paskia 0.8.1__py3-none-any.whl → 0.9.1__py3-none-any.whl

paskia/fastapi/reset.py

@@ -10,13 +10,11 @@ display name. If multiple users match, they are listed and the command
 aborts. A new one-time reset link is always created.
 """
 
-from __future__ import annotations
-
 import asyncio
 from uuid import UUID
 
 from paskia import authsession as _authsession
-from paskia import db as _db
+from paskia import db
 from paskia.util import hostutil, passphrase
 
 
@@ -26,23 +24,30 @@ async def _resolve_targets(query: str | None):
         targets: list[tuple] = []
         try:
             q_uuid = UUID(query)
-            perm_orgs = _db.get_permission_organizations("auth:admin")
-            for o in perm_orgs:
-                users = _db.get_organization_users(str(o.uuid))
-                for u, role_name in users:
-                    if u.uuid == q_uuid:
-                        return [(u, role_name)]
+            p = next(
+                (p for p in db.data().permissions.values() if p.scope == "auth:admin"),
+                None,
+            )
+            if p:
+                for org_uuid in p.orgs:
+                    users = db.get_organization_users(org_uuid)
+                    for u, role_name in users:
+                        if u.uuid == q_uuid:
+                            return [(u, role_name)]
             # UUID not found among admin orgs -> fall back to substring search (rare case)
         except ValueError:
             pass
         # Substring search
         needle = query.lower()
-        perm_orgs = _db.get_permission_organizations("auth:admin")
-        for o in perm_orgs:
-            users = _db.get_organization_users(str(o.uuid))
-            for u, role_name in users:
-                if needle in (u.display_name or "").lower():
-                    targets.append((u, role_name))
+        p = next(
+            (p for p in db.data().permissions.values() if p.scope == "auth:admin"), None
+        )
+        if p:
+            for org_uuid in p.orgs:
+                users = db.get_organization_users(org_uuid)
+                for u, role_name in users:
+                    if needle in (u.display_name or "").lower():
+                        targets.append((u, role_name))
         # De-duplicate
         seen = set()
         deduped = []
@@ -52,10 +57,13 @@ async def _resolve_targets(query: str | None):
                 deduped.append((u, role_name))
         return deduped
     # No query -> master admin
-    perm_orgs = _db.get_permission_organizations("auth:admin")
-    if not perm_orgs:
+    p = next(
+        (p for p in db.data().permissions.values() if p.scope == "auth:admin"), None
+    )
+    if not p or not p.orgs:
         return []
-    users = _db.get_organization_users(str(perm_orgs[0].uuid))
+    first_org_uuid = next(iter(p.orgs))
+    users = db.get_organization_users(first_org_uuid)
     admin_users = [pair for pair in users if pair[1] == "Administration"]
     return admin_users[:1]
 
@@ -63,7 +71,7 @@ async def _resolve_targets(query: str | None):
 async def _create_reset(user, role_name: str):
     token = passphrase.generate()
     expiry = _authsession.reset_expires()
-    _db.create_reset_token(
+    db.create_reset_token(
         passphrase=token,
         user_uuid=user.uuid,
         expiry=expiry,

paskia/fastapi/response.py

@@ -0,0 +1,22 @@
+"""FastAPI response utilities for msgspec.Struct serialization."""
+
+import msgspec
+from fastapi import Response
+
+
+class MsgspecResponse(Response):
+    """Response that uses msgspec for JSON encoding.
+
+    Use this for returning msgspec.Struct, dict, or list with proper serialization.
+    """
+
+    media_type = "application/json"
+
+    def __init__(
+        self,
+        content: msgspec.Struct | dict | list,
+        status_code: int = 200,
+        headers: dict | None = None,
+    ):
+        body = msgspec.json.encode(content)
+        super().__init__(content=body, status_code=status_code, headers=headers)

paskia/fastapi/session.py

@@ -19,8 +19,8 @@ AUTH_COOKIE = Cookie(None, alias=AUTH_COOKIE_NAME)
 def infodict(request: Request | WebSocket, type: str) -> dict:
     """Extract client information from request."""
     return {
-        "ip": request.client.host if request.client else None,
-        "user_agent": request.headers.get("user-agent", "")[:500] or None,
+        "ip": request.client.host if request.client else "",
+        "user_agent": request.headers.get("user-agent", "")[:500],
         "session_type": type,
     }
 

paskia/fastapi/user.py

@@ -1,4 +1,4 @@
-from datetime import timezone
+from datetime import UTC
 from uuid import UUID
 
 from fastapi import (
@@ -14,13 +14,12 @@ from paskia import db
 from paskia.authsession import (
     delete_credential,
     expires,
-    get_session,
 )
 from paskia.fastapi import authz, session
 from paskia.fastapi.session import AUTH_COOKIE
 from paskia.util import hostutil, passphrase
 
-app = FastAPI()
+app = FastAPI(docs_url=None, redoc_url=None, openapi_url=None)
 
