version 5.3.4

fix: run full reload after HTTP config publish, not just config.reload()
HTTP config-mutating endpoints (publish, rollback, channel CRUD, user self-update) were calling config.reload() directly, which only refreshed the in-memory config dict. This skipped re-applying host.dyn/host.watched flags to live Host objects, so enabling dyndns via the UI had no effect until a SIGHUP was sent. Wire a reload_callback through http.start() that calls the same reload_configuration() function used by the SIGHUP handler, ensuring host attributes, notify module, users, and threshold checker are all updated on every config publish. Also fix unmatched quote in udp.py f-string log message. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-12 15:06:24 -04:00 · 2026-05-12 15:05:52 -04:00 · 2026-05-12 14:34:58 -04:00 · 2026-05-12 14:34:11 -04:00 · 2026-05-12 11:42:54 -04:00 · 2026-05-12 10:57:03 -04:00
40 changed files with 8991 additions and 599 deletions
@@ -12,3 +12,4 @@ dist/
 ssl/
 uv.lock
 .hb.yaml
 .superpowers/
@@ -8,7 +8,7 @@ A lightweight daemon that listens for UDP heartbeat messages and acts on them: k
 - Receive and parse heartbeat datagrams (text or zlib-compressed) ✅
 - Maintain host state and detect up/down transitions ✅
- Queue DNS updates via `nsupdate` and run them in a background thread ✅
+- Queue DNS updates via `nsupdate` and run them in an asyncio background task ✅
 - WebSocket API for live updates (hosts & messages) ✅
 - Notification pipeline (email, Pushover, Mattermost, Signal) ✅
 - **User management & access control** ✅
@@ -398,6 +398,7 @@ hosts:
    owner: alice
    managers: [bob]
    monitors: [carol]
    dyndns: true          # update DNS record when IP changes
 ```
 ```bash
@@ -645,7 +646,7 @@ Set breakpoints in modules such as `hbd/server/udp.py`, `hbd/server/dns.py`, or
 - `logfile`: path to log file
 - `pushsrv`: push service (`pushover`|`mattermost`|`all`)
 - `interval` / `grace`: heartbeat timing configuration
- `dyndomains`: list of dyndomains to update via `nsupdate`
+- `dyndomains`: list of DNS domains to update via `nsupdate` for hosts with `dyndns` set
 - `nsupdate_bin`: path to nsupdate binary
 - `ws_port`: port for plain WebSocket connections (default: 50005)
 - `wss_port`: port for secure WebSocket (WSS) connections (default: none).
@@ -666,6 +667,9 @@ dyndomains:
  - example.com
 nsupdate_bin: /usr/bin/nsupdate
 pushsrv: pushover
 hosts:
  myhost:
    dyndns: true          # update DNS when this host's IP changes
 ```
 > Tip: `SERVER_DEFAULTS` in `hbd/server/config.py` contains the canonical defaults and accepted configuration keys.
@@ -769,10 +773,3 @@ Contributions welcome! Please:
 This repository is licensed under the MIT license. See `LICENSE` for details.
 ---
 If you'd like, I can also:
 - add a **GitHub Actions** workflow that runs tests and lint on push/PR 🔁
 - add a `CONTRIBUTING.md` template for PRs and code style 💬
 Which one should I do next? ✨
@@ -53,6 +53,17 @@ See [User Management](USERS.md) for full authentication documentation.
 |--------|------|-------------|------|
 | `GET` | `/api/0/users` | List all users | Admin |
 | `GET` | `/api/0/users/me` | Own profile | Authenticated |
 | `PUT` | `/api/0/users/me` | Update own profile | Authenticated |
 ### Notification Channels
 | Method | Path | Description | Role |
 |--------|------|-------------|------|
 | `GET` | `/api/0/notification_channel_types` | Channel type schemas | Authenticated |
 | `GET` | `/api/0/notification_channels` | List visible channels | Authenticated |
 | `POST` | `/api/0/notification_channels` | Create a channel | Authenticated |
 | `PUT` | `/api/0/notification_channels/{name}` | Update a channel | Owner or Admin |
 | `DELETE` | `/api/0/notification_channels/{name}` | Delete a channel | Owner or Admin |
 ### Host Management
@@ -203,6 +214,101 @@ Changes take effect immediately but are not written back to the config file. Upd
 ---
 ---
 ### Notification Channel Endpoints
 Channels are visible to all users by default. Channels marked `private: true` are only visible to their owner. Admins see all channels.
 #### GET /api/0/notification_channel_types
 Return the schema for every supported notifier type. Used by the web UI to dynamically render the channel creation form.
 **Response:**
 ```json
 {
  "pushover": {
    "label": "Pushover",
    "fields": [
      {"key": "token",  "label": "App token",  "type": "secret", "required": true},
      {"key": "user",   "label": "User key",   "type": "secret", "required": true},
      {"key": "sound",  "label": "Sound",      "type": "text",   "required": false}
    ]
  },
  "email": { "label": "E-mail", "fields": [ ... ] },
  ...
 }
 ```
 ---
 #### GET /api/0/notification_channels
 List channels visible to the current user (public channels + own private channels). Admins receive all channels.
 **Response:**
 ```json
 [
  {
    "name": "pushover_ops",
    "type": "pushover",
    "type_label": "Pushover",
    "owner": null,
    "private": false,
    "min_level": "WARNING",
    "fields": [
      {"key": "token", "label": "App token", "value": "•••", "sensitive": true},
      {"key": "user",  "label": "User key",  "value": "•••", "sensitive": true}
    ]
  }
 ]
 ```
 Sensitive fields (`type: "secret"`) are always returned as `"•••"`.
 ---
 #### POST /api/0/notification_channels
 Create a new channel. The creating user becomes the channel's `owner`.
 **Request body:**
 ```json
 {
  "name": "my_pushover",
  "type": "pushover",
  "token": "app-token",
  "user": "user-key",
  "min_level": "WARNING",
  "private": true
 }
 ```
 **Response:** `{"ok": true, "name": "my_pushover"}`
 **Status codes:** `200 OK`, `400` (missing required field or unknown type), `409` (name already exists)
 ---
 #### PUT /api/0/notification_channels/{name}
 Update an existing channel. Only the channel owner or an admin may update it.
 Secret fields sent as `"•••"` are preserved from the existing config (same pattern as OAuth secrets in the admin config editor).
 **Request body:** same shape as POST, `name` ignored (taken from URL).
 **Response:** `{"ok": true}`
 **Status codes:** `200 OK`, `403 Forbidden`, `404 Not Found`
 ---
 #### DELETE /api/0/notification_channels/{name}
 Delete a channel. Only the channel owner or an admin may delete it.
 **Response:** `{"ok": true}`
 **Status codes:** `200 OK`, `403 Forbidden`, `404 Not Found`
 ---
 ### Alert Endpoints
 #### GET /api/0/hosts/{hostname}/alerts
@@ -30,9 +30,17 @@ Set `base_url` so notification links point to your hbd instance:
 base_url: https://hbd.example.com
 ```
-### Global channel definitions
+### Channel definitions
-Define channels once; reference them by name from user configs:
+Channels are defined under `notification_channels`. Each entry specifies a delivery type and its credentials. Two optional metadata fields control visibility:
 | Field | Default | Description |
 |---|---|---|
 | `owner` | *(absent)* | Username who created/owns this channel. Absent = admin-created. |
 | `private` | `false` | When `true`, only the owner can see and select this channel. |
 | `min_level` | `WARNING` | Minimum alert level this channel receives. |
 **Admin-created channels** (set in the config file or via the admin settings UI) are public by default — all users can select them:
 ```yaml
 notification_channels:
@@ -41,7 +49,7 @@ notification_channels:
    type: pushover
    token: your-app-token
    user: your-user-key
-    min_level: WARNING        # optional, default: WARNING
+    min_level: WARNING
  email_ops:
    type: email
@@ -58,14 +66,14 @@ notification_channels:
    homeserver: https://matrix.example.org
    access_token: syt_xxx
    room_id: "!abc:matrix.example.org"
-    min_level: CRITICAL       # only send critical alerts to this room
+    min_level: CRITICAL
  sms_oncall:
    type: sms_voipms
    api_user: me@example.com
    api_password: secret
-    did: "5551234567"         # your voip.ms DID number
+    did: "5551234567"
-    dst: "5559876543"         # destination number
+    dst: "5559876543"
    min_level: CRITICAL
  signal_ops:
@@ -82,9 +90,30 @@ notification_channels:
    username: heartbeat-bot
 ```
 **User-created channels** are written by authenticated users through the API or their profile page. They carry an `owner` field and optionally `private: true`:
 ```yaml
 notification_channels:
  alice_personal:
    type: pushover
    token: personal-token
    user: personal-key
    owner: alice          # created by alice
    private: true         # only alice can see this channel
 ```
 ### Channel visibility
 | Channel | Who can see / select it |
 |---|---|
 | No `private` field (or `private: false`) | All users |
 | `private: true` | Only the `owner` |
 | Any channel | Admins always see everything |
 ### Users with notification channels
-Each user lists which global channels they receive notifications on:
+Each user lists which channels they receive notifications on. Users can manage their own selection from the profile page:
 ```yaml
 users:
@@ -270,6 +299,7 @@ Called once at startup from `main.py`. Pass the running asyncio event loop so Ma
 - Check that the host has an `owner` or `managers` set
 - Check that users have `notification_channels` listed
 - Check that the channel names in user config match keys under `notification_channels:`
 - If a user can't select a channel, check whether it is `private: true` and owned by someone else
 **min_level filtering too aggressive:**
 - Default is `WARNING` — both WARNING and CRITICAL are sent
@@ -36,7 +36,7 @@ users:
  bob:
    full_name: Bob Smith
    password: pbkdf2:sha256:...
-    notification_channels: [pushover_standard]
+    notification_channels: [pushover_standard]   # channels bob has selected
  carol:
    full_name: Carol Jones
@@ -188,6 +188,32 @@ Return the currently authenticated user's profile.
 ---
 #### PUT /api/0/users/me
 Update the current user's profile. All fields are optional — send only what you want to change.
 **Update display name and avatar:**
 ```json
 { "full_name": "Carol Jones", "avatar": "/avatars/carol.png" }
 ```
 **Change notification channel selection:**
 ```json
 { "notification_channels": ["pushover_ops", "email_ops"] }
 ```
 Only channels visible to the user (public + own private) are accepted; others are silently dropped.
 **Change password:**
 ```json
 { "password": { "current": "oldpass", "new": "newpass" } }
 ```
 Requires the correct current password. New password is hashed before storage.
 **Response:** `{"ok": true}`
 **Status codes:** `200 OK`, `400` (missing/invalid field), `401` (unauthenticated), `403` (wrong current password)
 ---
 ### Host Access
 #### GET /api/0/hosts/{hostname}/access
@@ -0,0 +1,539 @@
 # Host Overview Info Section — Implementation Plan
 > **For agentic workers:** REQUIRED SUB-SKILL: Use superpowers:subagent-driven-development (recommended) or superpowers:executing-plans to implement this plan task-by-task. Steps use checkbox (`- [ ]`) syntax for tracking.
 **Goal:** Add an always-visible info section to each host card on `/plugins`, showing owner, managers, agent version/type, last packet timestamp, and effective thresholds; move hbc_version/hbc_type out of the os_info accordion.
 **Architecture:** A new `_build_host_info` module-level helper in `http.py` assembles the info dict from the host object and threshold_checker. A new `GET /api/0/hosts/{hostname}/info` closure inside `serve()` calls it and returns JSON. The `plugins.html` template adds a static placeholder div per host; JS fetches the endpoint on first card expand, caches the result, and renders it.
 **Tech Stack:** Python/aiohttp (backend), Jinja2 (template), vanilla JS/HTML/CSS (frontend). Tests with pytest and unittest.mock.
 ---
 ### Task 1: `_build_host_info` helper — tests first
 **Files:**
 - Create: `tests/test_http_host_info.py`
 - Modify: `hbd/server/http.py` (add module-level helper after `_mask_config_for_api`, around line 128)
 - [ ] **Step 1: Write the failing tests**
 Create `tests/test_http_host_info.py`:
 ```python
 """Tests for _build_host_info helper in http.py."""
 import pytest
 from unittest.mock import MagicMock
 from hbd.server.http import _build_host_info
 class _FakeConn:
    def __init__(self, lastbeat):
        self.lastbeat = lastbeat
 class _FakeHost:
    def __init__(self, name="myhost", owner=None, managers=None,
                 connections=None, os_data=None):
        self.name = name
        self.owner = owner
        self.managers = managers or []
        self.connections = connections or {}
        self._os_data = os_data
    def get_latest_plugin_data(self, plugin_name):
        if plugin_name == "os_info" and self._os_data is not None:
            return (1234567890.0, self._os_data)
        return None
 def test_build_host_info_basic_fields():
    host = _FakeHost(owner="alice", managers=["bob", "carol"])
    result = _build_host_info(host)
    assert result["owner"] == "alice"
    assert result["managers"] == ["bob", "carol"]
    assert result["hbc_version"] is None
    assert result["hbc_type"] is None
    assert result["last_packet"] is None
    assert result["thresholds"] is None
 def test_build_host_info_no_owner():
    host = _FakeHost()
    result = _build_host_info(host)
    assert result["owner"] is None
    assert result["managers"] == []
 def test_build_host_info_reads_hbc_from_os_info():
    host = _FakeHost(os_data={"hbc_version": "5.3.0", "hbc_type": "full"})
    result = _build_host_info(host)
    assert result["hbc_version"] == "5.3.0"
    assert result["hbc_type"] == "full"
 def test_build_host_info_hbc_none_when_no_os_info():
    host = _FakeHost(os_data=None)
    result = _build_host_info(host)
    assert result["hbc_version"] is None
    assert result["hbc_type"] is None
 def test_build_host_info_last_packet_is_max_lastbeat():
    host = _FakeHost(connections={
        "IPv4": _FakeConn(1000.0),
        "IPv6": _FakeConn(2000.0),
    })
    result = _build_host_info(host)
    assert result["last_packet"] == 2000.0
 def test_build_host_info_last_packet_none_when_no_connections():
    host = _FakeHost(connections={})
    result = _build_host_info(host)
    assert result["last_packet"] is None
 def test_build_host_info_thresholds_none_without_checker():
    host = _FakeHost()
    result = _build_host_info(host, threshold_checker=None)
    assert result["thresholds"] is None
 def test_build_host_info_thresholds_sorted_by_metric():
    from hbd.server.threshold import ThresholdConfig
    tc_cpu = ThresholdConfig("cpu_monitor.cpu_percent", warning=80.0, critical=95.0)
    tc_mem = ThresholdConfig("memory_monitor.memory_percent", warning=85.0, critical=98.0)
    checker = MagicMock()
    checker.get_thresholds_for_host.return_value = {
        "memory_monitor.memory_percent": tc_mem,
        "cpu_monitor.cpu_percent": tc_cpu,
    }
    host = _FakeHost()
    result = _build_host_info(host, threshold_checker=checker)
    assert result["thresholds"] is not None
    assert len(result["thresholds"]) == 2
    assert result["thresholds"][0]["metric"] == "cpu_monitor.cpu_percent"
    assert result["thresholds"][0]["warning"] == 80.0
    assert result["thresholds"][0]["critical"] == 95.0
    assert result["thresholds"][0]["operator"] == ">"
    assert result["thresholds"][1]["metric"] == "memory_monitor.memory_percent"
 def test_build_host_info_thresholds_empty_list_when_no_thresholds():
    checker = MagicMock()
    checker.get_thresholds_for_host.return_value = {}
    host = _FakeHost()
    result = _build_host_info(host, threshold_checker=checker)
    assert result["thresholds"] == []
 def test_build_host_info_threshold_null_warning_critical():
    from hbd.server.threshold import ThresholdConfig
    tc = ThresholdConfig("rtt.myhost", warning=None, critical=500.0)
    checker = MagicMock()
    checker.get_thresholds_for_host.return_value = {"rtt.myhost": tc}
    host = _FakeHost()
    result = _build_host_info(host, threshold_checker=checker)
    assert result["thresholds"][0]["warning"] is None
    assert result["thresholds"][0]["critical"] == 500.0
 ```
 - [ ] **Step 2: Run tests to confirm they fail**
 ```bash
 pytest tests/test_http_host_info.py -v
 ```
 Expected: `ImportError` or `AttributeError` — `_build_host_info` does not exist yet.
 - [ ] **Step 3: Implement `_build_host_info` in `hbd/server/http.py`**
 Insert after `_mask_config_for_api` (around line 128, before `def serve(`):
 ```python
 def _build_host_info(host, threshold_checker=None):
    """Assemble the info payload for GET /api/0/hosts/{hostname}/info."""
    hbc_version = None
    hbc_type = None
    latest_os = host.get_latest_plugin_data("os_info")
    if latest_os:
        _, os_data = latest_os
        hbc_version = os_data.get("hbc_version")
        hbc_type = os_data.get("hbc_type")
    last_packet = None
    if host.connections:
        last_packet = max(conn.lastbeat for conn in host.connections.values())
    thresholds = None
    if threshold_checker is not None:
        raw = threshold_checker.get_thresholds_for_host(host.name)
        thresholds = sorted(
            [
                {
                    "metric": tc.metric_path,
                    "warning": tc.warning,
                    "critical": tc.critical,
                    "operator": tc.operator.value,
                }
                for tc in raw.values()
            ],
            key=lambda x: x["metric"],
        )
    return {
        "owner": getattr(host, "owner", None),
        "managers": list(getattr(host, "managers", [])),
        "hbc_version": hbc_version,
        "hbc_type": hbc_type,
        "last_packet": last_packet,
        "thresholds": thresholds,
    }
 ```
 - [ ] **Step 4: Run tests to confirm they pass**
 ```bash
 pytest tests/test_http_host_info.py -v
 ```
 Expected: all 11 tests PASS.
 - [ ] **Step 5: Commit**
 ```bash
 git add tests/test_http_host_info.py hbd/server/http.py
 git commit -m "feat: add _build_host_info helper for host info endpoint"
 ```
 ---
 ### Task 2: `api_host_info` route handler
 **Files:**
 - Modify: `hbd/server/http.py`
  - Add `api_host_info` closure inside `serve()` (after `api_host_access_put`, around line 829)
  - Register route (around line 1271)
 - [ ] **Step 1: Add `api_host_info` closure inside `serve()`**
 Insert after `api_host_access_put` (after line 829, before the comment `# User profile page`):
 ```python
    # -------------------------------------------------------------------------
    # Host info endpoint
    # -------------------------------------------------------------------------
    async def api_host_info(request):
        """GET /api/0/hosts/{hostname}/info"""
        user, err = _require_auth(request)
        if err:
            return err
        hostname = request.match_info.get("hostname")
        if hostname not in hbdclass.Host.hosts:
            return web.json_response({"error": f"Host '{hostname}' not found"}, status=404)
        host = hbdclass.Host.hosts[hostname]
        if not _can_view_host(user, host):
            return web.json_response({"error": "Forbidden"}, status=403)
        return web.json_response(_build_host_info(host, threshold_checker=threshold_checker))
 ```
 - [ ] **Step 2: Register the route**
 In the route list (around line 1271, after the existing `/api/0/hosts/{hostname}/access` routes):
 ```python
            web.get("/api/0/hosts/{hostname}/info", api_host_info),
 ```
 - [ ] **Step 3: Verify the full test suite still passes**
 ```bash
 pytest tests/ -q
 ```
 Expected: all tests PASS (no regressions).
 - [ ] **Step 4: Smoke-test the endpoint manually** (if a dev server is running)
 ```bash
 curl -s http://localhost:50004/api/0/hosts/<hostname>/info | python3 -m json.tool
 ```
 Expected: JSON with `owner`, `managers`, `hbc_version`, `hbc_type`, `last_packet`, `thresholds` keys.
 - [ ] **Step 5: Commit**
 ```bash
 git add hbd/server/http.py
 git commit -m "feat: add GET /api/0/hosts/{hostname}/info endpoint"
 ```
 ---
 ### Task 3: Info section HTML and CSS in `plugins.html`
 **Files:**
 - Modify: `hbd/server/templates/plugins.html`
 - [ ] **Step 1: Add CSS for the info section**
 In the `<style>` block (find the closing `</style>` tag around line 391 and insert before it):
 ```css
    /* ── Host info section ──────────────────────────────────────────────────── */
    .host-info-section {
      padding: 12px 16px;
      background: #fafafa;
      border-bottom: 1px solid #e0e0e0;
      font-size: 0.85em;
    }
    .info-meta {
      display: grid;
      grid-template-columns: max-content 1fr;
      gap: 3px 14px;
      margin-bottom: 10px;
    }
    .info-label { font-weight: 600; color: #555; white-space: nowrap; }
    .info-value { color: #222; }
    .info-thresholds-title {
      font-weight: 600;
      color: #555;
      margin-bottom: 6px;
    }
    .info-note { color: #888; font-style: italic; }
    .info-loading { color: #bbb; font-style: italic; }
 ```
 - [ ] **Step 2: Add info section placeholder to each host card**
 Inside the host loop, at the very start of `.host-body` (before the `{% set plugin_order %}` line, around line 438):
 ```html
          <div class="host-body">
            <div class="host-info-section" id="info-{{ host.name }}">
              <div class="info-loading">Loading…</div>
            </div>
 ```
 The existing `{% set plugin_order %}` line and everything after stays unchanged. Only add the two new lines between `<div class="host-body">` and `{% set plugin_order %}`.
 - [ ] **Step 3: Verify the page still renders without JS errors**
 Start the dev server and open `/plugins` in a browser. Expand any host card — you should see the "Loading…" italic line above the plugin accordions (it will not be replaced yet, that comes in Task 4).
 - [ ] **Step 4: Commit**
 ```bash
 git add hbd/server/templates/plugins.html
 git commit -m "feat: add host info section placeholder and CSS to plugins.html"
 ```
 ---
 ### Task 4: JS — `infoCache`, `fetchHostInfo`, `renderInfoSection`
 **Files:**
 - Modify: `hbd/server/templates/plugins.html` (JS `<script>` block)
 - [ ] **Step 1: Add `infoCache` constant**
 After the `pluginCache` declaration (after `const pluginCache = {};`, around line 489), add:
 ```javascript
      // infoCache[hostname] = info data object from /api/0/hosts/{hostname}/info
      const infoCache = {};
 ```
 - [ ] **Step 2: Add `fetchHostInfo` function**
 After the existing `fetchPlugin` function (around line 522, before `fetchHostGlance`), add:
 ```javascript
      async function fetchHostInfo(hostname) {
        const r = await fetch(`/api/0/hosts/${encodeURIComponent(hostname)}/info`);
        if (!r.ok) throw new Error(`HTTP ${r.status}`);
        return r.json();
      }
 ```
 - [ ] **Step 3: Add `renderInfoSection` function**
 After `fetchHostInfo` (before `fetchHostGlance`), add:
 ```javascript
      function renderInfoSection(hostname, data) {
        const el = document.getElementById(`info-${hostname}`);
        if (!el) return;
        const owner    = data.owner ? escHtml(data.owner) : '—';
        const managers = data.managers && data.managers.length
          ? data.managers.map(escHtml).join(', ') : '—';
        const hbcVer  = data.hbc_version ? escHtml(String(data.hbc_version)) : '—';
        const hbcType = data.hbc_type    ? escHtml(String(data.hbc_type))    : '—';
        const lastPkt = data.last_packet
          ? new Date(data.last_packet * 1000).toLocaleString() : '—';
        let html = `<div class="info-meta">
          <span class="info-label">Owner</span><span class="info-value">${owner}</span>
          <span class="info-label">Managers</span><span class="info-value">${managers}</span>
          <span class="info-label">Agent Version</span><span class="info-value">${hbcVer}</span>
          <span class="info-label">Agent Type</span><span class="info-value">${hbcType}</span>
          <span class="info-label">Last Packet</span><span class="info-value">${lastPkt}</span>
        </div>`;
        if (data.thresholds === null) {
          html += `<div class="info-note">Threshold alerting not configured.</div>`;
        } else if (data.thresholds.length === 0) {
          html += `<div class="info-note">No thresholds defined.</div>`;
        } else {
          html += `<div class="info-thresholds-title">Effective Thresholds</div>
            <table class="data-table"><thead><tr>
              <th>Metric</th><th>Op</th><th>Warning</th><th>Critical</th>
            </tr></thead><tbody>`;
          for (const t of data.thresholds) {
            const w = t.warning  !== null && t.warning  !== undefined ? t.warning  : '—';
            const c = t.critical !== null && t.critical !== undefined ? t.critical : '—';
            html += `<tr>
              <td class="key">${escHtml(t.metric)}</td>
              <td>${escHtml(t.operator)}</td>
              <td>${w}</td>
              <td>${c}</td>
            </tr>`;
          }
          html += `</tbody></table>`;
        }
        el.innerHTML = html;
      }
 ```
 - [ ] **Step 4: Commit**
 ```bash
 git add hbd/server/templates/plugins.html
 git commit -m "feat: add fetchHostInfo and renderInfoSection JS functions"
 ```
 ---
 ### Task 5: Wire `fetchHostInfo` into `toggleHost`
 **Files:**
 - Modify: `hbd/server/templates/plugins.html` (the `toggleHost` function, around line 643)
 - [ ] **Step 1: Replace `toggleHost` with the updated version**
 Find the existing `toggleHost` function:
 ```javascript
      function toggleHost(hostname) {
        const card = document.querySelector(`.host-card[data-hostname="${hostname}"]`);
        const wasCollapsed = card.classList.contains('collapsed');
        card.classList.toggle('collapsed');
        if (wasCollapsed && !pluginCache[hostname]) {
          fetchHostGlance(hostname);
        }
      }
 ```
 Replace with:
 ```javascript
      function toggleHost(hostname) {
        const card = document.querySelector(`.host-card[data-hostname="${hostname}"]`);
        const wasCollapsed = card.classList.contains('collapsed');
        card.classList.toggle('collapsed');
        if (wasCollapsed) {
          if (!pluginCache[hostname]) {
            fetchHostGlance(hostname);
          }
          if (!infoCache[hostname]) {
            const infoEl = document.getElementById(`info-${hostname}`);
            if (infoEl) infoEl.innerHTML = '<div class="info-loading">Loading…</div>';
            fetchHostInfo(hostname).then(data => {
              infoCache[hostname] = data;
              renderInfoSection(hostname, data);
            }).catch(() => {
              const el = document.getElementById(`info-${hostname}`);
              if (el) el.innerHTML = '<div class="info-loading">Could not load host info.</div>';
            });
          }
        }
      }
 ```
 - [ ] **Step 2: Test in browser**
 Open `/plugins`, expand a host card. Verify:
 - The info section appears above the plugin accordions.
