npm - s3db.js - Versions diffs - 13.4.0 → 13.6.0 - Mend

s3db.js 13.4.0 → 13.6.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (110) hide show

package/README.md +25 -10
package/dist/{s3db.cjs.js → s3db.cjs} +38801 -32446
package/dist/s3db.cjs.map +1 -0
package/dist/s3db.es.js +38653 -32291
package/dist/s3db.es.js.map +1 -1
package/package.json +218 -22
package/src/concerns/id.js +90 -6
package/src/concerns/index.js +2 -1
package/src/concerns/password-hashing.js +150 -0
package/src/database.class.js +6 -2
package/src/plugins/api/auth/basic-auth.js +40 -10
package/src/plugins/api/auth/index.js +49 -3
package/src/plugins/api/auth/oauth2-auth.js +171 -0
package/src/plugins/api/auth/oidc-auth.js +789 -0
package/src/plugins/api/auth/oidc-client.js +462 -0
package/src/plugins/api/auth/path-auth-matcher.js +284 -0
package/src/plugins/api/concerns/event-emitter.js +134 -0
package/src/plugins/api/concerns/failban-manager.js +651 -0
package/src/plugins/api/concerns/guards-helpers.js +402 -0
package/src/plugins/api/concerns/metrics-collector.js +346 -0
package/src/plugins/api/index.js +510 -57
package/src/plugins/api/middlewares/failban.js +305 -0
package/src/plugins/api/middlewares/rate-limit.js +301 -0
package/src/plugins/api/middlewares/request-id.js +74 -0
package/src/plugins/api/middlewares/security-headers.js +120 -0
package/src/plugins/api/middlewares/session-tracking.js +194 -0
package/src/plugins/api/routes/auth-routes.js +119 -78
package/src/plugins/api/routes/resource-routes.js +73 -30
package/src/plugins/api/server.js +1139 -45
package/src/plugins/api/utils/custom-routes.js +102 -0
package/src/plugins/api/utils/guards.js +213 -0
package/src/plugins/api/utils/mime-types.js +154 -0
package/src/plugins/api/utils/openapi-generator.js +91 -12
package/src/plugins/api/utils/path-matcher.js +173 -0
package/src/plugins/api/utils/static-filesystem.js +262 -0
package/src/plugins/api/utils/static-s3.js +231 -0
package/src/plugins/api/utils/template-engine.js +188 -0
package/src/plugins/cloud-inventory/drivers/alibaba-driver.js +853 -0
package/src/plugins/cloud-inventory/drivers/aws-driver.js +2554 -0
package/src/plugins/cloud-inventory/drivers/azure-driver.js +637 -0
package/src/plugins/cloud-inventory/drivers/base-driver.js +99 -0
package/src/plugins/cloud-inventory/drivers/cloudflare-driver.js +620 -0
package/src/plugins/cloud-inventory/drivers/digitalocean-driver.js +698 -0
package/src/plugins/cloud-inventory/drivers/gcp-driver.js +645 -0
package/src/plugins/cloud-inventory/drivers/hetzner-driver.js +559 -0
package/src/plugins/cloud-inventory/drivers/linode-driver.js +614 -0
package/src/plugins/cloud-inventory/drivers/mock-drivers.js +449 -0
package/src/plugins/cloud-inventory/drivers/mongodb-atlas-driver.js +771 -0
package/src/plugins/cloud-inventory/drivers/oracle-driver.js +768 -0
package/src/plugins/cloud-inventory/drivers/vultr-driver.js +636 -0
package/src/plugins/cloud-inventory/index.js +20 -0
package/src/plugins/cloud-inventory/registry.js +146 -0
package/src/plugins/cloud-inventory/terraform-exporter.js +362 -0
package/src/plugins/cloud-inventory.plugin.js +1333 -0
package/src/plugins/concerns/plugin-dependencies.js +62 -2
package/src/plugins/eventual-consistency/analytics.js +1 -0
package/src/plugins/eventual-consistency/consolidation.js +2 -2
package/src/plugins/eventual-consistency/garbage-collection.js +2 -2
package/src/plugins/eventual-consistency/install.js +2 -2
package/src/plugins/identity/README.md +335 -0
package/src/plugins/identity/concerns/mfa-manager.js +204 -0
package/src/plugins/identity/concerns/password.js +138 -0
package/src/plugins/identity/concerns/resource-schemas.js +273 -0
package/src/plugins/identity/concerns/token-generator.js +172 -0
package/src/plugins/identity/email-service.js +422 -0
package/src/plugins/identity/index.js +1052 -0
package/src/plugins/identity/oauth2-server.js +1033 -0
