# B-auth Implementation Plan

> **For agentic workers:** REQUIRED SUB-SKILL: Use superpowers:subagent-driven-development (recommended) or superpowers:executing-plans to implement this plan task-by-task. Steps use checkbox (`- [ ]`) syntax for tracking.

**Goal:** Add an in-app login flow to `cm-web-next` with WebAuthn passkey + `CM_AGENT_ID`/`CM_AGENT_PASSWORD` password fallback, all gated by Next.js middleware. Auth state lives entirely in `cm-web-next` — no api-server changes, no mysql schema change.

**Architecture:** `iron-session` signed `httpOnly` cookie for sessions. `@simplewebauthn/server` + `@simplewebauthn/browser` for WebAuthn flows, called via Server Actions (no public `/api/*`). Passkeys stored as JSON in a docker volume (`/data/auth/passkeys.json`) with atomic writes serialized by an in-process write lock. Middleware redirects unauthenticated requests to `/cm-auth` (avoiding the well-known `/login` path scanners hit by default).

**Tech Stack:** Next.js 15 App Router, React 19, Tailwind v4, `iron-session ^8.0.0`, `@simplewebauthn/server ^11.0.0`, `@simplewebauthn/browser ^11.0.0`. Node `crypto.timingSafeEqual` for constant-time password compare.

**Spec:** [docs/superpowers/specs/2026-05-02-b-auth-design.md](../specs/2026-05-02-b-auth-design.md)

---

## File Map

| File | Operation | Owner |
|---|---|---|
| `web/package.json` | Modify | hand — add three deps |
| `web/lib/auth.ts` | Create | hand — iron-session wrapper, session CRUD |
| `web/lib/auth-store.ts` | Create | hand — JSON-file passkey store with atomic writes + write lock |
| `web/lib/auth-rp.ts` | Create | hand — WebAuthn relying-party helpers (rpID, origin) |
| `web/app/auth-actions.ts` | Create | hand — all Server Actions |
| `web/middleware.ts` | Create | hand — gate routes |
| `web/app/cm-auth/page.tsx` | Create | hand (Server Component shell, reads passkey-exists flag) |
| `web/app/cm-auth/auth-form.tsx` | Create | frontend-design — login form Client Component |
| `web/app/cm-passkeys/page.tsx` | Create | hand (Server Component shell, fetches passkey list) |
| `web/app/cm-passkeys/passkey-list.tsx` | Create | frontend-design — passkey list + add/remove Client Component |
| `web/components/nav.tsx` | Modify | frontend-design — add account menu (username, settings, sign out) |
| `docker-compose.yml` | Modify | hand — add `web-next-auth-data` named volume + mount |
| `docker-compose.override.yml` | Modify | hand — same mount in dev override |
| `envs/dev/.env.example` | Modify | hand — add `CM_AUTH_SECRET` placeholder |
| `envs/rex/.env.example` | Modify | hand — same |
| `envs/siong/.env.example` | Modify | hand — same |
| `AGENTS.md` | Modify | hand — Auth subsection |

Three frontend-design invocations for the UI (auth form, passkey list, nav account menu).

---

## Task 1: Add auth dependencies to package.json

**Files:**
- Modify: `web/package.json`

- [ ] **Step 1: Update dependencies block**

In `web/package.json`, add three entries to `dependencies`:

```json
{
  "name": "cm-web-next",
  "version": "0.1.0",
  "private": true,
  "scripts": {
    "dev": "next dev",
    "build": "next build",
    "start": "next start",
    "lint": "next lint"
  },
  "dependencies": {
    "next": "15.1.0",
    "react": "19.0.0",
    "react-dom": "19.0.0",
    "iron-session": "^8.0.0",
    "@simplewebauthn/server": "^11.0.0",
    "@simplewebauthn/browser": "^11.0.0"
  },
  "devDependencies": {
    "@tailwindcss/postcss": "^4.1.0",
    "@types/node": "^22.10.0",
    "@types/react": "^19.0.0",
    "@types/react-dom": "^19.0.0",
    "tailwindcss": "^4.1.0",
    "typescript": "^5.7.2"
  }
}
```

(The Docker build runs `npm install` and resolves these on first build — no host-side `npm install` needed; we don't commit a lockfile per the established pattern from B1.)

- [ ] **Step 2: Commit**

```bash
cd /home/yiekheng/projects/cm_bot_v2 && \
git add web/package.json && \
git -c user.name='yiekheng' -c user.email='yiekheng@04080616.xyz' \
  commit -m "build(web): add iron-session and simplewebauthn deps"
```

---

## Task 2: Add `CM_AUTH_SECRET` to all env.example files

**Files:**
- Modify: `envs/dev/.env.example`
- Modify: `envs/rex/.env.example`
- Modify: `envs/siong/.env.example`

- [ ] **Step 1: Generate sample secrets per env (32 bytes hex)**

For dev, a stable known secret is fine since dev .env is committed-as-template. For rex/siong, the example shows the format and instructs the operator to rotate.

In `envs/dev/.env.example`, find the `=== Runtime ===` section and add immediately after `CM_DEBUG`:

```
# === Auth (cm-web-next session signing) ===
# 64-character hex (32 bytes). Generate with: openssl rand -hex 32
# Rotating this secret invalidates all existing sessions (forces re-login).
CM_AUTH_SECRET=devsecret-replace-with-openssl-rand-hex-32-for-real-deploys
```

In `envs/rex/.env.example`, append the same block at the end.

In `envs/siong/.env.example`, append the same block at the end.

- [ ] **Step 2: Verify all three files have the new line**

```bash
cd /home/yiekheng/projects/cm_bot_v2 && \
grep -H "^CM_AUTH_SECRET=" envs/*/.env.example
```

Expected: three lines, one per deployment.

