@valentinkolb/cloud 0.5.0 → 0.5.2

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@valentinkolb/cloud",
-  "version": "0.5.0",
+  "version": "0.5.2",
   "description": "Modular Hono+SolidJS framework for building per-app docker services behind a dynamic gateway. Powers cloud.stuve-ulm.de.",
   "license": "MIT",
   "repository": {

package/scripts/build.ts

@@ -21,11 +21,13 @@
  * it ships a `scripts/build-extras.ts` that this script runs at the end.
  */
 import { existsSync } from "node:fs";
-import { cp, mkdir, readdir, rm } from "node:fs/promises";
-import { dirname, resolve } from "node:path";
+import { cp, mkdir, readdir, readFile, rm, writeFile } from "node:fs/promises";
+import { dirname, extname, resolve } from "node:path";
 import { fileURLToPath } from "node:url";
+import { brotliCompress, constants as zlibConstants, gzip } from "node:zlib";
 import tailwind from "bun-plugin-tailwind";
 import { Glob, CryptoHasher } from "bun";
+import { promisify } from "node:util";
 
 const appId = process.env.APP_ID;
 if (!appId) throw new Error("APP_ID env var required");
@@ -47,6 +49,8 @@ if (!existsSync(appDir)) throw new Error(`Unknown app dir: ${appDir} (set APP_DI
 
 const dist = resolve(root, "dist");
 const distPublic = resolve(dist, "public");
+const compressBrotli = promisify(brotliCompress);
+const compressGzip = promisify(gzip);
 
 await rm(dist, { recursive: true, force: true });
 await mkdir(distPublic, { recursive: true });
@@ -59,6 +63,29 @@ const islandId = (file: string): string => {
   return new CryptoHasher("md5").update(rel).digest("hex").slice(0, 12);
 };
 
+const compressibleExtensions = new Set([".css", ".html", ".js", ".json", ".map", ".svg", ".txt", ".xml"]);
+
+async function precompressDistAssets(dir: string): Promise<void> {
+  if (!existsSync(dir)) return;
+
+  for await (const file of new Glob("**/*").scan({ cwd: dir, absolute: true, onlyFiles: true })) {
+    if (file.endsWith(".br") || file.endsWith(".gz")) continue;
+    if (!compressibleExtensions.has(extname(file))) continue;
+
+    const source = await readFile(file);
+    const [br, gz] = await Promise.all([
+      compressBrotli(source, {
+        params: {
+          [zlibConstants.BROTLI_PARAM_QUALITY]: zlibConstants.BROTLI_MAX_QUALITY,
+        },
+      }),
+      compressGzip(source, { level: zlibConstants.Z_BEST_COMPRESSION }),
+    ]);
+
+    await Promise.all([writeFile(`${file}.br`, br), writeFile(`${file}.gz`, gz)]);
+  }
+}
+
 // Register the app's SSR plugin (Solid JSX transform + island bundler).
 // In the monorepo this resolves via `packages/<id>/src/config`; in standalone
 // it resolves via the appDir path (because the script's relative imports
@@ -133,4 +160,7 @@ if (existsSync(extras)) {
   await import(extras);
 }
 
+await precompressDistAssets(resolve(dist, "public"));
+await precompressDistAssets(resolve(dist, "_ssr"));
+
 console.log(`Built ${appId} → ${dist}`);

package/src/_internal/define-app.ts

@@ -9,7 +9,6 @@ import type { SsrConfig } from "@valentinkolb/ssr";
 import { createConfig as createSsrConfig } from "@valentinkolb/ssr";
 import { createSSRHandler, routes } from "@valentinkolb/ssr/hono";
 import { Hono } from "hono";
-import { serveStatic } from "hono/bun";
 import { generateSpecs } from "hono-openapi";
 import type { AppCapabilities, AppLifecycle, AppMeta, AppSearchContext, CloudContext } from "../contracts/app";
 import type { AppRegistryEntry } from "../contracts/registry";
@@ -23,6 +22,7 @@ import { createSettingsAPI, type SettingsAPI } from "../services/settings/api";
 import { registerSettings, type SettingDef } from "../services/settings/defaults";
 import { createHeartbeat } from "./heartbeat";
 import { ensureRuntimeWatcher, getCurrentRuntime, stopRuntimeWatcher } from "./runtime-watcher";
+import { servePublicAsset } from "./static-assets";
 
