@dupecom/botcha-cloudflare 0.3.3 → 0.10.0

package/dist/dashboard/auth.d.ts

@@ -0,0 +1,183 @@
+/**
+ * BOTCHA Dashboard Authentication
+ *
+ * Two auth flows, both require an agent:
+ *
+ * Flow 1 — Challenge-Based Login (agent direct):
+ *   POST /v1/auth/dashboard              → get challenge
+ *   POST /v1/auth/dashboard/verify       → solve challenge → session token
+ *
+ * Flow 2 — Device Code (agent → human handoff):
+ *   POST /v1/auth/device-code            → get challenge
+ *   POST /v1/auth/device-code/verify     → solve challenge → device code
+ *   Human visits /dashboard/code, enters code → dashboard session
+ *
+ * Legacy — App ID + Secret login (still valid, agent created the app):
+ *   POST /dashboard/login                → app_id + app_secret → session
+ *
+ * All paths require an agent to be involved. No agent, no access.
+ */
+import type { Context, MiddlewareHandler } from 'hono';
+import type { KVNamespace } from '../challenges';
+type Bindings = {
+    CHALLENGES: KVNamespace;
+    RATE_LIMITS: KVNamespace;
+    APPS: KVNamespace;
+    ANALYTICS?: AnalyticsEngineDataset;
+    JWT_SECRET: string;
+    BOTCHA_VERSION: string;
+};
+type Variables = {
+    dashboardAppId?: string;
+};
+/**
+ * Middleware: Require dashboard authentication.
+ *
+ * Checks for session in two places:
+ *   1. Cookie `botcha_session` (browser sessions)
+ *   2. Authorization: Bearer header (agent API access)
+ *
+ * On success: sets c.get('dashboardAppId') for downstream handlers
+ * On failure: redirects to /dashboard/login (browser) or returns 401 (API)
+ */
+export declare const requireDashboardAuth: MiddlewareHandler<{
+    Bindings: Bindings;
+    Variables: Variables;
+}>;
+/**
+ * POST /v1/auth/dashboard
+ *
+ * Agent requests a speed challenge to prove it's an agent.
+ * Requires app_id in the request body.
+ */
+export declare function handleDashboardAuthChallenge(c: Context<{
+    Bindings: Bindings;
+}>): Promise<(Response & import("hono").TypedResponse<{
+    error: string;
+}, 400, "json">) | (Response & import("hono").TypedResponse<{
+    error: string;
+}, 404, "json">) | (Response & import("hono").TypedResponse<{
+    challenge_id: string;
+    type: string;
+    problems: number[];
+    time_limit_ms: number;
+    instructions: string;
+}, import("hono/utils/http-status").ContentfulStatusCode, "json">)>;
+/**
+ * POST /v1/auth/dashboard/verify
+ *
+ * Agent submits challenge solution. On success, returns a session token
+ * usable as Bearer header or cookie.
+ */
+export declare function handleDashboardAuthVerify(c: Context<{
+    Bindings: Bindings;
+}>): Promise<(Response & import("hono").TypedResponse<{
+    error: string;
+}, 400, "json">) | (Response & import("hono").TypedResponse<{
+    error: string;
+}, 403, "json">) | (Response & import("hono").TypedResponse<{
+    success: true;
+    session_token: string;
+    expires_in: number;
+    app_id: string;
+    dashboard_url: string;
+    usage: string;
+}, import("hono/utils/http-status").ContentfulStatusCode, "json">)>;
+/**
+ * POST /v1/auth/device-code
+ *
+ * Same challenge as dashboard auth. Agent must solve it to get a device code.
+ */
+export declare function handleDeviceCodeChallenge(c: Context<{
+    Bindings: Bindings;
+}>): Promise<(Response & import("hono").TypedResponse<{
+    error: string;
+}, 400, "json">) | (Response & import("hono").TypedResponse<{
+    error: string;
+}, 404, "json">) | (Response & import("hono").TypedResponse<{
+    challenge_id: string;
+    type: string;
+    problems: number[];
+    time_limit_ms: number;
+    instructions: string;
+}, import("hono/utils/http-status").ContentfulStatusCode, "json">)>;
+/**
+ * POST /v1/auth/device-code/verify
+ *
+ * Agent submits challenge solution. On success, returns a short-lived
+ * device code (BOTCHA-XXXX) that a human can enter at /dashboard/code.
