@lifeaitools/clauth 0.3.12 → 0.4.1

package/cli/commands/serve.js

@@ -1,1213 +1,1653 @@
-// cli/commands/serve.js
-// Localhost-only credential daemon with daemon lifecycle management
-// Binds 127.0.0.1 ONLY — unreachable from outside the machine
-// 3 failed requests of any kind → process exits, requires manual restart
-// Supports: start (background daemon), stop, restart, ping, foreground
-
-import http from "http";
-import fs from "fs";
-import os from "os";
-import path from "path";
-import { fileURLToPath } from "url";
-import { getMachineHash, deriveToken, deriveSeedHash } from "../fingerprint.js";
-import * as api from "../api.js";
-import chalk from "chalk";
-
-const __dirname = path.dirname(fileURLToPath(import.meta.url));
-const pkg = JSON.parse(fs.readFileSync(path.join(__dirname, "../../package.json"), "utf8"));
-const VERSION = pkg.version;
-
-const PID_FILE = path.join(os.tmpdir(), "clauth-serve.pid");
-const LOG_FILE = path.join(os.tmpdir(), "clauth-serve.log");
-
-// ── PID helpers ──────────────────────────────────────────────
-function readPid() {
-  try {
-    const raw = fs.readFileSync(PID_FILE, "utf8").trim();
-    const [pid, port] = raw.split(":");
-    return { pid: parseInt(pid, 10), port: parseInt(port, 10) };
-  } catch { return null; }
-}
-
-function writePid(pid, port) {
-  fs.writeFileSync(PID_FILE, `${pid}:${port}`, "utf8");
-}
-
-function removePid() {
-  try { fs.unlinkSync(PID_FILE); } catch {}
-}
-
-function isProcessAlive(pid) {
-  try { process.kill(pid, 0); return true; } catch { return false; }
-}
-
-// ── Dashboard HTML ───────────────────────────────────────────
-function dashboardHtml(port, whitelist) {
-  return `<!DOCTYPE html>
-<html lang="en">
-<head>
-<meta charset="utf-8">
-<meta name="viewport" content="width=device-width,initial-scale=1">
-<title>clauth vault v${VERSION}</title>
-<style>
-  *{margin:0;padding:0;box-sizing:border-box}
-  body{background:#0a0f1a;color:#e2e8f0;font-family:-apple-system,BlinkMacSystemFont,'Segoe UI',sans-serif;min-height:100vh}
-  /* ── Lock screen ── */
-  #lock-screen{display:flex;flex-direction:column;align-items:center;justify-content:center;min-height:100vh;padding:2rem}
-  .lock-card{background:#1e293b;border:1px solid #334155;border-radius:12px;padding:2.5rem 2rem;width:100%;max-width:380px;text-align:center}
-  .lock-icon{font-size:2.5rem;margin-bottom:1rem}
-  .lock-title{font-size:1.25rem;font-weight:600;color:#f8fafc;margin-bottom:.4rem}
-  .lock-sub{font-size:.85rem;color:#64748b;margin-bottom:1.75rem}
-  .lock-input{width:100%;background:#0f172a;border:1px solid #334155;border-radius:8px;color:#e2e8f0;font-family:'Courier New',monospace;font-size:1rem;padding:10px 14px;outline:none;text-align:center;letter-spacing:.1em;transition:border-color .2s;margin-bottom:1rem}
-  .lock-input:focus{border-color:#3b82f6}
-  .lock-input.error{border-color:#ef4444;animation:shake .3s}
-  @keyframes shake{0%,100%{transform:translateX(0)}25%{transform:translateX(-6px)}75%{transform:translateX(6px)}}
-  .btn-unlock{width:100%;background:#3b82f6;color:#fff;border:none;border-radius:8px;padding:10px;font-size:.95rem;font-weight:600;cursor:pointer;transition:background .15s}
-  .btn-unlock:hover{background:#2563eb}
-  .btn-unlock:disabled{background:#1e3a5f;color:#4a6fa5;cursor:not-allowed}
-  .lock-err{color:#f87171;font-size:.82rem;margin-top:.75rem;min-height:1.2em}
-  /* ── Main view ── */
-  #main-view{display:none;padding:2rem}
-  .header{display:flex;align-items:center;gap:10px;margin-bottom:1.5rem;flex-wrap:wrap}
-  .header h1{font-size:1.4rem;font-weight:600;flex:1}
-  .dot{width:10px;height:10px;border-radius:50%;background:#22c55e;animation:pulse 2s infinite;flex-shrink:0}
-  @keyframes pulse{0%,100%{opacity:1}50%{opacity:.4}}
-  .status-bar{display:flex;gap:1.5rem;margin-bottom:1.5rem;font-size:.82rem;color:#94a3b8;flex-wrap:wrap}
-  .status-bar span{color:#e2e8f0;font-weight:500}
-  .toolbar{display:flex;gap:8px;margin-bottom:1rem;flex-wrap:wrap;align-items:center}
-  .chpw-panel{display:none;background:#1a1f2e;border:1px solid #334155;border-radius:8px;padding:1.25rem;margin-bottom:1.5rem}
-  .chpw-panel h3{font-size:.9rem;font-weight:600;color:#f8fafc;margin-bottom:1rem}
-  .chpw-row{display:flex;gap:10px;flex-wrap:wrap;align-items:flex-end;margin-bottom:.75rem}
-  .chpw-field{display:flex;flex-direction:column;gap:4px}
-  .chpw-field label{font-size:.75rem;color:#64748b}
-  .chpw-input{background:#0f172a;border:1px solid #334155;border-radius:6px;color:#e2e8f0;font-family:'Courier New',monospace;font-size:.88rem;padding:7px 12px;outline:none;width:200px;transition:border-color .2s}
-  .chpw-input:focus{border-color:#3b82f6}
-  .chpw-foot{display:flex;gap:8px;align-items:center}
-  .btn-chpw-save{background:#1e3a5f;color:#60a5fa;padding:7px 18px;font-size:.85rem;border-radius:6px;border:none;cursor:pointer;font-weight:500;transition:background .15s}
-  .btn-chpw-save:hover{background:#1e4a7f}
-  .chpw-msg{font-size:.82rem}
-  .chpw-msg.ok{color:#4ade80} .chpw-msg.fail{color:#f87171}
-  .btn-refresh{background:#3b82f6;color:#fff;padding:7px 18px;font-size:.85rem;border-radius:7px;border:none;cursor:pointer;font-weight:500}
-  .btn-refresh:hover{background:#2563eb}
-  .btn-lock{background:#1e293b;color:#f87171;border:1px solid #334155;padding:7px 16px;font-size:.85rem;border-radius:7px;cursor:pointer;font-weight:500}
-  .btn-lock:hover{background:#2d1f1f;border-color:#f87171}
-  .grid{display:grid;grid-template-columns:repeat(auto-fill,minmax(300px,1fr));gap:1rem}
-  .card{background:#1e293b;border:1px solid #334155;border-radius:8px;padding:1.25rem;transition:border-color .2s}
-  .card:hover{border-color:#3b82f6}
-  .card-name{font-size:1rem;font-weight:600;color:#f8fafc;margin-bottom:3px}
-  .card-type{font-size:.78rem;color:#64748b;text-transform:uppercase;letter-spacing:.5px}
-  .card-getkey{font-size:.75rem;color:#3b82f6;text-decoration:none;opacity:.7;transition:opacity .15s}
-  .card-getkey:hover{opacity:1;text-decoration:underline}
-  .card-value{font-family:'Courier New',monospace;font-size:.82rem;color:#22c55e;background:#0f172a;border-radius:4px;padding:8px 10px;margin-top:10px;word-break:break-all;max-height:80px;overflow:auto;display:none}
-  .card-actions{margin-top:10px;display:flex;gap:7px;flex-wrap:wrap}
-  .set-panel{display:none;margin-top:10px;background:#0f172a;border-radius:6px;padding:10px;border:1px solid #1e3a5f}
-  .set-panel label{font-size:.75rem;color:#64748b;display:block;margin-bottom:6px}
-  .set-input{width:100%;background:#0a0f1a;border:1px solid #1e3a5f;border-radius:4px;color:#e2e8f0;font-family:'Courier New',monospace;font-size:.85rem;padding:7px 10px;outline:none;resize:vertical;min-height:58px;transition:border-color .2s}
-  .set-input:focus{border-color:#3b82f6}
-  .set-foot{margin-top:8px;display:flex;gap:8px;align-items:center}
-  .set-msg{font-size:.8rem}
-  .set-msg.ok{color:#4ade80} .set-msg.fail{color:#f87171}
-  .btn{padding:6px 13px;border-radius:6px;border:none;cursor:pointer;font-size:.8rem;font-weight:500;transition:all .15s}
-  .btn-reveal{background:#1e3a5f;color:#60a5fa}.btn-reveal:hover{background:#1e4a7f}
-  .btn-copy{background:#1a3328;color:#4ade80}.btn-copy:hover{background:#1a4338}
-  .btn-set{background:#2d1f4a;color:#a78bfa}.btn-set:hover{background:#3d2f5a}
-  .btn-save{background:#1e3a5f;color:#60a5fa;padding:6px 16px}.btn-save:hover{background:#1e4a7f}
-  .btn-cancel{background:transparent;color:#64748b;padding:6px 10px}.btn-cancel:hover{color:#94a3b8}
-  .btn-check{background:#0f2d2d;color:#34d399;border:1px solid #064e3b;padding:7px 16px;font-size:.85rem;border-radius:7px;cursor:pointer;font-weight:500;transition:all .15s}
-  .btn-check:hover{background:#134e4a;border-color:#34d399}.btn-check:disabled{opacity:.5;cursor:not-allowed}
-  .btn-enable{background:#14291a;color:#4ade80;border:1px solid #166534}.btn-enable:hover{background:#1a3d22;border-color:#4ade80}
-  .btn-disable{background:#2d1f1f;color:#f87171;border:1px solid #7f1d1d}.btn-disable:hover{background:#3d2525;border-color:#f87171}
-  .svc-badge{font-size:.7rem;font-weight:600;padding:2px 7px;border-radius:4px;letter-spacing:.4px;text-transform:uppercase}
-  .svc-badge.on{background:rgba(74,222,128,.12);color:#4ade80;border:1px solid rgba(74,222,128,.25)}
-  .svc-badge.off{background:rgba(248,113,113,.1);color:#f87171;border:1px solid rgba(248,113,113,.2)}
-  .status-dot{width:8px;height:8px;border-radius:50%;flex-shrink:0;opacity:0;transition:opacity .3s;margin-top:4px;cursor:default}
-  .status-dot.checking{background:#f59e0b;opacity:1;animation:pulse 1s infinite}
-  .status-dot.ok{background:#22c55e;opacity:1}
-  .status-dot.fail{background:#ef4444;opacity:1}
-  @keyframes sdot-fade{to{opacity:0}} .status-dot.fading{animation:sdot-fade 1.5s forwards}
-  .error-bar{background:#7f1d1d;color:#fca5a5;border:1px solid #991b1b;padding:10px 14px;border-radius:8px;margin-bottom:1rem;display:none;font-size:.85rem}
-  .loading{color:#64748b;font-style:italic}
-  .footer{margin-top:2rem;font-size:.75rem;color:#475569;text-align:center}
-  .oauth-fields{display:flex;flex-direction:column;gap:8px;margin-bottom:8px}
-  .oauth-field{display:flex;flex-direction:column;gap:3px}
-  .oauth-label{font-size:.75rem;color:#94a3b8;font-weight:500}
-  .oauth-hint{font-size:.71rem;color:#475569;font-style:italic}
-  .oauth-input{width:100%;background:#0a0f1a;border:1px solid #1e3a5f;border-radius:4px;color:#e2e8f0;font-family:'Courier New',monospace;font-size:.85rem;padding:7px 10px;outline:none;transition:border-color .2s}
-  .oauth-input:focus{border-color:#3b82f6}
-</style>
-</head>
-<body>
-
-<!-- ── Lock screen ──────────────────────────── -->
-<div id="lock-screen">
-  <div class="lock-card">
-    <div class="lock-icon">🔒</div>
-    <div class="lock-title">clauth vault</div>
-    <div class="lock-sub">Paste your password to unlock</div>
-    <input class="lock-input" id="lock-input" type="password" placeholder="••••••••••••" autocomplete="off">
-    <button class="btn-unlock" id="unlock-btn" onclick="unlock()">Unlock</button>
-    <div class="lock-err" id="lock-err"></div>
-  </div>
-</div>
-
-<!-- ── Main view (shown after unlock) ──────── -->
-<div id="main-view">
-  <div class="header">
-    <div class="dot" id="dot"></div>
-    <h1>🔐 clauth vault <span style="font-size:0.55em;opacity:0.45;font-weight:400">v${VERSION}</span></h1>
-  </div>
-  <div id="error-bar" class="error-bar"></div>
-  <div class="status-bar">
-    <div>PID: <span id="s-pid">—</span></div>
-    <div>Port: <span id="s-port">${port}</span></div>
-    <div>Services: <span id="s-services">${whitelist ? whitelist.join(", ") : "all"}</span></div>
-    <div>Failures: <span id="s-fails">—</span></div>
-  </div>
-  <div class="toolbar">
-    <button class="btn-refresh" onclick="loadServices()">↻ Refresh</button>
-    <button class="btn-check" id="check-btn" onclick="checkAll()">⬤ Check All</button>
-    <button class="btn-lock" onclick="lockVault()">🔒 Lock</button>
-    <button class="btn-cancel" style="margin-left:auto" onclick="toggleChangePw()">Change Password</button>
-  </div>
-
-  <div class="chpw-panel" id="chpw-panel">
-    <h3>Change Master Password</h3>
-    <div class="chpw-row">
-      <div class="chpw-field">
-        <label>New password</label>
-        <input class="chpw-input" id="chpw-new" type="password" placeholder="min 8 chars" autocomplete="new-password">
-      </div>
-      <div class="chpw-field">
-        <label>Confirm</label>
-        <input class="chpw-input" id="chpw-confirm" type="password" placeholder="repeat" autocomplete="new-password">
-      </div>
-    </div>
-    <div class="chpw-foot">
-      <button class="btn-chpw-save" onclick="changePassword()">Update Password</button>
-      <button class="btn-cancel" onclick="toggleChangePw()">Cancel</button>
-      <span class="chpw-msg" id="chpw-msg"></span>
-    </div>
-  </div>
-
-  <div id="grid" class="grid"><p class="loading">Loading services…</p></div>
-  <div class="footer">localhost:${port} · 127.0.0.1 only · 3-strike lockout</div>
-</div>
-
-<script>
-const BASE = "http://127.0.0.1:${port}";
-
-const SERVICE_HINTS = {
-  "neo4j":           "neo4j+s://username:password@instance.databases.neo4j.io",
-  "supabase-db":     "postgresql://postgres:password@db.ref.supabase.co:5432/postgres",
-  "r2":              "accountId:accessKeyId:secretAccessKey",
-  "namecheap":       "apiUser:apiKey",
-};
-
-const KEY_URLS = {
-  "github":          "https://github.com/settings/tokens",
-  "vercel":          "https://vercel.com/account/tokens",
-  "supabase-anon":   "https://supabase.com/dashboard/project/uvojezuorjgqzmhhgluu/settings/api",
-  "supabase-service":"https://supabase.com/dashboard/project/uvojezuorjgqzmhhgluu/settings/api",
-  "supabase-db":     "https://supabase.com/dashboard/project/uvojezuorjgqzmhhgluu/settings/database",
-  "anthropic":       "https://console.anthropic.com/settings/keys",
-  "cloudflare":      "https://dash.cloudflare.com/profile/api-tokens",
-  "r2":              "https://dash.cloudflare.com/profile/api-tokens",
-  "r2-bucket":       "https://dash.cloudflare.com/profile/api-tokens",
-  "rocketreach":     "https://rocketreach.co/account?section=security",
-  "namecheap":       "https://ap.www.namecheap.com/settings/tools/apiaccess/",
-  "neo4j":           "https://console.neo4j.io/",
-  "npm":             "https://www.npmjs.com/settings/~/tokens",
-  "gmail":           "https://console.cloud.google.com/apis/credentials",
-};
-
-// ── OAuth import config ─────────────────────
-// OAuth services with atomic fields — each field saved as clauth.<service>.<key>
-// No JSON blob parsing. Each field is its own vault secret.
