@openparachute/hub 0.5.7 → 0.5.10-rc.10

package/src/supervisor.ts

@@ -0,0 +1,411 @@
+/**
+ * Per-module child supervisor for container-mode hub.
+ *
+ * The on-box flow (`parachute start <svc>`) spawns module daemons
+ * detached + unref'd, writes a pidfile, and walks away — process
+ * lifecycle becomes the operator's problem (launchd, systemd, or a
+ * follow-up `parachute restart`). That shape doesn't work in a
+ * container:
+ *
+ *   - There's no external supervisor watching the children. If vault
+ *     crashes, nothing brings it back.
+ *   - Render's log viewer only surfaces hub's stdout. A detached child
+ *     whose stdout goes to `~/.parachute/<svc>/logs/<svc>.log` is
+ *     invisible to the operator clicking through the dashboard.
+ *
+ * This supervisor solves both. It spawns each module attached (no
+ * `detached: true`, no `unref()`), pipes their stdout/stderr through a
+ * line-prefixing tap into hub's own stdout (`[vault] …`,
+ * `[scribe] …`), watches `proc.exited`, and restarts crashed children
+ * up to a small budget before giving up + marking the module
+ * `crashed`. The budget keeps a wedged-on-boot module from chewing
+ * forever; once it's exhausted the operator sees the crash via /api/modules
+ * (or, post-1B, the per-module log view).
+ *
+ * Out of scope for this module: spawning the hub HTTP server itself
+ * (that's `Bun.serve` in the same process), driving the on-box
+ * `parachute start <svc>` path (still uses `commands/lifecycle.ts`),
+ * persisting child state to disk (transient — re-derived from
+ * services.json on boot).
+ */
+
+export type ModuleStatus = "starting" | "running" | "stopped" | "crashed" | "restarting";
+
+export interface ModuleState {
+  /** Short name (vault / notes / scribe / …). */
+  readonly short: string;
+  /** Last-observed lifecycle phase. */
+  readonly status: ModuleStatus;
+  /** PID of the current Bun.spawn child, if any. */
+  readonly pid?: number;
+  /** ISO timestamp of the most recent spawn. */
+  readonly startedAt?: string;
+  /** Crash count within the current restart window. Resets after the window passes without a crash. */
+  readonly restartsInWindow: number;
+  /** ISO timestamp of the most recent crash, or undefined if never crashed. */
+  readonly lastCrashAt?: string;
+  /** Exit code of the most recent crash. */
+  readonly lastExitCode?: number | null;
+}
+
+export interface SpawnRequest {
+  /** Short name — used as the log prefix and the supervisor map key. */
+  readonly short: string;
+  /** argv passed to `Bun.spawn`. */
+  readonly cmd: readonly string[];
+  /** Optional cwd for the child. */
+  readonly cwd?: string;
+  /**
+   * Optional env merged on top of `process.env`. The supervisor doesn't
+   * mutate `process.env`; the merge happens at spawn time.
+   */
+  readonly env?: Record<string, string>;
+}
+
+export interface SupervisorOpts {
+  /**
+   * Max crashes within `restartWindowMs` before the supervisor gives up
+   * and marks the module `crashed`. Default 3 — enough to ride out a
+   * transient race (DB lock, port still releasing), few enough to stop
+   * a wedged-on-boot module from looping forever.
+   */
+  readonly maxRestarts?: number;
+  /**
+   * Sliding window for the restart budget, in ms. A crash older than
+   * this falls out of the count. Default 60_000 (1 minute).
+   */
+  readonly restartWindowMs?: number;
+  /**
+   * Delay between a crash being observed and the restart spawn, in ms.
+   * Default 500 — gives sockets time to release on EADDRINUSE.
+   */
+  readonly restartDelayMs?: number;
+  /**
+   * Max time to wait for a child to exit after SIGTERM before
+   * escalating to SIGKILL, in ms. Default 5000 — long enough for a
+   * well-behaved module to flush its log buffer + drop its listeners,
+   * short enough that a wedged child doesn't keep `stop()` (and the
+   * container shutdown path that calls it) hanging indefinitely.
