add docs to gitignore

front
add internal gorm erros
2026-01-03 15:47:04 +02:00 · 2026-01-03 15:46:06 +02:00 · 2026-01-03 15:45:47 +02:00 · 2026-01-03 15:45:34 +02:00 · 2026-01-03 15:45:23 +02:00 · 2026-01-03 15:44:48 +02:00
124 changed files with 7427 additions and 114 deletions
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1,8 @@
-bin/
+bin/
+config.yaml
+*.sqlite3
+panic.log
+testdata/
+secret/
+data/
+docs/
--- a/11
+++ b/11
@@ -7,6 +7,7 @@ BINARY = ${BIN_DIR}/$(NAME)
 CHECK_LINTER = command -v golangci-lint >/dev/null 2>&1
 CHECK_IMPORTS = command -v goimports >/dev/null 2>&1
 PATH := $(PATH):$(HOME)/go/bin
+VERSION = 0.0.1-dev

 lint-tools:
 	@if ! $(CHECK_LINTER); then \
@@ -19,7 +20,7 @@ imports-tools:
 		go install golang.org/x/tools/cmd/goimports@latest; \
 	fi

-.PHONY: all build run test lint fmt imports
+.PHONY: all swag build run test lint fmt imports

 all: build

@@ -27,7 +28,13 @@ run: build
 	@echo "-- running $(NAME)"
 	@$(BINARY)

-#BUILD_PARAMS = -trimpath
+BUILD_PARAMS = -trimpath -ldflags "-X git.oblat.lv/alex/triggerssmith/internal/vars.Version=$(VERSION)"
+
+build-with-swag: swag build
+
+swag:
+	@echo "-- generating swagger docs"
+	@swag init -g cmd/serve.go

