From ac64920dbf5393dd50de2cfd3f3138547cd56d5d Mon Sep 17 00:00:00 2001
From: Chad Palmer <chadpalmer@gmail.com>
Date: Wed, 25 Feb 2026 18:21:38 +0000
Subject: [PATCH 01/27] fix_scroll - Added overflow: auto to message-content
 css class to allow horizontal scroll in response window while preserving
 access to drop down menus.

---
 application/single_app/static/css/chats.css | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/application/single_app/static/css/chats.css b/application/single_app/static/css/chats.css
index 38e11c3a..f672b28f 100644
--- a/application/single_app/static/css/chats.css
+++ b/application/single_app/static/css/chats.css
@@ -1046,7 +1046,7 @@ a.citation-link:hover {
 .message-content {
   display: flex;
   align-items: flex-end;
-  overflow: visible; /* Allow dropdown menus to appear outside content */
+  overflow: auto; /* Preserving higher level visible property while allowing response message scroll if needed */
 }
 
 .message-content.flex-row-reverse {

From d31afe0ec30fdec9422ce70bad9a693d0978d8a9 Mon Sep 17 00:00:00 2001
From: Chad Palmer <chadpalmer@gmail.com>
Date: Wed, 4 Mar 2026 22:07:12 +0000
Subject: [PATCH 02/27] feedback-user-timeout - Added user idle timeout feature
 that auto logs out of oig chat and clears app session after certain time of
 inactivity.

---
 application/single_app/app.py                 |  83 ++++++-
 application/single_app/config.py              |   8 +-
 .../route_frontend_authentication.py          |  26 +++
 .../single_app/static/images/custom_logo.png  | Bin 11877 -> 0 bytes
 .../static/images/custom_logo_dark.png        | Bin 13468 -> 0 bytes
 .../static/js/idle-logout-warning.js          | 221 ++++++++++++++++++
 application/single_app/templates/base.html    |  35 +++
 functional_tests/test_idle_logout_timeout.py  | 179 ++++++++++++++
 8 files changed, 550 insertions(+), 2 deletions(-)
 delete mode 100644 application/single_app/static/images/custom_logo.png
 delete mode 100644 application/single_app/static/images/custom_logo_dark.png
 create mode 100644 application/single_app/static/js/idle-logout-warning.js
 create mode 100644 functional_tests/test_idle_logout_timeout.py

diff --git a/application/single_app/app.py b/application/single_app/app.py
index cd04ff67..504a9db8 100644
--- a/application/single_app/app.py
+++ b/application/single_app/app.py
@@ -98,6 +98,8 @@
 app.config['SESSION_TYPE'] = SESSION_TYPE
 app.config['VERSION'] = VERSION
 app.config['SECRET_KEY'] = SECRET_KEY
+app.config['IDLE_TIMEOUT_MINUTES'] = IDLE_TIMEOUT_MINUTES
+app.config['IDLE_WARNING_MINUTES'] = IDLE_WARNING_MINUTES
 
 # Ensure filesystem session directory (when used) points to a writable path inside container.
 if SESSION_TYPE == 'filesystem':
@@ -423,7 +425,12 @@ def inject_settings():
         print(f"Error injecting user settings: {e}")
         log_event(f"Error injecting user settings: {e}", level=logging.ERROR)
         user_settings = {}
-    return dict(app_settings=public_settings, user_settings=user_settings)
+    return dict(
+        app_settings=public_settings,
+        user_settings=user_settings,
+        idle_timeout_minutes=app.config.get('IDLE_TIMEOUT_MINUTES', 30),
+        idle_warning_minutes=app.config.get('IDLE_WARNING_MINUTES', 28)
+    )
 
 @app.template_filter('to_datetime')
 def to_datetime_filter(value):
@@ -447,6 +454,69 @@ def reload_kernel_if_needed():
         """
         setattr(builtins, "kernel_reload_needed", False)
 
+IDLE_TIMEOUT_EXEMPT_PATHS = {
+    '/login',
+    '/logout',
+    '/logout/local',
+    '/getAToken',
+    '/getATokenApi',
+    '/robots933456.txt',
+    '/favicon.ico'
+}
+
+IDLE_TIMEOUT_EXEMPT_PREFIXES = (
+    '/static/',
+    '/health',
+    '/api/health'
+)
+
+def _is_idle_timeout_exempt(path):
+    if path in IDLE_TIMEOUT_EXEMPT_PATHS:
+        return True
+    return any(path.startswith(prefix) for prefix in IDLE_TIMEOUT_EXEMPT_PREFIXES)
+
+@app.before_request
+def enforce_idle_session_timeout():
+    if 'user' not in session:
+        return None
+
+    if request.method == 'OPTIONS' or _is_idle_timeout_exempt(request.path):
+        return None
+
+    idle_timeout_minutes = app.config.get('IDLE_TIMEOUT_MINUTES', 30)
+    now_epoch = int(time.time())
+    last_activity_epoch = session.get('last_activity_epoch')
+
+    if last_activity_epoch is not None:
+        try:
+            idle_seconds = now_epoch - int(float(last_activity_epoch))
+            if idle_seconds >= (idle_timeout_minutes * 60):
+                user_id = session.get('user', {}).get('oid') or session.get('user', {}).get('sub')
+                session.clear()
+
+                log_event(
+                    f"Session expired due to {idle_timeout_minutes} minute inactivity timeout for user {user_id or 'unknown'}.",
+                    level=logging.INFO
+                )
+
+                if request.path.startswith('/api/'):
+                    return jsonify({
+                        'error': 'Session expired',
+                        'message': 'Your session expired due to inactivity. Please sign in again.',
+                        'requires_reauth': True
+                    }), 401
+
+                return redirect(url_for('local_logout'))
+        except Exception as e:
+            log_event(f"Idle timeout evaluation failed: {e}", level=logging.WARNING)
+
+    if request.path.startswith('/api/'):
+        return None
+
+    session['last_activity_epoch'] = now_epoch
+    session.modified = True
+    return None
+
 @app.after_request
 def add_security_headers(response):
     """
@@ -529,6 +599,17 @@ def serve_js_modules(filename):
 def acceptable_use_policy():
     return render_template('acceptable_use_policy.html')
 
+@app.route('/api/session/heartbeat', methods=['POST'])
+@swagger_route(security=get_auth_security())
+@login_required
+def session_heartbeat():
+    session['last_activity_epoch'] = int(time.time())
+    session.modified = True
+    return jsonify({
+        'message': 'Session refreshed',
+        'idle_timeout_minutes': app.config.get('IDLE_TIMEOUT_MINUTES', 30)
+    }), 200
+
 @app.route('/api/semantic-kernel/plugins')
 @swagger_route(security=get_auth_security())
 def list_semantic_kernel_plugins():
diff --git a/application/single_app/config.py b/application/single_app/config.py
index a6a3bc99..85304ca3 100644
--- a/application/single_app/config.py
+++ b/application/single_app/config.py
@@ -88,10 +88,16 @@
 EXECUTOR_TYPE = 'thread'
 EXECUTOR_MAX_WORKERS = 30
 SESSION_TYPE = 'filesystem'
-VERSION = "0.238.024"
+VERSION = "0.238.026"
 
 SECRET_KEY = os.getenv('SECRET_KEY', 'dev-secret-key-change-in-production')
 
+# Session idle timeout configuration (inactivity-based logout)
+IDLE_TIMEOUT_MINUTES = max(1, int(os.getenv('IDLE_TIMEOUT_MINUTES', '30')))
+IDLE_WARNING_MINUTES = max(0, int(os.getenv('IDLE_WARNING_MINUTES', '28')))
+if IDLE_WARNING_MINUTES >= IDLE_TIMEOUT_MINUTES:
+    IDLE_WARNING_MINUTES = max(0, IDLE_TIMEOUT_MINUTES - 1)
+
 # Security Headers Configuration
 SECURITY_HEADERS = {
     'X-Content-Type-Options': 'nosniff',
diff --git a/application/single_app/route_frontend_authentication.py b/application/single_app/route_frontend_authentication.py
index 022ecf84..c71adc11 100644
--- a/application/single_app/route_frontend_authentication.py
+++ b/application/single_app/route_frontend_authentication.py
@@ -35,6 +35,7 @@ def login():
         # Clear potentially stale cache/user info before starting new login
         session.pop("user", None)
         session.pop("token_cache", None)
+        session.pop("last_activity_epoch", None)
 
         # Use helper to build app (cache not strictly needed here, but consistent)
         msal_app = _build_msal_app()
@@ -121,6 +122,7 @@ def authorized():
         debug_print(f" [claims] User claims: {result.get('id_token_claims', {})}")
 
         session["user"] = result.get("id_token_claims")
+        session["last_activity_epoch"] = int(time.time())
 
         # --- CRITICAL: Save the entire cache (contains tokens) to session ---
         _save_cache(msal_app.token_cache)
@@ -207,6 +209,30 @@ def authorized_api():
 
         return jsonify(result, 200)
 
+    @app.route('/logout/local')
+    @swagger_route(security=get_auth_security())
+    def local_logout():
+        user_name = session.get("user", {}).get("name", "User")
+        session.clear()
+
+        from functions_settings import get_settings
+        settings = get_settings()
+
+        if settings.get('enable_front_door', False):
+            front_door_url = settings.get('front_door_url')
+            if front_door_url:
+                home_url, _ = build_front_door_urls(front_door_url)
+                logout_uri = home_url
+            elif HOME_REDIRECT_URL:
+                logout_uri = HOME_REDIRECT_URL
+            else:
+                logout_uri = url_for('index', _external=True, _scheme='https')
+        else:
+            logout_uri = url_for('index', _external=True, _scheme='https')
+
+        print(f"{user_name} locally logged out. Redirecting to {logout_uri}.")
+        return redirect(logout_uri)
+
     @app.route('/logout')
     @swagger_route(security=get_auth_security())
     def logout():
diff --git a/application/single_app/static/images/custom_logo.png b/application/single_app/static/images/custom_logo.png
deleted file mode 100644
index ecf6e6521a737af56bcc82321caff1acefb63494..0000000000000000000000000000000000000000
GIT binary patch
literal 0
HcmV?d00001

literal 11877
zcmbVSQ*b5FvOTe_iEZ1)1QR=%Boo`VCg#L8C$??dIx$YHiF0#by`T5{K6dY_UHhlI
zR`qJE2qlH@Nbq>@0000<Mp{DU>mL0&Ca}<7b|BOr0RUiPkdY8o^T@jJMM%>#bv@Df
z>>)PKO&_BW7h~gs!t;bf7a<GMg!O<rz`&xfTLo1W>v$*A>2x(aEdiEwn!I$+Dm1*i
zUM$Pel3##J;C)7YK|jk#q$A;wC`f-$v8SgyKY|SY>3$mL`c7x1^RmlOP<Z!E^ES-*
zz12MUy#cV)ltiKaKgOXKOlSkC449|O4GDurfCx**|MG{}CQ+@gFM{OFM%nB8aRFnl
zCc@9f{_PFWGyEgo^4Nl6PmjILk9or|u;^$&r535>u|hzRFk0~Qul?@VOSxT=!1q8B
zWZGM(?G^g^>n1hOl`y~J{t9gY7;UF~ea%%x%%4A{n^y?u;!y0U*+Wq{H91xaThg$&
z%^Gogfl@&_{%YPA)q4BFby>dM*1!M=dtnDeL7ItF=Bv!CEFa|rYHQR3S;;jzvRf>G
zj7UhhF4!+;#%rRo6`ZXe-`B_NV)H4^R<HWE*-w)ct{oUL0C>>e=VSD{VVA!D!{XxN
zI~Mg?X~0{YilaQ3APO3iMv}-OJYLLVjJsr(Y%hYcc$dB~XBkxPKQaF(VyMBekz7}2
zj~Cb}-q%dTu5A62Pvb@6D%}=4LUNek*K<f;p~wO`lassmbR4J%9H?>}D0#me%{wB#
z+fj0BHx(3UK~O;YzE_uDh9*Li0Sdb?JbMk%QMXXgB!Vv%W2FAi?vFO)SECyXtDT*l
zp2~Dee`pbVXo;PV5)o$vaJKuwNWoFa@JZgiK+G5LMVl9WgD2vwjEwd*WHwhN@^_)0
zqaBIx<I`gZPm^}B(es?7Bno|^k(&z`gbHDR$h8k!5CvTqPRMMc>|{IK{k3W}3+#I;
z$1pxjOn6g^Ry9oDT_<NuktYhE6ARJ{kai;``R<cYB+2WmpP?8p0nF#Mj|Z?Gzrs4o
zXO(h4=YOKn6D4E$Is{jT`^C(F+)2)up@pO8b4yOyynTm6A6b8$W`4wt7#NTD!FUIg
z=<Hnkeo9gRu`&0!0i=@Ra^K))6MRcpD!mQ>N%_wQJ?S4jM*-MtPu&El>`>RDJxBiQ
zWWP@^>mc{cJ}B~jHjoVj+~YuE8q(ZfB_r1p1LShePB>>p%e=$8+G=`w{L97K!HTuO
zVQ~Rb8leek4}Wn=b%A(bqdxF*cl_EcDAf{>5#TCN_e8??{yX|BC5d^xGx#Qp(#dE_
zQZE<+N-m&R{I#y+gzl@r@Y%=-=tiv{(y;_Y9MIcc;;3Cu`xM>KP}LHG3_31!^oWzR
zkf_p1_Y?<bDFRc~nzFt)m;xe2Dkdf@(V?;f7ebT;N|C_*2QS|cy%Xee3AW_7c+8(*
zkwzr90lg4pxlZlui2Xa=FC>K~FzCQWj0|_(3=anx9i#k$rQY6NRtn%hC0LC?!IVPT
zlfLLww0$&`!Q!YFXob;)bMWy+O1f$NRIYthYkdzkbf3U*^<+26&1;fnd8Pb8O3R#&
z{C%cJ^r}n~8K)}PYm<mQC&h4j-;kPjAWXG@yOGge`n)UFxpCeyx8Q|_1{Zp@y94Q{
zn22*^p2llD>waiCPTd;U!Ih7RA0`d+JrUlwZ#<PQxfl)W62&@IkNh@7_fOsJT*PO`
z9?E5_zd<X(ixr-6IS&1BeFCU&@wr9sfS}Ka0*e^UyRn+EziBn?IrNm`aRq@Vl+J0V
zC|<|~<!qvUu~bAl=``j08VXnx+dbwpIcNY_IilOnBKPZ#V6%p2b&+;>85uts%aEK0
zT#bX6CImp7@7vADiVLpCh`Nurhx0w0Id8ij2odJ6ko~a&=eWEjbw*qIHNW!J)ziJy
zwKml~wfp+Kr6A-7IrfiK2jb>CZAsLw*|qfV@Ubk=Le1CO$s12>S~aT;9ydlB3C}ic
z!KUKc$qGbGw`Fnkl06j7exz_BMi{k_#m(e%D3E&{f-~M<fq<xoO<gC?Bv%VD;~h69
zlbxC7L&iZorLr$^OfKeWut_;?we}9wU%$fEO{a17Zow~Y3y*{_wv#9=<abq89jhnf
zCEg?T{${;0Z8<*zhHrHX3`SX=!*J!Qsej*aLbg_$7o4GToR3-inLpQRxlp1N`tdK|
zB)be)N&-Zdcsus0y1J~Zt5fb~ne))tgec91{$QUWSmS18{WG8vK>3VLKuAbgoP-*N
zz<GNzniK0DQ5Y8bLP>UE(rr#U<Gkx>{5%T#BT3x!Y~qamw*2i$V8S5J3G2rDy_Z-r
z`P1lh9xKjftKBu#SE5wB^2z&fJbA8KuR}p8jVQIK5q$N41oA0|;Co1%M^u-=54+q=
zONl35LTjg`zv}PZGjn_Z{=4kfA54WD@<aQHaptuURB|(;=`Kjf$V6+>_#**9h5H;;
z4XWe+-qi{=4?MR^zMT0Kk<bsnd`E!ClO&hn0V}|<us*)NzBcS|yWmTKBuu3`MfGkI
z5FRZ~(pB2U5EmC0*p8Wh?_mQSh-nFAe_`)E&UX7A7VHfVoX<R`&g9yHwwNVMb)Lg_
z^&@3!Db%a0TVUwE)`iWtY~TI+9O2NCnO@J)Cvw3PW}p?o5+S3(;aTKf3$K)!eyawX
zQRn_mYJPLn-?}H_25|R4O4H6Q*MRW6r&Hyof&A<pabhF#)2RKB;13l83R;fTV5ZNm
zzmb#EZT|dkko$if<;3EyAyL912P$j$GP<tv<OVLnf^X9bK5I_FEi^M>)Z_}*ngAzx
z6nZMurk91u+eu4AQ0bC)5~!cAZe633_}wpjFwnXpU=_&ox;6GMe&O#(g69#5CJ7@J
ze>O!#M1)OTWiBP=l>RHg3^|;G)jj{Casu;_9wQjjVeS!&0kd>{?cnR;a-TqOq5|+@
z1!HV7k_OGE2zoXE+6hBCnbITe>&#K46}xZ^$nLE_X5<Cb)9^zwlC7&6i}{Y|?z=VG
zYc#p^yZxwe^_&HFJ+I<9<FpL#t*A;S2<QJ1UF<dR>fbi~QA~)_0ig!^<HN{5aenIb
zylc0`+|VKKWG&3xi20AB479BMvmh7y7J7AU^}$5wTvCIOe05m`6G42_XN-CDg112>
zd@F3lzp-Y|sBw>koC8W;pY(OxnZwvwL4plh8K3oDtyt6IUI?wc_xm??V_oIZnz3_j
z{c+6mv+Qj;-MB6*fryS!vs4&j$Tp(jBpNqId9uggZim5oyYP^=VL!vmRdCp@)0W?L
zGCRFP$*ywA%6$4d)?5#!E>?ii>0=UIvw7icmad}2TW1b?Pu@`QO|Ar!atmOt{icu~
zf{fe6Pm>JcT?$!3)0kHZcqS6!-qIVgl?qbxFNmc&3eL_vkclwF{17DVPUNBa=CT@f
z83z}(Tl;OQc=gw>%8vkC*h;jrp7JFtdn4NT!YF6aT&O^~*@tw4s7F7s+_ZuGSdL%B
zf5b3x!`4uHllA|Nf^B?cjif^wF)7h(#9^Y!NY{;^yiYi(?O=&@0@f^};&s8az<Y?B
z5>sMoH<2&==N+vHuzzcj54LbO94U5Y{HwQ%T}$s>^_;S>e7R~GTv51W=iq3h2@e9n
zUekx~X)W&C9HqD8v!C-=(1sk-!H`ZX(7vY9z;6fNSsd5QM;60~1eyFD!pl?@s6;k`
zM7Q%%IEyTGzj(7$Lih-mB%rr+p({f+{3YZ>Sz~03Kf5~4Gj7ozt|Qf0&?Uh{Q~&Gk
zW$O(970Kw-v!s*d!>BtK38xlPzC)vjH^-?0Uld)h_}m24L4OiDNMjR|9PB3DYE8Jc
zG==U6MGZW}>_VM13j6nkrWkf6B@hYQUh>Di=WGaS4cTDN0@&}~@O(5Chv>2hw%%xI
z5MCP<hS%Ud4*Lh*8i^!nEE!abG%a&lIg;A^j!k2E_ABmKdSYhiFx9Z#k>e2!ocOHt
zcX^(hv<Ub(9NzsPDv#mgq2G~z^Z-XRkVO)?v1d&WccMoISV0cKEQka6B6G+&wtF&l
zI(Rk0;z~R$$}GdgsfjO(YMUNPzds25P7Ks*!j7HOWXJkdn-L#YwJ&}xDh&#q9I_X3
zx5Qf@NhL!>-rKKN+E7K#h4wfn)t2-QTaL+zA#BEKp8@3nq{!5H?q@RQ5*#T!ITm*W
zM}H?dT~HhJ0mVy2D;0GowISgr#shh6)%&fsgtK_@de7C*kSxE#vOoV&ZObQu2LlK!
z0g;7BMG>?n6kHZoynx(0ZE6f6DUuuh?yFn@2yS}q2gdI8Jbmx#g#xPOKEB<RH&93t
zgCC{DIt8=GRBdCQB1^a!5t@u(=t~2T%xv<90g@Q0nM{rWmSms(r6PrPIF=mq!B>jj
zGW_<z40TV5tg;wv@C~r_ErCNVrRzfJdq5LpEtfJpN!<6hj877<t)swyg@J*AuWpx{
zV<{AO;R%xE_^`7xHjLiiOB?^>G3u1DC}M+TLH?K4^ius~72jnYf2=49&=So!t5fIU
zknPn$+uu9Y4)g!xn38su0>^jxa|fAN0EhZyKYy1q)?mYmmK_P6N@hhIXU1Zt2l5Zm
zU!{p9h>+5ULwah?CSFj&X0aKq_qLpSF;YI$U_DGO`lfk`7I=Fcel5p^2sR&4WPt=r
zz_BmMkiyo|h|FlxqZ*1%UcAU18Wv{IX}i&U#9<&e!p-R1jO1yV0l3At;;w`lbe6`)
zqH%cPzWvdr1{0(UIron(KF*6kK6M^F!3CPO9TJMDd`JnqOn07uE$&D1%lWuu)a5Fl
zkWjmDy)+J9R52@8>^`$<b$5YrUH}hK)DXINg#5KdgtFHz$;2fMrnKWXH~}1hP=cu2
z$jQ^mfd160u%UrRZ1(kbnV4aeJwGRVLrYI{n*0r{zH-iZ{Z%0h^Z5RK&!Fm!|IFU~
z!^qG`&TmM2%Hl_@(8BeTBB}r&>$1hW94&IgbA8xtQDu6!K#oNxsddS5n7#uU%?pQO
zV}yfS42ud%1J%Ky*nOm>?LQmhsOcLAK6<{khRMTKf0qsl#}CID;m3nU+)uOh@SV)z
zQ!Gn%-w@_b3>r=UA8qSZe}a`PUkn%+@3puw#IkCgO^&@8shx!g@AjIjH&_@p$TS?r
zy}q-c5)=jq_3oj!RE6y6*kI*ZRG{t!Ri^8sj;xvA@^o|NM1S(iB-j_n-1|noU{^^6
z%~;18C4Rf;#HCN^#hNjhnvf%V6$<I{%p+=L81qAMdLdxh;IK&`x7HqG6sUye=rgez
zauQYr&%rK9OFv>!dE?7_+G5abdF8xn{-W*2AMh2PZD@7ySY<K8$>$lA6ZnaK)I{2z
zvs+g*AKdDH^|KX9KJ}4fJiiesEbzS7$M3~t@HZL3RAx?BGo_?Q;DGs&$<?<EJ9f6+
z6R`5~KD*$RUQtT=S4&0&iR<h%4zq};xcFE`PubJbYo&lJeQfS@?{LYtX<x#n#(BCQ
zcEgAj_yiUU<}3t~Dc7hWBiPk5ge(6HI&kny;-NhlK@PgFIpj}H1=~qP8E8-1)uERp
z6gyJOp85uSJM&<i=S#I_{%0p}AEY@v>;hUp9khA>_f?e*Cz`z=tKB0t8Xr~Om&i+N
zSAUGmiHk>NJ)ywB2JtYn7Rh+E!R*E4VS0CHi<%rpWo9_RwsR)83<fQyWr*gJ9a4!0
zMxxG4(QKSRZHLKXR$@dJ+ZD=8*qCI5o9b)*-s`}4ai2JH|1KI6OxCBMW^VB#{s*Nn
zAPC=+v_P4JvD%U~f|hJzChq53MpO-he7$$<9nRQ(j{l?=$-2th<-NZ(H~?&7rCJZP
zu5>0XBi!sW@?!Cf`y>04FJ=K{V@QLhhjONI!TOCth6t_`2tIySm2$!!l+J`JC<(SV
z|J4h;-0IB9w(obEX&}6Bp1D;|odSVC^dYhYDT=PNt<S6ha>%{!Rm8MsZ1yGc!#<Z|
zexLpcL5|;lUf{c036Ke0l^-3*O<Zhh*0!KH6DCZV-L?01OO^)qPl%T1#?SLrMZ~dL
znhT%|C#aD1K2qb453mV1RZAl$VEJ@Pg?><XMCgM5PG3$iDAy9!^D-T?@9?sdU@Upr
zEC5kcQMvJbH%aw78wyc*D{PQ-mC&S-LL+&42}Qyupad=E-?OLHHx$k>NiRd_R4pnF
z4-orY_jRkx0M_)?DX7z{L5|`kbCP901UuW?Ub-k9EvVRebB)<scPu!X;nB}$U9__=
z#HrGb28IZo^%xZSLx&ws$hPGQv<g{o*f4npjj}RL6Vc^~XuXcYlfS<ucQq@MNgW1{
zM78}|{$?ov6|loPp3v;jR=0ao$f0STJOUE=Yo&66Ku*rrx$g}7)K*56ol$-+R(!%B
z=1NzfHO=+Z4?788@JC#mqRwRWx2vTA0)4m57sk3t;4fwH##+Xu=bd&^!F6Oa?kcAk
zPsz;YwSrMU!Qsr|XVw)H;Qe#bIhCXa#8gvguBJ#b<+Km%KI$t*dR0#6=H@JWGL+d4
zR!5m%2q54|Klg-YAIg4c9BuZlMDoP;?6360h|XJCFE1P0L__y#dCu3HPP}A;4UKu0
z1V^iSm9)EYQS&sA{FsJOqCt3iQdJau0H3)FVyiQB49=D(EQ<5Bk5J(#As$q>(Q$(_
zhQ#oQ?utNOtQU^8lAXS6Fm-<drsWMe66IF1xpD=1;hNUsp=q+<*WPE@0vY}_pCU_-
z9!npdseTQadK^b$2~~@^S}ejB^t}rR7Zx$5X4DdF?T+CWL~`x9GWXd`Tr09S&q9WV
zNyz!89tqwVgs)2zDzlZ78=G-2o1jBe90O~N?=C!mp2E`mt4fR8f$z-ens;1)h^3H~
z8VYal-pHF9M+L176FV6MnHoy#Q`F%E*4Z5Fr~U*JP?3#oyQ+ls9z%Ce;$&^sDmrr(
zk6nU7^uC;Ns2&8g=7X`i-|sF(!ZO%?AVJ{aH@YDzL%^y9N({?XrDx>$;t=FL|N31e
zp-uG9Do&e7A%J&f+$v`?NF8u3FSn~=o5|oXFfC$jm)*OhBHNg78U0jJ6zQ6NlIc9@
z9Rsp7l!D16AxWmNTwV}g%~(O3u=HU#ngo*cu4<h^ADcBwnQp<`9xfqV)|Ho+m*V_7
zT3nGOy;2{(tsJ7<g02FRc)tkt9HERj+Mo@Z2bTPTPl?yfE)(!3IL}Lw9<$Q6p55eZ
zU!vg~YPST6`RY!&!k4n5^I$0*@>La_EOZC?me2B7$AIe2ln}F%#aQ|W6K@DDv${9L
zJ^!kldG|h(*a#i++n$JtDy=!@ofO3W;}tE(kIJ2<B2Z*%4DBb_G9$Z$(`muBr6HPQ
ztg66g>7mW59RCIrh$`3KI9^TdoqfsGk>mW3^dR0?Q`*)?BWl@M=;A-Igdi0#w(sM3
zEI6#GS%$x$!HYpb+gWA<ZU@0gYnA!i5rp$o6W=<^b~a_-;@wPe&?X5uu-1;H$+}uP
zJ|Z+K!#pxAGN!|xXq4tIo@Un2CONb=ln30YJWd^|3c@&XfE_5(+%U(&Tvt{bfNVr_
zA3p5EFk6gCfGautwO{%u)O|rwH3ZWtDyjBCFw3O^HH<5n1^BKWhFoCld&y=^(K0Ik
zL--&38{39mgseoRGP^rt4DWZi#z_n8sP@RDbs4*R3U9f!bAw7!!gXU;BDa)vC1P82
zHx+46?{c7xl!ysAsx>7>BXOk`0$LqGAH!tlBx6`;Xikf{)eIhD0nC0~-IQ~!cNk0T
z5mmr-PaqIKmI>d?%1mU#5Q<62)T7mJr`eW|StOOk_0A}mir}yzbRnp7jjP#MF@Lt@
zG}asLuE>zF!WLnHFxpkup{jU8rG2%FA&ikXyXMU{3r>t-O0U4e5Ny`tFQqn0XQ|vX
zPjQL$gbrF)xuUk(-VJtlw5g$nW3@DWH0?SPWCtU9t3vXMh9`^M@6mdBZUboo18mtr
zV%ONS25hVT=iN+hdp}X+=P2np+{nd@y0IJe@Y-+l!!Q8gev0@#S==4xxzQUgj0fzP
za*Z2<PCG2S#*IXZJc5`F1UC%(JSs+$Itz-i3dk-f-4-yOH0!lodBEN?Mw=oUWyG&b
z!=Me$^4EDtr|>`uY6G054S{;`^=x7djaN}{P)GWf6B@_mB*HDUrO3wuRsO=l6-OQs
zu<%cek_P^f6;qlnWYzK^E=4j@{v9%hq|?r|{w1<%q6HcP0zx~(>5U9vW9WCJ>Q(ff
z`J6c;I%`9<3OSWbFKG+X;MDR`43<BxYD&QwZAOL^=)$gPhX?Lvhb@G1+oZXRt@@x!
zc(Vr6c&soJ`Jd}$!Af*ix)Ly=RO?$uIvI65=gzc{3O$n<P8ieXRM`B~%qyAZJ<b~b
z;w78tlsn?}ldKf?;L{ThN?)mhE`S9F#(Fl{ojB)tEbxf5kbO%j9)(`psr5}HfwBfF
zfO#4?k`7miEB(_Z&0*~$kCQ(qV1&8dVvCFa@_eB7WDL)V^uhJ2CCK0;FC!?5zk%U1
zDK~#=o}Xl^uCTWUyOyyQ-{vsmxWOE2-V4=(lV-ISWJ2ECR=k5a0`kl`BCp|9%?<<4
zwcixak|SAlsbXEgcJz=zm8@w=+l(6jyWgmioMTiaE3j+Z*Q^n=Wk=``Yni%N&5x&(
zk>o~m>Sb0xE|@tY-DtOp;J2Mol2SGG)=ONtKx8Z7Ys^>gY#1V20w>!w63hL-Q&Z`2
zAd1?V0hwJ*4#6`xc<My;_B;NXiT{$(NGC<D>9;N(YR!Y){WTHjH<oE(`lBC$<KHPk
zR`(``ICes>Z5ZeRb{oT6CqLzzkB47>jJNoB-M0TCaQApEg$X@wVF*9v6KA{S*d=oQ
z>h}{tEwumrq&Hq}35DCd+ZJyE>Jv+@xW9Yw${r|ARG}Vc<vMK5{4I_izL=}k5DsTa
zBb5t>TdEh%zp-(S*i|g!yx1AeVC9=35IW6jK;lAks^_1Mf@!kaXe~8V6%0xzIz6Bc
zQ6ad3`7l_gAUpZVLy3ybJKx>ieF%R$lkr4ntiskgPzNg(xVK>|Z<}5n-8FW5iVkvA
zBP=9&F(+A-<fEC7fTn6!mUD>|(vDnbf;AXXCSe~r=A1t_$ld%n5NyiuFZVT?2&g3*
zTmqbpMa2sG%?v8~Z!+(OP58D_;r)*LE$TDz-Ohj47Gy8%OG!TV^3YZF{!A7gK9Vr<
zC(Ygxq=H6e=v_nTPcvB0BWH&&aLs7FQtjF<ZT>A#2uE^GjtUQ>1ws~imYtP<D1iSr
z>20yUZ#m&Kk#<I#<;4Y+esY>Zl#exdt4Lh@g5||}4$87?V~yl;yU-xy`ReQWNuyU^
z8wIYkM+eSJ?%AvkAL!4i6`QF4b&wg}PC>9ljJ&1`gA<qpN*7D4eS<t(y)UT|Z)B0N
zypEfdf)5MOxetlr&D+|#4y=+ZE|lf?4VC%2yVY)sPqQU}FT4~ZF_9(dxQMPpv_&3x
z_M>+v%(qW(PUIRdl@dl1B1Z3RZ=isoqfT-5)L1(wro?l3HPLh`f&t|P_)}DsyQb&;
zU`SJM37=Y9WQ`ac_ct;9UU(MedJwXqS+Y)KKEbJ+`_^5}zps@_sj|PzSZ_jLDl#Hs
z7MkRob!YD@dCk!$OY!*#&Cpn{Xr$BwJv)R#5?bE%@)zyGj5|@=rz~WoCbY9o<!*o*
zZ#oe=wnt5wjvjHt&rS{2D<KVPMYr=H$O2R11`v*EEy`8-L}O4trJ-*Pf=E2NVg?z5
zn9@=2AD*elXFpqImjr3nyqUCW93;6ng{jPNZ)PqViqqGt0<*L2+p5O7ti@Sxn8Qak
zqUWB8W53sbWCRbk_`HVNf6~APAyl2Hp(-Ak%B3vE!jgX~I-_zIVn*3=dd6PtH94B4
z3?Mbpv|eCUq!3S&^Pt7`IM*@9dGQ7Rp1s5L@-hdDpvml5D6&UYxR%kImUdkt%<!0j
zzbnqnz~Z8&;(~4hMoHXr#r`1;$WtHhlKwE%8Au!;MXXq02;*SH{p9tmH!VMCny^zh
zH{WaHPLzlbg1Nf7XHLVl&5T;kts>r_YQUNRAwE~D%x!CV$k`2t$l6N6t}|5aT5=JQ
zrP6ApK}8$O8zXj1IEi?ckiBS-TV8(6MSG4tyEC1YiZH(q@n(gC`(}Fr#nyF@vF(D8
zO$M{<#^;l!E)~E}NJ<Fn)j{;lG6asDyoduRGzC3o3ITvXcE5C36XYL<kAI1U+TO=T
zf>@r)<Bc-OIHf)P?sKH33tq_ZlT3Jw=uLU40$8Xi6MaT_a``%+C+T_rSf!I8yNA$5
z%oY{1$OQ4zEkKt^(8i8Gov0t%OxENWTVa!FS=`NC-|o^kU#vdj2Y3*HvnE*Bt9sW7
zD#$>YB9Q)~J<u-I*6FBld`W_Y$;|De=~uhCI90n9`EE(bwcV1Us=d~XH-hLFpHSXq
z`d&|#62W<i7HNmg>4ObBWMwIsB;F1K1LIi9xLmYRRl-aKw^CB$Bow)39m08T8t~-A
zlx#qun&EDmb=P-AdlK@@C<$p$Y$XSLPA!h$YErn;jiC6pH0@#7A<dAHN9A~ni#y6m
zGL(siE92r-gMquo5>IYbv&<TK@(ts$zi0JahlC4qEX7f*fqU8qkyKNWL7St|Za;;v
z5@%mm@%2~FJ@{n3#BpqhD1=|dM++)c2X7n_1d7D@0FXL5WXJL=C#c#jr7-GdeAVy%
zTh%vP_yC|7A<n>QM#)bL!|y9#+?62S&p^XDs@eYXhvkvKiGGb*l0vD1s3NH&j&Ch`
z)+D^1W6;Q0I}i2?7$xgHI9U^X9!>0s_4=$uf}7q~0@1eCe`ov6>-t^Mtztd*pi0P5
z!EK=$19Q1dg5i=h`Y#x(wIrWeec*PED}LCbkuarYWULEW2Xa}HxY5!U|4N*81BG8O
zjBS%a;09r))`y#rg*63^gol-Y+I6B-(W($6ahh2Q_v$lA$svi^nzqEfreX>Cb3&Uy
zf^|1%(Xrn9>`EZb*>5Wx8;Kpe#=AJbW;X^pbkHR_ogi0KfR@LdIojD32(A;>8ZE{n
zv19Z*pVT;TP{d2L{L4-S#-Hbp){EU)>(0h8^@egYCo!&CtoNdGRHQ@Cj#<8T!{CNy
z(!3%R5Y?;s6>cXoT)2@7P(-SK!``7KaQ}3r(E9-#e%jW6Hak;M^y(y-rKu1fuZRLC
zZk4{5%d2`0`YQN4*12TC4X_w$VEfE?cZ^#Wy4~XfA8Wme>4PvM+gUr-AM#tufOSA;
zp@Z5v@vHN%uAh<8TQrPwmS!<y2R$>?m6wPr*6poB`_aWJSoW5?ASli<X$g7ENTE?|
zET4*ta4m^u{?BekSSua%dif+hv2#21eSbq~i3+*iPrqcMnBo}oZlXgZ<+u^29$s1T
zF&+*Vbu`g(blxWwj=2tnmh;%QmCx;x&AlZ}19?XR|Jl1CxxmE-uO4K*Fc}MMJF+BR
ze)(gHyG!M04q2RR*7+Eb>ZiUxoxHY^K`1B^@78-`Pq}7QIjQ1Xmoh31mYoa~r|0Y>
zO&&VN$wtl7Xt_Sw^ez`@@m=4k-5<d1Zh4Nfua1NDx;8`eR?hH>%IvV&Paii1R&rs(
z<i#B_f2%;crCkk|P2tAU?f8t#RLrQhwPPn4#nF3H+&^tRafvr-z18Rc)PXkaNm0>7
z0}5(>jKSz{+i>Nk6<X!H*fu5UwdgVHNW>Kp%~)<Veg48L)s)R^5Gl`Og!#7`dX?~-
zL-P0<tpOulA)iE*GBhg4BM&Hp0*q7SyD4gTJYT!hnp@`13wof4Ma(n^9NTI!i_(O|
zl~vH0`9ov=<1W=O{tDZD@g>zSM84nQaud>)ISVX1*enR~_2o5A@%BwD;LV4O4-Sx$
z-`i``x=e>$Xo)u0DzZ%%a|scUSwPah6grGElXa@6GVUz8X9|nz&LGQFcc(^lOiYu`
ztL|&*%Y&;ZRPc|{GP%SNgPJltPJ5g;QOodmJstrm`;`?anq$|Q$y*N1RA&0LdBgmV
zt?TP6_Cq$#$W3NoKt*U{$Seu)V4lMFlM9ggnef1TDO`a&;!YM8z5%LCCq0&zgW4OC
zA#V%xKLLSsvk%rxA<ujuc`{;X6lUtc3F6+}Bw7vPTk|z4Y#lh`kIz1VzdRNXO#C>*
zAKT{e`$?XfYW=33o}NmybM|HFMYRxSC`NZg0?g?HjFoyt45J%a>B@KoFHuGQ1)%O2
zaA9uOx`J9OqBcK}RWm|jU*~6Fn$32bkYN41%a&ntJa$7+=cXB^tv^`~AM}J8k8bMp
z1<zjLMSmLSZ~mH=h}!pPQ?WXfFfO2S<%^E>Q#HgCilMd3&B$=dU#@MDOhQp{=zz_|
zGQY{Dyr~mGRlpJ%T%n3N@Ln!Av-JZV^!CbElq8gs2X;{mqlz}^T$Gc*=6oY0B=k-h
z)=PR|&@WfUL`p0oPo&T$7>}nvqM5nd`x@6*g+Hm4Q!Jj_Hc9szyw<!Q-h_E>C_dlF
z*ki~AmlDGo)bHnq{LVbLb}+oYL)#gbgg$!BNq^ivfjpkeJw18YdOhRqYBumUhum%N
zGgEZZ!%4Ni%6K2Q7J^a+I*n|lfOmcSwds0?>%RH@-QD)#$n#=z#+*Xi-k0CDv?(@t
z#!QNoCuGtum$AB#Kq3C>(EF(H=N035#qng#d)1G-bgFM10^TJz?)ySJtedItVX>Yg
zxZ!7SE8z{lEh*Z>H~ps79j1Bl*P3~+TsFU?N2X~#{%t`-Kba*t|MokVO)v_yjO0E(
zyFqJOgHrk2ne2fKwKMc{>a{zfBe3gN8lfwXrftOc<Kjegke*DUnHTcG^r?fZ%A~`7
z0q=}P>b3TLe0!VNi0dW;en?&T?+sh6!DwG!V*z#K4c7^&&WMc*v5XwmKITxbsC1CL
z*L^3r=(%K2pCU<ESoc*|alA0(GyX|6HF-hsbgNfNv~DwmX=94Oyhx$4|2};g2xvOA
z3jS7=RMS60SWGAC(X=Berp}!(*xw$N{l3@aoIDSA9wwh?h}JlL)R^485apBE^?;W_
zw?RpMNPVf5D1*<zX%EL_%VFU@69X>)g?##UAS~IyNg|R(_q#g;=_)i*TT|tNCAO%%
zRXeNsd^W1}R`5<Orh2Rt$)IQQPBra+&_puH)c=n1N~G>29&z-!WB3QU>%KCeqa+$>
zGP3bZvkZ(DJ3+J@dXMfudHI^?<vy%d!y~KAMwxu+1e8&ix(~h^V&8|D#Nt8mH3}TW
z-`W}qc1~`yt4eo$$iFzj>|BKiQ42DjJ?XvX3e0qD#)03G<yt+gHy!RAS<o{Xba&2F
zJd^8VradmbjVw<SAy<DX&bEa^n(Z%Di8p(0cOEwjB%?ky7~Ta>@*{_wc7gPy>mQS`
zSAlsgd9!UBS=jv0vbN4x!%9GS@Rtr2_|IR}wtwM%4N{EHv$Ky~(>VSejry*~{}*SL
z^RLv%$c*?PDI_qGjg~~{^Rhc$&NHLn8+!oww|z2{A{vcOe9vn40hx!;3P@Vo?80h)
z>Vlv7XRhL5!RU05js+vqPllvJ{)aXK<4cgJogK`TxdI$KF7*_SDdTtcj-GIAuDwEn
zU)xuwX4}7Wht+o<SnMLzPSZCFo?GA&HOfe4x!~j5Vx3p%D!hl06AvVZ_eX7)s^vb+
zCii5cCoZEWivknd^0MZnFFC#Z&jdv-cqWaZHHjqlj5`K>`A}Yt-<9tLgyA0{eVe`_
z$rSc-W{302`5DIG6yhWCk-N5_&y6PcbgN8nWD5acA~S>+OjBecA`PMb=ndBblk}Y%
z=@6)~_Wr8!G@q4O4kZKO`+*grC%$^-xXVG=@9*z&{OfG=qe?l)E3PGEORu0EhL!y4
zygibVPLjWxU`E2J@{|R-crnn&ZZML{c6Wqby}Bs8TQRa*yRUu%Fs4o3{UADvj;eC*
zrd%K9@4E_2MO`tiH_*e@81qpEV6@%&2=a12GmcLwA9Z-cEYtra%PC3}AC05<KMhpv
z<ehwyBB<9Ept(+?25}!BM!s)P;hsbWnfCln8NlC<@rMXte@K@i&6pwcvRER&_05&c
z4W;Lb7iUs3tOV!}A4-nDI!!JuHq|b7L|uAe!1rMdHP>jdzU|-K+&Cy28~p}^IgxRZ
zy-hJ_G&}LRl*f6QGj$$iSpWQ6eO4zA!%1)kYXm-wwdndxWURf;A@|p+jc7OPw6fhP
z1~V9NoxF_D#)elxBpKqR5$jz(R{RHad41WS9F8%SGI|}%sN2j^LZyGQB`Q$^^P6){
z<UV0IXLw66tx&fR=mx0FLqc{%n+TvSGSi!Lwu8~zR&#3pZq@zkfPo(Il+Lp`BlEqE
zqVImMs)XQnXMu7Dv$*@Z#`UL&*DbrqDE>mYz*M$nGY*UHaYo)tq_s<L{<P>hI##<~
zek|qKok4CPx?D{N)TH0E?1hHqBT)#?5NAf)FpsL+&`@fKSIF^m&kS|z;}OBdq~|~;
zkD|UQLaV}%=NpsowX<Gk0zIeGgUcWu+|$$mGXMGbpFe*Dow3aAh$H9<iZGB}A?JYk
z9wJ~}5jZkAbM)u>{@Ic>LtmN`p1CZZFu5I>c;gQDt8JbIc6mmD7;>cI#ZTAchi<CN
ze6d<ikgdjMMhy8WBP?68UJy7A#!9c`HwjGprH5O&*T}VuftgGj1*eElkk{%D_0$k<
zGF?hT*Z%xi60as%TKh@$m*dfmE|RWLaru&xk`IG0N*dxd!CM%>lcjz{(1`|M(?T}g
zZI{k=L&SppN+Kd7GlmQ9rDJmr$t6aocrjBHe$VMLa#2rWeJ)&uEHy`6wl6Q<;V<@(
zlWV$UJntYC)4$nu^1nfDJd3WVdg|_9x*k$d7l<&@e3A6B`^-+xtSYV{e)dCA!B%NB
zJ*fUcHQE5?NvedjcT0GO4yq<%H-rvenwG~b?>{Y}sEP~4S%H2fdvB(6W7C>4Zu;xe
z205Jbnw39qIvZT{elg+1*1F9VNPfr3JeY+2Nxoi28rCk;g8v1*JrR;ocTg8Aq?gLL
zF`JU`t(bk`u{VC_Y)=?$cbH0T7I8ulexlTE_B?dbLO{~mWAp&0nJ2S7-fnfedJ7r_
z(|&g1{UtU@x1oATea-N(pe`W5m!~r>cjre&YWs${ZSY2cZKy2{vS}IWU?j=cUQ8Hj
z*E4AVqNJYZiRQ)zZB$Na@6^j%WxIte41dAwP0IVqCI~Lm-4h|a50{qRe&m;|j-#dj
zc5Y3DlYY%g7~Bb?PL{C|G0<I>Qbg}>)uVwlWi`YQCAa53S-TG}!<94HI^u;%CcCgE
zx{CHeMc%w9{H&350!17W3QCX5%G2e9$ecCU$v6GhA{w;tI9Sr|F9oaSg<ykDSUj+V
zVagu~D@F^&3pZL>9mssAw$;DmEBy5D)*hQ9Y#hxX{`fgN9%1_!_+cXO9>+8-Fcqj#
zrSnh|XZJF+LNkSIezz&HGk9l+PIR6CFhlBSC0F#UL59kS7rvYi7007XZy=1!f~mf2
zb6K1Bqcu&kQ_Sr6Wuj=gbZ^F21>{A+3UVRFX!(>#7vtCNSvey$y>U(PsA^8qUY|H-
zJXlxARXk*15Dg*eic=i=DhdCW)c=Rs|BnIWs9t}99kq6189+p7f62!IGLi}s)ndPb
F{sTGwC=37q

diff --git a/application/single_app/static/images/custom_logo_dark.png b/application/single_app/static/images/custom_logo_dark.png
deleted file mode 100644
index 4f28194576a32f4463ff13ac96521f979e739bb0..0000000000000000000000000000000000000000
GIT binary patch
literal 0
HcmV?d00001

