@jagilber-org/index-server 1.22.0 → 1.26.1

package/dist/dashboard/client/admin.html

@@ -1,28 +1,29 @@
 <!DOCTYPE html>
 <html lang="en">
 <head>
-    <meta name="dashboard-build-version" content="1.22.0-e21c1bf9">
+    <meta name="dashboard-build-version" content="1.26.1-9badd8dd">
     <meta charset="UTF-8">
     <meta name="viewport" content="width=device-width, initial-scale=1.0">
     <title>Index Server Admin</title>
-    <link rel="stylesheet" href="css/admin.css?v=1.22.0-e21c1bf9">
-    <script defer src="js/admin.utils.js?v=1.22.0-e21c1bf9"></script>
-    <script defer src="js/admin.auth.js?v=1.22.0-e21c1bf9"></script>
-    <script defer src="js/admin.overview.js?v=1.22.0-e21c1bf9"></script>
-    <script defer src="js/admin.sessions.js?v=1.22.0-e21c1bf9"></script>
-    <script defer src="js/admin.monitor.js?v=1.22.0-e21c1bf9"></script>
-    <script defer src="js/admin.graph.js?v=1.22.0-e21c1bf9"></script>
+    <link rel="stylesheet" href="css/admin.css?v=1.26.1-9badd8dd">
+    <script defer src="js/admin.utils.js?v=1.26.1-9badd8dd"></script>
+    <script defer src="js/admin.auth.js?v=1.26.1-9badd8dd"></script>
+    <script defer src="js/admin.overview.js?v=1.26.1-9badd8dd"></script>
+    <script defer src="js/admin.sessions.js?v=1.26.1-9badd8dd"></script>
+    <script defer src="js/admin.monitor.js?v=1.26.1-9badd8dd"></script>
+    <script defer src="js/admin.graph.js?v=1.26.1-9badd8dd"></script>
     <script defer src="js/marked.umd.js"></script>
-    <script defer src="js/admin.instructions.js?v=1.22.0-e21c1bf9"></script>
-    <script defer src="js/admin.logs.js?v=1.22.0-e21c1bf9"></script>
-    <script defer src="js/admin.maintenance.js?v=1.22.0-e21c1bf9"></script>
-    <script defer src="js/admin.config.js?v=1.22.0-e21c1bf9"></script>
-    <script defer src="js/admin.performance.js?v=1.22.0-e21c1bf9"></script>
-    <script defer src="js/admin.instances.js?v=1.22.0-e21c1bf9"></script>
-    <script defer src="js/admin.embeddings.js?v=1.22.0-e21c1bf9"></script>
-    <script defer src="js/admin.messaging.js?v=1.22.0-e21c1bf9"></script>
-    <script defer src="js/admin.sqlite.js?v=1.22.0-e21c1bf9"></script>
-    <script defer src="js/admin.boot.js?v=1.22.0-e21c1bf9"></script>
+    <script defer src="js/admin.instructions.js?v=1.26.1-9badd8dd"></script>
+    <script defer src="js/admin.logs.js?v=1.26.1-9badd8dd"></script>
+    <script defer src="js/admin.maintenance.js?v=1.26.1-9badd8dd"></script>
+    <script defer src="js/admin.config.js?v=1.26.1-9badd8dd"></script>
+    <script defer src="js/admin.performance.js?v=1.26.1-9badd8dd"></script>
+    <script defer src="js/admin.instances.js?v=1.26.1-9badd8dd"></script>
+    <script defer src="js/admin.embeddings.js?v=1.26.1-9badd8dd"></script>
+    <script defer src="js/admin.messaging.js?v=1.26.1-9badd8dd"></script>
+    <script defer src="js/admin.sqlite.js?v=1.26.1-9badd8dd"></script>
+    <script defer src="js/admin.boot.js?v=1.26.1-9badd8dd"></script>
+    <script defer src="js/admin.feedback.js?v=1.26.1-9badd8dd"></script>
 </head>
 <body>
     <div class="admin-container admin-root">
@@ -52,6 +53,7 @@
                 <button class="nav-btn" data-section="graph" onclick="window.showSection && window.showSection('graph')">Graph</button>
                 <button class="nav-btn" data-section="embeddings" onclick="window.showSection && window.showSection('embeddings')">Embeddings</button>
                 <button class="nav-btn" data-section="messaging" onclick="window.showSection && window.showSection('messaging')">Messaging</button>
+                <button class="nav-btn" data-section="feedback" onclick="window.showSection && window.showSection('feedback')">Feedback</button>
                 <button class="nav-btn" data-section="sqlite" id="nav-sqlite" onclick="window.showSection && window.showSection('sqlite')" style="display:none">SQLite</button>
             </div>
         </div>
@@ -596,6 +598,90 @@
             <div id="messaging-detail"></div>
         </div>
 
