From 1394b3ba6c36e4a638d96df10ef2054f3f34ec63 Mon Sep 17 00:00:00 2001
From: Mario Fetka <mario.fetka@gmail.com>
Date: Thu, 21 May 2026 21:56:28 +0200
Subject: [PATCH] feat: add web login, logout and runtime logging improvements

---
 apply.pl                     |   3 +
 mars-nwe-webui.service.cmake |   2 +
 settings.pl                  |  47 ++--
 smart.cmake                  | 450 ++++++++++++++++++++++++++++++++---
 smart.conf.cmake             |   4 +
 static/menu.html             |  29 ++-
 6 files changed, 478 insertions(+), 57 deletions(-)

diff --git a/apply.pl b/apply.pl
index 8590a55..4eeb4d7 100644
--- a/apply.pl
+++ b/apply.pl
@@ -271,6 +271,7 @@ EOF
 		}
 		
 		redirect( '/settings/users' );
+		return( 1 );
 	}
 	elsif( $c[1] eq 'groups' )
 	{
@@ -324,6 +325,7 @@ EOF
 		}
 		
 		redirect( '/settings/groups' );
+		return( 1 );
 	}
 	elsif( $c[1] eq 'queues' )
 	{
@@ -393,6 +395,7 @@ EOF
 		}
 		
 		redirect( '/settings/queues' );
+		return( 1 );
 	}
 
 	elsif( $c[1] eq 'advanced' )
diff --git a/mars-nwe-webui.service.cmake b/mars-nwe-webui.service.cmake
index e86d211..7bcedf6 100644
--- a/mars-nwe-webui.service.cmake
+++ b/mars-nwe-webui.service.cmake
@@ -8,6 +8,8 @@ Documentation=man:systemd.service(5)
 Type=simple
 User=root
 Group=root
+RuntimeDirectory=mars-nwe-webui
+RuntimeDirectoryMode=0700
 WorkingDirectory=/
 
 ExecStartPre=/bin/mkdir -p @MARS_NWE_LOG_DIR@
diff --git a/settings.pl b/settings.pl
index 4cc511c..303badd 100644
--- a/settings.pl
+++ b/settings.pl
@@ -40,7 +40,8 @@ sub settings_nav_bar()
 	return <<'EOF_NAV';
 <div class="settings-nav" style="position:sticky;top:0;z-index:20;margin:0 0 14px 0;padding:10px;background:#fffdf9;border:1px solid #ddcfba;border-radius:12px;box-shadow:0 4px 12px rgba(80,55,30,0.06);">
   <a class="settings-nav-back" style="display:inline-block;margin-right:10px;padding:7px 12px;border-radius:9px;background:#6d5d53;color:#fff;text-decoration:none;font-weight:bold;" href="javascript:history.back()">Back</a>
-  <a class="settings-nav-main" style="display:inline-block;padding:7px 12px;border-radius:9px;background:#a32020;color:#fff;text-decoration:none;font-weight:bold;" href="/" target="_top">Main menu</a>
+  <a class="settings-nav-main" style="display:inline-block;margin-right:10px;padding:7px 12px;border-radius:9px;background:#a32020;color:#fff;text-decoration:none;font-weight:bold;" href="/" target="_top">Main menu</a>
+  <a class="settings-nav-logout" style="display:inline-block;padding:7px 12px;border-radius:9px;background:#8b4a1d;color:#fff;text-decoration:none;font-weight:bold;" href="/logout" target="_top">Logout</a>
 </div>
 EOF_NAV
 }
@@ -708,40 +709,44 @@ sub unix_user_defaults_from_query()
 
 	my $want = '';
 
