@logboard/cli 1.0.0

package/routes/audit.js

@@ -0,0 +1,50 @@
+'use strict';
+const { Router } = require('express');
+const svc = require('../services/AuditService');
+const { authenticate } = require('../middleware/auth');
+const requireRole = require('../middleware/roles');
+
+const router = Router();
+const admin = [authenticate, requireRole('admin')];
+const auth = [authenticate];
+
+// List audit entries
+router.get('/', ...admin, async (req, res) => {
+	try {
+		const { limit=200, offset=0, q='', action='' } = req.query;
+		res.json(await svc.list({ limit: Number(limit), offset: Number(offset), q, action }));
+	} catch (e) { res.status(500).json({ error: e.message }); }
+});
+
+// Analytics
+router.get('/analytics', ...admin, async (req, res) => {
+	try {
+		const days = Number(req.query.days||7);
+		res.json(await svc.getAnalytics(days));
+	} catch (e) { res.status(500).json({ error: e.message }); }
+});
+
+// Page view beacon (called from client JS on page unload)
+router.post('/page-view', ...auth, async (req, res) => {
+	try {
+		const { page, durationSec } = req.body;
+		await svc.logPageView(req.user.username, page, durationSec, req.ip);
+		res.json({ ok: true });
+	} catch (e) { res.status(500).json({ error: e.message }); }
+});
+
+// Log view event
+router.post('/log-view', ...auth, async (req, res) => {
+	try {
+		const { service, date, q } = req.body;
+		await svc.logLogAccess(req.user.username, service, date, q, req.ip);
+		res.json({ ok: true });
+	} catch (e) { res.status(500).json({ error: e.message }); }
+});
+
+// Clear
+router.delete('/', ...admin, async (req, res) => {
+	try { await svc.clear(); res.json({ success: true }); } catch (e) { res.status(500).json({ error: e.message }); }
+});
+
+module.exports = router;

package/routes/auth.js

@@ -0,0 +1,22 @@
+'use strict';
+const { Router } = require('express');
+const AuthService = require('../services/AuthService');
+const AuthController = require('../controllers/AuthController');
+const { authenticate } = require('../middleware/auth');
+const rateLimit = require('../middleware/rateLimit');
+
+const router = Router();
+const svc = new AuthService();
+const ctrl = new AuthController(svc);
+const loginLimit = rateLimit({ windowMs: 15 * 60_000, max: 10, message: 'Too many login attempts' });
+
+router.post('/login', loginLimit, (req, res) => ctrl.login(req, res));
+router.post('/logout', (req, res) => ctrl.logout(req, res));
+router.get('/verify', (req, res) => ctrl.verify(req, res));
+router.get('/2fa/setup', authenticate, (req, res) => ctrl.setup2fa(req, res));
+router.post('/2fa/enable', authenticate, (req, res) => ctrl.enable2fa(req, res));
+router.post('/2fa/disable', authenticate, (req, res) => ctrl.disable2fa(req, res));
+router.get('/2fa/status', authenticate, (req, res) => ctrl.totpStatus(req, res));
+router.post('/change-password', authenticate, (req, res) => ctrl.changePassword(req, res));
+
+module.exports = router;

package/routes/bookmarks.js

@@ -0,0 +1,13 @@
+'use strict';
+const { Router } = require('express');
+const svc = require('../services/BookmarkService');
+const { authenticate } = require('../middleware/auth');
+
+const router = Router();
+
+router.get('/', authenticate, async (req, res) => { try { res.json(await svc.getAll(req.user.username)); } catch (e) { res.status(500).json({ error: e.message }); } });
+router.post('/', authenticate, async (req, res) => { try { res.status(201).json(await svc.create(req.user.username, req.body)); } catch (e) { res.status(e.status||500).json({ error: e.message }); } });
+router.put('/:id/note', authenticate, async (req, res) => { try { res.json(await svc.updateNote(req.user.username, req.params.id, req.body.note||'')); } catch (e) { res.status(500).json({ error: e.message }); } });
+router.delete('/:id', authenticate, async (req, res) => { try { await svc.delete(req.user.username, req.params.id); res.json({ success: true }); } catch (e) { res.status(500).json({ error: e.message }); } });
+
+module.exports = router;

