@openparachute/hub 0.5.7 → 0.5.10-rc.2

package/src/admin-handlers.ts

@@ -1,67 +1,29 @@
 /**
- * HTTP handlers for the hub admin surface — login (`/admin/login`) and the
- * config portal (`/admin/config`, `/admin/config/<name>`). Sessions ride the
- * same `parachute_hub_session` cookie that the OAuth login mints, since PR
- * #112 widened the cookie path from `/oauth/` to `/`.
+ * HTTP handlers for the hub admin surface — login + logout. Sessions ride
+ * the same `parachute_hub_session` cookie that the OAuth login mints, since
+ * PR #112 widened the cookie path from `/oauth/` to `/`.
+ *
+ * `/login` (was `/admin/login` pre-#231-followup) is the canonical entry
+ * for ALL parachute auth — admin operators, OAuth user flows, etc. The
+ * `/admin/login` and `/admin/logout` paths 301-redirect for back-compat.
  *
  * Every state-changing POST is double-submit-CSRF protected
- * (`parachute_hub_csrf` cookie + `__csrf` form field, constant-time compare),
- * and every authenticated GET issues a 302 to `/admin/login?next=<path>`
- * when no session is found rather than rendering an inline login form —
- * keeps each route's intent clean and lets the operator bookmark
- * `/admin/config` without thinking about state.
+ * (`parachute_hub_csrf` cookie + `__csrf` form field, constant-time compare).
  */
 import type { Database } from "bun:sqlite";
-import {
-  type AdminConfigModuleView,
-  type ModuleStatus,
-  renderAdminConfigPage,
-  renderAdminError,
-  renderAdminLogin,
-} from "./admin-config-ui.ts";
-import {
-  type ConfigurableModule,
-  configPathFor,
-  discoverConfigurableModules,
-  readModuleConfig,
-  validateAndCoerce,
-  writeModuleConfig,
-} from "./admin-config.ts";
-import { restart as lifecycleRestart } from "./commands/lifecycle.ts";
-import { CONFIG_DIR } from "./config.ts";
+import { renderAdminError, renderAdminLogin } from "./admin-login-ui.ts";
 import { CSRF_FIELD_NAME, ensureCsrfToken, verifyCsrfToken } from "./csrf.ts";
-import type { ModuleManifest } from "./module-manifest.ts";
 import { checkAndRecord, clientIpFromRequest } from "./rate-limit.ts";
-import {
-  type ServicesManifest,
-  readManifest as readServicesManifest,
-} from "./services-manifest.ts";
 import {
   SESSION_TTL_MS,
   buildSessionClearCookie,
   buildSessionCookie,
   createSession,
   deleteSession,
-  findActiveSession,
   parseSessionCookie,
 } from "./sessions.ts";
 import { getUserByUsername, verifyPassword } from "./users.ts";
 
-export interface AdminDeps {
-  /** Resolves the installed-services manifest (production: `services-manifest.readManifest`). */
-  loadServicesManifest?: () => ServicesManifest;
-  /** Per-module `.parachute/module.json` reader (production: `module-manifest.readModuleManifest`). */
-  readManifest?: (installDir: string) => Promise<ModuleManifest | null>;
-  /** `~/.parachute` (defaults to `CONFIG_DIR`). Module configs land at `<configDir>/<name>/config.json`. */
-  configDir?: string;
-  /** Test seam — defaults to `commands/lifecycle.restart`. */
-  restartService?: (name: string) => Promise<number>;
-  /** Test seam — defaults to logging to stderr. */
-  log?: (line: string) => void;
-  /** Test seam — defaults to real clock. */
-  now?: () => Date;
-}
-
 function htmlResponse(body: string, status = 200, extra: Record<string, string> = {}): Response {
   return new Response(body, {
     status,
@@ -73,22 +35,27 @@ function redirect(location: string, extra: Record<string, string> = {}): Respons
   return new Response(null, { status: 302, headers: { location, ...extra } });
 }
 