literal 13468
zcmbVzRZtvVv^CBE0}MX+Ac4W%-6gmLcXubj-3JQ}36|jQ!QCOaBm@uc791|$U;op6
zybry*>hwd`>9cF^wbxo5qoyK<iB5tJ2M33#ATO=)b{~1WECDEQu|F~h0}hVcLP1(W
z>(iH$0JI-u+FAPoC5vm$>wiE|Uuy@&C7o|4tu(`t;-R7W79bhQ!ymAO6$}6Eo_(6E
znHdQiq~ViEVe&QDSY}5F0s><~4AifN4=tpYBpgoR^rUNbVPQer>*wQ(=ANg{#|P(4
zSxA}K!OH4_c8SVYkCy-efDA|i2}k<>5PHY4&fl+w0E~Tlz&Y-#rZ8f`=naBI2#llN
z=gJx(Pp3*BIYkP)Ss`{~0|^+H!BOn^yHO$H7L$}0dd`{{v+epbkc!c8<?OC$$#~`V
z6A~K**n&T^<)0z$edspo%JP&DY6!f3lRbf6r*9Kq#*t|)pYxw+*7jr0pype>?m&^r
zy(=be<#rHNsx*>F*T>tn_zInx>V9e2FP1OC9J1^~o{o-=$Wq6ssk4NA04{WMg2E?S
z7!Y}m=|iQi0Ns>ajjP&T1(j|RDW5ZKZI9VzADq*A*YkYwQEnuT2#UI=u*Jjx_%W4(
z67L!)b*vDde-aiJ*K7uJ`lSLHQxW-rE8yPx$0Vn?)tC=RPSt}9BczCYaX(soDgtj0
zW2Gzj3iJ%clL~O$1c;@{zsqQ^B2>bCWdZw$+KsqZ`WR@kp=M@8p|MDJYcZ17K*!Q{
z>Mq{_3#=}5m1x4Fdo6oysbS!!Z}@uYgG2N~luYqyf&Kpf5MdX)`3l8woHwmRV!2Ga
zYn(|+L1@(<^;!5p2T*b{GQ$sLT3vbLJH{=}t8IF2-vHLw;h=82mH8`Slu8;P*sQX2
zOhP8fm^(Ds7#^cpi}77;=qn1%(~Pb#@3MVU(l&ponV#q&&Ea`L1pJV$w)TzXD!YpF
z?|-Pn&5o`87uiSbL)h2baF9rNkdo*a2oZM0E=y8ko>_bN_q)xIxs9Ol)%DHM(mLXE
zPSrAD??lhtchEFf@Q_<&a2R_57!M}F%OAZVBLXw@Z#8sgP)}Wdw>4V9P!yJul9IdX
zsDUCCeJ?UU{XXO)3fs^Im%BcTe$A4|(p9M$*oBwps#>z(oIxDxhumGRdmYypp<guy
zv{0UqvX%}7ESDUY5RT}uR2{&P2=4WSlkZ&*n>jOsM)9KJ%&)R#jMvbiw`wlke50qY
zfE<?g5V!`DxdZH?w;&fpAUPOYiQqIvePvq|`z-1#;*wZq5WCmI*jzV=u!UB`JUnlP
z`x#%n8dT_^vg1clpmi^mxh?H#8r<}H&O>E$KP?NgOP}0vw;S7^jI<^*YGKB<sBBW*
zsw4u1amZ*B7|s1w{JQrDNEMC*F+Z?kg@8V6pfvfeQp#gK8I@`I;#)k?#L&hOvV4}m
z>DJcv`L=ORA=9Dy651;fU|x9Hu3wdnmtHB~kuBHbjvLb4)a0Ryk4p8pY=VPPsSSBC
zg^A^<l$bd2kgyJclaxz0$YM&1%V;SQnY#AQnw%a*E6iTU>Pd3`d^q9&?@0^8kH8bw
zIG2ZU6r_IsP%#L#SaMly^OFA()$0%ZQ0d6qUdO4fS5l6yLWgHhovb#Ch}fpxg5Fl#
zX^@$P{Zr3R4{p2WCma{6g%@Zav;(Q-ml$9mjEjqr6xFX-fXb2yz#(WtikJzx6vpjD
zPJB-@%&m`iHB|(5^nML3DjTF!_3JY+SG<g768qWAxj`|2hdrR*<~rkEoxPq9=c9*z
z<v4~+kmT^$A!f3Xt-5a+9eC>Zf}A?jSYB$tP(;d^1$!4LR?5uCM%lwIQ5n~RPE)k!
z6U7@EjF-fw24hpDO}Q97q}>PFM|nW(Nl?5E*0$$MYD`+)ch3A|xL|JNRG!!!=n;LL
zk#>e>ZLD{4zkOqDv4s-0Ifhu*8|~)AD)pPjP|3Dr@qh`w)u^k9pimuBYWmF(M55La
zxH9lA?k>cV5`L|~EBshWbKt*HRWg=YchyTsVO^@Bqp3~sn0u=eOeW-g%q|(-JJ2_j
z?}#V|CMIqzIN<I^F9fqwR!?)GoOKmK(TAj!v5PZG<_?$*AHPvPLn|9xgU~FLBCF1)
z)5;#OZoeM#47Q%A5fig=WlV#AMfxv3JJ}S!sJ>Gib2|+{adYg3ilBUJQxlVntnfB4
zEy`k2;#n-rdnAv&)^G)}HjD4Y6>VK~?ZKl_oot3s;>*}^lX&&BpTfHx|4mVKzR~cw
zSj|AxWX)JwIJz0vRu)2!T<2CgUoMpW#xYZSQkTB%Se)u!G5@>C!Olg<WB&<eC_|kI
znkp8iq;pwmb^`ve%j5l#rUC{OchWaDc%SI=lDfI3KkwbXm7%YWb9s}k&$-_yOUuVr
zRn5l`vHDna3LQ?5uSI=as@JC27q|Q&um+Nn44_1~Z5T!1-6sDKKUPA*xhv97!NB|l
z`=(DLqitSC#hCGHjdm&ZzBl$2YS2G~iG!jVUn@obHg))c&AJzPo=<niGtQ1XWv^xK
zci4jLSoP`$)|(uNL?8CQ!Iv$kvlxunm3);=6nnX|R$af)R28x6vEip&OXS}IG=DrZ
zu6Ny(4D9ms?Q^lPu)q*L{u*xR$vL!~A5E=1!wBA{XCF#rGwJG};1wEw4F3)Hnq&<g
zQeasZL%V;WcCNX?=_?nEVF+MOmKUzG9Q`~Rcydkb=YH0COESH8?)J%8Tl*P<tz#N(
z-9WfM4-&3&p4kGvhyDb>yZ_P9zEO}--w^N~^*}EC2}YajBTN%#%WE)dX~}y_AaE`7
z5fbboM)V35KphM?U*XCw76~{kE0HvL{uN2x=`Vaxkeqyqsrx;)5csM3BiO>R=FV;`
z2DKA`qD_l2pw+k{D9F|oy43K4%2x~L0Tq&pPFP-7w`DcVV*GTwV86g=QQT~EMgit|
zy~9i3qhrJq0!g~;8sV?qRT;G8Zup)$1@~D0`HPaN*tC^Xm#J5#<sO24$$5SRdn-IL
z!~r6O`=y_#6A*?uZfhVV2Y2B~C1VC-E$WGZEIE^+@6M<Kqzum1efi^O64j(%=dU{7
z6+45=34uI>*3QGu59zCSQg)7xDZ~1&!h*v3NgURj7s=5LR^#bhZ>9K^Lp{q@ff84C
zS?J(zic-7XYbeJ*w;z14sp)CZC%N^LhnK8aNy5Pi{_tod%^|RRw(?s}bPj5`<&>AU
z2!dU}1mU*DcRW*9wFT%5E!gh1B-r-*-G+j3Ie6GcOKj$_&W0J=FM}YVA$Fz0=w>S5
zsF%^ayMcGB;cs<jqM)7jm)Ak?I;z-f9X0K4IAk`o#q&U;LYHyjE+50-ldYEj9Jls(
z!;8?+T|cL=KI^%t)0l;7OvZO>`TCc@<lfY+h!|=Ax;gixYTFZu_`&UwDy_~nh|mT?
zd2y${I=(c+&Jd?!K&sNanY-N1r!EVF;jUot!?-T9^>1%H^}K?}Rk-Y_)m$LIa38vQ
zDxUJ(-FK%I9pR*@{=O&GOjlT)0TjR5Qt<IHlUNA1&k3S5;g;QaU@9vPMx(_AE6Ql6
zZUg&2<!x_#Bp4r@vWaRi$+F(Ui?quf5uz>>5C<yLrj-72q(F`n%oy)f=Yp{vw(*Yb
zjk&><WjU=hp3H31=HbX_6CJh%Ru@9|9@4#TmY0`5($Uj*!#JwRqX$2pG%YC(SPYuG
zv8azMWLMh|q(O%5s1BQxRvQtq=sw{~MMJ{}xRps4y#jtX>*=Jmq`Fv(KKj$8{CXG`
z|J>>hN@x{_M=zR{$}VQLYtm0GNH7Od(WWotN80(9a)0m@&6|2XIb5h%b%j2iuD0v3
z31!UmY~8`Il^Jfxh6{4f{JQqy_Dr?h$TFjOQ4#Jb*2ss=GEJwhgmJ%@_n6zvH|HSX
z9TTBPoM8gLuZxL_CfMHyLcnO|@UG&spOnN+OFTp}TD_KZ2&~LFDcZ|)nFW72{-cl3
z*gX3@I=>ezsk&(25x>C+Jd=cAQV=i4ANigaf~iqaP^!lX&@X0^lW(5sawYv+x7GM5
zL)M6{M_roq(amk^)u0{Y?D3QcGxem+Qx~9Is(kxc_FU9>GvJrt`>rV>W-3c)ZnQ}l
zTGxIED#fRDVw*4OU+gc+^23ziU74mLE>1vn0%zj;ibW>00D&#iHnWaIPD&8M_o$wa
zxE(QjTNw!Ly&Ih8<WT}D7^Nf}lXpc`#aEH$b$2n2ynZx)i%k7Dk}Q8xr(avrD7p-X
zcf@n*PMIGdrHiVRz`1Q*-0eA9cb6HmzOpGEkiTs?s}?}j03Trmn~Weq!eZz;?~#Z6
zMSa02pdPA-3j?FbI>+U))rOh4tYGes9AVD&Z2R3lh&Q<g<KuHrslbSau}|TW3OIB3
z+}@K)9Y<=EaoZ0}I8^$64RszOFX=rF(^etr-3d*@;#tEQ;90Wg5ld65WXc#H+}zwW
zDAvsnZj=ZLrJ_%_lCU769$3RH%sJ!lDI>r^9p+*#(lZ<=@4a$M%#AiToxdd>m>S%^
zAb=*E`k(irvI#t2&z+qvMH$QGdlsUq(~%>64p)fQKAwHgMlPNC#GR#>t5fx%*Av?U
ze&7RRP1gpQgk0E5AI49+sT}PZKWVDbPt-3i5t6L&7yFo+GJ)M%*2Zf%iU+DkO}{CO
z=6XLP$Hj!X7WH#D>ZR8lJd~P|yvBkUiQ*y*-WT<m5XKEIt$kb%K<sgs@W(aw`T4b&
zYc4Y6a^m;eH+bKF@$^n1`>YbxoIb=TK^QxDk?j1Ub#~c`oLOqP7yRL)J=Bq}M*n1W
zqm_r@(fwg&Bul|i8h>^qrG;=PKVck0jI>6~utjWPxzR(WBL<>|W~@ZeRluttdpsij
z>Tt)XU8p#=09IEbegqIc1D9$a)G;a$U44Y~kf&IbYROq9Y0~5Vvj?_T_qKceZ!_oY
zR2W`T-8=uK91le9%>NUZEQG9Eu$hUfwHFk!HqAs3?bU2%3h^>7(r}~dX=I^y$L6q@
zZn0!6%H&ANELPY$7s=A%QQo#7tYk`9E<e+>=ga9b8>*%xWvYb#yN_ufFv=foIP&e=
zH^11ytu|@u7t9)cCyvPLgmLHw9Y|+~AFBiixymkf!;!svgBc;fxx0WmU1q9qUJKZn
za><-k*_WwVjTzpO#;OVTVo99{C~<~ssNDhWLpa4-ebN=KUj7iq>(m~M_99Zq{Szd>
zLy<_i$4&lMGtVNpBiCUkm2<^eBOE!(6gGs1R%E7^?!=>*nba9w$1TO2B2PE>VHG_!
z-xZD-V$g6fjCY}9kbZ*#yKo}az5U+e!gwytOrrL%f;a@e+~&}{kQnvSPi(JRqyg5I
zaBN36;8Ue4(4~w<Iw88lr%|1__2@bYBoL|6M*1JVJ|?WVh!Fu>%nMNWdLH-&$Rau+
z^~p)!)aa&nuI{H;!1}c)Nr*9@M1F*8j3sBPM`kxalZMZn%zsP7ku*g?CAPMqie!zU
z--_ZBcLe^xq8G=<XV;eLO6+b3c>FgpTl5}Vp70=0uWq9NUZMWiF`q}o9|0*T47M6A
z#xG8hD28JMv8g^R<JhS(Fnr~?ggKsPe%Q=A2%Q#VTGaT?B^!<;-{g=+2r*DPuMUuK
z`WW`JL=a*P%#?uyc~)BlG85`#HwVxU-Fak9sCs}=w;-8RPAh?8RCn*eOmrqm2=8e>
zv$Iy8Yh$M>+wmTsY32pGd3s)(`CtI1>Z*no>N4-ma<M>?Nx`M2uJw{B4j{=EmfszK
zGuifc7f552zGF!rW;ToPe;D`M|LKQzR?pZzJ$&)_Sr$Rrpa%V7ShG;0rM)wkZASa0
zSc(H}SE;dxmwEhs$()T6=Mx9)V#!h;0X;^IO8BJNI+O;7Ds^hFcY5pX)23)CKa&DP
zosK-HKTNR$w;o>_a*qN$cgE6MuCsPYJzD=fSbw`u(`ELKaN_fag<hlBViYo?prELf
zE;vwz2ac)HUb~N=+Qq@)KeyO>UHXkmOCsCDk%vbSg%MJ#_{)TL^`O2X1A9HM^?GJ(
zm04hb9W%}=t<?T$U0t2Q+bnSqOr}Wy4|4a+Gx-r6;pYV+2OFC99(bT#g=`5;?y6F(
zUhL;I{5nPqCJR1y4La8bVq>pw_`N*7Z5Y?Gow8tI42sx^F;HD&#hG=B;NAn4AU(&T
z+f<^v!dY>C@t{uLAbXGgyZ)#P+X3z?x`_lI#$E%Gz0P^v`|p^iXTug8TW_t25f5)K
z9tQgZ9D%<@k))9Z33GB@?vIR&?1B3B?z>)*qPbJmNvsh<oUIYv?ts#ci1Zn4HW0}s
zg?vEr{<W&R&RqDh{f5CESBzyJ(na!7Txd=|zs68`*PaPrgep#Sq>$p0M^LbhDP^>y
z#BPNztaNO!|0jz=!!OJElDy?s4;$dX&HcZ&vldF}NEj?3p)dOR4KcQn;$7Zrakl>0
zY1?3fi$SG83D=&LI=JJ@MF8Z1LmTx_Vnw8fhjC-#lEYY`_~=V880={q|HD^r1Chen
zQ~@-@5nQg{#-<^+dHj>sgKl3E(OL}#!M0|QtzM7aD<7VmN#_xwD@rB06bI&t8G>?b
z>0WNk*;<lBORlVL-1>H43#y0L%A-oaYYj`qg}3rj!lfZLf6VzBYOz7&@+Q?fdUsTm
z@b}OsYAq*mf?kGJ75K|`?TR3#oXNls(ok0^shUi5fXBrk5z`xqG_oG_`s|WGzxDB;
zt!~7_C|8HZQ=S5vt@tjn@o>=qNAk7Kc7}RQPI*Ml92_RvcqQ>28aI8pGrszG)*VFk
z?YKU2VPgb`8tF@t7JWrfx4Wg)eXieWjMJYVbp#2YlWM(=J_P)#w_1CfTdLi&Cwan?
zz|q#Yq-LuF6U!HAiaWsYX_xSy+uh8Z=<h!F<lAs&o$)yN&6gYGxfxX9Qe{RJgk2Ve
zxRZ=T8VjwJzkk`y3!9LF)h*b5>N;~k3_GaVy}a*Eqc+kRR<P*^qbo)|SGbmcz9fE<
zrVa_1dcDZ9$-O62;}B0++pAo#f6_yv=3_!HVRAC2jTVds2LD)(I_ec%a?lIegX6m0
z-?v5N_!pN+9M(@>LBZ#6`JT{erI`hblGkPJ&)Ezu>L$Mx35wl(Rh0M1Z!ZEEo-|ue
z=i}(MsSHvfN?;Dxl(2`~xLrUbDb)aHMlnxveGjzIC2Cu|%&OKLnw>#oU*d&Ao#{_e
zZ1-Cr#?n1x&y5;#{b`6>S(}dDflcW{WEU2F*Dg;@oe!>|Y2|@0i%A!mWZHf#0aNa|
z;h7D)&bi}dFJx4Q56JG^Q9VBP;6AF5vCE&C`SxZ!;l0<)@tv+}=ooQRn-~1hG1&ln
z>Ms1dufYeMJI&(sAt8V9>zxE0ZKy6i4V@p9=<xF1*dzhFhvPOMdBelcKT8fB<aq%l
zyqC+=upkUTtq<2cY?-L%BjS`kGa)5{SQLl|5uJioHrS37MC5+Z{w|#&czt*%HnIQn
zuRU6o2po6^&AZyZp6oy5zY*c+tZJ_tzbxud{XqixKR?`XX-v<|%=FC1PAd;;9FWX$
ztJsAa<7aBMrc^K3_YO~_sEXRL8h0!oc-GNuAdl{!Bp;)M8uxn<nwdw+(SS9z=kTYl
za=~PkUoxlml=<b{DbD8|vKN~pdu`TlB^uq?hy22XPkF_2)G86RW{V28LatD*J`~DC
z({ajU=bk!WNMegzPvcBlb8WYt3IOXG*!xQCvwiuYcHRwWh@faDPNMMF-an_9^%Z-M
zuZ>r^Uq4cK{Nqptc@40v2+G^=c+WM|61-pX`s-^9En<Sxg>9Tz!$cUEJp)j6o3|eW
zdG?(@(qw{aCDjirgph5%{wx?8+u?LgPC{n2{D<5DuYre9{dnyvrV_8MUAADK0^ZE)
zEz03@$#sI^u5|ct4fOg%XdJu}7vBqvjN8TO!9sKhuFGi{)5bQz78FkT<&tLrgSy}F
zaUy)Cp9GM<GD7@5uk`TuwtfTF;qHIWJwql#qYDGo;)h~<ZGq3bkAOH+hgbQMgA!K8
z-x2M+s6-}&uz><Xc5!x_BGvg7bv_MlvJ*(Sowp%kr7C{x9=pZW8*gHj0e3P{#1&P^
zhT#^Zgi8|@{qhWs`|=|P)_t$*f1F6gTESN?XgQm#<xTnStDgh{SH5F=Jd>f`rCGZ5
z^LNdFk~WGz_H_A~?%Uz}LHU~D1QQXfd;R7M_??f{U`^#Yg7sU<QS18ly=+>#G8Ty!
zMAn)w_`dA6(Hfu>U|M~@6*y^+3W!^5iPm>I!%Nmyz0ylE6bY#;iPFR1i<Pg(AZ<gI
zJF)7P#0Eu=KeLgE?3_KpnHw4tY%17xnRY2Q%D=~);)0XL;e3}7*6)LME|B7Lf{~@P
zOY}Awd;@QCL6)(Y*^@qijeY$$K@$M}in5>!QN9yVojcV}k_5T9A@`O4p5S=(e+*Yr
ziEjto6D)b%)p^;jDk+ECIj;;-^)m;1sJN|6BX5{!1doX!nnZ*OIwW;rDqeU%{<(|w
zivmgu2rUkbxm@HG&Zy;Qv8iD|j_H!Ho``=bm+z%>dG2^OXuviQgpi>0v(V+svlELS
zcvNs>qBV!$5nWDYGh=~~Kq`6uUYUJl;Zj$|L086bcprh3(c@|Sld4JU22kAK4`k}U
zq#Fe|xfm$#IuH_yG|HO&SF31Mv3*w<e_2eYVjT+n)fm5-CX9MC6rc$`XD`e377FqG
zp@X`4REFBRqpNAw^lKeguIFpp!;JbY$Dj119(Ty;FNxis-#(&n53KmWD5k#~|A`D1
z(H?9oX2`C_bH(my$MHRAljT;{+~B+aJRFvx;weRsuFlP_O%wj3+om}gjH)z%?!(j$
zD$r%7kOAl&_!tv&qLp0PN8)|$fuW|yYLt0)7TdjIUE2AD4&3+EH^8M1lDc#x$FV2n
z%`8~UTcUr74mc&fG;U-`seGl*@&-yKvaX6q;AH$lglCg?dF?a#_YX?-HRnPVLA%EV
zp;u8ZdfQ_xISEiia%h%aF7da9TL9x{a6vWP2$x^6Ep?@!S42DF?Hj2JLL<=?64GI>
zb$!U?+vMPeSD#!}U03Nnbf5b;@B>b)l^cZ?k*mgzPg!zg)gwOxm3Q89u2^|@V`D=@
zQa)0{7e&eu$;`7av;aBoU&7flQ~0!w1pJqH9X!WB!AftWL8bAwfIR24%BS)o4{W9d
zdu_Y%O!$VAClX$Zh(&vy(wJyU`#k7ZcD4itk0I_oy8PDy-accmeS6C5{o*Bfw!i6I
zL(BD1l!15bu#4Q*a07Wf&f-r+#SS1NrYFW;bJ|!0j9;9d+X6nAx*5Ph+wt&_PS(E!
zSj6<uLO*GWSm6-7A!+KeMTe#w=*?@?oPAal&XzKYo4xQB!dgiGh&PIGVmwXw>;bm}
zZ%(XT=sE{TV)Mzq2;I#<SgDM@E;fHM=VDhIP_>1FmJuR9gartdw=pVEyUWDk65Uz;
zX-;E(h;&8EFz+a+W<yk1&n5#1u&UnWtwc>kaTC~z23#VEgtre>kqdcqM@2;y(Lj5?
zVs)ai0w%scLJy3X-a})lyDTUy-&o(m_?na2w2g5sY4*xsq$xC<!7?pQqnyf+gnup#
z@04aeS$y5lZt<FEjDMK^J!-4w7Y*=#!w_tZUz<1=%QY9I*|`|BJRej*za*kB>Ff${
z1BP?=sK@pdPq8Hd##iW@`ZEE6Ihq}dl{-8K!SJfqjA{A^gKnfB!lGiuE#E=anpcr(
zb{*c7ua!^MtBX|+O3eQez#EwsT}L*!G1B7jZTJWiS~4MCPh?8d%}y(+0b~)I%ZUum
z(RH=e*NRcp!Q>OA4N+LPXGlR4@eNY6;sz}Q<Me;}`t+{FWxan?V+_G6dhSu<0(t#B
zds;gj9XUSQF%yzTgw6{$cJ#xtu(ohzyTb-ilAFHjRwR6&c<HlCfX!kOZX=4`^pX%l
zG{grW!bo4rOZMDbxy*VcO^TUHabkhN;F^ZstF=xYg%Vd}ycj*;@2CERxaEeGSL<27
zzu6>yPnaEvlBl^Kk&+jbgr^=4?$$1>K}6%GX_CV-Dk%NcdmNL~T}Dv+NQsuD88Q)V
z#^39kWB>)Vx=TF(Dco1J>2J;1aJde!3#0S+VfLHQYXns(V#5}^k@+}DM=U{k(?PU*
z()R61Yt<|OP)aAU?OkWYDiq-*$~8*LRt2IZmMqV#gTKSXNlV}8+Se1$R14|N37itS
zB`ae1z0^<G@Dmkfi*$hF1>CjR`wEd+NNP~2&Hra(7Jv?kIc==;mC?qpc8g#(QFFqZ
zb$Erxsy1xJrN&Nm-66dXErmM|fZv?hyQ*2jd~T`xbX@J;`h;~SlIlc~8WQ?ht2@Y(
zSkU*pMSjUyW^|rNL-8<<PUFn6mj1M~p(G&_<MTweBf<v+D-v?@0AZ7n^)#iTHNYRl
zi{%$@HHN>mYDRM};S9$*MH&YU<>iw5gQ;Ec`GE5BK+U<Eq9k{;uB4<9q&V5SN<k~p
zN3<{4=7uiJ=^fqv`+*hsWDzVxO0@y71~wHmyC|8-2+oM611zR2l@EBFKEvwM9N5Uc
z5xF>AV%m&p;=oSX$no&9ii!4+mACVq<5qs`Ds~uN#>~O({VbD`#H&o=?cr#}^GLe6
zv=zOSpnVqWZ#!4ddm4<5XVKBF26a^Wj!PLD&dhEc!$i<N6Aa3`QXHIZ;e=ihxfk?P
zXPDQGuojt8k&`lYz~ea~7Qt-Wcon1T>$DhGWdQA18i<yO%hkii5&o~d`0pvA=*mT%
zewE_rfX?&qNqjZQwVhWcoAXfl#Yo*8R1_cTt;P{JFdEq2lpxvY&&9&)Mc>}{lN&8v
z5oil2%{89!p6m`^4L(f)s13N4SCF^hXn^Q~U!s%UMP>I9l$W$dB0yRGn{c?4x_+I;
zulFM(@_LpK6o-n8M5NK*nxf1))&gjQo36J+I`#s(B%!$&ZvN>Y#rJ50+BF|5QG@#r
zX4RM98KO`^i_q~?qX#YWSkm6x?7hDy%^W>N7!>&~#&qxhqNV-r%nI<@TJBI*yn0QA
zE-uI<)2_6@J%aK`Z5-blJ&SdLa{vjU?~J2~oBg(BDw?-9qW8u(H!vTeYina-8?JG3
z;aNbjk)NNhG+I6F>vW&Yi!?%BytTiDJX?dUDT{$7GT=FpsiH1bXdi2A)^2OpS)KtS
zfs1O%3;}pMw)<*RH6;Qg;hWzORb<>A6uFnn6qUlIXu6MC5|45S{7PfN6*XM(n1RaK
zR;C7h8h>jfl)0Ii!Bvrvleij@5ax~52;~ouV}S|>eZoFr$R<G0(H3Qv`zw744+(GR
z9{{dpA96pYT>wm7TU)~46(kjeIUG{Ytlt=&hgf9R7qA^$#H_X?=ZbXo?Ffw~K-UE1
zAJm=y?O2u4e*u-B1N(-2ZAAcK&aE(M2(K&e2kz%aNX?Gn*pr9B<YL2H10$7bM5lJE
z(=t@js%OqsB2H@D9l8FaHlD;NmZaj4l6F`{LqkJqS(NTgX4vwX;#z78b&4NI;qXRH
zbjfG>GRtR@JeAm6&06t)(TGTmbb74QJvMAv5abidTr-BIp@-)aWn%wS@W!<Qdd`JJ
zTA>-ePqmQ%#Hw>^mZcuFRa@)nhb6AeVRz!_5z<6UR(GkD(gq^J@ABZYhGt5HBQ%*A
zPj*mahYJUs&E-+lz$o)5$P6{Bw2UHkLCo_wM0egO`AKf;vh2>ifsh0#pSq~vvvb;t
zbKGDMGpH#){J=8cl1+tDpp&@@O3hHr^=<RxDZ?;yq~7+ng+>TtT!#o5OEGOiUm?m=
z&}fspk)=vu$ytYGkJxM-IFr;utW&WNu#(*e>N&{@7q_N~rbWk>3huJa_WfRbBo|tg
zyrL6;9b)p$xFW*iY~{8H=JUq9R4g4P3M5=n>AD^*dI<?@FKRbR;4@&5qZR#83~h7Y
z8LJ^cZ%sy)!dTZV(-NQgTl5kkU$X3-#A2Jd%TQjPOPv9_>;4pU<mF1y-zBmMe-4@Y
zK4U9P$o2e@%_!Tcx6`=YdNSDhaCyN{%{)mGDhL!qy<rir90dHLjr`MV%5Q@;{)<fv
zP}yW*;!)Y@b+p*Bbky`p2A1!Phzdh&-#XU)&VtctNjb*&4-rk%r7pI2<UQt`7I9Ia
zQ~ke~IXTtW)6|u^o9RFmiQk@1dG%sWdL2&P>)89ygMdZ0-idq!A8WYWTbxVEa05hZ
z0PkyA^~pORbxbJ%mj#D7R##?^^IjW}_Z|8@!yOo|CEaP%E$V_CEN|!C9|(JRiLl8F
z_;)1^@H_H^57}s{K)`t~YjO*l>O$hln+nR;uR1*Ne5hA!LPw{ClnH0qd=;Fe^J*K>
zQ7e?EuHR?>&O2vGT_jMot8zH^K7*BfmFB2uNBEzlp#(jzDIO*QFtI?Vzy?Qx;!pUI
z3FBp}i4Cux?rDaBF=0aFVQ8Xb(BIE(3wNRArN*4eS|Oi99HcGBFOVrYKS%9;$CO|(
zUS^e8Qm{7_FY0=&o%3V`laoJt|M+bN4kzvl!;~-!iIzdQqy<wyrXlVOm3yni3R6Ce
z?FD#$sO&L;LubDh`0*ipIJojuXe8?d+;?{#IPQQ0T?}zQx!r*j6cLdq8DkLBJY5t!
zxloXhXavu4PCO#(bJb8#Ge)1s(uKTJoENtSqB|s6au)HBP739CU-^#+;%}??wdWsg
z)Z#wlUjffDL88r_>JyxY2$j}i_ZO;b+Bua0dhgI<hqombGQ3gBp(|(un%6Dlq;!w5
zN!Vs|W%I$m9e;OwIqp5Z86+?l3$NRW@t@hTZW_Ti1e6>+^5UsdyENY=ewE~eO681(
zOh8i!g!57J*znPlczp<l?zTP&=LXAtTqP_?Rht*zr|Xj&@6YDA<AY==hWz!LR@Xnp
zOJBHKTAdPmJ>hX!)G8TQpbyV1(^7P5twukQmwDs3zgf>Yqb@1rr<T8I0;o8=_`^MM
zBZKA~(}~tRgldGeS&HSj1>Xly%wc;z_Wkw~>H7ny8i?pOK0A;=IR1CKD?`J>L_o~m
zbf{6SYI*0KY;S=LPt~x-=zNa-!YCUa>{U2fDO;r?0-{KyVedDDg+6R1g({L%kiIRf
z-clL#aF7`E<kTv4p=IR>EgBQ|6(>j-^mZ15AqvYiX{?rX`HfVfW9%LpmU)so{ayk|
zuBFP;YE7$}33WnpK3AB}1|n!bn7$XOBo(aLn041z<vm<n(t#xgA)+!gb6$Nu%1;!H
z?Gma3KOZEi{9Heh4DxXTNJDm!$%|<kZ?VEv9;qxgnDkF5r(HiX$T~0AhP<(a!qFgK
zBFE9iS`s4m(4RJ<M(|`R>S@v-|D}Wq_`i1dFl~{gRR#7j8tFis#Ni+w%_{wa#EWE;
zwFbYbcxBhkkM3U!{IO}{uOye?lD5##+N#f*4sU|e@KZy=89Vk_N|2eZf1Te4h`V<Y
zl`o)22jK6A4Md7R$)$pdNJN9mUo;hm>4t8f@*+?8)i7oLA<qWkNHvN0{ZrC`8WsO>
zSC0}(getJ;)gujUb!Uw4oauQTDGn`@jP1vim%r=V@~hYpobbxKGO7vY=t5THw`%yM
zsERzmnzTJ@pKL?Vh_`ML7{!g)lNc-6V^SyNS-P&TF3Xj*P8H5dMoKEwZd}ogXy(ak
zv5y2>MlfCyADEW1B0PM=Tyi?OG`xkE9C7M8TVFhNkeB`}|HBf^o5JS!B!!~QxOe~Z
zM{zb|=wGGwnCZXRpxOK_dTf`zPtP##G#`xP!?M_)W{>|)7^bd_Wf(+eZv*h4w5gsU
zYCMwHBB`@`kx@|}Z?$w&Tj#Gp2$y513eZ@C*a}aXb=rTHe~nc+!~-X|3EIuN-{nlM
z)j6&3D)ZZ#F)z5c`iJiM$b~(}5Gg_i=u<`aeAedPgrbGqlO~(WdeKCO2qA>QkEN6T
zv_p5cQ&%W4D)_s7SXS9p(6NT<BT<YT>PhSP@Bq>XIw79w!Z{TUZ&Tz}3ou(y>FpOW
z{XVVI9{8Gcz)S3#+Xz`QY4hgJb7@S!W2?X>&6O=|=D}%JV8I(<j({jf*~$a{i-pR~
zwqu1<WNi6lIXMrv_E&cy|KfWbH7O*5w81q5BlrUHt%VwF_x?h?M4{~admHKcbA6oW
zziEF4F*-B5A_oL)i9lNgWuU9XTy?16h{vQ%RF6`0Q5XlX?`e$wQxH06%F6{5?8E3O
zT!LG6wGiZN{2>hbyLsXLPi~atv|*vq=9O)1lXgVj_MzM^tto6!n;7jMx0Fl&Yi$w~
zN%@F>w?2F15`EKbF0`RUsAegyONtuCGuu;(H6~&;W%Y1Zbx|YmGD(149A9fi{{0^U
zSj@H}KNkVJXoV61MR2$F;ZksY$-2S^4B6v|a5$(w5y8+$#F;t&JRp8-M?{P3+9#wd
zRGiQbcX7mF+hFMT6F`WhVc9&KV>Vt+F|GyDBih@;2?@b{!=+~_t3r2+aR;9eOC_qp
zEPCku{F1*U1%?ncO*AAFfW<F;d`Ey#5HMI03VnE6p#E>wm=_eI8vtkCoIimxkRnka
z7@hTb-48Fi7y(d<7>E0pL5V<!wq-DV?8Z=}yFSmORn&jd(R2a-aYfD*5IVt-dHMyh
zDd#XyT>8%o0F>o}9DW5E+qpb~7P-iRS@5jTjeC&xI@3R1?eFjZ%+lb2k5Mu9y|iKP
zi{i>VS>Qeq#0mWw;CJae5)}+qbS}SnHu+B;;mF}uBd#`LCR~>T5O21ZXr6UPMum00
zJQ%Ungv{$G&!uZBTE%axFmloomZ29>L}2<0E7gudA6qszH(44EmU;m=p`L`;_y!bO
z_&Y+nRA<~gc+J(j#2!fpvH`D(I&Mn@af7ch952@0$TUQoX!KviGpDKrpQ8Isn%+!`
zzu$}uHBp8%S=#6aaJ6JchY1uucgcAu_d5}L-o4bFQZKwxCd7`_qo6h_WV@L1*nh`s
z&xAwEC)ARk@~D~I&qS5Z(}LUwHupYMXn#LH9#aumg_wyzO{4?R)2?SQrn=#Tuv`SR
z1Qw|hA)K^NU5}^l&0uHpw0JfP_B_U~Wiz(o=>_p1!9{jp{DY^hDf@H0WC7eSB0i<G
z8vru%Y}i4Jeid&x2Zd^pMgWm;@p5FSy)Z%Y&uZDK%Fg$IR`%p*Y$Yv5mL9Esc2#Ja
zV$Ha9Lr%&2tccGYc-!0Ykxp0ol|U-!d2!sn+(=_s=fwS5RPLUH!gRHub`%NOCA_n^
zUI-pI^5SC{2Fg^qfftblCzgRI*BEEaCvzkYPuX#&RlxmmlYW(q*3SF4N#)0yQ@LNP
zic}{9L|pNQh7TBQt@Z_u(GRX~QnBS1v+xeE0b86PEtspon%TNfq&htB;a#$V^qVnk
z`@<^9qPEk#_Mf>-)f!GuBOYbEhqjmp&sGaQxj*SbZz55DY~ho>@Cp_2k(ay&NcT@i
zum|f$X1Y76G)3gt1*)l=MQcvtE_S3;kmMO#daM*iWaL`81BvhE{hnwf=z&?cz?a3q
zw3RVEmJ^Zk?BZXkS~^|clvJIS?)<q?aRLhIJCxa<ji6bh^oMydqRS@^SuttYV02*z
zs+s3Z0=W?3TYHdp9&T368P8yIaj}9+V%o{wT)3jL%-ulW*JZO;!{+4wjw8+LEThhv
zFu2W8s%5@1nHQe`d-Cm%#C&-3=J{+QL34q~>2D%$n{Smf^#HTv$W>vy9RpLUw=P#(
z@z+O|;0$R7d~`3pPtLr*Yvxt`*MoGZv!>0i)YD4&d~;jgymp;@Z$w1p(qU5jQ&m~B
zL=v@?Xr7L9=gkKb8GE%UZuu&WU|TYuzsX|_Q=&&wk?Ty*gTvq+s(6S~&%P%+OId6v
z0rIPcBPu!8Y7&8LET90RjrByTsP{FQg6!|Ri2Na+f}}@$e8XNwIyD7!#-~m3X0dfQ
zGHdWI3{3r=`DD4SzjW#7ERxW%qAo=vTND4C*}{?E=dyW8rSnIy#d;RwSH9GQSUEYl
zgTV~ru}@{~J?Rl4rjE<C@IilRDB<(41?M-D79}j}IL6ez=un3{CF1xX5UO`$2AitK
zOe&6g`ne)4adwH24Dpkz7FVkle_mG^z+G3O#amaT!&_JS{&{@?^BH}~L!|VYD=urp
zhC64G)KgO|CSy-(pKt>qOQ|>({J^8yPG{Mu%bfeJxiMG0CWIu0{KZwCEvgF?FW+9w
zR?`y$z-WeB(V0Anwt^g9Gf7j0>{*Wd_5?SiZ$qG4DAYLkh8}})G}Fwty!f$vSN{Lt
zjre-{7PYi*49u^zOxf1$1XxHChePHJ;pwM_EKcJl+xR`3Z)3%Ks94OKQsSUHqUc6*
z>fd(AnWUM8BR+AqlN4pT;3B5A(F-p<axMRs-i;4)S7GqNmuZ#eyH*t+6rU*e?z;iw
zvDT7eF4K|34jARI?GjI6NHA~m`!{$%11_5%PutH98-5BpxEGVCp`RxSoF;fdd*2Qh
z7eFN=dG6<*NR%3gH*{y>-b#k$*Hu8KOqZgdt9(?I^r{T_)nGn|?mE#VA&4M!ayj+y
zO>v%lJ~dz_OkCiO*OC3={J7Q3A)&dJrHDyOSE0?8rC6L2^LNKRhw)Rzl6{ZfMhgu{
zs@7%`+q%i7U|FKE1j`F4N-%WfSZKLm#CiD@&hOwLG7#t3x9M&A^NYysO-4d5BtVZ)
z#U^id6(IvtQlkF-A#%)od=Z9JFS4sL67p5(qdw%aha%Km6XH5H7>3>mPV#IEl;q$q
z(q-&g@-h&<t23^6?GV*->7lR#av;+HmoXDYuX@~vz<%B0Nm)QkbCV>Z_MGWnv?%V-
z=)&RrGf@pFL13y1w((n9ikI=FDi&d@C@DP=rOtP6#WKMp3tU?Z8Fh3R(~3tYRql>9
zJBJ<{*ItlT2oZ4=+-%->@w+|@w(F}R;q`iiTW1C$gw`9WR>Q!m;-iunmY<h2zi>7{
zMsQu}*Bcut)qCX1_?K;$h&wvic^pq8o^D$CsAw1;{OF4Tf*^(i$#CjuL+zS{=HV^3
zG!9ShzWu!e<O5WUh`u1bbZrf<6WLlMHn398hyE8cx|I9DYbtVcKjg^Hy}UivlmPhH
zEH1icN5DV)W8?#ZlGH$PO>K(wKIkL7Ys-pD_bMo-5O-M}oJ36H8CP6ZJDk6D^s+<s
zs$deVKPo|)8Kw6sN;c*?LKD5LK=9^QAUckGmK}CpON$;>XQq%lxHh%!oesUyJeb#5
zW`q#Nm8HcT27Skk!3JDZyr)Z+2rAP;f0~sl3rURyk%o%!JgnxJSz`f#rD|13165_I
z9?K=F>S;_=WJt{pAMkewrxi}SUjua<Cln}s_o+q;oHewyIV?DqLyuF`#K}N5+3bPF
zEXe=<n8Gk8rb;P<UFG9+aV7oCpEiFx)EGS{jIY(DKU_Pd))xWl_{~SuwVMXO?RK9&
zWistPS4wH1`fSC}?<>%My?%~~iP52o96I@STwMhe$KKrI>hSVEyTfMCf>Ir?ox8xz
zrYbRre3(hidDEVOKBe5kf={T#A<R>0zG|!)?cJQlt?*2D?Aq#P8D-x<lGwK~=R0}Y
z+5zr`oEM0vrL_CG#LdCc8)}ipjN{c-f8TWWm?##d28Hqmnx6LouK+A<5Fr2Bw_x+p
zupVvm&zq09ov5SuY9eYXN15_(>*h(0&D=lF;#~msKI&%!X?&sokF)+C*!o{#nhEPg
aj13{1xX1-4^7hveoPvysbhV^u=>Gr|kZNTB

diff --git a/application/single_app/static/js/idle-logout-warning.js b/application/single_app/static/js/idle-logout-warning.js
new file mode 100644
index 00000000..afbb9c37
--- /dev/null
+++ b/application/single_app/static/js/idle-logout-warning.js
@@ -0,0 +1,221 @@
+// idle-logout-warning.js
+
+(function () {
+    'use strict';
+
+    const defaultConfig = {
+        enabled: false,
+        timeoutMinutes: 30,
+        warningMinutes: 28,
+        heartbeatUrl: '/api/session/heartbeat',
+        localLogoutUrl: '/logout/local',
+        logoutUrl: '/logout'
+    };
+
+    const mergedConfig = Object.assign({}, defaultConfig, window.idleLogoutConfig || {});
+
+    if (!mergedConfig.enabled) {
+        return;
+    }
+
+    document.addEventListener('DOMContentLoaded', function () {
+        if (typeof bootstrap === 'undefined' || !bootstrap.Modal) {
+            return;
+        }
+
+        const warningModalElement = document.getElementById('idleTimeoutWarningModal');
+        const countdownElement = document.getElementById('idleTimeoutCountdown');
+        const staySignedInButton = document.getElementById('idleStaySignedInButton');
+        const logoutNowButton = document.getElementById('idleLogoutNowButton');
+
+        if (!warningModalElement || !countdownElement || !staySignedInButton || !logoutNowButton) {
+            return;
+        }
+
+        const timeoutMinutes = Number(mergedConfig.timeoutMinutes);
+        const warningMinutes = Number(mergedConfig.warningMinutes);
+
+        if (!Number.isFinite(timeoutMinutes) || timeoutMinutes <= 0) {
+            return;
+        }
+
+        if (!Number.isFinite(warningMinutes) || warningMinutes < 0 || warningMinutes >= timeoutMinutes) {
+            return;
+        }
+
+        const timeoutMs = timeoutMinutes * 60 * 1000;
+        const warningMs = warningMinutes * 60 * 1000;
+        const warningModal = bootstrap.Modal.getOrCreateInstance(warningModalElement);
+
+        let warningTimer = null;
+        let logoutTimer = null;
+        let countdownInterval = null;
+        let logoutDeadlineMs = null;
+        let isRefreshingSession = false;
+        let lastActivityResetAt = 0;
+        let lastServerHeartbeatAt = Date.now();
+
+        const HEARTBEAT_MIN_INTERVAL_MS = 60000;
+
+        const activityEvents = [
+            'mousedown',
+            'mousemove',
+            'keydown',
+            'scroll',
+            'touchstart',
+            'click'
+        ];
+
+        function clearTimers() {
+            if (warningTimer) {
+                clearTimeout(warningTimer);
+                warningTimer = null;
+            }
+
+            if (logoutTimer) {
+                clearTimeout(logoutTimer);
+                logoutTimer = null;
+            }
+        }
+
+        function stopCountdown() {
+            if (countdownInterval) {
+                clearInterval(countdownInterval);
+                countdownInterval = null;
+            }
+        }
+
+        function updateCountdown() {
+            if (!logoutDeadlineMs) {
+                return;
+            }
+
+            const remainingMs = Math.max(0, logoutDeadlineMs - Date.now());
+            const remainingSeconds = Math.ceil(remainingMs / 1000);
+            countdownElement.textContent = String(remainingSeconds);
+        }
+
+        function startCountdown() {
+            stopCountdown();
+            updateCountdown();
+            countdownInterval = setInterval(updateCountdown, 1000);
+        }
+
+        function hideWarningModal() {
+            if (warningModalElement.classList.contains('show')) {
+                warningModal.hide();
+            }
+            stopCountdown();
+        }
+
+        function logoutNow() {
+            clearTimers();
+            stopCountdown();
+            const logoutTarget = mergedConfig.localLogoutUrl || mergedConfig.logoutUrl;
+            window.location.href = logoutTarget;
+        }
+
+        function scheduleIdleTimers() {
+            clearTimers();
+            logoutDeadlineMs = Date.now() + timeoutMs;
+
+            warningTimer = setTimeout(function () {
+                warningModal.show();
+                startCountdown();
+            }, warningMs);
+
+            logoutTimer = setTimeout(logoutNow, timeoutMs);
+        }
+
+        async function refreshServerSession(forceLogoutOnFailure, userInitiated) {
+            if (isRefreshingSession) {
+                return;
+            }
+
+            isRefreshingSession = true;
+            if (userInitiated) {
+                staySignedInButton.disabled = true;
+            }
+
+            try {
+                const response = await fetch(mergedConfig.heartbeatUrl, {
+                    method: 'POST',
+                    credentials: 'same-origin',
+                    headers: {
+                        'Content-Type': 'application/json',
+                        'X-Requested-With': 'XMLHttpRequest'
+                    },
+                    body: '{}'
+                });
+
+                if (!response.ok) {
+                    if (forceLogoutOnFailure) {
+                        logoutNow();
+                    }
+                    return;
+                }
+
+                lastServerHeartbeatAt = Date.now();
+
+                if (userInitiated) {
+                    hideWarningModal();
+                    scheduleIdleTimers();
+                }
+            } catch (error) {
+                console.error('Session heartbeat failed:', error);
+                if (forceLogoutOnFailure) {
+                    logoutNow();
+                }
+            } finally {
+                isRefreshingSession = false;
+                if (userInitiated) {
+                    staySignedInButton.disabled = false;
+                }
+            }
+        }
+
+        staySignedInButton.addEventListener('click', function () {
+            refreshServerSession(true, true);
+        });
+
+        logoutNowButton.addEventListener('click', function () {
+            logoutNow();
+        });
+
+        warningModalElement.addEventListener('hidden.bs.modal', function () {
+            stopCountdown();
+        });
+
+        activityEvents.forEach(function (eventName) {
+            document.addEventListener(eventName, handleUserActivity);
+        });
+
+        document.addEventListener('visibilitychange', function () {
+            if (!document.hidden) {
+                handleUserActivity();
+            }
+        });
+
+        scheduleIdleTimers();
+
+        function handleUserActivity() {
+            const now = Date.now();
+
+            if (now - lastActivityResetAt < 1000) {
+                return;
+            }
+
+            lastActivityResetAt = now;
+
+            if (warningModalElement.classList.contains('show')) {
+                hideWarningModal();
+            }
+
+            scheduleIdleTimers();
+
+            if ((now - lastServerHeartbeatAt) >= HEARTBEAT_MIN_INTERVAL_MS) {
+                refreshServerSession(false, false);
+            }
+        }
+    });
+})();
diff --git a/application/single_app/templates/base.html b/application/single_app/templates/base.html
index fa8d060f..b8b11654 100644
--- a/application/single_app/templates/base.html
+++ b/application/single_app/templates/base.html
@@ -351,12 +351,47 @@
   <script src="{{ url_for('static', filename='js/profile-image.js') }}"></script>
   <!-- Notifications JavaScript (for badge polling on all pages) -->
   <script src="{{ url_for('static', filename='js/notifications.js') }}"></script>
+  {% if session.get('user') %}
+  <script>
+    window.idleLogoutConfig = {
+      enabled: true,
+      timeoutMinutes: {{ idle_timeout_minutes | default(30) | int }},
+      warningMinutes: {{ idle_warning_minutes | default(28) | int }},
+      heartbeatUrl: "{{ url_for('session_heartbeat') }}",
+      localLogoutUrl: "{{ url_for('local_logout') }}",
+      fullSsoLogoutUrl: "{{ url_for('logout') }}"
+    };
+  </script>
+  <script src="{{ url_for('static', filename='js/idle-logout-warning.js') }}"></script>
+  {% endif %}
   <!-- User Agreement JavaScript (for file upload prompts) -->
   {% if app_settings.enable_user_agreement %}
   <script src="{{ url_for('static', filename='js/user-agreement.js') }}"></script>
   {% endif %}
   {% block scripts %}{% endblock %}
 
+  {% if session.get('user') %}
+  <div class="modal fade" id="idleTimeoutWarningModal" tabindex="-1" aria-labelledby="idleTimeoutWarningModalLabel" aria-hidden="false" data-bs-backdrop="static" data-bs-keyboard="false">
+    <div class="modal-dialog modal-dialog-centered">
+      <div class="modal-content">
+        <div class="modal-header bg-primary">
+          <h5 class="modal-title" id="idleTimeoutWarningModalLabel">
+            <i class="bi bi-clock me-2"></i>Session Expiring Soon
+          </h5>
+        </div>
+        <div class="modal-body">
+          <p class="mb-2">You've been inactive for a while.</p>
+          <p class="mb-0">You will be signed out in <strong><span id="idleTimeoutCountdown">60</span> seconds</strong> unless you continue your session.</p>
+        </div>
+        <div class="modal-footer">
+          <button type="button" class="btn btn-outline-secondary" id="idleLogoutNowButton">Logout now</button>
+          <button type="button" class="btn btn-primary" id="idleStaySignedInButton">Stay signed in</button>
+        </div>
+      </div>
+    </div>
+  </div>
+  {% endif %}
+
   <!-- User Agreement Upload Modal (shown before file uploads when enabled) -->
   {% if app_settings.enable_user_agreement %}
   <div class="modal fade" id="userAgreementUploadModal" tabindex="-1" aria-labelledby="userAgreementUploadModalLabel" aria-hidden="true">
diff --git a/functional_tests/test_idle_logout_timeout.py b/functional_tests/test_idle_logout_timeout.py
new file mode 100644
index 00000000..0e265caa
--- /dev/null
+++ b/functional_tests/test_idle_logout_timeout.py
@@ -0,0 +1,179 @@
+#!/usr/bin/env python3
+"""
+Functional test for idle session auto-logout.
+Version: 0.238.026
+Implemented in: 0.238.026
+
+This test ensures that server-side idle timeout enforcement and
+client-side warning/logout wiring are present for a 30-minute inactivity window.
+"""
+
+import os
+import sys
+
+sys.path.append(os.path.dirname(os.path.abspath(__file__)))
+
+
+def _read_file(*path_parts):
+    file_path = os.path.join(
+        os.path.dirname(os.path.abspath(__file__)),
+        "..",
+        *path_parts
+    )
+    with open(file_path, 'r', encoding='utf-8') as file_handle:
+        return file_handle.read()
+
+
+def test_server_idle_timeout_wiring():
+    """Validate idle-timeout and heartbeat backend wiring exists."""
+    print("🔍 Testing server-side idle-timeout wiring...")
+
+    try:
+        app_content = _read_file("application", "single_app", "app.py")
+        config_content = _read_file("application", "single_app", "config.py")
+        auth_route_content = _read_file("application", "single_app", "route_frontend_authentication.py")
+
+        required_app_markers = [
+            "def enforce_idle_session_timeout():",
+            "last_activity_epoch",
+            "IDLE_TIMEOUT_EXEMPT_PATHS",
+            "'/logout/local'",
+            "redirect(url_for('local_logout'))",
+            "@app.route('/api/session/heartbeat', methods=['POST'])",
+            "def session_heartbeat():"
+        ]
+
+        missing_app_markers = [marker for marker in required_app_markers if marker not in app_content]
+        if missing_app_markers:
+            print(f"❌ Missing backend markers in app.py: {missing_app_markers}")
+            return False
+
+        required_config_markers = [
+            "IDLE_TIMEOUT_MINUTES",
+            "IDLE_WARNING_MINUTES",
+            "VERSION = \"0.238.026\""
+        ]
+
+        missing_config_markers = [marker for marker in required_config_markers if marker not in config_content]
+        if missing_config_markers:
+            print(f"❌ Missing config markers: {missing_config_markers}")
+            return False
+
+        required_auth_markers = [
+            "session.pop(\"last_activity_epoch\", None)",
+            "session[\"last_activity_epoch\"] = int(time.time())"
+        ]
+
+        missing_auth_markers = [marker for marker in required_auth_markers if marker not in auth_route_content]
+        if missing_auth_markers:
+            print(f"❌ Missing authentication flow markers: {missing_auth_markers}")
+            return False
+
+        print("✅ Server-side idle-timeout wiring is present")
+        return True
+
+    except Exception as error:
+        print(f"❌ Error testing server-side wiring: {error}")
+        import traceback
+        traceback.print_exc()
+        return False
+
+
+def test_base_template_warning_modal_wiring():
+    """Validate warning modal and JS config are wired in base template."""
+    print("🔍 Testing base template warning modal wiring...")
+
+    try:
+        base_html_content = _read_file("application", "single_app", "templates", "base.html")
+
+        required_markers = [
+            "window.idleLogoutConfig",
+            "idleTimeoutWarningModal",
+            "idleTimeoutCountdown",
+            "idleStaySignedInButton",
+            "idleLogoutNowButton",
+            "js/idle-logout-warning.js",
+            "localLogoutUrl",
+            "fullSsoLogoutUrl",
+            "session_heartbeat"
+        ]
+
+        missing_markers = [marker for marker in required_markers if marker not in base_html_content]
+        if missing_markers:
+            print(f"❌ Missing base template markers: {missing_markers}")
+            return False
+
+        print("✅ Base template warning modal wiring is present")
+        return True
+
+    except Exception as error:
+        print(f"❌ Error testing template wiring: {error}")
+        import traceback
+        traceback.print_exc()
+        return False
+
+
+def test_idle_warning_javascript_wiring():
+    """Validate client-side warning and heartbeat logic markers exist."""
+    print("🔍 Testing idle warning JavaScript wiring...")
+
+    try:
+        js_content = _read_file("application", "single_app", "static", "js", "idle-logout-warning.js")
+
+        required_markers = [
+            "heartbeatUrl",
+            "localLogoutUrl",
+            "warningMinutes",
+            "logoutNow",
+            "scheduleIdleTimers",
+            "idleTimeoutWarningModal",
+            "idleStaySignedInButton",
+            "fetch(mergedConfig.heartbeatUrl",
+            "const logoutTarget = mergedConfig.localLogoutUrl || mergedConfig.logoutUrl",
+            "window.location.href = logoutTarget"
+        ]
+
+        missing_markers = [marker for marker in required_markers if marker not in js_content]
+        if missing_markers:
+            print(f"❌ Missing JavaScript markers: {missing_markers}")
+            return False
+
+        print("✅ Client-side idle warning/logout wiring is present")
+        return True
+
+    except Exception as error:
+        print(f"❌ Error testing JavaScript wiring: {error}")
+        import traceback
+        traceback.print_exc()
+        return False
+
+
+def main():
+    """Run all idle-timeout functional checks."""
+    print("🧪 Running Idle Timeout Functional Tests...\n")
+
+    tests = [
+        test_server_idle_timeout_wiring,
+        test_base_template_warning_modal_wiring,
+        test_idle_warning_javascript_wiring
+    ]
+
+    results = []
+    for test in tests:
+        print(f"\n🧪 Running {test.__name__}...")
+        results.append(test())
+
+    success = all(results)
+    print(f"\n📊 Results: {sum(results)}/{len(results)} tests passed")
+
+    if success:
+        print("✅ All idle-timeout functional tests passed!")
+    else:
+        print("❌ Some idle-timeout functional tests failed.")
+
+    return success
+
+
+if __name__ == "__main__":
+    test_success = main()
+    sys.exit(0 if test_success else 1)

From 765a8470290c8dd45db650ca21742fe51614ecc3 Mon Sep 17 00:00:00 2001
From: Chad Palmer <chadpalmer@gmail.com>
Date: Thu, 5 Mar 2026 20:06:20 +0000
Subject: [PATCH 03/27] feedback-user-timeout - Moved new settings variables to
 app admin setting section.

---
 application/single_app/app.py                 | 38 ++++++++--
 application/single_app/config.py              |  8 +--
 application/single_app/functions_settings.py  |  2 +
 .../route_frontend_admin_settings.py          | 12 ++++
 .../single_app/templates/admin_settings.html  | 22 ++++++
 docs/explanation/release_notes.md             | 11 +++
 functional_tests/test_idle_logout_timeout.py  | 69 ++++++++++++++++---
 7 files changed, 141 insertions(+), 21 deletions(-)

diff --git a/application/single_app/app.py b/application/single_app/app.py
index 3876f63e..e37add91 100644
--- a/application/single_app/app.py
+++ b/application/single_app/app.py
@@ -99,8 +99,6 @@
 app.config['SESSION_TYPE'] = SESSION_TYPE
 app.config['VERSION'] = VERSION
 app.config['SECRET_KEY'] = SECRET_KEY
-app.config['IDLE_TIMEOUT_MINUTES'] = IDLE_TIMEOUT_MINUTES
-app.config['IDLE_WARNING_MINUTES'] = IDLE_WARNING_MINUTES
 
 # Ensure filesystem session directory (when used) points to a writable path inside container.
 if SESSION_TYPE == 'filesystem':
@@ -411,10 +409,37 @@ def check_retention_policy():
     # Unified session setup
     configure_sessions(settings)
 
+
+def get_idle_timeout_settings(settings=None):
+    if settings is None:
+        settings = get_settings() or {}
+
+    timeout_raw = settings.get('idle_timeout_minutes', 30)
+    warning_raw = settings.get('idle_warning_minutes', 28)
+
+    try:
+        timeout_minutes = int(timeout_raw)
+    except (TypeError, ValueError):
+        timeout_minutes = 30
+
+    try:
+        warning_minutes = int(warning_raw)
+    except (TypeError, ValueError):
+        warning_minutes = 28
+
+    timeout_minutes = max(1, timeout_minutes)
+    warning_minutes = max(0, warning_minutes)
+
+    if warning_minutes >= timeout_minutes:
+        warning_minutes = max(0, timeout_minutes - 1)
+
+    return timeout_minutes, warning_minutes
+
 @app.context_processor
 def inject_settings():
     settings = get_settings()
     public_settings = sanitize_settings_for_user(settings)
+    idle_timeout_minutes, idle_warning_minutes = get_idle_timeout_settings(settings)
     # Inject per-user settings if logged in
     user_settings = {}
     try:
@@ -429,8 +454,8 @@ def inject_settings():
     return dict(
         app_settings=public_settings,
         user_settings=user_settings,
-        idle_timeout_minutes=app.config.get('IDLE_TIMEOUT_MINUTES', 30),
-        idle_warning_minutes=app.config.get('IDLE_WARNING_MINUTES', 28)
+        idle_timeout_minutes=idle_timeout_minutes,
+        idle_warning_minutes=idle_warning_minutes
     )
 
 @app.template_filter('to_datetime')
@@ -484,7 +509,7 @@ def enforce_idle_session_timeout():
     if request.method == 'OPTIONS' or _is_idle_timeout_exempt(request.path):
         return None
 
-    idle_timeout_minutes = app.config.get('IDLE_TIMEOUT_MINUTES', 30)
+    idle_timeout_minutes, _ = get_idle_timeout_settings()
     now_epoch = int(time.time())
     last_activity_epoch = session.get('last_activity_epoch')
 
@@ -606,9 +631,10 @@ def acceptable_use_policy():
 def session_heartbeat():
     session['last_activity_epoch'] = int(time.time())
     session.modified = True
+    idle_timeout_minutes, _ = get_idle_timeout_settings()
     return jsonify({
         'message': 'Session refreshed',
-        'idle_timeout_minutes': app.config.get('IDLE_TIMEOUT_MINUTES', 30)
+        'idle_timeout_minutes': idle_timeout_minutes
     }), 200
 
 @app.route('/api/semantic-kernel/plugins')
diff --git a/application/single_app/config.py b/application/single_app/config.py
index 7c01f79d..40d17d3c 100644
--- a/application/single_app/config.py
+++ b/application/single_app/config.py
@@ -94,16 +94,10 @@
 EXECUTOR_TYPE = 'thread'
 EXECUTOR_MAX_WORKERS = 30
 SESSION_TYPE = 'filesystem'
-VERSION = "0.239.002"
+VERSION = "0.239.003"
 
 SECRET_KEY = os.getenv('SECRET_KEY', 'dev-secret-key-change-in-production')
 
-# Session idle timeout configuration (inactivity-based logout)
-IDLE_TIMEOUT_MINUTES = max(1, int(os.getenv('IDLE_TIMEOUT_MINUTES', '30')))
-IDLE_WARNING_MINUTES = max(0, int(os.getenv('IDLE_WARNING_MINUTES', '28')))
-if IDLE_WARNING_MINUTES >= IDLE_TIMEOUT_MINUTES:
-    IDLE_WARNING_MINUTES = max(0, IDLE_TIMEOUT_MINUTES - 1)
-
 # Security Headers Configuration
 SECURITY_HEADERS = {
     'X-Content-Type-Options': 'nosniff',
diff --git a/application/single_app/functions_settings.py b/application/single_app/functions_settings.py
index 8176939d..4dcd4875 100644
--- a/application/single_app/functions_settings.py
+++ b/application/single_app/functions_settings.py
@@ -259,6 +259,8 @@ def get_settings(use_cosmos=False):
         # Other
         'max_file_size_mb': 150,
         'conversation_history_limit': 10,
+        'idle_timeout_minutes': 30,
+        'idle_warning_minutes': 28,
         'default_system_prompt': '',
         'enable_file_processing_logs': True,
         'file_processing_logs_timer_enabled': False,
diff --git a/application/single_app/route_frontend_admin_settings.py b/application/single_app/route_frontend_admin_settings.py
index 578e1545..d0deeaf3 100644
--- a/application/single_app/route_frontend_admin_settings.py
+++ b/application/single_app/route_frontend_admin_settings.py
@@ -288,10 +288,20 @@ def admin_settings():
             form_data = request.form # Use a variable for easier access
             user_id = get_current_user_id()
 
+            def safe_int(raw_value, fallback_value):
+                try:
+                    return int(raw_value)
+                except (TypeError, ValueError):
+                    return fallback_value
+
             # --- Fetch all other form data as before ---
             app_title = form_data.get('app_title', 'AI Chat Application')
             max_file_size_mb = int(form_data.get('max_file_size_mb', 16))
             conversation_history_limit = int(form_data.get('conversation_history_limit', 10))
+            idle_timeout_minutes = max(1, safe_int(form_data.get('idle_timeout_minutes'), settings.get('idle_timeout_minutes', 30)))
+            idle_warning_minutes = max(0, safe_int(form_data.get('idle_warning_minutes'), settings.get('idle_warning_minutes', 28)))
+            if idle_warning_minutes >= idle_timeout_minutes:
+                idle_warning_minutes = max(0, idle_timeout_minutes - 1)
             # ... (fetch all other fields using form_data.get) ...
             enable_video_file_support = form_data.get('enable_video_file_support') == 'on'
             enable_audio_file_support = form_data.get('enable_audio_file_support') == 'on'
@@ -868,6 +878,8 @@ def is_valid_url(url):
                 # Other
                 'max_file_size_mb': max_file_size_mb,
                 'conversation_history_limit': conversation_history_limit,
+                'idle_timeout_minutes': idle_timeout_minutes,
+                'idle_warning_minutes': idle_warning_minutes,
                 'default_system_prompt': form_data.get('default_system_prompt', '').strip(),
 
                 # Video file settings with Azure Video Indexer Settings
diff --git a/application/single_app/templates/admin_settings.html b/application/single_app/templates/admin_settings.html
index 7d01f7da..b77c6b8a 100644
--- a/application/single_app/templates/admin_settings.html
+++ b/application/single_app/templates/admin_settings.html
@@ -1423,6 +1423,28 @@ <h5>
                         <input type="number" class="form-control" id="conversation_history_limit"
                             name="conversation_history_limit" value="{{ settings.conversation_history_limit }}">
                     </div>
+                    <div class="mb-3">
+                        <label for="idle_timeout_minutes" class="form-label">Idle Logout Timeout (Minutes)</label>
+                        <input
+                            type="number"
+                            class="form-control"
+                            id="idle_timeout_minutes"
+                            name="idle_timeout_minutes"
+                            min="1"
+                            value="{{ settings.idle_timeout_minutes | default(30) }}">
+                        <small class="form-text text-muted">Users are logged out locally after this many minutes of inactivity.</small>
+                    </div>
+                    <div class="mb-3">
+                        <label for="idle_warning_minutes" class="form-label">Idle Warning Lead Time (Minutes)</label>
+                        <input
+                            type="number"
+                            class="form-control"
+                            id="idle_warning_minutes"
+                            name="idle_warning_minutes"
+                            min="0"
+                            value="{{ settings.idle_warning_minutes | default(28) }}">
+                        <small class="form-text text-muted">Show the warning modal this many minutes before automatic logout.</small>
+                    </div>
                     <div class="mb-3">
                         <label for="default_system_prompt" class="form-label">Default System Prompt</label>
                         <textarea class="form-control" id="default_system_prompt" name="default_system_prompt"
diff --git a/docs/explanation/release_notes.md b/docs/explanation/release_notes.md
index 8077ff3f..376a76dc 100644
--- a/docs/explanation/release_notes.md
+++ b/docs/explanation/release_notes.md
@@ -2,6 +2,17 @@
 
 # Feature Release
 
+### **(v0.239.003)**
+
+#### New Features
+
+*   **Admin-Managed Idle Session Timeout Settings**
+    *   Added idle session configuration variables to Admin Settings so timeout values are managed in-app and persisted in Cosmos DB.
+    *   Added configurable fields for idle logout timeout and warning lead time in the General > System Settings section.
+    *   Updated runtime enforcement and heartbeat responses to read these values from persisted settings with safe bounds validation.
+    *   Includes version update to align configuration and release metadata.
+    *   (Ref: `application/single_app/functions_settings.py`, `application/single_app/route_frontend_admin_settings.py`, `application/single_app/templates/admin_settings.html`, `application/single_app/app.py`, `application/single_app/config.py`, `functional_tests/test_idle_logout_timeout.py`)
+
 ### **(v0.239.001)**
 
 #### New Features
diff --git a/functional_tests/test_idle_logout_timeout.py b/functional_tests/test_idle_logout_timeout.py
index 0e265caa..55e87131 100644
--- a/functional_tests/test_idle_logout_timeout.py
+++ b/functional_tests/test_idle_logout_timeout.py
@@ -1,11 +1,11 @@
 #!/usr/bin/env python3
 """
 Functional test for idle session auto-logout.
-Version: 0.238.026
-Implemented in: 0.238.026
+Version: 0.239.003
+Implemented in: 0.239.003
 
 This test ensures that server-side idle timeout enforcement and
-client-side warning/logout wiring are present for a 30-minute inactivity window.
+client-side warning/logout wiring are present and sourced from admin settings.
 """
 
 import os
@@ -34,13 +34,17 @@ def test_server_idle_timeout_wiring():
         auth_route_content = _read_file("application", "single_app", "route_frontend_authentication.py")
 
         required_app_markers = [
+            "def get_idle_timeout_settings(settings=None):",
+            "settings.get('idle_timeout_minutes', 30)",
+            "settings.get('idle_warning_minutes', 28)",
             "def enforce_idle_session_timeout():",
             "last_activity_epoch",
             "IDLE_TIMEOUT_EXEMPT_PATHS",
             "'/logout/local'",
             "redirect(url_for('local_logout'))",
             "@app.route('/api/session/heartbeat', methods=['POST'])",
-            "def session_heartbeat():"
+            "def session_heartbeat():",
+            "idle_timeout_minutes, _ = get_idle_timeout_settings()"
         ]
 
         missing_app_markers = [marker for marker in required_app_markers if marker not in app_content]
@@ -49,9 +53,7 @@ def test_server_idle_timeout_wiring():
             return False
 
         required_config_markers = [
-            "IDLE_TIMEOUT_MINUTES",
-            "IDLE_WARNING_MINUTES",
-            "VERSION = \"0.238.026\""
+            "VERSION = \"0.239.003\""
         ]
 
         missing_config_markers = [marker for marker in required_config_markers if marker not in config_content]
@@ -148,6 +150,56 @@ def test_idle_warning_javascript_wiring():
         return False
 
 
+def test_admin_idle_settings_wiring():
+    """Validate admin settings and Cosmos defaults for idle timeout are wired."""
+    print("🔍 Testing admin idle settings wiring...")
+
+    try:
+        settings_content = _read_file("application", "single_app", "functions_settings.py")
+        admin_route_content = _read_file("application", "single_app", "route_frontend_admin_settings.py")
+        admin_template_content = _read_file("application", "single_app", "templates", "admin_settings.html")
+
+        required_settings_markers = [
+            "'idle_timeout_minutes': 30",
+            "'idle_warning_minutes': 28"
+        ]
+        missing_settings_markers = [marker for marker in required_settings_markers if marker not in settings_content]
+        if missing_settings_markers:
+            print(f"❌ Missing settings default markers: {missing_settings_markers}")
+            return False
+
+        required_route_markers = [
+            "form_data.get('idle_timeout_minutes')",
+            "form_data.get('idle_warning_minutes')",
+            "'idle_timeout_minutes': idle_timeout_minutes",
+            "'idle_warning_minutes': idle_warning_minutes"
+        ]
+        missing_route_markers = [marker for marker in required_route_markers if marker not in admin_route_content]
+        if missing_route_markers:
+            print(f"❌ Missing admin route markers: {missing_route_markers}")
+            return False
+
+        required_template_markers = [
+            "id=\"idle_timeout_minutes\"",
+            "name=\"idle_timeout_minutes\"",
+            "id=\"idle_warning_minutes\"",
+            "name=\"idle_warning_minutes\""
+        ]
+        missing_template_markers = [marker for marker in required_template_markers if marker not in admin_template_content]
+        if missing_template_markers:
+            print(f"❌ Missing admin template markers: {missing_template_markers}")
+            return False
+
+        print("✅ Admin idle settings wiring is present")
+        return True
+
+    except Exception as error:
+        print(f"❌ Error testing admin settings wiring: {error}")
+        import traceback
+        traceback.print_exc()
+        return False
+
+
 def main():
     """Run all idle-timeout functional checks."""
     print("🧪 Running Idle Timeout Functional Tests...\n")
@@ -155,7 +207,8 @@ def main():
     tests = [
         test_server_idle_timeout_wiring,
         test_base_template_warning_modal_wiring,
-        test_idle_warning_javascript_wiring
+        test_idle_warning_javascript_wiring,
+        test_admin_idle_settings_wiring
     ]
 
     results = []

From b8c62a191967dfaaf1574b6b22281b3c3778c42e Mon Sep 17 00:00:00 2001
From: Chad Palmer <chadpalmer@gmail.com>
Date: Fri, 6 Mar 2026 16:54:57 +0000
Subject: [PATCH 04/27] feedback-user-timeout - Cleaned up code as per some of
 copilot's suggestions.

