npm - @lifeaitools/clauth - Versions diffs - 0.3.11 → 0.3.12 - Mend

@lifeaitools/clauth 0.3.11 → 0.3.12

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (23) hide show

package/.clauth-skill/SKILL.md +184 -184
package/.clauth-skill/references/keys-guide.md +270 -270
package/.clauth-skill/references/operator-guide.md +148 -148
package/README.md +125 -125
package/cli/api.js +113 -112
package/cli/commands/install.js +265 -264
package/cli/commands/scrub.js +231 -231
package/cli/commands/serve.js +1213 -1213
package/cli/commands/uninstall.js +164 -164
package/cli/conf-path.js +21 -0
package/cli/fingerprint.js +91 -91
package/cli/index.js +493 -492
package/install.ps1 +44 -44
package/install.sh +38 -38
package/package.json +54 -54
package/scripts/bin/bootstrap-linux +0 -0
package/scripts/bin/bootstrap-macos +0 -0
package/scripts/bootstrap.cjs +43 -43
package/scripts/build.sh +45 -45
package/supabase/functions/auth-vault/index.ts +235 -235
package/supabase/migrations/001_clauth_schema.sql +103 -103
package/supabase/migrations/002_vault_helpers.sql +90 -90
package/supabase/migrations/20260317_lockout.sql +26 -26

package/cli/commands/serve.js CHANGED Viewed

@@ -1,1213 +1,1213 @@
-// cli/commands/serve.js
-// Localhost-only credential daemon with daemon lifecycle management
-// Binds 127.0.0.1 ONLY — unreachable from outside the machine
-// 3 failed requests of any kind → process exits, requires manual restart
-// Supports: start (background daemon), stop, restart, ping, foreground
-import http from "http";
-import fs from "fs";
-import os from "os";
-import path from "path";
-import { fileURLToPath } from "url";
-import { getMachineHash, deriveToken, deriveSeedHash } from "../fingerprint.js";
-import * as api from "../api.js";
-import chalk from "chalk";
-const __dirname = path.dirname(fileURLToPath(import.meta.url));
-const pkg = JSON.parse(fs.readFileSync(path.join(__dirname, "../../package.json"), "utf8"));
-const VERSION = pkg.version;
-const PID_FILE = path.join(os.tmpdir(), "clauth-serve.pid");
-const LOG_FILE = path.join(os.tmpdir(), "clauth-serve.log");
-// ── PID helpers ──────────────────────────────────────────────
-function readPid() {
-  try {
-    const raw = fs.readFileSync(PID_FILE, "utf8").trim();
-    const [pid, port] = raw.split(":");
-    return { pid: parseInt(pid, 10), port: parseInt(port, 10) };
-  } catch { return null; }
-}
-function writePid(pid, port) {
-  fs.writeFileSync(PID_FILE, `${pid}:${port}`, "utf8");
-}
-function removePid() {
-  try { fs.unlinkSync(PID_FILE); } catch {}
-}
-function isProcessAlive(pid) {
-  try { process.kill(pid, 0); return true; } catch { return false; }
-}
-// ── Dashboard HTML ───────────────────────────────────────────
-function dashboardHtml(port, whitelist) {
-  return `<!DOCTYPE html>
-<html lang="en">
-<head>
-<meta charset="utf-8">
-<meta name="viewport" content="width=device-width,initial-scale=1">
-<title>clauth vault v${VERSION}</title>
-<style>
-  *{margin:0;padding:0;box-sizing:border-box}
-  body{background:#0a0f1a;color:#e2e8f0;font-family:-apple-system,BlinkMacSystemFont,'Segoe UI',sans-serif;min-height:100vh}
-  /* ── Lock screen ── */
-  #lock-screen{display:flex;flex-direction:column;align-items:center;justify-content:center;min-height:100vh;padding:2rem}
-  .lock-card{background:#1e293b;border:1px solid #334155;border-radius:12px;padding:2.5rem 2rem;width:100%;max-width:380px;text-align:center}
-  .lock-icon{font-size:2.5rem;margin-bottom:1rem}
-  .lock-title{font-size:1.25rem;font-weight:600;color:#f8fafc;margin-bottom:.4rem}
-  .lock-sub{font-size:.85rem;color:#64748b;margin-bottom:1.75rem}
-  .lock-input{width:100%;background:#0f172a;border:1px solid #334155;border-radius:8px;color:#e2e8f0;font-family:'Courier New',monospace;font-size:1rem;padding:10px 14px;outline:none;text-align:center;letter-spacing:.1em;transition:border-color .2s;margin-bottom:1rem}
-  .lock-input:focus{border-color:#3b82f6}
-  .lock-input.error{border-color:#ef4444;animation:shake .3s}
-  @keyframes shake{0%,100%{transform:translateX(0)}25%{transform:translateX(-6px)}75%{transform:translateX(6px)}}
-  .btn-unlock{width:100%;background:#3b82f6;color:#fff;border:none;border-radius:8px;padding:10px;font-size:.95rem;font-weight:600;cursor:pointer;transition:background .15s}
-  .btn-unlock:hover{background:#2563eb}
-  .btn-unlock:disabled{background:#1e3a5f;color:#4a6fa5;cursor:not-allowed}
-  .lock-err{color:#f87171;font-size:.82rem;margin-top:.75rem;min-height:1.2em}
-  /* ── Main view ── */
-  #main-view{display:none;padding:2rem}
-  .header{display:flex;align-items:center;gap:10px;margin-bottom:1.5rem;flex-wrap:wrap}
-  .header h1{font-size:1.4rem;font-weight:600;flex:1}
-  .dot{width:10px;height:10px;border-radius:50%;background:#22c55e;animation:pulse 2s infinite;flex-shrink:0}
-  @keyframes pulse{0%,100%{opacity:1}50%{opacity:.4}}
-  .status-bar{display:flex;gap:1.5rem;margin-bottom:1.5rem;font-size:.82rem;color:#94a3b8;flex-wrap:wrap}
-  .status-bar span{color:#e2e8f0;font-weight:500}
-  .toolbar{display:flex;gap:8px;margin-bottom:1rem;flex-wrap:wrap;align-items:center}
-  .chpw-panel{display:none;background:#1a1f2e;border:1px solid #334155;border-radius:8px;padding:1.25rem;margin-bottom:1.5rem}
-  .chpw-panel h3{font-size:.9rem;font-weight:600;color:#f8fafc;margin-bottom:1rem}
-  .chpw-row{display:flex;gap:10px;flex-wrap:wrap;align-items:flex-end;margin-bottom:.75rem}
-  .chpw-field{display:flex;flex-direction:column;gap:4px}
-  .chpw-field label{font-size:.75rem;color:#64748b}
-  .chpw-input{background:#0f172a;border:1px solid #334155;border-radius:6px;color:#e2e8f0;font-family:'Courier New',monospace;font-size:.88rem;padding:7px 12px;outline:none;width:200px;transition:border-color .2s}
-  .chpw-input:focus{border-color:#3b82f6}
-  .chpw-foot{display:flex;gap:8px;align-items:center}
-  .btn-chpw-save{background:#1e3a5f;color:#60a5fa;padding:7px 18px;font-size:.85rem;border-radius:6px;border:none;cursor:pointer;font-weight:500;transition:background .15s}
-  .btn-chpw-save:hover{background:#1e4a7f}
-  .chpw-msg{font-size:.82rem}
-  .chpw-msg.ok{color:#4ade80} .chpw-msg.fail{color:#f87171}
-  .btn-refresh{background:#3b82f6;color:#fff;padding:7px 18px;font-size:.85rem;border-radius:7px;border:none;cursor:pointer;font-weight:500}
-  .btn-refresh:hover{background:#2563eb}
-  .btn-lock{background:#1e293b;color:#f87171;border:1px solid #334155;padding:7px 16px;font-size:.85rem;border-radius:7px;cursor:pointer;font-weight:500}
-  .btn-lock:hover{background:#2d1f1f;border-color:#f87171}
-  .grid{display:grid;grid-template-columns:repeat(auto-fill,minmax(300px,1fr));gap:1rem}
-  .card{background:#1e293b;border:1px solid #334155;border-radius:8px;padding:1.25rem;transition:border-color .2s}
-  .card:hover{border-color:#3b82f6}
-  .card-name{font-size:1rem;font-weight:600;color:#f8fafc;margin-bottom:3px}
-  .card-type{font-size:.78rem;color:#64748b;text-transform:uppercase;letter-spacing:.5px}
-  .card-getkey{font-size:.75rem;color:#3b82f6;text-decoration:none;opacity:.7;transition:opacity .15s}
-  .card-getkey:hover{opacity:1;text-decoration:underline}
-  .card-value{font-family:'Courier New',monospace;font-size:.82rem;color:#22c55e;background:#0f172a;border-radius:4px;padding:8px 10px;margin-top:10px;word-break:break-all;max-height:80px;overflow:auto;display:none}
-  .card-actions{margin-top:10px;display:flex;gap:7px;flex-wrap:wrap}
-  .set-panel{display:none;margin-top:10px;background:#0f172a;border-radius:6px;padding:10px;border:1px solid #1e3a5f}
-  .set-panel label{font-size:.75rem;color:#64748b;display:block;margin-bottom:6px}
-  .set-input{width:100%;background:#0a0f1a;border:1px solid #1e3a5f;border-radius:4px;color:#e2e8f0;font-family:'Courier New',monospace;font-size:.85rem;padding:7px 10px;outline:none;resize:vertical;min-height:58px;transition:border-color .2s}
-  .set-input:focus{border-color:#3b82f6}
-  .set-foot{margin-top:8px;display:flex;gap:8px;align-items:center}
-  .set-msg{font-size:.8rem}
-  .set-msg.ok{color:#4ade80} .set-msg.fail{color:#f87171}
-  .btn{padding:6px 13px;border-radius:6px;border:none;cursor:pointer;font-size:.8rem;font-weight:500;transition:all .15s}
-  .btn-reveal{background:#1e3a5f;color:#60a5fa}.btn-reveal:hover{background:#1e4a7f}
-  .btn-copy{background:#1a3328;color:#4ade80}.btn-copy:hover{background:#1a4338}
-  .btn-set{background:#2d1f4a;color:#a78bfa}.btn-set:hover{background:#3d2f5a}
-  .btn-save{background:#1e3a5f;color:#60a5fa;padding:6px 16px}.btn-save:hover{background:#1e4a7f}
-  .btn-cancel{background:transparent;color:#64748b;padding:6px 10px}.btn-cancel:hover{color:#94a3b8}
-  .btn-check{background:#0f2d2d;color:#34d399;border:1px solid #064e3b;padding:7px 16px;font-size:.85rem;border-radius:7px;cursor:pointer;font-weight:500;transition:all .15s}
-  .btn-check:hover{background:#134e4a;border-color:#34d399}.btn-check:disabled{opacity:.5;cursor:not-allowed}
-  .btn-enable{background:#14291a;color:#4ade80;border:1px solid #166534}.btn-enable:hover{background:#1a3d22;border-color:#4ade80}
-  .btn-disable{background:#2d1f1f;color:#f87171;border:1px solid #7f1d1d}.btn-disable:hover{background:#3d2525;border-color:#f87171}
-  .svc-badge{font-size:.7rem;font-weight:600;padding:2px 7px;border-radius:4px;letter-spacing:.4px;text-transform:uppercase}
-  .svc-badge.on{background:rgba(74,222,128,.12);color:#4ade80;border:1px solid rgba(74,222,128,.25)}
-  .svc-badge.off{background:rgba(248,113,113,.1);color:#f87171;border:1px solid rgba(248,113,113,.2)}
-  .status-dot{width:8px;height:8px;border-radius:50%;flex-shrink:0;opacity:0;transition:opacity .3s;margin-top:4px;cursor:default}
-  .status-dot.checking{background:#f59e0b;opacity:1;animation:pulse 1s infinite}
-  .status-dot.ok{background:#22c55e;opacity:1}
-  .status-dot.fail{background:#ef4444;opacity:1}
-  @keyframes sdot-fade{to{opacity:0}} .status-dot.fading{animation:sdot-fade 1.5s forwards}
-  .error-bar{background:#7f1d1d;color:#fca5a5;border:1px solid #991b1b;padding:10px 14px;border-radius:8px;margin-bottom:1rem;display:none;font-size:.85rem}
-  .loading{color:#64748b;font-style:italic}
-  .footer{margin-top:2rem;font-size:.75rem;color:#475569;text-align:center}
-  .oauth-fields{display:flex;flex-direction:column;gap:8px;margin-bottom:8px}
-  .oauth-field{display:flex;flex-direction:column;gap:3px}
-  .oauth-label{font-size:.75rem;color:#94a3b8;font-weight:500}
-  .oauth-hint{font-size:.71rem;color:#475569;font-style:italic}
-  .oauth-input{width:100%;background:#0a0f1a;border:1px solid #1e3a5f;border-radius:4px;color:#e2e8f0;font-family:'Courier New',monospace;font-size:.85rem;padding:7px 10px;outline:none;transition:border-color .2s}
-  .oauth-input:focus{border-color:#3b82f6}
-</style>
-</head>
-<body>
-<!-- ── Lock screen ──────────────────────────── -->
-<div id="lock-screen">
-  <div class="lock-card">
-    <div class="lock-icon">🔒</div>
-    <div class="lock-title">clauth vault</div>
-    <div class="lock-sub">Paste your password to unlock</div>
-    <input class="lock-input" id="lock-input" type="password" placeholder="••••••••••••" autocomplete="off">
-    <button class="btn-unlock" id="unlock-btn" onclick="unlock()">Unlock</button>
-    <div class="lock-err" id="lock-err"></div>
-  </div>
-</div>
-<!-- ── Main view (shown after unlock) ──────── -->
-<div id="main-view">
-  <div class="header">
-    <div class="dot" id="dot"></div>
-    <h1>🔐 clauth vault <span style="font-size:0.55em;opacity:0.45;font-weight:400">v${VERSION}</span></h1>
-  </div>
-  <div id="error-bar" class="error-bar"></div>
-  <div class="status-bar">
-    <div>PID: <span id="s-pid">—</span></div>
-    <div>Port: <span id="s-port">${port}</span></div>
-    <div>Services: <span id="s-services">${whitelist ? whitelist.join(", ") : "all"}</span></div>
-    <div>Failures: <span id="s-fails">—</span></div>
-  </div>
-  <div class="toolbar">
-    <button class="btn-refresh" onclick="loadServices()">↻ Refresh</button>
-    <button class="btn-check" id="check-btn" onclick="checkAll()">⬤ Check All</button>
-    <button class="btn-lock" onclick="lockVault()">🔒 Lock</button>
-    <button class="btn-cancel" style="margin-left:auto" onclick="toggleChangePw()">Change Password</button>
-  </div>
-  <div class="chpw-panel" id="chpw-panel">
-    <h3>Change Master Password</h3>
-    <div class="chpw-row">
-      <div class="chpw-field">
-        <label>New password</label>
-        <input class="chpw-input" id="chpw-new" type="password" placeholder="min 8 chars" autocomplete="new-password">
-      </div>
-      <div class="chpw-field">
-        <label>Confirm</label>
-        <input class="chpw-input" id="chpw-confirm" type="password" placeholder="repeat" autocomplete="new-password">
-      </div>
-    </div>
-    <div class="chpw-foot">
-      <button class="btn-chpw-save" onclick="changePassword()">Update Password</button>
-      <button class="btn-cancel" onclick="toggleChangePw()">Cancel</button>
-      <span class="chpw-msg" id="chpw-msg"></span>
-    </div>
-  </div>
-  <div id="grid" class="grid"><p class="loading">Loading services…</p></div>
-  <div class="footer">localhost:${port} · 127.0.0.1 only · 3-strike lockout</div>
-</div>
-<script>
-const BASE = "http://127.0.0.1:${port}";
-const SERVICE_HINTS = {
-  "neo4j":           "neo4j+s://username:password@instance.databases.neo4j.io",
-  "supabase-db":     "postgresql://postgres:password@db.ref.supabase.co:5432/postgres",
-  "r2":              "accountId:accessKeyId:secretAccessKey",
-  "namecheap":       "apiUser:apiKey",
-};
-const KEY_URLS = {
-  "github":          "https://github.com/settings/tokens",
-  "vercel":          "https://vercel.com/account/tokens",
-  "supabase-anon":   "https://supabase.com/dashboard/project/uvojezuorjgqzmhhgluu/settings/api",
-  "supabase-service":"https://supabase.com/dashboard/project/uvojezuorjgqzmhhgluu/settings/api",
-  "supabase-db":     "https://supabase.com/dashboard/project/uvojezuorjgqzmhhgluu/settings/database",
-  "anthropic":       "https://console.anthropic.com/settings/keys",
-  "cloudflare":      "https://dash.cloudflare.com/profile/api-tokens",
-  "r2":              "https://dash.cloudflare.com/profile/api-tokens",
-  "r2-bucket":       "https://dash.cloudflare.com/profile/api-tokens",
-  "rocketreach":     "https://rocketreach.co/account?section=security",
-  "namecheap":       "https://ap.www.namecheap.com/settings/tools/apiaccess/",
-  "neo4j":           "https://console.neo4j.io/",
-  "npm":             "https://www.npmjs.com/settings/~/tokens",
-  "gmail":           "https://console.cloud.google.com/apis/credentials",
-};
-// ── OAuth import config ─────────────────────
-// OAuth services with atomic fields — each field saved as clauth.<service>.<key>
-// No JSON blob parsing. Each field is its own vault secret.