-const OAUTH_FIELDS = {
-  "gmail": [
-    { key: "client_id",     label: "Client ID",     hint: "From Google Cloud Console → APIs & Services → Credentials → OAuth client", required: true },
-    { key: "client_secret", label: "Client Secret", hint: "From Google Cloud Console OAuth client",                                    required: true },
-    { key: "refresh_token", label: "Refresh Token", hint: "From Google OAuth Playground or your app's auth callback",                 required: true },
-    { key: "from_address",  label: "From Address",  hint: "Gmail address to send from (e.g. dave@life.ai)",                           required: false },
-  ]
-};
-
-function renderSetPanel(name) {
-  const fields = OAUTH_FIELDS[name];
-  if (fields) {
-    const fieldsHtml = fields.map(f => \`
-      <div class="oauth-field">
-        <label class="oauth-label">\${f.label}\${f.required ? "" : " <span style='color:#475569'>(optional)</span>"}</label>
-        \${f.hint ? \`<div class="oauth-hint">\${f.hint}</div>\` : ""}
-        <input type="text" class="oauth-input" id="ofield-\${name}-\${f.key}" placeholder="Paste \${f.label}…" spellcheck="false" autocomplete="off">
-      </div>
-    \`).join("");
-    return \`
-      <div class="set-panel" id="set-panel-\${name}">
-        <label>Set <strong>\${name}</strong> credentials — paste directly from source, never in chat</label>
-        <div class="oauth-fields">
-          \${fieldsHtml}
-        </div>
-        <div class="set-foot">
-          <button class="btn btn-save" onclick="saveKey('\${name}')">Save</button>
-          <button class="btn btn-cancel" onclick="toggleSet('\${name}')">Cancel</button>
-          <span class="set-msg" id="set-msg-\${name}"></span>
-        </div>
-      </div>
-    \`;
-  }
-  return \`
-    <div class="set-panel" id="set-panel-\${name}">
-      <label>New value for <strong>\${name}</strong> — paste here, never in chat</label>
-      <textarea class="set-input" id="set-input-\${name}" placeholder="\${SERVICE_HINTS[name] || "Paste credential…"}" spellcheck="false"></textarea>
-      \${SERVICE_HINTS[name] ? \`<div style="font-size:.72rem;color:#475569;margin-top:4px;font-family:'Courier New',monospace">\${SERVICE_HINTS[name]}</div>\` : ""}
-      <div class="set-foot">
-        <button class="btn btn-save" onclick="saveKey('\${name}')">Save</button>
-        <button class="btn btn-cancel" onclick="toggleSet('\${name}')">Cancel</button>
-        <span class="set-msg" id="set-msg-\${name}"></span>
-      </div>
-    </div>
-  \`;
-}
-
-// ── Boot: check lock state ──────────────────
-async function boot() {
-  try {
-    const ping = await fetch(BASE + "/ping").then(r => r.json());
-    if (ping.locked) {
-      showLockScreen();
-    } else {
-      showMain(ping);
-      loadServices();
-    }
-  } catch {
-    showLockScreen();
-  }
-}
-
-function showLockScreen() {
-  document.getElementById("lock-screen").style.display = "flex";
-  document.getElementById("main-view").style.display = "none";
-  setTimeout(() => document.getElementById("lock-input").focus(), 50);
-}
-
-function showMain(ping) {
-  document.getElementById("lock-screen").style.display = "none";
-  document.getElementById("main-view").style.display = "block";
-  if (ping) {
-    document.getElementById("s-pid").textContent = ping.pid || "—";
-    document.getElementById("s-fails").textContent =
-      ping.failures + "/" + (ping.failures + ping.failures_remaining);
-  }
-}
-
-// ── Unlock ──────────────────────────────────
-async function unlock() {
-  const input = document.getElementById("lock-input");
-  const btn   = document.getElementById("unlock-btn");
-  const err   = document.getElementById("lock-err");
-  const pw    = input.value;
-
-  if (!pw) { err.textContent = "Password is required."; return; }
-
-  btn.disabled = true; btn.textContent = "Verifying…"; err.textContent = "";
-
-  try {
-    const r = await fetch(BASE + "/auth", {
-      method: "POST",
-      headers: { "Content-Type": "application/json" },
-      body: JSON.stringify({ password: pw })
-    }).then(r => r.json());
-
-    if (r.error) throw new Error(r.error);
-
-    input.value = "";
-    const ping = await fetch(BASE + "/ping").then(r => r.json());
-    showMain(ping);
-    loadServices();
-  } catch (e) {
-    input.value = "";
-    input.className = "lock-input error";
-    err.textContent = "✗ " + (e.message || "Invalid password");
-    setTimeout(() => input.className = "lock-input", 600);
-  } finally {
-    btn.disabled = false; btn.textContent = "Unlock";
-  }
-}
-
-// ── Lock ────────────────────────────────────
-async function lockVault() {
-  await fetch(BASE + "/lock", { method: "POST" }).catch(() => {});
-  showLockScreen();
-}
-
-// ── Load services ───────────────────────────
-async function loadServices() {
-  const grid = document.getElementById("grid");
-  const err  = document.getElementById("error-bar");
-  err.style.display = "none";
-  grid.innerHTML = '<p class="loading">Loading…</p>';
-
-  try {
-    const status = await fetch(BASE + "/status").then(r => r.json());
-    if (status.locked) { showLockScreen(); return; }
-    if (status.error) throw new Error(status.error);
-
-    const services = status.services || [];
-    if (!services.length) { grid.innerHTML = '<p class="loading">No services registered.</p>'; return; }
-
-    grid.innerHTML = services.map(s => \`
-      <div class="card">
-        <div style="display:flex;align-items:flex-start;justify-content:space-between">
-          <div>
-            <div class="card-name">\${s.name}</div>
-            <div style="display:flex;align-items:center;gap:6px;margin-top:2px">
-              <div class="card-type">\${s.key_type || "secret"}</div>
-              <span class="svc-badge \${s.enabled === false ? "off" : "on"}" id="badge-\${s.name}">\${s.enabled === false ? "disabled" : "enabled"}</span>
-            </div>
-            \${KEY_URLS[s.name] ? \`<a class="card-getkey" href="\${KEY_URLS[s.name]}" target="_blank" rel="noopener">↗ Get / rotate key</a>\` : ""}
-          </div>
-          <div class="status-dot" id="sdot-\${s.name}" title=""></div>
-        </div>
-        <div class="card-value" id="val-\${s.name}"></div>
-        <div class="card-actions">
-          <button class="btn btn-reveal" onclick="reveal('\${s.name}', this)">Reveal</button>
-          <button class="btn btn-copy" id="copybtn-\${s.name}" style="display:none" onclick="copyKey('\${s.name}')">Copy</button>
-          <button class="btn btn-set" onclick="toggleSet('\${s.name}')">Set</button>
-          <button class="btn \${s.enabled === false ? "btn-enable" : "btn-disable"}" id="togbtn-\${s.name}" onclick="toggleService('\${s.name}')">\${s.enabled === false ? "Enable" : "Disable"}</button>
-        </div>
-        \${renderSetPanel(s.name)}
-      </div>
-    \`).join("");
-  } catch (e) {
-    err.textContent = "⚠ " + e.message;
-    err.style.display = "block";
-    document.getElementById("dot").style.background = "#ef4444";
-    grid.innerHTML = "";
-  }
-}
-
-// ── Reveal ──────────────────────────────────
-async function reveal(name, btn) {
-  const valEl   = document.getElementById("val-" + name);
-  const copyBtn = document.getElementById("copybtn-" + name);
-  if (valEl.style.display === "block") {
-    valEl.style.display = "none"; copyBtn.style.display = "none";
-    btn.textContent = "Reveal"; return;
-  }
-  valEl.textContent = "fetching…"; valEl.style.display = "block"; btn.textContent = "Hide";
-  try {
-    const r = await fetch(BASE + "/get/" + name).then(r => r.json());
-    if (r.locked) { showLockScreen(); return; }
-    if (r.error) throw new Error(r.error);
-    const imp = OAUTH_IMPORT[name];
-    if (imp) {
-      try {
-        const parsed = JSON.parse(r.value);
-        const allKeys = [...imp.jsonFields, ...imp.extra.map(f => f.key)];
-        valEl.innerHTML = allKeys.map(k =>
-          '<div style="margin-bottom:6px"><span style="color:#64748b;font-size:.72rem;text-transform:uppercase;letter-spacing:.4px">' + k.replace(/_/g," ") + '</span><br>' + (parsed[k] || "—") + '</div>'
-        ).join("");
-      } catch { valEl.textContent = r.value; }
-    } else {
-      valEl.textContent = r.value;
-    }
-    copyBtn.style.display = "inline-block";
-  } catch (e) {
-    valEl.textContent = "Error: " + e.message; valEl.style.color = "#ef4444";
-  }
-}
-
-async function copyKey(name) {
-  const val = document.getElementById("val-" + name).textContent;
-  try {
-    await navigator.clipboard.writeText(val);
-    const btn = document.getElementById("copybtn-" + name);
-    btn.textContent = "Copied!"; setTimeout(() => btn.textContent = "Copy", 1500);
-  } catch {}
-}
-
-// ── Set key ─────────────────────────────────
-function toggleSet(name) {
-  const panel = document.getElementById("set-panel-" + name);
-  const msg   = document.getElementById("set-msg-" + name);
-  const open  = panel.style.display === "block";
-  panel.style.display = open ? "none" : "block";
-  if (!open) {
-    if (msg) msg.textContent = "";
-    const imp = OAUTH_IMPORT[name];
-    if (imp) {
-      const jsonEl = document.getElementById("ofield-" + name + "-json");
-      if (jsonEl) { jsonEl.value = ""; jsonEl.focus(); }
-      imp.extra.forEach(f => { const el = document.getElementById("ofield-" + name + "-" + f.key); if (el) el.value = ""; });
-    } else {
-      const input = document.getElementById("set-input-" + name);
-      if (input) { input.value = ""; input.focus(); }
-    }
-  }
-}
-
-async function saveKey(name) {
-  const msg = document.getElementById("set-msg-" + name);
-  const fields = OAUTH_FIELDS[name];
-
-  if (fields) {
-    // Validate required fields first
-    for (const f of fields) {
-      if (!f.required) continue;
-      const el = document.getElementById("ofield-" + name + "-" + f.key);
-      if (!el || !el.value.trim()) {
-        msg.className = "set-msg fail"; msg.textContent = f.label + " is required."; return;
-      }
-    }
-    // Save each field as an atomic vault key: clauth.<service>.<key>
-    msg.className = "set-msg"; msg.textContent = "Saving…";
-    try {
-      for (const f of fields) {
-        const el = document.getElementById("ofield-" + name + "-" + f.key);
-        const v = el ? el.value.trim() : "";
-        if (!v) continue; // skip optional empty fields
-        const r = await fetch(BASE + "/set/" + name + "." + f.key, {
-          method: "POST",
-          headers: { "Content-Type": "application/json" },
-          body: JSON.stringify({ value: v })
-        }).then(r => r.json());
-        if (r.locked) { showLockScreen(); return; }
-        if (r.error) throw new Error(r.error);
-      }
-      msg.className = "set-msg ok"; msg.textContent = "✓ Saved";
-      fields.forEach(f => { const el = document.getElementById("ofield-" + name + "-" + f.key); if (el) el.value = ""; });
-    } catch (e) {
-      msg.className = "set-msg fail"; msg.textContent = e.message || "Save failed";
-      return;
-    }
-  } else {
-    const input = document.getElementById("set-input-" + name);
-    const value = input ? input.value.trim() : "";
-    if (!value) { msg.className = "set-msg fail"; msg.textContent = "Value is empty."; return; }
-
-    msg.className = "set-msg"; msg.textContent = "Saving…";
-    try {
-      const r = await fetch(BASE + "/set/" + name, {
-        method: "POST",
-        headers: { "Content-Type": "application/json" },
-        body: JSON.stringify({ value })
-      }).then(r => r.json());
-
-      if (r.locked) { showLockScreen(); return; }
-      if (r.error) throw new Error(r.error);
-      msg.className = "set-msg ok"; msg.textContent = "✓ Saved";
-      const inp = document.getElementById("set-input-" + name);
-      if (inp) inp.value = "";
-    } catch (e) {
-      msg.className = "set-msg fail"; msg.textContent = e.message || "Save failed";
-      return;
-    }
-  }
-
-  const dot = document.getElementById("sdot-" + name);
-  if (dot) { dot.className = "status-dot"; dot.title = ""; }
-  setTimeout(() => {
-    document.getElementById("set-panel-" + name).style.display = "none";
-    msg.textContent = "";
-  }, 1800);
-}
-
-// ── Enable / Disable service ────────────────
-async function toggleService(name) {
-  const badge  = document.getElementById("badge-" + name);
-  const btn    = document.getElementById("togbtn-" + name);
-  const currently = badge.classList.contains("on");
-  const newState  = !currently;
-
-  btn.disabled = true; btn.textContent = "…";
-
-  try {
-    const r = await fetch(BASE + "/toggle/" + name, {
-      method: "POST",
-      headers: { "Content-Type": "application/json" },
-      body: JSON.stringify({ enabled: newState })
-    }).then(r => r.json());
-
-    if (r.locked) { showLockScreen(); return; }
-    if (r.error) throw new Error(r.error);
-
-    badge.className = "svc-badge " + (newState ? "on" : "off");
-    badge.textContent = newState ? "enabled" : "disabled";
-    btn.className = "btn " + (newState ? "btn-disable" : "btn-enable");
-    btn.textContent = newState ? "Disable" : "Enable";
-  } catch (e) {
-    btn.textContent = "Error";
-    setTimeout(() => {
-      btn.textContent = currently ? "Disable" : "Enable";
-    }, 2000);
-  } finally {
-    btn.disabled = false;
-  }
-}
-
-// ── Check all credentials ───────────────────
-async function checkAll() {
-  const btn = document.getElementById("check-btn");
-  btn.disabled = true; btn.textContent = "Checking…";
-
-  // Show checking state on every visible dot
-  document.querySelectorAll(".status-dot").forEach(d => {
-    d.className = "status-dot checking"; d.title = "Checking…";
-  });
-
-  try {
-    const r = await fetch(BASE + "/check-all").then(r => r.json());
-    if (r.locked) { showLockScreen(); return; }
-    if (r.error) throw new Error(r.error);
-
-    const results = r.results || {};
-    for (const [name, result] of Object.entries(results)) {
-      const dot = document.getElementById("sdot-" + name);
-      if (!dot) continue;
-      if (result.ok) {
-        dot.className = "status-dot ok"; dot.title = "OK";
-      } else {
-        dot.className = "status-dot fail";
-        dot.title = result.reason || "No key stored";
-      }
-    }
-
-    // Fade green dots after 3 s — red dots stay until next check
-    setTimeout(() => {
-      document.querySelectorAll(".status-dot.ok").forEach(d => d.classList.add("fading"));
-    }, 3000);
-
-  } catch (e) {
-    document.querySelectorAll(".status-dot").forEach(d => { d.className = "status-dot"; d.title = ""; });
-    const errBar = document.getElementById("error-bar");
-    errBar.textContent = "⚠ Check failed: " + e.message;
-    errBar.style.display = "block";
-  } finally {
-    btn.disabled = false; btn.textContent = "⬤ Check All";
-  }
-}
-
-// ── Change password ─────────────────────────
