Implement comprehensive HR Management Backend System

- FastAPI application with JWT authentication and role-based access control
- Complete employee management with CRUD operations
- Department management with manager assignments
- Leave management system with approval workflow
- Payroll processing with overtime and deductions calculation
- Attendance tracking with clock in/out functionality
- SQLite database with proper migrations using Alembic
- Role-based permissions (Admin, HR Manager, Manager, Employee)
- Comprehensive API documentation and health checks
- CORS enabled for cross-origin requests

Environment Variables Required:
- SECRET_KEY: JWT secret key for token signing

Features implemented:
- User registration and authentication
- Employee profile management
- Department hierarchy management
- Leave request creation and approval
- Payroll record processing
- Daily attendance tracking
- Hours calculation for attendance
- Proper error handling and validation

README.md

@@ -1,3 +1,187 @@
-# FastAPI Application
+# HR Management Backend Service
 
-This is a FastAPI application bootstrapped by BackendIM, the AI-powered backend generation platform.
+A comprehensive HR management backend system built with FastAPI, providing APIs for managing employees, departments, leave requests, payroll, and attendance tracking.
+
+## Features
+
+- **User Authentication**: JWT-based authentication with role-based access control
+- **Employee Management**: Complete employee profile management with hierarchical permissions
+- **Department Management**: Create and manage company departments with managers
+- **Leave Management**: Employee leave request system with approval workflow
+- **Payroll Management**: Payroll processing with overtime, bonuses, and deductions
+- **Attendance Tracking**: Clock in/out system with hours calculation
+- **Role-Based Access**: Admin, HR Manager, Manager, and Employee roles with appropriate permissions
+
+## Tech Stack
+
+- **FastAPI**: Modern, fast web framework for building APIs
+- **SQLAlchemy**: SQL toolkit and ORM
+- **SQLite**: Lightweight database for data storage
+- **Alembic**: Database migration tool
+- **JWT**: Token-based authentication
+- **Pydantic**: Data validation using Python type annotations
+- **Ruff**: Fast Python linter and formatter
+
+## Project Structure
+
+```
+├── app/
+│   ├── core/           # Core functionality (security, dependencies)
+│   ├── db/             # Database configuration and session management
+│   ├── models/         # SQLAlchemy database models
+│   ├── routers/        # API route handlers
+│   ├── schemas/        # Pydantic schemas for request/response
+│   └── services/       # Business logic services
+├── migrations/         # Alembic database migrations
+├── main.py            # FastAPI application entry point
+├── requirements.txt   # Python dependencies
+└── alembic.ini       # Alembic configuration
+```
+
+## Installation
+
+1. Clone the repository
+2. Install dependencies:
+   ```bash
+   pip install -r requirements.txt
+   ```
+
+## Running the Application
+
+Start the FastAPI server with uvicorn:
+```bash
+uvicorn main:app --host 0.0.0.0 --port 8000 --reload
+```
+
+The API will be available at:
+- **Base URL**: http://localhost:8000
+- **API Documentation**: http://localhost:8000/docs
+- **Alternative Docs**: http://localhost:8000/redoc
+- **Health Check**: http://localhost:8000/health
+
+## Environment Variables
+
+The following environment variables should be set for production:
+
+- `SECRET_KEY`: JWT secret key for token signing (default: "your-secret-key-change-in-production")
+
+## API Endpoints
+
+### Authentication
+- `POST /auth/register` - Register a new user
+- `POST /auth/login` - Login and get access token
+- `GET /auth/me` - Get current user information
+
+### Employees
+- `POST /employees` - Create employee profile
+- `GET /employees` - List all employees
+- `GET /employees/{id}` - Get employee by ID
+- `PUT /employees/{id}` - Update employee
+- `DELETE /employees/{id}` - Delete employee
+
+### Departments
+- `POST /departments` - Create department
+- `GET /departments` - List departments
+- `GET /departments/{id}` - Get department by ID
+- `PUT /departments/{id}` - Update department
+- `DELETE /departments/{id}` - Delete department
+
+### Leave Management
+- `POST /leaves` - Create leave request
+- `GET /leaves` - List leave requests
+- `GET /leaves/{id}` - Get leave request by ID
+- `PUT /leaves/{id}/approve` - Approve/reject leave request
+- `PUT /leaves/{id}` - Update leave request
+- `DELETE /leaves/{id}` - Delete leave request
+
+### Payroll
+- `POST /payroll` - Create payroll record
+- `GET /payroll` - List payroll records
+- `GET /payroll/{id}` - Get payroll record by ID
+- `PUT /payroll/{id}` - Update payroll record
+- `POST /payroll/{id}/process` - Process payroll record
+- `DELETE /payroll/{id}` - Delete payroll record
+
+### Attendance
+- `POST /attendance` - Create attendance record
+- `GET /attendance` - List attendance records
+- `GET /attendance/{id}` - Get attendance record by ID
+- `PUT /attendance/{id}` - Update attendance record
+- `POST /attendance/{id}/clock-out` - Clock out from attendance record
+- `DELETE /attendance/{id}` - Delete attendance record
+
+## User Roles
+
+### Admin
+- Full access to all system features
+- Can manage all users, employees, departments
+- Can view and process all payroll records
+- Can delete any records
+
+### HR Manager
+- Can manage employees and departments
+- Can view and approve leave requests
+- Can create and process payroll records
+- Can view all attendance records
+
+### Manager
+- Can view employees in their department
+- Can approve leave requests for their department
+- Can view attendance records for their team
+
+### Employee
+- Can view and update their own profile
+- Can create and manage their own leave requests
+- Can view their own payroll records
+- Can create and update their own attendance records
+
+## Database
+
+The application uses SQLite database with the following main tables:
+- `users` - User accounts and authentication
+- `employees` - Employee profiles and information
+- `departments` - Company departments
+- `leave_requests` - Leave request records
+- `payroll_records` - Payroll and salary information
+- `attendance_records` - Daily attendance tracking
+
+Database files are stored in `/app/storage/db/` directory.
+
+## Development
+
+### Running Linter
+```bash
+ruff check . --fix
+```
+
+### Database Migrations
+The initial migration is included. For new migrations:
+```bash
+# Create a new migration
+alembic revision --autogenerate -m "description"
+
+# Apply migrations
+alembic upgrade head
+```
+
+## Authentication
+
+The API uses JWT (JSON Web Tokens) for authentication. Include the token in the Authorization header:
+```
+Authorization: Bearer <your-jwt-token>
+```
+
+## Error Handling
+
+The API returns appropriate HTTP status codes:
+- `200` - Success
+- `201` - Created
+- `400` - Bad Request
+- `401` - Unauthorized
+- `403` - Forbidden
+- `404` - Not Found
+- `422` - Validation Error
+
+## License
+
+This project is proprietary software for HR management purposes.

alembic.ini

@@ -0,0 +1,102 @@
+# A generic, single database configuration.
+
+[alembic]
+# path to migration scripts
+script_location = migrations
+
+# template used to generate migration file names; The default value is %%(rev)s_%%(slug)s
+# Uncomment the line below if you want the files to be prepended with date and time
+# file_template = %%(year)d_%%(month).2d_%%(day).2d_%%(hour).2d%%(minute).2d-%%(rev)s_%%(slug)s
+
+# sys.path path, will be prepended to sys.path if present.
+# defaults to the current working directory.
+prepend_sys_path = .
+
+# timezone to use when rendering the date within the migration file
+# as well as the filename.
+# If specified, requires the python-dateutil library that can be
+# installed by adding `alembic[tz]` to the pip requirements
+# string value is passed to dateutil.tz.gettz()
+# leave blank for localtime
+# timezone =
+
+# max length of characters to apply to the
+# "slug" field
+# truncate_slug_length = 40
+
+# set to 'true' to run the environment during
+# the 'revision' command, regardless of autogenerate
+# revision_environment = false
+
+# set to 'true' to allow .pyc and .pyo files without
+# a source .py file to be detected as revisions in the
+# versions/ directory
+# sourceless = false
+
+# version files to retain and their associated metadata
+version_table_name = alembic_version
+version_table_schema = 
+
+# version path separator; As mentioned above, this is the character used to split
+# version_locations. The default within new alembic.ini files is "os", which uses
+# os.pathsep. If this key is omitted entirely, it falls back to the legacy
+# behavior of splitting on spaces and/or commas.
+# Valid values for version_path_separator are:
+#
+# version_path_separator = :
+# version_path_separator = ;
+# version_path_separator = space
+version_path_separator = os
+
+# the output encoding used when revision files
+# are written from script.py.mako
+# output_encoding = utf-8
+
+sqlalchemy.url = sqlite:////app/storage/db/db.sqlite
+
+
+[post_write_hooks]
+# post_write_hooks defines scripts or Python functions that are run
+# on newly generated revision scripts.  See the documentation for further
+# detail and examples
+
+# format using "black" - use the console_scripts runner, against the "black" entrypoint
+# hooks = black
+# black.type = console_scripts
+# black.entrypoint = black
+# black.options = -l 79 REVISION_SCRIPT_FILENAME
+
+# Logging configuration
+[loggers]
+keys = root,sqlalchemy,alembic
+
+[handlers]
+keys = console
+
+[formatters]
+keys = generic
+
+[logger_root]
+level = WARN
+handlers = console
+qualname =
+
+[logger_sqlalchemy]
+level = WARN
+handlers =
+qualname = sqlalchemy.engine
+
+[logger_alembic]
+level = INFO
+handlers =
+qualname = alembic
+
+[handler_console]
+class = StreamHandler
+args = (sys.stderr,)
+level = NOTSET
+formatter = generic
+
+[formatter_generic]
+format = %(levelname)-5.5s [%(name)s] %(message)s
+datefmt = %H:%M:%S

