Blaming LocalAuthority/scripts/host_manager.pl at b155c66db7b812ac473cd00cfbb8db96b1570825 · bogdan/LocalAuthority

LocalAuthority / scripts / host_manager.pl

Newer ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ Older

Xdev Host Manager Tighten login bottom spacing

1690 lines | 63.687kb

Initial host manager registr... Xdev Host Manager authored 2 days ago	1	#!/usr/bin/env perl
	2	#
	3	# host_manager.pl - Minimal host registry web app with no CPAN dependencies.
	4	#
	5
	6	use strict;
	7	use warnings;
	8
	9	use Cwd qw(abs_path);
	10	use Digest::SHA qw(hmac_sha1 hmac_sha256_hex sha256_hex);
	11	use File::Basename qw(dirname);
	12	use File::Path qw(make_path);
	13	use IO::Socket::INET;
	14	use POSIX qw(strftime);
	15	use Time::HiRes qw(time);
	16
	17	my $script_dir = dirname(abs_path($0));
	18	my $project_dir = dirname($script_dir);
	19
	20	my %opt = (
	21	bind => $ENV{HOST_MANAGER_BIND} \|\| '127.0.0.1',
	22	port => $ENV{HOST_MANAGER_PORT} \|\| 8088,
	23	data => $ENV{HOST_MANAGER_DATA} \|\| "$project_dir/config/hosts.yaml",
	24	local_hosts_tsv => $ENV{HOST_MANAGER_LOCAL_HOSTS_TSV} \|\| "$project_dir/config/local-hosts.tsv",
Add work order workflow for ... Xdev Host Manager authored 2 days ago	25	work_orders => $ENV{HOST_MANAGER_WORK_ORDERS} \|\| "$project_dir/config/work-orders.yaml",
Initial host manager registr... Xdev Host Manager authored 2 days ago	26	);
	27
	28	while (@ARGV) {
	29	my $arg = shift @ARGV;
	30	if ($arg eq '--bind') {
	31	$opt{bind} = shift @ARGV;
	32	} elsif ($arg eq '--port') {
	33	$opt{port} = shift @ARGV;
	34	} elsif ($arg eq '--data') {
	35	$opt{data} = shift @ARGV;
	36	} elsif ($arg eq '--local-hosts-tsv') {
	37	$opt{local_hosts_tsv} = shift @ARGV;
Add work order workflow for ... Xdev Host Manager authored 2 days ago	38	} elsif ($arg eq '--work-orders') {
	39	$opt{work_orders} = shift @ARGV;
Initial host manager registr... Xdev Host Manager authored 2 days ago	40	} elsif ($arg eq '--help' \|\| $arg eq '-h') {
	41	usage();
	42	exit 0;
	43	} else {
	44	die "Unknown option: $arg\n";
	45	}
	46	}
	47
	48	my $session_secret = $ENV{HOST_MANAGER_SESSION_SECRET} \|\| random_hex(32);
	49	my %sessions;
	50
	51	my $server = IO::Socket::INET->new(
	52	LocalHost => $opt{bind},
	53	LocalPort => $opt{port},
	54	Proto => 'tcp',
	55	Listen => 10,
	56	ReuseAddr => 1,
	57	) or die "Cannot listen on $opt{bind}:$opt{port}: $!\n";
	58
	59	print "host-manager listening on http://$opt{bind}:$opt{port}\n";
	60	print "data file: $opt{data}\n";
	61	print "OTP login: " . ($ENV{HOST_MANAGER_TOTP_SECRET} ? "enabled\n" : "disabled; set HOST_MANAGER_TOTP_SECRET\n");
	62
	63	while (my $client = $server->accept) {
	64	eval {
	65	$client->autoflush(1);
	66	handle_client($client);
	67	};
	68	if ($@) {
	69	eval { send_json($client, 500, { error => 'internal_error', detail => "$@" }); };
	70	}
	71	close $client;
	72	}
	73
	74	sub usage {
	75	print <<"EOF";
	76	Usage: perl scripts/host_manager.pl [--bind 127.0.0.1] [--port 8088]
	77
	78	Environment:
	79	HOST_MANAGER_TOTP_SECRET Base32 TOTP secret required for write access.
	80	HOST_MANAGER_SESSION_SECRET Optional session signing secret.
	81	HOST_MANAGER_DATA Defaults to config/hosts.yaml.
	82	HOST_MANAGER_LOCAL_HOSTS_TSV Defaults to config/local-hosts.tsv.
Add work order workflow for ... Xdev Host Manager authored 2 days ago	83	HOST_MANAGER_WORK_ORDERS Defaults to config/work-orders.yaml.
Initial host manager registr... Xdev Host Manager authored 2 days ago	84
Add work order workflow for ... Xdev Host Manager authored 2 days ago	85	The nginx vhost keeps registry, CA, work order and download endpoints behind OTP.
Initial host manager registr... Xdev Host Manager authored 2 days ago	86	EOF
	87	}
	88
	89	sub handle_client {
	90	my ($client) = @_;
	91	my $request_line = <$client>;
	92	return unless defined $request_line;
	93	$request_line =~ s/\r?\n$//;
	94	my ($method, $target) = $request_line =~ m{^([A-Z]+)\s+(\S+)\s+HTTP/};
	95	return send_text($client, 400, 'bad request') unless $method && $target;
	96
	97	my %headers;
	98	while (my $line = <$client>) {
	99	$line =~ s/\r?\n$//;
	100	last if $line eq '';
	101	my ($k, $v) = split /:\s*/, $line, 2;
	102	$headers{lc $k} = $v if defined $k && defined $v;
	103	}
	104
	105	my $body = '';
	106	if (($headers{'content-length'} \|\| 0) > 0) {
	107	read($client, $body, int($headers{'content-length'}));
	108	}
	109
	110	my ($path, $query) = split /\?/, $target, 2;
	111	my %query = parse_params($query \|\| '');
	112
	113	if ($method eq 'GET' && $path eq '/') {
	114	return send_html($client, 200, app_html());
	115	}
	116	if ($method eq 'GET' && $path eq '/healthz') {
Require authentication for h... Xdev Host Manager authored 2 days ago	117	return send_json($client, 200, { ok => json_bool(1) });
Initial host manager registr... Xdev Host Manager authored 2 days ago	118	}
	119	if ($method eq 'GET' && $path eq '/api/session') {
	120	return send_json($client, 200, { authenticated => is_authenticated(\%headers) ? json_bool(1) : json_bool(0) });
	121	}
Require authentication for h... Xdev Host Manager authored 2 days ago	122	if ($method eq 'POST' && $path eq '/api/login') {
	123	return send_json($client, 503, { error => 'otp_not_configured' }) unless $ENV{HOST_MANAGER_TOTP_SECRET};
	124	my $payload = request_payload(\%headers, $body);
	125	my $otp = $payload->{otp} \|\| '';
	126	if (!verify_totp($ENV{HOST_MANAGER_TOTP_SECRET} \|\| '', $otp)) {
	127	return send_json($client, 401, { error => 'invalid_otp' });
	128	}
	129	my $token = create_session();
	130	return send_json($client, 200, { ok => json_bool(1) }, [ "Set-Cookie: hm_session=$token; HttpOnly; SameSite=Strict; Path=/" ]);
	131	}
	132	if ($method eq 'POST' && $path eq '/api/logout') {
	133	expire_session(\%headers);
	134	return send_json($client, 200, { ok => json_bool(1) }, [ "Set-Cookie: hm_session=deleted; Max-Age=0; Path=/" ]);
	135	}
	136
	137	return send_json($client, 401, { error => 'authentication_required' }) unless is_authenticated(\%headers);
	138
Initial host manager registr... Xdev Host Manager authored 2 days ago	139	if ($method eq 'GET' && $path eq '/api/hosts') {
	140	my $registry = load_registry();
	141	return send_json($client, 200, registry_payload($registry));
	142	}
Add work order workflow for ... Xdev Host Manager authored 2 days ago	143	if ($method eq 'GET' && $path eq '/api/work-orders') {
	144	return send_json($client, 200, work_orders_payload(load_work_orders()));
	145	}
Initial host manager registr... Xdev Host Manager authored 2 days ago	146	if ($method eq 'GET' && $path eq '/download/hosts.yaml') {
	147	return send_file($client, $opt{data}, 'application/x-yaml; charset=utf-8', 'hosts.yaml');
	148	}
	149	if ($method eq 'GET' && $path eq '/download/local-hosts.tsv') {
	150	my $registry = load_registry();
	151	return send_download($client, 200, render_local_hosts_tsv($registry), 'text/tab-separated-values; charset=utf-8', 'local-hosts.tsv');
	152	}
	153	if ($method eq 'GET' && $path eq '/download/monitoring.json') {
	154	my $registry = load_registry();
	155	return send_download($client, 200, json_encode(render_monitoring($registry)), 'application/json; charset=utf-8', 'monitoring-hosts.json');
	156	}
Add local host certificate a... Xdev Host Manager authored 2 days ago	157	if ($method eq 'GET' && $path eq '/api/ca/status') {
	158	return send_json_raw($client, 200, ca_manager_json('status-json'));
	159	}
	160	if ($method eq 'GET' && $path eq '/api/ca/certificates') {
	161	return send_json_raw($client, 200, ca_manager_json('list-json'));
	162	}
	163	if ($method eq 'GET' && $path eq '/download/ca.crt') {
	164	return send_file($client, ca_cert_path(), 'application/x-pem-file; charset=utf-8', 'xdev-madagascar-host-ca.crt');
	165	}
Initial host manager registr... Xdev Host Manager authored 2 days ago	166
	167	if ($method eq 'POST' && $path =~ m{^/api/}) {
	168	if ($path eq '/api/hosts/upsert') {
	169	my $payload = request_payload(\%headers, $body);
	170	return upsert_host($client, $payload);
	171	}
	172	if ($path eq '/api/hosts/delete') {
	173	my $payload = request_payload(\%headers, $body);
	174	return delete_host($client, $payload->{id} \|\| '');
	175	}
Add work order workflow for ... Xdev Host Manager authored 2 days ago	176	if ($path eq '/api/work-orders/confirm') {
	177	my $payload = request_payload(\%headers, $body);
	178	return confirm_work_order($client, $payload);
	179	}
Require work order checklist... Xdev Host Manager authored 2 days ago	180	if ($path eq '/api/work-orders/checklist') {
	181	my $payload = request_payload(\%headers, $body);
	182	return update_work_order_checklist($client, $payload);
	183	}
Initial host manager registr... Xdev Host Manager authored 2 days ago	184	if ($path eq '/api/render/local-hosts-tsv') {
	185	my $registry = load_registry();
	186	my $content = render_local_hosts_tsv($registry);
	187	backup_file($opt{local_hosts_tsv});
	188	write_file($opt{local_hosts_tsv}, $content);
	189	return send_json($client, 200, { ok => json_bool(1), file => $opt{local_hosts_tsv} });
	190	}
	191	}
	192
	193	return send_json($client, 404, { error => 'not_found' });
	194	}
	195
	196	sub load_registry {
	197	return parse_hosts_yaml(read_file($opt{data}));
	198	}
	199
	200	sub save_registry {
	201	my ($registry) = @_;
	202	$registry->{updated_at} = iso_now();
	203	backup_file($opt{data});
	204	write_file($opt{data}, render_hosts_yaml($registry));
	205	}
	206
Add work order workflow for ... Xdev Host Manager authored 2 days ago	207	sub load_work_orders {
	208	return { version => 1, work_orders => [] } unless -f $opt{work_orders};
