@bod.ee/db 0.9.1 → 0.10.2

package/admin/ui.html

@@ -9,7 +9,7 @@
 
   /* Metrics bar */
   #metrics-bar { display: flex; background: #0a0a0a; border-bottom: 1px solid #2a2a2a; flex-shrink: 0; overflow-x: auto; align-items: stretch; }
-  .metric-card { display: flex; flex-direction: column; padding: 5px 10px 4px; border-right: 1px solid #181818; width: 130px; flex-shrink: 0; gap: 1px; overflow: hidden; }
+  .metric-card { display: flex; flex-direction: column; padding: 5px 10px 4px; border-right: 1px solid #181818; min-width: 140px; flex-shrink: 0; gap: 1px; overflow: hidden; }
   .metric-card:last-child { border-right: none; width: auto; }
   .metric-right { margin-left: auto; }
   .metric-top { display: flex; justify-content: space-between; align-items: baseline; width: 100%; }
@@ -45,8 +45,8 @@
 
   /* Right pane */
   #right-pane { flex: 1; display: flex; flex-direction: column; overflow: hidden; }
-  .tabs { display: flex; background: #161616; border-bottom: 1px solid #2a2a2a; }
-  .tab { padding: 7px 16px; cursor: pointer; border-bottom: 2px solid transparent; color: #666; font-size: 12px; }
+  .tabs { display: flex; background: #161616; border-bottom: 1px solid #2a2a2a; overflow-x: auto; overflow-y: hidden; scrollbar-width: thin; }
+  .tab { padding: 7px 16px; cursor: pointer; border-bottom: 2px solid transparent; color: #666; font-size: 12px; white-space: nowrap; flex-shrink: 0; }
   .tab.active { color: #fff; border-bottom-color: #569cd6; }
   .panel { display: none; flex: 1; overflow-y: auto; padding: 12px; flex-direction: column; gap: 10px; }
   .panel.active { display: flex; }
@@ -161,6 +161,7 @@
     <div class="tab" onclick="showTab('repl');loadRepl()">Replication</div>
     <div class="tab" onclick="showTab('vfs');vfsNavigate(vfsPath)">VFS</div>
     <div class="tab" onclick="showTab('cache')">Cache</div>
+    <div class="tab" onclick="showTab('keyauth');loadKeyAuth()">KeyAuth</div>
     <div class="tab" onclick="showTab('stress')">Stress Tests</div>
     <div class="tab" onclick="showTab('view')">View</div>
   </div>
@@ -717,7 +718,7 @@
   </div>
 
   <div class="panel" id="panel-cache">
-    <h3 style="color:#569cd6;margin-bottom:8px">CachedClient Demo</h3>
+    <h3 style="color:#569cd6;margin-bottom:8px">BodClientCached Demo</h3>
     <p style="color:#666;font-size:11px;margin-bottom:10px">Two-tier cache (memory + IndexedDB) with stale-while-revalidate. Wraps BodClient for instant reads.</p>
 
     <div style="display:flex;gap:6px;margin-bottom:10px">
@@ -744,6 +745,84 @@
     <div id="cache-log" class="result" style="min-height:80px;margin-top:8px;color:#888;font-size:11px">Event log...</div>
   </div>
 
+  <!-- KeyAuth Panel -->
+  <div class="panel" id="panel-keyauth">
+    <div style="display:flex;gap:12px;flex-wrap:wrap">
+      <!-- LEFT: Accounts + Auth Flows -->
+      <div style="flex:2;min-width:400px">
+        <label>Accounts</label>
+        <div id="ka-accounts" style="margin-bottom:8px">Loading...</div>
+        <div class="row" style="margin-bottom:6px">
+          <input type="text" id="ka-new-pw" placeholder="Password" value="demo123">
+          <input type="text" id="ka-new-name" placeholder="Display name">
+          <input type="text" id="ka-new-roles" placeholder="Roles (comma-sep)">
+          <button onclick="kaCreateAccount()">+ Account</button>
+          <button onclick="kaRegisterDevice()">+ Device</button>
+        </div>
+        <!-- Auth Flows -->
+        <div style="margin-top:10px;border:1px solid #444;border-radius:6px;padding:10px">
+          <label>Auth Flows</label>
+          <!-- 1. Challenge-Response (password) -->
+          <div style="margin-bottom:8px">
+            <b>1. Challenge-Response (password)</b>
+            <div class="row" style="margin-top:4px">