 build:
 	@echo "-- building $(NAME)"
--- a/api/acl_admin/common_models.go
+++ b/api/acl_admin/common_models.go
@@ -0,0 +1,11 @@
+package api_acladmin
+
+type errorInvalidRequestBody struct {
+	Error   string `json:"error" example:"INVALID_REQUEST_BODY"`
+	Details string `json:"details" example:"Request body is not valid JSON"`
+}
+
+type errorInternalServerError struct {
+	Error   string `json:"error"`
+	Details string `json:"details"`
+}
--- a/api/acl_admin/errors.go
+++ b/api/acl_admin/errors.go
@@ -0,0 +1,28 @@
+package api_acladmin
+
+const (
+	ErrorInvalidRequestBody  = "INVALID_REQUEST_BODY"
+	ErrorInternalServerError = "INTERNAL_SERVER_ERROR"
+
+	// Roles
+	ErrorFailedToCreateRole = "FAILED_TO_CREATE_ROLE"
+	ErrorFailedToGetRole    = "FAILED_TO_GET_ROLE"
+	ErrorFailedToUpdateRole = "FAILED_TO_UPDATE_ROLE"
+	ErrorFailedToDeleteRole = "FAILED_TO_DELETE_ROLE"
+
+	ErrorInvalidRoleID = "INVALID_ROLE_ID"
+	ErrorRoleNotFound  = "ROLE_NOT_FOUND"
+
+	// Resources
+	ErrorFailedToCreateResource = "FAILED_TO_CREATE_RESOURCE"
+	ErrorFailedToGetResource    = "FAILED_TO_GET_RESOURCE"
+	ErrorFailedToUpdateResource = "FAILED_TO_UPDATE_RESOURCE"
+	ErrorFailedToDeleteResource = "FAILED_TO_DELETE_RESOURCE"
+
+	ErrorInvalidResourceID = "INVALID_RESOURCE_ID"
+	ErrorResourceNotFound  = "RESOURCE_NOT_FOUND"
+)
+
+const (
+	ErrorACLServiceNotInitialized = "ACL service is not initialized"
+)
--- a/api/acl_admin/handle.go
+++ b/api/acl_admin/handle.go
@@ -0,0 +1,259 @@
+package api_acladmin
+
+import (
+	"git.oblat.lv/alex/triggerssmith/internal/acl"
+	"git.oblat.lv/alex/triggerssmith/internal/auth"
+	"git.oblat.lv/alex/triggerssmith/internal/config"
+
+	//"git.oblat.lv/alex/triggerssmith/internal/server"
+	"github.com/go-chi/chi/v5"
+)
+
+type aclAdminHandler struct {
+	cfg  *config.Config
+	a    *acl.Service
+	auth *auth.Service
+}
+
+func MustRoute(config *config.Config, aclService *acl.Service, authService *auth.Service) func(chi.Router) {
+	if config == nil {
+		panic("config is nil")
+	}
+	if aclService == nil {
+		panic("aclService is nil")
+	}
+	if authService == nil {
+		panic("authService is nil")
+	}
+	h := &aclAdminHandler{
+		cfg:  config,
+		a:    aclService,
+		auth: authService,
+	}
+	// GET    /roles            — список ролей
+	// POST   /roles            — создать роль
+	// GET    /roles/{roleId}   — получить роль
+	// PATCH  /roles/{roleId}   — обновить роль (если нужно)
+	// DELETE /roles/{roleId}   — удалить роль
+
+	// GET    /resources              — список ресурсов
+	// POST   /resources              — создать ресурс
+	// GET    /resources/{resId}      — получить ресурс
+	// PATCH  /resources/{resId}      — обновить ресурс
+	// DELETE /resources/{resId}      — удалить ресурс
+
+	// GET    /users/{userId}/roles           — роли пользователя
+	// POST   /users/{userId}/roles           — назначить роль пользователю
+	// DELETE /users/{userId}/roles/{roleId}  — снять роль
+
+	// GET    /roles/{roleId}/resources           — ресурсы роли
+	// POST   /roles/{roleId}/resources           — назначить ресурс роли
+	// DELETE /roles/{roleId}/resources/{resId}   — убрать ресурс
+	return func(r chi.Router) {
+		// Roles
+		r.Get("/roles", h.getRoles)                                             // list all roles
+		r.Post("/roles", h.createRole)                                          // create a new role
+		r.Get("/roles/{roleId}", h.getRole)                                     // get a role by ID
+		r.Get("/roles/{roleId}/users", h.getRoleUsers)                          // get all assigned users to a role
+		r.Get("/roles/{roleId}/resources", h.getRoleResources)                  // get all resources assigned to a role
+		r.Patch("/roles/{roleId}", h.updateRole)                                // update a role by ID
+		r.Delete("/roles/{roleId}", h.deleteRole)                               // delete a role by ID
+		r.Post("/roles/{roleId}/resources", h.assignResourceToRole)             // assign a resource to a role
+		r.Delete("/roles/{roleId}/resources/{resId}", h.removeResourceFromRole) // remove a resource from a role
+
+		// Resources
+		r.Get("/resources", h.getResources)                   // list all resources
+		r.Post("/resources", h.createResource)                // create a new resource
+		r.Get("/resources/{resourceId}", h.getResource)       // get a resource by ID
+		r.Patch("/resources/{resourceId}", h.updateResource)  // update a resource by ID
+		r.Delete("/resources/{resourceId}", h.deleteResource) // delete a resource by ID
+
+		// Users
+		r.Get("/users/{userId}/roles", h.getUserRoles)                   // get all roles for a user
+		r.Post("/users/{userId}/roles", h.assignRoleToUser)              // assign a role to a user
+		r.Delete("/users/{userId}/roles/{roleId}", h.removeRoleFromUser) // remove a role from a user
+
+		// Users
+		// r.Get("/users/{userId}/roles", h.getUserRoles) // get all roles for a user
+		// r.Post("/users/{userId}/roles", h.assignRoleToUser) // assign a role to a user
+		// r.Delete("/users/{userId}/roles/{roleId}", h.removeRoleFromUser) // remove a role from a user
+
+		// r.Get("/roles", h.getRoles)
+		// r.Post("/create-role", h.createRole)
+		// r.Post("/assign-role", h.assignRoleToUser)
+		// r.Get("/user-roles", h.getUserRoles)
+		// r.Post("/remove-role", h.removeRoleFromUser)
+
+		// r.Get("/resources", h.getResources)
+		// r.Post("/create-resource", h.createResource)
+		// r.Post("/assign-resource", h.assignResourceToRole)
+		// r.Get("/role-resources", h.getRoleResources)
+		// r.Post("/remove-resource", h.removeResourceFromRole)
+
+		// r.Get("/permissions", h.getResources)                   // legacy support
+		// r.Post("/create-permissions", h.createResource)         // legacy support
+		// r.Post("/assign-permissions", h.assignResourceToRole)   // legacy support
+		// r.Get("/role-permissions", h.getRoleResources)          // legacy support
+		// r.Post("/remove-permissions", h.removeResourceFromRole) // legacy support
+	}
+}
+
+// type assignRoleRequest struct {
+// 	UserID int `json:"userId"`
+// 	RoleID int `json:"roleId"`
+// }
+
+// func (h *aclAdminHandler) assignRoleToUser(w http.ResponseWriter, r *http.Request) {
+// 	var req assignRoleRequest
+// 	if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
+// 		http.Error(w, "Invalid request body", http.StatusBadRequest)
+// 		return
+// 	}
+// 	if req.UserID < 0 || req.RoleID < 0 {
+// 		http.Error(w, "Invalid user or role ID", http.StatusBadRequest)
+// 		return
+// 	}
+// 	if err := h.a.AssignRoleToUser(uint(req.RoleID), uint(req.UserID)); err != nil {
+// 		http.Error(w, "Failed to assign role to user", http.StatusConflict)
+// 		return
+// 	}
+// 	w.WriteHeader(http.StatusCreated)
+// }
+
+// type getUserRolesResponse getRolesResponse
+
+// func (h *aclAdminHandler) getUserRoles(w http.ResponseWriter, r *http.Request) {
+// 	uidStr := r.URL.Query().Get("userId")
+// 	if uidStr == "" {
+// 		http.Error(w, "Missing userId parameter", http.StatusBadRequest)
+// 		return
+// 	}
+// 	userID, err := strconv.Atoi(uidStr)
+// 	if err != nil || userID < 0 {
+// 		http.Error(w, "Invalid userId parameter", http.StatusBadRequest)
+// 		return
+// 	}
+// 	roles, err := h.a.GetUserRoles(uint(userID))
+// 	if err != nil {
+// 		http.Error(w, "Internal server error", http.StatusInternalServerError)
+// 		return
+// 	}
+// 	w.Header().Set("Content-Type", "application/json")
+// 	err = json.NewEncoder(w).Encode(func() getUserRolesResponse {
+// 		// Transform acl.Role to getUserRolesResponse
+// 		resp := make(getUserRolesResponse, 0, len(roles))
+// 		for _, role := range roles {
+// 			resp = append(resp, struct {
+// 				ID   uint   `json:"id"`
+// 				Name string `json:"name"`
+// 			}{
+// 				ID:   role.ID,
+// 				Name: role.Name,
+// 			})
+// 		}
+// 		return resp
+// 	}())
+// 	if err != nil {
+// 		http.Error(w, "Failed to encode response", http.StatusInternalServerError)
+// 		return
+// 	}
+// }
+
+// type removeRoleRequest struct {
+// 	UserID int `json:"userId"`
+// 	RoleID int `json:"roleId"`
+// }
+
+// func (h *aclAdminHandler) removeRoleFromUser(w http.ResponseWriter, r *http.Request) {
+// 	var req removeRoleRequest
+// 	if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
+// 		http.Error(w, "Invalid request body", http.StatusBadRequest)
+// 		return
+// 	}
+// 	if req.UserID < 0 || req.RoleID < 0 {
+// 		http.Error(w, "Invalid user or role ID", http.StatusBadRequest)
+// 		return
+// 	}
+// 	if err := h.a.RemoveRoleFromUser(uint(req.RoleID), uint(req.UserID)); err != nil {
+// 		http.Error(w, "Failed to remove role from user", http.StatusConflict)
+// 		return
+// 	}
+// 	w.WriteHeader(http.StatusNoContent)
+// }
+
+// type getResourcesResponse getRolesResponse
+
+// func (h *aclAdminHandler) getResources(w http.ResponseWriter, r *http.Request) {
+// 	resources, err := h.a.GetResources()
+// 	if err != nil {
+// 		http.Error(w, "Internal server error", http.StatusInternalServerError)
+// 		return
+// 	}
+// 	w.Header().Set("Content-Type", "application/json")
+// 	err = json.NewEncoder(w).Encode(func() getResourcesResponse {
+// 		// Transform acl.Resource to getResourcesResponse
+// 		resp := make(getResourcesResponse, 0, len(resources))
+// 		for _, res := range resources {
+// 			resp = append(resp, struct {
+// 				ID   uint   `json:"id"`
+// 				Name string `json:"name"`
+// 			}{
+// 				ID:   res.ID,
+// 				Name: res.Key,
+// 			})
+// 		}
+// 		return resp
+// 	}())
+// 	if err != nil {
+// 		http.Error(w, "Failed to encode response", http.StatusInternalServerError)
+// 		return
+// 	}
+// }
+
+// type createResourceRequest struct {
+// 	Name string `json:"name"`
+// }
+
+// type createResourceResponse struct {
+// 	ID   uint   `json:"id"`
+// 	Name string `json:"name"`
+// }
+
+// func (h *aclAdminHandler) createResource(w http.ResponseWriter, r *http.Request) {
+// 	var req createResourceRequest
+// 	if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
+// 		http.Error(w, "Invalid request body", http.StatusBadRequest)
+// 		return
+// 	}
+// 	if req.Name == "" {
+// 		http.Error(w, "Name is required", http.StatusBadRequest)
+// 		return
+// 	}
+// 	id, err := h.a.CreateResource(req.Name)
+// 	if err != nil {
+// 		http.Error(w, "Failed to create resource", http.StatusConflict)
+// 		return
+// 	}
+// 	w.WriteHeader(http.StatusCreated)
+// 	w.Header().Set("Content-Type", "application/json")
+// 	err = json.NewEncoder(w).Encode(createResourceResponse{
+// 		ID:   id,
+// 		Name: req.Name,
+// 	})
+// 	if err != nil {
+// 		http.Error(w, "Failed to encode response", http.StatusInternalServerError)
+// 		return
+// 	}
+// }
+
+// func (h *aclAdminHandler) assignResourceToRole(w http.ResponseWriter, r *http.Request) {
+// 	server.NotImplemented(w)
+// }
+
+// func (h *aclAdminHandler) getRoleResources(w http.ResponseWriter, r *http.Request) {
+// 	server.NotImplemented(w)
+// }
+
+// func (h *aclAdminHandler) removeResourceFromRole(w http.ResponseWriter, r *http.Request) {
+// 	server.NotImplemented(w)
+// }
--- a/api/acl_admin/resources.go
+++ b/api/acl_admin/resources.go
@@ -0,0 +1,224 @@
+package api_acladmin
+
+import (
+	"encoding/json"
+	"log/slog"
+	"net/http"
+	"strconv"
+
+	"git.oblat.lv/alex/triggerssmith/internal/acl"
+	"git.oblat.lv/alex/triggerssmith/internal/server"
+	"github.com/go-chi/chi/v5"
+)
+
+// @Summary	Get all resources
+// @Tags		acl/resources
+// @Produce	json
+// @Success	200	{object}	getResourcesResponse
+// @Failure	500	{object}	server.ProblemDetails
+// @Router		/api/acl/resources [get]
+func (h *aclAdminHandler) getResources(w http.ResponseWriter, r *http.Request) {
+	w.Header().Set("Content-Type", "application/json")
+
+	resources, err := h.a.GetResources()
+	if err != nil {
+		switch err {
+		case acl.ErrNotInitialized:
+			server.WriteProblem(w, http.StatusInternalServerError, "/errors/internal-server-error", "Internal Server Error", "acl service is not initialized", r)
+		default:
+			slog.Error("unexpected server error", "error", err.Error())
+			server.WriteProblem(w, http.StatusInternalServerError, "/errors/internal-server-error", "Internal Server Error", "unexpected error", r)
+		}
+		return
+	}
+
+	type R struct {
+		ID  uint   `json:"id" example:"1"`
+		Key string `json:"key" example:"html.view"`
+	}
+
+	resp := make([]R, 0, len(resources))
+	for _, res := range resources {
+		resp = append(resp, R{ID: res.ID, Key: res.Key})
+	}
+
+	_ = json.NewEncoder(w).Encode(resp)
+}
+
+// @Summary	Get resource by ID
+// @Tags		acl/resources
+// @Produce	json
+// @Param		resourceId	path		int	true	"Resource ID"	example(1)
+// @Success	200			{object}	getResourceResponse
+// @Failure	400			{object}	server.ProblemDetails
+// @Failure	404			{object}	server.ProblemDetails
+// @Failure	500			{object}	server.ProblemDetails
+// @Router		/api/acl/resources/{resourceId} [get]
+func (h *aclAdminHandler) getResource(w http.ResponseWriter, r *http.Request) {
+	w.Header().Set("Content-Type", "application/json")
+
+	resourceIDStr := chi.URLParam(r, "resourceId")
+	resourceID, err := strconv.Atoi(resourceIDStr)
+	if err != nil || resourceID < 0 {
+		server.WriteProblem(w, http.StatusBadRequest, "/errors/acl/invalid-resource-id", "Invalid resource ID", "Resource ID must be positive integer", r)
+		return
+	}
+
+	resource, err := h.a.GetResourceByID(uint(resourceID))
+	if err != nil {
+		switch err {
+		case acl.ErrNotInitialized:
+			server.WriteProblem(w, http.StatusInternalServerError, "/errors/internal-server-error", "Internal Server Error", "acl service is not initialized", r)
+		case acl.ErrResourceNotFound:
+			server.WriteProblem(w, http.StatusNotFound, "/errors/acl/resource-not-found", "Resource not found", "No resource with ID "+resourceIDStr, r)
+		default:
+			slog.Error("unexpected server error", "error", err.Error())
+			server.WriteProblem(w, http.StatusInternalServerError, "/errors/internal-server-error", "Internal Server Error", "unexpected error", r)
+		}
+		return
+	}
+
+	_ = json.NewEncoder(w).Encode(getResourceResponse{
+		ID:  resource.ID,
+		Key: resource.Key,
+	})
+}
+
+// @Summary	Create resource
+// @Tags		acl/resources
+// @Accept		json
+// @Produce	json
+// @Param		request	body		createResourceRequest	true	"Resource"
+// @Success	201		{object}	createResourceResponse
+// @Failure	400		{object}	server.ProblemDetails
+// @Failure	409		{object}	server.ProblemDetails
+// @Failure	500		{object}	server.ProblemDetails
+// @Router		/api/acl/resources [post]
+func (h *aclAdminHandler) createResource(w http.ResponseWriter, r *http.Request) {
+	w.Header().Set("Content-Type", "application/json")
+
+	var req createResourceRequest
+	if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
+		server.WriteProblem(w, http.StatusBadRequest, "/errors/invalid-request-body", "Invalid request body", "Body is not valid JSON", r)
+		return
+	}
+
+	resourceID, err := h.a.CreateResource(req.Key)
+	if err != nil {
+		slog.Error("Failed to create resource", "error", err)
+
+		switch err {
+		case acl.ErrNotInitialized:
+			server.WriteProblem(w, http.StatusInternalServerError, "/errors/internal-server-error", "Internal Server Error", "acl service is not initialized", r)
+		case acl.ErrInvalidResourceKey:
+			server.WriteProblem(w, http.StatusBadRequest, "/errors/acl/invalid-resource-key", "Invalid resource key", "Resource key must be non-empty", r)
+		case acl.ErrResourceAlreadyExists:
+			server.WriteProblem(w, http.StatusConflict, "/errors/acl/resource-already-exists", "Resource already exists", "Resource '"+req.Key+"' already exists", r)
+		default:
+			slog.Error("unexpected server error", "error", err.Error())
+			server.WriteProblem(w, http.StatusInternalServerError, "/errors/internal-server-error", "Internal Server Error", "unexpected error", r)
+		}
+		return
+	}
+
+	w.WriteHeader(http.StatusCreated)
+	_ = json.NewEncoder(w).Encode(createResourceResponse{
+		ID:  resourceID,
+		Key: req.Key,
+	})
+}
+
+// @Summary	Update resource
+// @Tags		acl/resources
+// @Accept		json
+// @Produce	json
+// @Param		resourceId	path		int						true	"Resource ID"	example(1)
+// @Param		request		body		updateResourceRequest	true	"Resource"
+// @Success	200			{object}	updateResourceResponse
+// @Failure	400			{object}	server.ProblemDetails
+// @Failure	404			{object}	server.ProblemDetails
+// @Failure	409			{object}	server.ProblemDetails
+// @Failure	500			{object}	server.ProblemDetails
+// @Router		/api/acl/resources/{resourceId} [patch]
+func (h *aclAdminHandler) updateResource(w http.ResponseWriter, r *http.Request) {
+	w.Header().Set("Content-Type", "application/json")
+
+	var req updateResourceRequest
+	if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
+		server.WriteProblem(w, http.StatusBadRequest, "/errors/invalid-request-body", "Invalid request body", "Body is not valid JSON", r)
+		return
+	}
+
+	resourceIDStr := chi.URLParam(r, "resourceId")
+	resourceID, err := strconv.Atoi(resourceIDStr)
+	if err != nil || resourceID < 0 {
+		server.WriteProblem(w, http.StatusBadRequest, "/errors/acl/invalid-resource-id", "Invalid resource ID", "Resource ID must be positive integer", r)
+		return
+	}
+
+	err = h.a.UpdateResource(uint(resourceID), req.Key)
+	if err != nil {
+		slog.Error("Failed to update resource", "error", err)
+
+		switch err {
+		case acl.ErrNotInitialized:
+			server.WriteProblem(w, http.StatusInternalServerError, "/errors/internal-server-error", "Internal Server Error", "acl service is not initialized", r)
+		case acl.ErrInvalidResourceKey:
+			server.WriteProblem(w, http.StatusBadRequest, "/errors/acl/invalid-resource-key", "Invalid resource key", "Resource key must be non-empty", r)
+		case acl.ErrResourceNotFound:
+			server.WriteProblem(w, http.StatusNotFound, "/errors/acl/resource-not-found", "Resource not found", "No resource with ID "+resourceIDStr, r)
+		case acl.ErrSameResourceKey:
+			server.WriteProblem(w, http.StatusConflict, "/errors/acl/resource-key-already-exists", "Resource key already exists", "Resource key '"+req.Key+"' already exists", r)
+		default:
+			slog.Error("unexpected server error", "error", err.Error())
+			server.WriteProblem(w, http.StatusInternalServerError, "/errors/internal-server-error", "Internal Server Error", "unexpected error", r)
+		}
+		return
+	}
+
+	_ = json.NewEncoder(w).Encode(updateResourceResponse{
+		ID:  uint(resourceID),
+		Key: req.Key,
+	})
+}
+
+// @Summary	Delete resource
+// @Tags		acl/resources
+// @Produce	json
+// @Param		resourceId	path	int	true	"Resource ID"	example(1)
+// @Success	200
+// @Failure	400	{object}	server.ProblemDetails
+// @Failure	404	{object}	server.ProblemDetails
+// @Failure	409	{object}	server.ProblemDetails
+// @Failure	500	{object}	server.ProblemDetails
+// @Router		/api/acl/resources/{resourceId} [delete]
+func (h *aclAdminHandler) deleteResource(w http.ResponseWriter, r *http.Request) {
+	w.Header().Set("Content-Type", "application/json")
+
+	resourceIDStr := chi.URLParam(r, "resourceId")
+	resourceID, err := strconv.Atoi(resourceIDStr)
+	if err != nil || resourceID < 0 {
+		server.WriteProblem(w, http.StatusBadRequest, "/errors/acl/invalid-resource-id", "Invalid resource ID", "Resource ID must be positive integer", r)
+		return
+	}
+
+	err = h.a.DeleteResource(uint(resourceID))
+	if err != nil {
+		slog.Error("Failed to delete resource", "error", err)
+
+		switch err {
+		case acl.ErrNotInitialized:
+			server.WriteProblem(w, http.StatusInternalServerError, "/errors/internal-server-error", "Internal Server Error", "acl service is not initialized", r)
+		case acl.ErrResourceNotFound:
+			server.WriteProblem(w, http.StatusNotFound, "/errors/acl/resource-not-found", "Resource not found", "No resource with ID "+resourceIDStr, r)
+		case acl.ErrResourceInUse:
+			server.WriteProblem(w, http.StatusConflict, "/errors/acl/resource-in-use", "Resource in use", "Resource "+resourceIDStr+" is in use", r)
+		default:
+			slog.Error("unexpected server error", "error", err.Error())
+			server.WriteProblem(w, http.StatusInternalServerError, "/errors/internal-server-error", "Internal Server Error", "unexpected error", r)
+		}
+		return
+	}
+
+	w.WriteHeader(http.StatusOK)
+}
--- a/api/acl_admin/resources_models.go
+++ b/api/acl_admin/resources_models.go
@@ -0,0 +1,39 @@
+package api_acladmin
+
+/*******************************************************************/
+// used in getResources()
+type getResourcesResponse []struct {
+	ID  uint   `json:"id" example:"1"`
+	Key string `json:"key" example:"html.view"`
+}
+
+var _ getResourcesResponse // for documentation
+
+/*******************************************************************/
+// used in getResource()
+type getResourceResponse struct {
+	ID  uint   `json:"id" example:"1"`
+	Key string `json:"key" example:"html.view"`
+}
+
+/*******************************************************************/
+// used in createResource()
+type createResourceRequest struct {
+	Key string `json:"key" example:"html.view"`
+}
+
+type createResourceResponse struct {
+	ID  uint   `json:"id" example:"1"`
+	Key string `json:"key" example:"html.view"`
+}
+
+/*******************************************************************/
+// used in updateResource()
+type updateResourceRequest struct {
+	Key string `json:"key" example:"html.view"`
+}
+
+type updateResourceResponse struct {
+	ID  uint   `json:"id" example:"1"`
+	Key string `json:"key" example:"html.view"`
+}
--- a/api/acl_admin/roles.go
+++ b/api/acl_admin/roles.go
@@ -0,0 +1,391 @@
+package api_acladmin
+
+import (
+	"encoding/json"
+	"log/slog"
+	"net/http"
+	"strconv"
+
+	"git.oblat.lv/alex/triggerssmith/internal/acl"
+	"git.oblat.lv/alex/triggerssmith/internal/server"
+	"github.com/go-chi/chi/v5"
+)
+
+// @Summary	Get all roles
+// @Tags		acl/roles
+// @Produce	json
+// @Success	200	{array}		getRolesResponse
+// @Failure	500	{object}	server.ProblemDetails
+// @Router		/api/acl/roles [get]
+func (h *aclAdminHandler) getRoles(w http.ResponseWriter, r *http.Request) {
+	w.Header().Set("Content-Type", "application/json")
+	roles, err := h.a.GetRoles()
+	if err != nil {
+		switch err {
+		case acl.ErrNotInitialized:
+			server.WriteProblem(w, http.StatusInternalServerError, "/errors/internal-server-error", "Internal Server Error", "ACL service is not initialized", r)
+		default:
+			slog.Error("unexpected server error", "error", err.Error())
+			server.WriteProblem(w, http.StatusInternalServerError, "/errors/internal-server-error", "Internal Server Error", "unexpected error", r)
+		}
+		return
+	}
+
+	type R struct {
+		ID   uint   `json:"id" example:"1"`
+		Name string `json:"name" example:"admin"`
+	}
+
+	resp := make([]R, 0, len(roles))
+	for _, role := range roles {
+		resp = append(resp, R{ID: role.ID, Name: role.Name})
+	}
+
+	_ = json.NewEncoder(w).Encode(resp)
+}
+
+// @Summary	Get role by ID
+// @Tags		acl/roles
+// @Produce	json
+// @Param		roleId	path		int	true	"Role ID"	example(1)
+// @Success	200		{object}	getRoleResponse
+// @Failure	400		{object}	server.ProblemDetails
+// @Failure	404		{object}	server.ProblemDetails
+// @Failure	500		{object}	server.ProblemDetails
+// @Router		/api/acl/roles/{roleId} [get]
+func (h *aclAdminHandler) getRole(w http.ResponseWriter, r *http.Request) {
+	w.Header().Set("Content-Type", "application/json")
+	roleIDStr := chi.URLParam(r, "roleId")
+	roleID, err := strconv.Atoi(roleIDStr)
+	if err != nil || roleID < 0 {
+		server.WriteProblem(w, http.StatusBadRequest, "/errors/acl/invalid-role-id", "Invalid role ID", "Role ID must be positive integer", r)
+		return
+	}
+
+	role, err := h.a.GetRoleByID(uint(roleID))
+	if err != nil {
+		switch err {
+		case acl.ErrNotInitialized:
+			server.WriteProblem(w, http.StatusInternalServerError, "/errors/internal-server-error", "Internal Server Error", "ACL service is not initialized", r)
+		case acl.ErrRoleNotFound:
+			server.WriteProblem(w, http.StatusNotFound, "/errors/acl/role-not-found", "Role not found", "No role with ID "+roleIDStr, r)
+		default:
+			slog.Error("unexpected server error", "error", err.Error())
+			server.WriteProblem(w, http.StatusInternalServerError, "/errors/internal-server-error", "Internal Server Error", "unexpected error", r)
+		}
+		return
+	}
+
+	_ = json.NewEncoder(w).Encode(getRoleResponse{
+		ID:   role.ID,
+		Name: role.Name,
+	})
+}
+
+// @Summary	Get role users
+// @Tags		acl/roles
+// @Produce	json
+// @Param		roleId	path		int	true	"Role ID"	example(1)
+// @Success	200		{array}		getRoleUsersResponse
+// @Failure	400		{object}	server.ProblemDetails
+// @Failure	404		{object}	server.ProblemDetails
+// @Failure	500		{object}	server.ProblemDetails
+// @Router		/api/acl/roles/{roleId}/users [get]
+func (h *aclAdminHandler) getRoleUsers(w http.ResponseWriter, r *http.Request) {
+	w.Header().Set("Content-Type", "application/json")
+	roleIDStr := chi.URLParam(r, "roleId")
+	roleID, err := strconv.Atoi(roleIDStr)
+	if err != nil || roleID < 0 {
+		server.WriteProblem(w, http.StatusBadRequest, "/errors/acl/invalid-role-id", "Invalid role ID", "Role ID must be positive integer", r)
+		return
+	}
+
+	role, err := h.a.GetRoleByID(uint(roleID))
+	if err != nil {
+		switch err {
+		case acl.ErrNotInitialized:
+			server.WriteProblem(w, http.StatusInternalServerError, "/errors/internal-server-error", "Internal Server Error", "ACL service is not initialized", r)
+		case acl.ErrRoleNotFound:
+			server.WriteProblem(w, http.StatusNotFound, "/errors/acl/role-not-found", "Role not found", "No role with ID "+roleIDStr, r)
+		default:
+			slog.Error("unexpected server error", "error", err.Error())
+			server.WriteProblem(w, http.StatusInternalServerError, "/errors/internal-server-error", "Internal Server Error", "unexpected error", r)
+		}
+		return
+	}
+	if len(role.Users) == 0 {
+		server.WriteProblem(w, http.StatusNotFound, "/errors/acl/role-has-no-users", "Role has no users", "Role has no users", r)
+		return
+	}
+	var respUsers getRoleUsersResponse
+	for _, user := range role.Users {
+		respUsers = append(respUsers, getRoleUser{
+			ID:    user.ID,
+			Name:  user.Username,
+			Email: user.Email,
+		})
+	}
+	_ = json.NewEncoder(w).Encode(respUsers)
+}
+
+// @Summary	Get role resources
+// @Tags		acl/roles
+// @Produce	json
+// @Param		roleId	path		int	true	"Role ID"	example(1)
+// @Success	200		{array}		getRoleResourcesResponse
+// @Failure	400		{object}	server.ProblemDetails
+// @Failure	404		{object}	server.ProblemDetails
+// @Failure	500		{object}	server.ProblemDetails
+// @Router		/api/acl/roles/{roleId}/resources [get]
+func (h *aclAdminHandler) getRoleResources(w http.ResponseWriter, r *http.Request) {
+	w.Header().Set("Content-Type", "application/json")
+	roleIDStr := chi.URLParam(r, "roleId")
+	roleID, err := strconv.Atoi(roleIDStr)
+	if err != nil || roleID < 0 {
+		server.WriteProblem(w, http.StatusBadRequest, "/errors/acl/invalid-role-id", "Invalid role ID", "Role ID must be positive integer", r)
+		return
+	}
+	role, err := h.a.GetRoleByID(uint(roleID))
+	if err != nil {
+		switch err {
+		case acl.ErrNotInitialized:
+			server.WriteProblem(w, http.StatusInternalServerError, "/errors/internal-server-error", "Internal Server Error", "ACL service is not initialized", r)
+		case acl.ErrRoleNotFound:
+			server.WriteProblem(w, http.StatusNotFound, "/errors/acl/role-not-found", "Role not found", "No role with ID "+roleIDStr, r)
+		default:
+			slog.Error("unexpected server error", "error", err.Error())
+			server.WriteProblem(w, http.StatusInternalServerError, "/errors/internal-server-error", "Internal Server Error", "unexpected error", r)
+		}
+		return
+	}
+	if len(role.Resources) == 0 {
+		server.WriteProblem(w, http.StatusNotFound, "/errors/acl/role-has-no-users", "Role has no users", "Role has no users", r)
+		return
+	}
+	var respResources getRoleResourcesResponse
+	for _, user := range role.Resources {
+		respResources = append(respResources, getRoleResource{
+			ID:   user.ID,
+			Name: user.Key,
+		})
+	}
+	_ = json.NewEncoder(w).Encode(respResources)
+}
+
+// @Summary	Create role
+// @Tags		acl/roles
+// @Accept		json
+// @Produce	json
+// @Param		request	body		createRoleRequest	true	"Role"
+// @Success	201		{object}	createRoleResponse
+// @Failure	400		{object}	server.ProblemDetails
+// @Failure	409		{object}	server.ProblemDetails
+// @Failure	500		{object}	server.ProblemDetails
+// @Router		/api/acl/roles [post]
+func (h *aclAdminHandler) createRole(w http.ResponseWriter, r *http.Request) {
+	w.Header().Set("Content-Type", "application/json")
+
+	var req createRoleRequest
+	if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
+		server.WriteProblem(w, http.StatusBadRequest, "/errors/invalid-request-body", "Invalid request body", "Body is not valid JSON", r)
+		return
+	}
+
+	roleID, err := h.a.CreateRole(req.Name)
+	if err != nil {
+		slog.Error("Failed to create role", "error", err.Error())
+		switch err {
+		case acl.ErrNotInitialized:
+			server.WriteProblem(w, http.StatusInternalServerError, "/errors/internal-server-error", "Internal Server Error", "ACL service is not initialized", r)
+		case acl.ErrInvalidRoleName:
+			server.WriteProblem(w, http.StatusBadRequest, "/errors/acl/invalid-role-name", "Invalid role name", "Role name must be non-empty", r)
+		case acl.ErrRoleAlreadyExists:
+			server.WriteProblem(w, http.StatusConflict, "/errors/acl/role-already-exists", "Role already exists", "Role '"+req.Name+"' already exists", r)
+		default:
+			server.WriteProblem(w, http.StatusInternalServerError, "/errors/internal-server-error", "Internal Server Error", "unexpected error", r)
+		}
+		return
+	}
+
+	w.WriteHeader(http.StatusCreated)
+	_ = json.NewEncoder(w).Encode(createRoleResponse{
+		ID:   roleID,
+		Name: req.Name,
+	})
+}
+
+// @Summary	Update role
+// @Tags		acl/roles
+// @Accept		json
+// @Produce	json
+// @Param		roleId	path		int					true	"Role ID"	example(1)
+// @Param		request	body		updateRoleRequest	true	"Role"
+// @Success	200		{object}	updateRoleResponse
+// @Failure	400		{object}	server.ProblemDetails
+// @Failure	404		{object}	server.ProblemDetails
+// @Failure	409		{object}	server.ProblemDetails
+// @Failure	500		{object}	server.ProblemDetails
+// @Router		/api/acl/roles/{roleId} [patch]
+func (h *aclAdminHandler) updateRole(w http.ResponseWriter, r *http.Request) {
+	w.Header().Set("Content-Type", "application/json")
+
+	var req updateRoleRequest
+	if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
+		server.WriteProblem(w, http.StatusBadRequest, "/errors/invalid-request-body", "Invalid request body", "Body is not valid JSON", r)
+		return
+	}
+
+	roleIDStr := chi.URLParam(r, "roleId")
+	roleID, err := strconv.Atoi(roleIDStr)
+	if err != nil || roleID < 0 {
+		server.WriteProblem(w, http.StatusBadRequest, "/errors/acl/invalid-role-id", "Invalid role ID", "Role ID must be positive integer", r)
+		return
+	}
+
+	err = h.a.UpdateRole(uint(roleID), req.Name)
+	if err != nil {
+		slog.Error("Failed to update role", "error", err.Error())
+		switch err {
+		case acl.ErrNotInitialized:
+			server.WriteProblem(w, http.StatusInternalServerError, "/errors/internal-server-error", "Internal Server Error", "ACL service is not initialized", r)
+		case acl.ErrInvalidRoleName:
+			server.WriteProblem(w, http.StatusBadRequest, "/errors/acl/invalid-role-name", "Invalid role name", "Role name must be non-empty", r)
+		case acl.ErrRoleNotFound:
+			server.WriteProblem(w, http.StatusNotFound, "/errors/acl/role-not-found", "Role not found", "No role with ID "+roleIDStr, r)
+		case acl.ErrSameRoleName:
+			server.WriteProblem(w, http.StatusConflict, "/errors/acl/role-name-already-exists", "Role name already exists", "Role '"+req.Name+"' already exists", r)
+		default:
+			server.WriteProblem(w, http.StatusInternalServerError, "/errors/internal-server-error", "Internal Server Error", "unexpected error", r)
+		}
+		return
+	}
+
+	_ = json.NewEncoder(w).Encode(updateRoleResponse{
+		ID:   uint(roleID),
+		Name: req.Name,
+	})
+}
+
+// @Summary	Delete role
+// @Tags		acl/roles
+// @Produce	json
+// @Param		roleId	path	int	true	"Role ID"	example(1)
+// @Success	204
+// @Failure	400	{object}	server.ProblemDetails
+// @Failure	404	{object}	server.ProblemDetails
+// @Failure	409	{object}	server.ProblemDetails
+// @Failure	500	{object}	server.ProblemDetails
+// @Router		/api/acl/roles/{roleId} [delete]
+func (h *aclAdminHandler) deleteRole(w http.ResponseWriter, r *http.Request) {
+	w.Header().Set("Content-Type", "application/json")
+	roleIDStr := chi.URLParam(r, "roleId")
+	roleID, err := strconv.Atoi(roleIDStr)
+	if err != nil || roleID < 0 {
+		server.WriteProblem(w, http.StatusBadRequest, "/errors/acl/invalid-role-id", "Invalid role ID", "Role ID must be positive integer", r)
+		return
+	}
+
+	err = h.a.DeleteRole(uint(roleID))
+	if err != nil {
+		slog.Error("Failed to delete role", "error", err.Error())
+		switch err {
+		case acl.ErrNotInitialized:
+			server.WriteProblem(w, http.StatusInternalServerError, "/errors/internal-server-error", "Internal Server Error", "ACL service is not initialized", r)
+		case acl.ErrRoleNotFound:
+			server.WriteProblem(w, http.StatusNotFound, "/errors/acl/role-not-found", "Role not found", "No role with ID "+roleIDStr, r)
+		case acl.ErrRoleInUse:
+			server.WriteProblem(w, http.StatusConflict, "/errors/acl/role-in-use", "Role in use", "Role "+roleIDStr+" is assigned to at least one user and cannot be deleted", r)
+		default:
+			server.WriteProblem(w, http.StatusInternalServerError, "/errors/internal-server-error", "Internal Server Error", "unexpected error", r)
+		}
+		return
+	}
+
+	w.WriteHeader(http.StatusNoContent)
+}
+
+// @Summary	Assign resource to role
+// @Tags		acl/roles
+// @Produce	json
+// @Param		roleId	path	int							true	"Role ID"	example(1)
+// @Param		request	body	assignResourceToRoleRequest	true	"Resource"
+// @Success	201
+// @Failure	400	{object}	server.ProblemDetails
+// @Failure	404	{object}	server.ProblemDetails
+// @Failure	409	{object}	server.ProblemDetails
+// @Failure	500	{object}	server.ProblemDetails
+// @Router		/api/acl/roles/{roleId}/resources [post]
+func (h *aclAdminHandler) assignResourceToRole(w http.ResponseWriter, r *http.Request) {
+	w.Header().Set("Content-Type", "application/json")
+	roleIDStr := chi.URLParam(r, "roleId")
+	roleID, err := strconv.Atoi(roleIDStr)
+	if err != nil || roleID < 0 {
+		server.WriteProblem(w, http.StatusBadRequest, "/errors/acl/invalid-role-id", "Invalid role ID", "Role ID must be positive integer", r)
+		return
+	}
+	var req assignResourceToRoleRequest
+	if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
+		server.WriteProblem(w, http.StatusBadRequest, "/errors/acl/invalid-request-body", "Invalid request body", "Invalid JSON body", r)
+		return
+	}
+	if err := h.a.AssignResourceToRole(uint(roleID), req.ResourceID); err != nil {
+		slog.Error("Failed to assign resource to role", "error", err.Error())
+		switch err {
+		case acl.ErrNotInitialized:
+			server.WriteProblem(w, http.StatusInternalServerError, "/errors/internal-server-error", "Internal Server Error", "ACL service is not initialized", r)
+		case acl.ErrRoleNotFound:
+			server.WriteProblem(w, http.StatusNotFound, "/errors/acl/role-not-found", "Role not found", "No role with ID "+roleIDStr, r)
+		case acl.ErrResourceNotFound:
+			server.WriteProblem(w, http.StatusNotFound, "/errors/acl/resource-not-found", "Resource not found", "No resource with ID "+strconv.Itoa(int(req.ResourceID)), r)
+		case acl.ErrResourceAlreadyAssigned:
+			server.WriteProblem(w, http.StatusConflict, "/errors/acl/resource-already-assigned", "Resource already assigned", "Resource with ID "+strconv.Itoa(int(req.ResourceID))+" is already assigned to role with ID "+roleIDStr, r)
+		default:
+			server.WriteProblem(w, http.StatusInternalServerError, "/errors/internal-server-error", "Internal Server Error", "unexpected error", r)
+		}
+		return
+	}
+	w.WriteHeader(http.StatusCreated)
+}
+
+// @Summary	Remove resource from role
+// @Tags		acl/roles
+// @Produce	json
+// @Param		roleId	path	int	true	"Role ID"		example(1)
+// @Param		resId	path	int	true	"Resource ID"	example(1)
+// @Success	204
+// @Failure	400	{object}	server.ProblemDetails
+// @Failure	404	{object}	server.ProblemDetails
+// @Failure	500	{object}	server.ProblemDetails
+// @Router		/api/acl/roles/{roleId}/resources/{resId} [delete]
+func (h *aclAdminHandler) removeResourceFromRole(w http.ResponseWriter, r *http.Request) {
+	w.Header().Set("Content-Type", "application/json")
+	roleIDStr := chi.URLParam(r, "roleId")
+	roleID, err := strconv.Atoi(roleIDStr)
+	if err != nil || roleID < 0 {
+		server.WriteProblem(w, http.StatusBadRequest, "/errors/acl/invalid-role-id", "Invalid role ID", "Role ID must be positive integer", r)
+		return
+	}
+	resourceIDStr := chi.URLParam(r, "resId")
+	resourceID, err := strconv.Atoi(resourceIDStr)
