data-boar 1.7.4__py3-none-any.whl

api/app.py

@@ -0,0 +1,8 @@
+"""
+Re-export the single FastAPI app from api.routes for backward compatibility.
+Use: from api.routes import app (or from api.app import app).
+"""
+
+from api.routes import app
+
+__all__ = ["app"]

api/locale_i18n.py

@@ -0,0 +1,209 @@
+"""
+Dashboard HTML locale: JSON catalogs (no gettext in v1), slug negotiation, and t(key).
+
+See docs/plans/completed/PLAN_DASHBOARD_I18N.md (M-LOCALE-V1).
+"""
+
+from __future__ import annotations
+
+import json
+import re
+from functools import lru_cache
+from pathlib import Path
+from typing import Any
+
+from starlette.requests import Request
+
+# BCP 47 tag -> URL path segment (slug). Slugs are lowercase in paths; tags use
+# standard BCP 47 casing (e.g. pt-BR) and match api/locales/<tag>.json and config.
+LOCALE_SLUG_BY_TAG: dict[str, str] = {"en": "en", "pt-BR": "pt-br"}
+LOCALE_TAG_BY_SLUG: dict[str, str] = {v: k for k, v in LOCALE_SLUG_BY_TAG.items()}
+VALID_SLUGS = frozenset(LOCALE_TAG_BY_SLUG.keys())
+
+_LOCALES_DIR = Path(__file__).resolve().parent / "locales"
+
+
+def _flatten_keys(obj: Any, prefix: str = "") -> set[str]:
+    """Collect dot-separated keys for parity checks (leaf values must be str)."""
+    keys: set[str] = set()
+    if isinstance(obj, dict):
+        for k, v in obj.items():
+            p = f"{prefix}.{k}" if prefix else str(k)
+            if isinstance(v, dict):
+                keys |= _flatten_keys(v, p)
+            elif isinstance(v, str):
+                keys.add(p)
+            else:
+                keys |= _flatten_keys(v, p)
+    return keys
+
+
+@lru_cache(maxsize=8)
+def _load_locale_json(tag: str) -> dict[str, Any]:
+    path = _LOCALES_DIR / f"{tag}.json"
+    if not path.is_file():
+        return {}
+    raw = path.read_text(encoding="utf-8")
+    data = json.loads(raw)
+    return data if isinstance(data, dict) else {}
+
+
+def locale_catalog_keys(tag: str) -> set[str]:
+    """All translation keys for a locale file (flattened)."""
+    return _flatten_keys(_load_locale_json(tag))
+
+
+def get_fallback_chain(supported_locales: list[str], default_locale: str) -> list[str]:
+    """Locales to try after the active tag (missing-key fallback), ending with English."""
+    seen: set[str] = set()
+    out: list[str] = []
+    for t in list(supported_locales) + [default_locale]:
+        if t and t not in seen:
+            seen.add(t)
+            out.append(t)
+    if "en" not in seen:
+        out.append("en")
+    return out
+
+
+def _get_leaf(catalog: dict[str, Any], key: str) -> str | None:
+    parts = key.split(".")
+    cur: Any = catalog
+    for p in parts:
+        if not isinstance(cur, dict) or p not in cur:
+            return None
+        cur = cur[p]
+    return cur if isinstance(cur, str) else None
+
+
+def translate(
+    catalogs: dict[str, dict[str, Any]],
+    key: str,
+    locale_tag: str,
+    fallback_chain: list[str],
+) -> str:
+    """Return translated string; try active locale, then fallback_chain order."""
+    order: list[str] = [locale_tag]
+    for t in fallback_chain:
+        if t not in order:
+            order.append(t)
+    for tag in order:
+        cat = catalogs.get(tag)
+        if cat is None:
+            cat = _load_locale_json(tag)
+            catalogs[tag] = cat
+        val = _get_leaf(cat, key)
+        if val is not None:
+            return val
+    return key
+
+
+def make_t(
+    locale_tag: str,
+    supported_locales: list[str],
+    default_locale: str,
+    catalogs: dict[str, dict[str, Any]] | None = None,
+):
+    """Build t(key) -> str for Jinja."""
