Multi-user: self-serve sign-up gated by admin-toggleable flag

Schema
- User.isAdmin: Boolean default false (Prisma)
- New InstanceSettings singleton (id=1) holding signupsOpen flag

Boot-time compat ALTERs (docker_entrypoint.sh)
- Adds User.isAdmin column to legacy snapshots; auto-promotes the oldest
  user to admin if no admin exists yet, so workout-log -> proof-of-work
  cutover preserves admin functionality with no manual SQL.
- Creates InstanceSettings table + singleton row (signupsOpen=0) for any
  snapshot that doesn't have it.

App: sign-up flow
- /auth/signup page: server component that reads InstanceSettings
  upfront. If sign-ups are closed it shows a closed-instance message and
  a back-to-sign-in link rather than a dead form. If open it renders
  SignupForm (client) which calls signupAction (server).
- signupAction: re-checks the flag (defense in depth), validates email
  format / 8-char password / matching confirm, blocks duplicate-email
  enumeration with a generic error, creates the user with isAdmin=false,
  seeds default UserPreferences, ensures the curated exercise library
  for the new user (lib/library.ts upserts every entry), then issues a
  session cookie.
- Login page now links to /auth/signup; old "Demo: admin@example.com /
  password" footer (which was wrong anyway) removed.

App: admin in-app toggle
- Settings page renders new AdminInstanceSettings component for admins
  only. Optimistic toggle posts to /api/admin/signups; error rollback
  on failure.
- /api/admin/signups: GET returns current flag (any authed user, so the
  UI knows whether to show the sign-up CTA later); POST flips it
  (admin only).

StartOS package action
- toggle-signups: same setter as the in-app toggle, accessible from the
  StartOS UI without an admin login. Single boolean input. Asserts the
  read-back value matches what was written before reporting success.
- changeAdminCredentials now keys the UPDATE on
  `WHERE isAdmin = 1 ORDER BY createdAt ASC LIMIT 1` (was: just
  ORDER BY createdAt) — correct under multi-user.

Release notes / docs
- v1.0.0:1 release notes expanded to call out multi-user as part of
  the cutover release (no separate version needed since this is the
  first proof-of-work release shipping to anyone).
- Root README: short Multi-user section explaining both toggle paths
  and that new users get the curated library automatically.
- README dev setup adds `npx prisma generate` step (required after
  schema changes for local dev).

proof-of-work/app/auth/signup/actions.ts

@@ -0,0 +1,83 @@
+'use server';
+
+import { cookies } from 'next/headers';
+import { hashPassword, createSession } from '@/lib/auth';
+import { prisma } from '@/lib/prisma';
+import { getInstanceSettings } from '@/lib/instanceSettings';
+import { ensureLibraryForUser } from '@/lib/library';
+
+const EMAIL_RE = /^[A-Za-z0-9._%+\-]+@[A-Za-z0-9.\-]+\.[A-Za-z]{2,}$/;
+
+export async function signupAction(
+  email: string,
+  password: string,
+  passwordConfirm: string,
+  name?: string,
+) {
+  try {
+    const settings = await getInstanceSettings();
+    if (!settings.signupsOpen) {
+      return { error: 'New sign-ups are not enabled on this instance.' };
+    }
+
+    if (!EMAIL_RE.test(email)) {
+      return { error: 'Enter a valid email address.' };
+    }
+    if (password.length < 8) {
+      return { error: 'Password must be at least 8 characters.' };
+    }
+    if (password !== passwordConfirm) {
+      return { error: 'Passwords do not match.' };
+    }
+
+    const existing = await prisma.user.findUnique({ where: { email } });
+    if (existing) {
+      // Don't leak existence — generic message keeps probing harder.
+      return { error: 'Could not create account with that email.' };
+    }
+
+    const passwordHash = await hashPassword(password);
+
+    const user = await prisma.user.create({
+      data: {
+        email,
+        passwordHash,
+        name: name?.trim() || null,
+        isAdmin: false,
+        userPreferences: {
+          create: {
+            theme: 'system',
+            defaultWeightUnit: 'lbs',
+            defaultRestSeconds: 90,
+            enableClaudeAI: false,
+          },
+        },
+      },
+    });
+
+    // Seed the curated exercise library for the new user immediately so they
+    // see exercises on first load. The boot-time ensure step would do this
+    // on next restart anyway, but we don't want them to wait.
+    await ensureLibraryForUser(user.id);
+
+    const session = await createSession(user.id);
+    const cookieStore = await cookies();
+    cookieStore.set('sessionToken', session.token, {
+      httpOnly: true,
+      secure: process.env.NODE_ENV === 'production',
+      sameSite: 'lax',
+      maxAge: 60 * 60 * 24 * 30,
+      path: '/',
+    });
+
+    return { success: true };
+  } catch (error) {
+    console.error('Signup error:', error);
+    return { error: 'An error occurred during sign-up.' };
+  }
+}
+
+export async function getSignupsOpen(): Promise<boolean> {
+  const settings = await getInstanceSettings();
+  return settings.signupsOpen;
+}