palmier 0.7.6 → 0.7.7

package/dist/pwa/assets/{web-DnuoxUd4.js → web-CkWrlNwc.js}

@@ -1 +1 @@
-import{W as t}from"./index-uSwkmHBs.js";class s extends t{constructor(){super(),this.handleVisibilityChange=()=>{const e={isActive:document.hidden!==!0};this.notifyListeners("appStateChange",e),document.hidden?this.notifyListeners("pause",null):this.notifyListeners("resume",null)},document.addEventListener("visibilitychange",this.handleVisibilityChange,!1)}exitApp(){throw this.unimplemented("Not implemented on web.")}async getInfo(){throw this.unimplemented("Not implemented on web.")}async getLaunchUrl(){return{url:""}}async getState(){return{isActive:document.hidden!==!0}}async minimizeApp(){throw this.unimplemented("Not implemented on web.")}async toggleBackButtonHandler(){throw this.unimplemented("Not implemented on web.")}async getAppLanguage(){return{value:navigator.language.split("-")[0].toLowerCase()}}}export{s as AppWeb};
+import{W as t}from"./index-Bt8Hhaw3.js";class s extends t{constructor(){super(),this.handleVisibilityChange=()=>{const e={isActive:document.hidden!==!0};this.notifyListeners("appStateChange",e),document.hidden?this.notifyListeners("pause",null):this.notifyListeners("resume",null)},document.addEventListener("visibilitychange",this.handleVisibilityChange,!1)}exitApp(){throw this.unimplemented("Not implemented on web.")}async getInfo(){throw this.unimplemented("Not implemented on web.")}async getLaunchUrl(){return{url:""}}async getState(){return{isActive:document.hidden!==!0}}async minimizeApp(){throw this.unimplemented("Not implemented on web.")}async toggleBackButtonHandler(){throw this.unimplemented("Not implemented on web.")}async getAppLanguage(){return{value:navigator.language.split("-")[0].toLowerCase()}}}export{s as AppWeb};

package/dist/pwa/assets/{web-7raT3zOZ.js → web-lx34oBi7.js}

@@ -1 +1 @@
-import{W as p}from"./index-uSwkmHBs.js";class f extends p{constructor(){super(...arguments),this.group="CapacitorStorage"}async configure({group:e}){typeof e=="string"&&(this.group=e)}async get(e){return{value:this.impl.getItem(this.applyPrefix(e.key))}}async set(e){this.impl.setItem(this.applyPrefix(e.key),e.value)}async remove(e){this.impl.removeItem(this.applyPrefix(e.key))}async keys(){return{keys:this.rawKeys().map(t=>t.substring(this.prefix.length))}}async clear(){for(const e of this.rawKeys())this.impl.removeItem(e)}async migrate(){var e;const t=[],s=[],n="_cap_",o=Object.keys(this.impl).filter(i=>i.indexOf(n)===0);for(const i of o){const r=i.substring(n.length),a=(e=this.impl.getItem(i))!==null&&e!==void 0?e:"",{value:l}=await this.get({key:r});typeof l=="string"?s.push(r):(await this.set({key:r,value:a}),t.push(r))}return{migrated:t,existing:s}}async removeOld(){const e="_cap_",t=Object.keys(this.impl).filter(s=>s.indexOf(e)===0);for(const s of t)this.impl.removeItem(s)}get impl(){return window.localStorage}get prefix(){return this.group==="NativeStorage"?"":`${this.group}.`}rawKeys(){return Object.keys(this.impl).filter(e=>e.indexOf(this.prefix)===0)}applyPrefix(e){return this.prefix+e}}export{f as PreferencesWeb};
+import{W as p}from"./index-Bt8Hhaw3.js";class f extends p{constructor(){super(...arguments),this.group="CapacitorStorage"}async configure({group:e}){typeof e=="string"&&(this.group=e)}async get(e){return{value:this.impl.getItem(this.applyPrefix(e.key))}}async set(e){this.impl.setItem(this.applyPrefix(e.key),e.value)}async remove(e){this.impl.removeItem(this.applyPrefix(e.key))}async keys(){return{keys:this.rawKeys().map(t=>t.substring(this.prefix.length))}}async clear(){for(const e of this.rawKeys())this.impl.removeItem(e)}async migrate(){var e;const t=[],s=[],n="_cap_",o=Object.keys(this.impl).filter(i=>i.indexOf(n)===0);for(const i of o){const r=i.substring(n.length),a=(e=this.impl.getItem(i))!==null&&e!==void 0?e:"",{value:l}=await this.get({key:r});typeof l=="string"?s.push(r):(await this.set({key:r,value:a}),t.push(r))}return{migrated:t,existing:s}}async removeOld(){const e="_cap_",t=Object.keys(this.impl).filter(s=>s.indexOf(e)===0);for(const s of t)this.impl.removeItem(s)}get impl(){return window.localStorage}get prefix(){return this.group==="NativeStorage"?"":`${this.group}.`}rawKeys(){return Object.keys(this.impl).filter(e=>e.indexOf(this.prefix)===0)}applyPrefix(e){return this.prefix+e}}export{f as PreferencesWeb};

package/dist/pwa/index.html

@@ -8,7 +8,7 @@
     <link rel="apple-touch-icon" href="/apple-touch-icon.png" />
     <title>Palmier</title>
     <meta name="description" content="Remote control for AI agents running on your own machine. Schedule tasks, approve permissions, and get push notifications." />
-    <script type="module" crossorigin src="/assets/index-uSwkmHBs.js"></script>
+    <script type="module" crossorigin src="/assets/index-Bt8Hhaw3.js"></script>
     <link rel="stylesheet" crossorigin href="/assets/index-B-ByUHPS.css">
   <link rel="manifest" href="/manifest.webmanifest"><script id="vite-plugin-pwa:register-sw" src="/registerSW.js"></script></head>
   <body>

