npm - @openparachute/hub - Versions diffs - 0.5.14-rc.8 → 0.6.0 - Mend

@openparachute/hub 0.5.14-rc.8 → 0.6.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (87) hide show

package/README.md +109 -15
package/package.json +7 -3
package/src/__tests__/account-home-ui.test.ts +251 -15
package/src/__tests__/account-vault-token.test.ts +355 -0
package/src/__tests__/admin-vaults.test.ts +70 -4
package/src/__tests__/api-mint-token.test.ts +693 -5
package/src/__tests__/api-modules-ops.test.ts +45 -0
package/src/__tests__/api-revoke-token.test.ts +384 -0
package/src/__tests__/api-users.test.ts +7 -2
package/src/__tests__/auth.test.ts +157 -30
package/src/__tests__/cli.test.ts +44 -5
package/src/__tests__/expose-2fa-warning.test.ts +31 -17
package/src/__tests__/expose-auth-preflight.test.ts +71 -72
package/src/__tests__/expose-cloudflare.test.ts +482 -14
package/src/__tests__/expose.test.ts +52 -2
package/src/__tests__/hub-server.test.ts +97 -0
package/src/__tests__/hub.test.ts +85 -6
package/src/__tests__/init.test.ts +102 -1
package/src/__tests__/lifecycle.test.ts +464 -2
package/src/__tests__/oauth-handlers.test.ts +1252 -83
package/src/__tests__/oauth-ui.test.ts +12 -1
package/src/__tests__/operator-token-issuer-self-heal.test.ts +412 -0
package/src/__tests__/resource-binding.test.ts +97 -0
package/src/__tests__/scope-explanations.test.ts +77 -12
package/src/__tests__/services-manifest.test.ts +122 -4
package/src/__tests__/setup-wizard.test.ts +335 -15
package/src/__tests__/status.test.ts +36 -0
package/src/__tests__/two-factor-flow.test.ts +602 -0
package/src/__tests__/two-factor.test.ts +183 -0
package/src/__tests__/upgrade.test.ts +78 -1
package/src/__tests__/users.test.ts +68 -0
package/src/__tests__/vault-auth-status.test.ts +47 -6
package/src/__tests__/vault-hub-origin-env.test.ts +263 -0
package/src/account-home-ui.ts +488 -38
package/src/account-vault-token.ts +282 -0
package/src/admin-handlers.ts +159 -4
package/src/admin-login-ui.ts +49 -5
package/src/admin-vaults.ts +48 -15
package/src/api-account.ts +14 -0
package/src/api-mint-token.ts +132 -24
package/src/api-modules-ops.ts +49 -11
package/src/api-revoke-token.ts +107 -21
package/src/api-users.ts +29 -3
package/src/cli.ts +26 -21
package/src/clients.ts +18 -6
package/src/cloudflare/config.ts +10 -4
package/src/cloudflare/detect.ts +39 -44
package/src/commands/auth.ts +165 -24
package/src/commands/expose-2fa-warning.ts +34 -32
package/src/commands/expose-auth-preflight.ts +89 -78
package/src/commands/expose-cloudflare.ts +370 -12
package/src/commands/expose.ts +8 -0
package/src/commands/init.ts +33 -2
package/src/commands/lifecycle.ts +386 -17
package/src/commands/status.ts +22 -0
package/src/commands/upgrade.ts +55 -11
package/src/commands/wizard.ts +8 -4
package/src/env-file.ts +10 -0
package/src/help.ts +3 -1
package/src/hub-db.ts +39 -1
package/src/hub-server.ts +52 -0
package/src/hub.ts +82 -14
package/src/oauth-handlers.ts +298 -21
package/src/oauth-ui.ts +10 -0
package/src/operator-token.ts +151 -0
package/src/pending-login.ts +116 -0
package/src/rate-limit.ts +51 -0
package/src/resource-binding.ts +134 -0
package/src/scope-attenuation.ts +85 -0
package/src/scope-explanations.ts +131 -14
package/src/services-manifest.ts +112 -0
package/src/setup-wizard.ts +77 -7
package/src/tailscale/run.ts +28 -11
package/src/totp.ts +201 -0
package/src/two-factor-handlers.ts +287 -0
package/src/two-factor-store.ts +181 -0
package/src/two-factor-ui.ts +462 -0
package/src/users.ts +58 -0
package/src/vault/auth-status.ts +71 -19
package/src/vault-hub-origin-env.ts +163 -0
package/web/ui/dist/assets/index-BiBlvEaj.css +1 -0
package/web/ui/dist/assets/index-CIN3mnmf.js +61 -0
package/web/ui/dist/index.html +2 -2
package/src/__tests__/vault-tokens-create-interactive.test.ts +0 -183
package/src/commands/vault-tokens-create-interactive.ts +0 -143
package/web/ui/dist/assets/index-7DtAXz7y.css +0 -1
package/web/ui/dist/assets/index-tRmPbbC7.js +0 -61

package/src/vault-hub-origin-env.ts ADDED Viewed

@@ -0,0 +1,163 @@
+/**
+ * Persist the resolved hub PUBLIC origin into `<configDir>/vault/.env` so the
+ * launchd / systemd daemon validates hub-minted JWTs against it.