+              <select id="ka-auth-fp" style="flex:1"><option value="">— select account —</option></select>
+              <input type="text" id="ka-auth-pw" placeholder="Password" value="demo123">
+              <button class="success" onclick="kaChallengeResponse()">Authenticate</button>
+            </div>
+          </div>
+          <!-- 2. Device Auth (keypair) -->
+          <div style="margin-bottom:8px">
+            <b>2. Device Auth (keypair)</b>
+            <div class="row" style="margin-top:4px">
+              <button onclick="kaDeviceAuth()">Authenticate with Stored Keypair</button>
+            </div>
+          </div>
+          <!-- 3. QR Cross-Device Auth -->
+          <div>
+            <b>3. QR Cross-Device Auth</b>
+            <div class="row" style="margin-top:4px">
+              <button onclick="kaShowQR()">Show QR (new device)</button>
+              <input type="text" id="ka-qr-request-id" placeholder="Request ID to approve">
+              <button class="success" onclick="kaApproveQR()">Approve (signed-in device)</button>
+            </div>
+            <div id="ka-qr-display" style="display:none;margin-top:6px;padding:8px;background:#1a1a2e;border-radius:4px;font-family:monospace;font-size:12px"></div>
+          </div>
+          <div id="ka-auth-result" class="result" style="min-height:40px;margin-top:6px">Select an auth flow above</div>
+        </div>
+      </div>
+      <!-- RIGHT: Roles & IAM + Server -->
+      <div style="flex:1;min-width:280px">
+        <label>Roles & IAM</label>
+        <div id="ka-roles" class="result" style="min-height:80px;margin-bottom:8px">Loading...</div>
+        <div class="row" style="margin-bottom:6px">
+          <input type="text" id="ka-role-id" placeholder="Role ID" value="editor">
+          <input type="text" id="ka-role-name" placeholder="Name" value="Editor">
+          <button onclick="kaCreateRole()">+ Role</button>
+        </div>
+        <div class="row" style="margin-bottom:8px">
+          <input type="text" id="ka-perm-path" placeholder="Path pattern" value="posts/$postId">
+          <label style="display:inline;margin:0"><input type="checkbox" id="ka-perm-read" checked> R</label>
+          <label style="display:inline;margin:0"><input type="checkbox" id="ka-perm-write" checked> W</label>
+          <button class="sm" onclick="kaAddPermission()">+ Perm</button>
+        </div>
+        <!-- Assign Roles -->
+        <div style="border:1px solid #444;border-radius:6px;padding:8px;margin-bottom:8px">
+          <label>Assign Roles</label>
+          <div class="row" style="margin-top:4px">
+            <select id="ka-assign-account" style="flex:1"></select>
+            <input type="text" id="ka-assign-roles" placeholder="Roles (comma-sep)">
+            <button onclick="kaUpdateRoles()">Update</button>
+          </div>
+        </div>
+        <!-- Server Info -->
+        <label>Server Info</label>
+        <div id="ka-server" class="result" style="min-height:60px">Loading...</div>
+      </div>
+    </div>
+    <div id="ka-status" class="status" style="margin-top:6px"></div>
+  </div>
+
   <!-- Stress Tests Panel -->
   <div class="panel" id="panel-stress">
     <div class="stress-grid">
@@ -891,7 +970,7 @@ class ClientQueryBuilder {
 }
 
 class ZuzClient {
-  constructor(url = `${location.protocol === 'https:' ? 'wss' : 'ws'}://${location.host}`) {
+  constructor(url = window.__BODDB_URL__ || new URLSearchParams(location.search).get('url') || `${location.protocol === 'https:' ? 'wss' : 'ws'}://${location.host}`) {
     this._url = url;
     this._ws = null;
     this._msgId = 0;
@@ -1185,6 +1264,20 @@ db.on('_admin/stats', (snap) => {
 // Connect after all subscriptions are registered so onopen re-subscribes them all
 db.connect();
 
+// Handle #approve=<requestId> deep link (from QR scan)
