From ba249914ef797d32002bcfefacd924fc71e2c603 Mon Sep 17 00:00:00 2001
From: Mohammad Elwan <mohammadsherifl11@gmail.com>
Date: Mon, 23 Feb 2026 13:35:05 +0100
Subject: [PATCH 01/73] feat: add wizard_step table and model for setup wizard

---
 .../20260119185828-create-wizard_step.js      | 56 ++++++++++++++++++
 backend/db/models/wizard_step.js              | 59 +++++++++++++++++++
 2 files changed, 115 insertions(+)
 create mode 100644 backend/db/migrations/20260119185828-create-wizard_step.js
 create mode 100644 backend/db/models/wizard_step.js

diff --git a/backend/db/migrations/20260119185828-create-wizard_step.js b/backend/db/migrations/20260119185828-create-wizard_step.js
new file mode 100644
index 000000000..53a484b2c
--- /dev/null
+++ b/backend/db/migrations/20260119185828-create-wizard_step.js
@@ -0,0 +1,56 @@
+'use strict';
+
+/** @type {import('sequelize-cli').Migration} */
+module.exports = {
+    async up(queryInterface, Sequelize) {
+        await queryInterface.createTable('wizard_step', {
+            id: {
+                allowNull: false,
+                autoIncrement: true,
+                primaryKey: true,
+                type: Sequelize.INTEGER,
+            },
+            key: {
+                type: Sequelize.STRING,
+                allowNull: false,
+                unique: true,
+            },
+            order: {
+                type: Sequelize.INTEGER,
+                allowNull: false,
+            },
+            title: {
+                type: Sequelize.STRING,
+                allowNull: false,
+            },
+            description: {
+                type: Sequelize.STRING,
+                allowNull: true,
+            },
+            type: {
+                type: Sequelize.STRING,
+                allowNull: false,
+            },
+            deleted: {
+                type: Sequelize.BOOLEAN,
+                defaultValue: false,
+            },
+            createdAt: {
+                allowNull: false,
+                type: Sequelize.DATE,
+            },
+            updatedAt: {
+                allowNull: false,
+                type: Sequelize.DATE,
+            },
+            deletedAt: {
+                allowNull: true,
+                type: Sequelize.DATE,
+            },
+        });
+    },
+
+    async down(queryInterface, Sequelize) {
+        await queryInterface.dropTable('wizard_step');
+    },
+};
diff --git a/backend/db/models/wizard_step.js b/backend/db/models/wizard_step.js
new file mode 100644
index 000000000..8ce7149fb
--- /dev/null
+++ b/backend/db/models/wizard_step.js
@@ -0,0 +1,59 @@
+'use strict';
+
+const MetaModel = require('../MetaModel.js');
+
+module.exports = (sequelize, DataTypes) => {
+    class WizardStep extends MetaModel {
+        static autoTable = false;
+
+        static associate(models) {
+            // no associations
+        }
+    }
+
+    WizardStep.init(
+        {
+            id: {
+                allowNull: false,
+                autoIncrement: true,
+                primaryKey: true,
+                type: DataTypes.INTEGER,
+            },
+            key: {
+                type: DataTypes.STRING,
+                allowNull: false,
+                unique: true,
+            },
+            order: {
+                type: DataTypes.INTEGER,
+                allowNull: false,
+            },
+            title: {
+                type: DataTypes.STRING,
+                allowNull: false,
+            },
+            description: {
+                type: DataTypes.STRING,
+                allowNull: true,
+            },
+            type: {
+                type: DataTypes.STRING,
+                allowNull: false,
+            },
+            deleted: {
+                type: DataTypes.BOOLEAN,
+                defaultValue: false,
+            },
+            createdAt: DataTypes.DATE,
+            updatedAt: DataTypes.DATE,
+            deletedAt: DataTypes.DATE,
+        },
+        {
+            sequelize,
+            modelName: 'wizard_step',
+            tableName: 'wizard_step',
+        }
+    );
+
+    return WizardStep;
+};

From 9d5e6cfe3cfd7d7413c2065d0a8b68be6647f487 Mon Sep 17 00:00:00 2001
From: Mohammad Elwan <mohammadsherifl11@gmail.com>
Date: Mon, 23 Feb 2026 13:38:33 +0100
Subject: [PATCH 02/73] feat: add wizard columns to setting table
 (showInWizard, wizardOrder, requiredInWizard, wizardStep)

---
 .../20260119185850-extend-setting-wizard.js   | 30 +++++++++++++++++++
 1 file changed, 30 insertions(+)
 create mode 100644 backend/db/migrations/20260119185850-extend-setting-wizard.js

diff --git a/backend/db/migrations/20260119185850-extend-setting-wizard.js b/backend/db/migrations/20260119185850-extend-setting-wizard.js
new file mode 100644
index 000000000..6b77210f3
--- /dev/null
+++ b/backend/db/migrations/20260119185850-extend-setting-wizard.js
@@ -0,0 +1,30 @@
+'use strict';
+
+/** @type {import('sequelize-cli').Migration} */
+module.exports = {
+    async up(queryInterface, Sequelize) {
+        await queryInterface.addColumn('setting', 'showInWizard', {
+            type: Sequelize.BOOLEAN,
+            defaultValue: false,
+        });
+        await queryInterface.addColumn('setting', 'wizardOrder', {
+            type: Sequelize.INTEGER,
+            allowNull: true,
+        });
+        await queryInterface.addColumn('setting', 'requiredInWizard', {
+            type: Sequelize.BOOLEAN,
+            defaultValue: false,
+        });
+        await queryInterface.addColumn('setting', 'wizardStep', {
+            type: Sequelize.STRING,
+            allowNull: true,
+        });
+    },
+
+    async down(queryInterface, Sequelize) {
+        await queryInterface.removeColumn('setting', 'showInWizard');
+        await queryInterface.removeColumn('setting', 'wizardOrder');
+        await queryInterface.removeColumn('setting', 'requiredInWizard');
+        await queryInterface.removeColumn('setting', 'wizardStep');
+    },
+};

From 3130b7a7ec8f99f5250132fe33eb466ea47618fc Mon Sep 17 00:00:00 2001
From: Mohammad Elwan <mohammadsherifl11@gmail.com>
Date: Mon, 23 Feb 2026 13:41:28 +0100
Subject: [PATCH 03/73] feat: add wizard steps and wizard completion settings

---
 .../20260119190004-basic-setting-setup.js     | 32 +++++++++++++++++++
 .../20260119192230-basic-wizard_steps.js      | 22 +++++++++++++
 2 files changed, 54 insertions(+)
 create mode 100644 backend/db/migrations/20260119190004-basic-setting-setup.js
 create mode 100644 backend/db/migrations/20260119192230-basic-wizard_steps.js

diff --git a/backend/db/migrations/20260119190004-basic-setting-setup.js b/backend/db/migrations/20260119190004-basic-setting-setup.js
new file mode 100644
index 000000000..6a5cd5239
--- /dev/null
+++ b/backend/db/migrations/20260119190004-basic-setting-setup.js
@@ -0,0 +1,32 @@
+'use strict';
+
+/** @type {import('sequelize-cli').Migration} */
+module.exports = {
+    async up(queryInterface, Sequelize) {
+        const now = new Date();
+        await queryInterface.bulkInsert('setting', [
+            {
+                key: 'app.setup.wizardCompleted',
+                value: 'false',
+                type: 'boolean',
+                description: 'Whether the setup wizard has been completed',
+                createdAt: now,
+                updatedAt: now,
+            },
+            {
+                key: 'app.setup.wizardCurrentStep',
+                value: '0',
+                type: 'string',
+                description: 'Current step index in the setup wizard',
+                createdAt: now,
+                updatedAt: now,
+            },
+        ], {});
+    },
+
+    async down(queryInterface, Sequelize) {
+        await queryInterface.bulkDelete('setting', {
+            key: ['app.setup.wizardCompleted', 'app.setup.wizardCurrentStep'],
+        }, {});
+    },
+};
diff --git a/backend/db/migrations/20260119192230-basic-wizard_steps.js b/backend/db/migrations/20260119192230-basic-wizard_steps.js
new file mode 100644
index 000000000..5511d95ee
--- /dev/null
+++ b/backend/db/migrations/20260119192230-basic-wizard_steps.js
@@ -0,0 +1,22 @@
+'use strict';
+
+/** @type {import('sequelize-cli').Migration} */
+module.exports = {
+    async up(queryInterface, Sequelize) {
+        const now = new Date();
+        await queryInterface.bulkInsert('wizard_step', [
+            { key: 'admin', order: 1, title: 'Admin Account', description: 'Create the administrator account', type: 'admin', deleted: false, createdAt: now, updatedAt: now, deletedAt: null },
+            { key: 'general', order: 2, title: 'General Settings', description: 'Copyright, consent, guest login, study mode, external links', type: 'general', deleted: false, createdAt: now, updatedAt: now, deletedAt: null },
+            { key: 'mail', order: 3, title: 'Mail Configuration', description: 'Enable email service and configure SMTP/sendmail', type: 'mail', deleted: false, createdAt: now, updatedAt: now, deletedAt: null },
+            { key: 'registration', order: 4, title: 'User Registration', description: 'What is required at signup', type: 'registration', deleted: false, createdAt: now, updatedAt: now, deletedAt: null },
+            { key: 'moodle', order: 5, title: 'Moodle Integration', description: 'Optional: API URL, key, course ID', type: 'moodle', deleted: false, createdAt: now, updatedAt: now, deletedAt: null },
+            { key: 'summary', order: 6, title: 'Summary', description: 'Review your choices before finishing', type: 'summary', deleted: false, createdAt: now, updatedAt: now, deletedAt: null },
+        ], {});
+    },
+
+    async down(queryInterface, Sequelize) {
+        await queryInterface.bulkDelete('wizard_step', {
+            key: ['admin', 'general', 'mail', 'registration', 'moodle', 'summary'],
+        }, {});
+    },
+};

From a3796673bf946bfffe90e455883d70fe83983c94 Mon Sep 17 00:00:00 2001
From: Mohammad Elwan <mohammadsherifl11@gmail.com>
Date: Mon, 23 Feb 2026 13:42:00 +0100
Subject: [PATCH 04/73] feat: assign wizard settings to steps (general, mail,
 registration, moodle)

---
 ...20260119194252-transform-setting-wizard.js | 72 +++++++++++++++++++
 1 file changed, 72 insertions(+)
 create mode 100644 backend/db/migrations/20260119194252-transform-setting-wizard.js

diff --git a/backend/db/migrations/20260119194252-transform-setting-wizard.js b/backend/db/migrations/20260119194252-transform-setting-wizard.js
new file mode 100644
index 000000000..d4754e988
--- /dev/null
+++ b/backend/db/migrations/20260119194252-transform-setting-wizard.js
@@ -0,0 +1,72 @@
+'use strict';
+
+/**
+ * Wizard settings per step requiredInWizard: true only where the setting must be filled.
+ */
+const WIZARD_SETTINGS = [
+    // general
+    { key: 'app.config.copyright', wizardStep: 'general', wizardOrder: 1, requiredInWizard: true },
+    { key: 'app.config.consent.enabled', wizardStep: 'general', wizardOrder: 2, requiredInWizard: false },
+    { key: 'app.login.guest', wizardStep: 'general', wizardOrder: 3, requiredInWizard: false },
+    { key: 'app.login.forgotPassword', wizardStep: 'general', wizardOrder: 4, requiredInWizard: false },
+    { key: 'app.study.enabled', wizardStep: 'general', wizardOrder: 5, requiredInWizard: false },
+    { key: 'app.landing.showDocs', wizardStep: 'general', wizardOrder: 6, requiredInWizard: false },
+    { key: 'app.landing.linkDocs', wizardStep: 'general', wizardOrder: 7, requiredInWizard: true },
+    { key: 'app.landing.showProject', wizardStep: 'general', wizardOrder: 8, requiredInWizard: false },
+    { key: 'app.landing.linkProject', wizardStep: 'general', wizardOrder: 9, requiredInWizard: false },
+    { key: 'app.landing.showFeedback', wizardStep: 'general', wizardOrder: 10, requiredInWizard: false },
+    { key: 'app.landing.linkFeedback', wizardStep: 'general', wizardOrder: 11, requiredInWizard: false },
+    // mail
+    { key: 'system.mailService.enabled', wizardStep: 'mail', wizardOrder: 12, requiredInWizard: false },
+    { key: 'system.mailService.sendMail.enabled', wizardStep: 'mail', wizardOrder: 13, requiredInWizard: false },
+    { key: 'system.mailService.sendMail.path', wizardStep: 'mail', wizardOrder: 14, requiredInWizard: false },
+    { key: 'system.mailService.senderAddress', wizardStep: 'mail', wizardOrder: 15, requiredInWizard: false },
+    { key: 'system.mailService.smtp.enabled', wizardStep: 'mail', wizardOrder: 16, requiredInWizard: false },
+    { key: 'system.mailService.smtp.host', wizardStep: 'mail', wizardOrder: 17, requiredInWizard: false },
+    { key: 'system.mailService.smtp.port', wizardStep: 'mail', wizardOrder: 18, requiredInWizard: false },
+    { key: 'system.mailService.smtp.secure', wizardStep: 'mail', wizardOrder: 19, requiredInWizard: false },
+    { key: 'system.mailService.smtp.auth.enabled', wizardStep: 'mail', wizardOrder: 20, requiredInWizard: false },
+    { key: 'system.mailService.smtp.auth.user', wizardStep: 'mail', wizardOrder: 21, requiredInWizard: false },
+    { key: 'system.mailService.smtp.auth.pass', wizardStep: 'mail', wizardOrder: 22, requiredInWizard: false },
+    { key: 'system.baseUrl', wizardStep: 'mail', wizardOrder: 23, requiredInWizard: false },
+    { key: 'app.register.emailVerification', wizardStep: 'mail', wizardOrder: 24, requiredInWizard: false },
+    // app.login.forgotPassword already in general; in mail step it's a toggle in UI, same key
+    // registration
+    { key: 'app.register.requestName', wizardStep: 'registration', wizardOrder: 25, requiredInWizard: false },
+    { key: 'app.register.requestStats', wizardStep: 'registration', wizardOrder: 26, requiredInWizard: false },
+    { key: 'app.register.requestData', wizardStep: 'registration', wizardOrder: 27, requiredInWizard: false },
+    { key: 'app.register.acceptStats.default', wizardStep: 'registration', wizardOrder: 28, requiredInWizard: false },
+    { key: 'app.register.acceptDataSharing.default', wizardStep: 'registration', wizardOrder: 29, requiredInWizard: false },
+    { key: 'app.register.terms', wizardStep: 'registration', wizardOrder: 30, requiredInWizard: false },
+    // moodle
+    { key: 'rpc.moodleAPI.apiUrl', wizardStep: 'moodle', wizardOrder: 31, requiredInWizard: false },
+    { key: 'rpc.moodleAPI.apiKey', wizardStep: 'moodle', wizardOrder: 32, requiredInWizard: false },
+    { key: 'rpc.moodleAPI.courseID', wizardStep: 'moodle', wizardOrder: 33, requiredInWizard: false },
+];
+
+/** @type {import('sequelize-cli').Migration} */
+module.exports = {
+    async up(queryInterface, Sequelize) {
+        for (const { key, wizardStep, wizardOrder, requiredInWizard } of WIZARD_SETTINGS) {
+            await queryInterface.sequelize.query(
+                `UPDATE setting SET "showInWizard" = true, "wizardStep" = :wizardStep, "wizardOrder" = :wizardOrder, "requiredInWizard" = :requiredInWizard, "updatedAt" = :now WHERE key = :key`,
+                {
+                    replacements: { key, wizardStep, wizardOrder, requiredInWizard, now: new Date() },
+                    type: Sequelize.QueryTypes.UPDATE,
+                }
+            );
+        }
+    },
+
+    async down(queryInterface, Sequelize) {
+        for (const { key } of WIZARD_SETTINGS) {
+            await queryInterface.sequelize.query(
+                `UPDATE setting SET "showInWizard" = false, "wizardStep" = NULL, "wizardOrder" = NULL, "requiredInWizard" = false, "updatedAt" = :now WHERE key = :key`,
+                {
+                    replacements: { key, now: new Date() },
+                    type: Sequelize.QueryTypes.UPDATE,
+                }
+            );
+        }
+    },
+};

From bcaaad38fb3c87a88638939f25a14a4a386e1cb5 Mon Sep 17 00:00:00 2001
From: Mohammad Elwan <mohammadsherifl11@gmail.com>
Date: Mon, 23 Feb 2026 13:42:36 +0100
Subject: [PATCH 05/73] refactor: remove default admin to require setup wizard

---
 .../20260119192356-transform-user-admin.js    | 94 +++++++++++++++++++
 1 file changed, 94 insertions(+)
 create mode 100644 backend/db/migrations/20260119192356-transform-user-admin.js

diff --git a/backend/db/migrations/20260119192356-transform-user-admin.js b/backend/db/migrations/20260119192356-transform-user-admin.js
new file mode 100644
index 000000000..a13b87a14
--- /dev/null
+++ b/backend/db/migrations/20260119192356-transform-user-admin.js
@@ -0,0 +1,94 @@
+'use strict';
+
+const { genSalt, genPwdHash } = require('../../utils/auth');
+
+/**
+ * Names of the 5 Exposé configurations created by basic-configuration (20250919125851).
+ * They are reassigned to Bot (userId 2) before deleting the admin to satisfy the
+ * configuration.userId FK to user. POST /auth/setup-admin then reassigns them to the new admin.
+ */
+const EXPOSE_CONFIG_NAMES = [
+    'Exposé assessment configuration',
+    'Exposé feedback configuration',
+    'UKP Exposé Submission Validator',
+    'Exposé assessment configuration (German)',
+    'Exposé feedback configuration (German)',
+];
+
+/**
+ * Removes the default admin user created by basic-users so the first admin
+ * must be created via the setup wizard. Runs after basic-configuration; the 5
+ * Exposé configs are first reassigned to Bot (userId 2) to satisfy the FK, then
+ * the admin is deleted. POST /auth/setup-admin reassigns them from Bot to the new admin.
+ *
+ * @type {import('sequelize-cli').Migration}
+ */
+module.exports = {
+    async up(queryInterface, Sequelize) {
+        const rows = await queryInterface.sequelize.query(
+            'SELECT id FROM "user" WHERE "userName" = \'admin\' AND "deleted" = false',
+            { type: queryInterface.sequelize.QueryTypes.SELECT }
+        );
+        const admin = rows && rows[0];
+        if (!admin) {
+            return;
+        }
+        const adminId = admin.id;
+        const BOT_USER_ID = 2;
+
+        for (const name of EXPOSE_CONFIG_NAMES) {
+            await queryInterface.sequelize.query(
+                `UPDATE configuration SET "userId" = :botId, "updatedAt" = :now WHERE name = :name AND "userId" = :adminId`,
+                {
+                    replacements: { botId: BOT_USER_ID, adminId, name, now: new Date() },
+                    type: Sequelize.QueryTypes.UPDATE,
+                }
+            );
+        }
+
+        await queryInterface.bulkDelete('user_role_matching', { userId: adminId }, {});
+        await queryInterface.bulkDelete('user', { userName: 'admin' }, {});
+    },
+
+    async down(queryInterface, Sequelize) {
+        const salt = genSalt();
+        const passwordHash = await genPwdHash(process.env.ADMIN_PWD || 'admin', salt);
+        const email = process.env.ADMIN_EMAIL || 'admin@localhost';
+        const now = new Date();
+
+        await queryInterface.bulkInsert('user', [{
+            firstName: 'admin',
+            lastName: 'user',
+            userName: 'admin',
+            email: email,
+            passwordHash: passwordHash,
+            salt: salt,
+            acceptStats: true,
+            acceptTerms: true,
+            deleted: false,
+            createdAt: now,
+            updatedAt: now,
+        }], {});
+
+        const userRows = await queryInterface.sequelize.query(
+            'SELECT id FROM "user" WHERE "userName" = \'admin\'',
+            { type: queryInterface.sequelize.QueryTypes.SELECT }
+        );
+        const roleRows = await queryInterface.sequelize.query(
+            'SELECT id FROM "user_role" WHERE name = \'admin\'',
+            { type: queryInterface.sequelize.QueryTypes.SELECT }
+        );
+        const inserted = userRows && userRows[0];
+        const adminRole = roleRows && roleRows[0];
+        if (inserted && adminRole) {
+            await queryInterface.bulkInsert('user_role_matching', [{
+                userId: inserted.id,
+                userRoleId: adminRole.id,
+                deleted: false,
+                createdAt: now,
+                updatedAt: now,
+                deletedAt: null,
+            }], {});
+        }
+    },
+};

From 59a6fc58c8db47c3f72e8b470bf22d04c3f0a7c9 Mon Sep 17 00:00:00 2001
From: Mohammad Elwan <mohammadsherifl11@gmail.com>
Date: Mon, 23 Feb 2026 13:43:53 +0100
Subject: [PATCH 06/73] feat: add getWizardSettingsByStep and setup config
 route

---
 backend/db/models/setting.js      | 44 +++++++++++++++++++++
 backend/webserver/Server.js       |  1 +
 backend/webserver/routes/setup.js | 64 +++++++++++++++++++++++++++++++
 3 files changed, 109 insertions(+)
 create mode 100644 backend/webserver/routes/setup.js

diff --git a/backend/db/models/setting.js b/backend/db/models/setting.js
index 45ec7e6af..8841cbd79 100644
--- a/backend/db/models/setting.js
+++ b/backend/db/models/setting.js
@@ -48,6 +48,46 @@ module.exports = (sequelize, DataTypes) => {
             }
         }
 
+        /**
+         * Get settings that are shown in the setup wizard, ordered by wizardOrder.
+         * @returns {Promise<object[]>}
+         */
+        static async getWizardSettings() {
+            try {
+                return await Setting.findAll({
+                    where: { showInWizard: true, deleted: false },
+                    order: [['wizardOrder', 'ASC']],
+                    attributes: ['key', 'value', 'type', 'description', 'requiredInWizard', 'wizardStep'],
+                    raw: true,
+                });
+            } catch (e) {
+                console.log(e);
+                return [];
+            }
+        }
+
+        /**
+         * Get wizard settings grouped by wizardStep for frontend consumption.
+         * Settings without wizardStep are placed in 'general'.
+         * @returns {Promise<object>}
+         */
+        static async getWizardSettingsByStep() {
+            try {
+                const settings = await Setting.getWizardSettings();
+                const byStep = { general: [], mail: [], registration: [], moodle: [] };
+                for (const s of settings) {
+                    const step = (s.wizardStep && Object.prototype.hasOwnProperty.call(byStep, s.wizardStep))
+                        ? s.wizardStep
+                        : 'general';
+                    byStep[step].push(s);
+                }
+                return byStep;
+            } catch (e) {
+                console.log(e);
+                return { general: [], mail: [], registration: [], moodle: [] };
+            }
+        }
+
         /**
          * Set setting value by key
          * @param {string} key setting key
@@ -78,6 +118,10 @@ module.exports = (sequelize, DataTypes) => {
         type: DataTypes.STRING,
         description: DataTypes.STRING,
         onlyAdmin: DataTypes.BOOLEAN,
+        showInWizard: DataTypes.BOOLEAN,
+        wizardOrder: DataTypes.INTEGER,
+        requiredInWizard: DataTypes.BOOLEAN,
+        wizardStep: DataTypes.STRING,
         deleted: DataTypes.BOOLEAN,
         deletedAt: DataTypes.DATE
 
diff --git a/backend/webserver/Server.js b/backend/webserver/Server.js
index 7fd46df6f..3199f5cbe 100644
--- a/backend/webserver/Server.js
+++ b/backend/webserver/Server.js
@@ -80,6 +80,7 @@ module.exports = class Server {
         this.logger.debug("Initializing Routes for config...");
         require("./routes/config")(this);
         require('./routes/auth')(this);
+        require("./routes/setup")(this);
 
         // all further urls reference to frontend
         this.app.use("/*", express.static(`${__dirname}/../../dist/index.html`));
diff --git a/backend/webserver/routes/setup.js b/backend/webserver/routes/setup.js
new file mode 100644
index 000000000..918bb39d5
--- /dev/null
+++ b/backend/webserver/routes/setup.js
@@ -0,0 +1,64 @@
+/**
+ * Setup wizard routes. GET /setup/config returns needsSetup, steps, wizardSettings, and
+ * wizardSettingsByStep when no admin exists (first-time setup) or when ?reRun=true with an
+ * authenticated admin (re-run wizard). When setup is not needed, returns empty steps and settings.
+ *
+ * @author Mohammad Elwan
+ */
+
+/**
+ * Register setup routes
+ * @param {import("../Server").Server} server
+ */
+module.exports = function (server) {
+    /**
+     * GET /setup/config
+     * Returns wizard config for first-time setup or re-run. needsSetup is true when no admin exists.
+     * When setup is needed (or reRun=true with an admin): steps, wizardSettings,
+     * and wizardSettingsByStep (grouped by general, mail, registration, moodle).
+     * When setup is not needed: empty steps and wizardSettings.
+     */
+    server.app.get("/setup/config", async function (req, res) {
+        try {
+            const admins = await server.db.models["user"].getUsersByRole("admin");
+            const needsSetup = admins.length === 0;
+
+            // reRun=true: admin only; return steps, wizardSettings, wizardSettingsByStep for re-run.
+            if (req.query.reRun === "true" && req.user) {
+                const isAdmin = admins.some((a) => a.id === req.user.id);
+                if (isAdmin) {
+                    const WizardStep = server.db.models["wizard_step"];
+                    const steps = await WizardStep.findAll({
+                        where: { deleted: false },
+                        order: [["order", "ASC"]],
+                        attributes: ["key", "title", "description", "type", "order"],
+                        raw: true,
+                    });
+                    const wizardSettings = await server.db.models["setting"].getWizardSettings();
+                    const wizardSettingsByStep = await server.db.models["setting"].getWizardSettingsByStep();
+                    return res.status(200).json({ needsSetup: false, steps, wizardSettings, wizardSettingsByStep });
+                }
+            }
+
+            if (!needsSetup) {
+                return res.status(200).json({ needsSetup: false, steps: [], wizardSettings: [] });
+            }
+
+            const WizardStep = server.db.models["wizard_step"];
+            const steps = await WizardStep.findAll({
+                where: { deleted: false },
+                order: [["order", "ASC"]],
+                attributes: ["key", "title", "description", "type", "order"],
+                raw: true,
+            });
+
+            const wizardSettings = await server.db.models["setting"].getWizardSettings();
+            const wizardSettingsByStep = await server.db.models["setting"].getWizardSettingsByStep();
+
+            return res.status(200).json({ needsSetup: true, steps, wizardSettings, wizardSettingsByStep });
+        } catch (err) {
+            server.logger.error("GET /setup/config error: " + err);
+            return res.status(500).json({ message: "Internal server error." });
+        }
+    });
+};

From b3eb522c63f67d43827aeeca7d6031a6717b0386 Mon Sep 17 00:00:00 2001
From: Mohammad Elwan <mohammadsherifl11@gmail.com>
Date: Mon, 23 Feb 2026 13:45:06 +0100
Subject: [PATCH 07/73] feat: add setup wizard support to auth routes (check,
 setup-admin)

---
 backend/webserver/routes/auth.js | 121 +++++++++++++++++++++++++++++--
 1 file changed, 113 insertions(+), 8 deletions(-)

diff --git a/backend/webserver/routes/auth.js b/backend/webserver/routes/auth.js
index 143d0a3fc..8f5529f26 100644
--- a/backend/webserver/routes/auth.js
+++ b/backend/webserver/routes/auth.js
@@ -7,7 +7,7 @@
  * @author Nils Dycke, Dennis Zyska
  */
 const passport = require('passport');
-const { generateToken, decodeToken } = require('../../utils/auth');
+const { generateToken, decodeToken, relevantFields } = require('../../utils/auth');
 
 /**
  * Route for user management
@@ -136,16 +136,121 @@ module.exports = function (server) {
     })
 
     /**
-     * Check whether user is logged in
+     * Check whether user is logged in. If not logged in and no admin exists, returns needsSetup for the setup wizard.
      */
-    server.app.get('/auth/check', function (req, res) {
-        if (req.user) {
-            res.status(200).send({user: req.user});
-        } else {
-            res.status(401);
-        }
+    server.app.get('/auth/check', async function (req, res) {
         server.logger.debug(`req.session.passport: ${JSON.stringify(req.session.passport)}`);
         server.logger.debug(`req.user: ${JSON.stringify(req.user)}`);
+        if (req.user) {
+            const wizardCompleted = (await server.db.models['setting'].get('app.setup.wizardCompleted')) === 'true';
+            return res.status(200).send({ user: req.user, wizardCompleted });
+        }
+        try {
+            const admins = await server.db.models['user'].getUsersByRole('admin');
+            if (admins.length === 0) {
+                return res.status(200).send({ needsSetup: true });
+            }
+        } catch (err) {
+            server.logger.error('Error checking admin in /auth/check: ' + err);
+        }
+        res.status(401).send();
+    });
+
+    /**
+     * Create the first admin account (setup wizard step 1). Allowed only when no admin exists.
+     * Reassigns the 5 Exposé configurations from Bot (userId=2) to the new admin.
+     */
+    server.app.post('/auth/setup-admin', async function (req, res) {
+        const { userName, email, password } = req.body || {};
+
+        try {
+            const admins = await server.db.models['user'].getUsersByRole('admin');
+            if (admins.length > 0) {
+                return res.status(403).json({ message: 'An admin account already exists.' });
+            }
+
+            if (!userName || (typeof userName === 'string' && !userName.trim())) {
+                return res.status(400).json({ message: 'Please provide a user name.' });
+            }
+            const existingByName = await server.db.models['user'].getUserIdByName(userName);
+            if (existingByName !== 0) {
+                return res.status(400).json({ message: 'Username already taken.' });
+            }
+
+            if (!email || (typeof email === 'string' && !email.trim())) {
+                return res.status(400).json({ message: 'Please provide an email.' });
+            }
+            const emailRegex = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;
+            if (!emailRegex.test(email)) {
+                return res.status(400).json({ message: 'Please provide a valid email.' });
+            }
+            const existingByEmail = await server.db.models['user'].getUserIdByEmail(email);
+            if (existingByEmail !== 0) {
+                return res.status(400).json({ message: 'E-Mail already taken.' });
+            }
+
+            if (!password || (typeof password === 'string' && password.length < 8)) {
+                return res.status(400).json({ message: 'Password does not meet requirements (min 8 characters).' });
+            }
+
+            const User = server.db.models['user'];
+            const Configuration = server.db.models['configuration'];
+            const { Op } = server.db.Sequelize;
+
+            const EXPOSE_CONFIG_NAMES = [
+                'Exposé assessment configuration',
+                'Exposé feedback configuration',
+                'UKP Exposé Submission Validator',
+                'Exposé assessment configuration (German)',
+                'Exposé feedback configuration (German)',
+            ];
+            const BOT_USER_ID = 2;
+
+            const transaction = await User.sequelize.transaction();
+            try {
+                const user = await User.add(
+                    {
+                        userName: userName.trim(),
+                        email: email.trim(),
+                        password,
+                        firstName: userName.trim(),
+                        lastName: 'User',
+                        acceptTerms: true,
+                        acceptStats: true,
+                        emailVerified: true,
+                    },
+                    { transaction, context: { userRoles: 'admin' } }
+                );
+
+                await Configuration.update(
+                    { userId: user.id },
+                    {
+                        where: {
+                            name: { [Op.in]: EXPOSE_CONFIG_NAMES },
+                            userId: BOT_USER_ID,
+                        },
+                        transaction,
+                    }
+                );
+
+                await transaction.commit();
+
+                req.logIn(user, function (err) {
+                    if (err) {
+                        server.logger.error('setup-admin logIn error: ' + err);
+                        return res.status(500).json({ message: 'Failed to complete setup.' });
+                    }
+                    return res.status(200).json({ user: relevantFields(user) });
+                });
+            } catch (err) {
+                await transaction.rollback();
+                server.logger.error('Cannot create setup admin: ' + err);
+                return res.status(400).json({ message: 'Failed to create admin.', error: err.message });
+            }
+        } catch (err) {
+            server.logger.error('setup-admin error: ' + err);
+            return res.status(500).json({ message: 'Internal server error.' });
+        }
     });
 
     /**

From e427b62b7255f819474c4f1ff16bc31b972dfe8d Mon Sep 17 00:00:00 2001
From: Mohammad Elwan <mohammadsherifl11@gmail.com>
Date: Mon, 23 Feb 2026 13:45:28 +0100
Subject: [PATCH 08/73] feat: add Collapsible form component for sections

---
 frontend/src/basic/form/Collapsible.vue | 85 +++++++++++++++++++++++++
 1 file changed, 85 insertions(+)
 create mode 100644 frontend/src/basic/form/Collapsible.vue

diff --git a/frontend/src/basic/form/Collapsible.vue b/frontend/src/basic/form/Collapsible.vue
new file mode 100644
index 000000000..9c1aee0bb
--- /dev/null
+++ b/frontend/src/basic/form/Collapsible.vue
@@ -0,0 +1,85 @@
+<template>
+  <div class="card my-3">
+    <div class="card-header collapsible-header" style="cursor: pointer" @click="toggleCollapse">
+      <LoadIcon :icon-name="isCollapsed ? 'arrow-right-short' : 'arrow-down-short'" class="me-1"></LoadIcon>
+      <span class="collapsible-title">{{ title }}</span>
+      <span v-if="description" class="text-secondary ms-2 collapsible-description">
+        {{ description }}
+      </span>
+    </div>
+    <div v-if="!isCollapsed" class="card-body">
+      <slot></slot>
+    </div>
+  </div>
+</template>
+
+<script>
+import LoadIcon from "@/basic/Icon.vue";
+
+/**
+ * Collapsible - Card-based collapsible section for forms.
+ * Used to group optional/advanced fields (e.g. Mail step SMTP/sendmail config) to reduce clutter.
+ *
+ * @param {string} [title] - Section title (default: "Advanced Settings")
+ * @param {string} [description] - Optional description shown next to the title
+ * @param {boolean} [collapsed] - Initial collapsed state (default: true)
+ */
+export default {
+  name: "Collapsible",
+  components: { LoadIcon },
+  props: {
+    title: {
+      type: String,
+      default: "Advanced Settings"
+    },
+    description: {
+      type: String,
+      required: false,
+      default: null
+    },
+    collapsed: {
+      type: Boolean,
+      default: true
+    }
+  },
+  data() {
+    return {
+      isCollapsed: true
+    };
+  },
+  watch: {
+    collapsed: {
+      immediate: true,
+      handler(newVal) {
+        this.isCollapsed = newVal;
+      }
+    }
+  },
+  methods: {
+    toggleCollapse() {
+      this.isCollapsed = !this.isCollapsed;
+    }
+  }
+};
+</script>
+
+<style scoped>
+.card-header {
+  user-select: none;
+}
+
+.collapsible-header {
+  font-size: 1.1rem;
+  font-weight: 600;
+}
+
+.collapsible-title {
+  font-size: 1.1rem;
+  font-weight: 600;
+}
+
+.collapsible-description {
+  font-size: 0.9rem;
+  font-weight: 400;
+}
+</style>

From 0736ee8b54af218a702c3d135427d05e1f18746f Mon Sep 17 00:00:00 2001
From: Mohammad Elwan <mohammadsherifl11@gmail.com>
Date: Mon, 23 Feb 2026 13:46:40 +0100
Subject: [PATCH 09/73] feat: add SetupWizard with 6 steps, collapsibles, and
 JSON import modal

---
 frontend/src/auth/SetupWizard.vue | 1179 +++++++++++++++++++++++++++++
 1 file changed, 1179 insertions(+)
 create mode 100644 frontend/src/auth/SetupWizard.vue

diff --git a/frontend/src/auth/SetupWizard.vue b/frontend/src/auth/SetupWizard.vue
new file mode 100644
index 000000000..a578e490a
--- /dev/null
+++ b/frontend/src/auth/SetupWizard.vue
@@ -0,0 +1,1179 @@
+<template>
+  <div class="setup-wizard">
+    <div class="col-md-10 mx-auto my-4">
+      <div class="text-center mb-4">
+        <IconAsset :height="160" name="logo" />
+      </div>
+
+      <!-- Stepper -->
+      <div v-if="displaySteps.length" class="stepper mb-4">
+        <div
+          v-for="(step, index) in displaySteps"
+          :key="step.key"
+          :class="{ active: currentStep === index }"
+          :data-index="index + 1"
+        >
+          {{ step.title }}
+        </div>
+      </div>
+
+      <!-- Step: Admin -->
+      <div v-show="displaySteps[currentStep]?.type === 'admin'" class="card">
+        <div class="card-header step-card-header">Setup – Create admin account</div>
+        <div class="card-body mx-4 my-4">
+          <template v-if="adminCreatedThisSession">
+            <p class="text-muted mb-3">
+              The administrator account has been created. Continue to configure settings.
+            </p>
+            <button class="btn btn-primary" type="button" @click="currentStep++">
+              Continue
+            </button>
+          </template>
+          <template v-else>
+            <p class="text-muted mb-3">
+              No administrator account exists. Create one to finish setting up CARE.
+            </p>
+            <p v-if="showError" class="text-danger text-center">{{ errorMessage }}</p>
+            <form @submit.prevent="submitAdmin">
+            <div class="form-group row my-2">
+              <label class="col-md-4 col-form-label text-md-right" for="setup-username">Username</label>
+              <div class="col-md-6">
+                <input
+                  id="setup-username"
+                  v-model="formData.userName"
+                  autocomplete="username"
+                  class="form-control"
+                  placeholder="admin"
+                  type="text"
+                  @blur="checkVal('userName')"
+                />
+                <div class="feedback-invalid" :class="{invalid: validity['userName'] && !validUserName}">
+                  Please provide a user name.
+                </div>
+              </div>
+            </div>
+            <div class="form-group row my-2">
+              <label class="col-md-4 col-form-label text-md-right" for="setup-email">Email</label>
+              <div class="col-md-6">
+                <input
+                  id="setup-email"
+                  v-model="formData.email"
+                  autocomplete="email"
+                  class="form-control"
+                  placeholder="admin@example.com"
+                  type="email"
+                  @blur="checkVal('email')"
+                />
+                <div class="feedback-invalid" :class="{invalid: validity['email'] && !validEmail}">
+                  Please provide a valid email.
+                </div>
+              </div>
+            </div>
+            <div class="form-group row my-2">
+              <label class="col-md-4 col-form-label text-md-right" for="setup-password">Password</label>
+              <div class="col-md-6">
+                <input
+                  id="setup-password"
+                  v-model="formData.password"
+                  autocomplete="new-password"
+                  class="form-control"
+                  placeholder="Min. 8 characters"
+                  type="password"
+                  @blur="checkVal('password')"
+                />
+                <div class="feedback-invalid" :class="{invalid: validity['password'] && !validPassword}">
+                  Please provide a password of at least 8 characters.
+                </div>
+              </div>
+            </div>
+            <div class="col-md-6 offset-md-4 my-4">
+              <button class="btn btn-primary" type="submit">Create admin and continue</button>
+            </div>
+          </form>
+          </template>
+        </div>
+      </div>
+
+      <!-- Step: General -->
+      <div v-show="displaySteps[currentStep]?.type === 'general'" class="card">
+        <div class="card-header step-card-header d-flex justify-content-between align-items-center">
+          General Settings
+          <button
+            class="btn btn-outline-secondary btn-sm"
+            type="button"
+            title="Import settings from a JSON file (overrides form values)"
+            @click="openImportModal"
+          >
+            Import JSON
+          </button>
+        </div>
+        <div class="card-body mx-4 my-4">
+          <p v-if="showError" class="text-danger text-center">{{ errorMessage }}</p>
+
+          <template v-if="settingsFromFile && Object.keys(settingsFromFile).length > 0">
+            <p class="text-success mb-2">
+              Loaded {{ Object.keys(settingsFromFile).length }} setting(s) from file. Click Next to continue to the summary.
+            </p>
+            <button
+              class="btn btn-link btn-sm p-0 text-secondary"
+              type="button"
+              @click="clearImport"
+            >
+              Clear and configure manually instead
+            </button>
+          </template>
+          <template v-else>
+            <p class="text-muted mb-3">
+              Configure copyright notice, consent requirements, guest access, study mode, and links shown on the landing page.
+            </p>
+
+            <FormCollapsible
+              v-for="group in generalFieldGroups"
+              :key="group.title"
+              :title="group.title"
+              :collapsed="true"
+              class="mb-3"
+            >
+              <div
+                v-for="s in group.settings"
+                :key="s.key"
+                class="form-group row my-2"
+              >
+                <label
+                  class="col-md-4 col-form-label text-md-right"
+                  :for="'set-' + s.key"
+                  @click="(s.type === 'boolean' || s.type === 'bool') && $event.preventDefault()"
+                >
+                  {{ settingLabel(s.key) }}
+                </label>
+                <div class="col-md-6 d-flex align-items-start">
+                  <template v-if="s.type === 'boolean' || s.type === 'bool'">
+                    <div class="form-check form-switch">
+                      <input
+                        :id="'set-' + s.key"
+                        :checked="formSettings[s.key] === 'true'"
+                        class="form-check-input"
+                        type="checkbox"
+                        @change="formSettings[s.key] = $event.target.checked ? 'true' : 'false'"
+                      />
+                    </div>
+                  </template>
+                  <template v-else-if="s.type === 'edits'">
+                    <textarea
+                      :id="'set-' + s.key"
+                      v-model="formSettings[s.key]"
+                      class="form-control w-100"
+                      rows="2"
+                    />
+                  </template>
+                  <input
+                    v-else
+                    :id="'set-' + s.key"
+                    v-model="formSettings[s.key]"
+                    class="form-control"
+                    type="text"
+                  />
+                  <FormHelp v-if="s.description" :help="s.description" class="ms-1" />
+                </div>
+                <div v-if="s.requiredInWizard" class="col-md-6 offset-md-4">
+                  <div class="feedback-invalid" :class="{invalid: settingsTouched && !(formSettings[s.key] != null && String(formSettings[s.key]).trim() !== '')}">
+                    This field is required.
+                  </div>
+                </div>
+              </div>
+            </FormCollapsible>
+          </template>
+
+          <div class="d-flex justify-content-between mt-4">
+            <button v-if="currentStep > 0" class="btn btn-secondary" type="button" @click="onPrevious">Previous</button>
+            <button
+              class="btn btn-primary"
+              :class="{ 'ms-auto': currentStep === 0 }"
+              type="button"
+              @click="onStepNext"
+            >
+              Next
+            </button>
+          </div>
+        </div>
+      </div>
+
+      <!-- Step: Mail -->
+      <div v-show="displaySteps[currentStep]?.type === 'mail'" class="card">
+        <div class="card-header step-card-header">Mail Configuration</div>
+        <div class="card-body mx-4 my-4">
+          <p v-if="showError" class="text-danger text-center">{{ errorMessage }}</p>
+
+          <div class="form-check form-switch mb-3">
+            <input
+              id="mail-enabled"
+              :checked="formSettings['system.mailService.enabled'] === 'true'"
+              class="form-check-input"
+              type="checkbox"
+              @change="formSettings['system.mailService.enabled'] = $event.target.checked ? 'true' : 'false'"
+            />
+            <label class="form-check-label" for="mail-enabled" @click.prevent>
+              Enable email service (required for password reset and email verification)
+            </label>
+          </div>
+
+          <template v-if="formSettings['system.mailService.enabled'] === 'true'">
+            <FormCollapsible
+              title="Email delivery configuration"
+              description="Choose Sendmail or SMTP. If both are enabled, Sendmail takes precedence."
+              :collapsed="true"
+              class="mb-3"
+            >
+              <div class="form-check form-switch mb-3">
+                <input
+                  id="sendmail-enabled"
+                  :checked="formSettings['system.mailService.sendMail.enabled'] === 'true'"
+                  class="form-check-input"
+                  type="checkbox"
+                  @change="formSettings['system.mailService.sendMail.enabled'] = $event.target.checked ? 'true' : 'false'"
+                />
+                <label class="form-check-label" for="sendmail-enabled" @click.prevent>
+                  Use Sendmail (Unix system mail command)
+                </label>
+                <FormHelp
+                  :help="'If enabled, Sendmail is used for outgoing mail even when SMTP is also enabled.'"
+                  class="ms-1"
+                />
+              </div>
+              <FormCollapsible
+                v-if="formSettings['system.mailService.sendMail.enabled'] === 'true'"
+                title="Sendmail settings"
+                description="Path to the sendmail binary on your system"
+                :collapsed="false"
+              >
+                <div
+                  v-for="s in sendmailSettings"
+                  :key="s.key"
+                  class="form-group row my-2"
+                >
+                  <label
+                    class="col-md-4 col-form-label text-md-right"
+                    :for="'set-' + s.key"
+                    @click="(s.type === 'boolean' || s.type === 'bool') && $event.preventDefault()"
+                  >
+                    {{ settingLabel(s.key) }}
+                  </label>
+                  <div class="col-md-6 d-flex align-items-start">
+                    <input
+                      :id="'set-' + s.key"
+                      v-model="formSettings[s.key]"
+                      class="form-control"
+                      type="text"
+                    />
+                    <FormHelp v-if="s.description" :help="s.description" class="ms-1" />
+                  </div>
+                </div>
+              </FormCollapsible>
+
+              <div class="form-check form-switch mb-3 mt-3">
+                <input
+                  id="smtp-enabled"
+                  :checked="formSettings['system.mailService.smtp.enabled'] === 'true'"
+                  class="form-check-input"
+                  type="checkbox"
+                  @change="formSettings['system.mailService.smtp.enabled'] = $event.target.checked ? 'true' : 'false'"
+                />
+                <label class="form-check-label" for="smtp-enabled" @click.prevent>
+                  Use SMTP server
+                </label>
+                <FormHelp
+                  :help="'Used only when Sendmail is disabled. Configure your SMTP host and credentials.'"
+                  class="ms-1"
+                />
+              </div>
+              <FormCollapsible
+                v-if="formSettings['system.mailService.smtp.enabled'] === 'true'"
+                title="SMTP settings"
+                description="Host, port, and authentication for your SMTP server"
+                :collapsed="false"
+              >
+                <div
+                  v-for="s in smtpSettings"
+                  :key="s.key"
+                  class="form-group row my-2"
+                >
+                  <label
+                    class="col-md-4 col-form-label text-md-right"
+                    :for="'set-' + s.key"
+                    @click="(s.type === 'boolean' || s.type === 'bool') && $event.preventDefault()"
+                  >
+                    {{ settingLabel(s.key) }}
+                  </label>
+                  <div class="col-md-6 d-flex align-items-start">
+                    <template v-if="s.type === 'boolean' || s.type === 'bool'">
+                      <div class="form-check form-switch">
+                        <input
+                          :id="'set-' + s.key"
+                          :checked="formSettings[s.key] === 'true'"
+                          class="form-check-input"
+                          type="checkbox"
+                          @change="formSettings[s.key] = $event.target.checked ? 'true' : 'false'"
+                        />
+                      </div>
+                    </template>
+                    <input
+                      v-else
+                      :id="'set-' + s.key"
+                      v-model="formSettings[s.key]"
+                      class="form-control"
+                      type="text"
+                    />
+                    <FormHelp v-if="s.description" :help="s.description" class="ms-1" />
+                  </div>
+                </div>
+              </FormCollapsible>
+
+              <FormCollapsible
+                title="Sender and application URL"
+                description="Required for all outgoing emails: the From address and base URL for links"
+                :collapsed="true"
+                class="mt-3"
+              >
+                <div class="form-group row my-2">
+                  <label class="col-md-4 col-form-label text-md-right" for="set-sender-address">
+                    {{ settingLabel("system.mailService.senderAddress") }}
+                  </label>
+                  <div class="col-md-6 d-flex align-items-start">
+                    <input
+                      id="set-sender-address"
+                      v-model="formSettings['system.mailService.senderAddress']"
+                      class="form-control"
+                      type="text"
+                    />
+                    <FormHelp
+                      :help="'The From address used for all outgoing emails.'"
+                      class="ms-1"
+                    />
+                  </div>
+                </div>
+                <div class="form-group row my-2">
+                  <label class="col-md-4 col-form-label text-md-right" for="set-base-url">
+                    {{ settingLabel("system.baseUrl") }}
+                  </label>
+                  <div class="col-md-6 d-flex align-items-start">
+                    <input
+                      id="set-base-url"
+                      v-model="formSettings['system.baseUrl']"
+                      class="form-control"
+                      type="text"
+                    />
+                    <FormHelp
+                      :help="'Base URL of this application (e.g. https://care.example.com). Required for password reset and email verification links.'"
+                      class="ms-1"
+                    />
+                  </div>
+                </div>
+              </FormCollapsible>
+            </FormCollapsible>
+            <FormCollapsible
+              title="Features that use email"
+              description="Optional features that require the email service to be enabled"
+              :collapsed="true"
+              class="mb-3 mt-3"
+            >
+              <div class="form-check form-switch">
+                <input
+                  id="forgot-password"
+                  :checked="formSettings['app.login.forgotPassword'] === 'true'"
+                  class="form-check-input"
+                  type="checkbox"
+                  @change="formSettings['app.login.forgotPassword'] = $event.target.checked ? 'true' : 'false'"
+                />
+                <label class="form-check-label" for="forgot-password" @click.prevent>
+                  Allow users to reset their password via email
+                </label>
+              </div>
+            </FormCollapsible>
+          </template>
+
+          <div class="d-flex justify-content-between mt-4">
+            <button class="btn btn-secondary" type="button" @click="onPrevious">Previous</button>
+            <button class="btn btn-primary ms-auto" type="button" @click="onStepNext">
+              Next
+            </button>
+          </div>
+        </div>
+      </div>
+
+      <!-- Step: Registration -->
+      <div v-show="displaySteps[currentStep]?.type === 'registration'" class="card">
+        <div class="card-header step-card-header">User Registration</div>
+        <div class="card-body mx-4 my-4">
+          <p v-if="showError" class="text-danger text-center">{{ errorMessage }}</p>
+          <p class="text-muted mb-3">
+            Configure which information and consents are requested from users during registration.
+          </p>
+
+          <FormCollapsible
+            v-for="group in registrationFieldGroups"
+            :key="group.title"
+            :title="group.title"
+            :collapsed="true"
+            class="mb-3"
+          >
+            <div
+              v-for="s in group.settings"
+              :key="s.key"
+              class="form-group row my-2"
+            >
+              <label
+                class="col-md-4 col-form-label text-md-right"
+                :for="'set-' + s.key"
+                @click="(s.type === 'boolean' || s.type === 'bool') && $event.preventDefault()"
+              >
+                {{ settingLabel(s.key) }}
+              </label>
+              <div class="col-md-6 d-flex align-items-start">
+                <template v-if="s.type === 'boolean' || s.type === 'bool'">
+                  <div class="form-check form-switch">
+                    <input
+                      :id="'set-' + s.key"
+                      :checked="formSettings[s.key] === 'true'"
+                      class="form-check-input"
+                      type="checkbox"
+                      @change="formSettings[s.key] = $event.target.checked ? 'true' : 'false'"
+                    />
+                  </div>
+                </template>
+                <template v-else-if="s.type === 'edits'">
+                  <textarea
+                    :id="'set-' + s.key"
+                    v-model="formSettings[s.key]"
+                    class="form-control w-100"
+                    rows="2"
+                  />
+                </template>
+                <input
+                  v-else
+                  :id="'set-' + s.key"
+                  v-model="formSettings[s.key]"
+                  class="form-control"
+                  type="text"
+                />
+                <FormHelp
+                  v-if="settingDescription(s.key) || s.description"
+                  :help="settingDescription(s.key) || s.description"
+                  class="ms-1"
+                />
+              </div>
+            </div>
+          </FormCollapsible>
+          <FormCollapsible
+            v-if="mailEnabled"
+            title="Email verification"
+            description="Require new users to verify their email before accessing the application"
+            :collapsed="true"
+            class="mb-3"
+          >
+            <div class="form-group row my-2">
+              <label class="col-md-4 col-form-label text-md-right" for="email-verification-reg" @click.prevent>
+                {{ settingLabel("app.register.emailVerification") }}
+              </label>
+              <div class="col-md-6 d-flex align-items-start">
+                <div class="form-check form-switch">
+                  <input
+                    id="email-verification-reg"
+                    :checked="formSettings['app.register.emailVerification'] === 'true'"
+                    class="form-check-input"
+                    type="checkbox"
+                    @change="formSettings['app.register.emailVerification'] = $event.target.checked ? 'true' : 'false'"
+                  />
+                </div>
+                <FormHelp
+                  :help="'Require new users to verify their email address before accessing the application.'"
+                  class="ms-1"
+                />
+              </div>
+            </div>
+          </FormCollapsible>
+
+          <div class="d-flex justify-content-between mt-4">
+            <button class="btn btn-secondary" type="button" @click="onPrevious">Previous</button>
+            <button class="btn btn-primary ms-auto" type="button" @click="onStepNext">
+              Next
+            </button>
+          </div>
+        </div>
+      </div>
+
+      <!-- Step: Moodle -->
+      <div v-show="displaySteps[currentStep]?.type === 'moodle'" class="card">
+        <div class="card-header step-card-header d-flex align-items-center">
+          Moodle Integration
+          <span class="badge bg-secondary ms-2">Optional</span>
+        </div>
+        <div class="card-body mx-4 my-4">
+          <p v-if="showError" class="text-danger text-center">{{ errorMessage }}</p>
+          <div class="alert alert-info mb-3 py-2" role="alert">
+            <strong>This step is optional.</strong> Configure it only if you use Moodle. You can skip it now and configure Moodle integration later in Settings.
+          </div>
+
+          <div v-for="group in moodleFieldGroups" :key="group.title" class="mb-4">
+            <h6 class="step-group-heading text-muted border-bottom pb-1 mb-3">{{ group.title }}</h6>
+            <div
+              v-for="s in group.settings"
+              :key="s.key"
+              class="form-group row my-2"
+            >
+              <label
+                class="col-md-4 col-form-label text-md-right"
+                :for="'set-' + s.key"
+                @click="(s.type === 'boolean' || s.type === 'bool') && $event.preventDefault()"
+              >
+                {{ settingLabel(s.key) }}
+              </label>
+              <div class="col-md-6 d-flex align-items-start">
+                <input
+                  :id="'set-' + s.key"
+                  v-model="formSettings[s.key]"
+                  class="form-control"
+                  type="text"
+                />
+                <FormHelp v-if="s.description" :help="s.description" class="ms-1" />
+              </div>
+            </div>
+          </div>
+
+          <div class="d-flex justify-content-between mt-4">
+            <button class="btn btn-secondary" type="button" @click="onPrevious">Previous</button>
+            <button class="btn btn-primary ms-auto" type="button" @click="onStepNext">
+              Next
+            </button>
+          </div>
+        </div>
+      </div>
+
+      <!-- Step: Summary -->
+      <div v-show="displaySteps[currentStep]?.type === 'summary'" class="card">
+        <div class="card-header step-card-header">Summary</div>
+        <div class="card-body mx-4 my-4">
+          <p class="text-muted mb-3">Review your choices before finishing.</p>
+
+          <FormCollapsible
+            v-if="!hasAdmin"
+            title="Admin"
+            :collapsed="false"
+            class="mb-3"
+          >
+            <ul class="list-unstyled mb-0">
+              <li><strong>Username:</strong> {{ formData.userName || "—" }}</li>
+              <li><strong>Email:</strong> {{ formData.email || "—" }}</li>
+              <li><strong>Password:</strong> Password set</li>
+            </ul>
+          </FormCollapsible>
+
+          <FormCollapsible
+            v-for="group in summaryFieldGroups"
+            :key="group.title"
+            :title="group.title"
+            :collapsed="false"
+            class="mb-3"
+          >
+            <ul class="list-unstyled ms-2 mb-0">
+              <li v-for="s in group.settings" :key="s.key">
+                <strong>{{ settingLabel(s.key) }}:</strong> {{ summarySettingValue(s.key) }}
+              </li>
+            </ul>
+          </FormCollapsible>
+
+          <div v-if="settingsFromFile && Object.keys(settingsFromFile).length" class="mt-4">
+            <button
+              class="btn btn-link p-0 text-secondary"
+              type="button"
+              @click="showFileSettings = !showFileSettings"
+            >
+              {{ showFileSettings ? "▼" : "▶" }} Additional settings from file ({{ Object.keys(settingsFromFile).length }})
+            </button>
+            <ul v-show="showFileSettings" class="list-unstyled mt-2 ms-3 small">
+              <li v-for="(v, k) in settingsFromFile" :key="k"><strong>{{ k }}:</strong> {{ v }}</li>
+            </ul>
+          </div>
+
+          <div class="d-flex justify-content-between mt-4">
+            <button v-if="currentStep > 0" class="btn btn-secondary" type="button" @click="onPrevious">Previous</button>
+            <button
+              class="btn btn-primary"
+              :class="{ 'ms-auto': currentStep === 0 }"
+              type="button"
+              :disabled="finishing"
+              @click="finish"
+            >
+              {{ finishing ? "Saving…" : "Finish" }}
+            </button>
+          </div>
+        </div>
+      </div>
+
+      <!-- Import JSON Modal -->
+      <Modal ref="importModal" name="wizardImportSettings">
+        <template #title>Import Settings</template>
+        <template #body>
+          <p class="mb-2">
+            Select a JSON file with settings. Loaded values will override the form and skip the following steps: Mail, Registration, and Moodle.
+          </p>
+          <input
+            ref="jsonFileInput"
+            type="file"
+            class="form-control"
+            accept=".json"
+            @change="onJsonFileChange"
+          />
+          <p v-if="importError" class="text-danger small mt-2 mb-0">{{ importError }}</p>
+        </template>
+        <template #footer>
+          <button
+            class="btn btn-secondary me-2"
+            type="button"
+            :disabled="importing"
+            @click="$refs.importModal.close()"
+          >
+            Close
+          </button>
+          <button
+            class="btn btn-primary"
+            type="button"
+            :disabled="!importFile || importing"
+            @click="confirmImport"
+          >
+            <span
+              v-if="importing"
+              class="spinner-border spinner-border-sm me-1"
+              role="status"
+              aria-hidden="true"
+            />
+            Import
+          </button>
+        </template>
+      </Modal>
+    </div>
+  </div>
+</template>
+
+<script>
+/**
+ * First-time setup wizard: Admin, General (with optional JSON import), Mail, Registration, Moodle, Summary.
+ * Fetches /setup/config for steps and wizardSettings. On Finish, calls settingSave and redirects.
+ *
+ * @author CARE
+ */
+import IconAsset from "@/basic/icon/IconAsset.vue";
+import FormHelp from "@/basic/form/Help.vue";
+import FormCollapsible from "@/basic/form/Collapsible.vue";
+import Modal from "@/basic/Modal.vue";
+import axios from "axios";
+import getServerURL from "@/assets/serverUrl";
+
+/** User-facing labels for setting keys hardcoded for now later will create db migration to change to more descriptive labels*/
+const SETTING_LABELS = {
+  "app.config.copyright": "Copyright notice",
+  "app.config.consent.enabled": "Require consent before first use",
+  "app.login.guest": "Allow guest login",
+  "app.login.forgotPassword": "Enable forgot password",
+  "app.study.enabled": "Enable study mode",
+  "app.landing.showDocs": "Show documentation link",
+  "app.landing.linkDocs": "Documentation URL",
+  "app.landing.showProject": "Show project link",
+  "app.landing.linkProject": "Project URL",
+  "app.landing.showFeedback": "Show feedback link",
+  "app.landing.linkFeedback": "Feedback URL",
+  "system.mailService.enabled": "Enable email service",
+  "system.mailService.senderAddress": "Sender address",
+  "system.mailService.sendMail.enabled": "Use Sendmail",
+  "system.mailService.sendMail.path": "Path to sendmail binary",
+  "system.mailService.smtp.enabled": "Use SMTP",
+  "system.mailService.smtp.host": "SMTP host",
+  "system.mailService.smtp.port": "SMTP port",
+  "system.mailService.smtp.secure": "Use secure connection (TLS)",
+  "system.mailService.smtp.auth.enabled": "SMTP authentication",
+  "system.mailService.smtp.auth.user": "SMTP username",
+  "system.mailService.smtp.auth.pass": "SMTP password",
+  "system.baseUrl": "Application base URL",
+  "app.register.emailVerification": "Require email verification",
+  "app.register.requestName": "Ask for display name at registration",
+  "app.register.requestStats": "Ask for usage statistics consent at registration",
+  "app.register.requestData": "Ask for annotation data sharing consent at registration",
+  "app.register.acceptStats.default": "Pre-select statistics consent checkbox for new users",
+  "app.register.acceptDataSharing.default": "Pre-select data sharing consent checkbox for new users",
+  "app.register.terms": "Terms and conditions (URL or text)",
+  "rpc.moodleAPI.apiUrl": "Moodle API URL",
+  "rpc.moodleAPI.apiKey": "Moodle API key",
+  "rpc.moodleAPI.courseID": "Moodle course ID",
+};
+
+/** Override descriptions for settings where the default is unclear, hardcoded for now later will create db migration to change to more descriptive descriptions */
+const SETTING_DESCRIPTIONS = {
+  "app.register.acceptStats.default":
+    "When you ask new users for consent to collect anonymous usage statistics (e.g. how often features are used) to improve CARE, this sets whether that checkbox is pre-checked or unchecked by default.",
+  "app.register.acceptDataSharing.default":
+    "When you ask new users for consent to share their annotation data (their labels and annotations on documents) for research purposes, this sets whether that checkbox is pre-checked or unchecked by default.",
+};
+
+export default {
+  name: "SetupWizard",
+  components: { IconAsset, FormHelp, FormCollapsible, Modal },
+  data() {
+    return {
+      currentStep: 0,
+      steps: [],
+      wizardSettings: [],
+      hasAdmin: false,
+      formData: { userName: "admin", email: "", password: "" },
+      validity: null,
+      formSettings: {},
+      settingsFromFile: null,
+      importFile: null,
+      importing: false,
+      importError: null,
+      settingsTouched: false,
+      showFileSettings: false,
+      showError: false,
+      errorMessage: "",
+      finishing: false,
+      adminCreatedThisSession: false,
+    };
+  },
+  computed: {
+    isReRun() {
+      return this.$route.query.reRun === "true";
+    },
+    displaySteps() {
+      const stepTypes = ["admin", "general", "mail", "registration", "moodle", "summary"];
+      let filtered = this.steps.filter((s) => stepTypes.includes(s.type));
+      if (this.hasAdmin) {
+        filtered = filtered.filter((s) => s.type !== "admin");
+      }
+      if (this.settingsFromFile && Object.keys(this.settingsFromFile).length > 0) {
+        filtered = filtered.filter((s) => !["mail", "registration", "moodle"].includes(s.type));
+      }
+      return filtered;
+    },
+    generalFieldGroups() {
+      const keyToSetting = (this.wizardSettings || []).reduce((acc, s) => {
+        acc[s.key] = s;
+        return acc;
+      }, {});
+      const groups = [
+        {
+          title: "Copyright and consent",
+          keys: ["app.config.copyright", "app.config.consent.enabled"],
+        },
+        {
+          title: "Login options",
+          keys: ["app.login.guest", "app.login.forgotPassword"],
+        },
+        {
+          title: "Study mode",
+          keys: ["app.study.enabled"],
+        },
+        {
+          title: "Landing page links",
+          keys: [
+            "app.landing.showDocs",
+            "app.landing.linkDocs",
+            "app.landing.showProject",
+            "app.landing.linkProject",
+            "app.landing.showFeedback",
+            "app.landing.linkFeedback",
+          ],
+        },
+      ];
+      return groups.map((g) => ({
+        title: g.title,
+        settings: g.keys.map((k) => keyToSetting[k]).filter(Boolean),
+      })).filter((g) => g.settings.length > 0);
+    },
+    registrationFieldGroups() {
+      const keyToSetting = (this.wizardSettings || []).reduce((acc, s) => {
+        acc[s.key] = s;
+        return acc;
+      }, {});
+      const groups = [
+        {
+          title: "Information requested at registration",
+          keys: ["app.register.requestName", "app.register.requestStats", "app.register.requestData"],
+        },
+        {
+          title: "Consent options",
+          keys: ["app.register.acceptStats.default", "app.register.acceptDataSharing.default"],
+        },
+        {
+          title: "Terms and conditions",
+          keys: ["app.register.terms"],
+        },
+      ];
+      return groups.map((g) => ({
+        title: g.title,
+        settings: g.keys.map((k) => keyToSetting[k]).filter(Boolean),
+      })).filter((g) => g.settings.length > 0);
+    },
+    mailEnabled() {
+      return this.formSettings["system.mailService.enabled"] === "true";
+    },
+    sendmailSettings() {
+      const keys = ["system.mailService.sendMail.path"];
+      return (this.wizardSettings || []).filter((s) => keys.includes(s.key));
+    },
+    smtpSettings() {
+      const keys = [
+        "system.mailService.smtp.host",
+        "system.mailService.smtp.port",
+        "system.mailService.smtp.secure",
+        "system.mailService.smtp.auth.enabled",
+        "system.mailService.smtp.auth.user",
+        "system.mailService.smtp.auth.pass",
+      ];
+      return (this.wizardSettings || []).filter((s) => keys.includes(s.key));
+    },
+    moodleFieldGroups() {
+      const keyToSetting = (this.wizardSettings || []).reduce((acc, s) => {
+        acc[s.key] = s;
+        return acc;
+      }, {});
+      const groups = [
+        {
+          title: "Connection",
+          keys: ["rpc.moodleAPI.apiUrl", "rpc.moodleAPI.apiKey"],
+        },
+        {
+          title: "Course",
+          keys: ["rpc.moodleAPI.courseID"],
+        },
+      ];
+      return groups.map((g) => ({
+        title: g.title,
+        settings: g.keys.map((k) => keyToSetting[k]).filter(Boolean),
+      })).filter((g) => g.settings.length > 0);
+    },
+    summaryFieldGroups() {
+      const stepTitles = {
+        general: "General",
+        mail: "Mail",
+        registration: "Registration",
+        moodle: "Moodle",
+      };
+      const byStep = {};
+      for (const s of this.wizardSettings || []) {
+        const step = s.wizardStep || "general";
+        if (!byStep[step]) byStep[step] = [];
+        byStep[step].push(s);
+      }
+      const order = ["general", "mail", "registration", "moodle"];
+      return order.filter((step) => byStep[step]?.length).map((step) => ({
+        title: stepTitles[step],
+        settings: byStep[step],
+      }));
+    },
+    validUserName() {
+      return typeof this.formData.userName === "string" && this.formData.userName.trim() !== "";
+    },
+    validEmail() {
+      const e = this.formData.email;
+      if (!e || typeof e !== "string") return false;
+      return /^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(e.trim());
+    },
+    validPassword() {
+      return typeof this.formData.password === "string" && this.formData.password.length >= 8;
+    },
+    adminFormValid() {
+      return this.validUserName && this.validEmail && this.validPassword;
+    },
+    currentStepType() {
+      return this.displaySteps[this.currentStep]?.type;
+    },
+    settingsStepValid() {
+      if (this.settingsFromFile && Object.keys(this.settingsFromFile).length > 0) {
+        const required = (this.wizardSettings || []).filter((s) => s.requiredInWizard);
+        const missing = required.filter((s) => {
+          const v = this.settingsFromFile[s.key];
+          return v == null || String(v).trim() === "";
+        });
+        return missing.length === 0;
+      }
+      const stepType = this.currentStepType;
+      const stepSettings = (this.wizardSettings || []).filter((s) => s.wizardStep === stepType);
+      const required = stepSettings.filter((s) => s.requiredInWizard);
+      return required.every(
+        (s) => this.formSettings[s.key] != null && String(this.formSettings[s.key]).trim() !== ""
+      );
+    },
+  },
+  beforeMount() {
+    this.validity = Object.fromEntries(Object.keys(this.formData).map(key => [key, false]));
+  },
+  async mounted() {
+    const check = await axios.get(getServerURL() + "/auth/check", { withCredentials: true });
+    this.hasAdmin = !!(check.data && check.data.user);
+
+    if (check.data.user && !this.isReRun) {
+      if (check.data.wizardCompleted) {
+        await this.$router.push("/dashboard");
+        return;
+      }
+      this.hasAdmin = true;
+    }
+    if (!check.data.user && check.data.needsSetup !== true) {
+      await this.$router.push("/login");
+      return;
+    }
+
+    const url = (this.hasAdmin || this.isReRun) ? getServerURL() + "/setup/config?reRun=true" : getServerURL() + "/setup/config";
+    const config = await axios.get(url, { withCredentials: true });
+    if (config.data && config.data.steps) {
+      this.steps = config.data.steps;
+    }
+    if (config.data && config.data.wizardSettings) {
+      this.wizardSettings = config.data.wizardSettings;
+      this.formSettings = config.data.wizardSettings.reduce((acc, s) => {
+        acc[s.key] = s.value != null && s.value !== undefined ? String(s.value) : "";
+        return acc;
+      }, {});
+    }
+    if (this.hasAdmin && this.$socket && !this.$socket.connected) {
+      this.$socket.connect();
+    }
+  },
+  methods: {
+    settingsForStep(stepType) {
+      return (this.wizardSettings || []).filter((s) => s.wizardStep === stepType);
+    },
+    settingLabel(key) {
+      return SETTING_LABELS[key] || key;
+    },
+    settingDescription(key) {
+      return SETTING_DESCRIPTIONS[key] || null;
+    },
+    checkVal(key) {
+      this.validity[key] = true;
+    },
+    submitAdmin() {
+      Object.keys(this.validity).forEach(k => { this.validity[k] = true; });
+      if (!this.adminFormValid) return;
+      this.doSubmitAdmin();
+    },
+    async doSubmitAdmin() {
+      this.showError = false;
+      try {
+        const res = await axios.post(
+          getServerURL() + "/auth/setup-admin",
+          {
+            userName: this.formData.userName.trim(),
+            email: this.formData.email.trim(),
+            password: this.formData.password,
+          },
+          {
+            withCredentials: true,
+            validateStatus: function (status) {
+              return status === 200 || (status >= 400 && status < 500);
+            },
+          }
+        );
+        if (res.status === 200) {
+          this.adminCreatedThisSession = true;
+          if (this.$socket && !this.$socket.connected) {
+            this.$socket.connect();
+          }
+          this.currentStep = 1;
+        } else {
+          this.showError = true;
+          this.errorMessage = (res.data && res.data.message) || "Setup failed. Please try again.";
+        }
+      } catch (err) {
+        this.showError = true;
+        this.errorMessage = err.message || "Setup failed. Please try again.";
+      }
+    },
+    onPrevious() {
+      if (this.displaySteps[this.currentStep]?.type === "summary") {
+        this.clearImport();
+      }
+      this.currentStep--;
+    },
+    onStepNext() {
+      this.settingsTouched = true;
+      if (!this.settingsStepValid) {
+        if (this.settingsFromFile && Object.keys(this.settingsFromFile).length > 0 && this.currentStepType === "general") {
+          this.showError = true;
+          const required = (this.wizardSettings || []).filter((s) => s.requiredInWizard);
+          const missing = required.filter((s) => {
+            const v = this.settingsFromFile[s.key];
+            return v == null || String(v).trim() === "";
+          });
+          this.errorMessage =
+            missing.length > 0
+              ? "The file must include non-empty values for: " + missing.map((s) => s.key).join(", ")
+              : "Please upload a JSON file with key-value pairs.";
+        } else {
+          this.showError = false;
+        }
+        return;
+      }
+      this.showError = false;
+      this.currentStep++;
+    },
+    openImportModal() {
+      this.importFile = null;
+      this.importError = null;
+      if (this.$refs.jsonFileInput) this.$refs.jsonFileInput.value = "";
+      this.$refs.importModal.open();
+    },
+    onJsonFileChange(ev) {
+      this.importFile = ev.target.files && ev.target.files[0] || null;
+      this.importError = null;
+    },
+    confirmImport() {
+      if (!this.importFile) return;
+      this.importing = true;
+      this.importError = null;
+      const reader = new FileReader();
+      reader.onload = () => {
+        try {
+          const json = JSON.parse(reader.result);
+          if (typeof json !== "object" || json === null || Array.isArray(json)) {
+            this.importError = "The JSON must be an object of key/value pairs.";
+            return;
+          }
+          this.settingsFromFile = this.normalizeFileSettings(json);
+          this.importFile = null;
+          if (this.$refs.jsonFileInput) this.$refs.jsonFileInput.value = "";
+          this.$refs.importModal.close();
+          this.showError = false;
+        } catch (e) {
+          this.importError = "Invalid JSON: " + (e.message || String(e));
+        } finally {
+          this.importing = false;
+        }
+      };
+      reader.readAsText(this.importFile);
+    },
+    clearImport() {
+      this.settingsFromFile = null;
+      if (this.$refs.jsonFileInput) this.$refs.jsonFileInput.value = "";
+    },
+    normalizeFileSettings(obj) {
+      const out = {};
+      for (const [k, v] of Object.entries(obj)) {
+        if (v === null || v === undefined) {
+          out[k] = "";
+        } else if (typeof v === "boolean") {
+          out[k] = v ? "true" : "false";
+        } else if (typeof v === "object") {
+          out[k] = JSON.stringify(v);
+        } else {
+          out[k] = String(v);
+        }
+      }
+      return out;
+    },
+    summarySettingValue(key) {
+      if (this.settingsFromFile && Object.prototype.hasOwnProperty.call(this.settingsFromFile, key)) {
+        return this.settingsFromFile[key];
+      }
+      return this.formSettings[key] != null ? this.formSettings[key] : "—";
+    },
+    finish() {
+      this.settingsTouched = true;
+      if (!this.$socket || !this.$socket.connected) {
+        this.showError = true;
+        this.errorMessage = "Connection not ready. Please wait and try again.";
+        return;
+      }
+      const merged = { ...this.formSettings, ...(this.settingsFromFile || {}), "app.setup.wizardCompleted": "true" };
+      if (merged["system.mailService.enabled"] !== "true") {
+        merged["app.register.emailVerification"] = "false";
+      }
+      const payload = Object.entries(merged).map(([key, v]) => ({
+        key,
+        value: v === null || v === undefined ? "" : (typeof v === "boolean" ? (v ? "true" : "false") : (typeof v === "object" ? JSON.stringify(v) : String(v))),
+      }));
+      this.finishing = true;
+      this.showError = false;
+      this.$socket.emit("settingSave", payload, (res) => {
+        this.finishing = false;
+        if (res.success) {
+          this.$router.push("/dashboard");
+          this.$router.go(0);
+        } else {
+          this.showError = true;
+          this.errorMessage = (res && res.message) || "Failed to save settings.";
+        }
+      });
+    },
+  },
+};
+</script>
+
+<style scoped>
+.setup-wizard {
+  min-height: 100vh;
+  max-height: 100vh;
+  overflow-y: auto;
+  overflow-x: hidden;
+}
+
+.stepper {
+  display: flex;
+  justify-content: space-between;
+  position: relative;
+}
+
+.stepper::after {
+  content: "";
+  position: absolute;
+  top: 15px;
+  left: 0;
+  right: 0;
+  height: 2px;
+  background-color: #ccc;
+}
+
+.stepper > div {
+  z-index: 1;
+  background-color: white;
+  padding: 0 5px;
+}
+
+.stepper > div::before {
+  --dim: 28px;
+  content: attr(data-index);
+  margin-right: 6px;
+  display: inline-flex;
+  width: var(--dim);
+  height: var(--dim);
+  border-radius: 50%;
+  align-items: center;
+  justify-content: center;
+  border: 1px solid #6c6b6b;
+}
+
+.stepper > div.active::before {
+  color: white;
+  background-color: #0d6efd;
+  border-color: #0d6efd;
+}
+
+.feedback-invalid {
+  font-size: 0.75em;
+  color: firebrick;
+  visibility: hidden;
+  padding-top: 4px;
+}
+
+.feedback-invalid.invalid {
+  visibility: visible;
+}
+
+.step-group-heading {
+  font-size: 1.1rem;
+  font-weight: 600;
+}
+
+.step-card-header {
+  font-size: 1.2rem;
+  font-weight: 600;
+}
+</style>