 - Owner, managers (or "—"), agent version, agent type, last packet render correctly.
 - Threshold table renders (or the appropriate "not configured" / "none defined" message).
 - Collapsing and re-expanding does not re-fetch (no second network request).
 - [ ] **Step 3: Commit**
 ```bash
 git add hbd/server/templates/plugins.html
 git commit -m "feat: fetch and render host info section on card expand"
 ```
 ---
 ### Task 6: Remove `hbc_version` and `hbc_type` from `renderOsInfoTable`
 **Files:**
 - Modify: `hbd/server/templates/plugins.html` (the `renderOsInfoTable` function, around line 794)
 - [ ] **Step 1: Update `renderOsInfoTable`**
 Find the existing function:
 ```javascript
      function renderOsInfoTable(d) {
        const ORDER = ['distro_pretty_name','system','release','version','machine',
                       'processor','architecture','node','python_version',
                       'python_implementation','hbc_version',
                       'distro_name','distro_version','distro_id','distro_version_id'];
        const shown = new Set(ORDER);
        const keys = [...ORDER, ...Object.keys(d).filter(k => !shown.has(k) && !SKIP_FIELDS.has(k))];
 ```
 Replace with:
 ```javascript
      function renderOsInfoTable(d) {
        const ORDER = ['distro_pretty_name','system','release','version','machine',
                       'processor','architecture','node','python_version',
                       'python_implementation',
                       'distro_name','distro_version','distro_id','distro_version_id'];
        const INFO_FIELDS = new Set(['hbc_version', 'hbc_type']);
        const shown = new Set(ORDER);
        const keys = [...ORDER, ...Object.keys(d).filter(k => !shown.has(k) && !SKIP_FIELDS.has(k) && !INFO_FIELDS.has(k))];
 ```
 - [ ] **Step 2: Verify in browser**
 Expand a host card, then expand the "Os Info" accordion. Confirm:
 - `hbc_version` no longer appears in the os_info table.
 - `hbc_type` no longer appears in the os_info table.
 - Both values are shown correctly in the info section at the top.
 - [ ] **Step 3: Run the full test suite**
 ```bash
 pytest tests/ -q
 ```
 Expected: all tests PASS.
 - [ ] **Step 4: Commit**
 ```bash
 git add hbd/server/templates/plugins.html
 git commit -m "feat: move hbc_version and hbc_type out of os_info into host info section"
 ```
@@ -0,0 +1,210 @@
 # Config Editor — Design Spec
 **Date:** 2026-05-09
 **Status:** Approved
 ## Goal
 Allow admins to edit the full `.hb.yaml` config through the Settings page UI, and allow regular users to manage their own notification channels and profile fields through the Profile page. The YAML file remains the single authoritative source; comments are preserved on every write.
 ---
 ## Architecture Overview
 ```
 Browser (admin)                     Browser (user)
  staged edits (JS state)             form fields
        │                                  │
        │ POST /api/0/config               │ PUT /api/0/users/me
        ▼                                  ▼
  http.py handlers ────────────────────────┘
        │
        ▼
  configio.py   ←── ruamel.yaml (round-trip, comment-preserving)
        │
        ├── backup .hb.yaml.bak.YYYYMMDD-HHMMSS  (keep last 10)
        ├── write atomically (temp file → os.replace)
        └── ReloadableConfig.reload()
 ```
 ---
 ## New Dependency
 Add `ruamel.yaml>=0.18` to `[project.optional-dependencies] server` in `pyproject.toml`. `PyYAML` stays (used by the client and config loader for reads); `ruamel.yaml` is used only for write-back.
 ---
 ## New Module: `hbd/server/configio.py`
 Single responsibility: all YAML read/write for `.hb.yaml`.
 ```python
 _write_lock = threading.Lock()
 def read_roundtrip(path: str) -> CommentedMap:
    """Load .hb.yaml with ruamel.yaml, preserving comments and ordering."""
 def write_config(path: str, data: CommentedMap) -> None:
    """Backup current file, then atomically write data.
    Backup naming: {path}.bak.YYYYMMDD-HHMMSS
    Rotation: keep the 10 most recent backups, delete older ones.
    Atomic write: write to {path}.tmp, then os.replace({path}.tmp, path).
    Acquires _write_lock for the full backup+write sequence.
    """
 def list_backups(path: str) -> list[str]:
    """Return backup paths sorted newest-first."""
 def apply_structured_section(data: CommentedMap, section: str, values: dict) -> None:
    """Merge a dict of scalar/list values into data[section], key by key.
    Preserves comments on unmodified keys.
    """
 def apply_yaml_section(data: CommentedMap, section: str, yaml_text: str) -> None:
    """Replace data[section] entirely by parsing yaml_text.
    Used for YAML-editor sections (notification_channels, thresholds, hosts, dns).
    """
 ```
 ---
 ## API Endpoints
 All endpoints require authentication. Admin-only endpoints return 403 for non-admins.
 | Method | Path | Auth | Purpose |
 |--------|------|------|---------|
 | GET | `/api/0/config` | admin | Full config as JSON (secrets masked) |
 | POST | `/api/0/config` | admin | Publish staged changes to `.hb.yaml` |
 | GET | `/api/0/config/section/{name}` | admin | Raw YAML text for one section (for YAML editors) |
 | GET | `/api/0/config/backups` | admin | List of backup timestamps, newest first |
 | POST | `/api/0/config/rollback` | admin | `{"backup": "…"}` → restore backup and reload |
 | PUT | `/api/0/users/me` | any user | Update own `full_name`, `avatar`, `notification_channels`, `password` |
 ### `POST /api/0/config` payload
 ```json
 {
  "server":                 { "hbd_port": 50004, "interval": 20, ... },
  "users":                  { "alice": { "full_name": "Alice", "admin": true, ... }, ... },
  "oauth":                  { "gitea": { "type": "gitea", "url": "...", ... }, ... },
  "notification_channels":  "<raw yaml text>",
  "thresholds":             "<raw yaml text>",
  "hosts":                  "<raw yaml text>",
  "dns":                    "<raw yaml text>"
 }
 ```
 Only sections present in the payload are updated; omitted sections are left unchanged in the file.
 **Section-to-key mapping:** Most config fields are top-level keys in `.hb.yaml` (not nested under a section key). The API uses logical section names that map to specific top-level keys:
 | Logical section | Top-level YAML keys covered |
 |---|---|
 | `server` | `hbd_port`, `hbd_host`, `ws_port`, `wss_port`, `hb_port`, `interval`, `grace`, `base_url`, `threshold_renotify_interval`, `logfile`, `pidfile`, `pickfile`, `journal_enabled`, `journal_dir`, `journal_max_size`, `journal_max_backups`, `default_owner` |
 | `users` | `users` (top-level dict) |
 | `oauth` | `oauth` (top-level dict) |
 | `notification_channels` | `notification_channels` (top-level dict, YAML text) |
 | `thresholds` | `threshold_configs` (top-level dict if present, YAML text) |
 | `hosts` | `hosts` (top-level dict, YAML text) |
 | `dns` | `nsupdate_bin`, `dyndomains`, `dyndnshosts`, `drophosts` (YAML text of just these keys) |
 `apply_structured_section` for `server` iterates the known key list and updates each present key individually, preserving comments on unchanged keys. `apply_yaml_section` for dict-valued sections (notification_channels, hosts, oauth) replaces the entire subtree. For `dns`, it replaces each of the four top-level keys listed.
 ### `PUT /api/0/users/me` payload
 ```json
 {
  "full_name": "Alice Smith",
  "avatar": "/avatars/alice.png",
  "notification_channels": ["pushover_ops", "matrix_alerts"],
  "password": { "current": "oldpass", "new": "newpass" }
 }
 ```
 All fields are optional. `password` change requires `current` to match; server re-hashes with PBKDF2-HMAC-SHA256 before writing. Both `full_name`/`avatar`/`notification_channels` and password can be sent in one request or separately.
 ---
 ## Settings Page Changes (`/settings`)
 ### Section split
 | Section | Edit mode | Notes |
 |---------|-----------|-------|
 | Server settings | Form | Scalar fields: ports, intervals, base_url, grace, renotify interval, log/pid/pickle paths, journal settings |
 | Users | Form | CRUD list: add/edit/delete users; fields: username, full_name, avatar, admin toggle, notification_channels multiselect. Password field: leave blank to keep existing hash; enter a new plain-text password to replace it (server hashes before writing). New users require a password. |
 | OAuth providers | Form | CRUD list: add/edit/delete providers; fields: name (slug), type, url, client_id, client_secret, label, logo |
 | Notification channels | YAML editor | Too many provider-specific credential shapes for typed forms |
 | Thresholds | YAML editor | Complex nested rules |
 | Hosts | YAML editor | Complex per-host config |
 | DNS / DynDNS | YAML editor | nsupdate settings, dyndomains, drophosts |
 ### Publish flow
 1. Each section has a **"Stage changes"** button. Clicking it stores that section's current form/editor values in browser JS state. A banner appears: *"N pending changes — not yet saved to .hb.yaml"*.
 2. **"Publish to .hb.yaml"** sends `POST /api/0/config` with all staged sections.
 3. On success: banner clears, page reloads to show current saved state.
 4. **"Discard all"** clears JS state and reloads from server without writing.
 ### Rollback UI
 A "View backups / rollback" link at the bottom of the settings sidebar opens a modal listing available backups (timestamp + approximate age). Clicking a backup shows a confirmation prompt before calling `POST /api/0/config/rollback`.
 ### `settings.py` changes
 - Set `"editable": True` on all fields that now have form inputs.
 - The existing field descriptor structure (`key`, `type`, `label`, `value`, `sensitive`) is already designed for this — no structural changes needed.
 - Add `"section_mode": "form" | "yaml"` per section, used by the template to render the appropriate editor.
 ---
 ## Profile Page Changes (`/profile`)
 New editable fields alongside the existing read-only display:
 **Identity card** (saves via `PUT /api/0/users/me`):
 - Display name — text input, current `full_name`
 - Avatar — text input, current `avatar` URL or path
 - Save button → immediate write, no publish step
 **Change password** (saves via `PUT /api/0/users/me`):
 - Current password, new password inputs
 - Save button → validates current password server-side, re-hashes new password, writes
 **Notification channels** (saves via `PUT /api/0/users/me`):
 - Checkbox list of all globally-defined channels (from `config["notification_channels"]`)
 - Shows channel type and `min_level` as secondary text
 - Pre-checked based on user's current `notification_channels` list
 - Save button → writes user's channel list immediately
 Host access list remains read-only (existing behaviour).
 ---
 ## Write Safety
 - `configio._write_lock` serializes all writes (admin publish and user self-service can race if multiple requests arrive simultaneously).
 - All writes are atomic: temp file written in same directory as `.hb.yaml`, then `os.replace()`. A crash mid-write leaves the backup intact and the original file unchanged.
 - If `.hb.yaml` cannot be written (permissions, disk full), the API returns `500` with an error message; no partial write occurs.
 ---
 ## Secrets Handling
 - `GET /api/0/config` masks sensitive fields (passwords, tokens, API keys) with `"•••"` — same logic as the existing read-only settings page.
 - `GET /api/0/config/section/{name}` for YAML-editor sections returns the raw YAML text including real credential values, since the admin needs to edit them. This endpoint requires admin auth and must only be served over HTTPS in production.
 - Secrets in backups are unmasked (they are copies of the real file). Backup directory should have the same file permissions as `.hb.yaml` itself.
 ---
 ## Out of Scope
 - Conflict detection if `.hb.yaml` is modified externally between page load and publish (the last write wins; the previous state is always recoverable from a backup)
 - Multi-admin concurrent edit awareness
 - Config validation UI beyond what the server returns as errors
 - Diff view before publish
 - Audit log of who published what (beyond the event log entry already added for login/logout)
 - Per-host threshold editing via UI (thresholds section uses YAML editor)
@@ -0,0 +1,149 @@
 # Multi-Provider OAuth2 — Design Spec
 **Date:** 2026-05-09
 **Status:** Approved
 ## Goal
 Allow multiple OAuth2 providers to be configured simultaneously. All enabled providers appear as login buttons on the login panel. Supported provider types: Gitea, GitHub, Nextcloud. Existing single-Gitea configs continue to work without changes.
 ---
 ## Config Format
 Each entry in the `oauth` dict is a named provider instance. The dict key becomes the route slug.
 ```yaml
 oauth:
  work-gitea:          # /login/oauth/work-gitea
    type: gitea        # optional — defaults to "gitea" when absent (backward compat)
    url: https://git.example.com
    client_id: xxx
    client_secret: yyy
    label: "Work Gitea"   # optional display name; falls back to provider default
    logo: https://…       # optional logo URL for button
  github:
    type: github       # no url needed — fixed SaaS endpoints
    client_id: xxx
    client_secret: yyy
  nextcloud:
    type: nextcloud
    url: https://cloud.example.com
    client_id: xxx
    client_secret: yyy
 ```
 **Backward compatibility:** The existing `oauth.gitea.{url,client_id,client_secret}` config (no `type` field) is treated as `type: gitea`. No migration required.
 **Validation:** Entries missing `client_id`, `client_secret`, or `url` (when the provider type requires it) are skipped with a warning log. This prevents a misconfigured entry from disabling all OAuth.
 ---
 ## Provider Registry (`oauth.py`)
 A `PROVIDER_DEFS` dict holds static knowledge about each supported provider type:
 | | gitea | github | nextcloud |
 |---|---|---|---|
 | authorize URL | `{url}/login/oauth/authorize` | `https://github.com/login/oauth/authorize` | `{url}/apps/oauth2/authorize` |
 | token URL | `{url}/login/oauth/access_token` | `https://github.com/login/oauth/access_token` | `{url}/apps/oauth2/api/v1/token` |
 | profile URL | `{url}/api/v1/user` | `https://api.github.com/user` | `{url}/ocs/v2.php/cloud/user?format=json` |
 | scope | `user:email` | `read:user` | *(empty)* |
 | username field | `login` | `login` | nested: `ocs.data.id` |
 | display name field | `full_name` | `name` | nested: `ocs.data.display-name` |
 | avatar field | `avatar_url` | `avatar_url` | *(absent — left empty)* |
 | requires `url` | yes | no | yes |
 | default label | `Gitea` | `GitHub` | `Nextcloud` |
 Nextcloud's profile response is nested (`ocs → data`). The registry entry includes a `profile_data_path: ["ocs", "data"]` that is navigated before field extraction.
 ---
 ## New / Changed API in `oauth.py`
 ### `ResolvedProvider` (new dataclass)
 All endpoint URLs are pre-computed strings (no more template substitution at call time):
 ```python
@dataclass
 class ResolvedProvider:
    name: str            # route slug (dict key)
    type: str            # "gitea" | "github" | "nextcloud"
    label: str           # display name for login button
    logo: str            # URL or ""
    authorize_url: str
    token_url: str
    profile_url: str
    scope: str
    client_id: str
    client_secret: str
    field_map: dict      # {"username": "<provider_field>", "full_name": ..., "avatar": ...}
    profile_data_path: list[str]  # e.g. ["ocs", "data"] or []
 ```
 ### `get_providers(config) → list[ResolvedProvider]` (new)
 Iterates `config.get("oauth", {})`, resolves each valid entry against `PROVIDER_DEFS`, skips invalid entries. Returns providers in config declaration order (determines button order on login page).
 ### `build_auth_url(provider, state, redirect_uri)` (updated signature)
 Takes a `ResolvedProvider`. Uses `provider.authorize_url`, `provider.scope`, `provider.client_id`.
 ### `exchange_code(provider, code, redirect_uri)` (updated signature)
 Takes a `ResolvedProvider`. Sets `Accept: application/json` on all token requests (required for GitHub, harmless for others).
 ### `fetch_user(provider, access_token)` (updated signature)
 Takes a `ResolvedProvider`. After fetching the profile JSON, navigates `provider.profile_data_path` before applying `provider.field_map`. Missing fields (e.g., Nextcloud avatar) are mapped to `""`.
 ### `is_enabled(config)` (updated)
 Returns `True` if `get_providers(config)` returns at least one provider.
 ---
 ## Routes (`http.py`)
 Replace the two hardcoded Gitea routes with generic ones:
 ```
 GET /login/oauth/{name}            initiate OAuth flow
 GET /login/oauth/{name}/callback   receive code, provision user, set session
 ```
 Both handlers resolve `{name}` via `get_providers(config)`. If the name is not found, return 404. Existing `/login/oauth/gitea` URLs continue to work as long as the config has a `gitea` key.
 ---
 ## Login Page (`http.py`)
 The "or" divider appears once if any providers are configured. Below it, one button per provider stacks vertically. Button appearance mirrors the current Gitea button (same CSS class, optional logo img). Button `href` is `/login/oauth/{provider.name}`.
 ---
 ## Tests (`tests/test_oauth.py`)
 **Updated:** Existing tests for `build_auth_url`, `exchange_code`, `fetch_user`, `is_enabled` ported to new `ResolvedProvider`-based signatures.
 **New:**
 - `get_providers()` with old single-Gitea config (no `type`) → one provider, backward compat confirmed
 - `get_providers()` with Gitea + GitHub + Nextcloud → correct count, types, and labels
 - `get_providers()` skips entry missing `client_id` or `client_secret`
 - `get_providers()` skips Gitea/Nextcloud entry missing `url`
 - `get_providers()` skips entry with unknown `type` (logs warning)
 - `build_auth_url` for each provider type → correct authorize URL
 - `exchange_code` for GitHub → `Accept: application/json` header present
 - `fetch_user` for Nextcloud → `ocs.data` navigation, missing avatar handled as `""`
 - Login page HTML → one button per provider; no buttons when `oauth` is empty
 ---
 ## Out of Scope
 - Generic/custom provider with user-specified endpoints
 - OIDC / token introspection
 - Restricting login to specific GitHub orgs or Nextcloud groups
 - Automatic admin promotion from OAuth
 - Token refresh
@@ -0,0 +1,135 @@
 # Host Overview Info Section
 **Date:** 2026-05-10  
 **Status:** Approved
 ## Summary
 Add an always-visible info section to each host card on the Host Overview (`/plugins`) page. The section shows owner, managers, agent version/type, last packet timestamp, and the host's effective alert thresholds. The fields `hbc_version` and `hbc_type` are moved out of the `os_info` plugin accordion into this section.
 ---
 ## Backend: New API Endpoint
 **Route:** `GET /api/0/hosts/{hostname}/info`
 **Auth:** Same as other per-host endpoints (`_can_view_host`).
 **Response schema:**
 ```json
 {
  "owner":       "alice",
  "managers":    ["bob", "carol"],
  "hbc_version": "5.3.0",
  "hbc_type":    "full",
  "last_packet": 1746894000.0,
  "thresholds": [
    {
      "metric":    "cpu_monitor.cpu_percent",
      "warning":   80.0,
      "critical":  95.0,
      "operator":  ">"
    }
  ]
 }
 ```
 **Field details:**
 - `owner` — `host.owner`, or `null` if unset.
 - `managers` — `host.managers` list (may be empty).
 - `hbc_version` — from `host.get_latest_plugin_data("os_info")`, key `hbc_version`; `null` if no os_info data.
 - `hbc_type` — same source, key `hbc_type`; `null` if unavailable.
 - `last_packet` — `max(conn.lastbeat for conn in host.connections.values())`, or `null` if no connections.
 - `thresholds` — list derived from `threshold_checker.get_thresholds_for_host(hostname)`, sorted by `metric` ascending. Each entry includes `metric`, `warning` (null if unset), `critical` (null if unset), `operator`. Returns `null` (not `[]`) if no `threshold_checker` is configured, so the frontend can distinguish "not configured" from "configured but empty".
 **Location:** `hbd/server/http.py`, added alongside the other `api_host_*` functions. Registered as `web.get("/api/0/hosts/{hostname}/info", api_host_info)`.
 ---
 ## Frontend: Info Section
 ### HTML structure
 Inserted as the first child of `.host-body`, before the plugin accordions. It is not a collapsible accordion — it is always visible when the host card is expanded.
 ```html
 <div class="host-info-section" id="info-{hostname}">
  <div class="loading">Loading…</div>
 </div>
 ```
 ### Fetch lifecycle
 - Fetched once per host on the first expansion of the host card (same trigger as the glance/plugin data).
 - Result cached in a new per-host `infoCache` object (parallel to `pluginCache`).
 - On subsequent expansions the cached data is rendered immediately without a new request.
 ### Rendered layout
 Two logical areas rendered client-side from the JSON:
 **Meta row** — a CSS-grid or simple `<dl>` showing:
 | Label         | Value                        |
 |---------------|------------------------------|
 | Owner         | alice (or "—" if null)       |
 | Managers      | bob, carol (or "—" if empty) |
 | Agent Version | 5.3.0 (or "—")               |
 | Agent Type    | full (or "—")                |
 | Last Packet   | localized datetime string (or "—") |
 **Threshold table** — rendered with the existing `data-table` CSS class:
 | Metric | Operator | Warning | Critical |
 |--------|----------|---------|----------|
 | cpu_monitor.cpu_percent | > | 80 | 95 |
 | … | … | … | … |
 - If `thresholds` is `null`: show "Threshold alerting not configured."
 - If `thresholds` is `[]`: show "No thresholds defined."
 - Numeric threshold values rendered as-is (no units); `null` warning/critical shown as "—".
 ### CSS
 New `.host-info-section` styles added in the `<style>` block of `plugins.html`. The section gets a subtle background (e.g. `#fafafa`) and a bottom border to separate it visually from the plugin accordions below. The meta row uses a two-column grid layout for compactness.
 ---
 ## Changes to `renderOsInfoTable()`
 - Remove `hbc_version` from the `ORDER` array.
 - Add `hbc_type` to the `SKIP_FIELDS` set (or the local `shown` set) so it is excluded from the os_info table.
 Both fields will now appear only in the info section.
 ---
 ## Data Flow Summary
 ```
 User expands host card
  → toggleHost()
    → fetchGlanceData(hostname)   [existing, unchanged]
    → fetchInfoData(hostname)     [new]
        GET /api/0/hosts/{hostname}/info
        → renderInfoSection(hostname, data)
          → writes into #info-{hostname}
 ```
 ---
 ## Error Handling
 - If the info fetch fails (non-200), show a one-line error message in the info section ("Could not load host info.").
 - If `hbc_version`/`hbc_type` are null (host has never sent os_info), display "—".
 - If `last_packet` is null (no connections recorded), display "—".
 ---
 ## Out of Scope
 - Editing owner/managers from this section (covered by existing profile/access UI).
 - Editing thresholds from this section.
 - Monitors list (not shown — monitors are operational, not informational in this context).