package/routes/health.js

@@ -0,0 +1,11 @@
+'use strict';
+const { Router } = require('express');
+const HealthController = require('../controllers/HealthController');
+
+const router = Router();
+const ctrl = new HealthController();
+
+router.get('/', (req, res) => ctrl.health(req, res));
+router.get('/metrics', (req, res) => ctrl.metrics(req, res));
+
+module.exports = router;

package/routes/logs.js

@@ -0,0 +1,88 @@
+'use strict';
+const { Router } = require('express');
+const LogController = require('../controllers/LogController');
+const validateApiKey = require('../middleware/apiKey');
+const { authenticate } = require('../middleware/auth');
+const requireRole = require('../middleware/roles');
+const rateLimit = require('../middleware/rateLimit');
+
+const router = Router();
+const ingestLimit = rateLimit({ windowMs: 60_000, max: 1000, message: 'Ingest rate limit exceeded' });
+
+// batchWriter is injected by server.js via module.exports.setWriter
+let ctrl;
+module.exports.setWriter = function (batchWriter) {
+	const LogService = require('../services/LogService');
+	ctrl = new LogController(new LogService(batchWriter));
+};
+
+// ── Ingest (API key auth) ────────────────────────────────────────────────
+router.post('/', validateApiKey(), ingestLimit, (req, res) => ctrl.ingest(req, res));
+
+router.post('/bulk', validateApiKey(), ingestLimit, (req, res) => ctrl.ingest(req, res));
+
+// ── Read (JWT auth, viewer+) ─────────────────────────────────────────────
+router.get('/services', authenticate, (req, res) => ctrl.services(req, res));
+router.get('/tail/:appName/:date', authenticate, (req, res) => ctrl.tail(req, res));
+router.get('/search', authenticate, (req, res) => ctrl.search(req, res));
+router.get('/replay', authenticate, (req, res) => ctrl.replay(req, res));
+router.get('/download/:appName/:date', authenticate, (req, res) => ctrl.download(req, res));
+router.get('/context/:appName/:date', authenticate, (req, res) => ctrl.context(req, res));
+
+router.get('/global-search', authenticate, async (req, res) => {
+	try {
+		const { q, limit = 50, dates } = req.query;
+		if (!q || q.length < 2) { return res.json([]); }
+		const ls = ctrl ? ctrl.svc : new (require('../services/LogService'))(null);
+		const services = await ls.getServices();
+		const today = new Date().toISOString().slice(0, 10);
+		const yesterday = new Date(Date.now()-864e5).toISOString().slice(0, 10);
+		const searchDates = dates ? dates.split(',').filter(Boolean) : [today, yesterday];
+		const results = [];
+		const ql = q.toLowerCase();
+
+		for (const { appName } of services.slice(0, 15)) {
+			for (const date of searchDates) {
+				try {
+					const r = await ls.tail(appName, date, 300);
+					const matches = (r.lines||[]).filter((l) => l.toLowerCase().includes(ql)).slice(0, 4);
+					matches.forEach((line) => {
+						let msg=line, ts='';
+						try { const p=JSON.parse(line); msg=p.message||line; ts=p.ts?p.ts.replace('T', ' ').slice(0, 19):''; } catch {}
+						results.push({ appName, date, msg: msg.slice(0, 120), ts });
+					});
+				} catch {}
+				if (results.length >= Number(limit)) { break; }
+			}
+			if (results.length >= Number(limit)) { break; }
+		}
+		res.json(results.slice(0, Number(limit)));
+	} catch (e) { res.status(500).json({ error: e.message }); }
+});
+router.get('/trace', authenticate, (req, res) => {
+	if (!ctrl) { return res.status(503).json({ error: 'Log service not ready yet' }); }
+	ctrl.traceSearch(req, res);
+});
+router.get('/search-range', authenticate, (req, res) => {
+	if (!ctrl) { return res.status(503).json({ error: 'Log service not ready yet' }); }
+	ctrl.searchRange(req, res);
+});
+router.get('/clusters/:appName/:date', authenticate, (req, res) => {
+	if (!ctrl) { return res.status(503).json({ error: 'Log service not ready yet' }); }
+	ctrl.clusters(req, res);
+});
+router.get('/clusters-range/:appName', authenticate, async (req, res) => {
+	if (!ctrl) { return res.status(503).json({ error: 'Log service not ready yet' }); }
+	try {
+		const { fromDate, toDate } = req.query;
+		if (!fromDate || !toDate) { return res.status(400).json({ error: 'fromDate and toDate required' }); }
+		res.json(await ctrl.svc.clusterErrorsRange(req.params.appName, fromDate, toDate));
+	} catch (e) { res.status(500).json({ error: e.message }); }
+});
+
+router.get('/anomalies/:appName', authenticate, (req, res) => {
+	if (!ctrl) { return res.status(503).json({ error: 'Log service not ready yet' }); }
+	ctrl.anomalies(req, res);
+});
+
+module.exports.router = router;

