diff --git a/.env.example b/.env.example
new file mode 100644
index 0000000..d2dc1c1
--- /dev/null
+++ b/.env.example
@@ -0,0 +1,27 @@
+# Core
+DB_PASSWORD=mastermind
+DATABASE_URL=postgres://postgres:${DB_PASSWORD}@db:5432/mastermind
+
+# Public base URL (set to https://... when live)
+BASE_URL=http://100.101.78.42:3005
+
+# REQUIRED in production (>=24 chars). Generate with: openssl rand -base64 48
+SESSION_SECRET=change-this-to-a-long-random-string
+
+# If running behind a reverse proxy (Traefik/Nginx/Caddy), enable this so req.ip and secure cookies work
+TRUST_PROXY=true
+
+# If public site is HTTPS, set COOKIE_SECURE=true (or just make BASE_URL https://...)
+COOKIE_SECURE=false
+
+# One-time bootstrap local owner (only used if there are no local identities yet)
+BOOTSTRAP_OWNER_EMAIL=
+BOOTSTRAP_OWNER_PASSWORD=
+
+# Google OAuth (optional)
+GOOGLE_CLIENT_ID=
+GOOGLE_CLIENT_SECRET=
+
+# Microsoft OAuth (optional)
+MICROSOFT_CLIENT_ID=
+MICROSOFT_CLIENT_SECRET=
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..933e93d
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,26 @@
+.env
+.env.*
+!.env.example
+
+# node
+node_modules/
+
+# logs
+npm-debug.log*
+yarn-debug.log*
+yarn-error.log*
+
+# data
+/data/
+web/data/
+worker/data/
+
+# uploads/attachments
+**/uploads/
+**/attachments/
+
+# OS
+.DS_Store
+
+# misc
+*.swp
diff --git a/CHANGELOG.md b/CHANGELOG.md
new file mode 100644
index 0000000..728f34c
--- /dev/null
+++ b/CHANGELOG.md
@@ -0,0 +1,10 @@
+# Changelog
+
+## Unreleased
+- Initial MVP scaffold
+- Local/Google/Microsoft auth
+- Owner user management + password change
+- Audit logs + viewer
+- Projects module
+- Inbox import (.eml) + triage + rules-based auto-assign
+- Email connectors + rules UI (placeholders until OAuth)
diff --git a/DEVELOPMENT.md b/DEVELOPMENT.md
new file mode 100644
index 0000000..0b1feee
--- /dev/null
+++ b/DEVELOPMENT.md
@@ -0,0 +1,38 @@
+# DEVELOPMENT — Mastermind MVP
+
+## Web app
+- Entry point: `web/src/index.js`
+- Views: `web/src/views/*.ejs`
+
+## Database
+Schema is created/altered on startup (MVP style) in `ensureSchema()`.
+
+Tables of interest:
+- `users`, `identities` — auth + multi-provider identities
+- `audit_logs` — append-only audit trail
+- `projects`, `project_members` — project profiles + membership
+- `ingested_emails` — unified inbox store (upload now, OAuth later)
+- `email_connectors` — gmail/microsoft status rows
+- `email_rules` — sorting/assignment rules
+
+## Audit logging convention
+Use:
+```js
+await audit(req, 'namespace.action', { targetType, targetId, metadata })
+```
+
+Examples:
+- `auth.login_success`
+- `admin.user_created`
+- `project.created`
+- `inbox.email_imported`
+
+## Adding a new feature (pattern)
+1) Add DB table/column in `ensureSchema()`
+2) Add routes in `web/src/index.js`
+3) Add views in `web/src/views/`
+4) Log all state changes to `audit_logs`
+
+## Worker
+- `worker/src/worker.js` is a placeholder loop.
+- Later it will pull from connectors, OCR, classify, and run rule assignment.
diff --git a/INSTALL.md b/INSTALL.md
new file mode 100644
index 0000000..e68d23c
--- /dev/null
+++ b/INSTALL.md
@@ -0,0 +1,53 @@
+# INSTALL — Mastermind MVP
+
+## Prerequisites
+- Docker + Docker Compose
+- A stable hostname/IP you can reach (LAN or Tailscale)
+
+## Configure
+```bash
+cd /root/clawd/mastermind-mvp
+cp .env.example .env
+```
+
+Edit `.env`:
+- `SESSION_SECRET` — set to a long random value
+- `BASE_URL` — the URL you use to reach the app (Tailscale IP recommended)
+
+OAuth is optional for now:
+- `GOOGLE_CLIENT_ID/GOOGLE_CLIENT_SECRET`
+- `MICROSOFT_CLIENT_ID/MICROSOFT_CLIENT_SECRET`
+
+## Start
+```bash
+docker compose up -d --build
+```
+
+App:
+- http://<BASE_URL_HOST>:3005/login
+
+## First login (important)
+On first run the app creates:
+- `owner@local` / `owner`
+
+Immediately change it:
+- http://<host>:3005/account/password
+
+## Create your first project
+- http://<host>:3005/projects
+
+## Import email (until OAuth is connected)
+Export emails as `.eml` and upload:
+- http://<host>:3005/inbox
+
+## Enable connector placeholders
+- http://<host>:3005/admin/email
+
+Connectors will show **Configured: no** until OAuth client credentials are added.
+
+## OAuth callbacks (when you’re ready)
+These are the callback URLs the app expects:
+- Google: `BASE_URL/auth/google/callback`
+- Microsoft: `BASE_URL/auth/microsoft/callback`
+
+Set `BASE_URL` correctly before authorizing.
diff --git a/OPERATIONS.md b/OPERATIONS.md
new file mode 100644
index 0000000..2c702a9
--- /dev/null
+++ b/OPERATIONS.md
@@ -0,0 +1,59 @@
+# OPERATIONS — Mastermind MVP
+
+## Logs
+```bash
+cd /root/clawd/mastermind-mvp
+docker compose logs -f web
+docker compose logs -f db
+```
+
+## Restart
+```bash
+docker compose restart
+```
+
+## Update (pull latest code and rebuild)
+```bash
+docker compose down
+docker compose up -d --build
+```
+
+## Data persistence
+Data is stored under `./data/`:
+- `data/postgres/` — Postgres volume
+- `data/uploads/` — stored imported `.eml` files
+
+## Backup (manual for now)
+```bash
+# Stop app for a consistent snapshot
+docker compose down
+
+tar -czf mastermind_backup_$(date +%Y%m%d_%H%M%S).tar.gz data .env docker-compose.yml
+
+# Start again
+docker compose up -d --build
+```
+
+## Restore
+```bash
+docker compose down
+rm -rf data
+
+tar -xzf mastermind_backup_YYYYMMDD_HHMMSS.tar.gz
+
+docker compose up -d --build
+```
+
+## Move to a new server (portability)
+Copy:
+- the whole `mastermind-mvp/` folder (or at minimum: `docker-compose.yml`, `web/`, `worker/`, `data/`, `.env`)
+
+On new host:
+```bash
+cd mastermind-mvp
+docker compose up -d --build
+```
+
+Then verify:
+- `/health`
+- login works
diff --git a/docker-compose.yml b/docker-compose.yml
new file mode 100644
index 0000000..e520195
--- /dev/null
+++ b/docker-compose.yml
@@ -0,0 +1,48 @@
+services:
+  db:
+    image: postgres:16
+    environment:
+      POSTGRES_DB: mastermind
+      POSTGRES_USER: mastermind
+      POSTGRES_PASSWORD: ${DB_PASSWORD:-mastermind}
+    volumes:
+      - ./data/postgres:/var/lib/postgresql/data
+    ports:
+      - "5433:5432"
+    healthcheck:
+      test: ["CMD-SHELL", "pg_isready -U mastermind -d mastermind"]
+      interval: 5s
+      timeout: 5s
+      retries: 20
+
+  web:
+    build: ./web
+    environment:
+      NODE_ENV: development
+      PORT: 3005
+      DATABASE_URL: postgres://mastermind:${DB_PASSWORD:-mastermind}@db:5432/mastermind
+      SESSION_SECRET: ${SESSION_SECRET:-change-me}
+      BASE_URL: ${BASE_URL:-http://localhost:3005}
+      GOOGLE_CLIENT_ID: ${GOOGLE_CLIENT_ID:-}
+      GOOGLE_CLIENT_SECRET: ${GOOGLE_CLIENT_SECRET:-}
+      MICROSOFT_CLIENT_ID: ${MICROSOFT_CLIENT_ID:-}
+      MICROSOFT_CLIENT_SECRET: ${MICROSOFT_CLIENT_SECRET:-}
+    depends_on:
+      db:
+        condition: service_healthy
+    ports:
+      - "3005:3005"
+    volumes:
+      - ./data:/app/data
+
+  worker:
+    build: ./worker
+    environment:
+      NODE_ENV: development
+      DATABASE_URL: postgres://mastermind:${DB_PASSWORD:-mastermind}@db:5432/mastermind
+    depends_on:
+      db:
+        condition: service_healthy
+    # (MVP) no bind-mount to avoid masking node_modules inside container
+
+volumes: {}
diff --git a/package.json b/package.json
new file mode 100644
index 0000000..8ab6b8a
--- /dev/null
+++ b/package.json
@@ -0,0 +1,13 @@
+{
+  "name": "mastermind-mvp",
+  "version": "1.0.0",
+  "description": "",
+  "main": "index.js",
+  "scripts": {
+    "test": "echo \"Error: no test specified\" && exit 1"
+  },
+  "keywords": [],
+  "author": "",
+  "license": "ISC",
+  "type": "commonjs"
+}
diff --git a/scripts/backup.sh b/scripts/backup.sh
new file mode 100755
index 0000000..4abb3f9
--- /dev/null
+++ b/scripts/backup.sh
@@ -0,0 +1,27 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+HERE=$(cd "$(dirname "$0")/.." && pwd)
+TS=$(date +%Y%m%d_%H%M%S)
+OUT="$HERE/backups"
+mkdir -p "$OUT"
+
+ARCHIVE="$OUT/mastermind_backup_${TS}.tar.gz"
+
+echo "[backup] stopping containers for consistent snapshot..."
+cd "$HERE"
+docker compose down
+
+echo "[backup] creating archive: $ARCHIVE"
+tar -czf "$ARCHIVE" \
+  data \
+  .env \
+  docker-compose.yml \
+  README.md INSTALL.md OPERATIONS.md DEVELOPMENT.md CHANGELOG.md \
+  web worker scripts \
+  2>/dev/null || true
+
+echo "[backup] starting containers..."
+docker compose up -d --build
+
+echo "[backup] done: $ARCHIVE"
diff --git a/scripts/restore.sh b/scripts/restore.sh
new file mode 100755
index 0000000..8e9d62f
--- /dev/null
+++ b/scripts/restore.sh
@@ -0,0 +1,26 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+if [ $# -ne 1 ]; then
+  echo "Usage: $0 <backup-archive.tar.gz>"
+  exit 1
+fi
+
+ARCHIVE="$1"
+HERE=$(cd "$(dirname "$0")/.." && pwd)
+
+cd "$HERE"
+
+echo "[restore] stopping containers..."
+docker compose down
+
+echo "[restore] wiping data/..."
+rm -rf data
+
+echo "[restore] extracting $ARCHIVE"
+tar -xzf "$ARCHIVE" -C "$HERE"
+
+echo "[restore] starting containers..."
+docker compose up -d --build
+
+echo "[restore] done"
diff --git a/web/Dockerfile b/web/Dockerfile
new file mode 100644
index 0000000..b59a36c
--- /dev/null
+++ b/web/Dockerfile
@@ -0,0 +1,7 @@
+FROM node:22-alpine
+WORKDIR /app
+COPY package*.json ./
+RUN npm ci
+COPY . .
+EXPOSE 3005
+CMD ["npm","run","dev"]
diff --git a/web/core b/web/core
new file mode 100644
index 0000000..da83c62
Binary files /dev/null and b/web/core differ
diff --git a/web/package-lock.json b/web/package-lock.json
new file mode 100644
index 0000000..ac450e6
--- /dev/null
+++ b/web/package-lock.json
@@ -0,0 +1,1825 @@
+{
+  "name": "mastermind-web",
+  "lockfileVersion": 3,
+  "requires": true,
+  "packages": {
+    "": {
+      "name": "mastermind-web",
+      "dependencies": {
+        "bcryptjs": "^2.4.3",
+        "connect-pg-simple": "^10.0.0",
+        "dotenv": "^16.4.5",
+        "ejs": "^3.1.10",
+        "express": "^4.19.2",
+        "express-rate-limit": "^7.4.0",
+        "express-session": "^1.18.1",
+        "helmet": "^7.1.0",
+        "mailparser": "^3.7.2",
+        "markdown-it": "^14.1.0",
+        "marked": "^12.0.2",
+        "multer": "^1.4.5-lts.1",
+        "passport": "^0.7.0",
+        "passport-azure-ad-oauth2": "^0.0.4",
+        "passport-google-oauth20": "^2.0.0",
+        "passport-local": "^1.0.0",
+        "pg": "^8.12.0"
+      }
+    },
+    "node_modules/@selderee/plugin-htmlparser2": {
+      "version": "0.11.0",
+      "resolved": "https://registry.npmjs.org/@selderee/plugin-htmlparser2/-/plugin-htmlparser2-0.11.0.tgz",
+      "integrity": "sha512-P33hHGdldxGabLFjPPpaTxVolMrzrcegejx+0GxjrIb9Zv48D8yAIA/QTDR2dFl7Uz7urX8aX6+5bCZslr+gWQ==",
+      "license": "MIT",
+      "dependencies": {
+        "domhandler": "^5.0.3",
+        "selderee": "^0.11.0"
+      },
+      "funding": {
+        "url": "https://ko-fi.com/killymxi"
+      }
+    },
+    "node_modules/@zone-eu/mailsplit": {
+      "version": "5.4.8",
+      "resolved": "https://registry.npmjs.org/@zone-eu/mailsplit/-/mailsplit-5.4.8.tgz",
+      "integrity": "sha512-eEyACj4JZ7sjzRvy26QhLgKEMWwQbsw1+QZnlLX+/gihcNH07lVPOcnwf5U6UAL7gkc//J3jVd76o/WS+taUiA==",
+      "license": "(MIT OR EUPL-1.1+)",
+      "dependencies": {
+        "libbase64": "1.3.0",
+        "libmime": "5.3.7",
+        "libqp": "2.1.1"
+      }
+    },
+    "node_modules/accepts": {
+      "version": "1.3.8",
+      "resolved": "https://registry.npmjs.org/accepts/-/accepts-1.3.8.tgz",
+      "integrity": "sha512-PYAthTa2m2VKxuvSD3DPC/Gy+U+sOA1LAuT8mkmRuvw+NACSaeXEQ+NHcVF7rONl6qcaxV3Uuemwawk+7+SJLw==",
+      "license": "MIT",
+      "dependencies": {
+        "mime-types": "~2.1.34",
+        "negotiator": "0.6.3"
+      },
+      "engines": {
+        "node": ">= 0.6"
+      }
+    },
+    "node_modules/append-field": {
+      "version": "1.0.0",
+      "resolved": "https://registry.npmjs.org/append-field/-/append-field-1.0.0.tgz",
+      "integrity": "sha512-klpgFSWLW1ZEs8svjfb7g4qWY0YS5imI82dTg+QahUvJ8YqAY0P10Uk8tTyh9ZGuYEZEMaeJYCF5BFuX552hsw==",
+      "license": "MIT"
+    },
+    "node_modules/argparse": {
+      "version": "2.0.1",
+      "resolved": "https://registry.npmjs.org/argparse/-/argparse-2.0.1.tgz",
+      "integrity": "sha512-8+9WqebbFzpX9OR+Wa6O29asIogeRMzcGtAINdpMHHyAg10f05aSFVBbcEqGf/PXw1EjAZ+q2/bEBg3DvurK3Q==",
+      "license": "Python-2.0"
+    },
+    "node_modules/array-flatten": {
+      "version": "1.1.1",
+      "resolved": "https://registry.npmjs.org/array-flatten/-/array-flatten-1.1.1.tgz",
+      "integrity": "sha512-PCVAQswWemu6UdxsDFFX/+gVeYqKAod3D3UVm91jHwynguOwAvYPhx8nNlM++NqRcK6CxxpUafjmhIdKiHibqg==",
+      "license": "MIT"
+    },
+    "node_modules/async": {
+      "version": "3.2.6",
+      "resolved": "https://registry.npmjs.org/async/-/async-3.2.6.tgz",
+      "integrity": "sha512-htCUDlxyyCLMgaM3xXg0C0LW2xqfuQ6p05pCEIsXuyQ+a1koYKTuBMzRNwmybfLgvJDMd0r1LTn4+E0Ti6C2AA==",
+      "license": "MIT"
+    },
+    "node_modules/balanced-match": {
+      "version": "1.0.2",
+      "resolved": "https://registry.npmjs.org/balanced-match/-/balanced-match-1.0.2.tgz",
+      "integrity": "sha512-3oSeUO0TMV67hN1AmbXsK4yaqU7tjiHlbxRDZOpH0KW9+CeX4bRAaX0Anxt0tx2MrpRpWwQaPwIlISEJhYU5Pw==",
+      "license": "MIT"
+    },
+    "node_modules/base64url": {
+      "version": "3.0.1",
+      "resolved": "https://registry.npmjs.org/base64url/-/base64url-3.0.1.tgz",
+      "integrity": "sha512-ir1UPr3dkwexU7FdV8qBBbNDRUhMmIekYMFZfi+C/sLNnRESKPl23nB9b2pltqfOQNnGzsDdId90AEtG5tCx4A==",
+      "license": "MIT",
+      "engines": {
+        "node": ">=6.0.0"
+      }
+    },
+    "node_modules/bcryptjs": {
+      "version": "2.4.3",
+      "resolved": "https://registry.npmjs.org/bcryptjs/-/bcryptjs-2.4.3.tgz",
+      "integrity": "sha512-V/Hy/X9Vt7f3BbPJEi8BdVFMByHi+jNXrYkW3huaybV/kQ0KJg0Y6PkEMbn+zeT+i+SiKZ/HMqJGIIt4LZDqNQ==",
+      "license": "MIT"
+    },
+    "node_modules/body-parser": {
+      "version": "1.20.4",
+      "resolved": "https://registry.npmjs.org/body-parser/-/body-parser-1.20.4.tgz",
+      "integrity": "sha512-ZTgYYLMOXY9qKU/57FAo8F+HA2dGX7bqGc71txDRC1rS4frdFI5R7NhluHxH6M0YItAP0sHB4uqAOcYKxO6uGA==",
+      "license": "MIT",
+      "dependencies": {
+        "bytes": "~3.1.2",
+        "content-type": "~1.0.5",
+        "debug": "2.6.9",
+        "depd": "2.0.0",
+        "destroy": "~1.2.0",
+        "http-errors": "~2.0.1",
+        "iconv-lite": "~0.4.24",
+        "on-finished": "~2.4.1",
+        "qs": "~6.14.0",
+        "raw-body": "~2.5.3",
+        "type-is": "~1.6.18",
+        "unpipe": "~1.0.0"
+      },
+      "engines": {
+        "node": ">= 0.8",
+        "npm": "1.2.8000 || >= 1.4.16"
+      }
+    },
+    "node_modules/brace-expansion": {
+      "version": "2.0.2",
+      "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-2.0.2.tgz",
+      "integrity": "sha512-Jt0vHyM+jmUBqojB7E1NIYadt0vI0Qxjxd2TErW94wDz+E2LAm5vKMXXwg6ZZBTHPuUlDgQHKXvjGBdfcF1ZDQ==",
+      "license": "MIT",
+      "dependencies": {
+        "balanced-match": "^1.0.0"
+      }
+    },
+    "node_modules/buffer-from": {
+      "version": "1.1.2",
+      "resolved": "https://registry.npmjs.org/buffer-from/-/buffer-from-1.1.2.tgz",
+      "integrity": "sha512-E+XQCRwSbaaiChtv6k6Dwgc+bx+Bs6vuKJHHl5kox/BaKbhiXzqQOwK4cO22yElGp2OCmjwVhT3HmxgyPGnJfQ==",
+      "license": "MIT"
+    },
+    "node_modules/busboy": {
+      "version": "1.6.0",
+      "resolved": "https://registry.npmjs.org/busboy/-/busboy-1.6.0.tgz",
+      "integrity": "sha512-8SFQbg/0hQ9xy3UNTB0YEnsNBbWfhf7RtnzpL7TkBiTBRfrQ9Fxcnz7VJsleJpyp6rVLvXiuORqjlHi5q+PYuA==",
+      "dependencies": {
+        "streamsearch": "^1.1.0"
+      },
+      "engines": {
+        "node": ">=10.16.0"
+      }
+    },
+    "node_modules/bytes": {
+      "version": "3.1.2",
+      "resolved": "https://registry.npmjs.org/bytes/-/bytes-3.1.2.tgz",
+      "integrity": "sha512-/Nf7TyzTx6S3yRJObOAV7956r8cr2+Oj8AC5dt8wSP3BQAoeX58NoHyCU8P8zGkNXStjTSi6fzO6F0pBdcYbEg==",
+      "license": "MIT",
+      "engines": {
+        "node": ">= 0.8"
+      }
+    },
+    "node_modules/call-bind-apply-helpers": {
+      "version": "1.0.2",
+      "resolved": "https://registry.npmjs.org/call-bind-apply-helpers/-/call-bind-apply-helpers-1.0.2.tgz",
+      "integrity": "sha512-Sp1ablJ0ivDkSzjcaJdxEunN5/XvksFJ2sMBFfq6x0ryhQV/2b/KwFe21cMpmHtPOSij8K99/wSfoEuTObmuMQ==",
+      "license": "MIT",
+      "dependencies": {
+        "es-errors": "^1.3.0",
+        "function-bind": "^1.1.2"
+      },
+      "engines": {
+        "node": ">= 0.4"
+      }
+    },
+    "node_modules/call-bound": {
+      "version": "1.0.4",
+      "resolved": "https://registry.npmjs.org/call-bound/-/call-bound-1.0.4.tgz",
+      "integrity": "sha512-+ys997U96po4Kx/ABpBCqhA9EuxJaQWDQg7295H4hBphv3IZg0boBKuwYpt4YXp6MZ5AmZQnU/tyMTlRpaSejg==",
+      "license": "MIT",
+      "dependencies": {
+        "call-bind-apply-helpers": "^1.0.2",
+        "get-intrinsic": "^1.3.0"
+      },
+      "engines": {
+        "node": ">= 0.4"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/ljharb"
+      }
+    },
+    "node_modules/concat-stream": {
+      "version": "1.6.2",
+      "resolved": "https://registry.npmjs.org/concat-stream/-/concat-stream-1.6.2.tgz",
+      "integrity": "sha512-27HBghJxjiZtIk3Ycvn/4kbJk/1uZuJFfuPEns6LaEvpvG1f0hTea8lilrouyo9mVc2GWdcEZ8OLoGmSADlrCw==",
+      "engines": [
+        "node >= 0.8"
+      ],
+      "license": "MIT",
+      "dependencies": {
+        "buffer-from": "^1.0.0",
+        "inherits": "^2.0.3",
+        "readable-stream": "^2.2.2",
+        "typedarray": "^0.0.6"
+      }
+    },
+    "node_modules/connect-pg-simple": {
+      "version": "10.0.0",
+      "resolved": "https://registry.npmjs.org/connect-pg-simple/-/connect-pg-simple-10.0.0.tgz",
+      "integrity": "sha512-pBGVazlqiMrackzCr0eKhn4LO5trJXsOX0nQoey9wCOayh80MYtThCbq8eoLsjpiWgiok/h+1/uti9/2/Una8A==",
+      "license": "MIT",
+      "dependencies": {
+        "pg": "^8.12.0"
+      },
+      "engines": {
+        "node": "^18.18.0 || ^20.9.0 || >=22.0.0"
+      }
+    },
+    "node_modules/content-disposition": {
+      "version": "0.5.4",
+      "resolved": "https://registry.npmjs.org/content-disposition/-/content-disposition-0.5.4.tgz",
+      "integrity": "sha512-FveZTNuGw04cxlAiWbzi6zTAL/lhehaWbTtgluJh4/E95DqMwTmha3KZN1aAWA8cFIhHzMZUvLevkw5Rqk+tSQ==",
+      "license": "MIT",
+      "dependencies": {
+        "safe-buffer": "5.2.1"
+      },
+      "engines": {
+        "node": ">= 0.6"
+      }
+    },
+    "node_modules/content-type": {
+      "version": "1.0.5",
+      "resolved": "https://registry.npmjs.org/content-type/-/content-type-1.0.5.tgz",
+      "integrity": "sha512-nTjqfcBFEipKdXCv4YDQWCfmcLZKm81ldF0pAopTvyrFGVbcR6P/VAAd5G7N+0tTr8QqiU0tFadD6FK4NtJwOA==",
+      "license": "MIT",
+      "engines": {
+        "node": ">= 0.6"
+      }
+    },
+    "node_modules/cookie": {
+      "version": "0.7.2",
+      "resolved": "https://registry.npmjs.org/cookie/-/cookie-0.7.2.tgz",
+      "integrity": "sha512-yki5XnKuf750l50uGTllt6kKILY4nQ1eNIQatoXEByZ5dWgnKqbnqmTrBE5B4N7lrMJKQ2ytWMiTO2o0v6Ew/w==",
+      "license": "MIT",
+      "engines": {
+        "node": ">= 0.6"
+      }
+    },
+    "node_modules/cookie-signature": {
+      "version": "1.0.7",
+      "resolved": "https://registry.npmjs.org/cookie-signature/-/cookie-signature-1.0.7.tgz",
+      "integrity": "sha512-NXdYc3dLr47pBkpUCHtKSwIOQXLVn8dZEuywboCOJY/osA0wFSLlSawr3KN8qXJEyX66FcONTH8EIlVuK0yyFA==",
+      "license": "MIT"
+    },
+    "node_modules/core-util-is": {
+      "version": "1.0.3",
+      "resolved": "https://registry.npmjs.org/core-util-is/-/core-util-is-1.0.3.tgz",
+      "integrity": "sha512-ZQBvi1DcpJ4GDqanjucZ2Hj3wEO5pZDS89BWbkcrvdxksJorwUDDZamX9ldFkp9aw2lmBDLgkObEA4DWNJ9FYQ==",
+      "license": "MIT"
+    },
+    "node_modules/debug": {
+      "version": "2.6.9",
+      "resolved": "https://registry.npmjs.org/debug/-/debug-2.6.9.tgz",
+      "integrity": "sha512-bC7ElrdJaJnPbAP+1EotYvqZsb3ecl5wi6Bfi6BJTUcNowp6cvspg0jXznRTKDjm/E7AdgFBVeAPVMNcKGsHMA==",
+      "license": "MIT",
+      "dependencies": {
+        "ms": "2.0.0"
+      }
+    },
+    "node_modules/deepmerge": {
+      "version": "4.3.1",
+      "resolved": "https://registry.npmjs.org/deepmerge/-/deepmerge-4.3.1.tgz",
+      "integrity": "sha512-3sUqbMEc77XqpdNO7FRyRog+eW3ph+GYCbj+rK+uYyRMuwsVy0rMiVtPn+QJlKFvWP/1PYpapqYn0Me2knFn+A==",
+      "license": "MIT",
