OPC # 0001: Extract Clarity into standalone repo

.dockerignore

@@ -0,0 +1,12 @@
+**/.vs
+**/.git
+**/.idea
+**/bin
+**/obj
+**/node_modules
+**/.env
+**/npm-debug.log
+**/.dockerignore
+**/Dockerfile*
+**/docker-compose*
+ClientAssets/

.gitignore

@@ -0,0 +1,366 @@
+## Ignore Visual Studio temporary files, build results, and
+## files generated by popular Visual Studio add-ons.
+##
+## Get latest from https://github.com/github/gitignore/blob/master/VisualStudio.gitignore
+
+# User-specific files
+*.rsuser
+*.suo
+*.user
+*.userosscache
+*.sln.docstates
+
+# User-specific files (MonoDevelop/Xamarin Studio)
+*.userprefs
+
+# Mono auto generated files
+mono_crash.*
+
+# Build results
+[Dd]ebug/
+[Dd]ebugPublic/
+[Rr]elease/
+[Rr]eleases/
+x64/
+x86/
+[Ww][Ii][Nn]32/
+[Aa][Rr][Mm]/
+[Aa][Rr][Mm]64/
+bld/
+[Bb]in/
+[Oo]bj/
+[Oo]ut/
+[Ll]og/
+[Ll]ogs/
+
+# Visual Studio 2015/2017 cache/options directory
+.vs/
+# Uncomment if you have tasks that create the project's static files in wwwroot
+#wwwroot/
+
+# Visual Studio 2017 auto generated files
+Generated\ Files/
+
+# MSTest test Results
+[Tt]est[Rr]esult*/
+[Bb]uild[Ll]og.*
+
+# NUnit
+*.VisualState.xml
+TestResult.xml
+nunit-*.xml
+
+# Build Results of an ATL Project
+[Dd]ebugPS/
+[Rr]eleasePS/
+dlldata.c
+
+# Benchmark Results
+BenchmarkDotNet.Artifacts/
+
+# .NET Core
+project.lock.json
+project.fragment.lock.json
+artifacts/
+
+# ASP.NET Scaffolding
+ScaffoldingReadMe.txt
+
+# StyleCop
+StyleCopReport.xml
+
+# Files built by Visual Studio
+*_i.c
+*_p.c
+*_h.h
+*.ilk
+*.meta
+*.obj
+*.iobj
+*.pch
+*.pdb
+*.ipdb
+*.pgc
+*.pgd
+*.rsp
+*.sbr
+*.tlb
+*.tli
+*.tlh
+*.tmp
+*.tmp_proj
+*_wpftmp.csproj
+*.log
+*.vspscc
+*.vssscc
+.builds
+*.pidb
+*.svclog
+*.scc
+
+# Chutzpah Test files
+_Chutzpah*
+
+# Visual C++ cache files
+ipch/
+*.aps
+*.ncb
+*.opendb
+*.opensdf
+*.sdf
+*.cachefile
+*.VC.db
+*.VC.VC.opendb
+
+# Visual Studio profiler
+*.psess
+*.vsp
+*.vspx
+*.sap
+
+# Visual Studio Trace Files
+*.e2e
+
+# TFS 2012 Local Workspace
+$tf/
+
+# Guidance Automation Toolkit
+*.gpState
+
+# ReSharper is a .NET coding add-in
+_ReSharper*/
+*.[Rr]e[Ss]harper
+*.DotSettings.user
+
+# TeamCity is a build add-in
+_TeamCity*
+
+# DotCover is a Code Coverage Tool
+*.dotCover
+
+# AxoCover is a Code Coverage Tool
+.axoCover/*
+!.axoCover/settings.json
+
+# Coverlet is a free, cross platform Code Coverage Tool
+coverage*.json
+coverage*.xml
+coverage*.info
+
+# Visual Studio code coverage results
+*.coverage
+*.coveragexml
+
+# NCrunch
+_NCrunch_*
+.*crunch*.local.xml
+nCrunchTemp_*
+
+# MightyMoose
+*.mm.*
+AutoTest.Net/
+
+# Web workbench (sass)
+.sass-cache/
+
+# Installshield output folder
+[Ee]xpress/
+
+# DocProject is a documentation generator add-in
+DocProject/buildhelp/
+DocProject/Help/*.HxT
+DocProject/Help/*.HxC
+DocProject/Help/*.hhc
+DocProject/Help/*.hhk
+DocProject/Help/*.hhp
+DocProject/Help/Html2
+DocProject/Help/html
+
+# Click-Once directory
+publish/
+
+# Publish Web Output
+*.[Pp]ublish.xml
+*.azurePubxml
+# Note: Comment the next line if you want to checkin your web deploy settings,
+# but database connection strings (with potential passwords) will be unencrypted
+*.pubxml
+*.publishproj
+
+# Microsoft Azure Web App publish settings. Comment the next line if you want to
+# checkin your Azure Web App publish settings, but sensitive information contained
+# in these scripts will be unencrypted
+PublishScripts/
+
+# NuGet Packages
+*.nupkg
+# NuGet Symbol Packages
+*.snupkg
+# The packages folder can be ignored because of Package Restore
+**/[Pp]ackages/*
+# except build/, which is used as an MSBuild target.
+!**/[Pp]ackages/build/
+# Uncomment if necessary however generally it will be regenerated when needed
+#!**/[Pp]ackages/repositories.config
+# NuGet v3's project.json files produces more ignorable files
+*.nuget.props
+*.nuget.targets
+
+# Microsoft Azure Build Output
+csx/
+*.build.csdef
+
+# Microsoft Azure Emulator
+ecf/
+rcf/
+
+# Windows Store app package directories and files
+AppPackages/
+BundleArtifacts/
+Package.StoreAssociation.xml
+_pkginfo.txt
+*.appx
+*.appxbundle
+*.appxupload
+
+# Visual Studio cache files
+# files ending in .cache can be ignored
+*.[Cc]ache
+# but keep track of directories ending in .cache
+!?*.[Cc]ache/
+
+# Others
+ClientBin/
+~$*
+*~
+*.dbmdl
+*.dbproj.schemaview
+*.jfm
+*.pfx
+*.publishsettings
+orleans.codegen.cs
+
+# Including strong name files can present a security risk
+# (https://github.com/github/gitignore/pull/2483#issue-259490424)
+#*.snk
+
+# Since there are multiple workflows, uncomment next line to ignore bower_components
+# (https://github.com/github/gitignore/pull/1529#issuecomment-104372622)
+#bower_components/
+
+# RIA/Silverlight projects
+Generated_Code/
+
+# Backup & report files from converting an old project file
+# to a newer Visual Studio version. Backup files are not needed,
+# because we have git ;-)
+_UpgradeReport_Files/
+Backup*/
+UpgradeLog*.XML
+UpgradeLog*.htm
+ServiceFabricBackup/
+*.rptproj.bak
+
+# SQL Server files
+*.mdf
+*.ldf
+*.ndf
+
+# Business Intelligence projects
+*.rdl.data
+*.bim.layout
+*.bim_*.settings
+*.rptproj.rsuser
+*- [Bb]ackup.rdl
+*- [Bb]ackup ([0-9]).rdl
+*- [Bb]ackup ([0-9][0-9]).rdl
+
+# Microsoft Fakes
+FakesAssemblies/
+
+# GhostDoc plugin setting file
+*.GhostDoc.xml
+
+# Node.js Tools for Visual Studio
+.ntvs_analysis.dat
+node_modules/
+
+# Visual Studio 6 build log
+*.plg
+
+# Visual Studio 6 workspace options file
+*.opt
+
+# Visual Studio 6 auto-generated workspace file (contains which files were open etc.)
+*.vbw
+
+# Visual Studio LightSwitch build output
+**/*.HTMLClient/GeneratedArtifacts
+**/*.DesktopClient/GeneratedArtifacts
+**/*.DesktopClient/ModelManifest.xml
+**/*.Server/GeneratedArtifacts
+**/*.Server/ModelManifest.xml
+_Pvt_Extensions
+
+# Paket dependency manager
+.paket/paket.exe
+paket-files/
+
+# FAKE - F# Make
+.fake/
+
+# CodeRush personal settings
+.cr/personal
+
+# Python Tools for Visual Studio (PTVS)
+__pycache__/
+*.pyc
+
+# Cake - Uncomment if you are using it
+# tools/**
+# !tools/packages.config
+
+# Tabs Studio
+*.tss
+
+# Telerik's JustMock configuration file
+*.jmconfig
+
+# BizTalk build output
+*.btp.cs
+*.btm.cs
+*.odx.cs
+*.xsd.cs
+
+# OpenCover UI analysis results
+OpenCover/
+
+# Azure Stream Analytics local run output
+ASALocalRun/
+
+# MSBuild Binary and Structured Log
+*.binlog
+
+# NVidia Nsight GPU debugger configuration file
+*.nvuser
+
+# MFractors (Xamarin productivity tool) working folder
+.mfractor/
+
+# Local History for Visual Studio
+.localhistory/
+
+# BeatPulse healthcheck temp database
+healthchecksdb
+
+# Backup folder for Package Reference Convert tool in Visual Studio 2017
+MigrationBackup/
+
+# Ionide (cross platform F# VS Code tools) working folder
+.ionide/
+
+# Fody - auto-generated XML schema
+FodyWeavers.xsd
+
+VaultData/
+ClientAssets/

Clarity.AppHost/AppHost.cs

@@ -0,0 +1,80 @@
+using Microsoft.Extensions.Hosting;
+using Scalar.Aspire;
+
+var builder = DistributedApplication.CreateBuilder(args);
+
+#region MINIO
+var minio = builder.AddMinioContainer("minio");
+#endregion
+
+#region REDIS
+var cache = builder.AddRedis("cache");
+#endregion
+
+#region POSTGRESQL AND PGADMIN
+var postgres = builder.AddPostgres("postgres")
+    .WithLifetime(ContainerLifetime.Persistent)
+    .WithHostPort(5432)
+    .WithPgAdmin();
+
+var postgresdb = postgres.AddDatabase("postgresdb");
+#endregion
+
+#region KEYCLOAK
+var keycloakDb = postgres.AddDatabase("authdb");
+
+var keycloak = builder.AddKeycloak("keycloak", 8080)
+    .WithEnvironment(async ctx =>
+    {
+        var connString = await keycloakDb.Resource.ConnectionStringExpression.GetValueAsync(CancellationToken.None);
+        var conn = new Npgsql.NpgsqlConnectionStringBuilder(connString);
+        ctx.EnvironmentVariables["KC_DB"] = "postgres";
+        ctx.EnvironmentVariables["KC_DB_URL"] = $"jdbc:postgresql://postgres:5432/{keycloakDb.Resource.DatabaseName}";
+        ctx.EnvironmentVariables["KC_DB_USERNAME"] = conn.Username!;
+        ctx.EnvironmentVariables["KC_DB_PASSWORD"] = conn.Password!;
+    })
+    .WaitFor(keycloakDb)
+    .WithRealmImport("KeycloakConfig/");
+#endregion
+
+#region EFCORE MIGRATION WORKER
+var migrations = builder.AddProject<Projects.Clarity_MigrationService>("clarity-migrationservice")
+    .WithReference(postgresdb)
+    .WaitFor(postgresdb);
+#endregion
+
+#region REST API 
+var server = builder.AddProject<Projects.Clarity_Server>("server")
+    .WaitFor(keycloak)
+    .WithReference(cache)
+    .WithReference(postgresdb)
+    .WaitFor(cache)
+    .WaitFor(postgresdb)
+    .WithReference(migrations)
+    .WithReference(minio)
+    .WaitForCompletion(migrations)
+    .WithHttpHealthCheck("/health")
+    .WithHttpEndpoint(port: 5416, name: "clarity-http")
+    .WithExternalHttpEndpoints();
+#endregion
+
+#region REACT
+var webfrontend = builder.AddViteApp("webfrontend", "../frontend")
+    .WaitFor(keycloak)
+    .WithReference(server)
+    .WaitFor(server)
+    .WithEnvironment("VITE_KEYCLOAK_URL", keycloak.GetEndpoint("http"))
+    .WithEnvironment("VITE_KEYCLOAK_REALM", "clarity")
+    .WithEnvironment("VITE_KEYCLOAK_CLIENT_ID", "clarity-web-app");
+
+server.PublishWithContainerFiles(webfrontend, "wwwroot");
+#endregion
+
+#region SCALAR API DOCS
+var scalar = builder.AddScalarApiReference();
+scalar
+    .WithApiReference(server);
+//    .WithApiReference(webfrontend);
+#endregion
+
+builder.Build().Run();

Clarity.AppHost/Clarity.AppHost.csproj

@@ -0,0 +1,30 @@
+<Project Sdk="Aspire.AppHost.Sdk/13.2.2">
+
+	<PropertyGroup>
+		<OutputType>Exe</OutputType>
+		<TargetFramework>net10.0</TargetFramework>
+		<ImplicitUsings>enable</ImplicitUsings>
+		<Nullable>enable</Nullable>
+		<UserSecretsId>a37b81ab-bcb8-4599-a049-4c21e1e4ff17</UserSecretsId>
+	</PropertyGroup>
+
+	<ItemGroup>
+		<ProjectReference Include="..\Clarity.MigrationService\Clarity.MigrationService.csproj" />
+		<ProjectReference Include="..\Clarity.Server\Clarity.Server.csproj" />
+	</ItemGroup>
+
+	<ItemGroup>
+		<PackageReference Include="Aspire.Hosting.JavaScript" />
+		<PackageReference Include="Aspire.Hosting.Keycloak" />
+		<PackageReference Include="Aspire.Hosting.PostgreSQL" />
+		<PackageReference Include="Aspire.Hosting.Redis" />
+		<PackageReference Include="CommunityToolkit.Aspire.Hosting.Minio" />
+		<PackageReference Include="Scalar.Aspire" />
+	</ItemGroup>
+
+	<ItemGroup>
+	  <None Update="KeycloakConfig\realm-export.json">
+	    <CopyToOutputDirectory>PreserveNewest</CopyToOutputDirectory>
+	  </None>
+	</ItemGroup>
+</Project>

Clarity.AppHost/Properties/launchSettings.json

@@ -0,0 +1,31 @@
+{
+  "$schema": "https://json.schemastore.org/launchsettings.json",
+  "profiles": {
+    "https": {
+      "commandName": "Project",
+      "dotnetRunMessages": true,
+      "launchBrowser": true,
+      "applicationUrl": "https://clarity.dev.localhost:17052;http://clarity.dev.localhost:15033",
+      "environmentVariables": {
+        "ASPNETCORE_ENVIRONMENT": "Development",
+        "DOTNET_ENVIRONMENT": "Development",
+        "ASPIRE_DASHBOARD_OTLP_ENDPOINT_URL": "https://localhost:21214",
+        "ASPIRE_DASHBOARD_MCP_ENDPOINT_URL": "https://localhost:23283",
+        "ASPIRE_RESOURCE_SERVICE_ENDPOINT_URL": "https://localhost:22072"
+      }
+    },
+    "http": {
+      "commandName": "Project",
+      "dotnetRunMessages": true,
+      "launchBrowser": true,
+      "applicationUrl": "http://clarity.dev.localhost:15033",
+      "environmentVariables": {
+        "ASPNETCORE_ENVIRONMENT": "Development",
+        "DOTNET_ENVIRONMENT": "Development",
+        "ASPIRE_DASHBOARD_OTLP_ENDPOINT_URL": "http://localhost:19177",
+        "ASPIRE_DASHBOARD_MCP_ENDPOINT_URL": "http://localhost:18052",
+        "ASPIRE_RESOURCE_SERVICE_ENDPOINT_URL": "http://localhost:20131"
+      }
+    }
+  }
+}

