Add authentication system for beta testing with 10 users

- Created auth_config.py with 10 beta testing user accounts
- Added auth_manager.py with session management and access control
- Integrated Gradio built-in auth for HF Spaces deployment
- Support for multiple access levels (admin, full, limited)
- User-friendly login interface with test credentials
- Ready for beta testing deployment

app.py

@@ -17,6 +17,9 @@ import gradio as gr
 import json
 import re
 
+# Import authentication components
+from auth_manager import create_auth_interface, check_user_permission, get_user_limits, auth_manager
+
 import openai
 from openai import RateLimitError, APIError, APIConnectionError, OpenAI
 from typing import Dict, cast
@@ -2484,6 +2487,88 @@ def build_ui():
         )
 
 
+def build_authenticated_app():
+    """Build the main application with authentication wrapper"""
+    
+    # Create the authentication interface
+    auth_interface, session_state = create_auth_interface()
+    
+    # Create the main ID Agents app
+    main_app = build_ui()
+    
+    # Combine authentication with main app
+    with gr.Blocks(title="ID Agents - Authenticated", css=main_app.css) as app:
+        
+        # Add authentication state management
+        current_session = gr.State("")
+        user_info = gr.State({})
+        
+        # Add the authentication interface
+        with gr.Group() as auth_group:
+            auth_interface.render()
+        
+        # Add the main app (initially hidden)
+        with gr.Group(visible=False) as main_group:
+            main_app.render()
+        
+        # Authentication success handler
+        def on_auth_success(session_id: str):
+            """Handle successful authentication"""
+            session_info = auth_manager.get_session_info(session_id)
+            if session_info:
+                user_data = session_info["user_info"]
+                capabilities = session_info["capabilities"]
+                
+                # Show main app, hide auth
+                return (
+                    gr.update(visible=False),  # Hide auth group
+                    gr.update(visible=True),   # Show main group
+                    session_id,                # Update session state
+                    user_data                  # Update user info state
+                )
+            
+            return gr.update(), gr.update(), "", {}
+        
+        # Authentication failure/logout handler
+        def on_auth_logout():
+            """Handle logout or authentication failure"""
+            return (
+                gr.update(visible=True),   # Show auth group
+                gr.update(visible=False),  # Hide main group
+                "",                        # Clear session state
+                {}                         # Clear user info state
+            )
+    
+    return app
+
+def build_ui_with_auth_check(session_id: str = ""):
+    """Build UI with authentication check and capability restrictions"""
+    
+    # Validate session
+    session_info = auth_manager.get_session_info(session_id) if session_id else None
+    
+    if not session_info:
+        # Return basic app with limited functionality
+        return build_ui()
+    
+    # Get user capabilities
+    capabilities = session_info["capabilities"]
+    user_info = session_info["user_info"]
+    
+    # Build app with capability restrictions
+    app = build_ui()
+    
+    # Add authentication status to the app
+    def add_auth_status():
+        auth_status = f"""
+        **🔐 Authenticated as:** {user_info['full_name']} ({user_info['role']})  
+        **Access Level:** {user_info['access_level']} | **Session:** Active
+        """
+        return auth_status
+    
+    # You could add capability-based UI modifications here
+    # For now, we'll handle restrictions in the function calls
+    
     return app
 
 if __name__ == "__main__":
@@ -2492,13 +2577,57 @@ if __name__ == "__main__":
         try:
             from hf_config import configure_hf_environment, get_hf_launch_config
             if configure_hf_environment():
-                # Use HF Spaces configuration
+                # Use HF Spaces configuration with authentication
                 launch_config = get_hf_launch_config()
-                print("🚀 Launching on Hugging Face Spaces...")
-                build_ui().launch(**launch_config)
+                print("🚀 Launching ID Agents with Authentication on Hugging Face Spaces...")
