palaryn 0.1.0 → 0.3.2

package/src/admin/templates.ts

@@ -0,0 +1,572 @@
+export interface DashboardStats {
+  total_requests: number;
+  pending_approvals: number;
+  active_workspaces: number;
+  policy_rules: number;
+  recent_events: any[];
+}
+
+export interface BudgetInfo {
+  key: string;
+  type: 'task' | 'user_daily' | 'user_monthly' | 'workspace_daily' | 'workspace_monthly';
+  label: string;
+  spent: number;
+  limit: number | undefined;
+}
+
+export interface ApiKeyInfo {
+  key: string;
+  workspace_id: string;
+  description?: string;
+  roles?: string[];
+  created_at?: string;
+  last_used_at?: string;
+  revoked?: boolean;
+  expires_at?: string;
+}
+
+export function escapeHtml(str: string): string {
+  return String(str)
+    .replace(/&/g, '&')
+    .replace(/</g, '&lt;')
+    .replace(/>/g, '&gt;')
+    .replace(/"/g, '&quot;')
+    .replace(/'/g, '&#039;');
+}
+
+export function layoutTemplate(title: string, activeNav: string, content: string): string {
+  return `<!DOCTYPE html>
+<html>
+<head>
+  <meta http-equiv="Content-Security-Policy" content="default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'">
+  <title>Palaryn Admin - ${escapeHtml(title)}</title>
+  <style>
+    * { margin: 0; padding: 0; box-sizing: border-box; }
+    body { font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, sans-serif; display: flex; min-height: 100vh; background: #f5f7fa; }
+    .sidebar { width: 240px; background: #1a1d23; color: #fff; padding: 20px 0; }
+    .sidebar h1 { font-size: 18px; padding: 0 20px 20px; border-bottom: 1px solid #2d3139; }
+    .sidebar nav a { display: block; padding: 12px 20px; color: #9ca3af; text-decoration: none; }
+    .sidebar nav a:hover, .sidebar nav a.active { background: #2d3139; color: #fff; }
+    .main { flex: 1; padding: 30px; }
+    .card { background: #fff; border-radius: 8px; padding: 20px; margin-bottom: 20px; box-shadow: 0 1px 3px rgba(0,0,0,0.1); }
+    .stats-grid { display: grid; grid-template-columns: repeat(auto-fit, minmax(200px, 1fr)); gap: 16px; margin-bottom: 24px; }
+    .stat-card { background: #fff; border-radius: 8px; padding: 20px; box-shadow: 0 1px 3px rgba(0,0,0,0.1); }
+    .stat-card .value { font-size: 28px; font-weight: 700; color: #1a1d23; }
+    .stat-card .label { font-size: 13px; color: #6b7280; margin-top: 4px; }
+    .badge { display: inline-block; padding: 2px 8px; border-radius: 12px; font-size: 12px; font-weight: 600; }
+    .badge-green { background: #d1fae5; color: #065f46; }
+    .badge-red { background: #fee2e2; color: #991b1b; }
+    .badge-yellow { background: #fef3c7; color: #92400e; }
+    .badge-blue { background: #dbeafe; color: #1e40af; }
+    table { width: 100%; border-collapse: collapse; }
+    th, td { text-align: left; padding: 10px 12px; border-bottom: 1px solid #e5e7eb; }
+    th { font-size: 12px; text-transform: uppercase; color: #6b7280; font-weight: 600; }
+    .btn { display: inline-block; padding: 6px 14px; border-radius: 6px; border: none; cursor: pointer; font-size: 13px; font-weight: 500; }
+    .btn-primary { background: #3b82f6; color: #fff; }
+    .btn-danger { background: #ef4444; color: #fff; }
+    .btn-success { background: #10b981; color: #fff; }
+    input, textarea, select { padding: 8px 12px; border: 1px solid #d1d5db; border-radius: 6px; font-size: 14px; width: 100%; }
+    textarea { min-height: 200px; font-family: monospace; }
+    .form-group { margin-bottom: 16px; }