-const OAUTH_FIELDS = {
-  "gmail": [
-    { key: "client_id",     label: "Client ID",     hint: "From Google Cloud Console → APIs & Services → Credentials → OAuth client", required: true },
-    { key: "client_secret", label: "Client Secret", hint: "From Google Cloud Console OAuth client",                                    required: true },
-    { key: "refresh_token", label: "Refresh Token", hint: "From Google OAuth Playground or your app's auth callback",                 required: true },
-    { key: "from_address",  label: "From Address",  hint: "Gmail address to send from (e.g. dave@life.ai)",                           required: false },
-  ]
-};
-function renderSetPanel(name) {
-  const fields = OAUTH_FIELDS[name];
-  if (fields) {
-    const fieldsHtml = fields.map(f => \`
-      <div class="oauth-field">
-        <label class="oauth-label">\${f.label}\${f.required ? "" : " <span style='color:#475569'>(optional)</span>"}</label>
-        \${f.hint ? \`<div class="oauth-hint">\${f.hint}</div>\` : ""}
-        <input type="text" class="oauth-input" id="ofield-\${name}-\${f.key}" placeholder="Paste \${f.label}…" spellcheck="false" autocomplete="off">
-      </div>
-    \`).join("");
-    return \`
-      <div class="set-panel" id="set-panel-\${name}">
-        <label>Set <strong>\${name}</strong> credentials — paste directly from source, never in chat</label>
-        <div class="oauth-fields">
-          \${fieldsHtml}
-        </div>
-        <div class="set-foot">
-          <button class="btn btn-save" onclick="saveKey('\${name}')">Save</button>
-          <button class="btn btn-cancel" onclick="toggleSet('\${name}')">Cancel</button>
-          <span class="set-msg" id="set-msg-\${name}"></span>
-        </div>
-      </div>
-    \`;
-  }
-  return \`
-    <div class="set-panel" id="set-panel-\${name}">
-      <label>New value for <strong>\${name}</strong> — paste here, never in chat</label>
-      <textarea class="set-input" id="set-input-\${name}" placeholder="\${SERVICE_HINTS[name] || "Paste credential…"}" spellcheck="false"></textarea>
-      \${SERVICE_HINTS[name] ? \`<div style="font-size:.72rem;color:#475569;margin-top:4px;font-family:'Courier New',monospace">\${SERVICE_HINTS[name]}</div>\` : ""}
-      <div class="set-foot">
-        <button class="btn btn-save" onclick="saveKey('\${name}')">Save</button>
-        <button class="btn btn-cancel" onclick="toggleSet('\${name}')">Cancel</button>
-        <span class="set-msg" id="set-msg-\${name}"></span>
-      </div>
-    </div>
-  \`;
-}
-// ── Boot: check lock state ──────────────────
-async function boot() {
-  try {
-    const ping = await fetch(BASE + "/ping").then(r => r.json());
-    if (ping.locked) {
-      showLockScreen();
-    } else {
-      showMain(ping);
-      loadServices();
-    }
-  } catch {
-    showLockScreen();
-  }
-}
-function showLockScreen() {
-  document.getElementById("lock-screen").style.display = "flex";
-  document.getElementById("main-view").style.display = "none";
-  setTimeout(() => document.getElementById("lock-input").focus(), 50);
-}
-function showMain(ping) {
-  document.getElementById("lock-screen").style.display = "none";
-  document.getElementById("main-view").style.display = "block";
-  if (ping) {
-    document.getElementById("s-pid").textContent = ping.pid || "—";
-    document.getElementById("s-fails").textContent =
-      ping.failures + "/" + (ping.failures + ping.failures_remaining);
-  }
-}
-// ── Unlock ──────────────────────────────────
-async function unlock() {
-  const input = document.getElementById("lock-input");
-  const btn   = document.getElementById("unlock-btn");
-  const err   = document.getElementById("lock-err");
-  const pw    = input.value;
-  if (!pw) { err.textContent = "Password is required."; return; }
-  btn.disabled = true; btn.textContent = "Verifying…"; err.textContent = "";
-  try {
-    const r = await fetch(BASE + "/auth", {
-      method: "POST",
-      headers: { "Content-Type": "application/json" },
-      body: JSON.stringify({ password: pw })
-    }).then(r => r.json());
-    if (r.error) throw new Error(r.error);
-    input.value = "";
-    const ping = await fetch(BASE + "/ping").then(r => r.json());
-    showMain(ping);
-    loadServices();
-  } catch (e) {
-    input.value = "";
-    input.className = "lock-input error";
-    err.textContent = "✗ " + (e.message || "Invalid password");
-    setTimeout(() => input.className = "lock-input", 600);
-  } finally {
-    btn.disabled = false; btn.textContent = "Unlock";
-  }
-}
-// ── Lock ────────────────────────────────────
-async function lockVault() {
-  await fetch(BASE + "/lock", { method: "POST" }).catch(() => {});
-  showLockScreen();
-}
-// ── Load services ───────────────────────────
-async function loadServices() {
-  const grid = document.getElementById("grid");
-  const err  = document.getElementById("error-bar");
-  err.style.display = "none";
-  grid.innerHTML = '<p class="loading">Loading…</p>';
-  try {
-    const status = await fetch(BASE + "/status").then(r => r.json());
-    if (status.locked) { showLockScreen(); return; }
-    if (status.error) throw new Error(status.error);
-    const services = status.services || [];
-    if (!services.length) { grid.innerHTML = '<p class="loading">No services registered.</p>'; return; }
-    grid.innerHTML = services.map(s => \`
-      <div class="card">
-        <div style="display:flex;align-items:flex-start;justify-content:space-between">
-          <div>
-            <div class="card-name">\${s.name}</div>
-            <div style="display:flex;align-items:center;gap:6px;margin-top:2px">
-              <div class="card-type">\${s.key_type || "secret"}</div>
-              <span class="svc-badge \${s.enabled === false ? "off" : "on"}" id="badge-\${s.name}">\${s.enabled === false ? "disabled" : "enabled"}</span>
-            </div>
-            \${KEY_URLS[s.name] ? \`<a class="card-getkey" href="\${KEY_URLS[s.name]}" target="_blank" rel="noopener">↗ Get / rotate key</a>\` : ""}
-          </div>
-          <div class="status-dot" id="sdot-\${s.name}" title=""></div>
-        </div>
-        <div class="card-value" id="val-\${s.name}"></div>
-        <div class="card-actions">
-          <button class="btn btn-reveal" onclick="reveal('\${s.name}', this)">Reveal</button>
-          <button class="btn btn-copy" id="copybtn-\${s.name}" style="display:none" onclick="copyKey('\${s.name}')">Copy</button>
-          <button class="btn btn-set" onclick="toggleSet('\${s.name}')">Set</button>
-          <button class="btn \${s.enabled === false ? "btn-enable" : "btn-disable"}" id="togbtn-\${s.name}" onclick="toggleService('\${s.name}')">\${s.enabled === false ? "Enable" : "Disable"}</button>
-        </div>
-        \${renderSetPanel(s.name)}
-      </div>
-    \`).join("");
-  } catch (e) {
-    err.textContent = "⚠ " + e.message;
-    err.style.display = "block";
-    document.getElementById("dot").style.background = "#ef4444";
-    grid.innerHTML = "";
-  }
-}
-// ── Reveal ──────────────────────────────────
-async function reveal(name, btn) {
-  const valEl   = document.getElementById("val-" + name);
-  const copyBtn = document.getElementById("copybtn-" + name);
-  if (valEl.style.display === "block") {
-    valEl.style.display = "none"; copyBtn.style.display = "none";
-    btn.textContent = "Reveal"; return;
-  }
-  valEl.textContent = "fetching…"; valEl.style.display = "block"; btn.textContent = "Hide";
-  try {
-    const r = await fetch(BASE + "/get/" + name).then(r => r.json());
-    if (r.locked) { showLockScreen(); return; }
-    if (r.error) throw new Error(r.error);
-    const imp = OAUTH_IMPORT[name];
-    if (imp) {
-      try {
-        const parsed = JSON.parse(r.value);
-        const allKeys = [...imp.jsonFields, ...imp.extra.map(f => f.key)];
-        valEl.innerHTML = allKeys.map(k =>
-          '<div style="margin-bottom:6px"><span style="color:#64748b;font-size:.72rem;text-transform:uppercase;letter-spacing:.4px">' + k.replace(/_/g," ") + '</span><br>' + (parsed[k] || "—") + '</div>'
-        ).join("");
-      } catch { valEl.textContent = r.value; }
-    } else {
-      valEl.textContent = r.value;
-    }
-    copyBtn.style.display = "inline-block";
-  } catch (e) {
-    valEl.textContent = "Error: " + e.message; valEl.style.color = "#ef4444";
-  }
-}
-async function copyKey(name) {
-  const val = document.getElementById("val-" + name).textContent;
-  try {
-    await navigator.clipboard.writeText(val);
-    const btn = document.getElementById("copybtn-" + name);
-    btn.textContent = "Copied!"; setTimeout(() => btn.textContent = "Copy", 1500);
-  } catch {}
-}
-// ── Set key ─────────────────────────────────
-function toggleSet(name) {
-  const panel = document.getElementById("set-panel-" + name);
-  const msg   = document.getElementById("set-msg-" + name);
-  const open  = panel.style.display === "block";
-  panel.style.display = open ? "none" : "block";
-  if (!open) {
-    if (msg) msg.textContent = "";
-    const imp = OAUTH_IMPORT[name];
-    if (imp) {
-      const jsonEl = document.getElementById("ofield-" + name + "-json");
-      if (jsonEl) { jsonEl.value = ""; jsonEl.focus(); }
-      imp.extra.forEach(f => { const el = document.getElementById("ofield-" + name + "-" + f.key); if (el) el.value = ""; });
-    } else {
-      const input = document.getElementById("set-input-" + name);
-      if (input) { input.value = ""; input.focus(); }
-    }
-  }
-}
-async function saveKey(name) {
-  const msg = document.getElementById("set-msg-" + name);
-  const fields = OAUTH_FIELDS[name];
-  if (fields) {
-    // Validate required fields first
-    for (const f of fields) {
-      if (!f.required) continue;
-      const el = document.getElementById("ofield-" + name + "-" + f.key);
-      if (!el || !el.value.trim()) {
-        msg.className = "set-msg fail"; msg.textContent = f.label + " is required."; return;
-      }
-    }
-    // Save each field as an atomic vault key: clauth.<service>.<key>
-    msg.className = "set-msg"; msg.textContent = "Saving…";
-    try {
-      for (const f of fields) {
-        const el = document.getElementById("ofield-" + name + "-" + f.key);
-        const v = el ? el.value.trim() : "";
-        if (!v) continue; // skip optional empty fields
-        const r = await fetch(BASE + "/set/" + name + "." + f.key, {
-          method: "POST",
-          headers: { "Content-Type": "application/json" },
-          body: JSON.stringify({ value: v })
-        }).then(r => r.json());
-        if (r.locked) { showLockScreen(); return; }
-        if (r.error) throw new Error(r.error);
-      }
-      msg.className = "set-msg ok"; msg.textContent = "✓ Saved";
-      fields.forEach(f => { const el = document.getElementById("ofield-" + name + "-" + f.key); if (el) el.value = ""; });
-    } catch (e) {
-      msg.className = "set-msg fail"; msg.textContent = e.message || "Save failed";
-      return;
-    }
-  } else {
-    const input = document.getElementById("set-input-" + name);
-    const value = input ? input.value.trim() : "";
-    if (!value) { msg.className = "set-msg fail"; msg.textContent = "Value is empty."; return; }
-    msg.className = "set-msg"; msg.textContent = "Saving…";
-    try {
-      const r = await fetch(BASE + "/set/" + name, {
-        method: "POST",
-        headers: { "Content-Type": "application/json" },
-        body: JSON.stringify({ value })
-      }).then(r => r.json());
-      if (r.locked) { showLockScreen(); return; }
-      if (r.error) throw new Error(r.error);
-      msg.className = "set-msg ok"; msg.textContent = "✓ Saved";
-      const inp = document.getElementById("set-input-" + name);
-      if (inp) inp.value = "";
-    } catch (e) {
-      msg.className = "set-msg fail"; msg.textContent = e.message || "Save failed";
-      return;
-    }
-  }
-  const dot = document.getElementById("sdot-" + name);
-  if (dot) { dot.className = "status-dot"; dot.title = ""; }
-  setTimeout(() => {
-    document.getElementById("set-panel-" + name).style.display = "none";
-    msg.textContent = "";
-  }, 1800);
-}
-// ── Enable / Disable service ────────────────
-async function toggleService(name) {
-  const badge  = document.getElementById("badge-" + name);
-  const btn    = document.getElementById("togbtn-" + name);
-  const currently = badge.classList.contains("on");
-  const newState  = !currently;
-  btn.disabled = true; btn.textContent = "…";
-  try {
-    const r = await fetch(BASE + "/toggle/" + name, {
-      method: "POST",
-      headers: { "Content-Type": "application/json" },
-      body: JSON.stringify({ enabled: newState })
-    }).then(r => r.json());
-    if (r.locked) { showLockScreen(); return; }
-    if (r.error) throw new Error(r.error);
-    badge.className = "svc-badge " + (newState ? "on" : "off");
