i18ntk 2.5.0 → 2.5.1

package/CODE_OF_CONDUCT.md

@@ -0,0 +1,133 @@
+# Contributor Covenant Code of Conduct
+
+## Our Pledge
+
+We as members, contributors, and leaders pledge to make participation in our
+community a harassment-free experience for everyone, regardless of age, body
+size, visible or invisible disability, ethnicity, sex characteristics, gender
+identity and expression, level of experience, education, socio-economic status,
+nationality, personal appearance, race, caste, color, religion, or sexual identity
+and orientation.
+
+We pledge to act and interact in ways that contribute to an open, welcoming,
+diverse, inclusive, and healthy community.
+
+## Our Standards
+
+Examples of behavior that contributes to a positive environment for our
+community include:
+
+* Demonstrating empathy and kindness toward other people
+* Being respectful of differing opinions, viewpoints, and experiences
+* Giving and gracefully accepting constructive feedback
+* Accepting responsibility and apologizing to those affected by our mistakes,
+  and learning from the experience
+* Focusing on what is best not just for us as individuals, but for the overall
+  community
+
+Examples of unacceptable behavior include:
+
+* The use of sexualized language or imagery, and sexual attention or advances
+of any kind
+* Trolling, insulting or derogatory comments, and personal or political attacks
+* Public or private harassment
+* Publishing others' private information, such as a physical or email address,
+  without their explicit permission
+* Other conduct which could reasonably be considered inappropriate in a
+  professional setting
+
+## Enforcement Responsibilities
+
+Community leaders are responsible for clarifying and enforcing our standards of
+acceptable behavior and will take appropriate and fair corrective action in
+response to any behavior that they deem inappropriate, threatening, offensive,
+or harmful.
+
+Community leaders have the right and responsibility to remove, edit, or reject
+comments, commits, code, wiki edits, issues, and other contributions that are
+not aligned to this Code of Conduct, and will communicate reasons for moderation
+decisions when appropriate.
+
+## Scope
+
+This Code of Conduct applies within all community spaces, and also applies when
+an individual is officially representing the community in public spaces.
+Examples of representing our community include using an official e-mail address,
+posting via an official social media account, or acting as an appointed
+representative at an online or offline event.
+
+## Enforcement
+
+Instances of abusive, harassing, or otherwise unacceptable behavior may be
+reported to the community leaders responsible for enforcement at
+GitHub Security Advisories for sensitive reports, or GitHub issues for non-sensitive community concerns.
+All complaints will be reviewed and investigated promptly and fairly.
+
+All community leaders are obligated to respect the privacy and security of the
+reporter of any incident.
+
+## Enforcement Guidelines
+
+Community leaders will follow these Community Impact Guidelines in determining
+the consequences for any action they deem in violation of this Code of Conduct:
+
+### 1. Correction
+
+**Community Impact**: Use of inappropriate language or other behavior deemed
+unprofessional or unwelcome in the community.
+
+**Consequence**: A private, written warning from community leaders, providing
+clarity around the nature of the violation and an explanation of why the
+behavior was inappropriate. A public apology may be requested.
+
+### 2. Warning
+
+**Community Impact**: A violation through a single incident or series of
+actions.
+
+**Consequence**: A warning with consequences for continued behavior. No
+interaction with the people involved, including unsolicited interaction with
+those enforcing the Code of Conduct, for a specified period of time. This
+includes avoiding interactions in community spaces as well as external channels
+like social media. Violating these terms may lead to a temporary or permanent
+ban.
+
+### 3. Temporary Ban
+
+**Community Impact**: A serious violation of community standards, including
+sustained inappropriate behavior.
+
+**Consequence**: A temporary ban from any sort of interaction or public
+communication with the community for a specified period of time. No public or
+private interaction with the people involved, including unsolicited interaction
+with those enforcing the Code of Conduct, is allowed during this period.
+Violating these terms may lead to a permanent ban.
+
+### 4. Permanent Ban
+
+**Community Impact**: Demonstrating a pattern of violation of community
+standards, including sustained inappropriate behavior, harassment of an
+individual, or aggression toward or disparagement of classes of individuals.
+
+**Consequence**: A permanent ban from any sort of public interaction within the
+community.
+
+## Attribution
+
+This Code of Conduct is adapted from the [Contributor Covenant][homepage],
+version 2.1, available at
+[https://www.contributor-covenant.org/version/2/1/code_of_conduct.html][v2.1].
+
+Community Impact Guidelines were inspired by [Mozilla's code of conduct
+enforcement ladder][Mozilla CoC].
+
+[homepage]: https://www.contributor-covenant.org
+[v2.1]: https://www.contributor-covenant.org/version/2/1/code_of_conduct.html
+[Mozilla CoC]: https://github.com/mozilla/diversity
+
+For answers to common questions about this code of conduct, see the FAQ at
+[https://www.contributor-covenant.org/faq][FAQ]. Translations are available at
+[https://www.contributor-covenant.org/translations][translations].
+
+[FAQ]: https://www.contributor-covenant.org/faq
+[translations]: https://www.contributor-covenant.org/translations