 /** Cache-busting version stamp — changes on every server start / rebuild. */
 const v = Date.now();
@@ -252,6 +252,9 @@ export const defineApp = <const S extends AppSettingsMap = {}>(opts: AppOptions<
     <meta name="mobile-web-app-capable" content="yes">
     <link rel="icon" href="/branding/favicon">
     <style data-cloud-css-layers>@layer theme, base, components, utilities;</style>
+    <link rel="preload" href="/public/tabler-icons.woff2" as="font" type="font/woff2" crossorigin>
+    <link rel="stylesheet" href="/public/fonts.css?v=${v}">
+    <link rel="stylesheet" href="/public/tabler-icons.css?v=${v}">
     <link rel="stylesheet" href="/public/${opts.id}/app.css?v=${v}">
     <link rel="stylesheet" href="/public/global.css?v=${v}">
     <script>${themeBootstrapScript}</script>
@@ -349,19 +352,7 @@ export const defineApp = <const S extends AppSettingsMap = {}>(opts: AppOptions<
 
     const server = new Hono()
       .route(ssrMountPath, routes(config))
-      .use(
-        "/public/*",
-        serveStatic({
-          root: "./",
-          onFound: (_path, c) => {
-            c.header("Cache-Control", isDevelopment ? "no-store" : "public, max-age=31536000, immutable");
-          },
-        }),
-      )
-      // serveStatic calls next() on miss — terminate /public/* here so a
-      // missing asset is a clean 404 instead of falling through to the app
-      // fetch (which might render an HTML page for the missing path).
-      .all("/public/*", (c) => c.notFound());
+      .all("/public/*", servePublicAsset(isDevelopment));
 
     if (startOpts.capabilities?.search) {
       const searchRun = startOpts.capabilities.search.run;

package/src/_internal/static-assets.ts

@@ -0,0 +1,86 @@
+import { resolve, sep } from "node:path";
+import type { Context } from "hono";
+
+const publicRoot = resolve(process.cwd(), "public");
+
+function decodePathname(pathname: string): string | null {
+  try {
+    return decodeURIComponent(pathname);
+  } catch {
+    return null;
+  }
+}
+
+function resolvePublicAsset(pathname: string): string | null {
+  const decoded = decodePathname(pathname);
+  if (!decoded?.startsWith("/public/")) return null;
+
+  const path = resolve(process.cwd(), decoded.slice(1));
+  if (path !== publicRoot && !path.startsWith(`${publicRoot}${sep}`)) return null;
+  return path;
+}
+
+function acceptsEncoding(header: string | null, encoding: "br" | "gzip"): boolean {
+  if (!header) return false;
+
+  return header.split(",").some((part) => {
+    const [name, ...params] = part.trim().split(";");
+    if (name?.trim().toLowerCase() !== encoding) return false;
+    return !params.some((param) => {
+      const [key, value] = param.trim().split("=");
+      return key?.toLowerCase() === "q" && Number(value) === 0;
+    });
+  });
+}
+
+async function encodedFile(path: string, encoding: "br" | "gzip"): Promise<Bun.BunFile | null> {
+  const suffix = encoding === "br" ? ".br" : ".gz";
+  const file = Bun.file(`${path}${suffix}`);
+  return (await file.exists()) ? file : null;
+}
+
+export function servePublicAsset(isDevelopment: boolean) {
+  return async (c: Context) => {
+    if (c.req.method !== "GET" && c.req.method !== "HEAD") {
+      c.header("Allow", "GET, HEAD");
+      return c.text("Method Not Allowed", 405);
+    }
+
+    const path = resolvePublicAsset(new URL(c.req.url).pathname);
+    if (!path) return c.notFound();
+
+    const sourceFile = Bun.file(path);
+    if (!(await sourceFile.exists())) return c.notFound();
+
+    const acceptEncoding = c.req.header("Accept-Encoding") ?? null;
+    let selected = sourceFile;
+    let selectedEncoding: "br" | "gzip" | null = null;
+
+    if (acceptsEncoding(acceptEncoding, "br")) {
+      const br = await encodedFile(path, "br");
+      if (br) {
+        selected = br;
+        selectedEncoding = "br";
+      }
+    }
+
+    if (!selectedEncoding && acceptsEncoding(acceptEncoding, "gzip")) {
+      const gz = await encodedFile(path, "gzip");
+      if (gz) {
+        selected = gz;
+        selectedEncoding = "gzip";
+      }
+    }
+
+    const headers = new Headers({
+      "Cache-Control": isDevelopment ? "no-store" : "public, max-age=31536000, immutable",
+      "Content-Length": String(selected.size),
+      "Content-Type": sourceFile.type || "application/octet-stream",
+      Vary: "Accept-Encoding",
+    });
+
+    if (selectedEncoding) headers.set("Content-Encoding", selectedEncoding);
+
+    return new Response(c.req.method === "HEAD" ? null : selected, { headers });
+  };
+}

package/src/api/auth.ts

@@ -49,8 +49,8 @@ const app = new Hono<AuthContext>()
 
       const loginResult = await authFlows.ipa.login({ username, password });
       if (!loginResult.ok && loginResult.reason === "password_expired") {
-        log.info("Login failed", { uid: username, reason: "password_expired" });
-        return c.json({ message: "Password expired", passwordExpired: true }, 401);
+        log.info("Login failed", { uid: loginResult.uid, reason: "password_expired" });
+        return c.json({ message: "Password expired", passwordExpired: true, ipaUid: loginResult.uid }, 401);
       }
       if (!loginResult.ok) {
         log.info("Login failed", {
@@ -63,7 +63,7 @@ const app = new Hono<AuthContext>()
       // Store minimal session in Redis
       const sessionToken = await auth.session.create(c, loginResult.userId);
 
