From 347bbe0543d80694693563c95619548838321730 Mon Sep 17 00:00:00 2001
From: win gutmann <winthropgutmann@gmail.com>
Date: Sun, 1 Feb 2026 20:37:43 -0500
Subject: [PATCH] =?UTF-8?q?feat(plugin):=20complete=20SimHub=20POC=20?=
 =?UTF-8?q?=E2=80=94=20PKCE=20auth,=20minimal=20UI,=20E2E=20docs?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- API: GET /api/auth/config for Discord client ID (PKCE)
- Plugin: PkceHelper, browser PKCE flow, WinPodiumsSettingsControl (WPF)
- PluginMain: IWPFSettingsV2, AuthenticateWithBrowserAsync
- Docs: manual E2E steps in development.md, next-steps link
---
 apps/api/src/index.ts                         |   8 ++
 .../WinPodiums.Plugin/Auth/PkceHelper.cs      |  49 ++++++++
 .../WinPodiums.Plugin/Core/PluginMain.cs      | 110 +++++++++++++++++-
 .../WinPodiums.Plugin/Services/ApiClient.cs   |  62 +++++++++-
 .../UI/WinPodiumsSettingsControl.xaml         |  26 +++++
 .../UI/WinPodiumsSettingsControl.xaml.cs      |  87 ++++++++++++++
 .../WinPodiums.Plugin.csproj                  |   1 +
 docs/architecture/next-steps.md               |   2 +-
 docs/guides/development.md                    |  19 +++
 package-lock.json                             |   2 +-
 10 files changed, 360 insertions(+), 6 deletions(-)
 create mode 100644 apps/plugin/WinPodiums.Plugin/Auth/PkceHelper.cs
 create mode 100644 apps/plugin/WinPodiums.Plugin/UI/WinPodiumsSettingsControl.xaml
 create mode 100644 apps/plugin/WinPodiums.Plugin/UI/WinPodiumsSettingsControl.xaml.cs

diff --git a/apps/api/src/index.ts b/apps/api/src/index.ts
index a1fb09a..3fe16de 100644
--- a/apps/api/src/index.ts
+++ b/apps/api/src/index.ts
@@ -213,6 +213,14 @@ export default {
     if (path.startsWith("/api/")) {
       const rest = path.slice(5).replace(/\/$/, "");
 
+      // GET /api/auth/config — public config for plugin (Discord client ID for PKCE authorize URL)
+      if (method === "GET" && rest === "auth/config") {
+        return jsonResponse({
+          success: true,
+          data: { discordClientId: env.DISCORD_CLIENT_ID ?? "" },
+        });
+      }
+
       // POST /api/auth/discord/callback — server-side web callback (if frontend posts code)
       if (method === "POST" && rest === "auth/discord/callback") {
         let body: { code?: string; state?: string; redirect_uri?: string };
diff --git a/apps/plugin/WinPodiums.Plugin/Auth/PkceHelper.cs b/apps/plugin/WinPodiums.Plugin/Auth/PkceHelper.cs
new file mode 100644
index 0000000..7483454
--- /dev/null
+++ b/apps/plugin/WinPodiums.Plugin/Auth/PkceHelper.cs
@@ -0,0 +1,49 @@
+using System;
+using System.Security.Cryptography;
+using System.Text;
+
+namespace WinPodiums.Plugin.Auth
+{
+    /// <summary>
+    /// PKCE code verifier and code challenge (S256) for Discord OAuth2.
+    /// See TP-SPOC-002 and docs/design/integrations/discord-integration.md.
