diff --git a/Makefile b/Makefile
index 71c83e6a..9b4e59e3 100644
--- a/Makefile
+++ b/Makefile
@@ -21,10 +21,6 @@ GCP_STAGING_PROJECT_ID := krow-workforce-staging
 IAP_SERVICE_ACCOUNT    := service-933560802882@gcp-sa-iap.iam.gserviceaccount.com
 
 # --- Cloud Run Configuration ---
-CR_LAUNCHPAD_SERVICE_NAME := internal-launchpad
-CR_LAUNCHPAD_REGION       := us-central1
-CR_LAUNCHPAD_IMAGE_URI    := us-docker.pkg.dev/$(GCP_DEV_PROJECT_ID)/gcr-io/$(CR_LAUNCHPAD_SERVICE_NAME)
-
 CR_ADMIN_SERVICE_NAME     := admin-console
 CR_ADMIN_REGION           := us-central1
 CR_ADMIN_IMAGE_URI        = us-docker.pkg.dev/$(GCP_PROJECT_ID)/gcr-io/$(CR_ADMIN_SERVICE_NAME)
@@ -68,6 +64,7 @@ help:
 	@echo "  make install          - Installs web frontend dependencies."
 	@echo "  make dev              - Starts the local web frontend server."
 	@echo "  make build            - Builds the web frontend for production."
+	@echo "  make launchpad-dev    - Starts the local launchpad server (Firebase Hosting emulator)."
 	@echo ""
 	@echo "  --- MOBILE APP DEVELOPMENT ---"
 	@echo "  make mobile-client-install        - Install dependencies for client app"
@@ -79,7 +76,7 @@ help:
 	@echo "  make mobile-staff-build           - Build staff app (requires ENV & PLATFORM, optional BUILD_TYPE=apk)"
 	@echo ""
 	@echo "  --- DEPLOYMENT ---"
-	@echo "  make deploy-launchpad-full - Deploys internal launchpad to Cloud Run (dev only) with IAP."
+	@echo "  make deploy-launchpad-hosting - Deploys internal launchpad to Firebase Hosting (Auth via Firebase)."
 	@echo "  make deploy-admin-full [ENV=staging] - Deploys Admin Console to Cloud Run with IAP (default: dev)."
 	@echo "  make deploy-app [ENV=staging] - Builds and deploys the main web app via Firebase Hosting (default: dev)."
 	@echo ""
@@ -125,29 +122,21 @@ build:
 	@echo "--> Building web frontend for production..."
 	@cd frontend-web && VITE_APP_ENV=$(ENV) npm run build
 
-# --- Deployment ---
-deploy-launchpad:
-	@echo "--> Building and deploying Internal Launchpad to Cloud Run..."
-	@echo "    - Step 1: Building container image..."
-	@cd firebase/internal-launchpad && gcloud builds submit \
-		--tag $(CR_LAUNCHPAD_IMAGE_URI) \
-		--project=$(GCP_DEV_PROJECT_ID)
-	@echo "    - Step 2: Deploying to Cloud Run..."
-	@gcloud run deploy $(CR_LAUNCHPAD_SERVICE_NAME) \
-		--image $(CR_LAUNCHPAD_IMAGE_URI) \
-		--platform managed \
-		--region $(CR_LAUNCHPAD_REGION) \
-		--no-allow-unauthenticated \
-		--project=$(GCP_DEV_PROJECT_ID)
-	@echo "    - Step 3: Enabling IAP on the service..."
-	@gcloud beta run services update $(CR_LAUNCHPAD_SERVICE_NAME) \
-		--region=$(CR_LAUNCHPAD_REGION) \
-		--project=$(GCP_DEV_PROJECT_ID) \
-		--iap
-	@echo "--> ✅ Deployment to Cloud Run successful."
+launchpad-dev:
+	@echo "--> Starting local Launchpad server using Firebase Hosting emulator..."
+	@echo "    - Generating secure email hashes..."
+	@node scripts/generate-allowed-hashes.js
+	@firebase serve --only hosting:launchpad --project=$(FIREBASE_ALIAS)
 