+        <!-- Feedback Section -->
+        <div id="feedback-section" class="admin-section hidden">
+            <div class="admin-card">
+                <div class="card-header">
+                    <div class="card-icon">💬</div>
+                    <div class="card-title">Feedback Entries</div>
+                </div>
+                <div class="feedback-toolbar">
+                    <button id="feedback-create-btn" class="action-btn" data-fb-action="create">➕ New Entry</button>
+                    <button class="action-btn" data-fb-action="refresh">🔄 Refresh</button>
+                    <input id="feedback-filter" class="form-input" type="text" placeholder="Filter entries…" />
+                    <select id="feedback-status-filter" class="form-input feedback-status-filter">
+                        <option value="">All Status</option>
+                        <option value="new">New</option>
+                        <option value="acknowledged">Acknowledged</option>
+                        <option value="in-progress">In Progress</option>
+                        <option value="resolved">Resolved</option>
+                        <option value="closed">Closed</option>
+                    </select>
+                </div>
+                <div id="feedback-table" class="feedback-table-wrap" role="region" aria-label="Feedback entries">
+                    <div class="feedback-empty">Click <strong>Refresh</strong> or <strong>New Entry</strong> to get started.</div>
+                </div>
+            </div>
+
+            <!-- Detail / edit area -->
+            <div id="feedback-detail" class="admin-card hidden feedback-detail-card">
+                <div class="card-header">
+                    <div class="card-icon">📝</div>
+                    <div class="card-title" id="feedback-detail-title">Entry Details</div>
+                </div>
+                <div class="feedback-form">
+                    <div class="form-group">
+                        <label class="form-label" for="feedback-entry-title">Title <span class="feedback-required">*</span></label>
+                        <input id="feedback-entry-title" class="form-input" type="text" placeholder="Short summary" aria-required="true" />
+                    </div>
+                    <div class="feedback-form-row">
+                        <div class="form-group">
+                            <label class="form-label" for="feedback-entry-type">Type</label>
+                            <select id="feedback-entry-type" class="form-input">
+                                <option value="bug-report">Bug Report</option>
+                                <option value="feature-request">Feature Request</option>
+                                <option value="issue">Issue</option>
+                                <option value="performance">Performance</option>
+                                <option value="usability">Usability</option>
+                                <option value="security">Security</option>
+                                <option value="status">Status</option>
+                                <option value="other">Other</option>
+                            </select>
+                        </div>
+                        <div class="form-group">
+                            <label class="form-label" for="feedback-entry-severity">Severity</label>
+                            <select id="feedback-entry-severity" class="form-input">
+                                <option value="low">Low</option>
+                                <option value="medium" selected>Medium</option>
+                                <option value="high">High</option>
+                                <option value="critical">Critical</option>
+                            </select>
+                        </div>
+                        <div class="form-group">
+                            <label class="form-label" for="feedback-entry-status">Status</label>
+                            <select id="feedback-entry-status" class="form-input">
+                                <option value="new">New</option>
+                                <option value="acknowledged">Acknowledged</option>
+                                <option value="in-progress">In Progress</option>
+                                <option value="resolved">Resolved</option>
+                                <option value="closed">Closed</option>
+                            </select>
+                        </div>
+                    </div>
+                    <div class="form-group">
+                        <label class="form-label" for="feedback-entry-description">Description</label>
+                        <textarea id="feedback-entry-description" class="form-input feedback-entry-description" rows="5" placeholder="Detailed description…"></textarea>
+                    </div>
+                </div>
+                <div class="feedback-detail-actions">
+                    <button id="feedback-save-btn" class="action-btn" data-fb-action="save">💾 Save</button>
+                    <button id="feedback-delete-btn" class="action-btn danger" data-fb-action="delete">🗑️ Delete</button>
+                    <button id="feedback-github-btn" class="action-btn btn-info" data-fb-action="github" title="Open as GitHub issue in jagilber-org/index-server (client-side only)">🐙 Open GitHub Issue</button>
+                    <button class="action-btn warning" data-fb-action="cancel">✖ Cancel</button>
+                </div>
+            </div>
+        </div>
+
         <!-- SQLite Section -->
         <div id="sqlite-section" class="admin-section hidden">
             <div class="admin-grid">
@@ -787,13 +873,16 @@
                 case 'messaging':
                     if (window.initMessaging) window.initMessaging();
                     break;
+                case 'feedback':
+                    if (window.initFeedback) window.initFeedback();
+                    break;
             }
         }
 
