Merge pull request 'main' (#111) from main into production

Reviewed-on: #111

cmd/silod/main.go

@@ -20,6 +20,7 @@ import (
 	"github.com/kindredsystems/silo/internal/config"
 	"github.com/kindredsystems/silo/internal/db"
 	"github.com/kindredsystems/silo/internal/jobdef"
+	"github.com/kindredsystems/silo/internal/modules"
 	"github.com/kindredsystems/silo/internal/schema"
 	"github.com/kindredsystems/silo/internal/storage"
 	"github.com/rs/zerolog"
@@ -219,6 +220,16 @@ func main() {
 		}
 	}
 
+	// Initialize module registry
+	registry := modules.NewRegistry()
+	if err := modules.LoadState(registry, cfg, database.Pool()); err != nil {
+		logger.Fatal().Err(err).Msg("failed to load module state")
+	}
+	for _, m := range registry.All() {
+		logger.Info().Str("module", m.ID).Bool("enabled", registry.IsEnabled(m.ID)).
+			Bool("required", m.Required).Msg("module")
+	}
+
 	// Create SSE broker and server state
 	broker := api.NewBroker(logger)
 	serverState := api.NewServerState(logger, store, broker)
@@ -232,27 +243,30 @@ func main() {
 	// Create API server
 	server := api.NewServer(logger, database, schemas, cfg.Schemas.Directory, store,
 		authService, sessionManager, oidcBackend, &cfg.Auth, broker, serverState,
-		jobDefs, cfg.Jobs.Directory)
+		jobDefs, cfg.Jobs.Directory, registry, cfg)
 	router := api.NewRouter(server, logger)
 
-	// Start background sweepers for job/runner timeouts
-	go func() {
-		ticker := time.NewTicker(time.Duration(cfg.Jobs.JobTimeoutCheck) * time.Second)
-		defer ticker.Stop()
-		for range ticker.C {
-			if n, err := jobRepo.TimeoutExpiredJobs(ctx); err != nil {
-				logger.Error().Err(err).Msg("job timeout sweep failed")
-			} else if n > 0 {
-				logger.Info().Int64("count", n).Msg("timed out expired jobs")
-			}
+	// Start background sweepers for job/runner timeouts (only when jobs module enabled)
+	if registry.IsEnabled(modules.Jobs) {
+		go func() {
+			ticker := time.NewTicker(time.Duration(cfg.Jobs.JobTimeoutCheck) * time.Second)
+			defer ticker.Stop()
+			for range ticker.C {
+				if n, err := jobRepo.TimeoutExpiredJobs(ctx); err != nil {
+					logger.Error().Err(err).Msg("job timeout sweep failed")
+				} else if n > 0 {
+					logger.Info().Int64("count", n).Msg("timed out expired jobs")
+				}
 
-			if n, err := jobRepo.ExpireStaleRunners(ctx, time.Duration(cfg.Jobs.RunnerTimeout)*time.Second); err != nil {
-				logger.Error().Err(err).Msg("runner expiry sweep failed")
-			} else if n > 0 {
-				logger.Info().Int64("count", n).Msg("expired stale runners")
+				if n, err := jobRepo.ExpireStaleRunners(ctx, time.Duration(cfg.Jobs.RunnerTimeout)*time.Second); err != nil {
+					logger.Error().Err(err).Msg("runner expiry sweep failed")
+				} else if n > 0 {
+					logger.Info().Int64("count", n).Msg("expired stale runners")
+				}
 			}
-		}
-	}()
+		}()
+		logger.Info().Msg("job/runner sweepers started")
+	}
 
 	// Create HTTP server
 	addr := fmt.Sprintf("%s:%d", cfg.Server.Host, cfg.Server.Port)

internal/api/auth_handlers_test.go

@@ -11,6 +11,7 @@ import (
 	"github.com/go-chi/chi/v5"
 	"github.com/kindredsystems/silo/internal/auth"
 	"github.com/kindredsystems/silo/internal/db"
+	"github.com/kindredsystems/silo/internal/modules"
 	"github.com/kindredsystems/silo/internal/schema"
 	"github.com/kindredsystems/silo/internal/testutil"
 	"github.com/rs/zerolog"
@@ -38,8 +39,10 @@ func newAuthTestServer(t *testing.T) *Server {
 		nil,     // authConfig
 		broker,
 		state,
-		nil, // jobDefs
-		"",  // jobDefsDir
+		nil,                   // jobDefs
+		"",                    // jobDefsDir
+		modules.NewRegistry(), // modules
+		nil,                   // cfg
 	)
 }
 

internal/api/bom_handlers_test.go

@@ -11,6 +11,7 @@ import (
 	"github.com/go-chi/chi/v5"
 	"github.com/kindredsystems/silo/internal/auth"
 	"github.com/kindredsystems/silo/internal/db"
+	"github.com/kindredsystems/silo/internal/modules"
 	"github.com/kindredsystems/silo/internal/schema"
 	"github.com/kindredsystems/silo/internal/testutil"
 	"github.com/rs/zerolog"
@@ -35,8 +36,10 @@ func newTestServer(t *testing.T) *Server {
 		nil, // authConfig (nil = dev mode)
 		broker,
 		state,
-		nil, // jobDefs
-		"",  // jobDefsDir
+		nil,                   // jobDefs
+		"",                    // jobDefsDir
+		modules.NewRegistry(), // modules
+		nil,                   // cfg
 	)
 }
 

internal/api/csv_handlers_test.go

@@ -13,6 +13,7 @@ import (
 	"testing"
 
 	"github.com/go-chi/chi/v5"
+	"github.com/kindredsystems/silo/internal/modules"
 	"github.com/kindredsystems/silo/internal/schema"
 	"github.com/kindredsystems/silo/internal/testutil"
 	"github.com/rs/zerolog"
@@ -64,8 +65,10 @@ func newTestServerWithSchemas(t *testing.T) *Server {
 		nil, // authConfig
 		broker,
 		state,
-		nil, // jobDefs
-		"",  // jobDefsDir
+		nil,                   // jobDefs
+		"",                    // jobDefsDir
+		modules.NewRegistry(), // modules
+		nil,                   // cfg
 	)
 }
 

internal/api/dag_handlers_test.go

@@ -10,6 +10,7 @@ import (
 
 	"github.com/go-chi/chi/v5"
 	"github.com/kindredsystems/silo/internal/db"
+	"github.com/kindredsystems/silo/internal/modules"
 	"github.com/kindredsystems/silo/internal/schema"
 	"github.com/kindredsystems/silo/internal/testutil"
 	"github.com/rs/zerolog"
@@ -29,6 +30,7 @@ func newDAGTestServer(t *testing.T) *Server {
 		nil, nil, nil, nil, nil,
 		broker, state,
 		nil, "",
+		modules.NewRegistry(), nil,
 	)
 }
 

internal/api/handlers.go

@@ -19,6 +19,7 @@ import (
 	"github.com/kindredsystems/silo/internal/config"
 	"github.com/kindredsystems/silo/internal/db"
 	"github.com/kindredsystems/silo/internal/jobdef"
+	"github.com/kindredsystems/silo/internal/modules"
 	"github.com/kindredsystems/silo/internal/partnum"
 	"github.com/kindredsystems/silo/internal/schema"
 	"github.com/kindredsystems/silo/internal/storage"
@@ -46,8 +47,12 @@ type Server struct {
 	serverState   *ServerState
 	dag           *db.DAGRepository
 	jobs          *db.JobRepository
+	locations     *db.LocationRepository
 	jobDefs       map[string]*jobdef.Definition
 	jobDefsDir    string
+	modules       *modules.Registry
+	cfg           *config.Config
+	settings      *db.SettingsRepository
 }
 
 // NewServer creates a new API server.
@@ -65,6 +70,8 @@ func NewServer(
 	state *ServerState,
 	jobDefs map[string]*jobdef.Definition,
 	jobDefsDir string,
+	registry *modules.Registry,
+	cfg *config.Config,
 ) *Server {
 	items := db.NewItemRepository(database)
 	projects := db.NewProjectRepository(database)
@@ -72,6 +79,8 @@ func NewServer(
 	itemFiles := db.NewItemFileRepository(database)
 	dag := db.NewDAGRepository(database)
 	jobs := db.NewJobRepository(database)
+	settings := db.NewSettingsRepository(database)
+	locations := db.NewLocationRepository(database)
 	seqStore := &dbSequenceStore{db: database, schemas: schemas}
 	partgen := partnum.NewGenerator(schemas, seqStore)
 
@@ -94,8 +103,12 @@ func NewServer(
 		serverState:   state,
 		dag:           dag,
 		jobs:          jobs,
+		locations:     locations,
 		jobDefs:       jobDefs,
 		jobDefsDir:    jobDefsDir,
+		modules:       registry,
+		cfg:           cfg,
+		settings:      settings,
 	}
 }
 
@@ -166,6 +179,54 @@ func (s *Server) HandleReady(w http.ResponseWriter, r *http.Request) {
 	})
 }
 
+// HandleGetModules returns the public module discovery response.
+// No authentication required — clients call this pre-login.
+func (s *Server) HandleGetModules(w http.ResponseWriter, r *http.Request) {
+	mods := make(map[string]any, 10)
+	for _, m := range s.modules.All() {
+		entry := map[string]any{
+			"enabled":  s.modules.IsEnabled(m.ID),
+			"required": m.Required,
+			"name":     m.Name,
+		}
+		if m.Version != "" {
+			entry["version"] = m.Version
+		}
+		if len(m.DependsOn) > 0 {
+			entry["depends_on"] = m.DependsOn
+		}
+
+		// Public config (non-secret) for specific modules.
+		switch m.ID {
+		case "auth":
+			if s.cfg != nil {
+				entry["config"] = map[string]any{
+					"local_enabled":   s.cfg.Auth.Local.Enabled,
+					"ldap_enabled":    s.cfg.Auth.LDAP.Enabled,
+					"oidc_enabled":    s.cfg.Auth.OIDC.Enabled,
+					"oidc_issuer_url": s.cfg.Auth.OIDC.IssuerURL,
+				}
+			}
+		case "freecad":
+			if s.cfg != nil {
+				entry["config"] = map[string]any{
+					"uri_scheme": s.cfg.FreeCAD.URIScheme,
+				}
+			}
+		}
+
+		mods[m.ID] = entry
+	}
+
+	writeJSON(w, http.StatusOK, map[string]any{
+		"modules": mods,
+		"server": map[string]any{
+			"version":   "0.2",
+			"read_only": s.serverState.IsReadOnly(),
+		},
+	})
+}
+
 // Schema handlers
 
 // SchemaResponse represents a schema in API responses.

internal/api/job_handlers_test.go

@@ -10,6 +10,7 @@ import (
 
 	"github.com/go-chi/chi/v5"
 	"github.com/kindredsystems/silo/internal/db"
+	"github.com/kindredsystems/silo/internal/modules"
 	"github.com/kindredsystems/silo/internal/schema"
 	"github.com/kindredsystems/silo/internal/testutil"
 	"github.com/rs/zerolog"
@@ -29,6 +30,7 @@ func newJobTestServer(t *testing.T) *Server {
 		nil, nil, nil, nil, nil,
 		broker, state,
 		nil, "",
+		modules.NewRegistry(), nil,
 	)
 }
 

