@openparachute/hub 0.6.5-rc.7 → 0.7.0

package/src/api-modules-config.ts

@@ -1,421 +0,0 @@
-/**
- * `/api/modules/:short/config[/schema]` — admin SPA's module-config surface.
- *
- * The admin SPA renders a generic per-module config form at
- * `/admin/modules/<short>/config`. It fetches three things off this hub-side
- * endpoint:
- *
- *   - `GET /api/modules/:short/config/schema` → the module's draft-07 JSON
- *     Schema (`{type:"object", properties:{...}, required:[...]}`).
- *   - `GET /api/modules/:short/config`         → the module's current
- *     resolved values (keys present in the schema; `writeOnly` keys omitted).
- *   - `PUT /api/modules/:short/config`         → write new values; module
- *     validates against its own schema and 4xx's on shape errors.
- *
- * Hub doesn't own the schema or the values — it just proxies to the module's
- * own runtime endpoints (`/.parachute/config/schema`, `/.parachute/config`).
- * Two reasons to wrap rather than expose the proxy directly:
- *
- *   1. **Scope translation (Option A).** Modules enforce per-module scopes
- *      on `/.parachute/config*` (e.g. scribe requires `scribe:admin`). The
- *      admin SPA's session-derived bearer carries `parachute:host:admin`,
- *      not `<short>:admin`. We mint a fresh short-lived `<short>:admin`
- *      JWT at proxy time so the upstream auth gate is satisfied without
- *      handing the operator a permanent module-scoped bearer.
- *   2. **Curated set + clean errors.** We restrict the surface to
- *      `CURATED_MODULES` (vault / notes / scribe) and surface a clean
- *      "module not installed" / "module has no config schema" empty state
- *      rather than the upstream's raw 404. The admin UI gets a consistent
- *      contract across modules even if individual modules drift on shape.
- *
- * Bearer-gated on `parachute:host:admin` (same scope as install / upgrade —
- * config writes are destructive operator-only state changes). A read-only
- * `parachute:host:auth` token gets 403 here. The SPA's host-admin mint at
- * `/admin/host-admin-token` carries both scopes so the SPA path works.
- *
- * Option A vs B trade-off (Aaron's hub#260 brief): hub mints a one-shot
- * `<short>:admin` JWT (audience = module short, ttl = 60s) and proxies
- * the request with that bearer. The alternative (modules accept
- * `parachute:host:admin` as a master scope) would centralize the override
- * in the wrong place — each module would need to know hub's scope vocabulary
- * and the master-scope concept would creep into module auth surfaces. The
- * mint-and-forward shape keeps every module ignorant of hub's session model
- * — they enforce their own scope as if a real `<short>:admin` token came
- * over the wire, which is exactly what hub gave them.
- */
-
-import type { Database } from "bun:sqlite";
-import { CURATED_MODULES, type CuratedModuleShort } from "./api-modules.ts";
-import { signAccessToken, validateAccessToken } from "./jwt-sign.ts";
-import { FIRST_PARTY_FALLBACKS, KNOWN_MODULES } from "./service-spec.ts";
-import { readManifestLenient } from "./services-manifest.ts";
-
-/**
- * Resolve a curated short to its services.json `manifestName` key. Consults
- * both FIRST_PARTY_FALLBACKS (notes / channel) and KNOWN_MODULES
- * (vault / scribe / runner — post-FALLBACK retirement, hub#310). Returns
- * undefined when the short is unknown (shouldn't happen in this file — the
- * parsing layer restricts to CURATED_MODULES).
- */
-function manifestNameForShort(short: string): string | undefined {
-  return FIRST_PARTY_FALLBACKS[short]?.manifest.manifestName ?? KNOWN_MODULES[short]?.manifestName;
-}
-
-/**
- * Vendored fallback paths for the FIRST_PARTY_FALLBACKS shorts (notes /
- * channel). KNOWN_MODULES shorts (vault / scribe / runner) don't carry
- * vendored paths — they self-register and services.json is authoritative;
- * absent a services.json entry the module is "not installed."
- */
-function fallbackPathsForShort(short: string): readonly string[] | undefined {
-  return FIRST_PARTY_FALLBACKS[short]?.manifest.paths;
-}
-
-function fallbackStripPrefixForShort(short: string): boolean | undefined {
-  return FIRST_PARTY_FALLBACKS[short]?.manifest.stripPrefix;
-}
-
-/** Scope required on the SPA's bearer to call any of these endpoints. */
-export const API_MODULES_CONFIG_REQUIRED_SCOPE = "parachute:host:admin";
-
-/** TTL on the minted module-scoped JWT we forward upstream. */
-export const MODULE_CONFIG_PROXY_TOKEN_TTL_SECONDS = 60;
-
-/** client_id stamped on the minted proxy token. Audit-friendly. */
-export const MODULE_CONFIG_PROXY_CLIENT_ID = "parachute-hub-module-config-proxy";
-
-export interface ApiModulesConfigDeps {
-  db: Database;
-  /** Hub origin — sets `iss` on the minted proxy token AND validates the SPA bearer. */
-  issuer: string;
-  /** services.json path. Module-mount + port come from here. */
-  manifestPath: string;
-  /**
-   * Loopback fetch — production calls `fetch()`; tests inject a fake that
-   * returns a canned Response without binding a port. Defaults to global
-   * `fetch`.