app/core/deps.py

@@ -0,0 +1,55 @@
+from fastapi import Depends, HTTPException, status
+from fastapi.security import HTTPBearer, HTTPAuthorizationCredentials
+from sqlalchemy.orm import Session
+from app.db.session import get_db
+from app.core.security import verify_token
+from app.models.users import User
+from app.models.employees import Employee
+
+security = HTTPBearer()
+
+def get_current_user(
+    credentials: HTTPAuthorizationCredentials = Depends(security),
+    db: Session = Depends(get_db)
+) -> User:
+    credentials_exception = HTTPException(
+        status_code=status.HTTP_401_UNAUTHORIZED,
+        detail="Could not validate credentials",
+        headers={"WWW-Authenticate": "Bearer"},
+    )
+    
+    payload = verify_token(credentials.credentials)
+    if payload is None:
+        raise credentials_exception
+    
+    email: str = payload.get("sub")
+    if email is None:
+        raise credentials_exception
+    
+    user = db.query(User).filter(User.email == email).first()
+    if user is None:
+        raise credentials_exception
+    
+    return user
+
+def get_current_employee(
+    current_user: User = Depends(get_current_user),
+    db: Session = Depends(get_db)
+) -> Employee:
+    employee = db.query(Employee).filter(Employee.user_id == current_user.id).first()
+    if not employee:
+        raise HTTPException(
+            status_code=status.HTTP_404_NOT_FOUND,
+            detail="Employee profile not found"
+        )
+    return employee
+
+def require_role(required_roles: list):
+    def role_checker(current_user: User = Depends(get_current_user)):
+        if current_user.role not in required_roles:
+            raise HTTPException(
+                status_code=status.HTTP_403_FORBIDDEN,
+                detail="Not enough permissions"
+            )
+        return current_user
+    return role_checker

app/core/security.py

@@ -0,0 +1,34 @@
+import os
+from datetime import datetime, timedelta
+from typing import Any, Union
+from jose import jwt
+from passlib.context import CryptContext
+
+SECRET_KEY = os.getenv("SECRET_KEY", "your-secret-key-change-in-production")
+ALGORITHM = "HS256"
+ACCESS_TOKEN_EXPIRE_MINUTES = 30
+
+pwd_context = CryptContext(schemes=["bcrypt"], deprecated="auto")
+
+def create_access_token(subject: Union[str, Any], expires_delta: timedelta = None):
+    if expires_delta:
+        expire = datetime.utcnow() + expires_delta
+    else:
+        expire = datetime.utcnow() + timedelta(minutes=ACCESS_TOKEN_EXPIRE_MINUTES)
+    
+    to_encode = {"exp": expire, "sub": str(subject)}
+    encoded_jwt = jwt.encode(to_encode, SECRET_KEY, algorithm=ALGORITHM)
+    return encoded_jwt
+
+def verify_password(plain_password: str, hashed_password: str) -> bool:
+    return pwd_context.verify(plain_password, hashed_password)
+
+def get_password_hash(password: str) -> str:
+    return pwd_context.hash(password)
+
+def verify_token(token: str):
+    try:
+        payload = jwt.decode(token, SECRET_KEY, algorithms=[ALGORITHM])
+        return payload
+    except jwt.JWTError:
+        return None

app/db/base.py

@@ -0,0 +1,3 @@
+from sqlalchemy.ext.declarative import declarative_base
+
+Base = declarative_base()

app/db/session.py

@@ -0,0 +1,22 @@
+from sqlalchemy import create_engine
+from sqlalchemy.orm import sessionmaker
+from pathlib import Path
+
+DB_DIR = Path("/app") / "storage" / "db"
+DB_DIR.mkdir(parents=True, exist_ok=True)
+
+SQLALCHEMY_DATABASE_URL = f"sqlite:///{DB_DIR}/db.sqlite"
+
+engine = create_engine(
+    SQLALCHEMY_DATABASE_URL,
+    connect_args={"check_same_thread": False}
+)
+
+SessionLocal = sessionmaker(autocommit=False, autoflush=False, bind=engine)
+
+def get_db():
+    db = SessionLocal()
+    try:
+        yield db
+    finally:
+        db.close()

app/models/__init__.py

@@ -0,0 +1 @@
+from . import users as users, employees as employees, departments as departments, leaves as leaves, payroll as payroll, attendance as attendance

app/models/attendance.py

@@ -0,0 +1,28 @@
+from sqlalchemy import Column, Integer, String, DateTime, ForeignKey, Date, Time, Enum
+from sqlalchemy.sql import func
+from sqlalchemy.orm import relationship
+from app.db.base import Base
+import enum
+
+class AttendanceStatus(enum.Enum):
+    PRESENT = "present"
+    ABSENT = "absent"
+    LATE = "late"
+    HALF_DAY = "half_day"
+
+class AttendanceRecord(Base):
+    __tablename__ = "attendance_records"
+    
+    id = Column(Integer, primary_key=True, index=True)
+    employee_id = Column(Integer, ForeignKey("employees.id"), nullable=False)
+    date = Column(Date, nullable=False)
+    clock_in = Column(Time)
+    clock_out = Column(Time)
+    hours_worked = Column(String)
+    status = Column(Enum(AttendanceStatus), default=AttendanceStatus.PRESENT)
+    notes = Column(String)
+    created_at = Column(DateTime(timezone=True), server_default=func.now())
+    updated_at = Column(DateTime(timezone=True), onupdate=func.now())
+    
+    # Relationships
+    employee = relationship("Employee", back_populates="attendance_records")

app/models/departments.py

@@ -0,0 +1,18 @@
+from sqlalchemy import Column, Integer, String, DateTime, ForeignKey
+from sqlalchemy.sql import func
+from sqlalchemy.orm import relationship
+from app.db.base import Base
+
+class Department(Base):
+    __tablename__ = "departments"
+    
+    id = Column(Integer, primary_key=True, index=True)
+    name = Column(String, unique=True, index=True, nullable=False)
+    description = Column(String)
+    manager_id = Column(Integer, ForeignKey("employees.id"))
+    created_at = Column(DateTime(timezone=True), server_default=func.now())
+    updated_at = Column(DateTime(timezone=True), onupdate=func.now())
+    
+    # Relationships
+    manager = relationship("Employee", foreign_keys=[manager_id], back_populates="managed_departments")
+    employees = relationship("Employee", foreign_keys="Employee.department_id", back_populates="department")

app/models/employees.py

@@ -0,0 +1,36 @@
+from sqlalchemy import Column, Integer, String, DateTime, ForeignKey, Date, Numeric, Enum
+from sqlalchemy.sql import func
+from sqlalchemy.orm import relationship
+from app.db.base import Base
+import enum
+
+class EmploymentStatus(enum.Enum):
+    ACTIVE = "active"
+    INACTIVE = "inactive"
+    TERMINATED = "terminated"
+
+class Employee(Base):
+    __tablename__ = "employees"
+    
+    id = Column(Integer, primary_key=True, index=True)
+    user_id = Column(Integer, ForeignKey("users.id"), unique=True, nullable=False)
+    employee_id = Column(String, unique=True, index=True, nullable=False)
+    department_id = Column(Integer, ForeignKey("departments.id"))
+    position = Column(String, nullable=False)
+    salary = Column(Numeric(10, 2))
+    hire_date = Column(Date, nullable=False)
+    status = Column(Enum(EmploymentStatus), default=EmploymentStatus.ACTIVE)
+    phone = Column(String)
+    address = Column(String)
+    emergency_contact = Column(String)
+    emergency_phone = Column(String)
+    created_at = Column(DateTime(timezone=True), server_default=func.now())
+    updated_at = Column(DateTime(timezone=True), onupdate=func.now())
+    
+    # Relationships
+    user = relationship("User")
+    department = relationship("Department", foreign_keys=[department_id], back_populates="employees")
+    managed_departments = relationship("Department", foreign_keys="Department.manager_id", back_populates="manager")
+    leave_requests = relationship("LeaveRequest", back_populates="employee")
+    payroll_records = relationship("PayrollRecord", back_populates="employee")
+    attendance_records = relationship("AttendanceRecord", back_populates="employee")

