Initial commit: enterprise digital platform with portal SSO, DigiServer, IT Assets, NetworkView, Server Monitor

2026-05-10 21:07:50 +03:00
commit 8d9df56b0b
364 changed files with 73655 additions and 0 deletions
@@ -0,0 +1,74 @@
+import os
+from datetime import datetime
+from flask import Flask
+from config import config
+from app.extensions import db, migrate, login_manager
+
+
+def create_app(config_name='production'):
+    app = Flask(__name__)
+    app.config.from_object(config.get(config_name, config['default']))
+
+    data_dir = os.environ.get('DATA_DIR', '/app/data')
+    os.makedirs(data_dir, exist_ok=True)
+
+    db.init_app(app)
+    migrate.init_app(app, db)
+    login_manager.init_app(app)
+
+    from app.models import user, app_access, api_key, module_config  # noqa: F401
+
+    from app.routes.auth import bp as auth_bp
+    from app.routes.dashboard import bp as dashboard_bp
+    from app.routes.settings import bp as settings_bp
+    from app.routes.api import bp as api_bp
+
+    app.register_blueprint(auth_bp)
+    app.register_blueprint(dashboard_bp)
+    app.register_blueprint(settings_bp)
+    app.register_blueprint(api_bp)
+
+    with app.app_context():
+        db.create_all()
+        _seed_admin(app)
+        _seed_modules(app)
+
+    @app.context_processor
+    def inject_globals():
+        return {'now': datetime.utcnow(), 'registered_apps': app.config['REGISTERED_APPS']}
+
+    return app
+
+
+def _seed_admin(app):
+    from app.models.user import PortalUser
+    from app.extensions import db
+    from werkzeug.security import generate_password_hash
+
+    if PortalUser.query.count() == 0:
+        admin = PortalUser(
+            username=app.config['ADMIN_USERNAME'],
+            email=app.config['ADMIN_EMAIL'],
+            password_hash=generate_password_hash(app.config['ADMIN_PASSWORD']),
+            is_admin=True,
+            is_active=True,
+        )
+        db.session.add(admin)
+        db.session.flush()
+
+        # Grant admin access to all apps with explicit admin role
+        from app.models.app_access import AppAccess
+        for reg_app in app.config['REGISTERED_APPS']:
+            db.session.add(AppAccess(user_id=admin.id, app_name=reg_app['id'],
+                                     is_active=True, app_role='admin'))
+
+        db.session.commit()
+
+
+def _seed_modules(app):
+    """Ensure every registered app has a ModuleConfig row (default: enabled)."""
+    from app.models.module_config import ModuleConfig
+    for reg_app in app.config['REGISTERED_APPS']:
+        if not ModuleConfig.query.filter_by(app_id=reg_app['id']).first():
+            db.session.add(ModuleConfig(app_id=reg_app['id'], enabled=True))
+    db.session.commit()
@@ -0,0 +1,10 @@
+from flask_sqlalchemy import SQLAlchemy
+from flask_migrate import Migrate
+from flask_login import LoginManager
+
+db = SQLAlchemy()
+migrate = Migrate()
+login_manager = LoginManager()
+login_manager.login_view = 'auth.login'
+login_manager.login_message = 'Please sign in to access the platform.'
+login_manager.login_message_category = 'info'
@@ -0,0 +1,6 @@
+from app.models.user import PortalUser
+from app.models.app_access import AppAccess
+from app.models.api_key import ApiKey
+from app.models.module_config import ModuleConfig
+
+__all__ = ['PortalUser', 'AppAccess', 'ApiKey', 'ModuleConfig']
@@ -0,0 +1,24 @@
+import secrets
+from datetime import datetime
+from app.extensions import db
+
+
+class ApiKey(db.Model):
+    """Per-user API keys for programmatic access to sub-applications."""
+    __tablename__ = 'api_keys'
+
+    id = db.Column(db.Integer, primary_key=True)
+    user_id = db.Column(db.Integer, db.ForeignKey('portal_users.id'), nullable=False)
+    key = db.Column(db.String(64), unique=True, nullable=False, index=True)
+    app_name = db.Column(db.String(50), nullable=False)
+    description = db.Column(db.String(200), nullable=True)
+    is_active = db.Column(db.Boolean, default=True)
+    created_at = db.Column(db.DateTime, default=datetime.utcnow)
+    last_used_at = db.Column(db.DateTime, nullable=True)
+
+    @staticmethod
+    def generate_key():
+        return secrets.token_hex(32)
+
+    def __repr__(self):
+        return f'<ApiKey user={self.user_id} app={self.app_name}>'
@@ -0,0 +1,20 @@
+from datetime import datetime
+from app.extensions import db
+
+
+class AppAccess(db.Model):
+    """Controls which portal users have access to which sub-applications."""
+    __tablename__ = 'app_access'
+
+    id         = db.Column(db.Integer, primary_key=True)
+    user_id    = db.Column(db.Integer, db.ForeignKey('portal_users.id'), nullable=False)
+    app_name   = db.Column(db.String(50), nullable=False)  # 'digiserver' | 'networkview' | 'itassets'
+    is_active  = db.Column(db.Boolean, default=True)
+    # Per-app role override: 'admin' | 'user' | None (None = inherit the portal-level role)
+    app_role   = db.Column(db.String(20), nullable=True)
+    granted_at = db.Column(db.DateTime, default=datetime.utcnow)
+
+    __table_args__ = (db.UniqueConstraint('user_id', 'app_name', name='uq_user_app'),)
+
+    def __repr__(self):
+        return f'<AppAccess user={self.user_id} app={self.app_name} role={self.app_role}>'
@@ -0,0 +1,15 @@
+from datetime import datetime
+from app.extensions import db
+
+
+class ModuleConfig(db.Model):
+    """Tracks whether each sub-application is enabled at the platform level."""
+    __tablename__ = 'module_config'
+
+    id         = db.Column(db.Integer, primary_key=True)
+    app_id     = db.Column(db.String(50), unique=True, nullable=False)
+    enabled    = db.Column(db.Boolean, default=True, nullable=False)
+    updated_at = db.Column(db.DateTime, default=datetime.utcnow, onupdate=datetime.utcnow)
+
+    def __repr__(self):
+        return f'<ModuleConfig {self.app_id}={self.enabled}>'
@@ -0,0 +1,38 @@
+from datetime import datetime
+from flask_login import UserMixin
+from app.extensions import db, login_manager
+
+
+class PortalUser(UserMixin, db.Model):
+    __tablename__ = 'portal_users'
+
+    id = db.Column(db.Integer, primary_key=True)
+    username = db.Column(db.String(80), unique=True, nullable=False, index=True)
+    email = db.Column(db.String(200), unique=True, nullable=False)
+    password_hash = db.Column(db.String(256), nullable=False)
+    is_admin = db.Column(db.Boolean, default=False)
+    is_active = db.Column(db.Boolean, default=True)
+    created_at = db.Column(db.DateTime, default=datetime.utcnow)
+    last_login = db.Column(db.DateTime, nullable=True)
+
+    app_accesses = db.relationship('AppAccess', backref='user', lazy='dynamic', cascade='all, delete-orphan')
+    api_keys = db.relationship('ApiKey', backref='user', lazy='dynamic', cascade='all, delete-orphan')
+
+    def get_accessible_apps(self):
+        return [a.app_name for a in self.app_accesses.filter_by(is_active=True).all()]
+
+    def can_access(self, app_name):
+        return self.app_accesses.filter_by(app_name=app_name, is_active=True).first() is not None
+
+    def app_role(self, app_name):
+        """Return the per-app role override ('admin'|'user'), or None if not set."""
+        access = self.app_accesses.filter_by(app_name=app_name, is_active=True).first()
+        return access.app_role if access else None
+
+    def __repr__(self):
+        return f'<PortalUser {self.username}>'
+
+
+@login_manager.user_loader
+def load_user(user_id):
+    return PortalUser.query.get(int(user_id))
@@ -0,0 +1,6 @@
+from app.routes.auth import bp as auth_bp
+from app.routes.dashboard import bp as dashboard_bp
+from app.routes.settings import bp as settings_bp
+from app.routes.api import bp as api_bp
+
+__all__ = ['auth_bp', 'dashboard_bp', 'settings_bp', 'api_bp']
@@ -0,0 +1,70 @@
+from flask import Blueprint, request, make_response, current_app
+import jwt
+
+bp = Blueprint('api', __name__, url_prefix='/api')
+
+
+@bp.route('/verify-token')
+def verify_token():
+    """
+    Called internally by nginx auth_request.
+    Reads the platform JWT cookie, verifies it, and returns 200 with user
+    identity headers on success, or 401/403 on failure.
