human-facing surface for the admin
 operations; it reuses the admin Basic Auth verifier, renders with
 `html/template`, and is the only admin surface exposed publicly (through
 the gateway). See `docs/admin-console.md`.
 The full contract is documented in `openapi.yaml` and validated at
 runtime by the contract tests under `internal/server/`.
@@ -100,6 +106,7 @@ fast.
 | `BACKEND_GAME_STATE_ROOT`               | yes      | —                             | Host directory bind-mounted into engine containers.   |
 | `BACKEND_ADMIN_BOOTSTRAP_USER`          | no       | —                             | Initial admin username; idempotent insert.            |
 | `BACKEND_ADMIN_BOOTSTRAP_PASSWORD`      | no       | —                             | Initial admin password; required if user is set.      |
 | `BACKEND_ADMIN_CONSOLE_CSRF_KEY`        | no       | random per-process            | Secret keying the `/_gm` console CSRF token. Set a shared value across replicas; unset uses a per-process random key (forms reset on restart). |
 | `BACKEND_GEOIP_DB_PATH`                 | yes      | —                             | Filesystem path to GeoLite2 Country `.mmdb`.          |
 | `BACKEND_OTEL_TRACES_EXPORTER`          | no       | `otlp`                        | `none`, `otlp`, `stdout`.                             |
 | `BACKEND_OTEL_METRICS_EXPORTER`         | no       | `otlp`                        | `none`, `otlp`, `stdout`, `prometheus`.               |
@@ -257,11 +264,13 @@ introduce its own request/response types.
 Endpoints used:
- `POST /api/v1/admin/init`
+- `POST /api/v1/admin/init` — the runtime worker passes the canonical
  `game_id` (the same UUID that names the engine container and the
  host bind-mount directory) in the request body so the engine's
  `state.json` shares identity with the backend's `games.game_id`.
 - `GET  /api/v1/admin/status`
 - `PUT  /api/v1/admin/turn`
 - `POST /api/v1/admin/race/banish`
 - `PUT  /api/v1/command`
 - `PUT  /api/v1/order`
 - `GET  /api/v1/report`
 - `GET  /healthz`
@@ -22,10 +22,10 @@ import (
 	_ "time/tzdata"
 	"galaxy/backend/internal/admin"
 	"galaxy/backend/internal/adminconsole"
 	"galaxy/backend/internal/app"
 	"galaxy/backend/internal/auth"
 	"galaxy/backend/internal/config"
 	"galaxy/backend/internal/devsandbox"
 	"galaxy/backend/internal/diplomail"
 	"galaxy/backend/internal/diplomail/detector"
 	"galaxy/backend/internal/diplomail/translator"
@@ -37,6 +37,7 @@ import (
 	"galaxy/backend/internal/mail"
 	"galaxy/backend/internal/metricsapi"
 	"galaxy/backend/internal/notification"
 	"galaxy/backend/internal/opsstatus"
 	backendpostgres "galaxy/backend/internal/postgres"
 	"galaxy/backend/push"
 	"galaxy/backend/internal/runtime"
@@ -272,29 +273,18 @@ func run(ctx context.Context) (err error) {
 	)
 	runtimeGateway.svc = runtimeSvc
-	// Run a single reconciliation pass before the dev-sandbox
+	// Run a single reconciliation pass at startup so any runtime row
-	// bootstrap so any runtime row pointing at a vanished engine
+	// pointing at a vanished engine container (a host reboot wiped
-	// container (host reboot wiped /tmp/galaxy-game-state/<uuid>;
+	// /tmp/galaxy-game-state/<uuid>; `tools/local-dev`'s
-	// `tools/local-dev`'s `prune-broken-engines` target reaped the
+	// `prune-broken-engines` target reaped the husk) is cascaded
-	// husk) is already cascaded through `markRemoved` → lobby
+	// through `markRemoved` → lobby `cancelled` before the server
-	// `cancelled` by the time the bootstrap walks the sandbox list.
+	// starts serving requests. Failures are
 	// Without this pre-tick the bootstrap would reuse the
 	// soon-to-be-cancelled game and force the developer into a
 	// second `make up` cycle to land a healthy sandbox. Failures are
 	// non-fatal: the periodic ticker started later catches up, and
 	// the worst case degrades to the legacy two-cycle recovery.
 	if err := runtimeSvc.Reconciler().Tick(ctx); err != nil {
 		logger.Warn("pre-bootstrap reconciler tick failed", zap.Error(err))
 	}
 	if err := devsandbox.Bootstrap(ctx, devsandbox.Deps{
 		Users:          userSvc,
 		Lobby:          lobbySvc,
 		EngineVersions: engineVersionSvc,
 	}, cfg.DevSandbox, logger); err != nil {
 		return fmt.Errorf("dev sandbox bootstrap: %w", err)
 	}
 	notifStore := notification.NewStore(db)
 	notifSvc := notification.NewService(notification.Deps{
 		Store:    notifStore,
@@ -360,6 +350,32 @@ func run(ctx context.Context) (err error) {
 		return authCache.Ready() && userCache.Ready() && adminCache.Ready() && lobbyCache.Ready() && runtimeCache.Ready()
 	}
 	var consoleCSRF *adminconsole.CSRF
 	if cfg.AdminConsole.CSRFKey != "" {
 		consoleCSRF = adminconsole.NewCSRF([]byte(cfg.AdminConsole.CSRFKey))
 	} else {
 		consoleCSRF, err = adminconsole.NewRandomCSRF()
 		if err != nil {
 			return fmt.Errorf("init admin console CSRF: %w", err)
 		}
 		logger.Warn("admin console CSRF key not set; using a per-process random key (forms reset on restart, not valid across replicas)",
 			zap.String("env", "BACKEND_ADMIN_CONSOLE_CSRF_KEY"))
 	}
 	adminConsoleHandlers := backendserver.NewAdminConsoleHandlers(backendserver.AdminConsoleDeps{
 		CSRF:    consoleCSRF,
 		Monitor:        opsstatus.NewStore(db),
 		Ready:          ready,
 		Users:          userSvc,
 		Games:          lobbySvc,
 		Runtime:        runtimeSvc,
 		EngineVersions: engineVersionSvc,
 		Operators:      adminSvc,
 		Mail:           mailSvc,
 		Notifications:  notifSvc,
 		Diplomail:      diplomailSvc,
 		Logger:         logger,
 	})
 	handler, err := backendserver.NewRouter(backendserver.RouterDependencies{
 		Logger:                logger,
 		Telemetry:             telemetryRT,
@@ -388,6 +404,7 @@ func run(ctx context.Context) (err error) {
 		AdminGeo:              adminGeoHandlers,
 		UserGames:             userGamesHandlers,
 		UserMail:              userMailHandlers,
 		AdminConsole:          adminConsoleHandlers,
 	})
 	if err != nil {
 		return fmt.Errorf("build backend router: %w", err)
@@ -485,6 +502,17 @@ func (a *userEntitlementAdapter) GetMaxRegisteredRaceNames(ctx context.Context,
 	return snap.MaxRegisteredRaceNames, nil
 }
 func (a *userEntitlementAdapter) IsPaid(ctx context.Context, userID uuid.UUID) (bool, error) {
 	if a == nil || a.svc == nil {
 		return false, nil
 	}
 	snap, err := a.svc.GetEntitlementSnapshot(ctx, userID)
 	if err != nil {
 		return false, err
 	}
 	return snap.IsPaid, nil
 }
 // runtimeGatewayAdapter implements `lobby.RuntimeGateway` by
 // delegating to `*runtime.Service`. The svc pointer is patched after
 // the services are constructed — runtime depends on lobby
@@ -0,0 +1,128 @@
 # Operator console (`/_gm`)
 The operator console is a server-rendered web UI for the platform's admin
 operations. It is the human-facing counterpart to the JSON admin API under
 `/api/v1/admin/*`: both call the same service layer, but the console renders
 HTML pages an operator drives in a browser, while the JSON API stays internal
 to the deployment for programmatic and test use.
 ## Design choices
 - **Server-rendered, no client framework.** Pages are rendered with the
  standard library's `html/template`. Navigation is by ordinary links and
  query parameters; every state change is an HTML form `POST` answered with a
  Post/Redirect/Get redirect. There is no build step, no JavaScript framework,
  and no separate asset pipeline — a single embedded stylesheet under
  `/_gm/assets/`.
 - **Reuses the existing admin auth.** The console mounts behind the same
  `basicauth.Middleware(admin.Service)` verifier that gates `/api/v1/admin/*`,
  so there is one credential store (`admin_accounts`, bcrypt-12) and no second
  secret to manage.
 - **Lives in the backend.** The backend owns the admin domain and the data, so
  rendering there lets the console call the service layer directly. The gateway
  stays a thin proxy.
 ## Request path
 ```
 Browser ── /_gm/* ──► edge Caddy ──► gateway (public listener)
   gateway: anti-abuse `admin` class (per-IP rate limit, body + method limits)
            └─► reverse proxy ──► backend  /_gm/*
   backend: basicauth.Middleware(admin.Service)
            └─► CSRF guard (state-changing methods)
                └─► console handler ──► admin service layer ──► html/template
 ```
 The gateway preserves the inbound `Host` and relays the backend's `401` Basic
 Auth challenge unchanged, so the browser shows its native credential dialog.
 The gateway adds only the edge anti-abuse layer; authentication and every state
 change are enforced by the backend. The gateway answers `502` when the backend
 is unreachable. See the gateway README "Operator Console Proxy" section for the
 `admin` route-class env vars.
 ## Components (package `internal/adminconsole`)
 The package is framework-agnostic (no gin) so it unit-tests in isolation:
 - `Renderer` — parses the embedded layout plus one content page per route and
  renders a named page wrapped in the shared layout. Rendering goes through an
  intermediate buffer, so a template failure never emits a partial document.
 - `CSRF` — issues and verifies the stateless anti-CSRF token: HMAC-SHA256 over
  the authenticated username, keyed by `BACKEND_ADMIN_CONSOLE_CSRF_KEY`. When
  the key is unset a per-process random key is used (secure, but forms reset on
  restart and do not validate across replicas — set a shared key for
  multi-replica deployments).
 - `Assets` — the embedded stylesheet filesystem served under `/_gm/assets/`.
 The gin glue (route group, Basic Auth, the CSRF guard middleware, the per-page
 handlers) lives in `internal/server/handlers_admin_console.go` and
 `internal/server/router.go` (`registerAdminConsoleRoutes`).
 ## CSRF protection
 Because the console is sessionless (HTTP Basic Auth, whose credentials the
 browser replays automatically), state-changing requests are double-guarded:
 1. A stateless per-operator token (`_csrf` form field) that a cross-site page
   cannot read or forge.
 2. A same-origin `Origin`/`Referer` check (when the browser sends one), which
   relies on the gateway preserving the inbound `Host`.
 Safe methods (`GET`/`HEAD`/`OPTIONS`) pass without a token.
 ## Monitoring
 The dashboard is the console landing page. It surfaces backend-visible
 operational state — service health, game-runtime status, and queue depths —
 read through the existing service and persistence layers. Richer cross-service
 metrics are out of scope for the console itself: the `/metrics` Prometheus
 exporters on `backend` and `gateway` are wired and enabled in the dev
 deployment so a future Prometheus + Grafana stack can scrape them without code
 changes.
 ## Pages
 | Path                              | Method   | Purpose                                                        |
 | --------------------------------- | -------- | -------------------------------------------------------------- |
 | `/_gm`, `/_gm/`                   | GET      | Dashboard: health, runtime/mail/notification status, queues.   |
 | `/_gm/assets/*`                   | GET      | Embedded stylesheet.                                           |
 | `/_gm/users`                      | GET      | Paginated account list.                                        |
 | `/_gm/users/{id}`                 | GET      | Account detail: profile, entitlement, active sanctions.        |
 | `/_gm/users/{id}/block`           | POST     | Apply a permanent block (reason required).                     |
 | `/_gm/users/{id}/entitlement`     | POST     | Set the entitlement tier.                                      |
 | `/_gm/users/{id}/soft-delete`     | POST     | Soft-delete the account (cascades).                            |
 | `/_gm/games`                      | GET/POST | Paginated game list; POST creates a public game.               |
 | `/_gm/games/{id}`                 | GET      | Game detail with the runtime snapshot.                         |
 | `/_gm/games/{id}/force-start`     | POST     | Force-start the game.                                          |
 | `/_gm/games/{id}/force-stop`      | POST     | Force-stop the game.                                          |
 | `/_gm/games/{id}/ban-member`      | POST     | Ban a member (user id + reason).                               |
 | `/_gm/games/{id}/runtime/restart` | POST     | Restart the engine container.                                  |
 | `/_gm/games/{id}/runtime/patch`   | POST     | Patch the runtime to a target version.                         |
 | `/_gm/games/{id}/runtime/force-next-turn` | POST | Force the next turn now.                                  |
 | `/_gm/engine-versions`            | GET/POST | Version registry; POST registers a version.                    |
 | `/_gm/engine-versions/{ver}/disable` | POST  | Disable a registered version.                                  |
 | `/_gm/operators`                  | GET/POST | Admin-account list; POST creates an operator.                  |
 | `/_gm/operators/{user}/disable`   | POST     | Disable an operator.                                          |
 | `/_gm/operators/{user}/enable`    | POST     | Re-enable an operator.                                        |
 | `/_gm/operators/{user}/reset-password` | POST | Reset an operator's password.                                  |
 | `/_gm/mail`                       | GET      | Mail deliveries (paginated) + a dead-letter snapshot.          |
 | `/_gm/mail/deliveries/{id}`       | GET      | Delivery detail with its attempts.                             |
 | `/_gm/mail/deliveries/{id}/resend`| POST     | Re-enqueue a non-sent delivery.                                |
 | `/_gm/notifications`              | GET      | Notifications, dead-letters, and malformed intents overview.   |
 | `/_gm/broadcast`                  | GET/POST | Admin multi-game diplomatic broadcast.                         |
 Each page reuses the same service layer as the corresponding `/api/v1/admin/*`
 JSON endpoint; the console adds no business logic. Collection-mutating POSTs are
 mounted on the collection path (`POST /_gm/games`, `POST /_gm/engine-versions`)
 so a static action segment never collides with a path parameter in the gin
 router. Unblocking a user is not yet available because the JSON admin API
 exposes no remove-sanction endpoint.
 ## Configuration
 | Variable                          | Where   | Notes                                                        |
 | --------------------------------- | ------- | ------------------------------------------------------------ |
 | `BACKEND_ADMIN_CONSOLE_CSRF_KEY`  | backend | CSRF token key; unset → per-process random key.              |
 | `BACKEND_ADMIN_BOOTSTRAP_USER`    | backend | Bootstrap operator account (shared with the JSON admin API). |
 | `BACKEND_ADMIN_BOOTSTRAP_PASSWORD`| backend | Bootstrap operator password.                                 |
 | `GATEWAY_PUBLIC_HTTP_ANTI_ABUSE_ADMIN_*` | gateway | `admin` route-class rate-limit and body budgets.      |
@@ -234,8 +234,8 @@ sequenceDiagram
    Workers->>Docker: pull / create / start engine container
    Docker-->>Workers: container id
-    Workers->>Engine: POST /api/v1/admin/init
+    Workers->>Engine: POST /api/v1/admin/init {gameId, races}
-    Engine-->>Workers: ok / error
+    Engine-->>Workers: StateResponse{id == gameId} / error
    Workers->>Runtime: write runtime_records (running or start_failed)
    Workers->>Lobby: OnRuntimeJobResult
@@ -141,7 +141,10 @@ boot).
  polls the engine `/healthz` until the listener is bound (Docker
  marks a container running as soon as the entrypoint starts; the
  Go binary inside takes a moment to bind its TCP port). Only after
-  `/healthz` succeeds does the worker call `/admin/init`.
+  `/healthz` succeeds does the worker call `/admin/init`, passing the
  same `game_id` the backend uses to mount the engine's storage
  directory; the engine echoes it back in `StateResponse.id`. The
  engine rejects a mismatched gameId with `409 Conflict`.
 - **Runtime scheduler** (`internal/runtime.SchedulerComponent`) —
  `pkg/cronutil` schedule per running game; each tick invokes the
  engine `admin/turn`. Force-next-turn flips a one-shot skip flag in
@@ -0,0 +1,103 @@
 /* Admin console stylesheet. Deliberately small and dependency-free: the
   console is an internal operator tool, not a public surface. */
 :root {
  --bg: #11151c;
  --panel: #1b2230;
  --panel-hi: #232c3d;
  --ink: #e6ebf2;
  --ink-dim: #9aa7ba;
  --line: #2c3850;
  --accent: #5aa9ff;
  --danger: #ff6b6b;
  --ok: #4ecb8d;
 }
 * { box-sizing: border-box; }
 body {
  margin: 0;
  background: var(--bg);
  color: var(--ink);
  font: 15px/1.5 ui-monospace, SFMono-Regular, Menlo, Consolas, monospace;
 }
 a { color: var(--accent); text-decoration: none; }
 a:hover { text-decoration: underline; }
 .topbar {
  display: flex;
  align-items: center;
  gap: 1.5rem;
  padding: 0.6rem 1.2rem;
  background: var(--panel);
  border-bottom: 1px solid var(--line);
 }
 .topbar .brand { font-weight: 700; letter-spacing: 0.04em; }
 .topbar .mainnav { display: flex; gap: 1rem; flex: 1; }
 .topbar .mainnav a.active { color: var(--ink); border-bottom: 2px solid var(--accent); }
 .topbar .who { color: var(--ink-dim); }
 .content { padding: 1.5rem; max-width: 1100px; margin: 0 auto; }
 h1 { font-size: 1.4rem; margin: 0 0 0.4rem; }
 .lede { color: var(--ink-dim); margin-top: 0; }
 .cards { display: grid; grid-template-columns: repeat(auto-fit, minmax(220px, 1fr)); gap: 1rem; margin-top: 1.5rem; }
 .card {
  display: block;
  padding: 1rem 1.2rem;
  background: var(--panel);
  border: 1px solid var(--line);
  border-radius: 8px;
  color: var(--ink);
 }
 .card:hover { background: var(--panel-hi); text-decoration: none; }
 .card h2 { font-size: 1.05rem; margin: 0 0 0.3rem; color: var(--accent); }
 .card p { margin: 0; color: var(--ink-dim); font-size: 0.9rem; }
 .panel {
  padding: 0.9rem 1.1rem;
  background: var(--panel);
  border: 1px solid var(--line);
  border-radius: 8px;
  margin-bottom: 1rem;
 }
 .panel h2 { font-size: 1rem; margin: 0 0 0.6rem; color: var(--ink); }
 .grid { display: grid; grid-template-columns: repeat(auto-fit, minmax(220px, 1fr)); gap: 1rem; margin-bottom: 1rem; }
 .grid .panel { margin-bottom: 0; }
 .kv { list-style: none; margin: 0; padding: 0; }
 .kv li { padding: 0.15rem 0; color: var(--ink-dim); }
 .counts { width: 100%; border-collapse: collapse; font-size: 0.9rem; }
 .counts td { padding: 0.2rem 0; border-bottom: 1px solid var(--line); color: var(--ink-dim); }
 .counts td.num { text-align: right; color: var(--ink); font-variant-numeric: tabular-nums; }
 .bignum { font-size: 1.6rem; margin: 0; color: var(--ink); }
 .note { color: var(--ink-dim); font-style: italic; margin: 0.2rem 0; }
 .errors { border-color: var(--danger); }
 .errors ul { margin: 0; padding-left: 1.1rem; color: var(--danger); }
 .ok { color: var(--ok); }
 .bad { color: var(--danger); }
 .list { width: 100%; border-collapse: collapse; font-size: 0.9rem; margin-bottom: 1rem; }
 .list th, .list td { text-align: left; padding: 0.35rem 0.6rem; border-bottom: 1px solid var(--line); }
 .list th { color: var(--ink-dim); font-weight: 600; }
 .list tr:hover td { background: var(--panel-hi); }
 .pager { display: flex; gap: 1rem; align-items: center; color: var(--ink-dim); }
 .form { display: flex; flex-wrap: wrap; gap: 0.6rem; align-items: end; margin-top: 0.8rem; }
 .form label { display: flex; flex-direction: column; gap: 0.2rem; font-size: 0.85rem; color: var(--ink-dim); }
 .form input, .form select {
  background: var(--bg);
  color: var(--ink);
  border: 1px solid var(--line);
  border-radius: 6px;
  padding: 0.35rem 0.5rem;
  font: inherit;
 }
 button {
  background: var(--accent);
  color: #06121f;
  border: 0;
  border-radius: 6px;
  padding: 0.4rem 0.9rem;
  font: inherit;
  font-weight: 600;
  cursor: pointer;
 }
 button:hover { filter: brightness(1.1); }
 button.danger { background: var(--danger); color: #1a0606; }
 code { background: var(--bg); padding: 0.05rem 0.3rem; border-radius: 4px; }
 .actions { display: flex; flex-wrap: wrap; gap: 0.6rem; margin: 0.8rem 0; }
 .actions form { margin: 0; }
 .subnav { color: var(--ink-dim); margin: -0.3rem 0 1rem; font-size: 0.9rem; }
@@ -0,0 +1,54 @@
 package adminconsole
 import (
 	"crypto/hmac"
 	"crypto/rand"
 	"crypto/sha256"
 	"encoding/base64"
 	"fmt"
 )
 // CSRF issues and verifies the stateless anti-CSRF token used by the admin
 // console. The token is an HMAC-SHA256 over the authenticated operator's
 // username keyed by a process secret, so a cross-site request cannot forge it
 // without already being able to read an authenticated page. The console is
 // sessionless (HTTP Basic Auth), which makes a stateless, per-operator token
 // the natural fit.
 type CSRF struct {
 	key []byte
 }
 // NewCSRF returns a CSRF signer keyed by key. A shared key across backend
 // replicas lets a form rendered by one replica validate on another; callers
 // that pass a per-process random key (see NewRandomCSRF) accept that forms do
 // not survive a restart or span replicas.
 func NewCSRF(key []byte) *CSRF {
 	return &CSRF{key: key}
 }
 // NewRandomCSRF returns a CSRF signer keyed by a fresh 32-byte random secret.
 // It is the secure default when no shared key is configured.
 func NewRandomCSRF() (*CSRF, error) {
 	key := make([]byte, 32)
 	if _, err := rand.Read(key); err != nil {
 		return nil, fmt.Errorf("generate admin console CSRF key: %w", err)
 	}
 	return &CSRF{key: key}, nil
 }
 // Token returns the anti-CSRF token bound to username.
 func (c *CSRF) Token(username string) string {
 	mac := hmac.New(sha256.New, c.key)
 	mac.Write([]byte(username))
 	return base64.RawURLEncoding.EncodeToString(mac.Sum(nil))
 }
 // Verify reports whether token is the valid anti-CSRF token for username. The
 // comparison runs in constant time relative to the token bytes.
 func (c *CSRF) Verify(username, token string) bool {
 	if token == "" {
 		return false
 	}
 	expected := c.Token(username)
 	return hmac.Equal([]byte(token), []byte(expected))
 }
@@ -0,0 +1,42 @@
 package adminconsole
 import "testing"
 func TestCSRFTokenRoundTrip(t *testing.T) {
 	signer := NewCSRF([]byte("shared-secret"))
 	token := signer.Token("alice")
 	if !signer.Verify("alice", token) {
 		t.Fatal("valid token rejected")
 	}
 	if signer.Verify("bob", token) {
 		t.Fatal("token accepted for a different operator")
 	}
 	if signer.Verify("alice", "") {
 		t.Fatal("empty token accepted")
 	}
 	if signer.Verify("alice", token+"x") {
 		t.Fatal("tampered token accepted")
 	}
 }
 func TestCSRFKeySeparation(t *testing.T) {
 	a := NewCSRF([]byte("key-a"))
 	b := NewCSRF([]byte("key-b"))
 	if a.Token("operator") == b.Token("operator") {
 		t.Fatal("tokens collide across distinct keys")
 	}
 	if b.Verify("operator", a.Token("operator")) {
 		t.Fatal("token minted under one key verified under another")
 	}
 }
 func TestRandomCSRFRoundTrip(t *testing.T) {
 	signer, err := NewRandomCSRF()
 	if err != nil {
 		t.Fatalf("NewRandomCSRF: %v", err)
 	}
 	if !signer.Verify("operator", signer.Token("operator")) {
 		t.Fatal("random-key token failed to round-trip")
 	}
 }
@@ -0,0 +1,24 @@
 package adminconsole
 // StatusCount pairs a status label with its current row count for the
 // dashboard's per-status tables. It is the view-layer counterpart of the
 // data gathered by the ops-status reader; the server handler maps between
 // them so this package stays free of database concerns.
 type StatusCount struct {
 	Status string
 	Count  int64
 }
 // DashboardData is the view model for the console landing page. MonitorAvailable
 // is false when no ops-status reader is wired, in which case the monitoring
 // panels are omitted. Errors carries non-fatal probe failures for display.
 type DashboardData struct {
 	MonitorAvailable      bool
 	BackendReady          bool
 	PostgresHealthy       bool
 	Runtimes              []StatusCount
 	MailDeliveries        []StatusCount
 	NotificationRoutes    []StatusCount
 	NotificationMalformed int64
 	Errors                []string
 }
@@ -0,0 +1,18 @@
 // Package adminconsole renders the server-side operator console mounted by the
 // backend under the `/_gm` route group.
 //
 // The console is a multi-page, server-rendered surface built on the standard
 // library's html/template package: navigation is driven by request path and
 // query, state changes are submitted with HTML forms and answered with a
 // Post/Redirect/Get redirect. The package owns three concerns and nothing
 // transport-specific:
 //
 //   - Renderer composes the shared layout with one content page per route.
 //   - CSRF issues and verifies the stateless anti-CSRF token embedded in every
 //     state-changing form.
 //   - Assets exposes the embedded stylesheet served under `/_gm/assets/`.
 //
 // The gin glue (route registration, Basic Auth, the CSRF guard middleware, and
 // the per-page handlers) lives in package server; this package stays free of
 // the web framework so it can be unit-tested in isolation.
 package adminconsole
@@ -0,0 +1,67 @@
 package adminconsole
 // GameRow is one line in the games list table.
 type GameRow struct {
 	GameID       string
 	GameName     string
 	Visibility   string
 	Status       string
 	Owner        string
 	Players      string
 	TurnSchedule string
 	CreatedAt    string
 }
 // GamesListData is the view model for the paginated games list.
 type GamesListData struct {
 	Items    []GameRow
 	Page     int
 	PageSize int
 	Total    int
 	HasPrev  bool
 	HasNext  bool
 	PrevPage int
 	NextPage int
 }
 // GameDetailData is the view model for a single game, combining the lobby
 // record with the runtime snapshot and the available actions.
 type GameDetailData struct {
 	GameID              string
 	GameName            string
 	Description         string
 	Visibility          string
 	Status              string
 	Owner               string
 	MinPlayers          int32
 	MaxPlayers          int32
 	StartGapHours       int32
 	StartGapPlayers     int32
 	TurnSchedule        string
 	TargetEngineVersion string
 	EnrollmentEndsAt    string
 	CreatedAt           string
 	StartedAt           string
 	FinishedAt          string
 	HasRuntime           bool
 	RuntimeStatus        string
 	CurrentEngineVersion string
 	EngineHealth         string
 	CurrentTurn          int32
 	NextGenerationAt     string
 	Paused               bool
 }
 // EngineVersionRow is one line in the engine-version registry table.
 type EngineVersionRow struct {
 	Version   string
 	ImageRef  string
 	Enabled   bool
 	CreatedAt string
 }
 // EngineVersionsData is the view model for the engine-version registry page.
 type EngineVersionsData struct {
 	Items []EngineVersionRow
 }
@@ -0,0 +1,86 @@
 package adminconsole
 // MailDeliveryRow is one line in the mail deliveries table.
 type MailDeliveryRow struct {
 	DeliveryID  string
 	Template    string
 	Status      string
 	Attempts    int32
 	NextAttempt string
 	Created     string
 }
 // MailDeadLetterRow is one line in the mail dead-letters table.
 type MailDeadLetterRow struct {
 	DeliveryID string
 	Reason     string
 	Archived   string
 }
 // MailData is the view model for the mail page: a paginated deliveries list
 // plus a snapshot of dead-letters.
 type MailData struct {
 	Deliveries  []MailDeliveryRow
 	DeadLetters []MailDeadLetterRow
 	Page        int
 	PageSize    int
 	Total       int64
 	HasPrev     bool
 	HasNext     bool
 	PrevPage    int
 	NextPage    int
 }
 // MailAttemptRow is one delivery attempt on the mail detail page.
 type MailAttemptRow struct {
 	AttemptNo int32
 	Outcome   string
 	Started   string
 	Finished  string
 	Error     string
 }
 // MailDeliveryDetail is the view model for a single delivery.
 type MailDeliveryDetail struct {
 	DeliveryID   string
 	Template     string
 	Status       string
 	Attempts     int32
 	NextAttempt  string
 	LastError    string
 	Created      string
 	Sent         string
 	DeadLettered string
 	CanResend    bool
 	AttemptRows  []MailAttemptRow
 }
 // NotificationRow is one line in the notifications table.
 type NotificationRow struct {
 	NotificationID string
 	Kind           string
 	UserID         string
 	Created        string
 }
 // NotificationDeadLetterRow is one line in the notification dead-letters table.
 type NotificationDeadLetterRow struct {
 	NotificationID string
 	RouteID        string
 	Reason         string
 	Archived       string
 }
 // MalformedRow is one line in the malformed-intents table.
 type MalformedRow struct {
 	ID       string
 	Reason   string
 	Received string
 }
 // NotificationsData is the view model for the notifications overview page.
 type NotificationsData struct {
 	Notifications []NotificationRow
 	DeadLetters   []NotificationDeadLetterRow
 	Malformed     []MalformedRow
 }
@@ -0,0 +1,11 @@
 package adminconsole
 // MessageData is the view model for the generic message page used to render
 // not-found, validation, and operation-failure notices. Class selects the CSS
 // styling (for example "bad" for errors); BackHref, when set, renders a link
 // back to a relevant page.
 type MessageData struct {
 	Message  string
 	Class    string
 	BackHref string
 }
@@ -0,0 +1,14 @@
 package adminconsole
 // OperatorRow is one line in the operators (admin accounts) table.
 type OperatorRow struct {
 	Username   string
 	CreatedAt  string
 	LastUsedAt string
 	Disabled   bool
 }
 // OperatorsData is the view model for the operators page.
 type OperatorsData struct {
 	Items []OperatorRow
 }
@@ -0,0 +1,107 @@
 package adminconsole
 import (
 	"bytes"
 	"embed"
 	"fmt"
 	"html/template"
 	"io"
 	"io/fs"
 	"path"
 	"strings"
 )
 //go:embed templates
 var templatesFS embed.FS
 //go:embed assets
 var assetsFS embed.FS
 // Renderer holds the parsed admin console templates. It composes one template
 // set per content page, each combining the shared layout (defining the page
 // chrome and the "layout" entry template) with that page's "content" block, so
 // rendering a page is a single ExecuteTemplate call against the "layout" name.
 type Renderer struct {
 	pages map[string]*template.Template
 }
 // PageData is the view model passed to every admin console page. Title is the
 // document title; Username is the authenticated operator; CSRFToken is the
 // per-operator token embedded into state-changing forms; ActiveNav marks the
 // highlighted navigation entry; Data carries the page-specific payload.
 type PageData struct {
 	Title     string
 	Username  string
 	CSRFToken string
 	ActiveNav string
 	Data      any
 }
 // NewRenderer parses the embedded layout and every content page under
 // templates/pages, returning a Renderer ready to serve them. It fails when a
 // template cannot be parsed.
 func NewRenderer() (*Renderer, error) {
 	base, err := template.New("layout").ParseFS(templatesFS, "templates/layout.gohtml")
 	if err != nil {
 		return nil, fmt.Errorf("parse admin console layout: %w", err)
 	}
 	pageFiles, err := fs.Glob(templatesFS, "templates/pages/*.gohtml")
 	if err != nil {
 		return nil, fmt.Errorf("enumerate admin console pages: %w", err)
 	}
 	if len(pageFiles) == 0 {
 		return nil, fmt.Errorf("admin console: no page templates found under templates/pages")
 	}
 	pages := make(map[string]*template.Template, len(pageFiles))
 	for _, file := range pageFiles {
 		name := strings.TrimSuffix(path.Base(file), ".gohtml")
 		clone, err := base.Clone()
 		if err != nil {
 			return nil, fmt.Errorf("clone admin console layout for %q: %w", name, err)
 		}
 		if _, err := clone.ParseFS(templatesFS, file); err != nil {
 			return nil, fmt.Errorf("parse admin console page %q: %w", name, err)
 		}
 		pages[name] = clone
 	}
 	return &Renderer{pages: pages}, nil
 }
 // MustNewRenderer is like NewRenderer but panics on error. The templates are
 // embedded at build time, so a parse failure is a programmer error rather than
 // a runtime condition.
 func MustNewRenderer() *Renderer {
 	renderer, err := NewRenderer()
 	if err != nil {
 		panic(err)
 	}
 	return renderer
 }
 // Render writes the named page, wrapped in the shared layout, to w using data.
 // It returns an error when page is unknown or template execution fails; the
 // page is rendered into an intermediate buffer first so a mid-render failure
 // never emits a partial document to w.
 func (r *Renderer) Render(w io.Writer, page string, data PageData) error {
 	tmpl, ok := r.pages[page]
 	if !ok {
 		return fmt.Errorf("admin console: unknown page %q", page)
 	}
 	var buf bytes.Buffer
 	if err := tmpl.ExecuteTemplate(&buf, "layout", data); err != nil {
 		return fmt.Errorf("render admin console page %q: %w", page, err)
 	}
 	_, err := buf.WriteTo(w)
 	return err
 }
 // Assets returns the embedded static asset tree rooted at the assets directory,
 // suitable for serving under `/_gm/assets/`.