+ */
+export declare function handleDeviceCodeVerify(c: Context<{
+    Bindings: Bindings;
+}>): Promise<(Response & import("hono").TypedResponse<{
+    error: string;
+}, 400, "json">) | (Response & import("hono").TypedResponse<{
+    error: string;
+}, 403, "json">) | (Response & import("hono").TypedResponse<{
+    success: true;
+    code: string;
+    login_url: string;
+    expires_in: number;
+    instructions: string;
+}, import("hono/utils/http-status").ContentfulStatusCode, "json">)>;
+/**
+ * GET /dashboard/code
+ *
+ * Renders the device code redemption page for humans.
+ */
+export declare function renderDeviceCodePage(c: Context<{
+    Bindings: Bindings;
+}>): Promise<Response>;
+/**
+ * POST /dashboard/code
+ *
+ * Human submits device code. If valid, creates session and redirects to dashboard.
+ */
+export declare function handleDeviceCodeRedeem(c: Context<{
+    Bindings: Bindings;
+}>): Promise<Response & import("hono").TypedResponse<undefined, 302, "redirect">>;
+/**
+ * POST /dashboard/login
+ *
+ * Login with app_id + app_secret. The agent created the app (so an agent
+ * was involved at creation time). Still supported as a convenience.
+ */
+export declare function handleLogin(c: Context<{
+    Bindings: Bindings;
+}>): Promise<Response & import("hono").TypedResponse<undefined, 302, "redirect">>;
+/**
+ * GET /dashboard/logout
+ */
+export declare function handleLogout(c: Context<{
+    Bindings: Bindings;
+}>): Promise<Response & import("hono").TypedResponse<undefined, 302, "redirect">>;
+/**
+ * POST /dashboard/email-login
+ *
+ * Human enters their email. If a verified app exists for that email,
+ * a device code is generated and emailed. The human then enters the
+ * code at /dashboard/code to get a session.
+ *
+ * This doesn't violate agent-first: the agent was involved at account
+ * creation and email verification. This is just session resumption.
+ *
+ * Anti-enumeration: always shows the same "check your email" message
+ * regardless of whether the email exists.
+ */
+export declare function handleEmailLogin(c: Context<{
+    Bindings: Bindings;
+}>): Promise<Response & import("hono").TypedResponse<undefined, 302, "redirect">>;
+/**
+ * GET /dashboard/login
+ *
+ * Four ways in:
+ *   1. Device code (agent generated the code) — primary
+ *   2. Email login (returning users — code emailed to verified address)
+ *   3. App ID + Secret (agent created the app)
+ *   4. Create new app (triggers POST /v1/apps)
+ */
+export declare function renderLoginPage(c: Context<{
+    Bindings: Bindings;
+}>): Promise<Response>;
+export {};
+//# sourceMappingURL=auth.d.ts.map

package/dist/dashboard/auth.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"auth.d.ts","sourceRoot":"","sources":["../../src/dashboard/auth.tsx"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;GAkBG;AAEH,OAAO,KAAK,EAAE,OAAO,EAAE,iBAAiB,EAAE,MAAM,MAAM,CAAC;AAMvD,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,eAAe,CAAC;AAKjD,KAAK,QAAQ,GAAG;IACd,UAAU,EAAE,WAAW,CAAC;IACxB,WAAW,EAAE,WAAW,CAAC;IACzB,IAAI,EAAE,WAAW,CAAC;IAClB,SAAS,CAAC,EAAE,sBAAsB,CAAC;IACnC,UAAU,EAAE,MAAM,CAAC;IACnB,cAAc,EAAE,MAAM,CAAC;CACxB,CAAC;AAGF,KAAK,SAAS,GAAG;IACf,cAAc,CAAC,EAAE,MAAM,CAAC;CACzB,CAAC;AAsCF;;;;;;;;;GASG;AACH,eAAO,MAAM,oBAAoB,EAAE,iBAAiB,CAAC;IAAE,QAAQ,EAAE,QAAQ,CAAC;IAAC,SAAS,EAAE,SAAS,CAAA;CAAE,CAmChG,CAAC;AAIF;;;;;GAKG;AACH,wBAAsB,4BAA4B,CAAC,CAAC,EAAE,OAAO,CAAC;IAAE,QAAQ,EAAE,QAAQ,CAAA;CAAE,CAAC;;;;;;;;;;oEA2CpF;AAgDD;;;;;GAKG;AACH,wBAAsB,yBAAyB,CAAC,CAAC,EAAE,OAAO,CAAC;IAAE,QAAQ,EAAE,QAAQ,CAAA;CAAE,CAAC;;;;;;;;;;;oEAwBjF;AAID;;;;GAIG;AACH,wBAAsB,yBAAyB,CAAC,CAAC,EAAE,OAAO,CAAC;IAAE,QAAQ,EAAE,QAAQ,CAAA;CAAE,CAAC;;;;;;;;;;oEAEjF;AAED;;;;;GAKG;AACH,wBAAsB,sBAAsB,CAAC,CAAC,EAAE,OAAO,CAAC;IAAE,QAAQ,EAAE,QAAQ,CAAA;CAAE,CAAC;;;;;;;;;;oEA2B9E;AAID;;;;GAIG;AACH,wBAAsB,oBAAoB,CAAC,CAAC,EAAE,OAAO,CAAC;IAAE,QAAQ,EAAE,QAAQ,CAAA;CAAE,CAAC,qBAkE5E;AAED;;;;GAIG;AACH,wBAAsB,sBAAsB,CAAC,CAAC,EAAE,OAAO,CAAC;IAAE,QAAQ,EAAE,QAAQ,CAAA;CAAE,CAAC,gFAqB9E;AAID;;;;;GAKG;AACH,wBAAsB,WAAW,CAAC,CAAC,EAAE,OAAO,CAAC;IAAE,QAAQ,EAAE,QAAQ,CAAA;CAAE,CAAC,gFAyBnE;AAED;;GAEG;AACH,wBAAsB,YAAY,CAAC,CAAC,EAAE,OAAO,CAAC;IAAE,QAAQ,EAAE,QAAQ,CAAA;CAAE,CAAC,gFAGpE;AAID;;;;;;;;;;;;GAYG;AACH,wBAAsB,gBAAgB,CAAC,CAAC,EAAE,OAAO,CAAC;IAAE,QAAQ,EAAE,QAAQ,CAAA;CAAE,CAAC,gFA2BxE;AAID;;;;;;;;GAQG;AACH,wBAAsB,eAAe,CAAC,CAAC,EAAE,OAAO,CAAC;IAAE,QAAQ,EAAE,QAAQ,CAAA;CAAE,CAAC,qBA0HvE"}