+    /// </summary>
+    public static class PkceHelper
+    {
+        /// <summary>Generate a cryptographically random code verifier (43–128 chars, base64url).</summary>
+        public static string GenerateVerifier()
+        {
+            var bytes = new byte[32];
+            using (var rng = RandomNumberGenerator.Create())
+                rng.GetBytes(bytes);
+            return Base64UrlEncode(bytes);
+        }
+
+        /// <summary>Compute code challenge = base64url(SHA256(utf8(verifier))). Method S256.</summary>
+        public static string GenerateChallenge(string codeVerifier)
+        {
+            if (string.IsNullOrEmpty(codeVerifier))
+                throw new ArgumentNullException(nameof(codeVerifier));
+            var bytes = Encoding.UTF8.GetBytes(codeVerifier);
+            byte[] hash;
+            using (var sha = SHA256.Create())
+                hash = sha.ComputeHash(bytes);
+            return Base64UrlEncode(hash);
+        }
+
+        /// <summary>Generate a random state string for OAuth2 CSRF protection.</summary>
+        public static string GenerateState()
+        {
+            var bytes = new byte[16];
+            using (var rng = RandomNumberGenerator.Create())
+                rng.GetBytes(bytes);
+            return Base64UrlEncode(bytes);
+        }
+
+        private static string Base64UrlEncode(byte[] bytes)
+        {
+            var base64 = Convert.ToBase64String(bytes);
+            return base64.TrimEnd('=').Replace('+', '-').Replace('/', '_');
+        }
+    }
+}
diff --git a/apps/plugin/WinPodiums.Plugin/Core/PluginMain.cs b/apps/plugin/WinPodiums.Plugin/Core/PluginMain.cs
index 2491d90..dbd5c96 100644
--- a/apps/plugin/WinPodiums.Plugin/Core/PluginMain.cs
+++ b/apps/plugin/WinPodiums.Plugin/Core/PluginMain.cs
@@ -1,21 +1,25 @@
 using System;
+using System.Diagnostics;
+using System.Net;
 using System.Threading.Tasks;
+using System.Windows.Controls;
 using System.Windows.Media;
 using GameReaderCommon;
 using SimHub.Plugins;
 using WinPodiums.Plugin.Auth;
 using WinPodiums.Plugin.Services;
+using WinPodiums.Plugin.UI;
 
 namespace WinPodiums.Plugin.Core
 {
     /// <summary>
-    /// SimHub plugin entry point. Phase 1: manual token auth + one heartbeat API call.
+    /// SimHub plugin entry point. Phase 1: browser PKCE primary; manual token debug-only; one heartbeat API call.
     /// Implements IPlugin and IDataPlugin so SimHub loads the DLL. See docs/design/components/simhub-plugin.md.
     /// </summary>
     [PluginName("WinPodiums")]
     [PluginDescription("WinPodiums telemetry verification and podium submission.")]
     [PluginAuthor("WinPodiums")]
-    public class PluginMain : IPlugin, IDataPlugin
+    public class PluginMain : IPlugin, IDataPlugin, IWPFSettingsV2
     {
         private ApiClient? _apiClient;
         private string _apiBaseUrl = "https://winpodiums.com";
@@ -82,7 +86,99 @@ public string? DiscordId
         }
 
         /// <summary>
-        /// Authenticate using a one-time token from the website (manual flow).
+        /// Authenticate using browser-launched Discord OAuth (PKCE). Primary auth per PRD-001.
+        /// Opens browser; user signs in with Discord; callback returns to plugin; tokens stored with DPAPI.