 
 @app.exception_handler(authz.AuthException)
@@ -43,18 +42,18 @@ async def user_update_display_name(
         raise authz.AuthException(
             status_code=401, detail="Authentication Required", mode="login"
         )
-    try:
-        s = await get_session(auth, host=request.headers.get("host"))
-    except ValueError as e:
+    host = request.headers.get("host")
+    ctx = db.data().session_ctx(auth, host)
+    if not ctx:
         raise authz.AuthException(
             status_code=401, detail="Session expired", mode="login"
-        ) from e
+        )
     new_name = (payload.get("display_name") or "").strip()
     if not new_name:
         raise HTTPException(status_code=400, detail="display_name required")
     if len(new_name) > 64:
         raise HTTPException(status_code=400, detail="display_name too long")
-    db.update_user_display_name(s.user_uuid, new_name)
+    db.update_user_display_name(ctx.user.uuid, new_name, ctx=ctx)
     return {"status": "ok"}
 
 
@@ -62,13 +61,13 @@ async def user_update_display_name(
 async def api_logout_all(request: Request, response: Response, auth=AUTH_COOKIE):
     if not auth:
         return {"message": "Already logged out"}
-    try:
-        s = await get_session(auth, host=request.headers.get("host"))
-    except ValueError:
+    host = request.headers.get("host")
+    ctx = db.data().session_ctx(auth, host)
+    if not ctx:
         raise authz.AuthException(
             status_code=401, detail="Session expired", mode="login"
         )
-    db.delete_sessions_for_user(s.user_uuid)
+    db.delete_sessions_for_user(ctx.user.uuid, ctx=ctx)
     session.clear_session_cookie(response)
     return {"message": "Logged out from all hosts"}
 
@@ -84,18 +83,18 @@ async def api_delete_session(
         raise authz.AuthException(
             status_code=401, detail="Authentication Required", mode="login"
         )
-    try:
-        current_session = await get_session(auth, host=request.headers.get("host"))
-    except ValueError as exc:
+    host = request.headers.get("host")
+    ctx = db.data().session_ctx(auth, host)
+    if not ctx:
         raise authz.AuthException(
             status_code=401, detail="Session expired", mode="login"
-        ) from exc
+        )
 
-    target_session = db.get_session(session_id)
-    if not target_session or target_session.user_uuid != current_session.user_uuid:
+    target_session = db.data().sessions.get(session_id)
+    if not target_session or target_session.user_uuid != ctx.user.uuid:
         raise HTTPException(status_code=404, detail="Session not found")
 
-    db.delete_session(session_id)
+    db.delete_session(session_id, ctx=ctx)
     current_terminated = session_id == auth
     if current_terminated:
         session.clear_session_cookie(response)  # explicit because 200
@@ -112,7 +111,7 @@ async def api_delete_credential(
     # Require recent authentication for sensitive operation
     await authz.verify(auth, [], host=request.headers.get("host"), max_age="5m")
     try:
-        await delete_credential(uuid, auth, host=request.headers.get("host"))
+        delete_credential(uuid, auth, host=request.headers.get("host"))
     except ValueError as e:
         raise authz.AuthException(
             status_code=401, detail="Session expired", mode="login"
@@ -127,28 +126,23 @@ async def api_create_link(
     auth=AUTH_COOKIE,
 ):
     # Require recent authentication for sensitive operation
-    await authz.verify(auth, [], host=request.headers.get("host"), max_age="5m")
-    try:
-        s = await get_session(auth, host=request.headers.get("host"))
-    except ValueError as e:
-        raise authz.AuthException(
-            status_code=401, detail="Session expired", mode="login"
-        ) from e
+    ctx = await authz.verify(auth, [], host=request.headers.get("host"), max_age="5m")
     token = passphrase.generate()
     expiry = expires()
     db.create_reset_token(
-        user_uuid=s.user_uuid,
+        user_uuid=ctx.user.uuid,
         passphrase=token,
         expiry=expiry,
         token_type="device addition",
+        ctx=ctx,
     )
     url = hostutil.reset_link_url(token)
     return {
         "message": "Registration link generated successfully",
         "url": url,
         "expires": (
-            expiry.astimezone(timezone.utc).isoformat().replace("+00:00", "Z")
+            expiry.astimezone(UTC).isoformat().replace("+00:00", "Z")
             if expiry.tzinfo
-            else expiry.replace(tzinfo=timezone.utc).isoformat().replace("+00:00", "Z")
+            else expiry.replace(tzinfo=UTC).isoformat().replace("+00:00", "Z")
         ),
     }

paskia/fastapi/ws.py

@@ -1,40 +1,21 @@
-from uuid import UUID
-
 from fastapi import FastAPI, WebSocket
 
 from paskia import db
-from paskia.authsession import expires, get_reset, get_session
+from paskia.authsession import expires, get_reset
 from paskia.fastapi import authz, remote
 from paskia.fastapi.session import AUTH_COOKIE, infodict
+from paskia.fastapi.wschat import authenticate_chat, register_chat
 from paskia.fastapi.wsutil import validate_origin, websocket_error_handler
 from paskia.globals import passkey
 from paskia.util import hostutil, passphrase
 