---
 application/single_app/app.py                 |  28 +-
 application/single_app/config.py              |   2 +-
 .../route_frontend_authentication.py          |   2 +-
 application/single_app/static/css/chats.css   |   2 +-
 .../static/js/idle-logout-warning.js          |   3 +-
 application/single_app/templates/base.html    |   2 +-
 docs/explanation/release_notes.md             |   2 +-
 functional_tests/test_idle_logout_timeout.py  | 269 ++++++++----------
 8 files changed, 148 insertions(+), 162 deletions(-)

diff --git a/application/single_app/app.py b/application/single_app/app.py
index e37add91..19b42ad8 100644
--- a/application/single_app/app.py
+++ b/application/single_app/app.py
@@ -412,7 +412,7 @@ def check_retention_policy():
 
 def get_idle_timeout_settings(settings=None):
     if settings is None:
-        settings = get_settings() or {}
+        settings = get_request_settings()
 
     timeout_raw = settings.get('idle_timeout_minutes', 30)
     warning_raw = settings.get('idle_warning_minutes', 28)
@@ -435,9 +435,17 @@ def get_idle_timeout_settings(settings=None):
 
     return timeout_minutes, warning_minutes
 
+
+def get_request_settings():
+    request_settings = getattr(g, 'request_settings', None)
+    if request_settings is None:
+        request_settings = get_settings() or {}
+        g.request_settings = request_settings
+    return request_settings
+
 @app.context_processor
 def inject_settings():
-    settings = get_settings()
+    settings = get_request_settings()
     public_settings = sanitize_settings_for_user(settings)
     idle_timeout_minutes, idle_warning_minutes = get_idle_timeout_settings(settings)
     # Inject per-user settings if logged in
@@ -501,6 +509,20 @@ def _is_idle_timeout_exempt(path):
         return True
     return any(path.startswith(prefix) for prefix in IDLE_TIMEOUT_EXEMPT_PREFIXES)
 
+
+@app.before_request
+def load_request_settings_cache():
+    g.request_settings = None
+
+    if request.method == 'OPTIONS' or _is_idle_timeout_exempt(request.path):
+        return None
+
+    if 'user' not in session:
+        return None
+
+    g.request_settings = get_settings() or {}
+    return None
+
 @app.before_request
 def enforce_idle_session_timeout():
     if 'user' not in session:
@@ -631,7 +653,7 @@ def acceptable_use_policy():
 def session_heartbeat():
     session['last_activity_epoch'] = int(time.time())
     session.modified = True
-    idle_timeout_minutes, _ = get_idle_timeout_settings()
+    idle_timeout_minutes, _ = get_idle_timeout_settings(get_request_settings())
     return jsonify({
         'message': 'Session refreshed',
         'idle_timeout_minutes': idle_timeout_minutes
diff --git a/application/single_app/config.py b/application/single_app/config.py
index 40d17d3c..aa991a85 100644
--- a/application/single_app/config.py
+++ b/application/single_app/config.py
@@ -94,7 +94,7 @@
 EXECUTOR_TYPE = 'thread'
 EXECUTOR_MAX_WORKERS = 30
 SESSION_TYPE = 'filesystem'
-VERSION = "0.239.003"
+VERSION = "0.239.006"
 
 SECRET_KEY = os.getenv('SECRET_KEY', 'dev-secret-key-change-in-production')
 
diff --git a/application/single_app/route_frontend_authentication.py b/application/single_app/route_frontend_authentication.py
index c71adc11..c3273ff9 100644
--- a/application/single_app/route_frontend_authentication.py
+++ b/application/single_app/route_frontend_authentication.py
@@ -230,7 +230,7 @@ def local_logout():
         else:
             logout_uri = url_for('index', _external=True, _scheme='https')
 
-        print(f"{user_name} locally logged out. Redirecting to {logout_uri}.")
+        # print(f"{user_name} locally logged out. Redirecting to {logout_uri}.")
         return redirect(logout_uri)
 
     @app.route('/logout')
diff --git a/application/single_app/static/css/chats.css b/application/single_app/static/css/chats.css
index f672b28f..c7f30dfe 100644
--- a/application/single_app/static/css/chats.css
+++ b/application/single_app/static/css/chats.css
@@ -1046,7 +1046,7 @@ a.citation-link:hover {
 .message-content {
   display: flex;
   align-items: flex-end;
-  overflow: auto; /* Preserving higher level visible property while allowing response message scroll if needed */
+  overflow: auto; /* Make message content scrollable when it overflows while minimizing effects elsewhere. */
 }
 
 .message-content.flex-row-reverse {
diff --git a/application/single_app/static/js/idle-logout-warning.js b/application/single_app/static/js/idle-logout-warning.js
index afbb9c37..18e47bb6 100644
--- a/application/single_app/static/js/idle-logout-warning.js
+++ b/application/single_app/static/js/idle-logout-warning.js
@@ -9,6 +9,7 @@
         warningMinutes: 28,
         heartbeatUrl: '/api/session/heartbeat',
         localLogoutUrl: '/logout/local',
+        fullSsoLogoutUrl: '/logout',
         logoutUrl: '/logout'
     };
 
@@ -111,7 +112,7 @@
         function logoutNow() {
             clearTimers();
             stopCountdown();
-            const logoutTarget = mergedConfig.localLogoutUrl || mergedConfig.logoutUrl;
+            const logoutTarget = mergedConfig.localLogoutUrl || mergedConfig.fullSsoLogoutUrl || mergedConfig.logoutUrl;
             window.location.href = logoutTarget;
         }
 
diff --git a/application/single_app/templates/base.html b/application/single_app/templates/base.html
index b8b11654..b7e6dc34 100644
--- a/application/single_app/templates/base.html
+++ b/application/single_app/templates/base.html
@@ -371,7 +371,7 @@
   {% block scripts %}{% endblock %}
 
   {% if session.get('user') %}
-  <div class="modal fade" id="idleTimeoutWarningModal" tabindex="-1" aria-labelledby="idleTimeoutWarningModalLabel" aria-hidden="false" data-bs-backdrop="static" data-bs-keyboard="false">
+  <div class="modal fade" id="idleTimeoutWarningModal" tabindex="-1" aria-labelledby="idleTimeoutWarningModalLabel" aria-hidden="true" data-bs-backdrop="static" data-bs-keyboard="false">
     <div class="modal-dialog modal-dialog-centered">
       <div class="modal-content">
         <div class="modal-header bg-primary">
diff --git a/docs/explanation/release_notes.md b/docs/explanation/release_notes.md
index 376a76dc..49b598e8 100644
--- a/docs/explanation/release_notes.md
+++ b/docs/explanation/release_notes.md
@@ -2,7 +2,7 @@
 
 # Feature Release
 
-### **(v0.239.003)**
+### **(v0.239.005)**
 
 #### New Features
 
diff --git a/functional_tests/test_idle_logout_timeout.py b/functional_tests/test_idle_logout_timeout.py
index 55e87131..1a84bb37 100644
--- a/functional_tests/test_idle_logout_timeout.py
+++ b/functional_tests/test_idle_logout_timeout.py
@@ -1,8 +1,8 @@
 #!/usr/bin/env python3
 """
 Functional test for idle session auto-logout.
-Version: 0.239.003
-Implemented in: 0.239.003
+Version: 0.239.006
+Implemented in: 0.239.006
 
 This test ensures that server-side idle timeout enforcement and
 client-side warning/logout wiring are present and sourced from admin settings.
@@ -10,6 +10,7 @@
 
 import os
 import sys
+import traceback
 
 sys.path.append(os.path.dirname(os.path.abspath(__file__)))
 
@@ -28,176 +29,129 @@ def test_server_idle_timeout_wiring():
     """Validate idle-timeout and heartbeat backend wiring exists."""
     print("🔍 Testing server-side idle-timeout wiring...")
 
-    try:
-        app_content = _read_file("application", "single_app", "app.py")
-        config_content = _read_file("application", "single_app", "config.py")
-        auth_route_content = _read_file("application", "single_app", "route_frontend_authentication.py")
-
-        required_app_markers = [
-            "def get_idle_timeout_settings(settings=None):",
-            "settings.get('idle_timeout_minutes', 30)",
-            "settings.get('idle_warning_minutes', 28)",
-            "def enforce_idle_session_timeout():",
-            "last_activity_epoch",
-            "IDLE_TIMEOUT_EXEMPT_PATHS",
-            "'/logout/local'",
-            "redirect(url_for('local_logout'))",
-            "@app.route('/api/session/heartbeat', methods=['POST'])",
-            "def session_heartbeat():",
-            "idle_timeout_minutes, _ = get_idle_timeout_settings()"
-        ]
-
-        missing_app_markers = [marker for marker in required_app_markers if marker not in app_content]
-        if missing_app_markers:
-            print(f"❌ Missing backend markers in app.py: {missing_app_markers}")
-            return False
-
-        required_config_markers = [
-            "VERSION = \"0.239.003\""
-        ]
-
-        missing_config_markers = [marker for marker in required_config_markers if marker not in config_content]
-        if missing_config_markers:
-            print(f"❌ Missing config markers: {missing_config_markers}")
-            return False
-
-        required_auth_markers = [
-            "session.pop(\"last_activity_epoch\", None)",
-            "session[\"last_activity_epoch\"] = int(time.time())"
-        ]
-
-        missing_auth_markers = [marker for marker in required_auth_markers if marker not in auth_route_content]
-        if missing_auth_markers:
-            print(f"❌ Missing authentication flow markers: {missing_auth_markers}")
-            return False
-
-        print("✅ Server-side idle-timeout wiring is present")
-        return True
-
-    except Exception as error:
-        print(f"❌ Error testing server-side wiring: {error}")
-        import traceback
-        traceback.print_exc()
-        return False
+    app_content = _read_file("application", "single_app", "app.py")
+    config_content = _read_file("application", "single_app", "config.py")
+    auth_route_content = _read_file("application", "single_app", "route_frontend_authentication.py")
+
+    required_app_markers = [
+        "def get_idle_timeout_settings(settings=None):",
+        "settings.get('idle_timeout_minutes', 30)",
+        "settings.get('idle_warning_minutes', 28)",
+        "def enforce_idle_session_timeout():",
+        "last_activity_epoch",
+        "IDLE_TIMEOUT_EXEMPT_PATHS",
+        "'/logout/local'",
+        "redirect(url_for('local_logout'))",
+        "@app.route('/api/session/heartbeat', methods=['POST'])",
+        "def session_heartbeat():",
+        "idle_timeout_minutes, _ = get_idle_timeout_settings()"
+    ]
+
+    missing_app_markers = [marker for marker in required_app_markers if marker not in app_content]
+    assert not missing_app_markers, f"Missing backend markers in app.py: {missing_app_markers}"
+
+    required_config_markers = [
+        "VERSION = \"0.239.006\""
+    ]
+
+    missing_config_markers = [marker for marker in required_config_markers if marker not in config_content]
+    assert not missing_config_markers, f"Missing config markers: {missing_config_markers}"
+
+    required_auth_markers = [
+        "session.pop(\"last_activity_epoch\", None)",
+        "session[\"last_activity_epoch\"] = int(time.time())"
+    ]
+
+    missing_auth_markers = [marker for marker in required_auth_markers if marker not in auth_route_content]
+    assert not missing_auth_markers, f"Missing authentication flow markers: {missing_auth_markers}"
+
+    print("✅ Server-side idle-timeout wiring is present")
 
 
 def test_base_template_warning_modal_wiring():
     """Validate warning modal and JS config are wired in base template."""
     print("🔍 Testing base template warning modal wiring...")
 
-    try:
-        base_html_content = _read_file("application", "single_app", "templates", "base.html")
-
-        required_markers = [
-            "window.idleLogoutConfig",
-            "idleTimeoutWarningModal",
-            "idleTimeoutCountdown",
-            "idleStaySignedInButton",
-            "idleLogoutNowButton",
-            "js/idle-logout-warning.js",
-            "localLogoutUrl",
-            "fullSsoLogoutUrl",
-            "session_heartbeat"
-        ]
-
-        missing_markers = [marker for marker in required_markers if marker not in base_html_content]
-        if missing_markers:
-            print(f"❌ Missing base template markers: {missing_markers}")
-            return False
+    base_html_content = _read_file("application", "single_app", "templates", "base.html")
+
+    required_markers = [
+        "window.idleLogoutConfig",
+        "idleTimeoutWarningModal",
+        "idleTimeoutCountdown",
+        "idleStaySignedInButton",
+        "idleLogoutNowButton",
+        "js/idle-logout-warning.js",
+        "localLogoutUrl",
+        "fullSsoLogoutUrl",
+        "session_heartbeat"
+    ]
 
-        print("✅ Base template warning modal wiring is present")
-        return True
+    missing_markers = [marker for marker in required_markers if marker not in base_html_content]
+    assert not missing_markers, f"Missing base template markers: {missing_markers}"
 
-    except Exception as error:
-        print(f"❌ Error testing template wiring: {error}")
-        import traceback
-        traceback.print_exc()
-        return False
+    print("✅ Base template warning modal wiring is present")
 
 
 def test_idle_warning_javascript_wiring():
     """Validate client-side warning and heartbeat logic markers exist."""
     print("🔍 Testing idle warning JavaScript wiring...")
 
-    try:
-        js_content = _read_file("application", "single_app", "static", "js", "idle-logout-warning.js")
-
-        required_markers = [
-            "heartbeatUrl",
-            "localLogoutUrl",
-            "warningMinutes",
-            "logoutNow",
-            "scheduleIdleTimers",
-            "idleTimeoutWarningModal",
-            "idleStaySignedInButton",
-            "fetch(mergedConfig.heartbeatUrl",
-            "const logoutTarget = mergedConfig.localLogoutUrl || mergedConfig.logoutUrl",
-            "window.location.href = logoutTarget"
-        ]
-
-        missing_markers = [marker for marker in required_markers if marker not in js_content]
-        if missing_markers:
-            print(f"❌ Missing JavaScript markers: {missing_markers}")
-            return False
-
-        print("✅ Client-side idle warning/logout wiring is present")
-        return True
-
-    except Exception as error:
-        print(f"❌ Error testing JavaScript wiring: {error}")
-        import traceback
-        traceback.print_exc()
-        return False
+    js_content = _read_file("application", "single_app", "static", "js", "idle-logout-warning.js")
+
+    required_markers = [
+        "heartbeatUrl",
+        "localLogoutUrl",
+        "fullSsoLogoutUrl",
+        "warningMinutes",
+        "logoutNow",
+        "scheduleIdleTimers",
+        "idleTimeoutWarningModal",
+        "idleStaySignedInButton",
+        "fetch(mergedConfig.heartbeatUrl",
+        "const logoutTarget = mergedConfig.localLogoutUrl || mergedConfig.fullSsoLogoutUrl || mergedConfig.logoutUrl",
+        "window.location.href = logoutTarget"
+    ]
+
+    missing_markers = [marker for marker in required_markers if marker not in js_content]
+    assert not missing_markers, f"Missing JavaScript markers: {missing_markers}"
+
+    print("✅ Client-side idle warning/logout wiring is present")
 
 
 def test_admin_idle_settings_wiring():
     """Validate admin settings and Cosmos defaults for idle timeout are wired."""
     print("🔍 Testing admin idle settings wiring...")
 
-    try:
-        settings_content = _read_file("application", "single_app", "functions_settings.py")
-        admin_route_content = _read_file("application", "single_app", "route_frontend_admin_settings.py")
-        admin_template_content = _read_file("application", "single_app", "templates", "admin_settings.html")
-
-        required_settings_markers = [
-            "'idle_timeout_minutes': 30",
-            "'idle_warning_minutes': 28"
-        ]
-        missing_settings_markers = [marker for marker in required_settings_markers if marker not in settings_content]
-        if missing_settings_markers:
-            print(f"❌ Missing settings default markers: {missing_settings_markers}")
-            return False
-
-        required_route_markers = [
-            "form_data.get('idle_timeout_minutes')",
-            "form_data.get('idle_warning_minutes')",
-            "'idle_timeout_minutes': idle_timeout_minutes",
-            "'idle_warning_minutes': idle_warning_minutes"
-        ]
-        missing_route_markers = [marker for marker in required_route_markers if marker not in admin_route_content]
-        if missing_route_markers:
-            print(f"❌ Missing admin route markers: {missing_route_markers}")
-            return False
-
-        required_template_markers = [
-            "id=\"idle_timeout_minutes\"",
-            "name=\"idle_timeout_minutes\"",
-            "id=\"idle_warning_minutes\"",
-            "name=\"idle_warning_minutes\""
-        ]
-        missing_template_markers = [marker for marker in required_template_markers if marker not in admin_template_content]
-        if missing_template_markers:
-            print(f"❌ Missing admin template markers: {missing_template_markers}")
-            return False
-
-        print("✅ Admin idle settings wiring is present")
-        return True
-
-    except Exception as error:
-        print(f"❌ Error testing admin settings wiring: {error}")
-        import traceback
-        traceback.print_exc()
-        return False
+    settings_content = _read_file("application", "single_app", "functions_settings.py")
+    admin_route_content = _read_file("application", "single_app", "route_frontend_admin_settings.py")
+    admin_template_content = _read_file("application", "single_app", "templates", "admin_settings.html")
+
+    required_settings_markers = [
+        "'idle_timeout_minutes': 30",
+        "'idle_warning_minutes': 28"
+    ]
+    missing_settings_markers = [marker for marker in required_settings_markers if marker not in settings_content]
+    assert not missing_settings_markers, f"Missing settings default markers: {missing_settings_markers}"
+
+    required_route_markers = [
+        "form_data.get('idle_timeout_minutes')",
+        "form_data.get('idle_warning_minutes')",
+        "'idle_timeout_minutes': idle_timeout_minutes",
+        "'idle_warning_minutes': idle_warning_minutes"
+    ]
+    missing_route_markers = [marker for marker in required_route_markers if marker not in admin_route_content]
+    assert not missing_route_markers, f"Missing admin route markers: {missing_route_markers}"
+
+    required_template_markers = [
+        "id=\"idle_timeout_minutes\"",
+        "name=\"idle_timeout_minutes\"",
+        "id=\"idle_warning_minutes\"",
+        "name=\"idle_warning_minutes\""
+    ]
+    missing_template_markers = [marker for marker in required_template_markers if marker not in admin_template_content]
+    assert not missing_template_markers, f"Missing admin template markers: {missing_template_markers}"
+
+    print("✅ Admin idle settings wiring is present")
 
 
 def main():
@@ -214,7 +168,16 @@ def main():
     results = []
     for test in tests:
         print(f"\n🧪 Running {test.__name__}...")
-        results.append(test())
+        try:
+            test()
+            results.append(True)
+        except AssertionError as error:
+            print(f"❌ {test.__name__} failed: {error}")
+            results.append(False)
+        except Exception as error:
+            print(f"❌ {test.__name__} error: {error}")
+            traceback.print_exc()
+            results.append(False)
 
     success = all(results)
     print(f"\n📊 Results: {sum(results)}/{len(results)} tests passed")

From 8f692f99bbf8606aa72b7415a675e6cccd957413 Mon Sep 17 00:00:00 2001
From: Chad Palmer <chadpalmer@gmail.com>
Date: Fri, 6 Mar 2026 21:14:36 +0000
Subject: [PATCH 05/27] feedback-user-timeout - Added admin settings toggle to
 allow turning on/off and fixed some bugs.

---
 application/single_app/app.py                 | 22 +++++++-
 application/single_app/config.py              |  2 +-
 application/single_app/functions_settings.py  |  1 +
 .../route_frontend_admin_settings.py          |  2 +
 .../static/js/admin/admin_settings.js         | 10 ++++
 .../single_app/templates/admin_settings.html  | 52 ++++++++++++-------
 application/single_app/templates/base.html    |  2 +-
 docs/explanation/release_notes.md             | 30 +++++++++++
 functional_tests/test_idle_logout_timeout.py  | 17 ++++--
 9 files changed, 112 insertions(+), 26 deletions(-)

diff --git a/application/single_app/app.py b/application/single_app/app.py
index 19b42ad8..840c0cfe 100644
--- a/application/single_app/app.py
+++ b/application/single_app/app.py
@@ -436,6 +436,18 @@ def get_idle_timeout_settings(settings=None):
     return timeout_minutes, warning_minutes
 
 
+def is_idle_timeout_enabled(settings=None):
+    if settings is None:
+        settings = get_request_settings()
+
+    enabled_raw = settings.get('enable_idle_timeout', True)
+
+    if isinstance(enabled_raw, str):
+        return enabled_raw.strip().lower() in ('1', 'true', 'yes', 'on')
+
+    return bool(enabled_raw)
+
+
 def get_request_settings():
     request_settings = getattr(g, 'request_settings', None)
     if request_settings is None:
@@ -447,6 +459,7 @@ def get_request_settings():
 def inject_settings():
     settings = get_request_settings()
     public_settings = sanitize_settings_for_user(settings)
+    idle_timeout_enabled = is_idle_timeout_enabled(settings)
     idle_timeout_minutes, idle_warning_minutes = get_idle_timeout_settings(settings)
     # Inject per-user settings if logged in
     user_settings = {}
@@ -462,6 +475,7 @@ def inject_settings():
     return dict(
         app_settings=public_settings,
         user_settings=user_settings,
+        idle_timeout_enabled=idle_timeout_enabled,
         idle_timeout_minutes=idle_timeout_minutes,
         idle_warning_minutes=idle_warning_minutes
     )
@@ -531,8 +545,14 @@ def enforce_idle_session_timeout():
     if request.method == 'OPTIONS' or _is_idle_timeout_exempt(request.path):
         return None
 
-    idle_timeout_minutes, _ = get_idle_timeout_settings()
     now_epoch = int(time.time())
+    request_settings = get_request_settings()
+    if not is_idle_timeout_enabled(request_settings):
+        session['last_activity_epoch'] = now_epoch
+        session.modified = True
+        return None
+
+    idle_timeout_minutes, _ = get_idle_timeout_settings(request_settings)
     last_activity_epoch = session.get('last_activity_epoch')
 
     if last_activity_epoch is not None:
diff --git a/application/single_app/config.py b/application/single_app/config.py
index aa991a85..b3cca7b9 100644
--- a/application/single_app/config.py
+++ b/application/single_app/config.py
@@ -94,7 +94,7 @@
 EXECUTOR_TYPE = 'thread'
 EXECUTOR_MAX_WORKERS = 30
 SESSION_TYPE = 'filesystem'
-VERSION = "0.239.006"
+VERSION = "0.239.008"
 
 SECRET_KEY = os.getenv('SECRET_KEY', 'dev-secret-key-change-in-production')
 
diff --git a/application/single_app/functions_settings.py b/application/single_app/functions_settings.py
index 4dcd4875..d87eed40 100644
--- a/application/single_app/functions_settings.py
+++ b/application/single_app/functions_settings.py
@@ -259,6 +259,7 @@ def get_settings(use_cosmos=False):
         # Other
         'max_file_size_mb': 150,
         'conversation_history_limit': 10,
+        'enable_idle_timeout': True,
         'idle_timeout_minutes': 30,
         'idle_warning_minutes': 28,
         'default_system_prompt': '',
diff --git a/application/single_app/route_frontend_admin_settings.py b/application/single_app/route_frontend_admin_settings.py
index d0deeaf3..76611d02 100644
--- a/application/single_app/route_frontend_admin_settings.py
+++ b/application/single_app/route_frontend_admin_settings.py
@@ -298,6 +298,7 @@ def safe_int(raw_value, fallback_value):
             app_title = form_data.get('app_title', 'AI Chat Application')
             max_file_size_mb = int(form_data.get('max_file_size_mb', 16))
             conversation_history_limit = int(form_data.get('conversation_history_limit', 10))
+            enable_idle_timeout = form_data.get('enable_idle_timeout') == 'on'
             idle_timeout_minutes = max(1, safe_int(form_data.get('idle_timeout_minutes'), settings.get('idle_timeout_minutes', 30)))
             idle_warning_minutes = max(0, safe_int(form_data.get('idle_warning_minutes'), settings.get('idle_warning_minutes', 28)))
             if idle_warning_minutes >= idle_timeout_minutes:
@@ -878,6 +879,7 @@ def is_valid_url(url):
                 # Other
                 'max_file_size_mb': max_file_size_mb,
                 'conversation_history_limit': conversation_history_limit,
+                'enable_idle_timeout': enable_idle_timeout,
                 'idle_timeout_minutes': idle_timeout_minutes,
                 'idle_warning_minutes': idle_warning_minutes,
                 'default_system_prompt': form_data.get('default_system_prompt', '').strip(),
diff --git a/application/single_app/static/js/admin/admin_settings.js b/application/single_app/static/js/admin/admin_settings.js
index 85719128..a547ba48 100644
--- a/application/single_app/static/js/admin/admin_settings.js
+++ b/application/single_app/static/js/admin/admin_settings.js
@@ -1538,6 +1538,16 @@ function setupToggles() {
         });
     }
 
+    const enableIdleTimeoutToggle = document.getElementById('enable_idle_timeout');
+    const idleTimeoutSettingsDiv = document.getElementById('idle_timeout_settings');
+    if (enableIdleTimeoutToggle && idleTimeoutSettingsDiv) {
+        idleTimeoutSettingsDiv.classList.toggle('d-none', !enableIdleTimeoutToggle.checked);
+        enableIdleTimeoutToggle.addEventListener('change', function () {
+            idleTimeoutSettingsDiv.classList.toggle('d-none', !this.checked);
+            markFormAsModified();
+        });
+    }
+
     const enableEnhancedCitation = document.getElementById('enable_enhanced_citations');
     if (enableEnhancedCitation) {
         toggleEnhancedCitation(enableEnhancedCitation.checked);
diff --git a/application/single_app/templates/admin_settings.html b/application/single_app/templates/admin_settings.html
index b77c6b8a..04bd2f6e 100644
--- a/application/single_app/templates/admin_settings.html
+++ b/application/single_app/templates/admin_settings.html
@@ -1423,27 +1423,41 @@ <h5>
                         <input type="number" class="form-control" id="conversation_history_limit"
                             name="conversation_history_limit" value="{{ settings.conversation_history_limit }}">
                     </div>
-                    <div class="mb-3">
-                        <label for="idle_timeout_minutes" class="form-label">Idle Logout Timeout (Minutes)</label>
+                    <div class="form-check form-switch mb-3">
                         <input
-                            type="number"
-                            class="form-control"
-                            id="idle_timeout_minutes"
-                            name="idle_timeout_minutes"
-                            min="1"
-                            value="{{ settings.idle_timeout_minutes | default(30) }}">
-                        <small class="form-text text-muted">Users are logged out locally after this many minutes of inactivity.</small>
+                            type="checkbox"
+                            class="form-check-input"
+                            id="enable_idle_timeout"
+                            name="enable_idle_timeout"
+                            {% if settings.enable_idle_timeout is not defined or settings.enable_idle_timeout %}checked{% endif %}>
+                        <label class="form-check-label ms-2" for="enable_idle_timeout">
+                            Enable Idle Session Timeout and Warning
+                        </label>
+                        <i class="bi bi-info-circle ms-2" data-bs-toggle="tooltip" title="When enabled, inactive users receive a warning and are automatically logged out after the configured timeout."></i>
                     </div>
-                    <div class="mb-3">
-                        <label for="idle_warning_minutes" class="form-label">Idle Warning Lead Time (Minutes)</label>
-                        <input
-                            type="number"
-                            class="form-control"
-                            id="idle_warning_minutes"
-                            name="idle_warning_minutes"
-                            min="0"
-                            value="{{ settings.idle_warning_minutes | default(28) }}">
-                        <small class="form-text text-muted">Show the warning modal this many minutes before automatic logout.</small>
+                    <div id="idle_timeout_settings" class="{% if settings.enable_idle_timeout is defined and not settings.enable_idle_timeout %}d-none{% endif %}">
+                        <div class="mb-3">
+                            <label for="idle_timeout_minutes" class="form-label">Idle Logout Timeout (Minutes)</label>
+                            <input
+                                type="number"
+                                class="form-control"
+                                id="idle_timeout_minutes"
+                                name="idle_timeout_minutes"
+                                min="1"
+                                value="{{ settings.idle_timeout_minutes | default(30) }}">
+                            <small class="form-text text-muted">Users are logged out locally after this many minutes of inactivity.</small>
+                        </div>
+                        <div class="mb-3">
+                            <label for="idle_warning_minutes" class="form-label">Idle Warning Time (Minutes)</label>
+                            <input
+                                type="number"
+                                class="form-control"
+                                id="idle_warning_minutes"
+                                name="idle_warning_minutes"
+                                min="0"
+                                value="{{ settings.idle_warning_minutes | default(28) }}">
+                            <small class="form-text text-muted">Show the warning modal after this many minutes of inactivity. (Countdown starts from this time)</small>
+                        </div>
                     </div>
                     <div class="mb-3">
                         <label for="default_system_prompt" class="form-label">Default System Prompt</label>
diff --git a/application/single_app/templates/base.html b/application/single_app/templates/base.html
index b7e6dc34..e419d8c5 100644
--- a/application/single_app/templates/base.html
+++ b/application/single_app/templates/base.html
@@ -354,7 +354,7 @@
   {% if session.get('user') %}
   <script>
     window.idleLogoutConfig = {
-      enabled: true,
+      enabled: {{ idle_timeout_enabled | default(true) | tojson }},
       timeoutMinutes: {{ idle_timeout_minutes | default(30) | int }},
       warningMinutes: {{ idle_warning_minutes | default(28) | int }},
       heartbeatUrl: "{{ url_for('session_heartbeat') }}",
diff --git a/docs/explanation/release_notes.md b/docs/explanation/release_notes.md
index 49b598e8..5b30ae21 100644
--- a/docs/explanation/release_notes.md
+++ b/docs/explanation/release_notes.md
@@ -2,6 +2,36 @@
 
 # Feature Release
 
+### **(v0.239.008)**
+
+#### Bug Fixes
+
+*   **Idle Timeout Re-Enable Immediate Logout Fix**
+    *   Fixed an issue where users could be logged out immediately after an admin re-enabled idle timeout.
+    *   **Root Cause**: While idle timeout was disabled, `last_activity_epoch` was not refreshed on requests, allowing stale inactivity duration to accumulate.
+    *   **Fix**: Requests now refresh `last_activity_epoch` even when timeout enforcement is disabled, so re-enabling the feature starts from current activity instead of stale idle time.
+    *   Updated functional test version markers to reflect the fix release.
+    *   (Ref: `application/single_app/app.py`, `application/single_app/config.py`, `functional_tests/test_idle_logout_timeout.py`)
+
+### **(v0.239.007)**
+
+#### New Features
+
+*   **Idle Timeout Feature Toggle in Admin Settings**
+    *   Added a new admin switch to enable or disable idle session timeout and warning behavior without changing environment variables.
+    *   Timeout and warning inputs are now grouped under a toggleable section in General > System Settings.
+    *   Server-side timeout enforcement now respects the toggle so inactivity auto-logout can be centrally turned on or off.
+    *   Frontend idle warning script now reads the server-provided enabled flag instead of using a hardcoded value.
+    *   (Ref: `application/single_app/templates/admin_settings.html`, `application/single_app/static/js/admin/admin_settings.js`, `application/single_app/route_frontend_admin_settings.py`, `application/single_app/functions_settings.py`, `application/single_app/app.py`, `application/single_app/templates/base.html`)
+
+#### Bug Fixes
+
+*   **Idle Logout Config Key Alignment**
+    *   Resolved config drift between template and client script by explicitly supporting `fullSsoLogoutUrl` while retaining backward compatibility with legacy `logoutUrl`.
+    *   Logout target resolution now uses `localLogoutUrl` first, then `fullSsoLogoutUrl`, then `logoutUrl`.
+    *   Updated functional test markers to validate the new key precedence and runtime wiring.
+    *   (Ref: `application/single_app/static/js/idle-logout-warning.js`, `application/single_app/templates/base.html`, `functional_tests/test_idle_logout_timeout.py`)
+
 ### **(v0.239.005)**
 
 #### New Features
diff --git a/functional_tests/test_idle_logout_timeout.py b/functional_tests/test_idle_logout_timeout.py
index 1a84bb37..948ea1fe 100644
--- a/functional_tests/test_idle_logout_timeout.py
+++ b/functional_tests/test_idle_logout_timeout.py
@@ -1,8 +1,8 @@
 #!/usr/bin/env python3
 """
 Functional test for idle session auto-logout.
-Version: 0.239.006
-Implemented in: 0.239.006
+Version: 0.239.008
+Implemented in: 0.239.008
 
 This test ensures that server-side idle timeout enforcement and
 client-side warning/logout wiring are present and sourced from admin settings.
@@ -35,23 +35,25 @@ def test_server_idle_timeout_wiring():
 
     required_app_markers = [
         "def get_idle_timeout_settings(settings=None):",
+        "def is_idle_timeout_enabled(settings=None):",
         "settings.get('idle_timeout_minutes', 30)",
         "settings.get('idle_warning_minutes', 28)",
         "def enforce_idle_session_timeout():",
+        "if not is_idle_timeout_enabled(request_settings):",
         "last_activity_epoch",
         "IDLE_TIMEOUT_EXEMPT_PATHS",
         "'/logout/local'",
         "redirect(url_for('local_logout'))",
         "@app.route('/api/session/heartbeat', methods=['POST'])",
         "def session_heartbeat():",
-        "idle_timeout_minutes, _ = get_idle_timeout_settings()"
+        "idle_timeout_minutes, _ = get_idle_timeout_settings(request_settings)"
     ]
 
     missing_app_markers = [marker for marker in required_app_markers if marker not in app_content]
     assert not missing_app_markers, f"Missing backend markers in app.py: {missing_app_markers}"
 
     required_config_markers = [
-        "VERSION = \"0.239.006\""
+        "VERSION = \"0.239.008\""
     ]
 
     missing_config_markers = [marker for marker in required_config_markers if marker not in config_content]
@@ -83,6 +85,7 @@ def test_base_template_warning_modal_wiring():
         "js/idle-logout-warning.js",
         "localLogoutUrl",
         "fullSsoLogoutUrl",
+        "enabled: {{ idle_timeout_enabled | default(true) | tojson }}",
         "session_heartbeat"
     ]
 
@@ -127,6 +130,7 @@ def test_admin_idle_settings_wiring():
     admin_template_content = _read_file("application", "single_app", "templates", "admin_settings.html")
 
     required_settings_markers = [
+        "'enable_idle_timeout': True",
         "'idle_timeout_minutes': 30",
         "'idle_warning_minutes': 28"
     ]
@@ -134,8 +138,10 @@ def test_admin_idle_settings_wiring():
     assert not missing_settings_markers, f"Missing settings default markers: {missing_settings_markers}"
 
     required_route_markers = [
+        "form_data.get('enable_idle_timeout')",
         "form_data.get('idle_timeout_minutes')",
         "form_data.get('idle_warning_minutes')",
+        "'enable_idle_timeout': enable_idle_timeout",
         "'idle_timeout_minutes': idle_timeout_minutes",
         "'idle_warning_minutes': idle_warning_minutes"
     ]
@@ -143,6 +149,9 @@ def test_admin_idle_settings_wiring():
     assert not missing_route_markers, f"Missing admin route markers: {missing_route_markers}"
 
     required_template_markers = [
+        "id=\"enable_idle_timeout\"",
+        "name=\"enable_idle_timeout\"",
+        "id=\"idle_timeout_settings\"",
         "id=\"idle_timeout_minutes\"",
         "name=\"idle_timeout_minutes\"",
         "id=\"idle_warning_minutes\"",

From 7fd6a0af6fce0aea96a94ca277c946a6a333b2bc Mon Sep 17 00:00:00 2001
From: Chad Palmer <chadpalmer@gmail.com>
Date: Tue, 10 Mar 2026 22:19:30 +0000
Subject: [PATCH 06/27] feedback-user-timeout - Added logging and method
 comments.

---
 application/single_app/app.py                 | 227 +++++++++++++++++-
 application/single_app/config.py              |   4 +-
 application/single_app/functions_settings.py  |  75 +++++-
 .../route_frontend_admin_settings.py          |  29 ++-
 .../route_frontend_authentication.py          |  11 +
 docs/explanation/release_notes.md             |  28 +++
 functional_tests/test_idle_logout_timeout.py  |  10 +-
 7 files changed, 366 insertions(+), 18 deletions(-)

diff --git a/application/single_app/app.py b/application/single_app/app.py
index 840c0cfe..28acb60b 100644
--- a/application/single_app/app.py
+++ b/application/single_app/app.py
@@ -411,6 +411,19 @@ def check_retention_policy():
 
 
 def get_idle_timeout_settings(settings=None):
+    """
+    Resolve and normalize idle timeout settings used for warning and logout enforcement.
+
+    Args:
+        settings (dict, optional): Settings dictionary to use. If None, uses request-scoped settings.
+
+    Returns:
+        tuple[int, int]: A tuple of (idle_timeout_minutes, idle_warning_minutes)
+                         after parsing, fallback handling, and boundary normalization.
+
+    Raises:
+        None: Invalid values are handled via fallback defaults and warning logs.
+    """
     if settings is None:
         settings = get_request_settings()
 
@@ -421,22 +434,85 @@ def get_idle_timeout_settings(settings=None):
         timeout_minutes = int(timeout_raw)
     except (TypeError, ValueError):
         timeout_minutes = 30
+        log_event(
+            "Invalid idle timeout value detected; using default.",
+            extra={
+                "setting": "idle_timeout_minutes",
+                "raw_value": str(timeout_raw),
+                "fallback_value": 30
+            },
+            level=logging.WARNING
+        )
 
     try:
         warning_minutes = int(warning_raw)
     except (TypeError, ValueError):
         warning_minutes = 28
+        log_event(
+            "Invalid idle warning value detected; using default.",
+            extra={
+                "setting": "idle_warning_minutes",
+                "raw_value": str(warning_raw),
+                "fallback_value": 28
+            },
+            level=logging.WARNING
+        )
+
+    normalized_timeout = max(1, timeout_minutes)
+    if normalized_timeout != timeout_minutes:
+        log_event(
+            "Idle timeout value normalized to minimum allowed value.",
+            extra={
+                "setting": "idle_timeout_minutes",
+                "original_value": timeout_minutes,
+                "normalized_value": normalized_timeout
+            },
+            level=logging.WARNING
+        )
+    timeout_minutes = normalized_timeout
 
-    timeout_minutes = max(1, timeout_minutes)
-    warning_minutes = max(0, warning_minutes)
+    normalized_warning = max(0, warning_minutes)
+    if normalized_warning != warning_minutes:
+        log_event(
+            "Idle warning value normalized to minimum allowed value.",
+            extra={
+                "setting": "idle_warning_minutes",
+                "original_value": warning_minutes,
+                "normalized_value": normalized_warning
+            },
+            level=logging.WARNING
+        )
+    warning_minutes = normalized_warning
 
     if warning_minutes >= timeout_minutes:
+        previous_warning_minutes = warning_minutes
         warning_minutes = max(0, timeout_minutes - 1)
+        log_event(
+            "Idle warning value adjusted to remain below idle timeout.",
+            extra={
+                "idle_timeout_minutes": timeout_minutes,
+                "original_idle_warning_minutes": previous_warning_minutes,
+                "adjusted_idle_warning_minutes": warning_minutes
+            },
+            level=logging.WARNING
+        )
 
     return timeout_minutes, warning_minutes
 
 
 def is_idle_timeout_enabled(settings=None):
+    """
+    Determine whether idle-timeout enforcement is enabled.
+
+    Args:
+        settings (dict, optional): Settings dictionary to use. If None, uses request-scoped settings.
+
+    Returns:
+        bool: True when idle-timeout enforcement should run; otherwise False.
+
+    Raises:
+        None: Unexpected values are coerced to boolean-compatible behavior.
+    """
     if settings is None:
         settings = get_request_settings()
 
@@ -448,11 +524,89 @@ def is_idle_timeout_enabled(settings=None):
     return bool(enabled_raw)
 
 
+settings_source_counters = {}
+settings_source_counters_lock = threading.Lock()
+
+
+def record_request_settings_source(source):
+    """
+    Record and log the source used to resolve request settings.
+
+    Args:
+        source (str): Settings source label (for example: cache, cosmos_fallback, cosmos_forced).
+
+    Returns:
+        None: Updates in-memory counters and request context diagnostics.
+
+    Raises:
+        None: Counter updates and diagnostics are handled internally.
+    """
+    normalized_source = source or 'unknown'
+    with settings_source_counters_lock:
+        settings_source_counters[normalized_source] = settings_source_counters.get(normalized_source, 0) + 1
+        cache_hits = settings_source_counters.get('cache', 0)
+        cosmos_fallback_hits = settings_source_counters.get('cosmos_fallback', 0)
+        cosmos_forced_hits = settings_source_counters.get('cosmos_forced', 0)
+        unknown_hits = settings_source_counters.get('unknown', 0)
+
+    g.request_settings_source = normalized_source
+    debug_print(
+        f"[SETTINGS SOURCE] path={request.path} source={normalized_source}",
+        category="SETTINGS",
+        cache_hits=cache_hits,
+        cosmos_fallback_hits=cosmos_fallback_hits,
+        cosmos_forced_hits=cosmos_forced_hits,
+        unknown_hits=unknown_hits
+    )
+
+    if normalized_source != 'cache':
+        log_event(
+            "Request settings source is non-cache.",
+            extra={
+                "path": request.path,
+                "settings_source": normalized_source,
+                "cache_hits": cache_hits,
+                "cosmos_fallback_hits": cosmos_fallback_hits,
+                "cosmos_forced_hits": cosmos_forced_hits,
+                "unknown_hits": unknown_hits
+            },
+            level=logging.WARNING
+        )
+
+
 def get_request_settings():
+    """
+    Get request-scoped settings, resolving and caching them when needed.
+
+    Args:
+        None
+
+    Returns:
+        dict: Request settings dictionary cached on Flask `g` for the current request.
+
+    Raises:
+        None: Unexpected resolver response shapes are logged and handled with safe fallbacks.
+    """
     request_settings = getattr(g, 'request_settings', None)
     if request_settings is None:
-        request_settings = get_settings() or {}
+        settings_result = get_settings(include_source=True)
+        if isinstance(settings_result, tuple) and len(settings_result) == 2:
+            request_settings, settings_source = settings_result
+        else:
+            request_settings = settings_result
+            settings_source = 'unknown'
+            log_event(
+                "Unexpected settings response shape in get_request_settings.",
+                extra={
+                    "path": request.path,
+                    "response_type": type(settings_result).__name__
+                },
+                level=logging.WARNING
+            )
+
+        request_settings = request_settings or {}
         g.request_settings = request_settings
+        record_request_settings_source(settings_source)
     return request_settings
 
 @app.context_processor
@@ -519,6 +673,18 @@ def reload_kernel_if_needed():
 )
 
 def _is_idle_timeout_exempt(path):
+    """
+    Check whether a request path is exempt from idle-timeout processing.
+
+    Args:
+        path (str): Request path to evaluate.
+
+    Returns:
+        bool: True if the path is exempt from idle-timeout checks; otherwise False.
+
+    Raises:
+        None
+    """
     if path in IDLE_TIMEOUT_EXEMPT_PATHS:
         return True
     return any(path.startswith(prefix) for prefix in IDLE_TIMEOUT_EXEMPT_PREFIXES)
@@ -526,7 +692,20 @@ def _is_idle_timeout_exempt(path):
 
 @app.before_request
 def load_request_settings_cache():
+    """
+    Preload request-scoped settings for authenticated, non-exempt requests.
+
+    Args:
+        None
+
+    Returns:
+        None: Always returns None to continue Flask request processing.
+
+    Raises:
+        None: Unexpected settings resolver shapes are logged and converted to safe fallbacks.
+    """
     g.request_settings = None
+    g.request_settings_source = None
 
     if request.method == 'OPTIONS' or _is_idle_timeout_exempt(request.path):
         return None
@@ -534,11 +713,39 @@ def load_request_settings_cache():
     if 'user' not in session:
         return None
 
-    g.request_settings = get_settings() or {}
+    settings_result = get_settings(include_source=True)
+    if isinstance(settings_result, tuple) and len(settings_result) == 2:
+        request_settings, settings_source = settings_result
+    else:
+        request_settings = settings_result
+        settings_source = 'unknown'
+        log_event(
+            "Unexpected settings response shape in load_request_settings_cache.",
+            extra={
+                "path": request.path,
+                "response_type": type(settings_result).__name__
+            },
+            level=logging.WARNING
+        )
+
+    g.request_settings = request_settings or {}
+    record_request_settings_source(settings_source)
     return None
 
 @app.before_request
 def enforce_idle_session_timeout():
+    """
+    Enforce server-side idle session timeout for authenticated requests.
+
+    Args:
+        None
+
+    Returns:
+        Response | None: A redirect/401 response when timeout is exceeded; otherwise None.
+
+    Raises:
+        None: Runtime issues in timeout evaluation are logged and request processing continues safely.
+    """
     if 'user' not in session:
         return None
 
@@ -671,6 +878,18 @@ def acceptable_use_policy():
 @swagger_route(security=get_auth_security())
 @login_required
 def session_heartbeat():
+    """
+    Refresh the authenticated session activity timestamp used by idle-timeout enforcement.
+
+    Args:
+        None
+
+    Returns:
+        tuple[Response, int]: JSON response containing refresh confirmation and timeout metadata.
+
+    Raises:
+        None
+    """
     session['last_activity_epoch'] = int(time.time())
     session.modified = True
     idle_timeout_minutes, _ = get_idle_timeout_settings(get_request_settings())
diff --git a/application/single_app/config.py b/application/single_app/config.py
index b3cca7b9..86d05764 100644
--- a/application/single_app/config.py
+++ b/application/single_app/config.py
@@ -94,7 +94,7 @@
 EXECUTOR_TYPE = 'thread'
 EXECUTOR_MAX_WORKERS = 30
 SESSION_TYPE = 'filesystem'
-VERSION = "0.239.008"
+VERSION = "0.239.013"
 
 SECRET_KEY = os.getenv('SECRET_KEY', 'dev-secret-key-change-in-production')
 
@@ -559,7 +559,7 @@ def ensure_custom_favicon_file_exists(app, settings):
     except (base64.binascii.Error, TypeError, OSError) as ex: # Catch specific errors
         print(f"Failed to write/overwrite {favicon_filename}: {ex}")
     except Exception as ex: # Catch any other unexpected errors
-         print(f"Unexpected error during favicon file write for {favicon_filename}: {ex}")
+        print(f"Unexpected error during favicon file write for {favicon_filename}: {ex}")
 
 def initialize_clients(settings):
     """
diff --git a/application/single_app/functions_settings.py b/application/single_app/functions_settings.py
index d87eed40..4513e461 100644
--- a/application/single_app/functions_settings.py
+++ b/application/single_app/functions_settings.py
@@ -5,7 +5,7 @@
 import app_settings_cache
 import inspect
 
-def get_settings(use_cosmos=False):
+def get_settings(use_cosmos=False, include_source=False):
     import secrets
     default_settings = {
         # External health check
@@ -326,6 +326,11 @@ def get_settings(use_cosmos=False):
         'default_retention_document_public': 'none',
     }
 
+    def _format_result(settings_payload, source):
+        if include_source:
+            return settings_payload, source
+        return settings_payload
+
     try:
         # Attempt to read the existing doc
         if use_cosmos:
@@ -333,17 +338,35 @@ def get_settings(use_cosmos=False):
                 item="app_settings",
                 partition_key="app_settings"
             )
+            settings_source = "cosmos_forced"
+            log_event(
+                "App settings loaded from Cosmos DB (forced).",
+                extra={
+                    "settings_source": settings_source,
+                    "use_cosmos": True
+                },
+                level=logging.INFO
+            )
         else:
             settings_item = None
+            settings_source = "cache"
 
             cache_accessor = getattr(app_settings_cache, "get_settings_cache", None)
             if callable(cache_accessor):
                 try:
                     settings_item = cache_accessor()
-                except Exception:
+                except Exception as cache_error:
                     settings_item = None
+                    log_event(
+                        "Error reading app settings from cache accessor.",
+                        extra={
+                            "error": str(cache_error)
+                        },
+                        level=logging.WARNING
+                    )
 
             if not settings_item:
+                settings_source = "cosmos_fallback"
                 settings_item = cosmos_settings_container.read_item(
                     item="app_settings",
                     partition_key="app_settings"
@@ -361,11 +384,28 @@ def get_settings(use_cosmos=False):
                         "Warning: Failed to get settings from cache, read from Cosmos DB instead. "
                         f"Called from {caller_file}:{caller_line} in {caller_func}()."
                     )
+                    log_event(
+                        "App settings cache miss. Falling back to Cosmos DB.",
+                        extra={
+                            "settings_source": settings_source,
+                            "caller_file": caller_file,
+                            "caller_line": caller_line,
+                            "caller_func": caller_func
+                        },
+                        level=logging.WARNING
+                    )
                 else:
                     print(
                         "Warning: Failed to get settings from cache, "
                         "read from Cosmos DB instead. (no caller frame)"
                     )
+                    log_event(
+                        "App settings cache miss. Falling back to Cosmos DB (no caller frame).",
+                        extra={
+                            "settings_source": settings_source
+                        },
+                        level=logging.WARNING
+                    )
         #print("Successfully retrieved settings from Cosmos DB.")
 
         # Merge default_settings in, to fill in any missing or nested keys
@@ -375,19 +415,42 @@ def get_settings(use_cosmos=False):
         if merged != settings_item:
             cosmos_settings_container.upsert_item(merged)
             print("App Settings had missing keys and was updated in Cosmos DB.")
-            return merged
+            log_event(
+                "App settings missing keys were merged and persisted to Cosmos DB.",
+                extra={
+                    "settings_source": settings_source
+                },
+                level=logging.INFO
+            )
+            return _format_result(merged, settings_source)
         else:
             # If merged is unchanged, no new keys needed
-            return merged
+            return _format_result(merged, settings_source)
 
     except CosmosResourceNotFoundError:
         cosmos_settings_container.create_item(body=default_settings)
         print("Default settings created in Cosmos and returned.")
-        return default_settings
+        log_event(
+            "App settings document not found. Default settings created in Cosmos DB.",
+            extra={
+                "settings_source": "cosmos_default_created"
+            },
+            level=logging.WARNING
+        )
+        return _format_result(default_settings, "cosmos_default_created")
 
     except Exception as e:
         print(f"Error retrieving settings: {str(e)}")
-        return None
+        log_event(
+            "Error retrieving app settings.",
+            extra={
+                "error": str(e),
+                "use_cosmos": use_cosmos
+            },
+            level=logging.ERROR,
+            exceptionTraceback=True
+        )
+        return _format_result(None, "error")
 
 def update_settings(new_settings):
     try:
diff --git a/application/single_app/route_frontend_admin_settings.py b/application/single_app/route_frontend_admin_settings.py
index 76611d02..454d5337 100644
--- a/application/single_app/route_frontend_admin_settings.py
+++ b/application/single_app/route_frontend_admin_settings.py
@@ -288,10 +288,33 @@ def admin_settings():
             form_data = request.form # Use a variable for easier access
             user_id = get_current_user_id()
 
-            def safe_int(raw_value, fallback_value):
+            def safe_int(raw_value, fallback_value, field_name="unknown"):
+                """
+                Safely convert an admin form value to an integer with fallback handling.
+
+                Args:
+                    raw_value (object): The submitted form value to parse.
+                    fallback_value (int): The value to use when parsing fails.
+                    field_name (str): The admin settings field name being parsed.
+
+                Returns:
+                    int: The parsed integer value or the fallback value when invalid.
+                Raises:
+                    None.
+                """
                 try:
                     return int(raw_value)
                 except (TypeError, ValueError):
+                    log_event(
+                        "Invalid admin settings integer input detected; using fallback value.",
+                        extra={
+                            "field": field_name,
+                            "raw_value": str(raw_value),
+                            "fallback_value": fallback_value,
+                            "user_id": user_id
+                        },
+                        level=logging.WARNING
+                    )
                     return fallback_value
 
             # --- Fetch all other form data as before ---
@@ -299,8 +322,8 @@ def safe_int(raw_value, fallback_value):
             max_file_size_mb = int(form_data.get('max_file_size_mb', 16))
             conversation_history_limit = int(form_data.get('conversation_history_limit', 10))
             enable_idle_timeout = form_data.get('enable_idle_timeout') == 'on'
-            idle_timeout_minutes = max(1, safe_int(form_data.get('idle_timeout_minutes'), settings.get('idle_timeout_minutes', 30)))
-            idle_warning_minutes = max(0, safe_int(form_data.get('idle_warning_minutes'), settings.get('idle_warning_minutes', 28)))
+            idle_timeout_minutes = max(1, safe_int(form_data.get('idle_timeout_minutes'), settings.get('idle_timeout_minutes', 30), 'idle_timeout_minutes'))
+            idle_warning_minutes = max(0, safe_int(form_data.get('idle_warning_minutes'), settings.get('idle_warning_minutes', 28), 'idle_warning_minutes'))
             if idle_warning_minutes >= idle_timeout_minutes:
                 idle_warning_minutes = max(0, idle_timeout_minutes - 1)
             # ... (fetch all other fields using form_data.get) ...
diff --git a/application/single_app/route_frontend_authentication.py b/application/single_app/route_frontend_authentication.py
index c3273ff9..9ce29959 100644
--- a/application/single_app/route_frontend_authentication.py
+++ b/application/single_app/route_frontend_authentication.py
@@ -212,6 +212,17 @@ def authorized_api():
     @app.route('/logout/local')
     @swagger_route(security=get_auth_security())
     def local_logout():
+        """
+        Clear the local Flask session and redirect to the configured home destination.
+
+        Args:
+            None.
+
+        Returns:
+            Response: A redirect response to the local or Front Door home URL.
+        Raises:
+            None.
+        """
         user_name = session.get("user", {}).get("name", "User")
         session.clear()
 
diff --git a/docs/explanation/release_notes.md b/docs/explanation/release_notes.md
index 5b30ae21..5bc6d07c 100644
--- a/docs/explanation/release_notes.md
+++ b/docs/explanation/release_notes.md
@@ -2,6 +2,34 @@
 
 # Feature Release
 
+### **(v0.239.013)**
+
+#### Bug Fixes
+
+*   **Idle Timeout Route Documentation Standardization**
+    *   Added method comments/docstrings to new idle timeout methods for clearer maintenance and handoff.
+    *   (Ref: `application/single_app/app.py`, `application/single_app/route_frontend_admin_settings.py`, `application/single_app/route_frontend_authentication.py`, `application/single_app/config.py`, `functional_tests/test_idle_logout_timeout.py`)
+
+### **(v0.239.011)**
+
+#### Bug Fixes
+
+*   **Idle Timeout Input Validation Logging Enhancements**
+    *   Added structured `log_event` telemetry for idle-timeout parsing and normalization in runtime settings resolution, including fallback defaults and warning/timeout boundary adjustments.
+    *   Added structured `log_event` telemetry to admin settings integer parsing (`safe_int`) so invalid submitted values are captured with field context and fallback values.
+    *   Improves diagnostics and traceability for misconfigured timeout values without changing existing idle-timeout behavior.
+    *   (Ref: `application/single_app/app.py`, `application/single_app/route_frontend_admin_settings.py`, `application/single_app/config.py`, `functional_tests/test_idle_logout_timeout.py`)
+
+### **(v0.239.009)**
+
+#### Bug Fixes
+
+*   **Settings Cache Source Diagnostics for Request Path**
+    *   Added source-aware settings retrieval diagnostics to confirm whether request settings were served from app settings cache or required Cosmos DB fallback.
+    *   Added per-request source capture and thread-safe counters in the idle-timeout settings path to improve troubleshooting of cache behavior.
+    *   Updated functional test markers and version metadata to validate the new diagnostics wiring.
+    *   (Ref: `application/single_app/functions_settings.py`, `application/single_app/app.py`, `application/single_app/config.py`, `functional_tests/test_idle_logout_timeout.py`)
+
 ### **(v0.239.008)**
 
 #### Bug Fixes
diff --git a/functional_tests/test_idle_logout_timeout.py b/functional_tests/test_idle_logout_timeout.py
index 948ea1fe..de7d13af 100644
--- a/functional_tests/test_idle_logout_timeout.py
+++ b/functional_tests/test_idle_logout_timeout.py
@@ -1,8 +1,8 @@
 #!/usr/bin/env python3
 """
 Functional test for idle session auto-logout.
-Version: 0.239.008
-Implemented in: 0.239.008
+Version: 0.239.013
+Implemented in: 0.239.013
 
 This test ensures that server-side idle timeout enforcement and
 client-side warning/logout wiring are present and sourced from admin settings.
@@ -36,6 +36,10 @@ def test_server_idle_timeout_wiring():
     required_app_markers = [
         "def get_idle_timeout_settings(settings=None):",
         "def is_idle_timeout_enabled(settings=None):",
+        "settings_source_counters = {}",
+        "def record_request_settings_source(source):",
+        "get_settings(include_source=True)",
+        "record_request_settings_source(settings_source)",
         "settings.get('idle_timeout_minutes', 30)",
         "settings.get('idle_warning_minutes', 28)",
         "def enforce_idle_session_timeout():",
@@ -53,7 +57,7 @@ def test_server_idle_timeout_wiring():
     assert not missing_app_markers, f"Missing backend markers in app.py: {missing_app_markers}"
 
     required_config_markers = [
-        "VERSION = \"0.239.008\""
+        "VERSION = \"0.239.013\""
     ]
 
     missing_config_markers = [marker for marker in required_config_markers if marker not in config_content]

From 0519999c6be10f0000462e090e15380375a2dbc3 Mon Sep 17 00:00:00 2001
From: Chad Palmer <chadpalmer@gmail.com>
Date: Wed, 11 Mar 2026 23:00:39 +0000
Subject: [PATCH 07/27] feedback-user-timeout - Updated/cleaned up release
 notes and added minor bug fix.

---
 application/single_app/config.py              |   2 +-
 application/single_app/functions_settings.py  |   5 +-
 .../route_frontend_authentication.py          |   2 -
 .../SETTINGS_DEEP_MERGE_PERSISTENCE_FIX.md    |  52 +++++++++
 docs/explanation/release_notes.md             |  83 +++-----------
 functional_tests/test_idle_logout_timeout.py  |   6 +-
 ...est_settings_deep_merge_persistence_fix.py | 101 ++++++++++++++++++
 7 files changed, 177 insertions(+), 74 deletions(-)
 create mode 100644 docs/explanation/fixes/SETTINGS_DEEP_MERGE_PERSISTENCE_FIX.md
 create mode 100644 functional_tests/test_settings_deep_merge_persistence_fix.py

diff --git a/application/single_app/config.py b/application/single_app/config.py
index ae530dbc..c8232bfa 100644
--- a/application/single_app/config.py
+++ b/application/single_app/config.py
@@ -94,7 +94,7 @@
 EXECUTOR_TYPE = 'thread'
 EXECUTOR_MAX_WORKERS = 30
 SESSION_TYPE = 'filesystem'
-VERSION = "0.239.005"
+VERSION = "0.239.006"
 
 SECRET_KEY = os.getenv('SECRET_KEY', 'dev-secret-key-change-in-production')
 
diff --git a/application/single_app/functions_settings.py b/application/single_app/functions_settings.py
index 4513e461..69d3de89 100644
--- a/application/single_app/functions_settings.py
+++ b/application/single_app/functions_settings.py
@@ -4,6 +4,7 @@
 from functions_appinsights import log_event
 import app_settings_cache
 import inspect
+import copy
 
 def get_settings(use_cosmos=False, include_source=False):
     import secrets
@@ -408,11 +409,13 @@ def _format_result(settings_payload, source):
                     )
         #print("Successfully retrieved settings from Cosmos DB.")
 