-function toggleChangePw() {
-  const panel = document.getElementById("chpw-panel");
-  const open  = panel.style.display === "block";
-  panel.style.display = open ? "none" : "block";
-  if (!open) {
-    document.getElementById("chpw-new").value = "";
-    document.getElementById("chpw-confirm").value = "";
-    document.getElementById("chpw-msg").textContent = "";
-    document.getElementById("chpw-new").focus();
-  }
-}
-
-async function changePassword() {
-  const newPw  = document.getElementById("chpw-new").value;
-  const confPw = document.getElementById("chpw-confirm").value;
-  const msg    = document.getElementById("chpw-msg");
-
-  if (!newPw) { msg.className = "chpw-msg fail"; msg.textContent = "Enter a new password."; return; }
-  if (newPw.length < 8) { msg.className = "chpw-msg fail"; msg.textContent = "Minimum 8 characters."; return; }
-  if (newPw !== confPw) { msg.className = "chpw-msg fail"; msg.textContent = "Passwords don't match."; return; }
-
-  msg.className = "chpw-msg"; msg.textContent = "Updating…";
-  try {
-    const r = await fetch(BASE + "/change-pw", {
-      method: "POST",
-      headers: { "Content-Type": "application/json" },
-      body: JSON.stringify({ newPassword: newPw })
-    }).then(r => r.json());
-
-    if (r.locked) { showLockScreen(); return; }
-    if (r.error) throw new Error(r.error);
-
-    msg.className = "chpw-msg ok"; msg.textContent = "✓ Password updated";
-    document.getElementById("chpw-new").value = "";
-    document.getElementById("chpw-confirm").value = "";
-    setTimeout(() => {
-      document.getElementById("chpw-panel").style.display = "none";
-      msg.textContent = "";
-    }, 2000);
-  } catch (e) {
-    msg.className = "chpw-msg fail"; msg.textContent = "✗ " + e.message;
-  }
-}
-
-// Enter key on lock screen
-document.addEventListener("DOMContentLoaded", () => {
-  document.getElementById("lock-input").addEventListener("keydown", e => {
-    if (e.key === "Enter") unlock();
-  });
-});
-
-boot();
-</script>
-</body>
-</html>`;
-}
-
-// ── Body parser helper ────────────────────────────────────────
-function readBody(req) {
-  return new Promise((resolve, reject) => {
-    let data = "";
-    req.on("data", chunk => { data += chunk; if (data.length > 65536) reject(new Error("Body too large")); });
-    req.on("end", () => { try { resolve(JSON.parse(data)); } catch { reject(new Error("Invalid JSON")); } });
-    req.on("error", reject);
-  });
-}
-
-// ── Server logic (shared by foreground + daemon) ─────────────
-function createServer(initPassword, whitelist, port) {
-  const MAX_FAILS = 3;
-  let failCount = 0;
-  let password = initPassword || null;   // null = locked; set via POST /auth
-  const machineHash = getMachineHash();
-
-  const CORS = {
-    "Access-Control-Allow-Origin": "*",
-    "Access-Control-Allow-Methods": "GET, POST, OPTIONS",
-    "Access-Control-Allow-Headers": "Content-Type",
-  };
-
-  function strike(res, code, message) {
-    failCount++;
-    const remaining = MAX_FAILS - failCount;
-    const logLine = `[${new Date().toISOString()}] [FAIL ${failCount}/${MAX_FAILS}] ${message}\n`;
-    try { fs.appendFileSync(LOG_FILE, logLine); } catch {}
-
-    const body = JSON.stringify({
-      error: message,
-      failures: failCount,
-      failures_remaining: remaining,
-      ...(failCount >= MAX_FAILS ? { shutdown: true } : {})
-    });
-
-    res.writeHead(code, { "Content-Type": "application/json", ...CORS });
-    res.end(body);
-
-    if (failCount >= MAX_FAILS) {
-      const msg = `[${new Date().toISOString()}] Failure limit reached — shutting down\n`;
-      try { fs.appendFileSync(LOG_FILE, msg); } catch {}
-      removePid();
-      setTimeout(() => process.exit(1), 100);
-    }
-  }
-
-  function ok(res, data) {
-    res.writeHead(200, { "Content-Type": "application/json", ...CORS });
-    res.end(JSON.stringify(data));
-  }
-
-  const server = http.createServer(async (req, res) => {
-    // Hard reject anything not from loopback
-    const remote = req.socket.remoteAddress;
-    const isLocal = remote === "127.0.0.1" || remote === "::1" || remote === "::ffff:127.0.0.1";
-    if (!isLocal) {
-      return strike(res, 403, `Rejected non-local address: ${remote}`);
-    }
-
-    // CORS preflight
-    if (req.method === "OPTIONS") {
-      res.writeHead(204, CORS);
-      return res.end();
-    }
-
-    const url    = new URL(req.url, `http://127.0.0.1:${port}`);
-    const reqPath = url.pathname;
-    const method = req.method;
-
-    // GET / — built-in web dashboard
-    if (method === "GET" && reqPath === "/") {
-      res.writeHead(200, { "Content-Type": "text/html", ...CORS });
-      return res.end(dashboardHtml(port, whitelist));
-    }
-
-    // GET /ping
-    if (method === "GET" && reqPath === "/ping") {
-      return ok(res, {
-        status: "ok",
-        pid: process.pid,
-        locked: !password,
-        failures: failCount,
-        failures_remaining: MAX_FAILS - failCount,
-        services: whitelist || "all",
-        port
-      });
-    }
-
-    // GET /shutdown (for daemon stop)
-    if (method === "GET" && reqPath === "/shutdown") {
-      ok(res, { ok: true, message: "shutting down" });
-      removePid();
-      setTimeout(() => process.exit(0), 100);
-      return;
-    }
-
-    // Locked guard — returns true if locked and already responded
-    function lockedGuard(res) {
-      if (!password) {
-        res.writeHead(401, { "Content-Type": "application/json", ...CORS });
-        res.end(JSON.stringify({ error: "Vault is locked", locked: true }));
-        return true;
-      }
-      return false;
-    }
-
-    // GET /status
-    if (method === "GET" && reqPath === "/status") {
-      if (lockedGuard(res)) return;
-      try {
-        const { token, timestamp } = deriveToken(password, machineHash);
-        const result = await api.status(password, machineHash, token, timestamp);
-        if (result.error) return strike(res, 502, result.error);
-        if (whitelist) {
-          result.services = (result.services || []).filter(
-            s => whitelist.includes(s.name.toLowerCase())
-          );
-        }
-        return ok(res, result);
-      } catch (err) {
-        return strike(res, 502, err.message);
-      }
-    }
-
-    // GET /get/:service
-    const getMatch = reqPath.match(/^\/get\/([a-zA-Z0-9_.-]+)$/);
-    if (method === "GET" && getMatch) {
-      if (lockedGuard(res)) return;
-      const service = getMatch[1].toLowerCase();
-
-      if (whitelist && !whitelist.includes(service)) {
-        return strike(res, 403, `Service '${service}' not in whitelist`);
-      }
-
-      try {
-        const { token, timestamp } = deriveToken(password, machineHash);
-        const result = await api.retrieve(password, machineHash, token, timestamp, service);
-        if (result.error) return strike(res, 502, result.error);
-        return ok(res, { service, value: result.value, key_type: result.key_type });
-      } catch (err) {
-        return strike(res, 502, err.message);
-      }
-    }
-
-    // POST /auth — unlock the vault with a password (verifies against Edge Function)
-    if (method === "POST" && reqPath === "/auth") {
-      let body;
-      try { body = await readBody(req); } catch {
-        res.writeHead(400, { "Content-Type": "application/json", ...CORS });
-        return res.end(JSON.stringify({ error: "Invalid JSON body" }));
-      }
-
-      const pw = body.password;
-      if (!pw || typeof pw !== "string") {
-        res.writeHead(400, { "Content-Type": "application/json", ...CORS });
-        return res.end(JSON.stringify({ error: "password is required" }));
-      }
-
-      try {
-        const { token, timestamp } = deriveToken(pw, machineHash);
-        const result = await api.test(pw, machineHash, token, timestamp);
-        if (result.error) throw new Error(result.error);
-        password = pw;   // unlock — store in process memory only
-        const logLine = `[${new Date().toISOString()}] Vault unlocked\n`;
-        try { fs.appendFileSync(LOG_FILE, logLine); } catch {}
-        return ok(res, { ok: true, locked: false });
-      } catch {
-        // Wrong password — not a lockout strike, just a UI auth attempt
-        res.writeHead(401, { "Content-Type": "application/json", ...CORS });
-        return res.end(JSON.stringify({ error: "Invalid password" }));
-      }
-    }
-
-    // POST /lock — clear password from memory
-    if (method === "POST" && reqPath === "/lock") {
-      password = null;
-      const logLine = `[${new Date().toISOString()}] Vault locked\n`;
-      try { fs.appendFileSync(LOG_FILE, logLine); } catch {}
-      return ok(res, { ok: true, locked: true });
-    }
-
-    // POST /toggle/:service — enable or disable a service
-    const toggleMatch = reqPath.match(/^\/toggle\/([a-zA-Z0-9_-]+)$/);
-    if (method === "POST" && toggleMatch) {
-      if (lockedGuard(res)) return;
-      const service = toggleMatch[1].toLowerCase();
-
-      let body;
-      try { body = await readBody(req); } catch {
-        res.writeHead(400, { "Content-Type": "application/json", ...CORS });
-        return res.end(JSON.stringify({ error: "Invalid JSON body" }));
-      }
-
-      const { enabled } = body;
-      if (typeof enabled !== "boolean") {
-        res.writeHead(400, { "Content-Type": "application/json", ...CORS });
-        return res.end(JSON.stringify({ error: "enabled must be boolean" }));
-      }
-
-      try {
-        const { token, timestamp } = deriveToken(password, machineHash);
-        const result = await api.enable(password, machineHash, token, timestamp, service, enabled);
-        if (result.error) return strike(res, 502, result.error);
-        return ok(res, { ok: true, service, enabled });
-      } catch (err) {
-        return strike(res, 502, err.message);
-      }
-    }
-
-    // GET /check-all — soft health check, no strikes for missing/disabled keys
-    if (method === "GET" && reqPath === "/check-all") {
-      if (lockedGuard(res)) return;
-      try {
-        const { token: st, timestamp: sts } = deriveToken(password, machineHash);
-        const statusResult = await api.status(password, machineHash, st, sts);
-        if (statusResult.error) return strike(res, 502, statusResult.error);
-
-        const services = (statusResult.services || []).filter(
-          s => !whitelist || whitelist.includes(s.name.toLowerCase())
-        );
-
-        const results = {};
-        for (const svc of services) {
-          try {
-            const { token, timestamp } = deriveToken(password, machineHash);
-            const r = await api.retrieve(password, machineHash, token, timestamp, svc.name);
-            results[svc.name] = r.error
-              ? { ok: false, reason: r.error }
-              : { ok: true };
-          } catch (e) {
-            results[svc.name] = { ok: false, reason: e.message };
-          }
-        }
-        return ok(res, { results });
-      } catch (err) {
-        return strike(res, 502, err.message);
-      }
-    }
-
-    // POST /change-pw — change master password (must be unlocked)
-    if (method === "POST" && reqPath === "/change-pw") {
-      if (lockedGuard(res)) return;
-
-      let body;
-      try { body = await readBody(req); } catch {
-        res.writeHead(400, { "Content-Type": "application/json", ...CORS });
-        return res.end(JSON.stringify({ error: "Invalid JSON body" }));
-      }
-
-      const { newPassword } = body;
-      if (!newPassword || typeof newPassword !== "string" || newPassword.length < 8) {
-        res.writeHead(400, { "Content-Type": "application/json", ...CORS });
-        return res.end(JSON.stringify({ error: "newPassword must be at least 8 characters" }));
-      }
-
-      try {
-        const { token, timestamp } = deriveToken(password, machineHash);
-        const newSeedHash = deriveSeedHash(machineHash, newPassword);
-        const result = await api.changePassword(password, machineHash, token, timestamp, newSeedHash);
-        if (result.error) throw new Error(result.error);
-        password = newPassword;  // update in-memory password to new one
-        const logLine = `[${new Date().toISOString()}] Password changed\n`;
-        try { fs.appendFileSync(LOG_FILE, logLine); } catch {}
-        return ok(res, { ok: true });
-      } catch (err) {
-        res.writeHead(502, { "Content-Type": "application/json", ...CORS });
-        return res.end(JSON.stringify({ error: err.message }));
-      }
-    }
-
-    // POST /set/:service — write a new key value into vault
-    const setMatch = reqPath.match(/^\/set\/([a-zA-Z0-9_.-]+)$/);
-    if (method === "POST" && setMatch) {
-      if (lockedGuard(res)) return;
-      const service = setMatch[1].toLowerCase();
-
-      if (whitelist && !whitelist.includes(service)) {
-        return strike(res, 403, `Service '${service}' not in whitelist`);
-      }
-
-      let body;
-      try { body = await readBody(req); } catch {
-        return strike(res, 400, "Invalid JSON body");
-      }
-
-      const value = body.value;
-      if (!value || typeof value !== "string" || !value.trim()) {
-        res.writeHead(400, { "Content-Type": "application/json", ...CORS });
-        return res.end(JSON.stringify({ error: "value is required" }));
-      }
-
-      try {
-        const { token, timestamp } = deriveToken(password, machineHash);
-        const result = await api.write(password, machineHash, token, timestamp, service, value.trim());
-        if (result.error) return strike(res, 502, result.error);
-        return ok(res, { ok: true, service });
-      } catch (err) {
-        return strike(res, 502, err.message);
-      }
-    }
-
-    // Unknown route
-    return strike(res, 404, `Unknown endpoint: ${reqPath}`);
-  });
-
-  return server;
-}
-
-// ── Actions ──────────────────────────────────────────────────
-
-async function verifyAuth(password) {
-  const machineHash = getMachineHash();
-  const { token, timestamp } = deriveToken(password, machineHash);
-  const result = await api.test(password, machineHash, token, timestamp);
-  if (result.error) throw new Error(result.error);
-}
-
-async function actionStart(opts) {
-  const port     = parseInt(opts.port || "52437", 10);
-  const password = opts.pw;
-  const whitelist = opts.services
-    ? opts.services.split(",").map(s => s.trim().toLowerCase())
-    : null;
-
-  // Check for existing instance
-  const existing = readPid();
-  if (existing && isProcessAlive(existing.pid)) {
-    console.log(chalk.yellow(`\n  clauth serve already running (PID ${existing.pid}, port ${existing.port})`));
-    console.log(chalk.gray(`  Stop it first: clauth serve stop\n`));
-    process.exit(1);
-  }
-
-  // If we're the daemon child, run the server directly
-  if (process.env.__CLAUTH_DAEMON === "1") {