-deploy-launchpad-full: deploy-launchpad configure-iap-launchpad
-	@echo "✅ Launchpad deployed and IAP configured successfully!"
+# --- Deployment ---
+deploy-launchpad-hosting:
+	@echo "--> Deploying Internal Launchpad to Firebase Hosting..."
+	@echo "    - Generating secure email hashes..."
+	@node scripts/generate-allowed-hashes.js
+	@echo "    - Target: hosting:launchpad"
+	@echo "    - Project: $(FIREBASE_ALIAS)"
+	@firebase deploy --only hosting:launchpad --project=$(FIREBASE_ALIAS)
+	@echo "--> ✅ Deployment to Firebase Hosting successful."
 
 deploy-app: build
 	@echo "--> Deploying Frontend Web App to [$(ENV)] environment..."
@@ -214,30 +203,6 @@ free-dev: dataconnect-sync
 	@cd frontend-web-free && npm run dev -- --port 5174
 
 # --- Cloud IAP Configuration ---
-configure-iap-launchpad:
-	@echo "--> Configuring IAP for Cloud Run service [$(CR_LAUNCHPAD_SERVICE_NAME)]..."
-	@echo "    - Granting Cloud Run Invoker role to IAP Service Account..."
-	@gcloud run services add-iam-policy-binding $(CR_LAUNCHPAD_SERVICE_NAME) \
-		--region=$(CR_LAUNCHPAD_REGION) \
-		--project=$(GCP_DEV_PROJECT_ID) \
-		--member=\"serviceAccount:$(IAP_SERVICE_ACCOUNT)\" \
-		--role='roles/run.invoker' \
-		--quiet
-	@echo "    - Adding users from iap-users.txt..."
-	@cd firebase/internal-launchpad && \
-	grep -v '^#' iap-users.txt | grep -v '^$$' | while read -r member; do \
-		echo "      Adding $$member as IAP-secured Web App User..."; \
-		gcloud beta iap web add-iam-policy-binding \
-			--project=$(GCP_DEV_PROJECT_ID) \
-			--resource-type=cloud-run \
-			--service=$(CR_LAUNCHPAD_SERVICE_NAME) \
-			--region=$(CR_LAUNCHPAD_REGION) \
-			--member=\"$$member\" \
-			--role='roles/iap.httpsResourceAccessor' \
-			--quiet; \
-	done
-	@echo "✅ IAP configuration for Launchpad complete."
-
 configure-iap-admin:
 	@echo "--> Configuring IAP for Cloud Run service [$(CR_ADMIN_SERVICE_NAME)] in [$(ENV)]..."
 	@echo "    - Granting Cloud Run Invoker role to IAP Service Account..."
diff --git a/firebase.json b/firebase.json
index 8900d6b8..88dc5410 100644
--- a/firebase.json
+++ b/firebase.json
@@ -11,6 +11,7 @@
       "public": "firebase/internal-launchpad",
       "ignore": [
         "firebase.json",
+        "iap-users.txt",
         "**/.*",
         "**/node_modules/**"
       ]
@@ -48,7 +49,6 @@
     {
       "target": "api-harness-dev",
       "public": "internal-api-harness/dist",
-      "site": "krow-api-harness-dev",
       "ignore": [
         "firebase.json",
         "**/.*",
@@ -64,7 +64,6 @@
     {
       "target": "api-harness-staging",
       "public": "internal-api-harness/dist",
-      "site": "krow-api-harness-staging",
       "ignore": [
         "firebase.json",
         "**/.*",
diff --git a/firebase/internal-launchpad/.gcloudignore b/firebase/internal-launchpad/.gcloudignore
deleted file mode 100644
index 28b93809..00000000
--- a/firebase/internal-launchpad/.gcloudignore
+++ /dev/null
@@ -1,18 +0,0 @@
-# This file specifies files that are *not* uploaded to Google Cloud
-# using gcloud. It follows the same syntax as .gitignore, with the addition of
-# "#!include" directives (which insert the entries of the given .gitignore-style
-# file at that point).
-#
-# For more information, run:
-#   $ gcloud topic gcloudignore
-#
-.gcloudignore
-# If you would like to upload your .git directory, .gitignore file or files