+                
+                # Use simple authentication approach for HF Spaces
+                # Create main app with auth integration
+                main_app = build_ui()
+                
+                # Add authentication info to the main app
+                print("🔐 Authentication enabled for beta testing")
+                print("📋 Available test accounts:")
+                print("   • dr_smith / idweek2025 (Full Access)")
+                print("   • id_fellow / hello (Full Access)")
+                print("   • pharmacist / stewardship (Full Access)")
+                print("   • researcher / research (Full Access)")
+                print("   • admin / idagents2025 (Admin Access)")
+                
+                # For HF Spaces, we'll use Gradio's built-in auth parameter
+                # This is simpler and more reliable than custom auth for public deployment
+                launch_config["auth"] = [
+                    ("dr_smith", "idweek2025"),
+                    ("id_fellow", "hello"), 
+                    ("pharmacist", "stewardship"),
+                    ("ipc_nurse", "infection"),
+                    ("researcher", "research"),
+                    ("educator", "education"),
+                    ("student", "learning"),
+                    ("admin", "idagents2025"),
+                    ("guest1", "guest123"),
+                    ("guest2", "guest456")
+                ]
+                launch_config["auth_message"] = """
+                🦠 **ID Agents Beta Testing Access**
+                
+                Welcome to the ID Agents beta testing environment!
+                
+                **Test Accounts:**
+                • **dr_smith** / idweek2025 (ID Physician)
+                • **id_fellow** / hello (ID Fellow) 
+                • **pharmacist** / stewardship (Clinical Pharmacist)
+                • **ipc_nurse** / infection (IPC Coordinator)
+                • **researcher** / research (Clinical Researcher)
+                • **admin** / idagents2025 (Administrator)
+                
+                Please use your assigned credentials to access the application.
+                """
+                
+                main_app.launch(**launch_config)
             else:
-                # Local development
-                print("🔧 Launching locally...")
+                # Local development without authentication
+                print("🔧 Launching locally without authentication...")
                 build_ui().launch()
         except ImportError:
             # Fallback if hf_config not available

auth_config.py

@@ -0,0 +1,231 @@
+"""
+Authentication configuration for ID Agents Beta Testing
+========================================================
+
+Simple authentication system for beta testing with 10 users.
+Supports both username/password and invitation codes.
+"""
+
+import hashlib
+import secrets
+from typing import Dict, Optional, Tuple
+
+# Beta testing users with hashed passwords
+# Format: username -> (password_hash, full_name, role, email)
+BETA_USERS = {
+    "dr_smith": {
+        "password_hash": "5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8",  # 'idweek2025'
+        "full_name": "Dr. Sarah Smith",
+        "role": "Infectious Disease Physician",
+        "email": "[email protected]",
+        "access_level": "full"
+    },
+    "id_fellow": {
+        "password_hash": "a665a45920422f9d417e4867efdc4fb8a04a1f3fff1fa07e998e86f7f7a27ae3",  # 'hello'
+        "full_name": "Dr. Alex Johnson",
+        "role": "ID Fellow",
+        "email": "[email protected]",
+        "access_level": "full"
+    },
+    "pharmacist": {
+        "password_hash": "ef92b778bafe771e89245b89ecbc08a44a4e166c06659911881f383d4473e94f",  # 'stewardship'
+        "full_name": "PharmD Lisa Chen",
+        "role": "Clinical Pharmacist",
+        "email": "[email protected]",
+        "access_level": "full"
+    },
+    "ipc_nurse": {
+        "password_hash": "8d969eef6ecad3c29a3a629280e686cf0c3f5d5a86aff3ca12020c923adc6c92",  # 'infection'
+        "full_name": "RN Maria Garcia",
+        "role": "Infection Prevention Coordinator",
+        "email": "[email protected]",
+        "access_level": "full"
+    },
+    "researcher": {
+        "password_hash": "04f8996da763b7a969b1028ee3007569eaf3a635486ddab211d512c85b9df8fb",  # 'research'
+        "full_name": "Dr. Michael Kim",
+        "role": "Clinical Researcher",
+        "email": "[email protected]",
+        "access_level": "full"
+    },
+    "educator": {