- [ ] **Step 3: Commit**

```bash
cd /home/yiekheng/projects/cm_bot_v2 && \
git add envs/dev/.env.example envs/rex/.env.example envs/siong/.env.example && \
git -c user.name='yiekheng' -c user.email='yiekheng@04080616.xyz' \
  commit -m "feat(envs): add CM_AUTH_SECRET to all .env.example templates"
```

---

## Task 3: Mount the auth-data volume on `web-next`

**Files:**
- Modify: `docker-compose.yml`
- Modify: `docker-compose.override.yml`

- [ ] **Step 1: Add the volume + mount in base compose**

In `docker-compose.yml`, find the existing `web-next` service block and add a `volumes:` directive that mounts the named volume at `/data/auth`:

Find:

```yaml
  web-next:
    image: "${CM_IMAGE_PREFIX:-your-registry/namespace}/cm-web-next:${DOCKER_IMAGE_TAG:-latest}"
    container_name: ${CM_DEPLOY_NAME:-cm}-web-next
    restart: unless-stopped
    ports:
      - "${CM_WEB_NEXT_HOST_PORT:-8010}:3000"
    environment:
      NODE_ENV: production
      NEXT_TELEMETRY_DISABLED: "1"
      API_BASE_URL: http://api-server:3000
    volumes:
      - /etc/timezone:/etc/timezone:ro
      - /etc/localtime:/etc/localtime:ro
    networks:
      - bot-network
    depends_on:
      - api-server
```

Add `CM_AUTH_SECRET` to the `environment:` block, add a new mount to `volumes:`, and append a top-level `volumes:` declaration if there isn't one already (the existing override has `mysql-data`; we add the auth-data volume next to it):

```yaml
  web-next:
    image: "${CM_IMAGE_PREFIX:-your-registry/namespace}/cm-web-next:${DOCKER_IMAGE_TAG:-latest}"
    container_name: ${CM_DEPLOY_NAME:-cm}-web-next
    restart: unless-stopped
    ports:
      - "${CM_WEB_NEXT_HOST_PORT:-8010}:3000"
    environment:
      NODE_ENV: production
      NEXT_TELEMETRY_DISABLED: "1"
      API_BASE_URL: http://api-server:3000
      CM_AUTH_SECRET: ${CM_AUTH_SECRET}
    volumes:
      - web-next-auth-data:/data/auth
      - /etc/timezone:/etc/timezone:ro
      - /etc/localtime:/etc/localtime:ro
    networks:
      - bot-network
    depends_on:
      - api-server
```

Append a top-level `volumes:` block at the end of `docker-compose.yml` (or extend the existing one if present):

```yaml
volumes:
  web-next-auth-data:
    name: ${CM_DEPLOY_NAME:-cm}-web-next-auth-data
```

- [ ] **Step 2: Override file gets the same mount path implicitly via base merge**

Compose merges service definitions across files. The `volumes:` array on `web-next` in base is what dev compose sees, no override change needed for the mount itself. But the dev override needs the top-level `volumes:` declaration (since mysql-data is also there) to know about the named volume.

Open `docker-compose.override.yml`. Find the existing top-level `volumes:` block (already declares `mysql-data`). Add `web-next-auth-data` next to it:

```yaml
volumes:
  mysql-data:
    name: ${CM_DEPLOY_NAME:-cm}-mysql-data
  web-next-auth-data:
    name: ${CM_DEPLOY_NAME:-cm}-web-next-auth-data
```

- [ ] **Step 3: YAML structural validation**

```bash
cd /home/yiekheng/projects/cm_bot_v2 && \
.venv/bin/python -c "
import yaml
with open('docker-compose.yml') as f:
    base = yaml.safe_load(f)
wn = base['services']['web-next']
assert any('web-next-auth-data:/data/auth' in v for v in wn['volumes']), 'auth volume mount missing on web-next'
assert wn['environment']['CM_AUTH_SECRET'] == '\${CM_AUTH_SECRET}'
assert 'web-next-auth-data' in base.get('volumes', {}), 'top-level volume missing in base'
print('base: web-next-auth-data wired')

with open('docker-compose.override.yml') as f:
    over = yaml.safe_load(f)
assert 'web-next-auth-data' in over['volumes']
print('override: web-next-auth-data declared')
"
```

Expected:

```
base: web-next-auth-data wired
override: web-next-auth-data declared
```

- [ ] **Step 4: Commit**

```bash
cd /home/yiekheng/projects/cm_bot_v2 && \
git add docker-compose.yml docker-compose.override.yml && \
git -c user.name='yiekheng' -c user.email='yiekheng@04080616.xyz' \
  commit -m "feat(compose): mount web-next-auth-data volume + pass CM_AUTH_SECRET"
```

---

## Task 4: Session helper (`web/lib/auth.ts`)

**Files:**
- Create: `web/lib/auth.ts`

- [ ] **Step 1: Write the session helper**

Create `web/lib/auth.ts`:

```typescript
import "server-only";
import { cookies } from "next/headers";
import { sealData, unsealData } from "iron-session";

const COOKIE_NAME = "cm_auth";
const COOKIE_TTL_SECONDS = 30 * 24 * 60 * 60; // 30 days

export type Session = {
  username: string;
  authenticatedAt: number;
  // Transient WebAuthn challenge held while a register/authenticate flow
  // is in progress. Cleared on the next finish*() call.
  pendingChallenge?: {
    kind: "register" | "authenticate";
    challenge: string;
    expiresAt: number;
  };
};

function secret(): string {
  const s = process.env.CM_AUTH_SECRET;
  if (!s || s.length < 32) {
    throw new Error("CM_AUTH_SECRET missing or shorter than 32 chars");
  }
  return s;
}

export async function getSession(): Promise<Session | null> {
  const jar = await cookies();
  const raw = jar.get(COOKIE_NAME)?.value;
  if (!raw) return null;
  try {
    return await unsealData<Session>(raw, { password: secret() });
  } catch {
    return null;
  }
}

export async function setSession(session: Session): Promise<void> {
  const sealed = await sealData(session, {
    password: secret(),
    ttl: COOKIE_TTL_SECONDS,
  });
  const jar = await cookies();
  jar.set(COOKIE_NAME, sealed, {
    httpOnly: true,
    secure: process.env.NODE_ENV === "production",
    sameSite: "lax",
    path: "/",
    maxAge: COOKIE_TTL_SECONDS,
  });
}

export async function clearSession(): Promise<void> {
  const jar = await cookies();
  jar.delete(COOKIE_NAME);
}

export async function requireSession(): Promise<Session> {
  const s = await getSession();
  if (!s) throw new Error("Unauthenticated");
  return s;
}
```

`server-only` is a Next.js poison-import: the build will fail if any client component transitively imports this file.