Clarity.AppHost/appsettings.Development.json

@@ -0,0 +1,8 @@
+{
+  "Logging": {
+    "LogLevel": {
+      "Default": "Information",
+      "Microsoft.AspNetCore": "Warning"
+    }
+  }
+}

Clarity.AppHost/appsettings.json

@@ -0,0 +1,9 @@
+{
+  "Logging": {
+    "LogLevel": {
+      "Default": "Information",
+      "Microsoft.AspNetCore": "Warning",
+      "Aspire.Hosting.Dcp": "Warning"
+    }
+  }
+}

Clarity.MigrationService/Clarity.MigrationService.csproj

@@ -0,0 +1,21 @@
+<Project Sdk="Microsoft.NET.Sdk.Worker">
+
+  <PropertyGroup>
+    <TargetFramework>net10.0</TargetFramework>
+    <Nullable>enable</Nullable>
+    <ImplicitUsings>enable</ImplicitUsings>
+    <UserSecretsId>dotnet-Clarity.MigrationService-bf435d60-c671-4bd2-bd5a-41edaf989137</UserSecretsId>
+  </PropertyGroup>
+
+  <ItemGroup>
+    <PackageReference Include="Microsoft.EntityFrameworkCore" />
+    <PackageReference Include="Microsoft.EntityFrameworkCore.Tools" />
+    <PackageReference Include="Microsoft.Extensions.Hosting" />
+    <PackageReference Include="Aspire.Npgsql.EntityFrameworkCore.PostgreSQL" />
+  </ItemGroup>
+
+  <ItemGroup>
+    <ProjectReference Include="..\Clarity.Server\Clarity.Server.csproj" />
+    <ProjectReference Include="..\Clarity.ServiceDefaults\Clarity.ServiceDefaults.csproj" />
+  </ItemGroup>
+</Project>

Clarity.MigrationService/Program.cs

@@ -0,0 +1,16 @@
+using Clarity.MigrationService;
+using Clarity.Server.Data;
+using Microsoft.EntityFrameworkCore;
+
+var builder = Host.CreateApplicationBuilder(args);
+builder.AddServiceDefaults();
+builder.Services.AddHostedService<Worker>();
+
+var connectionString = builder.Configuration.GetConnectionString("postgresdb")
+    ?? throw new InvalidOperationException("Connection string 'postgresdb' not found.");
+
+builder.Services.AddDbContext<ApplicationDbContext>(options =>
+    options.UseNpgsql(connectionString));
+
+var host = builder.Build();
+host.Run();

Clarity.MigrationService/Properties/launchSettings.json

@@ -0,0 +1,12 @@
+{
+  "$schema": "https://json.schemastore.org/launchsettings.json",
+  "profiles": {
+    "Clarity.MigrationService": {
+      "commandName": "Project",
+      "dotnetRunMessages": true,
+      "environmentVariables": {
+        "DOTNET_ENVIRONMENT": "Development"
+      }
+    }
+  }
+}

Clarity.MigrationService/Worker.cs

@@ -0,0 +1,46 @@
+using Clarity.Server.Data;
+using Microsoft.EntityFrameworkCore;
+using System.Diagnostics;
+
+namespace Clarity.MigrationService;
+
+public class Worker(
+    IServiceProvider serviceProvider,
+    IHostApplicationLifetime hostApplicationLifetime) : BackgroundService
+{
+    public const string ActivitySourceName = "Migrations";
+    private static readonly ActivitySource s_activitySource = new(ActivitySourceName);
+
+    protected override async Task ExecuteAsync(
+        CancellationToken cancellationToken)
+    {
+        using var activity = s_activitySource.StartActivity(
+            "Migrating database", ActivityKind.Client);
+
+        try
+        {
+            using var scope = serviceProvider.CreateScope();
+            var dbContext = scope.ServiceProvider.GetRequiredService<ApplicationDbContext>();
+
+            await RunMigrationAsync(dbContext, cancellationToken);
+        }
+        catch (Exception ex)
+        {
+            activity?.AddException(ex);
+            throw;
+        }
+
+        hostApplicationLifetime.StopApplication();
+    }
+
+    private static async Task RunMigrationAsync(
+        ApplicationDbContext dbContext, CancellationToken cancellationToken)
+    {
+        var strategy = dbContext.Database.CreateExecutionStrategy();
+        await strategy.ExecuteAsync(async () =>
+        {
+            // Run migration in a transaction to avoid partial migration if it fails.
+            await dbContext.Database.MigrateAsync(cancellationToken);
+        });
+    }
+}

Clarity.MigrationService/appsettings.Development.json

@@ -0,0 +1,8 @@
+{
+  "Logging": {
+    "LogLevel": {
+      "Default": "Information",
+      "Microsoft.Hosting.Lifetime": "Information"
+    }
+  }
+}

Clarity.MigrationService/appsettings.json

@@ -0,0 +1,8 @@
+{
+  "Logging": {
+    "LogLevel": {
+      "Default": "Information",
+      "Microsoft.Hosting.Lifetime": "Information"
+    }
+  }
+}

Clarity.Server/Clarity.Server.csproj

@@ -0,0 +1,34 @@
+<Project Sdk="Microsoft.NET.Sdk.Web">
+
+  <PropertyGroup>
+    <TargetFramework>net10.0</TargetFramework>
+    <ImplicitUsings>enable</ImplicitUsings>
+    <Nullable>enable</Nullable>
+  </PropertyGroup>
+
+  <ItemGroup>
+    <PackageReference Include="Aspire.Keycloak.Authentication" />
+    <PackageReference Include="Aspire.Npgsql.EntityFrameworkCore.PostgreSQL" />
+    <PackageReference Include="Aspire.StackExchange.Redis.OutputCaching" />
+    <PackageReference Include="CommunityToolkit.Aspire.Minio.Client" />
+    <PackageReference Include="Microsoft.AspNetCore.OpenApi" />
+    <PackageReference Include="Microsoft.EntityFrameworkCore" />
+    <PackageReference Include="Microsoft.EntityFrameworkCore.Design">
+      <PrivateAssets>all</PrivateAssets>
+      <IncludeAssets>runtime; build; native; contentfiles; analyzers; buildtransitive</IncludeAssets>
+    </PackageReference>
+    <PackageReference Include="Microsoft.Extensions.Http.Resilience" />
+    <PackageReference Include="Microsoft.Extensions.ServiceDiscovery" />
+    <PackageReference Include="OpenTelemetry.Exporter.OpenTelemetryProtocol" />
+    <PackageReference Include="OpenTelemetry.Extensions.Hosting" />
+    <PackageReference Include="OpenTelemetry.Instrumentation.AspNetCore" />
+    <PackageReference Include="OpenTelemetry.Instrumentation.Http" />
+    <PackageReference Include="OpenTelemetry.Instrumentation.Runtime" />
+    <PackageReference Include="Scalar.Aspire" />
+    <PackageReference Include="VaultSharp" />
+  </ItemGroup>
+
+  <ItemGroup>
+    <ProjectReference Include="..\Clarity.ServiceDefaults\Clarity.ServiceDefaults.csproj" />
+  </ItemGroup>
+</Project>

Clarity.Server/Clarity.Server.http

@@ -0,0 +1,6 @@
+@Server_HostAddress = http://localhost:5416
+
+GET {{Server_HostAddress}}/api/weatherforecast/
+Accept: application/json
+
+###

Clarity.Server/Data/ApplicationDbContext.cs

@@ -0,0 +1,27 @@
+using Clarity.Server.Entity;
+using Microsoft.EntityFrameworkCore;
+
+namespace Clarity.Server.Data
+{
+    public class ApplicationDbContext : DbContext
+    {
+        public DbSet<Profile> Profiles => Set<Profile>();
+        public DbSet<SysParams> SysParams => Set<SysParams>();
+
+
+        public ApplicationDbContext(DbContextOptions<ApplicationDbContext> options)
+        : base(options)
+        {
+        }
+
+        protected override void OnModelCreating(ModelBuilder modelBuilder)
+        {
+            modelBuilder.Entity<Profile>(entity =>
+            {
+                entity.HasKey(p => p.Id);
+                entity.HasIndex(p => p.KeycloakSubject).IsUnique();
+                entity.Property(p => p.KeycloakSubject).IsRequired();
+            });
+        }
+    }
+}

Clarity.Server/Data/ApplicationDbContextFactory.cs

@@ -0,0 +1,22 @@
+using Microsoft.EntityFrameworkCore;
+using Microsoft.EntityFrameworkCore.Design;
+
+namespace Clarity.Server.Data;
+
+public class ApplicationDbContextFactory : IDesignTimeDbContextFactory<ApplicationDbContext>
+{
+    public ApplicationDbContext CreateDbContext(string[] args)
+    {
+        var configuration = new ConfigurationBuilder()
+            .SetBasePath(Directory.GetCurrentDirectory())
+            .AddJsonFile("appsettings.json", optional: false)
+            .AddJsonFile("appsettings.Development.json", optional: true)
+            .AddEnvironmentVariables()
+            .Build();
+
+        var optionsBuilder = new DbContextOptionsBuilder<ApplicationDbContext>();
+        optionsBuilder.UseNpgsql(configuration.GetConnectionString("postgresdb"));
+
+        return new ApplicationDbContext(optionsBuilder.Options);
+    }
+}

Clarity.Server/Data/BlindIndexHelper.cs

@@ -0,0 +1,37 @@
+using System.Security.Cryptography;
+using System.Text;
+
+namespace Clarity.Server.Data;
+
+public static class BlindIndexHelper
+{
+    // In a real environment, this "Pepper" comes from your TenantKeyProvider or Vault!
+    // It must NEVER change once records are written, or searches will break.
+    public static string Compute(string? input, byte[] staticPepper)
+    {
+        if (string.IsNullOrWhiteSpace(input)) return string.Empty;
+
+        // 1. Normalize (Remove dashes, spaces, make uppercase)
+        var normalized = input.Replace("-", "").Replace(" ", "").ToUpperInvariant();
+
+        // 2. Hash using HMAC-SHA256 and the static Pepper
+        using var hmac = new HMACSHA256(staticPepper);
+        var hashBytes = hmac.ComputeHash(Encoding.UTF8.GetBytes(normalized));
+
+        // 3. Return Base64 for database storage
+        return Convert.ToBase64String(hashBytes);
+    }
+}
+
+[AttributeUsage(AttributeTargets.Property)]
+public class BlindIndexedAttribute : Attribute
+{
+    public string TargetPropertyName { get; }
+
+    public BlindIndexedAttribute(string targetPropertyName)
+    {
+        TargetPropertyName = targetPropertyName;
+    }
+}
+
+

Clarity.Server/Data/Migrations/20260424021033_InitialCreate.Designer.cs

@@ -0,0 +1,95 @@
+// <auto-generated />
+using System;
+using Clarity.Server.Data;
+using Microsoft.EntityFrameworkCore;
+using Microsoft.EntityFrameworkCore.Infrastructure;
+using Microsoft.EntityFrameworkCore.Migrations;
+using Microsoft.EntityFrameworkCore.Storage.ValueConversion;
+using Npgsql.EntityFrameworkCore.PostgreSQL.Metadata;
+
+#nullable disable
+
+namespace Clarity.Server.Data.Migrations
+{
+    [DbContext(typeof(ApplicationDbContext))]
+    [Migration("20260424021033_InitialCreate")]
+    partial class InitialCreate
+    {
+        /// <inheritdoc />
+        protected override void BuildTargetModel(ModelBuilder modelBuilder)
+        {
+#pragma warning disable 612, 618
+            modelBuilder
+                .HasAnnotation("ProductVersion", "10.0.6")
+                .HasAnnotation("Relational:MaxIdentifierLength", 63);
+
+            NpgsqlModelBuilderExtensions.UseIdentityByDefaultColumns(modelBuilder);
+
+            modelBuilder.Entity("Clarity.Server.Data.SysParams", b =>
+                {
+                    b.Property<int>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("integer");
+
+                    NpgsqlPropertyBuilderExtensions.UseIdentityByDefaultColumn(b.Property<int>("Id"));
+
+                    b.Property<string>("EncryptedKek")
+                        .IsRequired()
+                        .HasColumnType("text");
+
+                    b.HasKey("Id");
+
+                    b.ToTable("SysParams");
+                });
+
+            modelBuilder.Entity("Clarity.Server.Entity.Profile", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTimeOffset>("CreatedAt")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<byte[]>("EncryptedDek")
+                        .IsRequired()
+                        .HasColumnType("bytea");
+
+                    b.Property<string>("FirstName")
+                        .IsRequired()
+                        .HasColumnType("text");
+
+                    b.Property<string>("KeycloakSubject")
+                        .IsRequired()
+                        .HasColumnType("text");
+
+                    b.Property<string>("LastName")
+                        .IsRequired()
+                        .HasColumnType("text");
+
+                    b.Property<string>("MiddleName")
+                        .IsRequired()
+                        .HasColumnType("text");
+
+                    b.Property<bool>("OnboardingComplete")
+                        .HasColumnType("boolean");
+
+                    b.Property<string>("Ssn")
+                        .IsRequired()
+                        .HasColumnType("text");
+
+                    b.Property<string>("Tenant")
+                        .IsRequired()
+                        .HasColumnType("text");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("KeycloakSubject")
+                        .IsUnique();
+
+                    b.ToTable("Profiles");
+                });
+#pragma warning restore 612, 618
+        }
+    }
+}

Clarity.Server/Data/Migrations/20260424021033_InitialCreate.cs

@@ -0,0 +1,65 @@
+using System;
+using Microsoft.EntityFrameworkCore.Migrations;
+using Npgsql.EntityFrameworkCore.PostgreSQL.Metadata;
+
+#nullable disable
+
+namespace Clarity.Server.Data.Migrations
+{
+    /// <inheritdoc />
+    public partial class InitialCreate : Migration
+    {
+        /// <inheritdoc />
+        protected override void Up(MigrationBuilder migrationBuilder)
+        {
+            migrationBuilder.CreateTable(
+                name: "Profiles",
+                columns: table => new
+                {
+                    Id = table.Column<Guid>(type: "uuid", nullable: false),
+                    KeycloakSubject = table.Column<string>(type: "text", nullable: false),
+                    FirstName = table.Column<string>(type: "text", nullable: false),
+                    MiddleName = table.Column<string>(type: "text", nullable: false),
+                    LastName = table.Column<string>(type: "text", nullable: false),
+                    Ssn = table.Column<string>(type: "text", nullable: false),
+                    OnboardingComplete = table.Column<bool>(type: "boolean", nullable: false),
+                    CreatedAt = table.Column<DateTimeOffset>(type: "timestamp with time zone", nullable: false),
+                    EncryptedDek = table.Column<byte[]>(type: "bytea", nullable: false),
+                    Tenant = table.Column<string>(type: "text", nullable: false)
+                },
+                constraints: table =>
+                {
+                    table.PrimaryKey("PK_Profiles", x => x.Id);
+                });
+
+            migrationBuilder.CreateTable(
+                name: "SysParams",
+                columns: table => new
+                {
+                    Id = table.Column<int>(type: "integer", nullable: false)
+                        .Annotation("Npgsql:ValueGenerationStrategy", NpgsqlValueGenerationStrategy.IdentityByDefaultColumn),
+                    EncryptedKek = table.Column<string>(type: "text", nullable: false)
+                },
+                constraints: table =>
+                {
+                    table.PrimaryKey("PK_SysParams", x => x.Id);
+                });
+
+            migrationBuilder.CreateIndex(
+                name: "IX_Profiles_KeycloakSubject",
+                table: "Profiles",
+                column: "KeycloakSubject",
+                unique: true);
+        }
+
+        /// <inheritdoc />
+        protected override void Down(MigrationBuilder migrationBuilder)
+        {
+            migrationBuilder.DropTable(
+                name: "Profiles");
+
+            migrationBuilder.DropTable(
+                name: "SysParams");
+        }
+    }
+}