app/models/leaves.py

@@ -0,0 +1,40 @@
+from sqlalchemy import Column, Integer, DateTime, ForeignKey, Date, Text, Enum
+from sqlalchemy.sql import func
+from sqlalchemy.orm import relationship
+from app.db.base import Base
+import enum
+
+class LeaveType(enum.Enum):
+    VACATION = "vacation"
+    SICK = "sick"
+    PERSONAL = "personal"
+    MATERNITY = "maternity"
+    PATERNITY = "paternity"
+    EMERGENCY = "emergency"
+
+class LeaveStatus(enum.Enum):
+    PENDING = "pending"
+    APPROVED = "approved"
+    REJECTED = "rejected"
+    CANCELLED = "cancelled"
+
+class LeaveRequest(Base):
+    __tablename__ = "leave_requests"
+    
+    id = Column(Integer, primary_key=True, index=True)
+    employee_id = Column(Integer, ForeignKey("employees.id"), nullable=False)
+    leave_type = Column(Enum(LeaveType), nullable=False)
+    start_date = Column(Date, nullable=False)
+    end_date = Column(Date, nullable=False)
+    days_requested = Column(Integer, nullable=False)
+    reason = Column(Text)
+    status = Column(Enum(LeaveStatus), default=LeaveStatus.PENDING)
+    approved_by = Column(Integer, ForeignKey("users.id"))
+    approved_at = Column(DateTime(timezone=True))
+    comments = Column(Text)
+    created_at = Column(DateTime(timezone=True), server_default=func.now())
+    updated_at = Column(DateTime(timezone=True), onupdate=func.now())
+    
+    # Relationships
+    employee = relationship("Employee", back_populates="leave_requests")
+    approver = relationship("User", foreign_keys=[approved_by])

app/models/payroll.py

@@ -0,0 +1,35 @@
+from sqlalchemy import Column, Integer, DateTime, ForeignKey, Date, Numeric, Enum
+from sqlalchemy.sql import func
+from sqlalchemy.orm import relationship
+from app.db.base import Base
+import enum
+
+class PayrollStatus(enum.Enum):
+    DRAFT = "draft"
+    PROCESSED = "processed"
+    PAID = "paid"
+
+class PayrollRecord(Base):
+    __tablename__ = "payroll_records"
+    
+    id = Column(Integer, primary_key=True, index=True)
+    employee_id = Column(Integer, ForeignKey("employees.id"), nullable=False)
+    pay_period_start = Column(Date, nullable=False)
+    pay_period_end = Column(Date, nullable=False)
+    base_salary = Column(Numeric(10, 2), nullable=False)
+    overtime_hours = Column(Numeric(5, 2), default=0)
+    overtime_rate = Column(Numeric(5, 2), default=0)
+    bonus = Column(Numeric(10, 2), default=0)
+    deductions = Column(Numeric(10, 2), default=0)
+    gross_pay = Column(Numeric(10, 2), nullable=False)
+    tax_deductions = Column(Numeric(10, 2), default=0)
+    net_pay = Column(Numeric(10, 2), nullable=False)
+    status = Column(Enum(PayrollStatus), default=PayrollStatus.DRAFT)
+    processed_by = Column(Integer, ForeignKey("users.id"))
+    processed_at = Column(DateTime(timezone=True))
+    created_at = Column(DateTime(timezone=True), server_default=func.now())
+    updated_at = Column(DateTime(timezone=True), onupdate=func.now())
+    
+    # Relationships
+    employee = relationship("Employee", back_populates="payroll_records")
+    processor = relationship("User", foreign_keys=[processed_by])

app/models/users.py

@@ -0,0 +1,22 @@
+from sqlalchemy import Column, Integer, String, Boolean, DateTime, Enum
+from sqlalchemy.sql import func
+from app.db.base import Base
+import enum
+
+class UserRole(enum.Enum):
+    ADMIN = "admin"
+    HR_MANAGER = "hr_manager"
+    MANAGER = "manager"
+    EMPLOYEE = "employee"
+
+class User(Base):
+    __tablename__ = "users"
+    
+    id = Column(Integer, primary_key=True, index=True)
+    email = Column(String, unique=True, index=True, nullable=False)
+    hashed_password = Column(String, nullable=False)
+    full_name = Column(String, nullable=False)
+    role = Column(Enum(UserRole), default=UserRole.EMPLOYEE)
+    is_active = Column(Boolean, default=True)
+    created_at = Column(DateTime(timezone=True), server_default=func.now())
+    updated_at = Column(DateTime(timezone=True), onupdate=func.now())

app/routers/attendance.py

@@ -0,0 +1,207 @@
+from fastapi import APIRouter, Depends, HTTPException, status
+from sqlalchemy.orm import Session
+from typing import List
+from datetime import datetime, time, date
+from app.db.session import get_db
+from app.schemas.attendance import AttendanceRecord, AttendanceRecordCreate, AttendanceRecordUpdate
+from app.models.attendance import AttendanceRecord as AttendanceRecordModel
+from app.models.users import User, UserRole
+from app.models.employees import Employee
+from app.core.deps import get_current_user, require_role
+
+router = APIRouter()
+
+def calculate_hours_worked(clock_in: time, clock_out: time) -> str:
+    """Calculate hours worked between clock in and clock out times"""
+    if not clock_in or not clock_out:
+        return "0:00"
+    
+    # Convert to datetime for calculation
+    today = date.today()
+    dt_in = datetime.combine(today, clock_in)
+    dt_out = datetime.combine(today, clock_out)
+    
+    # Handle overnight shifts
+    if dt_out < dt_in:
+        dt_out = dt_out.replace(day=today.day + 1)
+    
+    duration = dt_out - dt_in
+    hours = duration.seconds // 3600
+    minutes = (duration.seconds % 3600) // 60
+    
+    return f"{hours}:{minutes:02d}"
+
+@router.post("", response_model=AttendanceRecord)
+def create_attendance_record(
+    attendance: AttendanceRecordCreate,
+    db: Session = Depends(get_db),
+    current_user: User = Depends(get_current_user)
+):
+    # Employees can only create attendance records for themselves unless they're HR/Admin
+    if (current_user.role not in [UserRole.ADMIN, UserRole.HR_MANAGER]):
+        current_employee = db.query(Employee).filter(Employee.user_id == current_user.id).first()
+        if not current_employee or attendance.employee_id != current_employee.id:
+            raise HTTPException(
+                status_code=status.HTTP_403_FORBIDDEN,
+                detail="Can only create attendance records for yourself"
+            )
+    
+    # Check if attendance record already exists for this date
+    existing_record = db.query(AttendanceRecordModel).filter(
+        AttendanceRecordModel.employee_id == attendance.employee_id,
+        AttendanceRecordModel.date == attendance.date
+    ).first()
+    
+    if existing_record:
+        raise HTTPException(
+            status_code=status.HTTP_400_BAD_REQUEST,
+            detail="Attendance record already exists for this date"
+        )
+    
+    attendance_data = attendance.dict()
+    
+    # Calculate hours worked if both clock in and out are provided
+    if attendance.clock_in and attendance.clock_out:
+        attendance_data['hours_worked'] = calculate_hours_worked(attendance.clock_in, attendance.clock_out)
+    
+    db_attendance = AttendanceRecordModel(**attendance_data)
+    db.add(db_attendance)
+    db.commit()
+    db.refresh(db_attendance)
+    return db_attendance
+
+@router.get("", response_model=List[AttendanceRecord])
+def read_attendance_records(
+    skip: int = 0,
+    limit: int = 100,
+    employee_id: int = None,
+    start_date: date = None,
+    end_date: date = None,
+    db: Session = Depends(get_db),
+    current_user: User = Depends(get_current_user)
+):
+    query = db.query(AttendanceRecordModel)
+    
+    # Apply filters based on user role
+    if current_user.role in [UserRole.ADMIN, UserRole.HR_MANAGER]:
+        # HR and Admin can see all attendance records
+        if employee_id:
+            query = query.filter(AttendanceRecordModel.employee_id == employee_id)
+    else:
+        # Employees can only see their own attendance records
+        current_employee = db.query(Employee).filter(Employee.user_id == current_user.id).first()
+        if not current_employee:
+            raise HTTPException(status_code=404, detail="Employee profile not found")
+        query = query.filter(AttendanceRecordModel.employee_id == current_employee.id)
+    
+    # Apply date filters
+    if start_date:
+        query = query.filter(AttendanceRecordModel.date >= start_date)
+    if end_date:
+        query = query.filter(AttendanceRecordModel.date <= end_date)
+    
+    attendance_records = query.offset(skip).limit(limit).all()
+    return attendance_records
+
+@router.get("/{attendance_id}", response_model=AttendanceRecord)
+def read_attendance_record(
+    attendance_id: int,
+    db: Session = Depends(get_db),
+    current_user: User = Depends(get_current_user)
+):
+    attendance_record = db.query(AttendanceRecordModel).filter(AttendanceRecordModel.id == attendance_id).first()
+    if attendance_record is None:
+        raise HTTPException(status_code=404, detail="Attendance record not found")
+    
+    # Check permissions
+    if current_user.role not in [UserRole.ADMIN, UserRole.HR_MANAGER]:
+        current_employee = db.query(Employee).filter(Employee.user_id == current_user.id).first()
+        if not current_employee or attendance_record.employee_id != current_employee.id:
+            raise HTTPException(
+                status_code=status.HTTP_403_FORBIDDEN,
+                detail="Not enough permissions"
+            )
+    
+    return attendance_record
+
+@router.put("/{attendance_id}", response_model=AttendanceRecord)
+def update_attendance_record(
+    attendance_id: int,
+    attendance_update: AttendanceRecordUpdate,
+    db: Session = Depends(get_db),
+    current_user: User = Depends(get_current_user)
+):
+    attendance_record = db.query(AttendanceRecordModel).filter(AttendanceRecordModel.id == attendance_id).first()
+    if attendance_record is None:
+        raise HTTPException(status_code=404, detail="Attendance record not found")
+    
+    # Check permissions
+    if current_user.role not in [UserRole.ADMIN, UserRole.HR_MANAGER]:
+        current_employee = db.query(Employee).filter(Employee.user_id == current_user.id).first()
+        if not current_employee or attendance_record.employee_id != current_employee.id:
+            raise HTTPException(
+                status_code=status.HTTP_403_FORBIDDEN,
+                detail="Not enough permissions"
+            )
+    
+    update_data = attendance_update.dict(exclude_unset=True)
+    for field, value in update_data.items():
+        setattr(attendance_record, field, value)
+    
+    # Recalculate hours worked if times are updated
+    if attendance_record.clock_in and attendance_record.clock_out:
+        attendance_record.hours_worked = calculate_hours_worked(
+            attendance_record.clock_in, 
+            attendance_record.clock_out
+        )
+    
+    db.commit()
+    db.refresh(attendance_record)
+    return attendance_record
+
+@router.post("/{attendance_id}/clock-out")
+def clock_out(
+    attendance_id: int,
+    clock_out_time: time,
+    db: Session = Depends(get_db),
+    current_user: User = Depends(get_current_user)
+):
+    attendance_record = db.query(AttendanceRecordModel).filter(AttendanceRecordModel.id == attendance_id).first()
+    if attendance_record is None:
+        raise HTTPException(status_code=404, detail="Attendance record not found")
+    
+    # Check permissions
+    if current_user.role not in [UserRole.ADMIN, UserRole.HR_MANAGER]:
+        current_employee = db.query(Employee).filter(Employee.user_id == current_user.id).first()
+        if not current_employee or attendance_record.employee_id != current_employee.id:
+            raise HTTPException(
+                status_code=status.HTTP_403_FORBIDDEN,
+                detail="Not enough permissions"
+            )
+    
+    attendance_record.clock_out = clock_out_time
+    
+    # Calculate hours worked
+    if attendance_record.clock_in:
+        attendance_record.hours_worked = calculate_hours_worked(
+            attendance_record.clock_in, 
+            clock_out_time
+        )
+    
+    db.commit()
+    db.refresh(attendance_record)
+    return {"message": "Clocked out successfully", "attendance_record": attendance_record}
+
+@router.delete("/{attendance_id}")
+def delete_attendance_record(
+    attendance_id: int,
+    db: Session = Depends(get_db),
+    current_user: User = Depends(require_role([UserRole.ADMIN, UserRole.HR_MANAGER]))
+):
+    attendance_record = db.query(AttendanceRecordModel).filter(AttendanceRecordModel.id == attendance_id).first()
+    if attendance_record is None:
+        raise HTTPException(status_code=404, detail="Attendance record not found")
+    
+    db.delete(attendance_record)
+    db.commit()
+    return {"message": "Attendance record deleted successfully"}