-// --- session gate ----------------------------------------------------------
-
-function loginRedirect(req: Request, extra: Record<string, string> = {}): Response {
-  const url = new URL(req.url);
-  const next = `${url.pathname}${url.search}`;
-  return redirect(`/admin/login?next=${encodeURIComponent(next)}`, extra);
-}
+/**
+ * Post-login default landing. The admin SPA mounts at `/admin/*` and treats
+ * `/admin/vaults` as its home (vault list, the default tab). Anywhere else
+ * would either bounce the operator out of the SPA shell or land on a
+ * legacy server-rendered page — `/admin/vaults` is the canonical entry.
+ */
+const POST_LOGIN_DEFAULT = "/admin/vaults";
 
 function safeNext(raw: string | null): string {
-  if (!raw) return "/admin/config";
+  if (!raw) return POST_LOGIN_DEFAULT;
   // Only allow same-origin paths — never honor an absolute URL or scheme.
-  if (!raw.startsWith("/") || raw.startsWith("//")) return "/admin/config";
+  if (!raw.startsWith("/") || raw.startsWith("//")) return POST_LOGIN_DEFAULT;
   return raw;
 }
 
-// --- /admin/login ----------------------------------------------------------
+// --- /login ---------------------------------------------------------------
+//
+// Renamed from `/admin/login` so the surface name reflects what it is — the
+// canonical entry for ALL parachute auth (operators, OAuth user flows,
+// etc.), not an admin-only door. `/admin/login` and `/admin/logout` 301
+// to here from `hub-server.ts` for back-compat.
 
 export function handleAdminLoginGet(_db: Database, req: Request): Response {
   const url = new URL(req.url);
@@ -164,25 +131,24 @@ export async function handleAdminLoginPost(
 /**
  * Test-injection seam for `handleAdminLoginPost`. Production callers omit
  * `deps`; tests pass a deterministic clock so the rate-limit assertions
- * don't race wall-clock time. Kept narrow — login doesn't share the wider
- * `AdminDeps` because it doesn't load services / module manifests.
+ * don't race wall-clock time.
  */
 export interface AdminLoginDeps {
   /** Test seam — defaults to real clock. */
   now?: () => Date;
 }
 
-// --- /admin/logout ---------------------------------------------------------
+// --- /logout --------------------------------------------------------------
 