package/dist/pwa/service-worker.js

@@ -1,2 +1,2 @@
 try{self["workbox:core:7.3.0"]&&_()}catch{}const N=(n,...e)=>{let t=n;return e.length>0&&(t+=` :: ${JSON.stringify(e)}`),t},E=N;class h extends Error{constructor(e,t){const s=E(e,t);super(s),this.name=e,this.details=t}}const f={googleAnalytics:"googleAnalytics",precache:"precache-v2",prefix:"workbox",runtime:"runtime",suffix:typeof registration<"u"?registration.scope:""},U=n=>[f.prefix,n,f.suffix].filter(e=>e&&e.length>0).join("-"),O=n=>{for(const e of Object.keys(f))n(e)},L={updateDetails:n=>{O(e=>{typeof n[e]=="string"&&(f[e]=n[e])})},getGoogleAnalyticsName:n=>n||U(f.googleAnalytics),getPrecacheName:n=>n||U(f.precache),getPrefix:()=>f.prefix,getRuntimeName:n=>n||U(f.runtime),getSuffix:()=>f.suffix};function v(n,e){const t=e();return n.waitUntil(t),t}try{self["workbox:precaching:7.3.0"]&&_()}catch{}const A="__WB_REVISION__";function M(n){if(!n)throw new h("add-to-cache-list-unexpected-type",{entry:n});if(typeof n=="string"){const i=new URL(n,location.href);return{cacheKey:i.href,url:i.href}}const{revision:e,url:t}=n;if(!t)throw new h("add-to-cache-list-unexpected-type",{entry:n});if(!e){const i=new URL(t,location.href);return{cacheKey:i.href,url:i.href}}const s=new URL(t,location.href),a=new URL(t,location.href);return s.searchParams.set(A,e),{cacheKey:s.href,url:a.href}}class W{constructor(){this.updatedURLs=[],this.notUpdatedURLs=[],this.handlerWillStart=async({request:e,state:t})=>{t&&(t.originalRequest=e)},this.cachedResponseWillBeUsed=async({event:e,state:t,cachedResponse:s})=>{if(e.type==="install"&&t&&t.originalRequest&&t.originalRequest instanceof Request){const a=t.originalRequest.url;s?this.notUpdatedURLs.push(a):this.updatedURLs.push(a)}return s}}}class q{constructor({precacheController:e}){this.cacheKeyWillBeUsed=async({request:t,params:s})=>{const a=(s==null?void 0:s.cacheKey)||this._precacheController.getCacheKeyForURL(t.url);return a?new Request(a,{headers:t.headers}):t},this._precacheController=e}}let w;function S(){if(w===void 0){const n=new Response("");if("body"in n)try{new Response(n.body),w=!0}catch{w=!1}w=!1}return w}async function j(n,e){let t=null;if(n.url&&(t=new URL(n.url).origin),t!==self.location.origin)throw new h("cross-origin-copy-response",{origin:t});const s=n.clone(),i={headers:new Headers(s.headers),status:s.status,statusText:s.statusText},r=S()?s.body:await s.blob();return new Response(r,i)}const D=n=>new URL(String(n),location.href).href.replace(new RegExp(`^${location.origin}`),"");function T(n,e){const t=new URL(n);for(const s of e)t.searchParams.delete(s);return t.href}async function H(n,e,t,s){const a=T(e.url,t);if(e.url===a)return n.match(e,s);const i=Object.assign(Object.assign({},s),{ignoreSearch:!0}),r=await n.keys(e,i);for(const c of r){const o=T(c.url,t);if(a===o)return n.match(c,s)}}class F{constructor(){this.promise=new Promise((e,t)=>{this.resolve=e,this.reject=t})}}const B=new Set;async function $(){for(const n of B)await n()}function V(n){return new Promise(e=>setTimeout(e,n))}try{self["workbox:strategies:7.3.0"]&&_()}catch{}function C(n){return typeof n=="string"?new Request(n):n}class G{constructor(e,t){this._cacheKeys={},Object.assign(this,t),this.event=t.event,this._strategy=e,this._handlerDeferred=new F,this._extendLifetimePromises=[],this._plugins=[...e.plugins],this._pluginStateMap=new Map;for(const s of this._plugins)this._pluginStateMap.set(s,{});this.event.waitUntil(this._handlerDeferred.promise)}async fetch(e){const{event:t}=this;let s=C(e);if(s.mode==="navigate"&&t instanceof FetchEvent&&t.preloadResponse){const r=await t.preloadResponse;if(r)return r}const a=this.hasCallback("fetchDidFail")?s.clone():null;try{for(const r of this.iterateCallbacks("requestWillFetch"))s=await r({request:s.clone(),event:t})}catch(r){if(r instanceof Error)throw new h("plugin-error-request-will-fetch",{thrownErrorMessage:r.message})}const i=s.clone();try{let r;r=await fetch(s,s.mode==="navigate"?void 0:this._strategy.fetchOptions);for(const c of this.iterateCallbacks("fetchDidSucceed"))r=await c({event:t,request:i,response:r});return r}catch(r){throw a&&await this.runCallbacks("fetchDidFail",{error:r,event:t,originalRequest:a.clone(),request:i.clone()}),r}}async fetchAndCachePut(e){const t=await this.fetch(e),s=t.clone();return this.waitUntil(this.cachePut(e,s)),t}async cacheMatch(e){const t=C(e);let s;const{cacheName:a,matchOptions:i}=this._strategy,r=await this.getCacheKey(t,"read"),c=Object.assign(Object.assign({},i),{cacheName:a});s=await caches.match(r,c);for(const o of this.iterateCallbacks("cachedResponseWillBeUsed"))s=await o({cacheName:a,matchOptions:i,cachedResponse:s,request:r,event:this.event})||void 0;return s}async cachePut(e,t){const s=C(e);await V(0);const a=await this.getCacheKey(s,"write");if(!t)throw new h("cache-put-with-no-response",{url:D(a.url)});const i=await this._ensureResponseSafeToCache(t);if(!i)return!1;const{cacheName:r,matchOptions:c}=this._strategy,o=await self.caches.open(r),l=this.hasCallback("cacheDidUpdate"),d=l?await H(o,a.clone(),["__WB_REVISION__"],c):null;try{await o.put(a,l?i.clone():i)}catch(u){if(u instanceof Error)throw u.name==="QuotaExceededError"&&await $(),u}for(const u of this.iterateCallbacks("cacheDidUpdate"))await u({cacheName:r,oldResponse:d,newResponse:i.clone(),request:a,event:this.event});return!0}async getCacheKey(e,t){const s=`${e.url} | ${t}`;if(!this._cacheKeys[s]){let a=e;for(const i of this.iterateCallbacks("cacheKeyWillBeUsed"))a=C(await i({mode:t,request:a,event:this.event,params:this.params}));this._cacheKeys[s]=a}return this._cacheKeys[s]}hasCallback(e){for(const t of this._strategy.plugins)if(e in t)return!0;return!1}async runCallbacks(e,t){for(const s of this.iterateCallbacks(e))await s(t)}*iterateCallbacks(e){for(const t of this._strategy.plugins)if(typeof t[e]=="function"){const s=this._pluginStateMap.get(t);yield i=>{const r=Object.assign(Object.assign({},i),{state:s});return t[e](r)}}}waitUntil(e){return this._extendLifetimePromises.push(e),e}async doneWaiting(){for(;this._extendLifetimePromises.length;){const e=this._extendLifetimePromises.splice(0),s=(await Promise.allSettled(e)).find(a=>a.status==="rejected");if(s)throw s.reason}}destroy(){this._handlerDeferred.resolve(null)}async _ensureResponseSafeToCache(e){let t=e,s=!1;for(const a of this.iterateCallbacks("cacheWillUpdate"))if(t=await a({request:this.request,response:t,event:this.event})||void 0,s=!0,!t)break;return s||t&&t.status!