Multi-user: self-serve sign-up gated by admin-toggleable flag

Schema
- User.isAdmin: Boolean default false (Prisma)
- New InstanceSettings singleton (id=1) holding signupsOpen flag

Boot-time compat ALTERs (docker_entrypoint.sh)
- Adds User.isAdmin column to legacy snapshots; auto-promotes the oldest
  user to admin if no admin exists yet, so workout-log -> proof-of-work
  cutover preserves admin functionality with no manual SQL.
- Creates InstanceSettings table + singleton row (signupsOpen=0) for any
  snapshot that doesn't have it.

App: sign-up flow
- /auth/signup page: server component that reads InstanceSettings
  upfront. If sign-ups are closed it shows a closed-instance message and
  a back-to-sign-in link rather than a dead form. If open it renders
  SignupForm (client) which calls signupAction (server).
- signupAction: re-checks the flag (defense in depth), validates email
  format / 8-char password / matching confirm, blocks duplicate-email
  enumeration with a generic error, creates the user with isAdmin=false,
  seeds default UserPreferences, ensures the curated exercise library
  for the new user (lib/library.ts upserts every entry), then issues a
  session cookie.
- Login page now links to /auth/signup; old "Demo: admin@example.com /
  password" footer (which was wrong anyway) removed.

App: admin in-app toggle
- Settings page renders new AdminInstanceSettings component for admins
  only. Optimistic toggle posts to /api/admin/signups; error rollback
  on failure.
- /api/admin/signups: GET returns current flag (any authed user, so the
  UI knows whether to show the sign-up CTA later); POST flips it
  (admin only).

StartOS package action
- toggle-signups: same setter as the in-app toggle, accessible from the
  StartOS UI without an admin login. Single boolean input. Asserts the
  read-back value matches what was written before reporting success.
- changeAdminCredentials now keys the UPDATE on
  `WHERE isAdmin = 1 ORDER BY createdAt ASC LIMIT 1` (was: just
  ORDER BY createdAt) — correct under multi-user.

Release notes / docs
- v1.0.0:1 release notes expanded to call out multi-user as part of
  the cutover release (no separate version needed since this is the
  first proof-of-work release shipping to anyone).
- Root README: short Multi-user section explaining both toggle paths
  and that new users get the curated library automatically.
- README dev setup adds `npx prisma generate` step (required after
  schema changes for local dev).

README.md

@@ -20,11 +20,27 @@ Everything else is generated at build time.
 ```sh
 cd proof-of-work
 npm install
+npx prisma generate       # important after schema changes
 npx prisma db push        # create the dev DB at prisma/data/app.db
-npm run db:seed           # admin@local / workout123 + curated exercise library
+npm run db:seed           # admin@local / workout123 + curated library + admin flag
 npm run dev               # http://localhost:3000
 ```
 
+## Multi-user
+
+Every install starts with one admin user (`admin@local`) and **sign-ups
+closed**. To open the instance to additional users:
+
+- In-app: log in as admin -> **Settings -> Instance Settings ->
+  Allow new sign-ups**.
+- StartOS: **Services -> Proof of Work -> Actions -> Set new signups**.
+
+Both write to the same `InstanceSettings` row; either path works.
+
+When sign-ups are open, anyone reaching the URL can create an account at
+`/auth/signup`. New users start with no admin privileges and are
+automatically seeded the full curated exercise library.
+
 ## Building the StartOS package
 
 See **[start9/0.4/DEPLOY_040.md](start9/0.4/DEPLOY_040.md)** for the full

proof-of-work/app/api/admin/signups/route.ts

@@ -0,0 +1,46 @@
+import { NextRequest, NextResponse } from 'next/server';
+import { z } from 'zod';
+import { getCurrentUser } from '@/lib/auth';
+import { getInstanceSettings, setSignupsOpen } from '@/lib/instanceSettings';
+
+/**
+ * GET  -> { signupsOpen }    any authenticated user (UI needs to know
+ *                            whether to show the admin toggle / sign-up CTA)
+ * POST -> { signupsOpen }    admin only; flips the singleton flag
+ */
+
+export async function GET() {
+  const user = await getCurrentUser();
+  if (!user) {
+    return NextResponse.json({ error: 'Unauthorized' }, { status: 401 });
+  }
+  const settings = await getInstanceSettings();
+  return NextResponse.json({ signupsOpen: settings.signupsOpen });
+}
+
+const bodySchema = z.object({ signupsOpen: z.boolean() });
+
+export async function POST(request: NextRequest) {
+  const user = await getCurrentUser();
+  if (!user) {
+    return NextResponse.json({ error: 'Unauthorized' }, { status: 401 });
+  }
+  if (!user.isAdmin) {
+    return NextResponse.json({ error: 'Forbidden' }, { status: 403 });
+  }
+  let body: unknown;
+  try {
+    body = await request.json();
+  } catch {
+    return NextResponse.json({ error: 'Invalid JSON' }, { status: 400 });
+  }
+  const parsed = bodySchema.safeParse(body);
+  if (!parsed.success) {
+    return NextResponse.json(
+      { error: 'Invalid body', details: parsed.error.errors },
+      { status: 400 },
+    );
+  }
+  const updated = await setSignupsOpen(parsed.data.signupsOpen);
+  return NextResponse.json({ signupsOpen: updated.signupsOpen });
+}