internal/api/location_handlers.go

@@ -0,0 +1,234 @@
+package api
+
+import (
+	"encoding/json"
+	"net/http"
+	"strings"
+
+	"github.com/go-chi/chi/v5"
+	"github.com/kindredsystems/silo/internal/db"
+)
+
+// LocationResponse is the API representation of a location.
+type LocationResponse struct {
+	ID           string         `json:"id"`
+	Path         string         `json:"path"`
+	Name         string         `json:"name"`
+	ParentID     *string        `json:"parent_id,omitempty"`
+	LocationType string         `json:"location_type"`
+	Depth        int            `json:"depth"`
+	Metadata     map[string]any `json:"metadata,omitempty"`
+	CreatedAt    string         `json:"created_at"`
+}
+
+// CreateLocationRequest represents a request to create a location.
+type CreateLocationRequest struct {
+	Path         string         `json:"path"`
+	Name         string         `json:"name"`
+	LocationType string         `json:"location_type"`
+	Metadata     map[string]any `json:"metadata,omitempty"`
+}
+
+// UpdateLocationRequest represents a request to update a location.
+type UpdateLocationRequest struct {
+	Name         string         `json:"name"`
+	LocationType string         `json:"location_type"`
+	Metadata     map[string]any `json:"metadata,omitempty"`
+}
+
+func locationToResponse(loc *db.Location) LocationResponse {
+	return LocationResponse{
+		ID:           loc.ID,
+		Path:         loc.Path,
+		Name:         loc.Name,
+		ParentID:     loc.ParentID,
+		LocationType: loc.LocationType,
+		Depth:        loc.Depth,
+		Metadata:     loc.Metadata,
+		CreatedAt:    loc.CreatedAt.Format("2006-01-02T15:04:05Z07:00"),
+	}
+}
+
+// HandleListLocations lists all locations. If ?tree={path} is set, returns that
+// subtree. If ?root=true, returns only root-level locations (depth 0).
+func (s *Server) HandleListLocations(w http.ResponseWriter, r *http.Request) {
+	ctx := r.Context()
+
+	treePath := r.URL.Query().Get("tree")
+	if treePath != "" {
+		locs, err := s.locations.GetTree(ctx, treePath)
+		if err != nil {
+			s.logger.Error().Err(err).Str("tree", treePath).Msg("failed to get location tree")
+			writeError(w, http.StatusInternalServerError, "internal_error", "Failed to get location tree")
+			return
+		}
+		writeJSON(w, http.StatusOK, locationsToResponse(locs))
+		return
+	}
+
+	locs, err := s.locations.List(ctx)
+	if err != nil {
+		s.logger.Error().Err(err).Msg("failed to list locations")
+		writeError(w, http.StatusInternalServerError, "internal_error", "Failed to list locations")
+		return
+	}
+
+	writeJSON(w, http.StatusOK, locationsToResponse(locs))
+}
+
+// HandleCreateLocation creates a new location.
+func (s *Server) HandleCreateLocation(w http.ResponseWriter, r *http.Request) {
+	ctx := r.Context()
+
+	var req CreateLocationRequest
+	if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
+		writeError(w, http.StatusBadRequest, "invalid_json", err.Error())
+		return
+	}
+
+	if req.Path == "" {
+		writeError(w, http.StatusBadRequest, "invalid_request", "Path is required")
+		return
+	}
+	if req.Name == "" {
+		writeError(w, http.StatusBadRequest, "invalid_request", "Name is required")
+		return
+	}
+	if req.LocationType == "" {
+		writeError(w, http.StatusBadRequest, "invalid_request", "Location type is required")
+		return
+	}
+
+	// Normalize: trim slashes
+	req.Path = strings.Trim(req.Path, "/")
+
+	loc := &db.Location{
+		Path:         req.Path,
+		Name:         req.Name,
+		LocationType: req.LocationType,
+		Metadata:     req.Metadata,
+	}
+	if loc.Metadata == nil {
+		loc.Metadata = map[string]any{}
+	}
+
+	if err := s.locations.Create(ctx, loc); err != nil {
+		if strings.Contains(err.Error(), "parent location") || strings.Contains(err.Error(), "does not exist") {
+			writeError(w, http.StatusBadRequest, "invalid_parent", err.Error())
+			return
+		}
+		if strings.Contains(err.Error(), "duplicate key") || strings.Contains(err.Error(), "unique") {
+			writeError(w, http.StatusConflict, "already_exists", "Location path already exists")
+			return
+		}
+		s.logger.Error().Err(err).Str("path", req.Path).Msg("failed to create location")
+		writeError(w, http.StatusInternalServerError, "create_failed", err.Error())
+		return
+	}
+
+	writeJSON(w, http.StatusCreated, locationToResponse(loc))
+}
+
+// HandleGetLocation retrieves a location by path. The path is the rest of the
+// URL after /api/locations/, which chi captures as a wildcard.
+func (s *Server) HandleGetLocation(w http.ResponseWriter, r *http.Request) {
+	ctx := r.Context()
+	path := strings.Trim(chi.URLParam(r, "*"), "/")
+
+	if path == "" {
+		writeError(w, http.StatusBadRequest, "invalid_request", "Location path is required")
+		return
+	}
+
+	loc, err := s.locations.GetByPath(ctx, path)
+	if err != nil {
+		s.logger.Error().Err(err).Str("path", path).Msg("failed to get location")
+		writeError(w, http.StatusInternalServerError, "internal_error", "Failed to get location")
+		return
+	}
+	if loc == nil {
+		writeError(w, http.StatusNotFound, "not_found", "Location not found")
+		return
+	}
+
+	writeJSON(w, http.StatusOK, locationToResponse(loc))
+}
+
+// HandleUpdateLocation updates a location by path.
+func (s *Server) HandleUpdateLocation(w http.ResponseWriter, r *http.Request) {
+	ctx := r.Context()
+	path := strings.Trim(chi.URLParam(r, "*"), "/")
+
+	if path == "" {
+		writeError(w, http.StatusBadRequest, "invalid_request", "Location path is required")
+		return
+	}
+
+	var req UpdateLocationRequest
+	if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
+		writeError(w, http.StatusBadRequest, "invalid_json", err.Error())
+		return
+	}
+
+	if req.Name == "" {
+		writeError(w, http.StatusBadRequest, "invalid_request", "Name is required")
+		return
+	}
+	if req.LocationType == "" {
+		writeError(w, http.StatusBadRequest, "invalid_request", "Location type is required")
+		return
+	}
+
+	meta := req.Metadata
+	if meta == nil {
+		meta = map[string]any{}
+	}
+
+	if err := s.locations.Update(ctx, path, req.Name, req.LocationType, meta); err != nil {
+		if strings.Contains(err.Error(), "not found") {
+			writeError(w, http.StatusNotFound, "not_found", "Location not found")
+			return
+		}
+		s.logger.Error().Err(err).Str("path", path).Msg("failed to update location")
+		writeError(w, http.StatusInternalServerError, "update_failed", err.Error())
+		return
+	}
+
+	loc, _ := s.locations.GetByPath(ctx, path)
+	writeJSON(w, http.StatusOK, locationToResponse(loc))
+}
+
+// HandleDeleteLocation deletes a location by path. Rejects if inventory exists.
+func (s *Server) HandleDeleteLocation(w http.ResponseWriter, r *http.Request) {
+	ctx := r.Context()
+	path := strings.Trim(chi.URLParam(r, "*"), "/")
+
+	if path == "" {
+		writeError(w, http.StatusBadRequest, "invalid_request", "Location path is required")
+		return
+	}
+
+	if err := s.locations.Delete(ctx, path); err != nil {
+		if strings.Contains(err.Error(), "inventory record") {
+			writeError(w, http.StatusConflict, "has_inventory", err.Error())
+			return
+		}
+		if strings.Contains(err.Error(), "not found") {
+			writeError(w, http.StatusNotFound, "not_found", "Location not found")
+			return
+		}
+		s.logger.Error().Err(err).Str("path", path).Msg("failed to delete location")
+		writeError(w, http.StatusInternalServerError, "delete_failed", err.Error())
+		return
+	}
+
+	w.WriteHeader(http.StatusNoContent)
+}
+
+func locationsToResponse(locs []*db.Location) []LocationResponse {
+	result := make([]LocationResponse, len(locs))
+	for i, l := range locs {
+		result[i] = locationToResponse(l)
+	}
+	return result
+}

internal/api/location_handlers_test.go

@@ -0,0 +1,323 @@
+package api
+
+import (
+	"encoding/json"
+	"net/http"
+	"net/http/httptest"
+	"strings"
+	"testing"
+
+	"github.com/go-chi/chi/v5"
+)
+
+func newLocationRouter(s *Server) http.Handler {
+	r := chi.NewRouter()
+	r.Get("/api/locations", s.HandleListLocations)
+	r.Post("/api/locations", s.HandleCreateLocation)
+	r.Get("/api/locations/*", s.HandleGetLocation)
+	r.Put("/api/locations/*", s.HandleUpdateLocation)
+	r.Delete("/api/locations/*", s.HandleDeleteLocation)
+	return r
+}
+
+func TestHandleListLocationsEmpty(t *testing.T) {
+	s := newTestServer(t)
+	router := newLocationRouter(s)
+
+	req := httptest.NewRequest("GET", "/api/locations", nil)
+	w := httptest.NewRecorder()
+	router.ServeHTTP(w, req)
+
+	if w.Code != http.StatusOK {
+		t.Fatalf("status: got %d, want %d; body: %s", w.Code, http.StatusOK, w.Body.String())
+	}
+
+	var locs []LocationResponse
+	if err := json.Unmarshal(w.Body.Bytes(), &locs); err != nil {
+		t.Fatalf("decoding response: %v", err)
+	}
+	if len(locs) != 0 {
+		t.Fatalf("expected 0 locations, got %d", len(locs))
+	}
+}
+
+func TestHandleCreateAndGetLocation(t *testing.T) {
+	s := newTestServer(t)
+	router := newLocationRouter(s)
+
+	// Create root location
+	body := `{"path": "lab", "name": "Lab", "location_type": "building"}`
+	req := httptest.NewRequest("POST", "/api/locations", strings.NewReader(body))
+	w := httptest.NewRecorder()
+	router.ServeHTTP(w, req)
+
+	if w.Code != http.StatusCreated {
+		t.Fatalf("create status: got %d, want %d; body: %s", w.Code, http.StatusCreated, w.Body.String())
+	}
+
+	var created LocationResponse
+	if err := json.Unmarshal(w.Body.Bytes(), &created); err != nil {
+		t.Fatalf("decoding create response: %v", err)
+	}
+	if created.Path != "lab" {
+		t.Errorf("path: got %q, want %q", created.Path, "lab")
+	}
+	if created.Name != "Lab" {
+		t.Errorf("name: got %q, want %q", created.Name, "Lab")
+	}
+	if created.Depth != 0 {
+		t.Errorf("depth: got %d, want 0", created.Depth)
+	}
+	if created.ID == "" {
+		t.Error("expected ID to be set")
+	}
+
+	// Get by path
+	req = httptest.NewRequest("GET", "/api/locations/lab", nil)
+	w = httptest.NewRecorder()
+	router.ServeHTTP(w, req)
+
+	if w.Code != http.StatusOK {
+		t.Fatalf("get status: got %d, want %d; body: %s", w.Code, http.StatusOK, w.Body.String())
+	}
+
+	var got LocationResponse
+	if err := json.Unmarshal(w.Body.Bytes(), &got); err != nil {
+		t.Fatalf("decoding get response: %v", err)
+	}
+	if got.ID != created.ID {
+		t.Errorf("ID mismatch: got %q, want %q", got.ID, created.ID)
+	}
+}
+
+func TestHandleCreateNestedLocation(t *testing.T) {
+	s := newTestServer(t)
+	router := newLocationRouter(s)
+
+	// Create root
+	body := `{"path": "warehouse", "name": "Warehouse", "location_type": "building"}`
+	req := httptest.NewRequest("POST", "/api/locations", strings.NewReader(body))
+	w := httptest.NewRecorder()
+	router.ServeHTTP(w, req)
+	if w.Code != http.StatusCreated {
+		t.Fatalf("create root: got %d; body: %s", w.Code, w.Body.String())
+	}
+
+	// Create child
+	body = `{"path": "warehouse/shelf-a", "name": "Shelf A", "location_type": "shelf"}`
+	req = httptest.NewRequest("POST", "/api/locations", strings.NewReader(body))
+	w = httptest.NewRecorder()
+	router.ServeHTTP(w, req)
+	if w.Code != http.StatusCreated {
+		t.Fatalf("create child: got %d; body: %s", w.Code, w.Body.String())
+	}
+
+	var child LocationResponse
+	json.Unmarshal(w.Body.Bytes(), &child)
+	if child.Depth != 1 {
+		t.Errorf("child depth: got %d, want 1", child.Depth)
+	}
+	if child.ParentID == nil {
+		t.Error("expected parent_id to be set")
+	}
+
+	// Create grandchild
+	body = `{"path": "warehouse/shelf-a/bin-3", "name": "Bin 3", "location_type": "bin"}`
+	req = httptest.NewRequest("POST", "/api/locations", strings.NewReader(body))
+	w = httptest.NewRecorder()
+	router.ServeHTTP(w, req)
+	if w.Code != http.StatusCreated {
+		t.Fatalf("create grandchild: got %d; body: %s", w.Code, w.Body.String())
+	}
+
+	var gc LocationResponse
+	json.Unmarshal(w.Body.Bytes(), &gc)
+	if gc.Depth != 2 {
+		t.Errorf("grandchild depth: got %d, want 2", gc.Depth)
+	}
+
+	// Get nested path
+	req = httptest.NewRequest("GET", "/api/locations/warehouse/shelf-a/bin-3", nil)
+	w = httptest.NewRecorder()
+	router.ServeHTTP(w, req)
+	if w.Code != http.StatusOK {
+		t.Fatalf("get nested: got %d; body: %s", w.Code, w.Body.String())
+	}
+}
+
+func TestHandleCreateLocationMissingParent(t *testing.T) {
+	s := newTestServer(t)
+	router := newLocationRouter(s)
+
+	body := `{"path": "nonexistent/child", "name": "Child", "location_type": "shelf"}`
+	req := httptest.NewRequest("POST", "/api/locations", strings.NewReader(body))
+	w := httptest.NewRecorder()
+	router.ServeHTTP(w, req)
+
+	if w.Code != http.StatusBadRequest {
+		t.Fatalf("expected 400, got %d; body: %s", w.Code, w.Body.String())
+	}
+}
+
+func TestHandleUpdateLocation(t *testing.T) {
+	s := newTestServer(t)
+	router := newLocationRouter(s)
+
+	// Create
+	body := `{"path": "office", "name": "Office", "location_type": "room"}`
+	req := httptest.NewRequest("POST", "/api/locations", strings.NewReader(body))
+	w := httptest.NewRecorder()
+	router.ServeHTTP(w, req)
+	if w.Code != http.StatusCreated {
+		t.Fatalf("create: got %d; body: %s", w.Code, w.Body.String())
+	}
+
+	// Update
+	body = `{"name": "Main Office", "location_type": "building", "metadata": {"floor": 2}}`
+	req = httptest.NewRequest("PUT", "/api/locations/office", strings.NewReader(body))
+	w = httptest.NewRecorder()
+	router.ServeHTTP(w, req)
+	if w.Code != http.StatusOK {
+		t.Fatalf("update: got %d; body: %s", w.Code, w.Body.String())
+	}
+
+	var updated LocationResponse
+	json.Unmarshal(w.Body.Bytes(), &updated)
+	if updated.Name != "Main Office" {
+		t.Errorf("name: got %q, want %q", updated.Name, "Main Office")
+	}
+	if updated.LocationType != "building" {
+		t.Errorf("type: got %q, want %q", updated.LocationType, "building")
+	}
+}
+
+func TestHandleDeleteLocation(t *testing.T) {
+	s := newTestServer(t)
+	router := newLocationRouter(s)
+
+	// Create
+	body := `{"path": "temp", "name": "Temp", "location_type": "area"}`
+	req := httptest.NewRequest("POST", "/api/locations", strings.NewReader(body))
+	w := httptest.NewRecorder()
+	router.ServeHTTP(w, req)
+	if w.Code != http.StatusCreated {
+		t.Fatalf("create: got %d; body: %s", w.Code, w.Body.String())
+	}
+
+	// Delete
+	req = httptest.NewRequest("DELETE", "/api/locations/temp", nil)
+	w = httptest.NewRecorder()
+	router.ServeHTTP(w, req)
+	if w.Code != http.StatusNoContent {
+		t.Fatalf("delete: got %d, want %d; body: %s", w.Code, http.StatusNoContent, w.Body.String())
+	}
+
+	// Verify gone
+	req = httptest.NewRequest("GET", "/api/locations/temp", nil)
+	w = httptest.NewRecorder()
+	router.ServeHTTP(w, req)
+	if w.Code != http.StatusNotFound {
+		t.Fatalf("get after delete: got %d, want %d", w.Code, http.StatusNotFound)
+	}
+}
+
+func TestHandleDeleteLocationNotFound(t *testing.T) {
+	s := newTestServer(t)
+	router := newLocationRouter(s)
+
+	req := httptest.NewRequest("DELETE", "/api/locations/doesnotexist", nil)
+	w := httptest.NewRecorder()
+	router.ServeHTTP(w, req)
+	if w.Code != http.StatusNotFound {
+		t.Fatalf("delete missing: got %d, want %d; body: %s", w.Code, http.StatusNotFound, w.Body.String())
+	}
+}
+
+func TestHandleListLocationsTree(t *testing.T) {
+	s := newTestServer(t)
+	router := newLocationRouter(s)
+
+	// Create hierarchy
+	for _, loc := range []string{
+		`{"path": "site", "name": "Site", "location_type": "site"}`,
+		`{"path": "site/bldg", "name": "Building", "location_type": "building"}`,
+		`{"path": "site/bldg/room1", "name": "Room 1", "location_type": "room"}`,
+		`{"path": "other", "name": "Other", "location_type": "site"}`,
+	} {
+		req := httptest.NewRequest("POST", "/api/locations", strings.NewReader(loc))
+		w := httptest.NewRecorder()
+		router.ServeHTTP(w, req)
+		if w.Code != http.StatusCreated {
+			t.Fatalf("create: got %d; body: %s", w.Code, w.Body.String())
+		}
+	}
+
+	// List tree under "site"
+	req := httptest.NewRequest("GET", "/api/locations?tree=site", nil)
+	w := httptest.NewRecorder()
+	router.ServeHTTP(w, req)
+	if w.Code != http.StatusOK {
+		t.Fatalf("tree: got %d; body: %s", w.Code, w.Body.String())
+	}
+
+	var locs []LocationResponse
+	json.Unmarshal(w.Body.Bytes(), &locs)
+	if len(locs) != 3 {
+		t.Fatalf("tree count: got %d, want 3 (site + bldg + room1)", len(locs))
+	}
+
+	// Full list should have 4
+	req = httptest.NewRequest("GET", "/api/locations", nil)
+	w = httptest.NewRecorder()
+	router.ServeHTTP(w, req)
+	json.Unmarshal(w.Body.Bytes(), &locs)
+	if len(locs) != 4 {
+		t.Fatalf("full list: got %d, want 4", len(locs))
+	}
+}
+
+func TestHandleCreateLocationDuplicate(t *testing.T) {
+	s := newTestServer(t)
+	router := newLocationRouter(s)
+
+	body := `{"path": "dup", "name": "Dup", "location_type": "area"}`
+	req := httptest.NewRequest("POST", "/api/locations", strings.NewReader(body))
+	w := httptest.NewRecorder()
+	router.ServeHTTP(w, req)
+	if w.Code != http.StatusCreated {
+		t.Fatalf("first create: got %d; body: %s", w.Code, w.Body.String())
+	}
+
+	// Duplicate
+	req = httptest.NewRequest("POST", "/api/locations", strings.NewReader(body))
+	w = httptest.NewRecorder()
+	router.ServeHTTP(w, req)
+	if w.Code != http.StatusConflict {
+		t.Fatalf("duplicate: got %d, want %d; body: %s", w.Code, http.StatusConflict, w.Body.String())
+	}
+}
+
+func TestHandleCreateLocationValidation(t *testing.T) {
+	s := newTestServer(t)
+	router := newLocationRouter(s)
+
+	tests := []struct {
+		name string
+		body string
+	}{
+		{"missing path", `{"name": "X", "location_type": "area"}`},
+		{"missing name", `{"path": "x", "location_type": "area"}`},
+		{"missing type", `{"path": "x", "name": "X"}`},
+	}
+
+	for _, tc := range tests {
+		t.Run(tc.name, func(t *testing.T) {
+			req := httptest.NewRequest("POST", "/api/locations", strings.NewReader(tc.body))
+			w := httptest.NewRecorder()
+			router.ServeHTTP(w, req)
+			if w.Code != http.StatusBadRequest {
+				t.Fatalf("got %d, want 400; body: %s", w.Code, w.Body.String())
+			}
+		})
+	}
+}

internal/api/middleware.go

@@ -183,6 +183,22 @@ func (s *Server) RequireRunnerAuth(next http.Handler) http.Handler {
 	})
 }
 
