@bsb/config-vault 9.6.8 → 9.6.10

package/README.md

@@ -11,15 +11,14 @@ Runtime containers do not choose applications, groups, profiles, or versions. Th
 
 ## Runtime
 
-```yaml
-config-vault:
-  plugin: config-vault
-  package: "@bsb/config-vault"
-  enabled: true
-  config:
-    vaultUrl: https://vault.example.com
-    apiKeyId: vk_xxx
-    apiSecret: vs_xxx
+Runtime containers activate Vault as the BSB config plugin with env vars:
+
+```bash
+BSB_CONFIG_PLUGIN=config-vault
+BSB_CONFIG_PLUGIN_PACKAGE=@bsb/config-vault
+vaultUrl=https://vault.example.com
+apiKeyId=vk_xxx
+apiSecret=vs_xxx
 ```
 
 When a container restarts, it pulls the active published version for the API key's bound deployment profile.
@@ -38,6 +37,7 @@ service-config-vault:
     production: true
     databaseUrl: postgres://vault:secret@postgres:5432/vault
     masterKey: BASE64_32_BYTE_KEY
+    registryUrl: https://io.bsbcode.dev
 ```
 
 `masterKey` must be a base64 encoded 32-byte key. Generate one with:
@@ -58,4 +58,16 @@ After enrollment, every admin login requires password, TOTP, and a browser passk
 
 ## Admin UI
 
-Vault has separate pages for Overview, Applications, Deployments, Configs, Runtime Keys, Plugins, and Profile. Passkey accounts are managed from Profile; first-login passkey enrollment is only separate because it happens before an authenticated session exists.
+Vault has pages for Overview, Applications, Deployments, Plugins, and Profile. Deployment profiles own config drafts, publishing, and container key create/rotate flows.
+
+When editing a profile config, enter only the profile body:
+
+```json
+{
+  "observable": {},
+  "events": {},
+  "services": {}
+}
+```
+
+Vault wraps that body under the profile name internally. Container keys are generated from the deployment profile page and the UI shows the BSB container env vars once on creation or rotation.

package/lib/plugins/service-config-vault/http-server.d.ts

@@ -4,6 +4,7 @@ export interface VaultHttpOptions {
     host: string;
     port: number;
     publicUrl: string;
+    registryUrl: string;
     production: boolean;
     obs: Observable;
     vault: VaultService;

package/lib/plugins/service-config-vault/http-server.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"http-server.d.ts","sourceRoot":"","sources":["../../../src/plugins/service-config-vault/http-server.ts"],"names":[],"mappings":"AAgBA,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,WAAW,CAAC;AAC5C,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,YAAY,CAAC;AAG/C,MAAM,WAAW,gBAAgB;IAC/B,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,EAAE,MAAM,CAAC;IACb,SAAS,EAAE,MAAM,CAAC;IAClB,UAAU,EAAE,OAAO,CAAC;IACpB,GAAG,EAAE,UAAU,CAAC;IAChB,KAAK,EAAE,YAAY,CAAC;CACrB;AAED,qBAAa,eAAe;IAC1B,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAmB;IAC3C,OAAO,CAAC,MAAM,CAAC,CAAS;gBAEZ,OAAO,EAAE,gBAAgB;IAI/B,KAAK,IAAI,OAAO,CAAC,IAAI,CAAC;IAoNtB,IAAI,IAAI,OAAO,CAAC,IAAI,CAAC;YAUb,WAAW;YAUX,gBAAgB;IAY9B,OAAO,CAAC,IAAI;CAGb"}
+{"version":3,"file":"http-server.d.ts","sourceRoot":"","sources":["../../../src/plugins/service-config-vault/http-server.ts"],"names":[],"mappings":"AAgBA,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,WAAW,CAAC;AAC5C,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,YAAY,CAAC;AAG/C,MAAM,WAAW,gBAAgB;IAC/B,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,EAAE,MAAM,CAAC;IACb,SAAS,EAAE,MAAM,CAAC;IAClB,WAAW,EAAE,MAAM,CAAC;IACpB,UAAU,EAAE,OAAO,CAAC;IACpB,GAAG,EAAE,UAAU,CAAC;IAChB,KAAK,EAAE,YAAY,CAAC;CACrB;AAED,qBAAa,eAAe;IAC1B,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAmB;IAC3C,OAAO,CAAC,MAAM,CAAC,CAAS;gBAEZ,OAAO,EAAE,gBAAgB;IAI/B,KAAK,IAAI,OAAO,CAAC,IAAI,CAAC;IAyTtB,IAAI,IAAI,OAAO,CAAC,IAAI,CAAC;YAUb,WAAW;YAUX,gBAAgB;IAY9B,OAAO,CAAC,IAAI;CAGb"}

package/lib/plugins/service-config-vault/http-server.js

@@ -90,21 +90,72 @@ export class VaultHttpServer {
             deleteCookie(event, 'vault_passkey_setup', { path: '/' });
             return sendRedirect(event, '/login');
         }));
+        app.use('/api/applications/update', defineEventHandler(async (event) => {
+            const user = await this.requireUser(event);
+            const body = await readBody(event);
+            await this.options.vault.updateApplication(user.userId, String(body.id ?? ''), String(body.name ?? ''), stringOrUndefined(body.description));
+            return { success: true };
+        }));
+        app.use('/api/applications/delete', defineEventHandler(async (event) => {
+            const user = await this.requireUser(event);
