Multi-user: self-serve sign-up gated by admin-toggleable flag

Schema
- User.isAdmin: Boolean default false (Prisma)
- New InstanceSettings singleton (id=1) holding signupsOpen flag

Boot-time compat ALTERs (docker_entrypoint.sh)
- Adds User.isAdmin column to legacy snapshots; auto-promotes the oldest
  user to admin if no admin exists yet, so workout-log -> proof-of-work
  cutover preserves admin functionality with no manual SQL.
- Creates InstanceSettings table + singleton row (signupsOpen=0) for any
  snapshot that doesn't have it.

App: sign-up flow
- /auth/signup page: server component that reads InstanceSettings
  upfront. If sign-ups are closed it shows a closed-instance message and
  a back-to-sign-in link rather than a dead form. If open it renders
  SignupForm (client) which calls signupAction (server).
- signupAction: re-checks the flag (defense in depth), validates email
  format / 8-char password / matching confirm, blocks duplicate-email
  enumeration with a generic error, creates the user with isAdmin=false,
  seeds default UserPreferences, ensures the curated exercise library
  for the new user (lib/library.ts upserts every entry), then issues a
  session cookie.
- Login page now links to /auth/signup; old "Demo: admin@example.com /
  password" footer (which was wrong anyway) removed.

App: admin in-app toggle
- Settings page renders new AdminInstanceSettings component for admins
  only. Optimistic toggle posts to /api/admin/signups; error rollback
  on failure.
- /api/admin/signups: GET returns current flag (any authed user, so the
  UI knows whether to show the sign-up CTA later); POST flips it
  (admin only).

StartOS package action
- toggle-signups: same setter as the in-app toggle, accessible from the
  StartOS UI without an admin login. Single boolean input. Asserts the
  read-back value matches what was written before reporting success.
- changeAdminCredentials now keys the UPDATE on
  `WHERE isAdmin = 1 ORDER BY createdAt ASC LIMIT 1` (was: just
  ORDER BY createdAt) — correct under multi-user.

Release notes / docs
- v1.0.0:1 release notes expanded to call out multi-user as part of
  the cutover release (no separate version needed since this is the
  first proof-of-work release shipping to anyone).
- Root README: short Multi-user section explaining both toggle paths
  and that new users get the curated library automatically.
- README dev setup adds `npx prisma generate` step (required after
  schema changes for local dev).

