new applets app for cross-board usage of Applet() & UserApplet() models; dashboard migrations reset and apps reseeded w. new default specs; core.settings & many tests thru-out suite updated accordingly

.woodpecker.yaml

@@ -6,31 +6,48 @@ services:
       POSTGRES_USER: postgres
       POSTGRES_PASSWORD: postgres
 
+  - name: redis
+    image: redis:7
+
 steps:
   - name: test-UTs-n-ITs
     image: python:3.13-slim
     environment:
       DATABASE_URL: postgresql://postgres:postgres@postgres/python_tdd_test
+      CELERY_BROKER_URL: redis://redis:6379/0
+      REDIS_URL: redis://redis:6379/1
     commands:
       - pip install -r requirements.txt
       - cd ./src
       - python manage.py test apps
+    when:
+      - event: push
 
   - name: test-FTs
     image: gitea.earthmanrpg.me/discoman/python-tdd-ci:latest
     environment:
       HEADLESS: 1
+      CELERY_BROKER_URL: redis://redis:6379/0
+      REDIS_URL: redis://redis:6379/1
+      STRIPE_SECRET_KEY:
+        from_secret: stripe_secret_key
+      STRIPE_PUBLISHABLE_KEY:
+        from_secret: stripe_publishable_key
     commands:
+      - pip install -r requirements.txt
       - cd ./src
       - python manage.py collectstatic --noinput
       - python manage.py test functional_tests
+    when:
+      - event: push
 
   - name: screendumps
     image: gitea.earthmanrpg.me/discoman/python-tdd-ci:latest
-    when:
-      - status: failure
     commands:
       - cat ./src/functional_tests/screendumps/*.html || echo "No screendumps found"
+    when:
+      - event: push
+        status: failure
 
   - name: build-and-push
     image: docker:cli
@@ -43,7 +60,7 @@ steps:
       - docker push gitea.earthmanrpg.me/discoman/gamearray:latest
     when:
       - branch: main
-      - event: push
+        event: push
 
   - name: deploy
     image: alpine
@@ -58,5 +75,5 @@ steps:
       - ssh -o StrictHostKeyChecking=no discoman@staging.earthmanrpg.me /opt/gamearray/deploy.sh
     when:
       - branch: main
-      - event: push
+        event: push
     

Dockerfile

@@ -15,6 +15,8 @@ RUN python manage.py collectstatic --noinput
 
 ENV DJANGO_DEBUG_FALSE=1
 
+RUN DJANGO_SECRET_KEY=build-dummy DJANGO_ALLOWED_HOST=localhost python manage.py compress
+
 RUN adduser --uid 1234 nonroot
 
 USER nonroot

infra/deploy-playbook.yaml

@@ -114,6 +114,15 @@
           POSTGRES_USER: gamearray
           POSTGRES_PASSWORD: "{{ postgres_password }}"
 
+    - name: Start Redis container
+      community.docker.docker_container:
+        name: gamearray_redis
+        image: redis:7
+        state: started
+        restart_policy: unless-stopped
+        networks:
+          - name: gamearray_net
+
     - name: Run container
       community.docker.docker_container:
         name: gamearray
@@ -124,13 +133,36 @@
           DJANGO_DEBUG_FALSE: "1"
           DJANGO_SECRET_KEY: "{{ secret_key.content | b64decode }}"
           DJANGO_ALLOWED_HOST: "{{ django_allowed_host }}"
+          DJANGO_SUPERUSER_EMAIL: "{{ django_superuser_email }}"
+          DJANGO_SUPERUSER_PASSWORD: "{{ django_superuser_password }}"
           DATABASE_URL: "postgresql://gamearray:{{ postgres_password }}@gamearray_postgres/gamearray"
           MAILGUN_API_KEY: "{{  mailgun_api_key }}"
+          CELERY_BROKER_URL: "redis://gamearray_redis:6379/0"
+          REDIS_URL: "redis://gamearray_redis:6379/1"
         networks:
           - name: gamearray_net
         ports:
           127.0.0.1:8888:8888
 
+    - name: Start Celery worker container
+      community.docker.docker_container:
+        name: gamearray_celery
+        image: gitea.earthmanrpg.me/discoman/gamearray:latest
+        state: started
+        recreate: true
+        env:
+          DJANGO_DEBUG_FALSE: "1"
+          DJANGO_SECRET_KEY: "{{ secret_key.content | b64decode }}"
+          DJANGO_ALLOWED_HOST: "{{ django_allowed_host }}"
+          DATABASE_URL: "postgresql://gamearray:{{ postgres_password }}@gamearray_postgres/gamearray"
+          MAILGUN_API_KEY: "{{  mailgun_api_key }}"
+          CELERY_BROKER_URL: "redis://gamearray_redis:6379/0"
+          REDIS_URL: "redis://gamearray_redis:6379/1"
+        networks:
+          - name: gamearray_net
+        command: "python -m celery -A core worker -l info"
+
+
     - name: Create static files directory
       ansible.builtin.file:
         path: /var/www/gamearray/static
@@ -149,6 +181,11 @@
         container: gamearray
         command: python manage.py migrate
 
+    - name: Ensure superuser exists
+      community.docker.docker_container_exec:
+        container: gamearray
+        command: python manage.py ensure_superuser
+
   handlers:
     - name: Restart nginx
       ansible.builtin.service:

infra/deploy.sh.j2

@@ -17,9 +17,22 @@ docker run -d --name gamearray \
     -p 127.0.0.1:8888:8888 \
     "$IMAGE"
 
+echo "==> Stopping old celery worker..."
+docker stop gamearray_celery 2>/dev/null || true
+docker rm gamearray_celery 2>/dev/null || true
+
+echo "==> Starting new celery worker..."
+docker run -d --name gamearray_celery \
+    --env-file /opt/gamearray/gamearray.env \
+    --network gamearray_net \
+    "$IMAGE" python -m celery -A core worker -l info
+
 echo "==> Running migrations..."
 docker exec gamearray python ./manage.py migrate
 
+echo "==> Ensuring superuser exists..."
+docker exec gamearray python manage.py ensure_superuser
+
 echo "==> Copying static files..."
 sudo docker cp gamearray:/src/static/. /var/www/gamearray/static/
 

infra/gamearray.env.j2

@@ -1,5 +1,12 @@
 DJANGO_DEBUG_FALSE=1
 DJANGO_SECRET_KEY={{ secret_key.content | b64decode }}
 DJANGO_ALLOWED_HOST={{ django_allowed_host }}
+DJANGO_SUPERUSER_EMAIL={{ django_superuser_email }}
+DJANGO_SUPERUSER_PASSWORD={{ django_superuser_password }}
 DATABASE_URL=postgresql://gamearray:{{ postgres_password }}@gamearray_postgres/gamearray
 MAILGUN_API_KEY={{ mailgun_api_key }}
+STRIPE_PUBLISHABLE_KEY={{ stripe_publishable_key }}
+STRIPE_SECRET_KEY={{ stripe_secret_key }}
+CELERY_BROKER_URL=redis://gamearray_redis:6379/0
+REDIS_URL=redis://gamearray_redis:6379/1
+

infra/group_vars/staging/vault.yaml

@@ -1,23 +1,42 @@
 $ANSIBLE_VAULT;1.1;AES256
-33616230376431343735626631623932393166343538653732383533323436326335343463646664
-6565373531623465613661613533376231373837326438300a393665613839646231633737313938
-64633035336663313163333634623732323537326363646132313136376131636666636538323066
-3037373930303537320a313062646166353862633836373466316261363939633433663039323866
-62333739303662343836306538393734343830366336323265393138343438363533353166383031
-32313461313137643039376237346633316466646136353038633861333031663164656233366634
-38303363383130376264373861393863623330623733643135643461383132613339376633353031
-32313863323039646534633733383661333361313832333830383066633130396239626661643264
-65636335303339613432326533343337366261356632313639623634386633383836333733663536
-39383361353530646166643531333535356636326535383534326237666638326137616162646261
-65316466323335653932636338653565383038313531383638393839313736643739363037353230
-35653632353531656435396663316537333133653632366437613339303033333536643937353166
-64363037653733303332643931343362303261643432366531326262383465313965633064356338
-31336333373665373035656533633864316139303934623030383934393434356334643962666163
-33343739366336613263333764306365333566363536616662383733616237396563346132336633
-38663239613339376335386233386330396634323033343332366130616162666339393861306336
-35383566383831356530633130313732356331616164646132626665646235396635386237313538
-38656631336261646530303761643334303937613036363766303637376262373466316431323731
-38666462313639353131303134646434646135366136343361353932326165626666306361393431
-62646238323265346263386363373462313766616333326366366461346436383064336535376339
-31356566356336386262393831616631666233633930393263623563386265343237323133313832
-3430363635363332303963316530663765613666306233376463
+38383061343764656262613934313230656462366163363263653462333338333863326338343838
+3664646437643462346636623231633639396239333532340a363338313839353734326238643735
+39343237396433336436366430626332343666666461613636656433363838613432393539386266
+3237336434346333350a663530623334633438616135376437666631313064333735653633396461
+31306163343838336465626663373661343839653037333235313361633335646337353339616333
+35343233346562346236636364316265313936646235373866636333353866623161663935626637
+31633864366339653930626365373237326531366632626337636163333266656434323063333365
+38373437383261613439306666373764633737623466626235356465636365646337306534326535
+36633866663161613632613434666134343465383663633165663330376535653537333763376232
+61653265303134656338393033303834663630653064666134633638393235346631346461633030
+35343332393961363361613661633633613262663231366236396663636239326534373134623762
+30653139333134616236666238616466633733656633326331386138363839653566333434346534
+63326539333461383265316332336333656365386531393630663537363365643061363263313738
+37633564363533633762393736636333306433306534393539636231656162343562383232663932
+62646339363266303564383438636636373661656465666663613863396639633732636635326166
+39323738303338373466366236623665633538363134616565326665386564613735393638656630
+31326431316163376132623064376634643737313864336464623431333834663361336133353838
+32303635663261333732306137383133623134373363613837306637663566303634653863343766
+33613936626362653466333537666462373633313038376565623363666631353162643634653730
+30323532623261643136666237316561353038323265303930336364633731333533386563623133
+31343965643336613933663431626435333235366639363334653065303434386165333739336632
+61363030376664643638653365626365623936623864666663326534343863613962616431376666
+39363837386639393235316339323932326466616330303165613032663637616232656162653335
+61613266376262626234383135306238313366346330656333383465383861663962653638303362
+34353833646461383839386238626661346263363131643438343461393739336132386466373665
+32646238633161363064666335626639653335306236613866333934646366323564306133396131
+36343032623964316138386538333863363530396330646431373466646538663063326330663639
+32323762356632336364333162336133336335623865323861663131626232633066643238333237
+32343938353166353037316162653832663433343534626331633936633866356666653932656665
+38396533356131326262633431653435306362633966383531356236396639376437396333616130
+35666435393461316232323234653865346338326330623065373461323961393663306262313066
+30313430353065616230356135333565333338373663643434353561363438656233383739663233
+35653832353062396634613832353837333835636461616234343462626239636634613430373931
+31656534343764643065643733326637343631356633653531313062633362663461313732633331
+35626364393563373339636466346339383032383635303865306636623737343237333863353238
+63306132396262656365323833323635633563653735366630313363386236613231346339643430
+63396230353566633830383932666335373665356434656438336338633035653465613665613862
+31663565653338376662323866613538363566306635333735646363363730646331306234353839
+30346363393231623563646439623261643634663831313338393761343865303930373133633733
+31656466303365316164396463373335396464643130643337656361333339653238333633373662
+6539

infra/inventory.ini

@@ -1,5 +1,5 @@
 [staging]
-staging.earthmanrpg.me ansible_user=discoman ansible_ssh_private_key_file=~/.ssh/id_ed25519_wsl_python-tdd
+staging.earthmanrpg.me ansible_user=discoman ansible_ssh_private_key_file=~/.ssh/id_ed25519_wsl_python-tdd letsencrypt_domain=staging.earthmanrpg.me
 
 [production]
 www.earthmanrpg.me ansible_user=discoman ansible_ssh_private_key_file=~/.ssh/id_ed25519_wsl_python-tdd

infra/nginx.conf.j2

@@ -1,6 +1,15 @@
 server {
     listen 80;
     server_name {{ django_allowed_host | replace(',', ' ')}};
+    return 301 https://$host$request_uri;
+}
+
+server {
+    listen 443 ssl;
+    server_name {{ django_allowed_host | replace(',', ' ') }};
+
+    ssl_certificate /etc/letsencrypt/live/{{ letsencrypt_domain }}/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/{{ letsencrypt_domain }}/privkey.pem;
 
     location /static/ {
         alias /var/www/gamearray/static/;
@@ -11,6 +20,6 @@ server {
         proxy_set_header Host $host;
         proxy_set_header X-Real-IP $remote_addr;
         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_set_header X-Forwarded-Proto https;
     }
 }

requirements.dev.txt

@@ -7,8 +7,12 @@ coverage
 cssselect==1.3.0
 dj-database-url
 Django==6.0
+django-compressor
+django-htmx
+django-libsass
 django-stubs==5.2.8
 django-stubs-ext==5.2.8
+djangorestframework
 gunicorn==23.0.0
 h11==0.16.0
 idna==3.11
@@ -17,11 +21,13 @@ outcome==1.3.0.post0
 packaging==25.0
 pycparser==2.23
 PySocks==1.7.1
+python-dotenv
 requests==2.32.5
 selenium==4.39.0
 sniffio==1.3.1
 sortedcontainers==2.4.0
 sqlparse==0.5.5
+stripe
 trio==0.32.0
 trio-websocket==0.12.2
 types-PyYAML==6.0.12.20250915

requirements.txt

@@ -1,10 +1,17 @@
+celery
 cssselect==1.3.0
 Django==6.0
 dj-database-url
+django-compressor
+django-htmx
+django-libsass
 django-stubs==5.2.8
 django-stubs-ext==5.2.8
+djangorestframework
 gunicorn==23.0.0
 lxml==6.0.2
 psycopg2-binary
+redis
 requests==2.31.0
+stripe
 whitenoise==6.11.0

src/apps/api/serializers.py

@@ -0,0 +1,32 @@
+from rest_framework import serializers
+
+from apps.dashboard.models import Item, List
+from apps.lyric.models import User
+
+
+class ItemSerializer(serializers.ModelSerializer):
+    text = serializers.CharField()
+
+    def validate_text(self, value):
+        list_ = self.context["list"]
+        if list_.item_set.filter(text=value).exists():
+            raise serializers.ValidationError("duplicate")
+        return value
+
+    class Meta:
+        model = Item
+        fields = ["id", "text"]
+
+class ListSerializer(serializers.ModelSerializer):
+    name = serializers.ReadOnlyField()
+    url = serializers.CharField(source="get_absolute_url", read_only=True)
+    items = ItemSerializer(many=True, read_only=True, source="item_set")
+
+    class Meta:
+        model = List
+        fields = ["id", "name", "url", "items"]
+
+class UserSerializer(serializers.ModelSerializer):
+    class Meta:
+        model = User
+        fields = ["id", "username"]

src/apps/api/tests/integrated/test_views.py

@@ -0,0 +1,115 @@
+from django.test import TestCase
+from rest_framework.test import APIClient
+
+from apps.dashboard.models import Item, List
+from apps.lyric.models import User
+
+class BaseAPITest(TestCase):
+    # Helper fns
+    def setUp(self):
+        self.client = APIClient()
+        self.user = User.objects.create_user("test@example.com")
+        self.client.force_authenticate(user=self.user)
+
+class ListDetailAPITest(BaseAPITest):
+    def test_returns_list_with_items(self):
+        list_ = List.objects.create(owner=self.user)
+        Item.objects.create(text="item 1", list=list_)
+        Item.objects.create(text="item 2", list=list_)
+
+        response = self.client.get(f"/api/lists/{list_.id}/")
+
+        self.assertEqual(response.status_code, 200)
+        self.assertEqual(response.data["id"], str(list_.id))
+        self.assertEqual(len(response.data["items"]), 2)
+
+class ListItemsAPITest(BaseAPITest):
+    def test_can_add_item_to_list(self):
+        list_ = List.objects.create(owner=self.user)
+
+        response = self.client.post(
+            f"/api/lists/{list_.id}/items/",
+            {"text": "a new item"},
+        )
+
+        self.assertEqual(response.status_code, 201)
+        self.assertEqual(Item.objects.count(), 1)
+        self.assertEqual(Item.objects.first().text, "a new item")
+
+    def test_cannot_add_empty_item_to_list(self):
+        list_ = List.objects.create(owner=self.user)
+
+        response = self.client.post(
+            f"/api/lists/{list_.id}/items/",
+            {"text": ""},
+        )
+
+        self.assertEqual(response.status_code, 400)
+        self.assertEqual(Item.objects.count(), 0)
+
+    def test_cannot_add_duplicate_item_to_list(self):
+        list_ = List.objects.create(owner=self.user)
+        Item.objects.create(text="list item", list=list_)
+        duplicate_response = self.client.post(
+            f"/api/lists/{list_.id}/items/",
+            {"text": "list item"},
+        )
+
+        self.assertEqual(duplicate_response.status_code, 400)
+        self.assertEqual(Item.objects.count(), 1)
+
+class ListsAPITest(BaseAPITest):
+    def test_get_returns_only_users_lists(self):
+        list1 = List.objects.create(owner=self.user)
+        Item.objects.create(text="item 1", list=list1)
+        other_user = User.objects.create_user("other@example.com")
+        List.objects.create(owner=other_user)
+
+        response = self.client.get("/api/lists/")
+
+        self.assertEqual(response.status_code, 200)
+        self.assertEqual(len(response.data), 1)
+        self.assertEqual(response.data[0]["id"], str(list1.id))
+
+    def test_post_creates_list_with_item(self):
+        response = self.client.post(
+            "/api/lists/",
+            {"text": "first item"},
+        )
+
+        self.assertEqual(response.status_code, 201)
+        self.assertEqual(List.objects.count(), 1)
+        self.assertEqual(List.objects.first().owner, self.user)
+        self.assertEqual(Item.objects.first().text, "first item")
+
+class UserSearchAPITest(BaseAPITest):
+    def test_returns_users_matching_username(self):
+        disco = User.objects.create_user("disco@example.com")
+        disco.username = "discoman"
+        disco.searchable = True
+        disco.save()
+
+        response = self.client.get("/api/users/?q=disc")
+
+        self.assertEqual(response.status_code, 200)
+        self.assertEqual(len(response.data), 1)
+        self.assertEqual(response.data[0]["username"], "discoman")
+
+    def test_non_searchable_users_are_excluded(self):
+        alice = User.objects.create_user("alice@example.com")
+        alice.username = "princessAli"
+        alice.save() # searchable defaults to False
+
+        response = self.client.get("/api/users/?q=prin")
+
+        self.assertEqual(response.data, [])
+
+    def test_response_does_not_include_email(self):
+        alice = User.objects.create_user("alice@example.com")
+        alice.username = "princessAli"
+        alice.searchable = True
+        alice.save()
+
+        response = self.client.get("/api/users/?q=prin")
+
+        self.assertNotIn("email", response.data[0])

src/apps/api/tests/unit/test_serializers.py

@@ -0,0 +1,20 @@
+from django.test import SimpleTestCase
+from apps.api.serializers import ItemSerializer, ListSerializer
+
+
+class ItemSerializerTest(SimpleTestCase):
+    def test_fields(self):
+        serializer = ItemSerializer()
+        self.assertEqual(
+            set(serializer.fields.keys()),
+            {"id", "text"},
+        )
+
+class ListSerializerTest(SimpleTestCase):
+    def test_fields(self):
+        serializer = ListSerializer()
+        self.assertEqual(
+            set(serializer.fields.keys()),
+            {"id", "name", "url", "items"},
+        )
+        

src/apps/api/urls.py

@@ -0,0 +1,12 @@
+from django.urls import path
+
+from . import views
+
+
+urlpatterns = [
+    path('lists/', views.ListsAPI.as_view(), name='api_lists'),
+    path('lists/<uuid:list_id>/', views.ListDetailAPI.as_view(), name='api_list_detail'),
+    path('lists/<uuid:list_id>/items/', views.ListItemsAPI.as_view(), name='api_list_items'),
+    path('users/', views.UserSearchAPI.as_view(), name='api_users'),
+]
+