+            const body = await readBody(event);
+            await this.options.vault.deleteApplication(user.userId, String(body.id ?? ''));
+            return { success: true };
+        }));
         app.use('/api/applications', defineEventHandler(async (event) => {
             const user = await this.requireUser(event);
             const body = await readBody(event);
             return this.options.vault.createApplication(user.userId, String(body.name ?? ''), stringOrUndefined(body.description));
         }));
+        app.use('/api/groups/update', defineEventHandler(async (event) => {
+            const user = await this.requireUser(event);
+            const body = await readBody(event);
+            await this.options.vault.updateGroup(user.userId, String(body.id ?? ''), String(body.applicationId ?? ''), String(body.name ?? ''));
+            return { success: true };
+        }));
+        app.use('/api/groups/delete', defineEventHandler(async (event) => {
+            const user = await this.requireUser(event);
+            const body = await readBody(event);
+            await this.options.vault.deleteGroup(user.userId, String(body.id ?? ''));
+            return { success: true };
+        }));
         app.use('/api/groups', defineEventHandler(async (event) => {
             const user = await this.requireUser(event);
             const body = await readBody(event);
-            return this.options.vault.createGroup(user.userId, String(body.applicationId ?? ''), String(body.name ?? ''));
+            return this.options.vault.createDeployment(user.userId, String(body.applicationId ?? ''), String(body.name ?? ''));
+        }));
+        app.use('/api/profiles/update', defineEventHandler(async (event) => {
+            const user = await this.requireUser(event);
+            const body = await readBody(event);
+            await this.options.vault.updateProfile(user.userId, String(body.id ?? ''), String(body.groupId ?? ''), String(body.name ?? ''));
+            return { success: true };
+        }));
+        app.use('/api/profiles/delete', defineEventHandler(async (event) => {
+            const user = await this.requireUser(event);
+            const body = await readBody(event);
+            await this.options.vault.deleteProfile(user.userId, String(body.id ?? ''));
+            return { success: true };
         }));
         app.use('/api/profiles', defineEventHandler(async (event) => {
             const user = await this.requireUser(event);
             const body = await readBody(event);
             return this.options.vault.createProfile(user.userId, String(body.groupId ?? ''), String(body.name ?? 'default'));
         }));
+        app.use('/api/plugins/import', defineEventHandler(async (event) => {
+            const user = await this.requireUser(event);
+            const body = await readBody(event);
+            return this.options.vault.createPlugin(user.userId, {
+                org: String(body.org ?? '_'),
+                name: String(body.name ?? ''),
+                pluginId: String(body.pluginId ?? body.name ?? ''),
+                packageName: body.packageName === undefined || body.packageName === '' ? null : String(body.packageName),
+                version: String(body.version ?? '0.0.0'),
+                kind: parseKind(body.kind),
+                source: 'registry',
+                configSchema: parseJsonObject(body.configSchema) ?? null,
+                eventSchema: parseJsonObject(body.eventSchema) ?? null,
+            });
+        }));
         app.use('/api/plugins', defineEventHandler(async (event) => {
             const user = await this.requireUser(event);
             const body = await readBody(event);
@@ -126,7 +177,7 @@ export class VaultHttpServer {
             const config = parseJsonObject(body.config);
             if (!config)
                 throw new Error('Config must be a JSON object');
-            await this.options.vault.saveDraft(user.userId, String(body.profileId ?? ''), config);
+            await this.options.vault.saveProfileDraft(user.userId, String(body.profileId ?? ''), config);
             return { success: true };
         }));
         app.use('/api/publish', defineEventHandler(async (event) => {
@@ -134,16 +185,21 @@ export class VaultHttpServer {
             const body = await readBody(event);
             return this.options.vault.publishDraft(user.userId, String(body.profileId ?? ''));
         }));