+    .form-group label { display: block; font-size: 13px; font-weight: 600; margin-bottom: 6px; color: #374151; }
+    pre { background: #1a1d23; color: #e5e7eb; padding: 16px; border-radius: 8px; overflow-x: auto; font-size: 13px; }
+    .alert { padding: 12px 16px; border-radius: 8px; margin-bottom: 16px; }
+    .alert-success { background: #d1fae5; color: #065f46; }
+    .alert-error { background: #fee2e2; color: #991b1b; }
+  </style>
+</head>
+<body>
+  <div class="sidebar">
+    <h1>Palaryn Admin</h1>
+    <nav>
+      <a href="/admin" class="${activeNav === 'dashboard' ? 'active' : ''}">Dashboard</a>
+      <a href="/admin/approvals" class="${activeNav === 'approvals' ? 'active' : ''}">Approvals</a>
+      <a href="/admin/policies" class="${activeNav === 'policies' ? 'active' : ''}">Policies</a>
+      <a href="/admin/budgets" class="${activeNav === 'budgets' ? 'active' : ''}">Budgets</a>
+      <a href="/admin/traces" class="${activeNav === 'traces' ? 'active' : ''}">Traces</a>
+      <a href="/admin/api-keys" class="${activeNav === 'api-keys' ? 'active' : ''}">API Keys</a>
+    </nav>
+  </div>
+  <div class="main">
+    <h2 style="margin-bottom: 24px; color: #1a1d23;">${escapeHtml(title)}</h2>
+    ${content}
+  </div>
+</body>
+</html>`;
+}
+
+export function dashboardTemplate(stats: DashboardStats): string {
+  const recentEventsRows = stats.recent_events.slice(0, 20).map(event => {
+    const eventType = escapeHtml(event.event_type || '');
+    const badgeClass = eventType.includes('DENIED') || eventType.includes('INCIDENT')
+      ? 'badge-red'
+      : eventType.includes('APPROVAL_REQUESTED') || eventType.includes('APPROVAL_EXPIRED')
+        ? 'badge-yellow'
+        : eventType.includes('APPROVED') || eventType.includes('EXECUTED') || eventType.includes('RETURNED')
+          ? 'badge-green'
+          : 'badge-blue';
+
+    return `<tr>
+      <td><span class="badge ${badgeClass}">${eventType}</span></td>
+      <td>${escapeHtml(event.tool_name || '-')}</td>
+      <td>${escapeHtml(event.actor_id || '-')}</td>
+      <td>${escapeHtml(event.timestamp || '-')}</td>
+    </tr>`;
+  }).join('\n');
+
+  const content = `
+    <div class="stats-grid">
+      <div class="stat-card">
+        <div class="value">${stats.total_requests}</div>
+        <div class="label">Total Requests</div>
+      </div>
+      <div class="stat-card">
+        <div class="value">${stats.pending_approvals}</div>
+        <div class="label">Pending Approvals</div>
+      </div>
+      <div class="stat-card">
+        <div class="value">${stats.active_workspaces}</div>
+        <div class="label">Active Workspaces</div>
+      </div>
+      <div class="stat-card">
+        <div class="value">${stats.policy_rules}</div>
+        <div class="label">Policy Rules</div>
+      </div>
+    </div>
+    <div class="card">
+      <h3 style="margin-bottom: 16px; color: #374151;">Recent Events</h3>
+      ${stats.recent_events.length === 0
+        ? '<p style="color: #6b7280;">No events recorded yet.</p>'
+        : `<table>
+        <thead>
+          <tr>
+            <th>Event</th>
+            <th>Tool</th>
+            <th>Actor</th>
+            <th>Time</th>
+          </tr>
+        </thead>
+        <tbody>
+          ${recentEventsRows}
+        </tbody>
+      </table>`
+      }
+    </div>`;
+
+  return layoutTemplate('Dashboard', 'dashboard', content);
+}
+
+export function approvalsTemplate(approvals: any[], csrfToken?: string): string {