-   */
-  upstreamFetch?: (url: string, init: RequestInit) => Promise<Response>;
-  /** Test seam over wall-clock — passed through to `signAccessToken`. */
-  now?: () => Date;
-}
-
-interface PathMatch {
-  short: CuratedModuleShort;
-  /** `""` for `/api/modules/<short>/config`, `"schema"` for `.../schema`. */
-  suffix: "" | "schema";
-}
-
-/**
- * Parse `/api/modules/<short>/config` or `/api/modules/<short>/config/schema`.
- * Returns undefined for any other shape so the caller can fall through to
- * other `/api/modules/...` handlers (install / upgrade / etc.).
- */
-export function parseModulesConfigPath(pathname: string): PathMatch | undefined {
-  const prefix = "/api/modules/";
-  if (!pathname.startsWith(prefix)) return undefined;
-  const tail = pathname.slice(prefix.length);
-  // Accept exactly `<short>/config` or `<short>/config/schema`.
-  const m = tail.match(/^([a-z][a-z0-9-]*)\/config(\/schema)?$/);
-  if (!m) return undefined;
-  const short = m[1];
-  if (!CURATED_MODULES.includes(short as CuratedModuleShort)) return undefined;
-  return {
-    short: short as CuratedModuleShort,
-    suffix: m[2] ? "schema" : "",
-  };
-}
-
-/**
- * Look up a module's upstream `http://127.0.0.1:<port>/<mount>` base URL.
- * Returns `{installed: false}` when the module isn't in services.json —
- * the SPA renders an empty state pointing the operator at /admin/modules
- * to install it first.
- *
- * `hostsBareParachute` is true when the module declares `/.parachute` in
- * its `paths[]`, meaning it serves the universal module-protocol endpoints
- * at the bare URL (no module-name prefix) — runner is the first example.
- * This is independent of `stripPrefix`: runner ships
- * `paths: ["/runner", "/.parachute"]` with `stripPrefix: false` because its
- * `/runner/jobs` admin endpoints want the literal `/runner` prefix, but
- * `/.parachute/config` is hosted bare. See `buildUpstreamPath`.
- */
-function resolveUpstream(
-  short: CuratedModuleShort,
-  manifestPath: string,
-):
-  | {
-      installed: true;
-      port: number;
-      mount: string;
-      stripPrefix: boolean;
-      hostsBareParachute: boolean;
-    }
-  | { installed: false } {
-  const manifestName = manifestNameForShort(short);
-  if (!manifestName) return { installed: false };
-  // Lenient — see hub#406.
-  const manifest = readManifestLenient(manifestPath);
-  const entry = manifest.services.find((s) => s.name === manifestName);
-  if (!entry) return { installed: false };
-  // Mount = the first path the service registers (canonical convention
-  // matches `findServiceUpstream` in hub-server.ts). Strip prefix mirrors
-  // the proxy's `stripPrefixFor` — explicit on-entry wins, fallback supplies
-  // the default. We compute it here rather than threading the proxy helper
-  // because we're constructing the upstream URL ourselves, not piggy-backing
-  // on `proxyRequest`.
-  //
-  // KNOWN_MODULES shorts (vault / scribe / runner) self-register their
-  // canonical `paths` + `stripPrefix` into the entry on boot, so the
-  // fallback-paths consultation below is a no-op for them — only notes /
-  // channel still need the vendored fallback shape.
-  const fbPaths = fallbackPathsForShort(short);
-  const fbStripPrefix = fallbackStripPrefixForShort(short);
-  const mount = entry.paths[0] ?? fbPaths?.[0] ?? "/";
-  const stripPrefix =
-    entry.stripPrefix !== undefined ? entry.stripPrefix : (fbStripPrefix ?? false);
-  // Check both the live services.json entry (operator-authoritative) and the
-  // vendored fallback (so a `bun link` install without a written entry still
-  // routes correctly for notes / channel). Match a trailing slash too —
-  // `["/.parachute/"]` is the same intent as `["/.parachute"]`.
-  const isBareParachute = (p: string): boolean =>
-    p === "/.parachute" || p === "/.parachute/" || p.startsWith("/.parachute/");
-  const hostsBareParachute =
-    entry.paths.some(isBareParachute) || (fbPaths?.some(isBareParachute) ?? false);
-  return { installed: true, port: entry.port, mount, stripPrefix, hostsBareParachute };
-}
-
-/**
- * Build the upstream URL for `.parachute/config[/schema]`.
- *
- * The `/.parachute/*` endpoints (info, config, config/schema, clear-credential)
- * are the **universal module protocol** — every module speaks them, and the
- * shape they take depends on how the module exposes its mount(s):
- *
- *   1. **Module declares `/.parachute` in its `paths[]`** (runner-shape):
- *      the module hosts the bare URL `/.parachute/config[/schema]` directly
- *      and the proxy forwards there with no prefix, regardless of
- *      `stripPrefix`. This is the explicit "I serve the universal endpoints
- *      at the bare URL" declaration.