- [ ] **Step 2: Commit**

```bash
cd /home/yiekheng/projects/cm_bot_v2 && \
git add web/lib/auth.ts && \
git -c user.name='yiekheng' -c user.email='yiekheng@04080616.xyz' \
  commit -m "feat(web): add iron-session wrapper (web/lib/auth.ts)"
```

---

## Task 5: Passkey JSON store (`web/lib/auth-store.ts`)

**Files:**
- Create: `web/lib/auth-store.ts`

- [ ] **Step 1: Write the store**

Create `web/lib/auth-store.ts`:

```typescript
import "server-only";
import { promises as fs } from "node:fs";
import path from "node:path";
import type { AuthenticatorTransportFuture } from "@simplewebauthn/server";

const FILE_PATH = process.env.CM_AUTH_STORE_PATH ?? "/data/auth/passkeys.json";

export type PasskeyRecord = {
  id: string;
  publicKey: string;
  counter: number;
  transports: AuthenticatorTransportFuture[];
  name: string;
  createdAt: string;
};

type StoreShape = Record<string, PasskeyRecord[]>;

// Single-process write lock. Each mutation chains onto this promise so
// concurrent requests serialize. Sufficient for one container; if we
// ever scale horizontally, switch to a real lockfile or move to mysql.
let writeLock: Promise<void> = Promise.resolve();

async function readAll(): Promise<StoreShape> {
  try {
    const raw = await fs.readFile(FILE_PATH, "utf8");
    const parsed = JSON.parse(raw);
    if (parsed && typeof parsed === "object" && !Array.isArray(parsed)) {
      return parsed as StoreShape;
    }
    return {};
  } catch (err) {
    if ((err as NodeJS.ErrnoException).code === "ENOENT") return {};
    throw err;
  }
}

async function writeAtomic(data: StoreShape): Promise<void> {
  const dir = path.dirname(FILE_PATH);
  await fs.mkdir(dir, { recursive: true });
  const tmp = `${FILE_PATH}.tmp`;
  const handle = await fs.open(tmp, "w");
  try {
    await handle.writeFile(JSON.stringify(data, null, 2));
    await handle.sync();
  } finally {
    await handle.close();
  }
  await fs.rename(tmp, FILE_PATH);
}

function withLock<T>(fn: () => Promise<T>): Promise<T> {
  const next = writeLock.then(fn, fn);
  // Keep the chain going regardless of whether `fn` resolved or threw.
  writeLock = next.then(
    () => undefined,
    () => undefined,
  );
  return next;
}

export async function readPasskeys(username: string): Promise<PasskeyRecord[]> {
  const all = await readAll();
  return all[username] ?? [];
}

export async function appendPasskey(username: string, rec: PasskeyRecord): Promise<void> {
  await withLock(async () => {
    const all = await readAll();
    const list = all[username] ?? [];
    list.push(rec);
    all[username] = list;
    await writeAtomic(all);
  });
}

export async function removePasskey(username: string, credentialId: string): Promise<boolean> {
  return withLock(async () => {
    const all = await readAll();
    const list = all[username] ?? [];
    const next = list.filter((p) => p.id !== credentialId);
    if (next.length === list.length) return false;
    all[username] = next;
    await writeAtomic(all);
    return true;
  });
}

export async function bumpCounter(
  username: string,
  credentialId: string,
  counter: number,
): Promise<void> {
  await withLock(async () => {
    const all = await readAll();
    const list = all[username] ?? [];
    const idx = list.findIndex((p) => p.id === credentialId);
    if (idx === -1) return;
    list[idx] = { ...list[idx], counter };
    all[username] = list;
    await writeAtomic(all);
  });
}
```

- [ ] **Step 2: Commit**

```bash
cd /home/yiekheng/projects/cm_bot_v2 && \
git add web/lib/auth-store.ts && \
git -c user.name='yiekheng' -c user.email='yiekheng@04080616.xyz' \
  commit -m "feat(web): JSON-file passkey store with atomic writes + write lock"
```

---

## Task 6: WebAuthn relying-party helpers (`web/lib/auth-rp.ts`)

**Files:**
- Create: `web/lib/auth-rp.ts`

- [ ] **Step 1: Write the helpers**

WebAuthn requires a relying-party identifier (rpID = the domain) and an origin (`https://...`). These come from request headers in production (since the public domain is set at the aaPanel layer, not in `cm-web-next`'s env). We derive them from the `Host` header on every Server Action invocation.

Create `web/lib/auth-rp.ts`:

```typescript
import "server-only";
import { headers } from "next/headers";

export type RpInfo = {
  rpID: string;
  origin: string;
  rpName: string;
};

export async function getRpInfo(): Promise<RpInfo> {
  const hdrs = await headers();
  // x-forwarded-host is what aaPanel sets; fall back to host for direct dev.
  const host = hdrs.get("x-forwarded-host") ?? hdrs.get("host") ?? "localhost:8010";
  // Drop any port from the rpID (WebAuthn requires hostname only, no port).
  const rpID = host.split(":")[0];
  // Origin includes protocol + host + port.
  const proto = hdrs.get("x-forwarded-proto") ?? "http";
  const origin = `${proto}://${host}`;
  return {
    rpID,
    origin,
    rpName: "CM Bot V2",
  };
}
```

Why derive from headers: same `cm-web-next` image runs at `http://localhost:8010` (dev) and `https://heng.04080616.xyz` (prod) — the rpID/origin differs. Hardcoding either breaks the other. Headers from the real request always reflect the user's actual origin.