+  const csrfField = csrfToken ? `<input type="hidden" name="_csrf" value="${escapeHtml(csrfToken)}">` : '';
+
+  const rows = approvals.map(a => {
+    const statusBadge = a.status === 'pending'
+      ? '<span class="badge badge-yellow">pending</span>'
+      : a.status === 'approved'
+        ? '<span class="badge badge-green">approved</span>'
+        : a.status === 'denied'
+          ? '<span class="badge badge-red">denied</span>'
+          : '<span class="badge badge-blue">' + escapeHtml(a.status) + '</span>';
+
+    const actions = a.status === 'pending'
+      ? `<form method="POST" action="/admin/approvals/${escapeHtml(a.approval_id)}/approve" style="display:inline;">
+           ${csrfField}
+           <button type="submit" class="btn btn-success">Approve</button>
+         </form>
+         <form method="POST" action="/admin/approvals/${escapeHtml(a.approval_id)}/deny" style="display:inline; margin-left:4px;">
+           ${csrfField}
+           <button type="submit" class="btn btn-danger">Deny</button>
+         </form>`
+      : '-';
+
+    return `<tr>
+      <td>${escapeHtml(a.approval_id)}</td>
+      <td>${escapeHtml(a.tool_name || '-')}</td>
+      <td>${escapeHtml(a.actor_id || '-')}</td>
+      <td>${escapeHtml(a.scope || '-')}</td>
+      <td>${statusBadge}</td>
+      <td>${escapeHtml(a.reason || '-')}</td>
+      <td>${escapeHtml(a.created_at || '-')}</td>
+      <td>${actions}</td>
+    </tr>`;
+  }).join('\n');
+
+  const content = `
+    <div class="card">
+      ${approvals.length === 0
+        ? '<p style="color: #6b7280;">No pending approvals.</p>'
+        : `<table>
+        <thead>
+          <tr>
+            <th>ID</th>
+            <th>Tool</th>
+            <th>Actor</th>
+            <th>Scope</th>
+            <th>Status</th>
+            <th>Reason</th>
+            <th>Created</th>
+            <th>Actions</th>
+          </tr>
+        </thead>
+        <tbody>
+          ${rows}
+        </tbody>
+      </table>`
+      }
+    </div>`;
+
+  return layoutTemplate('Approvals', 'approvals', content);
+}
+
+export function policiesTemplate(policy: any, validationResult?: any, csrfToken?: string, policyYaml?: string, applyResult?: { success: boolean; message: string }): string {
+  const csrfField = csrfToken ? `<input type="hidden" name="_csrf" value="${escapeHtml(csrfToken)}">` : '';
+  const policyJson = JSON.stringify(policy, null, 2);
+
+  const validationAlert = validationResult
+    ? validationResult.valid
+      ? '<div class="alert alert-success">Policy is valid.</div>'
+      : `<div class="alert alert-error">Validation errors: ${escapeHtml((validationResult.errors || []).join('; '))}</div>`
+    : '';
+
+  const applyAlert = applyResult
+    ? applyResult.success
+      ? `<div class="alert alert-success">${escapeHtml(applyResult.message)}</div>`
+      : `<div class="alert alert-error">${escapeHtml(applyResult.message)}</div>`
+    : '';
+
+  const yamlContent = policyYaml || '';
+
+  const content = `
+    ${applyAlert}
+    ${validationAlert}
+    <div class="card">
+      <h3 style="margin-bottom: 16px; color: #374151;">Edit Policy (YAML)</h3>
+      <form method="POST" action="/admin/policies/apply">
+        ${csrfField}
+        <div class="form-group">
+          <label for="policy_editor">Policy Pack YAML</label>
+          <div style="position: relative;">