-    // Verify password only if one was provided at start (optional — browser can unlock later)
-    if (password) {
-      try {
-        await verifyAuth(password);
-      } catch (err) {
-        const msg = `[${new Date().toISOString()}] Auth failed: ${err.message}\n`;
-        fs.appendFileSync(LOG_FILE, msg);
-        process.exit(1);
-      }
-    }
-
-    const server = createServer(password, whitelist, port);
-    server.listen(port, "127.0.0.1", () => {
-      writePid(process.pid, port);
-      const msg = `[${new Date().toISOString()}] clauth serve started — PID ${process.pid}, port ${port}, services: ${whitelist ? whitelist.join(",") : "all"}\n`;
-      fs.appendFileSync(LOG_FILE, msg);
-    });
-
-    server.on("error", err => {
-      const msg = `[${new Date().toISOString()}] Server error: ${err.message}\n`;
-      fs.appendFileSync(LOG_FILE, msg);
-      process.exit(1);
-    });
-
-    const shutdown = () => { removePid(); process.exit(0); };
-    process.on("SIGTERM", shutdown);
-    process.on("SIGINT", shutdown);
-    return;
-  }
-
-  // If --pw provided, verify it before spawning (fast-fail on wrong password)
-  if (password) {
-    console.log(chalk.gray("\n  Verifying vault credentials..."));
-    try {
-      await verifyAuth(password);
-    } catch (err) {
-      console.log(chalk.red(`\n  Auth failed: ${err.message}\n`));
-      process.exit(1);
-    }
-    console.log(chalk.green("  ✓ Vault auth verified"));
-  } else {
-    console.log(chalk.yellow("\n  Starting in locked state — open browser to unlock"));
-  }
-
-  // Spawn detached daemon child via the clauth CLI entry point
-  const { spawn } = await import("child_process");
-  const { fileURLToPath } = await import("url");
-  const { dirname, join } = await import("path");
-  const __filename = fileURLToPath(import.meta.url);
-  const cliEntry = join(dirname(__filename), "..", "index.js");
-
-  // Build args: node index.js serve start --port N [--pw PW] [--services S]
-  const childArgs = [cliEntry, "serve", "start", "--port", String(port)];
-  if (password) childArgs.push("--pw", password);
-  if (opts.services) childArgs.push("--services", opts.services);
-
-  const out = fs.openSync(LOG_FILE, "a");
-  const child = spawn(process.execPath, childArgs, {
-    detached: true,
-    stdio: ["ignore", out, out],
-    env: { ...process.env, __CLAUTH_DAEMON: "1" },
-  });
-  child.unref();
-
-  // Give it time to bind and write PID file (Windows spawn is slower)
-  // Verify via HTTP ping (process.kill(pid,0) fails on Windows for detached processes)
-  let started = false;
-  for (let attempt = 0; attempt < 5; attempt++) {
-    await new Promise(r => setTimeout(r, 1000));
-    try {
-      const resp = await fetch(`http://127.0.0.1:${port}/ping`);
-      if (resp.ok) { started = true; break; }
-    } catch {}
-  }
-
-  const info = readPid();
-  if (started && info) {
-    console.log(chalk.green(`\n  🔐 clauth serve started`));
-    console.log(chalk.gray(`  PID:      ${info.pid}`));
-    console.log(chalk.gray(`  Port:     127.0.0.1:${info.port}`));
-    console.log(chalk.gray(`  Services: ${whitelist ? whitelist.join(", ") : "all"}`));
-    console.log(chalk.gray(`  Log:      ${LOG_FILE}`));
-    if (!password) {
-      console.log(chalk.cyan(`\n  👉 Open http://127.0.0.1:${info.port} to unlock the vault`));
-    }
-    console.log(chalk.gray(`  Stop:     clauth serve stop\n`));
-  } else {
-    console.log(chalk.red(`\n  ❌ Failed to start daemon — check ${LOG_FILE}\n`));
-    process.exit(1);
-  }
-}
-
-async function actionStop() {
-  const info = readPid();
-  if (!info) {
-    console.log(chalk.yellow("\n  No clauth serve PID file found — not running.\n"));
-    return;
-  }
-
-  if (!isProcessAlive(info.pid)) {
-    console.log(chalk.yellow(`\n  PID ${info.pid} is not running (stale PID file). Cleaning up.\n`));
-    removePid();
-    return;
-  }
-
-  // Try HTTP shutdown first (clean)
-  try {
-    const resp = await fetch(`http://127.0.0.1:${info.port}/shutdown`);
-    if (resp.ok) {
-      await new Promise(r => setTimeout(r, 300));
-      console.log(chalk.green(`\n  🛑 clauth serve stopped (was PID ${info.pid}, port ${info.port})\n`));
-      removePid();
-      return;
-    }
-  } catch {}
-
-  // Fallback: kill the process
-  try {
-    process.kill(info.pid, "SIGTERM");
-    await new Promise(r => setTimeout(r, 300));
-    console.log(chalk.green(`\n  🛑 clauth serve stopped via SIGTERM (PID ${info.pid})\n`));
-  } catch (err) {
-    console.log(chalk.yellow(`\n  Could not kill PID ${info.pid}: ${err.message}\n`));
-  }
-  removePid();
-}
-
-async function actionPing() {
-  const info = readPid();
-  if (!info) {
-    console.log(chalk.red("\n  clauth serve is not running (no PID file)\n"));
-    process.exit(1);
-  }
-
-  if (!isProcessAlive(info.pid)) {
-    console.log(chalk.red(`\n  PID ${info.pid} is not alive (stale PID file)\n`));
-    removePid();
-    process.exit(1);
-  }
-
-  try {
-    const resp = await fetch(`http://127.0.0.1:${info.port}/ping`);
-    const data = await resp.json();
-    if (data.status === "ok") {
-      console.log(chalk.green(`\n  ✅ clauth serve running`));
-      console.log(chalk.gray(`  PID:     ${info.pid}`));
-      console.log(chalk.gray(`  Port:    ${info.port}`));
-      console.log(chalk.gray(`  Fails:   ${data.failures}/${data.failures + data.failures_remaining}`));
-      console.log(chalk.gray(`  Services: ${Array.isArray(data.services) ? data.services.join(", ") : data.services}\n`));
-    } else {
-      console.log(chalk.yellow(`\n  PID alive but /ping returned unexpected response\n`));
-    }
-  } catch (err) {
-    console.log(chalk.yellow(`\n  PID ${info.pid} alive but HTTP failed: ${err.message}\n`));
-  }
-}
-
-async function actionRestart(opts) {
-  const info = readPid();
-  if (info && isProcessAlive(info.pid)) {
-    await actionStop();
-    await new Promise(r => setTimeout(r, 500));
-  }
-  await actionStart(opts);
-}
-
-async function actionForeground(opts) {
-  const port      = parseInt(opts.port || "52437", 10);
-  const password  = opts.pw || null;
-  const whitelist = opts.services
-    ? opts.services.split(",").map(s => s.trim().toLowerCase())
-    : null;
-
-  if (password) {
-    console.log(chalk.gray("\n  Verifying vault credentials..."));
-    try {
-      await verifyAuth(password);
-    } catch (err) {
-      console.log(chalk.red(`\n  Auth failed: ${err.message}\n`));
-      process.exit(1);
-    }
-    console.log(chalk.green("  ✓ Vault auth verified"));
-  } else {
-    console.log(chalk.yellow("\n  Starting in locked state — open browser to unlock"));
-  }
-
-  console.log(chalk.gray(`  Port:     127.0.0.1:${port}`));
-  console.log(chalk.gray(`  Services: ${whitelist ? whitelist.join(", ") : "all"}`));
-  console.log(chalk.gray(`  Lockout:  3 failures → exit\n`));
-
-  const server = createServer(password, whitelist, port);
-  server.listen(port, "127.0.0.1", () => {
-    writePid(process.pid, port);
-    console.log(chalk.green(`  clauth serve → http://127.0.0.1:${port}`));
-    if (!password) console.log(chalk.cyan(`  👉 Open http://127.0.0.1:${port} to unlock`));
-    console.log(chalk.gray("  Ctrl+C to stop\n"));
-  });
-
-  server.on("error", err => {
-    if (err.code === "EADDRINUSE") {
-      console.log(chalk.red(`\n  Port ${port} already in use. Use --port to choose another.\n`));
-    } else {
-      console.log(chalk.red(`\n  Server error: ${err.message}\n`));
-    }
-    process.exit(1);
-  });
-
-  process.on("SIGINT", () => {
-    console.log(chalk.yellow("\n  Stopping clauth serve...\n"));
-    removePid();
-    server.close(() => process.exit(0));
-  });
-}
-
-// ── Export ────────────────────────────────────────────────────
-export async function runServe(opts) {
-  const action = opts.action || "foreground";
-
-  switch (action) {
-    case "start":     return actionStart(opts);
-    case "stop":      return actionStop();
-    case "restart":   return actionRestart(opts);
-    case "ping":      return actionPing();
-    case "foreground": return actionForeground(opts);
-    default:
-      console.log(chalk.red(`\n  Unknown serve action: ${action}`));
-      console.log(chalk.gray("  Actions: start | stop | restart | ping | foreground\n"));
-      process.exit(1);
-  }
-}
+// cli/commands/serve.js
+// Localhost-only credential daemon with daemon lifecycle management
+// Binds 127.0.0.1 ONLY — unreachable from outside the machine
+// 3 failed requests of any kind → process exits, requires manual restart
+// Supports: start (background daemon), stop, restart, ping, foreground
+
+import http from "http";
+import fs from "fs";
+import os from "os";
+import path from "path";
+import { fileURLToPath } from "url";
+import { getMachineHash, deriveToken, deriveSeedHash } from "../fingerprint.js";
+import * as api from "../api.js";
+import chalk from "chalk";
+
+const __dirname = path.dirname(fileURLToPath(import.meta.url));
+const pkg = JSON.parse(fs.readFileSync(path.join(__dirname, "../../package.json"), "utf8"));
+const VERSION = pkg.version;
+
+const PID_FILE = path.join(os.tmpdir(), "clauth-serve.pid");
+const LOG_FILE = path.join(os.tmpdir(), "clauth-serve.log");
+
+// ── PID helpers ──────────────────────────────────────────────
+function readPid() {
+  try {
+    const raw = fs.readFileSync(PID_FILE, "utf8").trim();
+    const [pid, port] = raw.split(":");
+    return { pid: parseInt(pid, 10), port: parseInt(port, 10) };
+  } catch { return null; }
+}
+
+function writePid(pid, port) {
+  fs.writeFileSync(PID_FILE, `${pid}:${port}`, "utf8");
+}
+
+function removePid() {
+  try { fs.unlinkSync(PID_FILE); } catch {}
+}
+
+function isProcessAlive(pid) {
+  try { process.kill(pid, 0); return true; } catch { return false; }
+}
+
+// ── Dashboard HTML ───────────────────────────────────────────
+function dashboardHtml(port, whitelist) {
+  return `<!DOCTYPE html>
+<html lang="en">
+<head>
+<meta charset="utf-8">
+<meta name="viewport" content="width=device-width,initial-scale=1">
+<title>clauth vault v${VERSION}</title>
+<style>
+  *{margin:0;padding:0;box-sizing:border-box}
+  body{background:#0a0f1a;color:#e2e8f0;font-family:-apple-system,BlinkMacSystemFont,'Segoe UI',sans-serif;min-height:100vh}
+  /* ── Lock screen ── */
+  #lock-screen{display:flex;flex-direction:column;align-items:center;justify-content:center;min-height:100vh;padding:2rem}
+  .lock-card{background:#1e293b;border:1px solid #334155;border-radius:12px;padding:2.5rem 2rem;width:100%;max-width:380px;text-align:center}
+  .lock-icon{font-size:2.5rem;margin-bottom:1rem}
+  .lock-title{font-size:1.25rem;font-weight:600;color:#f8fafc;margin-bottom:.4rem}
+  .lock-sub{font-size:.85rem;color:#64748b;margin-bottom:1.75rem}
+  .lock-input{width:100%;background:#0f172a;border:1px solid #334155;border-radius:8px;color:#e2e8f0;font-family:'Courier New',monospace;font-size:1rem;padding:10px 14px;outline:none;text-align:center;letter-spacing:.1em;transition:border-color .2s;margin-bottom:1rem}
+  .lock-input:focus{border-color:#3b82f6}
+  .lock-input.error{border-color:#ef4444;animation:shake .3s}
+  @keyframes shake{0%,100%{transform:translateX(0)}25%{transform:translateX(-6px)}75%{transform:translateX(6px)}}
+  .btn-unlock{width:100%;background:#3b82f6;color:#fff;border:none;border-radius:8px;padding:10px;font-size:.95rem;font-weight:600;cursor:pointer;transition:background .15s}
+  .btn-unlock:hover{background:#2563eb}
+  .btn-unlock:disabled{background:#1e3a5f;color:#4a6fa5;cursor:not-allowed}
+  .lock-err{color:#f87171;font-size:.82rem;margin-top:.75rem;min-height:1.2em}
+  /* ── Main view ── */
+  #main-view{display:none;padding:2rem}
+  .header{display:flex;align-items:center;gap:10px;margin-bottom:1.5rem;flex-wrap:wrap}
+  .header h1{font-size:1.4rem;font-weight:600;flex:1}
+  .dot{width:10px;height:10px;border-radius:50%;background:#22c55e;animation:pulse 2s infinite;flex-shrink:0}
+  @keyframes pulse{0%,100%{opacity:1}50%{opacity:.4}}
+  .status-bar{display:flex;gap:1.5rem;margin-bottom:1.5rem;font-size:.82rem;color:#94a3b8;flex-wrap:wrap}
+  .status-bar span{color:#e2e8f0;font-weight:500}
+  .toolbar{display:flex;gap:8px;margin-bottom:1rem;flex-wrap:wrap;align-items:center}
+  .chpw-panel{display:none;background:#1a1f2e;border:1px solid #334155;border-radius:8px;padding:1.25rem;margin-bottom:1.5rem}
+  .chpw-panel h3{font-size:.9rem;font-weight:600;color:#f8fafc;margin-bottom:1rem}
+  .chpw-row{display:flex;gap:10px;flex-wrap:wrap;align-items:flex-end;margin-bottom:.75rem}
+  .chpw-field{display:flex;flex-direction:column;gap:4px}
+  .chpw-field label{font-size:.75rem;color:#64748b}
+  .chpw-input{background:#0f172a;border:1px solid #334155;border-radius:6px;color:#e2e8f0;font-family:'Courier New',monospace;font-size:.88rem;padding:7px 12px;outline:none;width:200px;transition:border-color .2s}
+  .chpw-input:focus{border-color:#3b82f6}
+  .chpw-foot{display:flex;gap:8px;align-items:center}
+  .btn-chpw-save{background:#1e3a5f;color:#60a5fa;padding:7px 18px;font-size:.85rem;border-radius:6px;border:none;cursor:pointer;font-weight:500;transition:background .15s}
+  .btn-chpw-save:hover{background:#1e4a7f}
+  .chpw-msg{font-size:.82rem}
+  .chpw-msg.ok{color:#4ade80} .chpw-msg.fail{color:#f87171}
+  .btn-refresh{background:#3b82f6;color:#fff;padding:7px 18px;font-size:.85rem;border-radius:7px;border:none;cursor:pointer;font-weight:500}
+  .btn-refresh:hover{background:#2563eb}
+  .btn-lock{background:#1e293b;color:#f87171;border:1px solid #334155;padding:7px 16px;font-size:.85rem;border-radius:7px;cursor:pointer;font-weight:500}
+  .btn-lock:hover{background:#2d1f1f;border-color:#f87171}
+  .grid{display:grid;grid-template-columns:repeat(auto-fill,minmax(300px,1fr));gap:1rem}
+  .card{background:#1e293b;border:1px solid #334155;border-radius:8px;padding:1.25rem;transition:border-color .2s}
+  .card:hover{border-color:#3b82f6}
+  .card-name{font-size:1rem;font-weight:600;color:#f8fafc;margin-bottom:3px}
+  .card-type{font-size:.78rem;color:#64748b;text-transform:uppercase;letter-spacing:.5px}
+  .card-getkey{font-size:.75rem;color:#3b82f6;text-decoration:none;opacity:.7;transition:opacity .15s}
+  .card-getkey:hover{opacity:1;text-decoration:underline}
+  .card-value{font-family:'Courier New',monospace;font-size:.82rem;color:#22c55e;background:#0f172a;border-radius:4px;padding:8px 10px;margin-top:10px;word-break:break-all;max-height:80px;overflow:auto;display:none}
+  .card-actions{margin-top:10px;display:flex;gap:7px;flex-wrap:wrap}
+  .set-panel{display:none;margin-top:10px;background:#0f172a;border-radius:6px;padding:10px;border:1px solid #1e3a5f}
+  .set-panel label{font-size:.75rem;color:#64748b;display:block;margin-bottom:6px}
+  .set-input{width:100%;background:#0a0f1a;border:1px solid #1e3a5f;border-radius:4px;color:#e2e8f0;font-family:'Courier New',monospace;font-size:.85rem;padding:7px 10px;outline:none;resize:vertical;min-height:58px;transition:border-color .2s}