+    catalogs = catalogs if catalogs is not None else {}
+    chain = get_fallback_chain(supported_locales, default_locale)
+
+    def t(key: str) -> str:
+        return translate(catalogs, key, locale_tag, chain)
+
+    return t
+
+
+def _normalize_tag(tag: str) -> str:
+    t = tag.strip().replace("_", "-")
+    if t.lower() in ("pt-br", "pt_br"):
+        return "pt-BR"
+    return t
+
+
+def parse_accept_language(header: str | None, supported: list[str]) -> str | None:
+    """
+    Pick first supported locale from Accept-Language (RFC 7231-ish).
+    supported tags: e.g. ['en', 'pt-BR'].
+    """
+    if not header or not supported:
+        return None
+    supported_norm = {_normalize_tag(x): x for x in supported}
+    # Parse "en-US,en;q=0.9,pt-BR;q=0.8"
+    entries: list[tuple[str, float]] = []
+    for part in header.split(","):
+        part = part.strip()
+        if not part:
+            continue
+        if ";" in part:
+            lang, _, rest = part.partition(";")
+            lang = lang.strip()
+            q = 1.0
+            if "q=" in rest:
+                try:
+                    q = float(re.search(r"q=([\d.]+)", rest).group(1))  # type: ignore[union-attr]
+                except (AttributeError, ValueError):
+                    q = 1.0
+        else:
+            lang = part
+            q = 1.0
+        base = lang.split("-")[0].lower() if lang else ""
+        entries.append((lang, q))
+        if base and base != lang.lower():
+            entries.append((base, q * 0.9))
+    entries.sort(key=lambda x: -x[1])
+    for lang, _ in entries:
+        nt = _normalize_tag(lang)
+        if nt in supported_norm:
+            return supported_norm[nt]
+        # en-US -> en
+        base = lang.split("-")[0].lower()
+        for sup in supported:
+            if sup.lower() == base:
+                return sup
+    return None
+
+
+def negotiate_locale_tag(request: Request, cfg: dict[str, Any]) -> str:
+    """
+    (1) Cookie (2) Accept-Language (3) default_locale from config.locale.
+    """
+    loc = cfg.get("locale") or {}
+    supported = list(loc.get("supported_locales") or ["en", "pt-BR"])
+    default_locale = str(loc.get("default_locale") or "en")
+    if default_locale.lower() in ("pt-br", "pt_br"):
+        default_locale = "pt-BR"
+    cookie_name = str(loc.get("cookie_name") or "db_locale")
+    raw = request.cookies.get(cookie_name)
+    if raw:
+        nt = _normalize_tag(raw)
+        if nt in supported:
+            return nt
+        if nt.lower() == "en":
+            return "en"
+    al = request.headers.get("accept-language")
+    picked = parse_accept_language(al, supported)
+    if picked:
+        return picked
+    return default_locale if default_locale in supported else supported[0]
+
+
+def html_base_path(locale_slug: str) -> str:
+    """Prefix for dashboard HTML links, e.g. /en or /pt-br."""
+    return f"/{locale_slug}".rstrip("/") or "/"
+
+
+def strip_locale_prefix(path: str) -> tuple[str | None, str]:
+    """
+    If path starts with /{slug}/..., return (slug, remainder path starting with /).
+    Otherwise (None, path).