-    badge.textContent = newState ? "enabled" : "disabled";
-    btn.className = "btn " + (newState ? "btn-disable" : "btn-enable");
-    btn.textContent = newState ? "Disable" : "Enable";
-  } catch (e) {
-    btn.textContent = "Error";
-    setTimeout(() => {
-      btn.textContent = currently ? "Disable" : "Enable";
-    }, 2000);
-  } finally {
-    btn.disabled = false;
-  }
-}
-// ── Check all credentials ───────────────────
-async function checkAll() {
-  const btn = document.getElementById("check-btn");
-  btn.disabled = true; btn.textContent = "Checking…";
-  // Show checking state on every visible dot
-  document.querySelectorAll(".status-dot").forEach(d => {
-    d.className = "status-dot checking"; d.title = "Checking…";
-  });
-  try {
-    const r = await fetch(BASE + "/check-all").then(r => r.json());
-    if (r.locked) { showLockScreen(); return; }
-    if (r.error) throw new Error(r.error);
-    const results = r.results || {};
-    for (const [name, result] of Object.entries(results)) {
-      const dot = document.getElementById("sdot-" + name);
-      if (!dot) continue;
-      if (result.ok) {
-        dot.className = "status-dot ok"; dot.title = "OK";
-      } else {
-        dot.className = "status-dot fail";
-        dot.title = result.reason || "No key stored";
-      }
-    }
-    // Fade green dots after 3 s — red dots stay until next check
-    setTimeout(() => {
-      document.querySelectorAll(".status-dot.ok").forEach(d => d.classList.add("fading"));
-    }, 3000);
-  } catch (e) {
-    document.querySelectorAll(".status-dot").forEach(d => { d.className = "status-dot"; d.title = ""; });
-    const errBar = document.getElementById("error-bar");
-    errBar.textContent = "⚠ Check failed: " + e.message;
-    errBar.style.display = "block";
-  } finally {
-    btn.disabled = false; btn.textContent = "⬤ Check All";
-  }
-}
-// ── Change password ─────────────────────────
-function toggleChangePw() {
-  const panel = document.getElementById("chpw-panel");
-  const open  = panel.style.display === "block";
-  panel.style.display = open ? "none" : "block";
-  if (!open) {
-    document.getElementById("chpw-new").value = "";
-    document.getElementById("chpw-confirm").value = "";
-    document.getElementById("chpw-msg").textContent = "";
-    document.getElementById("chpw-new").focus();
-  }
-}
-async function changePassword() {
-  const newPw  = document.getElementById("chpw-new").value;
-  const confPw = document.getElementById("chpw-confirm").value;
-  const msg    = document.getElementById("chpw-msg");
-  if (!newPw) { msg.className = "chpw-msg fail"; msg.textContent = "Enter a new password."; return; }
-  if (newPw.length < 8) { msg.className = "chpw-msg fail"; msg.textContent = "Minimum 8 characters."; return; }
-  if (newPw !== confPw) { msg.className = "chpw-msg fail"; msg.textContent = "Passwords don't match."; return; }
-  msg.className = "chpw-msg"; msg.textContent = "Updating…";
-  try {
-    const r = await fetch(BASE + "/change-pw", {
-      method: "POST",
-      headers: { "Content-Type": "application/json" },
-      body: JSON.stringify({ newPassword: newPw })
-    }).then(r => r.json());
-    if (r.locked) { showLockScreen(); return; }
-    if (r.error) throw new Error(r.error);
-    msg.className = "chpw-msg ok"; msg.textContent = "✓ Password updated";
-    document.getElementById("chpw-new").value = "";
-    document.getElementById("chpw-confirm").value = "";
-    setTimeout(() => {
-      document.getElementById("chpw-panel").style.display = "none";
-      msg.textContent = "";
-    }, 2000);
-  } catch (e) {
-    msg.className = "chpw-msg fail"; msg.textContent = "✗ " + e.message;
-  }
-}
-// Enter key on lock screen
-document.addEventListener("DOMContentLoaded", () => {
-  document.getElementById("lock-input").addEventListener("keydown", e => {
-    if (e.key === "Enter") unlock();
-  });
-});
-boot();
-</script>
-</body>
-</html>`;
-}
-// ── Body parser helper ────────────────────────────────────────
-function readBody(req) {
-  return new Promise((resolve, reject) => {
-    let data = "";
-    req.on("data", chunk => { data += chunk; if (data.length > 65536) reject(new Error("Body too large")); });
-    req.on("end", () => { try { resolve(JSON.parse(data)); } catch { reject(new Error("Invalid JSON")); } });
-    req.on("error", reject);
-  });
-}
-// ── Server logic (shared by foreground + daemon) ─────────────
-function createServer(initPassword, whitelist, port) {
-  const MAX_FAILS = 3;
-  let failCount = 0;
-  let password = initPassword || null;   // null = locked; set via POST /auth
-  const machineHash = getMachineHash();
-  const CORS = {
-    "Access-Control-Allow-Origin": "*",
-    "Access-Control-Allow-Methods": "GET, POST, OPTIONS",
-    "Access-Control-Allow-Headers": "Content-Type",
-  };
-  function strike(res, code, message) {
-    failCount++;
-    const remaining = MAX_FAILS - failCount;
-    const logLine = `[${new Date().toISOString()}] [FAIL ${failCount}/${MAX_FAILS}] ${message}\n`;
-    try { fs.appendFileSync(LOG_FILE, logLine); } catch {}
-    const body = JSON.stringify({
-      error: message,
-      failures: failCount,
-      failures_remaining: remaining,
-      ...(failCount >= MAX_FAILS ? { shutdown: true } : {})
-    });
-    res.writeHead(code, { "Content-Type": "application/json", ...CORS });
-    res.end(body);
-    if (failCount >= MAX_FAILS) {
-      const msg = `[${new Date().toISOString()}] Failure limit reached — shutting down\n`;
-      try { fs.appendFileSync(LOG_FILE, msg); } catch {}
-      removePid();
-      setTimeout(() => process.exit(1), 100);
-    }
-  }
-  function ok(res, data) {
-    res.writeHead(200, { "Content-Type": "application/json", ...CORS });
-    res.end(JSON.stringify(data));
-  }
-  const server = http.createServer(async (req, res) => {
-    // Hard reject anything not from loopback
-    const remote = req.socket.remoteAddress;
-    const isLocal = remote === "127.0.0.1" || remote === "::1" || remote === "::ffff:127.0.0.1";
-    if (!isLocal) {
-      return strike(res, 403, `Rejected non-local address: ${remote}`);
-    }
-    // CORS preflight
-    if (req.method === "OPTIONS") {
-      res.writeHead(204, CORS);
-      return res.end();
-    }
-    const url    = new URL(req.url, `http://127.0.0.1:${port}`);
-    const reqPath = url.pathname;
-    const method = req.method;
-    // GET / — built-in web dashboard
-    if (method === "GET" && reqPath === "/") {
-      res.writeHead(200, { "Content-Type": "text/html", ...CORS });
-      return res.end(dashboardHtml(port, whitelist));
-    }
-    // GET /ping
-    if (method === "GET" && reqPath === "/ping") {
-      return ok(res, {
-        status: "ok",
-        pid: process.pid,
-        locked: !password,
-        failures: failCount,
-        failures_remaining: MAX_FAILS - failCount,
-        services: whitelist || "all",
-        port
-      });
-    }
-    // GET /shutdown (for daemon stop)
-    if (method === "GET" && reqPath === "/shutdown") {
-      ok(res, { ok: true, message: "shutting down" });
-      removePid();
-      setTimeout(() => process.exit(0), 100);
-      return;
-    }
-    // Locked guard — returns true if locked and already responded
-    function lockedGuard(res) {
-      if (!password) {
-        res.writeHead(401, { "Content-Type": "application/json", ...CORS });
-        res.end(JSON.stringify({ error: "Vault is locked", locked: true }));
-        return true;
-      }
-      return false;
-    }
-    // GET /status
-    if (method === "GET" && reqPath === "/status") {
-      if (lockedGuard(res)) return;
-      try {
-        const { token, timestamp } = deriveToken(password, machineHash);
-        const result = await api.status(password, machineHash, token, timestamp);
-        if (result.error) return strike(res, 502, result.error);
-        if (whitelist) {
-          result.services = (result.services || []).filter(
-            s => whitelist.includes(s.name.toLowerCase())
-          );
-        }
-        return ok(res, result);
-      } catch (err) {
-        return strike(res, 502, err.message);
-      }
-    }
-    // GET /get/:service
-    const getMatch = reqPath.match(/^\/get\/([a-zA-Z0-9_.-]+)$/);
-    if (method === "GET" && getMatch) {
-      if (lockedGuard(res)) return;
-      const service = getMatch[1].toLowerCase();
-      if (whitelist && !whitelist.includes(service)) {
-        return strike(res, 403, `Service '${service}' not in whitelist`);
-      }
-      try {
-        const { token, timestamp } = deriveToken(password, machineHash);
-        const result = await api.retrieve(password, machineHash, token, timestamp, service);
-        if (result.error) return strike(res, 502, result.error);
-        return ok(res, { service, value: result.value, key_type: result.key_type });
-      } catch (err) {
-        return strike(res, 502, err.message);
-      }
-    }
-    // POST /auth — unlock the vault with a password (verifies against Edge Function)
-    if (method === "POST" && reqPath === "/auth") {
-      let body;
-      try { body = await readBody(req); } catch {
-        res.writeHead(400, { "Content-Type": "application/json", ...CORS });
-        return res.end(JSON.stringify({ error: "Invalid JSON body" }));
-      }
-      const pw = body.password;
-      if (!pw || typeof pw !== "string") {
-        res.writeHead(400, { "Content-Type": "application/json", ...CORS });
-        return res.end(JSON.stringify({ error: "password is required" }));
-      }
-      try {
-        const { token, timestamp } = deriveToken(pw, machineHash);
-        const result = await api.test(pw, machineHash, token, timestamp);
-        if (result.error) throw new Error(result.error);
-        password = pw;   // unlock — store in process memory only
-        const logLine = `[${new Date().toISOString()}] Vault unlocked\n`;
-        try { fs.appendFileSync(LOG_FILE, logLine); } catch {}
-        return ok(res, { ok: true, locked: false });
-      } catch {
-        // Wrong password — not a lockout strike, just a UI auth attempt
-        res.writeHead(401, { "Content-Type": "application/json", ...CORS });
-        return res.end(JSON.stringify({ error: "Invalid password" }));
-      }
-    }
-    // POST /lock — clear password from memory
-    if (method === "POST" && reqPath === "/lock") {
-      password = null;
-      const logLine = `[${new Date().toISOString()}] Vault locked\n`;
-      try { fs.appendFileSync(LOG_FILE, logLine); } catch {}
-      return ok(res, { ok: true, locked: true });
-    }
-    // POST /toggle/:service — enable or disable a service
-    const toggleMatch = reqPath.match(/^\/toggle\/([a-zA-Z0-9_-]+)$/);
-    if (method === "POST" && toggleMatch) {
-      if (lockedGuard(res)) return;
-      const service = toggleMatch[1].toLowerCase();
-      let body;
-      try { body = await readBody(req); } catch {
-        res.writeHead(400, { "Content-Type": "application/json", ...CORS });
-        return res.end(JSON.stringify({ error: "Invalid JSON body" }));
-      }
-      const { enabled } = body;
-      if (typeof enabled !== "boolean") {
-        res.writeHead(400, { "Content-Type": "application/json", ...CORS });
-        return res.end(JSON.stringify({ error: "enabled must be boolean" }));
-      }
-      try {
-        const { token, timestamp } = deriveToken(password, machineHash);
-        const result = await api.enable(password, machineHash, token, timestamp, service, enabled);
-        if (result.error) return strike(res, 502, result.error);
-        return ok(res, { ok: true, service, enabled });
-      } catch (err) {
-        return strike(res, 502, err.message);
-      }
-    }
-    // GET /check-all — soft health check, no strikes for missing/disabled keys
-    if (method === "GET" && reqPath === "/check-all") {
-      if (lockedGuard(res)) return;
-      try {
-        const { token: st, timestamp: sts } = deriveToken(password, machineHash);
-        const statusResult = await api.status(password, machineHash, st, sts);
-        if (statusResult.error) return strike(res, 502, statusResult.error);
-        const services = (statusResult.services || []).filter(
-          s => !whitelist || whitelist.includes(s.name.toLowerCase())
-        );
-        const results = {};
-        for (const svc of services) {
-          try {
-            const { token, timestamp } = deriveToken(password, machineHash);
-            const r = await api.retrieve(password, machineHash, token, timestamp, svc.name);
-            results[svc.name] = r.error
-              ? { ok: false, reason: r.error }
-              : { ok: true };
-          } catch (e) {
-            results[svc.name] = { ok: false, reason: e.message };
-          }
-        }
-        return ok(res, { results });