src/apps/api/views.py

@@ -0,0 +1,45 @@
+from django.shortcuts import get_object_or_404
+from rest_framework.views import APIView
+from rest_framework.response import Response
+
+from apps.api.serializers import ItemSerializer, ListSerializer, UserSerializer
+from apps.dashboard.models import Item, List
+from apps.lyric.models import User
+
+
+class ListDetailAPI(APIView):
+    def get(self, request, list_id):
+        list_ = get_object_or_404(List, id=list_id)
+        serializer = ListSerializer(list_)
+        return Response(serializer.data)
+    
+class ListItemsAPI(APIView):
+    def post(self, request, list_id):
+        list_ = get_object_or_404(List, id=list_id)
+        serializer = ItemSerializer(data=request.data, context={"list": list_})
+        if serializer.is_valid():
+            serializer.save(list=list_)
+            return Response(serializer.data, status=201)
+        return Response(serializer.errors, status=400)
+    
+class ListsAPI(APIView):
+    def get(self, request):
+        lists = List.objects.filter(owner=request.user)
+        serializer = ListSerializer(lists, many=True)
+        return Response(serializer.data)
+
+    def post(self, request):
+        list_ = List.objects.create(owner=request.user)
+        item = Item.objects.create(text=request.data.get("text", ""), list=list_)
+        serializer = ListSerializer(list_)
+        return Response(serializer.data, status=201)
+    
+class UserSearchAPI(APIView):
+    def get(self, request):
+        q = request.query_params.get("q", "")
+        users = User.objects.filter(
+            username__icontains=q,
+            searchable=True,
+        )
+        serializer = UserSerializer(users, many=True)
+        return Response(serializer.data)

src/apps/applets/admin.py

@@ -0,0 +1,11 @@
+from django.contrib import admin
+
+from apps.applets.models import Applet, UserApplet
+
+
+@admin.register(Applet)
+class AppletAdmin(admin.ModelAdmin):
+    list_display = ['slug', 'name', 'default_visible', 'grid_cols', 'grid_rows']
+    list_editable = ['grid_cols', 'grid_rows']
+
+admin.site.register(UserApplet)

src/apps/applets/apps.py

@@ -0,0 +1,5 @@
+from django.apps import AppConfig
+
+
+class AppletsConfig(AppConfig):
+    name = 'apps.applets'

src/apps/applets/migrations/0001_initial.py

@@ -0,0 +1,36 @@
+import django.db.models.deletion
+
+from django.conf import settings
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+    initial = True
+    dependencies = [
+        migrations.swappable_dependency(settings.AUTH_USER_MODEL),
+    ]
+
+    operations = [
+        migrations.CreateModel(
+            name='Applet',
+            fields=[
+                ('id', models.BigAutoField(auto_created=True, primary_key=True, serialize=False, verbose_name='ID')),
+                ('slug', models.SlugField(unique=True)),
+                ('name', models.CharField(max_length=100)),
+                ('context', models.CharField(choices=[('dashboard', 'Dashboard'), ('gameboard', 'Gameboard')], default='dashboard', max_length=20)),
+                ('default_visible', models.BooleanField(default=True)),
+                ('grid_cols', models.PositiveSmallIntegerField(default=12)),
+                ('grid_rows', models.PositiveSmallIntegerField(default=3)),
+            ],
+        ),
+        migrations.CreateModel(
+            name='UserApplet',
+            fields=[
+                ('id', models.BigAutoField(auto_created=True, primary_key=True, serialize=False, verbose_name='ID')),
+                ('visible', models.BooleanField(default=True)),
+                ('applet', models.ForeignKey(on_delete=django.db.models.deletion.CASCADE, to='applets.applet')),
+                ('user', models.ForeignKey(on_delete=django.db.models.deletion.CASCADE, related_name='user_applets', to=settings.AUTH_USER_MODEL)),
+            ],
+            options={'unique_together': {('user', 'applet')}},
+        ),
+    ]

src/apps/applets/migrations/0002_seed_applets.py

@@ -0,0 +1,29 @@
+from django.db import migrations
+
+
+def seed_applets(apps, schema_editor):
+    Applet = apps.get_model('applets', 'Applet')
+    for slug, name, cols, rows, context in [
+        ('wallet', 'Wallet', 12, 3, 'dashboard'),
+        ('new-list', 'New List', 9, 3, 'dashboard'),
+        ('my-lists', 'My Lists', 3, 3, 'dashboard'),
+        ('username', 'Username', 6, 3, 'dashboard'),
+        ('palette', 'Palette', 6, 3, 'dashboard'),
+        ('new-game', 'New Game', 4, 2, 'gameboard'),
+        ('my-games', 'My Games', 4, 4, 'gameboard'),
+        ('game-kit', 'Game Kit', 4, 2, 'gameboard'),
+    ]:
+        Applet.objects.get_or_create(
+            slug=slug,
+            defaults={'name': name, 'grid_cols': cols, 'grid_rows': rows, 'context': context},
+        )
+
+
+class Migration(migrations.Migration):
+    dependencies = [
+        ('applets', '0001_initial')
+    ]
+
+    operations = [
+        migrations.RunPython(seed_applets, migrations.RunPython.noop)
+    ]

src/apps/applets/models.py

@@ -0,0 +1,34 @@
+from django.db import models
+
+class Applet(models.Model):
+    DASHBOARD = "dashboard"
+    GAMEBOARD = "gameboard"
+    CONTEXT_CHOICES = [
+        (DASHBOARD, "Dashboard"),
+        (GAMEBOARD, "Gameboard"),
+    ]
+
+    slug = models.SlugField(unique=True)
+    name = models.CharField(max_length=100)
+    context = models.CharField(max_length=20, choices=CONTEXT_CHOICES, default=DASHBOARD)
+    default_visible = models.BooleanField(default=True)
+    grid_cols = models.PositiveSmallIntegerField(default=12)
+    grid_rows = models.PositiveSmallIntegerField(default=3)
+
+    def __str__(self):
+        return self.name
+    
+class UserApplet(models.Model):
+    user = models.ForeignKey(
+        "lyric.User",
+        related_name="user_applets",
+        on_delete=models.CASCADE,
+    )
+    applet = models.ForeignKey(
+        Applet,
+        on_delete=models.CASCADE,
+    )
+    visible = models.BooleanField(default=True)
+
+    class Meta:
+        unique_together = ("user", "applet")

src/apps/applets/tests.py

@@ -0,0 +1,3 @@
+from django.test import TestCase
+
+# Create your tests here.

src/apps/applets/tests/integrated/test_models.py

@@ -0,0 +1,40 @@
+from django.db.utils import IntegrityError
+from django.test import TestCase
+
+from apps.applets.models import Applet, UserApplet
+from apps.lyric.models import User
+
+
+class AppletModelTest(TestCase):
+    def setUp(self):
+        self.applet = Applet.objects.create(
+            slug="my-applet", name="My Applet", default_visible=True
+        )
+
+    def test_applet_can_be_created(self):
+        self.assertEqual(Applet.objects.get(slug="my-applet"), self.applet)
+
+    def test_applet_slug_is_unique(self):
+        with self.assertRaises(IntegrityError):
+            Applet.objects.create(slug="my-applet", name="Second")
+
+    def test_applet_str(self):
+        self.assertEqual(str(self.applet), "My Applet")
+
+    def test_applet_grid_defaults(self):
+        self.assertEqual(self.applet.grid_cols, 12)
+        self.assertEqual(self.applet.grid_rows, 3)
+
+class UserAppletModelTest(TestCase):
+    def setUp(self):
+        self.user = User.objects.create(email="a@b.cde")
+        self.applet, _ = Applet.objects.get_or_create(slug="username", defaults={"name": "Username"})
+
+    def test_user_applet_links_user_to_applet(self):
+        ua = UserApplet.objects.create(user=self.user, applet=self.applet, visible=True)
+        self.assertIn(ua, self.user.user_applets.all())
+
+    def test_user_applet_unique_per_user_and_applet(self):
+        UserApplet.objects.create(user=self.user, applet=self.applet, visible=True)
+        with self.assertRaises(IntegrityError):
+            UserApplet.objects.create(user=self.user, applet=self.applet, visible=False)

src/apps/applets/views.py

@@ -0,0 +1,3 @@
+from django.shortcuts import render
+
+# Create your views here.

src/apps/dashboard/admin.py

@@ -1,3 +1 @@
 from django.contrib import admin
-
-# Register your models here.

src/apps/dashboard/migrations/0001_initial.py

@@ -1,6 +1,8 @@
-# Generated by Django 6.0 on 2026-02-08 01:19
+# Generated by Django 6.0 on 2026-02-23 04:30
 
 import django.db.models.deletion
+import uuid
+from django.conf import settings
 from django.db import migrations, models
 
 
@@ -9,13 +11,16 @@ class Migration(migrations.Migration):
     initial = True
 
     dependencies = [
+        migrations.swappable_dependency(settings.AUTH_USER_MODEL),
     ]
 
     operations = [
         migrations.CreateModel(
             name='List',
             fields=[
-                ('id', models.BigAutoField(auto_created=True, primary_key=True, serialize=False, verbose_name='ID')),
+                ('id', models.UUIDField(default=uuid.uuid4, editable=False, primary_key=True, serialize=False)),
+                ('owner', models.ForeignKey(blank=True, null=True, on_delete=django.db.models.deletion.CASCADE, related_name='lists', to=settings.AUTH_USER_MODEL)),
+                ('shared_with', models.ManyToManyField(blank=True, related_name='shared_lists', to=settings.AUTH_USER_MODEL)),
             ],
         ),
         migrations.CreateModel(

src/apps/dashboard/migrations/0002_list_owner.py

@@ -1,21 +0,0 @@
-# Generated by Django 6.0 on 2026-02-09 03:29
-
-import django.db.models.deletion
-from django.conf import settings
-from django.db import migrations, models
-
-
-class Migration(migrations.Migration):
-
-    dependencies = [
-        ('dashboard', '0001_initial'),
-        migrations.swappable_dependency(settings.AUTH_USER_MODEL),
-    ]
-
-    operations = [
-        migrations.AddField(
-            model_name='list',
-            name='owner',
-            field=models.ForeignKey(blank=True, null=True, on_delete=django.db.models.deletion.CASCADE, related_name='lists', to=settings.AUTH_USER_MODEL),
-        ),
-    ]

src/apps/dashboard/migrations/0003_list_shared_with.py

@@ -1,20 +0,0 @@
-# Generated by Django 6.0 on 2026-02-18 18:13
-
-from django.conf import settings
-from django.db import migrations, models
-
-
-class Migration(migrations.Migration):
-
-    dependencies = [
-        ('dashboard', '0002_list_owner'),
-        migrations.swappable_dependency(settings.AUTH_USER_MODEL),
-    ]
-
-    operations = [
-        migrations.AddField(
-            model_name='list',
-            name='shared_with',
-            field=models.ManyToManyField(blank=True, related_name='shared_lists', to=settings.AUTH_USER_MODEL),
-        ),
-    ]

src/apps/dashboard/models.py

@@ -1,7 +1,11 @@
+import uuid
+
 from django.db import models
 from django.urls import reverse
 
+
 class List(models.Model):
+    id = models.UUIDField(primary_key=True, default=uuid.uuid4, editable=False)
     owner = models.ForeignKey(
         "lyric.User",
         related_name="lists",
@@ -32,5 +36,4 @@ class Item(models.Model):
         unique_together = ("list", "text")
 
     def __str__(self):
-        return self.text
-    
+        return self.text    

src/apps/dashboard/static/apps/scripts/dashboard.js

@@ -2,8 +2,29 @@
 const initialize = (inputSelector) => {
     // console.log("initialize called!");
     const textInput = document.querySelector(inputSelector);
+    if (!textInput) return;
     textInput.oninput = () => {
         // console.log("oninput triggered");
         textInput.classList.remove("is-invalid");
     };
+};
+
+const initGearMenu = () => {
+    const gear = document.getElementById('id_dash_gear');
+    if (!gear) return;
+
+    gear.addEventListener('click', (e) => {
+        e.stopPropagation();
+        const menu = document.getElementById('id_applet_menu');
+        if (!menu) return;
+        menu.style.display = menu.style.display === 'none' ? 'block' : 'none';
+    });
+
+    document.addEventListener('click', (e) => {
+        const menu = document.getElementById('id_applet_menu');
+        if (!menu || menu.style.display === 'none') return;
+        if (e.target.closest('#id_applet_menu_cancel') || !menu.contains(e.target)) {
+            menu.style.display = 'none';
+        }
+    });
 };

src/apps/dashboard/static/apps/scripts/wallet.js

@@ -0,0 +1,43 @@
+const initWallet = () => {
+    let stripe, elements;
+
+    const addBtn = document.getElementById('id_add_payment_method');
+    const saveBtn = document.getElementById('id_save_payment_method');
+    if (!addBtn) return;
+
+    const getCsrf = () => document.cookie.match(/csrftoken=([^;]+)/)[1];
+
+    addBtn.addEventListener('click', async () => {
+        const res = await fetch('/dashboard/wallet/setup-intent', {
+            method: 'POST',
+            headers: {'X-CSRFToken': getCsrf()},
+        });
+        const {client_secret, publishable_key} = await res.json();
+        stripe = Stripe(publishable_key);
+        elements = stripe.elements({clientSecret: client_secret});
+        elements.create('payment').mount('#id_stripe_payment_element');
+        saveBtn.hidden = false;
+    });
+
+    saveBtn.addEventListener('click', async () => {
+        const {error, setupIntent} = await stripe.confirmSetup({
+            elements,
+            redirect: 'if_required',
+        });
+        if (error) { console.error(error); return; }
+        const res = await fetch('/dashboard/wallet/save-payment-method', {
+            method: 'POST',
+            headers: {
+                'X-CSRFToken': getCsrf(),
+                'Content-Type': 'application/x-www-form-urlencoded',
+            },
+            body: `payment_method_id=${setupIntent.payment_method}`,
+        });
+        const {last4, brand} = await res.json();
+        const pm = document.createElement('div');
+        pm.textContent = `${brand} ····${last4}`;
+        document.getElementById('id_payment_methods').appendChild(pm);
+    });
+};
+
+document.addEventListener('DOMContentLoaded', initWallet);

src/apps/dashboard/tests/integrated/test_models.py

@@ -43,7 +43,7 @@ class ItemModelTest(TestCase):
 class ListModelTest(TestCase):
         def test_get_absolute_url(self):
             mylist = List.objects.create()
-            self.assertEqual(mylist.get_absolute_url(), f"/apps/dashboard/{mylist.id}/")
+            self.assertEqual(mylist.get_absolute_url(), f"/dashboard/list/{mylist.id}/")
 
         def test_list_items_order(self):
             list1 = List.objects.create()

src/apps/dashboard/tests/integrated/test_stripe_views.py

@@ -0,0 +1,79 @@
+from unittest import mock
+from django.test import TestCase
+
+from apps.lyric.models import PaymentMethod, User
+
+
+class SetupIntentViewTest(TestCase):
+    def setUp(self):
+        self.user = User.objects.create(email="capman@test.io")
+        self.client.force_login(self.user)
+
+    def test_setup_intent_requires_login(self):
+        self.client.logout()
+        response = self.client.post("/dashboard/wallet/setup-intent")
+        self.assertRedirects(
+            response, "/?next=/dashboard/wallet/setup-intent",
+            fetch_redirect_response=False,
+        )
+
+    @mock.patch("apps.dashboard.views.stripe")
+    def test_returns_client_secret(self, mock_stripe):
+        mock_stripe.Customer.create.return_value = mock.Mock(id="cus_test123")
+        mock_stripe.SetupIntent.create.return_value = mock.Mock(client_secret="seti_secret")
+        response = self.client.post("/dashboard/wallet/setup-intent")
+        self.assertEqual(response.status_code, 200)
+        self.assertEqual(response.json()["client_secret"], "seti_secret")
+        self.assertIn("publishable_key", response.json())
+
+    @mock.patch("apps.dashboard.views.stripe")
+    def test_reuses_existing_stripe_customer(self, mock_stripe):
+        self.user.stripe_customer_id = "cus_existing"
+        self.user.save()
+        mock_stripe.SetupIntent.create.return_value = mock.Mock(client_secret="seti_secret")
+        self.client.post("/dashboard/wallet/setup-intent")
+        mock_stripe.Customer.create.assert_not_called()
+        mock_stripe.SetupIntent.create.assert_called_once_with(customer="cus_existing")
+
+class SavePaymentMethodViewTest(TestCase):
+    def setUp(self):
+        self.user = User.objects.create(email="capman@test.io")
+        self.user.stripe_customer_id = "cus_test123"
+        self.user.save()
+        self.client.force_login(self.user)
+
+    def test_save_payment_method_requires_login(self):
+        self.client.logout()
+        response = self.client.post(
+            "/dashboard/wallet/save-payment-method", {"payment_method_id": "pm_test"}
+        )
+        self.assertRedirects(
+            response, "/?next=/dashboard/wallet/save-payment-method",
+            fetch_redirect_response=False,
+        )
+
+    @mock.patch("apps.dashboard.views.stripe")
+    def test_creates_payment_method_record(self, mock_stripe):
+        mock_stripe.PaymentMethod.retrieve.return_value = mock.Mock(
+            card=mock.Mock(last4="4242", brand="visa")
+        )
+        self.client.post(
+            "/dashboard/wallet/save-payment-method",
+            {"payment_method_id": "pm_test123"},
+        )
+        pm = PaymentMethod.objects.get(user=self.user)
+        self.assertEqual(pm.last4, "4242")
+        self.assertEqual(pm.brand, "visa")
+
+    @mock.patch("apps.dashboard.views.stripe")
+    def test_returns_json_with_last4_and_brand(self, mock_stripe):
+        mock_stripe.PaymentMethod.retrieve.return_value = mock.Mock(
+            card=mock.Mock(last4="4242", brand="visa")
+        )
+        response = self.client.post(
+            "/dashboard/wallet/save-payment-method",
+            {"payment_method_id": "pm_test123"},
+        )
+        data = response.json()
+        self.assertEqual(data["last4"], "4242")
+        self.assertEqual(data["brand"], "visa")

src/apps/dashboard/tests/integrated/test_views.py

@@ -1,9 +1,11 @@
 import lxml.html
-from unittest import skip
 
-from django.test import TestCase
+from django.contrib.messages import get_messages
+from django.test import override_settings, TestCase
+from django.urls import reverse
 from django.utils import html
 
+from apps.applets.models import Applet, UserApplet
 from apps.dashboard.forms import (
     DUPLICATE_ITEM_ERROR,
     EMPTY_ITEM_ERROR,
@@ -13,6 +15,11 @@ from apps.lyric.models import User
 
 
 class HomePageTest(TestCase):
+    def setUp(self):
+        self.user = User.objects.create(email="disco@test.io")
+        self.client.force_login(self.user)
+        Applet.objects.get_or_create(slug="new-list", defaults={"name": "New List"})
+
     def test_uses_home_template(self):
         response = self.client.get('/')
         self.assertTemplateUsed(response, 'apps/dashboard/home.html')
@@ -21,26 +28,30 @@ class HomePageTest(TestCase):
         response = self.client.get('/')
         parsed = lxml.html.fromstring(response.content)
         forms = parsed.cssselect('form[method=POST]')
-        self.assertIn("/apps/dashboard/new_list", [form.get("action") for form in forms])
-        [form] = [form for form in forms if form.get("action") == "/apps/dashboard/new_list"]
+        self.assertIn("/dashboard/new_list", [form.get("action") for form in forms])
+        [form] = [form for form in forms if form.get("action") == "/dashboard/new_list"]
         inputs = form.cssselect("input")
         self.assertIn("text", [input.get("name") for input in inputs])
 
 class NewListTest(TestCase):
+    def setUp(self):
+        user = User.objects.create(email="disco@test.io")
+        self.client.force_login(user)
+
     def test_can_save_a_POST_request(self):
-        self. client.post("/apps/dashboard/new_list", data={"text": "A new list item"})
+        self.client.post("/dashboard/new_list", data={"text": "A new list item"})
         self.assertEqual(Item.objects.count(), 1)
         new_item = Item.objects.get()
         self.assertEqual(new_item.text, "A new list item")
 
     def test_redirects_after_POST(self):
-        response = self.client.post("/apps/dashboard/new_list", data={"text": "A new list item"})
+        response = self.client.post("/dashboard/new_list", data={"text": "A new list item"})
         new_list = List.objects.get()
-        self.assertRedirects(response, f"/apps/dashboard/{new_list.id}/")
+        self.assertRedirects(response, f"/dashboard/list/{new_list.id}/")
 
