Much work.

app/controllers/api/rules_controller.rb

@@ -2,6 +2,10 @@
 
 module Api
   class RulesController < ApplicationController
+    # NOTE: This controller is now SECONDARY/UNUSED for primary agent synchronization
+    # Agents get rule updates via event responses (see Api::EventsController)
+    # These endpoints are kept for administrative/debugging purposes only
+
     skip_before_action :verify_authenticity_token
     before_action :authenticate_project!
     before_action :check_project_enabled

app/controllers/application_controller.rb

@@ -1,4 +1,5 @@
 class ApplicationController < ActionController::Base
+  include Authentication
   # Only allow modern browsers supporting webp images, web push, badges, import maps, CSS nesting, and CSS :has.
   allow_browser versions: :modern
 
@@ -6,4 +7,40 @@ class ApplicationController < ActionController::Base
   stale_when_importmap_changes
 
   include Pagy::Backend
+
+  helper_method :current_user, :user_signed_in?, :current_user_admin?, :current_user_viewer?
+
+  private
+
+  def current_user
+    Current.session&.user
+  end
+
+  def user_signed_in?
+    current_user.present?
+  end
+
+  def current_user_admin?
+    current_user&.admin?
+  end
+
+  def current_user_viewer?
+    current_user&.viewer?
+  end
+
+  def require_admin
+    unless current_user_admin?
+      redirect_to root_path, alert: "Admin access required"
+    end
+  end
+
+  def require_write_access
+    if current_user_viewer?
+      redirect_to root_path, alert: "Viewer access - cannot make changes"
+    end
+  end
+
+  def after_authentication_url
+    session.delete(:return_to_after_authenticating) || root_url
+  end
 end

app/controllers/concerns/authentication.rb

@@ -0,0 +1,52 @@
+module Authentication
+  extend ActiveSupport::Concern
+
+  included do
+    before_action :require_authentication
+    helper_method :authenticated?
+  end
+
+  class_methods do
+    def allow_unauthenticated_access(**options)
+      skip_before_action :require_authentication, **options
+    end
+  end
+
+  private
+    def authenticated?
+      resume_session
+    end
+
+    def require_authentication
+      resume_session || request_authentication
+    end
+
+    def resume_session
+      Current.session ||= find_session_by_cookie
+    end
+
+    def find_session_by_cookie
+      Session.find_by(id: cookies.signed[:session_id]) if cookies.signed[:session_id]
+    end
+
+    def request_authentication
+      session[:return_to_after_authenticating] = request.url
+      redirect_to new_session_path
+    end
+
+    def after_authentication_url
+      session.delete(:return_to_after_authenticating) || root_url
+    end
+
+    def start_new_session_for(user)
+      user.sessions.create!(user_agent: request.user_agent, ip_address: request.remote_ip).tap do |session|
+        Current.session = session
+        cookies.signed.permanent[:session_id] = { value: session.id, httponly: true, same_site: :lax }
+      end
+    end
+
+    def terminate_session
+      Current.session.destroy
+      cookies.delete(:session_id)
+    end
+end

app/controllers/omniauth_callbacks_controller.rb

@@ -0,0 +1,26 @@
+class OmniauthCallbacksController < ApplicationController
+  allow_unauthenticated_access only: [:oidc, :failure]
+
+  def oidc
+    auth_hash = request.env['omniauth.auth']
+
+    user = User.from_oidc(auth_hash)
+
+    if user
+      start_new_session_for(user)
+      redirect_to after_login_path, notice: "Successfully signed in via OIDC"
+    else
+      redirect_to new_session_path, alert: "Failed to sign in via OIDC - email not found"
+    end
+  end
+
+  def failure
+    redirect_to new_session_path, alert: "Authentication failed: #{params[:message]}"
+  end
+
+  private
+
+  def after_login_path
+    session.delete(:return_to_after_authenticating) || root_url
+  end
+end