@@ -14,4 +14,4 @@ Install options:
 """
 __all__ = ["__version__"]
-__version__ = "5.2.6"
+__version__ = "5.3.4"
@@ -518,31 +518,43 @@ async def async_main(args, config):
    logger.info(f"hbc {__version__} on {iam} -> {hb_hosts} port={hb_port}, interval={interval}s")
    af_filter = (socket.AF_INET if getattr(args, "ipv4_only", False)
                 else socket.AF_INET6 if getattr(args, "ipv6_only", False)
                 else 0)
    # Create connections
    connections = []
    conn_id = 1
-    
+    _retry_delay = 5
    for host in hb_hosts:
        try:
            addrs = socket.getaddrinfo(host, hb_port, 0, 0, socket.SOL_UDP)
        except socket.gaierror as e:
            logger.error(f"Cannot resolve {host}: {e}")
            continue
        for addr_info in addrs:
            af = addr_info[0]
            addr = addr_info[4][0]
-            conn = AsyncConnection(conn_id, addr, hb_port, af, iam)
+    while running and not connections:
-            if not await conn.open():
+        for host in hb_hosts:
-                logger.warning(f"Initial open to {addr} failed, heartbeat sender will retry")
+            try:
-            connections.append(conn)
+                addrs = socket.getaddrinfo(host, hb_port, af_filter, 0, socket.SOL_UDP)
-            conn_id += 1
+            except socket.gaierror as e:
                logger.warning(f"Cannot resolve {host}: {e} — retrying in {_retry_delay}s")
                continue
            for addr_info in addrs:
                af = addr_info[0]
                addr = addr_info[4][0]
                conn = AsyncConnection(conn_id, addr, hb_port, af, iam)
                if not await conn.open():
                    logger.warning(f"Initial open to {addr} failed, heartbeat sender will retry")
                connections.append(conn)
                conn_id += 1
        if not connections:
            try:
                if shutdown_event:
                    await asyncio.wait_for(shutdown_event.wait(), timeout=_retry_delay)
                else:
                    await asyncio.sleep(_retry_delay)
            except asyncio.TimeoutError:
                pass
            _retry_delay = min(_retry_delay * 2, 60)
    if not connections:
        logger.error("No connections established (DNS resolution failed for all hosts)")
        return 1
-    
+
    logger.info(f"Created {len(connections)} connections")
    # Send boot/message if requested
@@ -726,6 +738,9 @@ def build_parser():
        default=0,
        help="Increase debug level"
    )
    af_group = parser.add_mutually_exclusive_group()
    af_group.add_argument("-4", dest="ipv4_only", action="store_true", help="Use IPv4 only")
    af_group.add_argument("-6", dest="ipv6_only", action="store_true", help="Use IPv6 only")
    parser.add_argument(
        "hosts",
        nargs="+",
@@ -27,7 +27,7 @@ SERVER_DEFAULTS = {
    # Monitoring settings
    "interval": 20,             # Expected heartbeat interval (for server checks)
-    "grace": 2,                 # Grace multiplier (interval * grace = timeout)
+    "grace": 2,                 # Grace period (extra seconds before notifying after a missed heartbeat)
    "threshold_renotify_interval": 3600,  # Seconds between threshold re-notifications
    # User management
@@ -39,10 +39,8 @@ SERVER_DEFAULTS = {
    # Host management
    "hosts": {},                # Unified host definitions
    "dyndnshosts": [],          # Hosts with dynamic DNS (legacy)
    "drophosts": [],            # Hosts to ignore
    "dyndomains": ["wrede.org"],
-    
+
    # DNS updates
    "nsupdate_bin": "/usr/bin/nsupdate",
@@ -79,9 +77,13 @@ THRESHOLD_DEFAULTS = {
                }
            },
            'memory_monitor': {
-                'percent': {
+                'memory_percent': {
                    'warning': 85.0,
                    'critical': 95.0
                },
                'swap_percent': {
                    'warning': 40.0,
                    'critical': 75.0
                }
            },
            'disk_monitor': {
@@ -109,11 +111,15 @@ THRESHOLD_DEFAULTS = {
                'pools': {
                    '*': {
                        'status': {
-                            'warning': 1,  
+                            'warning': 1,
-                            'critical': 2,  
+                            'critical': 2,
                            'operator': '>',
                            'hysteresis': 0.0,
                            'display': 'ZFS pool {pool_name} is {health}'
                        },
                        'capacity': {
                            'warning': 80.0,
                            'critical': 90.0,
                        }
                    }
                }
@@ -241,7 +247,7 @@ def get_watchhosts(config):
    """Extract watched hostnames from config (hosts with watch: true).
    Returns:
-        List of hostnames to watch
+#        List of hostnames to watch
    """
    watchhosts = []
    hosts_config = config.get("hosts", {})
@@ -253,31 +259,14 @@ def get_watchhosts(config):
 def get_dyndnshosts(config):
-    """Extract dyndnshosts from config, supporting both new and legacy formats.
+    """Return hostnames that have a dyndns setting in the hosts section."""
-    
+    hosts_config = config.get("hosts", {})
-    Args:
+    if not isinstance(hosts_config, dict):
-        config: Configuration dictionary
+        return []
-        
+    return [
-    Returns:
+        name for name, attrs in hosts_config.items()
-        List of hostnames with dynamic DNS
+        if isinstance(attrs, dict) and attrs.get("dyndns")
-    """
+    ]
    dyndnshosts = []
    # New format: hosts section with dyndns attribute
    if "hosts" in config:
        hosts_config = config["hosts"]
        if isinstance(hosts_config, dict):
            for host_name, host_attrs in hosts_config.items():
                if isinstance(host_attrs, dict) and host_attrs.get("dyndns", False):
                    dyndnshosts.append(host_name)
    # Legacy format: dyndnshosts list/set
    if "dyndnshosts" in config:
        legacy_dyndnshosts = config.get("dyndnshosts", [])
        if isinstance(legacy_dyndnshosts, (list, set)):
            dyndnshosts.extend(legacy_dyndnshosts)
    return list(set(dyndnshosts))  # Remove duplicates
 def get_host_config(config, hostname):
@@ -0,0 +1,130 @@
 """YAML round-trip read/write for .hb.yaml, with backup and atomic writes."""
 import glob
 import os
 import threading
 from datetime import datetime
 from ruamel.yaml import YAML
 _write_lock = threading.Lock()
 def _make_yaml() -> YAML:
    y = YAML()
    y.preserve_quotes = True
    return y
 # Top-level keys managed by the 'server' logical section
 _SERVER_KEYS = [
    "hbd_port", "hbd_host", "ws_port", "wss_port", "hb_port",
    "interval", "grace", "base_url", "threshold_renotify_interval",
    "logfile", "pidfile", "pickfile", "journal_enabled", "journal_dir",
    "journal_max_size", "journal_max_backups", "default_owner",
    "default_threshold_config",
 ]
 # Top-level keys managed by the 'dns' logical section
 _DNS_KEYS = ["nsupdate_bin", "rndc_key", "dyndomains"]
 def read_roundtrip(path: str):
    """Load .hb.yaml with ruamel.yaml, preserving comments and ordering."""
    with open(path, "r", encoding="utf-8") as f:
        return _make_yaml().load(f)
 def write_config(path: str, data) -> None:
    """Backup current file then atomically write data.
    Backup naming: {path}.bak.YYYYMMDD-HHMMSS
    Rotation: keep the 10 most recent backups, delete older ones.
    Atomic write: write to {path}.tmp then os.replace({path}.tmp, path).
    Acquires _write_lock for the full backup+write sequence.
    """
    with _write_lock:
        ts = datetime.now().strftime("%Y%m%d-%H%M%S")
        backup_path = f"{path}.bak.{ts}"
        n = 0
        while os.path.exists(backup_path):
            n += 1
            backup_path = f"{path}.bak.{ts}-{n}"
        orig_mode = None
        if os.path.exists(path):
            orig_mode = os.stat(path).st_mode
            with open(path, "rb") as src, open(backup_path, "wb") as dst:
                dst.write(src.read())
            os.chmod(backup_path, orig_mode)
        backups = sorted(glob.glob(f"{path}.bak.*"), reverse=True)
        for old in backups[10:]:
            os.unlink(old)
        tmp = f"{path}.tmp"
        try:
            with open(tmp, "w", encoding="utf-8") as f:
                _make_yaml().dump(data, f)
            if orig_mode is not None:
                os.chmod(tmp, orig_mode)
            os.replace(tmp, path)
        except Exception:
            try:
                os.unlink(tmp)
            except OSError:
                pass
            raise
 def list_backups(path: str) -> list:
    """Return backup paths sorted newest-first."""
    return sorted(glob.glob(f"{path}.bak.*"), reverse=True)
 def apply_structured_section(data, section: str, values: dict) -> None:
    """Merge a dict of scalar/list values into data for the named logical section.
    For 'server': updates each known key individually, preserving comments on
    unchanged keys. For 'users': replaces the entire users dict.
    """
    if section == "server":
        for key in _SERVER_KEYS:
            if key in values:
                data[key] = values[key]
    elif section == "users":
        data["users"] = values
    elif section == "hosts":
        data["hosts"] = values
    else:
        raise ValueError(f"Unknown structured section: {section!r}")
 def apply_channel(data, name: str, channel_cfg: dict) -> None:
    """Insert or replace a single notification channel entry, preserving others."""
    if not data.get("notification_channels"):
        data["notification_channels"] = {}
    data["notification_channels"][name] = channel_cfg
 def delete_channel(data, name: str) -> None:
    """Remove a notification channel by name. No-op if not found."""
    nc = data.get("notification_channels") or {}
    nc.pop(name, None)
 def apply_yaml_section(data, section: str, yaml_text: str) -> None:
    """Replace the named logical section by parsing yaml_text."""
    parsed = _make_yaml().load(yaml_text)
    if section == "notification_channels":
        data["notification_channels"] = parsed
    elif section == "thresholds":
        data["threshold_configs"] = parsed
    elif section == "hosts":
        data["hosts"] = parsed
    elif section == "dns":
        if parsed:
            for key in _DNS_KEYS:
                if key in parsed:
                    data[key] = parsed[key]
        else:
            for key in _DNS_KEYS:
                data.pop(key, None)
    else:
        raise ValueError(f"Unknown YAML section: {section!r}")
@@ -4,6 +4,9 @@ from __future__ import annotations
 from subprocess import Popen, PIPE, STDOUT
 from typing import Optional
 import asyncio
 import logging
 logger = logging.getLogger(__name__)
 def create_nsupdate_payload(
@@ -123,7 +126,6 @@ async def dns_update_worker(
                pass
            continue
        m = f"changed address to {addr}"
        for dyndomain in cfg.get("dyndomains", []):
            err = await loop.run_in_executor(
                None,
@@ -135,28 +137,29 @@ async def dns_update_worker(
                cfg.get("rndc_key", "/etc/dhcpc/rndc-key"),
            )
            if err:
-                m += f", DNS update failed: {err}"
+                m = f"DNS update failed for {addr} ({dyndomain}): {err}"
                logger.error("DNS update failed for %s: %s", name, err)
                if log:
                    try:
                        await loop.run_in_executor(None, log, name, "ERROR", m)
                    except Exception:
                        pass
            else:
-                m += ", DNS updated."
+                m = f"DNS updated {name}.dy.{dyndomain} → {addr}"
                if log:
                    try:
                        await loop.run_in_executor(None, log, name, "INFO", m)
                    except Exception:
                        pass
        if not cfg.get("dyndomains"):
            logger.warning("DNS update triggered for %s but no dyndomains configured", name)
        try:
            dnsq.task_done()
        except Exception:
            pass
        if log:
            try:
                await loop.run_in_executor(None, log, name, m)
            except Exception:
                pass
    if log:
        try:
            await loop.run_in_executor(None, log, None, "dns_update_worker exiting")
        except Exception:
            pass
 def start_dns_worker(
    hbdclass,
@@ -2,6 +2,7 @@
 import asyncio
 import datetime
 import html as _html
 import json
 import platform
 import socket
@@ -18,11 +19,80 @@ from . import settings as settings_mod
 from . import users as users_mod
 from . import oauth as oauth_mod
 from . import ws as ws_mod
 from . import configio as configio_mod
 logger = logging.getLogger(__name__)
 eventlog = notify_mod.eventlog
 def _build_threshold_configs_from_form(form_data: dict) -> dict:
    """Convert form-submitted flat threshold data to nested threshold_configs YAML structure.
    Input:  {config_name: {metric_path: {warning, critical, operator, hysteresis, enabled, count, display}}}
    Output: {config_name: {thresholds: {plugin: {metric: {warning, critical, ...}}}}}
    """
    result = {}
    for config_name, metrics in form_data.items():
        if not isinstance(metrics, dict):
            continue
        thresholds = {}
        for metric_path, values in metrics.items():
            _insert_threshold_metric(thresholds, metric_path, values)
        result[config_name] = {"thresholds": thresholds}
    return result
 def _insert_threshold_metric(thresholds: dict, metric_path: str, values: dict) -> None:
    """Insert a single metric into the nested threshold YAML structure."""
    if not isinstance(values, dict):
        return
    cfg = {}
    op = values.get("operator", ">")
    if op and op != ">":
        cfg["operator"] = op
    for key, cast in (("warning", float), ("critical", float), ("hysteresis", float)):
        v = values.get(key)
        if v is not None:
            try:
                cfg[key] = cast(v)
            except (TypeError, ValueError):
                pass
    count = values.get("count")
    if count is not None:
        try:
            cfg["count"] = int(count)
        except (TypeError, ValueError):
            pass
    display = values.get("display", "")
    if display:
        cfg["display"] = display
    if not values.get("enabled", True):
        cfg["enabled"] = False
    parts = metric_path.split(".", 2)
    if len(parts) == 1:
        # e.g. "rtt"
        thresholds[metric_path] = cfg
    elif len(parts) == 2:
        plugin, metric = parts
        thresholds.setdefault(plugin, {})[metric] = cfg
    else:
        plugin, intermediate, leaf = parts
        thresholds.setdefault(plugin, {})
        if plugin == "disk_monitor":
            thresholds[plugin].setdefault("partitions", {}).setdefault(intermediate, {})[leaf] = cfg
        elif plugin == "zfs_monitor":
            thresholds[plugin].setdefault("pools", {}).setdefault(intermediate, {})[leaf] = cfg
        else:
            thresholds[plugin].setdefault(intermediate, {})[leaf] = cfg
 def _render_template(html_str: str, **context) -> str:
    tmpl = jinja2.Template(html_str)
    return tmpl.render(**context)
@@ -100,6 +170,90 @@ def _can_own_host(user, host) -> bool:
    return host.is_owner(user.username)
 def _mask_config_for_api(config) -> dict:
    """Return a JSON-serializable config dict with secrets masked."""
    result = {}
    result["server"] = {k: config.get(k) for k in configio_mod._SERVER_KEYS}
    users = {}
    for username, attrs in (config.get("users") or {}).items():
        u = dict(attrs)
        if "password" in u:
            u["password"] = "•••"
        users[username] = u
    result["users"] = users
    oauth = {}
    for name, attrs in (config.get("oauth") or {}).items():
        o = dict(attrs)
        if "client_secret" in o:
            o["client_secret"] = "•••"
        oauth[name] = o
    result["oauth"] = oauth
    return result
 def _build_host_info(host, threshold_checker=None) -> dict:
    """Assemble the info payload for GET /api/0/hosts/{hostname}/info."""
    hbc_version = None
    hbc_type = None
    latest_os = host.get_latest_plugin_data("os_info")
    if latest_os:
        _, os_data = latest_os
        hbc_version = os_data.get("hbc_version")
        hbc_type = os_data.get("hbc_type")
    last_packet = None
    if host.connections:
        last_packet = max(conn.lastbeat for conn in host.connections.values())
    thresholds = None
    if threshold_checker is not None:
        raw = threshold_checker.get_thresholds_for_host(host.name)
        # Build reverse coverage: which metric paths suffix-match to each threshold.
        # Mirrors the logic in ThresholdChecker._find_threshold.
        coverage: dict = {}
        for plugin_name, samples in host.plugin_data.items():
            if not samples:
                continue
            _, pdata = samples[-1]
            for field_name in pdata:
                full_path = f"{plugin_name}.{field_name}"
                if full_path in raw:
                    continue  # exact match — the threshold IS this metric
                parts = field_name.split("_")
                for i in range(1, len(parts)):
                    candidate = f"{plugin_name}." + "_".join(parts[i:])
                    if candidate in raw:
                        coverage.setdefault(candidate, []).append(full_path)
                        break
        thresholds = sorted(
            [
                {
                    "metric": tc.metric_path,
                    "warning": tc.warning,
                    "critical": tc.critical,
                    "operator": tc.operator.value,
                    "covers": sorted(coverage.get(tc.metric_path, [])),
                }
                for tc in raw.values()
            ],
            key=lambda x: x["metric"],
        )
    return {
        "owner": getattr(host, "owner", None),
        "managers": list(getattr(host, "managers", [])),
        "hbc_version": hbc_version,
        "hbc_type": hbc_type,
        "last_packet": last_packet,
        "thresholds": thresholds,
    }
 async def start(
    host: str,
    port: int,
@@ -110,6 +264,7 @@ async def start(
    get_now=None,
    VER="",
    threshold_checker=None,
    reload_callback=None,
 ):
    """Start an aiohttp web server and block until cancelled.
@@ -588,6 +743,7 @@ async def start(
        if user is None:
            return web.json_response({"error": "Invalid credentials"}, status=401)
        token = users_mod.create_session(username)
        eventlog("hbd", "INFO", f"Login: {username} via api")
        resp = web.json_response({"token": token, "username": username})
        resp.set_cookie(
            SESSION_COOKIE,
@@ -611,6 +767,7 @@ async def start(
            user = users_mod.authenticate(username, password)
            if user:
                token = users_mod.create_session(username)
                eventlog("hbd", "INFO", f"Login: {username} via password")
                redirect_to = request.rel_url.query.get("next", "/")
                resp = web.HTTPFound(redirect_to)
                resp.set_cookie(
@@ -625,15 +782,18 @@ async def start(
        elif request.rel_url.query.get("error"):
            error = "Sign-in failed. Please try again."
-        gitea_button = ""
+        oauth_buttons = ""
-        if oauth_mod.is_enabled(config):
+        _providers = oauth_mod.get_providers(config)
-            logo_url = config.get("oauth", {}).get("gitea", {}).get("logo", "")
+        if _providers:
-            logo_img = f'<img src="{logo_url}" alt="" class="gitea-logo">' if logo_url else ""
+            buttons_html = ""
-            gitea_button = f"""
+            for _p in _providers:
-    <div class="divider">or</div>
+                _logo = f'<img src="{_html.escape(_p.logo)}" alt="" class="oauth-logo">' if _p.logo else ""
-    <a href="/login/oauth/gitea" class="gitea-btn">
+                buttons_html += f"""
-      {logo_img}Sign in with Gitea
+    <a href="/login/oauth/{_html.escape(_p.name)}" class="oauth-btn">
      {_logo}{_html.escape(_p.label)}
    </a>"""
            oauth_buttons = f"""
    <div class="divider">or</div>{buttons_html}"""
        html = f"""<!DOCTYPE html>
 <html>
@@ -656,12 +816,12 @@ async def start(
    .field {{ margin-bottom: .9em; }}
    .divider {{ text-align: center; margin: 1.2em 0 .8em; color: #999;
                font-size: .85em; border-top: 1px solid #eee; padding-top: .8em; }}
-    .gitea-btn {{ display: flex; align-items: center; justify-content: center;
+    .oauth-btn {{ display: flex; align-items: center; justify-content: center;
                  gap: .5em; width: 100%; padding: .6em; background: #16191d;
                  color: #fff; border-radius: 4px; font-size: 1em; text-align: center;
-                  text-decoration: none; box-sizing: border-box; }}
+                  text-decoration: none; box-sizing: border-box; margin-top: .5em; }}
-    .gitea-btn:hover {{ background: #4e7d1e; }}
+    .oauth-btn:hover {{ background: #444; }}
-    .gitea-logo {{ height: 1.2em; width: auto; vertical-align: middle; }}
+    .oauth-logo {{ height: 1.2em; width: auto; vertical-align: middle; }}
  </style>
 </head>
 <body>
@@ -672,7 +832,7 @@ async def start(
      <div class="field"><label>Username</label><input name="username" autofocus></div>
      <div class="field"><label>Password</label><input name="password" type="password"></div>
      <button type="submit">Sign in</button>
-    </form>{gitea_button}
+    </form>{oauth_buttons}
  </div>
 </body>
 </html>"""
@@ -681,7 +841,10 @@ async def start(
    async def web_logout(request):
        """GET /logout — clear session cookie and redirect to /login."""
        token = request.cookies.get(SESSION_COOKIE, "")
        _user = users_mod.get_session_user(token)
        users_mod.delete_session(token)
        if _user:
            eventlog("hbd", "INFO", f"Logout: {_user.username}")
        resp = web.HTTPFound("/login")
        resp.del_cookie(SESSION_COOKIE)
        raise resp
@@ -689,7 +852,10 @@ async def start(
    async def api_logout(request):
        """POST /api/0/auth/logout"""
        token = _get_token(request)
        _user = users_mod.get_session_user(token)
        users_mod.delete_session(token)
        if _user:
            eventlog("hbd", "INFO", f"Logout: {_user.username}")
        resp = web.json_response({"success": True})
        resp.del_cookie(SESSION_COOKIE)
        return resp
@@ -791,6 +957,23 @@ async def start(
        return web.json_response(host.access_dict())
    # -------------------------------------------------------------------------
    # Host info endpoint
    # -------------------------------------------------------------------------
    async def api_host_info(request):
        """GET /api/0/hosts/{hostname}/info"""
        user, err = _require_auth(request)
        if err:
            return err
        hostname = request.match_info.get("hostname")
        if hostname not in hbdclass.Host.hosts:
            return web.json_response({"error": f"Host '{hostname}' not found"}, status=404)
        host = hbdclass.Host.hosts[hostname]
        if not _can_view_host(user, host):
            return web.json_response({"error": "Forbidden"}, status=403)
        return web.json_response(_build_host_info(host, threshold_checker=threshold_checker))
    # -------------------------------------------------------------------------
    # User profile page
    # -------------------------------------------------------------------------
@@ -842,6 +1025,24 @@ async def start(
                ch_cfg = config.get("notification_channels", {}).get(ch_name, {})
                notif_channels.append({"name": ch_name, "type": ch_cfg.get("type", "")})
        # Build visible channels list for chip picker and My Channels management.
        visible_channels = _visible_channels_for_user(current_user) if current_user else {}
        all_channels = sorted(
            [
                {
                    "name": name,
                    "type": cfg.get("type", ""),
                    "owner": cfg.get("owner"),
                    "private": bool(cfg.get("private", False)),
                }
                for name, cfg in visible_channels.items()
                if isinstance(cfg, dict)
            ],
            key=lambda c: c["name"],
        )
        # Keep all_channel_names for backwards-compat with any template references.
        all_channel_names = [c["name"] for c in all_channels]
        tmpl = env.get_template("profile.html")
        body = tmpl.render(
            title="Profile - Heartbeat",
@@ -851,6 +1052,8 @@ async def start(
            managed_hosts=managed,
            monitored_hosts=monitored,
            notification_channels=notif_channels,
            all_channels=all_channels,
            all_channel_names=all_channel_names,
            active_page="profile",
        )
        return web.Response(text=body, content_type="text/html")
@@ -910,29 +1113,46 @@ async def start(
        templates_dir = config.get("templates_dir", os.path.join(pkg_dir, "templates"))
        env = jinja2.Environment(loader=jinja2.FileSystemLoader(templates_dir))
        tmpl = env.get_template("settings.html")
        settings_data = settings_mod.get_settings_data(config, threshold_checker=threshold_checker)
        body = tmpl.render(
            title="Settings - Heartbeat",
-            sections=settings_mod.get_settings_sections(config, threshold_checker=threshold_checker),
+            sections=settings_data["sections"],
            all_channel_names=settings_data["all_channel_names"],
            all_usernames=settings_data["all_usernames"],
            all_threshold_configs=settings_data["all_threshold_configs"],
            current_user=current_user.to_dict() if current_user else None,
            active_page="settings",
        )
        return web.Response(text=body, content_type="text/html")
-    def _oauth_redirect_uri(request) -> str:
+    def _oauth_redirect_uri(request, provider_name: str) -> str:
        base = config.get("base_url", "").rstrip("/") or str(request.url.origin())
-        return f"{base}/login/oauth/gitea/callback"
+        return f"{base}/login/oauth/{provider_name}/callback"
-    async def oauth_gitea_redirect(request):
+    def _get_oauth_provider(name: str):
-        """GET /login/oauth/gitea — kick off the Gitea OAuth2 flow."""
+        """Return the ResolvedProvider for *name*, or None if not found."""
-        if not oauth_mod.is_enabled(config):
+        return next(
-            return web.Response(status=404, text="OAuth not configured")
+            (p for p in oauth_mod.get_providers(config) if p.name == name),
            None,
        )
    async def oauth_redirect(request):
        """GET /login/oauth/{name} — kick off the OAuth2 flow for the named provider."""
        name = request.match_info["name"]
        provider = _get_oauth_provider(name)
        if provider is None:
            return web.Response(status=404, text="OAuth provider not found")
        state = oauth_mod.make_state()
-        raise web.HTTPFound(oauth_mod.authorization_url(config, state, _oauth_redirect_uri(request)))
+        raise web.HTTPFound(
            oauth_mod.build_auth_url(provider, state, _oauth_redirect_uri(request, name))
        )
-    async def oauth_gitea_callback(request):
+    async def oauth_callback(request):
-        """GET /login/oauth/gitea/callback — handle Gitea's redirect back."""