+ *
+ * The OAuth issuer-mismatch P0 (this module's reason to exist): hub stamps the
+ * public origin (e.g. `https://parachute-x.ts.net`) on every JWT it mints.
+ * Vault, as the resource server, validates the `iss` claim against
+ * `getHubOrigin()` (`parachute-vault/src/hub-jwt.ts`), which reads ONLY
+ * `PARACHUTE_HUB_ORIGIN` from its process env and falls back to loopback
+ * `http://127.0.0.1:1939` when unset.
+ *
+ * `parachute start|restart vault` injects `PARACHUTE_HUB_ORIGIN` into the
+ * *spawn* env (see `commands/lifecycle.ts`). But the real-world boot path on an
+ * owner-operated box is the autostart daemon: `parachute-vault init` registers
+ * a launchd agent (macOS) / systemd unit (Linux) with `KeepAlive`/`Restart`,
+ * and that daemon boots vault out-of-band via `~/.parachute/vault/start.sh`.
+ * The wrapper sources `~/.parachute/vault/.env` and never reads expose-state,
+ * and the launchd plist carries no `EnvironmentVariables`. So on every reboot
+ * or crash-restart, launchd starts vault with NO `PARACHUTE_HUB_ORIGIN`, vault
+ * falls back to loopback, and every token stamped with the public FQDN fails
+ * the `iss` check → `HubJwtError('issuer')` → 401 on every OAuth/MCP reconnect.
+ * Bricks team onboarding on any exposed deploy.
+ *
+ * The durable fix: write `PARACHUTE_HUB_ORIGIN` into `vault/.env` so the daemon
+ * boot path picks it up too. Mirrors `auto-wire.ts`'s vault-.env writes
+ * (SCRIBE_AUTH_TOKEN / SCRIBE_URL) — hub owns these keys, vault's boot wrapper
+ * reads them.
+ */
+import { join } from "node:path";
+import { parseEnvFile, removeEnvLine, upsertEnvLine, writeEnvFile } from "./env-file.ts";
+import { EXPOSE_STATE_PATH, readExposeState } from "./expose-state.ts";
+import { HUB_ORIGIN_ENV } from "./hub-origin.ts";
+/**
+ * Loopback origins (`http://127.0.0.1:<port>`, `localhost`, `[::1]`) are the
+ * local-dev fallback `deriveHubOrigin` returns when no exposure is active. We
+ * never *persist* one — baking a loopback value into `.env` would SHADOW a
+ * later exposure on the daemon boot path (which has no other source of truth),
+ * recreating the exact `iss` mismatch this fix prevents. Worse than absent.
+ */
+export function isLoopbackOrigin(origin: string): boolean {
+  try {
+    // URL.hostname keeps IPv6 in bracket form (`[::1]`); strip them so the
+    // comparison is on the bare address.
+    const hostname = new URL(origin).hostname.replace(/^\[|\]$/g, "");
+    // `0.0.0.0` is a bind-all wildcard, not a reachable origin — `deriveHubOrigin`
+    // never emits it, but `--hub-origin http://0.0.0.0:1939` flows straight
+    // through `persistVaultHubOrigin`. Baking it into vault/.env would advertise
+    // a non-functional issuer and recreate the iss-mismatch class this guard
+    // exists to prevent. Refuse it like any other loopback.
