@openparachute/hub 0.6.3 → 0.6.4-rc.2

package/src/scope-attenuation.ts

@@ -83,3 +83,22 @@ export function hasMintingAuthority(bearerScopes: string[]): boolean {
     bearerScopes.some((s) => isVaultAdminScope(s))
   );
 }
+
+/**
+ * Is this an *operator* bearer — i.e. does it hold host-level minting authority
+ * (`parachute:host:auth` or `parachute:host:admin`)?
+ *
+ * The distinction matters for the `subject` override on the mint endpoint: an
+ * operator bearer is the on-box host administrator (or a service account it
+ * delegated to), so it may legitimately mint a token whose `sub` names a
+ * service account other than its own — the documented service-account override.
+ * A merely vault-scoped bearer (`vault:<N>:admin` only) has NO host authority,
+ * so letting it set an arbitrary `sub` is audit-attribution forgery: it could
+ * mint a token that the registry + revocation list attribute to a foreign
+ * subject. Non-operator bearers are therefore pinned to their own `sub`.
+ */
+export function isOperatorBearer(bearerScopes: string[]): boolean {
+  return (
+    bearerScopes.includes(MINT_HOST_AUTH_SCOPE) || bearerScopes.includes(MINT_HOST_ADMIN_SCOPE)
+  );
+}

package/src/scope-explanations.ts

@@ -270,7 +270,15 @@ export function isNonRequestableScope(scope: string): boolean {
   // consent path and through `canGrant` rule 1, capped to the consenting
   // user's held authority at the `issueAuthCodeRedirect` choke-point. Only
   // the host-level operator scopes stay non-requestable here.
-  return NON_REQUESTABLE_SCOPES.has(scope);
+  //
+  // Item C — case-insensitive guard. The membership check is exact-string,
+  // but Parachute scope tokens are canonically lowercase. A casing variant
+  // like `PARACHUTE:HOST:AUTH` would slip past a raw `Set.has` and be treated
+  // as requestable — minting a junk-but-harmless token today (consumers are
+  // case-sensitive + anchored, so it grants nothing), but a backstop against
+  // a future consumer that case-folds. Normalize to lowercase before the
+  // membership check so every casing of a host-level scope is refused.
+  return NON_REQUESTABLE_SCOPES.has(scope.toLowerCase());
 }
 
 /** True when the scope can appear in a public `/oauth/authorize` request. */

package/src/service-spec.ts

@@ -39,9 +39,14 @@ import type { ServiceEntry } from "./services-manifest.ts";
  *
  * Operator override is now "edit services.json" (or `parachute config`
  * once that lands), not "edit `.env`". Pre-#206 stale `.env` PORT lines on
- * existing operator machines stay where they are — harmless, since the
- * boot-time ladder reads services.json before falling through to the bare
- * PORT env tier — and future installs no longer touch them.
+ * existing operator machines stay where they are — harmless to the module's
+ * own resolvePort ladder, which reads services.json before falling through to
+ * the bare PORT env tier — and future installs no longer touch them. (Caveat,
+ * hub#537: the supervisor's spawn-env builder used to echo a stale `.env` PORT
+ * into the injected `PORT`, and its readiness probe trusted that — so a `.env`
+ * PORT disagreeing with services.json yielded a false `started_but_unbound`.
+ * Fixed by making `entry.port` authoritative: `buildModuleSpawnRequest` drops a
+ * `.env` PORT.)
  *
  * **No speculative reservations.** Future first-party modules claim a slot
  * the moment they ship, not before — pre-reservation for unbuilt things has

package/src/spawn-path.ts

@@ -0,0 +1,148 @@
+/**
+ * PATH enrichment for spawned modules + the hub's own boot env.
+ *
+ * The hub-as-supervisor unit bakes a hardcoded base PATH (see
+ * `enrichedUnitPath` below), and `Bun.spawn` defaults to an empty env, so
+ * supervised children only ever see the PATH the unit handed the hub. On a
+ * launchd-managed Mac that PATH omits the two dirs operator tools actually live
+ * in — `$HOME/.local/bin` (scribe's `parakeet-mlx`) and the Homebrew bin
+ * (`ffmpeg`, `/opt/homebrew/bin` on Apple Silicon). The result: scribe's
+ * `Bun.which("ffmpeg")` / `Bun.which("parakeet-mlx")` probes come up empty and
+ * transcription is dead on canonical installs.
+ *
+ * `enrichedPath` is the shared fix. It takes a base env (defaults to
+ * `process.env`), keeps whatever PATH was inherited, and APPENDS the operator-
+ * tool dirs that exist on disk and aren't already present. Inherited PATH wins
+ * (append, not prepend) so an operator's explicit PATH ordering is never
+ * reordered out from under them. `PARACHUTE_EXTRA_PATH` (colon-joined) is
+ * PREPENDED so an operator can intentionally shadow a system binary.
+ *
+ * Two consumers:
+ *   1. The spawn side (`buildModuleSpawnRequest` in `commands/serve-boot.ts` +
+ *      `spawnSupervised` in `api-modules-ops.ts`) injects `enrichedPath()` into
+ *      every supervised child's env. This is the PRIMARY fix — it self-heals
+ *      every existing install at the next hub restart, no re-init needed.
+ *   2. The hub's own `serve` startup enriches `process.env.PATH` so the hub's
+ *      own `Bun.which` probes (cloudflared / tailscale detection, etc.) also
+ *      see brew + `.local`.
+ *
+ * The unit generator (`enrichedUnitPath`, used by `hub-unit.ts` +
+ * `commands/migrate-cutover.ts`) bakes the same dirs into the launchd/systemd
+ * unit PATH as belt-and-suspenders for fresh installs.
+ */
+
+import { existsSync } from "node:fs";
+import { homedir } from "node:os";
+
+/** Injectable seams so tests don't touch the real fs / os / platform. */
+export interface EnrichedPathDeps {
+  /** Operator home dir. */
+  homeDir: () => string;
+  /** True when `path` exists on disk. */
+  exists: (path: string) => boolean;
+  /** `process.platform` value (e.g. "darwin", "linux"). */
+  platform: NodeJS.Platform;
+  /** `process.arch` value (e.g. "arm64", "x64"). */
+  arch: string;
+}
+
+export const defaultEnrichedPathDeps: EnrichedPathDeps = {
+  homeDir: () => homedir(),
+  exists: (path) => existsSync(path),
+  platform: process.platform,
+  arch: process.arch,
+};
+
+/**
+ * The Homebrew bin dir for the current platform/arch, or null when there
+ * isn't a canonical one (non-darwin — Linux brew is opt-in + non-canonical, so
+ * we only contribute `$HOME/.local/bin` there).
+ *
+ * Apple Silicon brew installs under `/opt/homebrew`; Intel macOS brew under
+ * `/usr/local`.
+ */
+function brewBinDir(platform: NodeJS.Platform, arch: string): string | null {
+  if (platform !== "darwin") return null;
+  return arch === "arm64" ? "/opt/homebrew/bin" : "/usr/local/bin";
+}
+
+/**
+ * Operator-tool dirs to APPEND (in this order): `$HOME/.local/bin` (pipx /
+ * `pip install --user` — scribe's `parakeet-mlx`), the platform brew bin
+ * (`ffmpeg`), and `$HOME/.bun/bin` (bun-linked binaries on a cold boot). Order
+ * is deterministic and stable. Pure of fs — the runtime enrichment filters by
+ * existence, the unit generator includes them unconditionally.
+ */
+export function operatorToolDirs(home: string, platform: NodeJS.Platform, arch: string): string[] {
+  const dirs = [`${home}/.local/bin`];
+  const brew = brewBinDir(platform, arch);
+  if (brew) dirs.push(brew);
+  dirs.push(`${home}/.bun/bin`);
+  return dirs;
+}
+
+function candidateDirs(deps: EnrichedPathDeps): string[] {
+  return operatorToolDirs(deps.homeDir(), deps.platform, deps.arch);
+}
+
+function dedupe(entries: string[]): string[] {
+  const seen = new Set<string>();
+  const out: string[] = [];
+  for (const entry of entries) {
+    if (seen.has(entry)) continue;
+    seen.add(entry);
+    out.push(entry);
+  }
+  return out;
+}
+
+/**
+ * The PATH baked into the launchd/systemd hub unit at generation time.
+ *
+ * `${bunInstall}/bin` first (so supervised children resolve a bun-linked binary
+ * on cold boot, R20), then the usual system dirs, then the operator-tool dirs
+ * (`$HOME/.local/bin`, the platform brew bin) so a managed hub — and the modules
+ * it spawns — can find scribe's `parakeet-mlx` + `ffmpeg`. `PARACHUTE_EXTRA_PATH`
+ * (if set at generation time) is PREPENDED for intentional operator shadowing.
+ * Deduped end-to-end.
+ *
+ * Unlike `enrichedPath`, the unit-side dirs are included UNCONDITIONALLY (no
+ * existence check): the unit is generated once at install/migrate time but
+ * brew/tools may be installed afterward, and a non-existent PATH entry is simply
+ * skipped by the OS — so baking them in is the robust choice for fresh installs.
+ *
+ * Shared by `hub-unit.ts` (init bringup) + `commands/migrate-cutover.ts`
+ * (`--to-supervised` cutover) so the two unit-generation paths can't drift.
+ */
+export function enrichedUnitPath(
+  bunInstall: string,
+  home: string,
+  platform: NodeJS.Platform = process.platform,
+  arch: string = process.arch,
+  extraPath: string | undefined = process.env.PARACHUTE_EXTRA_PATH,
+): string {
+  const extra = (extraPath ?? "").split(":").filter((e) => e.length > 0);
+  const base = [`${bunInstall}/bin`, "/usr/local/bin", "/usr/bin", "/bin"];
+  return dedupe([...extra, ...base, ...operatorToolDirs(home, platform, arch)]).join(":");
+}
+
+/**
+ * Build a PATH that enriches `env.PATH` with operator-tool dirs.
+ *
+ * Ordering: `PARACHUTE_EXTRA_PATH` (prepended) : inherited PATH : appended
+ * operator-tool dirs that exist and aren't already present. Deduped end-to-end
+ * (first occurrence wins, so an inherited entry is never reordered).
+ */
+export function enrichedPath(
+  env: NodeJS.ProcessEnv = process.env,
+  deps: EnrichedPathDeps = defaultEnrichedPathDeps,
+): string {
+  const inherited = (env.PATH ?? "").split(":").filter((e) => e.length > 0);
+  const extra = (env.PARACHUTE_EXTRA_PATH ?? "").split(":").filter((e) => e.length > 0);
+  const appended = candidateDirs(deps).filter((d) => deps.exists(d));
+
+  // PARACHUTE_EXTRA_PATH first (intentional operator shadow), then the
+  // inherited PATH (inherited wins over our appended defaults), then our
+  // appended operator-tool dirs.
+  return dedupe([...extra, ...inherited, ...appended]).join(":");
+}