 func Assets() (fs.FS, error) {
 	return fs.Sub(assetsFS, "assets")
 }
@@ -0,0 +1,67 @@
 package adminconsole
 import (
 	"bytes"
 	"io/fs"
 	"strings"
 	"testing"
 )
 func TestRendererRendersDashboard(t *testing.T) {
 	renderer, err := NewRenderer()
 	if err != nil {
 		t.Fatalf("NewRenderer: %v", err)
 	}
 	var buf bytes.Buffer
 	err = renderer.Render(&buf, "dashboard", PageData{
 		Title:     "Dashboard",
 		Username:  "ops-bob",
 		ActiveNav: "dashboard",
 	})
 	if err != nil {
 		t.Fatalf("Render: %v", err)
 	}
 	out := buf.String()
 	for _, want := range []string{
 		"<!DOCTYPE html>",
 		"Dashboard",
 		"ops-bob",
 		`href="/_gm/users"`,
 		"/_gm/assets/console.css",
 	} {
 		if !strings.Contains(out, want) {
 			t.Errorf("rendered page missing %q\n--- page ---\n%s", want, out)
 		}
 	}
 }
 func TestRendererUnknownPage(t *testing.T) {
 	renderer := MustNewRenderer()
 	if err := renderer.Render(&bytes.Buffer{}, "does-not-exist", PageData{}); err == nil {
 		t.Fatal("expected an error rendering an unknown page")
 	}
 }
 func TestRendererEscapesUsername(t *testing.T) {
 	renderer := MustNewRenderer()
 	var buf bytes.Buffer
 	if err := renderer.Render(&buf, "dashboard", PageData{Username: "<script>evil</script>"}); err != nil {
 		t.Fatalf("Render: %v", err)
 	}
 	if strings.Contains(buf.String(), "<script>evil</script>") {
 		t.Error("username was not HTML-escaped in the rendered page")
 	}
 }
 func TestAssetsContainsStylesheet(t *testing.T) {
 	fsys, err := Assets()
 	if err != nil {
 		t.Fatalf("Assets: %v", err)
 	}
 	if _, err := fs.Stat(fsys, "console.css"); err != nil {
 		t.Fatalf("console.css missing from embedded assets: %v", err)
 	}
 }
@@ -0,0 +1,30 @@
 {{define "layout" -}}
 <!DOCTYPE html>
 <html lang="en">
 <head>
 <meta charset="utf-8">
 <meta name="viewport" content="width=device-width, initial-scale=1">
 <meta name="robots" content="noindex, nofollow">
 <title>{{.Title}} · Galaxy GM</title>
 <link rel="stylesheet" href="/_gm/assets/console.css">
 </head>
 <body>
 <header class="topbar">
  <span class="brand">Galaxy · GM</span>
  <nav class="mainnav">
    <a href="/_gm/"{{if eq .ActiveNav "dashboard"}} class="active"{{end}}>Dashboard</a>
    <a href="/_gm/users"{{if eq .ActiveNav "users"}} class="active"{{end}}>Users</a>
    <a href="/_gm/games"{{if eq .ActiveNav "games"}} class="active"{{end}}>Games</a>
    <a href="/_gm/operators"{{if eq .ActiveNav "operators"}} class="active"{{end}}>Operators</a>
    <a href="/_gm/mail"{{if eq .ActiveNav "mail"}} class="active"{{end}}>Mail</a>
    <a href="/_gm/grafana/" target="_blank" rel="noopener">Grafana</a>
    <a href="/_gm/mailpit/" target="_blank" rel="noopener">Mailpit</a>
  </nav>
  <span class="who">{{.Username}}</span>
 </header>
 <main class="content">
 {{template "content" .}}
 </main>
 </body>
 </html>
 {{- end}}
@@ -0,0 +1,21 @@
 {{define "content" -}}
 {{$csrf := .CSRFToken}}
 <h1>Broadcast</h1>
 <nav class="subnav"><a href="/_gm/mail">Deliveries</a> · <a href="/_gm/notifications">Notifications</a> · <a href="/_gm/broadcast">Broadcast</a></nav>
 <section class="panel">
 <h2>Admin broadcast</h2>
 <form method="post" action="/_gm/broadcast" class="form">
 <input type="hidden" name="_csrf" value="{{$csrf}}">
 <label>Scope
 <select name="scope"><option value="all_running">all running games</option><option value="selected">selected games</option></select>
 </label>
 <label>Game IDs (comma-separated, for "selected") <input type="text" name="game_ids" placeholder="uuid,uuid"></label>
 <label>Recipients
 <select name="recipients"><option value="active">active members</option><option value="active_and_removed">active and removed</option><option value="all_members">all members</option></select>
 </label>
 <label>Subject <input type="text" name="subject"></label>
 <label>Body <input type="text" name="body" required></label>
 <button type="submit">Send broadcast</button>
 </form>
 </section>
 {{- end}}
@@ -0,0 +1,69 @@
 {{define "content" -}}
 <h1>Dashboard</h1>
 <p class="lede">Signed in as <strong>{{.Username}}</strong>.</p>
 {{with .Data}}
 <section class="panel">
  <h2>Health</h2>
  <ul class="kv">
    <li>Backend ready: {{if .BackendReady}}<span class="ok">yes</span>{{else}}<span class="bad">no</span>{{end}}</li>
    <li>Postgres: {{if .PostgresHealthy}}<span class="ok">healthy</span>{{else}}<span class="bad">unreachable</span>{{end}}</li>
  </ul>
 </section>
 {{if .MonitorAvailable}}
 <div class="grid">
  <section class="panel">
    <h2>Game runtimes</h2>
    {{template "statuscounts" .Runtimes}}
  </section>
  <section class="panel">
    <h2>Mail deliveries</h2>
    {{template "statuscounts" .MailDeliveries}}
  </section>
  <section class="panel">
    <h2>Notification routes</h2>
    {{template "statuscounts" .NotificationRoutes}}
  </section>
  <section class="panel">
    <h2>Malformed notifications</h2>
    <p class="bignum {{if gt .NotificationMalformed 0}}bad{{end}}">{{.NotificationMalformed}}</p>
  </section>
 </div>
 {{if .Errors}}
 <section class="panel errors">
  <h2>Collection errors</h2>
  <ul>{{range .Errors}}<li>{{.}}</li>{{end}}</ul>
 </section>
 {{end}}
 {{else}}
 <p class="note">Monitoring is not wired in this deployment.</p>
 {{end}}
 {{end}}
 <section class="cards">
  <a class="card" href="/_gm/users">
    <h2>Users</h2>
    <p>Accounts, sanctions, entitlements, soft-delete.</p>
  </a>
  <a class="card" href="/_gm/games">
    <h2>Games &amp; runtimes</h2>
    <p>Lobby state, engine versions, turn control.</p>
  </a>
  <a class="card" href="/_gm/operators">
    <h2>Operators</h2>
    <p>Admin accounts: create, disable, reset password.</p>
  </a>
  <a class="card" href="/_gm/mail">
    <h2>Mail &amp; notifications</h2>
    <p>Deliveries, dead-letters, broadcasts.</p>
  </a>
 </section>
 {{- end}}
 {{define "statuscounts" -}}
 {{if .}}
 <table class="counts"><tbody>
 {{range .}}<tr><td>{{.Status}}</td><td class="num">{{.Count}}</td></tr>{{end}}
 </tbody></table>
 {{else}}
 <p class="note">none</p>
 {{end}}
 {{- end}}
@@ -0,0 +1,30 @@
 {{define "content" -}}
 {{$csrf := .CSRFToken}}
 <h1>Engine versions</h1>
 {{with .Data}}
 <table class="list">
 <thead><tr><th>Version</th><th>Image</th><th>Enabled</th><th>Created</th><th></th></tr></thead>
 <tbody>
 {{range .Items}}
 <tr>
 <td>{{.Version}}</td>
 <td><code>{{.ImageRef}}</code></td>
 <td>{{if .Enabled}}<span class="ok">yes</span>{{else}}<span class="bad">no</span>{{end}}</td>
 <td>{{.CreatedAt}}</td>
 <td>{{if .Enabled}}<form method="post" action="/_gm/engine-versions/{{.Version}}/disable" onsubmit="return confirm('Disable {{.Version}}?');"><input type="hidden" name="_csrf" value="{{$csrf}}"><button type="submit" class="danger">Disable</button></form>{{end}}</td>
 </tr>
 {{else}}<tr><td colspan="5"><span class="note">no engine versions</span></td></tr>{{end}}
 </tbody>
 </table>
 {{end}}
 <section class="panel">
 <h2>Register version</h2>
 <form method="post" action="/_gm/engine-versions" class="form">
 <input type="hidden" name="_csrf" value="{{$csrf}}">
 <label>Version <input type="text" name="version" placeholder="semver e.g. 0.1.0" required></label>
 <label>Image ref <input type="text" name="image_ref" required></label>
 <label>Enabled <input type="checkbox" name="enabled" value="true" checked></label>
 <button type="submit">Register</button>
 </form>
 </section>
 {{- end}}
@@ -0,0 +1,65 @@
 {{define "content" -}}
 {{$csrf := .CSRFToken}}
 {{with .Data}}
 <p><a href="/_gm/games">&laquo; all games</a></p>
 <h1>{{if .GameName}}{{.GameName}}{{else}}(unnamed){{end}}</h1>
 <section class="panel">
 <h2>Game</h2>
 <ul class="kv">
 <li>Game ID: <code>{{.GameID}}</code></li>
 <li>Visibility: {{.Visibility}}</li>
 <li>Status: {{.Status}}</li>
 <li>Owner: {{.Owner}}</li>
 <li>Players: {{.MinPlayers}}–{{.MaxPlayers}}</li>
 <li>Start gap: {{.StartGapHours}}h / {{.StartGapPlayers}} players</li>
 <li>Turn schedule: {{.TurnSchedule}}</li>
 <li>Target engine: {{.TargetEngineVersion}}</li>
 <li>Enrollment ends: {{.EnrollmentEndsAt}}</li>
 <li>Created: {{.CreatedAt}}</li>
 <li>Started: {{if .StartedAt}}{{.StartedAt}}{{else}}—{{end}}</li>
 <li>Finished: {{if .FinishedAt}}{{.FinishedAt}}{{else}}—{{end}}</li>
 </ul>
 {{if .Description}}<p>{{.Description}}</p>{{end}}
 <div class="actions">
 <form method="post" action="/_gm/games/{{.GameID}}/force-start" onsubmit="return confirm('Force-start this game?');"><input type="hidden" name="_csrf" value="{{$csrf}}"><button type="submit">Force start</button></form>
 <form method="post" action="/_gm/games/{{.GameID}}/force-stop" onsubmit="return confirm('Force-stop this game?');"><input type="hidden" name="_csrf" value="{{$csrf}}"><button type="submit" class="danger">Force stop</button></form>
 </div>
 </section>
 <section class="panel">
 <h2>Runtime</h2>
 {{if .HasRuntime}}
 <ul class="kv">
 <li>Status: {{.RuntimeStatus}}</li>
 <li>Engine version: {{.CurrentEngineVersion}}</li>
 <li>Engine health: {{.EngineHealth}}</li>
 <li>Current turn: {{.CurrentTurn}}</li>
 <li>Next generation: {{if .NextGenerationAt}}{{.NextGenerationAt}}{{else}}—{{end}}</li>
 <li>Paused: {{if .Paused}}yes{{else}}no{{end}}</li>
 </ul>
 <div class="actions">
 <form method="post" action="/_gm/games/{{.GameID}}/runtime/restart" onsubmit="return confirm('Restart the engine container?');"><input type="hidden" name="_csrf" value="{{$csrf}}"><button type="submit">Restart</button></form>
 <form method="post" action="/_gm/games/{{.GameID}}/runtime/force-next-turn" onsubmit="return confirm('Force the next turn now?');"><input type="hidden" name="_csrf" value="{{$csrf}}"><button type="submit">Force next turn</button></form>
 </div>
 <form method="post" action="/_gm/games/{{.GameID}}/runtime/patch" class="form">
 <input type="hidden" name="_csrf" value="{{$csrf}}">
 <label>Patch to version <input type="text" name="target_version" placeholder="e.g. 0.1.1" required></label>
 <button type="submit">Patch</button>
 </form>
 {{else}}
 <p class="note">No runtime record for this game yet.</p>
 {{end}}
 </section>
 <section class="panel">
 <h2>Ban member</h2>
 <form method="post" action="/_gm/games/{{.GameID}}/ban-member" class="form" onsubmit="return confirm('Ban this member from the game?');">
 <input type="hidden" name="_csrf" value="{{$csrf}}">
 <label>User ID <input type="text" name="user_id" required></label>
 <label>Reason <input type="text" name="reason"></label>
 <button type="submit" class="danger">Ban member</button>
 </form>
 </section>
 {{end}}
 {{- end}}
@@ -0,0 +1,43 @@
 {{define "content" -}}
 {{$csrf := .CSRFToken}}
 <h1>Games</h1>
 {{with .Data}}
 <table class="list">
 <thead><tr><th>Name</th><th>Visibility</th><th>Status</th><th>Owner</th><th>Players</th><th>Schedule</th><th>Created</th></tr></thead>
 <tbody>
 {{range .Items}}
 <tr>
 <td><a href="/_gm/games/{{.GameID}}">{{if .GameName}}{{.GameName}}{{else}}(unnamed){{end}}</a></td>
 <td>{{.Visibility}}</td>
 <td>{{.Status}}</td>
 <td>{{.Owner}}</td>
 <td>{{.Players}}</td>
 <td>{{.TurnSchedule}}</td>
 <td>{{.CreatedAt}}</td>
 </tr>
 {{else}}<tr><td colspan="7"><span class="note">no games</span></td></tr>{{end}}
 </tbody>
 </table>
 <nav class="pager">
 {{if .HasPrev}}<a href="/_gm/games?page={{.PrevPage}}&amp;page_size={{.PageSize}}">&laquo; prev</a>{{end}}
 <span>page {{.Page}} · {{.Total}} total</span>
 {{if .HasNext}}<a href="/_gm/games?page={{.NextPage}}&amp;page_size={{.PageSize}}">next &raquo;</a>{{end}}
 </nav>
 {{end}}
 <section class="panel">
 <h2>Create public game</h2>
 <form method="post" action="/_gm/games" class="form">
 <input type="hidden" name="_csrf" value="{{$csrf}}">
 <label>Name <input type="text" name="game_name" required></label>
 <label>Description <input type="text" name="description"></label>
 <label>Min players <input type="number" name="min_players" value="2" min="1"></label>
 <label>Max players <input type="number" name="max_players" value="8" min="1"></label>
 <label>Start gap hours <input type="number" name="start_gap_hours" value="0" min="0"></label>
 <label>Start gap players <input type="number" name="start_gap_players" value="0" min="0"></label>
 <label>Enrollment ends <input type="datetime-local" name="enrollment_ends_at" required></label>
 <label>Turn schedule <input type="text" name="turn_schedule" placeholder="e.g. @every 24h" required></label>
 <label>Engine version <input type="text" name="target_engine_version" placeholder="e.g. 0.1.0" required></label>
 <button type="submit">Create</button>
 </form>
 </section>
 {{- end}}
@@ -0,0 +1,32 @@
 {{define "content" -}}
 <h1>Mail</h1>
 <nav class="subnav"><a href="/_gm/mail">Deliveries</a> · <a href="/_gm/notifications">Notifications</a> · <a href="/_gm/broadcast">Broadcast</a></nav>
 {{with .Data}}
 <section class="panel">
 <h2>Deliveries</h2>
 <table class="list">
 <thead><tr><th>Delivery</th><th>Template</th><th>Status</th><th>Attempts</th><th>Next attempt</th><th>Created</th></tr></thead>
 <tbody>
 {{range .Deliveries}}
 <tr><td><a href="/_gm/mail/deliveries/{{.DeliveryID}}"><code>{{.DeliveryID}}</code></a></td><td>{{.Template}}</td><td>{{.Status}}</td><td>{{.Attempts}}</td><td>{{if .NextAttempt}}{{.NextAttempt}}{{else}}—{{end}}</td><td>{{.Created}}</td></tr>
 {{else}}<tr><td colspan="6"><span class="note">no deliveries</span></td></tr>{{end}}
 </tbody>
 </table>
 <nav class="pager">
 {{if .HasPrev}}<a href="/_gm/mail?page={{.PrevPage}}&amp;page_size={{.PageSize}}">&laquo; prev</a>{{end}}
 <span>page {{.Page}} · {{.Total}} total</span>
 {{if .HasNext}}<a href="/_gm/mail?page={{.NextPage}}&amp;page_size={{.PageSize}}">next &raquo;</a>{{end}}
 </nav>
 </section>
 <section class="panel">
 <h2>Dead-letters</h2>
 <table class="list">
 <thead><tr><th>Delivery</th><th>Reason</th><th>Archived</th></tr></thead>
 <tbody>
 {{range .DeadLetters}}<tr><td><a href="/_gm/mail/deliveries/{{.DeliveryID}}"><code>{{.DeliveryID}}</code></a></td><td>{{.Reason}}</td><td>{{.Archived}}</td></tr>
 {{else}}<tr><td colspan="3"><span class="note">no dead-letters</span></td></tr>{{end}}
 </tbody>
 </table>
 </section>
 {{end}}
 {{- end}}
@@ -0,0 +1,33 @@
 {{define "content" -}}
 {{$csrf := .CSRFToken}}
 {{with .Data}}
 <p><a href="/_gm/mail">&laquo; mail</a></p>
 <h1>Delivery</h1>
 <section class="panel">
 <ul class="kv">
 <li>Delivery ID: <code>{{.DeliveryID}}</code></li>
 <li>Template: {{.Template}}</li>
 <li>Status: {{.Status}}</li>
 <li>Attempts: {{.Attempts}}</li>
 <li>Next attempt: {{if .NextAttempt}}{{.NextAttempt}}{{else}}—{{end}}</li>
 <li>Created: {{.Created}}</li>
 <li>Sent: {{if .Sent}}{{.Sent}}{{else}}—{{end}}</li>
 <li>Dead-lettered: {{if .DeadLettered}}{{.DeadLettered}}{{else}}—{{end}}</li>
 <li>Last error: {{if .LastError}}{{.LastError}}{{else}}—{{end}}</li>
 </ul>
 {{if .CanResend}}
 <form method="post" action="/_gm/mail/deliveries/{{.DeliveryID}}/resend" class="form" onsubmit="return confirm('Resend this delivery?');"><input type="hidden" name="_csrf" value="{{$csrf}}"><button type="submit">Resend</button></form>
 {{else}}<p class="note">Already sent — resend is not available.</p>{{end}}
 </section>
 <section class="panel">
 <h2>Attempts</h2>
 <table class="list">
 <thead><tr><th>#</th><th>Outcome</th><th>Started</th><th>Finished</th><th>Error</th></tr></thead>
 <tbody>
 {{range .AttemptRows}}<tr><td>{{.AttemptNo}}</td><td>{{.Outcome}}</td><td>{{.Started}}</td><td>{{if .Finished}}{{.Finished}}{{else}}—{{end}}</td><td>{{.Error}}</td></tr>
 {{else}}<tr><td colspan="5"><span class="note">no attempts</span></td></tr>{{end}}
 </tbody>
 </table>
 </section>
 {{end}}
 {{- end}}
@@ -0,0 +1,7 @@
 {{define "content" -}}
 <h1>{{.Title}}</h1>
 {{with .Data}}
 <p class="{{.Class}}">{{.Message}}</p>
 {{if .BackHref}}<p><a href="{{.BackHref}}">&laquo; back</a></p>{{end}}
 {{end}}
 {{- end}}
@@ -0,0 +1,27 @@
 {{define "content" -}}
 <h1>Notifications</h1>
 <nav class="subnav"><a href="/_gm/mail">Deliveries</a> · <a href="/_gm/notifications">Notifications</a> · <a href="/_gm/broadcast">Broadcast</a></nav>
 {{with .Data}}
 <section class="panel">
 <h2>Recent notifications</h2>
 <table class="list"><thead><tr><th>ID</th><th>Kind</th><th>User</th><th>Created</th></tr></thead><tbody>
 {{range .Notifications}}<tr><td><code>{{.NotificationID}}</code></td><td>{{.Kind}}</td><td>{{.UserID}}</td><td>{{.Created}}</td></tr>
 {{else}}<tr><td colspan="4"><span class="note">none</span></td></tr>{{end}}
 </tbody></table>
 </section>
 <section class="panel">
 <h2>Dead-letters</h2>
 <table class="list"><thead><tr><th>Notification</th><th>Route</th><th>Reason</th><th>Archived</th></tr></thead><tbody>
 {{range .DeadLetters}}<tr><td><code>{{.NotificationID}}</code></td><td><code>{{.RouteID}}</code></td><td>{{.Reason}}</td><td>{{.Archived}}</td></tr>
 {{else}}<tr><td colspan="4"><span class="note">none</span></td></tr>{{end}}
 </tbody></table>
 </section>
 <section class="panel">
 <h2>Malformed intents</h2>
 <table class="list"><thead><tr><th>ID</th><th>Reason</th><th>Received</th></tr></thead><tbody>
 {{range .Malformed}}<tr><td><code>{{.ID}}</code></td><td>{{.Reason}}</td><td>{{.Received}}</td></tr>
 {{else}}<tr><td colspan="3"><span class="note">none</span></td></tr>{{end}}
 </tbody></table>
 </section>
 {{end}}
 {{- end}}
@@ -0,0 +1,38 @@
 {{define "content" -}}
 {{$csrf := .CSRFToken}}
 <h1>Operators</h1>
 {{with .Data}}
 <table class="list">
 <thead><tr><th>Username</th><th>Status</th><th>Created</th><th>Last used</th><th>Actions</th></tr></thead>
 <tbody>
 {{range .Items}}
 <tr>
 <td>{{.Username}}</td>
 <td>{{if .Disabled}}<span class="bad">disabled</span>{{else}}<span class="ok">active</span>{{end}}</td>
 <td>{{.CreatedAt}}</td>
 <td>{{if .LastUsedAt}}{{.LastUsedAt}}{{else}}—{{end}}</td>
 <td>
 <div class="actions">
 {{if .Disabled}}
 <form method="post" action="/_gm/operators/{{.Username}}/enable"><input type="hidden" name="_csrf" value="{{$csrf}}"><button type="submit">Enable</button></form>
 {{else}}
 <form method="post" action="/_gm/operators/{{.Username}}/disable" onsubmit="return confirm('Disable {{.Username}}?');"><input type="hidden" name="_csrf" value="{{$csrf}}"><button type="submit" class="danger">Disable</button></form>
 {{end}}
 <form method="post" action="/_gm/operators/{{.Username}}/reset-password" class="form"><input type="hidden" name="_csrf" value="{{$csrf}}"><input type="password" name="password" placeholder="new password" required><button type="submit">Reset</button></form>
 </div>
 </td>
 </tr>
 {{else}}<tr><td colspan="5"><span class="note">no operators</span></td></tr>{{end}}
 </tbody>
 </table>
 {{end}}
 <section class="panel">
 <h2>Create operator</h2>
 <form method="post" action="/_gm/operators" class="form">
 <input type="hidden" name="_csrf" value="{{$csrf}}">
 <label>Username <input type="text" name="username" required></label>
 <label>Password <input type="password" name="password" required></label>
 <button type="submit">Create</button>
 </form>
 </section>
 {{- end}}
@@ -0,0 +1,68 @@
 {{define "content" -}}
 {{$csrf := .CSRFToken}}
 {{with .Data}}
 <p><a href="/_gm/users">&laquo; all users</a></p>
 <h1>{{.Email}}</h1>
 {{if .Deleted}}<p class="bad">This account is soft-deleted.</p>{{end}}
 <section class="panel">
 <h2>Account</h2>
 <ul class="kv">
 <li>User ID: <code>{{.UserID}}</code></li>
 <li>User name: {{.UserName}}</li>
 <li>Display name: {{.DisplayName}}</li>
 <li>Preferred language: {{.PreferredLanguage}}</li>
 <li>Time zone: {{.TimeZone}}</li>
 <li>Declared country: {{.DeclaredCountry}}</li>
 <li>Status: {{if .Blocked}}<span class="bad">blocked</span>{{else}}<span class="ok">active</span>{{end}}</li>
 <li>Created: {{.CreatedAt}}</li>
 <li>Updated: {{.UpdatedAt}}</li>
 </ul>
 </section>
 <section class="panel">
 <h2>Entitlement</h2>
 <ul class="kv">
 <li>Tier: <strong>{{.Tier}}</strong> ({{if .IsPaid}}paid{{else}}free{{end}})</li>
 <li>Source: {{.EntitlementSource}}</li>
 <li>Reason: {{.EntitlementReason}}</li>
 <li>Ends: {{if .EntitlementEnds}}{{.EntitlementEnds}}{{else}}—{{end}}</li>
 </ul>
 <form method="post" action="/_gm/users/{{.UserID}}/entitlement" class="form">
 <input type="hidden" name="_csrf" value="{{$csrf}}">
 <label>Tier
 <select name="tier">{{range .Tiers}}<option value="{{.}}">{{.}}</option>{{end}}</select>
 </label>
 <label>Source <input type="text" name="source" value="admin"></label>
 <label>Reason <input type="text" name="reason_code" placeholder="optional"></label>
 <button type="submit">Update entitlement</button>
 </form>
 </section>
 <section class="panel">
 <h2>Active sanctions</h2>
 {{if .Sanctions}}
 <table class="counts"><tbody>
 {{range .Sanctions}}<tr><td>{{.SanctionCode}}</td><td>{{.Scope}}</td><td>{{.ReasonCode}}</td><td>{{.AppliedAt}}</td></tr>{{end}}
 </tbody></table>
 {{else}}<p class="note">none</p>{{end}}
 {{if .Blocked}}
 <p class="note">User is permanently blocked. Unblock is not available in the current admin API.</p>
 {{else}}
 <form method="post" action="/_gm/users/{{.UserID}}/block" class="form" onsubmit="return confirm('Permanently block this user?');">
 <input type="hidden" name="_csrf" value="{{$csrf}}">
 <label>Reason <input type="text" name="reason_code" required></label>
 <button type="submit" class="danger">Permanently block</button>
 </form>
 {{end}}
 </section>
 <section class="panel">
 <h2>Danger zone</h2>
 <form method="post" action="/_gm/users/{{.UserID}}/soft-delete" class="form" onsubmit="return confirm('Soft-delete this account? This cascades to sessions, memberships, and owned games.');">
 <input type="hidden" name="_csrf" value="{{$csrf}}">
 <button type="submit" class="danger">Soft-delete account</button>
 </form>
 </section>
 {{end}}
 {{- end}}
@@ -0,0 +1,27 @@
 {{define "content" -}}
 <h1>Users</h1>
 {{with .Data}}
 <table class="list">
 <thead><tr><th>Email</th><th>User name</th><th>Display</th><th>Tier</th><th>Status</th><th>Created</th></tr></thead>
 <tbody>
 {{range .Items}}
 <tr>
 <td><a href="/_gm/users/{{.UserID}}">{{.Email}}</a></td>
 <td>{{.UserName}}</td>
 <td>{{.DisplayName}}</td>
 <td>{{.Tier}}</td>
 <td>{{if .Deleted}}<span class="bad">deleted</span>{{else if .Blocked}}<span class="bad">blocked</span>{{else}}<span class="ok">active</span>{{end}}</td>
 <td>{{.CreatedAt}}</td>
 </tr>
 {{else}}
 <tr><td colspan="6"><span class="note">no users</span></td></tr>
 {{end}}
 </tbody>
 </table>
 <nav class="pager">
 {{if .HasPrev}}<a href="/_gm/users?page={{.PrevPage}}&amp;page_size={{.PageSize}}">&laquo; prev</a>{{end}}
 <span>page {{.Page}} · {{.Total}} total</span>
 {{if .HasNext}}<a href="/_gm/users?page={{.NextPage}}&amp;page_size={{.PageSize}}">next &raquo;</a>{{end}}
 </nav>
 {{end}}
 {{- end}}
@@ -0,0 +1,61 @@
 package adminconsole
 // UserRow is one line in the users list table.
 type UserRow struct {
 	UserID      string
 	Email       string
 	UserName    string
 	DisplayName string
 	Tier        string
 	Blocked     bool
 	Deleted     bool
 	CreatedAt   string
 }
 // UsersListData is the view model for the paginated users list.
 type UsersListData struct {
 	Items    []UserRow
 	Page     int
 	PageSize int
 	Total    int
 	HasPrev  bool
 	HasNext  bool
 	PrevPage int
 	NextPage int
 }
 // SanctionView is one active sanction shown on the user detail page.
 type SanctionView struct {
 	SanctionCode string
 	Scope        string
 	ReasonCode   string
 	AppliedAt    string
 	ExpiresAt    string
 }
 // UserDetailData is the view model for a single user's detail page,
 // combining the account aggregate with the form option lists.
 type UserDetailData struct {
 	UserID            string
 	Email             string
 	UserName          string
 	DisplayName       string
 	PreferredLanguage string
 	TimeZone          string
 	DeclaredCountry   string
 	Blocked           bool
 	Deleted           bool
 	CreatedAt         string
 	UpdatedAt         string
 	Tier              string
 	IsPaid            bool
 	EntitlementSource string
 	EntitlementReason string
 	EntitlementEnds   string
 	Sanctions []SanctionView
 	// Tiers lists the selectable entitlement tiers for the form.
 	Tiers []string
 }
@@ -55,6 +55,8 @@ const (
 	envAdminBootstrapUser = "BACKEND_ADMIN_BOOTSTRAP_USER"
 	envAdminBootstrapPassword = "BACKEND_ADMIN_BOOTSTRAP_PASSWORD"
 	envAdminConsoleCSRFKey = "BACKEND_ADMIN_CONSOLE_CSRF_KEY"
 	envGeoIPDBPath = "BACKEND_GEOIP_DB_PATH"
 	envOTelTracesExporter = "BACKEND_OTEL_TRACES_EXPORTER"
@@ -103,11 +105,6 @@ const (
 	envDiplomailTranslatorTimeout = "BACKEND_DIPLOMAIL_TRANSLATOR_TIMEOUT"
 	envDiplomailTranslatorMaxAttempts = "BACKEND_DIPLOMAIL_TRANSLATOR_MAX_ATTEMPTS"
 	envDiplomailWorkerInterval = "BACKEND_DIPLOMAIL_WORKER_INTERVAL"
 	envDevSandboxEmail = "BACKEND_DEV_SANDBOX_EMAIL"
 	envDevSandboxEngineImage = "BACKEND_DEV_SANDBOX_ENGINE_IMAGE"
 	envDevSandboxEngineVersion = "BACKEND_DEV_SANDBOX_ENGINE_VERSION"
 	envDevSandboxPlayerCount = "BACKEND_DEV_SANDBOX_PLAYER_COUNT"
 )
 // Default values applied when an environment variable is absent.
@@ -176,9 +173,6 @@ const (
 	defaultDiplomailTranslatorTimeout = 10 * time.Second
 	defaultDiplomailTranslatorMaxAttempts = 5
 	defaultDiplomailWorkerInterval = 2 * time.Second
 	defaultDevSandboxEngineVersion = "0.1.0"
 	defaultDevSandboxPlayerCount = 20
 )
 // Allowed values for the closed-set string options.
@@ -208,6 +202,7 @@ type Config struct {
 	Docker DockerConfig
 	Game GameConfig
 	Admin AdminBootstrapConfig
 	AdminConsole AdminConsoleConfig
 	GeoIP GeoIPConfig
 	Telemetry TelemetryConfig
 	Auth AuthConfig
@@ -216,29 +211,12 @@ type Config struct {
 	Runtime RuntimeConfig
 	Notification NotificationConfig
 	Diplomail DiplomailConfig
 	DevSandbox DevSandboxConfig
 	// FreshnessWindow mirrors the gateway freshness window and is used by the
 	// push server to bound the cursor TTL.
 	FreshnessWindow time.Duration
 }
 // DevSandboxConfig configures the boot-time bootstrap implemented in
 // `backend/internal/devsandbox`. When Email is empty the bootstrap
 // is a no-op, which is the production posture. When Email is set —
 // from `BACKEND_DEV_SANDBOX_EMAIL` in the `tools/local-dev` stack —
 // the bootstrap idempotently provisions a real user, the configured
 // number of dummy participants, a private "Dev Sandbox" game, the
 // matching memberships, and drives the lifecycle to `running`. The
 // engine image and engine version refer to a row that the bootstrap
 // also seeds in `engine_versions`.
 type DevSandboxConfig struct {
 	Email string
 	EngineImage string
 	EngineVersion string
 	PlayerCount int
 }
 // LoggingConfig stores the parameters used by the structured logger.
 type LoggingConfig struct {
 	// Level is the zap level name (e.g. "debug", "info", "warn", "error").
@@ -308,6 +286,15 @@ type AdminBootstrapConfig struct {
 	Password string
 }
 // AdminConsoleConfig configures the server-rendered operator console.
 // CSRFKey is the secret keying the console's stateless anti-CSRF token.
 // When empty the console falls back to a per-process random key, which is
 // secure but means forms do not survive a restart and do not validate across
 // replicas; set a shared key when running more than one backend instance.
 type AdminConsoleConfig struct {
 	CSRFKey string
 }
 // GeoIPConfig configures the GeoLite2 country database used by geo lookups.
 type GeoIPConfig struct {
 	DBPath string
@@ -560,10 +547,6 @@ func DefaultConfig() Config {
 			TranslatorMaxAttempts: defaultDiplomailTranslatorMaxAttempts,
 			WorkerInterval: defaultDiplomailWorkerInterval,
 		},
 		DevSandbox: DevSandboxConfig{
 			EngineVersion: defaultDevSandboxEngineVersion,
 			PlayerCount: defaultDevSandboxPlayerCount,
 		},
 		Runtime: RuntimeConfig{
 			WorkerPoolSize: defaultRuntimeWorkerPoolSize,
 			JobQueueSize: defaultRuntimeJobQueueSize,
@@ -644,6 +627,8 @@ func LoadFromEnv() (Config, error) {
 	cfg.Admin.User = loadString(envAdminBootstrapUser, cfg.Admin.User)
 	cfg.Admin.Password = loadString(envAdminBootstrapPassword, cfg.Admin.Password)
 	cfg.AdminConsole.CSRFKey = loadString(envAdminConsoleCSRFKey, cfg.AdminConsole.CSRFKey)
 	cfg.GeoIP.DBPath = loadString(envGeoIPDBPath, cfg.GeoIP.DBPath)
 	cfg.Telemetry.TracesExporter = strings.ToLower(loadString(envOTelTracesExporter, cfg.Telemetry.TracesExporter))
@@ -741,13 +726,6 @@ func LoadFromEnv() (Config, error) {
 		return Config{}, err
 	}
 	cfg.DevSandbox.Email = strings.TrimSpace(loadString(envDevSandboxEmail, cfg.DevSandbox.Email))
 	cfg.DevSandbox.EngineImage = strings.TrimSpace(loadString(envDevSandboxEngineImage, cfg.DevSandbox.EngineImage))
 	cfg.DevSandbox.EngineVersion = strings.TrimSpace(loadString(envDevSandboxEngineVersion, cfg.DevSandbox.EngineVersion))
 	if cfg.DevSandbox.PlayerCount, err = loadInt(envDevSandboxPlayerCount, cfg.DevSandbox.PlayerCount); err != nil {
 		return Config{}, err
 	}
 	if err := cfg.Validate(); err != nil {
 		return Config{}, err
 	}
@@ -959,21 +937,6 @@ func (c Config) Validate() error {
 		}
 	}
 	if email := strings.TrimSpace(c.DevSandbox.Email); email != "" {
 		if _, err := netmail.ParseAddress(email); err != nil {
 			return fmt.Errorf("%s must be a valid RFC 5322 address: %w", envDevSandboxEmail, err)
 		}
 		if strings.TrimSpace(c.DevSandbox.EngineImage) == "" {
 			return fmt.Errorf("%s must not be empty when %s is set", envDevSandboxEngineImage, envDevSandboxEmail)
 		}
 		if strings.TrimSpace(c.DevSandbox.EngineVersion) == "" {
 			return fmt.Errorf("%s must not be empty when %s is set", envDevSandboxEngineVersion, envDevSandboxEmail)
 		}
 		if c.DevSandbox.PlayerCount <= 0 {
 			return fmt.Errorf("%s must be positive when %s is set", envDevSandboxPlayerCount, envDevSandboxEmail)
 		}
 	}
 	return nil
 }
@@ -1,287 +0,0 @@
 // Package devsandbox provisions a ready-to-play game on backend boot
 // for the `tools/local-dev` stack.
 //
 // Bootstrap is invoked from `backend/cmd/backend/main.go` after the
 // admin bootstrap and before the HTTP listener starts. It reads
 // `cfg.DevSandbox`; when `Email` is empty (the production posture)
 // the function logs "skipped" and returns nil. When set, it
 // idempotently:
 //
 //   1. registers the configured engine version and image;
 //   2. find-or-creates the real dev user with the configured email;
 //   3. find-or-creates `cfg.PlayerCount - 1` deterministic dummy
 //      users so the engine's minimum-players constraint is met;
 //   4. find-or-creates a private "Dev Sandbox" game owned by the
 //      real user with min/max_players = cfg.PlayerCount and a
 //      year-out turn schedule (effectively frozen at turn 1);
 //   5. inserts memberships for all participants bypassing the
 //      application/approval flow;
 //   6. drives the lifecycle to `running` (or as far as possible if
 //      the runtime is busy).
 //
 // The function is a no-op on subsequent boots once the game is
 // running; partial states from earlier crashes are recovered.
 package devsandbox
 import (
 	"context"
 	"errors"
 	"fmt"
 	"time"
 	"galaxy/backend/internal/config"
 	"galaxy/backend/internal/lobby"
 	"galaxy/backend/internal/runtime"
 	"github.com/google/uuid"
 	"go.uber.org/zap"
 )
 // SandboxGameName is the display name used to identify the
 // auto-provisioned game on subsequent reboots. The combination of
 // game_name and owner_user_id is unique enough in practice — only
 // the dev sandbox bootstrap creates a game owned by the configured
 // real user with this exact name.
 const SandboxGameName = "Dev Sandbox"
 // SandboxTurnSchedule keeps the game on turn 1 by scheduling the
 // next turn a year out. The runtime scheduler still parses this and
 // will tick once a year — long enough to never interfere with
 // solo UI development.
 const SandboxTurnSchedule = "0 0 1 1 *"
 // UserEnsurer matches `auth.UserEnsurer`. We define a local
 // interface to avoid importing the auth package and circular
 // dependencies — the production wiring passes the same `*user.Service`
 // instance used by auth.
 type UserEnsurer interface {
 	EnsureByEmail(ctx context.Context, email, preferredLanguage, timeZone, declaredCountry string) (uuid.UUID, error)
 }
 // Deps aggregates the collaborators Bootstrap needs.
 type Deps struct {
 	Users          UserEnsurer
 	Lobby          *lobby.Service
 	EngineVersions *runtime.EngineVersionService
 }
 // Bootstrap runs the seven-step provisioning flow described on the
 // package doc comment. Errors are returned to the caller; the boot
 // path in `cmd/backend/main.go` aborts startup if Bootstrap fails so
 // a misconfigured dev environment surfaces immediately rather than
 // silently leaving the lobby empty.
 func Bootstrap(ctx context.Context, deps Deps, cfg config.DevSandboxConfig, logger *zap.Logger) error {
 	if logger == nil {
 		logger = zap.NewNop()
 	}
 	logger = logger.Named("dev_sandbox")
 	if cfg.Email == "" {
 		logger.Info("skipped (no email)")
 		return nil
 	}
 	if deps.Users == nil || deps.Lobby == nil || deps.EngineVersions == nil {
 		return errors.New("dev_sandbox: deps.Users, deps.Lobby and deps.EngineVersions are required")
 	}
 	if cfg.PlayerCount <= 0 {
 		return fmt.Errorf("dev_sandbox: PlayerCount must be positive, got %d", cfg.PlayerCount)
 	}
 	if err := ensureEngineVersion(ctx, deps.EngineVersions, cfg, logger); err != nil {
 		return err
 	}
 	realID, err := deps.Users.EnsureByEmail(ctx, cfg.Email, "en", "UTC", "")
 	if err != nil {
 		return fmt.Errorf("dev_sandbox: ensure real user: %w", err)
 	}
 	dummyIDs := make([]uuid.UUID, 0, cfg.PlayerCount-1)
 	for i := 1; i < cfg.PlayerCount; i++ {
 		email := fmt.Sprintf("dev-dummy-%02d@local.test", i)
 		id, err := deps.Users.EnsureByEmail(ctx, email, "en", "UTC", "")
 		if err != nil {
 			return fmt.Errorf("dev_sandbox: ensure dummy %d: %w", i, err)
 		}
 		dummyIDs = append(dummyIDs, id)
 	}
 	if err := purgeTerminalSandboxGames(ctx, deps.Lobby, realID, logger); err != nil {
 		return err
 	}
 	game, err := findOrCreateSandboxGame(ctx, deps.Lobby, realID, cfg)
 	if err != nil {
 		return err
 	}
 	game, err = ensureMembershipsAndDrive(ctx, deps.Lobby, game, realID, dummyIDs, logger)
 	if err != nil {
 		return err
 	}
 	logger.Info("bootstrap complete",
 		zap.String("user_id", realID.String()),
 		zap.String("game_id", game.GameID.String()),
 		zap.String("status", game.Status),
 	)
 	return nil
 }
 func ensureEngineVersion(ctx context.Context, svc *runtime.EngineVersionService, cfg config.DevSandboxConfig, logger *zap.Logger) error {
 	_, err := svc.Register(ctx, runtime.RegisterInput{
 		Version:  cfg.EngineVersion,
 		ImageRef: cfg.EngineImage,
 	})
 	switch {
 	case err == nil:
 		logger.Info("engine version registered",
 			zap.String("version", cfg.EngineVersion),
 			zap.String("image", cfg.EngineImage),
 		)
 		return nil
 	case errors.Is(err, runtime.ErrEngineVersionTaken):
 		logger.Debug("engine version already registered",
 			zap.String("version", cfg.EngineVersion),
 		)
 		return nil
 	default:
 		return fmt.Errorf("dev_sandbox: register engine version: %w", err)
 	}
 }
 // terminalSandboxStatus reports whether a sandbox game has reached a
 // state from which it can no longer be driven back to running. We
 // treat such games as "absent" so the next bootstrap creates a fresh
 // one rather than handing the developer a dead lobby tile.
 func terminalSandboxStatus(status string) bool {
 	switch status {
 	case lobby.GameStatusCancelled, lobby.GameStatusFinished, lobby.GameStatusStartFailed:
 		return true
 	}
 	return false
 }
 // purgeTerminalSandboxGames deletes every previous "Dev Sandbox" game
 // the dev user owns that has reached a terminal state
 // (cancelled / finished / start_failed). The cascade declared in
 // `00001_init.sql` removes the matching memberships, applications,
 // invites, runtime records, and player mappings in the same write,
 // so the developer's lobby never piles up dead tiles between
 // `make rebuild` cycles. Non-terminal games are left untouched —
 // a `running` sandbox from a previous boot is the happy path.
 func purgeTerminalSandboxGames(ctx context.Context, svc *lobby.Service, ownerID uuid.UUID, logger *zap.Logger) error {
 	games, err := svc.ListMyGames(ctx, ownerID)
 	if err != nil {
 		return fmt.Errorf("dev_sandbox: list my games: %w", err)
 	}
 	for _, g := range games {
 		if g.GameName != SandboxGameName || g.OwnerUserID == nil || *g.OwnerUserID != ownerID {
 			continue
 		}
 		if !terminalSandboxStatus(g.Status) {
 			continue
 		}
 		if err := svc.DeleteGame(ctx, g.GameID); err != nil {
 			return fmt.Errorf("dev_sandbox: delete terminal sandbox %s: %w", g.GameID, err)
 		}
 		logger.Info("purged terminal sandbox game",
 			zap.String("game_id", g.GameID.String()),
 			zap.String("status", g.Status),
 		)
 	}
 	return nil
 }
 func findOrCreateSandboxGame(ctx context.Context, svc *lobby.Service, ownerID uuid.UUID, cfg config.DevSandboxConfig) (lobby.GameRecord, error) {
 	games, err := svc.ListMyGames(ctx, ownerID)
 	if err != nil {
 		return lobby.GameRecord{}, fmt.Errorf("dev_sandbox: list my games: %w", err)
 	}
 	for _, g := range games {
 		if g.GameName != SandboxGameName || g.OwnerUserID == nil || *g.OwnerUserID != ownerID {
 			continue
 		}
 		// `purgeTerminalSandboxGames` ran before us, so any sandbox
 		// game still in the list is either a live one we should
 		// reuse or a transient state we can drive forward.
 		return g, nil
 	}
 	rec, err := svc.CreateGame(ctx, lobby.CreateGameInput{
 		OwnerUserID:         &ownerID,
 		Visibility:          lobby.VisibilityPrivate,
 		GameName:            SandboxGameName,
 		Description:         "Auto-provisioned by backend/internal/devsandbox for solo UI development.",
 		MinPlayers:          int32(cfg.PlayerCount),
 		MaxPlayers:          int32(cfg.PlayerCount),
 		StartGapHours:       0,
 		StartGapPlayers:     0,
 		EnrollmentEndsAt:    time.Now().Add(365 * 24 * time.Hour),
 		TurnSchedule:        SandboxTurnSchedule,
 		TargetEngineVersion: cfg.EngineVersion,
 	})
 	if err != nil {
 		return lobby.GameRecord{}, fmt.Errorf("dev_sandbox: create game: %w", err)
 	}
 	return rec, nil
 }
 func ensureMembershipsAndDrive(ctx context.Context, svc *lobby.Service, game lobby.GameRecord, realID uuid.UUID, dummyIDs []uuid.UUID, logger *zap.Logger) (lobby.GameRecord, error) {
 	caller := realID
 	if game.Status == lobby.GameStatusDraft {
 		next, err := svc.OpenEnrollment(ctx, &caller, false, game.GameID)
 		if err != nil {
 			return game, fmt.Errorf("dev_sandbox: open enrollment: %w", err)
 		}
 		game = next
 	}
 	if game.Status == lobby.GameStatusEnrollmentOpen {
 		users := append([]uuid.UUID{realID}, dummyIDs...)
 		for i, uid := range users {
 			raceName := fmt.Sprintf("Sandbox-%02d", i+1)
 			if _, err := svc.InsertMembershipDirect(ctx, lobby.InsertMembershipDirectInput{
 				GameID:   game.GameID,
 				UserID:   uid,
 				RaceName: raceName,
 			}); err != nil {
 				return game, fmt.Errorf("dev_sandbox: insert membership %d: %w", i+1, err)
 			}
 		}
 		logger.Info("memberships ensured",
 			zap.Int("count", len(users)),
 			zap.String("game_id", game.GameID.String()),
 		)
 		next, err := svc.ReadyToStart(ctx, &caller, false, game.GameID)
 		if err != nil {
 			return game, fmt.Errorf("dev_sandbox: ready to start: %w", err)
 		}
 		game = next
 	}
 	if game.Status == lobby.GameStatusReadyToStart {
 		next, err := svc.Start(ctx, &caller, false, game.GameID)
 		if err != nil {
 			return game, fmt.Errorf("dev_sandbox: start: %w", err)
 		}
 		game = next
 	}
 	if game.Status == lobby.GameStatusStartFailed {
 		next, err := svc.RetryStart(ctx, &caller, false, game.GameID)
 		if err != nil {
 			logger.Warn("retry start failed", zap.Error(err))
 			return game, nil
 		}
 		game = next
 		if game.Status == lobby.GameStatusReadyToStart {
 			next, err := svc.Start(ctx, &caller, false, game.GameID)
 			if err != nil {
 				return game, fmt.Errorf("dev_sandbox: start after retry: %w", err)
 			}
 			game = next
 		}
 	}
 	return game, nil
 }
@@ -1,106 +0,0 @@
 package devsandbox
 import (
 	"context"
 	"errors"
 	"testing"
 	"galaxy/backend/internal/config"
 	"github.com/google/uuid"
 	"go.uber.org/zap"
 )
 // TestBootstrapSkippedWhenEmailEmpty exercises the no-op branch: with
 // the production posture (Email == "") Bootstrap must return without
 // touching any dependency. The fact that Users/Lobby/EngineVersions
 // are nil here doubles as a check that the early-return runs first.
 func TestBootstrapSkippedWhenEmailEmpty(t *testing.T) {
 	err := Bootstrap(
 		context.Background(),
 		Deps{},
 		config.DevSandboxConfig{},
 		zap.NewNop(),
 	)
 	if err != nil {
 		t.Fatalf("expected nil error on empty email, got: %v", err)
 	}
 }
 // TestBootstrapRejectsZeroPlayerCount confirms the validation
 // short-circuits the flow before any DB call when PlayerCount is
 // non-positive but Email is set. The error path is fast and never
 // dereferences the (still-nil) Users/Lobby deps.
 func TestBootstrapRejectsZeroPlayerCount(t *testing.T) {
 	err := Bootstrap(
 		context.Background(),
 		Deps{Users: stubEnsurer{}, Lobby: nil, EngineVersions: nil},
 		config.DevSandboxConfig{
 			Email:         "dev@local.test",
 			EngineImage:   "galaxy-engine:local-dev",
 			EngineVersion: "0.0.0-local-dev",
 			PlayerCount:   0,
 		},
 		zap.NewNop(),
 	)
 	if err == nil {
 		t.Fatal("expected error on zero PlayerCount, got nil")
 	}
 }
 // TestBootstrapRejectsMissingDeps checks that a misconfigured wiring
 // (Email set but one of the required services nil) fails fast rather
 // than panicking when the bootstrap reaches its first service call.
 func TestBootstrapRejectsMissingDeps(t *testing.T) {
 	err := Bootstrap(
 		context.Background(),
 		Deps{Users: stubEnsurer{}, Lobby: nil, EngineVersions: nil},
 		config.DevSandboxConfig{
 			Email:         "dev@local.test",
 			EngineImage:   "galaxy-engine:local-dev",
 			EngineVersion: "0.0.0-local-dev",
 			PlayerCount:   20,
 		},
 		zap.NewNop(),
 	)
 	if err == nil {
 		t.Fatal("expected error on missing deps, got nil")
 	}
 	if !errors.Is(err, errMissingDepsSentinel) && err.Error() == "" {
 		// The exact wording is not part of the contract; this branch
 		// only asserts the error is non-nil and human-readable.
 		t.Fatalf("error has empty message: %v", err)
 	}
 }
 // errMissingDepsSentinel exists so the assertion above can compile;
 // the real error is constructed via errors.New inside Bootstrap and
 // is intentionally not exported. The test only needs to confirm the
 // returned error has a message.
 var errMissingDepsSentinel = errors.New("sentinel")
 // TestTerminalSandboxStatus pins the contract that decides whether a
 // previously created sandbox game gets purged on the next boot.
 // Terminal states are deleted (cascade-style) so the developer's
 // lobby never piles up dead tiles between `make rebuild` cycles.
 func TestTerminalSandboxStatus(t *testing.T) {
 	terminal := []string{"cancelled", "finished", "start_failed"}
 	live := []string{"draft", "enrollment_open", "ready_to_start", "starting", "running", "paused"}
 	for _, status := range terminal {
 		if !terminalSandboxStatus(status) {
 			t.Errorf("expected %q to be terminal", status)
 		}
 	}
 	for _, status := range live {
 		if terminalSandboxStatus(status) {
 			t.Errorf("expected %q to be non-terminal", status)
 		}
 	}
 }
 type stubEnsurer struct{}
 func (stubEnsurer) EnsureByEmail(_ context.Context, _, _, _, _ string) (uuid.UUID, error) {
 	return uuid.UUID{}, nil
 }
@@ -23,7 +23,6 @@ const (
 	pathAdminStatus     = "/api/v1/admin/status"
 	pathAdminTurn       = "/api/v1/admin/turn"
 	pathAdminRaceBanish = "/api/v1/admin/race/banish"
 	pathPlayerCommand   = "/api/v1/command"
 	pathPlayerOrder     = "/api/v1/order"
 	pathPlayerReport    = "/api/v1/report"
 	pathPlayerBattle    = "/api/v1/battle"
@@ -183,16 +182,10 @@ func (c *Client) BanishRace(ctx context.Context, baseURL, raceName string) error
 	}
 }
-// ExecuteCommands calls `PUT /api/v1/command` with payload forwarded
+// PutOrders calls `PUT /api/v1/order` with the payload forwarded
 // verbatim. The engine response body is returned verbatim; on 4xx the
-// body is returned alongside ErrEngineValidation so callers can
+// body is returned alongside ErrEngineValidation so callers can forward
-// forward the per-command error.
+// the per-command error.
 func (c *Client) ExecuteCommands(ctx context.Context, baseURL string, payload json.RawMessage) (json.RawMessage, error) {
 	return c.forwardPlayerWrite(ctx, baseURL, pathPlayerCommand, payload, "engine command")
 }
 // PutOrders calls `PUT /api/v1/order` with the same forwarding
 // semantics as ExecuteCommands.
 func (c *Client) PutOrders(ctx context.Context, baseURL string, payload json.RawMessage) (json.RawMessage, error) {
 	return c.forwardPlayerWrite(ctx, baseURL, pathPlayerOrder, payload, "engine order")
 }
@@ -26,6 +26,7 @@ func newTestClient(t *testing.T, srv *httptest.Server) *Client {
 func TestClientInitSuccess(t *testing.T) {
 	wantID := uuid.New()
 	var gotReq rest.InitRequest
 	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		if r.URL.Path != pathAdminInit {
 			t.Fatalf("unexpected path: %s", r.URL.Path)
@@ -33,13 +34,16 @@ func TestClientInitSuccess(t *testing.T) {
 		if r.Method != http.MethodPost {
 			t.Fatalf("unexpected method: %s", r.Method)
 		}
 		if err := json.NewDecoder(r.Body).Decode(&gotReq); err != nil {
 			t.Fatalf("decode request: %v", err)
 		}
 		w.Header().Set("Content-Type", "application/json")
 		_ = json.NewEncoder(w).Encode(rest.StateResponse{ID: wantID, Turn: 1, Players: []rest.PlayerState{{ID: uuid.New(), RaceName: "alpha"}}})
 	}))
 	t.Cleanup(srv.Close)
 	cli := newTestClient(t, srv)
-	got, err := cli.Init(context.Background(), srv.URL, rest.InitRequest{Races: []rest.InitRace{{RaceName: "alpha"}}})
+	got, err := cli.Init(context.Background(), srv.URL, rest.InitRequest{GameID: wantID, Races: []rest.InitRace{{RaceName: "alpha"}}})
 	if err != nil {
 		t.Fatalf("Init returned error: %v", err)
 	}
@@ -49,6 +53,9 @@ func TestClientInitSuccess(t *testing.T) {
 	if got.Turn != 1 {
 		t.Fatalf("Turn = %d, want 1", got.Turn)
 	}
 	if gotReq.GameID != wantID {
 		t.Fatalf("request gameId = %s, want %s", gotReq.GameID, wantID)
 	}
 }
 func TestClientInitValidationError(t *testing.T) {
@@ -149,27 +156,6 @@ func TestClientBanishRace(t *testing.T) {
 	}
 }
 func TestClientCommandsForwardsBody(t *testing.T) {
 	want := json.RawMessage(`{"actor":"alpha","cmd":[{"@type":"raceQuit"}]}`)
 	gotResp := json.RawMessage(`{"applied":true}`)
 	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		if r.URL.Path != pathPlayerCommand || r.Method != http.MethodPut {
 			t.Fatalf("unexpected request: %s %s", r.Method, r.URL.Path)
 		}
 		_, _ = w.Write(gotResp)
 	}))
 	t.Cleanup(srv.Close)
 	cli := newTestClient(t, srv)
 	resp, err := cli.ExecuteCommands(context.Background(), srv.URL, want)
 	if err != nil {
 		t.Fatalf("ExecuteCommands: %v", err)
 	}
 	if string(resp) != string(gotResp) {
 		t.Fatalf("response = %s, want %s", string(resp), string(gotResp))
 	}
 }
 func TestClientReportsForwardsQuery(t *testing.T) {
 	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		if r.URL.Path != pathPlayerReport {
@@ -9,14 +9,21 @@ import (
 // EntitlementProvider is the read-only view the lobby needs over the
 // user-domain entitlement snapshot. The canonical implementation is
-// `*user.Service` exposing `GetEntitlement(ctx, userID)`; tests substitute
+// `*user.Service` exposing `GetEntitlementSnapshot(ctx, userID)`; tests
-// a fake.
+// substitute a fake.
 //
-// `MaxRegisteredRaceNames` is the only field consumed by when
+// `GetMaxRegisteredRaceNames` is consumed at race-name registration time
-// the caller attempts to register a `pending_registration` row the lobby
+// — when the caller attempts to register a `pending_registration` row the
-// counts already-`registered` rows for that user against this limit.
+// lobby counts already-`registered` rows for that user against this limit.
 //
 // `IsPaid` is consumed by the user-facing private-game creation gate at
 // the HTTP handler level (`POST /api/v1/user/lobby/games`): free-tier
 // callers are rejected with `403 forbidden` before the lobby Service is
 // invoked. Admin-driven public-game creation
 // (`POST /api/v1/admin/games`) bypasses the gate.
 type EntitlementProvider interface {
 	GetMaxRegisteredRaceNames(ctx context.Context, userID uuid.UUID) (int32, error)
 	IsPaid(ctx context.Context, userID uuid.UUID) (bool, error)
 }
 // RuntimeGateway is the outbound surface the lobby uses to ask the runtime
@@ -274,11 +274,10 @@ func (s *Service) ListFinishedGamesBefore(ctx context.Context, cutoff time.Time)
 // `ON DELETE CASCADE` constraints declared in `00001_init.sql`.
 // Idempotent: returns nil when no game matches.
 //
-// Phase 14 introduces this method for the dev-sandbox bootstrap so a
+// `DeleteGame` is destructive — a hard delete that bypasses the
-// terminal "Dev Sandbox" tile from a previous local-dev session can
+// cascade-notification machinery — so production callers stay on the
-// be scrubbed before a fresh game spawns. Production callers must
+// regular cancel / finish lifecycle. It is exercised by the lobby
-// stay on the regular cancel / finish lifecycle — `DeleteGame` is
+// integration tests.
 // destructive and bypasses the cascade-notification machinery.
 func (s *Service) DeleteGame(ctx context.Context, gameID uuid.UUID) error {
 	if err := s.deps.Store.DeleteGame(ctx, gameID); err != nil {
 		return err
@@ -20,6 +20,7 @@
 package lobby
 import (
 	"context"
 	"crypto/rand"
 	"encoding/hex"
 	"errors"
@@ -28,6 +29,7 @@ import (
 	"galaxy/backend/internal/config"
 	"github.com/google/uuid"
 	"github.com/jackc/pgx/v5/pgconn"
 	"go.uber.org/zap"
 )
@@ -207,6 +209,17 @@ func (s *Service) Config() config.LobbyConfig {
 	return s.deps.Config
 }
 // IsPaid reports whether userID currently sits on a paid tier. Thin
 // pass-through over EntitlementProvider used by the HTTP handler that
 // fronts user-driven private-game creation; admin-driven public-game
 // creation does not consult this gate.
 func (s *Service) IsPaid(ctx context.Context, userID uuid.UUID) (bool, error) {
 	if s == nil || s.deps.Entitlement == nil {
 		return false, fmt.Errorf("lobby: entitlement provider not configured")
 	}
 	return s.deps.Entitlement.IsPaid(ctx, userID)
 }
 // generateInviteCode produces an `inviteCodeBytes`-byte hex code used
 // for code-based invites. The function uses `crypto/rand`; a failure to
 // read entropy is propagated to the caller.