+        /// </summary>
+        /// <returns>True if auth succeeded and tokens were stored.</returns>
+        public async Task<bool> AuthenticateWithBrowserAsync()
+        {
+            if (_apiClient == null)
+                return false;
+
+            const int callbackPort = 54321;
+            var redirectUri = $"http://127.0.0.1:{callbackPort}/callback";
+
+            AuthConfigResult config;
+            try
+            {
+                config = await _apiClient.GetAuthConfigAsync();
+            }
+            catch
+            {
+                return false;
+            }
+
+            if (string.IsNullOrEmpty(config.DiscordClientId))
+                return false;
+
+            var state = PkceHelper.GenerateState();
+            var codeVerifier = PkceHelper.GenerateVerifier();
+            var codeChallenge = PkceHelper.GenerateChallenge(codeVerifier);
+
+            var authUrl =
+                "https://discord.com/api/oauth2/authorize?" +
+                $"client_id={Uri.EscapeDataString(config.DiscordClientId)}" +
+                $"&redirect_uri={Uri.EscapeDataString(redirectUri)}" +
+                "&response_type=code" +
+                "&scope=identify" +
+                $"&state={Uri.EscapeDataString(state)}" +
+                $"&code_challenge={Uri.EscapeDataString(codeChallenge)}" +
+                "&code_challenge_method=S256";
+
+            var listener = new HttpListener();
+            listener.Prefixes.Add($"http://127.0.0.1:{callbackPort}/callback/");
+            listener.Start();
+
+            try
+            {
+                Process.Start(new ProcessStartInfo(authUrl) { UseShellExecute = true });
+
+                var getContextTask = listener.GetContextAsync();
+                var delayTask = Task.Delay(TimeSpan.FromMinutes(5));
+                var completed = await Task.WhenAny(getContextTask, delayTask).ConfigureAwait(false);
+
+                if (completed == delayTask)
+                {
+                    listener.Stop();
+                    return false;
+                }
+
+                var context = await getContextTask.ConfigureAwait(false);
+                var query = context.Request.QueryString;
+                var receivedState = query["state"];
+                var code = query["code"];
+
+                var responseHtml = "<!DOCTYPE html><html><head><meta charset=\"utf-8\"/><title>WinPodiums</title></head><body><p>Success, you can close this window.</p></body></html>";
+                var responseBytes = System.Text.Encoding.UTF8.GetBytes(responseHtml);
+                context.Response.ContentType = "text/html; charset=utf-8";
+                context.Response.ContentLength64 = responseBytes.Length;
+                await context.Response.OutputStream.WriteAsync(responseBytes, 0, responseBytes.Length).ConfigureAwait(false);
+                context.Response.OutputStream.Close();
+
+                if (receivedState != state || string.IsNullOrEmpty(code))
+                {
+                    listener.Stop();
+                    return false;
+                }
+
+                listener.Stop();
+
+                var result = await _apiClient.DiscordExchangeAsync(code, codeVerifier, redirectUri).ConfigureAwait(false);
+                if (string.IsNullOrEmpty(result.AccessToken) || string.IsNullOrEmpty(result.DiscordId))
+                    return false;
+
+                TokenStorage.Save(result.AccessToken!, result.DiscordId!);
+                return true;
+            }
+            catch
+            {
+                try { listener.Stop(); } catch { }
+                return false;
+            }
+        }
+
+        /// <summary>
+        /// Authenticate using a one-time token from the website (manual flow). Debug only, feature-flagged.
         /// Call after user pastes token from https://winpodiums.com/auth/token.
         /// </summary>
         /// <param name="tokenCode">The 8-character token from the website.</param>
@@ -133,5 +229,13 @@ public void Logout()
         {
             TokenStorage.Clear();
         }
+
+        /// <summary>
+        /// Return the WPF settings control for SimHub (Link to Discord, Send heartbeat, status). TP-SPOC-004.
+        /// </summary>
+        public Control GetWPFSettingsControl(PluginManager pluginManager)
+        {
+            return new WinPodiumsSettingsControl(this);
+        }
     }
 }
diff --git a/apps/plugin/WinPodiums.Plugin/Services/ApiClient.cs b/apps/plugin/WinPodiums.Plugin/Services/ApiClient.cs
index 8845e6f..84db611 100644
--- a/apps/plugin/WinPodiums.Plugin/Services/ApiClient.cs
+++ b/apps/plugin/WinPodiums.Plugin/Services/ApiClient.cs
@@ -24,7 +24,62 @@ public ApiClient(string baseUrl = "https://winpodiums.com")
         }
 
         /// <summary>
-        /// Exchange a one-time manual token for Discord ID and access token.