	209	return parse_work_orders_yaml(read_file($opt{work_orders}));
	210	}
	211
	212	sub save_work_orders {
	213	my ($orders) = @_;
	214	backup_file($opt{work_orders});
	215	write_file($opt{work_orders}, render_work_orders_yaml($orders));
	216	}
	217
	218	sub work_orders_payload {
	219	my ($orders) = @_;
	220	my $pending = 0;
	221	for my $wo (@{ $orders->{work_orders} \|\| [] }) {
	222	$pending++ if ($wo->{status} \|\| 'pending') eq 'pending';
	223	}
	224	return {
	225	version => $orders->{version},
	226	work_orders => $orders->{work_orders} \|\| [],
	227	counts => {
	228	work_orders => scalar @{ $orders->{work_orders} \|\| [] },
	229	pending => $pending,
	230	},
	231	};
	232	}
	233
	234	sub confirm_work_order {
	235	my ($client, $payload) = @_;
	236	my $id = clean_scalar($payload->{id} \|\| '');
	237	return send_json($client, 400, { error => 'invalid_work_order_id' }) unless $id =~ /\AWO-[A-Za-z0-9_.-]+\z/;
	238	return send_json($client, 400, { error => 'confirmation_required' }) unless clean_scalar($payload->{confirm} \|\| '') eq $id;
	239
	240	my $orders = load_work_orders();
	241	my $work_order;
	242	for my $wo (@{ $orders->{work_orders} \|\| [] }) {
	243	if (($wo->{id} \|\| '') eq $id) {
	244	$work_order = $wo;
	245	last;
	246	}
	247	}
	248	return send_json($client, 404, { error => 'work_order_not_found' }) unless $work_order;
	249	return send_json($client, 409, { error => 'work_order_not_pending' }) unless ($work_order->{status} \|\| 'pending') eq 'pending';
Require work order checklist... Xdev Host Manager authored 2 days ago	250	my $incomplete = incomplete_work_order_items($work_order);
	251	return send_json($client, 409, {
	252	error => 'work_order_incomplete',
	253	incomplete => $incomplete,
	254	}) if @$incomplete;
Add work order workflow for ... Xdev Host Manager authored 2 days ago	255
	256	my $registry = load_registry();
	257	my $results = apply_work_order($registry, $work_order);
	258	$work_order->{status} = 'confirmed';
	259	$work_order->{confirmed_at} = iso_now();
	260	$work_order->{result} = scalar(@$results) . ' action(s) applied';
	261
	262	save_registry($registry);
	263	save_work_orders($orders);
	264	backup_file($opt{local_hosts_tsv});
	265	write_file($opt{local_hosts_tsv}, render_local_hosts_tsv($registry));
	266
	267	return send_json($client, 200, {
	268	ok => json_bool(1),
	269	work_order => $work_order,
	270	results => $results,
	271	local_hosts_tsv => $opt{local_hosts_tsv},
	272	});
	273	}
	274
Require work order checklist... Xdev Host Manager authored 2 days ago	275	sub update_work_order_checklist {
	276	my ($client, $payload) = @_;
	277	my $id = clean_scalar($payload->{id} \|\| '');
	278	my $item_id = clean_scalar($payload->{item_id} \|\| '');
	279	my $status = clean_scalar($payload->{status} \|\| '');
	280	my $notes = clean_scalar($payload->{notes} \|\| '');
	281	return send_json($client, 400, { error => 'invalid_work_order_id' }) unless $id =~ /\AWO-[A-Za-z0-9_.-]+\z/;
	282	return send_json($client, 400, { error => 'invalid_checklist_item' }) unless $item_id =~ /\A[A-Za-z0-9_.-]+\z/;
	283	return send_json($client, 400, { error => 'invalid_checklist_status' }) unless $status =~ /\A(?:pending\|done\|blocked)\z/;
	284
	285	my $orders = load_work_orders();
	286	my $work_order;
	287	for my $wo (@{ $orders->{work_orders} \|\| [] }) {
	288	if (($wo->{id} \|\| '') eq $id) {
	289	$work_order = $wo;
	290	last;
	291	}
	292	}
	293	return send_json($client, 404, { error => 'work_order_not_found' }) unless $work_order;
	294	return send_json($client, 409, { error => 'work_order_not_pending' }) unless ($work_order->{status} \|\| 'pending') eq 'pending';
	295
	296	my $item;
	297	for my $candidate (@{ $work_order->{checklist} \|\| [] }) {
	298	if (($candidate->{id} \|\| '') eq $item_id) {
	299	$item = $candidate;
	300	last;
	301	}
	302	}
	303	return send_json($client, 404, { error => 'checklist_item_not_found' }) unless $item;
	304
	305	$item->{status} = $status;
	306	$item->{updated_at} = iso_now();
	307	$item->{notes} = $notes if length $notes;
	308	save_work_orders($orders);
	309	return send_json($client, 200, { ok => json_bool(1), work_order => $work_order });
	310	}
	311
	312	sub incomplete_work_order_items {
	313	my ($work_order) = @_;
	314	my @incomplete;
	315	for my $item (@{ $work_order->{checklist} \|\| [] }) {
	316	push @incomplete, $item unless ($item->{status} \|\| 'pending') eq 'done';
	317	}
	318	return \@incomplete;
	319	}
	320
Add work order workflow for ... Xdev Host Manager authored 2 days ago	321	sub apply_work_order {
	322	my ($registry, $work_order) = @_;
	323	my @results;
	324	for my $action (@{ $work_order->{actions} \|\| [] }) {
	325	my $type = $action->{type} \|\| '';
	326	if ($type eq 'remove_name') {
	327	my $host_id = $action->{host_id} \|\| '';
	328	my $name = $action->{name} \|\| '';
	329	my $removed = 0;
	330	for my $host (@{ $registry->{hosts} \|\| [] }) {
	331	next unless ($host->{id} \|\| '') eq $host_id;
	332	my @kept = grep { $_ ne $name } @{ $host->{names} \|\| [] };
	333	$removed = @kept != @{ $host->{names} \|\| [] };
	334	$host->{names} = \@kept;
	335	last;
	336	}
	337	push @results, {
	338	type => $type,
	339	host_id => $host_id,
	340	name => $name,
	341	removed => json_bool($removed),
	342	};
	343	} else {
	344	die "Unsupported work order action: $type\n";
	345	}
	346	}
	347	return \@results;
	348	}
	349
Initial host manager registr... Xdev Host Manager authored 2 days ago	350	sub registry_payload {
	351	my ($registry) = @_;
	352	my $problems = analyze_hosts($registry->{hosts});
Derive short names from defa... Xdev Host Manager authored 2 days ago	353	my @hosts = map { host_payload($_) } @{ $registry->{hosts} };
Initial host manager registr... Xdev Host Manager authored 2 days ago	354	return {
	355	version => $registry->{version},
	356	updated_at => $registry->{updated_at},
	357	policy => $registry->{policy},
Derive short names from defa... Xdev Host Manager authored 2 days ago	358	hosts => \@hosts,
Initial host manager registr... Xdev Host Manager authored 2 days ago	359	problems => $problems,
	360	counts => {
	361	hosts => scalar @{ $registry->{hosts} },
	362	problems => scalar @$problems,
	363	},
	364	};
	365	}
	366
	367	sub upsert_host {
	368	my ($client, $payload) = @_;
	369	my $id = clean_id($payload->{id} \|\| '');
	370	return send_json($client, 400, { error => 'invalid_id' }) unless $id;
	371
	372	my $hosts_ip = clean_scalar($payload->{hosts_ip} \|\| '');
	373	my $dns_ip = clean_scalar($payload->{dns_ip} \|\| '');
	374	return send_json($client, 400, { error => 'missing_ip' }) unless $hosts_ip && $dns_ip;
	375
Derive short names from defa... Xdev Host Manager authored 2 days ago	376	my @names = remove_derived_names(clean_list($payload->{names}));
Initial host manager registr... Xdev Host Manager authored 2 days ago	377	return send_json($client, 400, { error => 'missing_names' }) unless @names;
	378
	379	my $registry = load_registry();
	380	my %host = (
	381	id => $id,
	382	status => clean_scalar($payload->{status} \|\| 'active'),
	383	hosts_ip => $hosts_ip,
	384	dns_ip => $dns_ip,
	385	names => \@names,
	386	roles => [ clean_list($payload->{roles}) ],
	387	sources => [ clean_list($payload->{sources}) ],
	388	monitoring => clean_scalar($payload->{monitoring} \|\| 'pending'),
	389	notes => clean_scalar($payload->{notes} \|\| ''),
	390	);
	391
	392	my $replaced = 0;
	393	for my $i (0 .. $#{ $registry->{hosts} }) {
	394	if ($registry->{hosts}->[$i]{id} eq $id) {
	395	$registry->{hosts}->[$i] = \%host;
	396	$replaced = 1;
	397	last;
	398	}
	399	}
	400	push @{ $registry->{hosts} }, \%host unless $replaced;
	401	save_registry($registry);
	402	return send_json($client, 200, { ok => json_bool(1), host => \%host });
	403	}
	404
	405	sub delete_host {
	406	my ($client, $id) = @_;
	407	$id = clean_id($id);
	408	return send_json($client, 400, { error => 'invalid_id' }) unless $id;
	409
	410	my $registry = load_registry();
	411	my @kept = grep { $_->{id} ne $id } @{ $registry->{hosts} };
	412	return send_json($client, 404, { error => 'not_found' }) if @kept == @{ $registry->{hosts} };
	413	$registry->{hosts} = \@kept;
	414	save_registry($registry);
	415	return send_json($client, 200, { ok => json_bool(1) });
	416	}
	417
	418	sub analyze_hosts {
	419	my ($hosts) = @_;
	420	my @problems;
	421	my (%names, %ids);
	422	for my $host (@$hosts) {
	423	push @problems, problem($host, 'duplicate-id', "Duplicate id $host->{id}") if $ids{ $host->{id} }++;
	424	my @fqdn = grep { /\.madagascar\.xdev\.ro$/ } @{ $host->{names} \|\| [] };
	425	push @problems, problem($host, 'missing-fqdn', 'No madagascar.xdev.ro FQDN') unless @fqdn \|\| ($host->{status} \|\| '') ne 'active';
	426	push @problems, problem($host, 'deprecated-vad-is', 'Deprecated vad.is.xdev.ro name present')
	427	if grep { /\.vad\.is\.xdev\.ro$/ } @{ $host->{names} \|\| [] };
	428	push @problems, problem($host, 'legacy-prefix', 'Legacy prefix should be normalized out')
	429	if grep { /^(is\|vad\|b)-/ } @{ $host->{names} \|\| [] };
	430	for my $name (@{ $host->{names} \|\| [] }) {
	431	push @problems, problem($host, 'duplicate-name', "Duplicate name $name") if $names{$name}++;
	432	}
Derive short names from defa... Xdev Host Manager authored 2 days ago	433	my %declared = map { $_ => 1 } @{ $host->{names} \|\| [] };
	434	for my $derived (derived_names($host)) {
	435	push @problems, problem($host, 'redundant-derived-name', "Name $derived is derived from madagascar.xdev.ro")
	436	if $declared{$derived};
	437	}
