feat(ui): overridable favicon/logo with branded default

Replace the ⚓ emoji with a real logo image used as the in-app brand
mark and the favicon. Default bundled public/logo.svg is the
HangmanLab mark recolored to the Foundry-Deck ember (#ff6a1a).
Override at deploy time via HARBORFORGE_LOGO_URL (injected into
runtime-config.js; getLogoUrl() + favicon swap), no rebuild needed.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Dockerfile

@@ -12,5 +12,19 @@ RUN npm install -g serve@14
 WORKDIR /app
 COPY --from=build /app ./
 ENV FRONTEND_DEV_MODE=0
+# OIDC-only mode flag. Injected into the SPA at container start as
+# /runtime-config.js so the setup wizard knows it before the backend
+# exists; /auth/config remains authoritative once the backend is up.
+ARG HARBORFORGE_OIDC_ONLY=false
+ENV HARBORFORGE_OIDC_ONLY=${HARBORFORGE_OIDC_ONLY}
+# Optional deploy-time branding override: a URL the SPA uses for the
+# logo + favicon. Empty → bundled /logo.svg default.
+ARG HARBORFORGE_LOGO_URL=
+ENV HARBORFORGE_LOGO_URL=${HARBORFORGE_LOGO_URL}
 EXPOSE 3000
-CMD ["sh", "-c", "if [ \"$FRONTEND_DEV_MODE\" = \"1\" ]; then npm run dev -- --host 0.0.0.0 --port 3000 --strictPort; else serve -s dist -l 3000; fi"]
+CMD ["sh", "-c", "\
+  if [ \"$HARBORFORGE_OIDC_ONLY\" = \"true\" ]; then OO=true; else OO=false; fi; \
+  CFG=\"window.__HF_RUNTIME__={\\\"oidc_only\\\":$OO,\\\"logo_url\\\":\\\"$HARBORFORGE_LOGO_URL\\\"};\"; \
+  mkdir -p public; printf '%s' \"$CFG\" > public/runtime-config.js; \
+  [ -d dist ] && printf '%s' \"$CFG\" > dist/runtime-config.js; \
+  if [ \"$FRONTEND_DEV_MODE\" = \"1\" ]; then npm run dev -- --host 0.0.0.0 --port 3000 --strictPort; else serve -s dist -l 3000; fi"]

README.md

@@ -1,3 +1,181 @@
 # HarborForge.Frontend
 
-HarborForge Frontend - React + TypeScript
+Single-page web client for HarborForge — the agent/human collaborative
+task-management platform. It provides the operator UI for projects,
+milestones, tasks, proposals, calendar/meetings, users, roles and the
+live monitor, and walks operators through first-time provisioning via the
+SSH-tunnel Setup Wizard.
+
+Part of the [HarborForge](../README.md) platform.
+
+## Tech Stack
+
+- **React 18** (`react`, `react-dom`)
+- **TypeScript 5**
+- **Vite 5** dev server / bundler (`@vitejs/plugin-react`)
+- **react-router-dom 6** for client-side routing
+- **axios** for HTTP, with a shared request/response interceptor layer
+- **dayjs** for date handling
+- **Vitest 4** + Testing Library (`@testing-library/react`, `jsdom`) for unit tests
+
+Path alias `@` → `src/` (configured in `vite.config.ts` and `tsconfig.json`).
+
+## Pages
+
+Routes are declared in `src/App.tsx`. The app gates rendering on three
+states — `checking` (probing configuration), `setup` (Setup Wizard), and
+`ready` (authenticated app). `/monitor`, `/login`, `/roles` and `/users`
+are reachable without an authenticated session; everything else requires login.
+
+| Route | Page | Purpose |
+|---|---|---|
+| `/` | `DashboardPage` | Landing dashboard |
+| `/tasks` | `TasksPage` | Task list / filtering |
+| `/tasks/:taskCode` | `TaskDetailPage` | Task detail, transitions, comments |
+| `/projects` | `ProjectsPage` | Project list |
+| `/projects/:id` | `ProjectDetailPage` | Project detail / editor |
+| `/milestones` | `MilestonesPage` | Milestone list |
+| `/milestones/:milestoneCode` | `MilestoneDetailPage` | Milestone detail / actions |
+| `/proposals` (`/proposes`) | `ProposalsPage` | Proposal list |
+| `/proposals/:proposalCode` (`/proposes/:proposalCode`) | `ProposalDetailPage` | Proposal detail, accept/reject/reopen |
+| `/calendar` | `CalendarPage` | Calendar view |
+| `/meetings/:meetingCode` | `MeetingDetailPage` | Meeting detail |
+| `/supports/:supportCode` | `SupportDetailPage` | Support request detail |
+| `/notifications` | `NotificationsPage` | Notification inbox |
+| `/roles` | `RoleEditorPage` | Role / permission (RBAC) editor |
+| `/users` | `UsersPage` | User management |
+| `/monitor` | `MonitorPage` | Live system monitor (public) |
+| `/login` | `LoginPage` | Authentication |
+| _(state-gated)_ | `SetupWizardPage` | First-run provisioning wizard |
+
+Shared building blocks live in `src/components/` (`Sidebar`,
+`CreateTaskModal`, `MilestoneFormModal`, `ProjectFormModal`,
+`CopyableCode`); the auth hook is `src/hooks/useAuth.ts`; shared types are
+in `src/types/index.ts`.
+
+## How It Talks to the Backend
+
+All API access goes through the shared axios instance in
+`src/services/api.ts`:
+
+- The base URL is **resolved at runtime** from
+  `localStorage['HF_BACKEND_BASE_URL']` (re-read on every request via an
+  axios request interceptor), not baked in at build time.
+- A bearer token from `localStorage['token']` is attached automatically
+  when present.
+- A response interceptor clears the token and redirects to `/login` on
+  HTTP `401`, except on the public paths `/monitor` and `/login`.
+
+Authentication (`src/hooks/useAuth.ts`) posts form-encoded credentials to
+`/auth/token`, stores the returned `access_token`, and loads the current
+user from `/auth/me`.
+
+In local dev, `vite.config.ts` also proxies `/api/*` to
+`http://backend:8000` (stripping the `/api` prefix) for same-origin
+development against a Compose backend.
+
+## Setup Wizard / SSH-Tunnel Flow
+
+On startup `App.tsx` runs `checkInitialized()`:
+
+1. It calls the backend `GET /config/status`. If that returns
+   `initialized: true`, the app is `ready` (and `backend_url`, if present,
+   is cached into `localStorage['HF_BACKEND_BASE_URL']`).
+2. Otherwise, if a wizard port was previously saved
+   (`localStorage['HF_WIZARD_PORT']`), it tries
+   `http://127.0.0.1:<port>/api/v1/config/harborforge.json` directly.
+3. If neither indicates an initialized install, it renders
+   `SetupWizardPage`.
+
+The Setup Wizard (`src/pages/SetupWizardPage.tsx`) is a 4-step flow —
+**Wizard → Admin → Backend → Finish**:
+
+- **Wizard**: the operator enters the local port that an SSH tunnel
+  forwards to **AbstractWizard**
+  (`ssh -L <port>:127.0.0.1:<port> user@server`). The UI health-checks
+  `http://127.0.0.1:<port>/health` and stores the port.
+- **Admin**: collects the first admin account (username, password, email,
+  full name).
+- **Backend**: optional backend base URL override.
+- **Finish**: writes the assembled config to AbstractWizard via
+  `PUT http://127.0.0.1:<port>/api/v1/config/harborforge.json`, caches the
+  backend URL locally, and instructs the operator to
+  `docker compose restart` on the server before refreshing.
+
+## Local Development
+
+```bash
+npm install
+npm run dev          # Vite dev server on http://0.0.0.0:3000
+```
+
+The dev server proxies `/api` to `http://backend:8000` and allows the
+hosts `frontend`, `127.0.0.1`, `localhost`.
+
+### Build
+
+```bash
+npm run build        # tsc type-check, then vite build → dist/
+npm run preview      # serve the production build locally
+```
+
+### Test
+
+```bash
+npm test             # vitest run (jsdom)
+npm run test:watch   # watch mode
+npm run test:ui      # Vitest UI
+```
+
+Tests live in `src/test/**/*.test.{ts,tsx}` (e.g. `calendar.test.tsx`,
+`proposal-essential.test.tsx`) with global setup in `src/test/setup.ts`.
+
+### Docker
+
+```bash
+docker build -t harborforge-frontend .
+docker run -p 3000:3000 harborforge-frontend
+```
+
+The multi-stage `Dockerfile` builds with Node 20 and serves `dist/` via
+`serve` on port 3000. Set `FRONTEND_DEV_MODE=1` to run the Vite dev server
+inside the container instead of serving the static build.
+
+## Environment / Configuration
+
+- **`VITE_API_BASE`** (`.env`, default `http://backend:8000`) — a build
+  hint for the default backend location.
+- The effective backend base URL is determined at **runtime** from
+  `localStorage['HF_BACKEND_BASE_URL']`, which is populated by the Setup
+  Wizard or by the backend's `/config/status` response — so changing the
+  backend target does not require a rebuild.
+- `localStorage['HF_WIZARD_PORT']` — last AbstractWizard tunnel port.
+- `localStorage['token']` — current JWT bearer token.
+
+## Theming
+
+The entire visual design is a single self-contained design system in
+**`src/index.css`** — there is no CSS-in-JS, no Tailwind, and no
+per-component stylesheets. Components only reference global CSS classes;
+all colors, typography, spacing and effects are driven by CSS custom
+properties on `:root`. To re-theme the app, edit this one file.
+
+The theme is **"Foundry Deck"** — a shipwright's drafting table meets a
+foundry control panel:
+
+- **Blackened-steel dark palette** — cool-tinted near-black surfaces
+  (`--bg`, `--bg-card`, `--bg-hover`, `--bg-sink`) with machined,
+  tight-radius borders.
+- **Molten-ember accent** — a single hot orange accent
+  (`--accent`, `--accent-hover`, `--ember` gradient, ember glow) used
+  sparingly as the signature element.
+- **Oxidized-steel secondary** plus a forge-mapped status palette
+  (patina success, heat-amber warning, rust danger, arc violet).
+- **Blueprint-grid background** — layered radial ember/steel vignettes, a
+  fine 40px draughting grid, and a subtle SVG film-grain overlay.
+- **Technical web fonts** loaded via a Google Fonts `@import` at the top
+  of `src/index.css`: **Saira Condensed** (headings), **Hanken Grotesk**
+  (body), and **JetBrains Mono** (code/monospace).
+
+Selectors are kept 1:1 with the existing markup, so theming changes are
+made entirely in `src/index.css` via the CSS variables and global classes.

index.html

@@ -2,12 +2,22 @@
 <html lang="en">
   <head>
     <meta charset="UTF-8" />
-    <link rel="icon" type="image/svg+xml" href="/vite.svg" />
+    <link id="hf-favicon" rel="icon" type="image/svg+xml" href="/logo.svg" />
     <meta name="viewport" content="width=device-width, initial-scale=1.0" />
     <title>HarborForge</title>
   </head>
   <body>
     <div id="root"></div>
+    <!-- Runtime config injected by the container entrypoint (deploy-time
+         HARBORFORGE_OIDC_ONLY). Absent in dev → app falls back to /auth/config. -->
+    <script src="/runtime-config.js"></script>
+    <script>
+      // Optional deploy-time branding override (HARBORFORGE_LOGO_URL).
+      try {
+        var u = window.__HF_RUNTIME__ && window.__HF_RUNTIME__.logo_url;
+        if (u) document.getElementById('hf-favicon').href = u;
+      } catch (e) {}
+    </script>
     <script type="module" src="/src/main.tsx"></script>
   </body>
 </html>