app/routers/auth.py

@@ -0,0 +1,35 @@
+from fastapi import APIRouter, Depends, HTTPException, status
+from sqlalchemy.orm import Session
+from app.db.session import get_db
+from app.schemas.users import User, UserCreate, LoginRequest, Token
+from app.services.auth import authenticate_user, create_user, get_user_by_email
+from app.core.security import create_access_token
+from app.core.deps import get_current_user
+
+router = APIRouter()
+
+@router.post("/register", response_model=User)
+def register(user: UserCreate, db: Session = Depends(get_db)):
+    db_user = get_user_by_email(db, email=user.email)
+    if db_user:
+        raise HTTPException(
+            status_code=status.HTTP_400_BAD_REQUEST,
+            detail="Email already registered"
+        )
+    return create_user(db=db, user=user)
+
+@router.post("/login", response_model=Token)
+def login(login_data: LoginRequest, db: Session = Depends(get_db)):
+    user = authenticate_user(db, login_data.email, login_data.password)
+    if not user:
+        raise HTTPException(
+            status_code=status.HTTP_401_UNAUTHORIZED,
+            detail="Incorrect email or password",
+            headers={"WWW-Authenticate": "Bearer"},
+        )
+    access_token = create_access_token(subject=user.email)
+    return {"access_token": access_token, "token_type": "bearer"}
+
+@router.get("/me", response_model=User)
+def read_users_me(current_user: User = Depends(get_current_user)):
+    return current_user

app/routers/departments.py

@@ -0,0 +1,76 @@
+from fastapi import APIRouter, Depends, HTTPException
+from sqlalchemy.orm import Session
+from typing import List
+from app.db.session import get_db
+from app.schemas.departments import Department, DepartmentCreate, DepartmentUpdate
+from app.models.departments import Department as DepartmentModel
+from app.models.users import User, UserRole
+from app.core.deps import require_role
+
+router = APIRouter()
+
+@router.post("", response_model=Department)
+def create_department(
+    department: DepartmentCreate,
+    db: Session = Depends(get_db),
+    current_user: User = Depends(require_role([UserRole.ADMIN, UserRole.HR_MANAGER]))
+):
+    db_department = DepartmentModel(**department.dict())
+    db.add(db_department)
+    db.commit()
+    db.refresh(db_department)
+    return db_department
+
+@router.get("", response_model=List[Department])
+def read_departments(
+    skip: int = 0,
+    limit: int = 100,
+    db: Session = Depends(get_db),
+    current_user: User = Depends(require_role([UserRole.ADMIN, UserRole.HR_MANAGER, UserRole.MANAGER]))
+):
+    departments = db.query(DepartmentModel).offset(skip).limit(limit).all()
+    return departments
+
+@router.get("/{department_id}", response_model=Department)
+def read_department(
+    department_id: int,
+    db: Session = Depends(get_db),
+    current_user: User = Depends(require_role([UserRole.ADMIN, UserRole.HR_MANAGER, UserRole.MANAGER]))
+):
+    department = db.query(DepartmentModel).filter(DepartmentModel.id == department_id).first()
+    if department is None:
+        raise HTTPException(status_code=404, detail="Department not found")
+    return department
+
+@router.put("/{department_id}", response_model=Department)
+def update_department(
+    department_id: int,
+    department_update: DepartmentUpdate,
+    db: Session = Depends(get_db),
+    current_user: User = Depends(require_role([UserRole.ADMIN, UserRole.HR_MANAGER]))
+):
+    department = db.query(DepartmentModel).filter(DepartmentModel.id == department_id).first()
+    if department is None:
+        raise HTTPException(status_code=404, detail="Department not found")
+    
+    update_data = department_update.dict(exclude_unset=True)
+    for field, value in update_data.items():
+        setattr(department, field, value)
+    
+    db.commit()
+    db.refresh(department)
+    return department
+
+@router.delete("/{department_id}")
+def delete_department(
+    department_id: int,
+    db: Session = Depends(get_db),
+    current_user: User = Depends(require_role([UserRole.ADMIN]))
+):
+    department = db.query(DepartmentModel).filter(DepartmentModel.id == department_id).first()
+    if department is None:
+        raise HTTPException(status_code=404, detail="Department not found")
+    
+    db.delete(department)
+    db.commit()
+    return {"message": "Department deleted successfully"}

app/routers/employees.py

@@ -0,0 +1,93 @@
+from fastapi import APIRouter, Depends, HTTPException, status
+from sqlalchemy.orm import Session
+from typing import List
+from app.db.session import get_db
+from app.schemas.employees import Employee, EmployeeCreate, EmployeeUpdate
+from app.models.employees import Employee as EmployeeModel
+from app.models.users import User, UserRole
+from app.core.deps import get_current_user, require_role
+
+router = APIRouter()
+
+@router.post("", response_model=Employee)
+def create_employee(
+    employee: EmployeeCreate,
+    db: Session = Depends(get_db),
+    current_user: User = Depends(require_role([UserRole.ADMIN, UserRole.HR_MANAGER]))
+):
+    # Check if employee already exists for this user
+    existing_employee = db.query(EmployeeModel).filter(EmployeeModel.user_id == employee.user_id).first()
+    if existing_employee:
+        raise HTTPException(
+            status_code=status.HTTP_400_BAD_REQUEST,
+            detail="Employee profile already exists for this user"
+        )
+    
+    db_employee = EmployeeModel(**employee.dict())
+    db.add(db_employee)
+    db.commit()
+    db.refresh(db_employee)
+    return db_employee
+
+@router.get("", response_model=List[Employee])
+def read_employees(
+    skip: int = 0,
+    limit: int = 100,
+    db: Session = Depends(get_db),
+    current_user: User = Depends(require_role([UserRole.ADMIN, UserRole.HR_MANAGER, UserRole.MANAGER]))
+):
+    employees = db.query(EmployeeModel).offset(skip).limit(limit).all()
+    return employees
+
+@router.get("/{employee_id}", response_model=Employee)
+def read_employee(
+    employee_id: int,
+    db: Session = Depends(get_db),
+    current_user: User = Depends(get_current_user)
+):
+    employee = db.query(EmployeeModel).filter(EmployeeModel.id == employee_id).first()
+    if employee is None:
+        raise HTTPException(status_code=404, detail="Employee not found")
+    
+    # Allow access if user is HR/Admin or viewing their own profile
+    if (current_user.role not in [UserRole.ADMIN, UserRole.HR_MANAGER] and 
+        employee.user_id != current_user.id):
+        raise HTTPException(
+            status_code=status.HTTP_403_FORBIDDEN,
+            detail="Not enough permissions"
+        )
+    
+    return employee
+
+@router.put("/{employee_id}", response_model=Employee)
+def update_employee(
+    employee_id: int,
+    employee_update: EmployeeUpdate,
+    db: Session = Depends(get_db),
+    current_user: User = Depends(require_role([UserRole.ADMIN, UserRole.HR_MANAGER]))
+):
+    employee = db.query(EmployeeModel).filter(EmployeeModel.id == employee_id).first()
+    if employee is None:
+        raise HTTPException(status_code=404, detail="Employee not found")
+    
+    update_data = employee_update.dict(exclude_unset=True)
+    for field, value in update_data.items():
+        setattr(employee, field, value)
+    
+    db.commit()
+    db.refresh(employee)
+    return employee
+
+@router.delete("/{employee_id}")
+def delete_employee(
+    employee_id: int,
+    db: Session = Depends(get_db),
+    current_user: User = Depends(require_role([UserRole.ADMIN]))
+):
+    employee = db.query(EmployeeModel).filter(EmployeeModel.id == employee_id).first()
+    if employee is None:
+        raise HTTPException(status_code=404, detail="Employee not found")
+    
+    db.delete(employee)
+    db.commit()
+    return {"message": "Employee deleted successfully"}