+      "engines": {
+        "node": ">=0.10.0"
+      }
+    },
+    "node_modules/depd": {
+      "version": "2.0.0",
+      "resolved": "https://registry.npmjs.org/depd/-/depd-2.0.0.tgz",
+      "integrity": "sha512-g7nH6P6dyDioJogAAGprGpCtVImJhpPk/roCzdb3fIh61/s/nPsfR6onyMwkCAR/OlC3yBC0lESvUoQEAssIrw==",
+      "license": "MIT",
+      "engines": {
+        "node": ">= 0.8"
+      }
+    },
+    "node_modules/destroy": {
+      "version": "1.2.0",
+      "resolved": "https://registry.npmjs.org/destroy/-/destroy-1.2.0.tgz",
+      "integrity": "sha512-2sJGJTaXIIaR1w4iJSNoN0hnMY7Gpc/n8D4qSCJw8QqFWXf7cuAgnEHxBpweaVcPevC2l3KpjYCx3NypQQgaJg==",
+      "license": "MIT",
+      "engines": {
+        "node": ">= 0.8",
+        "npm": "1.2.8000 || >= 1.4.16"
+      }
+    },
+    "node_modules/dom-serializer": {
+      "version": "2.0.0",
+      "resolved": "https://registry.npmjs.org/dom-serializer/-/dom-serializer-2.0.0.tgz",
+      "integrity": "sha512-wIkAryiqt/nV5EQKqQpo3SToSOV9J0DnbJqwK7Wv/Trc92zIAYZ4FlMu+JPFW1DfGFt81ZTCGgDEabffXeLyJg==",
+      "license": "MIT",
+      "dependencies": {
+        "domelementtype": "^2.3.0",
+        "domhandler": "^5.0.2",
+        "entities": "^4.2.0"
+      },
+      "funding": {
+        "url": "https://github.com/cheeriojs/dom-serializer?sponsor=1"
+      }
+    },
+    "node_modules/domelementtype": {
+      "version": "2.3.0",
+      "resolved": "https://registry.npmjs.org/domelementtype/-/domelementtype-2.3.0.tgz",
+      "integrity": "sha512-OLETBj6w0OsagBwdXnPdN0cnMfF9opN69co+7ZrbfPGrdpPVNBUj02spi6B1N7wChLQiPn4CSH/zJvXw56gmHw==",
+      "funding": [
+        {
+          "type": "github",
+          "url": "https://github.com/sponsors/fb55"
+        }
+      ],
+      "license": "BSD-2-Clause"
+    },
+    "node_modules/domhandler": {
+      "version": "5.0.3",
+      "resolved": "https://registry.npmjs.org/domhandler/-/domhandler-5.0.3.tgz",
+      "integrity": "sha512-cgwlv/1iFQiFnU96XXgROh8xTeetsnJiDsTc7TYCLFd9+/WNkIqPTxiM/8pSd8VIrhXGTf1Ny1q1hquVqDJB5w==",
+      "license": "BSD-2-Clause",
+      "dependencies": {
+        "domelementtype": "^2.3.0"
+      },
+      "engines": {
+        "node": ">= 4"
+      },
+      "funding": {
+        "url": "https://github.com/fb55/domhandler?sponsor=1"
+      }
+    },
+    "node_modules/domutils": {
+      "version": "3.2.2",
+      "resolved": "https://registry.npmjs.org/domutils/-/domutils-3.2.2.tgz",
+      "integrity": "sha512-6kZKyUajlDuqlHKVX1w7gyslj9MPIXzIFiz/rGu35uC1wMi+kMhQwGhl4lt9unC9Vb9INnY9Z3/ZA3+FhASLaw==",
+      "license": "BSD-2-Clause",
+      "dependencies": {
+        "dom-serializer": "^2.0.0",
+        "domelementtype": "^2.3.0",
+        "domhandler": "^5.0.3"
+      },
+      "funding": {
+        "url": "https://github.com/fb55/domutils?sponsor=1"
+      }
+    },
+    "node_modules/dotenv": {
+      "version": "16.6.1",
+      "resolved": "https://registry.npmjs.org/dotenv/-/dotenv-16.6.1.tgz",
+      "integrity": "sha512-uBq4egWHTcTt33a72vpSG0z3HnPuIl6NqYcTrKEg2azoEyl2hpW0zqlxysq2pK9HlDIHyHyakeYaYnSAwd8bow==",
+      "license": "BSD-2-Clause",
+      "engines": {
+        "node": ">=12"
+      },
+      "funding": {
+        "url": "https://dotenvx.com"
+      }
+    },
+    "node_modules/dunder-proto": {
+      "version": "1.0.1",
+      "resolved": "https://registry.npmjs.org/dunder-proto/-/dunder-proto-1.0.1.tgz",
+      "integrity": "sha512-KIN/nDJBQRcXw0MLVhZE9iQHmG68qAVIBg9CqmUYjmQIhgij9U5MFvrqkUL5FbtyyzZuOeOt0zdeRe4UY7ct+A==",
+      "license": "MIT",
+      "dependencies": {
+        "call-bind-apply-helpers": "^1.0.1",
+        "es-errors": "^1.3.0",
+        "gopd": "^1.2.0"
+      },
+      "engines": {
+        "node": ">= 0.4"
+      }
+    },
+    "node_modules/ee-first": {
+      "version": "1.1.1",
+      "resolved": "https://registry.npmjs.org/ee-first/-/ee-first-1.1.1.tgz",
+      "integrity": "sha512-WMwm9LhRUo+WUaRN+vRuETqG89IgZphVSNkdFgeb6sS/E4OrDIN7t48CAewSHXc6C8lefD8KKfr5vY61brQlow==",
+      "license": "MIT"
+    },
+    "node_modules/ejs": {
+      "version": "3.1.10",
+      "resolved": "https://registry.npmjs.org/ejs/-/ejs-3.1.10.tgz",
+      "integrity": "sha512-UeJmFfOrAQS8OJWPZ4qtgHyWExa088/MtK5UEyoJGFH67cDEXkZSviOiKRCZ4Xij0zxI3JECgYs3oKx+AizQBA==",
+      "license": "Apache-2.0",
+      "dependencies": {
+        "jake": "^10.8.5"
+      },
+      "bin": {
+        "ejs": "bin/cli.js"
+      },
+      "engines": {
+        "node": ">=0.10.0"
+      }
+    },
+    "node_modules/encodeurl": {
+      "version": "2.0.0",
+      "resolved": "https://registry.npmjs.org/encodeurl/-/encodeurl-2.0.0.tgz",
+      "integrity": "sha512-Q0n9HRi4m6JuGIV1eFlmvJB7ZEVxu93IrMyiMsGC0lrMJMWzRgx6WGquyfQgZVb31vhGgXnfmPNNXmxnOkRBrg==",
+      "license": "MIT",
+      "engines": {
+        "node": ">= 0.8"
+      }
+    },
+    "node_modules/encoding-japanese": {
+      "version": "2.2.0",
+      "resolved": "https://registry.npmjs.org/encoding-japanese/-/encoding-japanese-2.2.0.tgz",
+      "integrity": "sha512-EuJWwlHPZ1LbADuKTClvHtwbaFn4rOD+dRAbWysqEOXRc2Uui0hJInNJrsdH0c+OhJA4nrCBdSkW4DD5YxAo6A==",
+      "license": "MIT",
+      "engines": {
+        "node": ">=8.10.0"
+      }
+    },
+    "node_modules/entities": {
+      "version": "4.5.0",
+      "resolved": "https://registry.npmjs.org/entities/-/entities-4.5.0.tgz",
+      "integrity": "sha512-V0hjH4dGPh9Ao5p0MoRY6BVqtwCjhz6vI5LT8AJ55H+4g9/4vbHx1I54fS0XuclLhDHArPQCiMjDxjaL8fPxhw==",
+      "license": "BSD-2-Clause",
+      "engines": {
+        "node": ">=0.12"
+      },
+      "funding": {
+        "url": "https://github.com/fb55/entities?sponsor=1"
+      }
+    },
+    "node_modules/es-define-property": {
+      "version": "1.0.1",
+      "resolved": "https://registry.npmjs.org/es-define-property/-/es-define-property-1.0.1.tgz",
+      "integrity": "sha512-e3nRfgfUZ4rNGL232gUgX06QNyyez04KdjFrF+LTRoOXmrOgFKDg4BCdsjW8EnT69eqdYGmRpJwiPVYNrCaW3g==",
+      "license": "MIT",
+      "engines": {
+        "node": ">= 0.4"
+      }
+    },
+    "node_modules/es-errors": {
+      "version": "1.3.0",
+      "resolved": "https://registry.npmjs.org/es-errors/-/es-errors-1.3.0.tgz",
+      "integrity": "sha512-Zf5H2Kxt2xjTvbJvP2ZWLEICxA6j+hAmMzIlypy4xcBg1vKVnx89Wy0GbS+kf5cwCVFFzdCFh2XSCFNULS6csw==",
+      "license": "MIT",
+      "engines": {
+        "node": ">= 0.4"
+      }
+    },
+    "node_modules/es-object-atoms": {
+      "version": "1.1.1",
+      "resolved": "https://registry.npmjs.org/es-object-atoms/-/es-object-atoms-1.1.1.tgz",
+      "integrity": "sha512-FGgH2h8zKNim9ljj7dankFPcICIK9Cp5bm+c2gQSYePhpaG5+esrLODihIorn+Pe6FGJzWhXQotPv73jTaldXA==",
+      "license": "MIT",
+      "dependencies": {
+        "es-errors": "^1.3.0"
+      },
+      "engines": {
+        "node": ">= 0.4"
+      }
+    },
+    "node_modules/escape-html": {
+      "version": "1.0.3",
+      "resolved": "https://registry.npmjs.org/escape-html/-/escape-html-1.0.3.tgz",
+      "integrity": "sha512-NiSupZ4OeuGwr68lGIeym/ksIZMJodUGOSCZ/FSnTxcrekbvqrgdUxlJOMpijaKZVjAJrWrGs/6Jy8OMuyj9ow==",
+      "license": "MIT"
+    },
+    "node_modules/etag": {
+      "version": "1.8.1",
+      "resolved": "https://registry.npmjs.org/etag/-/etag-1.8.1.tgz",
+      "integrity": "sha512-aIL5Fx7mawVa300al2BnEE4iNvo1qETxLrPI/o05L7z6go7fCw1J6EQmbK4FmJ2AS7kgVF/KEZWufBfdClMcPg==",
+      "license": "MIT",
+      "engines": {
+        "node": ">= 0.6"
+      }
+    },
+    "node_modules/express": {
+      "version": "4.22.1",
+      "resolved": "https://registry.npmjs.org/express/-/express-4.22.1.tgz",
+      "integrity": "sha512-F2X8g9P1X7uCPZMA3MVf9wcTqlyNp7IhH5qPCI0izhaOIYXaW9L535tGA3qmjRzpH+bZczqq7hVKxTR4NWnu+g==",
+      "license": "MIT",
+      "peer": true,
+      "dependencies": {
+        "accepts": "~1.3.8",
+        "array-flatten": "1.1.1",
+        "body-parser": "~1.20.3",
+        "content-disposition": "~0.5.4",
+        "content-type": "~1.0.4",
+        "cookie": "~0.7.1",
+        "cookie-signature": "~1.0.6",
+        "debug": "2.6.9",
+        "depd": "2.0.0",
+        "encodeurl": "~2.0.0",
+        "escape-html": "~1.0.3",
+        "etag": "~1.8.1",
+        "finalhandler": "~1.3.1",
+        "fresh": "~0.5.2",
+        "http-errors": "~2.0.0",
+        "merge-descriptors": "1.0.3",
+        "methods": "~1.1.2",
+        "on-finished": "~2.4.1",
+        "parseurl": "~1.3.3",
+        "path-to-regexp": "~0.1.12",
+        "proxy-addr": "~2.0.7",
+        "qs": "~6.14.0",
+        "range-parser": "~1.2.1",
+        "safe-buffer": "5.2.1",
+        "send": "~0.19.0",
+        "serve-static": "~1.16.2",
+        "setprototypeof": "1.2.0",
+        "statuses": "~2.0.1",
+        "type-is": "~1.6.18",
+        "utils-merge": "1.0.1",
+        "vary": "~1.1.2"
+      },
+      "engines": {
+        "node": ">= 0.10.0"
+      },
+      "funding": {
+        "type": "opencollective",
+        "url": "https://opencollective.com/express"
+      }
+    },
+    "node_modules/express-rate-limit": {
+      "version": "7.5.1",
+      "resolved": "https://registry.npmjs.org/express-rate-limit/-/express-rate-limit-7.5.1.tgz",
+      "integrity": "sha512-7iN8iPMDzOMHPUYllBEsQdWVB6fPDMPqwjBaFrgr4Jgr/+okjvzAy+UHlYYL/Vs0OsOrMkwS6PJDkFlJwoxUnw==",
+      "license": "MIT",
+      "engines": {
+        "node": ">= 16"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/express-rate-limit"
+      },
+      "peerDependencies": {
+        "express": ">= 4.11"
+      }
+    },
+    "node_modules/express-session": {
+      "version": "1.19.0",
+      "resolved": "https://registry.npmjs.org/express-session/-/express-session-1.19.0.tgz",
+      "integrity": "sha512-0csaMkGq+vaiZTmSMMGkfdCOabYv192VbytFypcvI0MANrp+4i/7yEkJ0sbAEhycQjntaKGzYfjfXQyVb7BHMA==",
+      "license": "MIT",
+      "dependencies": {
+        "cookie": "~0.7.2",
+        "cookie-signature": "~1.0.7",
+        "debug": "~2.6.9",
+        "depd": "~2.0.0",
+        "on-headers": "~1.1.0",
+        "parseurl": "~1.3.3",
+        "safe-buffer": "~5.2.1",
+        "uid-safe": "~2.1.5"
+      },
+      "engines": {
+        "node": ">= 0.8.0"
+      },
+      "funding": {
+        "type": "opencollective",
+        "url": "https://opencollective.com/express"
+      }
+    },
+    "node_modules/filelist": {
+      "version": "1.0.4",
+      "resolved": "https://registry.npmjs.org/filelist/-/filelist-1.0.4.tgz",
+      "integrity": "sha512-w1cEuf3S+DrLCQL7ET6kz+gmlJdbq9J7yXCSjK/OZCPA+qEN1WyF4ZAf0YYJa4/shHJra2t/d/r8SV4Ji+x+8Q==",
+      "license": "Apache-2.0",
+      "dependencies": {
+        "minimatch": "^5.0.1"
+      }
+    },
+    "node_modules/finalhandler": {
+      "version": "1.3.2",
+      "resolved": "https://registry.npmjs.org/finalhandler/-/finalhandler-1.3.2.tgz",
+      "integrity": "sha512-aA4RyPcd3badbdABGDuTXCMTtOneUCAYH/gxoYRTZlIJdF0YPWuGqiAsIrhNnnqdXGswYk6dGujem4w80UJFhg==",
+      "license": "MIT",
+      "dependencies": {
+        "debug": "2.6.9",
+        "encodeurl": "~2.0.0",
+        "escape-html": "~1.0.3",
+        "on-finished": "~2.4.1",
+        "parseurl": "~1.3.3",
+        "statuses": "~2.0.2",
+        "unpipe": "~1.0.0"
+      },
+      "engines": {
+        "node": ">= 0.8"
+      }
+    },
+    "node_modules/forwarded": {
+      "version": "0.2.0",
+      "resolved": "https://registry.npmjs.org/forwarded/-/forwarded-0.2.0.tgz",
+      "integrity": "sha512-buRG0fpBtRHSTCOASe6hD258tEubFoRLb4ZNA6NxMVHNw2gOcwHo9wyablzMzOA5z9xA9L1KNjk/Nt6MT9aYow==",
+      "license": "MIT",
+      "engines": {
+        "node": ">= 0.6"
+      }
+    },
+    "node_modules/fresh": {
+      "version": "0.5.2",
+      "resolved": "https://registry.npmjs.org/fresh/-/fresh-0.5.2.tgz",
+      "integrity": "sha512-zJ2mQYM18rEFOudeV4GShTGIQ7RbzA7ozbU9I/XBpm7kqgMywgmylMwXHxZJmkVoYkna9d2pVXVXPdYTP9ej8Q==",
+      "license": "MIT",
+      "engines": {
+        "node": ">= 0.6"
+      }
+    },
+    "node_modules/function-bind": {
+      "version": "1.1.2",
+      "resolved": "https://registry.npmjs.org/function-bind/-/function-bind-1.1.2.tgz",
+      "integrity": "sha512-7XHNxH7qX9xG5mIwxkhumTox/MIRNcOgDrxWsMt2pAr23WHp6MrRlN7FBSFpCpr+oVO0F744iUgR82nJMfG2SA==",
+      "license": "MIT",
+      "funding": {
+        "url": "https://github.com/sponsors/ljharb"
+      }
+    },
+    "node_modules/get-intrinsic": {
+      "version": "1.3.0",
+      "resolved": "https://registry.npmjs.org/get-intrinsic/-/get-intrinsic-1.3.0.tgz",
+      "integrity": "sha512-9fSjSaos/fRIVIp+xSJlE6lfwhES7LNtKaCBIamHsjr2na1BiABJPo0mOjjz8GJDURarmCPGqaiVg5mfjb98CQ==",
+      "license": "MIT",
+      "dependencies": {
+        "call-bind-apply-helpers": "^1.0.2",
+        "es-define-property": "^1.0.1",
+        "es-errors": "^1.3.0",
+        "es-object-atoms": "^1.1.1",
+        "function-bind": "^1.1.2",
+        "get-proto": "^1.0.1",
+        "gopd": "^1.2.0",
+        "has-symbols": "^1.1.0",
+        "hasown": "^2.0.2",
+        "math-intrinsics": "^1.1.0"
+      },
+      "engines": {
+        "node": ">= 0.4"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/ljharb"
+      }
+    },
+    "node_modules/get-proto": {
+      "version": "1.0.1",
+      "resolved": "https://registry.npmjs.org/get-proto/-/get-proto-1.0.1.tgz",
+      "integrity": "sha512-sTSfBjoXBp89JvIKIefqw7U2CCebsc74kiY6awiGogKtoSGbgjYE/G/+l9sF3MWFPNc9IcoOC4ODfKHfxFmp0g==",
+      "license": "MIT",
+      "dependencies": {
+        "dunder-proto": "^1.0.1",
+        "es-object-atoms": "^1.0.0"
+      },
+      "engines": {
+        "node": ">= 0.4"
+      }
+    },
+    "node_modules/gopd": {
+      "version": "1.2.0",
+      "resolved": "https://registry.npmjs.org/gopd/-/gopd-1.2.0.tgz",
+      "integrity": "sha512-ZUKRh6/kUFoAiTAtTYPZJ3hw9wNxx+BIBOijnlG9PnrJsCcSjs1wyyD6vJpaYtgnzDrKYRSqf3OO6Rfa93xsRg==",
+      "license": "MIT",
+      "engines": {
+        "node": ">= 0.4"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/ljharb"
+      }
+    },
+    "node_modules/has-symbols": {
+      "version": "1.1.0",
+      "resolved": "https://registry.npmjs.org/has-symbols/-/has-symbols-1.1.0.tgz",
+      "integrity": "sha512-1cDNdwJ2Jaohmb3sg4OmKaMBwuC48sYni5HUw2DvsC8LjGTLK9h+eb1X6RyuOHe4hT0ULCW68iomhjUoKUqlPQ==",
+      "license": "MIT",
+      "engines": {
+        "node": ">= 0.4"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/ljharb"
+      }
+    },
+    "node_modules/hasown": {
+      "version": "2.0.2",
+      "resolved": "https://registry.npmjs.org/hasown/-/hasown-2.0.2.tgz",
+      "integrity": "sha512-0hJU9SCPvmMzIBdZFqNPXWa6dqh7WdH0cII9y+CyS8rG3nL48Bclra9HmKhVVUHyPWNH5Y7xDwAB7bfgSjkUMQ==",
+      "license": "MIT",
+      "dependencies": {
+        "function-bind": "^1.1.2"
+      },
+      "engines": {
+        "node": ">= 0.4"
+      }
+    },
+    "node_modules/he": {
+      "version": "1.2.0",
+      "resolved": "https://registry.npmjs.org/he/-/he-1.2.0.tgz",
+      "integrity": "sha512-F/1DnUGPopORZi0ni+CvrCgHQ5FyEAHRLSApuYWMmrbSwoN2Mn/7k+Gl38gJnR7yyDZk6WLXwiGod1JOWNDKGw==",
+      "license": "MIT",
+      "bin": {
+        "he": "bin/he"
+      }
+    },
+    "node_modules/helmet": {
+      "version": "7.2.0",
+      "resolved": "https://registry.npmjs.org/helmet/-/helmet-7.2.0.tgz",
+      "integrity": "sha512-ZRiwvN089JfMXokizgqEPXsl2Guk094yExfoDXR0cBYWxtBbaSww/w+vT4WEJsBW2iTUi1GgZ6swmoug3Oy4Xw==",
+      "license": "MIT",
+      "engines": {
+        "node": ">=16.0.0"
+      }
+    },
+    "node_modules/html-to-text": {
+      "version": "9.0.5",
+      "resolved": "https://registry.npmjs.org/html-to-text/-/html-to-text-9.0.5.tgz",
+      "integrity": "sha512-qY60FjREgVZL03vJU6IfMV4GDjGBIoOyvuFdpBDIX9yTlDw0TjxVBQp+P8NvpdIXNJvfWBTNul7fsAQJq2FNpg==",
+      "license": "MIT",
+      "dependencies": {
+        "@selderee/plugin-htmlparser2": "^0.11.0",
+        "deepmerge": "^4.3.1",
+        "dom-serializer": "^2.0.0",
+        "htmlparser2": "^8.0.2",
+        "selderee": "^0.11.0"
+      },
+      "engines": {
+        "node": ">=14"
+      }
+    },
+    "node_modules/htmlparser2": {
+      "version": "8.0.2",
+      "resolved": "https://registry.npmjs.org/htmlparser2/-/htmlparser2-8.0.2.tgz",
+      "integrity": "sha512-GYdjWKDkbRLkZ5geuHs5NY1puJ+PXwP7+fHPRz06Eirsb9ugf6d8kkXav6ADhcODhFFPMIXyxkxSuMf3D6NCFA==",
+      "funding": [
+        "https://github.com/fb55/htmlparser2?sponsor=1",
+        {
+          "type": "github",
+          "url": "https://github.com/sponsors/fb55"
+        }
+      ],
+      "license": "MIT",
+      "dependencies": {
+        "domelementtype": "^2.3.0",
+        "domhandler": "^5.0.3",
+        "domutils": "^3.0.1",
+        "entities": "^4.4.0"
+      }
+    },
+    "node_modules/http-errors": {
+      "version": "2.0.1",
+      "resolved": "https://registry.npmjs.org/http-errors/-/http-errors-2.0.1.tgz",
+      "integrity": "sha512-4FbRdAX+bSdmo4AUFuS0WNiPz8NgFt+r8ThgNWmlrjQjt1Q7ZR9+zTlce2859x4KSXrwIsaeTqDoKQmtP8pLmQ==",
+      "license": "MIT",
+      "dependencies": {
+        "depd": "~2.0.0",
+        "inherits": "~2.0.4",
+        "setprototypeof": "~1.2.0",
+        "statuses": "~2.0.2",
+        "toidentifier": "~1.0.1"
+      },
+      "engines": {
+        "node": ">= 0.8"
+      },
+      "funding": {
+        "type": "opencollective",
+        "url": "https://opencollective.com/express"
+      }
+    },
+    "node_modules/iconv-lite": {
+      "version": "0.4.24",
+      "resolved": "https://registry.npmjs.org/iconv-lite/-/iconv-lite-0.4.24.tgz",
+      "integrity": "sha512-v3MXnZAcvnywkTUEZomIActle7RXXeedOR31wwl7VlyoXO4Qi9arvSenNQWne1TcRwhCL1HwLI21bEqdpj8/rA==",
+      "license": "MIT",
+      "dependencies": {
+        "safer-buffer": ">= 2.1.2 < 3"
+      },
+      "engines": {
+        "node": ">=0.10.0"
+      }
+    },
+    "node_modules/inherits": {
+      "version": "2.0.4",
+      "resolved": "https://registry.npmjs.org/inherits/-/inherits-2.0.4.tgz",
+      "integrity": "sha512-k/vGaX4/Yla3WzyMCvTQOXYeIHvqOKtnqBduzTHpzpQZzAskKMhZ2K+EnBiSM9zGSoIFeMpXKxa4dYeZIQqewQ==",
+      "license": "ISC"
+    },
+    "node_modules/ipaddr.js": {
+      "version": "1.9.1",
+      "resolved": "https://registry.npmjs.org/ipaddr.js/-/ipaddr.js-1.9.1.tgz",
+      "integrity": "sha512-0KI/607xoxSToH7GjN1FfSbLoU0+btTicjsQSWQlh/hZykN8KpmMf7uYwPW3R+akZ6R/w18ZlXSHBYXiYUPO3g==",
+      "license": "MIT",
+      "engines": {
+        "node": ">= 0.10"
+      }
+    },
+    "node_modules/isarray": {
+      "version": "1.0.0",
+      "resolved": "https://registry.npmjs.org/isarray/-/isarray-1.0.0.tgz",
+      "integrity": "sha512-VLghIWNM6ELQzo7zwmcg0NmTVyWKYjvIeM83yjp0wRDTmUnrM678fQbcKBo6n2CJEF0szoG//ytg+TKla89ALQ==",
+      "license": "MIT"
+    },
+    "node_modules/jake": {
+      "version": "10.9.4",
+      "resolved": "https://registry.npmjs.org/jake/-/jake-10.9.4.tgz",
+      "integrity": "sha512-wpHYzhxiVQL+IV05BLE2Xn34zW1S223hvjtqk0+gsPrwd/8JNLXJgZZM/iPFsYc1xyphF+6M6EvdE5E9MBGkDA==",
+      "license": "Apache-2.0",
+      "dependencies": {
+        "async": "^3.2.6",
+        "filelist": "^1.0.4",
+        "picocolors": "^1.1.1"
+      },
+      "bin": {
+        "jake": "bin/cli.js"
+      },
+      "engines": {
+        "node": ">=10"
+      }
+    },
+    "node_modules/leac": {
+      "version": "0.6.0",
+      "resolved": "https://registry.npmjs.org/leac/-/leac-0.6.0.tgz",
+      "integrity": "sha512-y+SqErxb8h7nE/fiEX07jsbuhrpO9lL8eca7/Y1nuWV2moNlXhyd59iDGcRf6moVyDMbmTNzL40SUyrFU/yDpg==",
+      "license": "MIT",
+      "funding": {
+        "url": "https://ko-fi.com/killymxi"
+      }
+    },
+    "node_modules/libbase64": {
+      "version": "1.3.0",
+      "resolved": "https://registry.npmjs.org/libbase64/-/libbase64-1.3.0.tgz",
+      "integrity": "sha512-GgOXd0Eo6phYgh0DJtjQ2tO8dc0IVINtZJeARPeiIJqge+HdsWSuaDTe8ztQ7j/cONByDZ3zeB325AHiv5O0dg==",
+      "license": "MIT"
+    },
+    "node_modules/libmime": {
+      "version": "5.3.7",
+      "resolved": "https://registry.npmjs.org/libmime/-/libmime-5.3.7.tgz",
+      "integrity": "sha512-FlDb3Wtha8P01kTL3P9M+ZDNDWPKPmKHWaU/cG/lg5pfuAwdflVpZE+wm9m7pKmC5ww6s+zTxBKS1p6yl3KpSw==",
+      "license": "MIT",
+      "dependencies": {
+        "encoding-japanese": "2.2.0",
+        "iconv-lite": "0.6.3",
+        "libbase64": "1.3.0",
+        "libqp": "2.1.1"
+      }
+    },
+    "node_modules/libmime/node_modules/iconv-lite": {
+      "version": "0.6.3",
+      "resolved": "https://registry.npmjs.org/iconv-lite/-/iconv-lite-0.6.3.tgz",