-# from your .gitignore file, remove the corresponding line
-# below:
-.git
-.gitignore
-
-# Node.js dependencies:
-node_modules/
-*.log
\ No newline at end of file
diff --git a/firebase/internal-launchpad/Dockerfile b/firebase/internal-launchpad/Dockerfile
deleted file mode 100644
index 84bf1d83..00000000
--- a/firebase/internal-launchpad/Dockerfile
+++ /dev/null
@@ -1,28 +0,0 @@
-# Utiliser nginx pour servir les fichiers statiques
-FROM nginx:alpine
-
-# Copier les fichiers statiques
-COPY index.html /usr/share/nginx/html/
-COPY assets /usr/share/nginx/html/assets/
-COPY favicon.svg /usr/share/nginx/html/
-COPY logo.svg /usr/share/nginx/html/
-
-# Configuration nginx pour le routing SPA
-RUN echo 'server { \
-    listen 8080; \
-    server_name _; \
-    root /usr/share/nginx/html; \
-    index index.html; \
-    location / { \
-        try_files $uri $uri/ /index.html; \
-    } \
-    # Headers de sécurité \
-    add_header X-Frame-Options "SAMEORIGIN" always; \
-    add_header X-Content-Type-Options "nosniff" always; \
-    add_header X-XSS-Protection "1; mode=block" always; \
-}' > /etc/nginx/conf.d/default.conf
-
-# Nginx écoute sur le port 8080 (requis par Cloud Run)
-EXPOSE 8080
-
-CMD ["nginx", "-g", "daemon off;"]
\ No newline at end of file
diff --git a/firebase/internal-launchpad/allowed-hashes.json b/firebase/internal-launchpad/allowed-hashes.json
new file mode 100644
index 00000000..a3f1512d
--- /dev/null
+++ b/firebase/internal-launchpad/allowed-hashes.json
@@ -0,0 +1,5 @@
+[
+  "1b2e22bdec8f6493bf71ee535b6db6b4b5cd2d373f0ffb25524e229f3b5b7f5f",
+  "e075ff357ef35be2d55b0e383d59c5256980c492ada7ab84c84b2bb5ac26a73f",
+  "994b31c1aef3d59fe59bc3b8e1dec860a6fb3c73cbf41bdf45028e2c1ecbcf7a"
+]
\ No newline at end of file
diff --git a/firebase/internal-launchpad/iap-users.txt b/firebase/internal-launchpad/iap-users.txt
index 4b166559..a9e897ef 100644
--- a/firebase/internal-launchpad/iap-users.txt
+++ b/firebase/internal-launchpad/iap-users.txt
@@ -1,9 +1,14 @@
-# List of authorized users for the Internal Launchpad
+# List of authorized users for the Krow DevOps Launchpad
 # Format: one email per line, lines starting with # are comments
 #
-# IMPORTANT: These users must belong to the 'krowwithus.com' organization.
-# This is a known limitation of enabling IAP directly on Cloud Run.
-# See: https://docs.cloud.google.com/run/docs/securing/identity-aware-proxy-cloud-run#known_limitations
+# Users must be listed here to access the Launchpad via Firebase Auth.
+# Both internal (@krowwithus.com) and external emails are supported.
 
 user:admin@krowwithus.com
-# user:boris@oloodi.com # External users are not supported with this IAP method
+
+# External users - Oloodi employees
+user:boris@oloodi.com
+user:achintha.isuru@oloodi.com
+
+# External users - Legendary employees
+
diff --git a/firebase/internal-launchpad/index.html b/firebase/internal-launchpad/index.html
index 5857dfd4..472f97d7 100644
--- a/firebase/internal-launchpad/index.html
+++ b/firebase/internal-launchpad/index.html
@@ -4,7 +4,7 @@
 <head>
     <meta charset="UTF-8">
     <meta name="viewport" content="width=device-width, initial-scale=1.0">
-    <title>KROW Launchpad</title>
+    <title>Krow DevOps Launchpad</title>
     <link rel="icon" type="image/x-icon" href="favicon.svg">
 