-	# Preferred import route:
-	# /settings/users_import/<unixuser>
-	if( defined( $c[1] ) && $c[1] eq 'users_import' && defined( $c[2] ) && $c[2] ne '' )
+	# The router puts imported users here after /settings/users_import/<user>
+	# was normalized to /settings/users/add_new.
+	if( defined( $p{unix_user} ) && $p{unix_user} ne '' )
+	{
+		$want = $p{unix_user};
+	}
+	# Compatibility for direct /settings/users_import/<user>, before normalization.
+	elsif( defined( $c[1] ) && $c[1] eq 'users_import' && defined( $c[2] ) && $c[2] ne '' )
 	{
 		$want = $c[2];
 	}
-	# Compatibility route:
-	# /settings/users/add_new/<unixuser>
+	# Compatibility for /settings/users/add_new/<user>.
 	elsif( defined( $c[3] ) && $c[3] ne '' )
 	{
 		$want = $c[3];
 	}
-	elsif( defined( $p{unix_user} ) && $p{unix_user} ne '' )
-	{
-		$want = $p{unix_user};
-	}
 
 	if( $want ne '' )
 	{
 		$want =~ s/[^-_\.A-Za-z0-9]//g;
 
-		foreach my $u ( unix_userlist() )
-		{
-			next if ! defined( $u->{name} ) || $u->{name} ne $want;
+		# Minimal import: use the Unix user parameter that reaches settings.pl.
+		$defaults{unix_user} = $want;
 
-			my $gecos = defined( $u->{gecos} ) ? $u->{gecos} : '';
-			$gecos =~ s/,.*$//;
+		$defaults{name} = uc( $want );
+		$defaults{name} =~ s/[^-_\.A-Za-z0-9]//g;
 
-			$defaults{name} = uc( $u->{name} );
-			$defaults{name} =~ s/[^-_\.A-Za-z0-9]//g;
-			$defaults{unix_user} = $u->{name};
-			$defaults{fullname} = $gecos;
-			last;
-		}
+		# Step 2: if no GECOS/fullname is available yet, use a friendly
+		# fallback from the Unix account name.  "mario" -> "Mario",
+		# "mario_fetka" -> "Mario Fetka".
+		my $full = $want;
+		$full =~ s/[_\.\-]+/ /g;
+		$full =~ s/\s+/ /g;
+		$full =~ s/^\s+//;
+		$full =~ s/\s+$//;
+		$full = join( ' ', map { ucfirst( lc( $_ ) ) } split( / /, $full ) );
+
+		$defaults{fullname} = $full;
 	}
 
 	return %defaults;
diff --git a/smart.cmake b/smart.cmake
index 8846ffe..f821722 100644
--- a/smart.cmake
+++ b/smart.cmake
@@ -31,7 +31,21 @@ do( '@MARS_NWE_INSTALL_FULL_CONFDIR@/smart.conf' )
 	or die "Could not load @MARS_NWE_INSTALL_FULL_CONFDIR@/smart.conf: $@ $!";
 
 close( STDERR );
-open( STDERR, '>>' . $smart_log_path )
+
+# Prefix all raw STDERR from helper tools with timestamp/component before it
+# reaches smart.log.  This also catches output from nwbols/nwbpset/nwpasswd
+# and systemctl warnings.
+my $smart_stderr_filter = "perl -MPOSIX=strftime -ne 'chomp; " .
+	"my \\$v=\\$ENV{SMART_VERSION}||q{0.99.pl28}; " .
+	"my \\$f=\\$ENV{SMART_LOG_FILE}||q{stderr}; " .
+	"print strftime(q{[%Y-%m-%d %H:%M:%S]}, localtime), qq{ [ERROR] [SMArT \\$v] [\\$f] \\$_\\n};' >> " .
+	quotemeta( $smart_log_path );
+
+$ENV{SMART_VERSION} = defined( $smart_version ) && $smart_version ne '' ? $smart_version : '0.99.pl28';
+$ENV{SMART_LOG_FILE} = 'stderr';
+
+open( STDERR, '|-', $smart_stderr_filter )
+	or open( STDERR, '>>' . $smart_log_path )
 	or die "Could not open $smart_log_path: $!";
 