 /**
  * POST-only — logout is state-changing, so it rides the same double-submit
- * CSRF discipline as login + config posts. Without CSRF, a malicious
- * cross-origin form could log the operator out (annoyance, not catastrophe,
- * but the safety belt is already on the bus).
+ * CSRF discipline as login. Without CSRF, a malicious cross-origin form
+ * could log the operator out (annoyance, not catastrophe, but the safety
+ * belt is already on the bus).
  *
  * Always idempotent: clearing the cookie succeeds even if there's no
- * matching session row. Returns 302 → /admin/login so the operator lands
- * back on the form ready to re-authenticate.
+ * matching session row. Returns 302 → /login so the operator lands back
+ * on the form ready to re-authenticate.
  */
 export async function handleAdminLogoutPost(db: Database, req: Request): Promise<Response> {
   const form = await req.formData();
@@ -198,193 +164,5 @@ export async function handleAdminLogoutPost(db: Database, req: Request): Promise
   }
   const sid = parseSessionCookie(req.headers.get("cookie"));
   if (sid) deleteSession(db, sid);
-  return redirect("/admin/login", { "set-cookie": buildSessionClearCookie() });
-}
-
-// --- /admin/config ---------------------------------------------------------
-
-export async function handleAdminConfigGet(
-  db: Database,
-  req: Request,
-  deps: AdminDeps = {},
-): Promise<Response> {
-  const session = findActiveSession(db, req);
-  if (!session) return loginRedirect(req);
-
-  const csrf = ensureCsrfToken(req);
-  const setCookieExtra: Record<string, string> = csrf.setCookie
-    ? { "set-cookie": csrf.setCookie }
-    : {};
-
-  const modules = await loadModuleViews(deps);
-  const flash = parseFlash(req);
-  if (flash) applyFlashTo(modules, flash);
-  return htmlResponse(
-    renderAdminConfigPage({ modules, csrfToken: csrf.token }),
-    200,
-    setCookieExtra,
-  );
-}
-
-export async function handleAdminConfigPost(
-  db: Database,
-  req: Request,
-  moduleName: string,
-  deps: AdminDeps = {},
-): Promise<Response> {
-  const session = findActiveSession(db, req);
-  if (!session) return loginRedirect(req);
-
-  const form = await req.formData();
-  const formCsrf = form.get(CSRF_FIELD_NAME);
-  if (!verifyCsrfToken(req, typeof formCsrf === "string" ? formCsrf : null)) {
-    return htmlResponse(
-      renderAdminError({
-        title: "Invalid form submission",
-        message: "The form's CSRF token did not match. Reload the page and try again.",
-      }),
-      400,
-    );
-  }
-
-  const modules = await discoverConfigurableModules(discoverDeps(deps));
-  const target = modules.find((m) => m.name === moduleName);
-  if (!target) {
-    return htmlResponse(
-      renderAdminError({
-        title: "Unknown module",
-        message: `No installed module named "${moduleName}" declares a config schema on this hub.`,
-      }),
-      404,
-    );
-  }
-
-  const csrfToken = typeof formCsrf === "string" ? formCsrf : "";
-  const submitted = collectFormValues(form, target);
-  const result = validateAndCoerce(submitted, target.schema);
-  if (!result.ok) {
-    return rerenderWithStatus(deps, target, csrfToken, {
-      fieldErrors: result.errors,
-      pending: submitted,
-      errorMessage: "Some fields need attention before this config can be saved.",
-    });
-  }
-
-  try {
-    writeModuleConfig(target.configPath, result.data ?? {});
-  } catch (err) {
-    return rerenderWithStatus(deps, target, csrfToken, {
-      pending: submitted,
-      errorMessage: `Failed to write ${target.configPath}: ${err instanceof Error ? err.message : String(err)}`,
-    });
-  }
-
-  const restartFn = deps.restartService ?? defaultRestart(deps);
-  let restartCode = 0;
-  try {
-    restartCode = await restartFn(target.name);
-  } catch (err) {
-    return successRedirect(target.name, "saved-restart-failed", err);
-  }