+   *
+   * Tests pass a short timeout (1–10ms) to exercise the SIGKILL
+   * escalation path without real waiting.
+   */
+  readonly killTimeoutMs?: number;
+  /**
+   * Where prefixed child output goes. Default `process.stdout.write`.
+   * Tests inject a collector so they can assert on the multiplexed
+   * stream without spelunking stdout.
+   */
+  readonly output?: (line: string) => void;
+  /**
+   * Test seam over `Bun.spawn`. Returns a Subprocess-shaped handle.
+   */
+  readonly spawnFn?: SpawnFn;
+  /**
+   * Test seam over wall-clock. Production passes `Date.now`.
+   */
+  readonly now?: () => number;
+  /**
+   * Test seam over `setTimeout`. Production resolves a real Promise
+   * with `setTimeout`. Tests stub to advance time deterministically.
+   */
+  readonly sleep?: (ms: number) => Promise<void>;
+}
+
+/**
+ * Subprocess-shaped seam. Production passes through to `Bun.spawn`;
+ * tests construct a fake that exposes a controllable `exited` Promise
+ * and pipe-able stdout/stderr.
+ */
+export type SpawnFn = (req: SpawnRequest) => SupervisedProc;
+
+/**
+ * The minimal Subprocess shape the supervisor depends on. Bun's real
+ * `Subprocess` matches this; the test fake mirrors it.
+ */
+export interface SupervisedProc {
+  readonly pid: number;
+  readonly exited: Promise<number | null>;
+  readonly stdout: ReadableStream<Uint8Array> | null;
+  readonly stderr: ReadableStream<Uint8Array> | null;
+  kill(signal?: NodeJS.Signals | number): void;
+}
+
+const DEFAULT_MAX_RESTARTS = 3;
+const DEFAULT_RESTART_WINDOW_MS = 60_000;
+const DEFAULT_RESTART_DELAY_MS = 500;
+const DEFAULT_KILL_TIMEOUT_MS = 5_000;
+
+/**
+ * Per-module supervisor. Owns the spawn → watch → restart loop.
+ *
+ * Single-process semantics: instances of `Supervisor` aren't safe to
+ * share across processes (the underlying Subprocess handles are
+ * process-local). Hub creates one Supervisor per `parachute serve`
+ * boot and threads it into the API handlers.
+ */
+export class Supervisor {
+  private readonly opts: Required<Omit<SupervisorOpts, "spawnFn">> & {
+    readonly spawnFn: SpawnFn;
+  };
+  private readonly modules = new Map<string, ModuleEntry>();
+
+  constructor(opts: SupervisorOpts = {}) {
+    this.opts = {
+      maxRestarts: opts.maxRestarts ?? DEFAULT_MAX_RESTARTS,
+      restartWindowMs: opts.restartWindowMs ?? DEFAULT_RESTART_WINDOW_MS,
+      restartDelayMs: opts.restartDelayMs ?? DEFAULT_RESTART_DELAY_MS,
+      killTimeoutMs: opts.killTimeoutMs ?? DEFAULT_KILL_TIMEOUT_MS,
+      output: opts.output ?? ((line) => process.stdout.write(line)),
+      spawnFn: opts.spawnFn ?? defaultSpawnFn,
+      now: opts.now ?? Date.now,
+      sleep: opts.sleep ?? ((ms) => new Promise((r) => setTimeout(r, ms))),
+    };
+  }
+
+  /**
+   * Spawn a module under supervision. Idempotent: re-spawning an
+   * already-running module is a no-op (returns the existing state).
+   * Re-spawning a previously-crashed module clears the crash budget
+   * and starts fresh.
+   */
+  async start(req: SpawnRequest): Promise<ModuleState> {
+    const existing = this.modules.get(req.short);
+    if (existing && (existing.state.status === "running" || existing.state.status === "starting")) {
+      return existing.state;
+    }
+    // Crashed → operator intent is "try again." Wipe the budget.