+        /// Get public auth config (e.g. Discord client ID for PKCE authorize URL). No auth required.
+        /// </summary>
+        public async Task<AuthConfigResult> GetAuthConfigAsync()
+        {
+            var url = $"{_baseUrl}/api/auth/config";
+            var res = await _http.GetAsync(url);
+            var json = await res.Content.ReadAsStringAsync();
+            if (!res.IsSuccessStatusCode)
+            {
+                var err = TryParseError(json);
+                throw new ApiException(err ?? $"HTTP {(int)res.StatusCode}", (int)res.StatusCode);
+            }
+            var obj = JObject.Parse(json);
+            var data = obj["data"];
+            if (data == null)
+                throw new ApiException("Invalid response: missing data", 200);
+            return new AuthConfigResult
+            {
+                DiscordClientId = data["discordClientId"]?.ToString() ?? ""
+            };
+        }
+
+        /// <summary>
+        /// Exchange PKCE authorization code for Discord ID and access token (plugin browser flow).
+        /// </summary>
+        public async Task<TokenExchangeResult> DiscordExchangeAsync(string code, string codeVerifier, string redirectUri)
+        {
+            var url = $"{_baseUrl}/api/auth/discord/exchange";
+            var body = new JObject
+            {
+                ["code"] = code?.Trim(),
+                ["code_verifier"] = codeVerifier?.Trim(),
+                ["redirect_uri"] = redirectUri?.Trim()
+            };
+            var content = new StringContent(body.ToString(), Encoding.UTF8, "application/json");
+            var res = await _http.PostAsync(url, content);
+            var json = await res.Content.ReadAsStringAsync();
+            if (!res.IsSuccessStatusCode)
+            {
+                var err = TryParseError(json);
+                throw new ApiException(err ?? $"HTTP {(int)res.StatusCode}", (int)res.StatusCode);
+            }
+            var obj = JObject.Parse(json);
+            var data = obj["data"];
+            if (data == null)
+                throw new ApiException("Invalid response: missing data", 200);
+            return new TokenExchangeResult
+            {
+                DiscordId = data["discordId"]?.ToString(),
+                AccessToken = data["access_token"]?.ToString(),
+                ExpiresIn = data["expires_in"]?.Value<int>() ?? 0
+            };
+        }
+
+        /// <summary>
+        /// Exchange a one-time manual token for Discord ID and access token (debug only).
         /// </summary>
         public async Task<TokenExchangeResult> TokenExchangeAsync(string tokenCode)
         {
@@ -85,6 +140,11 @@ public async Task HeartbeatAsync(string accessToken, string pluginVersion = "1.0
         }
     }
 
+    public class AuthConfigResult
+    {
+        public string DiscordClientId { get; set; } = "";
+    }
+
     public class TokenExchangeResult
     {
         public string? DiscordId { get; set; }
diff --git a/apps/plugin/WinPodiums.Plugin/UI/WinPodiumsSettingsControl.xaml b/apps/plugin/WinPodiums.Plugin/UI/WinPodiumsSettingsControl.xaml
new file mode 100644
index 0000000..734dfec
--- /dev/null
+++ b/apps/plugin/WinPodiums.Plugin/UI/WinPodiumsSettingsControl.xaml
@@ -0,0 +1,26 @@
+<UserControl x:Class="WinPodiums.Plugin.UI.WinPodiumsSettingsControl"
+             xmlns="http://schemas.microsoft.com/winfx/2006/xaml/presentation"
+             xmlns:x="http://schemas.microsoft.com/winfx/2006/xaml"
+             xmlns:mc="http://schemas.openxmlformats.org/markup-compatibility/2006"
+             xmlns:d="http://schemas.microsoft.com/expression/blend/2008"
+             mc:Ignorable="d"
+             d:DesignHeight="280" d:DesignWidth="360">