     <!-- Tailwind CSS -->
@@ -73,15 +73,8 @@
         }
 
         @keyframes pulse {
-
-            0%,
-            100% {
-                opacity: 1;
-            }
-
-            50% {
-                opacity: .7;
-            }
+            0%, 100% { opacity: 1; }
+            50% { opacity: .7; }
         }
 
         .scrollbar-hide::-webkit-scrollbar {
@@ -106,18 +99,14 @@
             padding: 0.75rem 1rem;
             font-size: 0.875rem;
             color: #4b5563;
-            /* text-gray-600 */
             text-align: left;
             background-color: #f9fafb;
-            /* bg-gray-50 */
             border-radius: 0.5rem;
-            /* rounded-lg */
             transition: background-color 0.2s ease;
         }
 
         .accordion-button:hover {
             background-color: #f3f4f6;
-            /* bg-gray-100 */
         }
 
         .accordion-button .chevron {
@@ -134,182 +123,78 @@
             max-height: 0;
         }
 
-        /* Modal styles */
-        .modal-overlay {
-            backdrop-filter: blur(4px);
-            animation: fadeIn 0.2s ease-out;
-        }
-
-        @keyframes fadeIn {
-            from {
-                opacity: 0;
-            }
-
-            to {
-                opacity: 1;
-            }
-        }
-
-        .modal-content {
-            animation: slideUp 0.3s ease-out;
-        }
-
-        @keyframes slideUp {
-            from {
-                opacity: 0;
-                transform: translateY(20px);
-            }
-
-            to {
-                opacity: 1;
-                transform: translateY(0);
-            }
-        }
-
         /* Markdown styling */
-        .markdown-content {
-            line-height: 1.7;
-            color: #374151;
-        }
+        .markdown-content { line-height: 1.7; color: #374151; }
+        .markdown-content h1 { font-size: 2em; font-weight: 700; margin-top: 1.5em; margin-bottom: 0.5em; padding-bottom: 0.3em; border-bottom: 2px solid #e5e7eb; color: #111827; }
+        .markdown-content h1:first-child { margin-top: 0; }
+        .markdown-content h2 { font-size: 1.5em; font-weight: 600; margin-top: 1.5em; margin-bottom: 0.5em; padding-bottom: 0.2em; border-bottom: 1px solid #e5e7eb; color: #111827; }
+        .markdown-content h3 { font-size: 1.25em; font-weight: 600; margin-top: 1.2em; margin-bottom: 0.5em; color: #111827; }
+        .markdown-content h4 { font-size: 1.1em; font-weight: 600; margin-top: 1em; margin-bottom: 0.5em; color: #111827; }
+        .markdown-content p { margin-bottom: 1em; }
+        .markdown-content ul, .markdown-content ol { margin-bottom: 1em; padding-left: 2em; }
+        .markdown-content ul { list-style-type: disc; }
+        .markdown-content ol { list-style-type: decimal; }
+        .markdown-content li { margin-bottom: 0.5em; }
+        .markdown-content code { background-color: #f3f4f6; padding: 0.2em 0.4em; border-radius: 0.25em; font-size: 0.9em; font-family: 'Courier New', monospace; color: #dc2626; }
+        .markdown-content pre { background-color: #1f2937; color: #f9fafb; padding: 1em; border-radius: 0.5em; overflow-x: auto; margin-bottom: 1em; }
+        .markdown-content pre code { background-color: transparent; padding: 0; color: inherit; }
+        .markdown-content blockquote { border-left: 4px solid #3b82f6; padding-left: 1em; margin: 1em 0; color: #6b7280; font-style: italic; }
+        .markdown-content a { color: #3b82f6; text-decoration: underline; }
+        .markdown-content a:hover { color: #2563eb; }
+        .markdown-content table { width: 100%; border-collapse: collapse; margin-bottom: 1em; }
+        .markdown-content th, .markdown-content td { border: 1px solid #e5e7eb; padding: 0.5em; text-align: left; }
+        .markdown-content th { background-color: #f9fafb; font-weight: 600; }
+        .markdown-content img { max-width: 100%; height: auto; border-radius: 0.5em; margin: 1em 0; }
+        .markdown-content hr { border: none; border-top: 2px solid #e5e7eb; margin: 2em 0; }
 