package/CONTRIBUTING.md

@@ -0,0 +1,41 @@
+# Contributing to i18ntk
+
+Thanks for helping improve i18ntk.
+
+## Project Priorities
+
+- Keep the npm package zero-dependency.
+- Keep the published package minimal and free of tests, local setup state, reports, backups, logs, credentials, and generated artifacts.
+- Preserve backward compatibility unless a breaking change is intentional and documented.
+- Prefer small, well-tested fixes over broad refactors.
+
+## Development Setup
+
+Clone the repository, install with npm, and run the project validation checks before opening a pull request.
+
+## Release Validation
+
+Maintainer release commands are documented in the repository development guide. The package published to npm uses a stripped public manifest.
+
+## Security
+
+Follow the security guidance in `SECURITY.md` and `docs/development/AGENTS.md`.
+
+Report vulnerabilities through GitHub Security Advisories. Do not open public issues for sensitive security reports.
+
+## Translations
+
+When editing `ui-locales/`, preserve JSON structure, placeholders, command names, file paths, and config keys.
+
+Run:
+
+Run the locale lint check before submitting translation changes.
+
+## Pull Requests
+
+Include:
+
+- the problem being fixed
+- the user-visible behavior change
+- validation commands that were run
+- any remaining risk or unverified behavior

package/FUNDING.md

@@ -0,0 +1,5 @@
+# Funding
+
+i18ntk does not request project donations.
+
+If you wanted to give something, please give it to a charity or community cause you trust.

package/README.md

@@ -1,20 +1,60 @@
-# i18ntk v2.5.0
+# i18ntk v2.5.1
 
 Zero-dependency internationalization toolkit for setup, scanning, analysis, validation, usage tracking, and translation completion.
 
-![i18ntk Logo](docs/screenshots/i18ntk-logo-public.PNG)
+![i18ntk Logo](https://raw.githubusercontent.com/vladnoskv/i18ntk/main/docs/screenshots/i18ntk-logo-public.PNG)
 
 [![npm version](https://img.shields.io/npm/v/i18ntk.svg?color=brightgreen)](https://www.npmjs.com/package/i18ntk)
 [![npm downloads](https://img.shields.io/npm/dt/i18ntk.svg)](https://www.npmjs.com/package/i18ntk)
 [![node](https://img.shields.io/badge/node-%3E%3D16-339933)](https://nodejs.org)
 [![dependencies](https://img.shields.io/badge/dependencies-0-success)](https://www.npmjs.com/package/i18ntk)
 [![license](https://img.shields.io/badge/license-MIT-yellow.svg)](LICENSE)
-[![socket](https://socket.dev/api/badge/npm/package/i18ntk/2.5.0)](https://socket.dev/npm/package/i18ntk/overview/2.5.0)
+[![socket](https://socket.dev/api/badge/npm/package/i18ntk/2.5.1)](https://socket.dev/npm/package/i18ntk/overview/2.5.1)
 