+        original_settings_item = copy.deepcopy(settings_item)
+
         # Merge default_settings in, to fill in any missing or nested keys
         merged = deep_merge_dicts(default_settings, settings_item)
 
         # If merging added anything new, upsert back to Cosmos so future reads remain up to date
-        if merged != settings_item:
+        if merged != original_settings_item:
             cosmos_settings_container.upsert_item(merged)
             print("App Settings had missing keys and was updated in Cosmos DB.")
             log_event(
diff --git a/application/single_app/route_frontend_authentication.py b/application/single_app/route_frontend_authentication.py
index 9ce29959..a60f7734 100644
--- a/application/single_app/route_frontend_authentication.py
+++ b/application/single_app/route_frontend_authentication.py
@@ -223,7 +223,6 @@ def local_logout():
         Raises:
             None.
         """
-        user_name = session.get("user", {}).get("name", "User")
         session.clear()
 
         from functions_settings import get_settings
@@ -241,7 +240,6 @@ def local_logout():
         else:
             logout_uri = url_for('index', _external=True, _scheme='https')
 
-        # print(f"{user_name} locally logged out. Redirecting to {logout_uri}.")
         return redirect(logout_uri)
 
     @app.route('/logout')
diff --git a/docs/explanation/fixes/SETTINGS_DEEP_MERGE_PERSISTENCE_FIX.md b/docs/explanation/fixes/SETTINGS_DEEP_MERGE_PERSISTENCE_FIX.md
new file mode 100644
index 00000000..a0181ef5
--- /dev/null
+++ b/docs/explanation/fixes/SETTINGS_DEEP_MERGE_PERSISTENCE_FIX.md
@@ -0,0 +1,52 @@
+# SETTINGS DEEP MERGE PERSISTENCE FIX
+
+## Overview
+
+- **Issue**: App settings default-key merge changes were not being persisted back to Cosmos DB.
+- **Root Cause**: `deep_merge_dicts(default_settings, settings_item)` mutates `settings_item` in place, and `get_settings()` compared `merged` against the same mutated object, so `merged != settings_item` evaluated false.
+- **Fixed/Implemented in version: `0.239.006`**
+- **Related version update**: `application/single_app/config.py` updated to `VERSION = "0.239.006"`.
+
+## Technical Details
+
+### Files Modified
+
+- `application/single_app/functions_settings.py`
+- `application/single_app/config.py`
+- `functional_tests/test_settings_deep_merge_persistence_fix.py`
+
+### Code Changes Summary
+
+- Added `import copy` in `functions_settings.py`.
+- Captured a pre-merge snapshot with `original_settings_item = copy.deepcopy(settings_item)`.
+- Updated change detection to compare `merged` against `original_settings_item`.
+- Preserved existing merge behavior and upsert/logging flow.
+
+### Testing Approach
+
+- Added functional regression test: `functional_tests/test_settings_deep_merge_persistence_fix.py`.
+- Test validates marker-based wiring for:
+  - deep-copy snapshot creation,
+  - comparison against pre-merge state,
+  - Cosmos upsert path availability,
+  - version alignment in `config.py`.
+
+### Impact Analysis
+
+- Restores intended persistence behavior for newly introduced default settings keys.
+- Reduces risk of drift between in-memory merged settings and persisted Cosmos settings.
+- Maintains compatibility with existing callers and return shapes.
+
+## Validation
+
+### Before
+
+- Missing default keys could be merged in memory but not persisted, because the change check compared a mutated object to itself.
+
+### After
+
+- Missing default keys trigger the upsert path and persistence logging because merge output is compared against a deep-copied pre-merge snapshot.
+
+### Test Result
+
+- Verified by running `py -3 functional_tests/test_settings_deep_merge_persistence_fix.py`.
diff --git a/docs/explanation/release_notes.md b/docs/explanation/release_notes.md
index 3f187c9b..21c4cb9b 100644
--- a/docs/explanation/release_notes.md
+++ b/docs/explanation/release_notes.md
@@ -2,80 +2,31 @@
 
 # Feature Release
 
-<<<<<<< HEAD
-### **(v0.239.013)**
-
-#### Bug Fixes
-
-*   **Idle Timeout Route Documentation Standardization**
-    *   Added method comments/docstrings to new idle timeout methods for clearer maintenance and handoff.
-    *   (Ref: `application/single_app/app.py`, `application/single_app/route_frontend_admin_settings.py`, `application/single_app/route_frontend_authentication.py`, `application/single_app/config.py`, `functional_tests/test_idle_logout_timeout.py`)
-
-### **(v0.239.011)**
-
-#### Bug Fixes
-
-*   **Idle Timeout Input Validation Logging Enhancements**
-    *   Added structured `log_event` telemetry for idle-timeout parsing and normalization in runtime settings resolution, including fallback defaults and warning/timeout boundary adjustments.
-    *   Added structured `log_event` telemetry to admin settings integer parsing (`safe_int`) so invalid submitted values are captured with field context and fallback values.
-    *   Improves diagnostics and traceability for misconfigured timeout values without changing existing idle-timeout behavior.
-    *   (Ref: `application/single_app/app.py`, `application/single_app/route_frontend_admin_settings.py`, `application/single_app/config.py`, `functional_tests/test_idle_logout_timeout.py`)
-
-### **(v0.239.009)**
-
-#### Bug Fixes
-
-*   **Settings Cache Source Diagnostics for Request Path**
-    *   Added source-aware settings retrieval diagnostics to confirm whether request settings were served from app settings cache or required Cosmos DB fallback.
-    *   Added per-request source capture and thread-safe counters in the idle-timeout settings path to improve troubleshooting of cache behavior.
-    *   Updated functional test markers and version metadata to validate the new diagnostics wiring.
-    *   (Ref: `application/single_app/functions_settings.py`, `application/single_app/app.py`, `application/single_app/config.py`, `functional_tests/test_idle_logout_timeout.py`)
-
-### **(v0.239.008)**
-
-#### Bug Fixes
-
-*   **Idle Timeout Re-Enable Immediate Logout Fix**
-    *   Fixed an issue where users could be logged out immediately after an admin re-enabled idle timeout.
-    *   **Root Cause**: While idle timeout was disabled, `last_activity_epoch` was not refreshed on requests, allowing stale inactivity duration to accumulate.
-    *   **Fix**: Requests now refresh `last_activity_epoch` even when timeout enforcement is disabled, so re-enabling the feature starts from current activity instead of stale idle time.
-    *   Updated functional test version markers to reflect the fix release.
-    *   (Ref: `application/single_app/app.py`, `application/single_app/config.py`, `functional_tests/test_idle_logout_timeout.py`)
-
-### **(v0.239.007)**
+### **(v0.239.006)**
 
 #### New Features
 
-*   **Idle Timeout Feature Toggle in Admin Settings**
-    *   Added a new admin switch to enable or disable idle session timeout and warning behavior without changing environment variables.
-    *   Timeout and warning inputs are now grouped under a toggleable section in General > System Settings.
-    *   Server-side timeout enforcement now respects the toggle so inactivity auto-logout can be centrally turned on or off.
-    *   Frontend idle warning script now reads the server-provided enabled flag instead of using a hardcoded value.
-    *   (Ref: `application/single_app/templates/admin_settings.html`, `application/single_app/static/js/admin/admin_settings.js`, `application/single_app/route_frontend_admin_settings.py`, `application/single_app/functions_settings.py`, `application/single_app/app.py`, `application/single_app/templates/base.html`)
+*   **Idle Session Timeout Feature**
+    *   Added a new idle timer that auto clears the user session after a configurable set time and redirects to the main chat login page.
+    *   Added a frontend idle warning modal that pops up after a configurable set time, but disappears if the user mouses over the chat window or interacts with the app in any way.
+    *   Default values are used if the idle logout and warning values are not set. 
+    *   Idle logout and idle warning values are validated and auto-fixed as needed.
+    *   Added a new admin switch to enable or disable idle session timeout and warning behavior.
+    *   Timeout and warning inputs are grouped under a toggleable section in General > System Settings.
+    *   (Ref: `application/single_app/templates/admin_settings.html`, `application/single_app/static/js/admin/admin_settings.js`, `application/single_app/route_frontend_admin_settings.py`, `application/single_app/functions_settings.py`, `application/single_app/app.py`, `application/single_app/templates/base.html`, `application/single_app/static/js/idle-logout-warning.js`, `application/single_app/config.py`, `functional_tests/test_idle_logout_timeout.py`, `application/single_app/route_frontend_authentication.py`,)
 
 #### Bug Fixes
 
-*   **Idle Logout Config Key Alignment**
-    *   Resolved config drift between template and client script by explicitly supporting `fullSsoLogoutUrl` while retaining backward compatibility with legacy `logoutUrl`.
-    *   Logout target resolution now uses `localLogoutUrl` first, then `fullSsoLogoutUrl`, then `logoutUrl`.
-    *   Updated functional test markers to validate the new key precedence and runtime wiring.
-    *   (Ref: `application/single_app/static/js/idle-logout-warning.js`, `application/single_app/templates/base.html`, `functional_tests/test_idle_logout_timeout.py`)
-
-=======
->>>>>>> Development
+*   **Settings Default Merge Persistence Fix**
+    *   Fixed app settings merge detection in `get_settings()` where `deep_merge_dicts()` mutates the existing settings object in place, causing change detection to always evaluate as unchanged.
+    *   Added pre-merge snapshot comparison with `copy.deepcopy()` so missing default keys correctly trigger `upsert_item()` and are persisted back to Cosmos DB.
+    *   Added a functional regression test to validate the merge detection and persistence markers.
+    *   (Ref: `application/single_app/functions_settings.py`, `application/single_app/config.py`, `functional_tests/test_settings_deep_merge_persistence_fix.py`)
+    
 ### **(v0.239.005)**
 
 #### New Features
 
-<<<<<<< HEAD
-*   **Admin-Managed Idle Session Timeout Settings**
-    *   Added idle session configuration variables to Admin Settings so timeout values are managed in-app and persisted in Cosmos DB.
-    *   Added configurable fields for idle logout timeout and warning lead time in the General > System Settings section.
-    *   Updated runtime enforcement and heartbeat responses to read these values from persisted settings with safe bounds validation.
-    *   Includes version update to align configuration and release metadata.
-    *   (Ref: `application/single_app/functions_settings.py`, `application/single_app/route_frontend_admin_settings.py`, `application/single_app/templates/admin_settings.html`, `application/single_app/app.py`, `application/single_app/config.py`, `functional_tests/test_idle_logout_timeout.py`)
-
-=======
 *   **Redis Key Vault Authentication**
     *   Added a new `key_vault` authentication type for Redis, allowing the Redis access key to be retrieved securely from Azure Key Vault at runtime rather than stored directly in settings.
     *   Applies across all Redis usage paths: app settings cache (`app_settings_cache.py`), session management (`app.py`), and the Redis test connection flow (`route_backend_settings.py`).
@@ -124,7 +75,7 @@
     *   Ensures Python package installation works reliably in environments requiring custom certificate trust and pip configuration.
     *   (Ref: Docker customization, CA cert setup, `pip.conf` handling)
     
->>>>>>> Development
+
 ### **(v0.239.001)**
 
 #### New Features
@@ -1150,8 +1101,6 @@
     *   **Benefits**: Improved workspace identification, consistent with Group scope naming pattern, better navigation between workspace scopes.
     *   (Ref: `chat-documents.js`, scope label updates, dynamic workspace display)
 
-=======
-
 ##### User Interface and Content Rendering Fixes
 
 *   **Unicode Table Rendering Fix**
diff --git a/functional_tests/test_idle_logout_timeout.py b/functional_tests/test_idle_logout_timeout.py
index de7d13af..7f0d4f37 100644
--- a/functional_tests/test_idle_logout_timeout.py
+++ b/functional_tests/test_idle_logout_timeout.py
@@ -1,8 +1,8 @@
 #!/usr/bin/env python3
 """
 Functional test for idle session auto-logout.
-Version: 0.239.013
-Implemented in: 0.239.013
+Version: 0.239.006
+Implemented in: 0.239.006
 
 This test ensures that server-side idle timeout enforcement and
 client-side warning/logout wiring are present and sourced from admin settings.
@@ -57,7 +57,7 @@ def test_server_idle_timeout_wiring():
     assert not missing_app_markers, f"Missing backend markers in app.py: {missing_app_markers}"
 
     required_config_markers = [
-        "VERSION = \"0.239.013\""
+        "VERSION = \"0.239.006\""
     ]
 
     missing_config_markers = [marker for marker in required_config_markers if marker not in config_content]
diff --git a/functional_tests/test_settings_deep_merge_persistence_fix.py b/functional_tests/test_settings_deep_merge_persistence_fix.py
new file mode 100644
index 00000000..23244b3f
--- /dev/null
+++ b/functional_tests/test_settings_deep_merge_persistence_fix.py
@@ -0,0 +1,101 @@
+#!/usr/bin/env python3
+"""
+Functional test for settings deep-merge persistence fix.
+Version: 0.239.006
+Implemented in: 0.239.006
+
+This test ensures get_settings compares merged settings against a pre-merge deep copy
+so missing default keys are persisted back to Cosmos DB.
+"""
+
+import os
+import sys
+import traceback
+
+sys.path.append(os.path.dirname(os.path.abspath(__file__)))
+
+
+def _read_file(*path_parts):
+    file_path = os.path.join(
+        os.path.dirname(os.path.abspath(__file__)),
+        "..",
+        *path_parts
+    )
+    with open(file_path, "r", encoding="utf-8") as file_handle:
+        return file_handle.read()
+
+
+def test_merge_detection_uses_pre_merge_snapshot():
+    """Validate deep-copy comparison markers exist in settings merge path."""
+    print("🔍 Testing settings merge persistence detection wiring...")
+
+    settings_content = _read_file("application", "single_app", "functions_settings.py")
+
+    required_markers = [
+        "import copy",
+        "original_settings_item = copy.deepcopy(settings_item)",
+        "merged = deep_merge_dicts(default_settings, settings_item)",
+        "if merged != original_settings_item:",
+        "cosmos_settings_container.upsert_item(merged)",
+        "App settings missing keys were merged and persisted to Cosmos DB."
+    ]
+
+    missing_markers = [marker for marker in required_markers if marker not in settings_content]
+    assert not missing_markers, f"Missing merge persistence markers in functions_settings.py: {missing_markers}"
+
+    print("✅ Settings merge persistence detection wiring is present")
+
+
+def test_version_alignment_for_fix_release():
+    """Validate config version reflects this fix release."""
+    print("🔍 Testing fix release version alignment...")
+
+    config_content = _read_file("application", "single_app", "config.py")
+
+    required_markers = [
+        "VERSION = \"0.239.006\""
+    ]
+
+    missing_markers = [marker for marker in required_markers if marker not in config_content]
+    assert not missing_markers, f"Missing config markers: {missing_markers}"
+
+    print("✅ Fix release version markers are aligned")
+
+
+def main():
+    """Run all functional checks for deep-merge persistence fix."""
+    print("🧪 Running Settings Deep Merge Persistence Functional Tests...\n")
+
+    tests = [
+        test_merge_detection_uses_pre_merge_snapshot,
+        test_version_alignment_for_fix_release
+    ]
+
+    results = []
+    for test in tests:
+        print(f"\n🧪 Running {test.__name__}...")
+        try:
+            test()
+            results.append(True)
+        except AssertionError as error:
+            print(f"❌ {test.__name__} failed: {error}")
+            results.append(False)
+        except Exception as error:
+            print(f"❌ {test.__name__} error: {error}")
+            traceback.print_exc()
+            results.append(False)
+
+    success = all(results)
+    print(f"\n📊 Results: {sum(results)}/{len(results)} tests passed")
+
+    if success:
+        print("✅ All deep-merge persistence functional tests passed!")
+    else:
+        print("❌ Some deep-merge persistence functional tests failed.")
+
+    return success
+
+
+if __name__ == "__main__":
+    test_success = main()
+    sys.exit(0 if test_success else 1)

From 6431de2d8f82a423ac2583891a43ec058df81bc7 Mon Sep 17 00:00:00 2001
From: Chad Palmer <chadpalmer@gmail.com>
Date: Wed, 11 Mar 2026 23:31:56 +0000
Subject: [PATCH 08/27] feedback-user-timeout - More code clean up for safe_int
 method and css class.

---
 .../route_frontend_admin_settings.py          |  31 ++++--
 application/single_app/templates/base.html    |   2 +-
 .../ADMIN_SETTINGS_SAFE_INT_FALLBACK_FIX.md   |  49 +++++++++
 ...st_admin_settings_safe_int_fallback_fix.py | 101 ++++++++++++++++++
 4 files changed, 175 insertions(+), 8 deletions(-)
 create mode 100644 docs/explanation/fixes/ADMIN_SETTINGS_SAFE_INT_FALLBACK_FIX.md
 create mode 100644 functional_tests/test_admin_settings_safe_int_fallback_fix.py

diff --git a/application/single_app/route_frontend_admin_settings.py b/application/single_app/route_frontend_admin_settings.py
index 454d5337..50d08d65 100644
--- a/application/single_app/route_frontend_admin_settings.py
+++ b/application/single_app/route_frontend_admin_settings.py
@@ -288,42 +288,59 @@ def admin_settings():
             form_data = request.form # Use a variable for easier access
             user_id = get_current_user_id()
 
-            def safe_int(raw_value, fallback_value, field_name="unknown"):
+            def safe_int(raw_value, fallback_value, field_name="unknown", hard_default=0):
                 """
                 Safely convert an admin form value to an integer with fallback handling.
 
                 Args:
                     raw_value (object): The submitted form value to parse.
-                    fallback_value (int): The value to use when parsing fails.
+                    fallback_value (object): The fallback value to parse when input conversion fails.
                     field_name (str): The admin settings field name being parsed.
+                    hard_default (int): The guaranteed integer fallback used when both values are invalid.
 
                 Returns:
-                    int: The parsed integer value or the fallback value when invalid.
+                    int: A valid integer derived from input, fallback, or hard default.
                 Raises:
                     None.
                 """
                 try:
                     return int(raw_value)
                 except (TypeError, ValueError):
+                    try:
+                        parsed_fallback = int(fallback_value)
+                    except (TypeError, ValueError):
+                        log_event(
+                            "Invalid admin settings integer input and fallback detected; using hard default value.",
+                            extra={
+                                "field": field_name,
+                                "raw_value": str(raw_value),
+                                "fallback_value": str(fallback_value),
+                                "hard_default": hard_default,
+                                "user_id": user_id
+                            },
+                            level=logging.WARNING
+                        )
+                        return int(hard_default)
+
                     log_event(
                         "Invalid admin settings integer input detected; using fallback value.",
                         extra={
                             "field": field_name,
                             "raw_value": str(raw_value),
-                            "fallback_value": fallback_value,
+                            "fallback_value": str(fallback_value),
                             "user_id": user_id
                         },
                         level=logging.WARNING
                     )
-                    return fallback_value
+                    return parsed_fallback
 
             # --- Fetch all other form data as before ---
             app_title = form_data.get('app_title', 'AI Chat Application')
             max_file_size_mb = int(form_data.get('max_file_size_mb', 16))
             conversation_history_limit = int(form_data.get('conversation_history_limit', 10))
             enable_idle_timeout = form_data.get('enable_idle_timeout') == 'on'
-            idle_timeout_minutes = max(1, safe_int(form_data.get('idle_timeout_minutes'), settings.get('idle_timeout_minutes', 30), 'idle_timeout_minutes'))
-            idle_warning_minutes = max(0, safe_int(form_data.get('idle_warning_minutes'), settings.get('idle_warning_minutes', 28), 'idle_warning_minutes'))
+            idle_timeout_minutes = max(1, safe_int(form_data.get('idle_timeout_minutes'), settings.get('idle_timeout_minutes', 30), 'idle_timeout_minutes', 30))
+            idle_warning_minutes = max(0, safe_int(form_data.get('idle_warning_minutes'), settings.get('idle_warning_minutes', 28), 'idle_warning_minutes', 28))
             if idle_warning_minutes >= idle_timeout_minutes:
                 idle_warning_minutes = max(0, idle_timeout_minutes - 1)
             # ... (fetch all other fields using form_data.get) ...
diff --git a/application/single_app/templates/base.html b/application/single_app/templates/base.html
index e419d8c5..f9e0983a 100644
--- a/application/single_app/templates/base.html
+++ b/application/single_app/templates/base.html
@@ -374,7 +374,7 @@
   <div class="modal fade" id="idleTimeoutWarningModal" tabindex="-1" aria-labelledby="idleTimeoutWarningModalLabel" aria-hidden="true" data-bs-backdrop="static" data-bs-keyboard="false">
     <div class="modal-dialog modal-dialog-centered">
       <div class="modal-content">
-        <div class="modal-header bg-primary">
+        <div class="modal-header bg-primary text-white">
           <h5 class="modal-title" id="idleTimeoutWarningModalLabel">
             <i class="bi bi-clock me-2"></i>Session Expiring Soon
           </h5>
diff --git a/docs/explanation/fixes/ADMIN_SETTINGS_SAFE_INT_FALLBACK_FIX.md b/docs/explanation/fixes/ADMIN_SETTINGS_SAFE_INT_FALLBACK_FIX.md
new file mode 100644
index 00000000..ae7f3f69
--- /dev/null
+++ b/docs/explanation/fixes/ADMIN_SETTINGS_SAFE_INT_FALLBACK_FIX.md
@@ -0,0 +1,49 @@
+# ADMIN SETTINGS SAFE INT FALLBACK FIX
+
+## Overview
+
+- **Issue**: Admin settings save flow could throw a `TypeError` when `safe_int()` returned a non-integer fallback value.
+- **Root Cause**: `safe_int()` returned `fallback_value` as-is after parse failure; if persisted fallback values were malformed (for example strings that cannot be converted), subsequent `max(1, ...)` / `max(0, ...)` operations could fail.
+- **Fixed/Implemented in version: `0.239.006`**
+- **Related version update**: `application/single_app/config.py` updated to `VERSION = "0.239.006"`.
+
+## Technical Details
+
+### Files Modified
+
+- `application/single_app/route_frontend_admin_settings.py`
+- `application/single_app/config.py`
+- `functional_tests/test_admin_settings_safe_int_fallback_fix.py`
+- `functional_tests/test_idle_logout_timeout.py`
+- `functional_tests/test_settings_deep_merge_persistence_fix.py`
+
+### Code Changes Summary
+
+- Hardened `safe_int()` to always return an integer.
+- Added fallback coercion (`int(fallback_value)`) before returning fallback.
+- Added guaranteed hard default path when both raw value and fallback are invalid.
+- Updated idle-timeout call sites to pass explicit hard defaults (`30` and `28`).
+
+### Testing Approach
+
+- Added `functional_tests/test_admin_settings_safe_int_fallback_fix.py` to validate hardening markers and version alignment.
+- Kept existing functional tests version-aligned with release version.
+
+### Impact Analysis
+
+- Prevents runtime `TypeError` in admin settings save flow for malformed persisted fallback values.
+- Improves resiliency of idle-timeout configuration handling without changing intended behavior for valid values.
+
+## Validation
+
+### Before
+
+- Invalid form input could cause `safe_int()` to return non-int fallback values, potentially raising `TypeError` in `max()`.
+
+### After
+
+- `safe_int()` always returns a valid integer from raw input, parsed fallback, or hard default.
+
+### Test Result
+
+- Verified by running `py -3 functional_tests/test_admin_settings_safe_int_fallback_fix.py`.
diff --git a/functional_tests/test_admin_settings_safe_int_fallback_fix.py b/functional_tests/test_admin_settings_safe_int_fallback_fix.py
new file mode 100644
index 00000000..83dd1165
--- /dev/null
+++ b/functional_tests/test_admin_settings_safe_int_fallback_fix.py
@@ -0,0 +1,101 @@
+#!/usr/bin/env python3
+"""
+Functional test for admin safe_int fallback hardening.
+Version: 0.239.006
+Implemented in: 0.239.006
+
+This test ensures admin settings integer parsing always returns ints,
+including when persisted fallback values are malformed.
+"""
+
+import os
+import sys
+import traceback
+
+sys.path.append(os.path.dirname(os.path.abspath(__file__)))
+
+
+def _read_file(*path_parts):
+    file_path = os.path.join(
+        os.path.dirname(os.path.abspath(__file__)),
+        "..",
+        *path_parts
+    )
+    with open(file_path, "r", encoding="utf-8") as file_handle:
+        return file_handle.read()
+
+
+def test_safe_int_hardening_markers():
+    """Validate safe_int hard fallback handling is wired."""
+    print("🔍 Testing admin safe_int fallback hardening wiring...")
+
+    route_content = _read_file("application", "single_app", "route_frontend_admin_settings.py")
+
+    required_markers = [
+        "def safe_int(raw_value, fallback_value, field_name=\"unknown\", hard_default=0):",
+        "parsed_fallback = int(fallback_value)",
+        "Invalid admin settings integer input and fallback detected; using hard default value.",
+        "return int(hard_default)",
+        "idle_timeout_minutes = max(1, safe_int(form_data.get('idle_timeout_minutes'), settings.get('idle_timeout_minutes', 30), 'idle_timeout_minutes', 30))",
+        "idle_warning_minutes = max(0, safe_int(form_data.get('idle_warning_minutes'), settings.get('idle_warning_minutes', 28), 'idle_warning_minutes', 28))"
+    ]
+
+    missing_markers = [marker for marker in required_markers if marker not in route_content]
+    assert not missing_markers, f"Missing safe_int hardening markers: {missing_markers}"
+
+    print("✅ Admin safe_int fallback hardening wiring is present")
+
+
+def test_version_alignment_for_safe_int_fix():
+    """Validate config version aligns with safe_int fix release."""
+    print("🔍 Testing version alignment for safe_int fallback fix...")
+
+    config_content = _read_file("application", "single_app", "config.py")
+
+    required_markers = [
+        "VERSION = \"0.239.006\""
+    ]
+
+    missing_markers = [marker for marker in required_markers if marker not in config_content]
+    assert not missing_markers, f"Missing config markers: {missing_markers}"
+
+    print("✅ Safe_int fix release version markers are aligned")
+
+
+def main():
+    """Run all safe_int fallback hardening functional checks."""
+    print("🧪 Running Admin Safe Int Fallback Functional Tests...\n")
+
+    tests = [
+        test_safe_int_hardening_markers,
+        test_version_alignment_for_safe_int_fix
+    ]
+
+    results = []
+    for test in tests:
+        print(f"\n🧪 Running {test.__name__}...")
+        try:
+            test()
+            results.append(True)
+        except AssertionError as error:
+            print(f"❌ {test.__name__} failed: {error}")
+            results.append(False)
+        except Exception as error:
+            print(f"❌ {test.__name__} error: {error}")
+            traceback.print_exc()
+            results.append(False)
+
+    success = all(results)
+    print(f"\n📊 Results: {sum(results)}/{len(results)} tests passed")
+
+    if success:
+        print("✅ All admin safe_int fallback functional tests passed!")
+    else:
+        print("❌ Some admin safe_int fallback functional tests failed.")
+
+    return success
+
+
+if __name__ == "__main__":
+    test_success = main()
+    sys.exit(0 if test_success else 1)

From 8ea5b818436b5713762266160d67757c3087dc8f Mon Sep 17 00:00:00 2001
From: Chad Palmer <chadpalmer@gmail.com>
Date: Thu, 12 Mar 2026 15:24:02 +0000
Subject: [PATCH 09/27] feedback-user-timeout - More code clean up for unit
 tests and making safe_int a util function.

---
 application/single_app/app.py                 |   2 +-
 .../route_frontend_admin_settings.py          |  46 ++--
 .../ADMIN_SETTINGS_SAFE_INT_FALLBACK_FIX.md   |  10 +-
 ...st_admin_settings_safe_int_fallback_fix.py | 130 ++++++++--
 functional_tests/test_idle_logout_timeout.py  | 240 +++++++++++++++---
 ...est_settings_deep_merge_persistence_fix.py | 189 ++++++++++++--
 6 files changed, 520 insertions(+), 97 deletions(-)

diff --git a/application/single_app/app.py b/application/single_app/app.py
index 121021e2..81d67e12 100644
--- a/application/single_app/app.py
+++ b/application/single_app/app.py
@@ -586,7 +586,7 @@ def record_request_settings_source(source):
                 "cosmos_forced_hits": cosmos_forced_hits,
                 "unknown_hits": unknown_hits
             },
-            level=logging.WARNING
+            level=logging.INFO
         )
 
 
diff --git a/application/single_app/route_frontend_admin_settings.py b/application/single_app/route_frontend_admin_settings.py
index 50d08d65..a545e4e0 100644
--- a/application/single_app/route_frontend_admin_settings.py
+++ b/application/single_app/route_frontend_admin_settings.py
@@ -8,6 +8,7 @@
 from functions_logging import *
 from swagger_wrapper import swagger_route, get_auth_security
 from datetime import datetime, timedelta
+from admin_settings_int_utils import safe_int_with_source
 
 def allowed_file(filename, allowed_extensions):
     return '.' in filename and \
@@ -288,40 +289,36 @@ def admin_settings():
             form_data = request.form # Use a variable for easier access
             user_id = get_current_user_id()
 
-            def safe_int(raw_value, fallback_value, field_name="unknown", hard_default=0):
+            def parse_admin_int(raw_value, fallback_value, field_name="unknown", hard_default=0):
                 """
-                Safely convert an admin form value to an integer with fallback handling.
+                Parse an admin form value to an integer with structured fallback diagnostics.
 
                 Args:
                     raw_value (object): The submitted form value to parse.
                     fallback_value (object): The fallback value to parse when input conversion fails.
                     field_name (str): The admin settings field name being parsed.
-                    hard_default (int): The guaranteed integer fallback used when both values are invalid.
+                    hard_default (int): Final integer default when both input and fallback are invalid.
 
                 Returns:
                     int: A valid integer derived from input, fallback, or hard default.
                 Raises:
                     None.
                 """
-                try:
-                    return int(raw_value)
-                except (TypeError, ValueError):
-                    try:
-                        parsed_fallback = int(fallback_value)
-                    except (TypeError, ValueError):
-                        log_event(
-                            "Invalid admin settings integer input and fallback detected; using hard default value.",
-                            extra={
-                                "field": field_name,
-                                "raw_value": str(raw_value),
-                                "fallback_value": str(fallback_value),
-                                "hard_default": hard_default,
-                                "user_id": user_id
-                            },
-                            level=logging.WARNING
-                        )
-                        return int(hard_default)
+                parsed_value, parse_source = safe_int_with_source(raw_value, fallback_value, hard_default)
 
+                if parse_source == "hard_default":
+                    log_event(
+                        "Invalid admin settings integer input and fallback detected; using hard default value.",
+                        extra={
+                            "field": field_name,
+                            "raw_value": str(raw_value),
+                            "fallback_value": str(fallback_value),
+                            "hard_default": hard_default,
+                            "user_id": user_id
+                        },
+                        level=logging.WARNING
+                    )
+                elif parse_source == "fallback":
                     log_event(
                         "Invalid admin settings integer input detected; using fallback value.",
                         extra={
@@ -332,15 +329,16 @@ def safe_int(raw_value, fallback_value, field_name="unknown", hard_default=0):
                         },
                         level=logging.WARNING
                     )
-                    return parsed_fallback
+
+                return parsed_value
 
             # --- Fetch all other form data as before ---
             app_title = form_data.get('app_title', 'AI Chat Application')
             max_file_size_mb = int(form_data.get('max_file_size_mb', 16))
             conversation_history_limit = int(form_data.get('conversation_history_limit', 10))
             enable_idle_timeout = form_data.get('enable_idle_timeout') == 'on'
-            idle_timeout_minutes = max(1, safe_int(form_data.get('idle_timeout_minutes'), settings.get('idle_timeout_minutes', 30), 'idle_timeout_minutes', 30))
-            idle_warning_minutes = max(0, safe_int(form_data.get('idle_warning_minutes'), settings.get('idle_warning_minutes', 28), 'idle_warning_minutes', 28))
+            idle_timeout_minutes = max(1, parse_admin_int(form_data.get('idle_timeout_minutes'), settings.get('idle_timeout_minutes', 30), 'idle_timeout_minutes', 30))
+            idle_warning_minutes = max(0, parse_admin_int(form_data.get('idle_warning_minutes'), settings.get('idle_warning_minutes', 28), 'idle_warning_minutes', 28))
             if idle_warning_minutes >= idle_timeout_minutes:
                 idle_warning_minutes = max(0, idle_timeout_minutes - 1)
             # ... (fetch all other fields using form_data.get) ...
diff --git a/docs/explanation/fixes/ADMIN_SETTINGS_SAFE_INT_FALLBACK_FIX.md b/docs/explanation/fixes/ADMIN_SETTINGS_SAFE_INT_FALLBACK_FIX.md
index ae7f3f69..80affd01 100644
--- a/docs/explanation/fixes/ADMIN_SETTINGS_SAFE_INT_FALLBACK_FIX.md
+++ b/docs/explanation/fixes/ADMIN_SETTINGS_SAFE_INT_FALLBACK_FIX.md
@@ -12,6 +12,7 @@
 ### Files Modified
 
 - `application/single_app/route_frontend_admin_settings.py`
+- `application/single_app/admin_settings_int_utils.py`
 - `application/single_app/config.py`
 - `functional_tests/test_admin_settings_safe_int_fallback_fix.py`
 - `functional_tests/test_idle_logout_timeout.py`
@@ -19,14 +20,13 @@
 
 ### Code Changes Summary
 
-- Hardened `safe_int()` to always return an integer.
-- Added fallback coercion (`int(fallback_value)`) before returning fallback.
-- Added guaranteed hard default path when both raw value and fallback are invalid.
-- Updated idle-timeout call sites to pass explicit hard defaults (`30` and `28`).
+- Extracted integer parsing into module-level helper functions (`safe_int`, `safe_int_with_source`) in `admin_settings_int_utils.py`.
+- Updated admin settings route to use the extracted helper while preserving existing fallback and hard-default `log_event` diagnostics.
+- Kept idle-timeout call sites using explicit hard defaults (`30` and `28`).
 
 ### Testing Approach
 
-- Added `functional_tests/test_admin_settings_safe_int_fallback_fix.py` to validate hardening markers and version alignment.
+- Refactored `functional_tests/test_admin_settings_safe_int_fallback_fix.py` to behavior-level helper tests (malformed raw and fallback values) plus AST route wiring validation.
 - Kept existing functional tests version-aligned with release version.
 
 ### Impact Analysis
diff --git a/functional_tests/test_admin_settings_safe_int_fallback_fix.py b/functional_tests/test_admin_settings_safe_int_fallback_fix.py
index 83dd1165..0035cb61 100644
--- a/functional_tests/test_admin_settings_safe_int_fallback_fix.py
+++ b/functional_tests/test_admin_settings_safe_int_fallback_fix.py
@@ -8,42 +8,135 @@
 including when persisted fallback values are malformed.
 """
 
+import ast
 import os
 import sys
 import traceback
 
-sys.path.append(os.path.dirname(os.path.abspath(__file__)))
+ROOT_DIR = os.path.join(os.path.dirname(os.path.abspath(__file__)), "..")
+APP_DIR = os.path.join(ROOT_DIR, "application", "single_app")
+
+if APP_DIR not in sys.path:
+    sys.path.append(APP_DIR)
+
+from admin_settings_int_utils import safe_int, safe_int_with_source
 
 
 def _read_file(*path_parts):
     file_path = os.path.join(
-        os.path.dirname(os.path.abspath(__file__)),
-        "..",
+        ROOT_DIR,
         *path_parts
     )
     with open(file_path, "r", encoding="utf-8") as file_handle:
         return file_handle.read()
 
 
-def test_safe_int_hardening_markers():
-    """Validate safe_int hard fallback handling is wired."""
-    print("🔍 Testing admin safe_int fallback hardening wiring...")
+def _parse_python_file(*path_parts):
+    """Read and parse a Python source file into AST."""
+    source = _read_file(*path_parts)
+    return source, ast.parse(source)
 
-    route_content = _read_file("application", "single_app", "route_frontend_admin_settings.py")
 
-    required_markers = [
-        "def safe_int(raw_value, fallback_value, field_name=\"unknown\", hard_default=0):",
-        "parsed_fallback = int(fallback_value)",
-        "Invalid admin settings integer input and fallback detected; using hard default value.",
-        "return int(hard_default)",
-        "idle_timeout_minutes = max(1, safe_int(form_data.get('idle_timeout_minutes'), settings.get('idle_timeout_minutes', 30), 'idle_timeout_minutes', 30))",
-        "idle_warning_minutes = max(0, safe_int(form_data.get('idle_warning_minutes'), settings.get('idle_warning_minutes', 28), 'idle_warning_minutes', 28))"
+def _find_top_level_function(module_tree, function_name):
+    """Find a top-level function definition by name."""
+    for node in module_tree.body:
+        if isinstance(node, ast.FunctionDef) and node.name == function_name:
+            return node
+    return None
+
+
+def _find_nested_function(parent_function, function_name):
+    """Find a nested function definition by name in a parent function body."""
+    for node in parent_function.body:
+        if isinstance(node, ast.FunctionDef) and node.name == function_name:
+            return node
+    return None
+
+
+def test_safe_int_behavior_with_malformed_values():
+    """Validate helper behavior for raw, fallback, and hard-default parsing paths."""
+    print("🔍 Testing admin safe_int helper behavior...")
+
+    behavior_cases = [
+        ("42", "30", 0, 42),
+        ("abc", "30", 0, 30),
+        (None, "28", 0, 28),
+        ("bad", "still_bad", 17, 17),
+        ("-5", "10", 3, -5)
     ]
 
-    missing_markers = [marker for marker in required_markers if marker not in route_content]
-    assert not missing_markers, f"Missing safe_int hardening markers: {missing_markers}"
+    for raw_value, fallback_value, hard_default, expected in behavior_cases:
+        parsed_value = safe_int(raw_value, fallback_value, hard_default)
+        assert isinstance(parsed_value, int), (
+            f"safe_int should always return int; got {type(parsed_value).__name__} "
+            f"for raw={raw_value}, fallback={fallback_value}, hard_default={hard_default}"
+        )
+        assert parsed_value == expected, (
+            f"Unexpected safe_int result for raw={raw_value}, fallback={fallback_value}, hard_default={hard_default}. "
+            f"Expected {expected}, got {parsed_value}"
+        )
+
+    parsed_value, parse_source = safe_int_with_source("9", "30", 0)
+    assert parsed_value == 9 and parse_source == "raw", "Expected raw parse source for valid raw input"
+
+    parsed_value, parse_source = safe_int_with_source("bad", "30", 0)
+    assert parsed_value == 30 and parse_source == "fallback", "Expected fallback parse source when raw input is invalid"
+
+    parsed_value, parse_source = safe_int_with_source("bad", "still_bad", 11)
+    assert parsed_value == 11 and parse_source == "hard_default", "Expected hard_default parse source when raw and fallback are invalid"
+
+    print("✅ Admin safe_int helper behavior is valid")
+
+
+def test_route_wiring_uses_module_safe_int_helper():
+    """Validate admin settings route uses extracted module helper for integer parsing."""
+    print("🔍 Testing admin route wiring for extracted safe_int helper...")
+
+    _, route_tree = _parse_python_file("application", "single_app", "route_frontend_admin_settings.py")
+
+    has_helper_import = any(
+        isinstance(node, ast.ImportFrom)
+        and node.module == "admin_settings_int_utils"
+        and any(alias.name == "safe_int_with_source" for alias in node.names)
+        for node in route_tree.body
+    )
+    assert has_helper_import, "Missing 'from admin_settings_int_utils import safe_int_with_source' import"
+
+    register_route_def = _find_top_level_function(route_tree, "register_route_frontend_admin_settings")
+    assert register_route_def is not None, "Missing register_route_frontend_admin_settings function"
+
+    admin_settings_def = _find_nested_function(register_route_def, "admin_settings")
+    assert admin_settings_def is not None, "Missing nested admin_settings route function"
+
+    has_legacy_nested_safe_int = any(
+        isinstance(node, ast.FunctionDef) and node.name == "safe_int"
+        for node in ast.walk(admin_settings_def)
+    )
+    assert not has_legacy_nested_safe_int, "Legacy nested safe_int function should be removed after extraction"
+
+    has_parse_admin_int = any(
+        isinstance(node, ast.FunctionDef) and node.name == "parse_admin_int"
+        for node in ast.walk(admin_settings_def)
+    )
+    assert has_parse_admin_int, "Missing parse_admin_int wrapper for route logging and helper usage"
+
+    has_safe_int_with_source_call = any(
+        isinstance(node, ast.Call)
+        and isinstance(node.func, ast.Name)
+        and node.func.id == "safe_int_with_source"
+        for node in ast.walk(admin_settings_def)
+    )
+    assert has_safe_int_with_source_call, "Missing safe_int_with_source helper call in admin settings route"
+
+    parse_admin_int_calls = [
+        node for node in ast.walk(admin_settings_def)
+        if isinstance(node, ast.Call)
+        and isinstance(node.func, ast.Name)
+        and node.func.id == "parse_admin_int"
+    ]
+    assert len(parse_admin_int_calls) >= 2, "Expected parse_admin_int usage for idle timeout and warning fields"
 
-    print("✅ Admin safe_int fallback hardening wiring is present")
+    print("✅ Admin route wiring for extracted safe_int helper is present")
 
 
 def test_version_alignment_for_safe_int_fix():
@@ -67,7 +160,8 @@ def main():
     print("🧪 Running Admin Safe Int Fallback Functional Tests...\n")
 
     tests = [
-        test_safe_int_hardening_markers,
+        test_safe_int_behavior_with_malformed_values,
+        test_route_wiring_uses_module_safe_int_helper,
         test_version_alignment_for_safe_int_fix
     ]
 
diff --git a/functional_tests/test_idle_logout_timeout.py b/functional_tests/test_idle_logout_timeout.py
index 7f0d4f37..ae67d9a9 100644
--- a/functional_tests/test_idle_logout_timeout.py
+++ b/functional_tests/test_idle_logout_timeout.py
@@ -10,6 +10,7 @@
 
 import os
 import sys
+import ast
 import traceback
 
 sys.path.append(os.path.dirname(os.path.abspath(__file__)))
@@ -25,36 +26,175 @@ def _read_file(*path_parts):
         return file_handle.read()
 
 
+def _parse_python_file(*path_parts):
+    """Read and parse a Python source file into AST."""
+    source = _read_file(*path_parts)
+    return source, ast.parse(source)
+
+
+def _find_top_level_function(module_tree, function_name):
+    """Find a top-level function definition by name."""
+    for node in module_tree.body:
+        if isinstance(node, ast.FunctionDef) and node.name == function_name:
+            return node
+    return None
+
+
+def _find_nested_function(parent_function, function_name):
+    """Find a nested function definition by name in a parent function body."""
+    for node in parent_function.body:
+        if isinstance(node, ast.FunctionDef) and node.name == function_name:
+            return node
+    return None
+
+
 def test_server_idle_timeout_wiring():
     """Validate idle-timeout and heartbeat backend wiring exists."""
     print("🔍 Testing server-side idle-timeout wiring...")
 
-    app_content = _read_file("application", "single_app", "app.py")
+    _, app_tree = _parse_python_file("application", "single_app", "app.py")
     config_content = _read_file("application", "single_app", "config.py")
-    auth_route_content = _read_file("application", "single_app", "route_frontend_authentication.py")
-
-    required_app_markers = [
-        "def get_idle_timeout_settings(settings=None):",
-        "def is_idle_timeout_enabled(settings=None):",
-        "settings_source_counters = {}",
-        "def record_request_settings_source(source):",
-        "get_settings(include_source=True)",
-        "record_request_settings_source(settings_source)",
-        "settings.get('idle_timeout_minutes', 30)",
-        "settings.get('idle_warning_minutes', 28)",
-        "def enforce_idle_session_timeout():",
-        "if not is_idle_timeout_enabled(request_settings):",
-        "last_activity_epoch",
-        "IDLE_TIMEOUT_EXEMPT_PATHS",
-        "'/logout/local'",
-        "redirect(url_for('local_logout'))",
-        "@app.route('/api/session/heartbeat', methods=['POST'])",
-        "def session_heartbeat():",
-        "idle_timeout_minutes, _ = get_idle_timeout_settings(request_settings)"
+    _, auth_tree = _parse_python_file("application", "single_app", "route_frontend_authentication.py")
+
+    required_app_functions = [
+        "get_idle_timeout_settings",
+        "is_idle_timeout_enabled",
+        "record_request_settings_source",
+        "get_request_settings",
+        "load_request_settings_cache",
+        "enforce_idle_session_timeout",
+        "session_heartbeat"
     ]
-
-    missing_app_markers = [marker for marker in required_app_markers if marker not in app_content]
-    assert not missing_app_markers, f"Missing backend markers in app.py: {missing_app_markers}"
+    missing_app_functions = [
+        function_name for function_name in required_app_functions
+        if _find_top_level_function(app_tree, function_name) is None
+    ]
+    assert not missing_app_functions, f"Missing backend functions in app.py: {missing_app_functions}"
+
+    has_settings_source_counter_dict = any(
+        isinstance(node, ast.Assign)
+        and any(isinstance(target, ast.Name) and target.id == "settings_source_counters" for target in node.targets)
+        and isinstance(node.value, ast.Dict)
+        and len(node.value.keys) == 0
+        for node in app_tree.body
+    )
+    assert has_settings_source_counter_dict, "Missing settings_source_counters = {} assignment"
+
+    idle_settings_def = _find_top_level_function(app_tree, "get_idle_timeout_settings")
+    has_idle_timeout_default_get = False
+    has_idle_warning_default_get = False
+    for node in ast.walk(idle_settings_def):
+        if (
+            isinstance(node, ast.Call)
+            and isinstance(node.func, ast.Attribute)
+            and isinstance(node.func.value, ast.Name)
+            and node.func.value.id == "settings"
+            and node.func.attr == "get"
+            and len(node.args) >= 2
+            and isinstance(node.args[0], ast.Constant)
+            and isinstance(node.args[1], ast.Constant)
+        ):
+            if node.args[0].value == "idle_timeout_minutes" and node.args[1].value == 30:
+                has_idle_timeout_default_get = True
+            if node.args[0].value == "idle_warning_minutes" and node.args[1].value == 28:
+                has_idle_warning_default_get = True
+
+    assert has_idle_timeout_default_get, "Missing settings.get('idle_timeout_minutes', 30) in get_idle_timeout_settings"
+    assert has_idle_warning_default_get, "Missing settings.get('idle_warning_minutes', 28) in get_idle_timeout_settings"
+
+    has_include_source_get_settings = False
+    has_record_settings_source_call = False
+    for node in ast.walk(app_tree):
+        if (
+            isinstance(node, ast.Call)
+            and isinstance(node.func, ast.Name)
+            and node.func.id == "get_settings"
+            and any(
+                isinstance(keyword, ast.keyword)
+                and keyword.arg == "include_source"
+                and isinstance(keyword.value, ast.Constant)
+                and keyword.value.value is True
+                for keyword in node.keywords
+            )
+        ):
+            has_include_source_get_settings = True
+
+        if (
+            isinstance(node, ast.Call)
+            and isinstance(node.func, ast.Name)
+            and node.func.id == "record_request_settings_source"
+            and len(node.args) == 1
+            and isinstance(node.args[0], ast.Name)
+            and node.args[0].id == "settings_source"
+        ):
+            has_record_settings_source_call = True
+
+    assert has_include_source_get_settings, "Missing get_settings(include_source=True) wiring in app.py"
+    assert has_record_settings_source_call, "Missing record_request_settings_source(settings_source) wiring in app.py"
+
+    has_idle_timeout_exempt_logout_local = False
+    for node in app_tree.body:
+        if isinstance(node, ast.Assign) and any(
+            isinstance(target, ast.Name) and target.id == "IDLE_TIMEOUT_EXEMPT_PATHS"
+            for target in node.targets
+        ):
+            if isinstance(node.value, ast.Set):
+                has_idle_timeout_exempt_logout_local = any(
+                    isinstance(element, ast.Constant) and element.value == "/logout/local"
+                    for element in node.value.elts
+                )
+
+    assert has_idle_timeout_exempt_logout_local, "Missing '/logout/local' in IDLE_TIMEOUT_EXEMPT_PATHS"
+
+    enforce_idle_timeout_def = _find_top_level_function(app_tree, "enforce_idle_session_timeout")
+    has_is_idle_timeout_enabled_guard = False
+    has_local_logout_redirect = False
+    for node in ast.walk(enforce_idle_timeout_def):
+        if isinstance(node, ast.If):
+            test_node = node.test
+            if (
+                isinstance(test_node, ast.UnaryOp)
+                and isinstance(test_node.op, ast.Not)
+                and isinstance(test_node.operand, ast.Call)
+                and isinstance(test_node.operand.func, ast.Name)
+                and test_node.operand.func.id == "is_idle_timeout_enabled"
+                and len(test_node.operand.args) == 1
+                and isinstance(test_node.operand.args[0], ast.Name)
+                and test_node.operand.args[0].id == "request_settings"
+            ):
+                has_is_idle_timeout_enabled_guard = True
+
+        if (
+            isinstance(node, ast.Call)
+            and isinstance(node.func, ast.Name)
+            and node.func.id == "redirect"
+            and len(node.args) == 1
+            and isinstance(node.args[0], ast.Call)
+            and isinstance(node.args[0].func, ast.Name)
+            and node.args[0].func.id == "url_for"
+            and len(node.args[0].args) == 1
+            and isinstance(node.args[0].args[0], ast.Constant)
+            and node.args[0].args[0].value == "local_logout"
+        ):
+            has_local_logout_redirect = True
+
+    assert has_is_idle_timeout_enabled_guard, "Missing 'if not is_idle_timeout_enabled(request_settings)' guard"
+    assert has_local_logout_redirect, "Missing redirect(url_for('local_logout')) in enforce_idle_session_timeout"
+
+    session_heartbeat_def = _find_top_level_function(app_tree, "session_heartbeat")
+    has_heartbeat_refresh_call = False
+    for node in ast.walk(session_heartbeat_def):
+        if (
+            isinstance(node, ast.Call)
+            and isinstance(node.func, ast.Name)
+            and node.func.id == "get_idle_timeout_settings"
+            and len(node.args) == 1
+            and isinstance(node.args[0], ast.Call)
+            and isinstance(node.args[0].func, ast.Name)
+            and node.args[0].func.id == "get_request_settings"
+        ):
+            has_heartbeat_refresh_call = True
+    assert has_heartbeat_refresh_call, "Missing get_idle_timeout_settings(get_request_settings()) in session_heartbeat"
 
     required_config_markers = [
         "VERSION = \"0.239.006\""
@@ -63,13 +203,51 @@ def test_server_idle_timeout_wiring():
     missing_config_markers = [marker for marker in required_config_markers if marker not in config_content]
     assert not missing_config_markers, f"Missing config markers: {missing_config_markers}"
 
-    required_auth_markers = [
-        "session.pop(\"last_activity_epoch\", None)",
-        "session[\"last_activity_epoch\"] = int(time.time())"
-    ]
-
-    missing_auth_markers = [marker for marker in required_auth_markers if marker not in auth_route_content]
-    assert not missing_auth_markers, f"Missing authentication flow markers: {missing_auth_markers}"
+    auth_register_def = _find_top_level_function(auth_tree, "register_route_frontend_authentication")
+    assert auth_register_def is not None, "Missing register_route_frontend_authentication function"
+
+    login_def = _find_nested_function(auth_register_def, "login")
+    authorized_def = _find_nested_function(auth_register_def, "authorized")
+    assert login_def is not None, "Missing login route function in authentication route"
+    assert authorized_def is not None, "Missing authorized route function in authentication route"
+
+    has_last_activity_pop = False
+    for node in ast.walk(login_def):
+        if (
+            isinstance(node, ast.Call)
+            and isinstance(node.func, ast.Attribute)
+            and isinstance(node.func.value, ast.Name)
+            and node.func.value.id == "session"
+            and node.func.attr == "pop"
+            and len(node.args) >= 1
+            and isinstance(node.args[0], ast.Constant)
+            and node.args[0].value == "last_activity_epoch"
+        ):
+            has_last_activity_pop = True
+    assert has_last_activity_pop, "Missing session.pop('last_activity_epoch', ...) in login flow"
+
+    has_last_activity_assignment = False
+    for node in ast.walk(authorized_def):
+        if isinstance(node, ast.Assign) and len(node.targets) == 1:
+            target = node.targets[0]
+            if (
+                isinstance(target, ast.Subscript)
+                and isinstance(target.value, ast.Name)
+                and target.value.id == "session"
+                and isinstance(target.slice, ast.Constant)
+                and target.slice.value == "last_activity_epoch"
+                and isinstance(node.value, ast.Call)
+                and isinstance(node.value.func, ast.Name)
+                and node.value.func.id == "int"
+                and len(node.value.args) == 1
+                and isinstance(node.value.args[0], ast.Call)
+                and isinstance(node.value.args[0].func, ast.Attribute)
+                and isinstance(node.value.args[0].func.value, ast.Name)
+                and node.value.args[0].func.value.id == "time"
+                and node.value.args[0].func.attr == "time"
+            ):
+                has_last_activity_assignment = True
+    assert has_last_activity_assignment, "Missing session['last_activity_epoch'] = int(time.time()) in authorized flow"
 
     print("✅ Server-side idle-timeout wiring is present")
 
diff --git a/functional_tests/test_settings_deep_merge_persistence_fix.py b/functional_tests/test_settings_deep_merge_persistence_fix.py
index 23244b3f..9d614b80 100644
--- a/functional_tests/test_settings_deep_merge_persistence_fix.py
+++ b/functional_tests/test_settings_deep_merge_persistence_fix.py
@@ -4,10 +4,11 @@
 Version: 0.239.006
 Implemented in: 0.239.006
 
-This test ensures get_settings compares merged settings against a pre-merge deep copy
-so missing default keys are persisted back to Cosmos DB.
+This test ensures merge persistence logic is validated using AST structure checks
+and controlled runtime behavior validation for deep_merge_dicts.
 """
 
+import ast
 import os
 import sys
 import traceback
@@ -25,26 +26,177 @@ def _read_file(*path_parts):
         return file_handle.read()
 
 
-def test_merge_detection_uses_pre_merge_snapshot():
-    """Validate deep-copy comparison markers exist in settings merge path."""
-    print("🔍 Testing settings merge persistence detection wiring...")
-
+def _load_functions_settings_ast():
+    """Load and parse functions_settings.py into an AST tree."""
     settings_content = _read_file("application", "single_app", "functions_settings.py")
+    return settings_content, ast.parse(settings_content)
 
-    required_markers = [
-        "import copy",
-        "original_settings_item = copy.deepcopy(settings_item)",
-        "merged = deep_merge_dicts(default_settings, settings_item)",
-        "if merged != original_settings_item:",
-        "cosmos_settings_container.upsert_item(merged)",
-        "App settings missing keys were merged and persisted to Cosmos DB."
-    ]
 
-    missing_markers = [marker for marker in required_markers if marker not in settings_content]
-    assert not missing_markers, f"Missing merge persistence markers in functions_settings.py: {missing_markers}"
+def _find_top_level_function(module_tree, function_name):
+    """Find a top-level function definition by name."""
+    for node in module_tree.body:
+        if isinstance(node, ast.FunctionDef) and node.name == function_name:
+            return node
+    return None
 
-    print("✅ Settings merge persistence detection wiring is present")
 
+def test_get_settings_merge_detection_ast_wiring():
+    """Validate get_settings merge persistence logic through AST structure checks."""
+    print("🔍 Testing get_settings merge persistence AST wiring...")
+
+    _, module_tree = _load_functions_settings_ast()
+
+    has_copy_import = any(
+        isinstance(node, ast.Import) and any(alias.name == "copy" for alias in node.names)
+        for node in module_tree.body
+    )
+    assert has_copy_import, "Missing 'import copy' in functions_settings.py"
+
+    get_settings_def = _find_top_level_function(module_tree, "get_settings")
+    assert get_settings_def is not None, "Missing get_settings function in functions_settings.py"
+
+    has_snapshot_assignment = False
+    has_merged_assignment = False
+    merge_comparison_if = None
+
+    for node in ast.walk(get_settings_def):
+        if isinstance(node, ast.Assign):
+            for target in node.targets:
+                if isinstance(target, ast.Name) and target.id == "original_settings_item":
+                    if (
+                        isinstance(node.value, ast.Call)
+                        and isinstance(node.value.func, ast.Attribute)
+                        and isinstance(node.value.func.value, ast.Name)
+                        and node.value.func.value.id == "copy"
+                        and node.value.func.attr == "deepcopy"
+                        and len(node.value.args) == 1
+                        and isinstance(node.value.args[0], ast.Name)
+                        and node.value.args[0].id == "settings_item"
+                    ):
+                        has_snapshot_assignment = True
+
+                if isinstance(target, ast.Name) and target.id == "merged":
+                    if (
+                        isinstance(node.value, ast.Call)
+                        and isinstance(node.value.func, ast.Name)
+                        and node.value.func.id == "deep_merge_dicts"
+                        and len(node.value.args) == 2
+                        and isinstance(node.value.args[0], ast.Name)
+                        and node.value.args[0].id == "default_settings"
+                        and isinstance(node.value.args[1], ast.Name)
+                        and node.value.args[1].id == "settings_item"
+                    ):
+                        has_merged_assignment = True
+
+        if isinstance(node, ast.If) and isinstance(node.test, ast.Compare):
+            compare_node = node.test
+            if (
+                isinstance(compare_node.left, ast.Name)
+                and compare_node.left.id == "merged"
+                and len(compare_node.ops) == 1
+                and isinstance(compare_node.ops[0], ast.NotEq)
+                and len(compare_node.comparators) == 1
+                and isinstance(compare_node.comparators[0], ast.Name)
+                and compare_node.comparators[0].id == "original_settings_item"
+            ):
+                merge_comparison_if = node
+
+    assert has_snapshot_assignment, "Missing original_settings_item copy.deepcopy(settings_item) assignment"
+    assert has_merged_assignment, "Missing merged = deep_merge_dicts(default_settings, settings_item) assignment"
+    assert merge_comparison_if is not None, "Missing if merged != original_settings_item comparison"
+
+    has_upsert_in_branch = False
+    has_log_event_in_branch = False
+
+    for node in ast.walk(merge_comparison_if):
+        if (
+            isinstance(node, ast.Call)
+            and isinstance(node.func, ast.Attribute)
+            and isinstance(node.func.value, ast.Name)
+            and node.func.value.id == "cosmos_settings_container"
+            and node.func.attr == "upsert_item"
+            and len(node.args) == 1
+            and isinstance(node.args[0], ast.Name)
+            and node.args[0].id == "merged"
+        ):
+            has_upsert_in_branch = True
+
+        if (
+            isinstance(node, ast.Call)
+            and isinstance(node.func, ast.Name)
+            and node.func.id == "log_event"
+            and node.args
+            and isinstance(node.args[0], ast.Constant)
+            and isinstance(node.args[0].value, str)
+            and "missing keys were merged and persisted to Cosmos DB" in node.args[0].value
+        ):
+            has_log_event_in_branch = True
+
+    assert has_upsert_in_branch, "Missing cosmos_settings_container.upsert_item(merged) in merge-detected branch"
+    assert has_log_event_in_branch, "Missing merge persistence log_event message in merge-detected branch"
+
+    print("✅ Get_settings merge persistence AST wiring is present")
+
+
+def test_deep_merge_dicts_ast_behavior_wiring():
+    """Validate deep_merge_dicts merge behavior through AST structure checks."""
+    print("🔍 Testing deep_merge_dicts AST behavior wiring...")
+
+    _, module_tree = _load_functions_settings_ast()
+    deep_merge_def = _find_top_level_function(module_tree, "deep_merge_dicts")
+    assert deep_merge_def is not None, "Missing deep_merge_dicts function in functions_settings.py"
+
+    has_not_in_guard = False
+    has_missing_key_assignment = False
+    has_recursive_merge_call = False
+    returns_existing_dict = False
+
+    for node in ast.walk(deep_merge_def):
+        if isinstance(node, ast.Compare):
+            if (
+                isinstance(node.left, ast.Name)
+                and node.left.id == "k"
+                and len(node.ops) == 1
+                and isinstance(node.ops[0], ast.NotIn)
+                and len(node.comparators) == 1
+                and isinstance(node.comparators[0], ast.Name)
+                and node.comparators[0].id == "existing_dict"
+            ):
+                has_not_in_guard = True
+
+        if isinstance(node, ast.Assign) and len(node.targets) == 1:
+            target = node.targets[0]
+            if (
+                isinstance(target, ast.Subscript)
+                and isinstance(target.value, ast.Name)
+                and target.value.id == "existing_dict"
+                and isinstance(node.value, ast.Name)
+                and node.value.id == "default_val"
+            ):
+                has_missing_key_assignment = True
+
+        if (
+            isinstance(node, ast.Call)
+            and isinstance(node.func, ast.Name)
+            and node.func.id == "deep_merge_dicts"
+            and len(node.args) == 2
+            and isinstance(node.args[0], ast.Name)
+            and node.args[0].id == "default_val"
+            and isinstance(node.args[1], ast.Name)
+            and node.args[1].id == "existing_val"
+        ):
+            has_recursive_merge_call = True
+
+        if isinstance(node, ast.Return):
+            if isinstance(node.value, ast.Name) and node.value.id == "existing_dict":
+                returns_existing_dict = True
+
+    assert has_not_in_guard, "Missing 'if k not in existing_dict' guard in deep_merge_dicts"
+    assert has_missing_key_assignment, "Missing existing_dict[k] = default_val assignment in deep_merge_dicts"
+    assert has_recursive_merge_call, "Missing recursive deep_merge_dicts(default_val, existing_val) call"
+    assert returns_existing_dict, "Missing return existing_dict in deep_merge_dicts"
+
+    print("✅ deep_merge_dicts AST behavior wiring is present")
 
 def test_version_alignment_for_fix_release():
     """Validate config version reflects this fix release."""
@@ -67,7 +219,8 @@ def main():
     print("🧪 Running Settings Deep Merge Persistence Functional Tests...\n")
 
     tests = [
-        test_merge_detection_uses_pre_merge_snapshot,
+        test_get_settings_merge_detection_ast_wiring,
+        test_deep_merge_dicts_ast_behavior_wiring,
         test_version_alignment_for_fix_release
     ]
 

From 4b869f24a51d29796b138ce45457d67658979a36 Mon Sep 17 00:00:00 2001
From: Chad Palmer <chadpalmer@gmail.com>
Date: Thu, 12 Mar 2026 15:53:12 +0000
Subject: [PATCH 10/27] feedback-user-timeout - Added missing utils file to
 repo.