+// RequireModule returns middleware that rejects requests with 404 when
+// the named module is not enabled.
+func (s *Server) RequireModule(id string) func(http.Handler) http.Handler {
+	return func(next http.Handler) http.Handler {
+		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			if !s.modules.IsEnabled(id) {
+				w.Header().Set("Content-Type", "application/json")
+				w.WriteHeader(http.StatusNotFound)
+				w.Write([]byte(`{"error":"module '` + id + `' is not enabled"}`))
+				return
+			}
+			next.ServeHTTP(w, r)
+		})
+	}
+}
+
 func extractBearerToken(r *http.Request) string {
 	h := r.Header.Get("Authorization")
 	if strings.HasPrefix(h, "Bearer ") {

internal/api/routes.go

@@ -58,6 +58,7 @@ func NewRouter(server *Server, logger zerolog.Logger) http.Handler {
 	r.Get("/auth/callback", server.HandleOIDCCallback)
 
 	// Public API endpoints (no auth required)
+	r.Get("/api/modules", server.HandleGetModules)
 	r.Get("/api/auth/config", server.HandleAuthConfig)
 
 	// API routes (require auth, no CSRF — token auth instead)
@@ -101,6 +102,7 @@ func NewRouter(server *Server, logger zerolog.Logger) http.Handler {
 
 		// Projects (read: viewer, write: editor)
 		r.Route("/projects", func(r chi.Router) {
+			r.Use(server.RequireModule("projects"))
 			r.Get("/", server.HandleListProjects)
 			r.Get("/{code}", server.HandleGetProject)
 			r.Get("/{code}/items", server.HandleGetProjectItems)
@@ -115,6 +117,26 @@ func NewRouter(server *Server, logger zerolog.Logger) http.Handler {
 			})
 		})
 
+		// Locations (read: viewer, write: editor)
+		r.Route("/locations", func(r chi.Router) {
+			r.Get("/", server.HandleListLocations)
+
+			r.Group(func(r chi.Router) {
+				r.Use(server.RequireWritable)
+				r.Use(server.RequireRole(auth.RoleEditor))
+				r.Post("/", server.HandleCreateLocation)
+			})
+
+			// Wildcard routes for path-based lookup (e.g., /api/locations/lab/shelf-a/bin-3)
+			r.Get("/*", server.HandleGetLocation)
+			r.Group(func(r chi.Router) {
+				r.Use(server.RequireWritable)
+				r.Use(server.RequireRole(auth.RoleEditor))
+				r.Put("/*", server.HandleUpdateLocation)
+				r.Delete("/*", server.HandleDeleteLocation)
+			})
+		})
+
 		// Items (read: viewer, write: editor)
 		r.Route("/items", func(r chi.Router) {
 			r.Get("/", server.HandleListItems)
@@ -150,10 +172,20 @@ func NewRouter(server *Server, logger zerolog.Logger) http.Handler {
 				r.Get("/bom/export.csv", server.HandleExportBOMCSV)
 				r.Get("/bom/export.ods", server.HandleExportBOMODS)
 
-				// DAG (read: viewer, write: editor)
-				r.Get("/dag", server.HandleGetDAG)
-				r.Get("/dag/forward-cone/{nodeKey}", server.HandleGetForwardCone)
-				r.Get("/dag/dirty", server.HandleGetDirtySubgraph)
+				// DAG (gated by dag module)
+				r.Route("/dag", func(r chi.Router) {
+					r.Use(server.RequireModule("dag"))
+					r.Get("/", server.HandleGetDAG)
+					r.Get("/forward-cone/{nodeKey}", server.HandleGetForwardCone)
+					r.Get("/dirty", server.HandleGetDirtySubgraph)
+
+					r.Group(func(r chi.Router) {
+						r.Use(server.RequireWritable)
+						r.Use(server.RequireRole(auth.RoleEditor))
+						r.Put("/", server.HandleSyncDAG)
+						r.Post("/mark-dirty/{nodeKey}", server.HandleMarkDirty)
+					})
+				})
 
 				r.Group(func(r chi.Router) {
 					r.Use(server.RequireWritable)
@@ -174,20 +206,20 @@ func NewRouter(server *Server, logger zerolog.Logger) http.Handler {
 					r.Post("/bom/merge", server.HandleMergeBOM)
 					r.Put("/bom/{childPartNumber}", server.HandleUpdateBOMEntry)
 					r.Delete("/bom/{childPartNumber}", server.HandleDeleteBOMEntry)
-					r.Put("/dag", server.HandleSyncDAG)
-					r.Post("/dag/mark-dirty/{nodeKey}", server.HandleMarkDirty)
 				})
 			})
 		})
 
 		// Audit (read-only, viewer role)
 		r.Route("/audit", func(r chi.Router) {
+			r.Use(server.RequireModule("audit"))
 			r.Get("/completeness", server.HandleAuditCompleteness)
 			r.Get("/completeness/{partNumber}", server.HandleAuditItemDetail)
 		})
 
 		// Integrations (read: viewer, write: editor)
 		r.Route("/integrations/odoo", func(r chi.Router) {
+			r.Use(server.RequireModule("odoo"))
 			r.Get("/config", server.HandleGetOdooConfig)
 			r.Get("/sync-log", server.HandleGetOdooSyncLog)
 
@@ -210,6 +242,7 @@ func NewRouter(server *Server, logger zerolog.Logger) http.Handler {
 
 		// Jobs (read: viewer, write: editor)
 		r.Route("/jobs", func(r chi.Router) {
+			r.Use(server.RequireModule("jobs"))
 			r.Get("/", server.HandleListJobs)
 			r.Get("/{jobID}", server.HandleGetJob)
 			r.Get("/{jobID}/logs", server.HandleGetJobLogs)
@@ -224,6 +257,7 @@ func NewRouter(server *Server, logger zerolog.Logger) http.Handler {
 
 		// Job definitions (read: viewer, reload: admin)
 		r.Route("/job-definitions", func(r chi.Router) {
+			r.Use(server.RequireModule("jobs"))
 			r.Get("/", server.HandleListJobDefinitions)
 			r.Get("/{name}", server.HandleGetJobDefinition)
 
@@ -235,6 +269,7 @@ func NewRouter(server *Server, logger zerolog.Logger) http.Handler {
 
 		// Runners (admin)
 		r.Route("/runners", func(r chi.Router) {
+			r.Use(server.RequireModule("jobs"))
 			r.Use(server.RequireRole(auth.RoleAdmin))
 			r.Get("/", server.HandleListRunners)
 			r.Post("/", server.HandleRegisterRunner)
@@ -247,10 +282,20 @@ func NewRouter(server *Server, logger zerolog.Logger) http.Handler {
 			r.Use(server.RequireRole(auth.RoleEditor))
 			r.Post("/generate-part-number", server.HandleGeneratePartNumber)
 		})
+
+		// Admin settings (admin only)
+		r.Route("/admin/settings", func(r chi.Router) {
+			r.Use(server.RequireRole(auth.RoleAdmin))
+			r.Get("/", server.HandleGetAllSettings)
+			r.Get("/{module}", server.HandleGetModuleSettings)
+			r.Put("/{module}", server.HandleUpdateModuleSettings)
+			r.Post("/{module}/test", server.HandleTestModuleConnectivity)
+		})
 	})
 
 	// Runner-facing API (runner token auth, not user auth)
 	r.Route("/api/runner", func(r chi.Router) {
+		r.Use(server.RequireModule("jobs"))
 		r.Use(server.RequireRunnerAuth)
 		r.Post("/heartbeat", server.HandleRunnerHeartbeat)
 		r.Post("/claim", server.HandleRunnerClaim)

internal/api/settings_handlers.go

@@ -0,0 +1,316 @@
+package api
+
+import (
+	"context"
+	"encoding/json"
+	"net/http"
+	"strings"
+	"time"
+
+	"github.com/go-chi/chi/v5"
+	"github.com/kindredsystems/silo/internal/auth"
+)
+
+// HandleGetAllSettings returns the full config grouped by module with secrets redacted.
+func (s *Server) HandleGetAllSettings(w http.ResponseWriter, r *http.Request) {
+	resp := map[string]any{
+		"core":     s.buildCoreSettings(),
+		"schemas":  s.buildSchemasSettings(),
+		"storage":  s.buildStorageSettings(r.Context()),
+		"database": s.buildDatabaseSettings(r.Context()),
+		"auth":     s.buildAuthSettings(),
+		"projects": map[string]any{"enabled": s.modules.IsEnabled("projects")},
+		"audit":    map[string]any{"enabled": s.modules.IsEnabled("audit")},
+		"odoo":     s.buildOdooSettings(),
+		"freecad":  s.buildFreecadSettings(),
+		"jobs":     s.buildJobsSettings(),
+		"dag":      map[string]any{"enabled": s.modules.IsEnabled("dag")},
+	}
+	writeJSON(w, http.StatusOK, resp)
+}
+
+// HandleGetModuleSettings returns settings for a single module.
+func (s *Server) HandleGetModuleSettings(w http.ResponseWriter, r *http.Request) {
+	module := chi.URLParam(r, "module")
+
+	var settings any
+	switch module {
+	case "core":
+		settings = s.buildCoreSettings()
+	case "schemas":
+		settings = s.buildSchemasSettings()
+	case "storage":
+		settings = s.buildStorageSettings(r.Context())
+	case "database":
+		settings = s.buildDatabaseSettings(r.Context())
+	case "auth":
+		settings = s.buildAuthSettings()
+	case "projects":
+		settings = map[string]any{"enabled": s.modules.IsEnabled("projects")}
+	case "audit":
+		settings = map[string]any{"enabled": s.modules.IsEnabled("audit")}
+	case "odoo":
+		settings = s.buildOdooSettings()
+	case "freecad":
+		settings = s.buildFreecadSettings()
+	case "jobs":
+		settings = s.buildJobsSettings()
+	case "dag":
+		settings = map[string]any{"enabled": s.modules.IsEnabled("dag")}
+	default:
+		writeError(w, http.StatusNotFound, "not_found", "Unknown module: "+module)
+		return
+	}
+
+	writeJSON(w, http.StatusOK, settings)
+}
+
+// HandleUpdateModuleSettings handles module toggle and config overrides.
+func (s *Server) HandleUpdateModuleSettings(w http.ResponseWriter, r *http.Request) {
+	module := chi.URLParam(r, "module")
+
+	// Validate module exists
+	if s.modules.Get(module) == nil {
+		writeError(w, http.StatusNotFound, "not_found", "Unknown module: "+module)
+		return
+	}
+
+	var body map[string]any
+	if err := json.NewDecoder(r.Body).Decode(&body); err != nil {
+		writeError(w, http.StatusBadRequest, "invalid_json", err.Error())
+		return
+	}
+
+	user := auth.UserFromContext(r.Context())
+	username := "system"
+	if user != nil {
+		username = user.Username
+	}
+
+	var updated []string
+	restartRequired := false
+
+	// Handle module toggle
+	if enabledVal, ok := body["enabled"]; ok {
+		enabled, ok := enabledVal.(bool)
+		if !ok {
+			writeError(w, http.StatusBadRequest, "invalid_value", "'enabled' must be a boolean")
+			return
+		}
+
+		if err := s.modules.SetEnabled(module, enabled); err != nil {
+			writeError(w, http.StatusBadRequest, "toggle_failed", err.Error())
+			return
+		}
+
+		if err := s.settings.SetModuleState(r.Context(), module, enabled, username); err != nil {
+			s.logger.Error().Err(err).Str("module", module).Msg("failed to persist module state")
+			writeError(w, http.StatusInternalServerError, "persist_failed", "Failed to save module state")
+			return
+		}
+
+		updated = append(updated, module+".enabled")
+	}
+
+	// Handle config overrides (future use — persisted but not hot-reloaded)
+	for key, value := range body {
+		if key == "enabled" {
+			continue
+		}
+
+		fullKey := module + "." + key
+		if err := s.settings.SetOverride(r.Context(), fullKey, value, username); err != nil {
+			s.logger.Error().Err(err).Str("key", fullKey).Msg("failed to persist setting override")
+			writeError(w, http.StatusInternalServerError, "persist_failed", "Failed to save setting: "+key)
+			return
+		}
+		updated = append(updated, fullKey)
+
+		// These namespaces require a restart to take effect
+		if strings.HasPrefix(fullKey, "database.") ||
+			strings.HasPrefix(fullKey, "storage.") ||
+			strings.HasPrefix(fullKey, "server.") ||
+			strings.HasPrefix(fullKey, "schemas.") {
+			restartRequired = true
+		}
+	}
+
+	writeJSON(w, http.StatusOK, map[string]any{
+		"updated":          updated,
+		"restart_required": restartRequired,
+	})
+
+	// Publish SSE event
+	s.broker.Publish("settings.changed", mustMarshal(map[string]any{
+		"module":       module,
+		"changed_keys": updated,
+		"updated_by":   username,
+	}))
+}
+
+// HandleTestModuleConnectivity tests external connectivity for a module.
+func (s *Server) HandleTestModuleConnectivity(w http.ResponseWriter, r *http.Request) {
+	module := chi.URLParam(r, "module")
+
+	start := time.Now()
+	var success bool
+	var message string
+
+	switch module {
+	case "database":
+		if err := s.db.Pool().Ping(r.Context()); err != nil {
+			success = false
+			message = "Database ping failed: " + err.Error()
+		} else {
+			success = true
+			message = "Database connection OK"
+		}
+	case "storage":
+		if s.storage == nil {
+			success = false
+			message = "Storage not configured"
+		} else if err := s.storage.Ping(r.Context()); err != nil {
+			success = false
+			message = "Storage ping failed: " + err.Error()
+		} else {
+			success = true
+			message = "Storage connection OK"
+		}
+	case "auth", "odoo":
+		success = false
+		message = "Connectivity test not implemented for " + module
+	default:
+		writeError(w, http.StatusBadRequest, "not_testable", "No connectivity test available for module: "+module)
+		return
+	}
+
+	latency := time.Since(start).Milliseconds()
+
+	writeJSON(w, http.StatusOK, map[string]any{
+		"success":    success,
+		"message":    message,
+		"latency_ms": latency,
+	})
+}
+
+// --- build helpers (read config, redact secrets) ---
+
+func redact(s string) string {
+	if s == "" {
+		return ""
+	}
+	return "****"
+}
+
+func (s *Server) buildCoreSettings() map[string]any {
+	return map[string]any{
+		"enabled":  true,
+		"host":     s.cfg.Server.Host,
+		"port":     s.cfg.Server.Port,
+		"base_url": s.cfg.Server.BaseURL,
+		"readonly": s.cfg.Server.ReadOnly,
+	}
+}
+
+func (s *Server) buildSchemasSettings() map[string]any {
+	return map[string]any{
+		"enabled":   true,
+		"directory": s.cfg.Schemas.Directory,
+		"default":   s.cfg.Schemas.Default,
+		"count":     len(s.schemas),
+	}
+}
+
+func (s *Server) buildStorageSettings(ctx context.Context) map[string]any {
+	result := map[string]any{
+		"enabled":  true,
+		"endpoint": s.cfg.Storage.Endpoint,
+		"bucket":   s.cfg.Storage.Bucket,
+		"use_ssl":  s.cfg.Storage.UseSSL,
+		"region":   s.cfg.Storage.Region,
+	}
+	if s.storage != nil {
+		if err := s.storage.Ping(ctx); err != nil {
+			result["status"] = "unavailable"
+		} else {
+			result["status"] = "ok"
+		}
+	} else {
+		result["status"] = "not_configured"
+	}
+	return result
+}
+
+func (s *Server) buildDatabaseSettings(ctx context.Context) map[string]any {
+	result := map[string]any{
+		"enabled":         true,
+		"host":            s.cfg.Database.Host,
+		"port":            s.cfg.Database.Port,
+		"name":            s.cfg.Database.Name,
+		"user":            s.cfg.Database.User,
+		"password":        redact(s.cfg.Database.Password),
+		"sslmode":         s.cfg.Database.SSLMode,
+		"max_connections": s.cfg.Database.MaxConnections,
+	}
+	if err := s.db.Pool().Ping(ctx); err != nil {
+		result["status"] = "unavailable"
+	} else {
+		result["status"] = "ok"
+	}
+	return result
+}
+
+func (s *Server) buildAuthSettings() map[string]any {
+	return map[string]any{
+		"enabled":        s.modules.IsEnabled("auth"),
+		"session_secret": redact(s.cfg.Auth.SessionSecret),
+		"local": map[string]any{
+			"enabled":                s.cfg.Auth.Local.Enabled,
+			"default_admin_username": s.cfg.Auth.Local.DefaultAdminUsername,
+			"default_admin_password": redact(s.cfg.Auth.Local.DefaultAdminPassword),
+		},
+		"ldap": map[string]any{
+			"enabled":       s.cfg.Auth.LDAP.Enabled,
+			"url":           s.cfg.Auth.LDAP.URL,
+			"base_dn":       s.cfg.Auth.LDAP.BaseDN,
+			"bind_dn":       s.cfg.Auth.LDAP.BindDN,
+			"bind_password": redact(s.cfg.Auth.LDAP.BindPassword),
+		},
+		"oidc": map[string]any{
+			"enabled":       s.cfg.Auth.OIDC.Enabled,
+			"issuer_url":    s.cfg.Auth.OIDC.IssuerURL,
+			"client_id":     s.cfg.Auth.OIDC.ClientID,
+			"client_secret": redact(s.cfg.Auth.OIDC.ClientSecret),
+			"redirect_url":  s.cfg.Auth.OIDC.RedirectURL,
+		},
+	}
+}
+
+func (s *Server) buildOdooSettings() map[string]any {
+	return map[string]any{
+		"enabled":  s.modules.IsEnabled("odoo"),
+		"url":      s.cfg.Odoo.URL,
+		"database": s.cfg.Odoo.Database,
+		"username": s.cfg.Odoo.Username,
+		"api_key":  redact(s.cfg.Odoo.APIKey),
+	}
+}
+
+func (s *Server) buildFreecadSettings() map[string]any {
+	return map[string]any{
+		"enabled":    s.modules.IsEnabled("freecad"),
+		"uri_scheme": s.cfg.FreeCAD.URIScheme,
+		"executable": s.cfg.FreeCAD.Executable,
+	}
+}
+
+func (s *Server) buildJobsSettings() map[string]any {
+	return map[string]any{
+		"enabled":           s.modules.IsEnabled("jobs"),
+		"directory":         s.cfg.Jobs.Directory,
+		"runner_timeout":    s.cfg.Jobs.RunnerTimeout,
+		"job_timeout_check": s.cfg.Jobs.JobTimeoutCheck,
+		"default_priority":  s.cfg.Jobs.DefaultPriority,
+		"definitions_count": len(s.jobDefs),
+	}
+}