@@ -103,6 +103,10 @@ func (s stubEntitlement) GetMaxRegisteredRaceNames(_ context.Context, _ uuid.UUI
 	return s.max, nil
 }
 func (s stubEntitlement) IsPaid(_ context.Context, _ uuid.UUID) (bool, error) {
 	return true, nil
 }
 func newServiceForTest(t *testing.T, db *sql.DB, now func() time.Time, max int32) *lobby.Service {
 	t.Helper()
 	store := lobby.NewStore(db)
@@ -244,8 +248,8 @@ func TestEndToEndPrivateGameFlow(t *testing.T) {
 	}
 }
-// TestDeleteGameCascadesEverything pins the contract the dev-sandbox
+// TestDeleteGameCascadesEverything pins the DeleteGame contract:
-// bootstrap relies on: removing a game wipes every referencing row
+// removing a game wipes every referencing row
 // (memberships, applications, invites, runtime_records,
 // player_mappings) in a single SQL statement. Before this is wired
 // the developer's lobby pile up cancelled tiles between
@@ -20,9 +20,9 @@ type InsertMembershipDirectInput struct {
 // writes as ApproveApplication: the per-game race-name reservation
 // row plus the membership row, and refreshes the in-memory caches.
 //
-// The method is intended for boot-time provisioning by
+// The method is intended for trusted boot-time provisioning and
-// `backend/internal/devsandbox` and similar trusted callers. It is
+// integration tests; it is not exposed through any HTTP handler. The
-// not exposed through any HTTP handler. The caller must guarantee
+// caller must guarantee
 // game.Status == GameStatusEnrollmentOpen — the function returns
 // ErrConflict otherwise — and that the race-name policy and
 // canonical-key invariants are honoured (the implementation reuses
@@ -30,9 +30,8 @@ type InsertMembershipDirectInput struct {
 // or unsuitable name still fails).
 //
 // Idempotency: if a membership for (GameID, UserID) already exists
-// the function returns the existing row without modifying state.
+// the function returns the existing row without modifying state, so
-// This makes the helper safe to call on every backend boot from
+// the helper is safe to call repeatedly.
 // devsandbox.Bootstrap.
 func (s *Service) InsertMembershipDirect(ctx context.Context, in InsertMembershipDirectInput) (Membership, error) {
 	displayName, err := ValidateDisplayName(in.RaceName)
 	if err != nil {
@@ -236,9 +236,8 @@ func (s *Store) ListMyGames(ctx context.Context, userID uuid.UUID) ([]GameRecord
 // referencing table (memberships / applications / invites /
 // runtime_records / player_mappings — all declared with ON DELETE
 // CASCADE in `00001_init.sql`). Idempotent: returns nil when no row
-// matches. Used by the dev-sandbox bootstrap to scrub terminal
+// matches. A hard delete for trusted callers and integration tests;
-// games on every backend boot so the developer's lobby never piles
+// production lifecycle uses cancel / finish.
 // up cancelled tiles.
 func (s *Store) DeleteGame(ctx context.Context, gameID uuid.UUID) error {
 	g := table.Games
 	stmt := g.DELETE().WHERE(g.GameID.EQ(postgres.UUID(gameID)))
@@ -0,0 +1,139 @@
 // Package opsstatus reads point-in-time operational signals from Postgres for
 // the admin console dashboard: database reachability, per-status counts of game
 // runtimes, mail deliveries, and notification routes, plus the malformed
 // notification-intent count.
 //
 // It is a read-only projection built entirely through the go-jet query builder
 // against the generated table bindings; it owns no business logic and mutates
 // nothing. Richer, historical metrics are out of scope — those belong to the
 // Prometheus exporters wired on `backend` and `gateway`.
 package opsstatus
 import (
 	"context"
 	"database/sql"
 	"fmt"
 	"time"
 	"galaxy/backend/internal/postgres/jet/backend/table"
 	"github.com/go-jet/jet/v2/postgres"
 )
 // defaultCollectTimeout bounds a single Collect call so a slow or wedged
 // database cannot hang the dashboard request.
 const defaultCollectTimeout = 3 * time.Second
 // StatusCount pairs a status value with the number of rows currently in it.
 type StatusCount struct {
 	Status string
 	Count  int64
 }
 // Snapshot is a point-in-time view of the operational signals rendered on the
 // dashboard. Errors collects per-query failures so a single failing probe
 // degrades to a visible note rather than failing the whole page.
 type Snapshot struct {
 	PostgresHealthy       bool
 	Runtimes              []StatusCount
 	MailDeliveries        []StatusCount
 	NotificationRoutes    []StatusCount
 	NotificationMalformed int64
 	Errors                []string
 }
 // Reader collects an operational Snapshot. The admin console depends on this
 // interface so the dashboard can be tested without a database.
 type Reader interface {
 	Collect(ctx context.Context) Snapshot
 }
 // Store is the Postgres-backed Reader.
 type Store struct {
 	db      *sql.DB
 	timeout time.Duration
 }
 // NewStore constructs a Store reading from db.
 func NewStore(db *sql.DB) *Store {
 	return &Store{db: db, timeout: defaultCollectTimeout}
 }
 // Collect gathers the dashboard signals within a bounded timeout. It never
 // returns an error: a failed probe is recorded in Snapshot.Errors and the
 // remaining probes still run, except that a failed Postgres ping short-circuits
 // the rest (the dependent queries would only fail the same way).
 func (s *Store) Collect(ctx context.Context) Snapshot {
 	ctx, cancel := context.WithTimeout(ctx, s.timeout)
 	defer cancel()
 	var snap Snapshot
 	if err := s.db.PingContext(ctx); err != nil {
 		snap.Errors = append(snap.Errors, fmt.Sprintf("postgres ping: %v", err))
 		return snap
 	}
 	snap.PostgresHealthy = true
 	if counts, err := s.statusCounts(ctx, table.RuntimeRecords.Status, table.RuntimeRecords); err != nil {
 		snap.Errors = append(snap.Errors, fmt.Sprintf("runtime status counts: %v", err))
 	} else {
 		snap.Runtimes = counts
 	}
 	if counts, err := s.statusCounts(ctx, table.MailDeliveries.Status, table.MailDeliveries); err != nil {
 		snap.Errors = append(snap.Errors, fmt.Sprintf("mail delivery counts: %v", err))
 	} else {
 		snap.MailDeliveries = counts
 	}
 	if counts, err := s.statusCounts(ctx, table.NotificationRoutes.Status, table.NotificationRoutes); err != nil {
 		snap.Errors = append(snap.Errors, fmt.Sprintf("notification route counts: %v", err))
 	} else {
 		snap.NotificationRoutes = counts
 	}
 	if n, err := s.countAll(ctx, table.NotificationMalformedIntents); err != nil {
 		snap.Errors = append(snap.Errors, fmt.Sprintf("malformed notification count: %v", err))
 	} else {
 		snap.NotificationMalformed = n
 	}
 	return snap
 }
 // statusCounts runs `SELECT status, COUNT(*) FROM <from> GROUP BY status`
 // through jet and returns the rows ordered by status.
 func (s *Store) statusCounts(ctx context.Context, status postgres.ColumnString, from postgres.ReadableTable) ([]StatusCount, error) {
 	stmt := postgres.SELECT(
 		status.AS("status_count.status"),
 		postgres.COUNT(postgres.STAR).AS("status_count.count"),
 	).FROM(from).GROUP_BY(status).ORDER_BY(status.ASC())
 	var rows []struct {
 		Status string `alias:"status_count.status"`
 		Count  int64  `alias:"status_count.count"`
 	}
 	if err := stmt.QueryContext(ctx, s.db, &rows); err != nil {
 		return nil, err
 	}
 	out := make([]StatusCount, len(rows))
 	for i, row := range rows {
 		out[i] = StatusCount{Status: row.Status, Count: row.Count}
 	}
 	return out, nil
 }
 // countAll runs `SELECT COUNT(*) FROM <from>` through jet.
 func (s *Store) countAll(ctx context.Context, from postgres.ReadableTable) (int64, error) {
 	stmt := postgres.SELECT(postgres.COUNT(postgres.STAR).AS("count")).FROM(from)
 	var row struct {
 		Count int64 `alias:"count"`
 	}
 	if err := stmt.QueryContext(ctx, s.db, &row); err != nil {
 		return 0, err
 	}
 	return row.Count, nil
 }
@@ -0,0 +1,155 @@
 package opsstatus_test
 import (
 	"context"
 	"database/sql"
 	"net/url"
 	"testing"
 	"time"
 	"galaxy/backend/internal/mail"
 	"galaxy/backend/internal/opsstatus"
 	backendpg "galaxy/backend/internal/postgres"
 	pgshared "galaxy/postgres"
 	"github.com/google/uuid"
 	testcontainers "github.com/testcontainers/testcontainers-go"
 	tcpostgres "github.com/testcontainers/testcontainers-go/modules/postgres"
 	"github.com/testcontainers/testcontainers-go/wait"
 )
 const (
 	pgImage    = "postgres:16-alpine"
 	pgUser     = "galaxy"
 	pgPassword = "galaxy"
 	pgDatabase = "galaxy_backend"
 	pgSchema   = "backend"
 	pgStartup  = 90 * time.Second
 	pgOpTO     = 10 * time.Second
 )
 // startPostgres mirrors the per-package scaffolding used by the other store
 // tests: spin up Postgres, apply migrations, return *sql.DB.
 func startPostgres(t *testing.T) *sql.DB {
 	t.Helper()
 	ctx, cancel := context.WithTimeout(context.Background(), 3*time.Minute)
 	t.Cleanup(cancel)
 	pgContainer, err := tcpostgres.Run(ctx, pgImage,
 		tcpostgres.WithDatabase(pgDatabase),
 		tcpostgres.WithUsername(pgUser),
 		tcpostgres.WithPassword(pgPassword),
 		testcontainers.WithWaitStrategy(
 			wait.ForLog("database system is ready to accept connections").
 				WithOccurrence(2).
 				WithStartupTimeout(pgStartup),
 		),
 	)
 	if err != nil {
 		t.Skipf("postgres testcontainer unavailable, skipping: %v", err)
 	}
 	t.Cleanup(func() {
 		if termErr := testcontainers.TerminateContainer(pgContainer); termErr != nil {
 			t.Errorf("terminate postgres container: %v", termErr)
 		}
 	})
 	baseDSN, err := pgContainer.ConnectionString(ctx, "sslmode=disable")
 	if err != nil {
 		t.Fatalf("connection string: %v", err)
 	}
 	scopedDSN, err := dsnWithSearchPath(baseDSN, pgSchema)
 	if err != nil {
 		t.Fatalf("scope dsn: %v", err)
 	}
 	cfg := pgshared.DefaultConfig()
 	cfg.PrimaryDSN = scopedDSN
 	cfg.OperationTimeout = pgOpTO
 	db, err := pgshared.OpenPrimary(ctx, cfg, backendpg.NoObservabilityOptions()...)
 	if err != nil {
 		t.Fatalf("open primary: %v", err)
 	}
 	t.Cleanup(func() { _ = db.Close() })
 	if err := pgshared.Ping(ctx, db, cfg.OperationTimeout); err != nil {
 		t.Fatalf("ping: %v", err)
 	}
 	if err := backendpg.ApplyMigrations(ctx, db); err != nil {
 		t.Fatalf("apply migrations: %v", err)
 	}
 	return db
 }
 func dsnWithSearchPath(baseDSN, schema string) (string, error) {
 	parsed, err := url.Parse(baseDSN)
 	if err != nil {
 		return "", err
 	}
 	values := parsed.Query()
 	values.Set("search_path", schema)
 	if values.Get("sslmode") == "" {
 		values.Set("sslmode", "disable")
 	}
 	parsed.RawQuery = values.Encode()
 	return parsed.String(), nil
 }
 func TestStoreCollect(t *testing.T) {
 	db := startPostgres(t)
 	store := opsstatus.NewStore(db)
 	ctx := context.Background()
 	// Empty schema: queries must execute cleanly with zero counts.
 	empty := store.Collect(ctx)
 	if !empty.PostgresHealthy {
 		t.Fatal("PostgresHealthy must be true against a reachable database")
 	}
 	if len(empty.Errors) != 0 {
 		t.Fatalf("unexpected collection errors: %v", empty.Errors)
 	}
 	if got := totalCount(empty.MailDeliveries); got != 0 {
 		t.Fatalf("mail deliveries total = %d, want 0", got)
 	}
 	if len(empty.Runtimes) != 0 || len(empty.NotificationRoutes) != 0 {
 		t.Fatalf("expected empty status slices, got runtimes=%v routes=%v", empty.Runtimes, empty.NotificationRoutes)
 	}
 	if empty.NotificationMalformed != 0 {
 		t.Fatalf("malformed notifications = %d, want 0", empty.NotificationMalformed)
 	}
 	// Enqueue one mail delivery and confirm the GROUP BY count reflects it.
 	mailStore := mail.NewStore(db)
 	inserted, err := mailStore.InsertEnqueue(ctx, mail.EnqueueArgs{
 		DeliveryID:     uuid.New(),
 		TemplateID:     mail.TemplateLoginCode,
 		IdempotencyKey: uuid.NewString(),
 		Recipients:     []string{"ops@example.test"},
 		ContentType:    "text/plain",
 		Subject:        "hello",
 		Body:           []byte("hi"),
 	})
 	if err != nil {
 		t.Fatalf("insert mail delivery: %v", err)
 	}
 	if !inserted {
 		t.Fatal("expected the delivery to be inserted")
 	}
 	after := store.Collect(ctx)
 	if len(after.Errors) != 0 {
 		t.Fatalf("unexpected collection errors after insert: %v", after.Errors)
 	}
 	if got := totalCount(after.MailDeliveries); got != 1 {
 		t.Fatalf("mail deliveries total after insert = %d, want 1 (statuses: %v)", got, after.MailDeliveries)
 	}
 }
 func totalCount(counts []opsstatus.StatusCount) int64 {
 	var total int64
 	for _, c := range counts {
 		total += c.Count
 	}
 	return total
 }
@@ -10,7 +10,10 @@ package postgres
 import (
 	"context"
 	"database/sql"
 	"database/sql/driver"
 	"errors"
 	"fmt"
 	"strings"
 	"time"
 	"galaxy/backend/internal/config"
@@ -67,18 +70,84 @@ func Open(ctx context.Context, cfg config.PostgresConfig, runtime *telemetry.Run
 // backend table lives here.
 const schemaName = "backend"
 // migrationRetryAttempts and migrationRetryBackoff bound the transient-error
 // retry around ApplyMigrations. A freshly started Postgres — notably a test
 // container — can reset a pooled connection moments after it reports ready,
 // which surfaces as `driver: bad connection` mid-migration; a handful of quick
 // retries rides over that without masking real failures.
 const (
 	migrationRetryAttempts = 5
 	migrationRetryBackoff  = 250 * time.Millisecond
 )
 // ApplyMigrations runs every pending Up migration embedded in the backend
 // binary against db. The schema is created upfront so goose's bookkeeping
 // table (`goose_db_version`, scoped to the DSN `search_path = backend`)
 // has somewhere to land before the first migration runs; migration
 // `00001_init.sql` re-asserts the schema with `IF NOT EXISTS`, so the
 // double-create is idempotent.
 //
 // The apply is retried on transient connection errors (see retryOnTransient).
 // Both steps are idempotent — `CREATE SCHEMA IF NOT EXISTS` and goose's
 // version tracking — so a retry after a dropped connection re-runs cleanly and
 // resumes from the last committed migration.
 func ApplyMigrations(ctx context.Context, db *sql.DB) error {
-	if _, err := db.ExecContext(ctx, "CREATE SCHEMA IF NOT EXISTS "+schemaName); err != nil {
+	return retryOnTransient(ctx, migrationRetryAttempts, migrationRetryBackoff, func() error {
-		return fmt.Errorf("ensure backend schema: %w", err)
+		if _, err := db.ExecContext(ctx, "CREATE SCHEMA IF NOT EXISTS "+schemaName); err != nil {
-	}
+			return fmt.Errorf("ensure backend schema: %w", err)
-	if err := pgshared.RunMigrations(ctx, db, migrations.Migrations(), "."); err != nil {
+		}
-		return fmt.Errorf("apply backend migrations: %w", err)
+		if err := pgshared.RunMigrations(ctx, db, migrations.Migrations(), "."); err != nil {
-	}
+			return fmt.Errorf("apply backend migrations: %w", err)
-	return nil
+		}
 		return nil
 	})
 }
 // retryOnTransient runs op up to attempts times, retrying only when op fails
 // with a transient connection error (see isTransientConnError) — a dropped,
 // reset, or refused connection, as opposed to a deterministic SQL error. It
 // waits backoff between attempts and stops early if ctx is cancelled. A
 // non-transient error, or the error from the final attempt, is returned as-is.
 func retryOnTransient(ctx context.Context, attempts int, backoff time.Duration, op func() error) error {
 	var err error
 	for attempt := 1; attempt <= attempts; attempt++ {
 		if err = op(); err == nil {
 			return nil
 		}
 		if attempt == attempts || !isTransientConnError(err) {
 			return err
 		}
 		select {
 		case <-ctx.Done():
 			return errors.Join(err, ctx.Err())
 		case <-time.After(backoff):
 		}
 	}
 	return err
 }
 // isTransientConnError reports whether err is a transient connection-level
 // failure worth retrying. It matches database/sql's driver.ErrBadConn and the
 // connection-failure messages Postgres drivers surface, while leaving
 // deterministic SQL errors (syntax, constraint violations) to fail fast.
 func isTransientConnError(err error) bool {
 	if err == nil {
 		return false
 	}
 	if errors.Is(err, driver.ErrBadConn) {
 		return true
 	}
 	msg := strings.ToLower(err.Error())
 	for _, s := range []string{
 		"bad connection",
 		"connection refused",
 		"connection reset",
 		"broken pipe",
 		"server closed the connection",
 	} {
 		if strings.Contains(msg, s) {
 			return true
 		}
 	}
 	return false
 }
@@ -0,0 +1,103 @@
 package postgres
 import (
 	"context"
 	"database/sql/driver"
 	"errors"
 	"fmt"
 	"testing"
 	"time"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 )
 func TestIsTransientConnError(t *testing.T) {
 	t.Parallel()
 	tests := []struct {
 		name string
 		err  error
 		want bool
 	}{
 		{"nil", nil, false},
 		{"driver.ErrBadConn", driver.ErrBadConn, true},
 		{"wrapped ErrBadConn", fmt.Errorf("run migrations: %w", driver.ErrBadConn), true},
 		// The exact shape observed flaking CI: goose surfaces the driver
 		// error as a plain string, so errors.Is can't see ErrBadConn.
 		{"bad connection string", errors.New(`apply backend migrations: run migrations: ERROR 00001_init.sql: CREATE TABLE race_names: driver: bad connection`), true},
 		{"connection refused", errors.New("dial tcp 127.0.0.1:5432: connect: connection refused"), true},
 		{"connection reset", errors.New("read tcp: connection reset by peer"), true},
 		{"broken pipe", errors.New("write tcp: broken pipe"), true},
 		{"server closed", errors.New("pq: server closed the connection unexpectedly"), true},
 		{"syntax error is not transient", errors.New(`pq: syntax error at or near "TABL"`), false},
 		{"constraint violation is not transient", errors.New("pq: duplicate key value violates unique constraint"), false},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			t.Parallel()
 			assert.Equal(t, tt.want, isTransientConnError(tt.err))
 		})
 	}
 }
 func TestRetryOnTransientSucceedsAfterTransientFailures(t *testing.T) {
 	t.Parallel()
 	calls := 0
 	err := retryOnTransient(context.Background(), 5, time.Millisecond, func() error {
 		calls++
 		if calls < 3 {
 			return fmt.Errorf("attempt %d: %w", calls, driver.ErrBadConn)
 		}
 		return nil
 	})
 	require.NoError(t, err)
 	assert.Equal(t, 3, calls, "should retry until the transient error clears")
 }
 func TestRetryOnTransientStopsOnNonTransient(t *testing.T) {
 	t.Parallel()
 	sentinel := errors.New(`pq: syntax error at or near "TABL"`)
 	calls := 0
 	err := retryOnTransient(context.Background(), 5, time.Millisecond, func() error {
 		calls++
 		return sentinel
 	})
 	require.ErrorIs(t, err, sentinel)
 	assert.Equal(t, 1, calls, "a deterministic SQL error must not be retried")
 }
 func TestRetryOnTransientExhaustsAttempts(t *testing.T) {
 	t.Parallel()
 	calls := 0
 	err := retryOnTransient(context.Background(), 3, time.Millisecond, func() error {
 		calls++
 		return driver.ErrBadConn
 	})
 	require.ErrorIs(t, err, driver.ErrBadConn)
 	assert.Equal(t, 3, calls, "must stop after the attempt budget is spent")
 }
 func TestRetryOnTransientRespectsContextCancellation(t *testing.T) {
 	t.Parallel()
 	ctx, cancel := context.WithCancel(context.Background())
 	cancel()
 	calls := 0
 	err := retryOnTransient(ctx, 5, time.Hour, func() error {
 		calls++
 		return driver.ErrBadConn
 	})
 	require.ErrorIs(t, err, context.Canceled)
 	require.ErrorIs(t, err, driver.ErrBadConn, "the underlying transient error is preserved")
 	assert.Equal(t, 1, calls, "cancellation during backoff stops further attempts")
 }
@@ -52,7 +52,7 @@ var (
 	ErrTurnAlreadyClosed = errors.New("runtime: turn already closed")
 	// ErrGamePaused reports that the game is not in a state that
-	// accepts user-games commands or orders: the runtime row
+	// accepts user-games orders: the runtime row
 	// carries `paused = true`, or the runtime status lands on any
 	// terminal value (`engine_unreachable`, `generation_failed`,
 	// `stopped`, `finished`, `removed`), or the game has not yet
@@ -258,10 +258,10 @@ func (s *Service) ResolvePlayerMapping(ctx context.Context, gameID, userID uuid.
 }
 // CheckOrdersAccept verifies that the runtime is in a state that
-// accepts user-games commands and orders. It is called by the user
+// accepts user-games orders. It is called by the user game-proxy
-// game-proxy handlers (`Commands`, `Orders`) before forwarding to
+// handler (`Orders`) before forwarding to engine, so the backend's
-// engine, so the backend's turn-cutoff and pause guards run before
+// turn-cutoff and pause guards run before network traffic leaves the
-// network traffic leaves the host. The decision itself lives in the
+// host. The decision itself lives in the
 // pure helper `OrdersAcceptStatus` so it can be unit-tested without
 // constructing a full Service.
 //
@@ -276,7 +276,7 @@ func (s *Service) CheckOrdersAccept(ctx context.Context, gameID uuid.UUID) error
 }
 // OrdersAcceptStatus inspects a runtime record and returns the
-// matching sentinel for the user-games order/command pre-check:
+// matching sentinel for the user-games order pre-check:
 //
 //   - `runtime_status = generation_in_progress` → `ErrTurnAlreadyClosed`.
 //     The cron-driven `Scheduler.tick` has flipped the row before
@@ -607,7 +607,7 @@ func (s *Service) runStart(ctx context.Context, op OperationLog) error {
 		return err
 	}
-	initResp, err := s.deps.Engine.Init(ctx, runResult.EngineEndpoint, rest.InitRequest{Races: races})
+	initResp, err := s.deps.Engine.Init(ctx, runResult.EngineEndpoint, rest.InitRequest{GameID: gameID, Races: races})
 	if err != nil {
 		s.deps.Logger.Warn("engine init failed",
 			zap.String("game_id", gameID.String()),
@@ -203,6 +203,13 @@ func TestServiceStartGameEndToEnd(t *testing.T) {
 		case "/healthz":
 			w.WriteHeader(http.StatusOK)
 		case "/api/v1/admin/init":
 			var got rest.InitRequest
 			if err := json.NewDecoder(r.Body).Decode(&got); err != nil {
 				t.Errorf("decode init request: %v", err)
 			}
 			if got.GameID != gameID {
 				t.Errorf("init request gameId = %s, want %s", got.GameID, gameID)
 			}
 			_ = json.NewEncoder(w).Encode(rest.StateResponse{ID: gameID, Turn: 0, Players: []rest.PlayerState{{RaceName: "Alpha", Planets: 3, Population: 10}}})
 		case "/api/v1/admin/status":
 			_ = json.NewEncoder(w).Encode(rest.StateResponse{ID: gameID, Turn: 1, Players: []rest.PlayerState{{RaceName: "Alpha", Planets: 5, Population: 12}}})
@@ -0,0 +1,235 @@
 package server
 import (
 	"bytes"
 	"net/http"
 	"net/url"
 	"strings"
 	"galaxy/backend/internal/adminconsole"
 	"galaxy/backend/internal/opsstatus"
 	"galaxy/backend/internal/server/httperr"
 	"galaxy/backend/internal/server/middleware/basicauth"
 	"github.com/gin-gonic/gin"
 	"go.uber.org/zap"
 )
 // AdminConsoleHandlers renders the server-side operator console mounted under
 // the `/_gm` route group. It wraps the framework-agnostic
 // adminconsole.Renderer and CSRF signer with the gin glue: the per-page
 // handlers, the embedded static-asset handler, and the CSRF guard middleware
 // applied to state-changing requests. Authentication is provided by the shared
 // admin Basic Auth middleware mounted on the group, so this type assumes the
 // caller has already been verified.
 type AdminConsoleHandlers struct {
 	renderer *adminconsole.Renderer
 	csrf     *adminconsole.CSRF
 	assets   http.Handler
 	monitor        opsstatus.Reader
 	ready          func() bool
 	users          UserAdmin
 	games          GameAdmin
 	runtime        RuntimeAdmin
 	engineVersions EngineVersionAdmin
 	operators      OperatorAdmin
 	mail           MailAdmin
 	notifications  NotificationAdmin
 	diplomail      DiplomailAdmin
 	logger         *zap.Logger
 }
 // AdminConsoleDeps bundles the collaborators for the operator console. Every
 // field is optional: a nil Renderer or CSRF falls back to the embedded default
 // templates and a per-process random key; a nil Monitor renders the dashboard
 // without the monitoring panels; a nil Ready reports backend readiness as not
 // ready; a nil Logger falls back to zap.NewNop.
 type AdminConsoleDeps struct {
 	Renderer *adminconsole.Renderer
 	CSRF     *adminconsole.CSRF
 	Monitor        opsstatus.Reader
 	Ready          func() bool
 	Users          UserAdmin
 	Games          GameAdmin
 	Runtime        RuntimeAdmin
 	EngineVersions EngineVersionAdmin
 	Operators      OperatorAdmin
 	Mail           MailAdmin
 	Notifications  NotificationAdmin
 	Diplomail      DiplomailAdmin
 	Logger         *zap.Logger
 }
 // NewAdminConsoleHandlers constructs the console handler set from deps. It
 // panics only on conditions that are unrecoverable at startup (template parse
 // failure or crypto/rand failure), both of which indicate a broken build or
 // host rather than a runtime input.
 func NewAdminConsoleHandlers(deps AdminConsoleDeps) *AdminConsoleHandlers {
 	logger := deps.Logger
 	if logger == nil {
 		logger = zap.NewNop()
 	}
 	renderer := deps.Renderer
 	if renderer == nil {
 		renderer = adminconsole.MustNewRenderer()
 	}
 	csrf := deps.CSRF
 	if csrf == nil {
 		generated, err := adminconsole.NewRandomCSRF()
 		if err != nil {
 			panic(err)
 		}
 		csrf = generated
 	}
 	assetsFS, err := adminconsole.Assets()
 	if err != nil {
 		panic(err)
 	}
 	return &AdminConsoleHandlers{
 		renderer: renderer,
 		csrf:     csrf,
 		assets:   http.StripPrefix("/_gm/assets/", http.FileServer(http.FS(assetsFS))),
 		monitor:        deps.Monitor,
 		ready:          deps.Ready,
 		users:          deps.Users,
 		games:          deps.Games,
 		runtime:        deps.Runtime,
 		engineVersions: deps.EngineVersions,
 		operators:      deps.Operators,
 		mail:           deps.Mail,
 		notifications:  deps.Notifications,
 		diplomail:      deps.Diplomail,
 		logger:         logger.Named("http.admin.console"),
 	}
 }
 // Dashboard renders the console landing page (GET /_gm and GET /_gm/),
 // including the monitoring panels when an ops-status reader is wired.
 func (h *AdminConsoleHandlers) Dashboard() gin.HandlerFunc {
 	return func(c *gin.Context) {
 		data := adminconsole.DashboardData{}
 		if h.ready != nil {
 			data.BackendReady = h.ready()
 		}
 		if h.monitor != nil {
 			data.MonitorAvailable = true
 			snapshot := h.monitor.Collect(c.Request.Context())
 			data.PostgresHealthy = snapshot.PostgresHealthy
 			data.Runtimes = toViewCounts(snapshot.Runtimes)
 			data.MailDeliveries = toViewCounts(snapshot.MailDeliveries)
 			data.NotificationRoutes = toViewCounts(snapshot.NotificationRoutes)
 			data.NotificationMalformed = snapshot.NotificationMalformed
 			data.Errors = snapshot.Errors
 		}
 		h.render(c, http.StatusOK, "dashboard", "dashboard", "Dashboard", data)
 	}
 }
 // toViewCounts maps ops-status counts to the console's view-layer counts.
 func toViewCounts(in []opsstatus.StatusCount) []adminconsole.StatusCount {
 	if len(in) == 0 {
 		return nil
 	}
 	out := make([]adminconsole.StatusCount, len(in))
 	for i, sc := range in {
 		out[i] = adminconsole.StatusCount{Status: sc.Status, Count: sc.Count}
 	}
 	return out
 }
 // Asset serves the embedded console static assets under `/_gm/assets/`.
 func (h *AdminConsoleHandlers) Asset() gin.HandlerFunc {
 	return gin.WrapH(h.assets)
 }
 // RequireCSRF returns middleware guarding state-changing requests against
 // cross-site request forgery. Safe methods pass through untouched. For unsafe
 // methods it requires both a same-origin Origin/Referer header (when the
 // browser sends one) and a valid per-operator token in the `_csrf` form field;
 // either check failing yields 403.
 func (h *AdminConsoleHandlers) RequireCSRF() gin.HandlerFunc {
 	return func(c *gin.Context) {
 		if isSafeHTTPMethod(c.Request.Method) {
 			c.Next()
 			return
 		}
 		if !sameOriginRequest(c.Request) {
 			httperr.Abort(c, http.StatusForbidden, httperr.CodeForbidden, "cross-origin request rejected")
 			return
 		}
 		username, _ := basicauth.UsernameFromContext(c.Request.Context())
 		if !h.csrf.Verify(username, c.PostForm("_csrf")) {
 			httperr.Abort(c, http.StatusForbidden, httperr.CodeForbidden, "invalid or missing CSRF token")
 			return
 		}
 		c.Next()
 	}
 }
 // render composes the data common to every console page (operator name, CSRF
 // token, active navigation entry) and writes the named page. It renders into an
 // intermediate buffer so a template failure surfaces as a clean 500 without
 // emitting a partial document.
 func (h *AdminConsoleHandlers) render(c *gin.Context, status int, page, activeNav, title string, data any) {
 	username, _ := basicauth.UsernameFromContext(c.Request.Context())
 	var buf bytes.Buffer
 	err := h.renderer.Render(&buf, page, adminconsole.PageData{
 		Title:     title,
 		Username:  username,
 		CSRFToken: h.csrf.Token(username),
 		ActiveNav: activeNav,
 		Data:      data,
 	})
 	if err != nil {
 		h.logger.Error("render admin console page", zap.String("page", page), zap.Error(err))
 		httperr.Abort(c, http.StatusInternalServerError, httperr.CodeInternalError, "failed to render page")
 		return
 	}
 	c.Data(status, "text/html; charset=utf-8", buf.Bytes())
 }
 // renderMessage renders the generic message page (not-found, validation, or
 // operation-failure notices). class selects the CSS styling and backHref, when
 // non-empty, adds a back link.
 func (h *AdminConsoleHandlers) renderMessage(c *gin.Context, status int, activeNav, title, message, class, backHref string) {
 	h.render(c, status, "message", activeNav, title, adminconsole.MessageData{
 		Message:  message,
 		Class:    class,
 		BackHref: backHref,
 	})
 }
 // isSafeHTTPMethod reports whether method is a read-only HTTP method that the
 // CSRF guard may let through without a token.
 func isSafeHTTPMethod(method string) bool {
 	switch method {
 	case http.MethodGet, http.MethodHead, http.MethodOptions:
 		return true
 	default:
 		return false
 	}
 }
 // sameOriginRequest reports whether the request's Origin (or, failing that,
 // Referer) names the same host as the request itself. A request that carries
 // neither header is treated as same-origin, leaving the CSRF token as the sole
 // guard; a malformed or cross-host value is rejected. This relies on the
 // gateway reverse proxy preserving the inbound Host header.
 func sameOriginRequest(r *http.Request) bool {
 	source := r.Header.Get("Origin")
 	if source == "" {
 		source = r.Header.Get("Referer")
 	}
 	if source == "" {
 		return true
 	}
 	parsed, err := url.Parse(source)
 	if err != nil || parsed.Host == "" {
 		return false
 	}
 	return strings.EqualFold(parsed.Host, r.Host)
 }
@@ -0,0 +1,423 @@
 package server
 import (
 	"context"
 	"errors"
 	"net/http"
 	"strconv"
 	"strings"
 	"time"
 	"galaxy/backend/internal/adminconsole"
 	"galaxy/backend/internal/lobby"
 	"galaxy/backend/internal/runtime"
 	"github.com/gin-gonic/gin"
 	"github.com/google/uuid"
 	"go.uber.org/zap"
 )
 // GameAdmin is the subset of the lobby service the console uses for games.
 type GameAdmin interface {
 	ListAdminGames(ctx context.Context, page, pageSize int) (lobby.GamePage, error)
 	GetGame(ctx context.Context, gameID uuid.UUID) (lobby.GameRecord, error)
 	CreateGame(ctx context.Context, input lobby.CreateGameInput) (lobby.GameRecord, error)
 	AdminForceStart(ctx context.Context, gameID uuid.UUID) (lobby.GameRecord, error)
 	AdminForceStop(ctx context.Context, gameID uuid.UUID) (lobby.GameRecord, error)
 	AdminBanMember(ctx context.Context, gameID, userID uuid.UUID, reason string) (lobby.Membership, error)
 }
 // RuntimeAdmin is the subset of the runtime service the console uses.
 type RuntimeAdmin interface {
 	GetRuntime(ctx context.Context, gameID uuid.UUID) (runtime.RuntimeRecord, error)
 	AdminRestart(ctx context.Context, gameID uuid.UUID) (runtime.OperationLog, error)
 	AdminPatch(ctx context.Context, gameID uuid.UUID, targetVersion string) (runtime.OperationLog, error)
 	AdminForceNextTurn(ctx context.Context, gameID uuid.UUID) (runtime.OperationLog, error)
 }
 // EngineVersionAdmin is the subset of the engine-version service the console uses.
 type EngineVersionAdmin interface {
 	List(ctx context.Context) ([]runtime.EngineVersion, error)
 	Register(ctx context.Context, in runtime.RegisterInput) (runtime.EngineVersion, error)
 	Disable(ctx context.Context, version string) (runtime.EngineVersion, error)
 }
 // GamesList renders GET /_gm/games.
 func (h *AdminConsoleHandlers) GamesList() gin.HandlerFunc {
 	return func(c *gin.Context) {
 		if h.games == nil {
 			h.renderMessage(c, http.StatusServiceUnavailable, "games", "Games", "Game administration is not available.", "bad", "/_gm/")
 			return
 		}
 		page := parsePositiveQueryInt(c.Query("page"), 1)
 		pageSize := parsePositiveQueryInt(c.Query("page_size"), 50)
 		result, err := h.games.ListAdminGames(c.Request.Context(), page, pageSize)
 		if err != nil {
 			h.logger.Error("admin console: list games", zap.Error(err))
 			h.renderMessage(c, http.StatusInternalServerError, "games", "Games", "Failed to load games.", "bad", "/_gm/")
 			return
 		}
 		h.render(c, http.StatusOK, "games", "games", "Games", toGamesListData(result))
 	}
 }
 // GameCreate handles POST /_gm/games — create a public game.
 func (h *AdminConsoleHandlers) GameCreate() gin.HandlerFunc {
 	return func(c *gin.Context) {
 		if h.games == nil {
 			h.renderMessage(c, http.StatusServiceUnavailable, "games", "Games", "Game administration is not available.", "bad", "/_gm/")
 			return
 		}
 		enrollmentEndsAt, err := parseConsoleDateTime(c.PostForm("enrollment_ends_at"))
 		if err != nil {
 			h.renderMessage(c, http.StatusBadRequest, "games", "Invalid input", "Enrollment end must be a valid date/time.", "bad", "/_gm/games")
 			return
 		}
 		game, err := h.games.CreateGame(c.Request.Context(), lobby.CreateGameInput{
 			OwnerUserID:         nil,
 			Visibility:          lobby.VisibilityPublic,
 			GameName:            strings.TrimSpace(c.PostForm("game_name")),
 			Description:         strings.TrimSpace(c.PostForm("description")),
 			MinPlayers:          formInt32(c, "min_players"),
 			MaxPlayers:          formInt32(c, "max_players"),
 			StartGapHours:       formInt32(c, "start_gap_hours"),
 			StartGapPlayers:     formInt32(c, "start_gap_players"),
 			EnrollmentEndsAt:    enrollmentEndsAt,
 			TurnSchedule:        strings.TrimSpace(c.PostForm("turn_schedule")),
 			TargetEngineVersion: strings.TrimSpace(c.PostForm("target_engine_version")),
 		})
 		if err != nil {
 			if errors.Is(err, lobby.ErrInvalidInput) {
 				h.renderMessage(c, http.StatusBadRequest, "games", "Invalid input", "The game could not be created: check the fields.", "bad", "/_gm/games")
 				return
 			}
 			h.logger.Error("admin console: create game", zap.Error(err))
 			h.renderMessage(c, http.StatusInternalServerError, "games", "Create failed", "Failed to create the game.", "bad", "/_gm/games")
 			return
 		}
 		c.Redirect(http.StatusSeeOther, "/_gm/games/"+game.GameID.String())
 	}
 }
 // GameDetail renders GET /_gm/games/:game_id with the runtime snapshot.
 func (h *AdminConsoleHandlers) GameDetail() gin.HandlerFunc {
 	return func(c *gin.Context) {
 		if h.games == nil {
 			h.renderMessage(c, http.StatusServiceUnavailable, "games", "Games", "Game administration is not available.", "bad", "/_gm/")
 			return
 		}
 		gameID, ok := parseGameIDParam(c)
 		if !ok {
 			return
 		}
 		game, err := h.games.GetGame(c.Request.Context(), gameID)
 		if err != nil {
 			if errors.Is(err, lobby.ErrNotFound) {
 				h.renderMessage(c, http.StatusNotFound, "games", "Game not found", "No such game.", "bad", "/_gm/games")
 				return
 			}
 			h.logger.Error("admin console: get game", zap.Error(err))
 			h.renderMessage(c, http.StatusInternalServerError, "games", "Games", "Failed to load the game.", "bad", "/_gm/games")
 			return
 		}
 		var runtimeRecord *runtime.RuntimeRecord
 		if h.runtime != nil {
 			if record, rtErr := h.runtime.GetRuntime(c.Request.Context(), gameID); rtErr == nil {
 				runtimeRecord = &record
 			}
 		}
 		h.render(c, http.StatusOK, "game_detail", "games", game.GameName, toGameDetailData(game, runtimeRecord))
 	}
 }
 // GameForceStart handles POST /_gm/games/:game_id/force-start.
 func (h *AdminConsoleHandlers) GameForceStart() gin.HandlerFunc {
 	return h.gameAction("force-start", func(ctx context.Context, gameID uuid.UUID) error {
 		_, err := h.games.AdminForceStart(ctx, gameID)
 		return err
 	})
 }
 // GameForceStop handles POST /_gm/games/:game_id/force-stop.
 func (h *AdminConsoleHandlers) GameForceStop() gin.HandlerFunc {
 	return h.gameAction("force-stop", func(ctx context.Context, gameID uuid.UUID) error {
 		_, err := h.games.AdminForceStop(ctx, gameID)
 		return err
 	})
 }
 // GameBanMember handles POST /_gm/games/:game_id/ban-member.
 func (h *AdminConsoleHandlers) GameBanMember() gin.HandlerFunc {
 	return func(c *gin.Context) {
 		if h.games == nil {
 			h.renderMessage(c, http.StatusServiceUnavailable, "games", "Games", "Game administration is not available.", "bad", "/_gm/")
 			return
 		}
 		gameID, ok := parseGameIDParam(c)
 		if !ok {
 			return
 		}
 		back := "/_gm/games/" + gameID.String()
 		userID, err := uuid.Parse(strings.TrimSpace(c.PostForm("user_id")))
 		if err != nil {
 			h.renderMessage(c, http.StatusBadRequest, "games", "Invalid input", "User ID must be a valid UUID.", "bad", back)
 			return
 		}
 		if _, err := h.games.AdminBanMember(c.Request.Context(), gameID, userID, strings.TrimSpace(c.PostForm("reason"))); err != nil {
 			h.logger.Error("admin console: ban member", zap.Error(err))
 			h.renderMessage(c, http.StatusInternalServerError, "games", "Ban failed", "Failed to ban the member.", "bad", back)
 			return
 		}
 		c.Redirect(http.StatusSeeOther, back)
 	}
 }
 // RuntimeRestart handles POST /_gm/games/:game_id/runtime/restart.
 func (h *AdminConsoleHandlers) RuntimeRestart() gin.HandlerFunc {
 	return h.runtimeAction("restart", func(ctx context.Context, gameID uuid.UUID) error {
 		_, err := h.runtime.AdminRestart(ctx, gameID)
 		return err
 	})
 }
 // RuntimeForceNextTurn handles POST /_gm/games/:game_id/runtime/force-next-turn.
 func (h *AdminConsoleHandlers) RuntimeForceNextTurn() gin.HandlerFunc {
 	return h.runtimeAction("force-next-turn", func(ctx context.Context, gameID uuid.UUID) error {
 		_, err := h.runtime.AdminForceNextTurn(ctx, gameID)
 		return err
 	})
 }
 // RuntimePatch handles POST /_gm/games/:game_id/runtime/patch.
 func (h *AdminConsoleHandlers) RuntimePatch() gin.HandlerFunc {
 	return func(c *gin.Context) {
 		if h.runtime == nil {
 			h.renderMessage(c, http.StatusServiceUnavailable, "games", "Runtime", "Runtime administration is not available.", "bad", "/_gm/games")
 			return
 		}
 		gameID, ok := parseGameIDParam(c)
 		if !ok {
 			return
 		}
 		back := "/_gm/games/" + gameID.String()
 		target := strings.TrimSpace(c.PostForm("target_version"))
 		if target == "" {
 			h.renderMessage(c, http.StatusBadRequest, "games", "Invalid input", "A target version is required.", "bad", back)
 			return
 		}
 		if _, err := h.runtime.AdminPatch(c.Request.Context(), gameID, target); err != nil {
 			h.logger.Error("admin console: runtime patch", zap.Error(err))
 			h.renderMessage(c, http.StatusInternalServerError, "games", "Patch failed", "Failed to patch the runtime.", "bad", back)
 			return
 		}
 		c.Redirect(http.StatusSeeOther, back)
 	}
 }
 // gameAction is the shared shape for game-state POST actions that take only the
 // game id and redirect back to the detail page.
 func (h *AdminConsoleHandlers) gameAction(label string, run func(context.Context, uuid.UUID) error) gin.HandlerFunc {
 	return func(c *gin.Context) {
 		if h.games == nil {
 			h.renderMessage(c, http.StatusServiceUnavailable, "games", "Games", "Game administration is not available.", "bad", "/_gm/")
 			return
 		}
 		gameID, ok := parseGameIDParam(c)
 		if !ok {
 			return
 		}
 		back := "/_gm/games/" + gameID.String()
 		if err := run(c.Request.Context(), gameID); err != nil {
 			h.logger.Error("admin console: game "+label, zap.Error(err))
 			h.renderMessage(c, http.StatusInternalServerError, "games", "Action failed", "The "+label+" action failed.", "bad", back)
 			return
 		}
 		c.Redirect(http.StatusSeeOther, back)
 	}
 }
 // runtimeAction is the shared shape for runtime POST actions that take only the
 // game id and redirect back to the detail page.
 func (h *AdminConsoleHandlers) runtimeAction(label string, run func(context.Context, uuid.UUID) error) gin.HandlerFunc {
 	return func(c *gin.Context) {
 		if h.runtime == nil {
 			h.renderMessage(c, http.StatusServiceUnavailable, "games", "Runtime", "Runtime administration is not available.", "bad", "/_gm/games")
 			return
 		}
 		gameID, ok := parseGameIDParam(c)
 		if !ok {
 			return
 		}
 		back := "/_gm/games/" + gameID.String()
 		if err := run(c.Request.Context(), gameID); err != nil {
 			h.logger.Error("admin console: runtime "+label, zap.Error(err))
 			h.renderMessage(c, http.StatusInternalServerError, "games", "Action failed", "The runtime "+label+" action failed.", "bad", back)
 			return
 		}
 		c.Redirect(http.StatusSeeOther, back)
 	}
 }
 // EngineVersionsList renders GET /_gm/engine-versions.
 func (h *AdminConsoleHandlers) EngineVersionsList() gin.HandlerFunc {
 	return func(c *gin.Context) {
 		if h.engineVersions == nil {
 			h.renderMessage(c, http.StatusServiceUnavailable, "engine-versions", "Engine versions", "Engine-version administration is not available.", "bad", "/_gm/")
 			return
 		}
 		items, err := h.engineVersions.List(c.Request.Context())
 		if err != nil {
 			h.logger.Error("admin console: list engine versions", zap.Error(err))
 			h.renderMessage(c, http.StatusInternalServerError, "engine-versions", "Engine versions", "Failed to load engine versions.", "bad", "/_gm/")
 			return
 		}
 		h.render(c, http.StatusOK, "engine_versions", "games", "Engine versions", toEngineVersionsData(items))
 	}
 }
 // EngineVersionRegister handles POST /_gm/engine-versions.
 func (h *AdminConsoleHandlers) EngineVersionRegister() gin.HandlerFunc {
 	return func(c *gin.Context) {
 		if h.engineVersions == nil {
 			h.renderMessage(c, http.StatusServiceUnavailable, "engine-versions", "Engine versions", "Engine-version administration is not available.", "bad", "/_gm/")
 			return
 		}
 		enabled := c.PostForm("enabled") == "true"
 		_, err := h.engineVersions.Register(c.Request.Context(), runtime.RegisterInput{
 			Version:  strings.TrimSpace(c.PostForm("version")),
 			ImageRef: strings.TrimSpace(c.PostForm("image_ref")),
 			Enabled:  &enabled,
 		})
 		if err != nil {
 			if errors.Is(err, runtime.ErrInvalidInput) || errors.Is(err, runtime.ErrEngineVersionTaken) {
 				h.renderMessage(c, http.StatusBadRequest, "engine-versions", "Invalid input", "The version could not be registered (invalid semver, missing image, or duplicate).", "bad", "/_gm/engine-versions")
 				return
 			}
 			h.logger.Error("admin console: register engine version", zap.Error(err))
 			h.renderMessage(c, http.StatusInternalServerError, "engine-versions", "Register failed", "Failed to register the engine version.", "bad", "/_gm/engine-versions")
 			return
 		}
 		c.Redirect(http.StatusSeeOther, "/_gm/engine-versions")
 	}
 }
 // EngineVersionDisable handles POST /_gm/engine-versions/:version/disable.