 $ENV{HOME} = '@MARS_NWE_INSTALL_FULL_CONFDIR@';
@@ -45,11 +59,14 @@ $smart_systemctl_path = '@SYSTEMCTL_EXECUTABLE@' unless defined $smart_systemctl
 $l = <STDIN>;
 $l =~ s/[\n\r]//g;
 $request_uri = "";
+$post_body = "";
+%hl = ();
+
 @c = split( ' ', $l );
 if( scalar( @c ) > 2 )
 {
 	$request_uri = $c[1];
-	while( keys( %h ) < 15 )	# Who would ever want to send more headers???
+	while( keys( %h ) < 50 )
 	{
 		$l = <STDIN>;
 		$l =~ s/[\n\r]//g;
@@ -59,36 +76,32 @@ if( scalar( @c ) > 2 )
 		$n =~ s/:[^:]*$//g;
 		$v = $l;
 		$v =~ s/^[^:]*://g;
+		$v =~ s/^\s+//;
+		$v =~ s/\s+$//;
 		$h{$n} = $v;
+		$hl{lc( $n )} = $v;
 	}
 }
 
 $c[0] = uc( $c[0] );
+$request_method = $c[0];
 
-if( $h{Authorization} eq '' )
-	{ error( 401 ); }
-else
+if( $request_method eq 'POST' )
 {
-	@s = split( ' ', $h{Authorization} );
-	if( $s[0] ne 'Basic' or length( $h{Authorization} ) > 80 )	# We can't be too careful, can we...
-		{ error( 401 ); }
-	else
+	my $content_length = 0;
+
+	if( defined( $hl{'content-length'} ) && $hl{'content-length'} =~ /^[0-9]+$/ )
 	{
-		$s[1] =~ tr#A-Za-z0-9+/##cd;
-		$s[1] =~ tr#A-Za-z0-9+/# -_#;
-		$s[1] = pack( 'c', 32 + 0.75 * length( $s[1] ) ) . $s[1];
-		$s[1] = unpack( 'u', $s[1] );
-		$s[1] =~ s/[\r\n]//g;
-		@l = split( ':', $s[1] );
-		if( $l[0] ne 'root' )
-			{ error( 401 ); }
-		else
-			{ if( $x = system( $smart_check_login, @l ) )
-				{ error( 401 ); } }
+		$content_length = int( $hl{'content-length'} );
+	}
+
+	if( $content_length > 0 && $content_length < 8192 )
+	{
+		read( STDIN, $post_body, $content_length );
 	}
 }
 
-if( $c[0] ne 'GET' )
+if( $request_method ne 'GET' && $request_method ne 'POST' )
 {
 	error( 501 );
 }
@@ -97,19 +110,39 @@ if( $c[0] ne 'GET' )
 $cc = $c[1];
 $cc =~ s/[^\?]*\?//;
 $c = substr( shift( @p ), 1 );
-@p = split( '&', $p[0] );
-foreach $p ( @p )
-{
-	$n = $p;
-	$n =~ s/=.*//;
-	$v = $p;
-	$v =~ s/.*=//;
-	$v =~ s/\+/ /g;
-	$v =~ s/%([0-9A-F][0-9A-F])/pack('c',hex($1))/gie;
-	$p{$n} = $v;
-}
+
+parse_params( $p[0] );
+parse_params( $post_body ) if $request_method eq 'POST';
+
 @c = split( '/', $c );
 
+if( $c[0] eq 'login' )
+{
+	handle_login_route();
+	exit;
+}
+
+if( $c[0] eq 'logout' )
+{
+	handle_logout_route();
+	exit;
+}
+
+# Static assets must be available before login, otherwise the login page
+# cannot load the SMArT logo and icons.
+if( $c[0] eq 'static' )
+{
+	do( $smart_libexec_dir . '/static.pl' );
+	handle_request();
+	exit;
+}
+
+if( ! valid_session() )
+{
+	redirect( '/login' );
+	exit;
+}
+
 if( ( $c[0] eq 'service' && $c[1] eq 'control' ) ||
     ( $c[0] eq 'cgi-bin' && $c[1] eq 'control' ) )
 {
@@ -176,6 +209,359 @@ exit;
 ##### END OF MAIN  PROCEDURES FOLLOW #####
 ##########################################
 