Clarity.Server/Data/Migrations/ApplicationDbContextModelSnapshot.cs

@@ -0,0 +1,92 @@
+// <auto-generated />
+using System;
+using Clarity.Server.Data;
+using Microsoft.EntityFrameworkCore;
+using Microsoft.EntityFrameworkCore.Infrastructure;
+using Microsoft.EntityFrameworkCore.Storage.ValueConversion;
+using Npgsql.EntityFrameworkCore.PostgreSQL.Metadata;
+
+#nullable disable
+
+namespace Clarity.Server.Data.Migrations
+{
+    [DbContext(typeof(ApplicationDbContext))]
+    partial class ApplicationDbContextModelSnapshot : ModelSnapshot
+    {
+        protected override void BuildModel(ModelBuilder modelBuilder)
+        {
+#pragma warning disable 612, 618
+            modelBuilder
+                .HasAnnotation("ProductVersion", "10.0.6")
+                .HasAnnotation("Relational:MaxIdentifierLength", 63);
+
+            NpgsqlModelBuilderExtensions.UseIdentityByDefaultColumns(modelBuilder);
+
+            modelBuilder.Entity("Clarity.Server.Data.SysParams", b =>
+                {
+                    b.Property<int>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("integer");
+
+                    NpgsqlPropertyBuilderExtensions.UseIdentityByDefaultColumn(b.Property<int>("Id"));
+
+                    b.Property<string>("EncryptedKek")
+                        .IsRequired()
+                        .HasColumnType("text");
+
+                    b.HasKey("Id");
+
+                    b.ToTable("SysParams");
+                });
+
+            modelBuilder.Entity("Clarity.Server.Entity.Profile", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("uuid");
+
+                    b.Property<DateTimeOffset>("CreatedAt")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<byte[]>("EncryptedDek")
+                        .IsRequired()
+                        .HasColumnType("bytea");
+
+                    b.Property<string>("FirstName")
+                        .IsRequired()
+                        .HasColumnType("text");
+
+                    b.Property<string>("KeycloakSubject")
+                        .IsRequired()
+                        .HasColumnType("text");
+
+                    b.Property<string>("LastName")
+                        .IsRequired()
+                        .HasColumnType("text");
+
+                    b.Property<string>("MiddleName")
+                        .IsRequired()
+                        .HasColumnType("text");
+
+                    b.Property<bool>("OnboardingComplete")
+                        .HasColumnType("boolean");
+
+                    b.Property<string>("Ssn")
+                        .IsRequired()
+                        .HasColumnType("text");
+
+                    b.Property<string>("Tenant")
+                        .IsRequired()
+                        .HasColumnType("text");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("KeycloakSubject")
+                        .IsUnique();
+
+                    b.ToTable("Profiles");
+                });
+#pragma warning restore 612, 618
+        }
+    }
+}

Clarity.Server/Data/PIIEncryptInterceptor.cs

@@ -0,0 +1,272 @@
+using Microsoft.EntityFrameworkCore;
+using Microsoft.EntityFrameworkCore.Diagnostics;
+using System.Security.Cryptography;
+using System.Text;
+using System.Text.Json.Serialization;
+using VaultSharp;
+using VaultSharp.V1.SecretsEngines;
+using VaultSharp.V1.SecretsEngines.Transit;
+using VaultSharp.V1.Commons;
+using System.Collections.Generic;
+
+namespace Clarity.Server.Data;
+
+public interface IPIIEntity
+{
+    public byte[] EncryptedDek { get; set; }
+    public string Tenant { get; set; }
+}
+
+public interface IPIIVault
+{
+    Task<(byte[] PlaintextKey, string CiphertextKey)> GenerateTenantKEKAsync(string tenantId);
+    Task<byte[]> DecryptTenantKEKAsync(string encryptedKek, string tenantId);
+    Task<string> RewrapTenantKEKAsync(string encryptedKek, string tenantId);
+}
+
+
+public class TenantKeyProvider
+{
+    public byte[]? CurrentKey { get; private set; }
+    public void SetKey(byte[] key) => CurrentKey = key;
+}
+
+public class PIIVault : IPIIVault
+{
+    private readonly IVaultClient _vaultClient;
+
+    private const string TransitPath = "clarity-transit";
+    private const string MasterKeyName = "master-key";
+
+    public PIIVault(IVaultClient vaultClient)
+    {
+        _vaultClient = vaultClient;
+    }
+
+    // https://github.com/rajanadar/VaultSharp/blob/master/test/VaultSharp.Samples/Backends/Secrets/TransitSecretsBackendSamples.cs
+    public async Task<(byte[] PlaintextKey, string CiphertextKey)> GenerateTenantKEKAsync(string tenantId)
+    {
+        var encodedContext = Convert.ToBase64String(Encoding.UTF8.GetBytes(tenantId));
+        var dataKeyOptions = new DataKeyRequestOptions
+        {
+            DataKeyType = TransitDataKeyType.plaintext, 
+            Base64EncodedContext = encodedContext
+        };
+
+        Secret<DataKeyResponse> response = await _vaultClient.V1.Secrets.Transit.GenerateDataKeyAsync(
+            MasterKeyName,
+            dataKeyOptions,
+            TransitPath);
+
+        byte[] rawPlaintextBytes = Convert.FromBase64String(response.Data.Base64EncodedPlainText);
+        string ciphertext = response.Data.CipherText;
+
+        return (rawPlaintextBytes, ciphertext);
+    }
+
+    public async Task<byte[]> DecryptTenantKEKAsync(string encryptedKek, string tenantId)
+    {
+        var encodedContext = Convert.ToBase64String(Encoding.UTF8.GetBytes(tenantId));
+        var decryptOptions = new DecryptRequestOptions
+        {
+            CipherText = encryptedKek,
+            Base64EncodedContext = encodedContext
+        };
+
+        Secret<DecryptionResponse> response = await _vaultClient.V1.Secrets.Transit.DecryptAsync(
+            MasterKeyName,
+            decryptOptions,
+            TransitPath);
+
+        return Convert.FromBase64String(response.Data.Base64EncodedPlainText);
+    }
+
+    public async Task<string> RewrapTenantKEKAsync(string encryptedKek, string tenantId)
+    {
+        var encodedContext = Convert.ToBase64String(Encoding.UTF8.GetBytes(tenantId));
+
+        var rewrapOptions = new RewrapRequestOptions
+        {
+            CipherText = encryptedKek,
+            Base64EncodedContext = encodedContext
+        };
+
+        var response = await _vaultClient.V1.Secrets.Transit.RewrapAsync(
+            MasterKeyName,
+            rewrapOptions,
+            TransitPath);
+
+        return response.Data.CipherText;
+    }
+}
+public static class TenantSecurityExtensions
+{
+    public static async Task InitializeTenantSecurityAsync(this WebApplication app)
+    {
+        using var scope = app.Services.CreateScope();
+        var db = scope.ServiceProvider.GetRequiredService<ApplicationDbContext>();
+        var piiVault = scope.ServiceProvider.GetRequiredService<IPIIVault>();
+        var keyProvider = scope.ServiceProvider.GetRequiredService<TenantKeyProvider>();
+
+        var tenantId = app.Configuration["Tenant__Id"] ?? "CLARITY_01000000";
+
+        var settings = await db.SysParams.FirstOrDefaultAsync();
+
+        if (settings == null)
+        {
+            // Generate the key!
+            var (plaintext, ciphertext) = await piiVault.GenerateTenantKEKAsync(tenantId);
+
+            // Save ciphertext to DB so we have it for the next restart
+            db.SysParams.Add(new SysParams { EncryptedKek = ciphertext });
+            await db.SaveChangesAsync();
+
+            // Store plaintext in RAM
+            keyProvider.SetKey(plaintext);
+        }
+        else
+        {
+            // Ask Vault to unwrap the existing key using the Master Key + Context
+            var plaintext = await piiVault.DecryptTenantKEKAsync(settings.EncryptedKek, tenantId);
+
+            // Store plaintext back in RAM
+            keyProvider.SetKey(plaintext);
+        }
+    }
+}
+
+[AttributeUsage(AttributeTargets.Property)]
+public class PiiDataAttribute : Attribute
+{
+
+}
+
+
+public class EnvelopeEncryptionInterceptor : SaveChangesInterceptor, IMaterializationInterceptor
+{
+    private readonly TenantKeyProvider _keyProvider;
+
+    public EnvelopeEncryptionInterceptor(TenantKeyProvider keyProvider)
+    {
+        _keyProvider = keyProvider;
+    }
+
+    public override InterceptionResult<int> SavingChanges(DbContextEventData eventData, InterceptionResult<int> result)
+    {
+        EncryptEntities(eventData.Context);
+        return base.SavingChanges(eventData, result);
+    }
+
+    public override ValueTask<InterceptionResult<int>> SavingChangesAsync(DbContextEventData eventData, InterceptionResult<int> result, CancellationToken cancellationToken = default)
+    {
+        EncryptEntities(eventData.Context);
+        return base.SavingChangesAsync(eventData, result, cancellationToken);
+    }
+
+    public object InitializedInstance(MaterializationInterceptionData materializationData, object entity)
+    {
+        if (entity is not IPIIEntity piiEntity || _keyProvider.CurrentKey == null || piiEntity.EncryptedDek == null)
+        {
+            return entity;
+        }
+
+        try
+        {
+            // 1. Open the Envelope (Unwrap Row DEK)
+            byte[] rowDek = AesGcmHelper.Decrypt(piiEntity.EncryptedDek, _keyProvider.CurrentKey);
+
+            var props = entity.GetType().GetProperties()
+                .Where(p => p.PropertyType == typeof(string) && Attribute.IsDefined(p, typeof(PiiDataAttribute)));
+
+            foreach (var prop in props)
+            {
+                var cipherText = (string?)prop.GetValue(entity);
+                if (!string.IsNullOrEmpty(cipherText))
+                {
+                    prop.SetValue(entity, AesGcmHelper.DecryptString(cipherText, rowDek));
+                }
+            }
+        }
+        catch (CryptographicException) { /* Log unauthorized tampering! */ }
+
+        return entity;
+    }
+
+    private void EncryptEntities(DbContext? context)
+    {
+        if (context == null || _keyProvider.CurrentKey == null) return;
+
+        var entries = context.ChangeTracker.Entries<IPIIEntity>()
+            .Where(e => e.State == EntityState.Added || e.State == EntityState.Modified);
+
+        foreach (var entry in entries)
+        {
+            var entity = entry.Entity;
+            byte[] rowDek = RandomNumberGenerator.GetBytes(32);
+
+            // 2. Wrap the Row DEK
+            entity.EncryptedDek = AesGcmHelper.Encrypt(rowDek, _keyProvider.CurrentKey);
+
+            var props = entity.GetType().GetProperties()
+                .Where(p => p.PropertyType == typeof(string) && Attribute.IsDefined(p, typeof(PiiDataAttribute)));
+
+            foreach (var prop in props)
+            {
+                var plainText = (string?)prop.GetValue(entity);
+                if (!string.IsNullOrEmpty(plainText))
+                {
+                    prop.SetValue(entity, AesGcmHelper.EncryptString(plainText, rowDek));
+                }
+            }
+        }
+    }
+}
+
+/// <summary>
+/// AES-GCM High-Performance Helper
+/// Uses Span<byte> for speed, but returns byte[] for EF Core storage.
+/// </summary>
+public static class AesGcmHelper
+{
+    private const int NonceSize = 12; // AesGcm.NonceByteSizes.MaxSize
+    private const int TagSize = 16;   // AesGcm.TagByteSizes.MaxSize
+
+    public static byte[] Encrypt(ReadOnlySpan<byte> data, ReadOnlySpan<byte> key)
+    {
+        // Final buffer: [Nonce (12)] [Tag (16)] [Ciphertext (N)]
+        byte[] result = new byte[NonceSize + TagSize + data.Length];
+
+        Span<byte> nonce = result.AsSpan(0, NonceSize);
+        Span<byte> tag = result.AsSpan(NonceSize, TagSize);
+        Span<byte> cipher = result.AsSpan(NonceSize + TagSize);
+
+        RandomNumberGenerator.Fill(nonce);
+
+        using var aes = new AesGcm(key);
+        aes.Encrypt(nonce, data, cipher, tag);
+
+        return result;
+    }
+
+    public static byte[] Decrypt(ReadOnlySpan<byte> encryptedData, ReadOnlySpan<byte> key)
+    {
+        if (encryptedData.Length < NonceSize + TagSize)
+            throw new CryptographicException("Ciphertext too short.");
+
+        ReadOnlySpan<byte> nonce = encryptedData.Slice(0, NonceSize);
+        ReadOnlySpan<byte> tag = encryptedData.Slice(NonceSize, TagSize);
+        ReadOnlySpan<byte> cipher = encryptedData.Slice(NonceSize + TagSize);
+
+        byte[] result = new byte[cipher.Length];
+        using var aes = new AesGcm(key);
+        aes.Decrypt(nonce, cipher, tag, result);
+
+        return result;
+    }
+
+    public static string EncryptString(string text, byte[] key) =>
+        Convert.ToBase64String(Encrypt(System.Text.Encoding.UTF8.GetBytes(text), key));
+
+    public static string DecryptString(string cipher, byte[] key) =>
+        System.Text.Encoding.UTF8.GetString(Decrypt(Convert.FromBase64String(cipher), key));
+}

Clarity.Server/Data/SysParams.cs

@@ -0,0 +1,12 @@
+using System.ComponentModel.DataAnnotations;
+
+namespace Clarity.Server.Data
+{
+    public class SysParams
+    {
+        [Key]
+        public int Id { get; set; } = 1;
+
+        public string EncryptedKek { get; set; } = string.Empty;
+    }
+}

Clarity.Server/Dockerfile

@@ -0,0 +1,38 @@
+# -- Stage 1: Build Vite frontend ---------------------------------------------
+FROM node:22-alpine AS frontend
+WORKDIR /frontend
+
+COPY frontend/package.json frontend/package-lock.json* ./
+RUN npm ci --legacy-peer-deps
+
+COPY frontend/ ./
+RUN npm run build
+# Output lands in /frontend/dist
+
+# -- Stage 2: Build .NET server -----------------------------------------------
+FROM mcr.microsoft.com/dotnet/sdk:10.0 AS build
+WORKDIR /src
+
+COPY ["Clarity.Server/Clarity.Server.csproj",                   "Clarity.Server/"]
+COPY ["Clarity.ServiceDefaults/Clarity.ServiceDefaults.csproj", "Clarity.ServiceDefaults/"]
+COPY ["Directory.Packages.props", "./"]
+
+RUN dotnet restore "Clarity.Server/Clarity.Server.csproj"
+
+COPY . .
+
+# Embed the Vite build into wwwroot (mirrors Aspire PublishWithContainerFiles)
+COPY --from=frontend /frontend/dist ./Clarity.Server/wwwroot/
+
+RUN dotnet publish "Clarity.Server/Clarity.Server.csproj" \
+    -c Release -o /app/publish
+
+# -- Stage 3: Runtime ----------------------------------------------------------
+FROM mcr.microsoft.com/dotnet/aspnet:10.0 AS runtime
+WORKDIR /app
+
+COPY --from=build /app/publish .
+
+EXPOSE 8080
+
+ENTRYPOINT ["dotnet", "Clarity.Server.dll"]