package/src/plugins/identity/oidc-discovery.js +285 -0
package/src/plugins/identity/rsa-keys.js +323 -0
package/src/plugins/identity/server.js +500 -0
package/src/plugins/identity/session-manager.js +453 -0
package/src/plugins/identity/ui/layouts/base.js +251 -0
package/src/plugins/identity/ui/middleware.js +135 -0
package/src/plugins/identity/ui/pages/admin/client-form.js +247 -0
package/src/plugins/identity/ui/pages/admin/clients.js +179 -0
package/src/plugins/identity/ui/pages/admin/dashboard.js +181 -0
package/src/plugins/identity/ui/pages/admin/user-form.js +283 -0
package/src/plugins/identity/ui/pages/admin/users.js +263 -0
package/src/plugins/identity/ui/pages/consent.js +262 -0
package/src/plugins/identity/ui/pages/forgot-password.js +104 -0
package/src/plugins/identity/ui/pages/login.js +144 -0
package/src/plugins/identity/ui/pages/mfa-backup-codes.js +180 -0
package/src/plugins/identity/ui/pages/mfa-enrollment.js +187 -0
package/src/plugins/identity/ui/pages/mfa-verification.js +178 -0
package/src/plugins/identity/ui/pages/oauth-error.js +225 -0
package/src/plugins/identity/ui/pages/profile.js +361 -0
package/src/plugins/identity/ui/pages/register.js +226 -0
package/src/plugins/identity/ui/pages/reset-password.js +128 -0
package/src/plugins/identity/ui/pages/verify-email.js +172 -0
package/src/plugins/identity/ui/routes.js +2541 -0
package/src/plugins/identity/ui/styles/main.css +465 -0
package/src/plugins/index.js +4 -1
package/src/plugins/ml/base-model.class.js +65 -16
package/src/plugins/ml/classification-model.class.js +1 -1
package/src/plugins/ml/timeseries-model.class.js +3 -1
package/src/plugins/ml.plugin.js +584 -31
package/src/plugins/shared/error-handler.js +147 -0
package/src/plugins/shared/index.js +9 -0
package/src/plugins/shared/middlewares/compression.js +117 -0
package/src/plugins/shared/middlewares/cors.js +49 -0
package/src/plugins/shared/middlewares/index.js +11 -0
package/src/plugins/shared/middlewares/logging.js +54 -0
package/src/plugins/shared/middlewares/rate-limit.js +73 -0
package/src/plugins/shared/middlewares/security.js +158 -0
package/src/plugins/shared/response-formatter.js +264 -0
package/src/plugins/state-machine.plugin.js +57 -2
package/src/resource.class.js +140 -12
package/src/schema.class.js +30 -1
package/src/validator.class.js +57 -6
package/dist/s3db.cjs.js.map +0 -1

package/src/plugins/identity/ui/middleware.js ADDED Viewed

@@ -0,0 +1,135 @@
+/**
+ * Identity Provider Middleware
+ * Session validation and authentication middleware
+ */
+/**
+ * Session authentication middleware
+ * Validates session and attaches user data to context
+ * @param {Object} sessionManager - SessionManager instance
+ * @param {Object} options - Middleware options
+ * @param {boolean} options.required - Require authentication (redirect if not logged in)
+ * @param {boolean} options.requireAdmin - Require admin role
+ * @param {string} options.redirectTo - Redirect URL if not authenticated
+ * @returns {Function} Hono middleware function
+ */
+export function sessionAuth(sessionManager, options = {}) {
+  const {
+    required = false,
+    requireAdmin = false,
+    redirectTo = '/login'
+  } = options;
+  return async (c, next) => {
+    const sessionId = sessionManager.getSessionIdFromRequest(c.req);
+    let user = null;
+    let session = null;
+    if (sessionId) {
+      const { valid, session: validSession, reason } = await sessionManager.validateSession(sessionId);
+      if (valid) {
+        session = validSession;
+        user = validSession.metadata || null;
+      } else {
+        // Clear invalid session cookie
+        sessionManager.clearSessionCookie(c);
+        if (required) {
+          const currentUrl = c.req.url;
+          return c.redirect(`${redirectTo}?redirect=${encodeURIComponent(currentUrl)}&error=${encodeURIComponent('Your session has expired. Please log in again.')}`);