+    """
+    token = request.cookies.get(current_app.config['PORTAL_COOKIE_NAME'])
+    if not token:
+        return '', 401
+
+    try:
+        payload = jwt.decode(
+            token,
+            current_app.config['PORTAL_JWT_SECRET'],
+            algorithms=['HS256'],
+            options={'require': ['exp', 'sub', 'user_id']},
+        )
+    except jwt.ExpiredSignatureError:
+        return '', 401
+    except jwt.InvalidTokenError:
+        return '', 401
+
+    # Per-app access check based on the original request URI
+    original_uri = request.headers.get('X-Original-URI', '')
+    required_app = _app_from_uri(original_uri)
+    user_id = payload.get('user_id')
+    portal_role = payload.get('role', 'user')
+
+    if required_app:
+        user_apps = payload.get('apps', [])
+        if required_app not in user_apps:
+            return '', 403
+
+    # Resolve the effective role for this specific app.
+    # If the admin has set a per-app role override in AppAccess, use that;
+    # otherwise fall back to the portal-level role from the JWT.
+    effective_role = portal_role
+    if required_app and user_id:
+        try:
+            from app.models.app_access import AppAccess
+            access = AppAccess.query.filter_by(
+                user_id=user_id, app_name=required_app, is_active=True
+            ).first()
+            if access and access.app_role:
+                effective_role = access.app_role
+        except Exception:
+            pass  # fall back to portal role
+
+    resp = make_response('', 200)
+    resp.headers['X-Auth-User-Id'] = str(user_id or '')
+    resp.headers['X-Auth-Username'] = payload.get('sub', '')
+    resp.headers['X-Auth-Role'] = effective_role
+    return resp
+
+
+def _app_from_uri(uri):
+    if uri.startswith('/digiserver/'):
+        return 'digiserver'
+    if uri.startswith('/itassets/'):
+        return 'itassets'
+    if uri.startswith('/networkview/'):
+        return 'networkview'
+    return None
@@ -0,0 +1,76 @@
+from datetime import datetime
+from flask import Blueprint, render_template, redirect, url_for, flash, request, make_response, current_app
+from flask_login import login_user, logout_user, login_required, current_user
+from werkzeug.security import check_password_hash
+import jwt
+
+from app.extensions import db
+from app.models.user import PortalUser
+
+bp = Blueprint('auth', __name__)
+
+
+def _issue_portal_cookie(user, response):
+    """Sign and attach the platform-wide JWT cookie to a response."""
+    import time
+    expiry_hours = current_app.config['JWT_EXPIRY_HOURS']
+    now = int(time.time())
+    payload = {
+        'sub': user.username,
+        'user_id': user.id,
+        'email': user.email,
+        'role': 'admin' if user.is_admin else 'user',
+        'apps': user.get_accessible_apps(),
+        'iss': 'enterprise-digital-platform',
+        'iat': now,
+        'exp': now + expiry_hours * 3600,
+    }
+    token = jwt.encode(payload, current_app.config['PORTAL_JWT_SECRET'], algorithm='HS256')
+    response.set_cookie(
+        current_app.config['PORTAL_COOKIE_NAME'],
+        token,
+        httponly=True,
+        samesite='Lax',
+        max_age=expiry_hours * 3600,
+        path='/',
+    )
+    return response
+
+
+@bp.route('/login', methods=['GET', 'POST'])
+def login():
+    if current_user.is_authenticated:
+        return redirect(url_for('dashboard.index'))
+
+    if request.method == 'POST':
+        username = request.form.get('username', '').strip()
+        password = request.form.get('password', '')
+
+        if not username or not password:
+            flash('Please enter username and password.', 'danger')
+            return render_template('auth/login.html')
+
+        user = PortalUser.query.filter_by(username=username, is_active=True).first()
+        if user and check_password_hash(user.password_hash, password):
+            user.last_login = datetime.utcnow()
+            db.session.commit()
+            login_user(user, remember=False)
+
+            next_page = request.args.get('next') or url_for('dashboard.index')
+            resp = make_response(redirect(next_page))
+            _issue_portal_cookie(user, resp)
+            return resp
+
+        flash('Invalid username or password.', 'danger')
+
+    return render_template('auth/login.html')
+
+
+@bp.route('/logout')
+@login_required
+def logout():
+    logout_user()
+    resp = make_response(redirect(url_for('auth.login')))
+    resp.delete_cookie(current_app.config['PORTAL_COOKIE_NAME'], path='/')
+    flash('You have been signed out.', 'info')
+    return resp
@@ -0,0 +1,25 @@
+from flask import Blueprint, render_template, redirect, url_for, current_app
+from flask_login import login_required, current_user
+
+bp = Blueprint('dashboard', __name__)
+
+
+@bp.route('/')
+@login_required
+def index():
+    user_apps = set(current_user.get_accessible_apps())
+    apps = []
+    for app_def in current_app.config['REGISTERED_APPS']:
+        apps.append({**app_def, 'has_access': app_def['id'] in user_apps})
+    return render_template('dashboard/index.html', apps=apps)
+
+
+@bp.route('/access-denied')
+@login_required
+def access_denied():
+    return render_template('dashboard/access_denied.html'), 403
+
+
+@bp.route('/health')
+def health():
+    return {'status': 'ok'}, 200
@@ -0,0 +1,295 @@
+from flask import Blueprint, render_template, redirect, url_for, flash, request, current_app
+from flask_login import login_required, current_user
+from werkzeug.security import generate_password_hash
+
+from app.extensions import db
+from app.models.user import PortalUser
+from app.models.app_access import AppAccess
+from app.models.api_key import ApiKey
+
+bp = Blueprint('settings', __name__, url_prefix='/settings')
+
+
+def _sync_user_to_app(app_id, username, role):
+    """
+    Notify an app's internal /internal/sync-user endpoint so the user is
+    pre-created / role-updated in that app's own DB.
+    Silently swallows errors so it never breaks the portal flow.
+    """
+    import urllib.request
+    import json
+
+    registered = {a['id']: a for a in current_app.config.get('REGISTERED_APPS', [])}
+    app_meta = registered.get(app_id)
+    if not app_meta or not app_meta.get('internal_url'):
+        return
+
+    secret = current_app.config.get('INTERNAL_SYNC_SECRET', '')
+    url = app_meta['internal_url'].rstrip('/') + '/internal/sync-user'
+    body = json.dumps({'username': username, 'role': role}).encode()
+    req = urllib.request.Request(
+        url,
+        data=body,
+        headers={
+            'Content-Type': 'application/json',
+            'X-Internal-Token': secret,
+        },
+        method='POST',
+    )
+    try:
+        with urllib.request.urlopen(req, timeout=3):
+            pass
+    except Exception:
+        pass  # Best-effort; SSO will sync on first login anyway
+
+
+def _admin_required(f):
+    from functools import wraps
+    from flask_login import current_user
+    from flask import abort
+
+    @wraps(f)
+    def decorated(*args, **kwargs):
+        if not current_user.is_admin:
+            abort(403)
+        return f(*args, **kwargs)
+    return decorated
+
+
+@bp.route('/')
+@login_required
+@_admin_required
+def index():
+    users = PortalUser.query.order_by(PortalUser.username).all()
+    registered_apps = current_app.config['REGISTERED_APPS']
+    return render_template('settings/index.html', users=users, registered_apps=registered_apps)
+
+
+# ── User management ────────────────────────────────────────────────────────────
+
+@bp.route('/users/new', methods=['GET', 'POST'])
+@login_required
+@_admin_required
+def new_user():
+    registered_apps = current_app.config['REGISTERED_APPS']
+    if request.method == 'POST':
+        username = request.form.get('username', '').strip()
+        email = request.form.get('email', '').strip()
+        password = request.form.get('password', '')
+        is_admin = request.form.get('is_admin') == 'on'
+
+        if not username or not email or not password:
+            flash('Username, email and password are required.', 'danger')
+            return render_template('settings/new_user.html', registered_apps=registered_apps)
+
+        if PortalUser.query.filter_by(username=username).first():
+            flash('Username already exists.', 'danger')
+            return render_template('settings/new_user.html', registered_apps=registered_apps)
+
+        user = PortalUser(
+            username=username,
+            email=email,
+            password_hash=generate_password_hash(password),
+            is_admin=is_admin,
+            is_active=True,
+        )
+        db.session.add(user)
+        db.session.flush()
+
+        for app in registered_apps:
+            app_id = app['id']
+            role_val = request.form.get(f'role_{app_id}', 'none').strip()
+            if role_val in ('admin', 'user'):
+                db.session.add(AppAccess(user_id=user.id, app_name=app_id,
+                                         is_active=True, app_role=role_val))
+
+        db.session.commit()
+
+        # Best-effort: pre-create user in each app that supports sync
+        for app in registered_apps:
+            app_id = app['id']
+            role_val = request.form.get(f'role_{app_id}', 'none').strip()
+            if role_val in ('admin', 'user'):