+    return (
+      hostname === "127.0.0.1" ||
+      hostname === "localhost" ||
+      hostname === "::1" ||
+      hostname === "0.0.0.0"
+    );
+  } catch {
+    return false;
+  }
+}
+function vaultEnvPath(configDir: string): string {
+  return join(configDir, "vault", ".env");
+}
+/**
+ * Upsert `PARACHUTE_HUB_ORIGIN=<origin>` into `vault/.env` when `origin` is a
+ * non-loopback public origin. Idempotent — skips the write (and the log) when
+ * the value is already current so repeated `start`s don't churn the file.
+ * Returns true iff the file was written this call.
+ */
+export function persistVaultHubOrigin(
+  configDir: string,
+  origin: string,
+  log: (line: string) => void,
+): boolean {
+  if (isLoopbackOrigin(origin)) return false;
+  const path = vaultEnvPath(configDir);
+  const parsed = parseEnvFile(path);
+  if (parsed.values[HUB_ORIGIN_ENV] === origin) return false;
+  writeEnvFile(path, upsertEnvLine(parsed.lines, HUB_ORIGIN_ENV, origin));
+  log(`  persisted ${HUB_ORIGIN_ENV}=${origin} to ${path} (survives daemon restart)`);
+  return true;
+}
+/**
+ * Drop a previously-persisted `PARACHUTE_HUB_ORIGIN` from `vault/.env`. Called
+ * on `expose … off`: once exposure is torn down, a local-only hub mints tokens
+ * with a loopback `iss`, so a stale public origin left in `.env` would itself
+ * cause the mismatch. Removing the line reverts vault to its loopback default
+ * (`getHubOrigin`), which matches what the local hub now stamps. No-op (returns
+ * false) when the key isn't present. Returns true iff the file was rewritten.
+ */
+export function clearVaultHubOrigin(configDir: string, log: (line: string) => void): boolean {
+  const path = vaultEnvPath(configDir);
+  const parsed = parseEnvFile(path);
+  if (parsed.values[HUB_ORIGIN_ENV] === undefined) return false;
+  writeEnvFile(path, removeEnvLine(parsed.lines, HUB_ORIGIN_ENV));
+  log(`  cleared ${HUB_ORIGIN_ENV} from ${path} (exposure torn down)`);
+  return true;
+}
+/**
+ * The public origin a live exposure advertises, or undefined when no exposure
+ * is active. Both the Tailscale and Cloudflare expose paths populate
+ * `expose-state.json` with a `hubOrigin` (the URL stamped into OAuth tokens'
+ * `iss` claim); older state files predating Phase 0 may carry only
+ * `canonicalFqdn`, so we synthesize `https://<fqdn>` as a fallback. Loopback /
+ * empty values resolve to undefined — there's no public origin to persist.
+ */
+export function publicOriginFromExposeState(
+  exposeStatePath: string = EXPOSE_STATE_PATH,
+): string | undefined {
+  let state: ReturnType<typeof readExposeState>;
+  try {
+    state = readExposeState(exposeStatePath);
+  } catch {
+    // A malformed expose-state must never block a vault start — treat it as
+    // "no exposure" and let the loopback default stand.
+    return undefined;
+  }
+  if (!state) return undefined;
+  const origin = state.hubOrigin ?? (state.canonicalFqdn ? `https://${state.canonicalFqdn}` : "");
+  if (!origin || isLoopbackOrigin(origin)) return undefined;
+  return origin.replace(/\/+$/, "");
+}
+/**
+ * Self-heal vault's persisted `PARACHUTE_HUB_ORIGIN` from `expose-state.json`.
+ *
+ * The bug this closes (the Cloudflare 401 P0): on a Cloudflare-tunnel deploy the
+ * expose path writes a public `hubOrigin` into `expose-state.json`, but — unlike
+ * the Tailscale path, which auto-restarts vault and so flows the public origin
+ * into `vault/.env` via `persistVaultHubOrigin` — it never wrote vault's `.env`.
+ * So the launchd / systemd daemon kept booting vault with NO `PARACHUTE_HUB_ORIGIN`,
+ * vault fell back to loopback as its expected issuer, and every hub-minted token
+ * (whose `iss` is the public origin) failed the `iss` check → 401 on every vault
+ * request → "You're not signed in to the hub."
+ *
+ * Called on `parachute start|restart vault`: when expose-state advertises a
+ * public origin AND vault's persisted value is unset or loopback, write the
+ * public origin. Existing broken deploys self-correct on the next restart, not
+ * just fresh ones. We deliberately do NOT overwrite a *different* non-loopback
+ * value already in `.env` — that could be a deliberate `--hub-origin` override;
+ * `persistVaultHubOrigin` (the explicit, resolved-origin path) owns that case.
