+
- """
- script = ""
- if callback_url:
- script = """
- """
- return f"""
-
-
-
-
-
Authsome - {html.escape(display_name)}
-
-
-
-
- {html.escape(display_name)}
- {docs}
- {callback_hint}
- {warning}
-
- {script}
-
-"""
-
def _field_row(field: dict[str, Any]) -> str:
name = html.escape(str(field["name"]))
@@ -361,11 +464,14 @@ def _field_row(field: dict[str, Any]) -> str:
value = html.escape(str(field.get("default") or ""))
required = " required" if field.get("default") is None else ""
pattern = f' pattern="{html.escape(str(field["pattern"]))}"' if field.get("pattern") else ""
- hint = f"
{html.escape(str(field['pattern_hint']))} " if field.get("pattern_hint") else ""
+ hint = ""
+ if field.get("pattern_hint"):
+ hint = f"
{html.escape(str(field['pattern_hint']))} "
return (
f'
'
f'{label} '
- f'
"
)
@@ -376,85 +482,54 @@ def device_code_page(
verification_uri: str,
verification_uri_complete: str | None,
) -> str:
- """Generate a device code verification page with a premium theme."""
+ """Generate a device code verification page."""
link = verification_uri_complete or verification_uri
return f"""
-
+
-
Authsome - Device Login
+
Authsome — Device login
{DEVICE_BRIDGE_STYLE}
-
Authsome
+
Authsome.
{html.escape(display_name)}
-
Enter the following code on your device to complete the login.
-
+
Enter this code on the login page to complete authentication.
+
- Copy
-
-
Open Login Page
-
-
- After completing the login on your device, return to your terminal.
-
+
+
+ Open login page ↗
+
+
+
After completing login in your browser, return to your terminal.
diff --git a/src/authsome/server/web_pages/web_theme.py b/src/authsome/server/web_pages/web_theme.py
index b0567cfd..6cbea41a 100644
--- a/src/authsome/server/web_pages/web_theme.py
+++ b/src/authsome/server/web_pages/web_theme.py
@@ -1,203 +1,291 @@
-"""Web UI themes and styles for Authsome local server."""
+"""Web UI themes and styles for Authsome local server.
+
+Design system: Authsome Secure Console (see src/authsome/ui/DESIGN.md).
+Palette: Deep Emerald (#10B981) + Obsidian (#09090B), dark-first.
+Fonts: Hanken Grotesk (UI) + JetBrains Mono (data/code).
+"""
from __future__ import annotations
-DARK_THEME_CSS = """
-:root {
- color-scheme: dark;
- --bg: #000000;
- --panel: #0a0a0a;
- --text: #ededed;
- --muted: #a1a1aa;
- --line: #27272a;
- --accent: #83ca16;
- --focus: var(--accent);
- --primary: #ededed;
- --primary-text: #000000;
-}
-* { box-sizing: border-box; }
-body {
- margin: 0;
- min-height: 100vh;
- background: var(--bg);
- color: var(--text);
- font-family: ui-sans-serif, system-ui, -apple-system, BlinkMacSystemFont, "Segoe UI", sans-serif;
- -webkit-font-smoothing: antialiased;
- display: flex;
- align-items: center;
- justify-content: center;
- padding: 20px;
-}
-main {
- width: 100%;
- max-width: 440px;
- background: var(--panel);
- border: 1px solid var(--line);
- border-radius: 8px;
- padding: 32px;
-}
-h1 {
- margin: 0 0 4px;
- font-size: 20px;
- font-weight: 500;
- letter-spacing: -0.02em;
-}
-p {
- margin: 0 0 24px;
- color: var(--muted);
- font-size: 14px;
-}
-a {
- color: var(--text);
- text-decoration: none;
-}
-a:hover { color: var(--accent); }
-form { margin-top: 16px; }
-.field-group { margin-bottom: 16px; }
-label {
- display: block;
- font-size: 13px;
- font-weight: 500;
- margin-bottom: 6px;
- color: var(--text);
-}
-input {
- width: 100%;
- background: var(--bg);
- border: 1px solid var(--line);
- border-radius: 6px;
- color: var(--text);
- font-family: inherit;
- font-size: 14px;
- padding: 10px 12px;
- transition: border-color 0.15s;
-}
-input:focus {
- outline: none;
- border-color: var(--focus);
-}
-small {
- display: block;
- margin-top: 6px;
- color: var(--muted);
- font-size: 12px;
-}
-button {
- width: 100%;
- background: var(--primary);
- color: var(--primary-text);
- border: none;
- border-radius: 6px;
- padding: 10px 12px;
- font-size: 14px;
- font-weight: 500;
- cursor: pointer;
- margin-top: 12px;
- transition: opacity 0.15s;
-}
-button:hover { opacity: 0.9; }
-details {
- margin: 24px 0;
-}
-summary {
- font-size: 13px;
- font-weight: 500;
- color: var(--muted);
- cursor: pointer;
- user-select: none;
- transition: color 0.15s;
-}
-summary:hover {
- color: var(--accent);
-}
-details[open] summary { margin-bottom: 16px; }
+_FONT_IMPORT = """
+ @import url('https://fonts.googleapis.com/css2?family=Hanken+Grotesk:wght@400;500;600&family=JetBrains+Mono:wght@400;500;700&display=swap');
"""
-DEVICE_BRIDGE_STYLE = """
-
-"""
+ box-shadow: 0 0 20px -8px var(--accent);
+}}
+a.verify:hover {{ opacity: 0.88; }}
+.note {{ font-size: 13px; color: var(--muted); text-align: center; line-height: 1.5; }}
+"""
diff --git a/src/authsome/ui/static/app.js b/src/authsome/ui/static/app.js
deleted file mode 100644
index f89e396d..00000000
--- a/src/authsome/ui/static/app.js
+++ /dev/null
@@ -1,124 +0,0 @@
-(() => {
- const ready = (fn) =>
- document.readyState === "loading"
- ? document.addEventListener("DOMContentLoaded", fn)
- : fn();
-
- function initSearchAndFilter() {
- const grid = document.getElementById("connectionList") || document.getElementById("appGrid");
- const search = document.getElementById("appSearch");
- const empty = document.getElementById("appEmpty");
- if (!grid) return;
-
- let activeFilter = "all";
- const cards = Array.from(grid.querySelectorAll(".app-card, .connection-row"));
-
- const applyFilters = () => {
- const q = (search?.value || "").trim().toLowerCase();
- let visible = 0;
- cards.forEach((card) => {
- const matchesQuery = !q || card.dataset.name.includes(q);
- const status = card.dataset.status;
- const matchesFilter =
- !document.querySelector(".filter-pill") ||
- activeFilter === "all" ||
- (activeFilter === "connected" && status !== "available") ||
- (activeFilter === "available" && status === "available");
- const show = matchesQuery && matchesFilter;
- card.classList.toggle("hidden", !show);
- if (show) visible += 1;
- });
- if (empty) empty.classList.toggle("hidden", visible !== 0);
- };
-
- document.querySelectorAll(".filter-pill").forEach((pill) => {
- pill.addEventListener("click", () => {
- document
- .querySelectorAll(".filter-pill")
- .forEach((p) => p.classList.remove("active"));
- pill.classList.add("active");
- activeFilter = pill.dataset.filter || "all";
- applyFilters();
- });
- });
-
- if (search) search.addEventListener("input", applyFilters);
- }
-
- function initSecretToggles() {
- document.querySelectorAll("[data-toggle-secret]").forEach((btn) => {
- btn.addEventListener("click", () => {
- const row = btn.closest(".field-row");
- const target = row?.querySelector("[data-secret]");
- if (!target) return;
- const real = target.dataset.secretValue;
- if (!real) return;
- const isMasked = target.classList.contains("mask");
- if (isMasked) {
- target.dataset.maskedDisplay = target.textContent;
- target.textContent = real;
- target.classList.remove("mask");
- } else {
- target.textContent = target.dataset.maskedDisplay || "••••••••••••••••";
- target.classList.add("mask");
- }
- });
- });
- }
-
- function initCopyButtons() {
- document.querySelectorAll("[data-copy]").forEach((btn) => {
- btn.addEventListener("click", async () => {
- const value = btn.dataset.copy;
- if (!value) return;
- try {
- await navigator.clipboard.writeText(value);
- const original = btn.title;
- btn.title = "Copied";
- btn.classList.add("active");
- setTimeout(() => {
- btn.title = original;
- btn.classList.remove("active");
- }, 900);
- } catch {
- /* clipboard write failed; nothing fatal to do here */
- }
- });
- });
- }
-
- function initLoginModal() {
- const modal = document.getElementById("loginModal");
- const form = document.getElementById("loginModalForm");
- const hiddenConnection = document.getElementById("loginConnectionName");
- const input = document.getElementById("connectionNameInput");
- if (!modal || !form || !hiddenConnection || !input) return;
-
- document.querySelectorAll("[data-open-login-modal]").forEach((btn) => {
- btn.addEventListener("click", () => {
- const provider = btn.dataset.provider;
- if (!provider) return;
- form.action = `/apps/${provider}/connect`;
- hiddenConnection.value = "";
- input.value = "";
- modal.showModal();
- input.focus();
- });
- });
-
- document.querySelectorAll("[data-close-login-modal]").forEach((btn) => {
- btn.addEventListener("click", () => modal.close());
- });
-
- form.addEventListener("submit", () => {
- hiddenConnection.value = input.value.trim();
- });
- }
-
- ready(() => {
- initSearchAndFilter();
- initSecretToggles();
- initCopyButtons();
- initLoginModal();
- });
-})();
diff --git a/src/authsome/ui/static/style.css b/src/authsome/ui/static/style.css
deleted file mode 100644
index 8704117f..00000000
--- a/src/authsome/ui/static/style.css
+++ /dev/null
@@ -1,1130 +0,0 @@
-:root {
- --bg-body: #f5f6f8;
- --bg-sidebar: #ffffff;
- --bg-surface: #ffffff;
- --bg-subtle: #eef2f5;
- --bg-muted: #e6ebf0;
- --border: #d7dde5;
- --border-strong: #b9c3cf;
- --accent: #1f6f5b;
- --accent-dark: #155041;
- --accent-soft: #e5f1ed;
- --blue: #2f5d88;
- --blue-soft: #e7eef6;
- --warn: #9a5b13;
- --warn-soft: #fff3dd;
- --danger: #a33a3a;
- --danger-soft: #f9e4e4;
- --text: #16202a;
- --text-secondary: #3d4a57;
- --text-muted: #6d7a86;
- --shadow: 0 1px 2px rgba(22, 32, 42, 0.06);
- --radius-sm: 5px;
- --radius-md: 6px;
- --radius-lg: 8px;
- --font-sans: Aptos, "Segoe UI", -apple-system, BlinkMacSystemFont, "Helvetica Neue", sans-serif;
- --font-mono: "SFMono-Regular", Consolas, "Liberation Mono", Menlo, monospace;
-}
-
-* {
- box-sizing: border-box;
-}
-
-html,
-body {
- margin: 0;
- padding: 0;
- min-height: 100vh;
- background: var(--bg-body);
- color: var(--text);
- font-family: var(--font-sans);
- font-size: 14px;
- line-height: 1.5;
-}
-
-body {
- display: grid;
- grid-template-columns: 232px minmax(0, 1fr);
-}
-
-a {
- color: inherit;
- text-decoration: none;
-}
-
-button,
-input {
- font: inherit;
-}
-
-.sidebar {
- position: sticky;
- top: 0;
- height: 100vh;
- display: flex;
- flex-direction: column;
- gap: 6px;
- padding: 18px 14px 16px;
- background: var(--bg-sidebar);
- border-right: 1px solid var(--border);
-}
-
-.brand {
- padding: 5px 10px 16px;
- font-size: 15px;
- font-weight: 700;
- letter-spacing: 0;
-}
-
-.brand::after {
- content: ".";
- color: var(--accent);
-}
-
-.nav-primary,
-.nav-secondary {
- display: flex;
- flex-direction: column;
- gap: 2px;
-}
-
-.nav-spacer {
- flex: 1;
-}
-
-.nav-item {
- display: flex;
- align-items: center;
- gap: 10px;
- min-height: 36px;
- padding: 8px 10px;
- border: 1px solid transparent;
- border-radius: var(--radius-md);
- color: var(--text-secondary);
- font-size: 13px;
- transition: background-color 120ms ease, border-color 120ms ease, color 120ms ease;
-}
-
-.nav-item:hover {
- background: var(--bg-subtle);
- color: var(--text);
-}
-
-.nav-item.active {
- background: var(--accent-soft);
- border-color: #b8d9cf;
- color: var(--accent-dark);
- font-weight: 600;
-}
-
-.nav-item.disabled {
- opacity: 0.45;
- pointer-events: none;
-}
-
-.nav-item svg {
- width: 16px;
- height: 16px;
- flex-shrink: 0;
-}
-
-.brand-foot {
- padding: 8px 10px 2px;
- color: var(--text-muted);
- font-size: 11px;
-}
-
-.main {
- min-width: 0;
- display: flex;
- flex-direction: column;
-}
-
-.topbar {
- min-height: 57px;
- display: flex;
- align-items: center;
- justify-content: space-between;
- gap: 16px;
- padding: 12px 30px;
- background: rgba(255, 255, 255, 0.88);
- border-bottom: 1px solid var(--border);
- backdrop-filter: blur(8px);
-}
-
-.topbar-meta,
-.topbar-actions,
-.page-actions {
- display: flex;
- align-items: center;
- gap: 8px;
-}
-
-.topbar-actions {
- justify-content: flex-end;
-}
-
-.topbar-actions form {
- margin: 0;
-}
-
-.meta {
- color: var(--text-muted);
- font-size: 12.5px;
-}
-
-.page {
- width: 100%;
- max-width: 1220px;
- padding: 26px 30px 48px;
-}
-
-.page-header {
- display: flex;
- align-items: flex-end;
- justify-content: space-between;
- gap: 16px;
- margin-bottom: 22px;
-}
-
-.eyebrow {
- margin-bottom: 4px;
- color: var(--text-muted);
- font-size: 11px;
- font-weight: 700;
- letter-spacing: 0;
- text-transform: uppercase;
-}
-
-h1,
-h2 {
- margin: 0;
- letter-spacing: 0;
-}
-
-h1 {
- font-size: 24px;
- line-height: 1.2;
- font-weight: 700;
-}
-
-h2 {
- font-size: 14px;
- font-weight: 700;
-}
-
-.subtitle {
- margin: 5px 0 0;
- color: var(--text-muted);
- font-size: 13px;
-}
-
-.muted,
-.subtle {
- color: var(--text-muted);
-}
-
-.link {
- color: var(--accent-dark);
- font-size: 13px;
- font-weight: 600;
-}
-
-.link:hover {
- text-decoration: underline;
-}
-
-.btn,
-.icon-btn {
- border: 1px solid var(--border);
- border-radius: var(--radius-md);
- background: var(--bg-surface);
- color: var(--text);
- cursor: pointer;
- transition: background-color 120ms ease, border-color 120ms ease, color 120ms ease;
-}
-
-.btn {
- display: inline-flex;
- align-items: center;
- justify-content: center;
- gap: 6px;
- min-height: 34px;
- padding: 7px 12px;
- font-size: 13px;
- font-weight: 600;
- white-space: nowrap;
-}
-
-.btn:hover,
-.icon-btn:hover {
- background: var(--bg-subtle);
- border-color: var(--border-strong);
-}
-
-.btn svg {
- width: 14px;
- height: 14px;
- flex-shrink: 0;
-}
-
-.btn[disabled] {
- cursor: not-allowed;
- opacity: 0.55;
-}
-
-.btn-sm {
- min-height: 30px;
- padding: 5px 10px;
- font-size: 12px;
-}
-
-.btn-primary {
- background: var(--accent);
- border-color: var(--accent);
- color: #ffffff;
-}
-
-.btn-primary:hover {
- background: var(--accent-dark);
- border-color: var(--accent-dark);
-}
-
-.btn-secondary {
- background: var(--bg-surface);
- color: var(--text-secondary);
-}
-
-.btn-light {
- background: var(--blue-soft);
- border-color: #c8d6e5;
- color: var(--blue);
-}
-
-.btn-warn-ghost {
- background: var(--warn-soft);
- border-color: #eed09f;
- color: var(--warn);
-}
-
-.btn-danger-ghost {
- background: var(--danger-soft);
- border-color: #efc3c3;
- color: var(--danger);
-}
-
-.btn-block {
- width: 100%;
-}
-
-.icon-btn {
- width: 30px;
- height: 30px;
- display: inline-flex;
- align-items: center;
- justify-content: center;
- flex: 0 0 auto;
- padding: 0;
-}
-
-.icon-btn svg {
- width: 15px;
- height: 15px;
-}
-
-.pill {
- display: inline-flex;
- align-items: center;
- gap: 4px;
- max-width: 100%;
- padding: 3px 8px;
- border: 1px solid var(--border);
- border-radius: 999px;
- background: var(--bg-subtle);
- color: var(--text-secondary);
