# Task 016 — Settings & Administration

**Status:** done  
**Phase:** 2 / 10  
**Depends on:** Task 003 (auth), Task 004 (models)

## Objective

Centralize platform administration: users, roles, permissions, mailboxes, AI settings (keys come from environment variables only), system branding, and import tuning.

## Delivered

- `src/lib/permissions.ts` — roles and `hasPermission` / `hasRole` / `canAccessSettings`
- `src/lib/api-auth.ts` — `requireAdminApiSession()`
- `src/lib/secret-crypto.ts` — mailbox password encryption
- `SystemSetting` model + `settings.service.ts`
- `settings-user.service.ts`, `mailbox-settings.service.ts`
- Admin APIs under `/api/settings/**`
- UI `/settings` + subpages (users, mailboxes, ai, system, imports)
- Sidebar Settings link is admin-only
- `resolveAIProvider()` respects DB AI overrides
- `mailboxId` on Campaign and EmailMessage models

## Acceptance criteria

- [x] `npm run lint` succeeds
- [x] `npm run build` succeeds
- [x] `/settings` exists with hub and subpages
- [x] Users management (CRUD, activate, reset password)
- [x] Roles: admin, manager, sales, marketing, viewer
- [x] Permissions helpers
- [x] Mailbox management (multi-mailbox, verify, default)
- [x] AI settings page (no keys in DB, test classify)
- [x] System and import settings persist
- [x] Admin-only API and UI protection
- [x] Documentation updated

## Documentation updates required

- [x] `docs/01-architecture.md`
- [x] `docs/02-database-schema.md`
- [x] `docs/03-api-specification.md`
- [x] `docs/04-ui-pages.md`
- [x] `docs/10-environment-variables.md`
- [x] `docs/11-security.md`
- [x] `docs/14-roadmap.md`
- [x] `docs/16-changelog.md`
- [x] `docs/18-settings-administration.md` (new)
- [x] `tasks/README.md`

## Next

Task 017 — Production Readiness (`task-023-production-readiness.md`)