+    """
+    segments = [s for s in path.split("/") if s]
+    if not segments:
+        return None, path
+    first = segments[0].lower()
+    if first in LOCALE_TAG_BY_SLUG:
+        slug = LOCALE_TAG_BY_SLUG[first]
+        rest = "/" + "/".join(segments[1:]) if len(segments) > 1 else "/"
+        return slug, rest
+    return None, path

api/locales/en.json

@@ -0,0 +1,254 @@
+{
+  "nav": {
+    "dashboard": "Dashboard (dashBOARd)",
+    "reports": "Reports",
+    "config": "Configuration",
+    "help": "Help & Docs",
+    "about": "About",
+    "assessment": "Self-assessment (POC)",
+    "locale_en": "English",
+    "locale_pt": "Portuguese (Brazil)"
+  },
+  "banner": {
+    "insecure_title": "Plaintext HTTP",
+    "insecure_body": "this dashboard is not using TLS. Traffic can be read or modified on the network path. Use --https-cert-file / --https-key-file or terminate TLS on a reverse proxy. See GET /status (dashboard_transport).",
+    "gov_title": "Governance / trust",
+    "gov_body": "severity {severity} (license {license_state}). Global API key surface: {mode}. Optional per-route RBAC (api.rbac, Pro+ dashboard_rbac) — see GET /status (enterprise_surface.access_surface.rbac)."
+  },
+  "meta": {
+    "title_suffix": "Data Boar"
+  },
+  "assessment": {
+    "page_title": "Self-assessment (POC) — Data Boar",
+    "h1": "Organizational self-assessment",
+    "pack_intro": "Below is a YAML-loaded placeholder questionnaire (generic copy in the public repo). Replace with a private or licensed pack via config.",
+    "pack_note": "Submitted answers are stored in the local SQLite database (same file as scan results) for this POC.",
+    "saved_ok": "Responses saved.",
+    "summary_title": "Submission summary",
+    "summary_rows_stored": "Stored {count} answer row(s) for this submission.",
+    "summary_score": "Rubric score: {total} / {maximum} ({pct}%).",
+    "summary_score_none": "No rubric weights are defined in the YAML pack (all scores zero); add optional per-question scores to enable a percentage.",
+    "summary_disclaimer": "Outputs are self-reported signals only — not legal advice, audit, or certification. Keep proprietary questionnaire text in a private pack.",
+    "export_csv": "Download CSV",
+    "export_md": "Download Markdown",
+    "export_contract": "Exports use this authenticated download URL (attachment). There is no separate on-disk export path in the product; redirect curl or your browser to save a file. When api.require_api_key is enabled, send X-API-Key or Authorization: Bearer like other dashboard requests.",
+    "history_title": "Recent submissions",
+    "history_intro": "Stored batches in this SQLite database (newest first). Open a summary or export; highlighted row matches the batch in the URL.",
+    "history_th_submitted": "Submitted (UTC)",
+    "history_th_batch": "Batch id",
+    "history_th_locale": "Locale",
+    "history_th_pack": "Pack",
+    "history_th_rows": "Rows",
+    "history_th_actions": "Actions",
+    "history_view": "Summary",
+    "summary_integrity_heading": "Integrity (POC — HMAC)",
+    "summary_integrity_detail": "{ok} verified · {mismatch} failed verification · {unsealed} without seal · {unknown} sealed but key unavailable",
+    "summary_integrity_none": "No HMAC secret was configured when saving; rows are stored without seals.",
+    "form_submit": "Save responses",
+    "answer_unset": "—",
+    "answer_yes": "Yes",
+    "answer_no": "No",
+    "answer_na": "Not applicable",
+    "lead": "This page is an optional product placeholder. The open repository does not ship proprietary questionnaire items.",
+    "body_p1": "Scope and architecture options are described in docs/plans/PLAN_MATURITY_SELF_ASSESSMENT_GRC_QUESTIONNAIRE.md.",
+    "body_p2": "Any future output is a self-reported maturity signal only—not legal advice, audit, or certification."