+    const entry: ModuleEntry = {
+      req,
+      state: {
+        short: req.short,
+        status: "starting",
+        restartsInWindow: 0,
+      },
+      crashStamps: [],
+    };
+    this.modules.set(req.short, entry);
+    this.spawnAndWatch(entry);
+    return entry.state;
+  }
+
+  /**
+   * Stop a supervised module. Sends SIGTERM, awaits the child's exit
+   * (so the log-pump drains the final flush before our stdout closes),
+   * and escalates to SIGKILL if the child doesn't exit within
+   * `killTimeoutMs`. Marks the state `stopped` and detaches the exit
+   * watcher so a normal termination isn't seen as a crash. Idempotent
+   * on already-stopped modules.
+   *
+   * The await matters in two places:
+   *   - Container shutdown (hub PID 1 receiving SIGTERM from Render):
+   *     without it, children's final log lines never make it through
+   *     hub's stdout pipe before the platform reaps the pod.
+   *   - `restart()`: a fresh spawn that races a still-listening prior
+   *     PID will fail with EADDRINUSE.
+   *
+   * The SIGKILL escalation handles a wedged module (e.g. a broken
+   * native binding ignoring SIGTERM). Without it, `stop()` would hang
+   * forever and a re-deploy would leak the orphaned child until the
+   * container itself was recycled.
+   */
+  async stop(short: string): Promise<ModuleState | undefined> {
+    const entry = this.modules.get(short);
+    if (!entry) return undefined;
+    entry.stopRequested = true;
+    const proc = entry.proc;
+    if (proc) {
+      try {
+        proc.kill("SIGTERM");
+      } catch {
+        // Process may already be dead — fall through.
+      }
+      // Race the child's exit against the kill timeout. If the timer
+      // wins, escalate to SIGKILL. Either way we end up awaiting the
+      // exit promise so the log pump drains.
+      let timer: ReturnType<typeof setTimeout> | undefined;
+      const timeout = new Promise<"timeout">((resolve) => {
+        timer = setTimeout(() => resolve("timeout"), this.opts.killTimeoutMs);
+      });
+      try {
+        const winner = await Promise.race([proc.exited.then(() => "exited" as const), timeout]);
+        if (winner === "timeout") {
+          this.opts.output(
+            `[supervisor] ${entry.req.short} did not exit ${this.opts.killTimeoutMs}ms after SIGTERM — escalating to SIGKILL.\n`,
+          );
+          try {
+            proc.kill("SIGKILL");
+          } catch {
+            // Process may already be dead between the timeout firing
+            // and us reaching kill() — fall through to the await.
+          }
+          try {
+            await proc.exited;
+            // SIGKILL cannot be caught; OS reaps the child promptly.
+          } catch {
+            // exited rejection is non-fatal — we're stopping anyway.
+          }
+        }
+      } finally {
+        clearTimeout(timer!);
+      }
+    }
+    entry.state = { ...entry.state, status: "stopped" };
+    return entry.state;
+  }
+
+  /** Snapshot of every supervised module's current state. */
+  list(): ModuleState[] {
+    return Array.from(this.modules.values(), (e) => e.state);
+  }
+
+  /** Snapshot of a single module's state, or undefined if not supervised. */
+  get(short: string): ModuleState | undefined {
+    return this.modules.get(short)?.state;
+  }
+
+  /**
+   * Restart a supervised module: stop, wait for exit, start with the
+   * same SpawnRequest. Used by the `/api/modules/:name/restart`
+   * handler. The on-box `parachute restart <svc>` path stays on
+   * `commands/lifecycle.ts` — different surface, different ownership.
+   */
+  async restart(short: string): Promise<ModuleState | undefined> {
+    const entry = this.modules.get(short);
+    if (!entry) return undefined;
+    const req = entry.req;
+    entry.state = { ...entry.state, status: "restarting" };
+    // stop() now awaits the prior process's exit (with SIGKILL
+    // escalation) before returning, so the fresh spawn below doesn't
+    // race on EADDRINUSE — no separate await needed here.