package/src/supervisor.ts

@@ -196,6 +196,19 @@ export interface SupervisorOpts {
   readonly startReadyMs?: number;
   /** Poll interval while waiting for the port to bind, in ms. Default 200. */
   readonly startReadyPollMs?: number;
+  /**
+   * How long the background late-bind watch keeps re-probing AFTER the
+   * readiness window elapsed with the port unbound, in ms. Heavy modules
+   * (vault — SQLite + git mirror + well-known init) can legitimately take
+   * longer than `startReadyMs` to bind; without a re-probe the recorded
+   * `started_but_unbound` note sticks for the module's whole lifetime and
+   * `parachute status` shows a perpetual "failed to start" on a healthy
+   * module. The watch clears the note once the port binds. Default 60s;
+   * `0` disables the watch (the note then behaves as before).
+   */
+  readonly lateBindWatchMs?: number;
+  /** Poll interval for the late-bind watch, in ms. Default 1000. */
+  readonly lateBindPollMs?: number;
   /**
    * PATH-resolution seam for the pre-spawn `ensureExecutable` preflight
    * (`@openparachute/depcheck`). Production uses the real `Bun.which`; a
@@ -242,6 +255,8 @@ const DEFAULT_KILL_TIMEOUT_MS = 5_000;
 const DEFAULT_LOG_BUFFER_BYTES = 64 * 1024;
 const DEFAULT_START_READY_MS = 4_000;
 const DEFAULT_START_READY_POLL_MS = 200;
+const DEFAULT_LATE_BIND_WATCH_MS = 60_000;
+const DEFAULT_LATE_BIND_POLL_MS = 1_000;
 
 /**
  * Bounded, line-oriented ring buffer (§6.5). Holds the most-recent lines of a
@@ -318,6 +333,8 @@ export class Supervisor {
       startReadyMs:
         opts.startReadyMs ?? (isProductionPath || readinessOptedIn ? DEFAULT_START_READY_MS : 0),
       startReadyPollMs: opts.startReadyPollMs ?? DEFAULT_START_READY_POLL_MS,
+      lateBindWatchMs: opts.lateBindWatchMs ?? DEFAULT_LATE_BIND_WATCH_MS,
+      lateBindPollMs: opts.lateBindPollMs ?? DEFAULT_LATE_BIND_POLL_MS,
       which: opts.which ?? (isProductionPath ? Bun.which : () => "/stub/bin/preflight-skipped"),
     };
   }
@@ -453,6 +470,44 @@ export class Supervisor {
           at: new Date(this.opts.now()).toISOString(),
         },
       };
+      // Keep watching in the background: heavy modules (vault) routinely bind
+      // a moment after the window. Without the re-probe the note above would
+      // stick for the module's whole lifetime — `parachute status` then shows
+      // a perpetual "failed to start" on a healthy module. Fire-and-forget so
+      // `start()`'s latency stays bounded by `startReadyMs`.
+      if (this.opts.lateBindWatchMs > 0) {
+        void this.lateBindWatch(entry, port).catch(() => {});
+      }
+    }
+  }
+
+  /**
+   * Background re-probe after `awaitPortReadiness` recorded a
+   * `started_but_unbound` note: poll (slower cadence, bounded window) and
+   * clear the note once the port binds. Exits early when the module stops,
+   * crashes, or the note is replaced by a different startError (a later
+   * crash-restart's missing-dependency note must not be wiped).
+   *
+   * Restart safety: a crash-auto-restart reuses the same `entry` object and
+   * clears `startError` on respawn — this watch's `error_type` guard then sees
+   * `undefined` and exits, so a stale watch from spawn-1 never clobbers
+   * spawn-2's state. If spawn-2 also misses its window, its own gate records a
+   * fresh note and launches its own watch; two live watches clearing the same
+   * note is idempotent. `stop()`/teardown set `stopRequested` before any entry
+   * removal, so a watch holding a stale entry ref exits cleanly.
+   */
+  private async lateBindWatch(entry: ModuleEntry, port: number): Promise<void> {
+    const deadline = this.opts.now() + this.opts.lateBindWatchMs;
+    while (this.opts.now() < deadline) {
+      await this.opts.sleep(this.opts.lateBindPollMs);
+      if (entry.stopRequested || entry.state.status !== "running") return;
+      // Only OUR note is clearable — anything else was recorded after us.
+      if (entry.state.startError?.error_type !== "started_but_unbound") return;
+      if (await this.opts.portListening(port)) {
+        const { startError: _drop, ...rest } = entry.state;
+        entry.state = rest;
+        return;
+      }
     }
   }
 
