@nordbyte/nordrelay 0.4.1 → 0.5.1

package/dist/web-dashboard.js

@@ -1,4 +1,3 @@
-import { createReadStream } from "node:fs";
 import { createServer } from "node:http";
 import os from "node:os";
 import path from "node:path";
@@ -6,28 +5,34 @@ import { URL } from "node:url";
 import { enabledAgents } from "./agent-factory.js";
 import { listAgentAdapterDescriptors } from "./agent-adapter.js";
 import { isAgentId } from "./agent.js";
+import { AuditLogStore } from "./audit-log.js";
 import { listChannelDescriptors } from "./channel-adapter.js";
+import { permissionForWebRequest } from "./access-control.js";
 import { loadConfig } from "./config.js";
 import { friendlyErrorText } from "./error-messages.js";
-import { escapeHTML } from "./format.js";
 import { RelayRuntime } from "./relay-runtime.js";
 import { resolveDashboardEnvPath, SettingsService } from "./settings-service.js";
-import { dashboardJs } from "./web-dashboard-client.js";
-import { dashboardCss } from "./web-dashboard-style.js";
-import { renderDashboardNav } from "./web-dashboard-ui.js";
+import { UserStore, publicUser } from "./user-management.js";
+import { handleDashboardAccessRoute } from "./web-dashboard-access-routes.js";
+import { handleDashboardArtifactRoute } from "./web-dashboard-artifact-routes.js";
+import { dashboardCss, dashboardJs } from "./web-dashboard-assets.js";
+import { objectRecord, optionalStringField, parseCookies, readJsonBody, sendJson, sendText, } from "./web-dashboard-http.js";
+import { renderDashboardApp, renderLoginPage } from "./web-dashboard-pages.js";
+import { handleDashboardRuntimeRoute } from "./web-dashboard-runtime-routes.js";
+import { handleDashboardSessionRoute } from "./web-dashboard-session-routes.js";
 const DEFAULT_HOME = path.join(os.homedir(), ".nordrelay");
-const JSON_HEADERS = { "content-type": "application/json; charset=utf-8", "cache-control": "no-store" };
 const options = parseOptions(process.argv.slice(2));
-const auth = resolveDashboardAuth(options.host);
-if (auth.publicBind && !auth.token && !(auth.user && auth.password)) {
-    throw new Error("Dashboard bound to 0.0.0.0 requires NORDRELAY_DASHBOARD_TOKEN or NORDRELAY_DASHBOARD_USER/PASSWORD.");
-}
 const config = loadConfig();
 const runtime = new RelayRuntime(config);
 const settings = new SettingsService(resolveDashboardEnvPath(options.home));
+const users = new UserStore(options.home);
+const auditLog = new AuditLogStore(config.workspace, config.stateBackend, config.auditMaxEvents);
+const loginAttempts = new Map();
+class AccessDeniedError extends Error {
+}
 const server = createServer((req, res) => {
     void handleRequest(req, res).catch((error) => {
-        sendJson(res, 500, { error: friendlyErrorText(error) });
+        sendJson(res, error instanceof AccessDeniedError ? 403 : 500, { error: friendlyErrorText(error) });
     });
 });
 await new Promise((resolve) => server.listen(options.port, options.host, resolve));
@@ -36,35 +41,41 @@ process.once("SIGINT", () => shutdown());
 process.once("SIGTERM", () => shutdown());
 async function handleRequest(req, res) {
     const url = new URL(req.url ?? "/", `http://${req.headers.host ?? "localhost"}`);
-    const queryToken = url.searchParams.get("token");
-    if (queryToken && isAuthorizedToken(queryToken) && !url.pathname.startsWith("/api/")) {
-        setAuthCookie(res, queryToken);
-        res.writeHead(302, { location: url.pathname || "/" });
-        res.end();
-        return;
-    }
     if (url.pathname === "/api/auth" && req.method === "POST") {
         await handleLogin(req, res);
         return;
     }
-    if (auth.required && !isAuthorizedRequest(req) && !isAuthorizedToken(queryToken ?? "")) {
-        if (url.pathname === "/" || url.pathname === "/index.html") {
-            sendText(res, 200, renderLoginPage(auth), "text/html; charset=utf-8");
+    if (url.pathname === "/api/dashboard/logout" && req.method === "POST") {
+        handleLogout(req, res);
+        return;
+    }
+    const authenticated = authenticateRequest(req);
+    if (url.pathname === "/api/auth/me" && req.method === "GET") {
+        if (!authenticated) {
+            sendJson(res, 401, { error: "Authentication required", adminConfigured: users.hasAdminUser() });
             return;
         }
-        if (url.pathname.startsWith("/api/") || url.pathname === "/healthz") {
-            sendJson(res, 401, { error: "Authentication required" });
+        sendJson(res, 200, currentUserDto(authenticated));
+        return;
+    }
+    if (!authenticated) {
+        if (url.pathname === "/" || url.pathname === "/index.html") {
+            sendText(res, 200, renderLoginPage({ adminConfigured: users.hasAdminUser() }), "text/html; charset=utf-8");
             return;
         }
-        sendText(res, 401, "Authentication required\n", "text/plain; charset=utf-8");
+        sendJson(res, 401, { error: "Authentication required", adminConfigured: users.hasAdminUser() });
         return;
     }
     if (url.pathname === "/healthz") {
+        if (!users.hasPermission(authenticated, "inspect")) {
+            sendText(res, 403, "access denied\n", "text/plain; charset=utf-8");
+            return;
+        }
         sendText(res, 200, "ok\n", "text/plain; charset=utf-8");
         return;
     }
     if (url.pathname === "/" || url.pathname === "/index.html") {
-        sendText(res, 200, renderDashboardApp({ authRequired: auth.required }), "text/html; charset=utf-8");
+        sendText(res, 200, renderDashboardApp(), "text/html; charset=utf-8");
         return;
     }
     if (url.pathname === "/assets/dashboard.css") {
@@ -76,109 +87,79 @@ async function handleRequest(req, res) {
         return;
     }
     if (url.pathname === "/api/events" && req.method === "GET") {
-        handleEvents(req, res);
+        await handleEvents(req, res);
         return;
     }
     if (!url.pathname.startsWith("/api/")) {
         sendText(res, 404, "not found\n", "text/plain; charset=utf-8");
         return;
     }
-    await handleApi(req, res, url);
+    await handleApi(req, res, url, authenticated);
 }
-async function handleApi(req, res, url) {
+async function handleApi(req, res, url, authUser) {
+    const permission = permissionForWebRequest(req.method, url.pathname);
+    if (!permission) {
+        audit({
+            action: "permission_denied",
+            status: "denied",
+            channelId: "web",
+            contextKey: "web",
+            actorId: authUser.user.id,
+            actorRole: authUser.groups.map((group) => group.name).join(", "),
+            description: `Denied unknown endpoint ${req.method ?? "GET"} ${url.pathname}`,
+        });
+        sendJson(res, 403, { error: "Access denied." });
+        return;
+    }
+    if (!users.hasPermission(authUser, permission)) {