From 0cf693d3a68bab5411d661e797acc4e028c56c63 Mon Sep 17 00:00:00 2001
From: Mohammad Elwan <mohammadsherifl11@gmail.com>
Date: Mon, 23 Feb 2026 13:47:32 +0100
Subject: [PATCH 10/73] feat: add router guard to redirect when wizard not
 completed

---
 frontend/src/App.vue   | 21 ++++++++++++++-------
 frontend/src/router.js | 31 ++++++++++++++++++++++++++++---
 2 files changed, 42 insertions(+), 10 deletions(-)

diff --git a/frontend/src/App.vue b/frontend/src/App.vue
index b96a43102..702b53c6a 100644
--- a/frontend/src/App.vue
+++ b/frontend/src/App.vue
@@ -156,6 +156,9 @@ export default {
   },
   watch: {
     $route(to, from) {
+      if (to.meta && to.meta.checkLogin) {
+        this.runCheckLoginFlow();
+      }
       if (to.fullPath !== from.fullPath && this.behaviorLogger) {
         this.behaviorLogger.reportRouteChange(from, to);
       }
@@ -192,13 +195,7 @@ export default {
   },
   async mounted() {
     if (this.$route.meta.checkLogin) {
-      // Check if user already authenticated, if so, we redirect him to the dashboard.
-      const response = await axios.get(getServerURL() + "/auth/check", {
-        withCredentials: true,
-      });
-      if (response.data.user) {
-        await this.$router.push("/dashboard");
-      }
+      await this.runCheckLoginFlow();
     }
   },
   beforeUnmount() {
@@ -207,6 +204,16 @@ export default {
     }
   },
   methods: {
+    async runCheckLoginFlow() {
+      const response = await axios.get(getServerURL() + "/auth/check", {
+        withCredentials: true,
+      });
+      if (response.data.user) {
+        await this.$router.push(response.data.wizardCompleted === false ? "/wizard" : "/dashboard");
+      } else if (response.data.needsSetup) {
+        await this.$router.push("/wizard");
+      }
+    },
     connect() {
       if (this.$route.meta.requireAuth && !this.$socket.connected) {
         this.$socket.connect();
diff --git a/frontend/src/router.js b/frontend/src/router.js
index f8f090162..b78c7a80b 100644
--- a/frontend/src/router.js
+++ b/frontend/src/router.js
@@ -9,6 +9,7 @@
  * @author: Dennis Zyska, Nils Dycke
 **/
 import * as VueRouter from 'vue-router'
+import getServerURL from "@/assets/serverUrl";
 
 const routes = [
     {
@@ -45,6 +46,12 @@ const routes = [
         component: () => import("@/auth/ResetPassword.vue"),
         meta: {requireAuth: false, hideTopbar: true, checkLogin: true}
     },
+    {
+        path: "/wizard",
+        name: "wizard",
+        component: () => import("@/auth/SetupWizard.vue"),
+        meta: {requireAuth: false, hideTopbar: true}
+    },
     {
         path: "/document/:documentHash",
         component: () => import('@/components/Document.vue'),
@@ -82,9 +89,27 @@ const router = VueRouter.createRouter({
     history: VueRouter.createWebHistory(),
     hashbang: false,
     routes: routes,
-    mode: 'html5',
-    root: "/"
-})
+    mode: "html5",
+    root: "/",
+});
+
+/**
+ * If the user is logged in and the setup wizard is not completed, redirect to /wizard
+ * so they cannot bypass it by typing /dashboard, /login, etc.
+ */
+router.beforeEach(async (to, from, next) => {
+    if (to.path === "/wizard") return next();
+    if (!to.meta.requireAuth && !to.meta.checkLogin) return next();
+    try {
+        const r = await fetch(getServerURL() + "/auth/check", { credentials: "include" });
+        if (!r.ok) return next();
+        const d = await r.json();
+        if (d.user && d.wizardCompleted === false) {
+            return next({ path: "/wizard" });
+        }
+    } catch (_) {}
+    next();
+});
 
 // Navigation guard to check if self-registration is enabled
 router.beforeEach((to, from, next) => {

From e686bc163d0d69557fddfbfc6c6f67fe6cfc59c1 Mon Sep 17 00:00:00 2001
From: Mohammad Elwan <mohammadsherifl11@gmail.com>
Date: Mon, 23 Feb 2026 14:19:43 +0100
Subject: [PATCH 11/73] feat : add app_state migration for wizard state storage

---
 .../20260119190004-basic-setting-setup.js     | 32 -----------------
 .../20260223130010-create-app_state.js        | 35 +++++++++++++++++++
 2 files changed, 35 insertions(+), 32 deletions(-)
 delete mode 100644 backend/db/migrations/20260119190004-basic-setting-setup.js
 create mode 100644 backend/db/migrations/20260223130010-create-app_state.js

diff --git a/backend/db/migrations/20260119190004-basic-setting-setup.js b/backend/db/migrations/20260119190004-basic-setting-setup.js
deleted file mode 100644
index 6a5cd5239..000000000
--- a/backend/db/migrations/20260119190004-basic-setting-setup.js
+++ /dev/null
@@ -1,32 +0,0 @@
-'use strict';
-
-/** @type {import('sequelize-cli').Migration} */
-module.exports = {
-    async up(queryInterface, Sequelize) {
-        const now = new Date();
-        await queryInterface.bulkInsert('setting', [
-            {
-                key: 'app.setup.wizardCompleted',
-                value: 'false',
-                type: 'boolean',
-                description: 'Whether the setup wizard has been completed',
-                createdAt: now,
-                updatedAt: now,
-            },
-            {
-                key: 'app.setup.wizardCurrentStep',
-                value: '0',
-                type: 'string',
-                description: 'Current step index in the setup wizard',
-                createdAt: now,
-                updatedAt: now,
-            },
-        ], {});
-    },
-
-    async down(queryInterface, Sequelize) {
-        await queryInterface.bulkDelete('setting', {
-            key: ['app.setup.wizardCompleted', 'app.setup.wizardCurrentStep'],
-        }, {});
-    },
-};
diff --git a/backend/db/migrations/20260223130010-create-app_state.js b/backend/db/migrations/20260223130010-create-app_state.js
new file mode 100644
index 000000000..389af1507
--- /dev/null
+++ b/backend/db/migrations/20260223130010-create-app_state.js
@@ -0,0 +1,35 @@
+'use strict';
+
+/** @type {import('sequelize-cli').Migration} */
+module.exports = {
+    async up(queryInterface, Sequelize) {
+        await queryInterface.createTable('app_state', {
+            key: {
+                allowNull: false,
+                type: Sequelize.STRING,
+                primaryKey: true,
+            },
+            value: {
+                type: Sequelize.TEXT,
+            },
+            createdAt: {
+                allowNull: false,
+                type: Sequelize.DATE,
+            },
+            updatedAt: {
+                allowNull: false,
+                type: Sequelize.DATE,
+            },
+        });
+
+        const now = new Date();
+        await queryInterface.bulkInsert('app_state', [
+            { key: 'setup.wizardCompleted', value: 'false', createdAt: now, updatedAt: now },
+            { key: 'setup.wizardCurrentStep', value: '0', createdAt: now, updatedAt: now },
+        ], {});
+    },
+
+    async down(queryInterface, Sequelize) {
+        await queryInterface.dropTable('app_state');
+    },
+};

From 69459e6d95ac77ccab3855fac526c378eeca143f Mon Sep 17 00:00:00 2001
From: Mohammad Elwan <mohammadsherifl11@gmail.com>
Date: Mon, 23 Feb 2026 14:20:00 +0100
Subject: [PATCH 12/73] feat : add AppState model with get and set methods

---
 backend/db/models/app_state.js | 73 ++++++++++++++++++++++++++++++++++
 1 file changed, 73 insertions(+)
 create mode 100644 backend/db/models/app_state.js

diff --git a/backend/db/models/app_state.js b/backend/db/models/app_state.js
new file mode 100644
index 000000000..8e6e7c897
--- /dev/null
+++ b/backend/db/models/app_state.js
@@ -0,0 +1,73 @@
+'use strict';
+
+/**
+ * AppState model — key-value store for internal runtime state (e.g. wizard progress).
+ * Not user-configurable; separate from the setting table.
+ *
+ */
+module.exports = (sequelize, DataTypes) => {
+    const { Model } = require('sequelize');
+
+    class AppState extends Model {
+        static associate(models) {
+            // no associations
+        }
+
+        /**
+         * Get value by key
+         * @param {string} key
+         * @returns {Promise<string|null>}
+         */
+        static async get(key) {
+            try {
+                const row = await AppState.findOne({ where: { key }, raw: true });
+                return row ? row.value : null;
+            } catch (e) {
+                console.log(e);
+                return null;
+            }
+        }
+
+        /**
+         * Set value by key (upsert)
+         * @param {string} key
+         * @param {string} value
+         * @param {object} options 
+         * @returns {Promise<object|null>}
+         */
+        static async set(key, value, options = {}) {
+            try {
+                const [instance] = await AppState.upsert(
+                    { key, value },
+                    { conflictFields: ['key'], ...options }
+                );
+                return instance?.dataValues ?? null;
+            } catch (e) {
+                console.log(e);
+                return null;
+            }
+        }
+    }
+
+    AppState.init(
+        {
+            key: {
+                type: DataTypes.STRING,
+                allowNull: false,
+                primaryKey: true,
+            },
+            value: {
+                type: DataTypes.TEXT,
+            },
+        },
+        {
+            sequelize,
+            modelName: 'app_state',
+            tableName: 'app_state',
+        }
+    );
+
+    AppState.removeAttribute('id');
+
+    return AppState;
+};

From 17dcdbe940d5785ebfb0b9896f620ca80ca87cc2 Mon Sep 17 00:00:00 2001
From: Mohammad Elwan <mohammadsherifl11@gmail.com>
Date: Mon, 23 Feb 2026 14:20:12 +0100
Subject: [PATCH 13/73] refactor : use AppState for wizardCompleted in auth
 check

---
 backend/webserver/routes/auth.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/backend/webserver/routes/auth.js b/backend/webserver/routes/auth.js
index 8f5529f26..ffa2807c7 100644
--- a/backend/webserver/routes/auth.js
+++ b/backend/webserver/routes/auth.js
@@ -142,7 +142,7 @@ module.exports = function (server) {
         server.logger.debug(`req.session.passport: ${JSON.stringify(req.session.passport)}`);
         server.logger.debug(`req.user: ${JSON.stringify(req.user)}`);
         if (req.user) {
-            const wizardCompleted = (await server.db.models['setting'].get('app.setup.wizardCompleted')) === 'true';
+            const wizardCompleted = (await server.db.models['app_state'].get('setup.wizardCompleted')) === 'true';
             return res.status(200).send({ user: req.user, wizardCompleted });
         }
         try {

From 8a5d985ccd08a47d5d799845cb9c0380bfcc1d75 Mon Sep 17 00:00:00 2001
From: Mohammad Elwan <mohammadsherifl11@gmail.com>
Date: Mon, 23 Feb 2026 14:20:30 +0100
Subject: [PATCH 14/73] feat : add PATCH /setup/state endpoint for wizard state

---
 backend/webserver/routes/setup.js | 33 +++++++++++++++++++++++++++++++
 1 file changed, 33 insertions(+)

diff --git a/backend/webserver/routes/setup.js b/backend/webserver/routes/setup.js
index 918bb39d5..523a39922 100644
--- a/backend/webserver/routes/setup.js
+++ b/backend/webserver/routes/setup.js
@@ -61,4 +61,37 @@ module.exports = function (server) {
             return res.status(500).json({ message: "Internal server error." });
         }
     });
+
+    /**
+     * PATCH /setup/state
+     * Updates wizard state in app_state.
+     * Body: { wizardCompleted?: string, wizardCurrentStep?: string }
+     */
+    server.app.patch("/setup/state", async function (req, res) {
+        if (!req.user) {
+            return res.status(401).json({ message: "Authentication required." });
+        }
+        try {
+            const admins = await server.db.models["user"].getUsersByRole("admin");
+            const isAdmin = admins.some((a) => a.id === req.user.id);
+            if (!isAdmin) {
+                return res.status(403).json({ message: "Admin access required." });
+            }
+
+            const { wizardCompleted, wizardCurrentStep } = req.body || {};
+            const AppState = server.db.models["app_state"];
+
+            if (wizardCompleted !== undefined) {
+                await AppState.set("setup.wizardCompleted", String(wizardCompleted));
+            }
+            if (wizardCurrentStep !== undefined) {
+                await AppState.set("setup.wizardCurrentStep", String(wizardCurrentStep));
+            }
+
+            return res.status(200).json({ success: true });
+        } catch (err) {
+            server.logger.error("PATCH /setup/state error: " + err);
+            return res.status(500).json({ message: "Internal server error." });
+        }
+    });
 };

From 376f870bdc1e2e3cbff677f73b3b94e5d3a41024 Mon Sep 17 00:00:00 2001
From: Mohammad Elwan <mohammadsherifl11@gmail.com>
Date: Mon, 23 Feb 2026 14:20:42 +0100
Subject: [PATCH 15/73] refactor : save wizard state via PATCH /setup/state in
 SetupWizard

---
 frontend/src/auth/SetupWizard.vue | 21 ++++++++++++++-------
 1 file changed, 14 insertions(+), 7 deletions(-)

diff --git a/frontend/src/auth/SetupWizard.vue b/frontend/src/auth/SetupWizard.vue
index a578e490a..e7103e920 100644
--- a/frontend/src/auth/SetupWizard.vue
+++ b/frontend/src/auth/SetupWizard.vue
@@ -1075,14 +1075,14 @@ export default {
       }
       return this.formSettings[key] != null ? this.formSettings[key] : "—";
     },
-    finish() {
+    async finish() {
       this.settingsTouched = true;
       if (!this.$socket || !this.$socket.connected) {
         this.showError = true;
         this.errorMessage = "Connection not ready. Please wait and try again.";
         return;
       }
-      const merged = { ...this.formSettings, ...(this.settingsFromFile || {}), "app.setup.wizardCompleted": "true" };
+      const merged = { ...this.formSettings, ...(this.settingsFromFile || {}) };
       if (merged["system.mailService.enabled"] !== "true") {
         merged["app.register.emailVerification"] = "false";
       }
@@ -1092,14 +1092,21 @@ export default {
       }));
       this.finishing = true;
       this.showError = false;
-      this.$socket.emit("settingSave", payload, (res) => {
-        this.finishing = false;
-        if (res.success) {
+      this.$socket.emit("settingSave", payload, async (res) => {
+        if (!res.success) {
+          this.finishing = false;
+          this.showError = true;
+          this.errorMessage = (res && res.message) || "Failed to save settings.";
+          return;
+        }
+        try {
+          await axios.patch(getServerURL() + "/setup/state", { wizardCompleted: "true" }, { withCredentials: true });
           this.$router.push("/dashboard");
           this.$router.go(0);
-        } else {
+        } catch (err) {
+          this.finishing = false;
           this.showError = true;
-          this.errorMessage = (res && res.message) || "Failed to save settings.";
+          this.errorMessage = err?.response?.data?.message || err?.message || "Failed to complete setup.";
         }
       });
     },

From 692a3701eadfe91038e5e0dc395b32e5886cc5ae Mon Sep 17 00:00:00 2001
From: Mohammad Elwan <mohammadsherifl11@gmail.com>
Date: Thu, 26 Feb 2026 03:01:20 +0100
Subject: [PATCH 16/73] feat: add displayName and displayGroup columns to
 settings

---
 ...260225234559-extend-setting-displayName.js | 231 ++++++++++++++++++
 backend/db/models/setting.js                  |   4 +-
 2 files changed, 234 insertions(+), 1 deletion(-)
 create mode 100644 backend/db/migrations/20260225234559-extend-setting-displayName.js

diff --git a/backend/db/migrations/20260225234559-extend-setting-displayName.js b/backend/db/migrations/20260225234559-extend-setting-displayName.js
new file mode 100644
index 000000000..f37e4d4e9
--- /dev/null
+++ b/backend/db/migrations/20260225234559-extend-setting-displayName.js
@@ -0,0 +1,231 @@
+'use strict';
+
+/**
+ * Add displayName and displayGroup columns.
+ * displayName: user-facing label from CSV Suggested Name
+ * displayGroup: section grouping for non-wizard settings from CSV Suggested group naming
+ *
+ * @type {import('sequelize-cli').Migration}
+ */
+
+const KEY_TO_DISPLAY_GROUP = {
+    'annotator.collab.response': 'Annotations',
+    'annotator.comments.defaultNumsShown.levelOneUp': 'Annotations',
+    'annotator.comments.defaultNumsShown.levelZero': 'Annotations',
+    'annotator.comments.votes.enabled': 'Annotations',
+    'annotator.comments.votes.onlyUpvote': 'Annotations',
+    'annotator.download.enabledBeforeStudyClosing': 'Annotations',
+    'annotator.nlp.activated': 'Annotations',
+    'annotator.nlp.request.timeout': 'Annotations',
+    'annotator.nlp.sentiment_analysis.activated': 'Annotations',
+    'annotator.nlp.summarization.activated': 'Annotations',
+    'annotator.nlp.summarization.annoLength': 'Annotations',
+    'annotator.nlp.summarization.maxLength': 'Annotations',
+    'annotator.nlp.summarization.minLength': 'Annotations',
+    'annotator.nlp.summarization.skillName': 'Annotations',
+    'annotator.sidebar.maxWidth': 'Annotations',
+    'annotator.sidebar.minWidth': 'Annotations',
+    'app.login.passwordResetRateLimit': 'General',
+    'app.register.emailVerificationRateLimit': 'Registration',
+    'dashboard.navigation.component.default': 'Interface',
+    'editor.document.showButtonCreate': 'Text Editor',
+    'editor.document.showButtonDeltaDownload': 'Text Editor',
+    'editor.document.showButtonHTMLDownload': 'Text Editor',
+    'editor.document.showButtonPDFDownload': 'Text Editor',
+    'editor.edits.debounceTime': 'Text Editor',
+    'editor.edits.historyGroupTime': 'Text Editor',
+    'editor.edits.showHistoryForUser': 'Text Editor',
+    'editor.toolbar.showHTMLDownload': 'Text Editor',
+    'editor.toolbar.tools.align': 'Text Editor',
+    'editor.toolbar.tools.background': 'Text Editor',
+    'editor.toolbar.tools.blockquote': 'Text Editor',
+    'editor.toolbar.tools.bold': 'Text Editor',
+    'editor.toolbar.tools.checkList': 'Text Editor',
+    'editor.toolbar.tools.clean': 'Text Editor',
+    'editor.toolbar.tools.code-block': 'Text Editor',
+    'editor.toolbar.tools.color': 'Text Editor',
+    'editor.toolbar.tools.direction': 'Text Editor',
+    'editor.toolbar.tools.font': 'Text Editor',
+    'editor.toolbar.tools.formula': 'Text Editor',
+    'editor.toolbar.tools.header': 'Text Editor',
+    'editor.toolbar.tools.image': 'Text Editor',
+    'editor.toolbar.tools.indent': 'Text Editor',
+    'editor.toolbar.tools.italic': 'Text Editor',
+    'editor.toolbar.tools.link': 'Text Editor',
+    'editor.toolbar.tools.orderedList': 'Text Editor',
+    'editor.toolbar.tools.size': 'Text Editor',
+    'editor.toolbar.tools.strike': 'Text Editor',
+    'editor.toolbar.tools.subscript': 'Text Editor',
+    'editor.toolbar.tools.superscript': 'Text Editor',
+    'editor.toolbar.tools.underline': 'Text Editor',
+    'editor.toolbar.tools.unorderedList': 'Text Editor',
+    'editor.toolbar.tools.video': 'Text Editor',
+    'editor.toolbar.visibility': 'Text Editor',
+    'modal.nlp.request.timeout': 'AI & NLP',
+    'modal.nlp.rotation_timer.long': 'AI & NLP',
+    'modal.nlp.rotation_timer.short': 'AI & NLP',
+    'projects.default': 'Interface',
+    'rpc.moodleAPI.showInput.apiKey': 'Moodle',
+    'rpc.moodleAPI.showInput.apiUrl': 'Moodle',
+    'rpc.moodleAPI.showInput.courseID': 'Moodle',
+    'service.nlp.enabled': 'AI & NLP',
+    'service.nlp.retryDelay': 'AI & NLP',
+    'service.nlp.test.fallback': 'AI & NLP',
+    'service.nlp.timeout': 'AI & NLP',
+    'service.nlp.url': 'AI & NLP',
+    'statistics.batch.size': 'Interface',
+    'statistics.tracking.mouseDebounceTime': 'Interface',
+    'system.auth.tokenExpiry.emailVerification': 'System',
+    'system.auth.tokenExpiry.passwordReset': 'System',
+    'tags.recencySortingIsOn': 'Interface',
+    'tags.tagSet.default': 'Interface',
+    'topBar.projects.hideProjectButton': 'Interface',
+};
+
+const DISPLAY_NAMES = {
+    'annotator.collab.response': 'Comment replies',
+    'annotator.comments.defaultNumsShown.levelOneUp': 'Level 1+ comments shown by default',
+    'annotator.comments.defaultNumsShown.levelZero': 'Level 0 comments shown by default',
+    'annotator.comments.votes.enabled': 'Voting on comments',
+    'annotator.comments.votes.onlyUpvote': 'Only upvote on comments',
+    'annotator.download.enabledBeforeStudyClosing': 'Download before study closing',
+    'annotator.nlp.activated': 'NLP in annotation view',
+    'annotator.nlp.request.timeout': 'NLP request timeout',
+    'annotator.nlp.sentiment_analysis.activated': 'Sentiment analysis in comments',
+    'annotator.nlp.summarization.activated': 'Summarization activated',
+    'annotator.nlp.summarization.annoLength': 'Summarization annotation length',
+    'annotator.nlp.summarization.maxLength': 'Summarization max length',
+    'annotator.nlp.summarization.minLength': 'Summarization min length',
+    'annotator.nlp.summarization.skillName': 'Summarization skill name',
+    'annotator.sidebar.maxWidth': 'Sidebar max width',
+    'annotator.sidebar.minWidth': 'Sidebar min width',
+    'app.config.consent.enabled': 'Consent update feature',
+    'app.config.copyright': 'Copyright notice',
+    'app.landing.linkDocs': 'Documentation URL',
+    'app.landing.linkFeedback': 'Feedback form URL',
+    'app.landing.linkProject': 'Project page URL',
+    'app.landing.showDocs': 'Show documentation link',
+    'app.landing.showFeedback': 'Show feedback link',
+    'app.landing.showProject': 'Show project link',
+    'app.login.forgotPassword': 'Forgot password',
+    'app.login.guest': 'Allow guest login',
+    'app.login.passwordResetRateLimit': 'Password reset rate limit',
+    'app.register.acceptDataSharing.default': 'Default accept data sharing',
+    'app.register.acceptStats.default': 'Default accept tracking',
+    'app.register.emailVerification': 'Email verification required',
+    'app.register.enabled': 'Enable self-registration',
+    'app.register.emailVerificationRateLimit': 'Email verification rate limit',
+    'app.register.requestData': 'Request data sharing at registration',
+    'app.register.requestName': 'Request name at registration',
+    'app.register.requestStats': 'Request usage-stats consent at registration',
+    'app.register.terms': 'Terms and conditions',
+    'app.study.enabled': 'Enable study mode',
+    'dashboard.navigation.component.default': 'Default dashboard component',
+    'editor.document.showButtonCreate': 'Show create document button',
+    'editor.document.showButtonDeltaDownload': 'Show delta download button',
+    'editor.document.showButtonHTMLDownload': 'Show HTML download button',
+    'editor.document.showButtonPDFDownload': 'Show PDF download button',
+    'editor.edits.debounceTime': 'Edit debounce time',
+    'editor.edits.historyGroupTime': 'Edit history group time',
+    'editor.edits.showHistoryForUser': 'Show edit history to users',
+    'editor.toolbar.showHTMLDownload': 'Toolbar HTML download',
+    'editor.toolbar.tools.align': 'Toolbar align',
+    'editor.toolbar.tools.background': 'Toolbar background',
+    'editor.toolbar.tools.blockquote': 'Toolbar blockquote',
+    'editor.toolbar.tools.bold': 'Toolbar bold',
+    'editor.toolbar.tools.checkList': 'Toolbar check list',
+    'editor.toolbar.tools.clean': 'Toolbar clean',
+    'editor.toolbar.tools.code-block': 'Toolbar code-block',
+    'editor.toolbar.tools.color': 'Toolbar color',
+    'editor.toolbar.tools.direction': 'Toolbar direction',
+    'editor.toolbar.tools.font': 'Toolbar font',
+    'editor.toolbar.tools.formula': 'Toolbar formula',
+    'editor.toolbar.tools.header': 'Toolbar header',
+    'editor.toolbar.tools.image': 'Toolbar image',
+    'editor.toolbar.tools.indent': 'Toolbar indent',
+    'editor.toolbar.tools.italic': 'Toolbar italic',
+    'editor.toolbar.tools.link': 'Toolbar link',
+    'editor.toolbar.tools.orderedList': 'Toolbar ordered list',
+    'editor.toolbar.tools.size': 'Toolbar size',
+    'editor.toolbar.tools.strike': 'Toolbar strike',
+    'editor.toolbar.tools.subscript': 'Toolbar subscript',
+    'editor.toolbar.tools.superscript': 'Toolbar superscript',
+    'editor.toolbar.tools.underline': 'Toolbar underline',
+    'editor.toolbar.tools.unorderedList': 'Toolbar unordered list',
+    'editor.toolbar.tools.video': 'Toolbar video',
+    'editor.toolbar.visibility': 'Toolbar visibility',
+    'modal.nlp.request.timeout': 'Modal NLP request timeout',
+    'modal.nlp.rotation_timer.long': 'Modal NLP rotation long',
+    'modal.nlp.rotation_timer.short': 'Modal NLP rotation short',
+    'projects.default': 'Default project',
+    'rpc.moodleAPI.apiKey': 'Moodle API key',
+    'rpc.moodleAPI.apiUrl': 'Moodle API URL',
+    'rpc.moodleAPI.courseID': 'Moodle course ID',
+    'rpc.moodleAPI.showInput.apiKey': 'Show Moodle API key input',
+    'rpc.moodleAPI.showInput.apiUrl': 'Show Moodle API URL input',
+    'rpc.moodleAPI.showInput.courseID': 'Show Moodle course ID input',
+    'service.nlp.enabled': 'Enable NLP features',
+    'service.nlp.retryDelay': 'NLP retry delay',
+    'service.nlp.test.fallback': 'NLP test fallback',
+    'service.nlp.timeout': 'NLP timeout',
+    'service.nlp.url': 'NLP service URL',
+    'statistics.batch.size': 'Statistics batch size',
+    'statistics.tracking.mouseDebounceTime': 'Mouse debounce time',
+    'system.auth.tokenExpiry.emailVerification': 'Email verification token expiry',
+    'system.auth.tokenExpiry.passwordReset': 'Password reset token expiry',
+    'system.baseUrl': 'Base URL for emails',
+    'system.mailService.enabled': 'Mail service enabled',
+    'system.mailService.sendMail.enabled': 'Sendmail enabled',
+    'system.mailService.sendMail.path': 'Sendmail path',
+    'system.mailService.senderAddress': 'Mail sender address',
+    'system.mailService.smtp.auth.enabled': 'SMTP auth enabled',
+    'system.mailService.smtp.auth.pass': 'SMTP auth password',
+    'system.mailService.smtp.auth.user': 'SMTP auth user',
+    'system.mailService.smtp.enabled': 'SMTP enabled',
+    'system.mailService.smtp.host': 'SMTP host',
+    'system.mailService.smtp.port': 'SMTP port',
+    'system.mailService.smtp.secure': 'SMTP secure',
+    'tags.recencySortingIsOn': 'Tag recency sorting',
+    'tags.tagSet.default': 'Default tag set',
+    'topBar.projects.hideProjectButton': 'Hide project button in topbar',
+};
+
+module.exports = {
+    async up(queryInterface, Sequelize) {
+        await queryInterface.addColumn('setting', 'displayName', {
+            type: Sequelize.STRING(256),
+            allowNull: true,
+        });
+        await queryInterface.addColumn('setting', 'displayGroup', {
+            type: Sequelize.STRING(128),
+            allowNull: true,
+        });
+
+        const [results] = await queryInterface.sequelize.query(
+            "SELECT key FROM setting WHERE deleted = false"
+        );
+
+        for (const row of results) {
+            const key = row.key;
+            const displayName = DISPLAY_NAMES[key];
+            const displayGroup = KEY_TO_DISPLAY_GROUP[key];
+            if (displayName) {
+                await queryInterface.sequelize.query(
+                    'UPDATE setting SET "displayName" = :displayName WHERE key = :key',
+                    { replacements: { displayName, key } }
+                );
+            }
+            if (displayGroup) {
+                await queryInterface.sequelize.query(
+                    'UPDATE setting SET "displayGroup" = :displayGroup WHERE key = :key',
+                    { replacements: { displayGroup, key } }
+                );
+            }
+        }
+    },
+
+    async down(queryInterface, Sequelize) {
+        await queryInterface.removeColumn('setting', 'displayName');
+        await queryInterface.removeColumn('setting', 'displayGroup');
+    },
+};
\ No newline at end of file
diff --git a/backend/db/models/setting.js b/backend/db/models/setting.js
index 8841cbd79..7e0d99a73 100644
--- a/backend/db/models/setting.js
+++ b/backend/db/models/setting.js
@@ -57,7 +57,7 @@ module.exports = (sequelize, DataTypes) => {
                 return await Setting.findAll({
                     where: { showInWizard: true, deleted: false },
                     order: [['wizardOrder', 'ASC']],
-                    attributes: ['key', 'value', 'type', 'description', 'requiredInWizard', 'wizardStep'],
+                    attributes: ['key', 'value', 'type', 'description', 'displayName', 'requiredInWizard', 'wizardStep'],
                     raw: true,
                 });
             } catch (e) {
@@ -117,6 +117,8 @@ module.exports = (sequelize, DataTypes) => {
         value: DataTypes.TEXT,
         type: DataTypes.STRING,
         description: DataTypes.STRING,
+        displayName: DataTypes.STRING,
+        displayGroup: DataTypes.STRING,
         onlyAdmin: DataTypes.BOOLEAN,
         showInWizard: DataTypes.BOOLEAN,
         wizardOrder: DataTypes.INTEGER,

From 21653b8f7d1819dd7a3af2509ad77cb3cc670f35 Mon Sep 17 00:00:00 2001
From: Mohammad Elwan <mohammadsherifl11@gmail.com>
Date: Thu, 26 Feb 2026 03:01:38 +0100
Subject: [PATCH 17/73] feat: add app.register.enabled to wizard registration
 step

---
 ...20260119194252-transform-setting-wizard.js | 19 ++++++++++---------
 1 file changed, 10 insertions(+), 9 deletions(-)

diff --git a/backend/db/migrations/20260119194252-transform-setting-wizard.js b/backend/db/migrations/20260119194252-transform-setting-wizard.js
index d4754e988..e9b323a11 100644
--- a/backend/db/migrations/20260119194252-transform-setting-wizard.js
+++ b/backend/db/migrations/20260119194252-transform-setting-wizard.js
@@ -32,16 +32,17 @@ const WIZARD_SETTINGS = [
     { key: 'app.register.emailVerification', wizardStep: 'mail', wizardOrder: 24, requiredInWizard: false },
     // app.login.forgotPassword already in general; in mail step it's a toggle in UI, same key
     // registration
-    { key: 'app.register.requestName', wizardStep: 'registration', wizardOrder: 25, requiredInWizard: false },
-    { key: 'app.register.requestStats', wizardStep: 'registration', wizardOrder: 26, requiredInWizard: false },
-    { key: 'app.register.requestData', wizardStep: 'registration', wizardOrder: 27, requiredInWizard: false },
-    { key: 'app.register.acceptStats.default', wizardStep: 'registration', wizardOrder: 28, requiredInWizard: false },
-    { key: 'app.register.acceptDataSharing.default', wizardStep: 'registration', wizardOrder: 29, requiredInWizard: false },
-    { key: 'app.register.terms', wizardStep: 'registration', wizardOrder: 30, requiredInWizard: false },
+    { key: 'app.register.enabled', wizardStep: 'registration', wizardOrder: 25, requiredInWizard: false },
+    { key: 'app.register.requestName', wizardStep: 'registration', wizardOrder: 26, requiredInWizard: false },
+    { key: 'app.register.requestStats', wizardStep: 'registration', wizardOrder: 27, requiredInWizard: false },
+    { key: 'app.register.requestData', wizardStep: 'registration', wizardOrder: 28, requiredInWizard: false },
+    { key: 'app.register.acceptStats.default', wizardStep: 'registration', wizardOrder: 29, requiredInWizard: false },
+    { key: 'app.register.acceptDataSharing.default', wizardStep: 'registration', wizardOrder: 30, requiredInWizard: false },
+    { key: 'app.register.terms', wizardStep: 'registration', wizardOrder: 31, requiredInWizard: false },
     // moodle
-    { key: 'rpc.moodleAPI.apiUrl', wizardStep: 'moodle', wizardOrder: 31, requiredInWizard: false },
-    { key: 'rpc.moodleAPI.apiKey', wizardStep: 'moodle', wizardOrder: 32, requiredInWizard: false },
-    { key: 'rpc.moodleAPI.courseID', wizardStep: 'moodle', wizardOrder: 33, requiredInWizard: false },
+    { key: 'rpc.moodleAPI.apiUrl', wizardStep: 'moodle', wizardOrder: 32, requiredInWizard: false },
+    { key: 'rpc.moodleAPI.apiKey', wizardStep: 'moodle', wizardOrder: 33, requiredInWizard: false },
+    { key: 'rpc.moodleAPI.courseID', wizardStep: 'moodle', wizardOrder: 34, requiredInWizard: false },
 ];
 
 /** @type {import('sequelize-cli').Migration} */

From c6f48be818d442e7f81b8fab928d43767cffcfe6 Mon Sep 17 00:00:00 2001
From: Mohammad Elwan <mohammadsherifl11@gmail.com>
Date: Thu, 26 Feb 2026 03:02:05 +0100
Subject: [PATCH 18/73] refactor: use displayGroup for settings page layout

---
 .../src/components/dashboard/Settings.vue     |  82 ++++++++-----
 .../dashboard/settings/SettingItem.vue        | 108 ++++++++----------
 .../dashboard/settings/SettingsSection.vue    |  94 +++++++++++++++
 3 files changed, 191 insertions(+), 93 deletions(-)
 create mode 100644 frontend/src/components/dashboard/settings/SettingsSection.vue

diff --git a/frontend/src/components/dashboard/Settings.vue b/frontend/src/components/dashboard/Settings.vue
index 874868612..13d5793b1 100644
--- a/frontend/src/components/dashboard/Settings.vue
+++ b/frontend/src/components/dashboard/Settings.vue
@@ -65,11 +65,12 @@
         <Loading v-if="settings === null"/>
 
         <div v-else class="mt-3">
-          <SettingItem
-              v-for="(group, key) in groupedSettings"
-              :key="key"
-              :group="group"
-              :title="key"
+          <SettingsSection
+              v-for="section in sectionLayout"
+              :key="section.title"
+              :title="section.title"
+              :subsections="section.subsections"
+              :settings="displaySettings"
           />
         </div>
       </template>
@@ -142,11 +143,11 @@
 import Card from "@/basic/dashboard/card/Card.vue";
 import Loading from "@/basic/Loading.vue";
 import LoadIcon from "@/basic/Icon.vue";
-import SettingItem from "@/components/dashboard/settings/SettingItem.vue";
+import SettingsSection from "@/components/dashboard/settings/SettingsSection.vue";
 import Modal from "@/basic/Modal.vue";
 import BasicButton from "@/basic/Button.vue";
 import {downloadObjectsAs} from "@/assets/utils";
-import {onBeforeRouteUpdate} from 'vue-router'
+import {onBeforeRouteUpdate} from "vue-router";
 import ChangeUserSettingsModal from "@/components/dashboard/settings/ChangeUserSettingsModal.vue";
 
 export default {
@@ -155,7 +156,7 @@ export default {
     Card,
     LoadIcon,
     Loading,
-    SettingItem,
+    SettingsSection,
     BasicButton,
     Modal,
     ChangeUserSettingsModal,
@@ -163,21 +164,54 @@ export default {
   data() {
     return {
       settings: null,
-      collapseFirst: {},
       uploadFile: null,
       uploading: false,
       originalSettingsSnapshot: null,
     };
   },
   computed: {
-    groupedSettings() {
-      if (!this.settings) return {};
-      return this.settings.reduce((acc, setting) => {
-        const keys = setting.key.split(".");
-        if (!acc[keys[0]]) acc[keys[0]] = {};
-        this.nestSettings(acc[keys[0]], keys.slice(1), setting);
-        return acc;
-      }, {});
+    displaySettings() {
+      if (!this.settings) return [];
+      return this.settings.filter((s) => !s.key.startsWith("app.setup."));
+    },
+    sectionLayout() {
+      if (!this.displaySettings.length) return [];
+      const wizardSteps = ["general", "mail", "registration", "moodle"];
+      const sections = [];
+      for (const step of wizardSteps) {
+        let keys = this.displaySettings
+          .filter((s) => s.wizardStep === step && s.showInWizard)
+          .sort((a, b) => (a.wizardOrder || 0) - (b.wizardOrder || 0))
+          .map((s) => s.key);
+        const otherInStep = this.displaySettings.filter(
+          (s) => !s.showInWizard && (s.displayGroup || "").toLowerCase() === step
+        );
+        if (otherInStep.length) {
+          keys = [...keys, ...otherInStep.map((s) => s.key)];
+        }
+        if (keys.length) {
+          sections.push({
+            title: step.charAt(0).toUpperCase() + step.slice(1),
+            subsections: [{ title: "", keys }],
+          });
+        }
+      }
+      const other = this.displaySettings.filter((s) => !s.showInWizard);
+      const mergedSteps = new Set(wizardSteps);
+      const otherGroups = {};
+      for (const s of other) {
+        const group = s.displayGroup || "Other";
+        if (mergedSteps.has((group || "").toLowerCase())) continue;
+        if (!otherGroups[group]) otherGroups[group] = [];
+        otherGroups[group].push(s.key);
+      }
+      for (const [title, keys] of Object.entries(otherGroups).sort((a, b) => a[0].localeCompare(b[0]))) {
+        sections.push({
+          title,
+          subsections: [{ title: "", keys }],
+        });
+      }
+      return sections;
     },
     hasUnsavedChanges() {
       if (!this.settings || this.originalSettingsSnapshot === null) return false;
@@ -205,15 +239,6 @@ export default {
     });
   },
   methods: {
-    nestSettings(obj, keys, setting) {
-      if (keys.length === 1) {
-        if (!obj[keys[0]]) obj[keys[0]] = [];
-        obj[keys[0]].push(setting);
-      } else {
-        if (!obj[keys[0]]) obj[keys[0]] = {};
-        this.nestSettings(obj[keys[0]], keys.slice(1), setting);
-      }
-    },
     setSettingsSnapshot() {
       if (!this.settings) {
         this.originalSettingsSnapshot = null;
@@ -250,11 +275,6 @@ export default {
             });
           }
           this.settings = res.data.sort((a, b) => (a.key > b.key ? 1 : -1));
-          this.collapseFirst = this.settings.reduce((acc, setting) => {
-            const key = setting.key.split(".")[0];
-            acc[key] = true;
-            return acc;
-          }, {});
           this.setSettingsSnapshot();
         } else {
           this.eventBus.emit("toast", {
diff --git a/frontend/src/components/dashboard/settings/SettingItem.vue b/frontend/src/components/dashboard/settings/SettingItem.vue
index 4382324cd..404b8d1e6 100644
--- a/frontend/src/components/dashboard/settings/SettingItem.vue
+++ b/frontend/src/components/dashboard/settings/SettingItem.vue
@@ -1,76 +1,60 @@
 <template>
-  <div>
-    <div class="card my-3">
-      <div>
-        <div class="card-header" style="cursor: pointer" @click="toggleCollapse">
-          <LoadIcon :icon-name="collapsed ? 'arrow-right-short' : 'arrow-down-short'" class="me-1"></LoadIcon>
-          {{ title }}
-          <br>
-          <span v-if="title === 'app'" class="text-secondary">
-            <small>Main settings of the application <br>Note: Make sure that no sensitive data are present!</small>
-          </span>
-          <span v-if="title === 'editor'" class="text-secondary">
-            <small>Note: When the toolbar is disabled, all the tools will be hidden!</small>
-          </span>
+  <template v-if="setting">
+    <label
+      class="col-md-4 col-form-label text-md-right"
+      :for="'set-' + setting.key"
+      @click="(setting.type === 'boolean' || setting.type === 'bool') && $event.preventDefault()"
+    >
+      {{ setting.displayName || setting.key }}
+    </label>
+    <div class="col-md-6 d-flex align-items-start">
+      <template v-if="setting.type === 'edits'">
+        <EditorModal
+          :model-value="setting.value"
+          :title="'Edit ' + setting.key"
+          @update:model-value="$emit('update:value', $event)"
+        />
+      </template>
+      <template v-else-if="setting.type === 'boolean' || setting.type === 'bool'">
+        <div class="form-check form-switch">
+          <input
+            :id="'set-' + setting.key"
+            :checked="setting.value === 'true'"
+            class="form-check-input"
+            type="checkbox"
+            @change="$emit('update:value', $event.target.checked ? 'true' : 'false')"
+          />
         </div>
-        <div v-if="!collapsed" class="card-body">
-          <template v-for="(value, key) in group">
-            <div v-if="Array.isArray(value)" :key="`array-${key}`" class="mb-3">
-              
-              <div v-for="setting in value" :key="setting.key" class="row">
-                <div class="col-12">
-                  <div class="card mt-3">
-                    <div class="card-body">
-                      <h5 class="card-title">{{ setting.key }}</h5>
-                      <h6 class="card-subtitle mb-2 text-muted">{{ setting.description }}</h6>
-                      <p class="card-text">
-                        <div v-if="setting.type === 'edits'">
-                          <EditorModal v-model="setting.value" :title="'Edit ' + setting.key"></EditorModal>
-                        </div>
-                        <div v-else-if="setting.type === 'boolean' || setting.type === 'bool'" class="form-check form-switch">
-                          <input v-model="setting.value" :checked="setting.value"
-                                 class="form-check-input" role="switch" title="Activate/Deactivate NLP support"
-                                 type="checkbox">
-                        </div>
-                        <input v-else v-model="setting.value" class="w-50" type="text">
-                      </p>
-                    </div>
-                  </div>
-                </div>
-              </div>
-            </div>
-            <SettingItem v-else :key="`object-${key}`" :group="value" :title="key" />
-          </template>
-        </div>
-      </div>
+      </template>
+      <input
+        v-else
+        :id="'set-' + setting.key"
+        :value="setting.value"
+        class="form-control"
+        type="text"
+        @input="$emit('update:value', $event.target.value)"
+      />
+      <FormHelp v-if="setting.description" :help="setting.description" class="ms-1" />
     </div>
-  </div>
+  </template>
 </template>
 
 <script>
-import LoadIcon from "@/basic/Icon.vue";
 import EditorModal from "@/basic/editor/Modal.vue";
+import FormHelp from "@/basic/form/Help.vue";
 
+/**
+ * SettingItem - Renders a single setting row (label + input).
+ * Uses displayName and description from DB.
+ */
 export default {
   name: "SettingItem",
-  components: { LoadIcon, EditorModal },
+  components: { EditorModal, FormHelp },
   props: {
-    group: Object,
-    title: String
-  },
-  data() {
-    return {
-      collapsed: true
-    };
+    setting: {
+      type: Object,
+      default: null,
+    },
   },
-  methods: {
-    toggleCollapse() {
-      this.collapsed = !this.collapsed;
-    }
-  }
 };
 </script>
-
-<style scoped>
-/* Add your styles here if needed */
-</style>
diff --git a/frontend/src/components/dashboard/settings/SettingsSection.vue b/frontend/src/components/dashboard/settings/SettingsSection.vue
new file mode 100644
index 000000000..7789ced00
--- /dev/null
+++ b/frontend/src/components/dashboard/settings/SettingsSection.vue
@@ -0,0 +1,94 @@
+<template>
+  <div class="card my-3">
+    <div class="card-header step-card-header section-header" style="cursor: pointer" @click="toggleCollapse">
+      <LoadIcon :icon-name="isCollapsed ? 'arrow-right-short' : 'arrow-down-short'" class="me-1" />
+      {{ title }}
+    </div>
+    <div v-if="!isCollapsed" class="card-body mx-4 my-4">
+      <template v-for="(subsection, idx) in visibleSubsections" :key="subsection.title || idx">
+        <div class="mb-4">
+          <h6 v-if="subsection.title" class="step-group-heading text-muted border-bottom pb-1 mb-3">{{ subsection.title }}</h6>
+          <div
+            v-for="key in subsection.keys"
+            :key="key"
+            class="form-group row my-2"
+          >
+            <SettingItem
+              :setting="getSetting(key)"
+              @update:value="(v) => setSettingValue(key, v)"
+            />
+          </div>
+        </div>
+      </template>
+    </div>
+  </div>
+</template>
+
+<script>
+import LoadIcon from "@/basic/Icon.vue";
+import SettingItem from "@/components/dashboard/settings/SettingItem.vue";
+
+/**
+ * SettingsSection - Renders a collapsible settings section with subsections.
+ *
+ * @param {string} title - Section heading (e.g. "General", "Mail")
+ * @param {Array<{title: string, keys: string[]}>} subsections - Subsections with keys
+ * @param {Array} settings - Flat array of setting objects
+ */
+export default {
+  name: "SettingsSection",
+  components: { LoadIcon, SettingItem },
+  props: {
+    title: { type: String, required: true },
+    subsections: { type: Array, required: true },
+    settings: { type: Array, default: () => [] },
+    collapsed: { type: Boolean, default: true },
+  },
+  data() {
+    return {
+      isCollapsed: true,
+    };
+  },
+  watch: {
+    collapsed: {
+      immediate: true,
+      handler(val) {
+        this.isCollapsed = val;
+      },
+    },
+  },
+  computed: {
+    visibleSubsections() {
+      return this.subsections;
+    },
+  },
+  methods: {
+    toggleCollapse() {
+      this.isCollapsed = !this.isCollapsed;
+    },
+    getSetting(key) {
+      return this.settings.find((s) => s.key === key) || null;
+    },
+    setSettingValue(key, value) {
+      const s = this.settings.find((x) => x.key === key);
+      if (s) s.value = value;
+    },
+  },
+};
+</script>
+
+<style scoped>
+.step-group-heading {
+  font-size: 1.1rem;
+  font-weight: 600;
+}
+
+.step-card-header {
+  font-size: 1.2rem;
+  font-weight: 600;
+}
+
+.section-header {
+  user-select: none;
+}
+</style>

From 5ad0ea0a22b9e85704b128d4e2c8f2caa6195f77 Mon Sep 17 00:00:00 2001
From: Mohammad Elwan <mohammadsherifl11@gmail.com>
Date: Thu, 26 Feb 2026 03:02:18 +0100
Subject: [PATCH 19/73] refactor: use displayName from backend in setup wizard

---
 frontend/src/auth/SetupWizard.vue | 55 +++++--------------------------
 1 file changed, 8 insertions(+), 47 deletions(-)

diff --git a/frontend/src/auth/SetupWizard.vue b/frontend/src/auth/SetupWizard.vue
index e7103e920..d4640e1dc 100644
--- a/frontend/src/auth/SetupWizard.vue
+++ b/frontend/src/auth/SetupWizard.vue
@@ -668,51 +668,6 @@ import Modal from "@/basic/Modal.vue";
 import axios from "axios";
 import getServerURL from "@/assets/serverUrl";
 
-/** User-facing labels for setting keys hardcoded for now later will create db migration to change to more descriptive labels*/
-const SETTING_LABELS = {
-  "app.config.copyright": "Copyright notice",
-  "app.config.consent.enabled": "Require consent before first use",
-  "app.login.guest": "Allow guest login",
-  "app.login.forgotPassword": "Enable forgot password",
-  "app.study.enabled": "Enable study mode",
-  "app.landing.showDocs": "Show documentation link",
-  "app.landing.linkDocs": "Documentation URL",
-  "app.landing.showProject": "Show project link",
-  "app.landing.linkProject": "Project URL",
-  "app.landing.showFeedback": "Show feedback link",
-  "app.landing.linkFeedback": "Feedback URL",
-  "system.mailService.enabled": "Enable email service",
-  "system.mailService.senderAddress": "Sender address",
-  "system.mailService.sendMail.enabled": "Use Sendmail",
-  "system.mailService.sendMail.path": "Path to sendmail binary",
-  "system.mailService.smtp.enabled": "Use SMTP",
-  "system.mailService.smtp.host": "SMTP host",
-  "system.mailService.smtp.port": "SMTP port",
-  "system.mailService.smtp.secure": "Use secure connection (TLS)",
-  "system.mailService.smtp.auth.enabled": "SMTP authentication",
-  "system.mailService.smtp.auth.user": "SMTP username",
-  "system.mailService.smtp.auth.pass": "SMTP password",
-  "system.baseUrl": "Application base URL",
-  "app.register.emailVerification": "Require email verification",
-  "app.register.requestName": "Ask for display name at registration",
-  "app.register.requestStats": "Ask for usage statistics consent at registration",
-  "app.register.requestData": "Ask for annotation data sharing consent at registration",
-  "app.register.acceptStats.default": "Pre-select statistics consent checkbox for new users",
-  "app.register.acceptDataSharing.default": "Pre-select data sharing consent checkbox for new users",
-  "app.register.terms": "Terms and conditions (URL or text)",
-  "rpc.moodleAPI.apiUrl": "Moodle API URL",
-  "rpc.moodleAPI.apiKey": "Moodle API key",
-  "rpc.moodleAPI.courseID": "Moodle course ID",
-};
-
-/** Override descriptions for settings where the default is unclear, hardcoded for now later will create db migration to change to more descriptive descriptions */
-const SETTING_DESCRIPTIONS = {
-  "app.register.acceptStats.default":
-    "When you ask new users for consent to collect anonymous usage statistics (e.g. how often features are used) to improve CARE, this sets whether that checkbox is pre-checked or unchecked by default.",
-  "app.register.acceptDataSharing.default":
-    "When you ask new users for consent to share their annotation data (their labels and annotations on documents) for research purposes, this sets whether that checkbox is pre-checked or unchecked by default.",
-};
-
 export default {
   name: "SetupWizard",
   components: { IconAsset, FormHelp, FormCollapsible, Modal },
@@ -793,6 +748,10 @@ export default {
         return acc;
       }, {});
       const groups = [
+        {
+          title: "Enable registration",
+          keys: ["app.register.enabled"],
+        },
         {
           title: "Information requested at registration",
           keys: ["app.register.requestName", "app.register.requestStats", "app.register.requestData"],
@@ -942,10 +901,12 @@ export default {
       return (this.wizardSettings || []).filter((s) => s.wizardStep === stepType);
     },
     settingLabel(key) {
-      return SETTING_LABELS[key] || key;
+      const s = (this.wizardSettings || []).find((x) => x.key === key);
+      return s?.displayName || key;
     },
     settingDescription(key) {
-      return SETTING_DESCRIPTIONS[key] || null;
+      const s = (this.wizardSettings || []).find((x) => x.key === key);
+      return s?.description || null;
     },
     checkVal(key) {
       this.validity[key] = true;