internal/api/settings_handlers_test.go

@@ -0,0 +1,285 @@
+package api
+
+import (
+	"encoding/json"
+	"net/http"
+	"net/http/httptest"
+	"strings"
+	"testing"
+
+	"github.com/go-chi/chi/v5"
+	"github.com/kindredsystems/silo/internal/auth"
+	"github.com/kindredsystems/silo/internal/config"
+	"github.com/kindredsystems/silo/internal/db"
+	"github.com/kindredsystems/silo/internal/modules"
+	"github.com/kindredsystems/silo/internal/schema"
+	"github.com/kindredsystems/silo/internal/testutil"
+	"github.com/rs/zerolog"
+)
+
+func newSettingsTestServer(t *testing.T) *Server {
+	t.Helper()
+	pool := testutil.MustConnectTestPool(t)
+	database := db.NewFromPool(pool)
+	broker := NewBroker(zerolog.Nop())
+	state := NewServerState(zerolog.Nop(), nil, broker)
+	cfg := &config.Config{
+		Server: config.ServerConfig{Host: "0.0.0.0", Port: 8080},
+		Database: config.DatabaseConfig{
+			Host: "localhost", Port: 5432, Name: "silo_test",
+			User: "silo", Password: "secret", SSLMode: "disable",
+			MaxConnections: 10,
+		},
+		Storage: config.StorageConfig{
+			Endpoint: "minio:9000", Bucket: "silo", Region: "us-east-1",
+			AccessKey: "minioadmin", SecretKey: "miniosecret",
+		},
+		Schemas: config.SchemasConfig{Directory: "/etc/silo/schemas", Default: "kindred-rd"},
+		Auth: config.AuthConfig{
+			SessionSecret: "supersecret",
+			Local:         config.LocalAuth{Enabled: true, DefaultAdminUsername: "admin", DefaultAdminPassword: "changeme"},
+			LDAP:          config.LDAPAuth{Enabled: false, BindPassword: "ldapsecret"},
+			OIDC:          config.OIDCAuth{Enabled: false, ClientSecret: "oidcsecret"},
+		},
+		FreeCAD: config.FreeCADConfig{URIScheme: "silo"},
+		Odoo:    config.OdooConfig{URL: "https://odoo.example.com", APIKey: "odoo-api-key"},
+		Jobs:    config.JobsConfig{Directory: "/etc/silo/jobdefs", RunnerTimeout: 90, JobTimeoutCheck: 30, DefaultPriority: 100},
+	}
+	return NewServer(
+		zerolog.Nop(),
+		database,
+		map[string]*schema.Schema{"test": {Name: "test"}},
+		cfg.Schemas.Directory,
+		nil, // storage
+		nil, // authService
+		nil, // sessionManager
+		nil, // oidcBackend
+		nil, // authConfig
+		broker,
+		state,
+		nil,                   // jobDefs
+		"",                    // jobDefsDir
+		modules.NewRegistry(), // modules
+		cfg,
+	)
+}
+
+func newSettingsRouter(s *Server) http.Handler {
+	r := chi.NewRouter()
+	r.Route("/api/admin/settings", func(r chi.Router) {
+		r.Get("/", s.HandleGetAllSettings)
+		r.Get("/{module}", s.HandleGetModuleSettings)
+		r.Put("/{module}", s.HandleUpdateModuleSettings)
+		r.Post("/{module}/test", s.HandleTestModuleConnectivity)
+	})
+	return r
+}
+
+func adminSettingsRequest(r *http.Request) *http.Request {
+	u := &auth.User{
+		ID:       "admin-id",
+		Username: "testadmin",
+		Role:     auth.RoleAdmin,
+	}
+	return r.WithContext(auth.ContextWithUser(r.Context(), u))
+}
+
+func viewerSettingsRequest(r *http.Request) *http.Request {
+	u := &auth.User{
+		ID:       "viewer-id",
+		Username: "testviewer",
+		Role:     auth.RoleViewer,
+	}
+	return r.WithContext(auth.ContextWithUser(r.Context(), u))
+}
+
+func TestGetAllSettings(t *testing.T) {
+	s := newSettingsTestServer(t)
+	router := newSettingsRouter(s)
+
+	req := adminSettingsRequest(httptest.NewRequest("GET", "/api/admin/settings", nil))
+	w := httptest.NewRecorder()
+	router.ServeHTTP(w, req)
+
+	if w.Code != http.StatusOK {
+		t.Fatalf("status: got %d, want %d; body: %s", w.Code, http.StatusOK, w.Body.String())
+	}
+
+	var resp map[string]any
+	if err := json.Unmarshal(w.Body.Bytes(), &resp); err != nil {
+		t.Fatalf("decoding: %v", err)
+	}
+
+	// Verify all module keys present
+	expectedModules := []string{"core", "schemas", "storage", "database", "auth", "projects", "audit", "odoo", "freecad", "jobs", "dag"}
+	for _, mod := range expectedModules {
+		if _, ok := resp[mod]; !ok {
+			t.Errorf("missing module key: %s", mod)
+		}
+	}
+
+	// Verify secrets are redacted
+	dbSettings, _ := resp["database"].(map[string]any)
+	if dbSettings["password"] != "****" {
+		t.Errorf("database password not redacted: got %v", dbSettings["password"])
+	}
+
+	authSettings, _ := resp["auth"].(map[string]any)
+	if authSettings["session_secret"] != "****" {
+		t.Errorf("session_secret not redacted: got %v", authSettings["session_secret"])
+	}
+
+	ldap, _ := authSettings["ldap"].(map[string]any)
+	if ldap["bind_password"] != "****" {
+		t.Errorf("ldap bind_password not redacted: got %v", ldap["bind_password"])
+	}
+
+	oidc, _ := authSettings["oidc"].(map[string]any)
+	if oidc["client_secret"] != "****" {
+		t.Errorf("oidc client_secret not redacted: got %v", oidc["client_secret"])
+	}
+
+	odoo, _ := resp["odoo"].(map[string]any)
+	if odoo["api_key"] != "****" {
+		t.Errorf("odoo api_key not redacted: got %v", odoo["api_key"])
+	}
+}
+
+func TestGetModuleSettings(t *testing.T) {
+	s := newSettingsTestServer(t)
+	router := newSettingsRouter(s)
+
+	req := adminSettingsRequest(httptest.NewRequest("GET", "/api/admin/settings/jobs", nil))
+	w := httptest.NewRecorder()
+	router.ServeHTTP(w, req)
+
+	if w.Code != http.StatusOK {
+		t.Fatalf("status: got %d, want %d; body: %s", w.Code, http.StatusOK, w.Body.String())
+	}
+
+	var resp map[string]any
+	if err := json.Unmarshal(w.Body.Bytes(), &resp); err != nil {
+		t.Fatalf("decoding: %v", err)
+	}
+
+	if resp["directory"] != "/etc/silo/jobdefs" {
+		t.Errorf("jobs directory: got %v, want /etc/silo/jobdefs", resp["directory"])
+	}
+	if resp["runner_timeout"] != float64(90) {
+		t.Errorf("runner_timeout: got %v, want 90", resp["runner_timeout"])
+	}
+}
+
+func TestGetModuleSettings_Unknown(t *testing.T) {
+	s := newSettingsTestServer(t)
+	router := newSettingsRouter(s)
+
+	req := adminSettingsRequest(httptest.NewRequest("GET", "/api/admin/settings/nonexistent", nil))
+	w := httptest.NewRecorder()
+	router.ServeHTTP(w, req)
+
+	if w.Code != http.StatusNotFound {
+		t.Errorf("status: got %d, want %d", w.Code, http.StatusNotFound)
+	}
+}
+
+func TestToggleModule(t *testing.T) {
+	s := newSettingsTestServer(t)
+	router := newSettingsRouter(s)
+
+	// Projects is enabled by default; disable it
+	body := `{"enabled": false}`
+	req := adminSettingsRequest(httptest.NewRequest("PUT", "/api/admin/settings/projects", strings.NewReader(body)))
+	req.Header.Set("Content-Type", "application/json")
+	w := httptest.NewRecorder()
+	router.ServeHTTP(w, req)
+
+	if w.Code != http.StatusOK {
+		t.Fatalf("status: got %d, want %d; body: %s", w.Code, http.StatusOK, w.Body.String())
+	}
+
+	var resp map[string]any
+	if err := json.Unmarshal(w.Body.Bytes(), &resp); err != nil {
+		t.Fatalf("decoding: %v", err)
+	}
+
+	updated, _ := resp["updated"].([]any)
+	if len(updated) != 1 || updated[0] != "projects.enabled" {
+		t.Errorf("updated: got %v, want [projects.enabled]", updated)
+	}
+
+	// Verify registry state
+	if s.modules.IsEnabled("projects") {
+		t.Error("projects should be disabled after toggle")
+	}
+}
+
+func TestToggleModule_DependencyError(t *testing.T) {
+	s := newSettingsTestServer(t)
+	router := newSettingsRouter(s)
+
+	// DAG depends on Jobs. Jobs is disabled by default.
+	// Enabling DAG without Jobs should fail.
+	body := `{"enabled": true}`
+	req := adminSettingsRequest(httptest.NewRequest("PUT", "/api/admin/settings/dag", strings.NewReader(body)))
+	req.Header.Set("Content-Type", "application/json")
+	w := httptest.NewRecorder()
+	router.ServeHTTP(w, req)
+
+	if w.Code != http.StatusBadRequest {
+		t.Errorf("status: got %d, want %d; body: %s", w.Code, http.StatusBadRequest, w.Body.String())
+	}
+}
+
+func TestToggleRequiredModule(t *testing.T) {
+	s := newSettingsTestServer(t)
+	router := newSettingsRouter(s)
+
+	body := `{"enabled": false}`
+	req := adminSettingsRequest(httptest.NewRequest("PUT", "/api/admin/settings/core", strings.NewReader(body)))
+	req.Header.Set("Content-Type", "application/json")
+	w := httptest.NewRecorder()
+	router.ServeHTTP(w, req)
+
+	if w.Code != http.StatusBadRequest {
+		t.Errorf("status: got %d, want %d; body: %s", w.Code, http.StatusBadRequest, w.Body.String())
+	}
+}
+
+func TestTestConnectivity_Database(t *testing.T) {
+	s := newSettingsTestServer(t)
+	router := newSettingsRouter(s)
+
+	req := adminSettingsRequest(httptest.NewRequest("POST", "/api/admin/settings/database/test", nil))
+	w := httptest.NewRecorder()
+	router.ServeHTTP(w, req)
+
+	if w.Code != http.StatusOK {
+		t.Fatalf("status: got %d, want %d; body: %s", w.Code, http.StatusOK, w.Body.String())
+	}
+
+	var resp map[string]any
+	if err := json.Unmarshal(w.Body.Bytes(), &resp); err != nil {
+		t.Fatalf("decoding: %v", err)
+	}
+
+	if resp["success"] != true {
+		t.Errorf("expected success=true, got %v; message: %v", resp["success"], resp["message"])
+	}
+	if resp["latency_ms"] == nil {
+		t.Error("expected latency_ms in response")
+	}
+}
+
+func TestTestConnectivity_NotTestable(t *testing.T) {
+	s := newSettingsTestServer(t)
+	router := newSettingsRouter(s)
+
+	req := adminSettingsRequest(httptest.NewRequest("POST", "/api/admin/settings/core/test", nil))
+	w := httptest.NewRecorder()
+	router.ServeHTTP(w, req)
+
+	if w.Code != http.StatusBadRequest {
+		t.Errorf("status: got %d, want %d; body: %s", w.Code, http.StatusBadRequest, w.Body.String())
+	}
+}