app/routers/leaves.py

@@ -0,0 +1,152 @@
+from fastapi import APIRouter, Depends, HTTPException, status
+from sqlalchemy.orm import Session
+from typing import List
+from datetime import datetime
+from app.db.session import get_db
+from app.schemas.leaves import LeaveRequest, LeaveRequestCreate, LeaveRequestUpdate, LeaveRequestApproval
+from app.models.leaves import LeaveRequest as LeaveRequestModel, LeaveStatus
+from app.models.users import User, UserRole
+from app.models.employees import Employee
+from app.core.deps import get_current_user, require_role
+
+router = APIRouter()
+
+@router.post("", response_model=LeaveRequest)
+def create_leave_request(
+    leave_request: LeaveRequestCreate,
+    db: Session = Depends(get_db),
+    current_user: User = Depends(get_current_user)
+):
+    # Employees can only create leave requests for themselves unless they're HR/Admin
+    if (current_user.role not in [UserRole.ADMIN, UserRole.HR_MANAGER]):
+        current_employee = db.query(Employee).filter(Employee.user_id == current_user.id).first()
+        if not current_employee or leave_request.employee_id != current_employee.id:
+            raise HTTPException(
+                status_code=status.HTTP_403_FORBIDDEN,
+                detail="Can only create leave requests for yourself"
+            )
+    
+    db_leave_request = LeaveRequestModel(**leave_request.dict())
+    db.add(db_leave_request)
+    db.commit()
+    db.refresh(db_leave_request)
+    return db_leave_request
+
+@router.get("", response_model=List[LeaveRequest])
+def read_leave_requests(
+    skip: int = 0,
+    limit: int = 100,
+    db: Session = Depends(get_db),
+    current_user: User = Depends(get_current_user)
+):
+    if current_user.role in [UserRole.ADMIN, UserRole.HR_MANAGER]:
+        # HR and Admin can see all leave requests
+        leave_requests = db.query(LeaveRequestModel).offset(skip).limit(limit).all()
+    else:
+        # Employees can only see their own leave requests
+        current_employee = db.query(Employee).filter(Employee.user_id == current_user.id).first()
+        if not current_employee:
+            raise HTTPException(status_code=404, detail="Employee profile not found")
+        leave_requests = db.query(LeaveRequestModel).filter(
+            LeaveRequestModel.employee_id == current_employee.id
+        ).offset(skip).limit(limit).all()
+    
+    return leave_requests
+
+@router.get("/{leave_request_id}", response_model=LeaveRequest)
+def read_leave_request(
+    leave_request_id: int,
+    db: Session = Depends(get_db),
+    current_user: User = Depends(get_current_user)
+):
+    leave_request = db.query(LeaveRequestModel).filter(LeaveRequestModel.id == leave_request_id).first()
+    if leave_request is None:
+        raise HTTPException(status_code=404, detail="Leave request not found")
+    
+    # Check permissions
+    if current_user.role not in [UserRole.ADMIN, UserRole.HR_MANAGER]:
+        current_employee = db.query(Employee).filter(Employee.user_id == current_user.id).first()
+        if not current_employee or leave_request.employee_id != current_employee.id:
+            raise HTTPException(
+                status_code=status.HTTP_403_FORBIDDEN,
+                detail="Not enough permissions"
+            )
+    
+    return leave_request
+
+@router.put("/{leave_request_id}/approve", response_model=LeaveRequest)
+def approve_leave_request(
+    leave_request_id: int,
+    approval: LeaveRequestApproval,
+    db: Session = Depends(get_db),
+    current_user: User = Depends(require_role([UserRole.ADMIN, UserRole.HR_MANAGER, UserRole.MANAGER]))
+):
+    leave_request = db.query(LeaveRequestModel).filter(LeaveRequestModel.id == leave_request_id).first()
+    if leave_request is None:
+        raise HTTPException(status_code=404, detail="Leave request not found")
+    
+    leave_request.status = approval.status
+    leave_request.comments = approval.comments
+    leave_request.approved_by = current_user.id
+    leave_request.approved_at = datetime.utcnow()
+    
+    db.commit()
+    db.refresh(leave_request)
+    return leave_request
+
+@router.put("/{leave_request_id}", response_model=LeaveRequest)
+def update_leave_request(
+    leave_request_id: int,
+    leave_request_update: LeaveRequestUpdate,
+    db: Session = Depends(get_db),
+    current_user: User = Depends(get_current_user)
+):
+    leave_request = db.query(LeaveRequestModel).filter(LeaveRequestModel.id == leave_request_id).first()
+    if leave_request is None:
+        raise HTTPException(status_code=404, detail="Leave request not found")
+    
+    # Only allow updates if pending and user owns the request or is HR/Admin
+    if leave_request.status != LeaveStatus.PENDING:
+        raise HTTPException(
+            status_code=status.HTTP_400_BAD_REQUEST,
+            detail="Can only update pending leave requests"
+        )
+    
+    if current_user.role not in [UserRole.ADMIN, UserRole.HR_MANAGER]:
+        current_employee = db.query(Employee).filter(Employee.user_id == current_user.id).first()
+        if not current_employee or leave_request.employee_id != current_employee.id:
+            raise HTTPException(
+                status_code=status.HTTP_403_FORBIDDEN,
+                detail="Not enough permissions"
+            )
+    
+    update_data = leave_request_update.dict(exclude_unset=True)
+    for field, value in update_data.items():
+        setattr(leave_request, field, value)
+    
+    db.commit()
+    db.refresh(leave_request)
+    return leave_request
+
+@router.delete("/{leave_request_id}")
+def delete_leave_request(
+    leave_request_id: int,
+    db: Session = Depends(get_db),
+    current_user: User = Depends(get_current_user)
+):
+    leave_request = db.query(LeaveRequestModel).filter(LeaveRequestModel.id == leave_request_id).first()
+    if leave_request is None:
+        raise HTTPException(status_code=404, detail="Leave request not found")
+    
+    # Check permissions
+    if current_user.role not in [UserRole.ADMIN, UserRole.HR_MANAGER]:
+        current_employee = db.query(Employee).filter(Employee.user_id == current_user.id).first()
+        if not current_employee or leave_request.employee_id != current_employee.id:
+            raise HTTPException(
+                status_code=status.HTTP_403_FORBIDDEN,
+                detail="Not enough permissions"
+            )
+    
+    db.delete(leave_request)
+    db.commit()
+    return {"message": "Leave request deleted successfully"}