+  .set-input:focus{border-color:#3b82f6}
+  .set-foot{margin-top:8px;display:flex;gap:8px;align-items:center}
+  .set-msg{font-size:.8rem}
+  .set-msg.ok{color:#4ade80} .set-msg.fail{color:#f87171}
+  .btn{padding:6px 13px;border-radius:6px;border:none;cursor:pointer;font-size:.8rem;font-weight:500;transition:all .15s}
+  .btn-reveal{background:#1e3a5f;color:#60a5fa}.btn-reveal:hover{background:#1e4a7f}
+  .btn-copy{background:#1a3328;color:#4ade80}.btn-copy:hover{background:#1a4338}
+  .btn-set{background:#2d1f4a;color:#a78bfa}.btn-set:hover{background:#3d2f5a}
+  .btn-save{background:#1e3a5f;color:#60a5fa;padding:6px 16px}.btn-save:hover{background:#1e4a7f}
+  .btn-cancel{background:transparent;color:#64748b;padding:6px 10px}.btn-cancel:hover{color:#94a3b8}
+  .btn-check{background:#0f2d2d;color:#34d399;border:1px solid #064e3b;padding:7px 16px;font-size:.85rem;border-radius:7px;cursor:pointer;font-weight:500;transition:all .15s}
+  .btn-check:hover{background:#134e4a;border-color:#34d399}.btn-check:disabled{opacity:.5;cursor:not-allowed}
+  .btn-enable{background:#14291a;color:#4ade80;border:1px solid #166534}.btn-enable:hover{background:#1a3d22;border-color:#4ade80}
+  .btn-disable{background:#2d1f1f;color:#f87171;border:1px solid #7f1d1d}.btn-disable:hover{background:#3d2525;border-color:#f87171}
+  .svc-badge{font-size:.7rem;font-weight:600;padding:2px 7px;border-radius:4px;letter-spacing:.4px;text-transform:uppercase}
+  .svc-badge.on{background:rgba(74,222,128,.12);color:#4ade80;border:1px solid rgba(74,222,128,.25)}
+  .svc-badge.off{background:rgba(248,113,113,.1);color:#f87171;border:1px solid rgba(248,113,113,.2)}
+  .status-dot{width:8px;height:8px;border-radius:50%;flex-shrink:0;opacity:0;transition:opacity .3s;margin-top:4px;cursor:default}
+  .status-dot.checking{background:#f59e0b;opacity:1;animation:pulse 1s infinite}
+  .status-dot.ok{background:#22c55e;opacity:1}
+  .status-dot.fail{background:#ef4444;opacity:1}
+  @keyframes sdot-fade{to{opacity:0}} .status-dot.fading{animation:sdot-fade 1.5s forwards}
+  .error-bar{background:#7f1d1d;color:#fca5a5;border:1px solid #991b1b;padding:10px 14px;border-radius:8px;margin-bottom:1rem;display:none;font-size:.85rem}
+  .loading{color:#64748b;font-style:italic}
+  .footer{margin-top:2rem;font-size:.75rem;color:#475569;text-align:center}
+  .oauth-fields{display:flex;flex-direction:column;gap:8px;margin-bottom:8px}
+  .oauth-field{display:flex;flex-direction:column;gap:3px}
+  .oauth-label{font-size:.75rem;color:#94a3b8;font-weight:500}
+  .oauth-hint{font-size:.71rem;color:#475569;font-style:italic}
+  .oauth-input{width:100%;background:#0a0f1a;border:1px solid #1e3a5f;border-radius:4px;color:#e2e8f0;font-family:'Courier New',monospace;font-size:.85rem;padding:7px 10px;outline:none;transition:border-color .2s}
+  .oauth-input:focus{border-color:#3b82f6}
+</style>
+</head>
+<body>
+
+<!-- ── Lock screen ──────────────────────────── -->
+<div id="lock-screen">
+  <div class="lock-card">
+    <div class="lock-icon">🔒</div>
+    <div class="lock-title">clauth vault</div>
+    <div class="lock-sub">Paste your password to unlock</div>
+    <input class="lock-input" id="lock-input" type="password" placeholder="••••••••••••" autocomplete="off">
+    <button class="btn-unlock" id="unlock-btn" onclick="unlock()">Unlock</button>
+    <div class="lock-err" id="lock-err"></div>
+  </div>
+</div>
+
+<!-- ── Main view (shown after unlock) ──────── -->
+<div id="main-view">
+  <div class="header">
+    <div class="dot" id="dot"></div>
+    <h1>🔐 clauth vault <span style="font-size:0.55em;opacity:0.45;font-weight:400">v${VERSION}</span></h1>
+  </div>
+  <div id="error-bar" class="error-bar"></div>
+  <div class="status-bar">
+    <div>PID: <span id="s-pid">—</span></div>
+    <div>Port: <span id="s-port">${port}</span></div>
+    <div>Services: <span id="s-services">${whitelist ? whitelist.join(", ") : "all"}</span></div>
+    <div>Failures: <span id="s-fails">—</span></div>
+  </div>
+  <div class="toolbar">
+    <button class="btn-refresh" onclick="loadServices()">↻ Refresh</button>
+    <button class="btn-check" id="check-btn" onclick="checkAll()">⬤ Check All</button>
+    <button class="btn-lock" onclick="lockVault()">🔒 Lock</button>
+    <button class="btn-cancel" style="margin-left:auto" onclick="toggleChangePw()">Change Password</button>
+  </div>
+
+  <div class="chpw-panel" id="chpw-panel">
+    <h3>Change Master Password</h3>
+    <div class="chpw-row">
+      <div class="chpw-field">
+        <label>New password</label>
+        <input class="chpw-input" id="chpw-new" type="password" placeholder="min 8 chars" autocomplete="new-password">
+      </div>
+      <div class="chpw-field">
+        <label>Confirm</label>
+        <input class="chpw-input" id="chpw-confirm" type="password" placeholder="repeat" autocomplete="new-password">
+      </div>
+    </div>
+    <div class="chpw-foot">
+      <button class="btn-chpw-save" onclick="changePassword()">Update Password</button>
+      <button class="btn-cancel" onclick="toggleChangePw()">Cancel</button>
+      <span class="chpw-msg" id="chpw-msg"></span>
+    </div>
+  </div>
+
+  <div id="grid" class="grid"><p class="loading">Loading services…</p></div>
+  <div class="footer">localhost:${port} · 127.0.0.1 only · 3-strike lockout</div>
+</div>
+
+<script>
+const BASE = "http://127.0.0.1:${port}";
+
+const SERVICE_HINTS = {
+  "neo4j":           "neo4j+s://username:password@instance.databases.neo4j.io",
+  "supabase-db":     "postgresql://postgres:password@db.ref.supabase.co:5432/postgres",
+  "r2":              "accountId:accessKeyId:secretAccessKey",
+  "namecheap":       "apiUser:apiKey",
+};
+
+const KEY_URLS = {
+  "github":          "https://github.com/settings/tokens",
+  "vercel":          "https://vercel.com/account/tokens",
+  "supabase-anon":   "https://supabase.com/dashboard/project/uvojezuorjgqzmhhgluu/settings/api",
+  "supabase-service":"https://supabase.com/dashboard/project/uvojezuorjgqzmhhgluu/settings/api",
+  "supabase-db":     "https://supabase.com/dashboard/project/uvojezuorjgqzmhhgluu/settings/database",
+  "anthropic":       "https://console.anthropic.com/settings/keys",
+  "cloudflare":      "https://dash.cloudflare.com/profile/api-tokens",
+  "r2":              "https://dash.cloudflare.com/profile/api-tokens",
+  "r2-bucket":       "https://dash.cloudflare.com/profile/api-tokens",
+  "rocketreach":     "https://rocketreach.co/account?section=security",
+  "namecheap":       "https://ap.www.namecheap.com/settings/tools/apiaccess/",
+  "neo4j":           "https://console.neo4j.io/",
+  "npm":             "https://www.npmjs.com/settings/~/tokens",
+  "gmail":           "https://console.cloud.google.com/apis/credentials",
+};
+
+// ── OAuth import config ─────────────────────
+// Services where Google downloads a JSON file. jsonFields = keys to extract
+// from the downloaded JSON (top-level or under an "installed"/"web" wrapper).
+// extra = additional fields the user must provide separately.
+const OAUTH_IMPORT = {
+  "gmail": {
+    jsonFields: ["client_id", "client_secret"],
+    extra: [{ key: "refresh_token", label: "Refresh Token", hint: "From Google OAuth Playground or your app's auth callback" }]
+  }
+};
+
+function renderSetPanel(name) {
+  const imp = OAUTH_IMPORT[name];
+  if (imp) {
+    const extraHtml = imp.extra.map(f => \`
+      <div class="oauth-field">
+        <label class="oauth-label">\${f.label}</label>
+        \${f.hint ? \`<div class="oauth-hint">\${f.hint}</div>\` : ""}
+        <input type="text" class="oauth-input" id="ofield-\${name}-\${f.key}" placeholder="Paste \${f.label}…" spellcheck="false" autocomplete="off">
+      </div>
+    \`).join("");
+    return \`
+      <div class="set-panel" id="set-panel-\${name}">
+        <label>Set <strong>\${name}</strong> credentials — paste directly from Google, never in chat</label>
+        <div class="oauth-fields">
+          <div class="oauth-field">
+            <label class="oauth-label">OAuth JSON from Google Cloud Console</label>
+            <div class="oauth-hint">Download from APIs & Services → Credentials → your OAuth client → ↓ Download JSON</div>
+            <textarea class="set-input" id="ofield-\${name}-json" placeholder='{"installed":{"client_id":"…","client_secret":"…",...}}' spellcheck="false" rows="3"></textarea>
+          </div>
+          \${extraHtml}
+        </div>
+        <div class="set-foot">
+          <button class="btn btn-save" onclick="saveKey('\${name}')">Save</button>
+          <button class="btn btn-cancel" onclick="toggleSet('\${name}')">Cancel</button>
+          <span class="set-msg" id="set-msg-\${name}"></span>
+        </div>
+      </div>
+    \`;
+  }
+  return \`
+    <div class="set-panel" id="set-panel-\${name}">
+      <label>New value for <strong>\${name}</strong> — paste here, never in chat</label>
+      <textarea class="set-input" id="set-input-\${name}" placeholder="\${SERVICE_HINTS[name] || "Paste credential…"}" spellcheck="false"></textarea>
+      \${SERVICE_HINTS[name] ? \`<div style="font-size:.72rem;color:#475569;margin-top:4px;font-family:'Courier New',monospace">\${SERVICE_HINTS[name]}</div>\` : ""}
+      <div class="set-foot">
+        <button class="btn btn-save" onclick="saveKey('\${name}')">Save</button>
+        <button class="btn btn-cancel" onclick="toggleSet('\${name}')">Cancel</button>
+        <span class="set-msg" id="set-msg-\${name}"></span>
+      </div>
+    </div>
+  \`;
+}
+
+// ── Boot: check lock state ──────────────────
+async function boot() {
+  try {
+    const ping = await fetch(BASE + "/ping").then(r => r.json());
+    if (ping.locked) {
+      showLockScreen();
+    } else {
+      showMain(ping);
+      loadServices();
+    }
+  } catch {
+    showLockScreen();
+  }
+}
+
+function showLockScreen() {
+  document.getElementById("lock-screen").style.display = "flex";
+  document.getElementById("main-view").style.display = "none";
+  setTimeout(() => document.getElementById("lock-input").focus(), 50);
+}
+
+function showMain(ping) {
+  document.getElementById("lock-screen").style.display = "none";
+  document.getElementById("main-view").style.display = "block";
+  if (ping) {
+    document.getElementById("s-pid").textContent = ping.pid || "—";
+    document.getElementById("s-fails").textContent =
+      ping.failures + "/" + (ping.failures + ping.failures_remaining);
+  }
+}
+
+// ── Unlock ──────────────────────────────────
+async function unlock() {
+  const input = document.getElementById("lock-input");
+  const btn   = document.getElementById("unlock-btn");
+  const err   = document.getElementById("lock-err");
+  const pw    = input.value;
+
+  if (!pw) { err.textContent = "Password is required."; return; }
+
+  btn.disabled = true; btn.textContent = "Verifying…"; err.textContent = "";
+
+  try {
+    const r = await fetch(BASE + "/auth", {
+      method: "POST",
+      headers: { "Content-Type": "application/json" },
+      body: JSON.stringify({ password: pw })
+    }).then(r => r.json());
+
+    if (r.error) throw new Error(r.error);
+
+    input.value = "";
+    const ping = await fetch(BASE + "/ping").then(r => r.json());
+    showMain(ping);
+    loadServices();
+  } catch (e) {
+    input.value = "";
+    input.className = "lock-input error";
+    err.textContent = "✗ " + (e.message || "Invalid password");
+    setTimeout(() => input.className = "lock-input", 600);
+  } finally {
+    btn.disabled = false; btn.textContent = "Unlock";
+  }
+}
+
+// ── Lock ────────────────────────────────────
+async function lockVault() {
+  await fetch(BASE + "/lock", { method: "POST" }).catch(() => {});
+  showLockScreen();
+}
+
+// ── Load services ───────────────────────────
+async function loadServices() {
+  const grid = document.getElementById("grid");
+  const err  = document.getElementById("error-bar");
+  err.style.display = "none";
+  grid.innerHTML = '<p class="loading">Loading…</p>';
+
+  try {
+    const status = await fetch(BASE + "/status").then(r => r.json());
+    if (status.locked) { showLockScreen(); return; }
+    if (status.error) throw new Error(status.error);
+
+    const services = status.services || [];
+    if (!services.length) { grid.innerHTML = '<p class="loading">No services registered.</p>'; return; }
+
+    grid.innerHTML = services.map(s => \`
+      <div class="card">
+        <div style="display:flex;align-items:flex-start;justify-content:space-between">
+          <div>
+            <div class="card-name">\${s.name}</div>
+            <div style="display:flex;align-items:center;gap:6px;margin-top:2px">
+              <div class="card-type">\${s.key_type || "secret"}</div>
+              <span class="svc-badge \${s.enabled === false ? "off" : "on"}" id="badge-\${s.name}">\${s.enabled === false ? "disabled" : "enabled"}</span>
+            </div>
+            \${KEY_URLS[s.name] ? \`<a class="card-getkey" href="\${KEY_URLS[s.name]}" target="_blank" rel="noopener">↗ Get / rotate key</a>\` : ""}
+          </div>
+          <div class="status-dot" id="sdot-\${s.name}" title=""></div>
+        </div>
+        <div class="card-value" id="val-\${s.name}"></div>
+        <div class="card-actions">
+          <button class="btn btn-reveal" onclick="reveal('\${s.name}', this)">Reveal</button>
+          <button class="btn btn-copy" id="copybtn-\${s.name}" style="display:none" onclick="copyKey('\${s.name}')">Copy</button>
+          <button class="btn btn-set" onclick="toggleSet('\${s.name}')">Set</button>
+          <button class="btn \${s.enabled === false ? "btn-enable" : "btn-disable"}" id="togbtn-\${s.name}" onclick="toggleService('\${s.name}')">\${s.enabled === false ? "Enable" : "Disable"}</button>
+        </div>
+        \${renderSetPanel(s.name)}
+      </div>
+    \`).join("");
+  } catch (e) {
+    err.textContent = "⚠ " + e.message;
+    err.style.display = "block";
+    document.getElementById("dot").style.background = "#ef4444";
+    grid.innerHTML = "";
+  }
+}
+
+// ── Reveal ──────────────────────────────────
+async function reveal(name, btn) {
+  const valEl   = document.getElementById("val-" + name);
+  const copyBtn = document.getElementById("copybtn-" + name);
+  if (valEl.style.display === "block") {
+    valEl.style.display = "none"; copyBtn.style.display = "none";
+    btn.textContent = "Reveal"; return;
+  }
+  valEl.textContent = "fetching…"; valEl.style.display = "block"; btn.textContent = "Hide";
+  try {
+    const r = await fetch(BASE + "/get/" + name).then(r => r.json());
+    if (r.locked) { showLockScreen(); return; }
+    if (r.error) throw new Error(r.error);
+    const imp = OAUTH_IMPORT[name];
+    if (imp) {
+      try {
+        const parsed = JSON.parse(r.value);