 ## Upgrade Notice
 
-Versions earlier than `2.5.0` may contain known stability and security issues.
-They are considered unsupported for production use. Upgrade to `2.5.0` or newer.
+Versions earlier than `2.5.1` may contain known stability and security issues.
+They are considered unsupported for production use. Upgrade to `2.5.1` or newer.
+
+## v2.5.1 Security Update
+
+`v2.5.1` is a security and packaging-process update for the `2.5.x` release line.
+
+### Change Summary
+
+- Hardened `utils/admin-auth.js` so `verifyPin()` fails closed when admin config is missing, disabled, or malformed.
+- Hardened auth-required checks so enabled PIN protection does not silently bypass authentication when admin config is unusable.
+- Normalized admin session expiry handling by storing both `expires` and `expiresAt` and cleaning up either format consistently.
+- Marked the root `package.json` as development-only and added a separate public manifest flow.
+- Added package scripts to stage, pack, and publish the public npm package from `package.public.json`.
+- Added a root publish guard via `prepack` and `prepublishOnly` to block accidental publishing of the development manifest.
+- Updated ignore rules to exclude release staging artifacts and public package metadata from the repo/package payload.
+- Replaced the expanded `SECURITY.md` policy with a shorter reporting-oriented policy and added community docs links.
+- Updated docs and release reset automation to use `npm run package:public` instead of `npm pack --dry-run`.
+
+### Files Changed
+
+- `utils/admin-auth.js`: fixed fail-open PIN verification and session expiry consistency.
+- `tests/security.test.js`: added admin-auth fail-closed and session cleanup coverage.
+- `package.json`: set development-only metadata, adjusted included files, and added public packaging/publish scripts.
+- `package.public.json`: introduced the stripped public npm manifest.
+- `scripts/build-public-package.js`: added the public package staging, pack, and publish workflow.
+- `scripts/prevent-root-publish.js`: added a guard against publishing the root development manifest.
+- `scripts/reset-release-state.js`: switched release validation to the public package build flow.
+- `README.md`, `docs/README.md`, `docs/development/AGENTS.md`, `docs/migration-guide-v2.5.1.md`, `docs/migration-guide-v2.5.0.md`: documented the security fix, packaging, and community file layout.
+- `SECURITY.md`, `CODE_OF_CONDUCT.md`, `CONTRIBUTING.md`, `FUNDING.md`: updated or added community and security-facing docs.
+- `.gitignore`, `.npmignore`: excluded release staging output and public-package metadata.
+
+### Audit Trail
+
+- Risk addressed: AI-based analysis flagged `verifyPin()` as fail-open when admin config was missing or disabled.
+- Behavior change: direct `verifyPin()` calls now return `false` unless a usable enabled PIN config exists.
+- Behavior change: when settings require PIN auth but admin config is broken, protected auth checks now require authentication and verification fails closed.
+- Risk: the root manifest is intentionally non-publishable, so publishing flows must use the public-package scripts.
+- Behavior change: `npm pack` and `npm publish` at the repo root are blocked by guard scripts.
+- Behavior change: the public npm payload is staged from `package.public.json` rather than the development manifest.
+- Validation note: release-state reset now exercises `npm run package:public` as part of its checks.
+- Validation note: this documentation update describes the working tree changes used for the packaging split.
 