-      } catch (err) {
-        return strike(res, 502, err.message);
-      }
-    }
-    // POST /change-pw — change master password (must be unlocked)
-    if (method === "POST" && reqPath === "/change-pw") {
-      if (lockedGuard(res)) return;
-      let body;
-      try { body = await readBody(req); } catch {
-        res.writeHead(400, { "Content-Type": "application/json", ...CORS });
-        return res.end(JSON.stringify({ error: "Invalid JSON body" }));
-      }
-      const { newPassword } = body;
-      if (!newPassword || typeof newPassword !== "string" || newPassword.length < 8) {
-        res.writeHead(400, { "Content-Type": "application/json", ...CORS });
-        return res.end(JSON.stringify({ error: "newPassword must be at least 8 characters" }));
-      }
-      try {
-        const { token, timestamp } = deriveToken(password, machineHash);
-        const newSeedHash = deriveSeedHash(machineHash, newPassword);
-        const result = await api.changePassword(password, machineHash, token, timestamp, newSeedHash);
-        if (result.error) throw new Error(result.error);
-        password = newPassword;  // update in-memory password to new one
-        const logLine = `[${new Date().toISOString()}] Password changed\n`;
-        try { fs.appendFileSync(LOG_FILE, logLine); } catch {}
-        return ok(res, { ok: true });
-      } catch (err) {
-        res.writeHead(502, { "Content-Type": "application/json", ...CORS });
-        return res.end(JSON.stringify({ error: err.message }));
-      }
-    }
-    // POST /set/:service — write a new key value into vault
-    const setMatch = reqPath.match(/^\/set\/([a-zA-Z0-9_.-]+)$/);
-    if (method === "POST" && setMatch) {
-      if (lockedGuard(res)) return;
-      const service = setMatch[1].toLowerCase();
-      if (whitelist && !whitelist.includes(service)) {
-        return strike(res, 403, `Service '${service}' not in whitelist`);
-      }
-      let body;
-      try { body = await readBody(req); } catch {
-        return strike(res, 400, "Invalid JSON body");
-      }
-      const value = body.value;
-      if (!value || typeof value !== "string" || !value.trim()) {
-        res.writeHead(400, { "Content-Type": "application/json", ...CORS });
-        return res.end(JSON.stringify({ error: "value is required" }));
-      }
-      try {
-        const { token, timestamp } = deriveToken(password, machineHash);
-        const result = await api.write(password, machineHash, token, timestamp, service, value.trim());
-        if (result.error) return strike(res, 502, result.error);
-        return ok(res, { ok: true, service });
-      } catch (err) {
-        return strike(res, 502, err.message);
-      }
-    }
-    // Unknown route
-    return strike(res, 404, `Unknown endpoint: ${reqPath}`);
-  });
-  return server;
-}
-// ── Actions ──────────────────────────────────────────────────
-async function verifyAuth(password) {
-  const machineHash = getMachineHash();
-  const { token, timestamp } = deriveToken(password, machineHash);
-  const result = await api.test(password, machineHash, token, timestamp);
-  if (result.error) throw new Error(result.error);
-}
-async function actionStart(opts) {
-  const port     = parseInt(opts.port || "52437", 10);
-  const password = opts.pw;
-  const whitelist = opts.services
-    ? opts.services.split(",").map(s => s.trim().toLowerCase())
-    : null;
-  // Check for existing instance
-  const existing = readPid();
-  if (existing && isProcessAlive(existing.pid)) {
-    console.log(chalk.yellow(`\n  clauth serve already running (PID ${existing.pid}, port ${existing.port})`));
-    console.log(chalk.gray(`  Stop it first: clauth serve stop\n`));
-    process.exit(1);
-  }
-  // If we're the daemon child, run the server directly
-  if (process.env.__CLAUTH_DAEMON === "1") {
-    // Verify password only if one was provided at start (optional — browser can unlock later)
-    if (password) {
-      try {
-        await verifyAuth(password);
-      } catch (err) {
-        const msg = `[${new Date().toISOString()}] Auth failed: ${err.message}\n`;
-        fs.appendFileSync(LOG_FILE, msg);
-        process.exit(1);
-      }
-    }
-    const server = createServer(password, whitelist, port);
-    server.listen(port, "127.0.0.1", () => {
-      writePid(process.pid, port);
-      const msg = `[${new Date().toISOString()}] clauth serve started — PID ${process.pid}, port ${port}, services: ${whitelist ? whitelist.join(",") : "all"}\n`;
-      fs.appendFileSync(LOG_FILE, msg);
-    });
-    server.on("error", err => {
-      const msg = `[${new Date().toISOString()}] Server error: ${err.message}\n`;
-      fs.appendFileSync(LOG_FILE, msg);
-      process.exit(1);
-    });
-    const shutdown = () => { removePid(); process.exit(0); };
-    process.on("SIGTERM", shutdown);
-    process.on("SIGINT", shutdown);
-    return;
-  }
-  // If --pw provided, verify it before spawning (fast-fail on wrong password)
-  if (password) {
-    console.log(chalk.gray("\n  Verifying vault credentials..."));
-    try {
-      await verifyAuth(password);
-    } catch (err) {
-      console.log(chalk.red(`\n  Auth failed: ${err.message}\n`));
-      process.exit(1);
-    }
-    console.log(chalk.green("  ✓ Vault auth verified"));
-  } else {
-    console.log(chalk.yellow("\n  Starting in locked state — open browser to unlock"));
-  }
-  // Spawn detached daemon child via the clauth CLI entry point
-  const { spawn } = await import("child_process");
-  const { fileURLToPath } = await import("url");
-  const { dirname, join } = await import("path");
-  const __filename = fileURLToPath(import.meta.url);
-  const cliEntry = join(dirname(__filename), "..", "index.js");
-  // Build args: node index.js serve start --port N [--pw PW] [--services S]
-  const childArgs = [cliEntry, "serve", "start", "--port", String(port)];
-  if (password) childArgs.push("--pw", password);
-  if (opts.services) childArgs.push("--services", opts.services);
-  const out = fs.openSync(LOG_FILE, "a");
-  const child = spawn(process.execPath, childArgs, {
-    detached: true,
-    stdio: ["ignore", out, out],
-    env: { ...process.env, __CLAUTH_DAEMON: "1" },
-  });
-  child.unref();
-  // Give it time to bind and write PID file (Windows spawn is slower)
-  // Verify via HTTP ping (process.kill(pid,0) fails on Windows for detached processes)
-  let started = false;
-  for (let attempt = 0; attempt < 5; attempt++) {
-    await new Promise(r => setTimeout(r, 1000));
-    try {
-      const resp = await fetch(`http://127.0.0.1:${port}/ping`);
-      if (resp.ok) { started = true; break; }
-    } catch {}
-  }
-  const info = readPid();
-  if (started && info) {
-    console.log(chalk.green(`\n  🔐 clauth serve started`));
-    console.log(chalk.gray(`  PID:      ${info.pid}`));
-    console.log(chalk.gray(`  Port:     127.0.0.1:${info.port}`));
-    console.log(chalk.gray(`  Services: ${whitelist ? whitelist.join(", ") : "all"}`));
-    console.log(chalk.gray(`  Log:      ${LOG_FILE}`));
-    if (!password) {
-      console.log(chalk.cyan(`\n  👉 Open http://127.0.0.1:${info.port} to unlock the vault`));
-    }
-    console.log(chalk.gray(`  Stop:     clauth serve stop\n`));
-  } else {
-    console.log(chalk.red(`\n  ❌ Failed to start daemon — check ${LOG_FILE}\n`));
-    process.exit(1);
-  }
-}
-async function actionStop() {
-  const info = readPid();
-  if (!info) {
-    console.log(chalk.yellow("\n  No clauth serve PID file found — not running.\n"));
-    return;
-  }
-  if (!isProcessAlive(info.pid)) {
-    console.log(chalk.yellow(`\n  PID ${info.pid} is not running (stale PID file). Cleaning up.\n`));
-    removePid();
-    return;
-  }
-  // Try HTTP shutdown first (clean)
-  try {
-    const resp = await fetch(`http://127.0.0.1:${info.port}/shutdown`);
-    if (resp.ok) {
-      await new Promise(r => setTimeout(r, 300));
-      console.log(chalk.green(`\n  🛑 clauth serve stopped (was PID ${info.pid}, port ${info.port})\n`));
-      removePid();
-      return;
-    }
-  } catch {}
-  // Fallback: kill the process
-  try {
-    process.kill(info.pid, "SIGTERM");
-    await new Promise(r => setTimeout(r, 300));
-    console.log(chalk.green(`\n  🛑 clauth serve stopped via SIGTERM (PID ${info.pid})\n`));
-  } catch (err) {
-    console.log(chalk.yellow(`\n  Could not kill PID ${info.pid}: ${err.message}\n`));
-  }
-  removePid();
-}
-async function actionPing() {
-  const info = readPid();
-  if (!info) {
-    console.log(chalk.red("\n  clauth serve is not running (no PID file)\n"));
-    process.exit(1);
-  }
-  if (!isProcessAlive(info.pid)) {
-    console.log(chalk.red(`\n  PID ${info.pid} is not alive (stale PID file)\n`));
-    removePid();
-    process.exit(1);
-  }
-  try {
-    const resp = await fetch(`http://127.0.0.1:${info.port}/ping`);
-    const data = await resp.json();
-    if (data.status === "ok") {
-      console.log(chalk.green(`\n  ✅ clauth serve running`));
-      console.log(chalk.gray(`  PID:     ${info.pid}`));
-      console.log(chalk.gray(`  Port:    ${info.port}`));
-      console.log(chalk.gray(`  Fails:   ${data.failures}/${data.failures + data.failures_remaining}`));
-      console.log(chalk.gray(`  Services: ${Array.isArray(data.services) ? data.services.join(", ") : data.services}\n`));
-    } else {
-      console.log(chalk.yellow(`\n  PID alive but /ping returned unexpected response\n`));
-    }
-  } catch (err) {
-    console.log(chalk.yellow(`\n  PID ${info.pid} alive but HTTP failed: ${err.message}\n`));
-  }
-}
-async function actionRestart(opts) {
-  const info = readPid();
-  if (info && isProcessAlive(info.pid)) {
-    await actionStop();
-    await new Promise(r => setTimeout(r, 500));
-  }
-  await actionStart(opts);
-}
-async function actionForeground(opts) {
-  const port      = parseInt(opts.port || "52437", 10);
-  const password  = opts.pw || null;
-  const whitelist = opts.services
-    ? opts.services.split(",").map(s => s.trim().toLowerCase())
-    : null;
-  if (password) {
-    console.log(chalk.gray("\n  Verifying vault credentials..."));
-    try {
-      await verifyAuth(password);
-    } catch (err) {
-      console.log(chalk.red(`\n  Auth failed: ${err.message}\n`));
-      process.exit(1);
-    }
-    console.log(chalk.green("  ✓ Vault auth verified"));
-  } else {
-    console.log(chalk.yellow("\n  Starting in locked state — open browser to unlock"));
-  }
-  console.log(chalk.gray(`  Port:     127.0.0.1:${port}`));
-  console.log(chalk.gray(`  Services: ${whitelist ? whitelist.join(", ") : "all"}`));
-  console.log(chalk.gray(`  Lockout:  3 failures → exit\n`));
-  const server = createServer(password, whitelist, port);
-  server.listen(port, "127.0.0.1", () => {
-    writePid(process.pid, port);
-    console.log(chalk.green(`  clauth serve → http://127.0.0.1:${port}`));
-    if (!password) console.log(chalk.cyan(`  👉 Open http://127.0.0.1:${port} to unlock`));
-    console.log(chalk.gray("  Ctrl+C to stop\n"));
-  });
-  server.on("error", err => {
-    if (err.code === "EADDRINUSE") {
-      console.log(chalk.red(`\n  Port ${port} already in use. Use --port to choose another.\n`));
-    } else {
-      console.log(chalk.red(`\n  Server error: ${err.message}\n`));
-    }
-    process.exit(1);
-  });
-  process.on("SIGINT", () => {
-    console.log(chalk.yellow("\n  Stopping clauth serve...\n"));
-    removePid();
-    server.close(() => process.exit(0));
-  });
-}
-// ── Export ────────────────────────────────────────────────────
-export async function runServe(opts) {
-  const action = opts.action || "foreground";
-  switch (action) {
-    case "start":     return actionStart(opts);
-    case "stop":      return actionStop();
-    case "restart":   return actionRestart(opts);
-    case "ping":      return actionPing();
-    case "foreground": return actionForeground(opts);
-    default:
-      console.log(chalk.red(`\n  Unknown serve action: ${action}`));
-      console.log(chalk.gray("  Actions: start | stop | restart | ping | foreground\n"));
-      process.exit(1);
-  }
-}
+// cli/commands/serve.js
+// Localhost-only credential daemon with daemon lifecycle management
+// Binds 127.0.0.1 ONLY — unreachable from outside the machine
+// 3 failed requests of any kind → process exits, requires manual restart
+// Supports: start (background daemon), stop, restart, ping, foreground
+import http from "http";
+import fs from "fs";
+import os from "os";
+import path from "path";
+import { fileURLToPath } from "url";
+import { getMachineHash, deriveToken, deriveSeedHash } from "../fingerprint.js";
+import * as api from "../api.js";
+import chalk from "chalk";
+const __dirname = path.dirname(fileURLToPath(import.meta.url));
+const pkg = JSON.parse(fs.readFileSync(path.join(__dirname, "../../package.json"), "utf8"));
+const VERSION = pkg.version;