==200&&(t=void 0),t}}class J{constructor(e={}){this.cacheName=L.getRuntimeName(e.cacheName),this.plugins=e.plugins||[],this.fetchOptions=e.fetchOptions,this.matchOptions=e.matchOptions}handle(e){const[t]=this.handleAll(e);return t}handleAll(e){e instanceof FetchEvent&&(e={event:e,request:e.request});const t=e.event,s=typeof e.request=="string"?new Request(e.request):e.request,a="params"in e?e.params:void 0,i=new G(this,{event:t,request:s,params:a}),r=this._getResponse(i,s,t),c=this._awaitComplete(r,i,s,t);return[r,c]}async _getResponse(e,t,s){await e.runCallbacks("handlerWillStart",{event:s,request:t});let a;try{if(a=await this._handle(t,e),!a||a.type==="error")throw new h("no-response",{url:t.url})}catch(i){if(i instanceof Error){for(const r of e.iterateCallbacks("handlerDidError"))if(a=await r({error:i,event:s,request:t}),a)break}if(!a)throw i}for(const i of e.iterateCallbacks("handlerWillRespond"))a=await i({event:s,request:t,response:a});return a}async _awaitComplete(e,t,s,a){let i,r;try{i=await e}catch{}try{await t.runCallbacks("handlerDidRespond",{event:a,request:s,response:i}),await t.doneWaiting()}catch(c){c instanceof Error&&(r=c)}if(await t.runCallbacks("handlerDidComplete",{event:a,request:s,response:i,error:r}),t.destroy(),r)throw r}}class p extends J{constructor(e={}){e.cacheName=L.getPrecacheName(e.cacheName),super(e),this._fallbackToNetwork=e.fallbackToNetwork!==!1,this.plugins.push(p.copyRedirectedCacheableResponsesPlugin)}async _handle(e,t){const s=await t.cacheMatch(e);return s||(t.event&&t.event.type==="install"?await this._handleInstall(e,t):await this._handleFetch(e,t))}async _handleFetch(e,t){let s;const a=t.params||{};if(this._fallbackToNetwork){const i=a.integrity,r=e.integrity,c=!r||r===i;s=await t.fetch(new Request(e,{integrity:e.mode!=="no-cors"?r||i:void 0})),i&&c&&e.mode!=="no-cors"&&(this._useDefaultCacheabilityPluginIfNeeded(),await t.cachePut(e,s.clone()))}else throw new h("missing-precache-entry",{cacheName:this.cacheName,url:e.url});return s}async _handleInstall(e,t){this._useDefaultCacheabilityPluginIfNeeded();const s=await t.fetch(e);if(!await t.cachePut(e,s.clone()))throw new h("bad-precaching-response",{url:e.url,status:s.status});return s}_useDefaultCacheabilityPluginIfNeeded(){let e=null,t=0;for(const[s,a]of this.plugins.entries())a!==p.copyRedirectedCacheableResponsesPlugin&&(a===p.defaultPrecacheCacheabilityPlugin&&(e=s),a.cacheWillUpdate&&t++);t===0?this.plugins.push(p.defaultPrecacheCacheabilityPlugin):t>1&&e!==null&&this.plugins.splice(e,1)}}p.defaultPrecacheCacheabilityPlugin={async cacheWillUpdate({response:n}){return!n||n.status>=400?null:n}};p.copyRedirectedCacheableResponsesPlugin={async cacheWillUpdate({response:n}){return n.redirected?await j(n):n}};class Q{constructor({cacheName:e,plugins:t=[],fallbackToNetwork:s=!0}={}){this._urlsToCacheKeys=new Map,this._urlsToCacheModes=new Map,this._cacheKeysToIntegrities=new Map,this._strategy=new p({cacheName:L.getPrecacheName(e),plugins:[...t,new q({precacheController:this})],fallbackToNetwork:s}),this.install=this.install.bind(this),this.activate=this.activate.bind(this)}get strategy(){return this._strategy}precache(e){this.addToCacheList(e),this._installAndActiveListenersAdded||(self.addEventListener("install",this.install),self.addEventListener("activate",this.activate),this._installAndActiveListenersAdded=!0)}addToCacheList(e){const t=[];for(const s of e){typeof s=="string"?t.push(s):s&&s.revision===void 0&&t.push(s.url);const{cacheKey:a,url:i}=M(s),r=typeof s!="string"&&s.revision?"reload":"default";if(this._urlsToCacheKeys.has(i)&&this._urlsToCacheKeys.get(i)!==a)throw new h("add-to-cache-list-conflicting-entries",{firstEntry:this._urlsToCacheKeys.get(i),secondEntry:a});if(typeof s!="string"&&s.integrity){if(this._cacheKeysToIntegrities.has(a)&&this._cacheKeysToIntegrities.get(a)!==s.integrity)throw new h("add-to-cache-list-conflicting-integrities",{url:i});this._cacheKeysToIntegrities.set(a,s.integrity)}if(this._urlsToCacheKeys.set(i,a),this._urlsToCacheModes.set(i,r),t.length>0){const c=`Workbox is precaching URLs without revision info: ${t.join(", ")}
-This is generally NOT safe. Learn more at https://bit.ly/wb-precache`;console.warn(c)}}}install(e){return v(e,async()=>{const t=new W;this.strategy.plugins.push(t);for(const[i,r]of this._urlsToCacheKeys){const c=this._cacheKeysToIntegrities.get(r),o=this._urlsToCacheModes.get(i),l=new Request(i,{integrity:c,cache:o,credentials:"same-origin"});await Promise.all(this.strategy.handleAll({params:{cacheKey:r},request:l,event:e}))}const{updatedURLs:s,notUpdatedURLs:a}=t;return{updatedURLs:s,notUpdatedURLs:a}})}activate(e){return v(e,async()=>{const t=await self.caches.open(this.strategy.cacheName),s=await t.keys(),a=new Set(this._urlsToCacheKeys.values()),i=[];for(const r of s)a.has(r.url)||(await t.delete(r),i.push(r.url));return{deletedURLs:i}})}getURLsToCacheKeys(){return this._urlsToCacheKeys}getCachedURLs(){return[...this._urlsToCacheKeys.keys()]}getCacheKeyForURL(e){const t=new URL(e,location.href);return this._urlsToCacheKeys.get(t.href)}getIntegrityForCacheKey(e){return this._cacheKeysToIntegrities.get(e)}async matchPrecache(e){const t=e instanceof Request?e.url:e,s=this.getCacheKeyForURL(t);if(s)return(await self.caches.open(this.strategy.cacheName)).match(s)}createHandlerBoundToURL(e){const t=this.getCacheKeyForURL(e);if(!t)throw new h("non-precached-url",{url:e});return s=>(s.request=new Request(e),s.params=Object.assign({cacheKey:t},s.params),this.strategy.handle(s))}}let k;const x=()=>(k||(k=new Q),k);try{self["workbox:routing:7.3.0"]&&_()}catch{}const I="GET",b=n=>n&&typeof n=="object"?n:{handle:n};class R{constructor(e,t,s=I){this.handler=b(t),this.match=e,this.method=s}setCatchHandler(e){this.catchHandler=b(e)}}class z extends R{constructor(e,t,s){const a=({url:i})=>{const r=e.exec(i.href);if(r&&!(i.origin!==location.origin&&r.index!