Initial host manager registr... Xdev Host Manager authored 2 days ago	438	if (($host->{hosts_ip} \|\| '') ne ($host->{dns_ip} \|\| '') && ($host->{hosts_ip} \|\| '') ne '127.0.0.1') {
	439	push @problems, problem($host, 'split-ip', 'hosts_ip differs from dns_ip; check that this is intentional');
	440	}
	441	}
	442	return \@problems;
	443	}
	444
Derive short names from defa... Xdev Host Manager authored 2 days ago	445	sub host_payload {
	446	my ($host) = @_;
	447	my %copy = %$host;
	448	$copy{names} = [ effective_names($host) ];
	449	$copy{declared_names} = [ @{ $host->{names} \|\| [] } ];
	450	$copy{derived_names} = [ derived_names($host) ];
	451	return \%copy;
	452	}
	453
	454	sub effective_names {
	455	my ($host) = @_;
	456	my @names = @{ $host->{names} \|\| [] };
	457	push @names, derived_names($host);
	458	return unique_preserve(@names);
	459	}
	460
	461	sub derived_names {
	462	my ($host) = @_;
	463	my @derived;
	464	for my $name (@{ $host->{names} \|\| [] }) {
	465	next unless $name =~ /^(.+)\.madagascar\.xdev\.ro$/;
	466	push @derived, $1 if length $1;
	467	}
	468	return unique_preserve(@derived);
	469	}
	470
	471	sub remove_derived_names {
	472	my @names = @_;
	473	my %derived;
	474	for my $name (@names) {
	475	next unless $name =~ /^(.+)\.madagascar\.xdev\.ro$/;
	476	$derived{$1} = 1;
	477	}
	478	return grep { !$derived{$_} } @names;
	479	}
	480
	481	sub unique_preserve {
	482	my @values = @_;
	483	my %seen;
	484	return grep { !$seen{$_}++ } @values;
	485	}
	486
Initial host manager registr... Xdev Host Manager authored 2 days ago	487	sub problem {
	488	my ($host, $code, $message) = @_;
	489	return { host_id => $host->{id}, code => $code, message => $message };
	490	}
	491
	492	sub render_local_hosts_tsv {
	493	my ($registry) = @_;
	494	my $out = "# Local DNS manifest for the madagascar network.\n";
	495	$out .= "# Generated by scripts/host_manager.pl from config/hosts.yaml.\n";
	496	$out .= "#\n";
	497	$out .= "# Format:\n";
	498	$out .= "# hosts_ip<TAB>dns_ip<TAB>name [aliases...]\n";
	499	$out .= "#\n";
	500	$out .= "# Priority rule:\n";
	501	$out .= "# - DHCP lease/reservation on 192.168.2.1 is canonical for LAN IP allocation.\n";
	502	$out .= "# - madagascar.json is canonical for cluster roles and service interfaces.\n";
	503	$out .= "# - This file publishes approved local DNS records derived from those sources.\n";
	504	for my $host (sort { $a->{id} cmp $b->{id} } @{ $registry->{hosts} }) {
	505	next unless ($host->{status} \|\| 'active') eq 'active';
Derive short names from defa... Xdev Host Manager authored 2 days ago	506	my @names = effective_names($host);
	507	next unless @names;
	508	$out .= join("\t", $host->{hosts_ip}, $host->{dns_ip}, join(' ', @names)) . "\n";
Initial host manager registr... Xdev Host Manager authored 2 days ago	509	}
	510	return $out;
	511	}
	512
	513	sub render_monitoring {
	514	my ($registry) = @_;
	515	my @hosts;
	516	for my $host (sort { $a->{id} cmp $b->{id} } @{ $registry->{hosts} }) {
	517	next unless ($host->{status} \|\| 'active') eq 'active';
	518	next if ($host->{monitoring} \|\| 'pending') eq 'disabled';
Derive short names from defa... Xdev Host Manager authored 2 days ago	519	my @names = effective_names($host);
Initial host manager registr... Xdev Host Manager authored 2 days ago	520	push @hosts, {
	521	id => $host->{id},
Derive short names from defa... Xdev Host Manager authored 2 days ago	522	primary_name => $names[0],
Initial host manager registr... Xdev Host Manager authored 2 days ago	523	address => $host->{dns_ip},
Derive short names from defa... Xdev Host Manager authored 2 days ago	524	aliases => \@names,
	525	declared_names => [ @{ $host->{names} \|\| [] } ],
	526	derived_names => [ derived_names($host) ],
Initial host manager registr... Xdev Host Manager authored 2 days ago	527	roles => [ @{ $host->{roles} \|\| [] } ],
	528	monitoring => $host->{monitoring} \|\| 'pending',
	529	notes => $host->{notes} \|\| '',
	530	};
	531	}
	532	return {
	533	version => $registry->{version},
	534	generated_at => iso_now(),
	535	source => 'config/hosts.yaml',
	536	hosts => \@hosts,
	537	};
	538	}
	539
Add local host certificate a... Xdev Host Manager authored 2 days ago	540	sub ca_script_path {
	541	return "$project_dir/scripts/ca_manager.sh";
	542	}
	543
	544	sub ca_dir {
	545	return $ENV{HOST_MANAGER_CA_DIR} \|\| "$project_dir/var/ca";
	546	}
	547
	548	sub ca_cert_path {
	549	return ca_dir() . "/certs/ca.cert.pem";
	550	}
	551
	552	sub ca_manager_json {
	553	my ($command) = @_;
	554	my $script = ca_script_path();
	555	die "CA manager script is missing\n" unless -x $script;
	556	local $ENV{HOST_MANAGER_CA_DIR} = ca_dir();
	557	open my $fh, '-\|', $script, $command or die "Cannot run CA manager\n";
	558	local $/;
	559	my $out = <$fh>;
	560	close $fh or die "CA manager failed\n";
	561	return $out \|\| '{}';
	562	}
	563
Initial host manager registr... Xdev Host Manager authored 2 days ago	564	sub parse_hosts_yaml {
	565	my ($text) = @_;
	566	my %registry = (
	567	version => 1,
	568	updated_at => '',
	569	policy => {},
	570	hosts => [],
	571	);
	572	my ($section, $current, $list_key);
	573	for my $line (split /\n/, $text) {
	574	next if $line =~ /^\s$/ \|\| $line =~ /^\s#/;
	575	if ($line =~ /^version:\s*(\d+)/) {
	576	$registry{version} = int($1);
	577	} elsif ($line =~ /^updated_at:\s*(.+)$/) {
	578	$registry{updated_at} = yaml_unquote($1);
	579	} elsif ($line =~ /^policy:\s*$/) {
	580	$section = 'policy';
	581	} elsif ($line =~ /^hosts:\s*$/) {
	582	$section = 'hosts';
	583	} elsif (($section \|\| '') eq 'policy' && $line =~ /^ ([A-Za-z0-9_]+):\s*(.+)$/) {
	584	$registry{policy}{$1} = yaml_unquote($2);
	585	} elsif (($section \|\| '') eq 'hosts' && $line =~ /^ - id:\s*(.+)$/) {
	586	$current = {
	587	id => yaml_unquote($1),
	588	status => 'active',
	589	hosts_ip => '',
	590	dns_ip => '',
	591	names => [],
	592	roles => [],
	593	sources => [],
	594	monitoring => 'pending',
	595	notes => '',
	596	};
	597	push @{ $registry{hosts} }, $current;
	598	$list_key = undef;
	599	} elsif ($current && $line =~ /^ ([A-Za-z0-9_]+):\s*$/) {
	600	$list_key = $1;
	601	$current->{$list_key} \|\|= [];
	602	} elsif ($current && defined $list_key && $line =~ /^ -\s*(.+)$/) {
	603	push @{ $current->{$list_key} }, yaml_unquote($1);
	604	} elsif ($current && $line =~ /^ ([A-Za-z0-9_]+):\s(.)$/) {
	605	$current->{$1} = yaml_unquote($2);
	606	$list_key = undef;
	607	}
	608	}
	609	return \%registry;
	610	}
	611
	612	sub render_hosts_yaml {
	613	my ($registry) = @_;
	614	my $out = "version: " . int($registry->{version} \|\| 1) . "\n";
	615	$out .= "updated_at: " . yq($registry->{updated_at} \|\| iso_now()) . "\n";
	616	$out .= "policy:\n";
	617	for my $key (sort keys %{ $registry->{policy} \|\| {} }) {
	618	$out .= " $key: " . yq($registry->{policy}{$key}) . "\n";
	619	}
	620	$out .= "hosts:\n";
	621	for my $host (sort { $a->{id} cmp $b->{id} } @{ $registry->{hosts} \|\| [] }) {
	622	$out .= " - id: " . yq($host->{id}) . "\n";
	623	for my $key (qw(status hosts_ip dns_ip)) {
	624	$out .= " $key: " . yq($host->{$key} \|\| '') . "\n";
	625	}
	626	for my $key (qw(names roles sources)) {
	627	$out .= " $key:\n";
	628	for my $value (@{ $host->{$key} \|\| [] }) {
	629	$out .= " - " . yq($value) . "\n";
	630	}
	631	}
	632	$out .= " monitoring: " . yq($host->{monitoring} \|\| 'pending') . "\n";
	633	$out .= " notes: " . yq($host->{notes} \|\| '') . "\n";
	634	}
	635	return $out;
	636	}
	637
Add work order workflow for ... Xdev Host Manager authored 2 days ago	638	sub parse_work_orders_yaml {
	639	my ($text) = @_;
	640	my %orders = (
	641	version => 1,
	642	work_orders => [],
	643	);
Require work order checklist... Xdev Host Manager authored 2 days ago	644	my ($section, $current, $list_section, $current_action, $current_item);
Add work order workflow for ... Xdev Host Manager authored 2 days ago	645	for my $line (split /\n/, $text) {
	646	next if $line =~ /^\s$/ \|\| $line =~ /^\s#/;
	647	if ($line =~ /^version:\s*(\d+)/) {
	648	$orders{version} = int($1);
	649	} elsif ($line =~ /^work_orders:\s*$/) {
	650	$section = 'work_orders';
	651	} elsif (($section \|\| '') eq 'work_orders' && $line =~ /^ - id:\s*(.+)$/) {
	652	$current = {
	653	id => yaml_unquote($1),
	654	status => 'pending',
Require work order checklist... Xdev Host Manager authored 2 days ago	655	checklist => [],
Add work order workflow for ... Xdev Host Manager authored 2 days ago	656	actions => [],
	657	};
	658	push @{ $orders{work_orders} }, $current;
Require work order checklist... Xdev Host Manager authored 2 days ago	659	$list_section = '';
Add work order workflow for ... Xdev Host Manager authored 2 days ago	660	$current_action = undef;
Require work order checklist... Xdev Host Manager authored 2 days ago	661	$current_item = undef;
	662	} elsif ($current && $line =~ /^ checklist:\s*$/) {
	663	$list_section = 'checklist';
	664	$current->{checklist} \|\|= [];
	665	} elsif ($current && $list_section eq 'checklist' && $line =~ /^ - id:\s*(.+)$/) {
	666	$current_item = { id => yaml_unquote($1), status => 'pending' };
	667	push @{ $current->{checklist} }, $current_item;
	668	$current_action = undef;
	669	} elsif ($current_item && $list_section eq 'checklist' && $line =~ /^ ([A-Za-z0-9_]+):\s(.)$/) {
	670	$current_item->{$1} = yaml_unquote($2);
Add work order workflow for ... Xdev Host Manager authored 2 days ago	671	} elsif ($current && $line =~ /^ actions:\s*$/) {
Require work order checklist... Xdev Host Manager authored 2 days ago	672	$list_section = 'actions';
Add work order workflow for ... Xdev Host Manager authored 2 days ago	673	$current->{actions} \|\|= [];