proof-of-work/app/auth/login/page.tsx

@@ -95,13 +95,16 @@ export default function LoginPage() {
                 {loading ? 'Signing in...' : 'Sign In'}
               </button>
             </form>
-          </div>
-        </div>
 
-        <p className="text-center text-xs text-zinc-600 mt-6 uppercase tracking-wider">
+            <p className="text-center text-xs text-zinc-500 mt-6">
-          Demo: admin@example.com / password
+              Don&apos;t have an account?{' '}
+              <a href="/auth/signup" className="text-white underline hover:text-zinc-300">
+                Sign up
+              </a>
             </p>
           </div>
         </div>
+      </div>
+    </div>
   );
 }

proof-of-work/app/auth/signup/SignupForm.tsx

@@ -0,0 +1,126 @@
+'use client';
+
+import { useState } from 'react';
+import { useRouter } from 'next/navigation';
+import { signupAction } from './actions';
+
+export default function SignupForm() {
+  const router = useRouter();
+  const [email, setEmail] = useState('');
+  const [name, setName] = useState('');
+  const [password, setPassword] = useState('');
+  const [passwordConfirm, setPasswordConfirm] = useState('');
+  const [error, setError] = useState('');
+  const [loading, setLoading] = useState(false);
+
+  const handleSubmit = async (e: React.FormEvent) => {
+    e.preventDefault();
+    setError('');
+    setLoading(true);
+
+    try {
+      const result = await signupAction(email, password, passwordConfirm, name);
+      if (result.error) {
+        setError(result.error);
+        setLoading(false);
+        return;
+      }
+      if (result.success) {
+        router.push('/main/dashboard');
+      }
+    } catch (err) {
+      setError('An unexpected error occurred');
+      setLoading(false);
+    }
+  };
+
+  return (
+    <form onSubmit={handleSubmit} className="space-y-5">
+      <div className="space-y-2">
+        <label htmlFor="email" className="text-xs font-semibold text-white uppercase tracking-wider">
+          Email
+        </label>
+        <input
+          id="email"
+          type="email"
+          placeholder="you@example.com"
+          value={email}
+          onChange={(e) => setEmail(e.target.value)}
+          required
+          className="w-full px-4 py-2.5 rounded border border-zinc-700 bg-zinc-800 text-white placeholder:text-zinc-500 focus:outline-none focus:ring-2 focus:ring-white focus:ring-offset-0 focus:border-white transition-all"
+          disabled={loading}
+        />
+      </div>
+
+      <div className="space-y-2">
+        <label htmlFor="name" className="text-xs font-semibold text-white uppercase tracking-wider">
+          Name <span className="text-zinc-500 normal-case">(optional)</span>
+        </label>
+        <input
+          id="name"
+          type="text"
+          placeholder="What should we call you?"
+          value={name}
+          onChange={(e) => setName(e.target.value)}
+          className="w-full px-4 py-2.5 rounded border border-zinc-700 bg-zinc-800 text-white placeholder:text-zinc-500 focus:outline-none focus:ring-2 focus:ring-white focus:ring-offset-0 focus:border-white transition-all"
+          disabled={loading}
+        />
+      </div>
+
+      <div className="space-y-2">
+        <label htmlFor="password" className="text-xs font-semibold text-white uppercase tracking-wider">
+          Password
+        </label>
+        <input
+          id="password"
+          type="password"
+          placeholder="At least 8 characters"
+          value={password}
+          onChange={(e) => setPassword(e.target.value)}
+          required
+          minLength={8}
+          className="w-full px-4 py-2.5 rounded border border-zinc-700 bg-zinc-800 text-white placeholder:text-zinc-500 focus:outline-none focus:ring-2 focus:ring-white focus:ring-offset-0 focus:border-white transition-all"
+          disabled={loading}
+        />
+      </div>
+
+      <div className="space-y-2">
+        <label htmlFor="passwordConfirm" className="text-xs font-semibold text-white uppercase tracking-wider">
+          Confirm password
+        </label>
+        <input
+          id="passwordConfirm"
+          type="password"
+          placeholder="Retype your password"
+          value={passwordConfirm}
+          onChange={(e) => setPasswordConfirm(e.target.value)}
+          required
+          minLength={8}
+          className="w-full px-4 py-2.5 rounded border border-zinc-700 bg-zinc-800 text-white placeholder:text-zinc-500 focus:outline-none focus:ring-2 focus:ring-white focus:ring-offset-0 focus:border-white transition-all"
+          disabled={loading}
+        />
+      </div>
+
+      {error && (
+        <div className="rounded bg-red-900/50 px-4 py-3 border border-red-800 text-sm text-red-400">
+          {error}
+        </div>
+      )}
+
+      <button
+        type="submit"
+        disabled={loading}
+        className="w-full py-2.5 px-4 rounded bg-white text-black font-bold text-sm uppercase tracking-wider transition-all duration-200 hover:bg-gray-100 disabled:bg-zinc-700 disabled:text-zinc-500 disabled:cursor-not-allowed"
+      >
+        {loading ? 'Creating account...' : 'Create account'}
+      </button>
+
+      <p className="text-center text-xs text-zinc-500 pt-2">
+        Already have an account?{' '}
+        <a href="/auth/login" className="text-white underline hover:text-zinc-300">
+          Sign in
+        </a>
+      </p>
+    </form>
+  );
+}

