mop-agent 0.1.8 → 0.1.9

package/README.md

@@ -5,8 +5,8 @@ through MOP-FLOW. It stores project memory, performs semantic recall and
 consolidation, serves grounded chat, and can request approved actions from a
 linked FLOW node.
 
-> **Release status:** npm package `mop-agent@0.1.8` contains the corrected VPS
-> installer, first-run Admin/Assistant flow, and shared retro application shell.
+> **Release status:** npm package `mop-agent@0.1.9` contains the corrected VPS
+> installer, one-time Admin setup/login flow, and shared retro application shell.
 > The canonical installation command is exactly `npx mop-agent`.
 
 ## Current status
@@ -55,7 +55,8 @@ The first run copies the npm-packaged runtime from the temporary npx cache into
 
 - `Install` — installs nginx/Certbot and immediately continues through the
   complete domain, SQLite, HTTPS, and systemd setup.
-- `Update` — updates only MOP-AGENT, migrates/builds, and restarts it.
+- `Update` — migrates/builds/restarts MOP-AGENT, restores the installer-owned
+  nginx vhost, reloads nginx, and verifies both local and domain proxy health.
 - `Status` — reports service health and filesystem locations.
 - `Delete` — removes the service and nginx configuration while preserving data
   unless purge is explicitly requested.
@@ -63,12 +64,15 @@ The first run copies the npm-packaged runtime from the temporary npx cache into
 After installation, open the configured URL in a browser. The application flow
 is intentionally separate from the server installer:
 
-1. On a fresh database, `/` redirects to **Create Admin account**.
+1. On a fresh database, `/setup` shows **Create Admin account** once.
 2. Creating the first Admin also signs that account in.
-3. Returning users are shown the login form.
-4. Successful setup/login opens the main **Assistant**. It can be used before
+3. After an Admin exists, `/setup` always redirects to `/login` when signed out
+   or `/assistant` when already signed in.
+4. Admin creates ready-to-login accounts under **Settings → Users**; there is
+   no public invited-account signup link.
+5. Successful setup/login opens the main **Assistant**. It can be used before
    any project is linked; Brain is the optional memory/project control surface.
-5. Add OpenRouter or Anthropic under **Providers** for full model responses.
+6. Add OpenRouter or Anthropic under **Settings → Providers** for full model responses.
    Until then, the built-in offline echo provider confirms the chat pipeline.
 
 During `setup`, choose one deployment mode:

package/apps/web/app/api/members/route.ts

@@ -1,4 +1,5 @@
-/** GET /api/members — list users + roles (owner). */
+/** GET/POST /api/members — list users or create a login directly (owner). */
+import { auth } from "@/lib/auth";
 import { getSqlite } from "@/lib/db/client";
 import { requireRole } from "@/lib/authz";
 
@@ -14,3 +15,40 @@ export async function GET(req: Request): Promise<Response> {
     .all();
   return Response.json({ members });
 }
+
+export async function POST(req: Request): Promise<Response> {
+  const access = await requireRole(req, ["owner"]);
+  if (!access.ok) return access.response;
+
+  const body = (await req.json()) as { name?: string; email?: string; password?: string; role?: "member" | "owner" };
+  const name = body.name?.trim();
+  const email = body.email?.trim().toLowerCase();
+  const password = body.password ?? "";
+  const role = body.role === "owner" ? "owner" : "member";
+  if (!name || !email || !/^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(email)) {
+    return Response.json({ error: "invalid_name_or_email" }, { status: 400 });
+  }
+  if (password.length < 8) return Response.json({ error: "password_too_short" }, { status: 400 });
+
+  const sqlite = getSqlite();
+  const exists = sqlite.prepare("SELECT 1 FROM user WHERE lower(email) = lower(?) LIMIT 1").get(email);
+  if (exists) return Response.json({ error: "user_already_exists" }, { status: 409 });
+
+  const now = Date.now();
+  sqlite.prepare(
+    `INSERT INTO invite(email, role, expires_at, used_at, invited_by, created_at)
+     VALUES(?, ?, ?, NULL, ?, ?)
+     ON CONFLICT(email) DO UPDATE SET role=excluded.role, expires_at=excluded.expires_at,
+       used_at=NULL, invited_by=excluded.invited_by`,
+  ).run(email, role, now + 10 * 60_000, access.userId, now);
+
+  try {
+    await auth.api.signUpEmail({ body: { name, email, password } });
+  } catch (error) {
+    sqlite.prepare("DELETE FROM invite WHERE email = ? AND used_at IS NULL").run(email);
+    const message = error instanceof Error ? error.message : "create_user_failed";
+    return Response.json({ error: message }, { status: 400 });
+  }
+
+  return Response.json({ ok: true, user: { name, email, role } }, { status: 201 });
+}