 func (h *AdminConsoleHandlers) EngineVersionDisable() gin.HandlerFunc {
 	return func(c *gin.Context) {
 		if h.engineVersions == nil {
 			h.renderMessage(c, http.StatusServiceUnavailable, "engine-versions", "Engine versions", "Engine-version administration is not available.", "bad", "/_gm/")
 			return
 		}
 		version := strings.TrimSpace(c.Param("version"))
 		if _, err := h.engineVersions.Disable(c.Request.Context(), version); err != nil {
 			h.logger.Error("admin console: disable engine version", zap.Error(err))
 			h.renderMessage(c, http.StatusInternalServerError, "engine-versions", "Disable failed", "Failed to disable the engine version.", "bad", "/_gm/engine-versions")
 			return
 		}
 		c.Redirect(http.StatusSeeOther, "/_gm/engine-versions")
 	}
 }
 // formInt32 reads a non-negative int32 form field, defaulting to 0.
 func formInt32(c *gin.Context, name string) int32 {
 	parsed, err := strconv.Atoi(strings.TrimSpace(c.PostForm(name)))
 	if err != nil || parsed < 0 {
 		return 0
 	}
 	return int32(parsed)
 }
 // parseConsoleDateTime parses the value of an <input type="datetime-local">
 // (or an RFC 3339 timestamp) as UTC.
 func parseConsoleDateTime(raw string) (time.Time, error) {
 	raw = strings.TrimSpace(raw)
 	for _, layout := range []string{"2006-01-02T15:04", "2006-01-02T15:04:05", time.RFC3339} {
 		if t, err := time.ParseInLocation(layout, raw, time.UTC); err == nil {
 			return t.UTC(), nil
 		}
 	}
 	return time.Time{}, errors.New("invalid date/time")
 }
 // toGamesListData maps a game page into the games list view model.
 func toGamesListData(page lobby.GamePage) adminconsole.GamesListData {
 	data := adminconsole.GamesListData{
 		Items:    make([]adminconsole.GameRow, 0, len(page.Items)),
 		Page:     page.Page,
 		PageSize: page.PageSize,
 		Total:    page.Total,
 		PrevPage: page.Page - 1,
 		NextPage: page.Page + 1,
 		HasPrev:  page.Page > 1,
 		HasNext:  page.Page*page.PageSize < page.Total,
 	}
 	for _, game := range page.Items {
 		data.Items = append(data.Items, adminconsole.GameRow{
 			GameID:       game.GameID.String(),
 			GameName:     game.GameName,
 			Visibility:   game.Visibility,
 			Status:       game.Status,
 			Owner:        ownerLabel(game.OwnerUserID),
 			Players:      strconv.Itoa(int(game.MinPlayers)) + "–" + strconv.Itoa(int(game.MaxPlayers)),
 			TurnSchedule: game.TurnSchedule,
 			CreatedAt:    fmtConsoleTime(game.CreatedAt),
 		})
 	}
 	return data
 }
 // toGameDetailData maps a game record and optional runtime record into the
 // detail view model.
 func toGameDetailData(game lobby.GameRecord, rec *runtime.RuntimeRecord) adminconsole.GameDetailData {
 	data := adminconsole.GameDetailData{
 		GameID:              game.GameID.String(),
 		GameName:            game.GameName,
 		Description:         game.Description,
 		Visibility:          game.Visibility,
 		Status:              game.Status,
 		Owner:               ownerLabel(game.OwnerUserID),
 		MinPlayers:          game.MinPlayers,
 		MaxPlayers:          game.MaxPlayers,
 		StartGapHours:       game.StartGapHours,
 		StartGapPlayers:     game.StartGapPlayers,
 		TurnSchedule:        game.TurnSchedule,
 		TargetEngineVersion: game.TargetEngineVersion,
 		EnrollmentEndsAt:    fmtConsoleTime(game.EnrollmentEndsAt),
 		CreatedAt:           fmtConsoleTime(game.CreatedAt),
 		StartedAt:           fmtConsoleTimePtr(game.StartedAt),
 		FinishedAt:          fmtConsoleTimePtr(game.FinishedAt),
 	}
 	if rec != nil {
 		data.HasRuntime = true
 		data.RuntimeStatus = rec.Status
 		data.CurrentEngineVersion = rec.CurrentEngineVersion
 		data.EngineHealth = rec.EngineHealth
 		data.CurrentTurn = rec.CurrentTurn
 		data.NextGenerationAt = fmtConsoleTimePtr(rec.NextGenerationAt)
 		data.Paused = rec.Paused
 	}
 	return data
 }
 // toEngineVersionsData maps engine versions into the registry view model.
 func toEngineVersionsData(items []runtime.EngineVersion) adminconsole.EngineVersionsData {
 	data := adminconsole.EngineVersionsData{Items: make([]adminconsole.EngineVersionRow, 0, len(items))}
 	for _, v := range items {
 		data.Items = append(data.Items, adminconsole.EngineVersionRow{
 			Version:   v.Version,
 			ImageRef:  v.ImageRef,
 			Enabled:   v.Enabled,
 			CreatedAt: fmtConsoleTime(v.CreatedAt),
 		})
 	}
 	return data
 }
 // ownerLabel renders an optional owner id; public games have no owner.
 func ownerLabel(ownerID *uuid.UUID) string {
 	if ownerID == nil {
 		return "—"
 	}
 	return ownerID.String()
 }
@@ -0,0 +1,353 @@
 package server
 import (
 	"context"
 	"errors"
 	"net/http"
 	"net/http/httptest"
 	"strings"
 	"testing"
 	"galaxy/backend/internal/adminconsole"
 	"galaxy/backend/internal/lobby"
 	"galaxy/backend/internal/runtime"
 	"galaxy/backend/internal/server/middleware/basicauth"
 	"github.com/google/uuid"
 	"go.uber.org/zap"
 )
 type fakeGameAdmin struct {
 	page    lobby.GamePage
 	game    lobby.GameRecord
 	getErr  error
 	created lobby.CreateGameInput
 	createCalls     int
 	forceStartCalls int
 	forceStopCalls  int
 	banCalls        int
 	lastBanUser     uuid.UUID
 	lastBanReason   string
 }
 func (f *fakeGameAdmin) ListAdminGames(context.Context, int, int) (lobby.GamePage, error) {
 	return f.page, nil
 }
 func (f *fakeGameAdmin) GetGame(context.Context, uuid.UUID) (lobby.GameRecord, error) {
 	return f.game, f.getErr
 }
 func (f *fakeGameAdmin) CreateGame(_ context.Context, in lobby.CreateGameInput) (lobby.GameRecord, error) {
 	f.createCalls++
 	f.created = in
 	return f.game, nil
 }
 func (f *fakeGameAdmin) AdminForceStart(context.Context, uuid.UUID) (lobby.GameRecord, error) {
 	f.forceStartCalls++
 	return f.game, nil
 }
 func (f *fakeGameAdmin) AdminForceStop(context.Context, uuid.UUID) (lobby.GameRecord, error) {
 	f.forceStopCalls++
 	return f.game, nil
 }
 func (f *fakeGameAdmin) AdminBanMember(_ context.Context, _, userID uuid.UUID, reason string) (lobby.Membership, error) {
 	f.banCalls++
 	f.lastBanUser = userID
 	f.lastBanReason = reason
 	return lobby.Membership{}, nil
 }
 type fakeRuntimeAdmin struct {
 	record           runtime.RuntimeRecord
 	getErr           error
 	restartCalls     int
 	forceNextCalls   int
 	patchCalls       int
 	lastPatchVersion string
 }
 func (f *fakeRuntimeAdmin) GetRuntime(context.Context, uuid.UUID) (runtime.RuntimeRecord, error) {
 	return f.record, f.getErr
 }
 func (f *fakeRuntimeAdmin) AdminRestart(context.Context, uuid.UUID) (runtime.OperationLog, error) {
 	f.restartCalls++
 	return runtime.OperationLog{}, nil
 }
 func (f *fakeRuntimeAdmin) AdminPatch(_ context.Context, _ uuid.UUID, target string) (runtime.OperationLog, error) {
 	f.patchCalls++
 	f.lastPatchVersion = target
 	return runtime.OperationLog{}, nil
 }
 func (f *fakeRuntimeAdmin) AdminForceNextTurn(context.Context, uuid.UUID) (runtime.OperationLog, error) {
 	f.forceNextCalls++
 	return runtime.OperationLog{}, nil
 }
 type fakeEngineVersionAdmin struct {
 	list          []runtime.EngineVersion
 	registered    runtime.RegisterInput
 	registerCalls int
 	disableCalls  int
 	lastDisabled  string
 }
 func (f *fakeEngineVersionAdmin) List(context.Context) ([]runtime.EngineVersion, error) {
 	return f.list, nil
 }
 func (f *fakeEngineVersionAdmin) Register(_ context.Context, in runtime.RegisterInput) (runtime.EngineVersion, error) {
 	f.registerCalls++
 	f.registered = in
 	return runtime.EngineVersion{}, nil
 }
 func (f *fakeEngineVersionAdmin) Disable(_ context.Context, version string) (runtime.EngineVersion, error) {
 	f.disableCalls++
 	f.lastDisabled = version
 	return runtime.EngineVersion{}, nil
 }
 func newGamesConsoleRouter(t *testing.T, games GameAdmin, rt RuntimeAdmin, ev EngineVersionAdmin) (http.Handler, *adminconsole.CSRF) {
 	t.Helper()
 	csrf := adminconsole.NewCSRF([]byte("test-key"))
 	handler, err := NewRouter(RouterDependencies{
 		Logger:        zap.NewNop(),
 		AdminVerifier: basicauth.NewStaticVerifier("secret"),
 		AdminConsole: NewAdminConsoleHandlers(AdminConsoleDeps{
 			CSRF: csrf, Games: games, Runtime: rt, EngineVersions: ev,
 		}),
 	})
 	if err != nil {
 		t.Fatalf("NewRouter: %v", err)
 	}
 	return handler, csrf
 }
 func consoleGet(t *testing.T, router http.Handler, path string) *httptest.ResponseRecorder {
 	t.Helper()
 	req := httptest.NewRequest(http.MethodGet, path, nil)
 	req.SetBasicAuth("ops", "secret")
 	rec := httptest.NewRecorder()
 	router.ServeHTTP(rec, req)
 	return rec
 }
 func consolePost(t *testing.T, router http.Handler, path, form string) *httptest.ResponseRecorder {
 	t.Helper()
 	req := httptest.NewRequest(http.MethodPost, "http://galaxy.lan"+path, strings.NewReader(form))
 	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
 	req.Header.Set("Origin", "https://galaxy.lan")
 	req.SetBasicAuth("ops", "secret")
 	rec := httptest.NewRecorder()
 	router.ServeHTTP(rec, req)
 	return rec
 }
 func TestConsoleGamesList(t *testing.T) {
 	games := &fakeGameAdmin{page: lobby.GamePage{
 		Items: []lobby.GameRecord{{GameID: uuid.New(), GameName: "Nova", Visibility: "public", Status: "enrollment_open"}},
 		Page:  1, PageSize: 50, Total: 1,
 	}}
 	router, _ := newGamesConsoleRouter(t, games, nil, nil)
 	rec := consoleGet(t, router, "/_gm/games")
 	if rec.Code != http.StatusOK {
 		t.Fatalf("status = %d, want 200; body=%s", rec.Code, rec.Body.String())
 	}
 	for _, want := range []string{"Nova", "public", "enrollment_open", "Create public game"} {
 		if !strings.Contains(rec.Body.String(), want) {
 			t.Errorf("games list missing %q", want)
 		}
 	}
 }
 func TestConsoleGameDetailWithRuntime(t *testing.T) {
 	id := uuid.New()
 	games := &fakeGameAdmin{game: lobby.GameRecord{GameID: id, GameName: "Nova", Status: "running"}}
 	rt := &fakeRuntimeAdmin{record: runtime.RuntimeRecord{GameID: id, Status: "running", CurrentEngineVersion: "0.1.0", CurrentTurn: 7}}
 	router, csrf := newGamesConsoleRouter(t, games, rt, nil)
 	rec := consoleGet(t, router, "/_gm/games/"+id.String())
 	if rec.Code != http.StatusOK {
 		t.Fatalf("status = %d, want 200; body=%s", rec.Code, rec.Body.String())
 	}
 	for _, want := range []string{"Nova", "Force start", "Force stop", "0.1.0", "Patch", "Ban member", csrf.Token("ops")} {
 		if !strings.Contains(rec.Body.String(), want) {
 			t.Errorf("game detail missing %q", want)
 		}
 	}
 }
 func TestConsoleGameDetailNoRuntime(t *testing.T) {
 	id := uuid.New()
 	games := &fakeGameAdmin{game: lobby.GameRecord{GameID: id, GameName: "Nova"}}
 	rt := &fakeRuntimeAdmin{getErr: errors.New("not found")}
 	router, _ := newGamesConsoleRouter(t, games, rt, nil)
 	rec := consoleGet(t, router, "/_gm/games/"+id.String())
 	if rec.Code != http.StatusOK {
 		t.Fatalf("status = %d, want 200", rec.Code)
 	}
 	if !strings.Contains(rec.Body.String(), "No runtime record") {
 		t.Error("expected a no-runtime note")
 	}
 }
 func TestConsoleGameCreate(t *testing.T) {
 	id := uuid.New()
 	games := &fakeGameAdmin{game: lobby.GameRecord{GameID: id}}
 	router, csrf := newGamesConsoleRouter(t, games, nil, nil)
 	form := "_csrf=" + csrf.Token("ops") +
 		"&game_name=Nova&description=d&min_players=2&max_players=8&start_gap_hours=0&start_gap_players=0" +
 		"&enrollment_ends_at=2030-01-02T15:04&turn_schedule=@every+24h&target_engine_version=0.1.0"
 	rec := consolePost(t, router, "/_gm/games", form)
 	if rec.Code != http.StatusSeeOther {
 		t.Fatalf("status = %d, want 303; body=%s", rec.Code, rec.Body.String())
 	}
 	if got := rec.Header().Get("Location"); got != "/_gm/games/"+id.String() {
 		t.Errorf("redirect = %q, want detail page", got)
 	}
 	if games.createCalls != 1 {
 		t.Fatalf("CreateGame called %d times, want 1", games.createCalls)
 	}
 	if games.created.Visibility != lobby.VisibilityPublic {
 		t.Errorf("visibility = %q, want public", games.created.Visibility)
 	}
 	if games.created.GameName != "Nova" {
 		t.Errorf("game name = %q", games.created.GameName)
 	}
 	if games.created.EnrollmentEndsAt.Year() != 2030 {
 		t.Errorf("enrollment year = %d, want 2030", games.created.EnrollmentEndsAt.Year())
 	}
 	if games.created.OwnerUserID != nil {
 		t.Error("public game must have a nil owner")
 	}
 }
 func TestConsoleGameForceStart(t *testing.T) {
 	id := uuid.New()
 	games := &fakeGameAdmin{game: lobby.GameRecord{GameID: id}}
 	router, csrf := newGamesConsoleRouter(t, games, nil, nil)
 	rec := consolePost(t, router, "/_gm/games/"+id.String()+"/force-start", "_csrf="+csrf.Token("ops"))
 	if rec.Code != http.StatusSeeOther {
 		t.Fatalf("status = %d, want 303", rec.Code)
 	}
 	if games.forceStartCalls != 1 {
 		t.Errorf("AdminForceStart called %d times, want 1", games.forceStartCalls)
 	}
 }
 func TestConsoleGameForceStartRejectsBadCSRF(t *testing.T) {
 	id := uuid.New()
 	games := &fakeGameAdmin{game: lobby.GameRecord{GameID: id}}
 	router, _ := newGamesConsoleRouter(t, games, nil, nil)
 	rec := consolePost(t, router, "/_gm/games/"+id.String()+"/force-start", "")
 	if rec.Code != http.StatusForbidden {
 		t.Fatalf("status = %d, want 403", rec.Code)
 	}
 	if games.forceStartCalls != 0 {
 		t.Error("force-start must not run without a CSRF token")
 	}
 }
 func TestConsoleGameBanMember(t *testing.T) {
 	gameID := uuid.New()
 	target := uuid.New()
 	games := &fakeGameAdmin{game: lobby.GameRecord{GameID: gameID}}
 	router, csrf := newGamesConsoleRouter(t, games, nil, nil)
 	form := "_csrf=" + csrf.Token("ops") + "&user_id=" + target.String() + "&reason=cheating"
 	rec := consolePost(t, router, "/_gm/games/"+gameID.String()+"/ban-member", form)
 	if rec.Code != http.StatusSeeOther {
 		t.Fatalf("status = %d, want 303; body=%s", rec.Code, rec.Body.String())
 	}
 	if games.banCalls != 1 || games.lastBanUser != target || games.lastBanReason != "cheating" {
 		t.Errorf("ban recorded %d user=%s reason=%q", games.banCalls, games.lastBanUser, games.lastBanReason)
 	}
 }
 func TestConsoleGameBanMemberRejectsBadUUID(t *testing.T) {
 	gameID := uuid.New()
 	games := &fakeGameAdmin{game: lobby.GameRecord{GameID: gameID}}
 	router, csrf := newGamesConsoleRouter(t, games, nil, nil)
 	rec := consolePost(t, router, "/_gm/games/"+gameID.String()+"/ban-member", "_csrf="+csrf.Token("ops")+"&user_id=not-a-uuid")
 	if rec.Code != http.StatusBadRequest {
 		t.Fatalf("status = %d, want 400", rec.Code)
 	}
 	if games.banCalls != 0 {
 		t.Error("ban must not run with an invalid user id")
 	}
 }
 func TestConsoleRuntimePatch(t *testing.T) {
 	id := uuid.New()
 	games := &fakeGameAdmin{game: lobby.GameRecord{GameID: id}}
 	rt := &fakeRuntimeAdmin{}
 	router, csrf := newGamesConsoleRouter(t, games, rt, nil)
 	rec := consolePost(t, router, "/_gm/games/"+id.String()+"/runtime/patch", "_csrf="+csrf.Token("ops")+"&target_version=0.1.1")
 	if rec.Code != http.StatusSeeOther {
 		t.Fatalf("status = %d, want 303", rec.Code)
 	}
 	if rt.patchCalls != 1 || rt.lastPatchVersion != "0.1.1" {
 		t.Errorf("patch recorded %d version=%q", rt.patchCalls, rt.lastPatchVersion)
 	}
 }
 func TestConsoleRuntimePatchMissingVersion(t *testing.T) {
 	id := uuid.New()
 	games := &fakeGameAdmin{game: lobby.GameRecord{GameID: id}}
 	rt := &fakeRuntimeAdmin{}
 	router, csrf := newGamesConsoleRouter(t, games, rt, nil)
 	rec := consolePost(t, router, "/_gm/games/"+id.String()+"/runtime/patch", "_csrf="+csrf.Token("ops"))
 	if rec.Code != http.StatusBadRequest {
 		t.Fatalf("status = %d, want 400", rec.Code)
 	}
 	if rt.patchCalls != 0 {
 		t.Error("patch must not run without a target version")
 	}
 }
 func TestConsoleEngineVersions(t *testing.T) {
 	ev := &fakeEngineVersionAdmin{list: []runtime.EngineVersion{{Version: "0.1.0", ImageRef: "img:0.1.0", Enabled: true}}}
 	router, csrf := newGamesConsoleRouter(t, nil, nil, ev)
 	rec := consoleGet(t, router, "/_gm/engine-versions")
 	if rec.Code != http.StatusOK {
 		t.Fatalf("status = %d, want 200; body=%s", rec.Code, rec.Body.String())
 	}
 	for _, want := range []string{"0.1.0", "img:0.1.0", "Register version", "Disable"} {
 		if !strings.Contains(rec.Body.String(), want) {
 			t.Errorf("engine versions page missing %q", want)
 		}
 	}
 	rec = consolePost(t, router, "/_gm/engine-versions", "_csrf="+csrf.Token("ops")+"&version=0.2.0&image_ref=img:0.2.0&enabled=true")
 	if rec.Code != http.StatusSeeOther {
 		t.Fatalf("register status = %d, want 303", rec.Code)
 	}
 	if ev.registerCalls != 1 || ev.registered.Version != "0.2.0" || ev.registered.Enabled == nil || !*ev.registered.Enabled {
 		t.Errorf("register recorded %d version=%q enabled=%v", ev.registerCalls, ev.registered.Version, ev.registered.Enabled)
 	}
 	rec = consolePost(t, router, "/_gm/engine-versions/0.1.0/disable", "_csrf="+csrf.Token("ops"))
 	if rec.Code != http.StatusSeeOther {
 		t.Fatalf("disable status = %d, want 303", rec.Code)
 	}
 	if ev.disableCalls != 1 || ev.lastDisabled != "0.1.0" {
 		t.Errorf("disable recorded %d version=%q", ev.disableCalls, ev.lastDisabled)
 	}
 }
 func TestConsoleGamesUnavailable(t *testing.T) {
 	router, _ := newGamesConsoleRouter(t, nil, nil, nil)
 	rec := consoleGet(t, router, "/_gm/games")
 	if rec.Code != http.StatusServiceUnavailable {
 		t.Fatalf("status = %d, want 503", rec.Code)
 	}
 }
@@ -0,0 +1,327 @@
 package server
 import (
 	"context"
 	"errors"
 	"fmt"
 	"net/http"
 	"strings"
 	"galaxy/backend/internal/adminconsole"
 	"galaxy/backend/internal/diplomail"
 	"galaxy/backend/internal/mail"
 	"galaxy/backend/internal/notification"
 	"galaxy/backend/internal/server/clientip"
 	"galaxy/backend/internal/server/middleware/basicauth"
 	"github.com/gin-gonic/gin"
 	"github.com/google/uuid"
 	"go.uber.org/zap"
 )
 // MailAdmin is the subset of the mail service the console uses.
 type MailAdmin interface {
 	AdminListDeliveries(ctx context.Context, page, pageSize int) (mail.AdminListDeliveriesPage, error)
 	AdminGetDelivery(ctx context.Context, deliveryID uuid.UUID) (mail.Delivery, error)
 	AdminListAttempts(ctx context.Context, deliveryID uuid.UUID) ([]mail.Attempt, error)
 	AdminResendDelivery(ctx context.Context, deliveryID uuid.UUID) (mail.Delivery, error)
 	AdminListDeadLetters(ctx context.Context, page, pageSize int) (mail.AdminListDeadLettersPage, error)
 }
 // NotificationAdmin is the subset of the notification service the console uses.
 type NotificationAdmin interface {
 	AdminListNotifications(ctx context.Context, page, pageSize int) (notification.AdminListNotificationsPage, error)
 	AdminListDeadLetters(ctx context.Context, page, pageSize int) (notification.AdminListDeadLettersPage, error)
 	AdminListMalformed(ctx context.Context, page, pageSize int) (notification.AdminListMalformedPage, error)
 }
 // DiplomailAdmin is the subset of the diplomail service the console uses.
 type DiplomailAdmin interface {
 	SendAdminMultiGameBroadcast(ctx context.Context, in diplomail.SendMultiGameBroadcastInput) ([]diplomail.Message, int, error)
 }
 const consoleSnapshotPageSize = 50
 // MailPage renders GET /_gm/mail — paginated deliveries plus a dead-letter snapshot.
 func (h *AdminConsoleHandlers) MailPage() gin.HandlerFunc {
 	return func(c *gin.Context) {
 		if h.mail == nil {
 			h.renderMessage(c, http.StatusServiceUnavailable, "mail", "Mail", "Mail administration is not available.", "bad", "/_gm/")
 			return
 		}
 		page := parsePositiveQueryInt(c.Query("page"), 1)
 		pageSize := parsePositiveQueryInt(c.Query("page_size"), 50)
 		ctx := c.Request.Context()
 		deliveries, err := h.mail.AdminListDeliveries(ctx, page, pageSize)
 		if err != nil {
 			h.logger.Error("admin console: list deliveries", zap.Error(err))
 			h.renderMessage(c, http.StatusInternalServerError, "mail", "Mail", "Failed to load deliveries.", "bad", "/_gm/")
 			return
 		}
 		dead, err := h.mail.AdminListDeadLetters(ctx, 1, consoleSnapshotPageSize)
 		if err != nil {
 			h.logger.Error("admin console: list mail dead-letters", zap.Error(err))
 			h.renderMessage(c, http.StatusInternalServerError, "mail", "Mail", "Failed to load dead-letters.", "bad", "/_gm/")
 			return
 		}
 		h.render(c, http.StatusOK, "mail", "mail", "Mail", toMailData(deliveries, dead))
 	}
 }
 // MailDeliveryDetail renders GET /_gm/mail/deliveries/:delivery_id.
 func (h *AdminConsoleHandlers) MailDeliveryDetail() gin.HandlerFunc {
 	return func(c *gin.Context) {
 		if h.mail == nil {
 			h.renderMessage(c, http.StatusServiceUnavailable, "mail", "Mail", "Mail administration is not available.", "bad", "/_gm/")
 			return
 		}
 		deliveryID, ok := parseConsoleDeliveryID(c, h)
 		if !ok {
 			return
 		}
 		ctx := c.Request.Context()
 		delivery, err := h.mail.AdminGetDelivery(ctx, deliveryID)
 		if err != nil {
 			if errors.Is(err, mail.ErrDeliveryNotFound) {
 				h.renderMessage(c, http.StatusNotFound, "mail", "Delivery not found", "No such delivery.", "bad", "/_gm/mail")
 				return
 			}
 			h.logger.Error("admin console: get delivery", zap.Error(err))
 			h.renderMessage(c, http.StatusInternalServerError, "mail", "Mail", "Failed to load the delivery.", "bad", "/_gm/mail")
 			return
 		}
 		attempts, err := h.mail.AdminListAttempts(ctx, deliveryID)
 		if err != nil {
 			h.logger.Error("admin console: list attempts", zap.Error(err))
 			h.renderMessage(c, http.StatusInternalServerError, "mail", "Mail", "Failed to load attempts.", "bad", "/_gm/mail")
 			return
 		}
 		h.render(c, http.StatusOK, "mail_delivery", "mail", "Delivery", toMailDeliveryDetail(delivery, attempts))
 	}
 }
 // MailResend handles POST /_gm/mail/deliveries/:delivery_id/resend.
 func (h *AdminConsoleHandlers) MailResend() gin.HandlerFunc {
 	return func(c *gin.Context) {
 		if h.mail == nil {
 			h.renderMessage(c, http.StatusServiceUnavailable, "mail", "Mail", "Mail administration is not available.", "bad", "/_gm/")
 			return
 		}
 		deliveryID, ok := parseConsoleDeliveryID(c, h)
 		if !ok {
 			return
 		}
 		back := "/_gm/mail/deliveries/" + deliveryID.String()
 		if _, err := h.mail.AdminResendDelivery(c.Request.Context(), deliveryID); err != nil {
 			h.logger.Error("admin console: resend delivery", zap.Error(err))
 			h.renderMessage(c, http.StatusInternalServerError, "mail", "Resend failed", "Failed to resend the delivery (it may already be sent).", "bad", back)
 			return
 		}
 		c.Redirect(http.StatusSeeOther, back)
 	}
 }
 // NotificationsPage renders GET /_gm/notifications — notifications, dead-letters,
 // and malformed intents on one overview page.
 func (h *AdminConsoleHandlers) NotificationsPage() gin.HandlerFunc {
 	return func(c *gin.Context) {
 		if h.notifications == nil {
 			h.renderMessage(c, http.StatusServiceUnavailable, "mail", "Notifications", "Notification administration is not available.", "bad", "/_gm/")
 			return
 		}
 		ctx := c.Request.Context()
 		notifications, err := h.notifications.AdminListNotifications(ctx, 1, consoleSnapshotPageSize)
 		if err != nil {
 			h.logger.Error("admin console: list notifications", zap.Error(err))
 			h.renderMessage(c, http.StatusInternalServerError, "mail", "Notifications", "Failed to load notifications.", "bad", "/_gm/")
 			return
 		}
 		dead, err := h.notifications.AdminListDeadLetters(ctx, 1, consoleSnapshotPageSize)
 		if err != nil {
 			h.logger.Error("admin console: list notification dead-letters", zap.Error(err))
 			h.renderMessage(c, http.StatusInternalServerError, "mail", "Notifications", "Failed to load dead-letters.", "bad", "/_gm/")
 			return
 		}
 		malformed, err := h.notifications.AdminListMalformed(ctx, 1, consoleSnapshotPageSize)
 		if err != nil {
 			h.logger.Error("admin console: list malformed intents", zap.Error(err))
 			h.renderMessage(c, http.StatusInternalServerError, "mail", "Notifications", "Failed to load malformed intents.", "bad", "/_gm/")
 			return
 		}
 		h.render(c, http.StatusOK, "notifications", "mail", "Notifications", toNotificationsData(notifications, dead, malformed))
 	}
 }
 // BroadcastForm renders GET /_gm/broadcast.
 func (h *AdminConsoleHandlers) BroadcastForm() gin.HandlerFunc {
 	return func(c *gin.Context) {
 		if h.diplomail == nil {
 			h.renderMessage(c, http.StatusServiceUnavailable, "mail", "Broadcast", "Broadcast is not available.", "bad", "/_gm/")
 			return
 		}
 		h.render(c, http.StatusOK, "broadcast", "mail", "Broadcast", nil)
 	}
 }
 // BroadcastSend handles POST /_gm/broadcast — multi-game admin broadcast.
 func (h *AdminConsoleHandlers) BroadcastSend() gin.HandlerFunc {
 	return func(c *gin.Context) {
 		if h.diplomail == nil {
 			h.renderMessage(c, http.StatusServiceUnavailable, "mail", "Broadcast", "Broadcast is not available.", "bad", "/_gm/")
 			return
 		}
 		username, _ := basicauth.UsernameFromContext(c.Request.Context())
 		gameIDs, err := parseGameIDList(c.PostForm("game_ids"))
 		if err != nil {
 			h.renderMessage(c, http.StatusBadRequest, "mail", "Invalid input", "Game IDs must be valid UUIDs.", "bad", "/_gm/broadcast")
 			return
 		}
 		_, total, err := h.diplomail.SendAdminMultiGameBroadcast(c.Request.Context(), diplomail.SendMultiGameBroadcastInput{
 			CallerUsername: username,
 			Scope:          strings.TrimSpace(c.PostForm("scope")),
 			GameIDs:        gameIDs,
 			RecipientScope: strings.TrimSpace(c.PostForm("recipients")),
 			Subject:        strings.TrimSpace(c.PostForm("subject")),
 			Body:           c.PostForm("body"),
 			SenderIP:       clientip.ExtractSourceIP(c),
 		})
 		if err != nil {
 			if errors.Is(err, diplomail.ErrInvalidInput) {
 				h.renderMessage(c, http.StatusBadRequest, "mail", "Invalid input", "The broadcast was rejected: check the scope, recipients, and body.", "bad", "/_gm/broadcast")
 				return
 			}
 			h.logger.Error("admin console: broadcast", zap.Error(err))
 			h.renderMessage(c, http.StatusInternalServerError, "mail", "Broadcast failed", "Failed to send the broadcast.", "bad", "/_gm/broadcast")
 			return
 		}
 		h.renderMessage(c, http.StatusOK, "mail", "Broadcast sent", fmt.Sprintf("Broadcast delivered to %d recipients.", total), "ok", "/_gm/broadcast")
 	}
 }
 // parseConsoleDeliveryID parses the delivery_id path parameter, rendering a
 // console message page on failure.
 func parseConsoleDeliveryID(c *gin.Context, h *AdminConsoleHandlers) (uuid.UUID, bool) {
 	parsed, err := uuid.Parse(c.Param("delivery_id"))
 	if err != nil {
 		h.renderMessage(c, http.StatusBadRequest, "mail", "Invalid input", "delivery_id must be a valid UUID.", "bad", "/_gm/mail")
 		return uuid.Nil, false
 	}
 	return parsed, true
 }
 // parseGameIDList parses a comma-separated list of UUIDs, ignoring blanks.
 func parseGameIDList(raw string) ([]uuid.UUID, error) {
 	fields := strings.Split(raw, ",")
 	ids := make([]uuid.UUID, 0, len(fields))
 	for _, field := range fields {
 		field = strings.TrimSpace(field)
 		if field == "" {
 			continue
 		}
 		parsed, err := uuid.Parse(field)
 		if err != nil {
 			return nil, err
 		}
 		ids = append(ids, parsed)
 	}
 	return ids, nil
 }
 func toMailData(deliveries mail.AdminListDeliveriesPage, dead mail.AdminListDeadLettersPage) adminconsole.MailData {
 	data := adminconsole.MailData{
 		Deliveries:  make([]adminconsole.MailDeliveryRow, 0, len(deliveries.Items)),
 		DeadLetters: make([]adminconsole.MailDeadLetterRow, 0, len(dead.Items)),
 		Page:        deliveries.Page,
 		PageSize:    deliveries.PageSize,
 		Total:       deliveries.Total,
 		PrevPage:    deliveries.Page - 1,
 		NextPage:    deliveries.Page + 1,
 		HasPrev:     deliveries.Page > 1,
 		HasNext:     int64(deliveries.Page*deliveries.PageSize) < deliveries.Total,
 	}
 	for _, d := range deliveries.Items {
 		data.Deliveries = append(data.Deliveries, adminconsole.MailDeliveryRow{
 			DeliveryID:  d.DeliveryID.String(),
 			Template:    d.TemplateID,
 			Status:      d.Status,
 			Attempts:    d.Attempts,
 			NextAttempt: fmtConsoleTimePtr(d.NextAttemptAt),
 			Created:     fmtConsoleTime(d.CreatedAt),
 		})
 	}
 	for _, d := range dead.Items {
 		data.DeadLetters = append(data.DeadLetters, adminconsole.MailDeadLetterRow{
 			DeliveryID: d.DeliveryID.String(),
 			Reason:     d.Reason,
 			Archived:   fmtConsoleTime(d.ArchivedAt),
 		})
 	}
 	return data
 }
 func toMailDeliveryDetail(d mail.Delivery, attempts []mail.Attempt) adminconsole.MailDeliveryDetail {
 	detail := adminconsole.MailDeliveryDetail{
 		DeliveryID:   d.DeliveryID.String(),
 		Template:     d.TemplateID,
 		Status:       d.Status,
 		Attempts:     d.Attempts,
 		NextAttempt:  fmtConsoleTimePtr(d.NextAttemptAt),
 		LastError:    d.LastError,
 		Created:      fmtConsoleTime(d.CreatedAt),
 		Sent:         fmtConsoleTimePtr(d.SentAt),
 		DeadLettered: fmtConsoleTimePtr(d.DeadLetteredAt),
 		CanResend:    d.Status != mail.StatusSent,
 		AttemptRows:  make([]adminconsole.MailAttemptRow, 0, len(attempts)),
 	}
 	for _, a := range attempts {
 		detail.AttemptRows = append(detail.AttemptRows, adminconsole.MailAttemptRow{
 			AttemptNo: a.AttemptNo,
 			Outcome:   a.Outcome,
 			Started:   fmtConsoleTime(a.StartedAt),
 			Finished:  fmtConsoleTimePtr(a.FinishedAt),
 			Error:     a.Error,
 		})
 	}
 	return detail
 }
 func toNotificationsData(notifications notification.AdminListNotificationsPage, dead notification.AdminListDeadLettersPage, malformed notification.AdminListMalformedPage) adminconsole.NotificationsData {
 	data := adminconsole.NotificationsData{
 		Notifications: make([]adminconsole.NotificationRow, 0, len(notifications.Items)),
 		DeadLetters:   make([]adminconsole.NotificationDeadLetterRow, 0, len(dead.Items)),
 		Malformed:     make([]adminconsole.MalformedRow, 0, len(malformed.Items)),
 	}
 	for _, n := range notifications.Items {
 		data.Notifications = append(data.Notifications, adminconsole.NotificationRow{
 			NotificationID: n.NotificationID.String(),
 			Kind:           n.Kind,
 			UserID:         optionalUUID(n.UserID),
 			Created:        fmtConsoleTime(n.CreatedAt),
 		})
 	}
 	for _, d := range dead.Items {
 		data.DeadLetters = append(data.DeadLetters, adminconsole.NotificationDeadLetterRow{
 			NotificationID: d.NotificationID.String(),
 			RouteID:        d.RouteID.String(),
 			Reason:         d.Reason,
 			Archived:       fmtConsoleTime(d.ArchivedAt),
 		})
 	}
 	for _, m := range malformed.Items {
 		data.Malformed = append(data.Malformed, adminconsole.MalformedRow{
 			ID:       m.ID.String(),
 			Reason:   m.Reason,
 			Received: fmtConsoleTime(m.ReceivedAt),
 		})
 	}
 	return data
 }
 // optionalUUID renders a nullable user id; system-scoped rows have none.
 func optionalUUID(id *uuid.UUID) string {
 	if id == nil {
 		return "—"
 	}
 	return id.String()
 }
@@ -0,0 +1,242 @@
 package server
 import (
 	"context"
 	"net/http"
 	"strings"
 	"testing"
 	"time"
 	"galaxy/backend/internal/adminconsole"
 	"galaxy/backend/internal/diplomail"
 	"galaxy/backend/internal/mail"
 	"galaxy/backend/internal/notification"
 	"galaxy/backend/internal/server/middleware/basicauth"
 	"github.com/google/uuid"
 	"go.uber.org/zap"
 )
 type fakeMailAdmin struct {
 	deliveries  mail.AdminListDeliveriesPage
 	dead        mail.AdminListDeadLettersPage
 	delivery    mail.Delivery
 	getErr      error
 	attempts    []mail.Attempt
 	resendCalls int
 }
 func (f *fakeMailAdmin) AdminListDeliveries(context.Context, int, int) (mail.AdminListDeliveriesPage, error) {
 	return f.deliveries, nil
 }
 func (f *fakeMailAdmin) AdminGetDelivery(context.Context, uuid.UUID) (mail.Delivery, error) {
 	return f.delivery, f.getErr
 }
 func (f *fakeMailAdmin) AdminListAttempts(context.Context, uuid.UUID) ([]mail.Attempt, error) {
 	return f.attempts, nil
 }
 func (f *fakeMailAdmin) AdminResendDelivery(context.Context, uuid.UUID) (mail.Delivery, error) {
 	f.resendCalls++
 	return f.delivery, nil
 }
 func (f *fakeMailAdmin) AdminListDeadLetters(context.Context, int, int) (mail.AdminListDeadLettersPage, error) {
 	return f.dead, nil
 }
 type fakeNotificationAdmin struct {
 	notifications notification.AdminListNotificationsPage
 	dead          notification.AdminListDeadLettersPage
 	malformed     notification.AdminListMalformedPage
 }
 func (f *fakeNotificationAdmin) AdminListNotifications(context.Context, int, int) (notification.AdminListNotificationsPage, error) {
 	return f.notifications, nil
 }
 func (f *fakeNotificationAdmin) AdminListDeadLetters(context.Context, int, int) (notification.AdminListDeadLettersPage, error) {
 	return f.dead, nil
 }
 func (f *fakeNotificationAdmin) AdminListMalformed(context.Context, int, int) (notification.AdminListMalformedPage, error) {
 	return f.malformed, nil
 }
 type fakeDiplomailAdmin struct {
 	total          int
 	err            error
 	broadcastCalls int
 	last           diplomail.SendMultiGameBroadcastInput
 }
 func (f *fakeDiplomailAdmin) SendAdminMultiGameBroadcast(_ context.Context, in diplomail.SendMultiGameBroadcastInput) ([]diplomail.Message, int, error) {
 	f.broadcastCalls++
 	f.last = in
 	if f.err != nil {
 		return nil, 0, f.err
 	}
 	return nil, f.total, nil
 }
 func mailConsoleRouter(t *testing.T, m MailAdmin, n NotificationAdmin, d DiplomailAdmin) (http.Handler, *adminconsole.CSRF) {
 	t.Helper()
 	csrf := adminconsole.NewCSRF([]byte("test-key"))
 	handler, err := NewRouter(RouterDependencies{
 		Logger:        zap.NewNop(),
 		AdminVerifier: basicauth.NewStaticVerifier("secret"),
 		AdminConsole:  NewAdminConsoleHandlers(AdminConsoleDeps{CSRF: csrf, Mail: m, Notifications: n, Diplomail: d}),
 	})
 	if err != nil {
 		t.Fatalf("NewRouter: %v", err)
 	}
 	return handler, csrf
 }
 func TestConsoleMailPage(t *testing.T) {
 	id := uuid.New()
 	m := &fakeMailAdmin{
 		deliveries: mail.AdminListDeliveriesPage{
 			Items: []mail.Delivery{{DeliveryID: id, TemplateID: "auth.login_code", Status: "pending", CreatedAt: time.Now()}},
 			Page:  1, PageSize: 50, Total: 1,
 		},
 		dead: mail.AdminListDeadLettersPage{
 			Items: []mail.DeadLetter{{DeliveryID: uuid.New(), Reason: "smtp 550", ArchivedAt: time.Now()}},
 		},
 	}
 	router, _ := mailConsoleRouter(t, m, nil, nil)
 	rec := consoleGet(t, router, "/_gm/mail")
 	if rec.Code != http.StatusOK {
 		t.Fatalf("status = %d, want 200; body=%s", rec.Code, rec.Body.String())
 	}
 	for _, want := range []string{"auth.login_code", "pending", "Dead-letters", "smtp 550"} {
 		if !strings.Contains(rec.Body.String(), want) {
 			t.Errorf("mail page missing %q", want)
 		}
 	}
 }
 func TestConsoleMailDeliveryDetail(t *testing.T) {
 	id := uuid.New()
 	m := &fakeMailAdmin{
 		delivery: mail.Delivery{DeliveryID: id, TemplateID: "auth.login_code", Status: "pending", Attempts: 2},
 		attempts: []mail.Attempt{{AttemptNo: 1, Outcome: "transient_failure", StartedAt: time.Now(), Error: "timeout"}},
 	}
 	router, _ := mailConsoleRouter(t, m, nil, nil)
 	rec := consoleGet(t, router, "/_gm/mail/deliveries/"+id.String())
 	if rec.Code != http.StatusOK {
 		t.Fatalf("status = %d, want 200; body=%s", rec.Code, rec.Body.String())
 	}
 	for _, want := range []string{id.String(), "auth.login_code", "Attempts", "transient_failure", "Resend"} {
 		if !strings.Contains(rec.Body.String(), want) {
 			t.Errorf("delivery detail missing %q", want)
 		}
 	}
 }
 func TestConsoleMailDeliveryDetailNotFound(t *testing.T) {
 	m := &fakeMailAdmin{getErr: mail.ErrDeliveryNotFound}
 	router, _ := mailConsoleRouter(t, m, nil, nil)
 	rec := consoleGet(t, router, "/_gm/mail/deliveries/"+uuid.New().String())
 	if rec.Code != http.StatusNotFound {
 		t.Fatalf("status = %d, want 404", rec.Code)
 	}
 }
 func TestConsoleMailResend(t *testing.T) {
 	id := uuid.New()
 	m := &fakeMailAdmin{delivery: mail.Delivery{DeliveryID: id}}
 	router, csrf := mailConsoleRouter(t, m, nil, nil)
 	rec := consolePost(t, router, "/_gm/mail/deliveries/"+id.String()+"/resend", "_csrf="+csrf.Token("ops"))
 	if rec.Code != http.StatusSeeOther {
 		t.Fatalf("status = %d, want 303", rec.Code)
 	}
 	if m.resendCalls != 1 {
 		t.Errorf("AdminResendDelivery called %d times, want 1", m.resendCalls)
 	}
 }
 func TestConsoleMailResendRejectsBadCSRF(t *testing.T) {
 	id := uuid.New()
 	m := &fakeMailAdmin{delivery: mail.Delivery{DeliveryID: id}}
 	router, _ := mailConsoleRouter(t, m, nil, nil)
 	rec := consolePost(t, router, "/_gm/mail/deliveries/"+id.String()+"/resend", "")
 	if rec.Code != http.StatusForbidden {
 		t.Fatalf("status = %d, want 403", rec.Code)
 	}
 	if m.resendCalls != 0 {
 		t.Error("resend must not run without a CSRF token")
 	}
 }
 func TestConsoleNotificationsPage(t *testing.T) {
 	n := &fakeNotificationAdmin{
 		notifications: notification.AdminListNotificationsPage{Items: []notification.Notification{{NotificationID: uuid.New(), Kind: "lobby.invite.received"}}},
 		dead:          notification.AdminListDeadLettersPage{Items: []notification.DeadLetter{{NotificationID: uuid.New(), RouteID: uuid.New(), Reason: "push gone"}}},
 		malformed:     notification.AdminListMalformedPage{Items: []notification.MalformedIntent{{ID: uuid.New(), Reason: "bad shape"}}},
 	}
 	router, _ := mailConsoleRouter(t, nil, n, nil)
 	rec := consoleGet(t, router, "/_gm/notifications")
 	if rec.Code != http.StatusOK {
 		t.Fatalf("status = %d, want 200; body=%s", rec.Code, rec.Body.String())
 	}
 	for _, want := range []string{"lobby.invite.received", "push gone", "bad shape", "Malformed intents"} {
 		if !strings.Contains(rec.Body.String(), want) {
 			t.Errorf("notifications page missing %q", want)
 		}
 	}
 }
 func TestConsoleBroadcastForm(t *testing.T) {
 	router, _ := mailConsoleRouter(t, nil, nil, &fakeDiplomailAdmin{})
 	rec := consoleGet(t, router, "/_gm/broadcast")
 	if rec.Code != http.StatusOK {
 		t.Fatalf("status = %d, want 200", rec.Code)
 	}
 	if !strings.Contains(rec.Body.String(), "Send broadcast") {
 		t.Error("broadcast form missing")
 	}
 }
 func TestConsoleBroadcastSend(t *testing.T) {
 	d := &fakeDiplomailAdmin{total: 5}
 	router, csrf := mailConsoleRouter(t, nil, nil, d)
 	form := "_csrf=" + csrf.Token("ops") + "&scope=all_running&recipients=active&body=hello"
 	rec := consolePost(t, router, "/_gm/broadcast", form)
 	if rec.Code != http.StatusOK {
 		t.Fatalf("status = %d, want 200; body=%s", rec.Code, rec.Body.String())
 	}
 	if !strings.Contains(rec.Body.String(), "5 recipients") {
 		t.Errorf("broadcast result missing recipient count; body=%s", rec.Body.String())
 	}
 	if d.broadcastCalls != 1 || d.last.Scope != "all_running" || d.last.Body != "hello" || d.last.CallerUsername != "ops" {
 		t.Errorf("broadcast input = %+v (calls=%d)", d.last, d.broadcastCalls)
 	}
 }
 func TestConsoleBroadcastSendBadGameIDs(t *testing.T) {
 	d := &fakeDiplomailAdmin{}
 	router, csrf := mailConsoleRouter(t, nil, nil, d)
 	form := "_csrf=" + csrf.Token("ops") + "&scope=selected&game_ids=not-a-uuid&body=hello"
 	rec := consolePost(t, router, "/_gm/broadcast", form)
 	if rec.Code != http.StatusBadRequest {
 		t.Fatalf("status = %d, want 400", rec.Code)
 	}
 	if d.broadcastCalls != 0 {
 		t.Error("broadcast must not run with invalid game ids")
 	}
 }
 func TestConsoleMailUnavailable(t *testing.T) {
 	router, _ := mailConsoleRouter(t, nil, nil, nil)
 	rec := consoleGet(t, router, "/_gm/mail")
 	if rec.Code != http.StatusServiceUnavailable {
 		t.Fatalf("status = %d, want 503", rec.Code)
 	}
 }
@@ -0,0 +1,149 @@
 package server
 import (
 	"context"
 	"errors"
 	"net/http"
 	"strings"
 	"galaxy/backend/internal/admin"
 	"galaxy/backend/internal/adminconsole"
 	"github.com/gin-gonic/gin"
 	"go.uber.org/zap"
 )
 // OperatorAdmin is the subset of the admin-account service the console uses.