-        .markdown-content h1 {
-            font-size: 2em;
-            font-weight: 700;
-            margin-top: 1.5em;
-            margin-bottom: 0.5em;
-            padding-bottom: 0.3em;
-            border-bottom: 2px solid #e5e7eb;
-            color: #111827;
+        /* Loading Overlay */
+        #auth-loading {
+            position: fixed; top: 0; left: 0; right: 0; bottom: 0;
+            background: white; z-index: 50;
+            display: flex; flex-direction: column; align-items: center; justify-content: center;
         }
-
-        .markdown-content h1:first-child {
-            margin-top: 0;
-        }
-
-        .markdown-content h2 {
-            font-size: 1.5em;
-            font-weight: 600;
-            margin-top: 1.5em;
-            margin-bottom: 0.5em;
-            padding-bottom: 0.2em;
-            border-bottom: 1px solid #e5e7eb;
-            color: #111827;
-        }
-
-        .markdown-content h3 {
-            font-size: 1.25em;
-            font-weight: 600;
-            margin-top: 1.2em;
-            margin-bottom: 0.5em;
-            color: #111827;
-        }
-
-        .markdown-content h4 {
-            font-size: 1.1em;
-            font-weight: 600;
-            margin-top: 1em;
-            margin-bottom: 0.5em;
-            color: #111827;
-        }
-
-        .markdown-content p {
-            margin-bottom: 1em;
-        }
-
-        .markdown-content ul,
-        .markdown-content ol {
-            margin-bottom: 1em;
-            padding-left: 2em;
-        }
-
-        .markdown-content ul {
-            list-style-type: disc;
-        }
-
-        .markdown-content ol {
-            list-style-type: decimal;
-        }
-
-        .markdown-content li {
-            margin-bottom: 0.5em;
-        }
-
-        .markdown-content code {
-            background-color: #f3f4f6;
-            padding: 0.2em 0.4em;
-            border-radius: 0.25em;
-            font-size: 0.9em;
-            font-family: 'Courier New', monospace;
-            color: #dc2626;
-        }
-
-        .markdown-content pre {
-            background-color: #1f2937;
-            color: #f9fafb;
-            padding: 1em;
-            border-radius: 0.5em;
-            overflow-x: auto;
-            margin-bottom: 1em;
-        }
-
-        .markdown-content pre code {
-            background-color: transparent;
-            padding: 0;
-            color: inherit;
-        }
-
-        .markdown-content blockquote {
-            border-left: 4px solid #3b82f6;
-            padding-left: 1em;
-            margin: 1em 0;
-            color: #6b7280;
-            font-style: italic;
-        }
-
-        .markdown-content a {
-            color: #3b82f6;
-            text-decoration: underline;
-        }
-
-        .markdown-content a:hover {
-            color: #2563eb;
-        }
-
-        .markdown-content table {
-            width: 100%;
-            border-collapse: collapse;
-            margin-bottom: 1em;
-        }
-
-        .markdown-content th,
-        .markdown-content td {
-            border: 1px solid #e5e7eb;
-            padding: 0.5em;
-            text-align: left;
-        }
-
-        .markdown-content th {
-            background-color: #f9fafb;
-            font-weight: 600;
-        }
-
-        .markdown-content img {
-            max-width: 100%;
-            height: auto;
-            border-radius: 0.5em;
-            margin: 1em 0;
-        }
-
-        .markdown-content hr {
-            border: none;
-            border-top: 2px solid #e5e7eb;
-            margin: 2em 0;
+        #login-screen {
+            display: none;
+            position: fixed; top: 0; left: 0; right: 0; bottom: 0;
+            background: linear-gradient(135deg, #f3f4f6 0%, #e5e7eb 100%);
+            z-index: 40;
+            align-items: center; justify-content: center;
         }
     </style>
 </head>
 