+                _sync_user_to_app(app_id, username, role_val)
+
+        flash(f'User "{username}" created successfully.', 'success')
+        return redirect(url_for('settings.index'))
+
+    return render_template('settings/new_user.html', registered_apps=registered_apps)
+
+
+@bp.route('/users/<int:user_id>/access', methods=['POST'])
+@login_required
+@_admin_required
+def update_access(user_id):
+    user = PortalUser.query.get_or_404(user_id)
+    registered_apps = current_app.config['REGISTERED_APPS']
+
+    for app in registered_apps:
+        app_id = app['id']
+        # The UI sends role_<app_id> = 'admin' | 'user' | 'none'
+        role_val = request.form.get(f'role_{app_id}', 'none').strip()
+        should_have = role_val in ('admin', 'user')
+        app_role = role_val if role_val in ('admin', 'user') else None
+
+        existing = AppAccess.query.filter_by(user_id=user.id, app_name=app_id).first()
+        if existing:
+            existing.is_active = should_have
+            existing.app_role = app_role
+        elif should_have:
+            db.session.add(AppAccess(user_id=user.id, app_name=app_id,
+                                     is_active=True, app_role=app_role))
+
+    db.session.commit()
+
+    # Best-effort: pre-create / update user in each app that supports sync
+    for app in registered_apps:
+        app_id = app['id']
+        role_val = request.form.get(f'role_{app_id}', 'none').strip()
+        if role_val in ('admin', 'user'):
+            _sync_user_to_app(app_id, user.username, role_val)
+
+    flash(f'Access for "{user.username}" updated.', 'success')
+    return redirect(url_for('settings.index'))
+
+
+@bp.route('/users/<int:user_id>/delete', methods=['POST'])
+@login_required
+@_admin_required
+def delete_user(user_id):
+    if user_id == current_user.id:
+        flash('You cannot delete your own account.', 'danger')
+        return redirect(url_for('settings.index'))
+    user = PortalUser.query.get_or_404(user_id)
+    db.session.delete(user)
+    db.session.commit()
+    flash(f'User "{user.username}" deleted.', 'success')
+    return redirect(url_for('settings.index'))
+
+
+# ── API key management ─────────────────────────────────────────────────────────
+
+@bp.route('/api-keys')
+@login_required
+@_admin_required
+def api_keys():
+    keys = ApiKey.query.order_by(ApiKey.created_at.desc()).all()
+    registered_apps = current_app.config['REGISTERED_APPS']
+    users = PortalUser.query.order_by(PortalUser.username).all()
+    return render_template('settings/api_keys.html', keys=keys, registered_apps=registered_apps, users=users)
+
+
+@bp.route('/api-keys/new', methods=['POST'])
+@login_required
+@_admin_required
+def new_api_key():
+    user_id = request.form.get('user_id', type=int)
+    app_name = request.form.get('app_name', '').strip()
+    description = request.form.get('description', '').strip()
+
+    if not user_id or not app_name:
+        flash('User and application are required.', 'danger')
+        return redirect(url_for('settings.api_keys'))
+
+    key = ApiKey(
+        user_id=user_id,
+        key=ApiKey.generate_key(),
+        app_name=app_name,
+        description=description or None,
+    )
+    db.session.add(key)
+    db.session.commit()
+    flash(f'API key created: {key.key}', 'success')
+    return redirect(url_for('settings.api_keys'))
+
+
+@bp.route('/api-keys/<int:key_id>/revoke', methods=['POST'])
+@login_required
+@_admin_required
+def revoke_api_key(key_id):
+    key = ApiKey.query.get_or_404(key_id)
+    key.is_active = False
+    db.session.commit()
+    flash('API key revoked.', 'success')
+    return redirect(url_for('settings.api_keys'))
+
+
+# ── Module management ──────────────────────────────────────────────────────────
+
+@bp.route('/modules')
+@login_required
+@_admin_required
+def modules():
+    from app.models.module_config import ModuleConfig
+    from app.services import module_manager
+
+    registered_apps = current_app.config['REGISTERED_APPS']
+    cfg_map = {m.app_id: m for m in ModuleConfig.query.all()}
+
+    module_statuses = []
+    for app in registered_apps:
+        cfg = cfg_map.get(app['id'])
+        enabled = cfg.enabled if cfg else True
+        running = module_manager.is_running(app['id'])
+        module_statuses.append({
+            'app': app,
+            'enabled': enabled,
+            'running': running,
+        })
+
+    return render_template('settings/modules.html', module_statuses=module_statuses)
+
+
+@bp.route('/modules/<app_id>/toggle', methods=['POST'])
+@login_required
+@_admin_required
+def toggle_module(app_id):
+    from app.models.module_config import ModuleConfig
+    from app.services import module_manager
+
+    registered_ids = {a['id'] for a in current_app.config['REGISTERED_APPS']}
+    if app_id not in registered_ids:
+        flash('Unknown application.', 'danger')
+        return redirect(url_for('settings.modules'))
+
+    action = request.form.get('action')   # 'enable' or 'disable'
+    if action not in ('enable', 'disable'):
+        flash('Invalid action.', 'danger')
+        return redirect(url_for('settings.modules'))
+
+    cfg = ModuleConfig.query.filter_by(app_id=app_id).first()
+    if cfg is None:
+        cfg = ModuleConfig(app_id=app_id, enabled=True)
+        db.session.add(cfg)
+
+    app_meta = next(a for a in current_app.config['REGISTERED_APPS'] if a['id'] == app_id)
+    name = app_meta['name']
+
+    if action == 'disable':
+        cfg.enabled = False
+        db.session.commit()
+        module_manager.write_module_state(app_id, False)
+        if module_manager.is_running(app_id):
+            module_manager.stop_service(app_id)
+            flash(f'{name} has been disabled and stopped.', 'success')
+        else:
+            flash(f'{name} has been disabled.', 'success')
+
+    else:  # enable
+        cfg.enabled = True
+        db.session.commit()
+        module_manager.write_module_state(app_id, True)
+        if not module_manager.is_running(app_id):
+            ok = module_manager.start_service(app_id)
+            if ok:
+                flash(f'{name} has been enabled and is starting up.', 'success')
+            else:
+                flash(
+                    f'{name} enabled. No launch spec found — '
+                    'run ./start-dev.sh to start it.',
+                    'warning',
+                )
+        else:
+            flash(f'{name} is already running and has been re-enabled.', 'success')
+
+    return redirect(url_for('settings.modules'))
@@ -0,0 +1 @@
+# services package
@@ -0,0 +1,197 @@
+"""
+module_manager.py — start/stop/status helpers for EDP sub-services.
+
+Used exclusively in development mode (start-dev.sh launcher).  Each service
+writes its PID to   .dev-logs/<name>.pid  so the portal can signal it.
+Module state (enabled/disabled) is persisted in the portal's SQLite DB
+(ModuleConfig table) and mirrored to  .dev-module-state.json  so that
+start-dev.sh can respect it on the next launch.
+"""
+import json
+import logging
+import os
+import signal
+import subprocess
+from typing import Optional
+
+log = logging.getLogger(__name__)
+
+
+# ── Directory helpers ─────────────────────────────────────────────────────────
+
+def _root() -> str:
+    """Return the Enterprise_digital-platform root directory at runtime."""
+    # This file lives at:  portal/app/services/module_manager.py
+    # → services/  → app/  → portal/  → ROOT
+    return os.path.dirname(
+        os.path.dirname(
+            os.path.dirname(
+                os.path.dirname(os.path.abspath(__file__))
+            )
+        )
+    )
+
+
+def _log_dir() -> str:
+    return os.path.join(_root(), '.dev-logs')
+
+
+def _pid_path(app_id: str) -> str:
+    return os.path.join(_log_dir(), f'{app_id}.pid')
+
+
+def _state_path() -> str:
+    return os.path.join(_root(), '.dev-module-state.json')
+
+
+# ── PID file helpers ──────────────────────────────────────────────────────────
+
+def _read_pid(app_id: str) -> Optional[int]:
+    path = _pid_path(app_id)
+    if not os.path.exists(path):
+        return None
+    try:
+        with open(path) as fp:
+            return int(fp.read().strip())
+    except (ValueError, OSError):
+        return None
+
+
+def _write_pid(app_id: str, pid: int) -> None:
+    os.makedirs(_log_dir(), exist_ok=True)
+    with open(_pid_path(app_id), 'w') as fp:
+        fp.write(str(pid))
+
+
+def _clear_pid(app_id: str) -> None:
+    path = _pid_path(app_id)
+    try:
+        os.unlink(path)
+    except OSError:
+        pass
+
+
+# ── Module state file ─────────────────────────────────────────────────────────
+
+def write_module_state(app_id: str, enabled: bool) -> None:
+    """Mirror enabled/disabled state to .dev-module-state.json for start-dev.sh."""
+    path = _state_path()
+    state: dict = {}
+    if os.path.exists(path):
+        try:
+            with open(path) as fp:
+                state = json.load(fp)
+        except (json.JSONDecodeError, OSError):
+            state = {}
+    state[app_id] = enabled
+    with open(path, 'w') as fp:
+        json.dump(state, fp, indent=2)
+
+
+# ── Public API ────────────────────────────────────────────────────────────────
+
+def is_running(app_id: str) -> bool:
+    """Return True if the service process is alive."""
