palmier 0.7.4 → 0.7.7

package/palmier-server/pwa/src/components/HostMenu.tsx

@@ -64,6 +64,15 @@ interface DndAccessPlugin {
   check(): Promise<DndAccessResult>;
 }
 
+interface FullScreenIntentResult {
+  granted: boolean;
+}
+
+interface FullScreenIntentPlugin {
+  request(): Promise<FullScreenIntentResult>;
+  check(): Promise<FullScreenIntentResult>;
+}
+
 const NotificationListener = Capacitor.isNativePlatform()
   ? registerPlugin<NotificationListenerPlugin>("NotificationListener")
   : null;
@@ -83,6 +92,10 @@ const CalendarPermission = Capacitor.isNativePlatform()
 const DndAccess = Capacitor.isNativePlatform()
   ? registerPlugin<DndAccessPlugin>("DndAccess")
   : null;
+
+const FullScreenIntent = Capacitor.isNativePlatform()
+  ? registerPlugin<FullScreenIntentPlugin>("FullScreenIntent")
+  : null;
 import { useHostStore } from "../contexts/HostStoreContext";
 import { useMediaQuery } from "../hooks/useMediaQuery";
 
@@ -92,13 +105,13 @@ const isNative = Capacitor.isNativePlatform();
 
 interface HostMenuProps {
   daemonVersion?: string | null;
-  locationClientToken?: string | null;
+  capabilityTokens?: Record<string, string | null>;
   activeClientToken?: string | null;
   request?<T = unknown>(method: string, params?: unknown): Promise<T>;
-  onLocationClientTokenChange?(token: string | null): void;
+  onCapabilityTokensChange?(tokens: Record<string, string | null>): void;
 }
 
-export default function HostMenu({ daemonVersion, locationClientToken, activeClientToken, request, onLocationClientTokenChange }: HostMenuProps) {
+export default function HostMenu({ daemonVersion, capabilityTokens, activeClientToken, request, onCapabilityTokensChange }: HostMenuProps) {
   const { pairedHosts, activeHostId, setActiveHostId, removePairedHost, renamePairedHost } = useHostStore();
   const navigate = useNavigate();
   const isDesktop = useMediaQuery("(min-width: 768px)");
@@ -109,22 +122,36 @@ export default function HostMenu({ daemonVersion, locationClientToken, activeCli
   const [renameValue, setRenameValue] = useState("");
   const [confirmingDeleteId, setConfirmingDeleteId] = useState<string | null>(null);
   const [togglingLocation, setTogglingLocation] = useState(false);
-  const [notificationListenerEnabled, setNotificationListenerEnabled] = useState(false);
   const [togglingNotificationListener, setTogglingNotificationListener] = useState(false);
-  const [smsEnabled, setSmsEnabled] = useState(false);
   const [togglingSms, setTogglingSms] = useState(false);
-  const [contactsEnabled, setContactsEnabled] = useState(false);
   const [togglingContacts, setTogglingContacts] = useState(false);
-  const [calendarEnabled, setCalendarEnabled] = useState(false);
   const [togglingCalendar, setTogglingCalendar] = useState(false);
-  const [dndEnabled, setDndEnabled] = useState(false);
   const [togglingDnd, setTogglingDnd] = useState(false);
-  const [alarmEnabled, setAlarmEnabled] = useState(false);
   const [togglingAlarm, setTogglingAlarm] = useState(false);
-  const [batteryEnabled, setBatteryEnabled] = useState(false);
   const [togglingBattery, setTogglingBattery] = useState(false);
+  const [togglingEmail, setTogglingEmail] = useState(false);
 