- font-size: 11.5px;
- font-weight: 600;
- line-height: 1.35;
- white-space: nowrap;
-}
-
-.pill-accent {
- background: var(--accent-soft);
- border-color: #b8d9cf;
- color: var(--accent-dark);
-}
-
-.pill-neutral {
- background: var(--bg-subtle);
- border-color: var(--border);
- color: var(--text-secondary);
-}
-
-.pill-warn {
- background: var(--warn-soft);
- border-color: #efd4aa;
- color: var(--warn);
-}
-
-.stat-grid {
- display: grid;
- grid-template-columns: repeat(3, minmax(0, 1fr));
- gap: 14px;
- margin-bottom: 26px;
-}
-
-.stat-card,
-.card,
-.panel,
-.notice-band,
-.provider-card,
-.app-card,
-.empty,
-.docs-card,
-.connection-row {
- background: var(--bg-surface);
- border: 1px solid var(--border);
- border-radius: var(--radius-lg);
- box-shadow: var(--shadow);
-}
-
-.stat-card {
- min-height: 118px;
- display: flex;
- flex-direction: column;
- gap: 6px;
- padding: 16px 18px;
-}
-
-.stat-label,
-.card-title {
- color: var(--text-muted);
- font-size: 11px;
- font-weight: 700;
- letter-spacing: 0;
- text-transform: uppercase;
-}
-
-.stat-value {
- font-size: 31px;
- line-height: 1.1;
- font-weight: 700;
- letter-spacing: 0;
-}
-
-.stat-value-sm {
- font-size: 19px;
- line-height: 1.25;
-}
-
-.stat-foot {
- margin-top: auto;
- color: var(--text-muted);
- font-size: 12px;
-}
-
-.section {
- margin-bottom: 26px;
-}
-
-.section-header {
- display: flex;
- align-items: center;
- justify-content: space-between;
- gap: 12px;
- margin-bottom: 12px;
-}
-
-.provider-grid,
-.app-grid {
- display: grid;
- grid-template-columns: repeat(3, minmax(0, 1fr));
- gap: 12px;
-}
-
-.provider-card {
- min-height: 166px;
- display: flex;
- flex-direction: column;
- gap: 9px;
- padding: 15px;
- transition: border-color 120ms ease, box-shadow 120ms ease, transform 120ms ease;
-}
-
-.provider-card:hover,
-.app-card:hover,
-.connection-row:hover,
-.docs-card:hover {
- border-color: var(--border-strong);
- box-shadow: 0 2px 7px rgba(22, 32, 42, 0.08);
-}
-
-.provider-card-top {
- display: flex;
- align-items: center;
- justify-content: space-between;
- gap: 8px;
-}
-
-.logo {
- width: 32px;
- height: 32px;
- border-radius: var(--radius-md);
- display: inline-flex;
- align-items: center;
- justify-content: center;
- flex: 0 0 auto;
- background: var(--blue-soft);
- color: var(--blue);
- font-size: 13px;
- font-weight: 700;
-}
-
-.logo-lg {
- width: 44px;
- height: 44px;
- font-size: 16px;
-}
-
-.provider-card-name {
- color: var(--text);
- font-size: 14px;
- font-weight: 700;
-}
-
-.provider-card-desc {
- min-height: 18px;
- color: var(--text-muted);
- font-size: 12.5px;
- overflow: hidden;
- text-overflow: ellipsis;
- white-space: nowrap;
-}
-
-.provider-card-foot {
- margin-top: auto;
- padding-top: 10px;
- border-top: 1px solid var(--border);
- display: flex;
- align-items: center;
- justify-content: space-between;
- gap: 10px;
- color: var(--text-muted);
- font-size: 12px;
-}
-
-.icon-gear {
- display: inline-flex;
- color: var(--text-muted);
-}
-
-.notice-band {
- display: flex;
- align-items: center;
- justify-content: space-between;
- gap: 18px;
- padding: 18px 20px;
-}
-
-.notice-title {
- margin-bottom: 3px;
- font-size: 14px;
- font-weight: 700;
-}
-
-.notice-body {
- max-width: 680px;
- margin: 0;
- color: var(--text-muted);
- font-size: 13px;
-}
-
-.toolbar {
- display: flex;
- align-items: center;
- gap: 12px;
- margin-bottom: 18px;
-}
-
-.search {
- min-height: 38px;
- display: flex;
- align-items: center;
- gap: 8px;
- flex: 1;
- padding: 8px 12px;
- border: 1px solid var(--border);
- border-radius: var(--radius-lg);
- background: var(--bg-surface);
- color: var(--text-muted);
- box-shadow: var(--shadow);
-}
-
-.search input {
- width: 100%;
- min-width: 0;
- border: 0;
- outline: 0;
- background: transparent;
- color: var(--text);
- font-size: 13px;
-}
-
-.filter-pills {
- display: flex;
- gap: 4px;
- padding: 3px;
- border: 1px solid var(--border);
- border-radius: var(--radius-lg);
- background: var(--bg-surface);
-}
-
-.filter-pill {
- display: inline-flex;
- align-items: center;
- gap: 6px;
- min-height: 29px;
- padding: 5px 11px;
- border: 0;
- border-radius: var(--radius-md);
- background: transparent;
- color: var(--text-secondary);
- cursor: pointer;
- font-size: 12.5px;
-}
-
-.filter-pill.active {
- background: var(--bg-subtle);
- color: var(--text);
-}
-
-.filter-pill .count {
- color: var(--accent-dark);
- font-size: 12px;
- font-weight: 700;
-}
-
-.app-card {
- position: relative;
- min-height: 76px;
- display: flex;
- align-items: center;
- gap: 12px;
- padding: 13px 14px;
-}
-
-.app-card.is-connected {
- border-color: #b8d9cf;
-}
-
-.app-card-hit {
- position: absolute;
- inset: 0;
- z-index: 1;
- border-radius: inherit;
-}
-
-.app-card-text {
- min-width: 0;
- flex: 1;
-}
-
-.app-card-name {
- overflow: hidden;
- color: var(--text);
- font-size: 13.5px;
- font-weight: 700;
- text-overflow: ellipsis;
- white-space: nowrap;
-}
-
-.app-card-sub {
- color: var(--text-muted);
- font-size: 12px;
-}
-
-.inline-action {
- position: relative;
- z-index: 2;
- margin: 0;
-}
-
-.as-button {
- cursor: pointer;
-}
-
-.empty {
- padding: 38px 24px;
- color: var(--text-muted);
- text-align: center;
-}
-
-.empty-grid {
- grid-column: 1 / -1;
-}
-
-.empty-title {
- margin-bottom: 4px;
- color: var(--text);
- font-size: 14px;
- font-weight: 700;
-}
-
-.empty-body {
- margin-bottom: 14px;
- font-size: 13px;
-}
-
-.empty .btn {
- margin-top: 4px;
-}
-
-.hidden {
- display: none !important;
-}
-
-.breadcrumb {
- margin-bottom: 12px;
- color: var(--text-muted);
- font-size: 12.5px;
-}
-
-.breadcrumb a {
- color: var(--text-secondary);
-}
-
-.breadcrumb a:hover {
- color: var(--accent-dark);
-}
-
-.breadcrumb .sep {
- margin: 0 6px;
- opacity: 0.6;
-}
-
-.detail-header {
- display: flex;
- align-items: center;
- gap: 14px;
- margin-bottom: 18px;
-}
-
-.detail-title {
- display: flex;
- flex-wrap: wrap;
- align-items: center;
- gap: 10px;
- font-size: 23px;
-}
-
-.detail-meta {
- margin-top: 3px;
- color: var(--text-muted);
- font-size: 12.5px;
-}
-
-.detail-grid {
- display: grid;
- grid-template-columns: minmax(0, 1fr) 260px;
- gap: 18px;
- align-items: start;
-}
-
-.detail-main,
-.detail-side,
-.connection-list,
-.action-stack {
- display: flex;
- flex-direction: column;
- gap: 12px;
-}
-
-.detail-side {
- position: sticky;
- top: 72px;
-}
-
-.docs-card {
- display: flex;
- align-items: center;
- gap: 10px;
- padding: 12px 14px;
-}
-
-.docs-icon {
- width: 30px;
- height: 30px;
- border-radius: var(--radius-md);
- display: inline-flex;
- align-items: center;
- justify-content: center;
- flex: 0 0 auto;
- background: var(--accent-soft);
- color: var(--accent-dark);
-}
-
-.docs-icon svg {
- width: 16px;
- height: 16px;
-}
-
-.docs-title {
- display: block;
- font-size: 13px;
- font-weight: 700;
-}
-
-.docs-subtitle {
- display: block;
- margin-top: 1px;
- color: var(--text-muted);
- font-size: 12px;
-}
-
-.card,
-.panel {
- padding: 16px 18px;
-}
-
-.card-title {
- margin-bottom: 10px;
-}
-
-.card-body {
- margin: 0;
- color: var(--text-secondary);
- font-size: 13px;
-}
-
-.card-warn {
- background: var(--warn-soft);
- border-color: #efd4aa;
-}
-
-.field {
- margin-bottom: 12px;
-}
-
-.field:last-child {
- margin-bottom: 0;
-}
-
-.field-label {
- margin-bottom: 4px;
- color: var(--text-muted);
- font-size: 12px;
- font-weight: 600;
-}
-
-.field-row {
- min-height: 34px;
- display: flex;
- align-items: center;
- gap: 6px;
- padding: 7px 10px;
- border: 1px solid var(--border);
- border-radius: var(--radius-md);
- background: #fbfcfd;
-}
-
-.field-row .mono {
- min-width: 0;
- flex: 1;
- overflow: hidden;
- color: var(--text-secondary);
- text-overflow: ellipsis;
- white-space: nowrap;
-}
-
-.mono {
- font-family: var(--font-mono);
- font-size: 12.5px;
-}
-
-.mask {
- letter-spacing: 0;
-}
-
-.scope-row {
- display: flex;
- flex-wrap: wrap;
- gap: 6px;
-}
-
-.scope {
- display: inline-flex;
- align-items: center;
- gap: 6px;
- padding: 4px 8px 4px 10px;
- border: 1px solid #b8d9cf;
- border-radius: 999px;
- background: var(--accent-soft);
- color: var(--accent-dark);
- font-family: var(--font-mono);
- font-size: 12px;
-}
-
-.scope-x {
- padding: 0 2px;
- border: 0;
- background: transparent;
- color: var(--accent-dark);
- cursor: pointer;
- font-size: 14px;
- line-height: 1;
-}
-
-.scope.scope-add {
- border-color: var(--border);
- border-style: dashed;
- background: var(--bg-surface);
- color: var(--text-muted);
- cursor: pointer;
-}
-
-.kv {
- display: grid;
- grid-template-columns: max-content minmax(0, 1fr);
- column-gap: 12px;
- row-gap: 8px;
- margin: 0;
- font-size: 12.5px;
-}
-
-.kv dt {
- color: var(--text-muted);
-}
-
-.kv dd {
- min-width: 0;
- margin: 0;
- color: var(--text);
-}
-
-.action-stack form {
- margin: 0;
-}
-
-.connection-row {
- display: flex;
- align-items: center;
- justify-content: space-between;
- gap: 12px;
- padding: 12px 14px;
-}
-
-.connection-row-main {
- min-width: 0;
- display: flex;
- flex-direction: column;
- gap: 2px;
-}
-
-.connection-row-name {
- color: var(--text);
- font-size: 13.5px;
- font-weight: 700;
-}
-
-.connection-row-meta {
- overflow: hidden;
- color: var(--text-muted);
- font-size: 12px;
- text-overflow: ellipsis;
- white-space: nowrap;
-}
-
-.connection-row-readonly {
- padding: 10px 12px;
- box-shadow: none;
-}
-
-.connection-group + .connection-group {
- margin-top: 14px;
-}
-
-.identity-row {
- display: flex;
- align-items: center;
- justify-content: space-between;
- gap: 12px;
- padding: 12px 0;
- border-bottom: 1px solid var(--border);
-}
-
-.identity-row:first-child {
- padding-top: 0;
-}
-
-.identity-row:last-child {
- padding-bottom: 0;
- border-bottom: 0;
-}
-
-.identity-name {
- color: var(--text);
- font-weight: 700;
-}
-
-.identity-meta {
- color: var(--text-muted);
- font-size: 12px;
-}
-
-.table-wrap {
- width: 100%;
- overflow-x: auto;
-}
-
-.data-table {
- width: 100%;
- min-width: 760px;
- border-collapse: collapse;
- font-size: 13px;
-}
-
-.data-table th,
-.data-table td {
- padding: 11px 12px;
- border-bottom: 1px solid var(--border);
- text-align: left;
- vertical-align: top;
-}
-
-.data-table th {
- color: var(--text-muted);
- font-size: 11px;
- font-weight: 700;
- letter-spacing: 0;
- text-transform: uppercase;
-}
-
-.data-table tbody tr:last-child td {
- border-bottom: 0;
-}
-
-.table-primary {
- color: var(--text);
- font-weight: 700;
-}
-
-.table-secondary {
- margin-top: 2px;
- color: var(--text-muted);
- font-size: 11.5px;
-}
-
-.audit-table td:nth-child(1) {
- white-space: nowrap;
-}
-
-.audit-metadata-row td {
- padding-top: 0;
- background: #fbfcfd;
-}
-
-.metadata-list {
- display: flex;
- flex-wrap: wrap;
- gap: 8px 14px;
- margin: 0;
- color: var(--text-muted);
- font-size: 12px;
-}
-
-.metadata-list div {
- display: inline-flex;
- gap: 5px;
-}
-
-.metadata-list dt {
- color: var(--text-muted);
- font-weight: 700;
-}
-
-.metadata-list dd {
- margin: 0;
- color: var(--text-secondary);
-}
-
-.login-modal {
- width: min(420px, calc(100vw - 32px));
- padding: 0;
- border: 1px solid var(--border);
- border-radius: var(--radius-lg);
- background: var(--bg-surface);
- color: var(--text);
- box-shadow: 0 18px 44px rgba(22, 32, 42, 0.22);
-}
-
-.login-modal::backdrop {
- background: rgba(20, 29, 38, 0.44);
-}
-
-.login-modal form {
- display: flex;
- flex-direction: column;
- gap: 14px;
- margin: 0;
- padding: 18px;
-}
-
-.login-modal-input {
- width: 100%;
- padding: 9px 10px;
- border: 1px solid var(--border);
- border-radius: var(--radius-md);
- background: #fbfcfd;
- color: var(--text);
- font: inherit;
-}
-
-@media (max-width: 980px) {
- body {
- grid-template-columns: 1fr;
- }
-
- .sidebar {
- position: static;
- height: auto;
- border-right: 0;
- border-bottom: 1px solid var(--border);
- }
-
- .nav-primary,
- .nav-secondary {
- flex-flow: row wrap;
- }
-
- .nav-spacer,
- .brand-foot {
- display: none;
- }
-
- .topbar,
- .page-header,
- .notice-band {
- align-items: flex-start;
- flex-direction: column;
- }
-
- .topbar-actions,
- .page-actions {
- flex-wrap: wrap;
- }
-
- .page {
- padding: 22px 18px 36px;
- }
-
- .stat-grid,
- .provider-grid,
- .app-grid,
- .detail-grid {
- grid-template-columns: 1fr;
- }
-
- .detail-side {
- position: static;
- }
-}
diff --git a/src/authsome/ui/templates/_app_detail_shell.html b/src/authsome/ui/templates/_app_detail_shell.html
deleted file mode 100644
index 94f113dc..00000000
--- a/src/authsome/ui/templates/_app_detail_shell.html
+++ /dev/null
@@ -1,71 +0,0 @@
-{% extends "_layout.html" %}
-{% block title %}{{ provider.display_name }}{% endblock %}
-{% block content %}
-
- Connections
- /
- {{ provider.display_name }}
-
-
-
-
-
-
- {% block credentials %}{% endblock %}
-
-
-
-
-{% endblock %}
diff --git a/src/authsome/ui/templates/_layout.html b/src/authsome/ui/templates/_layout.html
deleted file mode 100644
index eb0bb9cc..00000000
--- a/src/authsome/ui/templates/_layout.html
+++ /dev/null
@@ -1,117 +0,0 @@
-
-
-
-
-
-
{% block title %}Authsome{% endblock %} · Authsome
-
-
-
-
-
-
-
- {% if show_identity %}
-
- {% if role_label %}{{ role_label }} {% endif %}
- Signed in as {{ ui_email or ui_identity }}
-
- {% endif %}
-
-
- {% block content %}{% endblock %}
-
-
-
-
-
-
-
diff --git a/src/authsome/ui/templates/app_detail_apikey.html b/src/authsome/ui/templates/app_detail_apikey.html
deleted file mode 100644
index de701484..00000000
--- a/src/authsome/ui/templates/app_detail_apikey.html
+++ /dev/null
@@ -1,41 +0,0 @@
-{% extends "_app_detail_shell.html" %}
-{% block detail_meta %}API Key{% endblock %}
-
-{% block credentials %}
-
- API Credentials
-
-
API Key
-
-
{% if api_key %}••••••••••••••••{% else %}—{% endif %}
- {% if api_key %}
-
-
-
-
- {% endif %}
-
-
-
-
- Configuration
-
-
Base URL
-
{{ base_url or '—' }}
-
-{% endblock %}
-
-{% block side_rows %}
-
Auth type API Key
-{% endblock %}
-
-{% block actions %}
-
Save changes
-
-{% endblock %}
diff --git a/src/authsome/ui/templates/app_detail_disconnected.html b/src/authsome/ui/templates/app_detail_disconnected.html
deleted file mode 100644
index 1399dba8..00000000
--- a/src/authsome/ui/templates/app_detail_disconnected.html
+++ /dev/null
@@ -1,79 +0,0 @@
-{% extends "_app_detail_shell.html" %}
-{% block detail_meta %}{{ auth_type_label }}{% endblock %}
-
-{% block credentials %}
-
- Setup
-
- {{ provider.display_name }} is not connected yet. Review the provider configuration and use Connect when you're ready.