+        audit({
+            action: "permission_denied",
+            status: "denied",
+            channelId: "web",
+            contextKey: "web",
+            actorId: authUser.user.id,
+            actorRole: authUser.groups.map((group) => group.name).join(", "),
+            description: `${permission} required for ${req.method ?? "GET"} ${url.pathname}`,
+        });
+        sendJson(res, 403, { error: `Access denied: ${permission} permission required.` });
+        return;
+    }
+    if (await handleDashboardRuntimeRoute(req, res, url, {
+        runtime,
+        users,
+        authUser,
+        parseAgentIdRequired,
+        assertScopedAgent,
+        assertAgentUpdateJobScope,
+        assertCurrentSessionScope,
+        scopedTasks,
+    })) {
+        return;
+    }
     if (req.method === "GET" && url.pathname === "/api/bootstrap") {
+        await assertCurrentSessionScope(authUser);
         sendJson(res, 200, {
-            auth: { required: auth.required, publicBind: auth.publicBind },
+            auth: currentUserDto(authUser),
             channels: listChannelDescriptors(),
-            agentAdapters: listAgentAdapterDescriptors(),
-            enabledAgents: enabledAgents(config),
-            controls: await runtime.controlOptions(),
+            agentAdapters: listAgentAdapterDescriptors().filter((adapter) => users.canUseAgent(authUser, adapter.id)),
+            enabledAgents: enabledAgents(config).filter((agentId) => users.canUseAgent(authUser, agentId)),
+            controls: scopedControlOptions(authUser, await runtime.controlOptions()),
             status: await runtime.bootstrapStatus(),
         });
         return;
     }
     if (req.method === "GET" && url.pathname === "/api/control-options") {
-        sendJson(res, 200, await runtime.controlOptions(parseAgentId(url.searchParams.get("agent") ?? undefined)));
-        return;
-    }
-    if (req.method === "GET" && url.pathname === "/api/health") {
-        sendJson(res, 200, await runtime.status());
-        return;
-    }
-    if (req.method === "GET" && url.pathname === "/api/version") {
-        sendJson(res, 200, await runtime.version());
-        return;
-    }
-    if (req.method === "POST" && url.pathname === "/api/update") {
-        sendJson(res, 202, runtime.updateConnector());
-        return;
-    }
-    if (req.method === "GET" && url.pathname === "/api/agent-updates") {
-        sendJson(res, 200, { jobs: runtime.agentUpdateJobs() });
-        return;
-    }
-    if (req.method === "POST" && url.pathname === "/api/agent-update") {
-        const body = await readJsonBody(req);
-        sendJson(res, 202, { job: runtime.startAgentUpdate(parseAgentIdRequired(stringField(body, "agentId"))) });
-        return;
-    }
-    const agentUpdateLogMatch = url.pathname.match(/^\/api\/agent-update\/([^/]+)\/log$/);
-    if (req.method === "GET" && agentUpdateLogMatch?.[1]) {
-        sendJson(res, 200, runtime.agentUpdateLog(decodeURIComponent(agentUpdateLogMatch[1])));
-        return;
-    }
-    const agentUpdateInputMatch = url.pathname.match(/^\/api\/agent-update\/([^/]+)\/input$/);
-    if (req.method === "POST" && agentUpdateInputMatch?.[1]) {
-        const body = await readJsonBody(req);
-        sendJson(res, 200, { job: runtime.sendAgentUpdateInput(decodeURIComponent(agentUpdateInputMatch[1]), stringField(body, "input")) });
-        return;
-    }
-    const agentUpdateCancelMatch = url.pathname.match(/^\/api\/agent-update\/([^/]+)\/cancel$/);
-    if (req.method === "POST" && agentUpdateCancelMatch?.[1]) {
-        sendJson(res, 200, { job: runtime.cancelAgentUpdate(decodeURIComponent(agentUpdateCancelMatch[1])) });
-        return;
-    }
-    if (req.method === "GET" && (url.pathname === "/api/tasks" || url.pathname === "/api/progress")) {
-        sendJson(res, 200, runtime.tasks());
-        return;
-    }
-    if (req.method === "GET" && url.pathname === "/api/adapters/health") {
-        sendJson(res, 200, { adapters: await runtime.adapterHealth() });
-        return;
-    }
-    if (req.method === "GET" && url.pathname === "/api/permissions") {
-        sendJson(res, 200, runtime.permissions());
-        return;
-    }
-    if (req.method === "GET" && url.pathname === "/api/audit") {
-        sendJson(res, 200, { events: runtime.audit(numberParam(url, "limit", 50)) });
-        return;
-    }
-    if (req.method === "GET" && url.pathname === "/api/locks") {
-        sendJson(res, 200, { locks: runtime.locks() });
-        return;
-    }
-    if (req.method === "POST" && url.pathname === "/api/locks") {
-        const body = await readJsonBody(req);
-        sendJson(res, 200, { lock: runtime.lockWebSession(optionalStringField(body, "ownerName")), locks: runtime.locks() });
-        return;
-    }
-    if (req.method === "DELETE" && url.pathname === "/api/locks") {
-        sendJson(res, 200, runtime.unlockWebSession());
-        return;
-    }
-    if (req.method === "GET" && url.pathname === "/api/auth/status") {
-        sendJson(res, 200, await runtime.authStatus(parseAgentId(url.searchParams.get("agent") ?? undefined)));
+        const agentId = parseAgentId(url.searchParams.get("agent") ?? undefined);
+        assertScopedAgent(authUser, agentId);
+        sendJson(res, 200, scopedControlOptions(authUser, await runtime.controlOptions(agentId)));
         return;
     }
-    if (req.method === "POST" && url.pathname === "/api/auth/login") {
-        const body = await readJsonBody(req);
-        sendJson(res, 200, await runtime.login(parseAgentId(optionalStringField(body, "agentId"))));
-        return;
-    }
-    if (req.method === "POST" && url.pathname === "/api/auth/logout") {
-        const body = await readJsonBody(req);
-        sendJson(res, 200, await runtime.logout(parseAgentId(optionalStringField(body, "agentId"))));
+    if (await handleDashboardAccessRoute(req, res, url, {
+        users,
+        runtime,
+        authUser,
+        auditUserAction,
+    })) {
         return;
     }
     if (req.method === "GET" && url.pathname === "/api/settings") {
@@ -190,220 +171,63 @@ async function handleApi(req, res, url) {
         sendJson(res, 200, await settings.update(objectRecord(body?.settings)));
         return;
     }
-    if (req.method === "GET" && url.pathname === "/api/snapshot") {
-        sendJson(res, 200, await runtime.snapshot());
-        return;
-    }
-    if (req.method === "GET" && url.pathname === "/api/sessions") {
-        sendJson(res, 200, await runtime.listSessionsPage(numberParam(url, "page", 1), numberParam(url, "limit", 50), url.searchParams.get("query") ?? "", parseAgentId(url.searchParams.get("agent") ?? undefined)));
-        return;
-    }
-    if (req.method === "POST" && url.pathname === "/api/agent") {