+        """GET /login/oauth/{name}/callback — handle the provider's redirect back."""
-        if not oauth_mod.is_enabled(config):
+        name = request.match_info["name"]
-            return web.Response(status=404, text="OAuth not configured")
+        provider = _get_oauth_provider(name)
        if provider is None:
            return web.Response(status=404, text="OAuth provider not found")
        code = request.rel_url.query.get("code", "")
        state = request.rel_url.query.get("state", "")
        if not code or not state:
@@ -941,8 +1161,8 @@ async def start(
            logger.warning("OAuth: invalid or expired state token from %s", request.remote)
            raise web.HTTPFound("/login?error=1")
        try:
-            token = await oauth_mod.exchange_code(config, code, _oauth_redirect_uri(request))
+            token = await oauth_mod.exchange_code(provider, code, _oauth_redirect_uri(request, name))
-            profile = await oauth_mod.fetch_user(config, token)
+            profile = await oauth_mod.fetch_user(provider, token)
        except oauth_mod.OAuthError as exc:
            logger.warning("OAuth error: %s", exc)
            raise web.HTTPFound("/login?error=1")
@@ -952,6 +1172,7 @@ async def start(
            profile["avatar_url"],
        )
        session_token = users_mod.create_session(user.username)
        eventlog("hbd", "INFO", f"Login: {user.username} via {provider.type}")
        resp = web.HTTPFound("/")
        resp.set_cookie(
            SESSION_COOKIE,
@@ -962,6 +1183,473 @@ async def start(
        )
        raise resp
    # -------------------------------------------------------------------------
    # Config API (admin only)
    # -------------------------------------------------------------------------
    _config_path = getattr(config, "_config_path", "") or ""
    async def api_config_get(request):
        """GET /api/0/config — full config as JSON, secrets masked. Admin only."""
        user, err = _require_auth(request)
        if err:
            return err
        if user and not user.admin:
            return web.json_response({"error": "Forbidden"}, status=403)
        return web.json_response(_mask_config_for_api(config))
    _YAML_EXTRACTORS = {
        "notification_channels": lambda d: d.get("notification_channels") or {},
        "thresholds": lambda d: d.get("threshold_configs") or {},
        "hosts": lambda d: d.get("hosts") or {},
        "dns": lambda d: {k: d[k] for k in configio_mod._DNS_KEYS if k in d},
    }
    async def api_config_section_get(request):
        """GET /api/0/config/section/{name} — raw YAML text for a YAML-editor section."""
        user, err = _require_auth(request)
        if err:
            return err
        if user and not user.admin:
            return web.json_response({"error": "Forbidden"}, status=403)
        if not _config_path:
            return web.json_response({"error": "Config path not available"}, status=503)
        name = request.match_info["name"]
        if name not in _YAML_EXTRACTORS:
            return web.json_response({"error": "Unknown section"}, status=404)
        import io as _io
        from ruamel.yaml import YAML as _YAML
        try:
            data = configio_mod.read_roundtrip(_config_path)
            section_data = _YAML_EXTRACTORS[name](data)
            _sy = _YAML()
            _sy.preserve_quotes = True
            buf = _io.StringIO()
            _sy.dump(section_data, buf)
        except Exception as exc:
            logger.error("Config section read failed: %s", exc)
            return web.json_response({"error": str(exc)}, status=500)
        return web.json_response({"yaml": buf.getvalue()})
    async def api_config_backups_get(request):
        """GET /api/0/config/backups — list of backup paths, newest first."""
        user, err = _require_auth(request)
        if err:
            return err
        if user and not user.admin:
            return web.json_response({"error": "Forbidden"}, status=403)
        if not _config_path:
            return web.json_response({"backups": []})
        backups = configio_mod.list_backups(_config_path)
        return web.json_response({"backups": backups})
    async def api_config_post(request):
        """POST /api/0/config — publish staged changes to .hb.yaml. Admin only."""
        user, err = _require_auth(request)
        if err:
            return err
        if user and not user.admin:
            return web.json_response({"error": "Forbidden"}, status=403)
        if not _config_path:
            return web.json_response({"error": "Config path not available"}, status=503)
        try:
            payload = await request.json()
        except Exception:
            return web.json_response({"error": "Invalid JSON"}, status=400)
        if not isinstance(payload, dict):
            return web.json_response({"error": "Invalid JSON"}, status=400)
        try:
            data = configio_mod.read_roundtrip(_config_path)
            if "server" in payload:
                configio_mod.apply_structured_section(data, "server", payload["server"])
            if "users" in payload:
                # Hash any plaintext passwords; preserve existing hashes when omitted or "•••"
                existing_users = data.get("users") or {}
                users_payload = payload["users"]
                for username, attrs in users_payload.items():
                    pw = attrs.get("password", "")
                    if pw and pw != "•••" and not pw.startswith("pbkdf2:"):
                        attrs["password"] = users_mod.hash_password(pw)
                    elif not pw or pw == "•••":
                        existing_hash = (existing_users.get(username) or {}).get("password", "")
                        if existing_hash:
                            attrs["password"] = existing_hash
                        else:
                            attrs.pop("password", None)
                configio_mod.apply_structured_section(data, "users", users_payload)
            if "oauth" in payload:
                existing_oauth = data.get("oauth") or {}
                new_oauth = payload["oauth"]
                for name, attrs in new_oauth.items():
                    cs = attrs.get("client_secret", "")
                    if not cs or cs == "•••":
                        existing_cs = (existing_oauth.get(name) or {}).get("client_secret", "")
                        if existing_cs:
                            attrs["client_secret"] = existing_cs
                        else:
                            attrs.pop("client_secret", None)
                data["oauth"] = new_oauth
            for section in ("notification_channels", "dns"):
                if section in payload:
                    configio_mod.apply_yaml_section(data, section, payload[section])
            if "thresholds" in payload:
                tc = payload["thresholds"]
                if isinstance(tc, str):
                    configio_mod.apply_yaml_section(data, "thresholds", tc)
                elif isinstance(tc, dict):
                    data["threshold_configs"] = _build_threshold_configs_from_form(tc)
            if "hosts" in payload:
                h = payload["hosts"]
                if isinstance(h, dict):
                    configio_mod.apply_structured_section(data, "hosts", h)
                else:
                    configio_mod.apply_yaml_section(data, "hosts", h)
            configio_mod.write_config(_config_path, data)
        except Exception as exc:
            logger.error("Config write failed: %s", exc)
            return web.json_response({"error": str(exc)}, status=500)
        if reload_callback:
            await reload_callback()
        elif hasattr(config, "reload"):
            await config.reload()
            users_mod.load_users(config)
        return web.json_response({"ok": True})
    async def api_config_rollback(request):
        """POST /api/0/config/rollback — restore a backup. Admin only."""
        user, err = _require_auth(request)
        if err:
            return err
        if user and not user.admin:
            return web.json_response({"error": "Forbidden"}, status=403)
        if not _config_path:
            return web.json_response({"error": "Config path not available"}, status=503)
        try:
            body = await request.json()
        except Exception:
            return web.json_response({"error": "Invalid JSON"}, status=400)
        backup = body.get("backup", "")
        if not backup or backup not in configio_mod.list_backups(_config_path):
            return web.json_response({"error": "Invalid or missing backup"}, status=400)
        try:
            backup_data = configio_mod.read_roundtrip(backup)
            configio_mod.write_config(_config_path, backup_data)
        except Exception as exc:
            logger.error("Rollback failed: %s", exc)
            return web.json_response({"error": str(exc)}, status=500)
        if reload_callback:
            await reload_callback()
        elif hasattr(config, "reload"):
            await config.reload()
            users_mod.load_users(config)
        return web.json_response({"ok": True})
    # -------------------------------------------------------------------------
    # Notification channel helpers
    # -------------------------------------------------------------------------
    def _visible_channels_for_user(user):
        """Return {name: cfg} of channels visible to user (public + own private)."""
        all_channels = config.get("notification_channels") or {}
        if user is None:
            return {}
        if user.admin:
            return dict(all_channels)
        visible = {}
        for name, cfg in all_channels.items():
            if not isinstance(cfg, dict):
                continue
            if not cfg.get("private") or cfg.get("owner") == user.username:
                visible[name] = cfg
        return visible
    def _build_channel_response(ch_name, ch_cfg):
        """Serialize a channel config dict for the API response."""
        ch_type = ch_cfg.get("type", "")
        schema_fields = settings_mod.CHANNEL_TYPE_SCHEMAS.get(ch_type, {}).get("fields", [])
        fields = []
        for sf in schema_fields:
            k = sf["key"]
            v = ch_cfg.get(k, "")
            sensitive = sf["type"] == "secret"
            fields.append({
                "key": k,
                "label": sf["label"],
                "value": "•••" if (sensitive and v) else (
                    ", ".join(v) if isinstance(v, list) else str(v or "")
                ),
                "sensitive": sensitive,
            })
        return {
            "name": ch_name,
            "type": ch_type,
            "type_label": settings_mod._CHANNEL_TYPE_LABELS.get(ch_type, ch_type.title()),
            "owner": ch_cfg.get("owner"),
            "private": bool(ch_cfg.get("private", False)),
            "min_level": ch_cfg.get("min_level", "WARNING"),
            "fields": fields,
        }
    # -------------------------------------------------------------------------
    # Notification channel API (any authenticated user)
    # -------------------------------------------------------------------------
    async def api_notification_channel_types(request):
        """GET /api/0/notification_channel_types — channel type schemas."""
        user, err = _require_auth(request)
        if err:
            return err
        return web.json_response(settings_mod.CHANNEL_TYPE_SCHEMAS)
    async def api_notification_channels_get(request):
        """GET /api/0/notification_channels — list channels visible to current user."""
        user, err = _require_auth(request)
        if err:
            return err
        visible = _visible_channels_for_user(user)
        result = [
            _build_channel_response(name, cfg)
            for name, cfg in visible.items()
            if isinstance(cfg, dict)
        ]
        return web.json_response(result)
    async def api_notification_channels_post(request):
        """POST /api/0/notification_channels — create a new channel."""
        user, err = _require_auth(request)
        if err:
            return err
        if user is None:
            return web.json_response({"error": "Authentication required"}, status=401)
        if not _config_path:
            return web.json_response({"error": "Config path not available"}, status=503)
        try:
            body = await request.json()
        except Exception:
            return web.json_response({"error": "Invalid JSON"}, status=400)
        name = (body.get("name") or "").strip()
        if not name:
            return web.json_response({"error": "Channel name is required"}, status=400)
        ch_type = (body.get("type") or "").strip()
        if ch_type not in settings_mod.CHANNEL_TYPE_SCHEMAS:
            return web.json_response({"error": f"Unknown channel type: {ch_type!r}"}, status=400)
        if name in (config.get("notification_channels") or {}):
            return web.json_response({"error": f"Channel {name!r} already exists"}, status=409)
        schema = settings_mod.CHANNEL_TYPE_SCHEMAS[ch_type]
        channel_cfg = {"type": ch_type}
        for sf in schema["fields"]:
            k = sf["key"]
            v = body.get(k, "")
            if v:
                channel_cfg[k] = v
            elif sf["required"]:
                return web.json_response({"error": f"Field {k!r} is required"}, status=400)
        if body.get("min_level"):
            channel_cfg["min_level"] = body["min_level"]
        channel_cfg["owner"] = user.username
        if body.get("private"):
            channel_cfg["private"] = True
        try:
            disk_data = configio_mod.read_roundtrip(_config_path)
            configio_mod.apply_channel(disk_data, name, channel_cfg)
            configio_mod.write_config(_config_path, disk_data)
        except Exception as exc:
            logger.error("Channel create failed: %s", exc)
            return web.json_response({"error": str(exc)}, status=500)
        if reload_callback:
            await reload_callback()
        elif hasattr(config, "reload"):
            await config.reload()
        return web.json_response({"ok": True, "name": name})
    async def api_notification_channel_put(request):
        """PUT /api/0/notification_channels/{name} — update a channel."""
        user, err = _require_auth(request)
        if err:
            return err
        if user is None:
            return web.json_response({"error": "Authentication required"}, status=401)
        if not _config_path:
            return web.json_response({"error": "Config path not available"}, status=503)
        ch_name = request.match_info["name"]
        existing_channels = config.get("notification_channels") or {}
        if ch_name not in existing_channels:
            return web.json_response({"error": f"Channel {ch_name!r} not found"}, status=404)
        existing_cfg = existing_channels[ch_name]
        if not isinstance(existing_cfg, dict):
            return web.json_response({"error": "Invalid channel config"}, status=500)
        owner = existing_cfg.get("owner")
        if not user.admin and owner != user.username:
            return web.json_response({"error": "Forbidden"}, status=403)
        try:
            body = await request.json()
        except Exception:
            return web.json_response({"error": "Invalid JSON"}, status=400)
        ch_type = existing_cfg.get("type", "")
        schema_fields = settings_mod.CHANNEL_TYPE_SCHEMAS.get(ch_type, {}).get("fields", [])
        secret_keys = {sf["key"] for sf in schema_fields if sf["type"] == "secret"}
        try:
            disk_data = configio_mod.read_roundtrip(_config_path)
            existing_on_disk = (disk_data.get("notification_channels") or {}).get(ch_name, {})
            channel_cfg = {"type": ch_type}
            for sf in schema_fields:
                k = sf["key"]
                v = body.get(k, "")
                if k in secret_keys and (not v or v == "•••"):
                    existing_val = existing_on_disk.get(k, "")
                    if existing_val:
                        channel_cfg[k] = existing_val
                elif v:
                    channel_cfg[k] = v
            if body.get("min_level"):
                channel_cfg["min_level"] = body["min_level"]
            if owner is not None:
                channel_cfg["owner"] = owner
            if "private" in body:
                channel_cfg["private"] = bool(body["private"])
            elif existing_on_disk.get("private"):
                channel_cfg["private"] = True
            configio_mod.apply_channel(disk_data, ch_name, channel_cfg)
            configio_mod.write_config(_config_path, disk_data)
        except Exception as exc:
            logger.error("Channel update failed: %s", exc)
            return web.json_response({"error": str(exc)}, status=500)
        if reload_callback:
            await reload_callback()
        elif hasattr(config, "reload"):
            await config.reload()
        return web.json_response({"ok": True})
    async def api_notification_channel_delete(request):
        """DELETE /api/0/notification_channels/{name} — delete a channel."""
        user, err = _require_auth(request)
        if err:
            return err
        if user is None:
            return web.json_response({"error": "Authentication required"}, status=401)
        if not _config_path:
            return web.json_response({"error": "Config path not available"}, status=503)
        ch_name = request.match_info["name"]
        existing_channels = config.get("notification_channels") or {}
        if ch_name not in existing_channels:
            return web.json_response({"error": f"Channel {ch_name!r} not found"}, status=404)
        existing_cfg = existing_channels[ch_name]
        owner = existing_cfg.get("owner") if isinstance(existing_cfg, dict) else None
        if not user.admin and owner != user.username:
            return web.json_response({"error": "Forbidden"}, status=403)
        try:
            disk_data = configio_mod.read_roundtrip(_config_path)
            configio_mod.delete_channel(disk_data, ch_name)
            configio_mod.write_config(_config_path, disk_data)
        except Exception as exc:
            logger.error("Channel delete failed: %s", exc)
            return web.json_response({"error": str(exc)}, status=500)
        if reload_callback:
            await reload_callback()
        elif hasattr(config, "reload"):
            await config.reload()
        return web.json_response({"ok": True})
    async def api_user_self_put(request):
        """PUT /api/0/users/me — update own full_name, avatar, notification_channels, password."""
        user, err = _require_auth(request)
        if err:
            return err
        if user is None:
            return web.json_response({"error": "Authentication required"}, status=401)
        if not _config_path:
            return web.json_response({"error": "Config path not available"}, status=503)
        try:
            body = await request.json()
        except Exception:
            return web.json_response({"error": "Invalid JSON"}, status=400)
        if not isinstance(body, dict):
            return web.json_response({"error": "Invalid JSON"}, status=400)
        username = user.username
        password_change = body.get("password")
        if password_change:
            if not isinstance(password_change, dict):
                return web.json_response({"error": "Invalid JSON"}, status=400)
            current_pw = password_change.get("current", "")
            new_pw = password_change.get("new", "")
            if not new_pw:
                return web.json_response({"error": "New password cannot be empty"}, status=400)
            if not users_mod.authenticate(username, current_pw):
                return web.json_response({"error": "Current password incorrect"}, status=403)
        try:
            data = configio_mod.read_roundtrip(_config_path)
            if "users" not in data or data["users"] is None:
                data["users"] = {}
            user_entry = dict(data["users"].get(username) or {})
            if "full_name" in body:
                user_entry["full_name"] = str(body["full_name"])
            if "avatar" in body:
                user_entry["avatar"] = str(body["avatar"])
            if "notification_channels" in body:
                visible = _visible_channels_for_user(user)
                user_entry["notification_channels"] = [
                    str(ch) for ch in body["notification_channels"] if ch in visible
                ]
            if password_change:
                user_entry["password"] = users_mod.hash_password(password_change["new"])
            data["users"][username] = user_entry
            configio_mod.write_config(_config_path, data)
        except Exception as exc:
            logger.error("User self-update failed: %s", exc)
            return web.json_response({"error": str(exc)}, status=500)
        if reload_callback:
            await reload_callback()
        elif hasattr(config, "reload"):
            await config.reload()
            users_mod.load_users(config)
        return web.json_response({"ok": True})
    app = web.Application()
    app.add_routes(
        [
@@ -973,12 +1661,25 @@ async def start(
            web.get("/logout", web_logout),
            web.post("/api/0/auth/login", api_login),
            web.post("/api/0/auth/logout", api_logout),
-            web.get("/login/oauth/gitea",          oauth_gitea_redirect),
+            web.get("/login/oauth/{name}",          oauth_redirect),
-            web.get("/login/oauth/gitea/callback", oauth_gitea_callback),
+            web.get("/login/oauth/{name}/callback", oauth_callback),
            # Users
            web.get("/api/0/users", api_users),
            web.get("/api/0/users/me", api_user_self),
            web.put("/api/0/users/me",  api_user_self_put),
            web.get("/api/0/users/{username}/avatar", api_user_avatar),
            # Config API (admin)
            web.get("/api/0/config",                 api_config_get),
            web.get("/api/0/config/section/{name}",  api_config_section_get),
            web.get("/api/0/config/backups",         api_config_backups_get),
            web.post("/api/0/config",                api_config_post),
            web.post("/api/0/config/rollback",       api_config_rollback),
            # Notification channel API (any authenticated user)
            web.get("/api/0/notification_channel_types",      api_notification_channel_types),
            web.get("/api/0/notification_channels",            api_notification_channels_get),
            web.post("/api/0/notification_channels",           api_notification_channels_post),
            web.put("/api/0/notification_channels/{name}",     api_notification_channel_put),
            web.delete("/api/0/notification_channels/{name}",  api_notification_channel_delete),
            # Hosts
            web.get("/api/0/hosts", api_hosts),
            web.get("/api/0/alert_summary", api_alert_summary),
@@ -988,6 +1689,7 @@ async def start(
            web.get("/api/0/hosts/{hostname}/alerts", api_host_alerts),
            web.get("/api/0/hosts/{hostname}/access", api_host_access_get),
            web.put("/api/0/hosts/{hostname}/access", api_host_access_put),
            web.get("/api/0/hosts/{hostname}/info", api_host_info),
            web.get("/api/0/alerts", api_all_alerts),
            web.post("/api/0/alerts/acknowledge", api_acknowledge_alert),
            web.get("/c", cmd),
@@ -78,9 +78,7 @@ async def reload_configuration(config_obj, config_path, components):
        True if reload succeeded, False otherwise
    """
    try:
        logger.info("=" * 60)
        logger.info("Starting configuration reload...")
        logger.info("=" * 60)
        # Reload config file
        new_config = await config_obj.reload(config_path)
@@ -115,13 +113,11 @@ async def reload_configuration(config_obj, config_path, components):
        # These are reloadable and effective immediately:
        # - notification_channels
        # - threshold_configs
-        # - hosts (watchhosts, dyndnshosts, notification_channels)
+        # - hosts (watchhosts, dyndns, notification_channels)
        # - grace period (used on next heartbeat)
        # - debug/verbose flags (used on next message)
        logger.info("=" * 60)
        logger.info("Configuration reload completed successfully")
        logger.info("=" * 60)
        return True
    except Exception as e:
@@ -246,6 +242,9 @@ async def _run_async(config, config_path=None):
    # upgrade or config change between runs).
    threshold_checker.purge_stale_alerts(hbdclass)
    async def _http_reload_callback():
        await reload_configuration(config, config_path, components)
    # HTTP server (asyncio-based via aiohttp)
    try:
        http_task = asyncio.create_task(
@@ -259,6 +258,7 @@ async def _run_async(config, config_path=None):
                verbose=config.get("verbose", False),
                get_now=lambda: time.time(),
                VER="",
                reload_callback=_http_reload_callback,
            )
        )
        logger.info(
@@ -422,7 +422,6 @@ def load_pickled_hosts(config, hbdclass):
    pickfile = config.get("pickfile", "hbd.pickle")
    dyndnshosts = config_mod.get_dyndnshosts(config)
    watchhosts = config_mod.get_watchhosts(config)
    drophosts = config.get("drophosts", [])
    if 1 and os.path.exists(pickfile):
        if config.get("verbose", False):
            logger.info("opening pickls %s", pickfile)
@@ -448,9 +447,6 @@ def load_pickled_hosts(config, hbdclass):
            hbdclass.Host.hosts[h].apply_access(
                access["owner"], access["managers"], access["monitors"]
            )
        for h in drophosts:
            if h in hbdclass.Host.hosts:
                del hbdclass.Host.hosts[h]
        if config.get("verbose", False):
            logger.info("%s pickled hosts loaded", len(hbdclass.Host.hosts))
    else:
@@ -366,6 +366,9 @@ _TIMEOUT = 15  # seconds per channel send
 async def _dispatch_to_channel(channel_name: str, channel_cfg: dict, notif: Notification) -> bool:
    """Send *notif* to a single named channel, honouring min_level."""
    # Strip ownership metadata — notifier drivers only need delivery credentials.
    channel_cfg = {k: v for k, v in channel_cfg.items() if k not in ("owner", "private")}
    level = notif.level.upper()
    if level != "RECOVER":
        min_level = channel_cfg.get("min_level", "WARNING").upper()
@@ -1,23 +1,37 @@
-"""Gitea OAuth2 support.
+"""OAuth2 provider support.
 Config shape (in ~/.hb.yaml):
    oauth:
-      gitea:
+      my-gitea:                          # route slug → /login/oauth/my-gitea
-        url: https://git.example.com
+        type: gitea                      # "gitea" | "github" | "nextcloud"
                                         # omit type to default to "gitea"
        url: https://git.example.com     # required for gitea and nextcloud
        client_id: <client-id>
        client_secret: <client-secret>
        label: "Work Gitea"              # optional display name on login button
        logo: https://example.com/logo.png  # optional logo URL
      github:
        type: github
        client_id: <client-id>
        client_secret: <client-secret>
-Register a Gitea OAuth2 application at:
+      nextcloud:
-  Gitea → Settings → Applications → OAuth2
+        type: nextcloud
-Set the redirect URI to:
+        url: https://cloud.example.com
-  https://<hbd-host>/login/oauth/gitea/callback
+        client_id: <client-id>
        client_secret: <client-secret>
 Register the OAuth app with each provider and set the redirect URI to:
  https://<hbd-host>/login/oauth/<name>/callback
 """
 import logging
 import secrets
 import time
 import urllib.parse
 from dataclasses import dataclass
 import aiohttp
@@ -57,44 +71,129 @@ class OAuthError(Exception):
    """Raised when the OAuth2 flow fails for any reason."""
-def _gitea_cfg(config: dict) -> dict:
+PROVIDER_DEFS: dict = {
-    """Return the gitea sub-dict or {} if absent/incomplete."""