Clarity.Server/Endpoints/DebugEndpoints.cs

@@ -0,0 +1,33 @@
+using System.Runtime.CompilerServices;
+using System.Security.Claims;
+
+namespace Clarity.Server.Endpoints
+{
+    public static class DebugEndpoints
+    {
+        public static IEndpointRouteBuilder MapDebugEndpoints(this IEndpointRouteBuilder app)
+        {
+            var api = app.MapGroup("/api").RequireAuthorization();
+
+            api.MapGet("debug/claims", (ClaimsPrincipal user) =>
+            {
+                var sub = user.FindFirstValue(ClaimTypes.NameIdentifier) ?? user.FindFirstValue("sub");
+
+                return Results.Ok(new
+                {
+                    Subject = sub,
+                    Username = user.FindFirstValue("preferred_username"),
+                    Email = user.FindFirstValue(ClaimTypes.Email) ?? user.FindFirstValue("email"),
+                    IsAuthenticated = user.Identity?.IsAuthenticated,
+                    AllClaims = user.Claims.Select(c => new { c.Type, c.Value })
+                });
+            });
+
+            // Sanity check - no auth required, confirms API is reachable
+            api.MapGet("auth/ping", () => Results.Ok(new { Status = "ok", Time = DateTimeOffset.UtcNow }))
+               .AllowAnonymous();
+
+            return app;
+        }
+    }
+}

Clarity.Server/Endpoints/ProfileEndpoints.cs

@@ -0,0 +1,57 @@
+using Clarity.Server.Services;
+using Microsoft.AspNetCore.Mvc;
+using System.Security.Claims;
+
+namespace Clarity.Server.Endpoints
+{
+    public static class ProfileEndpoints
+    {
+        public record OnboardingRequest(string FirstName, string? MiddleName, string LastName, string Ssn);
+
+        public static IEndpointRouteBuilder MapProfileEndpoints(this IEndpointRouteBuilder app)
+        {
+            var group = app.MapGroup("/api/profile").RequireAuthorization();
+
+            group.MapGet("/", async (ClaimsPrincipal user, ProfileService svc, CancellationToken ct) =>
+            {
+                var sub = user.FindFirstValue(ClaimTypes.NameIdentifier) ?? user.FindFirstValue("sub");
+                if (sub is null) return Results.Unauthorized();
+
+                var profile = await svc.GetBySubjectAsync(sub, ct);
+                if (profile is null)
+                    return Results.NotFound(new { onboardingComplete = false });
+
+                return Results.Ok(profile);
+            });
+
+            group.MapGet("/{subject}", async (string subject, ProfileService profileService) =>
+            {
+                var profile = await profileService.GetBySubjectAsync(subject);
+
+                if (profile == null)
+                    return Results.NotFound(new { message = "Profile not found!" });
+
+                return Results.Ok(profile);
+            });
+
+            group.MapPost("/onboarding", async (
+                [FromBody] OnboardingRequest req,
+                ClaimsPrincipal user,
+                ProfileService svc,
+                CancellationToken ct) =>
+            {
+                var sub = user.FindFirstValue(ClaimTypes.NameIdentifier) ?? user.FindFirstValue("sub");
+                if (sub is null) return Results.Unauthorized();
+
+                var existing = await svc.GetBySubjectAsync(sub, ct);
+                if (existing is not null)
+                    return Results.Conflict(new { message = "Profile already exists." });
+
+                var profile = await svc.CreateAsync(sub, req.FirstName, req.MiddleName, req.LastName, req.Ssn, ct);
+                return Results.Ok(profile);
+            });
+
+            return app;
+        }
+    }
+}

Clarity.Server/Entity/Profile.cs

@@ -0,0 +1,32 @@
+using Clarity.Server.Data;
+using System.ComponentModel.DataAnnotations.Schema;
+
+namespace Clarity.Server.Entity
+{
+    public class Profile : IPIIEntity
+    {
+        public Guid Id { get; set; }
+        /// <summary>Keycloak subject ID (the "sub" claim). Unique per user.</summary>
+        public string KeycloakSubject { get; set; } = string.Empty;
+
+
+        // Actual Application data
+        [PiiData]
+        public string FirstName { get; set; }
+        [PiiData]
+        public string MiddleName { get; set; }
+        [PiiData]
+        public string LastName { get; set; }
+
+        [PiiData]
+        public string Ssn { get; set; }
+
+        // Audit
+        // Onboarding Flow
+        public bool OnboardingComplete { get; set; } = false;
+        public DateTimeOffset CreatedAt { get; set; } = DateTimeOffset.UtcNow;
+
+        public byte[] EncryptedDek { get; set; } = Array.Empty<byte>();
+        public string Tenant { get; set; } = string.Empty;
+    }
+}

Clarity.Server/MinioExtensions.cs

@@ -0,0 +1,38 @@
+using Minio;
+using Minio.DataModel.Args;
+
+namespace Clarity.Server.Extensions;
+
+public static class MinioExtensions
+{
+    /// <summary>
+    /// Idempotently provisions MinIO buckets on application startup.
+    /// </summary>
+    public static async Task ProvisionBucketsAsync(this WebApplication app, params string[] bucketNames)
+    {
+        // Skip entirely if Minio isn't configured (e.g. tenant containers without Minio env var)
+        var connStr = app.Configuration.GetConnectionString("minio");
+        if (string.IsNullOrWhiteSpace(connStr)) return;
+
+        using var scope = app.Services.CreateScope();
+        var minioClient = scope.ServiceProvider.GetRequiredService<IMinioClient>();
+        var logger = scope.ServiceProvider.GetRequiredService<ILogger<Program>>();
+
+        foreach (var bucket in bucketNames)
+        {
+            try
+            {
+                var exists = await minioClient.BucketExistsAsync(new BucketExistsArgs().WithBucket(bucket));
+                if (!exists)
+                {
+                    await minioClient.MakeBucketAsync(new MakeBucketArgs().WithBucket(bucket));
+                    logger.LogInformation("🚀 Project Clarity: Successfully provisioned MinIO bucket '{Bucket}'", bucket);
+                }
+            }
+            catch (Exception ex)
+            {
+                logger.LogError(ex, "❌ Project Clarity: Failed to provision MinIO bucket '{Bucket}'", bucket);
+            }
+        }
+    }
+}

Clarity.Server/Program.cs

@@ -0,0 +1,179 @@
+using Clarity.Server;
+using Clarity.Server.Data;
+using Clarity.Server.Endpoints;
+using Clarity.Server.Extensions;
+using Clarity.Server.Services;
+using Microsoft.AspNetCore.Authorization;
+using Microsoft.AspNetCore.Http.HttpResults;
+using Microsoft.EntityFrameworkCore;
+using System.Net;
+using System.Security.Claims;
+
+var builder = WebApplication.CreateBuilder(args);
+
+// Add service defaults & Aspire client integrations.
+builder.AddServiceDefaults();
+if (!string.IsNullOrEmpty(builder.Configuration.GetConnectionString("cache")))
+{
+    builder.AddRedisClientBuilder("cache")
+        .WithOutputCache();
+}
+else
+{
+    builder.Services.AddOutputCache();
+}
+
+#region HASHICORP_VAULT
+var keyProvider = new TenantKeyProvider();
+var encryptionInterceptor = new EnvelopeEncryptionInterceptor(keyProvider);
+
+// Add them to DI so your bootstrapper can still resolve them!
+builder.Services.AddSingleton(keyProvider);
+builder.Services.AddSingleton(encryptionInterceptor);
+builder.Services.AddClarityVaultCryptography(builder.Configuration);
+//builder.Services.AddSingleton<EnvelopeEncryptionInterceptor>();
+//builder.Services.AddSingleton<TenantKeyProvider>();
+builder.Services.AddSingleton<IPIIVault, PIIVault>();
+#endregion
+
+#region POSTGRESQL
+//builder.AddNpgsqlDbContext<ApplicationDbContext>(connectionName: "postgresdb");
+builder.AddNpgsqlDbContext<ApplicationDbContext>(
+    connectionName: "postgresdb",
+    configureDbContextOptions: options =>
+    {
+        options.AddInterceptors(encryptionInterceptor);
+    });
+#endregion
+
+#region MINIO
+builder.AddMinioClient("minio");
+#endregion
+
+builder.Services.AddScoped<ProfileService>();
+
+// Add services to the container.
+builder.Services.AddProblemDetails();
+
+// Learn more about configuring OpenAPI at https://aka.ms/aspnet/openapi
+builder.Services.AddOpenApi();
+
+// Keycloak__BaseUrl and Keycloak__Realm are injected by ClarityContainerService at container creation.
+// Fall back to Aspire service-discovery var for local dev (running outside Docker).
+// BaseUrl = internal URL for fetching OIDC discovery (host.docker.internal:8080 inside Docker)
+// PublicUrl = public-facing issuer URL that appears in JWT `iss` claim (localhost:8080)
+// PublicUrl  = browser-facing issuer (matches `iss` claim in JWT) e.g. https://keycloak.clarity.test
+// InternalUrl = container-internal URL for OIDC metadata fetch — avoids self-signed cert issues
+// BaseUrl is legacy fallback kept for local dev outside Docker
+var keycloakPublicUrl   = builder.Configuration["Keycloak:BaseUrl"]
+                          ?? builder.Configuration["services__keycloak__http__0"]
+                          ?? "http://localhost:8080";
+var keycloakInternalUrl = builder.Configuration["Keycloak:InternalUrl"]
+                          ?? "http://keycloak:8080";
+var keycloakRealm       = builder.Configuration["Keycloak:Realm"] ?? "clarity";
+
+// AddKeycloakJwtBearer uses the named IHttpClientFactory client "KeycloakBackchannel" for all
+// backchannel requests (discovery + JWKS). Register our rewriting handler on that named client
+// so every request to keycloak.clarity.test[:port] is rewritten to http://keycloak:8080 before
+// it leaves the container — avoiding self-signed cert issues and DNS failures.
+builder.Services.AddTransient<InternalKeycloakHandler>();
+builder.Services.AddHttpClient("KeycloakBackchannel")
+    .AddHttpMessageHandler<InternalKeycloakHandler>();
+
+builder.Services.AddAuthentication()
+    .AddKeycloakJwtBearer("keycloak", realm: keycloakRealm,
+        options =>
+        {
+            // Authority = public issuer, must match `iss` claim in the JWT
+            options.Authority = $"{keycloakPublicUrl}/realms/{keycloakRealm}";
+            options.Audience  = "clarity-rest-api";
+            options.RequireHttpsMetadata = false;
+            // Fetch OIDC discovery doc over internal HTTP to avoid self-signed cert trust issues
+            options.MetadataAddress = $"{keycloakInternalUrl}/realms/{keycloakRealm}/.well-known/openid-configuration";
+            options.TokenValidationParameters.ValidIssuers =
+            [
+                $"{keycloakPublicUrl}/realms/{keycloakRealm}",
+                $"{keycloakInternalUrl}/realms/{keycloakRealm}",
+                // Keycloak advertises http://keycloak.clarity.test:8080 as issuer when accessed
+                // directly on port 8080 (before KC_HOSTNAME_URL takes full effect).
+                $"http://keycloak.clarity.test:8080/realms/{keycloakRealm}",
+                $"http://keycloak.clarity.test/realms/{keycloakRealm}",
+            ];
+        });
+
+builder.Services.AddAuthorization();
+
+var app = builder.Build();
+
+// Run EF Core migrations on every cold start — safe, idempotent, self-healing.
+// One container = one tenant = no concurrent migrator race.
+await using (var scope = app.Services.CreateAsyncScope())
+{
+    var db = scope.ServiceProvider.GetRequiredService<ApplicationDbContext>();
+    await db.Database.MigrateAsync();
+}
+
+await app.InitializeTenantSecurityAsync();
+
+#region MINIO PROVISION BUCKETS
+await app.ProvisionBucketsAsync("clarity-documents", "clarity-profile-pictures");
+#endregion
+
+// Configure the HTTP request pipeline.
+app.UseExceptionHandler();
+
+if (app.Environment.IsDevelopment())
+{
+    app.MapOpenApi();
+}
+
+app.UseOutputCache();
+
+app.UseAuthentication();
+app.UseAuthorization();
+
+// Serves Keycloak config to the frontend at runtime so the realm (which is per-tenant)
+// doesn't have to be baked in at image build time.
+app.MapGet("/api/config", (IConfiguration cfg) => Results.Ok(new
+{
+    keycloakUrl = cfg["Keycloak:BaseUrl"] ?? "http://localhost:8080",
+    realm       = cfg["Keycloak:Realm"]  ?? "clarity",
+    clientId    = "clarity-web-app",
+})).AllowAnonymous();
+
+#if DEBUG
+app.MapDebugEndpoints();
+#endif
+
+app.MapProfileEndpoints();
+app.MapDefaultEndpoints();
+
+app.UseFileServer();
+
+app.Run();
+
+/// <summary>
+/// Delegating handler registered on the "KeycloakBackchannel" IHttpClientFactory named client.
+/// Rewrites any backchannel request targeting the public Keycloak hostname
+/// (e.g. jwks_uri returned by the OIDC discovery doc) to the internal Docker DNS URL,
+/// avoiding self-signed cert issues inside tenant containers.
+/// </summary>
+sealed class InternalKeycloakHandler : DelegatingHandler
+{
+    // Matches http:// or https:// + keycloak.clarity.test + optional :port
+    private static readonly System.Text.RegularExpressions.Regex PublicHostPattern =
+        new(@"https?://keycloak\.clarity\.test(:\d+)?", System.Text.RegularExpressions.RegexOptions.IgnoreCase);
+
+    private const string InternalUrl = "http://keycloak:8080";
+
+    protected override Task<HttpResponseMessage> SendAsync(HttpRequestMessage request, CancellationToken ct)
+    {
+        if (request.RequestUri is not null)
+        {
+            var rewritten = PublicHostPattern.Replace(request.RequestUri.ToString(), InternalUrl);
+            request.RequestUri = new Uri(rewritten);
+        }
+        return base.SendAsync(request, ct);
+    }
+}
+

Clarity.Server/Properties/launchSettings.json

@@ -0,0 +1,23 @@
+{
+  "$schema": "https://json.schemastore.org/launchsettings.json",
+  "profiles": {
+    "http": {
+      "commandName": "Project",
+      "dotnetRunMessages": true,
+      "launchBrowser": false,
+      "applicationUrl": "http://localhost:5416",
+      "environmentVariables": {
+        "ASPNETCORE_ENVIRONMENT": "Development"
+      }
+    },
+    "https": {
+      "commandName": "Project",
+      "dotnetRunMessages": true,
+      "launchBrowser": false,
+      "applicationUrl": "https://localhost:7308;http://localhost:5416",
+      "environmentVariables": {
+        "ASPNETCORE_ENVIRONMENT": "Development"
+      }
+    }
+  }
+}

Clarity.Server/Services/ProfileService.cs

@@ -0,0 +1,42 @@
+using Clarity.Server.Data;
+using Clarity.Server.Entity;
+using Microsoft.EntityFrameworkCore;
+
+namespace Clarity.Server.Services
+{
+    public class ProfileService
+    {
+        private readonly ApplicationDbContext db;
+        private readonly IPIIVault piiVault;
+
+        public ProfileService(ApplicationDbContext db, IPIIVault piiVault)
+        {
+            this.db = db;
+            this.piiVault = piiVault;
+        }
+
+        public Task<Profile?> GetBySubjectAsync(string sub, CancellationToken ct = default) =>
+            db.Profiles.FirstOrDefaultAsync(p => p.KeycloakSubject == sub, ct);
+
+
+
+        public async Task<Profile> CreateAsync(string sub, string firstName, string? middleName, string lastName, string ssn, CancellationToken ct = default)
+        {
+            var profile = new Profile
+            {
+                Id = Guid.NewGuid(),
+                KeycloakSubject = sub,
+                FirstName = firstName,
+                MiddleName = middleName ?? string.Empty,
+                LastName = lastName,
+                Ssn = ssn,
+                OnboardingComplete = true,
+                CreatedAt = DateTimeOffset.UtcNow,
+            };
+
+            db.Profiles.Add(profile);
+            await db.SaveChangesAsync(ct);
+            return profile;
+        }
+    }
+}