-        const body = await readJsonBody(req);
-        const agentId = stringField(body, "agentId");
-        if (!isAgentId(agentId)) {
-            throw new Error(`Invalid agent: ${agentId}`);
-        }
-        sendJson(res, 200, { session: await runtime.setAgent(agentId) });
-        return;
-    }
-    if (req.method === "POST" && url.pathname === "/api/sessions/new") {
-        const body = await readJsonBody(req);
-        sendJson(res, 200, {
-            session: await runtime.newSession({
-                agentId: parseAgentId(optionalStringField(body, "agentId")),
-                workspace: optionalStringField(body, "workspace"),
-                model: optionalStringField(body, "model"),
-                reasoningEffort: optionalStringField(body, "reasoningEffort"),
-                launchProfileId: optionalStringField(body, "launchProfileId"),
-                fastMode: optionalBooleanField(body, "fastMode"),
-            }),
-        });
-        return;
-    }
-    if (req.method === "POST" && url.pathname === "/api/sessions/switch") {
-        const body = await readJsonBody(req);
-        sendJson(res, 200, { session: await runtime.switchSession(stringField(body, "threadId")) });
-        return;
-    }
-    if (req.method === "POST" && url.pathname === "/api/sessions/attach") {
-        const body = await readJsonBody(req);
-        sendJson(res, 200, { session: await runtime.attachSession(stringField(body, "threadId")) });
-        return;
-    }
-    if (req.method === "GET" && url.pathname === "/api/sessions/detail") {
-        sendJson(res, 200, await runtime.sessionDetail(requiredSearch(url, "threadId")));
-        return;
-    }
-    if (req.method === "GET" && url.pathname === "/api/models") {
-        sendJson(res, 200, { models: await runtime.listModels() });
-        return;
-    }
-    if (req.method === "POST" && url.pathname === "/api/session/model") {
-        const body = await readJsonBody(req);
-        sendJson(res, 200, { session: await runtime.setModel(stringField(body, "model")) });
-        return;
-    }
-    if (req.method === "POST" && url.pathname === "/api/session/reasoning") {
-        const body = await readJsonBody(req);
-        sendJson(res, 200, { session: await runtime.setReasoningEffort(stringField(body, "reasoning")) });
-        return;
-    }
-    if (req.method === "POST" && url.pathname === "/api/session/fast") {
-        const body = await readJsonBody(req);
-        sendJson(res, 200, { session: await runtime.setFastMode(Boolean(body?.enabled)) });
-        return;
-    }
-    if (req.method === "POST" && url.pathname === "/api/session/launch") {
-        const body = await readJsonBody(req);
-        sendJson(res, 200, { session: await runtime.setLaunchProfile(stringField(body, "profileId")) });
-        return;
-    }
-    if (req.method === "POST" && url.pathname === "/api/prompt") {
-        const body = await readJsonBody(req);
-        sendJson(res, 202, await runtime.sendPrompt(stringField(body, "text")));
-        return;
-    }
-    if (req.method === "POST" && url.pathname === "/api/prompt/upload") {
-        const body = await readJsonBody(req);
-        sendJson(res, 202, await runtime.sendUploadPrompt({
-            text: optionalStringField(body, "text"),
-            files: parseUploadFiles(body.files),
-        }));
-        return;
-    }
-    if (req.method === "POST" && (url.pathname === "/api/abort" || url.pathname === "/api/stop")) {
-        await runtime.abort();
-        sendJson(res, 200, { ok: true });
-        return;
-    }
-    if (req.method === "POST" && url.pathname === "/api/handback") {
-        sendJson(res, 200, await runtime.handback());
-        return;
-    }
-    if (req.method === "POST" && url.pathname === "/api/retry") {
-        sendJson(res, 202, await runtime.retry());
-        return;
-    }
-    if (req.method === "POST" && url.pathname === "/api/sync") {
-        sendJson(res, 200, await runtime.sync());
+    if (await handleDashboardSessionRoute(req, res, url, {
+        runtime,
+        authUser,
+        parseAgentId,
+        assertScopedAgent,
+        assertScopedWorkspace,
+        assertCurrentSessionScope,
+        assertSessionScope,
+        assertSessionDetailScope,
+        scopedSessionPage,
+        filterActivityByScope,
+    })) {
         return;
     }
-    if (req.method === "GET" && url.pathname === "/api/queue") {
-        sendJson(res, 200, { queue: runtime.queue(), paused: runtime.queuePaused() });
-        return;
-    }
-    if (req.method === "POST" && url.pathname === "/api/queue") {
-        const body = await readJsonBody(req);
-        sendJson(res, 200, { queue: runtime.queueAction(stringField(body, "action"), optionalStringField(body, "id")), paused: runtime.queuePaused() });
-        return;
-    }
-    if (req.method === "GET" && url.pathname === "/api/chat/history") {
-        sendJson(res, 200, { messages: await runtime.chatHistory(numberParam(url, "limit", 200)) });
-        return;
-    }
-    if (req.method === "DELETE" && url.pathname === "/api/chat/history") {
-        sendJson(res, 200, await runtime.clearChatHistory());
-        return;
-    }
-    if (req.method === "GET" && url.pathname === "/api/activity") {
-        sendJson(res, 200, {
-            events: runtime.activity({
-                limit: numberParam(url, "limit", 100),
-                source: (url.searchParams.get("source") || "all"),
-                status: (url.searchParams.get("status") || "all"),
-            }),
-        });
-        return;
-    }
-    if (req.method === "GET" && url.pathname === "/api/artifacts") {
-        sendJson(res, 200, { reports: await runtime.artifacts() });
-        return;
-    }
-    if (req.method === "DELETE" && url.pathname === "/api/artifacts") {
-        sendJson(res, 200, { removed: await runtime.deleteArtifact(requiredSearch(url, "turnId")) });
-        return;
-    }
-    if (req.method === "POST" && url.pathname === "/api/artifacts/bulk") {
-        const body = await readJsonBody(req);
-        const action = stringField(body, "action");
-        const turnIds = Array.isArray(body.turnIds) ? body.turnIds.filter((item) => typeof item === "string") : [];
-        if (action !== "delete") {
-            throw new Error("Unsupported artifact bulk action.");
-        }
-        const removed = [];
-        for (const turnId of turnIds) {
-            if (await runtime.deleteArtifact(turnId)) {
-                removed.push(turnId);
-            }
-        }
-        sendJson(res, 200, { removed });
-        return;
-    }
-    if (req.method === "GET" && url.pathname === "/api/artifacts/zip") {
-        const bundle = await runtime.createArtifactZip(requiredSearch(url, "turnId"));
-        if (!bundle) {