-  const locationEnabled = !!(activeClientToken && locationClientToken === activeClientToken);
+  // Capability enabled = this device's client token matches the registered device for that capability
+  function isCapEnabled(cap: string): boolean {
+    return !!(activeClientToken && capabilityTokens?.[cap] === activeClientToken);
+  }
+  const locationEnabled = isCapEnabled("location");
+  const notificationListenerEnabled = isCapEnabled("notifications");
+  const smsEnabled = isCapEnabled("sms");
+  const contactsEnabled = isCapEnabled("contacts");
+  const calendarEnabled = isCapEnabled("calendar");
+  const dndEnabled = isCapEnabled("dnd");
+  const alarmEnabled = isCapEnabled("alert");
+  const batteryEnabled = isCapEnabled("battery");
+  const emailEnabled = isCapEnabled("email");
+
+  /** Update local capability tokens state after a toggle change */
+  function setCapEnabled(cap: string, enabled: boolean) {
+    const updated: Record<string, string | null> = {};
+    for (const [k, v] of Object.entries(capabilityTokens ?? {})) updated[k] = v ?? null;
+    updated[cap] = enabled ? (activeClientToken ?? null) : null;
+    onCapabilityTokensChange?.(updated);
+  }
 
   // Sync location toggle with permission state — on mount and when app resumes from background
   useEffect(() => {
@@ -136,7 +163,7 @@ export default function HostMenu({ daemonVersion, locationClientToken, activeCli
         if (!fine) {
           // Permission revoked — disable on host
           request!("device.location.disable").then(() => {
-            onLocationClientTokenChange?.(null);
+            setCapEnabled("location", false);
           }).catch(() => {});
         }
       });
@@ -151,29 +178,6 @@ export default function HostMenu({ daemonVersion, locationClientToken, activeCli
     return () => { listener.then((h) => h.remove()); };
   }, [locationEnabled, activeClientToken]);
 
-  // Sync notification listener toggle with system state — on mount and when app resumes
-  useEffect(() => {
-    if (!isNative || !NotificationListener) return;
-
-    function syncNotificationListenerState() {
-      Promise.all([
-        NotificationListener!.check(),
-        Preferences.get({ key: "notificationListenerEnabled" }),
-      ]).then(([{ enabled: systemEnabled }, { value: prefValue }]) => {
-        // Enabled only if both system permission is granted AND user toggled on
-        setNotificationListenerEnabled(systemEnabled && prefValue !== "false");
-      });
-    }
-
-    syncNotificationListenerState();
-
-    const listener = CapApp.addListener("resume", () => {
-      syncNotificationListenerState();
-    });
-
-    return () => { listener.then((h) => h.remove()); };
-  }, []);
-
   async function handleNotificationListenerToggle() {
     if (!NotificationListener || !request) return;
     setTogglingNotificationListener(true);
@@ -181,7 +185,7 @@ export default function HostMenu({ daemonVersion, locationClientToken, activeCli
       if (notificationListenerEnabled) {
         await Preferences.set({ key: "notificationListenerEnabled", value: "false" });
         await request("device.capability.disable", { capability: "notifications" });
-        setNotificationListenerEnabled(false);
+        setCapEnabled("notifications", false);
       } else {
         const { enabled: systemEnabled } = await NotificationListener.check();
         if (!systemEnabled) {
@@ -192,7 +196,7 @@ export default function HostMenu({ daemonVersion, locationClientToken, activeCli
         if (!fcmToken) { console.warn("No FCM token available"); return; }
         await Preferences.set({ key: "notificationListenerEnabled", value: "true" });
         await request("device.capability.enable", { capability: "notifications", fcmToken });
-        setNotificationListenerEnabled(true);
+        setCapEnabled("notifications", true);
       }
     } catch (err) {
       console.error("Failed to toggle notification listener:", err);
@@ -201,28 +205,6 @@ export default function HostMenu({ daemonVersion, locationClientToken, activeCli
     }
   }
 
