updates

Backend/src/main.py

@@ -49,6 +49,9 @@ from .content.routes import privacy_routes
 app = FastAPI(title=settings.APP_NAME, description='Enterprise-grade Hotel Booking API', version=settings.APP_VERSION, docs_url='/api/docs' if not settings.is_production else None, redoc_url='/api/redoc' if not settings.is_production else None, openapi_url='/api/openapi.json' if not settings.is_production else None)
 app.add_middleware(RequestIDMiddleware)
 app.add_middleware(CookieConsentMiddleware)
+# Add API versioning middleware
+from .shared.middleware.api_versioning import APIVersioningMiddleware
+app.add_middleware(APIVersioningMiddleware, default_version='v1')
 if settings.REQUEST_TIMEOUT > 0:
     app.add_middleware(TimeoutMiddleware)
 app.add_middleware(SecurityHeadersMiddleware)
@@ -61,10 +64,12 @@ if settings.IP_WHITELIST_ENABLED:
     app.add_middleware(AdminIPWhitelistMiddleware)
     logger.info(f'Admin IP whitelisting enabled with {len(settings.ADMIN_IP_WHITELIST)} IP(s)/CIDR range(s)')
 if settings.RATE_LIMIT_ENABLED:
-    limiter = Limiter(key_func=get_remote_address, default_limits=[f'{settings.RATE_LIMIT_PER_MINUTE}/minute'])
+    # Use role-based rate limiting
+    from .security.middleware.role_based_rate_limit import create_role_based_limiter
+    limiter = create_role_based_limiter()
     app.state.limiter = limiter
     app.add_exception_handler(RateLimitExceeded, _rate_limit_exceeded_handler)
-    logger.info(f'Rate limiting enabled: {settings.RATE_LIMIT_PER_MINUTE} requests/minute')
+    logger.info(f'Role-based rate limiting enabled: Admin={settings.RATE_LIMIT_ADMIN_PER_MINUTE}/min, Staff={settings.RATE_LIMIT_STAFF_PER_MINUTE}/min, Accountant={settings.RATE_LIMIT_ACCOUNTANT_PER_MINUTE}/min, Customer={settings.RATE_LIMIT_CUSTOMER_PER_MINUTE}/min, Default={settings.RATE_LIMIT_PER_MINUTE}/min')
 
 # CORS middleware must be added LAST to handle OPTIONS preflight requests before other middleware
 # In FastAPI/Starlette, middleware is executed in reverse order (last added = first executed = outermost)
@@ -211,8 +216,11 @@ from .guest_management.routes.complaint_routes import router as complaint_routes
 from .notifications.routes import chat_routes, notification_routes, email_campaign_routes
 from .analytics.routes import analytics_routes, report_routes, audit_routes
 from .security.routes import security_routes, compliance_routes
-from .system.routes import system_settings_routes, workflow_routes, task_routes
+from .system.routes import system_settings_routes, workflow_routes, task_routes, approval_routes, backup_routes
 from .ai.routes import ai_assistant_routes
+from .compliance.routes import gdpr_routes
+from .integrations.routes import webhook_routes, api_key_routes
+from .auth.routes import session_routes
 
 # Register all routes with /api prefix (removed duplicate registrations)
 # Using /api prefix as standard, API versioning can be handled via headers if needed
@@ -264,6 +272,12 @@ app.include_router(email_campaign_routes.router, prefix=api_prefix)
 app.include_router(page_content_routes.router, prefix=api_prefix)
 app.include_router(blog_routes.router, prefix=api_prefix)
 app.include_router(ai_assistant_routes.router, prefix=api_prefix)
+app.include_router(approval_routes.router, prefix=api_prefix)
+app.include_router(gdpr_routes.router, prefix=api_prefix)
+app.include_router(webhook_routes.router, prefix=api_prefix)
+app.include_router(api_key_routes.router, prefix=api_prefix)
+app.include_router(session_routes.router, prefix=api_prefix)
+app.include_router(backup_routes.router, prefix=api_prefix)
 logger.info('All routes registered successfully')
 
 def ensure_jwt_secret():