package/dist/dashboard/auth.js

@@ -0,0 +1,401 @@
+import { jsxs as _jsxs, jsx as _jsx } from "hono/jsx/jsx-runtime";
+import { getCookie, setCookie, deleteCookie } from 'hono/cookie';
+import { SignJWT } from 'jose';
+import { verifyToken } from '../auth';
+import { validateAppSecret, getAppByEmail } from '../apps';
+import { sendEmail, recoveryEmail } from '../email';
+import { generateDeviceCode, storeDeviceCode, redeemDeviceCode } from './device-code';
+import { LoginLayout, Card, Divider } from './layout';
+// ============ SESSION HELPERS ============
+/**
+ * Generate a 1-hour dashboard session JWT for the given app_id.
+ */
+async function generateSessionToken(appId, jwtSecret) {
+    const encoder = new TextEncoder();
+    const secretKey = encoder.encode(jwtSecret);
+    return new SignJWT({
+        type: 'botcha-verified',
+        solveTime: 0,
+        jti: crypto.randomUUID(),
+        app_id: appId,
+    })
+        .setProtectedHeader({ alg: 'HS256' })
+        .setSubject('dashboard-session')
+        .setIssuedAt()
+        .setExpirationTime('1h')
+        .sign(secretKey);
+}
+/**
+ * Set the dashboard session cookie on a response context.
+ */
+function setSessionCookie(c, token) {
+    setCookie(c, 'botcha_session', token, {
+        path: '/dashboard',
+        httpOnly: true,
+        secure: true,
+        sameSite: 'Lax',
+        maxAge: 3600,
+    });
+}
+// ============ MIDDLEWARE ============
+/**
+ * Middleware: Require dashboard authentication.
+ *
+ * Checks for session in two places:
+ *   1. Cookie `botcha_session` (browser sessions)
+ *   2. Authorization: Bearer header (agent API access)
+ *
+ * On success: sets c.get('dashboardAppId') for downstream handlers
+ * On failure: redirects to /dashboard/login (browser) or returns 401 (API)
+ */
+export const requireDashboardAuth = async (c, next) => {
+    // Try cookie first (browser sessions)
+    let sessionToken = getCookie(c, 'botcha_session');
+    // Fall back to Bearer header (agent API access)
+    if (!sessionToken) {
+        const authHeader = c.req.header('Authorization');
+        if (authHeader?.startsWith('Bearer ')) {
+            sessionToken = authHeader.slice(7);
+        }
+    }
+    if (!sessionToken) {
+        const isApi = c.req.header('Accept')?.includes('application/json') ||
+            c.req.header('HX-Request');
+        if (isApi) {
+            return c.json({ error: 'Authentication required', login: '/dashboard/login' }, 401);
+        }
+        return c.redirect('/dashboard/login');
+    }
+    const result = await verifyToken(sessionToken, c.env.JWT_SECRET, c.env);
+    if (!result.valid || !result.payload?.app_id) {
+        deleteCookie(c, 'botcha_session', { path: '/dashboard' });
+        const isApi = c.req.header('Accept')?.includes('application/json') ||
+            c.req.header('HX-Request');
+        if (isApi) {
+            return c.json({ error: 'Session expired', login: '/dashboard/login' }, 401);
+        }
+        return c.redirect('/dashboard/login');
+    }
+    c.set('dashboardAppId', result.payload.app_id);
+    await next();
+};
+// ============ CHALLENGE-BASED LOGIN (Flow 1: agent direct) ============
+/**
+ * POST /v1/auth/dashboard
+ *
+ * Agent requests a speed challenge to prove it's an agent.