 // *admin.Service satisfies it.
 type OperatorAdmin interface {
 	List(ctx context.Context) ([]admin.Admin, error)
 	Create(ctx context.Context, in admin.CreateInput) (admin.Admin, error)
 	Disable(ctx context.Context, username string) (admin.Admin, error)
 	Enable(ctx context.Context, username string) (admin.Admin, error)
 	ResetPassword(ctx context.Context, username, password string) (admin.Admin, error)
 }
 // OperatorsList renders GET /_gm/operators.
 func (h *AdminConsoleHandlers) OperatorsList() gin.HandlerFunc {
 	return func(c *gin.Context) {
 		if h.operators == nil {
 			h.renderMessage(c, http.StatusServiceUnavailable, "operators", "Operators", "Operator administration is not available.", "bad", "/_gm/")
 			return
 		}
 		admins, err := h.operators.List(c.Request.Context())
 		if err != nil {
 			h.logger.Error("admin console: list operators", zap.Error(err))
 			h.renderMessage(c, http.StatusInternalServerError, "operators", "Operators", "Failed to load operators.", "bad", "/_gm/")
 			return
 		}
 		h.render(c, http.StatusOK, "operators", "operators", "Operators", toOperatorsData(admins))
 	}
 }
 // OperatorCreate handles POST /_gm/operators.
 func (h *AdminConsoleHandlers) OperatorCreate() gin.HandlerFunc {
 	return func(c *gin.Context) {
 		if h.operators == nil {
 			h.renderMessage(c, http.StatusServiceUnavailable, "operators", "Operators", "Operator administration is not available.", "bad", "/_gm/")
 			return
 		}
 		_, err := h.operators.Create(c.Request.Context(), admin.CreateInput{
 			Username: strings.TrimSpace(c.PostForm("username")),
 			Password: c.PostForm("password"),
 		})
 		if err != nil {
 			switch {
 			case errors.Is(err, admin.ErrUsernameTaken):
 				h.renderMessage(c, http.StatusConflict, "operators", "Username taken", "That username is already in use.", "bad", "/_gm/operators")
 			case errors.Is(err, admin.ErrInvalidInput):
 				h.renderMessage(c, http.StatusBadRequest, "operators", "Invalid input", "Username and password are required.", "bad", "/_gm/operators")
 			default:
 				h.logger.Error("admin console: create operator", zap.Error(err))
 				h.renderMessage(c, http.StatusInternalServerError, "operators", "Create failed", "Failed to create the operator.", "bad", "/_gm/operators")
 			}
 			return
 		}
 		c.Redirect(http.StatusSeeOther, "/_gm/operators")
 	}
 }
 // OperatorDisable handles POST /_gm/operators/:username/disable.
 func (h *AdminConsoleHandlers) OperatorDisable() gin.HandlerFunc {
 	return h.operatorAction("disable", func(ctx context.Context, username string) error {
 		_, err := h.operators.Disable(ctx, username)
 		return err
 	})
 }
 // OperatorEnable handles POST /_gm/operators/:username/enable.
 func (h *AdminConsoleHandlers) OperatorEnable() gin.HandlerFunc {
 	return h.operatorAction("enable", func(ctx context.Context, username string) error {
 		_, err := h.operators.Enable(ctx, username)
 		return err
 	})
 }
 // OperatorResetPassword handles POST /_gm/operators/:username/reset-password.
 func (h *AdminConsoleHandlers) OperatorResetPassword() gin.HandlerFunc {
 	return func(c *gin.Context) {
 		if h.operators == nil {
 			h.renderMessage(c, http.StatusServiceUnavailable, "operators", "Operators", "Operator administration is not available.", "bad", "/_gm/")
 			return
 		}
 		username := c.Param("username")
 		password := c.PostForm("password")
 		if strings.TrimSpace(password) == "" {
 			h.renderMessage(c, http.StatusBadRequest, "operators", "Invalid input", "A new password is required.", "bad", "/_gm/operators")
 			return
 		}
 		if _, err := h.operators.ResetPassword(c.Request.Context(), username, password); err != nil {
 			if errors.Is(err, admin.ErrNotFound) {
 				h.renderMessage(c, http.StatusNotFound, "operators", "Operator not found", "No such operator.", "bad", "/_gm/operators")
 				return
 			}
 			if errors.Is(err, admin.ErrInvalidInput) {
 				h.renderMessage(c, http.StatusBadRequest, "operators", "Invalid input", "The password was rejected.", "bad", "/_gm/operators")
 				return
 			}
 			h.logger.Error("admin console: reset operator password", zap.Error(err))
 			h.renderMessage(c, http.StatusInternalServerError, "operators", "Reset failed", "Failed to reset the password.", "bad", "/_gm/operators")
 			return
 		}
 		c.Redirect(http.StatusSeeOther, "/_gm/operators")
 	}
 }
 // operatorAction is the shared shape for operator POST actions that take only
 // the username and redirect back to the list.
 func (h *AdminConsoleHandlers) operatorAction(label string, run func(context.Context, string) error) gin.HandlerFunc {
 	return func(c *gin.Context) {
 		if h.operators == nil {
 			h.renderMessage(c, http.StatusServiceUnavailable, "operators", "Operators", "Operator administration is not available.", "bad", "/_gm/")
 			return
 		}
 		if err := run(c.Request.Context(), c.Param("username")); err != nil {
 			if errors.Is(err, admin.ErrNotFound) {
 				h.renderMessage(c, http.StatusNotFound, "operators", "Operator not found", "No such operator.", "bad", "/_gm/operators")
 				return
 			}
 			h.logger.Error("admin console: operator "+label, zap.Error(err))
 			h.renderMessage(c, http.StatusInternalServerError, "operators", "Action failed", "The "+label+" action failed.", "bad", "/_gm/operators")
 			return
 		}
 		c.Redirect(http.StatusSeeOther, "/_gm/operators")
 	}
 }
 // toOperatorsData maps admin accounts into the operators view model.
 func toOperatorsData(admins []admin.Admin) adminconsole.OperatorsData {
 	data := adminconsole.OperatorsData{Items: make([]adminconsole.OperatorRow, 0, len(admins))}
 	for _, a := range admins {
 		data.Items = append(data.Items, adminconsole.OperatorRow{
 			Username:   a.Username,
 			CreatedAt:  fmtConsoleTime(a.CreatedAt),
 			LastUsedAt: fmtConsoleTimePtr(a.LastUsedAt),
 			Disabled:   a.DisabledAt != nil,
 		})
 	}
 	return data
 }
@@ -0,0 +1,166 @@
 package server
 import (
 	"context"
 	"net/http"
 	"strings"
 	"testing"
 	"galaxy/backend/internal/admin"
 	"galaxy/backend/internal/adminconsole"
 	"galaxy/backend/internal/server/middleware/basicauth"
 	"go.uber.org/zap"
 )
 type fakeOperatorAdmin struct {
 	list      []admin.Admin
 	createErr error
 	created       admin.CreateInput
 	createCalls   int
 	disableCalls  int
 	enableCalls   int
 	resetCalls    int
 	lastResetUser string
 	lastResetPass string
 }
 func (f *fakeOperatorAdmin) List(context.Context) ([]admin.Admin, error) { return f.list, nil }
 func (f *fakeOperatorAdmin) Create(_ context.Context, in admin.CreateInput) (admin.Admin, error) {
 	f.createCalls++
 	f.created = in
 	if f.createErr != nil {
 		return admin.Admin{}, f.createErr
 	}
 	return admin.Admin{Username: in.Username}, nil
 }
 func (f *fakeOperatorAdmin) Disable(_ context.Context, username string) (admin.Admin, error) {
 	f.disableCalls++
 	return admin.Admin{Username: username}, nil
 }
 func (f *fakeOperatorAdmin) Enable(_ context.Context, username string) (admin.Admin, error) {
 	f.enableCalls++
 	return admin.Admin{Username: username}, nil
 }
 func (f *fakeOperatorAdmin) ResetPassword(_ context.Context, username, password string) (admin.Admin, error) {
 	f.resetCalls++
 	f.lastResetUser = username
 	f.lastResetPass = password
 	return admin.Admin{Username: username}, nil
 }
 func operatorsRouter(t *testing.T, operators OperatorAdmin) (http.Handler, *adminconsole.CSRF) {
 	t.Helper()
 	csrf := adminconsole.NewCSRF([]byte("test-key"))
 	handler, err := NewRouter(RouterDependencies{
 		Logger:        zap.NewNop(),
 		AdminVerifier: basicauth.NewStaticVerifier("secret"),
 		AdminConsole:  NewAdminConsoleHandlers(AdminConsoleDeps{CSRF: csrf, Operators: operators}),
 	})
 	if err != nil {
 		t.Fatalf("NewRouter: %v", err)
 	}
 	return handler, csrf
 }
 func TestConsoleOperatorsList(t *testing.T) {
 	fake := &fakeOperatorAdmin{list: []admin.Admin{{Username: "root"}}}
 	router, _ := operatorsRouter(t, fake)
 	rec := consoleGet(t, router, "/_gm/operators")
 	if rec.Code != http.StatusOK {
 		t.Fatalf("status = %d, want 200; body=%s", rec.Code, rec.Body.String())
 	}
 	for _, want := range []string{"root", "Create operator", "Reset"} {
 		if !strings.Contains(rec.Body.String(), want) {
 			t.Errorf("operators page missing %q", want)
 		}
 	}
 }
 func TestConsoleOperatorCreate(t *testing.T) {
 	fake := &fakeOperatorAdmin{}
 	router, csrf := operatorsRouter(t, fake)
 	rec := consolePost(t, router, "/_gm/operators", "_csrf="+csrf.Token("ops")+"&username=mod&password=s3cret")
 	if rec.Code != http.StatusSeeOther {
 		t.Fatalf("status = %d, want 303; body=%s", rec.Code, rec.Body.String())
 	}
 	if fake.createCalls != 1 || fake.created.Username != "mod" || fake.created.Password != "s3cret" {
 		t.Errorf("create recorded %d username=%q", fake.createCalls, fake.created.Username)
 	}
 }
 func TestConsoleOperatorCreateConflict(t *testing.T) {
 	fake := &fakeOperatorAdmin{createErr: admin.ErrUsernameTaken}
 	router, csrf := operatorsRouter(t, fake)
 	rec := consolePost(t, router, "/_gm/operators", "_csrf="+csrf.Token("ops")+"&username=root&password=x")
 	if rec.Code != http.StatusConflict {
 		t.Fatalf("status = %d, want 409", rec.Code)
 	}
 }
 func TestConsoleOperatorDisableEnable(t *testing.T) {
 	fake := &fakeOperatorAdmin{}
 	router, csrf := operatorsRouter(t, fake)
 	if rec := consolePost(t, router, "/_gm/operators/root/disable", "_csrf="+csrf.Token("ops")); rec.Code != http.StatusSeeOther {
 		t.Fatalf("disable status = %d, want 303", rec.Code)
 	}
 	if rec := consolePost(t, router, "/_gm/operators/root/enable", "_csrf="+csrf.Token("ops")); rec.Code != http.StatusSeeOther {
 		t.Fatalf("enable status = %d, want 303", rec.Code)
 	}
 	if fake.disableCalls != 1 || fake.enableCalls != 1 {
 		t.Errorf("disable=%d enable=%d, want 1/1", fake.disableCalls, fake.enableCalls)
 	}
 }
 func TestConsoleOperatorResetPassword(t *testing.T) {
 	fake := &fakeOperatorAdmin{}
 	router, csrf := operatorsRouter(t, fake)
 	rec := consolePost(t, router, "/_gm/operators/root/reset-password", "_csrf="+csrf.Token("ops")+"&password=newpass")
 	if rec.Code != http.StatusSeeOther {
 		t.Fatalf("status = %d, want 303", rec.Code)
 	}
 	if fake.resetCalls != 1 || fake.lastResetUser != "root" || fake.lastResetPass != "newpass" {
 		t.Errorf("reset recorded %d user=%q", fake.resetCalls, fake.lastResetUser)
 	}
 }
 func TestConsoleOperatorResetPasswordMissing(t *testing.T) {
 	fake := &fakeOperatorAdmin{}
 	router, csrf := operatorsRouter(t, fake)
 	rec := consolePost(t, router, "/_gm/operators/root/reset-password", "_csrf="+csrf.Token("ops"))
 	if rec.Code != http.StatusBadRequest {
 		t.Fatalf("status = %d, want 400", rec.Code)
 	}
 	if fake.resetCalls != 0 {
 		t.Error("reset must not run without a password")
 	}
 }
 func TestConsoleOperatorRejectsBadCSRF(t *testing.T) {
 	fake := &fakeOperatorAdmin{}
 	router, _ := operatorsRouter(t, fake)
 	rec := consolePost(t, router, "/_gm/operators/root/disable", "")
 	if rec.Code != http.StatusForbidden {
 		t.Fatalf("status = %d, want 403", rec.Code)
 	}
 	if fake.disableCalls != 0 {
 		t.Error("disable must not run without a CSRF token")
 	}
 }
 func TestConsoleOperatorsUnavailable(t *testing.T) {
 	router, _ := operatorsRouter(t, nil)
 	rec := consoleGet(t, router, "/_gm/operators")
 	if rec.Code != http.StatusServiceUnavailable {
 		t.Fatalf("status = %d, want 503", rec.Code)
 	}
 }
@@ -0,0 +1,214 @@
 package server
 import (
 	"context"
 	"io"
 	"net/http"
 	"net/http/httptest"
 	"strings"
 	"testing"
 	"galaxy/backend/internal/adminconsole"
 	"galaxy/backend/internal/opsstatus"
 	"galaxy/backend/internal/server/middleware/basicauth"
 	"github.com/gin-gonic/gin"
 	"go.uber.org/zap"
 )
 // fakeMonitor is a static opsstatus.Reader for dashboard rendering tests.
 type fakeMonitor struct {
 	snapshot opsstatus.Snapshot
 }
 func (f fakeMonitor) Collect(context.Context) opsstatus.Snapshot {
 	return f.snapshot
 }
 func newConsoleTestRouter(t *testing.T) http.Handler {
 	t.Helper()
 	handler, err := NewRouter(RouterDependencies{
 		Logger:        zap.NewNop(),
 		AdminVerifier: basicauth.NewStaticVerifier("secret"),
 		AdminConsole:  NewAdminConsoleHandlers(AdminConsoleDeps{CSRF: adminconsole.NewCSRF([]byte("test-key"))}),
 	})
 	if err != nil {
 		t.Fatalf("NewRouter: %v", err)
 	}
 	return handler
 }
 func TestAdminConsoleRequiresAuth(t *testing.T) {
 	router := newConsoleTestRouter(t)
 	req := httptest.NewRequest(http.MethodGet, "/_gm/", nil)
 	rec := httptest.NewRecorder()
 	router.ServeHTTP(rec, req)
 	if rec.Code != http.StatusUnauthorized {
 		t.Fatalf("status = %d, want 401", rec.Code)
 	}
 	if got := rec.Header().Get("WWW-Authenticate"); !strings.Contains(got, "Basic") {
 		t.Fatalf("WWW-Authenticate = %q, want a Basic challenge", got)
 	}
 }
 func TestAdminConsoleDashboardRenders(t *testing.T) {
 	router := newConsoleTestRouter(t)
 	for _, path := range []string{"/_gm", "/_gm/"} {
 		req := httptest.NewRequest(http.MethodGet, path, nil)
 		req.SetBasicAuth("ops", "secret")
 		rec := httptest.NewRecorder()
 		router.ServeHTTP(rec, req)
 		if rec.Code != http.StatusOK {
 			t.Fatalf("GET %s status = %d, want 200; body=%s", path, rec.Code, rec.Body.String())
 		}
 		if ct := rec.Header().Get("Content-Type"); !strings.HasPrefix(ct, "text/html") {
 			t.Errorf("GET %s content-type = %q, want text/html", path, ct)
 		}
 		body := rec.Body.String()
 		if !strings.Contains(body, "Dashboard") {
 			t.Errorf("GET %s body missing the dashboard heading", path)
 		}
 		if !strings.Contains(body, "ops") {
 			t.Errorf("GET %s body missing the operator name", path)
 		}
 	}
 }
 func TestAdminConsoleDashboardShowsMonitoring(t *testing.T) {
 	monitor := fakeMonitor{snapshot: opsstatus.Snapshot{
 		PostgresHealthy:       true,
 		Runtimes:              []opsstatus.StatusCount{{Status: "running", Count: 3}, {Status: "stopped", Count: 1}},
 		MailDeliveries:        []opsstatus.StatusCount{{Status: "pending", Count: 2}},
 		NotificationRoutes:    []opsstatus.StatusCount{{Status: "published", Count: 9}},
 		NotificationMalformed: 4,
 		Errors:                []string{"notification route counts: boom"},
 	}}
 	handler, err := NewRouter(RouterDependencies{
 		Logger:        zap.NewNop(),
 		AdminVerifier: basicauth.NewStaticVerifier("secret"),
 		AdminConsole: NewAdminConsoleHandlers(AdminConsoleDeps{
 			CSRF:    adminconsole.NewCSRF([]byte("test-key")),
 			Monitor: monitor,
 			Ready:   func() bool { return true },
 		}),
 	})
 	if err != nil {
 		t.Fatalf("NewRouter: %v", err)
 	}
 	req := httptest.NewRequest(http.MethodGet, "/_gm/", nil)
 	req.SetBasicAuth("ops", "secret")
 	rec := httptest.NewRecorder()
 	handler.ServeHTTP(rec, req)
 	if rec.Code != http.StatusOK {
 		t.Fatalf("status = %d, want 200; body=%s", rec.Code, rec.Body.String())
 	}
 	body := rec.Body.String()
 	for _, want := range []string{
 		"Game runtimes", "running", "stopped",
 		"Mail deliveries", "pending",
 		"Notification routes", "published",
 		"Malformed notifications",
 		"notification route counts: boom",
 		"healthy",
 	} {
 		if !strings.Contains(body, want) {
 			t.Errorf("dashboard body missing %q", want)
 		}
 	}
 }
 func TestAdminConsoleDashboardWithoutMonitor(t *testing.T) {
 	router := newConsoleTestRouter(t) // no monitor wired
 	req := httptest.NewRequest(http.MethodGet, "/_gm/", nil)
 	req.SetBasicAuth("ops", "secret")
 	rec := httptest.NewRecorder()
 	router.ServeHTTP(rec, req)
 	if rec.Code != http.StatusOK {
 		t.Fatalf("status = %d, want 200", rec.Code)
 	}
 	if !strings.Contains(rec.Body.String(), "Monitoring is not wired") {
 		t.Error("dashboard without a monitor should note that monitoring is unavailable")
 	}
 }
 func TestAdminConsoleServesAsset(t *testing.T) {
 	router := newConsoleTestRouter(t)
 	req := httptest.NewRequest(http.MethodGet, "/_gm/assets/console.css", nil)
 	req.SetBasicAuth("ops", "secret")
 	rec := httptest.NewRecorder()
 	router.ServeHTTP(rec, req)
 	if rec.Code != http.StatusOK {
 		t.Fatalf("asset status = %d, want 200", rec.Code)
 	}
 	if ct := rec.Header().Get("Content-Type"); !strings.Contains(ct, "text/css") {
 		t.Errorf("asset content-type = %q, want text/css", ct)
 	}
 }
 func TestAdminConsoleRequireCSRF(t *testing.T) {
 	gin.SetMode(gin.TestMode)
 	csrf := adminconsole.NewCSRF([]byte("test-key"))
 	console := NewAdminConsoleHandlers(AdminConsoleDeps{CSRF: csrf})
 	engine := gin.New()
 	engine.Use(func(c *gin.Context) {
 		c.Request = c.Request.WithContext(basicauth.WithUsername(c.Request.Context(), "ops"))
 		c.Next()
 	})
 	engine.Use(console.RequireCSRF())
 	engine.GET("/x", func(c *gin.Context) { c.Status(http.StatusOK) })
 	engine.POST("/x", func(c *gin.Context) { c.Status(http.StatusOK) })
 	token := csrf.Token("ops")
 	cases := []struct {
 		name   string
 		method string
 		form   string
 		origin string
 		host   string
 		want   int
 	}{
 		{"get is a safe method", http.MethodGet, "", "", "galaxy.lan", http.StatusOK},
 		{"valid token, same origin", http.MethodPost, "_csrf=" + token, "https://galaxy.lan", "galaxy.lan", http.StatusOK},
 		{"valid token, no origin header", http.MethodPost, "_csrf=" + token, "", "galaxy.lan", http.StatusOK},
 		{"missing token", http.MethodPost, "", "https://galaxy.lan", "galaxy.lan", http.StatusForbidden},
 		{"wrong token", http.MethodPost, "_csrf=bogus", "https://galaxy.lan", "galaxy.lan", http.StatusForbidden},
 		{"cross-origin", http.MethodPost, "_csrf=" + token, "https://evil.example", "galaxy.lan", http.StatusForbidden},
 	}
 	for _, tc := range cases {
 		t.Run(tc.name, func(t *testing.T) {
 			var body io.Reader
 			if tc.form != "" {
 				body = strings.NewReader(tc.form)
 			}
 			req := httptest.NewRequest(tc.method, "/x", body)
 			if tc.form != "" {
 				req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
 			}
 			if tc.origin != "" {
 				req.Header.Set("Origin", tc.origin)
 			}
 			req.Host = tc.host
 			rec := httptest.NewRecorder()
 			engine.ServeHTTP(rec, req)
 			if rec.Code != tc.want {
 				t.Fatalf("status = %d, want %d (body=%s)", rec.Code, tc.want, rec.Body.String())
 			}
 		})
 	}
 }
@@ -0,0 +1,252 @@
 package server
 import (
 	"context"
 	"errors"
 	"net/http"
 	"strings"
 	"time"
 	"galaxy/backend/internal/adminconsole"
 	"galaxy/backend/internal/server/middleware/basicauth"
 	"galaxy/backend/internal/user"
 	"github.com/gin-gonic/gin"
 	"github.com/google/uuid"
 	"go.uber.org/zap"
 )
 // UserAdmin is the subset of the user service the operator console depends on.
 // *user.Service satisfies it; tests supply a fake so the console pages render
 // without a database.
 type UserAdmin interface {
 	ListAccounts(ctx context.Context, page, pageSize int) (user.AccountPage, error)
 	GetAccount(ctx context.Context, userID uuid.UUID) (user.Account, error)
 	ApplySanction(ctx context.Context, input user.ApplySanctionInput) (user.Account, error)
 	ApplyEntitlement(ctx context.Context, input user.ApplyEntitlementInput) (user.Account, error)
 	SoftDelete(ctx context.Context, userID uuid.UUID, actor user.ActorRef) error
 }
 // consoleTiers lists the selectable entitlement tiers in display order.
 var consoleTiers = []string{user.TierFree, user.TierMonthly, user.TierYearly, user.TierPermanent}
 // UsersList renders GET /_gm/users — the paginated account list.
 func (h *AdminConsoleHandlers) UsersList() gin.HandlerFunc {
 	return func(c *gin.Context) {
 		if h.users == nil {
 			h.renderMessage(c, http.StatusServiceUnavailable, "users", "Users", "User administration is not available.", "bad", "/_gm/")
 			return
 		}
 		page := parsePositiveQueryInt(c.Query("page"), 1)
 		pageSize := parsePositiveQueryInt(c.Query("page_size"), 50)
 		result, err := h.users.ListAccounts(c.Request.Context(), page, pageSize)
 		if err != nil {
 			h.logger.Error("admin console: list users", zap.Error(err))
 			h.renderMessage(c, http.StatusInternalServerError, "users", "Users", "Failed to load users.", "bad", "/_gm/")
 			return
 		}
 		h.render(c, http.StatusOK, "users", "users", "Users", toUsersListData(result))
 	}
 }
 // UserDetail renders GET /_gm/users/:user_id.
 func (h *AdminConsoleHandlers) UserDetail() gin.HandlerFunc {
 	return func(c *gin.Context) {
 		if h.users == nil {
 			h.renderMessage(c, http.StatusServiceUnavailable, "users", "Users", "User administration is not available.", "bad", "/_gm/")
 			return
 		}
 		userID, ok := parseUserIDParam(c)
 		if !ok {
 			return
 		}
 		account, err := h.users.GetAccount(c.Request.Context(), userID)
 		if err != nil {
 			if errors.Is(err, user.ErrAccountNotFound) {
 				h.renderMessage(c, http.StatusNotFound, "users", "User not found", "No such user, or the account has been soft-deleted.", "bad", "/_gm/users")
 				return
 			}
 			h.logger.Error("admin console: get user", zap.Error(err))
 			h.renderMessage(c, http.StatusInternalServerError, "users", "Users", "Failed to load the user.", "bad", "/_gm/users")
 			return
 		}
 		h.render(c, http.StatusOK, "user_detail", "users", account.Email, toUserDetailData(account))
 	}
 }
 // UserBlock handles POST /_gm/users/:user_id/block — applies a permanent block.
 func (h *AdminConsoleHandlers) UserBlock() gin.HandlerFunc {
 	return func(c *gin.Context) {
 		if h.users == nil {
 			h.renderMessage(c, http.StatusServiceUnavailable, "users", "Users", "User administration is not available.", "bad", "/_gm/")
 			return
 		}
 		userID, ok := parseUserIDParam(c)
 		if !ok {
 			return
 		}
 		back := "/_gm/users/" + userID.String()
 		reason := strings.TrimSpace(c.PostForm("reason_code"))
 		if reason == "" {
 			h.renderMessage(c, http.StatusBadRequest, "users", "Invalid input", "A reason is required to block a user.", "bad", back)
 			return
 		}
 		_, err := h.users.ApplySanction(c.Request.Context(), user.ApplySanctionInput{
 			UserID:       userID,
 			SanctionCode: user.SanctionCodePermanentBlock,
 			Scope:        "account",
 			ReasonCode:   reason,
 			Actor:        actorFromContext(c),
 		})
 		if err != nil {
 			h.logger.Error("admin console: block user", zap.Error(err))
 			h.renderMessage(c, http.StatusInternalServerError, "users", "Block failed", "Failed to block the user.", "bad", back)
 			return
 		}
 		c.Redirect(http.StatusSeeOther, back)
 	}
 }
 // UserEntitlement handles POST /_gm/users/:user_id/entitlement.
 func (h *AdminConsoleHandlers) UserEntitlement() gin.HandlerFunc {
 	return func(c *gin.Context) {
 		if h.users == nil {
 			h.renderMessage(c, http.StatusServiceUnavailable, "users", "Users", "User administration is not available.", "bad", "/_gm/")
 			return
 		}
 		userID, ok := parseUserIDParam(c)
 		if !ok {
 			return
 		}
 		back := "/_gm/users/" + userID.String()
 		tier := strings.TrimSpace(c.PostForm("tier"))
 		source := strings.TrimSpace(c.PostForm("source"))
 		if source == "" {
 			source = "admin"
 		}
 		_, err := h.users.ApplyEntitlement(c.Request.Context(), user.ApplyEntitlementInput{
 			UserID:     userID,
 			Tier:       tier,
 			Source:     source,
 			Actor:      actorFromContext(c),
 			ReasonCode: strings.TrimSpace(c.PostForm("reason_code")),
 		})
 		if err != nil {
 			if errors.Is(err, user.ErrInvalidInput) {
 				h.renderMessage(c, http.StatusBadRequest, "users", "Invalid input", "The entitlement request was rejected: check the tier.", "bad", back)
 				return
 			}
 			h.logger.Error("admin console: apply entitlement", zap.Error(err))
 			h.renderMessage(c, http.StatusInternalServerError, "users", "Entitlement failed", "Failed to update the entitlement.", "bad", back)
 			return
 		}
 		c.Redirect(http.StatusSeeOther, back)
 	}
 }
 // UserSoftDelete handles POST /_gm/users/:user_id/soft-delete.
 func (h *AdminConsoleHandlers) UserSoftDelete() gin.HandlerFunc {
 	return func(c *gin.Context) {
 		if h.users == nil {
 			h.renderMessage(c, http.StatusServiceUnavailable, "users", "Users", "User administration is not available.", "bad", "/_gm/")
 			return
 		}
 		userID, ok := parseUserIDParam(c)
 		if !ok {
 			return
 		}
 		if err := h.users.SoftDelete(c.Request.Context(), userID, actorFromContext(c)); err != nil {
 			if errors.Is(err, user.ErrAccountNotFound) {
 				h.renderMessage(c, http.StatusNotFound, "users", "User not found", "No such user.", "bad", "/_gm/users")
 				return
 			}
 			// A cascade error does not undo the soft delete; log and proceed.
 			h.logger.Warn("admin console: soft-delete cascade returned error", zap.Error(err))
 		}
 		c.Redirect(http.StatusSeeOther, "/_gm/users")
 	}
 }
 // actorFromContext builds the admin ActorRef for audit trails from the
 // authenticated operator username stored by the Basic Auth middleware.
 func actorFromContext(c *gin.Context) user.ActorRef {
 	username, _ := basicauth.UsernameFromContext(c.Request.Context())
 	return user.ActorRef{Type: "admin", ID: username}
 }
 // toUsersListData maps an account page into the users list view model.
 func toUsersListData(page user.AccountPage) adminconsole.UsersListData {
 	data := adminconsole.UsersListData{
 		Items:    make([]adminconsole.UserRow, 0, len(page.Items)),
 		Page:     page.Page,
 		PageSize: page.PageSize,
 		Total:    page.Total,
 		PrevPage: page.Page - 1,
 		NextPage: page.Page + 1,
 		HasPrev:  page.Page > 1,
 		HasNext:  page.Page*page.PageSize < page.Total,
 	}
 	for _, account := range page.Items {
 		data.Items = append(data.Items, adminconsole.UserRow{
 			UserID:      account.UserID.String(),
 			Email:       account.Email,
 			UserName:    account.UserName,
 			DisplayName: account.DisplayName,
 			Tier:        account.Entitlement.Tier,
 			Blocked:     account.PermanentBlock,
 			Deleted:     account.DeletedAt != nil,
 			CreatedAt:   fmtConsoleTime(account.CreatedAt),
 		})
 	}
 	return data
 }
 // toUserDetailData maps an account aggregate into the detail view model.
 func toUserDetailData(account user.Account) adminconsole.UserDetailData {
 	data := adminconsole.UserDetailData{
 		UserID:            account.UserID.String(),
 		Email:             account.Email,
 		UserName:          account.UserName,
 		DisplayName:       account.DisplayName,
 		PreferredLanguage: account.PreferredLanguage,
 		TimeZone:          account.TimeZone,
 		DeclaredCountry:   account.DeclaredCountry,
 		Blocked:           account.PermanentBlock,
 		Deleted:           account.DeletedAt != nil,
 		CreatedAt:         fmtConsoleTime(account.CreatedAt),
 		UpdatedAt:         fmtConsoleTime(account.UpdatedAt),
 		Tier:              account.Entitlement.Tier,
 		IsPaid:            account.Entitlement.IsPaid,
 		EntitlementSource: account.Entitlement.Source,
 		EntitlementReason: account.Entitlement.ReasonCode,
 		EntitlementEnds:   fmtConsoleTimePtr(account.Entitlement.EndsAt),
 		Tiers:             consoleTiers,
 	}
 	for _, sanction := range account.ActiveSanctions {
 		data.Sanctions = append(data.Sanctions, adminconsole.SanctionView{
 			SanctionCode: sanction.SanctionCode,
 			Scope:        sanction.Scope,
 			ReasonCode:   sanction.ReasonCode,
 			AppliedAt:    fmtConsoleTime(sanction.AppliedAt),
 			ExpiresAt:    fmtConsoleTimePtr(sanction.ExpiresAt),
 		})
 	}
 	return data
 }
 // fmtConsoleTime renders a timestamp for display in the console.
 func fmtConsoleTime(t time.Time) string {
 	if t.IsZero() {
 		return ""
 	}
 	return t.UTC().Format("2006-01-02 15:04 UTC")
 }
 // fmtConsoleTimePtr renders an optional timestamp, returning "" when nil.
 func fmtConsoleTimePtr(t *time.Time) string {
 	if t == nil {
 		return ""
 	}
 	return fmtConsoleTime(*t)
 }
@@ -0,0 +1,288 @@
 package server
 import (
 	"context"
 	"net/http"
 	"net/http/httptest"
 	"strings"
 	"testing"
 	"galaxy/backend/internal/adminconsole"
 	"galaxy/backend/internal/server/middleware/basicauth"
 	"galaxy/backend/internal/user"
 	"github.com/google/uuid"
 	"go.uber.org/zap"
 )
 // fakeUserAdmin records calls so the console handlers can be exercised without
 // a database.
 type fakeUserAdmin struct {
 	page    user.AccountPage
 	account user.Account
 	getErr  error
 	sanctionCalls   int
 	lastSanction    user.ApplySanctionInput
 	entitlementCall int
 	lastEntitlement user.ApplyEntitlementInput
 	softDeleteCalls int
 	lastSoftActor   user.ActorRef
 }
 func (f *fakeUserAdmin) ListAccounts(context.Context, int, int) (user.AccountPage, error) {
 	return f.page, nil
 }
 func (f *fakeUserAdmin) GetAccount(context.Context, uuid.UUID) (user.Account, error) {
 	return f.account, f.getErr
 }
 func (f *fakeUserAdmin) ApplySanction(_ context.Context, in user.ApplySanctionInput) (user.Account, error) {
 	f.sanctionCalls++
 	f.lastSanction = in
 	return f.account, nil
 }
 func (f *fakeUserAdmin) ApplyEntitlement(_ context.Context, in user.ApplyEntitlementInput) (user.Account, error) {
 	f.entitlementCall++
 	f.lastEntitlement = in
 	return f.account, nil
 }
 func (f *fakeUserAdmin) SoftDelete(_ context.Context, _ uuid.UUID, actor user.ActorRef) error {
 	f.softDeleteCalls++
 	f.lastSoftActor = actor
 	return nil
 }
 func newUsersConsoleRouter(t *testing.T, users UserAdmin) (http.Handler, *adminconsole.CSRF) {
 	t.Helper()
 	csrf := adminconsole.NewCSRF([]byte("test-key"))
 	handler, err := NewRouter(RouterDependencies{
 		Logger:        zap.NewNop(),
 		AdminVerifier: basicauth.NewStaticVerifier("secret"),
 		AdminConsole:  NewAdminConsoleHandlers(AdminConsoleDeps{CSRF: csrf, Users: users}),
 	})
 	if err != nil {
 		t.Fatalf("NewRouter: %v", err)
 	}
 	return handler, csrf
 }
 func TestConsoleUsersList(t *testing.T) {
 	fake := &fakeUserAdmin{page: user.AccountPage{
 		Items: []user.Account{
 			{UserID: uuid.New(), Email: "alice@example.test", UserName: "alice"},
 			{UserID: uuid.New(), Email: "bob@example.test", UserName: "bob", PermanentBlock: true},
 		},
 		Page: 1, PageSize: 50, Total: 2,
 	}}
 	router, _ := newUsersConsoleRouter(t, fake)
 	req := httptest.NewRequest(http.MethodGet, "/_gm/users", nil)
 	req.SetBasicAuth("ops", "secret")
 	rec := httptest.NewRecorder()
 	router.ServeHTTP(rec, req)
 	if rec.Code != http.StatusOK {
 		t.Fatalf("status = %d, want 200; body=%s", rec.Code, rec.Body.String())
 	}
 	body := rec.Body.String()
 	for _, want := range []string{"alice@example.test", "bob@example.test", "blocked", "page 1"} {
 		if !strings.Contains(body, want) {
 			t.Errorf("users list missing %q", want)
 		}
 	}
 }
 func TestConsoleUserDetailRendersForms(t *testing.T) {
 	id := uuid.New()
 	fake := &fakeUserAdmin{account: user.Account{
 		UserID: id, Email: "alice@example.test", UserName: "alice",
 		Entitlement: user.EntitlementSnapshot{Tier: user.TierFree},
 	}}
 	router, csrf := newUsersConsoleRouter(t, fake)
 	req := httptest.NewRequest(http.MethodGet, "/_gm/users/"+id.String(), nil)
 	req.SetBasicAuth("ops", "secret")
 	rec := httptest.NewRecorder()
 	router.ServeHTTP(rec, req)
 	if rec.Code != http.StatusOK {
 		t.Fatalf("status = %d, want 200; body=%s", rec.Code, rec.Body.String())
 	}
 	body := rec.Body.String()
 	for _, want := range []string{
 		"alice@example.test",
 		"Permanently block",
 		"Update entitlement",
 		"Soft-delete account",
 		csrf.Token("ops"),
 	} {
 		if !strings.Contains(body, want) {
 			t.Errorf("user detail missing %q", want)
 		}
 	}
 }
 func TestConsoleUserDetailNotFound(t *testing.T) {
 	fake := &fakeUserAdmin{getErr: user.ErrAccountNotFound}
 	router, _ := newUsersConsoleRouter(t, fake)
 	req := httptest.NewRequest(http.MethodGet, "/_gm/users/"+uuid.New().String(), nil)
 	req.SetBasicAuth("ops", "secret")
 	rec := httptest.NewRecorder()
 	router.ServeHTTP(rec, req)
 	if rec.Code != http.StatusNotFound {
 		t.Fatalf("status = %d, want 404", rec.Code)
 	}
 	if !strings.Contains(rec.Body.String(), "not found") {
 		t.Error("expected a not-found message")
 	}
 }
 func TestConsoleUserBlock(t *testing.T) {
 	id := uuid.New()
 	fake := &fakeUserAdmin{account: user.Account{UserID: id}}
 	router, csrf := newUsersConsoleRouter(t, fake)
 	form := "_csrf=" + csrf.Token("ops") + "&reason_code=spam"
 	req := httptest.NewRequest(http.MethodPost, "http://galaxy.lan/_gm/users/"+id.String()+"/block", strings.NewReader(form))
 	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
 	req.Header.Set("Origin", "https://galaxy.lan")
 	req.SetBasicAuth("ops", "secret")
 	rec := httptest.NewRecorder()
 	router.ServeHTTP(rec, req)
 	if rec.Code != http.StatusSeeOther {
 		t.Fatalf("status = %d, want 303; body=%s", rec.Code, rec.Body.String())
 	}
 	if fake.sanctionCalls != 1 {
 		t.Fatalf("ApplySanction called %d times, want 1", fake.sanctionCalls)
 	}
 	if fake.lastSanction.SanctionCode != user.SanctionCodePermanentBlock {
 		t.Errorf("sanction code = %q, want permanent_block", fake.lastSanction.SanctionCode)
 	}
 	if fake.lastSanction.Scope != "account" {
 		t.Errorf("scope = %q, want account", fake.lastSanction.Scope)
 	}
 	if fake.lastSanction.ReasonCode != "spam" {
 		t.Errorf("reason = %q, want spam", fake.lastSanction.ReasonCode)
 	}
 	if fake.lastSanction.Actor.Type != "admin" || fake.lastSanction.Actor.ID != "ops" {
 		t.Errorf("actor = %+v, want admin/ops", fake.lastSanction.Actor)
 	}
 	if fake.lastSanction.UserID != id {
 		t.Errorf("sanction user id = %s, want %s", fake.lastSanction.UserID, id)
 	}
 }
 func TestConsoleUserBlockMissingReason(t *testing.T) {
 	id := uuid.New()
 	fake := &fakeUserAdmin{account: user.Account{UserID: id}}
 	router, csrf := newUsersConsoleRouter(t, fake)
 	form := "_csrf=" + csrf.Token("ops")
 	req := httptest.NewRequest(http.MethodPost, "http://galaxy.lan/_gm/users/"+id.String()+"/block", strings.NewReader(form))
 	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
 	req.Header.Set("Origin", "https://galaxy.lan")
 	req.SetBasicAuth("ops", "secret")
 	rec := httptest.NewRecorder()
 	router.ServeHTTP(rec, req)
 	if rec.Code != http.StatusBadRequest {
 		t.Fatalf("status = %d, want 400", rec.Code)
 	}
 	if fake.sanctionCalls != 0 {
 		t.Errorf("ApplySanction must not be called without a reason")
 	}
 }
 func TestConsoleUserBlockRejectsBadCSRF(t *testing.T) {
 	id := uuid.New()
 	fake := &fakeUserAdmin{account: user.Account{UserID: id}}
 	router, _ := newUsersConsoleRouter(t, fake)
 	req := httptest.NewRequest(http.MethodPost, "http://galaxy.lan/_gm/users/"+id.String()+"/block", strings.NewReader("reason_code=spam"))
 	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
 	req.Header.Set("Origin", "https://galaxy.lan")
 	req.SetBasicAuth("ops", "secret")
 	rec := httptest.NewRecorder()
 	router.ServeHTTP(rec, req)
 	if rec.Code != http.StatusForbidden {
 		t.Fatalf("status = %d, want 403", rec.Code)
 	}
 	if fake.sanctionCalls != 0 {
 		t.Errorf("ApplySanction must not run when the CSRF token is missing")
 	}
 }
 func TestConsoleUserEntitlement(t *testing.T) {
 	id := uuid.New()
 	fake := &fakeUserAdmin{account: user.Account{UserID: id}}
 	router, csrf := newUsersConsoleRouter(t, fake)
 	form := "_csrf=" + csrf.Token("ops") + "&tier=monthly&source=admin&reason_code=promo"
 	req := httptest.NewRequest(http.MethodPost, "http://galaxy.lan/_gm/users/"+id.String()+"/entitlement", strings.NewReader(form))
 	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
 	req.Header.Set("Origin", "https://galaxy.lan")
 	req.SetBasicAuth("ops", "secret")
 	rec := httptest.NewRecorder()
 	router.ServeHTTP(rec, req)
 	if rec.Code != http.StatusSeeOther {
 		t.Fatalf("status = %d, want 303; body=%s", rec.Code, rec.Body.String())
 	}
 	if fake.entitlementCall != 1 {
 		t.Fatalf("ApplyEntitlement called %d times, want 1", fake.entitlementCall)
 	}
 	if fake.lastEntitlement.Tier != user.TierMonthly {
 		t.Errorf("tier = %q, want monthly", fake.lastEntitlement.Tier)
 	}
 	if fake.lastEntitlement.Actor.ID != "ops" {
 		t.Errorf("actor id = %q, want ops", fake.lastEntitlement.Actor.ID)
 	}
 }
 func TestConsoleUserSoftDelete(t *testing.T) {
 	id := uuid.New()
 	fake := &fakeUserAdmin{account: user.Account{UserID: id}}
 	router, csrf := newUsersConsoleRouter(t, fake)
 	form := "_csrf=" + csrf.Token("ops")
 	req := httptest.NewRequest(http.MethodPost, "http://galaxy.lan/_gm/users/"+id.String()+"/soft-delete", strings.NewReader(form))
 	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
 	req.Header.Set("Origin", "https://galaxy.lan")
 	req.SetBasicAuth("ops", "secret")
 	rec := httptest.NewRecorder()
 	router.ServeHTTP(rec, req)
 	if rec.Code != http.StatusSeeOther {
 		t.Fatalf("status = %d, want 303", rec.Code)
 	}
 	if got := rec.Header().Get("Location"); got != "/_gm/users" {
 		t.Errorf("redirect Location = %q, want /_gm/users", got)
 	}
 	if fake.softDeleteCalls != 1 {
 		t.Fatalf("SoftDelete called %d times, want 1", fake.softDeleteCalls)
 	}
 	if fake.lastSoftActor.ID != "ops" {
 		t.Errorf("soft-delete actor = %q, want ops", fake.lastSoftActor.ID)
 	}
 }
 func TestConsoleUsersUnavailable(t *testing.T) {
 	router, _ := newUsersConsoleRouter(t, nil) // no user service wired
 	req := httptest.NewRequest(http.MethodGet, "/_gm/users", nil)
 	req.SetBasicAuth("ops", "secret")
 	rec := httptest.NewRecorder()
 	router.ServeHTTP(rec, req)
 	if rec.Code != http.StatusServiceUnavailable {
 		t.Fatalf("status = %d, want 503", rec.Code)
 	}
 }
@@ -39,55 +39,6 @@ func NewUserGamesHandlers(rt *runtime.Service, engine *engineclient.Client, logg
 	return &UserGamesHandlers{runtime: rt, engine: engine, logger: logger.Named("http.user.games")}
 }
 // Commands handles POST /api/v1/user/games/{game_id}/commands.
 func (h *UserGamesHandlers) Commands() gin.HandlerFunc {
 	if h == nil || h.runtime == nil || h.engine == nil {
 		return handlers.NotImplemented("userGamesCommands")
 	}
 	return func(c *gin.Context) {
 		gameID, ok := parseGameIDParam(c)
 		if !ok {
 			return
 		}
 		userID, ok := userid.FromContext(c.Request.Context())
 		if !ok {
 			httperr.Abort(c, http.StatusBadRequest, httperr.CodeInvalidRequest, "user id missing")
 			return
 		}
 		body, err := io.ReadAll(c.Request.Body)
 		if err != nil {
 			httperr.Abort(c, http.StatusBadRequest, httperr.CodeInvalidRequest, "request body could not be read")
 			return
 		}
 		ctx := c.Request.Context()
 		if err := h.runtime.CheckOrdersAccept(ctx, gameID); err != nil {
 			respondGameProxyError(c, h.logger, "user games commands", ctx, err)
 			return
 		}
 		mapping, err := h.runtime.ResolvePlayerMapping(ctx, gameID, userID)
 		if err != nil {
 			respondGameProxyError(c, h.logger, "user games commands", ctx, err)
 			return
 		}
 		endpoint, err := h.runtime.EngineEndpoint(ctx, gameID)
 		if err != nil {
 			respondGameProxyError(c, h.logger, "user games commands", ctx, err)
 			return
 		}
 		payload, err := rebindActor(body, mapping.RaceName)
 		if err != nil {
 			httperr.Abort(c, http.StatusBadRequest, httperr.CodeInvalidRequest, "request body must be a JSON object")
 			return
 		}
 		resp, err := h.engine.ExecuteCommands(ctx, endpoint, payload)
 		if err != nil {
 			respondEngineProxyError(c, h.logger, "user games commands", ctx, resp, err)
 			return
 		}
 		c.Data(http.StatusOK, "application/json", resp)
 	}
 }
 // Orders handles POST /api/v1/user/games/{game_id}/orders.
 func (h *UserGamesHandlers) Orders() gin.HandlerFunc {
 	if h == nil || h.runtime == nil || h.engine == nil {
@@ -86,6 +86,15 @@ func (h *UserLobbyGamesHandlers) Create() gin.HandlerFunc {
 			return
 		}
 		ctx := c.Request.Context()
 		paid, err := h.svc.IsPaid(ctx, userID)
 		if err != nil {
 			respondLobbyError(c, h.logger, "user lobby games create", ctx, err)
 			return
 		}
 		if !paid {
 			httperr.Abort(c, http.StatusForbidden, httperr.CodeForbidden, "creating private games requires a paid subscription")
 			return
 		}
 		owner := userID
 		game, err := h.svc.CreateGame(ctx, lobby.CreateGameInput{
 			OwnerUserID: &owner,
@@ -81,6 +81,13 @@ type RouterDependencies struct {
 	AdminGeo *AdminGeoHandlers
 	InternalSessions *InternalSessionsHandlers
 	InternalUsers *InternalUsersHandlers
 	// AdminConsole, when non-nil, mounts the server-rendered operator
 	// console under the `/_gm` route group behind the same admin Basic
 	// Auth verifier as `/api/v1/admin`. A nil value leaves the console
 	// unmounted, which keeps routers built without console wiring (the
 	// contract test, most unit tests) unchanged.