-  // Sync SMS toggle with permission state — on mount and when app resumes
-  useEffect(() => {
-    if (!isNative || !SmsPermission) return;
-
-    function syncSmsState() {
-      Promise.all([
-        SmsPermission!.check(),
-        Preferences.get({ key: "smsListenerEnabled" }),
-      ]).then(([{ granted }, { value: prefValue }]) => {
-        setSmsEnabled(granted && prefValue !== "false");
-      });
-    }
-
-    syncSmsState();
-
-    const listener = CapApp.addListener("resume", () => {
-      syncSmsState();
-    });
-
-    return () => { listener.then((h) => h.remove()); };
-  }, []);
-
   async function handleSmsToggle() {
     if (!SmsPermission || !request) return;
     setTogglingSms(true);
@@ -230,7 +212,7 @@ export default function HostMenu({ daemonVersion, locationClientToken, activeCli
       if (smsEnabled) {
         await Preferences.set({ key: "smsListenerEnabled", value: "false" });
         await request("device.capability.disable", { capability: "sms" });
-        setSmsEnabled(false);
+        setCapEnabled("sms", false);
       } else {
         const { granted } = await SmsPermission.check();
         if (!granted) {
@@ -241,7 +223,7 @@ export default function HostMenu({ daemonVersion, locationClientToken, activeCli
         if (!fcmToken) { console.warn("No FCM token available"); return; }
         await Preferences.set({ key: "smsListenerEnabled", value: "true" });
         await request("device.capability.enable", { capability: "sms", fcmToken });
-        setSmsEnabled(true);
+        setCapEnabled("sms", true);
       }
     } catch (err) {
       console.error("Failed to toggle SMS access:", err);
@@ -250,28 +232,6 @@ export default function HostMenu({ daemonVersion, locationClientToken, activeCli
     }
   }
 
-  // Sync contacts toggle with permission state — on mount and when app resumes
-  useEffect(() => {
-    if (!isNative || !ContactsPermission) return;
-
-    function syncContactsState() {
-      Promise.all([
-        ContactsPermission!.check(),
-        Preferences.get({ key: "contactsAccessEnabled" }),
-      ]).then(([{ granted }, { value: prefValue }]) => {
-        setContactsEnabled(granted && prefValue !== "false");
-      });
-    }
-
-    syncContactsState();
-
-    const listener = CapApp.addListener("resume", () => {
-      syncContactsState();
-    });
-
-    return () => { listener.then((h) => h.remove()); };
-  }, []);
-
   async function handleContactsToggle() {
     if (!ContactsPermission || !request) return;
     setTogglingContacts(true);
@@ -279,7 +239,7 @@ export default function HostMenu({ daemonVersion, locationClientToken, activeCli
       if (contactsEnabled) {
         await Preferences.set({ key: "contactsAccessEnabled", value: "false" });
         await request("device.capability.disable", { capability: "contacts" });
-        setContactsEnabled(false);
+        setCapEnabled("contacts", false);
       } else {
         const { granted } = await ContactsPermission.check();
         if (!granted) {
@@ -290,7 +250,7 @@ export default function HostMenu({ daemonVersion, locationClientToken, activeCli
         if (!fcmToken) { console.warn("No FCM token available"); return; }
         await Preferences.set({ key: "contactsAccessEnabled", value: "true" });
         await request("device.capability.enable", { capability: "contacts", fcmToken });
-        setContactsEnabled(true);
+        setCapEnabled("contacts", true);
       }
     } catch (err) {
       console.error("Failed to toggle contacts access:", err);
@@ -299,28 +259,6 @@ export default function HostMenu({ daemonVersion, locationClientToken, activeCli
     }
   }
 