-  if (restartCode !== 0) return successRedirect(target.name, "saved-restart-failed");
-  return successRedirect(target.name, "saved");
-}
-
-function defaultRestart(deps: AdminDeps): (name: string) => Promise<number> {
-  return (name) =>
-    lifecycleRestart(name, {
-      configDir: deps.configDir ?? CONFIG_DIR,
-      log: deps.log,
-    });
-}
-
-function discoverDeps(deps: AdminDeps) {
-  const out: Parameters<typeof discoverConfigurableModules>[0] = {
-    loadServicesManifest: deps.loadServicesManifest ?? readServicesManifest,
-    configDir: deps.configDir ?? CONFIG_DIR,
-  };
-  if (deps.readManifest) out.readManifest = deps.readManifest;
-  return out;
-}
-
-async function loadModuleViews(deps: AdminDeps): Promise<AdminConfigModuleView[]> {
-  const modules = await discoverConfigurableModules(discoverDeps(deps));
-  return modules.map((module) => {
-    const { data, parseError } = readModuleConfig(module.configPath);
-    const view: AdminConfigModuleView = { module, current: data };
-    if (parseError) view.parseError = parseError;
-    return view;
-  });
-}
-
-function collectFormValues(
-  form: Awaited<ReturnType<Request["formData"]>>,
-  module: ConfigurableModule,
-): Record<string, string | boolean | undefined> {
-  const out: Record<string, string | boolean | undefined> = {};
-  for (const [key, prop] of Object.entries(module.schema.properties)) {
-    if (prop.type === "boolean") {
-      // Unchecked checkboxes don't appear in form data — absence = false.
-      out[key] = form.has(key);
-      continue;
-    }
-    const v = form.get(key);
-    out[key] = typeof v === "string" ? v : undefined;
-  }
-  return out;
-}
-
-// --- flash + redirect helpers ---------------------------------------------
-
-const FLASH_PARAM = "_status";
-const FLASH_MODULE_PARAM = "_module";
-
-function successRedirect(moduleName: string, status: string, err?: unknown): Response {
-  const target = new URL("/admin/config", "http://placeholder");
-  target.searchParams.set(FLASH_PARAM, status);
-  target.searchParams.set(FLASH_MODULE_PARAM, moduleName);
-  if (err) target.searchParams.set("_err", err instanceof Error ? err.message : String(err));
-  target.hash = `module-${moduleName}`;
-  return redirect(`${target.pathname}${target.search}${target.hash}`);
-}
-
-function parseFlash(req: Request): { module: string; status: string; errMessage?: string } | null {
-  const url = new URL(req.url);
-  const status = url.searchParams.get(FLASH_PARAM);
-  const mod = url.searchParams.get(FLASH_MODULE_PARAM);
-  if (!status || !mod) return null;
-  const errMessage = url.searchParams.get("_err") ?? undefined;
-  const out: { module: string; status: string; errMessage?: string } = { module: mod, status };
-  if (errMessage) out.errMessage = errMessage;
-  return out;
-}
-
-function applyFlashTo(
-  views: AdminConfigModuleView[],
-  flash: { module: string; status: string; errMessage?: string },
-): void {
-  const view = views.find((v) => v.module.name === flash.module);
-  if (!view) return;
-  if (flash.status === "saved") {
-    view.status = { successMessage: `Saved and restarted ${view.module.displayName}.` };
-    return;
-  }
-  if (flash.status === "saved-restart-failed") {
-    const tail = flash.errMessage ? ` (${flash.errMessage})` : "";
-    view.status = {
-      errorMessage: `Saved ${view.module.displayName} config but the restart did not succeed${tail}. Run \`parachute restart ${view.module.name}\` and check logs.`,
-    };
-  }
-}
-
-async function rerenderWithStatus(
-  deps: AdminDeps,
-  target: ConfigurableModule,
-  csrfToken: string,
-  status: ModuleStatus,
-): Promise<Response> {
-  const views = await loadModuleViews(deps);
-  const view = views.find((v) => v.module.name === target.name);
-  if (view) view.status = status;
-  return htmlResponse(renderAdminConfigPage({ modules: views, csrfToken }), 422);
+  return redirect("/login", { "set-cookie": buildSessionClearCookie() });
 }