+    "gitea": {
-    return config.get("oauth", {}).get("gitea", {})
+        "authorize_url_tmpl": "{url}/login/oauth/authorize",
        "token_url_tmpl":     "{url}/login/oauth/access_token",
        "profile_url_tmpl":   "{url}/api/v1/user",
        "scope":              "user:email",
        "field_map":          {"username": "login", "full_name": "full_name", "avatar": "avatar_url"},
        "profile_data_path":  [],
        "requires_url":       True,
        "default_label":      "Gitea",
    },
    "github": {
        "authorize_url_tmpl": "https://github.com/login/oauth/authorize",
        "token_url_tmpl":     "https://github.com/login/oauth/access_token",
        "profile_url_tmpl":   "https://api.github.com/user",
        "scope":              "read:user",
        "field_map":          {"username": "login", "full_name": "name", "avatar": "avatar_url"},
        "profile_data_path":  [],
        "requires_url":       False,
        "default_label":      "GitHub",
    },
    "nextcloud": {
        "authorize_url_tmpl": "{url}/apps/oauth2/authorize",
        "token_url_tmpl":     "{url}/apps/oauth2/api/v1/token",
        "profile_url_tmpl":   "{url}/ocs/v2.php/cloud/user?format=json",
        "scope":              "",
        "field_map":          {"username": "id", "full_name": "display-name", "avatar": None},
        "profile_data_path":  ["ocs", "data"],
        "requires_url":       True,
        "default_label":      "Nextcloud",
    },
 }
@dataclass
 class ResolvedProvider:
    """A fully resolved OAuth2 provider instance, ready to use."""
    name: str
    type: str
    label: str
    logo: str
    authorize_url: str
    token_url: str
    profile_url: str
    scope: str
    client_id: str
    client_secret: str
    field_map: dict
    profile_data_path: list
 def get_providers(config: dict) -> list[ResolvedProvider]:
    """Return a ResolvedProvider for every valid entry in config['oauth'].
    Entries with missing required fields or unknown types are skipped with
    a warning log.  Order follows config declaration order.
    """
    result = []
    oauth_cfg = config.get("oauth", {})
    if not isinstance(oauth_cfg, dict):
        return result
    for name, entry in oauth_cfg.items():
        if not isinstance(entry, dict):
            continue
        provider_type = entry.get("type", "gitea")
        defn = PROVIDER_DEFS.get(provider_type)
        if defn is None:
            logger.warning("OAuth: unknown provider type %r for %r, skipping", provider_type, name)
            continue
        client_id = entry.get("client_id", "")
        client_secret = entry.get("client_secret", "")
        if not client_id or not client_secret:
            logger.warning("OAuth: %r missing client_id or client_secret, skipping", name)
            continue
        url = entry.get("url", "").rstrip("/")
        if defn["requires_url"] and not url:
            logger.warning("OAuth: %r requires url but none configured, skipping", name)
            continue
        label = entry.get("label") or defn["default_label"]
        logo = entry.get("logo", "")
        result.append(ResolvedProvider(
            name=name,
            type=provider_type,
            label=label,
            logo=logo,
            authorize_url=defn["authorize_url_tmpl"].format(url=url),
            token_url=defn["token_url_tmpl"].format(url=url),
            profile_url=defn["profile_url_tmpl"].format(url=url),
            scope=defn["scope"],
            client_id=client_id,
            client_secret=client_secret,
            field_map=dict(defn["field_map"]),
            profile_data_path=list(defn["profile_data_path"]),
        ))
    return result
 def is_enabled(config: dict) -> bool:
-    """Return True when all three required Gitea OAuth keys are present."""
+    """Return True when at least one OAuth provider is fully configured."""
-    g = _gitea_cfg(config)
+    return bool(get_providers(config))
    return bool(g.get("url") and g.get("client_id") and g.get("client_secret"))
-def authorization_url(config: dict, state: str, redirect_uri: str) -> str:
+def build_auth_url(provider: ResolvedProvider, state: str, redirect_uri: str) -> str:
-    """Return the Gitea OAuth2 authorization URL to redirect the browser to."""
+    """Return the provider's OAuth2 authorization URL to redirect the browser to."""
-    g = _gitea_cfg(config)
+    params: dict = {
-    if not (g.get("url") and g.get("client_id") and g.get("client_secret")):
+        "client_id": provider.client_id,
        raise OAuthError("Gitea OAuth2 is not configured")
    params = urllib.parse.urlencode({
        "client_id": g["client_id"],
        "redirect_uri": redirect_uri,
        "response_type": "code",
        "scope": "user:email",
        "state": state,
-    })
+    }
-    return f"{g['url'].rstrip('/')}/login/oauth/authorize?{params}"
+    if provider.scope:
        params["scope"] = provider.scope
    return f"{provider.authorize_url}?{urllib.parse.urlencode(params)}"
-async def exchange_code(config: dict, code: str, redirect_uri: str) -> str:
+async def exchange_code(provider: ResolvedProvider, code: str, redirect_uri: str) -> str:
-    """Exchange an authorization *code* for a Gitea access token.
+    """Exchange an authorization *code* for an access token.
    Returns the access token string.  Raises OAuthError on any failure.
    """
    g = _gitea_cfg(config)
    if not (g.get("url") and g.get("client_id") and g.get("client_secret")):
        raise OAuthError("Gitea OAuth2 is not configured")
    url = f"{g['url'].rstrip('/')}/login/oauth/access_token"
    payload = {
-        "client_id": g["client_id"],
+        "client_id": provider.client_id,
-        "client_secret": g["client_secret"],
+        "client_secret": provider.client_secret,
        "code": code,
        "grant_type": "authorization_code",
        "redirect_uri": redirect_uri,
@@ -102,7 +201,11 @@ async def exchange_code(config: dict, code: str, redirect_uri: str) -> str:
    timeout = aiohttp.ClientTimeout(total=10)
    try:
        async with aiohttp.ClientSession(timeout=timeout) as session:
-            async with session.post(url, json=payload, headers={"Accept": "application/json"}) as resp:
+            async with session.post(
                provider.token_url,
                json=payload,
                headers={"Accept": "application/json"},
            ) as resp:
                if resp.status != 200:
                    text = await resp.text()
                    raise OAuthError(f"Token exchange failed ({resp.status}): {text}")
@@ -115,28 +218,37 @@ async def exchange_code(config: dict, code: str, redirect_uri: str) -> str:
    return token
-async def fetch_user(config: dict, token: str) -> dict:
+async def fetch_user(provider: ResolvedProvider, token: str) -> dict:
-    """Fetch the authenticated user's profile from Gitea.
+    """Fetch the authenticated user's profile from the provider.
    Returns a dict with keys: login, full_name, avatar_url.
    Raises OAuthError on any failure.
    """
    g = _gitea_cfg(config)
    if not (g.get("url") and g.get("client_id") and g.get("client_secret")):
        raise OAuthError("Gitea OAuth2 is not configured")
    url = f"{g['url'].rstrip('/')}/api/v1/user"
    timeout = aiohttp.ClientTimeout(total=10)
    try:
        async with aiohttp.ClientSession(timeout=timeout) as session:
-            async with session.get(url, headers={"Authorization": f"token {token}"}) as resp:
+            async with session.get(
                provider.profile_url,
                headers={
                    "Authorization": f"Bearer {token}",
                    "Accept": "application/json",
                },
            ) as resp:
                if resp.status != 200:
                    text = await resp.text()
                    raise OAuthError(f"User fetch failed ({resp.status}): {text}")
                data = await resp.json()
    except aiohttp.ClientError as exc:
        raise OAuthError(f"User fetch network error: {exc}") from exc
-    return {
+
-        "login": data.get("login", ""),
+    try:
-        "full_name": data.get("full_name", ""),
+        for key in provider.profile_data_path:
-        "avatar_url": data.get("avatar_url", ""),
+            data = data.get(key, {})
-    }
+        avatar_field = provider.field_map.get("avatar")
        return {
            "login":      data.get(provider.field_map["username"], ""),
            "full_name":  data.get(provider.field_map["full_name"], ""),
            "avatar_url": data.get(avatar_field, "") if avatar_field else "",
        }
    except AttributeError:
        raise OAuthError(f"Unexpected profile response structure from {provider.type}")
@@ -27,13 +27,65 @@ _SECRET_KEYS = frozenset({
    "smtp_password", "smtp_user", "api_password", "access_token",
 })
-_CHANNEL_TYPE_LABELS = {
+CHANNEL_TYPE_SCHEMAS = {
-    "pushover":   "Pushover",
+    "pushover": {
-    "email":      "E-mail",
+        "label": "Pushover",
-    "signal":     "Signal",
+        "fields": [
-    "mattermost": "Mattermost",
+            {"key": "token",  "label": "App token",  "type": "secret", "required": True},
            {"key": "user",   "label": "User key",   "type": "secret", "required": True},
            {"key": "sound",  "label": "Sound",      "type": "text",   "required": False},
        ],
    },
    "email": {
        "label": "E-mail",
        "fields": [
            {"key": "recipients",    "label": "Recipients (comma-separated)", "type": "list",   "required": True},
            {"key": "sender",        "label": "From address",                 "type": "text",   "required": True},
            {"key": "smtp_server",   "label": "SMTP server",                  "type": "text",   "required": True},
            {"key": "smtp_port",     "label": "SMTP port",                    "type": "port",   "required": False},
            {"key": "smtp_user",     "label": "SMTP username",                "type": "text",   "required": False},
            {"key": "smtp_password", "label": "SMTP password",                "type": "secret", "required": False},
        ],
    },
    "signal": {
        "label": "Signal",
        "fields": [
            {"key": "user",      "label": "Sender number",    "type": "text", "required": True},
            {"key": "recipient", "label": "Recipient number", "type": "text", "required": True},
            {"key": "cli_path",  "label": "signal-cli path",  "type": "text", "required": False},
        ],
    },
    "matrix": {
        "label": "Matrix",
        "fields": [
            {"key": "homeserver",   "label": "Homeserver URL", "type": "text",   "required": True},
            {"key": "access_token", "label": "Access token",   "type": "secret", "required": True},
            {"key": "room_id",      "label": "Room ID",        "type": "text",   "required": True},
        ],
    },
    "sms_voipms": {
        "label": "SMS (voip.ms)",
        "fields": [
            {"key": "api_user",     "label": "API username", "type": "text",   "required": True},
            {"key": "api_password", "label": "API password", "type": "secret", "required": True},
            {"key": "did",          "label": "DID (from)",   "type": "text",   "required": True},
            {"key": "dst",          "label": "Destination",  "type": "text",   "required": True},
        ],
    },
    "mattermost": {
        "label": "Mattermost",
        "fields": [
            {"key": "host",     "label": "Host",          "type": "text",   "required": True},
            {"key": "token",    "label": "Webhook token", "type": "secret", "required": True},
            {"key": "channel",  "label": "Channel",       "type": "text",   "required": True},
            {"key": "username", "label": "Bot username",  "type": "text",   "required": False},
            {"key": "icon",     "label": "Icon URL",      "type": "text",   "required": False},
        ],
    },
 }
 _CHANNEL_TYPE_LABELS = {k: v["label"] for k, v in CHANNEL_TYPE_SCHEMAS.items()}
 def _mask(value):
    """Return a masked placeholder for sensitive values."""
@@ -143,6 +195,7 @@ def get_settings_sections(config: dict, threshold_checker=None) -> list:
        }
    # ---- Notification channels (complex, built separately) ----------------
    _METADATA_KEYS = {"type", "owner", "private", "min_level"}
    notif_channels = []
    for ch_name, ch_cfg in (config.get("notification_channels") or {}).items():
        if not isinstance(ch_cfg, dict):
@@ -150,7 +203,7 @@ def get_settings_sections(config: dict, threshold_checker=None) -> list:
        ch_type = ch_cfg.get("type", "")
        fields = []
        for k, v in ch_cfg.items():
-            if k == "type":
+            if k in _METADATA_KEYS:
                continue
            sensitive = k in _SECRET_KEYS
            fields.append({
@@ -165,6 +218,9 @@ def get_settings_sections(config: dict, threshold_checker=None) -> list:
            "name": ch_name,
            "type": ch_type,
            "type_label": _CHANNEL_TYPE_LABELS.get(ch_type, ch_type.title()),
            "owner": ch_cfg.get("owner"),
            "private": bool(ch_cfg.get("private", False)),
            "min_level": ch_cfg.get("min_level", "WARNING"),
            "fields": fields,
        })
@@ -191,6 +247,7 @@ def get_settings_sections(config: dict, threshold_checker=None) -> list:
            "hysteresis": tc.hysteresis,
            "count": tc.count,
            "enabled": tc.enabled,
            "display": tc.display or "",
        }
    threshold_config_list = []
@@ -228,32 +285,55 @@ def get_settings_sections(config: dict, threshold_checker=None) -> list:
            "owner": hcfg.get("owner", ""),
            "managers": hcfg.get("managers", []),
            "monitors": hcfg.get("monitors", []),
-            "threshold_config": hcfg.get("threshold_config", ""),
+            "threshold_configs": (
                list(v) if isinstance(v := hcfg.get("threshold_config"), list)
                else ([v] if v else [])
            ),
            "notification_channels": hcfg.get("notification_channels", []),
        })
    # ---- OAuth providers -------------------------------------------------------
    oauth_providers = []
    for pname, pattrs in (config.get("oauth") or {}).items():
        if not isinstance(pattrs, dict):
            continue
        cs = pattrs.get("client_secret", "")
        oauth_providers.append({
            "name": pname,
            "type": pattrs.get("type", "gitea"),
            "url": pattrs.get("url", ""),
            "client_id": pattrs.get("client_id", ""),
            "client_secret": "•••" if cs else "",
            "label": pattrs.get("label", ""),
            "logo": pattrs.get("logo", ""),
        })
    return [
        {
            "id": "network",
            "title": "Network",
            "description": "Ports and bind addresses for all server sockets.",
            "section_mode": "form",
            "api_section": "server",
            "fields": [
                field("hb_port",  "Heartbeat UDP port",  "port",
-                      "UDP port the server listens on for heartbeat datagrams."),
+                      "UDP port the server listens on for heartbeat datagrams.", editable=True),
                field("hbd_host", "HTTP bind address",   "text",
-                      "Interface to bind the HTTP server to. Empty = all interfaces."),
+                      "Interface to bind the HTTP server to. Empty = all interfaces.", editable=True),
                field("hbd_port", "HTTP API port",       "port",
-                      "TCP port for the HTTP API and web UI."),
+                      "TCP port for the HTTP API and web UI.", editable=True),
                field("ws_port",  "WebSocket port",      "port",
-                      "TCP port for the plain WebSocket server."),
+                      "TCP port for the plain WebSocket server.", editable=True),
                field("wss_port", "Secure WebSocket port", "port",
-                      "TCP port for WSS (TLS WebSocket). Leave empty to disable."),
+                      "TCP port for WSS (TLS WebSocket). Leave empty to disable.", editable=True),
            ],
        },
        {
            "id": "tls",
            "title": "TLS / WebSocket Security",
            "description": "Certificate paths used when wss_port is set.",
            "section_mode": "form",
            "api_section": None,
            "fields": [
                field("cert_path", "Certificate directory", "path",
                      "Directory containing the TLS certificate and key files."),
@@ -267,73 +347,89 @@ def get_settings_sections(config: dict, threshold_checker=None) -> list:
            "id": "monitoring",
            "title": "Monitoring",
            "description": "Heartbeat timing and alert re-notification behaviour.",
            "section_mode": "form",
            "api_section": "server",
            "fields": [
                field("interval",  "Heartbeat interval", "duration",
-                      "Expected time between heartbeat messages from each client."),
+                      "Expected time between heartbeat messages from each client.", editable=True),
-                field("grace",     "Grace multiplier",   "number",
+                field("grace",     "Grace period",        "number",
-                      "A host is marked overdue after interval × grace seconds of silence."),
+                      "Extra seconds to wait after a missed heartbeat before sending notifications.", editable=True),
                field("threshold_renotify_interval", "Re-notify interval", "duration",
-                      "How often to re-send notifications for ongoing threshold alerts."),
+                      "How often to re-send notifications for ongoing threshold alerts.", editable=True),
                field("autosave_interval", "Autosave interval", "duration",
                      "How often the server saves its state to disk."),
                field("base_url", "Base URL", "text",
                      "Base URL for notification links.", editable=True),
            ],
        },
        {
            "id": "persistence",
            "title": "Persistence & Logging",
            "description": "State file and event log settings.",
            "section_mode": "form",
            "api_section": "server",
            "fields": [
                field("pickfile", "State file",   "path",
-                      "Path to the pickle file used to persist host state across restarts."),
+                      "Path to the pickle file used to persist host state across restarts.", editable=True),
                field("logfile",  "Event log",    "path",
-                      "Path to the event log file."),
+                      "Path to the event log file.", editable=True),
            ],
        },
        {
            "id": "journal",
            "title": "Message Journal",
            "description": "All received heartbeat and plugin messages are journalled here.",
            "section_mode": "form",
            "api_section": "server",
            "fields": [
                field("journal_enabled",     "Enabled",          "boolean",
-                      "Turn journalling on or off."),
+                      "Turn journalling on or off.", editable=True),
                field("journal_dir",         "Journal directory","path",
-                      "Directory where journal files are written."),
+                      "Directory where journal files are written.", editable=True),
                field("journal_file",        "Journal filename", "text",
                      "Base filename for the journal (rotated copies get a numeric suffix)."),
                field("journal_max_size",    "Max file size",    "size",
-                      "Rotate the journal when it exceeds this size."),
+                      "Rotate the journal when it exceeds this size.", editable=True),
                field("journal_max_backups", "Backup count",     "number",
-                      "Number of rotated journal files to keep."),
+                      "Number of rotated journal files to keep.", editable=True),
            ],
        },
        {
            "id": "dns",
            "title": "Dynamic DNS",
-            "description": "nsupdate-based DNS registration for dynamic hosts.",
+            "description": "nsupdate-based DNS registration — edit raw YAML.",
-            "fields": [
+            "section_mode": "yaml",
-                field("nsupdate_bin", "nsupdate binary", "path",
+            "api_section": "dns",
-                      "Full path to the nsupdate executable."),
+            "fields": [],
                field("dyndomains",   "Dynamic domains", "list",
                      "DNS zones managed by nsupdate for dynamic hosts."),
                field("drophosts",    "Drop hosts",      "list",
                      "Hostnames to silently ignore — no state, no alerts."),
            ],
        },
        {
            "id": "users",
            "title": "Users",
            "description": "Accounts defined in the config file. Password hashes are never shown.",
            "section_mode": "form",
            "api_section": "users",
            "users": users_list,
            "fields": [
                field("default_owner", "Default owner", "text",
                      "Username that owns hosts with no explicit owner. "
-                      "Falls back to the first admin user."),
+                      "Falls back to the first admin user.", editable=True),
            ],
        },
        {
            "id": "oauth",
            "title": "OAuth Providers",
            "description": "OAuth2 login providers. Client secrets are masked.",
            "section_mode": "form",
            "api_section": "oauth",
            "providers": oauth_providers,
            "fields": [],
        },
        {
            "id": "channels",
            "title": "Notification Channels",
            "description": "Named notification providers. Credentials are masked.",
            "section_mode": "channels",
            "api_section": "notification_channels",
            "channels": notif_channels,
            "fields": [
                field("default_notification_channels", "Default channels", "list",
@@ -344,6 +440,8 @@ def get_settings_sections(config: dict, threshold_checker=None) -> list:
            "id": "hosts",
            "title": "Hosts",
            "description": "Host definitions loaded from the config file.",
            "section_mode": "hosts",
            "api_section": "hosts",
            "hosts": hosts_list,
            "fields": [],
        },
@@ -351,16 +449,20 @@ def get_settings_sections(config: dict, threshold_checker=None) -> list:
            "id": "thresholds",
            "title": "Threshold Configurations",
            "description": "Named alert threshold sets. Each defines warning/critical levels per metric.",
            "section_mode": "thresholds",
            "api_section": "thresholds",
            "threshold_configs": threshold_config_list,
            "fields": [
                field("default_threshold_config", "Default config", "text",
-                      "Threshold config used for hosts with no explicit mapping."),
+                      "Threshold config used for hosts with no explicit mapping.", editable=True),
            ],
        },
        {
            "id": "runtime",
            "title": "Runtime",
            "description": "Flags set at startup (require restart to change).",
            "section_mode": "form",
            "api_section": None,
            "fields": [
                field("foreground", "Foreground mode", "boolean",
                      "Run in the foreground instead of daemonising."),
@@ -371,3 +473,17 @@ def get_settings_sections(config: dict, threshold_checker=None) -> list:
            ],
        },
    ]
 def get_settings_data(config: dict, threshold_checker=None) -> dict:
    """Return sections list + auxiliary data for the settings template."""