-  // Sync calendar toggle with permission state — on mount and when app resumes
-  useEffect(() => {
-    if (!isNative || !CalendarPermission) return;
-
-    function syncCalendarState() {
-      Promise.all([
-        CalendarPermission!.check(),
-        Preferences.get({ key: "calendarAccessEnabled" }),
-      ]).then(([{ granted }, { value: prefValue }]) => {
-        setCalendarEnabled(granted && prefValue !== "false");
-      });
-    }
-
-    syncCalendarState();
-
-    const listener = CapApp.addListener("resume", () => {
-      syncCalendarState();
-    });
-
-    return () => { listener.then((h) => h.remove()); };
-  }, []);
-
   async function handleCalendarToggle() {
     if (!CalendarPermission || !request) return;
     setTogglingCalendar(true);
@@ -328,7 +266,7 @@ export default function HostMenu({ daemonVersion, locationClientToken, activeCli
       if (calendarEnabled) {
         await Preferences.set({ key: "calendarAccessEnabled", value: "false" });
         await request("device.capability.disable", { capability: "calendar" });
-        setCalendarEnabled(false);
+        setCapEnabled("calendar", false);
       } else {
         const { granted } = await CalendarPermission.check();
         if (!granted) {
@@ -339,7 +277,7 @@ export default function HostMenu({ daemonVersion, locationClientToken, activeCli
         if (!fcmToken) { console.warn("No FCM token available"); return; }
         await Preferences.set({ key: "calendarAccessEnabled", value: "true" });
         await request("device.capability.enable", { capability: "calendar", fcmToken });
-        setCalendarEnabled(true);
+        setCapEnabled("calendar", true);
       }
     } catch (err) {
       console.error("Failed to toggle calendar access:", err);
@@ -348,33 +286,13 @@ export default function HostMenu({ daemonVersion, locationClientToken, activeCli
     }
   }
 
-  // Sync DND access toggle with system state — on mount and when app resumes
-  useEffect(() => {
-    if (!isNative || !DndAccess) return;
-
-    function syncDndState() {
-      DndAccess!.check().then(({ enabled }) => {
-        setDndEnabled(enabled);
-      });
-    }
-
-    syncDndState();
-
-    const listener = CapApp.addListener("resume", () => {
-      syncDndState();
-    });
-
-    return () => { listener.then((h) => h.remove()); };
-  }, []);
-
   async function handleDndToggle() {
     if (!DndAccess || !request) return;
     setTogglingDnd(true);
     try {
       if (dndEnabled) {
-        // DND access can only be revoked in system settings, but we unregister from host
         await request("device.capability.disable", { capability: "dnd" });
-        setDndEnabled(false);
+        setCapEnabled("dnd", false);
       } else {
         const { enabled: systemEnabled } = await DndAccess.check();
         if (!systemEnabled) {
@@ -384,7 +302,7 @@ export default function HostMenu({ daemonVersion, locationClientToken, activeCli
         const { value: fcmToken } = await Preferences.get({ key: "fcmToken" });
         if (!fcmToken) { console.warn("No FCM token available"); return; }
         await request("device.capability.enable", { capability: "dnd", fcmToken });
-        setDndEnabled(true);
+        setCapEnabled("dnd", true);
       }
     } catch (err) {
       console.error("Failed to toggle DND access:", err);
@@ -393,58 +311,69 @@ export default function HostMenu({ daemonVersion, locationClientToken, activeCli
     }
   }
 
-  // Sync alarm toggle — no permission needed, just device registration
-  useEffect(() => {
-    if (!isNative) return;
-    Preferences.get({ key: "alertAccessEnabled" }).then(({ value }) => {
-      setAlarmEnabled(value === "true");
-    });
-  }, []);
+  /** Ensure full-screen intent permission is granted (needed for alert + email). */
+  async function ensureFullScreenIntent(): Promise<boolean> {
+    if (!FullScreenIntent) return true;
+    const { granted } = await FullScreenIntent.check();
+    if (granted) return true;
+    const result = await FullScreenIntent.request();
+    return result.granted;
+  }
 
   async function handleAlarmToggle() {
     if (!request) return;
     setTogglingAlarm(true);
     try {
       if (alarmEnabled) {
-        await Preferences.set({ key: "alertAccessEnabled", value: "false" });
         await request("device.capability.disable", { capability: "alert" });
-        setAlarmEnabled(false);
+        setCapEnabled("alert", false);
       } else {
+        if (!await ensureFullScreenIntent()) return;
         const { value: fcmToken } = await Preferences.get({ key: "fcmToken" });
         if (!fcmToken) { console.warn("No FCM token available"); return; }
-        await Preferences.set({ key: "alertAccessEnabled", value: "true" });
         await request("device.capability.enable", { capability: "alert", fcmToken });
-        setAlarmEnabled(true);
+        setCapEnabled("alert", true);
       }
     } catch (err) {
-      console.error("Failed to toggle alarm access:", err);
+      console.error("Failed to toggle alert access:", err);
     } finally {
       setTogglingAlarm(false);
     }
   }
 