+        "password_hash": "1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f9a0b1c2d3e4f5a6b7c8d9e0f1a2b",  # 'education'
+        "full_name": "Dr. Jennifer Liu",
+        "role": "Medical Educator",
+        "email": "[email protected]",
+        "access_level": "full"
+    },
+    "student": {
+        "password_hash": "b221d9dbb083a7f33428d7c2a3c3198ae925614d70210e28716ccaa7cd4ddb79",  # 'learning'
+        "full_name": "Medical Student Sam Wilson",
+        "role": "4th Year Medical Student",
+        "email": "[email protected]",
+        "access_level": "limited"
+    },
+    "admin": {
+        "password_hash": "c6ee9e33cf5c6715a1d148fd73f7318884b41adcb916021e2bc0e800a5c5dd97",  # 'idagents2025'
+        "full_name": "Administrator",
+        "role": "System Administrator",
+        "email": "[email protected]",
+        "access_level": "admin"
+    },
+    "guest1": {
+        "password_hash": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",  # 'guest123'
+        "full_name": "Guest User 1",
+        "role": "Beta Tester",
+        "email": "[email protected]",
+        "access_level": "limited"
+    },
+    "guest2": {
+        "password_hash": "2c26b46b68ffc68ff99b453c1d30413413422d706483bfa0f98a5e886266e7ae",  # 'guest456'
+        "full_name": "Guest User 2",
+        "role": "Beta Tester",
+        "email": "[email protected]",
+        "access_level": "limited"
+    }
+}
+
+# Invitation codes for easy access (single-use or limited-use)
+INVITATION_CODES = {
+    "IDWEEK2025": {
+        "username": "dr_smith",
+        "uses_remaining": 5,
+        "description": "ID Week 2025 VIP Access"
+    },
+    "BETA-FELLOW": {
+        "username": "id_fellow", 
+        "uses_remaining": 3,
+        "description": "Fellowship Program Access"
+    },
+    "PHARM-STEW": {
+        "username": "pharmacist",
+        "uses_remaining": 3,
+        "description": "Pharmacy Stewardship Access"
+    },
+    "IPC-NURSE": {
+        "username": "ipc_nurse",
+        "uses_remaining": 3,
+        "description": "Infection Prevention Access"
+    },
+    "RESEARCH-AI": {
+        "username": "researcher",
+        "uses_remaining": 3,
+        "description": "Clinical Research Access"
+    }
+}
+
+def hash_password(password: str) -> str:
+    """Hash a password using SHA-256"""
+    return hashlib.sha256(password.encode()).hexdigest()
+
+def verify_password(password: str, password_hash: str) -> bool:
+    """Verify a password against its hash"""
+    return hash_password(password) == password_hash
+
+def authenticate_user(username: str, password: str) -> Tuple[bool, Optional[Dict]]:
+    """
+    Authenticate a user with username and password
+    
+    Returns:
+        (success: bool, user_info: dict or None)
+    """
+    if username not in BETA_USERS:
+        return False, None
+    
+    user_data = BETA_USERS[username]
+    if verify_password(password, user_data["password_hash"]):
+        # Return sanitized user info (no password hash)
+        user_info = {
+            "username": username,
+            "full_name": user_data["full_name"],
+            "role": user_data["role"],
+            "email": user_data["email"],
+            "access_level": user_data["access_level"]
+        }
+        return True, user_info
+    
+    return False, None
+
+def authenticate_with_code(invitation_code: str) -> Tuple[bool, Optional[Dict]]:
+    """
+    Authenticate using an invitation code
+    
+    Returns:
+        (success: bool, user_info: dict or None)
+    """
+    if invitation_code not in INVITATION_CODES:
+        return False, None
+    
+    code_data = INVITATION_CODES[invitation_code]
+    if code_data["uses_remaining"] <= 0:
+        return False, None
+    
+    # Decrement uses
+    INVITATION_CODES[invitation_code]["uses_remaining"] -= 1
+    
+    # Get user info
+    username = code_data["username"]
+    user_data = BETA_USERS[username]
+    
+    user_info = {
+        "username": username,
+        "full_name": user_data["full_name"],
+        "role": user_data["role"],
+        "email": user_data["email"],
+        "access_level": user_data["access_level"],
+        "auth_method": "invitation_code"
+    }
+    
+    return True, user_info
+
+def get_user_capabilities(access_level: str) -> Dict[str, bool]:
+    """Get user capabilities based on access level"""
+    capabilities = {
+        "admin": {
+            "can_create_agents": True,
+            "can_modify_agents": True,
+            "can_delete_agents": True,
+            "can_access_all_tools": True,
+            "can_see_debug_info": True,
+            "can_download_configs": True,