    sections = get_settings_sections(config, threshold_checker=threshold_checker)
    all_channel_names = sorted((config.get("notification_channels") or {}).keys())
    all_usernames = sorted((config.get("users") or {}).keys())
    all_threshold_configs = sorted((config.get("threshold_configs") or {}).keys())
    return {
        "sections": sections,
        "all_channel_names": all_channel_names,
        "all_usernames": all_usernames,
        "all_threshold_configs": all_threshold_configs,
    }
@@ -125,6 +125,23 @@
        .nav-links a { margin-right: 0; padding: 6px 0; font-size: 1em; }
      }
      /* Pending config publish button */
      .nav-publish-btn {
        background: #e65100;
        color: #fff;
        border: none;
        border-radius: 4px;
        padding: 4px 10px;
        font-size: 0.82em;
        font-weight: 600;
        cursor: pointer;
        flex-shrink: 0;
        white-space: nowrap;
        margin-left: auto;
      }
      .nav-publish-btn:hover { background: #bf360c; }
      .nav-publish-btn:disabled { opacity: 0.7; cursor: default; }
      /* Swiss railway clock — nav */
      .nav-pie {
        flex-shrink: 0;
@@ -201,6 +201,43 @@
    .log-recover .log-level  { color: #2a7a2a; }
    .log-info .log-level     { color: #555; }
    .log-section-header {
      display: flex;
      align-items: center;
      gap: 12px;
      flex-wrap: wrap;
      margin-bottom: 10px;
      background: white;
      border-radius: 6px;
      box-shadow: 0 1px 4px rgba(0,0,0,0.1);
      padding: 8px 15px;
    }
    .log-section-title {
      font-size: 1.2em;
      font-weight: bold;
      color: #333;
      white-space: nowrap;
    }
    .log-filter-bar {
      display: flex;
      gap: 6px;
      align-items: center;
      flex-wrap: wrap;
    }
    .log-filter-bar input[type="text"],
    .log-filter-bar select {
      padding: 3px 7px;
      border: 1px solid #ccc;
      border-radius: 4px;
      font-size: 0.85em;
      color: #333;
    }
    .log-filter-bar input[type="text"] { width: 110px; }
    /* Modal for connection status messages */
    .connection-modal {
      display: none;
@@ -445,6 +482,22 @@
      updateRowAlert(name_idx[data.name], data);
    }
    function applyLogFilters() {
      var hostFilter = document.getElementById('filter-host').value.toLowerCase().trim();
      var levelFilter = document.getElementById('filter-level').value;
      var msgFilter = document.getElementById('filter-msg').value.toLowerCase().trim();
      document.querySelectorAll('#messages .log-entry').forEach(function(entry) {
        var show = true;
        if (hostFilter && !(entry.dataset.host || '').toLowerCase().includes(hostFilter)) show = false;
        if (levelFilter && entry.dataset.level !== levelFilter) show = false;
        if (msgFilter) {
          var msgEl = entry.querySelector('.log-msg');
          if (!msgEl || !msgEl.textContent.toLowerCase().includes(msgFilter)) show = false;
        }
        entry.style.display = show ? '' : 'none';
      });
    }
    function WS_Connect() {
      if ("WebSocket" in window) {
        //N.B: subprotocol field causes chrome to error 1006
@@ -479,7 +532,8 @@
            var ts_str = _d.getFullYear() + '-' + _p(_d.getMonth()+1) + '-' + _p(_d.getDate())
                       + ' ' + _p(_d.getHours()) + ':' + _p(_d.getMinutes()) + ':' + _p(_d.getSeconds());
            var lvl = (msg.level || "INFO").toLowerCase();
-            var html = '<div class="log-entry log-' + lvl + '">';
+            var hostVal = msg.host || '';
            var html = '<div class="log-entry log-' + lvl + '" data-level="' + lvl + '" data-host="' + hostVal.replace(/"/g, '&quot;') + '">';
            html += '<span class="log-ts">' + ts_str + '</span>';
            html += '<span class="log-level">' + (msg.level || "") + '</span>';
            if (msg.host) html += '<span class="log-host">' + msg.host + '</span>';
@@ -487,6 +541,7 @@
            html += '<span class="log-msg">' + msg.message + '</span>';
            html += '</div>';
            msgs.insertAdjacentHTML("afterbegin", html);
            applyLogFilters();
          }
          cnt++;
        };
@@ -575,7 +630,20 @@
      </div>
      <div class="log-section">
-        <h2>Log of Events</h2>
+        <div class="log-section-header">
          <span class="log-section-title">Log of Events</span>
          <div class="log-filter-bar">
            <input type="text" id="filter-host" placeholder="Host…" title="Filter by host" />
            <select id="filter-level" title="Filter by level">
              <option value="">All levels</option>
              <option value="info">INFO</option>
              <option value="warning">WARNING</option>
              <option value="critical">CRITICAL</option>
              <option value="recover">RECOVER</option>
            </select>
            <input type="text" id="filter-msg" placeholder="Message…" title="Filter by message text" />
          </div>
        </div>
        <div id="messages"></div>
      </div>
    </div>
@@ -591,6 +659,9 @@
    <script>
      setup();
      document.getElementById('filter-host').addEventListener('input', applyLogFilters);
      document.getElementById('filter-level').addEventListener('change', applyLogFilters);
      document.getElementById('filter-msg').addEventListener('input', applyLogFilters);
    </script>
  </body>
 </html>
@@ -11,6 +11,9 @@
    {% endif %}
    <a href="/about"{% if active_page == "about" %} class="active"{% endif %}>About</a>
  </div>
  {% if current_user and current_user.admin %}
  <button id="nav-publish-btn" class="nav-publish-btn" onclick="navPublishConfig()" style="display:none" title="Publish pending config changes to .hb.yaml">&#9888; Publish Config</button>
  {% endif %}
  <div class="nav-pie" title="Host alert status">
    <canvas id="alert-pie" width="44" height="44"></canvas>
  </div>
@@ -92,5 +95,40 @@
  document.addEventListener('DOMContentLoaded', function() {
    updateAlertPie();
    setInterval(updateAlertPie, 30000);
    navCheckPendingConfig();
    window.addEventListener('storage', navCheckPendingConfig);
  });
  function navCheckPendingConfig() {
    var btn = document.getElementById('nav-publish-btn');
    if (!btn) return;
    btn.style.display = localStorage.getItem('hbd_pending_config') ? '' : 'none';
  }
  async function navPublishConfig() {
    var btn = document.getElementById('nav-publish-btn');
    var pending = localStorage.getItem('hbd_pending_config');
    if (!pending) return;
    var staged;
    try { staged = JSON.parse(pending); } catch(e) { return; }
    if (btn) { btn.disabled = true; btn.textContent = 'Saving…'; }
    try {
      var resp = await fetch('/api/0/config', {
        method: 'POST',
        headers: {'Content-Type': 'application/json'},
        body: pending
      });
      if (resp.ok) {
        localStorage.removeItem('hbd_pending_config');
        window.location.reload();
      } else {
        var err = await resp.json().catch(function() { return {}; });
        alert('Error: ' + (err.error || resp.statusText));
        if (btn) { btn.disabled = false; btn.textContent = '⚠ Publish Config'; }
      }
    } catch(e) {
      alert('Network error: ' + e.message);
      if (btn) { btn.disabled = false; btn.textContent = '⚠ Publish Config'; }
    }
  }
 </script>
@@ -388,6 +388,30 @@
    .container::-webkit-scrollbar-track { background: #f1f1f1; border-radius: 4px; }
    .container::-webkit-scrollbar-thumb { background: #ccc; border-radius: 4px; }
    .container::-webkit-scrollbar-thumb:hover { background: #999; }
    /* ── Host info section ──────────────────────────────────────────────────── */
    .host-info-section {
      padding: 12px 16px;
      background: #fafafa;
      border-bottom: 1px solid #e0e0e0;
      font-size: 0.85em;
    }
    .info-meta {
      display: grid;
      grid-template-columns: max-content 1fr;
      gap: 3px 14px;
      margin-bottom: 10px;
    }
    .info-label { font-weight: 600; color: #555; white-space: nowrap; }
    .info-value { color: #222; }
    .info-thresholds-title {
      font-weight: 600;
      color: #555;
      margin-bottom: 6px;
    }
    .info-note { color: #888; font-style: italic; }
    .info-loading { color: #bbb; font-style: italic; }
    .threshold-covers { font-size: 0.85em; color: #777; font-style: italic; }
  </style>
  <body>
@@ -436,6 +460,9 @@
          </div>
          <div class="host-body">
            <div class="host-info-section" id="info-{{ host.name }}">
              <div class="info-loading">Loading…</div>
            </div>
            {% set plugin_order = ['os_info','cpu_monitor','memory_monitor','disk_monitor','network_monitor','zfs_monitor','nagios_runner','filesystem_info'] %}
            {% for plugin in plugin_order if plugin in host.plugins %}
            <div class="plugin-accordion collapsed"
@@ -488,6 +515,9 @@
      // pluginCache[hostname][pluginName] = { data, timestamp, fetchedAt }
      const pluginCache = {};
      // infoCache[hostname] = info data object from /api/0/hosts/{hostname}/info
      const infoCache = {};
      function setCache(hostname, pluginName, sample) {
        if (!pluginCache[hostname]) pluginCache[hostname] = {};
        pluginCache[hostname][pluginName] = {
@@ -521,6 +551,61 @@
        return json.samples?.[0] ?? null;
      }
      async function fetchHostInfo(hostname) {
        const r = await fetch(`/api/0/hosts/${encodeURIComponent(hostname)}/info`);
        if (!r.ok) throw new Error(`HTTP ${r.status}`);
        return await r.json();
      }
      function renderInfoSection(hostname, data) {
        const el = document.getElementById(`info-${hostname}`);
        if (!el) return;
        const owner    = data.owner ? escHtml(data.owner) : '—';
        const managers = data.managers && data.managers.length
          ? data.managers.map(escHtml).join(', ') : '—';
        const hbcVer  = data.hbc_version ? escHtml(String(data.hbc_version)) : '—';
        const hbcType = data.hbc_type    ? escHtml(String(data.hbc_type))    : '—';
        const lastPkt = data.last_packet != null
          ? new Date(data.last_packet * 1000).toLocaleString() : '—';
        let html = `<div class="info-meta">
          <span class="info-label">Owner</span><span class="info-value">${owner}</span>
          <span class="info-label">Managers</span><span class="info-value">${managers}</span>
          <span class="info-label">Agent Version</span><span class="info-value">${hbcVer}</span>
          <span class="info-label">Agent Type</span><span class="info-value">${hbcType}</span>
          <span class="info-label">Last Packet</span><span class="info-value">${lastPkt}</span>
        </div>`;
        if (data.thresholds === null) {
          html += `<div class="info-note">Threshold alerting not configured.</div>`;
        } else if (data.thresholds.length === 0) {
          html += `<div class="info-note">No thresholds defined.</div>`;
        } else {
          html += `<div class="info-thresholds-title">Effective Thresholds</div>
            <table class="data-table"><thead><tr>
              <th>Metric</th><th>Op</th><th>Warning</th><th>Critical</th>
            </tr></thead><tbody>`;
          for (const t of data.thresholds) {
            const w = t.warning  != null ? escHtml(String(t.warning))  : '—';
            const c = t.critical != null ? escHtml(String(t.critical)) : '—';
            let metricCell = escHtml(t.metric);
            if (t.covers && t.covers.length > 0) {
              metricCell += `<br><span class="threshold-covers">↳ ${t.covers.map(escHtml).join(', ')}</span>`;
            }
            html += `<tr>
              <td class="key">${metricCell}</td>
              <td>${escHtml(t.operator)}</td>
              <td>${w}</td>
              <td>${c}</td>
            </tr>`;
          }
          html += `</tbody></table>`;
        }
        el.innerHTML = html;
      }
      async function fetchHostGlance(hostname) {
        const card = document.querySelector(`.host-card[data-hostname="${hostname}"]`);
        const availablePlugins = (card?.dataset.plugins || '').split(',').filter(Boolean);
@@ -644,8 +729,21 @@
        const card = document.querySelector(`.host-card[data-hostname="${hostname}"]`);
        const wasCollapsed = card.classList.contains('collapsed');
        card.classList.toggle('collapsed');
-        if (wasCollapsed && !pluginCache[hostname]) {
+        if (wasCollapsed) {
-          fetchHostGlance(hostname);
+          if (!pluginCache[hostname]) {
            fetchHostGlance(hostname);
          }
          if (!infoCache[hostname]) {
            const infoEl = document.getElementById(`info-${hostname}`);
            if (infoEl) infoEl.innerHTML = '<div class="info-loading">Loading…</div>';
            fetchHostInfo(hostname).then(data => {
              infoCache[hostname] = data;
              renderInfoSection(hostname, data);
            }).catch(() => {
              const el = document.getElementById(`info-${hostname}`);
              if (el) el.innerHTML = '<div class="info-loading">Could not load host info.</div>';
            });
          }
        }
      }
@@ -794,10 +892,11 @@
      function renderOsInfoTable(d) {
        const ORDER = ['distro_pretty_name','system','release','version','machine',
                       'processor','architecture','node','python_version',
-                       'python_implementation','hbc_version',
+                       'python_implementation',
                       'distro_name','distro_version','distro_id','distro_version_id'];
        const INFO_FIELDS = new Set(['hbc_version', 'hbc_type']);
        const shown = new Set(ORDER);
-        const keys = [...ORDER, ...Object.keys(d).filter(k => !shown.has(k) && !SKIP_FIELDS.has(k))];
+        const keys = [...ORDER, ...Object.keys(d).filter(k => !shown.has(k) && !SKIP_FIELDS.has(k) && !INFO_FIELDS.has(k))];
        let html = '<table class="data-table"><thead><tr><th>Field</th><th>Value</th></tr></thead><tbody>';
        for (const k of keys) {
@@ -1206,9 +1305,12 @@
      // ── Auto-refresh (30 s) ─────────────────────────────────────────────────
      setInterval(() => {
        document.querySelectorAll('.host-card').forEach(card => {
          fetchHostGlance(card.dataset.hostname);
        });
        document.querySelectorAll('.host-card:not(.collapsed)').forEach(card => {
          const hostname = card.dataset.hostname;
          fetchHostGlance(hostname);
          card.querySelectorAll('.plugin-accordion:not(.collapsed)').forEach(acc => {
            const pname = acc.dataset.plugin;
@@ -1228,24 +1330,39 @@
      // ── Init ────────────────────────────────────────────────────────────────
      document.addEventListener('DOMContentLoaded', () => {
-        // If a host fragment is in the URL, expand and scroll to that host;
+        // Fetch glance data for every host immediately so the strip is always populated.
-        // otherwise expand the first host as before.
+        document.querySelectorAll('.host-card').forEach(card => {
          fetchHostGlance(card.dataset.hostname);
        });
        // Expand and load info for the target host (URL hash or first host).
        function expandHost(hostname) {
          const card = document.querySelector(`.host-card[data-hostname="${hostname}"]`);
          if (!card) return false;
          card.classList.remove('collapsed');
          fetchHostInfo(hostname).then(data => {
            infoCache[hostname] = data;
            renderInfoSection(hostname, data);
          }).catch(() => {
            const el = document.getElementById(`info-${hostname}`);
            if (el) el.innerHTML = '<div class="info-loading">Could not load host info.</div>';
          });
          return true;
        }
        const hash = window.location.hash;
        if (hash) {
          const hostname = decodeURIComponent(hash.slice(1));
-          const card = document.querySelector(`.host-card[data-hostname="${hostname}"]`);
+          if (expandHost(hostname)) {
-          if (card) {
+            setTimeout(() => {
-            card.classList.remove('collapsed');
+              const card = document.querySelector(`.host-card[data-hostname="${hostname}"]`);
-            fetchHostGlance(hostname);
+              if (card) card.scrollIntoView({ behavior: 'smooth', block: 'start' });
-            setTimeout(() => card.scrollIntoView({ behavior: 'smooth', block: 'start' }), 150);
+            }, 150);
            return;
          }
        }
        const first = document.querySelector('.host-card');
-        if (first) {
+        if (first) expandHost(first.dataset.hostname);
          first.classList.remove('collapsed');
          fetchHostGlance(first.dataset.hostname);
        }
      });
      // ── Host action helpers ──────────────────────────────────────
@@ -204,6 +204,70 @@
    }
    .channel-name { color: #333; }
    .edit-section { margin-top: 20px; }
    .edit-section h4 { font-size: .88em; font-weight: 600; color: #333; margin: 0 0 10px; text-transform: uppercase; letter-spacing: .04em; border-bottom: 1px solid #eee; padding-bottom: 6px; }
    .edit-field { margin-bottom: 10px; }
    .edit-field label { display: block; font-size: .82em; color: #666; margin-bottom: 3px; }
    .edit-input { width: 100%; border: 1px solid #ccc; border-radius: 4px; padding: 5px 8px; font-size: .88em; box-sizing: border-box; }
    .edit-input:focus { border-color: #0066cc; outline: none; }
    .status-msg { font-size: .82em; margin-left: 8px; }
    .save-row { display: flex; align-items: center; margin-top: 8px; }
    .btn-save { background: #0066cc; color: #fff; border: none; border-radius: 4px; padding: 5px 14px; font-size: .85em; cursor: pointer; }
    .btn-save:hover { background: #0055aa; }
    /* ---- Channel chip picker ---- */
    .ch-picker { }
    .ch-picker-label { font-size: .8em; font-weight: 600; color: #888; text-transform: uppercase; letter-spacing: .04em; margin-bottom: 6px; }
    .ch-chips { display: flex; flex-wrap: wrap; gap: 6px; min-height: 32px; margin-bottom: 10px; }
    .ch-chip {
      display: inline-flex; align-items: center; gap: 5px;
      padding: 4px 10px; border-radius: 14px; font-size: .85em; font-weight: 500; cursor: pointer;
      border: none; font-family: inherit;
    }
    .ch-chip.selected { background: #e3f2fd; color: #1565c0; }
    .ch-chip.selected:hover { background: #bbdefb; }
    .ch-chip.available { background: #f1f3f4; color: #555; }
    .ch-chip.available:hover { background: #e8eaf6; color: #283593; }
    .ch-chip-x { font-size: .9em; line-height: 1; color: inherit; opacity: .7; }
    /* ---- My Channels card list ---- */
    .my-ch-card {
      border: 1px solid #e8eaf6; border-radius: 6px; margin-bottom: 8px; overflow: hidden;
    }
    .my-ch-header {
      display: flex; align-items: center; gap: 8px; padding: 8px 12px;
      background: #f8f9ff; border-bottom: 1px solid #e8eaf6;
    }
    .my-ch-name { font-weight: 600; font-size: .9em; color: #222; }
    .my-ch-type { padding: 2px 7px; border-radius: 8px; font-size: .72em; font-weight: 600; background: #e8eaf6; color: #3949ab; }
    .my-ch-private { padding: 2px 7px; border-radius: 8px; font-size: .72em; font-weight: 600; background: #fce4ec; color: #c62828; }
    .my-ch-actions { margin-left: auto; display: flex; gap: 5px; }
    .btn-sm-edit { background: #888; color: #fff; border: none; border-radius: 4px; padding: 2px 8px; font-size: .78em; cursor: pointer; }
    .btn-sm-edit:hover { background: #666; }
    .btn-sm-del { background: transparent; color: #c62828; border: 1px solid #e0e0e0; border-radius: 4px; padding: 2px 7px; font-size: .78em; cursor: pointer; }
    .btn-sm-del:hover { background: #fce4ec; }
    /* ---- Channel modal (for My Channels CRUD) ---- */
    .ch-modal-overlay {
      position: fixed; inset: 0; background: rgba(0,0,0,.4);
      display: flex; align-items: center; justify-content: center; z-index: 1001;
    }
    .ch-modal-box {
      background: #fff; border-radius: 8px; padding: 24px;
      min-width: 360px; max-width: 520px; width: 95%;
      box-shadow: 0 8px 32px rgba(0,0,0,.2);
    }
    .ch-modal-box h3 { margin: 0 0 16px; font-size: 1em; }
    .ch-form-row { margin-bottom: 12px; }
    .ch-form-row label { display: block; font-size: .83em; font-weight: 600; color: #555; margin-bottom: 3px; }
    .ch-form-row input[type=text], .ch-form-row input[type=password], .ch-form-row select {
      width: 100%; border: 1px solid #ccc; border-radius: 4px; padding: 5px 8px;
      font-size: .88em; box-sizing: border-box; font-family: inherit;
    }
    .ch-form-row input:focus, .ch-form-row select:focus { border-color: #0066cc; outline: none; }
    .ch-form-divider { font-size: .78em; font-weight: 700; text-transform: uppercase; letter-spacing: .05em; color: #888; margin: 14px 0 8px; border-top: 1px solid #eee; padding-top: 10px; }
    .ch-modal-footer { display: flex; justify-content: flex-end; gap: 8px; margin-top: 18px; }
    .ch-modal-status { font-size: .83em; margin-top: 8px; }
  </style>
  <body>
@@ -266,21 +330,153 @@
        </div>
      </div>
-      <!-- Notification channels -->
+      {% if current_user %}
      <!-- ---- Editable identity ---- -->
      <div class="section edit-section">
        <h4>Identity</h4>
        <div class="edit-field">
          <label for="profile-fullname">Display name</label>
          <input id="profile-fullname" class="edit-input" type="text" value="{{ current_user.full_name | e }}" placeholder="Full name">
        </div>
        <div class="edit-field">
          <label for="profile-avatar">Avatar URL or path</label>
          <input id="profile-avatar" class="edit-input" type="text" value="{{ current_user.avatar | e }}" placeholder="/path/to/avatar.png or https://…">
        </div>
        <div class="save-row">
          <button class="btn-save" onclick="saveIdentity()">Save</button>
          <span id="identity-status" class="status-msg"></span>
        </div>
      </div>
      <!-- ---- Change password ---- -->
      <div class="section edit-section">
        <h4>Change password</h4>
        <div class="edit-field">
          <label for="profile-current-pw">Current password</label>
          <input id="profile-current-pw" class="edit-input" type="password" autocomplete="current-password">
        </div>
        <div class="edit-field">
          <label for="profile-new-pw">New password</label>
          <input id="profile-new-pw" class="edit-input" type="password" autocomplete="new-password">
        </div>
        <div class="save-row">
          <button class="btn-save" onclick="changePassword()">Change password</button>
          <span id="password-status" class="status-msg"></span>
        </div>
      </div>
      {% endif %}
      <!-- Notification channels — chip picker -->
      <div class="section">
        <h2>Notification Channels</h2>
-        {% if notification_channels %}
+        {% if current_user %}
-        {% for ch in notification_channels %}
+        <p style="font-size:.82em;color:#888;margin:0 0 12px">Click a channel to add or remove it from your alert list.</p>
-        <div class="channel-row">
+        {% if all_channels %}
-          <span class="channel-type">{{ ch.type }}</span>
+        <div class="ch-picker">
-          <span class="channel-name">{{ ch.name }}</span>
+          <div class="ch-picker-label">Selected</div>
          <div id="selected-chips" class="ch-chips">
            {% for ch in all_channels %}
            {% if ch.name in (current_user.notification_channels or []) %}
            <button class="ch-chip selected" data-ch="{{ ch.name | e }}" onclick="toggleChip(this)">
              {{ ch.name | e }} <span class="ch-chip-x">×</span>
            </button>
            {% endif %}
            {% endfor %}
            {% set selected_set = current_user.notification_channels or [] %}
            {% set has_selected = selected_set | length > 0 %}
            {% if not has_selected %}
            <span style="font-size:.83em;color:#bbb;font-style:italic;align-self:center">None selected</span>
            {% endif %}
          </div>
          <div class="ch-picker-label">Available</div>
          <div id="available-chips" class="ch-chips">
            {% for ch in all_channels %}
            {% if ch.name not in (current_user.notification_channels or []) %}
            <button class="ch-chip available" data-ch="{{ ch.name | e }}" onclick="toggleChip(this)">
              + {{ ch.name | e }}
            </button>
            {% endif %}
            {% endfor %}
          </div>
        </div>
        {% endfor %}
        {% else %}
-        <span class="no-hosts">No personal notification channels configured.</span>
+        <p style="font-size:.83em;color:#bbb;font-style:italic">No notification channels available. You can create your own below.</p>
        {% endif %}
        <div class="save-row">
          <button class="btn-save" onclick="saveChannels()">Save channels</button>
          <span id="channels-status" class="status-msg"></span>
        </div>
        {% else %}
        <span class="no-hosts">Log in to manage notification channels.</span>
        {% endif %}
      </div>
      <!-- My Channels — create/edit/delete own channels -->
      {% if current_user %}
      <div class="section">
        <h2>My Channels</h2>
        <p style="font-size:.82em;color:#888;margin:0 0 12px">Channels you own. Public channels are available to all users; private channels are visible only to you.</p>
        <div id="my-channels-list">
          {% set my_channels = all_channels | selectattr('owner', 'equalto', current_user.username) | list %}
          {% for ch in my_channels %}
          <div class="my-ch-card" id="mychcard-{{ ch.name | e }}">
            <div class="my-ch-header">
              <span class="my-ch-name">{{ ch.name | e }}</span>
              <span class="my-ch-type">{{ ch.type | e }}</span>
              {% if ch.private %}<span class="my-ch-private">private</span>{% endif %}
              <span class="my-ch-actions">
                <button class="btn-sm-edit" onclick="openMyChModal('{{ ch.name | e }}')">Edit</button>
                <button class="btn-sm-del" onclick="deleteMyChannel('{{ ch.name | e }}')">✕</button>
              </span>
            </div>
          </div>
          {% endfor %}
          {% if not my_channels %}
          <p id="my-channels-empty" style="font-size:.83em;color:#bbb;font-style:italic">No channels yet.</p>
          {% endif %}
        </div>
        <div class="save-row" style="margin-top:8px">
          <button class="btn-save" onclick="openMyChModal()">+ New channel</button>
        </div>
      </div>
      <!-- My Channels modal -->
      <div id="my-ch-modal" class="ch-modal-overlay" style="display:none" onclick="if(event.target===this)closeMyChModal()">
        <div class="ch-modal-box">
          <h3 id="my-ch-modal-title">New Channel</h3>
          <div class="ch-form-row">
            <label>Channel name</label>
            <input type="text" id="my-ch-name" placeholder="e.g. my_pushover" autocomplete="off">
          </div>
          <div class="ch-form-row">
            <label>Type</label>
            <select id="my-ch-type" onchange="onMyChTypeChange()">
              <option value="">— select —</option>
            </select>
          </div>
          <div id="my-ch-type-fields"></div>
          <div class="ch-form-divider">Options</div>
          <div class="ch-form-row">
            <label>Minimum alert level</label>
            <select id="my-ch-min-level">
              <option value="WARNING">WARNING (and above)</option>
              <option value="CRITICAL">CRITICAL only</option>
            </select>
          </div>
          <div class="ch-form-row">
            <label style="display:flex;align-items:center;gap:6px;cursor:pointer">
              <input type="checkbox" id="my-ch-private"> Private — visible only to you
            </label>
          </div>
          <div id="my-ch-modal-status" class="ch-modal-status"></div>
          <div class="ch-modal-footer">
            <button class="btn-save" style="background:#888" onclick="closeMyChModal()">Cancel</button>
            <button class="btn-save" onclick="saveMyChannel()">Save</button>
          </div>
        </div>
      </div>
      {% endif %}
      <!-- Host access -->
      <div class="section">
        <h2>Host Access</h2>
@@ -326,5 +522,236 @@
      </div>
    </div>
    <script>
      // ---- Identity ----
      async function saveIdentity() {
        const full_name = document.getElementById('profile-fullname').value;
        const avatar = document.getElementById('profile-avatar').value;
        const resp = await fetch('/api/0/users/me', {
          method: 'PUT',
          headers: {'Content-Type': 'application/json'},
          body: JSON.stringify({full_name, avatar}),
        });
        if (resp.ok) {
          showStatus('identity-status', 'Saved', '#2e7d32');
        } else {
          const err = await resp.json().catch(() => ({}));
          showStatus('identity-status', err.error || 'Error saving', '#c62828');
        }
      }
      // ---- Password ----
      async function changePassword() {
        const current = document.getElementById('profile-current-pw').value;
        const newpw = document.getElementById('profile-new-pw').value;
        if (!current || !newpw) {
          showStatus('password-status', 'Both fields are required', '#c62828');
          return;
        }
        const resp = await fetch('/api/0/users/me', {
          method: 'PUT',
          headers: {'Content-Type': 'application/json'},
          body: JSON.stringify({password: {current, new: newpw}}),
        });
        if (resp.ok) {
          document.getElementById('profile-current-pw').value = '';
          document.getElementById('profile-new-pw').value = '';
          showStatus('password-status', 'Password changed', '#2e7d32');
        } else {
          const err = await resp.json().catch(() => ({}));
          showStatus('password-status', err.error || 'Error', '#c62828');
        }
      }
      // ---- Channel chip picker ----
      function toggleChip(btn) {
        const name = btn.dataset.ch;
        const isSelected = btn.classList.contains('selected');
        if (isSelected) {
          // Move to available
          btn.classList.remove('selected');
          btn.classList.add('available');
          btn.innerHTML = '+ ' + escHtml(name);
          btn.onclick = function() { toggleChip(this); };
          document.getElementById('available-chips').appendChild(btn);
          // Remove "None selected" placeholder if it exists
        } else {
          // Move to selected
          btn.classList.remove('available');
          btn.classList.add('selected');
          btn.innerHTML = escHtml(name) + ' <span class="ch-chip-x">×</span>';
          btn.onclick = function() { toggleChip(this); };
          document.getElementById('selected-chips').appendChild(btn);
        }
        // Update placeholder visibility
        const sel = document.getElementById('selected-chips');
        const placeholder = sel.querySelector('span[style]');
        const hasChips = sel.querySelectorAll('.ch-chip.selected').length > 0;
        if (placeholder) placeholder.style.display = hasChips ? 'none' : '';
      }
      async function saveChannels() {
        const notification_channels = [
          ...document.querySelectorAll('#selected-chips .ch-chip.selected')
        ].map(b => b.dataset.ch);
        const resp = await fetch('/api/0/users/me', {
          method: 'PUT',
          headers: {'Content-Type': 'application/json'},
          body: JSON.stringify({notification_channels}),
        });
        if (resp.ok) {
          showStatus('channels-status', 'Saved', '#2e7d32');
        } else {
          const err = await resp.json().catch(() => ({}));
          showStatus('channels-status', err.error || 'Error saving', '#c62828');
        }
      }
      // ---- My Channels CRUD ----
      let _myChSchemas = {};
      let _myChEditName = null;
      async function _loadMyChSchemas() {
        try {
          const r = await fetch('/api/0/notification_channel_types');
          _myChSchemas = await r.json();
          const sel = document.getElementById('my-ch-type');
          if (!sel) return;
          Object.entries(_myChSchemas).forEach(([k, v]) => {
            const opt = document.createElement('option');
            opt.value = k; opt.textContent = v.label;
            sel.appendChild(opt);
          });
        } catch(e) { console.warn('Could not load channel schemas', e); }
      }
      function onMyChTypeChange() {
        const type = document.getElementById('my-ch-type').value;
        const container = document.getElementById('my-ch-type-fields');
        container.innerHTML = '';
        if (!type || !_myChSchemas[type]) return;
        const divider = document.createElement('div');
        divider.className = 'ch-form-divider';
        divider.textContent = _myChSchemas[type].label + ' settings';
        container.appendChild(divider);
        (_myChSchemas[type].fields || []).forEach(sf => {
          const row = document.createElement('div');
          row.className = 'ch-form-row';
          const lbl = document.createElement('label');
          lbl.textContent = sf.label + (sf.required ? ' *' : '');
          const inp = document.createElement('input');
          inp.type = sf.type === 'secret' ? 'password' : 'text';
          inp.id = 'mychf-' + sf.key;
          inp.placeholder = sf.required ? '(required)' : '(optional)';
          inp.autocomplete = 'off';
          row.appendChild(lbl);
          row.appendChild(inp);
          container.appendChild(row);
        });
      }
      async function openMyChModal(name) {
        _myChEditName = name || null;
        document.getElementById('my-ch-modal-status').textContent = '';
        document.getElementById('my-ch-modal-title').textContent = name ? 'Edit Channel' : 'New Channel';
        document.getElementById('my-ch-name').value = name || '';
        document.getElementById('my-ch-name').disabled = !!name;
        document.getElementById('my-ch-type').value = '';
        document.getElementById('my-ch-type-fields').innerHTML = '';
        document.getElementById('my-ch-min-level').value = 'WARNING';
        document.getElementById('my-ch-private').checked = false;
        if (name) {
          try {
            const r = await fetch('/api/0/notification_channels');
            const channels = await r.json();
            const ch = channels.find(c => c.name === name);
            if (ch) {
              document.getElementById('my-ch-type').value = ch.type;
              onMyChTypeChange();
              document.getElementById('my-ch-min-level').value = ch.min_level || 'WARNING';
              document.getElementById('my-ch-private').checked = ch.private || false;
              (ch.fields || []).forEach(f => {
                const inp = document.getElementById('mychf-' + f.key);
                if (inp) inp.value = f.value || '';
              });
            }
          } catch(e) { console.warn('Failed to load channel', e); }
        }
        document.getElementById('my-ch-modal').style.display = 'flex';
      }
      function closeMyChModal() {
        document.getElementById('my-ch-modal').style.display = 'none';
      }
      async function saveMyChannel() {
        const name = document.getElementById('my-ch-name').value.trim();
        const type = document.getElementById('my-ch-type').value;
        const minLevel = document.getElementById('my-ch-min-level').value;
        const isPrivate = document.getElementById('my-ch-private').checked;
        const statusEl = document.getElementById('my-ch-modal-status');
        statusEl.textContent = '';
        if (!name) { statusEl.textContent = 'Name is required.'; statusEl.style.color = '#c62828'; return; }
        if (!type) { statusEl.textContent = 'Please select a type.'; statusEl.style.color = '#c62828'; return; }
        const body = { name, type, min_level: minLevel, private: isPrivate };
        if (_myChSchemas[type]) {
          (_myChSchemas[type].fields || []).forEach(sf => {
            const inp = document.getElementById('mychf-' + sf.key);
            if (inp) body[sf.key] = inp.value;
          });
        }
        const isEdit = !!_myChEditName;
        const url = isEdit
          ? '/api/0/notification_channels/' + encodeURIComponent(_myChEditName)
          : '/api/0/notification_channels';
        const method = isEdit ? 'PUT' : 'POST';
        try {
          const r = await fetch(url, { method, headers: {'Content-Type': 'application/json'}, body: JSON.stringify(body) });
          if (r.ok) {
            closeMyChModal();
            window.location.reload();
          } else {
            const err = await r.json().catch(() => ({}));
            statusEl.textContent = err.error || 'Error saving.';
            statusEl.style.color = '#c62828';
          }
        } catch(e) {
          statusEl.textContent = 'Network error: ' + e.message;
          statusEl.style.color = '#c62828';
        }
      }
      async function deleteMyChannel(name) {
        if (!confirm('Delete channel "' + name + '"?')) return;
        try {
          const r = await fetch('/api/0/notification_channels/' + encodeURIComponent(name), { method: 'DELETE' });
          if (r.ok) {
            window.location.reload();
          } else {
            const err = await r.json().catch(() => ({}));
            alert('Error: ' + (err.error || 'Could not delete.'));
          }
        } catch(e) { alert('Network error: ' + e.message); }
      }
      // ---- Utilities ----
      function showStatus(id, msg, color) {
        const el = document.getElementById(id);
        if (!el) return;
        el.textContent = msg;
        el.style.color = color;
        setTimeout(() => { el.textContent = ''; }, 3000);
      }
      function escHtml(s) {
        return String(s).replace(/&/g,'&amp;').replace(/</g,'&lt;').replace(/>/g,'&gt;').replace(/"/g,'&quot;');
      }
      document.addEventListener('DOMContentLoaded', _loadMyChSchemas);
    </script>
  </body>
 </html>
@@ -492,7 +492,27 @@ class ThresholdChecker:
            raw_overrides: Dict[str, ThresholdConfig] = {}
            thresholds_config = config_data["thresholds"]
            for plugin_name, plugin_thresholds in thresholds_config.items():
-                if isinstance(plugin_thresholds, dict):
+                if not isinstance(plugin_thresholds, dict):
                    continue
                plugin_enabled = plugin_thresholds.get('enabled', plugin_thresholds.get('enable', True))
                if not plugin_enabled:
                    # raw_overrides is empty at this point so there's nothing to delete.
                    # Instead, inject disabled stubs for every matching effective_default so
                    # the merge step overwrites the inherited defaults.
                    for key, tc in effective_defaults.items():
                        if key.startswith(f"{plugin_name}."):
                            raw_overrides[key] = ThresholdConfig(
                                metric_path=key,
                                warning=tc.warning,
                                critical=tc.critical,
                                operator=tc.operator.value,
                                enabled=False,
                            )
                    logger.info(
                        "Plugin-level disable in config '%s': disabled all thresholds for %s",
                        config_name, plugin_name,
                    )
                else:
                    self._parse_plugin_thresholds(plugin_name, plugin_thresholds, target_dict=raw_overrides)
            self.threshold_raw_configs[config_name] = raw_overrides
@@ -570,7 +590,16 @@ class ThresholdChecker:
        if plugin_name == "rtt":
            self._parse_rtt_thresholds(thresholds, target_dict)
            return
-        
+
        # Plugin-level enabled: false (also accept 'enable' as a common typo) removes all
        # thresholds for this plugin — e.g. memory_monitor: {enabled: false}.
        plugin_enabled = thresholds.get('enabled', thresholds.get('enable', True))
        if not plugin_enabled:
            for key in [k for k in target_dict if k.startswith(f"{plugin_name}.")]:
                del target_dict[key]
            logger.info("Plugin-level disable: removed all thresholds for %s", plugin_name)
            return
        for metric_name, threshold_config in thresholds.items():
            if not isinstance(threshold_config, dict):
                continue
@@ -1389,6 +1418,9 @@ class ThresholdChecker:
                    host_name, lvl, message, metric_path, AlertLevel.OK, alert_state.level, value
                )
                alert_state.pending_since = None
                now = time.time()
                alert_state.last_notification = now
                alert_state.notification_count = 1
            # else: still within grace window, do nothing
        else:
            self._check_renotify(host_name, alert_state, metric_path, value, threshold, plugin_data, check_name=check_name, metric_name=metric_name)
@@ -1497,7 +1529,16 @@ class ThresholdChecker:
            if not host.alert_states:
                continue
            configured = self.get_thresholds_for_host(hostname)
-            stale = [mp for mp in host.alert_states if self._find_threshold(configured, mp)[0] is None]
+            stale = []
            for mp in host.alert_states:
                if self._find_threshold(configured, mp)[0] is not None:
                    continue
                # Also match wildcard pool/partition thresholds (e.g. "zfs_monitor.*.status"
                # covers alert state "zfs_monitor.tank.status").
                parts = mp.split(".")
                if len(parts) == 3 and f"{parts[0]}.*.{parts[2]}" in configured:
                    continue
                stale.append(mp)
            for mp in stale:
                logger.info(
                    "Purging stale alert state for %s / %s (no threshold configured)",
@@ -377,7 +377,7 @@ def handle_datagram(msg: dict, addr, transport, ctx: dict):
                default_owner = config_mod.get_default_owner(cfg)
                inferred_owner = plugin_data.get("owner", config_owner or default_owner)    
                host.owner = inferred_owner
-                logger.info(f"owner for {uname} is '{host.owner}")
+                logger.info(f"owner for {uname} is {host.owner}")
            if DEBUG > 1:
                print(f"Stored plugin data for {uname}: {plugin_name}")
@@ -4,7 +4,7 @@ build-backend = "setuptools.build_meta"
 [project]
 name = "hbd"
-version = "5.2.6"
+version = "5.3.4"
 description = "Heartbeat monitoring system — client (hbc) and server (hbd)"
 readme = "README.md"
 requires-python = ">=3.11"
@@ -32,6 +32,7 @@ server = [
  "aiohttp>=3.11",
  "Jinja2>=3.1.6",
  "matrix-nio>=0.24",
  "ruamel.yaml>=0.18",
 ]
 # Minimal client — hbc_mini only, no external dependencies
@@ -1264,6 +1264,8 @@ static void usage(const char *prog) {
        "  -c FILE     Config file (JSON)\n"
        "  -m MSG      Send one-shot message\n"
        "  -n NAME     Override hostname\n"
        "  -4          Use IPv4 only\n"
        "  -6          Use IPv6 only\n"
        "  -d          Daemonize\n"
        "  -v          Verbose (info)\n"
        "  -x          Debug\n"
@@ -1276,9 +1278,10 @@ int main(int argc, char **argv) {
    const char *cfgpath   = NULL;
    const char *message   = NULL;
    const char *nameov    = NULL;
    int         af_filter = 0;
    int opt;
-    while ((opt = getopt(argc, argv, "bc:m:n:dvxh")) != -1) {
+    while ((opt = getopt(argc, argv, "bc:m:n:dvxh46")) != -1) {
        switch (opt) {
        case 'b': do_boot   = true;   break;
        case 'c': cfgpath   = optarg; break;
@@ -1287,6 +1290,8 @@ int main(int argc, char **argv) {
        case 'd': do_daemon = true;   break;
        case 'v': g_log_level = LL_INFO;  break;
        case 'x': g_log_level = LL_DEBUG; break;
        case '4': af_filter = AF_INET;  break;
        case '6': af_filter = AF_INET6; break;
        case 'h': usage(argv[0]); return 0;
        default:  usage(argv[0]); return 1;
        }
@@ -1313,37 +1318,46 @@ int main(int argc, char **argv) {
        char *dot = strchr(iam, '.'); if (dot) *dot = '\0';
    }
    int conn_id = 1;
    for (int i = 0; i < nhost; i++) {
        struct addrinfo hints = {0}, *res = NULL;
        hints.ai_socktype = SOCK_DGRAM;
        hints.ai_protocol = IPPROTO_UDP;
        char ps[16]; snprintf(ps, sizeof(ps), "%d", cfg.hb_port);
        if (getaddrinfo(hosts[i], ps, &hints, &res) != 0) {
            LOGE("cannot resolve %s", hosts[i]); continue;
        }
        for (struct addrinfo *ai = res; ai && g_nconns < MAX_HOSTS; ai = ai->ai_next) {
            conn_t *c = &g_conns[g_nconns];
            memset(c, 0, sizeof(*c));
            c->conn_id = conn_id++; c->port = cfg.hb_port;
            c->af = ai->ai_family; c->sockfd = -1;
            snprintf(c->name, sizeof(c->name), "%s", iam);
            void *addr = (ai->ai_family == AF_INET)
                ? (void *)&((struct sockaddr_in  *)ai->ai_addr)->sin_addr
                : (void *)&((struct sockaddr_in6 *)ai->ai_addr)->sin6_addr;
            inet_ntop(ai->ai_family, addr, c->addr, sizeof(c->addr));
            if (conn_open(c)) { g_nconns++; LOGI("connected to %s", c->addr); }
        }
        freeaddrinfo(res);
    }
    if (!g_nconns) { LOGE("no connections established"); return 1; }
    struct sigaction sa = {0};
    sa.sa_handler = sig_handler;
    sigaction(SIGTERM, &sa, NULL);
    sigaction(SIGINT,  &sa, NULL);
    sigaction(SIGHUP,  &sa, NULL);
    int conn_id = 1;
    int retry_delay = 5;
    while (g_running && !g_nconns) {
        for (int i = 0; i < nhost; i++) {
            struct addrinfo hints = {0}, *res = NULL;
            hints.ai_socktype = SOCK_DGRAM;
            hints.ai_protocol = IPPROTO_UDP;
            hints.ai_family   = af_filter;
            char ps[16]; snprintf(ps, sizeof(ps), "%d", cfg.hb_port);
            if (getaddrinfo(hosts[i], ps, &hints, &res) != 0) {
                LOGW("cannot resolve %s — retrying in %ds", hosts[i], retry_delay);
                continue;
            }
            for (struct addrinfo *ai = res; ai && g_nconns < MAX_HOSTS; ai = ai->ai_next) {
                conn_t *c = &g_conns[g_nconns];
                memset(c, 0, sizeof(*c));
                c->conn_id = conn_id++; c->port = cfg.hb_port;
                c->af = ai->ai_family; c->sockfd = -1;
                snprintf(c->name, sizeof(c->name), "%s", iam);
                void *addr = (ai->ai_family == AF_INET)
                    ? (void *)&((struct sockaddr_in  *)ai->ai_addr)->sin_addr
                    : (void *)&((struct sockaddr_in6 *)ai->ai_addr)->sin6_addr;
                inet_ntop(ai->ai_family, addr, c->addr, sizeof(c->addr));
                if (conn_open(c)) { g_nconns++; LOGI("connected to %s", c->addr); }
            }
            freeaddrinfo(res);
        }
        if (!g_nconns) {
            sleep(retry_delay);
            if (retry_delay < 60) retry_delay *= 2;
        }
    }
    if (!g_nconns) return 1;
    conn_t *primary = &g_conns[0];
    LOGI("hbc_mini-c %s on %s -> %s port=%d interval=%ds",
         HBC_VERSION, iam, hosts[0], cfg.hb_port, cfg.interval);
@@ -41,7 +41,7 @@ from pathlib import Path
 from typing import Any, Dict, List, Optional, Tuple
 # updated by scripts/bumpminor.sh
-__version__ = "5.2.6"
+__version__ = "5.3.4"
 # ---------------------------------------------------------------------------
 # Protocol  (mirrors hbd/common/proto.py)
@@ -1059,22 +1059,30 @@ async def _async_main(args, cfg: Dict[str, Any]) -> int:
    log.info("hbc_mini %s on %s -> %s port=%d interval=%ds",__version__, iam, args.hosts, port, interval)
    af_filter = (socket.AF_INET if getattr(args, "ipv4_only", False)
                 else socket.AF_INET6 if getattr(args, "ipv6_only", False)
                 else 0)
    connections: List[AsyncConnection] = []
    conn_id = 1
-    for host in args.hosts:
+    _retry_delay = 5
-        try:
+    while _running and not connections:
-            addrs = socket.getaddrinfo(host, port, 0, 0, socket.SOL_UDP)
+        for host in args.hosts:
-        except socket.gaierror as e:
+            try:
-            log.error("cannot resolve %s: %s", host, e)
+                addrs = socket.getaddrinfo(host, port, af_filter, 0, socket.SOL_UDP)
-            continue
+            except socket.gaierror as e:
-        for ai in addrs:
+                log.warning("cannot resolve %s: %s — retrying in %ds", host, e, _retry_delay)
-            conn = AsyncConnection(conn_id, ai[4][0], port, ai[0], iam)
+                continue
-            if await conn.open():
+            for ai in addrs:
-                connections.append(conn)
+                conn = AsyncConnection(conn_id, ai[4][0], port, ai[0], iam)
-                conn_id += 1
+                if await conn.open():
                    connections.append(conn)
                    conn_id += 1
        if not connections:
            await _sleep(_retry_delay)
            _retry_delay = min(_retry_delay * 2, 60)
    if not connections:
        log.error("no connections established")
        return 1
    # Boot / one-shot message
@@ -1153,6 +1161,9 @@ def main(argv=None):
    parser.add_argument("-d", "--daemon", action="store_true", help="Run as daemon")
    parser.add_argument("-v", "--verbose", action="store_true", help="Verbose output")
    parser.add_argument("-x", "--debug", action="count", default=0, help="Debug level")
    af_group = parser.add_mutually_exclusive_group()
    af_group.add_argument("-4", dest="ipv4_only", action="store_true", help="Use IPv4 only")
    af_group.add_argument("-6", dest="ipv6_only", action="store_true", help="Use IPv6 only")
    parser.add_argument("hosts", nargs="+", help="HBD server(s)")
    args = parser.parse_args(argv)
@@ -0,0 +1,162 @@
 import glob
 import os
 import pytest
 from hbd.server import configio
 SAMPLE_YAML = """\
 # Server configuration
 hbd_port: 50004  # HTTP API port
 interval: 20
 users:
  alice:
    full_name: Alice Smith
    admin: true
 notification_channels:
  pushover_ops:
    type: pushover
    token: abc123
 """
 def test_read_roundtrip_loads_values(tmp_path):
    f = tmp_path / ".hb.yaml"
    f.write_text(SAMPLE_YAML)
    data = configio.read_roundtrip(str(f))
    assert data["hbd_port"] == 50004
    assert data["interval"] == 20
    assert data["users"]["alice"]["full_name"] == "Alice Smith"
 def test_write_config_creates_backup(tmp_path):
    f = tmp_path / ".hb.yaml"
    f.write_text(SAMPLE_YAML)
    data = configio.read_roundtrip(str(f))
    data["interval"] = 30
    configio.write_config(str(f), data)
    backups = configio.list_backups(str(f))
    assert len(backups) == 1
    assert ".bak." in backups[0]
 def test_write_config_preserves_comments(tmp_path):
    f = tmp_path / ".hb.yaml"
    f.write_text(SAMPLE_YAML)
    data = configio.read_roundtrip(str(f))
    data["interval"] = 30
    configio.write_config(str(f), data)
    content = f.read_text()
    assert "# Server configuration" in content
    assert "# HTTP API port" in content
 def test_write_config_atomically_replaces_file(tmp_path):
    f = tmp_path / ".hb.yaml"
    f.write_text(SAMPLE_YAML)
    data = configio.read_roundtrip(str(f))
    data["interval"] = 99
    configio.write_config(str(f), data)
    assert not (tmp_path / ".hb.yaml.tmp").exists()
    data2 = configio.read_roundtrip(str(f))
    assert data2["interval"] == 99
 def test_write_config_backup_rotation(tmp_path):
    cfg = tmp_path / ".hb.yaml"
    cfg.write_text(SAMPLE_YAML)
    # Pre-create 10 existing backups with old timestamps
    for i in range(10):
        (tmp_path / f".hb.yaml.bak.20260101-{i:06d}").write_text("old")
    data = configio.read_roundtrip(str(cfg))
    configio.write_config(str(cfg), data)
    backups = configio.list_backups(str(cfg))
    assert len(backups) == 10
    assert not (tmp_path / ".hb.yaml.bak.20260101-000000").exists()
 def test_list_backups_newest_first(tmp_path):
    cfg = tmp_path / ".hb.yaml"
    cfg.write_text(SAMPLE_YAML)
    for i in range(3):
        (tmp_path / f".hb.yaml.bak.20260101-{i:02d}0000").write_text("b")
    backups = configio.list_backups(str(cfg))
    assert len(backups) == 3
    assert backups == sorted(backups, reverse=True)
 def test_apply_structured_section_server_updates_keys(tmp_path):
    f = tmp_path / ".hb.yaml"
    f.write_text(SAMPLE_YAML)
    data = configio.read_roundtrip(str(f))
    configio.apply_structured_section(data, "server", {"interval": 60, "hbd_port": 8080})
    assert data["interval"] == 60
    assert data["hbd_port"] == 8080
 def test_apply_structured_section_server_ignores_unknown_keys(tmp_path):
    f = tmp_path / ".hb.yaml"
    f.write_text(SAMPLE_YAML)
    data = configio.read_roundtrip(str(f))
    configio.apply_structured_section(data, "server", {"interval": 60, "not_a_key": "x"})
    assert "not_a_key" not in data
 def test_apply_structured_section_users_replaces_dict(tmp_path):
    f = tmp_path / ".hb.yaml"
    f.write_text(SAMPLE_YAML)
    data = configio.read_roundtrip(str(f))
    new_users = {"bob": {"full_name": "Bob Jones", "admin": False}}
    configio.apply_structured_section(data, "users", new_users)
    assert "alice" not in data["users"]
    assert data["users"]["bob"]["full_name"] == "Bob Jones"
 def test_apply_yaml_section_notification_channels(tmp_path):
    f = tmp_path / ".hb.yaml"
    f.write_text(SAMPLE_YAML)
    data = configio.read_roundtrip(str(f))
    new_yaml = "email_ops:\n  type: email\n  recipients: [ops@example.com]\n"
    configio.apply_yaml_section(data, "notification_channels", new_yaml)
    assert "email_ops" in data["notification_channels"]
    assert "pushover_ops" not in data["notification_channels"]
 def test_apply_yaml_section_thresholds_maps_to_threshold_configs(tmp_path):
    f = tmp_path / ".hb.yaml"
    f.write_text(SAMPLE_YAML)
    data = configio.read_roundtrip(str(f))
    configio.apply_yaml_section(data, "thresholds", "default:\n  cpu: 80\n")
    assert "threshold_configs" in data
    assert data["threshold_configs"]["default"]["cpu"] == 80
 def test_apply_yaml_section_dns_replaces_each_key(tmp_path):
    f = tmp_path / ".hb.yaml"
    f.write_text(SAMPLE_YAML)
    data = configio.read_roundtrip(str(f))
    configio.apply_yaml_section(
        data, "dns",
        "nsupdate_bin: /usr/bin/nsupdate\ndyndomains: [dyn.example.com]\n"
    )
    assert data["nsupdate_bin"] == "/usr/bin/nsupdate"
    assert data["dyndomains"] == ["dyn.example.com"]
 def test_apply_yaml_section_unknown_raises(tmp_path):
    f = tmp_path / ".hb.yaml"
    f.write_text(SAMPLE_YAML)
    data = configio.read_roundtrip(str(f))
    with pytest.raises(ValueError, match="Unknown YAML section"):
        configio.apply_yaml_section(data, "nope", "x: 1\n")
 def test_apply_structured_section_unknown_raises(tmp_path):
    f = tmp_path / ".hb.yaml"
    f.write_text(SAMPLE_YAML)
    data = configio.read_roundtrip(str(f))
    with pytest.raises(ValueError, match="Unknown structured section"):
        configio.apply_structured_section(data, "nope", {"x": 1})
 def test_read_roundtrip_missing_file_raises(tmp_path):
    with pytest.raises(FileNotFoundError):
        configio.read_roundtrip(str(tmp_path / "nonexistent.yaml"))
@@ -20,7 +20,7 @@ def test_handle_cmd_sends_command():
    import hbdclass
    ctx = {
-        "config": {"watchhosts": [], "dyndnshosts": []},
+        "config": {"watchhosts": []},
        "hbdclass": hbdclass,
        "log": dummy_noop,
        "email": dummy_noop,
@@ -0,0 +1,173 @@
 """Tests for the config read/write API helpers in http.py."""