public/logo.svg

@@ -0,0 +1,44 @@
+<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 733.000000 733.000000" role="img" aria-label="Hangman Lab">
+<g transform="translate(0.000000,733.000000) scale(0.100000,-0.100000)"
+fill="#ff6a1a" stroke="none">
+<path d="M812 6860 c-66 -40 -73 -66 -70 -242 3 -141 5 -159 24 -185 43 -58
+63 -63 262 -64 l182 -1 0 -2694 0 -2694 -290 0 c-314 0 -332 -3 -380 -54 -24
+-27 -25 -32 -28 -199 -3 -195 4 -218 71 -250 32 -16 257 -17 3084 -17 2955 0
+3049 1 3083 19 65 34 75 66 75 236 0 186 -16 224 -104 254 -25 8 -682 11
+-2512 11 l-2479 0 0 1998 0 1997 698 697 697 697 670 -3 c369 -2 680 -4 693
+-5 22 -1 22 -1 22 -269 l0 -268 84 -12 c47 -7 103 -19 125 -27 41 -14 41 -14
+43 283 l3 297 631 1 c698 2 673 -1 714 67 18 28 20 51 20 187 0 173 -8 201
+-72 240 -33 20 -56 20 -2623 20 -2567 0 -2590 0 -2623 -20z m1725 -500 c-1 -3
+-183 -185 -404 -404 l-403 -399 0 405 0 406 405 -1 c223 -1 404 -4 402 -7z
+M4283 5701 c-459 -125 -690 -624 -483 -1046 67 -138 196 -266 335 -335 281
+-139 612 -93 837 118 235 219 297 575 152 870 -85 174 -235 306 -427 375 -111
+40 -302 48 -414 18z m267 -211 c95 -15 201 -70 274 -144 273 -274 173 -723
+-189 -851 -93 -33 -236 -35 -326 -5 -202 68 -340 249 -356 465 -18 242 153
+471 394 529 71 18 119 19 203 6z M5945 4716 c-56 -25 -80 -61 -80 -122 0 -48
+4 -57 36 -90 88 -88 219 -29 219 98 0 45 -34 96 -75 114 -42 17 -61 17 -100 0z
+M5675 4466 c-60 -26 -73 -109 -26 -157 62 -61 161 -19 161 70 0 74 -68 118
+-135 87z M3747 4397 c-10 -7 -226 -223 -479 -482 -307 -313 -467 -483 -479
+-510 -35 -75 -17 -177 38 -227 39 -35 114 -61 160 -54 100 13 104 17 583 554
+l145 162 3 -404 c3 -455 15 -342 -137 -1186 -76 -423 -101 -587 -101 -664 0
+-190 182 -307 377 -242 62 21 136 95 152 152 6 22 29 188 52 369 57 466 109
+839 118 848 4 4 52 6 106 5 l99 -3 67 -210 c38 -115 68 -220 69 -232 0 -12
+-38 -152 -85 -311 -47 -159 -85 -302 -85 -317 0 -128 109 -225 255 -225 109 1
+185 42 228 125 26 51 237 683 237 710 0 11 -54 182 -121 380 -121 360 -121
+360 -134 605 -8 135 -14 292 -14 350 l0 105 152 -158 c84 -87 166 -167 182
+-177 44 -29 98 -26 135 8 38 35 187 379 173 401 -5 8 -34 20 -64 26 -59 11
+-38 -8 -393 362 -89 93 -100 97 -174 59 -59 -30 -161 -62 -229 -71 -52 -7 -53
+-7 -53 -41 0 -44 -21 -84 -61 -118 -38 -32 -41 0 32 -455 l52 -325 -82 -78
+c-45 -43 -85 -78 -89 -78 -4 0 -42 35 -84 78 l-77 77 34 215 c19 118 46 289
+61 379 26 164 26 164 -5 188 -42 33 -54 58 -61 121 -5 54 -5 54 -92 87 -98 38
+-184 89 -243 145 -76 70 -123 87 -168 57z M5504 4170 c-74 -30 -69 -170 6
+-170 19 0 20 -7 20 -123 0 -122 0 -122 -54 -262 -30 -77 -97 -243 -150 -369
+-106 -252 -113 -287 -73 -347 46 -70 38 -69 560 -69 327 0 475 3 490 11 69 35
+107 109 88 172 -5 17 -62 142 -126 277 -225 470 -215 443 -215 586 0 114 2
+124 18 124 57 0 72 101 23 151 -29 29 -29 29 -298 28 -147 0 -278 -4 -289 -9z
+m376 -307 c1 -148 1 -148 81 -333 101 -231 98 -222 68 -216 -13 3 -116 22
+-229 42 -112 19 -208 37 -212 40 -4 2 18 75 48 160 54 156 54 156 54 305 l0
+149 95 0 95 0 0 -147z m-219 -593 c22 0 49 -42 49 -75 0 -46 -29 -75 -74 -75
+-37 0 -76 36 -76 71 0 46 45 94 78 83 8 -2 18 -4 23 -4z m327 -126 c53 -59 -7
+-144 -80 -113 -54 22 -65 83 -22 125 30 31 67 27 102 -12z"/>
+</g>
+</svg>

src/App.tsx

@@ -20,6 +20,8 @@ import UsersPage from '@/pages/UsersPage'
 import CalendarPage from '@/pages/CalendarPage'
 import SupportDetailPage from '@/pages/SupportDetailPage'
 import MeetingDetailPage from '@/pages/MeetingDetailPage'
+import OidcCallbackPage from '@/pages/OidcCallbackPage'
+import OidcSettingsPage from '@/pages/OidcSettingsPage'
 import axios from 'axios'
 
 const getStoredWizardPort = (): number | null => {
@@ -35,7 +37,7 @@ type AppState = 'checking' | 'setup' | 'ready'
 
 export default function App() {
   const [appState, setAppState] = useState<AppState>('checking')
-  const { user, loading, login, logout } = useAuth()
+  const { user, loading, login, loginWithToken, logout } = useAuth()
 
   useEffect(() => {
     checkInitialized()
@@ -100,6 +102,7 @@ export default function App() {
               <Route path="/users" element={<UsersPage />} />
               <Route path="/monitor" element={<MonitorPage />} />
               <Route path="/login" element={<LoginPage onLogin={login} />} />
+              <Route path="/oidc/callback" element={<OidcCallbackPage onToken={loginWithToken} />} />
               <Route path="*" element={<Navigate to="/monitor" />} />
             </Routes>
           </main>
@@ -133,6 +136,8 @@ export default function App() {
             <Route path="/roles" element={<RoleEditorPage />} />
             <Route path="/users" element={<UsersPage />} />
             <Route path="/monitor" element={<MonitorPage />} />
+            {user?.is_admin && <Route path="/settings/oidc" element={<OidcSettingsPage />} />}
+            <Route path="/oidc/callback" element={<OidcCallbackPage onToken={loginWithToken} />} />
             <Route path="*" element={<Navigate to="/" />} />
           </Routes>
         </main>

src/components/Sidebar.tsx

@@ -1,6 +1,8 @@
 import { useState, useEffect } from 'react'
 import { Link, useLocation, useNavigate } from 'react-router-dom'
 import api from '@/services/api'
+import { useAuthConfig, oidcLinkHref } from '@/hooks/useAuthConfig'
+import { getLogoUrl } from '@/runtime'
 import type { User } from '@/types'
 
 interface Props {
@@ -11,6 +13,7 @@ interface Props {
 export default function Sidebar({ user, onLogout }: Props) {
   const { pathname } = useLocation()
   const navigate = useNavigate()
+  const { config: authCfg } = useAuthConfig()
   const [unreadCount, setUnreadCount] = useState(0)
 
   useEffect(() => {
@@ -39,6 +42,7 @@ export default function Sidebar({ user, onLogout }: Props) {
     ...(user.is_admin ? [
       { to: '/users', icon: '👥', label: 'Users' },
       { to: '/roles', icon: '🔐', label: 'Roles' },
+      { to: '/settings/oidc', icon: '🪪', label: 'OIDC' },
     ] : []),
   ] : [
     { to: '/monitor', icon: '📡', label: 'Monitor' },
@@ -47,7 +51,7 @@ export default function Sidebar({ user, onLogout }: Props) {
   return (
     <nav className="sidebar">
       <div className="sidebar-header">
-        <h1>⚓ HarborForge</h1>
+        <h1><img src={getLogoUrl()} className="brand-logo" alt="" /> HarborForge</h1>
       </div>
       <ul className="nav-links">
         {links.map((l) => (
@@ -64,6 +68,11 @@ export default function Sidebar({ user, onLogout }: Props) {
           <button onClick={() => navigate('/login')}>Log in</button>
         )}
       </div>
+      {user && authCfg.oidcEnabled && !authCfg.oidcOnly && (
+        <div className="sidebar-footer" style={{ borderTop: 'none', paddingTop: 0 }}>
+          <a href={oidcLinkHref()} title="Link your account to an OIDC identity">🔗 Link OIDC account</a>
+        </div>
+      )}
     </nav>
   )
 }

src/hooks/useAuth.ts

@@ -44,10 +44,16 @@ export function useAuth() {
     await fetchUser()
   }
 
+  const loginWithToken = async (token: string) => {
+    localStorage.setItem('token', token)
+    setState((s) => ({ ...s, token }))
+    await fetchUser()
+  }
+
   const logout = () => {
     localStorage.removeItem('token')
     setState({ user: null, token: null, loading: false })
   }
 
-  return { ...state, login, logout }
+  return { ...state, login, loginWithToken, logout }
 }

src/hooks/useAuthConfig.ts

@@ -0,0 +1,76 @@
+import { useState, useEffect } from 'react'
+import api from '@/services/api'
+
+export interface AuthConfig {
+  oidcEnabled: boolean
+  oidcOnly: boolean
+  passwordLogin: boolean
+  oidcLoginUrl: string
+}
+
+const DEFAULT: AuthConfig = {
+  oidcEnabled: false,
+  oidcOnly: false,
+  passwordLogin: true,
+  oidcLoginUrl: '/auth/oidc/login',
+}
+
+let cache: AuthConfig | null = null
+let inflight: Promise<AuthConfig> | null = null
+
+async function load(): Promise<AuthConfig> {
+  if (cache) return cache
+  if (inflight) return inflight
+  inflight = api
+    .get('/auth/config')
+    .then(({ data }) => {
+      cache = {
+        oidcEnabled: !!data.oidc_enabled,
+        oidcOnly: !!data.oidc_only,
+        passwordLogin: data.password_login !== false,
+        oidcLoginUrl: data.oidc_login_url || '/auth/oidc/login',
+      }
+      return cache
+    })
+    .catch(() => {
+      // Backend unreachable / old backend without /auth/config:
+      // fall back to password-only so login is never fully blocked.
+      cache = { ...DEFAULT }
+      return cache
+    })
+    .finally(() => {
+      inflight = null
+    })
+  return inflight
+}
+
+/** Absolute backend URL for full-page OIDC redirects. */
+export function oidcLoginHref(cfg: AuthConfig): string {
+  const base = localStorage.getItem('HF_BACKEND_BASE_URL') ?? ''
+  return `${base}${cfg.oidcLoginUrl}`
+}
+
+export function oidcLinkHref(): string {
+  const base = localStorage.getItem('HF_BACKEND_BASE_URL') ?? ''
+  return `${base}/auth/oidc/link`
+}
+
+export function useAuthConfig() {
+  const [config, setConfig] = useState<AuthConfig | null>(cache)
+  const [loading, setLoading] = useState(!cache)
+
+  useEffect(() => {
+    let alive = true
+    load().then((c) => {
+      if (alive) {
+        setConfig(c)
+        setLoading(false)
+      }
+    })
+    return () => {
+      alive = false
+    }
+  }, [])
+
+  return { config: config ?? DEFAULT, loading }
+}

src/index.css

@@ -1,227 +1,559 @@
+/* ============================================================================
+   HarborForge — "FOUNDRY DECK"
+   A shipwright's drafting table meets a foundry control panel.
+   Blackened steel, blueprint grid, molten-ember accent, technical type.
+   Full visual redesign — selectors kept 1:1 with existing markup.
+   ========================================================================== */
+
+@import url('https://fonts.googleapis.com/css2?family=Saira+Condensed:wght@500;600;700&family=Hanken+Grotesk:wght@400;500;600;700&family=JetBrains+Mono:wght@400;500;700&display=swap');
+
 :root {
-  --bg: #0f1117;
+  /* core surfaces — blackened, cool-tinted steel */
-  --bg-card: #1a1d27;
+  --bg:        #0b0c0f;
-  --bg-hover: #22252f;
+  --bg-card:   #14161c;
-  --border: #2a2d37;
+  --bg-hover:  #1d212b;
-  --text: #e1e4ea;
+  --bg-sink:   #08090b;          /* recessed inputs / wells */
-  --text-dim: #8b8fa3;
+  --border:    #2b2f3a;
-  --accent: #3b82f6;
+  --border-bright: #3b414f;
-  --accent-hover: #2563eb;
+
-  --success: #10b981;
+  /* ink — warm cast-paper on cold metal */
-  --warning: #f59e0b;
+  --text:      #ece6d8;
-  --danger: #ef4444;
+  --text-dim:  #888f9e;
-  --sidebar-w: 220px;
+
+  /* molten ember — the one unforgettable thing */
+  --accent:        #ff6a1a;
+  --accent-hover:  #ff8636;
+  --ember:   linear-gradient(135deg, #ff7a1f 0%, #ffa83a 100%);
+  --ember-soft: rgba(255, 106, 26, .14);
+  --glow:    0 0 0 1px rgba(255,122,31,.40), 0 10px 34px -10px rgba(255,122,31,.55);
+
+  /* oxidized steel — the cold secondary */
+  --steel:   #56c6d6;
+
+  /* forge-mapped status palette */
+  --success: #46b487;            /* patina */
+  --warning: #efa53c;            /* heat amber */
+  --danger:  #e2553c;            /* rust */
+  --violet:  #9a7bff;            /* arc */
+
+  --sidebar-w: 240px;
+  --hair: 1px solid var(--border);
+  --radius: 4px;                 /* tight, machined corners */
 }
 