app/routers/payroll.py

@@ -0,0 +1,168 @@
+from fastapi import APIRouter, Depends, HTTPException, status
+from sqlalchemy.orm import Session
+from typing import List
+from datetime import datetime
+from decimal import Decimal
+from app.db.session import get_db
+from app.schemas.payroll import PayrollRecord, PayrollRecordCreate, PayrollRecordUpdate
+from app.models.payroll import PayrollRecord as PayrollRecordModel, PayrollStatus
+from app.models.users import User, UserRole
+from app.models.employees import Employee
+from app.core.deps import get_current_user, require_role
+
+router = APIRouter()
+
+def calculate_payroll(payroll_data: dict) -> dict:
+    """Calculate gross pay and net pay"""
+    base_salary = payroll_data.get('base_salary', Decimal('0'))
+    overtime_hours = payroll_data.get('overtime_hours', Decimal('0'))
+    overtime_rate = payroll_data.get('overtime_rate', Decimal('0'))
+    bonus = payroll_data.get('bonus', Decimal('0'))
+    deductions = payroll_data.get('deductions', Decimal('0'))
+    tax_deductions = payroll_data.get('tax_deductions', Decimal('0'))
+    
+    overtime_pay = overtime_hours * overtime_rate
+    gross_pay = base_salary + overtime_pay + bonus
+    net_pay = gross_pay - deductions - tax_deductions
+    
+    return {
+        'gross_pay': gross_pay,
+        'net_pay': net_pay
+    }
+
+@router.post("", response_model=PayrollRecord)
+def create_payroll_record(
+    payroll: PayrollRecordCreate,
+    db: Session = Depends(get_db),
+    current_user: User = Depends(require_role([UserRole.ADMIN, UserRole.HR_MANAGER]))
+):
+    payroll_data = payroll.dict()
+    calculated_values = calculate_payroll(payroll_data)
+    
+    db_payroll = PayrollRecordModel(
+        **payroll_data,
+        **calculated_values
+    )
+    db.add(db_payroll)
+    db.commit()
+    db.refresh(db_payroll)
+    return db_payroll
+
+@router.get("", response_model=List[PayrollRecord])
+def read_payroll_records(
+    skip: int = 0,
+    limit: int = 100,
+    db: Session = Depends(get_db),
+    current_user: User = Depends(get_current_user)
+):
+    if current_user.role in [UserRole.ADMIN, UserRole.HR_MANAGER]:
+        # HR and Admin can see all payroll records
+        payroll_records = db.query(PayrollRecordModel).offset(skip).limit(limit).all()
+    else:
+        # Employees can only see their own payroll records
+        current_employee = db.query(Employee).filter(Employee.user_id == current_user.id).first()
+        if not current_employee:
+            raise HTTPException(status_code=404, detail="Employee profile not found")
+        payroll_records = db.query(PayrollRecordModel).filter(
+            PayrollRecordModel.employee_id == current_employee.id
+        ).offset(skip).limit(limit).all()
+    
+    return payroll_records
+
+@router.get("/{payroll_id}", response_model=PayrollRecord)
+def read_payroll_record(
+    payroll_id: int,
+    db: Session = Depends(get_db),
+    current_user: User = Depends(get_current_user)
+):
+    payroll_record = db.query(PayrollRecordModel).filter(PayrollRecordModel.id == payroll_id).first()
+    if payroll_record is None:
+        raise HTTPException(status_code=404, detail="Payroll record not found")
+    
+    # Check permissions
+    if current_user.role not in [UserRole.ADMIN, UserRole.HR_MANAGER]:
+        current_employee = db.query(Employee).filter(Employee.user_id == current_user.id).first()
+        if not current_employee or payroll_record.employee_id != current_employee.id:
+            raise HTTPException(
+                status_code=status.HTTP_403_FORBIDDEN,
+                detail="Not enough permissions"
+            )
+    
+    return payroll_record
+
+@router.put("/{payroll_id}", response_model=PayrollRecord)
+def update_payroll_record(
+    payroll_id: int,
+    payroll_update: PayrollRecordUpdate,
+    db: Session = Depends(get_db),
+    current_user: User = Depends(require_role([UserRole.ADMIN, UserRole.HR_MANAGER]))
+):
+    payroll_record = db.query(PayrollRecordModel).filter(PayrollRecordModel.id == payroll_id).first()
+    if payroll_record is None:
+        raise HTTPException(status_code=404, detail="Payroll record not found")
+    
+    # Can only update draft records
+    if payroll_record.status != PayrollStatus.DRAFT:
+        raise HTTPException(
+            status_code=status.HTTP_400_BAD_REQUEST,
+            detail="Can only update draft payroll records"
+        )
+    
+    update_data = payroll_update.dict(exclude_unset=True)
+    for field, value in update_data.items():
+        setattr(payroll_record, field, value)
+    
+    # Recalculate totals
+    payroll_data = {
+        'base_salary': payroll_record.base_salary,
+        'overtime_hours': payroll_record.overtime_hours,
+        'overtime_rate': payroll_record.overtime_rate,
+        'bonus': payroll_record.bonus,
+        'deductions': payroll_record.deductions,
+        'tax_deductions': payroll_record.tax_deductions
+    }
+    calculated_values = calculate_payroll(payroll_data)
+    payroll_record.gross_pay = calculated_values['gross_pay']
+    payroll_record.net_pay = calculated_values['net_pay']
+    
+    db.commit()
+    db.refresh(payroll_record)
+    return payroll_record
+
+@router.post("/{payroll_id}/process")
+def process_payroll_record(
+    payroll_id: int,
+    db: Session = Depends(get_db),
+    current_user: User = Depends(require_role([UserRole.ADMIN, UserRole.HR_MANAGER]))
+):
+    payroll_record = db.query(PayrollRecordModel).filter(PayrollRecordModel.id == payroll_id).first()
+    if payroll_record is None:
+        raise HTTPException(status_code=404, detail="Payroll record not found")
+    
+    if payroll_record.status != PayrollStatus.DRAFT:
+        raise HTTPException(
+            status_code=status.HTTP_400_BAD_REQUEST,
+            detail="Can only process draft payroll records"
+        )
+    
+    payroll_record.status = PayrollStatus.PROCESSED
+    payroll_record.processed_by = current_user.id
+    payroll_record.processed_at = datetime.utcnow()
+    
+    db.commit()
+    db.refresh(payroll_record)
+    return {"message": "Payroll record processed successfully"}
+
+@router.delete("/{payroll_id}")
+def delete_payroll_record(
+    payroll_id: int,
+    db: Session = Depends(get_db),
+    current_user: User = Depends(require_role([UserRole.ADMIN]))
+):
+    payroll_record = db.query(PayrollRecordModel).filter(PayrollRecordModel.id == payroll_id).first()
+    if payroll_record is None:
+        raise HTTPException(status_code=404, detail="Payroll record not found")
+    
+    db.delete(payroll_record)
+    db.commit()
+    return {"message": "Payroll record deleted successfully"}

app/schemas/attendance.py

@@ -0,0 +1,30 @@
+from pydantic import BaseModel
+from typing import Optional
+from datetime import datetime, date, time
+from app.models.attendance import AttendanceStatus
+
+class AttendanceRecordBase(BaseModel):
+    employee_id: int
+    date: date
+    clock_in: Optional[time] = None
+    clock_out: Optional[time] = None
+    status: AttendanceStatus = AttendanceStatus.PRESENT
+    notes: Optional[str] = None
+
+class AttendanceRecordCreate(AttendanceRecordBase):
+    pass
+
+class AttendanceRecordUpdate(BaseModel):
+    clock_in: Optional[time] = None
+    clock_out: Optional[time] = None
+    status: Optional[AttendanceStatus] = None
+    notes: Optional[str] = None
+
+class AttendanceRecord(AttendanceRecordBase):
+    id: int
+    hours_worked: Optional[str] = None
+    created_at: datetime
+    updated_at: Optional[datetime] = None
+    
+    class Config:
+        from_attributes = True

app/schemas/departments.py

@@ -0,0 +1,24 @@
+from pydantic import BaseModel
+from typing import Optional
+from datetime import datetime
+
+class DepartmentBase(BaseModel):
+    name: str
+    description: Optional[str] = None
+    manager_id: Optional[int] = None
+
+class DepartmentCreate(DepartmentBase):
+    pass
+
+class DepartmentUpdate(BaseModel):
+    name: Optional[str] = None
+    description: Optional[str] = None
+    manager_id: Optional[int] = None
+
+class Department(DepartmentBase):
+    id: int
+    created_at: datetime
+    updated_at: Optional[datetime] = None
+    
+    class Config:
+        from_attributes = True

app/schemas/employees.py

@@ -0,0 +1,39 @@
+from pydantic import BaseModel
+from typing import Optional
+from datetime import datetime, date
+from decimal import Decimal
+from app.models.employees import EmploymentStatus
+
+class EmployeeBase(BaseModel):
+    employee_id: str
+    department_id: Optional[int] = None
+    position: str
+    salary: Optional[Decimal] = None
+    hire_date: date
+    phone: Optional[str] = None
+    address: Optional[str] = None
+    emergency_contact: Optional[str] = None
+    emergency_phone: Optional[str] = None
+
+class EmployeeCreate(EmployeeBase):
+    user_id: int
+
+class EmployeeUpdate(BaseModel):
+    department_id: Optional[int] = None
+    position: Optional[str] = None
+    salary: Optional[Decimal] = None
+    status: Optional[EmploymentStatus] = None
+    phone: Optional[str] = None
+    address: Optional[str] = None
+    emergency_contact: Optional[str] = None
+    emergency_phone: Optional[str] = None
+
+class Employee(EmployeeBase):
+    id: int
+    user_id: int
+    status: EmploymentStatus
+    created_at: datetime
+    updated_at: Optional[datetime] = None
+    
+    class Config:
+        from_attributes = True