 <body class="bg-gradient-to-br from-gray-50 to-gray-100 min-h-screen">
-    <div class="flex h-screen overflow-hidden">
+
+    <!-- Auth Loading State -->
+    <div id="auth-loading">
+        <div class="w-16 h-16 border-4 border-primary-200 border-t-primary-600 rounded-full animate-spin mb-4"></div>
+        <p class="text-gray-500 font-medium">Verifying access...</p>
+    </div>
+
+    <!-- Login Screen -->
+    <div id="login-screen" class="flex">
+        <div class="bg-white p-8 rounded-2xl shadow-xl max-w-md w-full mx-4 text-center">
+            <div class="flex justify-center mb-6">
+                <img src="logo.svg" alt="KROW Logo" class="h-16 w-16" onerror="this.src='https://via.placeholder.com/64?text=KROW'">
+            </div>
+            <h1 class="text-2xl font-bold text-gray-900 mb-2">Internal DevOps Launchpad</h1>
+            <p class="text-gray-500 mb-8">Please sign in to access internal development resources.</p>
+            
+            <button id="google-signin-btn" class="w-full flex items-center justify-center space-x-3 bg-white border border-gray-300 hover:bg-gray-50 text-gray-700 font-medium py-3 px-4 rounded-xl transition-all shadow-sm">
+                <svg class="w-5 h-5" viewBox="0 0 24 24">
+                    <path fill="#4285F4" d="M22.56 12.25c0-.78-.07-1.53-.2-2.25H12v4.26h5.92c-.26 1.37-1.04 2.53-2.21 3.31v2.77h3.57c2.08-1.92 3.28-4.74 3.28-8.09z" />
+                    <path fill="#34A853" d="M12 23c2.97 0 5.46-.98 7.28-2.66l-3.57-2.77c-.98.66-2.23 1.06-3.71 1.06-2.86 0-5.29-1.93-6.16-4.53H2.18v2.84C3.99 20.53 7.7 23 12 23z" />
+                    <path fill="#FBBC05" d="M5.84 14.09c-.22-.66-.35-1.36-.35-2.09s.13-1.43.35-2.09V7.07H2.18C1.43 8.55 1 10.22 1 12s.43 3.45 1.18 4.93l2.85-2.22.81-.62z" />
+                    <path fill="#EA4335" d="M12 5.38c1.62 0 3.06.56 4.21 1.64l3.15-3.15C17.45 2.09 14.97 1 12 1 7.7 1 3.99 3.47 2.18 7.07l3.66 2.84c.87-2.6 3.3-4.53 6.16-4.53z" />
+                </svg>
+                <span>Sign in with Google</span>
+            </button>
+            <p id="login-error" class="mt-4 text-red-500 text-sm hidden"></p>
+        </div>
+    </div>
+
+    <!-- Main Content (Protected) -->
+    <div id="app-content" class="hidden flex h-screen overflow-hidden">
 
         <!-- Sidebar -->
         <aside class="w-72 bg-white shadow-xl flex flex-col border-r border-gray-200">
@@ -320,8 +205,8 @@
                         <img src="logo.svg" alt="Krow Logo" style="height: 60px;" onerror="this.style.display='none'">
                     </div>
                     <div>
-                        <h1 class="text-xl font-bold text-gray-900">KROW</h1>
-                        <p class="text-xs text-gray-500">Launchpad</p>
+                        <h1 class="text-xl font-bold text-gray-900">KROW DevOps</h1>
+                        <p class="text-xs text-gray-500">Launchpad Hub</p>
                     </div>
                 </div>
             </div>
@@ -347,9 +232,15 @@
 
