.kiro/specs/vcl-aggregated-burndown/design.md

# Design Document: VCL Aggregated Burndown

## Overview

This feature adds an aggregated (cross-vertical) burndown forecast to the CCP Metrics overview page. Currently, burndown data is only available per-vertical via `GET /api/compliance/vcl-multi/vertical/:code/burndown`. This feature introduces a new endpoint `GET /api/compliance/vcl-multi/burndown` that rolls up burndown data across all verticals, a new pure helper function `computeAggregatedBurndown` for testable computation logic, and a new `AggregatedBurndownChart` React component displayed on the overview page.

The design reuses the existing `computeVerticalBurndown` pattern from `vclHelpers.js` and extends it with hostname deduplication (a device appearing in multiple metrics counts once) and per-vertical contribution breakdown. The frontend component follows the same Recharts `BarChart` pattern used in the per-vertical burndown chart within `VerticalDetailView`.

## Architecture

```mermaid
sequenceDiagram
    participant FE as CCPMetricsPage
    participant BE as Express Backend
    participant DB as PostgreSQL

    Note over FE,DB: Overview Page Load (existing + new)
    FE->>BE: GET /api/compliance/vcl-multi/stats
    BE->>DB: Aggregate stats across verticals
    BE-->>FE: { stats, donut, vertical_breakdown }

    FE->>BE: GET /api/compliance/vcl-multi/trend
    BE->>DB: Monthly snapshots
    BE-->>FE: { months: [...] }

    FE->>BE: GET /api/compliance/vcl-multi/burndown
    BE->>DB: SELECT hostname, resolution_date, vertical FROM compliance_items WHERE vertical IS NOT NULL AND status = 'active'
    BE->>BE: Deduplicate by hostname (earliest resolution_date)
    BE->>BE: computeAggregatedBurndown(devices)
    BE-->>FE: { total_non_compliant, blockers, with_dates, monthly_forecast, projected_clear_date, by_vertical }

    FE->>FE: Render AggregatedBurndownChart
```

### Data Flow

1. **Query** — Fetch all active non-compliant devices across all verticals from `compliance_items`.
2. **Deduplicate** — Group by hostname, keeping the earliest non-null `resolution_date` across metric entries. A device appearing in 3 metrics counts as 1 device.
3. **Compute** — Pass deduplicated device list to `computeAggregatedBurndown` which produces totals, monthly buckets, cumulative projection, and per-vertical breakdown.
4. **Respond** — Return the computed burndown data to the frontend.
5. **Render** — `AggregatedBurndownChart` displays a bar chart of monthly remediations, summary stats header, and per-vertical contribution table.

## Components and Interfaces

### Backend

#### New Endpoint

**`GET /api/compliance/vcl-multi/burndown`**

Returns aggregated burndown forecast across all verticals.

- Auth: `requireAuth()`
- Route file: `backend/routes/vclMultiVertical.js`
- Response:
```json
{
  "total_non_compliant": 400,
  "blockers": 120,
  "with_dates": 280,
  "monthly_forecast": {
    "2026-06": 85,
    "2026-07": 110,
    "2026-08": 55,
    "2026-09": 30
  },
  "projected_clear_date": "2026-09",
  "by_vertical": [
    { "vertical": "NTS_AEO", "total": 180, "blockers": 50, "with_dates": 130 },
    { "vertical": "SDIT_CISO", "total": 120, "blockers": 40, "with_dates": 80 },
    { "vertical": "TSI", "total": 100, "blockers": 30, "with_dates": 70 }
  ]
}
```

When no active non-compliant devices exist:
```json
{
  "total_non_compliant": 0,
  "blockers": 0,
  "with_dates": 0,
  "monthly_forecast": {},
  "projected_clear_date": null,
  "by_vertical": []
}
```