==0))return r.slice(1)};super(a,t,s)}}class X{constructor(){this._routes=new Map,this._defaultHandlerMap=new Map}get routes(){return this._routes}addFetchListener(){self.addEventListener("fetch",(e=>{const{request:t}=e,s=this.handleRequest({request:t,event:e});s&&e.respondWith(s)}))}addCacheListener(){self.addEventListener("message",(e=>{if(e.data&&e.data.type==="CACHE_URLS"){const{payload:t}=e.data,s=Promise.all(t.urlsToCache.map(a=>{typeof a=="string"&&(a=[a]);const i=new Request(...a);return this.handleRequest({request:i,event:e})}));e.waitUntil(s),e.ports&&e.ports[0]&&s.then(()=>e.ports[0].postMessage(!0))}}))}handleRequest({request:e,event:t}){const s=new URL(e.url,location.href);if(!s.protocol.startsWith("http"))return;const a=s.origin===location.origin,{params:i,route:r}=this.findMatchingRoute({event:t,request:e,sameOrigin:a,url:s});let c=r&&r.handler;const o=e.method;if(!c&&this._defaultHandlerMap.has(o)&&(c=this._defaultHandlerMap.get(o)),!c)return;let l;try{l=c.handle({url:s,request:e,event:t,params:i})}catch(u){l=Promise.reject(u)}const d=r&&r.catchHandler;return l instanceof Promise&&(this._catchHandler||d)&&(l=l.catch(async u=>{if(d)try{return await d.handle({url:s,request:e,event:t,params:i})}catch(g){g instanceof Error&&(u=g)}if(this._catchHandler)return this._catchHandler.handle({url:s,request:e,event:t});throw u})),l}findMatchingRoute({url:e,sameOrigin:t,request:s,event:a}){const i=this._routes.get(s.method)||[];for(const r of i){let c;const o=r.match({url:e,sameOrigin:t,request:s,event:a});if(o)return c=o,(Array.isArray(c)&&c.length===0||o.constructor===Object&&Object.keys(o).length===0||typeof o=="boolean")&&(c=void 0),{route:r,params:c}}return{}}setDefaultHandler(e,t=I){this._defaultHandlerMap.set(t,b(e))}setCatchHandler(e){this._catchHandler=b(e)}registerRoute(e){this._routes.has(e.method)||this._routes.set(e.method,[]),this._routes.get(e.method).push(e)}unregisterRoute(e){if(!this._routes.has(e.method))throw new h("unregister-route-but-not-found-with-method",{method:e.method});const t=this._routes.get(e.method).indexOf(e);if(t>-1)this._routes.get(e.method).splice(t,1);else throw new h("unregister-route-route-not-registered")}}let m;const Y=()=>(m||(m=new X,m.addFetchListener(),m.addCacheListener()),m);function Z(n,e,t){let s;if(typeof n=="string"){const i=new URL(n,location.href),r=({url:c})=>c.href===i.href;s=new R(r,e,t)}else if(n instanceof RegExp)s=new z(n,e,t);else if(typeof n=="function")s=new R(n,e,t);else if(n instanceof R)s=n;else throw new h("unsupported-route-type",{moduleName:"workbox-routing",funcName:"registerRoute",paramName:"capture"});return Y().registerRoute(s),s}function ee(n,e=[]){for(const t of[...n.searchParams.keys()])e.some(s=>s.test(t))&&n.searchParams.delete(t);return n}function*te(n,{ignoreURLParametersMatching:e=[/^utm_/,/^fbclid$/],directoryIndex:t="index.html",cleanURLs:s=!0,urlManipulation:a}={}){const i=new URL(n,location.href);i.hash="",yield i.href;const r=ee(i,e);if(yield r.href,t&&r.pathname.endsWith("/")){const c=new URL(r.href);c.pathname+=t,yield c.href}if(s){const c=new URL(r.href);c.pathname+=".html",yield c.href}if(a){const c=a({url:i});for(const o of c)yield o.href}}class se extends R{constructor(e,t){const s=({request:a})=>{const i=e.getURLsToCacheKeys();for(const r of te(a.url,t)){const c=i.get(r);if(c){const o=e.getIntegrityForCacheKey(c);return{cacheKey:c,integrity:o}}}};super(s,e.strategy)}}function ne(n){const e=x(),t=new se(e,n);Z(t)}function ae(n){x().precache(n)}function ie(n,e){ae(n),ne(e)}ie([{"revision":"38013143dc2183340ede8bc1c5124507","url":"registerSW.js"},{"revision":"478ef5ebdaf80fed88fcc601cd2ae175","url":"index.html"},{"revision":null,"url":"assets/web-DnuoxUd4.js"},{"revision":null,"url":"assets/web-7raT3zOZ.js"},{"revision":null,"url":"assets/index-uSwkmHBs.js"},{"revision":null,"url":"assets/index-B-ByUHPS.css"},{"revision":"fcc457fce855ad0df7178e0786c0d4ef","url":"apple-touch-icon.png"},{"revision":"276650c30bc4effc7d649ec66519aab6","url":"favicon.ico"},{"revision":"2e46512b835c05e17787059909305f22","url":"pwa-192x192.png"},{"revision":"ec5652b5834b4711337743e80e506a41","url":"pwa-512x512.png"},{"revision":"9f51698004b9cc4d787c75695b74de9d","url":"manifest.webmanifest"}]);const re="/api/push/respond";self.addEventListener("message",n=>{});self.addEventListener("push",n=>{var r;if(!n.data)return;let e;try{e=n.data.json()}catch{e={title:"Palmier",body:n.data.text()}}const t=e.type??((r=e.data)==null?void 0:r.type);if(t==="confirm-dismiss"||t==="permission-dismiss"||t==="input-dismiss"){const c=e.data??e,o=c.host_id,l=c.session_id,d=c.task_id;n.waitUntil(self.registration.getNotifications().then(u=>{var g,P,K;for(const y of u)if(((g=y.data)==null?void 0:g.host_id)===o){if(l&&((P=y.data)==null?void 0:P.session_id)===l){y.close();continue}d&&((K=y.data)==null?void 0:K.task_id)===d&&y.close()}}));return}const s=e.title??"Palmier";let a=e.body??"";!a&&t==="confirm"&&(a="A task requires confirmation to run."),!a&&t==="permission"&&(a="A task needs additional permissions to continue."),!a&&t==="input"&&(a="A task needs your input to continue.");const i={body:a,icon:"/pwa-192x192.png",badge:"/pwa-192x192.png",data:e.data??e,vibrate:[100,50,100]};t==="confirm"&&(i.actions=[{action:"confirm",title:"Confirm"},{action:"abort",title:"Abort"}]),n.waitUntil(self.registration.showNotification(s,i))});self.addEventListener("notificationclick",n=>{const e=n.notification;e.close();const t=e.data??{},s=n.action;if(s&&t.type==="confirm"&&t.session_id&&t.host_id){const a=s==="confirm"?"confirmed":"aborted";n.waitUntil(fetch(re,{method:"POST",headers:{"Content-Type":"application/json"},body:JSON.stringify({session_id:t.session_id,host_id:t.host_id,response:a})}).catch(i=>{console.error("Failed to send push response:",i)}))}else{const a=t.task_id,i=t.run_id,r=a&&i?`/runs/${encodeURIComponent(a)}/${encodeURIComponent(i)}`:a?`/runs/${encodeURIComponent(a)}/latest`:"/";n.waitUntil(self.clients.matchAll({type:"window",includeUncontrolled:!0}).then(c=>{for(const o of c)if(o.url.includes(self.location.origin)&&"focus"in o)return o.navigate(r),o.focus();return self.clients.openWindow(r)}))}});self.addEventListener("install",()=>{self.skipWaiting()});self.addEventListener("activate",n=>{n.waitUntil(self.clients.claim())});
+This is generally NOT safe. Learn more at https://bit.ly/wb-precache`;console.warn(c)}}}install(e){return v(e,async()=>{const t=new W;this.strategy.plugins.push(t);for(const[i,r]of this._urlsToCacheKeys){const c=this._cacheKeysToIntegrities.get(r),o=this._urlsToCacheModes.get(i),l=new Request(i,{integrity:c,cache:o,credentials:"same-origin"});await Promise.all(this.strategy.handleAll({params:{cacheKey:r},request:l,event:e}))}const{updatedURLs:s,notUpdatedURLs:a}=t;return{updatedURLs:s,notUpdatedURLs:a}})}activate(e){return v(e,async()=>{const t=await self.caches.open(this.strategy.cacheName),s=await t.keys(),a=new Set(this._urlsToCacheKeys.values()),i=[];for(const r of s)a.has(r.url)||(await t.delete(r),i.push(r.url));return{deletedURLs:i}})}getURLsToCacheKeys(){return this._urlsToCacheKeys}getCachedURLs(){return[...this._urlsToCacheKeys.keys()]}getCacheKeyForURL(e){const t=new URL(e,location.href);return this._urlsToCacheKeys.get(t.href)}getIntegrityForCacheKey(e){return this._cacheKeysToIntegrities.get(e)}async matchPrecache(e){const t=e instanceof Request?e.url:e,s=this.getCacheKeyForURL(t);if(s)return(await self.caches.open(this.strategy.cacheName)).match(s)}createHandlerBoundToURL(e){const t=this.getCacheKeyForURL(e);if(!t)throw new h("non-precached-url",{url:e});return s=>(s.request=new Request(e),s.params=Object.assign({cacheKey:t},s.params),this.strategy.handle(s))}}let k;const x=()=>(k||(k=new Q),k);try{self["workbox:routing:7.3.0"]&&_()}catch{}const I="GET",b=n=>n&&typeof n=="object"?n:{handle:n};class R{constructor(e,t,s=I){this.handler=b(t),this.match=e,this.method=s}setCatchHandler(e){this.catchHandler=b(e)}}class z extends R{constructor(e,t,s){const a=({url:i})=>{const r=e.exec(i.href);if(r&&!