internal/config/config.go

@@ -18,6 +18,25 @@ type Config struct {
 	Odoo     OdooConfig     `yaml:"odoo"`
 	Auth     AuthConfig     `yaml:"auth"`
 	Jobs     JobsConfig     `yaml:"jobs"`
+	Modules  ModulesConfig  `yaml:"modules"`
+}
+
+// ModulesConfig holds explicit enable/disable toggles for optional modules.
+// A nil pointer means "use the module's default state".
+type ModulesConfig struct {
+	Auth     *ModuleToggle `yaml:"auth"`
+	Projects *ModuleToggle `yaml:"projects"`
+	Audit    *ModuleToggle `yaml:"audit"`
+	Odoo     *ModuleToggle `yaml:"odoo"`
+	FreeCAD  *ModuleToggle `yaml:"freecad"`
+	Jobs     *ModuleToggle `yaml:"jobs"`
+	DAG      *ModuleToggle `yaml:"dag"`
+}
+
+// ModuleToggle holds an optional enabled flag. The pointer allows
+// distinguishing "not set" (nil) from "explicitly false".
+type ModuleToggle struct {
+	Enabled *bool `yaml:"enabled"`
 }
 
 // AuthConfig holds authentication and authorization settings.

internal/db/locations.go

@@ -0,0 +1,230 @@
+package db
+
+import (
+	"context"
+	"encoding/json"
+	"fmt"
+	"strings"
+	"time"
+
+	"github.com/jackc/pgx/v5"
+)
+
+// Location represents a location in the hierarchy.
+type Location struct {
+	ID           string
+	Path         string
+	Name         string
+	ParentID     *string
+	LocationType string
+	Depth        int
+	Metadata     map[string]any
+	CreatedAt    time.Time
+}
+
+// LocationRepository provides location database operations.
+type LocationRepository struct {
+	db *DB
+}
+
+// NewLocationRepository creates a new location repository.
+func NewLocationRepository(db *DB) *LocationRepository {
+	return &LocationRepository{db: db}
+}
+
+// List returns all locations ordered by path.
+func (r *LocationRepository) List(ctx context.Context) ([]*Location, error) {
+	rows, err := r.db.pool.Query(ctx, `
+		SELECT id, path, name, parent_id, location_type, depth, metadata, created_at
+		FROM locations
+		ORDER BY path
+	`)
+	if err != nil {
+		return nil, err
+	}
+	defer rows.Close()
+	return scanLocations(rows)
+}
+
+// GetByPath returns a location by its path.
+func (r *LocationRepository) GetByPath(ctx context.Context, path string) (*Location, error) {
+	loc := &Location{}
+	var meta []byte
+	err := r.db.pool.QueryRow(ctx, `
+		SELECT id, path, name, parent_id, location_type, depth, metadata, created_at
+		FROM locations
+		WHERE path = $1
+	`, path).Scan(&loc.ID, &loc.Path, &loc.Name, &loc.ParentID, &loc.LocationType, &loc.Depth, &meta, &loc.CreatedAt)
+	if err == pgx.ErrNoRows {
+		return nil, nil
+	}
+	if err != nil {
+		return nil, err
+	}
+	if meta != nil {
+		json.Unmarshal(meta, &loc.Metadata)
+	}
+	return loc, nil
+}
+
+// GetByID returns a location by its ID.
+func (r *LocationRepository) GetByID(ctx context.Context, id string) (*Location, error) {
+	loc := &Location{}
+	var meta []byte
+	err := r.db.pool.QueryRow(ctx, `
+		SELECT id, path, name, parent_id, location_type, depth, metadata, created_at
+		FROM locations
+		WHERE id = $1
+	`, id).Scan(&loc.ID, &loc.Path, &loc.Name, &loc.ParentID, &loc.LocationType, &loc.Depth, &meta, &loc.CreatedAt)
+	if err == pgx.ErrNoRows {
+		return nil, nil
+	}
+	if err != nil {
+		return nil, err
+	}
+	if meta != nil {
+		json.Unmarshal(meta, &loc.Metadata)
+	}
+	return loc, nil
+}
+
+// GetChildren returns direct children of a location.
+func (r *LocationRepository) GetChildren(ctx context.Context, parentID string) ([]*Location, error) {
+	rows, err := r.db.pool.Query(ctx, `
+		SELECT id, path, name, parent_id, location_type, depth, metadata, created_at
+		FROM locations
+		WHERE parent_id = $1
+		ORDER BY path
+	`, parentID)
+	if err != nil {
+		return nil, err
+	}
+	defer rows.Close()
+	return scanLocations(rows)
+}
+
+// GetTree returns a location and all its descendants (by path prefix).
+func (r *LocationRepository) GetTree(ctx context.Context, rootPath string) ([]*Location, error) {
+	rows, err := r.db.pool.Query(ctx, `
+		SELECT id, path, name, parent_id, location_type, depth, metadata, created_at
+		FROM locations
+		WHERE path = $1 OR path LIKE $2
+		ORDER BY path
+	`, rootPath, rootPath+"/%")
+	if err != nil {
+		return nil, err
+	}
+	defer rows.Close()
+	return scanLocations(rows)
+}
+
+// Create inserts a new location. ParentID and Depth are resolved from the path.
+func (r *LocationRepository) Create(ctx context.Context, loc *Location) error {
+	// Auto-calculate depth from path segments
+	loc.Depth = strings.Count(loc.Path, "/")
+
+	// Resolve parent_id from path if not explicitly set
+	if loc.ParentID == nil && loc.Depth > 0 {
+		parentPath := loc.Path[:strings.LastIndex(loc.Path, "/")]
+		parent, err := r.GetByPath(ctx, parentPath)
+		if err != nil {
+			return fmt.Errorf("looking up parent %q: %w", parentPath, err)
+		}
+		if parent == nil {
+			return fmt.Errorf("parent location %q does not exist", parentPath)
+		}
+		loc.ParentID = &parent.ID
+	}
+
+	meta, err := json.Marshal(loc.Metadata)
+	if err != nil {
+		return fmt.Errorf("marshaling metadata: %w", err)
+	}
+
+	return r.db.pool.QueryRow(ctx, `
+		INSERT INTO locations (path, name, parent_id, location_type, depth, metadata)
+		VALUES ($1, $2, $3, $4, $5, $6)
+		RETURNING id, created_at
+	`, loc.Path, loc.Name, loc.ParentID, loc.LocationType, loc.Depth, meta).Scan(&loc.ID, &loc.CreatedAt)
+}
+
+// Update updates a location's name, type, and metadata.
+func (r *LocationRepository) Update(ctx context.Context, path string, name, locationType string, metadata map[string]any) error {
+	meta, err := json.Marshal(metadata)
+	if err != nil {
+		return fmt.Errorf("marshaling metadata: %w", err)
+	}
+	tag, err := r.db.pool.Exec(ctx, `
+		UPDATE locations
+		SET name = $2, location_type = $3, metadata = $4
+		WHERE path = $1
+	`, path, name, locationType, meta)
+	if err != nil {
+		return err
+	}
+	if tag.RowsAffected() == 0 {
+		return fmt.Errorf("location %q not found", path)
+	}
+	return nil
+}
+
+// Delete removes a location. Returns an error if inventory rows reference it.
+func (r *LocationRepository) Delete(ctx context.Context, path string) error {
+	// Check for inventory references
+	var count int
+	err := r.db.pool.QueryRow(ctx, `
+		SELECT COUNT(*) FROM inventory
+		WHERE location_id = (SELECT id FROM locations WHERE path = $1)
+	`, path).Scan(&count)
+	if err != nil {
+		return err
+	}
+	if count > 0 {
+		return fmt.Errorf("cannot delete location %q: %d inventory record(s) exist", path, count)
+	}
+
+	// Delete children first (cascade by path prefix), deepest first
+	_, err = r.db.pool.Exec(ctx, `
+		DELETE FROM locations
+		WHERE path LIKE $1
+	`, path+"/%")
+	if err != nil {
+		return err
+	}
+
+	tag, err := r.db.pool.Exec(ctx, `DELETE FROM locations WHERE path = $1`, path)
+	if err != nil {
+		return err
+	}
+	if tag.RowsAffected() == 0 {
+		return fmt.Errorf("location %q not found", path)
+	}
+	return nil
+}
+
+// HasInventory checks if a location (or descendants) have inventory records.
+func (r *LocationRepository) HasInventory(ctx context.Context, path string) (bool, error) {
+	var count int
+	err := r.db.pool.QueryRow(ctx, `
+		SELECT COUNT(*) FROM inventory i
+		JOIN locations l ON l.id = i.location_id
+		WHERE l.path = $1 OR l.path LIKE $2
+	`, path, path+"/%").Scan(&count)
+	return count > 0, err
+}
+
+func scanLocations(rows pgx.Rows) ([]*Location, error) {
+	var locs []*Location
+	for rows.Next() {
+		loc := &Location{}
+		var meta []byte
+		if err := rows.Scan(&loc.ID, &loc.Path, &loc.Name, &loc.ParentID, &loc.LocationType, &loc.Depth, &meta, &loc.CreatedAt); err != nil {
+			return nil, err
+		}
+		if meta != nil {
+			json.Unmarshal(meta, &loc.Metadata)
+		}
+		locs = append(locs, loc)
+	}
+	return locs, rows.Err()
+}

internal/db/settings.go

@@ -0,0 +1,105 @@
+package db
+
+import (
+	"context"
+	"encoding/json"
+	"fmt"
+)
+
+// SettingsRepository provides access to module_state and settings_overrides tables.
+type SettingsRepository struct {
+	db *DB
+}
+
+// NewSettingsRepository creates a new SettingsRepository.
+func NewSettingsRepository(db *DB) *SettingsRepository {
+	return &SettingsRepository{db: db}
+}
+
+// GetModuleStates returns all module enabled/disabled states from the database.
+func (r *SettingsRepository) GetModuleStates(ctx context.Context) (map[string]bool, error) {
+	rows, err := r.db.pool.Query(ctx,
+		`SELECT module_id, enabled FROM module_state`)
+	if err != nil {
+		return nil, fmt.Errorf("querying module states: %w", err)
+	}
+	defer rows.Close()
+
+	states := make(map[string]bool)
+	for rows.Next() {
+		var id string
+		var enabled bool
+		if err := rows.Scan(&id, &enabled); err != nil {
+			return nil, fmt.Errorf("scanning module state: %w", err)
+		}
+		states[id] = enabled
+	}
+	return states, rows.Err()
+}
+
+// SetModuleState persists a module's enabled state. Uses upsert semantics.
+func (r *SettingsRepository) SetModuleState(ctx context.Context, moduleID string, enabled bool, updatedBy string) error {
+	_, err := r.db.pool.Exec(ctx,
+		`INSERT INTO module_state (module_id, enabled, updated_by, updated_at)
+		 VALUES ($1, $2, $3, now())
+		 ON CONFLICT (module_id) DO UPDATE
+		 SET enabled = EXCLUDED.enabled,
+		     updated_by = EXCLUDED.updated_by,
+		     updated_at = now()`,
+		moduleID, enabled, updatedBy)
+	if err != nil {
+		return fmt.Errorf("setting module state: %w", err)
+	}
+	return nil
+}
+
+// GetOverrides returns all settings overrides from the database.
+func (r *SettingsRepository) GetOverrides(ctx context.Context) (map[string]json.RawMessage, error) {
+	rows, err := r.db.pool.Query(ctx,
+		`SELECT key, value FROM settings_overrides`)
+	if err != nil {
+		return nil, fmt.Errorf("querying settings overrides: %w", err)
+	}
+	defer rows.Close()
+
+	overrides := make(map[string]json.RawMessage)
+	for rows.Next() {
+		var key string
+		var value json.RawMessage
+		if err := rows.Scan(&key, &value); err != nil {
+			return nil, fmt.Errorf("scanning settings override: %w", err)
+		}
+		overrides[key] = value
+	}
+	return overrides, rows.Err()
+}
+
+// SetOverride persists a settings override. Uses upsert semantics.
+func (r *SettingsRepository) SetOverride(ctx context.Context, key string, value any, updatedBy string) error {
+	jsonVal, err := json.Marshal(value)
+	if err != nil {
+		return fmt.Errorf("marshaling override value: %w", err)
+	}
+	_, err = r.db.pool.Exec(ctx,
+		`INSERT INTO settings_overrides (key, value, updated_by, updated_at)
+		 VALUES ($1, $2, $3, now())
+		 ON CONFLICT (key) DO UPDATE
+		 SET value = EXCLUDED.value,
+		     updated_by = EXCLUDED.updated_by,
+		     updated_at = now()`,
+		key, jsonVal, updatedBy)
+	if err != nil {
+		return fmt.Errorf("setting override: %w", err)
+	}
+	return nil
+}
+
+// DeleteOverride removes a settings override.
+func (r *SettingsRepository) DeleteOverride(ctx context.Context, key string) error {
+	_, err := r.db.pool.Exec(ctx,
+		`DELETE FROM settings_overrides WHERE key = $1`, key)
+	if err != nil {
+		return fmt.Errorf("deleting override: %w", err)
+	}
+	return nil
+}