---
 .../single_app/admin_settings_int_utils.py    | 38 +++++++++++++++++++
 1 file changed, 38 insertions(+)
 create mode 100644 application/single_app/admin_settings_int_utils.py

diff --git a/application/single_app/admin_settings_int_utils.py b/application/single_app/admin_settings_int_utils.py
new file mode 100644
index 00000000..70e41b5e
--- /dev/null
+++ b/application/single_app/admin_settings_int_utils.py
@@ -0,0 +1,38 @@
+# admin_settings_int_utils.py
+
+
+def safe_int_with_source(raw_value, fallback_value, hard_default=0):
+    """
+    Safely parse an integer value using raw input, fallback, then hard default.
+
+    Args:
+        raw_value (object): Primary value to parse.
+        fallback_value (object): Secondary value to parse when raw parsing fails.
+        hard_default (int): Final integer default when both values are invalid.
+
+    Returns:
+        tuple[int, str]: Parsed integer and parse source (`raw`, `fallback`, `hard_default`).
+    """
+    try:
+        return int(raw_value), "raw"
+    except (TypeError, ValueError):
+        try:
+            return int(fallback_value), "fallback"
+        except (TypeError, ValueError):
+            return int(hard_default), "hard_default"
+
+
+def safe_int(raw_value, fallback_value, hard_default=0):
+    """
+    Safely parse an integer using raw input, fallback, then hard default.
+
+    Args:
+        raw_value (object): Primary value to parse.
+        fallback_value (object): Secondary value to parse when raw parsing fails.
+        hard_default (int): Final integer default when both values are invalid.
+
+    Returns:
+        int: Parsed integer value.
+    """
+    parsed_value, _ = safe_int_with_source(raw_value, fallback_value, hard_default)
+    return parsed_value

From 1be8338089ae73a71f520c6ec796b6cb9433593f Mon Sep 17 00:00:00 2001
From: Chad Palmer <chadpalmer@gmail.com>
Date: Thu, 12 Mar 2026 16:53:58 +0000
Subject: [PATCH 11/27] feedback-user-timeout - Made api call's interaction
 with idle timeout more intelligent.

---
 application/single_app/app.py                 |  8 +++-
 .../IDLE_SESSION_API_ACTIVITY_SEED_FIX.md     | 36 ++++++++++++++++++
 docs/explanation/release_notes.md             |  2 +-
 functional_tests/test_idle_logout_timeout.py  | 38 +++++++++++++++++++
 4 files changed, 82 insertions(+), 2 deletions(-)
 create mode 100644 docs/explanation/fixes/IDLE_SESSION_API_ACTIVITY_SEED_FIX.md

diff --git a/application/single_app/app.py b/application/single_app/app.py
index 81d67e12..d171602e 100644
--- a/application/single_app/app.py
+++ b/application/single_app/app.py
@@ -777,10 +777,13 @@ def enforce_idle_session_timeout():
 
     idle_timeout_minutes, _ = get_idle_timeout_settings(request_settings)
     last_activity_epoch = session.get('last_activity_epoch')
+    has_valid_last_activity_epoch = False
 
     if last_activity_epoch is not None:
         try:
-            idle_seconds = now_epoch - int(float(last_activity_epoch))
+            parsed_last_activity_epoch = int(float(last_activity_epoch))
+            has_valid_last_activity_epoch = True
+            idle_seconds = now_epoch - parsed_last_activity_epoch
             if idle_seconds >= (idle_timeout_minutes * 60):
                 user_id = session.get('user', {}).get('oid') or session.get('user', {}).get('sub')
                 session.clear()
@@ -802,6 +805,9 @@ def enforce_idle_session_timeout():
             log_event(f"Idle timeout evaluation failed: {e}", level=logging.WARNING)
 
     if request.path.startswith('/api/'):
+        if not has_valid_last_activity_epoch:
+            session['last_activity_epoch'] = now_epoch
+            session.modified = True
         return None
 
     session['last_activity_epoch'] = now_epoch
diff --git a/docs/explanation/fixes/IDLE_SESSION_API_ACTIVITY_SEED_FIX.md b/docs/explanation/fixes/IDLE_SESSION_API_ACTIVITY_SEED_FIX.md
new file mode 100644
index 00000000..3791973b
--- /dev/null
+++ b/docs/explanation/fixes/IDLE_SESSION_API_ACTIVITY_SEED_FIX.md
@@ -0,0 +1,36 @@
+# IDLE SESSION API ACTIVITY SEED FIX
+
+## Header Information
+
+- **Fix Title**: Idle timeout API activity timestamp seeding
+- **Issue Description**: `enforce_idle_session_timeout()` returned early for `/api/...` requests without updating `session['last_activity_epoch']`. If an authenticated session did not already have that key, idle-timeout tracking could fail to start for API-only traffic.
+- **Root Cause Analysis**: API-path early return happened before timestamp update logic, and the function only updated `last_activity_epoch` for non-API requests (or when idle-timeout was disabled).
+- **Version Implemented**: **0.239.006**
+- **Related Config Update**: `application/single_app/config.py` updated to `VERSION = "0.239.006"`.
+
+## Technical Details
+
+- **Files Modified**:
+  - `application/single_app/app.py`
+  - `functional_tests/test_idle_logout_timeout.py`
+  - `application/single_app/config.py`
+- **Code Changes Summary**:
+  - Added `has_valid_last_activity_epoch` tracking in `enforce_idle_session_timeout()`.
+  - For API requests, seed `session['last_activity_epoch']` only when the existing value is missing or invalid, then return.
+  - Kept existing behavior where non-API requests refresh activity timestamp normally.
+  - Added AST regression assertion to ensure API-path timestamp seeding remains wired.
+- **Testing Approach**:
+  - Functional AST wiring checks in `functional_tests/test_idle_logout_timeout.py` now assert API-path `last_activity_epoch` assignment logic.
+- **Impact Analysis**:
+  - Eliminates idle-timeout bypass risk for authenticated API-only sessions lacking initial activity timestamp.
+  - Avoids changing existing design where every API request does not automatically extend active session lifetime.
+
+## Validation
+
+- **Test Results**:
+  - Updated idle-timeout functional test validates the API-path timestamp seeding wiring.
+- **Before/After Comparison**:
+  - **Before**: API requests could return without ever initializing `last_activity_epoch`.
+  - **After**: API requests initialize `last_activity_epoch` when missing/invalid, enabling consistent timeout enforcement.
+- **User Experience Improvements**:
+  - Idle-timeout behavior is consistent for users interacting mainly through API traffic while preserving expected session-expiry behavior.
diff --git a/docs/explanation/release_notes.md b/docs/explanation/release_notes.md
index 21c4cb9b..401a34ed 100644
--- a/docs/explanation/release_notes.md
+++ b/docs/explanation/release_notes.md
@@ -13,7 +13,7 @@
     *   Idle logout and idle warning values are validated and auto-fixed as needed.
     *   Added a new admin switch to enable or disable idle session timeout and warning behavior.
     *   Timeout and warning inputs are grouped under a toggleable section in General > System Settings.
-    *   (Ref: `application/single_app/templates/admin_settings.html`, `application/single_app/static/js/admin/admin_settings.js`, `application/single_app/route_frontend_admin_settings.py`, `application/single_app/functions_settings.py`, `application/single_app/app.py`, `application/single_app/templates/base.html`, `application/single_app/static/js/idle-logout-warning.js`, `application/single_app/config.py`, `functional_tests/test_idle_logout_timeout.py`, `application/single_app/route_frontend_authentication.py`,)
+    *   (Ref: `application/single_app/templates/admin_settings.html`, `application/single_app/static/js/admin/admin_settings.js`, `application/single_app/route_frontend_admin_settings.py`, `application/single_app/functions_settings.py`, `application/single_app/app.py`, `application/single_app/templates/base.html`, `application/single_app/static/js/idle-logout-warning.js`, `application/single_app/config.py`, `functional_tests/test_idle_logout_timeout.py`, `application/single_app/route_frontend_authentication.py`)
 
 #### Bug Fixes
 
diff --git a/functional_tests/test_idle_logout_timeout.py b/functional_tests/test_idle_logout_timeout.py
index ae67d9a9..1b81e937 100644
--- a/functional_tests/test_idle_logout_timeout.py
+++ b/functional_tests/test_idle_logout_timeout.py
@@ -178,8 +178,46 @@ def test_server_idle_timeout_wiring():
         ):
             has_local_logout_redirect = True
 
+    has_api_activity_seed_assignment = False
+    for node in ast.walk(enforce_idle_timeout_def):
+        if not isinstance(node, ast.If):
+            continue
+
+        test_node = node.test
+        is_api_path_check = (
+            isinstance(test_node, ast.Call)
+            and isinstance(test_node.func, ast.Attribute)
+            and isinstance(test_node.func.value, ast.Attribute)
+            and isinstance(test_node.func.value.value, ast.Name)
+            and test_node.func.value.value.id == "request"
+            and test_node.func.value.attr == "path"
+            and test_node.func.attr == "startswith"
+            and len(test_node.args) == 1
+            and isinstance(test_node.args[0], ast.Constant)
+            and test_node.args[0].value == "/api/"
+        )
+        if not is_api_path_check:
+            continue
+
+        has_seed_assign_in_api_block = any(
+            isinstance(inner_node, ast.Assign)
+            and len(inner_node.targets) == 1
+            and isinstance(inner_node.targets[0], ast.Subscript)
+            and isinstance(inner_node.targets[0].value, ast.Name)
+            and inner_node.targets[0].value.id == "session"
+            and isinstance(inner_node.targets[0].slice, ast.Constant)
+            and inner_node.targets[0].slice.value == "last_activity_epoch"
+            and isinstance(inner_node.value, ast.Name)
+            and inner_node.value.id == "now_epoch"
+            for inner_node in ast.walk(node)
+        )
+        if has_seed_assign_in_api_block:
+            has_api_activity_seed_assignment = True
+            break
+
     assert has_is_idle_timeout_enabled_guard, "Missing 'if not is_idle_timeout_enabled(request_settings)' guard"
     assert has_local_logout_redirect, "Missing redirect(url_for('local_logout')) in enforce_idle_session_timeout"
+    assert has_api_activity_seed_assignment, "Missing API-path last_activity_epoch seeding in enforce_idle_session_timeout"
 
     session_heartbeat_def = _find_top_level_function(app_tree, "session_heartbeat")
     has_heartbeat_refresh_call = False

From dce26d7ff2fac5f3af2040d90e7e47de45051fa7 Mon Sep 17 00:00:00 2001
From: Chad Palmer <chadpalmer@gmail.com>
Date: Thu, 12 Mar 2026 17:34:05 +0000
Subject: [PATCH 12/27] feedback-user-timeout - Adjusted idle timeout
 initialization to account for extreme edge case.

---
 .../static/js/idle-logout-warning.js          |  4 +--
 .../fixes/IDLE_HEARTBEAT_INTERVAL_FIX.md      | 35 +++++++++++++++++++
 functional_tests/test_idle_logout_timeout.py  |  2 ++
 3 files changed, 39 insertions(+), 2 deletions(-)
 create mode 100644 docs/explanation/fixes/IDLE_HEARTBEAT_INTERVAL_FIX.md

diff --git a/application/single_app/static/js/idle-logout-warning.js b/application/single_app/static/js/idle-logout-warning.js
index 18e47bb6..8a3dea63 100644
--- a/application/single_app/static/js/idle-logout-warning.js
+++ b/application/single_app/static/js/idle-logout-warning.js
@@ -54,9 +54,9 @@
         let logoutDeadlineMs = null;
         let isRefreshingSession = false;
         let lastActivityResetAt = 0;
-        let lastServerHeartbeatAt = Date.now();
+        let lastServerHeartbeatAt = 0;
 
-        const HEARTBEAT_MIN_INTERVAL_MS = 60000;
+        const HEARTBEAT_MIN_INTERVAL_MS = Math.min(60000, timeoutMs / 2);
 
         const activityEvents = [
             'mousedown',
diff --git a/docs/explanation/fixes/IDLE_HEARTBEAT_INTERVAL_FIX.md b/docs/explanation/fixes/IDLE_HEARTBEAT_INTERVAL_FIX.md
new file mode 100644
index 00000000..30592069
--- /dev/null
+++ b/docs/explanation/fixes/IDLE_HEARTBEAT_INTERVAL_FIX.md
@@ -0,0 +1,35 @@
+# IDLE HEARTBEAT INTERVAL FIX
+
+## Header Information
+
+- **Fix Title**: Idle heartbeat timing alignment for short timeout configurations
+- **Issue Description**: The client initialized `lastServerHeartbeatAt` with `Date.now()` and used a fixed 60-second heartbeat minimum interval. With `timeoutMinutes = 1`, active users could miss a heartbeat before server-side timeout and be logged out unexpectedly.
+- **Root Cause Analysis**: Heartbeat throttling was static and did not account for short configured timeout windows, delaying the first heartbeat too long for aggressive timeout settings.
+- **Version Implemented**: **0.239.007**
+- **Related Config Update**: `application/single_app/config.py` updated to `VERSION = "0.239.007"`.
+
+## Technical Details
+
+- **Files Modified**:
+  - `application/single_app/static/js/idle-logout-warning.js`
+  - `functional_tests/test_idle_logout_timeout.py`
+  - `application/single_app/config.py`
+- **Code Changes Summary**:
+  - Set `lastServerHeartbeatAt` to `0` so first user activity can trigger an immediate heartbeat.
+  - Replaced fixed heartbeat interval with dynamic interval: `Math.min(60000, timeoutMs / 2)`.
+  - Added functional test markers to assert both initialization and dynamic heartbeat interval logic.
+- **Testing Approach**:
+  - Extended `functional_tests/test_idle_logout_timeout.py` JavaScript wiring assertions.
+- **Impact Analysis**:
+  - Prevents active users from timing out in short (1-minute) idle-timeout configurations due to delayed client heartbeat.
+  - Preserves lower heartbeat frequency for normal/larger timeout configurations.
+
+## Validation
+
+- **Test Results**:
+  - Functional idle-timeout test includes marker checks for dynamic heartbeat timing logic.
+- **Before/After Comparison**:
+  - **Before**: First heartbeat could be delayed up to 60 seconds regardless of timeout size.
+  - **After**: First heartbeat is eligible on first activity, and recurring heartbeat interval scales with timeout.
+- **User Experience Improvements**:
+  - More reliable stay-signed-in behavior during active interaction when short idle timeout settings are configured.
diff --git a/functional_tests/test_idle_logout_timeout.py b/functional_tests/test_idle_logout_timeout.py
index 1b81e937..f6dd397d 100644
--- a/functional_tests/test_idle_logout_timeout.py
+++ b/functional_tests/test_idle_logout_timeout.py
@@ -330,6 +330,8 @@ def test_idle_warning_javascript_wiring():
         "scheduleIdleTimers",
         "idleTimeoutWarningModal",
         "idleStaySignedInButton",
+        "let lastServerHeartbeatAt = 0",
+        "const HEARTBEAT_MIN_INTERVAL_MS = Math.min(60000, timeoutMs / 2)",
         "fetch(mergedConfig.heartbeatUrl",
         "const logoutTarget = mergedConfig.localLogoutUrl || mergedConfig.fullSsoLogoutUrl || mergedConfig.logoutUrl",
         "window.location.href = logoutTarget"

From 1de1b06ad004fa229aad260afbea4fd46a9839eb Mon Sep 17 00:00:00 2001
From: Chad Palmer <chadpalmer@gmail.com>
Date: Thu, 12 Mar 2026 18:35:13 +0000
Subject: [PATCH 13/27] feedback-user-timeout - Adjusted idle heartbeat reauth
 handling.

---
 .../static/js/idle-logout-warning.js          | 13 ++++++-
 .../fixes/IDLE_HEARTBEAT_INTERVAL_FIX.md      |  4 +--
 .../IDLE_HEARTBEAT_REAUTH_HANDLING_FIX.md     | 35 +++++++++++++++++++
 functional_tests/test_idle_logout_timeout.py  |  3 ++
 4 files changed, 52 insertions(+), 3 deletions(-)
 create mode 100644 docs/explanation/fixes/IDLE_HEARTBEAT_REAUTH_HANDLING_FIX.md

diff --git a/application/single_app/static/js/idle-logout-warning.js b/application/single_app/static/js/idle-logout-warning.js
index 8a3dea63..bc5e804b 100644
--- a/application/single_app/static/js/idle-logout-warning.js
+++ b/application/single_app/static/js/idle-logout-warning.js
@@ -150,7 +150,18 @@
                 });
 
                 if (!response.ok) {
-                    if (forceLogoutOnFailure) {
+                    let requiresReauth = response.status === 401 || response.status === 403;
+
+                    if (!requiresReauth) {
+                        try {
+                            const responseBody = await response.clone().json();
+                            requiresReauth = Boolean(responseBody && responseBody.requires_reauth);
+                        } catch (_parseError) {
+                            requiresReauth = false;
+                        }
+                    }
+
+                    if (forceLogoutOnFailure || requiresReauth) {
                         logoutNow();
                     }
                     return;
diff --git a/docs/explanation/fixes/IDLE_HEARTBEAT_INTERVAL_FIX.md b/docs/explanation/fixes/IDLE_HEARTBEAT_INTERVAL_FIX.md
index 30592069..46df27bf 100644
--- a/docs/explanation/fixes/IDLE_HEARTBEAT_INTERVAL_FIX.md
+++ b/docs/explanation/fixes/IDLE_HEARTBEAT_INTERVAL_FIX.md
@@ -5,8 +5,8 @@
 - **Fix Title**: Idle heartbeat timing alignment for short timeout configurations
 - **Issue Description**: The client initialized `lastServerHeartbeatAt` with `Date.now()` and used a fixed 60-second heartbeat minimum interval. With `timeoutMinutes = 1`, active users could miss a heartbeat before server-side timeout and be logged out unexpectedly.
 - **Root Cause Analysis**: Heartbeat throttling was static and did not account for short configured timeout windows, delaying the first heartbeat too long for aggressive timeout settings.
-- **Version Implemented**: **0.239.007**
-- **Related Config Update**: `application/single_app/config.py` updated to `VERSION = "0.239.007"`.
+- **Version Implemented**: **0.239.006**
+- **Related Config Update**: `application/single_app/config.py` updated to `VERSION = "0.239.006"`.
 
 ## Technical Details
 
diff --git a/docs/explanation/fixes/IDLE_HEARTBEAT_REAUTH_HANDLING_FIX.md b/docs/explanation/fixes/IDLE_HEARTBEAT_REAUTH_HANDLING_FIX.md
new file mode 100644
index 00000000..25ebc3dd
--- /dev/null
+++ b/docs/explanation/fixes/IDLE_HEARTBEAT_REAUTH_HANDLING_FIX.md
@@ -0,0 +1,35 @@
+# IDLE HEARTBEAT REAUTH HANDLING FIX
+
+## Header Information
+
+- **Fix Title**: Background heartbeat reauth synchronization
+- **Issue Description**: Background heartbeat requests that returned non-OK responses (such as `401` after server-side idle expiry) could return without redirecting, leaving the UI active while the backend session was already cleared.
+- **Root Cause Analysis**: `refreshServerSession()` only forced logout for non-OK responses when `forceLogoutOnFailure` was `true` (user-initiated path), but the background path used `false` and silently returned.
+- **Version Implemented**: **0.239.006**
+- **Related Config Update**: `application/single_app/config.py` updated to `VERSION = "0.239.006"`.
+
+## Technical Details
+
+- **Files Modified**:
+  - `application/single_app/static/js/idle-logout-warning.js`
+  - `functional_tests/test_idle_logout_timeout.py`
+  - `application/single_app/config.py`
+- **Code Changes Summary**:
+  - Added hard-logout handling for heartbeat responses with HTTP `401`/`403` even in background heartbeat mode.
+  - Added fallback parsing of non-OK JSON payloads to check `requires_reauth` and trigger logout accordingly.
+  - Kept existing behavior where transient non-auth failures still avoid forced logout for background heartbeats.
+- **Testing Approach**:
+  - Extended `functional_tests/test_idle_logout_timeout.py` JavaScript marker assertions for status-based and payload-based reauth handling.
+- **Impact Analysis**:
+  - Prevents client/server auth-state divergence after backend session expiration.
+  - Reduces false “still signed in” UI state when the server has already invalidated the session.
+
+## Validation
+
+- **Test Results**:
+  - Idle-timeout functional test validates the new reauth marker logic in heartbeat handling.
+- **Before/After Comparison**:
+  - **Before**: Non-user-initiated heartbeats could silently ignore server reauth responses.
+  - **After**: Background heartbeats force logout on auth-failure signals (`401`, `403`, or `requires_reauth`).
+- **User Experience Improvements**:
+  - Consistent logout behavior when session expiration is detected during background activity monitoring.
diff --git a/functional_tests/test_idle_logout_timeout.py b/functional_tests/test_idle_logout_timeout.py
index f6dd397d..1988e686 100644
--- a/functional_tests/test_idle_logout_timeout.py
+++ b/functional_tests/test_idle_logout_timeout.py
@@ -332,6 +332,9 @@ def test_idle_warning_javascript_wiring():
         "idleStaySignedInButton",
         "let lastServerHeartbeatAt = 0",
         "const HEARTBEAT_MIN_INTERVAL_MS = Math.min(60000, timeoutMs / 2)",
+        "response.status === 401 || response.status === 403",
+        "const responseBody = await response.clone().json()",
+        "responseBody && responseBody.requires_reauth",
         "fetch(mergedConfig.heartbeatUrl",
         "const logoutTarget = mergedConfig.localLogoutUrl || mergedConfig.fullSsoLogoutUrl || mergedConfig.logoutUrl",
         "window.location.href = logoutTarget"

From 567d661587b021cd2cd27818e5e4b9a8d9ee013a Mon Sep 17 00:00:00 2001
From: Chad Palmer <chadpalmer@gmail.com>
Date: Thu, 12 Mar 2026 20:21:28 +0000
Subject: [PATCH 14/27] feedback-user-timeout - Moved fixes documentation into
 v0.239.006 folder to follow pattern.

---
 .../{ => v0.239.006}/ADMIN_SETTINGS_SAFE_INT_FALLBACK_FIX.md      | 0
 .../fixes/{ => v0.239.006}/IDLE_HEARTBEAT_INTERVAL_FIX.md         | 0
 .../fixes/{ => v0.239.006}/IDLE_HEARTBEAT_REAUTH_HANDLING_FIX.md  | 0
 .../fixes/{ => v0.239.006}/IDLE_SESSION_API_ACTIVITY_SEED_FIX.md  | 0
 .../fixes/{ => v0.239.006}/SETTINGS_DEEP_MERGE_PERSISTENCE_FIX.md | 0
 5 files changed, 0 insertions(+), 0 deletions(-)
 rename docs/explanation/fixes/{ => v0.239.006}/ADMIN_SETTINGS_SAFE_INT_FALLBACK_FIX.md (100%)
 rename docs/explanation/fixes/{ => v0.239.006}/IDLE_HEARTBEAT_INTERVAL_FIX.md (100%)
 rename docs/explanation/fixes/{ => v0.239.006}/IDLE_HEARTBEAT_REAUTH_HANDLING_FIX.md (100%)
 rename docs/explanation/fixes/{ => v0.239.006}/IDLE_SESSION_API_ACTIVITY_SEED_FIX.md (100%)
 rename docs/explanation/fixes/{ => v0.239.006}/SETTINGS_DEEP_MERGE_PERSISTENCE_FIX.md (100%)

diff --git a/docs/explanation/fixes/ADMIN_SETTINGS_SAFE_INT_FALLBACK_FIX.md b/docs/explanation/fixes/v0.239.006/ADMIN_SETTINGS_SAFE_INT_FALLBACK_FIX.md
similarity index 100%
rename from docs/explanation/fixes/ADMIN_SETTINGS_SAFE_INT_FALLBACK_FIX.md
rename to docs/explanation/fixes/v0.239.006/ADMIN_SETTINGS_SAFE_INT_FALLBACK_FIX.md
diff --git a/docs/explanation/fixes/IDLE_HEARTBEAT_INTERVAL_FIX.md b/docs/explanation/fixes/v0.239.006/IDLE_HEARTBEAT_INTERVAL_FIX.md
similarity index 100%
rename from docs/explanation/fixes/IDLE_HEARTBEAT_INTERVAL_FIX.md
rename to docs/explanation/fixes/v0.239.006/IDLE_HEARTBEAT_INTERVAL_FIX.md
diff --git a/docs/explanation/fixes/IDLE_HEARTBEAT_REAUTH_HANDLING_FIX.md b/docs/explanation/fixes/v0.239.006/IDLE_HEARTBEAT_REAUTH_HANDLING_FIX.md
similarity index 100%
rename from docs/explanation/fixes/IDLE_HEARTBEAT_REAUTH_HANDLING_FIX.md
rename to docs/explanation/fixes/v0.239.006/IDLE_HEARTBEAT_REAUTH_HANDLING_FIX.md
diff --git a/docs/explanation/fixes/IDLE_SESSION_API_ACTIVITY_SEED_FIX.md b/docs/explanation/fixes/v0.239.006/IDLE_SESSION_API_ACTIVITY_SEED_FIX.md
similarity index 100%
rename from docs/explanation/fixes/IDLE_SESSION_API_ACTIVITY_SEED_FIX.md
rename to docs/explanation/fixes/v0.239.006/IDLE_SESSION_API_ACTIVITY_SEED_FIX.md
diff --git a/docs/explanation/fixes/SETTINGS_DEEP_MERGE_PERSISTENCE_FIX.md b/docs/explanation/fixes/v0.239.006/SETTINGS_DEEP_MERGE_PERSISTENCE_FIX.md
similarity index 100%
rename from docs/explanation/fixes/SETTINGS_DEEP_MERGE_PERSISTENCE_FIX.md
rename to docs/explanation/fixes/v0.239.006/SETTINGS_DEEP_MERGE_PERSISTENCE_FIX.md

From c87df0a0556fbee10923dc6b0366bb4889aa9efd Mon Sep 17 00:00:00 2001
From: Chad Palmer <chadpalmer@gmail.com>
Date: Fri, 13 Mar 2026 17:23:15 +0000
Subject: [PATCH 15/27] feedback-user-timeout - Updated doc folder name to
 match new update version.

---
 .../ADMIN_SETTINGS_SAFE_INT_FALLBACK_FIX.md   | 49 +++++++++++++++++
 .../v0.239.012/IDLE_HEARTBEAT_INTERVAL_FIX.md | 35 +++++++++++++
 .../IDLE_HEARTBEAT_REAUTH_HANDLING_FIX.md     | 35 +++++++++++++
 .../IDLE_SESSION_API_ACTIVITY_SEED_FIX.md     | 36 +++++++++++++
 .../SETTINGS_DEEP_MERGE_PERSISTENCE_FIX.md    | 52 +++++++++++++++++++
 5 files changed, 207 insertions(+)
 create mode 100644 docs/explanation/fixes/v0.239.012/ADMIN_SETTINGS_SAFE_INT_FALLBACK_FIX.md
 create mode 100644 docs/explanation/fixes/v0.239.012/IDLE_HEARTBEAT_INTERVAL_FIX.md
 create mode 100644 docs/explanation/fixes/v0.239.012/IDLE_HEARTBEAT_REAUTH_HANDLING_FIX.md
 create mode 100644 docs/explanation/fixes/v0.239.012/IDLE_SESSION_API_ACTIVITY_SEED_FIX.md
 create mode 100644 docs/explanation/fixes/v0.239.012/SETTINGS_DEEP_MERGE_PERSISTENCE_FIX.md

diff --git a/docs/explanation/fixes/v0.239.012/ADMIN_SETTINGS_SAFE_INT_FALLBACK_FIX.md b/docs/explanation/fixes/v0.239.012/ADMIN_SETTINGS_SAFE_INT_FALLBACK_FIX.md
new file mode 100644
index 00000000..f57e0b45
--- /dev/null
+++ b/docs/explanation/fixes/v0.239.012/ADMIN_SETTINGS_SAFE_INT_FALLBACK_FIX.md
@@ -0,0 +1,49 @@
+# ADMIN SETTINGS SAFE INT FALLBACK FIX
+
+## Overview
+
+- **Issue**: Admin settings save flow could throw a `TypeError` when `safe_int()` returned a non-integer fallback value.
+- **Root Cause**: `safe_int()` returned `fallback_value` as-is after parse failure; if persisted fallback values were malformed (for example strings that cannot be converted), subsequent `max(1, ...)` / `max(0, ...)` operations could fail.
+- **Fixed/Implemented in version: `0.239.012`**
+- **Related version update**: `application/single_app/config.py` updated to `VERSION = "0.239.012"`.
+
+## Technical Details
+
+### Files Modified
+
+- `application/single_app/route_frontend_admin_settings.py`
+- `application/single_app/admin_settings_int_utils.py`
+- `application/single_app/config.py`
+- `functional_tests/test_admin_settings_safe_int_fallback_fix.py`
+- `functional_tests/test_idle_logout_timeout.py`
+- `functional_tests/test_settings_deep_merge_persistence_fix.py`
+
+### Code Changes Summary
+
+- Extracted integer parsing into module-level helper functions (`safe_int`, `safe_int_with_source`) in `admin_settings_int_utils.py`.
+- Updated admin settings route to use the extracted helper while preserving existing fallback and hard-default `log_event` diagnostics.
+- Kept idle-timeout call sites using explicit hard defaults (`30` and `28`).
+
+### Testing Approach
+
+- Refactored `functional_tests/test_admin_settings_safe_int_fallback_fix.py` to behavior-level helper tests (malformed raw and fallback values) plus AST route wiring validation.
+- Kept existing functional tests version-aligned with release version.
+
+### Impact Analysis
+
+- Prevents runtime `TypeError` in admin settings save flow for malformed persisted fallback values.
+- Improves resiliency of idle-timeout configuration handling without changing intended behavior for valid values.
+
+## Validation
+
+### Before
+
+- Invalid form input could cause `safe_int()` to return non-int fallback values, potentially raising `TypeError` in `max()`.
+
+### After
+
+- `safe_int()` always returns a valid integer from raw input, parsed fallback, or hard default.
+
+### Test Result
+
+- Verified by running `py -3 functional_tests/test_admin_settings_safe_int_fallback_fix.py`.
diff --git a/docs/explanation/fixes/v0.239.012/IDLE_HEARTBEAT_INTERVAL_FIX.md b/docs/explanation/fixes/v0.239.012/IDLE_HEARTBEAT_INTERVAL_FIX.md
new file mode 100644
index 00000000..68f52386
--- /dev/null
+++ b/docs/explanation/fixes/v0.239.012/IDLE_HEARTBEAT_INTERVAL_FIX.md
@@ -0,0 +1,35 @@
+# IDLE HEARTBEAT INTERVAL FIX
+
+## Header Information
+
+- **Fix Title**: Idle heartbeat timing alignment for short timeout configurations
+- **Issue Description**: The client initialized `lastServerHeartbeatAt` with `Date.now()` and used a fixed 60-second heartbeat minimum interval. With `timeoutMinutes = 1`, active users could miss a heartbeat before server-side timeout and be logged out unexpectedly.
+- **Root Cause Analysis**: Heartbeat throttling was static and did not account for short configured timeout windows, delaying the first heartbeat too long for aggressive timeout settings.
+- **Version Implemented**: **0.239.012**
+- **Related Config Update**: `application/single_app/config.py` updated to `VERSION = "0.239.012"`.
+
+## Technical Details
+
+- **Files Modified**:
+  - `application/single_app/static/js/idle-logout-warning.js`
+  - `functional_tests/test_idle_logout_timeout.py`
+  - `application/single_app/config.py`
+- **Code Changes Summary**:
+  - Set `lastServerHeartbeatAt` to `0` so first user activity can trigger an immediate heartbeat.
+  - Replaced fixed heartbeat interval with dynamic interval: `Math.min(60000, timeoutMs / 2)`.
+  - Added functional test markers to assert both initialization and dynamic heartbeat interval logic.
+- **Testing Approach**:
+  - Extended `functional_tests/test_idle_logout_timeout.py` JavaScript wiring assertions.
+- **Impact Analysis**:
+  - Prevents active users from timing out in short (1-minute) idle-timeout configurations due to delayed client heartbeat.
+  - Preserves lower heartbeat frequency for normal/larger timeout configurations.
+
+## Validation
+
+- **Test Results**:
+  - Functional idle-timeout test includes marker checks for dynamic heartbeat timing logic.
+- **Before/After Comparison**:
+  - **Before**: First heartbeat could be delayed up to 60 seconds regardless of timeout size.
+  - **After**: First heartbeat is eligible on first activity, and recurring heartbeat interval scales with timeout.
+- **User Experience Improvements**:
+  - More reliable stay-signed-in behavior during active interaction when short idle timeout settings are configured.
diff --git a/docs/explanation/fixes/v0.239.012/IDLE_HEARTBEAT_REAUTH_HANDLING_FIX.md b/docs/explanation/fixes/v0.239.012/IDLE_HEARTBEAT_REAUTH_HANDLING_FIX.md
new file mode 100644
index 00000000..b7719726
--- /dev/null
+++ b/docs/explanation/fixes/v0.239.012/IDLE_HEARTBEAT_REAUTH_HANDLING_FIX.md
@@ -0,0 +1,35 @@
+# IDLE HEARTBEAT REAUTH HANDLING FIX
+
+## Header Information
+
+- **Fix Title**: Background heartbeat reauth synchronization
+- **Issue Description**: Background heartbeat requests that returned non-OK responses (such as `401` after server-side idle expiry) could return without redirecting, leaving the UI active while the backend session was already cleared.
+- **Root Cause Analysis**: `refreshServerSession()` only forced logout for non-OK responses when `forceLogoutOnFailure` was `true` (user-initiated path), but the background path used `false` and silently returned.
+- **Version Implemented**: **0.239.012**
+- **Related Config Update**: `application/single_app/config.py` updated to `VERSION = "0.239.012"`.
+
+## Technical Details
+
+- **Files Modified**:
+  - `application/single_app/static/js/idle-logout-warning.js`
+  - `functional_tests/test_idle_logout_timeout.py`
+  - `application/single_app/config.py`
+- **Code Changes Summary**:
+  - Added hard-logout handling for heartbeat responses with HTTP `401`/`403` even in background heartbeat mode.
+  - Added fallback parsing of non-OK JSON payloads to check `requires_reauth` and trigger logout accordingly.
+  - Kept existing behavior where transient non-auth failures still avoid forced logout for background heartbeats.
+- **Testing Approach**:
+  - Extended `functional_tests/test_idle_logout_timeout.py` JavaScript marker assertions for status-based and payload-based reauth handling.
+- **Impact Analysis**:
+  - Prevents client/server auth-state divergence after backend session expiration.
+  - Reduces false “still signed in” UI state when the server has already invalidated the session.
+
+## Validation
+
+- **Test Results**:
+  - Idle-timeout functional test validates the new reauth marker logic in heartbeat handling.
+- **Before/After Comparison**:
+  - **Before**: Non-user-initiated heartbeats could silently ignore server reauth responses.
+  - **After**: Background heartbeats force logout on auth-failure signals (`401`, `403`, or `requires_reauth`).
+- **User Experience Improvements**:
+  - Consistent logout behavior when session expiration is detected during background activity monitoring.
diff --git a/docs/explanation/fixes/v0.239.012/IDLE_SESSION_API_ACTIVITY_SEED_FIX.md b/docs/explanation/fixes/v0.239.012/IDLE_SESSION_API_ACTIVITY_SEED_FIX.md
new file mode 100644
index 00000000..68055a95
--- /dev/null
+++ b/docs/explanation/fixes/v0.239.012/IDLE_SESSION_API_ACTIVITY_SEED_FIX.md
@@ -0,0 +1,36 @@
+# IDLE SESSION API ACTIVITY SEED FIX
+
+## Header Information
+
+- **Fix Title**: Idle timeout API activity timestamp seeding
+- **Issue Description**: `enforce_idle_session_timeout()` returned early for `/api/...` requests without updating `session['last_activity_epoch']`. If an authenticated session did not already have that key, idle-timeout tracking could fail to start for API-only traffic.
+- **Root Cause Analysis**: API-path early return happened before timestamp update logic, and the function only updated `last_activity_epoch` for non-API requests (or when idle-timeout was disabled).
+- **Version Implemented**: **0.239.012**
+- **Related Config Update**: `application/single_app/config.py` updated to `VERSION = "0.239.012"`.
+
+## Technical Details
+
+- **Files Modified**:
+  - `application/single_app/app.py`
+  - `functional_tests/test_idle_logout_timeout.py`
+  - `application/single_app/config.py`
+- **Code Changes Summary**:
+  - Added `has_valid_last_activity_epoch` tracking in `enforce_idle_session_timeout()`.
+  - For API requests, seed `session['last_activity_epoch']` only when the existing value is missing or invalid, then return.
+  - Kept existing behavior where non-API requests refresh activity timestamp normally.
+  - Added AST regression assertion to ensure API-path timestamp seeding remains wired.
+- **Testing Approach**:
+  - Functional AST wiring checks in `functional_tests/test_idle_logout_timeout.py` now assert API-path `last_activity_epoch` assignment logic.
+- **Impact Analysis**:
+  - Eliminates idle-timeout bypass risk for authenticated API-only sessions lacking initial activity timestamp.
+  - Avoids changing existing design where every API request does not automatically extend active session lifetime.
+
+## Validation
+
+- **Test Results**:
+  - Updated idle-timeout functional test validates the API-path timestamp seeding wiring.
+- **Before/After Comparison**:
+  - **Before**: API requests could return without ever initializing `last_activity_epoch`.
+  - **After**: API requests initialize `last_activity_epoch` when missing/invalid, enabling consistent timeout enforcement.
+- **User Experience Improvements**:
+  - Idle-timeout behavior is consistent for users interacting mainly through API traffic while preserving expected session-expiry behavior.
diff --git a/docs/explanation/fixes/v0.239.012/SETTINGS_DEEP_MERGE_PERSISTENCE_FIX.md b/docs/explanation/fixes/v0.239.012/SETTINGS_DEEP_MERGE_PERSISTENCE_FIX.md
new file mode 100644
index 00000000..9557036d
--- /dev/null
+++ b/docs/explanation/fixes/v0.239.012/SETTINGS_DEEP_MERGE_PERSISTENCE_FIX.md
@@ -0,0 +1,52 @@
+# SETTINGS DEEP MERGE PERSISTENCE FIX
+
+## Overview
+
+- **Issue**: App settings default-key merge changes were not being persisted back to Cosmos DB.
+- **Root Cause**: `deep_merge_dicts(default_settings, settings_item)` mutates `settings_item` in place, and `get_settings()` compared `merged` against the same mutated object, so `merged != settings_item` evaluated false.
+- **Fixed/Implemented in version: `0.239.012`**
+- **Related version update**: `application/single_app/config.py` updated to `VERSION = "0.239.012"`.
+
+## Technical Details
+
+### Files Modified
+
+- `application/single_app/functions_settings.py`
+- `application/single_app/config.py`
+- `functional_tests/test_settings_deep_merge_persistence_fix.py`
+
+### Code Changes Summary
+
+- Added `import copy` in `functions_settings.py`.
+- Captured a pre-merge snapshot with `original_settings_item = copy.deepcopy(settings_item)`.
+- Updated change detection to compare `merged` against `original_settings_item`.
+- Preserved existing merge behavior and upsert/logging flow.
+
+### Testing Approach
+
+- Added functional regression test: `functional_tests/test_settings_deep_merge_persistence_fix.py`.
+- Test validates marker-based wiring for:
+  - deep-copy snapshot creation,
+  - comparison against pre-merge state,
+  - Cosmos upsert path availability,
+  - version alignment in `config.py`.
+
+### Impact Analysis
+
+- Restores intended persistence behavior for newly introduced default settings keys.
+- Reduces risk of drift between in-memory merged settings and persisted Cosmos settings.
+- Maintains compatibility with existing callers and return shapes.
+
+## Validation
+
+### Before
+
+- Missing default keys could be merged in memory but not persisted, because the change check compared a mutated object to itself.
+
+### After
+
+- Missing default keys trigger the upsert path and persistence logging because merge output is compared against a deep-copied pre-merge snapshot.
+
+### Test Result
+
+- Verified by running `py -3 functional_tests/test_settings_deep_merge_persistence_fix.py`.

From 8daeecc487e03c60976bc7a59ce490259e96693a Mon Sep 17 00:00:00 2001
From: Chad Palmer <chadpalmer@gmail.com>
Date: Fri, 13 Mar 2026 19:32:45 +0000
Subject: [PATCH 16/27] trigger cla check


From a5a95f40d828c7ffbd58be27b2a260dff6d7d54b Mon Sep 17 00:00:00 2001
From: Chad Palmer <chadpalmer@gmail.com>
Date: Mon, 16 Mar 2026 21:34:28 +0000
Subject: [PATCH 17/27] feedback-user-timeout - Updated default idle enabled
 values to false, added default values to admin settings and moved global
 config variables to config.py file.

---
 application/single_app/app.py                 | 17 +----
 application/single_app/config.py              | 17 +++++
 application/single_app/functions_settings.py  |  2 +-
 .../route_frontend_admin_settings.py          |  8 +++
 .../single_app/templates/admin_settings.html  |  4 +-
 application/single_app/templates/base.html    |  2 +-
 functional_tests/test_idle_logout_timeout.py  | 70 +++++++++++++++----
 7 files changed, 85 insertions(+), 35 deletions(-)

diff --git a/application/single_app/app.py b/application/single_app/app.py
index 9f62fbe6..423c1b8a 100644
--- a/application/single_app/app.py
+++ b/application/single_app/app.py
@@ -532,7 +532,7 @@ def is_idle_timeout_enabled(settings=None):
     if settings is None:
         settings = get_request_settings()
 
-    enabled_raw = settings.get('enable_idle_timeout', True)
+    enabled_raw = settings.get('enable_idle_timeout', False)
 
     if isinstance(enabled_raw, str):
         return enabled_raw.strip().lower() in ('1', 'true', 'yes', 'on')
@@ -672,21 +672,6 @@ def reload_kernel_if_needed():
         """
         setattr(builtins, "kernel_reload_needed", False)
 
-IDLE_TIMEOUT_EXEMPT_PATHS = {
-    '/login',
-    '/logout',
-    '/logout/local',
-    '/getAToken',
-    '/getATokenApi',
-    '/robots933456.txt',
-    '/favicon.ico'
-}
-
-IDLE_TIMEOUT_EXEMPT_PREFIXES = (
-    '/static/',
-    '/health',
-    '/api/health'
-)
 
 def _is_idle_timeout_exempt(path):
     """
diff --git a/application/single_app/config.py b/application/single_app/config.py
index d7820228..6bf31105 100644
--- a/application/single_app/config.py
+++ b/application/single_app/config.py
@@ -186,6 +186,23 @@ def get_allowed_extensions(enable_video=False, enable_audio=False):
 CUSTOM_OIDC_METADATA_URL_VALUE = os.getenv("CUSTOM_OIDC_METADATA_URL_VALUE", "")
 
 
+# Optional User Idle Timeout Configuration
+IDLE_TIMEOUT_EXEMPT_PATHS = {
+    '/login',
+    '/logout',
+    '/logout/local',
+    '/getAToken',
+    '/getATokenApi',
+    '/robots933456.txt',
+    '/favicon.ico'
+}
+
+IDLE_TIMEOUT_EXEMPT_PREFIXES = (
+    '/static/',
+    '/health',
+    '/api/health'
+)
+
 # Azure AD Configuration
 CLIENT_ID = os.getenv("CLIENT_ID")
 APP_URI = f"api://{CLIENT_ID}"
diff --git a/application/single_app/functions_settings.py b/application/single_app/functions_settings.py
index c8d97a47..f447440c 100644
--- a/application/single_app/functions_settings.py
+++ b/application/single_app/functions_settings.py
@@ -260,7 +260,7 @@ def get_settings(use_cosmos=False, include_source=False):
         # Other
         'max_file_size_mb': 150,
         'conversation_history_limit': 10,
-        'enable_idle_timeout': True,
+        'enable_idle_timeout': False,
         'idle_timeout_minutes': 30,
         'idle_warning_minutes': 28,
         'default_system_prompt': '',
diff --git a/application/single_app/route_frontend_admin_settings.py b/application/single_app/route_frontend_admin_settings.py
index 70805a7f..99a2171e 100644
--- a/application/single_app/route_frontend_admin_settings.py
+++ b/application/single_app/route_frontend_admin_settings.py
@@ -204,6 +204,14 @@ def admin_settings():
         if 'multimodal_vision_model' not in settings:
             settings['multimodal_vision_model'] = ''
 
+        # --- Add defaults for user idle timeout ---
+        if 'enable_idle_timeout' not in settings:
+            settings['enable_idle_timeout'] = False
+        if 'idle_timeout_minutes' not in settings:
+            settings['idle_timeout_minutes'] = 30
+        if 'idle_warning_minutes' not in settings:
+            settings['idle_warning_minutes'] = 28
+            
         if request.method == 'GET':
             # --- Model fetching logic remains the same ---
             gpt_deployments = []
diff --git a/application/single_app/templates/admin_settings.html b/application/single_app/templates/admin_settings.html
index c649049a..77d6b217 100644
--- a/application/single_app/templates/admin_settings.html
+++ b/application/single_app/templates/admin_settings.html
@@ -1429,13 +1429,13 @@ <h5>
                             class="form-check-input"
                             id="enable_idle_timeout"
                             name="enable_idle_timeout"
-                            {% if settings.enable_idle_timeout is not defined or settings.enable_idle_timeout %}checked{% endif %}>
+                            {% if settings.enable_idle_timeout %}checked{% endif %}>
                         <label class="form-check-label ms-2" for="enable_idle_timeout">
                             Enable Idle Session Timeout and Warning
                         </label>
                         <i class="bi bi-info-circle ms-2" data-bs-toggle="tooltip" title="When enabled, inactive users receive a warning and are automatically logged out after the configured timeout."></i>
                     </div>
-                    <div id="idle_timeout_settings" class="{% if settings.enable_idle_timeout is defined and not settings.enable_idle_timeout %}d-none{% endif %}">
+                    <div id="idle_timeout_settings" class="{% if settings.enable_idle_timeout is not defined or not settings.enable_idle_timeout %}d-none{% endif %}">
                         <div class="mb-3">
                             <label for="idle_timeout_minutes" class="form-label">Idle Logout Timeout (Minutes)</label>
                             <input
diff --git a/application/single_app/templates/base.html b/application/single_app/templates/base.html
index f9e0983a..674e7e98 100644
--- a/application/single_app/templates/base.html
+++ b/application/single_app/templates/base.html
@@ -354,7 +354,7 @@
   {% if session.get('user') %}
   <script>
     window.idleLogoutConfig = {
-      enabled: {{ idle_timeout_enabled | default(true) | tojson }},
+      enabled: {{ idle_timeout_enabled | default(false) | tojson }},
       timeoutMinutes: {{ idle_timeout_minutes | default(30) | int }},
       warningMinutes: {{ idle_warning_minutes | default(28) | int }},
       heartbeatUrl: "{{ url_for('session_heartbeat') }}",
diff --git a/functional_tests/test_idle_logout_timeout.py b/functional_tests/test_idle_logout_timeout.py
index 11756009..ebc2ac8f 100644
--- a/functional_tests/test_idle_logout_timeout.py
+++ b/functional_tests/test_idle_logout_timeout.py
@@ -48,6 +48,53 @@ def _find_nested_function(parent_function, function_name):
     return None
 
 
+def _extract_constant_string_set(value_node):
+    """Extract constant string values from supported AST set expressions."""
+    if isinstance(value_node, ast.Set):
+        return {
+            element.value
+            for element in value_node.elts
+            if isinstance(element, ast.Constant) and isinstance(element.value, str)
+        }
+
+    if (
+        isinstance(value_node, ast.Call)
+        and isinstance(value_node.func, ast.Name)
+        and value_node.func.id == "set"
+        and len(value_node.args) == 1
+        and isinstance(value_node.args[0], (ast.Set, ast.List, ast.Tuple))
+    ):
+        return {
+            element.value
+            for element in value_node.args[0].elts
+            if isinstance(element, ast.Constant) and isinstance(element.value, str)
+        }
+
+    return set()
+
+
+def _get_top_level_constant_string_set(module_tree, variable_name):
+    """Return constant string values for a top-level set variable assignment."""
+    for node in module_tree.body:
+        if isinstance(node, ast.Assign):
+            has_target = any(
+                isinstance(target, ast.Name) and target.id == variable_name
+                for target in node.targets
+            )
+            if has_target:
+                return _extract_constant_string_set(node.value)
+
+        if (
+            isinstance(node, ast.AnnAssign)
+            and isinstance(node.target, ast.Name)
+            and node.target.id == variable_name
+            and node.value is not None
+        ):
+            return _extract_constant_string_set(node.value)
+
+    return set()
+
+
 def test_server_idle_timeout_wiring():
     """Validate idle-timeout and heartbeat backend wiring exists."""
     print("🔍 Testing server-side idle-timeout wiring...")
@@ -55,6 +102,7 @@ def test_server_idle_timeout_wiring():
     _, app_tree = _parse_python_file("application", "single_app", "app.py")
     config_content = _read_file("application", "single_app", "config.py")
     _, auth_tree = _parse_python_file("application", "single_app", "route_frontend_authentication.py")
+    _, config_tree = _parse_python_file("application", "single_app", "config.py")
 
     required_app_functions = [
         "get_idle_timeout_settings",
@@ -132,19 +180,11 @@ def test_server_idle_timeout_wiring():
     assert has_include_source_get_settings, "Missing get_settings(include_source=True) wiring in app.py"
     assert has_record_settings_source_call, "Missing record_request_settings_source(settings_source) wiring in app.py"
 
-    has_idle_timeout_exempt_logout_local = False
-    for node in app_tree.body:
-        if isinstance(node, ast.Assign) and any(
-            isinstance(target, ast.Name) and target.id == "IDLE_TIMEOUT_EXEMPT_PATHS"
-            for target in node.targets
-        ):
-            if isinstance(node.value, ast.Set):
-                has_idle_timeout_exempt_logout_local = any(
-                    isinstance(element, ast.Constant) and element.value == "/logout/local"
-                    for element in node.value.elts
-                )
-
-    assert has_idle_timeout_exempt_logout_local, "Missing '/logout/local' in IDLE_TIMEOUT_EXEMPT_PATHS"
+    idle_timeout_exempt_paths = _get_top_level_constant_string_set(
+        config_tree,
+        "IDLE_TIMEOUT_EXEMPT_PATHS"
+    )
+    assert "/logout/local" in idle_timeout_exempt_paths, "Missing '/logout/local' in IDLE_TIMEOUT_EXEMPT_PATHS"
 
     enforce_idle_timeout_def = _find_top_level_function(app_tree, "enforce_idle_session_timeout")
     has_is_idle_timeout_enabled_guard = False
@@ -305,7 +345,7 @@ def test_base_template_warning_modal_wiring():
         "js/idle-logout-warning.js",
         "localLogoutUrl",
         "fullSsoLogoutUrl",
-        "enabled: {{ idle_timeout_enabled | default(true) | tojson }}",
+        "enabled: {{ idle_timeout_enabled | default(false) | tojson }}",
         "session_heartbeat"
     ]
 
@@ -355,7 +395,7 @@ def test_admin_idle_settings_wiring():
     admin_template_content = _read_file("application", "single_app", "templates", "admin_settings.html")
 
     required_settings_markers = [
-        "'enable_idle_timeout': True",
+        "'enable_idle_timeout': False",
         "'idle_timeout_minutes': 30",
         "'idle_warning_minutes': 28"
     ]

From 296fa939d0ac751e4494c98b964bb72ddfac87ac Mon Sep 17 00:00:00 2001
From: Chad Palmer <chadpalmer@gmail.com>
Date: Tue, 17 Mar 2026 18:20:40 +0000
Subject: [PATCH 18/27] feedback-user-timeout - Addressed issues flagged by
 github copilot.

---
 application/single_app/app.py                 | 43 -------------------
 application/single_app/functions_settings.py  | 13 ++++++
 .../static/js/idle-logout-warning.js          | 17 ++++++--
 application/single_app/templates/base.html    |  4 +-
 functional_tests/test_idle_logout_timeout.py  | 12 +++++-
 5 files changed, 40 insertions(+), 49 deletions(-)

diff --git a/application/single_app/app.py b/application/single_app/app.py
index 423c1b8a..6b9d070b 100644
--- a/application/single_app/app.py
+++ b/application/single_app/app.py
@@ -690,49 +690,6 @@ def _is_idle_timeout_exempt(path):
         return True
     return any(path.startswith(prefix) for prefix in IDLE_TIMEOUT_EXEMPT_PREFIXES)
 
-
-@app.before_request
-def load_request_settings_cache():
-    """
-    Preload request-scoped settings for authenticated, non-exempt requests.
-
-    Args:
-        None
-
-    Returns:
-        None: Always returns None to continue Flask request processing.
-
-    Raises:
-        None: Unexpected settings resolver shapes are logged and converted to safe fallbacks.
-    """
-    g.request_settings = None
-    g.request_settings_source = None
-
-    if request.method == 'OPTIONS' or _is_idle_timeout_exempt(request.path):
-        return None
-
-    if 'user' not in session:
-        return None
-
-    settings_result = get_settings(include_source=True)
-    if isinstance(settings_result, tuple) and len(settings_result) == 2:
-        request_settings, settings_source = settings_result
-    else:
-        request_settings = settings_result
-        settings_source = 'unknown'
-        log_event(
-            "Unexpected settings response shape in load_request_settings_cache.",
-            extra={
-                "path": request.path,
-                "response_type": type(settings_result).__name__
-            },
-            level=logging.WARNING
-        )
-
-    g.request_settings = request_settings or {}
-    record_request_settings_source(settings_source)
-    return None
-
 @app.before_request
 def enforce_idle_session_timeout():
     """
diff --git a/application/single_app/functions_settings.py b/application/single_app/functions_settings.py
index f447440c..191da5ed 100644
--- a/application/single_app/functions_settings.py
+++ b/application/single_app/functions_settings.py
@@ -420,6 +420,19 @@ def _format_result(settings_payload, source):
         # If merging added anything new, upsert back to Cosmos so future reads remain up to date
         if merged != original_settings_item:
             cosmos_settings_container.upsert_item(merged)
+            cache_updater = getattr(app_settings_cache, "update_settings_cache", None)
+            if callable(cache_updater):
+                try:
+                    cache_updater(copy.deepcopy(merged))
+                except Exception as cache_error:
+                    log_event(
+                        "App settings cache update failed after merge upsert.",
+                        extra={
+                            "settings_source": settings_source,
+                            "error": str(cache_error)
+                        },
+                        level=logging.WARNING
+                    )
             print("App Settings had missing keys and was updated in Cosmos DB.")
             log_event(
                 "App settings missing keys were merged and persisted to Cosmos DB.",
diff --git a/application/single_app/static/js/idle-logout-warning.js b/application/single_app/static/js/idle-logout-warning.js
index bc5e804b..dd735f6d 100644
--- a/application/single_app/static/js/idle-logout-warning.js
+++ b/application/single_app/static/js/idle-logout-warning.js
@@ -53,6 +53,7 @@
         let countdownInterval = null;
         let logoutDeadlineMs = null;
         let isRefreshingSession = false;
+        let pendingUserInitiatedRefresh = false;
         let lastActivityResetAt = 0;
         let lastServerHeartbeatAt = 0;
 
@@ -130,11 +131,16 @@
 
         async function refreshServerSession(forceLogoutOnFailure, userInitiated) {
             if (isRefreshingSession) {
+                if (userInitiated) {
+                    pendingUserInitiatedRefresh = true;
+                    staySignedInButton.disabled = true;
+                }
                 return;
             }
 
             isRefreshingSession = true;
-            if (userInitiated) {
+            const isUserInitiatedRefresh = Boolean(userInitiated);
+            if (isUserInitiatedRefresh) {
                 staySignedInButton.disabled = true;
             }
 
@@ -169,7 +175,7 @@
 
                 lastServerHeartbeatAt = Date.now();
 
-                if (userInitiated) {
+                if (isUserInitiatedRefresh) {
                     hideWarningModal();
                     scheduleIdleTimers();
                 }
@@ -180,9 +186,14 @@
                 }
             } finally {
                 isRefreshingSession = false;
-                if (userInitiated) {
+                if (isUserInitiatedRefresh) {
                     staySignedInButton.disabled = false;
                 }
+
+                if (pendingUserInitiatedRefresh) {
+                    pendingUserInitiatedRefresh = false;
+                    refreshServerSession(true, true);
+                }
             }
         }
 
diff --git a/application/single_app/templates/base.html b/application/single_app/templates/base.html
index 674e7e98..ff9b0501 100644
--- a/application/single_app/templates/base.html
+++ b/application/single_app/templates/base.html
@@ -376,12 +376,12 @@
       <div class="modal-content">
         <div class="modal-header bg-primary text-white">
           <h5 class="modal-title" id="idleTimeoutWarningModalLabel">
-            <i class="bi bi-clock me-2"></i>Session Expiring Soon
+            <i class="bi bi-clock me-2" aria-hidden="true"></i>Session Expiring Soon
           </h5>
         </div>
         <div class="modal-body">
           <p class="mb-2">You've been inactive for a while.</p>
-          <p class="mb-0">You will be signed out in <strong><span id="idleTimeoutCountdown">60</span> seconds</strong> unless you continue your session.</p>
+          <p class="mb-0" aria-live="polite">You will be signed out in <strong><span id="idleTimeoutCountdown">60</span> seconds</strong> unless you continue your session.</p>
         </div>
         <div class="modal-footer">
           <button type="button" class="btn btn-outline-secondary" id="idleLogoutNowButton">Logout now</button>
diff --git a/functional_tests/test_idle_logout_timeout.py b/functional_tests/test_idle_logout_timeout.py
index ebc2ac8f..7e81af74 100644
--- a/functional_tests/test_idle_logout_timeout.py
+++ b/functional_tests/test_idle_logout_timeout.py
@@ -109,7 +109,6 @@ def test_server_idle_timeout_wiring():
         "is_idle_timeout_enabled",
         "record_request_settings_source",
         "get_request_settings",
-        "load_request_settings_cache",
         "enforce_idle_session_timeout",
         "session_heartbeat"
     ]
@@ -119,6 +118,17 @@ def test_server_idle_timeout_wiring():
     ]
     assert not missing_app_functions, f"Missing backend functions in app.py: {missing_app_functions}"
 
+    removed_app_functions = [
+        "load_request_settings_cache"
+    ]
+    unexpected_app_functions = [
+        function_name for function_name in removed_app_functions
+        if _find_top_level_function(app_tree, function_name) is not None
+    ]
+    assert not unexpected_app_functions, (
+        f"Unexpected removed backend functions in app.py: {unexpected_app_functions}"
+    )
+
     has_settings_source_counter_dict = any(
         isinstance(node, ast.Assign)
         and any(isinstance(target, ast.Name) and target.id == "settings_source_counters" for target in node.targets)

From 4045e55bd7d1fb4f473ceccdd67e8b9735cff648 Mon Sep 17 00:00:00 2001
From: Chad Palmer <chadpalmer@gmail.com>
Date: Tue, 17 Mar 2026 21:08:49 +0000
Subject: [PATCH 19/27] feedback-user-timeout - Addressed more issues flagged
 by github copilot.

---
 application/single_app/app.py                     |  2 +-
 .../single_app/route_frontend_authentication.py   |  8 ++++----
 .../single_app/static/js/idle-logout-warning.js   | 15 ++++++++++++---
 .../single_app/templates/admin_settings.html      |  9 ++++++++-
 application/single_app/templates/base.html        |  2 +-
 5 files changed, 26 insertions(+), 10 deletions(-)

diff --git a/application/single_app/app.py b/application/single_app/app.py
index 6b9d070b..1d3be87c 100644
--- a/application/single_app/app.py
+++ b/application/single_app/app.py
@@ -526,7 +526,7 @@ def is_idle_timeout_enabled(settings=None):
     Returns:
         bool: True when idle-timeout enforcement should run; otherwise False.
 