 ## What i18ntk Does
 
@@ -154,7 +194,7 @@ Example `.i18ntk-config`:
 
 ```json
 {
-  "version": "2.5.0",
+  "version": "2.5.1",
   "sourceDir": "./locales",
   "i18nDir": "./locales",
   "outputDir": "./i18ntk-reports",
@@ -170,16 +210,22 @@ See [docs/api/CONFIGURATION.md](docs/api/CONFIGURATION.md) for the full configur
 
 ## Docs
 
-- [Documentation Index](docs/README.md)
-- [Getting Started](docs/getting-started.md)
-- [API Reference](docs/api/API_REFERENCE.md)
-- [Configuration Guide](docs/api/CONFIGURATION.md)
-- [Runtime API Guide](docs/runtime.md)
-- [Scanner Guide](docs/scanner-guide.md)
-- [Environment Variables](docs/environment-variables.md)
-- [Migration Guide v2.5.0](docs/migration-guide-v2.5.0.md)
-- [Migration Guide v2.4.0](docs/migration-guide-v2.4.0.md)
-- [Optimization Prompt](docs/development/package-optimization-prompt.md)
+- [Documentation Index](https://github.com/vladnoskv/i18ntk/blob/main/docs/README.md)
+- [Getting Started](https://github.com/vladnoskv/i18ntk/blob/main/docs/getting-started.md)
+- [API Reference](https://github.com/vladnoskv/i18ntk/blob/main/docs/api/API_REFERENCE.md)
+- [Configuration Guide](https://github.com/vladnoskv/i18ntk/blob/main/docs/api/CONFIGURATION.md)
+- [Runtime API Guide](https://github.com/vladnoskv/i18ntk/blob/main/docs/runtime.md)
+- [Scanner Guide](https://github.com/vladnoskv/i18ntk/blob/main/docs/scanner-guide.md)
+- [Environment Variables](https://github.com/vladnoskv/i18ntk/blob/main/docs/environment-variables.md)
+- [Migration Guide v2.5.1](https://github.com/vladnoskv/i18ntk/blob/main/docs/migration-guide-v2.5.1.md)
+- [Migration Guide v2.5.0](https://github.com/vladnoskv/i18ntk/blob/main/docs/migration-guide-v2.5.0.md)
+
+## Community
+
+- [Contributing](CONTRIBUTING.md)
+- [Code of Conduct](CODE_OF_CONDUCT.md)
+- [Security Policy](SECURITY.md)
+- [Funding](FUNDING.md)
 
 ## Code of Conduct
 

package/SECURITY.md

@@ -0,0 +1,52 @@
+# Security Policy
+
+## Supported Versions
+
+The supported production line is `2.5.x`.
+
+Versions earlier than `2.5.0` are not recommended for production use because later releases include package, filesystem, environment, and admin-auth hardening.
+
+## Security Model
+
+i18ntk is a local developer CLI and runtime helper. It is expected to read and write project files, but it must do so with conservative path validation and without external runtime dependencies.
+
+Security priorities:
+
+- zero runtime dependencies
+- no install-time lifecycle commands in the public package manifest
+- no shipped local setup state, admin PINs, backups, reports, logs, credentials, or generated artifacts
+- centralized environment-variable access through `utils/env-manager.js`
+- path containment checks based on resolved paths and `path.relative()`
+- timing-safe comparison for authentication hashes or tokens
+- silent-by-default logging for production-like contexts
+
+## Published Package Controls
+
+The npm package uses a stripped public manifest. It must not contain install-time lifecycle commands, dependency fields, local setup state, or development tooling.
+
+## Reporting Vulnerabilities
+
+Do not report security vulnerabilities in public GitHub issues.
+
+Use GitHub Security Advisories for private vulnerability reports. Include:
+
+- affected version
+- clear reproduction steps
+- expected and actual behavior
+- impact assessment
+- proof of concept, if safe to share privately
+
+## Disclosure Process
+
+Security reports are reviewed privately first. Confirmed issues should receive:
+
+- a fix or mitigation
+- a release note or migration note when user action is required
+- an npm release when the fix affects published users
+
+## User Guidance
+
+- Keep i18ntk updated to `2.5.0` or newer.
+- Do not commit `.i18ntk-config`, admin PIN files, backup directories, generated reports, logs, npm credentials, or secret material.
+- Run i18ntk only in project directories you trust.
+- Review generated translation changes before committing them.

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "i18ntk",
-  "version": "2.5.0",