+        app.use('/api/runtime-keys/rotate', defineEventHandler(async (event) => {
+            const user = await this.requireUser(event);
+            const body = await readBody(event);
+            return this.options.vault.rotateProfileRuntimeKey(user.userId, {
+                keyId: String(body.keyId ?? ''),
+                name: stringOrUndefined(body.name),
+            });
+        }));
         app.use('/api/runtime-keys', defineEventHandler(async (event) => {
             const user = await this.requireUser(event);
             const body = await readBody(event);
-            return this.options.vault.createRuntimeKey(user.userId, {
+            return this.options.vault.createProfileRuntimeKey(user.userId, {
                 name: String(body.name ?? ''),
-                applicationId: String(body.applicationId ?? ''),
-                groupId: String(body.groupId ?? ''),
                 profileId: String(body.profileId ?? ''),
                 containerName: body.containerName === undefined ? null : String(body.containerName),
-                configPluginId: String(body.configPluginId ?? 'config-vault'),
             });
         }));
         app.use('/applications', defineEventHandler(async (event) => {
@@ -156,21 +212,45 @@ export class VaultHttpServer {
             const dashboard = await this.options.vault.dashboard();
             return this.page('Deployments', deploymentsPage(dashboard), 'deployments');
         }));
+        app.use('/deployment', defineEventHandler(async (event) => {
+            await this.requireUser(event);
+            const query = getQuery(event);
+            const profileId = String(query.profileId ?? '');
+            if (!profileId)
+                return sendRedirect(event, '/deployments');
+            const profile = await this.options.vault.deploymentProfile(profileId);
+            return this.page('Deployment', deploymentDetailPage(profile, {
+                publicUrl: this.options.publicUrl,
+                keyId: String(query.keyId ?? ''),
+                secret: String(query.secret ?? ''),
+            }), 'deployments');
+        }));
         app.use('/configs', defineEventHandler(async (event) => {
             await this.requireUser(event);
             const dashboard = await this.options.vault.dashboard();
-            return this.page('Configs', configsPage(dashboard), 'configs');
+            const firstProfile = dashboard.profiles[0];
+            return firstProfile ? sendRedirect(event, `/deployment?profileId=${encodeURIComponent(firstProfile.id)}`) : sendRedirect(event, '/deployments');
         }));
         app.use('/runtime-keys', defineEventHandler(async (event) => {
             await this.requireUser(event);
             const query = getQuery(event);
             const dashboard = await this.options.vault.dashboard();
-            return this.page('Runtime Keys', runtimeKeysPage(dashboard, String(query.secret ?? '')), 'runtime-keys');
+            const firstProfile = dashboard.profiles[0];
+            if (!String(query.secret ?? '') && firstProfile) {
+                return sendRedirect(event, `/deployment?profileId=${encodeURIComponent(firstProfile.id)}`);
+            }
+            return this.page('Container Key', runtimeKeysPage(dashboard, {
+                publicUrl: this.options.publicUrl,
+                keyId: String(query.keyId ?? ''),
+                secret: String(query.secret ?? ''),
+            }), 'runtime-keys');
         }));
         app.use('/plugins', defineEventHandler(async (event) => {
             await this.requireUser(event);
+            const query = getQuery(event);
             const dashboard = await this.options.vault.dashboard();
-            return this.page('Plugins', pluginsPage(dashboard), 'plugins');
+            const registry = await registrySearch(this.options.registryUrl, String(query.query ?? ''));
+            return this.page('Plugins', pluginsPage(dashboard, registry, String(query.query ?? '')), 'plugins');
         }));
         app.use('/profile', defineEventHandler(async (event) => {
             const session = await this.requireUser(event);
@@ -259,6 +339,7 @@ function html(title, body, active, authenticated) {
     .form-grid{display:grid;grid-template-columns:repeat(auto-fit,minmax(220px,1fr));gap:12px}
     .metric{font-size:28px;font-weight:750}.page-head{display:flex;justify-content:space-between;align-items:flex-start;gap:16px;margin:0 0 18px}
     .inline-form{display:flex;gap:10px;align-items:end;flex-wrap:wrap}.inline-form label{min-width:190px}