+if (location.hash.startsWith('#approve=')) {
+  const rid = location.hash.slice('#approve='.length);
+  location.hash = '';
+  // Wait for WS to connect, switch to KeyAuth tab, fill & prompt
+  const _awaitApprove = setInterval(() => {
+    if (!db.connected) return;
+    clearInterval(_awaitApprove);
+    showTab('keyauth'); loadKeyAuth();
+    document.getElementById('ka-qr-request-id').value = rid;
+    kaStatus('QR scanned — click "Approve" to authorize the device');
+  }, 300);
+}
+
 // ── Live tree via child subscriptions ──────────────────────────────────────────
 const _treeUnsubs = new Map(); // key → unsub fn
 const showAdmin = new URLSearchParams(location.search).has('showAdmin');
@@ -1235,7 +1328,7 @@ function fmtUptime(sec) {
 }
 
 // ── Tab switching ──────────────────────────────────────────────────────────────
-const TAB_IDS = ['rw','query','subs','auth','advanced','streams','mq','repl','vfs','cache','stress','view'];
+const TAB_IDS = ['rw','query','subs','auth','advanced','streams','mq','repl','vfs','cache','keyauth','stress','view'];
 function showTab(id) {
   document.querySelectorAll('.tab').forEach((t, i) => t.classList.toggle('active', TAB_IDS[i] === id));
   document.querySelectorAll('.panel').forEach(p => p.classList.remove('active'));
@@ -1243,6 +1336,7 @@ function showTab(id) {
   const url = new URL(location.href);
   url.searchParams.set('tab', id);
   history.replaceState(null, '', url);
+  localStorage.setItem('zuzdb:tab', id);
 }
 
 // ── Field persistence ──────────────────────────────────────────────────────────
@@ -1294,6 +1388,7 @@ function restoreFields() {
       if (tab === 'vfs') vfsNavigate(vfsPath);
       if (tab === 'repl') loadRepl();
       if (tab === 'auth') loadRules();
+      if (tab === 'keyauth') loadKeyAuth();
     }, 0);
   }
 }
@@ -2987,6 +3082,435 @@ function cacheStats() {
   document.getElementById('cache-result').textContent = JSON.stringify(stats, null, 2);
   _cacheLog(`Stats: ${_cache.memory.size} entries in memory`);
 }
+
+// ── KeyAuth ──────────────────────────────────────────────────────────────────
+let _kaPerms = [];
+let _kaLastFp = '';
+let _kaExpandedFp = null;
+let _kaDeviceKeys = null; // { publicKey, privateKeyDer } stored in sessionStorage-like
+let _kaQrPollTimer = null;
+let _kaAccounts = [];
+
+function kaSend(op, params = {}) {
+  return db._send(op, params);
+}
+
+async function loadKeyAuth() {
+  if (!db.connected) { setTimeout(loadKeyAuth, 300); return; }
+  try {
+    const [server, accounts, roles] = await Promise.all([
+      db.get('_auth/server'),
+      kaSend('auth-list-accounts'),
+      kaSend('auth-list-roles'),
+    ]);
+    _kaAccounts = accounts || [];
+
+    // Server info
+    const sEl = document.getElementById('ka-server');
+    if (server) {
+      sEl.textContent = 'fp: ' + (server.fingerprint || '—') + '\nkey: ' + (server.publicKey || '—').slice(0, 40) + '…';
+    } else {
+      sEl.textContent = 'KeyAuth not enabled.\nAdd keyAuth: {} to config.ts';
+    }
+
+    // Accounts list
+    const aEl = document.getElementById('ka-accounts');
+    if (_kaAccounts.length) {
+      aEl.innerHTML = _kaAccounts.map(a => {
+        const fp = a.fingerprint;
+        const name = a.displayName || '—';
+        const rls = (a.roles || []).join(', ') || 'none';
+        const isDevice = !a.encryptedPrivateKey;
+        const expanded = _kaExpandedFp === fp;
+        return `<div style="border:1px solid #333;border-radius:4px;padding:6px;margin-bottom:4px;cursor:pointer" onclick="kaExpandAccount('${fp}')">
+          <span style="font-weight:bold">${name}</span> [${rls}] ${isDevice ? '<span style="color:#888">(device)</span>' : ''}
+          <span style="color:#666;font-size:11px;float:right">${fp.slice(0,12)}… ${expanded?'▼':'▶'}</span>