- *   2. **`stripPrefix: true`** (scribe-shape): the proxy strips the module
- *      mount on every request, so the bare `/.parachute/config[/schema]`
- *      is what the module sees on the wire — same result as case 1.
- *   3. **`stripPrefix: false` and no `/.parachute` in paths** (vault/notes-
- *      shape): the proxy preserves the mount prefix
- *      (`/vault/default/.parachute/config`). Vault routes its
- *      `.parachute/config` per-vault, scoped under the `/vault/<name>` mount,
- *      so it explicitly NEEDS the prefix to know which vault the request
- *      targets.
- *
- * Case 1 was the gap that hub#307 fixed: runner ships
- * `paths: ["/runner", "/.parachute"]` with `stripPrefix: false`. Before this
- * fix, the proxy built `/runner/.parachute/config` because it only saw
- * `paths[0]` and the stripPrefix flag — runner's HTTP server matches
- * `/.parachute/config` literally and 404'd. Detecting the `/.parachute`
- * declaration in `paths[]` lets runner (and any future module with the same
- * shape) route correctly without affecting vault.
- */
-function buildUpstreamPath(
-  mount: string,
-  stripPrefix: boolean,
-  hostsBareParachute: boolean,
-  suffix: "" | "schema",
-): string {
-  const inner = suffix === "schema" ? "/.parachute/config/schema" : "/.parachute/config";
-  // Universal-protocol short-circuit: a module that declares `/.parachute`
-  // in its paths[] hosts the bare URL — same upstream path whether
-  // stripPrefix is true or false.
-  if (hostsBareParachute) return inner;
-  if (stripPrefix) return inner;
-  // Normalize trailing slash (mirrors `findServiceUpstream`'s normalization
-  // so a `paths: ["/scribe/"]` entry doesn't double-slash).
-  const norm = mount.replace(/\/+$/, "") || "";
-  return `${norm}${inner}`;
-}
-
-/**
- * Validate the SPA's bearer + extract its scopes. Returns either an error
- * response or the parsed sub.
- */
-async function authorize(
-  req: Request,
-  deps: ApiModulesConfigDeps,
-): Promise<Response | { sub: string }> {
-  const auth = req.headers.get("authorization");
-  if (!auth || !auth.startsWith("Bearer ")) {
-    return jsonError(401, "unauthenticated", "Authorization: Bearer <token> required");
-  }
-  const bearer = auth.slice("Bearer ".length).trim();
-  if (!bearer) return jsonError(401, "unauthenticated", "empty bearer token");
-  try {
-    const validated = await validateAccessToken(deps.db, bearer, deps.issuer);
-    const sub = validated.payload.sub;
-    if (typeof sub !== "string" || sub.length === 0) {
-      return jsonError(401, "unauthenticated", "bearer token has no sub claim");
-    }
-    const scopes =
-      typeof validated.payload.scope === "string"
-        ? validated.payload.scope.split(/\s+/).filter((s) => s.length > 0)
-        : [];
-    if (!scopes.includes(API_MODULES_CONFIG_REQUIRED_SCOPE)) {
-      return jsonError(
-        403,
-        "insufficient_scope",
-        `bearer token lacks ${API_MODULES_CONFIG_REQUIRED_SCOPE}`,
-      );
-    }
-    return { sub };
-  } catch (err) {
-    const msg = err instanceof Error ? err.message : String(err);
-    return jsonError(401, "unauthenticated", `bearer token invalid — ${msg}`);
-  }
-}
-
-/**
- * Mint a short-lived `<short>:admin` JWT to forward upstream. Re-uses the
- * existing `signAccessToken` plumbing (active signing key from the DB,
- * RS256, iss-stamped); audience = `short` so the module's audience check
- * passes. The token is NOT recorded in the tokens registry — it's a
- * one-shot proxy artifact, dies on its own in 60s, and we never hand it
- * to a caller.
- */
-async function mintProxyToken(
-  short: CuratedModuleShort,
-  sub: string,
-  deps: ApiModulesConfigDeps,
-): Promise<string> {
-  const opts: Parameters<typeof signAccessToken>[1] = {
-    sub,
-    scopes: [`${short}:admin`],
-    audience: short,
-    clientId: MODULE_CONFIG_PROXY_CLIENT_ID,
-    issuer: deps.issuer,
-    ttlSeconds: MODULE_CONFIG_PROXY_TOKEN_TTL_SECONDS,
-  };
-  if (deps.now) opts.now = deps.now;
-  const signed = await signAccessToken(deps.db, opts);
-  return signed.token;
-}
-
-/**
- * Top-level dispatcher for `/api/modules/:short/config[/schema]`.
- *
- *   - `GET    /api/modules/:short/config/schema` → upstream `/.parachute/config/schema`
- *   - `GET    /api/modules/:short/config`        → upstream `/.parachute/config`
- *   - `PUT    /api/modules/:short/config`        → upstream `/.parachute/config` (PUT)
- *
- * Other verbs return 405.