(i.origin!==location.origin&&r.index!==0))return r.slice(1)};super(a,t,s)}}class X{constructor(){this._routes=new Map,this._defaultHandlerMap=new Map}get routes(){return this._routes}addFetchListener(){self.addEventListener("fetch",(e=>{const{request:t}=e,s=this.handleRequest({request:t,event:e});s&&e.respondWith(s)}))}addCacheListener(){self.addEventListener("message",(e=>{if(e.data&&e.data.type==="CACHE_URLS"){const{payload:t}=e.data,s=Promise.all(t.urlsToCache.map(a=>{typeof a=="string"&&(a=[a]);const i=new Request(...a);return this.handleRequest({request:i,event:e})}));e.waitUntil(s),e.ports&&e.ports[0]&&s.then(()=>e.ports[0].postMessage(!0))}}))}handleRequest({request:e,event:t}){const s=new URL(e.url,location.href);if(!s.protocol.startsWith("http"))return;const a=s.origin===location.origin,{params:i,route:r}=this.findMatchingRoute({event:t,request:e,sameOrigin:a,url:s});let c=r&&r.handler;const o=e.method;if(!c&&this._defaultHandlerMap.has(o)&&(c=this._defaultHandlerMap.get(o)),!c)return;let l;try{l=c.handle({url:s,request:e,event:t,params:i})}catch(u){l=Promise.reject(u)}const d=r&&r.catchHandler;return l instanceof Promise&&(this._catchHandler||d)&&(l=l.catch(async u=>{if(d)try{return await d.handle({url:s,request:e,event:t,params:i})}catch(g){g instanceof Error&&(u=g)}if(this._catchHandler)return this._catchHandler.handle({url:s,request:e,event:t});throw u})),l}findMatchingRoute({url:e,sameOrigin:t,request:s,event:a}){const i=this._routes.get(s.method)||[];for(const r of i){let c;const o=r.match({url:e,sameOrigin:t,request:s,event:a});if(o)return c=o,(Array.isArray(c)&&c.length===0||o.constructor===Object&&Object.keys(o).length===0||typeof o=="boolean")&&(c=void 0),{route:r,params:c}}return{}}setDefaultHandler(e,t=I){this._defaultHandlerMap.set(t,b(e))}setCatchHandler(e){this._catchHandler=b(e)}registerRoute(e){this._routes.has(e.method)||this._routes.set(e.method,[]),this._routes.get(e.method).push(e)}unregisterRoute(e){if(!this._routes.has(e.method))throw new h("unregister-route-but-not-found-with-method",{method:e.method});const t=this._routes.get(e.method).indexOf(e);if(t>-1)this._routes.get(e.method).splice(t,1);else throw new h("unregister-route-route-not-registered")}}let m;const Y=()=>(m||(m=new X,m.addFetchListener(),m.addCacheListener()),m);function Z(n,e,t){let s;if(typeof n=="string"){const i=new URL(n,location.href),r=({url:c})=>c.href===i.href;s=new R(r,e,t)}else if(n instanceof RegExp)s=new z(n,e,t);else if(typeof n=="function")s=new R(n,e,t);else if(n instanceof R)s=n;else throw new h("unsupported-route-type",{moduleName:"workbox-routing",funcName:"registerRoute",paramName:"capture"});return Y().registerRoute(s),s}function ee(n,e=[]){for(const t of[...n.searchParams.keys()])e.some(s=>s.test(t))&&n.searchParams.delete(t);return n}function*te(n,{ignoreURLParametersMatching:e=[/^utm_/,/^fbclid$/],directoryIndex:t="index.html",cleanURLs:s=!0,urlManipulation:a}={}){const i=new URL(n,location.href);i.hash="",yield i.href;const r=ee(i,e);if(yield r.href,t&&r.pathname.endsWith("/")){const c=new URL(r.href);c.pathname+=t,yield c.href}if(s){const c=new URL(r.href);c.pathname+=".html",yield c.href}if(a){const c=a({url:i});for(const o of c)yield o.href}}class se extends R{constructor(e,t){const s=({request:a})=>{const i=e.getURLsToCacheKeys();for(const r of te(a.url,t)){const c=i.get(r);if(c){const o=e.getIntegrityForCacheKey(c);return{cacheKey:c,integrity:o}}}};super(s,e.strategy)}}function ne(n){const e=x(),t=new se(e,n);Z(t)}function ae(n){x().precache(n)}function ie(n,e){ae(n),ne(e)}ie([{"revision":"38013143dc2183340ede8bc1c5124507","url":"registerSW.js"},{"revision":"23ecab08d0815501f6e332dae8cf9986","url":"index.html"},{"revision":null,"url":"assets/web-lx34oBi7.js"},{"revision":null,"url":"assets/web-CkWrlNwc.js"},{"revision":null,"url":"assets/index-Bt8Hhaw3.js"},{"revision":null,"url":"assets/index-B-ByUHPS.css"},{"revision":"fcc457fce855ad0df7178e0786c0d4ef","url":"apple-touch-icon.png"},{"revision":"276650c30bc4effc7d649ec66519aab6","url":"favicon.ico"},{"revision":"2e46512b835c05e17787059909305f22","url":"pwa-192x192.png"},{"revision":"ec5652b5834b4711337743e80e506a41","url":"pwa-512x512.png"},{"revision":"9f51698004b9cc4d787c75695b74de9d","url":"manifest.webmanifest"}]);const re="/api/push/respond";self.addEventListener("message",n=>{});self.addEventListener("push",n=>{var r;if(!n.data)return;let e;try{e=n.data.json()}catch{e={title:"Palmier",body:n.data.text()}}const t=e.type??((r=e.data)==null?void 0:r.type);if(t==="confirm-dismiss"||t==="permission-dismiss"||t==="input-dismiss"){const c=e.data??e,o=c.host_id,l=c.session_id,d=c.task_id;n.waitUntil(self.registration.getNotifications().then(u=>{var g,P,K;for(const y of u)if(((g=y.data)==null?void 0:g.host_id)===o){if(l&&((P=y.data)==null?void 0:P.session_id)===l){y.close();continue}d&&((K=y.data)==null?void 0:K.task_id)===d&&y.close()}}));return}const s=e.title??"Palmier";let a=e.body??"";!a&&t==="confirm"&&(a="A task requires confirmation to run."),!a&&t==="permission"&&(a="A task needs additional permissions to continue."),!a&&t==="input"&&(a="A task needs your input to continue.");const i={body:a,icon:"/pwa-192x192.png",badge:"/pwa-192x192.png",data:e.data??e,vibrate:[100,50,100]};t==="confirm"&&(i.actions=[{action:"confirm",title:"Confirm"},{action:"abort",title:"Abort"}]),n.waitUntil(self.registration.showNotification(s,i))});self.addEventListener("notificationclick",n=>{const e=n.notification;e.close();const t=e.data??{},s=n.action;if(s&&t.type==="confirm"&&t.session_id&&t.host_id){const a=s==="confirm"?"confirmed":"aborted";n.waitUntil(fetch(re,{method:"POST",headers:{"Content-Type":"application/json"},body:JSON.stringify({session_id:t.session_id,host_id:t.host_id,response:a})}).catch(i=>{console.error("Failed to send push response:",i)}))}else{const a=t.task_id,i=t.run_id,r=a&&i?`/runs/${encodeURIComponent(a)}/${encodeURIComponent(i)}`:a?`/runs/${encodeURIComponent(a)}/latest`:"/";n.waitUntil(self.clients.matchAll({type:"window",includeUncontrolled:!0}).then(c=>{for(const o of c)if(o.url.includes(self.location.origin)&&"focus"in o)return o.navigate(r),o.focus();return self.clients.openWindow(r)}))}});self.addEventListener("install",()=>{self.skipWaiting()});self.addEventListener("activate",n=>{n.waitUntil(self.clients.claim())});