package/apps/web/app/login/layout.tsx

@@ -0,0 +1,16 @@
+import type { ReactNode } from "react";
+import { unstable_noStore as noStore } from "next/cache";
+import { headers } from "next/headers";
+import { redirect } from "next/navigation";
+import { auth, ownerExists } from "@/lib/auth";
+
+export const dynamic = "force-dynamic";
+export const revalidate = 0;
+
+export default async function LoginLayout({ children }: { children: ReactNode }) {
+  noStore();
+  if (!ownerExists()) redirect("/setup");
+  const session = await auth.api.getSession({ headers: await headers() });
+  if (session) redirect("/assistant");
+  return children;
+}

package/apps/web/app/login/page.tsx

@@ -0,0 +1,83 @@
+"use client";
+
+import { useState } from "react";
+import { signIn } from "@/lib/auth-client";
+
+type SetupStatus = { authenticated: boolean };
+
+async function waitForSession(): Promise<boolean> {
+  for (let attempt = 0; attempt < 5; attempt += 1) {
+    try {
+      const response = await fetch(`/api/setup/status?t=${Date.now()}`, { cache: "no-store", credentials: "include" });
+      const status = await response.json() as SetupStatus;
+      if (status.authenticated) return true;
+    } catch {
+      // Retry a short proxy/session propagation gap.
+    }
+    await new Promise((resolve) => setTimeout(resolve, 250));
+  }
+  return false;
+}
+
+export default function LoginPage() {
+  const [email, setEmail] = useState("");
+  const [password, setPassword] = useState("");
+  const [msg, setMsg] = useState("");
+  const [busy, setBusy] = useState(false);
+
+  async function submit(e: React.FormEvent) {
+    e.preventDefault();
+    setBusy(true);
+    setMsg("");
+    const result = await signIn.email({ email, password });
+    if (result.error) {
+      setMsg(result.error.message ?? "Sign in failed.");
+      setBusy(false);
+      return;
+    }
+    if (await waitForSession()) {
+      window.location.replace(`/assistant?auth=${Date.now()}`);
+      return;
+    }
+    setMsg("Sign in succeeded, but the session cookie was not accepted. Use the configured domain and HTTPS address.");
+    setBusy(false);
+  }
+
+  return (
+    <main className="mop-setup-shell" style={shell}>
+      <section className="mop-setup-brand" style={brandPanel}>
+        <img src="/icon.svg" alt="MOP-AGENT" style={heroLogo} />
+      </section>
+      <section className="mop-setup-form" style={formWrap}>
+        <div style={formCard}>
+          <p style={eyebrow}>WELCOME BACK</p>
+          <h1 style={{ fontSize: 27, margin: "8px 0" }}>Sign in to MOP-AGENT</h1>
+          <p style={description}>Use the account created for you by the Administrator.</p>
+          <form onSubmit={submit} style={{ display: "grid", gap: 14, marginTop: 28 }}>
+            <label style={label}>Email
+              <input placeholder="you@example.com" type="email" autoComplete="email" required value={email} onChange={(e) => setEmail(e.target.value)} style={inputStyle} />
+            </label>
+            <label style={label}>Password
+              <input placeholder="Your password" type="password" autoComplete="current-password" required value={password} onChange={(e) => setPassword(e.target.value)} style={inputStyle} />
+            </label>
+            <button type="submit" disabled={busy} style={{ ...buttonStyle, opacity: busy ? 0.65 : 1 }}>
+              {busy ? "Signing in…" : "Sign in"}
+            </button>
+          </form>
+          {msg && <p role="alert" style={{ marginTop: 16, color: "#742220" }}>{msg}</p>}
+        </div>
+      </section>
+    </main>
+  );
+}
+
+const shell: React.CSSProperties = { minHeight: "100vh", display: "grid", gridTemplateColumns: "minmax(0, 1.25fr) minmax(380px, .75fr)", background: "#fef9e1" };
+const brandPanel: React.CSSProperties = { padding: "clamp(48px, 8vw, 110px)", display: "flex", alignItems: "center", justifyContent: "center", overflow: "hidden", background: "radial-gradient(circle at 50% 45%, #49685c 0, #2d4a3e 58%, #21382f 100%)" };
+const heroLogo: React.CSSProperties = { display: "block", width: "min(72%, 560px)", height: "auto", maxHeight: "72vh", objectFit: "contain", filter: "drop-shadow(0 24px 34px rgba(0,0,0,.28))" };
+const formWrap: React.CSSProperties = { display: "flex", alignItems: "center", justifyContent: "center", padding: 28, background: "#fef9e1", borderLeft: "1px solid #2d4a3e" };
+const formCard: React.CSSProperties = { width: "min(100%, 430px)", padding: "38px 34px", border: "1px solid rgba(45,74,62,.45)", borderRadius: 18, background: "#fffdf2", boxShadow: "0 24px 70px rgba(45,74,62,.14)" };
+const eyebrow: React.CSSProperties = { margin: "20px 0 0", color: "#742220", fontSize: 12, fontWeight: 800, letterSpacing: ".16em" };
+const description: React.CSSProperties = { color: "#7f8da2", lineHeight: 1.55, marginTop: 0 };
+const label: React.CSSProperties = { display: "grid", gap: 7, color: "#2d4a3e", fontSize: 13, fontWeight: 650 };
+const inputStyle: React.CSSProperties = { padding: "12px 13px", borderRadius: 9, border: "1px solid rgba(45,74,62,.42)", outline: "none", background: "#fef9e1", color: "#2d4a3e", fontSize: 15 };
+const buttonStyle: React.CSSProperties = { marginTop: 4, padding: "12px 14px", borderRadius: 9, border: "1px solid #742220", background: "#742220", color: "#fef9e1", fontWeight: 750, fontSize: 15, cursor: "pointer" };