+    await this.stop(short);
+    // Drop the entry so `start` treats this as a clean spawn.
+    this.modules.delete(short);
+    return this.start(req);
+  }
+
+  private spawnAndWatch(entry: ModuleEntry): void {
+    const proc = this.opts.spawnFn(entry.req);
+    entry.proc = proc;
+    entry.state = {
+      ...entry.state,
+      status: "running",
+      pid: proc.pid,
+      startedAt: new Date(this.opts.now()).toISOString(),
+    };
+    this.pipeOutput(entry.req.short, proc);
+    void proc.exited.then((exitCode) => this.handleExit(entry, exitCode));
+  }
+
+  private async handleExit(entry: ModuleEntry, exitCode: number | null): Promise<void> {
+    // Operator-driven stop: not a crash, don't restart.
+    if (entry.stopRequested) {
+      entry.state = {
+        ...entry.state,
+        status: "stopped",
+        pid: undefined,
+        lastExitCode: exitCode,
+      };
+      return;
+    }
+
+    const now = this.opts.now();
+    // Drop crashes older than the window before counting.
+    const cutoff = now - this.opts.restartWindowMs;
+    entry.crashStamps = entry.crashStamps.filter((t) => t >= cutoff);
+    entry.crashStamps.push(now);
+
+    if (entry.crashStamps.length >= this.opts.maxRestarts) {
+      this.opts.output(
+        `[supervisor] ${entry.req.short} crashed ${entry.crashStamps.length}x within ${this.opts.restartWindowMs}ms — giving up.\n`,
+      );
+      entry.state = {
+        ...entry.state,
+        status: "crashed",
+        pid: undefined,
+        lastCrashAt: new Date(now).toISOString(),
+        lastExitCode: exitCode,
+        restartsInWindow: entry.crashStamps.length,
+      };
+      return;
+    }
+
+    entry.state = {
+      ...entry.state,
+      status: "restarting",
+      pid: undefined,
+      lastCrashAt: new Date(now).toISOString(),
+      lastExitCode: exitCode,
+      restartsInWindow: entry.crashStamps.length,
+    };
+    this.opts.output(
+      `[supervisor] ${entry.req.short} exited (code=${exitCode ?? "?"}); restart ${entry.crashStamps.length}/${this.opts.maxRestarts} in window.\n`,
+    );
+    await this.opts.sleep(this.opts.restartDelayMs);
+    // Operator may have called stop() during the sleep — re-check.
+    if (entry.stopRequested) return;
+    this.spawnAndWatch(entry);
+  }
+
+  /**
+   * Tap a child's stdout + stderr into the supervisor's `output`
+   * callback (hub's stdout by default), prefixing each line with the
+   * module's short name. Line-buffered: partial chunks accumulate
+   * until a newline arrives so multi-byte log lines don't get
+   * scrambled across modules.
+   */
+  private pipeOutput(short: string, proc: SupervisedProc): void {
+    const prefix = `[${short}] `;
+    if (proc.stdout) void pumpLines(proc.stdout, prefix, this.opts.output);
+    if (proc.stderr) void pumpLines(proc.stderr, prefix, this.opts.output);
+  }
+}
+
+interface ModuleEntry {
+  req: SpawnRequest;
+  state: ModuleState;
+  proc?: SupervisedProc;
+  crashStamps: number[];
+  stopRequested?: boolean;
+}
+
+async function pumpLines(
+  stream: ReadableStream<Uint8Array>,
+  prefix: string,
+  output: (line: string) => void,
+): Promise<void> {
+  const reader = stream.getReader();
+  const decoder = new TextDecoder();
+  let buf = "";
+  try {
+    while (true) {
+      const { done, value } = await reader.read();
+      if (done) break;
+      buf += decoder.decode(value, { stream: true });
+      // Flush every complete line; keep the partial tail buffered.
+      let nl = buf.indexOf("\n");
+      while (nl !== -1) {
+        const line = buf.slice(0, nl + 1);
+        output(prefix + line);
+        buf = buf.slice(nl + 1);
+        nl = buf.indexOf("\n");
+      }
+    }
+    // Flush any trailing partial line so we don't drop a module's
+    // last log message (it's likely the most important one — the
+    // exit cause).