#### New Pure Helper Function

Added to `backend/helpers/vclHelpers.js`:

```javascript
/**
 * Deduplicates devices by hostname, keeping the earliest non-null resolution_date.
 * A device appearing in multiple metrics counts once.
 *
 * @param {Array<{ hostname: string, resolution_date: string|null, vertical: string }>} items
 * @returns {Array<{ hostname: string, resolution_date: string|null, vertical: string }>}
 */
function deduplicateByHostname(items) { ... }

/**
 * Computes aggregated burndown from a deduplicated array of device objects.
 * Each device has { hostname, resolution_date, vertical }.
 *
 * @param {Array<{ hostname: string, resolution_date: string|null, vertical: string }>} devices
 * @returns {{
 *   total: number,
 *   blockers: number,
 *   with_dates: number,
 *   monthly: Object<string, number>,
 *   projection: Object<string, { remediated: number, remaining: number }>,
 *   projected_clear_date: string|null,
 *   by_vertical: Array<{ vertical: string, total: number, blockers: number, with_dates: number }>
 * }}
 */
function computeAggregatedBurndown(devices) { ... }
```

**`deduplicateByHostname` logic:**
- Groups items by hostname
- For each hostname, selects the earliest non-null `resolution_date` across all entries
- If all entries for a hostname have null dates, the device is a blocker
- Preserves the `vertical` from the first entry (for per-vertical breakdown, the endpoint groups separately)

**`computeAggregatedBurndown` logic:**
- Counts total devices, blockers (null date), and with_dates (non-null date)
- Buckets with_dates devices by YYYY-MM of resolution_date into `monthly`
- Sorts monthly keys chronologically
- Computes `projection` as cumulative remaining: starts at `total`, subtracts each month's count
- Sets `projected_clear_date` to the last month key if blockers = 0, otherwise null
- Groups devices by vertical for `by_vertical`, sorted descending by total, omitting verticals with zero devices

#### Endpoint Implementation Pattern

The endpoint follows the same pattern as the existing per-vertical burndown:

```javascript
router.get('/burndown', async (req, res) => {
    try {
        const { rows } = await pool.query(
            `SELECT hostname, resolution_date, vertical
             FROM compliance_items
             WHERE vertical IS NOT NULL AND status = 'active'`
        );

        // Deduplicate by hostname (earliest non-null resolution_date)
        const devices = deduplicateByHostname(rows);
        const burndown = computeAggregatedBurndown(devices);

        res.json({
            total_non_compliant: burndown.total,
            blockers: burndown.blockers,
            with_dates: burndown.with_dates,
            monthly_forecast: burndown.monthly,
            projected_clear_date: burndown.projected_clear_date,
            by_vertical: burndown.by_vertical,
        });
    } catch (err) {
        console.error('[VCL Multi] GET /burndown error:', err.message);
        res.status(500).json({ error: 'Database error' });
    }
});
```

### Frontend

#### New Component: `AggregatedBurndownChart`

Inline component within `CCPMetricsPage.js` (following the existing pattern where `StatsBar`, `DonutChart`, `TrendChart`, and `VerticalTable` are all defined in the same file).

**Placement:** Below the existing charts row (TrendChart + DonutChart), above the VerticalTable.

**Behavior:**
- Fetches `GET /api/compliance/vcl-multi/burndown` on page load alongside existing stats/trend calls
- Displays a summary header with total non-compliant, blockers, in-progress, and projected clear date
- Renders a Recharts `BarChart` with one bar per monthly bucket (purple fill, matching existing burndown chart style)
- Below the chart, renders a compact per-vertical contribution table sorted by total descending
- Shows "No non-compliant devices" message when total = 0
- Shows "All X non-compliant devices lack remediation dates" when monthly_forecast is empty but blockers > 0
- Shows loading spinner while fetching
- Shows inline error message on API failure

**Chart specification:**
```javascript
<ResponsiveContainer width="100%" height={200}>
    <BarChart data={monthlyData}>
        <CartesianGrid stroke="rgba(255,255,255,0.05)" strokeDasharray="3 3" />
        <XAxis dataKey="month" tick={{ fontSize: 10, fill: '#64748B' }} />
        <YAxis tick={{ fontSize: 10, fill: '#64748B' }} />
        <Tooltip contentStyle={{ background: '#1E293B', border: '1px solid #334155', borderRadius: '0.5rem', fontSize: '0.75rem' }} />
        <Bar dataKey="count" fill="#A78BFA" fillOpacity={0.7} name="Projected Remediations" />
    </BarChart>
</ResponsiveContainer>
```

## Data Models

No schema changes required. The feature reads from the existing `compliance_items` table:

```sql
-- Existing columns used:
--   hostname     TEXT
--   vertical     TEXT (nullable)
--   status       TEXT ('active'|'resolved')
--   resolution_date  DATE (nullable)
```

The query for the aggregated burndown:
```sql
SELECT hostname, resolution_date, vertical
FROM compliance_items
WHERE vertical IS NOT NULL AND status = 'active'
```

This is the same data source used by the per-vertical burndown endpoint, just without the `vertical = $1` filter.