 	AdminConsole *AdminConsoleHandlers
 }
 // NewRouter constructs the backend gin engine wired with the documented
@@ -123,6 +130,7 @@ func NewRouter(deps RouterDependencies) (http.Handler, error) {
 	registerUserRoutes(router, instruments, deps)
 	registerAdminRoutes(router, instruments, deps)
 	registerInternalRoutes(router, instruments, deps)
 	registerAdminConsoleRoutes(router, deps)
 	router.NoMethod(func(c *gin.Context) {
 		if allow := allowedMethodsForPath(c.Request.URL.Path); allow != "" {
@@ -270,7 +278,6 @@ func registerUserRoutes(router *gin.Engine, instruments *metrics.Instruments, de
 	raceNames.POST("/register", deps.UserLobbyRaceNames.Register())
 	userGames := group.Group("/games")
 	userGames.POST("/:game_id/commands", deps.UserGames.Commands())
 	userGames.POST("/:game_id/orders", deps.UserGames.Orders())
 	userGames.GET("/:game_id/orders", deps.UserGames.GetOrders())
 	userGames.GET("/:game_id/reports/:turn", deps.UserGames.Report())
@@ -365,6 +372,57 @@ func registerInternalRoutes(router *gin.Engine, instruments *metrics.Instruments
 	users.GET("/:user_id/account-internal", deps.InternalUsers.GetAccountInternal())
 }
 // registerAdminConsoleRoutes mounts the server-rendered operator console under
 // `/_gm` when deps.AdminConsole is wired. The group reuses the same admin Basic
 // Auth verifier as `/api/v1/admin`; the CSRF guard then protects every
 // state-changing request. A nil AdminConsole leaves the surface unmounted.
 func registerAdminConsoleRoutes(router *gin.Engine, deps RouterDependencies) {
 	if deps.AdminConsole == nil {
 		return
 	}
 	group := router.Group("/_gm")
 	group.Use(basicauth.Middleware(deps.AdminVerifier, adminBasicAuthRealm))
 	group.Use(deps.AdminConsole.RequireCSRF())
 	group.GET("/assets/*filepath", deps.AdminConsole.Asset())
 	group.GET("", deps.AdminConsole.Dashboard())
 	group.GET("/", deps.AdminConsole.Dashboard())
 	group.GET("/users", deps.AdminConsole.UsersList())
 	group.GET("/users/:user_id", deps.AdminConsole.UserDetail())
 	group.POST("/users/:user_id/block", deps.AdminConsole.UserBlock())
 	group.POST("/users/:user_id/entitlement", deps.AdminConsole.UserEntitlement())
 	group.POST("/users/:user_id/soft-delete", deps.AdminConsole.UserSoftDelete())
 	group.GET("/games", deps.AdminConsole.GamesList())
 	group.POST("/games", deps.AdminConsole.GameCreate())
 	group.GET("/games/:game_id", deps.AdminConsole.GameDetail())
 	group.POST("/games/:game_id/force-start", deps.AdminConsole.GameForceStart())
 	group.POST("/games/:game_id/force-stop", deps.AdminConsole.GameForceStop())
 	group.POST("/games/:game_id/ban-member", deps.AdminConsole.GameBanMember())
 	group.POST("/games/:game_id/runtime/restart", deps.AdminConsole.RuntimeRestart())
 	group.POST("/games/:game_id/runtime/patch", deps.AdminConsole.RuntimePatch())
 	group.POST("/games/:game_id/runtime/force-next-turn", deps.AdminConsole.RuntimeForceNextTurn())
 	group.GET("/engine-versions", deps.AdminConsole.EngineVersionsList())
 	group.POST("/engine-versions", deps.AdminConsole.EngineVersionRegister())
 	group.POST("/engine-versions/:version/disable", deps.AdminConsole.EngineVersionDisable())
 	group.GET("/operators", deps.AdminConsole.OperatorsList())
 	group.POST("/operators", deps.AdminConsole.OperatorCreate())
 	group.POST("/operators/:username/disable", deps.AdminConsole.OperatorDisable())
 	group.POST("/operators/:username/enable", deps.AdminConsole.OperatorEnable())
 	group.POST("/operators/:username/reset-password", deps.AdminConsole.OperatorResetPassword())
 	group.GET("/mail", deps.AdminConsole.MailPage())
 	group.GET("/mail/deliveries/:delivery_id", deps.AdminConsole.MailDeliveryDetail())
 	group.POST("/mail/deliveries/:delivery_id/resend", deps.AdminConsole.MailResend())
 	group.GET("/notifications", deps.AdminConsole.NotificationsPage())
 	group.GET("/broadcast", deps.AdminConsole.BroadcastForm())
 	group.POST("/broadcast", deps.AdminConsole.BroadcastSend())
 }
 // allowedMethodsForPath returns the comma-separated list of methods
 // the gin router accepts on requestPath. Only the probe paths declare
 // a non-empty list so NoMethod can advertise a useful `Allow` header
@@ -265,7 +265,12 @@ paths:
      summary: Create a new private lobby game owned by the caller
      description: |
        Always emits a `private` game owned by `X-User-ID`. Public games
-        are created via `POST /api/v1/admin/games`.
+        are created via `POST /api/v1/admin/games`. The endpoint is
        gated by the caller's paid tier: free-tier accounts receive
        `403 forbidden` (code `forbidden`) and no `draft` row is
        created. The tier is read through
        `EntitlementProvider.IsPaid(userID)` from the user-domain
        service.
      security:
        - UserHeader: []
      parameters:
@@ -285,6 +290,8 @@ paths:
                $ref: "#/components/schemas/LobbyGameDetail"
        "400":
          $ref: "#/components/responses/InvalidRequestError"
        "403":
          $ref: "#/components/responses/ForbiddenError"
        "501":
          $ref: "#/components/responses/NotImplementedError"
        "500":
@@ -974,37 +981,6 @@ paths:
          $ref: "#/components/responses/NotImplementedError"
        "500":
          $ref: "#/components/responses/InternalError"
  /api/v1/user/games/{game_id}/commands:
    post:
      tags: [User]
      operationId: userGamesCommands
      summary: Forward an engine command batch
      security:
        - UserHeader: []
      parameters:
        - $ref: "#/components/parameters/XUserID"
        - $ref: "#/components/parameters/GameID"
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: "#/components/schemas/EngineCommand"
      responses:
        "200":
          description: Engine command result passed through.
          content:
            application/json:
              schema:
                $ref: "#/components/schemas/PassthroughObject"
        "400":
          $ref: "#/components/responses/InvalidRequestError"
        "404":
          $ref: "#/components/responses/NotFoundError"
        "501":
          $ref: "#/components/responses/NotImplementedError"
        "500":
          $ref: "#/components/responses/InternalError"
  /api/v1/user/games/{game_id}/orders:
    post:
      tags: [User]
@@ -3531,14 +3507,6 @@ components:
      properties:
        name:
          type: string
    EngineCommand:
      type: object
      additionalProperties: true
      description: |
        Engine command request body. The schema is permissive because the
        engine proxy passes the body through verbatim; the typed shape
        lives in `pkg/model/rest.Command` and is enforced by
        `internal/engineclient` before the engine call leaves backend.
    EngineOrder:
      type: object
      additionalProperties: true
@@ -142,7 +142,9 @@ because they cross domain boundaries:
 - **Public lobby games are admin-created** through
  `POST /api/v1/admin/games`. The user-facing
  `POST /api/v1/user/lobby/games` always emits `private` games owned by
-  `X-User-ID`. Public games carry `owner_user_id IS NULL`; the partial
+  `X-User-ID`, and is gated by `EntitlementProvider.IsPaid` — free-tier
  callers receive `403 forbidden` before the lobby service is invoked.
  Public games carry `owner_user_id IS NULL`; the partial
  index on `(owner_user_id) WHERE visibility = 'private'` keeps the
  private-owner lookup efficient.
 - **Authenticated lobby commands** flow through the gateway envelope
@@ -373,9 +375,9 @@ Authenticated client traffic for in-game operations crosses three
 serialisation boundaries: signed-gRPC FlatBuffers (client ↔ gateway),
 JSON over REST (gateway ↔ backend), and JSON over REST again
 (backend ↔ engine). Gateway owns the FB ↔ JSON transcoding for the
-four message types `user.games.command`, `user.games.order`,
+three message types `user.games.order`, `user.games.order.get`,
-`user.games.order.get`, `user.games.report` (FB schemas in
+`user.games.report` (FB schemas in `pkg/schema/fbs/{order,report}`,
-`pkg/schema/fbs/{order,report}`, encoders in `pkg/transcoder`).
+encoders in `pkg/transcoder`).
 `user.games.order.get` reads back the player's stored order for a
 given turn — paired with the POST `user.games.order` so the client
 can hydrate its local draft after a cache loss without re-deriving
@@ -400,6 +402,14 @@ Container state is owned by `backend/internal/runtime`:
  always `http://galaxy-game-{game_id}:8080`.
 - Engine probes (`/healthz`) feed `runtime` health observations and turn
  generation status.
 - Canonical game identity is owned by backend. The `game_id` allocated
  at game-create time is reused everywhere downstream: it names the
  container, the host bind-mount directory, and is passed verbatim to
  the engine in `POST /api/v1/admin/init`'s `gameId` field. The engine
  persists this value into `state.json` and echoes it in every
  `StateResponse`; the engine never mints its own game UUID. A zero
  UUID or a conflict with an existing `state.json` is rejected by the
  engine (`400` / `409` respectively).
 ## 10. Geo Profile (reduced)
@@ -571,6 +581,36 @@ directly.
  `/api/v1/admin/notifications/*`) reuse the per-domain logic of the
  module they target.
 ### 14.1 Operator console (`/_gm`)
 `backend` also serves a server-rendered operator console under the `/_gm`
 route group — the human-facing surface for the admin operations otherwise
 exposed as JSON under `/api/v1/admin/*`. It reuses the `admin_accounts`
 Basic Auth verifier and renders pages with the standard library's
 `html/template` (navigation by path and query, Post/Redirect/Get on
 writes; no client framework or build step).
 Unlike the internal-only JSON admin API, the console is reachable from the
 public edge: Caddy routes `/_gm/*` to the gateway public listener, which
 classifies it as the `admin` anti-abuse class (per-IP rate limit, body and
 method limits) and reverse-proxies it to `backend`'s `/_gm` surface. The
 gateway preserves the inbound `Host` and relays the backend's 401 Basic
 Auth challenge unchanged, so the browser shows its native credential
 dialog. Authentication is enforced by `backend`; the gateway contributes
 only the edge anti-abuse layer.
 State-changing requests are guarded against CSRF by a stateless token
 (HMAC-SHA256 over the authenticated username, keyed by
 `BACKEND_ADMIN_CONSOLE_CSRF_KEY`; a per-process random key is used when the
 variable is unset) plus a same-origin `Origin`/`Referer` check.
 The console landing page is a dashboard that surfaces backend-visible
 operational signals — database reachability, per-status game-runtime counts,
 and mail/notification queue depths — read directly through the persistence
 layer; richer historical metrics come from the Prometheus exporters on
 `backend` and `gateway` (see [§17](#17-observability)). See
 `backend/docs/admin-console.md` for the console design.
 ## 15. Transport Security Model (gateway boundary)
 This section describes the secure exchange model between client and
@@ -813,7 +853,8 @@ business validation and authorisation.
 | Session revocation propagation                           | backend → gateway       | `session_invalidation` over the gRPC push stream flips the gateway-side cache entry to revoked and closes any active push stream. |
 | Authorisation, ownership, state transitions              | backend                 | `X-User-ID` is the sole identity input on the user surface.                                     |
 | Edge rate limiting                                       | gateway                 | Backend has no rate-limit responsibility in MVP.                                                |
-| Admin authentication                                     | backend                 | Basic Auth against `admin_accounts`.                                                            |
+| Admin authentication                                     | backend                 | Basic Auth against `admin_accounts`; the `/_gm` operator console reuses the same verifier.       |
 | Admin console CSRF                                        | backend                 | Stateless HMAC token (`BACKEND_ADMIN_CONSOLE_CSRF_KEY`) + same-origin `Origin`/`Referer` check on `/_gm` writes. |
 | Engine API authentication                                | network                 | Engine listens only on the trusted network; backend is the only caller.                         |
 ### Backend ↔ Gateway trust
@@ -847,6 +888,19 @@ addition.
 - Health probes are unauthenticated `GET /healthz` (process liveness) and
  `GET /readyz` (Postgres reachable, migrations applied, gRPC listener
  bound). Probes are excluded from anti-replay and rate limiting.
 - **Collection (dev, production mirror).** The long-lived dev environment
  (`tools/dev-deploy/`) runs a full metrics + logs + traces stack on its
  internal network with no host ports: Prometheus scrapes the backend
  (`:9100`) and gateway (`:9191`) endpoints plus `node-exporter` and
  cAdvisor; Tempo ingests OTLP traces from backend and gateway; Loki
  stores container logs shipped by promtail (Docker service-discovery on
  the `galaxy.stack=dev-deploy` label). Grafana (provisioned datasources
  + dashboards) and the Mailpit capture UI are reached only through the
  operator console's single `/_gm` Basic Auth gate (§14.1) — at
  `/_gm/grafana/` and `/_gm/mailpit/` — so one password covers the
  console and both UIs. Retention is tuned small (Prometheus 15d, Loki
  7d, Tempo 3d). The same compose fragment is meant to back production.
  See `tools/dev-deploy/monitoring/README.md`.
 ## 18. CI and Environments
@@ -363,6 +363,18 @@ records the new game with `owner_user_id` set to the caller and
 visibility `private`, in state `draft`, with the request body's
 configuration as initial values.
 The user surface is gated by the caller's paid tier. Backend reads
 `EntitlementProvider.IsPaid(userID)` before invoking the lobby
 service; free-tier callers are rejected with HTTP
 `403 forbidden` (canonical error code `forbidden`) and no `draft`
 row is created. The matching UI affordances — the `private games`
 sidebar sub-panel and its `create new game` button — are hidden from
 free-tier sessions in the lobby shell; the
 `VITE_GALAXY_DEV_AFFORDANCES` build flag overrides the UI gate so the
 owner can exercise both branches from a single test account in DEV
 bundles. Admin-driven public-game creation
 ([Section 10](#10-administration)) bypasses the tier gate.
 Public games are created exclusively through the admin surface
 ([Section 10](#10-administration)). The user surface never produces a public game; this
 asymmetry is enforced in backend, not at the route level.
@@ -607,10 +619,10 @@ not duplicated here.
 ### 6.2 Backend's role: pass-through with authorisation
-The signed authenticated-edge pipeline for in-game traffic uses four
+The signed authenticated-edge pipeline for in-game traffic uses three
-message types on the authenticated surface — `user.games.command`,
+message types on the authenticated surface — `user.games.order`,
-`user.games.order`, `user.games.order.get`, `user.games.report` —
+`user.games.order.get`, `user.games.report` — each with a typed
-each with a typed FlatBuffers payload. Gateway transcodes the FB
+FlatBuffers payload. Gateway transcodes the FB
 request into the JSON shape backend expects, forwards over plain
 REST to the corresponding `/api/v1/user/games/{game_id}/*` endpoint,
 then transcodes the JSON response back into FB before signing the
@@ -636,6 +648,20 @@ validity and ordering of in-game decisions. Gateway needs to know
 the typed FB shape only to transcode the wire format; the per-command
 semantics live in the engine.
 For `user.games.order` specifically, the engine validates every
 command in the submitted order against a transient view of the
 current game state and reports the outcome per command on each
 command's meta (`cmdApplied`, `cmdErrorCode`) inside the same
 `UserGamesOrder` body. The order is persisted with these per-command
 verdicts even when some commands are rejected — for example, deleting
 the "create ship class X" command from an order that still contains
 "produce ship X" makes the second command fail with a per-command
 `cmdErrorCode` for "entity does not exist", while the rest of the
 order remains stored and the response is still a `202 Accepted`. A
 `400` is returned only for order-level structural rejections
 (`quit` not the last command, unrecognized command type, malformed
 input); `500` only for genuine engine-internal failures.
 ### 6.3 Turn cutoff and auto-pause
 A running game continuously alternates between a command-accepting
@@ -645,7 +671,7 @@ in `runtime_records.turn_schedule`. The backend scheduler
 `/admin/turn` call between two `runtime_status` flips:
 - Before the engine call: `running → generation_in_progress`.
-  The user-games command/order handlers
+  The user-games order handlers
  (`backend/internal/server/handlers_user_games.go`) consult the
  per-game runtime record on every request and reject with
  HTTP 409 + `code = turn_already_closed` while the runtime sits in
@@ -678,14 +704,26 @@ demand. Backend authorises the caller and forwards the request;
 there is no caching or denormalisation in this path.
 The web client renders the report as one section per FBS array
-(galaxy summary, votes, player status, my / foreign sciences, my /
+(galaxy summary, races leaving soon, votes, player status, my /
-foreign ship classes, battles, bombings, approaching groups, my /
+foreign sciences, my / foreign ship classes, battles, bombings,
-foreign / uninhabited / unknown planets, ships in production,
+approaching groups, my / foreign / uninhabited / unknown planets,
-cargo routes, my fleets, my / foreign / unidentified ship groups).
+ships in production, cargo routes, my fleets, my / foreign /
-Empty sections render explicit empty-state copy. Section anchors
+unidentified ship groups). Empty sections render explicit
-are exposed in a sticky table of contents (a `<select>` on mobile)
+empty-state copy; "races leaving soon" is the exception and hides
-and the scroll position is preserved across active-view switches
+entirely when no race is near removal. When the local race is
-via SvelteKit's `Snapshot` API.
+itself within five turns of being auto-removed for inactivity, a
 danger-styled personal warning banner above the section list
 carries its own turns-remaining countdown; the public "races
 leaving soon" section lists every other race within three turns
 of removal. Section
 navigation is exposed through a sticky icon-popup menu pinned to
 the top-right of the report column (an anchored popover on desktop
 and a fixed bottom-sheet on mobile); the trigger label tracks the
 section currently in view, and picking a menuitem scrolls the
 matching section into view. Re-entering the report active view
 remounts the component and resets the scroll position; the active
 highlight is re-derived from the IntersectionObserver as the user
 scrolls.
 The Bombings section is a flat read-only table — one row per
 bombing event, columns for `attacker`, `attack_power`, `wiped`
@@ -808,8 +846,12 @@ every change applies within one frame (no Pixi remount):
  `VisibilityDistance(localPlayerDrive)` circles around LOCAL
  planets; LOCAL planets are always exempt — the toggle is
  named after the visible part of the map rather than the
-  obscured one) plus the torus / no-wrap radio that switches
+  obscured one). The renderer always runs in torus mode; the
-  the renderer mode while preserving the camera centre.
+  earlier torus / no-wrap radio was removed in F8 polish
  (issue #48 п.8) because the topology is a server-side concept
  rather than a per-session UI affordance. The renderer-side
  no-wrap path is retained for the day the engine surfaces a
  bounded-plane mode.
 LOCAL planets are always rendered — they have no toggle. Every
 other toggle defaults to ON. Hiding a planet cascades onto every
@@ -1120,6 +1162,31 @@ operator's password manager can match it across deployments.
 After the first deployment, the bootstrap password should be
 rotated through the admin surface.
 ### 10.2.1 Operator console (`/_gm`)
 Administrators drive these operations either programmatically through
 the JSON admin API or through a server-rendered web console at `/_gm`.
 The console authenticates with the same Basic Auth credentials: opening
 any `/_gm` page prompts the browser's native credential dialog, and the
 operator stays signed in for the session. Navigation is by ordinary
 links and query parameters; every change is submitted as a form and
 answered with a redirect back to the affected page.
 The console is the only admin surface reachable from outside the trusted
 network. It is fronted by the gateway, so it inherits the same edge rate
 limiting and request limits as the public API, and it carries an
 anti-CSRF token on every change. The JSON admin API stays internal to
 the deployment.
 The console landing page is a dashboard that summarises operational
 health: whether the backend is ready and the database reachable, how many
 game runtimes sit in each state, and the depth of the mail and
 notification queues. It is a read-only point-in-time view for quick
 triage, not a metrics history. The console nav also links to Grafana
 (metrics, logs and traces) and the Mailpit capture UI, which the
 deployment serves under the same `/_gm` Basic Auth gate — one sign-in
 covers the console and both UIs.
 ### 10.3 Admin account management
 Existing admins can list other admins, create new ones, look up a
@@ -377,6 +377,18 @@ cancelled достижим из любого pre-finished-состояния.
 visibility `private`, в состоянии `draft`, с конфигурацией из
 тела запроса в качестве начальных значений.
 User-surface гейтится платным тарифом вызывающего. Backend читает
 `EntitlementProvider.IsPaid(userID)` перед вызовом lobby-сервиса;
 free-tier-вызовы отклоняются с HTTP `403 forbidden`
 (канонический код ошибки `forbidden`), и `draft`-запись не
 создаётся. Соответствующие UI-аффордансы — подраздел
 `private games` в сайдбаре и кнопка `create new game` внутри него —
 скрыты в lobby-shell для free-tier-сессий; build-флаг
 `VITE_GALAXY_DEV_AFFORDANCES` переопределяет UI-гейт, чтобы owner
 мог в DEV-сборке проверять обе ветки с одного тестового аккаунта.
 Admin-создание public-игр ([Раздел 10](#10-администрирование))
 обходит тир-гейт.
 Public-игры создаются исключительно через admin-surface
 ([Раздел 10](#10-администрирование)). User-surface никогда не
 производит public-игру; асимметрия enforced в backend, не на
@@ -625,9 +637,9 @@ Wire-формат команд, приказов и отчётов — собс
 ### 6.2 Роль backend: pass-through с авторизацией
 Подписанный конвейер аутентифицированного edge для in-game-трафика
-использует четыре message types на аутентифицированной поверхности —
+использует три message types на аутентифицированной поверхности —
-`user.games.command`, `user.games.order`, `user.games.order.get`,
+`user.games.order`, `user.games.order.get`, `user.games.report` —
-`user.games.report` — у каждого типизированный FlatBuffers-payload.
+у каждого типизированный FlatBuffers-payload.
 Gateway транскодирует FB-запрос в JSON-форму, которую ждёт backend,
 форвардит её REST'ом в соответствующий
 `/api/v1/user/games/{game_id}/*` endpoint, после чего транскодирует
@@ -654,6 +666,20 @@ Backend не парсит содержимое payload команд или пр
 FB-форму только чтобы транскодировать wire-формат; per-command-
 семантика живёт в движке.
 Специально для `user.games.order` движок валидирует каждую команду
 приказа на транзиентном слепке текущего состояния игры и записывает
 итог по каждой команде в её мету (`cmdApplied`, `cmdErrorCode`) в
 том же ответе `UserGamesOrder`. Приказ сохраняется с этими
 per-command-вердиктами даже если часть команд была отклонена —
 например, удаление команды «создать класс корабля X» из приказа,
 в котором остаётся «строить X», приводит к тому, что вторая команда
 возвращается с `cmdErrorCode` «сущность не существует», а остальные
 команды приказа остаются сохранёнными, и ответ остаётся
 `202 Accepted`. `400` возвращается только для структурных отказов
 на уровне приказа (`quit` не последняя команда, неизвестный
 command type, малформированный вход); `500` — только для реальных
 внутренних сбоев движка.
 ### 6.3 Окно хода и auto-pause
 Запущенная игра постоянно чередуется между окном приёма команд
@@ -696,14 +722,26 @@ Backend авторизует вызывающего и форвардит зап
 нет ни кэширования, ни денормализации.
 Web-клиент рендерит отчёт как одну секцию на каждый FBS-массив
-(общие сведения, голоса, статус игроков, мои / чужие науки, мои /
+(общие сведения, скоро покидающие игру расы, голоса, статус
-чужие классы кораблей, сражения, бомбардировки, приближающиеся
+игроков, мои / чужие науки, мои / чужие классы кораблей, сражения,
-группы, мои / чужие / необитаемые / неопознанные планеты, корабли в
+бомбардировки, приближающиеся группы, мои / чужие / необитаемые /
-производстве, грузовые маршруты, мои флоты, мои / чужие /
+неопознанные планеты, корабли в производстве, грузовые маршруты,
-неопознанные группы кораблей). Пустые секции получают явную копию
+мои флоты, мои / чужие / неопознанные группы кораблей). Пустые
-empty-state. Якоря секций отображены в sticky-TOC (на мобильном —
+секции получают явную копию empty-state; исключение — секция
-`<select>`); позиция скролла сохраняется при переключении активного
+«скоро покидающие игру расы»: она полностью скрывается, когда ни
-представления через SvelteKit `Snapshot` API.
+одна раса не близка к исключению. Если же близка к исключению за
 неактивность сама локальная раса (осталось не более пяти ходов),
 над списком секций показывается персональный
 баннер-предупреждение (стиль danger) с числом оставшихся ходов;
 публичная секция «скоро покидающие игру расы» перечисляет все
 прочие расы, до исключения которых осталось не более трёх ходов.
 Навигация по секциям — sticky icon-popup в правом
 верхнем углу колонки отчёта (анкорный popover на десктопе и фикс.
 bottom-sheet на мобильном); подпись на кнопке отслеживает раздел,
 который сейчас в зоне видимости, выбор пункта меню — скролл к
 нужной секции. При возврате в активный вью отчёт перемонтируется,
 позиция скролла сбрасывается к началу, а IntersectionObserver
 заново рассчитывает подсветку при прокрутке.
 Секция бомбардировок — это плоская read-only-таблица: одна строка на
 событие, колонки `attacker`, `attack_power`, признак `wiped` и
@@ -828,9 +866,12 @@ Directory-промоушен ([Раздел 5](#5-реестр-названий-
  объединения окружностей
  `VisibilityDistance(localPlayerDrive)` вокруг LOCAL-планет;
  LOCAL-планеты всегда вне фильтра — тоггл назван по видимой
-  области карты, а не по затемнённой) плюс радиогруппа
+  области карты, а не по затемнённой). Рендерер всегда работает
-  «торус / без переноса», переключающая режим рендерера с
+  в торическом режиме; прежняя радиогруппа «торус / без
-  сохранением центра камеры.
+  переноса» была удалена в полишинге F8 (issue #48 п.8),
  поскольку топология карты — серверная сущность, а не
  per-session UI-настройка. Код-путь без переноса в рендерере
  оставлен на день, когда движок выставит режим bounded plane.
 LOCAL-планеты отрисовываются всегда — для них тоггла нет.
 Остальные тогглы по умолчанию включены. Скрытие планеты
@@ -1156,6 +1197,31 @@ deployments.
 После первого деплоя bootstrap-пароль должен быть ротирован
 через admin-surface.
 ### 10.2.1 Операторская консоль (`/_gm`)
 Администраторы выполняют эти операции либо программно через JSON
 admin-API, либо через серверно-рендеримую веб-консоль на `/_gm`.
 Консоль аутентифицируется теми же Basic Auth-учётными данными:
 открытие любой страницы `/_gm` вызывает нативный диалог браузера для
 ввода учётных данных, и оператор остаётся залогинен на время сессии.
 Навигация — обычными ссылками и query-параметрами; каждое изменение
 отправляется формой и завершается редиректом обратно на затронутую
 страницу.
 Консоль — единственная admin-поверхность, достижимая извне
 доверенной сети. Она проксируется через gateway, поэтому наследует те
 же edge-rate-limiting и лимиты запросов, что и публичный API, и несёт
 анти-CSRF-токен на каждом изменении. JSON admin-API остаётся
 внутренним для деплоя.
 Стартовая страница консоли — дашборд, сводящий операционное
 здоровье: готов ли backend и доступна ли БД, сколько игровых рантаймов
 в каждом состоянии, какова глубина очередей почты и уведомлений. Это
 read-only-срез на текущий момент для быстрой диагностики, не история
 метрик. Навигация консоли также ведёт в Grafana (метрики, логи и
 трейсы) и в UI захвата почты Mailpit, которые деплой отдаёт под тем же
 шлюзом Basic Auth `/_gm` — один вход покрывает консоль и оба UI.
 ### 10.3 Управление admin-аккаунтами
 Существующие админы могут перечислять других админов, создавать
@@ -43,11 +43,10 @@ described below. Endpoints split into two route classes:
 | Class | Path | Caller | Purpose |
 | --- | --- | --- | --- |
-| Admin (GM-only) | `POST /api/v1/admin/init` | `Game Master` | Initialise the engine with the race roster. |
+| Admin (GM-only) | `POST /api/v1/admin/init` | `Game Master` | Initialise the engine with a canonical `gameId` and the race roster. |
 | Admin (GM-only) | `GET /api/v1/admin/status` | `Game Master` | Read the full game state. |
 | Admin (GM-only) | `PUT /api/v1/admin/turn` | `Game Master` | Generate the next turn. |
 | Admin (GM-only) | `POST /api/v1/admin/race/banish` | `Game Master` | Deactivate a race after a permanent platform removal. |
 | Player | `PUT /api/v1/command` | `Game Master` (forwarded from `Edge Gateway`) | Execute a batch of player commands. |
 | Player | `PUT /api/v1/order` | `Game Master` | Validate and store a batch of player orders. |
 | Player | `GET /api/v1/order` | `Game Master` | Fetch the previously stored player order for a turn. |
 | Player | `GET /api/v1/report` | `Game Master` | Fetch the per-player turn report. |
@@ -65,6 +64,24 @@ Documented in [`openapi.yaml`](openapi.yaml). When the engine has not been
 initialised through `POST /api/v1/admin/init`, game endpoints respond
 `501 Not Implemented` to make the uninitialised state unambiguous.
 ### `POST /api/v1/admin/init`
 The canonical game identity is owned by the orchestrator (`Game Master`),
 not by the engine. The request body is `{ "gameId": "<uuid>", "races": [...] }`
 where:
 - `gameId` is a non-zero UUID generated by the orchestrator before the
  engine container is launched. The same value names the engine's host
  storage directory and is persisted into `state.json`. The engine
  rejects the zero UUID with `400 Bad Request` and any value that
  conflicts with an existing `state.json` on disk with
  `409 Conflict`. A second `init` on the same `gameId` is also
  rejected with `409`; idempotency is not part of the contract.
 - `races` is the race roster; minimum 10 entries.
 On success the engine responds `201 Created` with a `StateResponse`
 whose `id` echoes the supplied `gameId`.
 ### `StateResponse.finished`
 `StateResponse` (returned by `GET /api/v1/admin/status` and
@@ -85,9 +102,13 @@ remove-and-banish flow.
  non-empty and must match an existing race in the engine's roster.
 - Successful response: `204 No Content` with an empty body.
 - Error responses follow the same `400` / `500` envelope shape as the
-  other admin endpoints. The engine-side mechanics of `banish` (what
+  other admin endpoints. `banish` only flags the race extinct, so it can
-  exactly happens to the race's planets, fleets, and pending orders) are
+  no longer submit or have orders applied; its assets are released at the
-  owned by the engine maintainers.
+  start of the next turn generation (`TurnWipeExtinctRaces`), the same way
  an idle/quit timeout is handled but without the wait — ship groups and
  fleets are removed, its planets become uninhabited (the working industry
  and the capital stockpile are cleared, raw material is retained), and
  votes cast for it are reset.
 ### `GET /healthz`
@@ -148,19 +169,17 @@ Alternatives considered and rejected:
 `game/internal/router/handler/handler.go` exports `ResolveStoragePath`,
 which returns the engine storage path from the env-var pair above and
-an error when neither is set. `cmd/http/main.go` calls it before
+an error when neither is set. `cmd/http/main.go` calls it once at
-constructing the router, prints the error to stderr, and exits non-zero.
+startup, prints the error to stderr and exits non-zero on failure, then
-The existing `initConfig` closure also calls `ResolveStoragePath` to
+builds the engine service (`controller.NewService(path)`) and hands it
-populate `controller.Param.StoragePath` at request time; the error there
+to `router.NewRouter`.
 is dropped because `main` already validated the environment at startup.
-This keeps the public router surface (`router.NewRouter`) unchanged —
+Storage is resolved exactly once, at construction, rather than per
-the env binding is satisfied by one helper plus a startup check, with
+request: the `Service` holds the file-backed repo for the process
-no API ripple. Moving env reading entirely into `main` and changing
+lifetime and `router.NewRouter` takes the `handler.Engine` it routes
-`NewRouter` / `NewDefaultExecutor` to accept an explicit path was
+to (in production, the `Service`). This keeps the env binding in one
-rejected: it churns multiple call sites for no functional gain. The
+place — a startup helper plus the `main` check — and leaves the
-current shape leaves the configurer closure ready for future
+handlers free of configuration concerns.
 config-injection refactors without forcing one now.
 ## Build
@@ -4,17 +4,25 @@ import (
 	"fmt"
 	"os"
 	"galaxy/game/internal/controller"
 	"galaxy/game/internal/router"
 	"galaxy/game/internal/router/handler"
 )
 func main() {
-	if _, err := handler.ResolveStoragePath(); err != nil {
+	path, err := handler.ResolveStoragePath()
 	if err != nil {
 		fmt.Fprintln(os.Stderr, err)
 		os.Exit(1)
 	}
-	r := router.NewRouter()
+	svc, err := controller.NewService(path)
 	if err != nil {
 		fmt.Fprintln(os.Stderr, err)
 		os.Exit(1)
 	}
 	r := router.NewRouter(svc)
 	if err := r.Run(); err != nil {
 		fmt.Fprintln(os.Stderr, err)
 		os.Exit(1)
@@ -1,7 +1,6 @@
 package controller
 import (
 	"iter"
 	"maps"
 	"math/rand/v2"
 	"slices"
@@ -19,8 +18,9 @@ type Battle struct {
 	InitialNumbers map[int]uint // Initial number of ships in the group
 	Protocol       []BattleAction
-	shipAmmo map[int]uint
+	// attacker maps an attacking group to every opponent group it is able to
-	attacker map[int]map[int]float64 // a group able to attack and destroy an opponent with some probability > 0
+	// destroy, with that pair's per-ship destruction probability (> 0).
 	attacker map[int]map[int]float64
 }
 type BattleAction struct {
@@ -32,14 +32,23 @@ type BattleAction struct {
 func CollectPlanetGroups(c *Cache) map[uint]map[int]bool {
 	planetGroup := make(map[uint]map[int]bool)
 	for groupIndex := range c.ShipGroupsIndex() {
-		state := c.ShipGroup(groupIndex).State()
+		sg := c.ShipGroup(groupIndex)
-		if state == game.StateInOrbit || state == game.StateUpgrade {
+		var planetNumber uint
-			planetNumber := c.ShipGroup(groupIndex).Destination
+		switch sg.State() {
-			if _, ok := planetGroup[planetNumber]; !ok {
+		case game.StateInOrbit, game.StateUpgrade:
-				planetGroup[planetNumber] = make(map[int]bool)
+			planetNumber = sg.Destination
-			}
+		case game.StateLaunched:
-			planetGroup[planetNumber][groupIndex] = false
+			// Ordered to depart but still physically at the origin planet, so
 			// it joins the pre-departure battle there; only survivors then
 			// enter hyperspace.
 			planetNumber = sg.StateInSpace.Origin
 		default:
 			continue
 		}
 		if _, ok := planetGroup[planetNumber]; !ok {
 			planetGroup[planetNumber] = make(map[int]bool)
 		}
 		planetGroup[planetNumber][groupIndex] = false
 	}
 	for pl := range planetGroup {
 		if len(planetGroup[pl]) < 2 {
@@ -50,7 +59,18 @@ func CollectPlanetGroups(c *Cache) map[uint]map[int]bool {
 }
 func FilterBattleGroups(c *Cache, groups map[int]bool) []int {
-	return slices.DeleteFunc(slices.Collect(maps.Keys(groups)), func(groupIndex int) bool { return c.ShipGroup(groupIndex).State() != game.StateInOrbit })
+	return slices.DeleteFunc(slices.Collect(maps.Keys(groups)), func(groupIndex int) bool {
 		// Everything physically present at the planet fights: ships in orbit,
 		// ships being upgraded, and ships ordered to depart that have not yet
 		// entered hyperspace (Launched). Only ships already in hyperspace are
 		// out of reach.
 		switch c.ShipGroup(groupIndex).State() {
 		case game.StateInOrbit, game.StateUpgrade, game.StateLaunched:
 			return false
 		default:
 			return true
 		}
 	})
 }
 func FilterBattleOpponents(c *Cache, attIdx, defIdx int, cacheProbability map[int]map[int]float64) bool {
@@ -65,12 +85,20 @@ func FilterBattleOpponents(c *Cache, attIdx, defIdx int, cacheProbability map[in
 		return true
 	}
 	defSg := c.ShipGroup(defIdx)
 	if defSg.Number == 0 {
 		return true
 	}
 	defSt := c.ShipGroupShipClass(defIdx)
 	// The shot targets a single enemy ship, so the defending mass is the
 	// per-ship full mass: a group's full mass spreads evenly across its
 	// ships, hence FullMass / Number, not the whole group's mass.
 	p := calc.DestructionProbability(
 		c.ShipGroupShipClass(attIdx).Weapons.F(),
 		c.ShipGroup(attIdx).TechLevel(game.TechWeapons).F(),
-		c.ShipGroupShipClass(defIdx).Shields.F(),
+		defSt.Shields.F(),
-		c.ShipGroup(defIdx).TechLevel(game.TechShields).F(),
+		defSg.TechLevel(game.TechShields).F(),
-		c.ShipGroup(defIdx).FullMass(c.ShipGroupShipClass(defIdx)),
+		defSg.FullMass(defSt)/float64(defSg.Number),
 	)
 	// Exclude opponent's group which cannot be probably destroyed
 	if p <= 0 {
@@ -108,7 +136,6 @@ func ProduceBattles(c *Cache) []*Battle {
 			ObserverGroups: observerGroups,
 			InitialNumbers: make(map[int]uint),
 			attacker:       make(map[int]map[int]float64),
 			shipAmmo:       make(map[int]uint),
 		}
 		for sgi := range observerGroups {
 			b.InitialNumbers[sgi] = c.ShipGroup(sgi).Number
@@ -126,12 +153,11 @@ func ProduceBattles(c *Cache) []*Battle {
 				return FilterBattleOpponents(c, attIdx, defIdx, cacheProbability)
 			})
 			if len(opponents) > 0 {
 				b.shipAmmo[attIdx] = c.ShipGroupShipClass(attIdx).Armament
 				b.ObserverGroups[attIdx] = true
 				if b.attacker[attIdx] == nil {
 					b.attacker[attIdx] = make(map[int]float64)
 				}
 				for _, defIdx := range opponents {
 					if _, ok := b.attacker[attIdx][defIdx]; !ok {
 						b.attacker[attIdx] = make(map[int]float64)
 					}
 					b.attacker[attIdx][defIdx] = cacheProbability[attIdx][defIdx]
 					b.ObserverGroups[defIdx] = true
 				}
@@ -145,78 +171,111 @@ func ProduceBattles(c *Cache) []*Battle {
 		}
 		clear(b.attacker)
 		clear(b.shipAmmo)
 	}
 	return result
 }
 // SingleBattle resolves one battle ship by ship. In every round each still
 // living ship gets to fire, chosen in random order across all groups; a ship
 // fires all of its guns (Armament), each at a randomly chosen enemy ship it is
 // able to destroy. A ship destroyed before its turn comes does not fire. The
 // battle ends once no ship can damage any remaining enemy.
 func SingleBattle(c *Cache, b *Battle) {
-	roundShooters := make(map[int]bool)
+	for {
-	for len(b.attacker) > 0 {
+		// Snapshot this round's shooters: one entry per living ship of every
-		// список участников раунда
+		// group that still has destroyable opponents.
-		clear(roundShooters)
+		shooters := make([]int, 0)
-		for sgi := range b.attacker {
+		for attIdx := range b.attacker {
-			roundShooters[sgi] = true
+			for range c.ShipGroup(attIdx).Number {
 				shooters = append(shooters, attIdx)
 			}
 		}
 		if len(shooters) == 0 {
 			return
 		}
 		rand.Shuffle(len(shooters), func(i, j int) { shooters[i], shooters[j] = shooters[j], shooters[i] })
-		for len(roundShooters) > 0 {
+		// fired counts, per group, how many of its ships have already shot
-			// attacke group id among round participants
+		// this round; a token beyond the group's current (post-casualty) ship
-			attIdx := randomValue(maps.Keys(roundShooters))
+		// count belongs to a ship destroyed earlier in the round and is skipped.