internal/modules/loader.go

@@ -0,0 +1,84 @@
+package modules
+
+import (
+	"context"
+
+	"github.com/jackc/pgx/v5/pgxpool"
+	"github.com/kindredsystems/silo/internal/config"
+)
+
+// LoadState applies module state from config YAML and database overrides.
+//
+// Precedence (highest wins):
+//  1. Database module_state table
+//  2. YAML modules.* toggles
+//  3. Backward-compat YAML fields (auth.enabled, odoo.enabled)
+//  4. Module defaults (set by NewRegistry)
+func LoadState(r *Registry, cfg *config.Config, pool *pgxpool.Pool) error {
+	// Step 1: Apply backward-compat top-level YAML fields.
+	// auth.enabled and odoo.enabled existed before the modules section.
+	// Only apply if the new modules.* section doesn't override them.
+	if cfg.Modules.Auth == nil {
+		r.setEnabledUnchecked(Auth, cfg.Auth.Enabled)
+	}
+	if cfg.Modules.Odoo == nil {
+		r.setEnabledUnchecked(Odoo, cfg.Odoo.Enabled)
+	}
+
+	// Step 2: Apply explicit modules.* YAML toggles (override defaults + compat).
+	applyToggle(r, Auth, cfg.Modules.Auth)
+	applyToggle(r, Projects, cfg.Modules.Projects)
+	applyToggle(r, Audit, cfg.Modules.Audit)
+	applyToggle(r, Odoo, cfg.Modules.Odoo)
+	applyToggle(r, FreeCAD, cfg.Modules.FreeCAD)
+	applyToggle(r, Jobs, cfg.Modules.Jobs)
+	applyToggle(r, DAG, cfg.Modules.DAG)
+
+	// Step 3: Apply database overrides (highest precedence).
+	if pool != nil {
+		if err := loadFromDB(r, pool); err != nil {
+			return err
+		}
+	}
+
+	// Step 4: Validate the final state.
+	return r.ValidateDependencies()
+}
+
+// applyToggle sets a module's state from a YAML ModuleToggle if present.
+func applyToggle(r *Registry, id string, toggle *config.ModuleToggle) {
+	if toggle == nil || toggle.Enabled == nil {
+		return
+	}
+	r.setEnabledUnchecked(id, *toggle.Enabled)
+}
+
+// setEnabledUnchecked sets module state without dependency validation.
+// Used during loading when the full state is being assembled incrementally.
+func (r *Registry) setEnabledUnchecked(id string, enabled bool) {
+	r.mu.Lock()
+	defer r.mu.Unlock()
+	if m, ok := r.modules[id]; ok && !m.Required {
+		m.enabled = enabled
+	}
+}
+
+// loadFromDB reads module_state rows and applies them to the registry.
+func loadFromDB(r *Registry, pool *pgxpool.Pool) error {
+	rows, err := pool.Query(context.Background(),
+		`SELECT module_id, enabled FROM module_state`)
+	if err != nil {
+		return err
+	}
+	defer rows.Close()
+
+	for rows.Next() {
+		var id string
+		var enabled bool
+		if err := rows.Scan(&id, &enabled); err != nil {
+			return err
+		}
+		r.setEnabledUnchecked(id, enabled)
+	}
+	return rows.Err()
+}

internal/modules/loader_test.go

@@ -0,0 +1,88 @@
+package modules
+
+import (
+	"testing"
+
+	"github.com/kindredsystems/silo/internal/config"
+)
+
+func boolPtr(v bool) *bool { return &v }
+
+func TestLoadState_DefaultsOnly(t *testing.T) {
+	r := NewRegistry()
+	cfg := &config.Config{}
+
+	if err := LoadState(r, cfg, nil); err != nil {
+		t.Fatalf("LoadState: %v", err)
+	}
+
+	// Auth defaults to true from registry, but cfg.Auth.Enabled is false
+	// (zero value) and backward-compat applies, so auth ends up disabled.
+	if r.IsEnabled(Auth) {
+		t.Error("auth should be disabled (cfg.Auth.Enabled is false by default)")
+	}
+}
+
+func TestLoadState_BackwardCompat(t *testing.T) {
+	r := NewRegistry()
+	cfg := &config.Config{}
+	cfg.Auth.Enabled = true
+	cfg.Odoo.Enabled = true
+
+	if err := LoadState(r, cfg, nil); err != nil {
+		t.Fatalf("LoadState: %v", err)
+	}
+
+	if !r.IsEnabled(Auth) {
+		t.Error("auth should be enabled via cfg.Auth.Enabled")
+	}
+	if !r.IsEnabled(Odoo) {
+		t.Error("odoo should be enabled via cfg.Odoo.Enabled")
+	}
+}
+
+func TestLoadState_YAMLModulesOverrideCompat(t *testing.T) {
+	r := NewRegistry()
+	cfg := &config.Config{}
+	cfg.Auth.Enabled = true                                          // compat says enabled
+	cfg.Modules.Auth = &config.ModuleToggle{Enabled: boolPtr(false)} // explicit says disabled
+
+	if err := LoadState(r, cfg, nil); err != nil {
+		t.Fatalf("LoadState: %v", err)
+	}
+
+	if r.IsEnabled(Auth) {
+		t.Error("modules.auth.enabled=false should override auth.enabled=true")
+	}
+}
+
+func TestLoadState_EnableJobsAndDAG(t *testing.T) {
+	r := NewRegistry()
+	cfg := &config.Config{}
+	cfg.Auth.Enabled = true
+	cfg.Modules.Jobs = &config.ModuleToggle{Enabled: boolPtr(true)}
+	cfg.Modules.DAG = &config.ModuleToggle{Enabled: boolPtr(true)}
+
+	if err := LoadState(r, cfg, nil); err != nil {
+		t.Fatalf("LoadState: %v", err)
+	}
+
+	if !r.IsEnabled(Jobs) {
+		t.Error("jobs should be enabled")
+	}
+	if !r.IsEnabled(DAG) {
+		t.Error("dag should be enabled")
+	}
+}
+
+func TestLoadState_InvalidDependency(t *testing.T) {
+	r := NewRegistry()
+	cfg := &config.Config{}
+	// Auth disabled (default), but enable jobs which depends on auth.
+	cfg.Modules.Jobs = &config.ModuleToggle{Enabled: boolPtr(true)}
+
+	err := LoadState(r, cfg, nil)
+	if err == nil {
+		t.Error("should fail: jobs enabled but auth disabled")
+	}
+}

internal/modules/modules.go

@@ -0,0 +1,163 @@
+// Package modules provides the module registry for Silo.
+// Each module groups API endpoints, UI views, and configuration.
+// Modules can be required (always on) or optional (admin-toggleable).
+package modules
+
+import (
+	"fmt"
+	"sort"
+	"sync"
+)
+
+// Module IDs.
+const (
+	Core     = "core"
+	Schemas  = "schemas"
+	Storage  = "storage"
+	Auth     = "auth"
+	Projects = "projects"
+	Audit    = "audit"
+	Odoo     = "odoo"
+	FreeCAD  = "freecad"
+	Jobs     = "jobs"
+	DAG      = "dag"
+)
+
+// ModuleInfo describes a module's metadata.
+type ModuleInfo struct {
+	ID             string
+	Name           string
+	Description    string
+	Required       bool     // cannot be disabled
+	DefaultEnabled bool     // initial state for optional modules
+	DependsOn      []string // module IDs this module requires
+	Version        string
+}
+
+// registry entries with their runtime enabled state.
+type moduleState struct {
+	ModuleInfo
+	enabled bool
+}
+
+// Registry holds all module definitions and their enabled state.
+type Registry struct {
+	mu      sync.RWMutex
+	modules map[string]*moduleState
+}
+
+// builtinModules defines the complete set of Silo modules.
+var builtinModules = []ModuleInfo{
+	{ID: Core, Name: "Core PDM", Description: "Items, revisions, files, BOM, search, import/export", Required: true, Version: "0.2"},
+	{ID: Schemas, Name: "Schemas", Description: "Part numbering schema parsing and segment management", Required: true},
+	{ID: Storage, Name: "Storage", Description: "MinIO/S3 file storage, presigned uploads", Required: true},
+	{ID: Auth, Name: "Authentication", Description: "Local, LDAP, OIDC authentication and RBAC", DefaultEnabled: true},
+	{ID: Projects, Name: "Projects", Description: "Project management and item tagging", DefaultEnabled: true},
+	{ID: Audit, Name: "Audit", Description: "Audit logging, completeness scoring", DefaultEnabled: true},
+	{ID: Odoo, Name: "Odoo ERP", Description: "Odoo integration (config, sync-log, push/pull)", DependsOn: []string{Auth}},
+	{ID: FreeCAD, Name: "Create Integration", Description: "URI scheme, executable path, client settings", DefaultEnabled: true},
+	{ID: Jobs, Name: "Job Queue", Description: "Async compute jobs, runner management", DependsOn: []string{Auth}},
+	{ID: DAG, Name: "Dependency DAG", Description: "Feature DAG sync, validation states, interference detection", DependsOn: []string{Jobs}},
+}
+
+// NewRegistry creates a registry with all builtin modules set to their default state.
+func NewRegistry() *Registry {
+	r := &Registry{modules: make(map[string]*moduleState, len(builtinModules))}
+	for _, m := range builtinModules {
+		enabled := m.Required || m.DefaultEnabled
+		r.modules[m.ID] = &moduleState{ModuleInfo: m, enabled: enabled}
+	}
+	return r
+}
+
+// IsEnabled returns whether a module is currently enabled.
+func (r *Registry) IsEnabled(id string) bool {
+	r.mu.RLock()
+	defer r.mu.RUnlock()
+	if m, ok := r.modules[id]; ok {
+		return m.enabled
+	}
+	return false
+}
+
+// SetEnabled changes a module's enabled state with dependency validation.
+func (r *Registry) SetEnabled(id string, enabled bool) error {
+	r.mu.Lock()
+	defer r.mu.Unlock()
+
+	m, ok := r.modules[id]
+	if !ok {
+		return fmt.Errorf("unknown module %q", id)
+	}
+
+	if m.Required {
+		return fmt.Errorf("module %q is required and cannot be disabled", id)
+	}
+
+	if enabled {
+		// Check that all dependencies are enabled.
+		for _, dep := range m.DependsOn {
+			if dm, ok := r.modules[dep]; ok && !dm.enabled {
+				return fmt.Errorf("cannot enable %q: dependency %q is disabled", id, dep)
+			}
+		}
+	} else {
+		// Check that no enabled module depends on this one.
+		for _, other := range r.modules {
+			if !other.enabled || other.ID == id {
+				continue
+			}
+			for _, dep := range other.DependsOn {
+				if dep == id {
+					return fmt.Errorf("cannot disable %q: module %q depends on it", id, other.ID)
+				}
+			}
+		}
+	}
+
+	m.enabled = enabled
+	return nil
+}
+
+// All returns info for every module, sorted by ID.
+func (r *Registry) All() []ModuleInfo {
+	r.mu.RLock()
+	defer r.mu.RUnlock()
+
+	out := make([]ModuleInfo, 0, len(r.modules))
+	for _, m := range r.modules {
+		out = append(out, m.ModuleInfo)
+	}
+	sort.Slice(out, func(i, j int) bool { return out[i].ID < out[j].ID })
+	return out
+}
+
+// Get returns info for a single module, or nil if not found.
+func (r *Registry) Get(id string) *ModuleInfo {
+	r.mu.RLock()
+	defer r.mu.RUnlock()
+	if m, ok := r.modules[id]; ok {
+		info := m.ModuleInfo
+		return &info
+	}
+	return nil
+}
+
+// ValidateDependencies checks that every enabled module's dependencies
+// are also enabled. Returns the first violation found.
+func (r *Registry) ValidateDependencies() error {
+	r.mu.RLock()
+	defer r.mu.RUnlock()
+
+	for _, m := range r.modules {
+		if !m.enabled {
+			continue
+		}
+		for _, dep := range m.DependsOn {
+			if dm, ok := r.modules[dep]; ok && !dm.enabled {
+				return fmt.Errorf("module %q is enabled but its dependency %q is disabled", m.ID, dep)
+			}
+		}
+	}
+	return nil
+}

internal/modules/modules_test.go

@@ -0,0 +1,169 @@
+package modules
+
+import (
+	"testing"
+)
+
+func TestNewRegistry_DefaultState(t *testing.T) {
+	r := NewRegistry()
+
+	// Required modules are always enabled.
+	for _, id := range []string{Core, Schemas, Storage} {
+		if !r.IsEnabled(id) {
+			t.Errorf("required module %q should be enabled by default", id)
+		}
+	}
+
+	// Optional modules with DefaultEnabled=true.
+	for _, id := range []string{Auth, Projects, Audit, FreeCAD} {
+		if !r.IsEnabled(id) {
+			t.Errorf("module %q should be enabled by default", id)
+		}
+	}
+
+	// Optional modules with DefaultEnabled=false.
+	for _, id := range []string{Odoo, Jobs, DAG} {
+		if r.IsEnabled(id) {
+			t.Errorf("module %q should be disabled by default", id)
+		}
+	}
+}
+
+func TestSetEnabled_BasicToggle(t *testing.T) {
+	r := NewRegistry()
+
+	// Disable an optional module with no dependents.
+	if err := r.SetEnabled(Projects, false); err != nil {
+		t.Fatalf("disabling projects: %v", err)
+	}
+	if r.IsEnabled(Projects) {
+		t.Error("projects should be disabled after SetEnabled(false)")
+	}
+
+	// Re-enable it.
+	if err := r.SetEnabled(Projects, true); err != nil {
+		t.Fatalf("enabling projects: %v", err)
+	}
+	if !r.IsEnabled(Projects) {
+		t.Error("projects should be enabled after SetEnabled(true)")
+	}
+}
+
+func TestCannotDisableRequired(t *testing.T) {
+	r := NewRegistry()
+
+	for _, id := range []string{Core, Schemas, Storage} {
+		if err := r.SetEnabled(id, false); err == nil {
+			t.Errorf("disabling required module %q should return error", id)
+		}
+	}
+}
+
+func TestDependencyChain_EnableWithoutDep(t *testing.T) {
+	r := NewRegistry()
+
+	// Jobs depends on Auth. Auth is enabled by default, so enabling jobs works.
+	if err := r.SetEnabled(Jobs, true); err != nil {
+		t.Fatalf("enabling jobs (auth enabled): %v", err)
+	}
+
+	// DAG depends on Jobs. Jobs is now enabled, so enabling dag works.
+	if err := r.SetEnabled(DAG, true); err != nil {
+		t.Fatalf("enabling dag (jobs enabled): %v", err)
+	}
+
+	// Now try with deps disabled. Start fresh.
+	r2 := NewRegistry()
+
+	// DAG depends on Jobs, which is disabled by default.
+	if err := r2.SetEnabled(DAG, true); err == nil {
+		t.Error("enabling dag without jobs should fail")
+	}
+}
+
+func TestDisableDependedOn(t *testing.T) {
+	r := NewRegistry()
+
+	// Enable the full chain: auth (already on) → jobs → dag.
+	if err := r.SetEnabled(Jobs, true); err != nil {
+		t.Fatal(err)
+	}
+	if err := r.SetEnabled(DAG, true); err != nil {
+		t.Fatal(err)
+	}
+
+	// Cannot disable jobs while dag depends on it.
+	if err := r.SetEnabled(Jobs, false); err == nil {
+		t.Error("disabling jobs while dag is enabled should fail")
+	}
+
+	// Disable dag first, then jobs should work.
+	if err := r.SetEnabled(DAG, false); err != nil {
+		t.Fatal(err)
+	}
+	if err := r.SetEnabled(Jobs, false); err != nil {
+		t.Fatalf("disabling jobs after dag disabled: %v", err)
+	}
+}
+
+func TestCannotDisableAuthWhileJobsEnabled(t *testing.T) {
+	r := NewRegistry()
+
+	if err := r.SetEnabled(Jobs, true); err != nil {
+		t.Fatal(err)
+	}
+
+	// Auth is depended on by jobs.
+	if err := r.SetEnabled(Auth, false); err == nil {
+		t.Error("disabling auth while jobs is enabled should fail")
+	}
+}
+
+func TestUnknownModule(t *testing.T) {
+	r := NewRegistry()
+
+	if r.IsEnabled("nonexistent") {
+		t.Error("unknown module should not be enabled")
+	}
+	if err := r.SetEnabled("nonexistent", true); err == nil {
+		t.Error("setting unknown module should return error")
+	}
+	if r.Get("nonexistent") != nil {
+		t.Error("getting unknown module should return nil")
+	}
+}
+
+func TestAll_ReturnsAllModules(t *testing.T) {
+	r := NewRegistry()
+	all := r.All()
+
+	if len(all) != 10 {
+		t.Errorf("expected 10 modules, got %d", len(all))
+	}
+
+	// Should be sorted by ID.
+	for i := 1; i < len(all); i++ {
+		if all[i].ID < all[i-1].ID {
+			t.Errorf("modules not sorted: %s before %s", all[i-1].ID, all[i].ID)
+		}
+	}
+}
+
+func TestValidateDependencies(t *testing.T) {
+	r := NewRegistry()
+
+	// Default state should be valid.
+	if err := r.ValidateDependencies(); err != nil {
+		t.Fatalf("default state should be valid: %v", err)
+	}
+
+	// Force an invalid state by directly mutating (bypassing SetEnabled).
+	r.mu.Lock()
+	r.modules[Jobs].enabled = true
+	r.modules[Auth].enabled = false
+	r.mu.Unlock()
+
+	if err := r.ValidateDependencies(); err == nil {
+		t.Error("should detect jobs enabled without auth")
+	}
+}

internal/testutil/testutil.go

@@ -3,7 +3,6 @@ package testutil
 
 import (
 	"context"
-	"fmt"
 	"os"
 	"path/filepath"
 	"sort"
@@ -80,11 +79,12 @@ func TruncateAll(t *testing.T, pool *pgxpool.Pool) {
 