-            sendJson(res, 404, { error: "Artifact turn not found or ZIP could not be created" });
-            return;
-        }
-        sendFile(res, bundle.path, bundle.name);
-        return;
-    }
-    if (req.method === "GET" && url.pathname === "/api/artifacts/file") {
-        const turnId = requiredSearch(url, "turnId");
-        const relativePath = requiredSearch(url, "path");
-        const report = await runtime.artifact(turnId);
-        const artifact = report?.artifacts.find((candidate) => candidate.relativePath === relativePath);
-        if (!artifact) {
-            sendJson(res, 404, { error: "Artifact not found" });
-            return;
-        }
-        sendFile(res, artifact.localPath, artifact.name);
-        return;
-    }
-    if (req.method === "GET" && url.pathname === "/api/artifacts/preview") {
-        const preview = await runtime.artifactPreview(requiredSearch(url, "turnId"), requiredSearch(url, "path"));
-        if (!preview) {
-            sendJson(res, 404, { error: "Artifact not found" });
-            return;
-        }
-        sendJson(res, 200, preview);
-        return;
-    }
-    if (req.method === "GET" && url.pathname === "/api/logs") {
-        sendJson(res, 200, await runtime.logs(parseLogTarget(url.searchParams.get("target") ?? undefined), numberParam(url, "lines", 120)));
-        return;
-    }
-    if (req.method === "POST" && url.pathname === "/api/logs/clear") {
-        const body = await readJsonBody(req);
-        sendJson(res, 200, runtime.clearLogs(parseLogTarget(optionalStringField(body, "target"))));
-        return;
-    }
-    if (req.method === "GET" && url.pathname === "/api/diagnostics") {
-        sendJson(res, 200, await runtime.diagnostics());
-        return;
-    }
-    if (req.method === "POST" && url.pathname === "/api/runtime/restart") {
-        sendJson(res, 202, runtime.restartConnector());
+    if (await handleDashboardArtifactRoute(req, res, url, {
+        runtime,
+        authUser,
+        assertCurrentSessionScope,
+    })) {
         return;
     }
     sendJson(res, 404, { error: "Unknown endpoint" });
 }
-function handleEvents(req, res) {
-    const url = new URL(req.url ?? "/", `http://${req.headers.host ?? "localhost"}`);
-    const token = url.searchParams.get("token");
-    if (auth.required && !(isAuthorizedRequest(req) || (token && isAuthorizedToken(token)))) {
+async function handleEvents(req, res) {
+    const authUser = authenticateRequest(req);
+    if (!authUser) {
         sendJson(res, 401, { error: "Authentication required" });
         return;
     }
+    if (!users.hasPermission(authUser, "sessions.read")) {
+        sendJson(res, 403, { error: "Access denied: sessions.read permission required." });
+        return;
+    }
+    await assertCurrentSessionScope(authUser);
     res.writeHead(200, {
         "content-type": "text/event-stream; charset=utf-8",
         "cache-control": "no-cache, no-transform",
         connection: "keep-alive",
     });
     const send = (event) => {
-        res.write(`event: ${event.type}\n`);
-        res.write(`data: ${JSON.stringify(event)}\n\n`);
+        void scopeRelayEvent(authUser, event, canUseCurrentSession).then((scopedEvent) => {
+            if (!scopedEvent || res.destroyed || res.writableEnded) {
+                return;
+            }
+            res.write(`event: ${scopedEvent.type}\n`);
+            res.write(`data: ${JSON.stringify(scopedEvent)}\n\n`);
+        }).catch(() => { });
+    };
+    let currentScopeCache = null;
+    const canUseCurrentSession = async () => {
+        const now = Date.now();
+        if (currentScopeCache && currentScopeCache.expiresAt > now) {
+            return currentScopeCache.allowed;
+        }
+        const allowed = await canUseCurrentSessionScope(authUser);
+        currentScopeCache = { allowed, expiresAt: now + 1_000 };
+        return allowed;
     };
     const unsubscribe = runtime.subscribe(send);
     const heartbeat = setInterval(() => {
@@ -417,20 +241,60 @@ function handleEvents(req, res) {
 }
 async function handleLogin(req, res) {
     const body = await readJsonBody(req);
-    const token = optionalStringField(body, "token");
-    const user = optionalStringField(body, "user");
+    const email = optionalStringField(body, "email");
     const password = optionalStringField(body, "password");
-    if (token && isAuthorizedToken(token)) {
-        setAuthCookie(res, token);
-        sendJson(res, 200, { ok: true, mode: "token" });
+    const rateLimitKey = `${req.socket.remoteAddress ?? "unknown"}:${email ?? "-"}`;
+    const limited = consumeRateLimit(loginAttempts, rateLimitKey, 5, 15 * 60 * 1000, 15 * 60 * 1000);
+    if (limited.limited) {
+        audit({
+            action: "auth_login_failed",
+            status: "denied",
+            channelId: "web",
+            contextKey: "web",
+            description: `Rate limited login attempt for ${email ?? "unknown"}`,
+            detail: `${Math.ceil((limited.retryAfterMs ?? 0) / 1000)}s retry-after`,
+        });
+        sendJson(res, 429, { error: "Too many login attempts. Try again later.", retryAfterMs: limited.retryAfterMs });
         return;
     }
-    if (user && password && isAuthorizedBasic(user, password)) {
-        setBasicCookie(res, user, password);
-        sendJson(res, 200, { ok: true, mode: "basic" });
+    if (!users.hasAdminUser()) {
+        sendJson(res, 503, { error: "No admin user exists. Run nordrelay user create-admin first." });
         return;
     }
-    sendJson(res, 401, { error: "Invalid dashboard credentials" });
+    const authUser = email && password ? users.verifyPassword(email, password) : null;
+    if (!authUser) {
+        audit({
+            action: "auth_login_failed",
+            status: "failed",
+            channelId: "web",
+            contextKey: "web",
+            description: `Failed login for ${email ?? "unknown"}`,
+        });
+        sendJson(res, 401, { error: "Invalid credentials" });
+        return;
+    }
+    resetRateLimit(loginAttempts, rateLimitKey);
+    const session = users.createWebSession(authUser.user.id);
+    audit({
+        action: "auth_login",
+        status: "ok",
+        channelId: "web",
+        contextKey: "web",
+        actorId: authUser.user.id,
+        actorRole: authUser.groups.map((group) => group.name).join(", "),
+        description: `Login ${authUser.user.email}`,
+    });
+    setSessionCookie(res, session.token);
+    sendJson(res, 200, currentUserDto(authUser));
+}
+function handleLogout(req, res) {
+    const authUser = authenticateRequest(req);
+    users.destroyWebSession(parseCookies(req.headers.cookie ?? "").nr_session);
+    if (authUser) {
+        auditUserAction(authUser, "auth_logout", authUser.user.email);