From 91a7311f8b25a398255eaa7a3720d48dc3e1066b Mon Sep 17 00:00:00 2001
From: Mohammad Elwan <mohammadsherifl11@gmail.com>
Date: Sun, 1 Mar 2026 17:41:09 +0100
Subject: [PATCH 20/73] feat: add displaySubsection to settings

---
 ...260225234559-extend-setting-displayName.js | 125 +++++++++++++++++-
 backend/db/models/setting.js                  |   3 +-
 2 files changed, 125 insertions(+), 3 deletions(-)

diff --git a/backend/db/migrations/20260225234559-extend-setting-displayName.js b/backend/db/migrations/20260225234559-extend-setting-displayName.js
index f37e4d4e9..d2cb7e015 100644
--- a/backend/db/migrations/20260225234559-extend-setting-displayName.js
+++ b/backend/db/migrations/20260225234559-extend-setting-displayName.js
@@ -1,13 +1,122 @@
 'use strict';
 
 /**
- * Add displayName and displayGroup columns.
+ * Add displayName, displayGroup, and displaySubsection columns.
  * displayName: user-facing label from CSV Suggested Name
  * displayGroup: section grouping for non-wizard settings from CSV Suggested group naming
+ * displaySubsection: subsection within a section for Settings page and SetupWizard
  *
  * @type {import('sequelize-cli').Migration}
  */
 
+const KEY_TO_DISPLAY_SUBSECTION = {
+    'annotator.collab.response': 'Comments',
+    'annotator.comments.defaultNumsShown.levelOneUp': 'Comments',
+    'annotator.comments.defaultNumsShown.levelZero': 'Comments',
+    'annotator.comments.votes.enabled': 'Comments',
+    'annotator.comments.votes.onlyUpvote': 'Comments',
+    'annotator.download.enabledBeforeStudyClosing': 'Download',
+    'annotator.nlp.activated': 'NLP in annotations',
+    'annotator.nlp.request.timeout': 'NLP in annotations',
+    'annotator.nlp.sentiment_analysis.activated': 'NLP in annotations',
+    'annotator.nlp.summarization.activated': 'NLP in annotations',
+    'annotator.nlp.summarization.annoLength': 'NLP in annotations',
+    'annotator.nlp.summarization.maxLength': 'NLP in annotations',
+    'annotator.nlp.summarization.minLength': 'NLP in annotations',
+    'annotator.nlp.summarization.skillName': 'NLP in annotations',
+    'annotator.sidebar.maxWidth': 'Sidebar',
+    'annotator.sidebar.minWidth': 'Sidebar',
+    'app.config.consent.enabled': 'Copyright and consent',
+    'app.config.copyright': 'Copyright and consent',
+    'app.landing.linkDocs': 'Landing page links',
+    'app.landing.linkFeedback': 'Landing page links',
+    'app.landing.linkProject': 'Landing page links',
+    'app.landing.showDocs': 'Landing page links',
+    'app.landing.showFeedback': 'Landing page links',
+    'app.landing.showProject': 'Landing page links',
+    'app.login.forgotPassword': 'Login options',
+    'app.login.guest': 'Login options',
+    'app.login.passwordResetRateLimit': 'Login options',
+    'app.register.acceptDataSharing.default': 'Consent options',
+    'app.register.acceptStats.default': 'Consent options',
+    'app.register.emailVerification': 'Base URL and verification',
+    'app.register.emailVerificationRateLimit': 'Email verification rate limit',
+    'app.register.enabled': 'Enable registration',
+    'app.register.requestData': 'Information requested at registration',
+    'app.register.requestName': 'Information requested at registration',
+    'app.register.requestStats': 'Information requested at registration',
+    'app.register.terms': 'Terms and conditions',
+    'app.study.enabled': 'Study mode',
+    'dashboard.navigation.component.default': 'Navigation and dashboard',
+    'editor.document.showButtonCreate': 'Document buttons',
+    'editor.document.showButtonDeltaDownload': 'Document buttons',
+    'editor.document.showButtonHTMLDownload': 'Document buttons',
+    'editor.document.showButtonPDFDownload': 'Document buttons',
+    'editor.edits.debounceTime': 'Edit history',
+    'editor.edits.historyGroupTime': 'Edit history',
+    'editor.edits.showHistoryForUser': 'Edit history',
+    'editor.toolbar.showHTMLDownload': 'Toolbar',
+    'editor.toolbar.tools.align': 'Toolbar',
+    'editor.toolbar.tools.background': 'Toolbar',
+    'editor.toolbar.tools.blockquote': 'Toolbar',
+    'editor.toolbar.tools.bold': 'Toolbar',
+    'editor.toolbar.tools.checkList': 'Toolbar',
+    'editor.toolbar.tools.clean': 'Toolbar',
+    'editor.toolbar.tools.code-block': 'Toolbar',
+    'editor.toolbar.tools.color': 'Toolbar',
+    'editor.toolbar.tools.direction': 'Toolbar',
+    'editor.toolbar.tools.font': 'Toolbar',
+    'editor.toolbar.tools.formula': 'Toolbar',
+    'editor.toolbar.tools.header': 'Toolbar',
+    'editor.toolbar.tools.image': 'Toolbar',
+    'editor.toolbar.tools.indent': 'Toolbar',
+    'editor.toolbar.tools.italic': 'Toolbar',
+    'editor.toolbar.tools.link': 'Toolbar',
+    'editor.toolbar.tools.orderedList': 'Toolbar',
+    'editor.toolbar.tools.size': 'Toolbar',
+    'editor.toolbar.tools.strike': 'Toolbar',
+    'editor.toolbar.tools.subscript': 'Toolbar',
+    'editor.toolbar.tools.superscript': 'Toolbar',
+    'editor.toolbar.tools.underline': 'Toolbar',
+    'editor.toolbar.tools.unorderedList': 'Toolbar',
+    'editor.toolbar.tools.video': 'Toolbar',
+    'editor.toolbar.visibility': 'Toolbar',
+    'modal.nlp.request.timeout': 'Modal NLP',
+    'modal.nlp.rotation_timer.long': 'Modal NLP',
+    'modal.nlp.rotation_timer.short': 'Modal NLP',
+    'projects.default': 'Projects',
+    'rpc.moodleAPI.apiKey': 'Connection',
+    'rpc.moodleAPI.apiUrl': 'Connection',
+    'rpc.moodleAPI.courseID': 'Course',
+    'rpc.moodleAPI.showInput.apiKey': 'Show inputs',
+    'rpc.moodleAPI.showInput.apiUrl': 'Show inputs',
+    'rpc.moodleAPI.showInput.courseID': 'Show inputs',
+    'service.nlp.enabled': 'NLP service',
+    'service.nlp.retryDelay': 'NLP service',
+    'service.nlp.test.fallback': 'NLP service',
+    'service.nlp.timeout': 'NLP service',
+    'service.nlp.url': 'NLP service',
+    'statistics.batch.size': 'Statistics and tags',
+    'statistics.tracking.mouseDebounceTime': 'Statistics and tags',
+    'system.auth.tokenExpiry.emailVerification': 'Token expiry',
+    'system.auth.tokenExpiry.passwordReset': 'Token expiry',
+    'system.baseUrl': 'Base URL and verification',
+    'system.mailService.enabled': 'Mail service',
+    'system.mailService.sendMail.enabled': 'Sendmail',
+    'system.mailService.sendMail.path': 'Sendmail',
+    'system.mailService.senderAddress': 'Mail service',
+    'system.mailService.smtp.auth.enabled': 'SMTP',
+    'system.mailService.smtp.auth.pass': 'SMTP',
+    'system.mailService.smtp.auth.user': 'SMTP',
+    'system.mailService.smtp.enabled': 'SMTP',
+    'system.mailService.smtp.host': 'SMTP',
+    'system.mailService.smtp.port': 'SMTP',
+    'system.mailService.smtp.secure': 'SMTP',
+    'tags.recencySortingIsOn': 'Statistics and tags',
+    'tags.tagSet.default': 'Statistics and tags',
+    'topBar.projects.hideProjectButton': 'Projects',
+};
+
 const KEY_TO_DISPLAY_GROUP = {
     'annotator.collab.response': 'Annotations',
     'annotator.comments.defaultNumsShown.levelOneUp': 'Annotations',
@@ -175,7 +284,7 @@ const DISPLAY_NAMES = {
     'system.auth.tokenExpiry.passwordReset': 'Password reset token expiry',
     'system.baseUrl': 'Base URL for emails',
     'system.mailService.enabled': 'Mail service enabled',
-    'system.mailService.sendMail.enabled': 'Sendmail enabled',
+    'system.mailService.sendMail.enabled': 'Sendmail enabled (takes precedence over SMTP)',
     'system.mailService.sendMail.path': 'Sendmail path',
     'system.mailService.senderAddress': 'Mail sender address',
     'system.mailService.smtp.auth.enabled': 'SMTP auth enabled',
@@ -200,6 +309,10 @@ module.exports = {
             type: Sequelize.STRING(128),
             allowNull: true,
         });
+        await queryInterface.addColumn('setting', 'displaySubsection', {
+            type: Sequelize.STRING(128),
+            allowNull: true,
+        });
 
         const [results] = await queryInterface.sequelize.query(
             "SELECT key FROM setting WHERE deleted = false"
@@ -221,11 +334,19 @@ module.exports = {
                     { replacements: { displayGroup, key } }
                 );
             }
+            const displaySubsection = KEY_TO_DISPLAY_SUBSECTION[key];
+            if (displaySubsection) {
+                await queryInterface.sequelize.query(
+                    'UPDATE setting SET "displaySubsection" = :displaySubsection WHERE key = :key',
+                    { replacements: { displaySubsection, key } }
+                );
+            }
         }
     },
 
     async down(queryInterface, Sequelize) {
         await queryInterface.removeColumn('setting', 'displayName');
         await queryInterface.removeColumn('setting', 'displayGroup');
+        await queryInterface.removeColumn('setting', 'displaySubsection');
     },
 };
\ No newline at end of file
diff --git a/backend/db/models/setting.js b/backend/db/models/setting.js
index 7e0d99a73..f769bd1da 100644
--- a/backend/db/models/setting.js
+++ b/backend/db/models/setting.js
@@ -57,7 +57,7 @@ module.exports = (sequelize, DataTypes) => {
                 return await Setting.findAll({
                     where: { showInWizard: true, deleted: false },
                     order: [['wizardOrder', 'ASC']],
-                    attributes: ['key', 'value', 'type', 'description', 'displayName', 'requiredInWizard', 'wizardStep'],
+                    attributes: ['key', 'value', 'type', 'description', 'displayName', 'displaySubsection', 'requiredInWizard', 'wizardStep'],
                     raw: true,
                 });
             } catch (e) {
@@ -119,6 +119,7 @@ module.exports = (sequelize, DataTypes) => {
         description: DataTypes.STRING,
         displayName: DataTypes.STRING,
         displayGroup: DataTypes.STRING,
+        displaySubsection: DataTypes.STRING,
         onlyAdmin: DataTypes.BOOLEAN,
         showInWizard: DataTypes.BOOLEAN,
         wizardOrder: DataTypes.INTEGER,

From ba11464215524781d3cdaee389d7a5bc828e28cb Mon Sep 17 00:00:00 2001
From: Mohammad Elwan <mohammadsherifl11@gmail.com>
Date: Sun, 1 Mar 2026 17:41:54 +0100
Subject: [PATCH 21/73] refactor: use displayGroup and displaySubsection for
 Settings layout

---
 .../src/components/dashboard/Settings.vue     | 56 +++++++++++++++++--
 .../dashboard/settings/SettingsSection.vue    | 28 +++++++---
 2 files changed, 71 insertions(+), 13 deletions(-)

diff --git a/frontend/src/components/dashboard/Settings.vue b/frontend/src/components/dashboard/Settings.vue
index 13d5793b1..c48fc5303 100644
--- a/frontend/src/components/dashboard/Settings.vue
+++ b/frontend/src/components/dashboard/Settings.vue
@@ -150,6 +150,21 @@ import {downloadObjectsAs} from "@/assets/utils";
 import {onBeforeRouteUpdate} from "vue-router";
 import ChangeUserSettingsModal from "@/components/dashboard/settings/ChangeUserSettingsModal.vue";
 
+/**
+ * Order of subsections within each section (for display).
+ */
+const SUBSECTION_ORDER = {
+  general: ["Copyright and consent", "Login options", "Study mode", "Landing page links"],
+  mail: ["Mail service", "Sendmail", "SMTP", "Base URL and verification"],
+  registration: ["Enable registration", "Information requested at registration", "Consent options", "Terms and conditions", "Email verification rate limit"],
+  moodle: ["Connection", "Course", "Show inputs"],
+  annotations: ["Comments", "Download", "NLP in annotations", "Sidebar"],
+  interface: ["Navigation and dashboard", "Projects", "Statistics and tags"],
+  "text editor": ["Document buttons", "Edit history", "Toolbar"],
+  "ai & nlp": ["Modal NLP", "NLP service"],
+  system: ["Token expiry"],
+};
+
 export default {
   name: "DashboardSettings",
   components: {
@@ -190,9 +205,10 @@ export default {
           keys = [...keys, ...otherInStep.map((s) => s.key)];
         }
         if (keys.length) {
+          const settingsInSection = keys.map((k) => this.displaySettings.find((s) => s.key === k)).filter(Boolean);
           sections.push({
             title: step.charAt(0).toUpperCase() + step.slice(1),
-            subsections: [{ title: "", keys }],
+            subsections: this.buildSubsections(step, settingsInSection),
           });
         }
       }
@@ -203,12 +219,12 @@ export default {
         const group = s.displayGroup || "Other";
         if (mergedSteps.has((group || "").toLowerCase())) continue;
         if (!otherGroups[group]) otherGroups[group] = [];
-        otherGroups[group].push(s.key);
+        otherGroups[group].push(s);
       }
-      for (const [title, keys] of Object.entries(otherGroups).sort((a, b) => a[0].localeCompare(b[0]))) {
+      for (const [groupTitle, settingsInGroup] of Object.entries(otherGroups).sort((a, b) => a[0].localeCompare(b[0]))) {
         sections.push({
-          title,
-          subsections: [{ title: "", keys }],
+          title: groupTitle,
+          subsections: this.buildSubsections(groupTitle.toLowerCase(), settingsInGroup),
         });
       }
       return sections;
@@ -239,6 +255,36 @@ export default {
     });
   },
   methods: {
+    /**
+     * Build subsections from settings grouped by displaySubsection.
+     * @param {string} sectionKey - Section key (e.g. "general", "annotations")
+     * @param {Array} settingsInSection - Setting objects in this section
+     * @returns {Array<{title: string, keys: string[]}>}
+     */
+    buildSubsections(sectionKey, settingsInSection) {
+      if (!settingsInSection.length) return [];
+      const order = SUBSECTION_ORDER[sectionKey];
+      const bySubsection = {};
+      for (const s of settingsInSection) {
+        const sub = s.displaySubsection || "";
+        if (!bySubsection[sub]) bySubsection[sub] = [];
+        bySubsection[sub].push(s.key);
+      }
+      const result = [];
+      if (order) {
+        for (const title of order) {
+          if (bySubsection[title]?.length) {
+            result.push({ title, keys: bySubsection[title] });
+          }
+        }
+      }
+      for (const [title, keys] of Object.entries(bySubsection)) {
+        if (!order || !order.includes(title)) {
+          result.push({ title: title || "", keys });
+        }
+      }
+      return result.length ? result : [{ title: "", keys: settingsInSection.map((s) => s.key) }];
+    },
     setSettingsSnapshot() {
       if (!this.settings) {
         this.originalSettingsSnapshot = null;
diff --git a/frontend/src/components/dashboard/settings/SettingsSection.vue b/frontend/src/components/dashboard/settings/SettingsSection.vue
index 7789ced00..87bb54609 100644
--- a/frontend/src/components/dashboard/settings/SettingsSection.vue
+++ b/frontend/src/components/dashboard/settings/SettingsSection.vue
@@ -6,8 +6,24 @@
     </div>
     <div v-if="!isCollapsed" class="card-body mx-4 my-4">
       <template v-for="(subsection, idx) in visibleSubsections" :key="subsection.title || idx">
-        <div class="mb-4">
-          <h6 v-if="subsection.title" class="step-group-heading text-muted border-bottom pb-1 mb-3">{{ subsection.title }}</h6>
+        <FormCollapsible
+          v-if="subsection.title"
+          :title="subsection.title"
+          :collapsed="false"
+          class="mb-3"
+        >
+          <div
+            v-for="key in subsection.keys"
+            :key="key"
+            class="form-group row my-2"
+          >
+            <SettingItem
+              :setting="getSetting(key)"
+              @update:value="(v) => setSettingValue(key, v)"
+            />
+          </div>
+        </FormCollapsible>
+        <div v-else class="mb-4">
           <div
             v-for="key in subsection.keys"
             :key="key"
@@ -26,6 +42,7 @@
 
 <script>
 import LoadIcon from "@/basic/Icon.vue";
+import FormCollapsible from "@/basic/form/Collapsible.vue";
 import SettingItem from "@/components/dashboard/settings/SettingItem.vue";
 
 /**
@@ -37,7 +54,7 @@ import SettingItem from "@/components/dashboard/settings/SettingItem.vue";
  */
 export default {
   name: "SettingsSection",
-  components: { LoadIcon, SettingItem },
+  components: { LoadIcon, FormCollapsible, SettingItem },
   props: {
     title: { type: String, required: true },
     subsections: { type: Array, required: true },
@@ -78,11 +95,6 @@ export default {
 </script>
 
 <style scoped>
-.step-group-heading {
-  font-size: 1.1rem;
-  font-weight: 600;
-}
-
 .step-card-header {
   font-size: 1.2rem;
   font-weight: 600;

From 9bc2213bb1e1a29323b13f2efae19921c186d8f0 Mon Sep 17 00:00:00 2001
From: Mohammad Elwan <mohammadsherifl11@gmail.com>
Date: Sun, 1 Mar 2026 17:42:11 +0100
Subject: [PATCH 22/73] refactor: use displaySubsection in SetupWizard

---
 frontend/src/auth/SetupWizard.vue | 350 +++++++++---------------------
 1 file changed, 99 insertions(+), 251 deletions(-)

diff --git a/frontend/src/auth/SetupWizard.vue b/frontend/src/auth/SetupWizard.vue
index d4640e1dc..430eb6c38 100644
--- a/frontend/src/auth/SetupWizard.vue
+++ b/frontend/src/auth/SetupWizard.vue
@@ -217,176 +217,59 @@
             </label>
           </div>
 
-          <template v-if="formSettings['system.mailService.enabled'] === 'true'">
+          <template v-if="mailEnabled">
             <FormCollapsible
-              title="Email delivery configuration"
-              description="Choose Sendmail or SMTP. If both are enabled, Sendmail takes precedence."
+              v-for="group in mailFieldGroups"
+              :key="group.title"
+              :title="group.title"
               :collapsed="true"
               class="mb-3"
             >
-              <div class="form-check form-switch mb-3">
-                <input
-                  id="sendmail-enabled"
-                  :checked="formSettings['system.mailService.sendMail.enabled'] === 'true'"
-                  class="form-check-input"
-                  type="checkbox"
-                  @change="formSettings['system.mailService.sendMail.enabled'] = $event.target.checked ? 'true' : 'false'"
-                />
-                <label class="form-check-label" for="sendmail-enabled" @click.prevent>
-                  Use Sendmail (Unix system mail command)
-                </label>
-                <FormHelp
-                  :help="'If enabled, Sendmail is used for outgoing mail even when SMTP is also enabled.'"
-                  class="ms-1"
-                />
-              </div>
-              <FormCollapsible
-                v-if="formSettings['system.mailService.sendMail.enabled'] === 'true'"
-                title="Sendmail settings"
-                description="Path to the sendmail binary on your system"
-                :collapsed="false"
+              <div
+                v-for="s in group.settings"
+                :key="s.key"
+                class="form-group row my-2"
               >
-                <div
-                  v-for="s in sendmailSettings"
-                  :key="s.key"
-                  class="form-group row my-2"
+                <label
+                  class="col-md-4 col-form-label text-md-right"
+                  :for="'set-' + s.key"
+                  @click="(s.type === 'boolean' || s.type === 'bool') && $event.preventDefault()"
                 >
-                  <label
-                    class="col-md-4 col-form-label text-md-right"
-                    :for="'set-' + s.key"
-                    @click="(s.type === 'boolean' || s.type === 'bool') && $event.preventDefault()"
-                  >
-                    {{ settingLabel(s.key) }}
-                  </label>
-                  <div class="col-md-6 d-flex align-items-start">
-                    <input
-                      :id="'set-' + s.key"
-                      v-model="formSettings[s.key]"
-                      class="form-control"
-                      type="text"
-                    />
-                    <FormHelp v-if="s.description" :help="s.description" class="ms-1" />
-                  </div>
-                </div>
-              </FormCollapsible>
-
-              <div class="form-check form-switch mb-3 mt-3">
-                <input
-                  id="smtp-enabled"
-                  :checked="formSettings['system.mailService.smtp.enabled'] === 'true'"
-                  class="form-check-input"
-                  type="checkbox"
-                  @change="formSettings['system.mailService.smtp.enabled'] = $event.target.checked ? 'true' : 'false'"
-                />
-                <label class="form-check-label" for="smtp-enabled" @click.prevent>
-                  Use SMTP server
+                  {{ settingLabel(s.key) }}
                 </label>
-                <FormHelp
-                  :help="'Used only when Sendmail is disabled. Configure your SMTP host and credentials.'"
-                  class="ms-1"
-                />
-              </div>
-              <FormCollapsible
-                v-if="formSettings['system.mailService.smtp.enabled'] === 'true'"
-                title="SMTP settings"
-                description="Host, port, and authentication for your SMTP server"
-                :collapsed="false"
-              >
-                <div
-                  v-for="s in smtpSettings"
-                  :key="s.key"
-                  class="form-group row my-2"
-                >
-                  <label
-                    class="col-md-4 col-form-label text-md-right"
-                    :for="'set-' + s.key"
-                    @click="(s.type === 'boolean' || s.type === 'bool') && $event.preventDefault()"
-                  >
-                    {{ settingLabel(s.key) }}
-                  </label>
-                  <div class="col-md-6 d-flex align-items-start">
-                    <template v-if="s.type === 'boolean' || s.type === 'bool'">
-                      <div class="form-check form-switch">
-                        <input
-                          :id="'set-' + s.key"
-                          :checked="formSettings[s.key] === 'true'"
-                          class="form-check-input"
-                          type="checkbox"
-                          @change="formSettings[s.key] = $event.target.checked ? 'true' : 'false'"
-                        />
-                      </div>
-                    </template>
-                    <input
-                      v-else
+                <div class="col-md-6 d-flex align-items-start">
+                  <template v-if="s.type === 'boolean' || s.type === 'bool'">
+                    <div class="form-check form-switch">
+                      <input
+                        :id="'set-' + s.key"
+                        :checked="formSettings[s.key] === 'true'"
+                        class="form-check-input"
+                        type="checkbox"
+                        @change="onMailSettingChange(s.key, $event.target.checked ? 'true' : 'false')"
+                      />
+                    </div>
+                  </template>
+                  <template v-else-if="s.type === 'edits'">
+                    <textarea
                       :id="'set-' + s.key"
                       v-model="formSettings[s.key]"
-                      class="form-control"
-                      type="text"
-                    />
-                    <FormHelp v-if="s.description" :help="s.description" class="ms-1" />
-                  </div>
-                </div>
-              </FormCollapsible>
-
-              <FormCollapsible
-                title="Sender and application URL"
-                description="Required for all outgoing emails: the From address and base URL for links"
-                :collapsed="true"
-                class="mt-3"
-              >
-                <div class="form-group row my-2">
-                  <label class="col-md-4 col-form-label text-md-right" for="set-sender-address">
-                    {{ settingLabel("system.mailService.senderAddress") }}
-                  </label>
-                  <div class="col-md-6 d-flex align-items-start">
-                    <input
-                      id="set-sender-address"
-                      v-model="formSettings['system.mailService.senderAddress']"
-                      class="form-control"
-                      type="text"
-                    />
-                    <FormHelp
-                      :help="'The From address used for all outgoing emails.'"
-                      class="ms-1"
-                    />
-                  </div>
-                </div>
-                <div class="form-group row my-2">
-                  <label class="col-md-4 col-form-label text-md-right" for="set-base-url">
-                    {{ settingLabel("system.baseUrl") }}
-                  </label>
-                  <div class="col-md-6 d-flex align-items-start">
-                    <input
-                      id="set-base-url"
-                      v-model="formSettings['system.baseUrl']"
-                      class="form-control"
-                      type="text"
-                    />
-                    <FormHelp
-                      :help="'Base URL of this application (e.g. https://care.example.com). Required for password reset and email verification links.'"
-                      class="ms-1"
+                      class="form-control w-100"
+                      rows="2"
                     />
-                  </div>
+                  </template>
+                  <input
+                    v-else
+                    :id="'set-' + s.key"
+                    v-model="formSettings[s.key]"
+                    class="form-control"
+                    type="text"
+                  />
+                  <FormHelp
+                    v-if="settingDescription(s.key) || s.description"
+                    :help="settingDescription(s.key) || s.description"
+                    class="ms-1"
+                  />
                 </div>
-              </FormCollapsible>
-            </FormCollapsible>
-            <FormCollapsible
-              title="Features that use email"
-              description="Optional features that require the email service to be enabled"
-              :collapsed="true"
-              class="mb-3 mt-3"
-            >
-              <div class="form-check form-switch">
-                <input
-                  id="forgot-password"
-                  :checked="formSettings['app.login.forgotPassword'] === 'true'"
-                  class="form-check-input"
-                  type="checkbox"
-                  @change="formSettings['app.login.forgotPassword'] = $event.target.checked ? 'true' : 'false'"
-                />
-                <label class="form-check-label" for="forgot-password" @click.prevent>
-                  Allow users to reset their password via email
-                </label>
               </div>
             </FormCollapsible>
           </template>
@@ -668,6 +551,14 @@ import Modal from "@/basic/Modal.vue";
 import axios from "axios";
 import getServerURL from "@/assets/serverUrl";
 
+/** Order of subsections within each wizard step (from displaySubsection in DB). */
+const SUBSECTION_ORDER = {
+  general: ["Copyright and consent", "Login options", "Study mode", "Landing page links"],
+  mail: ["Mail service", "Sendmail", "SMTP", "Base URL and verification"],
+  registration: ["Enable registration", "Information requested at registration", "Consent options", "Terms and conditions", "Email verification rate limit"],
+  moodle: ["Connection", "Course", "Show inputs"],
+};
+
 export default {
   name: "SetupWizard",
   components: { IconAsset, FormHelp, FormCollapsible, Modal },
@@ -708,105 +599,24 @@ export default {
       return filtered;
     },
     generalFieldGroups() {
-      const keyToSetting = (this.wizardSettings || []).reduce((acc, s) => {
-        acc[s.key] = s;
-        return acc;
-      }, {});
-      const groups = [
-        {
-          title: "Copyright and consent",
-          keys: ["app.config.copyright", "app.config.consent.enabled"],
-        },
-        {
-          title: "Login options",
-          keys: ["app.login.guest", "app.login.forgotPassword"],
-        },
-        {
-          title: "Study mode",
-          keys: ["app.study.enabled"],
-        },
-        {
-          title: "Landing page links",
-          keys: [
-            "app.landing.showDocs",
-            "app.landing.linkDocs",
-            "app.landing.showProject",
-            "app.landing.linkProject",
-            "app.landing.showFeedback",
-            "app.landing.linkFeedback",
-          ],
-        },
-      ];
-      return groups.map((g) => ({
-        title: g.title,
-        settings: g.keys.map((k) => keyToSetting[k]).filter(Boolean),
-      })).filter((g) => g.settings.length > 0);
-    },
-    registrationFieldGroups() {
-      const keyToSetting = (this.wizardSettings || []).reduce((acc, s) => {
-        acc[s.key] = s;
-        return acc;
-      }, {});
-      const groups = [
-        {
-          title: "Enable registration",
-          keys: ["app.register.enabled"],
-        },
-        {
-          title: "Information requested at registration",
-          keys: ["app.register.requestName", "app.register.requestStats", "app.register.requestData"],
-        },
-        {
-          title: "Consent options",
-          keys: ["app.register.acceptStats.default", "app.register.acceptDataSharing.default"],
-        },
-        {
-          title: "Terms and conditions",
-          keys: ["app.register.terms"],
-        },
-      ];
-      return groups.map((g) => ({
-        title: g.title,
-        settings: g.keys.map((k) => keyToSetting[k]).filter(Boolean),
-      })).filter((g) => g.settings.length > 0);
+      return this.fieldGroupsForStep("general");
     },
     mailEnabled() {
       return this.formSettings["system.mailService.enabled"] === "true";
     },
-    sendmailSettings() {
-      const keys = ["system.mailService.sendMail.path"];
-      return (this.wizardSettings || []).filter((s) => keys.includes(s.key));
+    mailFieldGroups() {
+      const groups = this.fieldGroupsForStep("mail");
+      const forgotPassword = (this.wizardSettings || []).find((s) => s.key === "app.login.forgotPassword");
+      if (forgotPassword && this.mailEnabled) {
+        groups.push({ title: "Features that use email", settings: [forgotPassword] });
+      }
+      return groups;
     },
-    smtpSettings() {
-      const keys = [
-        "system.mailService.smtp.host",
-        "system.mailService.smtp.port",
-        "system.mailService.smtp.secure",
-        "system.mailService.smtp.auth.enabled",
-        "system.mailService.smtp.auth.user",
-        "system.mailService.smtp.auth.pass",
-      ];
-      return (this.wizardSettings || []).filter((s) => keys.includes(s.key));
+    registrationFieldGroups() {
+      return this.fieldGroupsForStep("registration");
     },
     moodleFieldGroups() {
-      const keyToSetting = (this.wizardSettings || []).reduce((acc, s) => {
-        acc[s.key] = s;
-        return acc;
-      }, {});
-      const groups = [
-        {
-          title: "Connection",
-          keys: ["rpc.moodleAPI.apiUrl", "rpc.moodleAPI.apiKey"],
-        },
-        {
-          title: "Course",
-          keys: ["rpc.moodleAPI.courseID"],
-        },
-      ];
-      return groups.map((g) => ({
-        title: g.title,
-        settings: g.keys.map((k) => keyToSetting[k]).filter(Boolean),
-      })).filter((g) => g.settings.length > 0);
+      return this.fieldGroupsForStep("moodle");
     },
     summaryFieldGroups() {
       const stepTitles = {
@@ -897,6 +707,44 @@ export default {
     }
   },
   methods: {
+    /**
+     * Handle mail step setting changes.
+     * @param {string} key - Setting key
+     * @param {string} value - New value ('true' or 'false')
+     */
+    onMailSettingChange(key, value) {
+      this.formSettings[key] = value;
+    },
+    /**
+     * Group wizard settings by displaySubsection for a given step.
+     * @param {string} stepType - general, registration, or moodle
+     * @returns {Array<{title: string, settings: object[]}>}
+     */
+    fieldGroupsForStep(stepType) {
+      const settings = (this.wizardSettings || []).filter((s) => s.wizardStep === stepType);
+      if (!settings.length) return [];
+      const order = SUBSECTION_ORDER[stepType];
+      const bySubsection = {};
+      for (const s of settings) {
+        const sub = s.displaySubsection || "";
+        if (!bySubsection[sub]) bySubsection[sub] = [];
+        bySubsection[sub].push(s);
+      }
+      const result = [];
+      if (order) {
+        for (const title of order) {
+          if (bySubsection[title]?.length) {
+            result.push({ title, settings: bySubsection[title] });
+          }
+        }
+      }
+      for (const [title, settingsList] of Object.entries(bySubsection)) {
+        if (!order || !order.includes(title)) {
+          result.push({ title: title || "", settings: settingsList });
+        }
+      }
+      return result.length ? result : [{ title: "", settings }];
+    },
     settingsForStep(stepType) {
       return (this.wizardSettings || []).filter((s) => s.wizardStep === stepType);
     },

From f861e64012ca104a11cd05d24e1b2f88edcc9941 Mon Sep 17 00:00:00 2001
From: Mohammad Elwan <mohammadsherifl11@gmail.com>
Date: Thu, 26 Mar 2026 13:22:34 +0200
Subject: [PATCH 23/73] refactor: simplify wizard steps and settings mapping

---
 backend/db/migrations/20260119192230-basic-wizard_steps.js | 3 +--
 .../migrations/20260119194252-transform-setting-wizard.js  | 7 +------
 2 files changed, 2 insertions(+), 8 deletions(-)

diff --git a/backend/db/migrations/20260119192230-basic-wizard_steps.js b/backend/db/migrations/20260119192230-basic-wizard_steps.js
index 5511d95ee..bcbaa28e7 100644
--- a/backend/db/migrations/20260119192230-basic-wizard_steps.js
+++ b/backend/db/migrations/20260119192230-basic-wizard_steps.js
@@ -6,10 +6,9 @@ module.exports = {
         const now = new Date();
         await queryInterface.bulkInsert('wizard_step', [
             { key: 'admin', order: 1, title: 'Admin Account', description: 'Create the administrator account', type: 'admin', deleted: false, createdAt: now, updatedAt: now, deletedAt: null },
-            { key: 'general', order: 2, title: 'General Settings', description: 'Copyright, consent, guest login, study mode, external links', type: 'general', deleted: false, createdAt: now, updatedAt: now, deletedAt: null },
+            { key: 'general', order: 2, title: 'General Settings', description: 'Copyright, consent, guest login, external links', type: 'general', deleted: false, createdAt: now, updatedAt: now, deletedAt: null },
             { key: 'mail', order: 3, title: 'Mail Configuration', description: 'Enable email service and configure SMTP/sendmail', type: 'mail', deleted: false, createdAt: now, updatedAt: now, deletedAt: null },
             { key: 'registration', order: 4, title: 'User Registration', description: 'What is required at signup', type: 'registration', deleted: false, createdAt: now, updatedAt: now, deletedAt: null },
-            { key: 'moodle', order: 5, title: 'Moodle Integration', description: 'Optional: API URL, key, course ID', type: 'moodle', deleted: false, createdAt: now, updatedAt: now, deletedAt: null },
             { key: 'summary', order: 6, title: 'Summary', description: 'Review your choices before finishing', type: 'summary', deleted: false, createdAt: now, updatedAt: now, deletedAt: null },
         ], {});
     },
diff --git a/backend/db/migrations/20260119194252-transform-setting-wizard.js b/backend/db/migrations/20260119194252-transform-setting-wizard.js
index e9b323a11..ab4fc5f2d 100644
--- a/backend/db/migrations/20260119194252-transform-setting-wizard.js
+++ b/backend/db/migrations/20260119194252-transform-setting-wizard.js
@@ -9,7 +9,6 @@ const WIZARD_SETTINGS = [
     { key: 'app.config.consent.enabled', wizardStep: 'general', wizardOrder: 2, requiredInWizard: false },
     { key: 'app.login.guest', wizardStep: 'general', wizardOrder: 3, requiredInWizard: false },
     { key: 'app.login.forgotPassword', wizardStep: 'general', wizardOrder: 4, requiredInWizard: false },
-    { key: 'app.study.enabled', wizardStep: 'general', wizardOrder: 5, requiredInWizard: false },
     { key: 'app.landing.showDocs', wizardStep: 'general', wizardOrder: 6, requiredInWizard: false },
     { key: 'app.landing.linkDocs', wizardStep: 'general', wizardOrder: 7, requiredInWizard: true },
     { key: 'app.landing.showProject', wizardStep: 'general', wizardOrder: 8, requiredInWizard: false },
@@ -38,11 +37,7 @@ const WIZARD_SETTINGS = [
     { key: 'app.register.requestData', wizardStep: 'registration', wizardOrder: 28, requiredInWizard: false },
     { key: 'app.register.acceptStats.default', wizardStep: 'registration', wizardOrder: 29, requiredInWizard: false },
     { key: 'app.register.acceptDataSharing.default', wizardStep: 'registration', wizardOrder: 30, requiredInWizard: false },
-    { key: 'app.register.terms', wizardStep: 'registration', wizardOrder: 31, requiredInWizard: false },
-    // moodle
-    { key: 'rpc.moodleAPI.apiUrl', wizardStep: 'moodle', wizardOrder: 32, requiredInWizard: false },
-    { key: 'rpc.moodleAPI.apiKey', wizardStep: 'moodle', wizardOrder: 33, requiredInWizard: false },
-    { key: 'rpc.moodleAPI.courseID', wizardStep: 'moodle', wizardOrder: 34, requiredInWizard: false },
+    { key: 'app.register.terms', wizardStep: 'general', wizardOrder: 5, requiredInWizard: false },
 ];
 
 /** @type {import('sequelize-cli').Migration} */

From 9fbd2d80de9b282cb302777c2beba1cff7a34cbe Mon Sep 17 00:00:00 2001
From: Mohammad Elwan <mohammadsherifl11@gmail.com>
Date: Thu, 26 Mar 2026 13:23:08 +0200
Subject: [PATCH 24/73] refactor: simplify setup wizard and create admin on
 finish

---
 frontend/src/auth/SetupWizard.vue | 341 ++++++++++++++++--------------
 1 file changed, 186 insertions(+), 155 deletions(-)

diff --git a/frontend/src/auth/SetupWizard.vue b/frontend/src/auth/SetupWizard.vue
index 430eb6c38..3546ef9f1 100644
--- a/frontend/src/auth/SetupWizard.vue
+++ b/frontend/src/auth/SetupWizard.vue
@@ -19,22 +19,13 @@
 
       <!-- Step: Admin -->
       <div v-show="displaySteps[currentStep]?.type === 'admin'" class="card">
-        <div class="card-header step-card-header">Setup – Create admin account</div>
+        <div class="card-header step-card-header">Setup – Admin account</div>
         <div class="card-body mx-4 my-4">
-          <template v-if="adminCreatedThisSession">
-            <p class="text-muted mb-3">
-              The administrator account has been created. Continue to configure settings.
-            </p>
-            <button class="btn btn-primary" type="button" @click="currentStep++">
-              Continue
-            </button>
-          </template>
-          <template v-else>
-            <p class="text-muted mb-3">
-              No administrator account exists. Create one to finish setting up CARE.
-            </p>
-            <p v-if="showError" class="text-danger text-center">{{ errorMessage }}</p>
-            <form @submit.prevent="submitAdmin">
+          <p class="text-muted mb-3">
+            No administrator account exists. Enter credentials now; the account is created on Finish.
+          </p>
+          <p v-if="showError" class="text-danger text-center">{{ errorMessage }}</p>
+          <form @submit.prevent="submitAdmin">
             <div class="form-group row my-2">
               <label class="col-md-4 col-form-label text-md-right" for="setup-username">Username</label>
               <div class="col-md-6">
@@ -87,10 +78,9 @@
               </div>
             </div>
             <div class="col-md-6 offset-md-4 my-4">
-              <button class="btn btn-primary" type="submit">Create admin and continue</button>
+              <button class="btn btn-primary" type="submit">Continue</button>
             </div>
           </form>
-          </template>
         </div>
       </div>
 
@@ -124,16 +114,13 @@
           </template>
           <template v-else>
             <p class="text-muted mb-3">
-              Configure copyright notice, consent requirements, guest access, study mode, and links shown on the landing page.
+              Configure copyright notice, consent requirements, guest access, and links shown on the landing page.
             </p>
 
-            <FormCollapsible
-              v-for="group in generalFieldGroups"
-              :key="group.title"
-              :title="group.title"
-              :collapsed="true"
-              class="mb-3"
-            >
+            <div v-for="group in generalFieldGroups" :key="group.title" class="mb-4">
+              <h6 v-if="group.title" class="step-group-heading text-muted border-bottom pb-1 mb-3">
+                {{ group.title }}
+              </h6>
               <div
                 v-for="s in group.settings"
                 :key="s.key"
@@ -146,7 +133,7 @@
                 >
                   {{ settingLabel(s.key) }}
                 </label>
-                <div class="col-md-6 d-flex align-items-start">
+                <div class="col-md-6 d-flex flex-column">
                   <template v-if="s.type === 'boolean' || s.type === 'bool'">
                     <div class="form-check form-switch">
                       <input
@@ -158,12 +145,19 @@
                       />
                     </div>
                   </template>
+                  <template v-else-if="s.key === 'app.register.terms'">
+                    <BasicEditor
+                      :model-value="formSettings[s.key]"
+                      :read-only="false"
+                      @update:model-value="formSettings[s.key] = $event"
+                    />
+                  </template>
                   <template v-else-if="s.type === 'edits'">
                     <textarea
                       :id="'set-' + s.key"
                       v-model="formSettings[s.key]"
                       class="form-control w-100"
-                      rows="2"
+                      rows="5"
                     />
                   </template>
                   <input
@@ -173,7 +167,11 @@
                     class="form-control"
                     type="text"
                   />
-                  <FormHelp v-if="s.description" :help="s.description" class="ms-1" />
+                  <div
+                    v-if="settingDescription(s.key) || s.description"
+                    class="small text-muted mt-1"
+                    v-html="settingDescription(s.key) || s.description"
+                  />
                 </div>
                 <div v-if="s.requiredInWizard" class="col-md-6 offset-md-4">
                   <div class="feedback-invalid" :class="{invalid: settingsTouched && !(formSettings[s.key] != null && String(formSettings[s.key]).trim() !== '')}">
@@ -181,7 +179,7 @@
                   </div>
                 </div>
               </div>
-            </FormCollapsible>
+            </div>
           </template>
 
           <div class="d-flex justify-content-between mt-4">
@@ -218,13 +216,10 @@
           </div>
 
           <template v-if="mailEnabled">
-            <FormCollapsible
-              v-for="group in mailFieldGroups"
-              :key="group.title"
-              :title="group.title"
-              :collapsed="true"
-              class="mb-3"
-            >
+            <div v-for="group in mailFieldGroups" :key="group.title" class="mb-4">
+              <h6 v-if="group.title" class="step-group-heading text-muted border-bottom pb-1 mb-3">
+                {{ group.title }}
+              </h6>
               <div
                 v-for="s in group.settings"
                 :key="s.key"
@@ -237,7 +232,7 @@
                 >
                   {{ settingLabel(s.key) }}
                 </label>
-                <div class="col-md-6 d-flex align-items-start">
+                <div class="col-md-6 d-flex flex-column">
                   <template v-if="s.type === 'boolean' || s.type === 'bool'">
                     <div class="form-check form-switch">
                       <input
@@ -254,7 +249,7 @@
                       :id="'set-' + s.key"
                       v-model="formSettings[s.key]"
                       class="form-control w-100"
-                      rows="2"
+                      rows="4"
                     />
                   </template>
                   <input
@@ -264,14 +259,14 @@
                     class="form-control"
                     type="text"
                   />
-                  <FormHelp
+                  <div
                     v-if="settingDescription(s.key) || s.description"
-                    :help="settingDescription(s.key) || s.description"
-                    class="ms-1"
+                    class="small text-muted mt-1"
+                    v-html="settingDescription(s.key) || s.description"
                   />
                 </div>
               </div>
-            </FormCollapsible>
+            </div>
           </template>
 
           <div class="d-flex justify-content-between mt-4">
@@ -292,13 +287,10 @@
             Configure which information and consents are requested from users during registration.
           </p>
 
-          <FormCollapsible
-            v-for="group in registrationFieldGroups"
-            :key="group.title"
-            :title="group.title"
-            :collapsed="true"
-            class="mb-3"
-          >
+          <div v-for="group in registrationFieldGroups" :key="group.title" class="mb-4">
+            <h6 v-if="group.title" class="step-group-heading text-muted border-bottom pb-1 mb-3">
+              {{ group.title }}
+            </h6>
             <div
               v-for="s in group.settings"
               :key="s.key"
@@ -311,7 +303,7 @@
               >
                 {{ settingLabel(s.key) }}
               </label>
-              <div class="col-md-6 d-flex align-items-start">
+              <div class="col-md-6 d-flex flex-column">
                 <template v-if="s.type === 'boolean' || s.type === 'bool'">
                   <div class="form-check form-switch">
                     <input
@@ -328,7 +320,7 @@
                     :id="'set-' + s.key"
                     v-model="formSettings[s.key]"
                     class="form-control w-100"
-                    rows="2"
+                    rows="4"
                   />
                 </template>
                 <input
@@ -338,26 +330,22 @@
                   class="form-control"
                   type="text"
                 />
-                <FormHelp
+                <div
                   v-if="settingDescription(s.key) || s.description"
-                  :help="settingDescription(s.key) || s.description"
-                  class="ms-1"
+                  class="small text-muted mt-1"
+                  v-html="settingDescription(s.key) || s.description"
                 />
               </div>
             </div>
-          </FormCollapsible>
-          <FormCollapsible
-            v-if="mailEnabled"
-            title="Email verification"
-            description="Require new users to verify their email before accessing the application"
-            :collapsed="true"
-            class="mb-3"
-          >
+          </div>
+
+          <div v-if="mailEnabled" class="mb-4">
+            <h6 class="step-group-heading text-muted border-bottom pb-1 mb-3">Email verification</h6>
             <div class="form-group row my-2">
               <label class="col-md-4 col-form-label text-md-right" for="email-verification-reg" @click.prevent>
                 {{ settingLabel("app.register.emailVerification") }}
               </label>
-              <div class="col-md-6 d-flex align-items-start">
+              <div class="col-md-6 d-flex flex-column">
                 <div class="form-check form-switch">
                   <input
                     id="email-verification-reg"
@@ -367,57 +355,9 @@
                     @change="formSettings['app.register.emailVerification'] = $event.target.checked ? 'true' : 'false'"
                   />
                 </div>
-                <FormHelp
-                  :help="'Require new users to verify their email address before accessing the application.'"
-                  class="ms-1"
-                />
-              </div>
-            </div>
-          </FormCollapsible>
-
-          <div class="d-flex justify-content-between mt-4">
-            <button class="btn btn-secondary" type="button" @click="onPrevious">Previous</button>
-            <button class="btn btn-primary ms-auto" type="button" @click="onStepNext">
-              Next
-            </button>
-          </div>
-        </div>
-      </div>
-
-      <!-- Step: Moodle -->
-      <div v-show="displaySteps[currentStep]?.type === 'moodle'" class="card">
-        <div class="card-header step-card-header d-flex align-items-center">
-          Moodle Integration
-          <span class="badge bg-secondary ms-2">Optional</span>
-        </div>
-        <div class="card-body mx-4 my-4">
-          <p v-if="showError" class="text-danger text-center">{{ errorMessage }}</p>
-          <div class="alert alert-info mb-3 py-2" role="alert">
-            <strong>This step is optional.</strong> Configure it only if you use Moodle. You can skip it now and configure Moodle integration later in Settings.
-          </div>
-
-          <div v-for="group in moodleFieldGroups" :key="group.title" class="mb-4">
-            <h6 class="step-group-heading text-muted border-bottom pb-1 mb-3">{{ group.title }}</h6>
-            <div
-              v-for="s in group.settings"
-              :key="s.key"
-              class="form-group row my-2"
-            >
-              <label
-                class="col-md-4 col-form-label text-md-right"
-                :for="'set-' + s.key"
-                @click="(s.type === 'boolean' || s.type === 'bool') && $event.preventDefault()"
-              >
-                {{ settingLabel(s.key) }}
-              </label>
-              <div class="col-md-6 d-flex align-items-start">
-                <input
-                  :id="'set-' + s.key"
-                  v-model="formSettings[s.key]"
-                  class="form-control"
-                  type="text"
-                />
-                <FormHelp v-if="s.description" :help="s.description" class="ms-1" />
+                <div class="small text-muted mt-1">
+                  Require new users to verify their email address before accessing the application.
+                </div>
               </div>
             </div>
           </div>
@@ -437,32 +377,29 @@
         <div class="card-body mx-4 my-4">
           <p class="text-muted mb-3">Review your choices before finishing.</p>
 
-          <FormCollapsible
-            v-if="!hasAdmin"
-            title="Admin"
-            :collapsed="false"
-            class="mb-3"
-          >
+          <div v-if="!hasAdmin" class="mb-4">
+            <h6 class="step-group-heading text-muted border-bottom pb-1 mb-3">Admin</h6>
             <ul class="list-unstyled mb-0">
               <li><strong>Username:</strong> {{ formData.userName || "—" }}</li>
               <li><strong>Email:</strong> {{ formData.email || "—" }}</li>
               <li><strong>Password:</strong> Password set</li>
             </ul>
-          </FormCollapsible>
-
-          <FormCollapsible
-            v-for="group in summaryFieldGroups"
-            :key="group.title"
-            :title="group.title"
-            :collapsed="false"
-            class="mb-3"
-          >
+          </div>
+
+          <div v-for="group in summaryFieldGroups" :key="group.title" class="mb-4">
+            <h6 class="step-group-heading text-muted border-bottom pb-1 mb-3">{{ group.title }}</h6>
             <ul class="list-unstyled ms-2 mb-0">
-              <li v-for="s in group.settings" :key="s.key">
-                <strong>{{ settingLabel(s.key) }}:</strong> {{ summarySettingValue(s.key) }}
+              <li v-for="s in group.settings" :key="s.key" class="mb-2">
+                <template v-if="s.key === 'app.register.terms'">
+                  <div class="fw-semibold mb-1">{{ settingLabel(s.key) }}</div>
+                  <BasicEditor :model-value="summarySettingValue(s.key)" :read-only="true" />
+                </template>
+                <template v-else>
+                  <strong>{{ settingLabel(s.key) }}:</strong> {{ summarySettingValue(s.key) }}
+                </template>
               </li>
             </ul>
-          </FormCollapsible>
+          </div>
 
           <div v-if="settingsFromFile && Object.keys(settingsFromFile).length" class="mt-4">
             <button
@@ -497,7 +434,7 @@
         <template #title>Import Settings</template>
         <template #body>
           <p class="mb-2">
-            Select a JSON file with settings. Loaded values will override the form and skip the following steps: Mail, Registration, and Moodle.
+            Select a JSON file with settings. Loaded values will override the form and skip the following steps: Mail and Registration.
           </p>
           <input
             ref="jsonFileInput"
@@ -545,23 +482,22 @@
  * @author CARE
  */
 import IconAsset from "@/basic/icon/IconAsset.vue";
-import FormHelp from "@/basic/form/Help.vue";
-import FormCollapsible from "@/basic/form/Collapsible.vue";
+import BasicEditor from "@/basic/editor/Editor.vue";
 import Modal from "@/basic/Modal.vue";
 import axios from "axios";
 import getServerURL from "@/assets/serverUrl";
 
 /** Order of subsections within each wizard step (from displaySubsection in DB). */
 const SUBSECTION_ORDER = {
-  general: ["Copyright and consent", "Login options", "Study mode", "Landing page links"],
+  general: ["Copyright and consent", "Terms and conditions", "Login options", "Landing page links"],
   mail: ["Mail service", "Sendmail", "SMTP", "Base URL and verification"],
-  registration: ["Enable registration", "Information requested at registration", "Consent options", "Terms and conditions", "Email verification rate limit"],
+  registration: ["Enable registration", "Information requested at registration", "Consent options", "Email verification rate limit"],
   moodle: ["Connection", "Course", "Show inputs"],
 };
 
 export default {
   name: "SetupWizard",
-  components: { IconAsset, FormHelp, FormCollapsible, Modal },
+  components: { IconAsset, BasicEditor, Modal },
   data() {
     return {
       currentStep: 0,
@@ -580,7 +516,6 @@ export default {
       showError: false,
       errorMessage: "",
       finishing: false,
-      adminCreatedThisSession: false,
     };
   },
   computed: {
@@ -588,13 +523,13 @@ export default {
       return this.$route.query.reRun === "true";
     },
     displaySteps() {
-      const stepTypes = ["admin", "general", "mail", "registration", "moodle", "summary"];
+      const stepTypes = ["admin", "general", "mail", "registration", "summary"];
       let filtered = this.steps.filter((s) => stepTypes.includes(s.type));
       if (this.hasAdmin) {
         filtered = filtered.filter((s) => s.type !== "admin");
       }
       if (this.settingsFromFile && Object.keys(this.settingsFromFile).length > 0) {
-        filtered = filtered.filter((s) => !["mail", "registration", "moodle"].includes(s.type));
+        filtered = filtered.filter((s) => !["mail", "registration"].includes(s.type));
       }
       return filtered;
     },
@@ -605,25 +540,53 @@ export default {
       return this.formSettings["system.mailService.enabled"] === "true";
     },
     mailFieldGroups() {
-      const groups = this.fieldGroupsForStep("mail");
+      const sendmailEnabled = this.formSettings["system.mailService.sendMail.enabled"] === "true";
+      const smtpEnabled = this.formSettings["system.mailService.smtp.enabled"] === "true";
+      const sendmailKey = "system.mailService.sendMail.enabled";
+      const smtpKey = "system.mailService.smtp.enabled";
+
+      const groups = this.fieldGroupsForStep("mail")
+        .map((g) => ({
+          ...g,
+          settings: (g.settings || []).filter((s) => s.key !== "system.mailService.enabled"),
+        }))
+        .filter((g) => g.settings.length > 0);
+
+      const filteredGroups = groups.filter((g) => {
+        if (sendmailEnabled && g.title === "SMTP") return false;
+        if (smtpEnabled && g.title === "Sendmail") return false;
+        return true;
+      });
+
+      const normalizedGroups = filteredGroups
+        .map((g) => {
+          if (g.title === "Sendmail" && !sendmailEnabled) {
+            return { ...g, settings: g.settings.filter((s) => s.key === sendmailKey) };
+          }
+          if (g.title === "SMTP" && !smtpEnabled) {
+            return { ...g, settings: g.settings.filter((s) => s.key === smtpKey) };
+          }
+          return g;
+        })
+        .filter((g) => g.settings.length > 0);
+
       const forgotPassword = (this.wizardSettings || []).find((s) => s.key === "app.login.forgotPassword");
       if (forgotPassword && this.mailEnabled) {
-        groups.push({ title: "Features that use email", settings: [forgotPassword] });
+        normalizedGroups.push({ title: "Features that use email", settings: [forgotPassword] });
       }
-      return groups;
+      return normalizedGroups;
     },
     registrationFieldGroups() {
-      return this.fieldGroupsForStep("registration");
-    },
-    moodleFieldGroups() {
-      return this.fieldGroupsForStep("moodle");
+      return this.fieldGroupsForStep("registration").map((g) => ({
+        ...g,
+        settings: (g.settings || []).filter((s) => s.key !== "app.register.terms"),
+      })).filter((g) => g.settings.length > 0);
     },
     summaryFieldGroups() {
       const stepTitles = {
         general: "General",
         mail: "Mail",
         registration: "Registration",
-        moodle: "Moodle",
       };
       const byStep = {};
       for (const s of this.wizardSettings || []) {
@@ -631,7 +594,7 @@ export default {
         if (!byStep[step]) byStep[step] = [];
         byStep[step].push(s);
       }
-      const order = ["general", "mail", "registration", "moodle"];
+      const order = ["general", "mail", "registration"];
       return order.filter((step) => byStep[step]?.length).map((step) => ({
         title: stepTitles[step],
         settings: byStep[step],
@@ -701,12 +664,47 @@ export default {
         acc[s.key] = s.value != null && s.value !== undefined ? String(s.value) : "";
         return acc;
       }, {});
+
+      // Keep sendmail and smtp mutually exclusive; sendmail takes precedence.
+      if (this.formSettings["system.mailService.sendMail.enabled"] === "true") {
+        this.formSettings["system.mailService.smtp.enabled"] = "false";
+      }
     }
     if (this.hasAdmin && this.$socket && !this.$socket.connected) {
       this.$socket.connect();
     }
   },
   methods: {
+    waitForSocketConnect() {
+      return new Promise((resolve, reject) => {
+        if (!this.$socket) {
+          reject(new Error("Socket not available"));
+          return;
+        }
+        if (this.$socket.connected) {
+          resolve(true);
+          return;
+        }
+
+        const onConnect = () => {
+          cleanup();
+          resolve(true);
+        };
+        const onError = (err) => {
+          cleanup();
+          reject(err || new Error("Socket connect error"));
+        };
+        const cleanup = () => {
+          try { this.$socket.off("connect", onConnect); } catch (e) {}
+          try { this.$socket.off("connect_error", onError); } catch (e) {}
+          try { this.$socket.off("error", onError); } catch (e) {}
+        };
+
+        try { this.$socket.on("connect", onConnect); } catch (e) {}
+        try { this.$socket.on("connect_error", onError); } catch (e) {}
+        try { this.$socket.on("error", onError); } catch (e) {}
+      });
+    },
     /**
      * Handle mail step setting changes.
      * @param {string} key - Setting key
@@ -714,6 +712,15 @@ export default {
      */
     onMailSettingChange(key, value) {
       this.formSettings[key] = value;
+
+      const sendmailKey = "system.mailService.sendMail.enabled";
+      const smtpKey = "system.mailService.smtp.enabled";
+      if (key === sendmailKey && value === "true") {
+        this.formSettings[smtpKey] = "false";
+      }
+      if (key === smtpKey && value === "true") {
+        this.formSettings[sendmailKey] = "false";
+      }
     },
     /**
      * Group wizard settings by displaySubsection for a given step.
@@ -762,7 +769,9 @@ export default {
     submitAdmin() {
       Object.keys(this.validity).forEach(k => { this.validity[k] = true; });
       if (!this.adminFormValid) return;
-      this.doSubmitAdmin();
+      this.showError = false;
+      this.errorMessage = "";
+      this.currentStep++;
     },
     async doSubmitAdmin() {
       this.showError = false;
@@ -782,18 +791,20 @@ export default {
           }
         );
         if (res.status === 200) {
-          this.adminCreatedThisSession = true;
+          this.hasAdmin = true;
           if (this.$socket && !this.$socket.connected) {
             this.$socket.connect();
           }
-          this.currentStep = 1;
+          return true;
         } else {
           this.showError = true;
           this.errorMessage = (res.data && res.data.message) || "Setup failed. Please try again.";
+          return false;
         }
       } catch (err) {
         this.showError = true;
         this.errorMessage = err.message || "Setup failed. Please try again.";
+        return false;
       }
     },
     onPrevious() {
@@ -886,11 +897,31 @@ export default {
     },
     async finish() {
       this.settingsTouched = true;
-      if (!this.$socket || !this.$socket.connected) {
+      this.showError = false;
+      this.errorMessage = "";
+
+      if (!this.hasAdmin) {
+        const created = await this.doSubmitAdmin();
+        if (!created) return;
+      }
+
+      if (!this.$socket) {
         this.showError = true;
-        this.errorMessage = "Connection not ready. Please wait and try again.";
+        this.errorMessage = "Connection not available. Please reload and try again.";
         return;
       }
+
+      if (!this.$socket.connected) {
+        try {
+          this.$socket.connect();
+          await this.waitForSocketConnect();
+        } catch (err) {
+          this.showError = true;
+          this.errorMessage = "Connection not ready. Please try again.";
+          return;
+        }
+      }
+
       const merged = { ...this.formSettings, ...(this.settingsFromFile || {}) };
       if (merged["system.mailService.enabled"] !== "true") {
         merged["app.register.emailVerification"] = "false";

From 18c22c82bee269d4ee486d3d412db5a8f2084c3a Mon Sep 17 00:00:00 2001
From: Mohammad Elwan <mohammadsherifl11@gmail.com>
Date: Thu, 26 Mar 2026 13:23:19 +0200
Subject: [PATCH 25/73] refactor: show terms of service in registration
 settings

---
 frontend/src/components/dashboard/Settings.vue | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/frontend/src/components/dashboard/Settings.vue b/frontend/src/components/dashboard/Settings.vue
index c48fc5303..fdc2c20b6 100644
--- a/frontend/src/components/dashboard/Settings.vue
+++ b/frontend/src/components/dashboard/Settings.vue
@@ -204,6 +204,12 @@ export default {
         if (otherInStep.length) {
           keys = [...keys, ...otherInStep.map((s) => s.key)];
         }
+
+        // Terms of Service should be visible in both "General" and "Registration".
+        if (step === "registration" && this.displaySettings.some((s) => s.key === "app.register.terms")) {
+          if (!keys.includes("app.register.terms")) keys.push("app.register.terms");
+        }
+
         if (keys.length) {
           const settingsInSection = keys.map((k) => this.displaySettings.find((s) => s.key === k)).filter(Boolean);
           sections.push({

From e3c2e338cec43fc842ec587632e127670525d180 Mon Sep 17 00:00:00 2001
From: Mohammad Elwan <mohammadsherifl11@gmail.com>
Date: Sun, 29 Mar 2026 22:48:45 +0200
Subject: [PATCH 26/73] feat: add optional moodle keys to wizard settings
 migration

---
 .../migrations/20260119194252-transform-setting-wizard.js  | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/backend/db/migrations/20260119194252-transform-setting-wizard.js b/backend/db/migrations/20260119194252-transform-setting-wizard.js
index ab4fc5f2d..475ea50c0 100644
--- a/backend/db/migrations/20260119194252-transform-setting-wizard.js
+++ b/backend/db/migrations/20260119194252-transform-setting-wizard.js
@@ -38,6 +38,13 @@ const WIZARD_SETTINGS = [
     { key: 'app.register.acceptStats.default', wizardStep: 'registration', wizardOrder: 29, requiredInWizard: false },
     { key: 'app.register.acceptDataSharing.default', wizardStep: 'registration', wizardOrder: 30, requiredInWizard: false },
     { key: 'app.register.terms', wizardStep: 'general', wizardOrder: 5, requiredInWizard: false },
+    // Optional Moodle (wizardStep moodle keeps Settings > Moodle grouping; shown on General screen in SetupWizard)
+    { key: 'rpc.moodleAPI.apiUrl', wizardStep: 'moodle', wizardOrder: 31, requiredInWizard: false },
+    { key: 'rpc.moodleAPI.apiKey', wizardStep: 'moodle', wizardOrder: 32, requiredInWizard: false },
+    { key: 'rpc.moodleAPI.courseID', wizardStep: 'moodle', wizardOrder: 33, requiredInWizard: false },
+    { key: 'rpc.moodleAPI.showInput.apiUrl', wizardStep: 'moodle', wizardOrder: 34, requiredInWizard: false },
+    { key: 'rpc.moodleAPI.showInput.apiKey', wizardStep: 'moodle', wizardOrder: 35, requiredInWizard: false },
+    { key: 'rpc.moodleAPI.showInput.courseID', wizardStep: 'moodle', wizardOrder: 36, requiredInWizard: false },
 ];
 
 /** @type {import('sequelize-cli').Migration} */

From 595252f6d9c6e5497dad483a2198cdea66da088c Mon Sep 17 00:00:00 2001
From: Mohammad Elwan <mohammadsherifl11@gmail.com>
Date: Sun, 29 Mar 2026 22:49:35 +0200
Subject: [PATCH 27/73] docs: clarify moodle wizard note in setup route

---
 backend/webserver/routes/setup.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/backend/webserver/routes/setup.js b/backend/webserver/routes/setup.js
index 523a39922..8b2708654 100644
--- a/backend/webserver/routes/setup.js
+++ b/backend/webserver/routes/setup.js
@@ -15,7 +15,7 @@ module.exports = function (server) {
      * GET /setup/config
      * Returns wizard config for first-time setup or re-run. needsSetup is true when no admin exists.
      * When setup is needed (or reRun=true with an admin): steps, wizardSettings,
-     * and wizardSettingsByStep (grouped by general, mail, registration, moodle).
+     * and wizardSettingsByStep (grouped by general, mail, registration). Moodle fields appear in the General wizard step in the UI.
      * When setup is not needed: empty steps and wizardSettings.
      */
     server.app.get("/setup/config", async function (req, res) {