-      log.info("Login successful", { uid: username });
+      log.info("Login successful", { uid: loginResult.user.uid });
       return c.json({
         session_token: sessionToken,
         user: loginResult.user,

package/src/services/auth-flows/ipa.ts

@@ -1,10 +1,11 @@
 import { sql } from "bun";
 import { accounts } from "../accounts";
+import { logger } from "../logging";
 import { providers } from "../providers";
 import type { User } from "../../contracts/shared";
 
 type IpaLoginFailure =
-  | { ok: false; status: 401; reason: "password_expired"; message: string }
+  | { ok: false; status: 401; reason: "password_expired"; message: string; uid: string }
   | { ok: false; status: 401; reason: "invalid_credentials"; message: string }
   | { ok: false; status: 400; reason: "user_not_synced"; message: string }
   | { ok: false; status: 400; reason: "user_not_found"; message: string }
@@ -20,6 +21,42 @@ type IpaLoginSuccess = {
 
 export type IpaLoginFlowResult = IpaLoginSuccess | IpaLoginFailure;
 
+const log = logger("auth:ipa");
+const DUMMY_LOGIN_UID = "__cloud_invalid_ipa_email_login__";
+
+const normalizeEmail = (value: string): string => value.trim().toLowerCase();
+
+const resolveIpaLoginUid = async (identifier: string): Promise<string | null> => {
+  const trimmed = identifier.trim();
+  if (!trimmed) return null;
+  if (!trimmed.includes("@")) return trimmed;
+
+  const rows = await sql<{ uid: string }[]>`
+    SELECT uid
+    FROM auth.users
+    WHERE provider = 'ipa'
+      AND lower(btrim(mail)) = ${normalizeEmail(trimmed)}
+  `;
+
+  if (rows.length !== 1) {
+    if (rows.length > 1) {
+      log.warn("FreeIPA email login skipped: ambiguous email", {
+        email: normalizeEmail(trimmed),
+        matches: rows.length,
+      });
+    }
+    return null;
+  }
+  return rows[0]!.uid;
+};
+
+const failInvalidCredentials = async (params: { identifier: string; password: string }): Promise<IpaLoginFailure> => {
+  if (params.identifier.trim().includes("@")) {
+    await providers.ipa.auth.login(DUMMY_LOGIN_UID, params.password).catch(() => undefined);
+  }
+  return { ok: false, status: 401, reason: "invalid_credentials", message: "Invalid username or password" };
+};
+
 const loadSyncedIpaUser = async (uid: string): Promise<{ ok: true; userId: string; user: User } | IpaLoginFailure> => {
   const userRows = await sql`
     SELECT id FROM auth.users
@@ -50,9 +87,14 @@ const loadSyncedIpaUser = async (uid: string): Promise<{ ok: true; userId: strin
 };
 
 export const login = async (params: { username: string; password: string }): Promise<IpaLoginFlowResult> => {
-  const loginResult = await providers.ipa.auth.login(params.username, params.password);
+  const uid = await resolveIpaLoginUid(params.username);
+  if (!uid) {
+    return failInvalidCredentials({ identifier: params.username, password: params.password });
+  }
+
+  const loginResult = await providers.ipa.auth.login(uid, params.password);
   if (loginResult.status === "password_expired") {
-    return { ok: false, status: 401, reason: "password_expired", message: "Password expired" };
+    return { ok: false, status: 401, reason: "password_expired", message: "Password expired", uid };
   }
   if (loginResult.status !== "success") {
     return { ok: false, status: 401, reason: "invalid_credentials", message: "Invalid username or password" };
@@ -61,7 +103,7 @@ export const login = async (params: { username: string; password: string }): Pro
   // Must reach a "synced" outcome before granting a session. Stale mirror rows
   // (expired remotely, dropped from sync scope, or fetch failures) must never
   // grant a fresh local session on the back of successful FreeIPA credentials.
-  const syncOutcome = await providers.ipa.sync.user(params.username);
+  const syncOutcome = await providers.ipa.sync.user(uid);
   switch (syncOutcome.status) {
     case "synced":
       break;
@@ -97,7 +139,7 @@ export const login = async (params: { username: string; password: string }): Pro
       };
   }
 