@@ -540,21 +595,43 @@ export class Supervisor {
   }
 
   /**
-   * Restart a supervised module: stop, wait for exit, start with the
-   * same SpawnRequest. Used by the `/api/modules/:name/restart`
-   * handler. The on-box `parachute restart <svc>` path stays on
-   * `commands/lifecycle.ts` — different surface, different ownership.
+   * Restart a supervised module: stop, wait for exit, start again. Used by
+   * the `/api/modules/:name/restart` handler. The on-box
+   * `parachute restart <svc>` path stays on `commands/lifecycle.ts` —
+   * different surface, different ownership.
+   *
+   * `nextReq` (hub#532): when the caller supplies a freshly-rebuilt
+   * SpawnRequest (current `PARACHUTE_HUB_ORIGIN` / enriched PATH /
+   * re-resolved cwd), the re-spawn uses it AND it becomes the entry's new
+   * `req` — so subsequent CRASH-restarts (`handleExit` → `spawnAndWatch`,
+   * which reuse `entry.req`) also carry the refreshed env, not the original
+   * first-start snapshot. When omitted, the prior `entry.req` is replayed
+   * (legacy behavior, e.g. an internal restart with no state change).
+   *
+   * `nextReq.short` MUST match `short`: `start(req)` keys the supervisor map
+   * on `req.short`, so a mismatch would silently register the restarted
+   * module under the WRONG key (orphaning the original entry + breaking every
+   * subsequent `get`/`stop`/`restart` lookup). Throws on mismatch rather than
+   * trusting the caller — a one-line invariant that turns a silent
+   * state-corruption bug into a loud one.
    */
-  async restart(short: string): Promise<ModuleState | undefined> {
+  async restart(short: string, nextReq?: SpawnRequest): Promise<ModuleState | undefined> {
+    if (nextReq && nextReq.short !== short) {
+      throw new Error(
+        `restart(${short}): nextReq.short is "${nextReq.short}" — it must match the restarted short or the module re-registers under the wrong key`,
+      );
+    }
     const entry = this.modules.get(short);
     if (!entry) return undefined;
-    const req = entry.req;
+    const req = nextReq ?? entry.req;
     entry.state = { ...entry.state, status: "restarting" };
     // stop() now awaits the prior process's exit (with SIGKILL
     // escalation) before returning, so the fresh spawn below doesn't
     // race on EADDRINUSE — no separate await needed here.
     await this.stop(short);
-    // Drop the entry so `start` treats this as a clean spawn.
+    // Drop the entry so `start` treats this as a clean spawn. `start` stores
+    // `req` as the new entry's `req`, so a refreshed `nextReq` propagates to
+    // the crash-restart path too.
     this.modules.delete(short);
     return this.start(req);
   }

package/src/users.ts

@@ -232,6 +232,26 @@ export interface CreateUserOpts {
    * each name against `services.json` before passing through.
    */
   assignedVaults?: string[];
+  /**
+   * The `user_vaults.role` to write for every entry in `assignedVaults`.
+   * Default `'write'` (= owner; `vaultVerbsForRole('write')` grants the
+   * full read/write/admin triple). The invite-redeem path passes the
+   * invite's baked-in role so a future shared-into-existing-vault invite
+   * can land a narrower `'read'` role without a second migration. All
+   * existing call sites omit it and keep the historical `'write'` default.
+   */
+  role?: string;
+  /**
+   * Optional hook run INSIDE the same transaction as the user + user_vaults
+   * inserts, after them, with the new user's id. Throwing from it rolls the
+   * whole insert back (no orphan user row). The invite-redeem path uses this
+   * to atomically re-check + consume a single-use invite together with the
+   * account creation — so two concurrent redeems of one invite can't both
+   * create an account (the loser throws here and its user insert rolls back),
+   * while a failure still leaves the invite re-usable (nothing committed).
+   * Must be synchronous — bun:sqlite transactions can't await.
+   */
+  withinTx?: (userId: string) => void;
 }
 
 export async function createUser(
@@ -268,14 +288,18 @@ export async function createUser(
          VALUES (?, ?, ?, ?, ?, ?)`,
       ).run(id, username, passwordHash, stamp, stamp, passwordChanged);
       if (assignedVaults.length > 0) {
+        const role = opts.role ?? "write";
         const insertVault = db.prepare(
           `INSERT INTO user_vaults (user_id, vault_name, role, created_at)
-           VALUES (?, ?, 'write', ?)`,
+           VALUES (?, ?, ?, ?)`,
         );
         for (const vaultName of assignedVaults) {
-          insertVault.run(id, vaultName, stamp);
+          insertVault.run(id, vaultName, role, stamp);
         }
       }
+      // In-transaction hook (e.g. consume a single-use invite). Throwing here
+      // rolls back the user + user_vaults inserts above — no orphan row.
+      opts.withinTx?.(id);
     })();
   } catch (err) {
     const msg = err instanceof Error ? err.message : String(err);
@@ -468,7 +492,7 @@ export async function setPassword(
  * only Phase-1 recovery was delete+recreate, which is destructive-feeling
  * even though it's safe (vaults are independent of accounts).
  *
- * Three writes inside one transaction:
+ * Four writes inside one transaction:
  *
  *   1. Rotate `password_hash` to the new argon2id hash and flip
  *      `password_changed` back to 0 so the user is force-redirected
@@ -482,7 +506,15 @@ export async function setPassword(
  *      would defeat the purpose. We keep the rows (don't NULL `user_id`
  *      like `deleteUser` does) because the audit trail naturally re-
  *      anchors to the still-existing user row.
- *   3. Bump `updated_at` so the SPA's row reflects the rotation.
+ *   3. Delete every active SESSION for the user (item G). Revoking tokens
+ *      alone left a live session cookie valid — an attacker who already had
+ *      a session (the very "old password / stolen device" shape this reset
+ *      recovers from) kept browsing post-reset until the session aged out.
+ *      Killing sessions in the same transaction makes the reset a true cut:
+ *      the user (and any attacker) must re-authenticate with the new
+ *      password. Sessions carry no audit value (unlike tokens), so we hard-
+ *      delete — same shape as `deleteUser`'s `DELETE FROM sessions`.
+ *   4. Bump `updated_at` so the SPA's row reflects the rotation.
  *
  * Hash OUTSIDE the transaction — argon2id is async and `db.transaction()`
  * on bun:sqlite is sync; doing it inside silently breaks atomicity (same
@@ -547,6 +579,12 @@ export async function resetUserPassword(
       stamp,
       userId,
     );
+    // Item G — also kill active sessions in the same transaction. A token
+    // revoke alone left a live session cookie valid; an admin reset must
+    // force re-auth with the new password (the "old password leaked / stolen
+    // device" recovery shape). Sessions carry no audit value, so hard-delete
+    // (same shape as deleteUser).
+    db.prepare("DELETE FROM sessions WHERE user_id = ?").run(userId);
   })();
   return updated;
 }

package/src/vault-hub-origin-env.ts

@@ -59,6 +59,34 @@ export function isLoopbackOrigin(origin: string): boolean {
   }
 }
 
+/**
+ * Canonicalize a candidate public origin for use as the hub's OAuth issuer:
+ * strip trailing slashes, then accept it only when it parses as an absolute
+ * `http(s)` URL that is NOT loopback. Returns the canonical origin or
+ * undefined when it fails any check.
+ *
+ * Shared by the two expose-state issuer fallbacks (`resolveStartupIssuer` in
+ * commands/serve.ts and `exposeIssuerOrigin` in hub-server.ts) so the guard
+ * — never let a non-http(s) or loopback value pin the issuer — stays
+ * identical on both origin-resolution chokepoints (#531). The loopback
+ * rejection is defensive: expose-state.hubOrigin should always be the public
+ * origin, but a stray loopback value would re-pin the degraded
+ * request-origin mode the fix exists to escape.
+ */
+export function sanitizePublicOrigin(raw: string | undefined): string | undefined {
+  const trimmed = raw?.replace(/\/+$/, "");
+  if (!trimmed) return undefined;
+  let proto: string;
+  try {
+    proto = new URL(trimmed).protocol;
+  } catch {
+    return undefined;
+  }
+  if (proto !== "http:" && proto !== "https:") return undefined;
+  if (isLoopbackOrigin(trimmed)) return undefined;
+  return trimmed;
+}
+
 function vaultEnvPath(configDir: string): string {
   return join(configDir, "vault", ".env");
 }

package/src/vault-name.ts

@@ -25,7 +25,19 @@
  * `/vault/list` endpoint.
  */
 
-const VAULT_NAME_RE = /^[a-z0-9_-]+$/;
+/**
+ * Canonical vault-name charset: lowercase alphanumerics + hyphen/underscore.
+ * Exported as the single source of truth for the hub edge sites that mint /
+ * create vaults (item I) — `admin-vaults.ts`, `account-vault-token.ts`,
+ * `admin-vault-admin-token.ts` historically accepted `[a-zA-Z0-9_-]`, a
+ * superset of what vault's init enforces. The case drift was a real bug class:
+ * a hub-side `Work` would never match vault's URL-derived `work`, so the minted
+ * token's audience (`vault.Work`) wouldn't validate, and a created vault name
+ * could diverge from what vault persisted. Pinning every hub edge to THIS
+ * lowercase-only regex closes the drift.
+ */
+export const VAULT_NAME_CHARSET_RE = /^[a-z0-9_-]+$/;
+const VAULT_NAME_RE = VAULT_NAME_CHARSET_RE;
 const VAULT_NAME_MIN_LEN = 2;
 const VAULT_NAME_MAX_LEN = 32;
 