-        // Graph logic was extracted to js/admin.graph.js?v=1.22.0-e21c1bf9
+        // Graph logic was extracted to js/admin.graph.js?v=1.26.1-9badd8dd
         // Functions available globally: reloadGraphMermaid, initGraphScopeDefaults, copyMermaidSource, toggleGraphEdit, applyGraphEdit, cancelGraphEdit, refreshDrillCategories, loadDrillInstructions, clearSelections
 
-        <!-- overview functions moved to js/admin.overview.js?v=1.22.0-e21c1bf9 -->
+        <!-- overview functions moved to js/admin.overview.js?v=1.26.1-9badd8dd -->
 
         // Lightweight overview-level maintenance display (optional)
         // Intentionally minimal to avoid blocking overview rendering.
@@ -873,11 +962,12 @@
                 if (statusOverride === 'healthy') statusOverride = 'unknown';
             }
             const statusClass = `status-${statusOverride}`;
+            const safeStatus = escapeHtml(statusOverride.toUpperCase());
             let html = `
                 <div class="stat-row">
                     <span class="stat-label">Overall Status</span>
                     <span class="stat-value">
-                        ${statusOverride.toUpperCase()}
+                        ${safeStatus}
                         <span class="${statusClass} status-indicator"></span>
                     </span>
                 </div>
@@ -888,7 +978,7 @@
                 const checkKeys = Object.keys(normalized.checks);
                 if(checkKeys.length){
                     html += '<div class="health-mt"><strong>Checks:</strong><ul class="health-list">' +
-                        checkKeys.map(k => `<li class="${normalized.checks[k]?'text-ok':'text-fail'}">${k}: ${normalized.checks[k]?'ok':'fail'}</li>`).join('') + '</ul></div>';
+                        checkKeys.map(k => `<li class="${normalized.checks[k]?'text-ok':'text-fail'}">${escapeHtml(k)}: ${normalized.checks[k]?'ok':'fail'}</li>`).join('') + '</ul></div>';
                 }
             } catch { /* ignore */ }
 
@@ -898,7 +988,7 @@
                     <div class="health-mt">
                         <strong>CPU Trend:</strong>
                         <span class="${health.cpuTrend === 'stable' ? 'text-ok' : health.cpuTrend === 'increasing' ? 'text-warn' : 'text-fail'}">
-                            ${health.cpuTrend}
+                            ${escapeHtml(health.cpuTrend)}
                         </span>
                     </div>
                 `;
@@ -911,14 +1001,17 @@
                     if (Math.abs(rate) < 1024 * 1024) return `${(rate / 1024).toFixed(1)} KB/min`;
                     return `${(rate / (1024 * 1024)).toFixed(1)} MB/min`;
                 };
+                const safeMemoryGrowthRate = health.memoryGrowthRate
+                    ? escapeHtml(formatGrowthRate(health.memoryGrowthRate))
+                    : '';
 