-    Raises:
+    Raise
         None: Unexpected values are coerced to boolean-compatible behavior.
     """
     if settings is None:
diff --git a/application/single_app/route_frontend_authentication.py b/application/single_app/route_frontend_authentication.py
index a60f7734..77cfe218 100644
--- a/application/single_app/route_frontend_authentication.py
+++ b/application/single_app/route_frontend_authentication.py
@@ -236,9 +236,9 @@ def local_logout():
             elif HOME_REDIRECT_URL:
                 logout_uri = HOME_REDIRECT_URL
             else:
-                logout_uri = url_for('index', _external=True, _scheme='https')
+                logout_uri = url_for('index', _external=True)
         else:
-            logout_uri = url_for('index', _external=True, _scheme='https')
+            logout_uri = url_for('index', _external=True)
 
         return redirect(logout_uri)
 
@@ -266,9 +266,9 @@ def logout():
                 # Fall back to environment variable if Front Door is enabled but no URL is set
                 logout_uri = HOME_REDIRECT_URL
             else:
-                logout_uri = url_for('index', _external=True, _scheme='https')
+                logout_uri = url_for('index', _external=True)
         else:
-            logout_uri = url_for('index', _external=True, _scheme='https')
+            logout_uri = url_for('index', _external=True)
         
         print(f"Front Door enabled: {settings.get('enable_front_door', False)}")
         print(f"Front Door URL: {settings.get('front_door_url')}")
diff --git a/application/single_app/static/js/idle-logout-warning.js b/application/single_app/static/js/idle-logout-warning.js
index dd735f6d..78e3a9d6 100644
--- a/application/single_app/static/js/idle-logout-warning.js
+++ b/application/single_app/static/js/idle-logout-warning.js
@@ -192,13 +192,22 @@
 
                 if (pendingUserInitiatedRefresh) {
                     pendingUserInitiatedRefresh = false;
-                    refreshServerSession(true, true);
+                    fireAndForgetSessionRefresh(true, true);
                 }
             }
         }
 
+        function fireAndForgetSessionRefresh(forceLogoutOnFailure, userInitiated) {
+            void refreshServerSession(forceLogoutOnFailure, userInitiated).catch(function (error) {
+                console.error('Unexpected session refresh error:', error);
+                if (forceLogoutOnFailure) {
+                    logoutNow();
+                }
+            });
+        }
+
         staySignedInButton.addEventListener('click', function () {
-            refreshServerSession(true, true);
+            fireAndForgetSessionRefresh(true, true);
         });
 
         logoutNowButton.addEventListener('click', function () {
@@ -237,7 +246,7 @@
             scheduleIdleTimers();
 
             if ((now - lastServerHeartbeatAt) >= HEARTBEAT_MIN_INTERVAL_MS) {
-                refreshServerSession(false, false);
+                fireAndForgetSessionRefresh(false, false);
             }
         }
     });
diff --git a/application/single_app/templates/admin_settings.html b/application/single_app/templates/admin_settings.html
index 77d6b217..c30ad580 100644
--- a/application/single_app/templates/admin_settings.html
+++ b/application/single_app/templates/admin_settings.html
@@ -1433,7 +1433,14 @@ <h5>
                         <label class="form-check-label ms-2" for="enable_idle_timeout">
                             Enable Idle Session Timeout and Warning
                         </label>
-                        <i class="bi bi-info-circle ms-2" data-bs-toggle="tooltip" title="When enabled, inactive users receive a warning and are automatically logged out after the configured timeout."></i>
+                        <button
+                             type="button"
+                             class="btn btn-link p-0 ms-2"
+                             data-bs-toggle="tooltip"
+                             title="When enabled, inactive users receive a warning and are automatically logged out after the configured timeout."
+                             aria-label="More information about idle timeout settings">
+                             <i class="bi bi-info-circle" aria-hidden="true"></i>
+                         </button>
                     </div>
                     <div id="idle_timeout_settings" class="{% if settings.enable_idle_timeout is not defined or not settings.enable_idle_timeout %}d-none{% endif %}">
                         <div class="mb-3">
diff --git a/application/single_app/templates/base.html b/application/single_app/templates/base.html
index ff9b0501..7619e540 100644
--- a/application/single_app/templates/base.html
+++ b/application/single_app/templates/base.html
@@ -381,7 +381,7 @@ <h5 class="modal-title" id="idleTimeoutWarningModalLabel">
         </div>
         <div class="modal-body">
           <p class="mb-2">You've been inactive for a while.</p>
-          <p class="mb-0" aria-live="polite">You will be signed out in <strong><span id="idleTimeoutCountdown">60</span> seconds</strong> unless you continue your session.</p>
+          <p class="mb-0">You will be signed out in <strong><span id="idleTimeoutCountdown" aria-live="polite" aria-atomic="true">60</span> seconds</strong> unless you continue your session.</p>
         </div>
         <div class="modal-footer">
           <button type="button" class="btn btn-outline-secondary" id="idleLogoutNowButton">Logout now</button>

From f3a63f8f126efa43292c39c4c0ffed8ce78cd872 Mon Sep 17 00:00:00 2001
From: Chad Palmer <chadpalmer@gmail.com>
Date: Wed, 18 Mar 2026 15:36:48 +0000
Subject: [PATCH 20/27] feedback-user-timeout - Addressed even more issues
 flagged by github copilot.

---
 application/single_app/app.py                 | 24 ++++++-
 application/single_app/functions_settings.py  | 14 ++--
 ...est_settings_deep_merge_persistence_fix.py | 70 ++++++++++---------
 3 files changed, 67 insertions(+), 41 deletions(-)

diff --git a/application/single_app/app.py b/application/single_app/app.py
index 1d3be87c..2b74f8ae 100644
--- a/application/single_app/app.py
+++ b/application/single_app/app.py
@@ -526,7 +526,7 @@ def is_idle_timeout_enabled(settings=None):
     Returns:
         bool: True when idle-timeout enforcement should run; otherwise False.
 
-    Raise
+    Raises:
         None: Unexpected values are coerced to boolean-compatible behavior.
     """
     if settings is None:
@@ -713,8 +713,26 @@ def enforce_idle_session_timeout():
     now_epoch = int(time.time())
     request_settings = get_request_settings()
     if not is_idle_timeout_enabled(request_settings):
-        session['last_activity_epoch'] = now_epoch
-        session.modified = True
+        disabled_refresh_interval_seconds = 60
+        last_activity_epoch = session.get('last_activity_epoch')
+        should_refresh_last_activity = False
+
+        if last_activity_epoch is None:
+            should_refresh_last_activity = True
+        else:
+            try:
+                parsed_last_activity_epoch = int(float(last_activity_epoch))
+                if (
+                    parsed_last_activity_epoch > now_epoch
+                    or (now_epoch - parsed_last_activity_epoch) >= disabled_refresh_interval_seconds
+                ):
+                    should_refresh_last_activity = True
+            except (TypeError, ValueError):
+                should_refresh_last_activity = True
+
+        if should_refresh_last_activity:
+            session['last_activity_epoch'] = now_epoch
+            session.modified = True
         return None
 
     idle_timeout_minutes, _ = get_idle_timeout_settings(request_settings)
diff --git a/application/single_app/functions_settings.py b/application/single_app/functions_settings.py
index 191da5ed..0af27496 100644
--- a/application/single_app/functions_settings.py
+++ b/application/single_app/functions_settings.py
@@ -412,13 +412,12 @@ def _format_result(settings_payload, source):
                     )
         #print("Successfully retrieved settings from Cosmos DB.")
 
-        original_settings_item = copy.deepcopy(settings_item)
-
         # Merge default_settings in, to fill in any missing or nested keys
-        merged = deep_merge_dicts(default_settings, settings_item)
+        merged = settings_item
+        settings_changed = deep_merge_dicts(default_settings, merged)
 
         # If merging added anything new, upsert back to Cosmos so future reads remain up to date
-        if merged != original_settings_item:
+        if settings_changed:
             cosmos_settings_container.upsert_item(merged)
             cache_updater = getattr(app_settings_cache, "update_settings_cache", None)
             if callable(cache_updater):
@@ -606,15 +605,18 @@ def extract_latest_version_from_html(html_content):
         return None
     
 def deep_merge_dicts(default_dict, existing_dict):
+    changed = False
     for k, default_val in default_dict.items():
         if k not in existing_dict:
             existing_dict[k] = default_val
+            changed = True
         else:
             existing_val = existing_dict[k]
             if isinstance(default_val, dict) and isinstance(existing_val, dict):
-                deep_merge_dicts(default_val, existing_val)
+                if deep_merge_dicts(default_val, existing_val):
+                    changed = True
             # For lists or other types, we skip overwriting.
-    return existing_dict
+    return changed
 
 def encrypt_key(key):
     cipher_suite = Fernet(app.config['SECRET_KEY'])
diff --git a/functional_tests/test_settings_deep_merge_persistence_fix.py b/functional_tests/test_settings_deep_merge_persistence_fix.py
index 7a2c93f8..32bdce99 100644
--- a/functional_tests/test_settings_deep_merge_persistence_fix.py
+++ b/functional_tests/test_settings_deep_merge_persistence_fix.py
@@ -55,27 +55,21 @@ def test_get_settings_merge_detection_ast_wiring():
     get_settings_def = _find_top_level_function(module_tree, "get_settings")
     assert get_settings_def is not None, "Missing get_settings function in functions_settings.py"
 
-    has_snapshot_assignment = False
     has_merged_assignment = False
+    has_settings_changed_assignment = False
     merge_comparison_if = None
 
     for node in ast.walk(get_settings_def):
         if isinstance(node, ast.Assign):
             for target in node.targets:
-                if isinstance(target, ast.Name) and target.id == "original_settings_item":
+                if isinstance(target, ast.Name) and target.id == "merged":
                     if (
-                        isinstance(node.value, ast.Call)
-                        and isinstance(node.value.func, ast.Attribute)
-                        and isinstance(node.value.func.value, ast.Name)
-                        and node.value.func.value.id == "copy"
-                        and node.value.func.attr == "deepcopy"
-                        and len(node.value.args) == 1
-                        and isinstance(node.value.args[0], ast.Name)
-                        and node.value.args[0].id == "settings_item"
+                        isinstance(node.value, ast.Name)
+                        and node.value.id == "settings_item"
                     ):
-                        has_snapshot_assignment = True
+                        has_merged_assignment = True
 
-                if isinstance(target, ast.Name) and target.id == "merged":
+                if isinstance(target, ast.Name) and target.id == "settings_changed":
                     if (
                         isinstance(node.value, ast.Call)
                         and isinstance(node.value.func, ast.Name)
@@ -84,26 +78,17 @@ def test_get_settings_merge_detection_ast_wiring():
                         and isinstance(node.value.args[0], ast.Name)
                         and node.value.args[0].id == "default_settings"
                         and isinstance(node.value.args[1], ast.Name)
-                        and node.value.args[1].id == "settings_item"
+                        and node.value.args[1].id == "merged"
                     ):
-                        has_merged_assignment = True
+                        has_settings_changed_assignment = True
 
-        if isinstance(node, ast.If) and isinstance(node.test, ast.Compare):
-            compare_node = node.test
-            if (
-                isinstance(compare_node.left, ast.Name)
-                and compare_node.left.id == "merged"
-                and len(compare_node.ops) == 1
-                and isinstance(compare_node.ops[0], ast.NotEq)
-                and len(compare_node.comparators) == 1
-                and isinstance(compare_node.comparators[0], ast.Name)
-                and compare_node.comparators[0].id == "original_settings_item"
-            ):
+        if isinstance(node, ast.If) and isinstance(node.test, ast.Name):
+            if node.test.id == "settings_changed":
                 merge_comparison_if = node
 
-    assert has_snapshot_assignment, "Missing original_settings_item copy.deepcopy(settings_item) assignment"
-    assert has_merged_assignment, "Missing merged = deep_merge_dicts(default_settings, settings_item) assignment"
-    assert merge_comparison_if is not None, "Missing if merged != original_settings_item comparison"
+    assert has_merged_assignment, "Missing merged = settings_item assignment"
+    assert has_settings_changed_assignment, "Missing settings_changed = deep_merge_dicts(default_settings, merged) assignment"
+    assert merge_comparison_if is not None, "Missing if settings_changed branch"
 
     has_upsert_in_branch = False
     has_log_event_in_branch = False
@@ -149,7 +134,9 @@ def test_deep_merge_dicts_ast_behavior_wiring():
     has_not_in_guard = False
     has_missing_key_assignment = False
     has_recursive_merge_call = False
-    returns_existing_dict = False
+    has_changed_init = False
+    has_changed_true_assignment = False
+    returns_changed = False
 
     for node in ast.walk(deep_merge_def):
         if isinstance(node, ast.Compare):
@@ -166,6 +153,23 @@ def test_deep_merge_dicts_ast_behavior_wiring():
 
         if isinstance(node, ast.Assign) and len(node.targets) == 1:
             target = node.targets[0]
+
+            if (
+                isinstance(target, ast.Name)
+                and target.id == "changed"
+                and isinstance(node.value, ast.Constant)
+                and node.value.value is False
+            ):
+                has_changed_init = True
+
+            if (
+                isinstance(target, ast.Name)
+                and target.id == "changed"
+                and isinstance(node.value, ast.Constant)
+                and node.value.value is True
+            ):
+                has_changed_true_assignment = True
+
             if (
                 isinstance(target, ast.Subscript)
                 and isinstance(target.value, ast.Name)
@@ -188,13 +192,15 @@ def test_deep_merge_dicts_ast_behavior_wiring():
             has_recursive_merge_call = True
 
         if isinstance(node, ast.Return):
-            if isinstance(node.value, ast.Name) and node.value.id == "existing_dict":
-                returns_existing_dict = True
+            if isinstance(node.value, ast.Name) and node.value.id == "changed":
+                returns_changed = True
 
     assert has_not_in_guard, "Missing 'if k not in existing_dict' guard in deep_merge_dicts"
     assert has_missing_key_assignment, "Missing existing_dict[k] = default_val assignment in deep_merge_dicts"
     assert has_recursive_merge_call, "Missing recursive deep_merge_dicts(default_val, existing_val) call"
-    assert returns_existing_dict, "Missing return existing_dict in deep_merge_dicts"
+    assert has_changed_init, "Missing changed = False initialization in deep_merge_dicts"
+    assert has_changed_true_assignment, "Missing changed = True assignment in deep_merge_dicts"
+    assert returns_changed, "Missing return changed in deep_merge_dicts"
 
     print("✅ deep_merge_dicts AST behavior wiring is present")
 

From 57b117f791ac0e0d35c6f3c337a0d247c52489b0 Mon Sep 17 00:00:00 2001
From: Chad Palmer <chadpalmer@gmail.com>
Date: Wed, 18 Mar 2026 19:01:34 +0000
Subject: [PATCH 21/27] feedback-user-timeout - Addressed yet more issues
 flagged by github copilot.

---
 application/single_app/app.py                     | 15 ++++++++++++++-
 .../test_admin_settings_safe_int_fallback_fix.py  |  1 +
 functional_tests/test_idle_logout_timeout.py      |  1 +
 .../test_settings_deep_merge_persistence_fix.py   |  1 +
 4 files changed, 17 insertions(+), 1 deletion(-)

diff --git a/application/single_app/app.py b/application/single_app/app.py
index 2b74f8ae..f6d46bc4 100644
--- a/application/single_app/app.py
+++ b/application/single_app/app.py
@@ -738,11 +738,24 @@ def enforce_idle_session_timeout():
     idle_timeout_minutes, _ = get_idle_timeout_settings(request_settings)
     last_activity_epoch = session.get('last_activity_epoch')
     has_valid_last_activity_epoch = False
+    max_allowed_future_skew_seconds = 60
 
     if last_activity_epoch is not None:
         try:
             parsed_last_activity_epoch = int(float(last_activity_epoch))
-            has_valid_last_activity_epoch = True
+            if parsed_last_activity_epoch <= (now_epoch + max_allowed_future_skew_seconds):
+                has_valid_last_activity_epoch = True
+            else:
+                log_event(
+                    "Idle timeout last_activity_epoch is in the future; resetting timestamp.",
+                    extra={
+                        "path": request.path,
+                        "parsed_last_activity_epoch": parsed_last_activity_epoch,
+                        "now_epoch": now_epoch,
+                        "max_allowed_future_skew_seconds": max_allowed_future_skew_seconds
+                    },
+                    level=logging.WARNING
+                )
             idle_seconds = now_epoch - parsed_last_activity_epoch
             if idle_seconds >= (idle_timeout_minutes * 60):
                 user_id = session.get('user', {}).get('oid') or session.get('user', {}).get('sub')
diff --git a/functional_tests/test_admin_settings_safe_int_fallback_fix.py b/functional_tests/test_admin_settings_safe_int_fallback_fix.py
index 9638f3ec..2c8d3dff 100644
--- a/functional_tests/test_admin_settings_safe_int_fallback_fix.py
+++ b/functional_tests/test_admin_settings_safe_int_fallback_fix.py
@@ -1,4 +1,5 @@
 #!/usr/bin/env python3
+# test_admin_settings_safe_int_fallback_fix.py
 """
 Functional test for admin safe_int fallback hardening.
 Version: 0.239.012
diff --git a/functional_tests/test_idle_logout_timeout.py b/functional_tests/test_idle_logout_timeout.py
index 7e81af74..7e1144bd 100644
--- a/functional_tests/test_idle_logout_timeout.py
+++ b/functional_tests/test_idle_logout_timeout.py
@@ -1,4 +1,5 @@
 #!/usr/bin/env python3
+# test_idle_logout_timeout.py
 """
 Functional test for idle session auto-logout.
 Version: 0.239.012
diff --git a/functional_tests/test_settings_deep_merge_persistence_fix.py b/functional_tests/test_settings_deep_merge_persistence_fix.py
index 32bdce99..e82efcfd 100644
--- a/functional_tests/test_settings_deep_merge_persistence_fix.py
+++ b/functional_tests/test_settings_deep_merge_persistence_fix.py
@@ -1,4 +1,5 @@
 #!/usr/bin/env python3
+# test_settings_deep_merge_persistence_fix.py
 """
 Functional test for settings deep-merge persistence fix.
 Version: 0.239.012

From b1aa8f3c60f6a38e94948766bde640942ab0303b Mon Sep 17 00:00:00 2001
From: Chad Palmer <chadpalmer@gmail.com>
Date: Wed, 18 Mar 2026 20:18:57 +0000
Subject: [PATCH 22/27] feedback-user-timeout - Addressed another round of
 issues flagged by github copilot.

---
 .../route_frontend_authentication.py          | 16 +++++-----
 application/single_app/templates/base.html    | 16 +++++-----
 functional_tests/test_idle_logout_timeout.py  | 32 ++++++++++++++++++-
 ...est_settings_deep_merge_persistence_fix.py |  5 ++-
 4 files changed, 49 insertions(+), 20 deletions(-)

diff --git a/application/single_app/route_frontend_authentication.py b/application/single_app/route_frontend_authentication.py
index 77cfe218..a51ee87e 100644
--- a/application/single_app/route_frontend_authentication.py
+++ b/application/single_app/route_frontend_authentication.py
@@ -42,7 +42,7 @@ def login():
         
         # Get settings from database, with environment variable fallback
         from functions_settings import get_settings
-        settings = get_settings()
+        settings = get_settings() or {}
         
         # Only use Front Door redirect URL if Front Door is enabled
         if settings.get('enable_front_door', False):
@@ -89,7 +89,7 @@ def authorized():
 
         # Get settings from database, with environment variable fallback
         from functions_settings import get_settings
-        settings = get_settings()
+        settings = get_settings() or {}
         
         # Only use Front Door redirect URL if Front Door is enabled
         if settings.get('enable_front_door', False):
@@ -142,7 +142,7 @@ def authorized():
         # You might want to store the original destination in the session during /login
         # Get settings from database, with environment variable fallback
         from functions_settings import get_settings
-        settings = get_settings()
+        settings = get_settings() or {}
         
         debug_print(f"HOME_REDIRECT_URL (env): {HOME_REDIRECT_URL}")
         debug_print(f"front_door_url (db): {settings.get('front_door_url')}")
@@ -184,7 +184,7 @@ def authorized_api():
 
         # Get settings for redirect URI (same logic as other routes)
         from functions_settings import get_settings
-        settings = get_settings()
+        settings = get_settings() or {}
         
         if settings.get('enable_front_door', False):
             front_door_url = settings.get('front_door_url')
@@ -226,7 +226,7 @@ def local_logout():
         session.clear()
 
         from functions_settings import get_settings
-        settings = get_settings()
+        settings = get_settings() or {}
 
         if settings.get('enable_front_door', False):
             front_door_url = settings.get('front_door_url')
@@ -236,9 +236,9 @@ def local_logout():
             elif HOME_REDIRECT_URL:
                 logout_uri = HOME_REDIRECT_URL
             else:
-                logout_uri = url_for('index', _external=True)
+                logout_uri = url_for('index')
         else:
-            logout_uri = url_for('index', _external=True)
+            logout_uri = url_for('index')
 
         return redirect(logout_uri)
 
@@ -254,7 +254,7 @@ def logout():
         # MSAL provides a helper for this too, but constructing manually is fine
         # Get settings from database, with environment variable fallback
         from functions_settings import get_settings
-        settings = get_settings()
+        settings = get_settings() or {}
         
         # Only use Front Door redirect URL if Front Door is enabled
         if settings.get('enable_front_door', False):
diff --git a/application/single_app/templates/base.html b/application/single_app/templates/base.html
index 7619e540..0ba03e35 100644
--- a/application/single_app/templates/base.html
+++ b/application/single_app/templates/base.html
@@ -353,14 +353,14 @@
   <script src="{{ url_for('static', filename='js/notifications.js') }}"></script>
   {% if session.get('user') %}
   <script>
-    window.idleLogoutConfig = {
-      enabled: {{ idle_timeout_enabled | default(false) | tojson }},
-      timeoutMinutes: {{ idle_timeout_minutes | default(30) | int }},
-      warningMinutes: {{ idle_warning_minutes | default(28) | int }},
-      heartbeatUrl: "{{ url_for('session_heartbeat') }}",
-      localLogoutUrl: "{{ url_for('local_logout') }}",
-      fullSsoLogoutUrl: "{{ url_for('logout') }}"
-    };
+    window.idleLogoutConfig = {{ {
+      'enabled': idle_timeout_enabled | default(false),
+      'timeoutMinutes': idle_timeout_minutes | default(30) | int,
+      'warningMinutes': idle_warning_minutes | default(28) | int,
+      'heartbeatUrl': url_for('session_heartbeat'),
+      'localLogoutUrl': url_for('local_logout'),
+      'fullSsoLogoutUrl': url_for('logout')
+    } | tojson | safe }};
   </script>
   <script src="{{ url_for('static', filename='js/idle-logout-warning.js') }}"></script>
   {% endif %}
diff --git a/functional_tests/test_idle_logout_timeout.py b/functional_tests/test_idle_logout_timeout.py
index 7e1144bd..8b746f2c 100644
--- a/functional_tests/test_idle_logout_timeout.py
+++ b/functional_tests/test_idle_logout_timeout.py
@@ -297,8 +297,10 @@ def test_server_idle_timeout_wiring():
 
     login_def = _find_nested_function(auth_register_def, "login")
     authorized_def = _find_nested_function(auth_register_def, "authorized")
+    local_logout_def = _find_nested_function(auth_register_def, "local_logout")
     assert login_def is not None, "Missing login route function in authentication route"
     assert authorized_def is not None, "Missing authorized route function in authentication route"
+    assert local_logout_def is not None, "Missing local_logout route function in authentication route"
 
     has_last_activity_pop = False
     for node in ast.walk(login_def):
@@ -338,6 +340,33 @@ def test_server_idle_timeout_wiring():
                 has_last_activity_assignment = True
     assert has_last_activity_assignment, "Missing session['last_activity_epoch'] = int(time.time()) in authorized flow"
 
+    has_relative_index_url_for = False
+    has_external_index_url_for = False
+    for node in ast.walk(local_logout_def):
+        if (
+            isinstance(node, ast.Call)
+            and isinstance(node.func, ast.Name)
+            and node.func.id == "url_for"
+            and len(node.args) == 1
+            and isinstance(node.args[0], ast.Constant)
+            and node.args[0].value == "index"
+        ):
+            if len(node.keywords) == 0:
+                has_relative_index_url_for = True
+
+            has_external_keyword = any(
+                isinstance(keyword, ast.keyword)
+                and keyword.arg == "_external"
+                and isinstance(keyword.value, ast.Constant)
+                and keyword.value.value is True
+                for keyword in node.keywords
+            )
+            if has_external_keyword:
+                has_external_index_url_for = True
+
+    assert has_relative_index_url_for, "Missing relative url_for('index') fallback in local_logout"
+    assert not has_external_index_url_for, "Unexpected url_for('index', _external=True) in local_logout"
+
     print("✅ Server-side idle-timeout wiring is present")
 
 
@@ -356,7 +385,8 @@ def test_base_template_warning_modal_wiring():
         "js/idle-logout-warning.js",
         "localLogoutUrl",
         "fullSsoLogoutUrl",
-        "enabled: {{ idle_timeout_enabled | default(false) | tojson }}",
+        "'enabled': idle_timeout_enabled | default(false)",
+        "| tojson | safe",
         "session_heartbeat"
     ]
 
diff --git a/functional_tests/test_settings_deep_merge_persistence_fix.py b/functional_tests/test_settings_deep_merge_persistence_fix.py
index e82efcfd..bc61ea8b 100644
--- a/functional_tests/test_settings_deep_merge_persistence_fix.py
+++ b/functional_tests/test_settings_deep_merge_persistence_fix.py
@@ -29,9 +29,8 @@ def _read_file(*path_parts):
 
 def _load_functions_settings_ast():
     """Load and parse functions_settings.py into an AST tree."""
-    settings_content = _read_file("application", "single_app", "functions_settings.py")
-    return settings_content, ast.parse(settings_content)
-
+    source = _read_file("application", "single_app", "functions_settings.py")
+    return source, ast.parse(source)
 
 def _find_top_level_function(module_tree, function_name):
     """Find a top-level function definition by name."""

From 3f2b8e82a0d590b235f35280104886badc7051e6 Mon Sep 17 00:00:00 2001
From: Chad Palmer <chadpalmer@gmail.com>
Date: Wed, 18 Mar 2026 20:41:12 +0000
Subject: [PATCH 23/27] feedback-user-timeout - Updated docs and added
 docstring.

---
 application/single_app/functions_settings.py     | 14 ++++++++++++++
 .../SETTINGS_DEEP_MERGE_PERSISTENCE_FIX.md       | 16 ++++++++--------
 docs/explanation/release_notes.md                |  2 +-
 3 files changed, 23 insertions(+), 9 deletions(-)

diff --git a/application/single_app/functions_settings.py b/application/single_app/functions_settings.py
index 0af27496..46d76407 100644
--- a/application/single_app/functions_settings.py
+++ b/application/single_app/functions_settings.py
@@ -605,6 +605,20 @@ def extract_latest_version_from_html(html_content):
         return None
     
 def deep_merge_dicts(default_dict, existing_dict):
+    """
+    Recursively merge keys from default_dict into existing_dict in place.
+    This function DOES NOT return a merged dictionary. Instead, it mutates
+    existing_dict directly, adding any keys that are missing (and, for nested
+    dict values, recursing to merge their contents as well). Non-dict values
+    in existing_dict are left as-is and are not overwritten.
+
+    Args:
+        default_dict (dict): Source of default values.
+        existing_dict (dict): Target dictionary that will be updated in place.
+        
+    Returns:
+        bool: True if existing_dict was modified at any depth, otherwise False.
+    """
     changed = False
     for k, default_val in default_dict.items():
         if k not in existing_dict:
diff --git a/docs/explanation/fixes/v0.239.012/SETTINGS_DEEP_MERGE_PERSISTENCE_FIX.md b/docs/explanation/fixes/v0.239.012/SETTINGS_DEEP_MERGE_PERSISTENCE_FIX.md
index 9557036d..6c94bc11 100644
--- a/docs/explanation/fixes/v0.239.012/SETTINGS_DEEP_MERGE_PERSISTENCE_FIX.md
+++ b/docs/explanation/fixes/v0.239.012/SETTINGS_DEEP_MERGE_PERSISTENCE_FIX.md
@@ -17,18 +17,18 @@
 
 ### Code Changes Summary
 
-- Added `import copy` in `functions_settings.py`.
-- Captured a pre-merge snapshot with `original_settings_item = copy.deepcopy(settings_item)`.
-- Updated change detection to compare `merged` against `original_settings_item`.
-- Preserved existing merge behavior and upsert/logging flow.
+ - Updated `deep_merge_dicts()` in `functions_settings.py` to return a boolean `changed` flag indicating whether any values were added or updated during the merge.
+ - Updated `get_settings()` (and related callers) to use the returned `settings_changed` flag to decide whether to upsert the merged settings back to Cosmos DB.
+ - Kept the merge semantics the same while fixing the persistence condition so that only genuinely changed settings trigger an upsert.
+ - Preserved existing upsert behavior, logging flow, and return shapes for callers.
 
 ### Testing Approach
 
 - Added functional regression test: `functional_tests/test_settings_deep_merge_persistence_fix.py`.
 - Test validates marker-based wiring for:
-  - deep-copy snapshot creation,
-  - comparison against pre-merge state,
-  - Cosmos upsert path availability,
+  - the `changed` flag returned from `deep_merge_dicts()`,
+  - the `settings_changed` gate that controls whether the Cosmos upsert path is invoked,
+  - Cosmos upsert path availability and logging when defaults introduce new keys,
   - version alignment in `config.py`.
 
 ### Impact Analysis
@@ -45,7 +45,7 @@
 
 ### After
 
-- Missing default keys trigger the upsert path and persistence logging because merge output is compared against a deep-copied pre-merge snapshot.
+- Missing default keys trigger the upsert path and persistence logging because `deep_merge_dicts()` reports that changes occurred and `settings_changed` evaluates `True`, causing the merged settings to be written back to Cosmos DB.
 
 ### Test Result
 
diff --git a/docs/explanation/release_notes.md b/docs/explanation/release_notes.md
index 37c3c7cc..0269a9cf 100644
--- a/docs/explanation/release_notes.md
+++ b/docs/explanation/release_notes.md
@@ -19,7 +19,7 @@
 
 *   **Settings Default Merge Persistence Fix**
     *   Fixed app settings merge detection in `get_settings()` where `deep_merge_dicts()` mutates the existing settings object in place, causing change detection to always evaluate as unchanged.
-    *   Added pre-merge snapshot comparison with `copy.deepcopy()` so missing default keys correctly trigger `upsert_item()` and are persisted back to Cosmos DB.
+    *   Updated `deep_merge_dicts()` to return a boolean `changed` flag and wired `get_settings()` to call `upsert_item()` when `settings_changed` is `True`, so missing default keys correctly trigger persistence back to Cosmos DB.
     *   Added a functional regression test to validate the merge detection and persistence markers.
     *   (Ref: `application/single_app/functions_settings.py`, `application/single_app/config.py`, `functional_tests/test_settings_deep_merge_persistence_fix.py`)
     

From 8df1620c2caacfda839c7a4d4cc7f252d556cda0 Mon Sep 17 00:00:00 2001
From: Chad Palmer <chadpalmer@gmail.com>
Date: Wed, 18 Mar 2026 21:35:32 +0000
Subject: [PATCH 24/27] feedback-user-timeout - Toned down potential log
 entries.

---
 application/single_app/app.py                | 28 +++++++++++++++++++-
 functional_tests/test_idle_logout_timeout.py | 17 +++++++++++-
 2 files changed, 43 insertions(+), 2 deletions(-)

diff --git a/application/single_app/app.py b/application/single_app/app.py
index f6d46bc4..1a8deca9 100644
--- a/application/single_app/app.py
+++ b/application/single_app/app.py
@@ -542,6 +542,9 @@ def is_idle_timeout_enabled(settings=None):
 
 settings_source_counters = {}
 settings_source_counters_lock = threading.Lock()
+settings_source_last_observed = None
+settings_source_last_non_cache_log_epoch = 0
+settings_source_non_cache_log_interval_seconds = 60
 
 
 def record_request_settings_source(source):
@@ -558,6 +561,11 @@ def record_request_settings_source(source):
         None: Counter updates and diagnostics are handled internally.
     """
     normalized_source = source or 'unknown'
+    now_epoch = int(time.time())
+
+    global settings_source_last_observed
+    global settings_source_last_non_cache_log_epoch
+
     with settings_source_counters_lock:
         settings_source_counters[normalized_source] = settings_source_counters.get(normalized_source, 0) + 1
         cache_hits = settings_source_counters.get('cache', 0)
@@ -565,6 +573,22 @@ def record_request_settings_source(source):
         cosmos_forced_hits = settings_source_counters.get('cosmos_forced', 0)
         unknown_hits = settings_source_counters.get('unknown', 0)
 
+        previous_source = settings_source_last_observed
+        source_changed = normalized_source != previous_source
+        settings_source_last_observed = normalized_source
+
+        non_cache_log_window_elapsed = (
+            now_epoch - settings_source_last_non_cache_log_epoch
+        ) >= settings_source_non_cache_log_interval_seconds
+
+        should_log_non_cache_info = (
+            normalized_source != 'cache'
+            and (source_changed or non_cache_log_window_elapsed)
+        )
+
+        if should_log_non_cache_info:
+            settings_source_last_non_cache_log_epoch = now_epoch
+
     g.request_settings_source = normalized_source
     debug_print(
         f"[SETTINGS SOURCE] path={request.path} source={normalized_source}",
@@ -575,12 +599,14 @@ def record_request_settings_source(source):
         unknown_hits=unknown_hits
     )
 
-    if normalized_source != 'cache':
+    if should_log_non_cache_info:
         log_event(
             "Request settings source is non-cache.",
             extra={
                 "path": request.path,
                 "settings_source": normalized_source,
+                "source_changed": source_changed,
+                "non_cache_log_window_elapsed": non_cache_log_window_elapsed,
                 "cache_hits": cache_hits,
                 "cosmos_fallback_hits": cosmos_fallback_hits,
                 "cosmos_forced_hits": cosmos_forced_hits,
diff --git a/functional_tests/test_idle_logout_timeout.py b/functional_tests/test_idle_logout_timeout.py
index 8b746f2c..27d91c60 100644
--- a/functional_tests/test_idle_logout_timeout.py
+++ b/functional_tests/test_idle_logout_timeout.py
@@ -100,7 +100,7 @@ def test_server_idle_timeout_wiring():
     """Validate idle-timeout and heartbeat backend wiring exists."""
     print("🔍 Testing server-side idle-timeout wiring...")
 
-    _, app_tree = _parse_python_file("application", "single_app", "app.py")
+    app_content, app_tree = _parse_python_file("application", "single_app", "app.py")
     config_content = _read_file("application", "single_app", "config.py")
     _, auth_tree = _parse_python_file("application", "single_app", "route_frontend_authentication.py")
     _, config_tree = _parse_python_file("application", "single_app", "config.py")
@@ -139,6 +139,21 @@ def test_server_idle_timeout_wiring():
     )
     assert has_settings_source_counter_dict, "Missing settings_source_counters = {} assignment"
 
+    required_settings_source_logging_markers = [
+        "settings_source_last_observed = None",
+        "settings_source_last_non_cache_log_epoch = 0",
+        "settings_source_non_cache_log_interval_seconds = 60",
+        "should_log_non_cache_info",
+        "if should_log_non_cache_info:"
+    ]
+    missing_settings_source_logging_markers = [
+        marker for marker in required_settings_source_logging_markers
+        if marker not in app_content
+    ]
+    assert not missing_settings_source_logging_markers, (
+        f"Missing settings-source logging throttling markers: {missing_settings_source_logging_markers}"
+    )
+
     idle_settings_def = _find_top_level_function(app_tree, "get_idle_timeout_settings")
     has_idle_timeout_default_get = False
     has_idle_warning_default_get = False

From 2b63923819c75413e1168e67011db0d617efbe45 Mon Sep 17 00:00:00 2001
From: Chad Palmer <chadpalmer@gmail.com>
Date: Tue, 24 Mar 2026 19:29:32 +0000
Subject: [PATCH 25/27] feedback-user-timeout - Added custom message field,
 enforce min 10 minute timeout and allow warning dialog to be disabled.

---
 application/single_app/app.py                 |   8 +++---
 application/single_app/config.py              |   2 +-
 application/single_app/functions_settings.py  |   1 +
 .../route_frontend_admin_settings.py          |  15 +++++++++---
 .../single_app/static/images/custom_logo.png  | Bin 11877 -> 0 bytes
 .../static/images/custom_logo_dark.png        | Bin 13468 -> 0 bytes
 .../static/js/idle-logout-warning.js          |  15 ++++++++----
 .../single_app/templates/admin_settings.html  |  16 +++++++++---
 application/single_app/templates/base.html    |   2 +-
 .../ADMIN_SETTINGS_SAFE_INT_FALLBACK_FIX.md   |   4 +--
 .../v0.239.012/IDLE_HEARTBEAT_INTERVAL_FIX.md |   4 +--
 .../IDLE_HEARTBEAT_REAUTH_HANDLING_FIX.md     |   4 +--
 .../IDLE_SESSION_API_ACTIVITY_SEED_FIX.md     |   4 +--
 .../SETTINGS_DEEP_MERGE_PERSISTENCE_FIX.md    |   4 +--
 ...st_admin_settings_safe_int_fallback_fix.py |   6 ++---
 functional_tests/test_idle_logout_timeout.py  |  23 +++++++++++++-----
 ...est_settings_deep_merge_persistence_fix.py |   6 ++---
 17 files changed, 75 insertions(+), 39 deletions(-)
 delete mode 100644 application/single_app/static/images/custom_logo.png
 delete mode 100644 application/single_app/static/images/custom_logo_dark.png

diff --git a/application/single_app/app.py b/application/single_app/app.py
index 0d84519c..1b1adc34 100644
--- a/application/single_app/app.py
+++ b/application/single_app/app.py
@@ -360,7 +360,7 @@ def get_idle_timeout_settings(settings=None):
             level=logging.WARNING
         )
 
-    normalized_timeout = max(1, timeout_minutes)
+    normalized_timeout = max(10, timeout_minutes)
     if normalized_timeout != timeout_minutes:
         log_event(
             "Idle timeout value normalized to minimum allowed value.",
@@ -386,11 +386,11 @@ def get_idle_timeout_settings(settings=None):
         )
     warning_minutes = normalized_warning
 
-    if warning_minutes >= timeout_minutes:
+    if warning_minutes > timeout_minutes:
         previous_warning_minutes = warning_minutes
-        warning_minutes = max(0, timeout_minutes - 1)
+        warning_minutes = timeout_minutes
         log_event(
-            "Idle warning value adjusted to remain below idle timeout.",
+            "Idle warning value adjusted to not exceed idle timeout.",
             extra={
                 "idle_timeout_minutes": timeout_minutes,
                 "original_idle_warning_minutes": previous_warning_minutes,
diff --git a/application/single_app/config.py b/application/single_app/config.py
index d34db4a6..42b73ca2 100644
--- a/application/single_app/config.py
+++ b/application/single_app/config.py
@@ -94,7 +94,7 @@
 EXECUTOR_TYPE = 'thread'
 EXECUTOR_MAX_WORKERS = 30
 SESSION_TYPE = 'filesystem'
-VERSION = "0.239.150"
+VERSION = "v0.240.002"
 
 SECRET_KEY = os.getenv('SECRET_KEY', 'dev-secret-key-change-in-production')
 
diff --git a/application/single_app/functions_settings.py b/application/single_app/functions_settings.py
index 9b56ad2b..68fb923e 100644
--- a/application/single_app/functions_settings.py
+++ b/application/single_app/functions_settings.py
@@ -268,6 +268,7 @@ def get_settings(use_cosmos=False, include_source=False):
         'enable_idle_timeout': False,
         'idle_timeout_minutes': 30,
         'idle_warning_minutes': 28,
+        'idle_warning_message': "You've been inactive for a while.",
         'default_system_prompt': '',
         # Access denied message shown on the home page for signed-in users who lack required roles.
         # Default is hard-coded; admins can override via Admin Settings (persisted in Cosmos DB).
diff --git a/application/single_app/route_frontend_admin_settings.py b/application/single_app/route_frontend_admin_settings.py
index 838809a3..be879bcb 100644
--- a/application/single_app/route_frontend_admin_settings.py
+++ b/application/single_app/route_frontend_admin_settings.py
@@ -227,6 +227,8 @@ def admin_settings():
             settings['idle_timeout_minutes'] = 30
         if 'idle_warning_minutes' not in settings:
             settings['idle_warning_minutes'] = 28
+        if 'idle_warning_message' not in settings:
+            settings['idle_warning_message'] = "You've been inactive for a while."
             
         if request.method == 'GET':
             # --- Model fetching logic remains the same ---
@@ -361,10 +363,16 @@ def parse_admin_int(raw_value, fallback_value, field_name="unknown", hard_defaul
             max_file_size_mb = int(form_data.get('max_file_size_mb', 16))
             conversation_history_limit = int(form_data.get('conversation_history_limit', 10))
             enable_idle_timeout = form_data.get('enable_idle_timeout') == 'on'
-            idle_timeout_minutes = max(1, parse_admin_int(form_data.get('idle_timeout_minutes'), settings.get('idle_timeout_minutes', 30), 'idle_timeout_minutes', 30))
+            idle_timeout_minutes = max(10, parse_admin_int(form_data.get('idle_timeout_minutes'), settings.get('idle_timeout_minutes', 30), 'idle_timeout_minutes', 30))
             idle_warning_minutes = max(0, parse_admin_int(form_data.get('idle_warning_minutes'), settings.get('idle_warning_minutes', 28), 'idle_warning_minutes', 28))
-            if idle_warning_minutes >= idle_timeout_minutes:
-                idle_warning_minutes = max(0, idle_timeout_minutes - 1)
+            idle_warning_message = form_data.get(
+                'idle_warning_message',
+                settings.get('idle_warning_message', "You've been inactive for a while.")
+            ).strip()
+            if idle_warning_minutes > idle_timeout_minutes:
+                idle_warning_minutes = idle_timeout_minutes
+            if not idle_warning_message:
+                idle_warning_message = "You've been inactive for a while."
             # ... (fetch all other fields using form_data.get) ...
             enable_video_file_support = form_data.get('enable_video_file_support') == 'on'
             enable_audio_file_support = form_data.get('enable_audio_file_support') == 'on'
@@ -946,6 +954,7 @@ def is_valid_url(url):
                 'enable_idle_timeout': enable_idle_timeout,
                 'idle_timeout_minutes': idle_timeout_minutes,
                 'idle_warning_minutes': idle_warning_minutes,
+                'idle_warning_message': idle_warning_message,
                 'default_system_prompt': form_data.get('default_system_prompt', '').strip(),
                 'access_denied_message': form_data.get('access_denied_message', settings.get('access_denied_message', '')).strip(),
 
diff --git a/application/single_app/static/images/custom_logo.png b/application/single_app/static/images/custom_logo.png
deleted file mode 100644
index ecf6e6521a737af56bcc82321caff1acefb63494..0000000000000000000000000000000000000000
GIT binary patch
literal 0
HcmV?d00001