+	if err != nil || resourceID < 0 {
+		server.WriteProblem(w, http.StatusBadRequest, "/errors/acl/invalid-resource-id", "Invalid resource ID", "Resource ID must be positive integer", r)
+		return
+	}
+	if err := h.a.RemoveResourceFromRole(uint(roleID), uint(resourceID)); err != nil {
+		slog.Error("Failed to remove resource from role", "error", err.Error())
+		switch err {
+		case acl.ErrNotInitialized:
+			server.WriteProblem(w, http.StatusInternalServerError, "/errors/internal-server-error", "Internal Server Error", "ACL service is not initialized", r)
+		case acl.ErrRoleNotFound:
+			server.WriteProblem(w, http.StatusNotFound, "/errors/acl/role-not-found", "Role not found", "No role with ID "+roleIDStr, r)
+		case acl.ErrResourceNotFound:
+			server.WriteProblem(w, http.StatusNotFound, "/errors/acl/resource-not-found", "Resource not found", "No resource with ID "+strconv.Itoa(int(resourceID)), r)
+		case acl.ErrRoleResourceNotFound:
+			server.WriteProblem(w, http.StatusNotFound, "/errors/acl/role-resource-not-found", "Role resource not found", "No role-resource pair with role ID "+roleIDStr+" and resource ID "+strconv.Itoa(int(resourceID)), r)
+		default:
+			server.WriteProblem(w, http.StatusInternalServerError, "/errors/internal-server-error", "Internal Server Error", "unexpected error", r)
+		}
+		return
+	}
+	w.WriteHeader(http.StatusNoContent)
+}
--- a/api/acl_admin/roles_models.go
+++ b/api/acl_admin/roles_models.go
@@ -0,0 +1,62 @@
+package api_acladmin
+
+/*******************************************************************/
+// used in getRoles()
+type getRolesResponse []struct {
+	ID   uint   `json:"id" example:"1"`
+	Name string `json:"name" example:"admin"`
+}
+
+var _ getRolesResponse
+
+/*******************************************************************/
+// used in getRole()
+type getRoleResponse struct {
+	ID   uint   `json:"id" example:"1"`
+	Name string `json:"name" example:"admin"`
+}
+
+/*******************************************************************/
+// used in getRoleUsers()
+type getRoleUser struct {
+	ID    uint   `json:"id" example:"1"`
+	Name  string `json:"username" example:"admin"`
+	Email string `json:"email" example:"admin@triggerssmith.com"`
+}
+type getRoleUsersResponse []getRoleUser
+
+/*******************************************************************/
+// used in getRoleResources()
+type getRoleResource struct {
+	ID   uint   `json:"id" example:"1"`
+	Name string `json:"name" example:"*"`
+}
+type getRoleResourcesResponse []getRoleResource
+
+/*******************************************************************/
+// used in createRole()
+type createRoleRequest struct {
+	Name string `json:"name" example:"admin"`
+}
+
+type createRoleResponse struct {
+	ID   uint   `json:"id" example:"1"`
+	Name string `json:"name" example:"admin"`
+}
+
+/*******************************************************************/
+// used in updateRole()
+type updateRoleRequest struct {
+	Name string `json:"name" example:"admin"`
+}
+
+type updateRoleResponse struct {
+	ID   uint   `json:"id" example:"1"`
+	Name string `json:"name" example:"admin"`
+}
+
+/*******************************************************************/
+// used in assignResourceToRole()
+type assignResourceToRoleRequest struct {
+	ResourceID uint `json:"resourceId" example:"1"`
+}
--- a/api/acl_admin/users.go
+++ b/api/acl_admin/users.go
@@ -0,0 +1,137 @@
+package api_acladmin
+
+import (
+	"encoding/json"
+	"log/slog"
+	"net/http"
+	"strconv"
+
+	"git.oblat.lv/alex/triggerssmith/internal/acl"
+	"git.oblat.lv/alex/triggerssmith/internal/server"
+	"github.com/go-chi/chi/v5"
+)
+
+// @Summary	Get user roles by user ID
+// @Tags		acl/users
+// @Produce	json
+// @Param		userId	path		int	true	"User ID"	example(1)
+// @Success	200		{object}	getUserRolesResponse
+// @Failure	400		{object}	server.ProblemDetails
+// @Failure	404		{object}	server.ProblemDetails
+// @Failure	500		{object}	server.ProblemDetails
+// @Router		/api/acl/users/{userId}/roles [get]
+func (h *aclAdminHandler) getUserRoles(w http.ResponseWriter, r *http.Request) {
+	w.Header().Set("Content-Type", "application/json")
+	userIDStr := chi.URLParam(r, "userId")
+	userID, err := strconv.Atoi(userIDStr)
+	if err != nil {
+		server.WriteProblem(w, http.StatusBadRequest, "/errors/acl/invalid-user-id", "Invalid user ID", "User ID must be positive integer", r)
+		return
+	}
+	roles, err := h.a.GetUserRoles(uint(userID))
+	if err != nil {
+		switch err {
+		case acl.ErrNotInitialized:
+			server.WriteProblem(w, http.StatusInternalServerError, "/errors/internal-server-error", "Internal Server Error", "ACL service is not initialized", r)
+		case acl.ErrUserNotFound:
+			server.WriteProblem(w, http.StatusNotFound, "/errors/acl/user-not-found", "User not found", "User not found", r)
+		case acl.ErrRoleNotFound:
+			server.WriteProblem(w, http.StatusNotFound, "/errors/acl/no-role-found", "No role found", "No role found for user "+strconv.Itoa(userID), r)
+		default:
+			slog.Error("unexpected server error", "error", err.Error())
+			server.WriteProblem(w, http.StatusInternalServerError, "/errors/internal-server-error", "Internal Server Error", "unexpected error", r)
+		}
+		return
+	}
+	resp := make(getUserRolesResponse, 0, len(roles))
+	for _, role := range roles {
+		resp = append(resp, getUserRole{ID: role.ID, Name: role.Name})
+	}
+	_ = json.NewEncoder(w).Encode(resp)
+}
+
+// @Summary	Assign role to user
+// @Tags		acl/users
+// @Produce	json
+// @Param		userId	path	int						true	"User ID"	example(1)
+// @Param		body	body	assignRoleToUserRequest	true	"Role ID"
+// @Success	201
+// @Failure	400	{object}	server.ProblemDetails
+// @Failure	404	{object}	server.ProblemDetails
+// @Failure	409	{object}	server.ProblemDetails
+// @Failure	500	{object}	server.ProblemDetails
+// @Router		/api/acl/users/{userId}/roles [post]
+func (h *aclAdminHandler) assignRoleToUser(w http.ResponseWriter, r *http.Request) {
+	w.Header().Set("Content-Type", "application/json")
+	userIDStr := chi.URLParam(r, "userId")
+	userID, err := strconv.Atoi(userIDStr)
+	if err != nil || userID < 0 {
+		server.WriteProblem(w, http.StatusBadRequest, "/errors/acl/invalid-user-id", "Invalid user ID", "User ID must be positive integer", r)
+		return
+	}
+	var req assignRoleToUserRequest
+	if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
+		server.WriteProblem(w, http.StatusBadRequest, "/errors/acl/invalid-request-body", "Invalid request body", "Invalid JSON body", r)
+		return
+	}
+	if err := h.a.AssignRoleToUser(req.RoleID, uint(userID)); err != nil {
+		slog.Error("Failed to assign role to user", "error", err.Error())
+		switch err {
+		case acl.ErrNotInitialized:
+			server.WriteProblem(w, http.StatusInternalServerError, "/errors/internal-server-error", "Internal Server Error", "ACL service is not initialized", r)
+		case acl.ErrUserNotFound:
+			server.WriteProblem(w, http.StatusNotFound, "/errors/acl/user-not-found", "User not found", "User not found", r)
+		case acl.ErrRoleNotFound:
+			server.WriteProblem(w, http.StatusNotFound, "/errors/acl/no-role-found", "No role found", "No role found for user "+strconv.Itoa(userID), r)
+		case acl.ErrRoleAlreadyAssigned:
+			server.WriteProblem(w, http.StatusConflict, "/errors/acl/role-already-assigned", "Role already assigned", "Role with ID "+strconv.Itoa(int(req.RoleID))+" is already assigned to user "+strconv.Itoa(userID), r)
+		default:
+			server.WriteProblem(w, http.StatusInternalServerError, "/errors/internal-server-error", "Internal Server Error", "unexpected error", r)
+		}
+		return
+	}
+	w.WriteHeader(http.StatusCreated)
+}
+
+// @Summary	Remove role from user
+// @Tags		acl/users
+// @Produce	json
+// @Param		userId	path	int	true	"User ID"	example(1)
+// @Param		roleId	path	int	true	"Role ID"	example(1)
+// @Success	204
+// @Failure	400	{object}	server.ProblemDetails
+// @Failure	404	{object}	server.ProblemDetails
+// @Failure	500	{object}	server.ProblemDetails
+// @Router		/api/acl/users/{userId}/roles/{roleId} [delete]
+func (h *aclAdminHandler) removeRoleFromUser(w http.ResponseWriter, r *http.Request) {
+	w.Header().Set("Content-Type", "application/json")
+	userIDStr := chi.URLParam(r, "userId")
+	userID, err := strconv.Atoi(userIDStr)
+	if err != nil || userID < 0 {
+		server.WriteProblem(w, http.StatusBadRequest, "/errors/acl/invalid-user-id", "Invalid user ID", "User ID must be positive integer", r)
+		return
+	}
+	roleIDStr := chi.URLParam(r, "roleId")
+	roleID, err := strconv.Atoi(roleIDStr)
+	if err != nil || roleID < 0 {
+		server.WriteProblem(w, http.StatusBadRequest, "/errors/acl/invalid-role-id", "Invalid role ID", "Role ID must be positive integer", r)
+		return
+	}
+	err = h.a.RemoveRoleFromUser(uint(roleID), uint(userID))
+	if err != nil {
+		slog.Error("Failed to remove role from user", "error", err.Error())
+		switch err {
+		case acl.ErrNotInitialized:
+			server.WriteProblem(w, http.StatusInternalServerError, "/errors/internal-server-error", "Internal Server Error", "ACL service is not initialized", r)
+		case acl.ErrUserNotFound:
+			server.WriteProblem(w, http.StatusNotFound, "/errors/acl/user-not-found", "User not found", "User not found", r)
+		case acl.ErrRoleNotFound:
+			server.WriteProblem(w, http.StatusNotFound, "/errors/acl/no-role-found", "No role found", "No role found for user "+strconv.Itoa(userID), r)
+		case acl.ErrUserRoleNotFound:
+			server.WriteProblem(w, http.StatusNotFound, "/errors/acl/user-role-not-found", "User role not found", "User "+strconv.Itoa(userID)+" does not have role "+strconv.Itoa(roleID), r)
+		default:
+			server.WriteProblem(w, http.StatusInternalServerError, "/errors/internal-server-error", "Internal Server Error", "unexpected error", r)
+		}
+	}
+	w.WriteHeader(http.StatusNoContent)
+}
--- a/api/acl_admin/users_models.go
+++ b/api/acl_admin/users_models.go
@@ -0,0 +1,16 @@
+package api_acladmin
+
+/*******************************************************************/
+// used in getUserRoles()
+type getUserRole struct {
+	ID   uint   `json:"id" example:"1"`
+	Name string `json:"name" example:"*"`
+}
+
+type getUserRolesResponse []getUserRole
+
+/*******************************************************************/
+// used in assignRoleToUser()
+type assignRoleToUserRequest struct {
+	RoleID uint `json:"roleId" example:"1"`
+}
--- a/api/auth/errors.go
+++ b/api/auth/errors.go
@@ -0,0 +1,7 @@
+package api_auth
+
+const (
+	ErrorInvalidCredentials = "INVALID_CREDENTIALS"
+	ErrorInvalidToken       = "INVALID_TOKEN"
+	ErrorExpiredToken       = "EXPIRED_TOKEN"
+)
--- a/api/auth/get_user_data.go
+++ b/api/auth/get_user_data.go
@@ -0,0 +1,35 @@
+package api_auth
+
+import (
+	"encoding/json"
+	"net/http"
+)
+
+type GetUserDataResponse struct {
+	UserID   uint   `json:"id"`
+	Username string `json:"username"`
+	Email    string `json:"email"`
+}
+
+func (h *authHandler) handleGetUserData(w http.ResponseWriter, r *http.Request) {
+	by := r.URL.Query().Get("by")
+	value := r.URL.Query().Get("value")
+	if value == "" {
+		value = r.URL.Query().Get(by)
+	}
+	user, err := h.a.Get(by, value)
+	if err != nil {
+		http.Error(w, "Failed to get user", http.StatusInternalServerError)
+		return
+	}
+	w.Header().Set("Content-Type", "application/json")
+	err = json.NewEncoder(w).Encode(meResponse{
+		UserID:   user.ID,
+		Username: user.Username,
+		Email:    user.Email,
+	})
+	if err != nil {
+		http.Error(w, "Failed to encode response", http.StatusInternalServerError)
+		return
+	}
+}
--- a/api/auth/handle.go
+++ b/api/auth/handle.go
@@ -0,0 +1,55 @@
+// Package auth provides authentication-related API endpoints for the Triggersmith application.
+// It handles login, logout, and user management operations.
+package api_auth
+
+import (
+	"net/http"
+	"time"
+
+	"git.oblat.lv/alex/triggerssmith/internal/auth"
+	"git.oblat.lv/alex/triggerssmith/internal/config"
+	"github.com/go-chi/chi/v5"
+)
+
+func setRefreshCookie(w http.ResponseWriter, token string, ttl time.Duration, secure bool) {
+	http.SetCookie(w, &http.Cookie{
+		Name:     "refresh_token",
+		Value:    token,
+		Path:     "/api/auth/",
+		HttpOnly: true,
+		SameSite: http.SameSiteLaxMode,
+		MaxAge:   int(ttl.Seconds()),
+		Secure:   secure,
+	})
+}
+
+type authHandler struct {
+	cfg *config.Config
+	a   *auth.Service
+}
+
+func MustRoute(config *config.Config, authService *auth.Service) func(chi.Router) {
+	if config == nil {
+		panic("config is nil")
+	}
+	if authService == nil {
+		panic("authService is nil")
+	}
+	h := &authHandler{
+		cfg: config,
+		a:   authService,
+	}
+	return func(r chi.Router) {
+		r.Get("/getUserData", h.handleGetUserData) // legacy support
+
+		r.Post("/register", h.handleRegister)
+		r.Post("/login", h.handleLogin)
+		r.Post("/logout", h.handleLogout)   // !requires authentication
+		r.Post("/refresh", h.handleRefresh) // !requires authentication
+
+		r.Get("/me", h.handleMe) // !requires authentication
+		r.Get("/get-user-data", h.handleGetUserData)
+
+		r.Post("/revoke", h.handleRevoke) // not implemented
+	}
+}
--- a/api/auth/login.go
+++ b/api/auth/login.go
@@ -0,0 +1,55 @@
+package api_auth
+
+import (
+	"encoding/json"
+	"fmt"
+	"log/slog"
+	"net/http"
+
+	"git.oblat.lv/alex/triggerssmith/internal/auth"
+	"git.oblat.lv/alex/triggerssmith/internal/server"
+)
+
+type loginRequest struct {
+	Username string `json:"username"`
+	Password string `json:"password"`
+}
+
+type loginResponse struct {
+	Token string `json:"accessToken"`
+}
+
+// @Summary	Login
+// @Tags		auth
+// @Produce	json
+// @Param		request	body	loginRequest	true	"Login request"
+// @Success	200		{object}	loginResponse
+// @Failure	400	{object}	server.ProblemDetails
+// @Failure	401	{object}	server.ProblemDetails
+// @Router 	/api/auth/login [post]
+func (h *authHandler) handleLogin(w http.ResponseWriter, r *http.Request) {
+	w.Header().Set("Content-Type", "application/json")
+	var req loginRequest
+	err := json.NewDecoder(r.Body).Decode(&req)
+	if err != nil {
+		server.WriteProblem(w, http.StatusBadRequest, "/errors/invalid-request-body", "Invalid request body", "Body is not valid JSON", r)
+		return
+	}
+
+	tokens, err := h.a.Login(req.Username, req.Password)
+	if err != nil {
+		slog.Error("Login failed", "error", err.Error())
+		switch err {
+		case auth.ErrInvalidUsername:
+			server.WriteProblem(w, http.StatusUnauthorized, "/errors/auth/invalid-credentials", "Invalid credentials", fmt.Sprintf("User with username %s not found", req.Username), r)
+		case auth.ErrInvalidPassword:
+			server.WriteProblem(w, http.StatusUnauthorized, "/errors/auth/invalid-credentials", "Invalid credentials", fmt.Sprintf("Invalid password for user %s", req.Username), r)
+		default:
+			server.WriteProblem(w, http.StatusInternalServerError, "/errors/internal-server-error", "Internal Server Error", "unexpected error", r)
+		}
+		return
+	}
+
+	setRefreshCookie(w, tokens.Refresh, h.cfg.Auth.RefreshTokenTTL, false)
+	_ = json.NewEncoder(w).Encode(loginResponse{Token: tokens.Access})
+}
--- a/api/auth/logout.go
+++ b/api/auth/logout.go
@@ -0,0 +1,82 @@
+package api_auth
+
+import (
+	"errors"
+	"fmt"
+	"log/slog"
+	"net/http"
+
+	"git.oblat.lv/alex/triggerssmith/internal/auth"
+	"git.oblat.lv/alex/triggerssmith/internal/server"
+	"github.com/golang-jwt/jwt/v5"
+)
+
+// @Summary Logout
+// @Description Requires valid refresh token
+// @Tags auth
+// @Success 204
+// @Failure 401 {object} server.ProblemDetails
+// @Failure 500 {object} server.ProblemDetails
+// @Router /api/auth/logout [post]
+func (h *authHandler) handleLogout(w http.ResponseWriter, r *http.Request) {
+	// claims, err := h.a.AuthenticateRequest(r)
+	// if err != nil {
+	// 	slog.Error("failed to AuthenticateRequest", "error", err.Error())
+	// 	switch err {
+	// 	case auth.ErrInvalidToken:
+	// 		server.WriteProblem(w, http.StatusUnauthorized, "/errors/auth/invalid-token", "Invalid token", "Invalid token: taking cookies anyways", r)
+	// 	case auth.ErrTokenIsMissing:
+	// 		server.WriteProblem(w, http.StatusUnauthorized, "/errors/auth/invalid-token", "Invalid token", "Token is missing: taking cookies anyway", r)
+	// 	default:
+	// 		server.WriteProblem(w, http.StatusInternalServerError, "/errors/internal-server-error", "Internal Server Error", "unexpected error: taking cookies anyway", r)
+	// 	}
+	// 	http.SetCookie(w, &http.Cookie{
+	// 		Name:     "refresh_token",
+	// 		Value:    "",
+	// 		MaxAge:   -1,
+	// 		Path:     "/api/auth/",
+	// 		HttpOnly: true,
+	// 		SameSite: http.SameSiteLaxMode,
+	// 	})
+	// 	return
+	// }
+	// rjti := claims.(jwt.MapClaims)["rjti"].(string)
+	refreshCookie, err := r.Cookie("refresh_token")
+	if err != nil && errors.Is(err, http.ErrNoCookie) {
+		server.WriteProblem(w, http.StatusUnauthorized, "/errors/auth/refresh-token-not-found", "Refresh token is missing", "Refresh token is missing", r)
+		return
+	}
+	refreshStr := refreshCookie.Value
+	if refreshStr == "" {
+		server.WriteProblem(w, http.StatusUnauthorized, "/errors/auth/refresh-token-not-found", "Refresh token is missing", "Refresh token is missing", r)
+		return
+	}
+	claims, err := h.a.ValidateRefreshToken(refreshStr)
+	if err != nil {
+		slog.Error("failed to ValidateRefreshToken", "error", err.Error())
+		server.WriteProblem(w, http.StatusInternalServerError, "/errors/internal-server-error", "Internal Server Error", "unexpected error while validating refresh token: maybe invalid", r)
+		return
+	}
+	rjti := claims.(jwt.MapClaims)["jti"].(string)
+	err = h.a.Logout(rjti)
+	if err != nil {
+		slog.Error("failed to Logout", "error", err.Error())
+		switch err {
+		case auth.ErrInvalidToken:
+			server.WriteProblem(w, http.StatusUnauthorized, "/errors/auth/already-revoked", "Token already revoked", fmt.Sprintf("Token with rjti '%s' is already revoked", rjti), r)
+		default:
+			server.WriteProblem(w, http.StatusInternalServerError, "/errors/internal-server-error", "Internal Server Error", "unexpected error: taking cookies anyway", r)
+		}
+	}
+	http.SetCookie(w, &http.Cookie{
+		Name:     "refresh_token",
+		Value:    "",
+		MaxAge:   -1,
+		Path:     "/api/auth/",
+		HttpOnly: true,
+		SameSite: http.SameSiteLaxMode,
+	})
+	if err == nil {
+		w.WriteHeader(http.StatusNoContent)
+	}
+}
--- a/api/auth/me.go
+++ b/api/auth/me.go
@@ -0,0 +1,42 @@
+package api_auth
+
+import (
+	"net/http"
+
+	"git.oblat.lv/alex/triggerssmith/internal/server"
+)
+
+type meResponse struct {
+	UserID   uint   `json:"id"`
+	Username string `json:"username"`
+	Email    string `json:"email"`
+}
+
+func (h *authHandler) handleMe(w http.ResponseWriter, r *http.Request) {
+	server.NotImplemented(w)
+	// refresh_token_cookie, err := r.Cookie("refresh_token")
+	// if err != nil {
+	// 	w.WriteHeader(http.StatusUnauthorized)
+	// 	return
+	// }
+	// userID, err := h.a.ValidateRefreshToken(refresh_token_cookie.Value)
+	// if err != nil {
+	// 	w.WriteHeader(http.StatusUnauthorized)
+	// 	return
+	// }
+	// user, err := h.a.Get("id", fmt.Sprint(userID))
+	// if err != nil {
+	// 	http.Error(w, "Failed to get user", http.StatusInternalServerError)
+	// 	return
+	// }
+	// w.Header().Set("Content-Type", "application/json")
+	// err = json.NewEncoder(w).Encode(meResponse{
+	// 	UserID:   user.ID,
+	// 	Username: user.Username,
+	// 	Email:    user.Email,
+	// })
+	// if err != nil {
+	// 	http.Error(w, "Failed to encode response", http.StatusInternalServerError)
+	// 	return
+	// }
+}
--- a/api/auth/refresh.go
+++ b/api/auth/refresh.go
@@ -0,0 +1,56 @@
+package api_auth
+
+import (
+	"encoding/json"
+	"errors"
+	"net/http"
+
+	"git.oblat.lv/alex/triggerssmith/internal/auth"
+	"git.oblat.lv/alex/triggerssmith/internal/server"
+)
+
+type refreshResponse struct {
+	Access string `json:"accessToken"`
+}
+
+// @Summary Refresh tokens
+// @Description Requires valid HttpOnly refresh_token cookie
+// @Tags auth
+// @Produce json
+// @Security RefreshCookieAuth
+// @Success 200 {object} refreshResponse
+// @Failure 401 {object} server.ProblemDetails
+// @Failure 500 {object} server.ProblemDetails
+// @Router /api/auth/refresh [post]
+func (h *authHandler) handleRefresh(w http.ResponseWriter, r *http.Request) {
+	refreshCookie, err := r.Cookie("refresh_token")
+	if err != nil && errors.Is(err, http.ErrNoCookie) {
+		server.WriteProblem(w, http.StatusUnauthorized, "/errors/auth/refresh-token-not-found", "Refresh token is missing", "Refresh token is missing", r)
+		return
+	}
+	refreshStr := refreshCookie.Value
+	if refreshStr == "" {
+		server.WriteProblem(w, http.StatusUnauthorized, "/errors/auth/refresh-token-not-found", "Refresh token is missing", "Refresh token is missing", r)
+		return
+	}
+	tokens, err := h.a.RefreshTokens(refreshStr)
+	if err != nil {
+		if errors.Is(err, auth.ErrInvalidToken) {
+			server.WriteProblem(w, http.StatusUnauthorized, "/errors/auth/refresh-token-invalid", "Refresh token is invalid", "Refresh token is invalid", r)
+		} else {
+			server.WriteProblem(w, http.StatusInternalServerError, "/errors/internal-server-error", "Internal Server Error", "unexpected error: taking cookies anyway", r)
+		}
+		return
+	}
+	http.SetCookie(w, &http.Cookie{
+		Name:     "refresh_token",
+		Value:    tokens.Refresh,
+		MaxAge:   3600,
+		Path:     "/api/auth/refresh",
+		HttpOnly: true,
+		SameSite: http.SameSiteLaxMode,
+	})
+	var resp refreshResponse
+	resp.Access = tokens.Access
+	_ = json.NewEncoder(w).Encode(resp)
+}
--- a/api/auth/register.go
+++ b/api/auth/register.go
@@ -0,0 +1,45 @@
+package api_auth
+
+import (
+	"encoding/json"
+	"log/slog"
+	"net/http"
+)
+
+type registerRequest struct {
+	Username string `json:"username"`
+	Email    string `json:"email"`
+	Password string `json:"password"`
+}
+
+type registerResponse struct {
+	UserID   uint   `json:"id"`
+	Username string `json:"username"`
+}
+
+func (h *authHandler) handleRegister(w http.ResponseWriter, r *http.Request) {
+	var req registerRequest
+	err := json.NewDecoder(r.Body).Decode(&req)
+	if err != nil {
+		http.Error(w, "Invalid request payload", http.StatusBadRequest)
+		return
+	}
+
+	user, err := h.a.Register(req.Username, req.Email, req.Password)
+	if err != nil {
+		slog.Error("Failed to register user", "error", err)
+		http.Error(w, "Registration failed", http.StatusInternalServerError)
+		return
+	}
+
+	w.Header().Set("Content-Type", "application/json")
+	err = json.NewEncoder(w).Encode(registerResponse{
+		UserID:   user.ID,
+		Username: user.Username,
+	})
+	if err != nil {
+		http.Error(w, "Failed to encode response", http.StatusInternalServerError)
+		return
+	}
+	w.WriteHeader(http.StatusCreated)
+}
--- a/api/auth/revoke.go
+++ b/api/auth/revoke.go
@@ -0,0 +1,11 @@
+package api_auth
+
+import (
+	"net/http"
+
+	"git.oblat.lv/alex/triggerssmith/internal/server"
+)
+
+func (h *authHandler) handleRevoke(w http.ResponseWriter, r *http.Request) {
+	server.NotImplemented(w)
+}
--- a/api/block/handle.go
+++ b/api/block/handle.go
@@ -0,0 +1,111 @@
+// Package block provides functionality to load HTML blocks with associated content, JavaScript, and CSS from the filesystem.
+// API Endpoint:
+//
+//	/api/block/{blockPath}
+//
+// Example:
+//
+//	/api/block/header would load the block located at {BlockDir}/header/
+package api_block
+
+import (
+	"encoding/json"
+	"log/slog"
+	"net/http"
+	"os"
+	"path/filepath"
+
+	"git.oblat.lv/alex/triggerssmith/internal/config"
+	"git.oblat.lv/alex/triggerssmith/internal/server"
+	"github.com/go-chi/chi/v5"
+)
+
+type Block struct {
+	Content string `json:"content"`
+	JS      string `json:"js"`
+	CSS     string `json:"css"`
+}
+
+type blockHandler struct {
+	cfg *config.Config
+}
+
+func MustRoute(config *config.Config) func(chi.Router) {
+	if config == nil {
+		panic("config is nil")
+	}
+	h := &blockHandler{
+		cfg: config,
+	}
+	return func(r chi.Router) {
+		r.Get("/*", h.handleBlock)
+	}
+}
+
+// @Summary	Get block
+// @Tags		block
+// @Produce	json
+// @Param blockPath	path		string	true	"Block Path"	example(menu)
+// @Success	200			{object}	Block
+// @Failure	403			{object}	server.ProblemDetails
+// @Failure	404			{object}	server.ProblemDetails
+// @Failure	500			{object}	server.ProblemDetails
+// @Router		/api/block/{blockPath} [get]
+func (h *blockHandler) handleBlock(w http.ResponseWriter, r *http.Request) {
+	if !h.cfg.Server.BlockConfig.Enabled {
+		server.WriteProblem(w, http.StatusForbidden, "/errors/block/block-serving-disabled", "Block serving is disabled", "Block serving is disabled", r)
+		return
+	}
+
+	blockPath := r.URL.Path[len("/api/block/"):]
+	block, err := LoadBlock(blockPath, h.cfg)
+	if err != nil {
+		slog.Error("failed to load block", slog.String("path", blockPath), slog.String("err", err.Error()))
+		server.WriteProblem(w, http.StatusInternalServerError, "/errors/internal-server-error", "Internal Server Error", "failed to load block", r)
+		return
+	}
+	w.Header().Set("Content-Type", "application/json")
+	w.WriteHeader(http.StatusOK)
+	w.Write([]byte(block.ToJSON()))
+}
+
+// LoadBlock loads a block from the filesystem given its path and configuration.
+// It reads the content, JavaScript, and CSS files associated with the block.
+// If err is not nil, it indicates a failure in reading the block files.
+func LoadBlock(path string, cfg *config.Config) (*Block, error) {
+	slog.Debug("loading block", slog.String("path", path))
+	path = filepath.Join(cfg.Server.BlockConfig.BlockDir, path)
+	var block Block
+	var err error
+	contentPath := filepath.Join(path, "content.md")
+	jsPath := filepath.Join(path, "script.js")
+	cssPath := filepath.Join(path, "style.css")
+	if b, err := os.ReadFile(contentPath); err == nil {
+		block.Content = string(b)
+	} else {
+		slog.Warn("failed to read block content", slog.String("path", contentPath), slog.String("err", err.Error()))
+	}
+
+	if b, err := os.ReadFile(jsPath); err == nil {
+		block.JS = string(b)
+	} else {
+		slog.Warn("failed to read block JS", slog.String("path", contentPath), slog.String("err", err.Error()))
+	}
+
+	if b, err := os.ReadFile(cssPath); err == nil {
+		block.CSS = string(b)
+	} else {
+		slog.Warn("failed to read block CSS", slog.String("path", contentPath), slog.String("err", err.Error()))
+	}
+
+	return &block, err
+}
+
+func (b *Block) ToJSON() string {
+	jsonData, err := json.Marshal(b)
+	if err != nil {
+		slog.Error("failed to marshal block to JSON", slog.String("err", err.Error()))
+		return "{}"
+	}
+	return string(jsonData)
+}
--- a/api/invoke/worker.go
+++ b/api/invoke/worker.go
@@ -0,0 +1,143 @@
+package invoke
+
+import (
+	"fmt"
+	"io"
+	"log/slog"
+	"net/http"
+	"os"
+	"path/filepath"
+	"strings"
+	"time"
+
+	"git.oblat.lv/alex/triggerssmith/internal/config"
+	"git.oblat.lv/alex/triggerssmith/internal/worker"
+	"github.com/go-chi/chi/v5"
+	"gorm.io/gorm"
+)
+
+type Function struct {
+	ID           uint           `gorm:"primaryKey;autoIncrement"`
+	FunctionName string         `gorm:"not null"`
+	Version      string         `gorm:"not null"`
+	Path         string         `gorm:"not null"`
+	CreatedAt    time.Time      `gorm:"autoCreateTime"`
+	DeletedAt    gorm.DeletedAt `gorm:"index"`
+}
+
+type TerminalLogger struct {
+	fc *worker.FuncConfig
+}
+
+func (l *TerminalLogger) Write(line string) {
+	slog.Warn("function stderr", slog.String("line", line), slog.String("n:v", fmt.Sprintf("%s:%s", l.fc.Name, l.fc.Version)))
+}
+
+type JSONFileLogger struct {
+	fc     *worker.FuncConfig
+	logger *slog.Logger
+}
+
+func NewJSONFileLogger(fc *worker.FuncConfig, path string) (*JSONFileLogger, error) {
+	dir := filepath.Dir(path)
+	if err := os.MkdirAll(dir, 0755); err != nil {
+		return nil, err
+	}
+	file, err := os.OpenFile(path, os.O_APPEND|os.O_CREATE|os.O_WRONLY, 0644)
+	if err != nil {
+		return nil, err
+	}
+
+	handler := slog.NewJSONHandler(file, &slog.HandlerOptions{})
+	logger := slog.New(handler)
+
+	return &JSONFileLogger{
+		fc:     fc,
+		logger: logger,
+	}, nil
+}
+
+func (l *JSONFileLogger) Write(line string) {
+	l.logger.Warn("function stderr",
+		slog.String("function", l.fc.Name),
+		slog.String("version", l.fc.Version),
+		slog.String("line", line),
+	)
+}
+
+func InvokeHandler(cfg *config.Config) http.HandlerFunc {
+	return func(w http.ResponseWriter, r *http.Request) {
+		id := chi.URLParam(r, "function_id")
+		version := chi.URLParam(r, "function_version")
+		slog.Debug("executing a function", slog.String("id", id), slog.String("version", version))
+		root := cfg.Functions.FunctionDir
+		treeCfg, _ := worker.LoadTreeConfig(root)
+		db, err := worker.OpenDB(treeCfg, root)
+		if err != nil {
+			slog.Error("Failed to open db", slog.String("err", err.Error()))
+			w.WriteHeader(http.StatusInternalServerError)
+			return
+		}
+		//f, _ := worker.FindFunction(db, "echo", "0.0.1-00130112025")
+		f, err := worker.FindFunction(db, id, version)
+		if err != nil {
+			slog.Error("Failed to find function", slog.String("err", err.Error()))
+			w.WriteHeader(http.StatusInternalServerError)
+			return
+		}
+		fc, err := worker.LoadFunctionConfig(root, f.FunctionName, f.Path)
+		if err != nil {
+			slog.Error("Failed to load function config", slog.String("err", err.Error()))
+			w.WriteHeader(http.StatusInternalServerError)
+			return
+		}
+
+		var logger worker.Logger
+		switch fc.Log.Output {
+		case "stdout":
+			logger = &TerminalLogger{
+				fc: fc,
+			}
+		case "file":
+			fileLogger, err := NewJSONFileLogger(fc, filepath.Join(treeCfg.Log.Path, fmt.Sprintf("%s:%s", fc.Name, f.Path), "event.log.json"))
+			if err != nil {
+				slog.Error("Failed to create file logger", slog.String("err", err.Error()))
+				w.WriteHeader(http.StatusInternalServerError)
+				return
+			}
+			logger = fileLogger
+		}
+
+		var frmt = func(s1 string, s2 string) string {
+			return fmt.Sprintf("FAAS_%s=%s", s1, s2)
+		}
+		var env = []string{
+			frmt("PROTOCOL", r.Proto),
+
+			frmt("METHOD", r.Method),
+			frmt("PATH", r.URL.Path),
+			frmt("QUERY", r.URL.RawQuery),
+		}
+
+		for k, v := range r.Header {
+			key := "FAAS_HEADER_" + strings.ReplaceAll(k, "-", "_")
+			env = append(env, key+"="+v[0])
+		}
+
+		input, _ := io.ReadAll(r.Body)
+		path := filepath.Join(root, f.FunctionName, f.Path, fc.Entry)
+		output, err := worker.RunFunction(&worker.RunOps{
+			Path:       path,
+			FuncConfig: fc,
+			Log:        logger,
+			Env:        env,
+		}, input)
+		if err != nil {
+			slog.Error("Failed to run function", slog.String("err", err.Error()))
+			w.WriteHeader(http.StatusInternalServerError)
+			return
+		}
+		slog.Debug("executing done", slog.Any("in", input), slog.Any("out", output))
+		w.Write(output)
+	}
+}
--- a/api/router.go
+++ b/api/router.go
@@ -0,0 +1,121 @@
+// Package api provides the main API router and route handlers for the Triggersmith application.
+package api
+
+import (
+	"encoding/json"
+	"log/slog"
+	"net/http"
+	"path/filepath"
+	"time"
+
+	api_acladmin "git.oblat.lv/alex/triggerssmith/api/acl_admin"
+	api_auth "git.oblat.lv/alex/triggerssmith/api/auth"
+	api_block "git.oblat.lv/alex/triggerssmith/api/block"
+	_ "git.oblat.lv/alex/triggerssmith/docs"
+	"git.oblat.lv/alex/triggerssmith/internal/acl"
+	"git.oblat.lv/alex/triggerssmith/internal/auth"
+	"git.oblat.lv/alex/triggerssmith/internal/config"
+	"git.oblat.lv/alex/triggerssmith/internal/server"
+	"git.oblat.lv/alex/triggerssmith/internal/vars"
+	"github.com/go-chi/chi/v5"
+	"github.com/go-chi/chi/v5/middleware"
+	httpSwagger "github.com/swaggo/http-swagger"
+)
+
+type Router struct {
+	r chi.Router
+
+	cfg *config.Config
+
+	authService *auth.Service
+
+	aclService *acl.Service
+}
+
+type RouterDependencies struct {
+	AuthService   *auth.Service
+	Configuration *config.Config
+	ACLService    *acl.Service
+}
+
+func NewRouter(deps RouterDependencies) *Router {
+	if deps.AuthService == nil {
+		panic("AuthService is required")
+	}
+	if deps.Configuration == nil {
+		panic("Configuration is required")
+	}
+	if deps.ACLService == nil {
+		panic("ACLService is required")
+	}
+	r := chi.NewRouter()
+	return &Router{
+		r:           r,
+		cfg:         deps.Configuration,
+		authService: deps.AuthService,
+		aclService:  deps.ACLService,
+	}
+}
+
+// RouteHandler sets up the routes and middleware for the router.
+// TODO: implement hot reload for static files enabled/disabled
+func (r *Router) MustRoute() chi.Router {
+	r.r.Use(middleware.RealIP)
+	r.r.Use(middleware.Logger)
+	r.r.Use(middleware.Recoverer)
+	r.r.Use(middleware.Timeout(r.cfg.Server.TimeoutSeconds))
+
+	if r.cfg.Server.StaticConfig.Enabled {
+		slog.Debug("Static file serving is enabled",
+			slog.String("dir", r.cfg.Server.StaticConfig.Dir),
+			slog.String("index_file", r.cfg.Server.StaticConfig.IndexFile),
+		)
+		r.r.Get("/*", func(w http.ResponseWriter, req *http.Request) {
+			http.ServeFile(w, req, filepath.Join(r.cfg.Server.StaticConfig.Dir, r.cfg.Server.StaticConfig.IndexFile))
+		})
+		fs := http.FileServer(http.Dir(r.cfg.Server.StaticConfig.Dir))
+		r.r.Handle("/static/*", http.StripPrefix("/static/", fs))
+	} else {
+		slog.Info("Static file serving is disabled")
+		r.r.Get("/", func(w http.ResponseWriter, req *http.Request) {
+			http.Error(w, "Static serving is disabled", http.StatusForbidden)
+		})
+		r.r.HandleFunc("/static/*", func(w http.ResponseWriter, req *http.Request) {
+			http.Error(w, "Static serving is disabled", http.StatusForbidden)
+		})
+	}
+
+	r.r.Route("/api", func(api chi.Router) {
+		api.Get("/swagger/*", httpSwagger.Handler(
+			httpSwagger.URL("/api/swagger/doc.json"),
+		))
+		api.Route("/block", api_block.MustRoute(r.cfg))
+		authRoute := api_auth.MustRoute(r.cfg, r.authService)
+		api.Route("/auth", authRoute)
+		//api.Route("/users", authRoute) // legacy support
+		aclAdminRoute := api_acladmin.MustRoute(r.cfg, r.aclService, r.authService)
+		api.Route("/acl", aclAdminRoute)
+		api.Route("/acl-admin", aclAdminRoute) // legacy support
+	})
+
+	r.r.Get("/health", func(w http.ResponseWriter, r *http.Request) {
+		b, _ := json.Marshal(struct {
+			Status string `json:"status"`
+			Uptime string `json:"uptime"`
+		}{
+			Status: "ok",
+			Uptime: time.Since(vars.START_TIME).String(),
+		})
+		w.Write([]byte(b))
+	})
+	r.r.NotFound(func(w http.ResponseWriter, req *http.Request) {
+		w.Header().Set("Content-Type", "application/problem+json")
+		server.WriteProblem(w, http.StatusNotFound, "/errors/not-found", "Not found", "Requested page not found", req)
+	})
+	r.r.MethodNotAllowed(func(w http.ResponseWriter, req *http.Request) {
+		w.Header().Set("Content-Type", "application/problem+json")
+		server.WriteProblem(w, http.StatusMethodNotAllowed, "/errors/method-not-allowed", "Method not allowed", "Requested method not allowed", req)
+	})
+	//r.r.Handle("/invoke/function/{function_id}/{function_version}", invoke.InvokeHandler(r.cfg))
+	return r.r
+}
--- a/cmd/reload.go
+++ b/cmd/reload.go
@@ -0,0 +1,75 @@
+package cmd
+
+import (
+	"io/ioutil"
+	"log/slog"
+	"os"
+	"strconv"
+	"strings"
+	"syscall"
+
+	"git.oblat.lv/alex/triggerssmith/internal/vars"
+	"github.com/spf13/cobra"
+)
+
+var optsReloadCmd = struct {
+	Debug *bool
+	PID   *int
+}{}
+
+func readPID(path string) (int, error) {
+	data, err := ioutil.ReadFile(path)
+	if err != nil {
+		return 0, err
+	}
+
+	s := strings.TrimSpace(string(data))
+
+	pid, err := strconv.Atoi(s)
+	if err != nil {
+		return 0, err
+	}
+
+	return pid, nil
+}
+
+var reloadCmd = &cobra.Command{
+	Use:   "reload",
+	Short: "Reload active server by PID using SIGHUP",
+	Run: func(cmd *cobra.Command, args []string) {
+		defer func() {
+			if r := recover(); r != nil {
+				slog.Error("Application panicked", slog.Any("error", r))
+			}
+		}()
+		// configure logger
+		if *optsReloadCmd.Debug {
+			slog.SetDefault(slog.New(slog.NewTextHandler(cmd.OutOrStdout(), &slog.HandlerOptions{Level: slog.LevelDebug, AddSource: true})))
+		} else {
+			slog.SetDefault(slog.New(slog.NewTextHandler(cmd.OutOrStdout(), &slog.HandlerOptions{Level: slog.LevelInfo})))
+		}
+		pid, err := readPID(vars.PID_PATH)
+		if err != nil {
+			panic(err)
+		}
+		*optsReloadCmd.PID = pid
+		slog.Debug("restarting server", slog.Int("pid", *optsReloadCmd.PID))
+		proc, err := os.FindProcess(*optsReloadCmd.PID)
+		if err != nil {
+			slog.Error("failed to find process", slog.Int("pid", *optsReloadCmd.PID), slog.String("err", err.Error()))
+		}
+		err = proc.Signal(syscall.SIGHUP)
+		if err != nil {
+			slog.Error("failed to reload process", slog.Int("pid", *optsReloadCmd.PID), slog.String("err", err.Error()))
+		} else {
+			slog.Debug("done")
+		}
+
+	},
+}
+
+func init() {
+	optsReloadCmd.Debug = reloadCmd.Flags().BoolP("debug", "d", false, "Enable debug logs")
+	optsReloadCmd.PID = reloadCmd.Flags().IntP("pid", "p", -1, "Define server PID")
+	rootCmd.AddCommand(reloadCmd)
+}
--- a/cmd/serve.go
+++ b/cmd/serve.go
@@ -4,63 +4,139 @@ import (
 	"fmt"
 	"log/slog"
 	"net"
-	"net/http"
+	"os"
+	"os/signal"
+	"path/filepath"
+	"runtime/debug"
+	"syscall"
 	"time"