proof-of-work/app/auth/signup/SignupForm.tsx

@@ -0,0 +1,126 @@
+'use client';
+
+import { useState } from 'react';
+import { useRouter } from 'next/navigation';
+import { signupAction } from './actions';
+
+export default function SignupForm() {
+  const router = useRouter();
+  const [email, setEmail] = useState('');
+  const [name, setName] = useState('');
+  const [password, setPassword] = useState('');
+  const [passwordConfirm, setPasswordConfirm] = useState('');
+  const [error, setError] = useState('');
+  const [loading, setLoading] = useState(false);
+
+  const handleSubmit = async (e: React.FormEvent) => {
+    e.preventDefault();
+    setError('');
+    setLoading(true);
+
+    try {
+      const result = await signupAction(email, password, passwordConfirm, name);
+      if (result.error) {
+        setError(result.error);
+        setLoading(false);
+        return;
+      }
+      if (result.success) {
+        router.push('/main/dashboard');
+      }
+    } catch (err) {
+      setError('An unexpected error occurred');
+      setLoading(false);
+    }
+  };
+
+  return (
+    <form onSubmit={handleSubmit} className="space-y-5">
+      <div className="space-y-2">
+        <label htmlFor="email" className="text-xs font-semibold text-white uppercase tracking-wider">
+          Email
+        </label>
+        <input
+          id="email"
+          type="email"
+          placeholder="you@example.com"
+          value={email}
+          onChange={(e) => setEmail(e.target.value)}
+          required
+          className="w-full px-4 py-2.5 rounded border border-zinc-700 bg-zinc-800 text-white placeholder:text-zinc-500 focus:outline-none focus:ring-2 focus:ring-white focus:ring-offset-0 focus:border-white transition-all"
+          disabled={loading}
+        />
+      </div>
+
+      <div className="space-y-2">
+        <label htmlFor="name" className="text-xs font-semibold text-white uppercase tracking-wider">
+          Name <span className="text-zinc-500 normal-case">(optional)</span>
+        </label>
+        <input
+          id="name"
+          type="text"
+          placeholder="What should we call you?"
+          value={name}
+          onChange={(e) => setName(e.target.value)}
+          className="w-full px-4 py-2.5 rounded border border-zinc-700 bg-zinc-800 text-white placeholder:text-zinc-500 focus:outline-none focus:ring-2 focus:ring-white focus:ring-offset-0 focus:border-white transition-all"
+          disabled={loading}
+        />
+      </div>
+
+      <div className="space-y-2">
+        <label htmlFor="password" className="text-xs font-semibold text-white uppercase tracking-wider">
+          Password
+        </label>
+        <input
+          id="password"
+          type="password"
+          placeholder="At least 8 characters"
+          value={password}
+          onChange={(e) => setPassword(e.target.value)}
+          required
+          minLength={8}
+          className="w-full px-4 py-2.5 rounded border border-zinc-700 bg-zinc-800 text-white placeholder:text-zinc-500 focus:outline-none focus:ring-2 focus:ring-white focus:ring-offset-0 focus:border-white transition-all"
+          disabled={loading}
+        />
+      </div>
+
+      <div className="space-y-2">
+        <label htmlFor="passwordConfirm" className="text-xs font-semibold text-white uppercase tracking-wider">
+          Confirm password
+        </label>
+        <input
+          id="passwordConfirm"
+          type="password"
+          placeholder="Retype your password"
+          value={passwordConfirm}
+          onChange={(e) => setPasswordConfirm(e.target.value)}
+          required
+          minLength={8}
+          className="w-full px-4 py-2.5 rounded border border-zinc-700 bg-zinc-800 text-white placeholder:text-zinc-500 focus:outline-none focus:ring-2 focus:ring-white focus:ring-offset-0 focus:border-white transition-all"
+          disabled={loading}
+        />
+      </div>
+
+      {error && (
+        <div className="rounded bg-red-900/50 px-4 py-3 border border-red-800 text-sm text-red-400">
+          {error}
+        </div>
+      )}
+
+      <button
+        type="submit"
+        disabled={loading}
+        className="w-full py-2.5 px-4 rounded bg-white text-black font-bold text-sm uppercase tracking-wider transition-all duration-200 hover:bg-gray-100 disabled:bg-zinc-700 disabled:text-zinc-500 disabled:cursor-not-allowed"
+      >
+        {loading ? 'Creating account...' : 'Create account'}
+      </button>
+
+      <p className="text-center text-xs text-zinc-500 pt-2">
+        Already have an account?{' '}
+        <a href="/auth/login" className="text-white underline hover:text-zinc-300">
+          Sign in
+        </a>
+      </p>
+    </form>
+  );
+}