app/schemas/leaves.py

@@ -0,0 +1,38 @@
+from pydantic import BaseModel
+from typing import Optional
+from datetime import datetime, date
+from app.models.leaves import LeaveType, LeaveStatus
+
+class LeaveRequestBase(BaseModel):
+    leave_type: LeaveType
+    start_date: date
+    end_date: date
+    days_requested: int
+    reason: Optional[str] = None
+
+class LeaveRequestCreate(LeaveRequestBase):
+    employee_id: int
+
+class LeaveRequestUpdate(BaseModel):
+    leave_type: Optional[LeaveType] = None
+    start_date: Optional[date] = None
+    end_date: Optional[date] = None
+    days_requested: Optional[int] = None
+    reason: Optional[str] = None
+
+class LeaveRequestApproval(BaseModel):
+    status: LeaveStatus
+    comments: Optional[str] = None
+
+class LeaveRequest(LeaveRequestBase):
+    id: int
+    employee_id: int
+    status: LeaveStatus
+    approved_by: Optional[int] = None
+    approved_at: Optional[datetime] = None
+    comments: Optional[str] = None
+    created_at: datetime
+    updated_at: Optional[datetime] = None
+    
+    class Config:
+        from_attributes = True

app/schemas/payroll.py

@@ -0,0 +1,39 @@
+from pydantic import BaseModel
+from typing import Optional
+from datetime import datetime, date
+from decimal import Decimal
+from app.models.payroll import PayrollStatus
+
+class PayrollRecordBase(BaseModel):
+    employee_id: int
+    pay_period_start: date
+    pay_period_end: date
+    base_salary: Decimal
+    overtime_hours: Optional[Decimal] = Decimal('0')
+    overtime_rate: Optional[Decimal] = Decimal('0')
+    bonus: Optional[Decimal] = Decimal('0')
+    deductions: Optional[Decimal] = Decimal('0')
+    tax_deductions: Optional[Decimal] = Decimal('0')
+
+class PayrollRecordCreate(PayrollRecordBase):
+    pass
+
+class PayrollRecordUpdate(BaseModel):
+    overtime_hours: Optional[Decimal] = None
+    overtime_rate: Optional[Decimal] = None
+    bonus: Optional[Decimal] = None
+    deductions: Optional[Decimal] = None
+    tax_deductions: Optional[Decimal] = None
+
+class PayrollRecord(PayrollRecordBase):
+    id: int
+    gross_pay: Decimal
+    net_pay: Decimal
+    status: PayrollStatus
+    processed_by: Optional[int] = None
+    processed_at: Optional[datetime] = None
+    created_at: datetime
+    updated_at: Optional[datetime] = None
+    
+    class Config:
+        from_attributes = True

app/schemas/users.py

@@ -0,0 +1,38 @@
+from pydantic import BaseModel, EmailStr
+from typing import Optional
+from datetime import datetime
+from app.models.users import UserRole
+
+class UserBase(BaseModel):
+    email: EmailStr
+    full_name: str
+    role: UserRole = UserRole.EMPLOYEE
+
+class UserCreate(UserBase):
+    password: str
+
+class UserUpdate(BaseModel):
+    email: Optional[EmailStr] = None
+    full_name: Optional[str] = None
+    role: Optional[UserRole] = None
+    is_active: Optional[bool] = None
+
+class User(UserBase):
+    id: int
+    is_active: bool
+    created_at: datetime
+    updated_at: Optional[datetime] = None
+    
+    class Config:
+        from_attributes = True
+
+class Token(BaseModel):
+    access_token: str
+    token_type: str
+
+class TokenData(BaseModel):
+    email: Optional[str] = None
+
+class LoginRequest(BaseModel):
+    email: EmailStr
+    password: str

app/services/auth.py

@@ -0,0 +1,28 @@
+from sqlalchemy.orm import Session
+from app.models.users import User
+from app.schemas.users import UserCreate
+from app.core.security import get_password_hash, verify_password
+
+def get_user_by_email(db: Session, email: str):
+    return db.query(User).filter(User.email == email).first()
+
+def create_user(db: Session, user: UserCreate):
+    hashed_password = get_password_hash(user.password)
+    db_user = User(
+        email=user.email,
+        hashed_password=hashed_password,
+        full_name=user.full_name,
+        role=user.role
+    )
+    db.add(db_user)
+    db.commit()
+    db.refresh(db_user)
+    return db_user
+
+def authenticate_user(db: Session, email: str, password: str):
+    user = get_user_by_email(db, email)
+    if not user:
+        return False
+    if not verify_password(password, user.hashed_password):
+        return False
+    return user

main.py

@@ -0,0 +1,45 @@
+from fastapi import FastAPI
+from fastapi.middleware.cors import CORSMiddleware
+from app.routers import auth, employees, departments, leaves, payroll, attendance
+from app.db.session import engine
+from app.db.base import Base
+
+# Create database tables
+Base.metadata.create_all(bind=engine)
+
+app = FastAPI(
+    title="HR Management System",
+    description="A comprehensive HR management backend system",
+    version="1.0.0",
+    openapi_url="/openapi.json"
+)
+
+# CORS configuration
+app.add_middleware(
+    CORSMiddleware,
+    allow_origins=["*"],
+    allow_credentials=True,
+    allow_methods=["*"],
+    allow_headers=["*"],
+)
+
+# Include routers
+app.include_router(auth.router, prefix="/auth", tags=["Authentication"])
+app.include_router(employees.router, prefix="/employees", tags=["Employees"])
+app.include_router(departments.router, prefix="/departments", tags=["Departments"])
+app.include_router(leaves.router, prefix="/leaves", tags=["Leave Management"])
+app.include_router(payroll.router, prefix="/payroll", tags=["Payroll"])
+app.include_router(attendance.router, prefix="/attendance", tags=["Attendance"])
+
+@app.get("/")
+async def root():
+    return {
+        "title": "HR Management System",
+        "description": "A comprehensive HR management backend system",
+        "documentation": "/docs",
+        "health_check": "/health"
+    }
+
+@app.get("/health")
+async def health_check():
+    return {"status": "healthy", "service": "HR Management Backend"}

migrations/env.py

@@ -0,0 +1,81 @@
+from logging.config import fileConfig
+from sqlalchemy import engine_from_config
+from sqlalchemy import pool
+from alembic import context
+
+# Add the project root to the Python path
+import sys
+from pathlib import Path
+sys.path.append(str(Path(__file__).parent.parent))
+
+from app.db.base import Base
+
+# this is the Alembic Config object, which provides
+# access to the values within the .ini file in use.
+config = context.config
+
+# Interpret the config file for Python logging.
+# This line sets up loggers basically.
+if config.config_file_name is not None:
+    fileConfig(config.config_file_name)
+
+# add your model's MetaData object here
+# for 'autogenerate' support
+target_metadata = Base.metadata
+
+# other values from the config, defined by the needs of env.py,
+# can be acquired:
+# my_important_option = config.get_main_option("my_important_option")
+# ... etc.
+
+
+def run_migrations_offline() -> None:
+    """Run migrations in 'offline' mode.
+
+    This configures the context with just a URL
+    and not an Engine, though an Engine is acceptable
+    here as well.  By skipping the Engine creation
+    we don't even need a DBAPI to be available.
+
+    Calls to context.execute() here emit the given string to the
+    script output.
+
+    """
+    url = config.get_main_option("sqlalchemy.url")
+    context.configure(
+        url=url,
+        target_metadata=target_metadata,
+        literal_binds=True,
+        dialect_opts={"paramstyle": "named"},
+    )
+
+    with context.begin_transaction():
+        context.run_migrations()
+
+
+def run_migrations_online() -> None:
+    """Run migrations in 'online' mode.
+
+    In this scenario we need to create an Engine
+    and associate a connection with the context.
+
+    """
+    connectable = engine_from_config(
+        config.get_section(config.config_ini_section),
+        prefix="sqlalchemy.",
+        poolclass=pool.NullPool,
+    )
+
+    with connectable.connect() as connection:
+        context.configure(
+            connection=connection, target_metadata=target_metadata
+        )
+
+        with context.begin_transaction():
+            context.run_migrations()
+
+
+if context.is_offline_mode():
+    run_migrations_offline()
+else:
+    run_migrations_online()

migrations/script.py.mako

@@ -0,0 +1,24 @@
+"""${message}
+
+Revision ID: ${up_revision}
+Revises: ${down_revision | comma,n}
+Create Date: ${create_date}
+
+"""
+from alembic import op
+import sqlalchemy as sa
+${imports if imports else ""}
+
+# revision identifiers, used by Alembic.
+revision = ${repr(up_revision)}
+down_revision = ${repr(down_revision)}
+branch_labels = ${repr(branch_labels)}
+depends_on = ${repr(depends_on)}
+
+
+def upgrade() -> None:
+    ${upgrades if upgrades else "pass"}
+
+
+def downgrade() -> None:
+    ${downgrades if downgrades else "pass"}