package/apps/web/app/settings/page.tsx

@@ -6,7 +6,6 @@ import { useEffect, useState } from "react";
 type Section = "providers" | "users";
 type Masked = { configured: boolean; provider?: string; model?: string | null; keyHint?: string };
 type Member = { id: string; email: string; name: string; role: string };
-type Invite = { email: string; role: string; expiresAt: number; usedAt: number | null };
 
 export default function SettingsPage() {
   const [section, setSection] = useState<Section>("providers");
@@ -17,8 +16,9 @@ export default function SettingsPage() {
   const [model, setModel] = useState("");
   const [providerMsg, setProviderMsg] = useState("");
   const [members, setMembers] = useState<Member[]>([]);
-  const [invites, setInvites] = useState<Invite[]>([]);
+  const [userName, setUserName] = useState("");
   const [email, setEmail] = useState("");
+  const [password, setPassword] = useState("");
   const [role, setRole] = useState<"member" | "owner">("member");
   const [userMsg, setUserMsg] = useState("");
 
@@ -31,7 +31,6 @@ export default function SettingsPage() {
 
   function loadUsers() {
     fetch("/api/members").then((r) => (r.ok ? r.json() : { members: [] })).then((data) => setMembers(data.members ?? [])).catch(() => {});
-    fetch("/api/invites").then((r) => (r.ok ? r.json() : { invites: [] })).then((data) => setInvites(data.invites ?? [])).catch(() => {});
   }
 
   useEffect(() => {
@@ -61,21 +60,21 @@ export default function SettingsPage() {
     if (response.ok) setConfig(data.config);
   }
 
-  async function invite(e: React.FormEvent) {
+  async function createUser(e: React.FormEvent) {
     e.preventDefault();
-    setUserMsg("Creating invite…");
-    const response = await fetch("/api/invites", {
+    setUserMsg("Creating user…");
+    const response = await fetch("/api/members", {
       method: "POST",
       headers: { "content-type": "application/json" },
-      body: JSON.stringify({ email, role }),
+      body: JSON.stringify({ name: userName, email, password, role }),
     });
-    setUserMsg(response.ok ? `Invite created for ${email}.` : `Unable to invite (error ${response.status}).`);
-    if (response.ok) setEmail("");
-    loadUsers();
-  }
-
-  async function revoke(inviteEmail: string) {
-    await fetch(`/api/invites?email=${encodeURIComponent(inviteEmail)}`, { method: "DELETE" });
+    const data = await response.json();
+    setUserMsg(response.ok ? `User ${email} created and ready to sign in.` : `Unable to create user: ${data.error ?? response.status}`);
+    if (response.ok) {
+      setUserName("");
+      setEmail("");
+      setPassword("");
+    }
     loadUsers();
   }
 
@@ -166,29 +165,21 @@ export default function SettingsPage() {
                 </table>
               </div>
 