+    pid = _read_pid(app_id)
+    if pid is None:
+        return False
+    try:
+        os.kill(pid, 0)
+        return True
+    except ProcessLookupError:
+        _clear_pid(app_id)
+        return False
+    except PermissionError:
+        return True  # process exists, owned by another uid
+
+
+def stop_service(app_id: str) -> bool:
+    """Send SIGTERM to the service. Returns True if signal was delivered."""
+    pid = _read_pid(app_id)
+    if pid is None:
+        return False
+    try:
+        os.kill(pid, signal.SIGTERM)
+        _clear_pid(app_id)
+        log.info('Sent SIGTERM to %s (PID %d)', app_id, pid)
+        return True
+    except ProcessLookupError:
+        _clear_pid(app_id)
+        return False
+
+
+def start_service(app_id: str) -> bool:
+    """Spawn the service as a detached background process. Returns True on success."""
+    root = _root()
+    spec = _get_spec(app_id, root)
+    if spec is None:
+        log.warning('No service spec for app_id=%s', app_id)
+        return False
+
+    log_file = os.path.join(_log_dir(), f'{app_id}.log')
+    os.makedirs(_log_dir(), exist_ok=True)
+
+    env = {**os.environ, **spec.get('env', {})}
+    with open(log_file, 'a') as lf:
+        proc = subprocess.Popen(
+            spec['cmd'],
+            env=env,
+            cwd=spec.get('cwd'),
+            stdout=lf,
+            stderr=lf,
+            start_new_session=True,   # detach from the Flask process group
+        )
+    _write_pid(app_id, proc.pid)
+    log.info('Started %s as PID %d', app_id, proc.pid)
+    return True
+
+
+# ── Service command specs ─────────────────────────────────────────────────────
+
+def _get_spec(app_id: str, root: str) -> Optional[dict]:
+    """Return the launch spec for a given app_id, or None if unknown."""
+    jwt = os.environ.get('PORTAL_JWT_SECRET', 'change-this-jwt-secret-in-production')
+
+    specs: dict = {
+        'digiserver': {
+            'cmd': [
+                f'{root}/digiserver-v2/.venv/bin/gunicorn',
+                '--bind', '0.0.0.0:5002',
+                '--workers', '2',
+                '--timeout', '120',
+                '--chdir', f'{root}/digiserver-v2',
+                'wsgi:application',
+            ],
+            'env': {
+                'FLASK_ENV': 'development',
+                'ADMIN_USERNAME': os.environ.get('ADMIN_USERNAME', 'admin'),
+                'ADMIN_PASSWORD': os.environ.get('ADMIN_PASSWORD', 'admin123'),
+                'PORTAL_JWT_SECRET': jwt,
+            },
+            'cwd': f'{root}/digiserver-v2',
+        },
+        'itassets': {
+            'cmd': [
+                f'{root}/IT_asset_management/.venv/bin/python',
+                f'{root}/IT_asset_management/run.py',
+            ],
+            'env': {
+                'FLASK_ENV': 'development',
+                'SQLALCHEMY_DATABASE_URI': f'sqlite:///{root}/IT_asset_management/data/itassets.db',
+                'PORTAL_JWT_SECRET': jwt,
+                'FLASK_APP': 'run.py',
+            },
+            'cwd': f'{root}/IT_asset_management',
+        },
+        'networkview': {
+            'cmd': ['node', f'{root}/NetworkView/backend/src/index.js'],
+            'env': {
+                'PORT': '3001',
+                'PORTAL_JWT_SECRET': jwt,
+                'NODE_ENV': 'development',
+                'DB_PATH': f'{root}/NetworkView/data/networkview.db',
+            },
+            'cwd': f'{root}/NetworkView/backend',
+        },
+    }
+    return specs.get(app_id)
@@ -0,0 +1,448 @@
+/* ─────────────────────────────────────────────────────────────────────────────
+   Enterprise Digital Platform — Portal CSS
+   Dark-mode enterprise dashboard
+───────────────────────────────────────────────────────────────────────────── */
+
+:root {
+  --bg-base:       #0d1117;
+  --bg-surface:    #161b22;
+  --bg-card:       #1c2128;
+  --bg-card-hover: #21262d;
+  --border:        #30363d;
+  --border-subtle: #21262d;
+  --text-primary:  #e6edf3;
+  --text-secondary:#8b949e;
+  --text-muted:    #6e7681;
+  --accent-blue:   #388bfd;
+  --accent-green:  #3fb950;
+  --accent-amber:  #d29922;
+  --accent-red:    #f85149;
+  --radius:        10px;
+  --radius-sm:     6px;
+  --shadow:        0 4px 24px rgba(0,0,0,0.4);
+  --font:          -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, sans-serif;
+}
+
+*, *::before, *::after { box-sizing: border-box; margin: 0; padding: 0; }
+
+html, body {
+  height: 100%;
+  background: var(--bg-base);
+  color: var(--text-primary);
+  font-family: var(--font);
+  font-size: 15px;
+  line-height: 1.6;
+}
+
+a { color: var(--accent-blue); text-decoration: none; }
+a:hover { text-decoration: underline; }
+code { font-family: 'SFMono-Regular', Consolas, monospace; font-size: 0.85em; }
+
+/* ── Top Bar ────────────────────────────────────────────────────────────────── */
+.topbar {
+  display: flex;
+  align-items: center;
+  gap: 1.5rem;
+  padding: 0 1.5rem;
+  height: 56px;
+  background: var(--bg-surface);
+  border-bottom: 1px solid var(--border);
+  position: sticky;
+  top: 0;
+  z-index: 100;
+}
+
+.topbar-brand {
+  display: flex;
+  align-items: center;
+  gap: 0.5rem;
+  font-weight: 700;
+  font-size: 1rem;
+  color: var(--text-primary);
+  flex-shrink: 0;
+}
+
+.brand-icon { font-size: 1.4rem; color: var(--accent-blue); }
+
+.topbar-nav {
+  display: flex;
+  gap: 0.25rem;
+  flex: 1;
+}
+
+.nav-link {
+  padding: 0.35rem 0.75rem;
+  border-radius: var(--radius-sm);
+  color: var(--text-secondary);
+  font-size: 0.9rem;
+  transition: color 0.15s, background 0.15s;
+}
+.nav-link:hover { color: var(--text-primary); background: var(--bg-card); text-decoration: none; }
+.nav-link.active { color: var(--text-primary); background: var(--bg-card); }
+
+.topbar-user {
+  display: flex;
+  align-items: center;
+  gap: 0.5rem;
+  flex-shrink: 0;
+}
+
+.user-badge {
+  width: 30px;
+  height: 30px;
+  border-radius: 50%;
+  background: var(--accent-blue);
+  color: #fff;
+  display: flex;
+  align-items: center;
+  justify-content: center;
+  font-size: 0.8rem;
+  font-weight: 700;
+}
+
+.user-name { font-size: 0.9rem; color: var(--text-secondary); }
+.role-tag {
+  font-size: 0.7rem;
+  padding: 2px 6px;
+  border-radius: 20px;
+  background: rgba(56,139,253,0.2);
+  color: var(--accent-blue);
+  font-weight: 600;
+  text-transform: uppercase;
+  letter-spacing: 0.04em;
+}
+
+.btn-logout {
+  color: var(--text-muted);
+  font-size: 1.1rem;
+  padding: 4px 8px;
+  border-radius: var(--radius-sm);
+  transition: color 0.15s, background 0.15s;
+}
+.btn-logout:hover { color: var(--accent-red); background: rgba(248,81,73,0.1); text-decoration: none; }
+
+/* ── Flash Messages ─────────────────────────────────────────────────────────── */
+.flash-container { padding: 0.75rem 1.5rem 0; }
+.flash {
+  padding: 0.75rem 1rem;
+  border-radius: var(--radius-sm);
+  margin-bottom: 0.5rem;
+  font-size: 0.9rem;
+  border-left: 3px solid;
+}
+.flash-success { background: rgba(63,185,80,0.1);  border-color: var(--accent-green); color: #7ee787; }
+.flash-danger  { background: rgba(248,81,73,0.1);  border-color: var(--accent-red);   color: #ff7b72; }
+.flash-info    { background: rgba(56,139,253,0.1); border-color: var(--accent-blue);  color: #79c0ff; }
+.flash-warning { background: rgba(210,153,34,0.1); border-color: var(--accent-amber); color: #e3b341; }
+
+/* ── Page Content ────────────────────────────────────────────────────────────── */
+.page-content { padding: 2rem 1.5rem; max-width: 1280px; margin: 0 auto; }
+
+/* ── Login Page ─────────────────────────────────────────────────────────────── */
+.login-wrapper {
+  min-height: 100vh;
+  display: flex;
+  align-items: center;
+  justify-content: center;
+  padding: 2rem;
+  background:
+    radial-gradient(ellipse at 20% 20%, rgba(56,139,253,0.08) 0%, transparent 60%),
+    radial-gradient(ellipse at 80% 80%, rgba(63,185,80,0.06) 0%, transparent 60%),
+    var(--bg-base);
+}
+
+.login-card {
+  width: 100%;
+  max-width: 400px;
+  background: var(--bg-surface);
+  border: 1px solid var(--border);
+  border-radius: var(--radius);
+  padding: 2.5rem;
+  box-shadow: var(--shadow);
+}
+
+.login-logo { text-align: center; margin-bottom: 2rem; }
+.brand-icon-lg { font-size: 2.5rem; }
+.login-title { font-size: 1.4rem; font-weight: 700; margin-top: 0.5rem; }
+.login-subtitle { color: var(--text-secondary); font-size: 0.9rem; }
+
+/* ── Forms ───────────────────────────────────────────────────────────────────── */
+.form-group { margin-bottom: 1.25rem; }
+.form-label { display: block; font-size: 0.875rem; font-weight: 600; margin-bottom: 0.4rem; color: var(--text-secondary); }