+  },
+  "dashboard": {
+    "page_title": "Dashboard — Data Boar",
+    "h1": "Audit Dashboard",
+    "license_h2": "License status",
+    "scan_h2": "Scan status",
+    "state": "State:",
+    "running": "Running",
+    "idle": "Idle",
+    "current_session": "Current session:",
+    "findings_run": "Findings this run:",
+    "tenant_label": "Customer / tenant name (optional)",
+    "tenant_ph": "e.g. Acme Corp",
+    "tech_label": "Technician / operator (optional)",
+    "tech_ph": "e.g. Colleague-W Colleague-V",
+    "cli_parity": "CLI parity for one-shot scans:",
+    "cli_parity_link": "Help & Docs",
+    "cli_parity_tail": "From the CLI (--scan-compressed, --content-type-check, --scan-stego, --jurisdiction-hint).",
+    "scan_compressed": "Also scan inside compressed files (zip, tar, 7z, …)",
+    "scan_compressed_hint": "May significantly increase run time and I/O. Use only when you need to inspect contents of archives.",
+    "content_type": "Use content-type detection (magic bytes) for file format",
+    "content_type_hint": "Helps find renamed or cloaked files (e.g. PDF saved as .txt). Reads the start of each file—may increase I/O and run time.",
+    "scan_stego": "Steganography hints on rich media (entropy heuristic)",
+    "scan_stego_hint": "Optional byte-entropy hint for images/audio/video—not proof of hidden data. Extra read per file; use only when investigating concealment.",
+    "jurisdiction": "Heuristic jurisdiction hints (Report info — DPO / counsel)",
+    "jurisdiction_hint": "Optional notes when metadata may suggest CCPA/CPRA, Colorado, or Japan APPI scope. Not a legal conclusion; configure report.jurisdiction_hints for defaults.",
+    "start_scan": "Start scan",
+    "discovery_h2": "Data discovery (last run)",
+    "stat_db": "Database findings",
+    "stat_fs": "Filesystem findings",
+    "stat_fail": "Scan failures",
+    "stat_total": "Total findings",
+    "session_line": "Session:",
+    "tenant_kv": "Tenant:",
+    "tech_kv": "Technician:",
+    "chart_h2": "Progress over time",
+    "chart_intro": "Total findings and risk score (0–100) per scan, in chronological order.",
+    "chart_empty": "Run at least one scan to see the progress graph.",
+    "chart_aria": "Findings and score over sequential scans",
+    "sessions_h2": "Recent sessions",
+    "view_reports": "View all reports",
+    "th_session": "Session",
+    "th_started": "Started",
+    "th_tenant": "Tenant / Customer",
+    "th_technician": "Technician / Operator",
+    "th_db": "DB",
+    "th_fs": "FS",
+    "th_failures": "Failures",
+    "th_report": "Report",
+    "download": "Download",
+    "no_sessions_row": "No sessions yet. Start a scan.",
+    "about_app_h2": "About this application",
+    "about_app_p": "Reports (Excel and heatmap) and this dashboard are generated by this application; see About for full details.",
+    "about_link": "About"
+  },
+  "config": {
+    "page_title": "Configuration — Data Boar",
+    "h1": "Scan configuration",
+    "intro": "Edit the audit configuration (YAML). Saved file:",
+    "intro_tail": "Changes apply to the next scan.",
+    "error_prefix": "Error:",
+    "no_yaml_error": "No YAML content provided.",
+    "saved_ok": "Configuration saved successfully.",
+    "yaml_label": "YAML configuration",
+    "save": "Save configuration",
+    "readme_blurb": "See README and docs/USAGE.md for target types (database, filesystem, api, powerbi, dataverse, shares) and options."