     # Post invalid input helper
     def post_invalid_input(self):
-        return self.client.post("/apps/dashboard/new_list", data={"text": ""})
+        return self.client.post("/dashboard/new_list", data={"text": ""})
 
     def test_for_invalid_input_nothing_saved_to_db(self):
         self.post_invalid_input()
@@ -58,12 +69,12 @@ class NewListTest(TestCase):
 class ListViewTest(TestCase):
     def test_uses_list_template(self):
         mylist = List.objects.create()
-        response = self.client.get(f"/apps/dashboard/{mylist.id}/")
+        response = self.client.get(f"/dashboard/list/{mylist.id}/")
         self.assertTemplateUsed(response, "apps/dashboard/list.html")
 
     def test_renders_input_form(self):
         mylist = List.objects.create()
-        url = f"/apps/dashboard/{mylist.id}/"
+        url = f"/dashboard/list/{mylist.id}/"
         response = self.client.get(url)
         parsed = lxml.html.fromstring(response.content)
         forms = parsed.cssselect("form[method=POST]")
@@ -80,7 +91,7 @@ class ListViewTest(TestCase):
         other_list = List.objects.create()
         Item.objects.create(text="other list item", list=other_list)
         # When/Act
-        response = self.client.get(f"/apps/dashboard/{correct_list.id}/")
+        response = self.client.get(f"/dashboard/list/{correct_list.id}/")
         # Then/Assert
         self.assertContains(response, "itemey 1")
         self.assertContains(response, "itemey 2")
@@ -91,7 +102,7 @@ class ListViewTest(TestCase):
         correct_list = List.objects.create()
 
         self.client.post(
-            f"/apps/dashboard/{correct_list.id}/",
+            f"/dashboard/list/{correct_list.id}/",
             data={"text": "A new item for an existing list"},
         )
 
@@ -105,16 +116,16 @@ class ListViewTest(TestCase):
         correct_list = List.objects.create()
 
         response = self.client.post(
-            f"/apps/dashboard/{correct_list.id}/",
+            f"/dashboard/list/{correct_list.id}/",
             data={"text": "A new item for an existing list"},
         )
 
-        self.assertRedirects(response, f"/apps/dashboard/{correct_list.id}/")
+        self.assertRedirects(response, f"/dashboard/list/{correct_list.id}/")
 
     # Post invalid input helper
     def post_invalid_input(self):
         mylist = List.objects.create()
-        return self.client.post(f"/apps/dashboard/{mylist.id}/", data={"text": ""})
+        return self.client.post(f"/dashboard/list/{mylist.id}/", data={"text": ""})
 
     def test_for_invalid_input_nothing_saved_to_db(self):
         self.post_invalid_input()
@@ -140,7 +151,7 @@ class ListViewTest(TestCase):
         Item.objects.create(list=list1, text="lorem ipsum")
 
         response = self.client.post(
-            f"/apps/dashboard/{list1.id}/",
+            f"/dashboard/list/{list1.id}/",
             data={"text": "lorem ipsum"},
         )
 
@@ -153,26 +164,26 @@ class MyListsTest(TestCase):
     def test_my_lists_url_renders_my_lists_template(self):
         user = User.objects.create(email="a@b.cde")
         self.client.force_login(user)
-        response = self.client.get(f"/apps/dashboard/users/{user.id}/")
+        response = self.client.get(f"/dashboard/users/{user.id}/")
         self.assertTemplateUsed(response, "apps/dashboard/my_lists.html")
 
     def test_passes_correct_owner_to_template(self):
         User.objects.create(email="wrongowner@example.com")
         correct_user = User.objects.create(email="a@b.cde")
         self.client.force_login(correct_user)
-        response = self.client.get(f"/apps/dashboard/users/{correct_user.id}/")
+        response = self.client.get(f"/dashboard/users/{correct_user.id}/")
         self.assertEqual(response.context["owner"], correct_user)
 
     def test_list_owner_is_saved_if_user_is_authenticated(self):
         user = User.objects.create(email="a@b.cde")
         self.client.force_login(user)
-        self.client.post("/apps/dashboard/new_list", data={"text": "new item"})
+        self.client.post("/dashboard/new_list", data={"text": "new item"})
         new_list = List.objects.get()
         self.assertEqual(new_list.owner, user)
 
     def test_my_lists_redirects_if_not_logged_in(self):
         user  = User.objects.create(email="a@b.cde")
-        response = self.client.get(f"/apps/dashboard/users/{user.id}/")
+        response = self.client.get(f"/dashboard/users/{user.id}/")
         self.assertRedirects(response, "/")
 
     def test_my_lists_returns_403_for_wrong_user(self):
@@ -180,7 +191,7 @@ class MyListsTest(TestCase):
         user1 = User.objects.create(email="a@b.cde")
         user2 = User.objects.create(email="wrongowner@example.com")
         self.client.force_login(user2)
-        response = self.client.get(f"/apps/dashboard/users/{user1.id}/")
+        response = self.client.get(f"/dashboard/users/{user1.id}/")
         # assert 403
         self.assertEqual(response.status_code, 403)
 
@@ -189,16 +200,16 @@ class ShareListTest(TestCase):
         our_list = List.objects.create()
         alice = User.objects.create(email="alice@example.com")
         response = self.client.post(
-            f"/apps/dashboard/{our_list.id}/share_list",
+            f"/dashboard/list/{our_list.id}/share_list",
             data={"recipient": "alice@example.com"},
         )
-        self.assertRedirects(response, f"/apps/dashboard/{our_list.id}/")
+        self.assertRedirects(response, f"/dashboard/list/{our_list.id}/")
 
     def test_post_with_email_adds_user_to_shared_with(self):
         our_list = List.objects.create()
         alice = User.objects.create(email="alice@example.com")
         self.client.post(
-            f"/apps/dashboard/{our_list.id}/share_list",
+            f"/dashboard/list/{our_list.id}/share_list",
             data={"recipient": "alice@example.com"},
         )
         self.assertIn(alice, our_list.shared_with.all())
@@ -206,7 +217,241 @@ class ShareListTest(TestCase):
     def test_post_with_nonexistent_email_redirects_to_list(self):
         our_list = List.objects.create()
         response = self.client.post(
-            f"/apps/dashboard/{our_list.id}/share_list",
+            f"/dashboard/list/{our_list.id}/share_list",
             data={"recipient": "nobody@example.com"},
         )
-        self.assertRedirects(response, f"/apps/dashboard/{our_list.id}/")
+        self.assertRedirects(
+            response,
+            f"/dashboard/list/{our_list.id}/",
+            fetch_redirect_response=False,
+        )
+
+    def test_share_list_does_not_add_owner_as_recipient(self):
+        owner = User.objects.create(email="owner@example.com")
+        our_list = List.objects.create(owner=owner)
+        self.client.force_login(owner)
+        self.client.post(reverse("share_list", args=[our_list.id]),
+                         data={"recipient": "owner@example.com"})
+        self.assertNotIn(owner, our_list.shared_with.all())
+
+    @override_settings(MESSAGE_STORAGE='django.contrib.messages.storage.session.SessionStorage')
+    def test_share_list_shows_privacy_safe_message(self):
+        our_list = List.objects.create()
+        response = self.client.post(
+            f"/dashboard/list/{our_list.id}/share_list",
+            data={"recipient": "nobody@example.com"},
+            follow=True,
+        )
+        messages = list(get_messages(response.wsgi_request))
+        self.assertEqual(
+            str(messages[0]),
+            "An invite has been sent if that address is registered.",
+        )
+
+class ViewAuthListTest(TestCase):
+    def setUp(self):
+        self.owner = User.objects.create(email="disco@example.com")
+        self.our_list = List.objects.create(owner=self.owner)
+
+    def test_anonymous_user_is_redirected(self):
+        response = self.client.get(reverse("view_list", args=[self.our_list.id]))
+        self.assertRedirects(response, "/", fetch_redirect_response=False)
+
+    def test_non_owner_non_shared_user_gets_403(self):
+        stranger = User.objects.create(email="stranger@example.com")
+        self.client.force_login(stranger)
+        response = self.client.get(reverse("view_list", args=[self.our_list.id]))
+        self.assertEqual(response.status_code, 403)
+
+    def test_shared_with_user_can_access_list(self):
+        guest = User.objects.create(email="guest@example.com")
+        self.our_list.shared_with.add(guest)
+        self.client.force_login(guest)
+        response = self.client.get(reverse("view_list", args=[self.our_list.id]))
+        self.assertEqual(response.status_code, 200)
+
+@override_settings(COMPRESS_ENABLED=False)
+class SetPaletteTest(TestCase):
+    def setUp(self):
+        self.user = User.objects.create(email="a@b.cde")
+        self.client.force_login(self.user)
+        self.url = reverse("home")
+        Applet.objects.get_or_create(slug="palette", defaults={"name": "Palette"})
+    
+    def test_anonymous_user_is_redirected_home(self):
+        response = self.client.post("/dashboard/set_palette")
+        self.assertRedirects(response, "/", fetch_redirect_response=False)
+
+    def test_set_palette_updates_user_palette(self):
+        User.objects.filter(pk=self.user.pk).update(palette="palette-sheol")
+        self.client.post("/dashboard/set_palette", data={"palette": "palette-default"})
+        self.user.refresh_from_db()
+        self.assertEqual(self.user.palette, "palette-default")
+
+    def test_locked_palette_is_rejected(self):
+        response = self.client.post("/dashboard/set_palette", data={"palette": "palette-nirvana"})
+        self.user.refresh_from_db()
+        self.assertEqual(self.user.palette, "palette-default")
+        self.assertRedirects(response, "/", fetch_redirect_response=False)
+
+    def test_set_palette_redirects_home(self):
+        response = self.client.post("/dashboard/set_palette", data={"palette": "palette-default"})
+        self.assertRedirects(response, "/", fetch_redirect_response=False)
+
+    def test_my_lists_contains_set_palette_form(self):
+        response = self.client.get(self.url)
+        parsed = lxml.html.fromstring(response.content)
+        forms = parsed.cssselect('form[action="/dashboard/set_palette"]')
+        self.assertEqual(len(forms), 1)
+
+    def test_active_palette_swatch_has_active_class(self):
+        response = self.client.get(self.url)
+        parsed = lxml.html.fromstring(response.content)
+        [active] = parsed.cssselect(".swatch.active")
+        self.assertIn("palette-default", active.classes)
+
+    def test_locked_palettes_are_not_forms(self):
+        response = self.client.get(self.url)
+        parsed = lxml.html.fromstring(response.content)
+        locked = parsed.cssselect(".swatch.locked")
+        expected_locked = [p for p in response.context["palettes"] if p["locked"]]
+        self.assertEqual(len(locked), len(expected_locked))
+        # they mustn't be button els
+        for swatch in locked:
+            self.assertNotEqual(swatch.tag, "button")
+
+    def test_palette_picker_count_matches_context(self):
+        response = self.client.get(self.url)
+        parsed = lxml.html.fromstring(response.content)
+        swatches = parsed.cssselect(".swatch")
+        self.assertEqual(len(swatches), len(response.context["palettes"]))
+
+@override_settings(COMPRESS_ENABLED=False)
+class ProfileViewTest(TestCase):
+    def setUp(self):
+        self.user = User.objects.create(email="discoman@example.com")
+        self.client.force_login(self.user)
+
+    def test_post_username_saves_to_user(self):
+        self.client.post("/dashboard/set_profile", data={"username": "discoman"})
+        self.user.refresh_from_db()
+        self.assertEqual(self.user.username, "discoman")
+
+    def test_post_username_requires_login(self):
+        self.client.logout()
+        response = self.client.post("/dashboard/set_profile", data={"username": "somnambulist"})
+        self.assertRedirects(response, "/?next=/dashboard/set_profile", fetch_redirect_response=False)
+
+    def test_dash_renders_username_applet(self):
+        response = self.client.get("/")
+        parsed = lxml.html.fromstring(response.content)
+        [applet] = parsed.cssselect("#id_applet_username")
+        self.assertIn("@", applet.text_content())
+        [input_el] = parsed.cssselect("#id_new_username")
+        self.assertEqual("", input_el.get("value"))
+
+    def test_dash_shows_display_name_in_applet(self):
+        self.user.username = "discoman"
+        self.user.save()
+        response = self.client.get("/")
+        parsed = lxml.html.fromstring(response.content)
+        [username_input] = parsed.cssselect("#id_new_username")
+        self.assertEqual("discoman", username_input.get("value"))
+
+class ToggleAppletsViewTest(TestCase):
+    def setUp(self):
+        self.user = User.objects.create(email="disco@test.io")
+        self.client.force_login(self.user)
+        self.username_applet, _ = Applet.objects.get_or_create(slug="username", defaults={"name": "Username"})
+        self.palette_applet, _ = Applet.objects.get_or_create(slug="palette", defaults={"name": "Palette"})
+        self.url = reverse("toggle_applets")
+
+    def test_unauthenticated_user_is_redirected(self):
+        self.client.logout()
+        response = self.client.post(self.url)
+        self.assertRedirects(
+            response, f"/?next={self.url}", fetch_redirect_response=False
+        )
+
+    def test_unchecked_applet_gets_user_applet_with_visible_false(self):
+        self.client.post(self.url, {"applets": ["username"]})
+        ua = UserApplet.objects.get(user=self.user, applet=self.palette_applet)
+        self.assertFalse(ua.visible)
+
+    def test_redirects_on_normal_post(self):
+        response = self.client.post(
+            self.url, {"applets": ["username", "palette"]}
+        )
+        self.assertRedirects(response, reverse("home"), fetch_redirect_response=False)
+
+    def test_returns_200_on_htmx_post(self):
+        response = self.client.post(
+            self.url,
+            {"applets": ["username", "palette"]},
+            HTTP_HX_REQUEST="true",
+        )
+        self.assertEqual(response.status_code, 200)
+
+    def test_htmx_post_renders_visible_applets_only(self):
+        response = self.client.post(
+            self.url,
+            {"applets": ["username"]},
+            HTTP_HX_REQUEST="true",
+        )
+        parsed = lxml.html.fromstring(response.content)
+        self.assertEqual(len(parsed.cssselect("#id_applet_username")), 1)
+        self.assertEqual(len(parsed.cssselect("#id_applet_palette")), 0)
+
+class AppletVisibilityContextTest(TestCase):
+    def setUp(self):
+        self.user = User.objects.create(email="disco@test.io")
+        self.client.force_login(self.user)
+        self.username_applet, _ = Applet.objects.get_or_create(slug="username", defaults={"name": "Username"})
+        self.palette_applet, _ = Applet.objects.get_or_create(slug="palette", defaults={"name": "Palette"})
+        UserApplet.objects.create(user=self.user, applet=self.palette_applet, visible=False)
+
+    def test_dash_reflects_user_applet_visibility(self):
+        response = self.client.get("/")
+        applet_map = {entry["applet"].slug: entry["visible"] for entry in response.context["applets"]}
+        self.assertFalse(applet_map["palette"])
+        self.assertTrue(applet_map["username"])
+
+class FooterNavTest(TestCase):
+    def setUp(self):
+        self.user = User.objects.create(email="disco@test.io")
+        self.client.force_login(self.user)
+
+    def test_footer_nav_present_on_dashboard(self):
+        response = self.client.get("/")
+        parsed = lxml.html.fromstring(response.content)
+        [nav] = parsed.cssselect("#id_footer_nav")
+        self.assertIsNotNone(nav)
+    
+    def test_footer_nav_has_dashboard_link(self):
+        response = self.client.get("/")
+        parsed = lxml.html.fromstring(response.content)
+        [nav] = parsed.cssselect("#id_footer_nav")
+        links = [a.get("href") for a in nav.cssselect("a")]
+        self.assertIn("/", links)
+
+    def test_footer_nav_has_gameboard_link(self):
+        response = self.client.get("/")
+        parsed = lxml.html.fromstring(response.content)
+        [nav] = parsed.cssselect("#id_footer_nav")
+        links = [a.get("href") for a in nav.cssselect("a")]
+        self.assertIn("/gameboard/", links)        
+
+class WalletAppletTest(TestCase):
+    def setUp(self):
+        self.user = User.objects.create(email="disco@test.io")
+        self.client.force_login(self.user)
+        Applet.objects.get_or_create(slug="wallet", defaults={"name": "Wallet"})
+        response = self.client.get("/")
+        self.parsed = lxml.html.fromstring(response.content)
+
+    def test_wallet_applet_present_on_dash(self):
+        [_] = self.parsed.cssselect("#id_applet_wallet")
+
+    def test_wallet_applet_has_manage_link(self):
+        [link] = self.parsed.cssselect("#id_applet_wallet a.wallet-manage-link")
+        self.assertEqual(link.get("href"), "/dashboard/wallet/")

src/apps/dashboard/tests/integrated/test_wallet_views.py

@@ -0,0 +1,49 @@
+import lxml.html
+
+from django.test import TestCase
+
+from apps.lyric.models import Token, User, Wallet
+
+
+class WalletViewTest(TestCase):
+    def setUp(self):
+        self.user = User.objects.create(email="capman@test.io")
+        self.client.force_login(self.user)
+        response = self.client.get("/dashboard/wallet/")
+        self.parsed = lxml.html.fromstring(response.content)
+
+    def test_wallet_page_requires_login(self):
+        self.client.logout()
+        response = self.client.get("/dashboard/wallet/")
+        self.assertRedirects(
+            response, "/?next=/dashboard/wallet/", fetch_redirect_response=False
+        )
+
+    def test_wallet_page_renders(self):
+        [el] = self.parsed.cssselect("#id_writs_balance")
+        self.assertEqual(el.text_content().strip(), "144")
+
+    def test_wallet_page_shows_esteem_balance(self):
+        [el] = self.parsed.cssselect("#id_esteem_balance")
+        self.assertEqual(el.text_content().strip(), "0")
+
+    def test_wallet_page_shows_coin_on_a_string(self):
+        [_] = self.parsed.cssselect("#id_coin_on_a_string")
+        
+    def test_wallet_page_shows_free_token(self):
+        [_] = self.parsed.cssselect("#id_free_token_0")
+
+    def test_wallet_page_shows_payment_methods_section(self):
+        [_] = self.parsed.cssselect("#id_add_payment_method")
+
+    def test_wallet_page_shows_stripe_payment_element(self):
+        [_] = self.parsed.cssselect("#id_stripe_payment_element")
+
+    def test_wallet_page_shows_tithe_token_shop(self):
+        [_] = self.parsed.cssselect("#id_tithe_token_shop")
+
+    def test_tithe_token_shop_shows_bundle(self):
+        bundles = self.parsed.cssselect("#id_tithe_token_shop .token-bundle")
+        self.assertGreater(len(bundles), 0)
+
+        

src/apps/dashboard/tests/unit/test_templates.py

@@ -0,0 +1,9 @@
+from datetime import date
+from django.test import SimpleTestCase
+from django.template.loader import render_to_string
+
+
+class FooterTemplateTest(SimpleTestCase):
+    def test_footer_shows_current_year(self):
+        rendered = render_to_string("core/_partials/_footer.html")
+        self.assertIn(str(date.today().year), rendered)

src/apps/dashboard/urls.py

@@ -3,7 +3,13 @@ from . import views
 
 urlpatterns = [
     path('new_list', views.new_list, name='new_list'),
-    path('<int:list_id>/', views.view_list, name='view_list'),
+    path('list/<uuid:list_id>/', views.view_list, name='view_list'),
+    path('list/<uuid:list_id>/share_list', views.share_list, name="share_list"),
+    path('set_palette', views.set_palette, name='set_palette'),
+    path('set_profile', views.set_profile, name='set_profile'),
     path('users/<uuid:user_id>/', views.my_lists, name='my_lists'),
-    path('<int:list_id>/share_list', views.share_list, name="share_list"),
+    path('toggle_applets', views.toggle_applets, name="toggle_applets"),
+    path('wallet/', views.wallet, name='wallet'),
+    path('wallet/setup-intent', views.setup_intent, name='setup_intent'),
+    path('wallet/save-payment-method', views.save_payment_method, name='save_payment_method'),
 ]