package/routes/metrics.js

@@ -0,0 +1,66 @@
+"use strict";
+const { Router } = require("express");
+const { authenticate } = require("../middleware/auth");
+const validateApiKey = require("../middleware/apiKey");
+const MetricsService = require("../services/MetricsService");
+
+const router = Router();
+
+// Helper to get org-aware MetricsService
+function getSvc(req) {
+  return new MetricsService(req.org || null);
+}
+
+// POST /api/metrics — SDK pushes metrics (API key auth, scope: metrics:write or logs:write)
+router.post("/", validateApiKey("logs:write"), async (req, res) => {
+  // Attach org from API key's orgSlug if available
+  if (!req.org && req.apiKey) {
+    const slug = req.apiKey.orgSlug || "default";
+    try {
+      const OrgService = require("../services/OrgService");
+      req.org = await OrgService.getOrg(slug);
+    } catch {}
+  }
+  try {
+    const appName = req.body.appName || req.apiKey?.name;
+    if (!appName) {
+      return res.status(400).json({ error: "appName required" });
+    }
+    await getSvc(req).ingest(appName, req.body);
+    res.json({ success: true });
+  } catch (e) {
+    res.status(500).json({ error: e.message });
+  }
+});
+
+// GET /api/metrics/services — list services that have metrics
+router.get("/services", authenticate, async (req, res) => {
+  try {
+    res.json({ services: await getSvc(req).listServices() });
+  } catch (e) {
+    res.status(500).json({ error: e.message });
+  }
+});
+
+// GET /api/metrics/latest — latest snapshot per service (for status cards)
+router.get("/latest", authenticate, async (req, res) => {
+  try {
+    const allowedApps = req.query.apps ? req.query.apps.split(",") : [];
+    res.json({ services: await getSvc(req).getLatestAll(allowedApps) });
+  } catch (e) {
+    res.status(500).json({ error: e.message });
+  }
+});
+
+// GET /api/metrics/:appName?range=1440 — time series for one service
+router.get("/:appName", authenticate, async (req, res) => {
+  try {
+    const range = parseInt(req.query.range) || 1440;
+    const rows = await getSvc(req).getTimeSeries(req.params.appName, range);
+    res.json({ appName: req.params.appName, count: rows.length, rows });
+  } catch (e) {
+    res.status(500).json({ error: e.message });
+  }
+});
+
+module.exports = router;

package/routes/notifications.js

@@ -0,0 +1,14 @@
+'use strict';
+const { Router } = require('express');
+const svc = require('../services/NotificationService');
+const { authenticate } = require('../middleware/auth');
+
+const router = Router();
+
+router.get('/', authenticate, async (req, res) => { try { res.json(await svc.getAll(100)); } catch (e) { res.status(500).json({ error: e.message }); } });
+router.get('/unread', authenticate, async (req, res) => { try { res.json({ count: await svc.countUnread() }); } catch (e) { res.status(500).json({ error: e.message }); } });
+router.put('/read', authenticate, async (req, res) => { try { await svc.markRead(null); res.json({ success: true }); } catch (e) { res.status(500).json({ error: e.message }); } });
+router.put('/read/:id', authenticate, async (req, res) => { try { await svc.markRead(req.params.id); res.json({ success: true }); } catch (e) { res.status(500).json({ error: e.message }); } });
+router.delete('/:id', authenticate, async (req, res) => { try { await svc.delete(req.params.id); res.json({ success: true }); } catch (e) { res.status(500).json({ error: e.message }); } });
+
+module.exports = router;