+sub smart_log_line( $$$ )
+{
+	my( $level, $file, $msg ) = @_;
+
+	$level = 'INFO' unless defined( $level ) && $level ne '';
+	$file = 'smart' unless defined( $file ) && $file ne '';
+	$msg = '' unless defined( $msg );
+
+	my( $sec, $min, $hour, $mday, $mon, $year ) = localtime( time() );
+	my $ts = sprintf( "%04d-%02d-%02d %02d:%02d:%02d",
+		$year + 1900, $mon + 1, $mday, $hour, $min, $sec );
+
+	my $version = defined( $smart_version ) && $smart_version ne '' ? $smart_version : '0.99.pl28';
+
+	if( open( my $fh, '>>', $smart_log_path ) )
+	{
+		print( $fh '[' . $ts . '] [' . $level . '] [SMArT ' . $version . '] [' . $file . '] ' . $msg . "\n" );
+		close( $fh );
+	}
+}
+
+
+sub smart_auth_log( $ )
+{
+	my $msg = $_[0];
+	$msg = '' unless defined $msg;
+
+	my( $sec, $min, $hour, $mday, $mon, $year ) = localtime( time() );
+	my $ts = sprintf( "%04d-%02d-%02d %02d:%02d:%02d",
+		$year + 1900, $mon + 1, $mday, $hour, $min, $sec );
+
+	my $version = defined( $smart_version ) && $smart_version ne '' ? $smart_version : '0.99.pl28';
+
+	if( open( my $fh, '>>', $smart_log_path ) )
+	{
+		print( $fh '[' . $ts . '] [INFO] [SMArT ' . $version . '] [smart] ' . $msg . "\n" );
+		close( $fh );
+	}
+}
+
+
+sub parse_params( $ )
+{
+	my $qs = $_[0];
+
+	return if ! defined( $qs ) || $qs eq '';
+
+	my @items = split( '&', $qs );
+
+	foreach my $item ( @items )
+	{
+		my $n = $item;
+		my $v = $item;
+
+		$n =~ s/=.*//;
+		$v =~ s/^[^=]*=?//;
+
+		$n =~ s/\+/ /g;
+		$v =~ s/\+/ /g;
+
+		$n =~ s/%([0-9A-Fa-f][0-9A-Fa-f])/pack('c',hex($1))/gie;
+		$v =~ s/%([0-9A-Fa-f][0-9A-Fa-f])/pack('c',hex($1))/gie;
+
+		$p{$n} = $v;
+	}
+}
+
+sub smart_html_escape( $ )
+{
+	my $s = $_[0];
+	$s = '' unless defined $s;
+	$s =~ s/&/&amp;/g;
+	$s =~ s/</&lt;/g;
+	$s =~ s/>/&gt;/g;
+	$s =~ s/"/&quot;/g;
+	return $s;
+}
+
+sub session_timeout()
+{
+	return $smart_session_timeout if defined( $smart_session_timeout ) && $smart_session_timeout =~ /^[0-9]+$/ && $smart_session_timeout > 0;
+	return 3600;
+}
+
+sub session_dir()
+{
+	my $dir = defined( $smart_session_dir ) && $smart_session_dir ne '' ? $smart_session_dir : '/run/mars-nwe-webui';
+
+	if( ! -d $dir )
+	{
+		if( ! mkdir( $dir, 0700 ) )
+		{
+			smart_auth_log( 'could not create session dir ' . $dir . ': ' . $! );
+		}
+	}
+
+	if( -d $dir )
+	{
+		chmod( 0700, $dir );
+	}
+	else
+	{
+		smart_auth_log( 'session dir is not available: ' . $dir );
+	}
+
+	return $dir;
+}
+
+sub session_token()
+{
+	my $token = '';
+
+	if( open( my $fh, '<', '/dev/urandom' ) )
+	{
+		my $buf = '';
+		read( $fh, $buf, 24 );
+		close( $fh );
+		$token = unpack( 'H*', $buf );
+	}
+
+	if( $token eq '' )
+	{
+		$token = sprintf( "%08x%08x%08x%08x", time(), $$, int( rand( 0xffffffff ) ), int( rand( 0xffffffff ) ) );
+	}
+
+	$token =~ s/[^A-Fa-f0-9]//g;
+	return $token;
+}
+
+sub session_file( $ )
+{
+	my $token = $_[0];
+	$token = '' unless defined $token;
+	$token =~ s/[^A-Fa-f0-9]//g;
+
+	return '' if $token eq '';
+
+	return session_dir() . '/' . $token;
+}
+
+sub cookie_session_id()
+{
+	my $cookie = defined( $hl{'cookie'} ) ? $hl{'cookie'} : '';
+
+	foreach my $part ( split( /;/, $cookie ) )
+	{
+		$part =~ s/^\s+//;
+		$part =~ s/\s+$//;
+
+		if( $part =~ /^SMArT_SID=([A-Fa-f0-9]+)$/ )
+		{
+			return $1;
+		}
+	}
+
+	return '';
+}
+
+sub valid_session()
+{
+	my $token = cookie_session_id();
+	my $file = session_file( $token );
+
+	return 0 if $token eq '';
+	return 0 if $file eq '';
+
+	if( ! -f $file )
+	{
+		smart_auth_log( 'session cookie exists but file is missing: ' . $file );
+		return 0;
+	}
+
+	my @st = stat( $file );