+ * Requires app_id in the request body.
+ */
+export async function handleDashboardAuthChallenge(c) {
+    const body = await c.req.json().catch(() => ({}));
+    const appId = body.app_id;
+    if (!appId) {
+        return c.json({ error: 'app_id is required' }, 400);
+    }
+    // Verify the app exists
+    const appData = await c.env.APPS.get(`app:${appId}`, 'text');
+    if (!appData) {
+        return c.json({ error: 'App not found' }, 404);
+    }
+    // Generate a speed challenge (5 SHA256 hashes)
+    const challengeId = crypto.randomUUID();
+    const problems = [];
+    for (let i = 0; i < 5; i++) {
+        const buf = new Uint8Array(4);
+        crypto.getRandomValues(buf);
+        const num = ((buf[0] << 24) | (buf[1] << 16) | (buf[2] << 8) | buf[3]) >>> 0;
+        problems.push(num % 1000000);
+    }
+    // Store challenge in KV with 60s TTL (KV minimum)
+    await c.env.CHALLENGES.put(`dashboard-auth:${challengeId}`, JSON.stringify({
+        problems,
+        app_id: appId,
+        created_at: Date.now(),
+        type: 'dashboard-login',
+    }), { expirationTtl: 60 });
+    return c.json({
+        challenge_id: challengeId,
+        type: 'speed',
+        problems,
+        time_limit_ms: 500,
+        instructions: 'Compute SHA-256 hex digest of each number (as string). Return first 8 chars of each hash.',
+    });
+}
+/**
+ * Verify challenge answers. Shared between dashboard login and device code flows.
+ * Returns the challenge data on success, or null with an error response sent.
+ */
+async function verifyChallengeAnswers(c, challengeId, answers) {
+    // Retrieve and delete challenge (one attempt only)
+    const raw = await c.env.CHALLENGES.get(`dashboard-auth:${challengeId}`, 'text');
+    await c.env.CHALLENGES.delete(`dashboard-auth:${challengeId}`);
+    if (!raw) {
+        return null;
+    }
+    const challenge = JSON.parse(raw);
+    // Check timing (2s generous limit including network)
+    const elapsed = Date.now() - challenge.created_at;
+    if (elapsed > 2000) {
+        return null;
+    }
+    // Verify answers: SHA-256 of each number as string, first 8 hex chars
+    const problems = challenge.problems;
+    if (answers.length !== problems.length) {
+        return null;
+    }
+    for (let i = 0; i < problems.length; i++) {
+        const data = new TextEncoder().encode(String(problems[i]));
+        const hashBuffer = await crypto.subtle.digest('SHA-256', data);
+        const hashArray = Array.from(new Uint8Array(hashBuffer));
+        const hashHex = hashArray.map(b => b.toString(16).padStart(2, '0')).join('');
+        const expected = hashHex.substring(0, 8);
+        if (answers[i]?.toLowerCase() !== expected) {
+            return null;
+        }
+    }
+    return { app_id: challenge.app_id, problems };
+}
+/**
+ * POST /v1/auth/dashboard/verify
+ *
+ * Agent submits challenge solution. On success, returns a session token
+ * usable as Bearer header or cookie.