+        const allKeys = [...imp.jsonFields, ...imp.extra.map(f => f.key)];
+        valEl.innerHTML = allKeys.map(k =>
+          '<div style="margin-bottom:6px"><span style="color:#64748b;font-size:.72rem;text-transform:uppercase;letter-spacing:.4px">' + k.replace(/_/g," ") + '</span><br>' + (parsed[k] || "—") + '</div>'
+        ).join("");
+      } catch { valEl.textContent = r.value; }
+    } else {
+      valEl.textContent = r.value;
+    }
+    copyBtn.style.display = "inline-block";
+  } catch (e) {
+    valEl.textContent = "Error: " + e.message; valEl.style.color = "#ef4444";
+  }
+}
+
+async function copyKey(name) {
+  const val = document.getElementById("val-" + name).textContent;
+  try {
+    await navigator.clipboard.writeText(val);
+    const btn = document.getElementById("copybtn-" + name);
+    btn.textContent = "Copied!"; setTimeout(() => btn.textContent = "Copy", 1500);
+  } catch {}
+}
+
+// ── Set key ─────────────────────────────────
+function toggleSet(name) {
+  const panel = document.getElementById("set-panel-" + name);
+  const msg   = document.getElementById("set-msg-" + name);
+  const open  = panel.style.display === "block";
+  panel.style.display = open ? "none" : "block";
+  if (!open) {
+    if (msg) msg.textContent = "";
+    const imp = OAUTH_IMPORT[name];
+    if (imp) {
+      const jsonEl = document.getElementById("ofield-" + name + "-json");
+      if (jsonEl) { jsonEl.value = ""; jsonEl.focus(); }
+      imp.extra.forEach(f => { const el = document.getElementById("ofield-" + name + "-" + f.key); if (el) el.value = ""; });
+    } else {
+      const input = document.getElementById("set-input-" + name);
+      if (input) { input.value = ""; input.focus(); }
+    }
+  }
+}
+
+async function saveKey(name) {
+  const msg = document.getElementById("set-msg-" + name);
+  const imp = OAUTH_IMPORT[name];
+  let value;
+
+  if (imp) {
+    const jsonEl = document.getElementById("ofield-" + name + "-json");
+    const raw = jsonEl ? jsonEl.value.trim() : "";
+    if (!raw) { msg.className = "set-msg fail"; msg.textContent = "Paste the OAuth JSON first."; return; }
+    let parsed;
+    try { parsed = JSON.parse(raw); } catch { msg.className = "set-msg fail"; msg.textContent = "Invalid JSON — copy the full file content."; return; }
+    // Google wraps fields under "installed" or "web"
+    const src = parsed.installed || parsed.web || parsed;
+    const obj = {};
+    for (const k of imp.jsonFields) {
+      if (!src[k]) { msg.className = "set-msg fail"; msg.textContent = k + " not found in JSON."; return; }
+      obj[k] = src[k];
+    }
+    for (const f of imp.extra) {
+      const el = document.getElementById("ofield-" + name + "-" + f.key);
+      const v = el ? el.value.trim() : "";
+      if (!v) { msg.className = "set-msg fail"; msg.textContent = f.label + " is required."; return; }
+      obj[f.key] = v;
+    }
+    value = JSON.stringify(obj);
+  } else {
+    const input = document.getElementById("set-input-" + name);
+    value = input ? input.value.trim() : "";
+    if (!value) { msg.className = "set-msg fail"; msg.textContent = "Value is empty."; return; }
+  }
+
+  msg.className = "set-msg"; msg.textContent = "Saving…";
+  try {
+    const r = await fetch(BASE + "/set/" + name, {
+      method: "POST",
+      headers: { "Content-Type": "application/json" },
+      body: JSON.stringify({ value })
+    }).then(r => r.json());
+
+    if (r.locked) { showLockScreen(); return; }
+    if (r.error) throw new Error(r.error);
+    msg.className = "set-msg ok"; msg.textContent = "✓ Saved";
+    if (imp) {
+      const jsonEl = document.getElementById("ofield-" + name + "-json");
+      if (jsonEl) jsonEl.value = "";
+      imp.extra.forEach(f => { const el = document.getElementById("ofield-" + name + "-" + f.key); if (el) el.value = ""; });
+    } else {
+      const inp = document.getElementById("set-input-" + name);
+      if (inp) inp.value = "";
+    }
+    const dot = document.getElementById("sdot-" + name);
+    if (dot) { dot.className = "status-dot"; dot.title = ""; }
+    setTimeout(() => {
+      document.getElementById("set-panel-" + name).style.display = "none";
+      msg.textContent = "";
+    }, 1800);
+  } catch (e) {
+    msg.className = "set-msg fail"; msg.textContent = "✗ " + e.message;
+  }
+}
+
+// ── Enable / Disable service ────────────────
+async function toggleService(name) {
+  const badge  = document.getElementById("badge-" + name);
+  const btn    = document.getElementById("togbtn-" + name);
+  const currently = badge.classList.contains("on");
+  const newState  = !currently;
+
+  btn.disabled = true; btn.textContent = "…";
+
+  try {
+    const r = await fetch(BASE + "/toggle/" + name, {
+      method: "POST",
+      headers: { "Content-Type": "application/json" },
+      body: JSON.stringify({ enabled: newState })
+    }).then(r => r.json());
+
+    if (r.locked) { showLockScreen(); return; }
+    if (r.error) throw new Error(r.error);
+
+    badge.className = "svc-badge " + (newState ? "on" : "off");
+    badge.textContent = newState ? "enabled" : "disabled";
+    btn.className = "btn " + (newState ? "btn-disable" : "btn-enable");
+    btn.textContent = newState ? "Disable" : "Enable";
+  } catch (e) {
+    btn.textContent = "Error";
+    setTimeout(() => {
+      btn.textContent = currently ? "Disable" : "Enable";
+    }, 2000);
+  } finally {
+    btn.disabled = false;
+  }
+}
+
+// ── Check all credentials ───────────────────
+async function checkAll() {
+  const btn = document.getElementById("check-btn");
+  btn.disabled = true; btn.textContent = "Checking…";
+
+  // Show checking state on every visible dot
+  document.querySelectorAll(".status-dot").forEach(d => {
+    d.className = "status-dot checking"; d.title = "Checking…";
+  });
+
+  try {
+    const r = await fetch(BASE + "/check-all").then(r => r.json());
+    if (r.locked) { showLockScreen(); return; }
+    if (r.error) throw new Error(r.error);
+
+    const results = r.results || {};
+    for (const [name, result] of Object.entries(results)) {
+      const dot = document.getElementById("sdot-" + name);
+      if (!dot) continue;
+      if (result.ok) {
+        dot.className = "status-dot ok"; dot.title = "OK";
+      } else {
+        dot.className = "status-dot fail";
+        dot.title = result.reason || "No key stored";
+      }
+    }
+
+    // Fade green dots after 3 s — red dots stay until next check
+    setTimeout(() => {
+      document.querySelectorAll(".status-dot.ok").forEach(d => d.classList.add("fading"));
+    }, 3000);
+
+  } catch (e) {
+    document.querySelectorAll(".status-dot").forEach(d => { d.className = "status-dot"; d.title = ""; });
+    const errBar = document.getElementById("error-bar");
+    errBar.textContent = "⚠ Check failed: " + e.message;
+    errBar.style.display = "block";
+  } finally {
+    btn.disabled = false; btn.textContent = "⬤ Check All";
+  }
+}
+
+// ── Change password ─────────────────────────
+function toggleChangePw() {
+  const panel = document.getElementById("chpw-panel");
+  const open  = panel.style.display === "block";
+  panel.style.display = open ? "none" : "block";
+  if (!open) {
+    document.getElementById("chpw-new").value = "";
+    document.getElementById("chpw-confirm").value = "";
+    document.getElementById("chpw-msg").textContent = "";
+    document.getElementById("chpw-new").focus();
+  }
+}
+
+async function changePassword() {
+  const newPw  = document.getElementById("chpw-new").value;
+  const confPw = document.getElementById("chpw-confirm").value;
+  const msg    = document.getElementById("chpw-msg");
+
+  if (!newPw) { msg.className = "chpw-msg fail"; msg.textContent = "Enter a new password."; return; }
+  if (newPw.length < 8) { msg.className = "chpw-msg fail"; msg.textContent = "Minimum 8 characters."; return; }
+  if (newPw !== confPw) { msg.className = "chpw-msg fail"; msg.textContent = "Passwords don't match."; return; }
+
+  msg.className = "chpw-msg"; msg.textContent = "Updating…";
+  try {
+    const r = await fetch(BASE + "/change-pw", {
+      method: "POST",
+      headers: { "Content-Type": "application/json" },
+      body: JSON.stringify({ newPassword: newPw })
+    }).then(r => r.json());
+
+    if (r.locked) { showLockScreen(); return; }
+    if (r.error) throw new Error(r.error);
+
+    msg.className = "chpw-msg ok"; msg.textContent = "✓ Password updated";
+    document.getElementById("chpw-new").value = "";
+    document.getElementById("chpw-confirm").value = "";
+    setTimeout(() => {
+      document.getElementById("chpw-panel").style.display = "none";
+      msg.textContent = "";
+    }, 2000);
+  } catch (e) {
+    msg.className = "chpw-msg fail"; msg.textContent = "✗ " + e.message;
+  }
+}
+
+// Enter key on lock screen
+document.addEventListener("DOMContentLoaded", () => {
+  document.getElementById("lock-input").addEventListener("keydown", e => {
+    if (e.key === "Enter") unlock();
+  });
+});
+
+boot();
+</script>
+</body>
+</html>`;
+}
+
+// ── Body parser helper ────────────────────────────────────────
+function readBody(req) {
+  return new Promise((resolve, reject) => {
+    let data = "";
+    req.on("data", chunk => { data += chunk; if (data.length > 65536) reject(new Error("Body too large")); });
+    req.on("end", () => { try { resolve(JSON.parse(data)); } catch { reject(new Error("Invalid JSON")); } });
+    req.on("error", reject);
+  });
+}
+
+// ── Server logic (shared by foreground + daemon) ─────────────
+function createServer(initPassword, whitelist, port) {
+  const MAX_FAILS = 3;
+  let failCount = 0;
+  let password = initPassword || null;   // null = locked; set via POST /auth
+  const machineHash = getMachineHash();
+
+  const CORS = {
+    "Access-Control-Allow-Origin": "*",
+    "Access-Control-Allow-Methods": "GET, POST, OPTIONS",
+    "Access-Control-Allow-Headers": "Content-Type",
+  };
+
+  function strike(res, code, message) {
+    failCount++;
+    const remaining = MAX_FAILS - failCount;
+    const logLine = `[${new Date().toISOString()}] [FAIL ${failCount}/${MAX_FAILS}] ${message}\n`;
+    try { fs.appendFileSync(LOG_FILE, logLine); } catch {}
+
+    const body = JSON.stringify({
+      error: message,
+      failures: failCount,
+      failures_remaining: remaining,
+      ...(failCount >= MAX_FAILS ? { shutdown: true } : {})
+    });
+
+    res.writeHead(code, { "Content-Type": "application/json", ...CORS });
+    res.end(body);
+
+    if (failCount >= MAX_FAILS) {
+      const msg = `[${new Date().toISOString()}] Failure limit reached — shutting down\n`;
+      try { fs.appendFileSync(LOG_FILE, msg); } catch {}
+      removePid();
+      setTimeout(() => process.exit(1), 100);
+    }
+  }
+
+  function ok(res, data) {
+    res.writeHead(200, { "Content-Type": "application/json", ...CORS });
+    res.end(JSON.stringify(data));
+  }
+
+  const server = http.createServer(async (req, res) => {
+    // Hard reject anything not from loopback
+    const remote = req.socket.remoteAddress;
+    const isLocal = remote === "127.0.0.1" || remote === "::1" || remote === "::ffff:127.0.0.1";
+    if (!isLocal) {
+      return strike(res, 403, `Rejected non-local address: ${remote}`);
+    }
+
+    // CORS preflight
+    if (req.method === "OPTIONS") {
+      res.writeHead(204, CORS);
+      return res.end();
+    }
+
+    const url    = new URL(req.url, `http://127.0.0.1:${port}`);
+    const reqPath = url.pathname;
+    const method = req.method;
+
+    // GET / — built-in web dashboard
+    if (method === "GET" && reqPath === "/") {
+      res.writeHead(200, { "Content-Type": "text/html", ...CORS });
+      return res.end(dashboardHtml(port, whitelist));
+    }
+
+    // GET /ping
+    if (method === "GET" && reqPath === "/ping") {
+      return ok(res, {
+        status: "ok",
+        pid: process.pid,
+        locked: !password,
+        failures: failCount,
+        failures_remaining: MAX_FAILS - failCount,
+        services: whitelist || "all",
+        port
+      });
+    }
+
+    // GET /shutdown (for daemon stop)
+    if (method === "GET" && reqPath === "/shutdown") {
+      ok(res, { ok: true, message: "shutting down" });
+      removePid();
+      setTimeout(() => process.exit(0), 100);
+      return;
+    }
+
+    // Locked guard — returns true if locked and already responded
+    function lockedGuard(res) {
+      if (!password) {
+        res.writeHead(401, { "Content-Type": "application/json", ...CORS });
+        res.end(JSON.stringify({ error: "Vault is locked", locked: true }));
+        return true;
+      }
+      return false;
+    }
+
+    // GET /status
+    if (method === "GET" && reqPath === "/status") {
+      if (lockedGuard(res)) return;
+      try {
+        const { token, timestamp } = deriveToken(password, machineHash);
+        const result = await api.status(password, machineHash, token, timestamp);
+        if (result.error) return strike(res, 502, result.error);
+        if (whitelist) {
+          result.services = (result.services || []).filter(
+            s => whitelist.includes(s.name.toLowerCase())
+          );
+        }
+        return ok(res, result);
+      } catch (err) {
+        return strike(res, 502, err.message);
+      }
+    }
+
+    // GET /get/:service
+    const getMatch = reqPath.match(/^\/get\/([a-zA-Z0-9_-]+)$/);
+    if (method === "GET" && getMatch) {
+      if (lockedGuard(res)) return;
+      const service = getMatch[1].toLowerCase();
+
+      if (whitelist && !whitelist.includes(service)) {
+        return strike(res, 403, `Service '${service}' not in whitelist`);
+      }
+
+      try {
+        const { token, timestamp } = deriveToken(password, machineHash);
+        const result = await api.retrieve(password, machineHash, token, timestamp, service);
+        if (result.error) return strike(res, 502, result.error);
+        return ok(res, { service, value: result.value, key_type: result.key_type });
+      } catch (err) {
+        return strike(res, 502, err.message);
+      }
+    }
+
+    // POST /auth — unlock the vault with a password (verifies against Edge Function)
+    if (method === "POST" && reqPath === "/auth") {
+      let body;
+      try { body = await readBody(req); } catch {
+        res.writeHead(400, { "Content-Type": "application/json", ...CORS });
+        return res.end(JSON.stringify({ error: "Invalid JSON body" }));
+      }
+
+      const pw = body.password;
+      if (!pw || typeof pw !== "string") {
+        res.writeHead(400, { "Content-Type": "application/json", ...CORS });
+        return res.end(JSON.stringify({ error: "password is required" }));
+      }
+
+      try {
+        const { token, timestamp } = deriveToken(pw, machineHash);
+        const result = await api.test(pw, machineHash, token, timestamp);
+        if (result.error) throw new Error(result.error);