+  },
+  "reports": {
+    "page_title": "Reports — Data Boar",
+    "h1": "Reports",
+    "intro": "Download Excel reports (and heatmap) for each scan session. “Download” regenerates the report for that session.",
+    "sort_newest": "Newest first",
+    "sort_oldest": "Oldest first",
+    "order_label": "Order by date:",
+    "th_session": "Session ID",
+    "th_started": "Started",
+    "th_finished": "Finished",
+    "th_status": "Status",
+    "th_tenant": "Tenant / Customer",
+    "th_technician": "Technician / Operator",
+    "th_db": "DB findings",
+    "th_fs": "FS findings",
+    "th_failures": "Failures",
+    "th_report": "Report",
+    "download": "Download",
+    "no_sessions": "No sessions yet. Run a scan from the",
+    "dashboard_link": "dashboard"
+  },
+  "about": {
+    "page_title": "About — Data Boar (dashBOARd)",
+    "h1": "About",
+    "dashmuted": "(dashBOARd)",
+    "app_h2": "Application",
+    "web_dash": "Web dashboard experience:",
+    "author_h2": "Author",
+    "license_h2": "Subscription / runtime license status",
+    "license_intro": "Operational status of optional commercial enforcement (default: open distribution). See docs/LICENSING_SPEC.md.",
+    "state": "State:",
+    "mode": "Mode:",
+    "licensed_customer": "Licensed customer (token):",
+    "expires": "Expiration (UTC):",
+    "issuer": "Issuer (token):"
+  },
+  "help": {
+    "page_title": "Help & Docs — Data Boar",
+    "h1": "Help & documentation",
+    "what_h2": "What Data Boar does",
+    "what_p1": "Data Boar is an enterprise data discovery and risk governance engine: it scans configured data sources (databases, filesystems, APIs and shares) for personal and sensitive data, stores only metadata in a local SQLite database, and generates Excel reports, heatmaps, executive Markdown (APG + evidence), and optional GRC-oriented exports.",
+    "what_p2": "Each run is a scan session with optional tenant / customer and technician / operator tags, so you can attribute results.",
+    "run_h2": "How to run a scan",
+    "run_web_h3": "From the web dashboard",
+    "run_web_li1": "Go to the Dashboard page.",
+    "run_web_li2": "Ensure your Configuration (see Config page) has the desired targets (databases, filesystems, APIs, etc.). The scan will run exactly those targets.",
+    "run_web_li3": "(Optional) Fill in Customer / tenant and Technician / operator.",
+    "run_web_li4": "Click Start scan. This triggers a full audit of all targets in the current config. The status panel will update and the page will auto-refresh when the run finishes.",
+    "run_web_tail": "Recent sessions are listed at the bottom of the dashboard and on the Reports page, with download links.",
+    "run_web_shot_alt": "Dashboard scan form with Start scan button highlighted",
+    "run_web_shot_caption": "Dashboard — optional tenant/technician fields and Start scan (no shell required).",
+    "run_auto_h3": "For automation / scripting",
+    "run_cli_h3": "From the CLI",
+    "run_cli_p1": "From the repo root, prefer uv run python main.py (or activate your venv and run python main.py). Full flag list: python main.py --help. Packaged installs: man 1 data-boar (command) and man 5 data-boar (config file format).",
+    "run_cli_oneshot": "One-shot audit (same targets as a dashboard scan):",
+    "run_cli_api": "Start the API / dashBOARd (no scan until you use the browser or HTTP):",
+    "run_cli_tls": "You must either terminate TLS at the process (--https-cert-file + --https-key-file, or the same under api: in config) or explicitly accept plaintext with --allow-insecure-http (or api.allow_insecure_http: true). The official Docker image passes --allow-insecure-http by default; mount certs and remove it for HTTPS.",
+    "run_cli_bind": "Bind order when using --web: --host overrides api.host in config and API_HOST; if none are set, the default is 127.0.0.1 (Docker image often sets API_HOST=0.0.0.0). Port: api.port in config vs --port. Transport: GET /status and GET /health include dashboard_transport — see docs/USAGE.md.",