package/src/admin-host-admin-token.ts

@@ -1,25 +1,40 @@
 /**
  * `GET /admin/host-admin-token` — exchange a valid admin session cookie for a
- * short-lived JWT carrying `parachute:host:admin`.
+ * short-lived JWT carrying both `parachute:host:admin` and
+ * `parachute:host:auth` (the same superset an `--scope-set admin` operator
+ * token holds).
  *
- * Why this exists: the hub's vault-management SPA (served under `/hub/`)
- * needs a Bearer to call admin endpoints like `POST /vaults`, but
- * `parachute:host:admin` is in `NON_REQUESTABLE_SCOPES` — the public
- * `/oauth/authorize` endpoint refuses to mint it so third-party apps can't
- * acquire cross-vault provisioning capability via consent.
+ * Why this exists: the hub's admin SPA (served under `/hub/`) needs a Bearer
+ * to call:
+ *   - `parachute:host:admin` surfaces — `POST /vaults` (vault provisioning),
+ *     `/api/grants` (OAuth consent grant management).
+ *   - `parachute:host:auth` surfaces — `GET /api/auth/tokens`,
+ *     `POST /api/auth/mint-token`, `POST /api/auth/revoke-token` (the token
+ *     registry endpoints from hub#212 Phase 2).
+ *
+ * Both scopes are in `NON_REQUESTABLE_SCOPES` — the public `/oauth/authorize`
+ * endpoint refuses to mint either, so third-party apps can't acquire these
+ * capabilities via consent. This local mint path is the SPA's only way in.
  *
  * The local mint path now has two surfaces:
- *   1. `parachute auth ...` — operator-token file (~1y, on-disk, mode 0600).
+ *   1. `parachute auth ...` — operator-token file (90d, on-disk, mode 0600).
  *   2. THIS endpoint — short-lived JWT (10 min) handed to the SPA in memory.
  *
  * Both paths require already-proved local-operator identity:
  *   - operator-token mint runs as the operator's unix user.
  *   - this endpoint requires a valid `parachute_hub_session` cookie, which
- *     was set by `/admin/login` after a password check.
+ *     was set by `/login` after a password check.
  *
  * Tokens minted here are deliberately NOT persisted in the `tokens` table
  * (no refresh, no revocation tracking). They expire on their own; the SPA
  * re-fetches when the JWT is about to lapse.
+ *
+ * Background on the dual-scope shape: prior to hub#212 Phase 2 this endpoint
+ * minted `parachute:host:admin` only. The Phase 2 admin endpoints
+ * (`/api/auth/*`) gate on `parachute:host:auth`, which the SPA's bearer
+ * lacked — `/hub/tokens` failed with `bearer token lacks parachute:host:auth`
+ * on first end-to-end load. Adding `:host:auth` here brings the SPA bearer
+ * in line with the admin scope-set semantics from hub#214 / #222.
  */
 import type { Database } from "bun:sqlite";
 import { signAccessToken } from "./jwt-sign.ts";
@@ -29,7 +44,7 @@ import { findSession, parseSessionCookie } from "./sessions.ts";
 export const HOST_ADMIN_TOKEN_TTL_SECONDS = 10 * 60;
 const HOST_ADMIN_AUDIENCE = "hub";
 const HOST_ADMIN_CLIENT_ID = "parachute-hub-spa";
-export const HOST_ADMIN_SCOPES = ["parachute:host:admin"] as const;
+export const HOST_ADMIN_SCOPES = ["parachute:host:admin", "parachute:host:auth"] as const;
 