From 512420e507001f1c527b52498c7a42d164a9e295 Mon Sep 17 00:00:00 2001
From: Mohammad Elwan <mohammadsherifl11@gmail.com>
Date: Sun, 29 Mar 2026 22:49:53 +0200
Subject: [PATCH 28/73] feat: show setting help beside label in setting item

---
 .../dashboard/settings/SettingItem.vue        | 23 +++++++++++++++----
 1 file changed, 18 insertions(+), 5 deletions(-)

diff --git a/frontend/src/components/dashboard/settings/SettingItem.vue b/frontend/src/components/dashboard/settings/SettingItem.vue
index 404b8d1e6..1b6ba7f25 100644
--- a/frontend/src/components/dashboard/settings/SettingItem.vue
+++ b/frontend/src/components/dashboard/settings/SettingItem.vue
@@ -5,7 +5,21 @@
       :for="'set-' + setting.key"
       @click="(setting.type === 'boolean' || setting.type === 'bool') && $event.preventDefault()"
     >
-      {{ setting.displayName || setting.key }}
+      <div class="d-inline-flex align-items-center gap-1 flex-wrap justify-content-md-end">
+        <span>{{ setting.displayName || setting.key }}</span>
+        <span
+          v-if="setting.description"
+          class="text-muted flex-shrink-0"
+          aria-hidden="true"
+        >
+          <LoadIcon icon-name="info-circle" :size="14" />
+        </span>
+      </div>
+      <div
+        v-if="setting.description"
+        class="small text-muted mt-1 fw-normal text-break"
+        v-html="setting.description"
+      />
     </label>
     <div class="col-md-6 d-flex align-items-start">
       <template v-if="setting.type === 'edits'">
@@ -34,22 +48,21 @@
         type="text"
         @input="$emit('update:value', $event.target.value)"
       />
-      <FormHelp v-if="setting.description" :help="setting.description" class="ms-1" />
     </div>
   </template>
 </template>
 
 <script>
 import EditorModal from "@/basic/editor/Modal.vue";
-import FormHelp from "@/basic/form/Help.vue";
+import LoadIcon from "@/basic/Icon.vue";
 
 /**
  * SettingItem - Renders a single setting row (label + input).
- * Uses displayName and description from DB.
+ * Uses displayName and description from DB; description is shown under the label (wizard-style) with a gray (i) hint next to the title.
  */
 export default {
   name: "SettingItem",
-  components: { EditorModal, FormHelp },
+  components: { EditorModal, LoadIcon },
   props: {
     setting: {
       type: Object,

From 7536e2a98a3f443c3a5eacb7c07c442d3e30e7b0 Mon Sep 17 00:00:00 2001
From: Mohammad Elwan <mohammadsherifl11@gmail.com>
Date: Sun, 29 Mar 2026 22:50:39 +0200
Subject: [PATCH 29/73] feat: add moodle block, import flow, and terms modal to
 setup wizard

---
 frontend/src/auth/SetupWizard.vue | 155 +++++++++++++++++++++++++-----
 1 file changed, 132 insertions(+), 23 deletions(-)

diff --git a/frontend/src/auth/SetupWizard.vue b/frontend/src/auth/SetupWizard.vue
index 3546ef9f1..cc545facd 100644
--- a/frontend/src/auth/SetupWizard.vue
+++ b/frontend/src/auth/SetupWizard.vue
@@ -86,16 +86,27 @@
 
       <!-- Step: General -->
       <div v-show="displaySteps[currentStep]?.type === 'general'" class="card">
-        <div class="card-header step-card-header d-flex justify-content-between align-items-center">
-          General Settings
-          <button
-            class="btn btn-outline-secondary btn-sm"
-            type="button"
-            title="Import settings from a JSON file (overrides form values)"
-            @click="openImportModal"
-          >
-            Import JSON
-          </button>
+        <div class="card-header step-card-header d-flex flex-wrap justify-content-between align-items-center gap-2">
+          <span>General Settings</span>
+          <div class="d-flex flex-wrap gap-2">
+            <button
+              class="btn btn-outline-secondary btn-sm"
+              type="button"
+              :disabled="!wizardSettingsLoaded"
+              :title="wizardSettingsLoaded ? 'Download JSON with current wizard setting values' : 'Available after settings load'"
+              @click="downloadImportTemplate"
+            >
+              Download template
+            </button>
+            <button
+              class="btn btn-outline-secondary btn-sm"
+              type="button"
+              title="Load settings from a JSON file exported from another CARE instance"
+              @click="openImportModal"
+            >
+              Import from previous instance
+            </button>
+          </div>
         </div>
         <div class="card-body mx-4 my-4">
           <p v-if="showError" class="text-danger text-center">{{ errorMessage }}</p>
@@ -146,11 +157,14 @@
                     </div>
                   </template>
                   <template v-else-if="s.key === 'app.register.terms'">
-                    <BasicEditor
-                      :model-value="formSettings[s.key]"
-                      :read-only="false"
-                      @update:model-value="formSettings[s.key] = $event"
-                    />
+                    <div class="d-flex align-items-center flex-wrap gap-2">
+                      <EditorModal
+                        :model-value="formSettings[s.key]"
+                        :title="'Edit ' + settingLabel(s.key)"
+                        @update:model-value="formSettings[s.key] = $event"
+                      />
+                      <span class="small text-muted">Open the editor to change terms and conditions.</span>
+                    </div>
                   </template>
                   <template v-else-if="s.type === 'edits'">
                     <textarea
@@ -160,6 +174,13 @@
                       rows="5"
                     />
                   </template>
+                  <input
+                    v-else-if="s.type === 'integer'"
+                    :id="'set-' + s.key"
+                    v-model.number="formSettings[s.key]"
+                    class="form-control"
+                    type="number"
+                  />
                   <input
                     v-else
                     :id="'set-' + s.key"
@@ -180,6 +201,60 @@
                 </div>
               </div>
             </div>
+
+            <div v-if="moodleSettingsFlat.length" class="mb-4 mt-4">
+              <h6 class="step-group-heading text-muted border-bottom pb-1 mb-2">
+                Moodle <span class="fw-normal small">(optional)</span>
+              </h6>
+              <p class="small text-muted mb-3">
+                Configure Moodle if you use it for enrollments or submissions. You can change these later under Settings → Moodle.
+              </p>
+              <div
+                v-for="s in moodleSettingsFlat"
+                :key="s.key"
+                class="form-group row my-2"
+              >
+                <label
+                  class="col-md-4 col-form-label text-md-right"
+                  :for="'set-' + s.key"
+                  @click="(s.type === 'boolean' || s.type === 'bool') && $event.preventDefault()"
+                >
+                  {{ settingLabel(s.key) }}
+                </label>
+                <div class="col-md-6 d-flex flex-column">
+                  <template v-if="s.type === 'boolean' || s.type === 'bool'">
+                    <div class="form-check form-switch">
+                      <input
+                        :id="'set-' + s.key"
+                        :checked="formSettings[s.key] === 'true'"
+                        class="form-check-input"
+                        type="checkbox"
+                        @change="formSettings[s.key] = $event.target.checked ? 'true' : 'false'"
+                      />
+                    </div>
+                  </template>
+                  <input
+                    v-else-if="s.type === 'integer'"
+                    :id="'set-' + s.key"
+                    v-model.number="formSettings[s.key]"
+                    class="form-control"
+                    type="number"
+                  />
+                  <input
+                    v-else
+                    :id="'set-' + s.key"
+                    v-model="formSettings[s.key]"
+                    class="form-control"
+                    type="text"
+                  />
+                  <div
+                    v-if="settingDescription(s.key) || s.description"
+                    class="small text-muted mt-1"
+                    v-html="settingDescription(s.key) || s.description"
+                  />
+                </div>
+              </div>
+            </div>
           </template>
 
           <div class="d-flex justify-content-between mt-4">
@@ -431,10 +506,15 @@
 
       <!-- Import JSON Modal -->
       <Modal ref="importModal" name="wizardImportSettings">
-        <template #title>Import Settings</template>
+        <template #title>Import JSON from previous instance</template>
         <template #body>
           <p class="mb-2">
-            Select a JSON file with settings. Loaded values will override the form and skip the following steps: Mail and Registration.
+            This is an alternative to filling the wizard by hand. Upload a JSON file you exported from another CARE server
+            (<strong>Dashboard → Settings → Export JSON</strong>). Loaded keys replace values in this setup form and
+            <strong>skip the Mail and Registration steps</strong> (you can still review everything on the Summary).
+          </p>
+          <p class="small text-muted mb-3">
+            For a minimal example, use <strong>Download template</strong> on the General step, or export from Settings on an existing instance.
           </p>
           <input
             ref="jsonFileInput"
@@ -476,28 +556,37 @@
 
 <script>
 /**
- * First-time setup wizard: Admin, General (with optional JSON import), Mail, Registration, Moodle, Summary.
+ * First-time setup wizard: Admin, General (optional Moodle + JSON import), Mail, Registration, Summary.
  * Fetches /setup/config for steps and wizardSettings. On Finish, calls settingSave and redirects.
  *
  * @author CARE
  */
 import IconAsset from "@/basic/icon/IconAsset.vue";
 import BasicEditor from "@/basic/editor/Editor.vue";
+import EditorModal from "@/basic/editor/Modal.vue";
 import Modal from "@/basic/Modal.vue";
 import axios from "axios";
 import getServerURL from "@/assets/serverUrl";
+import {downloadObjectsAs} from "@/assets/utils";
 
 /** Order of subsections within each wizard step (from displaySubsection in DB). */
 const SUBSECTION_ORDER = {
-  general: ["Copyright and consent", "Terms and conditions", "Login options", "Landing page links"],
+  general: [
+    "Copyright and consent",
+    "Terms and conditions",
+    "Login options",
+    "Landing page links",
+    "Connection",
+    "Course",
+    "Show inputs",
+  ],
   mail: ["Mail service", "Sendmail", "SMTP", "Base URL and verification"],
   registration: ["Enable registration", "Information requested at registration", "Consent options", "Email verification rate limit"],
-  moodle: ["Connection", "Course", "Show inputs"],
 };
 
 export default {
   name: "SetupWizard",
-  components: { IconAsset, BasicEditor, Modal },
+  components: { IconAsset, BasicEditor, EditorModal, Modal },
   data() {
     return {
       currentStep: 0,
@@ -522,6 +611,10 @@ export default {
     isReRun() {
       return this.$route.query.reRun === "true";
     },
+    /** True once GET /setup/config has returned at least one wizard setting (enables template download). */
+    wizardSettingsLoaded() {
+      return Array.isArray(this.wizardSettings) && this.wizardSettings.length > 0;
+    },
     displaySteps() {
       const stepTypes = ["admin", "general", "mail", "registration", "summary"];
       let filtered = this.steps.filter((s) => stepTypes.includes(s.type));
@@ -536,6 +629,10 @@ export default {
     generalFieldGroups() {
       return this.fieldGroupsForStep("general");
     },
+    moodleSettingsFlat() {
+      const list = (this.wizardSettings || []).filter((s) => s.wizardStep === "moodle");
+      return [...list].sort((a, b) => (a.wizardOrder || 0) - (b.wizardOrder || 0));
+    },
     mailEnabled() {
       return this.formSettings["system.mailService.enabled"] === "true";
     },
@@ -587,6 +684,7 @@ export default {
         general: "General",
         mail: "Mail",
         registration: "Registration",
+        moodle: "Moodle",
       };
       const byStep = {};
       for (const s of this.wizardSettings || []) {
@@ -594,7 +692,7 @@ export default {
         if (!byStep[step]) byStep[step] = [];
         byStep[step].push(s);
       }
-      const order = ["general", "mail", "registration"];
+      const order = ["general", "mail", "registration", "moodle"];
       return order.filter((step) => byStep[step]?.length).map((step) => ({
         title: stepTitles[step],
         settings: byStep[step],
@@ -724,7 +822,7 @@ export default {
     },
     /**
      * Group wizard settings by displaySubsection for a given step.
-     * @param {string} stepType - general, registration, or moodle
+     * @param {string} stepType - general, mail, registration, moodle
      * @returns {Array<{title: string, settings: object[]}>}
      */
     fieldGroupsForStep(stepType) {
@@ -841,6 +939,17 @@ export default {
       if (this.$refs.jsonFileInput) this.$refs.jsonFileInput.value = "";
       this.$refs.importModal.open();
     },
+    /**
+     * JSON template from current wizard settings (DB values for showInWizard keys), same shape as import.
+     */
+    downloadImportTemplate() {
+      const flat = (this.wizardSettings || []).reduce((acc, s) => {
+        const v = s.value;
+        acc[s.key] = v === null || v === undefined ? "" : v;
+        return acc;
+      }, {});
+      downloadObjectsAs(flat, "care-settings-template", "json");
+    },
     onJsonFileChange(ev) {
       this.importFile = ev.target.files && ev.target.files[0] || null;
       this.importError = null;

From 17648313c8527f5893ebd1697b934704639fa16c Mon Sep 17 00:00:00 2001
From: Mohammad Elwan <mohammadsherifl11@gmail.com>
Date: Tue, 7 Apr 2026 12:46:14 +0200
Subject: [PATCH 30/73] feat : reinitialize mail transport after mail settings
 save

---
 backend/webserver/Server.js          | 19 ++++++++--
 backend/webserver/sockets/setting.js | 52 ++++++++++++++++++++++++++++
 2 files changed, 69 insertions(+), 2 deletions(-)

diff --git a/backend/webserver/Server.js b/backend/webserver/Server.js
index 3199f5cbe..a0f2b8be1 100644
--- a/backend/webserver/Server.js
+++ b/backend/webserver/Server.js
@@ -86,7 +86,7 @@ module.exports = class Server {
         this.app.use("/*", express.static(`${__dirname}/../../dist/index.html`));
 
         this.httpServer = http.createServer(this.app);
-        Promise.resolve(this.#initMailServer()).then(() => {
+        Promise.resolve(this.refreshMailServer()).then(() => {
             if (this.mailer) {
                 this.logger.info("Mail server initialized");
             } else {
@@ -119,10 +119,25 @@ module.exports = class Server {
     }
 
     /**
-     * Initialize the mail server
+     * Re-read mail settings from the database and rebuild the nodemailer transport.
+     * Used at startup and after admin saves mail-related settings (see SettingSocket).
+     * @returns {Promise<void>}
+     */
+    async refreshMailServer() {
+        try {
+            await this.#initMailServer();
+        } catch (err) {
+            this.logger.error("refreshMailServer failed: " + err);
+        }
+    }
+
+    /**
+     * Initialize the mail server from current DB settings.
+     * Clears any previous transport first so disabled mail or changed mode is reflected.
      * @returns {Promise<void>}
      */
     async #initMailServer() {
+        this.mailer = null;
 
         if (await this.db.models['setting'].get("system.mailService.enabled") === "true") {
             if (await this.db.models['setting'].get("system.mailService.sendMail.enabled") === "true") {
diff --git a/backend/webserver/sockets/setting.js b/backend/webserver/sockets/setting.js
index 096712e1b..385d55685 100644
--- a/backend/webserver/sockets/setting.js
+++ b/backend/webserver/sockets/setting.js
@@ -1,4 +1,26 @@
 const Socket = require("../Socket.js");
+const mailTest = require("../utils/mailTest.js");
+
+const MAIL_SERVICE_KEY_PREFIX = "system.mailService.";
+
+/**
+ * @param {Array<{ key: string }>|undefined} data Settings payload from settingSave
+ * @returns {boolean} True if any saved key is under system.mailService.*
+ */
+function payloadTouchesMailService(data) {
+    if (!Array.isArray(data)) {
+        return false;
+    }
+    for (const setting of data) {
+        if (!setting || typeof setting.key !== "string") {
+            continue;
+        }
+        if (setting.key.startsWith(MAIL_SERVICE_KEY_PREFIX)) {
+            return true;
+        }
+    }
+    return false;
+}
 
 /**
  * Handle settings through websocket
@@ -42,6 +64,8 @@ class SettingSocket extends Socket {
             throw new Error("You do not have permission to save settings.");
         }
 
+        const shouldRefreshMail = payloadTouchesMailService(data);
+
         for (const setting of data) {
             let value = setting.value;
             if (typeof value === "object") {
@@ -54,6 +78,9 @@ class SettingSocket extends Socket {
         }
 
         options.transaction.afterCommit(async () => {
+            if (shouldRefreshMail) {
+                await this.server.refreshMailServer();
+            }
             await this.getSocket("AppSocket").sendSettings(true); // Notify all clients of new settings
             this.emit("settingData", await this.models["setting"].getAll(true)); // Refresh settings on this socket
         });
@@ -61,9 +88,34 @@ class SettingSocket extends Socket {
         return "Settings saved successfully.";
     }
 
+    /**
+     * Sends a fixed test email using current DB mail settings.
+     *
+     * @socketEvent mailSendTest
+     * @param {{ to: string }} data Recipient address.
+     * @returns {Promise<string>} Success message.
+     */
+    async mailSendTest(data) {
+        if (!(await this.isAdmin())) {
+            throw new Error("You do not have permission to send test mail.");
+        }
+        const to = data && data.to != null ? String(data.to).trim() : "";
+        if (!to || !/^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(to)) {
+            throw new Error("A valid recipient email address is required.");
+        }
+
+        const rows = await this.models["setting"].getAll(false);
+        const map = mailTest.buildMailMapFromSettingsRows(rows);
+        const transport = mailTest.buildTransportFromMailSettings(map);
+        const from = map["system.mailService.senderAddress"] || "";
+        await mailTest.sendFixedTestMail(transport, { from, to });
+        return "Test email sent.";
+    }
+
     init() {
         this.createSocket("settingGetData", this.sendSettings, {}, false);
         this.createSocket("settingSave", this.saveSettings, {}, true);
+        this.createSocket("mailSendTest", this.mailSendTest, {}, false);
     }
 }
 

From 4b0d8e8f471cd57f68f22cce84a3a6e628c68028 Mon Sep 17 00:00:00 2001
From: Mohammad Elwan <mohammadsherifl11@gmail.com>
Date: Tue, 7 Apr 2026 12:46:36 +0200
Subject: [PATCH 31/73] feat : add admin mail send test socket and shared mail
 test helpers

---
 backend/webserver/utils/mailTest.js | 90 +++++++++++++++++++++++++++++
 1 file changed, 90 insertions(+)
 create mode 100644 backend/webserver/utils/mailTest.js

diff --git a/backend/webserver/utils/mailTest.js b/backend/webserver/utils/mailTest.js
new file mode 100644
index 000000000..ea2bc1c87
--- /dev/null
+++ b/backend/webserver/utils/mailTest.js
@@ -0,0 +1,90 @@
+"use strict";
+
+const nodemailer = require("nodemailer");
+
+const TEST_MAIL_SUBJECT = "CARE test email";
+const TEST_MAIL_TEXT =
+    "This is a test message from CARE. If you received this, your outgoing mail configuration works.";
+
+function get(map, key) {
+    const v = map[key];
+    if (v === null || v === undefined) {
+        return null;
+    }
+    return String(v);
+}
+
+function buildTransportFromMailSettings(map) {
+    if (get(map, "system.mailService.enabled") !== "true") {
+        throw new Error("Email service is not enabled.");
+    }
+    if (get(map, "system.mailService.sendMail.enabled") === "true") {
+        const sendmailPath = get(map, "system.mailService.sendMail.path");
+        if (!sendmailPath) {
+            throw new Error("Sendmail path is not configured.");
+        }
+        return nodemailer.createTransport({
+            sendmail: true,
+            newline: "unix",
+            path: sendmailPath,
+        });
+    }
+    if (get(map, "system.mailService.smtp.enabled") === "true") {
+        const host = get(map, "system.mailService.smtp.host");
+        const portStr = get(map, "system.mailService.smtp.port");
+        const secure = get(map, "system.mailService.smtp.secure") === "true";
+        const authEnabled = get(map, "system.mailService.smtp.auth.enabled") === "true";
+        if (!host || !portStr) {
+            throw new Error("SMTP host and port are required.");
+        }
+        const port = parseInt(portStr, 10);
+        if (Number.isNaN(port)) {
+            throw new Error("SMTP port must be a number.");
+        }
+        const transportConfig = {
+            host,
+            port,
+            secure,
+        };
+        if (authEnabled) {
+            const user = get(map, "system.mailService.smtp.auth.user");
+            const pass = get(map, "system.mailService.smtp.auth.pass");
+            if (user && pass) {
+                transportConfig.auth = { user, pass };
+            }
+        }
+        return nodemailer.createTransport(transportConfig);
+    }
+    throw new Error("Neither sendmail nor SMTP is enabled for mail delivery.");
+}
+
+async function sendFixedTestMail(transport, { from, to }) {
+    if (!from || !to) {
+        throw new Error("From and to addresses are required.");
+    }
+    await transport.sendMail({
+        from,
+        to,
+        subject: TEST_MAIL_SUBJECT,
+        text: TEST_MAIL_TEXT,
+    });
+}
+
+function buildMailMapFromSettingsRows(rows) {
+    const map = {};
+    for (const row of rows || []) {
+        if (row.key && String(row.key).startsWith("system.mailService.")) {
+            map[row.key] =
+                row.value != null && row.value !== undefined ? String(row.value) : "";
+        }
+    }
+    return map;
+}
+
+module.exports = {
+    TEST_MAIL_SUBJECT,
+    TEST_MAIL_TEXT,
+    buildTransportFromMailSettings,
+    sendFixedTestMail,
+    buildMailMapFromSettingsRows,
+};

From 59bed6952e73758ae007d5ff051c4dbaddce611d Mon Sep 17 00:00:00 2001
From: Mohammad Elwan <mohammadsherifl11@gmail.com>
Date: Tue, 7 Apr 2026 12:49:52 +0200
Subject: [PATCH 32/73] feat : add setup config and test-mail endpoints

---
 backend/webserver/routes/setup.js | 43 ++++++++++++++++++++++++++++++-
 1 file changed, 42 insertions(+), 1 deletion(-)

diff --git a/backend/webserver/routes/setup.js b/backend/webserver/routes/setup.js
index 8b2708654..1ac8cb074 100644
--- a/backend/webserver/routes/setup.js
+++ b/backend/webserver/routes/setup.js
@@ -11,6 +11,7 @@
  * @param {import("../Server").Server} server
  */
 module.exports = function (server) {
+    const mailTest = require("../utils/mailTest.js");
     /**
      * GET /setup/config
      * Returns wizard config for first-time setup or re-run. needsSetup is true when no admin exists.
@@ -54,14 +55,54 @@ module.exports = function (server) {
 
             const wizardSettings = await server.db.models["setting"].getWizardSettings();
             const wizardSettingsByStep = await server.db.models["setting"].getWizardSettingsByStep();
+            const allSettings = await server.db.models["setting"].getAll(false);
 
-            return res.status(200).json({ needsSetup: true, steps, wizardSettings, wizardSettingsByStep });
+            return res.status(200).json({ needsSetup: true, steps, wizardSettings, wizardSettingsByStep, allSettings });
         } catch (err) {
             server.logger.error("GET /setup/config error: " + err);
             return res.status(500).json({ message: "Internal server error." });
         }
     });
 
+    /**
+     * POST /setup/test-mail
+     * Sends a fixed test message using mail settings from DB with optional body.settings overrides.
+     * Only allowed while needsSetup is true (no admin account).
+     */
+    server.app.post("/setup/test-mail", async function (req, res) {
+        try {
+            const admins = await server.db.models["user"].getUsersByRole("admin");
+            if (admins.length > 0) {
+                return res.status(403).json({ success: false, message: "Test mail is only available during initial setup." });
+            }
+
+            const to = req.body && req.body.to != null ? String(req.body.to).trim() : "";
+            if (!to || !/^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(to)) {
+                return res.status(400).json({ success: false, message: "A valid recipient email address is required." });
+            }
+
+            const rows = await server.db.models["setting"].getAll(false);
+            const baseMap = mailTest.buildMailMapFromSettingsRows(rows);
+            const overlay = req.body && req.body.settings && typeof req.body.settings === "object" && !Array.isArray(req.body.settings)
+                ? req.body.settings
+                : {};
+            const map = { ...baseMap };
+            for (const [k, v] of Object.entries(overlay)) {
+                if (k && String(k).startsWith("system.mailService.")) {
+                    map[String(k)] = v != null && v !== undefined ? String(v) : "";
+                }
+            }
+
+            const transport = mailTest.buildTransportFromMailSettings(map);
+            const from = map["system.mailService.senderAddress"] || "";
+            await mailTest.sendFixedTestMail(transport, { from, to });
+            return res.status(200).json({ success: true, message: "Test email sent." });
+        } catch (err) {
+            server.logger.error("POST /setup/test-mail error: " + err);
+            return res.status(400).json({ success: false, message: err?.message || "Failed to send test email." });
+        }
+    });
+
     /**
      * PATCH /setup/state
      * Updates wizard state in app_state.

From 8be802688921831e891174dc1196d1e395a5b5a5 Mon Sep 17 00:00:00 2001
From: Mohammad Elwan <mohammadsherifl11@gmail.com>
Date: Tue, 7 Apr 2026 12:55:30 +0200
Subject: [PATCH 33/73] feat : update setup wizard general step with download
 template and test email on mail step

---
 frontend/src/auth/SetupWizard.vue | 125 ++++++++++++++++++++++++++----
 1 file changed, 110 insertions(+), 15 deletions(-)

diff --git a/frontend/src/auth/SetupWizard.vue b/frontend/src/auth/SetupWizard.vue
index cc545facd..cfd0d725d 100644
--- a/frontend/src/auth/SetupWizard.vue
+++ b/frontend/src/auth/SetupWizard.vue
@@ -92,8 +92,8 @@
             <button
               class="btn btn-outline-secondary btn-sm"
               type="button"
-              :disabled="!wizardSettingsLoaded"
-              :title="wizardSettingsLoaded ? 'Download JSON with current wizard setting values' : 'Available after settings load'"
+              :disabled="!allSettingsLoaded"
+              :title="allSettingsLoaded ? 'Download JSON: full settings snapshot with current wizard values applied' : 'Available after settings load'"
               @click="downloadImportTemplate"
             >
               Download template
@@ -342,6 +342,43 @@
                 </div>
               </div>
             </div>
+
+            <div v-if="mailEnabled" class="border-top pt-3 mt-4">
+              <h6 class="step-group-heading text-muted border-bottom pb-1 mb-3">Send test email</h6>
+              <p class="small text-muted mb-2">
+                Sends a short fixed message so you can verify delivery before finishing setup.
+              </p>
+              <div class="form-group row my-2">
+                <label class="col-md-4 col-form-label text-md-right" for="setup-test-mail-to">Recipient</label>
+                <div class="col-md-6 d-flex flex-column flex-sm-row gap-2 align-items-sm-start">
+                  <input
+                    id="setup-test-mail-to"
+                    v-model="testMailTo"
+                    class="form-control"
+                    type="email"
+                    placeholder="you@example.com"
+                    autocomplete="email"
+                  />
+                  <button
+                    class="btn btn-outline-primary flex-shrink-0"
+                    type="button"
+                    :disabled="testMailSending || !testMailTo.trim()"
+                    @click="sendSetupTestMail"
+                  >
+                    <span
+                      v-if="testMailSending"
+                      class="spinner-border spinner-border-sm me-1"
+                      role="status"
+                      aria-hidden="true"
+                    />
+                    Send test email
+                  </button>
+                </div>
+              </div>
+              <p v-if="testMailMessage" class="small mb-0" :class="testMailError ? 'text-danger' : 'text-success'">
+                {{ testMailMessage }}
+              </p>
+            </div>
           </template>
 
           <div class="d-flex justify-content-between mt-4">
@@ -514,7 +551,7 @@
             <strong>skip the Mail and Registration steps</strong> (you can still review everything on the Summary).
           </p>
           <p class="small text-muted mb-3">
-            For a minimal example, use <strong>Download template</strong> on the General step, or export from Settings on an existing instance.
+            For a minimal example, use <strong>Download template</strong> on the General step (full settings snapshot with current wizard values), or export from Settings of an existing instance.
           </p>
           <input
             ref="jsonFileInput"
@@ -584,6 +621,13 @@ const SUBSECTION_ORDER = {
   registration: ["Enable registration", "Information requested at registration", "Consent options", "Email verification rate limit"],
 };
 
+function wizardValueToFormString(v) {
+  if (v === null || v === undefined) return "";
+  if (typeof v === "boolean") return v ? "true" : "false";
+  if (typeof v === "object") return JSON.stringify(v);
+  return String(v);
+}
+
 export default {
   name: "SetupWizard",
   components: { IconAsset, BasicEditor, EditorModal, Modal },
@@ -605,15 +649,19 @@ export default {
       showError: false,
       errorMessage: "",
       finishing: false,
+      allSettingsFromDb: null,
+      testMailTo: "",
+      testMailSending: false,
+      testMailMessage: "",
+      testMailError: false,
     };
   },
   computed: {
     isReRun() {
       return this.$route.query.reRun === "true";
     },
-    /** True once GET /setup/config has returned at least one wizard setting (enables template download). */
-    wizardSettingsLoaded() {
-      return Array.isArray(this.wizardSettings) && this.wizardSettings.length > 0;
+    allSettingsLoaded() {
+      return Array.isArray(this.allSettingsFromDb);
     },
     displaySteps() {
       const stepTypes = ["admin", "general", "mail", "registration", "summary"];
@@ -759,7 +807,7 @@ export default {
     if (config.data && config.data.wizardSettings) {
       this.wizardSettings = config.data.wizardSettings;
       this.formSettings = config.data.wizardSettings.reduce((acc, s) => {
-        acc[s.key] = s.value != null && s.value !== undefined ? String(s.value) : "";
+        acc[s.key] = wizardValueToFormString(s.value);
         return acc;
       }, {});
 
@@ -768,6 +816,9 @@ export default {
         this.formSettings["system.mailService.smtp.enabled"] = "false";
       }
     }
+    if (config.data && Array.isArray(config.data.allSettings)) {
+      this.allSettingsFromDb = config.data.allSettings;
+    }
     if (this.hasAdmin && this.$socket && !this.$socket.connected) {
       this.$socket.connect();
     }
@@ -939,17 +990,61 @@ export default {
       if (this.$refs.jsonFileInput) this.$refs.jsonFileInput.value = "";
       this.$refs.importModal.open();
     },
-    /**
-     * JSON template from current wizard settings (DB values for showInWizard keys), same shape as import.
-     */
     downloadImportTemplate() {
-      const flat = (this.wizardSettings || []).reduce((acc, s) => {
-        const v = s.value;
-        acc[s.key] = v === null || v === undefined ? "" : v;
-        return acc;
-      }, {});
+      const serialize = (v) => {
+        if (v === null || v === undefined) return "";
+        if (typeof v === "boolean") return v ? "true" : "false";
+        if (typeof v === "object") return JSON.stringify(v);
+        return String(v);
+      };
+      const flat = {};
+      for (const row of this.allSettingsFromDb || []) {
+        if (!row || !row.key) continue;
+        flat[row.key] = serialize(row.value);
+      }
+      for (const [k, v] of Object.entries(this.formSettings || {})) {
+        flat[k] = serialize(v);
+      }
       downloadObjectsAs(flat, "care-settings-template", "json");
     },
+    mailSettingsPayloadFromForm() {
+      const settings = {};
+      for (const [k, v] of Object.entries(this.formSettings || {})) {
+        if (k.startsWith("system.mailService.")) {
+          settings[k] = v === null || v === undefined ? "" : String(v);
+        }
+      }
+      return settings;
+    },
+    async sendSetupTestMail() {
+      const to = (this.testMailTo || "").trim();
+      if (!to) return;
+      this.testMailSending = true;
+      this.testMailMessage = "";
+      this.testMailError = false;
+      try {
+        const res = await axios.post(
+          getServerURL() + "/setup/test-mail",
+          { to, settings: this.mailSettingsPayloadFromForm() },
+          {
+            withCredentials: true,
+            validateStatus: (status) => status === 200 || (status >= 400 && status < 500),
+          }
+        );
+        if (res.status === 200 && res.data && res.data.success) {
+          this.testMailMessage = res.data.message || "Test email sent.";
+          this.testMailError = false;
+        } else {
+          this.testMailError = true;
+          this.testMailMessage = (res.data && res.data.message) || "Failed to send test email.";
+        }
+      } catch (err) {
+        this.testMailError = true;
+        this.testMailMessage = err?.response?.data?.message || err.message || "Failed to send test email.";
+      } finally {
+        this.testMailSending = false;
+      }
+    },
     onJsonFileChange(ev) {
       this.importFile = ev.target.files && ev.target.files[0] || null;
       this.importError = null;

From e1eabbbd20e69257a029e6f11daad0feb900ecc9 Mon Sep 17 00:00:00 2001
From: Mohammad Elwan <mohammadsherifl11@gmail.com>
Date: Tue, 7 Apr 2026 13:01:22 +0200
Subject: [PATCH 34/73] feat : add mail test area via settings section footer
 slot and switch setting descriptions to info help icon

---
 frontend/src/basic/form/Help.vue              | 15 +++--
 .../src/components/dashboard/Settings.vue     | 62 ++++++++++++++++++-
 .../dashboard/settings/SettingItem.vue        | 20 +++---
 .../dashboard/settings/SettingsSection.vue    |  1 +
 4 files changed, 80 insertions(+), 18 deletions(-)

diff --git a/frontend/src/basic/form/Help.vue b/frontend/src/basic/form/Help.vue
index 232d73c6b..d37a374a5 100644
--- a/frontend/src/basic/form/Help.vue
+++ b/frontend/src/basic/form/Help.vue
@@ -1,7 +1,8 @@
 <template>
   <span
     v-if="help"
-    class="btn btn-sm mt-0 pt-0"
+    class="btn btn-sm mt-0 pt-0 border-0"
+    :class="buttonClass"
     :title="help"
     ref="tooltip"
     data-bs-html="true"
@@ -10,15 +11,13 @@
   >
     <LoadIcon
       :size="16"
-      icon-name="question-square-fill"
+      :icon-name="iconName"
     />
   </span>
 </template>
 
 <script>
 import LoadIcon from "@/basic/Icon.vue";
-// as directive
-import { VBTooltip } from 'bootstrap-vue-3';
 
 /**
  * Show help icon with tooltip if help is provided.
@@ -34,6 +33,14 @@ export default {
       required: false,
       default: null,
     },
+    iconName: {
+      type: String,
+      default: "question-square-fill",
+    },
+    buttonClass: {
+      type: [String, Object, Array],
+      default: null,
+    },
   },
   mounted() {
     //new Tooltip(this.$refs.tooltip, {trigger: "click"});
diff --git a/frontend/src/components/dashboard/Settings.vue b/frontend/src/components/dashboard/Settings.vue
index fdc2c20b6..0960b0b08 100644
--- a/frontend/src/components/dashboard/Settings.vue
+++ b/frontend/src/components/dashboard/Settings.vue
@@ -71,7 +71,46 @@
               :title="section.title"
               :subsections="section.subsections"
               :settings="displaySettings"
-          />
+          >
+            <template v-if="section.title === 'Mail'" #footer>
+              <div class="border-top pt-3 mt-2">
+                <h6 class="step-group-heading text-muted border-bottom pb-1 mb-2">Send test email</h6>
+                <p class="small text-muted mb-2">
+                  Sends a short fixed message using the currently saved mail configuration.
+                </p>
+                <div class="form-group row my-2">
+                  <label class="col-md-4 col-form-label text-md-right" for="settings-test-mail-to">Recipient</label>
+                  <div class="col-md-6 d-flex flex-column flex-sm-row gap-2 align-items-sm-start">
+                    <input
+                        id="settings-test-mail-to"
+                        v-model="mailTestTo"
+                        class="form-control"
+                        type="email"
+                        placeholder="you@example.com"
+                        autocomplete="email"
+                    />
+                    <button
+                        class="btn btn-outline-primary flex-shrink-0"
+                        type="button"
+                        :disabled="mailTestSending || !mailTestTo.trim()"
+                        @click="sendMailTest"
+                    >
+                      <span
+                          v-if="mailTestSending"
+                          class="spinner-border spinner-border-sm me-1"
+                          role="status"
+                          aria-hidden="true"
+                      />
+                      Send test email
+                    </button>
+                  </div>
+                </div>
+                <p v-if="mailTestMessage" class="small mb-0" :class="mailTestError ? 'text-danger' : 'text-success'">
+                  {{ mailTestMessage }}
+                </p>
+              </div>
+            </template>
+          </SettingsSection>
         </div>
       </template>
     </Card>
@@ -182,6 +221,10 @@ export default {
       uploadFile: null,
       uploading: false,
       originalSettingsSnapshot: null,
+      mailTestTo: "",
+      mailTestSending: false,
+      mailTestMessage: "",
+      mailTestError: false,
     };
   },
   computed: {
@@ -298,6 +341,23 @@ export default {
       }
       this.originalSettingsSnapshot = JSON.stringify(this.settings);
     },
+    sendMailTest() {
+      const to = (this.mailTestTo || "").trim();
+      if (!to || !this.$socket) return;
+      this.mailTestSending = true;
+      this.mailTestMessage = "";
+      this.mailTestError = false;
+      this.$socket.emit("mailSendTest", { to }, (res) => {
+        this.mailTestSending = false;
+        if (res.success) {
+          this.mailTestError = false;
+          this.mailTestMessage = typeof res.data === "string" ? res.data : "Test email sent.";
+        } else {
+          this.mailTestError = true;
+          this.mailTestMessage = res.message || "Failed to send test email.";
+        }
+      });
+    },
     save() {
       this.$socket.emit("settingSave", this.settings, (res) => {
         if (res.success) {
diff --git a/frontend/src/components/dashboard/settings/SettingItem.vue b/frontend/src/components/dashboard/settings/SettingItem.vue
index 1b6ba7f25..845363be2 100644
--- a/frontend/src/components/dashboard/settings/SettingItem.vue
+++ b/frontend/src/components/dashboard/settings/SettingItem.vue
@@ -7,19 +7,13 @@
     >
       <div class="d-inline-flex align-items-center gap-1 flex-wrap justify-content-md-end">
         <span>{{ setting.displayName || setting.key }}</span>
-        <span
+        <FormHelp
           v-if="setting.description"
-          class="text-muted flex-shrink-0"
-          aria-hidden="true"
-        >
-          <LoadIcon icon-name="info-circle" :size="14" />
-        </span>
+          :help="setting.description"
+          icon-name="info-circle"
+          button-class="text-muted flex-shrink-0"
+        />
       </div>
-      <div
-        v-if="setting.description"
-        class="small text-muted mt-1 fw-normal text-break"
-        v-html="setting.description"
-      />
     </label>
     <div class="col-md-6 d-flex align-items-start">
       <template v-if="setting.type === 'edits'">
@@ -54,7 +48,7 @@
 
 <script>
 import EditorModal from "@/basic/editor/Modal.vue";
-import LoadIcon from "@/basic/Icon.vue";
+import FormHelp from "@/basic/form/Help.vue";
 
 /**
  * SettingItem - Renders a single setting row (label + input).
@@ -62,7 +56,7 @@ import LoadIcon from "@/basic/Icon.vue";
  */
 export default {
   name: "SettingItem",
-  components: { EditorModal, LoadIcon },
+  components: { EditorModal, FormHelp },
   props: {
     setting: {
       type: Object,
diff --git a/frontend/src/components/dashboard/settings/SettingsSection.vue b/frontend/src/components/dashboard/settings/SettingsSection.vue
index 87bb54609..6d88f687f 100644
--- a/frontend/src/components/dashboard/settings/SettingsSection.vue
+++ b/frontend/src/components/dashboard/settings/SettingsSection.vue
@@ -36,6 +36,7 @@
           </div>
         </div>
       </template>
+      <slot name="footer" />
     </div>
   </div>
 </template>

From 26e219976aaf48ad7cc1a144094a50ca5d9fc1e5 Mon Sep 17 00:00:00 2001
From: Mohammad Elwan <mohammadsherifl11@gmail.com>
Date: Tue, 7 Apr 2026 13:02:25 +0200
Subject: [PATCH 35/73] fix : sync editor modal inner state from model value
 using immediate watcher

---
 frontend/src/basic/editor/Modal.vue | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/frontend/src/basic/editor/Modal.vue b/frontend/src/basic/editor/Modal.vue
index 162985a8f..5f04ae72e 100644
--- a/frontend/src/basic/editor/Modal.vue
+++ b/frontend/src/basic/editor/Modal.vue
@@ -42,15 +42,15 @@ export default {
     }
   },
   watch: {
+    modelValue: {
+      immediate: true,
+      handler() {
+        this.currentData = this.modelValue ?? "";
+      },
+    },
     currentData() {
       this.$emit("update:modelValue", this.currentData);
     },
-    modelValue() {
-      this.currentData = this.modelValue;
-    },
-  },
-  mounted() {
-    this.currentData = this.modelValue;
   },
   methods: {
     open() {

From dc87a7f3b547ffe78303c0c09a3a9ea126c0310c Mon Sep 17 00:00:00 2001
From: Mohammad Elwan <mohammadsherifl11@gmail.com>
Date: Sun, 19 Apr 2026 17:27:40 +0200
Subject: [PATCH 36/73] refactor : use basicbutton and btn-group for import
 settings modal

---
 frontend/src/auth/SetupWizard.vue             | 37 ++++++++-----------
 .../src/components/dashboard/Settings.vue     | 36 +++++++-----------
 2 files changed, 29 insertions(+), 44 deletions(-)

diff --git a/frontend/src/auth/SetupWizard.vue b/frontend/src/auth/SetupWizard.vue
index cfd0d725d..c35aedcfd 100644
--- a/frontend/src/auth/SetupWizard.vue
+++ b/frontend/src/auth/SetupWizard.vue
@@ -563,28 +563,20 @@
           <p v-if="importError" class="text-danger small mt-2 mb-0">{{ importError }}</p>
         </template>
         <template #footer>
-          <button
-            class="btn btn-secondary me-2"
-            type="button"
-            :disabled="importing"
-            @click="$refs.importModal.close()"
-          >
-            Close
-          </button>
-          <button
-            class="btn btn-primary"
-            type="button"
-            :disabled="!importFile || importing"
-            @click="confirmImport"
-          >
-            <span
-              v-if="importing"
-              class="spinner-border spinner-border-sm me-1"
-              role="status"
-              aria-hidden="true"
+          <span class="btn-group">
+            <BasicButton
+              class="btn btn-secondary"
+              title="Close"
+              :disabled="importing"
+              @click="$refs.importModal.close()"
             />
-            Import
-          </button>
+            <BasicButton
+              class="btn btn-primary"
+              :title="importing ? 'Importing…' : 'Import'"
+              :disabled="!importFile || importing"
+              @click="confirmImport"
+            />
+          </span>
         </template>
       </Modal>
     </div>
@@ -599,6 +591,7 @@
  * @author CARE
  */
 import IconAsset from "@/basic/icon/IconAsset.vue";
+import BasicButton from "@/basic/Button.vue";
 import BasicEditor from "@/basic/editor/Editor.vue";
 import EditorModal from "@/basic/editor/Modal.vue";
 import Modal from "@/basic/Modal.vue";
@@ -630,7 +623,7 @@ function wizardValueToFormString(v) {
 
 export default {
   name: "SetupWizard",
-  components: { IconAsset, BasicEditor, EditorModal, Modal },
+  components: { IconAsset, BasicButton, BasicEditor, EditorModal, Modal },
   data() {
     return {
       currentStep: 0,
diff --git a/frontend/src/components/dashboard/Settings.vue b/frontend/src/components/dashboard/Settings.vue
index 0960b0b08..c628289cd 100644
--- a/frontend/src/components/dashboard/Settings.vue
+++ b/frontend/src/components/dashboard/Settings.vue
@@ -144,28 +144,20 @@
       </template>
 
       <template #footer>
-        <button
-            class="btn btn-secondary me-2"
-            type="button"
-            :disabled="uploading"
-            @click="$refs.settingsUploadModal.close()"
-        >
-          Close
-        </button>
-        <button
-            class="btn btn-primary"
-            type="button"
-            :disabled="!uploadFile || uploading"
-            @click="importSettings"
-        >
-          <span
-              v-if="uploading"
-              class="spinner-border spinner-border-sm me-1"
-              role="status"
-              aria-hidden="true"
-          ></span>
-          Import
-        </button>
+        <span class="btn-group">
+          <BasicButton
+              class="btn btn-secondary"
+              title="Close"
+              :disabled="uploading"
+              @click="$refs.settingsUploadModal.close()"
+          />
+          <BasicButton
+              class="btn btn-primary"
+              :title="uploading ? 'Importing…' : 'Import'"
+              :disabled="!uploadFile || uploading"
+              @click="importSettings"
+          />
+        </span>
       </template>
     </Modal>
   </div>

From a7d5fa65bd256872fa51a9c4649ca2722420b836 Mon Sep 17 00:00:00 2001
From: Mohammad Elwan <mohammadsherifl11@gmail.com>
Date: Sun, 19 Apr 2026 19:05:11 +0200
Subject: [PATCH 37/73] refactor : extract initial admin creation into shared
 helper

---
 backend/webserver/routes/auth.js      |  87 ++++------------------
 backend/webserver/utils/setupAdmin.js | 101 ++++++++++++++++++++++++++
 2 files changed, 115 insertions(+), 73 deletions(-)
 create mode 100644 backend/webserver/utils/setupAdmin.js

diff --git a/backend/webserver/routes/auth.js b/backend/webserver/routes/auth.js
index ffa2807c7..1c940c9d9 100644
--- a/backend/webserver/routes/auth.js
+++ b/backend/webserver/routes/auth.js
@@ -8,6 +8,7 @@
  */
 const passport = require('passport');
 const { generateToken, decodeToken, relevantFields } = require('../../utils/auth');
+const { createInitialAdmin } = require('../utils/setupAdmin');
 
 /**
  * Route for user management
@@ -169,84 +170,24 @@ module.exports = function (server) {
                 return res.status(403).json({ message: 'An admin account already exists.' });
             }
 
-            if (!userName || (typeof userName === 'string' && !userName.trim())) {
-                return res.status(400).json({ message: 'Please provide a user name.' });
-            }
-            const existingByName = await server.db.models['user'].getUserIdByName(userName);
-            if (existingByName !== 0) {
-                return res.status(400).json({ message: 'Username already taken.' });
-            }
-
-            if (!email || (typeof email === 'string' && !email.trim())) {
-                return res.status(400).json({ message: 'Please provide an email.' });
-            }
-            const emailRegex = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;
-            if (!emailRegex.test(email)) {
-                return res.status(400).json({ message: 'Please provide a valid email.' });
-            }
-            const existingByEmail = await server.db.models['user'].getUserIdByEmail(email);
-            if (existingByEmail !== 0) {
-                return res.status(400).json({ message: 'E-Mail already taken.' });
-            }
-
-            if (!password || (typeof password === 'string' && password.length < 8)) {
-                return res.status(400).json({ message: 'Password does not meet requirements (min 8 characters).' });
-            }
-
-            const User = server.db.models['user'];
-            const Configuration = server.db.models['configuration'];
-            const { Op } = server.db.Sequelize;
-
-            const EXPOSE_CONFIG_NAMES = [
-                'Exposé assessment configuration',
-                'Exposé feedback configuration',
-                'UKP Exposé Submission Validator',
-                'Exposé assessment configuration (German)',
-                'Exposé feedback configuration (German)',
-            ];
-            const BOT_USER_ID = 2;
-
-            const transaction = await User.sequelize.transaction();
+            let user;
             try {
-                const user = await User.add(
-                    {
-                        userName: userName.trim(),
-                        email: email.trim(),
-                        password,
-                        firstName: userName.trim(),
-                        lastName: 'User',
-                        acceptTerms: true,
-                        acceptStats: true,
-                        emailVerified: true,
-                    },
-                    { transaction, context: { userRoles: 'admin' } }
-                );
-
-                await Configuration.update(
-                    { userId: user.id },
-                    {
-                        where: {
-                            name: { [Op.in]: EXPOSE_CONFIG_NAMES },
-                            userId: BOT_USER_ID,
-                        },
-                        transaction,
-                    }
-                );
-
-                await transaction.commit();
-
-                req.logIn(user, function (err) {
-                    if (err) {
-                        server.logger.error('setup-admin logIn error: ' + err);
-                        return res.status(500).json({ message: 'Failed to complete setup.' });
-                    }
-                    return res.status(200).json({ user: relevantFields(user) });
-                });
+                user = await createInitialAdmin(server, { userName, email, password });
             } catch (err) {
-                await transaction.rollback();
+                if (err && err.statusCode === 400) {
+                    return res.status(400).json({ message: err.message });
+                }
                 server.logger.error('Cannot create setup admin: ' + err);
                 return res.status(400).json({ message: 'Failed to create admin.', error: err.message });
             }
+
+            req.logIn(user, function (err) {
+                if (err) {
+                    server.logger.error('setup-admin logIn error: ' + err);
+                    return res.status(500).json({ message: 'Failed to complete setup.' });
+                }
+                return res.status(200).json({ user: relevantFields(user) });
+            });
         } catch (err) {
             server.logger.error('setup-admin error: ' + err);
             return res.status(500).json({ message: 'Internal server error.' });
diff --git a/backend/webserver/utils/setupAdmin.js b/backend/webserver/utils/setupAdmin.js
new file mode 100644
index 000000000..67cf00bac
--- /dev/null
+++ b/backend/webserver/utils/setupAdmin.js
@@ -0,0 +1,101 @@
+'use strict';
+
+/**
+ * Shared helper for creating the first admin account, used by the wizard route
+ * (POST /auth/setup-admin) and the dev admin setup (see devAdmin.js).
+ */
+
+/**
+ * Build a validation error tagged with statusCode=400 so HTTP callers can map it
+ * to a client error without inspecting the message.
+ * @param {string} message
+ * @returns {Error}
+ */
+function validationError(message) {
+    const err = new Error(message);
+    err.statusCode = 400;
+    return err;
+}
+
+/**
+ * Create the first admin account and reassign the 5 Exposé configurations from
+ * Bot (userId=2) to the new admin in a single transaction.
+ *
+ * @param {Server} server main server instance
+ * @param {{userName: string, email: string, password: string}} input
+ * @returns {Promise<object>} created user
+ */
+async function createInitialAdmin(server, { userName, email, password }) {
+    if (!userName || (typeof userName === 'string' && !userName.trim())) {
+        throw validationError('Please provide a user name.');
+    }
+    const existingByName = await server.db.models['user'].getUserIdByName(userName);
+    if (existingByName !== 0) {
+        throw validationError('Username already taken.');
+    }
+
+    if (!email || (typeof email === 'string' && !email.trim())) {
+        throw validationError('Please provide an email.');
+    }
+    const emailRegex = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;
+    if (!emailRegex.test(email)) {
+        throw validationError('Please provide a valid email.');
+    }
+    const existingByEmail = await server.db.models['user'].getUserIdByEmail(email);
+    if (existingByEmail !== 0) {
+        throw validationError('E-Mail already taken.');
+    }
+
+    if (!password || (typeof password === 'string' && password.length < 8)) {
+        throw validationError('Password does not meet requirements (min 8 characters).');
+    }
+
+    const User = server.db.models['user'];
+    const Configuration = server.db.models['configuration'];
+    const { Op } = server.db.Sequelize;
+
+    const EXPOSE_CONFIG_NAMES = [
+        'Exposé assessment configuration',
+        'Exposé feedback configuration',
+        'UKP Exposé Submission Validator',
+        'Exposé assessment configuration (German)',
+        'Exposé feedback configuration (German)',
+    ];
+    const BOT_USER_ID = 2;
+
+    const transaction = await User.sequelize.transaction();
+    try {
+        const user = await User.add(
+            {
+                userName: userName.trim(),
+                email: email.trim(),
+                password,
+                firstName: userName.trim(),
+                lastName: 'User',
+                acceptTerms: true,
+                acceptStats: true,
+                emailVerified: true,
+            },
+            { transaction, context: { userRoles: 'admin' } }
+        );
+
+        await Configuration.update(
+            { userId: user.id },
+            {
+                where: {
+                    name: { [Op.in]: EXPOSE_CONFIG_NAMES },
+                    userId: BOT_USER_ID,
+                },
+                transaction,
+            }
+        );
+
+        await transaction.commit();
+        return user;
+    } catch (err) {
+        await transaction.rollback();
+        throw err;
+    }
+}
+
+module.exports = { createInitialAdmin };

From 527b6919d3c5d837c1f7c76a406a6d615ddd0a98 Mon Sep 17 00:00:00 2001
From: Mohammad Elwan <mohammadsherifl11@gmail.com>
Date: Sun, 19 Apr 2026 19:06:29 +0200
Subject: [PATCH 38/73] feat : add dev admin setup to skip wizard on boot

---
 backend/webserver/Server.js         |  2 ++
 backend/webserver/utils/devAdmin.js | 44 +++++++++++++++++++++++++++++
 2 files changed, 46 insertions(+)
 create mode 100644 backend/webserver/utils/devAdmin.js

diff --git a/backend/webserver/Server.js b/backend/webserver/Server.js
index a0f2b8be1..d8e1aa934 100644
--- a/backend/webserver/Server.js
+++ b/backend/webserver/Server.js
@@ -20,6 +20,7 @@ const Service = require(path.resolve(__dirname, "./Service.js"));
 const RPC = require(path.resolve(__dirname,"./RPC.js"));
 const statsScheduler = require('../db/stats');
 const nodemailer = require('nodemailer');
+const { setupDevAdmin } = require('./utils/devAdmin');
 
 /**
  * Defines Express Webserver of Content Server
@@ -93,6 +94,7 @@ module.exports = class Server {
                 this.logger.warn("Mail server not available!");
             }
         });
+        Promise.resolve(setupDevAdmin(this));
         this.#initWebsocketServer();
         this.#discoverComponents("./rpcs", RPC, this.addRPC.bind(this));
         this.#discoverComponents("./sockets", Socket, this.addSocket.bind(this));
diff --git a/backend/webserver/utils/devAdmin.js b/backend/webserver/utils/devAdmin.js
new file mode 100644
index 000000000..f9c5f2087
--- /dev/null
+++ b/backend/webserver/utils/devAdmin.js
@@ -0,0 +1,44 @@
+"use strict";
+
+const { createInitialAdmin } = require("./setupAdmin");
+
+/**
+ * Set up a dev admin from ADMIN_EMAIL/ADMIN_PWD and mark the setup wizard
+ * complete, skipping the first-time wizard. Active only when DEV_SKIP_WIZARD=true
+ * and NODE_ENV !== "production". No-op if an admin already exists.
+ *
+ * @param {Server} server 
+ * @returns {Promise<void>}
+ */
+async function setupDevAdmin(server) {
+    if (process.env.DEV_SKIP_WIZARD !== "true") {
+        return;
+    }
+    if (process.env.NODE_ENV === "production") {
+        server.logger.warn("DEV_SKIP_WIZARD ignored: NODE_ENV=production");
+        return;
+    }
+
+    try {
+        const admins = await server.db.models["user"].getUsersByRole("admin");
+        if (admins.length > 0) {
+            return;
+        }
+
+        const email = process.env.ADMIN_EMAIL;
+        const password = process.env.ADMIN_PWD;
+        if (!email || !password) {
+            server.logger.warn("DEV_SKIP_WIZARD set but ADMIN_EMAIL/ADMIN_PWD are missing.");
+            return;
+        }
+
+        await createInitialAdmin(server, { userName: "admin", email, password });
+        await server.db.models["app_state"].set("setup.wizardCompleted", "true");
+
+        server.logger.info(`DEV_SKIP_WIZARD: created admin <${email}> and marked wizard complete.`);
+    } catch (err) {
+        server.logger.error("DEV_SKIP_WIZARD failed: " + (err && err.message ? err.message : err));
+    }
+}
+
+module.exports = { setupDevAdmin };

From b8b26c4e1a876386805a85233ec96530443f8c47 Mon Sep 17 00:00:00 2001
From: Mohammad Elwan <mohammadsherifl11@gmail.com>
Date: Sun, 19 Apr 2026 19:13:56 +0200
Subject: [PATCH 39/73] chore : add make dev-no-wizard

---
 Makefile | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/Makefile b/Makefile
index 89aa5a36c..e8e846312 100644
--- a/Makefile
+++ b/Makefile
@@ -12,6 +12,7 @@ default: help
 help:
 	@echo "make help             		 		Show this help message"
 	@echo "make dev             		  		Run in development mode (only unix)"
+	@echo "make dev-no-wizard   		  		Run dev mode and skip the first-time setup wizard"
 	@echo "make doc 							Build the documentation"
 	@echo "make dev-build       		  		Build the frontend (make dev-build-frontend) and run the backend in development mode"
 	@echo "make dev-backend      		 		Run backend in development mode"
@@ -80,6 +81,10 @@ init: modules db
 dev: frontend/node_modules/.uptodate backend/node_modules/.uptodate
 	cd frontend && npm run frontend-dev & cd backend && npm run start
 
+.PHONY: dev-no-wizard
+dev-no-wizard:
+	DEV_SKIP_WIZARD=true $(MAKE) dev
+
 .PHONY: dev-frontend
 dev-frontend: frontend/node_modules/.uptodate
 	cd frontend && npm run frontend-dev

From e7808060d726e9fb816facbd805ef3cabf080445 Mon Sep 17 00:00:00 2001
From: Mohammad Elwan <mohammadsherifl11@gmail.com>
Date: Sun, 19 Apr 2026 19:15:06 +0200
Subject: [PATCH 40/73] refactor : remove unused rerun wizard parameter

---
 backend/webserver/routes/setup.js | 35 +++++++++----------------------
 frontend/src/auth/SetupWizard.vue |  8 ++-----
 2 files changed, 12 insertions(+), 31 deletions(-)

diff --git a/backend/webserver/routes/setup.js b/backend/webserver/routes/setup.js
index 1ac8cb074..7084c5fcb 100644
--- a/backend/webserver/routes/setup.js
+++ b/backend/webserver/routes/setup.js
@@ -1,7 +1,7 @@
 /**
  * Setup wizard routes. GET /setup/config returns needsSetup, steps, wizardSettings, and
- * wizardSettingsByStep when no admin exists (first-time setup) or when ?reRun=true with an
- * authenticated admin (re-run wizard). When setup is not needed, returns empty steps and settings.
+ * wizardSettingsByStep while initial setup is in progress. Once an admin exists and the
+ * wizard is marked complete, returns empty steps and settings.
  *
  * @author Mohammad Elwan
  */
@@ -14,34 +14,19 @@ module.exports = function (server) {
     const mailTest = require("../utils/mailTest.js");
     /**
      * GET /setup/config
-     * Returns wizard config for first-time setup or re-run. needsSetup is true when no admin exists.
-     * When setup is needed (or reRun=true with an admin): steps, wizardSettings,
-     * and wizardSettingsByStep (grouped by general, mail, registration). Moodle fields appear in the General wizard step in the UI.
-     * When setup is not needed: empty steps and wizardSettings.
+     * Returns wizard config while initial setup is in progress: needsSetup is true when no
+     * admin exists; steps, wizardSettings, and wizardSettingsByStep (grouped by general,
+     * mail, registration) are returned until app_state.setup.wizardCompleted is true.
+     * Moodle fields appear in the General wizard step in the UI. When setup is fully
+     * complete, returns empty steps and wizardSettings.
      */
     server.app.get("/setup/config", async function (req, res) {
         try {
             const admins = await server.db.models["user"].getUsersByRole("admin");
             const needsSetup = admins.length === 0;
+            const wizardCompleted = (await server.db.models["app_state"].get("setup.wizardCompleted")) === "true";
 
-            // reRun=true: admin only; return steps, wizardSettings, wizardSettingsByStep for re-run.
-            if (req.query.reRun === "true" && req.user) {
-                const isAdmin = admins.some((a) => a.id === req.user.id);
-                if (isAdmin) {
-                    const WizardStep = server.db.models["wizard_step"];
-                    const steps = await WizardStep.findAll({
-                        where: { deleted: false },
-                        order: [["order", "ASC"]],
-                        attributes: ["key", "title", "description", "type", "order"],
-                        raw: true,
-                    });
-                    const wizardSettings = await server.db.models["setting"].getWizardSettings();
-                    const wizardSettingsByStep = await server.db.models["setting"].getWizardSettingsByStep();
-                    return res.status(200).json({ needsSetup: false, steps, wizardSettings, wizardSettingsByStep });
-                }
-            }
-
-            if (!needsSetup) {
+            if (!needsSetup && wizardCompleted) {
                 return res.status(200).json({ needsSetup: false, steps: [], wizardSettings: [] });
             }
 
@@ -57,7 +42,7 @@ module.exports = function (server) {
             const wizardSettingsByStep = await server.db.models["setting"].getWizardSettingsByStep();
             const allSettings = await server.db.models["setting"].getAll(false);
 
-            return res.status(200).json({ needsSetup: true, steps, wizardSettings, wizardSettingsByStep, allSettings });
+            return res.status(200).json({ needsSetup, steps, wizardSettings, wizardSettingsByStep, allSettings });
         } catch (err) {
             server.logger.error("GET /setup/config error: " + err);
             return res.status(500).json({ message: "Internal server error." });
diff --git a/frontend/src/auth/SetupWizard.vue b/frontend/src/auth/SetupWizard.vue
index c35aedcfd..07e67852a 100644
--- a/frontend/src/auth/SetupWizard.vue
+++ b/frontend/src/auth/SetupWizard.vue
@@ -650,9 +650,6 @@ export default {
     };
   },
   computed: {
-    isReRun() {
-      return this.$route.query.reRun === "true";
-    },
     allSettingsLoaded() {
       return Array.isArray(this.allSettingsFromDb);
     },
@@ -780,7 +777,7 @@ export default {
     const check = await axios.get(getServerURL() + "/auth/check", { withCredentials: true });
     this.hasAdmin = !!(check.data && check.data.user);
 
-    if (check.data.user && !this.isReRun) {
+    if (check.data.user) {
       if (check.data.wizardCompleted) {
         await this.$router.push("/dashboard");
         return;
@@ -792,8 +789,7 @@ export default {
       return;
     }
 
-    const url = (this.hasAdmin || this.isReRun) ? getServerURL() + "/setup/config?reRun=true" : getServerURL() + "/setup/config";
-    const config = await axios.get(url, { withCredentials: true });
+    const config = await axios.get(getServerURL() + "/setup/config", { withCredentials: true });
     if (config.data && config.data.steps) {
       this.steps = config.data.steps;
     }

From d5a5c2a4bba4a43f0727a21ca9c754805bc5b25f Mon Sep 17 00:00:00 2001
From: Mohammad Elwan <mohammadsherifl11@gmail.com>
Date: Sun, 19 Apr 2026 19:15:19 +0200
Subject: [PATCH 41/73] fix : redirect /wizard to home when setup is complete

---
 frontend/src/router.js | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/frontend/src/router.js b/frontend/src/router.js
index b78c7a80b..3131b8d41 100644
--- a/frontend/src/router.js
+++ b/frontend/src/router.js
@@ -98,7 +98,17 @@ const router = VueRouter.createRouter({
  * so they cannot bypass it by typing /dashboard, /login, etc.
  */
 router.beforeEach(async (to, from, next) => {
-    if (to.path === "/wizard") return next();
+    if (to.path === "/wizard") {
+        try {
+            const r = await fetch(getServerURL() + "/auth/check", { credentials: "include" });
+            if (!r.ok) return next({ path: "/" });
+            const d = await r.json();
+            if (d.needsSetup === true) return next();
+            if (d.user && d.wizardCompleted === false) return next();
+            return next({ path: "/" });
+        } catch (_) {}
+        return next();
+    }
     if (!to.meta.requireAuth && !to.meta.checkLogin) return next();
     try {
         const r = await fetch(getServerURL() + "/auth/check", { credentials: "include" });