proof-of-work/app/auth/signup/actions.ts

@@ -0,0 +1,83 @@
+'use server';
+
+import { cookies } from 'next/headers';
+import { hashPassword, createSession } from '@/lib/auth';
+import { prisma } from '@/lib/prisma';
+import { getInstanceSettings } from '@/lib/instanceSettings';
+import { ensureLibraryForUser } from '@/lib/library';
+
+const EMAIL_RE = /^[A-Za-z0-9._%+\-]+@[A-Za-z0-9.\-]+\.[A-Za-z]{2,}$/;
+
+export async function signupAction(
+  email: string,
+  password: string,
+  passwordConfirm: string,
+  name?: string,
+) {
+  try {
+    const settings = await getInstanceSettings();
+    if (!settings.signupsOpen) {
+      return { error: 'New sign-ups are not enabled on this instance.' };
+    }
+
+    if (!EMAIL_RE.test(email)) {
+      return { error: 'Enter a valid email address.' };
+    }
+    if (password.length < 8) {
+      return { error: 'Password must be at least 8 characters.' };
+    }
+    if (password !== passwordConfirm) {
+      return { error: 'Passwords do not match.' };
+    }
+
+    const existing = await prisma.user.findUnique({ where: { email } });
+    if (existing) {
+      // Don't leak existence — generic message keeps probing harder.
+      return { error: 'Could not create account with that email.' };
+    }
+
+    const passwordHash = await hashPassword(password);
+
+    const user = await prisma.user.create({
+      data: {
+        email,
+        passwordHash,
+        name: name?.trim() || null,
+        isAdmin: false,
+        userPreferences: {
+          create: {
+            theme: 'system',
+            defaultWeightUnit: 'lbs',
+            defaultRestSeconds: 90,
+            enableClaudeAI: false,
+          },
+        },
+      },
+    });
+
+    // Seed the curated exercise library for the new user immediately so they
+    // see exercises on first load. The boot-time ensure step would do this
+    // on next restart anyway, but we don't want them to wait.
+    await ensureLibraryForUser(user.id);
+
+    const session = await createSession(user.id);
+    const cookieStore = await cookies();
+    cookieStore.set('sessionToken', session.token, {
+      httpOnly: true,
+      secure: process.env.NODE_ENV === 'production',
+      sameSite: 'lax',
+      maxAge: 60 * 60 * 24 * 30,
+      path: '/',
+    });
+
+    return { success: true };
+  } catch (error) {
+    console.error('Signup error:', error);
+    return { error: 'An error occurred during sign-up.' };
+  }
+}
+
+export async function getSignupsOpen(): Promise<boolean> {
+  const settings = await getInstanceSettings();
+  return settings.signupsOpen;
+}