+const PID_FILE = path.join(os.tmpdir(), "clauth-serve.pid");
+const LOG_FILE = path.join(os.tmpdir(), "clauth-serve.log");
+// ── PID helpers ──────────────────────────────────────────────
+function readPid() {
+  try {
+    const raw = fs.readFileSync(PID_FILE, "utf8").trim();
+    const [pid, port] = raw.split(":");
+    return { pid: parseInt(pid, 10), port: parseInt(port, 10) };
+  } catch { return null; }
+}
+function writePid(pid, port) {
+  fs.writeFileSync(PID_FILE, `${pid}:${port}`, "utf8");
+}
+function removePid() {
+  try { fs.unlinkSync(PID_FILE); } catch {}
+}
+function isProcessAlive(pid) {
+  try { process.kill(pid, 0); return true; } catch { return false; }
+}
+// ── Dashboard HTML ───────────────────────────────────────────
+function dashboardHtml(port, whitelist) {
+  return `<!DOCTYPE html>
+<html lang="en">
+<head>
+<meta charset="utf-8">
+<meta name="viewport" content="width=device-width,initial-scale=1">
+<title>clauth vault v${VERSION}</title>
+<style>
+  *{margin:0;padding:0;box-sizing:border-box}
+  body{background:#0a0f1a;color:#e2e8f0;font-family:-apple-system,BlinkMacSystemFont,'Segoe UI',sans-serif;min-height:100vh}
+  /* ── Lock screen ── */
+  #lock-screen{display:flex;flex-direction:column;align-items:center;justify-content:center;min-height:100vh;padding:2rem}
+  .lock-card{background:#1e293b;border:1px solid #334155;border-radius:12px;padding:2.5rem 2rem;width:100%;max-width:380px;text-align:center}
+  .lock-icon{font-size:2.5rem;margin-bottom:1rem}
+  .lock-title{font-size:1.25rem;font-weight:600;color:#f8fafc;margin-bottom:.4rem}
+  .lock-sub{font-size:.85rem;color:#64748b;margin-bottom:1.75rem}
+  .lock-input{width:100%;background:#0f172a;border:1px solid #334155;border-radius:8px;color:#e2e8f0;font-family:'Courier New',monospace;font-size:1rem;padding:10px 14px;outline:none;text-align:center;letter-spacing:.1em;transition:border-color .2s;margin-bottom:1rem}
+  .lock-input:focus{border-color:#3b82f6}
+  .lock-input.error{border-color:#ef4444;animation:shake .3s}
+  @keyframes shake{0%,100%{transform:translateX(0)}25%{transform:translateX(-6px)}75%{transform:translateX(6px)}}
+  .btn-unlock{width:100%;background:#3b82f6;color:#fff;border:none;border-radius:8px;padding:10px;font-size:.95rem;font-weight:600;cursor:pointer;transition:background .15s}
+  .btn-unlock:hover{background:#2563eb}
+  .btn-unlock:disabled{background:#1e3a5f;color:#4a6fa5;cursor:not-allowed}
+  .lock-err{color:#f87171;font-size:.82rem;margin-top:.75rem;min-height:1.2em}
+  /* ── Main view ── */
+  #main-view{display:none;padding:2rem}
+  .header{display:flex;align-items:center;gap:10px;margin-bottom:1.5rem;flex-wrap:wrap}
+  .header h1{font-size:1.4rem;font-weight:600;flex:1}
+  .dot{width:10px;height:10px;border-radius:50%;background:#22c55e;animation:pulse 2s infinite;flex-shrink:0}
+  @keyframes pulse{0%,100%{opacity:1}50%{opacity:.4}}
+  .status-bar{display:flex;gap:1.5rem;margin-bottom:1.5rem;font-size:.82rem;color:#94a3b8;flex-wrap:wrap}
+  .status-bar span{color:#e2e8f0;font-weight:500}
+  .toolbar{display:flex;gap:8px;margin-bottom:1rem;flex-wrap:wrap;align-items:center}
+  .chpw-panel{display:none;background:#1a1f2e;border:1px solid #334155;border-radius:8px;padding:1.25rem;margin-bottom:1.5rem}
+  .chpw-panel h3{font-size:.9rem;font-weight:600;color:#f8fafc;margin-bottom:1rem}
+  .chpw-row{display:flex;gap:10px;flex-wrap:wrap;align-items:flex-end;margin-bottom:.75rem}
+  .chpw-field{display:flex;flex-direction:column;gap:4px}
+  .chpw-field label{font-size:.75rem;color:#64748b}
+  .chpw-input{background:#0f172a;border:1px solid #334155;border-radius:6px;color:#e2e8f0;font-family:'Courier New',monospace;font-size:.88rem;padding:7px 12px;outline:none;width:200px;transition:border-color .2s}
+  .chpw-input:focus{border-color:#3b82f6}
+  .chpw-foot{display:flex;gap:8px;align-items:center}
+  .btn-chpw-save{background:#1e3a5f;color:#60a5fa;padding:7px 18px;font-size:.85rem;border-radius:6px;border:none;cursor:pointer;font-weight:500;transition:background .15s}
+  .btn-chpw-save:hover{background:#1e4a7f}
+  .chpw-msg{font-size:.82rem}
+  .chpw-msg.ok{color:#4ade80} .chpw-msg.fail{color:#f87171}
+  .btn-refresh{background:#3b82f6;color:#fff;padding:7px 18px;font-size:.85rem;border-radius:7px;border:none;cursor:pointer;font-weight:500}
+  .btn-refresh:hover{background:#2563eb}
+  .btn-lock{background:#1e293b;color:#f87171;border:1px solid #334155;padding:7px 16px;font-size:.85rem;border-radius:7px;cursor:pointer;font-weight:500}
+  .btn-lock:hover{background:#2d1f1f;border-color:#f87171}
+  .grid{display:grid;grid-template-columns:repeat(auto-fill,minmax(300px,1fr));gap:1rem}
+  .card{background:#1e293b;border:1px solid #334155;border-radius:8px;padding:1.25rem;transition:border-color .2s}
+  .card:hover{border-color:#3b82f6}
+  .card-name{font-size:1rem;font-weight:600;color:#f8fafc;margin-bottom:3px}
+  .card-type{font-size:.78rem;color:#64748b;text-transform:uppercase;letter-spacing:.5px}
+  .card-getkey{font-size:.75rem;color:#3b82f6;text-decoration:none;opacity:.7;transition:opacity .15s}
+  .card-getkey:hover{opacity:1;text-decoration:underline}
+  .card-value{font-family:'Courier New',monospace;font-size:.82rem;color:#22c55e;background:#0f172a;border-radius:4px;padding:8px 10px;margin-top:10px;word-break:break-all;max-height:80px;overflow:auto;display:none}
+  .card-actions{margin-top:10px;display:flex;gap:7px;flex-wrap:wrap}
+  .set-panel{display:none;margin-top:10px;background:#0f172a;border-radius:6px;padding:10px;border:1px solid #1e3a5f}
+  .set-panel label{font-size:.75rem;color:#64748b;display:block;margin-bottom:6px}
+  .set-input{width:100%;background:#0a0f1a;border:1px solid #1e3a5f;border-radius:4px;color:#e2e8f0;font-family:'Courier New',monospace;font-size:.85rem;padding:7px 10px;outline:none;resize:vertical;min-height:58px;transition:border-color .2s}
+  .set-input:focus{border-color:#3b82f6}
+  .set-foot{margin-top:8px;display:flex;gap:8px;align-items:center}
+  .set-msg{font-size:.8rem}
+  .set-msg.ok{color:#4ade80} .set-msg.fail{color:#f87171}
+  .btn{padding:6px 13px;border-radius:6px;border:none;cursor:pointer;font-size:.8rem;font-weight:500;transition:all .15s}
+  .btn-reveal{background:#1e3a5f;color:#60a5fa}.btn-reveal:hover{background:#1e4a7f}
+  .btn-copy{background:#1a3328;color:#4ade80}.btn-copy:hover{background:#1a4338}
+  .btn-set{background:#2d1f4a;color:#a78bfa}.btn-set:hover{background:#3d2f5a}
+  .btn-save{background:#1e3a5f;color:#60a5fa;padding:6px 16px}.btn-save:hover{background:#1e4a7f}
+  .btn-cancel{background:transparent;color:#64748b;padding:6px 10px}.btn-cancel:hover{color:#94a3b8}
+  .btn-check{background:#0f2d2d;color:#34d399;border:1px solid #064e3b;padding:7px 16px;font-size:.85rem;border-radius:7px;cursor:pointer;font-weight:500;transition:all .15s}
+  .btn-check:hover{background:#134e4a;border-color:#34d399}.btn-check:disabled{opacity:.5;cursor:not-allowed}
+  .btn-enable{background:#14291a;color:#4ade80;border:1px solid #166534}.btn-enable:hover{background:#1a3d22;border-color:#4ade80}
+  .btn-disable{background:#2d1f1f;color:#f87171;border:1px solid #7f1d1d}.btn-disable:hover{background:#3d2525;border-color:#f87171}
+  .svc-badge{font-size:.7rem;font-weight:600;padding:2px 7px;border-radius:4px;letter-spacing:.4px;text-transform:uppercase}
+  .svc-badge.on{background:rgba(74,222,128,.12);color:#4ade80;border:1px solid rgba(74,222,128,.25)}
+  .svc-badge.off{background:rgba(248,113,113,.1);color:#f87171;border:1px solid rgba(248,113,113,.2)}
+  .status-dot{width:8px;height:8px;border-radius:50%;flex-shrink:0;opacity:0;transition:opacity .3s;margin-top:4px;cursor:default}
+  .status-dot.checking{background:#f59e0b;opacity:1;animation:pulse 1s infinite}
+  .status-dot.ok{background:#22c55e;opacity:1}
+  .status-dot.fail{background:#ef4444;opacity:1}
+  @keyframes sdot-fade{to{opacity:0}} .status-dot.fading{animation:sdot-fade 1.5s forwards}
+  .error-bar{background:#7f1d1d;color:#fca5a5;border:1px solid #991b1b;padding:10px 14px;border-radius:8px;margin-bottom:1rem;display:none;font-size:.85rem}
+  .loading{color:#64748b;font-style:italic}
+  .footer{margin-top:2rem;font-size:.75rem;color:#475569;text-align:center}
+  .oauth-fields{display:flex;flex-direction:column;gap:8px;margin-bottom:8px}
+  .oauth-field{display:flex;flex-direction:column;gap:3px}
+  .oauth-label{font-size:.75rem;color:#94a3b8;font-weight:500}
+  .oauth-hint{font-size:.71rem;color:#475569;font-style:italic}
+  .oauth-input{width:100%;background:#0a0f1a;border:1px solid #1e3a5f;border-radius:4px;color:#e2e8f0;font-family:'Courier New',monospace;font-size:.85rem;padding:7px 10px;outline:none;transition:border-color .2s}
+  .oauth-input:focus{border-color:#3b82f6}
+</style>
+</head>
+<body>
+<!-- ── Lock screen ──────────────────────────── -->
+<div id="lock-screen">
+  <div class="lock-card">
+    <div class="lock-icon">🔒</div>
+    <div class="lock-title">clauth vault</div>
+    <div class="lock-sub">Paste your password to unlock</div>
+    <input class="lock-input" id="lock-input" type="password" placeholder="••••••••••••" autocomplete="off">
+    <button class="btn-unlock" id="unlock-btn" onclick="unlock()">Unlock</button>
+    <div class="lock-err" id="lock-err"></div>
+  </div>
+</div>
+<!-- ── Main view (shown after unlock) ──────── -->
+<div id="main-view">
+  <div class="header">
+    <div class="dot" id="dot"></div>
+    <h1>🔐 clauth vault <span style="font-size:0.55em;opacity:0.45;font-weight:400">v${VERSION}</span></h1>
+  </div>
+  <div id="error-bar" class="error-bar"></div>
+  <div class="status-bar">
+    <div>PID: <span id="s-pid">—</span></div>
+    <div>Port: <span id="s-port">${port}</span></div>
+    <div>Services: <span id="s-services">${whitelist ? whitelist.join(", ") : "all"}</span></div>
+    <div>Failures: <span id="s-fails">—</span></div>
+  </div>
+  <div class="toolbar">
+    <button class="btn-refresh" onclick="loadServices()">↻ Refresh</button>
+    <button class="btn-check" id="check-btn" onclick="checkAll()">⬤ Check All</button>
+    <button class="btn-lock" onclick="lockVault()">🔒 Lock</button>
+    <button class="btn-cancel" style="margin-left:auto" onclick="toggleChangePw()">Change Password</button>
+  </div>
+  <div class="chpw-panel" id="chpw-panel">
+    <h3>Change Master Password</h3>
+    <div class="chpw-row">
+      <div class="chpw-field">
+        <label>New password</label>
+        <input class="chpw-input" id="chpw-new" type="password" placeholder="min 8 chars" autocomplete="new-password">
+      </div>
+      <div class="chpw-field">
+        <label>Confirm</label>
+        <input class="chpw-input" id="chpw-confirm" type="password" placeholder="repeat" autocomplete="new-password">
+      </div>
+    </div>
+    <div class="chpw-foot">
+      <button class="btn-chpw-save" onclick="changePassword()">Update Password</button>
+      <button class="btn-cancel" onclick="toggleChangePw()">Cancel</button>
+      <span class="chpw-msg" id="chpw-msg"></span>
+    </div>
+  </div>
+  <div id="grid" class="grid"><p class="loading">Loading services…</p></div>
+  <div class="footer">localhost:${port} · 127.0.0.1 only · 3-strike lockout</div>
+</div>
+<script>
+const BASE = "http://127.0.0.1:${port}";
+const SERVICE_HINTS = {
+  "neo4j":           "neo4j+s://username:password@instance.databases.neo4j.io",
+  "supabase-db":     "postgresql://postgres:password@db.ref.supabase.co:5432/postgres",
+  "r2":              "accountId:accessKeyId:secretAccessKey",
+  "namecheap":       "apiUser:apiKey",
+};
+const KEY_URLS = {
+  "github":          "https://github.com/settings/tokens",
+  "vercel":          "https://vercel.com/account/tokens",
+  "supabase-anon":   "https://supabase.com/dashboard/project/uvojezuorjgqzmhhgluu/settings/api",
+  "supabase-service":"https://supabase.com/dashboard/project/uvojezuorjgqzmhhgluu/settings/api",
+  "supabase-db":     "https://supabase.com/dashboard/project/uvojezuorjgqzmhhgluu/settings/database",
+  "anthropic":       "https://console.anthropic.com/settings/keys",
+  "cloudflare":      "https://dash.cloudflare.com/profile/api-tokens",
+  "r2":              "https://dash.cloudflare.com/profile/api-tokens",
+  "r2-bucket":       "https://dash.cloudflare.com/profile/api-tokens",
+  "rocketreach":     "https://rocketreach.co/account?section=security",
+  "namecheap":       "https://ap.www.namecheap.com/settings/tools/apiaccess/",
+  "neo4j":           "https://console.neo4j.io/",
+  "npm":             "https://www.npmjs.com/settings/~/tokens",
+  "gmail":           "https://console.cloud.google.com/apis/credentials",
+};
+// ── OAuth import config ─────────────────────
+// OAuth services with atomic fields — each field saved as clauth.<service>.<key>
+// No JSON blob parsing. Each field is its own vault secret.