+      "integrity": "sha512-4fCk79wshMdzMp2rH06qWrJE4iolqLhCUH+OiuIgU++RB0+94NlDL81atO7GX55uUKueo0txHNtvEyI6D7WdMw==",
+      "license": "MIT",
+      "dependencies": {
+        "safer-buffer": ">= 2.1.2 < 3.0.0"
+      },
+      "engines": {
+        "node": ">=0.10.0"
+      }
+    },
+    "node_modules/libqp": {
+      "version": "2.1.1",
+      "resolved": "https://registry.npmjs.org/libqp/-/libqp-2.1.1.tgz",
+      "integrity": "sha512-0Wd+GPz1O134cP62YU2GTOPNA7Qgl09XwCqM5zpBv87ERCXdfDtyKXvV7c9U22yWJh44QZqBocFnXN11K96qow==",
+      "license": "MIT"
+    },
+    "node_modules/linkify-it": {
+      "version": "5.0.0",
+      "resolved": "https://registry.npmjs.org/linkify-it/-/linkify-it-5.0.0.tgz",
+      "integrity": "sha512-5aHCbzQRADcdP+ATqnDuhhJ/MRIqDkZX5pyjFHRRysS8vZ5AbqGEoFIb6pYHPZ+L/OC2Lc+xT8uHVVR5CAK/wQ==",
+      "license": "MIT",
+      "dependencies": {
+        "uc.micro": "^2.0.0"
+      }
+    },
+    "node_modules/mailparser": {
+      "version": "3.9.3",
+      "resolved": "https://registry.npmjs.org/mailparser/-/mailparser-3.9.3.tgz",
+      "integrity": "sha512-AnB0a3zROum6fLaa52L+/K2SoRJVyFDk78Ea6q1D0ofcZLxWEWDtsS1+OrVqKbV7r5dulKL/AwYQccFGAPpuYQ==",
+      "license": "MIT",
+      "dependencies": {
+        "@zone-eu/mailsplit": "5.4.8",
+        "encoding-japanese": "2.2.0",
+        "he": "1.2.0",
+        "html-to-text": "9.0.5",
+        "iconv-lite": "0.7.2",
+        "libmime": "5.3.7",
+        "linkify-it": "5.0.0",
+        "nodemailer": "7.0.13",
+        "punycode.js": "2.3.1",
+        "tlds": "1.261.0"
+      }
+    },
+    "node_modules/mailparser/node_modules/iconv-lite": {
+      "version": "0.7.2",
+      "resolved": "https://registry.npmjs.org/iconv-lite/-/iconv-lite-0.7.2.tgz",
+      "integrity": "sha512-im9DjEDQ55s9fL4EYzOAv0yMqmMBSZp6G0VvFyTMPKWxiSBHUj9NW/qqLmXUwXrrM7AvqSlTCfvqRb0cM8yYqw==",
+      "license": "MIT",
+      "dependencies": {
+        "safer-buffer": ">= 2.1.2 < 3.0.0"
+      },
+      "engines": {
+        "node": ">=0.10.0"
+      },
+      "funding": {
+        "type": "opencollective",
+        "url": "https://opencollective.com/express"
+      }
+    },
+    "node_modules/markdown-it": {
+      "version": "14.1.1",
+      "resolved": "https://registry.npmjs.org/markdown-it/-/markdown-it-14.1.1.tgz",
+      "integrity": "sha512-BuU2qnTti9YKgK5N+IeMubp14ZUKUUw7yeJbkjtosvHiP0AZ5c8IAgEMk79D0eC8F23r4Ac/q8cAIFdm2FtyoA==",
+      "license": "MIT",
+      "dependencies": {
+        "argparse": "^2.0.1",
+        "entities": "^4.4.0",
+        "linkify-it": "^5.0.0",
+        "mdurl": "^2.0.0",
+        "punycode.js": "^2.3.1",
+        "uc.micro": "^2.1.0"
+      },
+      "bin": {
+        "markdown-it": "bin/markdown-it.mjs"
+      }
+    },
+    "node_modules/marked": {
+      "version": "12.0.2",
+      "resolved": "https://registry.npmjs.org/marked/-/marked-12.0.2.tgz",
+      "integrity": "sha512-qXUm7e/YKFoqFPYPa3Ukg9xlI5cyAtGmyEIzMfW//m6kXwCy2Ps9DYf5ioijFKQ8qyuscrHoY04iJGctu2Kg0Q==",
+      "license": "MIT",
+      "bin": {
+        "marked": "bin/marked.js"
+      },
+      "engines": {
+        "node": ">= 18"
+      }
+    },
+    "node_modules/math-intrinsics": {
+      "version": "1.1.0",
+      "resolved": "https://registry.npmjs.org/math-intrinsics/-/math-intrinsics-1.1.0.tgz",
+      "integrity": "sha512-/IXtbwEk5HTPyEwyKX6hGkYXxM9nbj64B+ilVJnC/R6B0pH5G4V3b0pVbL7DBj4tkhBAppbQUlf6F6Xl9LHu1g==",
+      "license": "MIT",
+      "engines": {
+        "node": ">= 0.4"
+      }
+    },
+    "node_modules/mdurl": {
+      "version": "2.0.0",
+      "resolved": "https://registry.npmjs.org/mdurl/-/mdurl-2.0.0.tgz",
+      "integrity": "sha512-Lf+9+2r+Tdp5wXDXC4PcIBjTDtq4UKjCPMQhKIuzpJNW0b96kVqSwW0bT7FhRSfmAiFYgP+SCRvdrDozfh0U5w==",
+      "license": "MIT"
+    },
+    "node_modules/media-typer": {
+      "version": "0.3.0",
+      "resolved": "https://registry.npmjs.org/media-typer/-/media-typer-0.3.0.tgz",
+      "integrity": "sha512-dq+qelQ9akHpcOl/gUVRTxVIOkAJ1wR3QAvb4RsVjS8oVoFjDGTc679wJYmUmknUF5HwMLOgb5O+a3KxfWapPQ==",
+      "license": "MIT",
+      "engines": {
+        "node": ">= 0.6"
+      }
+    },
+    "node_modules/merge-descriptors": {
+      "version": "1.0.3",
+      "resolved": "https://registry.npmjs.org/merge-descriptors/-/merge-descriptors-1.0.3.tgz",
+      "integrity": "sha512-gaNvAS7TZ897/rVaZ0nMtAyxNyi/pdbjbAwUpFQpN70GqnVfOiXpeUUMKRBmzXaSQ8DdTX4/0ms62r2K+hE6mQ==",
+      "license": "MIT",
+      "funding": {
+        "url": "https://github.com/sponsors/sindresorhus"
+      }
+    },
+    "node_modules/methods": {
+      "version": "1.1.2",
+      "resolved": "https://registry.npmjs.org/methods/-/methods-1.1.2.tgz",
+      "integrity": "sha512-iclAHeNqNm68zFtnZ0e+1L2yUIdvzNoauKU4WBA3VvH/vPFieF7qfRlwUZU+DA9P9bPXIS90ulxoUoCH23sV2w==",
+      "license": "MIT",
+      "engines": {
+        "node": ">= 0.6"
+      }
+    },
+    "node_modules/mime": {
+      "version": "1.6.0",
+      "resolved": "https://registry.npmjs.org/mime/-/mime-1.6.0.tgz",
+      "integrity": "sha512-x0Vn8spI+wuJ1O6S7gnbaQg8Pxh4NNHb7KSINmEWKiPE4RKOplvijn+NkmYmmRgP68mc70j2EbeTFRsrswaQeg==",
+      "license": "MIT",
+      "bin": {
+        "mime": "cli.js"
+      },
+      "engines": {
+        "node": ">=4"
+      }
+    },
+    "node_modules/mime-db": {
+      "version": "1.52.0",
+      "resolved": "https://registry.npmjs.org/mime-db/-/mime-db-1.52.0.tgz",
+      "integrity": "sha512-sPU4uV7dYlvtWJxwwxHD0PuihVNiE7TyAbQ5SWxDCB9mUYvOgroQOwYQQOKPJ8CIbE+1ETVlOoK1UC2nU3gYvg==",
+      "license": "MIT",
+      "engines": {
+        "node": ">= 0.6"
+      }
+    },
+    "node_modules/mime-types": {
+      "version": "2.1.35",
+      "resolved": "https://registry.npmjs.org/mime-types/-/mime-types-2.1.35.tgz",
+      "integrity": "sha512-ZDY+bPm5zTTF+YpCrAU9nK0UgICYPT0QtT1NZWFv4s++TNkcgVaT0g6+4R2uI4MjQjzysHB1zxuWL50hzaeXiw==",
+      "license": "MIT",
+      "dependencies": {
+        "mime-db": "1.52.0"
+      },
+      "engines": {
+        "node": ">= 0.6"
+      }
+    },
+    "node_modules/minimatch": {
+      "version": "5.1.6",
+      "resolved": "https://registry.npmjs.org/minimatch/-/minimatch-5.1.6.tgz",
+      "integrity": "sha512-lKwV/1brpG6mBUFHtb7NUmtABCb2WZZmm2wNiOA5hAb8VdCS4B3dtMWyvcoViccwAW/COERjXLt0zP1zXUN26g==",
+      "license": "ISC",
+      "dependencies": {
+        "brace-expansion": "^2.0.1"
+      },
+      "engines": {
+        "node": ">=10"
+      }
+    },
+    "node_modules/minimist": {
+      "version": "1.2.8",
+      "resolved": "https://registry.npmjs.org/minimist/-/minimist-1.2.8.tgz",
+      "integrity": "sha512-2yyAR8qBkN3YuheJanUpWC5U3bb5osDywNB8RzDVlDwDHbocAJveqqj1u8+SVD7jkWT4yvsHCpWqqWqAxb0zCA==",
+      "license": "MIT",
+      "funding": {
+        "url": "https://github.com/sponsors/ljharb"
+      }
+    },
+    "node_modules/mkdirp": {
+      "version": "0.5.6",
+      "resolved": "https://registry.npmjs.org/mkdirp/-/mkdirp-0.5.6.tgz",
+      "integrity": "sha512-FP+p8RB8OWpF3YZBCrP5gtADmtXApB5AMLn+vdyA+PyxCjrCs00mjyUozssO33cwDeT3wNGdLxJ5M//YqtHAJw==",
+      "license": "MIT",
+      "dependencies": {
+        "minimist": "^1.2.6"
+      },
+      "bin": {
+        "mkdirp": "bin/cmd.js"
+      }
+    },
+    "node_modules/ms": {
+      "version": "2.0.0",
+      "resolved": "https://registry.npmjs.org/ms/-/ms-2.0.0.tgz",
+      "integrity": "sha512-Tpp60P6IUJDTuOq/5Z8cdskzJujfwqfOTkrwIwj7IRISpnkJnT6SyJ4PCPnGMoFjC9ddhal5KVIYtAt97ix05A==",
+      "license": "MIT"
+    },
+    "node_modules/multer": {
+      "version": "1.4.5-lts.2",
+      "resolved": "https://registry.npmjs.org/multer/-/multer-1.4.5-lts.2.tgz",
+      "integrity": "sha512-VzGiVigcG9zUAoCNU+xShztrlr1auZOlurXynNvO9GiWD1/mTBbUljOKY+qMeazBqXgRnjzeEgJI/wyjJUHg9A==",
+      "deprecated": "Multer 1.x is impacted by a number of vulnerabilities, which have been patched in 2.x. You should upgrade to the latest 2.x version.",
+      "license": "MIT",
+      "dependencies": {
+        "append-field": "^1.0.0",
+        "busboy": "^1.0.0",
+        "concat-stream": "^1.5.2",
+        "mkdirp": "^0.5.4",
+        "object-assign": "^4.1.1",
+        "type-is": "^1.6.4",
+        "xtend": "^4.0.0"
+      },
+      "engines": {
+        "node": ">= 6.0.0"
+      }
+    },
+    "node_modules/negotiator": {
+      "version": "0.6.3",
+      "resolved": "https://registry.npmjs.org/negotiator/-/negotiator-0.6.3.tgz",
+      "integrity": "sha512-+EUsqGPLsM+j/zdChZjsnX51g4XrHFOIXwfnCVPGlQk/k5giakcKsuxCObBRu6DSm9opw/O6slWbJdghQM4bBg==",
+      "license": "MIT",
+      "engines": {
+        "node": ">= 0.6"
+      }
+    },
+    "node_modules/nodemailer": {
+      "version": "7.0.13",
+      "resolved": "https://registry.npmjs.org/nodemailer/-/nodemailer-7.0.13.tgz",
+      "integrity": "sha512-PNDFSJdP+KFgdsG3ZzMXCgquO7I6McjY2vlqILjtJd0hy8wEvtugS9xKRF2NWlPNGxvLCXlTNIae4serI7dinw==",
+      "license": "MIT-0",
+      "engines": {
+        "node": ">=6.0.0"
+      }
+    },
+    "node_modules/oauth": {
+      "version": "0.9.15",
+      "resolved": "https://registry.npmjs.org/oauth/-/oauth-0.9.15.tgz",
+      "integrity": "sha512-a5ERWK1kh38ExDEfoO6qUHJb32rd7aYmPHuyCu3Fta/cnICvYmgd2uhuKXvPD+PXB+gCEYYEaQdIRAjCOwAKNA==",
+      "license": "MIT"
+    },
+    "node_modules/object-assign": {
+      "version": "4.1.1",
+      "resolved": "https://registry.npmjs.org/object-assign/-/object-assign-4.1.1.tgz",
+      "integrity": "sha512-rJgTQnkUnH1sFw8yT6VSU3zD3sWmu6sZhIseY8VX+GRu3P6F7Fu+JNDoXfklElbLJSnc3FUQHVe4cU5hj+BcUg==",
+      "license": "MIT",
+      "engines": {
+        "node": ">=0.10.0"
+      }
+    },
+    "node_modules/object-inspect": {
+      "version": "1.13.4",
+      "resolved": "https://registry.npmjs.org/object-inspect/-/object-inspect-1.13.4.tgz",
+      "integrity": "sha512-W67iLl4J2EXEGTbfeHCffrjDfitvLANg0UlX3wFUUSTx92KXRFegMHUVgSqE+wvhAbi4WqjGg9czysTV2Epbew==",
+      "license": "MIT",
+      "engines": {
+        "node": ">= 0.4"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/ljharb"
+      }
+    },
+    "node_modules/on-finished": {
+      "version": "2.4.1",
+      "resolved": "https://registry.npmjs.org/on-finished/-/on-finished-2.4.1.tgz",
+      "integrity": "sha512-oVlzkg3ENAhCk2zdv7IJwd/QUD4z2RxRwpkcGY8psCVcCYZNq4wYnVWALHM+brtuJjePWiYF/ClmuDr8Ch5+kg==",
+      "license": "MIT",
+      "dependencies": {
+        "ee-first": "1.1.1"
+      },
+      "engines": {
+        "node": ">= 0.8"
+      }
+    },
+    "node_modules/on-headers": {
+      "version": "1.1.0",
+      "resolved": "https://registry.npmjs.org/on-headers/-/on-headers-1.1.0.tgz",
+      "integrity": "sha512-737ZY3yNnXy37FHkQxPzt4UZ2UWPWiCZWLvFZ4fu5cueciegX0zGPnrlY6bwRg4FdQOe9YU8MkmJwGhoMybl8A==",
+      "license": "MIT",
+      "engines": {
+        "node": ">= 0.8"
+      }
+    },
+    "node_modules/parseley": {
+      "version": "0.12.1",
+      "resolved": "https://registry.npmjs.org/parseley/-/parseley-0.12.1.tgz",
+      "integrity": "sha512-e6qHKe3a9HWr0oMRVDTRhKce+bRO8VGQR3NyVwcjwrbhMmFCX9KszEV35+rn4AdilFAq9VPxP/Fe1wC9Qjd2lw==",
+      "license": "MIT",
+      "dependencies": {
+        "leac": "^0.6.0",
+        "peberminta": "^0.9.0"
+      },
+      "funding": {
+        "url": "https://ko-fi.com/killymxi"
+      }
+    },
+    "node_modules/parseurl": {
+      "version": "1.3.3",
+      "resolved": "https://registry.npmjs.org/parseurl/-/parseurl-1.3.3.tgz",
+      "integrity": "sha512-CiyeOxFT/JZyN5m0z9PfXw4SCBJ6Sygz1Dpl0wqjlhDEGGBP1GnsUVEL0p63hoG1fcj3fHynXi9NYO4nWOL+qQ==",
+      "license": "MIT",
+      "engines": {
+        "node": ">= 0.8"
+      }
+    },
+    "node_modules/passport": {
+      "version": "0.7.0",
+      "resolved": "https://registry.npmjs.org/passport/-/passport-0.7.0.tgz",
+      "integrity": "sha512-cPLl+qZpSc+ireUvt+IzqbED1cHHkDoVYMo30jbJIdOOjQ1MQYZBPiNvmi8UM6lJuOpTPXJGZQk0DtC4y61MYQ==",
+      "license": "MIT",
+      "dependencies": {
+        "passport-strategy": "1.x.x",
+        "pause": "0.0.1",
+        "utils-merge": "^1.0.1"
+      },
+      "engines": {
+        "node": ">= 0.4.0"
+      },
+      "funding": {
+        "type": "github",
+        "url": "https://github.com/sponsors/jaredhanson"
+      }
+    },
+    "node_modules/passport-azure-ad-oauth2": {
+      "version": "0.0.4",
+      "resolved": "https://registry.npmjs.org/passport-azure-ad-oauth2/-/passport-azure-ad-oauth2-0.0.4.tgz",
+      "integrity": "sha512-yjwi0qXzGPIrR8yI5mBql2wO6tf/G5+HAFllkwwZ6f2EBCVvRv5z+6CwQeBvlrDbFh8RCXdj/IfB17r8LYDQQQ==",
+      "dependencies": {
+        "passport-oauth": "1.0.x"
+      }
+    },
+    "node_modules/passport-google-oauth20": {
+      "version": "2.0.0",
+      "resolved": "https://registry.npmjs.org/passport-google-oauth20/-/passport-google-oauth20-2.0.0.tgz",
+      "integrity": "sha512-KSk6IJ15RoxuGq7D1UKK/8qKhNfzbLeLrG3gkLZ7p4A6DBCcv7xpyQwuXtWdpyR0+E0mwkpjY1VfPOhxQrKzdQ==",
+      "license": "MIT",
+      "dependencies": {
+        "passport-oauth2": "1.x.x"
+      },
+      "engines": {
+        "node": ">= 0.4.0"
+      }
+    },
+    "node_modules/passport-local": {
+      "version": "1.0.0",
+      "resolved": "https://registry.npmjs.org/passport-local/-/passport-local-1.0.0.tgz",
+      "integrity": "sha512-9wCE6qKznvf9mQYYbgJ3sVOHmCWoUNMVFoZzNoznmISbhnNNPhN9xfY3sLmScHMetEJeoY7CXwfhCe7argfQow==",
+      "dependencies": {
+        "passport-strategy": "1.x.x"
+      },
+      "engines": {
+        "node": ">= 0.4.0"
+      }
+    },
+    "node_modules/passport-oauth": {
+      "version": "1.0.0",
+      "resolved": "https://registry.npmjs.org/passport-oauth/-/passport-oauth-1.0.0.tgz",
+      "integrity": "sha512-4IZNVsZbN1dkBzmEbBqUxDG8oFOIK81jqdksE3HEb/vI3ib3FMjbiZZ6MTtooyYZzmKu0BfovjvT1pdGgIq+4Q==",
+      "dependencies": {
+        "passport-oauth1": "1.x.x",
+        "passport-oauth2": "1.x.x"
+      },
+      "engines": {
+        "node": ">= 0.4.0"
+      }
+    },
+    "node_modules/passport-oauth1": {
+      "version": "1.3.0",
+      "resolved": "https://registry.npmjs.org/passport-oauth1/-/passport-oauth1-1.3.0.tgz",
+      "integrity": "sha512-8T/nX4gwKTw0PjxP1xfD0QhrydQNakzeOpZ6M5Uqdgz9/a/Ag62RmJxnZQ4LkbdXGrRehQHIAHNAu11rCP46Sw==",
+      "license": "MIT",
+      "dependencies": {
+        "oauth": "0.9.x",
+        "passport-strategy": "1.x.x",
+        "utils-merge": "1.x.x"
+      },
+      "engines": {
+        "node": ">= 0.4.0"
+      },
+      "funding": {
+        "type": "github",
+        "url": "https://github.com/sponsors/jaredhanson"
+      }
+    },
+    "node_modules/passport-oauth2": {
+      "version": "1.8.0",
+      "resolved": "https://registry.npmjs.org/passport-oauth2/-/passport-oauth2-1.8.0.tgz",
+      "integrity": "sha512-cjsQbOrXIDE4P8nNb3FQRCCmJJ/utnFKEz2NX209f7KOHPoX18gF7gBzBbLLsj2/je4KrgiwLLGjf0lm9rtTBA==",
+      "license": "MIT",
+      "dependencies": {
+        "base64url": "3.x.x",
+        "oauth": "0.10.x",
+        "passport-strategy": "1.x.x",
+        "uid2": "0.0.x",
+        "utils-merge": "1.x.x"
+      },
+      "engines": {
+        "node": ">= 0.4.0"
+      },
+      "funding": {
+        "type": "github",
+        "url": "https://github.com/sponsors/jaredhanson"
+      }
+    },
+    "node_modules/passport-oauth2/node_modules/oauth": {
+      "version": "0.10.2",
+      "resolved": "https://registry.npmjs.org/oauth/-/oauth-0.10.2.tgz",
+      "integrity": "sha512-JtFnB+8nxDEXgNyniwz573xxbKSOu3R8D40xQKqcjwJ2CDkYqUDI53o6IuzDJBx60Z8VKCm271+t8iFjakrl8Q==",
+      "license": "MIT"
+    },
+    "node_modules/passport-strategy": {
+      "version": "1.0.0",
+      "resolved": "https://registry.npmjs.org/passport-strategy/-/passport-strategy-1.0.0.tgz",
+      "integrity": "sha512-CB97UUvDKJde2V0KDWWB3lyf6PC3FaZP7YxZ2G8OAtn9p4HI9j9JLP9qjOGZFvyl8uwNT8qM+hGnz/n16NI7oA==",
+      "engines": {
+        "node": ">= 0.4.0"
+      }
+    },
+    "node_modules/path-to-regexp": {
+      "version": "0.1.12",
+      "resolved": "https://registry.npmjs.org/path-to-regexp/-/path-to-regexp-0.1.12.tgz",
+      "integrity": "sha512-RA1GjUVMnvYFxuqovrEqZoxxW5NUZqbwKtYz/Tt7nXerk0LbLblQmrsgdeOxV5SFHf0UDggjS/bSeOZwt1pmEQ==",
+      "license": "MIT"
+    },
+    "node_modules/pause": {
+      "version": "0.0.1",
+      "resolved": "https://registry.npmjs.org/pause/-/pause-0.0.1.tgz",
+      "integrity": "sha512-KG8UEiEVkR3wGEb4m5yZkVCzigAD+cVEJck2CzYZO37ZGJfctvVptVO192MwrtPhzONn6go8ylnOdMhKqi4nfg=="
+    },
+    "node_modules/peberminta": {
+      "version": "0.9.0",
+      "resolved": "https://registry.npmjs.org/peberminta/-/peberminta-0.9.0.tgz",
+      "integrity": "sha512-XIxfHpEuSJbITd1H3EeQwpcZbTLHc+VVr8ANI9t5sit565tsI4/xK3KWTUFE2e6QiangUkh3B0jihzmGnNrRsQ==",
+      "license": "MIT",
+      "funding": {
+        "url": "https://ko-fi.com/killymxi"
+      }
+    },
+    "node_modules/pg": {
+      "version": "8.18.0",
+      "resolved": "https://registry.npmjs.org/pg/-/pg-8.18.0.tgz",
+      "integrity": "sha512-xqrUDL1b9MbkydY/s+VZ6v+xiMUmOUk7SS9d/1kpyQxoJ6U9AO1oIJyUWVZojbfe5Cc/oluutcgFG4L9RDP1iQ==",
+      "license": "MIT",
+      "peer": true,
+      "dependencies": {
+        "pg-connection-string": "^2.11.0",
+        "pg-pool": "^3.11.0",
+        "pg-protocol": "^1.11.0",
+        "pg-types": "2.2.0",
+        "pgpass": "1.0.5"
+      },
+      "engines": {
+        "node": ">= 16.0.0"
+      },
+      "optionalDependencies": {
+        "pg-cloudflare": "^1.3.0"
+      },
+      "peerDependencies": {
+        "pg-native": ">=3.0.1"
+      },
+      "peerDependenciesMeta": {
+        "pg-native": {
+          "optional": true
+        }
+      }
+    },
+    "node_modules/pg-cloudflare": {
+      "version": "1.3.0",
+      "resolved": "https://registry.npmjs.org/pg-cloudflare/-/pg-cloudflare-1.3.0.tgz",
+      "integrity": "sha512-6lswVVSztmHiRtD6I8hw4qP/nDm1EJbKMRhf3HCYaqud7frGysPv7FYJ5noZQdhQtN2xJnimfMtvQq21pdbzyQ==",
+      "license": "MIT",
+      "optional": true
+    },
+    "node_modules/pg-connection-string": {
+      "version": "2.11.0",
+      "resolved": "https://registry.npmjs.org/pg-connection-string/-/pg-connection-string-2.11.0.tgz",
+      "integrity": "sha512-kecgoJwhOpxYU21rZjULrmrBJ698U2RxXofKVzOn5UDj61BPj/qMb7diYUR1nLScCDbrztQFl1TaQZT0t1EtzQ==",
+      "license": "MIT"
+    },
+    "node_modules/pg-int8": {
+      "version": "1.0.1",
+      "resolved": "https://registry.npmjs.org/pg-int8/-/pg-int8-1.0.1.tgz",
+      "integrity": "sha512-WCtabS6t3c8SkpDBUlb1kjOs7l66xsGdKpIPZsg4wR+B3+u9UAum2odSsF9tnvxg80h4ZxLWMy4pRjOsFIqQpw==",
+      "license": "ISC",
+      "engines": {
+        "node": ">=4.0.0"
+      }
+    },
+    "node_modules/pg-pool": {
+      "version": "3.11.0",
+      "resolved": "https://registry.npmjs.org/pg-pool/-/pg-pool-3.11.0.tgz",
+      "integrity": "sha512-MJYfvHwtGp870aeusDh+hg9apvOe2zmpZJpyt+BMtzUWlVqbhFmMK6bOBXLBUPd7iRtIF9fZplDc7KrPN3PN7w==",
+      "license": "MIT",
+      "peerDependencies": {
+        "pg": ">=8.0"
+      }
+    },
+    "node_modules/pg-protocol": {
+      "version": "1.11.0",
+      "resolved": "https://registry.npmjs.org/pg-protocol/-/pg-protocol-1.11.0.tgz",
+      "integrity": "sha512-pfsxk2M9M3BuGgDOfuy37VNRRX3jmKgMjcvAcWqNDpZSf4cUmv8HSOl5ViRQFsfARFn0KuUQTgLxVMbNq5NW3g==",
+      "license": "MIT"
+    },
+    "node_modules/pg-types": {
+      "version": "2.2.0",
+      "resolved": "https://registry.npmjs.org/pg-types/-/pg-types-2.2.0.tgz",
+      "integrity": "sha512-qTAAlrEsl8s4OiEQY69wDvcMIdQN6wdz5ojQiOy6YRMuynxenON0O5oCpJI6lshc6scgAY8qvJ2On/p+CXY0GA==",
+      "license": "MIT",
+      "dependencies": {
+        "pg-int8": "1.0.1",
+        "postgres-array": "~2.0.0",
+        "postgres-bytea": "~1.0.0",
+        "postgres-date": "~1.0.4",
+        "postgres-interval": "^1.1.0"
+      },
+      "engines": {
+        "node": ">=4"
+      }
+    },
+    "node_modules/pgpass": {
+      "version": "1.0.5",
+      "resolved": "https://registry.npmjs.org/pgpass/-/pgpass-1.0.5.tgz",
+      "integrity": "sha512-FdW9r/jQZhSeohs1Z3sI1yxFQNFvMcnmfuj4WBMUTxOrAyLMaTcE1aAMBiTlbMNaXvBCQuVi0R7hd8udDSP7ug==",
+      "license": "MIT",
+      "dependencies": {
+        "split2": "^4.1.0"
+      }
+    },
+    "node_modules/picocolors": {
+      "version": "1.1.1",
+      "resolved": "https://registry.npmjs.org/picocolors/-/picocolors-1.1.1.tgz",
+      "integrity": "sha512-xceH2snhtb5M9liqDsmEw56le376mTZkEX/jEb/RxNFyegNul7eNslCXP9FDj/Lcu0X8KEyMceP2ntpaHrDEVA==",