From dcc0f7a8e713b27f87cc6fd4fe8eb8bb0ec97d78 Mon Sep 17 00:00:00 2001
From: Mohammad Elwan <mohammadsherifl11@gmail.com>
Date: Sun, 19 Apr 2026 21:09:19 +0200
Subject: [PATCH 42/73] feat: add migration for new settings display metadata

---
 ...end-setting-displayName-email_templates.js | 72 +++++++++++++++++++
 1 file changed, 72 insertions(+)
 create mode 100644 backend/db/migrations/20260419183159-extend-setting-displayName-email_templates.js

diff --git a/backend/db/migrations/20260419183159-extend-setting-displayName-email_templates.js b/backend/db/migrations/20260419183159-extend-setting-displayName-email_templates.js
new file mode 100644
index 000000000..8915c0d16
--- /dev/null
+++ b/backend/db/migrations/20260419183159-extend-setting-displayName-email_templates.js
@@ -0,0 +1,72 @@
+'use strict';
+
+/**
+ * Set displayName, displayGroup, and displaySubsection for settings whose rows are
+ * created or extended after extend-setting-displayName (email templates including
+ * twoFactorOtp / passwordResetSuccess, logo, external auth / 2FA).
+ *
+ * @type {import('sequelize-cli').Migration}
+ */
+
+const UPDATES = [
+    { key: 'email.template.passwordReset', displayName: 'Password reset email', displayGroup: 'Mail', displaySubsection: 'Email templates' },
+    { key: 'email.template.verification', displayName: 'Email verification', displayGroup: 'Mail', displaySubsection: 'Email templates' },
+    { key: 'email.template.registration', displayName: 'Registration welcome email', displayGroup: 'Mail', displaySubsection: 'Email templates' },
+    { key: 'email.template.sessionStart', displayName: 'Study session start email', displayGroup: 'Mail', displaySubsection: 'Email templates' },
+    { key: 'email.template.sessionFinish', displayName: 'Study session finish email', displayGroup: 'Mail', displaySubsection: 'Email templates' },
+    { key: 'email.template.assignment', displayName: 'Assignment notification email', displayGroup: 'Mail', displaySubsection: 'Email templates' },
+    { key: 'email.template.studyClosed', displayName: 'Study closed email', displayGroup: 'Mail', displaySubsection: 'Email templates' },
+    { key: 'email.template.twoFactorOtp', displayName: 'Two-factor OTP email', displayGroup: 'Mail', displaySubsection: 'Email templates' },
+    { key: 'email.template.passwordResetSuccess', displayName: 'Password reset success email', displayGroup: 'Mail', displaySubsection: 'Email templates' },
+
+    { key: 'logo.reBgColor', displayName: 'Logo RE section background colour', displayGroup: 'Interface', displaySubsection: 'Branding' },
+
+    { key: 'system.auth.orcid.enabled', displayName: 'Enable ORCID login', displayGroup: 'General', displaySubsection: 'ORCID login' },
+    { key: 'system.auth.orcid.clientId', displayName: 'ORCID client ID', displayGroup: 'General', displaySubsection: 'ORCID login' },
+    { key: 'system.auth.orcid.clientSecret', displayName: 'ORCID client secret', displayGroup: 'General', displaySubsection: 'ORCID login' },
+    { key: 'system.auth.orcid.callbackUrl', displayName: 'ORCID callback URL', displayGroup: 'General', displaySubsection: 'ORCID login' },
+    { key: 'system.auth.orcid.sandbox', displayName: 'ORCID sandbox mode', displayGroup: 'General', displaySubsection: 'ORCID login' },
+
+    { key: 'system.auth.ldap.enabled', displayName: 'Enable LDAP login', displayGroup: 'General', displaySubsection: 'LDAP login' },
+    { key: 'system.auth.ldap.url', displayName: 'LDAP server URL', displayGroup: 'General', displaySubsection: 'LDAP login' },
+    { key: 'system.auth.ldap.bindDN', displayName: 'LDAP bind DN', displayGroup: 'General', displaySubsection: 'LDAP login' },
+    { key: 'system.auth.ldap.bindCredentials', displayName: 'LDAP bind password', displayGroup: 'General', displaySubsection: 'LDAP login' },
+    { key: 'system.auth.ldap.searchBase', displayName: 'LDAP search base', displayGroup: 'General', displaySubsection: 'LDAP login' },
+    { key: 'system.auth.ldap.searchFilter', displayName: 'LDAP search filter', displayGroup: 'General', displaySubsection: 'LDAP login' },
+
+    { key: 'system.auth.saml.enabled', displayName: 'Enable SAML login', displayGroup: 'General', displaySubsection: 'SAML login' },
+    { key: 'system.auth.saml.entryPoint', displayName: 'SAML IdP entry point', displayGroup: 'General', displaySubsection: 'SAML login' },
+    { key: 'system.auth.saml.issuer', displayName: 'SAML SP issuer', displayGroup: 'General', displaySubsection: 'SAML login' },
+    { key: 'system.auth.saml.cert', displayName: 'SAML IdP certificate', displayGroup: 'General', displaySubsection: 'SAML login' },
+    { key: 'system.auth.saml.callbackUrl', displayName: 'SAML callback URL', displayGroup: 'General', displaySubsection: 'SAML login' },
+
+    { key: 'system.auth.local.2fa.required', displayName: 'Require 2FA for local login', displayGroup: 'General', displaySubsection: 'Two-factor authentication' },
+    { key: 'system.auth.orcid.2fa.required', displayName: 'Require 2FA for ORCID login', displayGroup: 'General', displaySubsection: 'Two-factor authentication' },
+    { key: 'system.auth.ldap.2fa.required', displayName: 'Require 2FA for LDAP login', displayGroup: 'General', displaySubsection: 'Two-factor authentication' },
+    { key: 'system.auth.saml.2fa.required', displayName: 'Require 2FA for SAML login', displayGroup: 'General', displaySubsection: 'Two-factor authentication' },
+
+    { key: 'system.auth.redirect.baseUrl', displayName: 'Frontend base URL for auth redirects', displayGroup: 'General', displaySubsection: 'Auth redirects' },
+];
+
+module.exports = {
+    async up(queryInterface, Sequelize) {
+        const now = new Date();
+        for (const u of UPDATES) {
+            await queryInterface.sequelize.query(
+                `UPDATE setting SET "displayName" = :dn, "displayGroup" = :dg, "displaySubsection" = :ds, "updatedAt" = :now WHERE key = :k`,
+                { replacements: { dn: u.displayName, dg: u.displayGroup, ds: u.displaySubsection, k: u.key, now } }
+            );
+        }
+    },
+
+    async down(queryInterface, Sequelize) {
+        const now = new Date();
+        const keys = UPDATES.map((u) => u.key);
+        for (const k of keys) {
+            await queryInterface.sequelize.query(
+                `UPDATE setting SET "displayName" = NULL, "displayGroup" = NULL, "displaySubsection" = NULL, "updatedAt" = :now WHERE key = :k`,
+                { replacements: { k, now } }
+            );
+        }
+    },
+};

From 4d378837dd03f4054a311bd57620e137986cb2eb Mon Sep 17 00:00:00 2001
From: Mohammad Elwan <mohammadsherifl11@gmail.com>
Date: Sun, 19 Apr 2026 21:09:45 +0200
Subject: [PATCH 43/73] feat: extend dashboard settings subsection ordering

---
 frontend/src/components/dashboard/Settings.vue | 16 +++++++++++++---
 1 file changed, 13 insertions(+), 3 deletions(-)

diff --git a/frontend/src/components/dashboard/Settings.vue b/frontend/src/components/dashboard/Settings.vue
index a105e0410..6872a7ef6 100644
--- a/frontend/src/components/dashboard/Settings.vue
+++ b/frontend/src/components/dashboard/Settings.vue
@@ -185,12 +185,22 @@ import ChangeUserSettingsModal from "@/components/dashboard/settings/ChangeUserS
  * Order of subsections within each section (for display).
  */
 const SUBSECTION_ORDER = {
-  general: ["Copyright and consent", "Login options", "Study mode", "Landing page links"],
-  mail: ["Mail service", "Sendmail", "SMTP", "Base URL and verification"],
+  general: [
+    "Copyright and consent",
+    "Login options",
+    "Study mode",
+    "Landing page links",
+    "ORCID login",
+    "LDAP login",
+    "SAML login",
+    "Two-factor authentication",
+    "Auth redirects",
+  ],
+  mail: ["Mail service", "Sendmail", "SMTP", "Base URL and verification", "Email templates"],
   registration: ["Enable registration", "Information requested at registration", "Consent options", "Terms and conditions", "Email verification rate limit"],
   moodle: ["Connection", "Course", "Show inputs"],
   annotations: ["Comments", "Download", "NLP in annotations", "Sidebar"],
-  interface: ["Navigation and dashboard", "Projects", "Statistics and tags"],
+  interface: ["Navigation and dashboard", "Branding", "Projects", "Statistics and tags"],
   "text editor": ["Document buttons", "Edit history", "Toolbar"],
   "ai & nlp": ["Modal NLP", "NLP service"],
   system: ["Token expiry"],

From e692b5b5c156c3da0605b768baf57e9653cac0c9 Mon Sep 17 00:00:00 2001
From: Mohammad Elwan <mohammadsherifl11@gmail.com>
Date: Sun, 19 Apr 2026 21:11:20 +0200
Subject: [PATCH 44/73] docs: revise settingitem row description

---
 frontend/src/components/dashboard/settings/SettingItem.vue | 6 +-----
 1 file changed, 1 insertion(+), 5 deletions(-)

diff --git a/frontend/src/components/dashboard/settings/SettingItem.vue b/frontend/src/components/dashboard/settings/SettingItem.vue
index 1339e14db..e29ce7737 100644
--- a/frontend/src/components/dashboard/settings/SettingItem.vue
+++ b/frontend/src/components/dashboard/settings/SettingItem.vue
@@ -112,11 +112,7 @@ import FormHelp from "@/basic/form/Help.vue";
 import LogoSvg, { DEFAULT_RE_BG } from "@/basic/icon/LogoSvg.vue";
 
 /**
- * SettingItem - Renders a single setting row (label + input).
- * Uses displayName and description from DB; description is shown next to the title via a gray (i) tooltip.
- *
- * Supported setting types: edits, boolean/bool, text (textarea), color (picker + hex + optional reset/preview),
- * email.template.* (select bound to the template table), and a plain text input fallback.
+ * Renders one setting row: label (displayName, optional description tooltip) and input for setting.type.
  */
 export default {
   name: "SettingItem",

From 6197fd1dbeb0d625341f7d0ef9e39dda5e271dc4 Mon Sep 17 00:00:00 2001
From: Mohammad Elwan <mohammadsherifl11@gmail.com>
Date: Sun, 19 Apr 2026 21:13:29 +0200
Subject: [PATCH 45/73] fix: return json payload from auth check endpoint

---
 backend/webserver/routes/auth/login.js | 34 ++++++++++++++++++++------
 1 file changed, 26 insertions(+), 8 deletions(-)

diff --git a/backend/webserver/routes/auth/login.js b/backend/webserver/routes/auth/login.js
index e262208a2..e3615f5e2 100644
--- a/backend/webserver/routes/auth/login.js
+++ b/backend/webserver/routes/auth/login.js
@@ -1,6 +1,7 @@
 'use strict';
 
 const passport = require('passport');
+const { relevantFields } = require('../../../utils/auth');
 
 /**
  * Register login/logout/session-check routes, including local and external provider entrypoints.
@@ -231,16 +232,33 @@ function registerLoginRoutes(server, helpers) {
     });
 
     /**
-     * Return the current authenticated user, if any.
+     * Return the current authenticated user (if any), needsSetup and wizardCompleted.
      */
-    server.app.get('/auth/check', (req, res) => {
-        if (req.user) {
-            res.status(200).send({ user: req.user });
-        } else {
-            res.status(401);
+    server.app.get('/auth/check', async (req, res) => {
+        try {
+            const admins = await server.db.models['user'].getUsersByRole('admin');
+            const needsSetup = admins.length === 0;
+            const wizardCompleted = (await server.db.models['app_state'].get('setup.wizardCompleted')) === 'true';
+
+            server.logger.debug(`req.session.passport: ${JSON.stringify(req.session && req.session.passport)}`);
+            server.logger.debug(`req.user: ${JSON.stringify(req.user)}`);
+
+            if (req.user) {
+                return res.status(200).json({
+                    user: relevantFields(req.user),
+                    needsSetup,
+                    wizardCompleted,
+                });
+            }
+            return res.status(200).json({
+                user: null,
+                needsSetup,
+                wizardCompleted,
+            });
+        } catch (err) {
+            server.logger.error('auth/check error: ' + err);
+            return res.status(500).json({ message: 'Internal server error' });
         }
-        server.logger.debug(`req.session.passport: ${JSON.stringify(req.session.passport)}`);
-        server.logger.debug(`req.user: ${JSON.stringify(req.user)}`);
     });
 }
 

From 04a35758914a0d193d38a09ac068f3c98569d6fa Mon Sep 17 00:00:00 2001
From: Mohammad Elwan <mohammadsherifl11@gmail.com>
Date: Mon, 20 Apr 2026 14:30:42 +0200
Subject: [PATCH 46/73] refactor: make dev skip setup wizard by default

---
 Makefile | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/Makefile b/Makefile
index d1f5c43ed..be35edb60 100644
--- a/Makefile
+++ b/Makefile
@@ -11,8 +11,8 @@ default: help
 .PHONY: help
 help:
 	@echo "make help             		 		Show this help message"
-	@echo "make dev             		  		Run in development mode (only unix)"
-	@echo "make dev-no-wizard   		  		Run dev mode and skip the first-time setup wizard"
+	@echo "make dev             		  		Run in development mode, skipping the first-time setup wizard (only unix)"
+	@echo "make dev-wizard         		  		Run dev mode and go through the first-time setup wizard"
 	@echo "make doc 							Build the documentation"
 	@echo "make dev-build       		  		Build the frontend (make dev-build-frontend) and run the backend in development mode"
 	@echo "make dev-backend      		 		Run backend in development mode"
@@ -80,11 +80,11 @@ init: modules db
 
 .PHONY: dev
 dev: frontend/node_modules/.uptodate backend/node_modules/.uptodate
-	cd frontend && npm run frontend-dev & cd backend && npm run start
+	cd frontend && npm run frontend-dev & cd backend && DEV_SKIP_WIZARD=true npm run start
 
-.PHONY: dev-no-wizard
-dev-no-wizard:
-	DEV_SKIP_WIZARD=true $(MAKE) dev
+.PHONY: dev-wizard
+dev-wizard: frontend/node_modules/.uptodate backend/node_modules/.uptodate
+	cd frontend && npm run frontend-dev & cd backend && npm run start
 
 .PHONY: dev-frontend
 dev-frontend: frontend/node_modules/.uptodate

From 7ce292c4dcb4ffca03780a225f3dd597df85ee23 Mon Sep 17 00:00:00 2001
From: Mohammad Elwan <mohammadsherifl11@gmail.com>
Date: Mon, 20 Apr 2026 16:31:51 +0200
Subject: [PATCH 47/73] fix: validate wizard JSON import keys and show import
 result toasts

---
 frontend/src/auth/SetupWizard.vue | 137 +++++++++++++++++++++++++++---
 1 file changed, 123 insertions(+), 14 deletions(-)

diff --git a/frontend/src/auth/SetupWizard.vue b/frontend/src/auth/SetupWizard.vue
index 07e67852a..64d99df82 100644
--- a/frontend/src/auth/SetupWizard.vue
+++ b/frontend/src/auth/SetupWizard.vue
@@ -273,7 +273,28 @@
 
       <!-- Step: Mail -->
       <div v-show="displaySteps[currentStep]?.type === 'mail'" class="card">
-        <div class="card-header step-card-header">Mail Configuration</div>
+        <div class="card-header step-card-header d-flex flex-wrap justify-content-between align-items-center gap-2">
+          <span>Mail Configuration</span>
+          <div class="d-flex flex-wrap gap-2">
+            <button
+              class="btn btn-outline-secondary btn-sm"
+              type="button"
+              :disabled="!allSettingsLoaded"
+              :title="allSettingsLoaded ? 'Download JSON: full settings snapshot with current wizard values applied' : 'Available after settings load'"
+              @click="downloadImportTemplate"
+            >
+              Download template
+            </button>
+            <button
+              class="btn btn-outline-secondary btn-sm"
+              type="button"
+              title="Load settings from a JSON file exported from another CARE instance"
+              @click="openImportModal"
+            >
+              Import from previous instance
+            </button>
+          </div>
+        </div>
         <div class="card-body mx-4 my-4">
           <p v-if="showError" class="text-danger text-center">{{ errorMessage }}</p>
 
@@ -392,7 +413,28 @@
 
       <!-- Step: Registration -->
       <div v-show="displaySteps[currentStep]?.type === 'registration'" class="card">
-        <div class="card-header step-card-header">User Registration</div>
+        <div class="card-header step-card-header d-flex flex-wrap justify-content-between align-items-center gap-2">
+          <span>User Registration</span>
+          <div class="d-flex flex-wrap gap-2">
+            <button
+              class="btn btn-outline-secondary btn-sm"
+              type="button"
+              :disabled="!allSettingsLoaded"
+              :title="allSettingsLoaded ? 'Download JSON: full settings snapshot with current wizard values applied' : 'Available after settings load'"
+              @click="downloadImportTemplate"
+            >
+              Download template
+            </button>
+            <button
+              class="btn btn-outline-secondary btn-sm"
+              type="button"
+              title="Load settings from a JSON file exported from another CARE instance"
+              @click="openImportModal"
+            >
+              Import from previous instance
+            </button>
+          </div>
+        </div>
         <div class="card-body mx-4 my-4">
           <p v-if="showError" class="text-danger text-center">{{ errorMessage }}</p>
           <p class="text-muted mb-3">
@@ -485,7 +527,28 @@
 
       <!-- Step: Summary -->
       <div v-show="displaySteps[currentStep]?.type === 'summary'" class="card">
-        <div class="card-header step-card-header">Summary</div>
+        <div class="card-header step-card-header d-flex flex-wrap justify-content-between align-items-center gap-2">
+          <span>Summary</span>
+          <div class="d-flex flex-wrap gap-2">
+            <button
+              class="btn btn-outline-secondary btn-sm"
+              type="button"
+              :disabled="!allSettingsLoaded"
+              :title="allSettingsLoaded ? 'Download JSON: full settings snapshot with current wizard values applied' : 'Available after settings load'"
+              @click="downloadImportTemplate"
+            >
+              Download template
+            </button>
+            <button
+              class="btn btn-outline-secondary btn-sm"
+              type="button"
+              title="Load settings from a JSON file exported from another CARE instance"
+              @click="openImportModal"
+            >
+              Import from previous instance
+            </button>
+          </div>
+        </div>
         <div class="card-body mx-4 my-4">
           <p class="text-muted mb-3">Review your choices before finishing.</p>
 
@@ -545,13 +608,11 @@
       <Modal ref="importModal" name="wizardImportSettings">
         <template #title>Import JSON from previous instance</template>
         <template #body>
-          <p class="mb-2">
-            This is an alternative to filling the wizard by hand. Upload a JSON file you exported from another CARE server
-            (<strong>Dashboard → Settings → Export JSON</strong>). Loaded keys replace values in this setup form and
-            <strong>skip the Mail and Registration steps</strong> (you can still review everything on the Summary).
-          </p>
-          <p class="small text-muted mb-3">
-            For a minimal example, use <strong>Download template</strong> on the General step (full settings snapshot with current wizard values), or export from Settings of an existing instance.
+          <p class="mb-3">
+            Upload a JSON file exported from another CARE instance
+            (<strong>Dashboard → Settings → Export JSON</strong>) or generated by <strong>Download template</strong>.
+            Loaded settings replace the corresponding wizard settings and <strong>skip the remaining setup steps</strong>;
+            you can still review everything on the <strong>Summary</strong> before finishing.
           </p>
           <input
             ref="jsonFileInput"
@@ -653,6 +714,11 @@ export default {
     allSettingsLoaded() {
       return Array.isArray(this.allSettingsFromDb);
     },
+    validSettingKeys() {
+      return Array.isArray(this.allSettingsFromDb)
+        ? new Set(this.allSettingsFromDb.map((s) => s.key))
+        : null;
+    },
     displaySteps() {
       const stepTypes = ["admin", "general", "mail", "registration", "summary"];
       let filtered = this.steps.filter((s) => stepTypes.includes(s.type));
@@ -1047,16 +1113,40 @@ export default {
         try {
           const json = JSON.parse(reader.result);
           if (typeof json !== "object" || json === null || Array.isArray(json)) {
-            this.importError = "The JSON must be an object of key/value pairs.";
-            return;
+            throw new Error("The JSON must be an object of key/value pairs.");
+          }
+          const normalized = this.normalizeFileSettings(json);
+          const { accepted, ignored } = this.filterKnownSettings(normalized);
+          if (Object.keys(accepted).length === 0) {
+            throw new Error(ignored.length
+              ? `None of the keys in the file match known settings.`
+              : "The file contains no settings.");
           }
-          this.settingsFromFile = this.normalizeFileSettings(json);
+          this.settingsFromFile = accepted;
+          const importedCount = Object.keys(accepted).length;
           this.importFile = null;
           if (this.$refs.jsonFileInput) this.$refs.jsonFileInput.value = "";
+          const nextSteps = this.displaySteps || [];
+          const summaryIndex = nextSteps.findIndex((s) => s?.type === "summary");
+          this.currentStep = summaryIndex >= 0 ? summaryIndex : Math.max(nextSteps.length - 1, 0);
           this.$refs.importModal.close();
           this.showError = false;
+          const ignoredCount = ignored.length;
+          this.eventBus.emit("toast", {
+            title: "Settings imported",
+            message: ignoredCount
+              ? `Loaded ${importedCount} setting${importedCount === 1 ? "" : "s"}; ignored ${ignoredCount} unknown key${ignoredCount === 1 ? "" : "s"}.`
+              : `Loaded ${importedCount} setting${importedCount === 1 ? "" : "s"} from file.`,
+            variant: ignoredCount ? "warning" : "success",
+          });
         } catch (e) {
-          this.importError = "Invalid JSON: " + (e.message || String(e));
+          const msg = e?.message || String(e);
+          this.importError = msg.startsWith("The JSON") ? msg : "Invalid JSON: " + msg;
+          this.eventBus.emit("toast", {
+            title: "Import failed",
+            message: this.importError,
+            variant: "danger",
+          });
         } finally {
           this.importing = false;
         }
@@ -1067,6 +1157,25 @@ export default {
       this.settingsFromFile = null;
       if (this.$refs.jsonFileInput) this.$refs.jsonFileInput.value = "";
     },
+    /**
+     * Partition imported settings into known and unknown keys against /setup/config.
+     * Accepts all keys while validSettingKeys is still loading.
+     * @param {Record<string, string>} obj - Normalized imported settings
+     * @returns {{accepted: Record<string, string>, ignored: string[]}}
+     */
+    filterKnownSettings(obj) {
+      const valid = this.validSettingKeys;
+      const accepted = {};
+      const ignored = [];
+      for (const [k, v] of Object.entries(obj)) {
+        if (!valid || valid.has(k)) {
+          accepted[k] = v;
+        } else {
+          ignored.push(k);
+        }
+      }
+      return { accepted, ignored };
+    },
     normalizeFileSettings(obj) {
       const out = {};
       for (const [k, v] of Object.entries(obj)) {

From 9f68bdc12dad863397e56a0c8b5290d2f30ce3f0 Mon Sep 17 00:00:00 2001
From: Mohammad Elwan <mohammadsherifl11@gmail.com>
Date: Mon, 20 Apr 2026 16:32:10 +0200
Subject: [PATCH 48/73] fix: remove duplicate modal close trigger from editor
 footer button

---
 frontend/src/basic/editor/Modal.vue | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/frontend/src/basic/editor/Modal.vue b/frontend/src/basic/editor/Modal.vue
index 5f04ae72e..853f5f0b4 100644
--- a/frontend/src/basic/editor/Modal.vue
+++ b/frontend/src/basic/editor/Modal.vue
@@ -7,7 +7,7 @@
       <Editor ref="editor" v-model="currentData"></Editor>
     </template>
     <template #footer>
-      <button class="btn btn-secondary" data-bs-dismiss="modal" type="button"
+      <button class="btn btn-secondary" type="button"
               @click="$refs.editorModal.close()">Close
       </button>
     </template>

From 6e964f6c579fc3adcd3177c3b7391c50bfb26a4b Mon Sep 17 00:00:00 2001
From: Mohammad Elwan <mohammadsherifl11@gmail.com>
Date: Mon, 20 Apr 2026 17:25:41 +0200
Subject: [PATCH 49/73] docs : add setup wizard and settings documentation

---
 .../for_developers/basics/user_stories.rst    | 65 ++++++++++++++
 .../for_developers/before_you_start.rst       | 11 ++-
 .../for_developers/examples/settings.rst      | 29 ++++++-
 .../for_developers/frontend/frontend.rst      |  2 +-
 .../for_developers/frontend/setup_wizard.rst  | 84 +++++++++++++++++++
 docs/source/for_researchers/basics.rst        |  6 ++
 docs/source/getting_started/installation.rst  |  1 +
 docs/source/getting_started/quickstart.rst    | 11 +--
 8 files changed, 200 insertions(+), 9 deletions(-)
 create mode 100644 docs/source/for_developers/frontend/setup_wizard.rst

diff --git a/docs/source/for_developers/basics/user_stories.rst b/docs/source/for_developers/basics/user_stories.rst
index 4fd7d30fc..8ac11bbda 100644
--- a/docs/source/for_developers/basics/user_stories.rst
+++ b/docs/source/for_developers/basics/user_stories.rst
@@ -8,6 +8,58 @@ Landing and Authentication
 
 -----
 
+First-Time Setup Wizard
+-----------------------
+
+.. container:: user-story
+
+   :Description:
+     I as an administrator, am guided through an initial setup wizard on a fresh CARE instance instead of being dropped into fragmented configuration screens.
+
+   :Acceptance:
+     When no admin account exists, opening CARE leads to a setup wizard with steps for admin account creation, general settings, mail settings, registration settings, and a summary. I can move through the steps, review values on summary, and finish setup. After completion, the instance is marked as configured and normal login/dashboard access is used.
+
+-----
+
+Import Setup Settings from JSON
+-------------------------------
+
+.. container:: user-story
+
+   :Description:
+     I as an administrator, can import setup values from a JSON file exported from another CARE instance to avoid re-entering settings manually.
+
+   :Acceptance:
+     In setup wizard steps after admin creation, I can open the import modal and select a JSON file with setting key/value pairs. Valid keys are loaded into the wizard state and reflected on the summary page. Unknown keys are ignored and this is shown in feedback. If the file is invalid JSON, I receive an error message and no values are imported.
+
+-----
+
+Export Setup Settings to JSON
+-----------------------------
+
+.. container:: user-story
+
+   :Description:
+     I as an administrator, can export the current setup configuration as a JSON snapshot to reuse it in another CARE instance.
+
+   :Acceptance:
+     In setup wizard steps after admin creation, I can use the download action to export a JSON file containing the current setup values. The exported file can be used as input for the setup import flow on another instance.
+
+-----
+
+Test Mail During Setup
+----------------------
+
+.. container:: user-story
+
+   :Description:
+     I as an administrator, can test mail delivery during setup before finishing the wizard.
+
+   :Acceptance:
+     In the mail step, I can enter a recipient address and trigger a test email. I receive clear success or error feedback based on the response of the test mail endpoint and can continue editing mail settings before finishing setup.
+
+-----
+
 Landing Page
 ------------
 
@@ -525,6 +577,19 @@ Admin Settings
 
 -----
 
+Wizard-Style Settings Configuration
+-----------------------------------
+
+.. container:: user-story
+
+   :Description:
+     I as an admin can edit system settings in a structured, step-based layout consistent with first-time setup, including mail and registration dependencies.
+
+   :Acceptance:
+     In the Settings area, I see grouped, user-facing labels and subsections aligned with the setup flow. Mail-dependent options are shown consistently with the mail service state. A test mail action is available to validate mail configuration. When I change mail settings and click "Save Settings", the new values are applied immediately without requiring a backend restart.
+
+-----
+
 Admin Logs
 ----------
 
diff --git a/docs/source/for_developers/before_you_start.rst b/docs/source/for_developers/before_you_start.rst
index d86c1c52b..ef8f6873b 100644
--- a/docs/source/for_developers/before_you_start.rst
+++ b/docs/source/for_developers/before_you_start.rst
@@ -128,11 +128,16 @@ the backend, just run the basic build using the following commands in different
 
     make docker # starts the docker containers needed for development
     make init   # initializes the database
-    make dev    # starts the development server (backend & frontend) - only linux!
+    make dev    # starts the development server (backend & frontend, wizard skipped) - only Linux!
 
 This will start the development server for the backend as well as the frontend. This also starts up
 a database in a docker container and populates it with the necessary schemas.
 
+.. note::
+
+    ``make dev`` runs with ``DEV_SKIP_WIZARD=true`` for faster iterative development.
+    If you need to test the first-time setup flow, use ``make dev-wizard``.
+
 .. note::
 
     When starting the application for the first time, you need to initialize the database!
@@ -228,7 +233,9 @@ More Commands
     * - ``make doc_clean``
       - Clean the Sphinx documentation.
     * - ``make dev``
-      - Run frontend (dev) and backend (dev) together. (Unix only)
+      - Run frontend (dev) and backend (dev) together, with setup wizard skipped. (Unix only)
+    * - ``make dev-wizard``
+      - Run frontend (dev) and backend (dev) together, with setup wizard enabled. (Unix only)
     * - ``make dev-backend``
       - Run backend in development mode.
     * - ``make dev-frontend``
diff --git a/docs/source/for_developers/examples/settings.rst b/docs/source/for_developers/examples/settings.rst
index f1b467f3f..106130a7a 100644
--- a/docs/source/for_developers/examples/settings.rst
+++ b/docs/source/for_developers/examples/settings.rst
@@ -155,4 +155,31 @@ You must manually parse them as needed based on the setting's ``type``.
 
    Changes made to settings in the frontend **are not automatically saved** to the database.
    After modifying any setting through the UI, you **must** click the ``Save Settings`` button.
-   Otherwise, your changes will be lost and not persisted.
\ No newline at end of file
+   Otherwise, your changes will be lost and not persisted.
+
+Wizard and Settings UI Metadata
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Settings can expose additional metadata so they render with user-friendly labels and
+grouping in both setup and dashboard settings views.
+
+Relevant fields on ``setting`` rows:
+
+- ``displayName``: human-readable field label
+- ``displayGroup``: top-level settings group
+- ``displaySubsection``: subsection title inside the group
+- ``showInWizard``: include in setup wizard
+- ``wizardStep``: wizard step assignment (e.g. ``general``, ``mail``, ``registration``)
+- ``wizardOrder``: field order within the step
+- ``requiredInWizard``: required flag for setup validation
+
+When adding new settings, populate these fields during migration so the setup wizard
+and the dashboard settings page stay aligned.
+
+Mail Settings Runtime Behavior
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Mail configuration changes made from the dashboard settings page are applied on
+``Save Settings`` and do not require a backend restart.
+
+This includes toggles and provider-specific values under ``system.mailService.*``.
\ No newline at end of file
diff --git a/docs/source/for_developers/frontend/frontend.rst b/docs/source/for_developers/frontend/frontend.rst
index 76d6c8745..b17e91c92 100644
--- a/docs/source/for_developers/frontend/frontend.rst
+++ b/docs/source/for_developers/frontend/frontend.rst
@@ -10,7 +10,7 @@ This includes adding new dashboard components, loading settings and extending th
 
    basic/basic
    components/components
-   auth
+   setup_wizard
    plugins
    vuex_store
    app
diff --git a/docs/source/for_developers/frontend/setup_wizard.rst b/docs/source/for_developers/frontend/setup_wizard.rst
new file mode 100644
index 000000000..4ed4824b6
--- /dev/null
+++ b/docs/source/for_developers/frontend/setup_wizard.rst
@@ -0,0 +1,84 @@
+Setup Wizard
+============
+
+The setup wizard provides the first-time configuration flow in CARE and is implemented in
+``frontend/src/auth/SetupWizard.vue``.
+
+When it is used
+---------------
+
+The wizard is shown for fresh instances where no admin account exists.
+Instead of going directly to login, the user is guided through setup and then redirected
+to the regular application flow.
+
+Backend endpoints used by this flow:
+
+- ``GET /setup/config``: fetch steps, wizard settings, and full settings snapshot.
+- ``POST /auth/setup-admin``: create the initial admin account.
+- ``POST /setup/test-mail``: send a test mail during setup.
+- ``PATCH /setup/state``: mark setup as completed.
+
+Wizard Steps
+------------
+
+The current step sequence is:
+
+1. **Admin** (create first admin account)
+2. **General** (base app behavior)
+3. **Mail** (mail service and provider fields)
+4. **Registration** (registration and consent-related settings)
+5. **Summary** (final review and save)
+
+.. note::
+
+   Moodle-related wizard settings are currently grouped under **General** via subsection metadata.
+
+How Settings Are Rendered
+-------------------------
+
+Wizard fields come from setting metadata in the database. For the setup flow and the
+dashboard settings rework to stay aligned, settings should define:
+
+- ``displayName``
+- ``displayGroup``
+- ``displaySubsection``
+- ``showInWizard``
+- ``wizardStep``
+- ``wizardOrder``
+- ``requiredInWizard``
+
+For details and migration examples, see :doc:`../examples/settings`.
+
+Import and Export
+-----------------
+
+The wizard supports JSON import/export to simplify migration from an existing CARE instance.
+
+- **Download** exports a JSON snapshot based on loaded settings plus current wizard form values.
+- **Import** accepts key/value JSON and normalizes values to strings for settings persistence.
+- Imported keys are validated against known setting keys from ``/setup/config``.
+- Unknown keys are ignored and reported in toast feedback.
+- After successful import, the wizard moves to **Summary** for review before finishing.
+
+Mail Test During Setup
+----------------------
+
+The mail step includes a test action that calls ``POST /setup/test-mail`` with the current
+mail configuration and recipient address.
+
+This allows validating SMTP/sendmail setup before finishing setup.
+
+Extending the Wizard
+--------------------
+
+To add or change setup fields:
+
+1. Add/update setting rows via migration (including wizard and display metadata).
+2. Ensure the new keys are returned by ``/setup/config``.
+3. If needed, update step-specific logic in ``SetupWizard.vue`` (validation, dependency toggles, and summary rendering).
+4. Verify import/export behavior for the new keys.
+
+To change the setup order or visible steps:
+
+- Update wizard step definitions returned by ``/setup/config``.
+- Keep frontend step filtering consistent with dependency rules.
diff --git a/docs/source/for_researchers/basics.rst b/docs/source/for_researchers/basics.rst
index 6f3f16dc7..4ae8f54c5 100644
--- a/docs/source/for_researchers/basics.rst
+++ b/docs/source/for_researchers/basics.rst
@@ -16,6 +16,12 @@ For more advanced deployment scenarios such as conducting multiple user studies,
 Please check out the details of hosting the CARE server described in the
 :doc:`getting started chapter <../getting_started/installation>`.
 
+.. note::
+
+    On a fresh CARE instance, the application opens a setup wizard before the regular login is available.
+    Complete this initial setup before inviting participants to your study.
+    After setup is finished, CARE continues with the standard login and dashboard workflow.
+
 .. note::
 
     For running internal pilot studies, running an NGINX server along with CARE is not strictly necessary, but this is highly recommended
diff --git a/docs/source/getting_started/installation.rst b/docs/source/getting_started/installation.rst
index 19d4c034e..aa9cba839 100644
--- a/docs/source/getting_started/installation.rst
+++ b/docs/source/getting_started/installation.rst
@@ -112,6 +112,7 @@ The email can be sent again when trying to login without being verified. The Del
 
     If you want to change the settings (e.g., using an external SMTP server or disable it), you can change the settings in the frontend dashboard under "Settings".
     If you disable the mail server, make sure you also disable email notifications/verification.
+    Changes to ``system.mailService.*`` are applied when you click ``Save Settings`` and do not require a backend restart.
 
 
 
diff --git a/docs/source/getting_started/quickstart.rst b/docs/source/getting_started/quickstart.rst
index 2a74e3f5f..885e8d74c 100644
--- a/docs/source/getting_started/quickstart.rst
+++ b/docs/source/getting_started/quickstart.rst
@@ -42,13 +42,14 @@ The code is structured accordingly:
 
 The Frontend
 ------------
-The frontend essentially consists of three major views:
+The frontend essentially consists of the following major views:
 
     1. the landing page (login and register view)
-    2. the dashboard (connecting all other views)
-    3. the annotator (view for annotating documents)
-    4. the editor (view for editing documents)
-    5. the studies including study dashboard and study sessions (view for managing and using user studies)
+    2. the first-time setup wizard (shown when no admin account exists)
+    3. the dashboard (connecting all other views)
+    4. the annotator (view for annotating documents)
+    5. the editor (view for editing documents)
+    6. the studies including study dashboard and study sessions (view for managing and using user studies)
 
 All management functionality is realized within the :doc:`dashboard <../for_developers/frontend/components/dashboard>`.
 If you intend to extend CARE, you usually add new :doc:`components <../for_developers/frontend/components/components>` here.

From 7a6565714cabf8cd1beffceebdf4063e110bb328 Mon Sep 17 00:00:00 2001
From: Mohammad Elwan <mohammadsherifl11@gmail.com>
Date: Sun, 26 Apr 2026 18:36:34 +0300
Subject: [PATCH 50/73] refactor: rename and align displayname metadata
 migrations

---
 ...260225234559-basic-setting-displayName.js} | 31 +++++++++----------
 1 file changed, 14 insertions(+), 17 deletions(-)
 rename backend/db/migrations/{20260225234559-extend-setting-displayName.js => 20260225234559-basic-setting-displayName.js} (95%)

diff --git a/backend/db/migrations/20260225234559-extend-setting-displayName.js b/backend/db/migrations/20260225234559-basic-setting-displayName.js
similarity index 95%
rename from backend/db/migrations/20260225234559-extend-setting-displayName.js
rename to backend/db/migrations/20260225234559-basic-setting-displayName.js
index d2cb7e015..036db9f29 100644
--- a/backend/db/migrations/20260225234559-extend-setting-displayName.js
+++ b/backend/db/migrations/20260225234559-basic-setting-displayName.js
@@ -1,7 +1,7 @@
 'use strict';
 
 /**
- * Add displayName, displayGroup, and displaySubsection columns.
+ * Populate displayName, displayGroup, and displaySubsection columns.
  * displayName: user-facing label from CSV Suggested Name
  * displayGroup: section grouping for non-wizard settings from CSV Suggested group naming
  * displaySubsection: subsection within a section for Settings page and SetupWizard
@@ -301,19 +301,6 @@ const DISPLAY_NAMES = {
 
 module.exports = {
     async up(queryInterface, Sequelize) {
-        await queryInterface.addColumn('setting', 'displayName', {
-            type: Sequelize.STRING(256),
-            allowNull: true,
-        });
-        await queryInterface.addColumn('setting', 'displayGroup', {
-            type: Sequelize.STRING(128),
-            allowNull: true,
-        });
-        await queryInterface.addColumn('setting', 'displaySubsection', {
-            type: Sequelize.STRING(128),
-            allowNull: true,
-        });
-
         const [results] = await queryInterface.sequelize.query(
             "SELECT key FROM setting WHERE deleted = false"
         );
@@ -345,8 +332,18 @@ module.exports = {
     },
 
     async down(queryInterface, Sequelize) {
-        await queryInterface.removeColumn('setting', 'displayName');
-        await queryInterface.removeColumn('setting', 'displayGroup');
-        await queryInterface.removeColumn('setting', 'displaySubsection');
+        const [results] = await queryInterface.sequelize.query(
+            "SELECT key FROM setting WHERE deleted = false"
+        );
+
+        for (const row of results) {
+            const key = row.key;
+            if (DISPLAY_NAMES[key] || KEY_TO_DISPLAY_GROUP[key] || KEY_TO_DISPLAY_SUBSECTION[key]) {
+                await queryInterface.sequelize.query(
+                    'UPDATE setting SET "displayName" = NULL, "displayGroup" = NULL, "displaySubsection" = NULL WHERE key = :key',
+                    { replacements: { key } }
+                );
+            }
+        }
     },
 };
\ No newline at end of file

From bf27c68b70478ddb0dcb3ce09faa3deeae1124f9 Mon Sep 17 00:00:00 2001
From: Mohammad Elwan <mohammadsherifl11@gmail.com>
Date: Sun, 26 Apr 2026 18:45:19 +0300
Subject: [PATCH 51/73] refactor: use wizard_step fk for setting wizard mapping

---
 .../20260119185850-extend-setting-wizard.js   | 27 ++++++++++++++++---
 ...20260119194252-transform-setting-wizard.js | 10 +++++--
 backend/db/models/setting.js                  | 24 ++++++++++++++---
 backend/db/models/wizard_step.js              |  5 +++-
 4 files changed, 57 insertions(+), 9 deletions(-)

diff --git a/backend/db/migrations/20260119185850-extend-setting-wizard.js b/backend/db/migrations/20260119185850-extend-setting-wizard.js
index 6b77210f3..8bd12b81d 100644
--- a/backend/db/migrations/20260119185850-extend-setting-wizard.js
+++ b/backend/db/migrations/20260119185850-extend-setting-wizard.js
@@ -15,16 +15,37 @@ module.exports = {
             type: Sequelize.BOOLEAN,
             defaultValue: false,
         });
-        await queryInterface.addColumn('setting', 'wizardStep', {
-            type: Sequelize.STRING,
+        await queryInterface.addColumn('setting', 'wizardStepId', {
+            type: Sequelize.INTEGER,
+            allowNull: true,
+            references: {
+                model: 'wizard_step',
+                key: 'id',
+            },
+            onUpdate: 'CASCADE',
+            onDelete: 'SET NULL',
+        });
+        await queryInterface.addColumn('setting', 'displayName', {
+            type: Sequelize.STRING(256),
+            allowNull: true,
+        });
+        await queryInterface.addColumn('setting', 'displayGroup', {
+            type: Sequelize.STRING(128),
+            allowNull: true,
+        });
+        await queryInterface.addColumn('setting', 'displaySubsection', {
+            type: Sequelize.STRING(128),
             allowNull: true,
         });
     },
 
     async down(queryInterface, Sequelize) {
+        await queryInterface.removeColumn('setting', 'displaySubsection');
+        await queryInterface.removeColumn('setting', 'displayGroup');
+        await queryInterface.removeColumn('setting', 'displayName');
         await queryInterface.removeColumn('setting', 'showInWizard');
         await queryInterface.removeColumn('setting', 'wizardOrder');
         await queryInterface.removeColumn('setting', 'requiredInWizard');
-        await queryInterface.removeColumn('setting', 'wizardStep');
+        await queryInterface.removeColumn('setting', 'wizardStepId');
     },
 };
diff --git a/backend/db/migrations/20260119194252-transform-setting-wizard.js b/backend/db/migrations/20260119194252-transform-setting-wizard.js
index 475ea50c0..f8e4befc6 100644
--- a/backend/db/migrations/20260119194252-transform-setting-wizard.js
+++ b/backend/db/migrations/20260119194252-transform-setting-wizard.js
@@ -52,7 +52,13 @@ module.exports = {
     async up(queryInterface, Sequelize) {
         for (const { key, wizardStep, wizardOrder, requiredInWizard } of WIZARD_SETTINGS) {
             await queryInterface.sequelize.query(
-                `UPDATE setting SET "showInWizard" = true, "wizardStep" = :wizardStep, "wizardOrder" = :wizardOrder, "requiredInWizard" = :requiredInWizard, "updatedAt" = :now WHERE key = :key`,
+                `UPDATE setting
+                 SET "showInWizard" = true,
+                     "wizardStepId" = (SELECT id FROM wizard_step WHERE key = :wizardStep),
+                     "wizardOrder" = :wizardOrder,
+                     "requiredInWizard" = :requiredInWizard,
+                     "updatedAt" = :now
+                 WHERE key = :key`,
                 {
                     replacements: { key, wizardStep, wizardOrder, requiredInWizard, now: new Date() },
                     type: Sequelize.QueryTypes.UPDATE,
@@ -64,7 +70,7 @@ module.exports = {
     async down(queryInterface, Sequelize) {
         for (const { key } of WIZARD_SETTINGS) {
             await queryInterface.sequelize.query(
-                `UPDATE setting SET "showInWizard" = false, "wizardStep" = NULL, "wizardOrder" = NULL, "requiredInWizard" = false, "updatedAt" = :now WHERE key = :key`,
+                `UPDATE setting SET "showInWizard" = false, "wizardStepId" = NULL, "wizardOrder" = NULL, "requiredInWizard" = false, "updatedAt" = :now WHERE key = :key`,
                 {
                     replacements: { key, now: new Date() },
                     type: Sequelize.QueryTypes.UPDATE,
diff --git a/backend/db/models/setting.js b/backend/db/models/setting.js
index f769bd1da..c53e0f327 100644
--- a/backend/db/models/setting.js
+++ b/backend/db/models/setting.js
@@ -10,7 +10,10 @@ module.exports = (sequelize, DataTypes) => {
          * The `models/index` file will call this method automatically.
          */
         static associate(models) {
-            // define association here
+            Setting.belongsTo(models["wizard_step"], {
+                foreignKey: "wizardStepId",
+                as: "wizardStep",
+            });
         }
 
         /**
@@ -57,7 +60,22 @@ module.exports = (sequelize, DataTypes) => {
                 return await Setting.findAll({
                     where: { showInWizard: true, deleted: false },
                     order: [['wizardOrder', 'ASC']],
-                    attributes: ['key', 'value', 'type', 'description', 'displayName', 'displaySubsection', 'requiredInWizard', 'wizardStep'],
+                    attributes: [
+                        'key',
+                        'value',
+                        'type',
+                        'description',
+                        'displayName',
+                        'displaySubsection',
+                        'requiredInWizard',
+                        [sequelize.col('wizardStep.key'), 'wizardStep'],
+                    ],
+                    include: [{
+                        model: sequelize.models["wizard_step"],
+                        as: "wizardStep",
+                        attributes: [],
+                        required: false,
+                    }],
                     raw: true,
                 });
             } catch (e) {
@@ -124,7 +142,7 @@ module.exports = (sequelize, DataTypes) => {
         showInWizard: DataTypes.BOOLEAN,
         wizardOrder: DataTypes.INTEGER,
         requiredInWizard: DataTypes.BOOLEAN,
-        wizardStep: DataTypes.STRING,
+        wizardStepId: DataTypes.INTEGER,
         deleted: DataTypes.BOOLEAN,
         deletedAt: DataTypes.DATE
 
diff --git a/backend/db/models/wizard_step.js b/backend/db/models/wizard_step.js
index 8ce7149fb..44f1769b6 100644
--- a/backend/db/models/wizard_step.js
+++ b/backend/db/models/wizard_step.js
@@ -7,7 +7,10 @@ module.exports = (sequelize, DataTypes) => {
         static autoTable = false;
 
         static associate(models) {
-            // no associations
+            WizardStep.hasMany(models["setting"], {
+                foreignKey: "wizardStepId",
+                as: "settings",
+            });
         }
     }
 

From 4ad98a54d5c4831c007263e49bf13330f3c98c23 Mon Sep 17 00:00:00 2001
From: Mohammad Elwan <mohammadsherifl11@gmail.com>
Date: Sun, 26 Apr 2026 18:46:58 +0300
Subject: [PATCH 52/73] refactor: store setup wizard state in setting keys

---
 .../20260223130010-basic-setting-app_setup.js | 42 +++++++++++
 .../20260223130010-create-app_state.js        | 35 ---------
 backend/db/models/app_state.js                | 73 -------------------
 backend/webserver/routes/auth/login.js        |  2 +-
 backend/webserver/routes/setup.js             | 12 +--
 backend/webserver/utils/devAdmin.js           |  2 +-
 6 files changed, 50 insertions(+), 116 deletions(-)
 create mode 100644 backend/db/migrations/20260223130010-basic-setting-app_setup.js
 delete mode 100644 backend/db/migrations/20260223130010-create-app_state.js
 delete mode 100644 backend/db/models/app_state.js

diff --git a/backend/db/migrations/20260223130010-basic-setting-app_setup.js b/backend/db/migrations/20260223130010-basic-setting-app_setup.js
new file mode 100644
index 000000000..3ff8fc2e5
--- /dev/null
+++ b/backend/db/migrations/20260223130010-basic-setting-app_setup.js
@@ -0,0 +1,42 @@
+'use strict';
+
+/** @type {import('sequelize-cli').Migration} */
+module.exports = {
+    async up(queryInterface, Sequelize) {
+        const now = new Date();
+        await queryInterface.bulkInsert('setting', [
+            {
+                key: 'app.setup.wizardCompleted',
+                value: 'false',
+                type: 'boolean',
+                description: 'Internal setup wizard completion state.',
+                onlyAdmin: true,
+                showInWizard: false,
+                requiredInWizard: false,
+                deleted: false,
+                createdAt: now,
+                updatedAt: now,
+                deletedAt: null,
+            },
+            {
+                key: 'app.setup.wizardCurrentStep',
+                value: '0',
+                type: 'integer',
+                description: 'Internal setup wizard current step.',
+                onlyAdmin: true,
+                showInWizard: false,
+                requiredInWizard: false,
+                deleted: false,
+                createdAt: now,
+                updatedAt: now,
+                deletedAt: null,
+            },
+        ], {});
+    },
+
+    async down(queryInterface, Sequelize) {
+        await queryInterface.bulkDelete('setting', {
+            key: ['app.setup.wizardCompleted', 'app.setup.wizardCurrentStep'],
+        }, {});
+    },
+};
diff --git a/backend/db/migrations/20260223130010-create-app_state.js b/backend/db/migrations/20260223130010-create-app_state.js
deleted file mode 100644
index 389af1507..000000000
--- a/backend/db/migrations/20260223130010-create-app_state.js
+++ /dev/null
@@ -1,35 +0,0 @@
-'use strict';
-
-/** @type {import('sequelize-cli').Migration} */
-module.exports = {
-    async up(queryInterface, Sequelize) {
-        await queryInterface.createTable('app_state', {
-            key: {
-                allowNull: false,
-                type: Sequelize.STRING,
-                primaryKey: true,
-            },
-            value: {
-                type: Sequelize.TEXT,
-            },
-            createdAt: {
-                allowNull: false,
-                type: Sequelize.DATE,
-            },
-            updatedAt: {
-                allowNull: false,
-                type: Sequelize.DATE,
-            },
-        });
-
-        const now = new Date();
-        await queryInterface.bulkInsert('app_state', [
-            { key: 'setup.wizardCompleted', value: 'false', createdAt: now, updatedAt: now },
-            { key: 'setup.wizardCurrentStep', value: '0', createdAt: now, updatedAt: now },
-        ], {});
-    },
-
-    async down(queryInterface, Sequelize) {
-        await queryInterface.dropTable('app_state');
-    },
-};
diff --git a/backend/db/models/app_state.js b/backend/db/models/app_state.js
deleted file mode 100644
index 8e6e7c897..000000000
--- a/backend/db/models/app_state.js
+++ /dev/null
@@ -1,73 +0,0 @@
-'use strict';
-
-/**
- * AppState model — key-value store for internal runtime state (e.g. wizard progress).
- * Not user-configurable; separate from the setting table.
- *
- */
-module.exports = (sequelize, DataTypes) => {
-    const { Model } = require('sequelize');
-
-    class AppState extends Model {
-        static associate(models) {
-            // no associations
-        }
-
-        /**
-         * Get value by key
-         * @param {string} key
-         * @returns {Promise<string|null>}
-         */
-        static async get(key) {
-            try {
-                const row = await AppState.findOne({ where: { key }, raw: true });
-                return row ? row.value : null;
-            } catch (e) {
-                console.log(e);
-                return null;
-            }
-        }
-
-        /**
-         * Set value by key (upsert)
-         * @param {string} key
-         * @param {string} value
-         * @param {object} options 
-         * @returns {Promise<object|null>}
-         */
-        static async set(key, value, options = {}) {
-            try {
-                const [instance] = await AppState.upsert(
-                    { key, value },
-                    { conflictFields: ['key'], ...options }
-                );
-                return instance?.dataValues ?? null;
-            } catch (e) {
-                console.log(e);
-                return null;
-            }
-        }
-    }
-
-    AppState.init(
-        {
-            key: {
-                type: DataTypes.STRING,
-                allowNull: false,
-                primaryKey: true,
-            },
-            value: {
-                type: DataTypes.TEXT,
-            },
-        },
-        {
-            sequelize,
-            modelName: 'app_state',
-            tableName: 'app_state',
-        }
-    );
-
-    AppState.removeAttribute('id');
-
-    return AppState;
-};
diff --git a/backend/webserver/routes/auth/login.js b/backend/webserver/routes/auth/login.js
index e3615f5e2..ed3b0610b 100644
--- a/backend/webserver/routes/auth/login.js
+++ b/backend/webserver/routes/auth/login.js
@@ -238,7 +238,7 @@ function registerLoginRoutes(server, helpers) {
         try {
             const admins = await server.db.models['user'].getUsersByRole('admin');
             const needsSetup = admins.length === 0;
-            const wizardCompleted = (await server.db.models['app_state'].get('setup.wizardCompleted')) === 'true';
+            const wizardCompleted = (await server.db.models['setting'].get('app.setup.wizardCompleted')) === 'true';
 
             server.logger.debug(`req.session.passport: ${JSON.stringify(req.session && req.session.passport)}`);
             server.logger.debug(`req.user: ${JSON.stringify(req.user)}`);
diff --git a/backend/webserver/routes/setup.js b/backend/webserver/routes/setup.js
index 7084c5fcb..562168f80 100644
--- a/backend/webserver/routes/setup.js
+++ b/backend/webserver/routes/setup.js
@@ -16,7 +16,7 @@ module.exports = function (server) {
      * GET /setup/config
      * Returns wizard config while initial setup is in progress: needsSetup is true when no
      * admin exists; steps, wizardSettings, and wizardSettingsByStep (grouped by general,
-     * mail, registration) are returned until app_state.setup.wizardCompleted is true.
+     * mail, registration) are returned until app.setup.wizardCompleted is true.
      * Moodle fields appear in the General wizard step in the UI. When setup is fully
      * complete, returns empty steps and wizardSettings.
      */
@@ -24,7 +24,7 @@ module.exports = function (server) {
         try {
             const admins = await server.db.models["user"].getUsersByRole("admin");
             const needsSetup = admins.length === 0;
-            const wizardCompleted = (await server.db.models["app_state"].get("setup.wizardCompleted")) === "true";
+            const wizardCompleted = (await server.db.models["setting"].get("app.setup.wizardCompleted")) === "true";
 
             if (!needsSetup && wizardCompleted) {
                 return res.status(200).json({ needsSetup: false, steps: [], wizardSettings: [] });
@@ -90,7 +90,7 @@ module.exports = function (server) {
 
     /**
      * PATCH /setup/state
-     * Updates wizard state in app_state.
+     * Updates wizard state in settings.
      * Body: { wizardCompleted?: string, wizardCurrentStep?: string }
      */
     server.app.patch("/setup/state", async function (req, res) {
@@ -105,13 +105,13 @@ module.exports = function (server) {
             }
 
             const { wizardCompleted, wizardCurrentStep } = req.body || {};
-            const AppState = server.db.models["app_state"];
+            const Setting = server.db.models["setting"];
 
             if (wizardCompleted !== undefined) {
-                await AppState.set("setup.wizardCompleted", String(wizardCompleted));
+                await Setting.set("app.setup.wizardCompleted", String(wizardCompleted));
             }
             if (wizardCurrentStep !== undefined) {
-                await AppState.set("setup.wizardCurrentStep", String(wizardCurrentStep));
+                await Setting.set("app.setup.wizardCurrentStep", String(wizardCurrentStep));
             }
 
             return res.status(200).json({ success: true });
diff --git a/backend/webserver/utils/devAdmin.js b/backend/webserver/utils/devAdmin.js
index f9c5f2087..64e7fce5c 100644
--- a/backend/webserver/utils/devAdmin.js
+++ b/backend/webserver/utils/devAdmin.js
@@ -33,7 +33,7 @@ async function setupDevAdmin(server) {
         }
 
         await createInitialAdmin(server, { userName: "admin", email, password });
-        await server.db.models["app_state"].set("setup.wizardCompleted", "true");
+        await server.db.models["setting"].set("app.setup.wizardCompleted", "true");
 
         server.logger.info(`DEV_SKIP_WIZARD: created admin <${email}> and marked wizard complete.`);
     } catch (err) {

From 24e4ebb7c1d9425ea689e7a02ed700ce1d8d9691 Mon Sep 17 00:00:00 2001
From: Mohammad Elwan <mohammadsherifl11@gmail.com>
Date: Sun, 26 Apr 2026 18:47:08 +0300
Subject: [PATCH 53/73] fix: exclude internal setup keys from settings import
 export

---
 frontend/src/components/dashboard/Settings.vue | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/frontend/src/components/dashboard/Settings.vue b/frontend/src/components/dashboard/Settings.vue
index 6872a7ef6..79c42ac29 100644
--- a/frontend/src/components/dashboard/Settings.vue
+++ b/frontend/src/components/dashboard/Settings.vue
@@ -405,7 +405,7 @@ export default {
     },
     exportSettings() {
       downloadObjectsAs(
-          this.settings.reduce(
+          this.displaySettings.reduce(
               (acc, {key, value}) => ({...acc, [key]: value}),
               {}
           ),
@@ -472,10 +472,11 @@ export default {
 
         let updatedCount = 0;
         const flat = json;
+        const visibleKeys = new Set(this.displaySettings.map((setting) => setting.key));
 
         // Overwrite only existing keys
         this.settings = this.settings.map((setting) => {
-          if (Object.prototype.hasOwnProperty.call(flat, setting.key)) {
+          if (visibleKeys.has(setting.key) && Object.prototype.hasOwnProperty.call(flat, setting.key)) {
             setting.value = flat[setting.key];
             updatedCount++;
           }

From 659a373d860e966aac5d18a68ea3a1adac280ae4 Mon Sep 17 00:00:00 2001
From: Mohammad Elwan <mohammadsherifl11@gmail.com>
Date: Wed, 29 Apr 2026 16:59:47 +0300
Subject: [PATCH 54/73] docs : reorder frontend major views for setup flow

---
 docs/source/getting_started/quickstart.rst | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/docs/source/getting_started/quickstart.rst b/docs/source/getting_started/quickstart.rst
index 885e8d74c..dcd2633e7 100644
--- a/docs/source/getting_started/quickstart.rst
+++ b/docs/source/getting_started/quickstart.rst
@@ -44,8 +44,8 @@ The Frontend
 ------------
 The frontend essentially consists of the following major views:
 
-    1. the landing page (login and register view)
-    2. the first-time setup wizard (shown when no admin account exists)
+    1. the first-time setup wizard (shown when no admin account exists)
+    2. the landing page (login and register view)
     3. the dashboard (connecting all other views)
     4. the annotator (view for annotating documents)
     5. the editor (view for editing documents)

From dff971ed96d4b33902e92a9a4980b3d4f0bb84f2 Mon Sep 17 00:00:00 2001
From: Mohammad Elwan <mohammadsherifl11@gmail.com>
Date: Wed, 29 Apr 2026 17:00:27 +0300
Subject: [PATCH 55/73] refactor : unify router guards and reduce auth check
 duplication

---
 frontend/src/router.js | 61 +++++++++++++++++++++---------------------
 1 file changed, 30 insertions(+), 31 deletions(-)

diff --git a/frontend/src/router.js b/frontend/src/router.js
index 0563588fe..d544784bb 100644
--- a/frontend/src/router.js
+++ b/frontend/src/router.js
@@ -124,10 +124,24 @@ const router = VueRouter.createRouter({
 });
 
 /**
- * If the user is logged in and the setup wizard is not completed, redirect to /wizard
- * so they cannot bypass it by typing /dashboard, /login, etc.
+ * Single navigation guard: registration toggle, /wizard access rules, and forcing
+ * incomplete setup to /wizard only for requireAuth routes (checkLogin flows use
+ * App.vue runCheckLoginFlow to avoid duplicate /auth/check).
  */
 router.beforeEach(async (to, from, next) => {
+    if (to.name === "register") {
+        const isSelfRegistrationEnabled = window.config && window.config["app.register.enabled"] === "true";
+        if (!isSelfRegistrationEnabled) {
+            return next({
+                name: "login",
+                query: {
+                    redirectedFrom: to.query.redirectedFrom,
+                    registrationDisabled: "true"
+                }
+            });
+        }
+    }
+
     if (to.path === "/wizard") {
         try {
             const r = await fetch(getServerURL() + "/auth/check", { credentials: "include" });
@@ -136,39 +150,24 @@ router.beforeEach(async (to, from, next) => {
             if (d.needsSetup === true) return next();
             if (d.user && d.wizardCompleted === false) return next();
             return next({ path: "/" });
-        } catch (_) {}
-        return next();
+        } catch (_) {
+            return next();
+        }
     }
+
     if (!to.meta.requireAuth && !to.meta.checkLogin) return next();
-    try {
-        const r = await fetch(getServerURL() + "/auth/check", { credentials: "include" });
-        if (!r.ok) return next();
-        const d = await r.json();
-        if (d.user && d.wizardCompleted === false) {
-            return next({ path: "/wizard" });
-        }
-    } catch (_) {}
-    next();
-});
 
-// Navigation guard to check if self-registration is enabled
-router.beforeEach((to, from, next) => {
-    // Check if trying to access register page
-    if (to.name === "register") {
-        // Check if self-registration is enabled
-        const isSelfRegistrationEnabled = window.config && window.config["app.register.enabled"] === "true";
-        if (!isSelfRegistrationEnabled) {
-            // Redirect to login
-            next({
-                name: "login",
-                query: { 
-                    redirectedFrom: to.query.redirectedFrom,
-                    registrationDisabled: "true"
-                }
-            });
-            return;
-        }
+    if (to.meta.requireAuth) {
+        try {
+            const r = await fetch(getServerURL() + "/auth/check", { credentials: "include" });
+            if (!r.ok) return next();
+            const d = await r.json();
+            if (d.user && d.wizardCompleted === false) {
+                return next({ path: "/wizard" });
+            }
+        } catch (_) {}
     }
+
     next();
 });
 

From 6466d147cbc32aa414fae2356f68aeb4bf28edfe Mon Sep 17 00:00:00 2001
From: Mohammad Elwan <mohammadsherifl11@gmail.com>
Date: Wed, 29 Apr 2026 17:03:14 +0300
Subject: [PATCH 56/73] refactor : align mail test JSDoc and settings retrieval

---
 backend/db/models/setting.js         | 21 ++++++++
 backend/webserver/routes/setup.js    |  8 +---
 backend/webserver/sockets/setting.js | 56 ++++++++++++++--------
 backend/webserver/utils/mailTest.js  | 72 ++++++++++++++++++++--------
 4 files changed, 113 insertions(+), 44 deletions(-)

diff --git a/backend/db/models/setting.js b/backend/db/models/setting.js
index c53e0f327..81c347b51 100644
--- a/backend/db/models/setting.js
+++ b/backend/db/models/setting.js
@@ -106,6 +106,27 @@ module.exports = (sequelize, DataTypes) => {
             }
         }
 