+        password = pw;   // unlock — store in process memory only
+        const logLine = `[${new Date().toISOString()}] Vault unlocked\n`;
+        try { fs.appendFileSync(LOG_FILE, logLine); } catch {}
+        return ok(res, { ok: true, locked: false });
+      } catch {
+        // Wrong password — not a lockout strike, just a UI auth attempt
+        res.writeHead(401, { "Content-Type": "application/json", ...CORS });
+        return res.end(JSON.stringify({ error: "Invalid password" }));
+      }
+    }
+
+    // POST /lock — clear password from memory
+    if (method === "POST" && reqPath === "/lock") {
+      password = null;
+      const logLine = `[${new Date().toISOString()}] Vault locked\n`;
+      try { fs.appendFileSync(LOG_FILE, logLine); } catch {}
+      return ok(res, { ok: true, locked: true });
+    }
+
+    // POST /toggle/:service — enable or disable a service
+    const toggleMatch = reqPath.match(/^\/toggle\/([a-zA-Z0-9_-]+)$/);
+    if (method === "POST" && toggleMatch) {
+      if (lockedGuard(res)) return;
+      const service = toggleMatch[1].toLowerCase();
+
+      let body;
+      try { body = await readBody(req); } catch {
+        res.writeHead(400, { "Content-Type": "application/json", ...CORS });
+        return res.end(JSON.stringify({ error: "Invalid JSON body" }));
+      }
+
+      const { enabled } = body;
+      if (typeof enabled !== "boolean") {
+        res.writeHead(400, { "Content-Type": "application/json", ...CORS });
+        return res.end(JSON.stringify({ error: "enabled must be boolean" }));
+      }
+
+      try {
+        const { token, timestamp } = deriveToken(password, machineHash);
+        const result = await api.enable(password, machineHash, token, timestamp, service, enabled);
+        if (result.error) return strike(res, 502, result.error);
+        return ok(res, { ok: true, service, enabled });
+      } catch (err) {
+        return strike(res, 502, err.message);
+      }
+    }
+
+    // GET /check-all — soft health check, no strikes for missing/disabled keys
+    if (method === "GET" && reqPath === "/check-all") {
+      if (lockedGuard(res)) return;
+      try {
+        const { token: st, timestamp: sts } = deriveToken(password, machineHash);
+        const statusResult = await api.status(password, machineHash, st, sts);
+        if (statusResult.error) return strike(res, 502, statusResult.error);
+
+        const services = (statusResult.services || []).filter(
+          s => !whitelist || whitelist.includes(s.name.toLowerCase())
+        );
+
+        const results = {};
+        for (const svc of services) {
+          try {
+            const { token, timestamp } = deriveToken(password, machineHash);
+            const r = await api.retrieve(password, machineHash, token, timestamp, svc.name);
+            results[svc.name] = r.error
+              ? { ok: false, reason: r.error }
+              : { ok: true };
+          } catch (e) {
+            results[svc.name] = { ok: false, reason: e.message };
+          }
+        }
+        return ok(res, { results });
+      } catch (err) {
+        return strike(res, 502, err.message);
+      }
+    }
+
+    // POST /change-pw — change master password (must be unlocked)
+    if (method === "POST" && reqPath === "/change-pw") {
+      if (lockedGuard(res)) return;
+
+      let body;
+      try { body = await readBody(req); } catch {
+        res.writeHead(400, { "Content-Type": "application/json", ...CORS });
+        return res.end(JSON.stringify({ error: "Invalid JSON body" }));
+      }
+
+      const { newPassword } = body;
+      if (!newPassword || typeof newPassword !== "string" || newPassword.length < 8) {
+        res.writeHead(400, { "Content-Type": "application/json", ...CORS });
+        return res.end(JSON.stringify({ error: "newPassword must be at least 8 characters" }));
+      }
+
+      try {
+        const { token, timestamp } = deriveToken(password, machineHash);
+        const newSeedHash = deriveSeedHash(machineHash, newPassword);
+        const result = await api.changePassword(password, machineHash, token, timestamp, newSeedHash);
+        if (result.error) throw new Error(result.error);
+        password = newPassword;  // update in-memory password to new one
+        const logLine = `[${new Date().toISOString()}] Password changed\n`;
+        try { fs.appendFileSync(LOG_FILE, logLine); } catch {}
+        return ok(res, { ok: true });
+      } catch (err) {
+        res.writeHead(502, { "Content-Type": "application/json", ...CORS });
+        return res.end(JSON.stringify({ error: err.message }));
+      }
+    }
+
+    // POST /set/:service — write a new key value into vault
+    const setMatch = reqPath.match(/^\/set\/([a-zA-Z0-9_-]+)$/);
+    if (method === "POST" && setMatch) {
+      if (lockedGuard(res)) return;
+      const service = setMatch[1].toLowerCase();
+
+      if (whitelist && !whitelist.includes(service)) {
+        return strike(res, 403, `Service '${service}' not in whitelist`);
+      }
+
+      let body;
+      try { body = await readBody(req); } catch {
+        return strike(res, 400, "Invalid JSON body");
+      }
+
+      const value = body.value;
+      if (!value || typeof value !== "string" || !value.trim()) {
+        res.writeHead(400, { "Content-Type": "application/json", ...CORS });
+        return res.end(JSON.stringify({ error: "value is required" }));
+      }
+
+      try {
+        const { token, timestamp } = deriveToken(password, machineHash);
+        const result = await api.write(password, machineHash, token, timestamp, service, value.trim());
+        if (result.error) return strike(res, 502, result.error);
+        return ok(res, { ok: true, service });
+      } catch (err) {
+        return strike(res, 502, err.message);
+      }
+    }
+
+    // Unknown route
+    return strike(res, 404, `Unknown endpoint: ${reqPath}`);
+  });
+
+  return server;
+}
+
+// ── Actions ──────────────────────────────────────────────────
+
+async function verifyAuth(password) {
+  const machineHash = getMachineHash();
+  const { token, timestamp } = deriveToken(password, machineHash);
+  const result = await api.test(password, machineHash, token, timestamp);
+  if (result.error) throw new Error(result.error);
+}
+
+async function actionStart(opts) {
+  const port     = parseInt(opts.port || "52437", 10);
+  const password = opts.pw;
+  const whitelist = opts.services
+    ? opts.services.split(",").map(s => s.trim().toLowerCase())
+    : null;
+
+  // Check for existing instance
+  const existing = readPid();
+  if (existing && isProcessAlive(existing.pid)) {
+    console.log(chalk.yellow(`\n  clauth serve already running (PID ${existing.pid}, port ${existing.port})`));
+    console.log(chalk.gray(`  Stop it first: clauth serve stop\n`));
+    process.exit(1);
+  }
+
+  // If we're the daemon child, run the server directly
+  if (process.env.__CLAUTH_DAEMON === "1") {
+    // Verify password only if one was provided at start (optional — browser can unlock later)
+    if (password) {
+      try {
+        await verifyAuth(password);
+      } catch (err) {
+        const msg = `[${new Date().toISOString()}] Auth failed: ${err.message}\n`;
+        fs.appendFileSync(LOG_FILE, msg);
+        process.exit(1);
+      }
+    }
+
+    const server = createServer(password, whitelist, port);
+    server.listen(port, "127.0.0.1", () => {
+      writePid(process.pid, port);
+      const msg = `[${new Date().toISOString()}] clauth serve started — PID ${process.pid}, port ${port}, services: ${whitelist ? whitelist.join(",") : "all"}\n`;
+      fs.appendFileSync(LOG_FILE, msg);
+    });
+
+    server.on("error", err => {
+      const msg = `[${new Date().toISOString()}] Server error: ${err.message}\n`;
+      fs.appendFileSync(LOG_FILE, msg);
+      process.exit(1);
+    });
+
+    const shutdown = () => { removePid(); process.exit(0); };
+    process.on("SIGTERM", shutdown);
+    process.on("SIGINT", shutdown);
+    return;
+  }
+
+  // If --pw provided, verify it before spawning (fast-fail on wrong password)
+  if (password) {
+    console.log(chalk.gray("\n  Verifying vault credentials..."));
+    try {
+      await verifyAuth(password);
+    } catch (err) {
+      console.log(chalk.red(`\n  Auth failed: ${err.message}\n`));
+      process.exit(1);
+    }
+    console.log(chalk.green("  ✓ Vault auth verified"));
+  } else {
+    console.log(chalk.yellow("\n  Starting in locked state — open browser to unlock"));
+  }
+
+  // Spawn detached daemon child via the clauth CLI entry point
+  const { spawn } = await import("child_process");
+  const { fileURLToPath } = await import("url");
+  const { dirname, join } = await import("path");
+  const __filename = fileURLToPath(import.meta.url);
+  const cliEntry = join(dirname(__filename), "..", "index.js");
+
+  // Build args: node index.js serve start --port N [--pw PW] [--services S]
+  const childArgs = [cliEntry, "serve", "start", "--port", String(port)];
+  if (password) childArgs.push("--pw", password);
+  if (opts.services) childArgs.push("--services", opts.services);
+
+  const out = fs.openSync(LOG_FILE, "a");
+  const child = spawn(process.execPath, childArgs, {
+    detached: true,
+    stdio: ["ignore", out, out],
+    env: { ...process.env, __CLAUTH_DAEMON: "1" },
+  });
+  child.unref();
+
+  // Give it time to bind and write PID file (Windows spawn is slower)
+  // Verify via HTTP ping (process.kill(pid,0) fails on Windows for detached processes)
+  let started = false;
+  for (let attempt = 0; attempt < 5; attempt++) {
+    await new Promise(r => setTimeout(r, 1000));
+    try {
+      const resp = await fetch(`http://127.0.0.1:${port}/ping`);
+      if (resp.ok) { started = true; break; }
+    } catch {}
+  }
+
+  const info = readPid();
+  if (started && info) {
+    console.log(chalk.green(`\n  🔐 clauth serve started`));
+    console.log(chalk.gray(`  PID:      ${info.pid}`));
+    console.log(chalk.gray(`  Port:     127.0.0.1:${info.port}`));
+    console.log(chalk.gray(`  Services: ${whitelist ? whitelist.join(", ") : "all"}`));
+    console.log(chalk.gray(`  Log:      ${LOG_FILE}`));
+    if (!password) {
+      console.log(chalk.cyan(`\n  👉 Open http://127.0.0.1:${info.port} to unlock the vault`));
+    }
+    console.log(chalk.gray(`  Stop:     clauth serve stop\n`));
+  } else {
+    console.log(chalk.red(`\n  ❌ Failed to start daemon — check ${LOG_FILE}\n`));
+    process.exit(1);
+  }
+}
+
+async function actionStop() {
+  const info = readPid();
+  if (!info) {
+    console.log(chalk.yellow("\n  No clauth serve PID file found — not running.\n"));
+    return;
+  }
+
+  if (!isProcessAlive(info.pid)) {
+    console.log(chalk.yellow(`\n  PID ${info.pid} is not running (stale PID file). Cleaning up.\n`));
+    removePid();
+    return;
+  }
+
+  // Try HTTP shutdown first (clean)
+  try {
+    const resp = await fetch(`http://127.0.0.1:${info.port}/shutdown`);
+    if (resp.ok) {
+      await new Promise(r => setTimeout(r, 300));
+      console.log(chalk.green(`\n  🛑 clauth serve stopped (was PID ${info.pid}, port ${info.port})\n`));
+      removePid();
+      return;
+    }
+  } catch {}
+
+  // Fallback: kill the process
+  try {
+    process.kill(info.pid, "SIGTERM");
+    await new Promise(r => setTimeout(r, 300));
+    console.log(chalk.green(`\n  🛑 clauth serve stopped via SIGTERM (PID ${info.pid})\n`));
+  } catch (err) {
+    console.log(chalk.yellow(`\n  Could not kill PID ${info.pid}: ${err.message}\n`));
+  }
+  removePid();
+}
+
+async function actionPing() {
+  const info = readPid();
+  if (!info) {
+    console.log(chalk.red("\n  clauth serve is not running (no PID file)\n"));
+    process.exit(1);
+  }
+
+  if (!isProcessAlive(info.pid)) {
+    console.log(chalk.red(`\n  PID ${info.pid} is not alive (stale PID file)\n`));
+    removePid();
+    process.exit(1);
+  }
+
+  try {
+    const resp = await fetch(`http://127.0.0.1:${info.port}/ping`);
+    const data = await resp.json();
+    if (data.status === "ok") {
+      console.log(chalk.green(`\n  ✅ clauth serve running`));
+      console.log(chalk.gray(`  PID:     ${info.pid}`));
+      console.log(chalk.gray(`  Port:    ${info.port}`));
+      console.log(chalk.gray(`  Fails:   ${data.failures}/${data.failures + data.failures_remaining}`));
+      console.log(chalk.gray(`  Services: ${Array.isArray(data.services) ? data.services.join(", ") : data.services}\n`));
+    } else {
+      console.log(chalk.yellow(`\n  PID alive but /ping returned unexpected response\n`));
+    }
+  } catch (err) {
+    console.log(chalk.yellow(`\n  PID ${info.pid} alive but HTTP failed: ${err.message}\n`));
+  }
+}
+
+async function actionRestart(opts) {
+  const info = readPid();
+  if (info && isProcessAlive(info.pid)) {
+    await actionStop();
+    await new Promise(r => setTimeout(r, 500));
+  }
+  await actionStart(opts);
+}
+
+async function actionForeground(opts) {
+  const port      = parseInt(opts.port || "52437", 10);
+  const password  = opts.pw || null;
+  const whitelist = opts.services
+    ? opts.services.split(",").map(s => s.trim().toLowerCase())
+    : null;
+
+  if (password) {
+    console.log(chalk.gray("\n  Verifying vault credentials..."));
+    try {
+      await verifyAuth(password);
+    } catch (err) {
+      console.log(chalk.red(`\n  Auth failed: ${err.message}\n`));
+      process.exit(1);
+    }
+    console.log(chalk.green("  ✓ Vault auth verified"));
+  } else {
+    console.log(chalk.yellow("\n  Starting in locked state — open browser to unlock"));
+  }
+
+  console.log(chalk.gray(`  Port:     127.0.0.1:${port}`));
+  console.log(chalk.gray(`  Services: ${whitelist ? whitelist.join(", ") : "all"}`));
+  console.log(chalk.gray(`  Lockout:  3 failures → exit\n`));
+
+  const server = createServer(password, whitelist, port);
+  server.listen(port, "127.0.0.1", () => {
+    writePid(process.pid, port);
+    console.log(chalk.green(`  clauth serve → http://127.0.0.1:${port}`));
+    if (!password) console.log(chalk.cyan(`  👉 Open http://127.0.0.1:${port} to unlock`));
+    console.log(chalk.gray("  Ctrl+C to stop\n"));
+  });
+
+  server.on("error", err => {
+    if (err.code === "EADDRINUSE") {
+      console.log(chalk.red(`\n  Port ${port} already in use. Use --port to choose another.\n`));
+    } else {
+      console.log(chalk.red(`\n  Server error: ${err.message}\n`));
+    }
+    process.exit(1);
+  });
+
+  process.on("SIGINT", () => {
+    console.log(chalk.yellow("\n  Stopping clauth serve...\n"));
+    removePid();
+    server.close(() => process.exit(0));
+  });
+}
+
+// ── MCP stdio server ──────────────────────────────────────────
+// JSON-RPC 2.0 over stdin/stdout for Claude Code integration.
+// Reuses the same auth model as the HTTP daemon.
+// Secrets are delivered via temp files — never in the MCP response.