+      "license": "ISC"
+    },
+    "node_modules/postgres-array": {
+      "version": "2.0.0",
+      "resolved": "https://registry.npmjs.org/postgres-array/-/postgres-array-2.0.0.tgz",
+      "integrity": "sha512-VpZrUqU5A69eQyW2c5CA1jtLecCsN2U/bD6VilrFDWq5+5UIEVO7nazS3TEcHf1zuPYO/sqGvUvW62g86RXZuA==",
+      "license": "MIT",
+      "engines": {
+        "node": ">=4"
+      }
+    },
+    "node_modules/postgres-bytea": {
+      "version": "1.0.1",
+      "resolved": "https://registry.npmjs.org/postgres-bytea/-/postgres-bytea-1.0.1.tgz",
+      "integrity": "sha512-5+5HqXnsZPE65IJZSMkZtURARZelel2oXUEO8rH83VS/hxH5vv1uHquPg5wZs8yMAfdv971IU+kcPUczi7NVBQ==",
+      "license": "MIT",
+      "engines": {
+        "node": ">=0.10.0"
+      }
+    },
+    "node_modules/postgres-date": {
+      "version": "1.0.7",
+      "resolved": "https://registry.npmjs.org/postgres-date/-/postgres-date-1.0.7.tgz",
+      "integrity": "sha512-suDmjLVQg78nMK2UZ454hAG+OAW+HQPZ6n++TNDUX+L0+uUlLywnoxJKDou51Zm+zTCjrCl0Nq6J9C5hP9vK/Q==",
+      "license": "MIT",
+      "engines": {
+        "node": ">=0.10.0"
+      }
+    },
+    "node_modules/postgres-interval": {
+      "version": "1.2.0",
+      "resolved": "https://registry.npmjs.org/postgres-interval/-/postgres-interval-1.2.0.tgz",
+      "integrity": "sha512-9ZhXKM/rw350N1ovuWHbGxnGh/SNJ4cnxHiM0rxE4VN41wsg8P8zWn9hv/buK00RP4WvlOyr/RBDiptyxVbkZQ==",
+      "license": "MIT",
+      "dependencies": {
+        "xtend": "^4.0.0"
+      },
+      "engines": {
+        "node": ">=0.10.0"
+      }
+    },
+    "node_modules/process-nextick-args": {
+      "version": "2.0.1",
+      "resolved": "https://registry.npmjs.org/process-nextick-args/-/process-nextick-args-2.0.1.tgz",
+      "integrity": "sha512-3ouUOpQhtgrbOa17J7+uxOTpITYWaGP7/AhoR3+A+/1e9skrzelGi/dXzEYyvbxubEF6Wn2ypscTKiKJFFn1ag==",
+      "license": "MIT"
+    },
+    "node_modules/proxy-addr": {
+      "version": "2.0.7",
+      "resolved": "https://registry.npmjs.org/proxy-addr/-/proxy-addr-2.0.7.tgz",
+      "integrity": "sha512-llQsMLSUDUPT44jdrU/O37qlnifitDP+ZwrmmZcoSKyLKvtZxpyV0n2/bD/N4tBAAZ/gJEdZU7KMraoK1+XYAg==",
+      "license": "MIT",
+      "dependencies": {
+        "forwarded": "0.2.0",
+        "ipaddr.js": "1.9.1"
+      },
+      "engines": {
+        "node": ">= 0.10"
+      }
+    },
+    "node_modules/punycode.js": {
+      "version": "2.3.1",
+      "resolved": "https://registry.npmjs.org/punycode.js/-/punycode.js-2.3.1.tgz",
+      "integrity": "sha512-uxFIHU0YlHYhDQtV4R9J6a52SLx28BCjT+4ieh7IGbgwVJWO+km431c4yRlREUAsAmt/uMjQUyQHNEPf0M39CA==",
+      "license": "MIT",
+      "engines": {
+        "node": ">=6"
+      }
+    },
+    "node_modules/qs": {
+      "version": "6.14.2",
+      "resolved": "https://registry.npmjs.org/qs/-/qs-6.14.2.tgz",
+      "integrity": "sha512-V/yCWTTF7VJ9hIh18Ugr2zhJMP01MY7c5kh4J870L7imm6/DIzBsNLTXzMwUA3yZ5b/KBqLx8Kp3uRvd7xSe3Q==",
+      "license": "BSD-3-Clause",
+      "dependencies": {
+        "side-channel": "^1.1.0"
+      },
+      "engines": {
+        "node": ">=0.6"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/ljharb"
+      }
+    },
+    "node_modules/random-bytes": {
+      "version": "1.0.0",
+      "resolved": "https://registry.npmjs.org/random-bytes/-/random-bytes-1.0.0.tgz",
+      "integrity": "sha512-iv7LhNVO047HzYR3InF6pUcUsPQiHTM1Qal51DcGSuZFBil1aBBWG5eHPNek7bvILMaYJ/8RU1e8w1AMdHmLQQ==",
+      "license": "MIT",
+      "engines": {
+        "node": ">= 0.8"
+      }
+    },
+    "node_modules/range-parser": {
+      "version": "1.2.1",
+      "resolved": "https://registry.npmjs.org/range-parser/-/range-parser-1.2.1.tgz",
+      "integrity": "sha512-Hrgsx+orqoygnmhFbKaHE6c296J+HTAQXoxEF6gNupROmmGJRoyzfG3ccAveqCBrwr/2yxQ5BVd/GTl5agOwSg==",
+      "license": "MIT",
+      "engines": {
+        "node": ">= 0.6"
+      }
+    },
+    "node_modules/raw-body": {
+      "version": "2.5.3",
+      "resolved": "https://registry.npmjs.org/raw-body/-/raw-body-2.5.3.tgz",
+      "integrity": "sha512-s4VSOf6yN0rvbRZGxs8Om5CWj6seneMwK3oDb4lWDH0UPhWcxwOWw5+qk24bxq87szX1ydrwylIOp2uG1ojUpA==",
+      "license": "MIT",
+      "dependencies": {
+        "bytes": "~3.1.2",
+        "http-errors": "~2.0.1",
+        "iconv-lite": "~0.4.24",
+        "unpipe": "~1.0.0"
+      },
+      "engines": {
+        "node": ">= 0.8"
+      }
+    },
+    "node_modules/readable-stream": {
+      "version": "2.3.8",
+      "resolved": "https://registry.npmjs.org/readable-stream/-/readable-stream-2.3.8.tgz",
+      "integrity": "sha512-8p0AUk4XODgIewSi0l8Epjs+EVnWiK7NoDIEGU0HhE7+ZyY8D1IMY7odu5lRrFXGg71L15KG8QrPmum45RTtdA==",
+      "license": "MIT",
+      "dependencies": {
+        "core-util-is": "~1.0.0",
+        "inherits": "~2.0.3",
+        "isarray": "~1.0.0",
+        "process-nextick-args": "~2.0.0",
+        "safe-buffer": "~5.1.1",
+        "string_decoder": "~1.1.1",
+        "util-deprecate": "~1.0.1"
+      }
+    },
+    "node_modules/readable-stream/node_modules/safe-buffer": {
+      "version": "5.1.2",
+      "resolved": "https://registry.npmjs.org/safe-buffer/-/safe-buffer-5.1.2.tgz",
+      "integrity": "sha512-Gd2UZBJDkXlY7GbJxfsE8/nvKkUEU1G38c1siN6QP6a9PT9MmHB8GnpscSmMJSoF8LOIrt8ud/wPtojys4G6+g==",
+      "license": "MIT"
+    },
+    "node_modules/safe-buffer": {
+      "version": "5.2.1",
+      "resolved": "https://registry.npmjs.org/safe-buffer/-/safe-buffer-5.2.1.tgz",
+      "integrity": "sha512-rp3So07KcdmmKbGvgaNxQSJr7bGVSVk5S9Eq1F+ppbRo70+YeaDxkw5Dd8NPN+GD6bjnYm2VuPuCXmpuYvmCXQ==",
+      "funding": [
+        {
+          "type": "github",
+          "url": "https://github.com/sponsors/feross"
+        },
+        {
+          "type": "patreon",
+          "url": "https://www.patreon.com/feross"
+        },
+        {
+          "type": "consulting",
+          "url": "https://feross.org/support"
+        }
+      ],
+      "license": "MIT"
+    },
+    "node_modules/safer-buffer": {
+      "version": "2.1.2",
+      "resolved": "https://registry.npmjs.org/safer-buffer/-/safer-buffer-2.1.2.tgz",
+      "integrity": "sha512-YZo3K82SD7Riyi0E1EQPojLz7kpepnSQI9IyPbHHg1XXXevb5dJI7tpyN2ADxGcQbHG7vcyRHk0cbwqcQriUtg==",
+      "license": "MIT"
+    },
+    "node_modules/selderee": {
+      "version": "0.11.0",
+      "resolved": "https://registry.npmjs.org/selderee/-/selderee-0.11.0.tgz",
+      "integrity": "sha512-5TF+l7p4+OsnP8BCCvSyZiSPc4x4//p5uPwK8TCnVPJYRmU2aYKMpOXvw8zM5a5JvuuCGN1jmsMwuU2W02ukfA==",
+      "license": "MIT",
+      "dependencies": {
+        "parseley": "^0.12.0"
+      },
+      "funding": {
+        "url": "https://ko-fi.com/killymxi"
+      }
+    },
+    "node_modules/send": {
+      "version": "0.19.2",
+      "resolved": "https://registry.npmjs.org/send/-/send-0.19.2.tgz",
+      "integrity": "sha512-VMbMxbDeehAxpOtWJXlcUS5E8iXh6QmN+BkRX1GARS3wRaXEEgzCcB10gTQazO42tpNIya8xIyNx8fll1OFPrg==",
+      "license": "MIT",
+      "dependencies": {
+        "debug": "2.6.9",
+        "depd": "2.0.0",
+        "destroy": "1.2.0",
+        "encodeurl": "~2.0.0",
+        "escape-html": "~1.0.3",
+        "etag": "~1.8.1",
+        "fresh": "~0.5.2",
+        "http-errors": "~2.0.1",
+        "mime": "1.6.0",
+        "ms": "2.1.3",
+        "on-finished": "~2.4.1",
+        "range-parser": "~1.2.1",
+        "statuses": "~2.0.2"
+      },
+      "engines": {
+        "node": ">= 0.8.0"
+      }
+    },
+    "node_modules/send/node_modules/ms": {
+      "version": "2.1.3",
+      "resolved": "https://registry.npmjs.org/ms/-/ms-2.1.3.tgz",
+      "integrity": "sha512-6FlzubTLZG3J2a/NVCAleEhjzq5oxgHyaCU9yYXvcLsvoVaHJq/s5xXI6/XXP6tz7R9xAOtHnSO/tXtF3WRTlA==",
+      "license": "MIT"
+    },
+    "node_modules/serve-static": {
+      "version": "1.16.3",
+      "resolved": "https://registry.npmjs.org/serve-static/-/serve-static-1.16.3.tgz",
+      "integrity": "sha512-x0RTqQel6g5SY7Lg6ZreMmsOzncHFU7nhnRWkKgWuMTu5NN0DR5oruckMqRvacAN9d5w6ARnRBXl9xhDCgfMeA==",
+      "license": "MIT",
+      "dependencies": {
+        "encodeurl": "~2.0.0",
+        "escape-html": "~1.0.3",
+        "parseurl": "~1.3.3",
+        "send": "~0.19.1"
+      },
+      "engines": {
+        "node": ">= 0.8.0"
+      }
+    },
+    "node_modules/setprototypeof": {
+      "version": "1.2.0",
+      "resolved": "https://registry.npmjs.org/setprototypeof/-/setprototypeof-1.2.0.tgz",
+      "integrity": "sha512-E5LDX7Wrp85Kil5bhZv46j8jOeboKq5JMmYM3gVGdGH8xFpPWXUMsNrlODCrkoxMEeNi/XZIwuRvY4XNwYMJpw==",
+      "license": "ISC"
+    },
+    "node_modules/side-channel": {
+      "version": "1.1.0",
+      "resolved": "https://registry.npmjs.org/side-channel/-/side-channel-1.1.0.tgz",
+      "integrity": "sha512-ZX99e6tRweoUXqR+VBrslhda51Nh5MTQwou5tnUDgbtyM0dBgmhEDtWGP/xbKn6hqfPRHujUNwz5fy/wbbhnpw==",
+      "license": "MIT",
+      "dependencies": {
+        "es-errors": "^1.3.0",
+        "object-inspect": "^1.13.3",
+        "side-channel-list": "^1.0.0",
+        "side-channel-map": "^1.0.1",
+        "side-channel-weakmap": "^1.0.2"
+      },
+      "engines": {
+        "node": ">= 0.4"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/ljharb"
+      }
+    },
+    "node_modules/side-channel-list": {
+      "version": "1.0.0",
+      "resolved": "https://registry.npmjs.org/side-channel-list/-/side-channel-list-1.0.0.tgz",
+      "integrity": "sha512-FCLHtRD/gnpCiCHEiJLOwdmFP+wzCmDEkc9y7NsYxeF4u7Btsn1ZuwgwJGxImImHicJArLP4R0yX4c2KCrMrTA==",
+      "license": "MIT",
+      "dependencies": {
+        "es-errors": "^1.3.0",
+        "object-inspect": "^1.13.3"
+      },
+      "engines": {
+        "node": ">= 0.4"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/ljharb"
+      }
+    },
+    "node_modules/side-channel-map": {
+      "version": "1.0.1",
+      "resolved": "https://registry.npmjs.org/side-channel-map/-/side-channel-map-1.0.1.tgz",
+      "integrity": "sha512-VCjCNfgMsby3tTdo02nbjtM/ewra6jPHmpThenkTYh8pG9ucZ/1P8So4u4FGBek/BjpOVsDCMoLA/iuBKIFXRA==",
+      "license": "MIT",
+      "dependencies": {
+        "call-bound": "^1.0.2",
+        "es-errors": "^1.3.0",
+        "get-intrinsic": "^1.2.5",
+        "object-inspect": "^1.13.3"
+      },
+      "engines": {
+        "node": ">= 0.4"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/ljharb"
+      }
+    },
+    "node_modules/side-channel-weakmap": {
+      "version": "1.0.2",
+      "resolved": "https://registry.npmjs.org/side-channel-weakmap/-/side-channel-weakmap-1.0.2.tgz",
+      "integrity": "sha512-WPS/HvHQTYnHisLo9McqBHOJk2FkHO/tlpvldyrnem4aeQp4hai3gythswg6p01oSoTl58rcpiFAjF2br2Ak2A==",
+      "license": "MIT",
+      "dependencies": {
+        "call-bound": "^1.0.2",
+        "es-errors": "^1.3.0",
+        "get-intrinsic": "^1.2.5",
+        "object-inspect": "^1.13.3",
+        "side-channel-map": "^1.0.1"
+      },
+      "engines": {
+        "node": ">= 0.4"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/ljharb"
+      }
+    },
+    "node_modules/split2": {
+      "version": "4.2.0",
+      "resolved": "https://registry.npmjs.org/split2/-/split2-4.2.0.tgz",
+      "integrity": "sha512-UcjcJOWknrNkF6PLX83qcHM6KHgVKNkV62Y8a5uYDVv9ydGQVwAHMKqHdJje1VTWpljG0WYpCDhrCdAOYH4TWg==",
+      "license": "ISC",
+      "engines": {
+        "node": ">= 10.x"
+      }
+    },
+    "node_modules/statuses": {
+      "version": "2.0.2",
+      "resolved": "https://registry.npmjs.org/statuses/-/statuses-2.0.2.tgz",
+      "integrity": "sha512-DvEy55V3DB7uknRo+4iOGT5fP1slR8wQohVdknigZPMpMstaKJQWhwiYBACJE3Ul2pTnATihhBYnRhZQHGBiRw==",
+      "license": "MIT",
+      "engines": {
+        "node": ">= 0.8"
+      }
+    },
+    "node_modules/streamsearch": {
+      "version": "1.1.0",
+      "resolved": "https://registry.npmjs.org/streamsearch/-/streamsearch-1.1.0.tgz",
+      "integrity": "sha512-Mcc5wHehp9aXz1ax6bZUyY5afg9u2rv5cqQI3mRrYkGC8rW2hM02jWuwjtL++LS5qinSyhj2QfLyNsuc+VsExg==",
+      "engines": {
+        "node": ">=10.0.0"
+      }
+    },
+    "node_modules/string_decoder": {
+      "version": "1.1.1",
+      "resolved": "https://registry.npmjs.org/string_decoder/-/string_decoder-1.1.1.tgz",
+      "integrity": "sha512-n/ShnvDi6FHbbVfviro+WojiFzv+s8MPMHBczVePfUpDJLwoLT0ht1l4YwBCbi8pJAveEEdnkHyPyTP/mzRfwg==",
+      "license": "MIT",
+      "dependencies": {
+        "safe-buffer": "~5.1.0"
+      }
+    },
+    "node_modules/string_decoder/node_modules/safe-buffer": {
+      "version": "5.1.2",
+      "resolved": "https://registry.npmjs.org/safe-buffer/-/safe-buffer-5.1.2.tgz",
+      "integrity": "sha512-Gd2UZBJDkXlY7GbJxfsE8/nvKkUEU1G38c1siN6QP6a9PT9MmHB8GnpscSmMJSoF8LOIrt8ud/wPtojys4G6+g==",
+      "license": "MIT"
+    },
+    "node_modules/tlds": {
+      "version": "1.261.0",
+      "resolved": "https://registry.npmjs.org/tlds/-/tlds-1.261.0.tgz",
+      "integrity": "sha512-QXqwfEl9ddlGBaRFXIvNKK6OhipSiLXuRuLJX5DErz0o0Q0rYxulWLdFryTkV5PkdZct5iMInwYEGe/eR++1AA==",
+      "license": "MIT",
+      "bin": {
+        "tlds": "bin.js"
+      }
+    },
+    "node_modules/toidentifier": {
+      "version": "1.0.1",
+      "resolved": "https://registry.npmjs.org/toidentifier/-/toidentifier-1.0.1.tgz",
+      "integrity": "sha512-o5sSPKEkg/DIQNmH43V0/uerLrpzVedkUh8tGNvaeXpfpuwjKenlSox/2O/BTlZUtEe+JG7s5YhEz608PlAHRA==",
+      "license": "MIT",
+      "engines": {
+        "node": ">=0.6"
+      }
+    },
+    "node_modules/type-is": {
+      "version": "1.6.18",
+      "resolved": "https://registry.npmjs.org/type-is/-/type-is-1.6.18.tgz",
+      "integrity": "sha512-TkRKr9sUTxEH8MdfuCSP7VizJyzRNMjj2J2do2Jr3Kym598JVdEksuzPQCnlFPW4ky9Q+iA+ma9BGm06XQBy8g==",
+      "license": "MIT",
+      "dependencies": {
+        "media-typer": "0.3.0",
+        "mime-types": "~2.1.24"
+      },
+      "engines": {
+        "node": ">= 0.6"
+      }
+    },
+    "node_modules/typedarray": {
+      "version": "0.0.6",
+      "resolved": "https://registry.npmjs.org/typedarray/-/typedarray-0.0.6.tgz",
+      "integrity": "sha512-/aCDEGatGvZ2BIk+HmLf4ifCJFwvKFNb9/JeZPMulfgFracn9QFcAf5GO8B/mweUjSoblS5In0cWhqpfs/5PQA==",
+      "license": "MIT"
+    },
+    "node_modules/uc.micro": {
+      "version": "2.1.0",
+      "resolved": "https://registry.npmjs.org/uc.micro/-/uc.micro-2.1.0.tgz",
+      "integrity": "sha512-ARDJmphmdvUk6Glw7y9DQ2bFkKBHwQHLi2lsaH6PPmz/Ka9sFOBsBluozhDltWmnv9u/cF6Rt87znRTPV+yp/A==",
+      "license": "MIT"
+    },
+    "node_modules/uid-safe": {
+      "version": "2.1.5",
+      "resolved": "https://registry.npmjs.org/uid-safe/-/uid-safe-2.1.5.tgz",
+      "integrity": "sha512-KPHm4VL5dDXKz01UuEd88Df+KzynaohSL9fBh096KWAxSKZQDI2uBrVqtvRM4rwrIrRRKsdLNML/lnaaVSRioA==",
+      "license": "MIT",
+      "dependencies": {
+        "random-bytes": "~1.0.0"
+      },
+      "engines": {
+        "node": ">= 0.8"
+      }
+    },
+    "node_modules/uid2": {
+      "version": "0.0.4",
+      "resolved": "https://registry.npmjs.org/uid2/-/uid2-0.0.4.tgz",
+      "integrity": "sha512-IevTus0SbGwQzYh3+fRsAMTVVPOoIVufzacXcHPmdlle1jUpq7BRL+mw3dgeLanvGZdwwbWhRV6XrcFNdBmjWA==",
+      "license": "MIT"
+    },
+    "node_modules/unpipe": {
+      "version": "1.0.0",
+      "resolved": "https://registry.npmjs.org/unpipe/-/unpipe-1.0.0.tgz",
+      "integrity": "sha512-pjy2bYhSsufwWlKwPc+l3cN7+wuJlK6uz0YdJEOlQDbl6jo/YlPi4mb8agUkVC8BF7V8NuzeyPNqRksA3hztKQ==",
+      "license": "MIT",
+      "engines": {
+        "node": ">= 0.8"
+      }
+    },
+    "node_modules/util-deprecate": {
+      "version": "1.0.2",
+      "resolved": "https://registry.npmjs.org/util-deprecate/-/util-deprecate-1.0.2.tgz",
+      "integrity": "sha512-EPD5q1uXyFxJpCrLnCc1nHnq3gOa6DZBocAIiI2TaSCA7VCJ1UJDMagCzIkXNsUYfD1daK//LTEQ8xiIbrHtcw==",
+      "license": "MIT"
+    },
+    "node_modules/utils-merge": {
+      "version": "1.0.1",
+      "resolved": "https://registry.npmjs.org/utils-merge/-/utils-merge-1.0.1.tgz",
+      "integrity": "sha512-pMZTvIkT1d+TFGvDOqodOclx0QWkkgi6Tdoa8gC8ffGAAqz9pzPTZWAybbsHHoED/ztMtkv/VoYTYyShUn81hA==",
+      "license": "MIT",
+      "engines": {
+        "node": ">= 0.4.0"
+      }
+    },
+    "node_modules/vary": {
+      "version": "1.1.2",
+      "resolved": "https://registry.npmjs.org/vary/-/vary-1.1.2.tgz",
+      "integrity": "sha512-BNGbWLfd0eUPabhkXUVm0j8uuvREyTh5ovRa/dyow/BqAbZJyC+5fU+IzQOzmAKzYqYRAISoRhdQr3eIZ/PXqg==",
+      "license": "MIT",
+      "engines": {
+        "node": ">= 0.8"
+      }
+    },
+    "node_modules/xtend": {
+      "version": "4.0.2",
+      "resolved": "https://registry.npmjs.org/xtend/-/xtend-4.0.2.tgz",
+      "integrity": "sha512-LKYU1iAXJXUgAXn9URjiu+MWhyUXHsvfp7mcuYm9dSUKK0/CjtrUwFAxD82/mCWbtLsGjFIad0wIsod4zrTAEQ==",
+      "license": "MIT",
+      "engines": {
+        "node": ">=0.4"
+      }
+    }
+  }
+}
diff --git a/web/package.json b/web/package.json
new file mode 100644
index 0000000..29d8068
--- /dev/null
+++ b/web/package.json
@@ -0,0 +1,28 @@
+{
+  "name": "mastermind-web",
+  "private": true,
+  "type": "module",
+  "scripts": {
+    "dev": "node --watch src/index.js",
+    "start": "node src/index.js"
+  },
+  "dependencies": {
+    "bcryptjs": "^2.4.3",
+    "connect-pg-simple": "^10.0.0",
+    "dotenv": "^16.4.5",
+    "ejs": "^3.1.10",
+    "express": "^4.19.2",
+    "express-rate-limit": "^7.4.0",
+    "express-session": "^1.18.1",
+    "helmet": "^7.1.0",
+    "mailparser": "^3.7.2",
+    "multer": "^1.4.5-lts.1",
+    "marked": "^12.0.2",
+    "markdown-it": "^14.1.0",
+    "passport": "^0.7.0",
+    "passport-azure-ad-oauth2": "^0.0.4",
+    "passport-google-oauth20": "^2.0.0",
+    "passport-local": "^1.0.0",
+    "pg": "^8.12.0"
+  }
+}
diff --git a/web/src/index.js b/web/src/index.js
new file mode 100644
index 0000000..c0876c3
--- /dev/null
+++ b/web/src/index.js
@@ -0,0 +1,1284 @@
+import 'dotenv/config';
+import express from 'express';
+import session from 'express-session';
+import pg from 'pg';
+import connectPgSimple from 'connect-pg-simple';
+import helmet from 'helmet';
+import rateLimit from 'express-rate-limit';
+import passport from 'passport';
+import { Strategy as LocalStrategy } from 'passport-local';
+import bcrypt from 'bcryptjs';
+import GoogleStrategy from 'passport-google-oauth20';
+import AzureAdOAuth2Strategy from 'passport-azure-ad-oauth2';
+import multer from 'multer';
+import { simpleParser } from 'mailparser';
+import crypto from 'crypto';
+import fs from 'fs';
+import { marked } from 'marked';
+import MarkdownIt from 'markdown-it';
+
+const { Pool } = pg;
+const PgStore = connectPgSimple(session);
+
+const app = express();
+app.set('view engine', 'ejs');
+app.set('views', new URL('./views', import.meta.url).pathname);
+
+const PORT = process.env.PORT || 3005;
+const BASE_URL = process.env.BASE_URL || `http://localhost:${PORT}`;
+const isProd = process.env.NODE_ENV === 'production';
+const trustProxy = process.env.TRUST_PROXY === '1' || process.env.TRUST_PROXY === 'true';
+if (trustProxy) app.set('trust proxy', 1);
+
+if (isProd && (!process.env.SESSION_SECRET || process.env.SESSION_SECRET.length < 24)) {
+  throw new Error('SESSION_SECRET must be set (>=24 chars) in production');
+}
+
+function baseHost() {
+  try {
+    return new URL(BASE_URL).host;
+  } catch {
+    return null;
+  }
+}
+
+const pool = new Pool({ connectionString: process.env.DATABASE_URL });
+
+app.use(
+  helmet({
+    // We use inline styles in EJS templates; keep CSP permissive but present.
+    contentSecurityPolicy: {
+      useDefaults: true,
+      directives: {
+        defaultSrc: ["'self'"],
+        imgSrc: ["'self'", 'data:'],
+        styleSrc: ["'self'", "'unsafe-inline'"],
+        scriptSrc: ["'self'"],
+        connectSrc: ["'self'"],
+        frameAncestors: ["'none'"]
+      }
+    },
+    crossOriginEmbedderPolicy: false
+  })
+);
+app.use(express.urlencoded({ extended: false }));
+app.use(express.json());
+
+// Basic CSRF mitigation: require same-origin POSTs
+app.use((req, res, next) => {
+  if (req.method !== 'POST') return next();
+  // Allow OAuth callbacks (they are GET in our app anyway) and health checks
+  const origin = req.get('origin');
+  const referer = req.get('referer');
+  const host = baseHost();
+  if (!host) return next();
+
+  const ok = (value) => {
+    if (!value) return false;
+    try {
+      return new URL(value).host === host;
+    } catch {
+      return false;
+    }
+  };
+
+  // Some clients omit Origin; allow Referer as fallback.