Clarity.Server/VaultSharpExtensions.cs

@@ -0,0 +1,26 @@
+using Clarity.Server.Data;
+using System.Runtime.Serialization;
+using VaultSharp;
+using VaultSharp.Core;
+using VaultSharp.V1.AuthMethods;
+using VaultSharp.V1.AuthMethods.Token;
+
+namespace Clarity.Server
+{
+    public static class VaultSharpExtensions
+    {
+        public static IServiceCollection AddClarityVaultCryptography(this IServiceCollection services, IConfiguration config)
+        {
+            var vaultAddress = config["Vault:Address"] ?? "http://localhost:8200";
+            var vaultToken   = config["Vault:Token"]   ?? "root";
+
+            IAuthMethodInfo authMethod = new TokenAuthMethodInfo(vaultToken);
+            var vaultClientSettings = new VaultClientSettings(vaultAddress, authMethod);
+            IVaultClient vaultClient = new VaultClient(vaultClientSettings);
+            services.AddSingleton<IVaultClient>(vaultClient);
+
+            return services;
+        }
+
+    }
+}

Clarity.Server/appsettings.Development.json

@@ -0,0 +1,11 @@
+{
+  "Logging": {
+    "LogLevel": {
+      "Default": "Information",
+      "Microsoft.AspNetCore": "Warning"
+    }
+  },
+  "ConnectionStrings": {
+    "postgresdb": "Host=localhost;Port=56235;Database=postgresdb;Username=postgres;Password=WdW+Q3wzq.Ssuzq6rT4A}_"
+  }
+}

Clarity.Server/appsettings.json

@@ -0,0 +1,9 @@
+{
+  "Logging": {
+    "LogLevel": {
+      "Default": "Information",
+      "Microsoft.AspNetCore": "Warning"
+    }
+  },
+  "AllowedHosts": "*"
+}

Clarity.ServiceDefaults/Clarity.ServiceDefaults.csproj

@@ -0,0 +1,22 @@
+<Project Sdk="Microsoft.NET.Sdk">
+
+  <PropertyGroup>
+    <TargetFramework>net10.0</TargetFramework>
+    <ImplicitUsings>enable</ImplicitUsings>
+    <Nullable>enable</Nullable>
+    <IsAspireSharedProject>true</IsAspireSharedProject>
+  </PropertyGroup>
+
+  <ItemGroup>
+    <FrameworkReference Include="Microsoft.AspNetCore.App" />
+
+    <PackageReference Include="Microsoft.Extensions.Http.Resilience" />
+    <PackageReference Include="Microsoft.Extensions.ServiceDiscovery" />
+    <PackageReference Include="OpenTelemetry.Exporter.OpenTelemetryProtocol" />
+    <PackageReference Include="OpenTelemetry.Extensions.Hosting" />
+    <PackageReference Include="OpenTelemetry.Instrumentation.AspNetCore" />
+    <PackageReference Include="OpenTelemetry.Instrumentation.Http" />
+    <PackageReference Include="OpenTelemetry.Instrumentation.Runtime" />
+  </ItemGroup>
+
+</Project>

Clarity.ServiceDefaults/Extensions.cs

@@ -0,0 +1,127 @@
+using Microsoft.AspNetCore.Builder;
+using Microsoft.AspNetCore.Diagnostics.HealthChecks;
+using Microsoft.Extensions.DependencyInjection;
+using Microsoft.Extensions.Diagnostics.HealthChecks;
+using Microsoft.Extensions.Logging;
+using Microsoft.Extensions.ServiceDiscovery;
+using OpenTelemetry;
+using OpenTelemetry.Metrics;
+using OpenTelemetry.Trace;
+
+namespace Microsoft.Extensions.Hosting;
+
+// Adds common Aspire services: service discovery, resilience, health checks, and OpenTelemetry.
+// This project should be referenced by each service project in your solution.
+// To learn more about using this project, see https://aka.ms/dotnet/aspire/service-defaults
+public static class Extensions
+{
+    private const string HealthEndpointPath = "/health";
+    private const string AlivenessEndpointPath = "/alive";
+
+    public static TBuilder AddServiceDefaults<TBuilder>(this TBuilder builder) where TBuilder : IHostApplicationBuilder
+    {
+        builder.ConfigureOpenTelemetry();
+
+        builder.AddDefaultHealthChecks();
+
+        builder.Services.AddServiceDiscovery();
+
+        builder.Services.ConfigureHttpClientDefaults(http =>
+        {
+            // Turn on resilience by default
+            http.AddStandardResilienceHandler();
+
+            // Turn on service discovery by default
+            http.AddServiceDiscovery();
+        });
+
+        // Uncomment the following to restrict the allowed schemes for service discovery.
+        // builder.Services.Configure<ServiceDiscoveryOptions>(options =>
+        // {
+        //     options.AllowedSchemes = ["https"];
+        // });
+
+        return builder;
+    }
+
+    public static TBuilder ConfigureOpenTelemetry<TBuilder>(this TBuilder builder) where TBuilder : IHostApplicationBuilder
+    {
+        builder.Logging.AddOpenTelemetry(logging =>
+        {
+            logging.IncludeFormattedMessage = true;
+            logging.IncludeScopes = true;
+        });
+
+        builder.Services.AddOpenTelemetry()
+            .WithMetrics(metrics =>
+            {
+                metrics.AddAspNetCoreInstrumentation()
+                    .AddHttpClientInstrumentation()
+                    .AddRuntimeInstrumentation();
+            })
+            .WithTracing(tracing =>
+            {
+                tracing.AddSource(builder.Environment.ApplicationName)
+                    .AddAspNetCoreInstrumentation(tracing =>
+                        // Exclude health check requests from tracing
+                        tracing.Filter = context =>
+                            !context.Request.Path.StartsWithSegments(HealthEndpointPath)
+                            && !context.Request.Path.StartsWithSegments(AlivenessEndpointPath)
+                    )
+                    // Uncomment the following line to enable gRPC instrumentation (requires the OpenTelemetry.Instrumentation.GrpcNetClient package)
+                    //.AddGrpcClientInstrumentation()
+                    .AddHttpClientInstrumentation();
+            });
+
+        builder.AddOpenTelemetryExporters();
+
+        return builder;
+    }
+
+    private static TBuilder AddOpenTelemetryExporters<TBuilder>(this TBuilder builder) where TBuilder : IHostApplicationBuilder
+    {
+        var useOtlpExporter = !string.IsNullOrWhiteSpace(builder.Configuration["OTEL_EXPORTER_OTLP_ENDPOINT"]);
+
+        if (useOtlpExporter)
+        {
+            builder.Services.AddOpenTelemetry().UseOtlpExporter();
+        }
+
+        // Uncomment the following lines to enable the Azure Monitor exporter (requires the Azure.Monitor.OpenTelemetry.AspNetCore package)
+        //if (!string.IsNullOrEmpty(builder.Configuration["APPLICATIONINSIGHTS_CONNECTION_STRING"]))
+        //{
+        //    builder.Services.AddOpenTelemetry()
+        //       .UseAzureMonitor();
+        //}
+
+        return builder;
+    }
+
+    public static TBuilder AddDefaultHealthChecks<TBuilder>(this TBuilder builder) where TBuilder : IHostApplicationBuilder
+    {
+        builder.Services.AddHealthChecks()
+            // Add a default liveness check to ensure app is responsive
+            .AddCheck("self", () => HealthCheckResult.Healthy(), ["live"]);
+
+        return builder;
+    }
+
+    public static WebApplication MapDefaultEndpoints(this WebApplication app)
+    {
+        // Adding health checks endpoints to applications in non-development environments has security implications.
+        // See https://aka.ms/dotnet/aspire/healthchecks for details before enabling these endpoints in non-development environments.
+        if (app.Environment.IsDevelopment())
+        {
+            // All health checks must pass for app to be considered ready to accept traffic after starting
+            app.MapHealthChecks(HealthEndpointPath);
+
+            // Only health checks tagged with the "live" tag must pass for app to be considered alive
+            app.MapHealthChecks(AlivenessEndpointPath, new HealthCheckOptions
+            {
+                Predicate = r => r.Tags.Contains("live")
+            });
+        }
+
+        return app;
+    }
+}

Clarity.slnx

@@ -0,0 +1,16 @@
+<Solution>
+  <Folder Name="/Solution Items/">
+    <File Path="Directory.Packages.props" />
+  </Folder>
+
+  <Folder Name="/Clarity (Product)/">
+    <Project Path="Clarity.AppHost/Clarity.AppHost.csproj" />
+    <Project Path="Clarity.MigrationService/Clarity.MigrationService.csproj" />
+    <Project Path="Clarity.Server/Clarity.Server.csproj" />
+    <Project Path="Clarity.ServiceDefaults/Clarity.ServiceDefaults.csproj" Id="8aaa5e11-244b-4722-b3be-ab1c0540cc2b" />
+    <Project Path="frontend/frontend.esproj">
+      <Build />
+      <Deploy />
+    </Project>
+  </Folder>
+</Solution>

Directory.Packages.props

@@ -0,0 +1,53 @@
+<Project>
+  <PropertyGroup>
+    <!-- Enable central package management, https://learn.microsoft.com/en-us/nuget/consume-packages/Central-Package-Management -->
+    <ManagePackageVersionsCentrally>true</ManagePackageVersionsCentrally>
+  </PropertyGroup>
+  <!-- Aspire Packages -->
+  <ItemGroup>
+    <PackageVersion Include="Aspire.Hosting.PostgreSQL" Version="13.2.2" />
+    <PackageVersion Include="Aspire.Keycloak.Authentication" Version="13.2.2-preview.1.26207.2" />
+    <PackageVersion Include="Aspire.Npgsql.EntityFrameworkCore.PostgreSQL" Version="13.2.2" />
+    <PackageVersion Include="Aspire.StackExchange.Redis.OutputCaching" Version="13.2.2" />
+    <PackageVersion Include="Aspire.Hosting.JavaScript" Version="13.2.2" />
+    <PackageVersion Include="Aspire.Hosting.Keycloak" Version="13.2.2-preview.1.26207.2" />
+    <PackageVersion Include="Aspire.Hosting.Redis" Version="13.2.2" />
+    <PackageVersion Include="CommunityToolkit.Aspire.Hosting.Minio" Version="13.2.1-beta.532" />
+    <PackageVersion Include="CommunityToolkit.Aspire.Minio.Client" Version="13.2.1-beta.532" />
+    <PackageVersion Include="Docker.DotNet" Version="3.125.15" />
+    <PackageVersion Include="Microsoft.EntityFrameworkCore" Version="10.0.6" />
+    <PackageVersion Include="Microsoft.EntityFrameworkCore.Design" Version="10.0.6" />
+    <PackageVersion Include="Microsoft.EntityFrameworkCore.Tools" Version="10.0.6" />
+    <PackageVersion Include="Microsoft.Extensions.Configuration.Abstractions" Version="10.0.7" />
+    <PackageVersion Include="Microsoft.Extensions.Logging.Abstractions" Version="10.0.7" />
+    <PackageVersion Include="Npgsql" Version="10.0.2" />
+    <PackageVersion Include="LibGit2Sharp" Version="0.31.0" />
+    <PackageVersion Include="Scalar.Aspire" Version="0.9.24" />
+    <PackageVersion Include="VaultSharp" Version="1.17.5.1" />
+    <PackageVersion Include="Yarp.ReverseProxy" Version="2.3.0" />
+  </ItemGroup>
+  <!-- Clarity.MigrationService -->
+  <ItemGroup>
+    <PackageVersion Include="Microsoft.Extensions.Hosting" Version="10.0.6" />
+  </ItemGroup>
+  <!-- ControlPlane -->
+  <ItemGroup>
+    <PackageVersion Include="Aspire.Hosting.Sdk" Version="13.2.2" />
+    <PackageVersion Include="Aspire.Hosting.RabbitMQ" Version="13.2.2" />
+    <PackageVersion Include="Aspire.RabbitMQ.Client" Version="13.2.2" />
+    <PackageVersion Include="Keycloak.AuthServices.Sdk" Version="2.9.0" />
+    <PackageVersion Include="MassTransit" Version="8.4.1" />
+    <PackageVersion Include="MassTransit.RabbitMQ" Version="8.4.1" />
+  </ItemGroup>
+  <!-- Clarity.Server -->
+  <ItemGroup>
+    <PackageVersion Include="Microsoft.AspNetCore.OpenApi" Version="10.0.6" />
+    <PackageVersion Include="Microsoft.Extensions.Http.Resilience" Version="10.5.0" />
+    <PackageVersion Include="Microsoft.Extensions.ServiceDiscovery" Version="10.5.0" />
+    <PackageVersion Include="OpenTelemetry.Exporter.OpenTelemetryProtocol" Version="1.15.2" />
+    <PackageVersion Include="OpenTelemetry.Extensions.Hosting" Version="1.15.2" />
+    <PackageVersion Include="OpenTelemetry.Instrumentation.AspNetCore" Version="1.15.1" />
+    <PackageVersion Include="OpenTelemetry.Instrumentation.Http" Version="1.15.0" />
+    <PackageVersion Include="OpenTelemetry.Instrumentation.Runtime" Version="1.15.0" />
+  </ItemGroup>
+</Project>

frontend/.dockerignore

@@ -0,0 +1,2 @@
+node_modules/
+dist/

frontend/.gitignore

@@ -0,0 +1,24 @@
+# Logs
+logs
+*.log
+npm-debug.log*
+yarn-debug.log*
+yarn-error.log*
+pnpm-debug.log*
+lerna-debug.log*
+
+node_modules
+dist
+dist-ssr
+*.local
+
+# Editor directories and files
+.vscode/*
+!.vscode/extensions.json
+.idea
+.DS_Store
+*.suo
+*.ntvs*
+*.njsproj
+*.sln
+*.sw?