+ *
+ * Returns true iff `.env` was written this call.
+ */
+export function selfHealVaultHubOrigin(
+  configDir: string,
+  log: (line: string) => void,
+  exposeStatePath: string = EXPOSE_STATE_PATH,
+): boolean {
+  const publicOrigin = publicOriginFromExposeState(exposeStatePath);
+  if (!publicOrigin) return false;
+  const current = parseEnvFile(vaultEnvPath(configDir)).values[HUB_ORIGIN_ENV];
+  // Only heal the broken shapes: unset (daemon falls back to loopback) or an
+  // already-persisted loopback (a value that itself causes the iss mismatch).
+  // A current public value — including one equal to publicOrigin — is left to
+  // persistVaultHubOrigin's idempotent path so we don't double-log.
+  if (current !== undefined && !isLoopbackOrigin(current)) return false;
+  return persistVaultHubOrigin(configDir, publicOrigin, log);
+}

package/web/ui/dist/assets/index-BiBlvEaj.css ADDED Viewed

@@ -0,0 +1 @@

+ :root{--bg: #faf8f4;--bg-soft: #f3f0ea;--fg: #2c2a26;--fg-muted: #6b6860;--fg-dim: #9a9690;--accent: #4a7c59;--accent-soft: rgba(74, 124, 89, .08);--accent-hover: #3d6849;--border: #e4e0d8;--border-light: #ece9e2;--card-bg: #ffffff;--error: #a3392b;--error-soft: rgba(163, 57, 43, .08);--warn: #b08023;--warn-soft: rgba(176, 128, 35, .08);--success: #3d6849;--success-soft: rgba(61, 104, 73, .08);--font-serif: Georgia, "Times New Roman", serif;--font-sans: -apple-system, BlinkMacSystemFont, "Segoe UI", system-ui, sans-serif;--font-mono: ui-monospace, "SF Mono", Menlo, Monaco, "Cascadia Mono", monospace;font-family:var(--font-sans)}*{box-sizing:border-box}html,body{margin:0;padding:0;background:var(--bg);color:var(--fg)}a{color:var(--accent);text-decoration:none}a:hover{text-decoration:underline}button{font:inherit;background:var(--accent);color:#fff;border:0;border-radius:6px;padding:.55rem 1.1rem;cursor:pointer;transition:background .15s ease}button:hover{background:var(--accent-hover)}button:disabled{opacity:.5;cursor:not-allowed}button.secondary{background:#fff;color:var(--fg);border:1px solid var(--border)}button.secondary:hover{background:var(--bg-soft)}input,select,textarea{font:inherit;background:#fff;border:1px solid var(--border);border-radius:6px;padding:.55rem .75rem;color:var(--fg)}input:focus,select:focus,textarea:focus{outline:none;border-color:var(--accent)}code{font-family:var(--font-mono);font-size:.85em;background:var(--bg-soft);padding:.1em .3em;border-radius:3px}.page{max-width:880px;margin:0 auto;padding:1.5rem 1.5rem 6rem}.nav{display:flex;flex-wrap:wrap;gap:.6rem 1rem;align-items:center;padding-bottom:1rem;border-bottom:1px solid var(--border);margin-bottom:2rem}.nav .brand{font-weight:600;font-family:var(--font-serif);font-size:1.15rem;margin-right:auto;display:inline-flex;align-items:center;gap:.45rem;color:var(--accent);text-decoration:none}.nav .brand:hover{color:var(--accent-hover);text-decoration:none}.nav .brand-mark-icon{flex-shrink:0;line-height:0}.nav .brand-wordmark{color:var(--fg);letter-spacing:-.005em}.nav .brand .sub{color:var(--fg-dim);font-size:.78rem;font-weight:400;margin-left:.4rem;font-family:var(--font-sans)}.nav a{color:var(--fg-muted);font-size:.95rem}.nav a:hover{text-decoration:none;color:var(--fg)}.nav a.nav-link-active{color:var(--accent);font-weight:500;text-decoration:underline;text-underline-offset:.3em;text-decoration-thickness:2px}.nav .nav-divider{display:inline-block;width:1px;height:1.1em;background:var(--border);align-self:center}.nav .nav-dropdown{position:relative}.nav .nav-dropdown-summary{list-style:none;cursor:pointer;color:var(--fg-muted);font-size:.95rem;-webkit-user-select:none;user-select:none}.nav .nav-dropdown-summary::-webkit-details-marker{display:none}.nav .nav-dropdown-summary:hover{color:var(--fg)}.nav .nav-dropdown[open]>.nav-dropdown-summary{color:var(--fg)}.nav .nav-dropdown-summary:after{content:" ▾";font-size:.7em;color:var(--fg-dim)}.nav .nav-dropdown-panel{position:absolute;top:calc(100% + .4rem);left:0;z-index:10;min-width:12rem;background:var(--card-bg);border:1px solid var(--border);border-radius:8px;box-shadow:0 4px 12px #00000014;padding:.4rem 0;display:flex;flex-direction:column}.nav .nav-dropdown-item{padding:.4rem .85rem;color:var(--fg);font-size:.9rem;text-decoration:none}.nav .nav-dropdown-item:hover{background:var(--bg-soft);color:var(--fg);text-decoration:none}.nav .nav-dropdown-item-disabled{color:var(--fg-dim);cursor:not-allowed}.nav .nav-dropdown-item-disabled:hover{background:transparent;color:var(--fg-dim)}.nav .auth-spa{font-size:.85rem;color:var(--fg-muted)}.nav .auth-spa strong{font-weight:600;color:var(--fg)}.nav .auth-spa-signout{background:none;border:none;padding:0;color:var(--accent);font:inherit;cursor:pointer;text-decoration:underline;text-decoration-thickness:1px;text-underline-offset:2px}.nav .auth-spa-signout:hover:not(:disabled){color:var(--accent-hover)}.nav .auth-spa-signout:disabled{color:var(--fg-dim);cursor:not-allowed}h1{margin:0 0 .5rem;font-family:var(--font-serif);font-size:1.85rem;font-weight:400;letter-spacing:-.01em;line-height:1.2;color:var(--fg)}h2{margin:0 0 1rem;font-size:1.4rem;font-weight:500}.muted{color:var(--fg-muted);font-size:.92rem}.dim{color:var(--fg-dim);font-size:.85rem}.error-banner{background:var(--error-soft);border:1px solid var(--error);color:var(--error);padding:.75rem 1rem;border-radius:8px;margin-bottom:1rem;font-size:.9rem}.warn-banner{background:var(--warn-soft);border:1px solid var(--warn);color:var(--warn);padding:.75rem 1rem;border-radius:8px;margin-bottom:1rem;font-size:.9rem}.empty{padding:3rem 1.5rem;text-align:center;color:var(--fg-muted);background:var(--bg-soft);border-radius:10px}@keyframes pc-loading-pulse{0%,to{opacity:.55}50%{opacity:1}}[data-loading=true]{animation:pc-loading-pulse 1.4s ease-in-out infinite}.user-table tbody tr,.tokens-table tbody tr{transition:background-color .12s ease}.user-table tbody tr:hover,.tokens-table tbody tr:hover{background:var(--bg-soft)}@keyframes pc-route-fade-up{0%{opacity:0;transform:translateY(6px)}to{opacity:1;transform:translateY(0)}}[data-route-content]{animation:pc-route-fade-up .32s ease forwards}@media(prefers-reduced-motion:reduce){[data-loading=true],[data-route-content]{animation:none}}.table-scroll{overflow-x:auto;-webkit-overflow-scrolling:touch;background:linear-gradient(to right,var(--card-bg),var(--card-bg)) left center / 20px 100% no-repeat,linear-gradient(to right,#2c2a2614,#2c2a2600) left center / 8px 100% no-repeat,linear-gradient(to left,var(--card-bg),var(--card-bg)) right center / 20px 100% no-repeat,linear-gradient(to left,#2c2a2614,#2c2a2600) right center / 8px 100% no-repeat;background-attachment:local,scroll,local,scroll}.table-scroll>table{min-width:100%}.empty-rich{text-align:left;padding:2rem 1.75rem;background:#fff;border:1px solid var(--border)}.empty-rich .empty-headline{font-size:1.05rem;color:var(--fg);margin:0 0 .5rem;font-weight:500}.list-header{display:flex;align-items:baseline;justify-content:space-between;gap:1rem;margin-bottom:1rem}.list-header h1,.list-header h2{margin:0}.tag{display:inline-block;padding:.1em .55em;background:var(--accent-soft);color:var(--accent);border-radius:4px;font-size:.78rem;font-weight:500}.tag.muted{background:var(--bg-soft);color:var(--fg-muted)}.tag.source-oauth{background:#4a7cc61f;color:#3b6aa6}.tag.source-operator{background:#c6984a24;color:#8a5e1f}.tag.source-cli{background:#4a7c5924;color:#2f5a3f}.tag.source-unknown{background:var(--bg-soft);color:var(--fg-muted)}@media(prefers-color-scheme:dark){.tag.source-oauth{background:#7a9cdc24;color:#9bb6d8}.tag.source-operator{background:#dcb46e24;color:#d4b27a}.tag.source-cli{background:#7ab08a24;color:#8fc49e}.tag.source-unknown{background:#e8e4dc0f;color:#a8a49a}}.vault-row{display:flex;align-items:center;gap:1rem;padding:.85rem 1rem;background:#fff;border:1px solid var(--border);border-radius:8px;margin-bottom:.5rem;text-decoration:none;color:inherit;transition:border-color .15s ease}.vault-row:hover{border-color:var(--accent);text-decoration:none}.vault-row .body{flex:1;min-width:0}.vault-row .name{display:flex;align-items:center;gap:.5rem;flex-wrap:wrap}.vault-row .name code{font-size:.95em}.vault-row .url{margin-top:.25rem;word-break:break-all}.vault-row .chev{color:var(--fg-dim);font-size:1.2rem}.vault-row-group{margin-bottom:.5rem}.vault-row-group .vault-row{margin-bottom:0}.vault-row-actions{display:flex;gap:.5rem;align-items:center;flex-shrink:0}.mcp-connect-card{background:var(--bg-soft);border:1px solid var(--border);border-radius:8px;padding:1.1rem 1.25rem;margin:0 0 .5rem}.mcp-connect-card-embedded{background:#fff;margin-bottom:0}.mcp-connect-card h3{margin:0 0 .4rem;font-size:1rem}.mcp-connect-card>p{margin-top:0}.mcp-connect-card .token-box{display:flex;align-items:center;gap:.5rem;margin:.35rem 0 .25rem}.mcp-connect-card .token-box code{flex:1;font-size:.85rem;padding:.55rem .7rem;background:#fff;border:1px solid var(--border);border-radius:6px;word-break:break-all;-webkit-user-select:all;user-select:all}.mcp-field{margin-top:.9rem}.mcp-field-label{display:block;font-size:.82rem;font-weight:600;color:var(--fg-muted)}.mcp-field .dim{margin:.3rem 0 0}.mcp-token-path{margin-top:1rem;border-top:1px solid var(--border);padding-top:.75rem}.mcp-token-path>summary{cursor:pointer;font-size:.9rem;color:var(--fg-muted)}.mcp-token-path>summary:hover{color:var(--accent)}.mcp-token-path .mint-banner{margin-top:.75rem;margin-bottom:0}.mcp-docs-link{margin:.9rem 0 0}form .row{margin-bottom:1rem}form label{display:block;font-size:.9rem;color:var(--fg-muted);margin-bottom:.3rem;font-weight:500}form input[type=text]{width:100%}form .actions{display:flex;gap:.6rem;align-items:center;margin-top:1rem}form .field-hint{margin-top:.35rem;font-size:.82rem;color:var(--fg-dim)}form .field-error{margin-top:.35rem;font-size:.85rem;color:var(--error)}.section{background:#fff;border:1px solid var(--border);border-radius:10px;padding:1.25rem 1.5rem;margin-bottom:1.5rem}.mint-banner{background:var(--success-soft);border:1px solid var(--success);border-radius:10px;padding:1.25rem 1.5rem;margin-bottom:1.5rem}.mint-banner h3{margin:0 0 .5rem;font-size:1rem;color:var(--success)}.mint-banner .token-box{display:flex;align-items:center;gap:.5rem;margin:.85rem 0 .5rem}.mint-banner code{flex:1;font-size:.9rem;padding:.6rem .75rem;background:#fff;border:1px solid var(--border);word-break:break-all;-webkit-user-select:all;user-select:all}.mint-banner .warn{margin:.75rem 0 0;font-size:.85rem;color:var(--warn)}.mint-banner .actions{margin-top:1rem;display:flex;gap:.5rem}.kv{display:grid;grid-template-columns:8.5rem 1fr;gap:.5rem 1rem;font-size:.92rem}.kv>div:nth-child(odd){color:var(--fg-muted)}.kv code{word-break:break-all}.channel-toggle{margin:1.25rem 0 1.5rem;padding:.75rem 1rem;border:1px solid