+	if( scalar( @st ) == 0 )
+	{
+		smart_auth_log( 'could not stat session file: ' . $file );
+		return 0;
+	}
+
+	if( time() - $st[9] > session_timeout() )
+	{
+		unlink( $file );
+		smart_auth_log( 'session expired: ' . $file );
+		return 0;
+	}
+
+	utime( time(), time(), $file );
+	return 1;
+}
+
+sub create_session( $ )
+{
+	my $user = $_[0];
+	my $token = session_token();
+	my $file = session_file( $token );
+
+	if( $file eq '' )
+	{
+		smart_auth_log( 'could not build session file path' );
+		return '';
+	}
+
+	if( open( my $fh, '>', $file ) )
+	{
+		print( $fh $user . "\n" . time() . "\n" );
+		close( $fh );
+		chmod( 0600, $file );
+		smart_auth_log( 'created session for ' . $user . ' at ' . $file );
+		return $token;
+	}
+
+	smart_auth_log( 'could not create session file ' . $file . ': ' . $! );
+	return '';
+}
+
+sub destroy_session()
+{
+	my $token = cookie_session_id();
+	my $file = session_file( $token );
+
+	unlink( $file ) if $file ne '' && -f $file;
+}
+
+sub check_login_password( $$ )
+{
+	my( $user, $pass ) = @_;
+
+	return 0 if ! defined( $user ) || ! defined( $pass );
+	return 0 if $user ne 'root';
+
+	if( ! defined( $smart_check_login ) || $smart_check_login eq '' || ! -x $smart_check_login )
+	{
+		return -1;
+	}
+
+	return system( $smart_check_login, $user, $pass ) == 0 ? 1 : 0;
+}
+
+sub print_login_page( $ )
+{
+	my $msg = smart_html_escape( $_[0] );
+
+	print <<EOF;
+HTTP/1.0 200 OK
+Content-Type: text/html
+$server_id
+
+<!DOCTYPE html>
+<html>
+<head>
+<meta charset="utf-8">
+<title>SMArT Login</title>
+<style>
+:root{--bg:#f4f1ea;--panel:#faf8f4;--line:#dfd2bf;--text:#3d342c;--muted:#6f6257;--accent:#ad1d1c;--gold:#b9813d}
+*{box-sizing:border-box}
+html,body{margin:0;padding:0;min-height:100%;background:var(--bg);color:var(--text);font:15px/1.5 Arial,Helvetica,sans-serif}
+body{display:flex;align-items:center;justify-content:center;padding:24px}
+.login{width:min(440px,100%);background:var(--panel);border:1px solid var(--line);border-radius:20px;box-shadow:0 18px 45px rgba(64,36,12,.12);overflow:hidden}
+.hero{padding:26px 28px;background:linear-gradient(135deg,#a80f18,#c44731 60%,#d79a54);color:white}
+.hero{display:flex;align-items:center;gap:18px}.hero img{width:120px;max-width:34%;height:auto;display:block;background:#fff;border-radius:16px;padding:8px 10px;box-shadow:0 8px 20px rgba(0,0,0,.12)}.hero h1{margin:0;font-size:28px}
+.hero p{margin:6px 0 0;opacity:.95}
+form{padding:24px 28px 28px}
+label{display:block;font-weight:bold;margin:0 0 7px}
+input{width:100%;border:1px solid #cdbb9f;border-radius:12px;padding:10px 12px;background:#fffdf9;color:var(--text);font-size:15px;margin:0 0 16px}
+button{width:100%;border:1px solid #a33d2f;border-radius:12px;padding:11px 14px;background:#b84434;color:#fff;font-weight:bold;font-size:15px;cursor:pointer}
+.msg{margin:0 0 16px;padding:10px 12px;border-radius:12px;background:#fff3e0;border:1px solid #ead0a4;color:#7a3d18}
+.note{margin-top:14px;color:var(--muted);font-size:13px;text-align:center;line-height:1.45;word-break:break-word}.note a{color:var(--muted);text-decoration:none}.note a:hover{text-decoration:underline}
+</style>
+</head>
+<body>
+<div class="login">
+  <div class="hero">
+    <img src="/static/smart.jpg" alt="SMArT logo">
+    <div>
+      <h1>SMArT Login</h1>
+      <p>MARS_NWE web administration</p>
+    </div>
+  </div>
+  <form method="POST" action="/login">
+EOF
+
+	if( $msg ne '' )
+	{
+		print '<div class="msg">' . $msg . "</div>\n";
+	}
+
+	print <<EOF;
+    <label for="user">User</label>
+    <input id="user" name="user" value="root" autocomplete="username">