+    }
+    clearSessionCookie(res);
+    sendJson(res, 200, { ok: true });
 }
 function parseOptions(argv) {
     let host = process.env.NORDRELAY_DASHBOARD_HOST || "127.0.0.1";
@@ -450,127 +314,177 @@ function parseOptions(argv) {
     }
     return { host, port, home };
 }
-function resolveDashboardAuth(host) {
-    const token = optionalEnv("NORDRELAY_DASHBOARD_TOKEN");
-    const user = optionalEnv("NORDRELAY_DASHBOARD_USER");
-    const password = optionalEnv("NORDRELAY_DASHBOARD_PASSWORD");
-    const publicBind = isPublicBindHost(host);
+function authenticateRequest(req) {
+    const cookies = parseCookies(req.headers.cookie ?? "");
+    return users.resolveWebSession(cookies.nr_session);
+}
+function setSessionCookie(res, token) {
+    res.setHeader("set-cookie", `nr_session=${encodeURIComponent(token)}; HttpOnly; SameSite=Strict; Path=/`);
+}
+function clearSessionCookie(res) {
+    res.setHeader("set-cookie", "nr_session=; HttpOnly; SameSite=Strict; Path=/; Max-Age=0");
+}
+function currentUserDto(authUser) {
     return {
-        required: publicBind || Boolean(token || (user && password)),
-        publicBind,
-        token,
-        user,
-        password,
+        user: publicUser(authUser.user),
+        groups: authUser.groups,
+        permissions: authUser.permissions,
     };
 }
-function isPublicBindHost(host) {
-    return host === "0.0.0.0" || host === "::" || host === "";
-}
-function isAuthorizedRequest(req) {
-    if (!auth.required) {
-        return true;
+function audit(event) {
+    try {
+        auditLog.append(event);
     }
-    const header = req.headers.authorization;
-    if (header?.startsWith("Bearer ") && isAuthorizedToken(header.slice("Bearer ".length).trim())) {
-        return true;
-    }
-    if (header?.startsWith("Basic ")) {
-        const decoded = Buffer.from(header.slice("Basic ".length), "base64").toString("utf8");
-        const [user, ...passwordParts] = decoded.split(":");
-        if (isAuthorizedBasic(user ?? "", passwordParts.join(":"))) {
-            return true;
-        }
+    catch (error) {
+        console.warn("Failed to write audit event:", error instanceof Error ? error.message : String(error));
     }
-    const cookies = parseCookies(req.headers.cookie ?? "");
-    if (cookies.nrdash && isAuthorizedToken(cookies.nrdash)) {
+}
+function auditUserAction(authUser, action, description) {
+    audit({
+        action,
+        status: "ok",
+        channelId: "web",
+        contextKey: "web",
+        actorId: authUser.user.id,
+        actorRole: authUser.groups.map((group) => group.name).join(", "),
+        description,
+    });
+}
+function scopedControlOptions(authUser, options) {
+    return {
+        ...options,
+        workspaces: options.workspaces.filter((workspace) => users.canUseWorkspace(authUser, workspace)),
+    };
+}
+function scopedSessionPage(authUser, page) {
+    return {
+        ...page,
+        sessions: page.sessions.filter((session) => canUseSession(authUser, session)),
+    };
+}
+async function scopedTasks(authUser, tasks) {
+    const currentAllowed = await canUseCurrentSessionScope(authUser);
+    return {
+        ...tasks,
+        current: tasks.current && canUseSession(authUser, tasks.current) ? tasks.current : null,
+        external: tasks.external && canUseSession(authUser, tasks.external) ? tasks.external : null,
+        queue: currentAllowed ? tasks.queue : [],
+        recent: filterActivityByScope(authUser, tasks.recent),
+    };
+}
+async function scopeRelayEvent(authUser, event, canUseCurrentSession = () => canUseCurrentSessionScope(authUser)) {
+    switch (event.type) {
+        case "snapshot":
+            return canUseSession(authUser, event.data.session) ? event : null;
+        case "session_update":
+            return canUseSession(authUser, event.session) ? event : null;
+        case "activity_update":
+            return { ...event, events: filterActivityByScope(authUser, event.events) };
+        case "agent_update":
+            return users.canUseAgent(authUser, event.job.agentId) ? event : null;
+        case "status":
+            return event;
+        case "chat_history":
+        case "queue_update":
+        case "turn_start":
+        case "text_delta":
+        case "tool_start":
+        case "tool_update":
+        case "tool_end":
+        case "todo_update":
+        case "turn_complete":
+        case "turn_error":
+            return await canUseCurrentSession() ? event : null;
+    }
+}
+function filterActivityByScope(authUser, events) {
+    return events.filter((event) => canUseSession(authUser, event));
+}
+async function canUseCurrentSessionScope(authUser) {
+    try {
+        await assertCurrentSessionScope(authUser);
         return true;
     }
-    if (cookies.nrdash_basic) {
-        const decoded = Buffer.from(cookies.nrdash_basic, "base64").toString("utf8");
-        const [user, ...passwordParts] = decoded.split(":");
-        if (isAuthorizedBasic(user ?? "", passwordParts.join(":"))) {
-            return true;
+    catch (error) {
+        if (error instanceof AccessDeniedError) {
+            return false;
         }
+        throw error;
     }
-    return false;
 }
-function isAuthorizedToken(token) {
-    return Boolean(auth.token && constantTimeEqual(token, auth.token));
+function canUseSession(authUser, session) {
+    const agentId = typeof session.agentId === "string" ? session.agentId : undefined;
+    const workspace = typeof session.workspace === "string"
+        ? session.workspace
+        : typeof session.cwd === "string"
+            ? session.cwd
+            : undefined;
+    return users.canUseAgent(authUser, agentId) && users.canUseWorkspace(authUser, workspace);
 }
-function isAuthorizedBasic(user, password) {
-    return Boolean(auth.user && auth.password && constantTimeEqual(user, auth.user) && constantTimeEqual(password, auth.password));
-}
-function constantTimeEqual(left, right) {
-    const leftBuffer = Buffer.from(left);
-    const rightBuffer = Buffer.from(right);
-    if (leftBuffer.length !== rightBuffer.length) {
-        return false;
+function assertAgentUpdateJobScope(authUser, id) {
+    const job = runtime.agentUpdateJobs().find((candidate) => candidate.id === id);
+    if (job) {
+        assertScopedAgent(authUser, job.agentId);
     }
-    return cryptoTimingSafeEqual(leftBuffer, rightBuffer);
 }
-function cryptoTimingSafeEqual(left, right) {
-    let diff = 0;
-    for (let index = 0; index < left.length; index += 1) {
-        diff |= left[index] ^ right[index];
+function assertSessionDetailScope(authUser, threadId, detail) {
+    const record = objectValue(detail.record);
+    if (record) {
+        assertSessionScope(authUser, record);
+        return;