-              <div style={invitePanel}>
-                <h3 style={{ margin: 0, fontSize: 15 }}>Invite a user</h3>
-                <form onSubmit={invite} style={{ display: "grid", gridTemplateColumns: "minmax(180px,1fr) 130px auto", gap: 9, marginTop: 13 }} className="mop-user-invite-form">
+              <div style={userPanel}>
+                <h3 style={{ margin: 0, fontSize: 15 }}>Add a user</h3>
+                <p style={{ ...muted, margin: "6px 0 0", fontSize: 12 }}>Create the account here, then give the user their email and temporary password.</p>
+                <form onSubmit={createUser} style={{ display: "grid", gridTemplateColumns: "minmax(140px,.8fr) minmax(190px,1fr) minmax(150px,.8fr) 110px auto", gap: 9, marginTop: 13 }} className="mop-user-invite-form">
+                  <input placeholder="Display name" required value={userName} onChange={(e) => setUserName(e.target.value)} style={inputStyle} />
                   <input placeholder="user@example.com" type="email" required value={email} onChange={(e) => setEmail(e.target.value)} style={inputStyle} />
+                  <input placeholder="Temporary password" type="password" minLength={8} required value={password} onChange={(e) => setPassword(e.target.value)} style={inputStyle} />
                   <select value={role} onChange={(e) => setRole(e.target.value as "member" | "owner")} style={inputStyle}>
                     <option value="member">Member</option>
                     <option value="owner">Admin</option>
                   </select>
-                  <button type="submit" style={primaryButton}>CREATE INVITE</button>
+                  <button type="submit" style={primaryButton}>ADD USER</button>
                 </form>
                 {userMsg && <p style={messageStyle}>{userMsg}</p>}
               </div>
-
-              <h3 style={{ margin: "26px 0 10px", fontSize: 14 }}>Pending invites</h3>
-              <div style={{ display: "grid", gap: 7 }}>
-                {invites.filter((item) => !item.usedAt).map((item) => (
-                  <div key={item.email} style={inviteRow}>
-                    <span><strong>{item.email}</strong><small style={{ ...muted, marginLeft: 8 }}>{item.role === "owner" ? "admin" : "member"}</small></span>
-                    <button onClick={() => revoke(item.email)} style={secondaryButton}>REVOKE</button>
-                  </div>
-                ))}
-                {invites.filter((item) => !item.usedAt).length === 0 && <p style={muted}>No pending invites.</p>}
-              </div>
             </>
           )}
         </section>
@@ -207,11 +198,9 @@ const formGrid: CSSProperties = { display: "grid", gap: 13, marginTop: 20 };
 const labelStyle: CSSProperties = { display: "grid", gap: 6, color: "#742220", fontFamily: '"SFMono-Regular", Consolas, monospace', fontSize: 11, fontWeight: 800, letterSpacing: ".07em", textTransform: "uppercase" };
 const inputStyle: CSSProperties = { width: "100%", minHeight: 40, padding: "9px 11px", border: "1px solid rgba(45,74,62,.4)", background: "#fffdf2", color: "#2d4a3e" };
 const primaryButton: CSSProperties = { minHeight: 40, padding: "9px 15px", border: "1px solid #742220", background: "#742220", color: "#fef9e1", fontFamily: '"SFMono-Regular", Consolas, monospace', fontSize: 10, fontWeight: 900, cursor: "pointer" };
-const secondaryButton: CSSProperties = { padding: "6px 10px", border: "1px solid #742220", background: "transparent", color: "#742220", fontSize: 9, fontWeight: 900, cursor: "pointer" };
 const messageStyle: CSSProperties = { padding: "9px 11px", borderLeft: "3px solid #742220", background: "rgba(116,34,32,.06)", fontSize: 13 };
 const tableStyle: CSSProperties = { width: "100%", borderCollapse: "collapse", fontSize: 13 };
 const miniAvatar: CSSProperties = { width: 28, height: 28, display: "inline-grid", placeItems: "center", marginRight: 9, background: "#2d4a3e", color: "#fef9e1", fontWeight: 900 };
 const ownerRole: CSSProperties = { padding: "4px 7px", background: "#742220", color: "#fef9e1", fontSize: 9, fontWeight: 900 };
 const memberRole: CSSProperties = { ...ownerRole, color: "#2d4a3e", background: "rgba(45,74,62,.12)" };
-const invitePanel: CSSProperties = { marginTop: 26, padding: 16, border: "1px solid rgba(45,74,62,.27)", background: "rgba(254,249,225,.55)" };
-const inviteRow: CSSProperties = { display: "flex", alignItems: "center", justifyContent: "space-between", gap: 12, padding: 10, border: "1px solid rgba(45,74,62,.22)" };
+const userPanel: CSSProperties = { marginTop: 26, padding: 16, border: "1px solid rgba(45,74,62,.27)", background: "rgba(254,249,225,.55)" };