Require work order checklist... Xdev Host Manager authored 2 days ago	674	} elsif ($current && $list_section eq 'actions' && $line =~ /^ - type:\s*(.+)$/) {
Add work order workflow for ... Xdev Host Manager authored 2 days ago	675	$current_action = { type => yaml_unquote($1) };
	676	push @{ $current->{actions} }, $current_action;
Require work order checklist... Xdev Host Manager authored 2 days ago	677	$current_item = undef;
	678	} elsif ($current_action && $list_section eq 'actions' && $line =~ /^ ([A-Za-z0-9_]+):\s(.)$/) {
Add work order workflow for ... Xdev Host Manager authored 2 days ago	679	$current_action->{$1} = yaml_unquote($2);
	680	} elsif ($current && $line =~ /^ ([A-Za-z0-9_]+):\s(.)$/) {
	681	$current->{$1} = yaml_unquote($2);
Require work order checklist... Xdev Host Manager authored 2 days ago	682	$list_section = '';
Add work order workflow for ... Xdev Host Manager authored 2 days ago	683	$current_action = undef;
Require work order checklist... Xdev Host Manager authored 2 days ago	684	$current_item = undef;
Add work order workflow for ... Xdev Host Manager authored 2 days ago	685	}
	686	}
	687	return \%orders;
	688	}
	689
	690	sub render_work_orders_yaml {
	691	my ($orders) = @_;
	692	my $out = "version: " . int($orders->{version} \|\| 1) . "\n";
	693	$out .= "work_orders:\n";
	694	for my $wo (@{ $orders->{work_orders} \|\| [] }) {
	695	$out .= " - id: " . yq($wo->{id}) . "\n";
	696	for my $key (qw(status title reason created_at confirmed_at result)) {
	697	next unless exists $wo->{$key} && length($wo->{$key} \|\| '');
	698	$out .= " $key: " . yq($wo->{$key}) . "\n";
	699	}
Require work order checklist... Xdev Host Manager authored 2 days ago	700	$out .= " checklist:\n";
	701	for my $item (@{ $wo->{checklist} \|\| [] }) {
	702	$out .= " - id: " . yq($item->{id}) . "\n";
	703	for my $key (qw(text status owner notes updated_at)) {
	704	next unless exists $item->{$key} && length($item->{$key} \|\| '');
	705	$out .= " $key: " . yq($item->{$key}) . "\n";
	706	}
	707	}
Add work order workflow for ... Xdev Host Manager authored 2 days ago	708	$out .= " actions:\n";
	709	for my $action (@{ $wo->{actions} \|\| [] }) {
	710	$out .= " - type: " . yq($action->{type}) . "\n";
	711	for my $key (qw(host_id name)) {
	712	next unless exists $action->{$key} && length($action->{$key} \|\| '');
	713	$out .= " $key: " . yq($action->{$key}) . "\n";
	714	}
	715	}
	716	}
	717	return $out;
	718	}
	719
Initial host manager registr... Xdev Host Manager authored 2 days ago	720	sub request_payload {
	721	my ($headers, $body) = @_;
	722	my $type = $headers->{'content-type'} \|\| '';
	723	if ($type =~ m{application/json}) {
	724	return json_decode($body \|\| '{}');
	725	}
	726	return { parse_params($body \|\| '') };
	727	}
	728
	729	sub json_bool {
	730	my ($value) = @_;
	731	return bless \(my $bool = $value ? 1 : 0), 'HostManager::JSONBool';
	732	}
	733
	734	sub json_encode {
	735	my ($value) = @_;
	736	if (!defined $value) {
	737	return 'null';
	738	}
	739	my $ref = ref($value);
	740	if (!$ref) {
	741	return $value if $value =~ /\A-?(?:0\|[1-9][0-9]*)(?:\.[0-9]+)?\z/;
	742	return json_string($value);
	743	}
	744	if ($ref eq 'HostManager::JSONBool') {
	745	return $$value ? 'true' : 'false';
	746	}
	747	if ($ref eq 'ARRAY') {
	748	return '[' . join(',', map { json_encode($_) } @$value) . ']';
	749	}
	750	if ($ref eq 'HASH') {
	751	return '{' . join(',', map { json_string($_) . ':' . json_encode($value->{$_}) } sort keys %$value) . '}';
	752	}
	753	return json_string("$value");
	754	}
	755
	756	sub json_string {
	757	my ($value) = @_;
	758	$value = '' unless defined $value;
	759	$value =~ s/\\/\\\\/g;
	760	$value =~ s/"/\\"/g;
	761	$value =~ s/\n/\\n/g;
	762	$value =~ s/\r/\\r/g;
	763	$value =~ s/\t/\\t/g;
	764	$value =~ s/([\x00-\x1f])/sprintf("\\u%04x", ord($1))/eg;
	765	return qq("$value");
	766	}
	767
	768	sub json_decode {
	769	my ($text) = @_;
	770	my $i = 0;
	771	my $len = length($text);
	772	my ($parse_value, $parse_string, $parse_array, $parse_object, $parse_number, $skip_ws);
	773
	774	$skip_ws = sub {
	775	$i++ while $i < $len && substr($text, $i, 1) =~ /\s/;
	776	};
	777
	778	$parse_string = sub {
	779	die "Expected JSON string\n" unless substr($text, $i, 1) eq '"';
	780	$i++;
	781	my $out = '';
	782	while ($i < $len) {
	783	my $ch = substr($text, $i++, 1);
	784	return $out if $ch eq '"';
	785	if ($ch eq "\\") {
	786	die "Bad JSON escape\n" if $i >= $len;
	787	my $esc = substr($text, $i++, 1);
	788	if ($esc eq '"' \|\| $esc eq "\\" \|\| $esc eq '/') {
	789	$out .= $esc;
	790	} elsif ($esc eq 'b') {
	791	$out .= "\b";
	792	} elsif ($esc eq 'f') {
	793	$out .= "\f";
	794	} elsif ($esc eq 'n') {
	795	$out .= "\n";
	796	} elsif ($esc eq 'r') {
	797	$out .= "\r";
	798	} elsif ($esc eq 't') {
	799	$out .= "\t";
	800	} elsif ($esc eq 'u') {
	801	my $hex = substr($text, $i, 4);
	802	die "Bad JSON unicode escape\n" unless $hex =~ /\A[0-9A-Fa-f]{4}\z/;
	803	$out .= chr(hex($hex));
	804	$i += 4;
	805	} else {
	806	die "Bad JSON escape\n";
	807	}
	808	} else {
	809	$out .= $ch;
	810	}
	811	}
	812	die "Unterminated JSON string\n";
	813	};
	814
	815	$parse_number = sub {
	816	my $start = $i;
	817	$i++ if substr($text, $i, 1) eq '-';
	818	$i++ while $i < $len && substr($text, $i, 1) =~ /[0-9]/;
	819	if ($i < $len && substr($text, $i, 1) eq '.') {
	820	$i++;
	821	$i++ while $i < $len && substr($text, $i, 1) =~ /[0-9]/;
	822	}
	823	if ($i < $len && substr($text, $i, 1) =~ /[eE]/) {
	824	$i++;
	825	$i++ if $i < $len && substr($text, $i, 1) =~ /[+-]/;
	826	$i++ while $i < $len && substr($text, $i, 1) =~ /[0-9]/;
	827	}
	828	return 0 + substr($text, $start, $i - $start);
	829	};
	830
	831	$parse_array = sub {
	832	die "Expected JSON array\n" unless substr($text, $i, 1) eq '[';
	833	$i++;
	834	my @out;
	835	$skip_ws->();
	836	if ($i < $len && substr($text, $i, 1) eq ']') {
	837	$i++;
	838	return \@out;
	839	}
	840	while (1) {
	841	push @out, $parse_value->();
	842	$skip_ws->();
	843	my $ch = substr($text, $i++, 1);
	844	last if $ch eq ']';
	845	die "Expected JSON array comma\n" unless $ch eq ',';
	846	}
	847	return \@out;
	848	};
	849
	850	$parse_object = sub {
	851	die "Expected JSON object\n" unless substr($text, $i, 1) eq '{';
	852	$i++;
	853	my %out;
	854	$skip_ws->();
	855	if ($i < $len && substr($text, $i, 1) eq '}') {
	856	$i++;
	857	return \%out;
	858	}
	859	while (1) {
	860	$skip_ws->();
	861	my $key = $parse_string->();
	862	$skip_ws->();
	863	die "Expected JSON object colon\n" unless substr($text, $i++, 1) eq ':';
	864	$out{$key} = $parse_value->();
	865	$skip_ws->();
	866	my $ch = substr($text, $i++, 1);
	867	last if $ch eq '}';
	868	die "Expected JSON object comma\n" unless $ch eq ',';
	869	}
	870	return \%out;
	871	};
	872
	873	$parse_value = sub {
	874	$skip_ws->();
	875	die "Unexpected end of JSON\n" if $i >= $len;
	876	my $ch = substr($text, $i, 1);
	877	return $parse_string->() if $ch eq '"';
	878	return $parse_object->() if $ch eq '{';
	879	return $parse_array->() if $ch eq '[';
	880	if (substr($text, $i, 4) eq 'true') {
	881	$i += 4;
	882	return json_bool(1);
	883	}
	884	if (substr($text, $i, 5) eq 'false') {
	885	$i += 5;
	886	return json_bool(0);
	887	}
	888	if (substr($text, $i, 4) eq 'null') {
	889	$i += 4;
	890	return undef;
	891	}
	892	return $parse_number->() if $ch =~ /[-0-9]/;
	893	die "Unexpected JSON token\n";
	894	};
	895
	896	my $value = $parse_value->();
	897	$skip_ws->();
	898	die "Trailing JSON content\n" if $i != $len;
	899	return $value;
	900	}
	901
	902	sub parse_params {
	903	my ($text) = @_;
	904	my %out;
	905	for my $pair (split /&/, $text) {
	906	next unless length $pair;
	907	my ($k, $v) = split /=/, $pair, 2;
	908	$out{url_decode($k)} = url_decode($v \|\| '');
	909	}
	910	return %out;
	911	}
	912
	913	sub clean_id {
	914	my ($value) = @_;
	915	$value = lc clean_scalar($value);
	916	$value =~ s/[^a-z0-9_.-]+/-/g;
	917	$value =~ s/^-+\|-+$//g;
	918	return $value;
	919	}
	920
	921	sub clean_scalar {
	922	my ($value) = @_;
	923	$value = '' unless defined $value;
	924	$value =~ s/[\r\n\t]+/ /g;
	925	$value =~ s/^\s+\|\s+$//g;
	926	return $value;
	927	}
	928
	929	sub clean_list {
	930	my ($value) = @_;
	931	return () unless defined $value;
	932	my @items = ref($value) eq 'ARRAY' ? @$value : split /[\s,]+/, $value;
	933	my @clean;
	934	for my $item (@items) {
	935	$item = clean_scalar($item);
	936	push @clean, $item if length $item;
	937	}
	938	return @clean;
	939	}
	940
	941	sub yq {
	942	my ($value) = @_;
	943	$value = '' unless defined $value;
	944	$value =~ s/\\/\\\\/g;
	945	$value =~ s/"/\\"/g;
	946	return qq("$value");
	947	}
	948
	949	sub yaml_unquote {
	950	my ($value) = @_;
	951	$value = '' unless defined $value;
	952	$value =~ s/^\s+\|\s+$//g;
	953	if ($value =~ /^"(.*)"$/) {
	954	$value = $1;
	955	$value =~ s/\\"/"/g;
	956	$value =~ s/\\\\/\\/g;
	957	}
	958	return $value;
	959	}
	960
	961	sub verify_totp {
	962	my ($secret, $otp) = @_;
	963	return 0 unless $secret && $otp =~ /^\d{6}$/;
	964	my $key = eval { base32_decode($secret) };
	965	return 0 if $@ \|\| !length $key;
	966	my $counter = int(time() / 30);
	967	for my $offset (-1, 0, 1) {
	968	return 1 if totp_code($key, $counter + $offset) eq $otp;
	969	}
	970	return 0;
	971	}
	972
	973	sub totp_code {
	974	my ($key, $counter) = @_;
	975	my $msg = pack('NN', int($counter / 4294967296), $counter & 0xffffffff);
	976	my $hash = hmac_sha1($msg, $key);
	977	my $offset = ord(substr($hash, -1)) & 0x0f;
	978	my $bin = unpack('N', substr($hash, $offset, 4)) & 0x7fffffff;