     }
-    return diff === 0;
-}
-function setAuthCookie(res, token) {
-    res.setHeader("set-cookie", `nrdash=${encodeURIComponent(token)}; HttpOnly; SameSite=Strict; Path=/`);
-}
-function setBasicCookie(res, user, password) {
-    const value = Buffer.from(`${user}:${password}`).toString("base64");
-    res.setHeader("set-cookie", `nrdash_basic=${encodeURIComponent(value)}; HttpOnly; SameSite=Strict; Path=/`);
-}
-function parseCookies(cookieHeader) {
-    const cookies = {};
-    for (const part of cookieHeader.split(";")) {
-        const [key, ...valueParts] = part.trim().split("=");
-        if (key)
-            cookies[key] = decodeURIComponent(valueParts.join("=") ?? "");
+    const active = objectValue(detail.active);
+    if (active && active.threadId === threadId) {
+        assertSessionScope(authUser, active);
+        return;
     }
-    return cookies;
+    throw new AccessDeniedError("Access denied: session is outside your group scope.");
 }
-async function readJsonBody(req) {
-    const chunks = [];
-    for await (const chunk of req) {
-        chunks.push(Buffer.isBuffer(chunk) ? chunk : Buffer.from(chunk));
+function assertScopedAgent(authUser, agentId) {
+    if (!users.canUseAgent(authUser, agentId)) {
+        throw new AccessDeniedError(`Access denied: agent ${agentId} is outside your group scope.`);
     }
-    const text = Buffer.concat(chunks).toString("utf8").trim();
-    if (!text) {
-        return {};
+}
+function assertScopedWorkspace(authUser, workspace) {
+    if (!users.canUseWorkspace(authUser, workspace)) {
+        throw new AccessDeniedError(`Access denied: workspace ${workspace} is outside your group scope.`);
     }
-    return JSON.parse(text);
 }
-function sendJson(res, status, value) {
-    res.writeHead(status, JSON_HEADERS);
-    res.end(`${JSON.stringify(value)}\n`);
+function assertSessionScope(authUser, session) {
+    const agentId = typeof session.agentId === "string" ? session.agentId : undefined;
+    const workspace = typeof session.workspace === "string"
+        ? session.workspace
+        : typeof session.cwd === "string"
+            ? session.cwd
+            : undefined;
+    assertScopedAgent(authUser, agentId);
+    assertScopedWorkspace(authUser, workspace);
 }
-function sendText(res, status, text, contentType) {
-    res.writeHead(status, { "content-type": contentType, "cache-control": "no-store" });
-    res.end(text);
+async function assertCurrentSessionScope(authUser) {
+    const snapshot = await runtime.snapshot();
+    assertSessionScope(authUser, snapshot.session);
 }
-function sendFile(res, filePath, filename) {
-    res.writeHead(200, {
-        "content-type": "application/octet-stream",
-        "content-disposition": `attachment; filename="${filename.replace(/"/g, "")}"`,
-    });
-    createReadStream(filePath).pipe(res);
+function objectValue(value) {
+    return value && typeof value === "object" && !Array.isArray(value) ? value : null;
 }
-function stringField(value, key) {
-    const field = value[key];
-    if (typeof field !== "string" || !field.trim()) {
-        throw new Error(`${key} is required`);
+function consumeRateLimit(buckets, key, limit, windowMs, blockMs) {
+    const now = Date.now();
+    const existing = buckets.get(key);
+    if (existing?.blockedUntil && existing.blockedUntil > now) {
+        return { limited: true, retryAfterMs: existing.blockedUntil - now };
     }
-    return field.trim();
-}
-function optionalStringField(value, key) {
-    const field = value[key];
-    return typeof field === "string" && field.trim() ? field.trim() : undefined;
+    const bucket = !existing || existing.resetAt <= now ? { count: 0, resetAt: now + windowMs } : existing;
+    bucket.count += 1;
+    if (bucket.count > limit) {
+        bucket.blockedUntil = now + blockMs;
+        buckets.set(key, bucket);
+        return { limited: true, retryAfterMs: blockMs };
+    }
+    buckets.set(key, bucket);
+    return { limited: false };
 }
-function optionalBooleanField(value, key) {
-    const field = value[key];
-    return typeof field === "boolean" ? field : undefined;
+function resetRateLimit(buckets, key) {
+    buckets.delete(key);
 }
 function parseAgentId(value) {
     if (!value) {
@@ -584,61 +498,13 @@ function parseAgentIdRequired(value) {
     }
     return value;
 }
-function parseLogTarget(value) {
-    return value === "update" || value === "agent-updates" ? value : "connector";
-}
-function objectRecord(value) {
-    if (!value || typeof value !== "object" || Array.isArray(value)) {
-        return {};
-    }
-    return value;
-}
-function parseUploadFiles(value) {
-    if (!Array.isArray(value)) {
-        return [];
-    }
-    return value.map((item, index) => {
-        if (!item || typeof item !== "object" || Array.isArray(item)) {
-            throw new Error(`files[${index}] must be an object`);
-        }
-        const record = item;
-        const name = typeof record.name === "string" && record.name.trim() ? record.name.trim() : `upload-${index + 1}`;
-        const mimeType = typeof record.mimeType === "string" ? record.mimeType.trim() : undefined;
-        const dataBase64 = typeof record.dataBase64 === "string" ? record.dataBase64 : "";
-        if (!dataBase64) {
-            throw new Error(`files[${index}].dataBase64 is required`);
-        }
-        return { name, mimeType, data: Buffer.from(stripDataUrlPrefix(dataBase64), "base64") };
-    });
-}
-function stripDataUrlPrefix(value) {
-    const comma = value.indexOf(",");
-    return value.startsWith("data:") && comma !== -1 ? value.slice(comma + 1) : value;
-}
-function numberParam(url, key, fallback) {
-    const value = Number(url.searchParams.get(key));
-    return Number.isFinite(value) && value > 0 ? Math.floor(value) : fallback;
-}
-function requiredSearch(url, key) {
-    const value = url.searchParams.get(key);
-    if (!value) {
-        throw new Error(`${key} is required`);
-    }
-    return value;
-}
 function optionalEnv(key) {
     const value = process.env[key]?.trim();
     return value || undefined;
 }
 function activeSettingsValues(current) {
     return {
-        TELEGRAM_ALLOW_ANY_CHAT: boolValue(current.telegramAllowAnyChat),
         TELEGRAM_BOT_TOKEN: current.telegramBotToken,
-        TELEGRAM_ADMIN_USER_IDS: current.telegramAdminUserIds.join(","),
-        TELEGRAM_ALLOWED_USER_IDS: current.telegramAllowedUserIds.join(","),
-        TELEGRAM_READONLY_USER_IDS: current.telegramReadOnlyUserIds.join(","),
-        TELEGRAM_ALLOWED_CHAT_IDS: current.telegramAllowedChatIds.join(","),
-        TELEGRAM_ROLE_POLICIES_JSON: optionalEnv("TELEGRAM_ROLE_POLICIES_JSON"),
         TELEGRAM_TRANSPORT: current.telegramTransport,
         TELEGRAM_WEBHOOK_URL: current.telegramWebhookUrl,