package/routes/orgs.js

@@ -0,0 +1,98 @@
+'use strict';
+const { Router }       = require('express');
+const OrgService       = require('../services/OrgService');
+const OrgController    = require('../controllers/OrgController');
+const { authenticate, authenticateUI } = require('../middleware/auth');
+const { requireSuperAdmin } = require('../middleware/org');
+const requireRole      = require('../middleware/roles');
+
+const router = Router();
+const ctrl   = new OrgController();
+
+// ── Public ────────────────────────────────────────────────────────────────
+router.get ('/invites/:token',   (req,res) => ctrl.getInvite(req,res));
+router.post('/invites/accept',   (req,res) => ctrl.acceptInvite(req,res));
+router.get ('/invite/:token',    (req,res) => ctrl.invitePage(req,res));  // UI page
+
+// ── Org admin: invite users ────────────────────────────────────────────────
+router.post('/invites', authenticate, requireRole('admin'), (req,res) => ctrl.createInvite(req,res));
+
+// ── Super-admin: list + create orgs ──────────────────────────────────────
+router.get ('/', authenticate, requireSuperAdmin, (req,res) => ctrl.listOrgs(req,res));
+router.post('/', authenticate, requireSuperAdmin, (req,res) => ctrl.createOrg(req,res));
+
+// ── Super-admin: bootstrap + migration (no auth required for first-time setup) ──
+router.post('/super-admin/create', (req,res) => ctrl.createSuperAdmin(req,res));
+router.post('/migrate', authenticate, requireSuperAdmin, (req,res) => ctrl.runMigration(req,res));
+
+// ── IMPORTANT: specific /:slug/sub routes MUST come before /:slug wildcard ──
+
+// ── Super-admin: org detail ───────────────────────────────────────────────
+router.get('/:slug/detail', authenticate, requireSuperAdmin, async (req, res) => {
+  try {
+    const org = await OrgService.getOrg(req.params.slug);
+    if (!org) return res.status(404).json({ error: 'Org not found' });
+    const fsP  = require('fs').promises;
+    const path = require('path');
+
+    let users = [];
+    try {
+      const raw = JSON.parse(await fsP.readFile(org.usersFile, 'utf8'));
+      users = Object.values(raw).map(u => ({ username: u.username, role: u.role, email: u.email||null, createdAt: u.createdAt }));
+    } catch {}
+
+    const SettingsService = require('../services/SettingsService');
+    let settings = {};
+    try { settings = await new SettingsService(org).get(); } catch {}
+
+    let services = [];
+    try {
+      const dirs = await fsP.readdir(org.logsDir);
+      services = dirs.filter(d => !['_archive','app','unknown'].includes(d));
+    } catch {}
+
+    res.json({ slug: org.slug, name: org.name, plan: org.plan, logsDir: org.logsDir, users, settings, services, createdAt: org.createdAt });
+  } catch (e) { res.status(500).json({ error: e.message }); }
+});
+
+// ── Super-admin: create user in org ──────────────────────────────────────
+router.post('/:slug/create-user', authenticate, requireSuperAdmin, async (req, res) => {
+  try {
+    const org = await OrgService.getOrg(req.params.slug);
+    if (!org) return res.status(404).json({ error: 'Org not found' });
+    const { username, password, role = 'admin' } = req.body;
+    if (!username || !password || password.length < 8) return res.status(400).json({ error: 'Username and password (min 8 chars) required' });
+    const fsP    = require('fs').promises;
+    const bcrypt = require('bcryptjs');
+    let users = {};
+    try { users = JSON.parse(await fsP.readFile(org.usersFile, 'utf8')); } catch {}
+    if (users[username]) return res.status(409).json({ error: 'Username already exists in this org' });
+    users[username] = { username, role, password: await bcrypt.hash(password, 10), createdAt: new Date().toISOString() };
+    await fsP.writeFile(org.usersFile, JSON.stringify(users, null, 2), 'utf8');
+    res.json({ success: true, username, role });
+  } catch (e) { res.status(500).json({ error: e.message }); }
+});
+
+// ── Super-admin: remove user from org ────────────────────────────────────
+router.delete('/:slug/users/:username', authenticate, requireSuperAdmin, async (req, res) => {
+  try {
+    const org = await OrgService.getOrg(req.params.slug);
+    if (!org) return res.status(404).json({ error: 'Org not found' });
+    const fsP = require('fs').promises;
+    let users = {};
+    try { users = JSON.parse(await fsP.readFile(org.usersFile, 'utf8')); } catch {}
+    if (!users[req.params.username]) return res.status(404).json({ error: 'User not found' });
+    delete users[req.params.username];
+    await fsP.writeFile(org.usersFile, JSON.stringify(users, null, 2), 'utf8');
+    res.json({ success: true });
+  } catch (e) { res.status(500).json({ error: e.message }); }
+});
+
+// ── /:slug wildcard (must be last) ────────────────────────────────────────
+router.get   ('/:slug', authenticate, requireSuperAdmin, (req,res) => ctrl.getOrg(req,res));
+router.delete('/:slug', authenticate, requireSuperAdmin, (req,res) => ctrl.deleteOrg(req,res));
+
+// ── Super-admin UI ─────────────────────────────────────────────────────────
+router.get('/ui/orgs', authenticateUI, requireSuperAdmin, (req,res) => ctrl.orgsPage(req,res));
+
+module.exports = router;