+        }
+      }
+    }
+    // Check if authentication is required
+    if (required && !user) {
+      const currentUrl = c.req.url;
+      return c.redirect(`${redirectTo}?redirect=${encodeURIComponent(currentUrl)}`);
+    }
+    // Check if admin is required
+    if (requireAdmin && (!user || !user.isAdmin)) {
+      return c.html('<h1>403 Forbidden</h1><p>You do not have permission to access this page.</p>', 403);
+    }
+    // Attach user and session to context
+    c.set('user', user);
+    c.set('session', session);
+    c.set('isAuthenticated', !!user);
+    c.set('isAdmin', user?.isAdmin || false);
+    await next();
+  };
+}
+/**
+ * Admin-only middleware (shorthand)
+ * @param {Object} sessionManager - SessionManager instance
+ * @returns {Function} Hono middleware function
+ */
+export function adminOnly(sessionManager) {
+  return sessionAuth(sessionManager, {
+    required: true,
+    requireAdmin: true
+  });
+}
+/**
+ * Optional authentication middleware
+ * Attaches user if logged in, but doesn't require it
+ * @param {Object} sessionManager - SessionManager instance
+ * @returns {Function} Hono middleware function
+ */
+export function optionalAuth(sessionManager) {
+  return sessionAuth(sessionManager, {
+    required: false,
+    requireAdmin: false
+  });
+}
+/**
+ * CSRF protection middleware
+ * Validates CSRF token for POST/PUT/PATCH/DELETE requests
+ * @param {Object} options - CSRF options
+ * @param {string[]} options.excludePaths - Paths to exclude from CSRF check
+ * @returns {Function} Hono middleware function
+ */
+export function csrfProtection(options = {}) {
+  const {
+    excludePaths = []
+  } = options;
+  return async (c, next) => {
+    const method = c.req.method;
+    const path = c.req.path;
+    // Skip CSRF check for safe methods
+    if (['GET', 'HEAD', 'OPTIONS'].includes(method)) {
+      await next();
+      return;
+    }
+    // Skip CSRF check for excluded paths
+    if (excludePaths.some(p => path.startsWith(p))) {
+      await next();
+      return;
+    }
+    // For now, skip CSRF validation - will be implemented in polish phase
+    // TODO: Implement proper CSRF token generation and validation
+    // - Generate token on GET requests, store in session
+    // - Include token in forms as hidden field
+    // - Validate token on POST/PUT/PATCH/DELETE
+    await next();
+  };
+}
+export default {
+  sessionAuth,
+  adminOnly,
+  optionalAuth,
+  csrfProtection
+};

package/src/plugins/identity/ui/pages/admin/client-form.js ADDED Viewed

@@ -0,0 +1,247 @@
+/**
+ * Admin OAuth2 Client Form Page (Create/Edit)
+ */
+import { html } from 'hono/html';
+import { BaseLayout } from '../../layouts/base.js';
+/**
+ * Render OAuth2 client form page
+ * @param {Object} props - Page properties
+ * @param {Object} [props.client] - Client data (for edit mode)
+ * @param {Object} props.user - Current user
+ * @param {string} [props.error] - Error message
+ * @param {Array} [props.availableScopes] - Available OAuth2 scopes
+ * @param {Array} [props.availableGrantTypes] - Available grant types
+ * @param {Object} [props.config] - UI configuration
+ * @returns {string} HTML string
+ */
+export function AdminClientFormPage(props = {}) {
+  const {
+    client = null,
+    user = {},
+    error = null,
+    availableScopes = [],
+    availableGrantTypes = [],
+    config = {}
+  } = props;
+  const isEditMode = !!client;
+  const clientData = client || {
+    name: '',
+    redirectUris: [''],
+    grantTypes: ['authorization_code', 'refresh_token'],
+    allowedScopes: ['openid', 'profile', 'email'],
+    active: true
+  };
+  const inputClasses = [
+    'block w-full rounded-2xl border border-white/10 bg-white/[0.08]',
+    'px-4 py-2.5 text-sm text-white placeholder:text-slate-300/70',
+    'shadow-[0_1px_0_rgba(255,255,255,0.05)] transition focus:border-white/40 focus:outline-none focus:ring-2 focus:ring-white/30'