+ */
+export async function handleDashboardAuthVerify(c) {
+    const body = await c.req.json().catch(() => ({}));
+    const challengeId = body.challenge_id;
+    const answers = body.answers;
+    if (!challengeId || !answers || !Array.isArray(answers)) {
+        return c.json({ error: 'challenge_id and answers[] are required' }, 400);
+    }
+    const result = await verifyChallengeAnswers(c, challengeId, answers);
+    if (!result) {
+        return c.json({ error: 'Challenge failed: not found, expired, or wrong answers' }, 403);
+    }
+    const sessionToken = await generateSessionToken(result.app_id, c.env.JWT_SECRET);
+    return c.json({
+        success: true,
+        session_token: sessionToken,
+        expires_in: 3600,
+        app_id: result.app_id,
+        dashboard_url: '/dashboard',
+        usage: 'Use as cookie "botcha_session" or Authorization: Bearer header',
+    });
+}
+// ============ DEVICE CODE (Flow 2: agent → human handoff) ============
+/**
+ * POST /v1/auth/device-code
+ *
+ * Same challenge as dashboard auth. Agent must solve it to get a device code.
+ */
+export async function handleDeviceCodeChallenge(c) {
+    return handleDashboardAuthChallenge(c);
+}
+/**
+ * POST /v1/auth/device-code/verify
+ *
+ * Agent submits challenge solution. On success, returns a short-lived
+ * device code (BOTCHA-XXXX) that a human can enter at /dashboard/code.
+ */
+export async function handleDeviceCodeVerify(c) {
+    const body = await c.req.json().catch(() => ({}));
+    const challengeId = body.challenge_id;
+    const answers = body.answers;
+    if (!challengeId || !answers || !Array.isArray(answers)) {
+        return c.json({ error: 'challenge_id and answers[] are required' }, 400);
+    }
+    const result = await verifyChallengeAnswers(c, challengeId, answers);
+    if (!result) {
+        return c.json({ error: 'Challenge failed: not found, expired, or wrong answers' }, 403);
+    }
+    // Generate device code
+    const code = generateDeviceCode();
+    await storeDeviceCode(c.env.CHALLENGES, code, result.app_id);
+    const baseUrl = new URL(c.req.url).origin;
+    return c.json({
+        success: true,
+        code,
+        login_url: `${baseUrl}/dashboard/code`,
+        expires_in: 600,
+        instructions: `Tell your human: Visit ${baseUrl}/dashboard/code and enter code: ${code}`,
+    });
+}
+// ============ DEVICE CODE REDEMPTION (human-facing) ============
+/**
+ * GET /dashboard/code
+ *
+ * Renders the device code redemption page for humans.
+ */
+export async function renderDeviceCodePage(c) {
+    const url = new URL(c.req.url);
+    const error = url.searchParams.get('error');
+    const prefill = url.searchParams.get('code') || '';
+    const emailSent = url.searchParams.get('email_sent') === '1';
+    const errorMap = {
+        invalid: 'Invalid or expired code. Ask your agent for a new one.',
+        missing: 'Please enter a device code.',
+    };
+    return c.html(_jsxs(LoginLayout, { title: "Enter Device Code - BOTCHA", children: [_jsxs("div", { style: "font-size: 0.875rem; font-weight: 700; letter-spacing: 0.15em; text-transform: uppercase; text-align: center; margin-bottom: 2rem;", children: ['>', "_\u00A0BOTCHA"] }), _jsx("form", { method: "post", action: "/dashboard/code", children: _jsxs(Card, { title: "Device Code", children: [emailSent && (_jsx("div", { class: "success-message", style: "background: #f0faf0; border: 1px solid #1a8a2a; color: #1a6a1a; padding: 0.75rem; font-size: 0.75rem; margin-bottom: 1rem;", children: "If an account with that email exists, a login code has been sent. Check your inbox." })), error && errorMap[error] && (_jsx("div", { class: "error-message", children: errorMap[error] })), _jsx("p", { class: "text-muted mb-2", style: "font-size: 0.75rem;", children: emailSent
+                                ? 'Enter the code from your email below.'