+    if (buf.length > 0) output(`${prefix + buf}\n`);
+  } finally {
+    reader.releaseLock();
+  }
+}
+
+const defaultSpawnFn: SpawnFn = (req) => {
+  const spawnOpts: Parameters<typeof Bun.spawn>[1] = {
+    stdio: ["ignore", "pipe", "pipe"],
+  };
+  if (req.cwd) spawnOpts.cwd = req.cwd;
+  if (req.env) spawnOpts.env = { ...process.env, ...req.env };
+  const proc = Bun.spawn([...req.cmd], spawnOpts);
+  return proc as unknown as SupervisedProc;
+};

package/src/vault-name.ts

@@ -0,0 +1,71 @@
+/**
+ * Vault-name validation, mirrored from `@openparachute/vault`'s
+ * `src/vault-name.ts`.
+ *
+ * The vault package owns the canonical validator (used by `init`, the
+ * `--vault-name` flag, and the `PARACHUTE_VAULT_NAME` env var on
+ * first-boot). Hub doesn't depend on vault at runtime, so we keep a
+ * byte-identical contract here and pin parity with a test that exercises
+ * the same rule set:
+ *
+ *   * lowercase alphanumeric + hyphens or underscores
+ *   * 2–32 chars
+ *   * `list` is reserved
+ *
+ * If vault's validator changes (e.g. additional reserved name, length
+ * relaxation), the two must move in lockstep — hub passing the typed
+ * name through `PARACHUTE_VAULT_NAME` only works as long as vault accepts
+ * what hub validates. Cross-repo drift here would silently fall back to
+ * `default` at vault first-boot (vault's `resolveFirstBootVaultName`
+ * downgrades env-invalid values).
+ *
+ * Out of scope: collision against existing vaults on the same hub — the
+ * wizard only ever creates the first vault, so name reuse can't happen.
+ * Subsequent vaults go through the admin SPA, which talks to vault's own
+ * `/vault/list` endpoint.
+ */
+
+const VAULT_NAME_RE = /^[a-z0-9_-]+$/;
+const VAULT_NAME_MIN_LEN = 2;
+const VAULT_NAME_MAX_LEN = 32;
+
+const RESERVED_NAMES = new Set([
+  // Mirrors vault's reservation. Collides with the legacy `/vaults/list`
+  // discovery endpoint; the routes have moved under `/vault/<name>/` but
+  // vault's `cmdCreate` still rejects "list" and cross-repo consistency
+  // is cheap.
+  "list",
+]);
+
+export type VaultNameValidation = { ok: true; name: string } | { ok: false; error: string };
+
+/**
+ * Validate a vault name against vault's strict contract. Trims
+ * surrounding whitespace before checking. Returns the trimmed name on
+ * success so callers don't double-trim.
+ */
+export function validateVaultName(raw: string): VaultNameValidation {
+  const name = raw.trim();
+  if (!name) {
+    return { ok: false, error: "vault name cannot be empty." };
+  }
+  if (name.length < VAULT_NAME_MIN_LEN || name.length > VAULT_NAME_MAX_LEN) {
+    return {
+      ok: false,
+      error: `vault names must be ${VAULT_NAME_MIN_LEN}–${VAULT_NAME_MAX_LEN} characters long.`,
+    };
+  }
+  if (!VAULT_NAME_RE.test(name)) {
+    return {
+      ok: false,
+      error: "vault names must be lowercase alphanumeric with hyphens or underscores.",
+    };
+  }
+  if (RESERVED_NAMES.has(name)) {
+    return { ok: false, error: `"${name}" is a reserved vault name.` };
+  }
+  return { ok: true, name };
+}
+
+/** The default vault name when the operator leaves the field blank. */
+export const DEFAULT_VAULT_NAME = "default";

package/src/well-known.ts

@@ -26,6 +26,14 @@ export interface WellKnownVaultEntry {
  * to iterate without having to know every service's shortName ahead of time.