 * { margin: 0; padding: 0; box-sizing: border-box; }
-body { font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, sans-serif; background: var(--bg); color: var(--text); }
-a { color: var(--accent); text-decoration: none; }
-a:hover { text-decoration: underline; }
 
-/* Layout */
+html { scroll-behavior: smooth; }
-.app-layout { display: flex; min-height: 100vh; }
-.main-content { flex: 1; padding: 24px 32px; margin-left: var(--sidebar-w); }
-.loading { display: flex; align-items: center; justify-content: center; height: 100vh; font-size: 1.2rem; color: var(--text-dim); }
 
-/* Sidebar */
+body {
-.sidebar { position: fixed; top: 0; left: 0; width: var(--sidebar-w); height: 100vh; background: var(--bg-card); border-right: 1px solid var(--border); display: flex; flex-direction: column; padding: 16px 0; }
+  font-family: 'Hanken Grotesk', system-ui, sans-serif;
-.sidebar-header { padding: 8px 20px 24px; }
+  font-size: 15px;
-.sidebar-header h1 { font-size: 1.2rem; }
+  line-height: 1.55;
-.nav-links { list-style: none; flex: 1; }
+  color: var(--text);
-.nav-links li a { display: block; padding: 10px 20px; color: var(--text-dim); transition: .15s; }
+  background-color: var(--bg);
-.nav-links li a:hover, .nav-links li.active a { background: var(--bg-hover); color: var(--text); text-decoration: none; }
+  /* layered atmosphere: ember vignette + blueprint grid + grain */
-.sidebar-footer { padding: 12px 20px; border-top: 1px solid var(--border); display: flex; justify-content: space-between; align-items: center; font-size: .85rem; color: var(--text-dim); }
+  background-image:
-.sidebar-footer button { background: none; border: 1px solid var(--border); color: var(--text-dim); padding: 4px 10px; border-radius: 4px; cursor: pointer; }
+    radial-gradient(120% 80% at 78% -10%, rgba(255,122,31,.13), transparent 55%),
-
+    radial-gradient(90% 70% at 0% 100%, rgba(86,198,214,.06), transparent 60%),
-/* Login */
+    linear-gradient(rgba(255,255,255,.022) 1px, transparent 1px),
-.login-page { display: flex; align-items: center; justify-content: center; height: 100vh; }
+    linear-gradient(90deg, rgba(255,255,255,.022) 1px, transparent 1px);
-.login-card { background: var(--bg-card); padding: 40px; border-radius: 12px; border: 1px solid var(--border); width: 360px; text-align: center; }
+  background-size: 100% 100%, 100% 100%, 40px 40px, 40px 40px;
-.login-card h1 { margin-bottom: 8px; }
+  background-attachment: fixed;
-.login-card .subtitle { color: var(--text-dim); margin-bottom: 24px; }
+  -webkit-font-smoothing: antialiased;
-.login-card form { display: flex; flex-direction: column; gap: 12px; }
+  text-rendering: optimizeLegibility;
-.login-card input { padding: 10px 12px; border: 1px solid var(--border); border-radius: 6px; background: var(--bg); color: var(--text); font-size: .95rem; }
-.login-card button { padding: 10px; background: var(--accent); color: #fff; border: none; border-radius: 6px; font-size: 1rem; cursor: pointer; }
-.login-card button:hover { background: var(--accent-hover); }
-.error { color: var(--danger); font-size: .85rem; }
-
-/* Stats */
-.stats-grid { display: grid; grid-template-columns: repeat(auto-fill, minmax(140px, 1fr)); gap: 12px; margin: 16px 0 24px; }
-.stat-card { background: var(--bg-card); border: 1px solid var(--border); border-left: 4px solid var(--accent); border-radius: 8px; padding: 16px; text-align: center; }
-.stat-card.total { border-left-color: var(--success); }
-.stat-number { display: block; font-size: 1.8rem; font-weight: 700; }
-.stat-label { display: block; font-size: .8rem; color: var(--text-dim); margin-top: 4px; text-transform: capitalize; }
-
-/* Bar chart */
-.bar-chart { margin: 12px 0; }
-.bar-row { display: flex; align-items: center; margin: 6px 0; }
-.bar-label { width: 70px; font-size: .85rem; color: var(--text-dim); text-transform: capitalize; }
-.bar { padding: 4px 10px; border-radius: 4px; color: #fff; font-size: .8rem; min-width: 30px; text-align: right; transition: .3s; }
-
-/* Table */
-table { width: 100%; border-collapse: collapse; margin-top: 12px; }
-thead th { text-align: left; padding: 10px 12px; border-bottom: 2px solid var(--border); color: var(--text-dim); font-size: .8rem; text-transform: uppercase; }
-tbody td { padding: 10px 12px; border-bottom: 1px solid var(--border); }
-tr.clickable { cursor: pointer; }
-tr.clickable:hover { background: var(--bg-hover); }
-.task-title { font-weight: 500; max-width: 400px; overflow: hidden; text-overflow: ellipsis; white-space: nowrap; }
-
-/* Badges */
-.badge { display: inline-block; padding: 2px 8px; border-radius: 4px; font-size: .75rem; font-weight: 600; text-transform: capitalize; color: #fff; background: var(--text-dim); }
-.status-open { background: #3b82f6; }
-.status-in_progress { background: #f59e0b; }
-.status-resolved { background: #10b981; }
-.status-closed { background: #6b7280; }
-.status-blocked { background: #ef4444; }
-.status-freeze { background: #8b5cf6; }
-.status-undergoing { background: #f59e0b; }
-.status-completed { background: #10b981; }
-.priority-low { background: #6b7280; }
-.priority-medium { background: #3b82f6; }
-.priority-high { background: #f59e0b; }
-.priority-critical { background: #ef4444; }
-
-/* Page header */
-.page-header { display: flex; justify-content: space-between; align-items: center; margin-bottom: 16px; }
-.btn-primary { background: var(--accent); color: #fff; border: none; padding: 8px 16px; border-radius: 6px; cursor: pointer; font-size: .9rem; }
-.btn-primary:hover { background: var(--accent-hover); }
-.btn-back { background: none; border: 1px solid var(--border); color: var(--text-dim); padding: 6px 12px; border-radius: 6px; cursor: pointer; margin-bottom: 16px; }
-
-/* Filters */
-.filters { margin-bottom: 12px; display: flex; gap: 8px; }
-.filters select { padding: 6px 10px; border: 1px solid var(--border); border-radius: 6px; background: var(--bg-card); color: var(--text); }
-
-/* Pagination */
-.pagination { display: flex; align-items: center; justify-content: center; gap: 12px; margin-top: 16px; }
-.pagination button { padding: 6px 14px; border: 1px solid var(--border); background: var(--bg-card); color: var(--text); border-radius: 6px; cursor: pointer; }
-.pagination button:disabled { opacity: .4; cursor: default; }
-
-/* Task detail */
-.task-header { margin-bottom: 20px; }
-.task-header h2 { margin-bottom: 8px; }
-.task-meta { display: flex; gap: 8px; flex-wrap: wrap; }
-.tags { color: var(--accent); font-size: .85rem; }
-.section { margin: 20px 0; }
-.section h3 { margin-bottom: 8px; color: var(--text-dim); font-size: .9rem; text-transform: uppercase; }
-dl { display: grid; grid-template-columns: 120px 1fr; gap: 6px; }
-dt { color: var(--text-dim); font-size: .85rem; }
-dd { font-size: .9rem; }
-.actions { display: flex; gap: 8px; }
-.btn-transition { padding: 6px 14px; border: 1px solid var(--border); background: var(--bg-card); color: var(--text); border-radius: 6px; cursor: pointer; text-transform: capitalize; }
-.btn-transition:hover { background: var(--bg-hover); }
-
-/* Comments */
-.comment { background: var(--bg-card); border: 1px solid var(--border); border-radius: 8px; padding: 12px; margin-bottom: 8px; }
-.comment-meta { font-size: .8rem; color: var(--text-dim); margin-bottom: 4px; }
-.comment-form { margin-top: 12px; }
-.comment-form textarea { width: 100%; min-height: 80px; padding: 10px; border: 1px solid var(--border); border-radius: 6px; background: var(--bg); color: var(--text); resize: vertical; margin-bottom: 8px; }
-.comment-form button { padding: 8px 16px; background: var(--accent); color: #fff; border: none; border-radius: 6px; cursor: pointer; }
-
-/* Create Task form / modal */
-.create-task form, .task-create-form { max-width: 600px; display: flex; flex-direction: column; gap: 14px; }
-.create-task label, .task-create-form label { display: flex; flex-direction: column; gap: 4px; font-size: .85rem; color: var(--text-dim); }
-.create-task input, .create-task textarea, .create-task select,
-.task-create-form input, .task-create-form textarea, .task-create-form select {
-  padding: 8px 12px; border: 1px solid var(--border); border-radius: 6px; background: var(--bg); color: var(--text); font-size: .95rem;
 }
-.create-task textarea, .task-create-form textarea { min-height: 100px; resize: vertical; }
+
-.task-create-grid { display: grid; grid-template-columns: repeat(2, minmax(0, 1fr)); gap: 12px; }
+/* fine grain overlay over everything */
+body::after {
+  content: '';
+  position: fixed; inset: 0;
+  pointer-events: none; z-index: 9999;
+  opacity: .035;
+  background-image: url("data:image/svg+xml,%3Csvg xmlns='http://www.w3.org/2000/svg' width='120' height='120'%3E%3Cfilter id='n'%3E%3CfeTurbulence type='fractalNoise' baseFrequency='0.85' numOctaves='2'/%3E%3C/filter%3E%3Crect width='120' height='120' filter='url(%23n)'/%3E%3C/svg%3E");
+}
+
+h1, h2, h3, h4 {
+  font-family: 'Saira Condensed', 'Hanken Grotesk', sans-serif;
+  font-weight: 600;
+  letter-spacing: .02em;
+  line-height: 1.12;
+  color: var(--text);
+}
+h1 { font-size: 1.55rem; text-transform: uppercase; letter-spacing: .06em; }
+h2 { font-size: 1.4rem; }
+h3 { font-size: 1.1rem; }
+
+code, pre, .mono { font-family: 'JetBrains Mono', monospace; }
+
+a { color: var(--accent); text-decoration: none; transition: color .15s; }
+a:hover { color: var(--accent-hover); text-decoration: none; }
+
+::selection { background: rgba(255,122,31,.32); color: #fff; }
+
+:focus-visible {
+  outline: none;
+  box-shadow: 0 0 0 2px var(--bg), 0 0 0 4px rgba(255,122,31,.6);
+  border-radius: 3px;
+}
+
+::-webkit-scrollbar { width: 11px; height: 11px; }
+::-webkit-scrollbar-track { background: var(--bg-sink); }
+::-webkit-scrollbar-thumb { background: #2c313d; border: 3px solid var(--bg-sink); border-radius: 6px; }
+::-webkit-scrollbar-thumb:hover { background: #3c4250; }
+
+input, textarea, select, button { font-family: inherit; }
+
+/* ---- Layout ------------------------------------------------------------- */
+.app-layout { display: flex; min-height: 100vh; }
+.main-content {
+  flex: 1; padding: 34px 44px; margin-left: var(--sidebar-w);
+  max-width: 1500px;
+  animation: deck-in .5s cubic-bezier(.16,1,.3,1) both;
+}
+.loading {
+  display: flex; align-items: center; justify-content: center; height: 100vh;
+  font-family: 'Saira Condensed', sans-serif; text-transform: uppercase;
+  letter-spacing: .35em; font-size: 1rem; color: var(--text-dim);
+}
+.loading::before { content: '◆ '; color: var(--accent); animation: pulse 1.4s ease-in-out infinite; }
+
+@keyframes deck-in { from { opacity: 0; transform: translateY(14px); } to { opacity: 1; transform: none; } }
+@keyframes fadeIn  { from { opacity: 0; transform: translateY(8px); } to { opacity: 1; transform: none; } }
+@keyframes pulse   { 0%,100% { opacity: .35; } 50% { opacity: 1; } }
+@keyframes sheen   { from { background-position: -200% 0; } to { background-position: 200% 0; } }
+
+@media (prefers-reduced-motion: reduce) {
+  *, *::before, *::after { animation: none !important; transition: none !important; scroll-behavior: auto !important; }
+}
+
+/* ---- Sidebar ------------------------------------------------------------ */
+.sidebar {
+  position: fixed; top: 0; left: 0; width: var(--sidebar-w); height: 100vh;
+  background:
+    linear-gradient(180deg, #15171e, #101218);
+  border-right: var(--hair);
+  display: flex; flex-direction: column; padding: 0 0 14px;
+  z-index: 50;
+}
+.sidebar::before {       /* hot edge line */
+  content: ''; position: absolute; top: 0; right: -1px; width: 2px; height: 100%;
+  background: linear-gradient(180deg, transparent, rgba(255,122,31,.5), transparent);
+}
+.sidebar-header { padding: 26px 22px 22px; border-bottom: var(--hair); }
+.sidebar-header h1 {
+  font-size: 1.3rem; letter-spacing: .12em;
+  display: flex; align-items: center; gap: 8px;
+}
+/* Brand logo (overridable via HARBORFORGE_LOGO_URL / public/logo.svg) */
+.brand-logo {
+  height: 1.15em; width: auto; vertical-align: -0.18em;
+  display: inline-block; flex: 0 0 auto;
+}
+.login-card h1 .brand-logo, .setup-header h1 .brand-logo { height: 1.4em; }
+.nav-links { list-style: none; flex: 1; padding: 14px 12px; display: flex; flex-direction: column; gap: 2px; }
+.nav-links li a {
+  display: flex; align-items: center; gap: 10px;
+  padding: 10px 14px; border-radius: var(--radius);
+  color: var(--text-dim); font-size: .82rem;
+  font-weight: 600; letter-spacing: .04em; text-transform: uppercase;
+  position: relative; transition: .15s;
+}
+.nav-links li a:hover { color: var(--text); background: var(--bg-hover); }
+.nav-links li.active a {
+  color: var(--text); background: var(--ember-soft);
+}
+.nav-links li.active a::before {
+  content: ''; position: absolute; left: -12px; top: 6px; bottom: 6px; width: 3px;
+  background: var(--ember); border-radius: 0 3px 3px 0;
+  box-shadow: 0 0 12px rgba(255,122,31,.7);
+}
+.sidebar-footer {
+  margin: 0 12px; padding: 14px; border-top: var(--hair);
+  display: flex; justify-content: space-between; align-items: center;
+  font-size: .8rem; color: var(--text-dim); font-family: 'JetBrains Mono', monospace;
+}
+.sidebar-footer button {
+  background: none; border: var(--hair); color: var(--text-dim);