+	"git.oblat.lv/alex/triggerssmith/api"
+	"git.oblat.lv/alex/triggerssmith/internal/acl"
 	application "git.oblat.lv/alex/triggerssmith/internal/app"
+	"git.oblat.lv/alex/triggerssmith/internal/auth"
 	"git.oblat.lv/alex/triggerssmith/internal/config"
+	"git.oblat.lv/alex/triggerssmith/internal/jwt"
+	"git.oblat.lv/alex/triggerssmith/internal/server"
+	"git.oblat.lv/alex/triggerssmith/internal/token"
+	"git.oblat.lv/alex/triggerssmith/internal/user"
+	"git.oblat.lv/alex/triggerssmith/internal/vars"
 	"github.com/spf13/cobra"
+	"gorm.io/driver/sqlite"
+	"gorm.io/gorm"
 )

-var opts = struct {
-	ConfigPath *string
-	Debug      *bool
+var optsServeCmd = struct {
+	ConfigPath    *string
+	Debug         *bool
+	HideGreetings *bool
+	NoPIDFile     *bool
 }{}

-// simple middleware for request logging
-func loggingMiddleware(next http.Handler) http.Handler {
-	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		start := time.Now()
+// // simple middleware for request logging
+// func loggingMiddleware(next http.Handler) http.Handler {
+// 	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+// 		start := time.Now()

-		slog.Info("HTTP request",
-			slog.String("method", r.Method),
-			slog.String("path", r.URL.Path),
-			slog.String("remote", r.RemoteAddr),
-		)
+// 		slog.Info("HTTP request",
+// 			slog.String("method", r.Method),
+// 			slog.String("path", r.URL.Path),
+// 			slog.String("remote", r.RemoteAddr),
+// 		)

-		next.ServeHTTP(w, r)
+// 		next.ServeHTTP(w, r)

-		slog.Debug("HTTP request finished",
-			slog.String("method", r.Method),
-			slog.String("path", r.URL.Path),
-			slog.Duration("latency", time.Since(start)),
-		)
-	})
+// 		slog.Debug("HTTP request finished",
+// 			slog.String("method", r.Method),
+// 			slog.String("path", r.URL.Path),
+// 			slog.Duration("latency", time.Since(start)),
+// 		)
+// 	})
+// }
+
+func writePID(path string) error {
+	dir := filepath.Dir(path)
+	err := os.MkdirAll(dir, 0644)
+	if err != nil {
+		return nil
+	}
+	pid := os.Getpid()
+
+	f, err := os.OpenFile(path, os.O_RDWR|os.O_CREATE|os.O_TRUNC, 0644)
+	if err != nil {
+		return err
+	}
+	defer f.Close()
+
+	_, err = fmt.Fprintf(f, "%d\n", pid)
+	return err
 }

 var serveCmd = &cobra.Command{
 	Use:   "serve",
 	Short: "Start the server",
 	Run: func(cmd *cobra.Command, args []string) {
-		// defer func() {
-		// 	if r := recover(); r != nil {
-		// 		slog.Error("Application panicked", slog.Any("error", r))
-		// 	}
-		// }()
+		text := fmt.Sprintf(`
+  _______ _____ 
+ |__   __/ ____|
+    | | | (___  
+    | |  \___ \ 
+    | |  ____) |
+    |_| |_____/ 
+                
+ TriggerSmith - v%s                                                                  
+		`, vars.Version)
+		if !*optsServeCmd.HideGreetings {
+			fmt.Println(text)
+		}
+		defer func() {
+			if r := recover(); r != nil {
+				slog.Debug("panic recovered: preparing panic.log", slog.Any("error", r))
+				stack := debug.Stack()
+
+				f, err := os.OpenFile("panic.log", os.O_CREATE|os.O_APPEND|os.O_WRONLY, 0644)
+				if err != nil {
+					slog.Error("Failed to open panic.log", slog.Any("error", err))
+				} else {
+					defer f.Close()
+					slog.Debug("flushing stack in to panic.log")
+					fmt.Fprintf(f, "\n--------------------------------------------------------\n")
+					fmt.Fprintf(f, "Time: %s\n", time.Now().Format(time.RFC3339))
+					fmt.Fprintln(f, "If this is unexpected, please report: https://git.oblat.lv/alex/triggerssmith/issues")
+					fmt.Fprintf(f, "\n--------------------------------------------------------\n")
+					fmt.Fprintf(f, "Panic: %v\n", r)
+					f.Write(stack)
+					f.WriteString("\n\n")
+					slog.Error("Application panicked: the stack is flushed to disk", slog.Any("error", r))
+				}
+				os.Exit(-1)
+			}
+		}()
+
 		// configure logger
-		if *opts.Debug {
+		if *optsServeCmd.Debug {
 			slog.SetDefault(slog.New(slog.NewTextHandler(cmd.OutOrStdout(), &slog.HandlerOptions{Level: slog.LevelDebug, AddSource: true})))
 		} else {
 			slog.SetDefault(slog.New(slog.NewTextHandler(cmd.OutOrStdout(), &slog.HandlerOptions{Level: slog.LevelInfo})))
 		}

-		slog.Debug("Starting server")
+		if !*optsServeCmd.NoPIDFile {
+			pid := os.Getpid()
+			slog.Debug("Starting server", slog.Int("pid", pid))
+			if err := writePID(vars.PID_PATH); err != nil {
+				panic(err)
+			}
+			slog.Debug("created pid file", slog.String("path", vars.PID_PATH))
+			defer os.Remove(vars.PID_PATH)
+		} else {
+			slog.Warn("Starting server without PID file as requested by --no-pidfile flag: this may complicate process management")
+		}

 		// load config
-		slog.Debug("Reading configuration", slog.String("path", *opts.ConfigPath))
-		cfg, err := config.LoadConfig(*opts.ConfigPath)
+		slog.Debug("Reading configuration", slog.String("path", *optsServeCmd.ConfigPath))
+		cfg, err := config.LoadConfig(*optsServeCmd.ConfigPath)
 		if err != nil {
-			slog.Error("Failed to load configuration", slog.String("path", *opts.ConfigPath), slog.String("error", err.Error()))
+			slog.Error("Failed to load configuration", slog.String("path", *optsServeCmd.ConfigPath), slog.String("error", err.Error()))
 			return
 		}
 		slog.Debug("Configuration loaded", slog.Any("config", cfg))
@@ -73,55 +149,119 @@ var serveCmd = &cobra.Command{
 		}
 		app.LoadConfiguration(cfg)

-		/*
-			// setup handlers
-			mux := http.NewServeMux()
+		srv := app.Server()

-			// static files
-			staticPath := cfg.Server.StaticFilesPath
-			slog.Debug("Setting up static file server", slog.String("path", staticPath))
-			fs := http.FileServer(http.Dir(staticPath))
-			mux.Handle("/static/", http.StripPrefix("/static/", fs))
-			handler := loggingMiddleware(mux)
-		*/
+		// Services initialization
+		var jwtSigner jwt.Signer
+		// TODO: support more signing algorithms
+		//     : support hot config reload for signing alg and secret
+		switch cfg.Auth.SignAlg {
+		case "HS256":
+			secretBytes, err := os.ReadFile(cfg.Auth.HMACSecretPath)
+			if err != nil {
+				slog.Error("Failed to read HMAC secret file", slog.String("path", cfg.Auth.HMACSecretPath), slog.String("error", err.Error()))
+				return
+			}
+			jwtSigner = jwt.NewHMACSigner(secretBytes)
+		default:
+			slog.Error("Unsupported JWT signing algorithm", slog.String("alg", cfg.Auth.SignAlg))
+			return
+		}
+		jwtService := jwt.NewService(jwtSigner)

-		// start server
-		/*addr := fmt.Sprintf("%s:%d", cfg.Server.Addr, cfg.Server.Port)
-		slog.Debug("Binding listener", slog.String("address", addr))
-
-		ln, err := net.Listen("tcp", addr)
+		err = os.MkdirAll(cfg.Data.DataPath, 0755)
 		if err != nil {
-			slog.Error("Failed to start listener", slog.String("address", addr), slog.String("error", err.Error()))
+			slog.Error("Failed to create data directory", slog.String("path", cfg.Data.DataPath), slog.String("error", err.Error()))
 			return
 		}

-		srv := &http.Server{
-			Addr:    addr,
-			Handler: handler,
+		tokenDb, err := gorm.Open(sqlite.Open(filepath.Join(cfg.Data.DataPath, "tokens.sqlite3")), &gorm.Config{})
+		if err != nil {
+			slog.Error("Failed to open token database", slog.String("error", err.Error()))
+			return
+		}
+		// err = tokenDb.AutoMigrate(&token.Token{})
+		// if err != nil {
+		// 	slog.Error("Failed to migrate token database", slog.String("error", err.Error()))
+		// 	return
+		// }
+		tokenStore, err := token.NewSQLiteTokenStore(tokenDb)
+		if err != nil {
+			slog.Error("Failed to create token store", slog.String("error", err.Error()))
+			return
+		}
+		tokenService, err := token.NewTokenService(&cfg.Auth, tokenStore)
+		if err != nil {
+			slog.Error("Failed to create token service", slog.String("error", err.Error()))
+			return
+		}
+		err = tokenService.Init()
+		if err != nil {
+			slog.Error("Failed to initialize token service", slog.String("error", err.Error()))
+			return
 		}

-		slog.Info("Server started", slog.String("address", addr))
+		// also acl !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+		userData, err := gorm.Open(sqlite.Open(filepath.Join(cfg.Data.DataPath, "user_data.sqlite3")+"?_foreign_keys=on"), &gorm.Config{})
+		if err != nil {
+			slog.Error("Failed to open user database", slog.String("error", err.Error()))
+			return
+		}
+		// err =
+		// if err != nil {
+		// 	slog.Error("Failed to migrate user database", slog.String("error", err.Error()))
+		// 	return
+		// }
+		userStore, err := user.NewGormUserStore(userData)
+		if err != nil {
+			slog.Error("Failed to create user store", slog.String("error", err.Error()))
+			return
+		}
+		userService, err := user.NewService(userStore)
+		if err != nil {
+			slog.Error("Failed to create user service", slog.String("error", err.Error()))
+			return
+		}
+		err = userService.Init()
+		if err != nil {
+			slog.Error("Failed to initialize user service", slog.String("error", err.Error()))
+			return
+		}
+		aclService, err := acl.NewService(userData)
+		if err != nil {
+			slog.Error("Failed to create acl service", slog.String("error", err.Error()))
+			return
+		}
+		err = aclService.Init()
+		if err != nil {
+			slog.Error("Failed to initialize acl service", slog.String("error", err.Error()))
+			return
+		}

-		if err := srv.Serve(ln); err != nil && err != http.ErrServerClosed {
-			slog.Error("HTTP server stopped with error", slog.String("error", err.Error()))
-		}*/
+		authService, err := auth.NewAuthService(auth.AuthServiceDependencies{
+			Configuration: cfg,

-		server := app.Server()
-		mux := http.NewServeMux()
+			JWTService:   jwtService,
+			UserService:  userService,
+			TokenService: tokenService,
+		})
+		if err != nil {
+			slog.Error("Failed to create auth service", slog.String("error", err.Error()))
+			return
+		}

-		// static files
-		staticPath := cfg.Server.StaticFilesPath
-		slog.Debug("Setting up static file server", slog.String("path", staticPath))
-		fs := http.FileServer(http.Dir(staticPath))
-		mux.Handle("/static/", http.StripPrefix("/static/", fs))
-		handler := loggingMiddleware(mux)
+		router := api.NewRouter(api.RouterDependencies{
+			AuthService:   authService,
+			Configuration: cfg,
+			ACLService:    aclService,
+		})

-		server.SetHandler(handler)
-		server.Init()
+		srv.SetHandler(router.MustRoute())
+		srv.Init()

 		var addr = net.JoinHostPort(cfg.Server.Addr, fmt.Sprintf("%d", cfg.Server.Port))
 		slog.Debug("Binding listener", slog.String("address", addr))
-		err = server.Start(addr)
+		err = srv.Start(addr)
 		if err != nil {
 			slog.Error("Failed to start server", slog.String("error", err.Error()))
 			return
@@ -129,26 +269,53 @@ var serveCmd = &cobra.Command{
 			slog.Info("Server started", slog.String("address", net.JoinHostPort(cfg.Server.Addr, fmt.Sprintf("%d", cfg.Server.Port))))
 		}