 # Create a FastAPI subapp for WebSocket endpoints
-app = FastAPI()
+app = FastAPI(docs_url=None, redoc_url=None, openapi_url=None)
 
 # Mount the remote auth WebSocket endpoints
 app.mount("/remote-auth", remote.app)
 
 
-async def register_chat(
-    ws: WebSocket,
-    user_uuid: UUID,
-    user_name: str,
-    origin: str,
-    credential_ids: list[bytes] | None = None,
-):
-    """Generate registration options and send them to the client."""
-    options, challenge = passkey.instance.reg_generate_options(
-        user_id=user_uuid,
-        user_name=user_name,
-        credential_ids=credential_ids,
-    )
-    await ws.send_json({"optionsJSON": options})
-    response = await ws.receive_json()
-    return passkey.instance.reg_verify(response, challenge, user_uuid, origin=origin)
-
-
 @app.websocket("/register")
 @websocket_error_handler
 async def websocket_register_add(
@@ -56,7 +37,7 @@ async def websocket_register_add(
             raise ValueError(
                 f"The reset link for {passkey.instance.rp_name} is invalid or has expired"
             )
-        s = await get_reset(reset)
+        s = get_reset(reset)
         user_uuid = s.user_uuid
     else:
         # Require recent authentication for adding a new passkey
@@ -65,16 +46,16 @@ async def websocket_register_add(
         s = ctx.session
 
     # Get user information and determine effective user_name for this registration
-    user = db.get_user_by_uuid(user_uuid)
+    user = db.data().users.get(user_uuid)
     user_name = user.display_name
     if name is not None:
         stripped = name.strip()
         if stripped:
             user_name = stripped
-    challenge_ids = db.get_credentials_by_user_uuid(user_uuid)
+    credential_ids = db.get_user_credential_ids(user_uuid) or None
 
     # WebAuthn registration
-    credential = await register_chat(ws, user_uuid, user_name, origin, challenge_ids)
+    credential = await register_chat(ws, user_uuid, user_name, origin, credential_ids)
 
     # Create a new session and store everything in database
     metadata = infodict(ws, "authenticated")
@@ -84,16 +65,16 @@ async def websocket_register_add(
         reset_key=(s.key if reset is not None else None),
         display_name=user_name,
         host=host,
-        ip=metadata.get("ip"),
-        user_agent=metadata.get("user_agent"),
+        ip=metadata["ip"],
+        user_agent=metadata["user_agent"],
     )
     auth = token
 
     assert isinstance(auth, str) and len(auth) == 16
     await ws.send_json(
         {
-            "user_uuid": str(user.uuid),
-            "credential_uuid": str(credential.uuid),
+            "user": str(user.uuid),
+            "credential": str(credential.uuid),
             "session_token": auth,
             "message": "New credential added successfully",
         }
@@ -110,36 +91,19 @@ async def websocket_authenticate(ws: WebSocket, auth=AUTH_COOKIE):
     session_user_uuid = None
     credential_ids = None
     if auth:
-        try:
-            session = await get_session(auth, host=host)
-            session_user_uuid = session.user_uuid
-            credential_ids = db.get_credentials_by_user_uuid(session_user_uuid)
-        except ValueError:
-            pass  # Invalid/expired session - allow normal authentication
-
-    options, challenge = passkey.instance.auth_generate_options(
-        credential_ids=credential_ids
-    )
-    await ws.send_json({"optionsJSON": options})
-    # Wait for the client to use his authenticator to authenticate
-    credential = passkey.instance.auth_parse(await ws.receive_json())
-    # Fetch from the database by credential ID
-    try:
-        stored_cred = db.get_credential_by_id(credential.raw_id)
-    except ValueError:
-        raise ValueError(
-            f"This passkey is no longer registered with {passkey.instance.rp_name}"
-        )
+        ctx = db.data().session_ctx(auth, host)
+        if ctx:
+            session_user_uuid = ctx.user.uuid
+            credential_ids = db.get_user_credential_ids(session_user_uuid) or None
+
+    cred, new_sign_count = await authenticate_chat(ws, origin, credential_ids)
 
     # If reauth mode, verify the credential belongs to the session's user
-    if session_user_uuid and stored_cred.user_uuid != session_user_uuid:
+    if session_user_uuid and cred.user_uuid != session_user_uuid:
         raise ValueError("This passkey belongs to a different account")
 
-    # Verify the credential matches the stored data
-    passkey.instance.auth_verify(credential, challenge, stored_cred, origin)
-
     # Create session and update user/credential in a single transaction
-    assert stored_cred.uuid is not None
+    assert cred.uuid is not None
     metadata = infodict(ws, "auth")
     normalized_host = hostutil.normalize_host(host)
     if not normalized_host:
@@ -150,17 +114,18 @@ async def websocket_authenticate(ws: WebSocket, auth=AUTH_COOKIE):
         raise ValueError(f"Host must be the same as or a subdomain of {rp_id}")
 