migrations/versions/001_initial_migration.py

@@ -0,0 +1,152 @@
+"""Initial migration
+
+Revision ID: 001
+Revises: 
+Create Date: 2023-12-01 00:00:00.000000
+
+"""
+from alembic import op
+import sqlalchemy as sa
+
+# revision identifiers, used by Alembic.
+revision = '001'
+down_revision = None
+branch_labels = None
+depends_on = None
+
+
+def upgrade() -> None:
+    # Create users table
+    op.create_table('users',
+        sa.Column('id', sa.Integer(), nullable=False),
+        sa.Column('email', sa.String(), nullable=False),
+        sa.Column('hashed_password', sa.String(), nullable=False),
+        sa.Column('full_name', sa.String(), nullable=False),
+        sa.Column('role', sa.Enum('ADMIN', 'HR_MANAGER', 'MANAGER', 'EMPLOYEE', name='userrole'), nullable=True),
+        sa.Column('is_active', sa.Boolean(), nullable=True),
+        sa.Column('created_at', sa.DateTime(timezone=True), server_default=sa.text('(CURRENT_TIMESTAMP)'), nullable=True),
+        sa.Column('updated_at', sa.DateTime(timezone=True), nullable=True),
+        sa.PrimaryKeyConstraint('id')
+    )
+    op.create_index(op.f('ix_users_email'), 'users', ['email'], unique=True)
+    op.create_index(op.f('ix_users_id'), 'users', ['id'], unique=False)
+
+    # Create departments table
+    op.create_table('departments',
+        sa.Column('id', sa.Integer(), nullable=False),
+        sa.Column('name', sa.String(), nullable=False),
+        sa.Column('description', sa.String(), nullable=True),
+        sa.Column('manager_id', sa.Integer(), nullable=True),
+        sa.Column('created_at', sa.DateTime(timezone=True), server_default=sa.text('(CURRENT_TIMESTAMP)'), nullable=True),
+        sa.Column('updated_at', sa.DateTime(timezone=True), nullable=True),
+        sa.PrimaryKeyConstraint('id')
+    )
+    op.create_index(op.f('ix_departments_id'), 'departments', ['id'], unique=False)
+    op.create_index(op.f('ix_departments_name'), 'departments', ['name'], unique=True)
+
+    # Create employees table
+    op.create_table('employees',
+        sa.Column('id', sa.Integer(), nullable=False),
+        sa.Column('user_id', sa.Integer(), nullable=False),
+        sa.Column('employee_id', sa.String(), nullable=False),
+        sa.Column('department_id', sa.Integer(), nullable=True),
+        sa.Column('position', sa.String(), nullable=False),
+        sa.Column('salary', sa.Numeric(precision=10, scale=2), nullable=True),
+        sa.Column('hire_date', sa.Date(), nullable=False),
+        sa.Column('status', sa.Enum('ACTIVE', 'INACTIVE', 'TERMINATED', name='employmentstatus'), nullable=True),
+        sa.Column('phone', sa.String(), nullable=True),
+        sa.Column('address', sa.String(), nullable=True),
+        sa.Column('emergency_contact', sa.String(), nullable=True),
+        sa.Column('emergency_phone', sa.String(), nullable=True),
+        sa.Column('created_at', sa.DateTime(timezone=True), server_default=sa.text('(CURRENT_TIMESTAMP)'), nullable=True),
+        sa.Column('updated_at', sa.DateTime(timezone=True), nullable=True),
+        sa.ForeignKeyConstraint(['department_id'], ['departments.id'], ),
+        sa.ForeignKeyConstraint(['user_id'], ['users.id'], ),
+        sa.PrimaryKeyConstraint('id')
+    )
+    op.create_index(op.f('ix_employees_employee_id'), 'employees', ['employee_id'], unique=True)
+    op.create_index(op.f('ix_employees_id'), 'employees', ['id'], unique=False)
+
+    # Add foreign key for department manager
+    op.create_foreign_key(None, 'departments', 'employees', ['manager_id'], ['id'])
+
+    # Create leave_requests table
+    op.create_table('leave_requests',
+        sa.Column('id', sa.Integer(), nullable=False),
+        sa.Column('employee_id', sa.Integer(), nullable=False),
+        sa.Column('leave_type', sa.Enum('VACATION', 'SICK', 'PERSONAL', 'MATERNITY', 'PATERNITY', 'EMERGENCY', name='leavetype'), nullable=False),
+        sa.Column('start_date', sa.Date(), nullable=False),
+        sa.Column('end_date', sa.Date(), nullable=False),
+        sa.Column('days_requested', sa.Integer(), nullable=False),
+        sa.Column('reason', sa.Text(), nullable=True),
+        sa.Column('status', sa.Enum('PENDING', 'APPROVED', 'REJECTED', 'CANCELLED', name='leavestatus'), nullable=True),
+        sa.Column('approved_by', sa.Integer(), nullable=True),
+        sa.Column('approved_at', sa.DateTime(timezone=True), nullable=True),
+        sa.Column('comments', sa.Text(), nullable=True),
+        sa.Column('created_at', sa.DateTime(timezone=True), server_default=sa.text('(CURRENT_TIMESTAMP)'), nullable=True),
+        sa.Column('updated_at', sa.DateTime(timezone=True), nullable=True),
+        sa.ForeignKeyConstraint(['approved_by'], ['users.id'], ),
+        sa.ForeignKeyConstraint(['employee_id'], ['employees.id'], ),
+        sa.PrimaryKeyConstraint('id')
+    )
+    op.create_index(op.f('ix_leave_requests_id'), 'leave_requests', ['id'], unique=False)
+
+    # Create payroll_records table
+    op.create_table('payroll_records',
+        sa.Column('id', sa.Integer(), nullable=False),
+        sa.Column('employee_id', sa.Integer(), nullable=False),
+        sa.Column('pay_period_start', sa.Date(), nullable=False),
+        sa.Column('pay_period_end', sa.Date(), nullable=False),
+        sa.Column('base_salary', sa.Numeric(precision=10, scale=2), nullable=False),
+        sa.Column('overtime_hours', sa.Numeric(precision=5, scale=2), nullable=True),
+        sa.Column('overtime_rate', sa.Numeric(precision=5, scale=2), nullable=True),
+        sa.Column('bonus', sa.Numeric(precision=10, scale=2), nullable=True),
+        sa.Column('deductions', sa.Numeric(precision=10, scale=2), nullable=True),
+        sa.Column('gross_pay', sa.Numeric(precision=10, scale=2), nullable=False),
+        sa.Column('tax_deductions', sa.Numeric(precision=10, scale=2), nullable=True),
+        sa.Column('net_pay', sa.Numeric(precision=10, scale=2), nullable=False),
+        sa.Column('status', sa.Enum('DRAFT', 'PROCESSED', 'PAID', name='payrollstatus'), nullable=True),
+        sa.Column('processed_by', sa.Integer(), nullable=True),
+        sa.Column('processed_at', sa.DateTime(timezone=True), nullable=True),
+        sa.Column('created_at', sa.DateTime(timezone=True), server_default=sa.text('(CURRENT_TIMESTAMP)'), nullable=True),
+        sa.Column('updated_at', sa.DateTime(timezone=True), nullable=True),
+        sa.ForeignKeyConstraint(['employee_id'], ['employees.id'], ),
+        sa.ForeignKeyConstraint(['processed_by'], ['users.id'], ),
+        sa.PrimaryKeyConstraint('id')
+    )
+    op.create_index(op.f('ix_payroll_records_id'), 'payroll_records', ['id'], unique=False)
+
+    # Create attendance_records table
+    op.create_table('attendance_records',
+        sa.Column('id', sa.Integer(), nullable=False),
+        sa.Column('employee_id', sa.Integer(), nullable=False),
+        sa.Column('date', sa.Date(), nullable=False),
+        sa.Column('clock_in', sa.Time(), nullable=True),
+        sa.Column('clock_out', sa.Time(), nullable=True),
+        sa.Column('hours_worked', sa.String(), nullable=True),
+        sa.Column('status', sa.Enum('PRESENT', 'ABSENT', 'LATE', 'HALF_DAY', name='attendancestatus'), nullable=True),
+        sa.Column('notes', sa.String(), nullable=True),
+        sa.Column('created_at', sa.DateTime(timezone=True), server_default=sa.text('(CURRENT_TIMESTAMP)'), nullable=True),
+        sa.Column('updated_at', sa.DateTime(timezone=True), nullable=True),
+        sa.ForeignKeyConstraint(['employee_id'], ['employees.id'], ),
+        sa.PrimaryKeyConstraint('id')
+    )
+    op.create_index(op.f('ix_attendance_records_id'), 'attendance_records', ['id'], unique=False)
+
+
+def downgrade() -> None:
+    op.drop_index(op.f('ix_attendance_records_id'), table_name='attendance_records')
+    op.drop_table('attendance_records')
+    op.drop_index(op.f('ix_payroll_records_id'), table_name='payroll_records')
+    op.drop_table('payroll_records')
+    op.drop_index(op.f('ix_leave_requests_id'), table_name='leave_requests')
+    op.drop_table('leave_requests')
+    op.drop_index(op.f('ix_employees_id'), table_name='employees')
+    op.drop_index(op.f('ix_employees_employee_id'), table_name='employees')
+    op.drop_table('employees')
+    op.drop_index(op.f('ix_departments_name'), table_name='departments')
+    op.drop_index(op.f('ix_departments_id'), table_name='departments')
+    op.drop_table('departments')
+    op.drop_index(op.f('ix_users_id'), table_name='users')
+    op.drop_index(op.f('ix_users_email'), table_name='users')
+    op.drop_table('users')

requirements.txt

@@ -0,0 +1,10 @@
+fastapi==0.104.1
+uvicorn[standard]==0.24.0
+sqlalchemy==2.0.23
+alembic==1.12.1
+python-jose[cryptography]==3.3.0
+passlib[bcrypt]==1.7.4
+python-multipart==0.0.6
+python-dotenv==1.0.0
+pydantic[email]==2.5.0
+ruff==0.1.6