+  padding: 5px 11px; border-radius: var(--radius); cursor: pointer;
+  font-size: .72rem; text-transform: uppercase; letter-spacing: .08em; transition: .15s;
+}
+.sidebar-footer button:hover { border-color: var(--accent); color: var(--accent); }
+
+/* ---- Login -------------------------------------------------------------- */
+.login-page, .setup-wizard {
+  display: flex; align-items: center; justify-content: center;
+  min-height: 100vh; padding: 24px;
+}
+.login-card {
+  position: relative; background: var(--bg-card); padding: 46px 42px;
+  border: var(--hair); border-radius: 6px; width: 380px; text-align: center;
+  box-shadow: 0 40px 80px -30px rgba(0,0,0,.8);
+  animation: deck-in .55s cubic-bezier(.16,1,.3,1) both;
+}
+.login-card::before {    /* molten top edge */
+  content: ''; position: absolute; left: 0; right: 0; top: 0; height: 3px;
+  background: var(--ember); border-radius: 6px 6px 0 0;
+}
+.login-card::after {     /* corner draftsman tick */
+  content: ''; position: absolute; right: 14px; bottom: 14px; width: 14px; height: 14px;
+  border-right: 2px solid var(--border-bright); border-bottom: 2px solid var(--border-bright);
+}
+.login-card h1 { margin-bottom: 6px; letter-spacing: .1em; }
+.login-card .subtitle, .setup-header p {
+  color: var(--text-dim); margin-bottom: 28px; font-size: .82rem;
+  text-transform: uppercase; letter-spacing: .14em;
+}
+.login-card form, .setup-form { display: flex; flex-direction: column; gap: 14px; }
+.login-card input {
+  padding: 12px 14px; border: var(--hair); border-radius: var(--radius);
+  background: var(--bg-sink); color: var(--text); font-size: .95rem; transition: .15s;
+}
+.login-card input::placeholder { color: #5b6170; text-transform: uppercase; letter-spacing: .08em; font-size: .8rem; }
+.login-card input:focus { border-color: var(--accent); background: var(--bg); }
+.login-card button, .setup-nav button {
+  padding: 12px; background: var(--ember); color: #1a0d02; border: none;
+  border-radius: var(--radius); font-size: .9rem; cursor: pointer;
+  font-family: 'Saira Condensed', sans-serif; font-weight: 700;
+  text-transform: uppercase; letter-spacing: .14em; transition: .18s;
+}
+.login-card button:hover, .setup-nav button:hover { box-shadow: var(--glow); transform: translateY(-1px); }
+.login-card button:disabled { opacity: .55; cursor: default; transform: none; box-shadow: none; }
+.error { color: var(--danger); font-size: .82rem; font-family: 'JetBrains Mono', monospace; }
+
+/* ---- Stats -------------------------------------------------------------- */
+.stats-grid { display: grid; grid-template-columns: repeat(auto-fill, minmax(150px, 1fr)); gap: 14px; margin: 18px 0 28px; }
+.stat-card {
+  position: relative; background: var(--bg-card); border: var(--hair);
+  border-radius: var(--radius); padding: 20px 18px; overflow: hidden;
+  transition: .18s; animation: deck-in .5s cubic-bezier(.16,1,.3,1) both;
+}
+.stat-card::before {
+  content: ''; position: absolute; left: 0; top: 0; bottom: 0; width: 3px; background: var(--ember);
+}
+.stat-card.total::before { background: var(--steel); }
+.stat-card:hover { transform: translateY(-3px); border-color: var(--border-bright); box-shadow: 0 16px 30px -18px rgba(0,0,0,.8); }
+.stat-card:nth-child(2) { animation-delay: .05s; }
+.stat-card:nth-child(3) { animation-delay: .1s; }
+.stat-card:nth-child(4) { animation-delay: .15s; }
+.stat-card:nth-child(5) { animation-delay: .2s; }
+.stat-number {
+  display: block; font-family: 'Saira Condensed', sans-serif; font-size: 2.4rem;
+  font-weight: 700; line-height: 1; color: var(--text);
+}
+.stat-label {
+  display: block; font-size: .68rem; color: var(--text-dim); margin-top: 8px;
+  text-transform: uppercase; letter-spacing: .16em;
+}
+
+/* ---- Bar chart ---------------------------------------------------------- */
+.bar-chart { margin: 14px 0; }
+.bar-row { display: flex; align-items: center; margin: 7px 0; }
+.bar-label { width: 80px; font-size: .72rem; color: var(--text-dim); text-transform: uppercase; letter-spacing: .08em; }
+.bar {
+  padding: 5px 11px; border-radius: 2px; color: #fff;
+  font-family: 'JetBrains Mono', monospace; font-size: .76rem;
+  min-width: 30px; text-align: right; transition: width .5s cubic-bezier(.16,1,.3,1);
+}
+
+/* ---- Tables ------------------------------------------------------------- */
+table { width: 100%; border-collapse: collapse; margin-top: 14px; }
+thead th {
+  text-align: left; padding: 11px 14px; border-bottom: 2px solid var(--border-bright);
+  color: var(--text-dim); font-size: .68rem; text-transform: uppercase; letter-spacing: .16em;
+  font-weight: 700;
+}
+tbody td { padding: 12px 14px; border-bottom: var(--hair); font-size: .9rem; }
+tbody tr:last-child td { border-bottom: none; }
+tr.clickable { cursor: pointer; transition: .12s; }
+tr.clickable:hover { background: var(--ember-soft); }
+tr.clickable:hover td:first-child { box-shadow: inset 3px 0 0 var(--accent); }
+.task-title { font-weight: 600; max-width: 420px; overflow: hidden; text-overflow: ellipsis; white-space: nowrap; }
+
+/* ---- Badges ------------------------------------------------------------- */
+.badge {
+  display: inline-block; padding: 3px 9px; border-radius: 2px;
+  font-family: 'JetBrains Mono', monospace; font-size: .68rem; font-weight: 700;
+  text-transform: uppercase; letter-spacing: .06em;
+  color: #0b0c0f; background: var(--text-dim);
+  border: 1px solid rgba(255,255,255,.12);
+}
+.status-open        { background: #5b8def; color: #fff; }
+.status-in_progress { background: var(--ember); }
+.status-undergoing  { background: var(--ember); }
+.status-resolved    { background: var(--success); color: #04130d; }
+.status-completed   { background: var(--success); color: #04130d; }
+.status-closed      { background: #5a616f; color: #fff; }
+.status-blocked     { background: var(--danger); color: #fff; }
+.status-freeze      { background: var(--steel); color: #042127; }
+.status-pending     { background: var(--warning); }
+.priority-low       { background: #5a616f; color: #fff; }
+.priority-medium    { background: #5b8def; color: #fff; }
+.priority-high      { background: var(--warning); }
+.priority-critical  { background: var(--danger); color: #fff; }
+
+/* ---- Page header / buttons --------------------------------------------- */
+.page-header {
+  display: flex; justify-content: space-between; align-items: center;
+  margin-bottom: 22px; padding-bottom: 16px; border-bottom: var(--hair);
+}
+.page-header h2 { letter-spacing: .04em; }
+.btn-primary {
+  background: var(--ember); color: #1a0d02; border: none;
+  padding: 9px 18px; border-radius: var(--radius); cursor: pointer;
+  font-family: 'Saira Condensed', sans-serif; font-weight: 700;
+  font-size: .85rem; text-transform: uppercase; letter-spacing: .1em; transition: .18s;
+}
+.btn-primary:hover { box-shadow: var(--glow); transform: translateY(-1px); }
+.btn-back {
+  background: none; border: var(--hair); color: var(--text-dim);
+  padding: 7px 14px; border-radius: var(--radius); cursor: pointer;
+  margin-bottom: 18px; font-size: .8rem; text-transform: uppercase;
+  letter-spacing: .08em; transition: .15s;
+}
+.btn-back:hover { border-color: var(--accent); color: var(--accent); }
+
+/* ---- Filters / pagination ---------------------------------------------- */
+.filters { margin-bottom: 14px; display: flex; gap: 8px; }
+.filters select, .inline-form select, .inline-form input {
+  padding: 8px 12px; border: var(--hair); border-radius: var(--radius);
+  background: var(--bg-card); color: var(--text); font-size: .88rem; transition: .15s;
+}
+.filters select:focus, .inline-form select:focus, .inline-form input:focus { border-color: var(--accent); }
+.pagination { display: flex; align-items: center; justify-content: center; gap: 14px; margin-top: 22px; }
+.pagination button {
+  padding: 7px 16px; border: var(--hair); background: var(--bg-card); color: var(--text);
+  border-radius: var(--radius); cursor: pointer; font-size: .82rem;
+  text-transform: uppercase; letter-spacing: .06em; transition: .15s;
+}
+.pagination button:hover:not(:disabled) { border-color: var(--accent); color: var(--accent); }
+.pagination button:disabled { opacity: .35; cursor: default; }
+
+/* ---- Task / detail ------------------------------------------------------ */
+.task-header { margin-bottom: 24px; }
+.task-header h2 { margin-bottom: 10px; }
+.task-meta { display: flex; gap: 8px; flex-wrap: wrap; }
+.tags { color: var(--steel); font-size: .82rem; font-family: 'JetBrains Mono', monospace; }
+.section { margin: 26px 0; }
+.section h3 {
+  margin-bottom: 12px; color: var(--text-dim); font-size: .72rem;
+  text-transform: uppercase; letter-spacing: .2em;
+  padding-bottom: 8px; border-bottom: var(--hair);
+}
+dl { display: grid; grid-template-columns: 140px 1fr; gap: 8px 12px; }
+dt { color: var(--text-dim); font-size: .72rem; text-transform: uppercase; letter-spacing: .1em; padding-top: 2px; }
+dd { font-size: .92rem; font-family: 'JetBrains Mono', monospace; }
+.actions { display: flex; gap: 8px; }
+.btn-transition {
+  padding: 7px 15px; border: var(--hair); background: var(--bg-card); color: var(--text);
+  border-radius: var(--radius); cursor: pointer; text-transform: uppercase;
+  font-size: .78rem; letter-spacing: .08em; transition: .15s;
+}
+.btn-transition:hover { border-color: var(--accent); color: var(--accent); background: var(--ember-soft); }
+
+/* ---- Comments ----------------------------------------------------------- */
+.comment {
+  background: var(--bg-card); border: var(--hair); border-left: 3px solid var(--border-bright);
+  border-radius: var(--radius); padding: 14px 16px; margin-bottom: 10px;
+}
+.comment:hover { border-left-color: var(--accent); }
+.comment-meta { font-size: .74rem; color: var(--text-dim); margin-bottom: 6px; font-family: 'JetBrains Mono', monospace; }
+.comment-form { margin-top: 14px; }
+.comment-form textarea {
+  width: 100%; min-height: 88px; padding: 12px; border: var(--hair);
+  border-radius: var(--radius); background: var(--bg-sink); color: var(--text);
+  resize: vertical; margin-bottom: 10px; transition: .15s;
+}
+.comment-form textarea:focus { border-color: var(--accent); }
+.comment-form button {
+  padding: 9px 18px; background: var(--ember); color: #1a0d02; border: none;
+  border-radius: var(--radius); cursor: pointer; font-family: 'Saira Condensed', sans-serif;
+  font-weight: 700; text-transform: uppercase; letter-spacing: .1em; transition: .18s;
+}
+.comment-form button:hover { box-shadow: var(--glow); }
+
+/* ---- Forms / modal ------------------------------------------------------ */
+.create-task form, .task-create-form { max-width: 640px; display: flex; flex-direction: column; gap: 16px; }
+.create-task label, .task-create-form label, .setup-form label {
+  display: flex; flex-direction: column; gap: 6px; font-size: .7rem;
+  color: var(--text-dim); text-transform: uppercase; letter-spacing: .12em;
+}
+.create-task input, .create-task textarea, .create-task select,
+.task-create-form input, .task-create-form textarea, .task-create-form select,
+.setup-form input {
+  padding: 10px 13px; border: var(--hair); border-radius: var(--radius);
+  background: var(--bg-sink); color: var(--text); font-size: .92rem;
+  font-family: inherit; transition: .15s;
+}
+.create-task input:focus, .create-task textarea:focus, .create-task select:focus,
+.task-create-form input:focus, .task-create-form textarea:focus, .task-create-form select:focus,
+.setup-form input:focus { border-color: var(--accent); background: var(--bg); }
+.create-task textarea, .task-create-form textarea { min-height: 110px; resize: vertical; }
+.task-create-grid { display: grid; grid-template-columns: repeat(2, minmax(0, 1fr)); gap: 14px; }
 .modal-overlay {
-  position: fixed; inset: 0; background: rgba(0, 0, 0, .6); display: flex; align-items: center; justify-content: center; z-index: 1000; padding: 24px;
+  position: fixed; inset: 0; background: rgba(4,5,7,.78);
+  backdrop-filter: blur(3px); display: flex; align-items: center;
+  justify-content: center; z-index: 1000; padding: 24px;
+  animation: fadeIn .2s ease;
 }
 .modal {
-  width: min(720px, 100%); max-height: calc(100vh - 48px); overflow: auto; background: var(--bg-card); border: 1px solid var(--border); border-radius: 12px; padding: 20px;
+  position: relative; width: min(720px, 100%); max-height: calc(100vh - 48px);
+  overflow: auto; background: var(--bg-card); border: var(--hair);
+  border-radius: 6px; padding: 26px;
+  box-shadow: 0 40px 90px -30px rgba(0,0,0,.85);
+  animation: deck-in .35s cubic-bezier(.16,1,.3,1) both;
 }
-.modal-header { display: flex; align-items: center; justify-content: space-between; gap: 12px; margin-bottom: 16px; }
+.modal::before { content: ''; position: absolute; left: 0; right: 0; top: 0; height: 3px; background: var(--ember); border-radius: 6px 6px 0 0; }
-.modal-actions { display: flex; justify-content: flex-end; gap: 8px; margin-top: 8px; }
+.modal-header { display: flex; align-items: center; justify-content: space-between; gap: 12px; margin-bottom: 20px; padding-bottom: 14px; border-bottom: var(--hair); }
+.modal-actions { display: flex; justify-content: flex-end; gap: 10px; margin-top: 12px; }
 