  * `infoUrl` points at the service's `/.parachute/info` endpoint (relative to
  * its mount path) which the hub fetches client-side for displayName/tagline.
+ *
+ * `displayName` and `uiUrl` are both optional — the discovery page renders
+ * a Services tile when `uiUrl` is present, falling back to the manifest
+ * short name when `displayName` is absent. Both are sourced via hub-server's
+ * `loadUiUrls`/`loadManagementUrls`-style readers from the module's
+ * `installDir/.parachute/module.json`, NOT from services.json (which gets
+ * overwritten on service boot per the "services own the write side"
+ * contract — see hub#238 commit message for the C-not-B trace).
  */
 export interface WellKnownServicesEntry {
   name: string;
@@ -33,6 +41,16 @@ export interface WellKnownServicesEntry {
   path: string;
   version: string;
   infoUrl: string;
+  /**
+   * Human-readable label for the discovery page. Sourced from
+   * `module.json:displayName` when available; falls back to
+   * `services.json:displayName` written at install time.
+   */
+  displayName?: string;
+  /** Where the service's primary user-facing UI lives, sourced from `module.json:uiUrl`. */
+  uiUrl?: string;
+  /** One-line subtitle for the discovery tile, sourced from `services.json:tagline`. */
+  tagline?: string;
 }
 
 /**
@@ -107,6 +125,19 @@ export interface BuildWellKnownOpts {
    * in. Returning `undefined` means "no admin SPA" and hub renders no link.
    */
   managementUrlFor?: (entry: ServiceEntry) => string | undefined;
+  /**
+   * Optional resolver mapping a `ServiceEntry` to its `module.json:uiUrl`,
+   * if any. Same shape as `managementUrlFor`. Returning `undefined` means
+   * "no user-facing UI" and discovery omits the Services tile (e.g. vault
+   * has no `uiUrl` — its content browses through Notes).
+   */
+  uiUrlFor?: (entry: ServiceEntry) => string | undefined;
+  /**
+   * Optional resolver mapping a `ServiceEntry` to its `module.json:displayName`.
+   * Hub-server reads this at request time; falls back to the entry's own
+   * `displayName` (from services.json) when absent.
+   */
+  displayNameFor?: (entry: ServiceEntry) => string | undefined;
 }
 
 /** Join a base origin and a path without double slashes — "/" stays "/". */
@@ -131,7 +162,29 @@ export function buildWellKnown(opts: BuildWellKnownOpts): WellKnownDocument {
     for (const path of pathsToEmit) {
       const url = new URL(path, `${base}/`).toString();
       const infoUrl = new URL(joinInfoPath(path), `${base}/`).toString();
-      doc.services.push({ name: s.name, url, path, version: s.version, infoUrl });
+      const entry: WellKnownServicesEntry = {
+        name: s.name,
+        url,
+        path,
+        version: s.version,
+        infoUrl,
+      };
+      const displayName = opts.displayNameFor?.(s) ?? s.displayName;
+      if (displayName !== undefined) entry.displayName = displayName;
+      // Tagline rides on services.json (set by service-spec at install or
+      // by the service's own boot-time upsert). Read directly from the
+      // entry — no installDir round-trip needed since it's already
+      // persisted server-side and reasonably stable across reboots.
+      if (s.tagline !== undefined) entry.tagline = s.tagline;
+      // Resolve uiUrl: relative path → absolute URL against `base`; full
+      // http(s) URL → verbatim. Same rule managementUrl uses.