package/routes/registration.js

@@ -0,0 +1,202 @@
+'use strict';
+const { Router }     = require('express');
+const bcrypt         = require('bcryptjs');
+const jwt            = require('jsonwebtoken');
+const OrgService     = require('../services/OrgService');
+const GlobalSettings = require('../services/GlobalSettingsService');
+const config         = require('../config');
+
+const router = Router();
+
+// ── Email registration ────────────────────────────────────────────────────
+router.post('/register', async (req, res) => {
+  try {
+    const gs = await GlobalSettings.get();
+    if (gs.registrationMode !== 'open') return res.status(403).json({ error: 'Registration is currently closed. Contact your administrator.' });
+
+    const { orgName, username, email, password } = req.body;
+    if (!orgName || !username || !email || !password) return res.status(400).json({ error: 'All fields required' });
+    if (password.length < 8) return res.status(400).json({ error: 'Password must be at least 8 characters' });
+    if (!/^[a-zA-Z0-9._-]{3,32}$/.test(username)) return res.status(400).json({ error: 'Username must be 3–32 alphanumeric chars' });
+
+    const org = await OrgService.create({
+      name:          orgName,
+      ownerUsername: username,
+      ownerPassword: password,
+      plan:          gs.defaultPlan || 'free',
+    });
+
+    // Set email on user record
+    try {
+      const fsP  = require('fs').promises;
+      const users = JSON.parse(await fsP.readFile(org.usersFile,'utf8'));
+      users[username].email = email;
+      await fsP.writeFile(org.usersFile, JSON.stringify(users, null, 2), 'utf8');
+    } catch {}
+
+    // Issue JWT
+    const token = jwt.sign({ username, role: 'admin', orgSlug: org.slug }, config.JWT_SECRET, { expiresIn: config.JWT_EXPIRES_IN || '24h' });
+    res.cookie(config.SESSION_NAME, token, { httpOnly: true, sameSite: 'strict', maxAge: 86400000 });
+    res.json({ success: true, token, orgSlug: org.slug, redirect: '/dashboard' });
+  } catch(e) { res.status(e.status || 500).json({ error: e.message }); }
+});
+
+// ── Registration page ─────────────────────────────────────────────────────
+router.get('/register', async (req, res) => {
+  try {
+    const gs       = await GlobalSettings.get();
+    const settings = {};
+    try {
+      const SettingsService = require('../services/SettingsService');
+      Object.assign(settings, await new SettingsService(null).get());
+    } catch {}
+    const { buildThemeSnippet } = require('../lib/theme');
+    res.render('register', {
+      title:         'Create Organisation',
+      settings,
+      themeSnippet:  buildThemeSnippet(settings),
+      allowedPages:  [],
+      allowedCards:  [],
+      user:          null,
+      error:         req.query.error || null,
+      githubEnabled: !!(gs.githubClientId && gs.githubClientSecret),
+      googleEnabled: !!(gs.googleClientId && gs.googleClientSecret),
+      registrationOpen: gs.registrationMode === 'open',
+      sessionName:   config.SESSION_NAME,
+      baseUrl:       gs.appBaseUrl || `http://localhost:${config.PORT}`,
+    });
+  } catch(e) { res.status(500).send(e.message); }
+});
+
+// ── GitHub OAuth ──────────────────────────────────────────────────────────