-  const userResult = await loadSyncedIpaUser(params.username);
+  const userResult = await loadSyncedIpaUser(uid);
   if (!userResult.ok) return userResult;
 
   return {

package/src/services/auth-flows/magic-link.ts

@@ -1,4 +1,4 @@
-import { sql } from "bun";
+import { redis, sql } from "bun";
 import { accounts } from "../accounts";
 import { notifications } from "../notifications";
 import { providers } from "../providers";
@@ -6,33 +6,95 @@ import * as settings from "../settings";
 import { renderTemplate } from "../settings/templates";
 import type { User } from "../../contracts/shared";
 import { createAuthLoginUrl } from "../../shared/redirect";
+import { logger } from "../logging";
+
+const log = logger("auth:magic-link");
+const IPA_HINT_COOLDOWN_SECONDS = 300;
+
+const normalizeEmail = (email: string): string => email.trim().toLowerCase();
+const ipaHintCooldownKey = (email: string): string => `ipa-email-login-hint-cooldown:${email}`;
+
+const getAppUrl = async (): Promise<string> => {
+  const rawAppUrl = await settings.get<string>("app.url");
+  return rawAppUrl.startsWith("http") ? rawAppUrl : `https://${rawAppUrl}`;
+};
+
+const hasIpaAccountForEmail = async (email: string): Promise<boolean> => {
+  const rows = await sql<{ exists: boolean }[]>`
+    SELECT EXISTS (
+      SELECT 1
+      FROM auth.users
+      WHERE provider = 'ipa'
+        AND lower(btrim(mail)) = ${email}
+    ) AS exists
+  `;
+  return Boolean(rows[0]?.exists);
+};
+
+const claimIpaHintCooldown = async (email: string): Promise<boolean> => {
+  const result = await redis.send("SET", [
+    ipaHintCooldownKey(email),
+    "1",
+    "EX",
+    String(IPA_HINT_COOLDOWN_SECONDS),
+    "NX",
+  ]);
+  return result === "OK";
+};
+
+const sendIpaEmailLoginHint = async (params: { email: string; redirectTo?: string }): Promise<void> => {
+  const appUrl = await getAppUrl();
+  const loginUrl = createAuthLoginUrl(appUrl, {
+    method: "ipa",
+    redirectTo: params.redirectTo,
+  });
+  const [appName, contactEmail, template] = await Promise.all([
+    settings.get<string>("app.name"),
+    settings.get<string>("app.contact_email"),
+    settings.get<string>("mail.ipa_email_login_hint"),
+  ]);
+
+  await notifications.send({
+    type: "email",
+    recipient: params.email,
+    subject: `${appName} FreeIPA Sign In`,
+    rawHtml: renderTemplate(template, {
+      EMAIL: params.email,
+      LOGIN_URL: loginUrl,
+      APP_NAME: appName,
+      CONTACT_EMAIL: contactEmail?.trim() ?? "",
+    }),
+  });
+};
 
 export const request = async (params: { email: string; redirectTo?: string }): Promise<
   | { ok: true }
   | { ok: false; status: 400; message: string }
 > => {
-  const userRows = await sql`SELECT uid, provider FROM auth.users WHERE mail = ${params.email}`;
+  const email = normalizeEmail(params.email);
+  const hasIpaUser = await hasIpaAccountForEmail(email);
+  const userRows = hasIpaUser ? [] : await sql`SELECT uid, provider FROM auth.users WHERE lower(btrim(mail)) = ${email}`;
   const hasLocalUser = userRows.some((row: { provider: string | null }) => row.provider === "local");
-  const hasIpaUser = userRows.some((row: { provider: string | null }) => row.provider === "ipa");
   const allowSelfRegistration = await settings.get<boolean>("user.allow_self_registration");
 
-  if (!hasLocalUser && !allowSelfRegistration) {
-    return {
-      ok: false,
-      status: 400,
-      message: "Only existing local accounts can sign in with email. Contact an administrator if you need access.",
-    };
+  if (hasIpaUser) {
+    if (await claimIpaHintCooldown(email)) {
+      void sendIpaEmailLoginHint({ email, redirectTo: params.redirectTo }).catch((error) => {
+        log.warn("Failed to send FreeIPA email-login hint", {
+          email,
+          error: error instanceof Error ? error.message : String(error),
+        });
+      });
+    }
+    return { ok: true };
   }
 
-  if (!hasLocalUser && hasIpaUser) {
-    // Return ok without sending email to prevent account enumeration.
-    // IPA-only users must authenticate via Kerberos, not magic-link.
+  if (!hasLocalUser && !allowSelfRegistration) {
     return { ok: true };
   }
 