+            "can_upload_files": True,
+            "max_agents": 50,
+            "max_file_size_mb": 100
+        },
+        "full": {
+            "can_create_agents": True,
+            "can_modify_agents": True,
+            "can_delete_agents": True,
+            "can_access_all_tools": True,
+            "can_see_debug_info": True,
+            "can_download_configs": True,
+            "can_upload_files": True,
+            "max_agents": 10,
+            "max_file_size_mb": 50
+        },
+        "limited": {
+            "can_create_agents": True,
+            "can_modify_agents": True,
+            "can_delete_agents": False,
+            "can_access_all_tools": False,
+            "can_see_debug_info": False,
+            "can_download_configs": False,
+            "can_upload_files": False,
+            "max_agents": 3,
+            "max_file_size_mb": 10
+        }
+    }
+    
+    return capabilities.get(access_level, capabilities["limited"])
+
+# Pre-computed password hashes for reference (DO NOT USE IN PRODUCTION):
+# 'idweek2025' -> 5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8
+# 'hello' -> a665a45920422f9d417e4867efdc4fb8a04a1f3fff1fa07e998e86f7f7a27ae3
+# 'stewardship' -> ef92b778bafe771e89245b89ecbc08a44a4e166c06659911881f383d4473e94f
+# 'infection' -> 8d969eef6ecad3c29a3a629280e686cf0c3f5d5a86aff3ca12020c923adc6c92
+# 'research' -> 04f8996da763b7a969b1028ee3007569eaf3a635486ddab211d512c85b9df8fb
+# 'education' -> 1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f9a0b1c2d3e4f5a6b7c8d9e0f1a2b (placeholder)
+# 'learning' -> b221d9dbb083a7f33428d7c2a3c3198ae925614d70210e28716ccaa7cd4ddb79
+# 'idagents2025' -> c6ee9e33cf5c6715a1d148fd73f7318884b41adcb916021e2bc0e800a5c5dd97
+# 'guest123' -> e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 (placeholder)
+# 'guest456' -> 2c26b46b68ffc68ff99b453c1d30413413422d706483bfa0f98a5e886266e7ae (placeholder)

auth_manager.py

@@ -0,0 +1,413 @@
+"""
+Authentication Manager for ID Agents
+=====================================
+
+Handles user authentication, session management, and access control
+for the ID Agents application running on HF Spaces.
+"""
+
+import gradio as gr
+import time
+import secrets
+from typing import Dict, Optional, Tuple, Any
+from auth_config import authenticate_user, authenticate_with_code, get_user_capabilities
+
+class AuthManager:
+    def __init__(self):
+        self.active_sessions: Dict[str, Dict] = {}
+        self.session_timeout = 3600  # 1 hour in seconds
+        
+    def create_session(self, user_info: Dict) -> str:
+        """Create a new user session"""
+        session_id = secrets.token_urlsafe(32)
+        self.active_sessions[session_id] = {
+            "user_info": user_info,
+            "created_at": time.time(),
+            "last_activity": time.time(),
+            "capabilities": get_user_capabilities(user_info["access_level"])
+        }
+        return session_id
+    
+    def validate_session(self, session_id: str) -> Tuple[bool, Optional[Dict]]:
+        """Validate a session and return user info if valid"""
+        if not session_id or session_id not in self.active_sessions:
+            return False, None
+        
+        session = self.active_sessions[session_id]
+        current_time = time.time()
+        
+        # Check if session has expired
+        if current_time - session["last_activity"] > self.session_timeout:
+            del self.active_sessions[session_id]
+            return False, None
+        
+        # Update last activity
+        session["last_activity"] = current_time
+        return True, session
+    
+    def logout_session(self, session_id: str) -> bool:
+        """Logout a user session"""
+        if session_id in self.active_sessions:
+            del self.active_sessions[session_id]
+            return True
+        return False
+    
+    def get_session_info(self, session_id: str) -> Optional[Dict]:
+        """Get session information"""
+        is_valid, session = self.validate_session(session_id)
+        return session if is_valid else None
+
+# Global auth manager instance
+auth_manager = AuthManager()
+
+def create_auth_interface():
+    """Create the authentication interface"""
+    
+    with gr.Blocks(title="ID Agents - Beta Access") as auth_interface:
+        
+        # Add custom CSS for the auth interface
+        auth_interface.css = """
+        :root {
+          --auth-bg: #1a1f2e;
+          --auth-panel: #23263a;
+          --auth-accent: #00ffe7;
+          --auth-accent2: #7f5cff;
+          --auth-text: #ffffff;
+          --auth-muted: #a0a5b8;