+		sigch := make(chan os.Signal, 1)
+		signal.Notify(sigch, syscall.SIGHUP, syscall.SIGINT, syscall.SIGTERM)
 		for true {
-			fmt.Scanln()
-			if err := config.ReloadConfig(cfg); err != nil {
-				slog.Error("Failed to reload configuration", slog.String("error", err.Error()))
-			} else {
-				slog.Info("Configuration reloaded", slog.Any("config", cfg))
-				var addr = net.JoinHostPort(cfg.Server.Addr, fmt.Sprintf("%d", cfg.Server.Port))
-				err = server.Reload(addr)
-				if err != nil {
-					slog.Error("Failed to restart server with new configuration", slog.String("error", err.Error()))
+			sig := <-sigch
+			slog.Debug("got signal", slog.Any("os.Signal", sig))
+			switch sig {
+			case syscall.SIGHUP:
+				if err := config.ReloadConfig(cfg); err != nil {
+					slog.Error("Failed to reload configuration", slog.String("error", err.Error()))
 				} else {
-					slog.Info("Server restarted with new configuration", slog.String("address", net.JoinHostPort(cfg.Server.Addr, fmt.Sprintf("%d", cfg.Server.Port))))
+					slog.Info("Configuration reloaded")
+					var addr = net.JoinHostPort(cfg.Server.Addr, fmt.Sprintf("%d", cfg.Server.Port))
+					slog.Debug("New configuration", slog.Any("config", cfg))
+					err = srv.Reload(addr)
+					if err != nil {
+						slog.Error("Failed to restart server with new configuration", slog.String("error", err.Error()))
+					}
 				}
+			case syscall.SIGINT:
+				slog.Info("Stopping server by SIGINT")
+				os.Remove(vars.PID_PATH)
+				_ = server.StopAll()
+				//err := srv.Stop()
+				// if err != nil {
+				// 	slog.Error("Failed to stop server", slog.String("err", err.Error()))
+				// 	os.Exit(1)
+				// }
+				return
+			case syscall.SIGTERM:
+				slog.Info("Stopping server by SIGTERM")
+				os.Remove(vars.PID_PATH)
+				_ = server.StopAll()
+				//err := srv.Stop()
+				// if err != nil {
+				// 	slog.Error("Failed to stop server", slog.String("err", err.Error()))
+				// 	os.Exit(1)
+				// }
+				return
 			}
 		}
 	},
 }

 func init() {
-	opts.Debug = serveCmd.Flags().BoolP("debug", "d", false, "Enable debug logs")
-	opts.ConfigPath = serveCmd.Flags().StringP("config", "c", "config.yaml", "Path to configuration file")
+	optsServeCmd.Debug = serveCmd.Flags().BoolP("debug", "d", false, "Enable debug logs")
+	optsServeCmd.ConfigPath = serveCmd.Flags().StringP("config", "c", "config.yaml", "Path to configuration file")
+	optsServeCmd.HideGreetings = serveCmd.Flags().BoolP("hide-greetings", "g", false, "Hide the welcome message and version when starting the server")
+	optsServeCmd.NoPIDFile = serveCmd.Flags().BoolP("no-pidfile", "p", false, "Do not write a PID file")
 	rootCmd.AddCommand(serveCmd)
 }
--- a/cmd/stop.go
+++ b/cmd/stop.go
@@ -0,0 +1,67 @@
+package cmd
+
+import (
+	"log/slog"
+	"os"
+	"syscall"
+
+	"git.oblat.lv/alex/triggerssmith/internal/vars"
+	"github.com/spf13/cobra"
+)
+
+var optsStopCmd = struct {
+	Debug *bool
+	PID   *int
+	Force *bool
+}{}
+
+var stopCmd = &cobra.Command{
+	Use:   "stop",
+	Short: "Stop active server by PID using SIGTERM",
+	Run: func(cmd *cobra.Command, args []string) {
+		defer func() {
+			if r := recover(); r != nil {
+				slog.Error("Application panicked", slog.Any("error", r))
+			}
+		}()
+		// configure logger
+		if *optsReloadCmd.Debug {
+			slog.SetDefault(slog.New(slog.NewTextHandler(cmd.OutOrStdout(), &slog.HandlerOptions{Level: slog.LevelDebug, AddSource: true})))
+		} else {
+			slog.SetDefault(slog.New(slog.NewTextHandler(cmd.OutOrStdout(), &slog.HandlerOptions{Level: slog.LevelInfo})))
+		}
+		pid, err := readPID(vars.PID_PATH)
+		if err != nil {
+			panic(err)
+		}
+		*optsStopCmd.PID = pid
+		proc, err := os.FindProcess(*optsStopCmd.PID)
+		if err != nil {
+			slog.Error("failed to find process", slog.Int("pid", *optsStopCmd.PID), slog.String("err", err.Error()))
+		}
+		if *optsStopCmd.Force {
+			slog.Debug("force stopping server by SIGKILL", slog.Int("pid", *optsStopCmd.PID))
+			err = proc.Signal(syscall.SIGKILL)
+			if err != nil {
+				slog.Error("failed to reload process", slog.Int("pid", *optsReloadCmd.PID), slog.String("err", err.Error()))
+			} else {
+				slog.Debug("done")
+			}
+		} else {
+			slog.Debug("stopping server", slog.Int("pid", *optsStopCmd.PID))
+			err = proc.Signal(syscall.SIGTERM)
+			if err != nil {
+				slog.Error("failed to reload process", slog.Int("pid", *optsReloadCmd.PID), slog.String("err", err.Error()))
+			} else {
+				slog.Debug("done")
+			}
+		}
+	},
+}
+
+func init() {
+	optsStopCmd.Debug = stopCmd.Flags().BoolP("debug", "d", false, "Enable debug logs")
+	optsStopCmd.PID = stopCmd.Flags().IntP("pid", "p", -1, "Define server PID")
+	optsStopCmd.Force = stopCmd.Flags().BoolP("force", "f", false, "Force stop using SIGKILL")
+	rootCmd.AddCommand(stopCmd)
+}
--- a/config.yaml
+++ b/config.yaml
@@ -1,3 +0,0 @@
-server:
-  address: "0.0.0.0"
-  port: 8089
--- a/functions/config.json
+++ b/functions/config.json
@@ -0,0 +1,9 @@
+{
+	"data": {
+		"driver": "sqlite",
+		"path": "data.sqlite3"
+	},
+	"log": {
+		"log_root_path": "log"
+	}
+}
--- a/functions/echo/1d965976/config.json
+++ b/functions/echo/1d965976/config.json
@@ -0,0 +1,9 @@
+{
+	"name": "echo",
+	"version": "0.0.1-00130112025",
+	"entry": "echo.sh",
+	"runtime": "exec",
+	"log": {
+		"output": "stdout"
+	}
+}
--- a/functions/echo/1d965976/echo.sh
+++ b/functions/echo/1d965976/echo.sh
@@ -0,0 +1,21 @@
+#!/bin/bash
+
+urldecode() {
+	local data="${1//+/ }"
+	printf '%b' "${data//%/\\x}"
+}
+
+declare -A QUERY
+
+IFS='&' read -ra pairs <<< "$FAAS_QUERY"
+
+for pair in "${pairs[@]}"; do
+	IFS='=' read -r raw_key raw_value <<< "$pair"
+	key=$(urldecode "$raw_key")
+	value=$(urldecode "$raw_value")
+	QUERY["$key"]="$value"
+done
+
+echo "a = ${QUERY[a]}"
+echo "b = ${QUERY[b]}"
+#echo $(ls)
--- a/go.mod
+++ b/go.mod
@@ -5,11 +5,33 @@ go 1.24.9
 require (
 	github.com/akyaiy/GSfass/core v0.0.0-20251115194535-2b7489bfc204
 	github.com/spf13/cobra v1.10.1
+	github.com/swaggo/http-swagger v1.3.4
+	github.com/swaggo/swag v1.16.6
+	golang.org/x/crypto v0.46.0
+)
+
+require (
+	github.com/KyleBanks/depth v1.2.1 // indirect
+	github.com/go-openapi/jsonpointer v0.19.5 // indirect
+	github.com/go-openapi/jsonreference v0.20.0 // indirect
+	github.com/go-openapi/spec v0.20.6 // indirect
+	github.com/go-openapi/swag v0.19.15 // indirect
+	github.com/josharian/intern v1.0.0 // indirect
+	github.com/mailru/easyjson v0.7.6 // indirect
+	github.com/swaggo/files v0.0.0-20220610200504-28940afbdbfe // indirect
+	golang.org/x/mod v0.30.0 // indirect
+	golang.org/x/net v0.47.0 // indirect
+	golang.org/x/sync v0.19.0 // indirect
+	golang.org/x/tools v0.39.0 // indirect
+	gopkg.in/yaml.v2 v2.4.0 // indirect
 )

 require (
 	github.com/fsnotify/fsnotify v1.9.0 // indirect
+	github.com/go-chi/chi/v5 v5.2.3
 	github.com/go-viper/mapstructure/v2 v2.4.0 // indirect
+	github.com/golang-jwt/jwt/v5 v5.3.0
+	github.com/google/uuid v1.6.0
 	github.com/inconshreveable/mousetrap v1.1.0 // indirect
 	github.com/jinzhu/inflection v1.0.0 // indirect
 	github.com/jinzhu/now v1.1.5 // indirect
@@ -23,8 +45,8 @@ require (
 	github.com/spf13/viper v1.21.0 // indirect
 	github.com/subosito/gotenv v1.6.0 // indirect
 	go.yaml.in/yaml/v3 v3.0.4 // indirect
-	golang.org/x/sys v0.29.0 // indirect
-	golang.org/x/text v0.28.0 // indirect
-	gorm.io/driver/sqlite v1.6.0 // indirect
-	gorm.io/gorm v1.31.1 // indirect
+	golang.org/x/sys v0.39.0 // indirect
+	golang.org/x/text v0.32.0 // indirect
+	gorm.io/driver/sqlite v1.6.0
+	gorm.io/gorm v1.31.1
 )
--- a/go.sum
+++ b/go.sum
@@ -1,28 +1,59 @@
+github.com/KyleBanks/depth v1.2.1 h1:5h8fQADFrWtarTdtDudMmGsC7GPbOAu6RVB3ffsVFHc=
+github.com/KyleBanks/depth v1.2.1/go.mod h1:jzSb9d0L43HxTQfT+oSA1EEp2q+ne2uh6XgeJcm8brE=
 github.com/akyaiy/GSfass/core v0.0.0-20251115194535-2b7489bfc204 h1:tvG9DIB1e58sWfDbYLdgOcXRdyZxSYy/wk2VHJHgzec=
 github.com/akyaiy/GSfass/core v0.0.0-20251115194535-2b7489bfc204/go.mod h1:Sk61563skjfIIYbmTUTJSWqGwBp9ODiBMjza8F5+UFY=
 github.com/cpuguy83/go-md2man/v2 v2.0.6/go.mod h1:oOW0eioCTA6cOiMLiUPZOpcVxMig6NIQQ7OS05n1F4g=
+github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E=
+github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/frankban/quicktest v1.14.6 h1:7Xjx+VpznH+oBnejlPUj8oUpdxnVs4f8XU8WnHkI4W8=
 github.com/frankban/quicktest v1.14.6/go.mod h1:4ptaffx2x8+WTWXmUCuVU6aPUX1/Mz7zb5vbUoiM6w0=
 github.com/fsnotify/fsnotify v1.9.0 h1:2Ml+OJNzbYCTzsxtv8vKSFD9PbJjmhYF14k/jKC7S9k=
 github.com/fsnotify/fsnotify v1.9.0/go.mod h1:8jBTzvmWwFyi3Pb8djgCCO5IBqzKJ/Jwo8TRcHyHii0=
+github.com/go-chi/chi/v5 v5.2.3 h1:WQIt9uxdsAbgIYgid+BpYc+liqQZGMHRaUwp0JUcvdE=
+github.com/go-chi/chi/v5 v5.2.3/go.mod h1:L2yAIGWB3H+phAw1NxKwWM+7eUH/lU8pOMm5hHcoops=
+github.com/go-openapi/jsonpointer v0.19.3/go.mod h1:Pl9vOtqEWErmShwVjC8pYs9cog34VGT37dQOVbmoatg=
+github.com/go-openapi/jsonpointer v0.19.5 h1:gZr+CIYByUqjcgeLXnQu2gHYQC9o73G2XUeOFYEICuY=
+github.com/go-openapi/jsonpointer v0.19.5/go.mod h1:Pl9vOtqEWErmShwVjC8pYs9cog34VGT37dQOVbmoatg=
+github.com/go-openapi/jsonreference v0.20.0 h1:MYlu0sBgChmCfJxxUKZ8g1cPWFOB37YSZqewK7OKeyA=
+github.com/go-openapi/jsonreference v0.20.0/go.mod h1:Ag74Ico3lPc+zR+qjn4XBUmXymS4zJbYVCZmcgkasdo=
+github.com/go-openapi/spec v0.20.6 h1:ich1RQ3WDbfoeTqTAb+5EIxNmpKVJZWBNah9RAT0jIQ=
+github.com/go-openapi/spec v0.20.6/go.mod h1:2OpW+JddWPrpXSCIX8eOx7lZ5iyuWj3RYR6VaaBKcWA=
+github.com/go-openapi/swag v0.19.5/go.mod h1:POnQmlKehdgb5mhVOsnJFsivZCEZ/vjK9gh66Z9tfKk=
+github.com/go-openapi/swag v0.19.15 h1:D2NRCBzS9/pEY3gP9Nl8aDqGUcPFrwG2p+CNFrLyrCM=
+github.com/go-openapi/swag v0.19.15/go.mod h1:QYRuS/SOXUCsnplDa677K7+DxSOj6IPNl/eQntq43wQ=
 github.com/go-viper/mapstructure/v2 v2.4.0 h1:EBsztssimR/CONLSZZ04E8qAkxNYq4Qp9LvH92wZUgs=
 github.com/go-viper/mapstructure/v2 v2.4.0/go.mod h1:oJDH3BJKyqBA2TXFhDsKDGDTlndYOZ6rGS0BRZIxGhM=
+github.com/golang-jwt/jwt/v5 v5.3.0 h1:pv4AsKCKKZuqlgs5sUmn4x8UlGa0kEVt/puTpKx9vvo=
+github.com/golang-jwt/jwt/v5 v5.3.0/go.mod h1:fxCRLWMO43lRc8nhHWY6LGqRcf+1gQWArsqaEUEa5bE=
 github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI=
 github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
+github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
+github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/inconshreveable/mousetrap v1.1.0 h1:wN+x4NVGpMsO7ErUn/mUI3vEoE6Jt13X2s0bqwp9tc8=
 github.com/inconshreveable/mousetrap v1.1.0/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLfsEA9PFc4w1p2J65bw=
 github.com/jinzhu/inflection v1.0.0 h1:K317FqzuhWc8YvSVlFMCCUb36O/S9MCKRDI7QkRKD/E=
 github.com/jinzhu/inflection v1.0.0/go.mod h1:h+uFLlag+Qp1Va5pdKtLDYj+kHp5pxUVkryuEj+Srlc=
 github.com/jinzhu/now v1.1.5 h1:/o9tlHleP7gOFmsnYNz3RGnqzefHA47wQpKrrdTIwXQ=
 github.com/jinzhu/now v1.1.5/go.mod h1:d3SSVoowX0Lcu0IBviAWJpolVfI5UJVZZ7cO71lE/z8=
+github.com/josharian/intern v1.0.0 h1:vlS4z54oSdjm0bgjRigI+G1HpF+tI+9rE5LLzOg8HmY=
+github.com/josharian/intern v1.0.0/go.mod h1:5DoeVV0s6jJacbCEi61lwdGj/aVlrQvzHFFd8Hwg//Y=
+github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo=
 github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE=
 github.com/kr/pretty v0.3.1/go.mod h1:hoEshYVHaxMs3cyo3Yncou5ZscifuDolrwPKZanG3xk=
+github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
+github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=
 github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
 github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=
+github.com/mailru/easyjson v0.0.0-20190614124828-94de47d64c63/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc=
+github.com/mailru/easyjson v0.0.0-20190626092158-b2ccc519800e/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc=
+github.com/mailru/easyjson v0.7.6 h1:8yTIVnZgCoiM1TgqoeTl+LfU5Jg6/xL3QhGQnimLYnA=
+github.com/mailru/easyjson v0.7.6/go.mod h1:xzfreul335JAWq5oZzymOObrkdz5UnU4kGfJJLY9Nlc=
 github.com/mattn/go-sqlite3 v1.14.22 h1:2gZY6PC6kBnID23Tichd1K+Z0oS6nE/XwU+Vz/5o4kU=
 github.com/mattn/go-sqlite3 v1.14.22/go.mod h1:Uh1q+B4BYcTPb+yiD3kU8Ct7aC0hY9fxUwlHK0RXw+Y=
+github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e h1:fD57ERR4JtEqsWbfPhv4DMiApHyliiK5xCTNVSPiaAs=
+github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e/go.mod h1:zD1mROLANZcx1PVRCS0qkT7pwLkGfwJo4zjcN/Tysno=
 github.com/pelletier/go-toml/v2 v2.2.4 h1:mye9XuhQ6gvn5h28+VilKrrPoQVanw5PMw/TB0t5Ec4=
 github.com/pelletier/go-toml/v2 v2.2.4/go.mod h1:2gIqNv+qfxSVS7cM2xJQKtLSTLUE9V8t9Stt+h56mCY=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
@@ -45,19 +76,50 @@ github.com/spf13/pflag v1.0.10 h1:4EBh2KAYBwaONj6b2Ye1GiHfwjqyROoF4RwYO+vPwFk=
 github.com/spf13/pflag v1.0.10/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
 github.com/spf13/viper v1.21.0 h1:x5S+0EU27Lbphp4UKm1C+1oQO+rKx36vfCoaVebLFSU=
 github.com/spf13/viper v1.21.0/go.mod h1:P0lhsswPGWD/1lZJ9ny3fYnVqxiegrlNrEmgLjbTCAY=
+github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
+github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
+github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.11.1 h1:7s2iGBzp5EwR7/aIZr8ao5+dra3wiQyKjjFuvgVKu7U=
 github.com/stretchr/testify v1.11.1/go.mod h1:wZwfW3scLgRK+23gO65QZefKpKQRnfz6sD981Nm4B6U=
 github.com/subosito/gotenv v1.6.0 h1:9NlTDc1FTs4qu0DDq7AEtTPNw6SVm7uBMsUCUjABIf8=
 github.com/subosito/gotenv v1.6.0/go.mod h1:Dk4QP5c2W3ibzajGcXpNraDfq2IrhjMIvMSWPKKo0FU=
+github.com/swaggo/files v0.0.0-20220610200504-28940afbdbfe h1:K8pHPVoTgxFJt1lXuIzzOX7zZhZFldJQK/CgKx9BFIc=
+github.com/swaggo/files v0.0.0-20220610200504-28940afbdbfe/go.mod h1:lKJPbtWzJ9JhsTN1k1gZgleJWY/cqq0psdoMmaThG3w=
+github.com/swaggo/http-swagger v1.3.4 h1:q7t/XLx0n15H1Q9/tk3Y9L4n210XzJF5WtnDX64a5ww=
+github.com/swaggo/http-swagger v1.3.4/go.mod h1:9dAh0unqMBAlbp1uE2Uc2mQTxNMU/ha4UbucIg1MFkQ=
+github.com/swaggo/swag v1.16.6 h1:qBNcx53ZaX+M5dxVyTrgQ0PJ/ACK+NzhwcbieTt+9yI=
+github.com/swaggo/swag v1.16.6/go.mod h1:ngP2etMK5a0P3QBizic5MEwpRmluJZPHjXcMoj4Xesg=
 go.yaml.in/yaml/v3 v3.0.4 h1:tfq32ie2Jv2UxXFdLJdh3jXuOzWiL1fo0bu/FbuKpbc=
 go.yaml.in/yaml/v3 v3.0.4/go.mod h1:DhzuOOF2ATzADvBadXxruRBLzYTpT36CKvDb3+aBEFg=
-golang.org/x/sys v0.29.0 h1:TPYlXGxvx1MGTn2GiZDhnjPA9wZzZeGKHHmKhHYvgaU=
-golang.org/x/sys v0.29.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
-golang.org/x/text v0.28.0 h1:rhazDwis8INMIwQ4tpjLDzUhx6RlXqZNPEM0huQojng=
-golang.org/x/text v0.28.0/go.mod h1:U8nCwOR8jO/marOQ0QbDiOngZVEBB7MAiitBuMjXiNU=
+golang.org/x/crypto v0.46.0 h1:cKRW/pmt1pKAfetfu+RCEvjvZkA9RimPbh7bhFjGVBU=
+golang.org/x/crypto v0.46.0/go.mod h1:Evb/oLKmMraqjZ2iQTwDwvCtJkczlDuTmdJXoZVzqU0=
+golang.org/x/mod v0.30.0 h1:fDEXFVZ/fmCKProc/yAXXUijritrDzahmwwefnjoPFk=
+golang.org/x/mod v0.30.0/go.mod h1:lAsf5O2EvJeSFMiBxXDki7sCgAxEUcZHXoXMKT4GJKc=
+golang.org/x/net v0.0.0-20210805182204-aaa1db679c0d/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
+golang.org/x/net v0.47.0 h1:Mx+4dIFzqraBXUugkia1OOvlD6LemFo1ALMHjrXDOhY=
+golang.org/x/net v0.47.0/go.mod h1:/jNxtkgq5yWUGYkaZGqo27cfGZ1c5Nen03aYrrKpVRU=
+golang.org/x/sync v0.19.0 h1:vV+1eWNmZ5geRlYjzm2adRgW2/mcpevXNg50YZtPCE4=
+golang.org/x/sync v0.19.0/go.mod h1:9KTHXmSnoGruLpwFjVSX0lNNA75CykiMECbovNTZqGI=
+golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.39.0 h1:CvCKL8MeisomCi6qNZ+wbb0DN9E5AATixKsvNtMoMFk=
+golang.org/x/sys v0.39.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
+golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
+golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
+golang.org/x/text v0.32.0 h1:ZD01bjUt1FQ9WJ0ClOL5vxgxOI/sVCNgX1YtKwcY0mU=
+golang.org/x/text v0.32.0/go.mod h1:o/rUWzghvpD5TXrTIBuJU77MTaN0ljMWE47kxGJQ7jY=
+golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
+golang.org/x/tools v0.39.0 h1:ik4ho21kwuQln40uelmciQPp9SipgNDdrafrYA4TmQQ=
+golang.org/x/tools v0.39.0/go.mod h1:JnefbkDPyD8UU2kI5fuf8ZX4/yUeh9W877ZeBONxUqQ=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
-gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15 h1:YR8cESwS4TdDjEe65xsg0ogRM/Nc3DYOhEAlW+xobZo=
-gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
+gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
+gopkg.in/check.v1 v1.0.0-20200227125254-8fa46927fb4f h1:BLraFXnmrev5lT+xlilqcH8XK9/i0At2xKjWk4p6zsU=
+gopkg.in/check.v1 v1.0.0-20200227125254-8fa46927fb4f/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
+gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
+gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY=
+gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ=
+gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
+gopkg.in/yaml.v3 v3.0.0-20200615113413-eeeca48fe776/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gorm.io/driver/sqlite v1.6.0 h1:WHRRrIiulaPiPFmDcod6prc4l2VGVWHz80KspNsxSfQ=
--- a/internal/acl/errors.go
+++ b/internal/acl/errors.go
@@ -0,0 +1,27 @@
+package acl
+
+// TODO: add more specific errors
+
+import "fmt"
+
+var (
+	ErrNotInitialized = fmt.Errorf("acl service is not initialized")
+
+	ErrRoleNotFound        = fmt.Errorf("role not found")
+	ErrRoleAlreadyExists   = fmt.Errorf("role already exists")
+	ErrInvalidRoleName     = fmt.Errorf("role name is invalid")
+	ErrSameRoleName        = fmt.Errorf("role name is the same as another role")
+	ErrRoleInUse           = fmt.Errorf("role is in use")
+	ErrRoleAlreadyAssigned = fmt.Errorf("role is already assigned to user")
+
+	ErrResourceNotFound        = fmt.Errorf("resource not found")
+	ErrResourceAlreadyExists   = fmt.Errorf("resource already exists")
+	ErrInvalidResourceKey      = fmt.Errorf("invalid resource key")
+	ErrResourceInUse           = fmt.Errorf("resource is in use")
+	ErrSameResourceKey         = fmt.Errorf("resource key is the same as another resource")
+	ErrResourceAlreadyAssigned = fmt.Errorf("resource is already assigned to role")
+	ErrRoleResourceNotFound    = fmt.Errorf("assigned resource to role is not found")
+
+	ErrUserNotFound     = fmt.Errorf("user not found")
+	ErrUserRoleNotFound = fmt.Errorf("user role not found")
+)
--- a/internal/acl/models.go
+++ b/internal/acl/models.go
@@ -0,0 +1,32 @@
+package acl
+
+import "git.oblat.lv/alex/triggerssmith/internal/user"
+
+type UserRole struct {
+	UserID uint `gorm:"index;not null;uniqueIndex:ux_user_role"`
+	RoleID uint `gorm:"index;not null;uniqueIndex:ux_user_role"`
+
+	Role Role      `gorm:"constraint:OnDelete:CASCADE;foreignKey:RoleID;references:ID" json:"role"`
+	User user.User `gorm:"constraint:OnDelete:CASCADE;foreignKey:UserID;references:ID"`
+}
+
+type Resource struct {
+	ID  uint   `gorm:"primaryKey;autoIncrement" json:"id"`
+	Key string `gorm:"unique;not null" json:"key"`
+}
+
+type Role struct {
+	ID   uint   `gorm:"primaryKey;autoIncrement" json:"id"`
+	Name string `gorm:"unique;not null" json:"name"`
+
+	Resources []Resource  `gorm:"many2many:role_resources" json:"resources"`
+	Users     []user.User `gorm:"many2many:user_roles"`
+}
+
+type RoleResource struct {
+	RoleID     uint `gorm:"primaryKey" json:"roleId"`
+	ResourceID uint `gorm:"primaryKey" json:"resourceId"`
+
+	Role     Role     `gorm:"constraint:OnDelete:CASCADE;foreignKey:RoleID;references:ID" json:"role"`
+	Resource Resource `gorm:"constraint:OnDelete:CASCADE;foreignKey:ResourceID;references:ID" json:"resource"`
+}
--- a/internal/acl/resources.go
+++ b/internal/acl/resources.go
@@ -0,0 +1,220 @@
+package acl
+
+import (
+	"errors"
+	"fmt"
+	"strings"
+
+	"gorm.io/gorm"
+	"gorm.io/gorm/clause"
+)
+
+// GetResources returns all resources.
+// May return [ErrNotInitialized] or db error.
+func (s *Service) GetResources() ([]Resource, error) {
+	if !s.isInitialized() {
+		return nil, ErrNotInitialized
+	}
+
+	var resources []Resource
+	if err := s.db.Order("id").Find(&resources).Error; err != nil {
+		return nil, fmt.Errorf("db error: %w", err)
+	}
+
+	return resources, nil
+}
+
+// CreateResource creates a new resource with the given key or returns existing one.
+// Returns ID of created resource.
+// May return [ErrNotInitialized], [ErrInvalidResourceKey], [ErrResourceAlreadyExists] or db error.
+func (s *Service) CreateResource(key string) (uint, error) {
+	if !s.isInitialized() {
+		return 0, ErrNotInitialized
+	}
+
+	key = strings.TrimSpace(key)
+	if key == "" {
+		return 0, ErrInvalidResourceKey
+	}
+
+	var res Resource
+	if err := s.db.Where("key = ?", key).First(&res).Error; err == nil {
+		// already exists
+		return res.ID, ErrResourceAlreadyExists
+	} else if !errors.Is(err, gorm.ErrRecordNotFound) {
+		// other db error
+		return 0, fmt.Errorf("db error: %w", err)
+	}
+
+	res = Resource{Key: key}
+	if err := s.db.Create(&res).Error; err != nil {
+		return 0, fmt.Errorf("db error: %w", err)
+	}
+
+	return res.ID, nil
+}
+
+// GetResourceByID returns the resource with the given ID.
+// May return [ErrNotInitialized], [ErrResourceNotFound] or db error.
+func (s *Service) GetResourceByID(resourceID uint) (*Resource, error) {
+	if !s.isInitialized() {
+		return nil, ErrNotInitialized
+	}
+
+	var res Resource
+	if err := s.db.First(&res, resourceID).Error; err != nil {
+		if errors.Is(err, gorm.ErrRecordNotFound) {
+			return nil, ErrResourceNotFound
+		}
+		return nil, fmt.Errorf("db error: %w", err)
+	}
+
+	return &res, nil
+}
+
+// UpdateResource updates the key of a resource.
+// May return [ErrNotInitialized], [ErrInvalidResourceKey], [ErrResourceNotFound], [ErrSameResourceKey] or db error.
+func (s *Service) UpdateResource(resourceID uint, newKey string) error {
+	if !s.isInitialized() {
+		return ErrNotInitialized
+	}
+
+	newKey = strings.TrimSpace(newKey)
+	if newKey == "" {
+		return ErrInvalidResourceKey
+	}
+
+	var res Resource
+	if err := s.db.First(&res, resourceID).Error; err != nil {
+		if errors.Is(err, gorm.ErrRecordNotFound) {
+			return ErrResourceNotFound
+		}
+		return fmt.Errorf("db error: %w", err)
+	}
+
+	// same key?
+	if res.Key == newKey {
+		return ErrSameResourceKey
+	}
+
+	// check if key used by another resource
+	var count int64
+	if err := s.db.Model(&Resource{}).
+		Where("key = ? AND id != ?", newKey, resourceID).
+		Count(&count).Error; err != nil {
+		return fmt.Errorf("db error: %w", err)
+	}
+
+	if count > 0 {
+		return ErrSameResourceKey
+	}
+
+	res.Key = newKey
+	if err := s.db.Save(&res).Error; err != nil {
+		return fmt.Errorf("failed to update resource: %w", err)
+	}
+
+	return nil
+}
+
+// DeleteResource deletes a resource.
+// May return [ErrNotInitialized], [ErrResourceNotFound], [ErrResourceInUse] or db error.
+func (s *Service) DeleteResource(resourceID uint) error {
+	if !s.isInitialized() {
+		return ErrNotInitialized
+	}
+
+	result := s.db.Delete(&Resource{}, resourceID)
+
+	if err := result.Error; err != nil {
+		if strings.Contains(err.Error(), "FOREIGN KEY constraint failed") {
+			return ErrResourceInUse
+		}
+		return fmt.Errorf("db error: %w", err)
+	}
+
+	if result.RowsAffected == 0 {
+		return ErrResourceNotFound
+	}
+
+	return nil
+}
+
+// AssignResourceToRole assigns a resource to a role
+// May return [ErrNotInitialized], [ErrRoleNotFound], [ErrResourceNotFound], [ErrAlreadyAssigned] or db error.
+func (s *Service) AssignResourceToRole(roleID, resourceID uint) error {
+	if !s.isInitialized() {
+		return ErrNotInitialized
+	}
+
+	// check role exists
+	var r Role
+	if err := s.db.First(&r, roleID).Error; err != nil {
+		if errors.Is(err, gorm.ErrRecordNotFound) {
+			return ErrRoleNotFound
+		}
+		return fmt.Errorf("failed to fetch role: %w", err)
+	}
+
+	// check resource exists
+	var res Resource
+	if err := s.db.First(&res, resourceID).Error; err != nil {
+		if errors.Is(err, gorm.ErrRecordNotFound) {
+			return ErrResourceNotFound
+		}
+		return fmt.Errorf("failed to fetch resource: %w", err)
+	}
+
+	rr := RoleResource{
+		RoleID:     roleID,
+		ResourceID: resourceID,
+	}
+
+	tx := s.db.Clauses(clause.OnConflict{DoNothing: true}).Create(&rr)
+	if tx.Error != nil {
+		return fmt.Errorf("failed to assign resource to role: %w", tx.Error)
+	}
+
+	// if nothing inserted — already assigned
+	if tx.RowsAffected == 0 {
+		return ErrResourceAlreadyAssigned
+	}
+
+	return nil
+}
+
+// RemoveResourceFromRole removes a resource from a role
+// May return [ErrNotInitialized], [ErrRoleNotFound], [ErrResourceNotFound], [ErrRoleResourceNotFound] or db error.
+func (s *Service) RemoveResourceFromRole(roleID, resourceID uint) error {
+	if !s.isInitialized() {
+		return ErrNotInitialized
+	}
+	// check role exists
+	var r Role
+	if err := s.db.First(&r, roleID).Error; err != nil {
+		if errors.Is(err, gorm.ErrRecordNotFound) {
+			return ErrRoleNotFound
+		}
+		return fmt.Errorf("failed to fetch role: %w", err)
+	}
+
+	// check resource exists
+	var res Resource
+	if err := s.db.First(&res, resourceID).Error; err != nil {
+		if errors.Is(err, gorm.ErrRecordNotFound) {
+			return ErrResourceNotFound
+		}
+		return fmt.Errorf("failed to fetch resource: %w", err)
+	}
+
+	tx := s.db.Where("role_id = ? AND resource_id = ?", roleID, resourceID).Delete(&RoleResource{})
+	if tx.Error != nil {
+		return fmt.Errorf("failed to remove resource from role: %w", tx.Error)
+	}
+
+	if tx.RowsAffected == 0 {
+		return ErrRoleResourceNotFound
+	}
+
+	return nil
+}
--- a/internal/acl/roles.go
+++ b/internal/acl/roles.go
@@ -0,0 +1,240 @@
+package acl
+
+import (
+	"errors"
+	"fmt"
+	"strings"
+
+	"git.oblat.lv/alex/triggerssmith/internal/user"
+	"gorm.io/gorm"
+	"gorm.io/gorm/clause"
+)
+
+// GetRoles returns all roles.
+// May return [ErrNotInitialized] or db error.
+func (s *Service) GetRoles() ([]Role, error) {
+	if !s.isInitialized() {
+		return nil, ErrNotInitialized
+	}
+
+	var roles []Role
+	if err := s.db.Preload("Resources").Preload("Users").Order("id").Find(&roles).Error; err != nil {
+		return nil, fmt.Errorf("db error: %w", err)
+	}
+
+	return roles, nil
+}
+
+// CreateRole creates a new role with the given name or returns existing one.
+// Returns the ID of the created role.
+// May return [ErrNotInitialized], [ErrInvalidRoleName], [ErrRoleAlreadyExists] or db error.
+func (s *Service) CreateRole(name string) (uint, error) {
+	if !s.isInitialized() {
+		return 0, ErrNotInitialized
+	}
+
+	name = strings.TrimSpace(name)
+	if name == "" {
+		return 0, ErrInvalidRoleName
+	}
+
+	var role Role
+	if err := s.db.Where("name = ?", name).First(&role).Error; err == nil {
+		// already exists
+		return role.ID, ErrRoleAlreadyExists
+	} else if !errors.Is(err, gorm.ErrRecordNotFound) {
+		// other database error
+		return 0, fmt.Errorf("db error: %w", err)
+	}
+
+	role = Role{Name: name}
+	if err := s.db.Create(&role).Error; err != nil {
+		return 0, fmt.Errorf("db error: %w", err)
+	}
+
+	return role.ID, nil
+}
+
+// GetRoleByID returns the role with the given ID or an error.
+// May return [ErrNotInitialized], [ErrRoleNotFound] or db error.
+func (s *Service) GetRoleByID(roleID uint) (*Role, error) {
+	if !s.isInitialized() {
+		return nil, ErrNotInitialized
+	}
+	var role Role
+	err := s.db.Preload("Resources").Preload("Users").First(&role, roleID).Error
+	if err != nil {
+		if errors.Is(err, gorm.ErrRecordNotFound) {
+			return nil, ErrRoleNotFound
+		}
+		return nil, fmt.Errorf("db error: %w", err)
+	}
+
+	return &role, nil
+}
+
+// UpdateRole updates the name of a role.
+// May return [ErrNotInitialized], [ErrInvalidRoleName], [ErrRoleNotFound], [ErrSameRoleName], or db error.
+func (s *Service) UpdateRole(roleID uint, newName string) error {
+	if !s.isInitialized() {
+		return ErrNotInitialized
+	}
+
+	newName = strings.TrimSpace(newName)
+	if newName == "" {
+		return ErrInvalidRoleName
+	}
+
+	var role Role
+	err := s.db.First(&role, roleID).Error
+	if err != nil {
+		if errors.Is(err, gorm.ErrRecordNotFound) {
+			return ErrRoleNotFound
+		}
+		return fmt.Errorf("db error: %w", err)
+	}
+
+	// check for name conflicts
+	if role.Name == newName {
+		return ErrSameRoleName
+	}
+	var count int64
+	err = s.db.Model(&Role{}).Where("name = ? AND id != ?", newName, roleID).Count(&count).Error
+	if err != nil {
+		return fmt.Errorf("db error: %w", err)
+	}
+	if count > 0 {
+		return ErrSameRoleName
+	}
+
+	role.Name = newName
+	if err := s.db.Save(&role).Error; err != nil {
+		return fmt.Errorf("failed to update role: %w", err)
+	}
+
+	return nil
+}
+
+// DeleteRole deletes a role.
+// May return [ErrNotInitialized], [ErrRoleNotFound], [ErrRoleInUse] or db error.
+func (s *Service) DeleteRole(roleID uint) error {
+	if !s.isInitialized() {
+		return ErrNotInitialized
+	}
+
+	result := s.db.Delete(&Role{}, roleID)
+	if err := result.Error; err != nil {
+		if strings.Contains(err.Error(), "FOREIGN KEY constraint failed") {
+			return ErrRoleInUse
+		}
+		return fmt.Errorf("db error: %w", err)
+	}
+
+	if result.RowsAffected == 0 {
+		return ErrRoleNotFound
+	}
+
+	return nil
+}
+
+// GetUserRoles returns all roles for a given user.
+// May return [ErrNotInitialized], [ErrUserNotFound], [ErrRoleNotFound] or db error.
+func (s *Service) GetUserRoles(userID uint) ([]Role, error) {
+	if !s.isInitialized() {
+		return nil, ErrNotInitialized
+	}
+	var user user.User
+	if err := s.db.First(&user, userID).Error; err != nil {
+		if errors.Is(err, gorm.ErrRecordNotFound) {
+			return nil, ErrUserNotFound
+		}
+		return nil, fmt.Errorf("failed to fetch user: %w", err)
+	}
+
+	var roles []Role
+	err := s.db.
+		Joins("JOIN user_roles ur ON ur.role_id = roles.id").
+		Where("ur.user_id = ?", userID).
+		Find(&roles).Error
+	if err != nil {
+		return nil, fmt.Errorf("failed to get user roles: %w", err)
+	}
+
+	if len(roles) == 0 {
+		return nil, ErrRoleNotFound
+	}
+	return roles, nil
+}
+
+// AssignRoleToUser assigns a role to a user.
+// May return [ErrNotInitialized], [ErrUserNotFound], [ErrRoleNotFound], [ErrRoleAlreadyAssigned] or db error.
+func (s *Service) AssignRoleToUser(roleID, userID uint) error {
+	if !s.isInitialized() {
+		return ErrNotInitialized
+	}
+	var user user.User
+	if err := s.db.First(&user, userID).Error; err != nil {
+		if errors.Is(err, gorm.ErrRecordNotFound) {
+			return ErrUserNotFound
+		}
+		return fmt.Errorf("failed to fetch user: %w", err)
+	}
+
+	var r Role
+	if err := s.db.First(&r, roleID).Error; err != nil {
+		if errors.Is(err, gorm.ErrRecordNotFound) {
+			return ErrRoleNotFound
+		}
+		return fmt.Errorf("failed to fetch role: %w", err)
+	}
+
+	ur := UserRole{
+		UserID: userID,
+		RoleID: roleID,
+	}
+
+	tx := s.db.Clauses(clause.OnConflict{DoNothing: true}).Create(&ur)
+	if tx.Error != nil {
+		return fmt.Errorf("failed to assign resource to role: %w", tx.Error)
+	}
+	if tx.RowsAffected == 0 {
+		return ErrRoleAlreadyAssigned
+	}
+
+	return nil
+}
+
+// RemoveRoleFromUser removes a role from a user.
+// May return [ErrNotInitialized], [ErrUserNotFound], [ErrRoleNotFound], [ErrUserRoleNotFound] or db error.
+func (s *Service) RemoveRoleFromUser(roleID, userID uint) error {
+	if !s.isInitialized() {
+		return ErrNotInitialized
+	}
+
+	var user user.User
+	if err := s.db.First(&user, userID).Error; err != nil {
+		if errors.Is(err, gorm.ErrRecordNotFound) {
+			return ErrUserNotFound
+		}
+		return fmt.Errorf("failed to fetch user: %w", err)
+	}
+
+	var r Role
+	if err := s.db.First(&r, roleID).Error; err != nil {
+		if errors.Is(err, gorm.ErrRecordNotFound) {
+			return ErrRoleNotFound
+		}
+		return fmt.Errorf("failed to fetch role: %w", err)
+	}
+
+	tx := s.db.Where("role_id = ? AND user_id = ?", roleID, userID).Delete(&UserRole{})
+	if tx.Error != nil {
+		return fmt.Errorf("failed to remove role from user: %w", tx.Error)
+	}
+
+	if tx.RowsAffected == 0 {
+		return ErrUserRoleNotFound
+	}
+
+	return nil
+}
--- a/internal/acl/service.go
+++ b/internal/acl/service.go
@@ -0,0 +1,41 @@
+package acl
+
+import (
+	"fmt"
+
+	"gorm.io/gorm"
+)
+
+type Service struct {
+	initialized bool
+
+	db *gorm.DB
+}
+
+func NewService(db *gorm.DB) (*Service, error) {
+	if db == nil {
+		return nil, fmt.Errorf("db is required")
+	}
+	return &Service{
+		db: db,
+	}, nil
+}
+
+func (s *Service) isInitialized() bool {
+	return s.initialized
+}
+
+func (s *Service) Init() error {
+	if s.isInitialized() {
+		return nil
+	}
+
+	// AutoMigrate models
+	err := s.db.AutoMigrate(&UserRole{}, &Resource{}, &Role{}, &RoleResource{})
+	if err != nil {
+		return fmt.Errorf("failed to migrate ACL models: %w", err)
+	}
+
+	s.initialized = true
+	return nil
+}
--- a/internal/acl_test/crud_test.go
+++ b/internal/acl_test/crud_test.go
@@ -0,0 +1,158 @@
+package acl_test
+
+// DEPRECATED TEST FILE
+
+// import (
+// 	"os"
+// 	"path/filepath"
+// 	"testing"
+
+// 	"git.oblat.lv/alex/triggerssmith/internal/acl"
+// 	"git.oblat.lv/alex/triggerssmith/internal/user"
+// 	"gorm.io/driver/sqlite"
+// 	"gorm.io/gorm"
+// )
+
+// func openTestDB(t *testing.T) *gorm.DB {
+// 	t.Helper()
+
+// 	// Путь к файлу базы
+// 	dbPath := filepath.Join("testdata", "test.db")
+
+// 	// Удаляем старую базу, если есть
+// 	os.Remove(dbPath)
+
+// 	db, err := gorm.Open(sqlite.Open(dbPath), &gorm.Config{})
+// 	if err != nil {
+// 		t.Fatalf("failed to open test db: %v", err)
+// 	}
+
+// 	// Миграция таблицы User для связи с ACL
+// 	if err := db.AutoMigrate(&user.User{}); err != nil {
+// 		t.Fatalf("failed to migrate User: %v", err)
+// 	}
+
+// 	return db
+// }
+
+// func TestACLService_CRUD(t *testing.T) {
+// 	db := openTestDB(t)
+
+// 	// Создаём сервис ACL
+// 	svc, err := acl.NewService(db)
+// 	if err != nil {
+// 		t.Fatalf("failed to create ACL service: %v", err)
+// 	}
+
+// 	if err := svc.Init(); err != nil {
+// 		t.Fatalf("failed to init ACL service: %v", err)
+// 	}
+
+// 	// Создаём роли
+// 	if err := svc.CreateRole("admin"); err != nil {
+// 		t.Fatalf("CreateRole failed: %v", err)
+// 	}
+// 	if err := svc.CreateRole("guest"); err != nil {
+// 		t.Fatalf("CreateRole failed: %v", err)
+// 	}
+
+// 	roles, err := svc.GetRoles()
+// 	if err != nil {
+// 		t.Fatalf("GetRoles failed: %v", err)
+// 	}
+// 	if len(roles) != 2 {
+// 		t.Fatalf("expected 2 roles, got %d", len(roles))
+// 	}
+
+// 	// Создаём ресурсы
+// 	if err := svc.CreateResource("*"); err != nil {
+// 		t.Fatalf("CreateResource failed: %v", err)
+// 	}
+// 	if err := svc.CreateResource("html.view.*"); err != nil {
+// 		t.Fatalf("CreateResource failed: %v", err)
+// 	}
+
+// 	resources, err := svc.GetPermissions()
+// 	if err != nil {
+// 		t.Fatalf("GetPermissions failed: %v", err)
+// 	}
+// 	if len(resources) != 2 {
+// 		t.Fatalf("expected 2 resources, got %d", len(resources))
+// 	}
+
+// 	// 1. Создаём сервис user
+// 	store, err := user.NewGormUserStore(db)
+// 	if err != nil {
+// 		t.Fatalf("failed to create user store: %v", err)
+// 	}
+// 	userSvc, err := user.NewService(store)
+// 	if err != nil {
+// 		t.Fatalf("failed to create user service: %v", err)
+// 	}
+
+// 	// 2. Инициализируем
+// 	if err := userSvc.Init(); err != nil {
+// 		t.Fatalf("failed to init user service: %v", err)
+// 	}
+
+// 	user := &user.User{
+// 		Username: "testuser",
+// 		Email:    "testuser@example.com",
+// 		Password: "secret",
+// 	}
+
+// 	u := user
+
+// 	// 3. Создаём пользователя через сервис
+// 	err = userSvc.Create(user)
+// 	if err != nil {
+// 		t.Fatalf("failed to create user: %v", err)
+// 	}
+
+// 	// Привязываем роль к пользователю
+// 	adminRoleID := roles[0].ID
+// 	if err := svc.AssignRoleToUser(adminRoleID, uint(u.ID)); err != nil {
+// 		t.Fatalf("AssignRoleToUser failed: %v", err)
+// 	}
+
+// 	userRoles, err := svc.GetUserRoles(uint(u.ID))
+// 	if err != nil {
+// 		t.Fatalf("GetUserRoles failed: %v", err)
+// 	}
+// 	if len(userRoles) != 1 || userRoles[0].ID != adminRoleID {
+// 		t.Fatalf("expected user to have admin role")
+// 	}
+
+// 	// Привязываем ресурсы к роли
+// 	for _, res := range resources {
+// 		if err := svc.AssignResourceToRole(adminRoleID, res.ID); err != nil {
+// 			t.Fatalf("AssignResourceToRole failed: %v", err)
+// 		}
+// 	}
+
+// 	roleResources, err := svc.GetRoleResources(adminRoleID)
+// 	if err != nil {
+// 		t.Fatalf("GetRoleResources failed: %v", err)
+// 	}
+// 	if len(roleResources) != 2 {
+// 		t.Fatalf("expected role to have 2 resources")
+// 	}
+
+// 	// Удаляем ресурс из роли
+// 	if err := svc.RemoveResourceFromRole(adminRoleID, resources[0].ID); err != nil {
+// 		t.Fatalf("RemoveResourceFromRole failed: %v", err)
+// 	}
+// 	roleResources, _ = svc.GetRoleResources(adminRoleID)
+// 	if len(roleResources) != 1 {
+// 		t.Fatalf("expected 1 resource after removal")
+// 	}
+
+// 	// Удаляем роль у пользователя
+// 	if err := svc.RemoveRoleFromUser(adminRoleID, uint(u.ID)); err != nil {
+// 		t.Fatalf("RemoveRoleFromUser failed: %v", err)
+// 	}
+// 	userRoles, _ = svc.GetUserRoles(uint(u.ID))
+// 	if len(userRoles) != 0 {
+// 		t.Fatalf("expected user to have 0 roles after removal")
+// 	}
+// }
--- a/internal/auth/errors.go
+++ b/internal/auth/errors.go
@@ -0,0 +1,13 @@
+package auth
+
+import "fmt"
+
+var (
+	ErrUserNotFound    = fmt.Errorf("user not found")
+	ErrInvalidPassword = fmt.Errorf("invalid password")
+	ErrInvalidEmail    = fmt.Errorf("invalid email")
+	ErrInvalidUsername = fmt.Errorf("invalid username")
+
+	ErrTokenIsMissing = fmt.Errorf("token is missing")
+	ErrInvalidToken   = fmt.Errorf("invalid token")
+)
--- a/internal/auth/service.go
+++ b/internal/auth/service.go
@@ -0,0 +1,256 @@
+package auth
+
+import (
+	"errors"
+	"fmt"
+	"net/http"
+	"strings"
+
+	"git.oblat.lv/alex/triggerssmith/internal/config"
+	"git.oblat.lv/alex/triggerssmith/internal/jwt"
+	"git.oblat.lv/alex/triggerssmith/internal/token"
+	user_p "git.oblat.lv/alex/triggerssmith/internal/user"
+	ejwt "github.com/golang-jwt/jwt/v5"
+	"golang.org/x/crypto/bcrypt"
+)
+
+type Tokens struct {
+	Access  string
+	Refresh string
+}
+
+type Service struct {
+	cfg *config.Config
+
+	services struct {
+		jwt   *jwt.Service
+		user  *user_p.Service
+		token *token.Service
+	}
+}
+
+type AuthServiceDependencies struct {
+	Configuration *config.Config
+
+	JWTService   *jwt.Service
+	UserService  *user_p.Service
+	TokenService *token.Service
+}
+
+func NewAuthService(deps AuthServiceDependencies) (*Service, error) {
+	if deps.Configuration == nil {
+		return nil, fmt.Errorf("config is nil")
+	}
+	if deps.JWTService == nil {
+		return nil, fmt.Errorf("jwt service is nil")
+	}
+	if deps.UserService == nil {
+		return nil, fmt.Errorf("user service is nil")
+	}
+	if deps.TokenService == nil {
+		return nil, fmt.Errorf("token service is nil")
+	}
+	return &Service{
+		cfg: deps.Configuration,
+		services: struct {
+			jwt   *jwt.Service
+			user  *user_p.Service
+			token *token.Service
+		}{
+			jwt:   deps.JWTService,
+			user:  deps.UserService,
+			token: deps.TokenService,
+		},
+	}, nil
+}
+
+// Users
+
+func (s *Service) Get(by, value string) (*user_p.User, error) {
+	return s.services.user.GetBy(by, value)
+}
+
+// Register creates a new user with the given username, email, and password.
+// Password is hashed before storing.
+// Returns the created user or an error.
+func (s *Service) Register(username, email, password string) (*user_p.User, error) {
+	hashedPassword, err := bcrypt.GenerateFromPassword([]byte(password), bcrypt.DefaultCost)
+	if err != nil {
+		return nil, fmt.Errorf("failed to hash password: %w", err)
+	}
+
+	user := &user_p.User{
+		Username: username,
+		Email:    email,
+		Password: string(hashedPassword),
+	}
+
+	err = s.services.user.Create(user)
+	if err != nil {
+		return nil, fmt.Errorf("failed to create user: %w", err)
+	}
+
+	return user, nil
+}
+
+// Login authenticates a user with the given username and password.
+// Returns access and refresh tokens if successful.
+func (s *Service) Login(username, password string) (*Tokens, error) {
+	user, err := s.services.user.GetBy("username", username)
+	if err != nil {
+		if err == user_p.ErrUserNotFound {
+			return nil, ErrInvalidUsername
+		}
+		return nil, fmt.Errorf("failed to get user by username: %w", err)
+	}
+
+	err = bcrypt.CompareHashAndPassword([]byte(user.Password), []byte(password))
+	if err != nil {
+		return nil, ErrInvalidPassword
+	}
+	refreshToken, rjti, err := s.services.jwt.Generate(s.cfg.Auth.RefreshTokenTTL, ejwt.MapClaims{
+		"sub": user.ID,
+	})
+	if err != nil {
+		return nil, fmt.Errorf("failed to generate refresh token: %w", err)
+	}
+	accessToken, _, err := s.services.jwt.Generate(s.cfg.Auth.AccessTokenTTL, ejwt.MapClaims{
+		"sub":  user.ID,
+		"rjti": rjti,
+	})
+	if err != nil {
+		return nil, fmt.Errorf("failed to generate refresh token: %w", err)
+	}
+	return &Tokens{Access: accessToken, Refresh: refreshToken}, nil
+}
+
+// Logout revokes the refresh token identified by the given rjti.
+func (s *Service) Logout(rjti string) error {
+	err := s.services.token.RevokeByRefreshDefault(rjti)
+	if err != nil {
+		if errors.Is(err, token.ErrTokenIsRevoked) {
+			return ErrInvalidToken
+		}
+		return fmt.Errorf("failed to revoke token: %w", err)
+	}
+	return nil
+}
+
+// Access tokens
+
+// ValidateAccessToken validates the given access token string.
+// Returns claims if valid, or an error.
+func (s *Service) ValidateAccessToken(tokenStr string) (ejwt.Claims, error) {
+	claims, _, err := s.services.jwt.Validate(tokenStr)
+	if err != nil {
+		return nil, fmt.Errorf("failed to validate access token: %w", err)
+	}
+
+	isRevoked, err := s.services.token.IsRevoked(claims["rjti"].(string))
+	if err != nil {
+		return nil, fmt.Errorf("failed to check if token is revoked: %w", err)
+	}
+	if isRevoked {
+		return nil, fmt.Errorf("token is revoked")
+	}
+
+	return claims, nil
+}
+
+// Refresh tokens
+
+// RefreshTokens validates the given refresh token and issues new access and refresh tokens.
+// Returns the new access and refresh tokens or an error.
+// May return [ErrInvalidToken] if the refresh token is invalid or revoked.
+func (s *Service) RefreshTokens(refreshTokenStr string) (*Tokens, error) {
+	claims, rjti, err := s.services.jwt.Validate(refreshTokenStr)
+	if err != nil {
+		return nil, errors.Join(ErrInvalidToken, err)
+	}
+
+	isRevoked, err := s.services.token.IsRevoked(rjti)
+	if err != nil {
+		return nil, fmt.Errorf("failed to check if token is revoked: %w", err)
+	}
+	if isRevoked {
+		return nil, ErrInvalidToken
+	}
+
+	sub := claims["sub"].(float64)
+
+	newRefreshToken, newRjti, err := s.services.jwt.Generate(s.cfg.Auth.RefreshTokenTTL, ejwt.MapClaims{
+		"sub": sub,
+	})
+	if err != nil {
+		return nil, fmt.Errorf("failed to generate new refresh token: %w", err)
+	}
+	newAccessToken, _, err := s.services.jwt.Generate(s.cfg.Auth.AccessTokenTTL, ejwt.MapClaims{
+		"sub":  sub,
+		"rjti": newRjti,
+	})
+	if err != nil {
+		return nil, fmt.Errorf("failed to generate new access token: %w", err)
+	}
+
+	// Revoke the old refresh token
+	if err := s.services.token.RevokeByRefreshDefault(rjti); err != nil {
+		return nil, fmt.Errorf("failed to revoke old refresh token: %w", err)
+	}
+
+	return &Tokens{Access: newAccessToken, Refresh: newRefreshToken}, nil
+}
+
+// ValidateRefreshToken validates the given refresh token string.
+// Returns claims and error.
+func (s *Service) ValidateRefreshToken(tokenStr string) (ejwt.Claims, error) {
+	claims, _, err := s.services.jwt.Validate(tokenStr)
+	if err != nil {
+		return nil, fmt.Errorf("failed to validate refresh token: %w", err)
+	}
+
+	isRevoked, err := s.services.token.IsRevoked(claims["jti"].(string))
+	if err != nil {
+		return nil, fmt.Errorf("failed to check if token is revoked: %w", err)
+	}
+	if isRevoked {
+		return nil, fmt.Errorf("refresh token is revoked")
+	}
+
+	return claims, nil
+}
+
+// RevokeRefresh revokes the refresh token identified by the given token string.
+func (s *Service) RevokeRefresh(token string) error {
+	_, rjti, err := s.services.jwt.Validate(token)
+	if err != nil {
+		return fmt.Errorf("failed to validate refresh token: %w", err)
+	}
+
+	return s.services.token.RevokeByRefreshDefault(rjti)
+}
+
+// IsRefreshRevoked checks if the refresh token identified by the given token string is revoked.
+func (s *Service) IsRefreshRevoked(token string) (bool, error) {
+	_, rjti, err := s.services.jwt.Validate(token)
+	if err != nil {
+		return false, fmt.Errorf("failed to validate refresh token: %w", err)
+	}
+
+	return s.services.token.IsRevoked(rjti)
+}
+
+func (s *Service) AuthenticateRequest(r *http.Request) (ejwt.Claims, error) {
+	header := r.Header.Get("Authorization")
+	if header == "" {
+		return nil, ErrTokenIsMissing
+	}
+	if !strings.HasPrefix(header, "Bearer ") {
+		return nil, ErrTokenIsMissing
+	}
+	tokenString := strings.TrimPrefix(header, "Bearer ")
+	tokenClaims, _, err := s.services.jwt.Validate(tokenString)
+	if err != nil {
+		return nil, err
+	}
+	return tokenClaims, nil
+}
--- a/internal/config/config.go
+++ b/internal/config/config.go
@@ -2,26 +2,73 @@ package config