package/web/ui/dist/assets/{index-mz8XcVPP.css → index-BYYUeLGA.css}

@@ -1 +1 @@
-:root{--bg: #faf8f4;--bg-soft: #f3f0ea;--fg: #2c2a26;--fg-muted: #6b6860;--fg-dim: #9a9690;--accent: #4a7c59;--accent-soft: rgba(74, 124, 89, .08);--accent-hover: #3d6849;--border: #e4e0d8;--border-light: #ece9e2;--card-bg: #ffffff;--error: #a3392b;--error-soft: rgba(163, 57, 43, .08);--warn: #b08023;--warn-soft: rgba(176, 128, 35, .08);--success: #3d6849;--success-soft: rgba(61, 104, 73, .08);--font-serif: Georgia, "Times New Roman", serif;--font-sans: -apple-system, BlinkMacSystemFont, "Segoe UI", system-ui, sans-serif;--font-mono: ui-monospace, "SF Mono", Menlo, Monaco, "Cascadia Mono", monospace;font-family:var(--font-sans)}*{box-sizing:border-box}html,body{margin:0;padding:0;background:var(--bg);color:var(--fg)}a{color:var(--accent);text-decoration:none}a:hover{text-decoration:underline}button{font:inherit;background:var(--accent);color:#fff;border:0;border-radius:6px;padding:.55rem 1.1rem;cursor:pointer;transition:background .15s ease}button:hover{background:var(--accent-hover)}button:disabled{opacity:.5;cursor:not-allowed}button.secondary{background:#fff;color:var(--fg);border:1px solid var(--border)}button.secondary:hover{background:var(--bg-soft)}input,select,textarea{font:inherit;background:#fff;border:1px solid var(--border);border-radius:6px;padding:.55rem .75rem;color:var(--fg)}input:focus,select:focus,textarea:focus{outline:none;border-color:var(--accent)}code{font-family:var(--font-mono);font-size:.85em;background:var(--bg-soft);padding:.1em .3em;border-radius:3px}.page{max-width:880px;margin:0 auto;padding:1.5rem 1.5rem 6rem}.nav{display:flex;flex-wrap:wrap;gap:.6rem 1rem;align-items:center;padding-bottom:1rem;border-bottom:1px solid var(--border);margin-bottom:2rem}.nav .brand{font-weight:600;font-family:var(--font-serif);font-size:1.15rem;margin-right:auto;display:inline-flex;align-items:center;gap:.45rem;color:var(--accent);text-decoration:none}.nav .brand:hover{color:var(--accent-hover);text-decoration:none}.nav .brand-mark-icon{flex-shrink:0;line-height:0}.nav .brand-wordmark{color:var(--fg);letter-spacing:-.005em}.nav .brand .sub{color:var(--fg-dim);font-size:.78rem;font-weight:400;margin-left:.4rem;font-family:var(--font-sans)}.nav a{color:var(--fg-muted);font-size:.95rem}.nav a:hover{text-decoration:none;color:var(--fg)}.nav a.nav-link-active{color:var(--accent);font-weight:500;text-decoration:underline;text-underline-offset:.3em;text-decoration-thickness:2px}.nav .nav-divider{display:inline-block;width:1px;height:1.1em;background:var(--border);align-self:center}.nav .nav-dropdown{position:relative}.nav .nav-dropdown-summary{list-style:none;cursor:pointer;color:var(--fg-muted);font-size:.95rem;-webkit-user-select:none;user-select:none}.nav .nav-dropdown-summary::-webkit-details-marker{display:none}.nav .nav-dropdown-summary:hover{color:var(--fg)}.nav .nav-dropdown[open]>.nav-dropdown-summary{color:var(--fg)}.nav .nav-dropdown-summary:after{content:" ▾";font-size:.7em;color:var(--fg-dim)}.nav .nav-dropdown-panel{position:absolute;top:calc(100% + .4rem);left:0;z-index:10;min-width:12rem;background:var(--card-bg);border:1px solid var(--border);border-radius:8px;box-shadow:0 4px 12px #00000014;padding:.4rem 0;display:flex;flex-direction:column}.nav .nav-dropdown-item{padding:.4rem .85rem;color:var(--fg);font-size:.9rem;text-decoration:none}.nav .nav-dropdown-item:hover{background:var(--bg-soft);color:var(--fg);text-decoration:none}.nav .nav-dropdown-item-disabled{color:var(--fg-dim);cursor:not-allowed}.nav .nav-dropdown-item-disabled:hover{background:transparent;color:var(--fg-dim)}.nav .auth-spa{font-size:.85rem;color:var(--fg-muted)}.nav .auth-spa strong{font-weight:600;color:var(--fg)}.nav .auth-spa-signout{background:none;border:none;padding:0;color:var(--accent);font:inherit;cursor:pointer;text-decoration:underline;text-decoration-thickness:1px;text-underline-offset:2px}.nav .auth-spa-signout:hover:not(:disabled){color:var(--accent-hover)}.nav .auth-spa-signout:disabled{color:var(--fg-dim);cursor:not-allowed}h1{margin:0 0 .5rem;font-family:var(--font-serif);font-size:1.85rem;font-weight:400;letter-spacing:-.01em;line-height:1.2;color:var(--fg)}h2{margin:0 0 1rem;font-size:1.4rem;font-weight:500}.muted{color:var(--fg-muted);font-size:.92rem}.dim{color:var(--fg-dim);font-size:.85rem}.error-banner{background:var(--error-soft);border:1px solid var(--error);color:var(--error);padding:.75rem 1rem;border-radius:8px;margin-bottom:1rem;font-size:.9rem}.warn-banner{background:var(--warn-soft);border:1px solid var(--warn);color:var(--warn);padding:.75rem 1rem;border-radius:8px;margin-bottom:1rem;font-size:.9rem}.empty{padding:3rem 1.5rem;text-align:center;color:var(--fg-muted);background:var(--bg-soft);border-radius:10px}@keyframes pc-loading-pulse{0%,to{opacity:.55}50%{opacity:1}}[data-loading=true]{animation:pc-loading-pulse 1.4s ease-in-out infinite}.user-table tbody tr,.tokens-table tbody tr{transition:background-color .12s ease}.user-table tbody tr:hover,.tokens-table tbody tr:hover{background:var(--bg-soft)}@keyframes pc-route-fade-up{0%{opacity:0;transform:translateY(6px)}to{opacity:1;transform:translateY(0)}}[data-route-content]{animation:pc-route-fade-up .32s ease forwards}@media(prefers-reduced-motion:reduce){[data-loading=true],[data-route-content]{animation:none}}.table-scroll{overflow-x:auto;-webkit-overflow-scrolling:touch;background:linear-gradient(to right,var(--card-bg),var(--card-bg)) left center / 20px 100% no-repeat,linear-gradient(to right,#2c2a2614,#2c2a2600) left center / 8px 100% no-repeat,linear-gradient(to left,var(--card-bg),var(--card-bg)) right center / 20px 100% no-repeat,linear-gradient(to left,#2c2a2614,#2c2a2600) right center / 8px 100% no-repeat;background-attachment:local,scroll,local,scroll}.table-scroll>table{min-width:100%}.empty-rich{text-align:left;padding:2rem 1.75rem;background:#fff;border:1px solid var(--border)}.empty-rich .empty-headline{font-size:1.05rem;color:var(--fg);margin:0 0 .5rem;font-weight:500}.list-header{display:flex;align-items:baseline;justify-content:space-between;gap:1rem;margin-bottom:1rem}.list-header h1,.list-header h2{margin:0}.tag{display:inline-block;padding:.1em .55em;background:var(--accent-soft);color:var(--accent);border-radius:4px;font-size:.78rem;font-weight:500}.tag.muted{background:var(--bg-soft);color:var(--fg-muted)}.tag.source-oauth{background:#4a7cc61f;color:#3b6aa6}.tag.source-operator{background:#c6984a24;color:#8a5e1f}.tag.source-cli{background:#4a7c5924;color:#2f5a3f}.tag.source-unknown{background:var(--bg-soft);color:var(--fg-muted)}@media(prefers-color-scheme:dark){.tag.source-oauth{background:#7a9cdc24;color:#9bb6d8}.tag.source-operator{background:#dcb46e24;color:#d4b27a}.tag.source-cli{background:#7ab08a24;color:#8fc49e}.tag.source-unknown{background:#e8e4dc0f;color:#a8a49a}}.vault-row{display:flex;align-items:center;gap:1rem;padding:.85rem 