+  if ((origin && ok(origin)) || (!origin && referer && ok(referer))) return next();
+
+  return res.status(403).send('Blocked (CSRF)');
+});
+
+const uploadDir = '/app/data/uploads';
+const attachmentDir = '/app/data/attachments';
+fs.mkdirSync(uploadDir, { recursive: true });
+fs.mkdirSync(attachmentDir, { recursive: true });
+const upload = multer({ dest: uploadDir, limits: { fileSize: 50 * 1024 * 1024 } });
+
+app.use(rateLimit({ windowMs: 60_000, limit: 120 }));
+
+const loginLimiter = rateLimit({ windowMs: 60_000, limit: 10 });
+const uploadLimiter = rateLimit({ windowMs: 60_000, limit: 20 });
+
+app.use(
+  session({
+    name: 'mm.sid',
+    store: new PgStore({ pool, createTableIfMissing: true }),
+    secret: process.env.SESSION_SECRET || 'change-me',
+    resave: false,
+    saveUninitialized: false,
+    rolling: true,
+    cookie: {
+      httpOnly: true,
+      sameSite: 'lax',
+      secure: (process.env.COOKIE_SECURE === 'true') || BASE_URL.startsWith('https://'),
+      maxAge: 1000 * 60 * 60 * 12 // 12 hours
+    }
+  })
+);
+
+app.use(passport.initialize());
+app.use(passport.session());
+
+async function ensureSchema() {
+  await pool.query(`
+    create table if not exists users (
+      id uuid primary key default gen_random_uuid(),
+      email text unique,
+      display_name text,
+      role text not null default 'owner',
+      disabled boolean not null default false,
+      created_at timestamptz not null default now()
+    );
+
+    create table if not exists identities (
+      id uuid primary key default gen_random_uuid(),
+      user_id uuid not null references users(id) on delete cascade,
+      provider text not null,
+      provider_user_id text,
+      email text,
+      password_hash text,
+      created_at timestamptz not null default now(),
+      unique(provider, provider_user_id),
+      unique(provider, email)
+    );
+
+    create table if not exists app_settings (
+      key text primary key,
+      value jsonb not null
+    );
+
+    create table if not exists audit_logs (
+      id uuid primary key default gen_random_uuid(),
+      created_at timestamptz not null default now(),
+      actor_user_id uuid references users(id) on delete set null,
+      actor_email text,
+      action text not null,
+      target_type text,
+      target_id text,
+      ip text,
+      user_agent text,
+      metadata jsonb not null default '{}'::jsonb
+    );
+
+    create table if not exists projects (
+      id uuid primary key default gen_random_uuid(),
+      created_at timestamptz not null default now(),
+      updated_at timestamptz not null default now(),
+      created_by_user_id uuid references users(id) on delete set null,
+      name text not null,
+      job_number text,
+      role_mode text not null default 'ec',
+      gc_name text,
+      address text,
+      city text,
+      state text,
+      postal_code text,
+      keywords text,
+      active boolean not null default true
+    );
+
+    create table if not exists project_members (
+      project_id uuid references projects(id) on delete cascade,
+      user_id uuid references users(id) on delete cascade,
+      project_role text not null default 'apm',
+      created_at timestamptz not null default now(),
+      primary key(project_id, user_id)
+    );
+
+    create table if not exists ingested_emails (
+      id uuid primary key default gen_random_uuid(),
+      created_at timestamptz not null default now(),
+      created_by_user_id uuid references users(id) on delete set null,
+      source text not null default 'upload',
+      source_message_id text,
+      thread_key text,
+      from_addr text,
+      to_addr text,
+      cc_addr text,
+      subject text,
+      date timestamptz,
+      body_text text,
+      body_html text,
+      has_attachments boolean not null default false,
+      raw_path text,
+      sha256 text,
+      project_id uuid references projects(id) on delete set null,
+      confidence real,
+      status text not null default 'unsorted'
+    );
+
+    create table if not exists email_attachments (
+      id uuid primary key default gen_random_uuid(),
+      created_at timestamptz not null default now(),
+      email_id uuid references ingested_emails(id) on delete cascade,
+      filename text,
+      content_type text,
+      size_bytes int,
+      sha256 text,
+      storage_path text
+    );
+
+    create index if not exists email_attachments_email_id_idx on email_attachments(email_id);
+
+    create index if not exists ingested_emails_project_id_idx on ingested_emails(project_id);
+    create index if not exists ingested_emails_status_idx on ingested_emails(status);
+
+    create table if not exists email_connectors (
+      id uuid primary key default gen_random_uuid(),
+      created_at timestamptz not null default now(),
+      updated_at timestamptz not null default now(),
+      provider text not null, -- gmail|microsoft
+      enabled boolean not null default false,
+      configured boolean not null default false,
+      authorized boolean not null default false,
+      last_sync_at timestamptz,
+      last_error text,
+      unique(provider)
+    );
+
+    create table if not exists email_rules (
+      id uuid primary key default gen_random_uuid(),
+      created_at timestamptz not null default now(),
+      created_by_user_id uuid references users(id) on delete set null,
+      enabled boolean not null default true,
+      priority int not null default 100,
+      project_id uuid references projects(id) on delete cascade,
+      match_type text not null, -- from_contains|from_domain|subject_contains|body_contains|thread_key
+      match_value text not null
+    );
+
+    create table if not exists pco_drafts (
+      id uuid primary key default gen_random_uuid(),
+      created_at timestamptz not null default now(),
+      updated_at timestamptz not null default now(),
+      created_by_user_id uuid references users(id) on delete set null,
+      project_id uuid references projects(id) on delete set null,
+      source_email_id uuid references ingested_emails(id) on delete set null,
+      status text not null default 'draft',
+      title text,
+      body text
+    );
+
+    create table if not exists rfi_drafts (
+      id uuid primary key default gen_random_uuid(),
+      created_at timestamptz not null default now(),
+      updated_at timestamptz not null default now(),
+      created_by_user_id uuid references users(id) on delete set null,
+      project_id uuid references projects(id) on delete set null,
+      source_email_id uuid references ingested_emails(id) on delete set null,
+      status text not null default 'draft',
+      title text,
+      body text
+    );
+
+    create index if not exists email_rules_project_id_idx on email_rules(project_id);
+  `);
+}
+
+passport.serializeUser((user, done) => done(null, user.id));
+passport.deserializeUser(async (id, done) => {
+  try {
+    const { rows } = await pool.query('select * from users where id=$1', [id]);
+    done(null, rows[0] || null);
+  } catch (e) {
+    done(e);
+  }
+});
+
+passport.use(
+  new LocalStrategy({ usernameField: 'email' }, async (email, password, done) => {
+    try {
+      const { rows } = await pool.query(
+        `select u.*, i.password_hash from users u
+         join identities i on i.user_id=u.id
+         where i.provider='local' and lower(i.email)=lower($1)
+         limit 1`,
+        [email]
+      );
+      const row = rows[0];
+      if (!row?.password_hash) return done(null, false, { message: 'Invalid login' });
+      if (row.disabled) return done(null, false, { message: 'Account disabled' });
+      const ok = await bcrypt.compare(password, row.password_hash);
+      if (!ok) return done(null, false, { message: 'Invalid login' });
+      return done(null, { id: row.id });
+    } catch (e) {
+      return done(e);
+    }
+  })
+);
+
+// Google OAuth (optional)
+if (process.env.GOOGLE_CLIENT_ID && process.env.GOOGLE_CLIENT_SECRET) {
+  passport.use(
+    new GoogleStrategy.Strategy(
+      {
+        clientID: process.env.GOOGLE_CLIENT_ID,
+        clientSecret: process.env.GOOGLE_CLIENT_SECRET,
+        callbackURL: `${BASE_URL}/auth/google/callback`
+      },
+      async (_accessToken, _refreshToken, profile, done) => {
+        try {
+          const email = (profile.emails?.[0]?.value || '').toLowerCase();
+          const providerUserId = profile.id;
+          const displayName = profile.displayName || email;
+
+          // find identity
+          const { rows: idRows } = await pool.query(
+            `select user_id from identities where provider='google' and provider_user_id=$1 limit 1`,
+            [providerUserId]
+          );
+
+          let userId = idRows[0]?.user_id;
+          if (!userId) {
+            // create/get user by email
+            const { rows: uRows } = await pool.query(
+              `insert into users(email, display_name) values ($1,$2)
+               on conflict(email) do update set display_name=excluded.display_name
+               returning id`,
+              [email || null, displayName]
+            );
+            userId = uRows[0].id;
+            await pool.query(
+              `insert into identities(user_id, provider, provider_user_id, email)
+               values ($1,'google',$2,$3)
+               on conflict(provider, provider_user_id) do nothing`,
+              [userId, providerUserId, email || null]
+            );
+          }
+
+          return done(null, { id: userId });
+        } catch (e) {
+          return done(e);
+        }
+      }
+    )
+  );
+}
+
+// Microsoft OAuth (optional) via Azure AD v2
+if (process.env.MICROSOFT_CLIENT_ID && process.env.MICROSOFT_CLIENT_SECRET) {
+  passport.use(
+    new AzureAdOAuth2Strategy(
+      {
+        clientID: process.env.MICROSOFT_CLIENT_ID,
+        clientSecret: process.env.MICROSOFT_CLIENT_SECRET,
+        callbackURL: `${BASE_URL}/auth/microsoft/callback`,
+        // for multi-tenant use 'common'; can be configured later
+        tenant: 'common',
+        resource: '00000003-0000-0000-c000-000000000000' // Microsoft Graph
+      },
+      async (_accessToken, _refreshToken, params, _profile, done) => {
+        try {
+          // id_token is a JWT; we can decode basic claims without verifying for MVP
+          const idToken = params?.id_token;
+          if (!idToken) return done(null, false);
+          const payload = JSON.parse(Buffer.from(idToken.split('.')[1], 'base64').toString('utf-8'));
+          const providerUserId = payload.oid || payload.sub;
+          const email = (payload.preferred_username || payload.upn || '').toLowerCase();
+          const displayName = payload.name || email;
+
+          const { rows: idRows } = await pool.query(
+            `select user_id from identities where provider='microsoft' and provider_user_id=$1 limit 1`,
+            [providerUserId]
+          );
+
+          let userId = idRows[0]?.user_id;
+          if (!userId) {
+            const { rows: uRows } = await pool.query(
+              `insert into users(email, display_name) values ($1,$2)
+               on conflict(email) do update set display_name=excluded.display_name
+               returning id`,
+              [email || null, displayName]
+            );
+            userId = uRows[0].id;
+            await pool.query(
+              `insert into identities(user_id, provider, provider_user_id, email)
+               values ($1,'microsoft',$2,$3)
+               on conflict(provider, provider_user_id) do nothing`,
+              [userId, providerUserId, email || null]
+            );
+          }
+
+          return done(null, { id: userId });
+        } catch (e) {
+          return done(e);
+        }
+      }
+    )
+  );
+}
+
+function requireAuth(req, res, next) {
+  if (req.user) return next();
+  return res.redirect('/login');
+}
+
+function requireOwner(req, res, next) {
+  if (!req.user) return res.redirect('/login');
+  if (req.user.role !== 'owner') return res.status(403).send('Forbidden');
+  return next();
+}
+
+app.get('/health', (_req, res) => res.json({ ok: true }));
+
+app.get('/login', (req, res) => {
+  res.render('login', {
+    googleEnabled: Boolean(process.env.GOOGLE_CLIENT_ID && process.env.GOOGLE_CLIENT_SECRET),
+    microsoftEnabled: Boolean(process.env.MICROSOFT_CLIENT_ID && process.env.MICROSOFT_CLIENT_SECRET)
+  });
+});
+
+app.post('/login', loginLimiter, (req, res, next) => {
+  passport.authenticate('local', async (err, user) => {
+    if (err) return next(err);
+    if (!user) {
+      await audit(req, 'auth.login_failed', { metadata: { provider: 'local', email: req.body.email } });
+      return res.redirect('/login');
+    }
+    req.logIn(user, async (e) => {
+      if (e) return next(e);
+      await audit(req, 'auth.login_success', { metadata: { provider: 'local' } });
+      return res.redirect('/');
+    });
+  })(req, res, next);
+});
+
+app.get('/logout', async (req, res) => {
+  await audit(req, 'auth.logout');
+  req.logout(() => res.redirect('/login'));
+});
+
+app.get('/auth/google', passport.authenticate('google', { scope: ['profile', 'email'] }));
+app.get('/auth/google/callback', (req, res, next) => {
+  passport.authenticate('google', async (err, user) => {
+    if (err) return next(err);
+    if (!user) {
+      await audit(req, 'auth.login_failed', { metadata: { provider: 'google' } });
+      return res.redirect('/login');
+    }
+    req.logIn(user, async (e) => {
+      if (e) return next(e);
+      await audit(req, 'auth.login_success', { metadata: { provider: 'google' } });
+      return res.redirect('/');
+    });
+  })(req, res, next);
+});
+
+app.get('/auth/microsoft', passport.authenticate('azure_ad_oauth2', { scope: ['openid', 'profile', 'email', 'offline_access', 'Mail.Read'] }));
+app.get('/auth/microsoft/callback', (req, res, next) => {
+  passport.authenticate('azure_ad_oauth2', async (err, user) => {
+    if (err) return next(err);
+    if (!user) {
+      await audit(req, 'auth.login_failed', { metadata: { provider: 'microsoft' } });
+      return res.redirect('/login');
+    }
+    req.logIn(user, async (e) => {
+      if (e) return next(e);
+      await audit(req, 'auth.login_success', { metadata: { provider: 'microsoft' } });
+      return res.redirect('/');
+    });
+  })(req, res, next);
+});
+
+async function audit(req, action, { targetType=null, targetId=null, metadata={} } = {}) {
+  try {
+    const actor = req.user || null;
+    await pool.query(
+      `insert into audit_logs(actor_user_id, actor_email, action, target_type, target_id, ip, user_agent, metadata)
+       values ($1,$2,$3,$4,$5,$6,$7,$8)`,
+      [
+        actor?.id || null,
+        actor?.email || null,
+        action,
+        targetType,
+        targetId,
+        req.ip || null,
+        req.get('user-agent') || null,
+        metadata
+      ]
+    );
+  } catch (_) {
+    // do not block main flow
+  }
+}
+
+app.get('/', requireAuth, async (req, res) => {
+  res.render('home', { user: req.user, baseUrl: BASE_URL });
+});
+
+app.get('/setup', requireAuth, (req, res) => {
+  res.render('setup', { baseUrl: BASE_URL });
+});
+
+// Projects
+app.get('/projects', requireAuth, async (req, res) => {
+  const { rows } = await pool.query(
+    `select p.*
+     from projects p
+     join project_members pm on pm.project_id=p.id and pm.user_id=$1
+     order by p.updated_at desc`,
+    [req.user.id]
+  );
+  res.render('projects', { projects: rows });
+});
+
+app.post('/projects/create', requireAuth, async (req, res) => {
+  const name = (req.body.name || '').trim();
+  const jobNumber = (req.body.jobNumber || '').trim();
+  const roleMode = (req.body.roleMode || 'ec').trim();
+  const gcName = (req.body.gcName || '').trim();
+  const city = (req.body.city || '').trim();
+  const state = (req.body.state || '').trim();
+  const keywords = (req.body.keywords || '').trim();
+
+  if (!name) return res.status(400).send('name required');
+
+  const { rows } = await pool.query(
+    `insert into projects(created_by_user_id,name,job_number,role_mode,gc_name,city,state,keywords)
+     values ($1,$2,$3,$4,$5,$6,$7,$8)
+     returning id`,
+    [req.user.id, name, jobNumber || null, roleMode, gcName || null, city || null, state || null, keywords || null]
+  );
+  const projectId = rows[0].id;
+  await pool.query(
+    `insert into project_members(project_id,user_id,project_role) values ($1,$2,'owner')
+     on conflict do nothing`,
+    [projectId, req.user.id]
+  );
+  await audit(req, 'project.created', { targetType: 'project', targetId: projectId, metadata: { name, jobNumber, roleMode } });
+  res.redirect(`/projects/${projectId}`);
+});
+
+app.get('/projects/:id', requireAuth, async (req, res) => {
+  const projectId = req.params.id;
+  const { rows } = await pool.query(
+    `select p.*
+     from projects p
+     join project_members pm on pm.project_id=p.id and pm.user_id=$1
+     where p.id=$2
+     limit 1`,
+    [req.user.id, projectId]
+  );
+  if (!rows[0]) return res.status(404).send('Not found');
+  res.render('project_detail', { project: rows[0] });
+});
+
+app.get('/projects/:id/inbox', requireAuth, async (req, res) => {
+  const projectId = req.params.id;
+  const { rows: pr } = await pool.query(
+    `select p.*
+     from projects p
+     join project_members pm on pm.project_id=p.id and pm.user_id=$1
+     where p.id=$2
+     limit 1`,
+    [req.user.id, projectId]
+  );
+  if (!pr[0]) return res.status(404).send('Not found');
+
+  const { rows: emails } = await pool.query(
+    `select id, from_addr, subject, date, source
+     from ingested_emails
+     where project_id=$1
+     order by date desc nulls last, created_at desc
+     limit 300`,
+    [projectId]
+  );
+  res.render('project_inbox', { project: pr[0], emails });
+});
+
+app.post('/projects/:id/update', requireAuth, async (req, res) => {
+  const projectId = req.params.id;
+  const name = (req.body.name || '').trim();
+  const jobNumber = (req.body.jobNumber || '').trim();
+  const roleMode = (req.body.roleMode || 'ec').trim();
+  const gcName = (req.body.gcName || '').trim();
+  const keywords = (req.body.keywords || '').trim();
+
+  await pool.query(
+    `update projects
+     set name=$1, job_number=$2, role_mode=$3, gc_name=$4, keywords=$5, updated_at=now()
+     where id=$6`,
+    [name, jobNumber || null, roleMode, gcName || null, keywords || null, projectId]
+  );
+  await audit(req, 'project.updated', { targetType: 'project', targetId: projectId, metadata: { name, jobNumber, roleMode } });
+  res.redirect(`/projects/${projectId}`);
+});
+
+app.post('/projects/:id/toggle', requireAuth, async (req, res) => {
+  const projectId = req.params.id;
+  await pool.query('update projects set active = not active, updated_at=now() where id=$1', [projectId]);
+  const { rows } = await pool.query('select active from projects where id=$1', [projectId]);
+  await audit(req, 'project.toggled', { targetType: 'project', targetId: projectId, metadata: { active: rows[0]?.active } });
+  res.redirect('/projects');
+});
+
+// Inbox (manual import until OAuth)
+app.get('/inbox', requireAuth, async (req, res) => {
+  const { rows: projects } = await pool.query(
+    `select p.id, p.name, p.job_number
+     from projects p
+     join project_members pm on pm.project_id=p.id and pm.user_id=$1
+     where p.active=true
+     order by p.updated_at desc`,
+    [req.user.id]
+  );
+  const { rows: emails } = await pool.query(
+    `select id, from_addr, subject, date, status
+     from ingested_emails
+     where status='unsorted'
+     order by created_at desc
+     limit 200`
+  );
+  res.render('inbox', { emails, projects });
+});
+
+app.post('/inbox/upload', requireAuth, uploadLimiter, upload.array('emls', 50), async (req, res) => {
+  const source = (req.body.source || 'upload').trim();
+  const files = req.files || [];
+
+  const { rows: rules } = await pool.query(
+    `select * from email_rules where enabled=true order by priority asc, created_at asc`
+  );
+
+  for (const f of files) {
+    const raw = fs.readFileSync(f.path);
+    const sha256 = crypto.createHash('sha256').update(raw).digest('hex');
+    const parsed = await simpleParser(raw);
+
+    const fromAddr = parsed.from?.text || '';
+    const toAddr = parsed.to?.text || '';
+    const ccAddr = parsed.cc?.text || '';
+    const subject = parsed.subject || '';
+    const date = parsed.date ? new Date(parsed.date) : null;
+    const bodyText = (parsed.text || '').slice(0, 200000);
+    const bodyHtml = (parsed.html ? String(parsed.html) : '').slice(0, 200000);
+    const hasAttachments = (parsed.attachments || []).length > 0;
+
+    // insert as unsorted first
+    const { rows } = await pool.query(
+      `insert into ingested_emails(created_by_user_id, source, from_addr, to_addr, cc_addr, subject, date, body_text, body_html, has_attachments, raw_path, sha256, status)
+       values ($1,$2,$3,$4,$5,$6,$7,$8,$9,$10,$11,$12,'unsorted')
+       returning *`,
+      [req.user.id, source, fromAddr, toAddr, ccAddr, subject, date, bodyText, bodyHtml, hasAttachments, f.path, sha256]
+    );
+
+    const emailRow = rows[0];
+
+    // persist attachments (if any)
+    for (const att of (parsed.attachments || [])) {
+      const buf = att.content;
+      const attSha = crypto.createHash('sha256').update(buf).digest('hex');
+      const safeName = (att.filename || 'attachment').replace(/[^A-Za-z0-9._-]+/g, '_');
+      const outPath = `${attachmentDir}/${emailRow.id}_${attSha}_${safeName}`;
+      fs.writeFileSync(outPath, buf);
+      await pool.query(
+        `insert into email_attachments(email_id, filename, content_type, size_bytes, sha256, storage_path)
+         values ($1,$2,$3,$4,$5,$6)`,
+        [emailRow.id, att.filename || safeName, att.contentType || null, buf.length, attSha, outPath]
+      );
+    }
+
+    await audit(req, 'inbox.email_imported', { targetType: 'email', targetId: emailRow.id, metadata: { source, subject, attachments: (parsed.attachments||[]).length } });
+
+    const match = await applyRulesToEmail(emailRow, rules);
+    if (match?.projectId) {
+      await pool.query(
+        `update ingested_emails set project_id=$1, status='assigned', confidence=$2 where id=$3`,
+        [match.projectId, match.confidence, emailRow.id]
+      );
+      await audit(req, 'inbox.email_auto_assigned', { targetType: 'email', targetId: emailRow.id, metadata: { projectId: match.projectId, ruleId: match.ruleId } });
+    }
+  }
+
+  res.redirect('/inbox');
+});
+
+app.get('/inbox/:id', requireAuth, async (req, res) => {
+  const emailId = req.params.id;
+  const { rows } = await pool.query('select * from ingested_emails where id=$1 limit 1', [emailId]);
+  if (!rows[0]) return res.status(404).send('Not found');
+  const { rows: attachments } = await pool.query('select * from email_attachments where email_id=$1 order by created_at asc', [emailId]);
+  res.render('inbox_email', { email: rows[0], attachments });
+});
+
+function extractDomain(fromAddr) {
+  const m = String(fromAddr || '').match(/@([A-Za-z0-9.-]+)/);
+  return m ? m[1].toLowerCase() : '';
+}
+
+function extractFirstJobNumber(text) {
+  const t = String(text || '');
+  // heuristic: prefer 8+ digit job numbers (e.g., 0222600001)
+  const m = t.match(/\b\d{8,}\b/);
+  return m ? m[0] : '';
+}
+
+function validatePassword(pw) {
+  const p = String(pw || '');
+  if (p.length < 12) return 'Password must be at least 12 characters.';
+  if (!/[A-Z]/.test(p)) return 'Password must include an uppercase letter.';
+  if (!/[a-z]/.test(p)) return 'Password must include a lowercase letter.';
+  if (!/\d/.test(p)) return 'Password must include a number.';
+  return null;
+}
+
+app.post('/inbox/:id/assign', requireAuth, async (req, res) => {
+  const emailId = req.params.id;
+  const projectId = (req.body.projectId || '').trim();
+  if (!projectId) return res.redirect('/inbox');
+
+  await pool.query(
+    `update ingested_emails set project_id=$1, status='assigned', confidence=1.0 where id=$2`,
+    [projectId, emailId]
+  );
+  await audit(req, 'inbox.email_assigned', { targetType: 'email', targetId: emailId, metadata: { projectId } });
+  res.redirect('/inbox');
+});
+
+// Create rule from an email (from domain)
+app.post('/inbox/:id/rule/from_domain', requireOwner, async (req, res) => {
+  const emailId = req.params.id;
+  const projectId = (req.body.projectId || '').trim();
+  const { rows } = await pool.query('select from_addr from ingested_emails where id=$1', [emailId]);
+  const fromAddr = rows[0]?.from_addr || '';
+  const domain = extractDomain(fromAddr);
+  if (!projectId || !domain) return res.redirect('/inbox');
+
+  const { rows: r } = await pool.query(
+    `insert into email_rules(created_by_user_id, project_id, match_type, match_value, priority)
+     values ($1,$2,'from_domain',$3,50)
+     returning id`,
+    [req.user.id, projectId, domain]
+  );
+
+  await audit(req, 'inbox.rule_created', { targetType: 'email_rule', targetId: r[0].id, metadata: { emailId, projectId, matchType: 'from_domain', matchValue: domain } });
+  res.redirect('/admin/email-rules');
+});
+
+// Create rule from an email (subject job number)
+app.post('/inbox/:id/rule/subject_job', requireOwner, async (req, res) => {
+  const emailId = req.params.id;
+  const projectId = (req.body.projectId || '').trim();
+  const { rows } = await pool.query('select subject from ingested_emails where id=$1', [emailId]);
+  const subject = rows[0]?.subject || '';
+  const job = extractFirstJobNumber(subject);
+  if (!projectId || !job) return res.redirect('/inbox');
+
+  const { rows: r } = await pool.query(
+    `insert into email_rules(created_by_user_id, project_id, match_type, match_value, priority)
+     values ($1,$2,'subject_contains',$3,40)
+     returning id`,
+    [req.user.id, projectId, job]
+  );
+
+  await audit(req, 'inbox.rule_created', { targetType: 'email_rule', targetId: r[0].id, metadata: { emailId, projectId, matchType: 'subject_contains', matchValue: job } });
+  res.redirect('/admin/email-rules');
+});
+
+app.post('/setup/base-url', requireAuth, async (req, res) => {
+  const baseUrl = req.body.baseUrl?.trim();
+  if (!baseUrl) return res.status(400).send('baseUrl required');
+  await pool.query(
+    `insert into app_settings(key,value) values('base_url',$1)
+     on conflict(key) do update set value=excluded.value`,
+    [JSON.stringify({ baseUrl })]
+  );
+  res.redirect('/setup');
+});
+
+await ensureSchema();
+
+// Backfill schema changes (safe alters)
+await pool.query(`alter table users add column if not exists disabled boolean not null default false;`);
+try {
+  await pool.query(`alter table identities add constraint identities_provider_email_unique unique (provider, email);`);
+} catch (_) {
+  // constraint may already exist
+}
+
+// Create an initial local owner account if none exists (bootstrap)
+// For safety, we do NOT create a default owner/owner in production.
+const { rows: existing } = await pool.query("select count(*)::int as c from identities where provider='local'");
+if (existing[0].c === 0) {
+  const email = (process.env.BOOTSTRAP_OWNER_EMAIL || '').trim().toLowerCase();
+  const password = (process.env.BOOTSTRAP_OWNER_PASSWORD || '').trim();
+
+  if (!email || !password) {
+    console.warn('No local identities exist. Set BOOTSTRAP_OWNER_EMAIL and BOOTSTRAP_OWNER_PASSWORD to create the initial owner account.');
+  } else {
+    const hash = await bcrypt.hash(password, 12);
+    const { rows } = await pool.query(
+      "insert into users(email, display_name, role) values ($1,'Owner','owner') returning id",
+      [email]
+    );
+    await pool.query(
+      "insert into identities(user_id, provider, email, password_hash) values ($1,'local',$2,$3)",
+      [rows[0].id, email, hash]
+    );
+    console.log(`Created bootstrap local owner: ${email} (change password ASAP)`);
+  }
+}
+
+// Admin: user management
+app.get('/admin/users', requireOwner, async (_req, res) => {
+  const { rows } = await pool.query(`
+    select u.id, u.email, u.display_name, u.role, u.disabled,
+           coalesce(string_agg(distinct i.provider, ','), '') as providers
+    from users u
+    left join identities i on i.user_id=u.id
+    group by u.id
+    order by u.created_at desc
+  `);
+  res.render('admin_users', { users: rows });
+});
+
+app.post('/admin/users/create', requireOwner, async (req, res) => {
+  const email = (req.body.email || '').trim().toLowerCase();
+  const displayName = (req.body.displayName || '').trim();
+  const role = (req.body.role || 'apm').trim();
+  const tempPassword = (req.body.tempPassword || '').trim();
+  if (!email || !tempPassword) return res.status(400).send('email and tempPassword required');
+  const pwErr = validatePassword(tempPassword);
+  if (pwErr) return res.status(400).send(pwErr);
+
+  const hash = await bcrypt.hash(tempPassword, 12);
+  const { rows } = await pool.query(
+    `insert into users(email, display_name, role) values ($1,$2,$3)
+     on conflict(email) do update set display_name=excluded.display_name, role=excluded.role
+     returning id`,
+    [email, displayName || email, role]
+  );
+  const userId = rows[0].id;
+  await pool.query(
+    `insert into identities(user_id, provider, email, password_hash) values ($1,'local',$2,$3)
+     on conflict(provider, email) do update set password_hash=excluded.password_hash, user_id=excluded.user_id`,
+    [userId, email, hash]
+  );
+
+  await audit(req, 'admin.user_created', { targetType: 'user', targetId: userId, metadata: { email, role } });
+  res.redirect('/admin/users');
+});
+
+app.post('/admin/users/:id/reset', requireOwner, async (req, res) => {
+  const userId = req.params.id;
+  const newPassword = (req.body.newPassword || '').trim();
+  if (!newPassword) return res.redirect('/admin/users');
+  const pwErr = validatePassword(newPassword);
+  if (pwErr) return res.status(400).send(pwErr);
+  const hash = await bcrypt.hash(newPassword, 12);
+
+  const { rows } = await pool.query('select email from users where id=$1', [userId]);
+  const email = rows[0]?.email;
+  if (!email) return res.redirect('/admin/users');
+
+  await pool.query(
+    `insert into identities(user_id, provider, email, password_hash) values ($1,'local',$2,$3)
+     on conflict(provider, email) do update set password_hash=excluded.password_hash, user_id=excluded.user_id`,
+    [userId, email, hash]
+  );
+
+  await audit(req, 'admin.password_reset', { targetType: 'user', targetId: userId, metadata: { provider: 'local' } });
+  res.redirect('/admin/users');
+});
+
+app.post('/admin/users/:id/toggle', requireOwner, async (req, res) => {
+  const userId = req.params.id;
+  await pool.query('update users set disabled = not disabled where id=$1', [userId]);
+  const { rows } = await pool.query('select disabled,email from users where id=$1', [userId]);
+  await audit(req, 'admin.user_toggled', { targetType: 'user', targetId: userId, metadata: { disabled: rows[0]?.disabled, email: rows[0]?.email } });
+  res.redirect('/admin/users');
+});
+
+app.post('/admin/users/:id/delete', requireOwner, async (req, res) => {
+  const userId = req.params.id;
+  const { rows } = await pool.query('select email,role from users where id=$1', [userId]);
+  await pool.query('delete from users where id=$1', [userId]);
+  await audit(req, 'admin.user_deleted', { targetType: 'user', targetId: userId, metadata: { email: rows[0]?.email, role: rows[0]?.role } });
+  res.redirect('/admin/users');
+});
+
+// Account: change password
+const md = new MarkdownIt({ html: false, linkify: true, breaks: true });
+
+async function upsertConnector(provider) {
+  const configured = (provider === 'gmail')
+    ? Boolean(process.env.GOOGLE_CLIENT_ID && process.env.GOOGLE_CLIENT_SECRET)
+    : Boolean(process.env.MICROSOFT_CLIENT_ID && process.env.MICROSOFT_CLIENT_SECRET);
+
+  await pool.query(
+    `insert into email_connectors(provider, configured) values ($1,$2)
+     on conflict(provider) do update set configured=excluded.configured, updated_at=now()`,
+    [provider, configured]
+  );
+}
+
+await upsertConnector('gmail');
+await upsertConnector('microsoft');
+
+async function applyRulesToEmail(emailRow, rules) {
+  const from = (emailRow.from_addr || '').toLowerCase();
+  const subj = (emailRow.subject || '').toLowerCase();
+  const body = (emailRow.body_text || '').toLowerCase();
+  const thread = (emailRow.thread_key || '').toLowerCase();
+
+  for (const r of rules) {
+    if (!r.enabled) continue;
+    const v = (r.match_value || '').toLowerCase();
+    let hit = false;
+    if (r.match_type === 'from_domain') {
+      hit = v && from.includes('@') && from.split('@').pop()?.includes(v.replace(/^@/, ''));
+    } else if (r.match_type === 'from_contains') {
+      hit = v && from.includes(v);
+    } else if (r.match_type === 'subject_contains') {
+      hit = v && subj.includes(v);
+    } else if (r.match_type === 'body_contains') {
+      hit = v && body.includes(v);
+    } else if (r.match_type === 'thread_key') {
+      hit = v && thread && thread === v;
+    }
+
+    if (hit) {
+      return { projectId: r.project_id, confidence: 0.9, ruleId: r.id };
+    }
+  }
+  return null;
+}
+
+app.get('/account/password', requireAuth, (req, res) => {
+  res.render('account_password');
+});
+
+app.post('/account/password', requireAuth, async (req, res) => {
+  const currentPassword = (req.body.currentPassword || '').trim();
+  const newPassword = (req.body.newPassword || '').trim();
+  const confirmPassword = (req.body.confirmPassword || '').trim();
+  if (!newPassword || newPassword !== confirmPassword) return res.status(400).send('Password mismatch');
+
+  // do they have a local identity?