- [ ] **Step 2: Commit**

```bash
cd /home/yiekheng/projects/cm_bot_v2 && \
git add web/lib/auth-rp.ts && \
git -c user.name='yiekheng' -c user.email='yiekheng@04080616.xyz' \
  commit -m "feat(web): WebAuthn relying-party helper (host-derived rpID/origin)"
```

---

## Task 7: Server Actions (`web/app/auth-actions.ts`)

**Files:**
- Create: `web/app/auth-actions.ts`

- [ ] **Step 1: Write the actions**

Create `web/app/auth-actions.ts`:

```typescript
"use server";

import { redirect } from "next/navigation";
import { revalidatePath } from "next/cache";
import { timingSafeEqual } from "node:crypto";
import {
  generateAuthenticationOptions,
  generateRegistrationOptions,
  verifyAuthenticationResponse,
  verifyRegistrationResponse,
  type AuthenticationResponseJSON,
  type RegistrationResponseJSON,
} from "@simplewebauthn/server";
import {
  getSession,
  setSession,
  clearSession,
  requireSession,
} from "@/lib/auth";
import { getRpInfo } from "@/lib/auth-rp";
import {
  readPasskeys,
  appendPasskey,
  removePasskey,
  bumpCounter,
} from "@/lib/auth-store";

export type ActionResult = { ok: true } | { ok: false; error: string };

function constantTimeEqual(a: string, b: string): boolean {
  // timingSafeEqual requires equal-length buffers. Pad both to the
  // longer length with NULs (which won't appear in either real value)
  // so the compare itself is constant-time. Then check the original
  // lengths matched as a final guard.
  const ab = Buffer.from(a);
  const bb = Buffer.from(b);
  const len = Math.max(ab.length, bb.length);
  const ap = Buffer.alloc(len);
  const bp = Buffer.alloc(len);
  ab.copy(ap);
  bb.copy(bp);
  return timingSafeEqual(ap, bp) && ab.length === bb.length;
}

// ---- Password login ----

export async function loginWithPassword(
  username: string,
  password: string,
): Promise<ActionResult> {
  const expectedUsername = process.env.CM_AGENT_ID ?? "";
  const expectedPassword = process.env.CM_AGENT_PASSWORD ?? "";
  if (!expectedUsername || !expectedPassword) {
    return { ok: false, error: "Server credentials not configured" };
  }
  const usernameOk = constantTimeEqual(username, expectedUsername);
  const passwordOk = constantTimeEqual(password, expectedPassword);
  if (!usernameOk || !passwordOk) {
    return { ok: false, error: "Invalid credentials" };
  }
  await setSession({
    username: expectedUsername,
    authenticatedAt: Date.now(),
  });
  return { ok: true };
}

export async function logout(): Promise<void> {
  await clearSession();
  redirect("/cm-auth");
}

// ---- WebAuthn registration (requires authenticated session) ----

export async function beginRegistration() {
  const session = await requireSession();
  const { rpID, rpName } = await getRpInfo();
  const existing = await readPasskeys(session.username);
  const options = await generateRegistrationOptions({
    rpName,
    rpID,
    userName: session.username,
    userID: new TextEncoder().encode(session.username),
    attestationType: "none",
    authenticatorSelection: {
      residentKey: "preferred",
      userVerification: "preferred",
      authenticatorAttachment: "platform",
    },
    excludeCredentials: existing.map((p) => ({
      id: p.id,
      transports: p.transports,
    })),
  });
  await setSession({
    ...session,
    pendingChallenge: {
      kind: "register",
      challenge: options.challenge,
      expiresAt: Date.now() + 5 * 60 * 1000,
    },
  });
  return options;
}

export async function finishRegistration(
  response: RegistrationResponseJSON,
  deviceName: string,
): Promise<ActionResult> {
  const session = await requireSession();
  const pending = session.pendingChallenge;
  if (!pending || pending.kind !== "register" || pending.expiresAt < Date.now()) {
    return { ok: false, error: "Registration challenge expired or missing" };
  }
  const { rpID, origin } = await getRpInfo();
  let verification;
  try {
    verification = await verifyRegistrationResponse({
      response,
      expectedChallenge: pending.challenge,
      expectedOrigin: origin,
      expectedRPID: rpID,
      requireUserVerification: false,
    });
  } catch (err) {
    return {
      ok: false,
      error: err instanceof Error ? err.message : "Verification failed",
    };
  }
  if (!verification.verified || !verification.registrationInfo) {
    return { ok: false, error: "Registration not verified" };
  }
  const info = verification.registrationInfo;
  const cred = info.credential;
  const trimmedName = (deviceName || "").trim() || "Unnamed device";
  await appendPasskey(session.username, {
    id: cred.id,
    publicKey: Buffer.from(cred.publicKey).toString("base64url"),
    counter: cred.counter,
    transports: response.response.transports ?? [],
    name: trimmedName,
    createdAt: new Date().toISOString(),
  });
  // Clear the pending challenge.
  await setSession({
    username: session.username,
    authenticatedAt: session.authenticatedAt,
  });
  revalidatePath("/cm-passkeys");
  return { ok: true };
}

// ---- WebAuthn authentication (NO session required — this IS the login) ----

export async function beginAuthentication() {
  const expectedUsername = process.env.CM_AGENT_ID ?? "";
  const passkeys = await readPasskeys(expectedUsername);
  const { rpID } = await getRpInfo();
  const options = await generateAuthenticationOptions({
    rpID,
    userVerification: "preferred",
    allowCredentials: passkeys.map((p) => ({
      id: p.id,
      transports: p.transports,
    })),
  });
  // Store challenge in a fresh session-shell (no auth yet). On verify
  // we'll upgrade this shell to a full session.
  const existing = (await getSession()) ?? {
    username: "",
    authenticatedAt: 0,
  };
  await setSession({
    ...existing,
    pendingChallenge: {
      kind: "authenticate",
      challenge: options.challenge,
      expiresAt: Date.now() + 5 * 60 * 1000,
    },
  });
  return options;
}

export async function finishAuthentication(
  response: AuthenticationResponseJSON,
): Promise<ActionResult> {
  const expectedUsername = process.env.CM_AGENT_ID ?? "";
  if (!expectedUsername) {
    return { ok: false, error: "Server identity not configured" };
  }
  const session = await getSession();
  const pending = session?.pendingChallenge;
  if (!pending || pending.kind !== "authenticate" || pending.expiresAt < Date.now()) {
    return { ok: false, error: "Authentication challenge expired or missing" };
  }
  const passkeys = await readPasskeys(expectedUsername);
  const stored = passkeys.find((p) => p.id === response.id);
  if (!stored) {
    return { ok: false, error: "Unknown credential" };
  }
  const { rpID, origin } = await getRpInfo();
  let verification;
  try {
    verification = await verifyAuthenticationResponse({
      response,
      expectedChallenge: pending.challenge,
      expectedOrigin: origin,
      expectedRPID: rpID,
      credential: {
        id: stored.id,
        publicKey: Buffer.from(stored.publicKey, "base64url"),
        counter: stored.counter,
        transports: stored.transports,
      },
      requireUserVerification: false,
    });
  } catch (err) {
    return {
      ok: false,
      error: err instanceof Error ? err.message : "Verification failed",
    };
  }
  if (!verification.verified) {
    return { ok: false, error: "Authentication not verified" };
  }
  await bumpCounter(expectedUsername, stored.id, verification.authenticationInfo.newCounter);
  await setSession({
    username: expectedUsername,
    authenticatedAt: Date.now(),
  });
  return { ok: true };
}

// ---- Passkey management ----

export async function deletePasskey(credentialId: string): Promise<ActionResult> {
  const session = await requireSession();
  const removed = await removePasskey(session.username, credentialId);
  if (!removed) return { ok: false, error: "Passkey not found" };
  revalidatePath("/cm-passkeys");
  return { ok: true };
}

export async function hasPasskeysForLogin(): Promise<boolean> {
  const expectedUsername = process.env.CM_AGENT_ID ?? "";
  if (!expectedUsername) return false;
  const list = await readPasskeys(expectedUsername);
  return list.length > 0;
}
```