+    "run_cli_danger": "Dangerous maintenance (lab/demo only): --reset-data wipes SQLite sessions/findings and deletes generated reports under report.output_dir. See SECURITY.md before using in production.",
+    "run_cli_audit": "Audit trail export (CLI only): --export-audit-trail or --export-audit-trail path.json writes a JSON snapshot (wipe log, session summary; future: integrity rows). Does not modify the database. Omit the path or use - for stdout.",
+    "dl_h2": "Downloading reports, heatmaps and logs",
+    "dl_web_h3": "From the web dashboard",
+    "dl_web_li1": "Open Reports from the top menu (or go to /en/reports or /pt-br/reports).",
+    "dl_web_li2": "Click Download on the session row to save the Excel report (the heatmap is generated with the workbook).",
+    "dl_web_shot_alt": "Reports table with Download button on each session row",
+    "dl_web_shot_caption": "Reports — click Download on the row you need (no curl required).",
+    "dl_auto_h3": "For automation / scripting",
+    "dl_auto_p": "Use curl or your HTTP client when you need scripted downloads (CI, cron, integrations):",
+    "dl_li1": "Use the Reports page to see all sessions and click Download to get the Excel report for a specific run.",
+    "dl_li2_intro": "Use the API to script downloads:",
+    "findings_h3": "Findings export (JSON / CSV)",
+    "findings_p": "Download unified findings (same schema as the dashboard) for the latest session or a specific session_id. UTF-8 CSV uses attachment headers on /findings/csv and /findings/<session_id>/csv.",
+    "sql_env_h2": "Database sampling (optional env overrides)",
+    "sql_env_p": "Break-glass knobs without editing YAML: DATA_BOAR_SQL_SAMPLE_LIMIT (integer, clamped 1–10000) replaces file_scan.sample_limit for SQLAlchemy and Snowflake column sampling; DATA_BOAR_SAMPLE_STATEMENT_TIMEOUT_MS overrides the short-read timeout budget on database targets. See docs/USAGE.md (Relational database sampling; SRE sampling knobs).",
+    "cfg_h2": "Configuration examples",
+    "cfg_p1": "The configuration file (YAML or JSON) defines which targets are scanned. Minimal YAML example:",
+    "cfg_tail": "Place this file alongside the application (default name config.yaml) or set the CONFIG_PATH environment variable to point to a different location.",
+    "rate_h2": "Rate limiting & safety",
+    "rate_p1": "To avoid accidental overload (for example, many scans triggered in a row or too many sessions in parallel via the API/dashboard), you can enable a rate_limit block in the main config:",
+    "rate_tail": "When enabled, API endpoints that start scans may return HTTP 429 with a JSON body indicating why the request was rate-limited (too many running scans, or minimum interval not elapsed). The CLI only prints warnings using the same rules. See docs/USAGE.md (EN), docs/USAGE.pt_BR.md (pt-BR) and docs/data_boar.5 for details.",
+    "sense_h2": "Sensitivity detection and reporting",
+    "sense_p1": "The app detects personal and sensitive data using regex, ML (TF-IDF + classifier), and optional DL (sentence embeddings). Out-of-the-box it recognises PII (CPF, email, phone, etc.) and sensitive categories (health, religion, political affiliation, gender, biometric, genetic, race, union, PEP, sex life). You can:",
+    "sense_li1": "Add your own terms via ml_patterns_file or sensitivity_detection.ml_terms in config.",
+    "sense_li2": "Use the example file docs/sensitivity_terms_sensitive_categories.example.yaml and set ml_patterns_file (or dl_patterns_file) to it.",
+    "sense_li3": "Customise the Recommendations sheet with report.recommendation_overrides: map norm_tag patterns (e.g. health, religious, political) to Base legal, Risk, Priority, and “Relevante para”.",