+          <div id="ka-detail-${fp}" style="display:${expanded?'block':'none'};margin-top:6px;padding-top:6px;border-top:1px solid #333"></div>
+        </div>`;
+      }).join('');
+      // If expanded, load detail
+      if (_kaExpandedFp) kaLoadDetail(_kaExpandedFp);
+    } else {
+      aEl.innerHTML = '<div class="result">No accounts yet.</div>';
+    }
+
+    // Roles
+    const rEl = document.getElementById('ka-roles');
+    if (roles && roles.length) {
+      rEl.innerHTML = roles.map(r => {
+        const perms = (r.permissions || []).map(p => `${p.path||'/'} R:${!!p.read} W:${!!p.write}`).join(', ');
+        return `<div style="margin-bottom:2px">${r.id}: ${r.name||r.id} → ${perms||'none'} <button class="sm" onclick="kaDeleteRole('${r.id}')" style="float:right">×</button></div>`;
+      }).join('');
+    } else {
+      rEl.textContent = 'No roles.';
+    }
+
+    // Populate dropdowns
+    const sel = document.getElementById('ka-assign-account');
+    sel.innerHTML = _kaAccounts.map(a => `<option value="${a.fingerprint}">${a.displayName||a.fingerprint.slice(0,12)}</option>`).join('');
+    const authSel = document.getElementById('ka-auth-fp');
+    const prevFp = authSel.value;
+    const pwAccounts = _kaAccounts.filter(a => !!a.encryptedPrivateKey);
+    authSel.innerHTML = '<option value="">— select account —</option>' + pwAccounts.map(a => `<option value="${a.fingerprint}"${a.fingerprint===prevFp?' selected':''}>${a.displayName||a.fingerprint.slice(0,12)} [${(a.roles||[]).join(',')||'none'}]</option>`).join('');
+  } catch (e) {
+    document.getElementById('ka-server').textContent = 'Error: ' + e.message;
+  }
+}
+
+async function kaExpandAccount(fp) {
+  _kaExpandedFp = _kaExpandedFp === fp ? null : fp;
+  // Auto-fill auth fingerprint field when expanding
+  document.getElementById('ka-auth-fp').value = fp;
+  loadKeyAuth();
+}
+
+async function kaLoadDetail(fp) {
+  const el = document.getElementById('ka-detail-' + fp);
+  if (!el) return;
+  try {
+    const [devices, sessions] = await Promise.all([
+      kaSend('auth-list-devices', { accountFingerprint: fp }),
+      kaSend('auth-list-sessions', { accountFingerprint: fp }),
+    ]);
+    const acct = _kaAccounts.find(a => a.fingerprint === fp);
+    const isDevice = acct && !acct.encryptedPrivateKey;
+    let html = '<div style="font-size:12px">';
+    // Devices
+    html += '<b>Devices:</b> ';
+    if (devices && devices.length) {
+      html += devices.map(d => `${d.name||d.fingerprint.slice(0,8)} <button class="sm" onclick="event.stopPropagation();kaRevokeDevice('${fp}','${d.fingerprint}')">×</button>`).join(' | ');
+    } else {
+      html += '<span style="color:#666">none</span>';
+    }
+    // Sessions
+    html += '<br><b>Sessions:</b> ';
+    if (sessions && sessions.length) {
+      html += sessions.map(s => `${s.sid.slice(0,8)}… exp:${new Date(s.expiresAt).toLocaleTimeString()} <button class="sm" onclick="event.stopPropagation();kaRevokeSession('${s.sid}')">×</button>`).join(' | ');
+    } else {
+      html += '<span style="color:#666">none</span>';
+    }
+    // Actions
+    html += '<br>';
+    if (!isDevice) {
+      html += `<button class="sm" onclick="event.stopPropagation();kaLinkDevice('${fp}')">Link Device</button> `;
+      html += `<button class="sm" onclick="event.stopPropagation();kaChangePassword('${fp}')">Change Pw</button>`;
+    }
+    html += '</div>';
+    el.innerHTML = html;
+  } catch (e) {
+    el.textContent = 'Error: ' + e.message;
+  }
+}
+
+async function kaRevokeDevice(accountFp, deviceFp) {
+  try {
+    await kaSend('auth-revoke-device', { accountFingerprint: accountFp, deviceFingerprint: deviceFp });
+    kaStatus('Device revoked');
+    loadKeyAuth();
+  } catch (e) { kaStatus('Revoke failed: ' + e.message, true); }
+}
+
+async function kaRevokeSession(sid) {
+  try {
+    await kaSend('auth-revoke-session', { sid });