package/dist/types.d.ts

@@ -3,7 +3,8 @@ export interface HostConfig {
     projectRoot: string;
     natsUrl?: string;
     natsWsUrl?: string;
-    natsToken?: string;
+    natsJwt?: string;
+    natsNkeySeed?: string;
     agents?: Array<{
         key: string;
         label: string;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "palmier",
-  "version": "0.7.6",
+  "version": "0.7.7",
   "description": "Palmier host CLI - provisions, executes tasks, and serves NATS RPC",
   "license": "Apache-2.0",
   "author": "Hongxu Cai",

package/palmier-server/PRODUCTION.md

@@ -99,7 +99,7 @@ No need to configure TLS in NATS itself.
 sudo systemctl enable --now caddy
 ```
 
-## 2. Docker Compose for NATS + PostgreSQL
+## 2. NATS + PostgreSQL
 
 Create a directory for production Docker config:
 
@@ -107,7 +107,30 @@ Create a directory for production Docker config:
 mkdir -p ~/palmier-prod
 ```
 
-### docker-compose.yml
+### 2a. Generate NATS auth keys and config
+
+```bash
+cd server && pnpm nats-setup
+```
+
+Follow the on-screen instructions — it outputs the `NATS_ACCOUNT_SEED` env var (for step 6) and the NATS config snippet (for `nats.conf` below). Store the operator seed securely as a backup.
+
+### 2b. nats.conf
+
+Create `~/palmier-prod/nats.conf`. Paste the auth snippet from step 2a after the websocket block:
+
+```
+listen: 0.0.0.0:4222
+
+websocket {
+  listen: "0.0.0.0:9222"
+  no_tls: true
+}
+
+# Paste the operator/resolver/resolver_preload output from nats-setup here
+```
+
+### 2c. docker-compose.yml
 
 Create `~/palmier-prod/docker-compose.yml`:
 
@@ -141,34 +164,13 @@ volumes:
   pgdata:
 ```
 
-### nats.conf
-
-Create `~/palmier-prod/nats.conf`:
-
-```
-listen: 0.0.0.0:4222
-
-websocket {
-  listen: "0.0.0.0:9222"
-  no_tls: true
-}
-
-authorization {
-  token: "<generate-a-new-token>"
-}
-```
-
-Generate secrets:
+Generate a Postgres password:
 
 ```bash
-# NATS token
-openssl rand -hex 32
-
-# Postgres password
 openssl rand -hex 16
 ```
 
-Start the containers:
+### 2d. Start containers
 
 ```bash
 cd ~/palmier-prod
@@ -177,9 +179,9 @@ docker compose up -d
 
 ## 3. NATS TCP for Remote Hosts
 
-Hosts connect to NATS over TCP (port 4222). Since Caddy only handles HTTP/WebSocket, port 4222 must be open on the firewall for hosts to connect. The NATS token provides authentication.
+Hosts connect to NATS over TCP (port 4222). Since Caddy only handles HTTP/WebSocket, port 4222 must be open on the firewall for hosts to connect. Each host authenticates with its own JWT (issued during `palmier init`), scoped to only its own NATS subjects.
 
-For encrypted host connections, you can add a TLS-terminating TCP proxy (e.g., nginx stream block) in front of port 4222. For a single-user setup, token auth alone is sufficient.
+For encrypted host connections, you can add a TLS-terminating TCP proxy (e.g., nginx stream block) in front of port 4222.
 
 ## 4. Firewall
 
@@ -215,7 +217,7 @@ DATABASE_URL=postgresql://palmier:<your-pg-password>@localhost:5432/palmier
 NATS_URL=nats://localhost:4222
 NATS_HOST_URL=nats://nats.palmier.me:4222
 NATS_WS_URL=wss://nats.palmier.me
-NATS_TOKEN=<your-nats-token-from-nats.conf>
+NATS_ACCOUNT_SEED=<from-nats-setup>
 
 VAPID_PUBLIC_KEY=<generated>
 VAPID_PRIVATE_KEY=<generated>
@@ -226,6 +228,7 @@ Key differences from development:
 
 - `NATS_WS_URL` uses `wss://` through Caddy (not direct `ws://`)
 - `NATS_HOST_URL` uses your public domain so remote hosts can reach NATS
+- `NATS_ACCOUNT_SEED` from step 2a (`pnpm nats-setup`)
 
 Generate VAPID keys:
 

package/palmier-server/README.md

@@ -83,7 +83,7 @@ Palmier is a platform for remotely scheduling, managing, and executing autonomou
    nats-server -c nats.conf
    ```
 
-   The config enables WebSocket on port 9222 and token-based auth.
+   The config enables WebSocket on port 9222. See **NATS JWT Auth Setup** below.
 