package/apps/web/app/setup/layout.tsx

@@ -0,0 +1,15 @@
+import type { ReactNode } from "react";
+import { unstable_noStore as noStore } from "next/cache";
+import { headers } from "next/headers";
+import { redirect } from "next/navigation";
+import { auth, ownerExists } from "@/lib/auth";
+
+export const dynamic = "force-dynamic";
+export const revalidate = 0;
+
+export default async function SetupLayout({ children }: { children: ReactNode }) {
+  noStore();
+  if (!ownerExists()) return children;
+  const session = await auth.api.getSession({ headers: await headers() });
+  redirect(session ? "/assistant" : "/login");
+}

package/apps/web/app/setup/page.tsx

@@ -1,6 +1,6 @@
 "use client";
 
-import { useEffect, useState } from "react";
+import { useState } from "react";
 import { signIn, signUp } from "@/lib/auth-client";
 
 type SetupStatus = { ownerExists: boolean; authenticated: boolean };
@@ -20,7 +20,7 @@ async function waitForSession(): Promise<boolean> {
     try {
       if ((await getSetupStatus()).authenticated) return true;
     } catch {
-      // A short deployment/network gap should not strand the form in busy mode.
+      // Allow a short deployment/network gap before falling back to Login.
     }
     await new Promise((resolve) => setTimeout(resolve, 250));
   }
@@ -28,78 +28,34 @@ async function waitForSession(): Promise<boolean> {
 }
 
 export default function SetupPage() {
-  const [ownerExists, setOwnerExists] = useState<boolean | null>(null);
   const [email, setEmail] = useState("");
   const [password, setPassword] = useState("");
   const [name, setName] = useState("");
   const [msg, setMsg] = useState("");
   const [busy, setBusy] = useState(false);
-  const [mode, setMode] = useState<"signup" | "signin">("signup");
-
-  useEffect(() => {
-    getSetupStatus()
-      .then((status) => {
-        if (status.authenticated) {
-          window.location.replace(`/assistant?auth=${Date.now()}`);
-          return;
-        }
-        setOwnerExists(status.ownerExists);
-        setMode(status.ownerExists ? "signin" : "signup");
-      })
-      .catch(() => setMsg("Unable to reach MOP-AGENT. Please refresh."));
-  }, []);
 
   async function submit(e: React.FormEvent) {
     e.preventDefault();
     setBusy(true);
     setMsg("");
 
-    if (mode === "signup") {
-      const res = await signUp.email({ email, password, name: name.trim() || email });
-      if (res.error) {
-        setMsg(res.error.message ?? "Account setup failed.");
-        setBusy(false);
-        return;
-      }
-      // Verify the cookie before entering a server-protected route. If the
-      // signup response did not establish it, explicitly sign in once.
-      if (!(await waitForSession())) {
-        const login = await signIn.email({ email, password });
-        if (login.error) {
-          setMode("signin");
-          setOwnerExists(true);
-          setMsg(login.error.message ?? "Admin created, but sign in failed. Please sign in below.");
-          setBusy(false);
-          return;
-        }
-      }
-      if (await waitForSession()) {
-        window.location.replace(`/assistant?auth=${Date.now()}`);
-        return;
-      }
-      setMode("signin");
-      setOwnerExists(true);
-      setMsg("Admin created, but the session cookie was not accepted. Please sign in again.");
+    const result = await signUp.email({ email, password, name: name.trim() || email });
+    if (result.error) {
+      setMsg(result.error.message ?? "Admin setup failed.");
       setBusy(false);
       return;
     }
 
-    const res = await signIn.email({ email, password });
-    if (res.error) {
-      setMsg(res.error.message ?? "Sign in failed.");
-      setBusy(false);
-      return;
-    }
+    // Better Auth normally creates the session during signup. Explicitly sign
+    // in once if a proxy/browser did not retain that first response cookie.
+    if (!(await waitForSession())) await signIn.email({ email, password });
     if (await waitForSession()) {
       window.location.replace(`/assistant?auth=${Date.now()}`);
       return;
     }
-    setMsg("Sign in succeeded, but the session cookie was not accepted. Check that you are using the configured HTTPS domain.");
-    setBusy(false);
+    window.location.replace("/login?admin-created=1");
   }
 