+.form-input, .form-select {
+  width: 100%;
+  padding: 0.6rem 0.85rem;
+  background: var(--bg-card);
+  border: 1px solid var(--border);
+  border-radius: var(--radius-sm);
+  color: var(--text-primary);
+  font-size: 0.9rem;
+  transition: border-color 0.15s;
+  outline: none;
+}
+.form-input:focus, .form-select:focus { border-color: var(--accent-blue); box-shadow: 0 0 0 3px rgba(56,139,253,0.15); }
+.form-select option { background: var(--bg-card); }
+.form-row { display: grid; grid-template-columns: 1fr 1fr; gap: 1rem; }
+.form-group--grow { flex: 1; }
+.form-group--action { min-width: 140px; }
+.form-actions { display: flex; gap: 0.75rem; margin-top: 1.5rem; }
+.form-card { background: var(--bg-card); border: 1px solid var(--border); border-radius: var(--radius); padding: 1.5rem; margin-bottom: 1.5rem; }
+.form-inline-card { background: var(--bg-card); border: 1px solid var(--border); border-radius: var(--radius); padding: 1rem 1.25rem; margin-bottom: 1.5rem; }
+
+/* Toggle switch */
+.toggle,
+.module-toggle { display: flex; align-items: center; gap: 0.75rem; cursor: pointer; user-select: none; }
+.toggle input,
+.module-toggle-input { display: none; }
+.toggle-slider {
+  width: 38px; height: 22px; border-radius: 11px;
+  background: var(--border); transition: background 0.2s; flex-shrink: 0; position: relative;
+}
+.toggle-slider::after {
+  content: '';
+  width: 16px; height: 16px;
+  border-radius: 50%; background: #fff;
+  position: absolute; top: 3px; left: 3px;
+  transition: transform 0.2s;
+}
+.toggle input:checked + .toggle-slider,
+.module-toggle-input:checked + .toggle-slider { background: var(--accent, var(--accent-blue)); }
+.toggle input:checked + .toggle-slider::after,
+.module-toggle-input:checked + .toggle-slider::after { transform: translateX(16px); }
+.toggle-label { font-size: 0.9rem; color: var(--text-secondary); }
+
+/* ── Buttons ─────────────────────────────────────────────────────────────────── */
+.btn {
+  display: inline-flex;
+  align-items: center;
+  justify-content: center;
+  padding: 0.55rem 1.1rem;
+  border-radius: var(--radius-sm);
+  font-size: 0.9rem;
+  font-weight: 600;
+  border: none;
+  cursor: pointer;
+  text-decoration: none;
+  transition: opacity 0.15s, filter 0.15s;
+}
+.btn:hover { filter: brightness(1.15); text-decoration: none; }
+.btn:active { filter: brightness(0.9); }
+.btn-primary   { background: var(--accent-blue);  color: #fff; }
+.btn-secondary { background: var(--bg-card);       color: var(--text-primary); border: 1px solid var(--border); }
+.btn-danger    { background: rgba(248,81,73,0.15); color: var(--accent-red); border: 1px solid rgba(248,81,73,0.3); }
+.btn-full      { width: 100%; }
+.btn-sm        { padding: 0.3rem 0.7rem; font-size: 0.82rem; }
+
+/* App launch button */
+.btn-app {
+  padding: 0.55rem 1.25rem;
+  border-radius: var(--radius-sm);
+  font-size: 0.9rem;
+  font-weight: 700;
+  background: color-mix(in srgb, var(--accent) 20%, transparent);
+  color: var(--accent);
+  border: 1px solid color-mix(in srgb, var(--accent) 40%, transparent);
+  cursor: pointer;
+  transition: background 0.15s, border-color 0.15s;
+}
+.btn-app:hover { background: color-mix(in srgb, var(--accent) 30%, transparent); text-decoration: none; }
+.btn-app--disabled {
+  background: rgba(110,118,129,0.1);
+  color: var(--text-muted);
+  border: 1px solid var(--border-subtle);
+  cursor: not-allowed;
+}
+
+/* ── Dashboard App Grid ───────────────────────────────────────────────────────── */
+.dashboard-wrapper { max-width: 1100px; }
+.dashboard-header { margin-bottom: 2rem; }
+.section-title    { font-size: 1.5rem; font-weight: 700; margin-bottom: 0.25rem; }
+.section-subtitle { color: var(--text-secondary); font-size: 0.9rem; }
+.section-hint     { color: var(--text-secondary); font-size: 0.875rem; margin-bottom: 1.25rem; }
+
+.app-grid {
+  display: grid;
+  grid-template-columns: repeat(auto-fill, minmax(300px, 1fr));
+  gap: 1.25rem;
+}
+
+.app-card {
+  background: var(--bg-card);
+  border: 1px solid var(--border);
+  border-top: 3px solid var(--accent);
+  border-radius: var(--radius);
+  padding: 1.5rem;
+  display: flex;
+  flex-direction: column;
+  gap: 1rem;
+  transition: transform 0.15s, box-shadow 0.15s;
+}
+.app-card:hover { transform: translateY(-2px); box-shadow: var(--shadow); }
+.app-card--locked { opacity: 0.55; }
+.app-card--locked:hover { transform: none; box-shadow: none; }
+
+.app-card-header { display: flex; align-items: center; justify-content: space-between; }
+.app-icon        { font-size: 2rem; }
+
+.app-status      { display: flex; align-items: center; gap: 0.4rem; }
+.status-dot      { width: 8px; height: 8px; border-radius: 50%; }
+.status-dot--active   { background: var(--accent-green); box-shadow: 0 0 6px var(--accent-green); }
+.status-dot--inactive { background: var(--text-muted); }
+.status-label    { font-size: 0.8rem; color: var(--text-secondary); }
+
+.app-name        { font-size: 1.1rem; font-weight: 700; }
+.app-desc        { font-size: 0.875rem; color: var(--text-secondary); line-height: 1.5; }
+.app-card-body   { flex: 1; }
+.app-card-footer { padding-top: 0.5rem; border-top: 1px solid var(--border-subtle); }
+
+/* ── Settings ────────────────────────────────────────────────────────────────── */
+.settings-wrapper { max-width: 1200px; }
+.settings-header  { margin-bottom: 1.5rem; display: flex; flex-direction: column; gap: 0.75rem; }
+
+.settings-tabs { display: flex; gap: 0.25rem; border-bottom: 1px solid var(--border); padding-bottom: 0; }
+.tab-link {
+  padding: 0.5rem 1rem;
+  border-bottom: 2px solid transparent;
+  color: var(--text-secondary);
+  font-size: 0.9rem;
+  font-weight: 500;
+  transition: color 0.15s, border-color 0.15s;
+  margin-bottom: -1px;
+}
+.tab-link:hover { color: var(--text-primary); text-decoration: none; }
+.tab-link.active { color: var(--accent-blue); border-bottom-color: var(--accent-blue); }
+
+.settings-section { margin-top: 1.5rem; }
+.section-toolbar  { display: flex; align-items: center; justify-content: space-between; margin-bottom: 1rem; }
+.section-toolbar h3 { font-size: 1rem; font-weight: 600; }
+
+/* ── Table ───────────────────────────────────────────────────────────────────── */
+.table-wrapper { overflow-x: auto; border: 1px solid var(--border); border-radius: var(--radius); }
+.data-table    { width: 100%; border-collapse: collapse; font-size: 0.875rem; }
+.data-table th {
+  background: var(--bg-surface);
+  color: var(--text-secondary);
+  font-weight: 600;
+  font-size: 0.8rem;
+  text-transform: uppercase;
+  letter-spacing: 0.04em;
+  padding: 0.65rem 1rem;
+  text-align: left;
+  border-bottom: 1px solid var(--border);
+}
+.data-table td {
+  padding: 0.75rem 1rem;
+  border-bottom: 1px solid var(--border-subtle);
+  vertical-align: middle;
+}
+.data-table tr:last-child td { border-bottom: none; }
+.data-table tr:hover td { background: var(--bg-card-hover); }
+.row-inactive td { opacity: 0.5; }
+.app-col   { text-align: center; }
+.center    { text-align: center; }
+.text-muted { color: var(--text-secondary); }
+.empty-row  { text-align: center; color: var(--text-muted); padding: 2rem; }
+.key-cell  { background: var(--bg-surface); padding: 2px 8px; border-radius: 4px; font-size: 0.8rem; }
+
+/* ── Per-app role select ─────────────────────────────────────────────────────── */
+.app-role-select {
+  appearance: none;
+  background: var(--bg-surface);
+  border: 1px solid var(--border);
+  border-radius: var(--radius-sm);
+  color: var(--text-secondary);
+  font-size: 0.78rem;
+  padding: 0.2rem 0.55rem;
+  cursor: pointer;
+  outline: none;
+  transition: border-color 0.15s, color 0.15s;
+  min-width: 90px;
+}
+.app-role-select:focus { border-color: var(--app-color, var(--accent-blue)); }
+.app-role-select option { background: var(--bg-card); }
+/* Colour the cell when a real role is selected */
+.app-role-select:not([value="none"]) { border-color: var(--app-color, var(--accent-blue)); }
+/* highlight the select based on selected option via JS */
+.app-role-select.has-access { color: var(--app-color, var(--accent-blue)); border-color: var(--app-color, var(--accent-blue)); }
+
+/* ── Badges ──────────────────────────────────────────────────────────────────── */
+.badge {
+  display: inline-block;
+  padding: 2px 8px;
+  border-radius: 20px;
+  font-size: 0.72rem;
+  font-weight: 700;
+  text-transform: uppercase;
+  letter-spacing: 0.04em;
+}
+.badge-admin    { background: rgba(56,139,253,0.2);  color: var(--accent-blue); }
+.badge-user     { background: rgba(110,118,129,0.2); color: var(--text-secondary); }
+.badge-active   { background: rgba(63,185,80,0.2);  color: var(--accent-green); }