+router.get('/auth/github', async (req, res) => {
+  try {
+    const gs = await GlobalSettings.get();
+    if (!gs.githubClientId) return res.redirect('/register?error=GitHub+OAuth+not+configured');
+    const base  = gs.appBaseUrl || `http://localhost:${config.PORT}`;
+    const state = require('crypto').randomBytes(16).toString('hex');
+    res.cookie('oauth_state', state, { httpOnly: true, maxAge: 600000 });
+    const url = `https://github.com/login/oauth/authorize?client_id=${gs.githubClientId}&redirect_uri=${encodeURIComponent(base+'/auth/github/callback')}&scope=user:email&state=${state}`;
+    res.redirect(url);
+  } catch(e) { res.redirect('/register?error='+encodeURIComponent(e.message)); }
+});
+
+router.get('/auth/github/callback', async (req, res) => {
+  try {
+    const gs = await GlobalSettings.get();
+    const { code, state } = req.query;
+    if (!code) return res.redirect('/register?error=GitHub+auth+cancelled');
+
+    // Exchange code for token
+    const axios = require('axios');
+    const tokenRes = await axios.post('https://github.com/login/oauth/access_token', {
+      client_id: gs.githubClientId, client_secret: gs.githubClientSecret, code,
+    }, { headers: { Accept: 'application/json' } });
+
+    const accessToken = tokenRes.data.access_token;
+    if (!accessToken) return res.redirect('/register?error=GitHub+token+exchange+failed');
+
+    // Get GitHub user
+    const userRes = await axios.get('https://api.github.com/user', { headers: { Authorization: `token ${accessToken}` } });
+    const ghUser  = userRes.data;
+    const username = ghUser.login;
+    const email    = ghUser.email || username + '@github.oauth';
+
+    await _oauthLogin(req, res, { provider: 'github', id: String(ghUser.id), username, email, displayName: ghUser.name || username }, gs);
+  } catch(e) { res.redirect('/register?error='+encodeURIComponent(e.message)); }
+});
+
+// ── Google OAuth ──────────────────────────────────────────────────────────
+router.get('/auth/google', async (req, res) => {
+  try {
+    const gs = await GlobalSettings.get();
+    if (!gs.googleClientId) return res.redirect('/register?error=Google+OAuth+not+configured');
+    const base  = gs.appBaseUrl || `http://localhost:${config.PORT}`;
+    const state = require('crypto').randomBytes(16).toString('hex');
+    res.cookie('oauth_state', state, { httpOnly: true, maxAge: 600000 });
+    const params = new URLSearchParams({
+      client_id: gs.googleClientId, redirect_uri: base+'/auth/google/callback',
+      response_type: 'code', scope: 'openid email profile', state,
+    });
+    res.redirect('https://accounts.google.com/o/oauth2/v2/auth?' + params.toString());
+  } catch(e) { res.redirect('/register?error='+encodeURIComponent(e.message)); }
+});
+
+router.get('/auth/google/callback', async (req, res) => {
+  try {
+    const gs = await GlobalSettings.get();
+    const { code } = req.query;
+    if (!code) return res.redirect('/register?error=Google+auth+cancelled');
+    const base = gs.appBaseUrl || `http://localhost:${config.PORT}`;
+
+    const axios = require('axios');
+    const tokenRes = await axios.post('https://oauth2.googleapis.com/token', {