+
+import { createInterface } from "readline";
+import { execSync } from "child_process";
+
+const ENV_MAP = {
+  "github":           "GITHUB_TOKEN",
+  "supabase-anon":    "NEXT_PUBLIC_SUPABASE_ANON_KEY",
+  "supabase-service": "SUPABASE_SERVICE_ROLE_KEY",
+  "supabase-db":      "SUPABASE_DB_URL",
+  "vercel":           "VERCEL_TOKEN",
+  "anthropic":        "ANTHROPIC_API_KEY",
+  "cloudflare":       "CLOUDFLARE_API_TOKEN",
+  "r2":               "R2_ACCESS_KEY_ID",
+  "r2-bucket":        "R2_BUCKET_NAME",
+  "neo4j":            "NEO4J_URI",
+  "rocketreach":      "ROCKETREACH_API_KEY",
+  "npm":              "NPM_TOKEN",
+  "namecheap":        "NAMECHEAP_API_KEY",
+  "gmail":            "GMAIL_CREDENTIALS",
+};
+
+const MCP_TOOLS = [
+  {
+    name: "clauth_ping",
+    description: "Check if the vault is locked or unlocked, show failure count",
+    inputSchema: { type: "object", properties: {}, additionalProperties: false }
+  },
+  {
+    name: "clauth_unlock",
+    description: "Unlock the vault with the master password (password stays in MCP server memory only)",
+    inputSchema: { type: "object", properties: { password: { type: "string", description: "clauth master password" } }, required: ["password"], additionalProperties: false }
+  },
+  {
+    name: "clauth_lock",
+    description: "Lock the vault — clears password from memory",
+    inputSchema: { type: "object", properties: {}, additionalProperties: false }
+  },
+  {
+    name: "clauth_status",
+    description: "List all services with type, enabled state, key presence, and last retrieval time",
+    inputSchema: { type: "object", properties: {}, additionalProperties: false }
+  },
+  {
+    name: "clauth_list",
+    description: "List registered service names",
+    inputSchema: { type: "object", properties: {}, additionalProperties: false }
+  },
+  {
+    name: "clauth_get",
+    description: "Retrieve a secret and deliver to a temp file (default), clipboard, or stdout. Temp files auto-delete after 30 seconds.",
+    inputSchema: {
+      type: "object",
+      properties: {
+        service: { type: "string", description: "Service name (e.g. github, anthropic, vercel)" },
+        target: { type: "string", enum: ["file", "clipboard", "stdout"], default: "file", description: "Where to deliver the secret. 'file' writes a temp file, 'clipboard' copies to clipboard, 'stdout' returns the value in the response (DANGEROUS — enters transcript)" }
+      },
+      required: ["service"],
+      additionalProperties: false
+    }
+  },
+  {
+    name: "clauth_inject",
+    description: "Bulk retrieve multiple services into a single sourceable env file. Usage: source the returned file path before running commands.",
+    inputSchema: {
+      type: "object",
+      properties: {
+        services: { type: "array", items: { type: "string" }, description: "Service names to inject (e.g. ['github', 'vercel', 'anthropic'])" }
+      },
+      required: ["services"],
+      additionalProperties: false
+    }
+  },
+  {
+    name: "clauth_enable",
+    description: "Enable a service in the vault",
+    inputSchema: { type: "object", properties: { service: { type: "string" } }, required: ["service"], additionalProperties: false }
+  },
+  {
+    name: "clauth_disable",
+    description: "Disable a service in the vault",
+    inputSchema: { type: "object", properties: { service: { type: "string" } }, required: ["service"], additionalProperties: false }
+  },
+  {
+    name: "clauth_test",
+    description: "Test the HMAC handshake without retrieving any keys",
+    inputSchema: { type: "object", properties: {}, additionalProperties: false }
+  },
+  {
+    name: "clauth_scrub",
+    description: "Scrub secrets from Claude Code transcript .jsonl files",
+    inputSchema: {
+      type: "object",
+      properties: {
+        target: { type: "string", enum: ["latest", "all"], default: "latest", description: "Scrub the most recent transcript or all transcripts" }
+      },
+      additionalProperties: false
+    }
+  },
+];
+
+function writeTempSecret(service, value) {
+  const filePath = path.join(os.tmpdir(), `.clauth-${service}`);
+  fs.writeFileSync(filePath, value, { mode: 0o600 });
+  setTimeout(() => { try { fs.unlinkSync(filePath); } catch {} }, 30_000);
+  return filePath;
+}
+
+function copyToClipboard(value) {
+  const platform = os.platform();
+  if (platform === "win32") {
+    execSync("clip", { input: value, stdio: ["pipe", "pipe", "pipe"] });
+  } else if (platform === "darwin") {
+    execSync("pbcopy", { input: value, stdio: ["pipe", "pipe", "pipe"] });
+  } else {
+    execSync("xclip -selection clipboard", { input: value, stdio: ["pipe", "pipe", "pipe"] });
+  }
+}
+
+function mcpResult(text) {
+  return { content: [{ type: "text", text }] };
+}
+
+function mcpError(text) {
+  return { content: [{ type: "text", text }], isError: true };
+}
+
+async function handleMcpTool(vault, name, args) {
+  switch (name) {
+    case "clauth_ping": {
+      return mcpResult(
+        vault.password
+          ? `unlocked | pid: ${process.pid} | failures: ${vault.failCount}/${vault.MAX_FAILS}`
+          : `locked | pid: ${process.pid} | failures: ${vault.failCount}/${vault.MAX_FAILS}`
+      );
+    }
+
+    case "clauth_unlock": {
+      const pw = args.password;
+      if (!pw) return mcpError("password is required");
+      try {
+        const { token, timestamp } = deriveToken(pw, vault.machineHash);
+        const result = await api.test(pw, vault.machineHash, token, timestamp);
+        if (result.error) return mcpError(`Unlock failed: ${result.error}`);
+        vault.password = pw;
+        return mcpResult("Vault unlocked");
+      } catch (err) {
+        return mcpError(`Unlock failed: ${err.message}`);
+      }
+    }
+
+    case "clauth_lock": {
+      vault.password = null;
+      return mcpResult("Vault locked — password cleared from memory");
+    }
+
+    case "clauth_status": {
+      if (!vault.password) return mcpError("Vault is locked — call clauth_unlock first");
+      try {
+        const { token, timestamp } = deriveToken(vault.password, vault.machineHash);
+        const result = await api.status(vault.password, vault.machineHash, token, timestamp);
+        if (result.error) return mcpError(result.error);
+        let services = result.services || [];
+        if (vault.whitelist) {
+          services = services.filter(s => vault.whitelist.includes(s.name.toLowerCase()));
+        }
+        const lines = ["SERVICE              TYPE         STATUS       KEY    LAST RETRIEVED",
+                        "---              ----         ------       ---    --------------"];
+        for (const s of services) {
+          const status = s.enabled ? "ACTIVE" : (s.vault_key ? "SUSPENDED" : "NO KEY");
+          const hasKey = s.vault_key ? "yes" : "—";
+          const lastGet = s.last_retrieved ? new Date(s.last_retrieved).toLocaleDateString() : "never";
+          lines.push(`${s.name.padEnd(20)} ${(s.key_type || "").padEnd(12)} ${status.padEnd(12)} ${hasKey.padEnd(6)} ${lastGet}`);
+        }
+        return mcpResult(lines.join("\n"));
+      } catch (err) {
+        return mcpError(err.message);
+      }
+    }
+
+    case "clauth_list": {
+      if (!vault.password) return mcpError("Vault is locked — call clauth_unlock first");
+      try {
+        const { token, timestamp } = deriveToken(vault.password, vault.machineHash);
+        const result = await api.status(vault.password, vault.machineHash, token, timestamp);
+        if (result.error) return mcpError(result.error);
+        let services = result.services || [];
+        if (vault.whitelist) {
+          services = services.filter(s => vault.whitelist.includes(s.name.toLowerCase()));
+        }
+        return mcpResult(services.map(s => s.name).join(", "));
+      } catch (err) {
+        return mcpError(err.message);
+      }
+    }
+
+    case "clauth_get": {
+      if (!vault.password) return mcpError("Vault is locked — call clauth_unlock first");
+      const service = (args.service || "").toLowerCase();
+      const target = args.target || "file";
+      if (!service) return mcpError("service is required");
+      if (vault.whitelist && !vault.whitelist.includes(service)) {
+        return mcpError(`Service '${service}' not in whitelist`);
+      }
+      try {
+        const { token, timestamp } = deriveToken(vault.password, vault.machineHash);
+        const result = await api.retrieve(vault.password, vault.machineHash, token, timestamp, service);
+        if (result.error) return mcpError(result.error);
+        const value = typeof result.value === "string" ? result.value : JSON.stringify(result.value);
+
+        if (target === "clipboard") {
+          try {
+            copyToClipboard(value);
+            return mcpResult(`${service} copied to clipboard`);
+          } catch (err) {
+            return mcpError(`Clipboard failed: ${err.message}. Use target 'file' instead.`);
+          }
+        }
+
+        if (target === "stdout") {
+          return {
+            content: [{ type: "text", text: `WARNING: secret in response — will appear in transcript. Use 'file' or 'clipboard' mode instead.\n\n${value}` }],
+            isError: true
+          };
+        }
+
+        // Default: file
+        const envVar = ENV_MAP[service] || service.toUpperCase().replace(/-/g, "_");
+        const filePath = writeTempSecret(service, value);
+        return mcpResult(`${service} → ${filePath} (auto-deletes in 30s)\nEnv var: ${envVar}\nUsage: export ${envVar}=$(cat ${filePath.replace(/\\/g, "/")})`);
+      } catch (err) {
+        return mcpError(err.message);
+      }
+    }
+
+    case "clauth_inject": {
+      if (!vault.password) return mcpError("Vault is locked — call clauth_unlock first");
+      const services = args.services || [];
+      if (!services.length) return mcpError("services array is required");
+
+      const lines = [];
+      const errors = [];
+      for (const svc of services) {
+        const service = svc.toLowerCase();
+        if (vault.whitelist && !vault.whitelist.includes(service)) {
+          errors.push(`${service}: not in whitelist`);
+          continue;
+        }
+        try {
+          const { token, timestamp } = deriveToken(vault.password, vault.machineHash);
+          const result = await api.retrieve(vault.password, vault.machineHash, token, timestamp, service);
+          if (result.error) { errors.push(`${service}: ${result.error}`); continue; }
+          const value = typeof result.value === "string" ? result.value : JSON.stringify(result.value);
+          const envVar = ENV_MAP[service] || service.toUpperCase().replace(/-/g, "_");
+          lines.push(`export ${envVar}="${value.replace(/"/g, '\\"')}"`);
+        } catch (err) {
+          errors.push(`${service}: ${err.message}`);
+        }
+      }
+
+      if (!lines.length) return mcpError(`No services retrieved:\n${errors.join("\n")}`);
+
+      const envFilePath = path.join(os.tmpdir(), ".clauth-env");
+      fs.writeFileSync(envFilePath, lines.join("\n") + "\n", { mode: 0o600 });
+      setTimeout(() => { try { fs.unlinkSync(envFilePath); } catch {} }, 30_000);
+
+      let msg = `${lines.length} service(s) → ${envFilePath.replace(/\\/g, "/")} (auto-deletes in 30s)\nUsage: source ${envFilePath.replace(/\\/g, "/")}`;
+      if (errors.length) msg += `\n\nErrors:\n${errors.join("\n")}`;
+      return mcpResult(msg);
+    }
+
+    case "clauth_enable": {
+      if (!vault.password) return mcpError("Vault is locked — call clauth_unlock first");
+      const service = (args.service || "").toLowerCase();
+      if (!service) return mcpError("service is required");
+      try {
+        const { token, timestamp } = deriveToken(vault.password, vault.machineHash);
+        const result = await api.enable(vault.password, vault.machineHash, token, timestamp, service, true);
+        if (result.error) return mcpError(result.error);
+        return mcpResult(`${service} enabled`);
+      } catch (err) {
+        return mcpError(err.message);
+      }
+    }
+
+    case "clauth_disable": {
+      if (!vault.password) return mcpError("Vault is locked — call clauth_unlock first");
+      const service = (args.service || "").toLowerCase();
+      if (!service) return mcpError("service is required");
+      try {
+        const { token, timestamp } = deriveToken(vault.password, vault.machineHash);
+        const result = await api.enable(vault.password, vault.machineHash, token, timestamp, service, false);
+        if (result.error) return mcpError(result.error);
+        return mcpResult(`${service} disabled`);
+      } catch (err) {
+        return mcpError(err.message);
+      }
+    }
+
+    case "clauth_test": {
+      if (!vault.password) return mcpError("Vault is locked — call clauth_unlock first");
+      try {
+        const { token, timestamp } = deriveToken(vault.password, vault.machineHash);
+        const result = await api.test(vault.password, vault.machineHash, token, timestamp);
+        if (result.error) return mcpError(`FAIL: ${result.error}`);
+        return mcpResult(`PASS — machine: ${vault.machineHash.slice(0, 16)}... | window: ${new Date(result.timestamp).toISOString()}`);
+      } catch (err) {
+        return mcpError(`FAIL: ${err.message}`);
+      }
+    }
+
+    case "clauth_scrub": {
+      const target = args.target || "latest";
+      try {
+        const { runScrub: doScrub } = await import("./scrub.js");
+        // runScrub writes to stdout via chalk — capture isn't clean in MCP mode.
+        // Call it and trust it works; report success.
+        await doScrub(target === "all" ? "all" : undefined, {});
+        return mcpResult(`Scrub complete (target: ${target})`);
+      } catch (err) {
+        return mcpError(`Scrub failed: ${err.message}`);
+      }
+    }
+
+    default:
+      return mcpError(`Unknown tool: ${name}`);
+  }
+}
+
+function createMcpServer(initPassword, whitelist) {
+  // Ensure wmic is reachable — bash shells on Windows may not have
+  // C:\Windows\System32\Wbem on PATH, which getMachineHash() needs.
+  if (os.platform() === "win32" && !process.env.PATH?.includes("Wbem")) {
+    process.env.PATH = (process.env.PATH || "") + ";C:\\Windows\\System32\\Wbem";
+  }
+
+  // Lazy-init machineHash — defer to first tool call that needs auth.
+  let _machineHash = null;
+  function ensureMachineHash() {
+    if (!_machineHash) _machineHash = getMachineHash();
+    return _machineHash;
+  }
+
+  const vault = {
+    password: initPassword || null,
+    get machineHash() { return ensureMachineHash(); },
+    whitelist,
+    failCount: 0,
+    MAX_FAILS: 3,
+  };
+
+  const rl = createInterface({ input: process.stdin, terminal: false });
+
+  function send(msg) {
+    process.stdout.write(JSON.stringify(msg) + "\n");
+  }
+
+  rl.on("line", async (line) => {
+    let msg;
+    try {
+      msg = JSON.parse(line);
+    } catch {
+      send({ jsonrpc: "2.0", id: null, error: { code: -32700, message: "Parse error" } });
+      return;
+    }
+
+    const id = msg.id;
+
+    // notifications (no id) — handle initialized, etc.
+    if (msg.method === "notifications/initialized" || msg.method === "initialized") {
+      return; // no response needed for notifications
+    }
+
+    if (msg.method === "initialize") {
+      return send({
+        jsonrpc: "2.0", id,
+        result: {
+          protocolVersion: "2024-11-05",
+          serverInfo: { name: "clauth", version: VERSION },
+          capabilities: { tools: {} }
+        }
+      });
+    }
+
+    if (msg.method === "tools/list") {
+      return send({
+        jsonrpc: "2.0", id,
+        result: { tools: MCP_TOOLS }
+      });
+    }
+
+    if (msg.method === "tools/call") {
+      const { name, arguments: args } = msg.params || {};
+      try {
+        const result = await handleMcpTool(vault, name, args || {});
+        return send({ jsonrpc: "2.0", id, result });
+      } catch (err) {
+        return send({ jsonrpc: "2.0", id, result: mcpError(`Internal error: ${err.message}`) });
+      }
+    }
+
+    // Unknown method
+    send({ jsonrpc: "2.0", id, error: { code: -32601, message: `Unknown method: ${msg.method}` } });
+  });
+
+  rl.on("close", () => {
+    process.exit(0);
+  });
+
+  // Prevent unhandled errors from crashing the MCP server
+  process.on("uncaughtException", (err) => {
+    const msg = `[${new Date().toISOString()}] MCP uncaught: ${err.message}\n`;
+    try { fs.appendFileSync(LOG_FILE, msg); } catch {}
+  });
+}
+
+async function actionMcp(opts) {
+  const password  = opts.pw || null;
+  const whitelist = opts.services
+    ? opts.services.split(",").map(s => s.trim().toLowerCase())
+    : null;
+
+  if (password) {
+    try {
+      await verifyAuth(password);
+    } catch (err) {
+      // Can't use stderr for errors in MCP mode without careful framing
+      // Write to log file instead
+      const msg = `[${new Date().toISOString()}] MCP auth failed: ${err.message}\n`;
+      try { fs.appendFileSync(LOG_FILE, msg); } catch {}
+      process.exit(1);
+    }
+  }
+
+  createMcpServer(password, whitelist);
+}
+
+// ── Export ────────────────────────────────────────────────────
+export async function runServe(opts) {
+  const action = opts.action || "foreground";
+
+  switch (action) {
+    case "start":      return actionStart(opts);
+    case "stop":       return actionStop();
+    case "restart":    return actionRestart(opts);
+    case "ping":       return actionPing();
+    case "foreground": return actionForeground(opts);
+    case "mcp":        return actionMcp(opts);
+    default:
+      console.log(chalk.red(`\n  Unknown serve action: ${action}`));
+      console.log(chalk.gray("  Actions: start | stop | restart | ping | foreground | mcp\n"));
+      process.exit(1);
+  }
+}