             <!-- Footer -->
             <div class="p-4 border-t border-gray-200 bg-gray-50">
-                <div class="flex items-center space-x-2 text-xs text-gray-500">
-                    <div class="w-2 h-2 bg-green-500 rounded-full badge-pulse"></div>
-                    <span>System Online</span>
+                <div class="flex flex-col space-y-2">
+                    <div class="flex items-center space-x-2 text-xs text-gray-500">
+                        <div class="w-2 h-2 bg-green-500 rounded-full badge-pulse"></div>
+                        <span>System Online</span>
+                    </div>
+                    <div class="flex items-center justify-between pt-2 border-t border-gray-100">
+                        <span id="user-email" class="text-xs text-gray-400 truncate max-w-[150px]"></span>
+                        <button id="logout-btn" class="text-xs text-red-500 hover:text-red-700 font-medium">Sign Out</button>
+                    </div>
                 </div>
             </div>
         </aside>
@@ -361,8 +252,8 @@
             <div id="home-view" class="p-8">
                 <!-- Header -->
                 <div class="mb-8">
-                    <h2 class="text-3xl font-bold text-gray-900 mb-2">Welcome to KROW Launchpad</h2>
-                    <p class="text-gray-600">Your central hub for workforce management infrastructure</p>
+                    <h2 class="text-3xl font-bold text-gray-900 mb-2">Krow DevOps Launchpad</h2>
+                    <p class="text-gray-600">Central hub for KROW development and operations infrastructure</p>
                 </div>
 
                 <div id="links-container" class="grid grid-cols-1 lg:grid-cols-2 gap-6">
@@ -428,6 +319,131 @@
     <!-- Panzoom -->
     <script src="https://cdn.jsdelivr.net/npm/@panzoom/panzoom@4.5.1/dist/panzoom.min.js"></script>
 