+    .tabs{display:flex;gap:8px;flex-wrap:wrap;margin:0 0 16px}.tabs a{padding:8px 10px;border:1px solid var(--line);border-radius:6px;text-decoration:none;color:#344054;background:#fff;font-weight:650}.tabs a.active{background:#eaf1ff;color:#155eef;border-color:#b8cdfd}
     .muted{color:var(--muted)}.danger{color:var(--danger)}.ok{color:var(--ok)}
     .auth{max-width:480px;margin:32px auto}.stack{display:flex;flex-direction:column;gap:12px}.actions{display:flex;gap:10px;align-items:center;flex-wrap:wrap}
     .status{margin-top:12px;color:var(--muted);font-size:14px}.code{word-break:break-all;background:#f2f4f7;border:1px solid var(--line);border-radius:6px;padding:10px}
@@ -276,8 +357,6 @@ function nav(active) {
         ['overview', 'Overview', '/'],
         ['applications', 'Applications', '/applications'],
         ['deployments', 'Deployments', '/deployments'],
-        ['configs', 'Configs', '/configs'],
-        ['runtime-keys', 'Runtime Keys', '/runtime-keys'],
         ['plugins', 'Plugins', '/plugins'],
         ['profile', 'Profile', '/profile'],
     ];
@@ -403,11 +482,11 @@ function overviewPage(data) {
     return `<div class="page-head"><div><h1>Overview</h1><p class="muted">Current Vault inventory and deployment configuration status.</p></div></div>
   <div class="grid">
     ${metric('Applications', data.applications.length)}
-    ${metric('Service Groups', data.groups.length)}
+    ${metric('Deployments', data.groups.length)}
     ${metric('Deployment Profiles', data.profiles.length)}
-    ${metric('Runtime Keys', data.runtimeKeys.length)}
+    ${metric('Container Keys', data.runtimeKeys.length)}
   </div>
-  <section><h2>Recent Runtime Keys</h2>${runtimeKeyTable(data.runtimeKeys.slice(0, 8), data)}</section>`;
+  <section><h2>Recent Container Keys</h2>${runtimeKeyTable(data.runtimeKeys.slice(0, 8), data)}</section>`;
 }
 function applicationsPage(data) {
     return `<div class="page-head"><div><h1>Applications</h1><p class="muted">Create product or system boundaries for deployment profiles.</p></div></div>
@@ -420,70 +499,74 @@ function applicationsPage(data) {
       <button>Create Application</button><p class="status"></p>
     </form>
   </section>
-  <section><h2>Applications</h2>${table(data.applications.map((x) => [x.name, x.description ?? '', x.id]))}</section>
+  <section><h2>Applications</h2>${applicationsTable(data)}</section>
   ${formScript()}`;
 }
 function deploymentsPage(data) {
-    return `<div class="page-head"><div><h1>Deployments</h1><p class="muted">Model service groups and deployment profiles for containers.</p></div></div>
-  <div class="grid">
-    <section><h2>Create Service Group</h2>
+    return `<div class="page-head"><div><h1>Deployments</h1><p class="muted">A deployment represents the container group that will receive one selected profile.</p></div></div>
+  <section><h2>Create Deployment</h2>
       <form data-api="/api/groups" data-redirect="/deployments">
         ${select('applicationId', 'Application', data.applications.map((x) => [x.id, x.name]))}
-        ${input('name', 'Group Name', true)}
-        <button>Create Group</button><p class="status"></p>
+        ${input('name', 'Deployment Name', true)}
+        <button>Create Deployment</button><p class="status"></p>
       </form>
     </section>
-    <section><h2>Create Deployment Profile</h2>
-      <form data-api="/api/profiles" data-redirect="/deployments">
-        ${select('groupId', 'Service Group', data.groups.map((x) => [x.id, groupLabel(x, data)]))}
-        ${input('name', 'Profile Name', true, 'default')}
+  <section><h2>Deployments</h2>${groupsTable(data)}</section>
+  <section><h2>Profiles</h2>${profilesTable(data)}</section>
+  ${formScript()}`;
+}
+function runtimeKeysPage(data, credential) {
+    return `<div class="page-head"><div><h1>Container Key</h1><p class="muted">Use these env vars in the target BSB container.</p></div></div>
+  ${credential.secret ? runtimeEnvBlock(credential) : ''}
+  <section><h2>Container Keys</h2>${runtimeKeyTable(data.runtimeKeys, data)}</section>`;
+}
+function deploymentDetailPage(data, credential) {
+    const draft = data.draft ?? { observable: {}, events: {}, services: {} };
+    const redirect = `/deployment?profileId=${encodeURIComponent(data.profile.id)}`;
+    return `<div class="page-head"><div><h1>${escapeHtml(data.group.name)}</h1><p class="muted">${escapeHtml(data.application.name)} / ${escapeHtml(data.profile.name)}</p></div><a class="button secondary" href="/deployments">Back</a></div>