proof-of-work/app/auth/signup/page.tsx

@@ -0,0 +1,56 @@
+import { redirect } from 'next/navigation';
+import { getSignupsOpen } from './actions';
+import SignupForm from './SignupForm';
+import { getCurrentUser } from '@/lib/auth';
+
+/**
+ * Server component wrapper. Reads the InstanceSettings.signupsOpen flag
+ * before rendering so closed instances don't even paint a form. Already-
+ * authenticated users get bounced to the dashboard rather than seeing
+ * sign-up.
+ */
+export default async function SignupPage() {
+  const user = await getCurrentUser();
+  if (user) {
+    redirect('/main/dashboard');
+  }
+
+  const open = await getSignupsOpen();
+
+  return (
+    <div className="min-h-screen bg-[#0A0A0A] flex items-center justify-center px-4">
+      <div className="w-full max-w-md">
+        <div className="bg-zinc-900 rounded border border-zinc-800 shadow-2xl">
+          <div className="flex flex-col space-y-2 p-8 text-center">
+            <h1 className="text-3xl font-bold leading-none tracking-tight text-white">
+              Proof of Work
+            </h1>
+            <p className="text-xs text-zinc-500 mt-2 uppercase tracking-widest">
+              {open ? 'Create an account' : 'Sign-ups are closed'}
+            </p>
+          </div>
+
+          <div className="p-8 pt-6">
+            {open ? (
+              <SignupForm />
+            ) : (
+              <div className="space-y-4">
+                <p className="text-sm text-zinc-400">
+                  This Proof of Work instance isn&apos;t accepting new
+                  sign-ups right now. Ask the admin to enable sign-ups
+                  from Settings (or via the StartOS Action) and try again.
+                </p>
+                <a
+                  href="/auth/login"
+                  className="block w-full text-center py-2.5 px-4 rounded border border-zinc-700 text-white font-bold text-sm uppercase tracking-wider hover:bg-zinc-800 transition-all"
+                >
+                  Back to sign in
+                </a>
+              </div>
+            )}
+          </div>
+        </div>
+      </div>
+    </div>
+  );
+}

proof-of-work/app/main/settings/page.tsx

@@ -1,6 +1,8 @@
 import { redirect } from "next/navigation";
 import { getCurrentUser } from "@/lib/auth";
 import SettingsForm from "@/components/settings/SettingsForm";
+import AdminInstanceSettings from "@/components/settings/AdminInstanceSettings";
+import { getInstanceSettings } from "@/lib/instanceSettings";
 
 export default async function SettingsPage() {
   const user = await getCurrentUser();
@@ -9,6 +11,8 @@ export default async function SettingsPage() {
     redirect("/auth/login");
   }
 
+  const instanceSettings = user.isAdmin ? await getInstanceSettings() : null;
+
   return (
     <div className="min-h-screen bg-[#0A0A0A]">
       <div className="border-b border-zinc-800 px-4 py-4 sm:px-6">
@@ -20,8 +24,13 @@ export default async function SettingsPage() {
         </div>
       </div>
 
-      <div className="max-w-2xl mx-auto px-4 py-6 sm:px-6">
+      <div className="max-w-2xl mx-auto px-4 py-6 sm:px-6 space-y-8">
         <SettingsForm user={user} />
+        {user.isAdmin && instanceSettings && (
+          <AdminInstanceSettings
+            initialSignupsOpen={instanceSettings.signupsOpen}
+          />
+        )}
       </div>
     </div>
   );