-/* Project grid */
+/* ---- Cards (project / milestone) --------------------------------------- */
-.project-grid, .milestone-grid { display: grid; grid-template-columns: repeat(auto-fill, minmax(280px, 1fr)); gap: 16px; margin-top: 16px; }
+.project-grid, .milestone-grid { display: grid; grid-template-columns: repeat(auto-fill, minmax(290px, 1fr)); gap: 18px; margin-top: 18px; }
-.project-card, .milestone-card { background: var(--bg-card); border: 1px solid var(--border); border-radius: 8px; padding: 20px; cursor: pointer; transition: .15s; }
+.project-card, .milestone-card {
-.project-card:hover, .milestone-card:hover { border-color: var(--accent); background: var(--bg-hover); }
+  position: relative; background: var(--bg-card); border: var(--hair);
-.project-card h3, .milestone-card h3 { margin-bottom: 8px; }
+  border-radius: var(--radius); padding: 22px; cursor: pointer;
-.project-desc { color: var(--text-dim); font-size: .9rem; margin-bottom: 12px; }
+  transition: .2s; overflow: hidden;
-.project-meta { font-size: .8rem; color: var(--text-dim); display: flex; gap: 12px; }
+  animation: deck-in .5s cubic-bezier(.16,1,.3,1) both;
+}
+.project-card::after, .milestone-card::after {   /* draftsman corner tick */
+  content: ''; position: absolute; right: 12px; top: 12px; width: 10px; height: 10px;
+  border-top: 2px solid var(--border-bright); border-right: 2px solid var(--border-bright);
+  transition: .2s;
+}
+.project-card:hover, .milestone-card:hover {
+  border-color: var(--accent); background: var(--bg-hover);
+  transform: translateY(-3px); box-shadow: 0 18px 36px -20px rgba(0,0,0,.85);
+}
+.project-card:hover::after, .milestone-card:hover::after { border-color: var(--accent); }
+.project-card h3, .milestone-card h3 { margin-bottom: 10px; }
+.project-desc { color: var(--text-dim); font-size: .88rem; margin-bottom: 14px; }
+.project-meta { font-size: .72rem; color: var(--text-dim); display: flex; gap: 14px; font-family: 'JetBrains Mono', monospace; text-transform: uppercase; letter-spacing: .06em; }
+.milestone-card-header { display: flex; align-items: center; gap: 8px; margin-bottom: 10px; }
+.milestone-item { display: flex; align-items: center; gap: 10px; padding: 11px 8px; border-bottom: var(--hair); cursor: pointer; transition: .12s; }
+.milestone-item:hover { background: var(--ember-soft); box-shadow: inset 3px 0 0 var(--accent); }
+.milestone-title { font-weight: 600; }
 
-/* Milestone card header */
+/* ---- Progress bar ------------------------------------------------------- */
-.milestone-card-header { display: flex; align-items: center; gap: 8px; margin-bottom: 8px; }
+.progress-bar-container {
-.milestone-item { display: flex; align-items: center; gap: 8px; padding: 8px 0; border-bottom: 1px solid var(--border); cursor: pointer; }
+  width: 100%; height: 18px; background: var(--bg-sink); border-radius: 2px;
-.milestone-item:hover { background: var(--bg-hover); }
+  overflow: hidden; border: var(--hair);
-.milestone-title { font-weight: 500; }
+}
+.progress-bar {
+  height: 100%; background: var(--ember);
+  background-image: linear-gradient(135deg, #ff7a1f, #ffa83a), linear-gradient(90deg, transparent, rgba(255,255,255,.35), transparent);
+  background-size: 100% 100%, 200% 100%;
+  color: #1a0d02; font-family: 'JetBrains Mono', monospace; font-size: .68rem; font-weight: 700;
+  display: flex; align-items: center; justify-content: center; min-width: 28px;
+  transition: width .6s cubic-bezier(.16,1,.3,1);
+  animation: sheen 2.6s linear infinite;
+}
 
-/* Progress bar */
+/* ---- Notifications ------------------------------------------------------ */
-.progress-bar-container { width: 100%; height: 20px; background: var(--bg); border-radius: 10px; overflow: hidden; border: 1px solid var(--border); }
+.notification-list { margin-top: 18px; border: var(--hair); border-radius: var(--radius); overflow: hidden; }
-.progress-bar { height: 100%; background: var(--success); color: #fff; font-size: .75rem; display: flex; align-items: center; justify-content: center; min-width: 30px; transition: width .3s; border-radius: 10px; }
+.notification-item { display: flex; gap: 14px; padding: 14px 18px; border-bottom: var(--hair); cursor: pointer; transition: .12s; }
-
+.notification-item:last-child { border-bottom: none; }
-/* Notification list */
-.notification-list { margin-top: 16px; }
-.notification-item { display: flex; gap: 12px; padding: 12px 16px; border-bottom: 1px solid var(--border); cursor: pointer; transition: .15s; }
 .notification-item:hover { background: var(--bg-hover); }
-.notification-item.unread { background: var(--bg-card); }
+.notification-item.unread { background: var(--ember-soft); box-shadow: inset 3px 0 0 var(--accent); }
-.notification-dot { width: 12px; color: var(--accent); font-size: .6rem; padding-top: 4px; }
+.notification-dot { width: 12px; color: var(--accent); font-size: .55rem; padding-top: 5px; }
 .notification-body p { margin-bottom: 4px; }
 
-/* Inline form */
+/* ---- Misc helpers ------------------------------------------------------- */
-.inline-form { display: flex; gap: 8px; margin-bottom: 16px; flex-wrap: wrap; align-items: center; }
+.inline-form { display: flex; gap: 8px; margin-bottom: 18px; flex-wrap: wrap; align-items: center; }
-.inline-form input, .inline-form select { padding: 8px 12px; border: 1px solid var(--border); border-radius: 6px; background: var(--bg); color: var(--text); }
+.filter-check { display: flex; align-items: center; gap: 6px; color: var(--text-dim); font-size: .82rem; cursor: pointer; text-transform: uppercase; letter-spacing: .06em; }
-
-/* Filter checkbox */
-.filter-check { display: flex; align-items: center; gap: 6px; color: var(--text-dim); font-size: .9rem; cursor: pointer; }
-
-/* Member list */
 .member-list { display: flex; gap: 8px; flex-wrap: wrap; }
+.empty {
+  color: var(--text-dim); padding: 28px 0; text-align: center;
+  font-family: 'Saira Condensed', sans-serif; text-transform: uppercase;
+  letter-spacing: .24em; font-size: .9rem;
+}
+.empty::before { content: '— '; color: var(--accent); }
+.empty::after  { content: ' —'; color: var(--accent); }
+.text-dim { color: var(--text-dim); font-size: .82rem; }
 