-  const token = await providers.local.auth.createMagicLinkToken({ email: params.email, ttlSeconds: 300 });
-  const rawAppUrl = await settings.get<string>("app.url");
-  const appUrl = rawAppUrl.startsWith("http") ? rawAppUrl : `https://${rawAppUrl}`;
+  const token = await providers.local.auth.createMagicLinkToken({ email, ttlSeconds: 300 });
+  const appUrl = await getAppUrl();
   const magicLink = createAuthLoginUrl(appUrl, { token, redirectTo: params.redirectTo });
 
   const appName = await settings.get<string>("app.name");
@@ -40,7 +102,7 @@ export const request = async (params: { email: string; redirectTo?: string }): P
 
   await notifications.send({
     type: "email",
-    recipient: params.email,
+    recipient: email,
     subject: `${appName} Login Code`,
     rawHtml: renderTemplate(template, {
       TOKEN: token,
@@ -63,13 +125,22 @@ export const verify = async (params: { token: string }): Promise<
   }
 
   const { email } = payload;
+  const normalizedEmail = normalizeEmail(email);
+  if (await hasIpaAccountForEmail(normalizedEmail)) {
+    return {
+      ok: false,
+      status: 401,
+      message: "This email address belongs to a FreeIPA-managed account. Sign in with FreeIPA.",
+    };
+  }
+
   // Reject expired accounts at login time, not just during cleanup. Without
   // this, an expired local user / guest could still authenticate in the
   // window between expiry and the next lifecycle run.
   const userRows = await sql`
     SELECT id, account_expires
     FROM auth.users
-    WHERE mail = ${email} AND provider = 'local'
+    WHERE lower(btrim(mail)) = ${normalizedEmail} AND provider = 'local'
       AND (account_expires IS NULL OR account_expires > now())
     ORDER BY profile = 'user' DESC
     LIMIT 1
@@ -84,7 +155,7 @@ export const verify = async (params: { token: string }): Promise<
     const expiredRows = await sql`
       SELECT id
       FROM auth.users
-      WHERE mail = ${email} AND provider = 'local'
+      WHERE lower(btrim(mail)) = ${normalizedEmail} AND provider = 'local'
         AND account_expires IS NOT NULL AND account_expires <= now()
       LIMIT 1
     `;

package/src/services/notifications/index.ts

@@ -1,13 +1,14 @@
 import { sql } from "bun";
-import { sendEmail } from "./email";
 import type { PaginationParams } from "../../contracts/shared";
-import { escapeLikePattern } from "../postgres";
 import { logger } from "../logging";
+import { escapeLikePattern } from "../postgres";
+import { sendEmail } from "./email";
 
 const log = logger("notifications");
 
 export type NotificationType = "email";
 export type NotificationStatus = "sent" | "pending" | "error";
+export type NotificationStatusSummary = Record<NotificationStatus, number>;
 
 /**
  * Computes notification delivery status from sent/error timestamps.
@@ -56,6 +57,12 @@ export type NotificationMessage = {
   status: NotificationStatus;
 };
 
+const emptyStatusSummary = (): NotificationStatusSummary => ({
+  sent: 0,
+  pending: 0,
+  error: 0,
+});
+
 type DbNotificationRow = {
   id: string;
   type: NotificationType;
@@ -143,23 +150,26 @@ export const sendToUser = async (params: SendToUserParams): Promise<{ ok: true;
  */
 export const list = async (
   pagination: PaginationParams,
-  options?: { sentBy?: string; isAdmin?: boolean; search?: string },
+  options?: { sentBy?: string; isAdmin?: boolean; search?: string; status?: NotificationStatus },
 ): Promise<{ notifications: NotificationMessage[]; total: number }> => {
   const { offset, perPage } = pagination;
-  const { sentBy, isAdmin, search } = options ?? {};
+  const { sentBy, isAdmin, search, status } = options ?? {};
 
   // Build query based on permissions
   let countRows: Array<{ count: number | string }> = [];
   let dataRows: DbNotificationRow[] = [];
 
   const searchPattern = search ? `%${escapeLikePattern(search)}%` : null;
+  const statusFilter = status ?? null;
 