 export interface MintHostAdminTokenDeps {
   db: Database;
@@ -47,7 +62,7 @@ export async function handleHostAdminToken(
   const sid = parseSessionCookie(req.headers.get("cookie"));
   const session = sid ? findSession(deps.db, sid) : null;
   if (!session) {
-    return jsonError(401, "unauthenticated", "no admin session — sign in at /admin/login first");
+    return jsonError(401, "unauthenticated", "no admin session — sign in at /login first");
   }
   const minted = await signAccessToken(deps.db, {
     sub: session.userId,

package/src/admin-login-ui.ts

@@ -0,0 +1,256 @@
+/**
+ * Branded HTML for the hub's pre-auth surfaces: the `/login` form and the
+ * generic admin error page surfaced when CSRF or rate-limit gates fire on
+ * `/login` and `/logout`. Same privacy posture as `oauth-ui.ts` (no third-
+ * party fonts, inline CSS, no JS) — these pages are pre-auth and have to
+ * stand alone without the SPA shell.
+ *
+ * History: this file was `admin-config-ui.ts` and held the server-rendered
+ * `/admin/config` module-config portal (hub#46). #240 retired the portal
+ * post-SPA-rework; the file shed everything except the two renderers below.
+ * Renamed to `admin-login-ui.ts` in #241 so the filename matches the content.
+ *
+ * Pure functions — DB, sessions live in `admin-handlers.ts`.
+ */
+import { renderCsrfHiddenInput } from "./csrf.ts";
+import { escapeHtml } from "./oauth-ui.ts";
+
+// --- shared chrome ---------------------------------------------------------
+
+const PALETTE = {
+  bg: "#faf8f4",
+  bgSoft: "#f3f0ea",
+  fg: "#2c2a26",
+  fgMuted: "#6b6860",
+  fgDim: "#9a9690",
+  accent: "#4a7c59",
+  accentHover: "#3d6849",
+  accentSoft: "rgba(74, 124, 89, 0.08)",
+  border: "#e4e0d8",
+  borderLight: "#ece9e2",
+  cardBg: "#ffffff",
+  danger: "#a3392b",
+  dangerSoft: "rgba(163, 57, 43, 0.08)",
+  success: "#3d6849",
+  successSoft: "rgba(61, 104, 73, 0.08)",
+} as const;
+
+const FONT_SERIF = `Georgia, "Times New Roman", serif`;
+const FONT_SANS = `-apple-system, BlinkMacSystemFont, "Segoe UI", system-ui, sans-serif`;
+const FONT_MONO = `ui-monospace, "SF Mono", Menlo, Monaco, "Cascadia Mono", monospace`;
+
+function escapeAttr(s: string): string {
+  return s.replace(/&/g, "&amp;").replace(/"/g, "&quot;").replace(/</g, "&lt;");
+}
+
+function baseDocument(title: string, body: string): string {
+  return `<!doctype html>
+<html lang="en">
+<head>
+  <meta charset="utf-8" />
+  <title>${escapeHtml(title)}</title>
+  <meta name="viewport" content="width=device-width, initial-scale=1" />
+  <meta name="referrer" content="no-referrer" />
+  <style>${STYLES}</style>
+</head>
+<body>
+  <main>
+${body}
+  </main>
+</body>
+</html>`;
+}
+
+function header(): string {
+  return `
+        <div class="brand">
+          <span class="brand-mark">⌬</span>
+          <span class="brand-name">Parachute</span>
+          <span class="brand-tag">admin</span>
+        </div>`;
+}
+
+// --- /login ---------------------------------------------------------------
+
+export interface AdminLoginProps {
+  /** Continuation path after successful login — submitted as a hidden field. */
+  next: string;
+  csrfToken: string;
+  errorMessage?: string;
+}
+
+export function renderAdminLogin(props: AdminLoginProps): string {
+  const { next, csrfToken, errorMessage } = props;
+  const error = errorMessage ? `<p class="error-banner">${escapeHtml(errorMessage)}</p>` : "";
+  const body = `
+    <div class="card">
+      <div class="card-header">
+        ${header()}
+        <h1>Sign in</h1>
+        <p class="subtitle">to administer this hub</p>
+      </div>
+      ${error}
+      <form method="POST" action="/login" class="auth-form">
+        ${renderCsrfHiddenInput(csrfToken)}
+        <input type="hidden" name="next" value="${escapeAttr(next)}" />
+        <label class="field">
+          <span class="field-label">Username</span>
+          <input type="text" name="username" autocomplete="username" autofocus required />
+        </label>
+        <label class="field">
+          <span class="field-label">Password</span>
+          <input type="password" name="password" autocomplete="current-password" required />
+        </label>
+        <button type="submit" class="btn btn-primary">Sign in</button>
+      </form>
+    </div>`;
+  return baseDocument("Sign in to Parachute Hub admin", body);
+}
+
+// --- error page ------------------------------------------------------------
+
+export function renderAdminError(props: { title: string; message: string }): string {
+  const body = `
+    <div class="card">
+      ${header()}
+      <h1 class="error-title">${escapeHtml(props.title)}</h1>