+.badge-inactive { background: rgba(110,118,129,0.2); color: var(--text-muted); }
+
+/* ── App role grid (new user form) ───────────────────────────────────────────── */
+.app-role-grid {
+  display: grid;
+  grid-template-columns: repeat(auto-fill, minmax(200px, 1fr));
+  gap: 1rem;
+}
+.app-role-card {
+  background: var(--bg-surface);
+  border: 1px solid var(--border);
+  border-top: 3px solid var(--app-color, var(--accent-blue));
+  border-radius: var(--radius-sm);
+  padding: 1rem;
+  display: flex;
+  flex-direction: column;
+  gap: 0.5rem;
+}
+.app-role-card-header {
+  display: flex;
+  align-items: center;
+  gap: 0.5rem;
+}
+.app-role-desc {
+  font-size: 0.78rem;
+  color: var(--text-secondary);
+  margin: 0;
+  flex: 1;
+}
+.app-role-new-select {
+  appearance: none;
+  background: var(--bg-card);
+  border: 1px solid var(--border);
+  border-radius: var(--radius-sm);
+  color: var(--text-secondary);
+  font-size: 0.82rem;
+  padding: 0.3rem 0.55rem;
+  cursor: pointer;
+  width: 100%;
+}
+
+/* ── App checkbox grid (new user form, legacy) ──────────────────────────────── */
+.app-checkbox-grid { display: flex; gap: 0.75rem; flex-wrap: wrap; }
+.app-checkbox-item {
+  display: flex;
+  align-items: center;
+  gap: 0.5rem;
+  padding: 0.6rem 1rem;
+  border: 1px solid var(--border);
+  border-radius: var(--radius-sm);
+  cursor: pointer;
+  transition: border-color 0.15s, background 0.15s;
+}
+.app-checkbox-item:hover { border-color: var(--accent); background: color-mix(in srgb, var(--accent) 8%, transparent); }
+.app-checkbox-item input { accent-color: var(--accent); cursor: pointer; }
+.app-checkbox-icon { font-size: 1.1rem; }
+.app-checkbox-name { font-size: 0.875rem; font-weight: 500; }
+
+/* ── Error page ──────────────────────────────────────────────────────────────── */
+.error-wrapper { min-height: 60vh; display: flex; align-items: center; justify-content: center; }
+.error-card { text-align: center; max-width: 400px; }
+.error-icon { font-size: 3rem; margin-bottom: 1rem; }
+.error-card h2 { font-size: 1.4rem; margin-bottom: 0.5rem; }
+.error-card p { color: var(--text-secondary); margin-bottom: 1.5rem; }
+
+/* ── Access checkbox (inline form) ───────────────────────────────────────────── */
+.inline-form { display: inline; }
+.access-checkbox { cursor: pointer; accent-color: var(--accent-blue); width: 16px; height: 16px; }
@@ -0,0 +1,49 @@
+{% extends 'base.html' %}
+{% block title %}Sign In — Enterprise Digital Platform{% endblock %}
+
+{% block content %}
+<div class="login-wrapper">
+  <div class="login-card">
+    <div class="login-logo">
+      <span class="brand-icon-lg">⬡</span>
+      <h1 class="login-title">Enterprise Digital Platform</h1>
+      <p class="login-subtitle">Sign in to continue</p>
+    </div>
+
+    {% with messages = get_flashed_messages(with_categories=true) %}
+      {% if messages %}
+        {% for category, message in messages %}
+          <div class="flash flash-{{ category }}">{{ message }}</div>
+        {% endfor %}
+      {% endif %}
+    {% endwith %}
+
+    <form method="POST" action="{{ url_for('auth.login', next=request.args.get('next', '')) }}" autocomplete="off">
+      <div class="form-group">
+        <label for="username" class="form-label">Username</label>
+        <input
+          id="username"
+          name="username"
+          type="text"
+          class="form-input"
+          placeholder="Enter username"
+          required
+          autofocus
+        />
+      </div>
+      <div class="form-group">
+        <label for="password" class="form-label">Password</label>
+        <input
+          id="password"
+          name="password"
+          type="password"
+          class="form-input"
+          placeholder="Enter password"
+          required
+        />
+      </div>
+      <button type="submit" class="btn btn-primary btn-full">Sign In</button>
+    </form>
+  </div>
+</div>
+{% endblock %}
@@ -0,0 +1,44 @@
+<!DOCTYPE html>
+<html lang="en">
+<head>
+  <meta charset="UTF-8" />
+  <meta name="viewport" content="width=device-width, initial-scale=1.0" />
+  <title>{% block title %}Enterprise Digital Platform{% endblock %}</title>
+  <link rel="stylesheet" href="{{ url_for('static', filename='css/portal.css') }}" />
+</head>
+<body>
+  {% if current_user.is_authenticated %}
+  <header class="topbar">
+    <div class="topbar-brand">
+      <span class="brand-icon">⬡</span>
+      <span class="brand-name">Enterprise Digital Platform</span>
+    </div>
+    <nav class="topbar-nav">
+      <a href="{{ url_for('dashboard.index') }}" class="nav-link {% if request.endpoint == 'dashboard.index' %}active{% endif %}">Dashboard</a>
+      {% if current_user.is_admin %}
+      <a href="{{ url_for('settings.index') }}" class="nav-link {% if request.blueprint == 'settings' %}active{% endif %}">Settings</a>
+      {% endif %}
+    </nav>
+    <div class="topbar-user">
+      <span class="user-badge">{{ current_user.username[0].upper() }}</span>
+      <span class="user-name">{{ current_user.username }}</span>
+      {% if current_user.is_admin %}<span class="role-tag">admin</span>{% endif %}
+      <a href="{{ url_for('auth.logout') }}" class="btn-logout" title="Sign out">⏏</a>
+    </div>
+  </header>
+  {% endif %}
+
+  <main class="page-content">
+    {% with messages = get_flashed_messages(with_categories=true) %}
+      {% if messages %}
+        <div class="flash-container">
+          {% for category, message in messages %}
+            <div class="flash flash-{{ category }}">{{ message }}</div>
+          {% endfor %}
+        </div>
+      {% endif %}
+    {% endwith %}
+    {% block content %}{% endblock %}
+  </main>
+</body>
+</html>
@@ -0,0 +1,13 @@
+{% extends 'base.html' %}
+{% block title %}Access Denied — Enterprise Digital Platform{% endblock %}
+
+{% block content %}
+<div class="error-wrapper">
+  <div class="error-card">
+    <div class="error-icon">🚫</div>
+    <h2>Access Denied</h2>
+    <p>You do not have permission to access this application.<br>Contact your administrator to request access.</p>
+    <a href="{{ url_for('dashboard.index') }}" class="btn btn-primary">← Back to Dashboard</a>
+  </div>
+</div>
+{% endblock %}
@@ -0,0 +1,45 @@
+{% extends 'base.html' %}
+{% block title %}Dashboard — Enterprise Digital Platform{% endblock %}
+
+{% block content %}
+<div class="dashboard-wrapper">
+  <div class="dashboard-header">
+    <h2 class="section-title">Applications</h2>
+    <p class="section-subtitle">Click <strong>Open</strong> to launch an application. Your session carries over automatically.</p>
+  </div>
+
+  <div class="app-grid">
+    {% for app in apps %}
+    <div class="app-card {% if not app.has_access %}app-card--locked{% endif %}" style="--accent: {{ app.color }};">
+      <div class="app-card-header">
+        <span class="app-icon">{{ app.icon }}</span>
+        <div class="app-status">
+          {% if app.has_access %}
+            <span class="status-dot status-dot--active"></span>
+            <span class="status-label">Access granted</span>
+          {% else %}
+            <span class="status-dot status-dot--inactive"></span>
+            <span class="status-label">No access</span>
+          {% endif %}
+        </div>
+      </div>
+      <div class="app-card-body">
+        <h3 class="app-name">{{ app.name }}</h3>
+        <p class="app-desc">{{ app.description }}</p>
+      </div>
+      <div class="app-card-footer">
+        {% if app.has_access %}
+          <a href="{{ app.url }}" class="btn btn-app" style="--accent: {{ app.color }};" target="_self">
+            Open →
+          </a>
+        {% else %}
+          <span class="btn btn-app btn-app--disabled" title="Contact your administrator to request access.">
+            No Access
+          </span>
+        {% endif %}
+      </div>
+    </div>
+    {% endfor %}
+  </div>
+</div>
+{% endblock %}
@@ -0,0 +1,105 @@
+{% extends 'base.html' %}
+{% block title %}API Keys — Settings{% endblock %}
+
+{% block content %}
+<div class="settings-wrapper">
+  <div class="settings-header">
+    <h2 class="section-title">Settings</h2>
+    <div class="settings-tabs">
+      <a href="{{ url_for('settings.index') }}" class="tab-link">Users &amp; Access</a>
+      <a href="{{ url_for('settings.api_keys') }}" class="tab-link active">API Keys</a>
+      <a href="{{ url_for('settings.modules') }}" class="tab-link">Modules</a>
+    </div>
+  </div>
+
+  <div class="settings-section">
+    <div class="section-toolbar">
+      <h3>API Keys</h3>
+    </div>
+    <p class="section-hint">
+      API keys allow programmatic access to sub-applications.