-/* Empty state */
+/* ---- Setup Wizard ------------------------------------------------------- */
-.empty { color: var(--text-dim); font-style: italic; padding: 16px 0; }
+.setup-container {
-
+  position: relative; background: var(--bg-card); border: var(--hair);
-/* Text dim helper */
+  border-radius: 6px; padding: 44px; max-width: 620px; width: 100%;
-.text-dim { color: var(--text-dim); font-size: .85rem; }
+  box-shadow: 0 40px 80px -30px rgba(0,0,0,.8);
-
+  animation: deck-in .55s cubic-bezier(.16,1,.3,1) both;
-/* Setup Wizard */
+}
-.setup-wizard { display: flex; align-items: center; justify-content: center; min-height: 100vh; padding: 24px; }
+.setup-container::before { content: ''; position: absolute; left: 0; right: 0; top: 0; height: 3px; background: var(--ember); border-radius: 6px 6px 0 0; }
-.setup-container { background: var(--bg-card); border: 1px solid var(--border); border-radius: 16px; padding: 40px; max-width: 600px; width: 100%; }
+.setup-header { text-align: center; margin-bottom: 34px; }
-.setup-header { text-align: center; margin-bottom: 32px; }
+.setup-header h1 { font-size: 1.6rem; margin-bottom: 22px; letter-spacing: .1em; }
-.setup-header h1 { font-size: 1.5rem; margin-bottom: 20px; }
 .setup-steps { display: flex; justify-content: center; gap: 8px; flex-wrap: wrap; }
-.setup-step { font-size: .8rem; color: var(--text-dim); padding: 4px 10px; border-radius: 12px; border: 1px solid var(--border); }
+.setup-step {
-.setup-step.active { color: var(--accent); border-color: var(--accent); background: rgba(59,130,246,.1); }
+  font-size: .68rem; color: var(--text-dim); padding: 5px 12px; border-radius: 2px;
+  border: var(--hair); text-transform: uppercase; letter-spacing: .1em;
+  font-family: 'JetBrains Mono', monospace;
+}
+.setup-step.active { color: var(--accent); border-color: var(--accent); background: var(--ember-soft); }
 .setup-step.done { color: var(--success); border-color: var(--success); }
-.setup-step-content { animation: fadeIn .2s ease; }
+.setup-step-content { animation: fadeIn .25s ease; }
-.setup-step-content h2 { margin-bottom: 8px; font-size: 1.2rem; }
+.setup-step-content h2 { margin-bottom: 10px; font-size: 1.3rem; }
-.setup-form { display: flex; flex-direction: column; gap: 12px; margin: 20px 0; }
+.setup-form { margin: 22px 0; }
-.setup-form label { display: flex; flex-direction: column; gap: 4px; font-size: .85rem; color: var(--text-dim); }
+.setup-nav { display: flex; justify-content: space-between; margin-top: 28px; }
-.setup-form input { padding: 10px 12px; border: 1px solid var(--border); border-radius: 6px; background: var(--bg); color: var(--text); font-size: .95rem; }
+.setup-nav button:disabled { opacity: .5; cursor: default; }
-.setup-nav { display: flex; justify-content: space-between; margin-top: 24px; }
+.setup-error {
-.setup-error { background: rgba(239,68,68,.1); border: 1px solid var(--danger); color: var(--danger); padding: 12px 16px; border-radius: 8px; margin-bottom: 16px; font-size: .9rem; white-space: pre-line; }
+  background: rgba(226,85,60,.12); border: 1px solid var(--danger); color: var(--danger);
-.setup-info { background: rgba(59,130,246,.08); border: 1px solid rgba(59,130,246,.2); padding: 16px; border-radius: 8px; margin: 16px 0; }
+  padding: 13px 16px; border-radius: var(--radius); margin-bottom: 18px;
-.setup-info code { display: block; background: var(--bg); padding: 8px 12px; border-radius: 4px; margin-top: 8px; font-size: .85rem; color: var(--accent); word-break: break-all; }
+  font-size: .85rem; white-space: pre-line; font-family: 'JetBrains Mono', monospace;
-.setup-hint { color: var(--warning); font-size: .85rem; margin-top: 8px; }
+}
+.setup-info { background: rgba(86,198,214,.07); border: 1px solid rgba(86,198,214,.25); padding: 18px; border-radius: var(--radius); margin: 18px 0; }
+.setup-info code {
+  display: block; background: var(--bg-sink); padding: 10px 13px; border-radius: 2px;
+  margin-top: 10px; font-size: .82rem; color: var(--steel); word-break: break-all;
+}
+.setup-hint { color: var(--warning); font-size: .82rem; margin-top: 8px; }
 .setup-done { text-align: center; }
-.setup-done h2 { color: var(--success); margin-bottom: 12px; }
+.setup-done h2 { color: var(--success); margin-bottom: 14px; }
-@keyframes fadeIn { from { opacity: 0; transform: translateY(8px); } to { opacity: 1; transform: none; } }
 
-
+/* ---- Monitor ------------------------------------------------------------ */
-/* Monitor */
+.monitor-grid { display: grid; grid-template-columns: repeat(auto-fill, minmax(270px, 1fr)); gap: 18px; margin-top: 14px; }
-.monitor-grid { display: grid; grid-template-columns: repeat(auto-fill, minmax(260px, 1fr)); gap: 16px; margin-top: 12px; }
+.monitor-card {
-.monitor-card { background: var(--bg-card); border: 1px solid var(--border); border-radius: 8px; padding: 16px; }
+  position: relative; background: var(--bg-card); border: var(--hair);
-.monitor-card-header { display: flex; justify-content: space-between; align-items: flex-start; margin-bottom: 8px; }
+  border-radius: var(--radius); padding: 18px; overflow: hidden;
-.monitor-metrics { margin: 8px 0; font-size: .9rem; }
+  animation: deck-in .5s cubic-bezier(.16,1,.3,1) both;
-.monitor-admin { display: grid; grid-template-columns: repeat(auto-fit, minmax(320px, 1fr)); gap: 16px; }
+}
-
+.monitor-card::before { content: ''; position: absolute; left: 0; top: 0; bottom: 0; width: 3px; background: var(--steel); }
-.status-ok { background: var(--success); }
+.monitor-card-header { display: flex; justify-content: space-between; align-items: flex-start; margin-bottom: 10px; }
-.status-error { background: var(--danger); }
+.monitor-metrics { margin: 10px 0; font-size: .86rem; font-family: 'JetBrains Mono', monospace; }
+.monitor-admin { display: grid; grid-template-columns: repeat(auto-fit, minmax(320px, 1fr)); gap: 18px; }
+.status-ok      { background: var(--success); color: #04130d; }
+.status-error   { background: var(--danger); color: #fff; }
 .status-pending { background: var(--warning); }
-.status-online { background: var(--success); }
+.status-online  { background: var(--success); color: #04130d; }
-.status-offline { background: var(--danger); }
+.status-offline { background: #5a616f; color: #fff; }
 
-.btn-secondary { background: none; border: 1px solid var(--border); color: var(--text); padding: 6px 12px; border-radius: 6px; cursor: pointer; }
+/* ---- Secondary / danger buttons ---------------------------------------- */
-.btn-danger { background: var(--danger); color: #fff; border: none; padding: 6px 12px; border-radius: 6px; cursor: pointer; }
+.btn-secondary {
-.btn-danger:hover { opacity: .9; }
+  background: none; border: var(--hair); color: var(--text);
+  padding: 7px 14px; border-radius: var(--radius); cursor: pointer;
+  font-size: .8rem; text-transform: uppercase; letter-spacing: .08em; transition: .15s;
+}
+.btn-secondary:hover { border-color: var(--accent); color: var(--accent); }
+.btn-danger {
+  background: var(--danger); color: #fff; border: none;
+  padding: 7px 14px; border-radius: var(--radius); cursor: pointer;
+  font-family: 'Saira Condensed', sans-serif; font-weight: 700;
+  text-transform: uppercase; letter-spacing: .1em; transition: .15s;
+}
+.btn-danger:hover { box-shadow: 0 8px 24px -8px rgba(226,85,60,.6); transform: translateY(-1px); }
 
-
+/* ---- Tabs --------------------------------------------------------------- */
-/* Tabs */
+.tabs { display: flex; gap: 2px; border-bottom: var(--hair); margin-bottom: 20px; }
-.tabs { display: flex; gap: 4px; border-bottom: 1px solid var(--border); margin-bottom: 16px; }
+.tab {
-.tab { background: none; border: none; padding: 10px 16px; color: var(--text-dim); cursor: pointer; border-bottom: 2px solid transparent; margin-bottom: -1px; }
+  background: none; border: none; padding: 11px 18px; color: var(--text-dim);
+  cursor: pointer; border-bottom: 2px solid transparent; margin-bottom: -1px;
+  font-family: 'Saira Condensed', sans-serif; font-weight: 600;
+  font-size: .92rem; text-transform: uppercase; letter-spacing: .08em; transition: .15s;
+}
 .tab:hover { color: var(--text); }
 .tab.active { color: var(--accent); border-bottom-color: var(--accent); }
-.tab-content { margin-top: 16px; }
+.tab-content { margin-top: 18px; animation: fadeIn .25s ease; }
 
+/* ---- Responsive --------------------------------------------------------- */
+@media (max-width: 860px) {
+  :root { --sidebar-w: 0px; }
+  .sidebar { transform: translateX(-100%); }
+  .main-content { padding: 22px 18px; }
+  .task-create-grid { grid-template-columns: 1fr; }
+}

src/pages/LoginPage.tsx

@@ -1,15 +1,31 @@
 import React, { useState } from 'react'
+import { useAuthConfig, oidcLoginHref } from '@/hooks/useAuthConfig'
+import { getLogoUrl } from '@/runtime'
 
 interface Props {
   onLogin: (username: string, password: string) => Promise<void>
 }
 
+const OIDC_ERRORS: Record<string, string> = {
+  not_linked: 'This OIDC account is not linked to any HarborForge user. Ask an administrator to bind it first.',
+  exchange_failed: 'OIDC sign-in failed during token exchange. Please try again.',
+  no_subject: 'The identity provider did not return a subject. Sign-in aborted.',
+  token_rejected: 'The issued session token was rejected. Please try again.',
+  missing_token: 'No session token was returned. Please try again.',
+  link_not_allowed: 'Account linking is not allowed in this mode.',
+  already_bound: 'That OIDC identity is already bound to another user.',
+}
+
 export default function LoginPage({ onLogin }: Props) {
+  const { config, loading: cfgLoading } = useAuthConfig()
   const [username, setUsername] = useState('')
   const [password, setPassword] = useState('')
   const [error, setError] = useState('')
   const [loading, setLoading] = useState(false)
 
+  const urlError = new URLSearchParams(window.location.search).get('oidc_error')
+  const oidcError = urlError ? (OIDC_ERRORS[urlError] || `OIDC error: ${urlError}`) : ''
+
   const handleSubmit = async (e: React.FormEvent) => {
     e.preventDefault()
     setError('')
@@ -23,31 +39,58 @@ export default function LoginPage({ onLogin }: Props) {
     }
   }
 
+  const showPassword = !cfgLoading && config.passwordLogin && !config.oidcOnly
+  const showOidc = !cfgLoading && config.oidcEnabled
+
   return (
     <div className="login-page">
       <div className="login-card">
-        <h1>⚓ HarborForge</h1>
+        <h1><img src={getLogoUrl()} className="brand-logo" alt="" /> HarborForge</h1>
         <p className="subtitle">Agent/Human collaborative task management platform</p>
-        <form onSubmit={handleSubmit}>
+
-          <input
+        {oidcError && <p className="error" style={{ marginBottom: 14 }}>{oidcError}</p>}
-            type="text"
+
-            placeholder="Username"
+        {showPassword && (
-            value={username}
+          <form onSubmit={handleSubmit}>
-            onChange={(e) => setUsername(e.target.value)}
+            <input
-            required
+              type="text"
-          />
+              placeholder="Username"
-          <input
+              value={username}
-            type="password"
+              onChange={(e) => setUsername(e.target.value)}
-            placeholder="Password"
+              required
-            value={password}
+            />
-            onChange={(e) => setPassword(e.target.value)}
+            <input
-            required
+              type="password"
-          />
+              placeholder="Password"
-          {error && <p className="error">{error}</p>}
+              value={password}
-          <button type="submit" disabled={loading}>
+              onChange={(e) => setPassword(e.target.value)}
-            {loading ? 'Signing in...' : 'Sign in'}
+              required
-          </button>
+            />
-        </form>
+            {error && <p className="error">{error}</p>}
+            <button type="submit" disabled={loading}>
+              {loading ? 'Signing in...' : 'Sign in'}
+            </button>
+          </form>
+        )}
+
+        {showPassword && showOidc && (
+          <p className="text-dim" style={{ textAlign: 'center', margin: '14px 0' }}>— or —</p>
+        )}
+
+        {showOidc && (
+          <a
+            className="btn-primary"
+            style={{ display: 'block', textAlign: 'center', textDecoration: 'none' }}
+            href={oidcLoginHref(config)}
+          >
+            Sign in with SSO
+          </a>
+        )}
+
+        {cfgLoading && <p className="subtitle">Loading sign-in options…</p>}
+        {!cfgLoading && !showPassword && !showOidc && (
+          <p className="error">No sign-in method is available. Check server configuration.</p>
+        )}
       </div>
     </div>
   )

src/pages/OidcCallbackPage.tsx

@@ -0,0 +1,56 @@
+import { useEffect, useRef, useState } from 'react'
+import { useNavigate } from 'react-router-dom'
+import { getLogoUrl } from '@/runtime'
+
+interface Props {
+  onToken: (token: string) => Promise<void>
+}
+
+/**
+ * Lands here after the backend OIDC callback redirect.
+ * - sign-in:  URL fragment `#token=<jwt>`  → apply token, go to dashboard
+ * - self-link: query `?oidc_linked=1`        → success notice, go to /users
+ * - failure:  query `?oidc_error=<code>`     → back to /login with the code
+ */
+export default function OidcCallbackPage({ onToken }: Props) {
+  const navigate = useNavigate()
+  const [msg, setMsg] = useState('Completing sign-in…')
+  const ran = useRef(false)
+
+  useEffect(() => {
+    if (ran.current) return
+    ran.current = true
+
+    const hash = new URLSearchParams(window.location.hash.replace(/^#/, ''))
+    const query = new URLSearchParams(window.location.search)
+    const token = hash.get('token')
+    const oidcError = query.get('oidc_error')
+    const linked = query.get('oidc_linked')
+
+    if (oidcError) {
+      navigate(`/login?oidc_error=${encodeURIComponent(oidcError)}`, { replace: true })
+      return
+    }
+    if (linked) {
+      setMsg('OIDC account linked. Redirecting…')
+      const t = setTimeout(() => navigate('/users', { replace: true }), 1200)
+      return () => clearTimeout(t)
+    }
+    if (token) {
+      onToken(token)
+        .then(() => navigate('/', { replace: true }))
+        .catch(() => navigate('/login?oidc_error=token_rejected', { replace: true }))
+      return
+    }
+    navigate('/login?oidc_error=missing_token', { replace: true })
+  }, [navigate, onToken])
+
+  return (
+    <div className="login-page">
+      <div className="login-card">
+        <h1><img src={getLogoUrl()} className="brand-logo" alt="" /> HarborForge</h1>
+        <p className="subtitle">{msg}</p>
+      </div>
+    </div>
+  )
+}