-			delete(roundShooters, attIdx)
+		fired := make(map[int]uint)
 		progressed := false
 		for _, attIdx := range shooters {
 			if fired[attIdx] >= c.ShipGroup(attIdx).Number {
 				continue
 			}
 			fired[attIdx]++
-			for range b.shipAmmo[attIdx] {
+			for range c.ShipGroupShipClass(attIdx).Armament {
-				// defender group id among all attacker's opponents
+				defIdx, ok := c.pickTargetShip(b, attIdx)
-				defIdx := randomValue(maps.Keys(b.attacker[attIdx]))
+				if !ok {
-
+					break
 				destroyed := false
 				probability := b.attacker[attIdx][defIdx]
 				switch {
 				case probability >= 1:
 					destroyed = true
 				case probability > 0:
 					destroyed = rand.Float64() >= probability
 				default:
 					panic("SingleBattle: probability unexpected: value <= 0")
 				}
-
+				progressed = true
 				destroyed := destructionRoll(b.attacker[attIdx][defIdx])
 				b.Protocol = append(b.Protocol, BattleAction{
 					Attacker:  attIdx,
 					Defender:  defIdx,
 					Destroyed: destroyed,
 				})
 				if destroyed {
 					c.ShipGroupDestroyItem(defIdx)
-				}
+					if c.ShipGroup(defIdx).Number == 0 {
-				if c.ShipGroup(defIdx).Number == 0 {
+						b.removeFromBattle(defIdx)
 					// Eliminated group cant attack anyone
 					delete(b.attacker, defIdx)
 					delete(roundShooters, defIdx)
 					for attIdx := range b.attacker {
 						// Other attackers can't attack eliminated group anymore
 						delete(b.attacker[attIdx], defIdx)
 						if len(b.attacker[attIdx]) == 0 {
 							// Remove attacker if he lost all opponents
 							delete(b.attacker, attIdx)
 							delete(roundShooters, attIdx)
 						}
 					}
 				}
 				// When attacker has no more targets to shoot - break its ammo cycle
 				if len(b.attacker[attIdx]) == 0 {
 					break
 				}
 			}
 		}
 		// No shooter found a target this round: every remaining opponent is
 		// out of reach, the battle is over.
 		if !progressed {
 			return
 		}
 	}
 }
-func randomValue(v iter.Seq[int]) int {
+// pickTargetShip selects a random enemy ship for attacker group attIdx among
-	ids := slices.Collect(v)
+// the groups it is able to destroy, weighted by each group's current ship
-	return ids[rand.IntN(len(ids))]
+// count so that every living enemy ship is equally likely to be hit.
 func (c *Cache) pickTargetShip(b *Battle, attIdx int) (int, bool) {
 	opponents := b.attacker[attIdx]
 	var total uint
 	for defIdx := range opponents {
 		total += c.ShipGroup(defIdx).Number
 	}
 	if total == 0 {
 		return 0, false
 	}
 	r := rand.IntN(int(total))
 	for defIdx := range opponents {
 		r -= int(c.ShipGroup(defIdx).Number)
 		if r < 0 {
 			return defIdx, true
 		}
 	}
 	return 0, false
 }
 // removeFromBattle drops an eliminated group: it can no longer attack, and no
 // one can target it. Attackers left without any opponent are removed as well.
 func (b *Battle) removeFromBattle(groupIdx int) {
 	delete(b.attacker, groupIdx)
 	for attIdx := range b.attacker {
 		delete(b.attacker[attIdx], groupIdx)
 		if len(b.attacker[attIdx]) == 0 {
 			delete(b.attacker, attIdx)
 		}
 	}
 }
 func destructionRoll(probability float64) bool {
 	switch {
 	case probability >= 1:
 		return true
 	case probability > 0:
 		return rand.Float64() < probability
 	default:
 		panic("SingleBattle: probability unexpected: value <= 0")
 	}
 }
@@ -108,7 +108,11 @@ func TestFilterBattleOpponents(t *testing.T) {
 	assert.False(t, controller.FilterBattleOpponents(c, 0, 2, cacheProbability))
 	assert.Contains(t, cacheProbability, 0)
 	assert.Contains(t, cacheProbability[0], 2)
-	assert.InDelta(t, 0.396222, cacheProbability[0][2], 0.0000001)
+	// Group 2 holds 15 ships, but a shot targets a single ship, so the
 	// defending mass is the per-ship full mass (group mass / 15), which
 	// yields a far lower destruction probability than the pre-fix group-mass
 	// calculation (which read ~0.396).
 	assert.InDelta(t, 0.07064783, cacheProbability[0][2], 0.0000001)
 	assert.False(t, controller.FilterBattleOpponents(c, 2, 0, cacheProbability))
 	assert.Contains(t, cacheProbability, 2)
 	assert.Contains(t, cacheProbability[2], 0)
@@ -271,3 +275,107 @@ func TestTransformBattleAggregatesSameShipClass(t *testing.T) {
 			gunship1.Number, gunship1.NumberLeft)
 	}
 }
 // TestDestructionRollDirection guards the corrected probability application:
 // a shot destroys its target with probability p, not 1-p. The pre-fix code
 // compared rand >= p, which inverted the rate (a near-certain hit became a
 // near-certain miss).
 func TestDestructionRollDirection(t *testing.T) {
 	const trials = 100000
 	for _, p := range []float64{0.1, 0.5, 0.9} {
 		hits := 0
 		for range trials {
 			if controller.DestructionRoll(p) {
 				hits++
 			}
 		}
 		rate := float64(hits) / float64(trials)
 		assert.InDelta(t, p, rate, 0.02, "destruction rate must track p=%.2f, not 1-p", p)
 	}
 	assert.True(t, controller.DestructionRoll(1.0))
 	assert.True(t, controller.DestructionRoll(1.5))
 	assert.Panics(t, func() { controller.DestructionRoll(0) })
 	assert.Panics(t, func() { controller.DestructionRoll(-0.1) })
 }
 // TestSingleBattleOneSidedWipe checks the per-ship model end to end: a group
 // of armed ships that always destroys its target wipes a larger group of
 // unarmed transports that cannot fire back, while every shot in the protocol
 // is accounted for and the attacker takes no losses.
 func TestSingleBattleOneSidedWipe(t *testing.T) {
 	c, g := newCache()
 	assert.NoError(t, g.RaceRelation(Race_0.Name, Race_1.Name, game.RelationWar.String()))
 	assert.NoError(t, g.RaceRelation(Race_1.Name, Race_0.Name, game.RelationWar.String()))
 	// Killer's effective attack overwhelms the freighter's shields, so every
 	// shot destroys (probability >= 1).
 	assert.NoError(t, c.ShipClassCreate(Race_0_idx, "Killer", 10, 1, 40, 10, 0))
 	assert.NoError(t, c.CreateShips(Race_0_idx, "Killer", R0_Planet_0_num, 3))                              // group 0
 	c.CreateShipsUnsafe_T(Race_1_idx, c.MustShipClass(Race_1_idx, Race_1_Freighter).ID, R0_Planet_0_num, 5) // group 1
 	battles := controller.ProduceBattles(c)
 	assert.Len(t, battles, 1)
 	assert.Zero(t, c.ShipGroup(1).Number, "all unarmed transports must be destroyed")
 	assert.Equal(t, uint(3), c.ShipGroup(0).Number, "unarmed transports cannot retaliate")
 	kills := 0
 	for _, a := range battles[0].Protocol {
 		if a.Destroyed {
 			kills++
 		}
 	}
 	assert.Equal(t, 5, kills, "exactly the five transports are destroyed")
 }
 // TestCollectPlanetGroupsIncludesLaunchedAndUpgrade checks that every group
 // physically at a planet — in orbit, being upgraded, or ordered to depart but
 // not yet flown (Launched) — is collected for, and kept in, the battle.
 func TestCollectPlanetGroupsIncludesLaunchedAndUpgrade(t *testing.T) {
 	c, _ := newCache()
 	// group 0: in orbit at Planet_0
 	assert.NoError(t, c.CreateShips(Race_0_idx, Race_0_Gunship, R0_Planet_0_num, 1))
 	// group 1: ordered to depart Planet_0 (Launched), still physically there
 	assert.NoError(t, c.CreateShips(Race_0_idx, ShipType_Cruiser, R0_Planet_0_num, 1))
 	c.ShipGroup(1).StateInSpace = &game.InSpace{Origin: R0_Planet_0_num}
 	c.ShipGroup(1).Destination = R0_Planet_2_num
 	assert.Equal(t, game.StateLaunched, c.ShipGroup(1).State())
 	// group 2: being upgraded at Planet_0
 	assert.NoError(t, c.CreateShips(Race_0_idx, ShipType_Cruiser, R0_Planet_0_num, 1))
 	c.ShipGroup(2).StateUpgrade = &game.InUpgrade{UpgradeTech: []game.UpgradePreference{{Tech: game.TechDrive, Level: 2.0, Cost: 100}}}
 	assert.Equal(t, game.StateUpgrade, c.ShipGroup(2).State())
 	pg := controller.CollectPlanetGroups(c)
 	assert.Contains(t, pg, R0_Planet_0_num)
 	assert.Len(t, pg[R0_Planet_0_num], 3)
 	for _, idx := range []int{0, 1, 2} {
 		assert.Contains(t, pg[R0_Planet_0_num], idx)
 	}
 	battleGroups := controller.FilterBattleGroups(c, pg[R0_Planet_0_num])
 	assert.Len(t, battleGroups, 3)
 }
 // TestProduceBattlesLaunchedFightsAtOrigin checks that a group ordered to
 // depart (Launched) still fights the pre-departure battle at its origin
 // planet, rather than escaping into hyperspace before the fight.
 func TestProduceBattlesLaunchedFightsAtOrigin(t *testing.T) {
 	c, g := newCache()
 	assert.NoError(t, g.RaceRelation(Race_0.Name, Race_1.Name, game.RelationWar.String()))
 	assert.NoError(t, g.RaceRelation(Race_1.Name, Race_0.Name, game.RelationWar.String()))
 	// Race_0: armed group in orbit at Planet_0.
 	assert.NoError(t, c.CreateShips(Race_0_idx, Race_0_Gunship, R0_Planet_0_num, 10))
 	// Race_1: armed group ordered to depart Planet_0 (Launched), still there.
 	c.CreateShipsUnsafe_T(Race_1_idx, c.MustShipClass(Race_1_idx, Race_1_Gunship).ID, R0_Planet_0_num, 10)
 	c.ShipGroup(1).StateInSpace = &game.InSpace{Origin: R0_Planet_0_num}
 	c.ShipGroup(1).Destination = R0_Planet_2_num
 	assert.Equal(t, game.StateLaunched, c.ShipGroup(1).State())
 	battles := controller.ProduceBattles(c)
 	assert.Len(t, battles, 1)
 	assert.True(t, battles[0].ObserverGroups[1], "launched group must be marked in-battle")
 	if c.ShipGroup(0).Number == 0 {
 		assert.Greater(t, c.ShipGroup(1).Number, uint(0))
 	} else {
 		assert.Zero(t, c.ShipGroup(1).Number)
 	}
 }
@@ -1,6 +1,10 @@
 package controller
 import (
 	"cmp"
 	"maps"
 	"slices"
 	"galaxy/game/internal/model/game"
 	"github.com/google/uuid"
@@ -13,8 +17,14 @@ func (c *Cache) ProduceBombings() []*game.Bombing {
 		if !p.Owned() {
 			continue
 		}
-		for ri, groups := range enemies {
+		// The planet is hit by all attacking races at once, accounted from the
-			br := c.bombingReport(p, ri, groups)
+		// strongest bombing power downwards, until no population remains.
 		attackers := slices.Collect(maps.Keys(enemies))
 		slices.SortFunc(attackers, func(a, b int) int {
 			return cmp.Compare(c.bombingPower(enemies[b]), c.bombingPower(enemies[a]))
 		})
 		for _, ri := range attackers {
 			br := c.bombingReport(p, ri, enemies[ri])
 			report = append(report, br)
 			if br.Wiped {
 				break
@@ -22,7 +32,11 @@ func (c *Cache) ProduceBombings() []*game.Bombing {
 		}
 		if p.Population == 0 {
 			// Wiped out: the planet turns uninhabited and its industry
 			// collapses, but the material and capital stockpiles survive for
 			// whoever colonises it next (rules "Бомбардировка планет").
 			p.Free()
 			p.Ind(0)
 		} else {
 			// Если на планете остались также и колонисты, то они превращаются в население,
 			// а накопленная промышленность возмещает потери производства.
@@ -33,13 +47,16 @@ func (c *Cache) ProduceBombings() []*game.Bombing {
 	return report
 }
-func (c *Cache) bombingReport(p *game.Planet, ri int, groups []int) *game.Bombing {
+func (c *Cache) bombingPower(groups []int) float64 {
-	attackPower := 0.
+	var power float64
 	for _, i := range groups {
-		sg := c.ShipGroup(i)
+		power += c.ShipGroup(i).BombingPower(c.ShipGroupShipClass(i))
 		st := c.ShipGroupShipClass(i)
 		attackPower += sg.BombingPower(st)
 	}
 	return power
 }
 func (c *Cache) bombingReport(p *game.Planet, ri int, groups []int) *game.Bombing {
 	attackPower := c.bombingPower(groups)
 	r := &game.Bombing{
 		ID:            uuid.New(),
 		PlanetOwnedID: *p.Owner,
@@ -141,3 +141,59 @@ func TestProduceBombings(t *testing.T) {
 		}
 	}
 }
 // TestBombingOrderByPower checks that attacking races are accounted from the
 // strongest bombing power downwards (the report order), not in the random map
 // iteration order the engine used before.
 func TestBombingOrderByPower(t *testing.T) {
 	c, g := newCache()
 	assert.NoError(t, g.RaceRelation(Race_1.Name, Race_0.Name, game.RelationWar.String()))
 	weakIdx, _ := c.AddRace("Weakling")
 	assert.NoError(t, c.UpdateRelation(weakIdx, Race_0_idx, game.RelationWar))
 	assert.NoError(t, c.ShipClassCreate(weakIdx, "Pebble", 1, 1, 1, 1, 0))
 	// Planet_0 (Race_0) survives both attacks.
 	c.MustPlanet(R0_Planet_0_num).Population = 1000
 	// Strong: one Race_1 gunship (~358.9 power); weak: one Pebble (~1.1 power).
 	c.CreateShipsUnsafe_T(Race_1_idx, c.MustShipClass(Race_1_idx, Race_1_Gunship).ID, R0_Planet_0_num, 1)
 	c.CreateShipsUnsafe_T(weakIdx, c.MustShipClass(weakIdx, "Pebble").ID, R0_Planet_0_num, 1)
 	reports := c.ProduceBombings()
 	assert.Len(t, reports, 2)
 	assert.Equal(t, Race_1.Name, reports[0].Attacker, "strongest attacker comes first")
 	assert.Equal(t, "Weakling", reports[1].Attacker)
 	assert.Greater(t, reports[0].AttackPower.F(), reports[1].AttackPower.F())
 }
 // TestBombingWipeZeroesIndustry checks that a planet bombed to extinction loses
 // its industry but keeps its material and capital stockpiles for the next
 // colonist (rules "Бомбардировка планет").
 func TestBombingWipeZeroesIndustry(t *testing.T) {
 	c, _ := newCache()
 	bomberIdx, _ := c.AddRace("Bomber")
 	assert.NoError(t, c.UpdateRelation(bomberIdx, Race_0_idx, game.RelationWar))
 	// Bombing power ~106.5 (W=60, A=1, weapons tech 1.0): wipes pop 50 while
 	// only partly converting industry, so the leftover industry is observable.
 	assert.NoError(t, c.ShipClassCreate(bomberIdx, "Reaper", 1, 1, 60, 1, 0))
 	p := c.MustPlanet(R0_Planet_0_num)
 	p.Population = 50
 	p.Industry = 200
 	p.Capital = 30
 	p.Material = 20
 	p.Colonists = 0
 	c.CreateShipsUnsafe_T(bomberIdx, c.MustShipClass(bomberIdx, "Reaper").ID, R0_Planet_0_num, 1)
 	reports := c.ProduceBombings()
 	assert.Len(t, reports, 1)
 	assert.True(t, reports[0].Wiped)
 	pl := c.MustPlanet(R0_Planet_0_num)
 	assert.False(t, pl.Owned())
 	assert.Equal(t, 0., pl.Population.F())
 	assert.Equal(t, 0., pl.Industry.F(), "industry collapses on wipe")
 	assert.Equal(t, 30., pl.Capital.F(), "capital stockpile survives")
 	assert.InDelta(t, 126.476, pl.Material.F(), 0.01, "material keeps the converted industry")
 }
@@ -2,8 +2,10 @@ package controller
 import (
 	"errors"
 	"fmt"
 	"time"
 	e "galaxy/error"
 	"galaxy/game/internal/model/game"
 	"github.com/google/uuid"
@@ -14,162 +16,147 @@ import (
 	"galaxy/game/internal/repo"
 )
-type Configurer func(*Param)
+// Service is the engine's application service: it owns persistence and exposes
-
+// the operations the HTTP handlers invoke. It is safe for concurrent use —
-type Repo interface {
+// reads are lock-free and the writers that mutate the canonical state file
-	// Lock must be called before any repository operations
+// (init/turn/banish) are serialised at the router by a shared LimitMiddleware.
-	Lock() error
+type Service struct {
-
+	repo *repo.Repo
 	// Release must be called after first and only repository operation
 	Release() error
 	// SaveTurn stores just generated new turn
 	SaveNewTurn(uint, *game.Game) error
 	// SaveState stores current game state updated between turns
 	SaveLastState(*game.Game) error
 	// LoadState retrieves game current state with required lock acquisition
 	LoadState() (*game.Game, error)
 	// LoadStateSafe retrieves game current state without preliminary locking
 	LoadStateSafe() (*game.Game, error)
 	// SaveBattle stores a new battle protocol and battle meta data for turn t
 	SaveBattle(uint, *report.BattleReport, *game.BattleMeta) error
 	// LoadBattle reads battle's protocol for turn t and battle id.
 	// Returns false if battle with such id was never stored at turn t
 	LoadBattle(t uint, id uuid.UUID) (*report.BattleReport, bool, error)
 	// SaveBombing stores all prodused bombings for turn t
 	SaveBombings(uint, []*game.Bombing) error
 	// SaveReport stores latest report for a race
 	SaveReport(uint, *report.Report) error
 	// LoadReport loads report for specific turn and player id
 	LoadReport(uint, uuid.UUID) (*report.Report, error)
 	// SaveOrder stores order for given turn
 	SaveOrder(uint, uuid.UUID, *order.UserGamesOrder) error
 	// LoadOrder loads order for specific turn and player id
 	LoadOrder(uint, uuid.UUID) (*order.UserGamesOrder, bool, error)
 }
-type Ctrl interface {
+// NewService opens the file-backed storage at storagePath and returns a ready
-	ValidateOrder(actor string, cmd ...order.DecodableCommand) error
+// Service. The directory must already exist and be writable.
-	// remove below funcs if /command api will be deleted
+func NewService(storagePath string) (*Service, error) {
-	RaceID(actor string) (uuid.UUID, error)
+	r, err := repo.NewFileRepo(storagePath)
 	RaceQuit(actor string) error
 	RaceVote(actor, acceptor string) error
 	RaceRelation(actor, acceptor string, rel string) error
 	ShipClassCreate(actor, typeName string, drive float64, ammo int, weapons, shileds, cargo float64) error
 	ShipClassMerge(actor, name, targetName string) error
 	ShipClassRemove(actor, typeName string) error
 	ShipGroupLoad(actor string, groupID uuid.UUID, cargoType string, quantity float64) error
 	ShipGroupUnload(actor string, groupID uuid.UUID, quantity float64) error
 	ShipGroupSend(actor string, groupID uuid.UUID, planetNumber uint) error
 	ShipGroupUpgrade(actor string, groupID uuid.UUID, techInput string, limitLevel float64) error
 	ShipGroupBreak(actor string, groupID, newID uuid.UUID, quantity uint) error
 	ShipGroupMerge(actor string) error
 	ShipGroupDismantle(actor string, groupID uuid.UUID) error
 	ShipGroupTransfer(actor, acceptor string, groupID uuid.UUID) error
 	ShipGroupJoinFleet(actor, fleetName string, groupID uuid.UUID) error
 	FleetMerge(actor, fleetSourceName, fleetTargetName string) error
 	FleetSend(actor, fleetName string, planetNumber uint) error
 	ScienceCreate(actor, typeName string, drive, weapons, shields, cargo float64) error
 	ScienceRemove(actor, typeName string) error
 	PlanetRename(actor string, planetNumber int, typeName string) error
 	PlanetProduce(actor string, planetNumber int, prodType, subject string) error
 	PlanetRouteSet(actor, loadType string, origin, destination uint) error
 	PlanetRouteRemove(actor, loadType string, origin uint) error
 }
 func GenerateGame(configure func(*Param), races []string) (s game.State, err error) {
 	ec, err := NewRepoController(configure)
 	if err != nil {
 		return nil, err
 	}
 	return &Service{repo: r}, nil
 }
 // GenerateGame initialises a fresh game in storage under the supplied
 // canonical gameID. The orchestrator must allocate gameID before the engine
 // container is started and pass it here as the request body of
 // POST /api/v1/admin/init. A zero UUID is rejected with ErrGameInitNilUUID; an
 // attempt to init on top of an existing state.json is rejected with
 // ErrGameAlreadyInit.
 func (s *Service) GenerateGame(gameID uuid.UUID, races []string) (game.State, error) {
 	if gameID == uuid.Nil {
 		return game.State{}, ErrGameInitNilUUID
 	}
 	if existing, loadErr := s.repo.LoadState(); loadErr == nil {
 		return game.State{}, fmt.Errorf("%w: stored gameId=%s, requested=%s", ErrGameAlreadyInit, existing.ID, gameID)
 	} else if !isGameNotInitialized(loadErr) {
 		return game.State{}, fmt.Errorf("check existing state: %w", loadErr)
 	}
 	if _, err := NewGame(s.repo, gameID, races); err != nil {
 		return game.State{}, err
 	}
-	if err = ec.Repo.Lock(); err != nil {
+
 	return s.GameState()
 }
 // GenerateTurn advances the game by one turn (applying every stored order) and
 // returns the resulting game state.
 func (s *Service) GenerateTurn() (game.State, error) {
 	if err := s.execute(func(_ uint, c *Controller) error { return c.MakeTurn() }); err != nil {
 		return game.State{}, err
 	}
 	return s.GameState()
 }
 // isGameNotInitialized reports whether err is the engine's canonical
 // "no state.json on disk" signal returned by Repo.LoadState on a fresh
 // storage directory.
 func isGameNotInitialized(err error) bool {
 	var ge *e.GenericError
 	return errors.As(err, &ge) && ge.Code == e.ErrGameNotInitialized
 }
 // LoadReport returns the stored turn report for actor at the given turn.
 func (s *Service) LoadReport(actor string, turn uint) (r *report.Report, err error) {
 	execErr := s.execute(func(_ uint, c *Controller) (exErr error) {
 		id, exErr := c.RaceID(actor)
 		if exErr == nil {
 			r, exErr = s.repo.LoadReport(turn, id)
 		}
 		return
 	})
 	err = errors.Join(err, execErr)
 	return
 }
 // ValidateOrder validates cmd against a transient view of the current state,
 // records the per-command outcome on each command's meta, and stores the
 // resulting order for the current turn. Game-state rejections are reported per
 // command, not as a returned error.
 func (s *Service) ValidateOrder(actor string, cmd ...order.DecodableCommand) (o *order.UserGamesOrder, err error) {
 	err = s.execute(func(t uint, c *Controller) error {
 		id, err := c.RaceID(actor)
 		if err != nil {
 			return err
 		}
 		if err := c.ValidateOrder(actor, cmd...); err != nil {
 			return err
 		}
 		o = &order.UserGamesOrder{
 			GameID:    c.Cache.g.ID,
 			UpdatedAt: time.Now().UTC().UnixMilli(),
 			Commands:  make([]order.DecodableCommand, len(cmd)),
 		}
 		copy(o.Commands, cmd)
 		return s.repo.SaveOrder(t, id, o)
 	})
 	if err != nil {
 		return nil, err
 	}
 	return
 }
 // FetchOrder returns the order actor stored for the given turn. ok is false
 // when no order was ever stored.
 func (s *Service) FetchOrder(actor string, turn uint) (o *order.UserGamesOrder, ok bool, err error) {
 	err = s.execute(func(_ uint, c *Controller) error {
 		id, err := c.RaceID(actor)
 		if err != nil {
 			return err
 		}
 		o, ok, err = s.repo.LoadOrder(turn, id)
 		return err
 	})
 	if err != nil {
 		return
 	}
-	defer func() {
+	return
-		err = errors.Join(err, ec.Repo.Release())
+}
-		if err == nil {
+
-			s, err = GameState(configure)
+// FetchBattle returns the battle report stored at turn under ID. exists is
 // false when no such battle was recorded.
 func (s *Service) FetchBattle(turn uint, ID uuid.UUID) (b *report.BattleReport, exists bool, err error) {
 	err = s.execute(func(_ uint, c *Controller) error {
 		b, exists, err = s.repo.LoadBattle(turn, ID)
 		return err
 	})
 	return
 }
 // BanishRace deactivates actor's race after a permanent platform removal and
 // persists the updated state.
 func (s *Service) BanishRace(actor string) error {
 	return s.execute(func(_ uint, c *Controller) error {
 		if err := c.RaceBanish(actor); err != nil {
 			return err
 		}
-	}()
+		return c.saveState()
-
+	})
 	_, err = NewGame(ec.Repo, races)
 	return
 }
-func GenerateTurn(configure func(*Param)) (err error) {
+// GameState loads the current state and projects it into the transport-facing
-	ec, err := NewRepoController(configure)
+// game.State summary (player roster with planet counts and population).
-	if err != nil {
+func (s *Service) GameState() (game.State, error) {
-		return err
+	g, err := s.repo.LoadState()
 	}
 	err = ec.executeLocked(func(c *Controller) error { return c.MakeTurn() })
 	return
 }
 func LoadReport(configure func(*Param), actor string, turn uint) (*report.Report, error) {
 	ec, err := NewRepoController(configure)
 	if err != nil {
 		return nil, err
 	}
 	return ec.loadReport(actor, turn)
 }
 func ExecuteCommand(configure func(*Param), consumer func(c Ctrl) error) (err error) {
 	ec, err := NewRepoController(configure)
 	if err != nil {
 		return err
 	}
 	return ec.executeCommand(func(c *Controller) error { return consumer(c) })
 }
 func ValidateOrder(configure func(*Param), actor string, cmd ...order.DecodableCommand) (*order.UserGamesOrder, error) {
 	ec, err := NewRepoController(configure)
 	if err != nil {
 		return nil, err
 	}
 	return ec.validateOrder(actor, cmd...)
 }
 func FetchOrder(configure func(*Param), actor string, turn uint) (order *order.UserGamesOrder, ok bool, err error) {
 	ec, err := NewRepoController(configure)
 	if err != nil {
 		return nil, false, err
 	}
 	return ec.fetchOrder(actor, turn)
 }
 func FetchBattle(configure func(*Param), turn uint, ID uuid.UUID) (b *report.BattleReport, exists bool, err error) {
 	ec, err := NewRepoController(configure)
 	if err != nil {
 		return nil, false, err
 	}
 	return ec.fetchBattle(turn, ID)
 }
 func BanishRace(configure func(*Param), actor string) error {
 	ec, err := NewRepoController(configure)
 	if err != nil {
 		return err
 	}
 	return ec.banishRace(actor)
 }
 func GameState(configure func(*Param)) (s game.State, err error) {
 	ec, err := NewRepoController(configure)
 	if err != nil {
 		return game.State{}, err
 	}
 	g, err := ec.Repo.LoadStateSafe()
 	if err != nil {
 		return game.State{}, err
 	}
@@ -207,149 +194,26 @@ func GameState(configure func(*Param)) (s game.State, err error) {
 	return *result, nil
 }
-type RepoController struct {
+// execute loads the current game state, wraps it in a Controller and runs
-	Repo Repo
+// consumer against it. Reads and writes are lock-free; concurrent writers to
-}
+// the state file (init/turn/banish) are serialised at the router by a shared
-
+// LimitMiddleware, so this helper holds no lock of its own.
-func NewRepoController(config Configurer) (*RepoController, error) {
+func (s *Service) execute(consumer func(uint, *Controller) error) error {
-	c := &Param{
+	g, err := s.repo.LoadState()
 		StoragePath: ".",
 	}
 	if config != nil {
 		config(c)
 	}
 	r, err := repo.NewFileRepo(c.StoragePath)
 	if err != nil {
 		return nil, err
 	}
 	return &RepoController{
 		Repo: r,
 	}, nil
 }
 func (ec *RepoController) NewGameController(g *game.Game) *Controller {
 	return &Controller{
 		RepoController: ec,
 		Cache:          NewCache(g),
 	}
 }
 func (ec *RepoController) validateOrder(actor string, cmd ...order.DecodableCommand) (o *order.UserGamesOrder, err error) {
 	err = ec.executeSafe(func(t uint, c *Controller) error {
 		id, err := c.RaceID(actor)
 		if err != nil {
 			return err
 		}
 		err = c.ValidateOrder(actor, cmd...)
 		if err != nil {
 			return err
 		}
 		o = &order.UserGamesOrder{
 			GameID:    c.Cache.g.ID,
 			UpdatedAt: time.Now().UTC().UnixMilli(),
 			Commands:  make([]order.DecodableCommand, len(cmd)),
 		}
 		copy(o.Commands, cmd)
 		return ec.Repo.SaveOrder(t, id, o)
 	})
 	if err != nil {
 		return nil, err
 	}
 	return
 }
 func (ec *RepoController) fetchOrder(actor string, turn uint) (order *order.UserGamesOrder, ok bool, err error) {
 	err = ec.executeSafe(func(t uint, c *Controller) error {
 		id, err := c.RaceID(actor)
 		if err != nil {
 			return err
 		}
 		order, ok, err = ec.Repo.LoadOrder(turn, id)
 		return err
 	})
 	if err != nil {
 		return
 	}
 	return
 }
 func (ec *RepoController) fetchBattle(turn uint, ID uuid.UUID) (order *report.BattleReport, exists bool, err error) {
 	err = ec.executeSafe(func(t uint, c *Controller) error {
 		order, exists, err = ec.Repo.LoadBattle(turn, ID)
 		return err
 	})
 	return
 }
 func (ec *RepoController) loadReport(actor string, turn uint) (r *report.Report, err error) {
 	execErr := ec.executeSafe(func(t uint, c *Controller) (exErr error) {
 		id, exErr := c.RaceID(actor)
 		if exErr == nil {
 			r, exErr = ec.Repo.LoadReport(turn, id)
 		}
 		return
 	})
 	err = errors.Join(err, execErr)
 	return
 }
 func (ec *RepoController) executeCommand(consumer func(*Controller) error) (err error) {
 	return ec.executeLocked(func(c *Controller) error {
 		err = consumer(c)
 		if err == nil {
 			c.Cache.StageCommand()
 			err = c.saveState()
 		}
 		return err
 	})
 }
 func (ec *RepoController) banishRace(actor string) (err error) {
 	return ec.executeLocked(func(c *Controller) error {
 		err = c.RaceBanish(actor)
 		if err != nil {
 			return err
 		}
 		return c.saveState()
 	})
 }
 func (ec *RepoController) executeSafe(consumer func(uint, *Controller) error) (err error) {
 	g, err := ec.Repo.LoadStateSafe()
 	if err != nil {
 		return err
 	}
-
+	return consumer(g.Turn, &Controller{repo: s.repo, Cache: NewCache(g)})
 	err = consumer(g.Turn, ec.NewGameController(g))
 	return
 }
 func (ec *RepoController) executeLocked(consumer func(*Controller) error) (err error) {
 	if err := ec.Repo.Lock(); err != nil {
 		return err
 	}
 	defer func() {
 		err = errors.Join(err, ec.Repo.Release())
 	}()
 	g, err := ec.Repo.LoadState()
 	if err != nil {
 		return err
 	}
 	err = consumer(ec.NewGameController(g))
 	return
 }
 func (c *Controller) saveState() error {
 	return c.Repo.SaveLastState(c.Cache.g)
 }
 // Controller is the per-turn execution context: a loaded game state (Cache)
 // plus the repo it persists through. It carries the engine's game-logic
 // methods (in command.go, order.go, generate_turn.go, …).
 type Controller struct {
-	*RepoController
+	repo  *repo.Repo
 	Cache *Cache
 }
-type Param struct {
+func (c *Controller) saveState() error {
-	StoragePath string
+	return c.repo.SaveLastState(c.Cache.g)
 }
@@ -149,3 +149,7 @@ func (c *Cache) WipeRace(ri int) {
 func (c *Cache) UnsafeDeleteShipGroup(sgi int) {
 	c.unsafeDeleteShipGroup(sgi)
 }
 func DestructionRoll(probability float64) bool {
 	return destructionRoll(probability)
 }
@@ -131,8 +131,7 @@ func newGame() *game.Game {
 func newCache() (*controller.Cache, *controller.Controller) {
 	ctl := &controller.Controller{
-		RepoController: nil,
+		Cache: controller.NewCache(newGame()),
 		Cache:          controller.NewCache(newGame()),
 	}
 	assertNoError(ctl.Cache.ShipClassCreate(Race_0_idx, Race_0_Gunship, 60, 3, 30, 100, 0))
 	assertNoError(ctl.Cache.ShipClassCreate(Race_0_idx, Race_0_Freighter, 8, 0, 0, 2, 10))
@@ -57,7 +57,7 @@ func TestFleetSend(t *testing.T) {
 		e.GenericErrorText(e.ErrInputUnknownRace))
 	assert.ErrorContains(t,
 		g.FleetSend(Race_Extinct.Name, fleetSending, 2),
-		e.GenericErrorText(e.ErrRaceExinct))
+		e.GenericErrorText(e.ErrRaceExtinct))
 	assert.ErrorContains(t,
 		g.FleetSend(Race_0.Name, "UnknownFleet", 2),
 		e.GenericErrorText(e.ErrInputEntityNotExists))
@@ -37,7 +37,7 @@ func TestShipGroupJoinFleet(t *testing.T) {
 		e.GenericErrorText(e.ErrInputUnknownRace))
 	assert.ErrorContains(t,
 		g.ShipGroupJoinFleet(Race_Extinct.Name, fleetOne, groupIndex),
-		e.GenericErrorText(e.ErrRaceExinct))
+		e.GenericErrorText(e.ErrRaceExtinct))
 	// ensure race has no Fleets
 	assert.Len(t, slices.Collect(c.ListFleets(Race_0_idx)), 0)
@@ -124,14 +124,14 @@ func TestFleetMerge(t *testing.T) {
 		e.GenericErrorText(e.ErrInputUnknownRace))
 	assert.ErrorContains(t,
 		g.FleetMerge(Race_Extinct.Name, fleetSourceOne, fleetTargetTwo),
-		e.GenericErrorText(e.ErrRaceExinct))
+		e.GenericErrorText(e.ErrRaceExtinct))
 	assert.ErrorContains(t,
 		g.ShipGroupJoinFleet(UnknownRace, fleetSourceOne, c.ShipGroup(0).ID),
 		e.GenericErrorText(e.ErrInputUnknownRace))
 	assert.ErrorContains(t,
 		g.ShipGroupJoinFleet(Race_Extinct.Name, fleetSourceOne, c.ShipGroup(0).ID),
-		e.GenericErrorText(e.ErrRaceExinct))
+		e.GenericErrorText(e.ErrRaceExtinct))
 	assert.NoError(t, g.ShipGroupJoinFleet(Race_0.Name, fleetSourceOne, c.ShipGroup(0).ID))
@@ -7,22 +7,26 @@ import (
 	"galaxy/game/internal/generator"
 	"galaxy/game/internal/model/game"
 	"galaxy/game/internal/repo"
 	"github.com/google/uuid"
 )
-func NewGame(r Repo, races []string) (uuid.UUID, error) {
+// NewGame initialises a fresh game in storage under the supplied
 // gameID. The caller is expected to have validated gameID against
 // uuid.Nil and to have ruled out collisions with existing state.
 func NewGame(r *repo.Repo, gameID uuid.UUID, races []string) (uuid.UUID, error) {
 	m, err := generator.Generate(func(ms *generator.MapSetting) {
 		ms.Players = uint32(len(races))
 	})
 	if err != nil {
 		return uuid.Nil, fmt.Errorf("generate map: %s", err)
 	}
-	return newGameOnMap(r, races, m)
+	return newGameOnMap(r, gameID, races, m)
 }
-func newGameOnMap(r Repo, races []string, m generator.Map) (uuid.UUID, error) {
+func newGameOnMap(r *repo.Repo, gameID uuid.UUID, races []string, m generator.Map) (uuid.UUID, error) {
-	g, err := buildGameOnMap(races, m)
+	g, err := buildGameOnMap(gameID, races, m)
 	if err != nil {
 		return uuid.Nil, err
 	}
@@ -38,14 +42,10 @@ func newGameOnMap(r Repo, races []string, m generator.Map) (uuid.UUID, error) {
 	return g.ID, nil
 }
-func buildGameOnMap(races []string, m generator.Map) (*game.Game, error) {
+func buildGameOnMap(gameID uuid.UUID, races []string, m generator.Map) (*game.Game, error) {
 	if len(races) != len(m.HomePlanets) {
 		return nil, fmt.Errorf("generate map: wrong number of home planets: %d, expected: %d ", len(m.HomePlanets), len(races))
 	}
 	gameID, err := uuid.NewRandom()
 	if err != nil {
 		return nil, fmt.Errorf("generate game uuid: %s", err)
 	}
 	g := &game.Game{
 		ID:   gameID,
 		Turn: 0,
@@ -28,16 +28,17 @@ func TestNewGame(t *testing.T) {
 	for i := range players {
 		races[i] = fmt.Sprintf("race_%02d", i)
 	}
-	assert.NoError(t, r.Lock())
+	requestedID := uuid.New()
-	gameID, err := controller.NewGame(r, races)
+	gameID, err := controller.NewGame(r, requestedID, races)
 	assert.NoError(t, err)
 	assert.Equal(t, requestedID, gameID, "NewGame must echo the supplied gameID")
 	assert.FileExists(t, filepath.Join(root, "state.json"))
 	assert.FileExists(t, filepath.Join(root, "0000/state.json"))
 	g, err := r.LoadState()
 	assert.NoError(t, err)
-	assert.Equal(t, gameID, g.ID)
+	assert.Equal(t, requestedID, g.ID, "persisted game.ID must match the supplied gameID")
 	assert.Equal(t, uint(0), g.Turn)
 	assert.Equal(t, players, len(g.Race))
@@ -65,6 +66,38 @@ func TestNewGame(t *testing.T) {
 		numShuffled = numShuffled || p.Number != uint(i)
 	}
 	assert.True(t, numShuffled)
-
+}
-	assert.NoError(t, r.Release())
+
 func TestGenerateGameRejectsExistingState(t *testing.T) {
 	root, cleanup := util.CreateWorkDir(t)
 	defer cleanup()
 	races := make([]string, 10)
 	for i := range races {
 		races[i] = fmt.Sprintf("race_%02d", i)
 	}
 	svc, err := controller.NewService(root)
 	assert.NoError(t, err)
 	firstID := uuid.New()
 	_, err = svc.GenerateGame(firstID, races)
 	assert.NoError(t, err)
 	_, err = svc.GenerateGame(uuid.New(), races)
 	assert.ErrorIs(t, err, controller.ErrGameAlreadyInit)
 }
 func TestGenerateGameRejectsNilUUID(t *testing.T) {
 	root, cleanup := util.CreateWorkDir(t)
 	defer cleanup()
 	races := make([]string, 10)
 	for i := range races {
 		races[i] = fmt.Sprintf("race_%02d", i)
 	}
 	svc, err := controller.NewService(root)
 	assert.NoError(t, err)
 	_, err = svc.GenerateGame(uuid.Nil, races)
 	assert.ErrorIs(t, err, controller.ErrGameInitNilUUID)
 }
@@ -20,25 +20,29 @@ func (c *Controller) MakeTurn() error {
 	c.Cache.g.Turn += 1
 	c.Cache.g.Stage = 0
-	// 01. Вышедшие расы удаляются из списка участвующих рас перед началом просчета очередного хода
+	// 01. Вышедшие расы удаляются из списка участвующих рас перед началом просчёта очередного хода.
 	c.Cache.TurnWipeExtinctRaces()
-	// 02. Товары загружаются на корабли, находящиеся в начале грузовых маршрутов, и корабли входят в гиперпространство (но ещё не полетели)
+	// 02. Корабли, где это возможно, объединяются в группы (до боя и до отправки по маршрутам).
 	c.Cache.SendRoutedGroups()
 	// 03. Корабли, где это возможно, объединяются в группы.
 	c.Cache.TurnMergeEqualShipGroups()
-	// 04. Враждующие корабли вступают в схватку.
+	// 03. Враждующие корабли вступают в схватку у планеты отправления. Корабли, которым отдан
 	//     приказ на отлёт (статус Launched), ещё стоят на планете и участвуют в бою; в
 	//     гиперпространство уходят только уцелевшие — так нельзя уклониться от боя.
 	battles := ProduceBattles(c.Cache)
 	// 04. Товары загружаются на корабли в начале грузовых маршрутов, и эти корабли входят в
 	//     гиперпространство. Загрузка после боя: маршрутные транспорты сражаются пустыми и не
 	//     могут уклониться от боя, скрывшись в гиперпространстве.
 	c.Cache.SendRoutedGroups()
 	// 05. Корабли пролетают сквозь гиперпространство.
 	c.Cache.MoveShipGroups()
 	// 06. Корабли, где это возможно, объединяются в группы.
 	c.Cache.TurnMergeEqualShipGroups()
-	// 07. Враждующие корабли снова вступают в схватку (это происходит после выхода из гиперпространства).
+	// 07. Враждующие корабли снова вступают в схватку (после выхода из гиперпространства).
 	battles = append(battles, ProduceBattles(c.Cache)...)
 	// 08. Корабли бомбят вражеские планеты.
@@ -67,7 +71,7 @@ func (c *Controller) MakeTurn() error {
 	// Store bombings
 	bombingReport := make([]*report.Bombing, len(bombings))
 	if len(bombings) > 0 {
-		if err := c.Repo.SaveBombings(c.Cache.g.Turn, bombings); err != nil {
+		if err := c.repo.SaveBombings(c.Cache.g.Turn, bombings); err != nil {
 			return err
 		}
 		for i := range bombings {
@@ -107,7 +111,7 @@ func (c *Controller) MakeTurn() error {
 			}
 			report := TransformBattle(c.Cache, b)
-			if err := c.Repo.SaveBattle(c.Cache.g.Turn, report, &battleMeta[i]); err != nil {
+			if err := c.repo.SaveBattle(c.Cache.g.Turn, report, &battleMeta[i]); err != nil {
 				return err
 			}
 			battleReport[i] = report
@@ -118,12 +122,12 @@ func (c *Controller) MakeTurn() error {
 	c.Cache.DeleteKilledShipGroups()
 	// Store game state for the new turn and 'current' state as well
-	if err := c.Repo.SaveNewTurn(c.Cache.g.Turn, c.Cache.g); err != nil {
+	if err := c.repo.SaveNewTurn(c.Cache.g.Turn, c.Cache.g); err != nil {
 		return err
 	}
 	for rep := range c.Cache.Report(c.Cache.g.Turn, battleReport, bombingReport) {
-		if err := c.Repo.SaveReport(c.Cache.g.Turn, rep); err != nil {
+		if err := c.repo.SaveReport(c.Cache.g.Turn, rep); err != nil {
 			return err
 		}
 	}
@@ -0,0 +1,14 @@
 package controller
 import "errors"
 // ErrGameInitNilUUID is returned by GenerateGame when the supplied
 // game UUID is the zero value. The HTTP layer maps it to 400.
 var ErrGameInitNilUUID = errors.New("game init: gameId must not be the zero UUID")
 // ErrGameAlreadyInit is returned by GenerateGame when the engine
 // storage directory already contains a state.json. The HTTP layer
 // maps it to 409. Repeated init on the same gameId is intentionally
 // rejected rather than treated as a no-op; full idempotency is not
 // part of the contract.
 var ErrGameAlreadyInit = errors.New("game init: game already initialized")
@@ -13,17 +13,24 @@ import (
 	"github.com/google/uuid"
 )
-func (c *Controller) ValidateOrder(actor string, commands ...order.DecodableCommand) (err error) {
+// ValidateOrder applies every command in the order against a transient
 // view of the engine state, records the per-command outcome in each
 // command's CommandMeta via applyCommand, and reports only order-level
 // structural errors as the function return. Per-command rejections are
 // surfaced through CommandMeta.Result so the caller can persist and
 // forward them as `cmdApplied`/`cmdErrorCode` in the response body.
 func (c *Controller) ValidateOrder(actor string, commands ...order.DecodableCommand) error {
 	for i := range commands {
-		if _, ok := commands[i].(order.CommandRaceQuit); ok && i != len(commands)-1 {
+		if _, ok := commands[i].(*order.CommandRaceQuit); ok && i != len(commands)-1 {
-			err = e.NewQuitCommandFollowedByCommandError()
+			return e.NewQuitCommandFollowedByCommandError()
 		}
-		if err != nil {
+		// applyCommand never returns a non-GenericError outside of
-			return err
+		// programmer-error panics; the per-command code, if any, is
-		}
+		// already recorded on the command's meta and must not abort
-		err = errors.Join(err, c.applyCommand(actor, commands[i]))
+		// validation of the remaining commands in this order.