+  const { rows: idRows } = await pool.query(
+    `select password_hash from identities where user_id=$1 and provider='local' limit 1`,
+    [req.user.id]
+  );
+
+  if (idRows[0]?.password_hash) {
+    // verify current if set
+    const ok = currentPassword ? await bcrypt.compare(currentPassword, idRows[0].password_hash) : false;
+    if (!ok) return res.status(400).send('Current password incorrect');
+  }
+
+  const hash = await bcrypt.hash(newPassword, 12);
+  const email = req.user.email;
+  await pool.query(
+    `insert into identities(user_id, provider, email, password_hash) values ($1,'local',$2,$3)
+     on conflict(provider, email) do update set password_hash=excluded.password_hash, user_id=excluded.user_id`,
+    [req.user.id, email, hash]
+  );
+
+  await audit(req, 'account.password_changed', { targetType: 'user', targetId: req.user.id, metadata: { provider: 'local' } });
+  res.redirect('/');
+});
+
+// Admin: email connectors
+app.get('/admin/email', requireOwner, async (_req, res) => {
+  // ensure connector rows exist + configured flag reflects env
+  await upsertConnector('gmail');
+  await upsertConnector('microsoft');
+  const { rows } = await pool.query(`select * from email_connectors order by provider asc`);
+  res.render('email_settings', { connectors: rows });
+});
+
+app.post('/admin/email-connectors/:provider/toggle', requireOwner, async (req, res) => {
+  const provider = req.params.provider;
+  await pool.query(`update email_connectors set enabled = not enabled, updated_at=now() where provider=$1`, [provider]);
+  const { rows } = await pool.query(`select enabled, configured, authorized from email_connectors where provider=$1`, [provider]);
+  await audit(req, 'admin.email_connector_toggled', { targetType: 'connector', targetId: provider, metadata: rows[0] || {} });
+  res.redirect('/admin/email');
+});
+
+// Admin: email rules
+// Docs (in-app)
+const DOCS = [
+  { slug: 'readme', title: 'README', path: '/app/README.md' },
+  { slug: 'install', title: 'INSTALL', path: '/app/INSTALL.md' },
+  { slug: 'operations', title: 'OPERATIONS', path: '/app/OPERATIONS.md' },
+  { slug: 'development', title: 'DEVELOPMENT', path: '/app/DEVELOPMENT.md' },
+  { slug: 'changelog', title: 'CHANGELOG', path: '/app/CHANGELOG.md' }
+];
+
+app.get('/docs', requireAuth, (req, res) => res.redirect('/docs/readme'));
+
+app.get('/docs/:slug', requireAuth, (req, res) => {
+  const slug = req.params.slug;
+  const current = DOCS.find((d) => d.slug === slug) || DOCS[0];
+  const md = fs.readFileSync(current.path, 'utf-8');
+  const html = marked.parse(md);
+  res.render('docs', { docs: DOCS, current, html });
+});
+
+// Attachments download
+app.get('/attachments/:id', requireAuth, async (req, res) => {
+  const id = req.params.id;
+  const { rows } = await pool.query('select * from email_attachments where id=$1', [id]);
+  const a = rows[0];
+  if (!a) return res.status(404).send('Not found');
+  res.setHeader('Content-Type', a.content_type || 'application/octet-stream');
+  res.setHeader('Content-Disposition', `attachment; filename="${(a.filename || 'attachment').replace(/\"/g,'')}"`);
+  fs.createReadStream(a.storage_path).pipe(res);
+});
+
+// Drafts list
+app.get('/drafts', requireAuth, async (req, res) => {
+  const { rows: pcos } = await pool.query(
+    `select d.*, p.name as project_name
+     from pco_drafts d left join projects p on p.id=d.project_id
+     order by d.updated_at desc limit 200`
+  );
+  const { rows: rfis } = await pool.query(
+    `select d.*, p.name as project_name
+     from rfi_drafts d left join projects p on p.id=d.project_id
+     order by d.updated_at desc limit 200`
+  );
+  res.render('drafts_list', { pcos, rfis });
+});
+
+function buildPCOBody(email, project) {
+  return [
+    `# Potential Change Order (PCO) — Draft`,
+    ``,
+    `**Project:** ${project?.name || ''}`,
+    `**Job #:** ${project?.job_number || ''}`,
+    `**Source email:** ${email?.subject || ''} (${email?.id || ''})`,
+    `**From:** ${email?.from_addr || ''}`,
+    `**Date:** ${email?.date || ''}`,
+    ``,
+    `## Description / Change event`,
+    `- (Describe what changed and why)`,
+    ``,
+    `## Contract / drawing references`,
+    `- (Sheet/spec refs)`,
+    ``,
+    `## Cost / schedule impact`,
+    `- Labor:`,
+    `- Material:`,
+    `- Equipment:`,
+    `- Schedule impact:`,
+    ``,
+    `## Supporting info`,
+    `- Email excerpt:`,
+    ``,
+    `> ${String(email?.body_text || '').slice(0, 1200).replace(/\n/g,'\n> ')}`
+  ].join('\n');
+}
+
+function buildRFIBody(email, project) {
+  return [
+    `# RFI — Draft`,
+    ``,
+    `**Project:** ${project?.name || ''}`,
+    `**Job #:** ${project?.job_number || ''}`,
+    `**Source email:** ${email?.subject || ''} (${email?.id || ''})`,
+    `**From:** ${email?.from_addr || ''}`,
+    `**Date:** ${email?.date || ''}`,
+    ``,
+    `## Question`,
+    `- (Write the question clearly)`,
+    ``,
+    `## Background`,
+    `- (Why this is needed / conflict)`,
+    ``,
+    `## Drawing/spec references`,
+    `- (Sheet/detail/spec section)`,
+    ``,
+    `## Proposed resolution (optional)`,
+    `-`,
+    ``,
+    `## Supporting excerpt`,
+    `> ${String(email?.body_text || '').slice(0, 1200).replace(/\n/g,'\n> ')}`
+  ].join('\n');
+}
+
+// Create drafts from email
+app.post('/drafts/pco/from-email', requireAuth, async (req, res) => {
+  const emailId = (req.body.emailId || '').trim();
+  const { rows } = await pool.query('select * from ingested_emails where id=$1', [emailId]);
+  const email = rows[0];
+  if (!email) return res.status(404).send('Email not found');
+
+  let project = null;
+  if (email.project_id) {
+    const pr = await pool.query('select * from projects where id=$1', [email.project_id]);
+    project = pr.rows[0] || null;
+  }
+
+  const title = `PCO: ${email.subject || 'Untitled'}`.slice(0, 200);
+  const body = buildPCOBody(email, project);
+
+  const ins = await pool.query(
+    `insert into pco_drafts(created_by_user_id, project_id, source_email_id, title, body)
+     values ($1,$2,$3,$4,$5) returning id`,
+    [req.user.id, email.project_id || null, emailId, title, body]
+  );
+  const draftId = ins.rows[0].id;
+  await audit(req, 'draft.pco_created', { targetType: 'pco_draft', targetId: draftId, metadata: { emailId } });
+  res.redirect(`/drafts/pco/${draftId}`);
+});
+
+app.post('/drafts/rfi/from-email', requireAuth, async (req, res) => {
+  const emailId = (req.body.emailId || '').trim();
+  const { rows } = await pool.query('select * from ingested_emails where id=$1', [emailId]);
+  const email = rows[0];
+  if (!email) return res.status(404).send('Email not found');
+
+  let project = null;
+  if (email.project_id) {
+    const pr = await pool.query('select * from projects where id=$1', [email.project_id]);
+    project = pr.rows[0] || null;
+  }
+
+  const title = `RFI: ${email.subject || 'Untitled'}`.slice(0, 200);
+  const body = buildRFIBody(email, project);
+
+  const ins = await pool.query(
+    `insert into rfi_drafts(created_by_user_id, project_id, source_email_id, title, body)
+     values ($1,$2,$3,$4,$5) returning id`,
+    [req.user.id, email.project_id || null, emailId, title, body]
+  );
+  const draftId = ins.rows[0].id;
+  await audit(req, 'draft.rfi_created', { targetType: 'rfi_draft', targetId: draftId, metadata: { emailId } });
+  res.redirect(`/drafts/rfi/${draftId}`);
+});
+
+// Draft edit + save
+app.get('/drafts/pco/:id', requireAuth, async (req, res) => {
+  const id = req.params.id;
+  const d = await pool.query('select * from pco_drafts where id=$1', [id]);
+  const draft = d.rows[0];
+  if (!draft) return res.status(404).send('Not found');
+  const e = draft.source_email_id ? await pool.query('select * from ingested_emails where id=$1', [draft.source_email_id]) : { rows: [] };
+  const email = e.rows[0] || null;
+  const p = draft.project_id ? await pool.query('select * from projects where id=$1', [draft.project_id]) : { rows: [] };
+  const project = p.rows[0] || null;
+  const previewHtml = md.render(draft.body || '');
+  res.render('draft_edit', { kind: 'pco', draft, email, project, previewHtml });
+});
+
+app.post('/drafts/pco/:id/save', requireAuth, async (req, res) => {
+  const id = req.params.id;
+  const title = (req.body.title || '').trim();
+  const status = (req.body.status || 'draft').trim();
+  const body = (req.body.body || '').trim();
+  await pool.query('update pco_drafts set title=$1, status=$2, body=$3, updated_at=now() where id=$4', [title, status, body, id]);
+  await audit(req, 'draft.pco_saved', { targetType: 'pco_draft', targetId: id, metadata: { status } });
+  res.redirect(`/drafts/pco/${id}`);
+});
+
+app.get('/drafts/pco/:id/export.md', requireAuth, async (req, res) => {
+  const id = req.params.id;
+  const d = await pool.query('select * from pco_drafts where id=$1', [id]);
+  const draft = d.rows[0];
+  if (!draft) return res.status(404).send('Not found');
+  res.setHeader('Content-Type', 'text/markdown; charset=utf-8');
+  res.setHeader('Content-Disposition', `attachment; filename="PCO_${id}.md"`);
+  await audit(req, 'draft.pco_exported', { targetType: 'pco_draft', targetId: id, metadata: { format: 'md' } });
+  res.send(draft.body || '');
+});
+
+app.get('/drafts/rfi/:id', requireAuth, async (req, res) => {
+  const id = req.params.id;
+  const d = await pool.query('select * from rfi_drafts where id=$1', [id]);
+  const draft = d.rows[0];
+  if (!draft) return res.status(404).send('Not found');
+  const e = draft.source_email_id ? await pool.query('select * from ingested_emails where id=$1', [draft.source_email_id]) : { rows: [] };
+  const email = e.rows[0] || null;
+  const p = draft.project_id ? await pool.query('select * from projects where id=$1', [draft.project_id]) : { rows: [] };
+  const project = p.rows[0] || null;
+  const previewHtml = md.render(draft.body || '');
+  res.render('draft_edit', { kind: 'rfi', draft, email, project, previewHtml });
+});
+
+app.post('/drafts/rfi/:id/save', requireAuth, async (req, res) => {
+  const id = req.params.id;
+  const title = (req.body.title || '').trim();
+  const status = (req.body.status || 'draft').trim();
+  const body = (req.body.body || '').trim();
+  await pool.query('update rfi_drafts set title=$1, status=$2, body=$3, updated_at=now() where id=$4', [title, status, body, id]);
+  await audit(req, 'draft.rfi_saved', { targetType: 'rfi_draft', targetId: id, metadata: { status } });
+  res.redirect(`/drafts/rfi/${id}`);
+});
+
+app.get('/drafts/rfi/:id/export.md', requireAuth, async (req, res) => {
+  const id = req.params.id;
+  const d = await pool.query('select * from rfi_drafts where id=$1', [id]);
+  const draft = d.rows[0];
+  if (!draft) return res.status(404).send('Not found');
+  res.setHeader('Content-Type', 'text/markdown; charset=utf-8');
+  res.setHeader('Content-Disposition', `attachment; filename="RFI_${id}.md"`);
+  await audit(req, 'draft.rfi_exported', { targetType: 'rfi_draft', targetId: id, metadata: { format: 'md' } });
+  res.send(draft.body || '');
+});
+
+app.get('/admin/email-rules', requireOwner, async (req, res) => {
+  const { rows: projects } = await pool.query(
+    `select p.id, p.name, p.job_number
+     from projects p
+     join project_members pm on pm.project_id=p.id and pm.user_id=$1
+     where p.active=true
+     order by p.updated_at desc`,
+    [req.user.id]
+  );
+  const { rows: rules } = await pool.query(
+    `select r.*, p.name as project_name
+     from email_rules r
+     join projects p on p.id=r.project_id
+     order by r.enabled desc, r.priority asc, r.created_at asc`
+  );
+  res.render('email_rules', { projects, rules });
+});
+
+app.post('/admin/email-rules/create', requireOwner, async (req, res) => {
+  const projectId = (req.body.projectId || '').trim();
+  const matchType = (req.body.matchType || '').trim();
+  const matchValue = (req.body.matchValue || '').trim();
+  const priority = parseInt(req.body.priority || '100', 10);
+  if (!projectId || !matchType || !matchValue) return res.status(400).send('missing fields');
+
+  const { rows } = await pool.query(
+    `insert into email_rules(created_by_user_id, project_id, match_type, match_value, priority)
+     values ($1,$2,$3,$4,$5)
+     returning id`,
+    [req.user.id, projectId, matchType, matchValue, isNaN(priority) ? 100 : priority]
+  );
+  await audit(req, 'admin.email_rule_created', { targetType: 'email_rule', targetId: rows[0].id, metadata: { projectId, matchType, matchValue, priority } });
+  res.redirect('/admin/email-rules');
+});
+
+app.post('/admin/email-rules/:id/toggle', requireOwner, async (req, res) => {
+  const ruleId = req.params.id;
+  await pool.query(`update email_rules set enabled = not enabled where id=$1`, [ruleId]);
+  const { rows } = await pool.query('select enabled from email_rules where id=$1', [ruleId]);
+  await audit(req, 'admin.email_rule_toggled', { targetType: 'email_rule', targetId: ruleId, metadata: { enabled: rows[0]?.enabled } });
+  res.redirect('/admin/email-rules');
+});
+
+app.post('/admin/email-rules/:id/delete', requireOwner, async (req, res) => {
+  const ruleId = req.params.id;
+  await pool.query('delete from email_rules where id=$1', [ruleId]);
+  await audit(req, 'admin.email_rule_deleted', { targetType: 'email_rule', targetId: ruleId });
+  res.redirect('/admin/email-rules');
+});
+
+// Admin: audit log viewer
+app.get('/admin/audit', requireOwner, async (_req, res) => {
+  const { rows } = await pool.query(
+    `select created_at, actor_email, action, target_type, target_id, ip, metadata
+     from audit_logs
+     order by created_at desc
+     limit 250`
+  );
+  res.render('admin_audit', { logs: rows });
+});
+
+app.listen(PORT, () => {
+  // eslint-disable-next-line no-console
+  console.log(`Mastermind web listening on ${BASE_URL}`);
+});
diff --git a/web/src/views/account_password.ejs b/web/src/views/account_password.ejs
new file mode 100644
index 0000000..67d3027
--- /dev/null
+++ b/web/src/views/account_password.ejs
@@ -0,0 +1,45 @@
+<!doctype html>
+<html>
+<head>
+  <meta charset="utf-8" />
+  <meta name="viewport" content="width=device-width, initial-scale=1" />
+  <title>Mastermind — Change Password</title>
+  <style>
+    body{font-family:system-ui,-apple-system,Segoe UI,Roboto,Arial,sans-serif;margin:0;background:#0b0f14;color:#e8eef7}
+    header{background:#111824;border-bottom:1px solid #233043;padding:14px 16px;position:sticky;top:0}
+    main{max-width:700px;margin:0 auto;padding:16px}
+    .card{background:#111824;border:1px solid #233043;border-radius:12px;padding:14px;margin:12px 0}
+    label{display:block;margin:10px 0 6px;color:#a9b7c6}
+    input{width:100%;padding:12px;border-radius:10px;border:1px solid #233043;background:#0e1520;color:#e8eef7}
+    button{padding:12px 14px;border-radius:10px;border:1px solid #233043;background:#1c2a3d;color:#e8eef7;margin-top:12px;width:100%}
+    a{color:#7cc4ff;text-decoration:none}
+    .muted{color:#a9b7c6;font-size:13px;line-height:1.4}
+  </style>
+</head>
+<body>
+  <header>
+    <div style="display:flex;justify-content:space-between;align-items:center;gap:10px">
+      <div style="font-weight:700">Change Password</div>
+      <div style="display:flex;gap:10px">
+        <a href="/">Dashboard</a>
+        <a href="/logout">Logout</a>
+      </div>
+    </div>
+  </header>
+
+  <main>
+    <div class="card">
+      <p class="muted">This changes your <b>local</b> password (SSO passwords are managed by Google/Microsoft). If you don’t have a local identity yet, this will create one.</p>
+      <form method="post" action="/account/password">
+        <label>Current password (leave blank if you have no local password yet)</label>
+        <input name="currentPassword" type="password" />
+        <label>New password</label>
+        <input name="newPassword" type="password" required />
+        <label>Confirm new password</label>
+        <input name="confirmPassword" type="password" required />
+        <button type="submit">Update password</button>
+      </form>
+    </div>
+  </main>
+</body>
+</html>
diff --git a/web/src/views/admin_audit.ejs b/web/src/views/admin_audit.ejs
new file mode 100644
index 0000000..7cd1dc6
--- /dev/null
+++ b/web/src/views/admin_audit.ejs
@@ -0,0 +1,64 @@
+<!doctype html>
+<html>
+<head>
+  <meta charset="utf-8" />
+  <meta name="viewport" content="width=device-width, initial-scale=1" />
+  <title>Mastermind — Audit Log</title>
+  <style>
+    body{font-family:system-ui,-apple-system,Segoe UI,Roboto,Arial,sans-serif;margin:0;background:#0b0f14;color:#e8eef7}
+    header{background:#111824;border-bottom:1px solid #233043;padding:14px 16px;position:sticky;top:0}
+    main{max-width:1200px;margin:0 auto;padding:16px}
+    .card{background:#111824;border:1px solid #233043;border-radius:12px;padding:14px;margin:12px 0}
+    a{color:#7cc4ff;text-decoration:none}
+    .muted{color:#a9b7c6}
+    table{width:100%;border-collapse:collapse}
+    th,td{border-bottom:1px solid #233043;padding:10px 6px;text-align:left;color:#a9b7c6;font-size:13px;vertical-align:top}
+    th{color:#e8eef7}
+    code{font-family:ui-monospace,Menlo,Consolas,monospace;color:#d6e3f3}
+  </style>
+</head>
+<body>
+  <header>
+    <div style="display:flex;justify-content:space-between;align-items:center;gap:10px">
+      <div style="font-weight:700">Audit Log</div>
+      <div style="display:flex;gap:10px">
+        <a href="/admin/users">Users</a>
+        <a href="/">Dashboard</a>
+        <a href="/logout">Logout</a>
+      </div>
+    </div>
+  </header>
+
+  <main>
+    <div class="card">
+      <div class="muted">Showing latest <%= logs.length %> events (most recent first).</div>
+      <div style="overflow:auto;margin-top:10px">
+        <table>
+          <thead>
+            <tr>
+              <th>Time</th>
+              <th>Actor</th>
+              <th>Action</th>
+              <th>Target</th>
+              <th>IP</th>
+              <th>Metadata</th>
+            </tr>
+          </thead>
+          <tbody>
+            <% logs.forEach(l => { %>
+              <tr>
+                <td><%= l.created_at %></td>
+                <td><%= l.actor_email || '' %></td>
+                <td><code><%= l.action %></code></td>
+                <td><%= l.target_type || '' %> <%= l.target_id || '' %></td>
+                <td><%= l.ip || '' %></td>
+                <td><code><%= JSON.stringify(l.metadata || {}) %></code></td>
+              </tr>
+            <% }) %>
+          </tbody>
+        </table>
+      </div>
+    </div>
+  </main>
+</body>
+</html>
diff --git a/web/src/views/admin_users.ejs b/web/src/views/admin_users.ejs
new file mode 100644
index 0000000..f013b39
--- /dev/null
+++ b/web/src/views/admin_users.ejs
@@ -0,0 +1,119 @@
+<!doctype html>
+<html>
+<head>
+  <meta charset="utf-8" />
+  <meta name="viewport" content="width=device-width, initial-scale=1" />
+  <title>Mastermind — Users</title>
+  <style>
+    body{font-family:system-ui,-apple-system,Segoe UI,Roboto,Arial,sans-serif;margin:0;background:#0b0f14;color:#e8eef7}
+    header{background:#111824;border-bottom:1px solid #233043;padding:14px 16px;position:sticky;top:0}
+    main{max-width:1100px;margin:0 auto;padding:16px}
+    .card{background:#111824;border:1px solid #233043;border-radius:12px;padding:14px;margin:12px 0}
+    a{color:#7cc4ff;text-decoration:none}
+    .muted{color:#a9b7c6}
+    table{width:100%;border-collapse:collapse}
+    th,td{border-bottom:1px solid #233043;padding:10px 6px;text-align:left;color:#a9b7c6;font-size:13px;vertical-align:top}
+    th{color:#e8eef7}
+    input,select{padding:10px;border-radius:10px;border:1px solid #233043;background:#0e1520;color:#e8eef7;width:100%}
+    button{padding:10px 12px;border-radius:10px;border:1px solid #233043;background:#1c2a3d;color:#e8eef7}
+    .grid{display:grid;grid-template-columns:repeat(12,1fr);gap:12px}
+    .col6{grid-column:span 12}
+    @media(min-width:900px){.col6{grid-column:span 6}}
+    .pill{display:inline-block;padding:2px 8px;border:1px solid #233043;border-radius:999px;font-size:12px;color:#a9b7c6}
+    .danger{background:#2b1216;border-color:#5a1e28}
+  </style>
+</head>
+<body>
+  <header>
+    <div style="display:flex;justify-content:space-between;align-items:center;gap:10px">
+      <div style="font-weight:700">User Management</div>
+      <div style="display:flex;gap:10px">
+        <a href="/">Dashboard</a>
+        <a href="/logout">Logout</a>
+      </div>
+    </div>
+  </header>
+
+  <main>
+    <div class="card">
+      <h2 style="margin:0 0 8px">Create local user</h2>
+      <form method="post" action="/admin/users/create" class="grid">
+        <div class="col6">
+          <label class="muted">Email</label>
+          <input name="email" placeholder="user@company.com" required />
+        </div>
+        <div class="col6">
+          <label class="muted">Display name</label>
+          <input name="displayName" placeholder="Jane Doe" />
+        </div>
+        <div class="col6">
+          <label class="muted">Role</label>
+          <select name="role">
+            <option value="apm">apm</option>
+            <option value="pm">pm</option>
+            <option value="viewer">viewer</option>
+            <option value="owner">owner</option>
+          </select>
+        </div>
+        <div class="col6">
+          <label class="muted">Temporary password</label>
+          <input name="tempPassword" placeholder="Temp password" required />
+        </div>
+        <div style="grid-column:span 12">
+          <button type="submit">Create user</button>
+        </div>
+      </form>
+      <p class="muted" style="margin-top:10px">SSO users (Google/Microsoft) will appear here after their first login.</p>
+    </div>
+
+    <div class="card">
+      <h2 style="margin:0 0 8px">Users</h2>
+      <table>
+        <thead>
+          <tr>
+            <th>Email</th>
+            <th>Name</th>
+            <th>Role</th>
+            <th>Status</th>
+            <th>Identities</th>
+            <th>Actions</th>
+          </tr>
+        </thead>
+        <tbody>
+          <% users.forEach(u => { %>
+            <tr>
+              <td><%= u.email || '(no email)' %></td>
+              <td><%= u.display_name || '' %></td>
+              <td><span class="pill"><%= u.role %></span></td>
+              <td>
+                <% if (u.disabled) { %>
+                  <span class="pill danger">disabled</span>
+                <% } else { %>
+                  <span class="pill">active</span>
+                <% } %>
+              </td>
+              <td class="muted">
+                <%= (u.providers || '').split(',').filter(Boolean).join(', ') %>
+              </td>
+              <td>
+                <form method="post" action="/admin/users/<%= u.id %>/reset" style="display:inline-block;min-width:220px">
+                  <input name="newPassword" placeholder="New temp password" />
+                  <button type="submit" style="margin-top:6px;width:100%">Reset local password</button>
+                </form>
+                <div style="height:8px"></div>
+                <form method="post" action="/admin/users/<%= u.id %>/toggle" style="display:inline-block;width:220px">
+                  <button type="submit" style="width:100%"><%= u.disabled ? 'Enable user' : 'Disable user' %></button>
+                </form>
+                <div style="height:8px"></div>
+                <form method="post" action="/admin/users/<%= u.id %>/delete" onsubmit="return confirm('Delete user? This cannot be undone.');" style="display:inline-block;width:220px">
+                  <button type="submit" style="width:100%;background:#2b1216;border-color:#5a1e28">Delete user</button>
+                </form>
+              </td>
+            </tr>
+          <% }) %>
+        </tbody>
+      </table>
+    </div>
+  </main>
+</body>
+</html>
diff --git a/web/src/views/docs.ejs b/web/src/views/docs.ejs
new file mode 100644
index 0000000..9bc2a51
--- /dev/null
+++ b/web/src/views/docs.ejs
@@ -0,0 +1,59 @@
+<!doctype html>
+<html>
+<head>
+  <meta charset="utf-8" />
+  <meta name="viewport" content="width=device-width, initial-scale=1" />
+  <title>Mastermind — Docs</title>
+  <style>
+    body{font-family:system-ui,-apple-system,Segoe UI,Roboto,Arial,sans-serif;margin:0;background:#0b0f14;color:#e8eef7}
+    header{background:#111824;border-bottom:1px solid #233043;padding:14px 16px;position:sticky;top:0}
+    main{max-width:1100px;margin:0 auto;padding:16px}
+    .card{background:#111824;border:1px solid #233043;border-radius:12px;padding:14px;margin:12px 0}
+    a{color:#7cc4ff;text-decoration:none}
+    .muted{color:#a9b7c6}
+    .grid{display:grid;grid-template-columns:repeat(12,1fr);gap:12px}
+    .nav{grid-column:span 12}
+    .content{grid-column:span 12}
+    @media(min-width:900px){.nav{grid-column:span 3}.content{grid-column:span 9}}
+    .nav a{display:block;padding:10px;border:1px solid #233043;border-radius:10px;margin-bottom:8px;background:#0e1520}
+    .doc{background:#0e1520;border:1px solid #233043;border-radius:10px;padding:14px;overflow:auto}
+    .doc h1,.doc h2,.doc h3{color:#e8eef7}
+    .doc p,.doc li{color:#a9b7c6;line-height:1.45}
+    .doc code,.doc pre{font-family:ui-monospace,Menlo,Consolas,monospace}
+    .doc pre{background:#0b0f14;border:1px solid #233043;border-radius:10px;padding:12px;color:#d6e3f3;overflow:auto}
+  </style>
+</head>
+<body>
+<header>
+  <div style="display:flex;justify-content:space-between;align-items:center;gap:10px">
+    <div style="font-weight:700">Docs</div>
+    <div style="display:flex;gap:10px">
+      <a href="/">Dashboard</a>
+      <a href="/logout">Logout</a>
+    </div>
+  </div>
+</header>
+
+<main>
+  <div class="grid">
+    <div class="nav">
+      <div class="card">
+        <% docs.forEach(d => { %>
+          <a href="/docs/<%= d.slug %>"><%= d.title %></a>
+        <% }) %>
+      </div>
+    </div>
+
+    <div class="content">
+      <div class="card">
+        <div class="muted">Viewing: <b><%= current.title %></b></div>
+        <div class="muted">Source file: <code><%= current.path %></code></div>
+      </div>
+      <div class="doc">
+        <%- html %>
+      </div>
+    </div>
+  </div>
+</main>
+</body>
+</html>
diff --git a/web/src/views/draft_edit.ejs b/web/src/views/draft_edit.ejs
new file mode 100644
index 0000000..3477ef4
--- /dev/null
+++ b/web/src/views/draft_edit.ejs
@@ -0,0 +1,75 @@
+<!doctype html>
+<html>
+<head>
+  <meta charset="utf-8" />
+  <meta name="viewport" content="width=device-width, initial-scale=1" />
+  <title>Mastermind — Draft</title>
+  <style>
+    body{font-family:system-ui,-apple-system,Segoe UI,Roboto,Arial,sans-serif;margin:0;background:#0b0f14;color:#e8eef7}
+    header{background:#111824;border-bottom:1px solid #233043;padding:14px 16px;position:sticky;top:0}
+    main{max-width:1100px;margin:0 auto;padding:16px}
+    .card{background:#111824;border:1px solid #233043;border-radius:12px;padding:14px;margin:12px 0}
+    a{color:#7cc4ff;text-decoration:none}
+    .muted{color:#a9b7c6}
+    textarea,input,select{width:100%;padding:12px;border-radius:10px;border:1px solid #233043;background:#0e1520;color:#e8eef7}