## Correctness Properties

*A property is a characteristic or behavior that should hold true across all valid executions of a system — essentially, a formal statement about what the system should do. Properties serve as the bridge between human-readable specifications and machine-verifiable correctness guarantees.*

### Property 1: Partition Invariant

*For any* array of device objects passed to `computeAggregatedBurndown`, the result must satisfy `blockers + with_dates = total`. Every device is either a blocker (null resolution_date) or in-progress (non-null resolution_date), with no device uncounted or double-counted.

**Validates: Requirements 2.2**

### Property 2: Monthly Bucket Conservation

*For any* array of device objects passed to `computeAggregatedBurndown`, the sum of all values in the `monthly` object must equal `with_dates`. Every in-progress device appears in exactly one monthly bucket, and no device is lost or duplicated during bucketing.

**Validates: Requirements 2.3, 1.5**

### Property 3: Chronological Monthly Ordering

*For any* array of device objects passed to `computeAggregatedBurndown`, the keys of the `monthly` object must be in ascending chronological order (lexicographic sort of YYYY-MM strings).

**Validates: Requirements 2.4**

### Property 4: Cumulative Projection Consistency

*For any* array of device objects passed to `computeAggregatedBurndown`, the `projection` object must satisfy: for each month in chronological order, `projection[month].remaining = total - (cumulative sum of monthly[m] for all m <= month)`. The first month's remaining equals `total - monthly[first_month]`.

**Validates: Requirements 2.5**

### Property 5: Projected Clear Date Logic

*For any* array of device objects passed to `computeAggregatedBurndown`: if `blockers > 0`, then `projected_clear_date` must be `null`; if `blockers = 0` and `with_dates > 0`, then `projected_clear_date` must equal the last (chronologically greatest) key in `monthly`.

**Validates: Requirements 1.7**

### Property 6: Hostname Deduplication with Earliest Date

*For any* array of items where the same hostname appears multiple times with different resolution_dates, `deduplicateByHostname` must produce exactly one entry per unique hostname, and that entry's `resolution_date` must be the earliest non-null date among all entries for that hostname (or null if all entries have null dates).

**Validates: Requirements 1.6**

### Property 7: Aggregation Consistency with Per-Vertical Computation

*For any* array of device objects spanning multiple verticals, the aggregated `total` must equal the sum of per-vertical totals, the aggregated `blockers` must equal the sum of per-vertical blockers, the aggregated `with_dates` must equal the sum of per-vertical with_dates, and for each month key, the aggregated monthly count must equal the sum of that month's count across all per-vertical computations.

**Validates: Requirements 4.1, 4.2, 4.3, 4.4**

### Property 8: By-Vertical Sorting and Filtering

*For any* array of device objects spanning multiple verticals, the `by_vertical` array must be sorted in descending order by `total`, must not contain any entry where `total = 0`, and the sum of all `by_vertical[i].total` must equal the overall `total`.

**Validates: Requirements 5.1, 5.2, 5.4**

## Error Handling

| Condition | HTTP Status | Response | Behavior |
|---|---|---|---|
| Database error | 500 | `{ "error": "Database error" }` | Log error, return 500 |
| Unauthenticated request | 401 | `{ "error": "Authentication required" }` | Middleware rejects |
| No active non-compliant devices | 200 | Zero/empty response (see above) | Graceful empty state |

Frontend error handling:
- API failure: inline error message in red monospace text, consistent with existing error patterns on the page
- Loading state: `<Loader />` spinner with "Loading..." text
- Empty state (total = 0): informational message instead of empty chart
- All blockers (monthly empty, blockers > 0): message indicating all devices lack dates

## Testing Strategy

### Property-Based Testing

Use `fast-check` (already used in this project). Each correctness property maps to a single property-based test with minimum 100 iterations.