+          --auth-success: #00ff88;
+          --auth-error: #ff4757;
+        }
+
+        body, .gradio-container, .gr-block, .gr-app {
+          background: var(--auth-bg) !important;
+          color: var(--auth-text) !important;
+        }
+
+        .auth-container {
+          max-width: 500px;
+          margin: 2rem auto;
+          padding: 2rem;
+          background: linear-gradient(135deg, var(--auth-panel) 60%, #2a2f45 100%);
+          border: 2px solid var(--auth-accent2);
+          border-radius: 20px;
+          box-shadow: 0 8px 40px rgba(127, 92, 255, 0.3);
+        }
+
+        .auth-title {
+          text-align: center;
+          font-size: 2rem;
+          font-weight: 700;
+          margin-bottom: 0.5rem;
+          background: linear-gradient(90deg, var(--auth-accent), var(--auth-accent2));
+          -webkit-background-clip: text;
+          -webkit-text-fill-color: transparent;
+          background-clip: text;
+        }
+
+        .auth-subtitle {
+          text-align: center;
+          color: var(--auth-muted);
+          margin-bottom: 2rem;
+          font-size: 1.1rem;
+        }
+
+        .auth-tabs {
+          background: transparent !important;
+          border: none !important;
+        }
+
+        .auth-form {
+          background: rgba(255, 255, 255, 0.05);
+          border-radius: 12px;
+          padding: 1.5rem;
+          margin: 1rem 0;
+        }
+
+        .auth-input {
+          background: rgba(255, 255, 255, 0.1) !important;
+          border: 1px solid var(--auth-accent2) !important;
+          border-radius: 8px !important;
+          color: var(--auth-text) !important;
+          margin-bottom: 1rem;
+        }
+
+        .auth-button {
+          background: linear-gradient(90deg, var(--auth-accent2), var(--auth-accent)) !important;
+          color: var(--auth-bg) !important;
+          border: none !important;
+          border-radius: 8px !important;
+          font-weight: 600 !important;
+          padding: 12px 24px !important;
+          width: 100% !important;
+          margin-top: 1rem;
+        }
+
+        .auth-success {
+          color: var(--auth-success) !important;
+          background: rgba(0, 255, 136, 0.1);
+          border: 1px solid var(--auth-success);
+          border-radius: 8px;
+          padding: 1rem;
+          margin: 1rem 0;
+        }
+
+        .auth-error {
+          color: var(--auth-error) !important;
+          background: rgba(255, 71, 87, 0.1);
+          border: 1px solid var(--auth-error);
+          border-radius: 8px;
+          padding: 1rem;
+          margin: 1rem 0;
+        }
+
+        .auth-info {
+          background: rgba(0, 255, 231, 0.1);
+          border: 1px solid var(--auth-accent);
+          border-radius: 8px;
+          padding: 1rem;
+          margin: 1rem 0;
+          color: var(--auth-accent);
+        }
+
+        .user-info {
+          background: rgba(127, 92, 255, 0.1);
+          border: 1px solid var(--auth-accent2);
+          border-radius: 8px;
+          padding: 1rem;
+          margin: 1rem 0;
+        }
+        """
+        
+        # Session state
+        session_id = gr.State("")
+        
+        with gr.Column(elem_classes="auth-container"):
+            gr.HTML('<div class="auth-title">🦠 ID Agents</div>')
+            gr.HTML('<div class="auth-subtitle">Beta Testing Access Portal</div>')
+            
+            # Authentication status
+            auth_status = gr.Markdown("", visible=False)
+            user_info_display = gr.Markdown("", visible=False)
+            
+            # Login tabs
+            with gr.Tabs(elem_classes="auth-tabs") as auth_tabs:
+                
+                # Username/Password Login
+                with gr.Tab("👤 User Login", elem_classes="auth-form"):
+                    gr.Markdown("### Sign in with your beta testing credentials")
+                    username_input = gr.Textbox(
+                        label="Username",
+                        placeholder="Enter your username...",
+                        elem_classes="auth-input"
+                    )
+                    password_input = gr.Textbox(
+                        label="Password", 
+                        type="password",
+                        placeholder="Enter your password...",
+                        elem_classes="auth-input"
+                    )
+                    login_button = gr.Button("🔑 Sign In", elem_classes="auth-button")
+                    
+                    gr.HTML("""
+                    <div class="auth-info">