+const OAUTH_FIELDS = {
+  "gmail": [
+    { key: "client_id",     label: "Client ID",     hint: "From Google Cloud Console → APIs & Services → Credentials → OAuth client", required: true },
+    { key: "client_secret", label: "Client Secret", hint: "From Google Cloud Console OAuth client",                                    required: true },
+    { key: "refresh_token", label: "Refresh Token", hint: "From Google OAuth Playground or your app's auth callback",                 required: true },
+    { key: "from_address",  label: "From Address",  hint: "Gmail address to send from (e.g. dave@life.ai)",                           required: false },
+  ]
+};
+function renderSetPanel(name) {
+  const fields = OAUTH_FIELDS[name];
+  if (fields) {
+    const fieldsHtml = fields.map(f => \`
+      <div class="oauth-field">
+        <label class="oauth-label">\${f.label}\${f.required ? "" : " <span style='color:#475569'>(optional)</span>"}</label>
+        \${f.hint ? \`<div class="oauth-hint">\${f.hint}</div>\` : ""}
+        <input type="text" class="oauth-input" id="ofield-\${name}-\${f.key}" placeholder="Paste \${f.label}…" spellcheck="false" autocomplete="off">
+      </div>
+    \`).join("");
+    return \`
+      <div class="set-panel" id="set-panel-\${name}">
+        <label>Set <strong>\${name}</strong> credentials — paste directly from source, never in chat</label>
+        <div class="oauth-fields">
+          \${fieldsHtml}
+        </div>
+        <div class="set-foot">
+          <button class="btn btn-save" onclick="saveKey('\${name}')">Save</button>
+          <button class="btn btn-cancel" onclick="toggleSet('\${name}')">Cancel</button>
+          <span class="set-msg" id="set-msg-\${name}"></span>
+        </div>
+      </div>
+    \`;
+  }
+  return \`
+    <div class="set-panel" id="set-panel-\${name}">
+      <label>New value for <strong>\${name}</strong> — paste here, never in chat</label>
+      <textarea class="set-input" id="set-input-\${name}" placeholder="\${SERVICE_HINTS[name] || "Paste credential…"}" spellcheck="false"></textarea>
+      \${SERVICE_HINTS[name] ? \`<div style="font-size:.72rem;color:#475569;margin-top:4px;font-family:'Courier New',monospace">\${SERVICE_HINTS[name]}</div>\` : ""}
+      <div class="set-foot">
+        <button class="btn btn-save" onclick="saveKey('\${name}')">Save</button>
+        <button class="btn btn-cancel" onclick="toggleSet('\${name}')">Cancel</button>
+        <span class="set-msg" id="set-msg-\${name}"></span>
+      </div>
+    </div>
+  \`;
+}
+// ── Boot: check lock state ──────────────────
+async function boot() {
+  try {
+    const ping = await fetch(BASE + "/ping").then(r => r.json());
+    if (ping.locked) {
+      showLockScreen();
+    } else {
+      showMain(ping);
+      loadServices();
+    }
+  } catch {
+    showLockScreen();
+  }
+}
+function showLockScreen() {
+  document.getElementById("lock-screen").style.display = "flex";
+  document.getElementById("main-view").style.display = "none";
+  setTimeout(() => document.getElementById("lock-input").focus(), 50);
+}
+function showMain(ping) {
+  document.getElementById("lock-screen").style.display = "none";
+  document.getElementById("main-view").style.display = "block";
+  if (ping) {
+    document.getElementById("s-pid").textContent = ping.pid || "—";
+    document.getElementById("s-fails").textContent =
+      ping.failures + "/" + (ping.failures + ping.failures_remaining);
+  }
+}
+// ── Unlock ──────────────────────────────────
+async function unlock() {
+  const input = document.getElementById("lock-input");
+  const btn   = document.getElementById("unlock-btn");
+  const err   = document.getElementById("lock-err");
+  const pw    = input.value;
+  if (!pw) { err.textContent = "Password is required."; return; }
+  btn.disabled = true; btn.textContent = "Verifying…"; err.textContent = "";
+  try {
+    const r = await fetch(BASE + "/auth", {
+      method: "POST",
+      headers: { "Content-Type": "application/json" },
+      body: JSON.stringify({ password: pw })
+    }).then(r => r.json());
+    if (r.error) throw new Error(r.error);
+    input.value = "";
+    const ping = await fetch(BASE + "/ping").then(r => r.json());
+    showMain(ping);
+    loadServices();
+  } catch (e) {
+    input.value = "";
+    input.className = "lock-input error";
+    err.textContent = "✗ " + (e.message || "Invalid password");
+    setTimeout(() => input.className = "lock-input", 600);
+  } finally {
+    btn.disabled = false; btn.textContent = "Unlock";
+  }
+}
+// ── Lock ────────────────────────────────────
+async function lockVault() {
+  await fetch(BASE + "/lock", { method: "POST" }).catch(() => {});
+  showLockScreen();
+}
+// ── Load services ───────────────────────────
+async function loadServices() {
+  const grid = document.getElementById("grid");
+  const err  = document.getElementById("error-bar");
+  err.style.display = "none";
+  grid.innerHTML = '<p class="loading">Loading…</p>';
+  try {
+    const status = await fetch(BASE + "/status").then(r => r.json());
+    if (status.locked) { showLockScreen(); return; }
+    if (status.error) throw new Error(status.error);
+    const services = status.services || [];
+    if (!services.length) { grid.innerHTML = '<p class="loading">No services registered.</p>'; return; }
+    grid.innerHTML = services.map(s => \`
+      <div class="card">
+        <div style="display:flex;align-items:flex-start;justify-content:space-between">
+          <div>
+            <div class="card-name">\${s.name}</div>
+            <div style="display:flex;align-items:center;gap:6px;margin-top:2px">
+              <div class="card-type">\${s.key_type || "secret"}</div>
+              <span class="svc-badge \${s.enabled === false ? "off" : "on"}" id="badge-\${s.name}">\${s.enabled === false ? "disabled" : "enabled"}</span>
+            </div>
+            \${KEY_URLS[s.name] ? \`<a class="card-getkey" href="\${KEY_URLS[s.name]}" target="_blank" rel="noopener">↗ Get / rotate key</a>\` : ""}
+          </div>
+          <div class="status-dot" id="sdot-\${s.name}" title=""></div>
+        </div>
+        <div class="card-value" id="val-\${s.name}"></div>
+        <div class="card-actions">
+          <button class="btn btn-reveal" onclick="reveal('\${s.name}', this)">Reveal</button>
+          <button class="btn btn-copy" id="copybtn-\${s.name}" style="display:none" onclick="copyKey('\${s.name}')">Copy</button>
+          <button class="btn btn-set" onclick="toggleSet('\${s.name}')">Set</button>
+          <button class="btn \${s.enabled === false ? "btn-enable" : "btn-disable"}" id="togbtn-\${s.name}" onclick="toggleService('\${s.name}')">\${s.enabled === false ? "Enable" : "Disable"}</button>
+        </div>
+        \${renderSetPanel(s.name)}
+      </div>
+    \`).join("");
+  } catch (e) {
+    err.textContent = "⚠ " + e.message;
+    err.style.display = "block";
+    document.getElementById("dot").style.background = "#ef4444";
+    grid.innerHTML = "";
+  }
+}
+// ── Reveal ──────────────────────────────────
+async function reveal(name, btn) {
+  const valEl   = document.getElementById("val-" + name);
+  const copyBtn = document.getElementById("copybtn-" + name);
+  if (valEl.style.display === "block") {
+    valEl.style.display = "none"; copyBtn.style.display = "none";
+    btn.textContent = "Reveal"; return;
+  }
+  valEl.textContent = "fetching…"; valEl.style.display = "block"; btn.textContent = "Hide";
+  try {
+    const r = await fetch(BASE + "/get/" + name).then(r => r.json());
+    if (r.locked) { showLockScreen(); return; }
+    if (r.error) throw new Error(r.error);
+    const imp = OAUTH_IMPORT[name];
+    if (imp) {
+      try {
+        const parsed = JSON.parse(r.value);
+        const allKeys = [...imp.jsonFields, ...imp.extra.map(f => f.key)];
+        valEl.innerHTML = allKeys.map(k =>
+          '<div style="margin-bottom:6px"><span style="color:#64748b;font-size:.72rem;text-transform:uppercase;letter-spacing:.4px">' + k.replace(/_/g," ") + '</span><br>' + (parsed[k] || "—") + '</div>'
+        ).join("");
+      } catch { valEl.textContent = r.value; }
+    } else {
+      valEl.textContent = r.value;
+    }
+    copyBtn.style.display = "inline-block";
+  } catch (e) {
+    valEl.textContent = "Error: " + e.message; valEl.style.color = "#ef4444";
+  }
+}
+async function copyKey(name) {
+  const val = document.getElementById("val-" + name).textContent;
+  try {
+    await navigator.clipboard.writeText(val);
+    const btn = document.getElementById("copybtn-" + name);
+    btn.textContent = "Copied!"; setTimeout(() => btn.textContent = "Copy", 1500);
+  } catch {}
+}
+// ── Set key ─────────────────────────────────
+function toggleSet(name) {
+  const panel = document.getElementById("set-panel-" + name);
+  const msg   = document.getElementById("set-msg-" + name);
+  const open  = panel.style.display === "block";
+  panel.style.display = open ? "none" : "block";
+  if (!open) {
+    if (msg) msg.textContent = "";
+    const imp = OAUTH_IMPORT[name];
+    if (imp) {
+      const jsonEl = document.getElementById("ofield-" + name + "-json");
+      if (jsonEl) { jsonEl.value = ""; jsonEl.focus(); }
+      imp.extra.forEach(f => { const el = document.getElementById("ofield-" + name + "-" + f.key); if (el) el.value = ""; });
+    } else {
+      const input = document.getElementById("set-input-" + name);
+      if (input) { input.value = ""; input.focus(); }
+    }
+  }
+}
+async function saveKey(name) {
+  const msg = document.getElementById("set-msg-" + name);
+  const fields = OAUTH_FIELDS[name];
+  if (fields) {
+    // Validate required fields first
+    for (const f of fields) {
+      if (!f.required) continue;
+      const el = document.getElementById("ofield-" + name + "-" + f.key);
+      if (!el || !el.value.trim()) {
+        msg.className = "set-msg fail"; msg.textContent = f.label + " is required."; return;
+      }
+    }
+    // Save each field as an atomic vault key: clauth.<service>.<key>
+    msg.className = "set-msg"; msg.textContent = "Saving…";
+    try {
+      for (const f of fields) {
+        const el = document.getElementById("ofield-" + name + "-" + f.key);
+        const v = el ? el.value.trim() : "";
+        if (!v) continue; // skip optional empty fields
+        const r = await fetch(BASE + "/set/" + name + "." + f.key, {
+          method: "POST",
+          headers: { "Content-Type": "application/json" },
+          body: JSON.stringify({ value: v })
+        }).then(r => r.json());
+        if (r.locked) { showLockScreen(); return; }
+        if (r.error) throw new Error(r.error);
+      }
+      msg.className = "set-msg ok"; msg.textContent = "✓ Saved";
+      fields.forEach(f => { const el = document.getElementById("ofield-" + name + "-" + f.key); if (el) el.value = ""; });
+    } catch (e) {
+      msg.className = "set-msg fail"; msg.textContent = e.message || "Save failed";
+      return;
+    }
+  } else {
+    const input = document.getElementById("set-input-" + name);
+    const value = input ? input.value.trim() : "";
+    if (!value) { msg.className = "set-msg fail"; msg.textContent = "Value is empty."; return; }
+    msg.className = "set-msg"; msg.textContent = "Saving…";
+    try {
+      const r = await fetch(BASE + "/set/" + name, {
+        method: "POST",
+        headers: { "Content-Type": "application/json" },
+        body: JSON.stringify({ value })
+      }).then(r => r.json());
+      if (r.locked) { showLockScreen(); return; }
+      if (r.error) throw new Error(r.error);
+      msg.className = "set-msg ok"; msg.textContent = "✓ Saved";
+      const inp = document.getElementById("set-input-" + name);
+      if (inp) inp.value = "";
+    } catch (e) {
+      msg.className = "set-msg fail"; msg.textContent = e.message || "Save failed";
+      return;
+    }
+  }
+  const dot = document.getElementById("sdot-" + name);
+  if (dot) { dot.className = "status-dot"; dot.title = ""; }
+  setTimeout(() => {
+    document.getElementById("set-panel-" + name).style.display = "none";
+    msg.textContent = "";
+  }, 1800);
+}
+// ── Enable / Disable service ────────────────
+async function toggleService(name) {
+  const badge  = document.getElementById("badge-" + name);
+  const btn    = document.getElementById("togbtn-" + name);
+  const currently = badge.classList.contains("on");
+  const newState  = !currently;
+  btn.disabled = true; btn.textContent = "…";
+  try {
+    const r = await fetch(BASE + "/toggle/" + name, {
+      method: "POST",