- [ ] **Step 2: Commit**

```bash
cd /home/yiekheng/projects/cm_bot_v2 && \
git add web/app/auth-actions.ts && \
git -c user.name='yiekheng' -c user.email='yiekheng@04080616.xyz' \
  commit -m "feat(web): Server Actions for password login + WebAuthn passkey flows"
```

---

## Task 8: Middleware (`web/middleware.ts`)

**Files:**
- Create: `web/middleware.ts`

- [ ] **Step 1: Write the middleware**

Create `web/middleware.ts`:

```typescript
import { NextRequest, NextResponse } from "next/server";
import { unsealData } from "iron-session";

const COOKIE_NAME = "cm_auth";
const PUBLIC_PATHS = new Set<string>(["/cm-auth"]);

type SessionShape = {
  username: string;
  authenticatedAt: number;
};

async function isAuthenticated(req: NextRequest): Promise<boolean> {
  const raw = req.cookies.get(COOKIE_NAME)?.value;
  if (!raw) return false;
  const secret = process.env.CM_AUTH_SECRET;
  if (!secret || secret.length < 32) return false;
  try {
    const session = await unsealData<SessionShape>(raw, { password: secret });
    return Boolean(session?.username);
  } catch {
    return false;
  }
}

export async function middleware(req: NextRequest) {
  const path = req.nextUrl.pathname;
  // Strip trailing slash for the comparison.
  const normalized = path.length > 1 && path.endsWith("/") ? path.slice(0, -1) : path;
  if (PUBLIC_PATHS.has(normalized)) return NextResponse.next();

  if (await isAuthenticated(req)) return NextResponse.next();

  const url = req.nextUrl.clone();
  url.pathname = "/cm-auth";
  url.searchParams.set("next", path);
  return NextResponse.redirect(url);
}

export const config = {
  // Skip framework internals, the manifest endpoint, and the auto-generated
  // icon/apple-icon routes (those need to be reachable for the PWA install).
  matcher: [
    "/((?!_next|icon$|apple-icon$|manifest.webmanifest|favicon.ico).*)",
  ],
};
```

The matcher regex excludes Next.js internal paths and the public manifest/icon endpoints. Server Actions are routed through Next.js's framework layer (POST to the page URL with `Next-Action` header) — middleware sees them as POST requests to a page path. Since the page path requires auth, the action is also gated. Login-related Server Actions live OFF `/cm-auth`, so they go through the public path.

Wait — Server Actions are bound to where they're imported, but the request URL is the page that triggered them. If the user calls `loginWithPassword` from `/cm-auth/auth-form.tsx`, the request URL is `/cm-auth`. That's in `PUBLIC_PATHS`, so middleware lets it through. 

For Server Actions called from authenticated pages (like `deletePasskey` from `/cm-passkeys`), middleware sees `/cm-passkeys` and requires auth — correct, since the action checks `requireSession()` internally too.

- [ ] **Step 2: Commit**

```bash
cd /home/yiekheng/projects/cm_bot_v2 && \
git add web/middleware.ts && \
git -c user.name='yiekheng' -c user.email='yiekheng@04080616.xyz' \
  commit -m "feat(web): middleware redirects unauthenticated requests to /cm-auth"
```

---

## Task 9: `/cm-auth` page shell + frontend-design auth form

**Files:**
- Create: `web/app/cm-auth/page.tsx`
- Create: `web/app/cm-auth/auth-form.tsx` (frontend-design)

- [ ] **Step 1: Create the directory**

```bash
mkdir -p /home/yiekheng/projects/cm_bot_v2/web/app/cm-auth
```

- [ ] **Step 2: Write the Server Component shell**

Create `web/app/cm-auth/page.tsx`:

```typescript
import { hasPasskeysForLogin } from "@/app/auth-actions";
import { getSession } from "@/lib/auth";
import { redirect } from "next/navigation";
import AuthForm from "./auth-form";

type SearchParams = { next?: string };

export default async function AuthPage({
  searchParams,
}: {
  searchParams: Promise<SearchParams>;
}) {
  // If already authenticated, bounce to the destination.
  const session = await getSession();
  if (session) {
    const dest = (await searchParams).next ?? "/";
    redirect(dest);
  }
  const passkeysAvailable = await hasPasskeysForLogin();
  const next = (await searchParams).next ?? "/";
  return <AuthForm passkeysAvailable={passkeysAvailable} next={next} />;
}

// Don't pre-render — the passkey-availability flag and session check both
// depend on runtime state.
export const dynamic = "force-dynamic";
```