 ## Development
 
@@ -142,7 +142,7 @@ The host runs on a separate Linux machine. See the [palmier README](https://gith
 | `NATS_URL` | NATS server URL (TCP, for server's own connection) | `nats://localhost:4222` |
 | `NATS_HOST_URL` | NATS URL sent to hosts during registration (use LAN IP) | `nats://192.168.1.100:4222` |
 | `NATS_WS_URL` | NATS WebSocket URL sent to PWA clients | `wss://nats.palmier.me` (prod) or `ws://192.168.1.100:9222` (LAN) |
-| `NATS_TOKEN` | NATS authentication token | *(from nats.conf)* |
+| `NATS_ACCOUNT_SEED` | NATS account NKey seed for signing JWTs | *(from nats-setup)* |
 | `VAPID_PUBLIC_KEY` | VAPID public key for web push | *(generated via web-push)* |
 | `VAPID_PRIVATE_KEY` | VAPID private key for web push | *(generated via web-push)* |
 | `VAPID_MAILTO` | Contact email for VAPID | `mailto:admin@example.com` |
@@ -156,8 +156,9 @@ All endpoints are prefixed with `/api`. No user authentication is required.
 
 | Method | Path | Description |
 |---|---|---|
-| `POST` | `/api/hosts/register` | Register a new host (returns hostId + NATS config) |
-| `GET` | `/api/config` | Get NATS WebSocket credentials for the PWA |
+| `POST` | `/api/hosts/register` | Register a new host (returns hostId + NATS JWT credentials) |
+| `GET` | `/api/config` | Get pairing-only NATS credentials (can only publish to `pair.*`) |
+| `GET` | `/api/nats-credentials/:hostId` | Get host-scoped NATS credentials for PWA (RPC + events for one host) |
 | `POST` | `/api/push/subscribe` | Register a push notification subscription |
 | `DELETE` | `/api/push/subscribe` | Remove a push notification subscription |
 | `GET` | `/api/push/vapid-key` | Get the VAPID public key |
@@ -192,7 +193,36 @@ All endpoints are prefixed with `/api`. No user authentication is required.
 - **Markdown rendering** — Task results are rendered as rich formatted text using `react-markdown` with `remark-gfm` (GitHub Flavored Markdown), supporting tables, strikethrough, task lists, and autolinks.
 - **Task confirmation** — the Dashboard discovers pending confirmations from the `task.list` RPC response (tasks with a pending request in the serve daemon's in-memory registry, reported via `task.status`). When found, it shows a full-screen confirmation modal. Push notification action buttons trigger `POST /api/push/respond`, which forwards to the `task.user_input` NATS RPC.
 - **Task event tracking** — task lifecycle events are persisted to `status.json` on the host (for crash detection) and broadcast via `host-event.<host_id>.<task_id>` pub/sub and HTTP SSE. The PWA loads initial status from `task.list` and subscribes to events for real-time updates.
-- **NATS config** (`nats.conf`) enables WebSocket on port 9222 (for browser clients) and token-based auth.
+- **NATS auth** uses decentralized JWT/NKey authentication. Each host receives scoped credentials (can only access its own subjects). PWA clients get two-phase credentials: pairing-only JWT for the pairing flow, then host-scoped JWT after pairing. The server signs all user JWTs with the account key. Run `pnpm --filter palmier-server nats-setup` to generate keys and NATS config. See **NATS JWT Auth Setup** below.
+
+## NATS JWT Auth Setup
+
+NATS uses decentralized JWT/NKey authentication. Each host gets scoped credentials that restrict it to its own subjects — one host cannot read or impersonate another.
+
+**One-time setup:**
+
+```bash
+# Generate operator/account NKey pairs and NATS config
+cd server && pnpm nats-setup
+```
+
+This outputs:
+1. An `NATS_ACCOUNT_SEED` value — add it to `server/.env`
+2. A NATS config snippet — replace the `authorization` block in `nats.conf`
+
+**How it works:**
+
+| Role | Publish | Subscribe |
+|------|---------|-----------|
+| **Host** (id=X) | `host-event.X.>`, `host.X.>` | `host.X.>`, `pair.*` |
+| **PWA** (pairing) | `pair.*` | *(none)* |
+| **PWA** (connected to X) | `host.X.rpc.>` | `host-event.X.>` |
+| **Server** | `>` | `>` |
+
+- The **operator** key signs the **account** JWT (embedded in NATS server config, one-time)
+- The **account** key signs **user** JWTs at runtime (per host registration, per PWA session)
+- Host credentials are generated during `POST /api/hosts/register` and stored in `~/.config/palmier/host.json`
+- PWA uses two-phase credentials: `GET /api/config` returns pairing-only JWT, then `GET /api/nats-credentials/:hostId` returns host-scoped JWT after pairing. A PWA client can only access the specific host it paired with.
 
 ## Related Repositories
 

package/palmier-server/nats.conf

@@ -1,6 +1,6 @@
 # NATS Server Configuration for Palmier
 
-# TCP listener (for server + agent)
+# TCP listener (for server + host)
 listen: 0.0.0.0:4222
 
 # WebSocket listener (for PWA browser clients)
@@ -9,7 +9,11 @@ websocket {
   no_tls: true
 }
 
-# Token-based authentication
-authorization {
-  token: "592b229f9df46e9ecaedbfcf9e2e5bcc6432367c114b20a0c7854b6f4542184a"
-}
+# JWT/NKey authentication
+# Generate these values by running: cd server && pnpm nats-setup
+# Paste the auth snippet from the output below.
+# operator: <OPERATOR_JWT>
+# resolver: MEMORY
+# resolver_preload: {
+#   <ACCOUNT_PUBLIC_KEY>: <ACCOUNT_JWT>
+# }

package/palmier-server/package.json

@@ -9,6 +9,7 @@
     ]
   },
   "dependencies": {
-    "firebase-admin": "^13.8.0"
+    "firebase-admin": "^13.8.0",
+    "nkeys.js": "^1.1.0"
   }
 }

package/palmier-server/pnpm-lock.yaml

@@ -11,6 +11,9 @@ importers:
       firebase-admin:
         specifier: ^13.8.0
         version: 13.8.0
+      nkeys.js:
+        specifier: ^1.1.0
+        version: 1.1.0
 
   pwa:
     dependencies:
@@ -96,6 +99,9 @@ importers:
       nats:
         specifier: ^2.29.1
         version: 2.29.3
+      nkeys.js:
+        specifier: ^1.1.0
+        version: 1.1.0
       pg:
         specifier: ^8.13.1
         version: 8.20.0

package/palmier-server/pwa/src/components/HostMenu.tsx

@@ -64,6 +64,15 @@ interface DndAccessPlugin {
   check(): Promise<DndAccessResult>;
 }
 
+interface FullScreenIntentResult {
+  granted: boolean;
+}
+
+interface FullScreenIntentPlugin {
+  request(): Promise<FullScreenIntentResult>;
+  check(): Promise<FullScreenIntentResult>;
+}
+
 const NotificationListener = Capacitor.isNativePlatform()
   ? registerPlugin<NotificationListenerPlugin>("NotificationListener")
   : null;
@@ -83,6 +92,10 @@ const CalendarPermission = Capacitor.isNativePlatform()
 const DndAccess = Capacitor.isNativePlatform()
   ? registerPlugin<DndAccessPlugin>("DndAccess")
   : null;
+
+const FullScreenIntent = Capacitor.isNativePlatform()
+  ? registerPlugin<FullScreenIntentPlugin>("FullScreenIntent")
+  : null;
 import { useHostStore } from "../contexts/HostStoreContext";
 import { useMediaQuery } from "../hooks/useMediaQuery";
 
@@ -116,6 +129,7 @@ export default function HostMenu({ daemonVersion, capabilityTokens, activeClient
   const [togglingDnd, setTogglingDnd] = useState(false);
   const [togglingAlarm, setTogglingAlarm] = useState(false);
   const [togglingBattery, setTogglingBattery] = useState(false);
+  const [togglingEmail, setTogglingEmail] = useState(false);
 