+    <label for="pass">Password</label>
+    <input id="pass" name="pass" type="password" autocomplete="current-password" autofocus>
+    <button type="submit">Login</button>
+    <div class="note">&copy; Copyright 2026 Mario Fetka<br><a href="mailto:mario.fetka@disconnected-by-peer.at">mario.fetka@disconnected-by-peer.at</a></div>
+  </form>
+</div>
+</body>
+</html>
+EOF
+}
+
+sub handle_login_route()
+{
+	if( $request_method ne 'POST' )
+	{
+		print_login_page( '' );
+		return;
+	}
+
+	my $rv = check_login_password( $p{user}, $p{pass} );
+
+	if( $rv == -1 )
+	{
+		print_login_page( 'Login helper check_login is missing or not executable.' );
+		return;
+	}
+
+	if( $rv != 1 )
+	{
+		print_login_page( 'Login failed.' );
+		return;
+	}
+
+	my $token = create_session( $p{user} );
+
+	if( $token eq '' )
+	{
+		print_login_page( 'Could not create login session.' );
+		return;
+	}
+
+	print <<EOF;
+HTTP/1.0 302 Found
+Location: /
+Set-Cookie: SMArT_SID=$token; Path=/; HttpOnly; Max-Age=3600
+$server_id
+
+EOF
+}
+
+sub handle_logout_route()
+{
+	destroy_session();
+
+	print <<EOF;
+HTTP/1.0 302 Found
+Location: /login
+Set-Cookie: SMArT_SID=deleted; Path=/; HttpOnly; Max-Age=0
+$server_id
+
+EOF
+}
+
+
 sub error( $ )
 {
 	if( $_[0] eq '401' )
diff --git a/smart.conf.cmake b/smart.conf.cmake
index b0d5371..d0f8293 100644
--- a/smart.conf.cmake
+++ b/smart.conf.cmake
@@ -146,3 +146,7 @@ $nw_cert_file = '@MARS_NWE_INSTALL_FULL_CONFDIR@/server.crt';
 # TLS private key file in PEM format.
 # Required only when HTTPS is enabled.
 $nw_key_file = '@MARS_NWE_INSTALL_FULL_CONFDIR@/server.key';
+
+# Directory for HTML login cookie sessions. Created by systemd RuntimeDirectory.
+$smart_session_dir = '/run/mars-nwe-webui';
+$smart_session_timeout = 3600;
diff --git a/static/menu.html b/static/menu.html
index 0736bbc..09ec5e4 100644
--- a/static/menu.html
+++ b/static/menu.html
@@ -19,7 +19,7 @@ body{padding:18px}
 a{color:inherit} code,tt{font-family:"DejaVu Sans Mono",monospace}
 .shell{max-width:1250px;margin:0 auto}
 .hero{display:flex;align-items:center;justify-content:space-between;gap:18px;padding:22px 24px;border:1px solid var(--line);border-radius:18px;background:linear-gradient(135deg,#a80f18,#c44731 60%,#d79a54);color:#fff;box-shadow:0 12px 30px rgba(64,36,12,.08)}
-.hero img{height:42px;width:auto;display:block;background:#fff;border-radius:10px;padding:5px;box-shadow:0 8px 20px rgba(0,0,0,.12)}
+.hero-actions{display:flex;align-items:center;gap:12px}.hero img{height:42px;width:auto;display:block;background:#fff;border-radius:10px;padding:5px;box-shadow:0 8px 20px rgba(0,0,0,.12)}.logout-button{display:inline-block;text-decoration:none;border:1px solid rgba(255,255,255,.6);border-radius:10px;padding:8px 13px;background:rgba(255,255,255,.14);color:#fff;font-weight:bold;box-shadow:0 8px 18px rgba(0,0,0,.10)}.logout-button:hover{background:rgba(255,255,255,.22)}
 .hero h1{margin:0;font-size:28px;line-height:1.1}
 .hero p{margin:6px 0 0;font-size:15px;opacity:.95}
 .workspace{margin-top:18px;display:grid;grid-template-columns:180px minmax(0,1fr);gap:18px;align-items:start}
@@ -83,18 +83,18 @@ a{color:inherit} code,tt{font-family:"DejaVu Sans Mono",monospace}
       <h1>Main menu</h1>
       <p>Choose a section from the icon list. The explanation opens here on the left, and the editor opens on the right.</p>
     </div>
-    <img src="/static/smart_icon.jpg" alt="SMArT logo">
+    <div class="hero-actions"><a class="logout-button" href="/logout" target="_top">Logout</a><img src="/static/smart_icon.jpg" alt="SMArT logo"></div>
   </div>
 