-
-
-
-{% if provider.auth_type.value == "oauth2" %}
-
- {{ provider_management_label }}
- {% if show_provider_client_details %}
-
-
Client ID
-
{{ client_id or 'Required during setup' }}
-
-
Client Secret
-
{% if has_client_secret %}••••••••••••••••{% else %}Required during setup{% endif %}
-
- Authsome manages the OAuth application for {{ provider.display_name }}. Start the connection flow and Authsome will use the configured client automatically.
-
- {% endif %}
-
-
Redirect URI
-
-
{{ redirect_uri }}
-
-
-
-
-
-
- Endpoints
-
-
Authorization URL
-
{{ auth_url or '—' }}
-
-
Token URL
-
{{ token_url or '—' }}
-
-{% else %}
-
- API Credentials
-
-
API Key
-
Required during setup
-
-
-
- Configuration
-
-
Base URL
-
{{ base_url or '—' }}
-
-{% endif %}
-{% endblock %}
-
-{% block side_rows %}
-
Auth type {{ auth_type_label }}
-{% endblock %}
-
-{% block actions %}
-
-{% endblock %}
diff --git a/src/authsome/ui/templates/app_detail_managed.html b/src/authsome/ui/templates/app_detail_managed.html
deleted file mode 100644
index 6c070ed6..00000000
--- a/src/authsome/ui/templates/app_detail_managed.html
+++ /dev/null
@@ -1,25 +0,0 @@
-{% extends "_layout.html" %}
-{% block title %}{{ provider.display_name }}{% endblock %}
-{% block content %}
-
- Applications
- /
- {{ provider.display_name }}
-
-
-
-
-
- Provider configuration
-
- Authsome manages the OAuth application and related connections for {{ provider.display_name }}.
- Provider configuration is available only to administrators.
-
-
-{% endblock %}
diff --git a/src/authsome/ui/templates/app_detail_oauth.html b/src/authsome/ui/templates/app_detail_oauth.html
deleted file mode 100644
index 6007f851..00000000
--- a/src/authsome/ui/templates/app_detail_oauth.html
+++ /dev/null
@@ -1,70 +0,0 @@
-{% extends "_app_detail_shell.html" %}
-{% block detail_meta %}OAuth 2.0{% endblock %}
-
-{% block credentials %}
-
- Scopes
-
- {% for scope in scopes %}
- {{ scope }}×
- {% endfor %}
- + Add scope
-
-
-
-
- Tokens
-
-
Access Token
-
-
{% if access_token %}••••••••••••••••{% else %}—{% endif %}
- {% if access_token %}
-
-
-
-
- {% endif %}
-
-
-
Refresh Token
-
-
••••••••••••••••
-
-
-
-
-
-
-
Expires
-
{{ expires_label }}
-
-{% endblock %}
-
-{% block side_rows %}
-{% if connection.account and connection.account.label %}
-
Account {{ connection.account.label }}
-{% endif %}
-{% endblock %}
-
-{% block actions %}
-
Save changes
-
-
-{% endblock %}
diff --git a/src/authsome/ui/templates/app_provider.html b/src/authsome/ui/templates/app_provider.html
deleted file mode 100644
index 1e901983..00000000
--- a/src/authsome/ui/templates/app_provider.html
+++ /dev/null
@@ -1,128 +0,0 @@
-{% extends "_layout.html" %}
-{% block title %}{{ provider.display_name }}{% endblock %}
-{% block content %}
-
- Applications
- /
- {{ provider.display_name }}
-
-
-
-
-
-
- {% if provider.auth_type.value == "oauth2" %}
-
- {{ provider_management_label }}
- {% if show_provider_client_details %}
-
-
Client ID
-
{{ client_id or 'Required during setup' }}
-
-
Client Secret
-
{% if has_client_secret %}••••••••••••••••{% else %}Required during setup{% endif %}
-
-
Redirect URI
-
-
{{ redirect_uri }}
-
-
-
-
- This deployment manages the OAuth application for {{ provider.display_name }}.
-
- {% endif %}
-
-
-
- Replace provider credentials
- Changing these credentials revokes existing connections for this provider. Continue only if you intend to reconnect them.
-
-
-
- Endpoints
-
-
Authorization URL
-
{{ auth_url or '—' }}
-
-
Token URL
-
{{ token_url or '—' }}
-
- {% endif %}
-
-
- Existing connections
- {% if grouped_connections %}
- {% for group in grouped_connections %}
-
-
{{ group.vault_label }}
-
-
No connections for this provider yet.
- {% endif %}
-
-
-
-
-
-
-
-
-
-{% endblock %}
diff --git a/src/authsome/ui/templates/applications.html b/src/authsome/ui/templates/applications.html
deleted file mode 100644
index 4565d363..00000000
--- a/src/authsome/ui/templates/applications.html
+++ /dev/null
@@ -1,73 +0,0 @@
-{% extends "_layout.html" %}
-{% block title %}Applications{% endblock %}
-{% block content %}
-
-
-
-
-
- {% for p in providers %}
-
-
-
{{ p.logo_initial }}
-
-
{{ p.display_name }}
-
{{ p.auth_type_label }}
-
-
-
- {% endfor %}
-
-
-
-
No applications found
-
Try a different search.
-
-
-
-
-
-{% endblock %}
diff --git a/src/authsome/ui/templates/audit.html b/src/authsome/ui/templates/audit.html
deleted file mode 100644
index d785d33c..00000000
--- a/src/authsome/ui/templates/audit.html
+++ /dev/null
@@ -1,71 +0,0 @@
-{% extends "_layout.html" %}
-{% block title %}Audit{% endblock %}
-{% block content %}
-
-
-{% if audit_events %}
-
-
-
-
-
- Time
- Event
- Actor
- Target
- Status
- Source
-
-
-
- {% for event in audit_events %}
-
- {{ event.time }}
- {{ event.event }}
- {{ event.event_id }}
-
- {{ event.actor }} {{ event.target }}
-
- {% if event.status != "-" %}
- {{ event.status }}
- {% else %}
- -
- {% endif %}
-
- {{ event.source }}
- {% if event.metadata %}
-
-
-
- {% for key, value in event.metadata.items() %}
-
-
{{ key }}
- {{ value }}
-
- {% endfor %}
-
-
-
- {% endif %}
- {% endfor %}
-
-
-
-{% else %}
-
-
No audit events yet
-
Events will appear here after authentication, provider, or proxy activity is recorded.
-
-{% endif %}
-{% endblock %}
diff --git a/src/authsome/ui/templates/connections.html b/src/authsome/ui/templates/connections.html
deleted file mode 100644
index f08cb16c..00000000
--- a/src/authsome/ui/templates/connections.html
+++ /dev/null
@@ -1,52 +0,0 @@
-{% extends "_layout.html" %}
-{% block title %}Connections{% endblock %}
-{% block content %}
-
-
-
-
-{% if connection_rows %}
-
-{% else %}
-
-
No connections yet
-
Go to Applications to configure a provider and start a new login.
-
Add new connection
-
-{% endif %}
-
-
-
No matches
-
Try a different search.
-
-{% endblock %}
diff --git a/src/authsome/ui/templates/identity.html b/src/authsome/ui/templates/identity.html
deleted file mode 100644
index 5d953dc2..00000000
--- a/src/authsome/ui/templates/identity.html
+++ /dev/null
@@ -1,23 +0,0 @@
-{% extends "_layout.html" %}
-{% block title %}Identity{% endblock %}
-{% block content %}
-
-
-
-{% for identity in identities %}
-
-
-
{{ identity.handle }}
-
Accepted principal claim
-
-
Active
-
-{% endblock %}
diff --git a/src/authsome/ui/templates/overview.html b/src/authsome/ui/templates/overview.html
deleted file mode 100644
index 9e49f410..00000000
--- a/src/authsome/ui/templates/overview.html
+++ /dev/null
@@ -1,94 +0,0 @@
-{% extends "_layout.html" %}
-{% block title %}Overview{% endblock %}
-{% block content %}
-
-
-
-
-
Connected Apps
-
{{ stats.connected }}
-
-
-
Next Expiry
-
{{ last_activity }}
-
-
-
Auth Types
-
{{ stats.oauth }} / {{ stats.api_key }}
-
-
-
-
-
-
- {% if connected_providers %}
-
- {% else %}
-
-
No connections yet
-
Connect your first provider to get started.
-
Browse providers
-
-
-{% if show_admin_sections %}
-
-
-
Administrative controls
-
Provider configuration and audit events are restricted to administrators.
-
Review audit
-
-{% endif %}
-{% endblock %}
diff --git a/src/authsome/ui/web/.gitkeep b/src/authsome/ui/web/.gitkeep
new file mode 100644
index 00000000..196661a7
--- /dev/null
+++ b/src/authsome/ui/web/.gitkeep
@@ -0,0 +1 @@
+Generated static UI assets are copied here by scripts/build-ui.sh.
diff --git a/tests/proxy/test_proxy.py b/tests/proxy/test_proxy.py
index 292095ed..d078a119 100644
--- a/tests/proxy/test_proxy.py
+++ b/tests/proxy/test_proxy.py
@@ -567,7 +567,7 @@ async def test_addon_denies_no_credentials_with_provider_hint_in_configured_deny
body = flow.response.content.decode("utf-8")
assert "openai" in body
assert "authsome login openai" in body
- assert f"{DEFAULT_SERVER_BASE_URL}/apps/openai" in body
+ assert f"{DEFAULT_SERVER_BASE_URL}/" in body
events = [call.args[0] for call in auth.record_audit_event.await_args_list]
assert {
"event": "proxy_no_credentials",
diff --git a/tests/server/test_ui_dashboard.py b/tests/server/test_ui_dashboard.py
deleted file mode 100644
index cee00c55..00000000
--- a/tests/server/test_ui_dashboard.py
+++ /dev/null
@@ -1,548 +0,0 @@
-import asyncio
-from datetime import timedelta
-from pathlib import Path
-from urllib.parse import urlparse
-
-from fastapi.testclient import TestClient
-
-from authsome import audit
-from authsome.auth.models.connection import ConnectionRecord, ProviderClientRecord, ProviderMetadataRecord
-from authsome.auth.models.enums import AuthType, ConnectionStatus
-from authsome.identity import create_identity, load_private_key
-from authsome.identity.proof import create_proof_jwt
-from authsome.server.app import create_app
-from authsome.server.credential_repository import build_store_key
-from authsome.utils import utc_now
-
-
-def _auth_header(tmp_path: Path, method: str, path: str, *, handle: str) -> dict[str, str]:
- identity = create_identity(tmp_path, handle)
- token = create_proof_jwt(
- private_key=load_private_key(tmp_path, identity.handle),
- issuer=identity.did,
- subject=identity.handle,
- method=method,
- path_query=path,
- body=b"",
- )
- return {"Authorization": f"PoP {token}"}
-
-
-def _register_identity_for_claim(client: TestClient, tmp_path: Path, handle: str) -> str:
- identity = create_identity(tmp_path, handle)
- response = client.post("/identities/register", json={"handle": identity.handle, "did": identity.did})
- assert response.status_code == 200
- return urlparse(response.json()["claim_url"]).path
-
-
-def _register_identity(client: TestClient, tmp_path: Path, handle: str, *, email: str = "dev@example.com") -> None:
- """Register an identity and drive the browser claim flow, leaving the client logged in."""