Property tests target the pure helper functions exported from `backend/helpers/vclHelpers.js`:
- `deduplicateByHostname` — Property 6
- `computeAggregatedBurndown` — Properties 1, 2, 3, 4, 5, 7, 8

Tag format: **Feature: vcl-aggregated-burndown, Property {number}: {title}**

Test file: `backend/__tests__/vcl-aggregated-burndown.property.test.js`

### Unit Testing

Unit tests cover specific examples and edge cases:

- **Empty input** — verify all-zero response (Requirement 2.6)
- **All blockers** — verify with_dates = 0, monthly = {}, projected_clear_date = null (Requirement 2.7)
- **Single device, single metric** — verify basic computation
- **Duplicate hostnames across metrics** — verify deduplication picks earliest date
- **Duplicate hostnames where all dates are null** — verify device is a blocker
- **API endpoint integration** — verify response shape with mocked DB data
- **Auth middleware** — verify 401 without session

Test file: `backend/__tests__/vcl-aggregated-burndown.test.js`

### Frontend Testing

- Component renders loading state
- Component renders empty state message when total = 0
- Component renders blocker-only message when monthly is empty
- Component renders bar chart with correct data
- Component renders per-vertical table sorted correctly
- Component renders error message on API failure
Auto-sync .kiro/ from master (post-checkout hook) 2026-05-19 15:01:25 -06:00			`# Design Document: VCL Aggregated Burndown`

			`## Overview`

			This feature adds an aggregated (cross-vertical) burndown forecast to the CCP Metrics overview page. Currently, burndown data is only available per-vertical via `GET /api/compliance/vcl-multi/vertical/:code/burndown`. This feature introduces a new endpoint `GET /api/compliance/vcl-multi/burndown` that rolls up burndown data across all verticals, a new pure helper function `computeAggregatedBurndown` for testable computation logic, and a new `AggregatedBurndownChart` React component displayed on the overview page.

			The design reuses the existing `computeVerticalBurndown` pattern from `vclHelpers.js` and extends it with hostname deduplication (a device appearing in multiple metrics counts once) and per-vertical contribution breakdown. The frontend component follows the same Recharts `BarChart` pattern used in the per-vertical burndown chart within `VerticalDetailView`.

			`## Architecture`

			```mermaid
			`sequenceDiagram`
			`participant FE as CCPMetricsPage`
			`participant BE as Express Backend`
			`participant DB as PostgreSQL`

			`Note over FE,DB: Overview Page Load (existing + new)`
			`FE->>BE: GET /api/compliance/vcl-multi/stats`
			`BE->>DB: Aggregate stats across verticals`
			`BE-->>FE: { stats, donut, vertical_breakdown }`

			`FE->>BE: GET /api/compliance/vcl-multi/trend`
			`BE->>DB: Monthly snapshots`
			`BE-->>FE: { months: [...] }`

			`FE->>BE: GET /api/compliance/vcl-multi/burndown`
			`BE->>DB: SELECT hostname, resolution_date, vertical FROM compliance_items WHERE vertical IS NOT NULL AND status = 'active'`
			`BE->>BE: Deduplicate by hostname (earliest resolution_date)`
			`BE->>BE: computeAggregatedBurndown(devices)`
			`BE-->>FE: { total_non_compliant, blockers, with_dates, monthly_forecast, projected_clear_date, by_vertical }`

			`FE->>FE: Render AggregatedBurndownChart`
			```

			`### Data Flow`

			1. Query — Fetch all active non-compliant devices across all verticals from `compliance_items`.
			2. Deduplicate — Group by hostname, keeping the earliest non-null `resolution_date` across metric entries. A device appearing in 3 metrics counts as 1 device.
			3. Compute — Pass deduplicated device list to `computeAggregatedBurndown` which produces totals, monthly buckets, cumulative projection, and per-vertical breakdown.
			`4. Respond — Return the computed burndown data to the frontend.`
			5. Render — `AggregatedBurndownChart` displays a bar chart of monthly remediations, summary stats header, and per-vertical contribution table.