proof-of-work/components/settings/AdminInstanceSettings.tsx

@@ -0,0 +1,83 @@
+'use client';
+
+import { useState } from 'react';
+
+export default function AdminInstanceSettings({
+  initialSignupsOpen,
+}: {
+  initialSignupsOpen: boolean;
+}) {
+  const [signupsOpen, setSignupsOpen] = useState(initialSignupsOpen);
+  const [saving, setSaving] = useState(false);
+  const [error, setError] = useState('');
+
+  const toggle = async (next: boolean) => {
+    setSaving(true);
+    setError('');
+    const previous = signupsOpen;
+    setSignupsOpen(next); // optimistic
+    try {
+      const res = await fetch('/api/admin/signups', {
+        method: 'POST',
+        headers: { 'content-type': 'application/json' },
+        body: JSON.stringify({ signupsOpen: next }),
+      });
+      if (!res.ok) {
+        setSignupsOpen(previous);
+        const body = await res.json().catch(() => ({}));
+        setError(body.error ?? `Save failed (${res.status})`);
+      }
+    } catch (e) {
+      setSignupsOpen(previous);
+      setError('Network error');
+    } finally {
+      setSaving(false);
+    }
+  };
+
+  return (
+    <section className="bg-zinc-900 rounded border border-zinc-800 p-6 space-y-4">
+      <header>
+        <h2 className="text-sm font-semibold text-white uppercase tracking-wider">
+          Instance settings
+        </h2>
+        <p className="text-xs text-zinc-500 mt-1">
+          Admin only. Visible to admin accounts only.
+        </p>
+      </header>
+
+      <div className="flex items-start justify-between gap-4">
+        <div className="flex-1">
+          <p className="text-sm font-medium text-white">Allow new sign-ups</p>
+          <p className="text-xs text-zinc-500 mt-1">
+            When enabled, anyone with the URL can create an account on this
+            instance. New users start with the curated exercise library and
+            no admin privileges.
+          </p>
+        </div>
+        <button
+          type="button"
+          role="switch"
+          aria-checked={signupsOpen}
+          onClick={() => toggle(!signupsOpen)}
+          disabled={saving}
+          className={`relative inline-flex h-6 w-11 shrink-0 items-center rounded-full transition-colors ${
+            signupsOpen ? 'bg-white' : 'bg-zinc-700'
+          } disabled:opacity-50`}
+        >
+          <span
+            className={`inline-block h-4 w-4 transform rounded-full bg-zinc-900 transition-transform ${
+              signupsOpen ? 'translate-x-6' : 'translate-x-1'
+            }`}
+          />
+        </button>
+      </div>
+
+      {error && (
+        <div className="rounded bg-red-900/50 px-3 py-2 border border-red-800 text-xs text-red-400">
+          {error}
+        </div>
+      )}
+    </section>
+  );
+}

proof-of-work/lib/instanceSettings.ts

@@ -0,0 +1,23 @@
+import { prisma } from "./prisma";
+
+/**
+ * Read the singleton InstanceSettings row, defensively creating it if
+ * missing. The compat ALTERs in docker_entrypoint.sh insert this row at
+ * boot time, but we still upsert here so that fresh dev installs (or
+ * any boot path that didn't run the entrypoint) see something usable.
+ */
+export async function getInstanceSettings() {
+  return prisma.instanceSettings.upsert({
+    where: { id: 1 },
+    update: {},
+    create: { id: 1, signupsOpen: false },
+  });
+}
+
+export async function setSignupsOpen(open: boolean) {
+  return prisma.instanceSettings.upsert({
+    where: { id: 1 },
+    update: { signupsOpen: open },
+    create: { id: 1, signupsOpen: open },
+  });
+}

proof-of-work/lib/library.ts

@@ -0,0 +1,69 @@
+import * as fs from "fs";
+import * as path from "path";
+import { prisma } from "./prisma";
+
+/**
+ * In-process equivalent of prisma/ensureExerciseLibrary.cjs (which runs at
+ * container boot via docker_entrypoint.sh). Used when a new user signs up
+ * mid-runtime so they don't have to wait for the next boot to see the
+ * curated library.
+ *
+ * Reads the curated library from prisma/exercises.seed.json, then upserts
+ * each entry for the given user. Idempotent; never overwrites a user's
+ * own custom exercises (the unique constraint on (userId, name) prevents
+ * duplicates and `update: {}` on upsert keeps existing rows untouched).
+ */
+
+interface LibraryExercise {
+  name: string;
+  description: string | null;
+  type: string;
+  muscleGroups: string[];
+  inputFields: string[];
+  defaultWeightUnit: string | null;
+}
+
+let cached: LibraryExercise[] | null = null;
+
+function loadLibrary(): LibraryExercise[] {
+  if (cached) return cached;
+  const candidates = [
+    // standalone runtime (Next.js server.js / Node)
+    path.resolve(process.cwd(), "prisma/exercises.seed.json"),
+    // .next/standalone runtime
+    path.resolve(process.cwd(), "../prisma/exercises.seed.json"),
+    // dev: cwd is repo subdir
+    path.resolve(__dirname, "../prisma/exercises.seed.json"),
+  ];
+  for (const p of candidates) {
+    if (fs.existsSync(p)) {
+      cached = JSON.parse(fs.readFileSync(p, "utf8")) as LibraryExercise[];
+      return cached;
+    }
+  }
+  console.warn("[library] exercises.seed.json not found in any candidate path");
+  return [];
+}
+
+export async function ensureLibraryForUser(userId: string): Promise<number> {
+  const library = loadLibrary();
+  let inserted = 0;
+  for (const ex of library) {
+    const result = await prisma.exercise.upsert({
+      where: { userId_name: { userId, name: ex.name } },
+      update: {},
+      create: {
+        userId,
+        name: ex.name,
+        description: ex.description,
+        muscleGroups: JSON.stringify(ex.muscleGroups),
+        type: ex.type,
+        inputFields: JSON.stringify(ex.inputFields),
+        defaultWeightUnit: ex.defaultWeightUnit,
+        isCustom: false,
+      },
+    });
+    if (result) inserted++;
+  }
+  return inserted;
+}

proof-of-work/prisma/schema.prisma

@@ -15,6 +15,7 @@ model User {
   email              String    @unique
   passwordHash       String
   name               String?
+  isAdmin            Boolean   @default(false)
   createdAt          DateTime  @default(now())
   updatedAt          DateTime  @updatedAt
 