+    "sense_tail": "See docs/SENSITIVITY_DETECTION.md (EN) and docs/SENSITIVITY_DETECTION.pt_BR.md (pt-BR); docs/plans/completed/PLAN_SENSITIVE_CATEGORIES_ML_DL.md for design; docs/USAGE.md (EN) and docs/USAGE.pt_BR.md (pt-BR) for full recommendation_overrides examples.",
+    "sec_h2": "Security headers and hardening",
+    "sec_p1": "The API and dashboard send security headers on every response (Content-Security-Policy, X-Frame-Options, Referrer-Policy, Permissions-Policy, HSTS when HTTPS). For deployment hardening (Docker, Kubernetes, non-root, NetworkPolicy, reverse proxy), see:",
+    "sec_li1": "SECURITY.md – HTTP security headers and optional API key",
+    "sec_li2": "docs/deploy/DEPLOY.md – section \"Security and hardening (optional)\"",
+    "sec_h3": "What to keep an eye out for (technicians)",
+    "sec_t1": "Passwords with special characters: Database and MongoDB passwords containing @, :, / or # are supported; the app encodes them in connection URLs automatically.",
+    "sec_t2": "Protecting the Configuration page: The config file may contain credentials. If the API is exposed to untrusted users or networks, set api.require_api_key: true and use a strong API key so only authenticated requests can access /config.",
+    "sec_t3": "Deployment: Run behind a reverse proxy with TLS when the dashboard or API is exposed to the internet; use the optional API key and rate limiting as an extra layer.",
+    "sec_tail": "For a full list of security fixes, regression tests, and recommendations, see docs/SECURITY.md (EN) and docs/SECURITY.pt_BR.md (pt-BR).",
+    "more_h2": "More documentation",
+    "more_p1": "For full details, including optional connectors (Power BI, Dataverse, REST APIs, shares) and advanced tuning, see:",
+    "more_li1": "README.md and docs/USAGE.md (English) · docs/USAGE.pt_BR.md (Português – Brasil)",
+    "more_li2": "docs/SENSITIVITY_DETECTION.md (EN) · docs/SENSITIVITY_DETECTION.pt_BR.md (pt-BR) – ML/DL terms and config",
+    "more_li3": "docs/plans/completed/PLAN_SENSITIVE_CATEGORIES_ML_DL.md – sensitive categories (health, religion, political, etc.)",
+    "more_tail": "These files live in the project repository and should be kept in sync with the behaviour you see here."
+  },
+  "login": {
+    "page_title": "Sign in — Data Boar",
+    "h1": "Sign in",
+    "disabled": "WebAuthn is not enabled in this deployment. Set api.webauthn.enabled and the token secret environment variable before starting the process.",
+    "help_link": "Help & Docs",
+    "intro": "Use a passkey (WebAuthn) to access the dashboard after the first passkey is registered. If none exist yet, open this page and choose Register passkey.",
+    "button_placeholder": "…",
+    "hint_https": "WebAuthn requires HTTPS or localhost. Match api.webauthn.origin and rp_id to the browser URL."
+  },
+  "js": {
+    "chart_total": "Total findings",
+    "chart_risk": "Risk score (0–100)",
+    "chart_y_total": "Total findings",
+    "chart_y_risk": "Risk score",
+    "status_running": "Running",
+    "status_idle": "Idle",
+    "starting": "Starting…",
+    "started_prefix": "Started:",
+    "err_scan_progress": "Scan already in progress.",
+    "err_scan_progress_guide": "Wait for the current scan to finish, or restart the API if it is stuck.",
+    "err_rate": "Rate limited; try again shortly.",
+    "err_rate_guide": "Wait and try again, or adjust rate_limit.max_concurrent_scans and min_interval_seconds in config.",
+    "err_auth": "Not authorized ({code}).",
+    "err_auth_guide": "Check API key or auth configuration if the API is protected.",
+    "err_network_guide": "Request did not reach the server. Check network, CORS, or ad-blockers; ensure the API is running.",
+    "err_server_guide": "Server error. Check API logs and try again.",
+    "err_what": "What to do:",
+    "err_prefix": "Error:",
+    "retry_after": "Retry after {n} seconds, or adjust rate_limit in config."
+  }
+}