1rem;background:#fff;border:1px solid var(--border);border-radius:8px;margin-bottom:.5rem;text-decoration:none;color:inherit;transition:border-color .15s ease}.vault-row:hover{border-color:var(--accent);text-decoration:none}.vault-row .body{flex:1;min-width:0}.vault-row .name{display:flex;align-items:center;gap:.5rem;flex-wrap:wrap}.vault-row .name code{font-size:.95em}.vault-row .url{margin-top:.25rem;word-break:break-all}.vault-row .chev{color:var(--fg-dim);font-size:1.2rem}.vault-row-group{margin-bottom:.5rem}.vault-row-group .vault-row{margin-bottom:0}.vault-row-actions{display:flex;gap:.5rem;align-items:center;flex-shrink:0}.mcp-connect-card{background:var(--bg-soft);border:1px solid var(--border);border-radius:8px;padding:1.1rem 1.25rem;margin:0 0 .5rem}.mcp-connect-card-embedded{background:#fff;margin-bottom:0}.mcp-connect-card h3{margin:0 0 .4rem;font-size:1rem}.mcp-connect-card>p{margin-top:0}.mcp-connect-card .token-box{display:flex;align-items:center;gap:.5rem;margin:.35rem 0 .25rem}.mcp-connect-card .token-box code{flex:1;font-size:.85rem;padding:.55rem .7rem;background:#fff;border:1px solid var(--border);border-radius:6px;word-break:break-all;-webkit-user-select:all;user-select:all}.mcp-field{margin-top:.9rem}.mcp-field-label{display:block;font-size:.82rem;font-weight:600;color:var(--fg-muted)}.mcp-field .dim{margin:.3rem 0 0}.mcp-token-path{margin-top:1rem;border-top:1px solid var(--border);padding-top:.75rem}.mcp-token-path>summary{cursor:pointer;font-size:.9rem;color:var(--fg-muted)}.mcp-token-path>summary:hover{color:var(--accent)}.mcp-token-path .mint-banner{margin-top:.75rem;margin-bottom:0}.mcp-docs-link{margin:.9rem 0 0}form .row{margin-bottom:1rem}form label{display:block;font-size:.9rem;color:var(--fg-muted);margin-bottom:.3rem;font-weight:500}form input[type=text]{width:100%}form .actions{display:flex;gap:.6rem;align-items:center;margin-top:1rem}form .field-hint{margin-top:.35rem;font-size:.82rem;color:var(--fg-dim)}form .field-error{margin-top:.35rem;font-size:.85rem;color:var(--error)}.section{background:#fff;border:1px solid var(--border);border-radius:10px;padding:1.25rem 1.5rem;margin-bottom:1.5rem}.mint-banner{background:var(--success-soft);border:1px solid var(--success);border-radius:10px;padding:1.25rem 1.5rem;margin-bottom:1.5rem}.mint-banner h3{margin:0 0 .5rem;font-size:1rem;color:var(--success)}.mint-banner .token-box{display:flex;align-items:center;gap:.5rem;margin:.85rem 0 .5rem}.mint-banner code{flex:1;font-size:.9rem;padding:.6rem .75rem;background:#fff;border:1px solid var(--border);word-break:break-all;-webkit-user-select:all;user-select:all}.mint-banner .warn{margin:.75rem 0 0;font-size:.85rem;color:var(--warn)}.mint-banner .actions{margin-top:1rem;display:flex;gap:.5rem}.kv{display:grid;grid-template-columns:8.5rem 1fr;gap:.5rem 1rem;font-size:.92rem}.kv>div:nth-child(odd){color:var(--fg-muted)}.kv code{word-break:break-all}.channel-toggle{margin:1.25rem 0 1.5rem;padding:.75rem 1rem;border:1px solid var(--border, #ddd);border-radius:6px;background:var(--bg-soft, #fafafa)}.channel-toggle legend{padding:0 .25rem;font-weight:600;font-size:.95rem}.channel-toggle label{display:inline-flex;align-items:center;gap:.4rem;margin-right:1.5rem;cursor:pointer;font-size:.95rem}.channel-toggle label input[type=radio]:disabled+*{opacity:.5}.channel-toggle code{font-size:.85em}.channel-toggle p.muted{margin:.4rem 0 0;font-size:.85rem}.module-config{display:flex;flex-direction:column;gap:1.25rem}.module-config-header h1{margin-bottom:.35rem}.module-config-form fieldset{border:0;padding:0;margin:0;display:flex;flex-direction:column;gap:1rem}.module-config-form .field{display:flex;flex-direction:column;gap:.25rem}.module-config-form .field input,.module-config-form .field select,.module-config-form .field textarea{width:100%}.module-config-form .field-inline{flex-direction:row;align-items:center;flex-wrap:wrap;gap:.5rem}.module-config-form .field-inline label{display:inline-flex;align-items:center;gap:.5rem}.module-config-form .field-inline .field-hint{flex-basis:100%;margin-left:1.6rem}.module-config-form .field-invalid input,.module-config-form .field-invalid select,.module-config-form .field-invalid textarea{border-color:var(--error)}.module-config-form .actions{display:flex;gap:.6rem;align-items:center;margin-top:.5rem}.module-config-form .actions button.destructive{background:#fff;color:var(--fg);border:1px solid var(--border)}.module-config-form .actions button.destructive:hover{background:var(--bg-soft)}.module-config-form .banner{margin:0;padding:.75rem 1rem;border-radius:6px;border:1px solid transparent;font-size:.9rem}.module-config-form .banner-success{background:var(--success-soft);border-color:var(--success);color:var(--success)}.module-config-form .banner-success p,.module-config-form .banner-success ul{margin:.4rem 0 0}.module-config-form .banner-error{background:var(--error-soft, rgba(163, 57, 43, .08));border-color:var(--error);color:var(--error)}.modules-installed,.modules-installable{margin-top:1.75rem}.modules-installed>h2,.modules-installable>h2{font-size:1.15rem;font-weight:600;margin:0 0 .75rem;color:var(--fg)}.modules-installed>p.muted,.modules-installable>p.muted{margin:0 0 .5rem}.install-list{list-style:none;padding:0;margin:0;display:flex;flex-direction:column;gap:.6rem}.install-card{display:flex;flex-direction:row;align-items:center;gap:1rem;flex-wrap:wrap;padding:.85rem 1rem;background:#fff;border:1px solid var(--border);border-radius:8px;transition:border-color .15s ease}.install-card:hover{border-color:var(--accent)}.install-card-body{flex:1 1 0;min-width:0}.install-card-body h3{margin:0 0 .2rem;font-size:1rem;font-weight:600;color:var(--fg)}.install-card-body .tagline{margin:0 0 .35rem;color:var(--fg-muted);font-size:.92rem}.install-card-meta{margin:0;font-size:.82rem}.install-card-actions{flex:0 0 auto}.install-card .error{flex-basis:100%;margin-top:.5rem;color:var(--error);font-size:.85rem}.hub-upgrade-card{border-left:3px solid var(--accent);margin-top:1.25rem}.hub-upgrade-card .warn-banner,.hub-upgrade-card .error-banner{flex-basis:100%;margin:.5rem 0 0;font-size:.85rem}.module-row .actions .btn,a.btn{display:inline-block;font:inherit;background:var(--accent);color:#fff;border:0;border-radius:6px;padding:.55rem 1.1rem;cursor:pointer;transition:background .15s ease;text-decoration:none}.module-row .actions .btn:hover,a.btn:hover{background:var(--accent-hover);text-decoration:none}.module-uis{margin:.5rem 0 0;padding:.5rem 0 0;border-top:1px solid var(--border-light)}.module-uis>summary{cursor:pointer;font-size:.88rem;color:var(--fg-muted);font-weight:500;padding:.15rem 0;list-style:revert}.module-uis>summary:hover{color:var(--fg)}.ui-sub-units{list-style:none;padding:0;margin:.5rem 0 0 1.1rem;display:flex;flex-direction:column;gap:.35rem}.ui-sub-unit{display:flex;flex-direction:row;align-items:center;gap:.65rem;padding:.5rem .75rem;background:var(--bg-soft);border:1px solid