     token = db.login(
-        user_uuid=stored_cred.user_uuid,
-        credential=stored_cred,
+        user_uuid=cred.user_uuid,
+        credential_uuid=cred.uuid,
+        sign_count=new_sign_count,
         host=normalized_host,
-        ip=metadata.get("ip") or "",
-        user_agent=metadata.get("user_agent") or "",
+        ip=metadata["ip"],
+        user_agent=metadata["user_agent"],
         expiry=expires(),
     )
 
     await ws.send_json(
         {
-            "user_uuid": str(stored_cred.user_uuid),
+            "user": str(cred.user_uuid),
             "session_token": token,
         }
     )

paskia/fastapi/wschat.py

@@ -0,0 +1,62 @@
+"""
+WebSocket chat functions for WebAuthn registration and authentication flows.
+"""
+
+from uuid import UUID
+
+from fastapi import WebSocket
+
+from paskia import db
+from paskia.db import Credential
+from paskia.globals import passkey
+
+
+async def register_chat(
+    ws: WebSocket,
+    user_uuid: UUID,
+    user_name: str,
+    origin: str,
+    credential_ids: list[bytes] | None = None,
+):
+    """Run WebAuthn registration flow and return the verified credential."""
+    options, challenge = passkey.instance.reg_generate_options(
+        user_id=user_uuid,
+        user_name=user_name,
+        credential_ids=credential_ids,
+    )
+    await ws.send_json({"optionsJSON": options})
+    response = await ws.receive_json()
+    return passkey.instance.reg_verify(response, challenge, user_uuid, origin=origin)
+
+
+async def authenticate_chat(
+    ws: WebSocket,
+    origin: str,
+    credential_ids: list[bytes] | None = None,
+) -> tuple[Credential, int]:
+    """Run WebAuthn authentication flow and return the credential and new sign count.
+
+    Returns:
+        tuple of (credential, new_sign_count) where new_sign_count comes from WebAuthn verification
+    """
+    options, challenge = passkey.instance.auth_generate_options(
+        credential_ids=credential_ids
+    )
+    await ws.send_json({"optionsJSON": options})
+    authcred = passkey.instance.auth_parse(await ws.receive_json())
+
+    cred = next(
+        (
+            c
+            for c in db.data().credentials.values()
+            if c.credential_id == authcred.raw_id
+        ),
+        None,
+    )
+    if not cred:
+        raise ValueError(
+            f"This passkey is no longer registered with {passkey.instance.rp_name}"
+        )
+
+    verification = passkey.instance.auth_verify(authcred, challenge, cred, origin)
+    return cred, verification.new_sign_count

paskia/fastapi/wsutil.py

@@ -3,6 +3,7 @@ Shared WebSocket utilities for FastAPI endpoints.
 """
 
 import logging
+import time
 from functools import wraps
 
 import base64url
@@ -10,6 +11,7 @@ from fastapi import WebSocket, WebSocketDisconnect
 from webauthn.helpers.exceptions import InvalidAuthenticationResponse
 
 from paskia.fastapi import authz
+from paskia.fastapi.logging import log_ws_close, log_ws_open
 from paskia.globals import passkey
 from paskia.util import pow
 
@@ -19,11 +21,19 @@ def websocket_error_handler(func):
 
     @wraps(func)
     async def wrapper(ws: WebSocket, *args, **kwargs):
+        client = ws.client.host if ws.client else "-"
+        host = ws.headers.get("host", "-")
+        path = ws.url.path
+
+        start = time.perf_counter()
+        ws_id = log_ws_open(client, host, path)
+        close_code = None
+
         try:
             await ws.accept()
             return await func(ws, *args, **kwargs)
-        except WebSocketDisconnect:
-            pass
+        except WebSocketDisconnect as e:
+            close_code = e.code
         except authz.AuthException as e:
             await ws.send_json(
                 {
@@ -36,6 +46,9 @@ def websocket_error_handler(func):
         except Exception:
             logging.exception("Internal Server Error")
             await ws.send_json({"status": 500, "detail": "Internal Server Error"})
+        finally:
+            duration_ms = (time.perf_counter() - start) * 1000
+            log_ws_close(client, ws_id, close_code, duration_ms)
 
     return wrapper
 

paskia/frontend-build/auth/admin/index.html

@@ -4,13 +4,13 @@
     <meta charset="UTF-8" />
     <meta name="viewport" content="width=device-width, initial-scale=1.0" />
   <title>Admin</title>
-    <script type="module" crossorigin src="/auth/assets/admin-tVs8oyLv.js"></script>
-    <link rel="modulepreload" crossorigin href="/auth/assets/_plugin-vue_export-helper-rKFEraYH.js">
+    <script type="module" crossorigin src="/auth/assets/admin-CPE1pLMm.js"></script>
+    <link rel="modulepreload" crossorigin href="/auth/assets/_plugin-vue_export-helper-nhjnO_bd.js">
     <link rel="modulepreload" crossorigin href="/auth/assets/helpers-DzjFIx78.js">
-    <link rel="modulepreload" crossorigin href="/auth/assets/AccessDenied-aTdCvz9k.js">
+    <link rel="modulepreload" crossorigin href="/auth/assets/AccessDenied-Fmeb6EtF.js">
     <link rel="stylesheet" crossorigin href="/auth/assets/_plugin-vue_export-helper-BTzJAQlS.css">
-    <link rel="stylesheet" crossorigin href="/auth/assets/AccessDenied-Bc249ASC.css">
-    <link rel="stylesheet" crossorigin href="/auth/assets/admin-BeNu48FR.css">
+    <link rel="stylesheet" crossorigin href="/auth/assets/AccessDenied-DPkUS8LZ.css">
+    <link rel="stylesheet" crossorigin href="/auth/assets/admin-DzzjSg72.css">
   </head>
   <body>
     <div id="admin-app"></div>

paskia/frontend-build/auth/assets/{AccessDenied-Bc249ASC.css → AccessDenied-DPkUS8LZ.css}