src/apps/dashboard/views.py

@@ -1,11 +1,61 @@
-from django.http import HttpResponseForbidden
+import stripe
+
+from django.conf import settings
+from django.contrib import messages
+from django.contrib.auth.decorators import login_required
+from django.db.models import Max, Q
+from django.http import HttpResponse, HttpResponseForbidden, JsonResponse
 from django.shortcuts import redirect, render
-from .forms import ExistingListItemForm, ItemForm
-from .models import Item, List
-from apps.lyric.models import User
+from django.views.decorators.csrf import ensure_csrf_cookie
+
+from apps.applets.models import Applet, UserApplet
+from apps.dashboard.forms import ExistingListItemForm, ItemForm
+from apps.dashboard.models import Item, List
+from apps.lyric.models import PaymentMethod, Token, User, Wallet
+
+
+APPLET_ORDER = ["wallet", "new-list", "my-lists", "username", "palette"]
+UNLOCKED_PALETTES = frozenset(["palette-default"])
+PALETTES = [
+    {"name": "palette-default", "label": "Earthman", "locked": False},
+    {"name": "palette-nirvana", "label": "Nirvana", "locked": True},
+    {"name": "palette-sheol", "label": "Sheol", "locked": True},
+    {"name": "palette-inferno", "label": "Inferno", "locked": True},
+    {"name": "palette-terrestre", "label": "Terrestre", "locked": True},
+    {"name": "palette-celestia", "label": "Celestia", "locked": True},
+]
+
+
+def _recent_lists(user, limit=3):
+    return (
+        List
+            .objects
+            .filter(Q(owner=user) | Q(shared_with=user))
+            .annotate(last_item=Max('item__id'))
+            .order_by('-last_item')
+            .distinct()[:limit]
+    )
+
+def _applet_context(user):
+    ua_map = {ua.applet_id: ua.visible for ua in user.user_applets.all()}
+    applets = {a.slug: a for a in Applet.objects.all()}
+    return [
+        {"applet": applets[slug], "visible": ua_map.get(applets[slug].pk, applets[slug].default_visible)}
+        for slug in APPLET_ORDER
+        if slug in applets
+    ]
+
 
 def home_page(request):
-    return render(request, "apps/dashboard/home.html", {"form": ItemForm()})
+    context = {
+        "form": ItemForm(),
+        "palettes": PALETTES,
+        "page_class": "page-dashboard",
+    }
+    if request.user.is_authenticated:
+        context["applets"] = _applet_context(request.user)
+        context["recent_lists"] = _recent_lists(request.user)
+    return render(request, "apps/dashboard/home.html", context)
 
 def new_list(request):
     form = ItemForm(data=request.POST)
@@ -17,10 +67,25 @@ def new_list(request):
         form.save(for_list=nulist)
         return redirect(nulist)
     else:
-        return render(request, "apps/dashboard/home.html", {"form": form})
+        context = {
+            "form": form,
+            "palettes": PALETTES,
+            "page_class": "page-dashboard",
+        }
+        if request.user.is_authenticated:
+            context["applets"] = _applet_context(request.user)
+            context["recent_lists"] = _recent_lists(request.user)
+        return render(request, "apps/dashboard/home.html", context)
 
 def view_list(request, list_id):
     our_list = List.objects.get(id=list_id)
+
+    if our_list.owner:
+        if not request.user.is_authenticated:
+            return redirect("/")
+        if request.user != our_list.owner and request.user not in our_list.shared_with.all():
+            return HttpResponseForbidden()
+
     form = ExistingListItemForm(for_list=our_list)
 
     if request.method == "POST":
@@ -29,7 +94,7 @@ def view_list(request, list_id):
             form.save()
             return redirect(our_list)
     return render(request, "apps/dashboard/list.html", {"list": our_list, "form": form})
-            
+       
 def my_lists(request, user_id):
     owner = User.objects.get(id=user_id)
     if not request.user.is_authenticated:
@@ -42,7 +107,85 @@ def share_list(request, list_id):
     our_list = List.objects.get(id=list_id)
     try:
         recipient = User.objects.get(email=request.POST["recipient"])
+        if recipient == request.user:
+            return redirect(our_list)
         our_list.shared_with.add(recipient)
     except User.DoesNotExist:
         pass
+    messages.success(request, "An invite has been sent if that address is registered.")
     return redirect(our_list)
+
+@login_required(login_url="/")
+def set_palette(request):
+    if request.method == "POST":
+        palette = request.POST.get("palette", "")
+        if palette in UNLOCKED_PALETTES:
+            request.user.palette = palette
+            request.user.save(update_fields=["palette"])
+    return redirect("home")
+
+@login_required(login_url="/")
+def set_profile(request):
+    if request.method == "POST":
+        username = request.POST.get("username", "")
+        request.user.username = username
+        request.user.save(update_fields=["username"])
+    return redirect("/")
+
+@login_required(login_url="/")
+def toggle_applets(request):
+    checked = request.POST.getlist("applets")
+    for applet in Applet.objects.all():
+        UserApplet.objects.update_or_create(
+            user=request.user,
+            applet=applet,
+            defaults={"visible": applet.slug in checked},
+        )
+    if request.headers.get("HX-Request"):
+        return render(request, "apps/dashboard/_partials/_applets.html", {
+            "applets": _applet_context(request.user),
+            "palettes": PALETTES,
+            "form": ItemForm(),
+            "recent_lists": _recent_lists(request.user),
+        })
+    return redirect("home")
+
+@login_required(login_url="/")
+@ensure_csrf_cookie
+def wallet(request):
+    wallet = request.user.wallet
+    coin = request.user.tokens.filter(token_type=Token.COIN).first()
+    free_tokens = list(request.user.tokens.filter(token_type=Token.FREE))
+    return render(request, "apps/dashboard/wallet.html", {
+        "wallet": wallet,
+        "coin": coin,
+        "free_tokens": free_tokens,
+    })
+
+@login_required(login_url="/")
+def setup_intent(request):
+    stripe.api_key = settings.STRIPE_SECRET_KEY
+    user = request.user
+    if not user.stripe_customer_id:
+        customer = stripe.Customer.create(email=user.email)
+        user.stripe_customer_id = customer.id
+        user.save(update_fields=["stripe_customer_id"])
+    intent = stripe.SetupIntent.create(customer=user.stripe_customer_id)
+    return JsonResponse({
+        "client_secret": intent.client_secret,
+        "publishable_key": settings.STRIPE_PUBLISHABLE_KEY,
+    })
+
+@login_required(login_url="/")
+def save_payment_method(request):
+    stripe.api_key = settings.STRIPE_SECRET_KEY
+    pm_id = request.POST.get("payment_method_id")
+    pm = stripe.PaymentMethod.retrieve(pm_id)
+    stripe.PaymentMethod.attach(pm_id, customer=request.user.stripe_customer_id)
+    PaymentMethod.objects.create(
+        user=request.user,
+        stripe_pm_id=pm_id,
+        last4=pm.card.last4,
+        brand=pm.card.brand,
+    )
+    return JsonResponse({"last4": pm.card.last4, "brand": pm.card.brand})

src/apps/gameboard/admin.py

@@ -0,0 +1,3 @@
+from django.contrib import admin
+
+# Register your models here.

src/apps/gameboard/apps.py

@@ -0,0 +1,5 @@
+from django.apps import AppConfig
+
+
+class GameboardConfig(AppConfig):
+    name = 'apps.gameboard'

src/apps/gameboard/models.py

@@ -0,0 +1,3 @@
+from django.db import models
+
+# Create your models here.

src/apps/gameboard/tests/integrated/test_views.py

@@ -0,0 +1,52 @@
+import lxml.html
+
+from django.test import TestCase
+
+from apps.lyric.models import User
+
+
+class GameboardViewTest(TestCase):
+    def setUp(self):
+        self.user = User.objects.create(email="capman@test.io")
+        self.client.force_login(self.user)
+        response = self.client.get("/gameboard/")
+        self.parsed = lxml.html.fromstring(response.content)
+
+    def test_gameboard_requires_login(self):
+        self.client.logout()
+        response = self.client.get("/gameboard/")
+        self.assertRedirects(
+            response, "/?next=/gameboard/", fetch_redirect_response=False
+        )
+    
+    def test_gameboard_renders(self):
+        response = self.client.get("/gameboard/")
+        self.assertEqual(response.status_code, 200)
+
+    def test_gameboard_shows_my_games_applet(self):
+        [_] = self.parsed.cssselect("#id_applet_my_games")
+
+    def test_gameboard_shows_new_game_applet(self):
+        [_] = self.parsed.cssselect("#id_applet_new_game")
+    
+    def test_gameboard_shows_game_kit_btn(self):
+        [_] = self.parsed.cssselect("#id_game_kit_btn")
+
+    def test_gameboard_shows_game_gear(self):
+        [_] = self.parsed.cssselect("#id_game_gear")
+
+    def test_my_games_has_no_game_items_for_new_user(self):
+        game_items = self.parsed.cssselect("#id_applet_my_games .game-item")
+        self.assertEqual(len(game_items), 0)
+
+    def test_game_kit_has_coin_on_a_string(self):
+        [_] = self.parsed.cssselect("#id_game_kit #id_kit_coin_on_a_string")
+
+    def test_game_kit_has_free_token(self):
+        [_] = self.parsed.cssselect("#id_game_kit #id_kit_free_token_0")
+
+    def test_game_kit_has_card_deck_placeholder(self):
+        [_] = self.parsed.cssselect("#id_game_kit #id_kit_card_deck")
+
+    def test_game_kit_has_dice_set_placeholder(self):
+        [_] = self.parsed.cssselect("#id_game_kit #id_kit_dice_set")

src/apps/gameboard/urls.py

@@ -0,0 +1,9 @@
+from django.urls import path
+
+from . import views
+
+
+urlpatterns = [
+    path('', views.gameboard, name='gameboard'),
+]
+

src/apps/gameboard/views.py

@@ -0,0 +1,16 @@
+from django.contrib.auth.decorators import login_required
+from django.shortcuts import render
+
+from apps.lyric.models import Token
+
+
+@login_required(login_url="/")
+def gameboard(request):
+    coin = request.user.tokens.filter(token_type=Token.COIN).first()
+    free_tokens = list(request.user.tokens.filter(token_type=Token.FREE))
+    return render(
+        request, "apps/gameboard/gameboard.html", {
+            "coin": coin,
+            "free_tokens": free_tokens,
+        }
+    )

src/apps/lyric/admin.py

@@ -1,6 +1,12 @@
 from django.contrib import admin
-from .models import Token, User
+
+from .models import LoginToken, Token, User
 
 
-admin.site.register(User)
+class UserAdmin(admin.ModelAdmin):
+    list_display = ["email"]
+    search_fields = ["email"]
+
+admin.site.register(User, UserAdmin)
+admin.site.register(LoginToken)
 admin.site.register(Token)

src/apps/lyric/authentication.py

@@ -1,5 +1,5 @@
 from django.core.exceptions import ValidationError
-from .models import Token, User
+from .models import LoginToken, User
 
 
 class PasswordlessAuthenticationBackend:
@@ -7,13 +7,13 @@ class PasswordlessAuthenticationBackend:
         if uid is None:
             return None
         try:
-            token = Token.objects.get(uid=uid)
-        except (Token.DoesNotExist, ValidationError):
+            login_token = LoginToken.objects.get(uid=uid)
+        except (LoginToken.DoesNotExist, ValidationError):
             return None
         try:
-            return User.objects.get(email=token.email)
+            return User.objects.get(email=login_token.email)
         except User.DoesNotExist:
-            return User.objects.create_user(email=token.email)
+            return User.objects.create_user(email=login_token.email)
 
     def get_user(self, user_id):
         try:

src/apps/lyric/management/commands/ensure_superuser.py

@@ -0,0 +1,21 @@
+import os
+
+from django.core.management.base import BaseCommand
+
+from apps.lyric.models import User
+
+
+class Command(BaseCommand):
+    help = "Create a superuser if none exists"
+
+    def handle(self, *args, **options):
+        if User.objects.filter(is_superuser=True).exists():
+            self.stdout.write("Superuser already exists!")
+            return
+        email = os.environ.get('DJANGO_SUPERUSER_EMAIL')
+        password = os.environ.get('DJANGO_SUPERUSER_PASSWORD')
+        if not email or not password:
+            self.stdout.write("Superuser credentials not set!—skipping")
+            return
+        User.objects.create_superuser(email=email, password=password)
+        self.stdout.write("Superuser created!")

src/apps/lyric/migrations/0002_user_searchable_user_username.py

@@ -0,0 +1,23 @@
+# Generated by Django 6.0 on 2026-03-02 01:32
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('lyric', '0001_initial'),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name='user',
+            name='searchable',
+            field=models.BooleanField(default=False),
+        ),
+        migrations.AddField(
+            model_name='user',
+            name='username',
+            field=models.CharField(blank=True, max_length=35, null=True, unique=True),
+        ),
+    ]

src/apps/lyric/migrations/0003_user_theme.py

@@ -0,0 +1,18 @@
+# Generated by Django 6.0 on 2026-03-02 04:15
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('lyric', '0002_user_searchable_user_username'),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name='user',
+            name='theme',
+            field=models.CharField(default='theme-default', max_length=32),
+        ),
+    ]

src/apps/lyric/migrations/0004_remove_user_theme_user_palette.py

@@ -0,0 +1,22 @@
+# Generated by Django 6.0 on 2026-03-05 19:01
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('lyric', '0003_user_theme'),
+    ]
+
+    operations = [
+        migrations.RemoveField(
+            model_name='user',
+            name='theme',
+        ),
+        migrations.AddField(
+            model_name='user',
+            name='palette',
+            field=models.CharField(default='palette-default', max_length=32),
+        ),
+    ]

src/apps/lyric/migrations/0005_rename_logintoken.py

@@ -0,0 +1,14 @@
+from django.db import migrations
+
+
+class Migration(migrations.Migration):
+    dependencies = [
+        ('lyric', '0004_remove_user_theme_user_palette'),
+    ]
+
+    operations = [
+        migrations.RenameModel(
+            old_name="Token",
+            new_name="LoginToken",
+        ),
+    ]

src/apps/lyric/migrations/0006_token_wallet.py

@@ -0,0 +1,33 @@
+# Generated by Django 6.0 on 2026-03-08 18:19
+
+import django.db.models.deletion
+from django.conf import settings
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('lyric', '0005_rename_logintoken'),
+    ]
+
+    operations = [
+        migrations.CreateModel(
+            name='Token',
+            fields=[
+                ('id', models.BigAutoField(auto_created=True, primary_key=True, serialize=False, verbose_name='ID')),
+                ('token_type', models.CharField(choices=[('coin', 'Coin-on-a-String'), ('Free', 'Free Token'), ('tithe', 'Tithe Token')], max_length=8)),
+                ('expires_at', models.DateTimeField(blank=True, null=True)),
+                ('user', models.ForeignKey(on_delete=django.db.models.deletion.CASCADE, related_name='tokens', to=settings.AUTH_USER_MODEL)),
+            ],
+        ),
+        migrations.CreateModel(
+            name='Wallet',
+            fields=[
+                ('id', models.BigAutoField(auto_created=True, primary_key=True, serialize=False, verbose_name='ID')),
+                ('writs', models.IntegerField(default=0)),
+                ('esteem', models.IntegerField(default=0)),
+                ('user', models.OneToOneField(on_delete=django.db.models.deletion.CASCADE, related_name='wallet', to=settings.AUTH_USER_MODEL)),
+            ],
+        ),
+    ]

src/apps/lyric/migrations/0007_user_stripe_customer_id_paymentmethod.py

@@ -0,0 +1,30 @@
+# Generated by Django 6.0 on 2026-03-08 20:26
+
+import django.db.models.deletion
+from django.conf import settings
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('lyric', '0006_token_wallet'),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name='user',
+            name='stripe_customer_id',
+            field=models.CharField(blank=True, max_length=255, null=True),
+        ),
+        migrations.CreateModel(
+            name='PaymentMethod',
+            fields=[
+                ('id', models.BigAutoField(auto_created=True, primary_key=True, serialize=False, verbose_name='ID')),
+                ('stripe_pm_id', models.CharField(max_length=255)),
+                ('last4', models.CharField(max_length=4)),
+                ('brand', models.CharField(max_length=32)),
+                ('user', models.ForeignKey(on_delete=django.db.models.deletion.CASCADE, related_name='payment_methods', to=settings.AUTH_USER_MODEL)),
+            ],
+        ),
+    ]

src/apps/lyric/models.py

@@ -1,7 +1,11 @@
 import uuid
 
+from datetime import timedelta
 from django.contrib.auth.base_user import AbstractBaseUser, BaseUserManager
 from django.db import models
+from django.db.models.signals import post_save
+from django.dispatch import receiver
+from django.utils import timezone
 
 
 class UserManager(BaseUserManager):
@@ -17,13 +21,18 @@ class UserManager(BaseUserManager):
         user.save(using=self._db)
         return user
 
-class Token(models.Model):
+class LoginToken(models.Model):
     email = models.EmailField()
     uid = models.UUIDField(primary_key=True, default=uuid.uuid4, editable=False)
 
 class User(AbstractBaseUser):
     id = models.UUIDField(primary_key=True, default=uuid.uuid4, editable=False)
     email = models.EmailField(unique=True)
+    username = models.CharField(max_length=35, unique=True, null=True, blank=True)
+    searchable = models.BooleanField(default=False)
+    palette = models.CharField(max_length=32, default="palette-default")
+    stripe_customer_id = models.CharField(max_length=255, null=True, blank=True)
+
     is_staff = models.BooleanField(default=False)
     is_superuser = models.BooleanField(default=False)
 
@@ -36,3 +45,57 @@ class User(AbstractBaseUser):
     
     def has_module_perms(self, app_label):
         return self.is_superuser
+    
+class Wallet(models.Model):
+    user = models.OneToOneField(User, on_delete=models.CASCADE, related_name="wallet")
+    writs = models.IntegerField(default=0)
+    esteem = models.IntegerField(default=0)
+
+class Token(models.Model):
+    COIN = "coin"
+    FREE = "Free"
+    TITHE = "tithe"
+    TOKEN_TYPE_CHOICES = [
+        (COIN, "Coin-on-a-String"),
+        (FREE, "Free Token"),
+        (TITHE, "Tithe Token"),
+    ]
+
+    user = models.ForeignKey(User, on_delete=models.CASCADE, related_name="tokens")
+    token_type = models.CharField(max_length=8, choices=TOKEN_TYPE_CHOICES)
+    expires_at = models.DateTimeField(null=True, blank=True)
+
+    def tooltip_text(self):
+        if self.token_type == self.COIN:
+            return (
+                "Coin-on-a-String: Admit 1 Entry"
+                " (and another after that, and another after that\u2026)"
+                " \u2014 no expiry"
+            )
+        if self.token_type == self.FREE:
+            return (
+                f"Free Token: Admit 1 Entry"
+                f" \u2014 Expires {self.expires_at.strftime('%Y-%m-%d')}"
+            )
+        return self.get_token_type_display()
+    
+class PaymentMethod(models.Model):
+    user = models.ForeignKey(User, on_delete=models.CASCADE, related_name="payment_methods")
+    stripe_pm_id = models.CharField(max_length=255)
+    last4 = models.CharField(max_length=4)
+    brand = models.CharField(max_length=32)
+
+    def __str__(self):
+        return f"{self.brand} ....{self.last4}"
+    
+@receiver(post_save, sender=User)
+def create_wallet_and_tokens(sender, instance, created, **kwargs):
+    if not created:
+        return
+    Wallet.objects.create(user=instance, writs=144)
+    Token.objects.create(user=instance, token_type=Token.COIN)
+    Token.objects.create(
+        user=instance,
+        token_type=Token.FREE,
+        expires_at=timezone.now() + timedelta(days=7),
+    )

src/apps/lyric/tasks.py

@@ -0,0 +1,24 @@
+import requests
+
+from celery import shared_task
+from django.conf import settings
+
+
+@shared_task
+def send_login_email_task(email, url):
+    message_body = f"Use this magic link to login to your Dashboard:\n\n{url}"
+    # Send mail via Mailgun HTTP API
+    response = requests.post(
+        f"https://api.mailgun.net/v3/{settings.MAILGUN_DOMAIN}/messages",
+        auth=("api", settings.MAILGUN_API_KEY),
+        data={
+            "from": "adman@howdy.earthmanrpg.com",
+            "to": email,
+            "subject": "A magic login link to your Dashboard",
+            "text": message_body,
+        }
+    )
+
+    # Log any errors
+    if response.status_code != 200:
+        print(f"Mailgun API error: {response.status_code}: {response.text}")

src/apps/lyric/templatetags/lyric_extras.py

@@ -0,0 +1,26 @@
+from django import template
+
+register = template.Library()
+
+
+def truncate_email(email):
+    local, domain = email.split("@", 1)
+    domain_name, domain_tld = domain.rsplit(".", 1)
+
+    def truncate_segment(segment, n=2):
+        return segment[:n] + "…" + segment[-n:]
+
+    if len(local) >= 8:
+        local = truncate_segment(local)
+    if len(domain_name) >= 6:
+        domain_name = truncate_segment(domain_name, 1)
+    
+    return local + "@" + domain_name + "." + domain_tld
+
+@register.filter
+def display_name(user):
+    if user is None:
+        return ""
+    if user.username:
+        return user.username
+    return truncate_email(user.email)

src/apps/lyric/tests/integrated/test_admin.py

@@ -0,0 +1,25 @@
+from django.test import TestCase
+
+from apps.lyric.models import User
+
+
+class UserAdminTest(TestCase):
+    def setUp(self):
+        self.superuser = User.objects.create_superuser(
+            email="admin@example.com", password="secret"
+        )
+        self.client.force_login(self.superuser)
+
+    def test_user_changelist_loads(self):
+        response = self.client.get("/admin/lyric/user/")
+        self.assertEqual(response.status_code, 200)
+
+    def test_user_changelist_displays_email(self):
+        response = self.client.get("/admin/lyric/user/")
+        self.assertContains(response, "admin@example.com")
+
+    def test_user_changelist_search_by_email(self):
+        User.objects.create_superuser(email="other@example.com", password="x")
+        response = self.client.get("/admin/lyric/user/?q=admin")
+        self.assertContains(response, "admin@example.com")
+        self.assertNotContains(response, "other@example.com")

src/apps/lyric/tests/integrated/test_authentication.py

@@ -3,39 +3,39 @@ from django.http import HttpRequest
 from django.test import TestCase
 
 from apps.lyric.authentication import PasswordlessAuthenticationBackend
-from apps.lyric.models import Token, User
+from apps.lyric.models import LoginToken, User
 
 
 class AuthenticateTest(TestCase):
-    def test_returns_None_if_token_uuid_not_found(self):
+    def test_returns_None_if_login_token_uuid_not_found(self):
         uid = uuid.uuid4()
         result = PasswordlessAuthenticationBackend().authenticate(
             HttpRequest(), uid
         )
         self.assertIsNone(result)
 