 	_, err := pool.Exec(context.Background(), `
 		TRUNCATE
+			settings_overrides, module_state,
 			job_log, jobs, job_definitions, runners,
 			dag_cross_edges, dag_edges, dag_nodes,
 			audit_log, sync_log, api_tokens, sessions, item_files,
 			item_projects, relationships, revisions, inventory, items,
-			projects, sequences_by_name, users, property_migrations
+			locations, projects, sequences_by_name, users, property_migrations
 		CASCADE
 	`)
 	if err != nil {
@@ -111,6 +111,4 @@ func findProjectRoot(t *testing.T) string {
 		}
 		dir = parent
 	}
-
-	panic(fmt.Sprintf("unreachable"))
 }

migrations/016_module_system.sql

@@ -0,0 +1,15 @@
+-- 016_module_system.sql — settings overrides and module state persistence
+
+CREATE TABLE IF NOT EXISTS settings_overrides (
+    key         TEXT PRIMARY KEY,
+    value       JSONB NOT NULL,
+    updated_by  TEXT NOT NULL,
+    updated_at  TIMESTAMPTZ NOT NULL DEFAULT now()
+);
+
+CREATE TABLE IF NOT EXISTS module_state (
+    module_id   TEXT PRIMARY KEY,
+    enabled     BOOLEAN NOT NULL,
+    updated_by  TEXT NOT NULL,
+    updated_at  TIMESTAMPTZ NOT NULL DEFAULT now()
+);

web/src/api/types.ts

@@ -352,6 +352,35 @@ export interface UpdateSchemaValueRequest {
   description: string;
 }
 
+// Admin settings — module discovery
+export interface ModuleInfo {
+  enabled: boolean;
+  required: boolean;
+  name: string;
+  version?: string;
+  depends_on?: string[];
+  config?: Record<string, unknown>;
+}
+
+export interface ModulesResponse {
+  modules: Record<string, ModuleInfo>;
+  server: { version: string; read_only: boolean };
+}
+
+// Admin settings — config management
+export type AdminSettingsResponse = Record<string, Record<string, unknown>>;
+
+export interface UpdateSettingsResponse {
+  updated: string[];
+  restart_required: boolean;
+}
+
+export interface TestConnectivityResponse {
+  success: boolean;
+  message: string;
+  latency_ms: number;
+}
+
 // Revision comparison
 export interface RevisionComparison {
   from: number;

web/src/components/settings/AdminModules.tsx

@@ -0,0 +1,180 @@
+import { useEffect, useState } from "react";
+import { get } from "../../api/client";
+import type {
+  ModuleInfo,
+  ModulesResponse,
+  AdminSettingsResponse,
+  UpdateSettingsResponse,
+} from "../../api/types";
+import { ModuleCard } from "./ModuleCard";
+
+const infraModules = ["core", "schemas", "database", "storage"];
+const featureModules = [
+  "auth",
+  "projects",
+  "audit",
+  "freecad",
+  "odoo",
+  "jobs",
+  "dag",
+];
+
+export function AdminModules() {
+  const [modules, setModules] = useState<Record<string, ModuleInfo> | null>(
+    null,
+  );
+  const [settings, setSettings] = useState<AdminSettingsResponse | null>(null);
+  const [loading, setLoading] = useState(true);
+  const [error, setError] = useState<string | null>(null);
+  const [restartRequired, setRestartRequired] = useState(false);
+
+  useEffect(() => {
+    Promise.all([
+      get<ModulesResponse>("/api/modules"),
+      get<AdminSettingsResponse>("/api/admin/settings"),
+    ])
+      .then(([modsResp, settingsResp]) => {
+        setModules(modsResp.modules);
+        setSettings(settingsResp);
+      })
+      .catch((e) =>
+        setError(e instanceof Error ? e.message : "Failed to load settings"),
+      )
+      .finally(() => setLoading(false));
+  }, []);
+
+  const handleSaved = (moduleId: string, result: UpdateSettingsResponse) => {
+    if (result.restart_required) setRestartRequired(true);
+    // Refresh the single module's settings
+    get<Record<string, unknown>>(`/api/admin/settings/${moduleId}`)
+      .then((updated) =>
+        setSettings((prev) => (prev ? { ...prev, [moduleId]: updated } : prev)),
+      )
+      .catch(() => {});
+  };
+
+  const handleToggled = (moduleId: string, enabled: boolean) => {
+    setModules((prev) => {
+      if (!prev || !prev[moduleId]) return prev;
+      const updated: Record<string, ModuleInfo> = {
+        ...prev,
+        [moduleId]: { ...prev[moduleId], enabled },
+      };
+      return updated;
+    });
+  };
+
+  if (loading) {
+    return (
+      <div style={sectionStyle}>
+        <h3 style={sectionTitleStyle}>Module Configuration</h3>
+        <p style={{ color: "var(--ctp-overlay0)" }}>Loading modules...</p>
+      </div>
+    );
+  }
+
+  if (error) {
+    return (
+      <div style={sectionStyle}>
+        <h3 style={sectionTitleStyle}>Module Configuration</h3>
+        <p style={{ color: "var(--ctp-red)", fontSize: "var(--font-body)" }}>
+          {error}
+        </p>
+      </div>
+    );
+  }
+
+  if (!modules || !settings) return null;
+
+  const renderGroup = (title: string, ids: string[]) => {
+    const available = ids.filter((id) => modules[id]);
+    if (available.length === 0) return null;
+    return (
+      <div style={{ marginBottom: "1.25rem" }}>
+        <div style={groupTitleStyle}>{title}</div>
+        {available.map((id) => {
+          const meta = modules[id];
+          if (!meta) return null;
+          return (
+            <ModuleCard
+              key={id}
+              moduleId={id}
+              meta={meta}
+              settings={settings[id] ?? {}}
+              allModules={modules}
+              onSaved={handleSaved}
+              onToggled={handleToggled}
+            />
+          );
+        })}
+      </div>
+    );
+  };
+
+  return (
+    <div style={sectionStyle}>
+      <h3 style={sectionTitleStyle}>Module Configuration</h3>
+
+      {restartRequired && (
+        <div style={restartBannerStyle}>
+          <span style={{ fontWeight: 600 }}>Restart required</span>
+          <span>Some changes require a server restart to take effect.</span>
+          <button
+            onClick={() => setRestartRequired(false)}
+            style={dismissBtnStyle}
+          >
+            Dismiss
+          </button>
+        </div>
+      )}
+
+      {renderGroup("Infrastructure", infraModules)}
+      {renderGroup("Features", featureModules)}
+    </div>
+  );
+}
+
+// --- Styles ---
+
+const sectionStyle: React.CSSProperties = {
+  marginTop: "0.5rem",
+};
+
+const sectionTitleStyle: React.CSSProperties = {
+  marginBottom: "1rem",
+  fontSize: "var(--font-title)",
+};
+
+const groupTitleStyle: React.CSSProperties = {
+  fontSize: "0.7rem",
+  fontWeight: 600,
+  textTransform: "uppercase",
+  letterSpacing: "0.08em",
+  color: "var(--ctp-overlay1)",
+  marginBottom: "0.5rem",
+};
+
+const restartBannerStyle: React.CSSProperties = {
+  display: "flex",
+  gap: "0.75rem",
+  alignItems: "center",
+  padding: "0.75rem 1rem",
+  marginBottom: "1rem",
+  borderRadius: "0.75rem",
+  background: "rgba(249, 226, 175, 0.1)",
+  border: "1px solid rgba(249, 226, 175, 0.3)",
+  color: "var(--ctp-yellow)",
+  fontSize: "var(--font-body)",
+};
+
+const dismissBtnStyle: React.CSSProperties = {
+  marginLeft: "auto",
+  padding: "0.25rem 0.5rem",
+  borderRadius: "0.25rem",
+  border: "none",
+  background: "rgba(249, 226, 175, 0.15)",
+  color: "var(--ctp-yellow)",
+  cursor: "pointer",
+  fontSize: "0.7rem",
+  fontWeight: 500,
+};