+                                : 'Your AI agent generated a login code for you. Enter it below to access the dashboard.' }), _jsxs("div", { class: "form-group", children: [_jsx("label", { for: "code", children: "Code" }), _jsxs("div", { style: "display: flex; align-items: stretch; gap: 0;", children: [_jsx("span", { style: "display: flex; align-items: center; font-size: 1.5rem; font-weight: 700; letter-spacing: 0.15em; padding: 0 0.25rem 0 1rem; border: 1px solid var(--border); border-right: none; background: var(--bg-raised); color: var(--text-muted);", children: "BOTCHA-" }), _jsx("input", { type: "text", id: "code", name: "code", placeholder: "XXXX", value: prefill, required: true, autocomplete: "off", maxlength: 11, style: "font-size: 1.5rem; font-weight: 700; text-align: center; letter-spacing: 0.15em; padding: 1rem; flex: 1; border-left: none;" })] })] }), _jsx("script", { dangerouslySetInnerHTML: { __html: `
+            document.getElementById('code').addEventListener('input', function(e) {
+              var v = e.target.value.toUpperCase().replace(/[^A-Z0-9-]/g, '');
+              if (v.startsWith('BOTCHA-')) v = v.slice(7);
+              else if (v.startsWith('BOTCHA')) v = v.slice(6);
+              e.target.value = v.slice(0, 4);
+            });
+          ` } }), _jsxs("button", { type: "submit", children: ["Verify Code ", '>'] })] }) }), _jsxs("div", { class: "hint", style: "text-align: center; line-height: 1.8; margin-top: 1.5rem;", children: ["Don't have a code? Ask your AI agent to run:", _jsx("br", {}), _jsx("code", { children: "POST /v1/auth/device-code" }), _jsx("br", {}), _jsx("br", {}), _jsx("a", { href: "/dashboard/login", children: "Back to login" })] })] }));
+}
+/**
+ * POST /dashboard/code
+ *
+ * Human submits device code. If valid, creates session and redirects to dashboard.
+ */
+export async function handleDeviceCodeRedeem(c) {
+    const body = await c.req.parseBody();
+    let code = (body.code || '').trim().toUpperCase();
+    if (!code) {
+        return c.redirect('/dashboard/code?error=missing');
+    }
+    // Normalize: accept both "AR8C" and "BOTCHA-AR8C", always look up with prefix
+    if (!code.startsWith('BOTCHA-')) {
+        code = `BOTCHA-${code}`;
+    }
+    const data = await redeemDeviceCode(c.env.CHALLENGES, code);
+    if (!data) {
+        return c.redirect('/dashboard/code?error=invalid');
+    }
+    const sessionToken = await generateSessionToken(data.app_id, c.env.JWT_SECRET);
+    setSessionCookie(c, sessionToken);
+    return c.redirect('/dashboard');
+}
+// ============ LEGACY LOGIN (app_id + app_secret) ============
+/**
+ * POST /dashboard/login
+ *
+ * Login with app_id + app_secret. The agent created the app (so an agent
+ * was involved at creation time). Still supported as a convenience.
+ */
+export async function handleLogin(c) {
+    try {
+        const body = await c.req.parseBody();
+        const app_id = body.app_id;
+        const app_secret = body.app_secret;
+        if (!app_id || !app_secret) {
+            return c.redirect('/dashboard/login?error=missing');
+        }
+        const trimmedAppId = app_id.trim();
+        const trimmedSecret = app_secret.trim();
+        const isValid = await validateAppSecret(c.env.APPS, trimmedAppId, trimmedSecret);
+        if (!isValid) {
+            return c.redirect('/dashboard/login?error=invalid');
+        }
+        const sessionToken = await generateSessionToken(trimmedAppId, c.env.JWT_SECRET);
+        setSessionCookie(c, sessionToken);
+        return c.redirect('/dashboard');
+    }
+    catch (error) {
+        console.error('Login error:', error);
+        return c.redirect('/dashboard/login?error=server');
+    }
+}
+/**
+ * GET /dashboard/logout
+ */
+export async function handleLogout(c) {
+    deleteCookie(c, 'botcha_session', { path: '/dashboard' });
+    return c.redirect('/dashboard/login');
+}
+// ============ EMAIL LOGIN (session re-entry) ============
+/**
+ * POST /dashboard/email-login
+ *
+ * Human enters their email. If a verified app exists for that email,
+ * a device code is generated and emailed. The human then enters the
+ * code at /dashboard/code to get a session.
+ *
+ * This doesn't violate agent-first: the agent was involved at account
+ * creation and email verification. This is just session resumption.
+ *
+ * Anti-enumeration: always shows the same "check your email" message
+ * regardless of whether the email exists.