	979	return sprintf('%06d', $bin % 1_000_000);
	980	}
	981
	982	sub base32_decode {
	983	my ($text) = @_;
	984	$text = uc($text \|\| '');
	985	$text =~ s/[^A-Z2-7]//g;
	986	my %map;
	987	my @chars = ('A'..'Z', '2'..'7');
	988	@map{@chars} = (0..31);
	989	my ($bits, $value, $out) = (0, 0, '');
	990	for my $char (split //, $text) {
	991	die "Invalid base32\n" unless exists $map{$char};
	992	$value = ($value << 5) \| $map{$char};
	993	$bits += 5;
	994	while ($bits >= 8) {
	995	$bits -= 8;
	996	$out .= chr(($value >> $bits) & 0xff);
	997	}
	998	}
	999	return $out;
	1000	}
	1001
	1002	sub create_session {
	1003	my $nonce = random_hex(24);
	1004	my $expires = int(time() + 8 * 3600);
	1005	my $sig = hmac_sha256_hex("$nonce:$expires", $session_secret);
	1006	my $token = "$nonce:$expires:$sig";
	1007	$sessions{$token} = $expires;
	1008	return $token;
	1009	}
	1010
	1011	sub is_authenticated {
	1012	my ($headers) = @_;
	1013	my $token = cookie_value($headers->{'cookie'} \|\| '', 'hm_session');
	1014	return 0 unless $token;
	1015	my ($nonce, $expires, $sig) = split /:/, $token;
	1016	return 0 unless $nonce && $expires && $sig;
	1017	return 0 if $expires < time();
	1018	return 0 unless hmac_sha256_hex("$nonce:$expires", $session_secret) eq $sig;
	1019	return exists $sessions{$token};
	1020	}
	1021
	1022	sub expire_session {
	1023	my ($headers) = @_;
	1024	my $token = cookie_value($headers->{'cookie'} \|\| '', 'hm_session');
	1025	delete $sessions{$token} if $token;
	1026	}
	1027
	1028	sub cookie_value {
	1029	my ($cookie, $name) = @_;
	1030	for my $part (split /;\s*/, $cookie) {
	1031	my ($k, $v) = split /=/, $part, 2;
	1032	return $v if defined $k && $k eq $name;
	1033	}
	1034	return '';
	1035	}
	1036
	1037	sub send_json {
	1038	my ($client, $status, $payload, $extra_headers) = @_;
	1039	return send_response($client, $status, json_encode($payload), 'application/json; charset=utf-8', $extra_headers);
	1040	}
	1041
Add local host certificate a... Xdev Host Manager authored 2 days ago	1042	sub send_json_raw {
	1043	my ($client, $status, $json_body, $extra_headers) = @_;
	1044	return send_response($client, $status, $json_body, 'application/json; charset=utf-8', $extra_headers);
	1045	}
	1046
Initial host manager registr... Xdev Host Manager authored 2 days ago	1047	sub send_html {
	1048	my ($client, $status, $html) = @_;
	1049	return send_response($client, $status, $html, 'text/html; charset=utf-8');
	1050	}
	1051
	1052	sub send_text {
	1053	my ($client, $status, $text) = @_;
	1054	return send_response($client, $status, $text, 'text/plain; charset=utf-8');
	1055	}
	1056
	1057	sub send_download {
	1058	my ($client, $status, $content, $type, $filename) = @_;
	1059	return send_response($client, $status, $content, $type, [ qq(Content-Disposition: attachment; filename="$filename") ]);
	1060	}
	1061
	1062	sub send_file {
	1063	my ($client, $path, $type, $filename) = @_;
	1064	return send_json($client, 404, { error => 'missing_file' }) unless -f $path;
	1065	return send_download($client, 200, read_file($path), $type, $filename);
	1066	}
	1067
	1068	sub send_response {
	1069	my ($client, $status, $body, $type, $extra_headers) = @_;
Add work order workflow for ... Xdev Host Manager authored 2 days ago	1070	my %reason = (200 => 'OK', 400 => 'Bad Request', 401 => 'Unauthorized', 404 => 'Not Found', 409 => 'Conflict', 500 => 'Internal Server Error', 503 => 'Service Unavailable');
Initial host manager registr... Xdev Host Manager authored 2 days ago	1071	$body = '' unless defined $body;
	1072	print $client "HTTP/1.1 $status " . ($reason{$status} \|\| 'OK') . "\r\n";
	1073	print $client "Content-Type: $type\r\n";
	1074	print $client "Content-Length: " . length($body) . "\r\n";
	1075	print $client "Cache-Control: no-store\r\n";
	1076	print $client "$_\r\n" for @{ $extra_headers \|\| [] };
	1077	print $client "Connection: close\r\n\r\n";
	1078	print $client $body;
	1079	}
	1080
	1081	sub read_file {
	1082	my ($path) = @_;
	1083	open my $fh, '<', $path or die "Cannot read $path: $!";
	1084	local $/;
	1085	return <$fh>;
	1086	}
	1087
	1088	sub write_file {
	1089	my ($path, $content) = @_;
	1090	open my $fh, '>', $path or die "Cannot write $path: $!";
	1091	print {$fh} $content;
	1092	close $fh or die "Cannot close $path: $!";
	1093	}
	1094
	1095	sub backup_file {
	1096	my ($path) = @_;
	1097	return unless -f $path;
	1098	my $backup_dir = "$project_dir/backups/host-manager";
	1099	make_path($backup_dir) unless -d $backup_dir;
	1100	my $name = $path;
	1101	$name =~ s{.*/}{};
	1102	my $stamp = strftime('%Y%m%d_%H%M%S', localtime);
	1103	write_file("$backup_dir/$name.$stamp.bak", read_file($path));
	1104	}
	1105
	1106	sub url_decode {
	1107	my ($value) = @_;
	1108	$value = '' unless defined $value;
	1109	$value =~ tr/+/ /;
	1110	$value =~ s/%([0-9A-Fa-f]{2})/chr(hex($1))/eg;
	1111	return $value;
	1112	}
	1113
	1114	sub random_hex {
	1115	my ($bytes) = @_;
	1116	if (open my $fh, '<:raw', '/dev/urandom') {
	1117	read($fh, my $raw, $bytes);
	1118	close $fh;
	1119	return unpack('H*', $raw);
	1120	}
	1121	return sha256_hex(rand() . time() . $$);
	1122	}
	1123
	1124	sub iso_now {
	1125	return strftime('%Y-%m-%dT%H:%M:%SZ', gmtime);
	1126	}
	1127
	1128	sub app_html {
	1129	return <<'HTML';
	1130	<!doctype html>
	1131	<html lang="ro">
	1132	<head>
	1133	<meta charset="utf-8">
	1134	<meta name="viewport" content="width=device-width, initial-scale=1">
	1135	<title>Host Manager</title>
	1136	<style>
	1137	:root {
	1138	color-scheme: light;
	1139	--ink: #152033;
	1140	--muted: #647084;
	1141	--line: #d8dee8;
	1142	--soft: #f4f6f9;
	1143	--panel: #ffffff;
	1144	--accent: #1267d8;
	1145	--bad: #b42318;
	1146	--warn: #946200;
	1147	--ok: #137333;
	1148	}
	1149	* { box-sizing: border-box; }
	1150	body { margin: 0; font-family: system-ui, -apple-system, BlinkMacSystemFont, "Segoe UI", sans-serif; color: var(--ink); background: #eef2f6; font-size: 14px; }
Add dedicated OTP login scre... Xdev Host Manager authored 2 days ago	1151
	1152	/* ── Login screen ── */
	1153	#login-screen {
	1154	display: flex;
Adjust login layout for OTP ... Xdev Host Manager authored 2 days ago	1155	align-items: flex-start;
Add dedicated OTP login scre... Xdev Host Manager authored 2 days ago	1156	justify-content: center;
	1157	min-height: 100dvh;
Adjust login layout for OTP ... Xdev Host Manager authored 2 days ago	1158	padding: clamp(48px, 10vh, 96px) 24px clamp(140px, 20vh, 220px);
Add dedicated OTP login scre... Xdev Host Manager authored 2 days ago	1159	background: #13182a;
Adjust login layout for OTP ... Xdev Host Manager authored 2 days ago	1160	overflow: auto;
Add dedicated OTP login scre... Xdev Host Manager authored 2 days ago	1161	}
	1162	.login-card {
Adjust login layout for OTP ... Xdev Host Manager authored 2 days ago	1163	--otp-size: 48px;
Tighten login bottom spacing Xdev Host Manager authored 2 days ago	1164	--otp-gap: 18px;
Adjust login layout for OTP ... Xdev Host Manager authored 2 days ago	1165	--login-form-width: calc((var(--otp-size) * 6) + (var(--otp-gap) * 5));
Add dedicated OTP login scre... Xdev Host Manager authored 2 days ago	1166	background: #fff;
	1167	border-radius: 16px;
Use vertical wide login layo... Xdev Host Manager authored 2 days ago	1168	padding: 54px 64px 48px;
Add dedicated OTP login scre... Xdev Host Manager authored 2 days ago	1169	width: 100%;
Use vertical wide login layo... Xdev Host Manager authored 2 days ago	1170	max-width: 680px;
Tighten login bottom spacing Xdev Host Manager authored 2 days ago	1171	min-height: 440px;
Add dedicated OTP login scre... Xdev Host Manager authored 2 days ago	1172	display: grid;
Use vertical wide login layo... Xdev Host Manager authored 2 days ago	1173	align-content: start;
	1174	justify-items: center;
	1175	gap: 28px;
Add dedicated OTP login scre... Xdev Host Manager authored 2 days ago	1176	box-shadow: 0 8px 40px rgba(0,0,0,.28);
	1177	}
Use vertical wide login layo... Xdev Host Manager authored 2 days ago	1178	.login-card .brand { text-align: center; display: grid; gap: 8px; justify-items: center; }
Add dedicated OTP login scre... Xdev Host Manager authored 2 days ago	1179	.login-card .brand .icon {
Use vertical wide login layo... Xdev Host Manager authored 2 days ago	1180	margin: 0 0 8px;
Make login form wide and aut... Xdev Host Manager authored 2 days ago	1181	width: 64px; height: 64px; border-radius: 18px;
Add dedicated OTP login scre... Xdev Host Manager authored 2 days ago	1182	background: #e8f0fe; display: flex; align-items: center; justify-content: center;
	1183	}
Make login form wide and aut... Xdev Host Manager authored 2 days ago	1184	.login-card .brand .icon svg { width: 38px; height: 38px; fill: none; stroke: var(--accent); stroke-width: 2.4; stroke-linecap: round; stroke-linejoin: round; }
	1185	.login-card .brand h1 { margin: 0; font-size: 32px; line-height: 1.05; font-weight: 750; color: var(--ink); }
	1186	.login-card .brand p { margin: 0; color: var(--muted); font-size: 16px; }
Adjust login layout for OTP ... Xdev Host Manager authored 2 days ago	1187	.login-card form {
	1188	display: grid;
	1189	width: min(100%, var(--login-form-width));
Use vertical wide login layo... Xdev Host Manager authored 2 days ago	1190	justify-self: center;
Tighten login bottom spacing Xdev Host Manager authored 2 days ago	1191	padding-bottom: clamp(44px, 6vh, 64px);
Adjust login layout for OTP ... Xdev Host Manager authored 2 days ago	1192	}
Make login form wide and aut... Xdev Host Manager authored 2 days ago	1193	.login-card form.busy { opacity: .72; pointer-events: none; }