+  <div class="tabs">${data.profiles.map((profile) => `<a class="${profile.id === data.profile.id ? 'active' : ''}" href="/deployment?profileId=${encodeURIComponent(profile.id)}">${escapeHtml(profile.name)}</a>`).join('')}</div>
+  ${credential.secret ? runtimeEnvBlock(credential) : ''}
+  <div class="grid">
+    <section><h2>Create Profile</h2>
+      <form data-api="/api/profiles" data-redirect="${escapeHtml(redirect)}">
+        <input type="hidden" name="groupId" value="${escapeHtml(data.group.id)}">
+        ${input('name', 'Profile Name', true)}
         <button>Create Profile</button><p class="status"></p>
       </form>
     </section>
+    <section><h2>Container Key</h2>
+      <form data-api="/api/runtime-keys" data-secret-redirect="${escapeHtml(redirect)}">
+        <input type="hidden" name="profileId" value="${escapeHtml(data.profile.id)}">
+        ${input('name', 'Key Name', true, `${data.group.name}-${data.profile.name}`)}
+        ${input('containerName', 'Container Name')}
+        <button>Create Key</button><p class="status"></p>
+      </form>
+    </section>
   </div>
-  <section><h2>Service Groups</h2>${table(data.groups.map((x) => [groupLabel(x, data), x.id]))}</section>
-  <section><h2>Deployment Profiles</h2>${table(data.profiles.map((x) => [profileLabel(x, data), x.activeVersionId ? 'published' : 'no published config', x.id]))}</section>
-  ${formScript()}`;
-}
-function configsPage(data) {
-    return `<div class="page-head"><div><h1>Configs</h1><p class="muted">Save draft runtime config for a deployment profile, then publish it when ready.</p></div></div>
-  <section><h2>Edit Draft</h2>
-    <form data-api="/api/drafts" data-redirect="/configs">
-      ${select('profileId', 'Deployment Profile', data.profiles.map((x) => [x.id, profileLabel(x, data)]))}
-      <label>Config JSON</label><textarea name="config" required placeholder='{"default":{"observable":{},"events":{},"services":{}}}'></textarea>
+  <section><h2>Profile Config</h2>
+    <form data-api="/api/drafts" data-redirect="${escapeHtml(redirect)}">
+      <input type="hidden" name="profileId" value="${escapeHtml(data.profile.id)}">
+      <label>Config JSON</label><textarea name="config" required>${escapeHtml(JSON.stringify(draft, null, 2))}</textarea>
       <button>Save Draft</button><p class="status"></p>
     </form>
-  </section>
-  <section><h2>Publish Draft</h2>
-    <form data-api="/api/publish" data-redirect="/configs">
-      ${select('profileId', 'Deployment Profile', data.profiles.map((x) => [x.id, profileLabel(x, data)]))}
-      <button>Publish Active Version</button><p class="status"></p>
+    <form data-api="/api/publish" data-redirect="${escapeHtml(redirect)}">
+      <input type="hidden" name="profileId" value="${escapeHtml(data.profile.id)}">
+      <button class="secondary">Publish Draft</button><p class="status"></p>
     </form>
   </section>
+  <section><h2>Container Keys</h2>${profileRuntimeKeyTable(data.runtimeKeys, data)}</section>
   ${formScript()}`;
 }
-function runtimeKeysPage(data, secret) {
-    return `<div class="page-head"><div><h1>Runtime Keys</h1><p class="muted">Bind a container credential to one application, service group, deployment profile, and config plugin.</p></div></div>
-  ${secret ? `<section><h2>Runtime Secret</h2><p class="muted">Shown once. Store it in the container environment now.</p><p class="code"><code>${escapeHtml(secret)}</code></p></section>` : ''}
-  <section><h2>Create Runtime Key</h2>
-    <form data-api="/api/runtime-keys" data-secret-redirect="/runtime-keys">
-      <div class="form-grid">
-        ${input('name', 'Name', true)}
-        ${select('applicationId', 'Application', data.applications.map((x) => [x.id, x.name]))}
-        ${select('groupId', 'Service Group', data.groups.map((x) => [x.id, groupLabel(x, data)]))}
-        ${select('profileId', 'Deployment Profile', data.profiles.map((x) => [x.id, profileLabel(x, data)]))}
-        ${input('containerName', 'Container Name')}
-        ${input('configPluginId', 'Config Plugin', true, 'config-vault')}
-      </div>
-      <button>Create Runtime Key</button><p class="status"></p>
+function pluginsPage(data, registry, query) {
+    return `<div class="page-head"><div><h1>Plugin Catalog</h1><p class="muted">Import registry plugins for config authoring, or create private plugin entries manually.</p></div></div>
+  <section><h2>Registry Search</h2>
+    <form method="get" action="/plugins" class="inline-form">