+    kaStatus('Session revoked');
+    loadKeyAuth();
+  } catch (e) { kaStatus('Revoke failed: ' + e.message, true); }
+}
+
+async function kaChangePassword(fp) {
+  const oldPw = prompt('Current password:');
+  if (!oldPw) return;
+  const newPw = prompt('New password:');
+  if (!newPw) return;
+  try {
+    await kaSend('auth-change-password', { fingerprint: fp, oldPassword: oldPw, newPassword: newPw });
+    kaStatus('Password changed');
+  } catch (e) { kaStatus('Change failed: ' + e.message, true); }
+}
+
+async function kaLinkDevice(accountFp) {
+  const pw = prompt('Account password (to authorize linking):');
+  if (!pw) return;
+  const name = prompt('Device name:', 'New Device');
+  try {
+    const kp = await crypto.subtle.generateKey({ name: 'Ed25519' }, true, ['sign', 'verify']);
+    const spki = await crypto.subtle.exportKey('spki', kp.publicKey);
+    const pubB64 = btoa(String.fromCharCode(...new Uint8Array(spki)));
+    const result = await kaSend('auth-link-device', { accountFingerprint: accountFp, password: pw, devicePublicKey: pubB64, deviceName: name });
+    kaStatus('Device linked: ' + result.fingerprint.slice(0, 12));
+    loadKeyAuth();
+  } catch (e) { kaStatus('Link failed: ' + e.message, true); }
+}
+
+async function kaDeleteRole(roleId) {
+  try {
+    await kaSend('auth-delete-role', { roleId });
+    kaStatus('Role deleted');
+    loadKeyAuth();
+  } catch (e) { kaStatus('Delete failed: ' + e.message, true); }
+}
+
+async function kaUpdateRoles() {
+  const fp = document.getElementById('ka-assign-account').value;
+  const rolesStr = document.getElementById('ka-assign-roles').value.trim();
+  if (!fp || !rolesStr) { kaStatus('Select account and enter roles', true); return; }
+  const roles = rolesStr.split(',').map(r => r.trim()).filter(Boolean);
+  try {
+    await kaSend('auth-update-roles', { accountFingerprint: fp, roles });
+    kaStatus('Roles updated');
+    loadKeyAuth();
+  } catch (e) { kaStatus('Update failed: ' + e.message, true); }
+}
+
+async function kaCreateAccount() {
+  const pw = document.getElementById('ka-new-pw').value.trim();
+  if (!pw) { kaStatus('Password required', true); return; }
+  const displayName = document.getElementById('ka-new-name').value.trim() || undefined;
+  const rolesStr = document.getElementById('ka-new-roles').value.trim();
+  const roles = rolesStr ? rolesStr.split(',').map(r => r.trim()) : [];
+  try {
+    const result = await kaSend('auth-create-account', { password: pw, roles, displayName });
+    _kaLastFp = result.fingerprint;
+    document.getElementById('ka-auth-fp').value = result.fingerprint;
+    kaStatus('Account created: ' + result.fingerprint.slice(0, 12));
+    loadKeyAuth();
+  } catch (e) {
+    kaStatus('Create failed: ' + e.message, true);
+  }
+}
+
+async function kaRegisterDevice() {
+  const el = document.getElementById('ka-auth-result');
+  try {
+    const kp = await crypto.subtle.generateKey({ name: 'Ed25519' }, true, ['sign', 'verify']);
+    const spki = await crypto.subtle.exportKey('spki', kp.publicKey);
+    const pkcs8 = await crypto.subtle.exportKey('pkcs8', kp.privateKey);
+    const pubB64 = btoa(String.fromCharCode(...new Uint8Array(spki)));
+    _kaDeviceKeys = { publicKey: pubB64, privateKeyDer: new Uint8Array(pkcs8) };
+    sessionStorage.setItem('ka-device-pub', pubB64);
+    sessionStorage.setItem('ka-device-priv', btoa(String.fromCharCode(...new Uint8Array(pkcs8))));
+    const result = await kaSend('auth-register-device', { publicKey: pubB64, displayName: 'Browser Device' });
+    kaStatus('Device registered: ' + result.fingerprint.slice(0, 12));
+    el.textContent = 'Device registered! fp: ' + result.fingerprint + '\nUse "Device Auth" to authenticate.';
+    loadKeyAuth();
+  } catch (e) {
+    kaStatus('Register failed: ' + e.message, true);