var(--border, #ddd);border-radius:6px;background:var(--bg-soft, #fafafa)}.channel-toggle legend{padding:0 .25rem;font-weight:600;font-size:.95rem}.channel-toggle label{display:inline-flex;align-items:center;gap:.4rem;margin-right:1.5rem;cursor:pointer;font-size:.95rem}.channel-toggle label input[type=radio]:disabled+*{opacity:.5}.channel-toggle code{font-size:.85em}.channel-toggle p.muted{margin:.4rem 0 0;font-size:.85rem}.module-config{display:flex;flex-direction:column;gap:1.25rem}.module-config-header h1{margin-bottom:.35rem}.module-config-form fieldset{border:0;padding:0;margin:0;display:flex;flex-direction:column;gap:1rem}.module-config-form .field{display:flex;flex-direction:column;gap:.25rem}.module-config-form .field input,.module-config-form .field select,.module-config-form .field textarea{width:100%}.module-config-form .field-inline{flex-direction:row;align-items:center;flex-wrap:wrap;gap:.5rem}.module-config-form .field-inline label{display:inline-flex;align-items:center;gap:.5rem}.module-config-form .field-inline .field-hint{flex-basis:100%;margin-left:1.6rem}.module-config-form .field-invalid input,.module-config-form .field-invalid select,.module-config-form .field-invalid textarea{border-color:var(--error)}.module-config-form .actions{display:flex;gap:.6rem;align-items:center;margin-top:.5rem}.module-config-form .actions button.destructive{background:#fff;color:var(--fg);border:1px solid var(--border)}.module-config-form .actions button.destructive:hover{background:var(--bg-soft)}.module-config-form .banner{margin:0;padding:.75rem 1rem;border-radius:6px;border:1px solid transparent;font-size:.9rem}.module-config-form .banner-success{background:var(--success-soft);border-color:var(--success);color:var(--success)}.module-config-form .banner-success p,.module-config-form .banner-success ul{margin:.4rem 0 0}.module-config-form .banner-error{background:var(--error-soft, rgba(163, 57, 43, .08));border-color:var(--error);color:var(--error)}.modules-installed,.modules-installable{margin-top:1.75rem}.modules-installed>h2,.modules-installable>h2{font-size:1.15rem;font-weight:600;margin:0 0 .75rem;color:var(--fg)}.modules-installed>p.muted,.modules-installable>p.muted{margin:0 0 .5rem}.install-list{list-style:none;padding:0;margin:0;display:flex;flex-direction:column;gap:.6rem}.install-card{display:flex;flex-direction:row;align-items:center;gap:1rem;flex-wrap:wrap;padding:.85rem 1rem;background:#fff;border:1px solid var(--border);border-radius:8px;transition:border-color .15s ease}.install-card:hover{border-color:var(--accent)}.install-card-body{flex:1 1 0;min-width:0}.install-card-body h3{margin:0 0 .2rem;font-size:1rem;font-weight:600;color:var(--fg)}.install-card-body .tagline{margin:0 0 .35rem;color:var(--fg-muted);font-size:.92rem}.install-card-meta{margin:0;font-size:.82rem}.install-card-actions{flex:0 0 auto}.install-card .error{flex-basis:100%;margin-top:.5rem;color:var(--error);font-size:.85rem}.module-row .actions .btn,a.btn{display:inline-block;font:inherit;background:var(--accent);color:#fff;border:0;border-radius:6px;padding:.55rem 1.1rem;cursor:pointer;transition:background .15s ease;text-decoration:none}.module-row .actions .btn:hover,a.btn:hover{background:var(--accent-hover);text-decoration:none}.module-uis{margin:.5rem 0 0;padding:.5rem 0 0;border-top:1px solid var(--border-light)}.module-uis>summary{cursor:pointer;font-size:.88rem;color:var(--fg-muted);font-weight:500;padding:.15rem 0;list-style:revert}.module-uis>summary:hover{color:var(--fg)}.ui-sub-units{list-style:none;padding:0;margin:.5rem 0 0 