-  // Sync battery toggle — no permission needed, just device registration
-  useEffect(() => {
-    if (!isNative) return;
-    Preferences.get({ key: "batteryAccessEnabled" }).then(({ value }) => {
-      setBatteryEnabled(value === "true");
-    });
-  }, []);
+  async function handleEmailToggle() {
+    if (!request) return;
+    setTogglingEmail(true);
+    try {
+      if (emailEnabled) {
+        await request("device.capability.disable", { capability: "email" });
+        setCapEnabled("email", false);
+      } else {
+        if (!await ensureFullScreenIntent()) return;
+        const { value: fcmToken } = await Preferences.get({ key: "fcmToken" });
+        if (!fcmToken) { console.warn("No FCM token available"); return; }
+        await request("device.capability.enable", { capability: "email", fcmToken });
+        setCapEnabled("email", true);
+      }
+    } catch (err) {
+      console.error("Failed to toggle email access:", err);
+    } finally {
+      setTogglingEmail(false);
+    }
+  }
 
   async function handleBatteryToggle() {
     if (!request) return;
     setTogglingBattery(true);
     try {
       if (batteryEnabled) {
-        await Preferences.set({ key: "batteryAccessEnabled", value: "false" });
         await request("device.capability.disable", { capability: "battery" });
-        setBatteryEnabled(false);
+        setCapEnabled("battery", false);
       } else {
         const { value: fcmToken } = await Preferences.get({ key: "fcmToken" });
         if (!fcmToken) { console.warn("No FCM token available"); return; }
-        await Preferences.set({ key: "batteryAccessEnabled", value: "true" });
         await request("device.capability.enable", { capability: "battery", fcmToken });
-        setBatteryEnabled(true);
+        setCapEnabled("battery", true);
       }
     } catch (err) {
       console.error("Failed to toggle battery access:", err);
@@ -459,13 +388,12 @@ export default function HostMenu({ daemonVersion, locationClientToken, activeCli
     try {
       if (locationEnabled) {
         await request("device.location.disable");
-        onLocationClientTokenChange?.(null);
+        setCapEnabled("location", false);
       } else {
-        // Request location permissions before enabling
         if (LocationPermission) {
           const result = await LocationPermission.request();
           if (!result.fine) {
-            return; // User denied permission
+            return;
           }
         }
 
@@ -475,7 +403,7 @@ export default function HostMenu({ daemonVersion, locationClientToken, activeCli
           return;
         }
         await request("device.location.enable", { fcmToken });
-        onLocationClientTokenChange?.(activeClientToken ?? null);
+        setCapEnabled("location", true);
       }
     } catch (err) {
       console.error("Failed to toggle location:", err);
@@ -759,6 +687,18 @@ export default function HostMenu({ daemonVersion, locationClientToken, activeCli
                 <span className="toggle-switch-thumb" />
               </button>
             </label>
+            <label className="drawer-toggle">
+              <span className="drawer-toggle-label">Email Access</span>
+              <button
+                className={`toggle-switch ${emailEnabled ? "toggle-switch-on" : ""}`}
+                onClick={handleEmailToggle}
+                disabled={togglingEmail}
+                role="switch"
+                aria-checked={emailEnabled}
+              >
+                <span className="toggle-switch-thumb" />
+              </button>
+            </label>
           </div>
         </>
       )}

package/palmier-server/pwa/src/components/TaskListView.tsx

@@ -26,10 +26,10 @@ interface TaskListViewProps {
   onViewRun(taskId: string, runId?: string): void;
   onUpdateRequired?(required: boolean): void;
   onVersion?(version: string | null): void;
-  onLocationClientToken?(token: string | null): void;
+  onCapabilityTokens?(tokens: Record<string, string | null>): void;
 }
 