+  ].join(' ');
+  const checkboxClasses = [
+    'h-4 w-4 rounded border-white/30 bg-slate-900/70 text-primary',
+    'focus:ring-2 focus:ring-primary/40 focus:ring-offset-0 focus:outline-none'
+  ].join(' ');
+  const primaryButtonClass = [
+    'inline-flex items-center justify-center rounded-2xl bg-gradient-to-r',
+    'from-primary via-primary to-secondary px-5 py-2.5 text-sm font-semibold text-white',
+    'transition hover:-translate-y-0.5 focus:outline-none focus:ring-2 focus:ring-white/30'
+  ].join(' ');
+  const secondaryButtonClass = [
+    'inline-flex items-center justify-center rounded-2xl border border-white/15 bg-white/[0.06]',
+    'px-4 py-2.5 text-sm font-semibold text-white transition hover:bg-white/[0.12]',
+    'focus:outline-none focus:ring-2 focus:ring-white/20'
+  ].join(' ');
+  const dangerButtonClass = [
+    'inline-flex items-center justify-center rounded-2xl border border-red-400/40 bg-red-500/10',
+    'px-4 py-2 text-sm font-semibold text-red-100 transition hover:bg-red-500/15 focus:outline-none focus:ring-2 focus:ring-red-400/40'
+  ].join(' ');
+  const content = html`
+    <section class="mx-auto w-full max-w-4xl space-y-8 text-slate-100">
+      <header>
+        <a href="/admin/clients" class="text-sm font-semibold text-primary transition hover:text-white">
+          ← Back to Clients
+        </a>
+        <h1 class="mt-3 text-3xl font-semibold text-white md:text-4xl">
+          ${isEditMode ? 'Edit' : 'Create'} OAuth2 Client
+        </h1>
+        <p class="mt-2 text-sm text-slate-300">
+          Configure redirect URIs, grant types, and scopes available for this client.
+        </p>
+      </header>
+      <div class="rounded-3xl border border-white/10 bg-white/[0.05] p-8 shadow-xl shadow-black/30 backdrop-blur">
+        <form method="POST" action="${isEditMode ? `/admin/clients/${client.id}/update` : '/admin/clients/create'}" class="space-y-6">
+          <div class="space-y-2">
+            <label for="name" class="text-sm font-semibold text-slate-200">Client Name</label>
+            <input
+              type="text"
+              class="${inputClasses} ${error ? 'border-red-400/60 focus:border-red-400 focus:ring-red-400/40' : ''}"
+              id="name"
+              name="name"
+              value="${clientData.name}"
+              required
+              autofocus
+              placeholder="My Application"
+            />
+            <p class="text-xs text-slate-400">A friendly name for this OAuth2 client</p>
+            ${error ? html`<p class="text-xs text-red-200">${error}</p>` : ''}
+          </div>
+          <div class="space-y-3">
+            <label class="text-sm font-semibold text-slate-200">Redirect URIs</label>
+            <div id="redirect-uris-container" class="space-y-2">
+              ${(Array.isArray(clientData.redirectUris) ? clientData.redirectUris : ['']).map((uri, index) => html`
+                <div class="flex flex-col gap-2 sm:flex-row sm:items-start sm:gap-3">
+                  <input
+                    type="url"
+                    class="${inputClasses}"
+                    name="redirectUris[]"
+                    value="${uri}"
+                    required
+                    placeholder="https://example.com/callback"
+                  />
+                  ${index > 0 ? html`
+                    <button type="button" class="${dangerButtonClass} shrink-0" onclick="this.parentElement.remove()">
+                      ✕
+                    </button>
+                  ` : ''}
+                </div>
+              `)}
+            </div>
+            <button type="button" class="${secondaryButtonClass}" onclick="addRedirectUri()">
+              + Add Another URI
+            </button>
+            <p class="text-xs text-slate-400">
+              Where users will be redirected after authorization.