frontend/.npmrc

@@ -0,0 +1 @@
+legacy-peer-deps=true

frontend/eslint.config.js

@@ -0,0 +1,28 @@
+import js from '@eslint/js'
+import globals from 'globals'
+import reactHooks from 'eslint-plugin-react-hooks'
+import reactRefresh from 'eslint-plugin-react-refresh'
+import tseslint from 'typescript-eslint'
+
+export default tseslint.config(
+  { ignores: ['dist'] },
+  {
+    extends: [js.configs.recommended, ...tseslint.configs.recommended],
+    files: ['**/*.{ts,tsx}'],
+    languageOptions: {
+      ecmaVersion: 2020,
+      globals: globals.browser,
+    },
+    plugins: {
+      'react-hooks': reactHooks,
+      'react-refresh': reactRefresh,
+    },
+    rules: {
+      ...reactHooks.configs.recommended.rules,
+      'react-refresh/only-export-components': [
+        'warn',
+        { allowConstantExport: true },
+      ],
+    },
+  },
+)

frontend/frontend.esproj

@@ -0,0 +1,10 @@
+<Project Sdk="Microsoft.VisualStudio.JavaScript.Sdk/1.0.4110890">
+  <PropertyGroup>
+    <ShouldRunNpmInstall>false</ShouldRunNpmInstall>
+    <ShouldRunBuildScript>false</ShouldRunBuildScript>
+  </PropertyGroup>
+  <ItemGroup>
+    <Folder Include="src\Admin\" />
+    <Folder Include="src\Onboarding\" />
+  </ItemGroup>
+</Project>

frontend/index.html

@@ -0,0 +1,13 @@
+<!doctype html>
+<html lang="en">
+  <head>
+    <meta charset="UTF-8" />
+    <link rel="icon" type="image/svg+xml" href="/Aspire.png" />
+    <meta name="viewport" content="width=device-width, initial-scale=1.0" />
+    <title>Aspire Starter</title>
+  </head>
+  <body>
+    <div id="root"></div>
+    <script type="module" src="/src/main.tsx"></script>
+  </body>
+</html>

frontend/package.json

@@ -0,0 +1,34 @@
+{
+  "name": "frontend",
+  "private": true,
+  "version": "0.0.0",
+  "type": "module",
+  "scripts": {
+    "dev": "vite",
+    "build": "tsc -b && vite build",
+    "lint": "eslint .",
+    "preview": "vite preview"
+  },
+  "dependencies": {
+    "@blueprintjs/core": "^5.19.1",
+    "@blueprintjs/icons": "^5.18.0",
+    "keycloak-js": "^26.2.3",
+    "react": "^19.0.0",
+    "react-dom": "^19.0.0",
+    "react-multistep": "^7.0.0"
+  },
+  "devDependencies": {
+    "@eslint/js": "^9.39.1",
+    "@types/node": "^24.10.1",
+    "@types/react": "^19.0.0",
+    "@types/react-dom": "^19.0.0",
+    "@vitejs/plugin-react": "^5.1.1",
+    "eslint": "^9.39.1",
+    "eslint-plugin-react-hooks": "^5.2.0",
+    "eslint-plugin-react-refresh": "^0.4.24",
+    "globals": "^16.5.0",
+    "typescript": "~5.9.3",
+    "typescript-eslint": "^8.48.1",
+    "vite": "^7.2.6"
+  }
+}

frontend/public/github.svg

@@ -0,0 +1,3 @@
+<svg width="24" height="24" viewBox="0 0 24 24" fill="currentColor" xmlns="http://www.w3.org/2000/svg">
+  <path d="M12 0c-6.626 0-12 5.373-12 12 0 5.302 3.438 9.8 8.207 11.387.599.111.793-.261.793-.577v-2.234c-3.338.726-4.033-1.416-4.033-1.416-.546-1.387-1.333-1.756-1.333-1.756-1.089-.745.083-.729.083-.729 1.205.084 1.839 1.237 1.839 1.237 1.07 1.834 2.807 1.304 3.492.997.107-.775.418-1.305.762-1.604-2.665-.305-5.467-1.334-5.467-5.931 0-1.311.469-2.381 1.236-3.221-.124-.303-.535-1.524.117-3.176 0 0 1.008-.322 3.301 1.23.957-.266 1.983-.399 3.003-.404 1.02.005 2.047.138 3.006.404 2.291-1.552 3.297-1.23 3.297-1.23.653 1.653.242 2.874.118 3.176.77.84 1.235 1.911 1.235 3.221 0 4.609-2.807 5.624-5.479 5.921.43.372.823 1.102.823 2.222v3.293c0 .319.192.694.801.576 4.765-1.589 8.199-6.086 8.199-11.386 0-6.627-5.373-12-12-12z"/>
+</svg>

frontend/src/App.css

@@ -0,0 +1,794 @@
+/* CSS Variables for theming */
+:root {
+  --bg-gradient-start: #1a1a2e;
+  --bg-gradient-end: #16213e;
+  --card-bg: rgba(30, 30, 46, 0.95);
+  --card-hover-shadow: rgba(0, 0, 0, 0.3);
+  --text-primary: #ffffff;
+  --text-secondary: #e2e8f0;
+  --text-tertiary: #cbd5e0;
+  --accent-gradient-start: #7c92f5;
+  --accent-gradient-end: #8b5ecf;
+  --weather-card-bg: rgba(45, 45, 60, 0.8);
+  --weather-card-border: rgba(255, 255, 255, 0.1);
+  --section-title-color: #f7fafc;
+  --date-color: #cbd5e0;
+  --summary-color: #f7fafc;
+  --temp-unit-color: #e2e8f0;
+  --divider-color: #4a5568;
+  --error-bg: rgba(220, 38, 38, 0.1);
+  --error-border: #ef4444;
+  --error-text: #fca5a5;
+  --skeleton-bg-1: rgba(255, 255, 255, 0.05);
+  --skeleton-bg-2: rgba(255, 255, 255, 0.1);
+  --tile-min-height: 120px;
+  --tile-gap: 0.75rem;
+  --cta-height: 3rem;
+  --card-inner-gap: 1rem;
+  --focus-color: #a78bfa;
+}
+
+@media (prefers-color-scheme: light) {
+  :root {
+    --bg-gradient-start: #f0f4ff;
+    --bg-gradient-end: #e0e7ff;
+    --card-bg: rgba(255, 255, 255, 0.98);
+    --card-hover-shadow: rgba(0, 0, 0, 0.15);
+    --text-primary: #1a202c;
+    --text-secondary: #2d3748;
+    --text-tertiary: #4a5568;
+    --accent-gradient-start: #5b6fd8;
+    --accent-gradient-end: #6b46a3;
+    --weather-card-bg: rgba(255, 255, 255, 0.9);
+    --weather-card-border: rgba(102, 126, 234, 0.15);
+    --section-title-color: #1a202c;
+    --date-color: #2d3748;
+    --summary-color: #1a202c;
+    --temp-unit-color: #4a5568;
+    --divider-color: #cbd5e0;
+    --error-bg: #fee;
+    --error-border: #dc2626;
+    --error-text: #991b1b;
+    --skeleton-bg-1: #f0f0f0;
+    --skeleton-bg-2: #e0e0e0;
+    --tile-min-height: 120px;
+    --tile-gap: 0.75rem;
+    --cta-height: 3rem;
+    --card-inner-gap: 1rem;
+    --focus-color: #5b21b6;
+  }
+}
+
+/* Root container */
+#root {
+  width: 100%;
+  min-height: 100vh;
+  display: flex;
+  flex-direction: column;
+  overflow-x: hidden;
+}
+
+/* Accessibility utilities */
+.visually-hidden {
+  position: absolute;
+  width: 1px;
+  height: 1px;
+  padding: 0;
+  margin: -1px;
+  overflow: hidden;
+  clip: rect(0, 0, 0, 0);
+  white-space: nowrap;
+  border-width: 0;
+}
+
+/* App container */
+.app-container {
+  width: 100%;
+  min-height: 100vh;
+  display: flex;
+  flex-direction: column;
+  background: linear-gradient(135deg, var(--bg-gradient-start) 0%, var(--bg-gradient-end) 100%);
+  color: var(--text-primary);
+}
+
+/* Header */
+.app-header {
+  padding: 2.5rem 2rem 1.5rem;
+  text-align: center;
+  animation: fadeInDown 0.6s ease-out;
+}
+
+.logo-link {
+  display: inline-block;
+  border-radius: 0.5rem;
+}
+
+.logo-link:focus-visible {
+  outline: 3px solid var(--accent-gradient-end);
+  outline-offset: 8px;
+}
+
+.logo {
+  height: 5rem;
+  width: auto;
+  transition: transform 300ms ease, filter 300ms ease;
+  filter: drop-shadow(0 4px 8px rgba(0, 0, 0, 0.2));
+}
+
+.logo:hover {
+  transform: scale(1.1) rotate(5deg);
+  filter: drop-shadow(0 8px 16px rgba(0, 0, 0, 0.3));
+}
+
+.app-title {
+  font-size: 2.75rem;
+  font-weight: 700;
+  margin: 1.25rem 0 0.5rem;
+  background: linear-gradient(135deg, var(--text-primary) 0%, var(--text-secondary) 100%);
+  -webkit-background-clip: text;
+  -webkit-text-fill-color: transparent;
+  background-clip: text;
+  letter-spacing: -0.02em;
+}
+
+.app-subtitle {
+  font-size: 1.05rem;
+  color: var(--text-tertiary);
+  margin: 0;
+  font-weight: 300;
+}
+
+/* Main content */
+.main-content {
+  flex: 1;
+  max-width: 1400px;
+  width: 100%;
+  margin: 0 auto;
+  padding: 0rem 2rem 2rem;
+  display: flex;
+  justify-content: center;
+  align-items: center;
+}
+
+/* Card styles */
+.card {
+  background: var(--card-bg);
+  backdrop-filter: blur(10px);
+  border-radius: 1rem;
+  padding: 1.25rem 1.5rem;
+  box-shadow: 0 8px 32px rgba(0, 0, 0, 0.1);
+  color: var(--text-primary);
+  animation: fadeInUp 0.6s ease-out;
+  border: 1px solid var(--weather-card-border);
+  display: flex;
+  flex-direction: column;
+  gap: var(--card-inner-gap);
+}
+
+/* Section styles */
+.demo-section {
+  animation: fadeInUp 0.6s ease-out;
+}
+
+.weather-section {
+  animation: fadeInUp 0.6s ease-out;
+  animation-delay: 0.1s;
+  flex: 1;
+  max-width: 1200px;
+  width: 100%;
+}
+
+.section-header {
+  display: flex;
+  justify-content: space-between;
+  align-items: flex-start;
+  margin-bottom: 0;
+  flex-wrap: wrap;
+  gap: 1rem;
+}
+
+.header-actions {
+  display: flex;
+  gap: 0.75rem;
+  align-items: center;
+}
+
+.section-title {
+  font-size: 1.25rem;
+  font-weight: 600;
+  margin: 0;
+  color: var(--section-title-color);
+}
+
+/* Counter area */
+.counter-card .section-header {
+  margin-bottom: 0;
+}
+
+.counter-panel {
+  background: var(--weather-card-bg);
+  border-radius: 0.75rem;
+  border: 1px solid var(--weather-card-border);
+  padding: 1.25rem;
+  display: flex;
+  flex-direction: column;
+  gap: var(--tile-gap);
+  min-height: var(--tile-min-height);
+  backdrop-filter: blur(10px);
+  flex: 1;
+}
+
+.counter-value-group {
+  display: flex;
+  flex-direction: column;
+  align-items: center;
+  justify-content: center;
+  gap: 0.25rem;
+  flex: 1;
+  margin-bottom: var(--tile-gap);
+  text-align: center;
+}
+
+.counter-label {
+  font-size: 0.75rem;
+  text-transform: uppercase;
+  letter-spacing: 0.1em;
+  color: var(--text-tertiary);
+  font-weight: 600;
+}
+
+.counter-value {
+  font-size: 2.25rem;
+  font-weight: 700;
+  line-height: 1;
+  background: linear-gradient(135deg, var(--accent-gradient-start) 0%, var(--accent-gradient-end) 100%);
+  -webkit-background-clip: text;
+  -webkit-text-fill-color: transparent;
+  background-clip: text;
+}
+
+.increment-button {
+  display: flex;
+  align-items: center;
+  justify-content: center;
+  gap: 0.5rem;
+  background: linear-gradient(135deg, var(--accent-gradient-start) 0%, var(--accent-gradient-end) 100%);
+  color: white;
+  border: none;
+  border-radius: 0.5rem;
+  padding: 0 1.5rem;
+  height: var(--cta-height);
+  font-size: 0.875rem;
+  font-weight: 600;
+  cursor: pointer;
+  transition: all 0.3s ease;
+  box-shadow: 0 2px 8px rgba(102, 126, 234, 0.3);
+  width: 100%;
+  margin-top: auto;
+}
+
+.increment-button:hover {
+  transform: translateY(-1px);
+  box-shadow: 0 4px 12px rgba(102, 126, 234, 0.4);
+}
+
+.increment-button:active {
+  transform: translateY(0);
+}
+
+.increment-button:focus-visible {
+  outline: 3px solid var(--accent-gradient-end);
+  outline-offset: 2px;
+}
+
+.increment-icon {
+  transition: transform 0.3s ease;
+}
+
+.increment-button:hover .increment-icon {
+  transform: scale(1.1);
+}
+
+/* Toggle switch */
+.toggle-switch {
+  display: flex;
+  background: rgba(255, 255, 255, 0.1);
+  border-radius: 0.5rem;
+  padding: 0.25rem;
+  gap: 0.25rem;
+  border: 1px solid var(--weather-card-border);
+  margin: 0;
+  padding: 0.25rem;
+  min-width: 0;
+}
+
+.toggle-switch legend {
+  padding: 0;
+}
+
+@media (prefers-color-scheme: light) {
+  .toggle-switch {
+    background: rgba(102, 126, 234, 0.08);
+  }
+}
+
+.toggle-option {
+  display: flex;
+  align-items: center;
+  justify-content: center;
+  background: transparent;
+  color: var(--text-secondary);
+  border: none;
+  border-radius: 0.375rem;
+  padding: 0 1rem;
+  height: 2.5rem;
+  font-size: 0.875rem;
+  font-weight: 600;
+  cursor: pointer;
+  transition: all 0.3s ease;
+  min-width: 3rem;
+  position: relative;
+}
+
+.toggle-option[aria-pressed="true"] {
+  background: linear-gradient(135deg, var(--accent-gradient-start) 0%, var(--accent-gradient-end) 100%);
+  color: white;
+  box-shadow: 0 2px 8px rgba(102, 126, 234, 0.3);
+}
+
+.toggle-option[aria-pressed="false"]:hover {
+  background: rgba(255, 255, 255, 0.05);
+  color: var(--text-primary);
+}
+
+@media (prefers-color-scheme: light) {
+  .toggle-option[aria-pressed="false"]:hover {
+    background: rgba(102, 126, 234, 0.1);
+  }
+}
+
+.toggle-option:focus-visible {
+  outline: 3px solid var(--focus-color);
+  outline-offset: 2px;
+  z-index: 1;
+}
+
+/* Refresh button */
+.refresh-button {
+  display: flex;
+  align-items: center;
+  justify-content: center;
+  gap: 0.5rem;
+  background: linear-gradient(135deg, var(--accent-gradient-start) 0%, var(--accent-gradient-end) 100%);
+  color: white;
+  border: none;
+  border-radius: 0.5rem;
+  padding: 0 1.5rem;
+  height: var(--cta-height);
+  font-size: 0.875rem;
+  font-weight: 600;
+  cursor: pointer;
+  transition: transform 0.3s ease, box-shadow 0.3s ease, opacity 0.3s ease;
+  box-shadow: 0 2px 8px rgba(102, 126, 234, 0.3);
+  min-width: 140px;
+  white-space: nowrap;
+}
+
+.refresh-button:hover:not(:disabled) {
+  transform: translateY(-1px);
+  box-shadow: 0 4px 12px rgba(102, 126, 234, 0.4);
+}
+
+.refresh-button:disabled {
+  opacity: 0.6;
+  cursor: not-allowed;
+  transform: none;
+}
+
+.refresh-button:focus-visible {
+  outline: 3px solid var(--focus-color);
+  outline-offset: 3px;
+}
+
+.refresh-icon {
+  transition: transform 0.3s ease;
+}
+
+.refresh-icon.spinning {
+  animation: spin 1s linear infinite;
+}
+
+/* Error message */
+.error-message {
+  display: flex;
+  align-items: center;
+  gap: 0.75rem;
+  background-color: var(--error-bg);
+  border-left: 4px solid var(--error-border);
+  color: var(--error-text);
+  padding: 1rem;
+  border-radius: 0.5rem;
+  margin: 1rem 0;
+  animation: slideIn 0.3s ease-out;
+}
+
+/* Loading skeleton */
+.loading-skeleton {
+  display: flex;
+  flex-direction: column;
+  gap: 1rem;
+  margin-top: 1rem;
+}
+
+.skeleton-row {
+  height: 80px;
+  background: linear-gradient(90deg, var(--skeleton-bg-1) 25%, var(--skeleton-bg-2) 50%, var(--skeleton-bg-1) 75%);
+  background-size: 200% 100%;
+  animation: shimmer 1.5s infinite;
+  border-radius: 0.5rem;
+}
+
+/* Weather grid */
+.weather-grid {
+  display: grid;
+  grid-template-columns: repeat(auto-fill, minmax(200px, 1fr));
+  gap: 1rem;
+  margin-top: 0.75rem;
+}
+
+.weather-card {
+  background: var(--weather-card-bg);
+  border-radius: 0.75rem;
+  padding: 1.25rem;
+  display: flex;
+  flex-direction: column;
+  gap: 0.75rem;
+  transition: all 0.3s ease;
+  border: 1px solid var(--weather-card-border);
+  backdrop-filter: blur(10px);
+  min-height: var(--tile-min-height);
+}
+
+.weather-card:hover {
+  transform: translateY(-4px);
+  box-shadow: 0 4px 16px rgba(0, 0, 0, 0.2);
+}
+
+.weather-card:focus-within {
+  outline: 2px solid var(--focus-color);
+  outline-offset: 2px;
+}
+
+.weather-date {
+  font-weight: 600;
+  font-size: 0.875rem;
+  color: var(--date-color);
+  text-transform: uppercase;
+  letter-spacing: 0.05em;
+  margin: 0;
+}
+
+.weather-summary {
+  font-size: 1.125rem;
+  font-weight: 500;
+  color: var(--summary-color);
+  min-height: 1.5rem;
+  margin: 0;
+}
+
+.weather-temps {
+  display: flex;
+  align-items: center;
+  justify-content: center;
+  gap: 0.75rem;
+  margin-top: 0.5rem;
+  padding-top: 0.75rem;
+  border-top: 1px solid var(--weather-card-border);
+}
+
+.temp-group {
+  display: flex;
+  flex-direction: column;
+  align-items: center;
+  width: 100%;
+}
+
+.temp-value {
+  font-size: 1.5rem;
+  font-weight: 700;
+  background: linear-gradient(135deg, var(--accent-gradient-start) 0%, var(--accent-gradient-end) 100%);
+  -webkit-background-clip: text;
+  -webkit-text-fill-color: transparent;
+  background-clip: text;
+}
+
+.temp-unit {
+  font-size: 0.75rem;
+  color: var(--temp-unit-color);
+  margin-top: 0.125rem;
+}
+
+/* Responsive design */
+@media (max-width: 1024px) {
+  .main-content {
+    padding: 1rem;
+  }
+}
+.app-footer {
+  padding: 1.5rem;
+  text-align: center;
+  background: rgba(0, 0, 0, 0.2);
+  backdrop-filter: blur(10px);
+}
+
+.app-footer nav {
+  display: flex;
+  justify-content: center;
+  align-items: center;
+  gap: 1.5rem;
+}
+
+.app-footer a {
+  color: var(--text-secondary);
+  text-decoration: none;
+  font-weight: 500;
+  transition: color 0.3s ease, border-color 0.3s ease;
+  border-bottom: 2px solid transparent;
+  font-size: 0.875rem;
+  padding-bottom: 0.125rem;
+}
+
+.app-footer a:hover {
+  color: var(--text-primary);
+  border-bottom-color: var(--text-primary);
+}
+
+.app-footer a:focus-visible {
+  outline: 3px solid var(--focus-color);
+  outline-offset: 4px;
+  border-radius: 4px;
+}
+
+/* Animations */
+@keyframes fadeInDown {
+  from {
+    opacity: 0;
+    transform: translateY(-20px);
+  }
+  to {
+    opacity: 1;
+    transform: translateY(0);
+  }
+}
+
+@keyframes fadeInUp {
+  from {
+    opacity: 0;
+    transform: translateY(20px);
+  }
+  to {
+    opacity: 1;
+    transform: translateY(0);
+  }
+}
+
+@keyframes slideIn {
+  from {
+    opacity: 0;
+    transform: translateX(-10px);
+  }
+  to {
+    opacity: 1;
+    transform: translateX(0);
+  }
+}
+
+@keyframes spin {
+  from {
+    transform: rotate(0deg);
+  }
+  to {
+    transform: rotate(360deg);
+  }
+}
+
+@keyframes shimmer {
+  0% {
+    background-position: -200% 0;
+  }
+  100% {
+    background-position: 200% 0;
+  }
+}
+
+/* Responsive design */
+@media (max-width: 1024px) {
+  .main-content {
+    grid-template-columns: 1fr;
+    padding: 1rem;
+    gap: 1rem;
+  }
+}
+
+/* Footer */
+.app-footer {
+  padding: 1.5rem 0;
+  text-align: center;
+  background: rgba(0, 0, 0, 0.2);
+  backdrop-filter: blur(10px);
+  display: flex;
+  justify-content: center;
+  align-items: center;
+}
+
+.app-footer > * {
+  max-width: 1400px;
+  width: 100%;
+  display: flex;
+  justify-content: space-between;
+  align-items: center;
+  padding: 0 2rem;
+  gap: 1rem;
+}
+
+.app-footer a {
+  color: var(--text-secondary);
+  text-decoration: none;
+  font-weight: 500;
+  transition: color 0.3s ease, transform 0.3s ease;
+  border-bottom: 2px solid transparent;
+  font-size: 0.875rem;
+}
+
+.app-footer a:hover {
+  color: var(--text-primary);
+  border-bottom-color: var(--text-primary);
+}
+
+.app-footer a:focus-visible {
+  outline: 2px solid var(--text-primary);
+  outline-offset: 4px;
+  border-radius: 2px;
+}
+
+.github-link {
+  display: inline-flex;
+  align-items: center;
+  gap: 0.5rem;
+  border-bottom: none !important;
+}
+
+.github-link:focus-visible {
+  outline: 3px solid var(--focus-color);
+  outline-offset: 4px;
+  border-radius: 4px;
+}
+
+.github-link img {
+  transition: transform 0.3s ease, opacity 0.3s ease;
+  filter: brightness(0) invert(1);
+}
+
+@media (prefers-color-scheme: light) {
+  .github-link img {
+    filter: brightness(0) invert(0);
+    opacity: 0.7;
+  }
+  
+  .github-link:hover img {
+    opacity: 1;
+  }
+}
+
+.github-link:hover img {
+  transform: scale(1.1);
+}
+
+@media (max-width: 768px) {
+  :root {
+    --cta-height: 2.75rem;
+  }
+
+  .app-header {
+    padding: 1.5rem 1rem 1rem;
+  }
+
+  .logo {
+    height: 3rem;
+  }
+
+  .app-title {
+    font-size: 1.5rem;
+  }
+
+  .app-subtitle {
+    font-size: 0.875rem;
+  }
+
+  .main-content {
+    padding: 0.75rem;
+  }
+
+  .card {
+    padding: 1rem;
+  }
+
+  .section-title {
+    font-size: 1.125rem;
+  }
+
+  .section-header {
+    flex-direction: column;
+    align-items: stretch;
+    gap: 0.75rem;
+  }
+
+  .header-actions {
+    width: 100%;
+  }
+
+  .toggle-switch {
+    flex: 1;
+  }
+
+  .toggle-option {
+    flex: 1;
+  }
+
+  .refresh-button {
+    flex: 1;
+    justify-content: center;
+    padding: 0 1.25rem;
+  }
+
+  .weather-grid {
+    grid-template-columns: 1fr;
+    gap: 0.75rem;
+  }
+
+  .weather-card {
+    padding: 1.25rem;
+  }
+
+  .app-footer {
+    padding: 1rem 0;
+  }
+
+  .app-footer > * {
+    flex-direction: column;
+    padding: 0 1.5rem;
+  }
+
+  .github-link {
+    order: -1;
+  }
+}
+
+/* Reduced motion support */
+@media (prefers-reduced-motion: reduce) {
+  *,
+  *::before,
+  *::after {
+    animation-duration: 0.01ms !important;
+    animation-iteration-count: 1 !important;
+    transition-duration: 0.01ms !important;
+  }
+}
+
+/* High contrast mode support */
+@media (prefers-contrast: high) {
+  .card {
+    border: 2px solid currentColor;
+  }
+
+  .weather-card {
+    border: 1px solid currentColor;
+  }
+}
+
+/* Focus visible support for better keyboard navigation */
+*:focus-visible {
+  outline: 3px solid var(--accent-gradient-end);
+  outline-offset: 2px;
+}
+