   // Capability enabled = this device's client token matches the registered device for that capability
   function isCapEnabled(cap: string): boolean {
@@ -129,6 +143,7 @@ export default function HostMenu({ daemonVersion, capabilityTokens, activeClient
   const dndEnabled = isCapEnabled("dnd");
   const alarmEnabled = isCapEnabled("alert");
   const batteryEnabled = isCapEnabled("battery");
+  const emailEnabled = isCapEnabled("email");
 
   /** Update local capability tokens state after a toggle change */
   function setCapEnabled(cap: string, enabled: boolean) {
@@ -296,6 +311,15 @@ export default function HostMenu({ daemonVersion, capabilityTokens, activeClient
     }
   }
 
+  /** Ensure full-screen intent permission is granted (needed for alert + email). */
+  async function ensureFullScreenIntent(): Promise<boolean> {
+    if (!FullScreenIntent) return true;
+    const { granted } = await FullScreenIntent.check();
+    if (granted) return true;
+    const result = await FullScreenIntent.request();
+    return result.granted;
+  }
+
   async function handleAlarmToggle() {
     if (!request) return;
     setTogglingAlarm(true);
@@ -304,6 +328,7 @@ export default function HostMenu({ daemonVersion, capabilityTokens, activeClient
         await request("device.capability.disable", { capability: "alert" });
         setCapEnabled("alert", false);
       } else {
+        if (!await ensureFullScreenIntent()) return;
         const { value: fcmToken } = await Preferences.get({ key: "fcmToken" });
         if (!fcmToken) { console.warn("No FCM token available"); return; }
         await request("device.capability.enable", { capability: "alert", fcmToken });
@@ -316,6 +341,27 @@ export default function HostMenu({ daemonVersion, capabilityTokens, activeClient
     }
   }
 
+  async function handleEmailToggle() {
+    if (!request) return;
+    setTogglingEmail(true);
+    try {
+      if (emailEnabled) {
+        await request("device.capability.disable", { capability: "email" });
+        setCapEnabled("email", false);
+      } else {
+        if (!await ensureFullScreenIntent()) return;
+        const { value: fcmToken } = await Preferences.get({ key: "fcmToken" });
+        if (!fcmToken) { console.warn("No FCM token available"); return; }
+        await request("device.capability.enable", { capability: "email", fcmToken });
+        setCapEnabled("email", true);
+      }
+    } catch (err) {
+      console.error("Failed to toggle email access:", err);
+    } finally {
+      setTogglingEmail(false);
+    }
+  }
+
   async function handleBatteryToggle() {
     if (!request) return;
     setTogglingBattery(true);
@@ -641,6 +687,18 @@ export default function HostMenu({ daemonVersion, capabilityTokens, activeClient
                 <span className="toggle-switch-thumb" />
               </button>
             </label>
+            <label className="drawer-toggle">
+              <span className="drawer-toggle-label">Email Access</span>
+              <button
+                className={`toggle-switch ${emailEnabled ? "toggle-switch-on" : ""}`}
+                onClick={handleEmailToggle}
+                disabled={togglingEmail}
+                role="switch"
+                aria-checked={emailEnabled}
+              >
+                <span className="toggle-switch-thumb" />
+              </button>
+            </label>
           </div>
         </>
       )}

package/palmier-server/pwa/src/constants.ts

@@ -1,2 +1,2 @@
 /** Bump when a breaking host change is made. */
-export const MIN_HOST_VERSION = "0.7.4";
+export const MIN_HOST_VERSION = "0.7.6";

package/palmier-server/pwa/src/contexts/HostConnectionContext.tsx

@@ -7,7 +7,7 @@ import {
   useCallback,
   type ReactNode,
 } from "react";
-import { connect, StringCodec, type NatsConnection, type Subscription } from "nats.ws";
+import { connect, jwtAuthenticator, StringCodec, type NatsConnection, type Subscription } from "nats.ws";
 import { SERVER_URL } from "../api";
 import { useHostStore } from "./HostStoreContext";
 import type { PairedHost } from "../types";
@@ -90,12 +90,13 @@ export function HostConnectionProvider({ children }: { children: ReactNode }) {
 
     async function init() {
       try {
-        const res = await fetch(`${SERVER_URL}/api/config`);
+        // Fetch host-scoped NATS credentials (can only access this host's subjects)
+        const res = await fetch(`${SERVER_URL}/api/nats-credentials/${activeHost!.hostId}`);
         if (!res.ok) {
-          console.error("[NATS] Failed to fetch config");
+          console.error("[NATS] Failed to fetch credentials");
           return;
         }
-        const config = await res.json() as { natsWsUrl: string; natsToken: string };
+        const config = await res.json() as { natsWsUrl: string; natsJwt: string; natsNkeySeed: string };
         if (!config.natsWsUrl) {
           console.warn("[NATS] No WebSocket URL configured");
           return;
@@ -105,7 +106,10 @@ export function HostConnectionProvider({ children }: { children: ReactNode }) {
         console.log("[NATS] Connecting to", config.natsWsUrl);
         const conn = await connect({
           servers: config.natsWsUrl,
-          token: config.natsToken,
+          authenticator: jwtAuthenticator(
+            config.natsJwt,
+            new TextEncoder().encode(config.natsNkeySeed),
+          ),
         });
         if (cancelled) { conn.close().catch(() => {}); return; }
         console.log("[NATS] Connected");

package/palmier-server/pwa/src/pages/PairHost.tsx

@@ -1,6 +1,6 @@
 import { useState } from "react";
 import { useNavigate } from "react-router-dom";
-import { connect, StringCodec } from "nats.ws";
+import { connect, jwtAuthenticator, StringCodec } from "nats.ws";
 import { Capacitor } from "@capacitor/core";
 import { Preferences } from "@capacitor/preferences";
 import { useHostStore } from "../contexts/HostStoreContext";
@@ -54,12 +54,15 @@ export default function PairHost() {
         // Server mode — pair via NATS
         const configRes = await fetch(`${SERVER_URL}/api/config`);
         if (!configRes.ok) throw new Error("Failed to fetch server config");
-        const config = await configRes.json() as { natsWsUrl: string; natsToken: string };
+        const config = await configRes.json() as { natsWsUrl: string; natsJwt: string; natsNkeySeed: string };
         if (!config.natsWsUrl) throw new Error("Server has no NATS WebSocket URL configured");
 
         const nc = await connect({
           servers: config.natsWsUrl,
-          token: config.natsToken,
+          authenticator: jwtAuthenticator(
+            config.natsJwt,
+            new TextEncoder().encode(config.natsNkeySeed),
+          ),
         });
 
         const sc = StringCodec();

package/palmier-server/server/package.json

@@ -5,7 +5,8 @@
   "scripts": {
     "dev": "tsx watch src/index.ts",
     "build": "tsc",
-    "start": "node dist/index.js"
+    "start": "node dist/index.js",
+    "nats-setup": "tsx src/nats-setup.ts"
   },
   "dependencies": {
     "bcrypt": "^5.1.1",
@@ -16,6 +17,7 @@
     "helmet": "^8.0.0",
     "jsonwebtoken": "^9.0.2",
     "nats": "^2.29.1",
+    "nkeys.js": "^1.1.0",
     "pg": "^8.13.1",
     "uuid": "^11.0.5",
     "web-push": "^3.6.7"