Add dedicated OTP login scre... Xdev Host Manager authored 2 days ago	1194	/* 6 separate OTP digit boxes */
Adjust login layout for OTP ... Xdev Host Manager authored 2 days ago	1195	.otp-row {
	1196	display: flex;
	1197	gap: var(--otp-gap);
	1198	justify-content: center;
	1199	}
Add dedicated OTP login scre... Xdev Host Manager authored 2 days ago	1200	.otp-row input {
Adjust login layout for OTP ... Xdev Host Manager authored 2 days ago	1201	width: var(--otp-size); height: 56px; border: 1.5px solid #dde2ec; border-radius: 10px;
Add dedicated OTP login scre... Xdev Host Manager authored 2 days ago	1202	font-size: 22px; font-weight: 600; text-align: center; color: var(--ink);
	1203	background: #f8fafc; caret-color: transparent; outline: none;
	1204	transition: border-color .15s, background .15s;
	1205	}
	1206	.otp-row input:focus { border-color: var(--accent); background: #fff; }
	1207	.otp-row input.filled { border-color: #b3c6f0; background: #fff; }
	1208	#login-error {
	1209	color: var(--bad); font-size: 13px; text-align: center;
Tighten login bottom spacing Xdev Host Manager authored 2 days ago	1210	min-height: 18px; margin-top: -52px;
Make login form wide and aut... Xdev Host Manager authored 2 days ago	1211	}
	1212	@media (max-width: 760px) {
	1213	.login-card {
Use vertical wide login layo... Xdev Host Manager authored 2 days ago	1214	max-width: 520px;
Make login form wide and aut... Xdev Host Manager authored 2 days ago	1215	min-height: 0;
	1216	padding: 48px 36px 44px;
	1217	gap: 26px;
	1218	}
	1219	.login-card .brand h1 { font-size: 24px; }
	1220	.login-card .brand p { font-size: 14px; }
Tighten login bottom spacing Xdev Host Manager authored 2 days ago	1221	.login-card form { padding-bottom: 52px; }
	1222	#login-error { margin-top: -42px; }
Add dedicated OTP login scre... Xdev Host Manager authored 2 days ago	1223	}
Adjust login layout for OTP ... Xdev Host Manager authored 2 days ago	1224	@media (max-width: 430px) {
	1225	#login-screen { padding: 24px 16px 120px; }
	1226	.login-card {
	1227	--otp-size: 42px;
Tighten login bottom spacing Xdev Host Manager authored 2 days ago	1228	--otp-gap: 12px;
Adjust login layout for OTP ... Xdev Host Manager authored 2 days ago	1229	padding: 36px 22px 34px;
	1230	}
	1231	.otp-row input { height: 52px; }
Tighten login bottom spacing Xdev Host Manager authored 2 days ago	1232	.login-card form { padding-bottom: 48px; }
Adjust login layout for OTP ... Xdev Host Manager authored 2 days ago	1233	}
	1234	@media (max-height: 720px) {
	1235	#login-screen { padding-top: 28px; padding-bottom: 96px; }
	1236	.login-card { padding-top: 34px; padding-bottom: 34px; gap: 20px; }
Tighten login bottom spacing Xdev Host Manager authored 2 days ago	1237	.login-card form { padding-bottom: 40px; }
	1238	#login-error { margin-top: -32px; }
Adjust login layout for OTP ... Xdev Host Manager authored 2 days ago	1239	}
Add dedicated OTP login scre... Xdev Host Manager authored 2 days ago	1240
	1241	/* ── App shell (hidden until authenticated) ── */
	1242	#app { display: none; }
	1243	header { display: flex; align-items: center; justify-content: space-between; gap: 16px; padding: 12px 18px; background: var(--panel); border-bottom: 1px solid var(--line); position: sticky; top: 0; z-index: 2; }
	1244	h1 { margin: 0; font-size: 17px; font-weight: 700; }
	1245	.header-right { display: flex; align-items: center; gap: 10px; }
Initial host manager registr... Xdev Host Manager authored 2 days ago	1246	main { padding: 16px; display: grid; gap: 16px; max-width: 1280px; margin: 0 auto; }
	1247	.toolbar, .panel { background: var(--panel); border: 1px solid var(--line); border-radius: 8px; }
	1248	.toolbar { display: flex; flex-wrap: wrap; align-items: center; gap: 8px; padding: 10px; }
	1249	.panel { overflow: hidden; }
	1250	.panel-head { display: flex; justify-content: space-between; align-items: center; gap: 12px; padding: 12px 14px; border-bottom: 1px solid var(--line); background: #fafbfc; }
	1251	.panel-head h2 { margin: 0; font-size: 14px; }
	1252	.stats { display: flex; gap: 8px; flex-wrap: wrap; }
	1253	.stat { padding: 6px 8px; border: 1px solid var(--line); border-radius: 6px; background: var(--soft); font-size: 12px; color: var(--muted); }
	1254	button, input, select, textarea { font: inherit; }
	1255	button, .linkbtn { border: 1px solid var(--line); background: #fff; color: var(--ink); border-radius: 6px; padding: 7px 10px; min-height: 34px; cursor: pointer; text-decoration: none; display: inline-flex; align-items: center; gap: 6px; }
	1256	button.primary { background: var(--accent); border-color: var(--accent); color: #fff; }
Require work order checklist... Xdev Host Manager authored 2 days ago	1257	button:disabled { opacity: .45; cursor: not-allowed; }
Initial host manager registr... Xdev Host Manager authored 2 days ago	1258	button.danger { color: var(--bad); }
Require authentication for h... Xdev Host Manager authored 2 days ago	1259	button:disabled, .linkbtn[aria-disabled="true"] { opacity: .55; cursor: not-allowed; pointer-events: none; }
Initial host manager registr... Xdev Host Manager authored 2 days ago	1260	input, select, textarea { width: 100%; border: 1px solid var(--line); border-radius: 6px; padding: 8px; background: #fff; color: var(--ink); }
	1261	textarea { min-height: 74px; resize: vertical; }
	1262	table { width: 100%; border-collapse: collapse; table-layout: fixed; }
	1263	th, td { padding: 9px 10px; border-bottom: 1px solid var(--line); text-align: left; vertical-align: top; overflow-wrap: anywhere; }
	1264	th { color: var(--muted); font-size: 12px; font-weight: 700; background: #fafbfc; }
	1265	tr:hover td { background: #f8fafc; }
	1266	.pill { display: inline-block; padding: 2px 6px; border-radius: 999px; background: var(--soft); border: 1px solid var(--line); color: var(--muted); font-size: 12px; margin: 0 4px 4px 0; }
	1267	.pill.ok { color: var(--ok); border-color: #b7dfc1; background: #edf8ef; }
	1268	.pill.warn { color: var(--warn); border-color: #f1d184; background: #fff7df; }
	1269	.pill.bad { color: var(--bad); border-color: #f0b8b3; background: #fff0ee; }
	1270	.grid { display: grid; grid-template-columns: repeat(2, minmax(0, 1fr)); gap: 10px; padding: 14px; }
	1271	.span2 { grid-column: 1 / -1; }
	1272	label { display: grid; gap: 5px; color: var(--muted); font-size: 12px; font-weight: 650; }
	1273	.muted { color: var(--muted); }
	1274	.problems { padding: 10px 14px; display: grid; gap: 8px; }
	1275	.problem { border-left: 3px solid var(--warn); padding: 7px 9px; background: #fffaf0; }
	1276	@media (max-width: 760px) {
	1277	.grid { grid-template-columns: 1fr; }
	1278	table { min-width: 760px; }
	1279	.table-wrap { overflow-x: auto; }
	1280	}
	1281	</style>
	1282	</head>
	1283	<body>
	1284
Add dedicated OTP login scre... Xdev Host Manager authored 2 days ago	1285	<!-- ── Login screen ── -->
	1286	<div id="login-screen">
	1287	<div class="login-card">
	1288	<div class="brand">
	1289	<div class="icon">
Make login form wide and aut... Xdev Host Manager authored 2 days ago	1290	<svg viewBox="0 0 64 64" xmlns="http://www.w3.org/2000/svg" aria-hidden="true">
	1291	<rect x="16" y="10" width="32" height="44" rx="4"/>
	1292	<rect x="21" y="16" width="22" height="8" rx="2"/>
	1293	<rect x="21" y="28" width="22" height="8" rx="2"/>
	1294	<rect x="21" y="40" width="22" height="8" rx="2"/>
	1295	<path d="M26 20h8M26 32h8M26 44h8"/>
	1296	<path d="M40 20h.01M40 32h.01M40 44h.01"/>
Add dedicated OTP login scre... Xdev Host Manager authored 2 days ago	1297	</svg>
	1298	</div>
	1299	<h1>Host Manager</h1>
	1300	<p>madagascar.xdev.ro</p>
Initial host manager registr... Xdev Host Manager authored 2 days ago	1301	</div>
Add dedicated OTP login scre... Xdev Host Manager authored 2 days ago	1302	<form id="login-form">
	1303	<div class="otp-row">
	1304	<input type="text" inputmode="numeric" maxlength="1" pattern="[0-9]" class="otp-digit" autocomplete="one-time-code">
	1305	<input type="text" inputmode="numeric" maxlength="1" pattern="[0-9]" class="otp-digit">
	1306	<input type="text" inputmode="numeric" maxlength="1" pattern="[0-9]" class="otp-digit">
	1307	<input type="text" inputmode="numeric" maxlength="1" pattern="[0-9]" class="otp-digit">
	1308	<input type="text" inputmode="numeric" maxlength="1" pattern="[0-9]" class="otp-digit">
	1309	<input type="text" inputmode="numeric" maxlength="1" pattern="[0-9]" class="otp-digit">
	1310	</div>
	1311	</form>
	1312	<div id="login-error"></div>
	1313	</div>
	1314	</div>
	1315
	1316	<!-- ── App (shown after login) ── -->
	1317	<div id="app">
	1318	<header>
	1319	<h1>Host Manager</h1>
	1320	<div class="header-right">
	1321	<span class="muted" id="app-updated"></span>
	1322	<button type="button" id="logout">Logout</button>
Initial host manager registr... Xdev Host Manager authored 2 days ago	1323	</div>
Add dedicated OTP login scre... Xdev Host Manager authored 2 days ago	1324	</header>
	1325	<main>
	1326	<section class="toolbar">
	1327	<button id="refresh">Refresh</button>
	1328	<a class="linkbtn" href="/download/hosts.yaml">hosts.yaml</a>
	1329	<a class="linkbtn" href="/download/local-hosts.tsv">local-hosts.tsv</a>
	1330	<a class="linkbtn" href="/download/monitoring.json">monitoring.json</a>
	1331	<button id="write-tsv">Write local-hosts.tsv</button>
	1332	<span id="message" class="muted"></span>
	1333	</section>
	1334
	1335	<section class="panel">
	1336	<div class="panel-head">
	1337	<h2>Overview</h2>
	1338	<div class="stats" id="stats"></div>
	1339	</div>