+            <pre id="policy_highlight" aria-hidden="true" style="position: absolute; top: 0; left: 0; right: 0; bottom: 0; margin: 0; padding: 8px 12px; border: 1px solid #d1d5db; border-radius: 6px; font-family: 'SF Mono', 'Fira Code', 'Cascadia Code', monospace; font-size: 13px; line-height: 1.5; tab-size: 2; overflow: auto; pointer-events: none; white-space: pre-wrap; word-wrap: break-word; color: transparent; background: transparent;"></pre>
+            <textarea id="policy_editor" name="policy_yaml" style="position: relative; min-height: 400px; font-family: 'SF Mono', 'Fira Code', 'Cascadia Code', monospace; font-size: 13px; line-height: 1.5; tab-size: 2; background: transparent; caret-color: #1a1d23; z-index: 1;">${escapeHtml(yamlContent)}</textarea>
+          </div>
+          <script>
+          (function() {
+            var ta = document.getElementById('policy_editor');
+            var pre = document.getElementById('policy_highlight');
+            if (!ta || !pre) return;
+            function highlightYaml(text) {
+              var escaped = text.replace(/&/g,'&amp;').replace(/</g,'&lt;').replace(/>/g,'&gt;');
+              return escaped
+                .replace(/^(\\s*#.*)$/gm, '<span style="color:#6b7280;font-style:italic;">$1</span>')
+                .replace(/^(\\s*[\\w][\\w.-]*)(\\s*:)/gm, '<span style="color:#2563eb;">$1</span>$2')
+                .replace(/:\\s*("(?:[^"\\\\]|\\\\.)*")/g, ': <span style="color:#059669;">$1</span>')
+                .replace(/:\\s*('(?:[^'\\\\]|\\\\.)*')/g, ': <span style="color:#059669;">$1</span>')
+                .replace(/:\\s*(\\d+\\.?\\d*)/g, ': <span style="color:#d97706;">$1</span>')
+                .replace(/:\\s*(true|false|null|yes|no)/gi, ': <span style="color:#dc2626;">$1</span>')
+                .replace(/(ALLOW|DENY|TRANSFORM|REQUIRE_APPROVAL)/g, '<span style="color:#7c3aed;font-weight:600;">$1</span>');
+            }
+            function sync() { pre.innerHTML = highlightYaml(ta.value) + '\\n'; }
+            ta.addEventListener('input', sync);
+            ta.addEventListener('scroll', function() { pre.scrollTop = ta.scrollTop; pre.scrollLeft = ta.scrollLeft; });
+            sync();
+          })();
+          </script>
+        </div>
+        <div style="display: flex; gap: 12px; align-items: center;">
+          <button type="submit" class="btn btn-success" style="font-size: 15px; padding: 10px 24px;">Save &amp; Apply</button>
+        </div>
+      </form>
+      <form method="POST" action="/admin/policies/reload" style="margin-top: 12px;">
+        ${csrfField}
+        <button type="submit" class="btn btn-primary">Reload from Disk</button>
+      </form>
+    </div>
+    <div class="card">
+      <h3 style="margin-bottom: 16px; color: #374151;">Active Policy Pack (read-only)</h3>
+      <pre>${escapeHtml(policyJson)}</pre>
+    </div>
+    <div class="card">
+      <h3 style="margin-bottom: 16px; color: #374151;">Validate Policy</h3>
+      <form method="POST" action="/admin/policies/validate">
+        ${csrfField}
+        <div class="form-group">
+          <label for="policy_validate_json">Policy Pack (JSON)</label>
+          <textarea id="policy_validate_json" name="policy_json" placeholder='{"name": "test", "version": "1.0", "rules": []}'></textarea>
+        </div>
+        <button type="submit" class="btn btn-primary">Validate</button>
+      </form>
+    </div>`;
+
+  return layoutTemplate('Policies', 'policies', content);
+}
+
+export interface CostSummary {