+      const uiUrlRaw = opts.uiUrlFor?.(s);
+      if (uiUrlRaw !== undefined) {
+        entry.uiUrl = /^https?:\/\//i.test(uiUrlRaw)
+          ? uiUrlRaw
+          : new URL(uiUrlRaw, `${base}/`).toString();
+      }
+      doc.services.push(entry);
       if (isVault) {
         const managementUrl = opts.managementUrlFor?.(s);
         const entry: WellKnownVaultEntry = {

package/web/ui/dist/assets/index-BDSEsaBY.css

@@ -0,0 +1 @@
+:root{--bg: #faf8f4;--bg-soft: #f3f0ea;--fg: #2c2a26;--fg-muted: #6b6860;--fg-dim: #9a9690;--accent: #4a7c59;--accent-soft: rgba(74, 124, 89, .08);--accent-hover: #3d6849;--border: #e4e0d8;--border-light: #ece9e2;--card-bg: #ffffff;--error: #a3392b;--error-soft: rgba(163, 57, 43, .08);--warn: #b08023;--warn-soft: rgba(176, 128, 35, .08);--success: #3d6849;--success-soft: rgba(61, 104, 73, .08);--font-serif: Georgia, "Times New Roman", serif;--font-sans: -apple-system, BlinkMacSystemFont, "Segoe UI", system-ui, sans-serif;--font-mono: ui-monospace, "SF Mono", Menlo, Monaco, "Cascadia Mono", monospace;font-family:var(--font-sans)}*{box-sizing:border-box}html,body{margin:0;padding:0;background:var(--bg);color:var(--fg)}a{color:var(--accent);text-decoration:none}a:hover{text-decoration:underline}button{font:inherit;background:var(--accent);color:#fff;border:0;border-radius:6px;padding:.55rem 1.1rem;cursor:pointer;transition:background .15s ease}button:hover{background:var(--accent-hover)}button:disabled{opacity:.5;cursor:not-allowed}button.secondary{background:#fff;color:var(--fg);border:1px solid var(--border)}button.secondary:hover{background:var(--bg-soft)}input,select,textarea{font:inherit;background:#fff;border:1px solid var(--border);border-radius:6px;padding:.55rem .75rem;color:var(--fg)}input:focus,select:focus,textarea:focus{outline:none;border-color:var(--accent)}code{font-family:var(--font-mono);font-size:.85em;background:var(--bg-soft);padding:.1em .3em;border-radius:3px}.page{max-width:880px;margin:0 auto;padding:1.5rem 1.5rem 6rem}.nav{display:flex;gap:1rem;align-items:center;padding-bottom:1rem;border-bottom:1px solid var(--border);margin-bottom:2rem}.nav .brand{font-weight:600;font-family:var(--font-serif);font-size:1.15rem;margin-right:auto}.nav .brand .sub{color:var(--fg-dim);font-size:.78rem;font-weight:400;margin-left:.4rem;font-family:var(--font-sans)}.nav a{color:var(--fg-muted);font-size:.95rem}.nav a:hover{text-decoration:none;color:var(--fg)}.nav .nav-divider{display:inline-block;width:1px;height:1.1em;background:var(--border);align-self:center}.nav .auth-spa{font-size:.85rem;color:var(--fg-muted)}.nav .auth-spa strong{font-weight:600;color:var(--fg)}.nav .auth-spa-signout{background:none;border:none;padding:0;color:var(--accent);font:inherit;cursor:pointer;text-decoration:underline;text-decoration-thickness:1px;text-underline-offset:2px}.nav .auth-spa-signout:hover:not(:disabled){color:var(--accent-hover)}.nav .auth-spa-signout:disabled{color:var(--fg-dim);cursor:not-allowed}h2{margin:0 0 1rem;font-size:1.4rem;font-weight:500}.muted{color:var(--fg-muted);font-size:.92rem}.dim{color:var(--fg-dim);font-size:.85rem}.error-banner{background:var(--error-soft);border:1px solid var(--error);color:var(--error);padding:.75rem 1rem;border-radius:8px;margin-bottom:1rem;font-size:.9rem}.warn-banner{background:var(--warn-soft);border:1px solid var(--warn);color:var(--warn);padding:.75rem 1rem;border-radius:8px;margin-bottom:1rem;font-size:.9rem}.empty{padding:3rem 