-  "description": "🚀 The fastest internationalization toolkit with 97% performance boost! Zero-dependency, enterprise-grade internationalization for React, Vue, Angular, Python, Java, PHP & more. Features PIN protection, auto framework detection, 7+ UI languages, and comprehensive translation management. Perfect for startups to enterprises.",
+  "version": "2.5.1",
+  "description": "Zero-dependency internationalization toolkit for setup, scanning, analysis, validation, usage tracking, fixing, reporting, and runtime translation loading.",
   "keywords": [
     "i18n",
     "internationalization",
@@ -9,94 +9,22 @@
     "translation",
     "l10n",
     "multilingual",
-    "globalization",
     "i18next",
     "react-i18next",
     "vue-i18n",
     "angular-i18n",
     "next-i18next",
-    "nuxt-i18n",
-    "svelte-i18n",
-    "django",
-    "flask",
-    "fastapi",
-    "laravel",
-    "spring-boot",
     "nodejs",
     "javascript",
     "typescript",
     "cli",
     "command-line",
-    "automation",
     "developer-tools",
-    "productivity",
     "translation-management",
-    "language-support",
     "framework-detection",
     "zero-dependency",
-    "lightweight",
-    "fast",
-    "performance",
     "security",
-    "enterprise",
-    "devops",
-    "ci-cd",
-    "json",
-    "yaml",
-    "csv",
-    "po",
-    "xliff",
-    "android",
-    "ios",
-    "react-native",
-    "flutter",
-    "expo",
-    "electron",
-    "desktop",
-    "mobile",
-    "web",
-    "full-stack",
-    "backend",
-    "frontend",
-    "api",
-    "microservices",
-    "serverless",
-    "docker",
-    "kubernetes",
-    "cloud",
-    "aws",
-    "azure",
-    "gcp",
-    "saas",
-    "paas",
-    "open-source",
-    "free",
-    "npm",
-    "package",
-    "tool",
-    "utility",
-    "workflow",
-    "efficiency",
-    "best-practices",
-    "standards",
-    "compliance",
-    "accessibility",
-    "a11y",
-    "seo",
-    "marketing",
-    "growth",
-    "scale",
-    "startup",
-    "business",
-    "professional",
-    "expert",
-    "advanced",
-    "comprehensive",
-    "complete",
-    "all-in-one",
-    "suite",
-    "platform",
-    "solution"
+    "json"
   ],
   "homepage": "https://github.com/vladnoskv/i18ntk#readme",
   "bugs": {
@@ -107,8 +35,8 @@
     "url": "git+https://github.com/vladnoskv/i18ntk.git"
   },
   "funding": {
-    "type": "github",
-    "url": "https://github.com/sponsors/vladnoskv"
+    "type": "individual",
+    "url": "https://www.charitynavigator.org/"
   },
   "license": "MIT",
   "author": {
@@ -150,10 +78,6 @@
     "i18ntk-scanner": "main/i18ntk-scanner.js",
     "i18ntk-backup": "main/i18ntk-backup.js"
   },
-  "directories": {
-    "doc": "docs",
-    "test": "tests"
-  },
   "files": [
     "main/i18ntk-analyze.js",
     "main/i18ntk-backup-class.js",
@@ -207,49 +131,13 @@
     "utils/version-utils.js",
     "utils/watch-locales.js",
     "LICENSE",
-    "package.json",
-    "README.md"
+    "README.md",
+    "CODE_OF_CONDUCT.md",
+    "CONTRIBUTING.md",
+    "FUNDING.md",
+    "SECURITY.md"
   ],
   "sideEffects": false,
-  "scripts": {
-    "i18ntk": "node main/manage/index.js",
-    "i18ntk-setup": "node main/i18ntk-setup.js",
-    "i18ntk-manage": "node main/manage/index.js",
-    "i18ntk-init": "node main/i18ntk-init.js",
-    "i18ntk-analyze": "node main/i18ntk-analyze.js",
-    "i18ntk-validate": "node main/i18ntk-validate.js",
-    "i18ntk-usage": "node main/i18ntk-usage.js",
-    "i18ntk-complete": "node main/i18ntk-complete.js",
-    "i18ntk-sizing": "node main/i18ntk-sizing.js",
-    "i18ntk-summary": "node main/i18ntk-summary.js",
-    "i18ntk-doctor": "node main/i18ntk-doctor.js",
-    "i18ntk-fixer": "node main/i18ntk-fixer.js",
-    "i18ntk-scanner": "node main/i18ntk-scanner.js",
-    "i18ntk-backup": "node main/i18ntk-backup.js",
-    "i18ntk-py": "node main/i18ntk-py.js",
-    "i18ntk-js": "node main/i18ntk-js.js",
-    "i18ntk-java": "node main/i18ntk-java.js",
-    "i18ntk-php": "node main/i18ntk-php.js",
-    "i18ntk-go": "node main/i18ntk-go.js",
-    "start": "node main/manage/index.js",
-    "security:check": "node utils/security-check-improved.js",