+  estimated_total: number;
+  actual_total: number;
+  top_tools: { tool_name: string; cost: number }[];
+}
+
+export function budgetsTemplate(budgets: BudgetInfo[], costSummary?: CostSummary): string {
+  const rows = budgets.map(b => {
+    const limitStr = b.limit !== undefined ? `$${b.limit.toFixed(2)}` : 'unlimited';
+    const pct = b.limit !== undefined && b.limit > 0 ? Math.min(100, (b.spent / b.limit) * 100) : 0;
+    const barColor = pct > 80 ? '#ef4444' : pct > 50 ? '#f59e0b' : '#10b981';
+
+    return `<tr>
+      <td>${escapeHtml(b.key)}</td>
+      <td>${escapeHtml(b.label)}</td>
+      <td>$${b.spent.toFixed(4)}</td>
+      <td>${limitStr}</td>
+      <td>
+        <div style="background:#e5e7eb; border-radius:4px; height:8px; width:120px; display:inline-block; vertical-align:middle;">
+          <div style="background:${barColor}; border-radius:4px; height:8px; width:${pct}%;"></div>
+        </div>
+        <span style="font-size:12px; color:#6b7280; margin-left:6px;">${pct.toFixed(0)}%</span>
+      </td>
+    </tr>`;
+  }).join('\n');
+
+  const costSummaryHtml = costSummary ? `
+    <div class="stats-grid" style="margin-bottom: 24px;">
+      <div class="stat-card">
+        <div class="value">$${costSummary.estimated_total.toFixed(4)}</div>
+        <div class="label">Estimated Cost (Total)</div>
+      </div>
+      <div class="stat-card">
+        <div class="value">$${costSummary.actual_total.toFixed(4)}</div>
+        <div class="label">Actual Cost (Total)</div>
+      </div>
+    </div>
+    ${costSummary.top_tools.length > 0 ? `<div class="card" style="margin-bottom: 20px;">
+      <h3 style="margin-bottom: 16px; color: #374151;">Top Tools by Cost</h3>
+      <table>
+        <thead><tr><th>Tool</th><th>Cost (USD)</th></tr></thead>
+        <tbody>
+          ${costSummary.top_tools.map(t =>
+            `<tr><td>${escapeHtml(t.tool_name)}</td><td>$${t.cost.toFixed(4)}</td></tr>`
+          ).join('\n')}
+        </tbody>
+      </table>
+    </div>` : ''}` : '';
+
+  const content = `
+    ${costSummaryHtml}
+    <div class="card">
+      ${budgets.length === 0
+        ? '<p style="color: #6b7280;">No budget data available.</p>'
+        : `<table>
+        <thead>
+          <tr>
+            <th>Key</th>
+            <th>Type</th>
+            <th>Spent</th>
+            <th>Limit</th>
+            <th>Usage</th>
+          </tr>
+        </thead>
+        <tbody>
+          ${rows}
+        </tbody>
+      </table>`
+      }
+    </div>`;
+
+  return layoutTemplate('Budgets', 'budgets', content);
+}
+
+export interface PaginationInfo {
+  page: number;
+  limit: number;
+  total: number;
+  totalPages: number;
+}
+
+function paginationControls(info: PaginationInfo, baseUrl: string): string {
+  if (info.totalPages <= 1) return '';
+  const prevDisabled = info.page <= 1;
+  const nextDisabled = info.page >= info.totalPages;
+  return `<div style="display: flex; align-items: center; justify-content: center; gap: 12px; margin-top: 16px; padding-top: 16px; border-top: 1px solid #e5e7eb;">
+    ${prevDisabled
+      ? '<span class="btn" style="opacity: 0.5; cursor: default;">&larr; Previous</span>'
+      : `<a href="${baseUrl}?page=${info.page - 1}&limit=${info.limit}" class="btn btn-primary">&larr; Previous</a>`}
+    <span style="font-size: 14px; color: #374151;">Page ${info.page} of ${info.totalPages} (${info.total} total)</span>
+    ${nextDisabled