@@ -266,6 +267,16 @@ model AISuggestion {
   @@index([type])
 }
 
+/// Singleton row keyed on id=1. Holds instance-wide settings that aren't
+/// tied to any single user (multi-user signup gate, feature flags, etc.).
+/// Use `getInstanceSettings()` from lib/instanceSettings.ts to read; it
+/// upserts the row defensively on first read so callers never see null.
+model InstanceSettings {
+  id            Int      @id @default(1)
+  signupsOpen   Boolean  @default(false)
+  updatedAt     DateTime @updatedAt
+}
+
 model UserPreferences {
   id                 String    @id @default(cuid())
   userId             String    @unique

proof-of-work/prisma/seed.ts

@@ -48,15 +48,24 @@ async function main() {
 
   const user = await prisma.user.upsert({
     where: { email: "admin@local" },
-    update: {},
+    update: { isAdmin: true },
     create: {
       email: "admin@local",
       passwordHash: hashedPassword,
       name: "Admin User",
+      isAdmin: true,
     },
   });
 
-  console.log("Created/verified user:", user.id);
+  console.log("Created/verified admin user:", user.id);
+
+  await prisma.instanceSettings.upsert({
+    where: { id: 1 },
+    update: {},
+    create: { id: 1, signupsOpen: false },
+  });
+
+  console.log("Created/verified InstanceSettings (signupsOpen: false)");
 
   await prisma.userPreferences.upsert({
     where: { userId: user.id },

start9/0.4/docker_entrypoint.sh

@@ -75,6 +75,35 @@ if command -v sqlite3 >/dev/null 2>&1 && [ -f "$DB_PATH" ]; then
     log "adding missing column Workout.deletedAt"
     sqlite3 "$DB_PATH" "ALTER TABLE Workout ADD COLUMN deletedAt DATETIME;"
   fi
+
+  # Multi-user support shipped in v1.0.0:1: User.isAdmin column +
+  # InstanceSettings singleton. New install: seed.ts creates both. Upgrade
+  # from a snapshot pulled off the legacy `workout-log` package: this block
+  # adds them in place, then promotes the oldest user to admin so the
+  # in-app admin Settings panel + change-credentials action keep working.
+  if ! sqlite3 "$DB_PATH" "PRAGMA table_info('User');" 2>/dev/null | grep -q "|isAdmin|"; then
+    log "adding missing column User.isAdmin (default 0)"
+    sqlite3 "$DB_PATH" "ALTER TABLE User ADD COLUMN isAdmin INTEGER NOT NULL DEFAULT 0;"
+    log "promoting oldest user to admin (one-shot, only if no admin exists)"
+    sqlite3 "$DB_PATH" \
+      "UPDATE User SET isAdmin = 1 \
+       WHERE id = (SELECT id FROM User ORDER BY createdAt ASC LIMIT 1) \
+         AND NOT EXISTS (SELECT 1 FROM User WHERE isAdmin = 1);"
+  fi
+
+  if ! sqlite3 "$DB_PATH" \
+    "SELECT name FROM sqlite_master WHERE type='table' AND name='InstanceSettings';" \
+    2>/dev/null | grep -q InstanceSettings; then
+    log "creating InstanceSettings table + singleton row (signupsOpen=0)"
+    sqlite3 "$DB_PATH" \
+      "CREATE TABLE InstanceSettings ( \
+         id INTEGER PRIMARY KEY DEFAULT 1, \
+         signupsOpen INTEGER NOT NULL DEFAULT 0, \
+         updatedAt DATETIME NOT NULL DEFAULT CURRENT_TIMESTAMP \
+       );"
+    sqlite3 "$DB_PATH" \
+      "INSERT OR IGNORE INTO InstanceSettings (id, signupsOpen) VALUES (1, 0);"
+  fi
 fi
 