                 html += `
                     <div class="health-mt">
                         <strong>Memory Trend:</strong>
                         <span class="${health.memoryTrend === 'stable' ? 'text-ok' : health.memoryTrend === 'increasing' ? 'text-warn' : 'text-fail'}">
-                            ${health.memoryTrend}
+                            ${escapeHtml(health.memoryTrend)}
                         </span>
-                        ${health.memoryGrowthRate ? ` (${formatGrowthRate(health.memoryGrowthRate)})` : ''}
+                        ${safeMemoryGrowthRate ? ` (${safeMemoryGrowthRate})` : ''}
                     </div>
                 `;
             }
@@ -928,7 +1021,7 @@
                     <div class="health-mt-lg">
                         <strong>Issues:</strong>
                         <ul class="health-list">
-                            ${normalized.issues.map(issue => `<li class="text-fail">${issue}</li>`).join('')}
+                            ${normalized.issues.map(issue => `<li class="text-fail">${escapeHtml(issue)}</li>`).join('')}
                         </ul>
                     </div>
                 `;
@@ -939,7 +1032,7 @@
                     <div class="health-mt-lg">
                         <strong>Recommendations:</strong>
                         <ul class="health-list">
-                            ${normalized.recommendations.map(rec => `<li class="text-warn">${rec}</li>`).join('')}
+                            ${normalized.recommendations.map(rec => `<li class="text-warn">${escapeHtml(rec)}</li>`).join('')}
                         </ul>
                     </div>
                 `;
@@ -955,12 +1048,12 @@
                             <div class="resource-trend-col">
                                 <div class="spark-col">
                                     <span class="spark-label">CPU Spark (last ${Math.min(40, t.sampleCount || 0)} samples)</span>
-                                    <span class="spark-value">${t.spark || ''}</span>
+                                    <span class="spark-value">${escapeHtml(t.spark || '')}</span>
                                     <span class="spark-stats">Latest ${t.latestCpu?.toFixed ? t.latestCpu.toFixed(1) : '0'}% • Min ${(t.minCpu??0).toFixed(1)}% • Max ${(t.maxCpu??0).toFixed(1)}%</span>
                                 </div>
                                 <div class="spark-col">
                                     <span class="spark-label">Mem Spark (heap)</span>
-                                    <span class="spark-value">${t.memSpark || ''}</span>
+                                    <span class="spark-value">${escapeHtml(t.memSpark || '')}</span>
                                     <span class="spark-stats">Latest ${(t.latestHeap/1024/1024).toFixed(2)} MB • Min ${(t.minHeap/1024/1024).toFixed(2)} MB • Max ${(t.maxHeap/1024/1024).toFixed(2)} MB</span>
                                 </div>
                             </div>
@@ -974,7 +1067,7 @@
         }
 
         // --- Backup / Restore ---
-        // Extracted to js/admin.maintenance.js?v=1.22.0-e21c1bf9
+        // Extracted to js/admin.maintenance.js?v=1.26.1-9badd8dd
 
         async function performBackup() {
             try {
@@ -1040,7 +1133,7 @@
         }
 