+      ? '<span class="btn" style="opacity: 0.5; cursor: default;">Next &rarr;</span>'
+      : `<a href="${baseUrl}?page=${info.page + 1}&limit=${info.limit}" class="btn btn-primary">Next &rarr;</a>`}
+  </div>`;
+}
+
+export function traceListTemplate(traces: any[], pagination?: PaginationInfo): string {
+  const content = `
+    <div class="card">
+      <h3 style="margin-bottom: 16px; color: #374151;">Search Traces</h3>
+      <form method="GET" action="/admin/traces" style="display: flex; gap: 8px; align-items: flex-end;">
+        <div class="form-group" style="flex: 1; margin-bottom: 0;">
+          <label for="task_id">Task ID</label>
+          <input type="text" id="task_id" name="task_id" placeholder="Enter a task_id to search..." />
+        </div>
+        <button type="submit" class="btn btn-primary" style="height: 38px;">Search</button>
+      </form>
+    </div>
+    <div class="card">
+      <h3 style="margin-bottom: 16px; color: #374151;">Recent Task IDs</h3>
+      ${traces.length === 0
+        ? '<p style="color: #6b7280;">No trace data available.</p>'
+        : `<table>
+        <thead>
+          <tr>
+            <th>Task ID</th>
+            <th>Events</th>
+            <th>First Seen</th>
+            <th>Actions</th>
+          </tr>
+        </thead>
+        <tbody>
+          ${traces.map(t => `<tr>
+            <td>${escapeHtml(t.task_id)}</td>
+            <td>${t.event_count}</td>
+            <td>${escapeHtml(t.first_seen || '-')}</td>
+            <td><a href="/admin/traces/${escapeHtml(t.task_id)}" class="btn btn-primary">View</a></td>
+          </tr>`).join('\n')}
+        </tbody>
+      </table>
+      ${pagination ? paginationControls(pagination, '/admin/traces') : ''}`
+      }
+    </div>`;
+
+  return layoutTemplate('Traces', 'traces', content);
+}
+
+export function traceDetailTemplate(taskId: string, events: any[]): string {
+  const rows = events.map(e => {
+    const eventType = escapeHtml(e.event_type || '');
+    const badgeClass = eventType.includes('DENIED') || eventType.includes('INCIDENT')
+      ? 'badge-red'
+      : eventType.includes('APPROVAL_REQUESTED') || eventType.includes('APPROVAL_EXPIRED')
+        ? 'badge-yellow'
+        : eventType.includes('APPROVED') || eventType.includes('EXECUTED') || eventType.includes('RETURNED')
+          ? 'badge-green'
+          : 'badge-blue';
+
+    return `<tr>
+      <td>${escapeHtml(e.event_id || '-')}</td>
+      <td><span class="badge ${badgeClass}">${eventType}</span></td>
+      <td>${escapeHtml(e.tool_name || '-')}</td>
+      <td>${escapeHtml(e.actor_id || '-')}</td>
+      <td>${escapeHtml(e.timestamp || '-')}</td>
+      <td><pre style="margin:0; padding:4px 8px; font-size:11px; max-width:400px; overflow-x:auto; white-space:pre-wrap; word-break:break-word;">${escapeHtml(JSON.stringify(e.metadata || {}, null, 2))}</pre></td>
+    </tr>`;
+  }).join('\n');
+
+  const content = `
+    <div style="margin-bottom: 16px;">
+      <a href="/admin/traces" style="color: #3b82f6; text-decoration: none;">&larr; Back to Traces</a>
+    </div>
+    <div class="card">
+      <h3 style="margin-bottom: 16px; color: #374151;">Task: ${escapeHtml(taskId)}</h3>
+      ${events.length === 0
+        ? '<p style="color: #6b7280;">No events found for this task.</p>'
+        : `<table>
+        <thead>
+          <tr>
+            <th>Event ID</th>
+            <th>Type</th>
+            <th>Tool</th>
+            <th>Actor</th>
+            <th>Time</th>