- claim_path = _register_identity_for_claim(client, tmp_path, handle)
- registered = client.post(
- "/auth/register",
- data={"email": email, "password": "password-1", "next": claim_path},
- follow_redirects=False,
- )
- assert registered.status_code == 303
- assert client.post(f"{claim_path}/confirm", follow_redirects=False).status_code == 303
-
-
-def _seed_connection(
- client: TestClient,
- *,
- identity: str,
- provider: str,
- auth_type: AuthType,
- connection_name: str = "default",
- access_token: str | None = None,
- refresh_token: str | None = None,
- api_key: str | None = None,
-) -> None:
- resolved = asyncio.run(client.app.state.ownership_resolver.resolve(identity=identity))
- record = ConnectionRecord(
- provider=provider,
- identity=identity,
- principal_id=resolved.principal_id,
- vault_id=resolved.vault_id,
- connection_name=connection_name,
- auth_type=auth_type,
- status=ConnectionStatus.CONNECTED,
- access_token=access_token,
- refresh_token=refresh_token,
- api_key=api_key,
- expires_at=utc_now() + timedelta(hours=1),
- )
- asyncio.run(
- client.app.state.vault.put(
- build_store_key(
- vault=resolved.vault_id,
- provider=provider,
- record_type="connection",
- connection=connection_name,
- ),
- record.model_dump_json(),
- collection=f"vault:{resolved.vault_id}",
- )
- )
- asyncio.run(
- client.app.state.vault.put(
- build_store_key(vault=resolved.vault_id, provider=provider, record_type="metadata"),
- ProviderMetadataRecord(
- identity=identity,
- principal_id=resolved.principal_id,
- vault_id=resolved.vault_id,
- provider=provider,
- connection_names=[connection_name],
- default_connection=connection_name,
- last_used_connection=connection_name,
- ).model_dump_json(),
- collection=f"vault:{resolved.vault_id}",
- )
- )
-
-
-def _seed_provider_client(
- client: TestClient,
- *,
- provider: str,
- client_id: str,
- client_secret: str | None = None,
-) -> None:
- from authsome.auth.models.connection import ProviderClientRecord
-
- asyncio.run(
- client.app.state.vault.put(
- build_store_key(provider=provider, record_type="server"),
- ProviderClientRecord(
- provider=provider,
- client_id=client_id,
- client_secret=client_secret,
- ).model_dump_json(),
- collection="server",
- )
- )
-
-
-def test_overview_navigation_shows_applications_connections_and_identity(monkeypatch, tmp_path: Path) -> None:
- monkeypatch.setenv("AUTHSOME_HOME", str(tmp_path))
-
- with TestClient(create_app()) as client:
- _register_identity(client, tmp_path, "steady-wisely-boldly-0042")
- response = client.get("/")
-
- assert response.status_code == 200
- assert "Overview" in response.text
- assert "Applications" in response.text
- assert "Connections" in response.text
- assert "Identity" in response.text
- assert 'href="/audit"' in response.text
-
-
-def test_applications_page_renders_provider_catalog(monkeypatch, tmp_path: Path) -> None:
- monkeypatch.setenv("AUTHSOME_HOME", str(tmp_path))
-
- with TestClient(create_app()) as client:
- _register_identity(client, tmp_path, "steady-wisely-boldly-0042")
- response = client.get("/applications")
-
- assert response.status_code == 200
- assert "Applications" in response.text
-
-
-def test_applications_page_shows_provider_login_action(monkeypatch, tmp_path: Path) -> None:
- monkeypatch.setenv("AUTHSOME_HOME", str(tmp_path))
-
- with TestClient(create_app()) as client:
- _register_identity(client, tmp_path, "steady-wisely-boldly-0042")
- response = client.get("/applications")
-
- assert response.status_code == 200
- assert 'action="/apps/github/connect"' in response.text
- assert "Login" in response.text
-
-
-def test_identity_page_renders_informational_identity_view(monkeypatch, tmp_path: Path) -> None:
- monkeypatch.setenv("AUTHSOME_HOME", str(tmp_path))
-
- with TestClient(create_app()) as client:
- _register_identity(client, tmp_path, "steady-wisely-boldly-0042")
- response = client.get("/identity")
-
- assert response.status_code == 200
- assert "Identity" in response.text
- assert "steady-wisely-boldly-0042" in response.text
-
-
-def test_account_identity_page_lists_all_account_claims(monkeypatch, tmp_path: Path) -> None:
- monkeypatch.setenv("AUTHSOME_HOME", str(tmp_path))
-
- with TestClient(create_app()) as client:
- first_claim = _register_identity_for_claim(client, tmp_path, "steady-wisely-boldly-0042")
- registered = client.post(
- "/auth/register",
- data={"email": "dev@example.com", "password": "password-1", "next": first_claim},
- follow_redirects=False,
- )
- assert registered.status_code == 303
- assert client.post(f"{first_claim}/confirm", follow_redirects=False).status_code == 303
-
- second_claim = _register_identity_for_claim(client, tmp_path, "brave-softly-surely-0043")
- assert "dev@example.com" in client.get(second_claim).text
- assert client.post(f"{second_claim}/confirm", follow_redirects=False).status_code == 303
-
- response = client.get("/identity")
-
- assert response.status_code == 200
- assert "Signed in as dev@example.com" in response.text
- assert "steady-wisely-boldly-0042" in response.text
- assert "brave-softly-surely-0043" in response.text
-
-
-def test_audit_page_renders_recent_events_for_admin(monkeypatch, tmp_path: Path) -> None:
- monkeypatch.setenv("AUTHSOME_HOME", str(tmp_path))
-
- with TestClient(create_app()) as client:
- _register_identity(client, tmp_path, "steady-wisely-boldly-0042")
- audit.emit_event(
- "credentials_exported",
- source="external",
- identity="steady-wisely-boldly-0042",
- provider="github",
- status="ok",
- request_id="req-123",
- )
- response = client.get("/audit")
-
- assert response.status_code == 200
- assert "Audit Log" in response.text
- assert "Credentials exported" in response.text
- assert "steady-wisely-boldly-0042" in response.text
- assert "github" in response.text
- assert "req-123" in response.text
-
-
-def test_non_admin_ui_hides_audit_and_provider_configuration(monkeypatch, tmp_path: Path) -> None:
- monkeypatch.setenv("AUTHSOME_HOME", str(tmp_path))
-
- with TestClient(create_app()) as client:
- _register_identity(client, tmp_path, "admin-steadily-surely-0041", email="admin@example.com")
- _register_identity(client, tmp_path, "user-steadily-surely-0042", email="user@example.com")
- _seed_provider_client(client, provider="github", client_id="cid-123", client_secret="secret-123")
-
- overview = client.get("/")
- provider = client.get("/apps/github")
- configure = client.post("/apps/github/configure", follow_redirects=False)
- audit_page = client.get("/audit")
-
- assert overview.status_code == 200
- assert 'href="/audit"' not in overview.text
- assert provider.status_code == 200
- assert 'action="/apps/github/configure"' not in provider.text
- assert "Client ID" not in provider.text
- assert configure.status_code == 403
- assert "Provider configuration is available only to administrators." in configure.text
- assert audit_page.status_code == 403
- assert "Audit events are available only to administrators." in audit_page.text
-
-
-def test_account_applications_redirects_to_ui_login_entry(monkeypatch, tmp_path: Path) -> None:
- monkeypatch.setenv("AUTHSOME_HOME", str(tmp_path))
-
- with TestClient(create_app()) as client:
- response = client.get("/applications", follow_redirects=False)
-
- assert response.status_code == 303
- assert response.headers["location"] == "/?next=%2Fapplications"
-
-
-def test_provider_page_shows_provider_configuration_not_connection_tokens(monkeypatch, tmp_path: Path) -> None:
- monkeypatch.setenv("AUTHSOME_HOME", str(tmp_path))
-
- with TestClient(create_app()) as client:
- _register_identity(client, tmp_path, "steady-wisely-boldly-0042")
- _seed_connection(
- client,
- identity="steady-wisely-boldly-0042",
- provider="github",
- auth_type=AuthType.OAUTH2,
- access_token="gh-access-token",
- refresh_token="gh-refresh-token",
- )
- response = client.get("/apps/github")
-
- assert response.status_code == 200
- assert "OAuth Application" in response.text or "Managed by Authsome" in response.text
- assert "Access Token" not in response.text
-
-
-def test_named_connection_detail_route_exists(monkeypatch, tmp_path: Path) -> None:
- monkeypatch.setenv("AUTHSOME_HOME", str(tmp_path))
-
- with TestClient(create_app()) as client:
- _register_identity(client, tmp_path, "steady-wisely-boldly-0042")
- _seed_connection(
- client,
- identity="steady-wisely-boldly-0042",
- provider="github",
- auth_type=AuthType.OAUTH2,
- access_token="gh-access-token",
- refresh_token="gh-refresh-token",
- )
- response = client.get("/apps/github/connections/default")
-
- assert response.status_code == 200
-
-
-def test_named_connection_detail_page_shows_oauth_tokens(monkeypatch, tmp_path: Path) -> None:
- monkeypatch.setenv("AUTHSOME_HOME", str(tmp_path))
-
- with TestClient(create_app()) as client:
- _register_identity(client, tmp_path, "steady-wisely-boldly-0042")
- _seed_connection(
- client,
- identity="steady-wisely-boldly-0042",
- provider="github",
- auth_type=AuthType.OAUTH2,
- access_token="gh-access-token",
- refresh_token="gh-refresh-token",
- )
- response = client.get("/apps/github/connections/default")
-
- assert response.status_code == 200
- assert "Access Token" in response.text
- assert "Refresh Token" in response.text
- assert "Client ID" not in response.text
- assert "Client Secret" not in response.text
- assert "Redirect URI" not in response.text
- assert "Authorization URL" not in response.text
- assert "Token URL" not in response.text
-
-
-def test_named_connection_detail_page_shows_api_key(monkeypatch, tmp_path: Path) -> None:
- monkeypatch.setenv("AUTHSOME_HOME", str(tmp_path))
-
- with TestClient(create_app()) as client:
- _register_identity(client, tmp_path, "steady-wisely-boldly-0042")
- _seed_connection(
- client,
- identity="steady-wisely-boldly-0042",
- provider="openai",
- auth_type=AuthType.API_KEY,
- api_key="sk-test-key",
- )
- response = client.get("/apps/openai/connections/default")
-
- assert response.status_code == 200
- assert "API Credentials" in response.text
-
-
-def test_provider_page_for_api_key_provider_omits_provider_setup_section(monkeypatch, tmp_path: Path) -> None:
- monkeypatch.setenv("AUTHSOME_HOME", str(tmp_path))
-
- with TestClient(create_app()) as client:
- _register_identity(client, tmp_path, "steady-wisely-boldly-0042")
- _seed_connection(
- client,
- identity="steady-wisely-boldly-0042",
- provider="openai",
- auth_type=AuthType.API_KEY,
- api_key="sk-test-key",
- )
- response = client.get("/apps/openai")
-
- assert response.status_code == 200
- assert "OAuth Application" not in response.text
- assert "API Credentials" not in response.text
-
-
-def test_provider_page_lists_existing_connections_as_read_only_context(monkeypatch, tmp_path: Path) -> None:
- monkeypatch.setenv("AUTHSOME_HOME", str(tmp_path))
-
- with TestClient(create_app()) as client:
- _register_identity(client, tmp_path, "steady-wisely-boldly-0042")
- _seed_connection(
- client,
- identity="steady-wisely-boldly-0042",
- provider="github",
- auth_type=AuthType.OAUTH2,
- access_token="gh-access-token",
- refresh_token="gh-refresh-token",
- )
- response = client.get("/apps/github")
-
- assert response.status_code == 200
- assert "Existing connections" in response.text
-
-
-def test_connections_page_renders_connection_rows(monkeypatch, tmp_path: Path) -> None:
- monkeypatch.setenv("AUTHSOME_HOME", str(tmp_path))
-
- with TestClient(create_app()) as client:
- _register_identity(client, tmp_path, "steady-wisely-boldly-0042")
- _seed_connection(
- client,
- identity="steady-wisely-boldly-0042",
- provider="github",
- auth_type=AuthType.OAUTH2,
- access_token="gh-access-token",
- refresh_token="gh-refresh-token",
- )
- response = client.get("/manage/connections")
-
- assert response.status_code == 200
- assert "Add new connection" in response.text
- assert "connection-row" in response.text
-
-
-def test_provider_login_modal_copy_is_rendered_when_default_exists(monkeypatch, tmp_path: Path) -> None:
- monkeypatch.setenv("AUTHSOME_HOME", str(tmp_path))
-
- with TestClient(create_app()) as client:
- _register_identity(client, tmp_path, "steady-wisely-boldly-0042")
- _seed_connection(
- client,
- identity="steady-wisely-boldly-0042",
- provider="github",
- auth_type=AuthType.OAUTH2,
- access_token="gh-access-token",
- refresh_token="gh-refresh-token",
- )
- response = client.get("/applications")
-
- assert response.status_code == 200
- assert "Connection name" in response.text
-
-
-def test_connect_app_accepts_connection_name_fallback(monkeypatch, tmp_path: Path) -> None:
- monkeypatch.setenv("AUTHSOME_HOME", str(tmp_path))
-
- with TestClient(create_app()) as client:
- _register_identity(client, tmp_path, "steady-wisely-boldly-0042")
- _seed_connection(
- client,
- identity="steady-wisely-boldly-0042",
- provider="github",
- auth_type=AuthType.OAUTH2,
- access_token="gh-access-token",
- refresh_token="gh-refresh-token",
- )
- response = client.post(
- "/apps/github/connect",
- data={"connection_name": "work"},
- follow_redirects=False,
- )
-
- assert response.status_code == 303
- assert "/auth/sessions/" in response.headers["location"]
- assert any(
- session.provider == "github" and session.connection_name == "work"
- for session in client.app.state.auth_sessions._sessions.values()
- )
-
-
-def test_provider_page_shows_configure_action_for_oauth(monkeypatch, tmp_path: Path) -> None:
- monkeypatch.setenv("AUTHSOME_HOME", str(tmp_path))
-
- with TestClient(create_app()) as client:
- _register_identity(client, tmp_path, "steady-wisely-boldly-0042")
- _seed_provider_client(client, provider="github", client_id="cid-123", client_secret="secret-123")
- response = client.get("/apps/github")
-
- assert response.status_code == 200
- assert 'action="/apps/github/configure"' in response.text
- assert "Replace" in response.text
-
-
-def test_provider_configure_route_opens_edit_flow_with_existing_values(monkeypatch, tmp_path: Path) -> None:
- monkeypatch.setenv("AUTHSOME_HOME", str(tmp_path))
-
- with TestClient(create_app()) as client:
- _register_identity(client, tmp_path, "steady-wisely-boldly-0042")
- _seed_provider_client(client, provider="github", client_id="cid-123", client_secret="secret-123")
- response = client.post("/apps/github/configure", follow_redirects=False)
-
- assert response.status_code == 303
- assert "/auth/sessions/" in response.headers["location"]
- session = next(iter(client.app.state.auth_sessions._sessions.values()))
- assert session.payload["provider_config_only"] is True
- fields = session.payload["input_fields"]
- assert any(field["name"] == "client_id" and field["default"] == "cid-123" for field in fields)
-
-
-def test_account_admin_provider_configure_route_opens_edit_flow(monkeypatch, tmp_path: Path) -> None:
- monkeypatch.setenv("AUTHSOME_HOME", str(tmp_path))
-
- with TestClient(create_app()) as client:
- claim_path = _register_identity_for_claim(client, tmp_path, "steady-wisely-boldly-0042")
- registered = client.post(
- "/auth/register",
- data={"email": "dev@example.com", "password": "password-1", "next": claim_path},
- follow_redirects=False,
- )
- assert registered.status_code == 303
- assert client.post(f"{claim_path}/confirm", follow_redirects=False).status_code == 303
-
- _seed_provider_client(client, provider="github", client_id="cid-123", client_secret="secret-123")
- response = client.post("/apps/github/configure", follow_redirects=False)
-
- assert response.status_code == 303
- assert "/auth/sessions/" in response.headers["location"]
- session = next(iter(client.app.state.auth_sessions._sessions.values()))
- assert session.payload["provider_config_only"] is True
- fields = session.payload["input_fields"]
- assert any(field["name"] == "client_id" and field["default"] == "cid-123" for field in fields)
-
-
-def test_provider_configure_input_page_shows_revoke_warning(monkeypatch, tmp_path: Path) -> None:
- monkeypatch.setenv("AUTHSOME_HOME", str(tmp_path))
-
- with TestClient(create_app()) as client:
- _register_identity(client, tmp_path, "steady-wisely-boldly-0042")
- _seed_provider_client(client, provider="github", client_id="cid-123", client_secret="secret-123")
- configure = client.post("/apps/github/configure", follow_redirects=False)
- response = client.get(configure.headers["location"])
-
- assert response.status_code == 200
- assert "Changing these credentials will revoke existing connections for this provider." in response.text
- client_id_position = response.text.index('for="client_id">Client ID')
- client_secret_position = response.text.index('for="client_secret">Client Secret')
- advanced_position = response.text.index("
Advanced options ")
- assert client_id_position < client_secret_position < advanced_position
- assert "Client Secret (Optional)" not in response.text
-
-
-def test_provider_config_submit_replaces_client_and_revokes_connections(monkeypatch, tmp_path: Path) -> None:
- monkeypatch.setenv("AUTHSOME_HOME", str(tmp_path))
-
- with TestClient(create_app()) as client:
- _register_identity(client, tmp_path, "steady-wisely-boldly-0042")
- _seed_connection(
- client,
- identity="steady-wisely-boldly-0042",
- provider="github",
- auth_type=AuthType.OAUTH2,
- access_token="gh-access-token",
- refresh_token="gh-refresh-token",
- )
- _seed_provider_client(client, provider="github", client_id="cid-123", client_secret="secret-123")
-
- configure = client.post("/apps/github/configure", follow_redirects=False)
- session_id = configure.headers["location"].rstrip("/").split("/")[-2]
- response = client.post(
- f"/auth/sessions/{session_id}/input",
- data={"client_id": "cid-456", "client_secret": "secret-456"},
- follow_redirects=False,
- )
-
- provider_client = asyncio.run(
- client.app.state.vault.get(build_store_key(provider="github", record_type="server"), collection="server")
- )
- connections_page = client.get("/manage/connections")
-
- assert response.status_code == 303
- assert response.headers["location"].endswith("/apps/github")
- assert provider_client is not None
- provider_client_record = ProviderClientRecord.model_validate_json(provider_client)
- assert provider_client_record.client_id == "cid-456"
- assert provider_client_record.scopes == ["repo", "read:user"]
- assert "No connections yet" in connections_page.text
diff --git a/tests/server/test_ui_sessions.py b/tests/server/test_ui_sessions.py
deleted file mode 100644
index a2cb3721..00000000
--- a/tests/server/test_ui_sessions.py
+++ /dev/null
@@ -1,279 +0,0 @@
-import asyncio
-from pathlib import Path
-from urllib.parse import urlparse
-
-from fastapi.testclient import TestClient
-
-from authsome.auth.models.connection import ProviderClientRecord
-from authsome.identity import create_identity, load_private_key
-from authsome.identity.proof import create_proof_jwt
-from authsome.server.app import create_app
-from authsome.server.credential_repository import build_store_key
-from authsome.server.ui_sessions import UiSessionStore
-
-
-def _auth_header(tmp_path: Path, method: str, path: str, *, handle: str) -> dict[str, str]:
- identity = create_identity(tmp_path, handle)
- token = create_proof_jwt(
- private_key=load_private_key(tmp_path, identity.handle),
- issuer=identity.did,
- subject=identity.handle,
- method=method,
- path_query=path,
- body=b"",
- )
- return {"Authorization": f"PoP {token}"}
-
-
-def _register_identity(client: TestClient, tmp_path: Path, handle: str) -> None:
- identity = create_identity(tmp_path, handle)
- response = client.post("/identities/register", json={"handle": identity.handle, "did": identity.did})
- assert response.status_code == 200
-
-
-def _seed_provider_client(
- client: TestClient,
- *,
- provider: str,
- client_id: str,
- client_secret: str | None = None,
-) -> None:
- asyncio.run(
- client.app.state.vault.put(
- build_store_key(provider=provider, record_type="server"),
- ProviderClientRecord(
- provider=provider,
- client_id=client_id,
- client_secret=client_secret,
- ).model_dump_json(),
- collection="server",
- )
- )
-
-
-def _claim_identity_via_account_ui(client: TestClient, tmp_path: Path, handle: str, email: str) -> None:
- identity = create_identity(tmp_path, handle)
- response = client.post("/identities/register", json={"handle": identity.handle, "did": identity.did})
- assert response.status_code == 200
- claim_path = urlparse(response.json()["claim_url"]).path
- registered = client.post(
- "/auth/register",
- data={"email": email, "password": "password-1", "next": claim_path},
- follow_redirects=False,
- )
- assert registered.status_code == 303
- confirmed = client.post(f"{claim_path}/confirm", follow_redirects=False)
- assert confirmed.status_code == 303
-
-
-def test_create_pending_claim_and_consume_once() -> None:
- store = UiSessionStore("test-secret")
-
- token = store.create_pending_claim(identity="steady-wisely-boldly-0042")
- resolved = store.get_pending_claim(token.token)
- consumed = store.consume_pending_claim(token.token)
-
- assert resolved.identity == "steady-wisely-boldly-0042"
- assert consumed.identity == "steady-wisely-boldly-0042"
-
-
-def test_consume_pending_claim_rejects_reuse() -> None:
- store = UiSessionStore("test-secret")
-
- token = store.create_pending_claim(identity="steady-wisely-boldly-0042")
- store.consume_pending_claim(token.token)
-
- try:
- store.consume_pending_claim(token.token)
- except KeyError:
- pass
- else:
- raise AssertionError("Expected pending claim token reuse to fail")
-
-
-def test_build_cookie_round_trips_browser_session() -> None:
- store = UiSessionStore("test-secret")
-
- session = store.create_browser_session(principal_id="principal_123", email="dev@example.com")
- cookie_value = store.build_cookie_value(session.token)
- parsed = store.get_browser_session(cookie_value)
-
- assert parsed.principal_id == "principal_123"
- assert parsed.email == "dev@example.com"
-
-
-def test_account_ui_homepage_shows_auth_tabs(monkeypatch, tmp_path: Path) -> None:
- monkeypatch.setenv("AUTHSOME_HOME", str(tmp_path))
-
- with TestClient(create_app()) as client:
- response = client.get("/")
-
- assert response.status_code == 200
- assert "Open dashboard" in response.text
- assert "Sign in" in response.text
- assert "Create account" in response.text
-
-
-def test_account_claim_page_shows_auth_tabs_for_unauthenticated_users(monkeypatch, tmp_path: Path) -> None:
- monkeypatch.setenv("AUTHSOME_HOME", str(tmp_path))
-
- with TestClient(create_app()) as client:
- identity = create_identity(tmp_path, "steady-wisely-boldly-0042")
- response = client.post("/identities/register", json={"handle": identity.handle, "did": identity.did})
- assert response.status_code == 200
- claim_path = urlparse(response.json()["claim_url"]).path
-
- claim_response = client.get(claim_path)
-
- assert claim_response.status_code == 200
- assert "Sign in" in claim_response.text
- assert "Create account" in claim_response.text
-
-
-def test_account_ui_session_returns_dashboard_url_without_browser_cookie(monkeypatch, tmp_path: Path) -> None:
- monkeypatch.setenv("AUTHSOME_HOME", str(tmp_path))
-
- with TestClient(create_app()) as client:
- _claim_identity_via_account_ui(client, tmp_path, "steady-wisely-boldly-0042", "dev@example.com")
- bootstrap_response = client.post(
- "/session",
- headers=_auth_header(tmp_path, "POST", "/session", handle="steady-wisely-boldly-0042"),
- )
- assert bootstrap_response.status_code == 200
- assert urlparse(bootstrap_response.json()["url"]).path == "/"
- assert "authsome_ui_session=" not in bootstrap_response.headers.get("set-cookie", "")
-
- client.cookies.clear()
- dashboard_response = client.get("/")
-
- assert dashboard_response.status_code == 200
- assert "Open dashboard" in dashboard_response.text
-
-
-def test_account_homepage_registration_redirects_to_dashboard(monkeypatch, tmp_path: Path) -> None:
- monkeypatch.setenv("AUTHSOME_HOME", str(tmp_path))
-
- with TestClient(create_app()) as client:
- registered = client.post(
- "/auth/register",
- data={"email": "dev@example.com", "password": "password-1", "next": "/"},
- follow_redirects=False,
- )
- dashboard_response = client.get("/")
-
- assert registered.status_code == 303
- assert registered.headers["location"] == "/"
- assert dashboard_response.status_code == 200
- assert "Overview" in dashboard_response.text
- assert "Signed in as dev@example.com" in dashboard_response.text
-
-
-def test_account_ui_hides_server_managed_oauth_client_details(monkeypatch, tmp_path: Path) -> None:
- monkeypatch.setenv("AUTHSOME_HOME", str(tmp_path))
-
- with TestClient(create_app()) as client:
- _claim_identity_via_account_ui(client, tmp_path, "admin-ready-boldly-0001", "admin@example.com")
- _claim_identity_via_account_ui(client, tmp_path, "steady-wisely-boldly-0042", "dev@example.com")
- vault = client.app.state.vault
- key = build_store_key(provider="github", record_type="server")
- record = ProviderClientRecord(provider="github", client_id="cid-123", client_secret="top-secret")
- asyncio.run(vault.put(key, record.model_dump_json(), collection="server"))
-
- response = client.get("/apps/github")
-
- assert response.status_code == 200
- assert "cid-123" not in response.text
- assert "manages the OAuth application" in response.text
- assert "Existing connections" not in response.text
-
-
-def test_account_admin_ui_shows_provider_client_details(monkeypatch, tmp_path: Path) -> None:
- monkeypatch.setenv("AUTHSOME_HOME", str(tmp_path))
-
- with TestClient(create_app()) as client:
- _claim_identity_via_account_ui(client, tmp_path, "steady-wisely-boldly-0042", "dev@example.com")
- _seed_provider_client(client, provider="github", client_id="cid-123", client_secret="top-secret")
- response = client.get("/apps/github")
-
- assert response.status_code == 200
- assert "cid-123" in response.text
- assert "Existing connections" in response.text
- assert "manages the OAuth application" not in response.text
- assert 'action="/apps/github/configure"' in response.text
-
-
-def test_account_ui_connect_starts_principal_scoped_session_without_pop(monkeypatch, tmp_path: Path) -> None:
- monkeypatch.setenv("AUTHSOME_HOME", str(tmp_path))
-
- with TestClient(create_app()) as client:
- _claim_identity_via_account_ui(client, tmp_path, "steady-wisely-boldly-0042", "dev@example.com")
-
- response = client.post("/apps/openai/connect", follow_redirects=False)
- session = next(iter(client.app.state.auth_sessions._sessions.values()))
-
- assert response.status_code == 303
- assert "/auth/sessions/" in response.headers["location"]
- assert session.identity is None
- assert session.principal_id is not None
- assert session.payload["ui_session_required"] is True
-
-
-def test_account_auth_rejects_external_next_redirect(monkeypatch, tmp_path: Path) -> None:
- monkeypatch.setenv("AUTHSOME_HOME", str(tmp_path))
-
- with TestClient(create_app()) as client:
- response = client.post(
- "/auth/register",
- data={"email": "dev@example.com", "password": "password-1", "next": "https://example.test"},
- follow_redirects=False,
- )
-
- assert response.status_code == 303
- assert response.headers["location"] == "/"
-
-
-def test_account_homepage_login_error_renders_auth_page(monkeypatch, tmp_path: Path) -> None:
- monkeypatch.setenv("AUTHSOME_HOME", str(tmp_path))
-
- with TestClient(create_app()) as client:
- client.post(
- "/auth/register",
- data={"email": "dev@example.com", "password": "password-1", "next": "/"},
- follow_redirects=False,
- )
- client.cookies.clear()
- response = client.post(
- "/auth/login",
- data={"email": "dev@example.com", "password": "wrong-password", "next": "/"},
- follow_redirects=False,
- )
-
- assert response.status_code == 400
- assert "Invalid email or password" in response.text
- assert "Sign in" in response.text
- assert "Create account" in response.text
-
-
-def test_account_ui_auth_input_requires_matching_browser_session(monkeypatch, tmp_path: Path) -> None:
- monkeypatch.setenv("AUTHSOME_HOME", str(tmp_path))
-
- app = create_app()
- with TestClient(app) as client:
- _register_identity(client, tmp_path, "steady-wisely-boldly-0042")
- session = asyncio.run(
- client.app.state.auth_sessions.create(
- provider="github",
- identity="steady-wisely-boldly-0042",
- principal_id="principal_test",
- connection_name="default",
- flow_type="pkce",
- )
- )
- session.payload["ui_session_required"] = True
- session.payload["input_fields"] = [{"name": "client_id", "label": "Client ID", "secret": False}]
- asyncio.run(client.app.state.auth_sessions.save(session))
-
- response = client.get(f"/auth/sessions/{session.session_id}/input")
-
- assert response.status_code == 401
- assert "dashboard" in response.text
diff --git a/ui/.gitignore b/ui/.gitignore
new file mode 100644
index 00000000..cd7c35c7
--- /dev/null
+++ b/ui/.gitignore
@@ -0,0 +1,44 @@
+# See https://help.github.com/articles/ignoring-files/ for more about ignoring files.
+
+# dependencies
+/node_modules
+/.pnp
+.pnp.*
+.yarn/*
+!.yarn/patches
+!.yarn/plugins
+!.yarn/releases
+!.yarn/versions
+
+# testing
+/coverage
+
+# next.js
+/.next/
+/out/
+
+# production
+/build
+
+# misc
+.DS_Store
+*.pem
+
+# debug
+npm-debug.log*
+yarn-debug.log*
+yarn-error.log*
+.pnpm-debug.log*
+
+# env files (can opt-in for committing if needed)
+.env*
+
+!/src/lib/
+!/src/lib/**
+
+# vercel
+.vercel
+
+# typescript
+*.tsbuildinfo
+!next-env.d.ts
diff --git a/ui/AGENTS.md b/ui/AGENTS.md
new file mode 100644
index 00000000..8bd0e390
--- /dev/null
+++ b/ui/AGENTS.md
@@ -0,0 +1,5 @@
+
+# This is NOT the Next.js you know
+
+This version has breaking changes — APIs, conventions, and file structure may all differ from your training data. Read the relevant guide in `node_modules/next/dist/docs/` before writing any code. Heed deprecation notices.