+  <StackPanel Margin="16">
+    <TextBlock Text="WinPodiums" FontSize="18" FontWeight="SemiBold" Margin="0,0,0,12"/>
+
+    <!-- Auth section -->
+    <TextBlock Text="Authentication" FontWeight="SemiBold" Margin="0,0,0,6"/>
+    <StackPanel Orientation="Horizontal" Margin="0,0,0,8">
+      <Button x:Name="LinkButton" Content="Link to Discord" Padding="12,6" Margin="0,0,8,0" Click="LinkButton_Click"/>
+      <Button x:Name="UnlinkButton" Content="Unlink" Padding="12,6" Margin="0,0,8,0" Click="UnlinkButton_Click" IsEnabled="False"/>
+    </StackPanel>
+    <TextBlock x:Name="AuthStatusText" Text="Not linked" Margin="0,0,0,16"/>
+
+    <!-- Heartbeat section -->
+    <TextBlock Text="Verification" FontWeight="SemiBold" Margin="0,0,0,6"/>
+    <StackPanel Orientation="Horizontal" Margin="0,0,0,8">
+      <Button x:Name="HeartbeatButton" Content="Send heartbeat" Padding="12,6" Margin="0,0,8,0" Click="HeartbeatButton_Click" IsEnabled="False"/>
+    </StackPanel>
+    <TextBlock x:Name="HeartbeatStatusText" Text="—" Margin="0,0,0,0"/>
+  </StackPanel>
+</UserControl>
diff --git a/apps/plugin/WinPodiums.Plugin/UI/WinPodiumsSettingsControl.xaml.cs b/apps/plugin/WinPodiums.Plugin/UI/WinPodiumsSettingsControl.xaml.cs
new file mode 100644
index 0000000..6a51263
--- /dev/null
+++ b/apps/plugin/WinPodiums.Plugin/UI/WinPodiumsSettingsControl.xaml.cs
@@ -0,0 +1,87 @@
+using System;
+using System.Windows;
+using System.Windows.Controls;
+using WinPodiums.Plugin.Core;
+
+namespace WinPodiums.Plugin.UI
+{
+    /// <summary>
+    /// Minimal SimHub settings panel: Link to Discord, Send heartbeat, status (TP-SPOC-004).
+    /// </summary>
+    public partial class WinPodiumsSettingsControl : UserControl
+    {
+        private readonly PluginMain _plugin;
+
+        public WinPodiumsSettingsControl(PluginMain plugin)
+        {
+            InitializeComponent();
+            _plugin = plugin ?? throw new ArgumentNullException(nameof(plugin));
+            Loaded += (_, __) => RefreshStatus();
+        }
+
+        private void RefreshStatus()
+        {
+            var linked = _plugin.IsAuthenticated;
+            AuthStatusText.Text = linked ? $"Linked" + (string.IsNullOrEmpty(_plugin.DiscordId) ? "" : $" ({_plugin.DiscordId})") : "Not linked";
+            LinkButton.Visibility = linked ? Visibility.Collapsed : Visibility.Visible;
+            UnlinkButton.Visibility = linked ? Visibility.Visible : Visibility.Collapsed;
+            UnlinkButton.IsEnabled = linked;
+            HeartbeatButton.IsEnabled = linked;
+        }
+
+        private async void LinkButton_Click(object sender, RoutedEventArgs e)
+        {
+            LinkButton.IsEnabled = false;
+            AuthStatusText.Text = "Linking…";
+            try
+            {
+                var ok = await _plugin.AuthenticateWithBrowserAsync().ConfigureAwait(true);
+                if (ok)
+                {
+                    AuthStatusText.Text = "Linked" + (string.IsNullOrEmpty(_plugin.DiscordId) ? "" : $" ({_plugin.DiscordId})");
+                    LinkButton.Visibility = Visibility.Collapsed;
+                    UnlinkButton.Visibility = Visibility.Visible;
+                    UnlinkButton.IsEnabled = true;
+                    HeartbeatButton.IsEnabled = true;
+                }
+                else
+                {
+                    AuthStatusText.Text = "Link failed";
+                }
+            }
+            catch
+            {
+                AuthStatusText.Text = "Link failed";
+            }
+            finally
+            {
+                LinkButton.IsEnabled = true;
+            }
+        }
+
+        private void UnlinkButton_Click(object sender, RoutedEventArgs e)