+            <th>Metadata</th>
+          </tr>
+        </thead>
+        <tbody>
+          ${rows}
+        </tbody>
+      </table>`
+      }
+    </div>`;
+
+  return layoutTemplate(`Trace: ${taskId}`, 'traces', content);
+}
+
+export function apiKeysTemplate(keys: ApiKeyInfo[], csrfToken?: string, createdKey?: string): string {
+  const csrfField = csrfToken ? `<input type="hidden" name="_csrf" value="${escapeHtml(csrfToken)}">` : '';
+
+  const createdAlert = createdKey
+    ? `<div class="alert alert-success">
+        New API key created: <code style="background:#065f46; color:#d1fae5; padding:2px 8px; border-radius:4px; font-size:14px; user-select:all;">${escapeHtml(createdKey)}</code>
+        <br><strong>Copy this key now &mdash; it won&rsquo;t be shown again.</strong>
+      </div>`
+    : '';
+
+  const rows = keys.map(k => {
+    const maskedKey = k.key.length > 8
+      ? k.key.substring(0, 4) + '...' + k.key.substring(k.key.length - 4)
+      : k.key;
+
+    const statusBadge = k.revoked
+      ? '<span class="badge badge-red">revoked</span>'
+      : k.expires_at && new Date(k.expires_at) < new Date()
+        ? '<span class="badge badge-yellow">expired</span>'
+        : '<span class="badge badge-green">active</span>';
+
+    const revokeAction = !k.revoked
+      ? `<form method="POST" action="/admin/api-keys/${escapeHtml(k.key)}/revoke" style="display:inline;">
+           ${csrfField}
+           <button type="submit" class="btn btn-danger">Revoke</button>
+         </form>`
+      : '-';
+
+    return `<tr>
+      <td>${escapeHtml(maskedKey)}</td>
+      <td>${escapeHtml(k.workspace_id)}</td>
+      <td>${escapeHtml(k.description || '-')}</td>
+      <td>${(k.roles || []).map(r => `<span class="badge badge-blue">${escapeHtml(r)}</span>`).join(' ') || '-'}</td>
+      <td>${statusBadge}</td>
+      <td>${escapeHtml(k.created_at || '-')}</td>
+      <td>${revokeAction}</td>
+    </tr>`;
+  }).join('\n');
+
+  const content = `
+    ${createdAlert}
+    <div class="card">
+      <h3 style="margin-bottom: 16px; color: #374151;">Create New API Key</h3>
+      <form method="POST" action="/admin/api-keys">
+        ${csrfField}
+        <div style="display: grid; grid-template-columns: 1fr 1fr; gap: 16px;">
+          <div class="form-group">
+            <label for="workspace_id">Workspace ID</label>
+            <input type="text" id="workspace_id" name="workspace_id" placeholder="ws_example" required />
+          </div>
+          <div class="form-group">
+            <label for="description">Description</label>
+            <input type="text" id="description" name="description" placeholder="Key description" />
+          </div>
+        </div>
+        <button type="submit" class="btn btn-primary">Create Key</button>
+      </form>
+    </div>
+    <div class="card">
+      <h3 style="margin-bottom: 16px; color: #374151;">API Keys</h3>
+      ${keys.length === 0
+        ? '<p style="color: #6b7280;">No API keys configured.</p>'
+        : `<table>
+        <thead>
+          <tr>
+            <th>Key</th>
+            <th>Workspace</th>
+            <th>Description</th>
+            <th>Roles</th>
+            <th>Status</th>
+            <th>Created</th>
+            <th>Actions</th>
+          </tr>
+        </thead>
+        <tbody>
+          ${rows}
+        </tbody>
+      </table>`
+      }
+    </div>`;
+
+  return layoutTemplate('API Keys', 'api-keys', content);
+}