+      ${input('query', 'Search', false, query)}
+      <button>Search Registry</button>
     </form>
+    ${registry.length === 0 ? '<p class="muted">No registry results loaded.</p>' : registryTable(registry)}
   </section>
-  <section><h2>Runtime Keys</h2>${runtimeKeyTable(data.runtimeKeys, data)}</section>
-  ${formScript()}`;
-}
-function pluginsPage(data) {
-    return `<div class="page-head"><div><h1>Plugin Catalog</h1><p class="muted">Register public, private, or uploaded plugin schemas for config authoring.</p></div></div>
-  <section><h2>Create Plugin</h2>
+  <section><h2>Private Plugin</h2>
     <form data-api="/api/plugins" data-redirect="/plugins">
       <div class="form-grid">
         ${input('org', 'Org', true, '_')}
@@ -501,6 +584,27 @@ function pluginsPage(data) {
   <section><h2>Catalog</h2>${table(data.plugins.map((x) => [x.pluginId, x.version, x.kind, x.source, x.packageName ?? '']))}</section>
   ${formScript()}`;
 }
+function registryTable(items) {
+    return `<table>${items.map((item) => `<tr>
+    <td>${escapeHtml(item.pluginId)}</td>
+    <td>${escapeHtml(item.version)}</td>
+    <td>${escapeHtml(item.kind)}</td>
+    <td>${escapeHtml(item.packageName ?? '')}</td>
+    <td>
+      <form data-api="/api/plugins/import" data-redirect="/plugins">
+        <input type="hidden" name="org" value="${escapeHtml(item.org)}">
+        <input type="hidden" name="name" value="${escapeHtml(item.name)}">
+        <input type="hidden" name="pluginId" value="${escapeHtml(item.pluginId)}">
+        <input type="hidden" name="packageName" value="${escapeHtml(item.packageName ?? '')}">
+        <input type="hidden" name="version" value="${escapeHtml(item.version)}">
+        <input type="hidden" name="kind" value="${escapeHtml(item.kind)}">
+        <input type="hidden" name="configSchema" value="${escapeHtml(JSON.stringify(item.configSchema ?? {}))}">
+        <input type="hidden" name="eventSchema" value="${escapeHtml(JSON.stringify(item.eventSchema ?? {}))}">
+        <button class="secondary">Import</button><p class="status"></p>
+      </form>
+    </td>
+  </tr>`).join('')}</table>`;
+}
 function profilePage(data) {
     return `<div class="page-head"><div><h1>Profile</h1><p class="muted">Account security and admin authentication settings.</p></div></div>
   <section><h2>Account</h2>${table([[data.user.email, data.user.createdAt]])}</section>
@@ -509,6 +613,59 @@ function profilePage(data) {
     <p><a class="button" href="/passkeys/setup">Add Passkey</a></p>
   </section>`;
 }
+function applicationsTable(data) {
+    if (data.applications.length === 0)
+        return '<p class="muted">None</p>';
+    return `<table>${data.applications.map((app) => `<tr><td>
+    <form data-api="/api/applications/update" data-redirect="/applications" class="inline-form">
+      <input type="hidden" name="id" value="${escapeHtml(app.id)}">
+      ${input('name', 'Name', true, app.name)}
+      ${input('description', 'Description', false, app.description ?? '')}
+      <button>Save</button><p class="status"></p>
+    </form>
+  </td><td class="actions">
+    <a class="button secondary" href="/deployments">Deployments</a>
+    ${deleteForm('/api/applications/delete', app.id, '/applications', 'Delete application and related deployments, profiles, configs, and keys?')}
+  </td></tr>`).join('')}</table>`;
+}
+function groupsTable(data) {
+    if (data.groups.length === 0)
+        return '<p class="muted">None</p>';
+    const defaultProfileFor = (groupId) => data.profiles.find((profile) => profile.groupId === groupId && profile.name === 'default') ?? data.profiles.find((profile) => profile.groupId === groupId);
+    return `<table>${data.groups.map((group) => `<tr><td>
+    <form data-api="/api/groups/update" data-redirect="/deployments" class="inline-form">
+      <input type="hidden" name="id" value="${escapeHtml(group.id)}">
+      ${select('applicationId', 'Application', selectedOptions(data.applications.map((x) => [x.id, x.name]), group.applicationId))}
+      ${input('name', 'Name', true, group.name)}
+      <button>Save</button><p class="status"></p>
+    </form>
+  </td><td class="actions">
+    ${defaultProfileFor(group.id) ? `<a class="button secondary" href="/deployment?profileId=${encodeURIComponent(defaultProfileFor(group.id).id)}">Open</a>` : ''}
+    ${deleteForm('/api/groups/delete', group.id, '/deployments', 'Delete deployment and related profiles, configs, and keys?')}
+  </td></tr>`).join('')}</table>`;
+}