-  const loading = ownerExists === null && !msg;
-
   return (
     <main className="mop-setup-shell" style={shell}>
       <section className="mop-setup-brand" style={brandPanel}>
@@ -108,45 +64,26 @@ export default function SetupPage() {
 
       <section className="mop-setup-form" style={formWrap}>
         <div style={formCard}>
-          <p style={eyebrow}>{mode === "signup" ? "FIRST-RUN SETUP" : "WELCOME BACK"}</p>
-          <h2 style={{ fontSize: 27, margin: "8px 0" }}>
-            {loading ? "Checking server…" : mode === "signup" ? "Create Admin account" : "Sign in to MOP-AGENT"}
-          </h2>
-          <p style={{ color: "#8c9bb0", lineHeight: 1.55, marginTop: 0 }}>
-            {mode === "signup"
-              ? "This first account controls providers, team access, projects, and system memory."
-              : "Use your Admin or invited team account."}
-          </p>
-
-          {!loading && (
-            <form onSubmit={submit} style={{ display: "grid", gap: 14, marginTop: 28 }}>
-              {mode === "signup" && (
-                <label style={label}>Display name
-                  <input placeholder="Admin" autoComplete="name" value={name} onChange={(e) => setName(e.target.value)} style={inputStyle} />
-                </label>
-              )}
-              <label style={label}>Email
-                <input placeholder="admin@example.com" type="email" autoComplete="email" required value={email} onChange={(e) => setEmail(e.target.value)} style={inputStyle} />
-              </label>
-              <label style={label}>Password
-                <input placeholder="Minimum 8 characters" type="password" autoComplete={mode === "signup" ? "new-password" : "current-password"} required minLength={8} value={password} onChange={(e) => setPassword(e.target.value)} style={inputStyle} />
-              </label>
-              <button type="submit" disabled={busy} style={{ ...buttonStyle, opacity: busy ? 0.65 : 1 }}>
-                {busy ? "Please wait…" : mode === "signup" ? "Create Admin & continue" : "Sign in"}
-              </button>
-            </form>
-          )}
+          <p style={eyebrow}>FIRST-RUN SETUP</p>
+          <h1 style={{ fontSize: 27, margin: "8px 0" }}>Create Admin account</h1>
+          <p style={description}>This one-time account controls providers, users, projects, and system memory.</p>
+
+          <form onSubmit={submit} style={{ display: "grid", gap: 14, marginTop: 28 }}>
+            <label style={label}>Display name
+              <input placeholder="Admin" autoComplete="name" value={name} onChange={(e) => setName(e.target.value)} style={inputStyle} />
+            </label>
+            <label style={label}>Email
+              <input placeholder="admin@example.com" type="email" autoComplete="email" required value={email} onChange={(e) => setEmail(e.target.value)} style={inputStyle} />
+            </label>
+            <label style={label}>Password
+              <input placeholder="Minimum 8 characters" type="password" autoComplete="new-password" required minLength={8} value={password} onChange={(e) => setPassword(e.target.value)} style={inputStyle} />
+            </label>
+            <button type="submit" disabled={busy} style={{ ...buttonStyle, opacity: busy ? 0.65 : 1 }}>
+              {busy ? "Creating Admin…" : "Create Admin & continue"}
+            </button>
+          </form>
 