+      <p class="subtitle">${escapeHtml(props.message)}</p>
+    </div>`;
+  return baseDocument(props.title, body);
+}
+
+// --- styles ----------------------------------------------------------------
+
+const STYLES = `
+  *, *::before, *::after { box-sizing: border-box; }
+  html, body { margin: 0; padding: 0; }
+  body {
+    font-family: ${FONT_SANS};
+    background: ${PALETTE.bg};
+    color: ${PALETTE.fg};
+    line-height: 1.55;
+    min-height: 100vh;
+    -webkit-font-smoothing: antialiased;
+    -moz-osx-font-smoothing: grayscale;
+  }
+  main {
+    display: flex;
+    align-items: center;
+    justify-content: center;
+    min-height: 100vh;
+    padding: 1.5rem;
+  }
+  .card {
+    width: 100%;
+    max-width: 30rem;
+    background: ${PALETTE.cardBg};
+    border: 1px solid ${PALETTE.border};
+    border-radius: 12px;
+    padding: 2rem 1.75rem;
+    box-shadow: 0 1px 2px rgba(44, 42, 38, 0.04), 0 8px 24px rgba(44, 42, 38, 0.06);
+  }
+  .card-header { margin-bottom: 1.5rem; }
+  .brand {
+    display: flex;
+    align-items: center;
+    gap: 0.5rem;
+    color: ${PALETTE.accent};
+    font-weight: 500;
+    font-size: 0.95rem;
+    margin-bottom: 1.25rem;
+  }
+  .brand-mark { font-size: 1.1rem; line-height: 1; }
+  .brand-name { letter-spacing: 0.01em; }
+  .brand-tag {
+    text-transform: uppercase;
+    letter-spacing: 0.06em;
+    font-size: 0.7rem;
+    color: ${PALETTE.fgMuted};
+    border: 1px solid ${PALETTE.borderLight};
+    padding: 0.05rem 0.4rem;
+    border-radius: 999px;
+  }
+  h1 {
+    font-family: ${FONT_SERIF};
+    font-weight: 400;
+    font-size: 1.75rem;
+    line-height: 1.2;
+    margin: 0 0 0.4rem;
+    color: ${PALETTE.fg};
+  }
+  .subtitle { margin: 0; color: ${PALETTE.fgMuted}; font-size: 0.95rem; }
+
+  .auth-form { display: flex; flex-direction: column; gap: 0.9rem; }
+  .field { display: flex; flex-direction: column; gap: 0.35rem; }
+  .field-label {
+    font-size: 0.85rem;
+    font-weight: 500;
+    color: ${PALETTE.fgMuted};
+    letter-spacing: 0.01em;
+    font-family: ${FONT_MONO};
+  }
+  input[type=text], input[type=password] {
+    font: inherit;
+    width: 100%;
+    padding: 0.6rem 0.75rem;
+    border: 1px solid ${PALETTE.border};
+    border-radius: 6px;
+    background: ${PALETTE.bg};
+    color: ${PALETTE.fg};
+    transition: border-color 0.15s ease, background 0.15s ease;
+  }
+  input[type=text]:focus, input[type=password]:focus {
+    outline: none;
+    border-color: ${PALETTE.accent};
+    background: ${PALETTE.cardBg};
+    box-shadow: 0 0 0 3px ${PALETTE.accentSoft};
+  }
+
+  .btn {
+    font: inherit;
+    font-weight: 500;
+    padding: 0.65rem 1.25rem;
+    border-radius: 6px;
+    border: 1px solid transparent;
+    cursor: pointer;
+    transition: background 0.15s ease, color 0.15s ease, border-color 0.15s ease;
+    min-height: 2.5rem;
+  }
+  .btn-primary {
+    background: ${PALETTE.accent};
+    color: ${PALETTE.cardBg};
+    margin-top: 0.4rem;
+  }
+  .btn-primary:hover { background: ${PALETTE.accentHover}; }
+
+  .error-banner {
+    background: ${PALETTE.dangerSoft};
+    border: 1px solid ${PALETTE.danger};
+    border-radius: 6px;
+    color: ${PALETTE.danger};
+    padding: 0.6rem 0.8rem;
+    margin: 0 0 1rem;
+    font-size: 0.9rem;
+  }
+  .error-title { color: ${PALETTE.danger}; }
+
+  @media (max-width: 480px) {
+    main { padding: 0.75rem; }
+    .card { padding: 1.5rem 1.25rem; border-radius: 10px; }
+    h1 { font-size: 1.5rem; }
+  }
+
+  @media (prefers-color-scheme: dark) {
+    body { background: #1a1815; color: #e8e4dc; }
+    .card { background: #25221d; border-color: #3a362f; box-shadow: 0 8px 24px rgba(0, 0, 0, 0.3); }
+    h1 { color: #f0ece4; }
+    .subtitle, .field-label { color: #a8a29a; }
+    input[type=text], input[type=password] {
+      background: #1f1c18; border-color: #3a362f; color: #e8e4dc;
+    }
+    input[type=text]:focus, input[type=password]:focus {
+      background: #25221d;
+    }
+    .brand-tag { border-color: #3a362f; color: #a8a29a; }
+  }
+`;

package/src/admin-vault-admin-token.ts

@@ -55,7 +55,7 @@ export async function handleVaultAdminToken(
   const sid = parseSessionCookie(req.headers.get("cookie"));
   const session = sid ? findSession(deps.db, sid) : null;
   if (!session) {
-    return jsonError(401, "unauthenticated", "no admin session — sign in at /admin/login first");
+    return jsonError(401, "unauthenticated", "no admin session — sign in at /login first");
   }
   const scope = `vault:${vaultName}:admin`;
   // Per-vault audience: vault validates the JWT's `aud` claim against