frontend/src/App.tsx

@@ -0,0 +1,35 @@
+import { useEffect, useState } from 'react'
+import { getKeycloak } from './keycloak'
+import { OnboardingPage } from './Onboarding'
+import { ProfilePreview } from './Profile/ProfilePreview'
+import './App.css'
+
+type ProfileState = 'loading' | 'onboarding' | 'ready'
+
+async function fetchProfileState(): Promise<ProfileState> {
+  const keycloak = getKeycloak()
+  await keycloak.updateToken(30)
+  const res = await fetch('/api/profile', {
+    headers: { Authorization: `Bearer ${keycloak.token}` },
+  })
+  if (res.status === 404) return 'onboarding'
+  if (res.ok) return 'ready'
+  throw new Error(`Unexpected status ${res.status}`)
+}
+
+function App() {
+  const [state, setState] = useState<ProfileState>('loading')
+
+  useEffect(() => {
+    fetchProfileState().then(setState).catch(() => setState('onboarding'))
+  }, [])
+
+  if (state === 'loading') return <p>Loading…</p>
+
+  if (state === 'onboarding')
+    return <OnboardingPage onComplete={() => setState('ready')} />
+
+  return <ProfilePreview onLogout={() => getKeycloak().logout()} />
+}
+
+export default App

frontend/src/Onboarding/BackgroundWizard.tsx

@@ -0,0 +1,11 @@
+import { OnboardingPage } from './OnboardingPage'
+
+type BackgroundWizardProps = {
+  onComplete: () => void
+}
+
+function BackgroundWizard({ onComplete }: BackgroundWizardProps) {
+  return <OnboardingPage onComplete={onComplete} />
+}
+
+export default BackgroundWizard

frontend/src/Onboarding/OnboardingPage.module.css

@@ -0,0 +1,89 @@
+.container {
+  min-height: 100vh;
+  display: grid;
+  place-items: center;
+  padding: 2rem 1rem;
+  background:
+    radial-gradient(circle at 15% 20%, rgba(52, 152, 219, 0.22), transparent 45%),
+    radial-gradient(circle at 80% 75%, rgba(46, 204, 113, 0.2), transparent 45%),
+    linear-gradient(160deg, #f4f7fb 0%, #e8eef7 100%);
+}
+
+.card {
+  width: min(700px, 100%);
+  display: grid;
+  gap: 1.25rem;
+}
+
+.header {
+  display: grid;
+  gap: 0.5rem;
+}
+
+.title {
+  margin: 0;
+}
+
+.subtitle {
+  margin: 0;
+  color: #5f6b7c;
+}
+
+.stepTabs {
+  display: flex;
+  flex-wrap: wrap;
+  gap: 0.5rem;
+}
+
+.tab,
+.tabActive {
+  border: 1px solid #c8d1e0;
+  border-radius: 999px;
+  padding: 0.35rem 0.9rem;
+  background: #ffffff;
+  color: #394b59;
+  font: inherit;
+}
+
+.tabActive {
+  border-color: #106ba3;
+  color: #106ba3;
+  background: #edf6ff;
+}
+
+.formGrid {
+  display: grid;
+  gap: 0.5rem;
+}
+
+.actions {
+  display: flex;
+  justify-content: space-between;
+  gap: 0.75rem;
+}
+
+.reviewRow {
+  border-top: 1px solid #d8e1ec;
+  padding-top: 0.75rem;
+  margin-top: 0.25rem;
+}
+
+.reviewTitle {
+  margin: 0 0 0.5rem;
+}
+
+.reviewGrid {
+  display: grid;
+  grid-template-columns: max-content 1fr;
+  gap: 0.25rem 0.75rem;
+}
+
+@media (max-width: 640px) {
+  .container {
+    padding: 1rem;
+  }
+
+  .actions {
+    flex-direction: column-reverse;
+  }
+}

frontend/src/Onboarding/OnboardingPage.tsx

@@ -0,0 +1,242 @@
+import React, { useEffect, useMemo, useState, type ReactNode } from 'react'
+import { Button, Callout, Card, FormGroup, H2, H5, InputGroup, Intent, ProgressBar } from '@blueprintjs/core'
+import MultiStep, { type SignalParent, useMultiStep } from 'react-multistep'
+import { getKeycloak } from '../keycloak'
+import styles from './OnboardingPage.module.css'
+
+type OnboardingPayload = {
+  firstName: string
+  middleName: string
+  lastName: string
+  ssn: string
+}
+
+type StepProps = {
+  signalParent?: SignalParent
+  title?: ReactNode
+  value: OnboardingPayload
+  onChange: (updates: Partial<OnboardingPayload>) => void
+  onSubmit?: () => Promise<void>
+  isSubmitting?: boolean
+  error?: string | null
+}
+
+interface OnboardingPageProps {
+  onComplete: () => void
+}
+
+function StepChrome({ children, onSubmit, isSubmitting = false }: { children: ReactNode; onSubmit?: () => Promise<void>; isSubmitting?: boolean }) {
+  const { activeStep, stepCount, steps, currentStepValid, next, previous, goToStep } = useMultiStep()
+  const isLastStep = activeStep === stepCount - 1
+  const progress = ((activeStep + 1) / stepCount) * 100
+
+  const handleAdvance = async () => {
+    if (!isLastStep) {
+      next()
+      return
+    }
+    if (onSubmit) {
+      await onSubmit()
+    }
+  }
+
+  return (
+    <Card className={styles.card} elevation={2}>
+      <div className={styles.header}>
+        <H2 className={styles.title}>Finish Your Profile</H2>
+        <p className={styles.subtitle}>We only need a few details to complete onboarding.</p>
+        <ProgressBar value={progress / 100} animate stripes={false} />
+      </div>
+
+      <div className={styles.stepTabs}>
+        {steps.map(step => (
+          <button
+            key={step.index}
+            type="button"
+            className={step.index === activeStep ? styles.tabActive : styles.tab}
+            onClick={() => goToStep(step.index)}
+          >
+            {(step.title as React.ReactNode) ?? `Step ${step.index + 1}`}
+          </button>
+        ))}
+      </div>
+
+      <div>{children}</div>
+
+      <div className={styles.actions}>
+        <Button disabled={activeStep === 0 || isSubmitting} onClick={previous}>
+          Back
+        </Button>
+        <Button
+          intent={Intent.PRIMARY}
+          loading={isSubmitting}
+          disabled={!currentStepValid || isSubmitting}
+          onClick={() => void handleAdvance()}
+        >
+          {isLastStep ? 'Complete Onboarding' : 'Continue'}
+        </Button>
+      </div>
+    </Card>
+  )
+}
+
+function NameStep({ signalParent, value, onChange }: StepProps) {
+  useEffect(() => {
+    signalParent?.({ isValid: value.firstName.trim().length > 0 })
+  }, [signalParent, value.firstName])
+
+  return (
+    <StepChrome>
+      <div className={styles.formGrid}>
+        <FormGroup label="First name" labelFor="firstName" labelInfo="*">
+          <InputGroup
+            id="firstName"
+            value={value.firstName}
+            onValueChange={nextValue => onChange({ firstName: nextValue })}
+            placeholder="Ada"
+            autoFocus
+          />
+        </FormGroup>
+
+        <FormGroup label="Middle name (optional)" labelFor="middleName">
+          <InputGroup
+            id="middleName"
+            value={value.middleName}
+            onValueChange={nextValue => onChange({ middleName: nextValue })}
+            placeholder="Lovelace"
+          />
+        </FormGroup>
+
+        <FormGroup label="SSN" labelFor="ssn" labelInfo="*">
+          <InputGroup
+            id="ssn"
+            value={value.ssn}
+            onValueChange={nextValue => onChange({ ssn: nextValue })}
+            placeholder="XXX-XX-XXXX"
+            type="password"
+          />
+        </FormGroup>
+      </div>
+    </StepChrome>
+  )
+}
+
+function ReviewStep({ signalParent, value, onChange, onSubmit, isSubmitting = false, error = null }: StepProps) {
+  useEffect(() => {
+    const isValid =
+      value.firstName.trim().length > 0 &&
+      value.lastName.trim().length > 0 &&
+      value.ssn.trim().length > 0
+    signalParent?.({ isValid })
+  }, [signalParent, value.firstName, value.lastName, value.ssn])
+
+  return (
+    <StepChrome onSubmit={onSubmit} isSubmitting={isSubmitting}>
+      <div className={styles.formGrid}>
+        <FormGroup label="Last name" labelFor="lastName" labelInfo="*">
+          <InputGroup
+            id="lastName"
+            value={value.lastName}
+            onValueChange={nextValue => onChange({ lastName: nextValue })}
+            placeholder="Byron"
+          />
+        </FormGroup>
+      </div>
+
+      <div className={styles.reviewRow}>
+        <H5 className={styles.reviewTitle}>Review</H5>
+        <div className={styles.reviewGrid}>
+          <span>First</span>
+          <span>{value.firstName || '-'}</span>
+          <span>Middle</span>
+          <span>{value.middleName || '-'}</span>
+          <span>Last</span>
+          <span>{value.lastName || '-'}</span>
+          <span>SSN</span>
+          <span>{'•'.repeat(value.ssn.length) || '-'}</span>
+        </div>
+      </div>
+
+      {error && (
+        <Callout intent={Intent.DANGER} title="Could not save profile">
+          {error}
+        </Callout>
+      )}
+    </StepChrome>
+  )
+}
+
+export function OnboardingPage({ onComplete }: OnboardingPageProps) {
+  const [form, setForm] = useState<OnboardingPayload>({
+    firstName: '',
+    middleName: '',
+    lastName: '',
+    ssn: '',
+  })
+  const [isSubmitting, setIsSubmitting] = useState(false)
+  const [error, setError] = useState<string | null>(null)
+
+  const payload = useMemo(
+    () => ({
+      firstName: form.firstName.trim(),
+      middleName: form.middleName.trim(),
+      lastName: form.lastName.trim(),
+      ssn: form.ssn.trim(),
+    }),
+    [form.firstName, form.middleName, form.lastName, form.ssn],
+  )
+
+  const handleChange = (updates: Partial<OnboardingPayload>) => {
+    setForm(current => ({ ...current, ...updates }))
+  }
+
+  const handleSubmit = async () => {
+    setIsSubmitting(true)
+    setError(null)
+
+    try {
+      const keycloak = getKeycloak()
+      await keycloak.updateToken(30)
+      const response = await fetch('/api/profile/onboarding', {
+        method: 'POST',
+        headers: {
+          'Content-Type': 'application/json',
+          Authorization: `Bearer ${keycloak.token}`,
+        },
+        body: JSON.stringify(payload),
+      })
+
+      if (response.ok || response.status === 409) {
+        onComplete()
+        return
+      }
+
+      let message = `Status ${response.status}`
+      const data = (await response.json().catch(() => null)) as { message?: string } | null
+      if (data?.message) {
+        message = data.message
+      }
+      setError(message)
+    } catch (submitError) {
+      setError(submitError instanceof Error ? submitError.message : 'Unexpected error')
+    } finally {
+      setIsSubmitting(false)
+    }
+  }
+
+  return (
+    <div className={styles.container}>
+      <MultiStep initialStep={0} onValidationError={() => setError('Please complete required fields before continuing.')}>
+        <NameStep title="Identity" value={form} onChange={handleChange} />
+        <ReviewStep
+          title="Finalize"
+          value={form}
+          onChange={handleChange}
+          onSubmit={handleSubmit}
+          isSubmitting={isSubmitting}
+          error={error}
+        />
+      </MultiStep>
+    </div>
+  )
+}