+    button{padding:12px 14px;border-radius:10px;border:1px solid #233043;background:#1c2a3d;color:#e8eef7}
+    .grid{display:grid;grid-template-columns:repeat(12,1fr);gap:12px}
+    .col6{grid-column:span 12}
+    @media(min-width:900px){.col6{grid-column:span 6}}
+    pre{white-space:pre-wrap;background:#0e1520;border:1px solid #233043;border-radius:10px;padding:12px;color:#d6e3f3}
+  </style>
+</head>
+<body>
+<header>
+  <div style="display:flex;justify-content:space-between;align-items:center;gap:10px">
+    <div style="font-weight:700"><%= kind.toUpperCase() %> Draft</div>
+    <div style="display:flex;gap:10px">
+      <a href="/">Dashboard</a>
+      <a href="/logout">Logout</a>
+    </div>
+  </div>
+</header>
+<main>
+  <div class="card">
+    <div class="muted"><b>Project:</b> <%= project ? project.name : '(unassigned)' %></div>
+    <div class="muted"><b>Source email:</b> <% if (email) { %><a href="/inbox/<%= email.id %>"><%= email.subject || email.id %></a><% } else { %>—<% } %></div>
+  </div>
+
+  <div class="card">
+    <div style="display:flex;gap:10px;flex-wrap:wrap;justify-content:flex-end;margin-bottom:10px">
+      <a href="/drafts/<%= kind %>/<%= draft.id %>/export.md">Download .md</a>
+    </div>
+
+    <form method="post" action="/drafts/<%= kind %>/<%= draft.id %>/save" class="grid">
+      <div class="col6">
+        <label class="muted">Title</label>
+        <input name="title" value="<%= draft.title || '' %>" />
+      </div>
+      <div class="col6">
+        <label class="muted">Status</label>
+        <select name="status">
+          <% ['draft','ready','sent'].forEach(s => { %>
+            <option value="<%= s %>" <%= draft.status===s?'selected':'' %>><%= s %></option>
+          <% }) %>
+        </select>
+      </div>
+      <div style="grid-column:span 12">
+        <label class="muted">Body (Markdown)</label>
+        <textarea name="body" rows="14"><%= draft.body || '' %></textarea>
+      </div>
+      <div style="grid-column:span 12">
+        <button type="submit">Save</button>
+      </div>
+    </form>
+  </div>
+
+  <div class="card">
+    <h2 style="margin:0 0 8px">Preview</h2>
+    <div class="muted" style="margin-bottom:8px">Rendered Markdown preview</div>
+    <div style="background:#0e1520;border:1px solid #233043;border-radius:10px;padding:12px;overflow:auto">
+      <%- previewHtml %>
+    </div>
+  </div>
+</main>
+</body>
+</html>
diff --git a/web/src/views/drafts_list.ejs b/web/src/views/drafts_list.ejs
new file mode 100644
index 0000000..61b7732
--- /dev/null
+++ b/web/src/views/drafts_list.ejs
@@ -0,0 +1,70 @@
+<!doctype html>
+<html>
+<head>
+  <meta charset="utf-8" />
+  <meta name="viewport" content="width=device-width, initial-scale=1" />
+  <title>Mastermind — Drafts</title>
+  <style>
+    body{font-family:system-ui,-apple-system,Segoe UI,Roboto,Arial,sans-serif;margin:0;background:#0b0f14;color:#e8eef7}
+    header{background:#111824;border-bottom:1px solid #233043;padding:14px 16px;position:sticky;top:0}
+    main{max-width:1200px;margin:0 auto;padding:16px}
+    .card{background:#111824;border:1px solid #233043;border-radius:12px;padding:14px;margin:12px 0}
+    a{color:#7cc4ff;text-decoration:none}
+    .muted{color:#a9b7c6}
+    table{width:100%;border-collapse:collapse}
+    th,td{border-bottom:1px solid #233043;padding:10px 6px;text-align:left;color:#a9b7c6;font-size:13px;vertical-align:top}
+    th{color:#e8eef7}
+    .pill{display:inline-block;padding:2px 8px;border:1px solid #233043;border-radius:999px;font-size:12px;color:#a9b7c6}
+  </style>
+</head>
+<body>
+<header>
+  <div style="display:flex;justify-content:space-between;align-items:center;gap:10px">
+    <div style="font-weight:700">Drafts</div>
+    <div style="display:flex;gap:10px">
+      <a href="/">Dashboard</a>
+      <a href="/logout">Logout</a>
+    </div>
+  </div>
+</header>
+<main>
+  <div class="card">
+    <div class="muted">PCO and RFI drafts generated from emails. Nothing is sent automatically.</div>
+  </div>
+
+  <div class="card">
+    <h2 style="margin:0 0 8px">PCO drafts</h2>
+    <table>
+      <thead><tr><th>Created</th><th>Project</th><th>Title</th><th>Status</th></tr></thead>
+      <tbody>
+        <% pcos.forEach(d => { %>
+          <tr>
+            <td><%= d.created_at %></td>
+            <td><%= d.project_name || '' %></td>
+            <td><a href="/drafts/pco/<%= d.id %>"><%= d.title || '(untitled)' %></a></td>
+            <td><span class="pill"><%= d.status %></span></td>
+          </tr>
+        <% }) %>
+      </tbody>
+    </table>
+  </div>
+
+  <div class="card">
+    <h2 style="margin:0 0 8px">RFI drafts</h2>
+    <table>
+      <thead><tr><th>Created</th><th>Project</th><th>Title</th><th>Status</th></tr></thead>
+      <tbody>
+        <% rfis.forEach(d => { %>
+          <tr>
+            <td><%= d.created_at %></td>
+            <td><%= d.project_name || '' %></td>
+            <td><a href="/drafts/rfi/<%= d.id %>"><%= d.title || '(untitled)' %></a></td>
+            <td><span class="pill"><%= d.status %></span></td>
+          </tr>
+        <% }) %>
+      </tbody>
+    </table>
+  </div>
+</main>
+</body>
+</html>
diff --git a/web/src/views/email_rules.ejs b/web/src/views/email_rules.ejs
new file mode 100644
index 0000000..557ea68
--- /dev/null
+++ b/web/src/views/email_rules.ejs
@@ -0,0 +1,110 @@
+<!doctype html>
+<html>
+<head>
+  <meta charset="utf-8" />
+  <meta name="viewport" content="width=device-width, initial-scale=1" />
+  <title>Mastermind — Email Rules</title>
+  <style>
+    body{font-family:system-ui,-apple-system,Segoe UI,Roboto,Arial,sans-serif;margin:0;background:#0b0f14;color:#e8eef7}
+    header{background:#111824;border-bottom:1px solid #233043;padding:14px 16px;position:sticky;top:0}
+    main{max-width:1200px;margin:0 auto;padding:16px}
+    .card{background:#111824;border:1px solid #233043;border-radius:12px;padding:14px;margin:12px 0}
+    a{color:#7cc4ff;text-decoration:none}
+    .muted{color:#a9b7c6}
+    input,select{padding:12px;border-radius:10px;border:1px solid #233043;background:#0e1520;color:#e8eef7;width:100%}
+    button{padding:12px 14px;border-radius:10px;border:1px solid #233043;background:#1c2a3d;color:#e8eef7}
+    table{width:100%;border-collapse:collapse}
+    th,td{border-bottom:1px solid #233043;padding:10px 6px;text-align:left;color:#a9b7c6;font-size:13px;vertical-align:top}
+    th{color:#e8eef7}
+    .grid{display:grid;grid-template-columns:repeat(12,1fr);gap:12px}
+    .col4{grid-column:span 12}
+    @media(min-width:900px){.col4{grid-column:span 4}}
+  </style>
+</head>
+<body>
+<header>
+  <div style="display:flex;justify-content:space-between;align-items:center;gap:10px">
+    <div style="font-weight:700">Email Rules</div>
+    <div style="display:flex;gap:10px">
+      <a href="/admin/email">Email Accounts</a>
+      <a href="/">Dashboard</a>
+      <a href="/logout">Logout</a>
+    </div>
+  </div>
+</header>
+
+<main>
+  <div class="card">
+    <h2 style="margin:0 0 8px">Create rule</h2>
+    <form method="post" action="/admin/email-rules/create" class="grid">
+      <div class="col4">
+        <label class="muted">Project</label>
+        <select name="projectId" required>
+          <% projects.forEach(p => { %>
+            <option value="<%= p.id %>"><%= p.name %> (<%= p.job_number || '—' %>)</option>
+          <% }) %>
+        </select>
+      </div>
+      <div class="col4">
+        <label class="muted">Match type</label>
+        <select name="matchType">
+          <option value="from_domain">From domain</option>
+          <option value="from_contains">From contains</option>
+          <option value="subject_contains">Subject contains</option>
+          <option value="body_contains">Body contains</option>
+          <option value="thread_key">Thread key</option>
+        </select>
+      </div>
+      <div class="col4">
+        <label class="muted">Match value</label>
+        <input name="matchValue" placeholder="@gc.com or 0222600001 or project name" required />
+      </div>
+      <div class="col4">
+        <label class="muted">Priority (lower = earlier)</label>
+        <input name="priority" value="100" />
+      </div>
+      <div style="grid-column:span 12">
+        <button type="submit">Add rule</button>
+      </div>
+    </form>
+  </div>
+
+  <div class="card">
+    <h2 style="margin:0 0 8px">Rules</h2>
+    <div style="overflow:auto">
+      <table>
+        <thead>
+          <tr>
+            <th>Enabled</th>
+            <th>Priority</th>
+            <th>Project</th>
+            <th>Type</th>
+            <th>Value</th>
+            <th></th>
+          </tr>
+        </thead>
+        <tbody>
+          <% rules.forEach(r => { %>
+            <tr>
+              <td><%= r.enabled ? 'yes' : 'no' %></td>
+              <td><%= r.priority %></td>
+              <td><%= r.project_name %></td>
+              <td><%= r.match_type %></td>
+              <td><%= r.match_value %></td>
+              <td>
+                <form method="post" action="/admin/email-rules/<%= r.id %>/toggle" style="display:inline">
+                  <button type="submit"><%= r.enabled ? 'Disable' : 'Enable' %></button>
+                </form>
+                <form method="post" action="/admin/email-rules/<%= r.id %>/delete" onsubmit="return confirm('Delete rule?');" style="display:inline">
+                  <button type="submit" style="background:#2b1216;border-color:#5a1e28">Delete</button>
+                </form>
+              </td>
+            </tr>
+          <% }) %>
+        </tbody>
+      </table>
+    </div>
+  </div>
+</main>
+</body>
+</html>
diff --git a/web/src/views/email_settings.ejs b/web/src/views/email_settings.ejs
new file mode 100644
index 0000000..c663604
--- /dev/null
+++ b/web/src/views/email_settings.ejs
@@ -0,0 +1,86 @@
+<!doctype html>
+<html>
+<head>
+  <meta charset="utf-8" />
+  <meta name="viewport" content="width=device-width, initial-scale=1" />
+  <title>Mastermind — Email Accounts</title>
+  <style>
+    body{font-family:system-ui,-apple-system,Segoe UI,Roboto,Arial,sans-serif;margin:0;background:#0b0f14;color:#e8eef7}
+    header{background:#111824;border-bottom:1px solid #233043;padding:14px 16px;position:sticky;top:0}
+    main{max-width:1100px;margin:0 auto;padding:16px}
+    .card{background:#111824;border:1px solid #233043;border-radius:12px;padding:14px;margin:12px 0}
+    a{color:#7cc4ff;text-decoration:none}
+    .muted{color:#a9b7c6}
+    table{width:100%;border-collapse:collapse}
+    th,td{border-bottom:1px solid #233043;padding:10px 6px;text-align:left;color:#a9b7c6;font-size:13px;vertical-align:top}
+    th{color:#e8eef7}
+    button{padding:10px 12px;border-radius:10px;border:1px solid #233043;background:#1c2a3d;color:#e8eef7}
+    .pill{display:inline-block;padding:2px 8px;border:1px solid #233043;border-radius:999px;font-size:12px;color:#a9b7c6}
+  </style>
+</head>
+<body>
+<header>
+  <div style="display:flex;justify-content:space-between;align-items:center;gap:10px">
+    <div style="font-weight:700">Email Accounts</div>
+    <div style="display:flex;gap:10px">
+      <a href="/admin/email-rules">Rules</a>
+      <a href="/">Dashboard</a>
+      <a href="/logout">Logout</a>
+    </div>
+  </div>
+</header>
+<main>
+  <div class="card">
+    <p class="muted">Connectors are first-class from day 1. They’ll show <b>Not configured</b> until you provide OAuth credentials. Manual .eml upload works now.</p>
+  </div>
+
+  <div class="card">
+    <h2 style="margin:0 0 8px">Connectors</h2>
+    <table>
+      <thead>
+        <tr>
+          <th>Provider</th>
+          <th>Enabled</th>
+          <th>Configured</th>
+          <th>Authorized</th>
+          <th>Last sync</th>
+          <th>Last error</th>
+          <th>Action</th>
+        </tr>
+      </thead>
+      <tbody>
+        <% connectors.forEach(c => { %>
+          <tr>
+            <td><b><%= c.provider %></b></td>
+            <td><span class="pill"><%= c.enabled ? 'yes' : 'no' %></span></td>
+            <td><span class="pill"><%= c.configured ? 'yes' : 'no' %></span></td>
+            <td><span class="pill"><%= c.authorized ? 'yes' : 'no' %></span></td>
+            <td><%= c.last_sync_at || '' %></td>
+            <td><%= c.last_error || '' %></td>
+            <td>
+              <form method="post" action="/admin/email-connectors/<%= c.provider %>/toggle">
+                <button type="submit"><%= c.enabled ? 'Disable' : 'Enable' %></button>
+              </form>
+              <div class="muted" style="margin-top:6px">
+                <% if (!c.configured) { %>
+                  Not configured — add OAuth credentials in <code>.env</code> (we’ll add UI later).
+                <% } else if (!c.authorized) { %>
+                  Configured — needs OAuth authorization (pending).
+                <% } else { %>
+                  Connected.
+                <% } %>
+              </div>
+            </td>
+          </tr>
+        <% }) %>
+      </tbody>
+    </table>
+  </div>
+
+  <div class="card">
+    <h2 style="margin:0 0 8px">Manual import</h2>
+    <p><a href="/inbox">→ Inbox import + triage</a></p>
+  </div>
+</main>
+</body>
+</html>
diff --git a/web/src/views/home.ejs b/web/src/views/home.ejs
new file mode 100644
index 0000000..0bc2fe7
--- /dev/null
+++ b/web/src/views/home.ejs
@@ -0,0 +1,73 @@
+<!doctype html>
+<html>
+<head>
+  <meta charset="utf-8" />
+  <meta name="viewport" content="width=device-width, initial-scale=1" />
+  <title>Mastermind — Dashboard</title>
+  <style>
+    body{font-family:system-ui,-apple-system,Segoe UI,Roboto,Arial,sans-serif;margin:0;background:#0b0f14;color:#e8eef7}
+    header{position:sticky;top:0;background:#111824;border-bottom:1px solid #233043;padding:14px 16px}
+    main{max-width:1100px;margin:0 auto;padding:16px}
+    .card{background:#111824;border:1px solid #233043;border-radius:12px;padding:14px;margin:12px 0}
+    a{color:#7cc4ff;text-decoration:none}
+    a:hover{text-decoration:underline}
+    .muted{color:#a9b7c6}
+    .grid{display:grid;grid-template-columns:repeat(12,1fr);gap:12px}
+    .col6{grid-column:span 12}
+    @media(min-width:900px){.col6{grid-column:span 6}}
+  </style>
+</head>
+<body>
+  <header>
+    <div style="display:flex;justify-content:space-between;align-items:center;gap:10px">
+      <div>
+        <div style="font-weight:700">Mastermind</div>
+        <div class="muted" style="font-size:13px">Logged in as <%= user.email || user.display_name || user.id %></div>
+      </div>
+      <div style="display:flex;gap:10px">
+        <a href="/account/password">Password</a>
+        <a href="/setup">Setup</a>
+        <a href="/docs">Docs</a>
+        <% if (user.role === 'owner') { %>
+          <a href="/admin/email">Email</a>
+          <a href="/admin/email-rules">Rules</a>
+          <a href="/admin/users">Users</a>
+          <a href="/admin/audit">Audit</a>
+        <% } %>
+        <a href="/logout">Logout</a>
+      </div>
+    </div>
+  </header>
+
+  <main>
+    <div class="grid">
+      <div class="card col6">
+        <h2 style="margin:0 0 8px">MVP status</h2>
+        <div class="muted">Auth is wired (local + optional Google/Microsoft). Next: project wizard + inbox ingestion.</div>
+      </div>
+      <div class="card col6">
+        <h2 style="margin:0 0 8px">Base URL</h2>
+        <div class="muted">Current: <code><%= baseUrl %></code></div>
+        <div class="muted" style="margin-top:6px">If OAuth callbacks don’t work, update Base URL under Setup.</div>
+      </div>
+    </div>
+
+    <div class="card">
+      <h2 style="margin:0 0 8px">Start</h2>
+      <p class="muted">Create a project profile so Mastermind can sort your single mailbox automatically.</p>
+      <p><a href="/projects">→ Projects</a></p>
+      <p><a href="/inbox">→ Inbox (import + triage)</a></p>
+      <p><a href="/drafts">→ Drafts (PCO / RFI)</a></p>
+    </div>
+
+    <div class="card">
+      <h2 style="margin:0 0 8px">Next build steps</h2>
+      <ol class="muted">
+        <li>Inbox triage queue (single mailbox → auto-sort per project)</li>
+        <li>RFI/Submittal/PCO logs + draft generators with citations</li>
+        <li>Email connectors (Gmail + Microsoft) behind OAuth + local fallback imports</li>
+      </ol>
+    </div>
+  </main>
+</body>
+</html>
diff --git a/web/src/views/inbox.ejs b/web/src/views/inbox.ejs
new file mode 100644
index 0000000..2cb0020
--- /dev/null
+++ b/web/src/views/inbox.ejs
@@ -0,0 +1,114 @@
+<!doctype html>
+<html>
+<head>
+  <meta charset="utf-8" />
+  <meta name="viewport" content="width=device-width, initial-scale=1" />
+  <title>Mastermind — Inbox</title>
+  <style>
+    body{font-family:system-ui,-apple-system,Segoe UI,Roboto,Arial,sans-serif;margin:0;background:#0b0f14;color:#e8eef7}
+    header{background:#111824;border-bottom:1px solid #233043;padding:14px 16px;position:sticky;top:0}
+    main{max-width:1200px;margin:0 auto;padding:16px}
+    .card{background:#111824;border:1px solid #233043;border-radius:12px;padding:14px;margin:12px 0}
+    a{color:#7cc4ff;text-decoration:none}
+    .muted{color:#a9b7c6}
+    input,select{padding:12px;border-radius:10px;border:1px solid #233043;background:#0e1520;color:#e8eef7;width:100%}
+    button{padding:12px 14px;border-radius:10px;border:1px solid #233043;background:#1c2a3d;color:#e8eef7}
+    table{width:100%;border-collapse:collapse}
+    th,td{border-bottom:1px solid #233043;padding:10px 6px;text-align:left;color:#a9b7c6;font-size:13px;vertical-align:top}
+    th{color:#e8eef7}
+    .grid{display:grid;grid-template-columns:repeat(12,1fr);gap:12px}
+    .col6{grid-column:span 12}
+    @media(min-width:900px){.col6{grid-column:span 6}}
+    .actions{display:flex;gap:8px;flex-wrap:wrap}
+  </style>
+</head>
+<body>
+<header>
+  <div style="display:flex;justify-content:space-between;align-items:center;gap:10px">
+    <div style="font-weight:700">Inbox</div>
+    <div style="display:flex;gap:10px">
+      <a href="/projects">Projects</a>
+      <a href="/">Dashboard</a>
+      <a href="/logout">Logout</a>
+    </div>
+  </div>
+</header>
+<main>
+  <div class="card">
+    <h2 style="margin:0 0 8px">Import emails (until OAuth is connected)</h2>
+    <div class="muted">Upload .eml files. Mastermind stores them and puts them into the Unsorted queue for triage.</div>
+    <form method="post" action="/inbox/upload" enctype="multipart/form-data" class="grid" style="margin-top:10px">
+      <div class="col6">
+        <label class="muted">.eml files</label>
+        <input type="file" name="emls" multiple accept=".eml,message/rfc822" required />
+      </div>
+      <div class="col6">
+        <label class="muted">Source label</label>
+        <input name="source" placeholder="outlook-export" value="upload" />
+      </div>
+      <div style="grid-column:span 12">
+        <button type="submit">Import</button>
+      </div>
+    </form>
+  </div>
+
+  <div class="card">
+    <h2 style="margin:0 0 8px">Unsorted</h2>
+    <div class="muted">Assign each email to a project. Later this will be automated with rules + OAuth sync.</div>
+    <div style="overflow:auto;margin-top:10px">
+      <table>
+        <thead>
+          <tr>
+            <th>Date</th>
+            <th>From</th>
+            <th>Subject</th>
+            <th>Assign</th>
+          </tr>
+        </thead>
+        <tbody>
+          <% emails.forEach(e => { %>
+            <tr>
+              <td><%= e.date || '' %></td>
+              <td><%= e.from_addr || '' %></td>
+              <td><a href="/inbox/<%= e.id %>"><%= e.subject || '(no subject)' %></a></td>
+              <td>
+                <form method="post" action="/inbox/<%= e.id %>/assign" class="actions" style="margin-bottom:8px">
+                  <select name="projectId" required>
+                    <option value="" disabled selected>Select project…</option>
+                    <% projects.forEach(p => { %>
+                      <option value="<%= p.id %>"><%= p.name %> (<%= p.job_number || '—' %>)</option>
+                    <% }) %>
+                  </select>
+                  <button type="submit">Assign</button>
+                </form>
+
+                <div class="muted" style="font-size:12px;margin-bottom:6px">Make a rule from this email:</div>
+                <form method="post" action="/inbox/<%= e.id %>/rule/from_domain" class="actions" style="margin-bottom:8px">
+                  <select name="projectId" required>
+                    <option value="" disabled selected>Project…</option>
+                    <% projects.forEach(p => { %>
+                      <option value="<%= p.id %>"><%= p.name %></option>
+                    <% }) %>
+                  </select>
+                  <button type="submit">Rule: From domain</button>
+                </form>
+
+                <form method="post" action="/inbox/<%= e.id %>/rule/subject_job" class="actions">
+                  <select name="projectId" required>
+                    <option value="" disabled selected>Project…</option>
+                    <% projects.forEach(p => { %>
+                      <option value="<%= p.id %>"><%= p.name %></option>
+                    <% }) %>
+                  </select>
+                  <button type="submit">Rule: Subject job#</button>
+                </form>
+              </td>
+            </tr>
+          <% }) %>
+        </tbody>
+      </table>
+    </div>
+  </div>
+</main>
+</body>
+</html>
diff --git a/web/src/views/inbox_email.ejs b/web/src/views/inbox_email.ejs
new file mode 100644
index 0000000..f38b79e
--- /dev/null
+++ b/web/src/views/inbox_email.ejs
@@ -0,0 +1,88 @@
+<!doctype html>
+<html>
+<head>
+  <meta charset="utf-8" />
+  <meta name="viewport" content="width=device-width, initial-scale=1" />
+  <title>Mastermind — Email</title>
+  <style>
+    body{font-family:system-ui,-apple-system,Segoe UI,Roboto,Arial,sans-serif;margin:0;background:#0b0f14;color:#e8eef7}
+    header{background:#111824;border-bottom:1px solid #233043;padding:14px 16px;position:sticky;top:0}
+    main{max-width:1100px;margin:0 auto;padding:16px}
+    .card{background:#111824;border:1px solid #233043;border-radius:12px;padding:14px;margin:12px 0}
+    a{color:#7cc4ff;text-decoration:none}
+    .muted{color:#a9b7c6}
+    pre{white-space:pre-wrap;background:#0e1520;border:1px solid #233043;border-radius:10px;padding:12px;color:#d6e3f3}
+    table{width:100%;border-collapse:collapse}
+    th,td{border-bottom:1px solid #233043;padding:10px 6px;text-align:left;color:#a9b7c6;font-size:13px;vertical-align:top}
+    th{color:#e8eef7}
+    button{padding:10px 12px;border-radius:10px;border:1px solid #233043;background:#1c2a3d;color:#e8eef7}
+  </style>
+</head>
+<body>
+<header>
+  <div style="display:flex;justify-content:space-between;align-items:center;gap:10px">
+    <div style="font-weight:700">Email</div>
+    <div style="display:flex;gap:10px">
+      <a href="/inbox">Inbox</a>
+      <a href="/projects">Projects</a>
+      <a href="/">Dashboard</a>
+    </div>
+  </div>
+</header>
+<main>
+  <div class="card">
+    <div class="muted"><b>Date:</b> <%= email.date || '' %></div>
+    <div class="muted"><b>From:</b> <%= email.from_addr || '' %></div>
+    <div class="muted"><b>To:</b> <%= email.to_addr || '' %></div>
+    <div class="muted"><b>Subject:</b> <%= email.subject || '' %></div>
+    <div class="muted"><b>Status:</b> <%= email.status %></div>
+    <div class="muted"><b>Raw file:</b> <%= email.raw_path || '' %></div>
+
+    <div style="height:10px"></div>
+    <div style="display:flex;gap:10px;flex-wrap:wrap">
+      <form method="post" action="/drafts/pco/from-email">
+        <input type="hidden" name="emailId" value="<%= email.id %>" />
+        <button type="submit">Create PCO draft from this email</button>
+      </form>
+      <form method="post" action="/drafts/rfi/from-email">
+        <input type="hidden" name="emailId" value="<%= email.id %>" />
+        <button type="submit">Create RFI draft from this email</button>
+      </form>
+    </div>
+  </div>
+
+  <div class="card">
+    <h2 style="margin:0 0 8px">Attachments</h2>
+    <% if (!attachments.length) { %>
+      <div class="muted">No attachments stored for this email.</div>
+    <% } else { %>
+      <table>
+        <thead>
+          <tr>
+            <th>Filename</th>
+            <th>Type</th>
+            <th>Size</th>
+            <th></th>
+          </tr>
+        </thead>
+        <tbody>
+          <% attachments.forEach(a => { %>
+            <tr>
+              <td><%= a.filename || '' %></td>
+              <td><%= a.content_type || '' %></td>
+              <td><%= a.size_bytes || '' %></td>
+              <td><a href="/attachments/<%= a.id %>">Download</a></td>
+            </tr>
+          <% }) %>
+        </tbody>
+      </table>
+    <% } %>
+  </div>
+
+  <div class="card">
+    <h2 style="margin:0 0 8px">Body (text)</h2>
+    <pre><%= email.body_text || '' %></pre>
+  </div>
+</main>
+</body>
+</html>
diff --git a/web/src/views/login.ejs b/web/src/views/login.ejs
new file mode 100644
index 0000000..9a6ebe6
--- /dev/null
+++ b/web/src/views/login.ejs
@@ -0,0 +1,49 @@
+<!doctype html>
+<html>
+<head>
+  <meta charset="utf-8" />
+  <meta name="viewport" content="width=device-width, initial-scale=1" />
+  <title>Mastermind — Login</title>
+  <style>
+    body{font-family:system-ui,-apple-system,Segoe UI,Roboto,Arial,sans-serif;margin:0;background:#0b0f14;color:#e8eef7}
+    .wrap{max-width:420px;margin:0 auto;padding:28px}
+    .card{background:#111824;border:1px solid #233043;border-radius:12px;padding:16px}
+    label{display:block;margin:10px 0 6px;color:#a9b7c6}
+    input{width:100%;padding:12px;border-radius:10px;border:1px solid #233043;background:#0e1520;color:#e8eef7}
+    button{width:100%;padding:12px;border-radius:10px;border:1px solid #233043;background:#1c2a3d;color:#e8eef7;margin-top:12px}
+    .row{display:flex;gap:10px;margin-top:12px}
+    .row a{flex:1;text-align:center;text-decoration:none;padding:12px;border-radius:10px;border:1px solid #233043;color:#7cc4ff;background:#0e1520}
+    .muted{color:#a9b7c6;font-size:13px;line-height:1.4}
+  </style>
+</head>
+<body>
+  <div class="wrap">
+    <h1 style="margin:0 0 8px">Mastermind</h1>
+    <div class="muted">Local login + Google/Microsoft OAuth. Mobile friendly.</div>
+    <div style="height:12px"></div>
+
+    <div class="card">
+      <form method="post" action="/login">
+        <label>Email</label>
+        <input name="email" placeholder="you@company.com" />
+        <label>Password</label>
+        <input name="password" type="password" placeholder="••••••••" />
+        <button type="submit">Sign in (local)</button>
+      </form>
+
+      <div class="row">
+        <% if (googleEnabled) { %>
+          <a href="/auth/google">Google</a>
+        <% } %>
+        <% if (microsoftEnabled) { %>
+          <a href="/auth/microsoft">Microsoft</a>
+        <% } %>
+      </div>
+
+      <p class="muted" style="margin-top:12px">
+        First run creates <b>owner@local / owner</b> (change ASAP).