@@ -1 +1 @@
-.breadcrumbs[data-v-6344dbb8]{margin:.25rem 0 .5rem;line-height:1.2;color:var(--color-text-muted)}.breadcrumbs ol[data-v-6344dbb8]{list-style:none;padding:0;margin:0;display:flex;flex-wrap:wrap;align-items:center;gap:.25rem}.breadcrumbs li[data-v-6344dbb8]{display:inline-flex;align-items:center;gap:.25rem;font-size:.9rem}.breadcrumbs a[data-v-6344dbb8]{text-decoration:none;color:var(--color-link);padding:0 .25rem;border-radius:4px;transition:color .2s ease,background .2s ease}.breadcrumbs .sep[data-v-6344dbb8]{color:var(--color-text-muted);margin:0}.btn-card-delete{display:none}.credential-item:focus .btn-card-delete{display:block}.user-info.has-extra[data-v-ce373d6c]{grid-template-columns:auto 1fr 2fr;grid-template-areas:"heading heading extra" "org org extra" "label1 value1 extra" "label2 value2 extra" "label3 value3 extra"}.user-info[data-v-ce373d6c]:not(.has-extra){grid-template-columns:auto 1fr;grid-template-areas:"heading heading" "org org" "label1 value1" "label2 value2" "label3 value3"}@media(max-width:720px){.user-info.has-extra[data-v-ce373d6c]{grid-template-columns:auto 1fr;grid-template-areas:"heading heading" "org org" "label1 value1" "label2 value2" "label3 value3" "extra extra"}}.user-name-heading[data-v-ce373d6c]{grid-area:heading;display:flex;align-items:center;flex-wrap:wrap;margin:0 0 .25rem}.org-role-sub[data-v-ce373d6c]{grid-area:org;display:flex;flex-direction:column;margin:-.15rem 0 .25rem}.org-line[data-v-ce373d6c]{font-size:.7rem;font-weight:600;line-height:1.1;color:var(--color-text-muted);text-transform:uppercase;letter-spacing:.05em}.role-line[data-v-ce373d6c]{font-size:.65rem;color:var(--color-text-muted);line-height:1.1}.info-label[data-v-ce373d6c]:nth-of-type(1){grid-area:label1}.info-value[data-v-ce373d6c]:nth-of-type(2){grid-area:value1}.info-label[data-v-ce373d6c]:nth-of-type(3){grid-area:label2}.info-value[data-v-ce373d6c]:nth-of-type(4){grid-area:value2}.info-label[data-v-ce373d6c]:nth-of-type(5){grid-area:label3}.info-value[data-v-ce373d6c]:nth-of-type(6){grid-area:value3}.user-info-extra[data-v-ce373d6c]{grid-area:extra;padding-left:2rem;border-left:1px solid var(--color-border)}.user-name-row[data-v-ce373d6c]{display:inline-flex;align-items:center;gap:.35rem;max-width:100%}.user-name-row.editing[data-v-ce373d6c]{flex:1 1 auto}.display-name[data-v-ce373d6c]{font-weight:600;font-size:1.05em;line-height:1.2;max-width:14ch;overflow:hidden;text-overflow:ellipsis;white-space:nowrap}.name-input[data-v-ce373d6c]{width:auto;flex:1 1 140px;min-width:120px;padding:6px 8px;font-size:.9em;border:1px solid var(--color-border-strong);border-radius:6px;background:var(--color-surface);color:var(--color-text)}.user-name-heading .name-input[data-v-ce373d6c]{width:auto}.name-input[data-v-ce373d6c]:focus{outline:none;border-color:var(--color-accent);box-shadow:var(--focus-ring)}.mini-btn[data-v-ce373d6c]{width:auto;padding:4px 6px;margin:0;font-size:.75em;line-height:1;cursor:pointer}.mini-btn[data-v-ce373d6c]:hover:not(:disabled){background:var(--color-accent-soft);color:var(--color-accent)}.mini-btn[data-v-ce373d6c]:active:not(:disabled){transform:translateY(1px)}.mini-btn[data-v-ce373d6c]:disabled{opacity:.5;cursor:not-allowed}@media(max-width:720px){.user-info-extra[data-v-ce373d6c]{padding-left:0;padding-top:1rem;margin-top:1rem;border-left:none;border-top:1px solid var(--color-border)}}dialog[data-v-2ebcbb0a]{background:var(--color-surface);border:1px solid var(--color-border);border-radius:var(--radius-lg);box-shadow:var(--shadow-xl);padding:calc(var(--space-lg) - var(--space-xs));max-width:500px;width:min(500px,90vw);max-height:90vh;overflow-y:auto;position:fixed;inset:0;margin:auto;height:fit-content}dialog[data-v-2ebcbb0a]::backdrop{background:transparent;backdrop-filter:blur(.1rem) brightness(.7);-webkit-backdrop-filter:blur(.1rem) brightness(.7)}dialog[data-v-2ebcbb0a] .modal-title,dialog[data-v-2ebcbb0a] h3{margin:0 0 