-    def test_returns_new_user_with_correct_email_if_token_exists(self):
+    def test_returns_new_user_with_correct_email_if_login_token_exists(self):
         email = "discoman@example.com"
-        token = Token.objects.create(email=email)
+        login_token = LoginToken.objects.create(email=email)
         user = PasswordlessAuthenticationBackend().authenticate(
-            HttpRequest(), token.uid
+            HttpRequest(), login_token.uid
         )
         new_user = User.objects.get(email=email)
         self.assertEqual(user, new_user)
 
-    def test_returns_existing_user_with_correct_email_if_token_exists(self):
+    def test_returns_existing_user_with_correct_email_if_login_token_exists(self):
         email = "discoman@example.com"
         existing_user = User.objects.create(email=email)
-        token = Token.objects.create(email=email)
+        login_token = LoginToken.objects.create(email=email)
         user = PasswordlessAuthenticationBackend().authenticate(
-            HttpRequest(), token.uid
+            HttpRequest(), login_token.uid
         )
         self.assertEqual(user, existing_user)
 
-    def test_can_retrieve_token_by_uuid(self):
-        token = Token.objects.create(email="a@b.cde")
-        fetched = Token.objects.get(pk=token.uid)
-        self.assertEqual(fetched, token)
+    def test_can_retrieve_login_token_by_uuid(self):
+        login_token = LoginToken.objects.create(email="a@b.cde")
+        fetched = LoginToken.objects.get(pk=login_token.uid)
+        self.assertEqual(fetched, login_token)
 
 class GetUserTest(TestCase):
     def test_gets_user_by_uuid(self):

src/apps/lyric/tests/integrated/test_management_commands.py

@@ -0,0 +1,34 @@
+import os
+
+from django.core.management import call_command
+from django.test import TestCase
+from unittest.mock import patch
+
+# from apps.lyric.management.commands.ensure_superuser import EnsureSuperuserCommand
+from apps.lyric.models import User
+
+
+FAKE_ENV = {
+    'DJANGO_SUPERUSER_EMAIL': 'admin@example.com',
+    'DJANGO_SUPERUSER_PASSWORD': 'secret',
+}
+
+
+class EnsureSuperuserCommandTest(TestCase):
+    def test_creates_superuser_if_none_exists(self):
+        with patch.dict('os.environ', FAKE_ENV):
+            call_command('ensure_superuser')
+        self.assertEqual(User.objects.filter(is_superuser=True).count(), 1)
+
+    def test_does_not_create_duplicate_if_superuser_exists(self):
+        User.objects.create_superuser(email="admin@example.com", password="secret")
+        with patch.dict('os.environ', FAKE_ENV):
+            call_command('ensure_superuser')
+        self.assertEqual(User.objects.filter(is_superuser=True).count(), 1)
+
+    def test_skips_creation_if_credentials_not_set(self):
+        with patch.dict("os.environ", {}):
+            os.environ.pop("DJANGO_SUPERUSER_EMAIL", None)
+            os.environ.pop("DJANGO_SUPERUSER_PASSWORD", None)
+            call_command("ensure_superuser")
+        self.assertEqual(User.objects.filter(is_superuser=True).count(), 0)

src/apps/lyric/tests/integrated/test_models.py

@@ -1,8 +1,9 @@
 import uuid
 from django.contrib import auth
 from django.test import TestCase
+from django.utils import timezone
 
-from apps.lyric.models import Token, User
+from apps.lyric.models import LoginToken, Token, User, Wallet
 
 
 class UserModelTest(TestCase):
@@ -18,12 +19,22 @@ class UserModelTest(TestCase):
         user = User(id="123")
         self.assertEqual(user.pk, "123")
 
-class TokenModelTest(TestCase):
+    def test_user_can_have_a_username(self):
+        user = User.objects.create(email="a@b.cde")
+        user.username = "stardust"
+        user.save()
+        self.assertEqual(User.objects.get(pk=user.pk).username, "stardust")
+
+    def test_searchable_defaults_to_false(self):
+        user = User.objects.create(email="a@b.cde")
+        self.assertFalse(user.searchable)
+
+class LoginTokenModelTest(TestCase):
     def test_links_user_with_autogen_uid(self):
-        token1 = Token.objects.create(email="a@b.cde")
-        token2 = Token.objects.create(email="v@w.xyz")
-        self.assertNotEqual(token1.pk, token2.pk)
-        self.assertIsInstance(token1.pk, uuid.UUID)
+        login_token1 = LoginToken.objects.create(email="a@b.cde")
+        login_token2 = LoginToken.objects.create(email="v@w.xyz")
+        self.assertNotEqual(login_token1.pk, login_token2.pk)
+        self.assertIsInstance(login_token1.pk, uuid.UUID)
 
 class UserManagerTest(TestCase):
     def test_create_superuser_sets_is_staff_and_is_superuser(self):
@@ -40,3 +51,48 @@ class UserManagerTest(TestCase):
             password="correct-password",
         )
         self.assertTrue(user.check_password("correct-password"))
+
+class UserPaletteTest(TestCase):
+    def test_palette_field_defaults_to_palette_default(self):
+        user = User.objects.create(email="a@b.cde")
+        self.assertEqual(user.palette, "palette-default")
+
+class WalletCreationTest(TestCase):
+    def setUp(self):
+        self.user = User.objects.create(email="capman@test.io")
+
+    def test_wallet_is_created_for_new_user(self):
+        self.assertTrue(Wallet.objects.filter(user=self.user).exists())
+    
+    def test_new_wallet_has_144_writs(self):
+        wallet = Wallet.objects.get(user = self.user)
+        self.assertEqual(wallet.writs, 144)
+
+    def test_new_wallet_has_0_esteem(self):
+        wallet = Wallet.objects.get(user=self.user)
+        self.assertEqual(wallet.esteem, 0)
+
+class TokenCreationTest(TestCase):
+    def setUp(self):
+        self.user = User.objects.create(email="capman@test.io")
+
+    def test_coin_on_a_string_created_for_new_user(self):
+        self.assertTrue(
+            Token.objects.filter(user=self.user, token_type=Token.COIN).exists()
+        )
+
+    def test_free_token_created_for_new_user(self):
+        self.assertTrue(
+            Token.objects.filter(user=self.user, token_type=Token.FREE).exists()
+        )
+
+    def test_coin_on_a_string_has_no_expiry(self):
+        coin = Token.objects.get(user=self.user, token_type=Token.COIN)
+        self.assertIsNone(coin.expires_at)
+
+    def test_free_token_has_expiry_within_7_days(self):
+        free = Token.objects.get(user=self.user, token_type=Token.FREE)
+        self.assertIsNotNone(free.expires_at)
+        delta = free.expires_at - timezone.now()
+        self.assertLessEqual(delta.days, 7)
+        self.assertGreater(delta.total_seconds(), 0)

src/apps/lyric/tests/integrated/test_views.py

@@ -2,32 +2,28 @@ from django.contrib import auth
 from django.test import TestCase
 from unittest import mock
 
-from apps.lyric.models import Token
-
+from apps.lyric.models import LoginToken
 
 
+@mock.patch("apps.lyric.views.send_login_email_task.delay")
 class SendLoginEmailViewTest(TestCase):
-    def test_redirects_to_home_page(self):
+    def test_redirects_to_home_page(self, mock_delay):
         response = self.client.post(
-            "/apps/lyric/send_login_email", data={"email": "discoman@example.com"}
+            "/lyric/send_login_email", data={"email": "discoman@example.com"}
         )
         self.assertRedirects(response, "/")
 
-    @mock.patch("apps.lyric.views.requests.post")
-    def test_sends_mail_to_address_from_post(self, mock_post):
+    def test_sends_mail_to_address_from_post(self, mock_delay):
         self.client.post(
-            "/apps/lyric/send_login_email", data={"email": "discoman@example.com"}
+            "/lyric/send_login_email", data={"email": "discoman@example.com"}
         )
 
-        self.assertEqual(mock_post.called, True)
-        data = mock_post.call_args.kwargs["data"]
-        self.assertEqual(data["subject"], "A magic login link to your Dashboard")
-        self.assertEqual(data["from"], "adman@howdy.earthmanrpg.com")
-        self.assertEqual(data["to"], "discoman@example.com")
+        self.assertEqual(mock_delay.called, True)
+        self.assertEqual(mock_delay.call_args.args[0], "discoman@example.com")
 
-    def test_adds_success_message(self):
+    def test_adds_success_message(self, mock_delay):
         response = self.client.post(
-            "/apps/lyric/send_login_email",
+            "/lyric/send_login_email",
             data={"email": "discoman@example.com"},
             follow=True
         )
@@ -39,43 +35,40 @@ class SendLoginEmailViewTest(TestCase):
         )
         self.assertEqual(message.tags, "success")
 
-    def test_creates_token_associated_with_email(self):
+    def test_creates_login_token_associated_with_email(self, mock_delay):
         self.client.post(
-            "/apps/lyric/send_login_email", data={"email": "discoman@example.com"}
+            "/lyric/send_login_email", data={"email": "discoman@example.com"}
         )
-        token = Token.objects.get()
-        self.assertEqual(token.email, "discoman@example.com")
+        login_token = LoginToken.objects.get()
+        self.assertEqual(login_token.email, "discoman@example.com")
         
-
-    @mock.patch("apps.lyric.views.requests.post")
-    def test_sends_link_to_login_using_token_uid(self, mock_post):
+    def test_sends_link_to_login_using_login_token_uid(self, mock_delay):
         self.client.post(
-            "/apps/lyric/send_login_email", data={"email": "discoman@example.com"}
+            "/lyric/send_login_email", data={"email": "discoman@example.com"}
         )
 
-        token = Token.objects.get()
-        expected_url = f"http://testserver/apps/lyric/login?token={token.uid}"
-        data = mock_post.call_args.kwargs["data"]
-        self.assertIn(expected_url, data["text"])
+        login_token = LoginToken.objects.get()
+        expected_url = f"http://testserver/lyric/login?token={login_token.uid}"
+        self.assertEqual(mock_delay.call_args.args[1], expected_url)
 
 class LoginViewTest(TestCase):
     def test_redirects_to_home_page(self):
-        response = self.client.get("/apps/lyric/login?token=abc123")
+        response = self.client.get("/lyric/login?token=abc123")
         self.assertRedirects(response, "/")
 
-    def test_logs_in_if_given_valid_token(self):
+    def test_logs_in_if_given_valid_login_token(self):
         anon_user = auth.get_user(self.client)
         self.assertEqual(anon_user.is_authenticated, False)
 
-        token = Token.objects.create(email="discoman@example.com")
-        self.client.get(f"/apps/lyric/login?token={token.uid}", follow=True)
+        login_token = LoginToken.objects.create(email="discoman@example.com")
+        self.client.get(f"/lyric/login?token={login_token.uid}", follow=True)
 
         user = auth.get_user(self.client)
         self.assertEqual(user.is_authenticated, True)
         self.assertEqual(user.email, "discoman@example.com")
 
-    def test_shows_login_error_if_token_invalid(self):
-        response = self.client.get("/apps/lyric/login?token=invalid-token", follow=True)
+    def test_shows_login_error_if_login_token_invalid(self):
+        response = self.client.get("/lyric/login?token=invalid-token", follow=True)
         user = auth.get_user(self.client)
         self.assertEqual(user.is_authenticated, False)
         message = list(response.context["messages"])[0]
@@ -87,7 +80,7 @@ class LoginViewTest(TestCase):
 
     @mock.patch("apps.lyric.views.auth")
     def test_calls_authenticate_with_uid_from_get_request(self, mock_auth):
-        self.client.get("/apps/lyric/login?token=abc123")
+        self.client.get("/lyric/login?token=abc123")
         self.assertEqual(
             mock_auth.authenticate.call_args,
             mock.call(uid="abc123")

src/apps/lyric/tests/unit/test_tasks.py

@@ -0,0 +1,16 @@
+from django.test import SimpleTestCase
+from unittest import mock
+
+from apps.lyric.tasks import send_login_email_task
+
+
+class SendLoginEmailTaskTest(SimpleTestCase):
+    @mock.patch("apps.lyric.tasks.requests.post")
+    def test_sends_mail_via_mailgun(self, mock_post):
+        send_login_email_task("discoman@example.com", "http://example.com/login?token=abc123")
+        self.assertEqual(mock_post.called, True)
+        data = mock_post.call_args.kwargs["data"]
+        self.assertEqual(data["subject"], "A magic login link to your Dashboard")
+        self.assertEqual(data["from"], "adman@howdy.earthmanrpg.com")
+        self.assertEqual(data["to"], "discoman@example.com")
+        self.assertIn("http://example.com/login?token=abc123", data["text"])

src/apps/lyric/tests/unit/test_templatetags.py

@@ -0,0 +1,36 @@
+from django.test import SimpleTestCase
+from unittest.mock import Mock
+
+from apps.lyric.templatetags.lyric_extras import display_name, truncate_email
+
+
+class TruncateEmailTest(SimpleTestCase):
+    def test_truncates_neither_short_local_nor_short_domain(self):
+        self.assertEqual(truncate_email("abc@d.e"), "abc@d.e")
+
+    def test_truncates_only_long_local_not_short_domain(self):
+        self.assertEqual(truncate_email("sesquipedalian@abc.de"), "se…an@abc.de")
+
+    def test_truncates_not_short_local_only_long_domain(self):
+        self.assertEqual(truncate_email("abc@longexample.com"), "abc@l…e.com")
+
+    def test_truncates_both_long_local_and_long_domain(self):
+        self.assertEqual(truncate_email("onomatopoeia@earthmanrpg.com"), "on…ia@e…g.com")
+
+    def test_boundary_case_longish_segments_no_truncate(self):
+        self.assertEqual(truncate_email("abcdefg@gmail.com"), "abcdefg@gmail.com")
+
+    def test_boundary_case_exact_segments_do_truncate(self):
+        self.assertEqual(truncate_email("abcdefgh@icloud.com"), "ab…gh@i…d.com")
+
+class DisplayNameFilterTest(SimpleTestCase):
+    def test_returns_empty_string_for_none_user(self):
+        self.assertEqual(display_name(None), "")
+
+    def test_returns_truncated_email_when_no_username(self):
+        user = Mock(username="", email="sesquipedalian@abc.de")
+        self.assertEqual(display_name(user), "se…an@abc.de")
+
+    def test_returns_username_when_set(self):
+        user = Mock(username="earthman", email="sesquipedalian@abc.de")
+        self.assertEqual(display_name(user), "earthman")

src/apps/lyric/tests/unit/test_tokens.py

@@ -0,0 +1,43 @@
+from django.test import SimpleTestCase
+from unittest.mock import MagicMock
+
+from apps.lyric.models import Token
+
+
+class CoinTooltipTest(SimpleTestCase):
+    def setUp(self):
+        self.coin = Token ()
+        self.coin.token_type = Token.COIN
+        self.coin.expires_at = None
+
+    def test_tooltip_contains_name(self):
+        self.assertIn("Coin-on-a-String", self.coin.tooltip_text())
+
+    def test_tooltip_contains_entry(self):
+        self.assertIn("Admit 1 Entry", self.coin.tooltip_text())
+
+    def test_tooltip_contains_reuse_description(self):
+        self.assertIn("and another after that", self.coin.tooltip_text())
+
+    def test_tooltip_contains_no_expiry(self):
+        self.assertIn("no expiry", self.coin.tooltip_text())
+
+class FreeTokenTooltipTest(SimpleTestCase):
+    def setUp(self):
+        self.token = Token()
+        self.token.token_type = Token.FREE
+        self.token.expires_at = MagicMock()
+        self.token.expires_at.strftime = lambda fmt: "2026-03-15"
+
+    def test_tooltip_contains_name(self):
+        self.assertIn("Free Token", self.token.tooltip_text())
+
+    def test_tooltip_contains_entry(self):
+        self.assertIn("Admit 1 Entry", self.token.tooltip_text())
+
+    def test_tooltip_contains_expires(self):
+        self.assertIn("Expires", self.token.tooltip_text())
+
+    def test_tooltip_contains_expiry_date(self):
+        self.assertIn("2026-03-15", self.token.tooltip_text())
+

src/apps/lyric/views.py

@@ -1,37 +1,24 @@
-import requests
 from django.contrib import auth, messages
-from django.conf import settings
-# from django.core.mail import send_mail
 from django.shortcuts import redirect
 from django.urls import reverse
-from .models import Token
+
+from .models import LoginToken
+from .tasks import send_login_email_task
+
 
 def send_login_email(request):
     email = request.POST["email"]
-    token = Token.objects.create(email=email)
+    login_token = LoginToken.objects.create(email=email)
     url = request.build_absolute_uri(
-        reverse("login") + "?token=" + str(token.uid),
+        reverse("login") + "?token=" + str(login_token.uid),
     )
-    message_body = f"Use this magic link to login to your Dashboard:\n\n{url}"
-    # Send mail via Mailgun HTTP API
-    response = requests.post(
-        f"https://api.mailgun.net/v3/{settings.MAILGUN_DOMAIN}/messages",
-        auth=("api", settings.MAILGUN_API_KEY),
-        data={
-            "from": "adman@howdy.earthmanrpg.com",
-            "to": email,
-            "subject": "A magic login link to your Dashboard",
-            "text": message_body,
-        },
-    )
-    # Log any errors
-    if response.status_code != 200:
-        print(f"Mailgun API error: {response.status_code}: {response.text}")
 