- [ ] **Step 3: Invoke frontend-design for the form**

Use the Skill tool with `skill="frontend-design:frontend-design"` and:

```
Generate a Next.js 15 + Tailwind v4 Client Component at
`web/app/cm-auth/auth-form.tsx`.

Visual identity matches the rest of the dashboard: refined SaaS,
white card on zinc-50, ring-1 zinc-200, no hard 2px borders, rounded-2xl,
emerald-100 accents, sans for chrome (no font-mono on the chrome).

The component is the login form for an internal CRUD dashboard. One
operator per deployment; identity = CM_AGENT_ID env var.

Props:
  type Props = {
    passkeysAvailable: boolean;
    next: string;
  };

Imports:
  import { loginWithPassword, beginAuthentication, finishAuthentication } from "@/app/auth-actions";
  import { startAuthentication } from "@simplewebauthn/browser";
  import { useRouter } from "next/navigation";
  // useState, useTransition from react

Behavior:

1. If passkeysAvailable && (browser supports
   PublicKeyCredential.isUserVerifyingPlatformAuthenticatorAvailable() —
   feature-detect at mount time with useEffect+useState), render a
   primary "Sign in with passkey" button at the top.

2. The passkey button click flow:
   - Call await beginAuthentication() to get options.
   - Call await startAuthentication({ optionsJSON: options }) — triggers
     Face ID / fingerprint UI.
   - Call await finishAuthentication(response).
   - On { ok: true }: router.push(next || "/").
   - On error: show inline red error below the button.

3. Always render the username + password form below the passkey button
   (or as the only option when no passkey is enrolled). On submit:
   - await loginWithPassword(username, password).
   - On { ok: true }: router.push(next || "/").
   - On error: show inline red error below the form.

4. Inputs use text-base (16px) on mobile, sm:text-[13px] on desktop —
   the established iOS auto-zoom fix.

5. autoFocus on the username input only on pointer devices
   (matchMedia '(hover: hover) and (pointer: fine)') — phones skip.

6. Centered card on the workbench backdrop. Width max-w-md.

7. Brand mark at the top of the card: a small "CM" 8x8 zinc-900 tile
   (matches the nav brand mark) and the title "Sign in".

8. Below the form: a small zinc-500 footer line:
   "Forgot the password? Check the deployment's .env file for CM_AGENT_PASSWORD."

9. While a transition is pending, disable both the passkey button and
   the form. Use useTransition().

The component should be self-contained — Tailwind utility classes only,
no external deps beyond the imports listed.
```

- [ ] **Step 4: Save the returned file**

Save the skill's output to `web/app/cm-auth/auth-form.tsx`.

- [ ] **Step 5: Commit**

```bash
cd /home/yiekheng/projects/cm_bot_v2 && \
git add web/app/cm-auth/page.tsx web/app/cm-auth/auth-form.tsx && \
git -c user.name='yiekheng' -c user.email='yiekheng@04080616.xyz' \
  commit -m "feat(web): /cm-auth login page with passkey + password options"
```

---

## Task 10: `/cm-passkeys` page shell + frontend-design passkey list

**Files:**
- Create: `web/app/cm-passkeys/page.tsx`
- Create: `web/app/cm-passkeys/passkey-list.tsx` (frontend-design)

- [ ] **Step 1: Create the directory**

```bash
mkdir -p /home/yiekheng/projects/cm_bot_v2/web/app/cm-passkeys
```

- [ ] **Step 2: Write the Server Component shell**

Create `web/app/cm-passkeys/page.tsx`:

```typescript
import { requireSession } from "@/lib/auth";
import { readPasskeys } from "@/lib/auth-store";
import PasskeyList from "./passkey-list";

export default async function PasskeysPage() {
  const session = await requireSession();
  const list = await readPasskeys(session.username);
  // Strip the publicKey field — clients don't need it; reduces payload size.
  const visible = list.map(({ publicKey: _pk, ...rest }) => rest);
  return <PasskeyList initial={visible} username={session.username} />;
}

export const dynamic = "force-dynamic";
```

- [ ] **Step 3: Invoke frontend-design for the list**

Use the Skill tool with `skill="frontend-design:frontend-design"` and:

```
Generate a Next.js 15 + Tailwind v4 Client Component at
`web/app/cm-passkeys/passkey-list.tsx`.

Visual identity: refined SaaS dashboard (matches accounts-table,
users-table) — white card on zinc-50, ring-1 zinc-200, rounded-2xl,
sans for chrome with mono only for the credential ID display.

Props:
  type Passkey = {
    id: string;
    counter: number;
    transports: string[];
    name: string;
    createdAt: string;
  };
  type Props = {
    initial: Passkey[];
    username: string;
  };

Imports:
  import { beginRegistration, finishRegistration, deletePasskey } from "@/app/auth-actions";
  import { startRegistration } from "@simplewebauthn/browser";
  import ConfirmDialog from "@/components/confirm-dialog";
  import FormDialogShell, { Field, inputClass } from "@/components/form-dialog-shell";
  import Toast, { type ToastMessage } from "@/components/toast";
  // useState, useTransition, useRouter from react/next

Behavior:

1. Page head similar to AccountsTable's PageHead: eyebrow "Settings",
   heading "Passkeys", count of enrolled. No Refresh button (the list
   is server-revalidated on enroll/delete). An "Add passkey" primary
   button on the right (zinc-900 pill).

2. Empty state: if initial.length === 0, a centered card with text
   "No passkeys enrolled yet. Add one to sign in with Face ID, Touch
   ID, or fingerprint on this device."

3. List of passkeys: each row in a rounded-xl bg-white ring-1
   zinc-200/60 card. Show: device name (font-semibold), small zinc-500
   line "Added <relative-time>", and an x button on the right that
   opens a ConfirmDialog "Remove passkey 'X'?".

4. "Add passkey" button opens a FormDialogShell with:
   - One field: "Device name" (e.g., "iPhone 15"), required.
   - Submit calls beginRegistration() → startRegistration() → 
     finishRegistration({ response, deviceName }).
   - On { ok: true }: dialog closes, success toast "Passkey added".
   - On error: inline error in the dialog.
   - autoFocus only on pointer devices (matchMedia same as create-account-dialog.tsx).

5. Remove flow: ConfirmDialog → click confirm → deletePasskey(id) →
   on success, success toast "Passkey removed".

6. Mobile responsive — passkey list cards stack with full width.

The component imports ConfirmDialog from @/components/confirm-dialog,
FormDialogShell from @/components/form-dialog-shell, and Toast from
@/components/toast (all already exist in the codebase). Tailwind v4
utility classes only, no other external deps.
```

- [ ] **Step 4: Save the returned file**

Save to `web/app/cm-passkeys/passkey-list.tsx`.