+        {
+            _plugin.Logout();
+            RefreshStatus();
+        }
+
+        private async void HeartbeatButton_Click(object sender, RoutedEventArgs e)
+        {
+            HeartbeatButton.IsEnabled = false;
+            HeartbeatStatusText.Text = "Sending…";
+            try
+            {
+                var ok = await _plugin.SendHeartbeatAsync("1.0.0").ConfigureAwait(true);
+                HeartbeatStatusText.Text = ok ? "Heartbeat OK" : "Heartbeat failed";
+            }
+            catch
+            {
+                HeartbeatStatusText.Text = "Heartbeat failed";
+            }
+            finally
+            {
+                HeartbeatButton.IsEnabled = true;
+            }
+        }
+    }
+}
diff --git a/apps/plugin/WinPodiums.Plugin/WinPodiums.Plugin.csproj b/apps/plugin/WinPodiums.Plugin/WinPodiums.Plugin.csproj
index 8c1f6de..79653b0 100644
--- a/apps/plugin/WinPodiums.Plugin/WinPodiums.Plugin.csproj
+++ b/apps/plugin/WinPodiums.Plugin/WinPodiums.Plugin.csproj
@@ -6,6 +6,7 @@
     <OutputType>Library</OutputType>
     <LangVersion>latest</LangVersion>
     <Nullable>enable</Nullable>
+    <UseWPF>true</UseWPF>
   </PropertyGroup>
   <ItemGroup>
     <PackageReference Include="Newtonsoft.Json" Version="13.0.4" />
diff --git a/docs/architecture/next-steps.md b/docs/architecture/next-steps.md
index c1a5a19..d37ab5c 100644
--- a/docs/architecture/next-steps.md
+++ b/docs/architecture/next-steps.md
@@ -17,7 +17,7 @@
 | **Create D1 tables** | `apps/api` | Run the initial schema (empty tables): `npx wrangler d1 migrations apply winpodiums-dev-db --local` (or `--remote` when deploying). SQL in `apps/api/migrations/0001_initial_schema.sql`. |
 | **Configure Discord + secrets** | `apps/api` | Copy `.dev.vars.example` to `.dev.vars`; set `DISCORD_CLIENT_ID`, `DISCORD_CLIENT_SECRET`, `SESSION_SECRET`. In Discord Developer Portal, add redirect URI `http://localhost:8787/auth/callback` (and production URL when you deploy). |
 | **Test Worker locally** | Repo root + `apps/api` | Run API: `docker compose up`. Run tests against Docker: `docker compose up -d && cd apps/api && npm test`. Hit `/`, `/auth/discord`, `/auth/token`, `/api/health`, `/api/profile/me` (after login). |
-| **Test plugin** | `apps/plugin` | Build plugin; deploy DLL to `C:\Program Files (x86)\SimHub\Plugins`. Primary auth: browser (PKCE). For debug only (feature-flagged): generate token at `/auth/token`, then in plugin call `AuthenticateWithManualTokenAsync(token)` and `SendHeartbeatAsync()`. |
+| **Test plugin** | `apps/plugin` | Build plugin; deploy DLL to `C:\Program Files (x86)\SimHub\Plugins`. Primary auth: browser (PKCE). For debug only (feature-flagged): generate token at `/auth/token`, then in plugin call `AuthenticateWithManualTokenAsync(token)` and `SendHeartbeatAsync()`. Manual E2E steps: see [Development guide — Manual E2E (SimHub Plugin POC)](../guides/development.md#manual-e2e--simhub-plugin-poc). |
 | **Deploy** | When ready | Create D1/KV/R2 in Cloudflare if needed; set bindings in `wrangler.toml`; apply D1 schema `--remote`; then `wrangler deploy`. See [Deployment Guide](../guides/deployment.md). |
 
 **Implemented in Phase 1 (Step 4):**
diff --git a/docs/guides/development.md b/docs/guides/development.md
index ddc7669..418490d 100644
--- a/docs/guides/development.md
+++ b/docs/guides/development.md
@@ -114,6 +114,25 @@ The plugin targets .NET Framework 4.8 and SimHub on Windows. Build and run on th
 
 **Implementation order:** TP-SPOC-001 (skeleton, SDK, config) → 002 (auth PKCE, token storage) → 003 (API client, heartbeat) → 004 (minimal SimHub UI) → 005 (testing, POC completion). Manual E2E and minimum automated tests per TP-005 define “POC complete.”