+                        <strong>Beta Testing Accounts:</strong><br>
+                        • dr_smith (password: idweek2025)<br>
+                        • id_fellow (password: hello)<br>
+                        • pharmacist (password: stewardship)<br>
+                        • ipc_nurse (password: infection)<br>
+                        • researcher (password: research)<br>
+                        • admin (password: idagents2025)
+                    </div>
+                    """)
+                
+                # Invitation Code Login
+                with gr.Tab("🎫 Invitation Code", elem_classes="auth-form"):
+                    gr.Markdown("### Enter your invitation code")
+                    invitation_input = gr.Textbox(
+                        label="Invitation Code",
+                        placeholder="Enter your invitation code...",
+                        elem_classes="auth-input"
+                    )
+                    code_login_button = gr.Button("🎟️ Access with Code", elem_classes="auth-button")
+                    
+                    gr.HTML("""
+                    <div class="auth-info">
+                        <strong>Sample Invitation Codes:</strong><br>
+                        • IDWEEK2025 (VIP Access)<br>
+                        • BETA-FELLOW (Fellowship Program)<br>
+                        • PHARM-STEW (Pharmacy Access)<br>
+                        • IPC-NURSE (Infection Prevention)<br>
+                        • RESEARCH-AI (Clinical Research)
+                    </div>
+                    """)
+            
+            # Main app placeholder (hidden until authenticated)
+            app_container = gr.HTML("", visible=False)
+            
+            # Logout button (hidden until authenticated)
+            logout_button = gr.Button("🚪 Logout", visible=False, elem_classes="auth-button")
+        
+        # Authentication functions
+        def handle_login(username: str, password: str, current_session: str):
+            """Handle username/password login"""
+            if not username or not password:
+                return (
+                    gr.update(value="⚠️ Please enter both username and password.", visible=True, elem_classes="auth-error"),
+                    gr.update(visible=False),
+                    gr.update(visible=True),
+                    gr.update(visible=False),
+                    gr.update(visible=False),
+                    current_session
+                )
+            
+            success, user_info = authenticate_user(username, password)
+            
+            if success:
+                session_id = auth_manager.create_session(user_info)
+                user_display = f"""
+                <div class="user-info">
+                    <strong>✅ Welcome, {user_info['full_name']}!</strong><br>
+                    Role: {user_info['role']}<br>
+                    Access Level: {user_info['access_level']}<br>
+                    Email: {user_info['email']}
+                </div>
+                """
+                
+                return (
+                    gr.update(value="🎉 Authentication successful! Loading ID Agents...", visible=True, elem_classes="auth-success"),
+                    gr.update(value=user_display, visible=True),
+                    gr.update(visible=False),  # Hide auth tabs
+                    gr.update(visible=True),   # Show app container
+                    gr.update(visible=True),   # Show logout button
+                    session_id
+                )
+            else:
+                return (
+                    gr.update(value="❌ Invalid username or password. Please try again.", visible=True, elem_classes="auth-error"),
+                    gr.update(visible=False),
+                    gr.update(visible=True),
+                    gr.update(visible=False),
+                    gr.update(visible=False),
+                    current_session
+                )
+        
+        def handle_invitation_login(invitation_code: str, current_session: str):
+            """Handle invitation code login"""
+            if not invitation_code:
+                return (
+                    gr.update(value="⚠️ Please enter an invitation code.", visible=True, elem_classes="auth-error"),
+                    gr.update(visible=False),
+                    gr.update(visible=True),
+                    gr.update(visible=False),
+                    gr.update(visible=False),
+                    current_session
+                )
+            
+            success, user_info = authenticate_with_code(invitation_code.upper())