- [ ] **Step 5: Commit**

```bash
cd /home/yiekheng/projects/cm_bot_v2 && \
git add web/app/cm-passkeys/page.tsx web/app/cm-passkeys/passkey-list.tsx && \
git -c user.name='yiekheng' -c user.email='yiekheng@04080616.xyz' \
  commit -m "feat(web): /cm-passkeys settings page for passkey enroll/remove"
```

---

## Task 11: Nav account menu (modify nav.tsx via frontend-design)

**Files:**
- Modify: `web/components/nav.tsx`

The current nav has the Accounts/Users tab pills. Add an account menu on the right that shows the operator's username with a dropdown for "Passkey settings" and "Sign out".

- [ ] **Step 1: Read current nav for context**

```bash
cat /home/yiekheng/projects/cm_bot_v2/web/components/nav.tsx
```

This is the existing file the next step modifies.

- [ ] **Step 2: Invoke frontend-design**

Use the Skill tool with `skill="frontend-design:frontend-design"` and:

```
Modify `web/components/nav.tsx` to add an account menu next to the
existing Accounts/Users tab pills.

Current file: see context paste below the brief.

Visual identity: same as the rest of the SaaS dashboard. Account menu
should feel like a quiet, secondary affordance — not competing with
the tab pills.

Requirements:

1. Keep the existing brand mark (left) and tab pills (center/right).
2. Add a new account button to the FAR right (after the tab pills):
   - Small button with: a 6x6 zinc-900 circle showing the first letter
     of the username (uppercase), then the username text in zinc-700.
   - Hover: bg-zinc-100.
   - On click: open a small dropdown menu.
3. Dropdown menu (anchored under the account button):
   - Two items:
     a. "Passkey settings" → next/link to "/cm-passkeys".
     b. "Sign out" → button that calls the `logout` Server Action from
        "@/app/auth-actions". Logout already redirects to /cm-auth so
        no client-side redirect needed.
   - Closes on Esc, on outside-click, and on item-click.
4. Username comes from a new prop `username: string`.
5. Mobile: the username text hides below sm:; only the avatar
   circle remains. Dropdown still works.
6. Keep `"use client"` and `usePathname()` exactly as today.
7. Account menu: vanilla useState + click-outside via a ref, no
   external deps.

Component context (current file):

[paste the contents of web/components/nav.tsx here when invoking the skill]

Output the COMPLETE rewritten nav.tsx file ready to drop in. Default
export Nav() unchanged in name and required props — but Nav now takes
a `username` prop.
```

- [ ] **Step 3: Update layout.tsx to pass `username` to Nav**

The new nav requires a `username` prop. The layout is a Server Component, so it can read the session and pass it down:

Modify `web/app/layout.tsx`:

```typescript
import "./globals.css";
import type { Metadata, Viewport } from "next";
import Nav from "@/components/nav";
import AutoRefresh from "@/components/auto-refresh";
import { getSession } from "@/lib/auth";

export const metadata: Metadata = {
  title: "CM Bot V2",
  description: "CM Bot account and user dashboard",
};

export const viewport: Viewport = {
  themeColor: "#18181b",
  viewportFit: "cover",
};

export default async function RootLayout({
  children,
}: {
  children: React.ReactNode;
}) {
  const session = await getSession();
  return (
    <html lang="en">
      <body className="min-h-screen bg-zinc-50 text-zinc-900 antialiased">
        {session && <Nav username={session.username} />}
        <main className="mx-auto max-w-6xl px-4 pb-16 pt-8 sm:px-6 sm:pt-12">
          {children}
        </main>
        <AutoRefresh />
      </body>
    </html>
  );
}
```

The `Nav` only renders when there's a session (the `/cm-auth` page renders inside the layout but without a session, so we hide the nav there).

- [ ] **Step 4: Commit**

```bash
cd /home/yiekheng/projects/cm_bot_v2 && \
git add web/components/nav.tsx web/app/layout.tsx && \
git -c user.name='yiekheng' -c user.email='yiekheng@04080616.xyz' \
  commit -m "feat(web): nav account menu with sign out + passkey settings link"
```

---

## Task 12: AGENTS.md Auth subsection

**Files:**
- Modify: `AGENTS.md`

- [ ] **Step 1: Add an Auth subsection**

In `AGENTS.md`, find the `## Dev Tier (Local Development)` heading. Insert a new `## Auth` section immediately above it:

```
## Auth
- The Next.js dashboard (`cm-web-next`) gates every route except `/cm-auth` behind a session cookie.
- **Password sign-in** uses `CM_AGENT_ID` and `CM_AGENT_PASSWORD` from the deployment's `.env` (constant-time compare). No separate user table.
- **WebAuthn passkey** sign-in is the preferred path on devices with platform authenticators (Face ID, Touch ID, Android fingerprint). Enroll one at `/cm-passkeys` after the first password login.
- Session: signed `httpOnly` cookie (`cm_auth`), 30-day rolling. Requires `CM_AUTH_SECRET` env var (≥32 chars). Generate with `openssl rand -hex 32`.
- Passkey storage: `/data/auth/passkeys.json` inside the container, mounted from the `${CM_DEPLOY_NAME}-web-next-auth-data` named volume. Atomic writes; persists across container restarts and image rebuilds.
- "Forgot password" recovery: look at the deployment's `.env`. There's no email reset flow.
- Rotating `CM_AUTH_SECRET` invalidates all sessions (forces everyone to re-login).
```

- [ ] **Step 2: Commit**

```bash
cd /home/yiekheng/projects/cm_bot_v2 && \
git add AGENTS.md && \
git -c user.name='yiekheng' -c user.email='yiekheng@04080616.xyz' \
  commit -m "docs(agents): document the auth model and passkey storage"
```

---

## Task 13: Build + integration verification

**Files:** none modified.

This requires `docker compose v2` on the deploy host plus a `CM_AUTH_SECRET` set in the live `.env`.

- [ ] **Step 1: Set the secret in the live `.env`**

Generate and copy:

```bash
cd /home/yiekheng/projects/cm_bot_v2 && \
openssl rand -hex 32
```

Append the resulting line to the repo-root `.env` (or your `envs/dev/.env`):

```
CM_AUTH_SECRET=<the 64-char hex string from above>
```

- [ ] **Step 2: Rebuild + bring up**

```bash
cd /home/yiekheng/projects/cm_bot_v2 && \
sudo docker compose -f docker-compose.yml -f docker-compose.override.yml down --remove-orphans && \
sudo docker compose -f docker-compose.yml -f docker-compose.override.yml build --no-cache web-next 2>&1 | tail -30 && \
bash scripts/dev.sh up
```

Expected: build succeeds (npm install resolves iron-session and @simplewebauthn/* against the registry). Stack comes up with mysql, api-server, web-view, web-next.