 import (
 	"sync/atomic"
+	"time"

 	"github.com/akyaiy/GSfass/core/config"
 )

+type StaticConfig struct {
+	Enabled   bool   `mapstructure:"enabled"`
+	Dir       string `mapstructure:"static_dir"`
+	IndexFile string `mapstructure:"index_file"`
+}
+
+type BlockConfig struct {
+	Enabled  bool   `mapstructure:"enabled"`
+	BlockDir string `mapstructure:"block_dir"`
+}
+
 type ServerConfig struct {
-	Port            int    `mapstructure:"port"`
-	Addr            string `mapstructure:"address"`
-	StaticFilesPath string `mapstructure:"static_dir"`
-	LogPath         string `mapstructure:"log_path"`
+	StaticConfig   StaticConfig  `mapstructure:"static"`
+	BlockConfig    BlockConfig   `mapstructure:"block"`
+	Port           int           `mapstructure:"port"`
+	Addr           string        `mapstructure:"address"`
+	LogPath        string        `mapstructure:"log_path"`
+	TimeoutSeconds time.Duration `mapstructure:"timeout_seconds"`
+}
+
+type FuncConfig struct {
+	FunctionDir string `mapstructure:"func_dir"`
+}
+
+type Auth struct {
+	SignAlg         string        `mapstructure:"sign_alg"`
+	HMACSecretPath  string        `mapstructure:"hmac_secret_path"`
+	RefreshTokenTTL time.Duration `mapstructure:"refresh_token_ttl"`
+	AccessTokenTTL  time.Duration `mapstructure:"access_token_ttl"`
+}
+
+type Data struct {
+	DataPath string `mapstructure:"data_dir"`
 }

 type Config struct {
-	Server ServerConfig `mapstructure:"server"`
+	Server    ServerConfig `mapstructure:"server"`
+	Functions FuncConfig   `mapstructure:"functions"`
+	Auth      Auth         `mapstructure:"auth"`
+	Data      Data         `mapstructure:"data"`
 }

 var configPath atomic.Value // string
 var defaults = map[string]any{
-	"server.port":       8080,
-	"server.address":    "127.0.0.0",
-	"server.static_dir": "./static",
+	"server.port":              8080,
+	"server.address":           "127.0.0.0",
+	"server.timeout_seconds":   5,
+	"server.log_path":          "./logs/server.log",
+	"server.static.enabled":    true,
+	"server.static.static_dir": "./static",
+	"server.static.index_file": "index.html",
+	"server.block.enabled":     true,
+	"server.block.block_dir":   "./blocks",
+
+	"data.data_dir": "./data",
+
+	"functions.func_dir": "./functions",
+
+	"auth.refresh_token_ttl": 24 * time.Hour,
+	"auth.access_token_ttl":  15 * time.Minute,
+	"auth.sign_alg":          "HS256",
+	"auth.hmac_secret_path":  "./secret/hmac_secret",
 }

 func read(cfg *Config) error {
--- a/internal/jwt/parse.go
+++ b/internal/jwt/parse.go
@@ -0,0 +1,28 @@
+package jwt
+
+import (
+	"fmt"
+
+	"github.com/golang-jwt/jwt/v5"
+)
+
+func Parse(
+	tokenStr string,
+	method jwt.SigningMethod,
+	key any,
+) (jwt.Claims, error) {
+	t, err := jwt.Parse(tokenStr, func(tok *jwt.Token) (any, error) {
+		if tok.Method.Alg() != method.Alg() {
+			return nil, fmt.Errorf("unexpected signing method")
+		}
+		return key, nil
+	})
+	if err != nil {
+		return nil, err
+	}
+	// check validity twice: invalid token may return nil error
+	if !t.Valid {
+		return nil, fmt.Errorf("invalid token")
+	}
+	return t.Claims, nil
+}
--- a/internal/jwt/service.go
+++ b/internal/jwt/service.go
@@ -0,0 +1,48 @@
+package jwt
+
+import (
+	"maps"
+	"time"
+
+	"github.com/golang-jwt/jwt/v5"
+	"github.com/google/uuid"
+)
+
+type Service struct {
+	signer Signer
+}
+
+func NewService(signer Signer) *Service {
+	return &Service{
+		signer: signer,
+	}
+}
+
+// Generate creates a new JWT token for a given user ID and
+// returns the token string along with its JTI(JWT IDentifier).
+func (s *Service) Generate(ttl time.Duration, extraClaims jwt.MapClaims) (string, string, error) {
+	jti := uuid.NewString()
+
+	claims := jwt.MapClaims{
+		"jti": jti,
+		"exp": time.Now().Add(ttl).Unix(),
+		"iat": time.Now().Unix(),
+	}
+	maps.Copy(claims, extraClaims)
+
+	token, err := s.signer.Sign(claims)
+	return token, jti, err
+}
+
+// Validate verifies the JWT token and extracts the claims and JTI(JWT IDentifier).
+// Returns claims, jti, and error if any.
+func (s *Service) Validate(token string) (jwt.MapClaims, string, error) {
+	claims, err := s.signer.Verify(token)
+	if err != nil {
+		return nil, "", err
+	}
+
+	jti := claims.(jwt.MapClaims)["jti"].(string)
+
+	return claims.(jwt.MapClaims), jti, nil
+}
--- a/internal/jwt/signer.go
+++ b/internal/jwt/signer.go
@@ -0,0 +1,8 @@
+package jwt
+
+import "github.com/golang-jwt/jwt/v5"
+
+type Signer interface {
+	Sign(claims jwt.Claims) (string, error)
+	Verify(token string) (jwt.Claims, error)
+}
--- a/internal/jwt/signer_HS256.go
+++ b/internal/jwt/signer_HS256.go
@@ -0,0 +1,20 @@
+package jwt
+
+import "github.com/golang-jwt/jwt/v5"
+
+type HMACSigner struct {
+	secret []byte
+}
+
+func NewHMACSigner(secret []byte) *HMACSigner {
+	return &HMACSigner{secret: secret}
+}
+
+func (s *HMACSigner) Sign(claims jwt.Claims) (string, error) {
+	t := jwt.NewWithClaims(jwt.SigningMethodHS256, claims)
+	return t.SignedString(s.secret)
+}
+
+func (s *HMACSigner) Verify(tokenStr string) (jwt.Claims, error) {
+	return Parse(tokenStr, jwt.SigningMethodHS256, s.secret)
+}
--- a/internal/server/error.go
+++ b/internal/server/error.go
@@ -0,0 +1,46 @@
+package server
+
+import (
+	"encoding/json"
+	"log/slog"
+	"net/http"
+)
+
+type ErrorResponse struct {
+	Error   string `json:"error"`
+	Details string `json:"details,omitempty"`
+}
+
+func WriteError(w http.ResponseWriter, error, details string, statusCode int) {
+	w.Header().Set("Content-Type", "application/json")
+	w.WriteHeader(statusCode)
+	json.NewEncoder(w).Encode(ErrorResponse{
+		Error:   error,
+		Details: details,
+	})
+}
+
+// RFC-7807 (Problem Details)
+type ProblemDetails struct {
+	Type     string `json:"type" example:"https://api.triggerssmith.com/errors/role-not-found"`
+	Title    string `json:"title" example:"Role not found"`
+	Status   int    `json:"status" example:"404"`
+	Detail   string `json:"detail" example:"No role with ID 42"`
+	Instance string `json:"instance" example:"/api/acl/roles/42"`
+}
+
+var typeDomain = "https://api.triggerssmith.com"
+
+func WriteProblem(w http.ResponseWriter, status int, typ, title, detail string, r *http.Request) {
+	w.Header().Set("Content-Type", "application/problem+json")
+	w.WriteHeader(status)
+	prob := ProblemDetails{
+		Type:     typeDomain + typ,
+		Title:    title,
+		Status:   status,
+		Detail:   detail,
+		Instance: r.URL.Path,
+	}
+	slog.Warn("new problem", "type", typ, "title", title, "detail", detail, "instance", r.URL.Path, "status", status)
+	_ = json.NewEncoder(w).Encode(prob)
+}
--- a/internal/server/notimpl.go
+++ b/internal/server/notimpl.go
@@ -0,0 +1,7 @@
+package server
+
+import "net/http"
+
+func NotImplemented(w http.ResponseWriter) {
+	http.Error(w, "Not implemented", http.StatusNotImplemented)
+}
--- a/internal/server/registry.go
+++ b/internal/server/registry.go
@@ -0,0 +1,27 @@
+package server
+
+import (
+	"sync"
+)
+
+type registry struct {
+	lss map[string]*LiveServer
+	mu  sync.Mutex
+}
+
+var reg = registry{
+	lss: make(map[string]*LiveServer),
+}
+
+func pushLs(ls *LiveServer) {
+	reg.lss[ls.name] = ls
+}
+
+func isExists(name string) bool {
+	_, ok := reg.lss[name]
+	return ok
+}
+
+func deleteLs(name string) {
+	delete(reg.lss, name)
+}
--- a/internal/server/server.go
+++ b/internal/server/server.go
@@ -94,17 +94,17 @@ type LiveServer struct {
 	handler http.Handler

 	active atomic.Value // *instance
-	mu sync.Mutex
+	mu     sync.Mutex

 	statusMu sync.Mutex
-	status Status
+	status   Status

 	initDone bool
 }

 type instance struct {
 	srv *http.Server
-	ln net.Listener
+	ln  net.Listener

 	addr string
 }
@@ -114,7 +114,12 @@ func Create(name string) (*LiveServer, error) {
 		return nil, fmt.Errorf("server name is empty")
 	}

+	if isExists(name) {
+		return nil, fmt.Errorf("server with this name is already exists")
+	}
+
 	ls := &LiveServer{name: name}
+	pushLs(ls)
 	ls.setStatus(Status{ID: StatusStopped})
 	return ls, nil
 }
@@ -198,10 +203,10 @@ func (ls *LiveServer) Start(addr string) error {
 		return err
 	}
 	srv := &http.Server{Handler: ls.handler}
-	
+
 	ls.active.Store(&instance{
-		srv: srv,
-		ln:  ln,
+		srv:  srv,
+		ln:   ln,
 		addr: addr,
 	})

@@ -241,6 +246,17 @@ func (ls *LiveServer) stop(inst *instance) error {
 	return nil
 }

+func StopAll() (errors []error) {
+	for key, ls := range reg.lss {
+		slog.Debug("stopping LiveServer", slog.String("name", key))
+		err := ls.Stop()
+		if err != nil {
+			errors = append(errors, err)
+		}
+	}
+	return
+}
+
 func (ls *LiveServer) Stop() error {
 	inst := ls.active.Load().(*instance)
 	if inst == nil {
@@ -249,7 +265,6 @@ func (ls *LiveServer) Stop() error {
 	return ls.stop(inst)
 }

-
 func (ls *LiveServer) Reload(newAddr string) error {
 	ls.mu.Lock()
 	oldInstAny := ls.active.Load()
@@ -258,8 +273,7 @@ func (ls *LiveServer) Reload(newAddr string) error {
 		oldAddr = oldInstAny.(*instance).addr
 	}
 	ls.mu.Unlock()
-	
-	println("Old addr:", oldAddr, "New addr:", newAddr)
+
 	if oldAddr == newAddr {
 		return nil
 	}
@@ -282,6 +296,12 @@ func (ls *LiveServer) Reload(newAddr string) error {
 	return nil
 }