+      </p>
+    </div>
+  </div>
+</body>
+</html>
diff --git a/web/src/views/project_detail.ejs b/web/src/views/project_detail.ejs
new file mode 100644
index 0000000..e255fec
--- /dev/null
+++ b/web/src/views/project_detail.ejs
@@ -0,0 +1,80 @@
+<!doctype html>
+<html>
+<head>
+  <meta charset="utf-8" />
+  <meta name="viewport" content="width=device-width, initial-scale=1" />
+  <title>Mastermind — Project</title>
+  <style>
+    body{font-family:system-ui,-apple-system,Segoe UI,Roboto,Arial,sans-serif;margin:0;background:#0b0f14;color:#e8eef7}
+    header{background:#111824;border-bottom:1px solid #233043;padding:14px 16px;position:sticky;top:0}
+    main{max-width:1100px;margin:0 auto;padding:16px}
+    .card{background:#111824;border:1px solid #233043;border-radius:12px;padding:14px;margin:12px 0}
+    a{color:#7cc4ff;text-decoration:none}
+    .muted{color:#a9b7c6}
+    .grid{display:grid;grid-template-columns:repeat(12,1fr);gap:12px}
+    .col6{grid-column:span 12}
+    @media(min-width:900px){.col6{grid-column:span 6}}
+    input,select{padding:12px;border-radius:10px;border:1px solid #233043;background:#0e1520;color:#e8eef7;width:100%}
+    button{padding:12px 14px;border-radius:10px;border:1px solid #233043;background:#1c2a3d;color:#e8eef7}
+    .pill{display:inline-block;padding:2px 8px;border:1px solid #233043;border-radius:999px;font-size:12px;color:#a9b7c6}
+  </style>
+</head>
+<body>
+<header>
+  <div style="display:flex;justify-content:space-between;align-items:center;gap:10px">
+    <div>
+      <div style="font-weight:700"><%= project.name %></div>
+      <div class="muted" style="font-size:13px">Job: <%= project.job_number || '—' %> · Mode: <span class="pill"><%= project.role_mode %></span></div>
+    </div>
+    <div style="display:flex;gap:10px">
+      <a href="/projects/<%= project.id %>/inbox">Inbox</a>
+      <a href="/projects">Projects</a>
+      <a href="/">Dashboard</a>
+    </div>
+  </div>
+</header>
+
+<main>
+  <div class="card">
+    <h2 style="margin:0 0 8px">Project profile</h2>
+    <form method="post" action="/projects/<%= project.id %>/update" class="grid">
+      <div class="col6">
+        <label class="muted">Name</label>
+        <input name="name" value="<%= project.name %>" required />
+      </div>
+      <div class="col6">
+        <label class="muted">Job #</label>
+        <input name="jobNumber" value="<%= project.job_number || '' %>" />
+      </div>
+      <div class="col6">
+        <label class="muted">Mode</label>
+        <select name="roleMode">
+          <option value="ec" <%= project.role_mode==='ec'?'selected':'' %>>Electrical contractor</option>
+          <option value="gc" <%= project.role_mode==='gc'?'selected':'' %>>General contractor</option>
+        </select>
+      </div>
+      <div class="col6">
+        <label class="muted">GC name</label>
+        <input name="gcName" value="<%= project.gc_name || '' %>" />
+      </div>
+      <div style="grid-column:span 12">
+        <label class="muted">Keywords (used for email sorting)</label>
+        <input name="keywords" value="<%= project.keywords || '' %>" />
+      </div>
+      <div style="grid-column:span 12">
+        <button type="submit">Save</button>
+      </div>
+    </form>
+  </div>
+
+  <div class="card">
+    <h2 style="margin:0 0 8px">Next modules</h2>
+    <ul class="muted">
+      <li>Inbox for this project (auto-sorted from the single mailbox)</li>
+      <li>Logs: RFI / Submittals / PCO / Procurement</li>
+      <li>Draft tools: create RFI or PCO from an email</li>
+    </ul>
+  </div>
+</main>
+</body>
+</html>
diff --git a/web/src/views/project_inbox.ejs b/web/src/views/project_inbox.ejs
new file mode 100644
index 0000000..252bcae
--- /dev/null
+++ b/web/src/views/project_inbox.ejs
@@ -0,0 +1,63 @@
+<!doctype html>
+<html>
+<head>
+  <meta charset="utf-8" />
+  <meta name="viewport" content="width=device-width, initial-scale=1" />
+  <title>Mastermind — Project Inbox</title>
+  <style>
+    body{font-family:system-ui,-apple-system,Segoe UI,Roboto,Arial,sans-serif;margin:0;background:#0b0f14;color:#e8eef7}
+    header{background:#111824;border-bottom:1px solid #233043;padding:14px 16px;position:sticky;top:0}
+    main{max-width:1200px;margin:0 auto;padding:16px}
+    .card{background:#111824;border:1px solid #233043;border-radius:12px;padding:14px;margin:12px 0}
+    a{color:#7cc4ff;text-decoration:none}
+    .muted{color:#a9b7c6}
+    table{width:100%;border-collapse:collapse}
+    th,td{border-bottom:1px solid #233043;padding:10px 6px;text-align:left;color:#a9b7c6;font-size:13px;vertical-align:top}
+    th{color:#e8eef7}
+  </style>
+</head>
+<body>
+<header>
+  <div style="display:flex;justify-content:space-between;align-items:center;gap:10px">
+    <div>
+      <div style="font-weight:700"><%= project.name %> — Inbox</div>
+      <div class="muted" style="font-size:13px">Job: <%= project.job_number || '—' %></div>
+    </div>
+    <div style="display:flex;gap:10px">
+      <a href="/projects/<%= project.id %>">Project</a>
+      <a href="/projects">Projects</a>
+      <a href="/inbox">Global Inbox</a>
+      <a href="/">Dashboard</a>
+    </div>
+  </div>
+</header>
+
+<main>
+  <div class="card">
+    <h2 style="margin:0 0 8px">Assigned emails</h2>
+    <div style="overflow:auto">
+      <table>
+        <thead>
+          <tr>
+            <th>Date</th>
+            <th>From</th>
+            <th>Subject</th>
+            <th>Source</th>
+          </tr>
+        </thead>
+        <tbody>
+          <% emails.forEach(e => { %>
+            <tr>
+              <td><%= e.date || '' %></td>
+              <td><%= e.from_addr || '' %></td>
+              <td><a href="/inbox/<%= e.id %>"><%= e.subject || '(no subject)' %></a></td>
+              <td><%= e.source %></td>
+            </tr>
+          <% }) %>
+        </tbody>
+      </table>
+    </div>
+  </div>
+</main>
+</body>
+</html>
diff --git a/web/src/views/projects.ejs b/web/src/views/projects.ejs
new file mode 100644
index 0000000..f9f2272
--- /dev/null
+++ b/web/src/views/projects.ejs
@@ -0,0 +1,113 @@
+<!doctype html>
+<html>
+<head>
+  <meta charset="utf-8" />
+  <meta name="viewport" content="width=device-width, initial-scale=1" />
+  <title>Mastermind — Projects</title>
+  <style>
+    body{font-family:system-ui,-apple-system,Segoe UI,Roboto,Arial,sans-serif;margin:0;background:#0b0f14;color:#e8eef7}
+    header{background:#111824;border-bottom:1px solid #233043;padding:14px 16px;position:sticky;top:0}
+    main{max-width:1100px;margin:0 auto;padding:16px}
+    .card{background:#111824;border:1px solid #233043;border-radius:12px;padding:14px;margin:12px 0}
+    a{color:#7cc4ff;text-decoration:none}
+    .muted{color:#a9b7c6}
+    .grid{display:grid;grid-template-columns:repeat(12,1fr);gap:12px}
+    .col6{grid-column:span 12}
+    @media(min-width:900px){.col6{grid-column:span 6}}
+    input,select{padding:12px;border-radius:10px;border:1px solid #233043;background:#0e1520;color:#e8eef7;width:100%}
+    button{padding:12px 14px;border-radius:10px;border:1px solid #233043;background:#1c2a3d;color:#e8eef7}
+    table{width:100%;border-collapse:collapse}
+    th,td{border-bottom:1px solid #233043;padding:10px 6px;text-align:left;color:#a9b7c6;font-size:13px;vertical-align:top}
+    th{color:#e8eef7}
+    .pill{display:inline-block;padding:2px 8px;border:1px solid #233043;border-radius:999px;font-size:12px;color:#a9b7c6}
+  </style>
+</head>
+<body>
+<header>
+  <div style="display:flex;justify-content:space-between;align-items:center;gap:10px">
+    <div style="font-weight:700">Projects</div>
+    <div style="display:flex;gap:10px">
+      <a href="/">Dashboard</a>
+      <a href="/logout">Logout</a>
+    </div>
+  </div>
+</header>
+
+<main>
+  <div class="card">
+    <h2 style="margin:0 0 8px">New project (2-minute setup)</h2>
+    <div class="muted">Minimum fields: name + job #. Add keywords if sorting needs help.</div>
+    <form method="post" action="/projects/create" class="grid" style="margin-top:10px">
+      <div class="col6">
+        <label class="muted">Project name</label>
+        <input name="name" placeholder="1100 Columbia FA" required />
+      </div>
+      <div class="col6">
+        <label class="muted">Job #</label>
+        <input name="jobNumber" placeholder="0222600001" />
+      </div>
+      <div class="col6">
+        <label class="muted">Mode</label>
+        <select name="roleMode">
+          <option value="ec">Electrical contractor</option>
+          <option value="gc">General contractor</option>
+        </select>
+      </div>
+      <div class="col6">
+        <label class="muted">GC name</label>
+        <input name="gcName" placeholder="GC / Construction Manager" />
+      </div>
+      <div class="col6">
+        <label class="muted">City</label>
+        <input name="city" placeholder="Chapel Hill" />
+      </div>
+      <div class="col6">
+        <label class="muted">State</label>
+        <input name="state" placeholder="NC" />
+      </div>
+      <div style="grid-column:span 12">
+        <label class="muted">Keywords (optional)</label>
+        <input name="keywords" placeholder="owner name, building nickname, address fragments, common subject tags" />
+      </div>
+      <div style="grid-column:span 12">
+        <button type="submit">Create project</button>
+      </div>
+    </form>
+  </div>
+
+  <div class="card">
+    <h2 style="margin:0 0 8px">Your projects</h2>
+    <div style="overflow:auto">
+      <table>
+        <thead>
+          <tr>
+            <th>Name</th>
+            <th>Job #</th>
+            <th>Mode</th>
+            <th>GC</th>
+            <th>Status</th>
+            <th></th>
+          </tr>
+        </thead>
+        <tbody>
+          <% projects.forEach(p => { %>
+            <tr>
+              <td><a href="/projects/<%= p.id %>"><%= p.name %></a></td>
+              <td><%= p.job_number || '' %></td>
+              <td><span class="pill"><%= p.role_mode %></span></td>
+              <td><%= p.gc_name || '' %></td>
+              <td><%= p.active ? 'active' : 'archived' %></td>
+              <td>
+                <form method="post" action="/projects/<%= p.id %>/toggle" style="display:inline">
+                  <button type="submit"><%= p.active ? 'Archive' : 'Unarchive' %></button>
+                </form>
+              </td>
+            </tr>
+          <% }) %>
+        </tbody>
+      </table>
+    </div>
+  </div>
+</main>
+</body>
+</html>
diff --git a/web/src/views/setup.ejs b/web/src/views/setup.ejs
new file mode 100644
index 0000000..e146e4b
--- /dev/null
+++ b/web/src/views/setup.ejs
@@ -0,0 +1,37 @@
+<!doctype html>
+<html>
+<head>
+  <meta charset="utf-8" />
+  <meta name="viewport" content="width=device-width, initial-scale=1" />
+  <title>Mastermind — Setup</title>
+  <style>
+    body{font-family:system-ui,-apple-system,Segoe UI,Roboto,Arial,sans-serif;margin:0;background:#0b0f14;color:#e8eef7}
+    header{background:#111824;border-bottom:1px solid #233043;padding:14px 16px}
+    main{max-width:700px;margin:0 auto;padding:16px}
+    .card{background:#111824;border:1px solid #233043;border-radius:12px;padding:14px;margin:12px 0}
+    label{display:block;margin:10px 0 6px;color:#a9b7c6}
+    input{width:100%;padding:12px;border-radius:10px;border:1px solid #233043;background:#0e1520;color:#e8eef7}
+    button{padding:12px 14px;border-radius:10px;border:1px solid #233043;background:#1c2a3d;color:#e8eef7;margin-top:12px}
+    a{color:#7cc4ff;text-decoration:none}
+  </style>
+</head>
+<body>
+  <header>
+    <div style="display:flex;justify-content:space-between;align-items:center;gap:10px">
+      <div style="font-weight:700">Setup</div>
+      <a href="/">Back</a>
+    </div>
+  </header>
+  <main>
+    <div class="card">
+      <h2 style="margin:0 0 8px">Public Base URL</h2>
+      <div style="color:#a9b7c6;font-size:13px;line-height:1.4">This should be the URL you use to reach the app (e.g., Tailscale IP). OAuth callbacks rely on this.</div>
+      <form method="post" action="/setup/base-url">
+        <label>Base URL</label>
+        <input name="baseUrl" value="<%= baseUrl %>" />
+        <button type="submit">Save</button>
+      </form>
+    </div>
+  </main>
+</body>
+</html>
diff --git a/worker/Dockerfile b/worker/Dockerfile
new file mode 100644
index 0000000..3fcc40b
--- /dev/null
+++ b/worker/Dockerfile
@@ -0,0 +1,6 @@
+FROM node:22-alpine
+WORKDIR /app
+COPY package*.json ./
+RUN npm ci
+COPY . .
+CMD ["npm","run","dev"]
diff --git a/worker/package-lock.json b/worker/package-lock.json
new file mode 100644
index 0000000..a668f83
--- /dev/null
+++ b/worker/package-lock.json
@@ -0,0 +1,173 @@
+{
+  "name": "mastermind-worker",
+  "lockfileVersion": 3,
+  "requires": true,
+  "packages": {
+    "": {
+      "name": "mastermind-worker",
+      "dependencies": {
+        "dotenv": "^16.4.5",
+        "pg": "^8.12.0"
+      }
+    },
+    "node_modules/dotenv": {
+      "version": "16.6.1",
+      "resolved": "https://registry.npmjs.org/dotenv/-/dotenv-16.6.1.tgz",
+      "integrity": "sha512-uBq4egWHTcTt33a72vpSG0z3HnPuIl6NqYcTrKEg2azoEyl2hpW0zqlxysq2pK9HlDIHyHyakeYaYnSAwd8bow==",
+      "license": "BSD-2-Clause",
+      "engines": {
+        "node": ">=12"
+      },
+      "funding": {
+        "url": "https://dotenvx.com"
+      }
+    },
+    "node_modules/pg": {
+      "version": "8.18.0",
+      "resolved": "https://registry.npmjs.org/pg/-/pg-8.18.0.tgz",
+      "integrity": "sha512-xqrUDL1b9MbkydY/s+VZ6v+xiMUmOUk7SS9d/1kpyQxoJ6U9AO1oIJyUWVZojbfe5Cc/oluutcgFG4L9RDP1iQ==",
+      "license": "MIT",
+      "peer": true,
+      "dependencies": {
+        "pg-connection-string": "^2.11.0",
+        "pg-pool": "^3.11.0",
+        "pg-protocol": "^1.11.0",
+        "pg-types": "2.2.0",
+        "pgpass": "1.0.5"
+      },
+      "engines": {
+        "node": ">= 16.0.0"
+      },
+      "optionalDependencies": {
+        "pg-cloudflare": "^1.3.0"
+      },
+      "peerDependencies": {
+        "pg-native": ">=3.0.1"
+      },
+      "peerDependenciesMeta": {
+        "pg-native": {
+          "optional": true
+        }
+      }
+    },
+    "node_modules/pg-cloudflare": {
+      "version": "1.3.0",
+      "resolved": "https://registry.npmjs.org/pg-cloudflare/-/pg-cloudflare-1.3.0.tgz",
+      "integrity": "sha512-6lswVVSztmHiRtD6I8hw4qP/nDm1EJbKMRhf3HCYaqud7frGysPv7FYJ5noZQdhQtN2xJnimfMtvQq21pdbzyQ==",
+      "license": "MIT",
+      "optional": true
+    },
+    "node_modules/pg-connection-string": {
+      "version": "2.11.0",
+      "resolved": "https://registry.npmjs.org/pg-connection-string/-/pg-connection-string-2.11.0.tgz",
+      "integrity": "sha512-kecgoJwhOpxYU21rZjULrmrBJ698U2RxXofKVzOn5UDj61BPj/qMb7diYUR1nLScCDbrztQFl1TaQZT0t1EtzQ==",
+      "license": "MIT"
+    },
+    "node_modules/pg-int8": {
+      "version": "1.0.1",
+      "resolved": "https://registry.npmjs.org/pg-int8/-/pg-int8-1.0.1.tgz",
+      "integrity": "sha512-WCtabS6t3c8SkpDBUlb1kjOs7l66xsGdKpIPZsg4wR+B3+u9UAum2odSsF9tnvxg80h4ZxLWMy4pRjOsFIqQpw==",
+      "license": "ISC",
+      "engines": {
+        "node": ">=4.0.0"
+      }
+    },
+    "node_modules/pg-pool": {
+      "version": "3.11.0",
+      "resolved": "https://registry.npmjs.org/pg-pool/-/pg-pool-3.11.0.tgz",
+      "integrity": "sha512-MJYfvHwtGp870aeusDh+hg9apvOe2zmpZJpyt+BMtzUWlVqbhFmMK6bOBXLBUPd7iRtIF9fZplDc7KrPN3PN7w==",
+      "license": "MIT",
+      "peerDependencies": {
+        "pg": ">=8.0"
+      }
+    },
+    "node_modules/pg-protocol": {
+      "version": "1.11.0",
+      "resolved": "https://registry.npmjs.org/pg-protocol/-/pg-protocol-1.11.0.tgz",
+      "integrity": "sha512-pfsxk2M9M3BuGgDOfuy37VNRRX3jmKgMjcvAcWqNDpZSf4cUmv8HSOl5ViRQFsfARFn0KuUQTgLxVMbNq5NW3g==",
+      "license": "MIT"
+    },
+    "node_modules/pg-types": {
+      "version": "2.2.0",
+      "resolved": "https://registry.npmjs.org/pg-types/-/pg-types-2.2.0.tgz",
+      "integrity": "sha512-qTAAlrEsl8s4OiEQY69wDvcMIdQN6wdz5ojQiOy6YRMuynxenON0O5oCpJI6lshc6scgAY8qvJ2On/p+CXY0GA==",
+      "license": "MIT",
+      "dependencies": {
+        "pg-int8": "1.0.1",
+        "postgres-array": "~2.0.0",
+        "postgres-bytea": "~1.0.0",
+        "postgres-date": "~1.0.4",
+        "postgres-interval": "^1.1.0"
+      },
+      "engines": {
+        "node": ">=4"
+      }
+    },
+    "node_modules/pgpass": {
+      "version": "1.0.5",
+      "resolved": "https://registry.npmjs.org/pgpass/-/pgpass-1.0.5.tgz",
+      "integrity": "sha512-FdW9r/jQZhSeohs1Z3sI1yxFQNFvMcnmfuj4WBMUTxOrAyLMaTcE1aAMBiTlbMNaXvBCQuVi0R7hd8udDSP7ug==",
+      "license": "MIT",
+      "dependencies": {
+        "split2": "^4.1.0"
+      }
+    },
+    "node_modules/postgres-array": {
+      "version": "2.0.0",
+      "resolved": "https://registry.npmjs.org/postgres-array/-/postgres-array-2.0.0.tgz",
+      "integrity": "sha512-VpZrUqU5A69eQyW2c5CA1jtLecCsN2U/bD6VilrFDWq5+5UIEVO7nazS3TEcHf1zuPYO/sqGvUvW62g86RXZuA==",
+      "license": "MIT",
+      "engines": {
+        "node": ">=4"
+      }
+    },
+    "node_modules/postgres-bytea": {
+      "version": "1.0.1",
+      "resolved": "https://registry.npmjs.org/postgres-bytea/-/postgres-bytea-1.0.1.tgz",
+      "integrity": "sha512-5+5HqXnsZPE65IJZSMkZtURARZelel2oXUEO8rH83VS/hxH5vv1uHquPg5wZs8yMAfdv971IU+kcPUczi7NVBQ==",
+      "license": "MIT",
+      "engines": {
+        "node": ">=0.10.0"
+      }
+    },
+    "node_modules/postgres-date": {
+      "version": "1.0.7",
+      "resolved": "https://registry.npmjs.org/postgres-date/-/postgres-date-1.0.7.tgz",
+      "integrity": "sha512-suDmjLVQg78nMK2UZ454hAG+OAW+HQPZ6n++TNDUX+L0+uUlLywnoxJKDou51Zm+zTCjrCl0Nq6J9C5hP9vK/Q==",
+      "license": "MIT",
+      "engines": {
+        "node": ">=0.10.0"
+      }
+    },
+    "node_modules/postgres-interval": {
+      "version": "1.2.0",
+      "resolved": "https://registry.npmjs.org/postgres-interval/-/postgres-interval-1.2.0.tgz",
+      "integrity": "sha512-9ZhXKM/rw350N1ovuWHbGxnGh/SNJ4cnxHiM0rxE4VN41wsg8P8zWn9hv/buK00RP4WvlOyr/RBDiptyxVbkZQ==",
+      "license": "MIT",
+      "dependencies": {
+        "xtend": "^4.0.0"
+      },
+      "engines": {
+        "node": ">=0.10.0"
+      }
+    },
+    "node_modules/split2": {
+      "version": "4.2.0",
+      "resolved": "https://registry.npmjs.org/split2/-/split2-4.2.0.tgz",
+      "integrity": "sha512-UcjcJOWknrNkF6PLX83qcHM6KHgVKNkV62Y8a5uYDVv9ydGQVwAHMKqHdJje1VTWpljG0WYpCDhrCdAOYH4TWg==",
+      "license": "ISC",
+      "engines": {
+        "node": ">= 10.x"
+      }
+    },
+    "node_modules/xtend": {
+      "version": "4.0.2",
+      "resolved": "https://registry.npmjs.org/xtend/-/xtend-4.0.2.tgz",
+      "integrity": "sha512-LKYU1iAXJXUgAXn9URjiu+MWhyUXHsvfp7mcuYm9dSUKK0/CjtrUwFAxD82/mCWbtLsGjFIad0wIsod4zrTAEQ==",
+      "license": "MIT",
+      "engines": {
+        "node": ">=0.4"
+      }
+    }
+  }
+}
diff --git a/worker/package.json b/worker/package.json
new file mode 100644
index 0000000..a525fc2
--- /dev/null
+++ b/worker/package.json
@@ -0,0 +1,13 @@
+{
+  "name": "mastermind-worker",
+  "private": true,
+  "type": "module",
+  "scripts": {
+    "dev": "node --watch src/worker.js",
+    "start": "node src/worker.js"
+  },
+  "dependencies": {
+    "dotenv": "^16.4.5",
+    "pg": "^8.12.0"
+  }
+}
\ No newline at end of file
diff --git a/worker/src/worker.js b/worker/src/worker.js
new file mode 100644
index 0000000..acabe16
--- /dev/null
+++ b/worker/src/worker.js
@@ -0,0 +1,20 @@
+import 'dotenv/config';
+import pg from 'pg';
+
+const { Pool } = pg;
+const pool = new Pool({ connectionString: process.env.DATABASE_URL });
+
+// Placeholder worker loop
+async function main() {
+  // eslint-disable-next-line no-console
+  console.log('Mastermind worker started');
+  while (true) {
+    await new Promise((r) => setTimeout(r, 10_000));
+    // future: ingest inbox, OCR docs, classify
+  }
+}
+
+main().catch((e) => {
+  console.error(e);
+  process.exit(1);
+});