	1340	<div class="problems" id="problems"></div>
	1341	</section>
Initial host manager registr... Xdev Host Manager authored 2 days ago	1342
Add local host certificate a... Xdev Host Manager authored 2 days ago	1343	<section class="panel">
	1344	<div class="panel-head">
	1345	<h2>Certificate Authority</h2>
	1346	<a class="linkbtn" href="/download/ca.crt">ca.crt</a>
	1347	</div>
	1348	<div class="problems" id="ca-status"></div>
	1349	</section>
	1350
Add work order workflow for ... Xdev Host Manager authored 2 days ago	1351	<section class="panel">
	1352	<div class="panel-head">
	1353	<h2>Work Orders</h2>
	1354	<div class="stats" id="wo-stats"></div>
	1355	</div>
	1356	<div class="problems" id="work-orders"></div>
	1357	</section>
	1358
Add dedicated OTP login scre... Xdev Host Manager authored 2 days ago	1359	<section class="panel">
	1360	<div class="panel-head">
	1361	<h2>Hosts</h2>
	1362	<input id="filter" placeholder="filter" style="max-width: 240px">
Initial host manager registr... Xdev Host Manager authored 2 days ago	1363	</div>
Add dedicated OTP login scre... Xdev Host Manager authored 2 days ago	1364	<div class="table-wrap">
	1365	<table>
	1366	<thead>
	1367	<tr>
	1368	<th style="width: 120px">ID</th>
	1369	<th style="width: 130px">hosts_ip</th>
	1370	<th style="width: 130px">dns_ip</th>
	1371	<th>Names</th>
	1372	<th style="width: 150px">Roles</th>
	1373	<th style="width: 110px">Monitoring</th>
	1374	<th style="width: 90px">Status</th>
	1375	</tr>
	1376	</thead>
	1377	<tbody id="hosts"></tbody>
	1378	</table>
	1379	</div>
	1380	</section>
	1381
	1382	<section class="panel">
	1383	<div class="panel-head">
	1384	<h2>Edit host</h2>
	1385	</div>
	1386	<form id="host-form" class="grid">
	1387	<label>ID<input name="id" required></label>
	1388	<label>Status<select name="status"><option>active</option><option>planned</option><option>retired</option></select></label>
	1389	<label>hosts_ip<input name="hosts_ip" required></label>
	1390	<label>dns_ip<input name="dns_ip" required></label>
	1391	<label class="span2">Names<textarea name="names" required></textarea></label>
	1392	<label>Roles<input name="roles"></label>
	1393	<label>Sources<input name="sources"></label>
	1394	<label>Monitoring<select name="monitoring"><option>pending</option><option>enabled</option><option>disabled</option></select></label>
	1395	<label>Notes<input name="notes"></label>
	1396	<div class="span2">
	1397	<button class="primary" type="submit">Save host</button>
	1398	<button class="danger" type="button" id="delete-host">Delete host</button>
	1399	</div>
	1400	</form>
	1401	</section>
	1402	</main>
	1403	</div>
	1404
Initial host manager registr... Xdev Host Manager authored 2 days ago	1405	<script>
Add work order workflow for ... Xdev Host Manager authored 2 days ago	1406	let state = { hosts: [], problems: [], workOrders: [], authenticated: false };
Initial host manager registr... Xdev Host Manager authored 2 days ago	1407
	1408	const $ = (id) => document.getElementById(id);
	1409	const msg = (text) => { $('message').textContent = text \|\| ''; };
	1410
	1411	async function api(path, options = {}) {
	1412	const res = await fetch(path, options);
	1413	const body = await res.json();
	1414	if (!res.ok) throw new Error(body.error \|\| res.statusText);
	1415	return body;
	1416	}
	1417
Add dedicated OTP login scre... Xdev Host Manager authored 2 days ago	1418	function showLogin(errorText) {
	1419	$('app').style.display = 'none';
	1420	$('login-screen').style.display = 'flex';
	1421	$('login-error').textContent = errorText \|\| '';
	1422	document.querySelectorAll('.otp-digit').forEach(i => { i.value = ''; i.classList.remove('filled'); });
	1423	const first = document.querySelector('.otp-digit');
	1424	if (first) first.focus();
	1425	}
	1426
	1427	function showApp() {
	1428	$('login-screen').style.display = 'none';
	1429	$('app').style.display = 'block';
	1430	}
	1431
Initial host manager registr... Xdev Host Manager authored 2 days ago	1432	async function refresh() {
	1433	const session = await api('/api/session');
	1434	state.authenticated = session.authenticated;
Add dedicated OTP login scre... Xdev Host Manager authored 2 days ago	1435	if (!state.authenticated) { showLogin(); return; }
	1436	showApp();
Initial host manager registr... Xdev Host Manager authored 2 days ago	1437	const data = await api('/api/hosts');
	1438	state.hosts = data.hosts \|\| [];
	1439	state.problems = data.problems \|\| [];
	1440	render(data);
Add local host certificate a... Xdev Host Manager authored 2 days ago	1441	await renderCa();
Add work order workflow for ... Xdev Host Manager authored 2 days ago	1442	await renderWorkOrders();
Initial host manager registr... Xdev Host Manager authored 2 days ago	1443	}
	1444
	1445	function render(data) {
Add dedicated OTP login scre... Xdev Host Manager authored 2 days ago	1446	$('app-updated').textContent = data.updated_at ? 'updated ' + data.updated_at : '';
	1447
Initial host manager registr... Xdev Host Manager authored 2 days ago	1448	$('stats').innerHTML = [
	1449	['hosts', data.counts.hosts],
	1450	['problems', data.counts.problems],
	1451	].map(([k, v]) => `<span class="stat">${k}: ${escapeHtml(String(v))}</span>`).join('');
	1452
	1453	$('problems').innerHTML = state.problems.length
	1454	? state.problems.map(p => `<div class="problem"><strong>${escapeHtml(p.host_id)}</strong> ${escapeHtml(p.code)}: ${escapeHtml(p.message)}</div>`).join('')
	1455	: '<div class="muted" style="padding: 8px 0">No registry problems detected.</div>';
	1456
	1457	renderHosts();
	1458	}
	1459
Add local host certificate a... Xdev Host Manager authored 2 days ago	1460	async function renderCa() {
	1461	try {
	1462	const status = await api('/api/ca/status');
	1463	if (!status.initialized) {
	1464	$('ca-status').innerHTML = '<div class="problem"><strong>not initialized</strong> Run <code>sudo scripts/ca_manager.sh init</code> on jumper.</div>';
	1465	return;
	1466	}
	1467	const certs = await api('/api/ca/certificates');
	1468	$('ca-status').innerHTML = `
	1469	<div class="muted" style="display:grid;gap:6px">
	1470	<div><strong>${escapeHtml(status.subject \|\| '')}</strong></div>
	1471	<div>SHA256 ${escapeHtml(status.fingerprint_sha256 \|\| '')}</div>
	1472	<div>valid ${escapeHtml(status.not_before \|\| '')} - ${escapeHtml(status.not_after \|\| '')}</div>
	1473	<div>${certs.length} issued certificate(s)</div>
	1474	</div>`;
	1475	} catch (e) {
	1476	$('ca-status').innerHTML = `<div class="problem"><strong>CA status unavailable</strong> ${escapeHtml(e.message)}</div>`;
	1477	}
	1478	}
	1479
Add work order workflow for ... Xdev Host Manager authored 2 days ago	1480	async function renderWorkOrders() {
	1481	try {
	1482	const data = await api('/api/work-orders');
	1483	state.workOrders = data.work_orders \|\| [];
	1484	$('wo-stats').innerHTML = [
	1485	['pending', data.counts.pending],
	1486	['total', data.counts.work_orders],
	1487	].map(([k, v]) => `<span class="stat">${k}: ${escapeHtml(String(v))}</span>`).join('');
	1488
	1489	if (!state.workOrders.length) {
	1490	$('work-orders').innerHTML = '<div class="muted" style="padding: 8px 0">No work orders.</div>';
	1491	return;
	1492	}
	1493
	1494	$('work-orders').innerHTML = state.workOrders.map(wo => {
Require work order checklist... Xdev Host Manager authored 2 days ago	1495	const checklist = wo.checklist \|\| [];
	1496	const doneItems = checklist.filter(item => (item.status \|\| 'pending') === 'done').length;
	1497	const checklistComplete = checklist.length === 0 \|\| doneItems === checklist.length;
	1498	const checklistHtml = checklist.map(item => {
	1499	const checked = (item.status \|\| 'pending') === 'done' ? 'checked' : '';
	1500	return `<label style="display:flex;align-items:flex-start;gap:8px">
	1501	<input type="checkbox" data-wo-checklist="${escapeHtml(wo.id)}" data-item-id="${escapeHtml(item.id \|\| '')}" ${checked}>
	1502	<span><strong>${escapeHtml(item.id \|\| '')}</strong> ${escapeHtml(item.text \|\| '')}</span>
	1503	</label>`;
	1504	}).join('');
Add work order workflow for ... Xdev Host Manager authored 2 days ago	1505	const actions = (wo.actions \|\| []).map(a => {
	1506	const target = [a.host_id, a.name].filter(Boolean).join(' ');
	1507	return `<div><span class="pill">${escapeHtml(a.type \|\| '')}</span> ${escapeHtml(target)}</div>`;
	1508	}).join('');
	1509	const statusClass = (wo.status \|\| 'pending') === 'pending' ? 'warn' : 'ok';
	1510	const button = (wo.status \|\| 'pending') === 'pending'
Require work order checklist... Xdev Host Manager authored 2 days ago	1511	? `<button type="button" class="primary" data-confirm-wo="${escapeHtml(wo.id)}" ${checklistComplete ? '' : 'disabled'}>Confirm</button>`
Add work order workflow for ... Xdev Host Manager authored 2 days ago	1512	: '';
	1513	return `<div class="problem" style="display:grid;gap:8px">
	1514	<div style="display:flex;align-items:center;justify-content:space-between;gap:12px;flex-wrap:wrap">
Require work order checklist... Xdev Host Manager authored 2 days ago	1515	<div><strong>${escapeHtml(wo.id \|\| '')}</strong> <span class="pill ${statusClass}">${escapeHtml(wo.status \|\| 'pending')}</span> <span class="pill">${doneItems}/${checklist.length} done</span></div>
Add work order workflow for ... Xdev Host Manager authored 2 days ago	1516	${button}
	1517	</div>
	1518	<div>${escapeHtml(wo.title \|\| '')}</div>
	1519	<div class="muted">${escapeHtml(wo.reason \|\| '')}</div>
Require work order checklist... Xdev Host Manager authored 2 days ago	1520	<div style="display:grid;gap:6px">${checklistHtml}</div>