+
diff --git a/ui/CLAUDE.md b/ui/CLAUDE.md
new file mode 100644
index 00000000..43c994c2
--- /dev/null
+++ b/ui/CLAUDE.md
@@ -0,0 +1 @@
+@AGENTS.md
diff --git a/ui/DESIGN.md b/ui/DESIGN.md
new file mode 100644
index 00000000..97f7c5f2
--- /dev/null
+++ b/ui/DESIGN.md
@@ -0,0 +1,198 @@
+---
+name: Authsome Secure Console
+colors:
+ surface: '#131315'
+ surface-dim: '#0e0e10'
+ surface-bright: '#2a2a2c'
+ surface-container-lowest: '#0e0e10'
+ surface-container-low: '#1c1b1d'
+ surface-container: '#201f22'
+ surface-container-high: '#2a2a2c'
+ surface-container-highest: '#353437'
+ on-surface: '#e5e1e4'
+ on-surface-variant: '#bbcabf'
+ inverse-surface: '#e5e1e4'
+ inverse-on-surface: '#313032'
+ outline: '#86948a'
+ outline-variant: '#3c4a42'
+ surface-tint: '#4edea3'
+ primary: '#4edea3'
+ on-primary: '#003824'
+ primary-container: '#10b981'
+ on-primary-container: '#00422b'
+ inverse-primary: '#006c49'
+ secondary: '#a6d1ad'
+ on-secondary: '#10381f'
+ secondary-container: '#284f33'
+ on-secondary-container: '#95bf9d'
+ tertiary: '#bcc7de'
+ on-tertiary: '#263143'
+ tertiary-container: '#98a3ba'
+ on-tertiary-container: '#2e394c'
+ error: '#ffb4ab'
+ on-error: '#690005'
+ error-container: '#93000a'
+ on-error-container: '#ffdad6'
+ primary-fixed: '#6ffbbe'
+ primary-fixed-dim: '#4edea3'
+ on-primary-fixed: '#002113'
+ on-primary-fixed-variant: '#005236'
+ secondary-fixed: '#c1edc8'
+ secondary-fixed-dim: '#a6d1ad'
+ on-secondary-fixed: '#00210d'
+ on-secondary-fixed-variant: '#284f33'
+ tertiary-fixed: '#d8e3fb'
+ tertiary-fixed-dim: '#bcc7de'
+ on-tertiary-fixed: '#111c2d'
+ on-tertiary-fixed-variant: '#3c475a'
+ background: '#131315'
+ on-background: '#e5e1e4'
+ surface-variant: '#353437'
+typography:
+ headline-lg:
+ fontFamily: Hanken Grotesk
+ fontSize: 30px
+ fontWeight: '600'
+ lineHeight: 36px
+ letterSpacing: -0.02em
+ headline-md:
+ fontFamily: Hanken Grotesk
+ fontSize: 24px
+ fontWeight: '600'
+ lineHeight: 32px
+ letterSpacing: -0.01em
+ body-lg:
+ fontFamily: Hanken Grotesk
+ fontSize: 16px
+ fontWeight: '400'
+ lineHeight: 24px
+ body-sm:
+ fontFamily: Hanken Grotesk
+ fontSize: 14px
+ fontWeight: '400'
+ lineHeight: 20px
+ code-md:
+ fontFamily: JetBrains Mono
+ fontSize: 14px
+ fontWeight: '450'
+ lineHeight: 20px
+ code-sm:
+ fontFamily: JetBrains Mono
+ fontSize: 12px
+ fontWeight: '400'
+ lineHeight: 16px
+ label-caps:
+ fontFamily: JetBrains Mono
+ fontSize: 11px
+ fontWeight: '700'
+ lineHeight: 16px
+ letterSpacing: 0.05em
+rounded:
+ sm: 0.125rem
+ DEFAULT: 0.25rem
+ md: 0.375rem
+ lg: 0.5rem
+ xl: 0.75rem
+ full: 9999px
+spacing:
+ margin-page: 2rem
+ gutter-grid: 1rem
+ stack-sm: 0.5rem
+ stack-md: 1.5rem
+ container-width: 1200px
+---
+
+## Brand & Style
+
+The brand identity centers on **Secure Developer Console**: the calm, precise feeling of a well-instrumented control plane for agent credentials. It is built for engineers, platform teams, and security reviewers who need to trust the product before they try it.
+
+The visual style is **minimal infrastructure with quiet depth**. It keeps shadcn component discipline, but avoids a page made of identical boxes. Sections should feel like layered panels, terminal surfaces, request traces, and security status bands rather than marketing cards. Gradients are allowed only as low-opacity light, edge glow, or inspection depth; they should never dominate the palette.
+
+The strongest emotional signals are:
+
+- **Developer-focused:** terminal fragments, command affordances, monospace metadata, request/audit language.
+- **Trustworthy:** stable layout, restrained contrast, no bouncy motion, no over-decorated cards.
+- **Secure:** emerald status accents, crisp boundaries, explicit policy/audit/vault language, subtle glow only around protected or verified states.
+- **Friendly:** clear hierarchy, readable copy, obvious actions, enough whitespace for scanning.
+
+## Colors
+
+The palette is anchored by **Deep Emerald** and **Obsidian**. We use a dark-first strategy to reduce eye strain for technical work and to evoke a code editor/control plane.
+
+- **Primary:** Emerald (#10B981) used sparingly for successful states, primary actions, verified markers, and active request paths. It represents secure access, not decoration.
+- **Secondary:** A deep Forest Green (#052E16) used for subtle backgrounds on active navigation items or success-themed containers.
+- **Neutral/Background:** We use a true Obsidian (#09090B) for the primary background to maximize contrast with borders.
+- **Accents:** Slate, zinc, and muted blue-gray tones support borders, secondary text, and architecture diagrams. Use them to create confidence without making the page monochrome.
+
+## Typography
+
+The typography system uses a dual-font approach to distinguish between "Interface" and "Data."
+
+**Hanken Grotesk** serves as the primary UI font. It provides a sharp, contemporary sans-serif look that is highly legible at small sizes. Headings use tighter letter-spacing and heavier weights to feel structural.
+
+**JetBrains Mono** is used for all "output" and system-related data, including IDs, terminal logs, audit event details, and credential strings. This distinction helps developers mentally categorize information: sans-serif is what the app is telling them, and monospace is the data they are managing. All labels for status or metadata use the `label-caps` role to mimic the appearance of a command-line header.
+
+## Layout & Spacing
+
+The layout uses a **fixed-fluid hybrid** grid. Marketing pages should feel like product surfaces, not brochure sections: wide enough for technical detail, constrained enough for scanability.
+
+- **Navigation:** Sticky, compact, and utility-like. The brand should read as a product in the first viewport.
+- **Content:** Uses a 1rem gutter between elements. Information is grouped into panels, rows, terminal surfaces, and connected grids rather than repeated boxes.
+- **Rhythm:** We follow a 4px base unit. Spacing between related items (label to input) is 8px, while spacing between unrelated sections is 24px or 32px.
+- **Mobile:** On mobile devices, the grid collapses to a single column, the sidebar becomes a bottom sheet or a hidden menu, and page margins reduce to 1rem.
+
+## Elevation, Depth & Animations
+
+This design system avoids high-elevation shadows in favor of **Tonal Layering**, **Crisp Outlines**, and **Subtle Glows (Linear-style)**.
+
+Depth is achieved through background contrast, hairline borders, and very soft gradients:
+
+- **Level 0 (Base):** The primary app background (#09090B), with a subtle grid/cross texture.
+- **Level 1 (Panel/Section):** A slightly lighter shade (#131315) with a subtle 1px border (#27272A).
+- **Level 2 (Terminal/Inspector):** A higher contrast surface (#0E0E10 or #1C1B1D), internal dividers, and a soft ambient shadow.
+- **Gradient Use:** Emerald gradients should sit at section edges, terminal glows, or hover borders at 5-12% opacity. They should imply protected flow, not decoration.
+
+Shadows, when used, are strictly ambient: no heavy offset, large blur, low opacity. Interaction feedback is represented by changing the border color, surface tone, or very subtle glow. Avoid scaling cards and buttons; the product should feel steady.
+
+**Animations & Micro-interactions:**
+- **Linear-style motion:** Animations should be minimal, spring-based or smooth ease-outs using Framer Motion.
+- Elements should fade in and slide up slightly (`y: 20` to `0`) as they enter the viewport.
+- Staggered entrances for list items and grid cards.
+- Hover states should include a subtle ease-in-out glow or border transition. Elements should feel responsive but not bouncy.
+
+## Shapes
+
+The shape language is **Soft-Technical**. Use small radii and occasional open or split panels so the UI does not become boxy.
+
+- **Inputs & Buttons:** 4px to 6px radius to provide just enough approachability.
+- **Containers:** 8px radius for primary panels. Avoid large rounded cards unless they are terminal or inspector surfaces.
+- **Pills:** Status badges (e.g., "Active", "Success") use a fully rounded/pill shape to distinguish them from interactive buttons.
+- **Section Grids:** Prefer connected panels, timeline rows, split layouts, and hairline dividers over repeating boxed cards.
+
+## Components
+
+### Buttons
+- **Primary:** Solid #10B981 with black text. No gradient. High contrast.
+- **Secondary:** Transparent background with a 1px border (#27272A) and white text.
+- **Ghost:** No border or background unless hovered.
+
+### Input Fields
+- Dark backgrounds (#09090B) with 1px borders. Focus state should change the border color to #10B981 with a subtle emerald outer glow (2px). Labels should be in `code-sm` or `body-sm`.
+
+### Cards & Panels
+- Cards must have a 1px border, but repeated cards should not all have the same box silhouette. Use connected grids, split panels, list rows, or asymmetric feature panels where possible.
+- Use tonal surfaces over heavy shadows. A card hover can reveal a faint emerald edge or gradient, but should not jump or scale.
+
+### Status Chips
+- Use the `code-sm` font. Backgrounds should be low-saturation (e.g., a very dark red for "Error" with light red text) to ensure the interface doesn't become too "noisy."
+
+### Code Blocks
+- Use a distinct background (#000000) with a 1px emerald border left-accent. Use JetBrains Mono for the content.
+
+### Homepage Sections
+- **Hero:** Must immediately communicate developer trust: install command, source link, runtime credential injection, and a real terminal/agent moment.
+- **Incident Proof:** Should feel like a security briefing, not blog cards. Use compact evidence panels with source metadata.
+- **Problem/Context:** Use a high-readability editorial block plus a connected claim grid.
+- **Features:** Should look like capability inventory for platform engineers. Numbering, labels, and borders matter.
+- **Audience:** Should feel human and clear, with less box weight than feature inventory.
+- **Architecture:** Should read like a layered control plane, with terminal/trace language and calm state indicators.
diff --git a/ui/README.md b/ui/README.md
new file mode 100644
index 00000000..e215bc4c
--- /dev/null
+++ b/ui/README.md
@@ -0,0 +1,36 @@
+This is a [Next.js](https://nextjs.org) project bootstrapped with [`create-next-app`](https://nextjs.org/docs/app/api-reference/cli/create-next-app).
+
+## Getting Started
+
+First, run the development server:
+
+```bash
+npm run dev
+# or
+yarn dev
+# or
+pnpm dev
+# or
+bun dev
+```
+
+Open [http://localhost:3000](http://localhost:3000) with your browser to see the result.
+
+You can start editing the page by modifying `app/page.tsx`. The page auto-updates as you edit the file.
+
+This project uses [`next/font`](https://nextjs.org/docs/app/building-your-application/optimizing/fonts) to automatically optimize and load [Geist](https://vercel.com/font), a new font family for Vercel.
+
+## Learn More
+
+To learn more about Next.js, take a look at the following resources:
+
+- [Next.js Documentation](https://nextjs.org/docs) - learn about Next.js features and API.
+- [Learn Next.js](https://nextjs.org/learn) - an interactive Next.js tutorial.
+
+You can check out [the Next.js GitHub repository](https://github.com/vercel/next.js) - your feedback and contributions are welcome!
+
+## Deploy on Vercel
+
+The easiest way to deploy your Next.js app is to use the [Vercel Platform](https://vercel.com/new?utm_medium=default-template&filter=next.js&utm_source=create-next-app&utm_campaign=create-next-app-readme) from the creators of Next.js.
+
+Check out our [Next.js deployment documentation](https://nextjs.org/docs/app/building-your-application/deploying) for more details.
diff --git a/ui/components.json b/ui/components.json
new file mode 100644
index 00000000..8d886db5
--- /dev/null
+++ b/ui/components.json
@@ -0,0 +1,25 @@
+{
+ "$schema": "https://ui.shadcn.com/schema.json",
+ "style": "base-nova",
+ "rsc": true,
+ "tsx": true,
+ "tailwind": {
+ "config": "",
+ "css": "src/app/globals.css",
+ "baseColor": "neutral",
+ "cssVariables": true,
+ "prefix": ""
+ },
+ "iconLibrary": "lucide",
+ "rtl": false,
+ "aliases": {
+ "components": "@/components",
+ "utils": "@/lib/utils",
+ "ui": "@/components/ui",
+ "lib": "@/lib",
+ "hooks": "@/hooks"
+ },
+ "menuColor": "default",
+ "menuAccent": "subtle",
+ "registries": {}
+}
diff --git a/ui/eslint.config.mjs b/ui/eslint.config.mjs
new file mode 100644
index 00000000..05e726d1
--- /dev/null
+++ b/ui/eslint.config.mjs
@@ -0,0 +1,18 @@
+import { defineConfig, globalIgnores } from "eslint/config";
+import nextVitals from "eslint-config-next/core-web-vitals";
+import nextTs from "eslint-config-next/typescript";
+
+const eslintConfig = defineConfig([
+ ...nextVitals,
+ ...nextTs,
+ // Override default ignores of eslint-config-next.
+ globalIgnores([
+ // Default ignores of eslint-config-next:
+ ".next/**",
+ "out/**",
+ "build/**",
+ "next-env.d.ts",
+ ]),
+]);
+
+export default eslintConfig;
diff --git a/ui/next-env.d.ts b/ui/next-env.d.ts
new file mode 100644
index 00000000..9edff1c7
--- /dev/null
+++ b/ui/next-env.d.ts
@@ -0,0 +1,6 @@
+/// {children}
+
+
+ );
+}
diff --git a/ui/src/app/page.tsx b/ui/src/app/page.tsx
new file mode 100644
index 00000000..b867f5cf
--- /dev/null
+++ b/ui/src/app/page.tsx
@@ -0,0 +1,5 @@
+import { AuthsomeDashboard } from "@/components/authsome-dashboard";
+
+export default function Home() {
+ return
+
+ );
+ }
+ if (status === "reauth" || status === "expired" || status === "error") {
+ return (
+
+
+ );
+ }
+ return Available ;
+}
+
+function AuthGate() {
+ return (
+
+
+
+
+
+
+
Authsome
+
+ Local credential access for identities, vaults, providers, and audit history.
+
+
+
+
+
Local daemon
+
127.0.0.1:7998
+
+
+
Browser session
+
HttpOnly cookie
+
+
+
+
+ Open Dashboard
+ Use your Authsome account to continue.
+
+
+
+
+
+
+ );
+}
+
+function AccountForm({
+ action,
+ title,
+ submitLabel,
+}: {
+ action: string;
+ title: string;
+ submitLabel: string;
+}) {
+ return (
+
+ );
+}
+
+function LoadingScreen() {
+ return (
+
+
+
+ {Array.from({ length: 6 }).map((_, index) => (
+
+
+
+
+ {Array.from({ length: 3 }).map((_, index) => (
+
+
+
+ );
+}
+
+function ErrorState({ onRetry }: { onRetry: () => void }) {
+ return (
+
+
+
+
+
+ The daemon did not return dashboard data.
+
+
+
+
+
+
+
+ );
+}
+
+function Sidebar({
+ activeView,
+ data,
+ onChange,
+}: {
+ activeView: View;
+ data: DashboardData;
+ onChange: (view: View) => void;
+}) {
+ const items = NAV_ITEMS.filter((item) => !item.adminOnly || data.account.isAdmin);
+
+ return (
+
+
+
+
+
+
+
Authsome
+
v{data.version}
+
+
+
+
+ {items.map((item) => (
+ onChange(item.id)}
+ type="button"
+ >
+ {item.icon}
+ {item.label}
+
+ ))}
+
+
+
+
+
Signed in
+
{data.account.email || data.account.identity}
+ {data.account.roleLabel ? (
+
+ {data.account.roleLabel}
+
+ ) : null}
+
+
+ );
+}
+
+function Topbar() {
+ return (
+
+ );
+}
+
+function StatCards({ data }: { data: DashboardData }) {
+ const stats = [
+ { label: "Connected Apps", value: data.stats.connected, foot: `${data.stats.available} available`, icon:
+ {stats.map((stat) => (
+
+
+ {stat.label}
+ {stat.icon}
+
+
+ {stat.value}
+ {stat.foot}
+
+
+ ))}
+
+
+
+
+
+
+ Connected Providers
+ Active credential surfaces in the current vault.