+    <!-- Firebase Auth Logic -->
+    <script type="module">
+        import { initializeApp } from 'https://www.gstatic.com/firebasejs/10.8.0/firebase-app.js';
+        import { getAuth, GoogleAuthProvider, signInWithPopup, onAuthStateChanged, signOut } from 'https://www.gstatic.com/firebasejs/10.8.0/firebase-auth.js';
+
+        // Elements
+        const authLoading = document.getElementById('auth-loading');
+        const loginScreen = document.getElementById('login-screen');
+        const appContent = document.getElementById('app-content');
+        const googleBtn = document.getElementById('google-signin-btn');
+        const logoutBtn = document.getElementById('logout-btn');
+        const loginError = document.getElementById('login-error');
+        const userEmailSpan = document.getElementById('user-email');
+
+        let pendingError = null;
+
+        // Initialize Firebase
+        // Note: fetch('/__/firebase/init.json') works only on deployed Firebase Hosting or firebase serve
+        async function initAuth() {
+            try {
+                let config;
+                // Fetch config from hosting environment
+                const res = await fetch('/__/firebase/init.json');
+                if (!res.ok) throw new Error('Failed to load Firebase config. Ensure you are running via "make launchpad-dev" or deployed on Hosting.');
+                config = await res.json();
+                console.log("Firebase Config Loaded:", config.projectId);
+
+                const app = initializeApp(config);
+                const auth = getAuth(app);
+                
+                // Auth State Observer
+                onAuthStateChanged(auth, async (user) => {
+                    if (user) {
+                        // User is signed in, check if allowed
+                        const allowed = await checkAccess(user.email);
+                        if (allowed) {
+                            showApp(user);
+                        } else {
+                            pendingError = `Access Denied: <b>${user.email}</b> is not authorized.<br>Please contact the Krow Internal Developers or an Administrator to request access.`;
+                            signOut(auth);
+                        }
+                    } else {
+                        // User is signed out
+                        if (pendingError) {
+                            showLogin(pendingError);
+                            pendingError = null;
+                        } else {
+                            showLogin();
+                        }
+                    }
+                });
+
+                // Login Handler
+                googleBtn.addEventListener('click', () => {
+                    // Clear previous errors
+                    loginError.classList.add('hidden');
+                    const provider = new GoogleAuthProvider();
+                    signInWithPopup(auth, provider).catch((error) => {
+                        console.error("Login failed:", error);
+                        showLogin("Login failed: " + error.message);
+                    });
+                });
+
+                // Logout Handler
+                logoutBtn.addEventListener('click', () => {
+                    signOut(auth);
+                });
+
+            } catch (e) {
+                console.error("Auth init error:", e);
+                // Fallback for local dev without firebase serving
+                if (window.location.hostname === 'localhost') {
+                     alert("Firebase Auth failed to load. Ensure you are using 'firebase serve' or have configured local auth.");
+                }
+            }
+        }
+
+        async function checkAccess(email) {
+            try {
+                // 1. Fetch the secure list of hashes
+                const res = await fetch('allowed-hashes.json');
+                if (!res.ok) return false;
+                const allowedHashes = await res.json();
+                
+                // 2. Hash the user's email (SHA-256)
+                const normalizedEmail = email.trim().toLowerCase();
+                const msgBuffer = new TextEncoder().encode(normalizedEmail);
+                const hashBuffer = await crypto.subtle.digest('SHA-256', msgBuffer);
+                const hashArray = Array.from(new Uint8Array(hashBuffer));
+                const hashHex = hashArray.map(b => b.toString(16).padStart(2, '0')).join('');
+
+                // 3. Compare
+                return allowedHashes.includes(hashHex);
+            } catch (e) {
+                console.error("Failed to check access list:", e);
+                return false;
+            }
+        }
+
+        function showApp(user) {
+            authLoading.style.display = 'none';
+            loginScreen.style.display = 'none';
+            appContent.classList.remove('hidden');
+            userEmailSpan.textContent = user.email;
+            
+            // Trigger link loading if not already done
+            if (typeof loadLinks === 'function') loadLinks();
+        }
+
+        function showLogin(errorMsg) {
+            authLoading.style.display = 'none';
+            appContent.classList.add('hidden');
+            loginScreen.style.display = 'flex';
+            if (errorMsg) {
+                loginError.innerHTML = errorMsg;
+                loginError.classList.remove('hidden');
+            } else {
+                loginError.classList.add('hidden');
+            }
+        }
+
+        // Start
+        initAuth();
+    </script>
+
     <script>
         let allDiagrams = [];
         let allDocuments = [];
diff --git a/mobile-apps/apps/krow_client/.keep b/mobile-apps/apps/krow_client/.keep
new file mode 100644
index 00000000..e69de29b
diff --git a/scripts/generate-allowed-hashes.js b/scripts/generate-allowed-hashes.js
new file mode 100644
index 00000000..57a09784
--- /dev/null
+++ b/scripts/generate-allowed-hashes.js
@@ -0,0 +1,31 @@
+const fs = require('fs');
+const path = require('path');
+const crypto = require('crypto');
+
+const INPUT_FILE = path.join(__dirname, '../firebase/internal-launchpad/iap-users.txt');
+const OUTPUT_FILE = path.join(__dirname, '../firebase/internal-launchpad/allowed-hashes.json');
+
+try {
+    const data = fs.readFileSync(INPUT_FILE, 'utf8');
+    const lines = data.split('\n');
+
+    const hashes = lines
+        .map(line => line.trim())
+        .filter(line => line && !line.startsWith('#')) // Ignore empty lines and comments
+        .map(line => line.replace(/^user:/, '').trim().toLowerCase()) // Clean email
+        .map(email => {
+            // Create SHA-256 hash
+            return crypto.createHash('sha256').update(email).digest('hex');
+        });
+
+    const jsonContent = JSON.stringify(hashes, null, 2);
+    fs.writeFileSync(OUTPUT_FILE, jsonContent);
+
+    console.log(`✅ Successfully generated ${hashes.length} secure hashes from iap-users.txt`);
+    console.log(`   Output: ${OUTPUT_FILE}`);
+
+} catch (err) {
+    console.error('❌ Error generating hashes:', err);
+    process.exit(1);
+}
+