- */
-export async function handleApiModulesConfig(
-  req: Request,
-  match: PathMatch,
-  deps: ApiModulesConfigDeps,
-): Promise<Response> {
-  // Method gate per route. PUT only valid on the bare `config` path.
-  if (match.suffix === "schema") {
-    if (req.method !== "GET") return jsonError(405, "method_not_allowed", "use GET");
-  } else {
-    if (req.method !== "GET" && req.method !== "PUT") {
-      return jsonError(405, "method_not_allowed", "use GET or PUT");
-    }
-  }
-
-  // Auth.
-  const authOut = await authorize(req, deps);
-  if (authOut instanceof Response) return authOut;
-  const { sub } = authOut;
-
-  // Resolve upstream from services.json. Not-installed = clean empty state
-  // so the SPA can prompt the operator to install first.
-  const upstream = resolveUpstream(match.short, deps.manifestPath);
-  if (!upstream.installed) {
-    return jsonError(
-      404,
-      "module_not_installed",
-      `module "${match.short}" is not installed; visit /admin/modules to install it first`,
-    );
-  }
-
-  // Mint the per-request `<short>:admin` proxy token (Option A).
-  let proxyToken: string;
-  try {
-    proxyToken = await mintProxyToken(match.short, sub, deps);
-  } catch (err) {
-    const msg = err instanceof Error ? err.message : String(err);
-    return jsonError(500, "mint_failed", `failed to mint proxy token — ${msg}`);
-  }
-
-  // Build upstream URL.
-  const path = buildUpstreamPath(
-    upstream.mount,
-    upstream.stripPrefix,
-    upstream.hostsBareParachute,
-    match.suffix,
-  );
-  const url = `http://127.0.0.1:${upstream.port}${path}`;
-
-  // Forward. We carry method + body through. The SPA's Authorization
-  // header is dropped (it's the host-admin scope, not what the module
-  // wants); we substitute the freshly-minted module-scoped JWT.
-  const init: RequestInit & { duplex?: "half" } = {
-    method: req.method,
-    headers: {
-      authorization: `Bearer ${proxyToken}`,
-      // Preserve content-type on PUT — modules parse JSON bodies based on
-      // it. Default to application/json so a SPA that forgot the header
-      // doesn't accidentally hit a text/plain body path upstream.
-      "content-type": req.headers.get("content-type") ?? "application/json",
-      accept: req.headers.get("accept") ?? "application/json",
-    },
-    redirect: "manual",
-  };
-  if (req.method === "PUT") {
-    init.body = req.body;
-    init.duplex = "half";
-  }
-
-  let upstreamRes: Response;
-  try {
-    const fetchFn = deps.upstreamFetch ?? fetch;
-    upstreamRes = await fetchFn(url, init);
-  } catch (err) {
-    const msg = err instanceof Error ? err.message : String(err);
-    return jsonError(
-      502,
-      "upstream_unreachable",
-      `module "${match.short}" upstream unreachable: ${msg}`,
-    );
-  }
-
-  // Special case: a module GET-schema that returns 404 means the module
-  // is up but doesn't expose `.parachute/config/schema`. Surface a
-  // distinguishable error so the SPA can render "this module has no
-  // operator-editable config" rather than a generic 404. Same for the
-  // bare `/.parachute/config` GET (some module versions may ship one
-  // without the other; we treat both upstream 404s as "no schema").
-  if (upstreamRes.status === 404 && req.method === "GET") {
-    return jsonError(
-      404,
-      "no_config_schema",
-      `module "${match.short}" does not expose a config schema at /.parachute/config/schema`,
-    );
-  }
-
-  // For all other responses, forward verbatim — body, status, and
-  // content-type. Modules already shape their own error bodies (scribe
-  // uses `{error, message, errors[]}` on a 400 validation fail); the
-  // SPA renders the module's message inline.