+    send_login_email_task.delay(email, url)
     messages.success(
         request,
         "Check your email!—there you'll find a magic login link. But hurry… it's only temporary!",
     )
+
     return redirect("/")
 
 def login(request):

src/core/__init__.py

@@ -0,0 +1,3 @@
+from .celery import app as celery_app
+
+__all__ = ("celery_app",)

src/core/celery.py

@@ -0,0 +1,10 @@
+import os
+
+from celery import Celery
+
+
+os.environ.setdefault('DJANGO_SETTINGS_MODULE', 'core.settings')
+
+app = Celery('core')
+app.config_from_object('django.conf:settings', namespace='CELERY')
+app.autodiscover_tasks()

src/core/context_processors.py

@@ -0,0 +1,4 @@
+def user_palette(request):
+    if request.user.is_authenticated:
+        return {"user_palette": request.user.palette}
+    return {"user_palette": "palette-default"}

src/core/settings.py

@@ -11,8 +11,11 @@ https://docs.djangoproject.com/en/6.0/ref/settings/
 """
 
 from pathlib import Path
-import os
 import dj_database_url
+import os
+import sys
+if 'test' in sys.argv:
+    COMPRESS_ENABLED = False
 
 # Build paths inside the project like this: BASE_DIR / 'subdir'.
 BASE_DIR = Path(__file__).resolve().parent.parent
@@ -34,6 +37,7 @@ if 'DJANGO_DEBUG_FALSE' in os.environ:
     SECURE_HSTS_SECONDS = 60
     SECURE_HSTS_INCLUDE_SUBDOMAINS = True
     SECURE_HSTS_PRELOAD = True
+    COMPRESS_OFFLINE = True
 else:
     DEBUG = True
     # SECURITY WARNING: keep the secret key used in production secret!
@@ -51,11 +55,18 @@ INSTALLED_APPS = [
     'django.contrib.sessions',
     'django.contrib.messages',
     'django.contrib.staticfiles',
-    # Custom apps
+    # Board apps
     'apps.dashboard',
+    'apps.gameboard',
+    # Gamer apps
     'apps.lyric',
+    # Custom apps
+    'apps.api',
+    'apps.applets',
     'functional_tests',
     # Depend apps
+    'compressor',
+    'rest_framework',
 ]
 
 # if 'DJANGO_DEBUG_FALSE' not in os.environ:
@@ -70,6 +81,7 @@ MIDDLEWARE = [
     'django.contrib.auth.middleware.AuthenticationMiddleware',
     'django.contrib.messages.middleware.MessageMiddleware',
     'django.middleware.clickjacking.XFrameOptionsMiddleware',
+    'django_htmx.middleware.HtmxMiddleware',
 ]
 
 ROOT_URLCONF = 'core.urls'
@@ -84,6 +96,7 @@ TEMPLATES = [
                 'django.template.context_processors.request',
                 'django.contrib.auth.context_processors.auth',
                 'django.contrib.messages.context_processors.messages',
+                'core.context_processors.user_palette',
             ],
         },
     },
@@ -107,6 +120,17 @@ else:
         }
     }
 
+# Celery & Redis
+CELERY_BROKER_URL = os.environ.get('CELERY_BROKER_URL', 'redis://localhost:6379/0')
+REDIS_URL = os.environ.get('REDIS_URL')
+if REDIS_URL:
+    CACHES = {
+        'default': {
+            'BACKEND': 'django.core.cache.backends.redis.RedisCache',
+            'LOCATION': REDIS_URL,
+        }
+    }
+    SESSION_ENGINE = 'django.contrib.sessions.backends.cached_db'
 
 # Password validation
 # https://docs.djangoproject.com/en/6.0/ref/settings/#auth-password-validators
@@ -154,6 +178,14 @@ STATIC_ROOT = BASE_DIR / 'static'
 STATICFILES_DIRS = [
     BASE_DIR / 'static_src',
 ]
+STATICFILES_FINDERS = [
+    'django.contrib.staticfiles.finders.FileSystemFinder',
+    'django.contrib.staticfiles.finders.AppDirectoriesFinder',
+    'compressor.finders.CompressorFinder',
+]
+COMPRESS_PRECOMPILERS = [
+    ('text/x-scss', 'django_libsass.SassCompiler'),
+]
 
 LOGGING = {
     "version": 1,
@@ -168,4 +200,8 @@ LOGGING = {
 
 # Mailgun API settings (for HTTP API instead of SMTP)
 MAILGUN_API_KEY = os.environ.get("MAILGUN_API_KEY")
-MAILGUN_DOMAIN = "howdy.earthmanrpg.com" # Your Mailgun domain
+MAILGUN_DOMAIN = "howdy.earthmanrpg.com" # Your Mailgun domain
+
+# Stripe payment settings
+STRIPE_PUBLISHABLE_KEY = os.environ.get("STRIPE_PUBLISHABLE_KEY", "")
+STRIPE_SECRET_KEY = os.environ.get("STRIPE_SECRET_KEY", "")

src/core/urls.py

@@ -1,13 +1,17 @@
 from django.contrib import admin
 from django.http import HttpResponse
 from django.urls import include, path
+
 from apps.dashboard import views as dash_views
 
+
 urlpatterns = [
     path('admin/', admin.site.urls),
     path('', dash_views.home_page, name='home'),
-    path('apps/dashboard/', include('apps.dashboard.urls')),
-    path('apps/lyric/', include('apps.lyric.urls')),
+    path('api/', include('apps.api.urls')),
+    path('dashboard/', include('apps.dashboard.urls')),
+    path('lyric/', include('apps.lyric.urls')),
+    path('gameboard/', include('apps.gameboard.urls')),
 ]
 
 # Please remove the following urlpattern

src/functional_tests/base.py

@@ -8,10 +8,10 @@ from pathlib import Path
 from selenium import webdriver
 from selenium.common.exceptions import WebDriverException
 from selenium.webdriver.common.by import By
-from selenium.webdriver.common.keys import Keys
 
 from .container_commands import create_session_on_server, reset_database
 from .management.commands.create_session import create_pre_authenticated_session
+from apps.applets.models import Applet
 
 
 
@@ -44,6 +44,7 @@ class FunctionalTest(StaticLiveServerTestCase):
         if self.test_server:
             self.live_server_url = 'http://' + self.test_server
             reset_database(self.test_server)
+        Applet.objects.get_or_create(slug="new-list", defaults={"name": "New List"})
     
     def tearDown(self):
         if self._test_has_failed():
@@ -65,7 +66,7 @@ class FunctionalTest(StaticLiveServerTestCase):
     def dump_html(self):
         path = SCREEN_DUMP_LOCATION / self._get_filename("html")
         print("dumping page html to", path)
-        path.write_text(self.browser.page_source)
+        path.write_text(self.browser.page_source, encoding="utf-8")
 
     def _get_filename(self, extension):
         timestamp = datetime.now().isoformat().replace(":", ".")

src/functional_tests/my_lists_page.py

@@ -1,5 +1,7 @@
 from selenium.webdriver.common.by import By
 
+from apps.lyric.models import User
+
 
 class MyListsPage:
     def __init__(self, test):
@@ -7,7 +9,10 @@ class MyListsPage:
     
     def go_to_my_lists_page(self, email):
         self.test.browser.get(self.test.live_server_url)
-        self.test.browser.find_element(By.LINK_TEXT, "My lists").click()
+        user = User.objects.get(email=email)
+        self.test.browser.get(
+            self.test.live_server_url + f'/dashboard/users/{user.id}/'
+        )
         self.test.wait_for(
             lambda: self.test.assertIn(
                 email,

src/functional_tests/test_applet_palette.py

@@ -0,0 +1,10 @@
+from selenium.webdriver.common.by import By
+
+from .base import FunctionalTest
+
+
+class SiteThemeTest(FunctionalTest):
+    def test_page_renders_with_earthman_palette(self):
+        self.browser.get(self.live_server_url)
+        body = self.browser.find_element(By.TAG_NAME, "body")
+        self.assertIn("palette-default", body.get_attribute("class"))

src/functional_tests/test_dashboard.py

@@ -0,0 +1,160 @@
+from selenium.common.exceptions import NoSuchElementException
+from selenium.webdriver.common.by import By
+from selenium.webdriver.common.keys import Keys
+
+from .base import FunctionalTest
+from apps.applets.models import Applet
+
+
+class DashboardMaintenanceTest(FunctionalTest):
+    def setUp(self):
+        super().setUp()
+        Applet.objects.get_or_create(slug="new-list", defaults={"name": "New List"})
+        Applet.objects.get_or_create(slug="username", defaults={"name": "Username"})
+        Applet.objects.get_or_create(slug="palette", defaults={"name": "Palette"})
+        
+    def test_user_without_username_can_claim_unclaimed_username(self):
+        # 1. Create a pre-authenticated session for discoman@example.com
+        self.create_pre_authenticated_session("discoman@example.com")
+        # 2. Navigate to self.live_server_url + "/"
+        self.browser.get(self.live_server_url)
+        # 3. Find the username applet on the page; look for a <section> or <div> with id="id_username_applet"
+        self.browser.find_element(By.ID, "id_applet_username")
+        # 5. Find the username input field inside the applet & type a username
+        username_input = self.browser.find_element(By.CSS_SELECTOR, "#id_new_username")
+        # 4. Assert it shows the current display name (truncated email: di…an@e…e.com) NOPE the username value itself now
+        self.assertEqual("", username_input.get_attribute("value"))
+        # 6. Type a username, e.g., discoman
+        username_input.send_keys("discoman")
+        self.wait_for(
+            lambda: self.browser.find_element(By.CSS_SELECTOR, "#id_new_username:valid")
+        )
+        # 7. Submit the form (click a btn or press Enter)
+        username_input.send_keys(Keys.ENTER)
+        # 8. Without a page reload, wait for the navbar to update; user wait_for() to check that the navbar text now contains "discoman"
+        self.wait_for(
+            lambda: self.assertIn(
+                "discoman",
+                self.browser.find_element(By.CLASS_NAME, "navbar-text").text
+            )
+        )
+        # 9. Also assert the applet input now shows "discoman" as its value
+        self.wait_for(
+            lambda: self.assertEqual(
+                "discoman",
+                self.browser.find_element(By.CSS_SELECTOR, "#id_new_username").get_attribute("value")
+            )
+        )
+
+    def test_user_can_toggle_applet_visibility_via_gear_menu(self):
+        # 1. Auth as discoman@example.com, navigate home
+        self.create_pre_authenticated_session("discoman@example.com")
+        self.browser.get(self.live_server_url)
+        # 2. Assert both applets present on page (id_applet_username, id_applet_palette)
+        self.browser.find_element(By.ID, "id_applet_username")
+        self.browser.find_element(By.ID, "id_applet_palette")
+        # 3. Click el w. id="id_dash_gear"
+        dash_gear = self.browser.find_element(By.ID, "id_dash_gear")
+        dash_gear.click()
+        # 4. A menu appears; wait_for el w. id="id_applet_menu"
+        self.wait_for(
+            lambda: self.assertTrue(
+                self.browser.find_element(By.ID, "id_applet_menu").is_displayed()
+            )
+        )
+        # 5. Find two checkboxes in menu, name="username" & name="palette"; assert both .is_selected()
+        menu = self.browser.find_element(By.ID, "id_applet_menu")
+        username_cb = menu.find_element(By.CSS_SELECTOR, '[name="applets"][value="username"]')
+        palette_cb = menu.find_element(By.CSS_SELECTOR, '[name="applets"][value="palette"]')
+        self.assertTrue(username_cb.is_selected())
+        self.assertTrue(palette_cb.is_selected())
+        # 6. Click palette box to uncheck it
+        palette_cb.click()
+        self.assertFalse(palette_cb.is_selected())
+        self.browser.execute_script("window.__no_reload_marker = true")
+        # 7. Submit the menu form via [type="submit"] btn inside menu
+        menu.find_element(By.CSS_SELECTOR, '[type="submit"]').click()
+        self.wait_for(
+            lambda: self.assertFalse(
+                self.browser.find_element(By.ID, "id_applet_menu").is_displayed()
+            )
+        )
+        # 8. wait_for palette applet to be gone
+        self.wait_for(
+            lambda: self.assertRaises(
+                NoSuchElementException,
+                self.browser.find_element,
+                By.ID, "id_applet_palette"
+            )
+        )
+        # 9. assert id_applet_username remains
+        self.browser.find_element(By.ID, "id_applet_username")
+        # 10. Click gear again, find menu, find palette checkbox; assert now NOT selected
+        dash_gear.click()
+        self.wait_for(
+            lambda: self.assertTrue(
+                self.browser.find_element(By.ID, "id_applet_menu").is_displayed()
+            )
+        )
+        menu = self.browser.find_element(By.ID, "id_applet_menu")
+        palette_cb = menu.find_element(By.CSS_SELECTOR, '[name="applets"][value="palette"]')
+        self.assertFalse(palette_cb.is_selected())
+        # 11. Click it to re-check box; submit
+        palette_cb.click()
+        self.assertTrue(palette_cb.is_selected())
+        menu.find_element(By.CSS_SELECTOR, '[type="submit"]').click()
+        # 12. wait_for id_applet_palette to reappear
+        self.wait_for(
+            lambda: self.assertFalse(
+                self.browser.find_element(By.ID, "id_applet_menu").is_displayed()
+            )
+        )
+        self.wait_for(
+            lambda: self.assertTrue(
+                self.browser.find_element(By.ID, "id_applet_palette")
+            )
+        )
+        self.assertTrue(self.browser.execute_script("return window.__no_reload_marker === true"))
+
+class AppletMenuDismissTest(FunctionalTest):
+    def setUp(self):
+        super().setUp()
+        Applet.objects.get_or_create(slug="username", defaults={"name": "Username"})
+        Applet.objects.get_or_create(slug="palette", defaults={"name": "Palette"})
+        self.create_pre_authenticated_session("discoman@example.com")
+        self.browser.get(self.live_server_url)
+
+    def _open_menu(self):
+        self.browser.find_element(By.ID, "id_dash_gear").click()
+        self.wait_for(
+            lambda: self.assertTrue(
+                self.browser.find_element(By.ID, "id_applet_menu").is_displayed()
+            )
+        )
+
+    def test_gear_click_toggles_menu_closed(self):
+        self._open_menu()
+        self.browser.find_element(By.ID, "id_dash_gear").click()
+        self.wait_for(
+            lambda: self.assertFalse(
+                self.browser.find_element(By.ID, "id_applet_menu").is_displayed()
+            )
+        )
+
+    def test_nvm_btn_closes_menu(self):
+        self._open_menu()
+        self.browser.find_element(By.ID, "id_applet_menu_cancel").click()
+        self.wait_for(
+            lambda: self.assertFalse(
+                self.browser.find_element(By.ID, "id_applet_menu").is_displayed()
+            )
+        )
+
+    def test_click_outside_closes_menu(self):
+        self._open_menu()
+        self.browser.find_element(By.TAG_NAME, "h2").click()
+        self.wait_for(
+            lambda: self.assertFalse(
+                self.browser.find_element(By.ID, "id_applet_menu").is_displayed()
+            )
+        )

src/functional_tests/test_gameboard.py

@@ -0,0 +1,93 @@
+from selenium.webdriver.common.action_chains import ActionChains
+from selenium.webdriver.common.by import By
+
+from .base import FunctionalTest
+
+
+class GameboardNavigationTest(FunctionalTest):
+    def test_footer_links_to_gameboard(self):
+        # 1. Log in, nav to dashboard
+        self.create_pre_authenticated_session("capman@test.io")
+        self.browser.get(self.live_server_url)
+        # 2. Assert footer nav present w. dash- & gameboard tabs
+        self.browser.find_element(By.ID, "id_footer_nav")
+        self.browser.find_element(By.CSS_SELECTOR, '#id_footer_nav a[href="/"]')
+        self.browser.find_element(By.CSS_SELECTOR, '#id_footer_nav a[href="/gameboard/"]')
+        # 3. Click the gameboard tab
+        self.browser.find_element(
+            By.CSS_SELECTOR, '#id_footer_nav a[href="/gameboard/"]'
+        ).click()
+        # 4. Assert user landed on gameboard
+        self.wait_for(
+            lambda: self.assertRegex(self.browser.current_url, r"/gameboard/$")
+        )
+
+    def test_gameboard_shows_game_applets(self):
+        # 1. Log in, nav directly to gameboard
+        self.create_pre_authenticated_session("capman@test.io")
+        self.browser.get(self.live_server_url + "/gameboard/")
+        # 2. Assert My Games applet present
+        self.wait_for(
+            lambda: self.browser.find_element(By.ID, "id_applet_my_games")
+        )
+        # 3. Assert no games listed yet for new user
+        my_games = self.browser.find_element(By.ID, "id_applet_my_games")
+        game_items = my_games.find_elements(By.CSS_SELECTOR, ".game-item")
+        self.assertEqual(len(game_items), 0)
+        # 4. Assert New Game applet present
+        self.browser.find_element(By.ID, "id_applet_new_game")
+
+    def test_game_kit_panel_shows_token_inventory(self):
+        # 1. Log in, nav to gameboard
+        self.create_pre_authenticated_session("capman@test.io")
+        self.browser.get(self.live_server_url + "/gameboard/")
+        # 2. Assert game kit & gear btns both present (stacked vertically)
+        self.wait_for(
+            lambda: self.browser.find_element(By.ID, "id_game_kit_btn")
+        )
+        self.browser.find_element(By.ID, "id_game_gear")
+        # 3. Click game kit btn to open panel
+        self.browser.find_element(By.ID, "id_game_kit_btn").click()
+        # 4. Wait for game kit panel to become visible
+        self.wait_for(
+            lambda: self.assertTrue(
+                self.browser.find_element(By.ID, "id_game_kit").is_displayed()
+            )
+        )
+        # 5. Assert Coin-on-a-String present in kit
+        coin = self.browser.find_element(By.ID, "id_kit_coin_on_a_string")
+        # 6. Hover over it; assert tooltip shows name, entry text & reuse description
+        ActionChains(self.browser).move_to_element(coin).perform()
+        self.wait_for(
+            lambda: self.assertTrue(
+                self.browser.find_element(
+                    By.CSS_SELECTOR, "#id_kit_coin_on_a_string .token-tooltip"
+                ).is_displayed()
+            )
+        )
+        coin_tooltip = self.browser.find_element(
+            By.CSS_SELECTOR, "#id_kit_coin_on_a_string .token-tooltip"
+        ).text
+        self.assertIn("Coin-on-a-String", coin_tooltip)
+        self.assertIn("Admit 1 Entry", coin_tooltip)
+        self.assertIn("and another after that", coin_tooltip)
+        # 7. Assert 1× Free Token (complimentary) present in kit
+        free_token = self.browser.find_element(By.ID, "id_kit_free_token_0")
+        # 8. Hover over it; assert tooltip shows name, entry text & expiry date
+        ActionChains(self.browser).move_to_element(free_token).perform()
+        self.wait_for(
+            lambda: self.assertTrue(
+                self.browser.find_element(
+                    By.CSS_SELECTOR, "#id_kit_free_token_0 .token-tooltip"
+                ).is_displayed()
+            )
+        )
+        free_tooltip = self.browser.find_element(
+            By.CSS_SELECTOR, "#id_kit_free_token_0 .token-tooltip"
+        ).text
+        self.assertIn("Free Token", free_tooltip)
+        self.assertIn("Admit 1 Entry", free_tooltip)
+        self.assertIn("Expires", free_tooltip)
+        # 9. Assert card deck & dice set placeholder present
+        self.browser.find_element(By.ID, "id_kit_card_deck")
+        self.browser.find_element(By.ID, "id_kit_dice_set")

src/functional_tests/test_layout_and_styling.py

@@ -1,12 +1,10 @@
-from selenium.webdriver.common.by import By
-from selenium.webdriver.common.keys import Keys
-
 from .base import FunctionalTest
 from .list_page import ListPage
 
 
 class LayoutAndStylingTest(FunctionalTest):
     def test_layout_and_styling(self):
+        self.create_pre_authenticated_session("disco@test.io")
         self.browser.get(self.live_server_url)
         list_page = ListPage(self)
 

src/functional_tests/test_list_item_validation.py

@@ -12,6 +12,7 @@ class ItemValidationTest(FunctionalTest):
 