var(--space-md);font-size:1.25rem;font-weight:600;color:var(--color-heading)}dialog[data-v-2ebcbb0a] form{display:flex;flex-direction:column;gap:var(--space-md)}dialog[data-v-2ebcbb0a] .modal-form{display:flex;flex-direction:column;gap:var(--space-md)}dialog[data-v-2ebcbb0a] .modal-form label{display:flex;flex-direction:column;gap:var(--space-xs);font-weight:500}dialog[data-v-2ebcbb0a] .modal-form input,dialog[data-v-2ebcbb0a] .modal-form textarea{padding:var(--space-md);border:1px solid var(--color-border);border-radius:var(--radius-sm);background:var(--color-bg);color:var(--color-text);font-size:1rem;line-height:1.4;min-height:2.5rem}dialog[data-v-2ebcbb0a] .modal-form input:focus,dialog[data-v-2ebcbb0a] .modal-form textarea:focus{outline:none;border-color:var(--color-accent);box-shadow:0 0 0 2px #c7d2fe}dialog[data-v-2ebcbb0a] .modal-actions{display:flex;justify-content:flex-end;gap:var(--space-sm);margin-top:var(--space-md);margin-bottom:var(--space-xs)}.name-edit-form[data-v-b73321cf]{display:flex;flex-direction:column;gap:var(--space-md)}.error[data-v-b73321cf]{color:var(--color-danger-text)}.small[data-v-b73321cf]{font-size:.9rem}.qr-display[data-v-727427c4]{display:flex;flex-direction:column;align-items:center;gap:.75rem}.qr-section[data-v-727427c4]{display:flex;flex-direction:column;align-items:center;gap:.5rem}.qr-link[data-v-727427c4]{display:flex;flex-direction:column;align-items:center;text-decoration:none;color:inherit;border-radius:var(--radius-sm, 6px);overflow:hidden}.qr-code[data-v-727427c4]{display:block;width:200px;height:200px;max-width:100%;object-fit:contain;border-radius:var(--radius-sm, 6px);background:#fff;cursor:pointer}.link-text[data-v-727427c4]{padding:.5rem;font-size:.75rem;color:var(--color-text-muted);font-family:monospace;word-break:break-all;line-height:1.2;transition:color .2s ease}.qr-link:hover .link-text[data-v-727427c4]{color:var(--color-text)}dialog[data-v-e04dd463]{border:none;background:transparent;padding:0;max-width:none;width:fit-content;height:fit-content;position:fixed;inset:0;margin:auto}dialog[data-v-e04dd463]::backdrop{-webkit-backdrop-filter:blur(.2rem) brightness(.5);backdrop-filter:blur(.2rem) brightness(.5)}.icon-btn[data-v-e04dd463]{background:none;border:none;cursor:pointer;font-size:1rem;opacity:.6}.icon-btn[data-v-e04dd463]:hover{opacity:1}.reg-header-row[data-v-e04dd463]{display:flex;justify-content:space-between;align-items:center;gap:.75rem;margin-bottom:.75rem}.reg-title[data-v-e04dd463]{margin:0;font-size:1.25rem;font-weight:600}.device-dialog[data-v-e04dd463]{background:var(--color-surface);padding:1.25rem 1.25rem 1rem;border-radius:var(--radius-md);max-width:480px;width:100%;box-shadow:0 6px 28px #00000040}.reg-help[data-v-e04dd463]{margin:.5rem 0 .75rem;font-size:.85rem;line-height:1.4;text-align:center;color:var(--color-text-muted)}.reg-actions[data-v-e04dd463]{display:flex;justify-content:flex-end;gap:.5rem;margin-top:1rem}.expiry-note[data-v-e04dd463]{font-size:.75rem;color:var(--color-text-muted);text-align:center;margin-top:.75rem}.loading-container[data-v-130f5abf]{display:flex;flex-direction:column;align-items:center;justify-content:center;height:100vh;gap:1rem}.loading-spinner[data-v-130f5abf]{width:40px;height:40px;border:4px solid var(--color-border);border-top:4px solid var(--color-primary);border-radius:50%;animation:spin-130f5abf 1s linear infinite}@keyframes spin-130f5abf{0%{transform:rotate(0)}to{transform:rotate(360deg)}}.loading-container p[data-v-130f5abf]{color:var(--color-text-muted);margin:0}.message-container[data-v-744305d5]{display:flex;flex-direction:column;align-items:center;justify-content:center;height:100vh;padding:2rem}.message-content[data-v-744305d5]{text-align:center;max-width:480px}.message-content h2[data-v-744305d5]{margin:0 0 1.5rem;color:var(--color-heading)}.message-content .button-row[data-v-744305d5]{display:flex;gap:.75rem;justify-content:center}