 # -----------------------------------------------------------------------------

start9/0.4/startos/actions/changeAdminCredentials.ts

@@ -26,17 +26,19 @@ import { sdk } from '../sdk'
  *   subcontainer. The plaintext password never lands in /proc, the SQL log,
  *   or anywhere persistent.
  *
- * - The UPDATE is keyed on `id = (SELECT id FROM User ORDER BY createdAt ASC
+ * - The UPDATE is keyed on the oldest user with `isAdmin = 1`, i.e. the
- *   LIMIT 1)` rather than `WHERE email = 'admin@local'` (the original 0.3.5
+ *   primary admin identity. Safe to re-run after a previous rotation, and
- *   default). That makes the action safe to re-run after a previous rotation.
+ *   correct under the multi-user model: non-admin users created via
- *   The app is single-user by design, so this targets the only User row.
+ *   /auth/signup are not targeted (admins reset other users' passwords
+ *   from the in-app user management UI).
  *
  * - We assert exactly 1 row was updated (`changes() == 1`). Anything else
  *   means the schema/data is in an unexpected state and we abort without
  *   reporting success, so the user is forced to investigate before assuming
- *   credentials rotated successfully.
+ *   credentials rotated successfully. If you see "expected exactly 1 user
- *
+ *   row updated", check that at least one User has isAdmin=1 — the boot-
- * Available from package version 0.1.0:20 onward.
+ *   time compat ALTERs auto-promote the oldest user, but a corrupt or
+ *   externally-edited DB might not have a valid admin.
  */
 
 const EMAIL_PATTERN = '^[A-Za-z0-9._%+\\-]+@[A-Za-z0-9.\\-]+\\.[A-Za-z]{2,}$'
@@ -137,7 +139,7 @@ export const changeAdminCredentials = sdk.Action.withInput(
           `SET email = ${sqlQuote(input.email)},`,
           `    passwordHash = ${sqlQuote(passwordHash)},`,
           `    updatedAt = (strftime('%s','now') * 1000)`,
-          `WHERE id = (SELECT id FROM User ORDER BY createdAt ASC LIMIT 1);`,
+          `WHERE id = (SELECT id FROM User WHERE isAdmin = 1 ORDER BY createdAt ASC LIMIT 1);`,
           'SELECT changes();',
           'COMMIT;',
         ].join('\n')

start9/0.4/startos/actions/index.ts

@@ -1,11 +1,17 @@
 import { sdk } from '../sdk'
 import { changeAdminCredentials } from './changeAdminCredentials'
+import { toggleSignups } from './toggleSignups'
 
 /**
  * Package actions registered with StartOS.
  *
- * - change-admin-credentials (added v0.1.0:20): rotate the admin email +
+ * - change-admin-credentials: rotate the admin email + password from the
- *   password from the StartOS UI without dropping to a shell. See
+ *   StartOS UI without dropping to a shell. See changeAdminCredentials.ts
- *   ./changeAdminCredentials.ts for full design notes.
+ *   for the full design notes.
+ * - toggle-signups: open/close the multi-user sign-up gate. The same
+ *   toggle is also available in-app at Settings -> Instance Settings
+ *   (admin only). See toggleSignups.ts.
  */
-export const actions = sdk.Actions.of().addAction(changeAdminCredentials)
+export const actions = sdk.Actions.of()
+  .addAction(changeAdminCredentials)
+  .addAction(toggleSignups)