+function profilesTable(data) {
+    if (data.profiles.length === 0)
+        return '<p class="muted">None</p>';
+    return `<table>${data.profiles.map((profile) => `<tr><td>
+    <form data-api="/api/profiles/update" data-redirect="/deployments" class="inline-form">
+      <input type="hidden" name="id" value="${escapeHtml(profile.id)}">
+      ${select('groupId', 'Deployment', selectedOptions(data.groups.map((x) => [x.id, groupLabel(x, data)]), profile.groupId))}
+      ${input('name', 'Name', true, profile.name)}
+      <span class="muted">${profile.activeVersionId ? 'published' : 'no published config'}</span>
+      <button>Save</button><p class="status"></p>
+    </form>
+  </td><td class="actions">
+    <a class="button secondary" href="/deployment?profileId=${encodeURIComponent(profile.id)}">Open</a>
+    ${deleteForm('/api/profiles/delete', profile.id, '/deployments', 'Delete deployment profile and related configs and keys?')}
+  </td></tr>`).join('')}</table>`;
+}
+function deleteForm(action, id, redirect, confirm) {
+    return `<form data-api="${escapeHtml(action)}" data-redirect="${escapeHtml(redirect)}" data-confirm="${escapeHtml(confirm)}">
+    <input type="hidden" name="id" value="${escapeHtml(id)}">
+    <button class="secondary" type="submit">Delete</button><p class="status"></p>
+  </form>`;
+}
 function metric(label, value) {
     return `<section><p class="muted">${escapeHtml(label)}</p><div class="metric">${value}</div></section>`;
 }
@@ -518,9 +675,16 @@ function input(name, label, required = false, value = '') {
 function select(name, label, options) {
     const body = options.length === 0
         ? '<option value="">Create the required parent record first</option>'
-        : options.map(([value, optionLabel]) => `<option value="${escapeHtml(value)}">${escapeHtml(optionLabel)}</option>`).join('');
+        : options.map(([value, optionLabel]) => {
+            const selected = optionLabel.endsWith('\u0000selected');
+            const labelText = selected ? optionLabel.slice(0, -9) : optionLabel;
+            return `<option value="${escapeHtml(value)}" ${selected ? 'selected' : ''}>${escapeHtml(labelText)}</option>`;
+        }).join('');
     return `<label>${escapeHtml(label)}<select name="${escapeHtml(name)}" ${options.length === 0 ? 'disabled' : 'required'}>${body}</select></label>`;
 }
+function selectedOptions(options, selectedValue) {
+    return options.map(([value, label]) => [value, value === selectedValue ? `${label}\u0000selected` : label]);
+}
 function groupLabel(group, data) {
     const app = data.applications.find((candidate) => candidate.id === group.applicationId);
     return `${app?.name ?? 'Unknown'} / ${group.name}`;
@@ -538,6 +702,31 @@ function runtimeKeyTable(keys, data) {
         key.revokedAt ?? 'active',
     ]));
 }
+function profileRuntimeKeyTable(keys, data) {
+    if (keys.length === 0)
+        return '<p class="muted">No container keys created for this profile.</p>';
+    return `<table>${keys.map((key) => `<tr>
+    <td>${escapeHtml(key.name)}</td>
+    <td>${escapeHtml(key.id)}</td>
+    <td>${escapeHtml(data.profile.name)}</td>
+    <td>${escapeHtml(key.containerName ?? '')}</td>
+    <td>${escapeHtml(key.revokedAt ?? 'active')}</td>
+    <td>${key.revokedAt ? '' : `<form data-api="/api/runtime-keys/rotate" data-secret-redirect="/deployment?profileId=${escapeHtml(data.profile.id)}"><input type="hidden" name="keyId" value="${escapeHtml(key.id)}"><button class="secondary">Rotate</button><p class="status"></p></form>`}</td>
+  </tr>`).join('')}</table>`;
+}
+function runtimeEnvBlock(credential) {
+    const env = [
+        'BSB_CONFIG_PLUGIN=config-vault',
+        'BSB_CONFIG_PLUGIN_PACKAGE=@bsb/config-vault',
+        `vaultUrl=${credential.publicUrl}`,
+        `apiKeyId=${credential.keyId}`,
+        `apiSecret=${credential.secret}`,
+    ].join('\n');
+    return `<section><h2>Container Environment</h2>
+    <p class="muted">Shown once. Add these env vars to the BSB container that should load this deployment profile.</p>
+    <pre class="code"><code>${escapeHtml(env)}</code></pre>
+  </section>`;
+}
 function shortId(value) {
     return value.length > 18 ? `${value.slice(0, 10)}...${value.slice(-6)}` : value;
 }
@@ -546,6 +735,7 @@ function formScript() {
   document.querySelectorAll('form[data-api]').forEach((form) => {
     form.addEventListener('submit', async (event) => {
       event.preventDefault();
+      if (form.dataset.confirm && !confirm(form.dataset.confirm)) return;