 
+### Manual E2E — SimHub Plugin POC
+
+To confirm POC completion, run the full flow from the SimHub UI only (no code changes). Documented per [TP-SPOC-005](../tech-plans/simhub-plugin-poc/005-poc-testing-completion.md).
+
+**Prerequisites:**
+
+- For browser PKCE, the **Discord app** must have redirect URI `http://127.0.0.1:54321/callback` (canonical port). Add it in the Discord Developer Portal under your application → OAuth2 → Redirects.
+- For heartbeat to succeed, the API must be running (e.g. `docker compose up`). For local testing, use `http://localhost:8787`; the plugin uses the default API base URL unless you set it (e.g. via `SetApiBaseUrl` programmatically; UI for base URL is optional for POC).
+
+**Steps:**
+
+1. **Build plugin DLL** — From repo root: `dotnet build apps/plugin/WinPodiums.Plugin/WinPodiums.Plugin.csproj --configuration Release`. Output: `apps/plugin/WinPodiums.Plugin/bin/Release/net48/WinPodiums.Plugin.dll`.
+2. **Install in SimHub** — Stop SimHub if running. Copy `WinPodiums.Plugin.dll` (and `Newtonsoft.Json.dll` from the same output folder if SimHub reports a missing assembly) to `C:\Program Files (x86)\SimHub\Plugins`. Start SimHub.
+3. **Open plugin settings** — In SimHub, open the plugin list/settings and select WinPodiums. Open the plugin settings panel (WPF control with "Link to Discord", "Send heartbeat", status).
+4. **Confirm initial state** — You should see "Link to Discord" and status "Not linked".
+5. **Link to Discord** — Click "Link to Discord". A browser opens to Discord OAuth; sign in and authorize. After redirect, the plugin shows "Linked" (and optionally your Discord ID).
+6. **Send heartbeat** — Click "Send heartbeat". Status should show "Heartbeat OK" (or "Heartbeat failed" if the API is down or unreachable).
+7. **Optional (local API)** — To test against a local API: ensure the API is running (`docker compose up`), set the plugin API base URL to `http://localhost:8787` if exposed (e.g. in a future UI or via programmatic `SetApiBaseUrl`), then repeat steps 5–6.
+
 ## Wrangler bindings (D1, R2, KV)
 
 - **D1 and R2**: `apps/api/wrangler.toml` defines bindings for local dev (`winpodiums-dev-db`, `winpodiums-dev-storage`). Docker runs Wrangler with the same config.
diff --git a/package-lock.json b/package-lock.json
index 54da906..a4c90a8 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -1,5 +1,5 @@
 {
-  "name": "snu",
+  "name": "srq",
   "lockfileVersion": 3,
   "requires": true,
   "packages": {}