web/src/components/settings/ModuleCard.tsx

@@ -0,0 +1,655 @@
+import { useState } from "react";
+import { put, post } from "../../api/client";
+import type {
+  ModuleInfo,
+  UpdateSettingsResponse,
+  TestConnectivityResponse,
+} from "../../api/types";
+
+interface ModuleCardProps {
+  moduleId: string;
+  meta: ModuleInfo;
+  settings: Record<string, unknown>;
+  allModules: Record<string, ModuleInfo>;
+  onSaved: (moduleId: string, result: UpdateSettingsResponse) => void;
+  onToggled: (moduleId: string, enabled: boolean) => void;
+}
+
+const testableModules = new Set(["database", "storage"]);
+
+export function ModuleCard({
+  moduleId,
+  meta,
+  settings,
+  allModules,
+  onSaved,
+  onToggled,
+}: ModuleCardProps) {
+  const [expanded, setExpanded] = useState(false);
+  const [enabled, setEnabled] = useState(meta.enabled);
+  const [toggling, setToggling] = useState(false);
+  const [toggleError, setToggleError] = useState<string | null>(null);
+  const [saving, setSaving] = useState(false);
+  const [saveError, setSaveError] = useState<string | null>(null);
+  const [saveSuccess, setSaveSuccess] = useState(false);
+  const [testing, setTesting] = useState(false);
+  const [testResult, setTestResult] = useState<TestConnectivityResponse | null>(
+    null,
+  );
+  const [edits, setEdits] = useState<Record<string, unknown>>({});
+
+  const hasEdits = Object.keys(edits).length > 0;
+  const isTestable = testableModules.has(moduleId);
+  const hasFields = !["projects", "audit", "dag"].includes(moduleId);
+  const deps = meta.depends_on ?? [];
+  const status = settings.status as string | undefined;
+
+  const handleToggle = async () => {
+    const next = !enabled;
+    setToggling(true);
+    setToggleError(null);
+    try {
+      const result = await put<UpdateSettingsResponse>(
+        `/api/admin/settings/${moduleId}`,
+        { enabled: next },
+      );
+      setEnabled(next);
+      onToggled(moduleId, next);
+      onSaved(moduleId, result);
+    } catch (e) {
+      setToggleError(e instanceof Error ? e.message : "Toggle failed");
+    } finally {
+      setToggling(false);
+    }
+  };
+
+  const handleSave = async () => {
+    setSaving(true);
+    setSaveError(null);
+    setSaveSuccess(false);
+    try {
+      const result = await put<UpdateSettingsResponse>(
+        `/api/admin/settings/${moduleId}`,
+        edits,
+      );
+      setEdits({});
+      setSaveSuccess(true);
+      onSaved(moduleId, result);
+      setTimeout(() => setSaveSuccess(false), 3000);
+    } catch (e) {
+      setSaveError(e instanceof Error ? e.message : "Save failed");
+    } finally {
+      setSaving(false);
+    }
+  };
+
+  const handleTest = async () => {
+    setTesting(true);
+    setTestResult(null);
+    try {
+      const result = await post<TestConnectivityResponse>(
+        `/api/admin/settings/${moduleId}/test`,
+      );
+      setTestResult(result);
+    } catch (e) {
+      setTestResult({
+        success: false,
+        message: e instanceof Error ? e.message : "Test failed",
+        latency_ms: 0,
+      });
+    } finally {
+      setTesting(false);
+    }
+  };
+
+  const setField = (key: string, value: unknown) => {
+    setEdits((prev) => ({ ...prev, [key]: value }));
+    setSaveSuccess(false);
+  };
+
+  const getFieldValue = (key: string): unknown => {
+    if (key in edits) return edits[key];
+    return settings[key];
+  };
+
+  const statusBadge = () => {
+    if (!enabled && !meta.required)
+      return <span style={badgeStyles.disabled}>Disabled</span>;
+    if (status === "unavailable")
+      return <span style={badgeStyles.error}>Error</span>;
+    return <span style={badgeStyles.active}>Active</span>;
+  };
+
+  return (
+    <div style={cardStyle}>
+      {/* Header */}
+      <div
+        style={headerStyle}
+        onClick={() => hasFields && setExpanded(!expanded)}
+      >
+        <div style={{ display: "flex", alignItems: "center", gap: "0.75rem" }}>
+          {!meta.required && (
+            <button
+              onClick={(e) => {
+                e.stopPropagation();
+                handleToggle();
+              }}
+              disabled={toggling}
+              style={{
+                ...toggleBtnStyle,
+                backgroundColor: enabled
+                  ? "var(--ctp-green)"
+                  : "var(--ctp-surface2)",
+              }}
+              title={enabled ? "Disable module" : "Enable module"}
+            >
+              <span
+                style={{
+                  ...toggleKnobStyle,
+                  transform: enabled ? "translateX(14px)" : "translateX(0)",
+                }}
+              />
+            </button>
+          )}
+          <span style={{ fontWeight: 600, fontSize: "var(--font-title)" }}>
+            {meta.name}
+          </span>
+          {statusBadge()}
+        </div>
+        {hasFields && (
+          <span
+            style={{
+              color: "var(--ctp-overlay1)",
+              fontSize: "0.75rem",
+              transition: "transform 0.15s ease",
+              transform: expanded ? "rotate(180deg)" : "rotate(0)",
+              cursor: "pointer",
+              userSelect: "none",
+            }}
+          >
+            ▼
+          </span>
+        )}
+      </div>
+
+      {/* Toggle error */}
+      {toggleError && (
+        <div style={{ ...errorStyle, margin: "0.5rem 1.5rem 0" }}>
+          {toggleError}
+        </div>
+      )}
+
+      {/* Dependencies note */}
+      {deps.length > 0 && expanded && (
+        <div style={depNoteStyle}>
+          Requires:{" "}
+          {deps.map((d) => allModules[d]?.name ?? d).join(", ")}
+        </div>
+      )}
+
+      {/* Body */}
+      {expanded && hasFields && (
+        <div style={bodyStyle}>
+          {renderModuleFields(moduleId, settings, getFieldValue, setField)}
+
+          {/* Footer */}
+          <div style={footerStyle}>
+            <div style={{ display: "flex", gap: "0.5rem", alignItems: "center" }}>
+              {hasEdits && (
+                <button
+                  onClick={handleSave}
+                  disabled={saving}
+                  style={btnPrimaryStyle}
+                >
+                  {saving ? "Saving..." : "Save"}
+                </button>
+              )}
+              {isTestable && (
+                <button
+                  onClick={handleTest}
+                  disabled={testing}
+                  style={btnSecondaryStyle}
+                >
+                  {testing ? "Testing..." : "Test Connection"}
+                </button>
+              )}
+            </div>
+            <div style={{ display: "flex", alignItems: "center", gap: "0.5rem" }}>
+              {saveSuccess && (
+                <span style={{ color: "var(--ctp-green)", fontSize: "var(--font-body)" }}>
+                  Saved
+                </span>
+              )}
+              {saveError && (
+                <span style={{ color: "var(--ctp-red)", fontSize: "var(--font-body)" }}>
+                  {saveError}
+                </span>
+              )}
+            </div>
+          </div>
+
+          {/* Test result */}
+          {testResult && (
+            <div
+              style={{
+                ...testResultStyle,
+                borderColor: testResult.success
+                  ? "rgba(166, 227, 161, 0.3)"
+                  : "rgba(243, 139, 168, 0.3)",
+                background: testResult.success
+                  ? "rgba(166, 227, 161, 0.08)"
+                  : "rgba(243, 139, 168, 0.08)",
+              }}
+            >
+              <span
+                style={{
+                  color: testResult.success
+                    ? "var(--ctp-green)"
+                    : "var(--ctp-red)",
+                  fontWeight: 600,
+                }}
+              >
+                {testResult.success ? "OK" : "Failed"}
+              </span>
+              <span style={{ color: "var(--ctp-subtext0)", fontSize: "var(--font-body)" }}>
+                {testResult.message}
+              </span>
+              {testResult.latency_ms > 0 && (
+                <span style={{ color: "var(--ctp-overlay1)", fontSize: "var(--font-body)" }}>
+                  {testResult.latency_ms}ms
+                </span>
+              )}
+            </div>
+          )}
+        </div>
+      )}
+    </div>
+  );
+}
+
+// --- Field renderers per module ---
+
+function renderModuleFields(
+  moduleId: string,
+  settings: Record<string, unknown>,
+  getValue: (key: string) => unknown,
+  setValue: (key: string, value: unknown) => void,
+) {
+  switch (moduleId) {
+    case "core":
+      return (
+        <FieldGrid>
+          <ReadOnlyField label="Host" value={settings.host} />
+          <ReadOnlyField label="Port" value={settings.port} />
+          <ReadOnlyField label="Base URL" value={settings.base_url} />
+          <ReadOnlyField
+            label="Read Only"
+            value={settings.readonly ? "Yes" : "No"}
+          />
+        </FieldGrid>
+      );
+    case "schemas":
+      return (
+        <FieldGrid>
+          <ReadOnlyField label="Directory" value={settings.directory} />
+          <ReadOnlyField label="Default" value={settings.default} />
+          <ReadOnlyField label="Schema Count" value={settings.count} />
+        </FieldGrid>
+      );
+    case "database":
+      return (
+        <FieldGrid>
+          <ReadOnlyField label="Host" value={settings.host} />
+          <ReadOnlyField label="Port" value={settings.port} />
+          <ReadOnlyField label="Database" value={settings.name} />
+          <ReadOnlyField label="User" value={settings.user} />
+          <ReadOnlyField label="SSL Mode" value={settings.sslmode} />
+          <ReadOnlyField label="Max Connections" value={settings.max_connections} />
+        </FieldGrid>
+      );
+    case "storage":
+      return (
+        <FieldGrid>
+          <ReadOnlyField label="Endpoint" value={settings.endpoint} />
+          <ReadOnlyField label="Bucket" value={settings.bucket} />
+          <ReadOnlyField label="SSL" value={settings.use_ssl ? "Yes" : "No"} />
+          <ReadOnlyField label="Region" value={settings.region} />
+        </FieldGrid>
+      );
+    case "auth":
+      return renderAuthFields(settings);
+    case "freecad":
+      return (
+        <FieldGrid>
+          <EditableField
+            label="URI Scheme"
+            value={getValue("uri_scheme")}
+            onChange={(v) => setValue("uri_scheme", v)}
+          />
+          <EditableField
+            label="Executable"
+            value={getValue("executable")}
+            onChange={(v) => setValue("executable", v)}
+          />
+        </FieldGrid>
+      );
+    case "odoo":
+      return (
+        <FieldGrid>
+          <EditableField
+            label="URL"
+            value={getValue("url")}
+            onChange={(v) => setValue("url", v)}
+          />
+          <EditableField
+            label="Database"
+            value={getValue("database")}
+            onChange={(v) => setValue("database", v)}
+          />
+          <EditableField
+            label="Username"
+            value={getValue("username")}
+            onChange={(v) => setValue("username", v)}
+          />
+        </FieldGrid>
+      );
+    case "jobs":
+      return (
+        <FieldGrid>
+          <EditableField
+            label="Definitions Directory"
+            value={getValue("directory")}
+            onChange={(v) => setValue("directory", v)}
+          />
+          <EditableField
+            label="Runner Timeout (s)"
+            value={getValue("runner_timeout")}
+            onChange={(v) => setValue("runner_timeout", Number(v))}
+            type="number"
+          />
+          <EditableField
+            label="Timeout Check (s)"
+            value={getValue("job_timeout_check")}
+            onChange={(v) => setValue("job_timeout_check", Number(v))}
+            type="number"
+          />
+          <EditableField
+            label="Default Priority"
+            value={getValue("default_priority")}
+            onChange={(v) => setValue("default_priority", Number(v))}
+            type="number"
+          />
+        </FieldGrid>
+      );
+    default:
+      return null;
+  }
+}
+
+function renderAuthFields(settings: Record<string, unknown>) {
+  const local = (settings.local ?? {}) as Record<string, unknown>;
+  const ldap = (settings.ldap ?? {}) as Record<string, unknown>;
+  const oidc = (settings.oidc ?? {}) as Record<string, unknown>;
+
+  return (
+    <div style={{ display: "flex", flexDirection: "column", gap: "1rem" }}>
+      <SubSection title="Local Auth">
+        <FieldGrid>
+          <ReadOnlyField label="Enabled" value={local.enabled ? "Yes" : "No"} />
+          <ReadOnlyField label="Default Admin" value={local.default_admin_username} />
+        </FieldGrid>
+      </SubSection>
+      <SubSection title="LDAP / FreeIPA">
+        <FieldGrid>
+          <ReadOnlyField label="Enabled" value={ldap.enabled ? "Yes" : "No"} />
+          <ReadOnlyField label="URL" value={ldap.url} />
+          <ReadOnlyField label="Base DN" value={ldap.base_dn} />
+          <ReadOnlyField label="Bind DN" value={ldap.bind_dn} />
+        </FieldGrid>
+      </SubSection>
+      <SubSection title="OIDC / Keycloak">
+        <FieldGrid>
+          <ReadOnlyField label="Enabled" value={oidc.enabled ? "Yes" : "No"} />
+          <ReadOnlyField label="Issuer URL" value={oidc.issuer_url} />
+          <ReadOnlyField label="Client ID" value={oidc.client_id} />
+          <ReadOnlyField label="Redirect URL" value={oidc.redirect_url} />
+        </FieldGrid>
+      </SubSection>
+    </div>
+  );
+}
+
+// --- Shared field components ---
+
+function FieldGrid({ children }: { children: React.ReactNode }) {
+  return <div style={fieldGridStyle}>{children}</div>;
+}
+
+function SubSection({
+  title,
+  children,
+}: {
+  title: string;
+  children: React.ReactNode;
+}) {
+  return (
+    <div>
+      <div style={subSectionTitleStyle}>{title}</div>
+      {children}
+    </div>
+  );
+}
+
+function ReadOnlyField({
+  label,
+  value,
+}: {
+  label: string;
+  value: unknown;
+}) {
+  const display =
+    value === undefined || value === null || value === ""
+      ? "—"
+      : String(value);
+  return (
+    <div>
+      <div style={fieldLabelStyle}>{label}</div>
+      <div style={fieldValueStyle}>{display}</div>
+    </div>
+  );
+}
+
+function EditableField({
+  label,
+  value,
+  onChange,
+  type = "text",
+}: {
+  label: string;
+  value: unknown;
+  onChange: (v: string) => void;
+  type?: string;
+}) {
+  const strVal = value === undefined || value === null ? "" : String(value);
+  const isRedacted = strVal === "****";
+  return (
+    <div>
+      <div style={fieldLabelStyle}>{label}</div>
+      <input
+        type={type}
+        value={isRedacted ? "" : strVal}
+        onChange={(e) => onChange(e.target.value)}
+        placeholder={isRedacted ? "••••••••" : undefined}
+        className="silo-input"
+        style={fieldInputStyle}
+      />
+    </div>
+  );
+}
+
+// --- Styles ---
+
+const cardStyle: React.CSSProperties = {
+  backgroundColor: "var(--ctp-surface0)",
+  borderRadius: "0.75rem",
+  marginBottom: "0.75rem",
+  overflow: "hidden",
+};
+
+const headerStyle: React.CSSProperties = {
+  display: "flex",
+  alignItems: "center",
+  justifyContent: "space-between",
+  padding: "1rem 1.5rem",
+  cursor: "pointer",
+  userSelect: "none",
+};
+
+const bodyStyle: React.CSSProperties = {
+  padding: "0 1.5rem 1.25rem",
+};
+
+const footerStyle: React.CSSProperties = {
+  display: "flex",
+  justifyContent: "space-between",
+  alignItems: "center",
+  marginTop: "1rem",
+  paddingTop: "0.75rem",
+  borderTop: "1px solid var(--ctp-surface1)",
+};
+
+const toggleBtnStyle: React.CSSProperties = {
+  position: "relative",
+  width: 34,
+  height: 20,
+  borderRadius: 10,
+  border: "none",
+  cursor: "pointer",
+  padding: 0,
+  flexShrink: 0,
+  transition: "background-color 0.15s ease",
+};
+
+const toggleKnobStyle: React.CSSProperties = {
+  position: "absolute",
+  top: 3,
+  left: 3,
+  width: 14,
+  height: 14,
+  borderRadius: "50%",
+  backgroundColor: "var(--ctp-crust)",
+  transition: "transform 0.15s ease",
+};
+
+const badgeBase: React.CSSProperties = {
+  display: "inline-block",
+  padding: "0.15rem 0.5rem",
+  borderRadius: "1rem",
+  fontSize: "0.65rem",
+  fontWeight: 600,
+  textTransform: "uppercase",
+  letterSpacing: "0.05em",
+};
+
+const badgeStyles = {
+  active: {
+    ...badgeBase,
+    background: "rgba(166, 227, 161, 0.2)",
+    color: "var(--ctp-green)",
+  } as React.CSSProperties,
+  disabled: {
+    ...badgeBase,
+    background: "rgba(147, 153, 178, 0.15)",
+    color: "var(--ctp-overlay1)",
+  } as React.CSSProperties,
+  error: {
+    ...badgeBase,
+    background: "rgba(243, 139, 168, 0.2)",
+    color: "var(--ctp-red)",
+  } as React.CSSProperties,
+};
+
+const errorStyle: React.CSSProperties = {
+  color: "var(--ctp-red)",
+  fontSize: "var(--font-body)",
+};
+
+const depNoteStyle: React.CSSProperties = {
+  padding: "0 1.5rem",
+  color: "var(--ctp-overlay1)",
+  fontSize: "var(--font-body)",
+  fontStyle: "italic",
+};
+
+const fieldGridStyle: React.CSSProperties = {
+  display: "grid",
+  gridTemplateColumns: "1fr 1fr",
+  gap: "0.75rem 1.5rem",
+};
+
+const subSectionTitleStyle: React.CSSProperties = {
+  fontSize: "0.7rem",
+  fontWeight: 600,
+  textTransform: "uppercase",
+  letterSpacing: "0.05em",
+  color: "var(--ctp-overlay1)",
+  marginBottom: "0.5rem",
+  paddingBottom: "0.25rem",
+  borderBottom: "1px solid var(--ctp-surface1)",
+};
+
+const fieldLabelStyle: React.CSSProperties = {
+  color: "var(--ctp-subtext0)",
+  fontSize: "var(--font-body)",
+  fontWeight: 500,
+  marginBottom: "0.2rem",
+};
+
+const fieldValueStyle: React.CSSProperties = {
+  fontSize: "var(--font-body)",
+  color: "var(--ctp-text)",
+  fontFamily: "'JetBrains Mono', monospace",
+};
+
+const fieldInputStyle: React.CSSProperties = {
+  width: "100%",
+  padding: "0.4rem 0.6rem",
+  backgroundColor: "var(--ctp-base)",
+  border: "1px solid var(--ctp-surface1)",
+  borderRadius: "0.375rem",
+  color: "var(--ctp-text)",
+  fontSize: "var(--font-body)",
+  boxSizing: "border-box",
+};
+
+const btnPrimaryStyle: React.CSSProperties = {
+  padding: "0.4rem 0.75rem",
+  borderRadius: "0.25rem",
+  border: "none",
+  backgroundColor: "var(--ctp-mauve)",
+  color: "var(--ctp-crust)",
+  fontWeight: 500,
+  fontSize: "0.75rem",
+  cursor: "pointer",
+};
+
+const btnSecondaryStyle: React.CSSProperties = {
+  padding: "0.4rem 0.75rem",
+  borderRadius: "0.25rem",
+  border: "1px solid var(--ctp-surface2)",
+  backgroundColor: "transparent",
+  color: "var(--ctp-subtext1)",
+  fontWeight: 500,
+  fontSize: "0.75rem",
+  cursor: "pointer",
+};
+
+const testResultStyle: React.CSSProperties = {
+  display: "flex",
+  gap: "0.75rem",
+  alignItems: "center",
+  marginTop: "0.75rem",
+  padding: "0.5rem 0.75rem",
+  borderRadius: "0.5rem",
+  border: "1px solid",
+};

web/src/pages/SettingsPage.tsx

@@ -2,6 +2,7 @@ import { useEffect, useState, type FormEvent } from "react";
 import { get, post, del } from "../api/client";
 import { useAuth } from "../hooks/useAuth";
 import type { ApiToken, ApiTokenCreated } from "../api/types";
+import { AdminModules } from "../components/settings/AdminModules";
 
 export function SettingsPage() {
   const { user } = useAuth();
@@ -311,6 +312,9 @@ export function SettingsPage() {
           </div>
         )}
       </div>
+
+      {/* Admin: Module Configuration */}
+      {user?.role === "admin" && <AdminModules />}
     </div>
   );
 }