           {msg && <p role="alert" style={{ marginTop: 16, color: "#742220" }}>{msg}</p>}
-
-          {!loading && (
-            <p style={{ marginTop: 22, fontSize: 13, color: "#7f8da2" }}>
-              {mode === "signin" ? "Invited team member? " : "Already created an account? "}
-              <button type="button" onClick={() => { setMode(mode === "signin" ? "signup" : "signin"); setMsg(""); }} style={textButton}>
-                {mode === "signin" ? "Create invited account" : "Sign in"}
-              </button>
-            </p>
-          )}
         </div>
       </section>
     </main>
@@ -159,7 +96,7 @@ const heroLogo: React.CSSProperties = { display: "block", width: "min(72%, 560px
 const formWrap: React.CSSProperties = { display: "flex", alignItems: "center", justifyContent: "center", padding: 28, background: "#fef9e1", borderLeft: "1px solid #2d4a3e" };
 const formCard: React.CSSProperties = { width: "min(100%, 430px)", padding: "38px 34px", border: "1px solid rgba(45,74,62,.45)", borderRadius: 18, background: "#fffdf2", boxShadow: "0 24px 70px rgba(45,74,62,.14)" };
 const eyebrow: React.CSSProperties = { margin: "20px 0 0", color: "#742220", fontSize: 12, fontWeight: 800, letterSpacing: ".16em" };
+const description: React.CSSProperties = { color: "#7f8da2", lineHeight: 1.55, marginTop: 0 };
 const label: React.CSSProperties = { display: "grid", gap: 7, color: "#2d4a3e", fontSize: 13, fontWeight: 650 };
 const inputStyle: React.CSSProperties = { padding: "12px 13px", borderRadius: 9, border: "1px solid rgba(45,74,62,.42)", outline: "none", background: "#fef9e1", color: "#2d4a3e", fontSize: 15 };
 const buttonStyle: React.CSSProperties = { marginTop: 4, padding: "12px 14px", borderRadius: 9, border: "1px solid #742220", background: "#742220", color: "#fef9e1", fontWeight: 750, fontSize: 15, cursor: "pointer" };
-const textButton: React.CSSProperties = { padding: 0, border: 0, background: "none", color: "#742220", cursor: "pointer" };

package/apps/web/components/AppShell.tsx

@@ -29,7 +29,7 @@ export function AppShell({ viewer, children }: { viewer: AppViewer; children: Re
 
   async function logout() {
     await signOut();
-    window.location.replace("/setup");
+    window.location.replace("/login");
   }
 
   const nav = [
@@ -61,7 +61,7 @@ export function AppShell({ viewer, children }: { viewer: AppViewer; children: Re
           <div className="mop-topbar-center">MOP MEMORYCORE</div>
           <div className="mop-topbar-meta">
             <span>{isAdmin ? "ADMIN" : "MEMBER"}</span>
-            <span className="mop-version">v0.1.8</span>
+            <span className="mop-version">v0.1.9</span>
           </div>
         </div>
       </header>

package/apps/web/lib/page-auth.ts

@@ -10,7 +10,7 @@ export async function requirePageSession() {
   if (!ownerExists()) redirect("/setup");
 
   const session = await auth.api.getSession({ headers: await headers() });
-  if (!session) redirect("/setup");
+  if (!session) redirect("/login");
   return session;
 }
 

package/installer/mop-agent.mjs

@@ -12,7 +12,7 @@
  */
 import { spawnSync } from "node:child_process";
 import { randomBytes } from "node:crypto";
-import { chmodSync, writeFileSync, mkdirSync, existsSync } from "node:fs";
+import { chmodSync, writeFileSync, mkdirSync, existsSync, readFileSync } from "node:fs";
 import { createInterface } from "node:readline/promises";
 import { stdin as input, stdout as output } from "node:process";
 import { dirname, resolve } from "node:path";
@@ -102,6 +102,57 @@ function q(value) {
   return `'${String(value).replaceAll("'", `'"'"'`)}'`;
 }
 