                 async function loadConfiguration() {
-                    // Primary implementation in js/admin.config.js?v=1.22.0-e21c1bf9 (loaded via defer).
+                    // Primary implementation in js/admin.config.js?v=1.26.1-9badd8dd (loaded via defer).
                     // This inline fallback only fires if the external script failed to load.
                     if (window.__configExternalLoaded) return;
                     try {
@@ -1048,11 +1141,13 @@
                         var data = await res.json();
                         if (!data.success) throw new Error('Failed to load config');
                         var cfg = data.config;
+                        var safeMaxConnections = escapeHtml(String(cfg.serverSettings.maxConnections ?? ''));
+                        var safeRequestTimeout = escapeHtml(String(cfg.serverSettings.requestTimeout ?? ''));
                         var html = '<form onsubmit="return updateConfiguration(event)">'
                             + '<div class="form-group"><label class="form-label">Max Connections</label>'
-                            + '<input class="form-input" type="number" id="cfg-maxConnections" value="' + cfg.serverSettings.maxConnections + '" /></div>'
+                            + '<input class="form-input" type="number" id="cfg-maxConnections" value="' + safeMaxConnections + '" /></div>'
                             + '<div class="form-group"><label class="form-label">Request Timeout (ms)</label>'
-                            + '<input class="form-input" type="number" id="cfg-requestTimeout" value="' + cfg.serverSettings.requestTimeout + '" /></div>'
+                            + '<input class="form-input" type="number" id="cfg-requestTimeout" value="' + safeRequestTimeout + '" /></div>'
                             + '<div class="form-group"><label class="form-label">Verbose Logging</label>'
                             + '<select class="form-input" id="cfg-verbose"><option value="1"' + (cfg.serverSettings.enableVerboseLogging ? ' selected' : '') + '>Enabled</option>'
                             + '<option value="0"' + (!cfg.serverSettings.enableVerboseLogging ? ' selected' : '') + '>Disabled</option></select></div>'
@@ -1098,10 +1193,10 @@
                         return false;
                 }
 
-        // Monitoring functions moved to js/admin.monitor.js?v=1.22.0-e21c1bf9
+        // Monitoring functions moved to js/admin.monitor.js?v=1.26.1-9badd8dd
 
         // ===== Log Viewer =====
-        // Extracted to js/admin.logs.js?v=1.22.0-e21c1bf9
+        // Extracted to js/admin.logs.js?v=1.26.1-9badd8dd
 
         // ===== Instruction Management =====
         let instructionEditing = null;
@@ -1240,18 +1335,23 @@
                             let short = rawSummary.slice(0, 160);
                             if (rawSummary.length > 160) short += '…';
                             const safeSummary = escapeHtml(short);
+                            const safeName = escapeHtml(instr.name || '');
+                            const safeCategory = escapeHtml(instr.category || '—');
+                            const safeSize = escapeHtml(String(instr.size ?? '0'));
+                            const safeSizeCategory = escapeHtml(instr.sizeCategory || 'unknown');
+                            const safeModified = escapeHtml(new Date(instr.mtime).toLocaleString());
                             return `
                 <div class="session-item instr-item-bg">
                     <div class="session-header">
-                        <span class="session-id instr-id-bg">${instr.name}</span>
+                        <span class="session-id instr-id-bg">${safeName}</span>
                         <div>
-                           <button class="action-btn" onclick="editInstruction('${instr.name}')">✏ Edit</button>
-                           <button class="action-btn danger" onclick="deleteInstruction('${instr.name}')">🗑 Delete</button>
+                           <button class="action-btn" data-instruction-action="edit" data-instruction-name="${safeName}">✏ Edit</button>
+                           <button class="action-btn danger" data-instruction-action="delete" data-instruction-name="${safeName}">🗑 Delete</button>
                         </div>
                     </div>
-                    <div class="stat-row"><span class="stat-label">Category</span><span class="stat-value">${instr.category || '—'}</span></div>
-                    <div class="stat-row"><span class="stat-label">Size</span><span class="stat-value">${instr.size} bytes (${instr.sizeCategory})</span></div>
-                    <div class="stat-row"><span class="stat-label">Modified</span><span class="stat-value">${new Date(instr.mtime).toLocaleString()}</span></div>
+                    <div class="stat-row"><span class="stat-label">Category</span><span class="stat-value">${safeCategory}</span></div>
+                    <div class="stat-row"><span class="stat-label">Size</span><span class="stat-value">${safeSize} bytes (${safeSizeCategory})</span></div>
+                    <div class="stat-row"><span class="stat-label">Modified</span><span class="stat-value">${safeModified}</span></div>
                     <div class="stat-row stat-row-top">
                         <span class="stat-label stat-label-pt">Summary</span>
                         <span class="stat-value stat-value-wrap">
@@ -1261,6 +1361,7 @@
                 </div>`;
                         }).join('');
             document.getElementById('instructions-list').innerHTML = rows;
+                        wireLegacyInstructionActions(document.getElementById('instructions-list'));
                         buildInstructionPaginationControls(totalFiltered);
         }
 