literal 11877
zcmbVSQ*b5FvOTe_iEZ1)1QR=%Boo`VCg#L8C$??dIx$YHiF0#by`T5{K6dY_UHhlI
zR`qJE2qlH@Nbq>@0000<Mp{DU>mL0&Ca}<7b|BOr0RUiPkdY8o^T@jJMM%>#bv@Df
z>>)PKO&_BW7h~gs!t;bf7a<GMg!O<rz`&xfTLo1W>v$*A>2x(aEdiEwn!I$+Dm1*i
zUM$Pel3##J;C)7YK|jk#q$A;wC`f-$v8SgyKY|SY>3$mL`c7x1^RmlOP<Z!E^ES-*
zz12MUy#cV)ltiKaKgOXKOlSkC449|O4GDurfCx**|MG{}CQ+@gFM{OFM%nB8aRFnl
zCc@9f{_PFWGyEgo^4Nl6PmjILk9or|u;^$&r535>u|hzRFk0~Qul?@VOSxT=!1q8B
zWZGM(?G^g^>n1hOl`y~J{t9gY7;UF~ea%%x%%4A{n^y?u;!y0U*+Wq{H91xaThg$&
z%^Gogfl@&_{%YPA)q4BFby>dM*1!M=dtnDeL7ItF=Bv!CEFa|rYHQR3S;;jzvRf>G
zj7UhhF4!+;#%rRo6`ZXe-`B_NV)H4^R<HWE*-w)ct{oUL0C>>e=VSD{VVA!D!{XxN
zI~Mg?X~0{YilaQ3APO3iMv}-OJYLLVjJsr(Y%hYcc$dB~XBkxPKQaF(VyMBekz7}2
zj~Cb}-q%dTu5A62Pvb@6D%}=4LUNek*K<f;p~wO`lassmbR4J%9H?>}D0#me%{wB#
z+fj0BHx(3UK~O;YzE_uDh9*Li0Sdb?JbMk%QMXXgB!Vv%W2FAi?vFO)SECyXtDT*l
zp2~Dee`pbVXo;PV5)o$vaJKuwNWoFa@JZgiK+G5LMVl9WgD2vwjEwd*WHwhN@^_)0
zqaBIx<I`gZPm^}B(es?7Bno|^k(&z`gbHDR$h8k!5CvTqPRMMc>|{IK{k3W}3+#I;
z$1pxjOn6g^Ry9oDT_<NuktYhE6ARJ{kai;``R<cYB+2WmpP?8p0nF#Mj|Z?Gzrs4o
zXO(h4=YOKn6D4E$Is{jT`^C(F+)2)up@pO8b4yOyynTm6A6b8$W`4wt7#NTD!FUIg
z=<Hnkeo9gRu`&0!0i=@Ra^K))6MRcpD!mQ>N%_wQJ?S4jM*-MtPu&El>`>RDJxBiQ
zWWP@^>mc{cJ}B~jHjoVj+~YuE8q(ZfB_r1p1LShePB>>p%e=$8+G=`w{L97K!HTuO
zVQ~Rb8leek4}Wn=b%A(bqdxF*cl_EcDAf{>5#TCN_e8??{yX|BC5d^xGx#Qp(#dE_
zQZE<+N-m&R{I#y+gzl@r@Y%=-=tiv{(y;_Y9MIcc;;3Cu`xM>KP}LHG3_31!^oWzR
zkf_p1_Y?<bDFRc~nzFt)m;xe2Dkdf@(V?;f7ebT;N|C_*2QS|cy%Xee3AW_7c+8(*
zkwzr90lg4pxlZlui2Xa=FC>K~FzCQWj0|_(3=anx9i#k$rQY6NRtn%hC0LC?!IVPT
zlfLLww0$&`!Q!YFXob;)bMWy+O1f$NRIYthYkdzkbf3U*^<+26&1;fnd8Pb8O3R#&
z{C%cJ^r}n~8K)}PYm<mQC&h4j-;kPjAWXG@yOGge`n)UFxpCeyx8Q|_1{Zp@y94Q{
zn22*^p2llD>waiCPTd;U!Ih7RA0`d+JrUlwZ#<PQxfl)W62&@IkNh@7_fOsJT*PO`
z9?E5_zd<X(ixr-6IS&1BeFCU&@wr9sfS}Ka0*e^UyRn+EziBn?IrNm`aRq@Vl+J0V
zC|<|~<!qvUu~bAl=``j08VXnx+dbwpIcNY_IilOnBKPZ#V6%p2b&+;>85uts%aEK0
zT#bX6CImp7@7vADiVLpCh`Nurhx0w0Id8ij2odJ6ko~a&=eWEjbw*qIHNW!J)ziJy
zwKml~wfp+Kr6A-7IrfiK2jb>CZAsLw*|qfV@Ubk=Le1CO$s12>S~aT;9ydlB3C}ic
z!KUKc$qGbGw`Fnkl06j7exz_BMi{k_#m(e%D3E&{f-~M<fq<xoO<gC?Bv%VD;~h69
zlbxC7L&iZorLr$^OfKeWut_;?we}9wU%$fEO{a17Zow~Y3y*{_wv#9=<abq89jhnf
zCEg?T{${;0Z8<*zhHrHX3`SX=!*J!Qsej*aLbg_$7o4GToR3-inLpQRxlp1N`tdK|
zB)be)N&-Zdcsus0y1J~Zt5fb~ne))tgec91{$QUWSmS18{WG8vK>3VLKuAbgoP-*N
zz<GNzniK0DQ5Y8bLP>UE(rr#U<Gkx>{5%T#BT3x!Y~qamw*2i$V8S5J3G2rDy_Z-r
z`P1lh9xKjftKBu#SE5wB^2z&fJbA8KuR}p8jVQIK5q$N41oA0|;Co1%M^u-=54+q=
zONl35LTjg`zv}PZGjn_Z{=4kfA54WD@<aQHaptuURB|(;=`Kjf$V6+>_#**9h5H;;
z4XWe+-qi{=4?MR^zMT0Kk<bsnd`E!ClO&hn0V}|<us*)NzBcS|yWmTKBuu3`MfGkI
z5FRZ~(pB2U5EmC0*p8Wh?_mQSh-nFAe_`)E&UX7A7VHfVoX<R`&g9yHwwNVMb)Lg_
z^&@3!Db%a0TVUwE)`iWtY~TI+9O2NCnO@J)Cvw3PW}p?o5+S3(;aTKf3$K)!eyawX
zQRn_mYJPLn-?}H_25|R4O4H6Q*MRW6r&Hyof&A<pabhF#)2RKB;13l83R;fTV5ZNm
zzmb#EZT|dkko$if<;3EyAyL912P$j$GP<tv<OVLnf^X9bK5I_FEi^M>)Z_}*ngAzx
z6nZMurk91u+eu4AQ0bC)5~!cAZe633_}wpjFwnXpU=_&ox;6GMe&O#(g69#5CJ7@J
ze>O!#M1)OTWiBP=l>RHg3^|;G)jj{Casu;_9wQjjVeS!&0kd>{?cnR;a-TqOq5|+@
z1!HV7k_OGE2zoXE+6hBCnbITe>&#K46}xZ^$nLE_X5<Cb)9^zwlC7&6i}{Y|?z=VG
zYc#p^yZxwe^_&HFJ+I<9<FpL#t*A;S2<QJ1UF<dR>fbi~QA~)_0ig!^<HN{5aenIb
zylc0`+|VKKWG&3xi20AB479BMvmh7y7J7AU^}$5wTvCIOe05m`6G42_XN-CDg112>
zd@F3lzp-Y|sBw>koC8W;pY(OxnZwvwL4plh8K3oDtyt6IUI?wc_xm??V_oIZnz3_j
z{c+6mv+Qj;-MB6*fryS!vs4&j$Tp(jBpNqId9uggZim5oyYP^=VL!vmRdCp@)0W?L
zGCRFP$*ywA%6$4d)?5#!E>?ii>0=UIvw7icmad}2TW1b?Pu@`QO|Ar!atmOt{icu~
zf{fe6Pm>JcT?$!3)0kHZcqS6!-qIVgl?qbxFNmc&3eL_vkclwF{17DVPUNBa=CT@f
z83z}(Tl;OQc=gw>%8vkC*h;jrp7JFtdn4NT!YF6aT&O^~*@tw4s7F7s+_ZuGSdL%B
zf5b3x!`4uHllA|Nf^B?cjif^wF)7h(#9^Y!NY{;^yiYi(?O=&@0@f^};&s8az<Y?B
z5>sMoH<2&==N+vHuzzcj54LbO94U5Y{HwQ%T}$s>^_;S>e7R~GTv51W=iq3h2@e9n
zUekx~X)W&C9HqD8v!C-=(1sk-!H`ZX(7vY9z;6fNSsd5QM;60~1eyFD!pl?@s6;k`
zM7Q%%IEyTGzj(7$Lih-mB%rr+p({f+{3YZ>Sz~03Kf5~4Gj7ozt|Qf0&?Uh{Q~&Gk
zW$O(970Kw-v!s*d!>BtK38xlPzC)vjH^-?0Uld)h_}m24L4OiDNMjR|9PB3DYE8Jc
zG==U6MGZW}>_VM13j6nkrWkf6B@hYQUh>Di=WGaS4cTDN0@&}~@O(5Chv>2hw%%xI
z5MCP<hS%Ud4*Lh*8i^!nEE!abG%a&lIg;A^j!k2E_ABmKdSYhiFx9Z#k>e2!ocOHt
zcX^(hv<Ub(9NzsPDv#mgq2G~z^Z-XRkVO)?v1d&WccMoISV0cKEQka6B6G+&wtF&l
zI(Rk0;z~R$$}GdgsfjO(YMUNPzds25P7Ks*!j7HOWXJkdn-L#YwJ&}xDh&#q9I_X3
zx5Qf@NhL!>-rKKN+E7K#h4wfn)t2-QTaL+zA#BEKp8@3nq{!5H?q@RQ5*#T!ITm*W
zM}H?dT~HhJ0mVy2D;0GowISgr#shh6)%&fsgtK_@de7C*kSxE#vOoV&ZObQu2LlK!
z0g;7BMG>?n6kHZoynx(0ZE6f6DUuuh?yFn@2yS}q2gdI8Jbmx#g#xPOKEB<RH&93t
zgCC{DIt8=GRBdCQB1^a!5t@u(=t~2T%xv<90g@Q0nM{rWmSms(r6PrPIF=mq!B>jj
zGW_<z40TV5tg;wv@C~r_ErCNVrRzfJdq5LpEtfJpN!<6hj877<t)swyg@J*AuWpx{
zV<{AO;R%xE_^`7xHjLiiOB?^>G3u1DC}M+TLH?K4^ius~72jnYf2=49&=So!t5fIU
zknPn$+uu9Y4)g!xn38su0>^jxa|fAN0EhZyKYy1q)?mYmmK_P6N@hhIXU1Zt2l5Zm
zU!{p9h>+5ULwah?CSFj&X0aKq_qLpSF;YI$U_DGO`lfk`7I=Fcel5p^2sR&4WPt=r
zz_BmMkiyo|h|FlxqZ*1%UcAU18Wv{IX}i&U#9<&e!p-R1jO1yV0l3At;;w`lbe6`)
zqH%cPzWvdr1{0(UIron(KF*6kK6M^F!3CPO9TJMDd`JnqOn07uE$&D1%lWuu)a5Fl
zkWjmDy)+J9R52@8>^`$<b$5YrUH}hK)DXINg#5KdgtFHz$;2fMrnKWXH~}1hP=cu2
z$jQ^mfd160u%UrRZ1(kbnV4aeJwGRVLrYI{n*0r{zH-iZ{Z%0h^Z5RK&!Fm!|IFU~
z!^qG`&TmM2%Hl_@(8BeTBB}r&>$1hW94&IgbA8xtQDu6!K#oNxsddS5n7#uU%?pQO
zV}yfS42ud%1J%Ky*nOm>?LQmhsOcLAK6<{khRMTKf0qsl#}CID;m3nU+)uOh@SV)z
zQ!Gn%-w@_b3>r=UA8qSZe}a`PUkn%+@3puw#IkCgO^&@8shx!g@AjIjH&_@p$TS?r
zy}q-c5)=jq_3oj!RE6y6*kI*ZRG{t!Ri^8sj;xvA@^o|NM1S(iB-j_n-1|noU{^^6
z%~;18C4Rf;#HCN^#hNjhnvf%V6$<I{%p+=L81qAMdLdxh;IK&`x7HqG6sUye=rgez
zauQYr&%rK9OFv>!dE?7_+G5abdF8xn{-W*2AMh2PZD@7ySY<K8$>$lA6ZnaK)I{2z
zvs+g*AKdDH^|KX9KJ}4fJiiesEbzS7$M3~t@HZL3RAx?BGo_?Q;DGs&$<?<EJ9f6+
z6R`5~KD*$RUQtT=S4&0&iR<h%4zq};xcFE`PubJbYo&lJeQfS@?{LYtX<x#n#(BCQ
zcEgAj_yiUU<}3t~Dc7hWBiPk5ge(6HI&kny;-NhlK@PgFIpj}H1=~qP8E8-1)uERp
z6gyJOp85uSJM&<i=S#I_{%0p}AEY@v>;hUp9khA>_f?e*Cz`z=tKB0t8Xr~Om&i+N
zSAUGmiHk>NJ)ywB2JtYn7Rh+E!R*E4VS0CHi<%rpWo9_RwsR)83<fQyWr*gJ9a4!0
zMxxG4(QKSRZHLKXR$@dJ+ZD=8*qCI5o9b)*-s`}4ai2JH|1KI6OxCBMW^VB#{s*Nn
zAPC=+v_P4JvD%U~f|hJzChq53MpO-he7$$<9nRQ(j{l?=$-2th<-NZ(H~?&7rCJZP
zu5>0XBi!sW@?!Cf`y>04FJ=K{V@QLhhjONI!TOCth6t_`2tIySm2$!!l+J`JC<(SV
z|J4h;-0IB9w(obEX&}6Bp1D;|odSVC^dYhYDT=PNt<S6ha>%{!Rm8MsZ1yGc!#<Z|
zexLpcL5|;lUf{c036Ke0l^-3*O<Zhh*0!KH6DCZV-L?01OO^)qPl%T1#?SLrMZ~dL
znhT%|C#aD1K2qb453mV1RZAl$VEJ@Pg?><XMCgM5PG3$iDAy9!^D-T?@9?sdU@Upr
zEC5kcQMvJbH%aw78wyc*D{PQ-mC&S-LL+&42}Qyupad=E-?OLHHx$k>NiRd_R4pnF
z4-orY_jRkx0M_)?DX7z{L5|`kbCP901UuW?Ub-k9EvVRebB)<scPu!X;nB}$U9__=
z#HrGb28IZo^%xZSLx&ws$hPGQv<g{o*f4npjj}RL6Vc^~XuXcYlfS<ucQq@MNgW1{
zM78}|{$?ov6|loPp3v;jR=0ao$f0STJOUE=Yo&66Ku*rrx$g}7)K*56ol$-+R(!%B
z=1NzfHO=+Z4?788@JC#mqRwRWx2vTA0)4m57sk3t;4fwH##+Xu=bd&^!F6Oa?kcAk
zPsz;YwSrMU!Qsr|XVw)H;Qe#bIhCXa#8gvguBJ#b<+Km%KI$t*dR0#6=H@JWGL+d4
zR!5m%2q54|Klg-YAIg4c9BuZlMDoP;?6360h|XJCFE1P0L__y#dCu3HPP}A;4UKu0
z1V^iSm9)EYQS&sA{FsJOqCt3iQdJau0H3)FVyiQB49=D(EQ<5Bk5J(#As$q>(Q$(_
zhQ#oQ?utNOtQU^8lAXS6Fm-<drsWMe66IF1xpD=1;hNUsp=q+<*WPE@0vY}_pCU_-
z9!npdseTQadK^b$2~~@^S}ejB^t}rR7Zx$5X4DdF?T+CWL~`x9GWXd`Tr09S&q9WV
zNyz!89tqwVgs)2zDzlZ78=G-2o1jBe90O~N?=C!mp2E`mt4fR8f$z-ens;1)h^3H~
z8VYal-pHF9M+L176FV6MnHoy#Q`F%E*4Z5Fr~U*JP?3#oyQ+ls9z%Ce;$&^sDmrr(
zk6nU7^uC;Ns2&8g=7X`i-|sF(!ZO%?AVJ{aH@YDzL%^y9N({?XrDx>$;t=FL|N31e
zp-uG9Do&e7A%J&f+$v`?NF8u3FSn~=o5|oXFfC$jm)*OhBHNg78U0jJ6zQ6NlIc9@
z9Rsp7l!D16AxWmNTwV}g%~(O3u=HU#ngo*cu4<h^ADcBwnQp<`9xfqV)|Ho+m*V_7
zT3nGOy;2{(tsJ7<g02FRc)tkt9HERj+Mo@Z2bTPTPl?yfE)(!3IL}Lw9<$Q6p55eZ
zU!vg~YPST6`RY!&!k4n5^I$0*@>La_EOZC?me2B7$AIe2ln}F%#aQ|W6K@DDv${9L
zJ^!kldG|h(*a#i++n$JtDy=!@ofO3W;}tE(kIJ2<B2Z*%4DBb_G9$Z$(`muBr6HPQ
ztg66g>7mW59RCIrh$`3KI9^TdoqfsGk>mW3^dR0?Q`*)?BWl@M=;A-Igdi0#w(sM3
zEI6#GS%$x$!HYpb+gWA<ZU@0gYnA!i5rp$o6W=<^b~a_-;@wPe&?X5uu-1;H$+}uP
zJ|Z+K!#pxAGN!|xXq4tIo@Un2CONb=ln30YJWd^|3c@&XfE_5(+%U(&Tvt{bfNVr_
zA3p5EFk6gCfGautwO{%u)O|rwH3ZWtDyjBCFw3O^HH<5n1^BKWhFoCld&y=^(K0Ik
zL--&38{39mgseoRGP^rt4DWZi#z_n8sP@RDbs4*R3U9f!bAw7!!gXU;BDa)vC1P82
zHx+46?{c7xl!ysAsx>7>BXOk`0$LqGAH!tlBx6`;Xikf{)eIhD0nC0~-IQ~!cNk0T
z5mmr-PaqIKmI>d?%1mU#5Q<62)T7mJr`eW|StOOk_0A}mir}yzbRnp7jjP#MF@Lt@
zG}asLuE>zF!WLnHFxpkup{jU8rG2%FA&ikXyXMU{3r>t-O0U4e5Ny`tFQqn0XQ|vX
zPjQL$gbrF)xuUk(-VJtlw5g$nW3@DWH0?SPWCtU9t3vXMh9`^M@6mdBZUboo18mtr
zV%ONS25hVT=iN+hdp}X+=P2np+{nd@y0IJe@Y-+l!!Q8gev0@#S==4xxzQUgj0fzP
za*Z2<PCG2S#*IXZJc5`F1UC%(JSs+$Itz-i3dk-f-4-yOH0!lodBEN?Mw=oUWyG&b
z!=Me$^4EDtr|>`uY6G054S{;`^=x7djaN}{P)GWf6B@_mB*HDUrO3wuRsO=l6-OQs
zu<%cek_P^f6;qlnWYzK^E=4j@{v9%hq|?r|{w1<%q6HcP0zx~(>5U9vW9WCJ>Q(ff
z`J6c;I%`9<3OSWbFKG+X;MDR`43<BxYD&QwZAOL^=)$gPhX?Lvhb@G1+oZXRt@@x!
zc(Vr6c&soJ`Jd}$!Af*ix)Ly=RO?$uIvI65=gzc{3O$n<P8ieXRM`B~%qyAZJ<b~b
z;w78tlsn?}ldKf?;L{ThN?)mhE`S9F#(Fl{ojB)tEbxf5kbO%j9)(`psr5}HfwBfF
zfO#4?k`7miEB(_Z&0*~$kCQ(qV1&8dVvCFa@_eB7WDL)V^uhJ2CCK0;FC!?5zk%U1
zDK~#=o}Xl^uCTWUyOyyQ-{vsmxWOE2-V4=(lV-ISWJ2ECR=k5a0`kl`BCp|9%?<<4
zwcixak|SAlsbXEgcJz=zm8@w=+l(6jyWgmioMTiaE3j+Z*Q^n=Wk=``Yni%N&5x&(
zk>o~m>Sb0xE|@tY-DtOp;J2Mol2SGG)=ONtKx8Z7Ys^>gY#1V20w>!w63hL-Q&Z`2
zAd1?V0hwJ*4#6`xc<My;_B;NXiT{$(NGC<D>9;N(YR!Y){WTHjH<oE(`lBC$<KHPk
zR`(``ICes>Z5ZeRb{oT6CqLzzkB47>jJNoB-M0TCaQApEg$X@wVF*9v6KA{S*d=oQ
z>h}{tEwumrq&Hq}35DCd+ZJyE>Jv+@xW9Yw${r|ARG}Vc<vMK5{4I_izL=}k5DsTa
zBb5t>TdEh%zp-(S*i|g!yx1AeVC9=35IW6jK;lAks^_1Mf@!kaXe~8V6%0xzIz6Bc
zQ6ad3`7l_gAUpZVLy3ybJKx>ieF%R$lkr4ntiskgPzNg(xVK>|Z<}5n-8FW5iVkvA
zBP=9&F(+A-<fEC7fTn6!mUD>|(vDnbf;AXXCSe~r=A1t_$ld%n5NyiuFZVT?2&g3*
zTmqbpMa2sG%?v8~Z!+(OP58D_;r)*LE$TDz-Ohj47Gy8%OG!TV^3YZF{!A7gK9Vr<
zC(Ygxq=H6e=v_nTPcvB0BWH&&aLs7FQtjF<ZT>A#2uE^GjtUQ>1ws~imYtP<D1iSr
z>20yUZ#m&Kk#<I#<;4Y+esY>Zl#exdt4Lh@g5||}4$87?V~yl;yU-xy`ReQWNuyU^
z8wIYkM+eSJ?%AvkAL!4i6`QF4b&wg}PC>9ljJ&1`gA<qpN*7D4eS<t(y)UT|Z)B0N
zypEfdf)5MOxetlr&D+|#4y=+ZE|lf?4VC%2yVY)sPqQU}FT4~ZF_9(dxQMPpv_&3x
z_M>+v%(qW(PUIRdl@dl1B1Z3RZ=isoqfT-5)L1(wro?l3HPLh`f&t|P_)}DsyQb&;
zU`SJM37=Y9WQ`ac_ct;9UU(MedJwXqS+Y)KKEbJ+`_^5}zps@_sj|PzSZ_jLDl#Hs
z7MkRob!YD@dCk!$OY!*#&Cpn{Xr$BwJv)R#5?bE%@)zyGj5|@=rz~WoCbY9o<!*o*
zZ#oe=wnt5wjvjHt&rS{2D<KVPMYr=H$O2R11`v*EEy`8-L}O4trJ-*Pf=E2NVg?z5
zn9@=2AD*elXFpqImjr3nyqUCW93;6ng{jPNZ)PqViqqGt0<*L2+p5O7ti@Sxn8Qak
zqUWB8W53sbWCRbk_`HVNf6~APAyl2Hp(-Ak%B3vE!jgX~I-_zIVn*3=dd6PtH94B4
z3?Mbpv|eCUq!3S&^Pt7`IM*@9dGQ7Rp1s5L@-hdDpvml5D6&UYxR%kImUdkt%<!0j
zzbnqnz~Z8&;(~4hMoHXr#r`1;$WtHhlKwE%8Au!;MXXq02;*SH{p9tmH!VMCny^zh
zH{WaHPLzlbg1Nf7XHLVl&5T;kts>r_YQUNRAwE~D%x!CV$k`2t$l6N6t}|5aT5=JQ
zrP6ApK}8$O8zXj1IEi?ckiBS-TV8(6MSG4tyEC1YiZH(q@n(gC`(}Fr#nyF@vF(D8
zO$M{<#^;l!E)~E}NJ<Fn)j{;lG6asDyoduRGzC3o3ITvXcE5C36XYL<kAI1U+TO=T
zf>@r)<Bc-OIHf)P?sKH33tq_ZlT3Jw=uLU40$8Xi6MaT_a``%+C+T_rSf!I8yNA$5
z%oY{1$OQ4zEkKt^(8i8Gov0t%OxENWTVa!FS=`NC-|o^kU#vdj2Y3*HvnE*Bt9sW7
zD#$>YB9Q)~J<u-I*6FBld`W_Y$;|De=~uhCI90n9`EE(bwcV1Us=d~XH-hLFpHSXq
z`d&|#62W<i7HNmg>4ObBWMwIsB;F1K1LIi9xLmYRRl-aKw^CB$Bow)39m08T8t~-A
zlx#qun&EDmb=P-AdlK@@C<$p$Y$XSLPA!h$YErn;jiC6pH0@#7A<dAHN9A~ni#y6m
zGL(siE92r-gMquo5>IYbv&<TK@(ts$zi0JahlC4qEX7f*fqU8qkyKNWL7St|Za;;v
z5@%mm@%2~FJ@{n3#BpqhD1=|dM++)c2X7n_1d7D@0FXL5WXJL=C#c#jr7-GdeAVy%
zTh%vP_yC|7A<n>QM#)bL!|y9#+?62S&p^XDs@eYXhvkvKiGGb*l0vD1s3NH&j&Ch`
z)+D^1W6;Q0I}i2?7$xgHI9U^X9!>0s_4=$uf}7q~0@1eCe`ov6>-t^Mtztd*pi0P5
z!EK=$19Q1dg5i=h`Y#x(wIrWeec*PED}LCbkuarYWULEW2Xa}HxY5!U|4N*81BG8O
zjBS%a;09r))`y#rg*63^gol-Y+I6B-(W($6ahh2Q_v$lA$svi^nzqEfreX>Cb3&Uy
zf^|1%(Xrn9>`EZb*>5Wx8;Kpe#=AJbW;X^pbkHR_ogi0KfR@LdIojD32(A;>8ZE{n
zv19Z*pVT;TP{d2L{L4-S#-Hbp){EU)>(0h8^@egYCo!&CtoNdGRHQ@Cj#<8T!{CNy
z(!3%R5Y?;s6>cXoT)2@7P(-SK!``7KaQ}3r(E9-#e%jW6Hak;M^y(y-rKu1fuZRLC
zZk4{5%d2`0`YQN4*12TC4X_w$VEfE?cZ^#Wy4~XfA8Wme>4PvM+gUr-AM#tufOSA;
zp@Z5v@vHN%uAh<8TQrPwmS!<y2R$>?m6wPr*6poB`_aWJSoW5?ASli<X$g7ENTE?|
zET4*ta4m^u{?BekSSua%dif+hv2#21eSbq~i3+*iPrqcMnBo}oZlXgZ<+u^29$s1T
zF&+*Vbu`g(blxWwj=2tnmh;%QmCx;x&AlZ}19?XR|Jl1CxxmE-uO4K*Fc}MMJF+BR
ze)(gHyG!M04q2RR*7+Eb>ZiUxoxHY^K`1B^@78-`Pq}7QIjQ1Xmoh31mYoa~r|0Y>
zO&&VN$wtl7Xt_Sw^ez`@@m=4k-5<d1Zh4Nfua1NDx;8`eR?hH>%IvV&Paii1R&rs(
z<i#B_f2%;crCkk|P2tAU?f8t#RLrQhwPPn4#nF3H+&^tRafvr-z18Rc)PXkaNm0>7
z0}5(>jKSz{+i>Nk6<X!H*fu5UwdgVHNW>Kp%~)<Veg48L)s)R^5Gl`Og!#7`dX?~-
zL-P0<tpOulA)iE*GBhg4BM&Hp0*q7SyD4gTJYT!hnp@`13wof4Ma(n^9NTI!i_(O|
zl~vH0`9ov=<1W=O{tDZD@g>zSM84nQaud>)ISVX1*enR~_2o5A@%BwD;LV4O4-Sx$
z-`i``x=e>$Xo)u0DzZ%%a|scUSwPah6grGElXa@6GVUz8X9|nz&LGQFcc(^lOiYu`
ztL|&*%Y&;ZRPc|{GP%SNgPJltPJ5g;QOodmJstrm`;`?anq$|Q$y*N1RA&0LdBgmV
zt?TP6_Cq$#$W3NoKt*U{$Seu)V4lMFlM9ggnef1TDO`a&;!YM8z5%LCCq0&zgW4OC
zA#V%xKLLSsvk%rxA<ujuc`{;X6lUtc3F6+}Bw7vPTk|z4Y#lh`kIz1VzdRNXO#C>*
zAKT{e`$?XfYW=33o}NmybM|HFMYRxSC`NZg0?g?HjFoyt45J%a>B@KoFHuGQ1)%O2
zaA9uOx`J9OqBcK}RWm|jU*~6Fn$32bkYN41%a&ntJa$7+=cXB^tv^`~AM}J8k8bMp
z1<zjLMSmLSZ~mH=h}!pPQ?WXfFfO2S<%^E>Q#HgCilMd3&B$=dU#@MDOhQp{=zz_|
zGQY{Dyr~mGRlpJ%T%n3N@Ln!Av-JZV^!CbElq8gs2X;{mqlz}^T$Gc*=6oY0B=k-h
z)=PR|&@WfUL`p0oPo&T$7>}nvqM5nd`x@6*g+Hm4Q!Jj_Hc9szyw<!Q-h_E>C_dlF
z*ki~AmlDGo)bHnq{LVbLb}+oYL)#gbgg$!BNq^ivfjpkeJw18YdOhRqYBumUhum%N
zGgEZZ!%4Ni%6K2Q7J^a+I*n|lfOmcSwds0?>%RH@-QD)#$n#=z#+*Xi-k0CDv?(@t
z#!QNoCuGtum$AB#Kq3C>(EF(H=N035#qng#d)1G-bgFM10^TJz?)ySJtedItVX>Yg
zxZ!7SE8z{lEh*Z>H~ps79j1Bl*P3~+TsFU?N2X~#{%t`-Kba*t|MokVO)v_yjO0E(
zyFqJOgHrk2ne2fKwKMc{>a{zfBe3gN8lfwXrftOc<Kjegke*DUnHTcG^r?fZ%A~`7
z0q=}P>b3TLe0!VNi0dW;en?&T?+sh6!DwG!V*z#K4c7^&&WMc*v5XwmKITxbsC1CL
z*L^3r=(%K2pCU<ESoc*|alA0(GyX|6HF-hsbgNfNv~DwmX=94Oyhx$4|2};g2xvOA
z3jS7=RMS60SWGAC(X=Berp}!(*xw$N{l3@aoIDSA9wwh?h}JlL)R^485apBE^?;W_
zw?RpMNPVf5D1*<zX%EL_%VFU@69X>)g?##UAS~IyNg|R(_q#g;=_)i*TT|tNCAO%%
zRXeNsd^W1}R`5<Orh2Rt$)IQQPBra+&_puH)c=n1N~G>29&z-!WB3QU>%KCeqa+$>
zGP3bZvkZ(DJ3+J@dXMfudHI^?<vy%d!y~KAMwxu+1e8&ix(~h^V&8|D#Nt8mH3}TW
z-`W}qc1~`yt4eo$$iFzj>|BKiQ42DjJ?XvX3e0qD#)03G<yt+gHy!RAS<o{Xba&2F
zJd^8VradmbjVw<SAy<DX&bEa^n(Z%Di8p(0cOEwjB%?ky7~Ta>@*{_wc7gPy>mQS`
zSAlsgd9!UBS=jv0vbN4x!%9GS@Rtr2_|IR}wtwM%4N{EHv$Ky~(>VSejry*~{}*SL
z^RLv%$c*?PDI_qGjg~~{^Rhc$&NHLn8+!oww|z2{A{vcOe9vn40hx!;3P@Vo?80h)
z>Vlv7XRhL5!RU05js+vqPllvJ{)aXK<4cgJogK`TxdI$KF7*_SDdTtcj-GIAuDwEn
zU)xuwX4}7Wht+o<SnMLzPSZCFo?GA&HOfe4x!~j5Vx3p%D!hl06AvVZ_eX7)s^vb+
zCii5cCoZEWivknd^0MZnFFC#Z&jdv-cqWaZHHjqlj5`K>`A}Yt-<9tLgyA0{eVe`_
z$rSc-W{302`5DIG6yhWCk-N5_&y6PcbgN8nWD5acA~S>+OjBecA`PMb=ndBblk}Y%
z=@6)~_Wr8!G@q4O4kZKO`+*grC%$^-xXVG=@9*z&{OfG=qe?l)E3PGEORu0EhL!y4
zygibVPLjWxU`E2J@{|R-crnn&ZZML{c6Wqby}Bs8TQRa*yRUu%Fs4o3{UADvj;eC*
zrd%K9@4E_2MO`tiH_*e@81qpEV6@%&2=a12GmcLwA9Z-cEYtra%PC3}AC05<KMhpv
z<ehwyBB<9Ept(+?25}!BM!s)P;hsbWnfCln8NlC<@rMXte@K@i&6pwcvRER&_05&c
z4W;Lb7iUs3tOV!}A4-nDI!!JuHq|b7L|uAe!1rMdHP>jdzU|-K+&Cy28~p}^IgxRZ
zy-hJ_G&}LRl*f6QGj$$iSpWQ6eO4zA!%1)kYXm-wwdndxWURf;A@|p+jc7OPw6fhP
z1~V9NoxF_D#)elxBpKqR5$jz(R{RHad41WS9F8%SGI|}%sN2j^LZyGQB`Q$^^P6){
z<UV0IXLw66tx&fR=mx0FLqc{%n+TvSGSi!Lwu8~zR&#3pZq@zkfPo(Il+Lp`BlEqE
zqVImMs)XQnXMu7Dv$*@Z#`UL&*DbrqDE>mYz*M$nGY*UHaYo)tq_s<L{<P>hI##<~
zek|qKok4CPx?D{N)TH0E?1hHqBT)#?5NAf)FpsL+&`@fKSIF^m&kS|z;}OBdq~|~;
zkD|UQLaV}%=NpsowX<Gk0zIeGgUcWu+|$$mGXMGbpFe*Dow3aAh$H9<iZGB}A?JYk
z9wJ~}5jZkAbM)u>{@Ic>LtmN`p1CZZFu5I>c;gQDt8JbIc6mmD7;>cI#ZTAchi<CN
ze6d<ikgdjMMhy8WBP?68UJy7A#!9c`HwjGprH5O&*T}VuftgGj1*eElkk{%D_0$k<
zGF?hT*Z%xi60as%TKh@$m*dfmE|RWLaru&xk`IG0N*dxd!CM%>lcjz{(1`|M(?T}g
zZI{k=L&SppN+Kd7GlmQ9rDJmr$t6aocrjBHe$VMLa#2rWeJ)&uEHy`6wl6Q<;V<@(
zlWV$UJntYC)4$nu^1nfDJd3WVdg|_9x*k$d7l<&@e3A6B`^-+xtSYV{e)dCA!B%NB
zJ*fUcHQE5?NvedjcT0GO4yq<%H-rvenwG~b?>{Y}sEP~4S%H2fdvB(6W7C>4Zu;xe
z205Jbnw39qIvZT{elg+1*1F9VNPfr3JeY+2Nxoi28rCk;g8v1*JrR;ocTg8Aq?gLL
zF`JU`t(bk`u{VC_Y)=?$cbH0T7I8ulexlTE_B?dbLO{~mWAp&0nJ2S7-fnfedJ7r_
z(|&g1{UtU@x1oATea-N(pe`W5m!~r>cjre&YWs${ZSY2cZKy2{vS}IWU?j=cUQ8Hj
z*E4AVqNJYZiRQ)zZB$Na@6^j%WxIte41dAwP0IVqCI~Lm-4h|a50{qRe&m;|j-#dj
zc5Y3DlYY%g7~Bb?PL{C|G0<I>Qbg}>)uVwlWi`YQCAa53S-TG}!<94HI^u;%CcCgE
zx{CHeMc%w9{H&350!17W3QCX5%G2e9$ecCU$v6GhA{w;tI9Sr|F9oaSg<ykDSUj+V
zVagu~D@F^&3pZL>9mssAw$;DmEBy5D)*hQ9Y#hxX{`fgN9%1_!_+cXO9>+8-Fcqj#
zrSnh|XZJF+LNkSIezz&HGk9l+PIR6CFhlBSC0F#UL59kS7rvYi7007XZy=1!f~mf2
zb6K1Bqcu&kQ_Sr6Wuj=gbZ^F21>{A+3UVRFX!(>#7vtCNSvey$y>U(PsA^8qUY|H-
zJXlxARXk*15Dg*eic=i=DhdCW)c=Rs|BnIWs9t}99kq6189+p7f62!IGLi}s)ndPb
F{sTGwC=37q

diff --git a/application/single_app/static/images/custom_logo_dark.png b/application/single_app/static/images/custom_logo_dark.png
deleted file mode 100644
index 4f28194576a32f4463ff13ac96521f979e739bb0..0000000000000000000000000000000000000000
GIT binary patch
literal 0
HcmV?d00001

literal 13468
zcmbVzRZtvVv^CBE0}MX+Ac4W%-6gmLcXubj-3JQ}36|jQ!QCOaBm@uc791|$U;op6
zybry*>hwd`>9cF^wbxo5qoyK<iB5tJ2M33#ATO=)b{~1WECDEQu|F~h0}hVcLP1(W
z>(iH$0JI-u+FAPoC5vm$>wiE|Uuy@&C7o|4tu(`t;-R7W79bhQ!ymAO6$}6Eo_(6E
znHdQiq~ViEVe&QDSY}5F0s><~4AifN4=tpYBpgoR^rUNbVPQer>*wQ(=ANg{#|P(4
zSxA}K!OH4_c8SVYkCy-efDA|i2}k<>5PHY4&fl+w0E~Tlz&Y-#rZ8f`=naBI2#llN
z=gJx(Pp3*BIYkP)Ss`{~0|^+H!BOn^yHO$H7L$}0dd`{{v+epbkc!c8<?OC$$#~`V
z6A~K**n&T^<)0z$edspo%JP&DY6!f3lRbf6r*9Kq#*t|)pYxw+*7jr0pype>?m&^r
zy(=be<#rHNsx*>F*T>tn_zInx>V9e2FP1OC9J1^~o{o-=$Wq6ssk4NA04{WMg2E?S
z7!Y}m=|iQi0Ns>ajjP&T1(j|RDW5ZKZI9VzADq*A*YkYwQEnuT2#UI=u*Jjx_%W4(
z67L!)b*vDde-aiJ*K7uJ`lSLHQxW-rE8yPx$0Vn?)tC=RPSt}9BczCYaX(soDgtj0
zW2Gzj3iJ%clL~O$1c;@{zsqQ^B2>bCWdZw$+KsqZ`WR@kp=M@8p|MDJYcZ17K*!Q{
z>Mq{_3#=}5m1x4Fdo6oysbS!!Z}@uYgG2N~luYqyf&Kpf5MdX)`3l8woHwmRV!2Ga
zYn(|+L1@(<^;!5p2T*b{GQ$sLT3vbLJH{=}t8IF2-vHLw;h=82mH8`Slu8;P*sQX2
zOhP8fm^(Ds7#^cpi}77;=qn1%(~Pb#@3MVU(l&ponV#q&&Ea`L1pJV$w)TzXD!YpF
z?|-Pn&5o`87uiSbL)h2baF9rNkdo*a2oZM0E=y8ko>_bN_q)xIxs9Ol)%DHM(mLXE
zPSrAD??lhtchEFf@Q_<&a2R_57!M}F%OAZVBLXw@Z#8sgP)}Wdw>4V9P!yJul9IdX
zsDUCCeJ?UU{XXO)3fs^Im%BcTe$A4|(p9M$*oBwps#>z(oIxDxhumGRdmYypp<guy
zv{0UqvX%}7ESDUY5RT}uR2{&P2=4WSlkZ&*n>jOsM)9KJ%&)R#jMvbiw`wlke50qY
zfE<?g5V!`DxdZH?w;&fpAUPOYiQqIvePvq|`z-1#;*wZq5WCmI*jzV=u!UB`JUnlP
z`x#%n8dT_^vg1clpmi^mxh?H#8r<}H&O>E$KP?NgOP}0vw;S7^jI<^*YGKB<sBBW*
zsw4u1amZ*B7|s1w{JQrDNEMC*F+Z?kg@8V6pfvfeQp#gK8I@`I;#)k?#L&hOvV4}m
z>DJcv`L=ORA=9Dy651;fU|x9Hu3wdnmtHB~kuBHbjvLb4)a0Ryk4p8pY=VPPsSSBC
zg^A^<l$bd2kgyJclaxz0$YM&1%V;SQnY#AQnw%a*E6iTU>Pd3`d^q9&?@0^8kH8bw
zIG2ZU6r_IsP%#L#SaMly^OFA()$0%ZQ0d6qUdO4fS5l6yLWgHhovb#Ch}fpxg5Fl#
zX^@$P{Zr3R4{p2WCma{6g%@Zav;(Q-ml$9mjEjqr6xFX-fXb2yz#(WtikJzx6vpjD
zPJB-@%&m`iHB|(5^nML3DjTF!_3JY+SG<g768qWAxj`|2hdrR*<~rkEoxPq9=c9*z
z<v4~+kmT^$A!f3Xt-5a+9eC>Zf}A?jSYB$tP(;d^1$!4LR?5uCM%lwIQ5n~RPE)k!
z6U7@EjF-fw24hpDO}Q97q}>PFM|nW(Nl?5E*0$$MYD`+)ch3A|xL|JNRG!!!=n;LL
zk#>e>ZLD{4zkOqDv4s-0Ifhu*8|~)AD)pPjP|3Dr@qh`w)u^k9pimuBYWmF(M55La
zxH9lA?k>cV5`L|~EBshWbKt*HRWg=YchyTsVO^@Bqp3~sn0u=eOeW-g%q|(-JJ2_j
z?}#V|CMIqzIN<I^F9fqwR!?)GoOKmK(TAj!v5PZG<_?$*AHPvPLn|9xgU~FLBCF1)
z)5;#OZoeM#47Q%A5fig=WlV#AMfxv3JJ}S!sJ>Gib2|+{adYg3ilBUJQxlVntnfB4
zEy`k2;#n-rdnAv&)^G)}HjD4Y6>VK~?ZKl_oot3s;>*}^lX&&BpTfHx|4mVKzR~cw
zSj|AxWX)JwIJz0vRu)2!T<2CgUoMpW#xYZSQkTB%Se)u!G5@>C!Olg<WB&<eC_|kI
znkp8iq;pwmb^`ve%j5l#rUC{OchWaDc%SI=lDfI3KkwbXm7%YWb9s}k&$-_yOUuVr
zRn5l`vHDna3LQ?5uSI=as@JC27q|Q&um+Nn44_1~Z5T!1-6sDKKUPA*xhv97!NB|l
z`=(DLqitSC#hCGHjdm&ZzBl$2YS2G~iG!jVUn@obHg))c&AJzPo=<niGtQ1XWv^xK
zci4jLSoP`$)|(uNL?8CQ!Iv$kvlxunm3);=6nnX|R$af)R28x6vEip&OXS}IG=DrZ
zu6Ny(4D9ms?Q^lPu)q*L{u*xR$vL!~A5E=1!wBA{XCF#rGwJG};1wEw4F3)Hnq&<g
zQeasZL%V;WcCNX?=_?nEVF+MOmKUzG9Q`~Rcydkb=YH0COESH8?)J%8Tl*P<tz#N(
z-9WfM4-&3&p4kGvhyDb>yZ_P9zEO}--w^N~^*}EC2}YajBTN%#%WE)dX~}y_AaE`7
z5fbboM)V35KphM?U*XCw76~{kE0HvL{uN2x=`Vaxkeqyqsrx;)5csM3BiO>R=FV;`
z2DKA`qD_l2pw+k{D9F|oy43K4%2x~L0Tq&pPFP-7w`DcVV*GTwV86g=QQT~EMgit|
zy~9i3qhrJq0!g~;8sV?qRT;G8Zup)$1@~D0`HPaN*tC^Xm#J5#<sO24$$5SRdn-IL
z!~r6O`=y_#6A*?uZfhVV2Y2B~C1VC-E$WGZEIE^+@6M<Kqzum1efi^O64j(%=dU{7
z6+45=34uI>*3QGu59zCSQg)7xDZ~1&!h*v3NgURj7s=5LR^#bhZ>9K^Lp{q@ff84C
zS?J(zic-7XYbeJ*w;z14sp)CZC%N^LhnK8aNy5Pi{_tod%^|RRw(?s}bPj5`<&>AU
z2!dU}1mU*DcRW*9wFT%5E!gh1B-r-*-G+j3Ie6GcOKj$_&W0J=FM}YVA$Fz0=w>S5
zsF%^ayMcGB;cs<jqM)7jm)Ak?I;z-f9X0K4IAk`o#q&U;LYHyjE+50-ldYEj9Jls(
z!;8?+T|cL=KI^%t)0l;7OvZO>`TCc@<lfY+h!|=Ax;gixYTFZu_`&UwDy_~nh|mT?
zd2y${I=(c+&Jd?!K&sNanY-N1r!EVF;jUot!?-T9^>1%H^}K?}Rk-Y_)m$LIa38vQ
zDxUJ(-FK%I9pR*@{=O&GOjlT)0TjR5Qt<IHlUNA1&k3S5;g;QaU@9vPMx(_AE6Ql6
zZUg&2<!x_#Bp4r@vWaRi$+F(Ui?quf5uz>>5C<yLrj-72q(F`n%oy)f=Yp{vw(*Yb
zjk&><WjU=hp3H31=HbX_6CJh%Ru@9|9@4#TmY0`5($Uj*!#JwRqX$2pG%YC(SPYuG
zv8azMWLMh|q(O%5s1BQxRvQtq=sw{~MMJ{}xRps4y#jtX>*=Jmq`Fv(KKj$8{CXG`
z|J>>hN@x{_M=zR{$}VQLYtm0GNH7Od(WWotN80(9a)0m@&6|2XIb5h%b%j2iuD0v3
z31!UmY~8`Il^Jfxh6{4f{JQqy_Dr?h$TFjOQ4#Jb*2ss=GEJwhgmJ%@_n6zvH|HSX
z9TTBPoM8gLuZxL_CfMHyLcnO|@UG&spOnN+OFTp}TD_KZ2&~LFDcZ|)nFW72{-cl3
z*gX3@I=>ezsk&(25x>C+Jd=cAQV=i4ANigaf~iqaP^!lX&@X0^lW(5sawYv+x7GM5
zL)M6{M_roq(amk^)u0{Y?D3QcGxem+Qx~9Is(kxc_FU9>GvJrt`>rV>W-3c)ZnQ}l
zTGxIED#fRDVw*4OU+gc+^23ziU74mLE>1vn0%zj;ibW>00D&#iHnWaIPD&8M_o$wa
zxE(QjTNw!Ly&Ih8<WT}D7^Nf}lXpc`#aEH$b$2n2ynZx)i%k7Dk}Q8xr(avrD7p-X
zcf@n*PMIGdrHiVRz`1Q*-0eA9cb6HmzOpGEkiTs?s}?}j03Trmn~Weq!eZz;?~#Z6
zMSa02pdPA-3j?FbI>+U))rOh4tYGes9AVD&Z2R3lh&Q<g<KuHrslbSau}|TW3OIB3
z+}@K)9Y<=EaoZ0}I8^$64RszOFX=rF(^etr-3d*@;#tEQ;90Wg5ld65WXc#H+}zwW
zDAvsnZj=ZLrJ_%_lCU769$3RH%sJ!lDI>r^9p+*#(lZ<=@4a$M%#AiToxdd>m>S%^
zAb=*E`k(irvI#t2&z+qvMH$QGdlsUq(~%>64p)fQKAwHgMlPNC#GR#>t5fx%*Av?U
ze&7RRP1gpQgk0E5AI49+sT}PZKWVDbPt-3i5t6L&7yFo+GJ)M%*2Zf%iU+DkO}{CO
z=6XLP$Hj!X7WH#D>ZR8lJd~P|yvBkUiQ*y*-WT<m5XKEIt$kb%K<sgs@W(aw`T4b&
zYc4Y6a^m;eH+bKF@$^n1`>YbxoIb=TK^QxDk?j1Ub#~c`oLOqP7yRL)J=Bq}M*n1W
zqm_r@(fwg&Bul|i8h>^qrG;=PKVck0jI>6~utjWPxzR(WBL<>|W~@ZeRluttdpsij
z>Tt)XU8p#=09IEbegqIc1D9$a)G;a$U44Y~kf&IbYROq9Y0~5Vvj?_T_qKceZ!_oY
zR2W`T-8=uK91le9%>NUZEQG9Eu$hUfwHFk!HqAs3?bU2%3h^>7(r}~dX=I^y$L6q@
zZn0!6%H&ANELPY$7s=A%QQo#7tYk`9E<e+>=ga9b8>*%xWvYb#yN_ufFv=foIP&e=
zH^11ytu|@u7t9)cCyvPLgmLHw9Y|+~AFBiixymkf!;!svgBc;fxx0WmU1q9qUJKZn
za><-k*_WwVjTzpO#;OVTVo99{C~<~ssNDhWLpa4-ebN=KUj7iq>(m~M_99Zq{Szd>
zLy<_i$4&lMGtVNpBiCUkm2<^eBOE!(6gGs1R%E7^?!=>*nba9w$1TO2B2PE>VHG_!
z-xZD-V$g6fjCY}9kbZ*#yKo}az5U+e!gwytOrrL%f;a@e+~&}{kQnvSPi(JRqyg5I
zaBN36;8Ue4(4~w<Iw88lr%|1__2@bYBoL|6M*1JVJ|?WVh!Fu>%nMNWdLH-&$Rau+
z^~p)!)aa&nuI{H;!1}c)Nr*9@M1F*8j3sBPM`kxalZMZn%zsP7ku*g?CAPMqie!zU
z--_ZBcLe^xq8G=<XV;eLO6+b3c>FgpTl5}Vp70=0uWq9NUZMWiF`q}o9|0*T47M6A
z#xG8hD28JMv8g^R<JhS(Fnr~?ggKsPe%Q=A2%Q#VTGaT?B^!<;-{g=+2r*DPuMUuK
z`WW`JL=a*P%#?uyc~)BlG85`#HwVxU-Fak9sCs}=w;-8RPAh?8RCn*eOmrqm2=8e>
zv$Iy8Yh$M>+wmTsY32pGd3s)(`CtI1>Z*no>N4-ma<M>?Nx`M2uJw{B4j{=EmfszK
zGuifc7f552zGF!rW;ToPe;D`M|LKQzR?pZzJ$&)_Sr$Rrpa%V7ShG;0rM)wkZASa0
zSc(H}SE;dxmwEhs$()T6=Mx9)V#!h;0X;^IO8BJNI+O;7Ds^hFcY5pX)23)CKa&DP
zosK-HKTNR$w;o>_a*qN$cgE6MuCsPYJzD=fSbw`u(`ELKaN_fag<hlBViYo?prELf
zE;vwz2ac)HUb~N=+Qq@)KeyO>UHXkmOCsCDk%vbSg%MJ#_{)TL^`O2X1A9HM^?GJ(
zm04hb9W%}=t<?T$U0t2Q+bnSqOr}Wy4|4a+Gx-r6;pYV+2OFC99(bT#g=`5;?y6F(
zUhL;I{5nPqCJR1y4La8bVq>pw_`N*7Z5Y?Gow8tI42sx^F;HD&#hG=B;NAn4AU(&T
z+f<^v!dY>C@t{uLAbXGgyZ)#P+X3z?x`_lI#$E%Gz0P^v`|p^iXTug8TW_t25f5)K
z9tQgZ9D%<@k))9Z33GB@?vIR&?1B3B?z>)*qPbJmNvsh<oUIYv?ts#ci1Zn4HW0}s
zg?vEr{<W&R&RqDh{f5CESBzyJ(na!7Txd=|zs68`*PaPrgep#Sq>$p0M^LbhDP^>y
z#BPNztaNO!|0jz=!!OJElDy?s4;$dX&HcZ&vldF}NEj?3p)dOR4KcQn;$7Zrakl>0
zY1?3fi$SG83D=&LI=JJ@MF8Z1LmTx_Vnw8fhjC-#lEYY`_~=V880={q|HD^r1Chen
zQ~@-@5nQg{#-<^+dHj>sgKl3E(OL}#!M0|QtzM7aD<7VmN#_xwD@rB06bI&t8G>?b
z>0WNk*;<lBORlVL-1>H43#y0L%A-oaYYj`qg}3rj!lfZLf6VzBYOz7&@+Q?fdUsTm
z@b}OsYAq*mf?kGJ75K|`?TR3#oXNls(ok0^shUi5fXBrk5z`xqG_oG_`s|WGzxDB;
zt!~7_C|8HZQ=S5vt@tjn@o>=qNAk7Kc7}RQPI*Ml92_RvcqQ>28aI8pGrszG)*VFk
z?YKU2VPgb`8tF@t7JWrfx4Wg)eXieWjMJYVbp#2YlWM(=J_P)#w_1CfTdLi&Cwan?
zz|q#Yq-LuF6U!HAiaWsYX_xSy+uh8Z=<h!F<lAs&o$)yN&6gYGxfxX9Qe{RJgk2Ve
zxRZ=T8VjwJzkk`y3!9LF)h*b5>N;~k3_GaVy}a*Eqc+kRR<P*^qbo)|SGbmcz9fE<
zrVa_1dcDZ9$-O62;}B0++pAo#f6_yv=3_!HVRAC2jTVds2LD)(I_ec%a?lIegX6m0
z-?v5N_!pN+9M(@>LBZ#6`JT{erI`hblGkPJ&)Ezu>L$Mx35wl(Rh0M1Z!ZEEo-|ue
z=i}(MsSHvfN?;Dxl(2`~xLrUbDb)aHMlnxveGjzIC2Cu|%&OKLnw>#oU*d&Ao#{_e
zZ1-Cr#?n1x&y5;#{b`6>S(}dDflcW{WEU2F*Dg;@oe!>|Y2|@0i%A!mWZHf#0aNa|
z;h7D)&bi}dFJx4Q56JG^Q9VBP;6AF5vCE&C`SxZ!;l0<)@tv+}=ooQRn-~1hG1&ln
z>Ms1dufYeMJI&(sAt8V9>zxE0ZKy6i4V@p9=<xF1*dzhFhvPOMdBelcKT8fB<aq%l
zyqC+=upkUTtq<2cY?-L%BjS`kGa)5{SQLl|5uJioHrS37MC5+Z{w|#&czt*%HnIQn
zuRU6o2po6^&AZyZp6oy5zY*c+tZJ_tzbxud{XqixKR?`XX-v<|%=FC1PAd;;9FWX$
ztJsAa<7aBMrc^K3_YO~_sEXRL8h0!oc-GNuAdl{!Bp;)M8uxn<nwdw+(SS9z=kTYl
za=~PkUoxlml=<b{DbD8|vKN~pdu`TlB^uq?hy22XPkF_2)G86RW{V28LatD*J`~DC
z({ajU=bk!WNMegzPvcBlb8WYt3IOXG*!xQCvwiuYcHRwWh@faDPNMMF-an_9^%Z-M
zuZ>r^Uq4cK{Nqptc@40v2+G^=c+WM|61-pX`s-^9En<Sxg>9Tz!$cUEJp)j6o3|eW
zdG?(@(qw{aCDjirgph5%{wx?8+u?LgPC{n2{D<5DuYre9{dnyvrV_8MUAADK0^ZE)
zEz03@$#sI^u5|ct4fOg%XdJu}7vBqvjN8TO!9sKhuFGi{)5bQz78FkT<&tLrgSy}F
zaUy)Cp9GM<GD7@5uk`TuwtfTF;qHIWJwql#qYDGo;)h~<ZGq3bkAOH+hgbQMgA!K8
z-x2M+s6-}&uz><Xc5!x_BGvg7bv_MlvJ*(Sowp%kr7C{x9=pZW8*gHj0e3P{#1&P^
zhT#^Zgi8|@{qhWs`|=|P)_t$*f1F6gTESN?XgQm#<xTnStDgh{SH5F=Jd>f`rCGZ5
z^LNdFk~WGz_H_A~?%Uz}LHU~D1QQXfd;R7M_??f{U`^#Yg7sU<QS18ly=+>#G8Ty!
zMAn)w_`dA6(Hfu>U|M~@6*y^+3W!^5iPm>I!%Nmyz0ylE6bY#;iPFR1i<Pg(AZ<gI
zJF)7P#0Eu=KeLgE?3_KpnHw4tY%17xnRY2Q%D=~);)0XL;e3}7*6)LME|B7Lf{~@P
zOY}Awd;@QCL6)(Y*^@qijeY$$K@$M}in5>!QN9yVojcV}k_5T9A@`O4p5S=(e+*Yr
ziEjto6D)b%)p^;jDk+ECIj;;-^)m;1sJN|6BX5{!1doX!nnZ*OIwW;rDqeU%{<(|w
zivmgu2rUkbxm@HG&Zy;Qv8iD|j_H!Ho``=bm+z%>dG2^OXuviQgpi>0v(V+svlELS
zcvNs>qBV!$5nWDYGh=~~Kq`6uUYUJl;Zj$|L086bcprh3(c@|Sld4JU22kAK4`k}U
zq#Fe|xfm$#IuH_yG|HO&SF31Mv3*w<e_2eYVjT+n)fm5-CX9MC6rc$`XD`e377FqG
zp@X`4REFBRqpNAw^lKeguIFpp!;JbY$Dj119(Ty;FNxis-#(&n53KmWD5k#~|A`D1
z(H?9oX2`C_bH(my$MHRAljT;{+~B+aJRFvx;weRsuFlP_O%wj3+om}gjH)z%?!(j$
zD$r%7kOAl&_!tv&qLp0PN8)|$fuW|yYLt0)7TdjIUE2AD4&3+EH^8M1lDc#x$FV2n
z%`8~UTcUr74mc&fG;U-`seGl*@&-yKvaX6q;AH$lglCg?dF?a#_YX?-HRnPVLA%EV
zp;u8ZdfQ_xISEiia%h%aF7da9TL9x{a6vWP2$x^6Ep?@!S42DF?Hj2JLL<=?64GI>
zb$!U?+vMPeSD#!}U03Nnbf5b;@B>b)l^cZ?k*mgzPg!zg)gwOxm3Q89u2^|@V`D=@
zQa)0{7e&eu$;`7av;aBoU&7flQ~0!w1pJqH9X!WB!AftWL8bAwfIR24%BS)o4{W9d
zdu_Y%O!$VAClX$Zh(&vy(wJyU`#k7ZcD4itk0I_oy8PDy-accmeS6C5{o*Bfw!i6I
zL(BD1l!15bu#4Q*a07Wf&f-r+#SS1NrYFW;bJ|!0j9;9d+X6nAx*5Ph+wt&_PS(E!
zSj6<uLO*GWSm6-7A!+KeMTe#w=*?@?oPAal&XzKYo4xQB!dgiGh&PIGVmwXw>;bm}
zZ%(XT=sE{TV)Mzq2;I#<SgDM@E;fHM=VDhIP_>1FmJuR9gartdw=pVEyUWDk65Uz;
zX-;E(h;&8EFz+a+W<yk1&n5#1u&UnWtwc>kaTC~z23#VEgtre>kqdcqM@2;y(Lj5?
zVs)ai0w%scLJy3X-a})lyDTUy-&o(m_?na2w2g5sY4*xsq$xC<!7?pQqnyf+gnup#
z@04aeS$y5lZt<FEjDMK^J!-4w7Y*=#!w_tZUz<1=%QY9I*|`|BJRej*za*kB>Ff${
z1BP?=sK@pdPq8Hd##iW@`ZEE6Ihq}dl{-8K!SJfqjA{A^gKnfB!lGiuE#E=anpcr(
zb{*c7ua!^MtBX|+O3eQez#EwsT}L*!G1B7jZTJWiS~4MCPh?8d%}y(+0b~)I%ZUum
z(RH=e*NRcp!Q>OA4N+LPXGlR4@eNY6;sz}Q<Me;}`t+{FWxan?V+_G6dhSu<0(t#B
zds;gj9XUSQF%yzTgw6{$cJ#xtu(ohzyTb-ilAFHjRwR6&c<HlCfX!kOZX=4`^pX%l
zG{grW!bo4rOZMDbxy*VcO^TUHabkhN;F^ZstF=xYg%Vd}ycj*;@2CERxaEeGSL<27
zzu6>yPnaEvlBl^Kk&+jbgr^=4?$$1>K}6%GX_CV-Dk%NcdmNL~T}Dv+NQsuD88Q)V
z#^39kWB>)Vx=TF(Dco1J>2J;1aJde!3#0S+VfLHQYXns(V#5}^k@+}DM=U{k(?PU*
z()R61Yt<|OP)aAU?OkWYDiq-*$~8*LRt2IZmMqV#gTKSXNlV}8+Se1$R14|N37itS
zB`ae1z0^<G@Dmkfi*$hF1>CjR`wEd+NNP~2&Hra(7Jv?kIc==;mC?qpc8g#(QFFqZ
zb$Erxsy1xJrN&Nm-66dXErmM|fZv?hyQ*2jd~T`xbX@J;`h;~SlIlc~8WQ?ht2@Y(
zSkU*pMSjUyW^|rNL-8<<PUFn6mj1M~p(G&_<MTweBf<v+D-v?@0AZ7n^)#iTHNYRl
zi{%$@HHN>mYDRM};S9$*MH&YU<>iw5gQ;Ec`GE5BK+U<Eq9k{;uB4<9q&V5SN<k~p
zN3<{4=7uiJ=^fqv`+*hsWDzVxO0@y71~wHmyC|8-2+oM611zR2l@EBFKEvwM9N5Uc
z5xF>AV%m&p;=oSX$no&9ii!4+mACVq<5qs`Ds~uN#>~O({VbD`#H&o=?cr#}^GLe6
zv=zOSpnVqWZ#!4ddm4<5XVKBF26a^Wj!PLD&dhEc!$i<N6Aa3`QXHIZ;e=ihxfk?P
zXPDQGuojt8k&`lYz~ea~7Qt-Wcon1T>$DhGWdQA18i<yO%hkii5&o~d`0pvA=*mT%
zewE_rfX?&qNqjZQwVhWcoAXfl#Yo*8R1_cTt;P{JFdEq2lpxvY&&9&)Mc>}{lN&8v
z5oil2%{89!p6m`^4L(f)s13N4SCF^hXn^Q~U!s%UMP>I9l$W$dB0yRGn{c?4x_+I;
zulFM(@_LpK6o-n8M5NK*nxf1))&gjQo36J+I`#s(B%!$&ZvN>Y#rJ50+BF|5QG@#r
zX4RM98KO`^i_q~?qX#YWSkm6x?7hDy%^W>N7!>&~#&qxhqNV-r%nI<@TJBI*yn0QA
zE-uI<)2_6@J%aK`Z5-blJ&SdLa{vjU?~J2~oBg(BDw?-9qW8u(H!vTeYina-8?JG3
z;aNbjk)NNhG+I6F>vW&Yi!?%BytTiDJX?dUDT{$7GT=FpsiH1bXdi2A)^2OpS)KtS
zfs1O%3;}pMw)<*RH6;Qg;hWzORb<>A6uFnn6qUlIXu6MC5|45S{7PfN6*XM(n1RaK
zR;C7h8h>jfl)0Ii!Bvrvleij@5ax~52;~ouV}S|>eZoFr$R<G0(H3Qv`zw744+(GR
z9{{dpA96pYT>wm7TU)~46(kjeIUG{Ytlt=&hgf9R7qA^$#H_X?=ZbXo?Ffw~K-UE1
zAJm=y?O2u4e*u-B1N(-2ZAAcK&aE(M2(K&e2kz%aNX?Gn*pr9B<YL2H10$7bM5lJE
z(=t@js%OqsB2H@D9l8FaHlD;NmZaj4l6F`{LqkJqS(NTgX4vwX;#z78b&4NI;qXRH
zbjfG>GRtR@JeAm6&06t)(TGTmbb74QJvMAv5abidTr-BIp@-)aWn%wS@W!<Qdd`JJ
zTA>-ePqmQ%#Hw>^mZcuFRa@)nhb6AeVRz!_5z<6UR(GkD(gq^J@ABZYhGt5HBQ%*A
zPj*mahYJUs&E-+lz$o)5$P6{Bw2UHkLCo_wM0egO`AKf;vh2>ifsh0#pSq~vvvb;t
zbKGDMGpH#){J=8cl1+tDpp&@@O3hHr^=<RxDZ?;yq~7+ng+>TtT!#o5OEGOiUm?m=
z&}fspk)=vu$ytYGkJxM-IFr;utW&WNu#(*e>N&{@7q_N~rbWk>3huJa_WfRbBo|tg
zyrL6;9b)p$xFW*iY~{8H=JUq9R4g4P3M5=n>AD^*dI<?@FKRbR;4@&5qZR#83~h7Y
z8LJ^cZ%sy)!dTZV(-NQgTl5kkU$X3-#A2Jd%TQjPOPv9_>;4pU<mF1y-zBmMe-4@Y
zK4U9P$o2e@%_!Tcx6`=YdNSDhaCyN{%{)mGDhL!qy<rir90dHLjr`MV%5Q@;{)<fv
zP}yW*;!)Y@b+p*Bbky`p2A1!Phzdh&-#XU)&VtctNjb*&4-rk%r7pI2<UQt`7I9Ia
zQ~ke~IXTtW)6|u^o9RFmiQk@1dG%sWdL2&P>)89ygMdZ0-idq!A8WYWTbxVEa05hZ
z0PkyA^~pORbxbJ%mj#D7R##?^^IjW}_Z|8@!yOo|CEaP%E$V_CEN|!C9|(JRiLl8F
z_;)1^@H_H^57}s{K)`t~YjO*l>O$hln+nR;uR1*Ne5hA!LPw{ClnH0qd=;Fe^J*K>
zQ7e?EuHR?>&O2vGT_jMot8zH^K7*BfmFB2uNBEzlp#(jzDIO*QFtI?Vzy?Qx;!pUI
z3FBp}i4Cux?rDaBF=0aFVQ8Xb(BIE(3wNRArN*4eS|Oi99HcGBFOVrYKS%9;$CO|(
zUS^e8Qm{7_FY0=&o%3V`laoJt|M+bN4kzvl!;~-!iIzdQqy<wyrXlVOm3yni3R6Ce
z?FD#$sO&L;LubDh`0*ipIJojuXe8?d+;?{#IPQQ0T?}zQx!r*j6cLdq8DkLBJY5t!
zxloXhXavu4PCO#(bJb8#Ge)1s(uKTJoENtSqB|s6au)HBP739CU-^#+;%}??wdWsg
z)Z#wlUjffDL88r_>JyxY2$j}i_ZO;b+Bua0dhgI<hqombGQ3gBp(|(un%6Dlq;!w5
zN!Vs|W%I$m9e;OwIqp5Z86+?l3$NRW@t@hTZW_Ti1e6>+^5UsdyENY=ewE~eO681(
zOh8i!g!57J*znPlczp<l?zTP&=LXAtTqP_?Rht*zr|Xj&@6YDA<AY==hWz!LR@Xnp
zOJBHKTAdPmJ>hX!)G8TQpbyV1(^7P5twukQmwDs3zgf>Yqb@1rr<T8I0;o8=_`^MM
zBZKA~(}~tRgldGeS&HSj1>Xly%wc;z_Wkw~>H7ny8i?pOK0A;=IR1CKD?`J>L_o~m
zbf{6SYI*0KY;S=LPt~x-=zNa-!YCUa>{U2fDO;r?0-{KyVedDDg+6R1g({L%kiIRf
z-clL#aF7`E<kTv4p=IR>EgBQ|6(>j-^mZ15AqvYiX{?rX`HfVfW9%LpmU)so{ayk|
zuBFP;YE7$}33WnpK3AB}1|n!bn7$XOBo(aLn041z<vm<n(t#xgA)+!gb6$Nu%1;!H
z?Gma3KOZEi{9Heh4DxXTNJDm!$%|<kZ?VEv9;qxgnDkF5r(HiX$T~0AhP<(a!qFgK
zBFE9iS`s4m(4RJ<M(|`R>S@v-|D}Wq_`i1dFl~{gRR#7j8tFis#Ni+w%_{wa#EWE;
zwFbYbcxBhkkM3U!{IO}{uOye?lD5##+N#f*4sU|e@KZy=89Vk_N|2eZf1Te4h`V<Y
zl`o)22jK6A4Md7R$)$pdNJN9mUo;hm>4t8f@*+?8)i7oLA<qWkNHvN0{ZrC`8WsO>
zSC0}(getJ;)gujUb!Uw4oauQTDGn`@jP1vim%r=V@~hYpobbxKGO7vY=t5THw`%yM
zsERzmnzTJ@pKL?Vh_`ML7{!g)lNc-6V^SyNS-P&TF3Xj*P8H5dMoKEwZd}ogXy(ak
zv5y2>MlfCyADEW1B0PM=Tyi?OG`xkE9C7M8TVFhNkeB`}|HBf^o5JS!B!!~QxOe~Z
zM{zb|=wGGwnCZXRpxOK_dTf`zPtP##G#`xP!?M_)W{>|)7^bd_Wf(+eZv*h4w5gsU
zYCMwHBB`@`kx@|}Z?$w&Tj#Gp2$y513eZ@C*a}aXb=rTHe~nc+!~-X|3EIuN-{nlM
z)j6&3D)ZZ#F)z5c`iJiM$b~(}5Gg_i=u<`aeAedPgrbGqlO~(WdeKCO2qA>QkEN6T
zv_p5cQ&%W4D)_s7SXS9p(6NT<BT<YT>PhSP@Bq>XIw79w!Z{TUZ&Tz}3ou(y>FpOW
z{XVVI9{8Gcz)S3#+Xz`QY4hgJb7@S!W2?X>&6O=|=D}%JV8I(<j({jf*~$a{i-pR~
zwqu1<WNi6lIXMrv_E&cy|KfWbH7O*5w81q5BlrUHt%VwF_x?h?M4{~admHKcbA6oW
zziEF4F*-B5A_oL)i9lNgWuU9XTy?16h{vQ%RF6`0Q5XlX?`e$wQxH06%F6{5?8E3O
zT!LG6wGiZN{2>hbyLsXLPi~atv|*vq=9O)1lXgVj_MzM^tto6!n;7jMx0Fl&Yi$w~
zN%@F>w?2F15`EKbF0`RUsAegyONtuCGuu;(H6~&;W%Y1Zbx|YmGD(149A9fi{{0^U
zSj@H}KNkVJXoV61MR2$F;ZksY$-2S^4B6v|a5$(w5y8+$#F;t&JRp8-M?{P3+9#wd
zRGiQbcX7mF+hFMT6F`WhVc9&KV>Vt+F|GyDBih@;2?@b{!=+~_t3r2+aR;9eOC_qp
zEPCku{F1*U1%?ncO*AAFfW<F;d`Ey#5HMI03VnE6p#E>wm=_eI8vtkCoIimxkRnka
z7@hTb-48Fi7y(d<7>E0pL5V<!wq-DV?8Z=}yFSmORn&jd(R2a-aYfD*5IVt-dHMyh
zDd#XyT>8%o0F>o}9DW5E+qpb~7P-iRS@5jTjeC&xI@3R1?eFjZ%+lb2k5Mu9y|iKP
zi{i>VS>Qeq#0mWw;CJae5)}+qbS}SnHu+B;;mF}uBd#`LCR~>T5O21ZXr6UPMum00
zJQ%Ungv{$G&!uZBTE%axFmloomZ29>L}2<0E7gudA6qszH(44EmU;m=p`L`;_y!bO
z_&Y+nRA<~gc+J(j#2!fpvH`D(I&Mn@af7ch952@0$TUQoX!KviGpDKrpQ8Isn%+!`
zzu$}uHBp8%S=#6aaJ6JchY1uucgcAu_d5}L-o4bFQZKwxCd7`_qo6h_WV@L1*nh`s
z&xAwEC)ARk@~D~I&qS5Z(}LUwHupYMXn#LH9#aumg_wyzO{4?R)2?SQrn=#Tuv`SR
z1Qw|hA)K^NU5}^l&0uHpw0JfP_B_U~Wiz(o=>_p1!9{jp{DY^hDf@H0WC7eSB0i<G
z8vru%Y}i4Jeid&x2Zd^pMgWm;@p5FSy)Z%Y&uZDK%Fg$IR`%p*Y$Yv5mL9Esc2#Ja
zV$Ha9Lr%&2tccGYc-!0Ykxp0ol|U-!d2!sn+(=_s=fwS5RPLUH!gRHub`%NOCA_n^
zUI-pI^5SC{2Fg^qfftblCzgRI*BEEaCvzkYPuX#&RlxmmlYW(q*3SF4N#)0yQ@LNP
zic}{9L|pNQh7TBQt@Z_u(GRX~QnBS1v+xeE0b86PEtspon%TNfq&htB;a#$V^qVnk
z`@<^9qPEk#_Mf>-)f!GuBOYbEhqjmp&sGaQxj*SbZz55DY~ho>@Cp_2k(ay&NcT@i
zum|f$X1Y76G)3gt1*)l=MQcvtE_S3;kmMO#daM*iWaL`81BvhE{hnwf=z&?cz?a3q
zw3RVEmJ^Zk?BZXkS~^|clvJIS?)<q?aRLhIJCxa<ji6bh^oMydqRS@^SuttYV02*z
zs+s3Z0=W?3TYHdp9&T368P8yIaj}9+V%o{wT)3jL%-ulW*JZO;!{+4wjw8+LEThhv
zFu2W8s%5@1nHQe`d-Cm%#C&-3=J{+QL34q~>2D%$n{Smf^#HTv$W>vy9RpLUw=P#(
z@z+O|;0$R7d~`3pPtLr*Yvxt`*MoGZv!>0i)YD4&d~;jgymp;@Z$w1p(qU5jQ&m~B
zL=v@?Xr7L9=gkKb8GE%UZuu&WU|TYuzsX|_Q=&&wk?Ty*gTvq+s(6S~&%P%+OId6v
z0rIPcBPu!8Y7&8LET90RjrByTsP{FQg6!|Ri2Na+f}}@$e8XNwIyD7!#-~m3X0dfQ
zGHdWI3{3r=`DD4SzjW#7ERxW%qAo=vTND4C*}{?E=dyW8rSnIy#d;RwSH9GQSUEYl
zgTV~ru}@{~J?Rl4rjE<C@IilRDB<(41?M-D79}j}IL6ez=un3{CF1xX5UO`$2AitK
zOe&6g`ne)4adwH24Dpkz7FVkle_mG^z+G3O#amaT!&_JS{&{@?^BH}~L!|VYD=urp
zhC64G)KgO|CSy-(pKt>qOQ|>({J^8yPG{Mu%bfeJxiMG0CWIu0{KZwCEvgF?FW+9w
zR?`y$z-WeB(V0Anwt^g9Gf7j0>{*Wd_5?SiZ$qG4DAYLkh8}})G}Fwty!f$vSN{Lt
zjre-{7PYi*49u^zOxf1$1XxHChePHJ;pwM_EKcJl+xR`3Z)3%Ks94OKQsSUHqUc6*
z>fd(AnWUM8BR+AqlN4pT;3B5A(F-p<axMRs-i;4)S7GqNmuZ#eyH*t+6rU*e?z;iw
zvDT7eF4K|34jARI?GjI6NHA~m`!{$%11_5%PutH98-5BpxEGVCp`RxSoF;fdd*2Qh
z7eFN=dG6<*NR%3gH*{y>-b#k$*Hu8KOqZgdt9(?I^r{T_)nGn|?mE#VA&4M!ayj+y
zO>v%lJ~dz_OkCiO*OC3={J7Q3A)&dJrHDyOSE0?8rC6L2^LNKRhw)Rzl6{ZfMhgu{
zs@7%`+q%i7U|FKE1j`F4N-%WfSZKLm#CiD@&hOwLG7#t3x9M&A^NYysO-4d5BtVZ)
z#U^id6(IvtQlkF-A#%)od=Z9JFS4sL67p5(qdw%aha%Km6XH5H7>3>mPV#IEl;q$q
z(q-&g@-h&<t23^6?GV*->7lR#av;+HmoXDYuX@~vz<%B0Nm)QkbCV>Z_MGWnv?%V-
z=)&RrGf@pFL13y1w((n9ikI=FDi&d@C@DP=rOtP6#WKMp3tU?Z8Fh3R(~3tYRql>9
zJBJ<{*ItlT2oZ4=+-%->@w+|@w(F}R;q`iiTW1C$gw`9WR>Q!m;-iunmY<h2zi>7{
zMsQu}*Bcut)qCX1_?K;$h&wvic^pq8o^D$CsAw1;{OF4Tf*^(i$#CjuL+zS{=HV^3
zG!9ShzWu!e<O5WUh`u1bbZrf<6WLlMHn398hyE8cx|I9DYbtVcKjg^Hy}UivlmPhH
zEH1icN5DV)W8?#ZlGH$PO>K(wKIkL7Ys-pD_bMo-5O-M}oJ36H8CP6ZJDk6D^s+<s
zs$deVKPo|)8Kw6sN;c*?LKD5LK=9^QAUckGmK}CpON$;>XQq%lxHh%!oesUyJeb#5
zW`q#Nm8HcT27Skk!3JDZyr)Z+2rAP;f0~sl3rURyk%o%!JgnxJSz`f#rD|13165_I
z9?K=F>S;_=WJt{pAMkewrxi}SUjua<Cln}s_o+q;oHewyIV?DqLyuF`#K}N5+3bPF
zEXe=<n8Gk8rb;P<UFG9+aV7oCpEiFx)EGS{jIY(DKU_Pd))xWl_{~SuwVMXO?RK9&
zWistPS4wH1`fSC}?<>%My?%~~iP52o96I@STwMhe$KKrI>hSVEyTfMCf>Ir?ox8xz
zrYbRre3(hidDEVOKBe5kf={T#A<R>0zG|!)?cJQlt?*2D?Aq#P8D-x<lGwK~=R0}Y
z+5zr`oEM0vrL_CG#LdCc8)}ipjN{c-f8TWWm?##d28Hqmnx6LouK+A<5Fr2Bw_x+p
zupVvm&zq09ov5SuY9eYXN15_(>*h(0&D=lF;#~msKI&%!X?&sokF)+C*!o{#nhEPg
aj13{1xX1-4^7hveoPvysbhV^u=>Gr|kZNTB

diff --git a/application/single_app/static/js/idle-logout-warning.js b/application/single_app/static/js/idle-logout-warning.js
index 78e3a9d6..ea187ae2 100644
--- a/application/single_app/static/js/idle-logout-warning.js
+++ b/application/single_app/static/js/idle-logout-warning.js
@@ -40,12 +40,13 @@
             return;
         }
 
-        if (!Number.isFinite(warningMinutes) || warningMinutes < 0 || warningMinutes >= timeoutMinutes) {
+        if (!Number.isFinite(warningMinutes) || warningMinutes < 0 || warningMinutes > timeoutMinutes) {
             return;
         }
 
         const timeoutMs = timeoutMinutes * 60 * 1000;
         const warningMs = warningMinutes * 60 * 1000;
+        const warningDisabled = warningMinutes === timeoutMinutes;
         const warningModal = bootstrap.Modal.getOrCreateInstance(warningModalElement);
 
         let warningTimer = null;
@@ -121,10 +122,14 @@
             clearTimers();
             logoutDeadlineMs = Date.now() + timeoutMs;
 
-            warningTimer = setTimeout(function () {
-                warningModal.show();
-                startCountdown();
-            }, warningMs);
+            if (!warningDisabled) {
+                warningTimer = setTimeout(function () {
+                    warningModal.show();
+                    startCountdown();
+                }, warningMs);
+            } else {
+                hideWarningModal();
+            }
 
             logoutTimer = setTimeout(logoutNow, timeoutMs);
         }
diff --git a/application/single_app/templates/admin_settings.html b/application/single_app/templates/admin_settings.html
index 093737c4..7964f503 100644
--- a/application/single_app/templates/admin_settings.html
+++ b/application/single_app/templates/admin_settings.html
@@ -1456,9 +1456,9 @@ <h5>
                                 class="form-control"
                                 id="idle_timeout_minutes"
                                 name="idle_timeout_minutes"
-                                min="1"
+                                min="10"
                                 value="{{ settings.idle_timeout_minutes | default(30) }}">
-                            <small class="form-text text-muted">Users are logged out locally after this many minutes of inactivity.</small>
+                            <small class="form-text text-muted">Users are logged out locally after this many minutes of inactivity. Minimum value: 10 minutes.</small>
                         </div>
                         <div class="mb-3">
                             <label for="idle_warning_minutes" class="form-label">Idle Warning Time (Minutes)</label>
@@ -1469,7 +1469,17 @@ <h5>
                                 name="idle_warning_minutes"
                                 min="0"
                                 value="{{ settings.idle_warning_minutes | default(28) }}">
-                            <small class="form-text text-muted">Show the warning modal after this many minutes of inactivity. (Countdown starts from this time)</small>
+                            <small class="form-text text-muted">Show the warning modal after this many minutes of inactivity. Set this equal to the logout timeout to disable the warning dialog window.</small>
+                        </div>
+                        <div class="mb-3">
+                            <label for="idle_warning_message" class="form-label">Idle Warning Message</label>
+                            <input
+                                type="text"
+                                class="form-control"
+                                id="idle_warning_message"
+                                name="idle_warning_message"
+                                value="{{ settings.idle_warning_message | default("You've been inactive for a while.") }}">
+                            <small class="form-text text-muted">Custom text shown at the top of the idle warning dialog.</small>
                         </div>
                     </div>
                     <div class="mb-3">
diff --git a/application/single_app/templates/base.html b/application/single_app/templates/base.html
index 0ba03e35..56794e16 100644
--- a/application/single_app/templates/base.html
+++ b/application/single_app/templates/base.html
@@ -380,7 +380,7 @@ <h5 class="modal-title" id="idleTimeoutWarningModalLabel">
           </h5>
         </div>
         <div class="modal-body">
-          <p class="mb-2">You've been inactive for a while.</p>
+          <p class="mb-2">{{ app_settings.idle_warning_message | default("You've been inactive for a while.") }}</p>
           <p class="mb-0">You will be signed out in <strong><span id="idleTimeoutCountdown" aria-live="polite" aria-atomic="true">60</span> seconds</strong> unless you continue your session.</p>
         </div>
         <div class="modal-footer">
diff --git a/docs/explanation/fixes/v0.239.012/ADMIN_SETTINGS_SAFE_INT_FALLBACK_FIX.md b/docs/explanation/fixes/v0.239.012/ADMIN_SETTINGS_SAFE_INT_FALLBACK_FIX.md
index f57e0b45..d6844a91 100644
--- a/docs/explanation/fixes/v0.239.012/ADMIN_SETTINGS_SAFE_INT_FALLBACK_FIX.md
+++ b/docs/explanation/fixes/v0.239.012/ADMIN_SETTINGS_SAFE_INT_FALLBACK_FIX.md
@@ -4,8 +4,8 @@
 
 - **Issue**: Admin settings save flow could throw a `TypeError` when `safe_int()` returned a non-integer fallback value.
 - **Root Cause**: `safe_int()` returned `fallback_value` as-is after parse failure; if persisted fallback values were malformed (for example strings that cannot be converted), subsequent `max(1, ...)` / `max(0, ...)` operations could fail.
-- **Fixed/Implemented in version: `0.239.012`**
-- **Related version update**: `application/single_app/config.py` updated to `VERSION = "0.239.012"`.
+- **Fixed/Implemented in version: `v0.240.002`**
+- **Related version update**: `application/single_app/config.py` updated to `VERSION = "v0.240.002"`.
 