     # Test methods
     def test_cannot_add_empty_list_items(self):
+        self.create_pre_authenticated_session("disco@test.io")
         self.browser.get(self.live_server_url)
         list_page = ListPage(self)
         list_page.get_item_input_box().send_keys(Keys.ENTER)
@@ -46,6 +47,7 @@ class ItemValidationTest(FunctionalTest):
         list_page.wait_for_row_in_list_table("Make tea", 2)
 
     def test_cannot_add_duplicate_items(self):
+        self.create_pre_authenticated_session("disco@test.io")
         self.browser.get(self.live_server_url)
         list_page = ListPage(self)
         list_page.add_list_item("Witness divinity")
@@ -61,6 +63,7 @@ class ItemValidationTest(FunctionalTest):
         )
 
     def test_error_messages_are_cleared_on_input(self):
+        self.create_pre_authenticated_session("disco@test.io")
         self.browser.get(self.live_server_url)
         list_page = ListPage(self)
         list_page.add_list_item("Gobbledygook")

src/functional_tests/test_login.py

@@ -1,18 +1,22 @@
 import re
+
 from unittest.mock import patch
 from selenium.webdriver.common.by import By
 from selenium.webdriver.common.keys import Keys
 
 from .base import FunctionalTest
+from apps.lyric.tasks import send_login_email_task
 
 
-TEST_EMAIL = "discoman@example.com"
+TEST_EMAIL = "disco@test.io"
 SUBJECT = "A magic login link to your Dashboard"
 
 
 class LoginTest(FunctionalTest):
-    @patch('apps.lyric.views.requests.post')
-    def test_login_using_magic_link(self, mock_post):
+    @patch('apps.lyric.tasks.requests.post')
+    @patch('apps.lyric.views.send_login_email_task.delay',
+           side_effect=send_login_email_task)
+    def test_login_using_magic_link(self, mock_delay, mock_post):
         # Mock successful Mailgun API response
         mock_post.return_value.status_code = 200
 

src/functional_tests/test_my_lists.py

@@ -8,7 +8,7 @@ from .my_lists_page import MyListsPage
 class MyListsTest(FunctionalTest):
 
     def test_logged_in_users_lists_are_saved_as_my_lists(self):
-        self.create_pre_authenticated_session("discoman@example.com")
+        self.create_pre_authenticated_session("disco@test.io")
 
         self.browser.get(self.live_server_url)
         list_page = ListPage(self)
@@ -16,7 +16,7 @@ class MyListsTest(FunctionalTest):
         list_page.add_list_item("Regurgitate spines")
         first_list_url = self.browser.current_url
 
-        MyListsPage(self).go_to_my_lists_page("discoman@example.com")
+        MyListsPage(self).go_to_my_lists_page("disco@test.io")
 
         self.wait_for(
             lambda: self.browser.find_element(By.LINK_TEXT, "Reticulate splines")
@@ -30,11 +30,10 @@ class MyListsTest(FunctionalTest):
         list_page.add_list_item("Ribbon of death")
         second_list_url = self.browser.current_url
 
-        self.browser.find_element(By.LINK_TEXT, "My lists").click()
+        MyListsPage(self).go_to_my_lists_page("disco@test.io")
         self.wait_for(
             lambda: self.browser.find_element(By.LINK_TEXT, "Ribbon of death")
         )
-        MyListsPage(self).go_to_my_lists_page("discoman@example.com")
 
         self.browser.find_element(By.CSS_SELECTOR, "#id_logout").click()
         self.wait_for(

src/functional_tests/test_sharing.py

@@ -1,5 +1,6 @@
 import os
 
+from django.conf import settings
 from selenium import webdriver
 from selenium.webdriver.common.by import By
 
@@ -19,7 +20,7 @@ def quit_if_possible(browser):
 # Test mdls
 class SharingTest(FunctionalTest):
     def test_can_share_a_list_with_another_user(self):
-        self.create_pre_authenticated_session("discoman@example.com")
+        self.create_pre_authenticated_session("disco@test.io")
         disco_browser = self.browser
         self.addCleanup(lambda: quit_if_possible(disco_browser))
 
@@ -29,7 +30,7 @@ class SharingTest(FunctionalTest):
         ali_browser = webdriver.Firefox(options=options)
         self.addCleanup(lambda: quit_if_possible(ali_browser))
         self.browser = ali_browser
-        self.create_pre_authenticated_session("alice@example.com")
+        self.create_pre_authenticated_session("alice@test.io")
 
         self.browser = disco_browser
         self.browser.get(self.live_server_url)
@@ -41,15 +42,15 @@ class SharingTest(FunctionalTest):
             "friend@example.com",
         )
 
-        list_page.share_list_with("alice@example.com")
+        list_page.share_list_with("alice@test.io")
 
         self.browser = ali_browser
-        MyListsPage(self).go_to_my_lists_page("alice@example.com")
+        MyListsPage(self).go_to_my_lists_page("alice@test.io")
 
         self.browser.find_element(By.LINK_TEXT, "Send help").click()
 
         self.wait_for(
-            lambda: self.assertEqual(list_page.get_list_owner(), "discoman@example.com")
+            lambda: self.assertEqual(list_page.get_list_owner(), "disco@test.io")
         )
 
         list_page.add_list_item("At your command, Disco King")
@@ -57,3 +58,16 @@ class SharingTest(FunctionalTest):
         self.browser = disco_browser
         self.browser.refresh()
         list_page.wait_for_row_in_list_table("At your command, Disco King", 2)
+
+class ListAccessTest(FunctionalTest):
+    def test_stranger_cannot_access_owned_list(self):
+        self.create_pre_authenticated_session("disco@test.io")
+        self.browser.get(self.live_server_url)
+        list_page = ListPage(self).add_list_item("private eye")
+        list_url = self.browser.current_url
+
+        self.browser.delete_cookie(settings.SESSION_COOKIE_NAME)
+        self.browser.get(list_url)
+
+        self.assertNotEqual(self.browser.current_url, list_url)
+

src/functional_tests/test_simple_list_creation.py

@@ -8,6 +8,7 @@ from .list_page import ListPage
 class NewVisitorTest(FunctionalTest):
     # Test methods
     def test_can_start_a_todo_list(self):
+        self.create_pre_authenticated_session("alice@test.io")
         self.browser.get(self.live_server_url)
         list_page = ListPage(self)
 
@@ -29,15 +30,20 @@ class NewVisitorTest(FunctionalTest):
         list_page.wait_for_row_in_list_table("Buy peacock feathers", 1)
 
     def test_multiple_users_can_start_lists_at_different_urls(self):
+        self.create_pre_authenticated_session("alice@test.io")
         self.browser.get(self.live_server_url)
         list_page = ListPage(self)
         list_page.add_list_item("Buy peacock feathers")
 
         edith_dash_url = self.browser.current_url
-        self.assertRegex(edith_dash_url, '/apps/dashboard/.+')
+        self.assertRegex(
+            edith_dash_url,
+            r'/dashboard/list/[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}/$',
+        )
 
         self.browser.delete_all_cookies()
 
+        self.create_pre_authenticated_session("disco@test.io")
         self.browser.get(self.live_server_url)
         list_page = ListPage(self)
         page_text = self.browser.find_element(By.TAG_NAME, 'body').text
@@ -46,7 +52,10 @@ class NewVisitorTest(FunctionalTest):
         list_page.add_list_item("Buy milk")
 
         francis_dash_url = self.browser.current_url
-        self.assertRegex(francis_dash_url, '/apps/dashboard/.+')
+        self.assertRegex(
+            francis_dash_url,
+            r'/dashboard/list/[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}/$',
+        )
         self.assertNotEqual(francis_dash_url, edith_dash_url)
 
         page_text = self.browser.find_element(By.TAG_NAME, 'body').text

src/functional_tests/test_wallet.py

@@ -0,0 +1,154 @@
+from selenium.webdriver.common.action_chains import ActionChains
+from selenium.webdriver.common.by import By
+
+from .base import FunctionalTest
+from apps.applets.models import Applet
+
+
+class WalletDisplayTest(FunctionalTest):
+    def setUp(self):
+        super().setUp()
+        Applet.objects.get_or_create(slug="wallet", defaults={"name": "Wallet"})
+
+    def test_new_user_wallet_shows_starting_balances(self):
+        # 1. Log in as new user
+        self.create_pre_authenticated_session("capman@test.io")
+        # 2. Navigate to dashboard
+        self.browser.get(self.live_server_url)
+        # 3. Find wallet applet summary card
+        self.wait_for(
+            lambda: self.browser.find_element(By.ID, "id_applet_wallet")
+        )
+        # 4. Click thru to full wallet page via manage link
+        self.browser.find_element(
+            By.CSS_SELECTOR, "#id_applet_wallet a.wallet-manage-link"
+        ).click()
+        # 5. Assert user landed on wallet page
+        self.wait_for(
+            lambda: self.assertRegex(self.browser.current_url, r"/dashboard/wallet/$")
+        )
+        # 6. Assert writs balance shows 144 (complimentary bundle on signup)
+        self.wait_for(
+            lambda: self.assertEqual(
+                "144",
+                self.browser.find_element(By.ID, "id_writs_balance").text,
+            )
+        )
+        # 7. Assert esteem balance shows 0
+        self.assertEqual(
+            "0",
+            self.browser.find_element(By.ID, "id_esteem_balance").text,
+        )
+        # 8. Assert Coin-on-a-String token element present
+        coin = self.browser.find_element(By.ID, "id_coin_on_a_string")
+        # 9. Hover over it; assert tooltip appears w. name, entry text, 'no expiry'
+        ActionChains(self.browser).move_to_element(coin).perform()
+        self.wait_for(
+            lambda: self.assertTrue(
+                self.browser.find_element(
+                    By.CSS_SELECTOR, "#id_coin_on_a_string .token-tooltip"
+                ).is_displayed()
+            )
+        )
+        coin_tooltip = self.browser.find_element(
+            By.CSS_SELECTOR, "#id_coin_on_a_string .token-tooltip"
+        ).text
+        self.assertIn("Coin-on-a-String", coin_tooltip)
+        self.assertIn("Admit 1 Entry", coin_tooltip)
+        self.assertIn("no expiry", coin_tooltip)
+        # 10. Assert ×1 Free Token present (complimentary on signup)
+        free_token = self.browser.find_element(By.ID, "id_free_token_0")
+        # 11. Hover over it; assert tooltip shows name, entry text, expiry date
+        ActionChains(self.browser).move_to_element(free_token).perform()
+        self.wait_for(
+            lambda: self.assertTrue(
+                self.browser.find_element(
+                    By.CSS_SELECTOR, "#id_free_token_0 .token-tooltip"
+                ).is_displayed()
+            )
+        )
+        free_tooltip = self.browser.find_element(
+            By.CSS_SELECTOR, "#id_free_token_0 .token-tooltip"
+        ).text
+        self.assertIn("Free Token", free_tooltip)
+        self.assertIn("Admit 1 Entry", free_tooltip)
+        self.assertIn("Expires", free_tooltip)
+
+    def test_wallet_payment_section_renders(self):
+        # 1. Log in, navigate directly to wallet page
+        self.create_pre_authenticated_session("capman@test.io")
+        self.browser.get(self.live_server_url + "/dashboard/wallet/")
+        # 2. Assert saved payment methods section present
+        self.wait_for(
+            lambda: self.browser.find_element(By.ID, "id_payment_methods")
+        )
+        # 3. Assert the add-payment-method button is visible
+        self.browser.find_element(By.ID, "id_add_payment_method")
+        # 4. Assert Stripe Payment Element mount point exists
+        self.browser.find_element(By.ID, "id_stripe_payment_element")
+
+    def test_user_can_save_a_payment_method(self):
+        # 1. Log in, navigate to wallet page
+        self.create_pre_authenticated_session("capman@test.io")
+        self.browser.get(self.live_server_url + "/dashboard/wallet/")
+        # 2. Click add-payment-method btn
+        self.browser.find_element(By.ID, "id_add_payment_method").click()
+        # 3. Wait for Stripe Payment Element iframe to appear inside mount point
+        self.wait_for(
+            lambda: self.browser.find_element(
+                By.CSS_SELECTOR, "#id_stripe_payment_element iframe"
+            )
+        )
+        # 4. Switch into Stripe iframe to interact w. card fields
+        stripe_frame = self.browser.find_element(
+            By.CSS_SELECTOR, "#id_stripe_payment_element iframe"
+        )
+        self.browser.switch_to.frame(stripe_frame)
+        # 4a. Wait for card inputs to render inside iframe
+        self.wait_for(
+            lambda: self.browser.find_element(
+                By.CSS_SELECTOR, 'input[placeholder="1234 1234 1234 1234"]'
+            )
+        )
+        # 5. Fill in Stripe test card details
+        self.browser.find_element(
+            By.CSS_SELECTOR, 'input[placeholder="1234 1234 1234 1234"]'
+        ).send_keys("4242424242424242")
+        self.browser.find_element(
+            By.CSS_SELECTOR, 'input[placeholder="MM / YY"]'
+        ).send_keys("12 / 26")
+        self.browser.find_element(
+            By.CSS_SELECTOR, 'input[placeholder="CVC"]'
+        ).send_keys("424")
+        self.browser.find_element(
+            By.CSS_SELECTOR, 'input[placeholder="12345"]'
+        ).send_keys("42424")
+        # 6. Return to main doc & submit form
+        self.browser.switch_to.default_content()
+        self.browser.find_element(By.ID, "id_save_payment_method").click()
+        # 7. Wait for saved card to appear in payment methods list
+        # Assert last 4 digits shown
+        self.wait_for(
+            lambda: self.assertIn(
+                "4242",
+                self.browser.find_element(By.ID, "id_payment_methods").text,
+            )
+        )
+
+    def test_user_can_purchase_tithe_token_bundle(self):
+        # 1. Log in, navigate to wallet page
+        self.create_pre_authenticated_session("capman@test.io")
+        self.browser.get(self.live_server_url + "/dashboard/wallet/")
+        # 2. Assert Tithe Token purchase section present
+        self.wait_for(
+            lambda: self.browser.find_element(By.ID, "id_tithe_token_shop")
+        )
+        # 3. Assert min. +1 bundle option is visible
+        bundle = self.browser.find_element(
+            By.CSS_SELECTOR, "#id_tithe_token_shop .token-bundle"
+        )
+        # 4. Assert ea. bundle shows token count & writ bonus placeholder
+        self.assertIn("Tithe Token", bundle.text)
+        self.assertIn("Writ", bundle.text)
+        # 5. (Placeholder) Purchase flow via Stripe not driven in this FT:
+        # Full charge assertion deferred until Stripe webhook handling implemented

src/manage.py

@@ -6,6 +6,11 @@ import sys
 
 def main():
     """Run administrative tasks."""
+    try:
+        from dotenv import load_dotenv
+        load_dotenv()
+    except ImportError:
+        pass
     os.environ.setdefault('DJANGO_SETTINGS_MODULE', 'core.settings')
     try:
         from django.core.management import execute_from_command_line

src/static_src/scss/_base.scss

@@ -0,0 +1,200 @@
+body {
+    display: flex;
+    flex-direction: column;
+    background-color: rgba(var(--priUser), 1);
+    color: rgba(var(--secUser), 1);
+    font-family: Georgia, serif;
+    height: 100vh;
+
+    a {
+        text-decoration: none;
+        font-weight: 700;
+        color: rgba(var(--terUser), 1);
+
+        &:hover {
+            color: rgba(var(--ninUser), 1);
+            text-shadow: 0 0 0.5rem rgba(var(--terUser), 1);
+        }
+    }
+
+    .container {
+        max-width: 960px;
+        margin: 0 auto;
+        padding: 1rem;
+        flex: 1;
+
+        .navbar {
+            padding: 0.75rem 0;
+            border-bottom: 0.1rem solid rgba(var(--secUser), 0.4);
+
+            .navbar-brand {
+                h1 {
+                    font-size: 2rem;
+                }
+            }
+            
+            .container-fluid {
+                display: flex;
+                align-items: center;
+                gap: 1rem;
+
+                > form { flex-shrink: 0; margin-left: auto; }
+            }
+
+            .navbar-text,
+            .navbar-link {
+                flex: 1;
+                min-width: 0;
+                text-align: center;
+
+                .navbar-label {
+                    display: block;
+                    color: rgba(var(--secUser), 0.7);
+                    font-size: 0.75rem;
+                }
+
+                .navbar-identity {
+                    display: block;
+                    color: rgba(var(--quaUser), 1);
+                    font-size: 0.875rem;
+                    overflow: hidden;
+                    text-overflow: ellipsis;
+                    white-space: nowrap;
+                }
+            }
+        }
+
+        .input-group {
+            display: flex;
+            flex-direction: column;
+            align-items: center;
+            gap: 0.5rem;
+
+            .form-control {
+                width: auto;
+            }
+        }
+
+        .form-control {
+            background-color: rgba(var(--priUser), 1);
+            color: rgba(var(--secUser), 1);
+            border: 0.1rem solid rgba(var(--secUser), 0.5);
+            --_pad-v: 0.5rem;
+            padding: var(--_pad-v) 0.75rem;
+            border-radius: calc((var(--_pad-v) * 2 + 1em) / 3);
+            width: 100%;
+            font-family: inherit;
+
+            &.is-invalid {
+                border-color: rgba(var(--priRd), 1);
+            }
+
+            &.form-control-lg {
+                --_pad-v: 0.75rem;
+                padding: var(--_pad-v) 1rem;
+                font-size: 1.125rem;
+            }
+
+            &.is-invalid ~ .invalid-feedback {
+                display: block;
+            }
+
+            &:focus {
+                border-color: rgba(var(--terUser), 0.75);
+                box-shadow: 0 0 0.75rem rgba(var(--terUser), 0.5);
+            }
+        }
+
+        .invalid-feedback {
+            display: none;
+            color: rgba(var(--priRd), 1);
+            font-size: 0.875rem;
+            margin-top: 0.25rem;
+        }
+
+        .alert {
+            padding: 0.75rem 1rem;
+            margin: 0.75rem 0;
+            border-radius: 0.5rem;
+            border: 0.1rem solid rgba(var(--priYl), 0.5);
+            color: rgba(var(--priYl), 1);
+
+            &.alert-success {
+                border-color: rgba(var(--priGn), 0.5);
+                color: rgba(var(--priGn), 1);
+            }
+
+            &.alert-warning {
+                border-color: rgba(var(--priOr), 0.5);
+                color: rgba(var(--priOr), 1);
+            }
+        }
+
+        .row {
+            padding: 2rem 0;
+
+            .col-md-12 {
+                width: 100%;
+                justify-content: center;
+            }
+
+            .col-lg-6 {
+                max-width: 600px;
+                margin: 0 auto;
+
+                h2 {
+                    font-size: 2.5rem;
+                    color: rgba(var(--quaUser), 1);
+                    margin-bottom: 1rem;
+                }
+            }
+        }
+    }
+}
+
+#id_footer {
+    flex-shrink: 0;
+    height: 5rem;
+    display: flex;
+    flex-direction: column;
+    gap: 0.5rem;
+    align-items: center;
+    padding: 1rem 1rem;
+    border-top: 0.1rem solid rgba(var(--secUser), 0.3);
+    background: linear-gradient(
+        to top,
+        rgba(var(--priUser), 1) 25%,
+        transparent 100%
+    );
+
+    #id_footer_nav {
+        display: flex;
+        justify-content: space-evenly;
+        width: 80%;
+        max-width: 500px;
+
+        a {
+            font-size: 1.75rem;
+            color: rgba(var(--quaUser), 0.9);
+            text-shadow:
+                0 0 0.25rem rgba(0, 0, 0, 0.5),
+            ;
+            
+            &:hover {
+                color: rgba(var(--quaUser), 1);
+                text-shadow:
+                    0 0 1rem rgba(0, 0, 0, 0.25),
+                    0 0 0.5rem rgba(var(--ninUser), 0.25)
+                ;
+                
+            }
+        }
+    }
+
+    .footer-container {
+        small {
+            font-size: 0.7rem;
+            opacity: 0.6;
+        }
+    }
+}