+ */
+export async function handleEmailLogin(c) {
+    const body = await c.req.parseBody();
+    const email = (body.email || '').trim().toLowerCase();
+    if (!email) {
+        return c.redirect('/dashboard/login?error=email_missing');
+    }
+    // Look up app by email — but always show same response (anti-enumeration)
+    const lookup = await getAppByEmail(c.env.APPS, email);
+    if (lookup && lookup.email_verified) {
+        // Generate a device code and email it
+        const code = generateDeviceCode();
+        await storeDeviceCode(c.env.CHALLENGES, code, lookup.app_id);
+        const baseUrl = new URL(c.req.url).origin;
+        const loginUrl = `${baseUrl}/dashboard/code`;
+        const template = recoveryEmail(code, loginUrl);
+        await sendEmail(c.env.RESEND_API_KEY, {
+            ...template,
+            to: email,
+        });
+    }
+    // Always redirect to code page with success message (anti-enumeration)
+    return c.redirect('/dashboard/code?email_sent=1');
+}
+// ============ LOGIN PAGE ============
+/**
+ * GET /dashboard/login
+ *
+ * Four ways in:
+ *   1. Device code (agent generated the code) — primary
+ *   2. Email login (returning users — code emailed to verified address)
+ *   3. App ID + Secret (agent created the app)
+ *   4. Create new app (triggers POST /v1/apps)
+ */
+export async function renderLoginPage(c) {
+    const url = new URL(c.req.url);
+    const error = url.searchParams.get('error');
+    const errorMap = {
+        invalid: 'Invalid app ID or secret',
+        missing: 'Please provide both app ID and secret',
+        server: 'Server error. Please try again.',
+        email_missing: 'Please enter your email address.',
+    };
+    const CREATE_APP_SCRIPT = `
+    async function createApp() {
+      var btn = document.getElementById('create-btn');
+      btn.classList.add('loading');
+      btn.textContent = 'Creating...';
+      try {
+        var resp = await fetch('/v1/apps', { method: 'POST' });
+        var data = await resp.json();
+        if (data.app_id && data.app_secret) {
+          document.getElementById('new-app-id').textContent = data.app_id;
+          document.getElementById('new-app-secret').textContent = data.app_secret;
+          document.getElementById('create-result').classList.add('show');
+          btn.style.display = 'none';
+        } else {
+          btn.textContent = '[ERR] try again >';
+          btn.classList.remove('loading');
+        }
+      } catch (e) {
+        btn.textContent = '[ERR] try again >';
+        btn.classList.remove('loading');
+      }
+    }
+    function fillAndLogin() {
+      var appId = document.getElementById('new-app-id').textContent;
+      var secret = document.getElementById('new-app-secret').textContent;
+      document.getElementById('app_id').value = appId;
+      document.getElementById('app_secret').value = secret;
+      document.querySelector('form').submit();
+    }
+  `;
+    return c.html(_jsxs(LoginLayout, { title: "Dashboard Login - BOTCHA", children: [_jsx("div", { class: "ascii-logo", children: ` ____   ___ _____ ____ _   _   _
+| __ ) / _ \\_   _/ ___| | | | / \\
+|  _ \\| | | || || |   | |_| |/ _ \\
+| |_) | |_| || || |___|  _  / ___ \\
+|____/ \\___/ |_| \\____|_| |_/_/   \\_\\
+    >_ prove you're a bot` }), _jsxs(Card, { title: "Device Code", badge: "agent required", children: [_jsx("p", { class: "text-muted mb-2", style: "font-size: 0.75rem;", children: "Your AI agent can generate a login code for you." }), _jsxs("a", { href: "/dashboard/code", class: "button btn", children: ["Enter Device Code ", '>'] }), _jsxs("div", { class: "hint", children: ["Agent: ", _jsx("code", { children: "POST /v1/auth/device-code" }), " then solve the challenge."] })] }), _jsx(Divider, { text: "or" }), _jsx("form", { method: "post", action: "/dashboard/email-login", children: _jsxs(Card, { title: "Email Login", badge: "returning users", children: [error === 'email_missing' && (_jsx("div", { class: "error-message", children: errorMap[error] })), _jsx("p", { class: "text-muted mb-2", style: "font-size: 0.75rem;", children: "Enter the email you used when creating your app. We'll send a login code to your inbox." }), _jsxs("div", { class: "form-group", children: [_jsx("label", { for: "email", children: "Email" }), _jsx("input", { type: "email", id: "email", name: "email", placeholder: "you@example.com", required: true, autocomplete: "email" })] }), _jsxs("button", { type: "submit", children: ["Email Me a Code ", '>'] })] }) }), _jsx(Divider, { text: "or sign in with credentials" }), _jsx("form", { method: "post", action: "/dashboard/login", children: _jsxs(Card, { title: "App Credentials", children: [error && error !== 'email_missing' && errorMap[error] && (_jsx("div", { class: "error-message", children: errorMap[error] })), _jsxs("div", { id: "create-result", children: [_jsx("div", { class: "warning", children: "Save these credentials now. The secret will not be shown again." }), _jsxs("div", { class: "credentials-box", children: [_jsx("span", { class: "label", children: "app_id: " }), _jsx("span", { class: "value", id: "new-app-id" }), _jsx("br", {}), _jsx("span", { class: "label", children: "secret: " }), _jsx("span", { class: "value", id: "new-app-secret" })] }), _jsxs("button", { type: "button", onclick: "fillAndLogin()", style: "width: 100%; margin-bottom: 1rem;", children: ["Login With New Credentials ", '>'] })] }), _jsxs("div", { class: "form-group", children: [_jsx("label", { for: "app_id", children: "App ID" }), _jsx("input", { type: "text", id: "app_id", name: "app_id", placeholder: "app_...", required: true, autocomplete: "username" })] }), _jsxs("div", { class: "form-group", children: [_jsx("label", { for: "app_secret", children: "App Secret" }), _jsx("input", { type: "password", id: "app_secret", name: "app_secret", placeholder: "sk_...", required: true, autocomplete: "current-password" })] }), _jsxs("div", { style: "display: flex; gap: 0.75rem; align-items: center;", children: [_jsxs("button", { type: "submit", children: ["Login ", '>'] }), _jsxs("button", { type: "button", id: "create-btn", class: "btn-secondary", onclick: "createApp()", children: ["Create App ", '>'] })] })] }) }), _jsx("script", { dangerouslySetInnerHTML: { __html: CREATE_APP_SCRIPT } })] }));
+}

package/dist/dashboard/device-code.d.ts

@@ -0,0 +1,43 @@
+/**
+ * BOTCHA Dashboard — Device Code Authentication
+ *
+ * OAuth2 Device Authorization Grant adapted for agent→human handoff.