   if (isAdmin) {
     // Admins see all notifications
     if (searchPattern) {
       countRows = await sql`
         SELECT COUNT(*)::int as count FROM notifications.messages
-        WHERE subject ILIKE ${searchPattern} ESCAPE '\' OR content ILIKE ${searchPattern} ESCAPE '\' OR recipient ILIKE ${searchPattern} ESCAPE '\'
+        WHERE
+          (${statusFilter}::text IS NULL OR CASE WHEN sent_at IS NOT NULL THEN 'sent' WHEN error IS NOT NULL THEN 'error' ELSE 'pending' END = ${statusFilter})
+          AND (subject ILIKE ${searchPattern} ESCAPE '\' OR content ILIKE ${searchPattern} ESCAPE '\' OR recipient ILIKE ${searchPattern} ESCAPE '\')
       `;
       dataRows = await sql`
         SELECT
@@ -168,12 +178,17 @@ export const list = async (
           u.display_name as sent_by_name
         FROM notifications.messages m
         LEFT JOIN auth.users u ON m.sent_by = u.id
-        WHERE m.subject ILIKE ${searchPattern} ESCAPE '\' OR m.content ILIKE ${searchPattern} ESCAPE '\' OR m.recipient ILIKE ${searchPattern} ESCAPE '\'
+        WHERE
+          (${statusFilter}::text IS NULL OR CASE WHEN m.sent_at IS NOT NULL THEN 'sent' WHEN m.error IS NOT NULL THEN 'error' ELSE 'pending' END = ${statusFilter})
+          AND (m.subject ILIKE ${searchPattern} ESCAPE '\' OR m.content ILIKE ${searchPattern} ESCAPE '\' OR m.recipient ILIKE ${searchPattern} ESCAPE '\')
         ORDER BY m.created_at DESC
         LIMIT ${perPage} OFFSET ${offset}
       `;
     } else {
-      countRows = await sql`SELECT COUNT(*)::int as count FROM notifications.messages`;
+      countRows = await sql`
+        SELECT COUNT(*)::int as count FROM notifications.messages
+        WHERE ${statusFilter}::text IS NULL OR CASE WHEN sent_at IS NOT NULL THEN 'sent' WHEN error IS NOT NULL THEN 'error' ELSE 'pending' END = ${statusFilter}
+      `;
       dataRows = await sql`
         SELECT
           m.id, m.type, m.recipient, m.subject, m.content,
@@ -181,6 +196,7 @@ export const list = async (
           u.display_name as sent_by_name
         FROM notifications.messages m
         LEFT JOIN auth.users u ON m.sent_by = u.id
+        WHERE ${statusFilter}::text IS NULL OR CASE WHEN m.sent_at IS NOT NULL THEN 'sent' WHEN m.error IS NOT NULL THEN 'error' ELSE 'pending' END = ${statusFilter}
         ORDER BY m.created_at DESC
         LIMIT ${perPage} OFFSET ${offset}
       `;
@@ -190,7 +206,10 @@ export const list = async (
     if (searchPattern) {
       countRows = await sql`
         SELECT COUNT(*)::int as count FROM notifications.messages
-        WHERE sent_by = ${sentBy} AND (subject ILIKE ${searchPattern} ESCAPE '\' OR content ILIKE ${searchPattern} ESCAPE '\' OR recipient ILIKE ${searchPattern} ESCAPE '\')
+        WHERE
+          sent_by = ${sentBy}
+          AND (${statusFilter}::text IS NULL OR CASE WHEN sent_at IS NOT NULL THEN 'sent' WHEN error IS NOT NULL THEN 'error' ELSE 'pending' END = ${statusFilter})
+          AND (subject ILIKE ${searchPattern} ESCAPE '\' OR content ILIKE ${searchPattern} ESCAPE '\' OR recipient ILIKE ${searchPattern} ESCAPE '\')
       `;
       dataRows = await sql`
         SELECT
@@ -199,12 +218,20 @@ export const list = async (
           u.display_name as sent_by_name
         FROM notifications.messages m
         LEFT JOIN auth.users u ON m.sent_by = u.id
-        WHERE m.sent_by = ${sentBy} AND (m.subject ILIKE ${searchPattern} ESCAPE '\' OR m.content ILIKE ${searchPattern} ESCAPE '\' OR m.recipient ILIKE ${searchPattern} ESCAPE '\')
+        WHERE
+          m.sent_by = ${sentBy}
+          AND (${statusFilter}::text IS NULL OR CASE WHEN m.sent_at IS NOT NULL THEN 'sent' WHEN m.error IS NOT NULL THEN 'error' ELSE 'pending' END = ${statusFilter})
+          AND (m.subject ILIKE ${searchPattern} ESCAPE '\' OR m.content ILIKE ${searchPattern} ESCAPE '\' OR m.recipient ILIKE ${searchPattern} ESCAPE '\')
         ORDER BY m.created_at DESC
         LIMIT ${perPage} OFFSET ${offset}
       `;
     } else {
-      countRows = await sql`SELECT COUNT(*)::int as count FROM notifications.messages WHERE sent_by = ${sentBy}`;
+      countRows = await sql`
+        SELECT COUNT(*)::int as count FROM notifications.messages
+        WHERE
+          sent_by = ${sentBy}
+          AND (${statusFilter}::text IS NULL OR CASE WHEN sent_at IS NOT NULL THEN 'sent' WHEN error IS NOT NULL THEN 'error' ELSE 'pending' END = ${statusFilter})
+      `;
       dataRows = await sql`
         SELECT
           m.id, m.type, m.recipient, m.subject, m.content,
@@ -212,7 +239,9 @@ export const list = async (
           u.display_name as sent_by_name
         FROM notifications.messages m
         LEFT JOIN auth.users u ON m.sent_by = u.id
-        WHERE m.sent_by = ${sentBy}
+        WHERE
+          m.sent_by = ${sentBy}
+          AND (${statusFilter}::text IS NULL OR CASE WHEN m.sent_at IS NOT NULL THEN 'sent' WHEN m.error IS NOT NULL THEN 'error' ELSE 'pending' END = ${statusFilter})
         ORDER BY m.created_at DESC
         LIMIT ${perPage} OFFSET ${offset}
       `;
@@ -246,6 +275,47 @@ export const list = async (
   return { notifications, total };
 };
 