			`## Components and Interfaces`

			`### Backend`

			`#### New Endpoint`

			`GET /api/compliance/vcl-multi/burndown`

			`Returns aggregated burndown forecast across all verticals.`

			- Auth: `requireAuth()`
			- Route file: `backend/routes/vclMultiVertical.js`
			`- Response:`
			```json
			`{`
			`"total_non_compliant": 400,`
			`"blockers": 120,`
			`"with_dates": 280,`
			`"monthly_forecast": {`
			`"2026-06": 85,`
			`"2026-07": 110,`
			`"2026-08": 55,`
			`"2026-09": 30`
			`},`
			`"projected_clear_date": "2026-09",`
			`"by_vertical": [`
			`{ "vertical": "NTS_AEO", "total": 180, "blockers": 50, "with_dates": 130 },`
			`{ "vertical": "SDIT_CISO", "total": 120, "blockers": 40, "with_dates": 80 },`
			`{ "vertical": "TSI", "total": 100, "blockers": 30, "with_dates": 70 }`
			`]`
			`}`
			```

			`When no active non-compliant devices exist:`
			```json
			`{`
			`"total_non_compliant": 0,`
			`"blockers": 0,`
			`"with_dates": 0,`
			`"monthly_forecast": {},`
			`"projected_clear_date": null,`
			`"by_vertical": []`
			`}`
			```

			`#### New Pure Helper Function`

			Added to `backend/helpers/vclHelpers.js`:

			```javascript
			`/**`
			`* Deduplicates devices by hostname, keeping the earliest non-null resolution_date.`
			`* A device appearing in multiple metrics counts once.`
			`*`
			`* @param {Array<{ hostname: string, resolution_date: string\|null, vertical: string }>} items`
			`* @returns {Array<{ hostname: string, resolution_date: string\|null, vertical: string }>}`
			`*/`
			`function deduplicateByHostname(items) { ... }`

			`/**`
			`* Computes aggregated burndown from a deduplicated array of device objects.`
			`* Each device has { hostname, resolution_date, vertical }.`
			`*`
			`* @param {Array<{ hostname: string, resolution_date: string\|null, vertical: string }>} devices`
			`* @returns {{`
			`* total: number,`
			`* blockers: number,`
			`* with_dates: number,`
			`* monthly: Object<string, number>,`
			`* projection: Object<string, { remediated: number, remaining: number }>,`
			`* projected_clear_date: string\|null,`
			`* by_vertical: Array<{ vertical: string, total: number, blockers: number, with_dates: number }>`
			`* }}`
			`*/`
			`function computeAggregatedBurndown(devices) { ... }`
			```

			`deduplicateByHostname` logic:
			`- Groups items by hostname`
			- For each hostname, selects the earliest non-null `resolution_date` across all entries
			`- If all entries for a hostname have null dates, the device is a blocker`
			- Preserves the `vertical` from the first entry (for per-vertical breakdown, the endpoint groups separately)

			`computeAggregatedBurndown` logic:
			`- Counts total devices, blockers (null date), and with_dates (non-null date)`
			- Buckets with_dates devices by YYYY-MM of resolution_date into `monthly`
			`- Sorts monthly keys chronologically`
			- Computes `projection` as cumulative remaining: starts at `total`, subtracts each month's count
			- Sets `projected_clear_date` to the last month key if blockers = 0, otherwise null
			- Groups devices by vertical for `by_vertical`, sorted descending by total, omitting verticals with zero devices

			`#### Endpoint Implementation Pattern`

			`The endpoint follows the same pattern as the existing per-vertical burndown:`

			```javascript
			`router.get('/burndown', async (req, res) => {`
			`try {`
			`const { rows } = await pool.query(`
			`SELECT hostname, resolution_date, vertical
			`FROM compliance_items`
			WHERE vertical IS NOT NULL AND status = 'active'`
			`);`

			`// Deduplicate by hostname (earliest non-null resolution_date)`
			`const devices = deduplicateByHostname(rows);`
			`const burndown = computeAggregatedBurndown(devices);`

			`res.json({`
			`total_non_compliant: burndown.total,`
			`blockers: burndown.blockers,`
			`with_dates: burndown.with_dates,`
			`monthly_forecast: burndown.monthly,`
			`projected_clear_date: burndown.projected_clear_date,`
			`by_vertical: burndown.by_vertical,`
			`});`
			`} catch (err) {`
			`console.error('[VCL Multi] GET /burndown error:', err.message);`
			`res.status(500).json({ error: 'Database error' });`
			`}`
			`});`
			```