+        /**
+         * Mail service settings only (keys under system.mailService.*).
+         * Used for test mail and mail transport helpers without loading all settings.
+         * @returns {Promise<object[]>}
+         */
+        static async getMailServiceSettings() {
+            try {
+                return await Setting.findAll({
+                    where: {
+                        deleted: false,
+                        key: {[Op.like]: 'system.mailService.%'},
+                    },
+                    attributes: ['key', 'value'],
+                    raw: true,
+                });
+            } catch (e) {
+                console.log(e);
+                return [];
+            }
+        }
+
         /**
          * Set setting value by key
          * @param {string} key setting key
diff --git a/backend/webserver/routes/setup.js b/backend/webserver/routes/setup.js
index 562168f80..5c579179d 100644
--- a/backend/webserver/routes/setup.js
+++ b/backend/webserver/routes/setup.js
@@ -61,12 +61,7 @@ module.exports = function (server) {
                 return res.status(403).json({ success: false, message: "Test mail is only available during initial setup." });
             }
 
-            const to = req.body && req.body.to != null ? String(req.body.to).trim() : "";
-            if (!to || !/^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(to)) {
-                return res.status(400).json({ success: false, message: "A valid recipient email address is required." });
-            }
-
-            const rows = await server.db.models["setting"].getAll(false);
+            const rows = await server.db.models["setting"].getMailServiceSettings();
             const baseMap = mailTest.buildMailMapFromSettingsRows(rows);
             const overlay = req.body && req.body.settings && typeof req.body.settings === "object" && !Array.isArray(req.body.settings)
                 ? req.body.settings
@@ -80,6 +75,7 @@ module.exports = function (server) {
 
             const transport = mailTest.buildTransportFromMailSettings(map);
             const from = map["system.mailService.senderAddress"] || "";
+            const to = req.body && req.body.to != null ? String(req.body.to).trim() : "";
             await mailTest.sendFixedTestMail(transport, { from, to });
             return res.status(200).json({ success: true, message: "Test email sent." });
         } catch (err) {
diff --git a/backend/webserver/sockets/setting.js b/backend/webserver/sockets/setting.js
index 385d55685..203ebdbdb 100644
--- a/backend/webserver/sockets/setting.js
+++ b/backend/webserver/sockets/setting.js
@@ -4,10 +4,14 @@ const mailTest = require("../utils/mailTest.js");
 const MAIL_SERVICE_KEY_PREFIX = "system.mailService.";
 
 /**
- * @param {Array<{ key: string }>|undefined} data Settings payload from settingSave
- * @returns {boolean} True if any saved key is under system.mailService.*
+ * Returns whether a settingSave payload includes any key under system.mailService.*.
+ * Used to decide if the nodemailer transport should be rebuilt after commit.
+ *
+ * @param {object} data     Settings array from settingSave
+ * @param {string} data.key Setting key
+ * @returns {boolean}
  */
-function payloadTouchesMailService(data) {
+function savePayloadTouchesMailService(data) {
     if (!Array.isArray(data)) {
         return false;
     }
@@ -30,6 +34,20 @@ function payloadTouchesMailService(data) {
  * @class SettingSocket
  */
 class SettingSocket extends Socket {
+    /**
+     * Build dashboard settings payload and enrich wizard settings with wizardStep key
+     * (string), so frontend grouping can use the same shape as setup wizard config.
+     * @returns {Promise<object[]>}
+     */
+    async getDashboardSettingsPayload() {
+        const settings = await this.models["setting"].getAll(true);
+        const wizardSettings = await this.models["setting"].getWizardSettings();
+        const wizardStepByKey = new Map(wizardSettings.map((s) => [s.key, s.wizardStep]));
+        return settings.map((setting) => ({
+            ...setting,
+            wizardStep: wizardStepByKey.get(setting.key) || setting.wizardStep || null,
+        }));
+    }
 
     /**
      * Fetches all system settings from the database.
@@ -46,7 +64,7 @@ class SettingSocket extends Socket {
             throw new Error("You do not have permission to access settings.");
         }
 
-        return await this.models["setting"].getAll(true);
+        return await this.getDashboardSettingsPayload();
     }
 
    /**
@@ -64,7 +82,7 @@ class SettingSocket extends Socket {
             throw new Error("You do not have permission to save settings.");
         }
 
-        const shouldRefreshMail = payloadTouchesMailService(data);
+        const shouldRefreshMail = savePayloadTouchesMailService(data);
 
         for (const setting of data) {
             let value = setting.value;
@@ -79,35 +97,35 @@ class SettingSocket extends Socket {
 
         options.transaction.afterCommit(async () => {
             if (shouldRefreshMail) {
-                await this.server.refreshMailServer();
+                await this.server.initMailServer();
             }
             await this.getSocket("AppSocket").sendSettings(true); // Notify all clients of new settings
-            this.emit("settingData", await this.models["setting"].getAll(true)); // Refresh settings on this socket
+            this.emit("settingData", await this.getDashboardSettingsPayload()); // Refresh settings on this socket
         });
 
         return "Settings saved successfully.";
     }
 
     /**
-     * Sends a fixed test email using current DB mail settings.
+     * Sends a fixed test email using current mail settings from the database.
      *
      * @socketEvent mailSendTest
-     * @param {{ to: string }} data Recipient address.
-     * @returns {Promise<string>} Success message.
+     * @param {object} data       The input data from the frontend
+     * @param {string} data.to    Recipient email address
+     * @param {object} options
+     * @returns {Promise<string>} A promise that resolves with a success message once the test email is sent.
+     * @throws {Error}            If the user is not an admin or mail fails
      */
-    async mailSendTest(data) {
+    async mailSendTest(data, options) {
         if (!(await this.isAdmin())) {
             throw new Error("You do not have permission to send test mail.");
         }
-        const to = data && data.to != null ? String(data.to).trim() : "";
-        if (!to || !/^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(to)) {
-            throw new Error("A valid recipient email address is required.");
-        }
 
-        const rows = await this.models["setting"].getAll(false);
-        const map = mailTest.buildMailMapFromSettingsRows(rows);
-        const transport = mailTest.buildTransportFromMailSettings(map);
-        const from = map["system.mailService.senderAddress"] || "";
+        const rows = await this.models["setting"].getMailServiceSettings();
+        const mailSettings = mailTest.buildMailMapFromSettingsRows(rows);
+        const transport = mailTest.buildTransportFromMailSettings(mailSettings);
+        const from = mailSettings["system.mailService.senderAddress"] || "";
+        const to = data && data.to != null ? String(data.to).trim() : "";
         await mailTest.sendFixedTestMail(transport, { from, to });
         return "Test email sent.";
     }
diff --git a/backend/webserver/utils/mailTest.js b/backend/webserver/utils/mailTest.js
index ea2bc1c87..131a1047d 100644
--- a/backend/webserver/utils/mailTest.js
+++ b/backend/webserver/utils/mailTest.js
@@ -6,20 +6,34 @@ const TEST_MAIL_SUBJECT = "CARE test email";
 const TEST_MAIL_TEXT =
     "This is a test message from CARE. If you received this, your outgoing mail configuration works.";
 
-function get(map, key) {
-    const v = map[key];
+/** Basic email shape check (same rule as setup/test-mail and dashboard test mail). */
+const RECIPIENT_EMAIL_RE = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;
+
+/**
+ * Read a string value from the mail settings object.
+ * @param {Object} mailSettings object with string keys and string values
+ * @param {string} key
+ * @returns {string|null}
+ */
+function get(mailSettings, key) {
+    const v = mailSettings[key];
     if (v === null || v === undefined) {
         return null;
     }
     return String(v);
 }
 
-function buildTransportFromMailSettings(map) {
-    if (get(map, "system.mailService.enabled") !== "true") {
+/**
+ * Build a nodemailer transport from DB mail settings (system.mailService.* map).
+ * @param {Object} mailSettings object with string keys and string values
+ * @returns {Object}
+ */
+function buildTransportFromMailSettings(mailSettings) {
+    if (get(mailSettings, "system.mailService.enabled") !== "true") {
         throw new Error("Email service is not enabled.");
     }
-    if (get(map, "system.mailService.sendMail.enabled") === "true") {
-        const sendmailPath = get(map, "system.mailService.sendMail.path");
+    if (get(mailSettings, "system.mailService.sendMail.enabled") === "true") {
+        const sendmailPath = get(mailSettings, "system.mailService.sendMail.path");
         if (!sendmailPath) {
             throw new Error("Sendmail path is not configured.");
         }
@@ -29,11 +43,11 @@ function buildTransportFromMailSettings(map) {
             path: sendmailPath,
         });
     }
-    if (get(map, "system.mailService.smtp.enabled") === "true") {
-        const host = get(map, "system.mailService.smtp.host");
-        const portStr = get(map, "system.mailService.smtp.port");
-        const secure = get(map, "system.mailService.smtp.secure") === "true";
-        const authEnabled = get(map, "system.mailService.smtp.auth.enabled") === "true";
+    if (get(mailSettings, "system.mailService.smtp.enabled") === "true") {
+        const host = get(mailSettings, "system.mailService.smtp.host");
+        const portStr = get(mailSettings, "system.mailService.smtp.port");
+        const secure = get(mailSettings, "system.mailService.smtp.secure") === "true";
+        const authEnabled = get(mailSettings, "system.mailService.smtp.auth.enabled") === "true";
         if (!host || !portStr) {
             throw new Error("SMTP host and port are required.");
         }
@@ -47,8 +61,8 @@ function buildTransportFromMailSettings(map) {
             secure,
         };
         if (authEnabled) {
-            const user = get(map, "system.mailService.smtp.auth.user");
-            const pass = get(map, "system.mailService.smtp.auth.pass");
+            const user = get(mailSettings, "system.mailService.smtp.auth.user");
+            const pass = get(mailSettings, "system.mailService.smtp.auth.pass");
             if (user && pass) {
                 transportConfig.auth = { user, pass };
             }
@@ -58,32 +72,52 @@ function buildTransportFromMailSettings(map) {
     throw new Error("Neither sendmail nor SMTP is enabled for mail delivery.");
 }
 
+/**
+ * Send a fixed plain-text test message. Validates recipient format; `from` must be non-empty.
+ * @param {Object} transport
+ * @param {Object} addresses
+ * @param {string} addresses.from
+ * @param {string} addresses.to
+ * @returns {Promise<void>}
+ */
 async function sendFixedTestMail(transport, { from, to }) {
-    if (!from || !to) {
-        throw new Error("From and to addresses are required.");
+    if (!from || !String(from).trim()) {
+        throw new Error("From address is required.");
+    }
+    const toTrim = to != null ? String(to).trim() : "";
+    if (!toTrim || !RECIPIENT_EMAIL_RE.test(toTrim)) {
+        throw new Error("A valid recipient email address is required.");
     }
     await transport.sendMail({
         from,
-        to,
+        to: toTrim,
         subject: TEST_MAIL_SUBJECT,
         text: TEST_MAIL_TEXT,
     });
 }
 
+/**
+ * Build a mail settings map from setting rows (key/value), only system.mailService.* keys.
+ * @param {Object[]} rows
+ * @param {string}   rows.key
+ * @param {string}   rows.value
+ * @returns {Object}
+ */
 function buildMailMapFromSettingsRows(rows) {
-    const map = {};
+    const mailSettings = {};
     for (const row of rows || []) {
         if (row.key && String(row.key).startsWith("system.mailService.")) {
-            map[row.key] =
+            mailSettings[row.key] =
                 row.value != null && row.value !== undefined ? String(row.value) : "";
         }
     }
-    return map;
+    return mailSettings;
 }
 
 module.exports = {
     TEST_MAIL_SUBJECT,
     TEST_MAIL_TEXT,
+    RECIPIENT_EMAIL_RE,
     buildTransportFromMailSettings,
     sendFixedTestMail,
     buildMailMapFromSettingsRows,

From ec769d67544feb8b5f8053a7a0f0e9c777caf59a Mon Sep 17 00:00:00 2001
From: Mohammad Elwan <mohammadsherifl11@gmail.com>
Date: Wed, 29 Apr 2026 17:03:37 +0300
Subject: [PATCH 57/73] refactor : simplify mail server init flow naming

---
 backend/webserver/Server.js | 21 +++++----------------
 1 file changed, 5 insertions(+), 16 deletions(-)

diff --git a/backend/webserver/Server.js b/backend/webserver/Server.js
index 36527c746..d7458a2e6 100644
--- a/backend/webserver/Server.js
+++ b/backend/webserver/Server.js
@@ -106,14 +106,16 @@ module.exports = class Server {
         });
 
         this.httpServer = http.createServer(this.app);
-        Promise.resolve(this.refreshMailServer()).then(() => {
+        Promise.resolve(this.initMailServer()).then(() => {
             if (this.mailer) {
                 this.logger.info("Mail server initialized");
             } else {
                 this.logger.warn("Mail server not available!");
             }
+        }).catch((err) => {
+            this.logger.error("initMailServer failed: " + err);
         });
-        Promise.resolve(setupDevAdmin(this));
+        Promise.resolve(setupDevAdmin(this)); // When DEV_SKIP_WIZARD=true only: creates first admin from env and marks wizard complete.
         this.#initWebsocketServer();
         this.#discoverComponents("./rpcs", RPC, this.addRPC.bind(this));
         this.#discoverComponents("./sockets", Socket, this.addSocket.bind(this));
@@ -139,25 +141,12 @@ module.exports = class Server {
         process.on('SIGTERM', handleShutdown);
     }
 
-    /**
-     * Re-read mail settings from the database and rebuild the nodemailer transport.
-     * Used at startup and after admin saves mail-related settings (see SettingSocket).
-     * @returns {Promise<void>}
-     */
-    async refreshMailServer() {
-        try {
-            await this.#initMailServer();
-        } catch (err) {
-            this.logger.error("refreshMailServer failed: " + err);
-        }
-    }
-
     /**
      * Initialize the mail server from current DB settings.
      * Clears any previous transport first so disabled mail or changed mode is reflected.
      * @returns {Promise<void>}
      */
-    async #initMailServer() {
+    async initMailServer() {
         this.mailer = null;
 
         if (await this.db.models['setting'].get("system.mailService.enabled") === "true") {

From 1c99b6f58ccef7cce4eab738acc0edb3dc5e0b41 Mon Sep 17 00:00:00 2001
From: Mohammad Elwan <mohammadsherifl11@gmail.com>
Date: Wed, 29 Apr 2026 17:04:04 +0300
Subject: [PATCH 58/73] chore : configure dev skip wizard behavior for demo
 environments

---
 .env.dev                            | 3 +++
 .env.main                           | 3 +++
 backend/webserver/utils/devAdmin.js | 8 ++------
 3 files changed, 8 insertions(+), 6 deletions(-)

diff --git a/.env.dev b/.env.dev
index 498921b58..79502d324 100644
--- a/.env.dev
+++ b/.env.dev
@@ -15,6 +15,9 @@ ADMIN_PWD=admincare
 GUEST_EMAIL=guest@guest.com
 GUEST_PWD=guestguest
 
+# Skip first-time setup wizard: create admin from ADMIN_EMAIL / ADMIN_PWD and mark wizard complete (demo / dev pipelines).
+DEV_SKIP_WIZARD=true
+
 # nlp server
 SERVICE_NLP_ENABLED=true
 SERVICE_NLP_URL=http://care.ukp.informatik.tu-darmstadt.de:4853
diff --git a/.env.main b/.env.main
index e4396f067..34c0cca74 100644
--- a/.env.main
+++ b/.env.main
@@ -15,6 +15,9 @@ ADMIN_PWD=admincare
 GUEST_EMAIL=guest@guest.com
 GUEST_PWD=guestguest
 
+# Skip first-time setup wizard: create admin from ADMIN_EMAIL / ADMIN_PWD and mark wizard complete (demo / dev pipelines).
+DEV_SKIP_WIZARD=true
+
 # nlp server
 SERVICE_NLP_ENABLED=true
 SERVICE_NLP_URL=http://care.ukp.informatik.tu-darmstadt.de:4852
diff --git a/backend/webserver/utils/devAdmin.js b/backend/webserver/utils/devAdmin.js
index 64e7fce5c..7a5413e69 100644
--- a/backend/webserver/utils/devAdmin.js
+++ b/backend/webserver/utils/devAdmin.js
@@ -4,8 +4,8 @@ const { createInitialAdmin } = require("./setupAdmin");
 
 /**
  * Set up a dev admin from ADMIN_EMAIL/ADMIN_PWD and mark the setup wizard
- * complete, skipping the first-time wizard. Active only when DEV_SKIP_WIZARD=true
- * and NODE_ENV !== "production". No-op if an admin already exists.
+ * complete, skipping the first-time wizard. Active only when DEV_SKIP_WIZARD=true.
+ * No-op if an admin already exists.
  *
  * @param {Server} server 
  * @returns {Promise<void>}
@@ -14,10 +14,6 @@ async function setupDevAdmin(server) {
     if (process.env.DEV_SKIP_WIZARD !== "true") {
         return;
     }
-    if (process.env.NODE_ENV === "production") {
-        server.logger.warn("DEV_SKIP_WIZARD ignored: NODE_ENV=production");
-        return;
-    }
 
     try {
         const admins = await server.db.models["user"].getUsersByRole("admin");

From 6a45dfcf9a5ccae651c8885bd4aa8d8e9a910a1e Mon Sep 17 00:00:00 2001
From: Mohammad Elwan <mohammadsherifl11@gmail.com>
Date: Wed, 29 Apr 2026 17:05:27 +0300
Subject: [PATCH 59/73] fix : handle setup wizard description warning

---
 frontend/src/auth/SetupWizard.vue | 22 +++++++++++++---------
 1 file changed, 13 insertions(+), 9 deletions(-)

diff --git a/frontend/src/auth/SetupWizard.vue b/frontend/src/auth/SetupWizard.vue
index 64d99df82..366d9d4b1 100644
--- a/frontend/src/auth/SetupWizard.vue
+++ b/frontend/src/auth/SetupWizard.vue
@@ -191,8 +191,9 @@
                   <div
                     v-if="settingDescription(s.key) || s.description"
                     class="small text-muted mt-1"
-                    v-html="settingDescription(s.key) || s.description"
-                  />
+                  >
+                    {{ settingDescription(s.key) || s.description }}
+                  </div>
                 </div>
                 <div v-if="s.requiredInWizard" class="col-md-6 offset-md-4">
                   <div class="feedback-invalid" :class="{invalid: settingsTouched && !(formSettings[s.key] != null && String(formSettings[s.key]).trim() !== '')}">
@@ -250,8 +251,9 @@
                   <div
                     v-if="settingDescription(s.key) || s.description"
                     class="small text-muted mt-1"
-                    v-html="settingDescription(s.key) || s.description"
-                  />
+                  >
+                    {{ settingDescription(s.key) || s.description }}
+                  </div>
                 </div>
               </div>
             </div>
@@ -358,8 +360,9 @@
                   <div
                     v-if="settingDescription(s.key) || s.description"
                     class="small text-muted mt-1"
-                    v-html="settingDescription(s.key) || s.description"
-                  />
+                  >
+                    {{ settingDescription(s.key) || s.description }}
+                  </div>
                 </div>
               </div>
             </div>
@@ -487,8 +490,9 @@
                 <div
                   v-if="settingDescription(s.key) || s.description"
                   class="small text-muted mt-1"
-                  v-html="settingDescription(s.key) || s.description"
-                />
+                >
+                  {{ settingDescription(s.key) || s.description }}
+                </div>
               </div>
             </div>
           </div>
@@ -649,7 +653,7 @@
  * First-time setup wizard: Admin, General (optional Moodle + JSON import), Mail, Registration, Summary.
  * Fetches /setup/config for steps and wizardSettings. On Finish, calls settingSave and redirects.
  *
- * @author CARE
+ * @author Mohammad Elwan
  */
 import IconAsset from "@/basic/icon/IconAsset.vue";
 import BasicButton from "@/basic/Button.vue";

From af2fc15f89fd1c894ba634ce76ea9062cbebe7f6 Mon Sep 17 00:00:00 2001
From: Mohammad Elwan <mohammadsherifl11@gmail.com>
Date: Thu, 30 Apr 2026 16:12:57 +0300
Subject: [PATCH 60/73] refactor : reassign setup configurations by owner
 instead of hardcoded names

---
 .../20260119192356-transform-user-admin.js    | 36 ++++++-------------
 backend/webserver/routes/auth/setup.js        |  2 +-
 backend/webserver/utils/setupAdmin.js         | 23 +++++-------
 3 files changed, 20 insertions(+), 41 deletions(-)

diff --git a/backend/db/migrations/20260119192356-transform-user-admin.js b/backend/db/migrations/20260119192356-transform-user-admin.js
index a13b87a14..dc0c1e8b8 100644
--- a/backend/db/migrations/20260119192356-transform-user-admin.js
+++ b/backend/db/migrations/20260119192356-transform-user-admin.js
@@ -2,24 +2,12 @@
 
 const { genSalt, genPwdHash } = require('../../utils/auth');
 
-/**
- * Names of the 5 Exposé configurations created by basic-configuration (20250919125851).
- * They are reassigned to Bot (userId 2) before deleting the admin to satisfy the
- * configuration.userId FK to user. POST /auth/setup-admin then reassigns them to the new admin.
- */
-const EXPOSE_CONFIG_NAMES = [
-    'Exposé assessment configuration',
-    'Exposé feedback configuration',
-    'UKP Exposé Submission Validator',
-    'Exposé assessment configuration (German)',
-    'Exposé feedback configuration (German)',
-];
-
 /**
  * Removes the default admin user created by basic-users so the first admin
- * must be created via the setup wizard. Runs after basic-configuration; the 5
- * Exposé configs are first reassigned to Bot (userId 2) to satisfy the FK, then
- * the admin is deleted. POST /auth/setup-admin reassigns them from Bot to the new admin.
+ * must be created via the setup wizard. Runs after basic-configuration; all
+ * configurations owned by the default admin are first reassigned to Bot (userId 2)
+ * to satisfy the configuration.userId FK, then the admin is deleted.
+ * POST /auth/setup-admin reassigns those configurations from Bot to the new admin.
  *
  * @type {import('sequelize-cli').Migration}
  */
@@ -36,15 +24,13 @@ module.exports = {
         const adminId = admin.id;
         const BOT_USER_ID = 2;
 
-        for (const name of EXPOSE_CONFIG_NAMES) {
-            await queryInterface.sequelize.query(
-                `UPDATE configuration SET "userId" = :botId, "updatedAt" = :now WHERE name = :name AND "userId" = :adminId`,
-                {
-                    replacements: { botId: BOT_USER_ID, adminId, name, now: new Date() },
-                    type: Sequelize.QueryTypes.UPDATE,
-                }
-            );
-        }
+        await queryInterface.sequelize.query(
+            `UPDATE configuration SET "userId" = :botId, "updatedAt" = :now WHERE "userId" = :adminId`,
+            {
+                replacements: { botId: BOT_USER_ID, adminId, now: new Date() },
+                type: Sequelize.QueryTypes.UPDATE,
+            }
+        );
 
         await queryInterface.bulkDelete('user_role_matching', { userId: adminId }, {});
         await queryInterface.bulkDelete('user', { userName: 'admin' }, {});
diff --git a/backend/webserver/routes/auth/setup.js b/backend/webserver/routes/auth/setup.js
index 56bd5db15..15df5cc1f 100644
--- a/backend/webserver/routes/auth/setup.js
+++ b/backend/webserver/routes/auth/setup.js
@@ -11,7 +11,7 @@ const { createInitialAdmin } = require('../../utils/setupAdmin');
 function registerSetupRoutes(server) {
     /**
      * Create the first admin account (setup wizard step 1). Allowed only when no admin exists.
-     * Reassigns the Exposé configurations from Bot to the new admin.
+     * Reassigns setup-time Bot-owned configurations to the new admin.
      */
     server.app.post('/auth/setup-admin', async function (req, res) {
         const { userName, email, password } = req.body || {};
diff --git a/backend/webserver/utils/setupAdmin.js b/backend/webserver/utils/setupAdmin.js
index 67cf00bac..db61b8776 100644
--- a/backend/webserver/utils/setupAdmin.js
+++ b/backend/webserver/utils/setupAdmin.js
@@ -18,12 +18,15 @@ function validationError(message) {
 }
 
 /**
- * Create the first admin account and reassign the 5 Exposé configurations from
- * Bot (userId=2) to the new admin in a single transaction.
+ * Create the first admin account and reassign configurations from Bot (userId=2)
+ * to the new admin in a single transaction.
  *
- * @param {Server} server main server instance
- * @param {{userName: string, email: string, password: string}} input
- * @returns {Promise<object>} created user
+ * @param {Server} server         main server instance
+ * @param {Object} input          setup-admin input
+ * @param {string} input.userName admin user name
+ * @param {string} input.email    admin email address
+ * @param {string} input.password admin password
+ * @returns {Promise<object>}     
  */
 async function createInitialAdmin(server, { userName, email, password }) {
     if (!userName || (typeof userName === 'string' && !userName.trim())) {
@@ -52,15 +55,6 @@ async function createInitialAdmin(server, { userName, email, password }) {
 
     const User = server.db.models['user'];
     const Configuration = server.db.models['configuration'];
-    const { Op } = server.db.Sequelize;
-
-    const EXPOSE_CONFIG_NAMES = [
-        'Exposé assessment configuration',
-        'Exposé feedback configuration',
-        'UKP Exposé Submission Validator',
-        'Exposé assessment configuration (German)',
-        'Exposé feedback configuration (German)',
-    ];
     const BOT_USER_ID = 2;
 
     const transaction = await User.sequelize.transaction();
@@ -83,7 +77,6 @@ async function createInitialAdmin(server, { userName, email, password }) {
             { userId: user.id },
             {
                 where: {
-                    name: { [Op.in]: EXPOSE_CONFIG_NAMES },
                     userId: BOT_USER_ID,
                 },
                 transaction,

From d3f1343af1635f2f4e043621f85146237a152f0f Mon Sep 17 00:00:00 2001
From: Mohammad Elwan <mohammadsherifl11@gmail.com>
Date: Thu, 30 Apr 2026 16:14:17 +0300
Subject: [PATCH 61/73] refactor : share setting save logic for setup and
 socket flows

---
 backend/db/models/setting.js           | 15 +++---
 backend/webserver/sockets/setting.js   | 43 ++-------------
 backend/webserver/utils/settingSave.js | 73 ++++++++++++++++++++++++++
 3 files changed, 87 insertions(+), 44 deletions(-)
 create mode 100644 backend/webserver/utils/settingSave.js

diff --git a/backend/db/models/setting.js b/backend/db/models/setting.js
index 81c347b51..d4e6861c6 100644
--- a/backend/db/models/setting.js
+++ b/backend/db/models/setting.js
@@ -129,18 +129,21 @@ module.exports = (sequelize, DataTypes) => {
 
         /**
          * Set setting value by key
-         * @param {string} key setting key
-         * @param {string} value setting value
-         * @returns {Promise<object|null>} setting object
+         * @param {string} key                   setting key
+         * @param {string} value                 setting value
+         * @param {Object} [options]             additional sequelize options
+         * @param {Object} [options.transaction] sequelize transaction
+         * @returns {Promise<object>}            
          */
-        static async set(key, value) {
+        static async set(key, value, options = {}) {
             try {
-                const [instance, created] =
+                const [instance] =
                     await Setting.upsert({
                         key: key,
                         value: value,
                     }, {
-                        conflictFields: ['key']
+                        conflictFields: ['key'],
+                        transaction: options.transaction,
                     });
                 return instance['dataValues'];
             } catch (e) {
diff --git a/backend/webserver/sockets/setting.js b/backend/webserver/sockets/setting.js
index 203ebdbdb..3c1c3e7b8 100644
--- a/backend/webserver/sockets/setting.js
+++ b/backend/webserver/sockets/setting.js
@@ -1,30 +1,6 @@
 const Socket = require("../Socket.js");
 const mailTest = require("../utils/mailTest.js");
-
-const MAIL_SERVICE_KEY_PREFIX = "system.mailService.";
-
-/**
- * Returns whether a settingSave payload includes any key under system.mailService.*.
- * Used to decide if the nodemailer transport should be rebuilt after commit.
- *
- * @param {object} data     Settings array from settingSave
- * @param {string} data.key Setting key
- * @returns {boolean}
- */
-function savePayloadTouchesMailService(data) {
-    if (!Array.isArray(data)) {
-        return false;
-    }
-    for (const setting of data) {
-        if (!setting || typeof setting.key !== "string") {
-            continue;
-        }
-        if (setting.key.startsWith(MAIL_SERVICE_KEY_PREFIX)) {
-            return true;
-        }
-    }
-    return false;
-}
+const { saveSettings } = require("../utils/settingSave.js");
 
 /**
  * Handle settings through websocket
@@ -82,21 +58,12 @@ class SettingSocket extends Socket {
             throw new Error("You do not have permission to save settings.");
         }
 
-        const shouldRefreshMail = savePayloadTouchesMailService(data);
-
-        for (const setting of data) {
-            let value = setting.value;
-            if (typeof value === "object") {
-                value = JSON.stringify(value);
-            }
-
-            await this.models["setting"].set(setting.key, value, {
-                transaction: options.transaction,
-            });
-        }
+        const { touchesMailService } = await saveSettings(this.models["setting"], data, {
+            transaction: options.transaction,
+        });
 
         options.transaction.afterCommit(async () => {
-            if (shouldRefreshMail) {
+            if (touchesMailService) {
                 await this.server.initMailServer();
             }
             await this.getSocket("AppSocket").sendSettings(true); // Notify all clients of new settings
diff --git a/backend/webserver/utils/settingSave.js b/backend/webserver/utils/settingSave.js
new file mode 100644
index 000000000..0b7857b18
--- /dev/null
+++ b/backend/webserver/utils/settingSave.js
@@ -0,0 +1,73 @@
+"use strict";
+
+const MAIL_SERVICE_KEY_PREFIX = "system.mailService.";
+
+/**
+ * Returns whether a settings payload includes any key under system.mailService.*.
+ *
+ * @param {Object[]} settings setting entries
+ * @param {string} settings.key setting key
+ * @param {*} settings.value setting value
+ * @returns {boolean}
+ */
+function payloadTouchesMailService(settings) {
+    if (!Array.isArray(settings)) {
+        return false;
+    }
+    for (const setting of settings) {
+        if (!setting || typeof setting.key !== "string") {
+            continue;
+        }
+        if (setting.key.startsWith(MAIL_SERVICE_KEY_PREFIX)) {
+            return true;
+        }
+    }
+    return false;
+}
+
+/**
+ * Normalize setting values to string payload format expected by the settings model.
+ *
+ * @param {*} value setting value
+ * @returns {string}
+ */
+function normalizeSettingValue(value) {
+    if (value === null || value === undefined) {
+        return "";
+    }
+    if (typeof value === "object") {
+        return JSON.stringify(value);
+    }
+    return String(value);
+}
+
+/**
+ * Persist settings through the setting model and report if mail transport must refresh.
+ *
+ * @param {Object} Setting setting model
+ * @param {Object[]} settings setting entries
+ * @param {string} settings.key setting key
+ * @param {*} settings.value setting value
+ * @param {Object} [options] additional options
+ * @param {Object} [options.transaction] sequelize transaction
+ * @returns {Promise<object>} result with touchesMailService flag
+ */
+async function saveSettings(Setting, settings, options = {}) {
+    const list = Array.isArray(settings) ? settings : [];
+    const touchesMailService = payloadTouchesMailService(list);
+    for (const setting of list) {
+        if (!setting || typeof setting.key !== "string" || setting.key.trim() === "") {
+            continue;
+        }
+        await Setting.set(setting.key, normalizeSettingValue(setting.value), {
+            transaction: options.transaction,
+        });
+    }
+    return { touchesMailService };
+}
+
+module.exports = {
+    payloadTouchesMailService,
+    normalizeSettingValue,
+    saveSettings,
+};

From 3708f8e8b09675a77bd2d6bcf8012a3ea0e86477 Mon Sep 17 00:00:00 2001
From: Mohammad Elwan <mohammadsherifl11@gmail.com>
Date: Thu, 30 Apr 2026 16:18:57 +0300
Subject: [PATCH 62/73] feat : complete setup wizard through backend route and
 standardize wizard buttons

---
 backend/webserver/routes/setup.js |  42 +++++
 frontend/src/auth/SetupWizard.vue | 263 ++++++++++--------------------
 2 files changed, 131 insertions(+), 174 deletions(-)

diff --git a/backend/webserver/routes/setup.js b/backend/webserver/routes/setup.js
index 5c579179d..95e1040c6 100644
--- a/backend/webserver/routes/setup.js
+++ b/backend/webserver/routes/setup.js
@@ -12,6 +12,7 @@
  */
 module.exports = function (server) {
     const mailTest = require("../utils/mailTest.js");
+    const { saveSettings } = require("../utils/settingSave.js");
     /**
      * GET /setup/config
      * Returns wizard config while initial setup is in progress: needsSetup is true when no
@@ -116,4 +117,45 @@ module.exports = function (server) {
             return res.status(500).json({ message: "Internal server error." });
         }
     });
+
+    /**
+     * POST /setup/complete
+     * Saves wizard settings and marks setup complete in one flow.
+     */
+    server.app.post("/setup/complete", async function (req, res) {
+        if (!req.user) {
+            return res.status(401).json({ message: "Authentication required." });
+        }
+        const settings = req.body && Array.isArray(req.body.settings) ? req.body.settings : null;
+        if (!settings) {
+            return res.status(400).json({ message: "A settings array is required." });
+        }
+        try {
+            const admins = await server.db.models["user"].getUsersByRole("admin");
+            const isAdmin = admins.some((a) => a.id === req.user.id);
+            if (!isAdmin) {
+                return res.status(403).json({ message: "Admin access required." });
+            }
+
+            const transaction = await server.db.sequelize.transaction();
+            try {
+                const { touchesMailService } = await saveSettings(server.db.models["setting"], settings, {
+                    transaction,
+                });
+                await server.db.models["setting"].set("app.setup.wizardCompleted", "true", { transaction });
+                await transaction.commit();
+                if (touchesMailService) {
+                    await server.initMailServer();
+                }
+            } catch (err) {
+                await transaction.rollback();
+                throw err;
+            }
+
+            return res.status(200).json({ success: true });
+        } catch (err) {
+            server.logger.error("POST /setup/complete error: " + err);
+            return res.status(500).json({ message: "Internal server error." });
+        }
+    });
 };
diff --git a/frontend/src/auth/SetupWizard.vue b/frontend/src/auth/SetupWizard.vue
index 366d9d4b1..fd3be3774 100644
--- a/frontend/src/auth/SetupWizard.vue
+++ b/frontend/src/auth/SetupWizard.vue
@@ -78,7 +78,7 @@
               </div>
             </div>
             <div class="col-md-6 offset-md-4 my-4">
-              <button class="btn btn-primary" type="submit">Continue</button>
+              <BasicButton class="btn btn-primary" title="Continue" @click="submitAdmin" />
             </div>
           </form>
         </div>
@@ -89,23 +89,19 @@
         <div class="card-header step-card-header d-flex flex-wrap justify-content-between align-items-center gap-2">
           <span>General Settings</span>
           <div class="d-flex flex-wrap gap-2">
-            <button
+            <BasicButton
               class="btn btn-outline-secondary btn-sm"
-              type="button"
+              text="Download template"
               :disabled="!allSettingsLoaded"
-              :title="allSettingsLoaded ? 'Download JSON: full settings snapshot with current wizard values applied' : 'Available after settings load'"
+              :tooltip="allSettingsLoaded ? 'Download JSON: full settings snapshot with current wizard values applied' : 'Available after settings load'"
               @click="downloadImportTemplate"
-            >
-              Download template
-            </button>
-            <button
+            />
+            <BasicButton
               class="btn btn-outline-secondary btn-sm"
-              type="button"
-              title="Load settings from a JSON file exported from another CARE instance"
+              text="Import from previous instance"
+              tooltip="Load settings from a JSON file exported from another CARE instance"
               @click="openImportModal"
-            >
-              Import from previous instance
-            </button>
+            />
           </div>
         </div>
         <div class="card-body mx-4 my-4">
@@ -260,15 +256,13 @@
           </template>
 
           <div class="d-flex justify-content-between mt-4">
-            <button v-if="currentStep > 0" class="btn btn-secondary" type="button" @click="onPrevious">Previous</button>
-            <button
+            <BasicButton v-if="currentStep > 0" class="btn btn-secondary" title="Previous" @click="onPrevious" />
+            <BasicButton
               class="btn btn-primary"
               :class="{ 'ms-auto': currentStep === 0 }"
-              type="button"
+              title="Next"
               @click="onStepNext"
-            >
-              Next
-            </button>
+            />
           </div>
         </div>
       </div>
@@ -278,23 +272,19 @@
         <div class="card-header step-card-header d-flex flex-wrap justify-content-between align-items-center gap-2">
           <span>Mail Configuration</span>
           <div class="d-flex flex-wrap gap-2">
-            <button
+            <BasicButton
               class="btn btn-outline-secondary btn-sm"
-              type="button"
+              text="Download template"
               :disabled="!allSettingsLoaded"
-              :title="allSettingsLoaded ? 'Download JSON: full settings snapshot with current wizard values applied' : 'Available after settings load'"
+              :tooltip="allSettingsLoaded ? 'Download JSON: full settings snapshot with current wizard values applied' : 'Available after settings load'"
               @click="downloadImportTemplate"
-            >
-              Download template
-            </button>
-            <button
+            />
+            <BasicButton
               class="btn btn-outline-secondary btn-sm"
-              type="button"
-              title="Load settings from a JSON file exported from another CARE instance"
+              text="Import from previous instance"
+              tooltip="Load settings from a JSON file exported from another CARE instance"
               @click="openImportModal"
-            >
-              Import from previous instance
-            </button>
+            />
           </div>
         </div>
         <div class="card-body mx-4 my-4">
@@ -383,20 +373,12 @@
                     placeholder="you@example.com"
                     autocomplete="email"
                   />
-                  <button
+                  <BasicButton
                     class="btn btn-outline-primary flex-shrink-0"
-                    type="button"
+                    :title="testMailSending ? 'Sending...' : 'Send test email'"
                     :disabled="testMailSending || !testMailTo.trim()"
                     @click="sendSetupTestMail"
-                  >
-                    <span
-                      v-if="testMailSending"
-                      class="spinner-border spinner-border-sm me-1"
-                      role="status"
-                      aria-hidden="true"
-                    />
-                    Send test email
-                  </button>
+                  />
                 </div>
               </div>
               <p v-if="testMailMessage" class="small mb-0" :class="testMailError ? 'text-danger' : 'text-success'">
@@ -406,10 +388,8 @@
           </template>
 
           <div class="d-flex justify-content-between mt-4">
-            <button class="btn btn-secondary" type="button" @click="onPrevious">Previous</button>
-            <button class="btn btn-primary ms-auto" type="button" @click="onStepNext">
-              Next
-            </button>
+            <BasicButton class="btn btn-secondary" title="Previous" @click="onPrevious" />
+            <BasicButton class="btn btn-primary ms-auto" title="Next" @click="onStepNext" />
           </div>
         </div>
       </div>
@@ -419,23 +399,19 @@
         <div class="card-header step-card-header d-flex flex-wrap justify-content-between align-items-center gap-2">
           <span>User Registration</span>
           <div class="d-flex flex-wrap gap-2">
-            <button
+            <BasicButton
               class="btn btn-outline-secondary btn-sm"
-              type="button"
+              text="Download template"
               :disabled="!allSettingsLoaded"
-              :title="allSettingsLoaded ? 'Download JSON: full settings snapshot with current wizard values applied' : 'Available after settings load'"
+              :tooltip="allSettingsLoaded ? 'Download JSON: full settings snapshot with current wizard values applied' : 'Available after settings load'"
               @click="downloadImportTemplate"
-            >
-              Download template
-            </button>
-            <button
+            />
+            <BasicButton
               class="btn btn-outline-secondary btn-sm"
-              type="button"
-              title="Load settings from a JSON file exported from another CARE instance"
+              text="Import from previous instance"
+              tooltip="Load settings from a JSON file exported from another CARE instance"
               @click="openImportModal"
-            >
-              Import from previous instance
-            </button>
+            />
           </div>
         </div>
         <div class="card-body mx-4 my-4">
@@ -521,10 +497,8 @@
           </div>
 
           <div class="d-flex justify-content-between mt-4">
-            <button class="btn btn-secondary" type="button" @click="onPrevious">Previous</button>
-            <button class="btn btn-primary ms-auto" type="button" @click="onStepNext">
-              Next
-            </button>
+            <BasicButton class="btn btn-secondary" title="Previous" @click="onPrevious" />
+            <BasicButton class="btn btn-primary ms-auto" title="Next" @click="onStepNext" />
           </div>
         </div>
       </div>
@@ -534,23 +508,19 @@
         <div class="card-header step-card-header d-flex flex-wrap justify-content-between align-items-center gap-2">
           <span>Summary</span>
           <div class="d-flex flex-wrap gap-2">
-            <button
+            <BasicButton
               class="btn btn-outline-secondary btn-sm"
-              type="button"
+              text="Download template"
               :disabled="!allSettingsLoaded"
-              :title="allSettingsLoaded ? 'Download JSON: full settings snapshot with current wizard values applied' : 'Available after settings load'"
+              :tooltip="allSettingsLoaded ? 'Download JSON: full settings snapshot with current wizard values applied' : 'Available after settings load'"
               @click="downloadImportTemplate"
-            >
-              Download template
-            </button>
-            <button
+            />
+            <BasicButton
               class="btn btn-outline-secondary btn-sm"
-              type="button"
-              title="Load settings from a JSON file exported from another CARE instance"
+              text="Import from previous instance"
+              tooltip="Load settings from a JSON file exported from another CARE instance"
               @click="openImportModal"
-            >
-              Import from previous instance
-            </button>
+            />
           </div>
         </div>
         <div class="card-body mx-4 my-4">
@@ -581,29 +551,25 @@
           </div>
 
           <div v-if="settingsFromFile && Object.keys(settingsFromFile).length" class="mt-4">
-            <button
+            <BasicButton
               class="btn btn-link p-0 text-secondary"
-              type="button"
+              :title="`${showFileSettings ? '▼' : '▶'} Additional settings from file (${Object.keys(settingsFromFile).length})`"
               @click="showFileSettings = !showFileSettings"
-            >
-              {{ showFileSettings ? "▼" : "▶" }} Additional settings from file ({{ Object.keys(settingsFromFile).length }})
-            </button>
+            />
             <ul v-show="showFileSettings" class="list-unstyled mt-2 ms-3 small">
               <li v-for="(v, k) in settingsFromFile" :key="k"><strong>{{ k }}:</strong> {{ v }}</li>
             </ul>
           </div>
 
           <div class="d-flex justify-content-between mt-4">
-            <button v-if="currentStep > 0" class="btn btn-secondary" type="button" @click="onPrevious">Previous</button>
-            <button
+            <BasicButton v-if="currentStep > 0" class="btn btn-secondary" title="Previous" @click="onPrevious" />
+            <BasicButton
               class="btn btn-primary"
               :class="{ 'ms-auto': currentStep === 0 }"
-              type="button"
+              :title="finishing ? 'Saving…' : 'Finish'"
               :disabled="finishing"
               @click="finish"
-            >
-              {{ finishing ? "Saving…" : "Finish" }}
-            </button>
+            />
           </div>
         </div>
       </div>
@@ -664,28 +630,6 @@ import axios from "axios";
 import getServerURL from "@/assets/serverUrl";
 import {downloadObjectsAs} from "@/assets/utils";
 
-/** Order of subsections within each wizard step (from displaySubsection in DB). */
-const SUBSECTION_ORDER = {
-  general: [
-    "Copyright and consent",
-    "Terms and conditions",
-    "Login options",
-    "Landing page links",
-    "Connection",
-    "Course",
-    "Show inputs",
-  ],
-  mail: ["Mail service", "Sendmail", "SMTP", "Base URL and verification"],
-  registration: ["Enable registration", "Information requested at registration", "Consent options", "Email verification rate limit"],
-};
-
-function wizardValueToFormString(v) {
-  if (v === null || v === undefined) return "";
-  if (typeof v === "boolean") return v ? "true" : "false";
-  if (typeof v === "object") return JSON.stringify(v);
-  return String(v);
-}
-
 export default {
   name: "SetupWizard",
   components: { IconAsset, BasicButton, BasicEditor, EditorModal, Modal },
@@ -712,6 +656,19 @@ export default {
       testMailSending: false,
       testMailMessage: "",
       testMailError: false,
+      subsectionOrder: {
+        general: [
+          "Copyright and consent",
+          "Terms and conditions",
+          "Login options",
+          "Landing page links",
+          "Connection",
+          "Course",
+          "Show inputs",
+        ],
+        mail: ["Mail service", "Sendmail", "SMTP", "Base URL and verification"],
+        registration: ["Enable registration", "Information requested at registration", "Consent options", "Email verification rate limit"],
+      },
     };
   },
   computed: {
@@ -866,7 +823,7 @@ export default {
     if (config.data && config.data.wizardSettings) {
       this.wizardSettings = config.data.wizardSettings;
       this.formSettings = config.data.wizardSettings.reduce((acc, s) => {
-        acc[s.key] = wizardValueToFormString(s.value);
+        acc[s.key] = this.wizardValueToFormString(s.value);
         return acc;
       }, {});
 
@@ -878,40 +835,13 @@ export default {
     if (config.data && Array.isArray(config.data.allSettings)) {
       this.allSettingsFromDb = config.data.allSettings;
     }
-    if (this.hasAdmin && this.$socket && !this.$socket.connected) {
-      this.$socket.connect();
-    }
   },
   methods: {
-    waitForSocketConnect() {
-      return new Promise((resolve, reject) => {
-        if (!this.$socket) {
-          reject(new Error("Socket not available"));
-          return;
-        }
-        if (this.$socket.connected) {
-          resolve(true);
-          return;
-        }
-
-        const onConnect = () => {
-          cleanup();
-          resolve(true);
-        };
-        const onError = (err) => {
-          cleanup();
-          reject(err || new Error("Socket connect error"));
-        };
-        const cleanup = () => {
-          try { this.$socket.off("connect", onConnect); } catch (e) {}
-          try { this.$socket.off("connect_error", onError); } catch (e) {}
-          try { this.$socket.off("error", onError); } catch (e) {}
-        };
-
-        try { this.$socket.on("connect", onConnect); } catch (e) {}
-        try { this.$socket.on("connect_error", onError); } catch (e) {}
-        try { this.$socket.on("error", onError); } catch (e) {}
-      });
+    wizardValueToFormString(v) {
+      if (v === null || v === undefined) return "";
+      if (typeof v === "boolean") return v ? "true" : "false";
+      if (typeof v === "object") return JSON.stringify(v);
+      return String(v);
     },
     /**
      * Handle mail step setting changes.
@@ -938,7 +868,7 @@ export default {
     fieldGroupsForStep(stepType) {
       const settings = (this.wizardSettings || []).filter((s) => s.wizardStep === stepType);
       if (!settings.length) return [];
-      const order = SUBSECTION_ORDER[stepType];
+      const order = this.subsectionOrder[stepType];
       const bySubsection = {};
       for (const s of settings) {
         const sub = s.displaySubsection || "";
@@ -1000,9 +930,6 @@ export default {
         );
         if (res.status === 200) {
           this.hasAdmin = true;
-          if (this.$socket && !this.$socket.connected) {
-            this.$socket.connect();
-          }
           return true;
         } else {
           this.showError = true;
@@ -1211,23 +1138,6 @@ export default {
         if (!created) return;
       }
 
-      if (!this.$socket) {
-        this.showError = true;
-        this.errorMessage = "Connection not available. Please reload and try again.";
-        return;
-      }
-
-      if (!this.$socket.connected) {
-        try {
-          this.$socket.connect();
-          await this.waitForSocketConnect();
-        } catch (err) {
-          this.showError = true;
-          this.errorMessage = "Connection not ready. Please try again.";
-          return;
-        }
-      }
-
       const merged = { ...this.formSettings, ...(this.settingsFromFile || {}) };
       if (merged["system.mailService.enabled"] !== "true") {
         merged["app.register.emailVerification"] = "false";
@@ -1238,23 +1148,28 @@ export default {
       }));
       this.finishing = true;
       this.showError = false;
-      this.$socket.emit("settingSave", payload, async (res) => {
-        if (!res.success) {
+      try {
+        const res = await axios.post(
+          getServerURL() + "/setup/complete",
+          { settings: payload },
+          {
+            withCredentials: true,
+            validateStatus: (status) => status === 200 || (status >= 400 && status < 500),
+          }
+        );
+        if (res.status !== 200 || !res.data?.success) {
           this.finishing = false;
           this.showError = true;
-          this.errorMessage = (res && res.message) || "Failed to save settings.";
+          this.errorMessage = res.data?.message || "Failed to save settings.";
           return;
         }
-        try {
-          await axios.patch(getServerURL() + "/setup/state", { wizardCompleted: "true" }, { withCredentials: true });
-          this.$router.push("/dashboard");
-          this.$router.go(0);
-        } catch (err) {
-          this.finishing = false;
-          this.showError = true;
-          this.errorMessage = err?.response?.data?.message || err?.message || "Failed to complete setup.";
-        }
-      });
+        this.$router.push("/dashboard");
+        this.$router.go(0);
+      } catch (err) {
+        this.finishing = false;
+        this.showError = true;
+        this.errorMessage = err?.response?.data?.message || err?.message || "Failed to complete setup.";
+      }
     },
   },
 };

From 4428f2ff9cc3aac2262beb9bda9fe635ca42911f Mon Sep 17 00:00:00 2001
From: Mohammad Elwan <mohammadsherifl11@gmail.com>
Date: Thu, 30 Apr 2026 16:19:25 +0300
Subject: [PATCH 63/73] refactor : reduce route auth checks

---
 frontend/src/router.js | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/frontend/src/router.js b/frontend/src/router.js
index d544784bb..e817c8a63 100644
--- a/frontend/src/router.js
+++ b/frontend/src/router.js
@@ -125,8 +125,7 @@ const router = VueRouter.createRouter({
 
 /**
  * Single navigation guard: registration toggle, /wizard access rules, and forcing
- * incomplete setup to /wizard only for requireAuth routes (checkLogin flows use
- * App.vue runCheckLoginFlow to avoid duplicate /auth/check).
+ * incomplete setup to /wizard only for requireAuth routes.
  */
 router.beforeEach(async (to, from, next) => {
     if (to.name === "register") {
@@ -155,7 +154,7 @@ router.beforeEach(async (to, from, next) => {
         }
     }
 
-    if (!to.meta.requireAuth && !to.meta.checkLogin) return next();
+    if (!to.meta.requireAuth) return next();
 
     if (to.meta.requireAuth) {
         try {

From 6abf3680270486c9d4b0b698cc880183ff8d8dde Mon Sep 17 00:00:00 2001
From: Mohammad Elwan <mohammadsherifl11@gmail.com>
Date: Thu, 30 Apr 2026 17:18:42 +0300
Subject: [PATCH 64/73] refactor : split setup wizard into focused components
 and simplify step prop wiring

---
 frontend/src/auth/SetupWizard.vue             | 684 ++++--------------
 .../wizard/SetupWizardAdminStep.vue           | 125 ++++
 .../wizard/SetupWizardSettingsStep.vue        | 478 ++++++++++++
 .../wizard/SetupWizardSummaryStep.vue         | 137 ++++
 4 files changed, 865 insertions(+), 559 deletions(-)
 create mode 100644 frontend/src/components/wizard/SetupWizardAdminStep.vue
 create mode 100644 frontend/src/components/wizard/SetupWizardSettingsStep.vue
 create mode 100644 frontend/src/components/wizard/SetupWizardSummaryStep.vue

diff --git a/frontend/src/auth/SetupWizard.vue b/frontend/src/auth/SetupWizard.vue
index fd3be3774..b39ab5533 100644
--- a/frontend/src/auth/SetupWizard.vue
+++ b/frontend/src/auth/SetupWizard.vue
@@ -17,562 +17,68 @@
         </div>
       </div>
 
-      <!-- Step: Admin -->
-      <div v-show="displaySteps[currentStep]?.type === 'admin'" class="card">
-        <div class="card-header step-card-header">Setup – Admin account</div>
-        <div class="card-body mx-4 my-4">
-          <p class="text-muted mb-3">
-            No administrator account exists. Enter credentials now; the account is created on Finish.
-          </p>
-          <p v-if="showError" class="text-danger text-center">{{ errorMessage }}</p>
-          <form @submit.prevent="submitAdmin">
-            <div class="form-group row my-2">
-              <label class="col-md-4 col-form-label text-md-right" for="setup-username">Username</label>
-              <div class="col-md-6">
-                <input
-                  id="setup-username"
-                  v-model="formData.userName"
-                  autocomplete="username"
-                  class="form-control"
-                  placeholder="admin"
-                  type="text"
-                  @blur="checkVal('userName')"
-                />
-                <div class="feedback-invalid" :class="{invalid: validity['userName'] && !validUserName}">
-                  Please provide a user name.
-                </div>
-              </div>
-            </div>
-            <div class="form-group row my-2">
-              <label class="col-md-4 col-form-label text-md-right" for="setup-email">Email</label>
-              <div class="col-md-6">
-                <input
-                  id="setup-email"
-                  v-model="formData.email"
-                  autocomplete="email"
-                  class="form-control"
-                  placeholder="admin@example.com"
-                  type="email"
-                  @blur="checkVal('email')"
-                />
-                <div class="feedback-invalid" :class="{invalid: validity['email'] && !validEmail}">
-                  Please provide a valid email.
-                </div>
-              </div>
-            </div>
-            <div class="form-group row my-2">
-              <label class="col-md-4 col-form-label text-md-right" for="setup-password">Password</label>
-              <div class="col-md-6">
-                <input
-                  id="setup-password"
-                  v-model="formData.password"
-                  autocomplete="new-password"
-                  class="form-control"
-                  placeholder="Min. 8 characters"
-                  type="password"
-                  @blur="checkVal('password')"
-                />
-                <div class="feedback-invalid" :class="{invalid: validity['password'] && !validPassword}">
-                  Please provide a password of at least 8 characters.
-                </div>
-              </div>
-            </div>
-            <div class="col-md-6 offset-md-4 my-4">
-              <BasicButton class="btn btn-primary" title="Continue" @click="submitAdmin" />
-            </div>
-          </form>
-        </div>
-      </div>
-
-      <!-- Step: General -->
-      <div v-show="displaySteps[currentStep]?.type === 'general'" class="card">
-        <div class="card-header step-card-header d-flex flex-wrap justify-content-between align-items-center gap-2">
-          <span>General Settings</span>
-          <div class="d-flex flex-wrap gap-2">
-            <BasicButton
-              class="btn btn-outline-secondary btn-sm"
-              text="Download template"
-              :disabled="!allSettingsLoaded"
-              :tooltip="allSettingsLoaded ? 'Download JSON: full settings snapshot with current wizard values applied' : 'Available after settings load'"
-              @click="downloadImportTemplate"
-            />
-            <BasicButton
-              class="btn btn-outline-secondary btn-sm"
-              text="Import from previous instance"
-              tooltip="Load settings from a JSON file exported from another CARE instance"
-              @click="openImportModal"
-            />
-          </div>
-        </div>
-        <div class="card-body mx-4 my-4">
-          <p v-if="showError" class="text-danger text-center">{{ errorMessage }}</p>
-
-          <template v-if="settingsFromFile && Object.keys(settingsFromFile).length > 0">
-            <p class="text-success mb-2">
-              Loaded {{ Object.keys(settingsFromFile).length }} setting(s) from file. Click Next to continue to the summary.
-            </p>
-            <button
-              class="btn btn-link btn-sm p-0 text-secondary"
-              type="button"
-              @click="clearImport"
-            >
-              Clear and configure manually instead
-            </button>
-          </template>
-          <template v-else>
-            <p class="text-muted mb-3">
-              Configure copyright notice, consent requirements, guest access, and links shown on the landing page.
-            </p>
-
-            <div v-for="group in generalFieldGroups" :key="group.title" class="mb-4">
-              <h6 v-if="group.title" class="step-group-heading text-muted border-bottom pb-1 mb-3">
-                {{ group.title }}
-              </h6>
-              <div
-                v-for="s in group.settings"
-                :key="s.key"
-                class="form-group row my-2"
-              >
-                <label
-                  class="col-md-4 col-form-label text-md-right"
-                  :for="'set-' + s.key"
-                  @click="(s.type === 'boolean' || s.type === 'bool') && $event.preventDefault()"
-                >
-                  {{ settingLabel(s.key) }}
-                </label>
-                <div class="col-md-6 d-flex flex-column">
-                  <template v-if="s.type === 'boolean' || s.type === 'bool'">
-                    <div class="form-check form-switch">
-                      <input
-                        :id="'set-' + s.key"
-                        :checked="formSettings[s.key] === 'true'"
-                        class="form-check-input"
-                        type="checkbox"
-                        @change="formSettings[s.key] = $event.target.checked ? 'true' : 'false'"
-                      />
-                    </div>
-                  </template>
-                  <template v-else-if="s.key === 'app.register.terms'">
-                    <div class="d-flex align-items-center flex-wrap gap-2">
-                      <EditorModal
-                        :model-value="formSettings[s.key]"
-                        :title="'Edit ' + settingLabel(s.key)"
-                        @update:model-value="formSettings[s.key] = $event"
-                      />
-                      <span class="small text-muted">Open the editor to change terms and conditions.</span>
-                    </div>
-                  </template>
-                  <template v-else-if="s.type === 'edits'">
-                    <textarea
-                      :id="'set-' + s.key"
-                      v-model="formSettings[s.key]"
-                      class="form-control w-100"
-                      rows="5"
-                    />
-                  </template>
-                  <input
-                    v-else-if="s.type === 'integer'"
-                    :id="'set-' + s.key"
-                    v-model.number="formSettings[s.key]"
-                    class="form-control"
-                    type="number"
-                  />
-                  <input
-                    v-else
-                    :id="'set-' + s.key"
-                    v-model="formSettings[s.key]"
-                    class="form-control"
-                    type="text"
-                  />
-                  <div
-                    v-if="settingDescription(s.key) || s.description"
-                    class="small text-muted mt-1"
-                  >
-                    {{ settingDescription(s.key) || s.description }}
-                  </div>
-                </div>
-                <div v-if="s.requiredInWizard" class="col-md-6 offset-md-4">
-                  <div class="feedback-invalid" :class="{invalid: settingsTouched && !(formSettings[s.key] != null && String(formSettings[s.key]).trim() !== '')}">
-                    This field is required.
-                  </div>
-                </div>
-              </div>
-            </div>
-
-            <div v-if="moodleSettingsFlat.length" class="mb-4 mt-4">
-              <h6 class="step-group-heading text-muted border-bottom pb-1 mb-2">
-                Moodle <span class="fw-normal small">(optional)</span>
-              </h6>
-              <p class="small text-muted mb-3">
-                Configure Moodle if you use it for enrollments or submissions. You can change these later under Settings → Moodle.
-              </p>
-              <div
-                v-for="s in moodleSettingsFlat"
-                :key="s.key"
-                class="form-group row my-2"
-              >
-                <label
-                  class="col-md-4 col-form-label text-md-right"
-                  :for="'set-' + s.key"
-                  @click="(s.type === 'boolean' || s.type === 'bool') && $event.preventDefault()"
-                >
-                  {{ settingLabel(s.key) }}
-                </label>
-                <div class="col-md-6 d-flex flex-column">
-                  <template v-if="s.type === 'boolean' || s.type === 'bool'">
-                    <div class="form-check form-switch">
-                      <input
-                        :id="'set-' + s.key"
-                        :checked="formSettings[s.key] === 'true'"
-                        class="form-check-input"
-                        type="checkbox"
-                        @change="formSettings[s.key] = $event.target.checked ? 'true' : 'false'"
-                      />
-                    </div>
-                  </template>
-                  <input
-                    v-else-if="s.type === 'integer'"
-                    :id="'set-' + s.key"
-                    v-model.number="formSettings[s.key]"
-                    class="form-control"
-                    type="number"
-                  />
-                  <input
-                    v-else
-                    :id="'set-' + s.key"
-                    v-model="formSettings[s.key]"
-                    class="form-control"
-                    type="text"
-                  />
-                  <div
-                    v-if="settingDescription(s.key) || s.description"
-                    class="small text-muted mt-1"
-                  >
-                    {{ settingDescription(s.key) || s.description }}
-                  </div>
-                </div>
-              </div>
-            </div>
-          </template>
-
-          <div class="d-flex justify-content-between mt-4">
-            <BasicButton v-if="currentStep > 0" class="btn btn-secondary" title="Previous" @click="onPrevious" />
-            <BasicButton
-              class="btn btn-primary"
-              :class="{ 'ms-auto': currentStep === 0 }"
-              title="Next"
-              @click="onStepNext"
-            />
-          </div>
-        </div>
-      </div>
-
-      <!-- Step: Mail -->
-      <div v-show="displaySteps[currentStep]?.type === 'mail'" class="card">
-        <div class="card-header step-card-header d-flex flex-wrap justify-content-between align-items-center gap-2">
-          <span>Mail Configuration</span>
-          <div class="d-flex flex-wrap gap-2">
-            <BasicButton
-              class="btn btn-outline-secondary btn-sm"
-              text="Download template"
-              :disabled="!allSettingsLoaded"
-              :tooltip="allSettingsLoaded ? 'Download JSON: full settings snapshot with current wizard values applied' : 'Available after settings load'"
-              @click="downloadImportTemplate"
-            />
-            <BasicButton
-              class="btn btn-outline-secondary btn-sm"
-              text="Import from previous instance"
-              tooltip="Load settings from a JSON file exported from another CARE instance"
-              @click="openImportModal"
-            />
-          </div>
-        </div>
-        <div class="card-body mx-4 my-4">
-          <p v-if="showError" class="text-danger text-center">{{ errorMessage }}</p>
-
-          <div class="form-check form-switch mb-3">
-            <input
-              id="mail-enabled"
-              :checked="formSettings['system.mailService.enabled'] === 'true'"
-              class="form-check-input"
-              type="checkbox"
-              @change="formSettings['system.mailService.enabled'] = $event.target.checked ? 'true' : 'false'"
-            />
-            <label class="form-check-label" for="mail-enabled" @click.prevent>
-              Enable email service (required for password reset and email verification)
-            </label>
-          </div>
-
-          <template v-if="mailEnabled">
-            <div v-for="group in mailFieldGroups" :key="group.title" class="mb-4">
-              <h6 v-if="group.title" class="step-group-heading text-muted border-bottom pb-1 mb-3">
-                {{ group.title }}
-              </h6>
-              <div
-                v-for="s in group.settings"
-                :key="s.key"
-                class="form-group row my-2"
-              >
-                <label
-                  class="col-md-4 col-form-label text-md-right"
-                  :for="'set-' + s.key"
-                  @click="(s.type === 'boolean' || s.type === 'bool') && $event.preventDefault()"
-                >
-                  {{ settingLabel(s.key) }}
-                </label>
-                <div class="col-md-6 d-flex flex-column">
-                  <template v-if="s.type === 'boolean' || s.type === 'bool'">
-                    <div class="form-check form-switch">
-                      <input
-                        :id="'set-' + s.key"
-                        :checked="formSettings[s.key] === 'true'"
-                        class="form-check-input"
-                        type="checkbox"
-                        @change="onMailSettingChange(s.key, $event.target.checked ? 'true' : 'false')"
-                      />
-                    </div>
-                  </template>
-                  <template v-else-if="s.type === 'edits'">
-                    <textarea
-                      :id="'set-' + s.key"
-                      v-model="formSettings[s.key]"
-                      class="form-control w-100"
-                      rows="4"
-                    />
-                  </template>
-                  <input
-                    v-else
-                    :id="'set-' + s.key"
-                    v-model="formSettings[s.key]"
-                    class="form-control"
-                    type="text"
-                  />
-                  <div
-                    v-if="settingDescription(s.key) || s.description"
-                    class="small text-muted mt-1"
-                  >
-                    {{ settingDescription(s.key) || s.description }}
-                  </div>
-                </div>
-              </div>
-            </div>
-
-            <div v-if="mailEnabled" class="border-top pt-3 mt-4">
-              <h6 class="step-group-heading text-muted border-bottom pb-1 mb-3">Send test email</h6>
-              <p class="small text-muted mb-2">
-                Sends a short fixed message so you can verify delivery before finishing setup.
-              </p>
-              <div class="form-group row my-2">
-                <label class="col-md-4 col-form-label text-md-right" for="setup-test-mail-to">Recipient</label>
-                <div class="col-md-6 d-flex flex-column flex-sm-row gap-2 align-items-sm-start">
-                  <input
-                    id="setup-test-mail-to"
-                    v-model="testMailTo"
-                    class="form-control"
-                    type="email"
-                    placeholder="you@example.com"
-                    autocomplete="email"
-                  />
-                  <BasicButton
-                    class="btn btn-outline-primary flex-shrink-0"
-                    :title="testMailSending ? 'Sending...' : 'Send test email'"
-                    :disabled="testMailSending || !testMailTo.trim()"
-                    @click="sendSetupTestMail"
-                  />
-                </div>
-              </div>
-              <p v-if="testMailMessage" class="small mb-0" :class="testMailError ? 'text-danger' : 'text-success'">
-                {{ testMailMessage }}
-              </p>
-            </div>
-          </template>
-
-          <div class="d-flex justify-content-between mt-4">
-            <BasicButton class="btn btn-secondary" title="Previous" @click="onPrevious" />
-            <BasicButton class="btn btn-primary ms-auto" title="Next" @click="onStepNext" />
-          </div>
-        </div>
-      </div>
-
-      <!-- Step: Registration -->
-      <div v-show="displaySteps[currentStep]?.type === 'registration'" class="card">
-        <div class="card-header step-card-header d-flex flex-wrap justify-content-between align-items-center gap-2">
-          <span>User Registration</span>
-          <div class="d-flex flex-wrap gap-2">
-            <BasicButton
-              class="btn btn-outline-secondary btn-sm"
-              text="Download template"
-              :disabled="!allSettingsLoaded"
-              :tooltip="allSettingsLoaded ? 'Download JSON: full settings snapshot with current wizard values applied' : 'Available after settings load'"
-              @click="downloadImportTemplate"
-            />
-            <BasicButton
-              class="btn btn-outline-secondary btn-sm"
-              text="Import from previous instance"
-              tooltip="Load settings from a JSON file exported from another CARE instance"
-              @click="openImportModal"
-            />
-          </div>
-        </div>
-        <div class="card-body mx-4 my-4">
-          <p v-if="showError" class="text-danger text-center">{{ errorMessage }}</p>
-          <p class="text-muted mb-3">
-            Configure which information and consents are requested from users during registration.
-          </p>
-
-          <div v-for="group in registrationFieldGroups" :key="group.title" class="mb-4">
-            <h6 v-if="group.title" class="step-group-heading text-muted border-bottom pb-1 mb-3">
-              {{ group.title }}
-            </h6>
-            <div
-              v-for="s in group.settings"
-              :key="s.key"
-              class="form-group row my-2"
-            >
-              <label
-                class="col-md-4 col-form-label text-md-right"
-                :for="'set-' + s.key"
-                @click="(s.type === 'boolean' || s.type === 'bool') && $event.preventDefault()"
-              >
-                {{ settingLabel(s.key) }}
-              </label>
-              <div class="col-md-6 d-flex flex-column">
-                <template v-if="s.type === 'boolean' || s.type === 'bool'">
-                  <div class="form-check form-switch">
-                    <input
-                      :id="'set-' + s.key"
-                      :checked="formSettings[s.key] === 'true'"
-                      class="form-check-input"
-                      type="checkbox"
-                      @change="formSettings[s.key] = $event.target.checked ? 'true' : 'false'"
-                    />
-                  </div>
-                </template>
-                <template v-else-if="s.type === 'edits'">
-                  <textarea
-                    :id="'set-' + s.key"
-                    v-model="formSettings[s.key]"
-                    class="form-control w-100"
-                    rows="4"
-                  />
-                </template>
-                <input
-                  v-else
-                  :id="'set-' + s.key"
-                  v-model="formSettings[s.key]"
-                  class="form-control"
-                  type="text"
-                />
-                <div
-                  v-if="settingDescription(s.key) || s.description"
-                  class="small text-muted mt-1"
-                >
-                  {{ settingDescription(s.key) || s.description }}
-                </div>
-              </div>
-            </div>
-          </div>
-
-          <div v-if="mailEnabled" class="mb-4">
-            <h6 class="step-group-heading text-muted border-bottom pb-1 mb-3">Email verification</h6>
-            <div class="form-group row my-2">
-              <label class="col-md-4 col-form-label text-md-right" for="email-verification-reg" @click.prevent>
-                {{ settingLabel("app.register.emailVerification") }}
-              </label>
-              <div class="col-md-6 d-flex flex-column">
-                <div class="form-check form-switch">
-                  <input
-                    id="email-verification-reg"
-                    :checked="formSettings['app.register.emailVerification'] === 'true'"
-                    class="form-check-input"
-                    type="checkbox"
-                    @change="formSettings['app.register.emailVerification'] = $event.target.checked ? 'true' : 'false'"
-                  />
-                </div>
-                <div class="small text-muted mt-1">
-                  Require new users to verify their email address before accessing the application.
-                </div>
-              </div>
-            </div>
-          </div>
-
-          <div class="d-flex justify-content-between mt-4">
-            <BasicButton class="btn btn-secondary" title="Previous" @click="onPrevious" />
-            <BasicButton class="btn btn-primary ms-auto" title="Next" @click="onStepNext" />
-          </div>
-        </div>
-      </div>
-
-      <!-- Step: Summary -->
-      <div v-show="displaySteps[currentStep]?.type === 'summary'" class="card">
-        <div class="card-header step-card-header d-flex flex-wrap justify-content-between align-items-center gap-2">
-          <span>Summary</span>
-          <div class="d-flex flex-wrap gap-2">
-            <BasicButton
-              class="btn btn-outline-secondary btn-sm"
-              text="Download template"
-              :disabled="!allSettingsLoaded"
-              :tooltip="allSettingsLoaded ? 'Download JSON: full settings snapshot with current wizard values applied' : 'Available after settings load'"
-              @click="downloadImportTemplate"
-            />
-            <BasicButton
-              class="btn btn-outline-secondary btn-sm"
-              text="Import from previous instance"
-              tooltip="Load settings from a JSON file exported from another CARE instance"
-              @click="openImportModal"
-            />
-          </div>
-        </div>
-        <div class="card-body mx-4 my-4">
-          <p class="text-muted mb-3">Review your choices before finishing.</p>
-
-          <div v-if="!hasAdmin" class="mb-4">
-            <h6 class="step-group-heading text-muted border-bottom pb-1 mb-3">Admin</h6>
-            <ul class="list-unstyled mb-0">
-              <li><strong>Username:</strong> {{ formData.userName || "—" }}</li>
-              <li><strong>Email:</strong> {{ formData.email || "—" }}</li>
-              <li><strong>Password:</strong> Password set</li>
-            </ul>
-          </div>
-
-          <div v-for="group in summaryFieldGroups" :key="group.title" class="mb-4">
-            <h6 class="step-group-heading text-muted border-bottom pb-1 mb-3">{{ group.title }}</h6>
-            <ul class="list-unstyled ms-2 mb-0">
-              <li v-for="s in group.settings" :key="s.key" class="mb-2">
-                <template v-if="s.key === 'app.register.terms'">
-                  <div class="fw-semibold mb-1">{{ settingLabel(s.key) }}</div>
-                  <BasicEditor :model-value="summarySettingValue(s.key)" :read-only="true" />
-                </template>
-                <template v-else>
-                  <strong>{{ settingLabel(s.key) }}:</strong> {{ summarySettingValue(s.key) }}
-                </template>
-              </li>
-            </ul>
-          </div>
-
-          <div v-if="settingsFromFile && Object.keys(settingsFromFile).length" class="mt-4">
-            <BasicButton
-              class="btn btn-link p-0 text-secondary"
-              :title="`${showFileSettings ? '▼' : '▶'} Additional settings from file (${Object.keys(settingsFromFile).length})`"
-              @click="showFileSettings = !showFileSettings"
-            />
-            <ul v-show="showFileSettings" class="list-unstyled mt-2 ms-3 small">
-              <li v-for="(v, k) in settingsFromFile" :key="k"><strong>{{ k }}:</strong> {{ v }}</li>
-            </ul>
-          </div>
-
-          <div class="d-flex justify-content-between mt-4">
-            <BasicButton v-if="currentStep > 0" class="btn btn-secondary" title="Previous" @click="onPrevious" />
-            <BasicButton
-              class="btn btn-primary"
-              :class="{ 'ms-auto': currentStep === 0 }"
-              :title="finishing ? 'Saving…' : 'Finish'"
-              :disabled="finishing"
-              @click="finish"
-            />
-          </div>
-        </div>
-      </div>
+      <SetupWizardAdminStep
+        v-show="displaySteps[currentStep]?.type === 'admin'"
+        :form-data="formData"
+        :validity="validity"
+        :valid-user-name="validUserName"
+        :valid-email="validEmail"
+        :valid-password="validPassword"
+        :show-error="showError"
+        :error-message="errorMessage"
+        @check-val="checkVal"
+        @submit-admin="submitAdmin"
+      />
+
+      <SetupWizardSettingsStep
+        v-show="displaySteps[currentStep]?.type === 'general'"
+        v-bind="generalStepProps"
+        @download-template="downloadImportTemplate"
+        @open-import-modal="openImportModal"
+        @clear-import="clearImport"
+        @previous="onPrevious"
+        @next="onStepNext"
+      />
+
+      <SetupWizardSettingsStep
+        v-show="displaySteps[currentStep]?.type === 'mail'"
+        v-bind="mailStepProps"
+        @download-template="downloadImportTemplate"
+        @open-import-modal="openImportModal"
+        @mail-setting-change="onMailSettingChange"
+        @update-test-mail-to="testMailTo = $event"
+        @send-test-mail="sendSetupTestMail"
+        @previous="onPrevious"
+        @next="onStepNext"
+      />
+
+      <SetupWizardSettingsStep
+        v-show="displaySteps[currentStep]?.type === 'registration'"
+        v-bind="registrationStepProps"
+        @download-template="downloadImportTemplate"
+        @open-import-modal="openImportModal"
+        @previous="onPrevious"
+        @next="onStepNext"
+      />
+
+      <SetupWizardSummaryStep
+        v-show="displaySteps[currentStep]?.type === 'summary'"
+        :all-settings-loaded="allSettingsLoaded"
+        :has-admin="hasAdmin"
+        :form-data="formData"
+        :summary-field-groups="summaryFieldGroups"
+        :settings-from-file="settingsFromFile"
+        :show-file-settings="showFileSettings"
+        :current-step="currentStep"
+        :finishing="finishing"
+        :setting-label="settingLabel"
+        :summary-setting-value="summarySettingValue"
+        @download-template="downloadImportTemplate"
+        @open-import-modal="openImportModal"
+        @toggle-show-file-settings="showFileSettings = !showFileSettings"
+        @previous="onPrevious"
+        @finish="finish"
+      />
 