frontend/src/Onboarding/index.ts

@@ -0,0 +1 @@
+export { OnboardingPage } from './OnboardingPage'

frontend/src/Profile/ProfilePreview.module.css

@@ -0,0 +1,126 @@
+.container {
+  display: flex;
+  align-items: center;
+  justify-content: center;
+  min-height: 100vh;
+  background: #f5f7fa;
+}
+
+.card {
+  width: 100%;
+  max-width: 480px;
+  padding: 2.5rem;
+  border: 1px solid #e0e0e0;
+  border-radius: 12px;
+  background: #fff;
+  display: flex;
+  flex-direction: column;
+  gap: 1.5rem;
+}
+
+.header {
+  display: flex;
+  flex-direction: column;
+  gap: 0.25rem;
+}
+
+.title {
+  margin: 0;
+  font-size: 1.4rem;
+  font-weight: 600;
+  color: #111;
+}
+
+.subtitle {
+  margin: 0;
+  font-size: 0.85rem;
+  color: #6b7280;
+}
+
+.badge {
+  display: inline-flex;
+  align-items: center;
+  gap: 0.35rem;
+  padding: 0.2rem 0.65rem;
+  border-radius: 999px;
+  font-size: 0.78rem;
+  font-weight: 500;
+  background: #dcfce7;
+  color: #15803d;
+  width: fit-content;
+}
+
+.dot {
+  width: 7px;
+  height: 7px;
+  border-radius: 50%;
+  background: #16a34a;
+}
+
+.fields {
+  display: flex;
+  flex-direction: column;
+  gap: 1rem;
+}
+
+.field {
+  display: flex;
+  flex-direction: column;
+  gap: 0.2rem;
+}
+
+.label {
+  font-size: 0.75rem;
+  font-weight: 600;
+  text-transform: uppercase;
+  letter-spacing: 0.05em;
+  color: #9ca3af;
+}
+
+.value {
+  font-size: 1rem;
+  color: #111;
+  padding: 0.55rem 0.75rem;
+  border: 1px solid #e5e7eb;
+  border-radius: 6px;
+  background: #f9fafb;
+  font-family: monospace;
+}
+
+.divider {
+  border: none;
+  border-top: 1px solid #e5e7eb;
+  margin: 0;
+}
+
+.meta {
+  font-size: 0.8rem;
+  color: #9ca3af;
+  display: flex;
+  flex-direction: column;
+  gap: 0.25rem;
+}
+
+.actions {
+  display: flex;
+  justify-content: flex-end;
+}
+
+.logout {
+  padding: 0.55rem 1.25rem;
+  border: 1px solid #ccc;
+  border-radius: 6px;
+  background: transparent;
+  font-size: 0.9rem;
+  cursor: pointer;
+  color: #374151;
+}
+
+.logout:hover {
+  background: #f3f4f6;
+}
+
+.error {
+  color: #dc2626;
+  font-size: 0.9rem;
+}

frontend/src/Profile/ProfilePreview.tsx

@@ -0,0 +1,113 @@
+import { useEffect, useState } from 'react'
+import { getKeycloak } from '../keycloak'
+import styles from './ProfilePreview.module.css'
+
+interface Profile {
+  id: string
+  keycloakSubject: string
+  firstName: string
+  middleName: string
+  lastName: string
+  onboardingComplete: boolean
+  createdAt: string
+  tenant: string
+}
+
+interface Props {
+  onLogout: () => void
+}
+
+export function ProfilePreview({ onLogout }: Props) {
+  const [profile, setProfile] = useState<Profile | null>(null)
+  const [error, setError] = useState<string | null>(null)
+
+  useEffect(() => {
+    async function load() {
+      try {
+        const keycloak = getKeycloak()
+        await keycloak.updateToken(30)
+        const res = await fetch('/api/profile', {
+          headers: { Authorization: `Bearer ${keycloak.token}` },
+        })
+        if (!res.ok) throw new Error(`Status ${res.status}`)
+        setProfile(await res.json())
+      } catch (e) {
+        setError(e instanceof Error ? e.message : 'Failed to load profile')
+      }
+    }
+    load()
+  }, [])
+
+  if (error) {
+    return (
+      <div className={styles.container}>
+        <div className={styles.card}>
+          <p className={styles.error}>Error: {error}</p>
+        </div>
+      </div>
+    )
+  }
+
+  if (!profile) {
+    return (
+      <div className={styles.container}>
+        <div className={styles.card}>
+          <p>Loading profile…</p>
+        </div>
+      </div>
+    )
+  }
+
+  return (
+    <div className={styles.container}>
+      <div className={styles.card}>
+        <div className={styles.header}>
+          <h1 className={styles.title}>Profile Preview</h1>
+          <p className={styles.subtitle}>
+            Decrypted PII read back from the database via the API
+          </p>
+        </div>
+
+        <div className={styles.badge}>
+          <span className={styles.dot} />
+          Decryption successful
+        </div>
+
+        <div className={styles.fields}>
+          <div className={styles.field}>
+            <span className={styles.label}>First Name</span>
+            <span className={styles.value}>{profile.firstName}</span>
+          </div>
+          {profile.middleName && (
+            <div className={styles.field}>
+              <span className={styles.label}>Middle Name</span>
+              <span className={styles.value}>{profile.middleName}</span>
+            </div>
+          )}
+          <div className={styles.field}>
+            <span className={styles.label}>Last Name</span>
+            <span className={styles.value}>{profile.lastName}</span>
+          </div>
+        </div>
+
+        <hr className={styles.divider} />
+
+        <div className={styles.meta}>
+          <span>Profile ID: {profile.id}</span>
+          <span>Subject: {profile.keycloakSubject}</span>
+          <span>Tenant: {profile.tenant || '(none)'}</span>
+          <span>Created: {new Date(profile.createdAt).toLocaleString()}</span>
+          <span>
+            Onboarding complete: {profile.onboardingComplete ? 'Yes' : 'No'}
+          </span>
+        </div>
+
+        <div className={styles.actions}>
+          <button className={styles.logout} onClick={onLogout}>
+            Logout
+          </button>
+        </div>
+      </div>
+    </div>
+  )
+}

frontend/src/index.css

@@ -0,0 +1,55 @@
+:root {
+  font-family: system-ui, Avenir, Helvetica, Arial, sans-serif;
+  line-height: 1.5;
+  font-weight: 400;
+
+  color-scheme: light dark;
+
+  font-synthesis: none;
+  text-rendering: optimizeLegibility;
+  -webkit-font-smoothing: antialiased;
+  -moz-osx-font-smoothing: grayscale;
+}
+
+/* Reset and base styles */
+*,
+*::before,
+*::after {
+  box-sizing: border-box;
+}
+
+html {
+  margin: 0;
+  padding: 0;
+  width: 100%;
+  height: 100%;
+  overflow-x: hidden;
+}
+
+body {
+  margin: 0;
+  padding: 0;
+  width: 100%;
+  min-height: 100vh;
+  overflow-x: hidden;
+}
+
+/* Remove default Vite styles that conflict with our design */
+h1 {
+  margin: 0;
+}
+
+button {
+  font-family: inherit;
+  cursor: pointer;
+}
+
+@media (prefers-reduced-motion: reduce) {
+  *,
+  *::before,
+  *::after {
+    animation-duration: 0.01ms !important;
+    animation-iteration-count: 1 !important;
+    transition-duration: 0.01ms !important;
+  }
+}

frontend/src/keycloak.ts

@@ -0,0 +1,33 @@
+import Keycloak from 'keycloak-js'
+
+// Keycloak instance is created dynamically after fetching /api/config from the server.
+// This is necessary because the realm is per-tenant and unknown at build time.
+let _keycloak: Keycloak | null = null
+
+export interface TenantConfig {
+  keycloakUrl: string
+  realm: string
+  clientId: string
+}
+
+export async function loadTenantConfig(): Promise<TenantConfig> {
+  const res = await fetch('/api/config')
+  if (!res.ok) throw new Error(`Failed to load tenant config: ${res.status}`)
+  return res.json()
+}
+
+export function createKeycloak(cfg: TenantConfig): Keycloak {
+  _keycloak = new Keycloak({
+    url:      cfg.keycloakUrl,
+    realm:    cfg.realm,
+    clientId: cfg.clientId,
+  })
+  return _keycloak
+}
+
+// Use this everywhere instead of the default import.
+// Guaranteed non-null after main.tsx calls createKeycloak().
+export function getKeycloak(): Keycloak {
+  if (!_keycloak) throw new Error('Keycloak not initialised yet')
+  return _keycloak
+}

frontend/src/main.tsx

@@ -0,0 +1,26 @@
+import { StrictMode } from 'react'
+import { createRoot } from 'react-dom/client'
+import '@blueprintjs/core/lib/css/blueprint.css'
+import '@blueprintjs/icons/lib/css/blueprint-icons.css'
+import './index.css'
+import App from './App.tsx'
+import { loadTenantConfig, createKeycloak } from './keycloak.ts'
+
+loadTenantConfig()
+  .then(cfg => {
+    const keycloak = createKeycloak(cfg)
+    return keycloak.init({ onLoad: 'login-required', pkceMethod: 'S256', checkLoginIframe: false })
+  })
+  .then(() => {
+    createRoot(document.getElementById('root')!).render(
+      <StrictMode>
+        <App />
+      </StrictMode>,
+    )
+  })
+  .catch(err => {
+    console.error('Failed to initialise app:', err)
+    document.getElementById('root')!.innerHTML =
+      `<pre style="color:red;padding:2rem">Failed to initialise: ${err}</pre>`
+  })
+

frontend/src/vite-env.d.ts

@@ -0,0 +1 @@
+/// <reference types="vite/client" />

frontend/tsconfig.app.json

@@ -0,0 +1,27 @@
+{
+  "compilerOptions": {
+    "tsBuildInfoFile": "./node_modules/.tmp/tsconfig.app.tsbuildinfo",
+    "target": "ES2020",
+    "useDefineForClassFields": true,
+    "lib": ["ES2020", "DOM", "DOM.Iterable"],
+    "module": "ESNext",
+    "skipLibCheck": true,
+
+    /* Bundler mode */
+    "moduleResolution": "bundler",
+    "allowImportingTsExtensions": true,
+    "verbatimModuleSyntax": true,
+    "moduleDetection": "force",
+    "noEmit": true,
+    "jsx": "react-jsx",
+
+    /* Linting */
+    "strict": true,
+    "noUnusedLocals": true,
+    "noUnusedParameters": true,
+    "erasableSyntaxOnly": true,
+    "noFallthroughCasesInSwitch": true,
+    "noUncheckedSideEffectImports": true
+  },
+  "include": ["src"]
+}

frontend/tsconfig.json

@@ -0,0 +1,7 @@
+{
+  "files": [],
+  "references": [
+    { "path": "./tsconfig.app.json" },
+    { "path": "./tsconfig.node.json" }
+  ]
+}

frontend/tsconfig.node.json

@@ -0,0 +1,25 @@
+{
+  "compilerOptions": {
+    "tsBuildInfoFile": "./node_modules/.tmp/tsconfig.node.tsbuildinfo",
+    "target": "ES2022",
+    "lib": ["ES2023"],
+    "module": "ESNext",
+    "skipLibCheck": true,
+
+    /* Bundler mode */
+    "moduleResolution": "bundler",
+    "allowImportingTsExtensions": true,
+    "verbatimModuleSyntax": true,
+    "moduleDetection": "force",
+    "noEmit": true,
+
+    /* Linting */
+    "strict": true,
+    "noUnusedLocals": true,
+    "noUnusedParameters": true,
+    "erasableSyntaxOnly": true,
+    "noFallthroughCasesInSwitch": true,
+    "noUncheckedSideEffectImports": true
+  },
+  "include": ["vite.config.ts"]
+}

frontend/vite.config.ts

@@ -0,0 +1,22 @@
+import { defineConfig } from 'vite'
+import react from '@vitejs/plugin-react'
+
+// https://vite.dev/config/
+export default defineConfig({
+  plugins: [react()],
+  resolve: {
+    dedupe: ['react', 'react-dom'],
+  },
+  optimizeDeps: {
+    include: ['react-multistep'],
+  },
+  server: {
+    proxy: {
+      // Proxy API calls to the app service
+      '/api': {
+        target: process.env.SERVER_HTTPS || process.env.SERVER_HTTP,
+        changeOrigin: true
+      }
+    }
+  }
+})