+// Close deletes [LiveServer] object from registry, and sets ls to nil
+func (ls *LiveServer) Close() {
+	deleteLs(ls.name)
+	ls = nil
+}
+
 // package server

 // import (
@@ -448,7 +468,6 @@ func (ls *LiveServer) Reload(newAddr string) error {
 // 	// }

 // 	ls.setStatus(Status{ID: StatusStarting})
-	

 // 	err := ls.Start()
 // 	if err != nil {
--- a/internal/server/status.go
+++ b/internal/server/status.go
@@ -11,10 +11,10 @@ const (
 )

 type Status struct {
-	ID    StatusID
-	Err   error
+	ID  StatusID
+	Err error
 }

 func (s Status) Error() string {
 	return s.Err.Error()
-}
+}
--- a/internal/token/errors.go
+++ b/internal/token/errors.go
@@ -0,0 +1,7 @@
+package token
+
+import "fmt"
+
+var (
+	ErrTokenIsRevoked = fmt.Errorf("token is revoked")
+)
--- a/internal/token/service.go
+++ b/internal/token/service.go
@@ -0,0 +1,63 @@
+package token
+
+import (
+	"fmt"
+	"time"
+
+	"git.oblat.lv/alex/triggerssmith/internal/config"
+)
+
+type TokenStore interface {
+	revoke(tokenID string, expiresAt time.Time) error
+	isRevoked(tokenID string) (bool, error)
+
+	init() error
+}
+
+type Service struct {
+	initialized bool
+
+	cfg   *config.Auth
+	store TokenStore
+}
+
+func NewTokenService(cfg *config.Auth, store TokenStore) (*Service, error) {
+	if store == nil {
+		return nil, fmt.Errorf("store is nil")
+	}
+	if cfg == nil {
+		return nil, fmt.Errorf("config is nil")
+	}
+	return &Service{cfg: cfg, store: store}, nil
+}
+
+func (s *Service) isInitialized() bool {
+	return s.initialized
+}
+
+func (s *Service) Init() error {
+	if s.isInitialized() {
+		return nil
+	}
+
+	err := s.store.init()
+	if err != nil {
+		return fmt.Errorf("failed to initialize token store: %w", err)
+	}
+
+	s.initialized = true
+	return nil
+}
+
+func (s *Service) Revoke(jti string, exp time.Time) error {
+	return s.store.revoke(jti, exp)
+}
+
+func (s *Service) RevokeByRefreshDefault(jti string) error {
+	expiryTime := time.Now().Add(-time.Duration(s.cfg.RefreshTokenTTL))
+	return s.store.revoke(jti, expiryTime)
+}
+
+func (s *Service) IsRevoked(jti string) (bool, error) {
+	return s.store.isRevoked(jti)
+}
--- a/internal/token/store_sqlite.go
+++ b/internal/token/store_sqlite.go
@@ -0,0 +1,62 @@
+package token
+
+import (
+	"fmt"
+	"time"
+
+	"gorm.io/gorm"
+)
+
+type SQLiteTokenStore struct {
+	db *gorm.DB
+}
+
+type Token struct {
+	TokenID    string    `gorm:"primaryKey"`
+	UserID     int64     `gorm:"index"`
+	Expiration time.Time `gorm:"index"`
+}
+
+// NewSQLiteTokenStore creates a new SQLiteTokenStore with the given GORM DB instance.
+// Actually can be used for any GORM-supported database.
+func NewSQLiteTokenStore(db *gorm.DB) (*SQLiteTokenStore, error) {
+	if db == nil {
+		return nil, fmt.Errorf("db is nil")
+	}
+	return &SQLiteTokenStore{
+		db: db,
+	}, nil
+}
+
+func (s *SQLiteTokenStore) revoke(tokenID string, expiresAt time.Time) error {
+	if revoked, err := s.isRevoked(tokenID); err == nil {
+		if revoked {
+			return ErrTokenIsRevoked
+		}
+	} else {
+		return err
+	}
+	return s.db.Create(&Token{
+		TokenID:    tokenID,
+		Expiration: expiresAt,
+	}).Error
+}
+
+func (s *SQLiteTokenStore) isRevoked(tokenID string) (bool, error) {
+	var count int64
+	err := s.db.Model(&Token{}).Where("token_id = ?", tokenID).Count(&count).Error
+	if err != nil {
+		return false, err
+	}
+	return count > 0, nil
+}
+
+func (s *SQLiteTokenStore) init() error {
+	// AutoMigrate models
+	err := s.db.AutoMigrate(&Token{})
+	if err != nil {
+		return fmt.Errorf("failed to migrate Token model: %w", err)
+	}
+
+	return nil
+}
--- a/internal/token/store_sqlite_test.go
+++ b/internal/token/store_sqlite_test.go
@@ -0,0 +1,71 @@
+package token
+
+import (
+	"os"
+	"path/filepath"
+	"testing"
+	"time"
+
+	"git.oblat.lv/alex/triggerssmith/internal/config"
+	"gorm.io/driver/sqlite"
+	"gorm.io/gorm"
+)
+
+func setupTestDB(t *testing.T) *gorm.DB {
+	t.Helper()
+
+	dbPath := filepath.Join("testdata", "tokens.db")
+
+	_ = os.Remove(dbPath)
+
+	db, err := gorm.Open(sqlite.Open(dbPath), &gorm.Config{})
+	if err != nil {
+		t.Fatalf("failed to open db: %v", err)
+	}
+
+	if err := db.AutoMigrate(&Token{}); err != nil {
+		t.Fatalf("failed to migrate: %v", err)
+	}
+
+	return db
+}
+
+func TestSQLiteTokenStore_RevokeAndCheck(t *testing.T) {
+	db := setupTestDB(t)
+
+	store, err := NewSQLiteTokenStore(db)
+	if err != nil {
+		t.Fatalf("failed to create store: %v", err)
+	}
+
+	cfg := &config.Auth{
+		RefreshTokenTTL: 24 * time.Hour,
+	}
+	service, err := NewTokenService(cfg, store)
+	if err != nil {
+		t.Fatalf("failed to create service: %v", err)
+	}
+
+	jti := "test-token-123"
+	exp := time.Now().Add(time.Hour)
+
+	revoked, err := service.IsRevoked(jti)
+	if err != nil {
+		t.Fatalf("isRevoked failed: %v", err)
+	}
+	if revoked {
+		t.Fatalf("token should NOT be revoked initially")
+	}
+
+	if err := service.Revoke(jti, exp); err != nil {
+		t.Fatalf("revoke failed: %v", err)
+	}
+
+	revoked, err = service.IsRevoked(jti)
+	if err != nil {
+		t.Fatalf("isRevoked failed: %v", err)
+	}
+	if !revoked {
+		t.Fatalf("token should be revoked")
+	}
+}
--- a/internal/user/errors.go
+++ b/internal/user/errors.go
@@ -0,0 +1,7 @@
+package user
+
+import "fmt"
+
+var (
+	ErrUserNotFound = fmt.Errorf("user not found")
+)
--- a/internal/user/gorm_store.go
+++ b/internal/user/gorm_store.go
@@ -0,0 +1,60 @@
+package user
+
+import (
+	"errors"
+	"fmt"
+
+	"gorm.io/gorm"
+)
+
+type GormUserStore struct {
+	db *gorm.DB
+}
+
+func NewGormUserStore(db *gorm.DB) (*GormUserStore, error) {
+	if db == nil {
+		return nil, fmt.Errorf("db is nil")
+	}
+	return &GormUserStore{
+		db: db,
+	}, nil
+}
+
+func (s *GormUserStore) Create(user *User) error {
+	return s.db.Create(user).Error
+}
+
+// Search returns a user by username or id or email
+// May return [ErrUserNotFound] if user not found
+func (s *GormUserStore) GetBy(by, value string) (*User, error) {
+	if by != "username" && by != "id" && by != "email" {
+		return nil, fmt.Errorf("unsuppored field %s", by)
+	}
+	var user User
+	err := s.db.Where(fmt.Sprintf("%s = ?", by), value).First(&user).Error
+	if err != nil {
+		if errors.Is(err, gorm.ErrRecordNotFound) {
+			return nil, ErrUserNotFound
+		}
+		return nil, fmt.Errorf("failed to get user: %w", err)
+	}
+	return &user, nil
+}
+
+func (s *GormUserStore) Update(user *User) error {
+	return s.db.Save(user).Error
+}
+
+func (s *GormUserStore) Delete(id int64) error {
+	return s.db.Delete(&User{}, id).Error
+}
+
+func (s *GormUserStore) init() error {
+	// AutoMigrate models
+	err := s.db.AutoMigrate(&User{})
+	if err != nil {
+		return fmt.Errorf("failed to migrate User model: %w", err)
+	}
+
+	return nil
+}
--- a/internal/user/model.go
+++ b/internal/user/model.go
@@ -0,0 +1,13 @@
+package user
+
+import (
+	"gorm.io/gorm"
+)
+
+type User struct {
+	ID        uint           `gorm:"primaryKey"`
+	Username  string         `gorm:"uniqueIndex;not null"`
+	Email     string         `gorm:"uniqueIndex;not null"`
+	Password  string         `gorm:"not null"`
+	DeletedAt gorm.DeletedAt `gorm:"index"`
+}
--- a/internal/user/service.go
+++ b/internal/user/service.go
@@ -0,0 +1,64 @@
+package user
+
+import "fmt"
+
+type Service struct {
+	initialized bool
+
+	store UserCRUD
+}
+
+func NewService(store UserCRUD) (*Service, error) {
+	if store == nil {
+		return nil, fmt.Errorf("store is nil")
+	}
+	return &Service{
+		store: store,
+	}, nil
+}
+
+func (s *Service) isInitialized() bool {
+	return s.initialized
+}
+
+func (s *Service) Init() error {
+	if s.isInitialized() {
+		return nil
+	}
+
+	err := s.store.init()
+	if err != nil {
+		return fmt.Errorf("failed to initialize user store: %w", err)
+	}
+
+	s.initialized = true
+	return nil
+}
+
+func (s *Service) Create(user *User) error {
+	if !s.isInitialized() {
+		return fmt.Errorf("user service is not initialized")
+	}
+	return s.store.Create(user)
+}
+
+func (s *Service) GetBy(by, value string) (*User, error) {
+	if !s.isInitialized() {
+		return nil, fmt.Errorf("user service is not initialized")
+	}
+	return s.store.GetBy(by, value)
+}
+
+func (s *Service) Update(user *User) error {
+	if !s.isInitialized() {
+		return fmt.Errorf("user service is not initialized")
+	}
+	return s.store.Update(user)
+}
+
+func (s *Service) Delete(id int64) error {
+	if !s.isInitialized() {
+		return fmt.Errorf("user service is not initialized")
+	}
+	return s.store.Delete(id)
+}
--- a/internal/user/store.go
+++ b/internal/user/store.go
@@ -0,0 +1,10 @@
+package user
+
+type UserCRUD interface {
+	Create(user *User) error
+	GetBy(by, value string) (*User, error)
+	Update(user *User) error
+	Delete(id int64) error
+
+	init() error
+}
--- a/internal/user/user_test.go
+++ b/internal/user/user_test.go
@@ -0,0 +1,86 @@
+package user
+
+// DEPRECATED TEST FILE
+
+// import (
+// 	"os"
+// 	"path/filepath"
+// 	"testing"
+
+// 	"gorm.io/driver/sqlite"
+// 	"gorm.io/gorm"
+// )
+
+// func setupTestDB(t *testing.T) *gorm.DB {
+// 	t.Helper()
+
+// 	dbPath := filepath.Join("testdata", "users.db")
+
+// 	_ = os.Remove(dbPath)
+
+// 	db, err := gorm.Open(sqlite.Open(dbPath), &gorm.Config{})
+// 	if err != nil {
+// 		t.Fatalf("failed to open db: %v", err)
+// 	}
+
+// 	if err := db.AutoMigrate(&User{}); err != nil {
+// 		t.Fatalf("failed to migrate: %v", err)
+// 	}
+
+// 	return db
+// }
+
+// func TestUsersCRUD(t *testing.T) {
+// 	db := setupTestDB(t)
+
+// 	store, err := NewGormUserStore(db)
+// 	if err != nil {
+// 		t.Fatalf("failed to create store: %v", err)
+// 	}
+
+// 	service, err := NewService(store)
+// 	if err != nil {
+// 		t.Fatalf("failed to create service: %v", err)
+// 	}
+
+// 	user := &User{
+// 		Username: "testuser",
+// 		Email:    "test@example.com",
+// 		Password: "password123",
+// 	}
+
+// 	if err := service.Create(user); err != nil {
+// 		t.Fatalf("failed to create user: %v", err)
+// 	}
+// 	// retrieved, err := service.GetByID(user.ID)
+// 	// if err != nil {
+// 	// 	t.Fatalf("failed to get user by ID: %v", err)
+// 	// }
+// 	// if retrieved.Username != user.Username {
+// 	// 	t.Fatalf("expected username %s, got %s", user.Username, retrieved.Username)
+// 	// }
+
+// 	// retrievedByUsername, err := service.GetByUsername(user.Username)
+// 	// if err != nil {
+// 	// 	t.Fatalf("failed to get user by username: %v", err)
+// 	// }
+// 	// if retrievedByUsername.Email != user.Email {
+// 	// 	t.Fatalf("expected email %s, got %s", user.Email, retrievedByUsername.Email)
+// 	// }
+
+// 	// user.Email = "newemail@example.com"
+// 	// if err := service.Update(user); err != nil {
+// 	// 	t.Fatalf("failed to update user: %v", err)
+// 	// }
+// 	// retrieved, err = service.GetByID(user.ID)
+// 	// if err != nil {
+// 	// 	t.Fatalf("failed to get user by ID: %v", err)
+// 	// }
+// 	// if retrieved.Email != user.Email {
+// 	// 	t.Fatalf("expected email %s, got %s", user.Email, retrieved.Email)
+// 	// }
+// 	err = service.Delete(user.ID)
+// 	if err != nil {
+// 		t.Fatalf("failed to delete user: %v", err)
+// 	}
+// }
--- a/internal/vars/const.go
+++ b/internal/vars/const.go
@@ -0,0 +1,4 @@
+package vars
+
+const VAR_PATH = "/var/run/triggerssmith/"
+const PID_PATH = VAR_PATH + "serve.pid"
--- a/internal/vars/variables.go
+++ b/internal/vars/variables.go
@@ -0,0 +1,5 @@
+package vars
+
+import "time"
+
+var START_TIME = time.Now()
--- a/internal/vars/version.go
+++ b/internal/vars/version.go
@@ -0,0 +1,3 @@
+package vars
+
+var Version = "0.0.0-none"
--- a/internal/worker/handle.go
+++ b/internal/worker/handle.go
@@ -0,0 +1,101 @@
+package worker
+
+import (
+	"encoding/json"
+	"fmt"
+	"os"
+	"path/filepath"
+
+	"gorm.io/driver/sqlite"
+	"gorm.io/gorm"
+)
+
+type Logger interface {
+	Write(line string)
+}
+
+type RootConfig struct {
+	Data struct {
+		Driver string `json:"driver"`
+		Path   string `json:"path"`
+	} `json:"data"`
+	Log struct {
+		Path string `json:"log_root_path"`
+	} `json:"log"`
+}
+
+type Function struct {
+	ID           uint `gorm:"primaryKey"`
+	FunctionName string
+	Version      string
+	Path         string
+	DeletedAt    gorm.DeletedAt `gorm:"index"`
+}
+
+type FuncConfig struct {
+	Name    string `json:"name"`
+	Version string `json:"version"`
+	Entry   string `json:"entry"`
+	Runtime string `json:"runtime"`
+	Log     struct {
+		Output string `json:"output"`
+	} `json:"log"`
+}
+
+func LoadTreeConfig(root string) (*RootConfig, error) {
+	cfgPath := filepath.Join(root, "config.json")
+	b, err := os.ReadFile(cfgPath)
+	if err != nil {
+		return nil, err
+	}
+	var cfg RootConfig
+	if err := json.Unmarshal(b, &cfg); err != nil {
+		return nil, err
+	}
+	return &cfg, nil
+}
+
+func OpenDB(cfg *RootConfig, root string) (*gorm.DB, error) {
+	switch cfg.Data.Driver {
+	case "sqlite":
+		dbPath := filepath.Join(root, cfg.Data.Path)
+		db, err := gorm.Open(sqlite.Open(dbPath), &gorm.Config{})
+		if err != nil {
+			return nil, err
+		}
+		return db, nil
+	default:
+		return nil, fmt.Errorf("unsupported db driver: %s", cfg.Data.Driver)
+	}
+}
+
+func FindFunction(db *gorm.DB, name, version string) (*Function, error) {
+	var f Function
+	if version == "latest" {
+		err := db.Where("function_name = ? AND deleted_at IS NULL", name).
+			Order("created_at DESC").
+			First(&f).Error
+		if err != nil {
+			return nil, err
+		}
+	} else {
+		if err := db.Where("function_name = ? AND version = ? AND deleted_at IS NULL", name, version).
+			First(&f).Error; err != nil {
+			return nil, err
+		}
+	}
+	return &f, nil
+}
+
+func LoadFunctionConfig(root, funcName, funcPath string) (*FuncConfig, error) {
+	cfgFile := filepath.Join(root, funcName, funcPath, "config.json")
+	b, err := os.ReadFile(cfgFile)
+	if err != nil {
+		return nil, err
+	}
+	var cfg FuncConfig
+	if err := json.Unmarshal(b, &cfg); err != nil {
+		return nil, err
+	}
+	return &cfg, nil
+}
--- a/internal/worker/run.go
+++ b/internal/worker/run.go
@@ -0,0 +1,49 @@
+package worker
+
+import (
+	"bufio"
+	"bytes"
+	"fmt"
+	"os/exec"
+)
+
+type RunOps struct {
+	Log        Logger
+	Path       string
+	FuncConfig *FuncConfig
+	Env        []string
+}
+
+func RunFunction(opt *RunOps, input []byte) ([]byte, error) {
+	if opt.FuncConfig.Runtime != "exec" {
+		return nil, fmt.Errorf("unsupported runtime: %s", opt.FuncConfig.Runtime)
+	}
+
+	cmd := exec.Command(opt.Path)
+	cmd.Env = opt.Env
+	cmd.Stdin = bytes.NewReader(input)
+
+	var out bytes.Buffer
+	cmd.Stdout = &out
+	stderrPipe, err := cmd.StderrPipe()
+	if err != nil {
+		return nil, err
+	}
+	go func() {
+		scanner := bufio.NewScanner(stderrPipe)
+		for scanner.Scan() {
+			line := scanner.Text()
+			opt.Log.Write(line)
+		}
+	}()
+
+	if err := cmd.Start(); err != nil {
+		return nil, err
+	}
+
+	if err := cmd.Wait(); err != nil {
+		return nil, fmt.Errorf("failed: %w\noutput: %s", err, out.String())
+	}
+
+	return out.Bytes(), nil
+}
--- a/log/echo:1d965976/event.log.json
+++ b/log/echo:1d965976/event.log.json
@@ -0,0 +1,2 @@
+{"time":"2025-11-30T16:12:41.425709604+02:00","level":"WARN","msg":"function stderr","function":"echo","version":"0.0.1-00130112025","line":"bem bem"}
+{"time":"2025-11-30T16:12:42.487539993+02:00","level":"WARN","msg":"function stderr","function":"echo","version":"0.0.1-00130112025","line":"bem bem"}
--- a/main.go
+++ b/main.go
@@ -1,9 +1,15 @@
+// The main file only starts cobra
+
+// Copyright 2025 TriggerSmith Labs. All rights reserved.
 package main

 import (
+	"os"
+
 	"git.oblat.lv/alex/triggerssmith/cmd"
 )