src/pages/OidcSettingsPage.tsx

@@ -0,0 +1,171 @@
+import { useEffect, useState } from 'react'
+import api from '@/services/api'
+import { useAuth } from '@/hooks/useAuth'
+
+interface Settings {
+  enabled: boolean
+  issuer: string | null
+  client_id: string | null
+  has_client_secret: boolean
+  redirect_uri: string | null
+  scopes: string | null
+  post_login_redirect: string | null
+  admin_role: string
+  oidc_only: boolean
+  effective_enabled: boolean
+  source: string
+}
+
+export default function OidcSettingsPage() {
+  const { user } = useAuth()
+  const isAdmin = user?.is_admin === true
+
+  const [loaded, setLoaded] = useState<Settings | null>(null)
+  const [loading, setLoading] = useState(true)
+  const [saving, setSaving] = useState(false)
+  const [message, setMessage] = useState('')
+  const [form, setForm] = useState({
+    enabled: false,
+    issuer: '',
+    client_id: '',
+    client_secret: '',
+    redirect_uri: '',
+    scopes: 'openid email profile',
+    post_login_redirect: '',
+    admin_role: 'admin',
+  })
+
+  useEffect(() => {
+    if (!isAdmin) { setLoading(false); return }
+    api.get<Settings>('/auth/oidc/settings')
+      .then(({ data }) => {
+        setLoaded(data)
+        setForm({
+          enabled: data.enabled,
+          issuer: data.issuer || '',
+          client_id: data.client_id || '',
+          client_secret: '',
+          redirect_uri: data.redirect_uri || '',
+          scopes: data.scopes || 'openid email profile',
+          post_login_redirect: data.post_login_redirect || '',
+          admin_role: data.admin_role || 'admin',
+        })
+      })
+      .catch((e) => setMessage(e.response?.data?.detail || 'Failed to load OIDC settings'))
+      .finally(() => setLoading(false))
+  }, [isAdmin])
+
+  const save = async () => {
+    setSaving(true)
+    setMessage('')
+    try {
+      const payload: Record<string, any> = {
+        enabled: form.enabled,
+        issuer: form.issuer.trim(),
+        client_id: form.client_id.trim(),
+        redirect_uri: form.redirect_uri.trim(),
+        scopes: form.scopes.trim(),
+        post_login_redirect: form.post_login_redirect.trim(),
+        admin_role: form.admin_role.trim() || 'admin',
+      }
+      if (form.client_secret) payload.client_secret = form.client_secret
+      const { data } = await api.put<Settings>('/auth/oidc/settings', payload)
+      setLoaded(data)
+      setForm((f) => ({ ...f, client_secret: '' }))
+      setMessage('OIDC settings saved successfully')
+    } catch (e: any) {
+      setMessage(e.response?.data?.detail || 'Failed to save OIDC settings')
+    } finally {
+      setSaving(false)
+    }
+  }
+
+  if (loading) return <div className="loading">Loading OIDC settings...</div>
+  if (!isAdmin) {
+    return (
+      <div className="section">
+        <h2>🔐 OIDC Settings</h2>
+        <p className="empty">Admin access required.</p>
+      </div>
+    )
+  }
+
+  const callbackHint = form.redirect_uri.trim() || loaded?.redirect_uri || '(set the Redirect / Callback URL below)'
+
+  return (
+    <div className="section">
+      <div className="page-header">
+        <div>
+          <h2>🔐 OIDC Settings</h2>
+          <div className="text-dim">Configure the OpenID Connect provider. Saved values override environment defaults.</div>
+        </div>
+      </div>
+
+      {message && (
+        <div style={{
+          padding: '10px 12px', marginBottom: 16, borderRadius: 8,
+          background: message.includes('success') ? 'rgba(70,180,135,.14)' : 'rgba(226,85,60,.14)',
+          border: `1px solid ${message.includes('success') ? 'rgba(70,180,135,.4)' : 'rgba(226,85,60,.4)'}`,
+        }}>{message}</div>
+      )}
+
+      <div className="monitor-card" style={{ marginBottom: 16 }}>
+        <div className="monitor-card-header">
+          <div style={{ fontWeight: 600 }}>Status</div>
+          <span className={'badge ' + (loaded?.effective_enabled ? 'status-online' : 'status-offline')}>
+            {loaded?.effective_enabled ? 'OIDC active' : 'OIDC inactive'}
+          </span>
+        </div>
+        <div className="monitor-metrics">
+          config source: <b>{loaded?.source}</b> · OIDC-only mode (deploy env): <b>{loaded?.oidc_only ? 'on' : 'off'}</b>
+        </div>
+        <div style={{ marginTop: 8 }}>
+          <div className="text-dim">Register this Redirect / Callback URL at your identity provider:</div>
+          <code style={{ display: 'block', marginTop: 6, wordBreak: 'break-all' }}>{callbackHint}</code>
+        </div>
+      </div>
+
+      <div className="task-create-form" style={{ maxWidth: 640 }}>
+        <label className="filter-check">
+          <input type="checkbox" checked={form.enabled} onChange={(e) => setForm({ ...form, enabled: e.target.checked })} />
+          Enable OIDC sign-in
+        </label>
+        <label>
+          Issuer (OIDC source)
+          <input placeholder="https://idp.example.com" value={form.issuer} onChange={(e) => setForm({ ...form, issuer: e.target.value })} />
+        </label>
+        <label>
+          Client ID
+          <input value={form.client_id} onChange={(e) => setForm({ ...form, client_id: e.target.value })} />
+        </label>
+        <label>
+          Client Secret
+          <input type="password" placeholder={loaded?.has_client_secret ? '•••••• (leave blank to keep current)' : 'client secret'} value={form.client_secret} onChange={(e) => setForm({ ...form, client_secret: e.target.value })} />
+        </label>
+        <label>
+          Redirect / Callback URL
+          <input placeholder="https://hf-api.example.com/auth/oidc/callback" value={form.redirect_uri} onChange={(e) => setForm({ ...form, redirect_uri: e.target.value })} />
+        </label>
+        <label>
+          Scopes
+          <input value={form.scopes} onChange={(e) => setForm({ ...form, scopes: e.target.value })} />
+        </label>
+        <label>
+          Post-login redirect (frontend)
+          <input placeholder="https://hf.example.com/oidc/callback" value={form.post_login_redirect} onChange={(e) => setForm({ ...form, post_login_redirect: e.target.value })} />
+        </label>
+        <label>
+          Admin role (bootstrap)
+          <input placeholder="admin" value={form.admin_role} onChange={(e) => setForm({ ...form, admin_role: e.target.value })} />
+        </label>
+        <p className="text-dim">
+          OIDC-only bootstrap: before any admin is linked, an IdP user whose token carries this role
+          auto-connects to the HarborForge admin account on first sign-in. Disables itself once an admin is bound.
+        </p>
+        <button className="btn-primary" disabled={saving} onClick={save}>
+          {saving ? 'Saving...' : 'Save OIDC Settings'}
+        </button>
+      </div>
+    </div>
+  )
+}

src/pages/SetupWizardPage.tsx

@@ -1,5 +1,6 @@
 import { useState } from 'react'
 import axios from 'axios'
+import { getRuntimeOidcOnly, getLogoUrl } from '@/runtime'
 
 interface Props {
   initialWizardPort: number | null
@@ -14,9 +15,18 @@ interface SetupForm {
   backend_base_url: string
   project_name: string
   project_description: string
+  oidc_enabled: boolean
+  oidc_issuer: string
+  oidc_client_id: string
+  oidc_client_secret: string
+  oidc_redirect_uri: string
+  oidc_scopes: string
+  oidc_post_login_redirect: string
+  oidc_admin_role: string
 }
 
-const STEPS = ['Wizard', 'Admin', 'Backend', 'Finish']
+const oidcOnly = getRuntimeOidcOnly() === true
+const STEPS = ['Wizard', 'Admin', 'OIDC', 'Backend', 'Finish']
 
 export default function SetupWizardPage({ initialWizardPort, onComplete }: Props) {
   const [step, setStep] = useState(0)
@@ -35,9 +45,17 @@ export default function SetupWizardPage({ initialWizardPort, onComplete }: Props
     backend_base_url: '',
     project_name: '',
     project_description: '',
+    oidc_enabled: oidcOnly,
+    oidc_issuer: '',
+    oidc_client_id: '',
+    oidc_client_secret: '',
+    oidc_redirect_uri: '',
+    oidc_scopes: 'openid email profile',
+    oidc_post_login_redirect: '',
+    oidc_admin_role: 'admin',
   })
 
-  const set = (key: keyof SetupForm, value: string | number) =>
+  const set = (key: keyof SetupForm, value: string | number | boolean) =>
     setForm((f) => ({ ...f, [key]: value }))
 
   const checkWizard = async () => {
@@ -61,11 +79,24 @@ export default function SetupWizardPage({ initialWizardPort, onComplete }: Props
     }
   }
 
+  const validateOidc = (): string => {
+    if (!oidcOnly && !form.oidc_enabled) return ''
+    if (!form.oidc_issuer.trim()) return 'OIDC issuer is required'
+    if (!form.oidc_client_id.trim()) return 'OIDC client ID is required'
+    if (!form.oidc_client_secret.trim()) return 'OIDC client secret is required'
+    if (!form.oidc_redirect_uri.trim()) return 'OIDC redirect/callback URL is required'
+    if (oidcOnly && !form.oidc_admin_role.trim()) {
+      return 'In OIDC-only mode the admin role is required so the admin can bootstrap'
+    }
+    return ''
+  }
+
   const saveConfig = async () => {
     setError('')
     setSaving(true)
     try {
-      const config = {
+      const includeOidc = oidcOnly || form.oidc_enabled
+      const config: Record<string, any> = {
         initialized: true,
         admin: {
           username: form.admin_username,
@@ -75,6 +106,18 @@ export default function SetupWizardPage({ initialWizardPort, onComplete }: Props
         },
         backend_url: form.backend_base_url || undefined,
       }
+      if (includeOidc) {
+        config.oidc = {
+          enabled: true,
+          issuer: form.oidc_issuer.trim(),
+          client_id: form.oidc_client_id.trim(),
+          client_secret: form.oidc_client_secret,
+          redirect_uri: form.oidc_redirect_uri.trim(),
+          scopes: form.oidc_scopes.trim() || 'openid email profile',
+          post_login_redirect: form.oidc_post_login_redirect.trim() || undefined,
+          admin_role: form.oidc_admin_role.trim() || 'admin',
+        }
+      }
 
       await axios.put(`${wizardBase}/api/v1/config/harborforge.json`, config, {
         headers: { 'Content-Type': 'application/json' },
@@ -85,7 +128,7 @@ export default function SetupWizardPage({ initialWizardPort, onComplete }: Props
         localStorage.setItem('HF_BACKEND_BASE_URL', form.backend_base_url)
       }
 
-      setStep(3)
+      setStep(4)
     } catch (err: any) {
       setError(`Failed to save configuration: ${err.message}`)
     } finally {
@@ -97,7 +140,7 @@ export default function SetupWizardPage({ initialWizardPort, onComplete }: Props
     <div className="setup-wizard">
       <div className="setup-container">
         <div className="setup-header">
-          <h1>⚓ HarborForge Setup Wizard</h1>
+          <h1><img src={getLogoUrl()} className="brand-logo" alt="" /> HarborForge Setup Wizard</h1>
           <div className="setup-steps">
             {STEPS.map((s, i) => (
               <span key={i} className={`setup-step ${i === step ? 'active' : i < step ? 'done' : ''}`}>
@@ -150,6 +193,9 @@ export default function SetupWizardPage({ initialWizardPort, onComplete }: Props
               <label>Email <input type="email" value={form.admin_email} onChange={(e) => set('admin_email', e.target.value)} placeholder="admin@example.com" /></label>
               <label>Full name <input value={form.admin_full_name} onChange={(e) => set('admin_full_name', e.target.value)} /></label>
             </div>
+            {oidcOnly && (
+              <p className="setup-hint">OIDC-only deployment: this admin will sign in via OIDC; the password is kept only as a fallback identity record.</p>
+            )}
             <div className="setup-nav">
               <button className="btn-back" onClick={() => setStep(0)}>Back</button>
               <button className="btn-primary" onClick={() => {
@@ -161,8 +207,55 @@ export default function SetupWizardPage({ initialWizardPort, onComplete }: Props
           </div>
         )}
 