proof-of-work/app/auth/signup/actions.ts

@@ -0,0 +1,83 @@
+'use server';
+
+import { cookies } from 'next/headers';
+import { hashPassword, createSession } from '@/lib/auth';
+import { prisma } from '@/lib/prisma';
+import { getInstanceSettings } from '@/lib/instanceSettings';
+import { ensureLibraryForUser } from '@/lib/library';
+
+const EMAIL_RE = /^[A-Za-z0-9._%+\-]+@[A-Za-z0-9.\-]+\.[A-Za-z]{2,}$/;
+
+export async function signupAction(
+  email: string,
+  password: string,
+  passwordConfirm: string,
+  name?: string,
+) {
+  try {
+    const settings = await getInstanceSettings();
+    if (!settings.signupsOpen) {
+      return { error: 'New sign-ups are not enabled on this instance.' };
+    }
+
+    if (!EMAIL_RE.test(email)) {
+      return { error: 'Enter a valid email address.' };
+    }
+    if (password.length < 8) {
+      return { error: 'Password must be at least 8 characters.' };
+    }
+    if (password !== passwordConfirm) {
+      return { error: 'Passwords do not match.' };
+    }
+
+    const existing = await prisma.user.findUnique({ where: { email } });
+    if (existing) {
+      // Don't leak existence — generic message keeps probing harder.
+      return { error: 'Could not create account with that email.' };
+    }
+
+    const passwordHash = await hashPassword(password);
+
+    const user = await prisma.user.create({
+      data: {
+        email,
+        passwordHash,
+        name: name?.trim() || null,
+        isAdmin: false,
+        userPreferences: {
+          create: {
+            theme: 'system',
+            defaultWeightUnit: 'lbs',
+            defaultRestSeconds: 90,
+            enableClaudeAI: false,
+          },
+        },
+      },
+    });
+
+    // Seed the curated exercise library for the new user immediately so they
+    // see exercises on first load. The boot-time ensure step would do this
+    // on next restart anyway, but we don't want them to wait.
+    await ensureLibraryForUser(user.id);
+
+    const session = await createSession(user.id);
+    const cookieStore = await cookies();
+    cookieStore.set('sessionToken', session.token, {
+      httpOnly: true,
+      secure: process.env.NODE_ENV === 'production',
+      sameSite: 'lax',
+      maxAge: 60 * 60 * 24 * 30,
+      path: '/',
+    });
+
+    return { success: true };
+  } catch (error) {
+    console.error('Signup error:', error);
+    return { error: 'An error occurred during sign-up.' };
+  }
+}
+
+export async function getSignupsOpen(): Promise<boolean> {
+  const settings = await getInstanceSettings();
+  return settings.signupsOpen;
+}

proof-of-work/app/auth/signup/page.tsx

@@ -0,0 +1,56 @@
+import { redirect } from 'next/navigation';
+import { getSignupsOpen } from './actions';
+import SignupForm from './SignupForm';
+import { getCurrentUser } from '@/lib/auth';
+
+/**
+ * Server component wrapper. Reads the InstanceSettings.signupsOpen flag
+ * before rendering so closed instances don't even paint a form. Already-
+ * authenticated users get bounced to the dashboard rather than seeing
+ * sign-up.
+ */
+export default async function SignupPage() {
+  const user = await getCurrentUser();
+  if (user) {
+    redirect('/main/dashboard');
+  }
+
+  const open = await getSignupsOpen();
+
+  return (
+    <div className="min-h-screen bg-[#0A0A0A] flex items-center justify-center px-4">
+      <div className="w-full max-w-md">
+        <div className="bg-zinc-900 rounded border border-zinc-800 shadow-2xl">
+          <div className="flex flex-col space-y-2 p-8 text-center">
+            <h1 className="text-3xl font-bold leading-none tracking-tight text-white">
+              Proof of Work
+            </h1>
+            <p className="text-xs text-zinc-500 mt-2 uppercase tracking-widest">
+              {open ? 'Create an account' : 'Sign-ups are closed'}
+            </p>
+          </div>
+
+          <div className="p-8 pt-6">
+            {open ? (
+              <SignupForm />
+            ) : (
+              <div className="space-y-4">
+                <p className="text-sm text-zinc-400">
+                  This Proof of Work instance isn&apos;t accepting new
+                  sign-ups right now. Ask the admin to enable sign-ups
+                  from Settings (or via the StartOS Action) and try again.
+                </p>
+                <a
+                  href="/auth/login"
+                  className="block w-full text-center py-2.5 px-4 rounded border border-zinc-700 text-white font-bold text-sm uppercase tracking-wider hover:bg-zinc-800 transition-all"
+                >
+                  Back to sign in
+                </a>
+              </div>
+            )}
+          </div>
+        </div>
+      </div>
+    </div>
+  );
+}