Add work order workflow for ... Xdev Host Manager authored 2 days ago	1521	<div style="display:grid;gap:4px">${actions}</div>
	1522	${wo.confirmed_at ? `<div class="muted">confirmed ${escapeHtml(wo.confirmed_at)}</div>` : ''}
	1523	</div>`;
	1524	}).join('');
Require work order checklist... Xdev Host Manager authored 2 days ago	1525	document.querySelectorAll('[data-wo-checklist]').forEach(input => input.addEventListener('change', () => updateWorkOrderChecklist(input.dataset.woChecklist, input.dataset.itemId, input.checked)));
Add work order workflow for ... Xdev Host Manager authored 2 days ago	1526	document.querySelectorAll('[data-confirm-wo]').forEach(button => button.addEventListener('click', () => confirmWorkOrder(button.dataset.confirmWo)));
	1527	} catch (e) {
	1528	$('work-orders').innerHTML = `<div class="problem"><strong>Work orders unavailable</strong> ${escapeHtml(e.message)}</div>`;
	1529	}
	1530	}
	1531
Require work order checklist... Xdev Host Manager authored 2 days ago	1532	async function updateWorkOrderChecklist(id, itemId, checked) {
	1533	try {
	1534	await api('/api/work-orders/checklist', {
	1535	method: 'POST',
	1536	headers: { 'Content-Type': 'application/json' },
	1537	body: JSON.stringify({ id, item_id: itemId, status: checked ? 'done' : 'pending' })
	1538	});
	1539	msg('work order updated');
	1540	await refresh();
	1541	} catch (e) { msg(e.message); await refresh(); }
	1542	}
	1543
Add work order workflow for ... Xdev Host Manager authored 2 days ago	1544	async function confirmWorkOrder(id) {
	1545	const typed = prompt(`Type ${id} to confirm this work order`);
	1546	if (typed !== id) return;
	1547	try {
	1548	await api('/api/work-orders/confirm', {
	1549	method: 'POST',
	1550	headers: { 'Content-Type': 'application/json' },
	1551	body: JSON.stringify({ id, confirm: typed })
	1552	});
	1553	msg('work order confirmed; local-hosts.tsv written');
	1554	await refresh();
	1555	} catch (e) { msg(e.message); }
	1556	}
	1557
Initial host manager registr... Xdev Host Manager authored 2 days ago	1558	function renderHosts() {
	1559	const filter = $('filter').value.toLowerCase();
	1560	$('hosts').innerHTML = state.hosts
	1561	.filter(h => JSON.stringify(h).toLowerCase().includes(filter))
	1562	.map(h => {
	1563	const problems = state.problems.filter(p => p.host_id === h.id);
	1564	const cls = problems.length ? 'warn' : 'ok';
	1565	return `<tr data-id="${escapeHtml(h.id)}">
	1566	<td><button type="button" data-edit="${escapeHtml(h.id)}">${escapeHtml(h.id)}</button></td>
	1567	<td>${escapeHtml(h.hosts_ip \|\| '')}</td>
	1568	<td>${escapeHtml(h.dns_ip \|\| '')}</td>
	1569	<td>${(h.names \|\| []).map(n => `<span class="pill">${escapeHtml(n)}</span>`).join('')}</td>
	1570	<td>${(h.roles \|\| []).map(n => `<span class="pill">${escapeHtml(n)}</span>`).join('')}</td>
	1571	<td><span class="pill ${cls}">${escapeHtml(h.monitoring \|\| '')}</span></td>
	1572	<td>${escapeHtml(h.status \|\| '')}</td>
	1573	</tr>`;
	1574	}).join('');
	1575	document.querySelectorAll('[data-edit]').forEach(button => button.addEventListener('click', () => editHost(button.dataset.edit)));
	1576	}
	1577
	1578	function editHost(id) {
	1579	const host = state.hosts.find(h => h.id === id);
	1580	if (!host) return;
	1581	const form = $('host-form');
	1582	for (const key of ['id', 'status', 'hosts_ip', 'dns_ip', 'monitoring', 'notes']) form.elements[key].value = host[key] \|\| '';
	1583	form.elements.names.value = (host.names \|\| []).join('\n');
	1584	form.elements.roles.value = (host.roles \|\| []).join(' ');
	1585	form.elements.sources.value = (host.sources \|\| []).join(' ');
Add dedicated OTP login scre... Xdev Host Manager authored 2 days ago	1586	form.scrollIntoView({ behavior: 'smooth', block: 'start' });
Initial host manager registr... Xdev Host Manager authored 2 days ago	1587	}
	1588
	1589	function formObject(form) {
	1590	return Object.fromEntries(new FormData(form).entries());
	1591	}
	1592
	1593	function escapeHtml(value) {
	1594	return value.replace(/[&<>"']/g, ch => ({'&':'&','<':'<','>':'>','"':'"',"'":'''}[ch]));
	1595	}
	1596
Add dedicated OTP login scre... Xdev Host Manager authored 2 days ago	1597	// OTP digit boxes — auto-advance, backspace, paste
	1598	const otpDigits = Array.from(document.querySelectorAll('.otp-digit'));
	1599	otpDigits[0].focus();
	1600
	1601	otpDigits.forEach((input, idx) => {
	1602	input.addEventListener('keydown', (e) => {
	1603	if (e.key === 'Backspace') {
	1604	if (input.value) { input.value = ''; input.classList.remove('filled'); }
	1605	else if (idx > 0) { otpDigits[idx - 1].value = ''; otpDigits[idx - 1].classList.remove('filled'); otpDigits[idx - 1].focus(); }
	1606	e.preventDefault();
	1607	}
	1608	});
	1609	input.addEventListener('input', (e) => {
	1610	const val = input.value.replace(/\D/g, '').slice(-1);
	1611	input.value = val;
	1612	input.classList.toggle('filled', !!val);
	1613	if (val && idx < otpDigits.length - 1) otpDigits[idx + 1].focus();
Make login form wide and aut... Xdev Host Manager authored 2 days ago	1614	if (val && idx === otpDigits.length - 1 && otpReady()) $('login-form').requestSubmit();
Add dedicated OTP login scre... Xdev Host Manager authored 2 days ago	1615	});
	1616	input.addEventListener('paste', (e) => {
	1617	const text = (e.clipboardData \|\| window.clipboardData).getData('text').replace(/\D/g, '');
	1618	e.preventDefault();
	1619	text.split('').slice(0, otpDigits.length).forEach((ch, i) => {
	1620	otpDigits[i].value = ch;
	1621	otpDigits[i].classList.add('filled');
	1622	});
	1623	const next = Math.min(text.length, otpDigits.length - 1);
	1624	otpDigits[next].focus();
Make login form wide and aut... Xdev Host Manager authored 2 days ago	1625	if (otpReady()) $('login-form').requestSubmit();
Add dedicated OTP login scre... Xdev Host Manager authored 2 days ago	1626	});
	1627	});
	1628
	1629	function getOtp() { return otpDigits.map(i => i.value).join(''); }
Make login form wide and aut... Xdev Host Manager authored 2 days ago	1630	function otpReady() { return otpDigits.every(i => /^\d$/.test(i.value)); }
Add dedicated OTP login scre... Xdev Host Manager authored 2 days ago	1631	function clearOtp() { otpDigits.forEach(i => { i.value = ''; i.classList.remove('filled'); }); otpDigits[0].focus(); }
Initial host manager registr... Xdev Host Manager authored 2 days ago	1632
	1633	$('login-form').addEventListener('submit', async (event) => {
	1634	event.preventDefault();
Make login form wide and aut... Xdev Host Manager authored 2 days ago	1635	if (!otpReady()) return;
	1636	$('login-form').classList.add('busy');
Add dedicated OTP login scre... Xdev Host Manager authored 2 days ago	1637	$('login-error').textContent = '';
Initial host manager registr... Xdev Host Manager authored 2 days ago	1638	try {
Add dedicated OTP login scre... Xdev Host Manager authored 2 days ago	1639	await api('/api/login', { method: 'POST', headers: { 'Content-Type': 'application/json' }, body: JSON.stringify({ otp: getOtp() }) });
Initial host manager registr... Xdev Host Manager authored 2 days ago	1640	await refresh();
Add dedicated OTP login scre... Xdev Host Manager authored 2 days ago	1641	} catch (e) {
	1642	showLogin(e.message === 'invalid_otp' ? 'Cod incorect.' : e.message);
	1643	} finally {
Make login form wide and aut... Xdev Host Manager authored 2 days ago	1644	$('login-form').classList.remove('busy');
Add dedicated OTP login scre... Xdev Host Manager authored 2 days ago	1645	}
Initial host manager registr... Xdev Host Manager authored 2 days ago	1646	});
	1647
	1648	$('logout').addEventListener('click', async () => {
	1649	await api('/api/logout', { method: 'POST' }).catch(() => {});
Add dedicated OTP login scre... Xdev Host Manager authored 2 days ago	1650	clearOtp();
	1651	showLogin();
Initial host manager registr... Xdev Host Manager authored 2 days ago	1652	});
	1653
Add dedicated OTP login scre... Xdev Host Manager authored 2 days ago	1654	$('refresh').addEventListener('click', () => refresh().catch(e => msg(e.message)));
	1655	$('filter').addEventListener('input', renderHosts);
	1656
Initial host manager registr... Xdev Host Manager authored 2 days ago	1657	$('host-form').addEventListener('submit', async (event) => {
	1658	event.preventDefault();
	1659	try {
	1660	await api('/api/hosts/upsert', { method: 'POST', headers: { 'Content-Type': 'application/json' }, body: JSON.stringify(formObject(event.target)) });
	1661	msg('host saved');
	1662	await refresh();
	1663	} catch (e) { msg(e.message); }
	1664	});
	1665
	1666	$('delete-host').addEventListener('click', async () => {
	1667	const id = $('host-form').elements.id.value;
	1668	if (!id \|\| !confirm(`Delete ${id}?`)) return;
	1669	try {
	1670	await api('/api/hosts/delete', { method: 'POST', headers: { 'Content-Type': 'application/json' }, body: JSON.stringify({ id }) });
	1671	$('host-form').reset();
	1672	msg('host deleted');
	1673	await refresh();
	1674	} catch (e) { msg(e.message); }
	1675	});
	1676
	1677	$('write-tsv').addEventListener('click', async () => {
	1678	if (!confirm('Write config/local-hosts.tsv from hosts.yaml?')) return;
	1679	try {
	1680	await api('/api/render/local-hosts-tsv', { method: 'POST' });
	1681	msg('local-hosts.tsv written');
	1682	} catch (e) { msg(e.message); }
	1683	});
	1684
Add dedicated OTP login scre... Xdev Host Manager authored 2 days ago	1685	refresh().catch(() => showLogin());
Initial host manager registr... Xdev Host Manager authored 2 days ago	1686	</script>
	1687	</body>
	1688	</html>
	1689	HTML
	1690	}