+/**
+ * Count current notification statuses for recent entries.
+ */
+export const getStatusSummary = async (options?: {
+  sentBy?: string;
+  isAdmin?: boolean;
+  days?: number;
+}): Promise<NotificationStatusSummary> => {
+  const { sentBy, isAdmin, days = 7 } = options ?? {};
+  const windowDays = Math.max(1, Math.floor(days));
+  const summary = emptyStatusSummary();
+
+  let rows: Array<{ status: NotificationStatus; count: number | string }> = [];
+  if (isAdmin) {
+    rows = await sql`
+      SELECT
+        CASE WHEN sent_at IS NOT NULL THEN 'sent' WHEN error IS NOT NULL THEN 'error' ELSE 'pending' END as status,
+        COUNT(*)::int as count
+      FROM notifications.messages
+      WHERE created_at >= now() - (${windowDays}::int * interval '1 day')
+      GROUP BY status
+    `;
+  } else if (sentBy) {
+    rows = await sql`
+      SELECT
+        CASE WHEN sent_at IS NOT NULL THEN 'sent' WHEN error IS NOT NULL THEN 'error' ELSE 'pending' END as status,
+        COUNT(*)::int as count
+      FROM notifications.messages
+      WHERE sent_by = ${sentBy} AND created_at >= now() - (${windowDays}::int * interval '1 day')
+      GROUP BY status
+    `;
+  }
+
+  for (const row of rows) {
+    const count = typeof row.count === "string" ? Number.parseInt(row.count, 10) : row.count;
+    summary[row.status] = Number.isFinite(count) ? count : 0;
+  }
+
+  return summary;
+};
+
 /**
  * Get a single notification by ID.
  */
@@ -410,4 +480,5 @@ export const notifications = {
   update,
   getPendingSystemCount,
   sendAllPendingSystem,
+  getStatusSummary,
 };

package/src/services/settings/defaults.ts

@@ -438,6 +438,21 @@ export const SETTINGS: SettingDef[] = [
     group: "mail",
     templateVars: ["TOKEN", "MAGIC_LINK", "APP_NAME"],
   },
+  {
+    key: "mail.ipa_email_login_hint",
+    label: "FreeIPA Email Login Hint Template",
+    kind: "template",
+    default: `<p>A sign-in link was requested for <code style="background:#f4f4f5;padding:2px 6px;border-radius:4px;">{{EMAIL}}</code>.</p>
+<p>This email address belongs to a FreeIPA-managed account. Please sign in with your FreeIPA username and password. If your email address is unique in FreeIPA, you can also use it instead of your username.</p>
+<p style="text-align:center;margin:24px 0;">
+  <a href="{{LOGIN_URL}}" target="_blank" style="color:#3b82f6;text-decoration:underline;">Open FreeIPA sign-in</a>
+</p>
+<p style="color:#71717a;font-size:12px;margin:0 0 8px 0;">No email login code was created. If you didn't request this, please ignore this email.</p>
+{{#CONTACT_EMAIL}}<p style="color:#71717a;font-size:12px;margin:0;">If you need help, contact <a href="mailto:{{CONTACT_EMAIL}}">{{CONTACT_EMAIL}}</a>.</p>{{/CONTACT_EMAIL}}`,
+    description: "FreeIPA email-login hint template (HTML). Subject: {{APP_NAME}} FreeIPA Sign In",
+    group: "mail",
+    templateVars: ["EMAIL", "LOGIN_URL", "CONTACT_EMAIL", "APP_NAME"],
+  },
   {
     key: "mail.password_reset",
     label: "Password Reset Template",

package/src/shared/redirect.test.ts

@@ -33,6 +33,15 @@ describe("redirect helpers", () => {
     expect(externalUrl).toBe("https://cloud.example/auth/login?token=token-id");
   });
 