+.breadcrumbs[data-v-6344dbb8]{margin:.25rem 0 .5rem;line-height:1.2;color:var(--color-text-muted)}.breadcrumbs ol[data-v-6344dbb8]{list-style:none;padding:0;margin:0;display:flex;flex-wrap:wrap;align-items:center;gap:.25rem}.breadcrumbs li[data-v-6344dbb8]{display:inline-flex;align-items:center;gap:.25rem;font-size:.9rem}.breadcrumbs a[data-v-6344dbb8]{text-decoration:none;color:var(--color-link);padding:0 .25rem;border-radius:4px;transition:color .2s ease,background .2s ease}.breadcrumbs .sep[data-v-6344dbb8]{color:var(--color-text-muted);margin:0}.btn-card-delete{display:none}.credential-item:focus .btn-card-delete{display:block}.user-info.has-extra[data-v-ce373d6c]{grid-template-columns:auto 1fr 2fr;grid-template-areas:"heading heading extra" "org org extra" "label1 value1 extra" "label2 value2 extra" "label3 value3 extra"}.user-info[data-v-ce373d6c]:not(.has-extra){grid-template-columns:auto 1fr;grid-template-areas:"heading heading" "org org" "label1 value1" "label2 value2" "label3 value3"}@media(max-width:720px){.user-info.has-extra[data-v-ce373d6c]{grid-template-columns:auto 1fr;grid-template-areas:"heading heading" "org org" "label1 value1" "label2 value2" "label3 value3" "extra extra"}}.user-name-heading[data-v-ce373d6c]{grid-area:heading;display:flex;align-items:center;flex-wrap:wrap;margin:0 0 .25rem}.org-role-sub[data-v-ce373d6c]{grid-area:org;display:flex;flex-direction:column;margin:-.15rem 0 .25rem}.org-line[data-v-ce373d6c]{font-size:.7rem;font-weight:600;line-height:1.1;color:var(--color-text-muted);text-transform:uppercase;letter-spacing:.05em}.role-line[data-v-ce373d6c]{font-size:.65rem;color:var(--color-text-muted);line-height:1.1}.info-label[data-v-ce373d6c]:nth-of-type(1){grid-area:label1}.info-value[data-v-ce373d6c]:nth-of-type(2){grid-area:value1}.info-label[data-v-ce373d6c]:nth-of-type(3){grid-area:label2}.info-value[data-v-ce373d6c]:nth-of-type(4){grid-area:value2}.info-label[data-v-ce373d6c]:nth-of-type(5){grid-area:label3}.info-value[data-v-ce373d6c]:nth-of-type(6){grid-area:value3}.user-info-extra[data-v-ce373d6c]{grid-area:extra;padding-left:2rem;border-left:1px solid var(--color-border)}.user-name-row[data-v-ce373d6c]{display:inline-flex;align-items:center;gap:.35rem;max-width:100%}.user-name-row.editing[data-v-ce373d6c]{flex:1 1 auto}.display-name[data-v-ce373d6c]{font-weight:600;font-size:1.05em;line-height:1.2;max-width:14ch;overflow:hidden;text-overflow:ellipsis;white-space:nowrap}.name-input[data-v-ce373d6c]{width:auto;flex:1 1 140px;min-width:120px;padding:6px 8px;font-size:.9em;border:1px solid var(--color-border-strong);border-radius:6px;background:var(--color-surface);color:var(--color-text)}.user-name-heading .name-input[data-v-ce373d6c]{width:auto}.name-input[data-v-ce373d6c]:focus{outline:none;border-color:var(--color-accent);box-shadow:var(--focus-ring)}.mini-btn[data-v-ce373d6c]{width:auto;padding:4px 6px;margin:0;font-size:.75em;line-height:1;cursor:pointer}.mini-btn[data-v-ce373d6c]:hover:not(:disabled){background:var(--color-accent-soft);color:var(--color-accent)}.mini-btn[data-v-ce373d6c]:active:not(:disabled){transform:translateY(1px)}.mini-btn[data-v-ce373d6c]:disabled{opacity:.5;cursor:not-allowed}@media(max-width:720px){.user-info-extra[data-v-ce373d6c]{padding-left:0;padding-top:1rem;margin-top:1rem;border-left:none;border-top:1px solid var(--color-border)}}dialog[data-v-2ebcbb0a]{background:var(--color-surface);border:1px solid var(--color-border);border-radius:var(--radius-lg);box-shadow:var(--shadow-xl);padding:calc(var(--space-lg) - var(--space-xs));max-width:500px;width:min(500px,90vw);max-height:90vh;overflow-y:auto;position:fixed;inset:0;margin:auto;height:fit-content}dialog[data-v-2ebcbb0a]::backdrop{background:transparent;backdrop-filter:blur(.1rem) brightness(.7);-webkit-backdrop-filter:blur(.1rem) brightness(.7)}dialog[data-v-2ebcbb0a] .modal-title,dialog[data-v-2ebcbb0a] h3{margin:0 0 