+      Pass the key as an <code>X-Api-Key</code> header in your requests.
+    </p>
+
+    <!-- New key form -->
+    <form method="POST" action="{{ url_for('settings.new_api_key') }}" class="form-inline-card">
+      <div class="form-row">
+        <div class="form-group">
+          <label class="form-label">User</label>
+          <select name="user_id" class="form-select" required>
+            <option value="">— select user —</option>
+            {% for u in users %}
+            <option value="{{ u.id }}">{{ u.username }}</option>
+            {% endfor %}
+          </select>
+        </div>
+        <div class="form-group">
+          <label class="form-label">Application</label>
+          <select name="app_name" class="form-select" required>
+            <option value="">— select app —</option>
+            {% for app in registered_apps %}
+            <option value="{{ app['id'] }}">{{ app.icon }} {{ app.name }}</option>
+            {% endfor %}
+          </select>
+        </div>
+        <div class="form-group form-group--grow">
+          <label class="form-label">Description (optional)</label>
+          <input type="text" name="description" class="form-input" placeholder="e.g. CI/CD integration" />
+        </div>
+        <div class="form-group form-group--action">
+          <label class="form-label">&nbsp;</label>
+          <button type="submit" class="btn btn-primary">Generate Key</button>
+        </div>
+      </div>
+    </form>
+
+    <!-- Keys table -->
+    <div class="table-wrapper">
+      <table class="data-table">
+        <thead>
+          <tr>
+            <th>User</th>
+            <th>Application</th>
+            <th>Key</th>
+            <th>Description</th>
+            <th>Status</th>
+            <th>Created</th>
+            <th>Last Used</th>
+            <th>Actions</th>
+          </tr>
+        </thead>
+        <tbody>
+          {% for k in keys %}
+          <tr class="{{ 'row-inactive' if not k.is_active }}">
+            <td>{{ k.user.username }}</td>
+            <td>{{ k.app_name }}</td>
+            <td><code class="key-cell">{{ k.key[:16] }}…</code></td>
+            <td class="text-muted">{{ k.description or '—' }}</td>
+            <td>
+              {% if k.is_active %}
+                <span class="badge badge-active">active</span>
+              {% else %}
+                <span class="badge badge-inactive">revoked</span>
+              {% endif %}
+            </td>
+            <td class="text-muted">{{ k.created_at.strftime('%Y-%m-%d') }}</td>
+            <td class="text-muted">{{ k.last_used_at.strftime('%Y-%m-%d') if k.last_used_at else '—' }}</td>
+            <td>
+              {% if k.is_active %}
+              <form method="POST" action="{{ url_for('settings.revoke_api_key', key_id=k.id) }}"
+                    onsubmit="return confirm('Revoke this API key?')">
+                <button type="submit" class="btn btn-sm btn-danger">Revoke</button>
+              </form>
+              {% endif %}
+            </td>
+          </tr>
+          {% endfor %}
+          {% if not keys %}
+          <tr><td colspan="8" class="empty-row">No API keys yet.</td></tr>
+          {% endif %}
+        </tbody>
+      </table>
+    </div>
+  </div>
+</div>
+{% endblock %}
@@ -0,0 +1,124 @@
+{% extends 'base.html' %}
+{% block title %}Settings — Enterprise Digital Platform{% endblock %}
+
+{% block content %}
+<div class="settings-wrapper">
+  <div class="settings-header">
+    <h2 class="section-title">Settings</h2>
+    <div class="settings-tabs">
+      <a href="{{ url_for('settings.index') }}" class="tab-link active">Users &amp; Access</a>
+      <a href="{{ url_for('settings.api_keys') }}" class="tab-link">API Keys</a>
+      <a href="{{ url_for('settings.modules') }}" class="tab-link">Modules</a>
+    </div>
+  </div>
+
+  <div class="settings-section">
+    <div class="section-toolbar">
+      <h3>Portal Users</h3>
+      <a href="{{ url_for('settings.new_user') }}" class="btn btn-primary btn-sm">+ New User</a>
+    </div>
+
+    <div class="table-wrapper">
+      <table class="data-table">
+        <thead>
+          <tr>
+            <th>Username</th>
+            <th>Email</th>
+            <th>Role</th>
+            <th>Last Login</th>
+            {% for app in registered_apps %}
+            <th class="app-col" style="border-top: 3px solid {{ app.color }};">
+              {{ app.icon }} {{ app.name }}<br/>
+              <small style="font-weight:400; color:var(--text-muted);">access / role</small>
+            </th>
+            {% endfor %}
+            <th>Actions</th>
+          </tr>
+        </thead>
+        <tbody>
+          {% for user in users %}
+          <tr>
+            <td><strong>{{ user.username }}</strong></td>
+            <td class="text-muted">{{ user.email }}</td>
+            <td>
+              {% if user.is_admin %}
+                <span class="badge badge-admin">admin</span>
+              {% else %}
+                <span class="badge badge-user">user</span>
+              {% endif %}
+            </td>
+            <td class="text-muted">
+              {{ user.last_login.strftime('%Y-%m-%d %H:%M') if user.last_login else '—' }}
+            </td>
+
+            {# Per-app role dropdown — auto-submits on change #}
+            {% for app in registered_apps %}
+            {% set cur_access = user.app_accesses.filter_by(app_name=app['id']).first() %}
+            {% set cur_role = cur_access.app_role if cur_access and cur_access.is_active and cur_access.app_role else ('active' if (cur_access and cur_access.is_active) else 'none') %}
+            <td class="center">
+              <form method="POST" action="{{ url_for('settings.update_access', user_id=user.id) }}"
+                    class="inline-form">
+                {# Carry all other apps' current values as hidden inputs #}
+                {% for other in registered_apps %}
+                  {% if other['id'] != app['id'] %}
+                    {% set oa = user.app_accesses.filter_by(app_name=other['id']).first() %}
+                    {% if oa and oa.is_active %}
+                    <input type="hidden" name="role_{{ other['id'] }}"
+                           value="{{ oa.app_role if oa.app_role else 'user' }}" />
+                    {% else %}
+                    <input type="hidden" name="role_{{ other['id'] }}" value="none" />
+                    {% endif %}
+                  {% endif %}
+                {% endfor %}
+
+                <select name="role_{{ app['id'] }}"
+                        class="app-role-select"
+                        style="--app-color: {{ app.color }};"
+                        onchange="this.closest('form').submit()"
+                        title="{{ app['name'] }} access for {{ user.username }}"
+                        {% if user.id == current_user.id and app['id'] == 'portal' %}disabled{% endif %}>
+                  <option value="none"  {% if not (cur_access and cur_access.is_active) %}selected{% endif %}>
+                    — no access
+                  </option>
+                  <option value="user"
+                    {% if cur_access and cur_access.is_active and (not cur_access.app_role or cur_access.app_role == 'user') %}selected{% endif %}>
+                    ✓ user
+                  </option>
+                  <option value="admin"
+                    {% if cur_access and cur_access.is_active and cur_access.app_role == 'admin' %}selected{% endif %}>
+                    ★ admin
+                  </option>
+                </select>
+              </form>
+            </td>
+            {% endfor %}
+
+            <td>
+              {% if user.id != current_user.id %}
+              <form method="POST" action="{{ url_for('settings.delete_user', user_id=user.id) }}"
+                    onsubmit="return confirm('Delete user {{ user.username }}?')">
+                <button type="submit" class="btn btn-sm btn-danger">Delete</button>
+              </form>
+              {% else %}
+              <span class="text-muted">—</span>
+              {% endif %}
+            </td>
+          </tr>
+          {% endfor %}
+        </tbody>
+      </table>
+    </div>
+  </div>
+</div>
+
+<script>
+  document.querySelectorAll('.app-role-select').forEach(function(sel) {
+    function refresh() {
+      if (sel.value !== 'none') sel.classList.add('has-access');
+      else sel.classList.remove('has-access');
+    }
+    refresh();
+    sel.addEventListener('change', refresh);
+  });
+</script>
+{% endblock %}
@@ -0,0 +1,109 @@
+{% extends 'base.html' %}
+{% block title %}Modules — Enterprise Digital Platform{% endblock %}
+
+{% block content %}
+<div class="settings-wrapper">
+  <div class="settings-header">
+    <h2 class="section-title">Settings</h2>
+    <div class="settings-tabs">
+      <a href="{{ url_for('settings.index') }}" class="tab-link">Users &amp; Access</a>
+      <a href="{{ url_for('settings.api_keys') }}" class="tab-link">API Keys</a>
+      <a href="{{ url_for('settings.modules') }}" class="tab-link active">Modules</a>
+    </div>
+  </div>
+
+  <div class="settings-section">
+    <div class="section-toolbar">
+      <h3>Installed Modules</h3>
+      <span class="text-muted" style="font-size:0.875rem;">
+        Enable or disable services to control which applications run on this instance.