+      code, client_id: gs.googleClientId, client_secret: gs.googleClientSecret,
+      redirect_uri: base+'/auth/google/callback', grant_type: 'authorization_code',
+    });
+    const idToken  = tokenRes.data.id_token;
+    const payload  = JSON.parse(Buffer.from(idToken.split('.')[1], 'base64').toString());
+    const username = (payload.email.split('@')[0]).replace(/[^a-zA-Z0-9._-]/g, '_');
+    const email    = payload.email;
+
+    await _oauthLogin(req, res, { provider: 'google', id: payload.sub, username, email, displayName: payload.name }, gs);
+  } catch(e) { res.redirect('/register?error='+encodeURIComponent(e.message)); }
+});
+
+// ── Shared OAuth login/register logic ─────────────────────────────────────
+async function _oauthLogin(req, res, profile, gs) {
+  const fsP = require('fs').promises;
+  const OrgSvc = require('../services/OrgService');
+
+  // Check if this OAuth account is linked to an existing org
+  const orgs = await OrgSvc.getOrgs();
+  for (const slug of Object.keys(orgs)) {
+    const p = OrgSvc.orgPaths(slug);
+    try {
+      const users = JSON.parse(await fsP.readFile(p.usersFile,'utf8'));
+      for (const u of Object.values(users)) {
+        if (u.oauthProvider === profile.provider && u.oauthId === profile.id) {
+          // Existing user — issue JWT and log in
+          const token = jwt.sign({ username: u.username, role: u.role||'admin', orgSlug: slug }, config.JWT_SECRET, { expiresIn: '24h' });
+          res.cookie(config.SESSION_NAME, token, { httpOnly: true, sameSite: 'strict', maxAge: 86400000 });
+          return res.redirect('/dashboard');
+        }
+      }
+    } catch {}
+  }
+
+  // New user — create org
+  if (gs.registrationMode !== 'open') return res.redirect('/register?error=Registration+is+closed');
+
+  let username = profile.username;
+  // Ensure username is unique across orgs
+  const taken = await _isUsernameTaken(username, orgs);
+  if (taken) username = username + '_' + Date.now().toString(36).slice(-4);
+
+  const org = await OrgSvc.create({ name: profile.displayName + "'s Org", ownerUsername: username, ownerPassword: require('crypto').randomBytes(32).toString('hex'), plan: gs.defaultPlan || 'free' });
+
+  // Update user record with OAuth info
+  try {
+    const users = JSON.parse(await fsP.readFile(org.usersFile,'utf8'));
+    users[username].email         = profile.email;
+    users[username].oauthProvider = profile.provider;
+    users[username].oauthId       = profile.id;
+    users[username].displayName   = profile.displayName;
+    await fsP.writeFile(org.usersFile, JSON.stringify(users, null, 2), 'utf8');
+  } catch {}
+
+  const token = jwt.sign({ username, role: 'admin', orgSlug: org.slug }, config.JWT_SECRET, { expiresIn: '24h' });
+  res.cookie(config.SESSION_NAME, token, { httpOnly: true, sameSite: 'strict', maxAge: 86400000 });
+  res.redirect('/dashboard');
+}
+
+async function _isUsernameTaken(username, orgs) {
+  const fsP = require('fs').promises;
+  for (const slug of Object.keys(orgs)) {
+    const p = require('../services/OrgService').orgPaths(slug);
+    try { const u = JSON.parse(await fsP.readFile(p.usersFile,'utf8')); if (u[username]) return true; } catch {}
+  }
+  return false;
+}
+
+module.exports = router;