1.1rem;display:flex;flex-direction:column;gap:.35rem}.ui-sub-unit{display:flex;flex-direction:row;align-items:center;gap:.65rem;padding:.5rem .75rem;background:var(--bg-soft);border:1px solid var(--border-light);border-radius:6px;transition:border-color .15s ease,background .15s ease}.ui-sub-unit:hover{border-color:var(--accent);background:#fff}.ui-icon{flex:0 0 auto;width:20px;height:20px;border-radius:4px;object-fit:contain}.ui-sub-unit-body{flex:1 1 0;min-width:0}.ui-sub-unit-link{color:var(--fg);font-size:.95rem;text-decoration:none}.ui-sub-unit-link:hover{color:var(--accent);text-decoration:underline}.ui-sub-unit-link strong{font-weight:600}.ui-sub-unit .tagline{margin:.2rem 0 0;font-size:.82rem;color:var(--fg-muted)}.status{flex:0 0 auto;display:inline-block;padding:.1em .55em;background:var(--bg-soft);color:var(--fg-muted);border-radius:4px;font-size:.78rem;font-weight:500;white-space:nowrap}.status-active{background:var(--success-soft);color:var(--success)}.status-pending{background:var(--warn-soft);color:var(--warn)}.status-inactive{background:var(--bg-soft);color:var(--fg-dim)}.status-failing{background:var(--error-soft);color:var(--error)}.status-absent{background:var(--bg-soft);color:var(--fg-dim)}.status-pending-oauth{background:var(--warn-soft);color:var(--warn)}.status-disabled{background:var(--bg-soft);color:var(--fg-dim)}.sr-only{position:absolute;width:1px;height:1px;padding:0;margin:-1px;overflow:hidden;clip:rect(0,0,0,0);white-space:nowrap;border:0}.hub-version-badge{margin-top:3rem;padding-top:1rem;border-top:1px solid var(--border-light);display:flex;flex-direction:column;align-items:flex-start;gap:.75rem;color:var(--fg-muted);font-size:.8rem}.hub-version-badge-summary{background:transparent;border:0;padding:0;margin:0;color:var(--fg-muted);font:inherit;cursor:pointer;text-align:left;border-radius:4px}.hub-version-badge-summary:hover{color:var(--fg);background:transparent}.hub-version-badge-summary strong{color:var(--fg);font-weight:600}.hub-version-badge-source{font-variant:small-caps;letter-spacing:.04em}.hub-version-badge-panel{background:var(--card-bg);border:1px solid var(--border);border-radius:8px;padding:.85rem 1rem;font-size:.85rem;color:var(--fg);width:100%;max-width:28rem}.hub-version-badge-panel dl{margin:0 0 .75rem;display:grid;grid-template-columns:max-content 1fr;gap:.3rem .85rem}.hub-version-badge-panel dt{color:var(--fg-muted);font-size:.78rem;text-transform:uppercase;letter-spacing:.06em;padding-top:.1rem}.hub-version-badge-panel dd{margin:0;color:var(--fg);word-break:break-all}.hub-version-badge-refresh{font-size:.8rem;padding:.35rem .85rem}.depcard-wrap{margin-top:.6rem}.depcard{border:1px solid var(--warn);background:var(--warn-soft);border-radius:8px;padding:.9rem 1rem}.depcard-heading{margin:0 0 .25rem;font-size:1rem}.depcard-why{margin:0 0 .75rem;font-size:.9rem}.depcard-installs-label{margin:0 0 .4rem;font-size:.85rem;font-weight:600}.depcard-install{margin-bottom:.55rem}.depcard-install.preferred .depcard-os{color:var(--accent);font-weight:600}.depcard-os{display:block;font-size:.78rem;text-transform:uppercase;letter-spacing:.05em;color:var(--fg-muted);margin-bottom:.2rem}.depcard-cmd{display:flex;align-items:stretch;gap:.4rem}.depcard-cmd-text{flex:1;margin:0;padding:.45rem .6rem;background:var(--card-bg, #fff);border:1px solid var(--border);border-radius:6px;font-size:.82rem;white-space:pre-wrap;overflow-x:auto}.depcard-copy{flex:0 0 auto;font-size:.8rem;padding:.35rem .7rem;align-self:flex-start}.depcard-docs{margin:.5rem 0 .4rem;font-size:.88rem}.depcard-hint{margin:0;font-size:.82rem}.depcard-fallback{color:var(--error);font-size:.9rem}