   <div class="workspace">
     <aside class="nav-shell">
       <div class="nav-title">Sections</div>
       <div class="nav-list">
-        <button class="nav-item active" type="button" data-target="setup-first" data-href="/settings/smart" aria-pressed="true" title="Setup first">
+        <button class="nav-item active" type="button" data-target="setup-first" data-href="/settings/smart" aria-pressed="false" title="Setup first">
   <span class="nav-icon icon-start"><img src="/static/icon-start.svg" alt="" aria-hidden="true"></span>
   <span class="nav-label">Setup first</span>
 </button>
-        <button class="nav-item" type="button" data-target="mars-nwe-service" data-href="/static/start.html" aria-pressed="false" title="MARS_NWE service">
+        <button class="nav-item active" type="button" data-target="mars-nwe-service" data-href="/static/start.html" aria-pressed="true" title="MARS_NWE service">
   <span class="nav-icon icon-service"><img src="/static/icon-service.svg" alt="" aria-hidden="true"></span>
   <span class="nav-label">MARS_NWE service</span>
 </button>
@@ -626,5 +626,26 @@ default directory.
   }
 })();
 </script>
+
+<script>
+(function smartDefaultSection(){
+  function openDefault(){
+    if (window.location.hash) return;
+    var btn = document.querySelector('[data-target="mars-nwe-service"]');
+    if (btn && typeof btn.click === 'function') {
+      btn.click();
+      return;
+    }
+    var frame = parent && parent.frames ? parent.frames['OPTS'] : null;
+    if (frame) frame.location = '/static/start.html';
+  }
+  if (document.readyState === 'loading') {
+    document.addEventListener('DOMContentLoaded', openDefault);
+  } else {
+    openDefault();
+  }
+})();
+</script>
+
 </body>
 </html>