+ * An agent generates a short-lived device code by solving a BOTCHA challenge.
+ * The human redeems the code at /dashboard/code to get a dashboard session.
+ *
+ * Flow:
+ *   1. Agent: POST /v1/auth/device-code       → gets challenge
+ *   2. Agent: POST /v1/auth/device-code/verify → solves challenge, gets { code, login_url }
+ *   3. Human: visits /dashboard/code, enters code → dashboard session
+ *
+ * The agent MUST solve a challenge to generate a code. No agent, no code.
+ */
+import type { KVNamespace } from '../challenges';
+export interface DeviceCodeData {
+    code: string;
+    app_id: string;
+    created_at: number;
+    expires_at: number;
+    redeemed: boolean;
+}
+/**
+ * Generate a human-friendly device code.
+ * Format: BOTCHA-XXXX (4 alphanumeric chars, no ambiguous chars)
+ *
+ * Uses a restricted alphabet that avoids 0/O, 1/I/l confusion.
+ */
+export declare function generateDeviceCode(): string;
+/**
+ * Store a device code in KV with 10-minute TTL.
+ */
+export declare function storeDeviceCode(kv: KVNamespace, code: string, appId: string): Promise<DeviceCodeData>;
+/**
+ * Look up a device code from KV.
+ * Returns null if not found, expired, or already redeemed.
+ */
+export declare function lookupDeviceCode(kv: KVNamespace, code: string): Promise<DeviceCodeData | null>;
+/**
+ * Redeem a device code (mark as used so it can't be reused).
+ */
+export declare function redeemDeviceCode(kv: KVNamespace, code: string): Promise<DeviceCodeData | null>;
+//# sourceMappingURL=device-code.d.ts.map

package/dist/dashboard/device-code.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"device-code.d.ts","sourceRoot":"","sources":["../../src/dashboard/device-code.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;GAaG;AAEH,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,eAAe,CAAC;AAIjD,MAAM,WAAW,cAAc;IAC7B,IAAI,EAAE,MAAM,CAAC;IACb,MAAM,EAAE,MAAM,CAAC;IACf,UAAU,EAAE,MAAM,CAAC;IACnB,UAAU,EAAE,MAAM,CAAC;IACnB,QAAQ,EAAE,OAAO,CAAC;CACnB;AAID;;;;;GAKG;AACH,wBAAgB,kBAAkB,IAAI,MAAM,CAM3C;AAED;;GAEG;AACH,wBAAsB,eAAe,CACnC,EAAE,EAAE,WAAW,EACf,IAAI,EAAE,MAAM,EACZ,KAAK,EAAE,MAAM,GACZ,OAAO,CAAC,cAAc,CAAC,CAiBzB;AAED;;;GAGG;AACH,wBAAsB,gBAAgB,CACpC,EAAE,EAAE,WAAW,EACf,IAAI,EAAE,MAAM,GACX,OAAO,CAAC,cAAc,GAAG,IAAI,CAAC,CAchC;AAED;;GAEG;AACH,wBAAsB,gBAAgB,CACpC,EAAE,EAAE,WAAW,EACf,IAAI,EAAE,MAAM,GACX,OAAO,CAAC,cAAc,GAAG,IAAI,CAAC,CAahC"}