+  }
+}
+
+async function kaDeviceAuth() {
+  const el = document.getElementById('ka-auth-result');
+  // Restore from sessionStorage if needed
+  if (!_kaDeviceKeys) {
+    const pub = sessionStorage.getItem('ka-device-pub');
+    const priv = sessionStorage.getItem('ka-device-priv');
+    if (pub && priv) {
+      _kaDeviceKeys = { publicKey: pub, privateKeyDer: Uint8Array.from(atob(priv), c => c.charCodeAt(0)) };
+    }
+  }
+  if (!_kaDeviceKeys) {
+    el.textContent = 'No device keys. Click "Register Device" first.';
+    kaStatus('No device keys', true);
+    return;
+  }
+  try {
+    el.textContent = 'Requesting challenge…';
+    const challenge = await kaSend('auth-challenge');
+    el.textContent = 'Signing with device key…';
+    const sigKey = await crypto.subtle.importKey('pkcs8', _kaDeviceKeys.privateKeyDer, { name: 'Ed25519' }, false, ['sign']);
+    const sigBuf = await crypto.subtle.sign('Ed25519', sigKey, new TextEncoder().encode(challenge.nonce));
+    const sigB64 = btoa(String.fromCharCode(...new Uint8Array(sigBuf)));
+    const result = await kaSend('auth-verify', { publicKey: _kaDeviceKeys.publicKey, signature: sigB64, nonce: challenge.nonce });
+    el.textContent = 'Device authenticated!\nToken: ' + result.token.slice(0, 60) + '…\nExpires: ' + new Date(result.expiresAt).toLocaleString();
+    kaStatus('Device auth succeeded');
+    loadKeyAuth();
+  } catch (e) {
+    el.textContent = 'Error: ' + e.message;
+    kaStatus('Device auth failed: ' + e.message, true);
+  }
+}
+
+async function kaShowQR() {
+  const el = document.getElementById('ka-auth-result');
+  const qrEl = document.getElementById('ka-qr-display');
+  try {
+    // Generate ephemeral keypair for new device
+    const kp = await crypto.subtle.generateKey({ name: 'Ed25519' }, true, ['sign', 'verify']);
+    const spki = await crypto.subtle.exportKey('spki', kp.publicKey);
+    const pkcs8 = await crypto.subtle.exportKey('pkcs8', kp.privateKey);
+    const pubB64 = btoa(String.fromCharCode(...new Uint8Array(spki)));
+    _kaDeviceKeys = { publicKey: pubB64, privateKeyDer: new Uint8Array(pkcs8) };
+
+    const result = await kaSend('auth-request-approval', { publicKey: pubB64 });
+    const requestId = result.requestId;
+    const approveUrl = `${location.origin}${location.pathname}#approve=${requestId}`;
+
+    qrEl.style.display = 'block';
+    const qrImg = await generateQRSvg(approveUrl, 150);
+    qrEl.innerHTML = `<div style="display:flex;gap:12px;align-items:flex-start">` +
+      `<div style="background:#fff;padding:4px;border-radius:4px;line-height:0">${qrImg}</div>` +
+      `<div style="flex:1">` +
+      `<div style="margin-bottom:6px"><b>Scan QR</b> or copy Request ID:</div>` +
+      `<input type="text" value="${requestId}" readonly onclick="this.select();navigator.clipboard?.writeText(this.value)" style="width:100%;font-size:13px;padding:6px;background:#0d1117;color:#58a6ff;border:1px solid #58a6ff;border-radius:3px;cursor:pointer" title="Click to copy">` +
+      `<div style="margin-top:8px;color:#0f0">⏳ Waiting for approval…</div>` +
+      `</div></div>`;
+    // Auto-fill the approve field too for same-tab testing
+    document.getElementById('ka-qr-request-id').value = requestId;
+    el.textContent = 'Waiting for a signed-in device to approve…';
+
+    // Poll for approval
+    if (_kaQrPollTimer) clearInterval(_kaQrPollTimer);
+    _kaQrPollTimer = setInterval(async () => {
+      try {
+        const poll = await kaSend('auth-poll-approval', { requestId });
+        if (poll.status === 'approved') {
+          clearInterval(_kaQrPollTimer);
+          _kaQrPollTimer = null;
+          qrEl.innerHTML += '<br><b style="color:#0f0">✓ APPROVED!</b>';
+          el.textContent = 'Cross-device auth complete!\nToken: ' + poll.token.slice(0, 60) + '…\nExpires: ' + new Date(poll.expiresAt).toLocaleString();