+  test("builds method-specific login links with safe redirects only", () => {
+    const url = createAuthLoginUrl("https://cloud.example", {
+      method: "ipa",
+      redirectTo: "/app/dashboard",
+    });
+
+    expect(url).toBe("https://cloud.example/auth/login?method=ipa&redirectTo=%2Fapp%2Fdashboard");
+  });
+
   test("builds password reset links with safe redirects only", () => {
     const safeUrl = createAuthPasswordResetUrl("https://cloud.example", {
       token: "token-id",

package/src/shared/redirect.ts

@@ -30,9 +30,13 @@ export const createLoginRedirectUrl = (requestUrl: string): string => {
 };
 
 /** Build an absolute auth login URL while preserving only safe local redirects. */
-export const createAuthLoginUrl = (appUrl: string, params: { token?: string; redirectTo?: string | null | undefined } = {}): string => {
+export const createAuthLoginUrl = (
+  appUrl: string,
+  params: { token?: string; method?: "email" | "ipa" | "admin"; redirectTo?: string | null | undefined } = {},
+): string => {
   const url = new URL(`${appUrl.replace(/\/$/, "")}/auth/login`);
   if (params.token) url.searchParams.set("token", params.token);
+  if (params.method) url.searchParams.set("method", params.method);
 
   const redirectTo = normalizeRedirectTo(params.redirectTo);
   if (redirectTo) url.searchParams.set("redirectTo", redirectTo);

package/src/styles/global.css

@@ -9,25 +9,12 @@
 @custom-variant dark (&:where(.dark, .dark *));
 @custom-variant light (html:not(.dark) &);
 
-@import "@tabler/icons-webfont/dist/tabler-icons.css";
-
-/* IBM Plex family — Sans for body, Mono for code, Condensed for badges/tags.
-   Per-weight imports keep the network payload predictable; we deliberately
-   skip the lighter weights (100–300) and italic-condensed since the design
-   system never uses them. */
-@import "@fontsource/ibm-plex-sans/400.css";
-@import "@fontsource/ibm-plex-sans/400-italic.css";
-@import "@fontsource/ibm-plex-sans/500.css";
-@import "@fontsource/ibm-plex-sans/600.css";
-@import "@fontsource/ibm-plex-sans/700.css";
-@import "@fontsource/ibm-plex-mono/400.css";
-@import "@fontsource/ibm-plex-mono/400-italic.css";
-@import "@fontsource/ibm-plex-mono/500.css";
-@import "@fontsource/ibm-plex-mono/600.css";
-@import "@fontsource/ibm-plex-sans-condensed/400.css";
-@import "@fontsource/ibm-plex-sans-condensed/500.css";
-@import "@fontsource/ibm-plex-sans-condensed/600.css";
-@import "@fontsource/ibm-plex-sans-condensed/700.css";
+/* IBM Plex font-face rules are emitted as `/public/fonts.css` during the core
+   build. Keeping them out of global.css avoids Bun inlining the font binaries
+   as base64 into the render-blocking stylesheet. */
+/* Tabler icon font rules are emitted as `/public/tabler-icons.css` during the
+   core build and preloaded by the shared HTML template to reduce icon flicker
+   without changing icon layout semantics. */
 
 @import "./tokens.css";
 @import "./utilities-buttons.css";
@@ -174,7 +161,7 @@
    beat stdlib's one-class embedded <style> the same way the dark-mode
    overrides above do. font-family is otherwise unset by stdlib, so the
    chart would inherit the app sans — we pin the numeric labels to the
-   platform mono stack (IBM Plex Mono via @fontsource). */
+   platform mono stack (IBM Plex Mono via `/public/fonts.css`). */
 .stdlib-chart .stdlib-chart-tick-label,
 .stdlib-chart .stdlib-chart-bar-value,
 .stdlib-chart .stdlib-chart-axis-label {

package/src/styles/utilities-markdown-editor.css

@@ -146,8 +146,8 @@
        4. `text-rendering: geometricPrecision` — disables kerning so
           even non-monospace fallback fonts don't shift glyph X
           positions across layers. */
-  /* IBM Plex Mono is shipped via @fontsource (regular + italic + 500
-     + 600 weights — see global.css). Pinning the font here means the
+  /* IBM Plex Mono is shipped via `/public/fonts.css` (regular + italic +
+     500 + 600 weights). Pinning the font here means the
      editor looks identical across OSes and we control the italic
      variant precisely. The bold/heading "weight" is faked via
      text-shadow further down so we never actually request a weight