1.5rem;text-align:center;color:var(--fg-muted);background:var(--bg-soft);border-radius:10px}.empty-rich{text-align:left;padding:2rem 1.75rem;background:#fff;border:1px solid var(--border)}.empty-rich .empty-headline{font-size:1.05rem;color:var(--fg);margin:0 0 .5rem;font-weight:500}.list-header{display:flex;align-items:baseline;justify-content:space-between;gap:1rem;margin-bottom:1rem}.list-header h2{margin:0}.tag{display:inline-block;padding:.1em .55em;background:var(--accent-soft);color:var(--accent);border-radius:4px;font-size:.78rem;font-weight:500}.tag.muted{background:var(--bg-soft);color:var(--fg-muted)}.tag.source-oauth{background:#4a7cc61f;color:#3b6aa6}.tag.source-operator{background:#c6984a24;color:#8a5e1f}.tag.source-cli{background:#4a7c5924;color:#2f5a3f}.tag.source-unknown{background:var(--bg-soft);color:var(--fg-muted)}@media(prefers-color-scheme:dark){.tag.source-oauth{background:#7a9cdc24;color:#9bb6d8}.tag.source-operator{background:#dcb46e24;color:#d4b27a}.tag.source-cli{background:#7ab08a24;color:#8fc49e}.tag.source-unknown{background:#e8e4dc0f;color:#a8a49a}}.vault-row{display:flex;align-items:center;gap:1rem;padding:.85rem 1rem;background:#fff;border:1px solid var(--border);border-radius:8px;margin-bottom:.5rem;text-decoration:none;color:inherit;transition:border-color .15s ease}.vault-row:hover{border-color:var(--accent);text-decoration:none}.vault-row .body{flex:1;min-width:0}.vault-row .name{display:flex;align-items:center;gap:.5rem;flex-wrap:wrap}.vault-row .name code{font-size:.95em}.vault-row .url{margin-top:.25rem;word-break:break-all}.vault-row .chev{color:var(--fg-dim);font-size:1.2rem}form .row{margin-bottom:1rem}form label{display:block;font-size:.9rem;color:var(--fg-muted);margin-bottom:.3rem;font-weight:500}form input[type=text]{width:100%}form .actions{display:flex;gap:.6rem;align-items:center;margin-top:1rem}form .field-hint{margin-top:.35rem;font-size:.82rem;color:var(--fg-dim)}form .field-error{margin-top:.35rem;font-size:.85rem;color:var(--error)}.section{background:#fff;border:1px solid var(--border);border-radius:10px;padding:1.25rem 1.5rem;margin-bottom:1.5rem}.mint-banner{background:var(--success-soft);border:1px solid var(--success);border-radius:10px;padding:1.25rem 1.5rem;margin-bottom:1.5rem}.mint-banner h3{margin:0 0 .5rem;font-size:1rem;color:var(--success)}.mint-banner .token-box{display:flex;align-items:center;gap:.5rem;margin:.85rem 0 .5rem}.mint-banner code{flex:1;font-size:.9rem;padding:.6rem .75rem;background:#fff;border:1px solid var(--border);word-break:break-all;-webkit-user-select:all;user-select:all}.mint-banner .warn{margin:.75rem 0 0;font-size:.85rem;color:var(--warn)}.mint-banner .actions{margin-top:1rem;display:flex;gap:.5rem}.kv{display:grid;grid-template-columns:8.5rem 1fr;gap:.5rem 1rem;font-size:.92rem}.kv>div:nth-child(odd){color:var(--fg-muted)}.kv code{word-break:break-all}.channel-toggle{margin:1.25rem 0 1.5rem;padding:.75rem 1rem;border:1px solid var(--border, #ddd);border-radius:6px;background:var(--bg-soft, #fafafa)}.channel-toggle legend{padding:0 .25rem;font-weight:600;font-size:.95rem}.channel-toggle label{display:inline-flex;align-items:center;gap:.4rem;margin-right:1.5rem;cursor:pointer;font-size:.95rem}.channel-toggle label input[type=radio]:disabled+*{opacity:.5}.channel-toggle code{font-size:.85em}.channel-toggle p.muted{margin:.4rem 0 0;font-size:.85rem}