+          kaStatus('QR approval succeeded');
+          loadKeyAuth();
+        } else if (poll.status === 'expired') {
+          clearInterval(_kaQrPollTimer);
+          _kaQrPollTimer = null;
+          qrEl.innerHTML += '<br><b style="color:#f44">✗ Expired</b>';
+          kaStatus('QR request expired', true);
+        }
+      } catch {}
+    }, 2000);
+  } catch (e) {
+    el.textContent = 'Error: ' + e.message;
+    kaStatus('QR failed: ' + e.message, true);
+  }
+}
+
+async function kaApproveQR() {
+  const requestId = document.getElementById('ka-qr-request-id').value.trim();
+  if (!requestId) { kaStatus('Enter a Request ID', true); return; }
+  try {
+    const result = await kaSend('auth-approve-device', { requestId });
+    kaStatus('Approved! Device fp: ' + result.fingerprint.slice(0, 12));
+    loadKeyAuth();
+  } catch (e) {
+    kaStatus('Approve failed: ' + e.message, true);
+  }
+}
+
+async function kaCreateRole() {
+  const id = document.getElementById('ka-role-id').value.trim();
+  const name = document.getElementById('ka-role-name').value.trim();
+  if (!id) { kaStatus('Role ID required', true); return; }
+  const role = { id, name: name || id, permissions: [..._kaPerms] };
+  try {
+    await kaSend('auth-create-role', { role });
+    _kaPerms = [];
+    kaStatus('Role created: ' + id);
+    loadKeyAuth();
+  } catch (e) {
+    kaStatus('Create role failed: ' + e.message, true);
+  }
+}
+
+function kaAddPermission() {
+  const path = document.getElementById('ka-perm-path').value.trim();
+  const read = document.getElementById('ka-perm-read').checked;
+  const write = document.getElementById('ka-perm-write').checked;
+  if (!path) { kaStatus('Path required', true); return; }
+  _kaPerms.push({ path, read, write });
+  kaStatus(`Permission queued: ${path} (R:${read} W:${write}). ${_kaPerms.length} pending.`);
+}
+
+async function kaChallengeResponse() {
+  const fp = document.getElementById('ka-auth-fp').value.trim();
+  const pw = document.getElementById('ka-auth-pw').value.trim();
+  if (!fp) { kaStatus('Enter account fingerprint', true); return; }
+  const el = document.getElementById('ka-auth-result');
+  try {
+    el.textContent = 'Step 1: Fetching account + decrypting key…';
+    const account = await db.get('_auth/accounts/' + fp);
+    if (!account) { el.textContent = 'Account not found: ' + fp; return; }
+
+    const salt = Uint8Array.from(atob(account.salt), c => c.charCodeAt(0));
+    const iv = Uint8Array.from(atob(account.iv), c => c.charCodeAt(0));
+    const authTag = Uint8Array.from(atob(account.authTag), c => c.charCodeAt(0));
+    const encrypted = Uint8Array.from(atob(account.encryptedPrivateKey), c => c.charCodeAt(0));
+
+    const keyMaterial = await crypto.subtle.importKey('raw', new TextEncoder().encode(pw), 'PBKDF2', false, ['deriveKey']);
+    const aesKey = await crypto.subtle.deriveKey(
+      { name: 'PBKDF2', salt, iterations: 100000, hash: 'SHA-256' },
+      keyMaterial, { name: 'AES-GCM', length: 256 }, false, ['decrypt']
+    );
+
+    const ciphertext = new Uint8Array(encrypted.length + authTag.length);
+    ciphertext.set(encrypted);
+    ciphertext.set(authTag, encrypted.length);
+
+    let privateKeyDer;
+    try {
+      const decrypted = await crypto.subtle.decrypt({ name: 'AES-GCM', iv }, aesKey, ciphertext);
+      privateKeyDer = new Uint8Array(decrypted);
+    } catch {
+      el.textContent = 'Wrong password — decryption failed';
+      kaStatus('Wrong password', true);
+      return;
+    }
+
+    el.textContent = 'Step 2: Requesting challenge nonce…';
+    const challenge = await kaSend('auth-challenge');
+
+    el.textContent = 'Step 3: Signing nonce with Ed25519…';
+    const sigKey = await crypto.subtle.importKey('pkcs8', privateKeyDer, { name: 'Ed25519' }, false, ['sign']);