+            </p>
+          </div>
+          <div class="space-y-2">
+            <label class="text-sm font-semibold text-slate-200">Grant Types</label>
+            <div class="grid gap-2 sm:grid-cols-2">
+              ${(availableGrantTypes.length > 0 ? availableGrantTypes : ['authorization_code', 'refresh_token', 'client_credentials']).map(type => {
+                const isChecked = Array.isArray(clientData.grantTypes) && clientData.grantTypes.includes(type);
+                return html`
+                  <label class="flex items-center gap-3 rounded-2xl border border-white/10 bg-white/[0.04] px-4 py-3 text-sm text-slate-200">
+                    <input
+                      type="checkbox"
+                      class="${checkboxClasses}"
+                      id="grant_${type}"
+                      name="grantTypes[]"
+                      value="${type}"
+                      ${isChecked ? 'checked' : ''}
+                    />
+                    <span><code>${type}</code></span>
+                  </label>
+                `;
+              })}
+            </div>
+            <p class="text-xs text-slate-400">OAuth2 grant types this client can use.</p>
+          </div>
+          <div class="space-y-2">
+            <label class="text-sm font-semibold text-slate-200">Allowed Scopes</label>
+            <div class="grid gap-2 sm:grid-cols-2">
+              ${(availableScopes.length > 0 ? availableScopes : ['openid', 'profile', 'email', 'offline_access']).map(scope => {
+                const isChecked = Array.isArray(clientData.allowedScopes) && clientData.allowedScopes.includes(scope);
+                return html`
+                  <label class="flex items-center gap-3 rounded-2xl border border-white/10 bg-white/[0.04] px-4 py-3 text-sm text-slate-200">
+                    <input
+                      type="checkbox"
+                      class="${checkboxClasses}"
+                      id="scope_${scope}"
+                      name="allowedScopes[]"
+                      value="${scope}"
+                      ${isChecked ? 'checked' : ''}
+                    />
+                    <span><code>${scope}</code></span>
+                  </label>
+                `;
+              })}
+            </div>
+            <p class="text-xs text-slate-400">Scopes this client is allowed to request.</p>
+          </div>
+          <label class="flex items-start gap-3 rounded-2xl border border-white/10 bg-white/[0.04] px-4 py-3 text-sm text-slate-200">
+            <input
+              type="checkbox"
+              class="${checkboxClasses} mt-1"
+              id="active"
+              name="active"
+              value="1"
+              ${clientData.active !== false ? 'checked' : ''}
+            />
+            <span>
+              <strong class="text-white">Active</strong>
+              <br>
+              Client can authenticate and receive tokens.
+            </span>
+          </label>
+          <div class="flex flex-col gap-3 sm:flex-row sm:items-center sm:justify-start">
+            <button type="submit" class="${primaryButtonClass} sm:w-auto" style="box-shadow: 0 18px 45px var(--color-primary-glow);">
+              ${isEditMode ? 'Update Client' : 'Create Client'}
+            </button>
+            <a href="/admin/clients" class="${secondaryButtonClass}">
+              Cancel
+            </a>
+          </div>
+        </form>
+      </div>
+      ${isEditMode ? html`
+        <div class="rounded-3xl border border-white/15 bg-white/[0.06] px-6 py-4 text-sm text-slate-200 shadow-inner shadow-black/20">
+          <strong class="text-white">Note:</strong>
+          The client secret cannot be displayed again after creation. If you need a new secret, use the "Rotate Secret"
+          action on the clients list page.