         TELEGRAM_WEBHOOK_HOST: current.telegramWebhookHost,
@@ -745,246 +611,3 @@ function shutdown() {
     runtime.dispose();
     server.close(() => process.exit(0));
 }
-function renderLoginPage(currentAuth) {
-    return `<!doctype html>
-<html lang="en">
-<head>
-  <meta charset="utf-8">
-  <meta name="viewport" content="width=device-width, initial-scale=1">
-  <title>NordRelay Login</title>
-  <style>
-    body{margin:0;min-height:100vh;display:grid;place-items:center;background:#f4f5f2;color:#181c19;font-family:Inter,system-ui,-apple-system,Segoe UI,sans-serif}
-    form{width:min(420px,calc(100vw - 32px));background:white;border:1px solid #dfe3dc;border-radius:8px;padding:24px;box-shadow:0 20px 60px rgba(20,30,24,.08)}
-    h1{font-size:24px;margin:0 0 8px}
-    p{color:#5d665d;margin:0 0 18px}
-    label{display:block;font-size:13px;color:#4b544d;margin:14px 0 6px}
-    input{box-sizing:border-box;width:100%;height:40px;border:1px solid #cfd6ce;border-radius:6px;padding:0 10px;font:inherit}
-    button{margin-top:18px;width:100%;height:42px;border:0;border-radius:6px;background:#205c43;color:white;font-weight:650;cursor:pointer}
-    .error{color:#9b1c1c;min-height:22px;margin-top:12px}
-  </style>
-</head>
-<body>
-  <form id="login">
-    <h1>NordRelay Dashboard</h1>
-    <p>${currentAuth.publicBind ? "Remote dashboard access requires authentication." : "Authentication required."}</p>
-    ${currentAuth.token ? '<label>Token</label><input id="token" name="token" type="password" autocomplete="current-password">' : ""}
-    ${currentAuth.user ? '<label>User</label><input id="user" name="user" autocomplete="username"><label>Password</label><input id="password" name="password" type="password" autocomplete="current-password">' : ""}
-    <button>Sign in</button>
-    <div class="error" id="error"></div>
-  </form>
-  <script>
-    document.getElementById('login').addEventListener('submit', async (event) => {
-      event.preventDefault();
-      const payload = {
-        token: document.getElementById('token')?.value || undefined,
-        user: document.getElementById('user')?.value || undefined,
-        password: document.getElementById('password')?.value || undefined,
-      };
-      const res = await fetch('/api/auth', { method:'POST', headers:{'content-type':'application/json'}, body: JSON.stringify(payload) });
-      if (!res.ok) {
-        document.getElementById('error').textContent = 'Invalid credentials';
-        return;
-      }
-      if (payload.token) localStorage.setItem('nordrelayDashboardToken', payload.token);
-      location.href = '/';
-    });
-  </script>
-</body>
-</html>`;
-}
-function renderDashboardApp(options) {
-    return `<!doctype html>
-<html lang="en">
-<head>
-  <meta charset="utf-8">
-  <meta name="viewport" content="width=device-width, initial-scale=1">
-  <title>NordRelay Dashboard</title>
-  <script>document.documentElement.dataset.theme = localStorage.getItem('nordrelayTheme') || 'light';</script>
-  <link rel="stylesheet" href="/assets/dashboard.css">
-</head>
-<body>
-  <div class="app">
-    <aside class="sidebar" id="sidebar">
-      <div class="brand"><span class="mark">NR</span><div><strong>NordRelay</strong><small>Remote control</small></div></div>
-      <nav>
-        ${renderDashboardNav()}
-      </nav>
-    </aside>
-    <main>
-      <header>
-        <button class="menu" id="menuBtn">Menu</button>
-        <div>
-          <h1 id="pageTitle">Overview</h1>
-          <p id="sessionLine">Loading session...</p>
-        </div>
-        <div class="header-actions">
-          <span id="connectionStatus" class="badge">Connecting</span>
-          <select id="agentSelect"></select>
-          <button id="themeBtn" class="secondary" title="Toggle dark theme">Dark</button>
-          <button id="refreshBtn">Refresh</button>
-        </div>
-      </header>
-
-      <section class="page active" id="page-overview">
-        <div class="metrics" id="metrics"></div>
-        <div class="stack">
-          <div class="panel"><h2>Current Session</h2><pre id="sessionText"></pre></div>
-          <div class="overview-adapter-grid">
-            <div class="panel"><h2>Agent Adapters</h2><div id="agentAdapters"></div></div>
-            <div class="panel"><h2>Chat Adapters</h2><div id="chatAdapters"></div></div>
-          </div>
-        </div>
-      </section>
-
-      <section class="page" id="page-chat">
-        <div class="chat-layout">
-          <div class="panel chat-panel">
-            <div class="chat-toolbar">
-              <button id="newSessionBtn">New session</button>
-              <button id="retryBtn" class="secondary">Retry</button>
-              <button id="editLastBtn" class="secondary">Edit last</button>
-              <button id="syncBtn" class="secondary">Sync</button>
-              <button id="notifyBtn" class="secondary">Notify</button>
-              <button id="clearChatBtn" class="secondary">Clear history</button>
-              <button id="abortBtn">Abort</button>
-              <button id="handbackBtn">Handback</button>
-            </div>
-            <div class="control-grid" id="sessionControls"></div>
-            <div id="messages" class="messages"></div>
-            <form id="promptForm" class="composer">
-              <div class="composer-fields">
-                <textarea id="promptInput" placeholder="Send a message to the active coding agent..." rows="3"></textarea>
-                <div class="attachment-row">
-                  <label class="file-button" for="fileInput">Attach files</label>
-                  <input id="fileInput" type="file" multiple>
-                  <button type="button" id="recordBtn" class="secondary">Record voice</button>
-                  <span id="fileSummary">No files selected</span>
-                  <button type="button" id="clearFilesBtn" class="secondary">Clear</button>
-                </div>
-              </div>
-              <button>Send</button>
-            </form>
-          </div>
-          <div class="panel side-panel"><h2>Tools / Plan</h2><div id="toolStream" class="tool-stream"></div></div>
-        </div>
-      </section>
-
-      <section class="page" id="page-tasks">
-        <div class="panel">
-          <div class="row"><button id="reloadTasksBtn">Reload tasks</button></div>
-          <div id="tasksList" class="list"></div>
-        </div>
-      </section>
-
-      <section class="page" id="page-sessions">
-        <div class="panel">
-          <div class="sessions-toolbar">
-            <div class="row search-row"><input id="sessionSearch" placeholder="Search sessions"><button id="sessionSearchBtn">Search</button></div>
-            <div class="row attach-row"><input id="attachInput" placeholder="Thread ID to attach/switch"><button id="attachBtn">Attach</button></div>