var(--border-light);border-radius:6px;transition:border-color .15s ease,background .15s ease}.ui-sub-unit:hover{border-color:var(--accent);background:#fff}.ui-icon{flex:0 0 auto;width:20px;height:20px;border-radius:4px;object-fit:contain}.ui-sub-unit-body{flex:1 1 0;min-width:0}.ui-sub-unit-link{color:var(--fg);font-size:.95rem;text-decoration:none}.ui-sub-unit-link:hover{color:var(--accent);text-decoration:underline}.ui-sub-unit-link strong{font-weight:600}.ui-sub-unit .tagline{margin:.2rem 0 0;font-size:.82rem;color:var(--fg-muted)}.status{flex:0 0 auto;display:inline-block;padding:.1em .55em;background:var(--bg-soft);color:var(--fg-muted);border-radius:4px;font-size:.78rem;font-weight:500;white-space:nowrap}.status-active{background:var(--success-soft);color:var(--success)}.status-pending{background:var(--warn-soft);color:var(--warn)}.status-inactive{background:var(--bg-soft);color:var(--fg-dim)}.status-failing{background:var(--error-soft);color:var(--error)}.status-absent{background:var(--bg-soft);color:var(--fg-dim)}.status-pending-oauth{background:var(--warn-soft);color:var(--warn)}.status-disabled{background:var(--bg-soft);color:var(--fg-dim)}.sr-only{position:absolute;width:1px;height:1px;padding:0;margin:-1px;overflow:hidden;clip:rect(0,0,0,0);white-space:nowrap;border:0}.hub-version-badge{margin-top:3rem;padding-top:1rem;border-top:1px solid var(--border-light);display:flex;flex-direction:column;align-items:flex-start;gap:.75rem;color:var(--fg-muted);font-size:.8rem}.hub-version-badge-summary{background:transparent;border:0;padding:0;margin:0;color:var(--fg-muted);font:inherit;cursor:pointer;text-align:left;border-radius:4px}.hub-version-badge-summary:hover{color:var(--fg);background:transparent}.hub-version-badge-summary strong{color:var(--fg);font-weight:600}.hub-version-badge-source{font-variant:small-caps;letter-spacing:.04em}.hub-version-badge-panel{background:var(--card-bg);border:1px solid var(--border);border-radius:8px;padding:.85rem 1rem;font-size:.85rem;color:var(--fg);width:100%;max-width:28rem}.hub-version-badge-panel dl{margin:0 0 .75rem;display:grid;grid-template-columns:max-content 1fr;gap:.3rem .85rem}.hub-version-badge-panel dt{color:var(--fg-muted);font-size:.78rem;text-transform:uppercase;letter-spacing:.06em;padding-top:.1rem}.hub-version-badge-panel dd{margin:0;color:var(--fg);word-break:break-all}.hub-version-badge-refresh{font-size:.8rem;padding:.35rem .85rem}.depcard-wrap{margin-top:.6rem}.depcard{border:1px solid var(--warn);background:var(--warn-soft);border-radius:8px;padding:.9rem 1rem}.depcard-heading{margin:0 0 .25rem;font-size:1rem}.depcard-why{margin:0 0 .75rem;font-size:.9rem}.depcard-installs-label{margin:0 0 .4rem;font-size:.85rem;font-weight:600}.depcard-install{margin-bottom:.55rem}.depcard-install.preferred .depcard-os{color:var(--accent);font-weight:600}.depcard-os{display:block;font-size:.78rem;text-transform:uppercase;letter-spacing:.05em;color:var(--fg-muted);margin-bottom:.2rem}.depcard-cmd{display:flex;align-items:stretch;gap:.4rem}.depcard-cmd-text{flex:1;margin:0;padding:.45rem .6rem;background:var(--card-bg, #fff);border:1px solid var(--border);border-radius:6px;font-size:.82rem;white-space:pre-wrap;overflow-x:auto}.depcard-copy{flex:0 0 auto;font-size:.8rem;padding:.35rem .7rem;align-self:flex-start}.depcard-docs{margin:.5rem 0 .4rem;font-size:.88rem}.depcard-hint{margin:0;font-size:.82rem}.depcard-fallback{color:var(--error);font-size:.9rem}
+:root{--bg: #faf8f4;--bg-soft: #f3f0ea;--fg: #2c2a26;--fg-muted: #6b6860;--fg-dim: #9a9690;--accent: #4a7c59;--accent-soft: rgba(74, 124, 89, .08);--accent-hover: #3d6849;--border: #e4e0d8;--border-light: #ece9e2;--card-bg: #ffffff;--error: #a3392b;--error-soft: rgba(163, 57, 43, .08);--warn: #b08023;--warn-soft: rgba(176, 128, 35, .08);--success: #3d6849;--success-soft: rgba(61, 104, 73, .08);--font-serif: Georgia, "Times New Roman", serif;--font-sans: -apple-system, BlinkMacSystemFont, "Segoe UI", system-ui, sans-serif;--font-mono: ui-monospace, "SF Mono", Menlo, Monaco, "Cascadia Mono", monospace;font-family:var(--font-sans)}*{box-sizing:border-box}html,body{margin:0;padding:0;background:var(--bg);color:var(--fg)}a{color:var(--accent);text-decoration:none}a:hover{text-decoration:underline}button{font:inherit;background:var(--accent);color:#fff;border:0;border-radius:6px;padding:.55rem 1.1rem;cursor:pointer;transition:background .15s ease}button:hover{background:var(--accent-hover)}button:disabled{opacity:.5;cursor:not-allowed}button.secondary{background:#fff;color:var(--fg);border:1px solid var(--border)}button.secondary:hover{background:var(--bg-soft)}input,select,textarea{font:inherit;background:#fff;border:1px solid var(--border);border-radius:6px;padding:.55rem .75rem;color:var(--fg)}input:focus,select:focus,textarea:focus{outline:none;border-color:var(--accent)}code{font-family:var(--font-mono);font-size:.85em;background:var(--bg-soft);padding:.1em .3em;border-radius:3px}.page{max-width:880px;margin:0 auto;padding:1.5rem 1.5rem 6rem}.nav{display:flex;flex-wrap:wrap;gap:.6rem 1rem;align-items:center;padding-bottom:1rem;border-bottom:1px solid var(--border);margin-bottom:2rem}.nav .brand{font-weight:600;font-family:var(--font-serif);font-size:1.15rem;margin-right:auto;display:inline-flex;align-items:center;gap:.45rem;color:var(--accent);text-decoration:none}.nav .brand:hover{color:var(--accent-hover);text-decoration:none}.nav .brand-mark-icon{flex-shrink:0;line-height:0}.nav .brand-wordmark{color:var(--fg);letter-spacing:-.005em}.nav .brand .sub{color:var(--fg-dim);font-size:.78rem;font-weight:400;margin-left:.4rem;font-family:var(--font-sans)}.nav a{color:var(--fg-muted);font-size:.95rem}.nav a:hover{text-decoration:none;color:var(--fg)}.nav a.nav-link-active{color:var(--accent);font-weight:500;text-decoration:underline;text-underline-offset:.3em;text-decoration-thickness:2px}.nav .nav-divider{display:inline-block;width:1px;height:1.1em;background:var(--border);align-self:center}.nav .nav-dropdown{position:relative}.nav .nav-dropdown-summary{list-style:none;cursor:pointer;color:var(--fg-muted);font-size:.95rem;-webkit-user-select:none;user-select:none}.nav .nav-dropdown-summary::-webkit-details-marker{display:none}.nav .nav-dropdown-summary:hover{color:var(--fg)}.nav .nav-dropdown[open]>.nav-dropdown-summary{color:var(--fg)}.nav .nav-dropdown-summary:after{content:" ▾";font-size:.7em;color:var(--fg-dim)}.nav .nav-dropdown-panel{position:absolute;top:calc(100% + .4rem);left:0;z-index:10;min-width:12rem;background:var(--card-bg);border:1px solid var(--border);border-radius:8px;box-shadow:0 4px 12px #00000014;padding:.4rem 0;display:flex;flex-direction:column}.nav .nav-dropdown-item{padding:.4rem .85rem;color:var(--fg);font-size:.9rem;text-decoration:none}.nav .nav-dropdown-item:hover{background:var(--bg-soft);color:var(--fg);text-decoration:none}.nav .nav-dropdown-item-disabled{color:var(--fg-dim);cursor:not-allowed}.nav .nav-dropdown-item-disabled:hover{background:transparent;color:var(--fg-dim)}.nav .auth-spa{font-size:.85rem;color:var(--fg-muted)}.nav .auth-spa strong{font-weight:600;color:var(--fg)}.nav .auth-spa-signout{background:none;border:none;padding:0;color:var(--accent);font:inherit;cursor:pointer;text-decoration:underline;text-decoration-thickness:1px;text-underline-offset:2px}.nav .auth-spa-signout:hover:not(:disabled){color:var(--accent-hover)}.nav .auth-spa-signout:disabled{color:var(--fg-dim);cursor:not-allowed}h1{margin:0 0 .5rem;font-family:var(--font-serif);font-size:1.85rem;font-weight:400;letter-spacing:-.01em;line-height:1.2;color:var(--fg)}h2{margin:0 0 1rem;font-size:1.4rem;font-weight:500}.muted{color:var(--fg-muted);font-size:.92rem}.dim{color:var(--fg-dim);font-size:.85rem}.error-banner{background:var(--error-soft);border:1px solid var(--error);color:var(--error);padding:.75rem 1rem;border-radius:8px;margin-bottom:1rem;font-size:.9rem}.warn-banner{background:var(--warn-soft);border:1px solid var(--warn);color:var(--warn);padding:.75rem 1rem;border-radius:8px;margin-bottom:1rem;font-size:.9rem}.empty{padding:3rem 1.5rem;text-align:center;color:var(--fg-muted);background:var(--bg-soft);border-radius:10px}@keyframes pc-loading-pulse{0%,to{opacity:.55}50%{opacity:1}}[data-loading=true]{animation:pc-loading-pulse 1.4s ease-in-out infinite}.user-table tbody tr,.tokens-table tbody tr{transition:background-color .12s ease}.user-table tbody tr:hover,.tokens-table tbody tr:hover{background:var(--bg-soft)}@keyframes pc-route-fade-up{0%{opacity:0;transform:translateY(6px)}to{opacity:1;transform:translateY(0)}}[data-route-content]{animation:pc-route-fade-up .32s ease forwards}@media(prefers-reduced-motion:reduce){[data-loading=true],[data-route-content]{animation:none}}.table-scroll{overflow-x:auto;-webkit-overflow-scrolling:touch;background:linear-gradient(to right,var(--card-bg),var(--card-bg)) left center / 20px 100% no-repeat,linear-gradient(to right,#2c2a2614,#2c2a2600) left center / 8px 100% no-repeat,linear-gradient(to left,var(--card-bg),var(--card-bg)) right center / 20px 100% no-repeat,linear-gradient(to left,#2c2a2614,#2c2a2600) right center / 8px 100% no-repeat;background-attachment:local,scroll,local,scroll}.table-scroll>table{min-width:100%}.empty-rich{text-align:left;padding:2rem 1.75rem;background:#fff;border:1px solid var(--border)}.empty-rich .empty-headline{font-size:1.05rem;color:var(--fg);margin:0 0 .5rem;font-weight:500}.list-header{display:flex;align-items:baseline;justify-content:space-between;gap:1rem;margin-bottom:1rem}.list-header h1,.list-header h2{margin:0}.tag{display:inline-block;padding:.1em .55em;background:var(--accent-soft);color:var(--accent);border-radius:4px;font-size:.78rem;font-weight:500}.tag.muted{background:var(--bg-soft);color:var(--fg-muted)}.tag.source-oauth{background:#4a7cc61f;color:#3b6aa6}.tag.source-operator{background:#c6984a24;color:#8a5e1f}.tag.source-cli{background:#4a7c5924;color:#2f5a3f}.tag.source-unknown{background:var(--bg-soft);color:var(--fg-muted)}@media(prefers-color-scheme:dark){.tag.source-oauth{background:#7a9cdc24;color:#9bb6d8}.tag.source-operator{background:#dcb46e24;color:#d4b27a}.tag.source-cli{background:#7ab08a24;color:#8fc49e}.tag.source-unknown{background:#e8e4dc0f;color:#a8a49a}}.vault-row{display:flex;align-items:center;gap:1rem;padding:.85rem 1rem;background:#fff;border:1px solid var(--border);border-radius:8px;margin-bottom:.5rem;text-decoration:none;color:inherit;transition:border-color .15s ease}.vault-row:hover{border-color:var(--accent);text-decoration:none}.vault-row .body{flex:1;min-width:0}.vault-row .name{display:flex;align-items:center;gap:.5rem;flex-wrap:wrap}.vault-row .name code{font-size:.95em}.vault-row .url{margin-top:.25rem;word-break:break-all}.vault-row .chev{color:var(--fg-dim);font-size:1.2rem}.vault-row-group{margin-bottom:.5rem}.vault-row-group .vault-row{margin-bottom:0}.vault-row-actions{display:flex;gap:.5rem;align-items:center;flex-shrink:0}.mcp-connect-card{background:var(--bg-soft);border:1px solid var(--border);border-radius:8px;padding:1.1rem 1.25rem;margin:0 0 .5rem}.mcp-connect-card-embedded{background:#fff;margin-bottom:0}.mcp-connect-card h3{margin:0 0 .4rem;font-size:1rem}.mcp-connect-card>p{margin-top:0}.mcp-connect-card .token-box{display:flex;align-items:center;gap:.5rem;margin:.35rem 0 .25rem}.mcp-connect-card .token-box code{flex:1;font-size:.85rem;padding:.55rem .7rem;background:#fff;border:1px solid var(--border);border-radius:6px;word-break:break-all;-webkit-user-select:all;user-select:all}.mcp-field{margin-top:.9rem}.mcp-field-label{display:block;font-size:.82rem;font-weight:600;color:var(--fg-muted)}.mcp-field .dim{margin:.3rem 0 0}.mcp-token-path{margin-top:1rem;border-top:1px solid var(--border);padding-top:.75rem}.mcp-token-path>summary{cursor:pointer;font-size:.9rem;color:var(--fg-muted)}.mcp-token-path>summary:hover{color:var(--accent)}.mcp-token-path .mint-banner{margin-top:.75rem;margin-bottom:0}.mcp-docs-link{margin:.9rem 0 0}form .row{margin-bottom:1rem}form label{display:block;font-size:.9rem;color:var(--fg-muted);margin-bottom:.3rem;font-weight:500}form input[type=text]{width:100%}form .actions{display:flex;gap:.6rem;align-items:center;margin-top:1rem}form .field-hint{margin-top:.35rem;font-size:.82rem;color:var(--fg-dim)}form .field-error{margin-top:.35rem;font-size:.85rem;color:var(--error)}.section{background:#fff;border:1px solid var(--border);border-radius:10px;padding:1.25rem 1.5rem;margin-bottom:1.5rem}.mint-banner{background:var(--success-soft);border:1px solid var(--success);border-radius:10px;padding:1.25rem 1.5rem;margin-bottom:1.5rem}.mint-banner h3{margin:0 0 .5rem;font-size:1rem;color:var(--success)}.mint-banner .token-box{display:flex;align-items:center;gap:.5rem;margin:.85rem 0 .5rem}.mint-banner code{flex:1;font-size:.9rem;padding:.6rem .75rem;background:#fff;border:1px solid var(--border);word-break:break-all;-webkit-user-select:all;user-select:all}.mint-banner .warn{margin:.75rem 0 0;font-size:.85rem;color:var(--warn)}.mint-banner .actions{margin-top:1rem;display:flex;gap:.5rem}.kv{display:grid;grid-template-columns:8.5rem 1fr;gap:.5rem 1rem;font-size:.92rem}.kv>div:nth-child(odd){color:var(--fg-muted)}.kv code{word-break:break-all}.channel-toggle{margin:1.25rem 0 1.5rem;padding:.75rem 1rem;border:1px solid var(--border, #ddd);border-radius:6px;background:var(--bg-soft, #fafafa)}.channel-toggle legend{padding:0 .25rem;font-weight:600;font-size:.95rem}.channel-toggle label{display:inline-flex;align-items:center;gap:.4rem;margin-right:1.5rem;cursor:pointer;font-size:.95rem}.channel-toggle label input[type=radio]:disabled+*{opacity:.5}.channel-toggle code{font-size:.85em}.channel-toggle p.muted{margin:.4rem 0 0;font-size:.85rem}.module-config{display:flex;flex-direction:column;gap:1.25rem}.module-config-header h1{margin-bottom:.35rem}.module-config-form fieldset{border:0;padding:0;margin:0;display:flex;flex-direction:column;gap:1rem}.module-config-form .field{display:flex;flex-direction:column;gap:.25rem}.module-config-form .field input,.module-config-form .field select,.module-config-form .field textarea{width:100%}.module-config-form .field-inline{flex-direction:row;align-items:center;flex-wrap:wrap;gap:.5rem}.module-config-form .field-inline label{display:inline-flex;align-items:center;gap:.5rem}.module-config-form .field-inline .field-hint{flex-basis:100%;margin-left:1.6rem}.module-config-form .field-invalid input,.module-config-form .field-invalid select,.module-config-form .field-invalid textarea{border-color:var(--error)}.module-config-form .actions{display:flex;gap:.6rem;align-items:center;margin-top:.5rem}.module-config-form .actions button.destructive{background:#fff;color:var(--fg);border:1px solid var(--border)}.module-config-form .actions button.destructive:hover{background:var(--bg-soft)}.module-config-form .banner{margin:0;padding:.75rem 1rem;border-radius:6px;border:1px solid transparent;font-size:.9rem}.module-config-form .banner-success{background:var(--success-soft);border-color:var(--success);color:var(--success)}.module-config-form .banner-success p,.module-config-form .banner-success ul{margin:.4rem 0 0}.module-config-form .banner-error{background:var(--error-soft, rgba(163, 57, 43, .08));border-color:var(--error);color:var(--error)}.modules-installed,.modules-installable{margin-top:1.75rem}.modules-installed>h2,.modules-installable>h2{font-size:1.15rem;font-weight:600;margin:0 0 .75rem;color:var(--fg)}.modules-installed>p.muted,.modules-installable>p.muted{margin:0 0 .5rem}.install-list{list-style:none;padding:0;margin:0;display:flex;flex-direction:column;gap:.6rem}.install-card{display:flex;flex-direction:row;align-items:center;gap:1rem;flex-wrap:wrap;padding:.85rem 1rem;background:#fff;border:1px solid var(--border);border-radius:8px;transition:border-color .15s ease}.install-card:hover{border-color:var(--accent)}.install-card-body{flex:1 1 0;min-width:0}.install-card-body h3{margin:0 0 .2rem;font-size:1rem;font-weight:600;color:var(--fg)}.install-card-body .tagline{margin:0 0 .35rem;color:var(--fg-muted);font-size:.92rem}.install-card-meta{margin:0;font-size:.82rem}.install-card-actions{flex:0 0 auto}.install-card .error{flex-basis:100%;margin-top:.5rem;color:var(--error);font-size:.85rem}.hub-upgrade-card{border-left:3px solid var(--accent);margin-top:1.25rem}.hub-upgrade-card .warn-banner,.hub-upgrade-card .error-banner{flex-basis:100%;margin:.5rem 0 0;font-size:.85rem}.module-row .actions .btn,a.btn{display:inline-block;font:inherit;background:var(--accent);color:#fff;border:0;border-radius:6px;padding:.55rem 1.1rem;cursor:pointer;transition:background .15s ease;text-decoration:none}.module-row .actions .btn:hover,a.btn:hover{background:var(--accent-hover);text-decoration:none}.module-uis{margin:.5rem 0 0;padding:.5rem 0 0;border-top:1px solid var(--border-light)}.module-uis>summary{cursor:pointer;font-size:.88rem;color:var(--fg-muted);font-weight:500;padding:.15rem 0;list-style:revert}.module-uis>summary:hover{color:var(--fg)}.ui-sub-units{list-style:none;padding:0;margin:.5rem 0 0 1.1rem;display:flex;flex-direction:column;gap:.35rem}.ui-sub-unit{display:flex;flex-direction:row;align-items:center;gap:.65rem;padding:.5rem .75rem;background:var(--bg-soft);border:1px solid var(--border-light);border-radius:6px;transition:border-color .15s ease,background .15s ease}.ui-sub-unit:hover{border-color:var(--accent);background:#fff}.ui-icon{flex:0 0 auto;width:20px;height:20px;border-radius:4px;object-fit:contain}.ui-sub-unit-body{flex:1 1 0;min-width:0}.ui-sub-unit-link{color:var(--fg);font-size:.95rem;text-decoration:none}.ui-sub-unit-link:hover{color:var(--accent);text-decoration:underline}.ui-sub-unit-link strong{font-weight:600}.ui-sub-unit .tagline{margin:.2rem 0 0;font-size:.82rem;color:var(--fg-muted)}.status{flex:0 0 auto;display:inline-block;padding:.1em .55em;background:var(--bg-soft);color:var(--fg-muted);border-radius:4px;font-size:.78rem;font-weight:500;white-space:nowrap}.status-active{background:var(--success-soft);color:var(--success)}.status-pending{background:var(--warn-soft);color:var(--warn)}.status-inactive{background:var(--bg-soft);color:var(--fg-dim)}.status-failing{background:var(--error-soft);color:var(--error)}.status-absent{background:var(--bg-soft);color:var(--fg-dim)}.status-redeemed{background:var(--success-soft);color:var(--success)}.status-expired,.status-revoked{background:var(--bg-soft);color:var(--fg-dim)}.status-pending-oauth{background:var(--warn-soft);color:var(--warn)}.status-disabled{background:var(--bg-soft);color:var(--fg-dim)}.sr-only{position:absolute;width:1px;height:1px;padding:0;margin:-1px;overflow:hidden;clip:rect(0,0,0,0);white-space:nowrap;border:0}.hub-version-badge{margin-top:3rem;padding-top:1rem;border-top:1px solid var(--border-light);display:flex;flex-direction:column;align-items:flex-start;gap:.75rem;color:var(--fg-muted);font-size:.8rem}.hub-version-badge-summary{background:transparent;border:0;padding:0;margin:0;color:var(--fg-muted);font:inherit;cursor:pointer;text-align:left;border-radius:4px}.hub-version-badge-summary:hover{color:var(--fg);background:transparent}.hub-version-badge-summary strong{color:var(--fg);font-weight:600}.hub-version-badge-source{font-variant:small-caps;letter-spacing:.04em}.hub-version-badge-panel{background:var(--card-bg);border:1px solid var(--border);border-radius:8px;padding:.85rem 1rem;font-size:.85rem;color:var(--fg);width:100%;max-width:28rem}.hub-version-badge-panel dl{margin:0 0 .75rem;display:grid;grid-template-columns:max-content 1fr;gap:.3rem .85rem}.hub-version-badge-panel dt{color:var(--fg-muted);font-size:.78rem;text-transform:uppercase;letter-spacing:.06em;padding-top:.1rem}.hub-version-badge-panel dd{margin:0;color:var(--fg);word-break:break-all}.hub-version-badge-refresh{font-size:.8rem;padding:.35rem .85rem}.depcard-wrap{margin-top:.6rem}.depcard{border:1px solid var(--warn);background:var(--warn-soft);border-radius:8px;padding:.9rem 1rem}.depcard-heading{margin:0 0 .25rem;font-size:1rem}.depcard-why{margin:0 0 .75rem;font-size:.9rem}.depcard-installs-label{margin:0 0 .4rem;font-size:.85rem;font-weight:600}.depcard-install{margin-bottom:.55rem}.depcard-install.preferred .depcard-os{color:var(--accent);font-weight:600}.depcard-os{display:block;font-size:.78rem;text-transform:uppercase;letter-spacing:.05em;color:var(--fg-muted);margin-bottom:.2rem}.depcard-cmd{display:flex;align-items:stretch;gap:.4rem}.depcard-cmd-text{flex:1;margin:0;padding:.45rem .6rem;background:var(--card-bg, #fff);border:1px solid var(--border);border-radius:6px;font-size:.82rem;white-space:pre-wrap;overflow-x:auto}.depcard-copy{flex:0 0 auto;font-size:.8rem;padding:.35rem .7rem;align-self:flex-start}.depcard-docs{margin:.5rem 0 .4rem;font-size:.88rem}.depcard-hint{margin:0;font-size:.82rem}.depcard-fallback{color:var(--error);font-size:.9rem}