+        </div>
+      ` : ''}
+    </section>
+    <script>
+      const redirectInputClasses = ${JSON.stringify(inputClasses)};
+      const dangerButtonClasses = ${JSON.stringify(dangerButtonClass)};
+      function addRedirectUri() {
+        const container = document.getElementById('redirect-uris-container');
+        const wrapper = document.createElement('div');
+        wrapper.className = 'flex flex-col gap-2 sm:flex-row sm:items-start sm:gap-3';
+        const input = document.createElement('input');
+        input.type = 'url';
+        input.name = 'redirectUris[]';
+        input.required = true;
+        input.placeholder = 'https://example.com/callback';
+        input.className = redirectInputClasses;
+        const button = document.createElement('button');
+        button.type = 'button';
+        button.className = dangerButtonClasses + ' shrink-0';
+        button.textContent = '✕';
+        button.addEventListener('click', () => wrapper.remove());
+        wrapper.appendChild(input);
+        wrapper.appendChild(button);
+        container.appendChild(wrapper);
+      }
+    </script>
+  `;
+  return BaseLayout({
+    title: `${isEditMode ? 'Edit' : 'Create'} OAuth2 Client - Admin`,
+    content,
+    config,
+    user,
+    error: null // Error shown in form
+  });
+}
+export default AdminClientFormPage;

package/src/plugins/identity/ui/pages/admin/clients.js ADDED Viewed

@@ -0,0 +1,179 @@
+/**
+ * Admin OAuth2 Clients Management Page
+ */
+import { html } from 'hono/html';
+import { BaseLayout } from '../../layouts/base.js';
+/**
+ * Render OAuth2 clients list page
+ * @param {Object} props - Page properties
+ * @param {Array} props.clients - List of OAuth2 clients
+ * @param {Object} props.user - Current user
+ * @param {string} [props.error] - Error message
+ * @param {string} [props.success] - Success message
+ * @param {Object} [props.config] - UI configuration
+ * @returns {string} HTML string
+ */
+export function AdminClientsPage(props = {}) {
+  const { clients = [], user = {}, error = null, success = null, config = {} } = props;
+  const primaryButtonClass = [
+    'inline-flex items-center justify-center rounded-2xl bg-gradient-to-r',
+    'from-primary via-primary to-secondary px-4 py-2.5 text-sm font-semibold text-white',
+    'transition hover:-translate-y-0.5 focus:outline-none focus:ring-2 focus:ring-white/30'
+  ].join(' ');
+  const secondaryButtonClass = [
+    'inline-flex items-center justify-center rounded-2xl border border-white/15 bg-white/[0.06]',
+    'px-4 py-2.5 text-sm font-semibold text-white transition hover:bg-white/[0.12]',
+    'focus:outline-none focus:ring-2 focus:ring-white/20'
+  ].join(' ');
+  const dangerButtonClass = [
+    'inline-flex items-center justify-center rounded-2xl border border-red-400/40 bg-red-500/10',
+    'px-4 py-2.5 text-sm font-semibold text-red-100 transition hover:bg-red-500/15 focus:outline-none focus:ring-2 focus:ring-red-400/40'
+  ].join(' ');
+  const successButtonClass = [
+    'inline-flex items-center justify-center rounded-2xl border border-emerald-400/40 bg-emerald-500/10',
+    'px-4 py-2.5 text-sm font-semibold text-emerald-100 transition hover:bg-emerald-500/15 focus:outline-none focus:ring-2 focus:ring-emerald-400/40'
+  ].join(' ');
+  const codeChipClass = 'rounded-xl border border-white/10 bg-white/[0.08] px-3 py-1 text-xs text-slate-200';
+  const badgeClass = 'rounded-full bg-primary/20 px-3 py-1 text-xs font-semibold text-primary';
+  const content = html`
+    <section class="mx-auto w-full max-w-6xl space-y-8 text-slate-100">
+      <header class="flex flex-col gap-4 sm:flex-row sm:items-center sm:justify-between">
+        <div>
+          <h1 class="text-3xl font-semibold text-white md:text-4xl">OAuth2 Clients</h1>
+          <p class="mt-1 text-sm text-slate-300">
+            Manage client credentials, redirect URIs, and allowed scopes.
+          </p>
+        </div>
+        <a href="/admin/clients/new" class="${primaryButtonClass}">
+          + New Client
+        </a>
+      </header>
+      ${clients.length === 0 ? html`
+        <div class="rounded-3xl border border-white/10 bg-white/[0.05] p-10 text-center shadow-xl shadow-black/30 backdrop-blur">
+          <p class="text-sm text-slate-300">
+            No OAuth2 clients registered yet. Create your first client to start integrating applications.