-export default function TaskListView({ connected, hostId, request, subscribeEvents, onViewRun, onUpdateRequired, onVersion, onLocationClientToken }: TaskListViewProps) {
+export default function TaskListView({ connected, hostId, request, subscribeEvents, onViewRun, onUpdateRequired, onVersion, onCapabilityTokens }: TaskListViewProps) {
   const [tasks, setTasks] = useState<Task[]>([]);
   const [loadingTasks, setLoadingTasks] = useState(false);
   const [taskError, setTaskError] = useState<string | null>(null);
@@ -53,7 +53,7 @@ export default function TaskListView({ connected, hostId, request, subscribeEven
     setLoadingTasks(true);
     setTaskError(null);
     try {
-      const result = await request<{ tasks?: (Task & { status?: TaskStatus })[]; agents?: AgentInfo[]; version?: string | null; host_platform?: string; location_client_token?: string | null }>("task.list");
+      const result = await request<{ tasks?: (Task & { status?: TaskStatus })[]; agents?: AgentInfo[]; version?: string | null; host_platform?: string; location_client_token?: string | null; capability_tokens?: Record<string, string | null> }>("task.list");
       const taskList = result.tasks ?? [];
       const initialEvents = new Map<string, TaskStatus>();
       const initialConfirms = new Map<string, { description: string; agentName?: string }>();
@@ -82,7 +82,7 @@ export default function TaskListView({ connected, hostId, request, subscribeEven
       setAgentLabels(result.agents ?? []);
       const version = result.version ?? null;
       onVersion?.(version);
-      onLocationClientToken?.(result.location_client_token ?? null);
+      onCapabilityTokens?.(result.capability_tokens ?? {});
       onUpdateRequired?.(!!version && isOlderThan(version, MIN_HOST_VERSION));
     } catch (err) {
       const errMsg = err instanceof Error ? err.message : String(err);

package/palmier-server/pwa/src/constants.ts

@@ -1,2 +1,2 @@
 /** Bump when a breaking host change is made. */
-export const MIN_HOST_VERSION = "0.7.3";
+export const MIN_HOST_VERSION = "0.7.6";

package/palmier-server/pwa/src/contexts/HostConnectionContext.tsx

@@ -7,7 +7,7 @@ import {
   useCallback,
   type ReactNode,
 } from "react";
-import { connect, StringCodec, type NatsConnection, type Subscription } from "nats.ws";
+import { connect, jwtAuthenticator, StringCodec, type NatsConnection, type Subscription } from "nats.ws";
 import { SERVER_URL } from "../api";
 import { useHostStore } from "./HostStoreContext";
 import type { PairedHost } from "../types";
@@ -90,12 +90,13 @@ export function HostConnectionProvider({ children }: { children: ReactNode }) {
 
     async function init() {
       try {
-        const res = await fetch(`${SERVER_URL}/api/config`);
+        // Fetch host-scoped NATS credentials (can only access this host's subjects)
+        const res = await fetch(`${SERVER_URL}/api/nats-credentials/${activeHost!.hostId}`);
         if (!res.ok) {
-          console.error("[NATS] Failed to fetch config");
+          console.error("[NATS] Failed to fetch credentials");
           return;
         }
-        const config = await res.json() as { natsWsUrl: string; natsToken: string };
+        const config = await res.json() as { natsWsUrl: string; natsJwt: string; natsNkeySeed: string };
         if (!config.natsWsUrl) {
           console.warn("[NATS] No WebSocket URL configured");
           return;
@@ -105,7 +106,10 @@ export function HostConnectionProvider({ children }: { children: ReactNode }) {
         console.log("[NATS] Connecting to", config.natsWsUrl);
         const conn = await connect({
           servers: config.natsWsUrl,
-          token: config.natsToken,
+          authenticator: jwtAuthenticator(
+            config.natsJwt,
+            new TextEncoder().encode(config.natsNkeySeed),
+          ),
         });
         if (cancelled) { conn.close().catch(() => {}); return; }
         console.log("[NATS] Connected");

package/palmier-server/pwa/src/pages/Dashboard.tsx

@@ -47,7 +47,7 @@ export default function Dashboard() {
   const [updating, setUpdating] = useState(false);
   const [updateError, setUpdateError] = useState<string | null>(null);
   const [daemonVersion, setDaemonVersion] = useState<string | null>(null);
-  const [locationClientToken, setLocationClientToken] = useState<string | null>(null);
+  const [capabilityTokens, setCapabilityTokens] = useState<Record<string, string | null>>({});
 