var(--space-md);font-size:1.25rem;font-weight:600;color:var(--color-heading)}dialog[data-v-2ebcbb0a] form{display:flex;flex-direction:column;gap:var(--space-md)}dialog[data-v-2ebcbb0a] .modal-form{display:flex;flex-direction:column;gap:var(--space-md)}dialog[data-v-2ebcbb0a] .modal-form label{display:flex;flex-direction:column;gap:var(--space-xs);font-weight:500}dialog[data-v-2ebcbb0a] .modal-form input,dialog[data-v-2ebcbb0a] .modal-form textarea{padding:var(--space-md);border:1px solid var(--color-border);border-radius:var(--radius-sm);background:var(--color-bg);color:var(--color-text);font-size:1rem;line-height:1.4;min-height:2.5rem}dialog[data-v-2ebcbb0a] .modal-form input:focus,dialog[data-v-2ebcbb0a] .modal-form textarea:focus{outline:none;border-color:var(--color-accent);box-shadow:0 0 0 2px #c7d2fe}dialog[data-v-2ebcbb0a] .modal-actions{display:flex;justify-content:flex-end;gap:var(--space-sm);margin-top:var(--space-md);margin-bottom:var(--space-xs)}.name-edit-form[data-v-b73321cf]{display:flex;flex-direction:column;gap:var(--space-md)}.error[data-v-b73321cf]{color:var(--color-danger-text)}.small[data-v-b73321cf]{font-size:.9rem}.qr-display[data-v-727427c4]{display:flex;flex-direction:column;align-items:center;gap:.75rem}.qr-section[data-v-727427c4]{display:flex;flex-direction:column;align-items:center;gap:.5rem}.qr-link[data-v-727427c4]{display:flex;flex-direction:column;align-items:center;text-decoration:none;color:inherit;border-radius:var(--radius-sm, 6px);overflow:hidden}.qr-code[data-v-727427c4]{display:block;width:200px;height:200px;max-width:100%;object-fit:contain;border-radius:var(--radius-sm, 6px);background:#fff;cursor:pointer}.link-text[data-v-727427c4]{padding:.5rem;font-size:.75rem;color:var(--color-text-muted);font-family:monospace;word-break:break-all;line-height:1.2;transition:color .2s ease}.qr-link:hover .link-text[data-v-727427c4]{color:var(--color-text)}dialog[data-v-e04dd463]{border:none;background:transparent;padding:0;max-width:none;width:fit-content;height:fit-content;position:fixed;inset:0;margin:auto}dialog[data-v-e04dd463]::backdrop{-webkit-backdrop-filter:blur(.2rem) brightness(.5);backdrop-filter:blur(.2rem) brightness(.5)}.icon-btn[data-v-e04dd463]{background:none;border:none;cursor:pointer;font-size:1rem;opacity:.6}.icon-btn[data-v-e04dd463]:hover{opacity:1}.reg-header-row[data-v-e04dd463]{display:flex;justify-content:space-between;align-items:center;gap:.75rem;margin-bottom:.75rem}.reg-title[data-v-e04dd463]{margin:0;font-size:1.25rem;font-weight:600}.device-dialog[data-v-e04dd463]{background:var(--color-surface);padding:1.25rem 1.25rem 1rem;border-radius:var(--radius-md);max-width:480px;width:100%;box-shadow:0 6px 28px #00000040}.reg-help[data-v-e04dd463]{margin:.5rem 0 .75rem;font-size:.85rem;line-height:1.4;text-align:center;color:var(--color-text-muted)}.reg-actions[data-v-e04dd463]{display:flex;justify-content:flex-end;gap:.5rem;margin-top:1rem}.expiry-note[data-v-e04dd463]{font-size:.75rem;color:var(--color-text-muted);text-align:center;margin-top:.75rem}.loading-container[data-v-130f5abf]{display:flex;flex-direction:column;align-items:center;justify-content:center;height:100vh;gap:1rem}.loading-spinner[data-v-130f5abf]{width:40px;height:40px;border:4px solid var(--color-border);border-top:4px solid var(--color-primary);border-radius:50%;animation:spin-130f5abf 1s linear infinite}@keyframes spin-130f5abf{0%{transform:rotate(0)}to{transform:rotate(360deg)}}.loading-container p[data-v-130f5abf]{color:var(--color-text-muted);margin:0}.message-container[data-v-a7b258e7]{display:flex;flex-direction:column;align-items:center;justify-content:center;height:100vh;padding:2rem}.message-content[data-v-a7b258e7]{text-align:center;max-width:480px}.message-content h2[data-v-a7b258e7]{margin:0 0 1rem;color:var(--color-heading)}.message-content .error-detail[data-v-a7b258e7]{margin:0 0 1.5rem;color:var(--color-text-muted)}.message-content .button-row[data-v-a7b258e7]{display:flex;gap:.75rem;justify-content:center}