+      headers: { "Content-Type": "application/json" },
+      body: JSON.stringify({ enabled: newState })
+    }).then(r => r.json());
+    if (r.locked) { showLockScreen(); return; }
+    if (r.error) throw new Error(r.error);
+    badge.className = "svc-badge " + (newState ? "on" : "off");
+    badge.textContent = newState ? "enabled" : "disabled";
+    btn.className = "btn " + (newState ? "btn-disable" : "btn-enable");
+    btn.textContent = newState ? "Disable" : "Enable";
+  } catch (e) {
+    btn.textContent = "Error";
+    setTimeout(() => {
+      btn.textContent = currently ? "Disable" : "Enable";
+    }, 2000);
+  } finally {
+    btn.disabled = false;
+  }
+}
+// ── Check all credentials ───────────────────
+async function checkAll() {
+  const btn = document.getElementById("check-btn");
+  btn.disabled = true; btn.textContent = "Checking…";
+  // Show checking state on every visible dot
+  document.querySelectorAll(".status-dot").forEach(d => {
+    d.className = "status-dot checking"; d.title = "Checking…";
+  });
+  try {
+    const r = await fetch(BASE + "/check-all").then(r => r.json());
+    if (r.locked) { showLockScreen(); return; }
+    if (r.error) throw new Error(r.error);
+    const results = r.results || {};
+    for (const [name, result] of Object.entries(results)) {
+      const dot = document.getElementById("sdot-" + name);
+      if (!dot) continue;
+      if (result.ok) {
+        dot.className = "status-dot ok"; dot.title = "OK";
+      } else {
+        dot.className = "status-dot fail";
+        dot.title = result.reason || "No key stored";
+      }
+    }
+    // Fade green dots after 3 s — red dots stay until next check
+    setTimeout(() => {
+      document.querySelectorAll(".status-dot.ok").forEach(d => d.classList.add("fading"));
+    }, 3000);
+  } catch (e) {
+    document.querySelectorAll(".status-dot").forEach(d => { d.className = "status-dot"; d.title = ""; });
+    const errBar = document.getElementById("error-bar");
+    errBar.textContent = "⚠ Check failed: " + e.message;
+    errBar.style.display = "block";
+  } finally {
+    btn.disabled = false; btn.textContent = "⬤ Check All";
+  }
+}
+// ── Change password ─────────────────────────
+function toggleChangePw() {
+  const panel = document.getElementById("chpw-panel");
+  const open  = panel.style.display === "block";
+  panel.style.display = open ? "none" : "block";
+  if (!open) {
+    document.getElementById("chpw-new").value = "";
+    document.getElementById("chpw-confirm").value = "";
+    document.getElementById("chpw-msg").textContent = "";
+    document.getElementById("chpw-new").focus();
+  }
+}
+async function changePassword() {
+  const newPw  = document.getElementById("chpw-new").value;
+  const confPw = document.getElementById("chpw-confirm").value;
+  const msg    = document.getElementById("chpw-msg");
+  if (!newPw) { msg.className = "chpw-msg fail"; msg.textContent = "Enter a new password."; return; }
+  if (newPw.length < 8) { msg.className = "chpw-msg fail"; msg.textContent = "Minimum 8 characters."; return; }
+  if (newPw !== confPw) { msg.className = "chpw-msg fail"; msg.textContent = "Passwords don't match."; return; }
+  msg.className = "chpw-msg"; msg.textContent = "Updating…";
+  try {
+    const r = await fetch(BASE + "/change-pw", {
+      method: "POST",
+      headers: { "Content-Type": "application/json" },
+      body: JSON.stringify({ newPassword: newPw })
+    }).then(r => r.json());
+    if (r.locked) { showLockScreen(); return; }
+    if (r.error) throw new Error(r.error);
+    msg.className = "chpw-msg ok"; msg.textContent = "✓ Password updated";
+    document.getElementById("chpw-new").value = "";
+    document.getElementById("chpw-confirm").value = "";
+    setTimeout(() => {
+      document.getElementById("chpw-panel").style.display = "none";
+      msg.textContent = "";
+    }, 2000);
+  } catch (e) {
+    msg.className = "chpw-msg fail"; msg.textContent = "✗ " + e.message;
+  }
+}
+// Enter key on lock screen
+document.addEventListener("DOMContentLoaded", () => {
+  document.getElementById("lock-input").addEventListener("keydown", e => {
+    if (e.key === "Enter") unlock();
+  });
+});
+boot();
+</script>
+</body>
+</html>`;
+}
+// ── Body parser helper ────────────────────────────────────────
+function readBody(req) {
+  return new Promise((resolve, reject) => {
+    let data = "";
+    req.on("data", chunk => { data += chunk; if (data.length > 65536) reject(new Error("Body too large")); });
+    req.on("end", () => { try { resolve(JSON.parse(data)); } catch { reject(new Error("Invalid JSON")); } });
+    req.on("error", reject);
+  });
+}
+// ── Server logic (shared by foreground + daemon) ─────────────
+function createServer(initPassword, whitelist, port) {
+  const MAX_FAILS = 3;
+  let failCount = 0;
+  let password = initPassword || null;   // null = locked; set via POST /auth
+  const machineHash = getMachineHash();
+  const CORS = {
+    "Access-Control-Allow-Origin": "*",
+    "Access-Control-Allow-Methods": "GET, POST, OPTIONS",
+    "Access-Control-Allow-Headers": "Content-Type",
+  };
+  function strike(res, code, message) {
+    failCount++;
+    const remaining = MAX_FAILS - failCount;
+    const logLine = `[${new Date().toISOString()}] [FAIL ${failCount}/${MAX_FAILS}] ${message}\n`;
+    try { fs.appendFileSync(LOG_FILE, logLine); } catch {}
+    const body = JSON.stringify({
+      error: message,
+      failures: failCount,
+      failures_remaining: remaining,
+      ...(failCount >= MAX_FAILS ? { shutdown: true } : {})
+    });
+    res.writeHead(code, { "Content-Type": "application/json", ...CORS });
+    res.end(body);
+    if (failCount >= MAX_FAILS) {
+      const msg = `[${new Date().toISOString()}] Failure limit reached — shutting down\n`;
+      try { fs.appendFileSync(LOG_FILE, msg); } catch {}
+      removePid();
+      setTimeout(() => process.exit(1), 100);
+    }
+  }
+  function ok(res, data) {
+    res.writeHead(200, { "Content-Type": "application/json", ...CORS });
+    res.end(JSON.stringify(data));
+  }
+  const server = http.createServer(async (req, res) => {
+    // Hard reject anything not from loopback
+    const remote = req.socket.remoteAddress;
+    const isLocal = remote === "127.0.0.1" || remote === "::1" || remote === "::ffff:127.0.0.1";
+    if (!isLocal) {
+      return strike(res, 403, `Rejected non-local address: ${remote}`);
+    }
+    // CORS preflight
+    if (req.method === "OPTIONS") {
+      res.writeHead(204, CORS);
+      return res.end();
+    }
+    const url    = new URL(req.url, `http://127.0.0.1:${port}`);
+    const reqPath = url.pathname;
+    const method = req.method;
+    // GET / — built-in web dashboard
+    if (method === "GET" && reqPath === "/") {
+      res.writeHead(200, { "Content-Type": "text/html", ...CORS });
+      return res.end(dashboardHtml(port, whitelist));
+    }
+    // GET /ping
+    if (method === "GET" && reqPath === "/ping") {
+      return ok(res, {
+        status: "ok",
+        pid: process.pid,
+        locked: !password,
+        failures: failCount,
+        failures_remaining: MAX_FAILS - failCount,
+        services: whitelist || "all",
+        port
+      });
+    }
+    // GET /shutdown (for daemon stop)
+    if (method === "GET" && reqPath === "/shutdown") {
+      ok(res, { ok: true, message: "shutting down" });
+      removePid();
+      setTimeout(() => process.exit(0), 100);
+      return;
+    }
+    // Locked guard — returns true if locked and already responded
+    function lockedGuard(res) {
+      if (!password) {
+        res.writeHead(401, { "Content-Type": "application/json", ...CORS });
+        res.end(JSON.stringify({ error: "Vault is locked", locked: true }));
+        return true;
+      }
+      return false;
+    }
+    // GET /status
+    if (method === "GET" && reqPath === "/status") {
+      if (lockedGuard(res)) return;
+      try {
+        const { token, timestamp } = deriveToken(password, machineHash);
+        const result = await api.status(password, machineHash, token, timestamp);
+        if (result.error) return strike(res, 502, result.error);
+        if (whitelist) {
+          result.services = (result.services || []).filter(
+            s => whitelist.includes(s.name.toLowerCase())
+          );
+        }
+        return ok(res, result);
+      } catch (err) {
+        return strike(res, 502, err.message);
+      }
+    }
+    // GET /get/:service
+    const getMatch = reqPath.match(/^\/get\/([a-zA-Z0-9_.-]+)$/);
+    if (method === "GET" && getMatch) {
+      if (lockedGuard(res)) return;
+      const service = getMatch[1].toLowerCase();
+      if (whitelist && !whitelist.includes(service)) {
+        return strike(res, 403, `Service '${service}' not in whitelist`);
+      }
+      try {
+        const { token, timestamp } = deriveToken(password, machineHash);
+        const result = await api.retrieve(password, machineHash, token, timestamp, service);
+        if (result.error) return strike(res, 502, result.error);
+        return ok(res, { service, value: result.value, key_type: result.key_type });
+      } catch (err) {
+        return strike(res, 502, err.message);
+      }
+    }
+    // POST /auth — unlock the vault with a password (verifies against Edge Function)
+    if (method === "POST" && reqPath === "/auth") {
+      let body;
+      try { body = await readBody(req); } catch {
+        res.writeHead(400, { "Content-Type": "application/json", ...CORS });
+        return res.end(JSON.stringify({ error: "Invalid JSON body" }));
+      }
+      const pw = body.password;
+      if (!pw || typeof pw !== "string") {
+        res.writeHead(400, { "Content-Type": "application/json", ...CORS });
+        return res.end(JSON.stringify({ error: "password is required" }));
+      }
+      try {
+        const { token, timestamp } = deriveToken(pw, machineHash);
+        const result = await api.test(pw, machineHash, token, timestamp);
+        if (result.error) throw new Error(result.error);
+        password = pw;   // unlock — store in process memory only
+        const logLine = `[${new Date().toISOString()}] Vault unlocked\n`;
+        try { fs.appendFileSync(LOG_FILE, logLine); } catch {}
+        return ok(res, { ok: true, locked: false });
+      } catch {
+        // Wrong password — not a lockout strike, just a UI auth attempt
+        res.writeHead(401, { "Content-Type": "application/json", ...CORS });
+        return res.end(JSON.stringify({ error: "Invalid password" }));
+      }
+    }
+    // POST /lock — clear password from memory
+    if (method === "POST" && reqPath === "/lock") {
+      password = null;
+      const logLine = `[${new Date().toISOString()}] Vault locked\n`;
+      try { fs.appendFileSync(LOG_FILE, logLine); } catch {}
+      return ok(res, { ok: true, locked: true });
+    }
+    // POST /toggle/:service — enable or disable a service
+    const toggleMatch = reqPath.match(/^\/toggle\/([a-zA-Z0-9_-]+)$/);
+    if (method === "POST" && toggleMatch) {
+      if (lockedGuard(res)) return;
+      const service = toggleMatch[1].toLowerCase();
+      let body;
+      try { body = await readBody(req); } catch {
+        res.writeHead(400, { "Content-Type": "application/json", ...CORS });
+        return res.end(JSON.stringify({ error: "Invalid JSON body" }));
+      }
+      const { enabled } = body;
+      if (typeof enabled !== "boolean") {
+        res.writeHead(400, { "Content-Type": "application/json", ...CORS });
+        return res.end(JSON.stringify({ error: "enabled must be boolean" }));
+      }
+      try {
+        const { token, timestamp } = deriveToken(password, machineHash);
+        const result = await api.enable(password, machineHash, token, timestamp, service, enabled);
+        if (result.error) return strike(res, 502, result.error);
+        return ok(res, { ok: true, service, enabled });
+      } catch (err) {
+        return strike(res, 502, err.message);
+      }
+    }
+    // GET /check-all — soft health check, no strikes for missing/disabled keys
+    if (method === "GET" && reqPath === "/check-all") {
+      if (lockedGuard(res)) return;
+      try {
+        const { token: st, timestamp: sts } = deriveToken(password, machineHash);
+        const statusResult = await api.status(password, machineHash, st, sts);
+        if (statusResult.error) return strike(res, 502, statusResult.error);
+        const services = (statusResult.services || []).filter(
+          s => !whitelist || whitelist.includes(s.name.toLowerCase())
+        );
+        const results = {};