   // Register push subscription for the active host
   usePushSubscription();
@@ -88,11 +88,11 @@ export default function Dashboard() {
 
   return (
     <div className="dashboard">
-      {isDesktop && <HostMenu daemonVersion={daemonVersion} locationClientToken={locationClientToken} activeClientToken={activeClientToken} request={request} onLocationClientTokenChange={setLocationClientToken} />}
+      {isDesktop && <HostMenu daemonVersion={daemonVersion} capabilityTokens={capabilityTokens} activeClientToken={activeClientToken} request={request} onCapabilityTokensChange={setCapabilityTokens} />}
 
       <div className="dashboard-content">
         <div className="tab-bar">
-          {!isDesktop && <HostMenu daemonVersion={daemonVersion} locationClientToken={locationClientToken} activeClientToken={activeClientToken} request={request} onLocationClientTokenChange={setLocationClientToken} />}
+          {!isDesktop && <HostMenu daemonVersion={daemonVersion} capabilityTokens={capabilityTokens} activeClientToken={activeClientToken} request={request} onCapabilityTokensChange={setCapabilityTokens} />}
           <TabBar />
         </div>
 
@@ -141,7 +141,7 @@ export default function Dashboard() {
                 onViewRun={handleViewRun}
                 onUpdateRequired={setUpdateRequired}
                 onVersion={setDaemonVersion}
-                onLocationClientToken={setLocationClientToken}
+                onCapabilityTokens={setCapabilityTokens}
               />
             </div>
             {isRunDetail ? (

package/palmier-server/pwa/src/pages/PairHost.tsx

@@ -1,6 +1,6 @@
 import { useState } from "react";
 import { useNavigate } from "react-router-dom";
-import { connect, StringCodec } from "nats.ws";
+import { connect, jwtAuthenticator, StringCodec } from "nats.ws";
 import { Capacitor } from "@capacitor/core";
 import { Preferences } from "@capacitor/preferences";
 import { useHostStore } from "../contexts/HostStoreContext";
@@ -54,12 +54,15 @@ export default function PairHost() {
         // Server mode — pair via NATS
         const configRes = await fetch(`${SERVER_URL}/api/config`);
         if (!configRes.ok) throw new Error("Failed to fetch server config");
-        const config = await configRes.json() as { natsWsUrl: string; natsToken: string };
+        const config = await configRes.json() as { natsWsUrl: string; natsJwt: string; natsNkeySeed: string };
         if (!config.natsWsUrl) throw new Error("Server has no NATS WebSocket URL configured");
 
         const nc = await connect({
           servers: config.natsWsUrl,
-          token: config.natsToken,
+          authenticator: jwtAuthenticator(
+            config.natsJwt,
+            new TextEncoder().encode(config.natsNkeySeed),
+          ),
         });
 
         const sc = StringCodec();

package/palmier-server/server/package.json

@@ -5,7 +5,8 @@
   "scripts": {
     "dev": "tsx watch src/index.ts",
     "build": "tsc",
-    "start": "node dist/index.js"
+    "start": "node dist/index.js",
+    "nats-setup": "tsx src/nats-setup.ts"
   },
   "dependencies": {
     "bcrypt": "^5.1.1",
@@ -16,6 +17,7 @@
     "helmet": "^8.0.0",
     "jsonwebtoken": "^9.0.2",
     "nats": "^2.29.1",
+    "nkeys.js": "^1.1.0",
     "pg": "^8.13.1",
     "uuid": "^11.0.5",
     "web-push": "^3.6.7"