       <!-- Import JSON Modal -->
       <Modal ref="importModal" name="wizardImportSettings">
@@ -623,16 +129,24 @@
  */
 import IconAsset from "@/basic/icon/IconAsset.vue";
 import BasicButton from "@/basic/Button.vue";
-import BasicEditor from "@/basic/editor/Editor.vue";
-import EditorModal from "@/basic/editor/Modal.vue";
 import Modal from "@/basic/Modal.vue";
+import SetupWizardAdminStep from "@/components/wizard/SetupWizardAdminStep.vue";
+import SetupWizardSettingsStep from "@/components/wizard/SetupWizardSettingsStep.vue";
+import SetupWizardSummaryStep from "@/components/wizard/SetupWizardSummaryStep.vue";
 import axios from "axios";
 import getServerURL from "@/assets/serverUrl";
 import {downloadObjectsAs} from "@/assets/utils";
 
 export default {
   name: "SetupWizard",
-  components: { IconAsset, BasicButton, BasicEditor, EditorModal, Modal },
+  components: {
+    IconAsset,
+    BasicButton,
+    Modal,
+    SetupWizardAdminStep,
+    SetupWizardSettingsStep,
+    SetupWizardSummaryStep,
+  },
   data() {
     return {
       currentStep: 0,
@@ -763,6 +277,58 @@ export default {
         settings: byStep[step],
       }));
     },
+    settingsStepBaseProps() {
+      return {
+        allSettingsLoaded: this.allSettingsLoaded,
+        showError: this.showError,
+        errorMessage: this.errorMessage,
+        formSettings: this.formSettings,
+        mailEnabled: this.mailEnabled,
+        testMailTo: this.testMailTo,
+        testMailSending: this.testMailSending,
+        testMailMessage: this.testMailMessage,
+        testMailError: this.testMailError,
+        settingLabel: this.settingLabel,
+        settingDescription: this.settingDescription,
+        currentStep: this.currentStep,
+      };
+    },
+    generalStepProps() {
+      return {
+        ...this.settingsStepBaseProps,
+        stepType: "general",
+        settingsFromFile: this.settingsFromFile,
+        generalFieldGroups: this.generalFieldGroups,
+        moodleSettingsFlat: this.moodleSettingsFlat,
+        mailFieldGroups: [],
+        registrationFieldGroups: [],
+        settingsTouched: this.settingsTouched,
+      };
+    },
+    mailStepProps() {
+      return {
+        ...this.settingsStepBaseProps,
+        stepType: "mail",
+        settingsFromFile: null,
+        generalFieldGroups: [],
+        moodleSettingsFlat: [],
+        mailFieldGroups: this.mailFieldGroups,
+        registrationFieldGroups: [],
+        settingsTouched: false,
+      };
+    },
+    registrationStepProps() {
+      return {
+        ...this.settingsStepBaseProps,
+        stepType: "registration",
+        settingsFromFile: null,
+        generalFieldGroups: [],
+        moodleSettingsFlat: [],
+        mailFieldGroups: [],
+        registrationFieldGroups: this.registrationFieldGroups,
+        settingsTouched: false,
+      };
+    },
     validUserName() {
       return typeof this.formData.userName === "string" && this.formData.userName.trim() !== "";
     },
diff --git a/frontend/src/components/wizard/SetupWizardAdminStep.vue b/frontend/src/components/wizard/SetupWizardAdminStep.vue
new file mode 100644
index 000000000..410b642ce
--- /dev/null
+++ b/frontend/src/components/wizard/SetupWizardAdminStep.vue
@@ -0,0 +1,125 @@
+<template>
+  <div class="card">
+    <div class="card-header step-card-header">Setup – Admin account</div>
+    <div class="card-body mx-4 my-4">
+      <p class="text-muted mb-3">
+        No administrator account exists. Enter credentials now; the account is created on Finish.
+      </p>
+      <p v-if="showError" class="text-danger text-center">{{ errorMessage }}</p>
+      <form @submit.prevent="$emit('submit-admin')">
+        <div class="form-group row my-2">
+          <label class="col-md-4 col-form-label text-md-right" for="setup-username">Username</label>
+          <div class="col-md-6">
+            <input
+              id="setup-username"
+              v-model="formData.userName"
+              autocomplete="username"
+              class="form-control"
+              placeholder="admin"
+              type="text"
+              @blur="$emit('check-val', 'userName')"
+            />
+            <div class="feedback-invalid" :class="{invalid: validity['userName'] && !validUserName}">
+              Please provide a user name.
+            </div>
+          </div>
+        </div>
+        <div class="form-group row my-2">
+          <label class="col-md-4 col-form-label text-md-right" for="setup-email">Email</label>
+          <div class="col-md-6">
+            <input
+              id="setup-email"
+              v-model="formData.email"
+              autocomplete="email"
+              class="form-control"
+              placeholder="admin@example.com"
+              type="email"
+              @blur="$emit('check-val', 'email')"
+            />
+            <div class="feedback-invalid" :class="{invalid: validity['email'] && !validEmail}">
+              Please provide a valid email.
+            </div>
+          </div>
+        </div>
+        <div class="form-group row my-2">
+          <label class="col-md-4 col-form-label text-md-right" for="setup-password">Password</label>
+          <div class="col-md-6">
+            <input
+              id="setup-password"
+              v-model="formData.password"
+              autocomplete="new-password"
+              class="form-control"
+              placeholder="Min. 8 characters"
+              type="password"
+              @blur="$emit('check-val', 'password')"
+            />
+            <div class="feedback-invalid" :class="{invalid: validity['password'] && !validPassword}">
+              Please provide a password of at least 8 characters.
+            </div>
+          </div>
+        </div>
+        <div class="col-md-6 offset-md-4 my-4">
+          <BasicButton class="btn btn-primary" title="Continue" @click="$emit('submit-admin')" />
+        </div>
+      </form>
+    </div>
+  </div>
+</template>
+
+<script>
+import BasicButton from "@/basic/Button.vue";
+
+export default {
+  name: "SetupWizardAdminStep",
+  components: { BasicButton },
+  props: {
+    formData: {
+      type: Object,
+      required: true,
+    },
+    validity: {
+      type: Object,
+      required: true,
+    },
+    validUserName: {
+      type: Boolean,
+      required: true,
+    },
+    validEmail: {
+      type: Boolean,
+      required: true,
+    },
+    validPassword: {
+      type: Boolean,
+      required: true,
+    },
+    showError: {
+      type: Boolean,
+      required: true,
+    },
+    errorMessage: {
+      type: String,
+      required: true,
+    },
+  },
+  emits: ["check-val", "submit-admin"],
+};
+</script>
+
+<style scoped>
+.feedback-invalid {
+  font-size: 0.75em;
+  color: firebrick;
+  visibility: hidden;
+  padding-top: 4px;
+}
+
+.feedback-invalid.invalid {
+  visibility: visible;
+}
+
+.step-card-header {
+  font-size: 1.2rem;
+  font-weight: 600;
+}
+</style>
diff --git a/frontend/src/components/wizard/SetupWizardSettingsStep.vue b/frontend/src/components/wizard/SetupWizardSettingsStep.vue
new file mode 100644
index 000000000..ce36a6f7b
--- /dev/null
+++ b/frontend/src/components/wizard/SetupWizardSettingsStep.vue
@@ -0,0 +1,478 @@
+<template>
+  <div class="card">
+    <div class="card-header step-card-header d-flex flex-wrap justify-content-between align-items-center gap-2">
+      <span>{{ stepTitle }}</span>
+      <div class="d-flex flex-wrap gap-2">
+        <BasicButton
+          class="btn btn-outline-secondary btn-sm"
+          text="Download template"
+          :disabled="!allSettingsLoaded"
+          :tooltip="allSettingsLoaded ? 'Download JSON: full settings snapshot with current wizard values applied' : 'Available after settings load'"
+          @click="$emit('download-template')"
+        />
+        <BasicButton
+          class="btn btn-outline-secondary btn-sm"
+          text="Import from previous instance"
+          tooltip="Load settings from a JSON file exported from another CARE instance"
+          @click="$emit('open-import-modal')"
+        />
+      </div>
+    </div>
+    <div class="card-body mx-4 my-4">
+      <p v-if="showError" class="text-danger text-center">{{ errorMessage }}</p>
+
+      <template v-if="stepType === 'general'">
+        <template v-if="settingsFromFile && Object.keys(settingsFromFile).length > 0">
+          <p class="text-success mb-2">
+            Loaded {{ Object.keys(settingsFromFile).length }} setting(s) from file. Click Next to continue to the summary.
+          </p>
+          <button
+            class="btn btn-link btn-sm p-0 text-secondary"
+            type="button"
+            @click="$emit('clear-import')"
+          >
+            Clear and configure manually instead
+          </button>
+        </template>
+        <template v-else>
+          <p class="text-muted mb-3">
+            Configure copyright notice, consent requirements, guest access, and links shown on the landing page.
+          </p>
+
+          <div v-for="group in generalFieldGroups" :key="group.title" class="mb-4">
+            <h6 v-if="group.title" class="step-group-heading text-muted border-bottom pb-1 mb-3">
+              {{ group.title }}
+            </h6>
+            <div v-for="s in group.settings" :key="s.key" class="form-group row my-2">
+              <label
+                class="col-md-4 col-form-label text-md-right"
+                :for="'set-' + s.key"
+                @click="(s.type === 'boolean' || s.type === 'bool') && $event.preventDefault()"
+              >
+                {{ settingLabel(s.key) }}
+              </label>
+              <div class="col-md-6 d-flex flex-column">
+                <template v-if="s.type === 'boolean' || s.type === 'bool'">
+                  <div class="form-check form-switch">
+                    <input
+                      :id="'set-' + s.key"
+                      :checked="formSettings[s.key] === 'true'"
+                      class="form-check-input"
+                      type="checkbox"
+                      @change="formSettings[s.key] = $event.target.checked ? 'true' : 'false'"
+                    />
+                  </div>
+                </template>
+                <template v-else-if="s.key === 'app.register.terms'">
+                  <div class="d-flex align-items-center flex-wrap gap-2">
+                    <EditorModal
+                      :model-value="formSettings[s.key]"
+                      :title="'Edit ' + settingLabel(s.key)"
+                      @update:model-value="formSettings[s.key] = $event"
+                    />
+                    <span class="small text-muted">Open the editor to change terms and conditions.</span>
+                  </div>
+                </template>
+                <template v-else-if="s.type === 'edits'">
+                  <textarea
+                    :id="'set-' + s.key"
+                    v-model="formSettings[s.key]"
+                    class="form-control w-100"
+                    rows="5"
+                  />
+                </template>
+                <input
+                  v-else-if="s.type === 'integer'"
+                  :id="'set-' + s.key"
+                  v-model.number="formSettings[s.key]"
+                  class="form-control"
+                  type="number"
+                />
+                <input
+                  v-else
+                  :id="'set-' + s.key"
+                  v-model="formSettings[s.key]"
+                  class="form-control"
+                  type="text"
+                />
+                <div v-if="settingDescription(s.key) || s.description" class="small text-muted mt-1">
+                  {{ settingDescription(s.key) || s.description }}
+                </div>
+              </div>
+              <div v-if="s.requiredInWizard" class="col-md-6 offset-md-4">
+                <div class="feedback-invalid" :class="{invalid: settingsTouched && !(formSettings[s.key] != null && String(formSettings[s.key]).trim() !== '')}">
+                  This field is required.
+                </div>
+              </div>
+            </div>
+          </div>
+
+          <div v-if="moodleSettingsFlat.length" class="mb-4 mt-4">
+            <h6 class="step-group-heading text-muted border-bottom pb-1 mb-2">
+              Moodle <span class="fw-normal small">(optional)</span>
+            </h6>
+            <p class="small text-muted mb-3">
+              Configure Moodle if you use it for enrollments or submissions. You can change these later under Settings -> Moodle.
+            </p>
+            <div v-for="s in moodleSettingsFlat" :key="s.key" class="form-group row my-2">
+              <label
+                class="col-md-4 col-form-label text-md-right"
+                :for="'set-' + s.key"
+                @click="(s.type === 'boolean' || s.type === 'bool') && $event.preventDefault()"
+              >
+                {{ settingLabel(s.key) }}
+              </label>
+              <div class="col-md-6 d-flex flex-column">
+                <template v-if="s.type === 'boolean' || s.type === 'bool'">
+                  <div class="form-check form-switch">
+                    <input
+                      :id="'set-' + s.key"
+                      :checked="formSettings[s.key] === 'true'"
+                      class="form-check-input"
+                      type="checkbox"
+                      @change="formSettings[s.key] = $event.target.checked ? 'true' : 'false'"
+                    />
+                  </div>
+                </template>
+                <input
+                  v-else-if="s.type === 'integer'"
+                  :id="'set-' + s.key"
+                  v-model.number="formSettings[s.key]"
+                  class="form-control"
+                  type="number"
+                />
+                <input
+                  v-else
+                  :id="'set-' + s.key"
+                  v-model="formSettings[s.key]"
+                  class="form-control"
+                  type="text"
+                />
+                <div v-if="settingDescription(s.key) || s.description" class="small text-muted mt-1">
+                  {{ settingDescription(s.key) || s.description }}
+                </div>
+              </div>
+            </div>
+          </div>
+        </template>
+      </template>
+
+      <template v-else-if="stepType === 'mail'">
+        <div class="form-check form-switch mb-3">
+          <input
+            id="mail-enabled"
+            :checked="formSettings['system.mailService.enabled'] === 'true'"
+            class="form-check-input"
+            type="checkbox"
+            @change="formSettings['system.mailService.enabled'] = $event.target.checked ? 'true' : 'false'"
+          />
+          <label class="form-check-label" for="mail-enabled" @click.prevent>
+            Enable email service (required for password reset and email verification)
+          </label>
+        </div>
+
+        <template v-if="mailEnabled">
+          <div v-for="group in mailFieldGroups" :key="group.title" class="mb-4">
+            <h6 v-if="group.title" class="step-group-heading text-muted border-bottom pb-1 mb-3">
+              {{ group.title }}
+            </h6>
+            <div v-for="s in group.settings" :key="s.key" class="form-group row my-2">
+              <label
+                class="col-md-4 col-form-label text-md-right"
+                :for="'set-' + s.key"
+                @click="(s.type === 'boolean' || s.type === 'bool') && $event.preventDefault()"
+              >
+                {{ settingLabel(s.key) }}
+              </label>
+              <div class="col-md-6 d-flex flex-column">
+                <template v-if="s.type === 'boolean' || s.type === 'bool'">
+                  <div class="form-check form-switch">
+                    <input
+                      :id="'set-' + s.key"
+                      :checked="formSettings[s.key] === 'true'"
+                      class="form-check-input"
+                      type="checkbox"
+                      @change="$emit('mail-setting-change', s.key, $event.target.checked ? 'true' : 'false')"
+                    />
+                  </div>
+                </template>
+                <template v-else-if="s.type === 'edits'">
+                  <textarea
+                    :id="'set-' + s.key"
+                    v-model="formSettings[s.key]"
+                    class="form-control w-100"
+                    rows="4"
+                  />
+                </template>
+                <input
+                  v-else
+                  :id="'set-' + s.key"
+                  v-model="formSettings[s.key]"
+                  class="form-control"
+                  type="text"
+                />
+                <div v-if="settingDescription(s.key) || s.description" class="small text-muted mt-1">
+                  {{ settingDescription(s.key) || s.description }}
+                </div>
+              </div>
+            </div>
+          </div>
+
+          <div class="border-top pt-3 mt-4">
+            <h6 class="step-group-heading text-muted border-bottom pb-1 mb-3">Send test email</h6>
+            <p class="small text-muted mb-2">
+              Sends a short fixed message so you can verify delivery before finishing setup.
+            </p>
+            <div class="form-group row my-2">
+              <label class="col-md-4 col-form-label text-md-right" for="setup-test-mail-to">Recipient</label>
+              <div class="col-md-6 d-flex flex-column flex-sm-row gap-2 align-items-sm-start">
+                <input
+                  id="setup-test-mail-to"
+                  :value="testMailTo"
+                  class="form-control"
+                  type="email"
+                  placeholder="you@example.com"
+                  autocomplete="email"
+                  @input="$emit('update-test-mail-to', $event.target.value)"
+                />
+                <BasicButton
+                  class="btn btn-outline-primary flex-shrink-0"
+                  :title="testMailSending ? 'Sending...' : 'Send test email'"
+                  :disabled="testMailSending || !testMailTo.trim()"
+                  @click="$emit('send-test-mail')"
+                />
+              </div>
+            </div>
+            <p v-if="testMailMessage" class="small mb-0" :class="testMailError ? 'text-danger' : 'text-success'">
+              {{ testMailMessage }}
+            </p>
+          </div>
+        </template>
+      </template>
+
+      <template v-else>
+        <p class="text-muted mb-3">
+          Configure which information and consents are requested from users during registration.
+        </p>
+        <div v-for="group in registrationFieldGroups" :key="group.title" class="mb-4">
+          <h6 v-if="group.title" class="step-group-heading text-muted border-bottom pb-1 mb-3">
+            {{ group.title }}
+          </h6>
+          <div v-for="s in group.settings" :key="s.key" class="form-group row my-2">
+            <label
+              class="col-md-4 col-form-label text-md-right"
+              :for="'set-' + s.key"
+              @click="(s.type === 'boolean' || s.type === 'bool') && $event.preventDefault()"
+            >
+              {{ settingLabel(s.key) }}
+            </label>
+            <div class="col-md-6 d-flex flex-column">
+              <template v-if="s.type === 'boolean' || s.type === 'bool'">
+                <div class="form-check form-switch">
+                  <input
+                    :id="'set-' + s.key"
+                    :checked="formSettings[s.key] === 'true'"
+                    class="form-check-input"
+                    type="checkbox"
+                    @change="formSettings[s.key] = $event.target.checked ? 'true' : 'false'"
+                  />
+                </div>
+              </template>
+              <template v-else-if="s.type === 'edits'">
+                <textarea
+                  :id="'set-' + s.key"
+                  v-model="formSettings[s.key]"
+                  class="form-control w-100"
+                  rows="4"
+                />
+              </template>
+              <input
+                v-else
+                :id="'set-' + s.key"
+                v-model="formSettings[s.key]"
+                class="form-control"
+                type="text"
+              />
+              <div v-if="settingDescription(s.key) || s.description" class="small text-muted mt-1">
+                {{ settingDescription(s.key) || s.description }}
+              </div>
+            </div>
+          </div>
+        </div>
+
+        <div v-if="mailEnabled" class="mb-4">
+          <h6 class="step-group-heading text-muted border-bottom pb-1 mb-3">Email verification</h6>
+          <div class="form-group row my-2">
+            <label class="col-md-4 col-form-label text-md-right" for="email-verification-reg" @click.prevent>
+              {{ settingLabel("app.register.emailVerification") }}
+            </label>
+            <div class="col-md-6 d-flex flex-column">
+              <div class="form-check form-switch">
+                <input
+                  id="email-verification-reg"
+                  :checked="formSettings['app.register.emailVerification'] === 'true'"
+                  class="form-check-input"
+                  type="checkbox"
+                  @change="formSettings['app.register.emailVerification'] = $event.target.checked ? 'true' : 'false'"
+                />
+              </div>
+              <div class="small text-muted mt-1">
+                Require new users to verify their email address before accessing the application.
+              </div>
+            </div>
+          </div>
+        </div>
+      </template>
+
+      <div class="d-flex justify-content-between mt-4">
+        <BasicButton
+          v-if="stepType === 'general' ? currentStep > 0 : true"
+          class="btn btn-secondary"
+          title="Previous"
+          @click="$emit('previous')"
+        />
+        <BasicButton
+          class="btn btn-primary"
+          :class="nextButtonClass"
+          title="Next"
+          @click="$emit('next')"
+        />
+      </div>
+    </div>
+  </div>
+</template>
+
+<script>
+import BasicButton from "@/basic/Button.vue";
+import EditorModal from "@/basic/editor/Modal.vue";
+
+export default {
+  name: "SetupWizardSettingsStep",
+  components: { BasicButton, EditorModal },
+  props: {
+    stepType: {
+      type: String,
+      required: true,
+    },
+    currentStep: {
+      type: Number,
+      required: true,
+    },
+    allSettingsLoaded: {
+      type: Boolean,
+      required: true,
+    },
+    showError: {
+      type: Boolean,
+      required: true,
+    },
+    errorMessage: {
+      type: String,
+      required: true,
+    },
+    settingsFromFile: {
+      type: Object,
+      required: false,
+      default: null,
+    },
+    generalFieldGroups: {
+      type: Array,
+      required: true,
+    },
+    moodleSettingsFlat: {
+      type: Array,
+      required: true,
+    },
+    mailFieldGroups: {
+      type: Array,
+      required: true,
+    },
+    registrationFieldGroups: {
+      type: Array,
+      required: true,
+    },
+    formSettings: {
+      type: Object,
+      required: true,
+    },
+    settingsTouched: {
+      type: Boolean,
+      required: true,
+    },
+    mailEnabled: {
+      type: Boolean,
+      required: true,
+    },
+    testMailTo: {
+      type: String,
+      required: true,
+    },
+    testMailSending: {
+      type: Boolean,
+      required: true,
+    },
+    testMailMessage: {
+      type: String,
+      required: true,
+    },
+    testMailError: {
+      type: Boolean,
+      required: true,
+    },
+    settingLabel: {
+      type: Function,
+      required: true,
+    },
+    settingDescription: {
+      type: Function,
+      required: true,
+    },
+  },
+  emits: [
+    "download-template",
+    "open-import-modal",
+    "clear-import",
+    "mail-setting-change",
+    "update-test-mail-to",
+    "send-test-mail",
+    "previous",
+    "next",
+  ],
+  computed: {
+    stepTitle() {
+      if (this.stepType === "mail") return "Mail Configuration";
+      if (this.stepType === "registration") return "User Registration";
+      return "General Settings";
+    },
+    nextButtonClass() {
+      if (this.stepType === "general") {
+        return { "ms-auto": this.currentStep === 0 };
+      }
+      return "ms-auto";
+    },
+  },
+};
+</script>
+
+<style scoped>
+.feedback-invalid {
+  font-size: 0.75em;
+  color: firebrick;
+  visibility: hidden;
+  padding-top: 4px;
+}
+
+.feedback-invalid.invalid {
+  visibility: visible;
+}
+
+.step-group-heading {
+  font-size: 1.1rem;
+  font-weight: 600;
+}
+
+.step-card-header {
+  font-size: 1.2rem;
+  font-weight: 600;
+}
+</style>
diff --git a/frontend/src/components/wizard/SetupWizardSummaryStep.vue b/frontend/src/components/wizard/SetupWizardSummaryStep.vue
new file mode 100644
index 000000000..d931f32ba
--- /dev/null
+++ b/frontend/src/components/wizard/SetupWizardSummaryStep.vue
@@ -0,0 +1,137 @@
+<template>
+  <div class="card">
+    <div class="card-header step-card-header d-flex flex-wrap justify-content-between align-items-center gap-2">
+      <span>Summary</span>
+      <div class="d-flex flex-wrap gap-2">
+        <BasicButton
+          class="btn btn-outline-secondary btn-sm"
+          text="Download template"
+          :disabled="!allSettingsLoaded"
+          :tooltip="allSettingsLoaded ? 'Download JSON: full settings snapshot with current wizard values applied' : 'Available after settings load'"
+          @click="$emit('download-template')"
+        />
+        <BasicButton
+          class="btn btn-outline-secondary btn-sm"
+          text="Import from previous instance"
+          tooltip="Load settings from a JSON file exported from another CARE instance"
+          @click="$emit('open-import-modal')"
+        />
+      </div>
+    </div>
+    <div class="card-body mx-4 my-4">
+      <p class="text-muted mb-3">Review your choices before finishing.</p>
+
+      <div v-if="!hasAdmin" class="mb-4">
+        <h6 class="step-group-heading text-muted border-bottom pb-1 mb-3">Admin</h6>
+        <ul class="list-unstyled mb-0">
+          <li><strong>Username:</strong> {{ formData.userName || "—" }}</li>
+          <li><strong>Email:</strong> {{ formData.email || "—" }}</li>
+          <li><strong>Password:</strong> Password set</li>
+        </ul>
+      </div>
+
+      <div v-for="group in summaryFieldGroups" :key="group.title" class="mb-4">
+        <h6 class="step-group-heading text-muted border-bottom pb-1 mb-3">{{ group.title }}</h6>
+        <ul class="list-unstyled ms-2 mb-0">
+          <li v-for="s in group.settings" :key="s.key" class="mb-2">
+            <template v-if="s.key === 'app.register.terms'">
+              <div class="fw-semibold mb-1">{{ settingLabel(s.key) }}</div>
+              <BasicEditor :model-value="summarySettingValue(s.key)" :read-only="true" />
+            </template>
+            <template v-else>
+              <strong>{{ settingLabel(s.key) }}:</strong> {{ summarySettingValue(s.key) }}
+            </template>
+          </li>
+        </ul>
+      </div>
+
+      <div v-if="settingsFromFile && Object.keys(settingsFromFile).length" class="mt-4">
+        <BasicButton
+          class="btn btn-link p-0 text-secondary"
+          :title="`${showFileSettings ? '▼' : '▶'} Additional settings from file (${Object.keys(settingsFromFile).length})`"
+          @click="$emit('toggle-show-file-settings')"
+        />
+        <ul v-show="showFileSettings" class="list-unstyled mt-2 ms-3 small">
+          <li v-for="(v, k) in settingsFromFile" :key="k"><strong>{{ k }}:</strong> {{ v }}</li>
+        </ul>
+      </div>
+
+      <div class="d-flex justify-content-between mt-4">
+        <BasicButton v-if="currentStep > 0" class="btn btn-secondary" title="Previous" @click="$emit('previous')" />
+        <BasicButton
+          class="btn btn-primary"
+          :class="{ 'ms-auto': currentStep === 0 }"
+          :title="finishing ? 'Saving…' : 'Finish'"
+          :disabled="finishing"
+          @click="$emit('finish')"
+        />
+      </div>
+    </div>
+  </div>
+</template>
+
+<script>
+import BasicButton from "@/basic/Button.vue";
+import BasicEditor from "@/basic/editor/Editor.vue";
+
+export default {
+  name: "SetupWizardSummaryStep",
+  components: { BasicButton, BasicEditor },
+  props: {
+    allSettingsLoaded: {
+      type: Boolean,
+      required: true,
+    },
+    hasAdmin: {
+      type: Boolean,
+      required: true,
+    },
+    formData: {
+      type: Object,
+      required: true,
+    },
+    summaryFieldGroups: {
+      type: Array,
+      required: true,
+    },
+    settingsFromFile: {
+      type: Object,
+      required: false,
+      default: null,
+    },
+    showFileSettings: {
+      type: Boolean,
+      required: true,
+    },
+    currentStep: {
+      type: Number,
+      required: true,
+    },
+    finishing: {
+      type: Boolean,
+      required: true,
+    },
+    settingLabel: {
+      type: Function,
+      required: true,
+    },
+    summarySettingValue: {
+      type: Function,
+      required: true,
+    },
+  },
+  emits: ["download-template", "open-import-modal", "toggle-show-file-settings", "previous", "finish"],
+};
+</script>
+
+<style scoped>
+.step-group-heading {
+  font-size: 1.1rem;
+  font-weight: 600;
+}
+
+.step-card-header {
+  font-size: 1.2rem;
+  font-weight: 600;
+}
+</style>

From def6a81ed3e67a916c1642ba76936893178d76de Mon Sep 17 00:00:00 2001
From: Mohammad Elwan <mohammadsherifl11@gmail.com>
Date: Thu, 30 Apr 2026 17:31:58 +0300
Subject: [PATCH 65/73] refactor : update setup wizard import guidance

---
 frontend/src/auth/SetupWizard.vue | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/frontend/src/auth/SetupWizard.vue b/frontend/src/auth/SetupWizard.vue
index b39ab5533..cf7d510a7 100644
--- a/frontend/src/auth/SetupWizard.vue
+++ b/frontend/src/auth/SetupWizard.vue
@@ -85,10 +85,7 @@
         <template #title>Import JSON from previous instance</template>
         <template #body>
           <p class="mb-3">
-            Upload a JSON file exported from another CARE instance
-            (<strong>Dashboard → Settings → Export JSON</strong>) or generated by <strong>Download template</strong>.
-            Loaded settings replace the corresponding wizard settings and <strong>skip the remaining setup steps</strong>;
-            you can still review everything on the <strong>Summary</strong> before finishing.
+            Upload a JSON file exported from another CARE instance or generated by <strong>Download template</strong>.
           </p>
           <input
             ref="jsonFileInput"
@@ -97,6 +94,9 @@
             accept=".json"
             @change="onJsonFileChange"
           />
+          <p class="small text-muted mt-2 mb-0">
+            Imported values replace wizard settings and skip to Summary for final review.
+          </p>
           <p v-if="importError" class="text-danger small mt-2 mb-0">{{ importError }}</p>
         </template>
         <template #footer>

From b7d41727deb8f2824cf41351ead590e5ea558a1b Mon Sep 17 00:00:00 2001
From: Mohammad Elwan <mohammadsherifl11@gmail.com>
Date: Thu, 30 Apr 2026 17:32:38 +0300
Subject: [PATCH 66/73] refactor : update basic setting display metadata

---
 .../db/migrations/20260225234559-basic-setting-displayName.js   | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/backend/db/migrations/20260225234559-basic-setting-displayName.js b/backend/db/migrations/20260225234559-basic-setting-displayName.js
index 036db9f29..655d3e936 100644
--- a/backend/db/migrations/20260225234559-basic-setting-displayName.js
+++ b/backend/db/migrations/20260225234559-basic-setting-displayName.js
@@ -284,7 +284,7 @@ const DISPLAY_NAMES = {
     'system.auth.tokenExpiry.passwordReset': 'Password reset token expiry',
     'system.baseUrl': 'Base URL for emails',
     'system.mailService.enabled': 'Mail service enabled',
-    'system.mailService.sendMail.enabled': 'Sendmail enabled (takes precedence over SMTP)',
+    'system.mailService.sendMail.enabled': 'Sendmail enabled (prioritized over SMTP)',
     'system.mailService.sendMail.path': 'Sendmail path',
     'system.mailService.senderAddress': 'Mail sender address',
     'system.mailService.smtp.auth.enabled': 'SMTP auth enabled',

From a6efd1228239294115aa0191ad9630065495a942 Mon Sep 17 00:00:00 2001
From: Mohammad Elwan <mohammadsherifl11@gmail.com>
Date: Thu, 30 Apr 2026 17:38:07 +0300
Subject: [PATCH 67/73] docs : update setup wizard documentation and component
 structure notes

---
 docs/source/for_developers/frontend/setup_wizard.rst | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/docs/source/for_developers/frontend/setup_wizard.rst b/docs/source/for_developers/frontend/setup_wizard.rst
index 4ed4824b6..3df4d6932 100644
--- a/docs/source/for_developers/frontend/setup_wizard.rst
+++ b/docs/source/for_developers/frontend/setup_wizard.rst
@@ -16,7 +16,7 @@ Backend endpoints used by this flow:
 - ``GET /setup/config``: fetch steps, wizard settings, and full settings snapshot.
 - ``POST /auth/setup-admin``: create the initial admin account.
 - ``POST /setup/test-mail``: send a test mail during setup.
-- ``PATCH /setup/state``: mark setup as completed.
+- ``POST /setup/complete``: persist setup settings and mark setup as completed.
 
 Wizard Steps
 ------------
@@ -75,7 +75,7 @@ To add or change setup fields:
 
 1. Add/update setting rows via migration (including wizard and display metadata).
 2. Ensure the new keys are returned by ``/setup/config``.
-3. If needed, update step-specific logic in ``SetupWizard.vue`` (validation, dependency toggles, and summary rendering).
+3. If needed, update step-specific rendering in ``frontend/src/components/wizard/`` and orchestration logic in ``frontend/src/auth/SetupWizard.vue``.
 4. Verify import/export behavior for the new keys.
 
 To change the setup order or visible steps:

From e43de5d5d1bfba3e702a71287dd2be95b592751a Mon Sep 17 00:00:00 2001
From: Mohammad Elwan <mohammadsherifl11@gmail.com>
Date: Wed, 6 May 2026 23:23:56 +0300
Subject: [PATCH 68/73] feat : add wizard_step_type table and link wizard_step
 to types

---
 .../20260119192230-basic-wizard_steps.js      |  1 +
 .../20260504161006-create-wizard-step-type.js | 94 +++++++++++++++++++
 backend/db/models/wizard_step.js              |  8 +-
 backend/db/models/wizard_step_type.js         | 41 ++++++++
 4 files changed, 142 insertions(+), 2 deletions(-)
 create mode 100644 backend/db/migrations/20260504161006-create-wizard-step-type.js
 create mode 100644 backend/db/models/wizard_step_type.js

diff --git a/backend/db/migrations/20260119192230-basic-wizard_steps.js b/backend/db/migrations/20260119192230-basic-wizard_steps.js
index bcbaa28e7..4ec0ad199 100644
--- a/backend/db/migrations/20260119192230-basic-wizard_steps.js
+++ b/backend/db/migrations/20260119192230-basic-wizard_steps.js
@@ -9,6 +9,7 @@ module.exports = {
             { key: 'general', order: 2, title: 'General Settings', description: 'Copyright, consent, guest login, external links', type: 'general', deleted: false, createdAt: now, updatedAt: now, deletedAt: null },
             { key: 'mail', order: 3, title: 'Mail Configuration', description: 'Enable email service and configure SMTP/sendmail', type: 'mail', deleted: false, createdAt: now, updatedAt: now, deletedAt: null },
             { key: 'registration', order: 4, title: 'User Registration', description: 'What is required at signup', type: 'registration', deleted: false, createdAt: now, updatedAt: now, deletedAt: null },
+            { key: 'moodle', order: 5, title: 'Moodle Settings', description: 'Optional Moodle API settings', type: 'moodle', deleted: false, createdAt: now, updatedAt: now, deletedAt: null },
             { key: 'summary', order: 6, title: 'Summary', description: 'Review your choices before finishing', type: 'summary', deleted: false, createdAt: now, updatedAt: now, deletedAt: null },
         ], {});
     },
diff --git a/backend/db/migrations/20260504161006-create-wizard-step-type.js b/backend/db/migrations/20260504161006-create-wizard-step-type.js
new file mode 100644
index 000000000..5a7a24652
--- /dev/null
+++ b/backend/db/migrations/20260504161006-create-wizard-step-type.js
@@ -0,0 +1,94 @@
+'use strict';
+
+/** @type {import('sequelize-cli').Migration} */
+module.exports = {
+    async up(queryInterface, Sequelize) {
+        const now = new Date();
+        await queryInterface.createTable('wizard_step_type', {
+            id: {
+                allowNull: false,
+                autoIncrement: true,
+                primaryKey: true,
+                type: Sequelize.INTEGER,
+            },
+            key: {
+                type: Sequelize.STRING,
+                allowNull: false,
+                unique: true,
+            },
+            createdAt: {
+                allowNull: false,
+                type: Sequelize.DATE,
+            },
+            updatedAt: {
+                allowNull: false,
+                type: Sequelize.DATE,
+            },
+        });
+
+        await queryInterface.bulkInsert('wizard_step_type', [
+            { key: 'admin', createdAt: now, updatedAt: now },
+            { key: 'general', createdAt: now, updatedAt: now },
+            { key: 'mail', createdAt: now, updatedAt: now },
+            { key: 'registration', createdAt: now, updatedAt: now },
+            { key: 'moodle', createdAt: now, updatedAt: now },
+            { key: 'summary', createdAt: now, updatedAt: now },
+        ], {});
+
+        await queryInterface.addColumn('wizard_step', 'wizardStepTypeId', {
+            type: Sequelize.INTEGER,
+            allowNull: true,
+        });
+
+        await queryInterface.sequelize.query(`
+            UPDATE "wizard_step" AS ws
+            SET "wizardStepTypeId" = wst.id
+            FROM "wizard_step_type" AS wst
+            WHERE ws.type = wst.key
+        `);
+
+        await queryInterface.removeColumn('wizard_step', 'type');
+
+        await queryInterface.changeColumn('wizard_step', 'wizardStepTypeId', {
+            type: Sequelize.INTEGER,
+            allowNull: false,
+        });
+
+        await queryInterface.addConstraint('wizard_step', {
+            fields: ['wizardStepTypeId'],
+            type: 'foreign key',
+            name: 'wizard_step_wizardStepTypeId_fkey',
+            references: {
+                table: 'wizard_step_type',
+                field: 'id',
+            },
+            onUpdate: 'CASCADE',
+            onDelete: 'RESTRICT',
+        });
+    },
+
+    async down(queryInterface, Sequelize) {
+        await queryInterface.removeConstraint('wizard_step', 'wizard_step_wizardStepTypeId_fkey');
+
+        await queryInterface.addColumn('wizard_step', 'type', {
+            type: Sequelize.STRING,
+            allowNull: true,
+        });
+
+        await queryInterface.sequelize.query(`
+            UPDATE "wizard_step" AS ws
+            SET type = wst.key
+            FROM "wizard_step_type" AS wst
+            WHERE ws."wizardStepTypeId" = wst.id
+        `);
+
+        await queryInterface.changeColumn('wizard_step', 'type', {
+            type: Sequelize.STRING,
+            allowNull: false,
+        });
+
+        await queryInterface.removeColumn('wizard_step', 'wizardStepTypeId');
+
+        await queryInterface.dropTable('wizard_step_type');
+    },
+};
diff --git a/backend/db/models/wizard_step.js b/backend/db/models/wizard_step.js
index 44f1769b6..f359d6d35 100644
--- a/backend/db/models/wizard_step.js
+++ b/backend/db/models/wizard_step.js
@@ -11,6 +11,10 @@ module.exports = (sequelize, DataTypes) => {
                 foreignKey: "wizardStepId",
                 as: "settings",
             });
+            WizardStep.belongsTo(models["wizard_step_type"], {
+                foreignKey: "wizardStepTypeId",
+                as: "wizardStepType",
+            });
         }
     }
 
@@ -39,8 +43,8 @@ module.exports = (sequelize, DataTypes) => {
                 type: DataTypes.STRING,
                 allowNull: true,
             },
-            type: {
-                type: DataTypes.STRING,
+            wizardStepTypeId: {
+                type: DataTypes.INTEGER,
                 allowNull: false,
             },
             deleted: {
diff --git a/backend/db/models/wizard_step_type.js b/backend/db/models/wizard_step_type.js
new file mode 100644
index 000000000..942e94a4b
--- /dev/null
+++ b/backend/db/models/wizard_step_type.js
@@ -0,0 +1,41 @@
+'use strict';
+
+const MetaModel = require('../MetaModel.js');
+
+module.exports = (sequelize, DataTypes) => {
+    class WizardStepType extends MetaModel {
+        static autoTable = false;
+
+        static associate(models) {
+            WizardStepType.hasMany(models["wizard_step"], {
+                foreignKey: "wizardStepTypeId",
+                as: "wizardSteps",
+            });
+        }
+    }
+
+    WizardStepType.init(
+        {
+            id: {
+                allowNull: false,
+                autoIncrement: true,
+                primaryKey: true,
+                type: DataTypes.INTEGER,
+            },
+            key: {
+                type: DataTypes.STRING,
+                allowNull: false,
+                unique: true,
+            },
+            createdAt: DataTypes.DATE,
+            updatedAt: DataTypes.DATE,
+        },
+        {
+            sequelize,
+            modelName: "wizard_step_type",
+            tableName: "wizard_step_type",
+        }
+    );
+
+    return WizardStepType;
+};

From 360ee14c822210a6bf427663378558cbe4232cb0 Mon Sep 17 00:00:00 2001
From: Mohammad Elwan <mohammadsherifl11@gmail.com>
Date: Wed, 6 May 2026 23:26:44 +0300
Subject: [PATCH 69/73] fix : validate setup-admin password

---
 backend/webserver/utils/setupAdmin.js | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/backend/webserver/utils/setupAdmin.js b/backend/webserver/utils/setupAdmin.js
index db61b8776..c8af5ff7f 100644
--- a/backend/webserver/utils/setupAdmin.js
+++ b/backend/webserver/utils/setupAdmin.js
@@ -49,8 +49,13 @@ async function createInitialAdmin(server, { userName, email, password }) {
         throw validationError('E-Mail already taken.');
     }
 
-    if (!password || (typeof password === 'string' && password.length < 8)) {
-        throw validationError('Password does not meet requirements (min 8 characters).');
+    const p = typeof password === "string" ? password : "";
+    const validPassword = p.length >= 8
+        && !/^\s*$/.test(p)
+        && !/[\x00-\x1F\x7F]/.test(p)
+        && ![...p].some((c) => (c.codePointAt(0) || 0) > 0xFFFF);
+    if (!validPassword) {
+        throw validationError("Password must be at least 8 characters. Use letters, numbers, and standard punctuation; no spaces-only or emojis.");
     }
 
     const User = server.db.models['user'];

From a1e4daaf443a6556839ba811e4f7196d717b69d7 Mon Sep 17 00:00:00 2001
From: Mohammad Elwan <mohammadsherifl11@gmail.com>
Date: Wed, 6 May 2026 23:28:30 +0300
Subject: [PATCH 70/73] feat : add wizard step types and typeId to setup

---
 backend/webserver/routes/setup.js | 32 +++++++++++++++++++++++++++----
 1 file changed, 28 insertions(+), 4 deletions(-)

diff --git a/backend/webserver/routes/setup.js b/backend/webserver/routes/setup.js
index 95e1040c6..1141f749c 100644
--- a/backend/webserver/routes/setup.js
+++ b/backend/webserver/routes/setup.js
@@ -18,6 +18,7 @@ module.exports = function (server) {
      * Returns wizard config while initial setup is in progress: needsSetup is true when no
      * admin exists; steps, wizardSettings, and wizardSettingsByStep (grouped by general,
      * mail, registration) are returned until app.setup.wizardCompleted is true.
+     * Each step includes typeId (FK to wizard_step_type). wizardStepTypes lists id for setup UI.
      * Moodle fields appear in the General wizard step in the UI. When setup is fully
      * complete, returns empty steps and wizardSettings.
      */
@@ -28,14 +29,30 @@ module.exports = function (server) {
             const wizardCompleted = (await server.db.models["setting"].get("app.setup.wizardCompleted")) === "true";
 
             if (!needsSetup && wizardCompleted) {
-                return res.status(200).json({ needsSetup: false, steps: [], wizardSettings: [] });
+                return res.status(200).json({
+                    needsSetup: false,
+                    steps: [],
+                    wizardSettings: [],
+                    wizardStepTypes: [],
+                });
             }
 
             const WizardStep = server.db.models["wizard_step"];
-            const steps = await WizardStep.findAll({
+            const WizardStepType = server.db.models["wizard_step_type"];
+            const stepRows = await WizardStep.findAll({
                 where: { deleted: false },
                 order: [["order", "ASC"]],
-                attributes: ["key", "title", "description", "type", "order"],
+                attributes: ["key", "title", "description", "order", "wizardStepTypeId"],
+                raw: true,
+            });
+            const steps = stepRows.map((row) => {
+                const { wizardStepTypeId, ...rest } = row;
+                return { ...rest, typeId: wizardStepTypeId };
+            });
+
+            const wizardStepTypes = await WizardStepType.findAll({
+                attributes: ["id", "key"],
+                order: [["id", "ASC"]],
                 raw: true,
             });
 
@@ -43,7 +60,14 @@ module.exports = function (server) {
             const wizardSettingsByStep = await server.db.models["setting"].getWizardSettingsByStep();
             const allSettings = await server.db.models["setting"].getAll(false);
 
-            return res.status(200).json({ needsSetup, steps, wizardSettings, wizardSettingsByStep, allSettings });
+            return res.status(200).json({
+                needsSetup,
+                steps,
+                wizardStepTypes,
+                wizardSettings,
+                wizardSettingsByStep,
+                allSettings,
+            });
         } catch (err) {
             server.logger.error("GET /setup/config error: " + err);
             return res.status(500).json({ message: "Internal server error." });

From 72b5f52c2f0a0f6121edb1fa4fe30baf6a597151 Mon Sep 17 00:00:00 2001
From: Mohammad Elwan <mohammadsherifl11@gmail.com>
Date: Wed, 6 May 2026 23:32:57 +0300
Subject: [PATCH 71/73] refactor : split settings setup wizard step into
 separate general, mail and registration step components and emit setting
 updates to parent

---
 frontend/src/auth/SetupWizard.vue             | 268 +++-------
 .../wizard/SetupWizardAdminStep.vue           |  23 +-
 .../wizard/SetupWizardGeneralStep.vue         | 337 ++++++++++++
 .../components/wizard/SetupWizardMailStep.vue | 292 +++++++++++
 .../wizard/SetupWizardRegistrationStep.vue    | 225 +++++++++
 .../wizard/SetupWizardSettingsStep.vue        | 478 ------------------
 .../wizard/SetupWizardSummaryStep.vue         |  34 +-
 7 files changed, 966 insertions(+), 691 deletions(-)
 create mode 100644 frontend/src/components/wizard/SetupWizardGeneralStep.vue
 create mode 100644 frontend/src/components/wizard/SetupWizardMailStep.vue
 create mode 100644 frontend/src/components/wizard/SetupWizardRegistrationStep.vue
 delete mode 100644 frontend/src/components/wizard/SetupWizardSettingsStep.vue

diff --git a/frontend/src/auth/SetupWizard.vue b/frontend/src/auth/SetupWizard.vue
index cf7d510a7..952d98742 100644
--- a/frontend/src/auth/SetupWizard.vue
+++ b/frontend/src/auth/SetupWizard.vue
@@ -18,7 +18,7 @@
       </div>
 
       <SetupWizardAdminStep
-        v-show="displaySteps[currentStep]?.type === 'admin'"
+        v-show="displaySteps[currentStep]?.key === 'admin'"
         :form-data="formData"
         :validity="validity"
         :valid-user-name="validUserName"
@@ -28,51 +28,73 @@
         :error-message="errorMessage"
         @check-val="checkVal"
         @submit-admin="submitAdmin"
+        @update-admin-field="setAdminField"
       />
 
-      <SetupWizardSettingsStep
-        v-show="displaySteps[currentStep]?.type === 'general'"
-        v-bind="generalStepProps"
+      <SetupWizardGeneralStep
+        v-show="displaySteps[currentStep]?.key === 'general'"
+        :wizard-settings="wizardSettings"
+        :form-settings="formSettings"
+        :settings-from-file="settingsFromFile"
+        :settings-touched="settingsTouched"
+        :show-error="showError"
+        :error-message="errorMessage"
+        :all-settings-loaded="allSettingsLoaded"
+        :current-step="currentStep"
         @download-template="downloadImportTemplate"
         @open-import-modal="openImportModal"
         @clear-import="clearImport"
+        @update:value="setWizardSettingValue"
         @previous="onPrevious"
         @next="onStepNext"
       />
 
-      <SetupWizardSettingsStep
-        v-show="displaySteps[currentStep]?.type === 'mail'"
-        v-bind="mailStepProps"
+      <SetupWizardMailStep
+        v-show="displaySteps[currentStep]?.key === 'mail'"
+        :wizard-settings="wizardSettings"
+        :form-settings="formSettings"
+        :show-error="showError"
+        :error-message="errorMessage"
+        :all-settings-loaded="allSettingsLoaded"
+        :test-mail-to="testMailTo"
+        :test-mail-sending="testMailSending"
+        :test-mail-message="testMailMessage"
+        :test-mail-error="testMailError"
         @download-template="downloadImportTemplate"
         @open-import-modal="openImportModal"
-        @mail-setting-change="onMailSettingChange"
+        @update:value="setWizardSettingValue"
         @update-test-mail-to="testMailTo = $event"
         @send-test-mail="sendSetupTestMail"
         @previous="onPrevious"
         @next="onStepNext"
       />
 
-      <SetupWizardSettingsStep
-        v-show="displaySteps[currentStep]?.type === 'registration'"
-        v-bind="registrationStepProps"
+      <SetupWizardRegistrationStep
+        v-show="displaySteps[currentStep]?.key === 'registration'"
+        :wizard-settings="wizardSettings"
+        :form-settings="formSettings"
+        :show-error="showError"
+        :error-message="errorMessage"
+        :all-settings-loaded="allSettingsLoaded"
         @download-template="downloadImportTemplate"
         @open-import-modal="openImportModal"
+        @update:value="setWizardSettingValue"
         @previous="onPrevious"
         @next="onStepNext"
       />
 