+    const sigBuf = await crypto.subtle.sign('Ed25519', sigKey, new TextEncoder().encode(challenge.nonce));
+    const sigB64 = btoa(String.fromCharCode(...new Uint8Array(sigBuf)));
+
+    el.textContent = 'Step 4: Verifying signature…';
+    const result = await kaSend('auth-verify', { publicKey: account.publicKey, signature: sigB64, nonce: challenge.nonce });
+
+    el.textContent = 'Authenticated!\n\nToken: ' + result.token.slice(0, 60) + '…\nExpires: ' + new Date(result.expiresAt).toLocaleString();
+    kaStatus('Challenge-response succeeded');
+    loadKeyAuth();
+  } catch (e) {
+    el.textContent = 'Error: ' + e.message;
+    kaStatus('Auth failed: ' + e.message, true);
+  }
+}
+
+// QR Code generation via qrcode-generator (loaded from CDN, ~4kb gzipped)
+let _qrLib = null;
+async function loadQRLib() {
+  if (_qrLib) return _qrLib;
+  return new Promise((resolve, reject) => {
+    const s = document.createElement('script');
+    s.src = 'https://cdn.jsdelivr.net/npm/qrcode-generator@1.4.4/qrcode.min.js';
+    s.onload = () => { _qrLib = window.qrcode; resolve(_qrLib); };
+    s.onerror = () => reject(new Error('Failed to load QR lib'));
+    document.head.appendChild(s);
+  });
+}
+
+async function generateQRSvg(text, size = 150) {
+  const qr = await loadQRLib();
+  const q = qr(0, 'L');
+  q.addData(text);
+  q.make();
+  const moduleCount = q.getModuleCount();
+  const cellSize = Math.floor(size / moduleCount);
+  const actualSize = cellSize * moduleCount;
+  let svg = `<svg xmlns="http://www.w3.org/2000/svg" width="${actualSize}" height="${actualSize}" viewBox="0 0 ${moduleCount} ${moduleCount}">`;
+  svg += `<rect width="${moduleCount}" height="${moduleCount}" fill="#fff"/>`;
+  for (let r = 0; r < moduleCount; r++)
+    for (let c = 0; c < moduleCount; c++)
+      if (q.isDark(r, c)) svg += `<rect x="${c}" y="${r}" width="1" height="1" fill="#000"/>`;
+  svg += '</svg>';
+  return svg;
+}
+
+function kaStatus(msg, isErr) {
+  const el = document.getElementById('ka-status');
+  el.textContent = msg;
+  el.className = 'status ' + (isErr ? 'err' : 'ok');
+}
 </script>
 </body>
 </html>

package/bun.lock

@@ -0,0 +1,33 @@
+{
+  "lockfileVersion": 1,
+  "workspaces": {
+    "": {
+      "name": "zuzdb",
+      "dependencies": {
+        "@noble/ed25519": "^3.0.0",
+      },
+      "devDependencies": {
+        "@types/bun": "latest",
+        "yaml": "^2.8.2",
+      },
+      "peerDependencies": {
+        "typescript": "^5",
+      },
+    },
+  },
+  "packages": {
+    "@noble/ed25519": ["@noble/ed25519@3.0.0", "", {}, "sha512-QyteqMNm0GLqfa5SoYbSC3+Pvykwpn95Zgth4MFVSMKBB75ELl9tX1LAVsN4c3HXOrakHsF2gL4zWDAYCcsnzg=="],
+
+    "@types/bun": ["@types/bun@1.3.9", "", { "dependencies": { "bun-types": "1.3.9" } }, "sha512-KQ571yULOdWJiMH+RIWIOZ7B2RXQGpL1YQrBtLIV3FqDcCu6FsbFUBwhdKUlCKUpS3PJDsHlJ1QKlpxoVR+xtw=="],
+
+    "@types/node": ["@types/node@25.3.0", "", { "dependencies": { "undici-types": "~7.18.0" } }, "sha512-4K3bqJpXpqfg2XKGK9bpDTc6xO/xoUP/RBWS7AtRMug6zZFaRekiLzjVtAoZMquxoAbzBvy5nxQ7veS5eYzf8A=="],
+
+    "bun-types": ["bun-types@1.3.9", "", { "dependencies": { "@types/node": "*" } }, "sha512-+UBWWOakIP4Tswh0Bt0QD0alpTY8cb5hvgiYeWCMet9YukHbzuruIEeXC2D7nMJPB12kbh8C7XJykSexEqGKJg=="],
+
+    "typescript": ["typescript@5.9.3", "", { "bin": { "tsc": "bin/tsc", "tsserver": "bin/tsserver" } }, "sha512-jl1vZzPDinLr9eUt3J/t7V6FgNEw9QjvBPdysz9KfQDD41fQrC2Y4vKQdiaUpFT4bXlb1RHhLpp8wtm6M5TgSw=="],
+
+    "undici-types": ["undici-types@7.18.2", "", {}, "sha512-AsuCzffGHJybSaRrmr5eHr81mwJU3kjw6M+uprWvCXiNeN9SOGwQ3Jn8jb8m3Z6izVgknn1R0FTCEAP2QrLY/w=="],
+
+    "yaml": ["yaml@2.8.2", "", { "bin": { "yaml": "bin.mjs" } }, "sha512-mplynKqc1C2hTVYxd0PU2xQAc22TI1vShAYGksCCfxbn/dFwnHTNi1bvYsBTkhdUNtGIf5xNOg938rrSSYvS9A=="],
+  }
+}