			`### Frontend`

			#### New Component: `AggregatedBurndownChart`

			Inline component within `CCPMetricsPage.js` (following the existing pattern where `StatsBar`, `DonutChart`, `TrendChart`, and `VerticalTable` are all defined in the same file).

			`Placement: Below the existing charts row (TrendChart + DonutChart), above the VerticalTable.`

			`Behavior:`
			- Fetches `GET /api/compliance/vcl-multi/burndown` on page load alongside existing stats/trend calls
			`- Displays a summary header with total non-compliant, blockers, in-progress, and projected clear date`
			- Renders a Recharts `BarChart` with one bar per monthly bucket (purple fill, matching existing burndown chart style)
			`- Below the chart, renders a compact per-vertical contribution table sorted by total descending`
			`- Shows "No non-compliant devices" message when total = 0`
			`- Shows "All X non-compliant devices lack remediation dates" when monthly_forecast is empty but blockers > 0`
			`- Shows loading spinner while fetching`
			`- Shows inline error message on API failure`

			`Chart specification:`
			```javascript
			`<ResponsiveContainer width="100%" height={200}>`
			`<BarChart data={monthlyData}>`
			`<CartesianGrid stroke="rgba(255,255,255,0.05)" strokeDasharray="3 3" />`
			`<XAxis dataKey="month" tick={{ fontSize: 10, fill: '#64748B' }} />`
			`<YAxis tick={{ fontSize: 10, fill: '#64748B' }} />`
			`<Tooltip contentStyle={{ background: '#1E293B', border: '1px solid #334155', borderRadius: '0.5rem', fontSize: '0.75rem' }} />`
			`<Bar dataKey="count" fill="#A78BFA" fillOpacity={0.7} name="Projected Remediations" />`
			`</BarChart>`
			`</ResponsiveContainer>`
			```

			`## Data Models`

			No schema changes required. The feature reads from the existing `compliance_items` table:

			```sql
			`-- Existing columns used:`
			`-- hostname TEXT`
			`-- vertical TEXT (nullable)`
			`-- status TEXT ('active'\|'resolved')`
			`-- resolution_date DATE (nullable)`
			```

			`The query for the aggregated burndown:`
			```sql
			`SELECT hostname, resolution_date, vertical`
			`FROM compliance_items`
			`WHERE vertical IS NOT NULL AND status = 'active'`
			```

			This is the same data source used by the per-vertical burndown endpoint, just without the `vertical = $1` filter.

			`## Correctness Properties`

			`A property is a characteristic or behavior that should hold true across all valid executions of a system — essentially, a formal statement about what the system should do. Properties serve as the bridge between human-readable specifications and machine-verifiable correctness guarantees.`

			`### Property 1: Partition Invariant`

			For any array of device objects passed to `computeAggregatedBurndown`, the result must satisfy `blockers + with_dates = total`. Every device is either a blocker (null resolution_date) or in-progress (non-null resolution_date), with no device uncounted or double-counted.

			`Validates: Requirements 2.2`

			`### Property 2: Monthly Bucket Conservation`

			For any array of device objects passed to `computeAggregatedBurndown`, the sum of all values in the `monthly` object must equal `with_dates`. Every in-progress device appears in exactly one monthly bucket, and no device is lost or duplicated during bucketing.

			`Validates: Requirements 2.3, 1.5`

			`### Property 3: Chronological Monthly Ordering`

			For any array of device objects passed to `computeAggregatedBurndown`, the keys of the `monthly` object must be in ascending chronological order (lexicographic sort of YYYY-MM strings).