-    "security:test": "node --test tests/security.test.js",
-    "security:audit": "npm run security:check && npm run security:test",
-    "test": "npm run security:test",
-    "test:all": "npm run security:audit",
-    "release:reset": "node scripts/reset-release-state.js",
-    "prepublishOnly": "npm run security:audit",
-    "prepare": "npm run security:check",
-    "backup:create": "node main/i18ntk-backup.js create",
-    "backup:restore": "node main/i18ntk-backup.js restore",
-    "backup:list": "node main/i18ntk-backup.js list",
-    "backup:verify": "node main/i18ntk-backup.js verify",
-    "backup:cleanup": "node main/i18ntk-backup.js cleanup",
-    "languages:select": "node settings/settings-cli.js",
-    "languages:list": "node settings/settings-cli.js --list-languages",
-    "languages:status": "node settings/settings-cli.js --language-status",
-    "lint:locales": "node scripts/lint-locales.js"
-  },
   "engines": {
     "node": ">=16.0.0",
     "npm": ">=8.0.0"
@@ -257,47 +145,5 @@
   "publishConfig": {
     "access": "public"
   },
-  "preferGlobal": true,
-  "versionInfo": {
-    "version": "2.5.0",
-    "releaseDate": "29/04/2026",
-    "lastUpdated": "29/04/2026",
-    "maintainer": "Vlad Noskov",
-    "changelog": "./CHANGELOG.md",
-    "documentation": "./README.md",
-    "apiReference": "./docs/api/API_REFERENCE.md",
-    "majorChanges": [
-      "SECURITY: Centralized environment-variable access behind an explicit allowlist.",
-      "SECURITY: Hardened path containment checks to reject sibling-prefix traversal cases.",
-      "SECURITY: Added timing-safe admin PIN hash comparison and fixed expired-session cleanup.",
-      "SECURITY: Expanded release security scanning to nested production source files.",
-      "FIXER: Fixed translation fixer writes for absolute source directories and confirmed applied fixes persist.",
-      "PACKAGING: Updated package and documentation metadata for the 2.5.0 release."
-    ],
-    "breakingChanges": [],
-    "nextVersion": "2.5.1",
-    "supportedNodeVersions": ">=16.0.0",
-    "supportedFrameworks": {
-      "react-i18next": ">=11.0.0",
-      "vue-i18n": ">=9.0.0",
-      "angular-i18n": ">=12.0.0",
-      "next-i18next": ">=13.0.0",
-      "nuxt-i18n": ">=8.0.0",
-      "svelte-i18n": ">=3.0.0",
-      "sveltekit-i18n": ">=2.0.0",
-      "react-native-localize": ">=2.0.0",
-      "expo-localization": ">=14.0.0",
-      "ionic-angular": ">=6.0.0",
-      "ember-intl": ">=5.0.0",
-      "formatjs": ">=2.0.0",
-      "i18next": ">=21.0.0",
-      "django": ">=3.0.0",
-      "flask-babel": ">=2.0.0",
-      "fastapi": ">=0.70.0",
-      "spring-boot": ">=2.5.0",
-      "laravel": ">=8.0.0"
-    },
-    "supportPolicy": "Versions earlier than 2.5.0 may be unstable or insecure. Upgrade to 2.5.0 or newer."
-  },
-  "_comment": "This package is zero-dependency and uses only native Node.js modules"
+  "preferGlobal": true
 }

package/utils/admin-auth.js

@@ -188,14 +188,60 @@ class AdminAuth {
     return crypto.timingSafeEqual(left, right);
   }
 
+  hasUsablePinConfig(config) {
+    return Boolean(
+      config &&
+      config.enabled === true &&
+      typeof config.pinHash === 'string' &&
+      config.pinHash.length > 0 &&
+      typeof config.salt === 'string' &&
+      config.salt.length > 0
+    );
+  }
+
+  logMissingPinConfig(context) {
+    SecurityUtils.logSecurityEvent(
+      'admin_auth_config_invalid',
+      'warning',
+      { message: `Admin PIN is required but not usable during ${context}` }
+    );
+  }
+
+  getSessionExpiryTime(session) {
+    if (!session || typeof session !== 'object') {
+      return NaN;
+    }
+
+    if (Number.isFinite(session.expiresAt)) {
+      return session.expiresAt;
+    }
+
+    if (typeof session.expiresAt === 'string') {
+      const parsedExpiresAt = Date.parse(session.expiresAt);
+      if (Number.isFinite(parsedExpiresAt)) {
+        return parsedExpiresAt;
+      }
+    }
+
+    if (typeof session.expires === 'string') {
+      const parsedExpires = Date.parse(session.expires);
+      if (Number.isFinite(parsedExpires)) {
+        return parsedExpires;
+      }
+    }