+          </p>
+          <a href="/admin/clients/new" class="${primaryButtonClass} mt-6 inline-flex" style="box-shadow: 0 18px 45px var(--color-primary-glow);">
+            Create Your First Client
+          </a>
+        </div>
+      ` : html`
+        <div class="grid gap-6">
+          ${clients.map(client => {
+            const grantTypes = Array.isArray(client.grantTypes) ? client.grantTypes : [];
+            const allowedScopes = Array.isArray(client.allowedScopes) ? client.allowedScopes : [];
+            const redirectUris = Array.isArray(client.redirectUris) ? client.redirectUris : [];
+            return html`
+              <article class="rounded-3xl border border-white/10 bg-white/[0.05] p-6 shadow-xl shadow-black/30 backdrop-blur">
+                <div class="flex flex-col gap-4 border-b border-white/10 pb-4 sm:flex-row sm:items-center sm:justify-between">
+                  <div class="flex flex-wrap items-center gap-3">
+                    <h2 class="text-lg font-semibold text-white">${client.name}</h2>
+                    ${client.active ? '' : html`
+                      <span class="rounded-full bg-red-500/20 px-3 py-1 text-xs font-semibold text-red-200">
+                        Inactive
+                      </span>
+                    `}
+                  </div>
+                  <div class="flex flex-wrap items-center gap-2">
+                    <a href="/admin/clients/${client.id}/edit" class="${secondaryButtonClass}">
+                      Edit
+                    </a>
+                    <form method="POST" action="/admin/clients/${client.id}/delete" class="inline-flex" onsubmit="return confirm('Are you sure you want to delete this client? This action cannot be undone.')">
+                      <button type="submit" class="${dangerButtonClass}">
+                        Delete
+                      </button>
+                    </form>
+                  </div>
+                </div>
+                <div class="mt-4 space-y-6 text-sm text-slate-200">
+                  <div>
+                    <div class="text-xs uppercase tracking-wide text-slate-400">Client ID</div>
+                    <code class="${codeChipClass} mt-2 block">${client.clientId}</code>
+                  </div>
+                  ${redirectUris.length > 0 ? html`
+                    <div>
+                      <div class="text-xs uppercase tracking-wide text-slate-400">
+                        Redirect URIs (${redirectUris.length})
+                      </div>
+                      <div class="mt-2 flex flex-wrap gap-2">
+                        ${redirectUris.map(uri => html`<code class="${codeChipClass}">${uri}</code>`)}
+                      </div>
+                    </div>
+                  ` : ''}
+                  ${grantTypes.length > 0 ? html`
+                    <div>
+                      <div class="text-xs uppercase tracking-wide text-slate-400">Grant Types</div>
+                      <div class="mt-2 flex flex-wrap gap-2">
+                        ${grantTypes.map(type => html`
+                          <span class="${badgeClass}">
+                            ${type}
+                          </span>
+                        `)}
+                      </div>
+                    </div>
+                  ` : ''}
+                  ${allowedScopes.length > 0 ? html`
+                    <div>
+                      <div class="text-xs uppercase tracking-wide text-slate-400">Allowed Scopes</div>
+                      <div class="mt-2 flex flex-wrap gap-2">
+                        ${allowedScopes.map(scope => html`
+                          <span class="rounded-full bg-emerald-500/20 px-3 py-1 text-xs font-semibold text-emerald-200">
+                            ${scope}
+                          </span>
+                        `)}
+                      </div>
+                    </div>
+                  ` : ''}
+                  ${client.createdAt ? html`
+                    <div class="text-xs text-slate-400">
+                      Created ${new Date(client.createdAt).toLocaleString()}
+                    </div>
+                  ` : ''}
+                </div>
+                <div class="mt-6 flex flex-wrap gap-3 border-t border-white/10 pt-4">
+                  <form method="POST" action="/admin/clients/${client.id}/rotate-secret" class="inline-flex">
+                    <button type="submit" class="${secondaryButtonClass}">
+                      🔄 Rotate Secret
+                    </button>
+                  </form>
+                  <form method="POST" action="/admin/clients/${client.id}/toggle-active" class="inline-flex">
+                    <button type="submit" class="${client.active ? dangerButtonClass : successButtonClass}">
+                      ${client.active ? '🔴 Deactivate' : '🟢 Activate'}
+                    </button>
+                  </form>
+                </div>
+              </article>
+            `;
+          })}
+        </div>
+      `}
+    </section>
+  `;
+  return BaseLayout({
+    title: 'OAuth2 Clients - Admin',
+    content,
+    config,
+    user,
+    error,
+    success
+  });
+}
+export default AdminClientsPage;