src/static_src/scss/_button-pad.scss

@@ -0,0 +1,304 @@
+.btn {
+    display: inline-flex;
+    align-items: center;
+    justify-content: center;
+    text-align: center;
+    width: 2rem;
+    height: 2rem;
+    text-shadow: 0 0 0.25rem rgba(0, 0, 0, 0.5);
+    border: 0.15rem solid rgba(var(--priUser), 1);
+    border-radius: 50%;
+    font-weight: 700;
+    font-size: 0.63rem;
+    text-transform: uppercase;
+    margin: 0.25rem;
+    flex-shrink: 0;
+
+    &:hover,
+    &:active {
+        cursor: pointer;
+    }
+
+    &:active {
+        font-size: 0.61rem;
+        border: 0.18rem solid rgba(var(--priUser), 1);
+    }
+
+    &.btn-primary {
+        color: rgba(var(--quaUser), 1);
+        border-color: rgba(var(--quaUser), 1);
+        background-color: rgba(var(--quiUser), 1);
+        box-shadow:
+            0.1rem 0.1rem 0.12rem rgba(var(--quiUser), 0.25),
+            0.12rem 0.12rem 0.25rem rgba(0, 0, 0, 0.25),
+            0.25rem 0.25rem 0.25rem rgba(var(--quiUser), 0.12)
+        ;
+
+        &:hover {
+            text-shadow:
+                0.1rem 0.1rem 0.1rem rgba(0, 0, 0, 0.25),
+                0 0 1rem rgba(var(--quaUser), 1)
+                ;
+            box-shadow:
+                0.12rem 0.12rem 0.5rem rgba(0, 0, 0, 0.25),
+                0 0 0.5rem rgba(var(--quaUser), 0.12)
+            ;
+        }
+        
+        &:active {
+            border: 0.18rem solid rgba(var(--quaUser), 1);
+            text-shadow:
+                -0.1rem -0.1rem 0.25rem rgba(0, 0, 0, 0.25),
+                0 0 0.12rem rgba(var(--quaUser), 1)
+            ;
+            box-shadow:
+                -0.1rem -0.1rem 0.12rem rgba(var(--quiUser), 0.25),
+                -0.1rem -0.1rem 0.12rem rgba(0, 0, 0, 0.25),
+                0 0 0.5rem rgba(var(--quaUser), 0.12)
+            ;
+        }
+    }
+
+    &.btn-xl {
+        width: 4rem;
+        height: 4rem;
+        font-size: 0.875rem;
+        border-width: 0.21rem;
+
+        &:hover {
+            text-shadow:
+                0.2rem 0.2rem 0.2rem rgba(0, 0, 0, 0.25),
+                0 0 0.5rem rgba(var(--quaUser), 1)
+                ;
+            box-shadow:
+                0.24rem 0.24rem 0.5rem rgba(0, 0, 0, 0.25),
+                0 0 0.5rem rgba(var(--quaUser), 22)
+            ;
+        }
+
+        &:active {
+            border-width: 0.25rem;
+            text-shadow:
+                -0.2rem -0.2rem 0.25rem rgba(0, 0, 0, 0.25),
+                0 0 0.24rem rgba(var(--quaUser), 1)
+            ;
+            box-shadow:
+                -0.2rem -0.2rem 0.24rem rgba(var(--quiUser), 0.25),
+                -0.2rem -0.2rem 0.24rem rgba(0, 0, 0, 0.25),
+                0 0 0.5rem rgba(var(--quaUser), 0.22)
+            ;
+            }
+    }
+
+    &.btn-cancel {
+        color: rgba(var(--priOr), 1);
+        border-color: rgba(var(--priOr), 1);
+        background-color: rgba(var(--terOr), 1);
+        box-shadow:
+            0.1rem 0.1rem 0.12rem rgba(var(--terOr), 0.25),
+            0.12rem 0.12rem 0.25rem rgba(0, 0, 0, 0.25),
+            0.25rem 0.25rem 0.25rem rgba(var(--terOr), 0.12)
+        ;
+
+        &:hover {
+            text-shadow:
+                0.2rem 0.2rem 0.2rem rgba(0, 0, 0, 0.25),
+                0 0 0.5rem rgba(var(--priOr), 1)
+                ;
+            box-shadow:
+                0.24rem 0.24rem 0.5rem rgba(0, 0, 0, 0.25),
+                0 0 0.5rem rgba(var(--priOr), 0.12)
+            ;
+        }
+        
+        &:active {
+            text-shadow:
+                -0.1rem -0.1rem 0.5rem rgba(0, 0, 0, 0.25),
+                0 0 0.12rem rgba(var(--priOr), 1)
+            ;
+            box-shadow:
+                -0.1rem -0.1rem 0.12rem rgba(var(--terOr), 0.25),
+                -0.1rem -0.1rem 0.12rem rgba(0, 0, 0, 0.25),
+                0 0 0.5rem rgba(var(--priOr), 0.12)
+            ;
+        }
+    }
+
+    &.btn-caution {
+        color: rgba(var(--priYl), 1);
+        border-color: rgba(var(--priYl), 1);
+        background-color: rgba(var(--terYl), 1);
+        box-shadow:
+            0.1rem 0.1rem 0.12rem rgba(var(--terYl), 0.25),
+            0.12rem 0.12rem 0.25rem rgba(0, 0, 0, 0.25),
+            0.25rem 0.25rem 0.25rem rgba(var(--terYl), 0.12)
+        ;
+
+        &:hover {
+            text-shadow:
+                0.1rem 0.1rem 0.1rem rgba(0, 0, 0, 0.25),
+                0 0 1rem rgba(var(--priYl), 1)
+                ;
+            box-shadow:
+                0.12rem 0.12rem 0.5rem rgba(0, 0, 0, 0.25),
+                0 0 0.5rem rgba(var(--priYl), 0.12)
+            ;
+        }
+        
+        &:active {
+            border: 0.18rem solid rgba(var(--priYl), 1);
+            text-shadow:
+                -0.1rem -0.1rem 0.25rem rgba(0, 0, 0, 0.25),
+                0 0 0.12rem rgba(var(--priYl), 1)
+            ;
+            box-shadow:
+                -0.1rem -0.1rem 0.12rem rgba(var(--terYl), 0.25),
+                -0.1rem -0.1rem 0.12rem rgba(0, 0, 0, 0.25),
+                0 0 0.5rem rgba(var(--priYl), 0.12)
+            ;
+        }
+    }
+    
+    &.btn-confirm {
+        color: rgba(var(--priGn), 1);
+        border-color: rgba(var(--priGn), 1);
+        background-color: rgba(var(--terGn), 1);
+        box-shadow:
+            0.1rem 0.1rem 0.12rem rgba(var(--terGn), 0.25),
+            0.12rem 0.12rem 0.25rem rgba(0, 0, 0, 0.25),
+            0.25rem 0.25rem 0.25rem rgba(var(--terGn), 0.12)
+        ;
+
+        &:hover {
+            text-shadow:
+                0.1rem 0.1rem 0.1rem rgba(0, 0, 0, 0.25),
+                0 0 1rem rgba(var(--priGn), 1)
+                ;
+            box-shadow:
+                0.12rem 0.12rem 0.5rem rgba(0, 0, 0, 0.25),
+                0 0 0.5rem rgba(var(--priGn), 0.12)
+            ;
+        }
+        
+        &:active {
+            border: 0.18rem solid rgba(var(--priGn), 1);
+            text-shadow:
+                -0.1rem -0.1rem 0.25rem rgba(0, 0, 0, 0.25),
+                0 0 0.12rem rgba(var(--priGn), 1)
+            ;
+            box-shadow:
+                -0.1rem -0.1rem 0.12rem rgba(var(--terGn), 0.25),
+                -0.1rem -0.1rem 0.12rem rgba(0, 0, 0, 0.25),
+                0 0 0.5rem rgba(var(--priGn), 0.12)
+            ;
+        }
+    }
+
+    &.btn-danger {
+        color: rgba(var(--priRd), 1);
+        background-color: rgba(var(--terRd), 1);
+        border-color: rgba(var(--priRd), 1);
+        box-shadow:
+            0.1rem 0.1rem 0.12rem rgba(var(--terRd), 0.25),
+            0.12rem 0.12rem 0.25rem rgba(0, 0, 0, 0.25),
+            0.25rem 0.25rem 0.25rem rgba(var(--terRd), 0.12)
+        ;
+    
+        &:hover {
+            text-shadow:
+                0.1rem 0.1rem 0.1rem rgba(0, 0, 0, 0.25),
+                0 0 1rem rgba(var(--priRd), 1)
+                ;
+            box-shadow:
+                0.12rem 0.12rem 0.5rem rgba(0, 0, 0, 0.25),
+                0 0 0.5rem rgba(var(--priRd), 0.12)
+            ;
+        }
+        
+        &:active {
+            text-shadow:
+                -0.1rem -0.1rem 0.25rem rgba(0, 0, 0, 0.25),
+                0 0 0.12rem rgba(var(--priRd), 1)
+            ;
+            box-shadow:
+                -0.1rem -0.1rem 0.12rem rgba(var(--terRd), 0.25),
+                -0.1rem -0.1rem 0.12rem rgba(0, 0, 0, 0.25),
+                0 0 0.5rem rgba(var(--priRd), 0.12)
+            ;
+        }
+    
+        &.stop-player {
+            width: 4rem;
+            height: 4rem;
+            font-size: 0.9rem;
+            border: 0.2rem solid rgba(var(--priRd), 1);
+            box-shadow:
+                0.1rem 0.1rem 0.25rem rgba(var(--terRd), 0.5),
+                0.25rem 0.25rem 1rem rgba(0, 0, 0, 0.5),
+                0.5rem 0.5rem 0.5rem rgba(var(--terRd), 0.25)
+            ;
+
+            &:hover {
+                text-shadow:
+                    0.1rem 0.1rem 0.1rem rgba(0, 0, 0, 0.5),
+                    0 0 1rem rgba(var(--priRd), 1)
+                    ;
+                box-shadow:
+                    0.25rem 0.25rem 1rem rgba(0, 0, 0, 0.5),
+                    0 0 1rem rgba(var(--priRd), 0.25)
+                ;
+            }
+            
+            &:active {
+                font-size: 0.88rem;
+                border: 0.25rem solid rgba(var(--priRd), 1);
+                text-shadow:
+                    -0.1rem -0.1rem 0.5rem rgba(0, 0, 0, 0.5),
+                    0 0 0.25rem rgba(var(--priRd), 1)
+                    ;
+                box-shadow:
+                    -0.1rem -0.1rem 0.25rem rgba(var(--terRd), 0.5),
+                    -0.1rem -0.1rem 0.25rem rgba(0, 0, 0, 0.5),
+                    0 0 1rem rgba(var(--priRd), 0.25)
+                ;
+            }
+        }
+    }
+
+    &.btn-disabled {
+        cursor: default !important;
+        font-size: 1.2rem;
+        padding-bottom: 0.1rem;
+        color: rgba(var(--secUser), 0.25);
+        background-color: rgba(var(--priUser), 1);
+        border-color: rgba(var(--secUser), 0.25);
+        box-shadow:
+            0.1rem 0.1rem 0.12rem rgba(var(--priUser), 0.5),
+            0.12rem 0.12rem 0.25rem rgba(0, 0, 0, 0.25),
+            0.25rem 0.25rem 0.25rem rgba(var(--secUser), 0.12)
+            ;
+
+        &:hover {
+            text-shadow:
+                0.1rem 0.1rem 0.1rem rgba(0, 0, 0, 0.25),
+                0 0 1rem rgba(var(--priUser), 1)
+                ;
+            box-shadow:
+                0.12rem 0.12rem 0.5rem rgba(0, 0, 0, 0.25),
+                0 0 0.5rem rgba(var(--priUser), 0.12)
+                ;
+        }
+        
+        &:active {
+            text-shadow:
+                -0.1rem -0.1rem 0.25rem rgba(0, 0, 0, 0.25),
+                0 0 0.12rem rgba(var(--priUser), 1)
+                ;
+            box-shadow:
+                -0.1rem -0.1rem 0.12rem rgba(var(--priUser), 0.75),
+                -0.1rem -0.1rem 0.12rem rgba(0, 0, 0, 0.25),
+                0 0 0.5rem rgba(var(--secUser), 0.12)
+                ;
+        }
+    }
+}

src/static_src/scss/_dashboard.scss

@@ -0,0 +1,269 @@
+html:has(body.page-dashboard) {
+    overflow: hidden;
+}
+
+body.page-dashboard {
+    overflow: hidden;
+
+    .container {
+        overflow: hidden;
+        display: flex;
+        flex-direction: column;
+        flex: 1;
+        min-height: 0;
+    }
+
+    .row {
+        flex-shrink: 0;
+        margin-bottom: -1rem;
+    }
+}
+
+#id_dash_content {
+    flex: 1;
+    min-width: 425px;
+    overflow: hidden;
+    display: flex;
+    flex-direction: column;
+    position: relative;
+}
+
+#id_dash_gear {
+    position: absolute;
+    bottom: 0.5rem;
+    right: 0.5rem;
+    z-index: 1;
+    background: none;
+    border: none;
+    font-size: 2rem;
+    cursor: pointer;
+    color: rgba(var(--secUser), 1);
+    display: inline-flex;
+    align-items: center;
+    justify-content: center;
+    width: 3rem;
+    height: 3rem;
+    border-radius: 50%;
+    background-color: rgba(var(--priUser), 1);
+    border: 0.15rem solid rgba(var(--secUser), 1);
+}
+
+#id_applet_menu {
+    position: absolute;
+    bottom: 3rem;
+    right: 0.5rem;
+    z-index: 100;
+    background-color: rgba(var(--priUser), 0.95);
+    border: 0.15rem solid rgba(var(--secUser), 0.5);
+    box-shadow:
+        0.1rem 0.1rem 0.12rem rgba(var(--priUser), 0.5),
+        0.12rem 0.12rem 0.5rem rgba(0, 0, 0, 0.25),
+    ;
+    border-radius: 0.75rem;
+    padding: 1rem;
+
+    .menu-btns {
+        display: flex;
+        gap: 0.25rem;
+        margin-top: 0.75rem;
+    }
+
+    form {
+        display: flex;
+        flex-direction: column;
+        gap: 0.5rem;
+    }
+
+    input[type="checkbox"] {
+        appearance: none;
+        -webkit-appearance: none;
+        width: 0.9em;
+        height: 0.9em;
+        border: 0.1rem solid rgba(var(--secUser), 0.4);
+        border-radius: 0.25rem;
+        background: transparent;
+        cursor: pointer;
+        position: relative;
+        flex-shrink: 0;
+        top: 0.1em;
+
+        &:checked::after {
+            content: '';
+            position: absolute;
+            left: 0.2em;
+            bottom: 0.2em;
+            width: 0.55em;
+            height: 1em;
+            border: 0.12em solid rgba(var(--ninUser), 1);
+            border-top: none;
+            border-left: none;
+            transform: rotate(45deg);
+        }
+    }
+}
+
+#id_applets_container {
+    container-type: inline-size;
+    --grid-gap: 0.5rem;
+    flex: 1;
+    overflow-y: auto;
+    overflow-x: hidden;
+    display: grid;
+    grid-template-columns: repeat(12, 1fr);
+    grid-auto-rows: 3rem;
+    gap: var(--grid-gap);
+    padding: 0.75rem;
+    -webkit-overflow-scrolling: touch;
+    mask-image: linear-gradient(
+        to bottom,
+        transparent 0%,
+        black 2%,
+        black 98%,
+        transparent 100%
+    );
+
+    section {
+        border: 0.2rem solid rgba(var(--secUser), 0.5);
+        border-radius: 0.75rem;
+        padding: 1rem;
+        overflow: hidden;
+        min-width: 0;
+        grid-column: span var(--applet-cols, 12);
+        grid-row: span var(--applet-rows, 3);
+    }
+
+    #id_applet_my_lists {
+        padding: 1.25rem 1.5rem;
+        display: flex;
+        flex-direction: column;
+
+        .my-lists-main {
+            font-size: 1.6rem;
+        }
+
+        .my-lists-container {
+            flex: 1;
+            min-height: 0;
+            overflow-y: auto;
+            -webkit-overflow-scrolling: touch;
+            scrollbar-width: none;
+            &::-webkit-scrollbar { display: none; }
+            mask-origin: padding-box;
+            mask-clip: padding-box;
+            mask-image: linear-gradient(
+                to bottom,
+                transparent 0%,
+                black 5%,
+                black 85%,
+                transparent 100%
+            );
+        }
+
+    }
+    
+    #id_applet_palette {
+        padding: 0;
+
+        .palette-scroll {
+            display: flex;
+            gap: 3.5rem;
+            overflow-x: auto;
+            padding: 0.75rem 2rem;
+            height: 100%;
+            scrollbar-width: none;
+            &::-webkit-scrollbar { display: none; }
+            mask-image: linear-gradient(
+                to right,
+                transparent 0%,
+                black 2%,
+                black 98%,
+                transparent 100%
+            );
+        }
+    }
+
+    #id_applet_username {
+        display: flex;
+        align-items: center;
+        overflow: hidden;
+
+        form {
+            min-width: 0;
+            width: 100%;
+            overflow: hidden;
+            display: flex;
+            flex-direction: column;
+
+            .save-btn {
+                align-self: left;
+            }
+        }
+
+        .username-field {
+            display: flex;
+            align-items: baseline;
+            gap: 0.1em;
+            min-width: 0;
+            overflow: hidden;
+
+            .username-at{
+                user-select: none;
+                pointer-events: none;
+                font-size: 1.8rem;
+                font-weight: bold;
+                color: rgba(var(--secUser), 0.875);
+                margin-left: 0.3rem;
+            }
+            
+            input {
+                background: transparent;
+                border: none;
+                outline: none;
+                font-size: 1.8rem;
+                font-weight: bold;
+                color: rgba(var(--secUser), 0.875);;
+                font-family: inherit;
+                padding: 0;
+                flex: 1;
+                min-width: 0;
+                overflow: hidden;
+                text-overflow: ellipsis;
+            }
+        }
+
+    }
+
+}
+
+@media (max-width: 550px) {
+    #id_dash_content {
+        min-width: 0;
+        overflow: hidden;
+    }
+    
+    #id_applets_container {
+        section {
+            grid-column: span 12;
+        }
+    }
+}
+
+@media (min-width: 738px) {
+    #id_dash_content {
+        min-width: 666px;
+        overflow: hidden;
+    }
+}
+
+@media (max-height: 500px) {
+    body.page-dashboard {
+        .container {
+            .row {
+                padding: 0.25rem 0;
+                .col-lg-6 h2 {
+                    margin-bottom: 0.5rem;
+                }
+            }
+        }
+    }
+}

src/static_src/scss/_palette-picker.scss

@@ -0,0 +1,48 @@
+.palette {
+    display: flex;
+    flex-direction: row;
+    overflow-x: auto;
+    overflow-y: hidden;
+    scroll-snap-type: x mandatory;
+    -webkit-overflow-scrolling: touch;
+    gap: 0.75rem;
+    padding-bottom: 0.5rem;
+
+}
+
+.palette-item {
+    display: flex;
+    flex-direction: column;
+    align-items: center;
+    gap: 0.5rem;
+    flex: 0 0 auto;
+    height: 100%;
+    scroll-snap-align: start;
+}
+
+.swatch {
+    flex: 1;
+    min-height: 0;
+    aspect-ratio: 1;
+    border-radius: 0.5rem;
+    background: linear-gradient(
+        to bottom,
+        rgba(var(--terUser), 1) 0%,
+        rgba(var(--terUser), 1) 33%,
+        rgba(var(--priUser), 1) 33%,
+        rgba(var(--priUser), 1) 66%,
+        rgba(var(--quiUser), 1) 66%,
+        rgba(var(--quiUser), 1) 100%
+    );
+    border: 0.15rem solid rgba(var(--secUser), 0.5);
+
+    &.active {
+        border: 0.2rem solid rgba(var(--ninUser), 1);
+        box-shadow: 0 0 0.5rem rgba(var(--ninUser), 0.5);
+    }
+
+    &.locked {
+        opacity: 0.5;
+        filter: saturate(0.4);
+    }
+}

src/static_src/scss/_wallet-tokens.scss

@@ -0,0 +1,27 @@
+.token {
+    position: relative;
+    display: inline-block;
+    cursor: pointer;
+    color: rgba(var(--terUser), 1);
+
+    .token-tooltip {
+        display: none;
+        position: absolute;
+        bottom: 125%;
+        left: 0;
+        width: 16rem;
+        max-width: 16rem;
+        white-space: normal;
+        background-color: rgba(var(--priUser), 0.95);
+        border: 0.1rem solid rgba(var(--secUser), 0.5);
+        color: rgba(var(--secUser), 1);
+        padding: 0.5rem 0.75rem;
+        border-radius: 0.5rem;
+        z-index: 10;
+        font-size: 0.875rem;
+    }
+
+    &:hover .token-tooltip {
+        display: block;
+    }
+}