-        {/* Step 2: Backend */}
+        {/* Step 2: OIDC */}
         {step === 2 && (
+          <div className="setup-step-content">
+            <h2>OIDC {oidcOnly ? '(required)' : '(optional)'}</h2>
+            <p className="text-dim">
+              {oidcOnly
+                ? 'This deployment runs in OIDC-only mode — configure the identity provider now (the admin cannot reach this page again without it).'
+                : 'Optionally configure single sign-on. You can also do this later from the admin OIDC settings page.'}
+            </p>
+            {!oidcOnly && (
+              <label className="filter-check" style={{ marginBottom: 12 }}>
+                <input type="checkbox" checked={form.oidc_enabled} onChange={(e) => set('oidc_enabled', e.target.checked)} />
+                Enable OIDC sign-in
+              </label>
+            )}
+            {(oidcOnly || form.oidc_enabled) && (
+              <div className="setup-form">
+                <label>Issuer (OIDC source) <input value={form.oidc_issuer} onChange={(e) => set('oidc_issuer', e.target.value)} placeholder="https://idp.example.com/realms/hf" /></label>
+                <label>Client ID <input value={form.oidc_client_id} onChange={(e) => set('oidc_client_id', e.target.value)} /></label>
+                <label>Client Secret <input type="password" value={form.oidc_client_secret} onChange={(e) => set('oidc_client_secret', e.target.value)} /></label>
+                <label>Redirect / Callback URL <input value={form.oidc_redirect_uri} onChange={(e) => set('oidc_redirect_uri', e.target.value)} placeholder="https://hf-api.example.com/auth/oidc/callback" /></label>
+                <label>Scopes <input value={form.oidc_scopes} onChange={(e) => set('oidc_scopes', e.target.value)} /></label>
+                <label>Post-login redirect (frontend) <input value={form.oidc_post_login_redirect} onChange={(e) => set('oidc_post_login_redirect', e.target.value)} placeholder="https://hf.example.com/oidc/callback" /></label>
+                <label>Admin role (bootstrap)
+                  <input value={form.oidc_admin_role} onChange={(e) => set('oidc_admin_role', e.target.value)} placeholder="admin" />
+                </label>
+                <p className="setup-hint">Register the Redirect / Callback URL above at your identity provider.</p>
+                {oidcOnly && (
+                  <p className="setup-hint">
+                    OIDC-only: before any admin is linked, the first IdP user whose token carries the
+                    role above auto-connects to the HarborForge admin account. It then disables itself.
+                  </p>
+                )}
+              </div>
+            )}
+            <div className="setup-nav">
+              <button className="btn-back" onClick={() => setStep(1)}>Back</button>
+              <button className="btn-primary" onClick={() => {
+                const e = validateOidc()
+                if (e) { setError(e); return }
+                setError('')
+                setStep(3)
+              }}>Next</button>
+            </div>
+          </div>
+        )}
+
+        {/* Step 3: Backend */}
+        {step === 3 && (
           <div className="setup-step-content">
             <h2>Backend URL</h2>
             <p className="text-dim">Configure the HarborForge backend API URL (leave blank to use the frontend default).</p>
@@ -170,7 +263,7 @@ export default function SetupWizardPage({ initialWizardPort, onComplete }: Props
               <label>Backend Base URL <input value={form.backend_base_url} onChange={(e) => set('backend_base_url', e.target.value)} placeholder="http://backend:8000" /></label>
             </div>
             <div className="setup-nav">
-              <button className="btn-back" onClick={() => setStep(1)}>Back</button>
+              <button className="btn-back" onClick={() => setStep(2)}>Back</button>
               <button className="btn-primary" onClick={saveConfig} disabled={saving}>
                 {saving ? 'Saving...' : 'Finish setup'}
               </button>
@@ -178,8 +271,8 @@ export default function SetupWizardPage({ initialWizardPort, onComplete }: Props
           </div>
         )}
 
-        {/* Step 3: Done */}
+        {/* Step 4: Done */}
-        {step === 3 && (
+        {step === 4 && (
           <div className="setup-step-content">
             <div className="setup-done">
               <h2>✅ Setup complete!</h2>

src/pages/UsersPage.tsx

@@ -1,6 +1,7 @@
 import { useEffect, useMemo, useState } from 'react'
 import api from '@/services/api'
 import { useAuth } from '@/hooks/useAuth'
+import { useAuthConfig } from '@/hooks/useAuthConfig'
 import type { User } from '@/types'
 
 interface RoleOption {
@@ -16,8 +17,13 @@ interface ApiKeyPerms {
 
 export default function UsersPage() {
   const { user } = useAuth()
+  const { config: authCfg } = useAuthConfig()
+  const oidcOnly = authCfg.oidcOnly
+  const oidcEnabled = authCfg.oidcEnabled
   const isAdmin = user?.is_admin === true
 
+  const [bindForm, setBindForm] = useState({ issuer: '', subject: '' })
+
   const [users, setUsers] = useState<User[]>([])
   const [roles, setRoles] = useState<RoleOption[]>([])
   const [loading, setLoading] = useState(true)
@@ -105,17 +111,20 @@ export default function UsersPage() {
   }
 
   const handleCreateUser = async () => {
-    if (!createForm.username.trim() || !createForm.email.trim() || !createForm.password.trim()) return
+    if (!createForm.username.trim() || !createForm.email.trim()) return
+    if (!oidcOnly && !createForm.password.trim()) return
     setSaving(true)
     setMessage('')
     try {
-      const payload = {
+      const payload: Record<string, any> = {
         username: createForm.username.trim(),
         email: createForm.email.trim(),
         full_name: createForm.full_name.trim() || null,
-        password: createForm.password,
         role_id: createForm.role_id ? Number(createForm.role_id) : undefined,
       }
+      if (!oidcOnly) {
+        payload.password = createForm.password
+      }
       const { data } = await api.post<User>('/users', payload)
       const guestRole = roles.find((r) => r.name === 'guest') ?? roles[0]
       setCreateForm({
@@ -201,6 +210,42 @@ export default function UsersPage() {
     }
   }
 
+  const handleBindOidc = async () => {
+    if (!selectedUser) return
+    if (!bindForm.issuer.trim() || !bindForm.subject.trim()) return
+    setSaving(true)
+    setMessage('')
+    try {
+      await api.put(`/users/${selectedUser.id}/oidc-binding`, {
+        issuer: bindForm.issuer.trim(),
+        subject: bindForm.subject.trim(),
+      })
+      setBindForm({ issuer: '', subject: '' })
+      setMessage('OIDC identity bound successfully')
+      await fetchData()
+    } catch (err: any) {
+      setMessage(err.response?.data?.detail || 'Failed to bind OIDC identity')
+    } finally {
+      setSaving(false)
+    }
+  }
+
+  const handleUnbindOidc = async () => {
+    if (!selectedUser) return
+    if (!confirm(`Remove the OIDC binding for ${selectedUser.username}?`)) return
+    setSaving(true)
+    setMessage('')
+    try {
+      await api.delete(`/users/${selectedUser.id}/oidc-binding`)
+      setMessage('OIDC binding removed')
+      await fetchData()
+    } catch (err: any) {
+      setMessage(err.response?.data?.detail || 'Failed to remove OIDC binding')
+    } finally {
+      setSaving(false)
+    }
+  }
+
   if (loading) return <div className="loading">Loading users...</div>
 
   if (!isAdmin) {
@@ -251,10 +296,15 @@ export default function UsersPage() {
               Full Name
               <input value={createForm.full_name} onChange={(e) => setCreateForm({ ...createForm, full_name: e.target.value })} />
             </label>
-            <label>
+            {!oidcOnly && (
-              Password
+              <label>
-              <input type="password" value={createForm.password} onChange={(e) => setCreateForm({ ...createForm, password: e.target.value })} />
+                Password
-            </label>
+                <input type="password" value={createForm.password} onChange={(e) => setCreateForm({ ...createForm, password: e.target.value })} />
+              </label>
+            )}
+            {oidcOnly && (
+              <p className="text-dim">OIDC-only mode: users are created without a password and sign in via a bound OIDC identity.</p>
+            )}
             <label>
               Role
               <select value={createForm.role_id} onChange={(e) => setCreateForm({ ...createForm, role_id: e.target.value })}>
@@ -264,7 +314,7 @@ export default function UsersPage() {
                 ))}
               </select>
             </label>
-            <button className="btn-primary" disabled={saving || !createForm.username.trim() || !createForm.email.trim() || !createForm.password.trim() || !createForm.role_id} onClick={handleCreateUser}>
+            <button className="btn-primary" disabled={saving || !createForm.username.trim() || !createForm.email.trim() || (!oidcOnly && !createForm.password.trim()) || !createForm.role_id} onClick={handleCreateUser}>
               {saving ? 'Saving...' : 'Create User'}
             </button>
           </div>
@@ -326,10 +376,12 @@ export default function UsersPage() {
                   Full Name
                   <input value={editForm.full_name} onChange={(e) => setEditForm({ ...editForm, full_name: e.target.value })} />
                 </label>
-                <label>
+                {!oidcOnly && (
-                  Reset Password
+                  <label>
-                  <input type="password" placeholder="Leave blank to keep current password" value={editForm.password} onChange={(e) => setEditForm({ ...editForm, password: e.target.value })} />
+                    Reset Password
-                </label>
+                    <input type="password" placeholder="Leave blank to keep current password" value={editForm.password} onChange={(e) => setEditForm({ ...editForm, password: e.target.value })} />
+                  </label>
+                )}
 
                 <div style={{ marginTop: '8px', padding: '12px', border: '1px solid var(--border)', borderRadius: '8px' }}>
                   <div style={{ fontWeight: 600, marginBottom: '10px' }}>Role</div>
@@ -381,6 +433,36 @@ export default function UsersPage() {
                     )}
                   </div>
                 )}
+
+                {oidcEnabled && (
+                  <div style={{ marginTop: '8px', padding: '12px', border: '1px solid var(--border)', borderRadius: '8px' }}>
+                    <div style={{ fontWeight: 600, marginBottom: '10px' }}>OIDC Binding</div>
+                    {selectedUser.oidc_subject ? (
+                      <div style={{ marginBottom: 10 }}>
+                        <div className="text-dim" style={{ fontFamily: 'monospace', wordBreak: 'break-all' }}>
+                          issuer: {selectedUser.oidc_issuer || '—'}<br />
+                          subject: {selectedUser.oidc_subject}
+                        </div>
+                        <button className="btn-danger" style={{ marginTop: 10 }} disabled={saving} onClick={handleUnbindOidc}>
+                          Unbind OIDC identity
+                        </button>
+                      </div>
+                    ) : (
+                      <div className="text-dim" style={{ marginBottom: 10 }}>No OIDC identity bound.</div>
+                    )}
+                    <label>
+                      Issuer
+                      <input value={bindForm.issuer} placeholder="https://idp.example.com" onChange={(e) => setBindForm({ ...bindForm, issuer: e.target.value })} />
+                    </label>
+                    <label>
+                      Subject (sub)
+                      <input value={bindForm.subject} placeholder="OIDC subject claim" onChange={(e) => setBindForm({ ...bindForm, subject: e.target.value })} />
+                    </label>
+                    <button className="btn-secondary" style={{ marginTop: 10 }} disabled={saving || !bindForm.issuer.trim() || !bindForm.subject.trim()} onClick={handleBindOidc}>
+                      {selectedUser.oidc_subject ? 'Rebind OIDC identity' : 'Bind OIDC identity'}
+                    </button>
+                  </div>
+                )}
               </div>
             </>
           ) : (

src/runtime.ts

@@ -0,0 +1,23 @@
+// Runtime config injected by the container entrypoint into
+// /runtime-config.js (from the deploy-time HARBORFORGE_OIDC_ONLY env).
+// Available before the backend exists — used by the setup wizard.
+declare global {
+  interface Window {
+    __HF_RUNTIME__?: { oidc_only?: boolean; logo_url?: string }
+  }
+}
+
+/** true/false from the injected runtime config, or null when unknown. */
+export function getRuntimeOidcOnly(): boolean | null {
+  const v = typeof window !== 'undefined' ? window.__HF_RUNTIME__?.oidc_only : undefined
+  return typeof v === 'boolean' ? v : null
+}
+
+/** Brand logo URL: deploy-time override (HARBORFORGE_LOGO_URL) or the
+ *  bundled default at /logo.svg. */
+export function getLogoUrl(): string {
+  const u = typeof window !== 'undefined' ? window.__HF_RUNTIME__?.logo_url : undefined
+  return (typeof u === 'string' && u) ? u : '/logo.svg'
+}
+
+export {}

src/types/index.ts

@@ -7,6 +7,8 @@ export interface User {
   is_active: boolean
   role_id: number | null
   role_name: string | null
+  oidc_issuer?: string | null
+  oidc_subject?: string | null
   created_at: string
 }