@@ -1592,7 +1693,7 @@
             setInterval(fetchResourceTrends, 10000);
         })();
 
-        // Instruction management logic extracted to js/admin.instructions.js?v=1.22.0-e21c1bf9
+        // Instruction management logic extracted to js/admin.instructions.js?v=1.26.1-9badd8dd
         // Functions exposed globally: loadInstructions, renderInstructionList, editInstruction, saveInstruction, deleteInstruction, etc.
 
         function startAutoRefresh() {
@@ -1606,11 +1707,12 @@
                 }
             }, 30000); // Refresh every 30 seconds
     }
-    // Build metadata loader
+    // Build metadata loader — uses plain fetch (no auth needed for /api/status)
     (async function fetchBuildMeta(){
             try {
         // Cache bust query param to avoid any intermediary caching of status response
-        const r = await adminAuth.adminFetch('/api/status?t=' + Date.now());
+        const r = await fetch('/api/status?t=' + Date.now());
+                if (!r.ok) throw new Error(r.statusText);
                 const j = await r.json();
                 const el = document.getElementById('buildMeta');
                 const ver = j.version || '?.?.?';
@@ -1674,14 +1776,29 @@
             const i = Math.floor(Math.log(bytes) / Math.log(1024));
             return Math.round(bytes / Math.pow(1024, i) * 100) / 100 + ' ' + sizes[i];
         }
-        function escapeHtml(str) {
-            if (str == null) return '';
-            return String(str)
-                .replace(/&/g, '&amp;')
-                .replace(/</g, '&lt;')
-                .replace(/>/g, '&gt;')
-                .replace(/"/g, '&quot;')
-                .replace(/'/g, '&#39;');
+        // Defensive: window.adminUtils is provided by the deferred admin.utils.js
+        // script which runs AFTER this inline script, so direct access throws and
+        // permanently leaves this binding in TDZ — breaking every inline function
+        // that references escapeHtml (notably displaySystemHealth, which would
+        // silently exit and leave the System Health card stuck on its loading
+        // placeholder). Wrap in a function that resolves the helper at call time.
+        const escapeHtml = function(s) {
+            const fn = (window.adminUtils && window.adminUtils.escapeHtml) || window.escapeHtml;
+            if (fn) return fn(s);
+            return String(s == null ? '' : s).replace(/[&<>"']/g, c => ({ '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' })[c]);
+        };
+        function wireLegacyInstructionActions(listEl) {
+            if (!listEl) return;
+            listEl.querySelectorAll('[data-instruction-action]').forEach((button) => {
+                if (button.__legacyInstructionActionBound) return;
+                button.addEventListener('click', () => {
+                    const action = button.getAttribute('data-instruction-action');
+                    const instructionName = button.getAttribute('data-instruction-name') || '';
+                    if (action === 'edit') editInstruction(instructionName);
+                    if (action === 'delete') deleteInstruction(instructionName);
+                });
+                button.__legacyInstructionActionBound = true;
+            });
         }
         // ---------------- Drilldown Layered SVG (Experimental) -----------------
         // ELK auto-layout integration (Option A): dynamically load elkjs for layered layout.
@@ -2026,13 +2143,15 @@
         }
         function updateDrillLegend(data){
             const el = document.getElementById('drill-legend'); if(!el) return;
+            const safeSelected = escapeHtml(data.selected);
+            const safeLayout = escapeHtml(data.layout);
             el.innerHTML = `<div class="drill-legend-title">Legend / Stats</div>` +
                 `<div class="drill-legend-body">`+
-                `Selected: <b>${data.selected}</b>${data.expansionEnabled? ' (expand '+(data.expanded||0)+')':''}<br>`+
+                `Selected: <b>${safeSelected}</b>${data.expansionEnabled? ' (expand '+(data.expanded||0)+')':''}<br>`+
                 `Rendered Instructions: <b>${data.total}</b><br>`+
                 `Instruction Edges: <b>${data.edges}</b><br>`+
                 `Membership Lines: <b>${data.membership}</b> ${data.membership? '(primary category connectors)':''}<br>`+
-                `Layout: <b>${data.layout}</b>${data.expansionEnabled? ' + expand':''}`+
+                `Layout: <b>${safeLayout}</b>${data.expansionEnabled? ' + expand':''}`+
                 `</div>`;
         }
         function exportDrillSvg(){