+function readRuntimeConfig() {
+  const envPath = `${APP_DIR}/apps/web/.env`;
+  if (!existsSync(envPath)) throw new Error(`Runtime environment is missing: ${envPath}`);
+  const env = {};
+  for (const raw of readFileSync(envPath, "utf8").split(/\r?\n/)) {
+    const line = raw.trim();
+    if (!line || line.startsWith("#")) continue;
+    const at = line.indexOf("=");
+    if (at < 1) continue;
+    env[line.slice(0, at)] = line.slice(at + 1).replace(/^(['"])(.*)\1$/, "$2");
+  }
+  const port = env.PORT || "3000";
+  if (!isValidPort(port)) throw new Error(`Invalid PORT in ${envPath}: ${port}`);
+  let publicUrl;
+  try {
+    publicUrl = new URL(env.BETTER_AUTH_URL || `http://localhost:${port}`);
+  } catch {
+    throw new Error(`Invalid BETTER_AUTH_URL in ${envPath}`);
+  }
+  return { env, port, publicUrl };
+}
+
+/** Restore the installer-owned vhost after every update, including TLS. */
+function reconcileNginx() {
+  const os = detectOS();
+  const { port, publicUrl } = readRuntimeConfig();
+  const domain = publicUrl.hostname;
+  if (!isValidDomain(domain) && domain !== "localhost") {
+    throw new Error(`Invalid domain in BETTER_AUTH_URL: ${domain}`);
+  }
+  const nginx = nginxPaths(os.family);
+  const certDir = `/etc/letsencrypt/live/${domain}`;
+  const hasTls = publicUrl.protocol === "https:" && existsSync(`${certDir}/fullchain.pem`) && existsSync(`${certDir}/privkey.pem`);
+  const vhost = hasTls ? renderNginxTlsVhost({ domain, port }) : renderNginxVhost({ domain, port });
+
+  console.log(c("cyan", "▸ Restore nginx reverse proxy"));
+  writeConf(nginx.conf, vhost, { privileged: true });
+  runSteps([
+    ...(nginx.enabled ? [{ label: "Enable nginx vhost", cmd: `ln -sf ${nginx.conf} ${nginx.enabled}` }] : []),
+    { label: "Verify nginx configuration", cmd: "nginx -t" },
+    { label: "Enable + start nginx", cmd: "systemctl enable --now nginx" },
+    { label: "Reload nginx", cmd: "systemctl reload nginx" },
+    { label: "Verify local application", cmd: `curl --fail --silent --show-error --max-time 15 ${q(`http://127.0.0.1:${port}/api/setup/status`)} >/dev/null` },
+    {
+      label: "Verify domain reverse proxy",
+      cmd: `curl --fail --silent --show-error --max-time 15 --resolve ${q(`${domain}:${hasTls ? "443" : "80"}:127.0.0.1`)} ${q(`${hasTls ? "https" : "http"}://${domain}/api/setup/status`)} >/dev/null`,
+    },
+  ], { privileged: true });
+  return { domain, port, protocol: hasTls ? "https" : "http" };
+}
+
 // ---- commands ----------------------------------------------------------
 
 async function cmdInstall() {
@@ -242,21 +293,29 @@ function cmdUpdate() {
     { label: "Start new service", cmd: "systemctl start mop-agent", privileged: true },
     { label: "Verify service", cmd: "sleep 2 && systemctl is-active --quiet mop-agent", privileged: true },
   ]);
-  console.log(c("green", "\n✓ updated, rebuilt, and service verified\n"));
+  const proxy = reconcileNginx();
+  console.log(c("green", `\n✓ updated and verified through ${proxy.protocol}://${proxy.domain}\n`));
 }
 
 function cmdStatus() {
   banner();
   if (!printInstallLocations()) return;
+  let runtime;
+  try { runtime = readRuntimeConfig(); } catch { runtime = null; }
+  const os = detectOS();
+  const nginx = nginxPaths(os.family);
   const checks = [
     ["service", "systemctl is-active mop-agent 2>/dev/null || echo inactive"],
     ["nginx", "systemctl is-active nginx 2>/dev/null || echo inactive"],
+    ["nginx conf", `test -f ${q(nginx.conf)} && echo present || echo missing`],
+    ...(nginx.enabled ? [["nginx link", `test -L ${q(nginx.enabled)} && echo present || echo missing`]] : []),
     [".env", existsSync(`${APP_DIR}/apps/web/.env`) ? "echo present" : "echo missing"],
+    ...(runtime ? [["local app", `curl --silent --output /dev/null --write-out '%{http_code}' --max-time 5 ${q(`http://127.0.0.1:${runtime.port}/api/setup/status`)} || echo failed`]] : []),
   ];
   for (const [label, cmd] of checks) {
     const r = run(cmd, { capture: true });
     const val = DRY ? "(dry-run)" : r.stdout.trim();
-    console.log(`  ${label.padEnd(10)} ${val === "active" || val === "present" ? c("green", val) : c("yellow", val)}`);
+    console.log(`  ${label.padEnd(10)} ${val === "active" || val === "present" || val === "200" ? c("green", val) : c("yellow", val)}`);
   }
   console.log("");
 }

package/npm-shrinkwrap.json

@@ -1,12 +1,12 @@
 {
   "name": "mop-agent",
-  "version": "0.1.8",
+  "version": "0.1.9",
   "lockfileVersion": 3,
   "requires": true,
   "packages": {
     "": {
       "name": "mop-agent",
-      "version": "0.1.8",
+      "version": "0.1.9",
       "license": "UNLICENSED",
       "workspaces": [
         "packages/*",

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "mop-agent",
-  "version": "0.1.8",
+  "version": "0.1.9",
   "description": "Self-hosted AI assistant with persistent cross-project memory, installed with npx mop-agent.",
   "author": "BURHANDEV ENTERPRISE",
   "license": "UNLICENSED",