 		_ = c.applyCommand(actor, commands[i])
 	}
-	return
+	return nil
 }
 func (c *Controller) applyCommand(actor string, cmd order.DecodableCommand) (err error) {
@@ -102,11 +109,11 @@ func (c *Controller) applyCommand(actor string, cmd order.DecodableCommand) (err
 	}
 	if ge, ok := errors.AsType[*e.GenericError](err); ok {
-		m.Result(ge.Code)
+		m.Result(ge.Code, ge.Error())
 	} else if err != nil {
 		panic(fmt.Errorf("error applying command has unknown origin: %w", err))
 	} else {
-		m.Result(0)
+		m.Result(0, "")
 	}
 	return
@@ -120,7 +127,7 @@ func (c *Controller) applyOrders(t uint) error {
 	cmdApplied := make(map[string]bool)
 	for ri := range c.Cache.listRaceActingIdx() {
-		o, ok, err := c.Repo.LoadOrder(t, c.Cache.g.Race[ri].ID)
+		o, ok, err := c.repo.LoadOrder(t, c.Cache.g.Race[ri].ID)
 		if err != nil {
 			return err
 		}
@@ -159,7 +166,7 @@ func (c *Controller) applyOrders(t uint) error {
 			_ = c.applyCommand(commandRace[cmd.CommandID()], cmd)
 		}
 		// re-save order to persist possible changed commands result outcome
-		if err := c.Repo.SaveOrder(t, c.Cache.g.Race[ri].ID, &order.UserGamesOrder{
+		if err := c.repo.SaveOrder(t, c.Cache.g.Race[ri].ID, &order.UserGamesOrder{
 			GameID:    c.Cache.g.ID,
 			UpdatedAt: raceOrderUpdated[ri],
 			Commands:  raceOrder[ri],
@@ -0,0 +1,145 @@
 package controller_test
 import (
 	"errors"
 	"testing"
 	e "galaxy/error"
 	"galaxy/model/order"
 	"github.com/google/uuid"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 )
 // TestValidateOrderRejectsCommandReferencingMissingShipClass mirrors
 // the scenario reported in issue #59: an order whose only command
 // builds a ship of a class that does not exist must not turn into a
 // generic engine failure. The engine records the rejection in the
 // command's meta and reports no order-level error so the caller can
 // persist the partial result and forward it as a per-command status.
 func TestValidateOrderRejectsCommandReferencingMissingShipClass(t *testing.T) {
 	_, ctl := newCache()
 	cmd := &order.CommandPlanetProduce{
 		CommandMeta: order.CommandMeta{
 			CmdID:   uuid.NewString(),
 			CmdType: order.CommandTypePlanetProduce,
 		},
 		Number:     int(R0_Planet_0_num),
 		Production: "SHIP",
 		Subject:    "Nonexistent",
 	}
 	err := ctl.ValidateOrder(Race_0.Name, cmd)
 	assert.NoError(t, err, "per-command rejection must not become an order-level error")
 	require.NotNil(t, cmd.CmdApplied, "cmdApplied must be set on every processed command")
 	assert.False(t, *cmd.CmdApplied)
 	require.NotNil(t, cmd.CmdErrCode, "cmdErrorCode must be set when the command is rejected")
 	assert.Equal(t, e.ErrInputEntityNotExists, *cmd.CmdErrCode)
 }
 // TestValidateOrderContinuesAfterRejection — when one command in an
 // order is rejected, every remaining command is still validated and
 // receives its own per-command status. Without this property, the
 // engine would silently drop the tail of an order on the first
 // failure, which is exactly what produced the issue #59 symptom.
 func TestValidateOrderContinuesAfterRejection(t *testing.T) {
 	_, ctl := newCache()
 	rejected := &order.CommandPlanetProduce{
 		CommandMeta: order.CommandMeta{
 			CmdID:   uuid.NewString(),
 			CmdType: order.CommandTypePlanetProduce,
 		},
 		Number:     int(R0_Planet_0_num),
 		Production: "SHIP",
 		Subject:    "Nonexistent",
 	}
 	succeeding := &order.CommandPlanetRename{
 		CommandMeta: order.CommandMeta{
 			CmdID:   uuid.NewString(),
 			CmdType: order.CommandTypePlanetRename,
 		},
 		Number: int(R0_Planet_0_num),
 		Name:   "Homeworld",
 	}
 	err := ctl.ValidateOrder(Race_0.Name, rejected, succeeding)
 	assert.NoError(t, err)
 	require.NotNil(t, rejected.CmdApplied)
 	assert.False(t, *rejected.CmdApplied)
 	require.NotNil(t, rejected.CmdErrCode)
 	assert.Equal(t, e.ErrInputEntityNotExists, *rejected.CmdErrCode)
 	require.NotNil(t, succeeding.CmdApplied)
 	assert.True(t, *succeeding.CmdApplied)
 	require.NotNil(t, succeeding.CmdErrCode)
 	assert.Equal(t, 0, *succeeding.CmdErrCode)
 }
 // TestValidateOrderSimulatesPriorCommands — a later command may
 // depend on the in-memory state mutation performed by an earlier
 // command in the same order. Creating a ship class and producing a
 // ship of that class in the same batch should both succeed because
 // validation runs the commands against the transient state in
 // submission order.
 func TestValidateOrderSimulatesPriorCommands(t *testing.T) {
 	_, ctl := newCache()
 	create := &order.CommandShipClassCreate{
 		CommandMeta: order.CommandMeta{
 			CmdID:   uuid.NewString(),
 			CmdType: order.CommandTypeShipClassCreate,
 		},
 		Name:  "Drone",
 		Drive: 1,
 	}
 	produce := &order.CommandPlanetProduce{
 		CommandMeta: order.CommandMeta{
 			CmdID:   uuid.NewString(),
 			CmdType: order.CommandTypePlanetProduce,
 		},
 		Number:     int(R0_Planet_0_num),
 		Production: "SHIP",
 		Subject:    "Drone",
 	}
 	err := ctl.ValidateOrder(Race_0.Name, create, produce)
 	assert.NoError(t, err)
 	require.NotNil(t, create.CmdApplied)
 	assert.True(t, *create.CmdApplied)
 	require.NotNil(t, produce.CmdApplied)
 	assert.True(t, *produce.CmdApplied)
 }
 // TestValidateOrderRejectsQuitFollowedByCommand — quit must be the
 // last command in the order; if it is followed by another command,
 // validation aborts at the order level with a structural error so
 // the caller can surface HTTP 400.
 func TestValidateOrderRejectsQuitFollowedByCommand(t *testing.T) {
 	_, ctl := newCache()
 	quit := &order.CommandRaceQuit{
 		CommandMeta: order.CommandMeta{
 			CmdID:   uuid.NewString(),
 			CmdType: order.CommandTypeRaceQuit,
 		},
 	}
 	follow := &order.CommandRaceVote{
 		CommandMeta: order.CommandMeta{
 			CmdID:   uuid.NewString(),
 			CmdType: order.CommandTypeRaceVote,
 		},
 		Acceptor: Race_1.Name,
 	}
 	err := ctl.ValidateOrder(Race_0.Name, quit, follow)
 	require.Error(t, err)
 	var ge *e.GenericError
 	require.True(t, errors.As(err, &ge), "expected GenericError")
 	assert.Equal(t, e.ErrInputQuitCommandFollowedByCommand, ge.Code)
 }
@@ -162,7 +162,7 @@ func (c *Cache) PlanetProductionCapacity(planetNumber uint) float64 {
 	p := c.MustPlanet(planetNumber)
 	var busyResources float64
 	for sg := range c.shipGroupsInUpgrade(p.Number) {
-		busyResources += sg.StateUpgrade.Cost()
+		busyResources += c.upgradeCostNow(sg)
 	}
 	return p.ProductionCapacity() - busyResources
 }
@@ -181,10 +181,15 @@ func (c *Cache) TurnPlanetProductions() {
 		ri := c.RaceIndex(*p.Owner)
 		r := &c.g.Race[ri]
-		// upgrade groups and return to in_orbit state
+		// Upgrade groups (most expensive first) and return them to the
-		productionAvailable := c.PlanetProductionCapacity(pn)
+		// in-orbit state, paying for each upgrade once out of the planet's
 		// full production potential; whatever remains feeds this turn's
 		// production below. Starting from PlanetProductionCapacity here would
 		// have charged every applied upgrade twice, since that helper already
 		// nets out the reserved upgrade cost for the report.
 		productionAvailable := p.ProductionCapacity()
 		for sg := range c.shipGroupsInUpgrade(p.Number) {
-			cost := sg.StateUpgrade.Cost()
+			cost := c.upgradeCostNow(sg)
 			if productionAvailable >= cost {
 				for i := range sg.StateUpgrade.UpgradeTech {
 					sg.Tech = sg.Tech.Set(sg.StateUpgrade.UpgradeTech[i].Tech, util.Fixed3(sg.StateUpgrade.UpgradeTech[i].Level.F()))
@@ -27,7 +27,7 @@ func TestPlanetRename(t *testing.T) {
 		e.GenericErrorText(e.ErrInputUnknownRace))
 	assert.ErrorContains(t,
 		g.PlanetRename(Race_Extinct.Name, int(R0_Planet_0_num), "Home_World"),
-		e.GenericErrorText(e.ErrRaceExinct))
+		e.GenericErrorText(e.ErrRaceExtinct))
 	assert.ErrorContains(t,
 		g.PlanetRename(Race_0.Name, -1, "Home_World"),
 		e.GenericErrorText(e.ErrInputPlanetNumber))
@@ -107,7 +107,7 @@ func TestPlanetProduce(t *testing.T) {
 		e.GenericErrorText(e.ErrInputUnknownRace))
 	assert.ErrorContains(t,
 		g.PlanetProduce(Race_Extinct.Name, pn, "DRIVE", ""),
-		e.GenericErrorText(e.ErrRaceExinct))
+		e.GenericErrorText(e.ErrRaceExtinct))
 	assert.ErrorContains(t,
 		g.PlanetProduce(Race_0.Name, pn, "Hyperdrive", ""),
 		e.GenericErrorText(e.ErrInputProductionInvalid))
@@ -208,7 +208,40 @@ func TestProduceShips(t *testing.T) {
 	assert.Equal(t, game.StateInOrbit, c.ShipGroup(0).State())
 	assert.Equal(t, 1.5, c.ShipGroup(0).TechLevel(game.TechDrive).F())
-	assert.Equal(t, 4346.676567656759, c.MustPlanet(R0_Planet_0_num).Material.F())
+	// The pending upgrade is now charged once (not twice) against the planet's
 	// production potential, so MAT production keeps the budget it previously
 	// lost to the double charge (the pre-fix value here was ~4346.68).
 	assert.InDelta(t, 7173.3432, c.MustPlanet(R0_Planet_0_num).Material.F(), 0.001)
 }
 // TestUpgradeDoesNotDoubleChargeProduction guards that a pending upgrade is
 // paid for once out of the planet's production potential, leaving the rest for
 // the turn's production. The pre-fix code subtracted the upgrade cost twice
 // (PlanetProductionCapacity already nets it out for the report, and the apply
 // loop netted it again), which both starved production and could skip
 // affordable upgrades.
 func TestUpgradeDoesNotDoubleChargeProduction(t *testing.T) {
 	c, _ := newCache()
 	p := c.MustPlanet(R0_Planet_0_num)
 	p.Population = 1000
 	p.Industry = 1000 // ProductionCapacity = 1000*0.75 + 1000*0.25 = 1000
 	p.Resources = 1   // material produced == leftover production budget
 	p.Colonists = 0
 	p.Material = 0
 	assert.NoError(t, c.PlanetProduce(Race_0_idx, int(R0_Planet_0_num), game.ProductionMaterial, ""))
 	// One Cruiser with a pending drive upgrade 1.1 -> 2.0:
 	// block cost = (1 - 1.1/2.0) * 10 * 15 = 67.5 for the single ship.
 	assert.NoError(t, c.CreateShips(Race_0_idx, ShipType_Cruiser, R0_Planet_0_num, 1))
 	c.ShipGroup(0).StateUpgrade = &game.InUpgrade{
 		UpgradeTech: []game.UpgradePreference{{Tech: game.TechDrive, Level: 2.0}},
 	}
 	c.TurnPlanetProductions()
 	assert.InDelta(t, 2.0, c.ShipGroup(0).TechLevel(game.TechDrive).F(), 0.0001)
 	// 1000 - 67.5 = 932.5; the pre-fix double charge would have left 865.
 	assert.InDelta(t, 932.5, c.MustPlanet(R0_Planet_0_num).Material.F(), 0.01)
 }
 func TestProduceShip(t *testing.T) {
@@ -98,7 +98,7 @@ func (c *Cache) validRace(name string) (int, error) {
 		return -1, err
 	}
 	if c.g.Race[i].Extinct {
-		return -1, e.NewRaceExinctError(name)
+		return -1, e.NewRaceExtinctError(name)
 	}
 	return i, nil
 }
@@ -117,13 +117,34 @@ func (c *Cache) raceTechLevel(ri int, t game.Tech, v float64) {
 }
 func (c *Cache) TurnWipeExtinctRaces() {
-	for i := range c.listRaceActingIdx() {
+	for i := range c.listRaceIdx() {
-		if (c.g.Race[i].Extinct && c.g.Race[i].TTL > 0) || (!c.g.Race[i].Extinct && c.g.Race[i].TTL == 0) {
+		r := &c.g.Race[i]
 		// Idle timeout or voluntary quit: a still-active race whose TTL ran
 		// out. Administrative banish: a race already flagged extinct that
 		// still holds assets to release. Once a race is wiped it owns nothing,
 		// so the asset check keeps this idempotent across later turns.
 		if (!r.Extinct && r.TTL == 0) || (r.Extinct && c.raceHasAssets(i)) {
 			c.wipeRace(i)
 		}
 	}
 }
 // raceHasAssets reports whether the race still owns a planet or a ship group.
 func (c *Cache) raceHasAssets(ri int) bool {
 	id := c.g.Race[ri].ID
 	for i := range c.g.Map.Planet {
 		if c.g.Map.Planet[i].OwnedBy(id) {
 			return true
 		}
 	}
 	for i := range c.g.ShipGroups {
 		if c.g.ShipGroups[i].OwnerID == id {
 			return true
 		}
 	}
 	return false
 }
 func (c *Cache) wipeRace(ri int) {
 	c.validateRaceIndex(ri)
 	r := &c.g.Race[ri]
@@ -1,6 +1,7 @@
 package controller_test
 import (
 	"slices"
 	"testing"
 	e "galaxy/error"
@@ -28,10 +29,10 @@ func TestRaceVote(t *testing.T) {
 		e.GenericErrorText(e.ErrInputUnknownRace))
 	assert.ErrorContains(t,
 		g.RaceVote(Race_0.Name, Race_Extinct.Name),
-		e.GenericErrorText(e.ErrRaceExinct))
+		e.GenericErrorText(e.ErrRaceExtinct))
 	assert.ErrorContains(t,
 		g.RaceVote(Race_Extinct.Name, Race_1.Name),
-		e.GenericErrorText(e.ErrRaceExinct))
+		e.GenericErrorText(e.ErrRaceExtinct))
 }
 func TestRaceRelation(t *testing.T) {
@@ -54,10 +55,10 @@ func TestRaceRelation(t *testing.T) {
 		e.GenericErrorText(e.ErrInputUnknownRace))
 	assert.ErrorContains(t,
 		g.RaceRelation(Race_0.Name, Race_Extinct.Name, "War"),
-		e.GenericErrorText(e.ErrRaceExinct))
+		e.GenericErrorText(e.ErrRaceExtinct))
 	assert.ErrorContains(t,
 		g.RaceRelation(Race_Extinct.Name, Race_0.Name, "War"),
-		e.GenericErrorText(e.ErrRaceExinct))
+		e.GenericErrorText(e.ErrRaceExtinct))
 }
 func TestRaceQuit(t *testing.T) {
@@ -69,7 +70,7 @@ func TestRaceQuit(t *testing.T) {
 	assert.ErrorContains(t,
 		g.RaceQuit(Race_Extinct.Name),
-		e.GenericErrorText(e.ErrRaceExinct))
+		e.GenericErrorText(e.ErrRaceExtinct))
 	assert.NoError(t, g.RaceQuit(Race_0.Name))
 	assert.Equal(t, 3, int(c.Race(Race_0_idx).TTL))
@@ -84,9 +85,45 @@ func TestRaceID(t *testing.T) {
 	assert.ErrorContains(t, err, e.GenericErrorText(e.ErrInputUnknownRace))
 	_, err = g.RaceID(Race_Extinct.Name)
-	assert.ErrorContains(t, err, e.GenericErrorText(e.ErrRaceExinct))
+	assert.ErrorContains(t, err, e.GenericErrorText(e.ErrRaceExtinct))
 	id, err := g.RaceID(Race_0.Name)
 	assert.NoError(t, err)
 	assert.Equal(t, Race_0_ID, id)
 }
 // TestBanishReleasesAssets checks that an administratively banished race only
 // gets flagged extinct, and its planets and ships are released during turn
 // generation; a second pass is a no-op.
 func TestBanishReleasesAssets(t *testing.T) {
 	c, g := newCache()
 	c.CreateShipsUnsafe_T(Race_1_idx, c.MustShipClass(Race_1_idx, Race_1_Gunship).ID, R1_Planet_1_num, 3)
 	assert.True(t, c.MustPlanet(R1_Planet_1_num).OwnedBy(Race_1_ID))
 	assert.Len(t, slices.Collect(c.RaceShipGroups(Race_1_idx)), 1)
 	assert.NoError(t, g.RaceBanish(Race_1.Name))
 	assert.True(t, c.Race(Race_1_idx).Extinct)
 	assert.True(t, c.MustPlanet(R1_Planet_1_num).OwnedBy(Race_1_ID), "still owned until the turn runs")
 	c.TurnWipeExtinctRaces()
 	assert.False(t, c.MustPlanet(R1_Planet_1_num).Owned())
 	assert.Len(t, slices.Collect(c.RaceShipGroups(Race_1_idx)), 0)
 	// Idempotent: re-running over an already-wiped (asset-less) race is a no-op.
 	c.TurnWipeExtinctRaces()
 	assert.False(t, c.MustPlanet(R1_Planet_1_num).Owned())
 }
 // TestIdleRaceWipedOnTimeout guards that a still-active race whose TTL ran out
 // (idle timeout or quit) is still wiped after the iterator change.
 func TestIdleRaceWipedOnTimeout(t *testing.T) {
 	c, _ := newCache()
 	c.CreateShipsUnsafe_T(Race_1_idx, c.MustShipClass(Race_1_idx, Race_1_Gunship).ID, R1_Planet_1_num, 1)
 	c.Race(Race_1_idx).TTL = 0
 	assert.False(t, c.Race(Race_1_idx).Extinct)
 	c.TurnWipeExtinctRaces()
 	assert.True(t, c.Race(Race_1_idx).Extinct)
 	assert.False(t, c.MustPlanet(R1_Planet_1_num).Owned())
 	assert.Len(t, slices.Collect(c.RaceShipGroups(Race_1_idx)), 0)
 }
@@ -129,13 +129,16 @@ func (c *Cache) ReportRace(ri int, rep *mr.Report, battles []*mr.BattleReport, b
 		rep.Player[i].Relation = "-"
 	}
 	// race exit warnings
 	c.ReportExitWarnings(ri, rep)
 	// sciences
 	c.ReportLocalScience(ri, rep)
 	c.ReportOtherScience(ri, rep)
 	// ship classes
 	c.ReportLocalShipClass(ri, rep)
-	c.ReportOtherShipClass(ri, rep)
+	c.ReportOtherShipClass(ri, rep, battles)
 	// battles
 	c.ReportBattle(ri, rep, battles)
@@ -177,6 +180,36 @@ func (c *Cache) ReportRace(ri int, rep *mr.Report, battles []*mr.BattleReport, b
 	c.ReportUnidentifiedGroup(ri, rep)
 }
 // ReportExitWarnings fills the inactivity-removal warnings. A race's TTL at
 // report time equals the number of turns remaining before it is auto-removed
 // (it is wiped at the start of turn T+TTL). The recipient gets a personal
 // countdown once it is 5 turns out (rep.PersonalExitWarning); every other
 // non-extinct race within 3 turns of removal is listed publicly
 // (rep.RacesLeavingSoon). Voluntary quit and idle timeout share the TTL
 // countdown and are intentionally not distinguished here.
 func (c *Cache) ReportExitWarnings(ri int, rep *mr.Report) {
 	c.validateRaceIndex(ri)
 	rep.PersonalExitWarning = 0
 	if ttl := c.g.Race[ri].TTL; ttl > 0 && ttl <= 5 {
 		rep.PersonalExitWarning = ttl
 	}
 	rep.RacesLeavingSoon = rep.RacesLeavingSoon[:0]
 	for i := range c.g.Race {
 		r := &c.g.Race[i]
 		if i == ri || r.Extinct {
 			continue
 		}
 		if r.TTL > 0 && r.TTL <= 3 {
 			rep.RacesLeavingSoon = append(rep.RacesLeavingSoon, mr.RaceExitNotice{
 				Race:      r.Name,
 				TurnsLeft: r.TTL,
 			})
 		}
 	}
 }
 func (c *Cache) ReportLocalScience(ri int, rep *mr.Report) {
 	c.validateRaceIndex(ri)
 	r := &c.g.Race[ri]
@@ -249,7 +282,7 @@ func (c *Cache) ReportLocalShipClass(ri int, report *mr.Report) {
 	slices.SortFunc(report.LocalShipClass, func(a, b mr.ShipClass) int { return cmp.Compare(a.Name, b.Name) })
 }
-func (c *Cache) ReportOtherShipClass(ri int, rep *mr.Report) {
+func (c *Cache) ReportOtherShipClass(ri int, rep *mr.Report, battles []*mr.BattleReport) {
 	c.validateRaceIndex(ri)
 	r := &c.g.Race[ri]
@@ -273,26 +306,46 @@ func (c *Cache) ReportOtherShipClass(ri int, rep *mr.Report) {
 		return false
 	}
-	// add visible ship classes from battles
+	// Ship classes seen in battles the recipient took part in or witnessed.
-	// for bi := range battle {
+	// The battle report carries the class name and owner race; the class
-	// 	for si := range battle[bi].Ships {
+	// design is looked up from that race's ship types, which stay present in
-	// 		g := battle[bi].Ships[si]
+	// the state even though the groups themselves are deleted before reports
-	// 		if skip(g.OwnerID, g.ClassName) {
+	// are generated.
-	// 			continue
+	for bi := range battles {
-	// 		}
+		br := battles[bi]
-
+		visible := false
-	// 		sliceIndexValidate(&rep.OtherShipClass, i)
+		for k := range br.Races {
-	// 		rep.OtherShipClass[i].Race = c.g.Race[c.RaceIndex(g.OwnerID)].Name
+			if br.Races[k] == r.ID {
-	// 		rep.OtherShipClass[i].Name = g.ClassName
+				visible = true
-	// 		rep.OtherShipClass[i].Drive = g.DriveTech
+				break
-	// 		rep.OtherShipClass[i].Armament = g.ClassArmament
+			}
-	// 		rep.OtherShipClass[i].Weapons = g.WeaponsTech
+		}
-	// 		rep.OtherShipClass[i].Shields = g.ShieldsTech
+		if !visible {
-	// 		rep.OtherShipClass[i].Cargo = g.CargoTech
+			continue
-	// 		rep.OtherShipClass[i].Mass = g.ClassMass
+		}
-	// 		i++
+		for si := range br.Ships {
-	// 	}
+			bg := br.Ships[si]
-	// }
+			ownerIdx, err := c.raceIndex(bg.Race)
 			if err != nil {
 				continue
 			}
 			ownerID := c.g.Race[ownerIdx].ID
 			st, _, ok := c.ShipClass(ownerIdx, bg.ClassName)
 			if !ok || skip(ownerID, st.Name) {
 				continue
 			}
 			sliceIndexValidate(&rep.OtherShipClass, i)
 			rep.OtherShipClass[i].Race = bg.Race
 			rep.OtherShipClass[i].Name = st.Name
 			rep.OtherShipClass[i].Drive = mr.F(st.Drive.F())
 			rep.OtherShipClass[i].Armament = st.Armament
 			rep.OtherShipClass[i].Weapons = mr.F(st.Weapons.F())
 			rep.OtherShipClass[i].Shields = mr.F(st.Shields.F())
 			rep.OtherShipClass[i].Cargo = mr.F(st.Cargo.F())
 			rep.OtherShipClass[i].Mass = mr.F(st.EmptyMass())
 			i++
 		}
 	}
 	// add visible ships from owned and observed planets
 	for pn := range rep.OnPlanetGroupCache {
@@ -392,13 +445,30 @@ func (c *Cache) ReportIncomingGroup(ri int, rep *mr.Report) {
 		if sg.OwnerID == r.ID || sg.State() != game.StateInSpace {
 			continue
 		}
 		p1 := c.MustPlanet(sg.StateInSpace.Origin)
 		p2 := c.MustPlanet(sg.Destination)
 		if !p2.OwnedBy(r.ID) {
 			continue
 		}
 		// Beyond the visibility range (driveTech*30) of every owned planet the
 		// group is not shown at all, even though it heads to one of them.
 		visible := false
 		for pi := range c.g.Map.Planet {
 			op := &c.g.Map.Planet[pi]
 			if !op.OwnedBy(r.ID) {
 				continue
 			}
 			if d, ok := rep.InSpaceGroupRangeCache[sgi][op.Number]; ok && d <= r.VisibilityDistance() {
 				visible = true
 				break
 			}
 		}
 		if !visible {
 			continue
 		}
-		distance := calc.ShortDistance(c.g.Map.Width, c.g.Map.Height, p1.X.F(), p1.Y.F(), p2.X.F(), p2.Y.F())
+		// Remaining distance is measured from the group's current position in
 		// hyperspace to the destination, not from its origin planet.
 		distance := calc.ShortDistance(c.g.Map.Width, c.g.Map.Height, sg.StateInSpace.X.F(), sg.StateInSpace.Y.F(), p2.X.F(), p2.Y.F())
 		var speed, mass float64
 		if sg.FleetID != nil {
 			speed, mass = c.FleetSpeedAndMass(c.MustFleetIndex(*sg.FleetID))
@@ -541,12 +611,12 @@ func (c *Cache) ReportShipProduction(ri int, rep *mr.Report) {
 		st := c.MustShipType(ri, *p.Production.SubjectID)
 		sliceIndexValidate(&rep.ShipProduction, i)
-		rep.ShipProduction[pi].Planet = p.Number
+		rep.ShipProduction[i].Planet = p.Number
-		rep.ShipProduction[pi].Class = st.Name
+		rep.ShipProduction[i].Class = st.Name
-		rep.ShipProduction[pi].Cost = mr.F(calc.ShipProductionCost(st.EmptyMass()))
+		rep.ShipProduction[i].Cost = mr.F(calc.ShipProductionCost(st.EmptyMass()))
-		rep.ShipProduction[pi].Free = mr.F(c.PlanetProductionCapacity(p.Number))
+		rep.ShipProduction[i].Free = mr.F(c.PlanetProductionCapacity(p.Number))
-		rep.ShipProduction[pi].ProdUsed = mr.F((*p.Production.ProdUsed).F())
+		rep.ShipProduction[i].ProdUsed = mr.F((*p.Production.ProdUsed).F())
-		rep.ShipProduction[pi].Percent = mr.F((*p.Production.Progress).F())
+		rep.ShipProduction[i].Percent = mr.F((*p.Production.Progress).F())
 		i++
 	}
 }
@@ -685,33 +755,44 @@ func (c *Cache) ReportOtherGroup(ri int, rep *mr.Report) {
 func (c *Cache) ReportUnidentifiedGroup(ri int, rep *mr.Report) {
 	c.validateRaceIndex(ri)
 	r := &c.g.Race[ri]
-	flightDistance := r.FlightDistance()
+	visibility := r.VisibilityDistance()
 	clear(rep.UnidentifiedGroup)
 	i := 0
 	for sgi := range rep.InSpaceGroupRangeCache {
 		sg := c.ShipGroup(sgi)
-		if sg.OwnerID == rep.RaceID {
+		if sg.OwnerID == r.ID {
 			continue
 		}
 		if sg.StateInSpace == nil {
 			panic(fmt.Sprintf("pre-calculated distance group not in space: i=%d", sgi))
 		}
 		// Groups heading to one of the recipient's planets are listed in full
 		// under "incoming groups"; the unidentified list is for the rest.
 		if c.MustPlanet(sg.Destination).OwnedBy(r.ID) {
 			continue
 		}
 		// Shown once, and only within the visibility range (driveTech*30) of at
 		// least one of the recipient's planets.
 		visible := false
 		for pi := range c.g.Map.Planet {
 			p := &c.g.Map.Planet[pi]
 			if !p.OwnedBy(r.ID) {
 				continue
 			}
-			if v, ok := rep.InSpaceGroupRangeCache[sgi][p.Number]; !ok {
+			if v, ok := rep.InSpaceGroupRangeCache[sgi][p.Number]; ok && v <= visibility {
-				panic(fmt.Sprintf("distance cache not pre-calculated: i=%d p=#%d", sgi, p.Number))
+				visible = true
-			} else if v <= flightDistance {
+				break
 				sliceIndexValidate(&rep.UnidentifiedGroup, i)
 				rep.UnidentifiedGroup[i].X = mr.F(sg.StateInSpace.X.F())
 				rep.UnidentifiedGroup[i].Y = mr.F(sg.StateInSpace.Y.F())
 				i++
 			}
 		}
 		if !visible {
 			continue
 		}
 		sliceIndexValidate(&rep.UnidentifiedGroup, i)
 		rep.UnidentifiedGroup[i].X = mr.F(sg.StateInSpace.X.F())
 		rep.UnidentifiedGroup[i].Y = mr.F(sg.StateInSpace.Y.F())
 		i++
 	}
 }
@@ -733,6 +814,7 @@ func (c *Cache) otherGroup(v *mr.OtherGroup, sg *game.ShipGroup, st *game.ShipTy
 	}
 	v.Speed = mr.F(sg.Speed(st))
 	v.Mass = mr.F(st.EmptyMass())
 	v.Race = c.g.Race[c.RaceIndex(sg.OwnerID)].Name
 }
 func (c *Cache) localPlanet(v *mr.LocalPlanet, p *game.Planet) {
@@ -3,8 +3,10 @@ package controller_test
 import (
 	"testing"
 	"galaxy/game/internal/model/game"
 	"galaxy/model/report"
 	"github.com/google/uuid"
 	"github.com/stretchr/testify/assert"
 )
@@ -86,3 +88,142 @@ func TestReportLocalShipClass(t *testing.T) {
 		}
 	}
 }
 // TestReportIncomingGroupVisibility checks that a group heading to one of the
 // recipient's planets is reported only while within the recipient's visibility
 // range (driveTech*30); beyond it the group is hidden even though it is inbound.
 func TestReportIncomingGroupVisibility(t *testing.T) {
 	c, _ := newCache()
 	gi := c.CreateShipsUnsafe_T(Race_1_idx, c.MustShipClass(Race_1_idx, Race_1_Gunship).ID, R1_Planet_1_num, 5)
 	c.ShipGroup(gi).Destination = R0_Planet_0_num
 	// Within Race_0 visibility (driveTech 1.1 -> 33 ly), near Planet_2 (3,3).
 	c.ShipGroup(gi).StateInSpace = &game.InSpace{Origin: R1_Planet_1_num, X: floatRef(5), Y: floatRef(5)}
 	rep := c.InitReport(1)
 	c.ReportIncomingGroup(Race_0_idx, rep)
 	assert.Len(t, rep.IncomingGroup, 1)
 	// Beyond the visibility of every Race_0 planet: hidden.
 	c.ShipGroup(gi).StateInSpace = &game.InSpace{Origin: R1_Planet_1_num, X: floatRef(40), Y: floatRef(40)}
 	rep = c.InitReport(1)
 	c.ReportIncomingGroup(Race_0_idx, rep)
 	assert.Len(t, rep.IncomingGroup, 0)
 }
 // TestReportUnidentifiedGroup checks the three rules for the unidentified list:
 // groups heading to the recipient's planets are excluded (they are "incoming"),
 // only groups within visibility (driveTech*30) appear, and each group appears
 // once even when several owned planets are in range.
 func TestReportUnidentifiedGroup(t *testing.T) {
 	c, _ := newCache()
 	cls := c.MustShipClass(Race_1_idx, Race_1_Gunship).ID
 	// Not inbound to Race_0, within visibility of BOTH Planet_0 and Planet_2.
 	g0 := c.CreateShipsUnsafe_T(Race_1_idx, cls, R1_Planet_1_num, 1)
 	c.ShipGroup(g0).Destination = Uninhabited_Planet_3_num
 	c.ShipGroup(g0).StateInSpace = &game.InSpace{Origin: R1_Planet_1_num, X: floatRef(5), Y: floatRef(5)}
 	// Inbound to a Race_0 planet -> reported as incoming, not unidentified.
 	g1 := c.CreateShipsUnsafe_T(Race_1_idx, cls, R1_Planet_1_num, 1)
 	c.ShipGroup(g1).Destination = R0_Planet_0_num
 	c.ShipGroup(g1).StateInSpace = &game.InSpace{Origin: R1_Planet_1_num, X: floatRef(5), Y: floatRef(5)}
 	// Not inbound, beyond visibility -> hidden.
 	g2 := c.CreateShipsUnsafe_T(Race_1_idx, cls, R1_Planet_1_num, 1)
 	c.ShipGroup(g2).Destination = Uninhabited_Planet_3_num
 	c.ShipGroup(g2).StateInSpace = &game.InSpace{Origin: R1_Planet_1_num, X: floatRef(40), Y: floatRef(40)}
 	rep := c.InitReport(1)
 	c.ReportUnidentifiedGroup(Race_0_idx, rep)
 	assert.Len(t, rep.UnidentifiedGroup, 1)
 }
 // TestReportOtherShipClassFromBattle checks that the class of a foreign ship
 // met in a battle the recipient witnessed is surfaced in OtherShipClass, with
 // its design looked up from the owner race's ship types, while the recipient's
 // own class is skipped.
 func TestReportOtherShipClassFromBattle(t *testing.T) {
 	c, _ := newCache()
 	br := &report.BattleReport{
 		Races: map[int]uuid.UUID{0: Race_0.ID, 1: Race_1.ID},
 		Ships: map[int]report.BattleReportGroup{
 			0: {Race: Race_1.Name, ClassName: Race_1_Gunship},
 			1: {Race: Race_0.Name, ClassName: Race_0_Gunship}, // recipient's own -> skipped
 		},
 	}
 	rep := c.InitReport(1)
 	c.ReportOtherShipClass(Race_0_idx, rep, []*report.BattleReport{br})
 	assert.Len(t, rep.OtherShipClass, 1)
 	g := rep.OtherShipClass[0]
 	assert.Equal(t, Race_1.Name, g.Race)
 	assert.Equal(t, Race_1_Gunship, g.Name)
 	assert.Equal(t, report.F(60.), g.Drive)
 	assert.Equal(t, uint(3), g.Armament)
 	assert.Equal(t, report.F(30.), g.Weapons)
 	assert.Equal(t, report.F(100.), g.Shields)
 	assert.Equal(t, report.F(0.), g.Cargo)
 	assert.Equal(t, report.F(220.), g.Mass)
 }
 // TestReportShipProductionIndex guards the report index: when the only
 // ship-producing planet is not the first planet in the map, its entry must
 // land at the compacted report index, not the planet's map index (which would
 // write out of the grown slice and panic).
 func TestReportShipProductionIndex(t *testing.T) {
 	c, _ := newCache()
 	assert.NoError(t, c.PlanetProduce(Race_0_idx, int(R0_Planet_2_num), game.ProductionShip, ShipType_Cruiser))
 	rep := c.InitReport(1)
 	c.ReportShipProduction(Race_0_idx, rep)
 	assert.Len(t, rep.ShipProduction, 1)
 	assert.Equal(t, R0_Planet_2_num, rep.ShipProduction[0].Planet)
 }
 // TestReportIncomingGroupRemainingDistance checks the reported distance is the
 // remaining distance from the group's current hyperspace position to the
 // destination, not the full origin-to-destination route.
 func TestReportIncomingGroupRemainingDistance(t *testing.T) {
 	c, _ := newCache()
 	gi := c.CreateShipsUnsafe_T(Race_1_idx, c.MustShipClass(Race_1_idx, Race_1_Gunship).ID, R1_Planet_1_num, 1)
 	c.ShipGroup(gi).Destination = R0_Planet_0_num // Planet_0 at (1,1)
 	c.ShipGroup(gi).StateInSpace = &game.InSpace{Origin: R1_Planet_1_num, X: floatRef(5), Y: floatRef(5)}
 	rep := c.InitReport(1)
 	c.ReportIncomingGroup(Race_0_idx, rep)
 	assert.Len(t, rep.IncomingGroup, 1)
 	// current (5,5) -> dest (1,1) = sqrt(32) ≈ 5.657; the origin (2,2) -> dest
 	// route would be sqrt(2) ≈ 1.414.
 	assert.InDelta(t, 5.657, rep.IncomingGroup[0].Distance.F(), 0.01)
 }
 // TestReportExitWarnings checks the inactivity-removal warnings: the recipient
 // gets a personal countdown only at TTL 1..5, other non-extinct races within 3
 // turns are listed publicly, the recipient is excluded from its own public
 // list, and extinct races never appear.
 func TestReportExitWarnings(t *testing.T) {
 	c, _ := newCache()
 	c.Race(Race_0_idx).TTL = 5
 	c.Race(Race_1_idx).TTL = 2
 	c.Race(2).TTL = 2 // Race_Extinct: extinct, must never appear publicly
 	// Race_0's report: personal countdown 5; only Race_1 (TTL 2) is public.
 	r0 := &report.Report{}
 	c.ReportExitWarnings(Race_0_idx, r0)
 	assert.Equal(t, uint(5), r0.PersonalExitWarning)
 	assert.Len(t, r0.RacesLeavingSoon, 1)
 	assert.Equal(t, Race_1.Name, r0.RacesLeavingSoon[0].Race)
 	assert.Equal(t, uint(2), r0.RacesLeavingSoon[0].TurnsLeft)
 	// Race_1's report: personal countdown 2; Race_0 (TTL 5 > 3) is not public.
 	r1 := &report.Report{}
 	c.ReportExitWarnings(Race_1_idx, r1)
 	assert.Equal(t, uint(2), r1.PersonalExitWarning)
 	assert.Empty(t, r1.RacesLeavingSoon)
 	// TTL above the 5-turn window → no personal warning.
 	c.Race(Race_0_idx).TTL = 6
 	r0b := &report.Report{}
 	c.ReportExitWarnings(Race_0_idx, r0b)
 	assert.Zero(t, r0b.PersonalExitWarning)
 }
@@ -49,7 +49,7 @@ func TestPlanetRouteSet(t *testing.T) {
 		e.GenericErrorText(e.ErrInputUnknownRace))
 	assert.ErrorContains(t,
 		g.PlanetRouteSet(Race_Extinct.Name, "COL", 0, 2),
-		e.GenericErrorText(e.ErrRaceExinct))
+		e.GenericErrorText(e.ErrRaceExtinct))
 	assert.ErrorContains(t,
 		g.PlanetRouteSet(Race_0.Name, "IND", 0, 2),
 		e.GenericErrorText(e.ErrInputCargoTypeInvalid))
@@ -87,7 +87,7 @@ func TestPlanetRouteRemove(t *testing.T) {
 		e.GenericErrorText(e.ErrInputUnknownRace))
 	assert.ErrorContains(t,
 		g.PlanetRouteRemove(Race_Extinct.Name, "COL", 0),
-		e.GenericErrorText(e.ErrRaceExinct))
+		e.GenericErrorText(e.ErrRaceExtinct))
 	assert.ErrorContains(t,
 		g.PlanetRouteRemove(Race_0.Name, "IND", 0),
 		e.GenericErrorText(e.ErrInputCargoTypeInvalid))
@@ -2,6 +2,7 @@ package controller
 import (
 	"fmt"
 	"math"
 	"slices"
 	"galaxy/util"
@@ -36,7 +37,9 @@ func (c *Cache) ScienceCreate(ri int, name string, drive, weapons, shileds, carg
 		return e.NewCargoValueError(cargo)
 	}
 	sum := drive + weapons + shileds + cargo
-	if sum != 1 {
+	// The proportions must add up to one; a small tolerance keeps inputs like
 	// 0.1+0.2+0.3+0.4 (which is 1 only up to float rounding) from being rejected.
 	if math.Abs(sum-1) > 1e-9 {
 		return e.NewScienceSumValuesError("D=%f W=%f S=%f C=%f sum=%f", drive, weapons, shileds, cargo, sum)
 	}
 	c.g.Race[ri].Sciences = append(c.g.Race[ri].Sciences, game.Science{
@@ -33,7 +33,7 @@ func TestScienceCreate(t *testing.T) {
 		e.GenericErrorText(e.ErrInputUnknownRace))
 	assert.ErrorContains(t,
 		g.ScienceCreate(Race_Extinct.Name, second, 0.4, 0, 0.6, 0),
-		e.GenericErrorText(e.ErrRaceExinct))
+		e.GenericErrorText(e.ErrRaceExtinct))
 	assert.ErrorContains(t,
 		g.ScienceCreate(Race_0.Name, BadEntityName, 0.4, 0, 0.6, 0),
 		e.GenericErrorText(e.ErrInputEntityTypeNameInvalid))
@@ -95,7 +95,7 @@ func TestScienceRemove(t *testing.T) {
 		e.GenericErrorText(e.ErrInputUnknownRace))
 	assert.ErrorContains(t,
 		g.ScienceRemove(Race_Extinct.Name, second),
-		e.GenericErrorText(e.ErrRaceExinct))
+		e.GenericErrorText(e.ErrRaceExtinct))
 	assert.ErrorContains(t,
 		g.ScienceRemove(Race_0.Name, first),
 		e.GenericErrorText(e.ErrInputEntityNotExists))
@@ -136,3 +136,14 @@ func TestResearchTech(t *testing.T) {
 	assert.Equal(t, 1.35, rr.Tech.Value(game.TechShields))
 	assert.Equal(t, 1.45, rr.Tech.Value(game.TechCargo))
 }
 // TestScienceCreateFloatTolerance checks that proportions which sum to 1 only
 // up to float rounding (0.1+0.2+0.3+0.4 == 1.0000000000000002) are accepted,
 // while a sum clearly off one is still rejected.
 func TestScienceCreateFloatTolerance(t *testing.T) {
 	_, g := newCache()
 	assert.NoError(t, g.ScienceCreate(Race_0.Name, "FloatSum", 0.1, 0.2, 0.3, 0.4))
 	assert.ErrorContains(t,
 		g.ScienceCreate(Race_0.Name, "NotOne", 0.1, 0.2, 0.3, 0.3),
 		e.GenericErrorText(e.ErrInputScienceSumValues))
 }
@@ -0,0 +1,76 @@
 package controller_test
 import (
 	"fmt"
 	"testing"
 	"galaxy/model/order"
 	"galaxy/util"
 	"galaxy/game/internal/controller"
 	"github.com/google/uuid"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 )
 // TestServiceOrderStoredThenAppliedAtTurn is the end-to-end regression for the
 // order lifecycle against a real Service backed by a temporary storage
 // directory: an order submitted through ValidateOrder is persisted (FetchOrder
 // returns it before the turn), applied when the turn is produced (GenerateTurn
 // advances the turn), and its per-command verdict survives turn production
 // (FetchOrder still returns it with cmdApplied set). It guards the wiring the
 // Stage 3 collapse reworked — Service methods threading the concrete repo
 // through validate → store → produce → read-back.
 func TestServiceOrderStoredThenAppliedAtTurn(t *testing.T) {
 	root, cleanup := util.CreateWorkDir(t)
 	defer cleanup()
 	svc, err := controller.NewService(root)
 	require.NoError(t, err)
 	races := make([]string, 10)
 	for i := range races {
 		races[i] = fmt.Sprintf("race_%02d", i)
 	}
 	if _, err := svc.GenerateGame(uuid.New(), races); err != nil {
 		t.Fatalf("init game: %v", err)
 	}
 	vote := &order.CommandRaceVote{
 		CommandMeta: order.CommandMeta{CmdID: uuid.NewString(), CmdType: order.CommandTypeRaceVote},
 		Acceptor:    races[1],
 	}
 	stored, err := svc.ValidateOrder(races[0], vote)
 	require.NoError(t, err)
 	require.Len(t, stored.Commands, 1)
 	// The order is persisted and retrievable for the current turn (0)
 	// before the turn is produced.
 	got, ok, err := svc.FetchOrder(races[0], 0)
 	require.NoError(t, err)
 	require.True(t, ok, "submitted order must be retrievable before the turn")
 	require.Len(t, got.Commands, 1)
 	// Producing the turn applies stored orders and advances the turn.
 	state, err := svc.GenerateTurn()
 	require.NoError(t, err)
 	assert.Equal(t, uint(1), state.Turn, "turn must advance after production")
 	// The turn-0 order still carries its per-command verdict, recorded by
 	// turn production.
 	applied, ok, err := svc.FetchOrder(races[0], 0)
 	require.NoError(t, err)
 	require.True(t, ok)
 	require.Len(t, applied.Commands, 1)
 	v, ok := order.AsCommand[*order.CommandRaceVote](applied.Commands[0])
 	require.True(t, ok, "stored command must round-trip to its concrete type")
 	require.NotNil(t, v.CmdApplied, "turn production must record cmdApplied")
 	assert.True(t, *v.CmdApplied, "a valid vote must apply at turn production")
 	// Orders are per-turn: the freshly produced turn carries no order yet.
 	_, ok, err = svc.FetchOrder(races[0], 1)
 	require.NoError(t, err)
 	assert.False(t, ok, "the freshly produced turn carries no stored order")
 }
@@ -31,7 +31,7 @@ func TestShipClassCreate(t *testing.T) {
 		e.GenericErrorText(e.ErrInputUnknownRace))
 	assert.ErrorContains(t,
 		g.ShipClassCreate(Race_Extinct.Name, "Drone", 1, 0, 0, 0, 0),
-		e.GenericErrorText(e.ErrRaceExinct))
+		e.GenericErrorText(e.ErrRaceExtinct))
 	assert.ErrorContains(t,
 		g.ShipClassCreate(Race_0.Name, BadEntityName, 1, 0, 0, 0, 0),
 		e.GenericErrorText(e.ErrInputEntityTypeNameInvalid))
@@ -109,7 +109,7 @@ func TestShipClassMerge(t *testing.T) {
 		e.GenericErrorText(e.ErrInputEntityNotExists))
 	assert.ErrorContains(t,
 		g.ShipClassMerge(Race_Extinct.Name, "Spy", "Drone"),
-		e.GenericErrorText(e.ErrRaceExinct))
+		e.GenericErrorText(e.ErrRaceExtinct))
 	assert.ErrorContains(t,
 		g.ShipClassMerge(Race_0.Name, "Spy", "Spy"),
 		e.GenericErrorText(e.ErrInputEntityTypeNameEquality))
@@ -134,7 +134,7 @@ func TestShipClassRemove(t *testing.T) {
 		e.GenericErrorText(e.ErrInputUnknownRace))
 	assert.ErrorContains(t,
 		g.ShipClassRemove(Race_Extinct.Name, Race_0_Freighter),
-		e.GenericErrorText(e.ErrRaceExinct))
+		e.GenericErrorText(e.ErrRaceExtinct))
 	assert.ErrorContains(t,
 		g.ShipClassRemove(Race_0.Name, "Elephant"),
 		e.GenericErrorText(e.ErrInputEntityNotExists))
@@ -177,6 +177,12 @@ func (c *Cache) shipGroupDismantle(ri int, groupIndex uuid.UUID) error {
 		case game.CargoColonist:
 			if p.OwnedBy(c.g.Race[ri].ID) {
 				p = game.UnloadColonists(p, load)
 			} else if !p.Owned() {
 				// Over a neutral planet the colonists settle it: the planet
 				// becomes the dismantling race's and the colonists join its
 				// population. Over a foreign planet they are simply lost.
 				p.Own(c.g.Race[ri].ID)
 				p = game.UnloadColonists(p, load)
 			}
 		case game.CargoMaterial:
 			p.Material = p.Material.Add(load)
@@ -408,7 +414,7 @@ func (c *Cache) ShipGroupBreak(ri int, groupID, newID uuid.UUID, quantity uint)
 	}
 	if c.ShipGroup(sgi).Number < quantity {
-		return e.NewBeakGroupNumberNotEnoughError("%d<%d", c.ShipGroup(sgi).Number, quantity)
+		return e.NewBreakGroupNumberNotEnoughError("%d<%d", c.ShipGroup(sgi).Number, quantity)
 	}
 	if quantity > 0 && quantity < c.ShipGroup(sgi).Number {
@@ -491,7 +497,7 @@ func (c *Cache) shipGroupsInUpgrade(planetNumber uint) iter.Seq[*game.ShipGroup]
 			}
 		}
 		slices.SortFunc(result, func(a, b int) int {
-			return cmp.Compare(c.g.ShipGroups[b].StateUpgrade.Cost(), c.g.ShipGroups[a].StateUpgrade.Cost())
+			return cmp.Compare(c.upgradeCostNow(&c.g.ShipGroups[b]), c.upgradeCostNow(&c.g.ShipGroups[a]))
 		})
 		for i := range result {
 			if !yield(&c.g.ShipGroups[result[i]]) {
@@ -34,15 +34,20 @@ func (c *Cache) MoveShipGroups() {
 func (c *Cache) moveShipGroup(i int, delta float64) {
 	sg := c.ShipGroup(i)
-	originX, originY, ok := sg.Coord()
+	var originX, originY float64
-	if !ok {
+	switch sg.State() {
-		panic(fmt.Sprintf("ship group state invalid: %v", sg.State()))
+	case game.StateLaunched:
 		// Just launched: the group is still at its origin planet and has not
 		// stored a hyperspace position yet, so the first leg starts there.
 		origin := c.MustPlanet(sg.StateInSpace.Origin)
 		originX, originY = origin.X.F(), origin.Y.F()
 	case game.StateInSpace:
 		originX, originY = sg.StateInSpace.X.F(), sg.StateInSpace.Y.F()
 	default:
 		panic(fmt.Sprintf("ship group state invalid for move: %v", sg.State()))
 	}
 	destPlanet := c.MustPlanet(sg.Destination)
-	arrived := false
+	x, y, arrived := util.NextTravelCoord(c.g.Map.Width, c.g.Map.Height, originX, originY, destPlanet.X.F(), destPlanet.Y.F(), delta)
 	var x, y float64
 	x, y, arrived =
 		util.NextTravelCoord(c.g.Map.Width, c.g.Map.Height, originX, originY, destPlanet.X.F(), destPlanet.Y.F(), delta)
 	fx, fy := game.F(x), game.F(y)
 	sg.StateInSpace.X = &fx
 	sg.StateInSpace.Y = &fy
@@ -45,3 +45,20 @@ func TestListMoveableGroupIds(t *testing.T) {
 		assert.NotEqual(t, game.StateTransfer, sg.State())
 	}
 }
 // TestMoveLaunchedGroupFromOrigin guards the launched-coordinate fix: a group
 // just sent by an order is Launched with no stored hyperspace position, so its
 // first leg must start from the origin planet. The pre-fix code dereferenced
 // the nil launch coordinate and panicked.
 func TestMoveLaunchedGroupFromOrigin(t *testing.T) {
 	c, g := newCache()
 	assert.NoError(t, c.CreateShips(Race_0_idx, ShipType_Cruiser, R0_Planet_0_num, 1))
 	assert.NoError(t, g.ShipGroupSend(Race_0.Name, c.ShipGroup(0).ID, R0_Planet_2_num))
 	assert.Equal(t, game.StateLaunched, c.ShipGroup(0).State())
 	// Must not panic on the nil launch coordinate. Planet_0 (1,1) -> Planet_2
 	// (3,3) is ~2.83 ly; a Cruiser covers it in one turn and arrives.
 	c.MoveShipGroups()
 	assert.Equal(t, game.StateInOrbit, c.ShipGroup(0).State())
 	assert.Equal(t, R0_Planet_2_num, c.ShipGroup(0).Destination)
 }
--- a/Show More
+++ b/Show More