package/dist/dashboard/client/css/admin.css

@@ -166,6 +166,25 @@ body {
     padding-bottom: 8px;
 }
 
+.feedback-btn {
+    position: absolute;
+    top: 12px;
+    right: 24px;
+    font-size: 12px;
+    color: var(--admin-text-dim);
+    background: transparent;
+    border: 1px solid var(--admin-border);
+    border-radius: 4px;
+    padding: 4px 10px;
+    text-decoration: none;
+    cursor: pointer;
+    transition: color 0.15s, border-color 0.15s;
+}
+.feedback-btn:hover {
+    color: var(--admin-accent);
+    border-color: var(--admin-accent);
+}
+
 /* --- Horizontal nav bar --- */
 .admin-nav {
     display: flex;
@@ -1585,3 +1604,135 @@ a.mermaid-link { color: var(--admin-accent); }
 }
 
 /* .admin-root marker (used by tests, no visual styling) */
+
+/* ==========================================================================
+   Feedback Tab
+   ========================================================================== */
+
+.feedback-toolbar {
+    display: flex;
+    align-items: center;
+    gap: 8px;
+    flex-wrap: wrap;
+    margin-bottom: 12px;
+}
+
+.feedback-status-filter {
+    max-width: 160px;
+}
+
+.feedback-table-wrap {
+    overflow-x: auto;
+    min-height: 60px;
+}
+
+.feedback-empty {
+    padding: 24px;
+    color: var(--admin-text-dim);
+    font-size: 13px;
+    text-align: center;
+}
+
+.fb-table {
+    width: 100%;
+    border-collapse: collapse;
+    font-size: 13px;
+}
+
+.fb-th {
+    padding: 6px 10px;
+    text-align: left;
+    font-size: 11px;
+    font-weight: 600;
+    letter-spacing: 0.5px;
+    text-transform: uppercase;
+    color: var(--admin-text-dim);
+    border-bottom: 1px solid var(--admin-border);
+    white-space: nowrap;
+}
+
+.fb-cell {
+    padding: 8px 10px;
+    border-bottom: 1px solid var(--admin-border-muted);
+    color: var(--admin-text);
+    vertical-align: middle;
+}
+
+.feedback-row {
+    cursor: pointer;
+    transition: background 0.1s;
+}
+
+.feedback-row:hover { background: var(--admin-surface-alt); }
+.feedback-row.selected { background: rgba(59,130,246,0.10); }
+
+.fb-id { font-family: monospace; font-size: 11px; color: var(--admin-text-dim); }
+.fb-title { max-width: 280px; white-space: nowrap; overflow: hidden; text-overflow: ellipsis; font-weight: 500; }
+.fb-type { white-space: nowrap; }
+.fb-ts { font-size: 11px; white-space: nowrap; }
+.fb-actions { white-space: nowrap; }
+
+.fb-badge {
+    display: inline-block;
+    padding: 2px 7px;
+    border-radius: 10px;
+    font-size: 11px;
+    font-weight: 600;
+    letter-spacing: 0.3px;
+    white-space: nowrap;
+}
+
+.feedback-form {
+    padding: 8px 0 12px;
+    display: flex;
+    flex-direction: column;
+    gap: 12px;
+}
+
+.feedback-form-row {
+    display: flex;
+    gap: 12px;
+    flex-wrap: wrap;
+}
+
+.feedback-form-row .form-group {
+    flex: 1;
+    min-width: 130px;
+}
+
+.feedback-detail-card {
+    margin-top: 16px;
+}
+
+.feedback-entry-description {
+    width: 100%;
+    resize: vertical;
+}
+
+.feedback-required {
+    color: var(--admin-danger);
+}
+
+.feedback-detail-actions {
+    display: flex;
+    gap: 8px;
+    flex-wrap: wrap;
+    padding-top: 8px;
+    border-top: 1px solid var(--admin-border);
+    margin-top: 4px;
+}
+
+/* Rate-limit banner (issue #63) */
+#rate-limit-banner {
+    animation: rl-fade-in 0.3s ease-out;
+}
+
+@keyframes rl-fade-in {
+    from { opacity: 0; transform: translateY(-8px); }
+    to   { opacity: 1; transform: translateY(0); }
+}
+
+/* Backup warning banner (issue #121) */
+#backup-warning-banner {
+    animation: rl-fade-in 0.3s ease-out;
+}