			`Validates: Requirements 2.4`

			`### Property 4: Cumulative Projection Consistency`

			For any array of device objects passed to `computeAggregatedBurndown`, the `projection` object must satisfy: for each month in chronological order, `projection[month].remaining = total - (cumulative sum of monthly[m] for all m <= month)`. The first month's remaining equals `total - monthly[first_month]`.

			`Validates: Requirements 2.5`

			`### Property 5: Projected Clear Date Logic`

			For any array of device objects passed to `computeAggregatedBurndown`: if `blockers > 0`, then `projected_clear_date` must be `null`; if `blockers = 0` and `with_dates > 0`, then `projected_clear_date` must equal the last (chronologically greatest) key in `monthly`.

			`Validates: Requirements 1.7`

			`### Property 6: Hostname Deduplication with Earliest Date`

			For any array of items where the same hostname appears multiple times with different resolution_dates, `deduplicateByHostname` must produce exactly one entry per unique hostname, and that entry's `resolution_date` must be the earliest non-null date among all entries for that hostname (or null if all entries have null dates).

			`Validates: Requirements 1.6`

			`### Property 7: Aggregation Consistency with Per-Vertical Computation`

			For any array of device objects spanning multiple verticals, the aggregated `total` must equal the sum of per-vertical totals, the aggregated `blockers` must equal the sum of per-vertical blockers, the aggregated `with_dates` must equal the sum of per-vertical with_dates, and for each month key, the aggregated monthly count must equal the sum of that month's count across all per-vertical computations.

			`Validates: Requirements 4.1, 4.2, 4.3, 4.4`

			`### Property 8: By-Vertical Sorting and Filtering`

			For any array of device objects spanning multiple verticals, the `by_vertical` array must be sorted in descending order by `total`, must not contain any entry where `total = 0`, and the sum of all `by_vertical[i].total` must equal the overall `total`.

			`Validates: Requirements 5.1, 5.2, 5.4`

			`## Error Handling`

			`\| Condition \| HTTP Status \| Response \| Behavior \|`
			`\|---\|---\|---\|---\|`
			\| Database error \| 500 \| `{ "error": "Database error" }` \| Log error, return 500 \|
			\| Unauthenticated request \| 401 \| `{ "error": "Authentication required" }` \| Middleware rejects \|
			`\| No active non-compliant devices \| 200 \| Zero/empty response (see above) \| Graceful empty state \|`

			`Frontend error handling:`
			`- API failure: inline error message in red monospace text, consistent with existing error patterns on the page`
			- Loading state: `<Loader />` spinner with "Loading..." text
			`- Empty state (total = 0): informational message instead of empty chart`
			`- All blockers (monthly empty, blockers > 0): message indicating all devices lack dates`

			`## Testing Strategy`

			`### Property-Based Testing`

			Use `fast-check` (already used in this project). Each correctness property maps to a single property-based test with minimum 100 iterations.

			Property tests target the pure helper functions exported from `backend/helpers/vclHelpers.js`:
			- `deduplicateByHostname` — Property 6
			- `computeAggregatedBurndown` — Properties 1, 2, 3, 4, 5, 7, 8

			`Tag format: Feature: vcl-aggregated-burndown, Property {number}: {title}`

			Test file: `backend/__tests__/vcl-aggregated-burndown.property.test.js`

			`### Unit Testing`

			`Unit tests cover specific examples and edge cases:`

			`- Empty input — verify all-zero response (Requirement 2.6)`
			`- All blockers — verify with_dates = 0, monthly = {}, projected_clear_date = null (Requirement 2.7)`
			`- Single device, single metric — verify basic computation`
			`- Duplicate hostnames across metrics — verify deduplication picks earliest date`
			`- Duplicate hostnames where all dates are null — verify device is a blocker`
			`- API endpoint integration — verify response shape with mocked DB data`
			`- Auth middleware — verify 401 without session`

			Test file: `backend/__tests__/vcl-aggregated-burndown.test.js`

			`### Frontend Testing`

			`- Component renders loading state`
			`- Component renders empty state message when total = 0`
			`- Component renders blocker-only message when monthly is empty`
			`- Component renders bar chart with correct data`
			`- Component renders per-vertical table sorted correctly`
			`- Component renders error message on API failure`