       <SetupWizardSummaryStep
-        v-show="displaySteps[currentStep]?.type === 'summary'"
+        v-show="displaySteps[currentStep]?.key === 'summary'"
         :all-settings-loaded="allSettingsLoaded"
         :has-admin="hasAdmin"
         :form-data="formData"
+        :wizard-settings="wizardSettings"
+        :form-settings="formSettings"
         :summary-field-groups="summaryFieldGroups"
         :settings-from-file="settingsFromFile"
         :show-file-settings="showFileSettings"
         :current-step="currentStep"
         :finishing="finishing"
-        :setting-label="settingLabel"
-        :summary-setting-value="summarySettingValue"
         @download-template="downloadImportTemplate"
         @open-import-modal="openImportModal"
         @toggle-show-file-settings="showFileSettings = !showFileSettings"
@@ -123,7 +145,7 @@
 <script>
 /**
  * First-time setup wizard: Admin, General (optional Moodle + JSON import), Mail, Registration, Summary.
- * Fetches /setup/config for steps and wizardSettings. On Finish, calls settingSave and redirects.
+ * Loads /setup/config (steps, wizardStepTypes, and wizardSettings). On Finish uses POST /setup/complete.
  *
  * @author Mohammad Elwan
  */
@@ -131,7 +153,9 @@ import IconAsset from "@/basic/icon/IconAsset.vue";
 import BasicButton from "@/basic/Button.vue";
 import Modal from "@/basic/Modal.vue";
 import SetupWizardAdminStep from "@/components/wizard/SetupWizardAdminStep.vue";
-import SetupWizardSettingsStep from "@/components/wizard/SetupWizardSettingsStep.vue";
+import SetupWizardGeneralStep from "@/components/wizard/SetupWizardGeneralStep.vue";
+import SetupWizardMailStep from "@/components/wizard/SetupWizardMailStep.vue";
+import SetupWizardRegistrationStep from "@/components/wizard/SetupWizardRegistrationStep.vue";
 import SetupWizardSummaryStep from "@/components/wizard/SetupWizardSummaryStep.vue";
 import axios from "axios";
 import getServerURL from "@/assets/serverUrl";
@@ -144,13 +168,16 @@ export default {
     BasicButton,
     Modal,
     SetupWizardAdminStep,
-    SetupWizardSettingsStep,
+    SetupWizardGeneralStep,
+    SetupWizardMailStep,
+    SetupWizardRegistrationStep,
     SetupWizardSummaryStep,
   },
   data() {
     return {
       currentStep: 0,
       steps: [],
+      wizardStepTypes: [],
       wizardSettings: [],
       hasAdmin: false,
       formData: { userName: "admin", email: "", password: "" },
@@ -170,19 +197,6 @@ export default {
       testMailSending: false,
       testMailMessage: "",
       testMailError: false,
-      subsectionOrder: {
-        general: [
-          "Copyright and consent",
-          "Terms and conditions",
-          "Login options",
-          "Landing page links",
-          "Connection",
-          "Course",
-          "Show inputs",
-        ],
-        mail: ["Mail service", "Sendmail", "SMTP", "Base URL and verification"],
-        registration: ["Enable registration", "Information requested at registration", "Consent options", "Email verification rate limit"],
-      },
     };
   },
   computed: {
@@ -195,69 +209,16 @@ export default {
         : null;
     },
     displaySteps() {
-      const stepTypes = ["admin", "general", "mail", "registration", "summary"];
-      let filtered = this.steps.filter((s) => stepTypes.includes(s.type));
+      const stepKeys = ["admin", "general", "mail", "registration", "summary"];
+      let filtered = this.steps.filter((s) => stepKeys.includes(s.key));
       if (this.hasAdmin) {
-        filtered = filtered.filter((s) => s.type !== "admin");
+        filtered = filtered.filter((s) => s.key !== "admin");
       }
       if (this.settingsFromFile && Object.keys(this.settingsFromFile).length > 0) {
-        filtered = filtered.filter((s) => !["mail", "registration"].includes(s.type));
+        filtered = filtered.filter((s) => !["mail", "registration"].includes(s.key));
       }
       return filtered;
     },
-    generalFieldGroups() {
-      return this.fieldGroupsForStep("general");
-    },
-    moodleSettingsFlat() {
-      const list = (this.wizardSettings || []).filter((s) => s.wizardStep === "moodle");
-      return [...list].sort((a, b) => (a.wizardOrder || 0) - (b.wizardOrder || 0));
-    },
-    mailEnabled() {
-      return this.formSettings["system.mailService.enabled"] === "true";
-    },
-    mailFieldGroups() {
-      const sendmailEnabled = this.formSettings["system.mailService.sendMail.enabled"] === "true";
-      const smtpEnabled = this.formSettings["system.mailService.smtp.enabled"] === "true";
-      const sendmailKey = "system.mailService.sendMail.enabled";
-      const smtpKey = "system.mailService.smtp.enabled";
-
-      const groups = this.fieldGroupsForStep("mail")
-        .map((g) => ({
-          ...g,
-          settings: (g.settings || []).filter((s) => s.key !== "system.mailService.enabled"),
-        }))
-        .filter((g) => g.settings.length > 0);
-
-      const filteredGroups = groups.filter((g) => {
-        if (sendmailEnabled && g.title === "SMTP") return false;
-        if (smtpEnabled && g.title === "Sendmail") return false;
-        return true;
-      });
-
-      const normalizedGroups = filteredGroups
-        .map((g) => {
-          if (g.title === "Sendmail" && !sendmailEnabled) {
-            return { ...g, settings: g.settings.filter((s) => s.key === sendmailKey) };
-          }
-          if (g.title === "SMTP" && !smtpEnabled) {
-            return { ...g, settings: g.settings.filter((s) => s.key === smtpKey) };
-          }
-          return g;
-        })
-        .filter((g) => g.settings.length > 0);
-
-      const forgotPassword = (this.wizardSettings || []).find((s) => s.key === "app.login.forgotPassword");
-      if (forgotPassword && this.mailEnabled) {
-        normalizedGroups.push({ title: "Features that use email", settings: [forgotPassword] });
-      }
-      return normalizedGroups;
-    },
-    registrationFieldGroups() {
-      return this.fieldGroupsForStep("registration").map((g) => ({
-        ...g,
-        settings: (g.settings || []).filter((s) => s.key !== "app.register.terms"),
-      })).filter((g) => g.settings.length > 0);
-    },
     summaryFieldGroups() {
       const stepTitles = {
         general: "General",
@@ -277,58 +238,6 @@ export default {
         settings: byStep[step],
       }));
     },
-    settingsStepBaseProps() {
-      return {
-        allSettingsLoaded: this.allSettingsLoaded,
-        showError: this.showError,
-        errorMessage: this.errorMessage,
-        formSettings: this.formSettings,
-        mailEnabled: this.mailEnabled,
-        testMailTo: this.testMailTo,
-        testMailSending: this.testMailSending,
-        testMailMessage: this.testMailMessage,
-        testMailError: this.testMailError,
-        settingLabel: this.settingLabel,
-        settingDescription: this.settingDescription,
-        currentStep: this.currentStep,
-      };
-    },
-    generalStepProps() {
-      return {
-        ...this.settingsStepBaseProps,
-        stepType: "general",
-        settingsFromFile: this.settingsFromFile,
-        generalFieldGroups: this.generalFieldGroups,
-        moodleSettingsFlat: this.moodleSettingsFlat,
-        mailFieldGroups: [],
-        registrationFieldGroups: [],
-        settingsTouched: this.settingsTouched,
-      };
-    },
-    mailStepProps() {
-      return {
-        ...this.settingsStepBaseProps,
-        stepType: "mail",
-        settingsFromFile: null,
-        generalFieldGroups: [],
-        moodleSettingsFlat: [],
-        mailFieldGroups: this.mailFieldGroups,
-        registrationFieldGroups: [],
-        settingsTouched: false,
-      };
-    },
-    registrationStepProps() {
-      return {
-        ...this.settingsStepBaseProps,
-        stepType: "registration",
-        settingsFromFile: null,
-        generalFieldGroups: [],
-        moodleSettingsFlat: [],
-        mailFieldGroups: [],
-        registrationFieldGroups: this.registrationFieldGroups,
-        settingsTouched: false,
-      };
-    },
     validUserName() {
       return typeof this.formData.userName === "string" && this.formData.userName.trim() !== "";
     },
@@ -338,13 +247,18 @@ export default {
       return /^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(e.trim());
     },
     validPassword() {
-      return typeof this.formData.password === "string" && this.formData.password.length >= 8;
+      const p = this.formData.password || "";
+      return typeof p === "string"
+        && p.length >= 8
+        && !/^\s*$/.test(p)
+        && !/[\x00-\x1F\x7F]/.test(p)
+        && ![...p].some((c) => (c.codePointAt(0) || 0) > 0xFFFF);
     },
     adminFormValid() {
       return this.validUserName && this.validEmail && this.validPassword;
     },
-    currentStepType() {
-      return this.displaySteps[this.currentStep]?.type;
+    currentStepKey() {
+      return this.displaySteps[this.currentStep]?.key;
     },
     settingsStepValid() {
       if (this.settingsFromFile && Object.keys(this.settingsFromFile).length > 0) {
@@ -355,8 +269,8 @@ export default {
         });
         return missing.length === 0;
       }
-      const stepType = this.currentStepType;
-      const stepSettings = (this.wizardSettings || []).filter((s) => s.wizardStep === stepType);
+      const stepKey = this.currentStepKey;
+      const stepSettings = (this.wizardSettings || []).filter((s) => s.wizardStep === stepKey);
       const required = stepSettings.filter((s) => s.requiredInWizard);
       return required.every(
         (s) => this.formSettings[s.key] != null && String(this.formSettings[s.key]).trim() !== ""
@@ -386,6 +300,9 @@ export default {
     if (config.data && config.data.steps) {
       this.steps = config.data.steps;
     }
+    if (config.data && Array.isArray(config.data.wizardStepTypes)) {
+      this.wizardStepTypes = config.data.wizardStepTypes;
+    }
     if (config.data && config.data.wizardSettings) {
       this.wizardSettings = config.data.wizardSettings;
       this.formSettings = config.data.wizardSettings.reduce((acc, s) => {
@@ -410,11 +327,12 @@ export default {
       return String(v);
     },
     /**
-     * Handle mail step setting changes.
-     * @param {string} key - Setting key
-     * @param {string} value - New value ('true' or 'false')
+     * Handle setting change from General, Mail, or Registration. Turning sendmail or SMTP on
+     * clears the other transport.
+     * @param {string} key          - Setting key
+     * @param {string|number} value - New value
      */
-    onMailSettingChange(key, value) {
+    setWizardSettingValue(key, value) {
       this.formSettings[key] = value;
 
       const sendmailKey = "system.mailService.sendMail.enabled";
@@ -426,46 +344,8 @@ export default {
         this.formSettings[sendmailKey] = "false";
       }
     },
-    /**
-     * Group wizard settings by displaySubsection for a given step.
-     * @param {string} stepType - general, mail, registration, moodle
-     * @returns {Array<{title: string, settings: object[]}>}
-     */
-    fieldGroupsForStep(stepType) {
-      const settings = (this.wizardSettings || []).filter((s) => s.wizardStep === stepType);
-      if (!settings.length) return [];
-      const order = this.subsectionOrder[stepType];
-      const bySubsection = {};
-      for (const s of settings) {
-        const sub = s.displaySubsection || "";
-        if (!bySubsection[sub]) bySubsection[sub] = [];
-        bySubsection[sub].push(s);
-      }
-      const result = [];
-      if (order) {
-        for (const title of order) {
-          if (bySubsection[title]?.length) {
-            result.push({ title, settings: bySubsection[title] });
-          }
-        }
-      }
-      for (const [title, settingsList] of Object.entries(bySubsection)) {
-        if (!order || !order.includes(title)) {
-          result.push({ title: title || "", settings: settingsList });
-        }
-      }
-      return result.length ? result : [{ title: "", settings }];
-    },
-    settingsForStep(stepType) {
-      return (this.wizardSettings || []).filter((s) => s.wizardStep === stepType);
-    },
-    settingLabel(key) {
-      const s = (this.wizardSettings || []).find((x) => x.key === key);
-      return s?.displayName || key;
-    },
-    settingDescription(key) {
-      const s = (this.wizardSettings || []).find((x) => x.key === key);
-      return s?.description || null;
+    setAdminField(field, value) {
+      this.formData[field] = value;
     },
     checkVal(key) {
       this.validity[key] = true;
@@ -509,7 +389,7 @@ export default {
       }
     },
     onPrevious() {
-      if (this.displaySteps[this.currentStep]?.type === "summary") {
+      if (this.displaySteps[this.currentStep]?.key === "summary") {
         this.clearImport();
       }
       this.currentStep--;
@@ -517,7 +397,7 @@ export default {
     onStepNext() {
       this.settingsTouched = true;
       if (!this.settingsStepValid) {
-        if (this.settingsFromFile && Object.keys(this.settingsFromFile).length > 0 && this.currentStepType === "general") {
+        if (this.settingsFromFile && Object.keys(this.settingsFromFile).length > 0 && this.currentStepKey === "general") {
           this.showError = true;
           const required = (this.wizardSettings || []).filter((s) => s.requiredInWizard);
           const missing = required.filter((s) => {
@@ -624,7 +504,7 @@ export default {
           this.importFile = null;
           if (this.$refs.jsonFileInput) this.$refs.jsonFileInput.value = "";
           const nextSteps = this.displaySteps || [];
-          const summaryIndex = nextSteps.findIndex((s) => s?.type === "summary");
+          const summaryIndex = nextSteps.findIndex((s) => s?.key === "summary");
           this.currentStep = summaryIndex >= 0 ? summaryIndex : Math.max(nextSteps.length - 1, 0);
           this.$refs.importModal.close();
           this.showError = false;
@@ -688,12 +568,6 @@ export default {
       }
       return out;
     },
-    summarySettingValue(key) {
-      if (this.settingsFromFile && Object.prototype.hasOwnProperty.call(this.settingsFromFile, key)) {
-        return this.settingsFromFile[key];
-      }
-      return this.formSettings[key] != null ? this.formSettings[key] : "—";
-    },
     async finish() {
       this.settingsTouched = true;
       this.showError = false;
diff --git a/frontend/src/components/wizard/SetupWizardAdminStep.vue b/frontend/src/components/wizard/SetupWizardAdminStep.vue
index 410b642ce..8189509da 100644
--- a/frontend/src/components/wizard/SetupWizardAdminStep.vue
+++ b/frontend/src/components/wizard/SetupWizardAdminStep.vue
@@ -1,6 +1,8 @@
 <template>
   <div class="card">
-    <div class="card-header step-card-header">Setup – Admin account</div>
+    <div class="card-header step-card-header d-flex flex-wrap justify-content-between align-items-center gap-2">
+      <span>Setup – Admin account</span>
+    </div>
     <div class="card-body mx-4 my-4">
       <p class="text-muted mb-3">
         No administrator account exists. Enter credentials now; the account is created on Finish.
@@ -12,12 +14,13 @@
           <div class="col-md-6">
             <input
               id="setup-username"
-              v-model="formData.userName"
+              :value="formData.userName"
               autocomplete="username"
               class="form-control"
               placeholder="admin"
               type="text"
               @blur="$emit('check-val', 'userName')"
+              @input="$emit('update-admin-field', 'userName', $event.target.value)"
             />
             <div class="feedback-invalid" :class="{invalid: validity['userName'] && !validUserName}">
               Please provide a user name.
@@ -29,12 +32,13 @@
           <div class="col-md-6">
             <input
               id="setup-email"
-              v-model="formData.email"
+              :value="formData.email"
               autocomplete="email"
               class="form-control"
               placeholder="admin@example.com"
               type="email"
               @blur="$emit('check-val', 'email')"
+              @input="$emit('update-admin-field', 'email', $event.target.value)"
             />
             <div class="feedback-invalid" :class="{invalid: validity['email'] && !validEmail}">
               Please provide a valid email.
@@ -46,20 +50,21 @@
           <div class="col-md-6">
             <input
               id="setup-password"
-              v-model="formData.password"
+              :value="formData.password"
               autocomplete="new-password"
               class="form-control"
               placeholder="Min. 8 characters"
               type="password"
               @blur="$emit('check-val', 'password')"
+              @input="$emit('update-admin-field', 'password', $event.target.value)"
             />
             <div class="feedback-invalid" :class="{invalid: validity['password'] && !validPassword}">
-              Please provide a password of at least 8 characters.
+              Password must be at least 8 characters. Use letters, numbers, and standard punctuation; no spaces-only or emojis.
             </div>
           </div>
         </div>
         <div class="col-md-6 offset-md-4 my-4">
-          <BasicButton class="btn btn-primary" title="Continue" @click="$emit('submit-admin')" />
+          <BasicButton class="btn btn-primary" title="Next" @click="$emit('submit-admin')" />
         </div>
       </form>
     </div>
@@ -69,6 +74,10 @@
 <script>
 import BasicButton from "@/basic/Button.vue";
 
+/**
+ * Renders the first-time setup wizard admin account step: username, email, password, and
+ * validation text under each field when the value is invalid.
+ */
 export default {
   name: "SetupWizardAdminStep",
   components: { BasicButton },
@@ -102,7 +111,7 @@ export default {
       required: true,
     },
   },
-  emits: ["check-val", "submit-admin"],
+  emits: ["check-val", "submit-admin", "update-admin-field"],
 };
 </script>
 
diff --git a/frontend/src/components/wizard/SetupWizardGeneralStep.vue b/frontend/src/components/wizard/SetupWizardGeneralStep.vue
new file mode 100644
index 000000000..d64e32d59
--- /dev/null
+++ b/frontend/src/components/wizard/SetupWizardGeneralStep.vue
@@ -0,0 +1,337 @@
+<template>
+  <div class="card">
+    <div class="card-header step-card-header d-flex flex-wrap justify-content-between align-items-center gap-2">
+      <span>General Settings</span>
+      <div class="d-flex flex-wrap gap-2">
+        <BasicButton
+          class="btn btn-outline-secondary btn-sm"
+          text="Download template"
+          :disabled="!allSettingsLoaded"
+          :tooltip="allSettingsLoaded ? 'Download JSON: full settings snapshot with current wizard values applied' : 'Available after settings load'"
+          @click="$emit('download-template')"
+        />
+        <BasicButton
+          class="btn btn-outline-secondary btn-sm"
+          text="Import from previous instance"
+          tooltip="Load settings from a JSON file exported from another CARE instance"
+          @click="$emit('open-import-modal')"
+        />
+      </div>
+    </div>
+    <div class="card-body mx-4 my-4">
+      <p v-if="showError" class="text-danger text-center">{{ errorMessage }}</p>
+
+      <template v-if="settingsFromFile && Object.keys(settingsFromFile).length > 0">
+        <p class="text-success mb-2">
+          Loaded {{ Object.keys(settingsFromFile).length }} setting(s) from file. Click Next to continue to the summary.
+        </p>
+        <button
+          class="btn btn-link btn-sm p-0 text-secondary"
+          type="button"
+          @click="$emit('clear-import')"
+        >
+          Clear and configure manually instead
+        </button>
+      </template>
+      <template v-else>
+        <p class="text-muted mb-3">
+          Configure copyright notice, consent requirements, guest access, and links shown on the landing page.
+        </p>
+
+        <div v-for="group in generalFieldGroups" :key="group.title" class="mb-4">
+          <h6 v-if="group.title" class="step-group-heading text-muted border-bottom pb-1 mb-3">
+            {{ group.title }}
+          </h6>
+          <div v-for="s in group.settings" :key="s.key" class="form-group row my-2">
+            <label
+              class="col-md-4 col-form-label text-md-right"
+              :for="'set-' + s.key"
+              @click="(s.type === 'boolean' || s.type === 'bool') && $event.preventDefault()"
+            >
+              {{ settingLabel(s.key) }}
+            </label>
+            <div class="col-md-6 d-flex flex-column">
+              <template v-if="s.type === 'boolean' || s.type === 'bool'">
+                <div class="form-check form-switch">
+                  <input
+                    :id="'set-' + s.key"
+                    :checked="formSettings[s.key] === 'true'"
+                    class="form-check-input"
+                    type="checkbox"
+                    @change="$emit('update:value', s.key, $event.target.checked ? 'true' : 'false')"
+                  />
+                </div>
+              </template>
+              <template v-else-if="s.key === 'app.register.terms'">
+                <div class="d-flex align-items-center flex-wrap gap-2">
+                  <EditorModal
+                    :model-value="formSettings[s.key]"
+                    :title="'Edit ' + settingLabel(s.key)"
+                    @update:model-value="$emit('update:value', s.key, $event)"
+                  />
+                  <span class="small text-muted">Open the editor to change terms and conditions.</span>
+                </div>
+              </template>
+              <template v-else-if="s.type === 'edits'">
+                <textarea
+                  :id="'set-' + s.key"
+                  :value="formSettings[s.key]"
+                  class="form-control w-100"
+                  rows="5"
+                  @input="$emit('update:value', s.key, $event.target.value)"
+                />
+              </template>
+              <input
+                v-else-if="s.type === 'integer'"
+                :id="'set-' + s.key"
+                :value="formSettings[s.key]"
+                class="form-control"
+                type="number"
+                @input="onIntegerInput(s.key, $event)"
+              />
+              <input
+                v-else
+                :id="'set-' + s.key"
+                :value="formSettings[s.key]"
+                class="form-control"
+                type="text"
+                @input="$emit('update:value', s.key, $event.target.value)"
+              />
+              <div v-if="settingDescription(s.key) || s.description" class="small text-muted mt-1">
+                {{ settingDescription(s.key) || s.description }}
+              </div>
+            </div>
+            <div v-if="s.requiredInWizard" class="col-md-6 offset-md-4">
+              <div
+                class="feedback-invalid"
+                :class="{invalid: settingsTouched && !(formSettings[s.key] != null && String(formSettings[s.key]).trim() !== '')}"
+              >
+                This field is required.
+              </div>
+            </div>
+          </div>
+        </div>
+
+        <div v-if="moodleSettingsFlat.length" class="mb-4 mt-4">
+          <h6 class="step-group-heading text-muted border-bottom pb-1 mb-2">
+            Moodle <span class="fw-normal small">(optional)</span>
+          </h6>
+          <p class="small text-muted mb-3">
+            Configure Moodle if you use it for enrollments or submissions. You can change these later under Settings -> Moodle.
+          </p>
+          <div v-for="s in moodleSettingsFlat" :key="s.key" class="form-group row my-2">
+            <label
+              class="col-md-4 col-form-label text-md-right"
+              :for="'set-' + s.key"
+              @click="(s.type === 'boolean' || s.type === 'bool') && $event.preventDefault()"
+            >
+              {{ settingLabel(s.key) }}
+            </label>
+            <div class="col-md-6 d-flex flex-column">
+              <template v-if="s.type === 'boolean' || s.type === 'bool'">
+                <div class="form-check form-switch">
+                  <input
+                    :id="'set-' + s.key"
+                    :checked="formSettings[s.key] === 'true'"
+                    class="form-check-input"
+                    type="checkbox"
+                    @change="$emit('update:value', s.key, $event.target.checked ? 'true' : 'false')"
+                  />
+                </div>
+              </template>
+              <input
+                v-else-if="s.type === 'integer'"
+                :id="'set-' + s.key"
+                :value="formSettings[s.key]"
+                class="form-control"
+                type="number"
+                @input="onIntegerInput(s.key, $event)"
+              />
+              <input
+                v-else
+                :id="'set-' + s.key"
+                :value="formSettings[s.key]"
+                class="form-control"
+                type="text"
+                @input="$emit('update:value', s.key, $event.target.value)"
+              />
+              <div v-if="settingDescription(s.key) || s.description" class="small text-muted mt-1">
+                {{ settingDescription(s.key) || s.description }}
+              </div>
+            </div>
+          </div>
+        </div>
+      </template>
+
+      <div class="d-flex justify-content-between mt-4">
+        <BasicButton
+          v-if="currentStep > 0"
+          class="btn btn-secondary"
+          title="Previous"
+          @click="$emit('previous')"
+        />
+        <BasicButton
+          class="btn btn-primary"
+          :class="{ 'ms-auto': currentStep === 0 }"
+          title="Next"
+          @click="$emit('next')"
+        />
+      </div>
+    </div>
+  </div>
+</template>
+
+<script>
+import BasicButton from "@/basic/Button.vue";
+import EditorModal from "@/basic/editor/Modal.vue";
+
+/**
+ * Renders the first-time setup wizard general step: subsection-grouped general settings, and optional Moodle fields
+ */
+export default {
+  name: "SetupWizardGeneralStep",
+  components: { BasicButton, EditorModal },
+  props: {
+    wizardSettings: {
+      type: Array,
+      required: true,
+    },
+    formSettings: {
+      type: Object,
+      required: true,
+    },
+    settingsFromFile: {
+      type: Object,
+      required: false,
+      default: null,
+    },
+    settingsTouched: {
+      type: Boolean,
+      required: true,
+    },
+    showError: {
+      type: Boolean,
+      required: true,
+    },
+    errorMessage: {
+      type: String,
+      required: true,
+    },
+    allSettingsLoaded: {
+      type: Boolean,
+      required: true,
+    },
+    currentStep: {
+      type: Number,
+      required: true,
+    },
+  },
+  emits: ["download-template", "open-import-modal", "clear-import", "previous", "next", "update:value"],
+  data() {
+    return {
+      subsectionOrder: [
+        "Copyright and consent",
+        "Terms and conditions",
+        "Login options",
+        "Landing page links",
+        "Connection",
+        "Course",
+        "Show inputs",
+      ],
+    };
+  },
+  computed: {
+    generalFieldGroups() {
+      return this.fieldGroupsForStep("general");
+    },
+    moodleSettingsFlat() {
+      const list = (this.wizardSettings || []).filter((s) => s.wizardStep === "moodle");
+      return [...list].sort((a, b) => (a.wizardOrder || 0) - (b.wizardOrder || 0));
+    },
+  },
+  methods: {
+    /**
+     * Group wizard settings by displaySubsection for a given step.
+     * @param {string} stepType  - Wizard step key
+     * @returns {Array<Object>}  - Each item has title and settings.
+     */
+    fieldGroupsForStep(stepType) {
+      const settings = (this.wizardSettings || []).filter((s) => s.wizardStep === stepType);
+      if (!settings.length) return [];
+      const order = this.subsectionOrder;
+      const bySubsection = {};
+      for (const s of settings) {
+        const sub = s.displaySubsection || "";
+        if (!bySubsection[sub]) bySubsection[sub] = [];
+        bySubsection[sub].push(s);
+      }
+      const result = [];
+      if (order) {
+        for (const title of order) {
+          if (bySubsection[title]?.length) {
+            result.push({ title, settings: bySubsection[title] });
+          }
+        }
+      }
+      for (const [title, settingsList] of Object.entries(bySubsection)) {
+        if (!order || !order.includes(title)) {
+          result.push({ title: title || "", settings: settingsList });
+        }
+      }
+      return result.length ? result : [{ title: "", settings }];
+    },
+    /**
+     * Resolve the display label for a setting key using wizard metadata when available.
+     * @param {string} key  - Setting key.
+     * @returns {string}
+     */
+    settingLabel(key) {
+      const s = (this.wizardSettings || []).find((x) => x.key === key);
+      return s?.displayName || key;
+    },
+    /**
+     * Resolve the description for a setting key from wizard metadata, if defined.
+     * @param {string} key  Setting key.
+     * @returns {string|null}
+     */
+    settingDescription(key) {
+      const s = (this.wizardSettings || []).find((x) => x.key === key);
+      return s?.description || null;
+    },
+    /**
+     * Forward number input updates as a numeric value when possible so `formSettings` matches prior
+     * v-model.number behaviour.
+     * @param {string} key   - Setting key.
+     * @param {Event} event  - Native input event from the number control.
+     */
+    onIntegerInput(key, event) {
+      const raw = event.target.value;
+      const n = raw === "" ? "" : Number(raw);
+      this.$emit("update:value", key, Number.isNaN(n) ? raw : n);
+    },
+  },
+};
+</script>
+
+<style scoped>
+.feedback-invalid {
+  font-size: 0.75em;
+  color: firebrick;
+  visibility: hidden;
+  padding-top: 4px;
+}
+
+.feedback-invalid.invalid {
+  visibility: visible;
+}
+
+.step-group-heading {
+  font-size: 1.1rem;
+  font-weight: 600;
+}
+
+.step-card-header {
+  font-size: 1.2rem;
+  font-weight: 600;
+}
+</style>
diff --git a/frontend/src/components/wizard/SetupWizardMailStep.vue b/frontend/src/components/wizard/SetupWizardMailStep.vue
new file mode 100644
index 000000000..e6f4e7f43
--- /dev/null
+++ b/frontend/src/components/wizard/SetupWizardMailStep.vue
@@ -0,0 +1,292 @@
+<template>
+  <div class="card">
+    <div class="card-header step-card-header d-flex flex-wrap justify-content-between align-items-center gap-2">
+      <span>Mail Configuration</span>
+      <div class="d-flex flex-wrap gap-2">
+        <BasicButton
+          class="btn btn-outline-secondary btn-sm"
+          text="Download template"
+          :disabled="!allSettingsLoaded"
+          :tooltip="allSettingsLoaded ? 'Download JSON: full settings snapshot with current wizard values applied' : 'Available after settings load'"
+          @click="$emit('download-template')"
+        />
+        <BasicButton
+          class="btn btn-outline-secondary btn-sm"
+          text="Import from previous instance"
+          tooltip="Load settings from a JSON file exported from another CARE instance"
+          @click="$emit('open-import-modal')"
+        />
+      </div>
+    </div>
+    <div class="card-body mx-4 my-4">
+      <p v-if="showError" class="text-danger text-center">{{ errorMessage }}</p>
+
+      <div class="form-check form-switch mb-3">
+        <input
+          id="mail-enabled"
+          :checked="formSettings['system.mailService.enabled'] === 'true'"
+          class="form-check-input"
+          type="checkbox"
+          @change="$emit('update:value', 'system.mailService.enabled', $event.target.checked ? 'true' : 'false')"
+        />
+        <label class="form-check-label" for="mail-enabled" @click.prevent>
+          Enable email service (required for password reset and email verification)
+        </label>
+      </div>
+
+      <template v-if="mailEnabled">
+        <div v-for="group in mailFieldGroups" :key="group.title" class="mb-4">
+          <h6 v-if="group.title" class="step-group-heading text-muted border-bottom pb-1 mb-3">
+            {{ group.title }}
+          </h6>
+          <div v-for="s in group.settings" :key="s.key" class="form-group row my-2">
+            <label
+              class="col-md-4 col-form-label text-md-right"
+              :for="'set-' + s.key"
+              @click="(s.type === 'boolean' || s.type === 'bool') && $event.preventDefault()"
+            >
+              {{ settingLabel(s.key) }}
+            </label>
+            <div class="col-md-6 d-flex flex-column">
+              <template v-if="s.type === 'boolean' || s.type === 'bool'">
+                <div class="form-check form-switch">
+                  <input
+                    :id="'set-' + s.key"
+                    :checked="formSettings[s.key] === 'true'"
+                    class="form-check-input"
+                    type="checkbox"
+                    @change="$emit('update:value', s.key, $event.target.checked ? 'true' : 'false')"
+                  />
+                </div>
+              </template>
+              <template v-else-if="s.type === 'edits'">
+                <textarea
+                  :id="'set-' + s.key"
+                  :value="formSettings[s.key]"
+                  class="form-control w-100"
+                  rows="4"
+                  @input="$emit('update:value', s.key, $event.target.value)"
+                />
+              </template>
+              <input
+                v-else
+                :id="'set-' + s.key"
+                :value="formSettings[s.key]"
+                class="form-control"
+                type="text"
+                @input="$emit('update:value', s.key, $event.target.value)"
+              />
+              <div v-if="settingDescription(s.key) || s.description" class="small text-muted mt-1">
+                {{ settingDescription(s.key) || s.description }}
+              </div>
+            </div>
+          </div>
+        </div>
+
+        <div class="border-top pt-3 mt-4">
+          <h6 class="step-group-heading text-muted border-bottom pb-1 mb-3">Send test email</h6>
+          <p class="small text-muted mb-2">
+            Sends a short fixed message so you can verify delivery before finishing setup.
+          </p>
+          <div class="form-group row my-2">
+            <label class="col-md-4 col-form-label text-md-right" for="setup-test-mail-to">Recipient</label>
+            <div class="col-md-6 d-flex flex-column flex-sm-row gap-2 align-items-sm-start">
+              <input
+                id="setup-test-mail-to"
+                :value="testMailTo"
+                class="form-control"
+                type="email"
+                placeholder="you@example.com"
+                autocomplete="email"
+                @input="$emit('update-test-mail-to', $event.target.value)"
+              />
+              <BasicButton
+                class="btn btn-outline-primary flex-shrink-0"
+                :title="testMailSending ? 'Sending...' : 'Send test email'"
+                :disabled="testMailSending || !testMailTo.trim()"
+                @click="$emit('send-test-mail')"
+              />
+            </div>
+          </div>
+          <p v-if="testMailMessage" class="small mb-0" :class="testMailError ? 'text-danger' : 'text-success'">
+            {{ testMailMessage }}
+          </p>
+        </div>
+      </template>
+
+      <div class="d-flex justify-content-between mt-4">
+        <BasicButton class="btn btn-secondary" title="Previous" @click="$emit('previous')" />
+        <BasicButton class="btn btn-primary ms-auto" title="Next" @click="$emit('next')" />
+      </div>
+    </div>
+  </div>
+</template>
+
+<script>
+import BasicButton from "@/basic/Button.vue";
+
+/**
+ * Renders the first-time setup wizard mail step: mail service master toggle, sendmail versus SMTP subsection
+ * groups, and optional "features that use email" row.
+ */
+export default {
+  name: "SetupWizardMailStep",
+  components: { BasicButton },
+  props: {
+    wizardSettings: {
+      type: Array,
+      required: true,
+    },
+    formSettings: {
+      type: Object,
+      required: true,
+    },
+    showError: {
+      type: Boolean,
+      required: true,
+    },
+    errorMessage: {
+      type: String,
+      required: true,
+    },
+    allSettingsLoaded: {
+      type: Boolean,
+      required: true,
+    },
+    testMailTo: {
+      type: String,
+      required: true,
+    },
+    testMailSending: {
+      type: Boolean,
+      required: true,
+    },
+    testMailMessage: {
+      type: String,
+      required: true,
+    },
+    testMailError: {
+      type: Boolean,
+      required: true,
+    },
+  },
+  emits: [
+    "download-template",
+    "open-import-modal",
+    "update:value",
+    "update-test-mail-to",
+    "send-test-mail",
+    "previous",
+    "next",
+  ],
+  data() {
+    return {
+      subsectionOrder: ["Mail service", "Sendmail", "SMTP", "Base URL and verification"],
+    };
+  },
+  computed: {
+    mailEnabled() {
+      return this.formSettings["system.mailService.enabled"] === "true";
+    },
+    mailFieldGroups() {
+      const sendmailEnabled = this.formSettings["system.mailService.sendMail.enabled"] === "true";
+      const smtpEnabled = this.formSettings["system.mailService.smtp.enabled"] === "true";
+      const sendmailKey = "system.mailService.sendMail.enabled";
+      const smtpKey = "system.mailService.smtp.enabled";
+
+      const groups = this.fieldGroupsForStep("mail")
+        .map((g) => ({
+          ...g,
+          settings: (g.settings || []).filter((s) => s.key !== "system.mailService.enabled"),
+        }))
+        .filter((g) => g.settings.length > 0);
+
+      const filteredGroups = groups.filter((g) => {
+        if (sendmailEnabled && g.title === "SMTP") return false;
+        if (smtpEnabled && g.title === "Sendmail") return false;
+        return true;
+      });
+
+      const normalizedGroups = filteredGroups
+        .map((g) => {
+          if (g.title === "Sendmail" && !sendmailEnabled) {
+            return { ...g, settings: g.settings.filter((s) => s.key === sendmailKey) };
+          }
+          if (g.title === "SMTP" && !smtpEnabled) {
+            return { ...g, settings: g.settings.filter((s) => s.key === smtpKey) };
+          }
+          return g;
+        })
+        .filter((g) => g.settings.length > 0);
+
+      const forgotPassword = (this.wizardSettings || []).find((s) => s.key === "app.login.forgotPassword");
+      if (forgotPassword && this.mailEnabled) {
+        normalizedGroups.push({ title: "Features that use email", settings: [forgotPassword] });
+      }
+      return normalizedGroups;
+    },
+  },
+  methods: {
+    /**
+     * Group wizard settings by displaySubsection for a given step.
+     * @param {string} stepType  Wizard step key
+     * @returns {Array<Object>} Each item has title and settings.
+     */
+    fieldGroupsForStep(stepType) {
+      const settings = (this.wizardSettings || []).filter((s) => s.wizardStep === stepType);
+      if (!settings.length) return [];
+      const order = this.subsectionOrder;
+      const bySubsection = {};
+      for (const s of settings) {
+        const sub = s.displaySubsection || "";
+        if (!bySubsection[sub]) bySubsection[sub] = [];
+        bySubsection[sub].push(s);
+      }
+      const result = [];
+      if (order) {
+        for (const title of order) {
+          if (bySubsection[title]?.length) {
+            result.push({ title, settings: bySubsection[title] });
+          }
+        }
+      }
+      for (const [title, settingsList] of Object.entries(bySubsection)) {
+        if (!order || !order.includes(title)) {
+          result.push({ title: title || "", settings: settingsList });
+        }
+      }
+      return result.length ? result : [{ title: "", settings }];
+    },
+    /**
+     * Resolve the display label for a setting key using wizard metadata when available.
+     * @param {string} key  Setting key.
+     * @returns {string}
+     */
+    settingLabel(key) {
+      const s = (this.wizardSettings || []).find((x) => x.key === key);
+      return s?.displayName || key;
+    },
+    /**
+     * Resolve the description for a setting key from wizard metadata, if defined.
+     * @param {string} key  Setting key.
+     * @returns {string|null}
+     */
+    settingDescription(key) {
+      const s = (this.wizardSettings || []).find((x) => x.key === key);
+      return s?.description || null;
+    },
+  },
+};
+</script>
+
+<style scoped>
+.step-group-heading {
+  font-size: 1.1rem;
+  font-weight: 600;
+}
+
+.step-card-header {
+  font-size: 1.2rem;
+  font-weight: 600;
+}
+</style>
diff --git a/frontend/src/components/wizard/SetupWizardRegistrationStep.vue b/frontend/src/components/wizard/SetupWizardRegistrationStep.vue
new file mode 100644
index 000000000..c6229f8d8
--- /dev/null
+++ b/frontend/src/components/wizard/SetupWizardRegistrationStep.vue
@@ -0,0 +1,225 @@
+<template>
+  <div class="card">
+    <div class="card-header step-card-header d-flex flex-wrap justify-content-between align-items-center gap-2">
+      <span>User Registration</span>
+      <div class="d-flex flex-wrap gap-2">
+        <BasicButton
+          class="btn btn-outline-secondary btn-sm"
+          text="Download template"
+          :disabled="!allSettingsLoaded"
+          :tooltip="allSettingsLoaded ? 'Download JSON: full settings snapshot with current wizard values applied' : 'Available after settings load'"
+          @click="$emit('download-template')"
+        />
+        <BasicButton
+          class="btn btn-outline-secondary btn-sm"
+          text="Import from previous instance"
+          tooltip="Load settings from a JSON file exported from another CARE instance"
+          @click="$emit('open-import-modal')"
+        />
+      </div>
+    </div>
+    <div class="card-body mx-4 my-4">
+      <p v-if="showError" class="text-danger text-center">{{ errorMessage }}</p>
+
+      <p class="text-muted mb-3">
+        Configure which information and consents are requested from users during registration.
+      </p>
+      <div v-for="group in registrationFieldGroups" :key="group.title" class="mb-4">
+        <h6 v-if="group.title" class="step-group-heading text-muted border-bottom pb-1 mb-3">
+          {{ group.title }}
+        </h6>
+        <div v-for="s in group.settings" :key="s.key" class="form-group row my-2">
+          <label
+            class="col-md-4 col-form-label text-md-right"
+            :for="'set-' + s.key"
+            @click="(s.type === 'boolean' || s.type === 'bool') && $event.preventDefault()"
+          >
+            {{ settingLabel(s.key) }}
+          </label>
+          <div class="col-md-6 d-flex flex-column">
+            <template v-if="s.type === 'boolean' || s.type === 'bool'">
+              <div class="form-check form-switch">
+                <input
+                  :id="'set-' + s.key"
+                  :checked="formSettings[s.key] === 'true'"
+                  class="form-check-input"
+                  type="checkbox"
+                  @change="$emit('update:value', s.key, $event.target.checked ? 'true' : 'false')"
+                />
+              </div>
+            </template>
+            <template v-else-if="s.type === 'edits'">
+              <textarea
+                :id="'set-' + s.key"
+                :value="formSettings[s.key]"
+                class="form-control w-100"
+                rows="4"
+                @input="$emit('update:value', s.key, $event.target.value)"
+              />
+            </template>
+            <input
+              v-else
+              :id="'set-' + s.key"
+              :value="formSettings[s.key]"
+              class="form-control"
+              type="text"
+              @input="$emit('update:value', s.key, $event.target.value)"
+            />
+            <div v-if="settingDescription(s.key) || s.description" class="small text-muted mt-1">
+              {{ settingDescription(s.key) || s.description }}
+            </div>
+          </div>
+        </div>
+      </div>
+
+      <div v-if="mailEnabled" class="mb-4">
+        <h6 class="step-group-heading text-muted border-bottom pb-1 mb-3">Email verification</h6>
+        <div class="form-group row my-2">
+          <label class="col-md-4 col-form-label text-md-right" for="email-verification-reg" @click.prevent>
+            {{ settingLabel("app.register.emailVerification") }}
+          </label>
+          <div class="col-md-6 d-flex flex-column">
+            <div class="form-check form-switch">
+              <input
+                id="email-verification-reg"
+                :checked="formSettings['app.register.emailVerification'] === 'true'"
+                class="form-check-input"
+                type="checkbox"
+                @change="$emit('update:value', 'app.register.emailVerification', $event.target.checked ? 'true' : 'false')"
+              />
+            </div>
+            <div class="small text-muted mt-1">
+              Require new users to verify their email address before accessing the application.
+            </div>
+          </div>
+        </div>
+      </div>
+
+      <div class="d-flex justify-content-between mt-4">
+        <BasicButton class="btn btn-secondary" title="Previous" @click="$emit('previous')" />
+        <BasicButton class="btn btn-primary ms-auto" title="Next" @click="$emit('next')" />
+      </div>
+    </div>
+  </div>
+</template>
+
+<script>
+import BasicButton from "@/basic/Button.vue";
+
+/**
+ * Renders the first-time setup wizard registration step: subsection-grouped registration settings,
+ * and email verification controls when mail is enabled.
+ */
+export default {
+  name: "SetupWizardRegistrationStep",
+  components: { BasicButton },
+  props: {
+    wizardSettings: {
+      type: Array,
+      required: true,
+    },
+    formSettings: {
+      type: Object,
+      required: true,
+    },
+    showError: {
+      type: Boolean,
+      required: true,
+    },
+    errorMessage: {
+      type: String,
+      required: true,
+    },
+    allSettingsLoaded: {
+      type: Boolean,
+      required: true,
+    },
+  },
+  emits: ["download-template", "open-import-modal", "previous", "next", "update:value"],
+  data() {
+    return {
+      subsectionOrder: [
+        "Enable registration",
+        "Information requested at registration",
+        "Consent options",
+        "Email verification rate limit",
+      ],
+    };
+  },
+  computed: {
+    mailEnabled() {
+      return this.formSettings["system.mailService.enabled"] === "true";
+    },
+    registrationFieldGroups() {
+      return this.fieldGroupsForStep("registration")
+        .map((g) => ({
+          ...g,
+          settings: (g.settings || []).filter((s) => s.key !== "app.register.terms"),
+        }))
+        .filter((g) => g.settings.length > 0);
+    },
+  },
+  methods: {
+    /**
+     * Group wizard settings by displaySubsection for a given step.
+     * @param {string} stepType  Wizard step key
+     * @returns {Array<Object>}  Each item has title and settings.
+     */
+    fieldGroupsForStep(stepType) {
+      const settings = (this.wizardSettings || []).filter((s) => s.wizardStep === stepType);
+      if (!settings.length) return [];
+      const order = this.subsectionOrder;
+      const bySubsection = {};
+      for (const s of settings) {
+        const sub = s.displaySubsection || "";
+        if (!bySubsection[sub]) bySubsection[sub] = [];
+        bySubsection[sub].push(s);
+      }
+      const result = [];
+      if (order) {
+        for (const title of order) {
+          if (bySubsection[title]?.length) {
+            result.push({ title, settings: bySubsection[title] });
+          }
+        }
+      }
+      for (const [title, settingsList] of Object.entries(bySubsection)) {
+        if (!order || !order.includes(title)) {
+          result.push({ title: title || "", settings: settingsList });
+        }
+      }
+      return result.length ? result : [{ title: "", settings }];
+    },
+    /**
+     * Resolve the display label for a setting key using wizard metadata when available.
+     * @param {string} key  Setting key.
+     * @returns {string}
+     */
+    settingLabel(key) {
+      const s = (this.wizardSettings || []).find((x) => x.key === key);
+      return s?.displayName || key;
+    },
+    /**
+     * Resolve the description for a setting key from wizard metadata, if defined.
+     * @param {string} key  Setting key.
+     * @returns {string|null}
+     */
+    settingDescription(key) {
+      const s = (this.wizardSettings || []).find((x) => x.key === key);
+      return s?.description || null;
+    },
+  },
+};
+</script>
+
+<style scoped>
+.step-group-heading {
+  font-size: 1.1rem;
+  font-weight: 600;
+}
+
+.step-card-header {
+  font-size: 1.2rem;
+  font-weight: 600;
+}
+</style>
diff --git a/frontend/src/components/wizard/SetupWizardSettingsStep.vue b/frontend/src/components/wizard/SetupWizardSettingsStep.vue
deleted file mode 100644
index ce36a6f7b..000000000
--- a/frontend/src/components/wizard/SetupWizardSettingsStep.vue
+++ /dev/null
@@ -1,478 +0,0 @@
-<template>
-  <div class="card">
-    <div class="card-header step-card-header d-flex flex-wrap justify-content-between align-items-center gap-2">
-      <span>{{ stepTitle }}</span>
-      <div class="d-flex flex-wrap gap-2">
-        <BasicButton
-          class="btn btn-outline-secondary btn-sm"
-          text="Download template"
-          :disabled="!allSettingsLoaded"
-          :tooltip="allSettingsLoaded ? 'Download JSON: full settings snapshot with current wizard values applied' : 'Available after settings load'"
-          @click="$emit('download-template')"
-        />
-        <BasicButton
-          class="btn btn-outline-secondary btn-sm"
-          text="Import from previous instance"
-          tooltip="Load settings from a JSON file exported from another CARE instance"
-          @click="$emit('open-import-modal')"
-        />
-      </div>
-    </div>
-    <div class="card-body mx-4 my-4">
-      <p v-if="showError" class="text-danger text-center">{{ errorMessage }}</p>
-
-      <template v-if="stepType === 'general'">
-        <template v-if="settingsFromFile && Object.keys(settingsFromFile).length > 0">
-          <p class="text-success mb-2">
-            Loaded {{ Object.keys(settingsFromFile).length }} setting(s) from file. Click Next to continue to the summary.
-          </p>
-          <button
-            class="btn btn-link btn-sm p-0 text-secondary"
-            type="button"
-            @click="$emit('clear-import')"
-          >
-            Clear and configure manually instead
-          </button>
-        </template>
-        <template v-else>
-          <p class="text-muted mb-3">
-            Configure copyright notice, consent requirements, guest access, and links shown on the landing page.
-          </p>
-
-          <div v-for="group in generalFieldGroups" :key="group.title" class="mb-4">
-            <h6 v-if="group.title" class="step-group-heading text-muted border-bottom pb-1 mb-3">
-              {{ group.title }}
-            </h6>
-            <div v-for="s in group.settings" :key="s.key" class="form-group row my-2">
-              <label
-                class="col-md-4 col-form-label text-md-right"
-                :for="'set-' + s.key"
-                @click="(s.type === 'boolean' || s.type === 'bool') && $event.preventDefault()"
-              >
-                {{ settingLabel(s.key) }}
-              </label>
-              <div class="col-md-6 d-flex flex-column">
-                <template v-if="s.type === 'boolean' || s.type === 'bool'">
-                  <div class="form-check form-switch">
-                    <input
-                      :id="'set-' + s.key"
-                      :checked="formSettings[s.key] === 'true'"
-                      class="form-check-input"
-                      type="checkbox"
-                      @change="formSettings[s.key] = $event.target.checked ? 'true' : 'false'"
-                    />
-                  </div>
-                </template>
-                <template v-else-if="s.key === 'app.register.terms'">
-                  <div class="d-flex align-items-center flex-wrap gap-2">
-                    <EditorModal
-                      :model-value="formSettings[s.key]"
-                      :title="'Edit ' + settingLabel(s.key)"
-                      @update:model-value="formSettings[s.key] = $event"
-                    />
-                    <span class="small text-muted">Open the editor to change terms and conditions.</span>
-                  </div>
-                </template>
-                <template v-else-if="s.type === 'edits'">
-                  <textarea
-                    :id="'set-' + s.key"
-                    v-model="formSettings[s.key]"
-                    class="form-control w-100"
-                    rows="5"
-                  />
-                </template>
-                <input
-                  v-else-if="s.type === 'integer'"
-                  :id="'set-' + s.key"
-                  v-model.number="formSettings[s.key]"
-                  class="form-control"
-                  type="number"
-                />
-                <input
-                  v-else
-                  :id="'set-' + s.key"
-                  v-model="formSettings[s.key]"
-                  class="form-control"
-                  type="text"
-                />
-                <div v-if="settingDescription(s.key) || s.description" class="small text-muted mt-1">
-                  {{ settingDescription(s.key) || s.description }}
-                </div>
-              </div>
-              <div v-if="s.requiredInWizard" class="col-md-6 offset-md-4">
-                <div class="feedback-invalid" :class="{invalid: settingsTouched && !(formSettings[s.key] != null && String(formSettings[s.key]).trim() !== '')}">
-                  This field is required.
-                </div>
-              </div>
-            </div>
-          </div>
-
-          <div v-if="moodleSettingsFlat.length" class="mb-4 mt-4">
-            <h6 class="step-group-heading text-muted border-bottom pb-1 mb-2">
-              Moodle <span class="fw-normal small">(optional)</span>
-            </h6>
-            <p class="small text-muted mb-3">
-              Configure Moodle if you use it for enrollments or submissions. You can change these later under Settings -> Moodle.
-            </p>
-            <div v-for="s in moodleSettingsFlat" :key="s.key" class="form-group row my-2">
-              <label
-                class="col-md-4 col-form-label text-md-right"
-                :for="'set-' + s.key"
-                @click="(s.type === 'boolean' || s.type === 'bool') && $event.preventDefault()"
-              >
-                {{ settingLabel(s.key) }}
-              </label>
-              <div class="col-md-6 d-flex flex-column">
-                <template v-if="s.type === 'boolean' || s.type === 'bool'">
-                  <div class="form-check form-switch">
-                    <input
-                      :id="'set-' + s.key"
-                      :checked="formSettings[s.key] === 'true'"
-                      class="form-check-input"
-                      type="checkbox"
-                      @change="formSettings[s.key] = $event.target.checked ? 'true' : 'false'"
-                    />
-                  </div>
-                </template>
-                <input
-                  v-else-if="s.type === 'integer'"
-                  :id="'set-' + s.key"
-                  v-model.number="formSettings[s.key]"
-                  class="form-control"
-                  type="number"
-                />
-                <input
-                  v-else
-                  :id="'set-' + s.key"
-                  v-model="formSettings[s.key]"
-                  class="form-control"
-                  type="text"
-                />
-                <div v-if="settingDescription(s.key) || s.description" class="small text-muted mt-1">
-                  {{ settingDescription(s.key) || s.description }}
-                </div>
-              </div>
-            </div>
-          </div>
-        </template>
-      </template>
-
-      <template v-else-if="stepType === 'mail'">
-        <div class="form-check form-switch mb-3">
-          <input
-            id="mail-enabled"
-            :checked="formSettings['system.mailService.enabled'] === 'true'"
-            class="form-check-input"
-            type="checkbox"
-            @change="formSettings['system.mailService.enabled'] = $event.target.checked ? 'true' : 'false'"
-          />
-          <label class="form-check-label" for="mail-enabled" @click.prevent>
-            Enable email service (required for password reset and email verification)
-          </label>
-        </div>
-
-        <template v-if="mailEnabled">
-          <div v-for="group in mailFieldGroups" :key="group.title" class="mb-4">
-            <h6 v-if="group.title" class="step-group-heading text-muted border-bottom pb-1 mb-3">
-              {{ group.title }}
-            </h6>
-            <div v-for="s in group.settings" :key="s.key" class="form-group row my-2">
-              <label
-                class="col-md-4 col-form-label text-md-right"
-                :for="'set-' + s.key"
-                @click="(s.type === 'boolean' || s.type === 'bool') && $event.preventDefault()"
-              >
-                {{ settingLabel(s.key) }}
-              </label>
-              <div class="col-md-6 d-flex flex-column">
-                <template v-if="s.type === 'boolean' || s.type === 'bool'">
-                  <div class="form-check form-switch">
-                    <input
-                      :id="'set-' + s.key"
-                      :checked="formSettings[s.key] === 'true'"
-                      class="form-check-input"
-                      type="checkbox"
-                      @change="$emit('mail-setting-change', s.key, $event.target.checked ? 'true' : 'false')"
-                    />
-                  </div>
-                </template>
-                <template v-else-if="s.type === 'edits'">
-                  <textarea
-                    :id="'set-' + s.key"
-                    v-model="formSettings[s.key]"
-                    class="form-control w-100"
-                    rows="4"
-                  />
-                </template>
-                <input
-                  v-else
-                  :id="'set-' + s.key"
-                  v-model="formSettings[s.key]"
-                  class="form-control"
-                  type="text"
-                />
-                <div v-if="settingDescription(s.key) || s.description" class="small text-muted mt-1">
-                  {{ settingDescription(s.key) || s.description }}
-                </div>
-              </div>
-            </div>
-          </div>
-
-          <div class="border-top pt-3 mt-4">
-            <h6 class="step-group-heading text-muted border-bottom pb-1 mb-3">Send test email</h6>
-            <p class="small text-muted mb-2">
-              Sends a short fixed message so you can verify delivery before finishing setup.
-            </p>
-            <div class="form-group row my-2">
-              <label class="col-md-4 col-form-label text-md-right" for="setup-test-mail-to">Recipient</label>
-              <div class="col-md-6 d-flex flex-column flex-sm-row gap-2 align-items-sm-start">
-                <input
-                  id="setup-test-mail-to"
-                  :value="testMailTo"
-                  class="form-control"
-                  type="email"
-                  placeholder="you@example.com"
-                  autocomplete="email"
-                  @input="$emit('update-test-mail-to', $event.target.value)"
-                />
-                <BasicButton
-                  class="btn btn-outline-primary flex-shrink-0"
-                  :title="testMailSending ? 'Sending...' : 'Send test email'"
-                  :disabled="testMailSending || !testMailTo.trim()"
-                  @click="$emit('send-test-mail')"
-                />
-              </div>
-            </div>
-            <p v-if="testMailMessage" class="small mb-0" :class="testMailError ? 'text-danger' : 'text-success'">
-              {{ testMailMessage }}
-            </p>
-          </div>
-        </template>
-      </template>
-
-      <template v-else>
-        <p class="text-muted mb-3">
-          Configure which information and consents are requested from users during registration.
-        </p>
-        <div v-for="group in registrationFieldGroups" :key="group.title" class="mb-4">
-          <h6 v-if="group.title" class="step-group-heading text-muted border-bottom pb-1 mb-3">
-            {{ group.title }}
-          </h6>
-          <div v-for="s in group.settings" :key="s.key" class="form-group row my-2">
-            <label
-              class="col-md-4 col-form-label text-md-right"
-              :for="'set-' + s.key"
-              @click="(s.type === 'boolean' || s.type === 'bool') && $event.preventDefault()"
-            >
-              {{ settingLabel(s.key) }}
-            </label>
-            <div class="col-md-6 d-flex flex-column">
-              <template v-if="s.type === 'boolean' || s.type === 'bool'">
-                <div class="form-check form-switch">
-                  <input
-                    :id="'set-' + s.key"
-                    :checked="formSettings[s.key] === 'true'"
-                    class="form-check-input"
-                    type="checkbox"
-                    @change="formSettings[s.key] = $event.target.checked ? 'true' : 'false'"
-                  />
-                </div>
-              </template>
-              <template v-else-if="s.type === 'edits'">
-                <textarea
-                  :id="'set-' + s.key"
-                  v-model="formSettings[s.key]"
-                  class="form-control w-100"
-                  rows="4"
-                />
-              </template>
-              <input
-                v-else
-                :id="'set-' + s.key"
-                v-model="formSettings[s.key]"
-                class="form-control"
-                type="text"
-              />
-              <div v-if="settingDescription(s.key) || s.description" class="small text-muted mt-1">
-                {{ settingDescription(s.key) || s.description }}
-              </div>
-            </div>
-          </div>
-        </div>
-
-        <div v-if="mailEnabled" class="mb-4">
-          <h6 class="step-group-heading text-muted border-bottom pb-1 mb-3">Email verification</h6>
-          <div class="form-group row my-2">
-            <label class="col-md-4 col-form-label text-md-right" for="email-verification-reg" @click.prevent>
-              {{ settingLabel("app.register.emailVerification") }}
-            </label>
-            <div class="col-md-6 d-flex flex-column">
-              <div class="form-check form-switch">
-                <input
-                  id="email-verification-reg"
-                  :checked="formSettings['app.register.emailVerification'] === 'true'"
-                  class="form-check-input"
-                  type="checkbox"
-                  @change="formSettings['app.register.emailVerification'] = $event.target.checked ? 'true' : 'false'"
-                />
-              </div>
-              <div class="small text-muted mt-1">
-                Require new users to verify their email address before accessing the application.
-              </div>
-            </div>
-          </div>
-        </div>
-      </template>
-
-      <div class="d-flex justify-content-between mt-4">
-        <BasicButton
-          v-if="stepType === 'general' ? currentStep > 0 : true"
-          class="btn btn-secondary"
-          title="Previous"
-          @click="$emit('previous')"
-        />
-        <BasicButton
-          class="btn btn-primary"
-          :class="nextButtonClass"
-          title="Next"
-          @click="$emit('next')"
-        />
-      </div>
-    </div>
-  </div>
-</template>
-
-<script>
-import BasicButton from "@/basic/Button.vue";
-import EditorModal from "@/basic/editor/Modal.vue";
-
-export default {
-  name: "SetupWizardSettingsStep",
-  components: { BasicButton, EditorModal },
-  props: {
-    stepType: {
-      type: String,
-      required: true,
-    },
-    currentStep: {
-      type: Number,
-      required: true,
-    },
-    allSettingsLoaded: {
-      type: Boolean,
-      required: true,
-    },
-    showError: {
-      type: Boolean,
-      required: true,
-    },
-    errorMessage: {
-      type: String,
-      required: true,
-    },
-    settingsFromFile: {
-      type: Object,
-      required: false,
-      default: null,
-    },
-    generalFieldGroups: {
-      type: Array,
-      required: true,
-    },
-    moodleSettingsFlat: {
-      type: Array,
-      required: true,
-    },
-    mailFieldGroups: {
-      type: Array,
-      required: true,
-    },
-    registrationFieldGroups: {
-      type: Array,
-      required: true,
-    },
-    formSettings: {
-      type: Object,
-      required: true,
-    },
-    settingsTouched: {
-      type: Boolean,
-      required: true,
-    },
-    mailEnabled: {
-      type: Boolean,
-      required: true,
-    },
-    testMailTo: {
-      type: String,
-      required: true,
-    },
-    testMailSending: {
-      type: Boolean,
-      required: true,
-    },
-    testMailMessage: {
-      type: String,
-      required: true,
-    },
-    testMailError: {
-      type: Boolean,
-      required: true,
-    },
-    settingLabel: {
-      type: Function,
-      required: true,
-    },
-    settingDescription: {
-      type: Function,
-      required: true,
-    },
-  },
-  emits: [
-    "download-template",
-    "open-import-modal",
-    "clear-import",
-    "mail-setting-change",
-    "update-test-mail-to",
-    "send-test-mail",
-    "previous",
-    "next",
-  ],
-  computed: {
-    stepTitle() {
-      if (this.stepType === "mail") return "Mail Configuration";
-      if (this.stepType === "registration") return "User Registration";
-      return "General Settings";
-    },
-    nextButtonClass() {
-      if (this.stepType === "general") {
-        return { "ms-auto": this.currentStep === 0 };
-      }
-      return "ms-auto";
-    },
-  },
-};
-</script>
-
-<style scoped>
-.feedback-invalid {
-  font-size: 0.75em;
-  color: firebrick;
-  visibility: hidden;
-  padding-top: 4px;
-}
-
-.feedback-invalid.invalid {
-  visibility: visible;
-}
-
-.step-group-heading {
-  font-size: 1.1rem;
-  font-weight: 600;
-}
-
-.step-card-header {
-  font-size: 1.2rem;
-  font-weight: 600;
-}
-</style>
diff --git a/frontend/src/components/wizard/SetupWizardSummaryStep.vue b/frontend/src/components/wizard/SetupWizardSummaryStep.vue
index d931f32ba..bc1885eed 100644
--- a/frontend/src/components/wizard/SetupWizardSummaryStep.vue
+++ b/frontend/src/components/wizard/SetupWizardSummaryStep.vue
@@ -36,10 +36,10 @@
           <li v-for="s in group.settings" :key="s.key" class="mb-2">
             <template v-if="s.key === 'app.register.terms'">
               <div class="fw-semibold mb-1">{{ settingLabel(s.key) }}</div>
-              <BasicEditor :model-value="summarySettingValue(s.key)" :read-only="true" />
+              <BasicEditor :model-value="resolvedSummaryValue(s.key)" :read-only="true" />
             </template>
             <template v-else>
-              <strong>{{ settingLabel(s.key) }}:</strong> {{ summarySettingValue(s.key) }}
+              <strong>{{ settingLabel(s.key) }}:</strong> {{ resolvedSummaryValue(s.key) }}
             </template>
           </li>
         </ul>
@@ -74,6 +74,10 @@
 import BasicButton from "@/basic/Button.vue";
 import BasicEditor from "@/basic/editor/Editor.vue";
 
+/**
+ * Renders the first-time setup wizard summary step: admin recap, grouped settings for review,
+ * optional imported JSON (expandable), import/download actions, and previous or finish controls.
+ */
 export default {
   name: "SetupWizardSummaryStep",
   components: { BasicButton, BasicEditor },
@@ -90,6 +94,14 @@ export default {
       type: Object,
       required: true,
     },
+    wizardSettings: {
+      type: Array,
+      required: true,
+    },
+    formSettings: {
+      type: Object,
+      required: true,
+    },
     summaryFieldGroups: {
       type: Array,
       required: true,
@@ -111,16 +123,20 @@ export default {
       type: Boolean,
       required: true,
     },
-    settingLabel: {
-      type: Function,
-      required: true,
+  },
+  emits: ["download-template", "open-import-modal", "toggle-show-file-settings", "previous", "finish"],
+  methods: {
+    settingLabel(key) {
+      const s = (this.wizardSettings || []).find((x) => x.key === key);
+      return s?.displayName || key;
     },
-    summarySettingValue: {
-      type: Function,
-      required: true,
+    resolvedSummaryValue(key) {
+      if (this.settingsFromFile && Object.prototype.hasOwnProperty.call(this.settingsFromFile, key)) {
+        return this.settingsFromFile[key];
+      }
+      return this.formSettings[key] != null ? this.formSettings[key] : "—";
     },
   },
-  emits: ["download-template", "open-import-modal", "toggle-show-file-settings", "previous", "finish"],
 };
 </script>
 

From a68a31c997b1e8cdf04a04a0cf0f700a4bbaba15 Mon Sep 17 00:00:00 2001
From: Mohammad Elwan <mohammadsherifl11@gmail.com>
Date: Wed, 6 May 2026 23:34:45 +0300
Subject: [PATCH 72/73] docs : update setup wizard frontend documentation

---
 .../for_developers/frontend/setup_wizard.rst    | 17 ++++++++++++++++-
 1 file changed, 16 insertions(+), 1 deletion(-)

diff --git a/docs/source/for_developers/frontend/setup_wizard.rst b/docs/source/for_developers/frontend/setup_wizard.rst
index 3df4d6932..4042b0b3c 100644
--- a/docs/source/for_developers/frontend/setup_wizard.rst
+++ b/docs/source/for_developers/frontend/setup_wizard.rst
@@ -13,7 +13,7 @@ to the regular application flow.
 
 Backend endpoints used by this flow:
 
-- ``GET /setup/config``: fetch steps, wizard settings, and full settings snapshot.
+- ``GET /setup/config``: fetch steps (``key``, ``title``, ``description``, ``order``, ``typeId``), ``wizardStepTypes`` (``id``, ``key``), wizard settings, and full settings snapshot.
 - ``POST /auth/setup-admin``: create the initial admin account.
 - ``POST /setup/test-mail``: send a test mail during setup.
 - ``POST /setup/complete``: persist setup settings and mark setup as completed.
@@ -33,6 +33,21 @@ The current step sequence is:
 
    Moodle-related wizard settings are currently grouped under **General** via subsection metadata.
 
+Frontend components
+-------------------
+
+Step components live under ``frontend/src/components/wizard/``.
+
+- ``SetupWizardAdminStep.vue``: create the first admin account
+- ``SetupWizardGeneralStep.vue``: general settings and Moodle block
+- ``SetupWizardMailStep.vue``: mail service, provider fields and send test email
+- ``SetupWizardRegistrationStep.vue``: registration and consent fields
+- ``SetupWizardSummaryStep.vue``: review and finish
+
+``SetupWizard.vue`` keeps ``formData`` for the admin account fields and ``formSettings`` for all other setting values edited in the wizard.
+``wizardSettings`` supplies display names and subsection grouping for the settings and summary steps.
+Credential changes use ``update-admin-field``; setting field changes run through ``setWizardSettingValue``. Navigation, JSON import, and test mail use additional events on the parent.
+
 How Settings Are Rendered
 -------------------------
 

From e37fc0083a57511f30180b5585ef0e74a6894c6f Mon Sep 17 00:00:00 2001
From: Mohammad Elwan <mohammadsherifl11@gmail.com>
Date: Thu, 7 May 2026 16:30:36 +0300
Subject: [PATCH 73/73] refactor : use BasicButton for settings mail test

---
 frontend/src/components/dashboard/Settings.vue | 14 +++-----------
 1 file changed, 3 insertions(+), 11 deletions(-)

diff --git a/frontend/src/components/dashboard/Settings.vue b/frontend/src/components/dashboard/Settings.vue
index 79c42ac29..ed1f1b321 100644
--- a/frontend/src/components/dashboard/Settings.vue
+++ b/frontend/src/components/dashboard/Settings.vue
@@ -89,20 +89,12 @@
                         placeholder="you@example.com"
                         autocomplete="email"
                     />
-                    <button
+                    <BasicButton
                         class="btn btn-outline-primary flex-shrink-0"
-                        type="button"
+                        :title="mailTestSending ? 'Sending...' : 'Send test email'"
                         :disabled="mailTestSending || !mailTestTo.trim()"
                         @click="sendMailTest"
-                    >
-                      <span
-                          v-if="mailTestSending"
-                          class="spinner-border spinner-border-sm me-1"
-                          role="status"
-                          aria-hidden="true"
-                      />
-                      Send test email
-                    </button>
+                    />
                   </div>
                 </div>
                 <p v-if="mailTestMessage" class="small mb-0" :class="mailTestError ? 'text-danger' : 'text-success'">