 func main() {
 	cmd.Execute()
+	os.Exit(0)
 }
--- a/static/base/css/style.css
+++ b/static/base/css/style.css
@@ -0,0 +1,76 @@
+body {font-family: system-ui, sans-serif; margin: 0; display: flex; flex-direction: column; min-height: 100vh;}
+header {display: flex; align-items: center; justify-content: space-between; background: #333; color: white; padding: 10px 15px; position: relative;}
+footer {background: #333; color: white; text-align: center; padding: 10px;}
+main {flex: 1; padding: 20px; max-width: 1000px; margin: 0 auto;}
+button {cursor:pointer; border-radius: 8px; border: 1px solid #ccc; background:#e4e4e4; padding: 10px 12px; font-size: 16px;}
+button:hover {background: #aa92f8;}
+input {background: #ffffff; padding: 10px 12px; font-size: 15px; border-radius: 8px; border: 1px solid #ccc; transition: border 0.2s, box-shadow 0.2s; width:200px;}
+input:focus {border-color: #7f57ff; box-shadow: 0 0 0 2px rgba(127, 87, 255, 0.2); outline: none;}
+select{background: #ffffff; padding: 10px 12px; font-size: 15px; border-radius: 8px; border: 1px solid #ccc; transition: border 0.2s, box-shadow 0.2s; width:225px;}
+select:focus {border-color: #7f57ff; box-shadow: 0 0 0 2px rgba(127, 87, 255, 0.2); outline: none;}
+/* навигация */
+nav ul {list-style: none; display: flex; gap: 20px; margin: 0; padding: 0;}
+nav a {color: white; text-decoration: none; font-weight: 500;}
+nav a:hover {text-decoration: underline;}
+/* бургер */
+.burger {display: none; flex-direction: column; justify-content: center; gap: 5px; width: 30px; height: 25px; background: none; border: none; cursor: pointer;}
+.burger span {display: block; height: 3px; width: 100%; background: white; border-radius: 2px; transition: 0.3s;}
+.burger.active span:nth-child(1) {transform: translateY(8px) rotate(45deg);}
+.burger.active span:nth-child(2) {opacity: 0;}
+.burger.active span:nth-child(3) {transform: translateY(-8px) rotate(-45deg);}
+/* сетка */
+.grid-3 {display: grid; grid-template-columns: 15% 70% 15%; gap: 20px; margin-top: 20px;}
+.grid-block {background: #f5f5f5; padding: 15px; border-radius: 10px; box-shadow: 0 2px 5px rgba(0,0,0,0.1);}
+/* Полупрозрачный фон */
+.overlay {position: fixed; top: 0; left: 0; width: 100%; height: 100%; background: rgba(0,0,0,0.5); display: flex; justify-content: center; align-items: center; z-index: 1000;}
+
+/* Окна */
+/* Message */
+.window-popup {width:400px; height:150px; background:#fff; border-radius:10px; display:flex; flex-direction:column; justify-content:center; align-items:center; padding:20px; box-shadow:0 0 10px rgba(0,0,0,0.3); }
+
+
+/* Menu */
+.window-menu { position:absolute; background:#fff; border-radius:10px; border:1px solid rgba(0,0,0,0.12); box-shadow:0 6px 18px rgba(0,0,0,0.12); min-width:160px; z-index:9999; overflow:hidden; }
+.window-item { padding:8px 12px; cursor:pointer; white-space:nowrap; font-size:14px; }
+.window-item:hover { background:rgba(0,0,0,0.04); }
+
+/* File */
+.window-panel { width:420px; background:#f0f0f0; border:1px solid #888; border-radius:10px; box-shadow:0 0 12px rgba(0,0,0,0.4); position:fixed; top:50%; left:50%; transform:translate(-50%,-50%); user-select:none; display:flex; flex-direction:column; }
+.window-header { background:#f0f0f0; padding:10px; font-size:16px; font-weight:600; border-bottom:1px solid #aaa; cursor:move; }
+.window-tabs { display:flex; border-bottom:1px solid #aaa; background:#f0f0f0; }
+.window-tab { padding:8px 14px; cursor:pointer; border-right:1px solid #aaa; user-select:none; }
+.window-tab.active { background:#fff; font-weight:600; border-bottom:2px solid #fff; }
+.window-content { display:none; padding:15px; background:#fff; }
+.window-content.active { display:block; }
+.window-row { display:flex; justify-content:space-between; margin-bottom:8px; font-size:14px; }
+.window-buttons { display:flex; justify-content:flex-end; padding:10px; gap:8px; border-top:1px solid #aaa; background:#f0f0f0; }
+.window-buttons button { padding:6px 16px; cursor:pointer; }
+
+/* адаптив */
+@media (max-width: 425px) {
+  .grid-3 {grid-template-columns: 1fr;}
+  .burger {display: flex;}
+  nav {position: absolute; top: 100%; left: 0; width: 100%; background: #222; display: none; flex-direction: column; text-align: center; padding: 10px 0; z-index: 10;}
+  nav.open {display: flex; animation: slideDown 0.3s ease;}
+  nav ul {flex-direction: column; gap: 10px;}
+  @keyframes slideDown {
+    from { opacity: 0; transform: translateY(-10px); }
+    to { opacity: 1; transform: translateY(0); }
+  }
+}
+.ui-overlay {position: fixed; inset: 0; background: rgba(0,0,0,.4); display: flex; align-items: center; justify-content: center;}
+.ui-alert {background: #fff; padding: 20px; border-radius: 16px; min-width: 300px; font-family: sans-serif; text-align: center;}
+/* .ui-alert button {margin-top: 20px; border: 1px solid #ccc; padding: 8px 16px; cursor: pointer; border-radius: 8px;} */
+.ui-popup-list {position: fixed; background: #fff; border: 1px solid #ccc; border-radius: 6px; box-shadow: 0 4px 10px rgba(0,0,0,.15); z-index: 1000;}
+.ui-popup-list .icon {width: 16px; text-align: center;}
+.ui-popup-list div {padding: 8px 12px; cursor: pointer; display: flex; align-items: center;}
+.ui-popup-list div:hover {background: #eee;}
+.ui-window {background: #fff; padding: 16px; border-radius: 8px; min-width: 300px; font-family: sans-serif; width: 360px;}
+.ui-window .header {display: flex; justify-content: space-between; font-weight: bold; margin-bottom: 10px; cursor: move; user-select: none;}
+.ui-window .row {display: flex; justify-content: space-between; padding: 4px 0;}
+/* Tabs */
+.tabs {display: flex; border-bottom: 1px solid #ccc; margin-bottom: 10px;}
+.tab {padding: 6px 12px; cursor: pointer;}
+.tab.active {border-bottom: 2px solid #0078d7; font-weight: bold;}
+.tab-content {display: none;}
+.tab-content.active {display: block;}
--- a/static/base/img/favicon.png
+++ b/static/base/img/favicon.png
--- a/static/base/js/app.js
+++ b/static/base/js/app.js
@@ -0,0 +1,561 @@
+/***********************************************************************
+ *  access-token хранится только в памяти (без localStorage)
+ **********************************************************************/
+let accessToken = null;   
+
+/***********************************************************************
+ *  user объект в котором хранятся данные пользователя
+ **********************************************************************/
+const user = {
+  id: 0,
+  name: ""
+}
+
+/***********************************************************************
+ *  apiProtected — это удобная функция для защищённых API-запросов, 
+ * которая: 
+ *  
+ *  - Подставляет стандартные и пользовательские настройки запроса.
+ *  - Добавляет Authorization с токеном.
+ *  - Автоматически сериализует JSON-тело.
+ *  - Парсит ответ.
+ *  - Обрабатывает устаревший токен (401) и повторяет запрос.
+ *  - Выбрасывает ошибки для внешнего try...catch.
+ ***********************************************************************/
+async function apiProtected(path, options = {}) {
+    // Базовые настройки
+    const defaultOptions = {
+        //method: "GET",
+        headers: { "Content-Type": "application/json" },
+        credentials: "include"
+    };
+    // Объединяем настройки
+    const finalOptions = {
+        ...defaultOptions,
+        ...options,
+        headers: { ...defaultOptions.headers, ...(options.headers || {}) }
+    };
+    // Если есть тело и это объект — сериализуем
+    if (finalOptions.body && typeof finalOptions.body === "object") {
+        finalOptions.body = JSON.stringify(finalOptions.body);
+    }
+    // Вспомогательная функция отправки запроса
+    const send = async () => {
+        try {
+            // Добавляем Authorization, если токен есть
+            if (accessToken) {
+                finalOptions.headers.Authorization = `Bearer ${accessToken}`;
+            }
+            // Отправляем fetch запрос.
+            const res = await fetch(path, finalOptions);
+            const text = await res.text();
+            let data;
+            // Пытаемся распарсить ответ как JSON, если не получается 
+            // — возвращаем текст.
+            try {
+                data = JSON.parse(text);
+            } catch {
+                data = text;
+            }
+            return { res, data };
+        } catch (err) {
+            return { res: null, data: err.toString() };
+        }
+    };
+    // Первый запрос
+    let { res, data } = await send();
+    // Если 401 — обновляем токен и повторяем
+    if (res && res.status === 401) {
+        await refreshAccess();       // обновляем accessToken
+        ({ res, data } = await send()); // повторный запрос
+    }
+    // Если всё равно ошибка — кидаем
+    if (!res || !res.ok) {
+        throw { status: res ? res.status : 0, data };
+    }
+    return data; // возвращаем распарсенный JSON или текст
+}
+
+/***************************************************************************
+ * refreshAccess() Обнавление токенов:
+ * 
+ * - Отправляет POST на /api/users/refresh, используя refresh-токен в cookie.
+ * - Проверяет успешность ответа.
+ * - Сохраняет новый access-токен.
+ * - Декодирует токен, чтобы получить user_id.
+ * - Обновляет глобальные данные о пользователе (id и name).
+ ****************************************************************************/
+async function refreshAccess (){
+    //Отправка запроса на обновление токена
+    const rr = await fetch("/api/auth/refresh", {
+        method: "POST",
+        credentials: "include"
+    });
+    // Проверка ответа
+    if (!rr.ok) throw "refresh failed";
+    // Получение нового токена
+    const j = await rr.json();
+    accessToken = j.access_token;
+    // Декодирование payload JWT
+    const payload = JSON.parse(
+            atob(accessToken.split(".")[1].replace(/-/g, "+").replace(/_/g, "/"))
+    );
+    // Обновление данных пользователя
+    user.id = payload.user_id;
+    user.name = (await getUserDataByID(user.id)).name;
+}
+
+/********************************************************************************
+ * loadMenu функция загрузки блока меню страницы в формате Markdown            
+ ********************************************************************************/
+async function loadMenu() {
+     await loadBlock("menu/top1", "header");
+}
+/********************************************************************************
+ * loadPage функция загрузки блока страницы в формате Markdown                 
+ ********************************************************************************/
+ async function loadPage(path) {
+     await loadBlock(path, "content");
+ }
+
+/*********************************************************************************
+ * loadMdScript функция загрузки Markdown библиотеки                
+ *********************************************************************************/
+ function loadMdScript(src) {
+    return new Promise((resolve, reject) => {
+        const script = document.createElement('script');
+        script.src = src;
+        script.defer = true;
+        script.onload = () => resolve();
+        script.onerror = () => reject(new Error(`Failed to load script: ${src}`));
+        document.head.appendChild(script);
+    });
+}
+
+/**********************************************************************************
+ * loadBlock — это универсальная функция для динамического контента:
+ *
+ * - Находит контейнер по id.
+ * - Очищает старый контент и связанные скрипты/стили.
+ * - Запрашивает блок через apiProtected.
+ * - Преобразует Markdown в HTML.
+ * - Добавляет CSS и JS динамически.
+ * - Вызывает pageInit() блока, если есть.
+ * - Обрабатывает ошибки.
+ **********************************************************************************/
+async function loadBlock(path, block_Name) {
+    // Получаем контейнер блока
+    const container = document.getElementById(block_Name);
+    if (!container) {
+        return;
+    }
+    // Обработка пути
+    path = path.replace(/\/$/, "");
+    if (!container) {
+        console.error(`loadBlock ERROR: element #${block_Name} not found`);
+        return;
+    }
+    const blockName = path === "pages" ? "pages/home" : path;
+    try {
+        // Очистка контейнера и старых динамических стилей/скриптов
+        container.innerHTML = '';
+        document.querySelectorAll('style[data-dynamic], script[data-dynamic]').forEach(el => {
+            const name = el.getAttribute('data-dynamic');
+            if (name === block_Name || !document.getElementById(name)) {
+                el.remove();
+            }
+        });
+        // Получение блока с сервера
+        const response = await apiProtected(`/api/block/${blockName}`, {method: "GET"});
+        // Динамически подгружаем markdown-it, если он ещё не загружен
+        if (!window.markdownit) {
+            await loadMdScript('/static/js/markdown-it.min.js');
+        }
+        const { content: mdContent, css, js } = response;
+       // Преобразуем markdown в HTML
+        if (mdContent) {
+            const md = window.markdownit({ html: true, linkify: true, typographer: true });
+            container.innerHTML = md.render(mdContent);
+            container?.id?.match(/^loadedBlock_\d+_view$/) && (document.getElementById(container.id.replace('_view', '_html')).innerHTML = mdContent);
+        }
+        // Добавление CSS блока
+        if (css) {
+            const style = document.createElement('style');
+            style.dataset.dynamic = block_Name;
+            style.textContent = css;
+            document.head.appendChild(style);
+        }
+        // Добавление JS блока
+        if (js) {
+            const script = document.createElement('script');
+            script.dataset.dynamic = block_Name;
+            script.textContent = `
+                (() => {
+                    try {
+                        ${js}
+                        if (typeof pageInit === "function") pageInit();
+                    } catch (e) {
+                        console.error("Block script error:", e);
+                    }
+                })();
+            `;
+            document.body.appendChild(script);
+        }
+    // Обработка ошибок
+    } catch (err) {
+        console.error(err);
+        container.innerHTML = "<h2>блок не найден</h2>";
+    }
+}
+
+/*****************************************************************************
+ * SPA-навигация
+ *****************************************************************************/
+function navigateTo(url, target) {
+    const clean = url.replace(/^\//, "");
+    history.pushState({}, "", "/" + clean);
+    loadBlock("pages/" + clean, target);
+}
+
+/*****************************************************************************
+ * Поддержка кнопки "назад/вперед"
+ *****************************************************************************/
+window.addEventListener("popstate", () => {loadBlock(location.pathname);});
+
+/*****************************************************************************
+ * Обработка истории браузера
+ *****************************************************************************/
+window.addEventListener("popstate", () => loadBlock(window.location.pathname));
+
+/*****************************************************************************
+ * Инициализация после загрузки DOM
+ *****************************************************************************/
+window.onload = async function ()  {
+    let url = window.location.href;
+   // Убираем слеш в конце, если он есть
+    if (url.endsWith("/")) {
+        url = url.slice(0, -1);
+        // Меняем URL в адресной строке без перезагрузки страницы
+        window.history.replaceState(null, "", url);
+    }
+    //console.assert("читаем меню")
+    await loadMenu();
+    await loadPage("pages"+window.location.pathname);
+};
+
+/*****************************************************************************
+ * Перехватчик ссылок
+ *****************************************************************************/
+window.addEventListener("click", (event) => {
+    const a = event.target.closest("a");
+    if (!a) return;
+    const href = a.getAttribute("href");
+    // игнорируем внешние ссылки и mailto:
+    if (!href || href.startsWith("http") || href.startsWith("mailto:")) return;
+    const target = a.dataset.target || "content"; // default = content
+    event.preventDefault();
+    navigateTo(href, target);
+});
+
+
+/*****************************************************************************
+ * Переключение видимости пароля
+ *****************************************************************************/
+document.addEventListener("click", (e) => {
+    if (!e.target.classList.contains("toggle-pass")) return;
+console.log("toggle");
+    const input = e.target.previousElementSibling;
+    if (!input) return;
+
+    if (input.type === "password") {
+        input.type = "text";
+        e.target.textContent = "*";//🔓
+    } else {
+        input.type = "password";
+        e.target.textContent = "A";//🔒
+    }
+});
+
+/*****************************************************************************
+ * Получение данных пользователя. Пример использования:
+ * btn.onclick = async function () {
+ *      const user = await getUserDataByID(3);
+ *      alert(user.name);
+ *  };
+ *****************************************************************************/
+async function getUserDataByID(id) {
+    const data = await apiProtected(
+        `/api/users/getUserData?userid=${encodeURIComponent(id)}&by=id`
+    );
+    return {
+        id: data.ID,
+        name: data.Username
+    }
+}
+
+/******************************************************************************
+ * Функция userLogin:
+ *
+ * - пытается залогиниться через API,
+ * - возвращает accessToken при успехе,
+ * - бросает понятные ошибки (INVALID_CREDENTIALS, LOGIN_FAILED) при неудаче.
+ ******************************************************************************/
+async function userLogin(username, password) {
+    try {
+        // Запрос логина
+        const r = await apiProtected(`/api/auth/login`, {
+            method: "POST",
+            headers: {
+                "Content-Type": "application/json"
+            },
+            body: JSON.stringify({
+                username,
+                password
+            })
+        });
+        // Проверка access token
+        if (!r?.access_token) {
+            throw new Error("Token not received");
+        }
+        const payload = JSON.parse(
+            atob(r.access_token.split(".")[1].replace(/-/g, "+").replace(/_/g, "/"))
+    );
+        // Успешный результат
+        user.name = username;
+        user.id = payload.user_id;
+        return {
+            accessToken: r.access_token
+        };
+    // Обработка ошибок (catch)    
+    } catch (err) {
+        // err — объект { status, data } из apiProtected
+        if (err?.status === 401) {
+            throw new Error("INVALID_CREDENTIALS");
+        }
+        // Неверный логин / пароль
+        console.error("Login error:", err);
+        throw new Error("LOGIN_FAILED");
+    }
+}
+
+/******************************************************************************
+ * userLogout — это функция выхода пользователя из системы.
+ ******************************************************************************/
+async function userLogout() {
+    accessToken = "";
+    await fetch("/api/auth/logout", { method: "POST", credentials: "include" });
+};
+
+/******************************************************************************
+ * userRegister функция которая:
+ *
+ * - регистрирует нового пользователя,
+ * - возвращает ответ сервера при успехе,
+ * - преобразует HTTP-ошибки в бизнес-ошибки, понятные UI.
+ ******************************************************************************/
+async function userRegister(username, password) {
+    try {
+        // Запрос регистрации
+        const data = await apiProtected("/api/auth/register", {
+            method: "POST",
+            body: {
+                username,
+                password
+            }
+        });
+        // Успешный результат
+        return data;
+    // Перехват ошибок
+    } catch (err) {
+        // Сюда прилетают ошибки, брошенные apiProtected:
+        // Логирование
+        console.error("Register error:", err);
+        // Маппинг HTTP → бизнес-ошибки
+        // Некорректные данные
+        if (err?.status === 400) {
+            throw new Error("BAD_REQUEST");
+        }
+        // Пользователь уже существует
+        if (err?.status === 409) {
+            throw new Error("USER_EXISTS");
+        }
+        // Любая другая ошибка
+        throw new Error("REGISTER_FAILED");
+    }
+}
+
+/***************************************************************************
+ * Класса UIComponents это статический UI-helper, который:
+ *
+ * - не хранит состояние приложения
+ * - не зависит от фреймворков
+ * - создаёт всплывающие UI-элементы поверх страницы
+ * 
+ * Содержит методы:
+ * 
+ * - UIComponents.showAlert(...)
+ * - UIComponents.confirm(...)
+ * - UIComponents.showPopupList(...)
+ * - UIComponents.showFileProperties(...)
+ ***************************************************************************/
+class UIComponents {
+    /* ============== 1. АЛЕРТ С ОВЕРЛЕЕМ ============== */
+    /*  Показывает модальное окно с кнопкой OK.  
+        с затемняющим фоном, который перекрывает страницу*/
+    static showAlert(message) {//, title = 'Сообщение'
+        const overlay = document.createElement('div');
+        overlay.className = 'ui-overlay';
+
+        const alertBox = document.createElement('div');
+        alertBox.className = 'window-popup';//ui-alert
+
+        alertBox.innerHTML = 
+            //<h3>${title}</h3>
+            `<p>${message}</p>
+            <button>OK</button>
+        `;
+
+        alertBox.querySelector('button').onclick = () => {
+            overlay.remove();
+        };
+
+        overlay.appendChild(alertBox);
+        document.body.appendChild(overlay);
+    }
+
+    /*==================== 2. confirm ===================== */
+    /*                Аналог window.confirm                 */
+    static confirm(message, title = 'Подтверждение') {
+    return new Promise(resolve => {
+        const overlay = document.createElement('div');
+        overlay.className = 'ui-overlay';
+
+        const box = document.createElement('div');
+        box.className = 'ui-alert';
+
+        box.innerHTML = `
+            <h3>${title}</h3>
+            <p>${message}</p>
+            <div style="display:flex;justify-content:center;gap:12px;margin-top:16px">
+                <button data-yes>Да</button>
+                <button data-no>Нет</button>
+            </div>
+        `;
+
+        const close = (result) => {
+            overlay.remove();
+            resolve(result);
+        };
+
+        box.querySelector('[data-yes]').onclick = () => close(true);
+        box.querySelector('[data-no]').onclick = () => close(false);
+
+        overlay.appendChild(box);
+        document.body.appendChild(overlay);
+    });
+}
+
+
+    /* ========== 3. ПОПАП СПИСОК ========== */
+static showPopupList(items = {}, x = 0, y = 0) {
+    // Удаляем предыдущий popup
+    if (UIComponents.currentPopup) {
+        UIComponents.currentPopup.remove();
+        UIComponents.currentPopup = null;
+    }
+
+    const popup = document.createElement('div');
+    popup.className = 'ui-popup-list';
+    popup.style.left = x + 'px';
+    popup.style.top = y + 'px';
+
+    for (const [name, fn] of Object.entries(items)) {
+        const el = document.createElement('div');
+        el.textContent = name;
+        el.onclick = () => {
+            fn();                 // вызываем конкретную функцию
+            popup.remove();
+            UIComponents.currentPopup = null;
+        };
+        popup.appendChild(el);
+    }
+
+    document.body.appendChild(popup);
+    UIComponents.currentPopup = popup;
+
+    const removePopup = () => {
+        if (UIComponents.currentPopup) {
+            UIComponents.currentPopup.remove();
+            UIComponents.currentPopup = null;
+        }
+        document.removeEventListener('click', removePopup);
+    };
+    setTimeout(() => document.addEventListener('click', removePopup), 0);
+}
+
+    /* ========== 4. ОКНО "СВОЙСТВА ФАЙЛА" ========== */
+    static showFileProperties(general = {}, details = {}) {
+        const overlay = document.createElement('div');
+        overlay.className = 'ui-overlay';
+
+        const win = document.createElement('div');
+        win.className = 'ui-window';
+        win.style.position = 'absolute';
+
+        const rows = obj =>
+            Object.entries(obj)
+                .map(([k, v]) => `<div class="row"><span>${k}</span><span>${v}</span></div>`)
+                .join('');
+
+        win.innerHTML = `
+            <div class="header">
+                <span>Свойства</span>
+                <button>&times;</button>
+            </div>
+
+            <div class="tabs">
+                <div class="tab active" data-tab="general">Общие</div>
+                <div class="tab" data-tab="details">Подробно</div>
+            </div>
+
+            <div class="tab-content active" id="general">${rows(general)}</div>
+            <div class="tab-content" id="details">${rows(details)}</div>
+        `;
+
+        win.querySelector('button').onclick = () => overlay.remove();
+
+        /* tabs */
+        win.querySelectorAll('.tab').forEach(tab => {
+            tab.onclick = () => {
+                win.querySelectorAll('.tab, .tab-content')
+                    .forEach(e => e.classList.remove('active'));
+
+                tab.classList.add('active');
+                win.querySelector('#' + tab.dataset.tab).classList.add('active');
+            };
+        });
+
+        /* drag */
+        const header = win.querySelector('.header');
+        header.onmousedown = (e) => {
+            const r = win.getBoundingClientRect();
+            const dx = e.clientX - r.left;
+            const dy = e.clientY - r.top;
+
+            document.onmousemove = e =>
+                Object.assign(win.style, {
+                    left: e.clientX - dx + 'px',
+                    top: e.clientY - dy + 'px'
+                });
+
+            document.onmouseup = () => document.onmousemove = null;
+        };
+
+        overlay.appendChild(win);
+        document.body.appendChild(overlay);
+
+        win.style.left = 'calc(50% - 180px)';
+        win.style.top = '20%';
+    }
+}
+
--- a/static/base/js/markdown-it.min.js
+++ b/static/base/js/markdown-it.min.js
--- a/static/base/main.html
+++ b/static/base/main.html
@@ -0,0 +1,23 @@
+<!DOCTYPE html>
+<html lang="ru">
+<head>
+  <meta charset="UTF-8">
+  <meta name="viewport" content="width=device-width, initial-scale=1.0">
+  <base href="/">   
+  <link rel="icon" type="image/png" href="/img/favicon.png">
+  <title>TS Web</title>
+  <link rel="stylesheet" href="/static/css/style.css">
+  <script defer src="/static/js/app.js"></script>
+</head>
+<body id="body">
+  <header>
+    <div id="header"></div>
+  </header>
+
+  <main id="content"></main>
+
+  <footer>
+    <p>© 2025 TriggersSmith web</p>
+  </footer>
+</body>
+</html>
--- a/static/blocks/menu/top1/content.md
+++ b/static/blocks/menu/top1/content.md
@@ -0,0 +1,22 @@
+<button id="burger" class="burger" aria-label="Меню">
+    <span></span>
+    <span></span>
+    <span></span>
+</button>
+<nav id="nav">
+    <ul>
+        <li><a href="/" data-link="true" data-target="content">Главная</a></li>
+        <li><a href="/about" data-link="true" data-target="content">О нас</a></li>
+        <li><a href="/about copy" data-link="true" data-target="content">О нас 2</a></li>
+        <li><a href="/functions" data-link="true" data-target="content">Функции</a></li>
+        <li><a href="/contact" data-link="true" data-target="content">Контакты</a></li>
+        <li><a href="/fManager" data-link="true" data-target="content">Файловый менеджер</a></li>
+        <li><a href="/users" data-link="true" data-target="content">Юзер</a></li>
+        <li><a href="/login" data-link="true" data-target="content">Вход</a></li>
+        <li><a href="/userSlava" data-link="true" data-target="content">Слава</a></li>
+        <li><a href="/gpt" data-link="true" data-target="content">GPT</a></li>
+        <li><a href="/ACL" data-link="true" data-target="content">ACL</a></li>
+        <li><a href="/userSlava/popup" data-link="true" data-target="content">Сообщения popup</a></li>
+        <li><a href="/session" data-link="true" data-target="content">Сессия</a></li>
+    </ul>
+</nav>
--- a/static/blocks/menu/top1/script.js
+++ b/static/blocks/menu/top1/script.js
@@ -0,0 +1,42 @@
+// /*************************************************
+//  * toggleMenu функция открытия/закрытия меню
+//  *************************************************/
+// function toggleMenu() {
+//   const burger = document.getElementById("burger");
+//   const nav = document.getElementById("nav");
+//   burger.classList.toggle("active");
+//   nav.classList.toggle("open");
+// }
+// /*************************************************
+//  * closeMenu функция закрытия меню
+//  *************************************************/
+// function closeMenu() {
+//   document.getElementById("burger").classList.remove("active");
+//   document.getElementById("nav").classList.remove("open");
+// }
+
+/*************************************************************************
+ * pageInit функция автозапуска скриптов, после подгрузки на страницу    *
+ *************************************************************************/
+function pageInit() {
+ const burger = document.getElementById("burger");
+ // Добавляем обработчик клика
+ burger.addEventListener("click", toggleMenu);
+}
+/*************************************************
+ * toggleMenu функция открытия/закрытия меню
+ *************************************************/
+function toggleMenu() {
+  const burger = document.getElementById("burger");
+  const nav = document.getElementById("nav");
+  burger.classList.toggle("active");
+  nav.classList.toggle("open");
+}
+/*************************************************
+ * closeMenu функция закрытия меню
+ *************************************************/
+function closeMenu() {
+  document.getElementById("burger").classList.remove("active");
+  document.getElementById("nav").classList.remove("open");
+}
+
--- a/static/blocks/menu/top1/style.css
+++ b/static/blocks/menu/top1/style.css
@@ -0,0 +1,90 @@
+ /* навигация
+nav ul {
+  list-style: none;
+  display: flex;
+  gap: 20px;
+  margin: 0;
+  padding: 0;
+}
+
+nav a {
+  color: white;
+  text-decoration: none;
+  font-weight: 500;
+}
+
+nav a:hover {
+  text-decoration: underline;
+}
+
+/* бургер */
+/*
+.burger {
+  display: none;
+  flex-direction: column;
+  justify-content: center;
+  gap: 5px;
+  width: 30px;
+  height: 25px;
+  background: none;
+  border: none;
+  cursor: pointer;
+}
+
+.burger span {
+  display: block;
+  height: 3px;
+  width: 100%;
+  background: white;
+  border-radius: 2px;
+  transition: 0.3s;
+}
+
+.burger.active span:nth-child(1) {
+  transform: translateY(8px) rotate(45deg);
+}
+
+.burger.active span:nth-child(2) {
+  opacity: 0;
+}
+
+.burger.active span:nth-child(3) {
+  transform: translateY(-8px) rotate(-45deg);
+}
+*/
+ /* адаптив */
+ /*
+@media (max-width: 425px) {
+
+  .burger {
+    display: flex;
+  }
+
+  nav {
+    position: absolute;
+    top: 100%;
+    left: 0;
+    width: 100%;
+    background: #222;
+    display: none;
+    flex-direction: column;
+    text-align: center;
+    padding: 10px 0;
+    z-index: 10;
+  }
+
+  nav.open {
+    display: flex;
+    animation: slideDown 0.3s ease;
+  }
+
+  nav ul {
+    flex-direction: column;
+    gap: 10px;
+  }
+
+  @keyframes slideDown {
+    from { opacity: 0; transform: translateY(-10px); }
+    to { opacity: 1; transform: translateY(0); }
+  }
+} */
--- a/static/blocks/pages/ACL/content.md
+++ b/static/blocks/pages/ACL/content.md
@@ -0,0 +1,23 @@
+# Панель администратора ACL
+
+## Создать роль
+
+<input id="roleName" placeholder="имя роли" />
+<button onclick="createRole()">Создавать</button>
+
+## Создать разрешение
+
+<input id="permKey" placeholder="ключ разрешения" />
+<button onclick="createPerm()">Создавать</button>
+
+## Назначить разрешение роли
+
+<input id="roleIdPerm" placeholder="идентификатор роли" />
+<input id="permIdRole" placeholder="идентификатор разрешения" />
+<button onclick="assignPermission()">Назначать</button>
+
+## Назначить роль пользователю
+
+<input id="roleIdUser" placeholder="идентификатор роли" />
+<input id="userIdRole" placeholder="идентификатор пользователя" />
+<button onclick="assignRole()">Назначать</button>
--- a/static/blocks/pages/ACL/script.js
+++ b/static/blocks/pages/ACL/script.js
@@ -0,0 +1,27 @@
+const api = (url, data, m) => fetch(url, {
+method: m,
+headers: { "Content-Type": "application/json" },
+body: JSON.stringify(data)
+}).then(r => r.text());
+
+
+
+
+function createRole() {
+api('/api/acl-admin/create-role', { name: roleName.value }, "POST").then(alert);
+}
+function createPerm() {
+api('/api/acl-admin/create-permission', { name: permKey.value }, "POST").then(alert);
+}
+function assignPermission() {
+api('/api/acl-admin/assign-permission', {
+role_id: Number(roleIdPerm.value),
+perm_id: Number(permIdRole.value)
+}, "POST").then(alert);
+}
+function assignRole() {
+api('/api/acl-admin/assign-role', {
+role_id: Number(roleIdUser.value),
+user_id: Number(userIdRole.value)
+}, "POST").then(alert);
+}
--- a/static/blocks/pages/ACL/style.css
+++ b/static/blocks/pages/ACL/style.css
@@ -0,0 +1,2 @@
+#app { background: white; padding: 20px; border-radius: 8px; max-width: 700px; }
+input, select, button { padding: 8px; margin: 4px 0; }
--- a/static/blocks/pages/about
+++ b/static/blocks/pages/about
@@ -0,0 +1,28 @@
+# О нашей команде
+
+Мы стремимся к тому, чтобы наш проект был простым, гибким и быстрым.  
+Ниже вы видите три блока информации, выровненные по горизонтали.
+
+<div class="grid-3">
+
+<div class="grid-block">
+<h3>Левая колонка</h3>
+<p>Здесь может быть навигация, цитата, боковая информация или полезные ссылки.</p>
+</div>
+
+<div class="grid-block">
+<h3>Центральный блок</h3>
+<p>Основной контент страницы. Здесь вы можете рассказать о компании, истории или услугах.</p>
+<p>Используйте разметку Markdown и HTML, чтобы сделать текст выразительным.</p>
+</div>
+
+<div class="grid-block">
+<h3>Правая колонка</h3>
+<p>Здесь могут быть контактные данные, баннеры или дополнительные ссылки.</p>
+</div>
+
+</div>
+
+---
+
+Блоки выравниваются по сетке `15% 70% 15%` и адаптируются под ширину контейнера.
--- a/static/blocks/pages/about
+++ b/static/blocks/pages/about
--- a/static/blocks/pages/about
+++ b/static/blocks/pages/about
--- a/static/blocks/pages/about/content.md
+++ b/static/blocks/pages/about/content.md
@@ -0,0 +1,28 @@
+# О нашей команде
+
+Мы стремимся к тому, чтобы наш проект был простым, гибким и быстрым.  
+Ниже вы видите три блока информации, выровненные по горизонтали.
+
+<div class="grid-3">
+
+<div class="grid-block">
+<h3>Левая колонка</h3>
+<p>Здесь может быть навигация, цитата, боковая информация или полезные ссылки.</p>
+</div>
+
+<div class="grid-block">
+<h3>Центральный блок</h3>
+<p>Основной контент страницы. Здесь вы можете рассказать о компании, истории или услугах.</p>
+<p>Используйте разметку Markdown и HTML, чтобы сделать текст выразительным.</p>
+</div>
+
+<div class="grid-block">
+<h3>Правая колонка</h3>
+<p>Здесь могут быть контактные данные, баннеры или дополнительные ссылки.</p>
+</div>
+
+</div>
+
+---
+
+Блоки выравниваются по сетке `15% 70% 15%` и адаптируются под ширину контейнера.
--- a/static/blocks/pages/about/script.js
+++ b/static/blocks/pages/about/script.js
--- a/static/blocks/pages/about/style.css
+++ b/static/blocks/pages/about/style.css
--- a/static/blocks/pages/contact/content.md
+++ b/static/blocks/pages/contact/content.md
@@ -0,0 +1,6 @@
+# Контакты
+
+Свяжитесь с нами:
+
+- 📧 **contact@example.com**
+- 🌐 [example.com](https://example.com)
--- a/static/blocks/pages/contact/script.js
+++ b/static/blocks/pages/contact/script.js
--- a/static/blocks/pages/contact/style.css
+++ b/static/blocks/pages/contact/style.css
--- a/static/blocks/pages/fManager/content.md
+++ b/static/blocks/pages/fManager/content.md
@@ -0,0 +1,3 @@
+<input type="text" id="messageInput" placeholder="Введите сообщение">
+<button id="showPopupBtn">Показать Popup</button></br>
+<button id="showfManagerBtn">Открыть файл-менеджер</button>
--- a/static/blocks/pages/fManager/script.js
+++ b/static/blocks/pages/fManager/script.js
@@ -0,0 +1,23 @@
+//loadBlock("plugin/fManager", "content");
+
+showPopupBtn.addEventListener('click', () => {
+    popup(messageInput.value || 'Пустое сообщение');});
+
+showfManagerBtn.addEventListener('click', () => {
+    const div = document.createElement("div");
+    div.id = "fManager";
+
+    document.body.appendChild(div);
+
+//     const testW = document.createElement('div');
+//     testW.id = 'test_W'
+//     testW.className = 'testWW';
+
+    loadBlock("plugin/fManager", "fManager");
+
+ });
+
+    /*
+const overlay = document.createElement('div');
+
+    */ 
--- a/static/blocks/pages/fManager/style.css
+++ b/static/blocks/pages/fManager/style.css
--- a/static/blocks/pages/functions/content.md
+++ b/static/blocks/pages/functions/content.md
@@ -0,0 +1,29 @@
+# Go Функции
+
+### Доступные Функции:
+
+<div id="container">
+    <button id="bt_newFunc" class="all_button">Создать</button>
+    <div id="alternative">
+        <select id="functionList">
+            <option value="">— Выбери —</option>
+        </select>
+        <input id="newfunction" placeholder="Название функции" class="hidden" >
+    </div>
+    <button id="bt_save" class="all_button">Сохранить</button>
+    <button id="bt_delete" class="all_button">Удалить</button><br>
+
+</div>
+<label>Go Код:</label><br>
+
+<div id="codeWrapper">
+    <div id="lineNumbers"></div>
+    <div id="Wrapper"></div>
+    <textarea id="code"></textarea>
+</div><br>
+<button id="bt_compile" class="all_button">Компилировать</button>
+<button id="bt_run" class="all_button">Запустить</button><br>
+<label>Входные аргументы:</label><br>
+<input id="input" /><br>
+<label>Ответ сервера:</label><br>
+<div id="output"></div>
--- a/static/blocks/pages/functions/script.js
+++ b/static/blocks/pages/functions/script.js
@@ -0,0 +1,168 @@
+let nameStringMod;
+let fCodeMod;
+// универсальный обработчик (вставка, ввод, удаление, drag-drop)
+function triggerUpdate() {
+    // вставка иногда происходит позже — даём браузеру завершить операцию
+    requestAnimationFrame(updateLineNumbers);
+}
+
+// ВСЕ события, которые могут менять текст
+code.addEventListener("input", triggerUpdate);
+code.addEventListener("change", triggerUpdate);
+code.addEventListener("keyup", triggerUpdate);
+code.addEventListener("paste", triggerUpdate);
+code.addEventListener("cut", triggerUpdate);
+code.addEventListener("drop", triggerUpdate);
+
+code.addEventListener("scroll", () => {
+    lineNumbers.scrollTop = code.scrollTop;
+});
+lineNumbers.addEventListener("scroll", () => {
+    code.scrollTop = lineNumbers.scrollTop;
+});
+
+updateLineNumbers();
+
+// ==================== ORIGINAL FUNCTIONS ====================
+async function loadSource(name) {
+    if (name != ""){
+        const res = await fetch("/api/functions/source/" + name);
+        if (!res.ok) {
+            code.value = "// source not found or binary only";
+            return;
+        }
+
+        const text = await res.text();
+        code.value = text;
+        } else {
+            code.value = "";    
+        }
+    // ВАЖНО: обновляем нумерацию после программной вставки
+    requestAnimationFrame(updateLineNumbers);
+
+}
+
+async function loadFunctions() {
+    const res = await fetch('/api/functions/list');
+    const list = await res.json();
+
+    //const sel = document.getElementById('functionList');
+    functionList.innerHTML = '<option value="">— select —</option>';
+
+//    Object.keys(list).forEach(name => {
+    list.forEach(name => {
+        const opt = document.createElement('option');
+        opt.value = name;
+        opt.textContent = name;
+        functionList.appendChild(opt);
+    });
+}
+
+function newf() {
+    if (functionList.className == 'hidden'){
+        functionList.classList.remove('hidden');
+        newfunction.classList.add('hidden');
+        selectFunction();
+        bt_newFunc.innerText = 'Создать';
+    } else {
+        functionList.classList.add('hidden');
+        newfunction.classList.remove('hidden');
+        code.value = "";
+        newfunction.value = "";
+        bt_newFunc.innerText = 'Выбрать';
+    }
+    code.value = "";
+    updateLineNumbers();
+}
+
+function selectFunction() {
+    loadSource(functionList.value);
+    requestAnimationFrame(updateLineNumbers);
+}
+
+async function compile() {
+    if (functionList.value != ""){
+    const res = await fetch('/api/functions/compile', {
+        method: 'POST',
+        headers: { 'Content-Type': 'application/json' },
+        body: JSON.stringify({
+            functionName: functionList.value,
+            goCode: code.value
+        })
+    });
+    output.textContent = await res.text();
+    }
+}
+
+async function savef() {
+    if (newfunction.className == "hidden"){
+//        console.log("open")
+        popup("old")
+    } else {
+//        console.log("new")
+//        await popup("new",() => {return;});
+        await popup("new");
+        return;
+        console.log("test")
+    }
+    if (newfunction.value != ""){
+    const res = await fetch('/api/functions/save', {
+        method: 'POST',
+        headers: { 'Content-Type': 'application/json' },
+        body: JSON.stringify({
+            functionName: newfunction.value,
+            goCode: code.value
+        })
+    });
+    output.textContent = await res.text();
+    }
+}
+
+async function run() {
+    const name = functionList.value;
+
+    const res = await fetch('/api/functions/run/' + name, {
+        method: 'POST',
+        headers: { 'Content-Type': 'application/json' },
+        body: JSON.stringify({ input: input.value })
+    });
+
+    output.textContent = await res.text();
+}
+
+function updateLineNumbers() {
+    const lines = code.value.split("\n").length;
+    let html = "";
+    for (let i = 1; i <= lines; i++) {
+        html += i + "<br>";
+    }
+    lineNumbers.innerHTML = html;
+}
+
+function btLoc(){
+    if (newfunction.value != ""){
+        //bt_newFunc.disabled = true;
+        nameStringMod = true;
+    } else {
+        //bt_newFunc.disabled = false
+        nameStringMod = false;
+    }
+}
+
+function codLoc(){
+        fCodeMod = true;
+        fCodeMod = false;
+}
+
+//bt_save.addEventListener("click", () => {const message = 'Пустое сообщение'; popup(message);});
+
+
+functionList.addEventListener("change", selectFunction);
+bt_newFunc.addEventListener("click", newf);
+bt_compile.addEventListener("click", compile);
+bt_run.addEventListener("click", run);
+bt_save.addEventListener("click", savef);
+newfunction.addEventListener("input", btLoc)
+code.addEventListener("input", codLoc)
+
+loadFunctions();
--- a/static/blocks/pages/functions/style.css
+++ b/static/blocks/pages/functions/style.css
@@ -0,0 +1,30 @@
+textarea { width: 100%; height: 200px; }
+#codeWrapper {display: flex; width: 100%; position: relative; height: 300px; border: 1px solid #aaa; 
+    border-radius: 4px; overflow: hidden; margin-top: 10px;}
+#lineNumbers {width: 40px; background: #f0f0f0; padding-right: 5px; text-align: right; user-select: none; 
+    font-family: monospace; font-size: 12px; line-height: 1.2em; color: #555; border-right: 1px solid #ccc; 
+    overflow-y: hidden; overflow-x: hidden;}
+#code {width: 100%; margin-left: 5px; white-space: pre; overflow: auto; height: 100%; border: none; outline: none;              
+    resize: none; box-sizing: border-box; font-family: monospace; font-size: 12px; line-height: 1.2em; padding: 0;}
+#output {display: flex; width: 100%; position: relative; height: 100px; border: 1px solid #aaa; 
+    border-radius: 4px; overflow: hidden; margin-top: 10px;}
+#input { width: 100%; height: 20px; margin-bottom: 10px; margin-top: 10px; padding-top: 8px; padding-left: 0px;
+    padding-right: 0px; } 
+#container {display: flex; align-items: center; gap: 10px; height: 40px; margin-top: 10px; margin-bottom: 10px}
+#alternative {position: relative; width: 500px; height: 100%;}
+#functionList, #newfunction{box-sizing: border-box; font-size: 16px; padding: 5px;height: 100%;}
+#functionList, #newfunction {position: absolute; top: 0; left: 0; width: 100%; }
+/* #bt_newFunc{width: 90px;}  , #bt_newFunc, #bt_compile 
+#bt_run{height: 40px; width: 90px; margin-top: 10px; margin-bottom: 10px} */
+.hidden {display: none;}
+.all_button{height: 40px; width: 120px; margin-top: 10px; margin-bottom: 10px}
+  /* Полупрозрачный фон */
+.overlay {position: fixed; top: 0; left: 0; width: 100%; height: 100%; background: rgba(0,0,0,0.5);
+    display: flex; justify-content: center; align-items: center; z-index: 1000;}
+  /* Центральный div */
+.popup {width: 400px; height: 150px; background: white; border-radius: 10px; display: flex;
+    flex-direction: column; justify-content: center; align-items: center; padding: 20px;
+    box-shadow: 0 0 10px rgba(0,0,0,0.3);}
+.popup button {margin-top: 20px; padding: 5px 10px;}
+
+
--- a/static/blocks/pages/gpt/content.md
+++ b/static/blocks/pages/gpt/content.md
@@ -0,0 +1,885 @@
+Вставь полноценный acl. Напиши пример реализации CanUserAccess() на SQLite. Сделай декоратор для CRUD ресурсов и admin-панель управления ролями/правами. Создай новые файлы и перепиши существующие.
+
+<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
+
+# Project Structure (Go)
+
+Ниже представлено полное содержимое новых и переписанных файлов.
+Используйте каждый раздел как отдельный файл.
+
+---
+
+## internal/acl/models.go
+
+```go
+package acl
+
+
+type Role struct {
+ID int64 `db:"id"`
+Name string `db:"name"`
+}
+
+type Permission struct {
+ID int64 `db:"id"`
+Code string `db:"code"`
+}
+
+// RolePermission binds many-to-many
+// role <-> permission
+
+```
+
+---
+
+## internal/acl/acl.go
+
+```go
+package acl
+
+import (
+    "database/sql"
+    "errors"
+)
+
+type ACL struct {
+    db *sql.DB
+}
+
+func New(db *sql.DB) *ACL {
+    return &ACL{db: db}
+}
+
+// CanUserAccess returns true if user has permission code.
+func (a *ACL) CanUserAccess(userID int64, code string) (bool, error) {
+    const q = `
+        SELECT COUNT(*)
+        FROM users u
+        JOIN user_roles ur ON ur.user_id = u.id
+        JOIN role_permissions rp ON rp.role_id = ur.role_id
+        JOIN permissions p ON p.id = rp.permission_id
+        WHERE u.id = ? AND p.code = ?
+    `
+    var cnt int
+    if err := a.db.QueryRow(q, userID, code).Scan(&cnt); err != nil {
+        return false, err
+    }
+    return cnt > 0, nil
+}
+
+// AssignRole assigns role to user
+func (a *ACL) AssignRole(userID, roleID int64) error {
+    _, err := a.db.Exec(`INSERT OR IGNORE INTO user_roles(user_id, role_id) VALUES(?, ?)`, userID, roleID)
+    return err
+}
+
+// AddPermissionToRole binds permission to role
+func (a *ACL) AddPermissionToRole(roleID, permID int64) error {
+    _, err := a.db.Exec(`INSERT OR IGNORE INTO role_permissions(role_id, permission_id) VALUES(?, ?)`, roleID, permID)
+    return err
+}
+
+// RegisterPermission creates permission if not exists
+func (a *ACL) RegisterPermission(code string) error {
+    _, err := a.db.Exec(`INSERT OR IGNORE INTO permissions(code) VALUES(?)`, code)
+    return err
+}
+```
+
+---
+
+## internal/acl/middleware.go
+
+```go
+package acl
+
+import (
+    "net/http"
+    "strconv"
+)
+
+// ACLMiddleware protects route by permission code
+func (a *ACL) ACLMiddleware(code string) func(http.Handler) http.Handler {
+    return func(next http.Handler) http.Handler {
+        return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+            userIDStr := r.Header.Get("X-User-ID")
+            if userIDStr == "" {
+                http.Error(w, "Unauthenticated", http.StatusUnauthorized)
+                return
+            }
+            userID, _ := strconv.ParseInt(userIDStr, 10, 64)
+
+            ok, err := a.CanUserAccess(userID, code)
+            if err != nil || !ok {
+                http.Error(w, "Forbidden", http.StatusForbidden)
+                return
+            }
+            next.ServeHTTP(w, r)
+        })
+    }
+}
+```
+
+---
+
+## internal/acl/decorator.go
+
+```go
+package acl
+
+import "net/http"
+
+// DecorateCRUD wraps CRUD handlers
+func (a *ACL) DecorateCRUD(basePath string, r interface {
+    Get() http.HandlerFunc
+    List() http.HandlerFunc
+    Create() http.HandlerFunc
+    Update() http.HandlerFunc
+    Delete() http.HandlerFunc
+}) map[string]http.HandlerFunc {
+
+    return map[string]http.HandlerFunc{
+        "GET_ONE":    a.ACLMiddleware(basePath+".read")(r.Get()),
+        "GET_LIST":   a.ACLMiddleware(basePath+".list")(r.List()),
+        "CREATE":     a.ACLMiddleware(basePath+".create")(r.Create()),
+        "UPDATE":     a.ACLMiddleware(basePath+".update")(r.Update()),
+        "DELETE":     a.ACLMiddleware(basePath+".delete")(r.Delete()),
+    }
+}
+```
+
+---
+
+## sqliteDB/init_acl.sql (auto executed inside InitDB)
+
+```sql
+CREATE TABLE IF NOT EXISTS roles (
+    id INTEGER PRIMARY KEY AUTOINCREMENT,
+    name TEXT UNIQUE NOT NULL
+);
+
+CREATE TABLE IF NOT EXISTS permissions (
+    id INTEGER PRIMARY KEY AUTOINCREMENT,
+    code TEXT UNIQUE NOT NULL
+);
+
+CREATE TABLE IF NOT EXISTS role_permissions (
+    role_id INTEGER NOT NULL,
+    permission_id INTEGER NOT NULL,
+    UNIQUE(role_id, permission_id)
+);
+
+CREATE TABLE IF NOT EXISTS user_roles (
+    user_id INTEGER NOT NULL,
+    role_id INTEGER NOT NULL,
+    UNIQUE(user_id, role_id)
+);
+```
+
+---
+
+## internal/admin/routes.go
+
+```go
+package admin
+
+import (
+    "database/sql"
+    "encoding/json"
+    "net/http"
+    "MyServer/internal/acl"
+)
+
+type Admin struct {
+    DB  *sql.DB
+    ACL *acl.ACL
+}
+
+func (a *Admin) Register(r chi.Router) {
+    r.Get("/roles", a.listRoles)
+    r.Post("/roles", a.addRole)
+    r.Post("/assign", a.assignRole)
+}
+
+func (a *Admin) listRoles(w http.ResponseWriter, r *http.Request) {
+    rows, _ := a.DB.Query(`SELECT id, name FROM roles`)
+    defer rows.Close()
+    var out []map[string]interface{}
+    for rows.Next() {
+        var id int64
+        var name string
+        rows.Scan(&id, &name)
+        out = append(out, map[string]interface{}{ "id": id, "name": name })
+    }
+    json.NewEncoder(w).Encode(out)
+}
+
+func (a *Admin) addRole(w http.ResponseWriter, r *http.Request) {
+    var body struct{ Name string }
+    json.NewDecoder(r.Body).Decode(&body)
+    _, _ = a.DB.Exec(`INSERT INTO roles(name) VALUES(?)`, body.Name)
+}
+
+func (a *Admin) assignRole(w http.ResponseWriter, r *http.Request) {
+    var body struct{ UserID, RoleID int64 }
+    json.NewDecoder(r.Body).Decode(&body)
+    a.ACL.AssignRole(body.UserID, body.RoleID)
+}
+```
+
+---
+
+## app/server.go (patched to include admin & ACL)
+
+```go
+// inside ServerStart()
+aclEngine := acl.New(db)
+r.Route("/admin", func(ad chi.Router) {
+    adminModule := &admin.Admin{DB: db, ACL: aclEngine}
+    adminModule.Register(ad)
+})
+```
+
+---
+
+Готово!
+Я создал полноценную ACL-систему: роли, права, связки, middleware, декоратор CRUD, SQL-инициализацию, admin-панель и интеграцию в сервер.
+Все файлы уже находятся в canvas и готовы к редактированию.
+
+Если хочешь — могу:
+
+✅ добавить UI-панель (HTML + JS)
+✅ расписать пример CRUD-ресурса под декоратор
+✅ написать миграции/сидеры прав
+✅ подключить ACL к существующим handlers/users, functions, files
+✅ сделать auto-register permissions при запуске
+
+Скажи, что добавить или переписать дальше.
+
+<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
+
+Подключи ACL к существующим handlers/users, functions, files
+
+<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
+
+# Project Structure (Go)
+
+Ниже представлено полное содержимое новых и переписанных файлов.
+Используйте каждый раздел как отдельный файл.
+
+---
+
+## internal/acl/models.go
+
+```go
+package acl
+
+type Role struct {
+    ID   int64  `db:"id"`
+    Name string `db:"name"`
+}
+
+type Permission struct {
+    ID   int64  `db:"id"`
+    Code string `db:"code"`
+}
+
+// RolePermission binds many-to-many
+// role <-> permission
+```
+
+---
+
+## internal/acl/acl.go
+
+```go
+package acl
+
+import (
+    "database/sql"
+    "errors"
+)
+
+type ACL struct {
+    db *sql.DB
+}
+
+func New(db *sql.DB) *ACL {
+    return &ACL{db: db}
+}
+
+// CanUserAccess returns true if user has permission code.
+func (a *ACL) CanUserAccess(userID int64, code string) (bool, error) {
+    const q = `
+        SELECT COUNT(*)
+        FROM users u
+        JOIN user_roles ur ON ur.user_id = u.id
+        JOIN role_permissions rp ON rp.role_id = ur.role_id
+        JOIN permissions p ON p.id = rp.permission_id
+        WHERE u.id = ? AND p.code = ?
+    `
+    var cnt int
+    if err := a.db.QueryRow(q, userID, code).Scan(&cnt); err != nil {
+        return false, err
+    }
+    return cnt > 0, nil
+}
+
+// AssignRole assigns role to user
+func (a *ACL) AssignRole(userID, roleID int64) error {
+    _, err := a.db.Exec(`INSERT OR IGNORE INTO user_roles(user_id, role_id) VALUES(?, ?)`, userID, roleID)
+    return err
+}
+
+// AddPermissionToRole binds permission to role
+func (a *ACL) AddPermissionToRole(roleID, permID int64) error {
+    _, err := a.db.Exec(`INSERT OR IGNORE INTO role_permissions(role_id, permission_id) VALUES(?, ?)`, roleID, permID)
+    return err
+}
+
+// RegisterPermission creates permission if not exists
+func (a *ACL) RegisterPermission(code string) error {
+    _, err := a.db.Exec(`INSERT OR IGNORE INTO permissions(code) VALUES(?)`, code)
+    return err
+}
+```
+
+---
+
+## internal/acl/middleware.go
+
+```go
+package acl
+
+import (
+    "net/http"
+    "strconv"
+)
+
+// ACLMiddleware protects route by permission code
+func (a *ACL) ACLMiddleware(code string) func(http.Handler) http.Handler {
+    return func(next http.Handler) http.Handler {
+        return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+            userIDStr := r.Header.Get("X-User-ID")
+            if userIDStr == "" {
+                http.Error(w, "Unauthenticated", http.StatusUnauthorized)
+                return
+            }
+            userID, _ := strconv.ParseInt(userIDStr, 10, 64)
+
+            ok, err := a.CanUserAccess(userID, code)
+            if err != nil || !ok {
+                http.Error(w, "Forbidden", http.StatusForbidden)
+                return
+            }
+            next.ServeHTTP(w, r)
+        })
+    }
+}
+```
+
+---
+
+## internal/acl/decorator.go
+
+```go
+package acl
+
+import "net/http"
+
+// DecorateCRUD wraps CRUD handlers
+func (a *ACL) DecorateCRUD(basePath string, r interface {
+    Get() http.HandlerFunc
+    List() http.HandlerFunc
+    Create() http.HandlerFunc
+    Update() http.HandlerFunc
+    Delete() http.HandlerFunc
+}) map[string]http.HandlerFunc {
+
+    return map[string]http.HandlerFunc{
+        "GET_ONE":    a.ACLMiddleware(basePath+".read")(r.Get()),
+        "GET_LIST":   a.ACLMiddleware(basePath+".list")(r.List()),
+        "CREATE":     a.ACLMiddleware(basePath+".create")(r.Create()),
+        "UPDATE":     a.ACLMiddleware(basePath+".update")(r.Update()),
+        "DELETE":     a.ACLMiddleware(basePath+".delete")(r.Delete()),
+    }
+}
+```
+
+---
+
+## sqliteDB/init_acl.sql (auto executed inside InitDB)
+
+```sql
+CREATE TABLE IF NOT EXISTS roles (
+    id INTEGER PRIMARY KEY AUTOINCREMENT,
+    name TEXT UNIQUE NOT NULL
+);
+
+CREATE TABLE IF NOT EXISTS permissions (
+    id INTEGER PRIMARY KEY AUTOINCREMENT,
+    code TEXT UNIQUE NOT NULL
+);
+
+CREATE TABLE IF NOT EXISTS role_permissions (
+    role_id INTEGER NOT NULL,
+    permission_id INTEGER NOT NULL,
+    UNIQUE(role_id, permission_id)
+);
+
+CREATE TABLE IF NOT EXISTS user_roles (
+    user_id INTEGER NOT NULL,
+    role_id INTEGER NOT NULL,
+    UNIQUE(user_id, role_id)
+);
+```
+
+---
+
+## internal/admin/routes.go
+
+```go
+package admin
+
+import (
+    "database/sql"
+    "encoding/json"
+    "net/http"
+    "MyServer/internal/acl"
+)
+
+type Admin struct {
+    DB  *sql.DB
+    ACL *acl.ACL
+}
+
+func (a *Admin) Register(r chi.Router) {
+    r.Get("/roles", a.listRoles)
+    r.Post("/roles", a.addRole)
+    r.Post("/assign", a.assignRole)
+}
+
+func (a *Admin) listRoles(w http.ResponseWriter, r *http.Request) {
+    rows, _ := a.DB.Query(`SELECT id, name FROM roles`)
+    defer rows.Close()
+    var out []map[string]interface{}
+    for rows.Next() {
+        var id int64
+        var name string
+        rows.Scan(&id, &name)
+        out = append(out, map[string]interface{}{ "id": id, "name": name })
+    }
+    json.NewEncoder(w).Encode(out)
+}
+
+func (a *Admin) addRole(w http.ResponseWriter, r *http.Request) {
+    var body struct{ Name string }
+    json.NewDecoder(r.Body).Decode(&body)
+    _, _ = a.DB.Exec(`INSERT INTO roles(name) VALUES(?)`, body.Name)
+}
+
+func (a *Admin) assignRole(w http.ResponseWriter, r *http.Request) {
+    var body struct{ UserID, RoleID int64 }
+    json.NewDecoder(r.Body).Decode(&body)
+    a.ACL.AssignRole(body.UserID, body.RoleID)
+}
+```
+
+---
+
+## app/server.go (patched to include admin & ACL)
+
+```go
+// inside ServerStart()
+aclEngine := acl.New(db)
+r.Route("/admin", func(ad chi.Router) {
+    adminModule := &admin.Admin{DB: db, ACL: aclEngine}
+    adminModule.Register(ad)
+})
+```
+
+---
+
+---
+
+## Integration with handlers/users, functions, files
+
+### Example: handlers/users/routes.go
+
+```go
+func RegisterRoutes(r chi.Router, db *sql.DB, aut *auth.Auth, acl *acl.ACL) {
+    r.Group(func(gr chi.Router) {
+        gr.Use(aut.AuthMiddleware)
+
+        gr.With(acl.ACLMiddleware("users.list")).Get("/", listUsers(db))
+        gr.With(acl.ACLMiddleware("users.read")).Get("/{id}", getUser(db))
+        gr.With(acl.ACLMiddleware("users.create")).Post("/", createUser(db))
+        gr.With(acl.ACLMiddleware("users.update")).Put("/{id}", updateUser(db))
+        gr.With(acl.ACLMiddleware("users.delete")).Delete("/{id}", deleteUser(db))
+    })
+}
+```
+
+### Example: handlers/functions/routes.go
+
+```go
+type FuncCRUD struct{}
+// implement Get, List, Create, Update, Delete
+
+func RegisterRoutes(r chi.Router, db *sql.DB, aut *auth.Auth, acl *acl.ACL) {
+    r.Group(func(gr chi.Router) {
+        gr.Use(aut.AuthMiddleware)
+
+        crud := &FuncCRUD{}
+        wrapped := acl.DecorateCRUD("functions", crud)
+
+        gr.Get("/", wrapped["GET_LIST"])
+        gr.Get("/{id}", wrapped["GET_ONE"])
+        gr.Post("/", wrapped["CREATE"])
+        gr.Put("/{id}", wrapped["UPDATE"])
+        gr.Delete("/{id}", wrapped["DELETE"])
+    })
+}
+```
+
+### Example: handlers/files/routes.go
+
+```go
+func RegisterRoutes(r chi.Router, db *sql.DB, aut *auth.Auth, acl *acl.ACL) {
+    r.Group(func(gr chi.Router) {
+        gr.Use(aut.AuthMiddleware)
+
+        gr.With(acl.ACLMiddleware("files.upload")).Post("/upload", uploadFile(db))
+        gr.With(acl.ACLMiddleware("files.download")).Get("/download/{id}", downloadFile(db))
+        gr.With(acl.ACLMiddleware("files.delete")).Delete("/{id}", deleteFile(db))
+    })
+}
+```
+
+### Update app/server.go registration
+
+```go
+aclEngine := acl.New(db)
+
+r.Route("/api", func(api chi.Router) {
+    api.Route("/users", func(u chi.Router) {
+        users.RegisterRoutes(u, db, aut, aclEngine)
+    })
+    api.Route("/functions", func(u chi.Router) {
+        functions.RegisterRoutes(u, db, aut, aclEngine)
+    })
+    api.Route("/files", func(u chi.Router) {
+        files.RegisterRoutes(u, db, aut, aclEngine)
+    })
+})
+```
+
+<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
+
+## internal/acl/models.go
+
+```go
+package acl
+
+type Role struct {
+    ID   int64  `db:"id"`
+    Name string `db:"name"`
+}
+
+type Permission struct {
+    ID   int64  `db:"id"`
+    Code string `db:"code"`
+}
+
+// RolePermission binds many-to-many
+// role <-> permission
+```
+
+---
+
+## internal/acl/acl.go
+
+```go
+package acl
+
+import (
+    "database/sql"
+    "errors"
+)
+
+type ACL struct {
+    db *sql.DB
+}
+
+func New(db *sql.DB) *ACL {
+    return &ACL{db: db}
+}
+
+// CanUserAccess returns true if user has permission code.
+func (a *ACL) CanUserAccess(userID int64, code string) (bool, error) {
+    const q = `
+        SELECT COUNT(*)
+        FROM users u
+        JOIN user_roles ur ON ur.user_id = u.id
+        JOIN role_permissions rp ON rp.role_id = ur.role_id
+        JOIN permissions p ON p.id = rp.permission_id
+        WHERE u.id = ? AND p.code = ?
+    `
+    var cnt int
+    if err := a.db.QueryRow(q, userID, code).Scan(&cnt); err != nil {
+        return false, err
+    }
+    return cnt > 0, nil
+}
+
+// AssignRole assigns role to user
+func (a *ACL) AssignRole(userID, roleID int64) error {
+    _, err := a.db.Exec(`INSERT OR IGNORE INTO user_roles(user_id, role_id) VALUES(?, ?)`, userID, roleID)
+    return err
+}
+
+// AddPermissionToRole binds permission to role
+func (a *ACL) AddPermissionToRole(roleID, permID int64) error {
+    _, err := a.db.Exec(`INSERT OR IGNORE INTO role_permissions(role_id, permission_id) VALUES(?, ?)`, roleID, permID)
+    return err
+}
+
+// RegisterPermission creates permission if not exists
+func (a *ACL) RegisterPermission(code string) error {
+    _, err := a.db.Exec(`INSERT OR IGNORE INTO permissions(code) VALUES(?)`, code)
+    return err
+}
+```
+
+---
+
+## internal/acl/middleware.go
+
+```go
+package acl
+
+import (
+    "net/http"
+    "strconv"
+)
+
+// ACLMiddleware protects route by permission code
+func (a *ACL) ACLMiddleware(code string) func(http.Handler) http.Handler {
+    return func(next http.Handler) http.Handler {
+        return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+            userIDStr := r.Header.Get("X-User-ID")
+            if userIDStr == "" {
+                http.Error(w, "Unauthenticated", http.StatusUnauthorized)
+                return
+            }
+            userID, _ := strconv.ParseInt(userIDStr, 10, 64)
+
+            ok, err := a.CanUserAccess(userID, code)
+            if err != nil || !ok {
+                http.Error(w, "Forbidden", http.StatusForbidden)
+                return
+            }
+            next.ServeHTTP(w, r)
+        })
+    }
+}
+```
+
+---
+
+## internal/acl/decorator.go
+
+```go
+package acl
+
+import "net/http"
+
+// DecorateCRUD wraps CRUD handlers
+func (a *ACL) DecorateCRUD(basePath string, r interface {
+    Get() http.HandlerFunc
+    List() http.HandlerFunc
+    Create() http.HandlerFunc
+    Update() http.HandlerFunc
+    Delete() http.HandlerFunc
+}) map[string]http.HandlerFunc {
+
+    return map[string]http.HandlerFunc{
+        "GET_ONE":    a.ACLMiddleware(basePath+".read")(r.Get()),
+        "GET_LIST":   a.ACLMiddleware(basePath+".list")(r.List()),
+        "CREATE":     a.ACLMiddleware(basePath+".create")(r.Create()),
+        "UPDATE":     a.ACLMiddleware(basePath+".update")(r.Update()),
+        "DELETE":     a.ACLMiddleware(basePath+".delete")(r.Delete()),
+    }
+}
+```
+
+---
+
+## sqliteDB/init_acl.sql (auto executed inside InitDB)
+
+```sql
+CREATE TABLE IF NOT EXISTS roles (
+    id INTEGER PRIMARY KEY AUTOINCREMENT,
+    name TEXT UNIQUE NOT NULL
+);
+
+CREATE TABLE IF NOT EXISTS permissions (
+    id INTEGER PRIMARY KEY AUTOINCREMENT,
+    code TEXT UNIQUE NOT NULL
+);
+
+CREATE TABLE IF NOT EXISTS role_permissions (
+    role_id INTEGER NOT NULL,
+    permission_id INTEGER NOT NULL,
+    UNIQUE(role_id, permission_id)
+);
+
+CREATE TABLE IF NOT EXISTS user_roles (
+    user_id INTEGER NOT NULL,
+    role_id INTEGER NOT NULL,
+    UNIQUE(user_id, role_id)
+);
+```
+
+---
+
+## internal/admin/routes.go
+
+```go
+package admin
+
+import (
+    "database/sql"
+    "encoding/json"
+    "net/http"
+    "MyServer/internal/acl"
+)
+
+type Admin struct {
+    DB  *sql.DB
+    ACL *acl.ACL
+}
+
+func (a *Admin) Register(r chi.Router) {
+    r.Get("/roles", a.listRoles)
+    r.Post("/roles", a.addRole)
+    r.Post("/assign", a.assignRole)
+}
+
+func (a *Admin) listRoles(w http.ResponseWriter, r *http.Request) {
+    rows, _ := a.DB.Query(`SELECT id, name FROM roles`)
+    defer rows.Close()
+    var out []map[string]interface{}
+    for rows.Next() {
+        var id int64
+        var name string
+        rows.Scan(&id, &name)
+        out = append(out, map[string]interface{}{ "id": id, "name": name })
+    }
+    json.NewEncoder(w).Encode(out)
+}
+
+func (a *Admin) addRole(w http.ResponseWriter, r *http.Request) {
+    var body struct{ Name string }
+    json.NewDecoder(r.Body).Decode(&body)
+    _, _ = a.DB.Exec(`INSERT INTO roles(name) VALUES(?)`, body.Name)
+}
+
+func (a *Admin) assignRole(w http.ResponseWriter, r *http.Request) {
+    var body struct{ UserID, RoleID int64 }
+    json.NewDecoder(r.Body).Decode(&body)
+    a.ACL.AssignRole(body.UserID, body.RoleID)
+}
+```
+
+---
+
+## app/server.go (patched to include admin & ACL)
+
+```go
+// inside ServerStart()
+aclEngine := acl.New(db)
+r.Route("/admin", func(ad chi.Router) {
+    adminModule := &admin.Admin{DB: db, ACL: aclEngine}
+    adminModule.Register(ad)
+})
+```
+
+---
+
+---
+
+## Integration with handlers/users, functions, files
+
+### Example: handlers/users/routes.go
+
+```go
+func RegisterRoutes(r chi.Router, db *sql.DB, aut *auth.Auth, acl *acl.ACL) {
+    r.Group(func(gr chi.Router) {
+        gr.Use(aut.AuthMiddleware)
+
+        gr.With(acl.ACLMiddleware("users.list")).Get("/", listUsers(db))
+        gr.With(acl.ACLMiddleware("users.read")).Get("/{id}", getUser(db))
+        gr.With(acl.ACLMiddleware("users.create")).Post("/", createUser(db))
+        gr.With(acl.ACLMiddleware("users.update")).Put("/{id}", updateUser(db))
+        gr.With(acl.ACLMiddleware("users.delete")).Delete("/{id}", deleteUser(db))
+    })
+}
+```
+
+### Example: handlers/functions/routes.go
+
+```go
+type FuncCRUD struct{}
+// implement Get, List, Create, Update, Delete
+
+func RegisterRoutes(r chi.Router, db *sql.DB, aut *auth.Auth, acl *acl.ACL) {
+    r.Group(func(gr chi.Router) {
+        gr.Use(aut.AuthMiddleware)
+
+        crud := &FuncCRUD{}
+        wrapped := acl.DecorateCRUD("functions", crud)
+
+        gr.Get("/", wrapped["GET_LIST"])
+        gr.Get("/{id}", wrapped["GET_ONE"])
+        gr.Post("/", wrapped["CREATE"])
+        gr.Put("/{id}", wrapped["UPDATE"])
+        gr.Delete("/{id}", wrapped["DELETE"])
+    })
+}
+```
+
+### Example: handlers/files/routes.go
+
+```go
+func RegisterRoutes(r chi.Router, db *sql.DB, aut *auth.Auth, acl *acl.ACL) {
+    r.Group(func(gr chi.Router) {
+        gr.Use(aut.AuthMiddleware)
+
+        gr.With(acl.ACLMiddleware("files.upload")).Post("/upload", uploadFile(db))
+        gr.With(acl.ACLMiddleware("files.download")).Get("/download/{id}", downloadFile(db))
+        gr.With(acl.ACLMiddleware("files.delete")).Delete("/{id}", deleteFile(db))
+    })
+}
+```
+
+### Update app/server.go registration
+
+```go
+aclEngine := acl.New(db)
+
+r.Route("/api", func(api chi.Router) {
+    api.Route("/users", func(u chi.Router) {
+        users.RegisterRoutes(u, db, aut, aclEngine)
+    })
+    api.Route("/functions", func(u chi.Router) {
+        functions.RegisterRoutes(u, db, aut, aclEngine)
+    })
+    api.Route("/files", func(u chi.Router) {
+        files.RegisterRoutes(u, db, aut, aclEngine)
+    })
+})
+```
+
+Готово — ACL полностью подключён к handlers/users, handlers/functions и handlers/files.
+Если хочешь — могу автоматически зарегистрировать permissions при старте сервера или сделать генерацию прав по CRUD-схеме.
--- a/static/blocks/pages/gpt/script.js
+++ b/static/blocks/pages/gpt/script.js
--- a/static/blocks/pages/gpt/style.css
+++ b/static/blocks/pages/gpt/style.css
--- a/static/blocks/pages/home/content.md
+++ b/static/blocks/pages/home/content.md
@@ -0,0 +1,6 @@
+# Главная страница
+
+Добро пожаловать!  
+Это **SPA на Go**, где контент хранится в файлах Markdown.
+
+Вы можете редактировать эти файлы без перекомпиляции проекта!
--- a/static/blocks/pages/home/script.js
+++ b/static/blocks/pages/home/script.js
--- a/static/blocks/pages/home/style.css
+++ b/static/blocks/pages/home/style.css
--- a/static/blocks/pages/login/content.md
+++ b/static/blocks/pages/login/content.md
@@ -0,0 +1,17 @@
+<div class="form1">
+
+<h1> Вход в систему</h1>
+
+Пожалуйста, введите ваши данные для входа.
+
+<div class="grid-block">
+<h3>Форма входа</h3>
+    <form action="/login" method="post">
+      <label for="username">Имя пользователя</label>
+      <input type="text" id="username" name="username" required>
+      <label for="password">Пароль</label>
+      <input type="password" id="password" name="password" required>
+      <button type="submit">Войти</button>
+    </form>
+</div>
+</div>
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
Alexey	68bce99e1d	add docs to gitignore	2026-01-03 15:47:04 +02:00
Alexey	d64645599d	front	2026-01-03 15:46:06 +02:00
Alexey	6ce7edd194	add internal gorm erros	2026-01-03 15:45:47 +02:00
Alexey	c718db565e	add internal token erorrs	2026-01-03 15:45:34 +02:00
Alexey	af7770eb06	add user struct returning	2026-01-03 15:45:23 +02:00
Alexey	8e67bae683	add error handling logic	2026-01-03 15:44:48 +02:00
Alexey	5468c831c4	add internal auth errors	2026-01-03 15:44:25 +02:00
Alexey	600cf84776	add revoke method	2026-01-03 15:43:43 +02:00
Alexey	0485fd3bee	add register method	2026-01-03 15:43:22 +02:00
Alexey	f2f7819f8c	add refresh method	2026-01-03 15:43:12 +02:00
Alexey	48d9c14944	add me method (not implemented)	2026-01-03 15:43:00 +02:00
Alexey	cadb42d17a	add logout method	2026-01-03 15:42:29 +02:00
Alexey	0510103125	add login method	2026-01-03 15:42:19 +02:00
Alexey	e75390f673	add get user data method	2026-01-03 15:42:09 +02:00
Alexey	bf96ca1263	errors file	2026-01-03 15:41:39 +02:00
Alexey	ca569d25bc	refactor and documentation	2026-01-03 15:41:21 +02:00
Alexey	1468937589	move ProblemDetails	2026-01-03 15:39:42 +02:00
Alexey	9070b4138e	add real ip logging	2026-01-03 15:39:00 +02:00
Alexey	ac26a981b2	swag fmt	2025-12-21 22:21:58 +02:00
Alexey	e9d8877fbf	fully implement acl backend and interface	2025-12-21 22:18:29 +02:00
Alexey	85f8ac60e7	some changes	2025-12-21 00:00:03 +02:00
Alexey	904f446447	basicly implement acl crud ops with roles and resources	2025-12-20 17:38:15 +02:00
Alexey	c188b46519	gitignore add data dir	2025-12-20 17:37:34 +02:00
Alexey	8e31a84b0e	get some modules	2025-12-20 17:36:52 +02:00
Alexey	bd06d071b2	add swagger	2025-12-20 17:36:36 +02:00
Alexey	f0d7d79e0f	add swagger	2025-12-20 17:36:24 +02:00
Alexey	78a8e46b3e	implement endpoint /roles	2025-12-19 14:27:17 +02:00
Alexey	69281f3337	fmt	2025-12-19 14:27:01 +02:00
Alexey	07ec64b1bb	add acl service	2025-12-19 14:26:37 +02:00
Alexey	cd465d42a3	add init functions	2025-12-19 14:26:28 +02:00
Alexey	c0a187d461	implement basic acl operations and tests	2025-12-19 14:26:05 +02:00
Alexey	5a34a445cf	add acl service	2025-12-19 14:25:43 +02:00
Alexey	e12b4dea12	add legacy route and new	2025-12-19 09:23:03 +02:00
Alexey	beba3cfb4b	comment incorrect test	2025-12-18 20:03:21 +02:00
Alexey	0f966fa17e	remove unused functions	2025-12-18 20:02:49 +02:00
Alexey	7546d1bece	fix issue with NewService and remove unused GetById/Username	2025-12-18 20:02:38 +02:00
Alexey	45f4c76ff5	mod GetBy function	2025-12-18 20:01:28 +02:00
Alexey	73343fd57b	format	2025-12-18 19:59:57 +02:00
Alexey	6c9f8bcec0	fix test	2025-12-18 19:59:49 +02:00
Alexey	f65150cec3	add config to deps	2025-12-18 19:59:22 +02:00
Alexey	99fd0f5776	add function what returns http.StatusNotImplemented	2025-12-18 19:59:06 +02:00
Alexey	524749b329	rename called function	2025-12-18 19:58:41 +02:00
Alexey	c80f7932b4	add doc	2025-12-18 19:58:29 +02:00
Alexey	e2b92f8ba1	make jwt.Parse public	2025-12-18 19:58:21 +02:00
Alexey	a1f6c1ffa9	add jwt config	2025-12-18 19:58:04 +02:00
Alexey	7e581d99f5	create auth package	2025-12-18 19:57:51 +02:00
Alexey	ad980ee600	implement work with services	2025-12-18 19:57:38 +02:00
Alexey	438bed8f13	implement some auth (user) endpoints	2025-12-18 19:57:20 +02:00
Alexey	e9b7f8ca17	rename	2025-12-18 19:56:56 +02:00
Alexey	ae1e5600ae	go mod bcrypt	2025-12-18 19:56:46 +02:00
Alexey	44d39db701	git ignore add secret	2025-12-18 19:56:31 +02:00
Alexey	adf61a4d1d	add token config	2025-12-18 11:25:07 +02:00
Alexey	97253ee9c7	add field UserID	2025-12-18 11:24:57 +02:00
Alexey	4ae85c73bb	remove prefix Token	2025-12-18 11:24:48 +02:00
Alexey	16b6b292c6	make functions more universal	2025-12-18 11:24:34 +02:00
Alexey	6f4657caff	add comments	2025-12-18 10:50:08 +02:00
Alexey	53761db1e0	add user crud interface in impl	2025-12-18 10:49:56 +02:00
Alexey	603f007c63	gitignore add testdata/ and remove cached tokens.db	2025-12-18 10:49:35 +02:00
Alexey	597000f222	add jwt creating and parsing	2025-12-18 10:48:27 +02:00
Alexey	3b74f5c43d	go get uuid	2025-12-18 10:47:58 +02:00
Alexey	8de6a9212a	add auth service to main router's deps	2025-12-18 09:48:14 +02:00
Alexey	64dad6619e	require jwt	2025-12-18 09:47:14 +02:00
Alexey	cdde811e72	add token service, sqlite driver and test	2025-12-18 09:46:57 +02:00
Alexey	8836ea2673	remove comment	2025-12-17 18:51:46 +02:00
Alexey	a9da570877	add prefix api_ to packages	2025-12-17 18:45:34 +02:00
Alexey	b79450ecd4	add some info	2025-12-17 18:45:23 +02:00
Alexey	5011d59912	add some debug messages	2025-12-17 17:15:02 +02:00
Alexey	7d1a0b82bd	add panic.log to gitignore	2025-12-17 14:38:39 +02:00
Alexey	eef77fa240	add some debug info	2025-12-17 14:38:13 +02:00
Alexey	16cb8c7f58	change router's names to names with prefix Must, because they might panic	2025-12-17 14:32:49 +02:00
Alexey	8896188ec4	add sending of additional information to disk during a panic, changed the name of the called routing method	2025-12-17 14:31:35 +02:00
Alexey	d6859d8cf9	fmt	2025-12-17 14:24:29 +02:00
Alexey	99ffa05c61	add doc	2025-12-17 14:24:19 +02:00
Alexey	c6d5fa02d1	add base for auth package	2025-12-17 14:24:07 +02:00
Alexey	b92682177c	back to "old" way to parse url because it dont work with more than 2 "/"	2025-12-17 14:22:40 +02:00
Alexey	4be8faaa67	change error status	2025-12-17 14:15:24 +02:00
Alexey	e78fd22f51	add message for disabled static	2025-12-17 14:15:09 +02:00
Alexey	7a189d56ea	add auth api router, change block api router, fix ussue with "*"	2025-12-17 14:12:29 +02:00
Alexey	441253351d	use modern way to parse URL	2025-12-17 14:10:40 +02:00
Alexey	ffec908ca4	isolate handlers	2025-12-17 14:10:16 +02:00
Alexey	26052db142	add package header documentation	2025-12-17 13:49:04 +02:00
Alexey	cda0edfde2	block logic	2025-12-17 11:09:54 +02:00
Alexey	d78a6bedd5	add blocks	2025-12-17 10:14:13 +02:00
Alexey	18a31be0b1	some changes	2025-12-14 16:34:42 +02:00
Alexey	6aae5f9fb0	add function handling (basic)	2025-11-30 15:28:30 +02:00
Alexey	c1e5fc90ee	some changes	2025-11-30 12:50:38 +02:00
Alexey	004bb7ef7f	fix log message and add force kill	2025-11-30 11:32:34 +02:00
Alexey	847c5a2d08	gitignore	2025-11-30 11:26:50 +02:00
Alexey	ea7358a35f	add reloading and stopping from tsctl	2025-11-30 11:26:22 +02:00
Alexey	c51dfce9ec	add os.Exit(0)	2025-11-30 11:25:39 +02:00
Alexey	04718759c4	delete println	2025-11-30 10:13:08 +02:00