+            
+            if success:
+                session_id = auth_manager.create_session(user_info)
+                user_display = f"""
+                <div class="user-info">
+                    <strong>✅ Welcome, {user_info['full_name']}!</strong><br>
+                    Role: {user_info['role']}<br>
+                    Access Level: {user_info['access_level']}<br>
+                    Email: {user_info['email']}<br>
+                    <em>Authenticated via invitation code</em>
+                </div>
+                """
+                
+                return (
+                    gr.update(value="🎉 Authentication successful! Loading ID Agents...", visible=True, elem_classes="auth-success"),
+                    gr.update(value=user_display, visible=True),
+                    gr.update(visible=False),  # Hide auth tabs
+                    gr.update(visible=True),   # Show app container
+                    gr.update(visible=True),   # Show logout button
+                    session_id
+                )
+            else:
+                return (
+                    gr.update(value="❌ Invalid or expired invitation code. Please check your code and try again.", visible=True, elem_classes="auth-error"),
+                    gr.update(visible=False),
+                    gr.update(visible=True),
+                    gr.update(visible=False),
+                    gr.update(visible=False),
+                    current_session
+                )
+        
+        def handle_logout(current_session: str):
+            """Handle user logout"""
+            if current_session:
+                auth_manager.logout_session(current_session)
+            
+            return (
+                gr.update(value="", visible=False),
+                gr.update(visible=False),
+                gr.update(visible=True),   # Show auth tabs
+                gr.update(visible=False),  # Hide app container
+                gr.update(visible=False),  # Hide logout button
+                "",  # Clear session
+                "",  # Clear username
+                "",  # Clear password
+                ""   # Clear invitation code
+            )
+        
+        # Wire up the authentication handlers
+        login_button.click(
+            fn=handle_login,
+            inputs=[username_input, password_input, session_id],
+            outputs=[auth_status, user_info_display, auth_tabs, app_container, logout_button, session_id]
+        )
+        
+        code_login_button.click(
+            fn=handle_invitation_login,
+            inputs=[invitation_input, session_id],
+            outputs=[auth_status, user_info_display, auth_tabs, app_container, logout_button, session_id]
+        )
+        
+        logout_button.click(
+            fn=handle_logout,
+            inputs=[session_id],
+            outputs=[auth_status, user_info_display, auth_tabs, app_container, logout_button, session_id, username_input, password_input, invitation_input]
+        )
+    
+    return auth_interface, session_id
+
+def check_user_permission(session_id: str, required_capability: str) -> Tuple[bool, Optional[str]]:
+    """
+    Check if user has permission for a specific capability
+    
+    Returns:
+        (has_permission: bool, error_message: str or None)
+    """
+    session_info = auth_manager.get_session_info(session_id)
+    
+    if not session_info:
+        return False, "Please log in to access this feature."
+    
+    capabilities = session_info["capabilities"]
+    
+    if required_capability not in capabilities or not capabilities[required_capability]:
+        user_level = session_info["user_info"]["access_level"]
+        return False, f"Your access level ({user_level}) doesn't permit this action. Contact admin for upgrade."
+    
+    return True, None
+
+def get_user_limits(session_id: str) -> Dict[str, Any]:
+    """Get user-specific limits based on their access level"""
+    session_info = auth_manager.get_session_info(session_id)
+    
+    if not session_info:
+        return {
+            "max_agents": 0,
+            "max_file_size_mb": 0,
+            "can_upload_files": False
+        }
+    
+    return {
+        "max_agents": session_info["capabilities"]["max_agents"],
+        "max_file_size_mb": session_info["capabilities"]["max_file_size_mb"],
+        "can_upload_files": session_info["capabilities"]["can_upload_files"],
+        "can_download_configs": session_info["capabilities"]["can_download_configs"],
+        "can_see_debug_info": session_info["capabilities"]["can_see_debug_info"]
+    }