+        for (const svc of services) {
+          try {
+            const { token, timestamp } = deriveToken(password, machineHash);
+            const r = await api.retrieve(password, machineHash, token, timestamp, svc.name);
+            results[svc.name] = r.error
+              ? { ok: false, reason: r.error }
+              : { ok: true };
+          } catch (e) {
+            results[svc.name] = { ok: false, reason: e.message };
+          }
+        }
+        return ok(res, { results });
+      } catch (err) {
+        return strike(res, 502, err.message);
+      }
+    }
+    // POST /change-pw — change master password (must be unlocked)
+    if (method === "POST" && reqPath === "/change-pw") {
+      if (lockedGuard(res)) return;
+      let body;
+      try { body = await readBody(req); } catch {
+        res.writeHead(400, { "Content-Type": "application/json", ...CORS });
+        return res.end(JSON.stringify({ error: "Invalid JSON body" }));
+      }
+      const { newPassword } = body;
+      if (!newPassword || typeof newPassword !== "string" || newPassword.length < 8) {
+        res.writeHead(400, { "Content-Type": "application/json", ...CORS });
+        return res.end(JSON.stringify({ error: "newPassword must be at least 8 characters" }));
+      }
+      try {
+        const { token, timestamp } = deriveToken(password, machineHash);
+        const newSeedHash = deriveSeedHash(machineHash, newPassword);
+        const result = await api.changePassword(password, machineHash, token, timestamp, newSeedHash);
+        if (result.error) throw new Error(result.error);
+        password = newPassword;  // update in-memory password to new one
+        const logLine = `[${new Date().toISOString()}] Password changed\n`;
+        try { fs.appendFileSync(LOG_FILE, logLine); } catch {}
+        return ok(res, { ok: true });
+      } catch (err) {
+        res.writeHead(502, { "Content-Type": "application/json", ...CORS });
+        return res.end(JSON.stringify({ error: err.message }));
+      }
+    }
+    // POST /set/:service — write a new key value into vault
+    const setMatch = reqPath.match(/^\/set\/([a-zA-Z0-9_.-]+)$/);
+    if (method === "POST" && setMatch) {
+      if (lockedGuard(res)) return;
+      const service = setMatch[1].toLowerCase();
+      if (whitelist && !whitelist.includes(service)) {
+        return strike(res, 403, `Service '${service}' not in whitelist`);
+      }
+      let body;
+      try { body = await readBody(req); } catch {
+        return strike(res, 400, "Invalid JSON body");
+      }
+      const value = body.value;
+      if (!value || typeof value !== "string" || !value.trim()) {
+        res.writeHead(400, { "Content-Type": "application/json", ...CORS });
+        return res.end(JSON.stringify({ error: "value is required" }));
+      }
+      try {
+        const { token, timestamp } = deriveToken(password, machineHash);
+        const result = await api.write(password, machineHash, token, timestamp, service, value.trim());
+        if (result.error) return strike(res, 502, result.error);
+        return ok(res, { ok: true, service });
+      } catch (err) {
+        return strike(res, 502, err.message);
+      }
+    }
+    // Unknown route
+    return strike(res, 404, `Unknown endpoint: ${reqPath}`);
+  });
+  return server;
+}
+// ── Actions ──────────────────────────────────────────────────
+async function verifyAuth(password) {
+  const machineHash = getMachineHash();
+  const { token, timestamp } = deriveToken(password, machineHash);
+  const result = await api.test(password, machineHash, token, timestamp);
+  if (result.error) throw new Error(result.error);
+}
+async function actionStart(opts) {
+  const port     = parseInt(opts.port || "52437", 10);
+  const password = opts.pw;
+  const whitelist = opts.services
+    ? opts.services.split(",").map(s => s.trim().toLowerCase())
+    : null;
+  // Check for existing instance
+  const existing = readPid();
+  if (existing && isProcessAlive(existing.pid)) {
+    console.log(chalk.yellow(`\n  clauth serve already running (PID ${existing.pid}, port ${existing.port})`));
+    console.log(chalk.gray(`  Stop it first: clauth serve stop\n`));
+    process.exit(1);
+  }
+  // If we're the daemon child, run the server directly
+  if (process.env.__CLAUTH_DAEMON === "1") {
+    // Verify password only if one was provided at start (optional — browser can unlock later)
+    if (password) {
+      try {
+        await verifyAuth(password);
+      } catch (err) {
+        const msg = `[${new Date().toISOString()}] Auth failed: ${err.message}\n`;
+        fs.appendFileSync(LOG_FILE, msg);
+        process.exit(1);
+      }
+    }
+    const server = createServer(password, whitelist, port);
+    server.listen(port, "127.0.0.1", () => {
+      writePid(process.pid, port);
+      const msg = `[${new Date().toISOString()}] clauth serve started — PID ${process.pid}, port ${port}, services: ${whitelist ? whitelist.join(",") : "all"}\n`;
+      fs.appendFileSync(LOG_FILE, msg);
+    });
+    server.on("error", err => {
+      const msg = `[${new Date().toISOString()}] Server error: ${err.message}\n`;
+      fs.appendFileSync(LOG_FILE, msg);
+      process.exit(1);
+    });
+    const shutdown = () => { removePid(); process.exit(0); };
+    process.on("SIGTERM", shutdown);
+    process.on("SIGINT", shutdown);
+    return;
+  }
+  // If --pw provided, verify it before spawning (fast-fail on wrong password)
+  if (password) {
+    console.log(chalk.gray("\n  Verifying vault credentials..."));
+    try {
+      await verifyAuth(password);
+    } catch (err) {
+      console.log(chalk.red(`\n  Auth failed: ${err.message}\n`));
+      process.exit(1);
+    }
+    console.log(chalk.green("  ✓ Vault auth verified"));
+  } else {
+    console.log(chalk.yellow("\n  Starting in locked state — open browser to unlock"));
+  }
+  // Spawn detached daemon child via the clauth CLI entry point
+  const { spawn } = await import("child_process");
+  const { fileURLToPath } = await import("url");
+  const { dirname, join } = await import("path");
+  const __filename = fileURLToPath(import.meta.url);
+  const cliEntry = join(dirname(__filename), "..", "index.js");
+  // Build args: node index.js serve start --port N [--pw PW] [--services S]
+  const childArgs = [cliEntry, "serve", "start", "--port", String(port)];
+  if (password) childArgs.push("--pw", password);
+  if (opts.services) childArgs.push("--services", opts.services);
+  const out = fs.openSync(LOG_FILE, "a");
+  const child = spawn(process.execPath, childArgs, {
+    detached: true,
+    stdio: ["ignore", out, out],
+    env: { ...process.env, __CLAUTH_DAEMON: "1" },
+  });
+  child.unref();
+  // Give it time to bind and write PID file (Windows spawn is slower)
+  // Verify via HTTP ping (process.kill(pid,0) fails on Windows for detached processes)
+  let started = false;
+  for (let attempt = 0; attempt < 5; attempt++) {
+    await new Promise(r => setTimeout(r, 1000));
+    try {
+      const resp = await fetch(`http://127.0.0.1:${port}/ping`);
+      if (resp.ok) { started = true; break; }
+    } catch {}
+  }
+  const info = readPid();
+  if (started && info) {
+    console.log(chalk.green(`\n  🔐 clauth serve started`));
+    console.log(chalk.gray(`  PID:      ${info.pid}`));
+    console.log(chalk.gray(`  Port:     127.0.0.1:${info.port}`));
+    console.log(chalk.gray(`  Services: ${whitelist ? whitelist.join(", ") : "all"}`));
+    console.log(chalk.gray(`  Log:      ${LOG_FILE}`));
+    if (!password) {
+      console.log(chalk.cyan(`\n  👉 Open http://127.0.0.1:${info.port} to unlock the vault`));
+    }
+    console.log(chalk.gray(`  Stop:     clauth serve stop\n`));
+  } else {
+    console.log(chalk.red(`\n  ❌ Failed to start daemon — check ${LOG_FILE}\n`));
+    process.exit(1);
+  }
+}
+async function actionStop() {
+  const info = readPid();
+  if (!info) {
+    console.log(chalk.yellow("\n  No clauth serve PID file found — not running.\n"));
+    return;
+  }
+  if (!isProcessAlive(info.pid)) {
+    console.log(chalk.yellow(`\n  PID ${info.pid} is not running (stale PID file). Cleaning up.\n`));
+    removePid();
+    return;
+  }
+  // Try HTTP shutdown first (clean)
+  try {
+    const resp = await fetch(`http://127.0.0.1:${info.port}/shutdown`);
+    if (resp.ok) {
+      await new Promise(r => setTimeout(r, 300));
+      console.log(chalk.green(`\n  🛑 clauth serve stopped (was PID ${info.pid}, port ${info.port})\n`));
+      removePid();
+      return;
+    }
+  } catch {}
+  // Fallback: kill the process
+  try {
+    process.kill(info.pid, "SIGTERM");
+    await new Promise(r => setTimeout(r, 300));
+    console.log(chalk.green(`\n  🛑 clauth serve stopped via SIGTERM (PID ${info.pid})\n`));
+  } catch (err) {
+    console.log(chalk.yellow(`\n  Could not kill PID ${info.pid}: ${err.message}\n`));
+  }
+  removePid();
+}
+async function actionPing() {
+  const info = readPid();
+  if (!info) {
+    console.log(chalk.red("\n  clauth serve is not running (no PID file)\n"));
+    process.exit(1);
+  }
+  if (!isProcessAlive(info.pid)) {
+    console.log(chalk.red(`\n  PID ${info.pid} is not alive (stale PID file)\n`));
+    removePid();
+    process.exit(1);
+  }
+  try {
+    const resp = await fetch(`http://127.0.0.1:${info.port}/ping`);
+    const data = await resp.json();
+    if (data.status === "ok") {
+      console.log(chalk.green(`\n  ✅ clauth serve running`));
+      console.log(chalk.gray(`  PID:     ${info.pid}`));
+      console.log(chalk.gray(`  Port:    ${info.port}`));
+      console.log(chalk.gray(`  Fails:   ${data.failures}/${data.failures + data.failures_remaining}`));
+      console.log(chalk.gray(`  Services: ${Array.isArray(data.services) ? data.services.join(", ") : data.services}\n`));
+    } else {
+      console.log(chalk.yellow(`\n  PID alive but /ping returned unexpected response\n`));
+    }
+  } catch (err) {
+    console.log(chalk.yellow(`\n  PID ${info.pid} alive but HTTP failed: ${err.message}\n`));
+  }
+}
+async function actionRestart(opts) {
+  const info = readPid();
+  if (info && isProcessAlive(info.pid)) {
+    await actionStop();
+    await new Promise(r => setTimeout(r, 500));
+  }
+  await actionStart(opts);
+}
+async function actionForeground(opts) {
+  const port      = parseInt(opts.port || "52437", 10);
+  const password  = opts.pw || null;
+  const whitelist = opts.services
+    ? opts.services.split(",").map(s => s.trim().toLowerCase())
+    : null;
+  if (password) {
+    console.log(chalk.gray("\n  Verifying vault credentials..."));
+    try {
+      await verifyAuth(password);
+    } catch (err) {
+      console.log(chalk.red(`\n  Auth failed: ${err.message}\n`));
+      process.exit(1);
+    }
+    console.log(chalk.green("  ✓ Vault auth verified"));
+  } else {
+    console.log(chalk.yellow("\n  Starting in locked state — open browser to unlock"));
+  }
+  console.log(chalk.gray(`  Port:     127.0.0.1:${port}`));
+  console.log(chalk.gray(`  Services: ${whitelist ? whitelist.join(", ") : "all"}`));
+  console.log(chalk.gray(`  Lockout:  3 failures → exit\n`));
+  const server = createServer(password, whitelist, port);
+  server.listen(port, "127.0.0.1", () => {
+    writePid(process.pid, port);
+    console.log(chalk.green(`  clauth serve → http://127.0.0.1:${port}`));
+    if (!password) console.log(chalk.cyan(`  👉 Open http://127.0.0.1:${port} to unlock`));
+    console.log(chalk.gray("  Ctrl+C to stop\n"));
+  });
+  server.on("error", err => {
+    if (err.code === "EADDRINUSE") {
+      console.log(chalk.red(`\n  Port ${port} already in use. Use --port to choose another.\n`));
+    } else {
+      console.log(chalk.red(`\n  Server error: ${err.message}\n`));
+    }
+    process.exit(1);
+  });
+  process.on("SIGINT", () => {
+    console.log(chalk.yellow("\n  Stopping clauth serve...\n"));
+    removePid();
+    server.close(() => process.exit(0));
+  });
+}
+// ── Export ────────────────────────────────────────────────────
+export async function runServe(opts) {
+  const action = opts.action || "foreground";
+  switch (action) {
+    case "start":     return actionStart(opts);
+    case "stop":      return actionStop();
+    case "restart":   return actionRestart(opts);
+    case "ping":      return actionPing();
+    case "foreground": return actionForeground(opts);
+    default:
+      console.log(chalk.red(`\n  Unknown serve action: ${action}`));
+      console.log(chalk.gray("  Actions: start | stop | restart | ping | foreground\n"));
+      process.exit(1);
+  }
+}