+
+    return NaN;
+  }
+
   /**
    * Verify PIN
    */
   async verifyPin(pin) {
     try {
       const config = await this.loadConfig();
-      if (!config || !config.enabled) {
-        return true; // No authentication required if not enabled
+      if (!this.hasUsablePinConfig(config)) {
+        this.logMissingPinConfig('PIN verification');
+        return false;
       }
 
       // Check for lockout
@@ -256,7 +302,7 @@ class AdminAuth {
    */
   async isPinConfigured() {
     const config = await this.loadConfig();
-    return config && config.enabled && config.pinHash;
+    return this.hasUsablePinConfig(config);
   }
 
   /**
@@ -270,7 +316,10 @@ class AdminAuth {
     }
     
     const config = await this.loadConfig();
-    return config && config.enabled;
+    if (!this.hasUsablePinConfig(config)) {
+      this.logMissingPinConfig('auth-required check');
+    }
+    return true;
   }
 
   /**
@@ -283,12 +332,6 @@ class AdminAuth {
       return false;
     }
 
-    // Check if admin PIN is actually configured
-    const config = await this.loadConfig();
-    if (!config || !config.enabled || !config.pinHash) {
-      return false; // Don't require PIN if admin PIN is not configured
-    }
-
     // Check if PIN protection is enabled
     const pinProtection = globalSettings.security?.pinProtection;
     if (!pinProtection || !pinProtection.enabled) {
@@ -297,7 +340,16 @@ class AdminAuth {
 
     // Check if this specific script requires protection
     const protectedScripts = pinProtection.protectedScripts || {};
-    return protectedScripts[scriptName] !== false; // Default to true if not explicitly set
+    if (protectedScripts[scriptName] === false) {
+      return false;
+    }
+
+    const config = await this.loadConfig();
+    if (!this.hasUsablePinConfig(config)) {
+      this.logMissingPinConfig(`script auth-required check for ${scriptName}`);
+    }
+
+    return true; // Default to true if not explicitly set
   }
 
   /**
@@ -336,11 +388,14 @@ class AdminAuth {
       sessionId = this.generateSessionId();
     }
     
+    const now = Date.now();
+    const expiresAt = now + this.sessionTimeout;
     const session = {
       id: sessionId,
-      created: new Date().toISOString(),
-      lastActivity: new Date().toISOString(),
-      expires: new Date(Date.now() + this.sessionTimeout).toISOString()
+      created: new Date(now).toISOString(),
+      lastActivity: new Date(now).toISOString(),
+      expires: new Date(expiresAt).toISOString(),
+      expiresAt
     };
     
     this.activeSessions.set(sessionId, session);
@@ -373,10 +428,10 @@ class AdminAuth {
       return false;
     }
     
-    const now = new Date();
-    const expires = new Date(session.expires);
+    const now = Date.now();
+    const expiresAt = this.getSessionExpiryTime(session);
     
-    if (now > expires) {
+    if (!Number.isFinite(expiresAt) || now > expiresAt) {
       this.activeSessions.delete(sessionId);
       this.clearCurrentSession();
       SecurityUtils.logSecurityEvent(
@@ -388,8 +443,10 @@ class AdminAuth {
     }
     
     // Update last activity
-    session.lastActivity = now.toISOString();
-    session.expires = new Date(now.getTime() + this.sessionTimeout).toISOString();
+    const nextExpiresAt = now + this.sessionTimeout;
+    session.lastActivity = new Date(now).toISOString();
+    session.expires = new Date(nextExpiresAt).toISOString();
+    session.expiresAt = nextExpiresAt;
     this.activeSessions.set(sessionId, session);
     
     return true;
@@ -571,9 +628,13 @@ class AdminAuth {
     let cleaned = 0;
     
     for (const [sessionId, session] of this.activeSessions.entries()) {
-      const expiresAt = session.expiresAt || new Date(session.expires).getTime();
+      const expiresAt = this.getSessionExpiryTime(session);
       if (!Number.isFinite(expiresAt) || now > expiresAt) {
         this.activeSessions.delete(sessionId);
+        if (this.currentSession && this.currentSession.id === sessionId) {
+          this.currentSession = null;
+          this.sessionStartTime = null;
+        }
         cleaned++;
       }
     }