- [ ] **Step 3: Cold-start redirect check**

```bash
curl -s -o /dev/null -w "code=%{http_code}\nlocation=%{redirect_url}\n" -L=0 http://localhost:8010/
```

Expected: `code=307` (or 308) with `location=http://localhost:8010/cm-auth?next=%2F`. A fresh browser would land on `/cm-auth`.

- [ ] **Step 4: Password login (browser)**

Open `http://localhost:8010/` in a browser. Redirected to `/cm-auth?next=%2F`. Enter `CM_AGENT_ID` and `CM_AGENT_PASSWORD` from the dev `.env`. Submit. Browser redirects to `/`. Accounts table renders.

DevTools → Application → Cookies → `cm_auth` cookie present, `httpOnly`, `secure` only if `NODE_ENV=production` (in the dev override container it's set, so should be secure-flagged in prod compose only).

- [ ] **Step 5: Wrong password**

Sign out (account menu → Sign out — redirects to `/cm-auth`). Try wrong password. Inline red error appears. No cookie set. No redirect.

- [ ] **Step 6: Passkey enrollment (Chrome desktop with Touch ID, or iPhone PWA)**

Sign in with password. Click account menu → "Passkey settings". Page renders an empty state. Click "Add passkey". Dialog appears. Type "MacBook" (or your device name). Submit → Touch ID prompt → success toast "Passkey added" → dialog closes → row appears in the list.

Verify the JSON file exists:

```bash
sudo docker exec dev-cm-web-next cat /data/auth/passkeys.json
```

Expected: JSON with one entry under your `CM_AGENT_ID` key.

- [ ] **Step 7: Passkey login**

Sign out. `/cm-auth` now shows "Sign in with passkey" as the primary CTA (because passkeys exist for this username). Click → Touch ID → redirect to `/`.

- [ ] **Step 8: Passkey persistence across rebuild**

```bash
sudo docker compose -f docker-compose.yml -f docker-compose.override.yml down && \
sudo docker compose -f docker-compose.yml -f docker-compose.override.yml build --no-cache web-next && \
bash scripts/dev.sh up
```

After up, the passkey JSON file still has the previously enrolled credential (volume persisted). Login via passkey still works.

- [ ] **Step 9: Passkey removal**

Sign in. `/cm-passkeys`. Click × on the device → ConfirmDialog → confirm → success toast. Row gone. JSON file no longer contains that credential.

- [ ] **Step 10: Full unit suite (existing tests)**

```bash
cd /home/yiekheng/projects/cm_bot_v2 && \
.venv/bin/python -m unittest tests.test_debug_enabled tests.test_bot_cli tests.test_cm_bot_scraper 2>&1 | tail -3
```

Expected: `OK` (B-auth doesn't change Python behavior; this is a regression check).

- [ ] **Step 11: Constant-time compare manual check**

```bash
grep -A 15 "constantTimeEqual" /home/yiekheng/projects/cm_bot_v2/web/app/auth-actions.ts
```

Expected: function uses `Buffer.alloc` to pad to equal length, calls `timingSafeEqual` on the padded buffers, then ANDs in a length check. No early-return on length mismatch (which would leak length). No string `==` comparison. (This is a code-review step — read it manually.)

- [ ] **Step 12: Middleware coverage**

While signed out:

```bash
# All these should redirect to /cm-auth:
curl -sIo /dev/null -w "/  → %{http_code} %{redirect_url}\n" http://localhost:8010/
curl -sIo /dev/null -w "/users  → %{http_code} %{redirect_url}\n" http://localhost:8010/users/
curl -sIo /dev/null -w "/cm-passkeys → %{http_code} %{redirect_url}\n" http://localhost:8010/cm-passkeys
# But /cm-auth itself should NOT redirect:
curl -sIo /dev/null -w "/cm-auth → %{http_code}\n" http://localhost:8010/cm-auth
# Static assets should NOT be gated:
curl -sIo /dev/null -w "/manifest.webmanifest → %{http_code}\n" http://localhost:8010/manifest.webmanifest
curl -sIo /dev/null -w "/icon → %{http_code}\n" http://localhost:8010/icon
```

Expected: protected paths return 307/308 with `redirect_url=...cm-auth?next=...`. `/cm-auth` returns 200. Manifest and icon both return 200 (PWA install needs them reachable while logged out — they're in the matcher's negative lookahead).

---

## Spec Coverage Check (self-review)

| Spec requirement | Task |
|---|---|
| `iron-session` cookie session | Task 4 |
| `CM_AUTH_SECRET` env var documented | Task 2, Task 12 |
| Constant-time password compare | Task 7 (`constantTimeEqual`) |
| WebAuthn registration flow (begin/finish) | Task 7 (`beginRegistration`, `finishRegistration`) |
| WebAuthn authentication flow (begin/finish) | Task 7 (`beginAuthentication`, `finishAuthentication`) |
| Passkey JSON store with atomic writes + write lock | Task 5 |
| Per-username keyed passkey storage | Task 5 (`StoreShape = Record<string, PasskeyRecord[]>`) |
| `/cm-auth` login page | Task 9 |
| `/cm-passkeys` settings page | Task 10 |
| Middleware gating, only `/cm-auth` public | Task 8 |
| Manifest/icon endpoints stay reachable | Task 8 (matcher) |
| Account menu in nav with sign out + settings link | Task 11 |
| Layout passes username to nav | Task 11 step 3 |
| Docker volume `web-next-auth-data` | Task 3 |
| `CM_AUTH_SECRET` env templates | Task 2 |
| AGENTS.md Auth subsection | Task 12 |
| Verification: cold start, password login, wrong password, enroll passkey, passkey login, persistence, remove, middleware coverage | Task 13 |

No gaps. Function and prop names consistent across tasks. The `username` prop on `Nav` is introduced in Task 11 and the layout updated in the same task to provide it, so no inter-task type drift. The `Passkey` shape consumed by `passkey-list.tsx` (Task 10) matches the projection done in `cm-passkeys/page.tsx` Server Component (drops `publicKey`).