+      </span>
+    </div>
+
+    <div class="app-grid" style="margin-top:1.25rem;">
+      {% for ms in module_statuses %}
+      {% set app   = ms.app %}
+      {% set on    = ms.enabled %}
+      {% set alive = ms.running %}
+      <div class="app-card {% if not on %}app-card--locked{% endif %}"
+           style="--accent: {{ app.color }};">
+        <div class="app-card-header">
+          <span class="app-icon">{{ app.icon }}</span>
+          <span class="app-status">
+            <span class="status-dot {% if alive %}status-dot--active{% else %}status-dot--inactive{% endif %}"></span>
+            <span class="status-label">{% if alive %}running{% else %}stopped{% endif %}</span>
+          </span>
+        </div>
+
+        <div class="app-card-body">
+          <div class="app-name">{{ app.name }}</div>
+          <div class="app-desc" style="margin-top:0.4rem;">{{ app.description }}</div>
+        </div>
+
+        <div class="app-card-footer" style="display:flex; align-items:center; justify-content:space-between; gap:1rem;">
+          {# Toggle switch — submits a hidden form on change #}
+          <label class="module-toggle" title="{% if on %}Disable {{ app.name }}{% else %}Enable {{ app.name }}{% endif %}">
+            <input
+              type="checkbox"
+              class="module-toggle-input"
+              data-app="{{ app.id }}"
+              data-action-enable="{{ url_for('settings.toggle_module', app_id=app.id) }}"
+              {% if on %}checked{% endif %}
+            />
+            <span class="toggle-slider"></span>
+            <span class="toggle-label">{% if on %}Enabled{% else %}Disabled{% endif %}</span>
+          </label>
+
+          {# Hidden forms — one per action #}
+          <form id="form-enable-{{ app.id }}" method="POST"
+                action="{{ url_for('settings.toggle_module', app_id=app.id) }}" style="display:none;">
+            <input type="hidden" name="action" value="enable" />
+          </form>
+          <form id="form-disable-{{ app.id }}" method="POST"
+                action="{{ url_for('settings.toggle_module', app_id=app.id) }}" style="display:none;">
+            <input type="hidden" name="action" value="disable" />
+          </form>
+
+          {% if on and alive %}
+          <a href="{{ app.url }}" class="btn btn-sm btn-secondary" target="_blank">Open ↗</a>
+          {% endif %}
+        </div>
+      </div>
+      {% endfor %}
+    </div>
+
+    <div class="form-inline-card" style="margin-top:1.5rem; display:flex; align-items:flex-start; gap:0.75rem;">
+      <span style="font-size:1.25rem; flex-shrink:0;">ℹ️</span>
+      <div style="font-size:0.875rem; color:var(--text-secondary); line-height:1.6;">
+        <strong style="color:var(--text-primary);">How modules work</strong><br/>
+        Disabling a module sends a stop signal to its process and prevents it from being proxied.
+        Enabling a module starts its process in the background.
+        Module state is preserved across page reloads and respected by
+        <code>./start-dev.sh</code> on next launch.
+      </div>
+    </div>
+  </div>
+</div>
+
+<script>
+  document.querySelectorAll('.module-toggle-input').forEach(function(cb) {
+    cb.addEventListener('change', function() {
+      var appId  = this.dataset.app;
+      var action = this.checked ? 'enable' : 'disable';
+      var confirmed = true;
+      if (action === 'disable') {
+        confirmed = confirm(
+          'Disable and stop this service?\n\n' +
+          'Users will lose access until it is re-enabled.'
+        );
+      }
+      if (confirmed) {
+        document.getElementById('form-' + action + '-' + appId).submit();
+      } else {
+        // Revert visual state without submitting
+        this.checked = !this.checked;
+      }
+    });
+  });
+</script>
+{% endblock %}
@@ -0,0 +1,96 @@
+{% extends 'base.html' %}
+{% block title %}New User — Settings{% endblock %}
+
+{% block content %}
+<div class="settings-wrapper">
+  <div class="settings-header">
+    <h2 class="section-title">Settings</h2>
+    <div class="settings-tabs">
+      <a href="{{ url_for('settings.index') }}" class="tab-link active">Users &amp; Access</a>
+      <a href="{{ url_for('settings.api_keys') }}" class="tab-link">API Keys</a>
+      <a href="{{ url_for('settings.modules') }}" class="tab-link">Modules</a>
+    </div>
+  </div>
+
+  <div class="settings-section">
+    <div class="section-toolbar">
+      <h3>Create New User</h3>
+      <a href="{{ url_for('settings.index') }}" class="btn btn-sm btn-secondary">← Back</a>
+    </div>
+
+    <form method="POST" class="form-card">
+      <div class="form-row">
+        <div class="form-group">
+          <label class="form-label">Username</label>
+          <input type="text" name="username" class="form-input" required autofocus />
+        </div>
+        <div class="form-group">
+          <label class="form-label">Email</label>
+          <input type="email" name="email" class="form-input" required />
+        </div>
+      </div>
+      <div class="form-row">
+        <div class="form-group">
+          <label class="form-label">Password</label>
+          <input type="password" name="password" class="form-input" required />
+        </div>
+        <div class="form-group form-group--check">
+          <label class="form-label">Portal Role</label>
+          <label class="toggle">
+            <input type="checkbox" name="is_admin" />
+            <span class="toggle-slider"></span>
+            <span class="toggle-label">Platform administrator</span>
+          </label>
+        </div>
+      </div>
+
+      <div class="form-group">
+        <label class="form-label">Application Access &amp; Role</label>
+        <p style="font-size:0.82rem; color:var(--text-secondary); margin-bottom:0.75rem;">
+          Select the access level for each application. "Admin" grants full management rights
+          inside that app regardless of the portal role above.
+        </p>
+        <div class="app-role-grid">
+          {% for app in registered_apps %}
+          <div class="app-role-card" style="--app-color: {{ app.color }}; border-top-color: {{ app.color }};">
+            <div class="app-role-card-header">
+              <span style="font-size:1.5rem;">{{ app.icon }}</span>
+              <strong>{{ app.name }}</strong>
+            </div>
+            <p class="app-role-desc">{{ app.description }}</p>
+            <select name="role_{{ app['id'] }}" class="form-select app-role-new-select"
+                    data-color="{{ app.color }}">
+              <option value="none">— No access</option>
+              <option value="user">✓ User</option>
+              <option value="admin">★ Admin</option>
+            </select>
+          </div>
+          {% endfor %}
+        </div>
+      </div>
+
+      <div class="form-actions">
+        <button type="submit" class="btn btn-primary">Create User</button>
+        <a href="{{ url_for('settings.index') }}" class="btn btn-secondary">Cancel</a>
+      </div>
+    </form>
+  </div>
+</div>
+
+<script>
+  document.querySelectorAll('.app-role-new-select').forEach(function(sel) {
+    function refresh() {
+      var color = sel.dataset.color;
+      if (sel.value !== 'none') {
+        sel.style.borderColor = color;
+        sel.style.color = color;
+      } else {
+        sel.style.borderColor = '';
+        sel.style.color = '';
+      }
+    }
+    refresh();
+    sel.addEventListener('change', refresh);
+  });
+</script>
+{% endblock %}