+
+ onViewChange("connections")} size="sm" type="button" variant="outline">
+ Manage
+
+
+
+ {data.connectedProviders.length ? (
+
+ {data.connectedProviders.slice(0, 6).map((provider) => (
+
+ ))}
+
onViewChange("providers")} title="No connections yet" />
+ )}
+
+
+
+
+ Vault
+ Default credential namespace.
+
+
+
+
+
+
+
+
+
+
+
+ {provider.logoInitial}
+
+
+
{provider.displayName}
+
{provider.authTypeLabel}
+
+
+
+
+
{provider.description || provider.apiUrl}
+
+
{title}
+
+
+
(null);
+
+ const filteredProviders = useMemo(() => {
+ const normalized = query.trim().toLowerCase();
+ if (!normalized) {
+ return providers;
+ }
+ return providers.filter((provider) =>
+ `${provider.displayName} ${provider.name} ${provider.authTypeLabel}`.toLowerCase().includes(normalized),
+ );
+ }, [providers, query]);
+
+ return (
+
+
+
+
+ {filteredProviders.map((provider) => (
+
setDialogProvider(provider)} provider={provider} />
+ ))}
+
+ {!filteredProviders.length ?
No providers found.
: null}
+
+
+
+
+
+
+ {provider.logoInitial}
+
+
+ {provider.displayName}
+ {provider.name}
+
+
+
+
+
+ {provider.description || provider.apiUrl}
+
+ {provider.authTypeLabel}
+ {provider.source}
+ {provider.connectionCount ? {provider.connectionCount} connections : null}
+
+ {provider.requiresNamedLogin ? (
+
+
+ ) : (
+
+ )}
+
+
+ );
+}
+
+function NamedConnectionDialog({
+ onOpenChange,
+ provider,
+}: {
+ onOpenChange: (provider: ProviderView | null) => void;
+ provider: ProviderView | null;
+}) {
+ const [connectionName, setConnectionName] = useState("");
+
+ function handleSubmit(event: FormEvent) {
+ if (!connectionName.trim()) {
+ event.preventDefault();
+ }
+ }
+
+ return (
+ onOpenChange(open ? provider : null)}>
+
+
+ Connection name
+ {provider?.displayName} already has a default connection.
+
+
+
+
+ );
+}
+
+function ConnectionsView({ connections }: { connections: DashboardData["connections"] }) {
+ const [query, setQuery] = useState("");
+ const filteredConnections = useMemo(() => {
+ const normalized = query.trim().toLowerCase();
+ if (!normalized) {
+ return connections;
+ }
+ return connections.filter((row) =>
+ `${row.connectionName} ${row.providerDisplayName} ${row.authTypeLabel}`.toLowerCase().includes(normalized),
+ );
+ }, [connections, query]);
+
+ return (
+
+
+
+
+
+ {filteredConnections.length ? (
+
+
+
+ Connection
+ Provider
+ Type
+ Status
+
+
+
+ {filteredConnections.map((row) => (
+
+ {row.connectionName}
+ {row.providerDisplayName}
+ {row.authTypeLabel}
+
+
+
+ ))}
+
+
+ ) : (
+ No connections found.
+ )}
+
+
+
+
+
+
+
+ Default Vault
+ {data.vault.isDefault ? "Active for this account" : "Vault binding"}
+
+
+
+
+
+
+ Identities
+ Claims accepted for this account.
+
+
+ {data.identities.map((identity) => (
+
+
+ {identity.handle}
+
+ {identity.isActive ?
Active : null}
+
+
+
+
+
+
+
+ {data.audit.events.length ? (
+
+
+
+ Time
+ Event
+ Actor
+ Target
+ Status
+
+
+
+ {data.audit.events.map((event) => (
+
+ {event.time}
+ {event.event}
+ {event.actor}
+ {event.target}
+ {event.status}
+
+ ))}
+
+
+ ) : (
+ No audit events found.
+ )}
+
+
+
+
+
+
+
+ Account
+
+
+
+
+
+
+
+
+ Daemon
+
+
+
+
+
+
+
+
+
setShow(!show)}
+ className="w-max -ml-2 h-8 text-xs text-muted-foreground"
+ type="button"
+ >
+ {show ? "Hide advanced" : "Show advanced"}
+
+ {show &&
{children}
}
+
+
{label}
+
+ {value}
+
+
+
{title}
+
{description}
+
+
+ );
+}
+
+function ActiveView({
+ data,
+ onViewChange,
+ view,
+}: {
+ data: DashboardData;
+ onViewChange: (view: View) => void;
+ view: View;
+}) {
+ if (view === "providers") {
+ return ("dashboard");
+ const { data, error, mutate } = useSWR("authsome-dashboard", fetchDashboard, {
+ dedupingInterval: 10_000,
+ revalidateOnFocus: true,
+ });
+
+ if (isUnauthorized(error)) {
+ return void mutate()} />;
+ }
+ if (!data) {
+ return
+
+
+
+
+
+
+
Authsome
+
v{data.version}
+
+
void mutate()} size="sm" type="button" variant="outline">
+
+
+
+
+
+
+ );
+}
diff --git a/ui/src/components/ui/badge.tsx b/ui/src/components/ui/badge.tsx
new file mode 100644
index 00000000..b20959dd
--- /dev/null
+++ b/ui/src/components/ui/badge.tsx
@@ -0,0 +1,52 @@
+import { mergeProps } from "@base-ui/react/merge-props"
+import { useRender } from "@base-ui/react/use-render"
+import { cva, type VariantProps } from "class-variance-authority"
+
+import { cn } from "@/lib/utils"
+
+const badgeVariants = cva(
+ "group/badge inline-flex h-5 w-fit shrink-0 items-center justify-center gap-1 overflow-hidden rounded-4xl border border-transparent px-2 py-0.5 text-xs font-medium whitespace-nowrap transition-all focus-visible:border-ring focus-visible:ring-[3px] focus-visible:ring-ring/50 has-data-[icon=inline-end]:pr-1.5 has-data-[icon=inline-start]:pl-1.5 aria-invalid:border-destructive aria-invalid:ring-destructive/20 dark:aria-invalid:ring-destructive/40 [&>svg]:pointer-events-none [&>svg]:size-3!",
+ {
+ variants: {
+ variant: {
+ default: "bg-primary text-primary-foreground [a]:hover:bg-primary/80",
+ secondary:
+ "bg-secondary text-secondary-foreground [a]:hover:bg-secondary/80",
+ destructive:
+ "bg-destructive/10 text-destructive focus-visible:ring-destructive/20 dark:bg-destructive/20 dark:focus-visible:ring-destructive/40 [a]:hover:bg-destructive/20",
+ outline:
+ "border-border text-foreground [a]:hover:bg-muted [a]:hover:text-muted-foreground",
+ ghost:
+ "hover:bg-muted hover:text-muted-foreground dark:hover:bg-muted/50",
+ link: "text-primary underline-offset-4 hover:underline",
+ },
+ },
+ defaultVariants: {
+ variant: "default",
+ },
+ }
+)
+
+function Badge({
+ className,
+ variant = "default",
+ render,
+ ...props
+}: useRender.ComponentProps<"span"> & VariantProps) {
+ return useRender({
+ defaultTagName: "span",
+ props: mergeProps<"span">(
+ {
+ className: cn(badgeVariants({ variant }), className),
+ },
+ props
+ ),
+ render,
+ state: {
+ slot: "badge",
+ variant,
+ },
+ })
+}
+
+export { Badge, badgeVariants }
diff --git a/ui/src/components/ui/button.tsx b/ui/src/components/ui/button.tsx
new file mode 100644
index 00000000..b0336017
--- /dev/null
+++ b/ui/src/components/ui/button.tsx
@@ -0,0 +1,58 @@
+import { Button as ButtonPrimitive } from "@base-ui/react/button"
+import { cva, type VariantProps } from "class-variance-authority"
+
+import { cn } from "@/lib/utils"
+
+const buttonVariants = cva(
+ "group/button inline-flex shrink-0 items-center justify-center rounded-lg border border-transparent bg-clip-padding text-sm font-medium whitespace-nowrap transition-all outline-none select-none focus-visible:border-ring focus-visible:ring-3 focus-visible:ring-ring/50 active:not-aria-[haspopup]:translate-y-px disabled:pointer-events-none disabled:opacity-50 aria-invalid:border-destructive aria-invalid:ring-3 aria-invalid:ring-destructive/20 dark:aria-invalid:border-destructive/50 dark:aria-invalid:ring-destructive/40 [&_svg]:pointer-events-none [&_svg]:shrink-0 [&_svg:not([class*='size-'])]:size-4",
+ {
+ variants: {
+ variant: {
+ default: "bg-primary text-primary-foreground hover:bg-primary/80",
+ outline:
+ "border-border bg-background hover:bg-muted hover:text-foreground aria-expanded:bg-muted aria-expanded:text-foreground dark:border-input dark:bg-input/30 dark:hover:bg-input/50",
+ secondary:
+ "bg-secondary text-secondary-foreground hover:bg-[color-mix(in_oklch,var(--secondary),var(--foreground)_5%)] aria-expanded:bg-secondary aria-expanded:text-secondary-foreground",
+ ghost:
+ "hover:bg-muted hover:text-foreground aria-expanded:bg-muted aria-expanded:text-foreground dark:hover:bg-muted/50",
+ destructive:
+ "bg-destructive/10 text-destructive hover:bg-destructive/20 focus-visible:border-destructive/40 focus-visible:ring-destructive/20 dark:bg-destructive/20 dark:hover:bg-destructive/30 dark:focus-visible:ring-destructive/40",
+ link: "text-primary underline-offset-4 hover:underline",
+ },
+ size: {
+ default:
+ "h-8 gap-1.5 px-2.5 has-data-[icon=inline-end]:pr-2 has-data-[icon=inline-start]:pl-2",
+ xs: "h-6 gap-1 rounded-[min(var(--radius-md),10px)] px-2 text-xs in-data-[slot=button-group]:rounded-lg has-data-[icon=inline-end]:pr-1.5 has-data-[icon=inline-start]:pl-1.5 [&_svg:not([class*='size-'])]:size-3",
+ sm: "h-7 gap-1 rounded-[min(var(--radius-md),12px)] px-2.5 text-[0.8rem] in-data-[slot=button-group]:rounded-lg has-data-[icon=inline-end]:pr-1.5 has-data-[icon=inline-start]:pl-1.5 [&_svg:not([class*='size-'])]:size-3.5",
+ lg: "h-9 gap-1.5 px-2.5 has-data-[icon=inline-end]:pr-2 has-data-[icon=inline-start]:pl-2",
+ icon: "size-8",
+ "icon-xs":
+ "size-6 rounded-[min(var(--radius-md),10px)] in-data-[slot=button-group]:rounded-lg [&_svg:not([class*='size-'])]:size-3",
+ "icon-sm":
+ "size-7 rounded-[min(var(--radius-md),12px)] in-data-[slot=button-group]:rounded-lg",
+ "icon-lg": "size-9",
+ },
+ },
+ defaultVariants: {
+ variant: "default",
+ size: "default",
+ },
+ }
+)
+
+function Button({
+ className,
+ variant = "default",
+ size = "default",
+ ...props
+}: ButtonPrimitive.Props & VariantProps) {
+ return (
+ img:first-child]:pt-0 data-[size=sm]:gap-3 data-[size=sm]:py-3 data-[size=sm]:has-data-[slot=card-footer]:pb-0 *:[img:first-child]:rounded-t-xl *:[img:last-child]:rounded-b-xl",
+ className
+ )}
+ {...props}
+ />
+ )
+}
+
+function CardHeader({ className, ...props }: React.ComponentProps<"div">) {
+ return (
+
+ )
+}
+
+function CardTitle({ className, ...props }: React.ComponentProps<"div">) {
+ return (
+
+ )
+}
+
+function CardDescription({ className, ...props }: React.ComponentProps<"div">) {
+ return (
+
+ )
+}
+
+function CardAction({ className, ...props }: React.ComponentProps<"div">) {
+ return (
+
+ )
+}
+
+function CardContent({ className, ...props }: React.ComponentProps<"div">) {
+ return (
+
+ )
+}
+
+function CardFooter({ className, ...props }: React.ComponentProps<"div">) {
+ return (
+
+ )
+}
+
+export {
+ Card,
+ CardHeader,
+ CardFooter,
+ CardTitle,
+ CardAction,
+ CardDescription,
+ CardContent,
+}
diff --git a/ui/src/components/ui/dialog.tsx b/ui/src/components/ui/dialog.tsx
new file mode 100644
index 00000000..014f5aa3
--- /dev/null
+++ b/ui/src/components/ui/dialog.tsx
@@ -0,0 +1,160 @@
+"use client"
+
+import * as React from "react"
+import { Dialog as DialogPrimitive } from "@base-ui/react/dialog"
+
+import { cn } from "@/lib/utils"
+import { Button } from "@/components/ui/button"
+import { XIcon } from "lucide-react"
+
+function Dialog({ ...props }: DialogPrimitive.Root.Props) {
+ return
+}
+
+function DialogTrigger({ ...props }: DialogPrimitive.Trigger.Props) {
+ return
+}
+
+function DialogPortal({ ...props }: DialogPrimitive.Portal.Props) {
+ return
+}
+
+function DialogClose({ ...props }: DialogPrimitive.Close.Props) {
+ return
+}
+
+function DialogOverlay({
+ className,
+ ...props
+}: DialogPrimitive.Backdrop.Props) {
+ return (
+
+ )
+}
+
+function DialogContent({
+ className,
+ children,
+ showCloseButton = true,
+ ...props
+}: DialogPrimitive.Popup.Props & {
+ showCloseButton?: boolean
+}) {
+ return (
+
+
+ {children}
+ {showCloseButton && (
+ Close
+
+ )}
+
+
+ )
+}
+
+function DialogHeader({ className, ...props }: React.ComponentProps<"div">) {
+ return (
+
+ )
+}
+
+function DialogFooter({
+ className,
+ showCloseButton = false,
+ children,
+ ...props
+}: React.ComponentProps<"div"> & {
+ showCloseButton?: boolean
+}) {
+ return (
+
+ {children}
+ {showCloseButton && (
+
+ )
+}
+
+function DialogTitle({ className, ...props }: DialogPrimitive.Title.Props) {
+ return (
+
+ )
+}
+
+function DialogDescription({
+ className,
+ ...props
+}: DialogPrimitive.Description.Props) {
+ return (
+
+ )
+}
+
+export {
+ Dialog,
+ DialogClose,
+ DialogContent,
+ DialogDescription,
+ DialogFooter,
+ DialogHeader,
+ DialogOverlay,
+ DialogPortal,
+ DialogTitle,
+ DialogTrigger,
+}
diff --git a/ui/src/components/ui/input.tsx b/ui/src/components/ui/input.tsx
new file mode 100644
index 00000000..7d21babb
--- /dev/null
+++ b/ui/src/components/ui/input.tsx
@@ -0,0 +1,20 @@
+import * as React from "react"
+import { Input as InputPrimitive } from "@base-ui/react/input"
+
+import { cn } from "@/lib/utils"
+
+function Input({ className, type, ...props }: React.ComponentProps<"input">) {
+ return (
+
+ )
+}
+
+export { Input }
diff --git a/ui/src/components/ui/scroll-area.tsx b/ui/src/components/ui/scroll-area.tsx
new file mode 100644
index 00000000..84c1e9fb
--- /dev/null
+++ b/ui/src/components/ui/scroll-area.tsx
@@ -0,0 +1,55 @@
+"use client"
+
+import * as React from "react"
+import { ScrollArea as ScrollAreaPrimitive } from "@base-ui/react/scroll-area"
+
+import { cn } from "@/lib/utils"
+
+function ScrollArea({
+ className,
+ children,
+ ...props
+}: ScrollAreaPrimitive.Root.Props) {
+ return (
+
+
+ {children}
+
+
+ )
+}
+
+function ScrollBar({
+ className,
+ orientation = "vertical",
+ ...props
+}: ScrollAreaPrimitive.Scrollbar.Props) {
+ return (
+
+
+ )
+}
+
+export { ScrollArea, ScrollBar }
diff --git a/ui/src/components/ui/separator.tsx b/ui/src/components/ui/separator.tsx
new file mode 100644
index 00000000..6e1369e4
--- /dev/null
+++ b/ui/src/components/ui/separator.tsx
@@ -0,0 +1,25 @@
+"use client"
+
+import { Separator as SeparatorPrimitive } from "@base-ui/react/separator"