-  const body = await upstreamRes.text();
-  const headers = new Headers();
-  const ct = upstreamRes.headers.get("content-type");
-  if (ct) headers.set("content-type", ct);
-  else headers.set("content-type", "application/json");
-  return new Response(body, { status: upstreamRes.status, headers });
-}
-
-function jsonError(status: number, code: string, description: string): Response {
-  return new Response(JSON.stringify({ error: code, error_description: description }), {
-    status,
-    headers: { "content-type": "application/json" },
-  });
-}

package/web/ui/dist/assets/index-BYYUeLGA.css

@@ -1 +0,0 @@
-:root{--bg: #faf8f4;--bg-soft: #f3f0ea;--fg: #2c2a26;--fg-muted: #6b6860;--fg-dim: #9a9690;--accent: #4a7c59;--accent-soft: rgba(74, 124, 89, .08);--accent-hover: #3d6849;--border: #e4e0d8;--border-light: #ece9e2;--card-bg: #ffffff;--error: #a3392b;--error-soft: rgba(163, 57, 43, .08);--warn: #b08023;--warn-soft: rgba(176, 128, 35, .08);--success: #3d6849;--success-soft: rgba(61, 104, 73, .08);--font-serif: Georgia, "Times New Roman", serif;--font-sans: -apple-system, BlinkMacSystemFont, "Segoe UI", system-ui, sans-serif;--font-mono: ui-monospace, "SF Mono", Menlo, Monaco, "Cascadia Mono", monospace;font-family:var(--font-sans)}*{box-sizing:border-box}html,body{margin:0;padding:0;background:var(--bg);color:var(--fg)}a{color:var(--accent);text-decoration:none}a:hover{text-decoration:underline}button{font:inherit;background:var(--accent);color:#fff;border:0;border-radius:6px;padding:.55rem 1.1rem;cursor:pointer;transition:background .15s ease}button:hover{background:var(--accent-hover)}button:disabled{opacity:.5;cursor:not-allowed}button.secondary{background:#fff;color:var(--fg);border:1px solid var(--border)}button.secondary:hover{background:var(--bg-soft)}input,select,textarea{font:inherit;background:#fff;border:1px solid var(--border);border-radius:6px;padding:.55rem .75rem;color:var(--fg)}input:focus,select:focus,textarea:focus{outline:none;border-color:var(--accent)}code{font-family:var(--font-mono);font-size:.85em;background:var(--bg-soft);padding:.1em .3em;border-radius:3px}.page{max-width:880px;margin:0 auto;padding:1.5rem 1.5rem 6rem}.nav{display:flex;flex-wrap:wrap;gap:.6rem 1rem;align-items:center;padding-bottom:1rem;border-bottom:1px solid var(--border);margin-bottom:2rem}.nav .brand{font-weight:600;font-family:var(--font-serif);font-size:1.15rem;margin-right:auto;display:inline-flex;align-items:center;gap:.45rem;color:var(--accent);text-decoration:none}.nav .brand:hover{color:var(--accent-hover);text-decoration:none}.nav .brand-mark-icon{flex-shrink:0;line-height:0}.nav .brand-wordmark{color:var(--fg);letter-spacing:-.005em}.nav .brand .sub{color:var(--fg-dim);font-size:.78rem;font-weight:400;margin-left:.4rem;font-family:var(--font-sans)}.nav a{color:var(--fg-muted);font-size:.95rem}.nav a:hover{text-decoration:none;color:var(--fg)}.nav a.nav-link-active{color:var(--accent);font-weight:500;text-decoration:underline;text-underline-offset:.3em;text-decoration-thickness:2px}.nav .nav-divider{display:inline-block;width:1px;height:1.1em;background:var(--border);align-self:center}.nav .nav-dropdown{position:relative}.nav .nav-dropdown-summary{list-style:none;cursor:pointer;color:var(--fg-muted);font-size:.95rem;-webkit-user-select:none;user-select:none}.nav .nav-dropdown-summary::-webkit-details-marker{display:none}.nav .nav-dropdown-summary:hover{color:var(--fg)}.nav .nav-dropdown[open]>.nav-dropdown-summary{color:var(--fg)}.nav .nav-dropdown-summary:after{content:" ▾";font-size:.7em;color:var(--fg-dim)}.nav .nav-dropdown-panel{position:absolute;top:calc(100% + .4rem);left:0;z-index:10;min-width:12rem;background:var(--card-bg);border:1px solid var(--border);border-radius:8px;box-shadow:0 4px 12px #00000014;padding:.4rem 0;display:flex;flex-direction:column}.nav .nav-dropdown-item{padding:.4rem .85rem;color:var(--fg);font-size:.9rem;text-decoration:none}.nav .nav-dropdown-item:hover{background:var(--bg-soft);color:var(--fg);text-decoration:none}.nav .nav-dropdown-item-disabled{color:var(--fg-dim);cursor:not-allowed}.nav .nav-dropdown-item-disabled:hover{background:transparent;color:var(--fg-dim)}.nav .auth-spa{font-size:.85rem;color:var(--fg-muted)}.nav .auth-spa strong{font-weight:600;color:var(--fg)}.nav .auth-spa-signout{background:none;border:none;padding:0;color:var(--accent);font:inherit;cursor:pointer;text-decoration:underline;text-decoration-thickness:1px;text-underline-offset:2px}.nav .auth-spa-signout:hover:not(:disabled){color:var(--accent-hover)}.nav .auth-spa-signout:disabled{color:var(--fg-dim);cursor:not-allowed}h1{margin:0 0 .5rem;font-family:var(--font-serif);font-size:1.85rem;font-weight:400;letter-spacing:-.01em;line-height:1.2;color:var(--fg)}h2{margin:0 0 1rem;font-size:1.4rem;font-weight:500}.muted{color:var(--fg-muted);font-size:.92rem}.dim{color:var(--fg-dim);font-size:.85rem}.error-banner{background:var(--error-soft);border:1px solid var(--error);color:var(--error);padding:.75rem 1rem;border-radius:8px;margin-bottom:1rem;font-size:.9rem}.warn-banner{background:var(--warn-soft);border:1px solid var(--warn);color:var(--warn);padding:.75rem 1rem;border-radius:8px;margin-bottom:1rem;font-size:.9rem}.empty{padding:3rem 1.5rem;text-align:center;color:var(--fg-muted);background:var(--bg-soft);border-radius:10px}@keyframes pc-loading-pulse{0%,to{opacity:.55}50%{opacity:1}}[data-loading=true]{animation:pc-loading-pulse 1.4s ease-in-out infinite}.user-table tbody tr,.tokens-table tbody tr{transition:background-color .12s ease}.user-table tbody tr:hover,.tokens-table tbody tr:hover{background:var(--bg-soft)}@keyframes pc-route-fade-up{0%{opacity:0;transform:translateY(6px)}to{opacity:1;transform:translateY(0)}}[data-route-content]{animation:pc-route-fade-up .32s ease forwards}@media(prefers-reduced-motion:reduce){[data-loading=true],[data-route-content]{animation:none}}.table-scroll{overflow-x:auto;-webkit-overflow-scrolling:touch;background:linear-gradient(to right,var(--card-bg),var(--card-bg)) left center / 20px 100% no-repeat,linear-gradient(to right,#2c2a2614,#2c2a2600) left center / 8px 100% no-repeat,linear-gradient(to left,var(--card-bg),var(--card-bg)) right center / 20px 100% no-repeat,linear-gradient(to left,#2c2a2614,#2c2a2600) right center / 8px 100% no-repeat;background-attachment:local,scroll,local,scroll}.table-scroll>table{min-width:100%}.empty-rich{text-align:left;padding:2rem 1.75rem;background:#fff;border:1px solid var(--border)}.empty-rich .empty-headline{font-size:1.05rem;color:var(--fg);margin:0 0 .5rem;font-weight:500}.list-header{display:flex;align-items:baseline;justify-content:space-between;gap:1rem;margin-bottom:1rem}.list-header h1,.list-header h2{margin:0}.tag{display:inline-block;padding:.1em .55em;background:var(--accent-soft);color:var(--accent);border-radius:4px;font-size:.78rem;font-weight:500}.tag.muted{background:var(--bg-soft);color:var(--fg-muted)}.tag.source-oauth{background:#4a7cc61f;color:#3b6aa6}.tag.source-operator{background:#c6984a24;color:#8a5e1f}.tag.source-cli{background:#4a7c5924;color:#2f5a3f}.tag.source-unknown{background:var(--bg-soft);color:var(--fg-muted)}@media(prefers-color-scheme:dark){.tag.source-oauth{background:#7a9cdc24;color:#9bb6d8}.tag.source-operator{background:#dcb46e24;color:#d4b27a}.tag.source-cli{background:#7ab08a24;color:#8fc49e}.tag.source-unknown{background:#e8e4dc0f;color:#a8a49a}}.vault-row{display:flex;align-items:center;gap:1rem;padding:.85rem 1rem;background:#fff;border:1px solid var(--border);border-radius:8px;margin-bottom:.5rem;text-decoration:none;color:inherit;transition:border-color .15s ease}.vault-row:hover{border-color:var(--accent);text-decoration:none}.vault-row .body{flex:1;min-width:0}.vault-row .name{display:flex;align-items:center;gap:.5rem;flex-wrap:wrap}.vault-row .name code{font-size:.95em}.vault-row .url{margin-top:.25rem;word-break:break-all}.vault-row .chev{color:var(--fg-dim);font-size:1.2rem}.vault-row-group{margin-bottom:.5rem}.vault-row-group .vault-row{margin-bottom:0}.vault-row-actions{display:flex;gap:.5rem;align-items:center;flex-shrink:0}.mcp-connect-card{background:var(--bg-soft);border:1px solid var(--border);border-radius:8px;padding:1.1rem 1.25rem;margin:0 0 .5rem}.mcp-connect-card-embedded{background:#fff;margin-bottom:0}.mcp-connect-card h3{margin:0 0 .4rem;font-size:1rem}.mcp-connect-card>p{margin-top:0}.mcp-connect-card .token-box{display:flex;align-items:center;gap:.5rem;margin:.35rem 0 .25rem}.mcp-connect-card .token-box code{flex:1;font-size:.85rem;padding:.55rem .7rem;background:#fff;border:1px solid var(--border);border-radius:6px;word-break:break-all;-webkit-user-select:all;user-select:all}.mcp-field{margin-top:.9rem}.mcp-field-label{display:block;font-size:.82rem;font-weight:600;color:var(--fg-muted)}.mcp-field .dim{margin:.3rem 0 0}.mcp-token-path{margin-top:1rem;border-top:1px solid var(--border);padding-top:.75rem}.mcp-token-path>summary{cursor:pointer;font-size:.9rem;color:var(--fg-muted)}.mcp-token-path>summary:hover{color:var(--accent)}.mcp-token-path .mint-banner{margin-top:.75rem;margin-bottom:0}.mcp-docs-link{margin:.9rem 0 0}form .row{margin-bottom:1rem}form label{display:block;font-size:.9rem;color:var(--fg-muted);margin-bottom:.3rem;font-weight:500}form input[type=text]{width:100%}form .actions{display:flex;gap:.6rem;align-items:center;margin-top:1rem}form .field-hint{margin-top:.35rem;font-size:.82rem;color:var(--fg-dim)}form .field-error{margin-top:.35rem;font-size:.85rem;color:var(--error)}.section{background:#fff;border:1px solid var(--border);border-radius:10px;padding:1.25rem 1.5rem;margin-bottom:1.5rem}.mint-banner{background:var(--success-soft);border:1px solid var(--success);border-radius:10px;padding:1.25rem 1.5rem;margin-bottom:1.5rem}.mint-banner h3{margin:0 0 .5rem;font-size:1rem;color:var(--success)}.mint-banner .token-box{display:flex;align-items:center;gap:.5rem;margin:.85rem 0 .5rem}.mint-banner code{flex:1;font-size:.9rem;padding:.6rem .75rem;background:#fff;border:1px solid var(--border);word-break:break-all;-webkit-user-select:all;user-select:all}.mint-banner .warn{margin:.75rem 0 0;font-size:.85rem;color:var(--warn)}.mint-banner .actions{margin-top:1rem;display:flex;gap:.5rem}.kv{display:grid;grid-template-columns:8.5rem 1fr;gap:.5rem 1rem;font-size:.92rem}.kv>div:nth-child(odd){color:var(--fg-muted)}.kv code{word-break:break-all}.channel-toggle{margin:1.25rem 0 1.5rem;padding:.75rem 1rem;border:1px solid var(--border, #ddd);border-radius:6px;background:var(--bg-soft, #fafafa)}.channel-toggle legend{padding:0 .25rem;font-weight:600;font-size:.95rem}.channel-toggle label{display:inline-flex;align-items:center;gap:.4rem;margin-right:1.5rem;cursor:pointer;font-size:.95rem}.channel-toggle label input[type=radio]:disabled+*{opacity:.5}.channel-toggle code{font-size:.85em}.channel-toggle p.muted{margin:.4rem 0 0;font-size:.85rem}.module-config{display:flex;flex-direction:column;gap:1.25rem}.module-config-header h1{margin-bottom:.35rem}.module-config-form fieldset{border:0;padding:0;margin:0;display:flex;flex-direction:column;gap:1rem}.module-config-form .field{display:flex;flex-direction:column;gap:.25rem}.module-config-form .field input,.module-config-form .field select,.module-config-form .field textarea{width:100%}.module-config-form .field-inline{flex-direction:row;align-items:center;flex-wrap:wrap;gap:.5rem}.module-config-form .field-inline label{display:inline-flex;align-items:center;gap:.5rem}.module-config-form .field-inline .field-hint{flex-basis:100%;margin-left:1.6rem}.module-config-form .field-invalid input,.module-config-form .field-invalid select,.module-config-form .field-invalid textarea{border-color:var(--error)}.module-config-form .actions{display:flex;gap:.6rem;align-items:center;margin-top:.5rem}.module-config-form .actions button.destructive{background:#fff;color:var(--fg);border:1px solid var(--border)}.module-config-form .actions button.destructive:hover{background:var(--bg-soft)}.module-config-form .banner{margin:0;padding:.75rem 1rem;border-radius:6px;border:1px solid transparent;font-size:.9rem}.module-config-form .banner-success{background:var(--success-soft);border-color:var(--success);color:var(--success)}.module-config-form .banner-success p,.module-config-form .banner-success ul{margin:.4rem 0 0}.module-config-form .banner-error{background:var(--error-soft, rgba(163, 57, 43, .08));border-color:var(--error);color:var(--error)}.modules-installed,.modules-installable{margin-top:1.75rem}.modules-installed>h2,.modules-installable>h2{font-size:1.15rem;font-weight:600;margin:0 0 .75rem;color:var(--fg)}.modules-installed>p.muted,.modules-installable>p.muted{margin:0 0 .5rem}.install-list{list-style:none;padding:0;margin:0;display:flex;flex-direction:column;gap:.6rem}.install-card{display:flex;flex-direction:row;align-items:center;gap:1rem;flex-wrap:wrap;padding:.85rem 1rem;background:#fff;border:1px solid var(--border);border-radius:8px;transition:border-color .15s ease}.install-card:hover{border-color:var(--accent)}.install-card-body{flex:1 1 0;min-width:0}.install-card-body h3{margin:0 0 .2rem;font-size:1rem;font-weight:600;color:var(--fg)}.install-card-body .tagline{margin:0 0 .35rem;color:var(--fg-muted);font-size:.92rem}.install-card-meta{margin:0;font-size:.82rem}.install-card-actions{flex:0 0 auto}.install-card .error{flex-basis:100%;margin-top:.5rem;color:var(--error);font-size:.85rem}.hub-upgrade-card{border-left:3px solid var(--accent);margin-top:1.25rem}.hub-upgrade-card .warn-banner,.hub-upgrade-card .error-banner{flex-basis:100%;margin:.5rem 0 0;font-size:.85rem}.module-row .actions .btn,a.btn{display:inline-block;font:inherit;background:var(--accent);color:#fff;border:0;border-radius:6px;padding:.55rem 1.1rem;cursor:pointer;transition:background .15s ease;text-decoration:none}.module-row .actions .btn:hover,a.btn:hover{background:var(--accent-hover);text-decoration:none}.module-uis{margin:.5rem 0 0;padding:.5rem 0 0;border-top:1px solid var(--border-light)}.module-uis>summary{cursor:pointer;font-size:.88rem;color:var(--fg-muted);font-weight:500;padding:.15rem 0;list-style:revert}.module-uis>summary:hover{color:var(--fg)}.ui-sub-units{list-style:none;padding:0;margin:.5rem 0 0 1.1rem;display:flex;flex-direction:column;gap:.35rem}.ui-sub-unit{display:flex;flex-direction:row;align-items:center;gap:.65rem;padding:.5rem .75rem;background:var(--bg-soft);border:1px solid var(--border-light);border-radius:6px;transition:border-color .15s ease,background .15s ease}.ui-sub-unit:hover{border-color:var(--accent);background:#fff}.ui-icon{flex:0 0 auto;width:20px;height:20px;border-radius:4px;object-fit:contain}.ui-sub-unit-body{flex:1 1 0;min-width:0}.ui-sub-unit-link{color:var(--fg);font-size:.95rem;text-decoration:none}.ui-sub-unit-link:hover{color:var(--accent);text-decoration:underline}.ui-sub-unit-link strong{font-weight:600}.ui-sub-unit .tagline{margin:.2rem 0 0;font-size:.82rem;color:var(--fg-muted)}.status{flex:0 0 auto;display:inline-block;padding:.1em .55em;background:var(--bg-soft);color:var(--fg-muted);border-radius:4px;font-size:.78rem;font-weight:500;white-space:nowrap}.status-active{background:var(--success-soft);color:var(--success)}.status-pending{background:var(--warn-soft);color:var(--warn)}.status-inactive{background:var(--bg-soft);color:var(--fg-dim)}.status-failing{background:var(--error-soft);color:var(--error)}.status-absent{background:var(--bg-soft);color:var(--fg-dim)}.status-redeemed{background:var(--success-soft);color:var(--success)}.status-expired,.status-revoked{background:var(--bg-soft);color:var(--fg-dim)}.status-pending-oauth{background:var(--warn-soft);color:var(--warn)}.status-disabled{background:var(--bg-soft);color:var(--fg-dim)}.sr-only{position:absolute;width:1px;height:1px;padding:0;margin:-1px;overflow:hidden;clip:rect(0,0,0,0);white-space:nowrap;border:0}.hub-version-badge{margin-top:3rem;padding-top:1rem;border-top:1px solid var(--border-light);display:flex;flex-direction:column;align-items:flex-start;gap:.75rem;color:var(--fg-muted);font-size:.8rem}.hub-version-badge-summary{background:transparent;border:0;padding:0;margin:0;color:var(--fg-muted);font:inherit;cursor:pointer;text-align:left;border-radius:4px}.hub-version-badge-summary:hover{color:var(--fg);background:transparent}.hub-version-badge-summary strong{color:var(--fg);font-weight:600}.hub-version-badge-source{font-variant:small-caps;letter-spacing:.04em}.hub-version-badge-panel{background:var(--card-bg);border:1px solid var(--border);border-radius:8px;padding:.85rem 1rem;font-size:.85rem;color:var(--fg);width:100%;max-width:28rem}.hub-version-badge-panel dl{margin:0 0 .75rem;display:grid;grid-template-columns:max-content 1fr;gap:.3rem .85rem}.hub-version-badge-panel dt{color:var(--fg-muted);font-size:.78rem;text-transform:uppercase;letter-spacing:.06em;padding-top:.1rem}.hub-version-badge-panel dd{margin:0;color:var(--fg);word-break:break-all}.hub-version-badge-refresh{font-size:.8rem;padding:.35rem .85rem}.depcard-wrap{margin-top:.6rem}.depcard{border:1px solid var(--warn);background:var(--warn-soft);border-radius:8px;padding:.9rem 1rem}.depcard-heading{margin:0 0 .25rem;font-size:1rem}.depcard-why{margin:0 0 .75rem;font-size:.9rem}.depcard-installs-label{margin:0 0 .4rem;font-size:.85rem;font-weight:600}.depcard-install{margin-bottom:.55rem}.depcard-install.preferred .depcard-os{color:var(--accent);font-weight:600}.depcard-os{display:block;font-size:.78rem;text-transform:uppercase;letter-spacing:.05em;color:var(--fg-muted);margin-bottom:.2rem}.depcard-cmd{display:flex;align-items:stretch;gap:.4rem}.depcard-cmd-text{flex:1;margin:0;padding:.45rem .6rem;background:var(--card-bg, #fff);border:1px solid var(--border);border-radius:6px;font-size:.82rem;white-space:pre-wrap;overflow-x:auto}.depcard-copy{flex:0 0 auto;font-size:.8rem;padding:.35rem .7rem;align-self:flex-start}.depcard-docs{margin:.5rem 0 .4rem;font-size:.88rem}.depcard-hint{margin:0;font-size:.82rem}.depcard-fallback{color:var(--error);font-size:.9rem}