 ## Technical Details
 
diff --git a/docs/explanation/fixes/v0.239.012/IDLE_HEARTBEAT_INTERVAL_FIX.md b/docs/explanation/fixes/v0.239.012/IDLE_HEARTBEAT_INTERVAL_FIX.md
index 68f52386..8e18c920 100644
--- a/docs/explanation/fixes/v0.239.012/IDLE_HEARTBEAT_INTERVAL_FIX.md
+++ b/docs/explanation/fixes/v0.239.012/IDLE_HEARTBEAT_INTERVAL_FIX.md
@@ -5,8 +5,8 @@
 - **Fix Title**: Idle heartbeat timing alignment for short timeout configurations
 - **Issue Description**: The client initialized `lastServerHeartbeatAt` with `Date.now()` and used a fixed 60-second heartbeat minimum interval. With `timeoutMinutes = 1`, active users could miss a heartbeat before server-side timeout and be logged out unexpectedly.
 - **Root Cause Analysis**: Heartbeat throttling was static and did not account for short configured timeout windows, delaying the first heartbeat too long for aggressive timeout settings.
-- **Version Implemented**: **0.239.012**
-- **Related Config Update**: `application/single_app/config.py` updated to `VERSION = "0.239.012"`.
+- **Version Implemented**: **v0.240.002**
+- **Related Config Update**: `application/single_app/config.py` updated to `VERSION = "v0.240.002"`.
 
 ## Technical Details
 
diff --git a/docs/explanation/fixes/v0.239.012/IDLE_HEARTBEAT_REAUTH_HANDLING_FIX.md b/docs/explanation/fixes/v0.239.012/IDLE_HEARTBEAT_REAUTH_HANDLING_FIX.md
index b7719726..c79a0967 100644
--- a/docs/explanation/fixes/v0.239.012/IDLE_HEARTBEAT_REAUTH_HANDLING_FIX.md
+++ b/docs/explanation/fixes/v0.239.012/IDLE_HEARTBEAT_REAUTH_HANDLING_FIX.md
@@ -5,8 +5,8 @@
 - **Fix Title**: Background heartbeat reauth synchronization
 - **Issue Description**: Background heartbeat requests that returned non-OK responses (such as `401` after server-side idle expiry) could return without redirecting, leaving the UI active while the backend session was already cleared.
 - **Root Cause Analysis**: `refreshServerSession()` only forced logout for non-OK responses when `forceLogoutOnFailure` was `true` (user-initiated path), but the background path used `false` and silently returned.
-- **Version Implemented**: **0.239.012**
-- **Related Config Update**: `application/single_app/config.py` updated to `VERSION = "0.239.012"`.
+- **Version Implemented**: **v0.240.002**
+- **Related Config Update**: `application/single_app/config.py` updated to `VERSION = "v0.240.002"`.
 
 ## Technical Details
 
diff --git a/docs/explanation/fixes/v0.239.012/IDLE_SESSION_API_ACTIVITY_SEED_FIX.md b/docs/explanation/fixes/v0.239.012/IDLE_SESSION_API_ACTIVITY_SEED_FIX.md
index 68055a95..c3956043 100644
--- a/docs/explanation/fixes/v0.239.012/IDLE_SESSION_API_ACTIVITY_SEED_FIX.md
+++ b/docs/explanation/fixes/v0.239.012/IDLE_SESSION_API_ACTIVITY_SEED_FIX.md
@@ -5,8 +5,8 @@
 - **Fix Title**: Idle timeout API activity timestamp seeding
 - **Issue Description**: `enforce_idle_session_timeout()` returned early for `/api/...` requests without updating `session['last_activity_epoch']`. If an authenticated session did not already have that key, idle-timeout tracking could fail to start for API-only traffic.
 - **Root Cause Analysis**: API-path early return happened before timestamp update logic, and the function only updated `last_activity_epoch` for non-API requests (or when idle-timeout was disabled).
-- **Version Implemented**: **0.239.012**
-- **Related Config Update**: `application/single_app/config.py` updated to `VERSION = "0.239.012"`.
+- **Version Implemented**: **v0.240.002**
+- **Related Config Update**: `application/single_app/config.py` updated to `VERSION = "v0.240.002"`.
 
 ## Technical Details
 
diff --git a/docs/explanation/fixes/v0.239.012/SETTINGS_DEEP_MERGE_PERSISTENCE_FIX.md b/docs/explanation/fixes/v0.239.012/SETTINGS_DEEP_MERGE_PERSISTENCE_FIX.md
index 6c94bc11..04bf9425 100644
--- a/docs/explanation/fixes/v0.239.012/SETTINGS_DEEP_MERGE_PERSISTENCE_FIX.md
+++ b/docs/explanation/fixes/v0.239.012/SETTINGS_DEEP_MERGE_PERSISTENCE_FIX.md
@@ -4,8 +4,8 @@
 
 - **Issue**: App settings default-key merge changes were not being persisted back to Cosmos DB.
 - **Root Cause**: `deep_merge_dicts(default_settings, settings_item)` mutates `settings_item` in place, and `get_settings()` compared `merged` against the same mutated object, so `merged != settings_item` evaluated false.
-- **Fixed/Implemented in version: `0.239.012`**
-- **Related version update**: `application/single_app/config.py` updated to `VERSION = "0.239.012"`.
+- **Fixed/Implemented in version: `v0.240.002`**
+- **Related version update**: `application/single_app/config.py` updated to `VERSION = "v0.240.002"`.
 
 ## Technical Details
 
diff --git a/functional_tests/test_admin_settings_safe_int_fallback_fix.py b/functional_tests/test_admin_settings_safe_int_fallback_fix.py
index 2c8d3dff..a95e9e12 100644
--- a/functional_tests/test_admin_settings_safe_int_fallback_fix.py
+++ b/functional_tests/test_admin_settings_safe_int_fallback_fix.py
@@ -2,8 +2,8 @@
 # test_admin_settings_safe_int_fallback_fix.py
 """
 Functional test for admin safe_int fallback hardening.
-Version: 0.239.012
-Implemented in: 0.239.012
+Version: v0.240.002
+Implemented in: v0.240.002
 
 This test ensures admin settings integer parsing always returns ints,
 including when persisted fallback values are malformed.
@@ -147,7 +147,7 @@ def test_version_alignment_for_safe_int_fix():
     config_content = _read_file("application", "single_app", "config.py")
 
     required_markers = [
-        "VERSION = \"0.239.012\""
+        "VERSION = \"v0.240.002\""
     ]
 
     missing_markers = [marker for marker in required_markers if marker not in config_content]
diff --git a/functional_tests/test_idle_logout_timeout.py b/functional_tests/test_idle_logout_timeout.py
index 27d91c60..f3ae5d03 100644
--- a/functional_tests/test_idle_logout_timeout.py
+++ b/functional_tests/test_idle_logout_timeout.py
@@ -2,8 +2,8 @@
 # test_idle_logout_timeout.py
 """
 Functional test for idle session auto-logout.
-Version: 0.239.012
-Implemented in: 0.239.012
+Version: v0.240.002
+Implemented in: v0.240.002
 
 This test ensures that server-side idle timeout enforcement and
 client-side warning/logout wiring are present and sourced from admin settings.
@@ -301,7 +301,7 @@ def test_server_idle_timeout_wiring():
     assert has_heartbeat_refresh_call, "Missing get_idle_timeout_settings(get_request_settings()) in session_heartbeat"
 
     required_config_markers = [
-        "VERSION = \"0.239.012\""
+        "VERSION = \"v0.240.002\""
     ]
 
     missing_config_markers = [marker for marker in required_config_markers if marker not in config_content]
@@ -398,6 +398,8 @@ def test_base_template_warning_modal_wiring():
         "idleStaySignedInButton",
         "idleLogoutNowButton",
         "js/idle-logout-warning.js",
+        "idle_warning_message",
+        "app_settings.idle_warning_message",
         "localLogoutUrl",
         "fullSsoLogoutUrl",
         "'enabled': idle_timeout_enabled | default(false)",
@@ -422,6 +424,8 @@ def test_idle_warning_javascript_wiring():
         "localLogoutUrl",
         "fullSsoLogoutUrl",
         "warningMinutes",
+        "const warningDisabled = warningMinutes === timeoutMinutes",
+        "if (!warningDisabled)",
         "logoutNow",
         "scheduleIdleTimers",
         "idleTimeoutWarningModal",
@@ -453,7 +457,8 @@ def test_admin_idle_settings_wiring():
     required_settings_markers = [
         "'enable_idle_timeout': False",
         "'idle_timeout_minutes': 30",
-        "'idle_warning_minutes': 28"
+        "'idle_warning_minutes': 28",
+        "'idle_warning_message': \"You've been inactive for a while.\""
     ]
     missing_settings_markers = [marker for marker in required_settings_markers if marker not in settings_content]
     assert not missing_settings_markers, f"Missing settings default markers: {missing_settings_markers}"
@@ -462,9 +467,12 @@ def test_admin_idle_settings_wiring():
         "form_data.get('enable_idle_timeout')",
         "form_data.get('idle_timeout_minutes')",
         "form_data.get('idle_warning_minutes')",
+        "max(10, parse_admin_int(form_data.get('idle_timeout_minutes')",
+        "idle_warning_message',",
         "'enable_idle_timeout': enable_idle_timeout",
         "'idle_timeout_minutes': idle_timeout_minutes",
-        "'idle_warning_minutes': idle_warning_minutes"
+        "'idle_warning_minutes': idle_warning_minutes",
+        "'idle_warning_message': idle_warning_message"
     ]
     missing_route_markers = [marker for marker in required_route_markers if marker not in admin_route_content]
     assert not missing_route_markers, f"Missing admin route markers: {missing_route_markers}"
@@ -475,8 +483,11 @@ def test_admin_idle_settings_wiring():
         "id=\"idle_timeout_settings\"",
         "id=\"idle_timeout_minutes\"",
         "name=\"idle_timeout_minutes\"",
+        "min=\"10\"",
         "id=\"idle_warning_minutes\"",
-        "name=\"idle_warning_minutes\""
+        "name=\"idle_warning_minutes\"",
+        "id=\"idle_warning_message\"",
+        "name=\"idle_warning_message\""
     ]
     missing_template_markers = [marker for marker in required_template_markers if marker not in admin_template_content]
     assert not missing_template_markers, f"Missing admin template markers: {missing_template_markers}"
diff --git a/functional_tests/test_settings_deep_merge_persistence_fix.py b/functional_tests/test_settings_deep_merge_persistence_fix.py
index bc61ea8b..07d27ba8 100644
--- a/functional_tests/test_settings_deep_merge_persistence_fix.py
+++ b/functional_tests/test_settings_deep_merge_persistence_fix.py
@@ -2,8 +2,8 @@
 # test_settings_deep_merge_persistence_fix.py
 """
 Functional test for settings deep-merge persistence fix.
-Version: 0.239.012
-Implemented in: 0.239.012
+Version: v0.240.002
+Implemented in: v0.240.002
 
 This test ensures merge persistence logic is validated using AST structure checks
 and controlled runtime behavior validation for deep_merge_dicts.
@@ -211,7 +211,7 @@ def test_version_alignment_for_fix_release():
     config_content = _read_file("application", "single_app", "config.py")
 
     required_markers = [
-        "VERSION = \"0.239.012\""
+        "VERSION = \"v0.240.002\""
     ]
 
     missing_markers = [marker for marker in required_markers if marker not in config_content]

From e178c24b520795212abfaf1524f717008b924f9a Mon Sep 17 00:00:00 2001
From: Chad Palmer <chadpalmer@gmail.com>
Date: Tue, 24 Mar 2026 20:06:02 +0000
Subject: [PATCH 26/27] feedback-user-timeout - Updated/fixed issues flagged by
 github copilot.

---
 application/single_app/config.py              |   2 +-
 application/single_app/functions_settings.py  | 165 +++++++++++++++---
 .../route_frontend_authentication.py          |   8 +-
 .../ADMIN_SETTINGS_SAFE_INT_FALLBACK_FIX.md   |  49 ------
 .../v0.239.012/IDLE_HEARTBEAT_INTERVAL_FIX.md |  35 ----
 .../IDLE_HEARTBEAT_REAUTH_HANDLING_FIX.md     |  35 ----
 .../IDLE_SESSION_API_ACTIVITY_SEED_FIX.md     |  36 ----
 .../SETTINGS_DEEP_MERGE_PERSISTENCE_FIX.md    |  52 ------
 ...st_admin_settings_safe_int_fallback_fix.py |   2 +-
 functional_tests/test_idle_logout_timeout.py  |   2 +-
 ...est_settings_deep_merge_persistence_fix.py |   2 +-
 11 files changed, 144 insertions(+), 244 deletions(-)
 delete mode 100644 docs/explanation/fixes/v0.239.012/ADMIN_SETTINGS_SAFE_INT_FALLBACK_FIX.md
 delete mode 100644 docs/explanation/fixes/v0.239.012/IDLE_HEARTBEAT_INTERVAL_FIX.md
 delete mode 100644 docs/explanation/fixes/v0.239.012/IDLE_HEARTBEAT_REAUTH_HANDLING_FIX.md
 delete mode 100644 docs/explanation/fixes/v0.239.012/IDLE_SESSION_API_ACTIVITY_SEED_FIX.md
 delete mode 100644 docs/explanation/fixes/v0.239.012/SETTINGS_DEEP_MERGE_PERSISTENCE_FIX.md

diff --git a/application/single_app/config.py b/application/single_app/config.py
index 42b73ca2..2170264b 100644
--- a/application/single_app/config.py
+++ b/application/single_app/config.py
@@ -94,7 +94,7 @@
 EXECUTOR_TYPE = 'thread'
 EXECUTOR_MAX_WORKERS = 30
 SESSION_TYPE = 'filesystem'
-VERSION = "v0.240.002"
+VERSION = "0.240.002"
 
 SECRET_KEY = os.getenv('SECRET_KEY', 'dev-secret-key-change-in-production')
 
diff --git a/application/single_app/functions_settings.py b/application/single_app/functions_settings.py
index 68fb923e..9ecb7add 100644
--- a/application/single_app/functions_settings.py
+++ b/application/single_app/functions_settings.py
@@ -390,10 +390,10 @@ def _format_result(settings_payload, source):
                     caller_file = code.co_filename
                     caller_line = caller.f_lineno
                     caller_func = code.co_name
-                    print(
-                        "Warning: Failed to get settings from cache, read from Cosmos DB instead. "
-                        f"Called from {caller_file}:{caller_line} in {caller_func}()."
-                    )
+                    # print(
+                    #     "Warning: Failed to get settings from cache, read from Cosmos DB instead. "
+                    #     f"Called from {caller_file}:{caller_line} in {caller_func}()."
+                    # )
                     log_event(
                         "App settings cache miss. Falling back to Cosmos DB.",
                         extra={
@@ -405,10 +405,10 @@ def _format_result(settings_payload, source):
                         level=logging.WARNING
                     )
                 else:
-                    print(
-                        "Warning: Failed to get settings from cache, "
-                        "read from Cosmos DB instead. (no caller frame)"
-                    )
+                    # print(
+                    #     "Warning: Failed to get settings from cache, "
+                    #     "read from Cosmos DB instead. (no caller frame)"
+                    # )
                     log_event(
                         "App settings cache miss. Falling back to Cosmos DB (no caller frame).",
                         extra={
@@ -438,7 +438,7 @@ def _format_result(settings_payload, source):
                         },
                         level=logging.WARNING
                     )
-            print("App Settings had missing keys and was updated in Cosmos DB.")
+            # print("App Settings had missing keys and was updated in Cosmos DB.")
             log_event(
                 "App settings missing keys were merged and persisted to Cosmos DB.",
                 extra={
@@ -453,7 +453,7 @@ def _format_result(settings_payload, source):
 
     except CosmosResourceNotFoundError:
         cosmos_settings_container.create_item(body=default_settings)
-        print("Default settings created in Cosmos and returned.")
+        # print("Default settings created in Cosmos and returned.")
         log_event(
             "App settings document not found. Default settings created in Cosmos DB.",
             extra={
@@ -464,7 +464,7 @@ def _format_result(settings_payload, source):
         return _format_result(default_settings, "cosmos_default_created")
 
     except Exception as e:
-        print(f"Error retrieving settings: {str(e)}")
+        # print(f"Error retrieving settings: {str(e)}")
         log_event(
             "Error retrieving app settings.",
             extra={
@@ -488,10 +488,20 @@ def update_settings(new_settings):
         cache_updater = getattr(app_settings_cache, "update_settings_cache", None)
         if callable(cache_updater):
             cache_updater(settings_item)
-        print("Settings updated successfully.")
+        log_event(
+            "App settings updated successfully.",
+            level=logging.INFO
+        )
         return True
     except Exception as e:
-        print(f"Error updating settings: {str(e)}")
+        log_event(
+            "Error updating app settings.",
+            extra={
+                "error": str(e)
+            },
+            level=logging.ERROR,
+            exceptionTraceback=True
+        )
         return False
 
 def compare_versions(v1_str, v2_str):
@@ -518,7 +528,14 @@ def compare_versions(v1_str, v2_str):
         v2_parts = [int(part) for part in v2_str.split('.')]
     except ValueError:
         # Handle cases where parts are not integers or contain invalid chars
-        print(f"Invalid version format encountered: '{v1_str}' or '{v2_str}'")
+        log_event(
+            "Invalid version format encountered during comparison.",
+            extra={
+                "version_1": v1_str,
+                "version_2": v2_str
+            },
+            level=logging.WARNING
+        )
         return None
 
     # Compare parts element by element
@@ -550,7 +567,10 @@ def extract_latest_version_from_html(html_content):
              valid versions are found or an error occurs.
     """
     if not html_content:
-        print("HTML content is empty.")
+        log_event(
+            "Latest-version extraction skipped because HTML content is empty.",
+            level=logging.WARNING
+        )
         return None
 
     try:
@@ -583,7 +603,10 @@ def extract_latest_version_from_html(html_content):
                     continue # Skip to the next link
 
         if not versions_found:
-            print("No valid version tags found in HTML matching the pattern.")
+            log_event(
+                "No valid release version tags found in HTML content.",
+                level=logging.WARNING
+            )
             return None
 
         # Now compare the found versions to find the latest
@@ -601,16 +624,36 @@ def extract_latest_version_from_html(html_content):
                     latest_version = current_version
                 elif comparison_result is None:
                      # Log if comparison fails, but continue trying others
-                     print(f"Warning: Could not compare version '{current_version}' with '{latest_version}'. Skipping this comparison.")
+                     log_event(
+                         "Could not compare release version values while scanning HTML.",
+                         extra={
+                             "current_version": current_version,
+                             "latest_version": latest_version
+                         },
+                         level=logging.WARNING
+                     )
                 # else: comparison is -1 or 0, keep existing latest_version
                 #     print(f"  -> '{latest_version}' remains latest.")
 
 
-        print(f"Latest version identified from HTML: {latest_version}")
+        log_event(
+            "Latest release version identified from HTML.",
+            extra={
+                "latest_version": latest_version
+            },
+            level=logging.INFO
+        )
         return latest_version
 
     except Exception as e:
-        print(f"Error parsing HTML or finding latest version: {e}")
+        log_event(
+            "Error parsing HTML while identifying latest release version.",
+            extra={
+                "error": str(e)
+            },
+            level=logging.ERROR,
+            exceptionTraceback=True
+        )
         return None
     
 def deep_merge_dicts(default_dict, existing_dict):
@@ -653,7 +696,10 @@ def decrypt_key(encrypted_key):
         decrypted_key = cipher_suite.decrypt(encrypted_key_bytes).decode()
         return decrypted_key
     except InvalidToken:
-        print("Decryption failed: Invalid token")
+        log_event(
+            "Decryption failed due to invalid token.",
+            level=logging.WARNING
+        )
         return None
 
 def get_user_settings(user_id):
@@ -692,7 +738,14 @@ def get_user_settings(user_id):
                 doc['settings']['profileImage'] = profile_image
                 updated = True
             except Exception as e:
-                print(f"Warning: Could not fetch profile image for user {user_id}: {e}")
+                log_event(
+                    "Could not fetch profile image for existing user.",
+                    extra={
+                        "user_id": user_id,
+                        "error": str(e)
+                    },
+                    level=logging.WARNING
+                )
                 doc['settings']['profileImage'] = None
                 updated = True
         
@@ -716,13 +769,28 @@ def get_user_settings(user_id):
             profile_image = get_user_profile_image()
             doc['settings']['profileImage'] = profile_image
         except Exception as e:
-            print(f"Warning: Could not fetch profile image for new user {user_id}: {e}")
+            log_event(
+                "Could not fetch profile image for new user.",
+                extra={
+                    "user_id": user_id,
+                    "error": str(e)
+                },
+                level=logging.WARNING
+            )
             doc['settings']['profileImage'] = None
             
         cosmos_user_settings_container.upsert_item(body=doc)
         return doc
     except Exception as e:
-        print(f"Error in get_user_settings for {user_id}: {e}")
+        log_event(
+            "Error retrieving user settings.",
+            extra={
+                "user_id": user_id,
+                "error": str(e)
+            },
+            level=logging.ERROR,
+            exceptionTraceback=True
+        )
         raise # Re-raise the exception to be handled by the route
     
 def update_user_settings(user_id, settings_to_update):
@@ -738,7 +806,6 @@ def update_user_settings(user_id, settings_to_update):
     Returns:
         bool: True if the update was successful, False otherwise.
     """
-    log_prefix = f"User settings update for {user_id}:"
     sanitized_settings_to_update = sanitize_settings_for_logging(settings_to_update)
     log_event("[UserSettings] Update Attempt", {"user_id": user_id, "settings_to_update": sanitized_settings_to_update})
 
@@ -872,12 +939,28 @@ def update_user_settings(user_id, settings_to_update):
         return True
 
     except exceptions.CosmosHttpResponseError as e:
-        print(f"{log_prefix} Cosmos DB HTTP error: {e}")
+        log_event(
+            "User settings update failed with Cosmos DB HTTP error.",
+            extra={
+                "user_id": user_id,
+                "error": str(e)
+            },
+            level=logging.ERROR,
+            exceptionTraceback=True
+        )
 
         return False
     except Exception as e:
         # Catch any other unexpected errors during the update process
-        print(f"{log_prefix} Unexpected error during update: {e}")
+        log_event(
+            "User settings update failed with unexpected error.",
+            extra={
+                "user_id": user_id,
+                "error": str(e)
+            },
+            level=logging.ERROR,
+            exceptionTraceback=True
+        )
 
         return False
 
@@ -965,7 +1048,15 @@ def get_user_search_history(user_id):
     except exceptions.CosmosResourceNotFoundError:
         return []
     except Exception as e:
-        print(f"Error getting search history: {e}")
+        log_event(
+            "Error retrieving user search history.",
+            extra={
+                "user_id": user_id,
+                "error": str(e)
+            },
+            level=logging.ERROR,
+            exceptionTraceback=True
+        )
         return []
 
 def add_search_to_history(user_id, search_term):
@@ -995,7 +1086,15 @@ def add_search_to_history(user_id, search_term):
         
         return search_history
     except Exception as e:
-        print(f"Error adding search to history: {e}")
+        log_event(
+            "Error adding search term to user history.",
+            extra={
+                "user_id": user_id,
+                "error": str(e)
+            },
+            level=logging.ERROR,
+            exceptionTraceback=True
+        )
         return []
 
 def clear_user_search_history(user_id):
@@ -1011,5 +1110,13 @@ def clear_user_search_history(user_id):
         
         return True
     except Exception as e:
-        print(f"Error clearing search history: {e}")
+        log_event(
+            "Error clearing user search history.",
+            extra={
+                "user_id": user_id,
+                "error": str(e)
+            },
+            level=logging.ERROR,
+            exceptionTraceback=True
+        )
         return False
\ No newline at end of file
diff --git a/application/single_app/route_frontend_authentication.py b/application/single_app/route_frontend_authentication.py
index a51ee87e..a7f8e2a6 100644
--- a/application/single_app/route_frontend_authentication.py
+++ b/application/single_app/route_frontend_authentication.py
@@ -270,9 +270,9 @@ def logout():
         else:
             logout_uri = url_for('index', _external=True)
         
-        print(f"Front Door enabled: {settings.get('enable_front_door', False)}")
-        print(f"Front Door URL: {settings.get('front_door_url')}")
-        print(f"Logout redirect URI: {logout_uri}")
+        # print(f"Front Door enabled: {settings.get('enable_front_door', False)}")
+        # print(f"Front Door URL: {settings.get('front_door_url')}")
+        # print(f"Logout redirect URI: {logout_uri}")
         
         logout_url = (
             f"{AUTHORITY}/oauth2/v2.0/logout"
@@ -282,5 +282,5 @@ def logout():
         if user_email:
             logout_url += f"&logout_hint={quote(user_email)}"
         
-        print(f"{user_name} logged out. Redirecting to Azure AD logout.")
+        # print(f"{user_name} logged out. Redirecting to Azure AD logout.")
         return redirect(logout_url)
\ No newline at end of file
diff --git a/docs/explanation/fixes/v0.239.012/ADMIN_SETTINGS_SAFE_INT_FALLBACK_FIX.md b/docs/explanation/fixes/v0.239.012/ADMIN_SETTINGS_SAFE_INT_FALLBACK_FIX.md
deleted file mode 100644
index d6844a91..00000000
--- a/docs/explanation/fixes/v0.239.012/ADMIN_SETTINGS_SAFE_INT_FALLBACK_FIX.md
+++ /dev/null
@@ -1,49 +0,0 @@
-# ADMIN SETTINGS SAFE INT FALLBACK FIX
-
-## Overview
-
-- **Issue**: Admin settings save flow could throw a `TypeError` when `safe_int()` returned a non-integer fallback value.
-- **Root Cause**: `safe_int()` returned `fallback_value` as-is after parse failure; if persisted fallback values were malformed (for example strings that cannot be converted), subsequent `max(1, ...)` / `max(0, ...)` operations could fail.
-- **Fixed/Implemented in version: `v0.240.002`**
-- **Related version update**: `application/single_app/config.py` updated to `VERSION = "v0.240.002"`.
-
-## Technical Details
-
-### Files Modified
-
-- `application/single_app/route_frontend_admin_settings.py`
-- `application/single_app/admin_settings_int_utils.py`
-- `application/single_app/config.py`
-- `functional_tests/test_admin_settings_safe_int_fallback_fix.py`
-- `functional_tests/test_idle_logout_timeout.py`
-- `functional_tests/test_settings_deep_merge_persistence_fix.py`
-
-### Code Changes Summary
-
-- Extracted integer parsing into module-level helper functions (`safe_int`, `safe_int_with_source`) in `admin_settings_int_utils.py`.
-- Updated admin settings route to use the extracted helper while preserving existing fallback and hard-default `log_event` diagnostics.
-- Kept idle-timeout call sites using explicit hard defaults (`30` and `28`).
-
-### Testing Approach
-
-- Refactored `functional_tests/test_admin_settings_safe_int_fallback_fix.py` to behavior-level helper tests (malformed raw and fallback values) plus AST route wiring validation.
-- Kept existing functional tests version-aligned with release version.
-
-### Impact Analysis
-
-- Prevents runtime `TypeError` in admin settings save flow for malformed persisted fallback values.
-- Improves resiliency of idle-timeout configuration handling without changing intended behavior for valid values.
-
-## Validation
-
-### Before
-
-- Invalid form input could cause `safe_int()` to return non-int fallback values, potentially raising `TypeError` in `max()`.
-
-### After
-
-- `safe_int()` always returns a valid integer from raw input, parsed fallback, or hard default.
-
-### Test Result
-
-- Verified by running `py -3 functional_tests/test_admin_settings_safe_int_fallback_fix.py`.
diff --git a/docs/explanation/fixes/v0.239.012/IDLE_HEARTBEAT_INTERVAL_FIX.md b/docs/explanation/fixes/v0.239.012/IDLE_HEARTBEAT_INTERVAL_FIX.md
deleted file mode 100644
index 8e18c920..00000000
--- a/docs/explanation/fixes/v0.239.012/IDLE_HEARTBEAT_INTERVAL_FIX.md
+++ /dev/null
@@ -1,35 +0,0 @@
-# IDLE HEARTBEAT INTERVAL FIX
-
-## Header Information
-
-- **Fix Title**: Idle heartbeat timing alignment for short timeout configurations
-- **Issue Description**: The client initialized `lastServerHeartbeatAt` with `Date.now()` and used a fixed 60-second heartbeat minimum interval. With `timeoutMinutes = 1`, active users could miss a heartbeat before server-side timeout and be logged out unexpectedly.
-- **Root Cause Analysis**: Heartbeat throttling was static and did not account for short configured timeout windows, delaying the first heartbeat too long for aggressive timeout settings.
-- **Version Implemented**: **v0.240.002**
-- **Related Config Update**: `application/single_app/config.py` updated to `VERSION = "v0.240.002"`.
-
-## Technical Details
-
-- **Files Modified**:
-  - `application/single_app/static/js/idle-logout-warning.js`
-  - `functional_tests/test_idle_logout_timeout.py`
-  - `application/single_app/config.py`
-- **Code Changes Summary**:
-  - Set `lastServerHeartbeatAt` to `0` so first user activity can trigger an immediate heartbeat.
-  - Replaced fixed heartbeat interval with dynamic interval: `Math.min(60000, timeoutMs / 2)`.
-  - Added functional test markers to assert both initialization and dynamic heartbeat interval logic.
-- **Testing Approach**:
-  - Extended `functional_tests/test_idle_logout_timeout.py` JavaScript wiring assertions.
-- **Impact Analysis**:
-  - Prevents active users from timing out in short (1-minute) idle-timeout configurations due to delayed client heartbeat.
-  - Preserves lower heartbeat frequency for normal/larger timeout configurations.
-
-## Validation
-
-- **Test Results**:
-  - Functional idle-timeout test includes marker checks for dynamic heartbeat timing logic.
-- **Before/After Comparison**:
-  - **Before**: First heartbeat could be delayed up to 60 seconds regardless of timeout size.
-  - **After**: First heartbeat is eligible on first activity, and recurring heartbeat interval scales with timeout.
-- **User Experience Improvements**:
-  - More reliable stay-signed-in behavior during active interaction when short idle timeout settings are configured.
diff --git a/docs/explanation/fixes/v0.239.012/IDLE_HEARTBEAT_REAUTH_HANDLING_FIX.md b/docs/explanation/fixes/v0.239.012/IDLE_HEARTBEAT_REAUTH_HANDLING_FIX.md
deleted file mode 100644
index c79a0967..00000000
--- a/docs/explanation/fixes/v0.239.012/IDLE_HEARTBEAT_REAUTH_HANDLING_FIX.md
+++ /dev/null
@@ -1,35 +0,0 @@
-# IDLE HEARTBEAT REAUTH HANDLING FIX
-
-## Header Information
-
-- **Fix Title**: Background heartbeat reauth synchronization
-- **Issue Description**: Background heartbeat requests that returned non-OK responses (such as `401` after server-side idle expiry) could return without redirecting, leaving the UI active while the backend session was already cleared.
-- **Root Cause Analysis**: `refreshServerSession()` only forced logout for non-OK responses when `forceLogoutOnFailure` was `true` (user-initiated path), but the background path used `false` and silently returned.
-- **Version Implemented**: **v0.240.002**
-- **Related Config Update**: `application/single_app/config.py` updated to `VERSION = "v0.240.002"`.
-
-## Technical Details
-
-- **Files Modified**:
-  - `application/single_app/static/js/idle-logout-warning.js`
-  - `functional_tests/test_idle_logout_timeout.py`
-  - `application/single_app/config.py`
-- **Code Changes Summary**:
-  - Added hard-logout handling for heartbeat responses with HTTP `401`/`403` even in background heartbeat mode.
-  - Added fallback parsing of non-OK JSON payloads to check `requires_reauth` and trigger logout accordingly.
-  - Kept existing behavior where transient non-auth failures still avoid forced logout for background heartbeats.
-- **Testing Approach**:
-  - Extended `functional_tests/test_idle_logout_timeout.py` JavaScript marker assertions for status-based and payload-based reauth handling.
-- **Impact Analysis**:
-  - Prevents client/server auth-state divergence after backend session expiration.
-  - Reduces false “still signed in” UI state when the server has already invalidated the session.
-
-## Validation
-
-- **Test Results**:
-  - Idle-timeout functional test validates the new reauth marker logic in heartbeat handling.
-- **Before/After Comparison**:
-  - **Before**: Non-user-initiated heartbeats could silently ignore server reauth responses.
-  - **After**: Background heartbeats force logout on auth-failure signals (`401`, `403`, or `requires_reauth`).
-- **User Experience Improvements**:
-  - Consistent logout behavior when session expiration is detected during background activity monitoring.
diff --git a/docs/explanation/fixes/v0.239.012/IDLE_SESSION_API_ACTIVITY_SEED_FIX.md b/docs/explanation/fixes/v0.239.012/IDLE_SESSION_API_ACTIVITY_SEED_FIX.md
deleted file mode 100644
index c3956043..00000000
--- a/docs/explanation/fixes/v0.239.012/IDLE_SESSION_API_ACTIVITY_SEED_FIX.md
+++ /dev/null
@@ -1,36 +0,0 @@
-# IDLE SESSION API ACTIVITY SEED FIX
-
-## Header Information
-
-- **Fix Title**: Idle timeout API activity timestamp seeding
-- **Issue Description**: `enforce_idle_session_timeout()` returned early for `/api/...` requests without updating `session['last_activity_epoch']`. If an authenticated session did not already have that key, idle-timeout tracking could fail to start for API-only traffic.
-- **Root Cause Analysis**: API-path early return happened before timestamp update logic, and the function only updated `last_activity_epoch` for non-API requests (or when idle-timeout was disabled).
-- **Version Implemented**: **v0.240.002**
-- **Related Config Update**: `application/single_app/config.py` updated to `VERSION = "v0.240.002"`.
-
-## Technical Details
-
-- **Files Modified**:
-  - `application/single_app/app.py`
-  - `functional_tests/test_idle_logout_timeout.py`
-  - `application/single_app/config.py`
-- **Code Changes Summary**:
-  - Added `has_valid_last_activity_epoch` tracking in `enforce_idle_session_timeout()`.
-  - For API requests, seed `session['last_activity_epoch']` only when the existing value is missing or invalid, then return.
-  - Kept existing behavior where non-API requests refresh activity timestamp normally.
-  - Added AST regression assertion to ensure API-path timestamp seeding remains wired.
-- **Testing Approach**:
-  - Functional AST wiring checks in `functional_tests/test_idle_logout_timeout.py` now assert API-path `last_activity_epoch` assignment logic.
-- **Impact Analysis**:
-  - Eliminates idle-timeout bypass risk for authenticated API-only sessions lacking initial activity timestamp.
-  - Avoids changing existing design where every API request does not automatically extend active session lifetime.
-
-## Validation
-
-- **Test Results**:
-  - Updated idle-timeout functional test validates the API-path timestamp seeding wiring.
-- **Before/After Comparison**:
-  - **Before**: API requests could return without ever initializing `last_activity_epoch`.
-  - **After**: API requests initialize `last_activity_epoch` when missing/invalid, enabling consistent timeout enforcement.
-- **User Experience Improvements**:
-  - Idle-timeout behavior is consistent for users interacting mainly through API traffic while preserving expected session-expiry behavior.
diff --git a/docs/explanation/fixes/v0.239.012/SETTINGS_DEEP_MERGE_PERSISTENCE_FIX.md b/docs/explanation/fixes/v0.239.012/SETTINGS_DEEP_MERGE_PERSISTENCE_FIX.md
deleted file mode 100644
index 04bf9425..00000000
--- a/docs/explanation/fixes/v0.239.012/SETTINGS_DEEP_MERGE_PERSISTENCE_FIX.md
+++ /dev/null
@@ -1,52 +0,0 @@
-# SETTINGS DEEP MERGE PERSISTENCE FIX
-
-## Overview
-
-- **Issue**: App settings default-key merge changes were not being persisted back to Cosmos DB.
-- **Root Cause**: `deep_merge_dicts(default_settings, settings_item)` mutates `settings_item` in place, and `get_settings()` compared `merged` against the same mutated object, so `merged != settings_item` evaluated false.
-- **Fixed/Implemented in version: `v0.240.002`**
-- **Related version update**: `application/single_app/config.py` updated to `VERSION = "v0.240.002"`.
-
-## Technical Details
-
-### Files Modified
-
-- `application/single_app/functions_settings.py`
-- `application/single_app/config.py`
-- `functional_tests/test_settings_deep_merge_persistence_fix.py`
-
-### Code Changes Summary
-
- - Updated `deep_merge_dicts()` in `functions_settings.py` to return a boolean `changed` flag indicating whether any values were added or updated during the merge.
- - Updated `get_settings()` (and related callers) to use the returned `settings_changed` flag to decide whether to upsert the merged settings back to Cosmos DB.
- - Kept the merge semantics the same while fixing the persistence condition so that only genuinely changed settings trigger an upsert.
- - Preserved existing upsert behavior, logging flow, and return shapes for callers.
-
-### Testing Approach
-
-- Added functional regression test: `functional_tests/test_settings_deep_merge_persistence_fix.py`.
-- Test validates marker-based wiring for:
-  - the `changed` flag returned from `deep_merge_dicts()`,
-  - the `settings_changed` gate that controls whether the Cosmos upsert path is invoked,
-  - Cosmos upsert path availability and logging when defaults introduce new keys,
-  - version alignment in `config.py`.
-
-### Impact Analysis
-
-- Restores intended persistence behavior for newly introduced default settings keys.
-- Reduces risk of drift between in-memory merged settings and persisted Cosmos settings.
-- Maintains compatibility with existing callers and return shapes.
-
-## Validation
-
-### Before
-
-- Missing default keys could be merged in memory but not persisted, because the change check compared a mutated object to itself.
-
-### After
-
-- Missing default keys trigger the upsert path and persistence logging because `deep_merge_dicts()` reports that changes occurred and `settings_changed` evaluates `True`, causing the merged settings to be written back to Cosmos DB.
-
-### Test Result
-
-- Verified by running `py -3 functional_tests/test_settings_deep_merge_persistence_fix.py`.
diff --git a/functional_tests/test_admin_settings_safe_int_fallback_fix.py b/functional_tests/test_admin_settings_safe_int_fallback_fix.py
index a95e9e12..924489b9 100644
--- a/functional_tests/test_admin_settings_safe_int_fallback_fix.py
+++ b/functional_tests/test_admin_settings_safe_int_fallback_fix.py
@@ -147,7 +147,7 @@ def test_version_alignment_for_safe_int_fix():
     config_content = _read_file("application", "single_app", "config.py")
 
     required_markers = [
-        "VERSION = \"v0.240.002\""
+        "VERSION = \"0.240.002\""
     ]
 
     missing_markers = [marker for marker in required_markers if marker not in config_content]
diff --git a/functional_tests/test_idle_logout_timeout.py b/functional_tests/test_idle_logout_timeout.py
index f3ae5d03..8857d862 100644
--- a/functional_tests/test_idle_logout_timeout.py
+++ b/functional_tests/test_idle_logout_timeout.py
@@ -301,7 +301,7 @@ def test_server_idle_timeout_wiring():
     assert has_heartbeat_refresh_call, "Missing get_idle_timeout_settings(get_request_settings()) in session_heartbeat"
 
     required_config_markers = [
-        "VERSION = \"v0.240.002\""
+        "VERSION = \"0.240.002\""
     ]
 
     missing_config_markers = [marker for marker in required_config_markers if marker not in config_content]
diff --git a/functional_tests/test_settings_deep_merge_persistence_fix.py b/functional_tests/test_settings_deep_merge_persistence_fix.py
index 07d27ba8..d4f45f0c 100644
--- a/functional_tests/test_settings_deep_merge_persistence_fix.py
+++ b/functional_tests/test_settings_deep_merge_persistence_fix.py
@@ -211,7 +211,7 @@ def test_version_alignment_for_fix_release():
     config_content = _read_file("application", "single_app", "config.py")
 
     required_markers = [
-        "VERSION = \"v0.240.002\""
+        "VERSION = \"0.240.002\""
     ]
 
     missing_markers = [marker for marker in required_markers if marker not in config_content]

From 79d3e18452c0e6a7526f482dca8e07d1dd4f9c06 Mon Sep 17 00:00:00 2001
From: Chad Palmer <chadpalmer@gmail.com>
Date: Tue, 24 Mar 2026 20:07:06 +0000
Subject: [PATCH 27/27] feedback-user-timeout - Added doc files in new folder.

---
 .../ADMIN_SETTINGS_SAFE_INT_FALLBACK_FIX.md   | 49 +++++++++++++++++
 .../v0.240.002/IDLE_HEARTBEAT_INTERVAL_FIX.md | 35 +++++++++++++
 .../IDLE_HEARTBEAT_REAUTH_HANDLING_FIX.md     | 35 +++++++++++++
 .../IDLE_SESSION_API_ACTIVITY_SEED_FIX.md     | 36 +++++++++++++
 .../SETTINGS_DEEP_MERGE_PERSISTENCE_FIX.md    | 52 +++++++++++++++++++
 5 files changed, 207 insertions(+)
 create mode 100644 docs/explanation/fixes/v0.240.002/ADMIN_SETTINGS_SAFE_INT_FALLBACK_FIX.md
 create mode 100644 docs/explanation/fixes/v0.240.002/IDLE_HEARTBEAT_INTERVAL_FIX.md
 create mode 100644 docs/explanation/fixes/v0.240.002/IDLE_HEARTBEAT_REAUTH_HANDLING_FIX.md
 create mode 100644 docs/explanation/fixes/v0.240.002/IDLE_SESSION_API_ACTIVITY_SEED_FIX.md
 create mode 100644 docs/explanation/fixes/v0.240.002/SETTINGS_DEEP_MERGE_PERSISTENCE_FIX.md

diff --git a/docs/explanation/fixes/v0.240.002/ADMIN_SETTINGS_SAFE_INT_FALLBACK_FIX.md b/docs/explanation/fixes/v0.240.002/ADMIN_SETTINGS_SAFE_INT_FALLBACK_FIX.md
new file mode 100644
index 00000000..d6844a91
--- /dev/null
+++ b/docs/explanation/fixes/v0.240.002/ADMIN_SETTINGS_SAFE_INT_FALLBACK_FIX.md
@@ -0,0 +1,49 @@
+# ADMIN SETTINGS SAFE INT FALLBACK FIX
+
+## Overview
+
+- **Issue**: Admin settings save flow could throw a `TypeError` when `safe_int()` returned a non-integer fallback value.
+- **Root Cause**: `safe_int()` returned `fallback_value` as-is after parse failure; if persisted fallback values were malformed (for example strings that cannot be converted), subsequent `max(1, ...)` / `max(0, ...)` operations could fail.
+- **Fixed/Implemented in version: `v0.240.002`**
+- **Related version update**: `application/single_app/config.py` updated to `VERSION = "v0.240.002"`.
+
+## Technical Details
+
+### Files Modified
+
+- `application/single_app/route_frontend_admin_settings.py`
+- `application/single_app/admin_settings_int_utils.py`
+- `application/single_app/config.py`
+- `functional_tests/test_admin_settings_safe_int_fallback_fix.py`
+- `functional_tests/test_idle_logout_timeout.py`
+- `functional_tests/test_settings_deep_merge_persistence_fix.py`
+
+### Code Changes Summary
+
+- Extracted integer parsing into module-level helper functions (`safe_int`, `safe_int_with_source`) in `admin_settings_int_utils.py`.
+- Updated admin settings route to use the extracted helper while preserving existing fallback and hard-default `log_event` diagnostics.
+- Kept idle-timeout call sites using explicit hard defaults (`30` and `28`).
+
+### Testing Approach
+
+- Refactored `functional_tests/test_admin_settings_safe_int_fallback_fix.py` to behavior-level helper tests (malformed raw and fallback values) plus AST route wiring validation.
+- Kept existing functional tests version-aligned with release version.
+
+### Impact Analysis
+
+- Prevents runtime `TypeError` in admin settings save flow for malformed persisted fallback values.
+- Improves resiliency of idle-timeout configuration handling without changing intended behavior for valid values.
+
+## Validation
+
+### Before
+
+- Invalid form input could cause `safe_int()` to return non-int fallback values, potentially raising `TypeError` in `max()`.
+
+### After
+
+- `safe_int()` always returns a valid integer from raw input, parsed fallback, or hard default.
+
+### Test Result
+
+- Verified by running `py -3 functional_tests/test_admin_settings_safe_int_fallback_fix.py`.
diff --git a/docs/explanation/fixes/v0.240.002/IDLE_HEARTBEAT_INTERVAL_FIX.md b/docs/explanation/fixes/v0.240.002/IDLE_HEARTBEAT_INTERVAL_FIX.md
new file mode 100644
index 00000000..8e18c920
--- /dev/null
+++ b/docs/explanation/fixes/v0.240.002/IDLE_HEARTBEAT_INTERVAL_FIX.md
@@ -0,0 +1,35 @@
+# IDLE HEARTBEAT INTERVAL FIX
+
+## Header Information
+
+- **Fix Title**: Idle heartbeat timing alignment for short timeout configurations
+- **Issue Description**: The client initialized `lastServerHeartbeatAt` with `Date.now()` and used a fixed 60-second heartbeat minimum interval. With `timeoutMinutes = 1`, active users could miss a heartbeat before server-side timeout and be logged out unexpectedly.
+- **Root Cause Analysis**: Heartbeat throttling was static and did not account for short configured timeout windows, delaying the first heartbeat too long for aggressive timeout settings.
+- **Version Implemented**: **v0.240.002**
+- **Related Config Update**: `application/single_app/config.py` updated to `VERSION = "v0.240.002"`.
+
+## Technical Details
+
+- **Files Modified**:
+  - `application/single_app/static/js/idle-logout-warning.js`
+  - `functional_tests/test_idle_logout_timeout.py`
+  - `application/single_app/config.py`
+- **Code Changes Summary**:
+  - Set `lastServerHeartbeatAt` to `0` so first user activity can trigger an immediate heartbeat.
+  - Replaced fixed heartbeat interval with dynamic interval: `Math.min(60000, timeoutMs / 2)`.
+  - Added functional test markers to assert both initialization and dynamic heartbeat interval logic.
+- **Testing Approach**:
+  - Extended `functional_tests/test_idle_logout_timeout.py` JavaScript wiring assertions.
+- **Impact Analysis**:
+  - Prevents active users from timing out in short (1-minute) idle-timeout configurations due to delayed client heartbeat.
+  - Preserves lower heartbeat frequency for normal/larger timeout configurations.
+
+## Validation
+
+- **Test Results**:
+  - Functional idle-timeout test includes marker checks for dynamic heartbeat timing logic.
+- **Before/After Comparison**:
+  - **Before**: First heartbeat could be delayed up to 60 seconds regardless of timeout size.
+  - **After**: First heartbeat is eligible on first activity, and recurring heartbeat interval scales with timeout.
+- **User Experience Improvements**:
+  - More reliable stay-signed-in behavior during active interaction when short idle timeout settings are configured.
diff --git a/docs/explanation/fixes/v0.240.002/IDLE_HEARTBEAT_REAUTH_HANDLING_FIX.md b/docs/explanation/fixes/v0.240.002/IDLE_HEARTBEAT_REAUTH_HANDLING_FIX.md
new file mode 100644
index 00000000..c79a0967
--- /dev/null
+++ b/docs/explanation/fixes/v0.240.002/IDLE_HEARTBEAT_REAUTH_HANDLING_FIX.md
@@ -0,0 +1,35 @@
+# IDLE HEARTBEAT REAUTH HANDLING FIX
+
+## Header Information
+
+- **Fix Title**: Background heartbeat reauth synchronization
+- **Issue Description**: Background heartbeat requests that returned non-OK responses (such as `401` after server-side idle expiry) could return without redirecting, leaving the UI active while the backend session was already cleared.
+- **Root Cause Analysis**: `refreshServerSession()` only forced logout for non-OK responses when `forceLogoutOnFailure` was `true` (user-initiated path), but the background path used `false` and silently returned.
+- **Version Implemented**: **v0.240.002**
+- **Related Config Update**: `application/single_app/config.py` updated to `VERSION = "v0.240.002"`.
+
+## Technical Details
+
+- **Files Modified**:
+  - `application/single_app/static/js/idle-logout-warning.js`
+  - `functional_tests/test_idle_logout_timeout.py`
+  - `application/single_app/config.py`
+- **Code Changes Summary**:
+  - Added hard-logout handling for heartbeat responses with HTTP `401`/`403` even in background heartbeat mode.
+  - Added fallback parsing of non-OK JSON payloads to check `requires_reauth` and trigger logout accordingly.
+  - Kept existing behavior where transient non-auth failures still avoid forced logout for background heartbeats.
+- **Testing Approach**:
+  - Extended `functional_tests/test_idle_logout_timeout.py` JavaScript marker assertions for status-based and payload-based reauth handling.
+- **Impact Analysis**:
+  - Prevents client/server auth-state divergence after backend session expiration.
+  - Reduces false “still signed in” UI state when the server has already invalidated the session.
+
+## Validation
+
+- **Test Results**:
+  - Idle-timeout functional test validates the new reauth marker logic in heartbeat handling.
+- **Before/After Comparison**:
+  - **Before**: Non-user-initiated heartbeats could silently ignore server reauth responses.
+  - **After**: Background heartbeats force logout on auth-failure signals (`401`, `403`, or `requires_reauth`).
+- **User Experience Improvements**:
+  - Consistent logout behavior when session expiration is detected during background activity monitoring.
diff --git a/docs/explanation/fixes/v0.240.002/IDLE_SESSION_API_ACTIVITY_SEED_FIX.md b/docs/explanation/fixes/v0.240.002/IDLE_SESSION_API_ACTIVITY_SEED_FIX.md
new file mode 100644
index 00000000..c3956043
--- /dev/null
+++ b/docs/explanation/fixes/v0.240.002/IDLE_SESSION_API_ACTIVITY_SEED_FIX.md
@@ -0,0 +1,36 @@
+# IDLE SESSION API ACTIVITY SEED FIX
+
+## Header Information
+
+- **Fix Title**: Idle timeout API activity timestamp seeding
+- **Issue Description**: `enforce_idle_session_timeout()` returned early for `/api/...` requests without updating `session['last_activity_epoch']`. If an authenticated session did not already have that key, idle-timeout tracking could fail to start for API-only traffic.
+- **Root Cause Analysis**: API-path early return happened before timestamp update logic, and the function only updated `last_activity_epoch` for non-API requests (or when idle-timeout was disabled).
+- **Version Implemented**: **v0.240.002**
+- **Related Config Update**: `application/single_app/config.py` updated to `VERSION = "v0.240.002"`.
+
+## Technical Details
+
+- **Files Modified**:
+  - `application/single_app/app.py`
+  - `functional_tests/test_idle_logout_timeout.py`
+  - `application/single_app/config.py`
+- **Code Changes Summary**:
+  - Added `has_valid_last_activity_epoch` tracking in `enforce_idle_session_timeout()`.
+  - For API requests, seed `session['last_activity_epoch']` only when the existing value is missing or invalid, then return.
+  - Kept existing behavior where non-API requests refresh activity timestamp normally.
+  - Added AST regression assertion to ensure API-path timestamp seeding remains wired.
+- **Testing Approach**:
+  - Functional AST wiring checks in `functional_tests/test_idle_logout_timeout.py` now assert API-path `last_activity_epoch` assignment logic.
+- **Impact Analysis**:
+  - Eliminates idle-timeout bypass risk for authenticated API-only sessions lacking initial activity timestamp.
+  - Avoids changing existing design where every API request does not automatically extend active session lifetime.
+
+## Validation
+
+- **Test Results**:
+  - Updated idle-timeout functional test validates the API-path timestamp seeding wiring.
+- **Before/After Comparison**:
+  - **Before**: API requests could return without ever initializing `last_activity_epoch`.
+  - **After**: API requests initialize `last_activity_epoch` when missing/invalid, enabling consistent timeout enforcement.
+- **User Experience Improvements**:
+  - Idle-timeout behavior is consistent for users interacting mainly through API traffic while preserving expected session-expiry behavior.
diff --git a/docs/explanation/fixes/v0.240.002/SETTINGS_DEEP_MERGE_PERSISTENCE_FIX.md b/docs/explanation/fixes/v0.240.002/SETTINGS_DEEP_MERGE_PERSISTENCE_FIX.md
new file mode 100644
index 00000000..04bf9425
--- /dev/null
+++ b/docs/explanation/fixes/v0.240.002/SETTINGS_DEEP_MERGE_PERSISTENCE_FIX.md
@@ -0,0 +1,52 @@
+# SETTINGS DEEP MERGE PERSISTENCE FIX
+
+## Overview
+
+- **Issue**: App settings default-key merge changes were not being persisted back to Cosmos DB.
+- **Root Cause**: `deep_merge_dicts(default_settings, settings_item)` mutates `settings_item` in place, and `get_settings()` compared `merged` against the same mutated object, so `merged != settings_item` evaluated false.
+- **Fixed/Implemented in version: `v0.240.002`**
+- **Related version update**: `application/single_app/config.py` updated to `VERSION = "v0.240.002"`.
+
+## Technical Details
+
+### Files Modified
+
+- `application/single_app/functions_settings.py`
+- `application/single_app/config.py`
+- `functional_tests/test_settings_deep_merge_persistence_fix.py`
+
+### Code Changes Summary
+
+ - Updated `deep_merge_dicts()` in `functions_settings.py` to return a boolean `changed` flag indicating whether any values were added or updated during the merge.
+ - Updated `get_settings()` (and related callers) to use the returned `settings_changed` flag to decide whether to upsert the merged settings back to Cosmos DB.
+ - Kept the merge semantics the same while fixing the persistence condition so that only genuinely changed settings trigger an upsert.
+ - Preserved existing upsert behavior, logging flow, and return shapes for callers.
+
+### Testing Approach
+
+- Added functional regression test: `functional_tests/test_settings_deep_merge_persistence_fix.py`.
+- Test validates marker-based wiring for:
+  - the `changed` flag returned from `deep_merge_dicts()`,
+  - the `settings_changed` gate that controls whether the Cosmos upsert path is invoked,
+  - Cosmos upsert path availability and logging when defaults introduce new keys,
+  - version alignment in `config.py`.
+
+### Impact Analysis
+
+- Restores intended persistence behavior for newly introduced default settings keys.
+- Reduces risk of drift between in-memory merged settings and persisted Cosmos settings.
+- Maintains compatibility with existing callers and return shapes.
+
+## Validation
+
+### Before
+
+- Missing default keys could be merged in memory but not persisted, because the change check compared a mutated object to itself.
+
+### After
+
+- Missing default keys trigger the upsert path and persistence logging because `deep_merge_dicts()` reports that changes occurred and `settings_changed` evaluates `True`, causing the merged settings to be written back to Cosmos DB.
+
+### Test Result
+
+- Verified by running `py -3 functional_tests/test_settings_deep_merge_persistence_fix.py`.