package/dist/dashboard/client/js/admin.auth.js

@@ -1,32 +1,33 @@
 /* eslint-disable */
 // admin.auth.js
 // Dashboard authentication — manages admin API key for non-loopback access.
-// Stores token in sessionStorage (cleared on tab close). On 401/403, shows a
-// login modal and retries the request once after the user enters a key.
+// Token is held in module-scoped memory only (never written to sessionStorage
+// or localStorage). It is cleared on tab close / reload by virtue of being a
+// JavaScript variable, and cleared on 401/403 + explicit logout. On 401/403,
+// shows a login modal and retries the request once after the user enters a
+// key. This avoids js/clear-text-storage-of-sensitive-data exposure to XSS.
 (function(window) {
   'use strict';
 
-  var STORAGE_KEY = 'indexserver_admin_token';
+  // In-memory only. Re-prompt on page reload.
+  var _token = '';
   var _loginPromise = null;
   var _overlay = null;
 
   function getToken() {
-    try { return sessionStorage.getItem(STORAGE_KEY) || ''; } catch (_) { return ''; }
+    return _token || '';
   }
 
   function setToken(token) {
-    try {
-      if (token) sessionStorage.setItem(STORAGE_KEY, token);
-      else sessionStorage.removeItem(STORAGE_KEY);
-    } catch (_) { /* private browsing or quota */ }
+    _token = token ? String(token) : '';
   }
 
   function clearToken() {
-    try { sessionStorage.removeItem(STORAGE_KEY); } catch (_) { /* ignore */ }
+    _token = '';
   }
 
   function isAuthenticated() {
-    return !!getToken();
+    return !!_token;
   }
 
   function applyAuthHeader(headers, token) {
@@ -49,6 +50,19 @@
 
     var response = await fetch(url, options);
 
+    // Rate-limit detection: surface 429 visibly (issue #63)
+    if (response.status === 429) {
+      try {
+        var rlBody = await response.clone().json();
+        var retryAfter = rlBody.retryAfterSeconds || Number(response.headers.get('Retry-After')) || 60;
+        var tier = rlBody.tier || 'global';
+        if (window.adminUtils && window.adminUtils.showRateLimitBanner) {
+          window.adminUtils.showRateLimitBanner(retryAfter, tier);
+        }
+      } catch (_e) { /* couldn't parse 429 body — still return the response */ }
+      return response;
+    }
+
     if (response.status !== 401 && response.status !== 403) return response;
 
     // Deduplicate: if login prompt is already showing, wait for the same promise
@@ -144,7 +158,7 @@
     if (isAuthenticated()) {
       badge.textContent = '🔓 Authenticated';
       badge.className = 'auth-indicator auth-ok';
-      badge.title = 'Admin API key active (sessionStorage). Click to logout.';
+      badge.title = 'Admin API key active (in-memory; cleared on reload). Click to logout.';
       badge.onclick = logout;
       badge.style.cursor = 'pointer';
     } else {