       const status = form.querySelector('.status');
       if (status) { status.textContent = 'Saving...'; status.className = 'status'; }
       try {
@@ -563,7 +753,10 @@ function formScript() {
         const result = await res.json();
         if (!res.ok) throw new Error(result.message || 'Save failed');
         if (form.dataset.secretRedirect && result.secret) {
-          location.href = form.dataset.secretRedirect + '?secret=' + encodeURIComponent(result.secret);
+          const joiner = form.dataset.secretRedirect.includes('?') ? '&' : '?';
+          location.href = form.dataset.secretRedirect
+            + joiner + 'keyId=' + encodeURIComponent(result.keyId || result.id || '')
+            + '&secret=' + encodeURIComponent(result.secret);
           return;
         }
         location.href = form.dataset.redirect || location.pathname;
@@ -630,29 +823,63 @@ function webauthnClientScript() {
   }
   `;
 }
-function apiForm(action, fields, textarea) {
-    return `<form data-api="${action}" onsubmit="return submitJson(this)">
-    ${fields.map((field) => `<input name="${field}" placeholder="${field}" ${field === 'configPluginId' ? 'value="config-vault"' : ''}>`).join('')}
-    ${textarea ? `<textarea name="${textarea}" placeholder="${textarea} JSON"></textarea>` : ''}
-    <button>Submit</button>
-  </form>
-  <script>
-  async function submitJson(form){
-    const data={}; for(const item of new FormData(form).entries()){data[item[0]]=item[1]}
-    const csrf=document.cookie.split('; ').find(x=>x.startsWith('vault_csrf='))?.split('=')[1]||'';
-    const res=await fetch(form.dataset.api,{method:'POST',headers:{'content-type':'application/json','x-csrf-token':csrf},body:JSON.stringify(data)});
-    alert(JSON.stringify(await res.json(),null,2)); location.reload(); return false;
-  }
-  </script>`;
-}
-function pluginForm() {
-    return apiForm('/api/plugins', ['org', 'name', 'pluginId', 'packageName', 'version', 'kind', 'source'], 'configSchema');
-}
 function table(rows) {
     if (rows.length === 0)
         return '<p class="muted">None</p>';
     return `<table>${rows.map((row) => `<tr>${row.map((cell) => `<td>${escapeHtml(cell)}</td>`).join('')}</tr>`).join('')}</table>`;
 }
+async function registrySearch(registryUrl, query) {
+    const url = new URL('/plugins', registryUrl);
+    url.searchParams.set('language', 'nodejs');
+    url.searchParams.set('limit', '20');
+    if (query.trim())
+        url.searchParams.set('query', query.trim());
+    try {
+        const response = await fetch(url, { headers: { accept: 'application/json' } });
+        if (!response.ok)
+            return [];
+        const parsed = await response.json();
+        return (Array.isArray(parsed.plugins) ? parsed.plugins : [])
+            .map(normalizeRegistryCandidate)
+            .filter((item) => item !== null);
+    }
+    catch {
+        return [];
+    }
+}
+function normalizeRegistryCandidate(input) {
+    if (typeof input !== 'object' || input === null || Array.isArray(input))
+        return null;
+    const value = input;
+    const org = stringField(value.org) ?? orgFromPackage(value.packageName ?? value.package) ?? '_';
+    const name = stringField(value.name) ?? stringField(value.pluginId) ?? stringField(value.id);
+    if (!name)
+        return null;
+    const packageName = stringField(value.packageName) ?? stringField(value.package) ?? null;
+    const pluginId = stringField(value.pluginId) ?? stringField(value.id) ?? name;
+    return {
+        org,
+        name,
+        pluginId,
+        packageName,
+        version: stringField(value.version) ?? '0.0.0',
+        kind: parseKind(value.kind ?? value.category ?? value.type),
+        configSchema: objectField(value.configSchema) ?? objectField(value.schema) ?? objectField(value.validationSchema) ?? null,
+        eventSchema: objectField(value.eventSchema) ?? objectField(value.events) ?? null,
+    };
+}
+function stringField(value) {
+    return typeof value === 'string' && value.length > 0 ? value : undefined;
+}
+function objectField(value) {
+    return typeof value === 'object' && value !== null && !Array.isArray(value) ? value : null;
+}
+function orgFromPackage(value) {
+    if (typeof value !== 'string' || !value.startsWith('@'))
+        return undefined;
+    const [org] = value.split('/');
+    return org || undefined;
+}
 function parseJsonObject(value) {
     if (typeof value === 'object' && value !== null && !Array.isArray(value))
         return value;