start9/0.4/startos/actions/toggleSignups.ts

@@ -0,0 +1,118 @@
+import { sdk } from '../sdk'
+
+/**
+ * toggle-signups — StartOS Package Action.
+ *
+ * Sets `InstanceSettings.signupsOpen` (the multi-user signup gate).
+ * When `true`, anyone with the URL can create an account from the app's
+ * /auth/signup page. New users start with no admin privileges and the
+ * full curated exercise library.
+ *
+ * The same toggle is also available in-app at Settings -> Instance
+ * Settings (admin only). Both write to the same singleton row, so
+ * either path works. This StartOS action is the safety hatch for
+ * operators who don't have a working admin login (or aren't logged in
+ * yet on first install).
+ *
+ * Design notes:
+ *   - allowedStatuses: 'only-running'. The app must be running for the
+ *     write to be visible without restart, and the subcontainer needs
+ *     /data mounted writable. We don't require a stop because the
+ *     UPDATE is a single-row write that can't conflict with the
+ *     long-running Next.js server.
+ *   - Single explicit boolean input. Avoids the "I clicked it but did it
+ *     turn on or off?" ambiguity of toggle-style actions.
+ *   - The action does NOT report the current state in `getInput`. It's a
+ *     setter, not a viewer; the in-app Settings page is the dashboard.
+ */
+
+export const toggleSignups = sdk.Action.withInput(
+  'toggle-signups',
+  async () => ({
+    name: 'Set new signups',
+    description:
+      'Allow or disallow anyone with the URL to create a Proof of Work account on this instance. The same toggle exists at in-app Settings -> Instance Settings (admin only).',
+    warning:
+      'When sign-ups are open, anyone who can reach the URL can create an account. Make sure the instance is on a network you trust (LAN, Tor, VPN) before enabling.',
+    visibility: 'enabled',
+    allowedStatuses: 'only-running',
+    group: null,
+  }),
+  sdk.InputSpec.of({
+    signupsOpen: sdk.Value.toggle({
+      name: 'Allow new signups',
+      description: 'On = anyone with the URL can register. Off = closed.',
+      default: false,
+    }),
+  }),
+  async () => null,
+  async ({ effects, input }) => {
+    const flag = input.signupsOpen ? 1 : 0
+
+    await sdk.SubContainer.withTemp(
+      effects,
+      { imageId: 'main' },
+      sdk.Mounts.of().mountVolume({
+        volumeId: 'main',
+        subpath: null,
+        mountpoint: '/data',
+        readonly: false,
+      }),
+      'toggle-signups',
+      async (sc) => {
+        // Defensive: make sure the table exists. The boot-time compat ALTERs
+        // create it, but if this action runs before a first proper boot we
+        // want it to still succeed.
+        const sql = [
+          `CREATE TABLE IF NOT EXISTS InstanceSettings (`,
+          `  id INTEGER PRIMARY KEY DEFAULT 1,`,
+          `  signupsOpen INTEGER NOT NULL DEFAULT 0,`,
+          `  updatedAt DATETIME NOT NULL DEFAULT CURRENT_TIMESTAMP`,
+          `);`,
+          `INSERT OR IGNORE INTO InstanceSettings (id, signupsOpen) VALUES (1, ${flag});`,
+          `UPDATE InstanceSettings SET signupsOpen = ${flag}, updatedAt = CURRENT_TIMESTAMP WHERE id = 1;`,
+          `SELECT signupsOpen FROM InstanceSettings WHERE id = 1;`,
+        ].join('\n')
+
+        const res = await sc.execFail(
+          ['sqlite3', '/data/app.db'],
+          { input: sql },
+          30_000,
+        )
+        const observed = res.stdout
+          .toString()
+          .split('\n')
+          .map((s) => s.trim())
+          .filter(Boolean)
+          .pop()
+        if (observed !== String(flag)) {
+          throw new Error(
+            `Aborting: wrote signupsOpen=${flag} but read back ${observed}. /data/app.db may be corrupt.`,
+          )
+        }
+      },
+    )
+
+    return {
+      version: '1',
+      title: input.signupsOpen ? 'Sign-ups enabled' : 'Sign-ups disabled',
+      message: input.signupsOpen
+        ? 'New visitors can now create accounts at /auth/signup.'
+        : 'New sign-ups are now closed. Existing users can still sign in.',
+      result: {
+        type: 'group',
+        value: [
+          {
+            type: 'single',
+            name: 'signupsOpen',
+            description: 'Current value of InstanceSettings.signupsOpen',
+            value: String(input.signupsOpen),
+            copyable: false,
+            qr: false,
+            masked: false,
+          },
+        ],
+      },
+    }
+  },
+)

start9/0.4/startos/versions/v1.0.0.1.ts

@@ -25,7 +25,7 @@ export const v_1_0_0_1 = VersionInfo.of({
   version: '1.0.0:1',
   releaseNotes: {
     en_US:
-      'Initial Proof of Work release. Replaces the legacy `workout-log` package with multi-user support and a curated exercise library shared across all users on the instance. Bakes a one-time seed of /data into the image and copies it into the new volume only on truly-fresh first boot, so an operator migrating from `workout-log` keeps every workout, exercise, and preference.',
+      'Initial Proof of Work release. Replaces the legacy `workout-log` package with: (1) multi-user support — anyone with the URL can sign up when admin enables it, via Settings or the new "Set new signups" StartOS action; (2) a curated exercise library shared across all users — additive on every upgrade, so new exercises shipped by the maintainer reach existing installs without overwriting users\' own custom entries; (3) one-time seeded cutover from /data on the legacy `workout-log` host so every workout, exercise, and preference comes across; (4) the `change-admin-credentials` StartOS action targeting the primary admin (User.isAdmin = 1).',
   },
   migrations: {
     up: async () => {},