+
+import { cn } from "@/lib/utils"
+
+function Separator({
+ className,
+ orientation = "horizontal",
+ ...props
+}: SeparatorPrimitive.Props) {
+ return (
+
+ )
+}
+
+export { Separator }
diff --git a/ui/src/components/ui/skeleton.tsx b/ui/src/components/ui/skeleton.tsx
new file mode 100644
index 00000000..0118624f
--- /dev/null
+++ b/ui/src/components/ui/skeleton.tsx
@@ -0,0 +1,13 @@
+import { cn } from "@/lib/utils"
+
+function Skeleton({ className, ...props }: React.ComponentProps<"div">) {
+ return (
+
+ )
+}
+
+export { Skeleton }
diff --git a/ui/src/components/ui/table.tsx b/ui/src/components/ui/table.tsx
new file mode 100644
index 00000000..abeaced4
--- /dev/null
+++ b/ui/src/components/ui/table.tsx
@@ -0,0 +1,116 @@
+"use client"
+
+import * as React from "react"
+
+import { cn } from "@/lib/utils"
+
+function Table({ className, ...props }: React.ComponentProps<"table">) {
+ return (
+
+ )
+}
+
+function TableHeader({ className, ...props }: React.ComponentProps<"thead">) {
+ return (
+
+ )
+}
+
+function TableBody({ className, ...props }: React.ComponentProps<"tbody">) {
+ return (
+
+ )
+}
+
+function TableFooter({ className, ...props }: React.ComponentProps<"tfoot">) {
+ return (
+
tr]:last:border-b-0",
+ className
+ )}
+ {...props}
+ />
+ )
+}
+
+function TableRow({ className, ...props }: React.ComponentProps<"tr">) {
+ return (
+ ) {
+ return (
+
+
+
+ {children}
+
+
+
+ )
+}
+
+export { Tooltip, TooltipTrigger, TooltipContent, TooltipProvider }
diff --git a/ui/src/lib/authsome-api.ts b/ui/src/lib/authsome-api.ts
new file mode 100644
index 00000000..7042189f
--- /dev/null
+++ b/ui/src/lib/authsome-api.ts
@@ -0,0 +1,329 @@
+export type DashboardStats = {
+ connected: number;
+ available: number;
+ oauth: number;
+ apiKey: number;
+};
+
+export type ProviderView = {
+ name: string;
+ displayName: string;
+ authType: "oauth2" | "api_key" | string;
+ authTypeLabel: string;
+ apiUrl: string;
+ description: string;
+ source: "bundled" | "custom" | string;
+ logoInitial: string;
+ status: "available" | "connected" | "reauth" | string;
+ scopeCount: number;
+ connectionCount: number;
+ requiresNamedLogin: boolean;
+};
+
+export type ConnectionRow = {
+ providerName: string;
+ providerDisplayName: string;
+ connectionName: string;
+ status: string;
+ authTypeLabel: string;
+};
+
+export type IdentityRow = {
+ handle: string;
+ isActive: boolean;
+};
+
+export type AuditRow = {
+ eventId: string;
+ time: string;
+ event: string;
+ source: string;
+ actor: string;
+ target: string;
+ status: string;
+ metadata: Record;
+};
+
+export type DashboardData = {
+ version: string;
+ account: {
+ email: string | null;
+ roleLabel: string | null;
+ isAdmin: boolean;
+ principalId: string | null;
+ identity: string | null;
+ };
+ stats: DashboardStats;
+ lastActivity: string;
+ providers: ProviderView[];
+ connectedProviders: ProviderView[];
+ connections: ConnectionRow[];
+ identities: IdentityRow[];
+ vault: {
+ vaultId: string | null;
+ handle: string;
+ isDefault: boolean;
+ };
+ audit: {
+ canView: boolean;
+ total: number;
+ events: AuditRow[];
+ };
+};
+
+type WhoamiResponse = {
+ version: string;
+ identity?: string;
+ active_identity?: string;
+ principal_id?: string;
+ principal_role?: string;
+ account_email?: string;
+ vault_id?: string;
+};
+
+type ConnectionSummary = {
+ connection_name: string;
+ auth_type?: string;
+ status?: string;
+ scopes?: string[];
+ expires_at?: string | null;
+};
+
+type ProviderResponse = {
+ name: string;
+ display_name?: string;
+ auth_type?: string;
+ api_url?: string | string[] | null;
+ oauth?: {
+ base_url?: string | null;
+ } | null;
+ metadata?: {
+ description?: string;
+ };
+};
+
+type ConnectionsResponse = {
+ connections: Array<{
+ name: string;
+ connections: ConnectionSummary[];
+ }>;
+ by_source: Record;
+};
+
+type AuditResponse = {
+ entries: Array>;
+};
+
+export class ApiError extends Error {
+ status: number;
+
+ constructor(status: number, message: string) {
+ super(message);
+ this.status = status;
+ }
+}
+
+async function requestJson(path: string): Promise {
+ const response = await fetch(path, {
+ credentials: "same-origin",
+ headers: {
+ Accept: "application/json",
+ },
+ });
+
+ if (!response.ok) {
+ let message = response.statusText || "Request failed";
+ try {
+ const payload = (await response.json()) as { detail?: string; message?: string };
+ message = payload.detail || payload.message || message;
+ } catch {
+ // Status is sufficient for the UI's failure modes.
+ }
+ throw new ApiError(response.status, message);
+ }
+
+ return response.json() as Promise;
+}
+
+function authTypeLabel(authType?: string): string {
+ return authType === "oauth2" ? "OAuth 2.0" : authType === "api_key" ? "API Key" : authType || "Provider";
+}
+
+function providerApiUrl(provider: ProviderResponse): string {
+ if (Array.isArray(provider.api_url)) {
+ return provider.api_url.filter(Boolean).join(", ") || provider.name;
+ }
+ return provider.api_url || provider.oauth?.base_url || provider.name;
+}
+
+function providerStatus(connections: ConnectionSummary[]): ProviderView["status"] {
+ if (!connections.length) {
+ return "available";
+ }
+ return connections.some((connection) => ["error", "expired"].includes(connection.status || ""))
+ ? "reauth"
+ : "connected";
+}
+
+function providerView(
+ provider: ProviderResponse,
+ source: string,
+ connections: ConnectionSummary[],
+): ProviderView {
+ const displayName = provider.display_name || provider.name;
+ return {
+ name: provider.name,
+ displayName,
+ authType: provider.auth_type || "provider",
+ authTypeLabel: authTypeLabel(provider.auth_type),
+ apiUrl: providerApiUrl(provider),
+ description: provider.metadata?.description || "",
+ source,
+ logoInitial: (displayName[0] || "?").toUpperCase(),
+ status: providerStatus(connections),
+ scopeCount: connections[0]?.scopes?.length || 0,
+ connectionCount: connections.length,
+ requiresNamedLogin: connections.some((connection) => connection.connection_name === "default"),
+ };
+}
+
+function buildProviders(data: ConnectionsResponse): ProviderView[] {
+ const connectionMap = new Map(data.connections.map((group) => [group.name, group.connections]));
+ return Object.entries(data.by_source).flatMap(([source, providers]) =>
+ providers.map((provider) => providerView(provider, source, connectionMap.get(provider.name) || [])),
+ );
+}
+
+function buildConnectionRows(data: ConnectionsResponse, providers: ProviderView[]): ConnectionRow[] {
+ const providerMap = new Map(providers.map((provider) => [provider.name, provider]));
+ return data.connections
+ .flatMap((group) => {
+ const provider = providerMap.get(group.name);
+ return group.connections.map((connection) => ({
+ providerName: group.name,
+ providerDisplayName: provider?.displayName || group.name,
+ connectionName: connection.connection_name,
+ status: connection.status || "unknown",
+ authTypeLabel: authTypeLabel(connection.auth_type || provider?.authType),
+ }));
+ })
+ .sort((a, b) => `${a.providerDisplayName}:${a.connectionName}`.localeCompare(`${b.providerDisplayName}:${b.connectionName}`));
+}
+
+function formatRelative(value: string | null | undefined): string | null {
+ if (!value) {
+ return null;
+ }
+ const parsed = new Date(value);
+ if (Number.isNaN(parsed.valueOf())) {
+ return null;
+ }
+ const deltaSeconds = Math.round((parsed.valueOf() - Date.now()) / 1000);
+ const absSeconds = Math.abs(deltaSeconds);
+ const direction = deltaSeconds >= 0 ? "in" : "ago";
+ const units: Array<[number, string]> = [
+ [86_400, "day"],
+ [3_600, "hour"],
+ [60, "minute"],
+ [1, "second"],
+ ];
+ const [unitSeconds, unit] = units.find(([seconds]) => absSeconds >= seconds) || [1, "second"];
+ const amount = Math.max(1, Math.floor(absSeconds / unitSeconds));
+ const label = `${amount} ${unit}${amount === 1 ? "" : "s"}`;
+ return direction === "in" ? `in ${label}` : `${label} ago`;
+}
+
+function lastActivity(data: ConnectionsResponse): string {
+ const latest = data.connections
+ .flatMap((group) => group.connections)
+ .map((connection) => connection.expires_at)
+ .filter((value): value is string => Boolean(value))
+ .sort((a, b) => new Date(b).valueOf() - new Date(a).valueOf())[0];
+ return formatRelative(latest) || "-";
+}
+
+function humanize(value: unknown): string {
+ const event = String(value || "audit_event").replaceAll("_", " ").replaceAll("-", " ").trim();
+ return event ? event[0].toUpperCase() + event.slice(1) : "Audit event";
+}
+
+function formatAuditTime(value: unknown): string {
+ if (!value) {
+ return "-";
+ }
+ const parsed = new Date(String(value));
+ if (Number.isNaN(parsed.valueOf())) {
+ return String(value);
+ }
+ return parsed.toISOString().replace("T", " ").slice(0, 16) + " UTC";
+}
+
+function buildAuditRows(entries: AuditResponse["entries"]): AuditRow[] {
+ const known = new Set(["event_id", "timestamp", "event", "source", "principal_id", "identity", "provider", "connection", "status"]);
+ return entries.map((entry, index) => {
+ const provider = entry.provider ? String(entry.provider) : "";
+ const connection = entry.connection ? String(entry.connection) : "";
+ const metadata = Object.fromEntries(Object.entries(entry).filter(([key, value]) => !known.has(key) && value != null));
+ return {
+ eventId: String(entry.event_id || `${entry.timestamp || "event"}-${index}`),
+ time: formatAuditTime(entry.timestamp),
+ event: humanize(entry.event),
+ source: String(entry.source || "internal"),
+ actor: String(entry.identity || entry.principal_id || "system"),
+ target: [provider, connection].filter(Boolean).join(" / ") || "Authsome",
+ status: String(entry.status || "-"),
+ metadata,
+ };
+ });
+}
+
+function roleLabel(role: string | undefined): string | null {
+ if (!role) {
+ return null;
+ }
+ return role.slice(0, 1).toUpperCase() + role.slice(1);
+}
+
+export async function fetchDashboard(): Promise {
+ const [whoami, connectionsData] = await Promise.all([
+ requestJson("/whoami"),
+ requestJson("/connections"),
+ ]);
+ const isAdmin = whoami.principal_role === "admin";
+ const audit = isAdmin ? await requestJson("/audit/events?limit=100") : { entries: [] };
+ const providers = buildProviders(connectionsData);
+ const connections = buildConnectionRows(connectionsData, providers);
+ const connectedProviders = providers.filter((provider) => provider.status !== "available");
+
+ return {
+ version: whoami.version,
+ account: {
+ email: whoami.account_email || null,
+ roleLabel: roleLabel(whoami.principal_role),
+ isAdmin,
+ principalId: whoami.principal_id || null,
+ identity: whoami.identity || whoami.active_identity || null,
+ },
+ stats: {
+ connected: connectedProviders.length,
+ available: providers.length - connectedProviders.length,
+ oauth: connectedProviders.filter((provider) => provider.authType === "oauth2").length,
+ apiKey: connectedProviders.filter((provider) => provider.authType === "api_key").length,
+ },
+ lastActivity: lastActivity(connectionsData),
+ providers,
+ connectedProviders: connectedProviders.slice(0, 6),
+ connections,
+ identities: whoami.identity ? [{ handle: whoami.identity, isActive: true }] : [],
+ vault: {
+ vaultId: whoami.vault_id || null,
+ handle: "default",
+ isDefault: true,
+ },
+ audit: {
+ canView: isAdmin,
+ total: audit.entries.length,
+ events: buildAuditRows(audit.entries),
+ },
+ };
+}
diff --git a/ui/src/lib/utils.ts b/ui/src/lib/utils.ts
new file mode 100644
index 00000000..bd0c391d
--- /dev/null
+++ b/ui/src/lib/utils.ts
@@ -0,0 +1,6 @@
+import { clsx, type ClassValue } from "clsx"
+import { twMerge } from "tailwind-merge"
+
+export function cn(...inputs: ClassValue[]) {
+ return twMerge(clsx(inputs))
+}
diff --git a/ui/tsconfig.json b/ui/tsconfig.json
new file mode 100644
index 00000000..cf9c65d3
--- /dev/null
+++ b/ui/tsconfig.json
@@ -0,0 +1,34 @@
+{
+ "compilerOptions": {
+ "target": "ES2017",
+ "lib": ["dom", "dom.iterable", "esnext"],
+ "allowJs": true,
+ "skipLibCheck": true,
+ "strict": true,
+ "noEmit": true,
+ "esModuleInterop": true,
+ "module": "esnext",
+ "moduleResolution": "bundler",
+ "resolveJsonModule": true,
+ "isolatedModules": true,
+ "jsx": "react-jsx",
+ "incremental": true,
+ "plugins": [
+ {
+ "name": "next"
+ }
+ ],
+ "paths": {
+ "@/*": ["./src/*"]
+ }
+ },
+ "include": [
+ "next-env.d.ts",
+ "**/*.ts",
+ "**/*.tsx",
+ ".next/types/**/*.ts",
+ ".next/dev/types/**/*.ts",
+ "**/*.mts"
+ ],
+ "exclude": ["node_modules"]
+}
diff --git a/uv.lock b/uv.lock
index e78d981f..d9009718 100644
--- a/uv.lock
+++ b/uv.lock
@@ -173,7 +173,6 @@ dependencies = [
{ name = "click" },
{ name = "cryptography" },
{ name = "fastapi" },
- { name = "jinja2" },
{ name = "keyring" },
{ name = "loguru" },
{ name = "mitmproxy" },
@@ -211,7 +210,6 @@ requires-dist = [
{ name = "cryptography", specifier = ">=41.0" },
{ name = "fastapi", specifier = ">=0.115" },
{ name = "httpx", marker = "extra == 'dev'", specifier = ">=0.28.1" },
- { name = "jinja2", specifier = ">=3.1" },
{ name = "keyring", specifier = ">=24.0" },
{ name = "loguru", specifier = ">=0.7" },
{ name = "mitmproxy", specifier = ">=11.0" },