app/controllers/passwords_controller.rb

@@ -0,0 +1,35 @@
+class PasswordsController < ApplicationController
+  allow_unauthenticated_access
+  before_action :set_user_by_token, only: %i[ edit update ]
+  rate_limit to: 10, within: 3.minutes, only: :create, with: -> { redirect_to new_password_path, alert: "Try again later." }
+
+  def new
+  end
+
+  def create
+    if user = User.find_by(email_address: params[:email_address])
+      PasswordsMailer.reset(user).deliver_later
+    end
+
+    redirect_to new_session_path, notice: "Password reset instructions sent (if user with that email address exists)."
+  end
+
+  def edit
+  end
+
+  def update
+    if @user.update(params.permit(:password, :password_confirmation))
+      @user.sessions.destroy_all
+      redirect_to new_session_path, notice: "Password has been reset."
+    else
+      redirect_to edit_password_path(params[:token]), alert: "Passwords did not match."
+    end
+  end
+
+  private
+    def set_user_by_token
+      @user = User.find_by_password_reset_token!(params[:token])
+    rescue ActiveSupport::MessageVerifier::InvalidSignature
+      redirect_to new_password_path, alert: "Password reset link is invalid or has expired."
+    end
+end

app/controllers/registrations_controller.rb

@@ -0,0 +1,31 @@
+class RegistrationsController < ApplicationController
+  allow_unauthenticated_access only: [:new, :create]
+  before_action :ensure_no_users_exist, only: [:new, :create]
+
+  def new
+    @user = User.new
+  end
+
+  def create
+    @user = User.new(user_params)
+
+    if @user.save
+      start_new_session_for(@user)
+      redirect_to root_path, notice: "Welcome! Your admin account has been created successfully."
+    else
+      render :new, status: :unprocessable_entity
+    end
+  end
+
+  private
+
+  def user_params
+    params.require(:user).permit(:email_address, :password, :password_confirmation)
+  end
+
+  def ensure_no_users_exist
+    if User.exists?
+      redirect_to new_session_path, alert: "Registration is not allowed. Users already exist."
+    end
+  end
+end

app/controllers/sessions_controller.rb

@@ -0,0 +1,32 @@
+class SessionsController < ApplicationController
+  allow_unauthenticated_access only: %i[ new create ]
+  rate_limit to: 10, within: 3.minutes, only: :create, with: -> { redirect_to new_session_path, alert: "Try again later." }
+
+  def new
+    @show_oidc_login = oidc_configured?
+    @oidc_provider_name = ENV['OIDC_PROVIDER_NAME'] || 'OpenID Connect'
+    @show_registration = User.none?
+  end
+
+  def create
+    if user = User.authenticate_by(params.permit(:email_address, :password))
+      start_new_session_for user
+      redirect_to after_authentication_url
+    else
+      redirect_to new_session_path, alert: "Try another email address or password."
+    end
+  end
+
+  def destroy
+    terminate_session
+    redirect_to new_session_path, status: :see_other
+  end
+
+  private
+
+  def oidc_configured?
+    ENV['OIDC_DISCOVERY_URL'].present? &&
+    ENV['OIDC_CLIENT_ID'].present? &&
+    ENV['OIDC_CLIENT_SECRET'].present?
+  end
+end

app/controllers/users_controller.rb

@@ -0,0 +1,32 @@
+class UsersController < ApplicationController
+  before_action :require_admin
+  before_action :set_user, only: [:show, :edit, :update]
+
+  def index
+    @users = User.order(created_at: :desc)
+  end
+
+  def show
+  end
+
+  def edit
+  end
+
+  def update
+    if @user.update(user_params)
+      redirect_to @user, notice: "User was successfully updated."
+    else
+      render :edit, status: :unprocessable_entity
+    end
+  end
+
+  private
+
+  def set_user
+    @user = User.find(params[:id])
+  end
+
+  def user_params
+    params.require(:user).permit(:role)
+  end
+end