-          </div>
-          <div id="sessionsList" class="list"></div>
-          <div id="sessionsPager" class="pager"></div>
-        </div>
-      </section>
-
-      <section class="page" id="page-queue">
-        <div class="panel">
-          <div class="row"><button data-queue="pause">Pause</button><button data-queue="resume">Resume</button><button data-queue="clear" class="danger">Clear</button><span id="queueStatus"></span></div>
-          <div id="queueList" class="list"></div>
-        </div>
-      </section>
-
-      <section class="page" id="page-activity">
-        <div class="panel">
-          <div class="row"><select id="activitySource"><option value="all">All sources</option><option value="web">Web</option><option value="cli">CLI</option></select><select id="activityStatus"><option value="all">All statuses</option><option value="queued">Queued</option><option value="running">Running</option><option value="completed">Completed</option><option value="failed">Failed</option><option value="aborted">Aborted</option><option value="info">Info</option></select><input id="activitySince" type="datetime-local"><input id="activityLimit" type="number" value="100" min="1" max="500"><button id="loadActivityBtn">Load activity</button><button id="exportActivityBtn" class="secondary">Export</button></div>
-          <div id="activityList" class="list"></div>
-        </div>
-      </section>
-
-      <section class="page" id="page-artifacts">
-        <div class="panel">
-          <div class="row"><button id="reloadArtifactsBtn">Reload artifacts</button><input id="artifactSearch" placeholder="Search artifacts"><select id="artifactKind"><option value="all">All files</option><option value="images">Images</option><option value="docs">Docs/code</option></select><button id="zipSelectedArtifactsBtn" class="secondary">ZIP selected</button><button id="deleteSelectedArtifactsBtn" class="danger">Delete selected</button></div>
-          <div id="artifactPreview" class="preview"></div>
-          <div id="artifactList" class="list"></div>
-        </div>
-      </section>
-
-      <section class="page" id="page-adapters">
-        <div class="panel">
-          <div class="row"><button id="reloadAdaptersBtn">Reload adapters</button></div>
-          <div id="adapterHealth" class="list"></div>
-        </div>
-      </section>
-
-      <section class="page" id="page-access">
-        <div class="panel">
-          <div class="row"><button id="loadAccessBtn">Reload access</button><button id="saveAccessBtn">Save access settings</button><button id="lockSessionBtn" class="secondary">Lock web session</button><button id="unlockSessionBtn" class="secondary">Unlock web session</button></div>
-          <div id="accessPanel" class="settings-grid"></div>
-          <h2>Locks</h2>
-          <div id="locksList" class="list"></div>
-          <h2>Audit</h2>
-          <div class="row"><input id="auditLimit" type="number" value="50" min="1" max="200"><button id="loadAuditBtn">Load audit</button></div>
-          <div id="auditList" class="list"></div>
-        </div>
-      </section>
-
-      <section class="page" id="page-version">
-        <div class="panel">
-          <div class="row version-actions"><button id="loadVersionBtn">Check versions</button><button id="updateBtn" class="secondary">Update NordRelay</button></div>
-          <div id="versionPanel" class="list"></div>
-          <h2 class="version-update-title">Agent update jobs</h2>
-          <div id="agentUpdateJobs" class="list"></div>
-        </div>
-      </section>
-
-      <section class="page" id="page-settings">
-        <div class="panel">
-          <div class="row"><button id="saveSettingsBtn">Save settings</button><button id="restartBtn" class="secondary">Restart NordRelay</button><span id="settingsStatus"></span></div>
-          <div id="settingsTabs" class="tabs"></div>
-          <div id="settingsForm" class="settings-grid"></div>
-        </div>
-      </section>
-
-      <section class="page" id="page-logs">
-        <div class="panel">
-          <div class="row"><select id="logTarget"><option value="connector">Connector</option><option value="update">NordRelay Update</option><option value="agent-updates">Agent Updates</option></select><select id="logLevel"><option value="all">All levels</option><option value="ERROR">Error</option><option value="WARN">Warn</option><option value="INFO">Info</option></select><input id="logSearch" placeholder="Search logs"><input id="logSince" type="datetime-local" title="Show entries after this time"><input id="logLines" type="number" value="120" min="1" max="300"><label class="checkbox"><input id="logAutoRefresh" type="checkbox"> Auto</label><label class="checkbox"><input id="logFollow" type="checkbox"> Follow</label><button id="loadLogsBtn">Load logs</button><button id="downloadLogsBtn" class="secondary">Download</button><button id="clearLogsBtn" class="danger">Clear</button></div>
-          <pre id="logs" class="log-view"></pre>
-        </div>
-      </section>
-
-      <section class="page" id="page-diagnostics">
-        <div class="panel"><div id="diagnostics" class="list"></div></div>
-      </section>
-
-      <footer>
-        <span id="footerVersion">NordRelay</span>
-        <span id="footerHealth">Health: loading</span>
-        <span>Dashboard bind: ${escapeHTML(options.authRequired ? "authenticated" : "local")}</span>
-      </footer>
-    </main>
-  </div>
-  <dialog id="newSessionDialog">
-    <form method="dialog" id="newSessionForm">
-      <h2>New Session</h2>
-      <div class="form-grid">
-        <label>Agent<select id="newAgent"></select></label>
-        <label>Workspace<input id="newWorkspace" list="workspaceOptions" placeholder="Current workspace"></label>
-        <label>Model<select id="newModel"></select></label>
-        <label id="newReasoningWrap">Reasoning<select id="newReasoning"></select></label>
-        <label id="newLaunchWrap">Launch profile<select id="newLaunch"></select></label>
-        <label id="newFastWrap" class="checkbox"><input id="newFast" type="checkbox"> Fast mode</label>
-      </div>
-      <datalist id="workspaceOptions"></datalist>
-      <div class="row dialog-actions"><button type="button" id="cancelSessionBtn" class="secondary">Cancel</button><button id="createSessionBtn" value="default">Create session</button></div>
-    </form>
-  </dialog>
-  <dialog id="sessionDetailDialog">
-    <div id="sessionDetail"></div>
-    <div class="row dialog-actions"><button id="closeSessionDetailBtn" class="secondary">Close</button></div>
-  </dialog>
-  <div id="toolTooltip" class="tool-tooltip"></div>
-  <div id="toast"></div>
-  <script src="/assets/dashboard.js"></script>
-</body>
-</html>`;
-}