 import pytest
 from hbd.server import http
 def test_mask_config_for_api_masks_user_passwords():
    config = {
        "hbd_port": 50004,
        "interval": 20,
        "users": {
            "alice": {"full_name": "Alice", "admin": True, "password": "pbkdf2:sha256:abc"},
        },
        "oauth": {},
    }
    result = http._mask_config_for_api(config)
    assert result["users"]["alice"]["password"] == "•••"
    assert result["users"]["alice"]["full_name"] == "Alice"
 def test_mask_config_for_api_masks_oauth_client_secret():
    config = {
        "hbd_port": 50004,
        "interval": 20,
        "users": {},
        "oauth": {
            "gitea": {"type": "gitea", "url": "https://git.example.com",
                      "client_id": "cid", "client_secret": "verysecret"},
        },
    }
    result = http._mask_config_for_api(config)
    assert result["oauth"]["gitea"]["client_secret"] == "•••"
    assert result["oauth"]["gitea"]["client_id"] == "cid"
 def test_mask_config_for_api_includes_server_keys():
    config = {"hbd_port": 50004, "interval": 20, "users": {}, "oauth": {}}
    result = http._mask_config_for_api(config)
    assert result["server"]["hbd_port"] == 50004
    assert result["server"]["interval"] == 20
 def test_mask_config_for_api_no_password_in_users_leaves_no_key():
    config = {
        "hbd_port": 50004,
        "users": {"bob": {"full_name": "Bob", "admin": False}},
        "oauth": {},
    }
    result = http._mask_config_for_api(config)
    assert "password" not in result["users"]["bob"]
 # ---- configio integration for write path ----
 def test_write_path_applies_server_section(tmp_path):
    cfg = tmp_path / ".hb.yaml"
    cfg.write_text("hbd_port: 50004\ninterval: 20\nusers: {}\n")
    from hbd.server import configio
    data = configio.read_roundtrip(str(cfg))
    configio.apply_structured_section(data, "server", {"interval": 60})
    configio.write_config(str(cfg), data)
    data2 = configio.read_roundtrip(str(cfg))
    assert data2["interval"] == 60
    assert data2["hbd_port"] == 50004  # unchanged
 def test_write_path_applies_yaml_section(tmp_path):
    cfg = tmp_path / ".hb.yaml"
    cfg.write_text(
        "hbd_port: 50004\nnotification_channels:\n  old_ch:\n    type: email\n"
    )
    from hbd.server import configio
    data = configio.read_roundtrip(str(cfg))
    configio.apply_yaml_section(data, "notification_channels", "new_ch:\n  type: pushover\n")
    configio.write_config(str(cfg), data)
    data2 = configio.read_roundtrip(str(cfg))
    assert "new_ch" in data2["notification_channels"]
    assert "old_ch" not in data2["notification_channels"]
 def test_write_path_hashes_plaintext_password(tmp_path):
    cfg = tmp_path / ".hb.yaml"
    cfg.write_text("hbd_port: 50004\nusers:\n  alice:\n    full_name: Alice\n    admin: true\n    password: pbkdf2:sha256:old\n")
    from hbd.server import configio
    from hbd.server import users as users_mod
    data = configio.read_roundtrip(str(cfg))
    # Simulate what the POST handler does: hash plaintext password
    new_users = {"alice": {"full_name": "Alice", "admin": True, "password": "newplaintext"}}
    for username, attrs in new_users.items():
        pw = attrs.get("password", "")
        if pw and not pw.startswith("pbkdf2:"):
            attrs["password"] = users_mod.hash_password(pw)
    configio.apply_structured_section(data, "users", new_users)
    configio.write_config(str(cfg), data)
    data2 = configio.read_roundtrip(str(cfg))
    assert data2["users"]["alice"]["password"].startswith("pbkdf2:")
    assert data2["users"]["alice"]["password"] != "newplaintext"
 def test_rollback_restores_backup(tmp_path):
    cfg = tmp_path / ".hb.yaml"
    cfg.write_text("hbd_port: 50004\ninterval: 20\n")
    from hbd.server import configio
    # Make a change to create a backup
    data = configio.read_roundtrip(str(cfg))
    data["interval"] = 99
    configio.write_config(str(cfg), data)
    backups = configio.list_backups(str(cfg))
    assert len(backups) == 1
    # Read the backup and write it back (simulating rollback)
    backup_data = configio.read_roundtrip(backups[0])
    configio.write_config(str(cfg), backup_data)
    restored = configio.read_roundtrip(str(cfg))
    assert restored["interval"] == 20
 def test_write_path_preserves_masked_password(tmp_path):
    """The "•••" sentinel must preserve the existing hash, not write "•••" to disk."""
    cfg = tmp_path / ".hb.yaml"
    original_hash = "pbkdf2:sha256:original_hash"
    cfg.write_text(
        f"hbd_port: 50004\nusers:\n  alice:\n    full_name: Alice\n    admin: true\n    password: {original_hash}\n"
    )
    from hbd.server import configio
    from hbd.server import users as users_mod
    data = configio.read_roundtrip(str(cfg))
    # Simulate what api_config_post does when client sends "•••" back
    existing_users = data.get("users") or {}
    users_payload = {"alice": {"full_name": "Alice", "admin": True, "password": "•••"}}
    for username, attrs in users_payload.items():
        pw = attrs.get("password", "")
        if pw and pw != "•••" and not pw.startswith("pbkdf2:"):
            attrs["password"] = users_mod.hash_password(pw)
        elif not pw or pw == "•••":
            existing_hash = (existing_users.get(username) or {}).get("password", "")
            if existing_hash:
                attrs["password"] = existing_hash
            else:
                attrs.pop("password", None)
    configio.apply_structured_section(data, "users", users_payload)
    configio.write_config(str(cfg), data)
    data2 = configio.read_roundtrip(str(cfg))
    assert data2["users"]["alice"]["password"] == original_hash, (
        f"Expected original hash preserved, got: {data2['users']['alice']['password']!r}"
    )
 def test_write_path_preserves_oauth_client_secret(tmp_path):
    """The "•••" sentinel for oauth client_secret must preserve the existing secret."""
    cfg = tmp_path / ".hb.yaml"
    original_secret = "real_client_secret_value"
    cfg.write_text(
        f"hbd_port: 50004\noauth:\n  gitea:\n    type: gitea\n    url: https://git.example.com\n"
        f"    client_id: cid123\n    client_secret: {original_secret}\n"
    )
    from hbd.server import configio
    data = configio.read_roundtrip(str(cfg))
    # Simulate what api_config_post does when client sends "•••" back for client_secret
    existing_oauth = data.get("oauth") or {}
    new_oauth = {"gitea": {"type": "gitea", "url": "https://git.example.com", "client_id": "cid123", "client_secret": "•••"}}
    for name, attrs in new_oauth.items():
        cs = attrs.get("client_secret", "")
        if not cs or cs == "•••":
            existing_cs = (existing_oauth.get(name) or {}).get("client_secret", "")
            if existing_cs:
                attrs["client_secret"] = existing_cs
            else:
                attrs.pop("client_secret", None)
    data["oauth"] = new_oauth
    configio.write_config(str(cfg), data)
    data2 = configio.read_roundtrip(str(cfg))
    assert data2["oauth"]["gitea"]["client_secret"] == original_secret, (
        f"Expected original secret preserved, got: {data2['oauth']['gitea']['client_secret']!r}"
    )
@@ -0,0 +1,174 @@
 """Tests for _build_host_info helper in http.py."""
 import pytest
 from unittest.mock import MagicMock
 from hbd.server.http import _build_host_info
 class _FakeConn:
    def __init__(self, lastbeat):
        self.lastbeat = lastbeat
 class _FakeHost:
    def __init__(self, name="myhost", owner=None, managers=None,
                 connections=None, os_data=None, plugin_data=None):
        self.name = name
        self.owner = owner
        self.managers = managers or []
        self.connections = connections or {}
        self._os_data = os_data
        self.plugin_data = plugin_data or {}
    def get_latest_plugin_data(self, plugin_name):
        if plugin_name == "os_info" and self._os_data is not None:
            return (1234567890.0, self._os_data)
        return None
 def test_build_host_info_basic_fields():
    host = _FakeHost(owner="alice", managers=["bob", "carol"])
    result = _build_host_info(host)
    assert result["owner"] == "alice"
    assert result["managers"] == ["bob", "carol"]
    assert result["hbc_version"] is None
    assert result["hbc_type"] is None
    assert result["last_packet"] is None
    assert result["thresholds"] is None
 def test_build_host_info_no_owner():
    host = _FakeHost()
    result = _build_host_info(host)
    assert result["owner"] is None
    assert result["managers"] == []
 def test_build_host_info_reads_hbc_from_os_info():
    host = _FakeHost(os_data={"hbc_version": "5.3.0", "hbc_type": "full"})
    result = _build_host_info(host)
    assert result["hbc_version"] == "5.3.0"
    assert result["hbc_type"] == "full"
 def test_build_host_info_hbc_none_when_no_os_info():
    host = _FakeHost(os_data=None)
    result = _build_host_info(host)
    assert result["hbc_version"] is None
    assert result["hbc_type"] is None
 def test_build_host_info_last_packet_is_max_lastbeat():
    host = _FakeHost(connections={
        "IPv4": _FakeConn(1000.0),
        "IPv6": _FakeConn(2000.0),
    })
    result = _build_host_info(host)
    assert result["last_packet"] == 2000.0
 def test_build_host_info_last_packet_none_when_no_connections():
    host = _FakeHost(connections={})
    result = _build_host_info(host)
    assert result["last_packet"] is None
 def test_build_host_info_thresholds_none_without_checker():
    host = _FakeHost()
    result = _build_host_info(host, threshold_checker=None)
    assert result["thresholds"] is None
 def test_build_host_info_thresholds_sorted_by_metric():
    from hbd.server.threshold import ThresholdConfig
    tc_cpu = ThresholdConfig("cpu_monitor.cpu_percent", warning=80.0, critical=95.0)
    tc_mem = ThresholdConfig("memory_monitor.memory_percent", warning=85.0, critical=98.0)
    checker = MagicMock()
    checker.get_thresholds_for_host.return_value = {
        "memory_monitor.memory_percent": tc_mem,
        "cpu_monitor.cpu_percent": tc_cpu,
    }
    host = _FakeHost()
    result = _build_host_info(host, threshold_checker=checker)
    assert result["thresholds"] is not None
    assert len(result["thresholds"]) == 2
    assert result["thresholds"][0]["metric"] == "cpu_monitor.cpu_percent"
    assert result["thresholds"][0]["warning"] == 80.0
    assert result["thresholds"][0]["critical"] == 95.0
    assert result["thresholds"][0]["operator"] == ">"
    assert result["thresholds"][1]["metric"] == "memory_monitor.memory_percent"
 def test_build_host_info_thresholds_empty_list_when_no_thresholds():
    checker = MagicMock()
    checker.get_thresholds_for_host.return_value = {}
    host = _FakeHost()
    result = _build_host_info(host, threshold_checker=checker)
    assert result["thresholds"] == []
 def test_build_host_info_threshold_null_warning_critical():
    from hbd.server.threshold import ThresholdConfig
    tc = ThresholdConfig("rtt.myhost", warning=None, critical=500.0)
    checker = MagicMock()
    checker.get_thresholds_for_host.return_value = {"rtt.myhost": tc}
    host = _FakeHost()
    result = _build_host_info(host, threshold_checker=checker)
    assert result["thresholds"][0]["warning"] is None
    assert result["thresholds"][0]["critical"] == 500.0
 def test_build_host_info_nagios_operator_serialized():
    from hbd.server.threshold import ThresholdConfig
    tc = ThresholdConfig("nagios_runner.check_http", operator="nagios")
    checker = MagicMock()
    checker.get_thresholds_for_host.return_value = {"nagios_runner.check_http": tc}
    host = _FakeHost()
    result = _build_host_info(host, threshold_checker=checker)
    assert result["thresholds"][0]["operator"] == "nagios"
 def test_build_host_info_covers_suffix_matched_metrics():
    """memory_monitor.percent threshold covers swap_percent via suffix match."""
    from hbd.server.threshold import ThresholdConfig
    tc_pct = ThresholdConfig("memory_monitor.percent", warning=85.0, critical=95.0)
    checker = MagicMock()
    checker.get_thresholds_for_host.return_value = {"memory_monitor.percent": tc_pct}
    host = _FakeHost(
        connections={},
        os_data=None,
    )
    # Simulate plugin_data with both percent and swap_percent fields
    host.plugin_data = {
        "memory_monitor": [(1234567890.0, {
            "percent": 80.0,
            "swap_percent": 25.0,
            "available_mb": 2000,
        })]
    }
    result = _build_host_info(host, threshold_checker=checker)
    assert result["thresholds"] is not None
    t = result["thresholds"][0]
    assert t["metric"] == "memory_monitor.percent"
    assert t["covers"] == ["memory_monitor.swap_percent"]
 def test_build_host_info_covers_empty_when_exact_matches_only():
    """No covers when all plugin fields match their threshold exactly."""
    from hbd.server.threshold import ThresholdConfig
    tc_pct = ThresholdConfig("memory_monitor.percent", warning=85.0, critical=95.0)
    checker = MagicMock()
    checker.get_thresholds_for_host.return_value = {"memory_monitor.percent": tc_pct}
    host = _FakeHost()
    host.plugin_data = {
        "memory_monitor": [(1234567890.0, {"percent": 80.0})]
    }
    result = _build_host_info(host, threshold_checker=checker)
    t = result["thresholds"][0]
    assert t["covers"] == []
@@ -0,0 +1,123 @@
 """Tests for PUT /api/0/users/me logic."""
 import pytest
 from hbd.server import users as users_mod
 def test_hash_password_roundtrip():
    h = users_mod.hash_password("mysecret")
    assert h.startswith("pbkdf2:sha256:")
    assert users_mod.authenticate.__doc__ is not None  # module loaded
 def test_password_change_requires_correct_current(tmp_path):
    cfg = tmp_path / ".hb.yaml"
    initial_hash = users_mod.hash_password("oldpass")
    cfg.write_text(
        f"hbd_port: 50004\nusers:\n  alice:\n    full_name: Alice\n    admin: true\n    password: {initial_hash}\n"
    )
    users_mod.load_users({"users": {"alice": {"full_name": "Alice", "admin": True, "password": initial_hash}}})
    # Correct current password authenticates
    assert users_mod.authenticate("alice", "oldpass") is not None
    # Wrong current password does not authenticate
    assert users_mod.authenticate("alice", "wrongpass") is None
 def test_put_users_me_writes_new_fields(tmp_path):
    """Simulate the write path: read config, update user, write back."""
    initial_hash = users_mod.hash_password("secret")
    yaml_content = (
        "hbd_port: 50004\n"
        f"users:\n  alice:\n    full_name: Old Name\n    admin: true\n    password: {initial_hash}\n"
    )
    cfg = tmp_path / ".hb.yaml"
    cfg.write_text(yaml_content)
    from hbd.server import configio
    data = configio.read_roundtrip(str(cfg))
    # Simulate handler updating full_name and avatar
    user_entry = dict(data["users"]["alice"])
    user_entry["full_name"] = "New Name"
    user_entry["avatar"] = "/img/alice.png"
    data["users"]["alice"] = user_entry
    configio.write_config(str(cfg), data)
    result = configio.read_roundtrip(str(cfg))
    assert result["users"]["alice"]["full_name"] == "New Name"
    assert result["users"]["alice"]["avatar"] == "/img/alice.png"
    assert result["users"]["alice"]["password"] == initial_hash  # unchanged
 def test_put_users_me_changes_password(tmp_path):
    initial_hash = users_mod.hash_password("oldpass")
    cfg = tmp_path / ".hb.yaml"
    cfg.write_text(
        f"hbd_port: 50004\nusers:\n  alice:\n    full_name: Alice\n    password: {initial_hash}\n"
    )
    from hbd.server import configio
    data = configio.read_roundtrip(str(cfg))
    new_hash = users_mod.hash_password("newpass")
    data["users"]["alice"]["password"] = new_hash
    configio.write_config(str(cfg), data)
    result = configio.read_roundtrip(str(cfg))
    # Load users from new config and authenticate with new password
    new_config = {"users": dict(result["users"])}
    users_mod.load_users(new_config)
    assert users_mod.authenticate("alice", "newpass") is not None
    assert users_mod.authenticate("alice", "oldpass") is None
 def test_put_users_me_notification_channels(tmp_path):
    cfg = tmp_path / ".hb.yaml"
    cfg.write_text(
        "hbd_port: 50004\n"
        "notification_channels:\n  pushover_ops:\n    type: pushover\n"
        "users:\n  alice:\n    full_name: Alice\n    notification_channels: []\n"
    )
    from hbd.server import configio
    data = configio.read_roundtrip(str(cfg))
    data["users"]["alice"]["notification_channels"] = ["pushover_ops"]
    configio.write_config(str(cfg), data)
    result = configio.read_roundtrip(str(cfg))
    assert result["users"]["alice"]["notification_channels"] == ["pushover_ops"]
 def test_visible_channels_excludes_private_from_others():
    """Private channels owned by another user must not appear in the visible set."""
    from hbd.server import settings as settings_mod
    config = {
        "notification_channels": {
            "public_ch":  {"type": "pushover", "token": "t", "user": "u"},
            "alice_priv": {"type": "email", "owner": "alice", "private": True,
                           "recipients": ["a@b.com"], "sender": "s@b.com", "smtp_server": "s"},
            "bob_priv":   {"type": "email", "owner": "bob", "private": True,
                           "recipients": ["b@b.com"], "sender": "s@b.com", "smtp_server": "s"},
        }
    }
    class FakeUser:
        def __init__(self, username, admin=False):
            self.username = username
            self.admin = admin
    alice = FakeUser("alice")
    bob   = FakeUser("bob")
    admin = FakeUser("admin", admin=True)
    # Simulate _visible_channels_for_user logic (mirrors http.py implementation)
    def visible(user):
        all_channels = config.get("notification_channels") or {}
        if user.admin:
            return set(all_channels.keys())
        return {
            name for name, cfg in all_channels.items()
            if not cfg.get("private") or cfg.get("owner") == user.username
        }
    assert visible(alice) == {"public_ch", "alice_priv"}
    assert visible(bob)   == {"public_ch", "bob_priv"}
    assert visible(admin) == {"public_ch", "alice_priv", "bob_priv"}
@@ -0,0 +1,178 @@
 """Tests for notification channel CRUD via configio helpers and visibility logic."""
 import pytest
 from hbd.server import configio, settings as settings_mod
 SAMPLE_YAML = """\
 hbd_port: 50004
 notification_channels:
  pushover_ops:
    type: pushover
    token: abc123
    user: usr456
 """
 # ---------------------------------------------------------------------------
 # configio helpers
 # ---------------------------------------------------------------------------
 def test_apply_channel_adds_new_entry(tmp_path):
    f = tmp_path / ".hb.yaml"
    f.write_text(SAMPLE_YAML)
    data = configio.read_roundtrip(str(f))
    configio.apply_channel(data, "email_ops", {"type": "email", "recipients": ["ops@example.com"]})
    assert "email_ops" in data["notification_channels"]
    assert data["notification_channels"]["email_ops"]["type"] == "email"
    # Existing channel preserved
    assert "pushover_ops" in data["notification_channels"]
 def test_apply_channel_updates_existing(tmp_path):
    f = tmp_path / ".hb.yaml"
    f.write_text(SAMPLE_YAML)
    data = configio.read_roundtrip(str(f))
    configio.apply_channel(data, "pushover_ops", {"type": "pushover", "token": "new_tok", "user": "new_usr"})
    assert data["notification_channels"]["pushover_ops"]["token"] == "new_tok"
 def test_apply_channel_creates_section_if_absent():
    data = {"hbd_port": 50004}
    configio.apply_channel(data, "test_ch", {"type": "pushover", "token": "t", "user": "u"})
    assert "notification_channels" in data
    assert "test_ch" in data["notification_channels"]
 def test_delete_channel_removes_entry(tmp_path):
    f = tmp_path / ".hb.yaml"
    f.write_text(SAMPLE_YAML)
    data = configio.read_roundtrip(str(f))
    configio.delete_channel(data, "pushover_ops")
    assert "pushover_ops" not in data["notification_channels"]
 def test_delete_channel_noop_for_missing():
    data = {"notification_channels": {"ch1": {"type": "pushover"}}}
    configio.delete_channel(data, "nonexistent")  # must not raise
    assert "ch1" in data["notification_channels"]
 def test_delete_channel_noop_when_no_section():
    data = {}
    configio.delete_channel(data, "anything")  # must not raise
 def test_apply_channel_persisted_after_write(tmp_path):
    f = tmp_path / ".hb.yaml"
    f.write_text(SAMPLE_YAML)
    data = configio.read_roundtrip(str(f))
    configio.apply_channel(data, "signal_ops", {"type": "signal", "user": "+1", "recipient": "+2"})
    configio.write_config(str(f), data)
    result = configio.read_roundtrip(str(f))
    assert "signal_ops" in result["notification_channels"]
    assert result["notification_channels"]["signal_ops"]["user"] == "+1"
    # Original channel preserved
    assert "pushover_ops" in result["notification_channels"]
 def test_delete_channel_persisted_after_write(tmp_path):
    f = tmp_path / ".hb.yaml"
    f.write_text(SAMPLE_YAML)
    data = configio.read_roundtrip(str(f))
    configio.delete_channel(data, "pushover_ops")
    configio.write_config(str(f), data)
    result = configio.read_roundtrip(str(f))
    assert "pushover_ops" not in (result.get("notification_channels") or {})
 # ---------------------------------------------------------------------------
 # Visibility logic (mirrors http.py _visible_channels_for_user)
 # ---------------------------------------------------------------------------
 def _visible(config, user):
    """Local copy of the visibility helper for unit testing without the HTTP layer."""
    all_channels = config.get("notification_channels") or {}
    if user.get("admin"):
        return set(all_channels.keys())
    username = user["username"]
    return {
        name for name, cfg in all_channels.items()
        if isinstance(cfg, dict) and (not cfg.get("private") or cfg.get("owner") == username)
    }
 CONFIG_VISIBILITY = {
    "notification_channels": {
        "pub_ch":      {"type": "pushover", "token": "t", "user": "u"},
        "alice_priv":  {"type": "email", "owner": "alice", "private": True,
                        "recipients": ["a@a.com"], "sender": "s@a.com", "smtp_server": "s"},
        "bob_priv":    {"type": "signal", "owner": "bob", "private": True,
                        "user": "+1", "recipient": "+2"},
        "admin_owned": {"type": "pushover", "token": "t2", "user": "u2", "owner": "adminuser"},
    }
 }
 def test_public_channel_visible_to_all():
    for uname in ("alice", "bob", "carol"):
        user = {"username": uname, "admin": False}
        assert "pub_ch" in _visible(CONFIG_VISIBILITY, user)
 def test_private_channel_visible_only_to_owner():
    alice = {"username": "alice", "admin": False}
    bob   = {"username": "bob",   "admin": False}
    carol = {"username": "carol", "admin": False}
    assert "alice_priv" in _visible(CONFIG_VISIBILITY, alice)
    assert "alice_priv" not in _visible(CONFIG_VISIBILITY, bob)
    assert "alice_priv" not in _visible(CONFIG_VISIBILITY, carol)
    assert "bob_priv" in _visible(CONFIG_VISIBILITY, bob)
    assert "bob_priv" not in _visible(CONFIG_VISIBILITY, alice)
 def test_admin_sees_all_channels():
    admin = {"username": "adminuser", "admin": True}
    visible = _visible(CONFIG_VISIBILITY, admin)
    assert visible == {"pub_ch", "alice_priv", "bob_priv", "admin_owned"}
 def test_admin_owned_channel_is_public_by_default():
    alice = {"username": "alice", "admin": False}
    assert "admin_owned" in _visible(CONFIG_VISIBILITY, alice)
 # ---------------------------------------------------------------------------
 # Channel type schemas
 # ---------------------------------------------------------------------------
 def test_all_required_types_in_schema():
    for t in ("pushover", "email", "signal", "matrix", "sms_voipms"):
        assert t in settings_mod.CHANNEL_TYPE_SCHEMAS
 def test_schema_fields_have_required_keys():
    for type_id, schema in settings_mod.CHANNEL_TYPE_SCHEMAS.items():
        assert "label" in schema, f"{type_id} missing label"
        assert "fields" in schema, f"{type_id} missing fields"
        for f in schema["fields"]:
            for k in ("key", "label", "type", "required"):
                assert k in f, f"{type_id} field missing {k!r}"
 def test_secret_fields_use_secret_type():
    """Known secret fields must be typed 'secret' so the UI masks them."""
    secret_keys = {"token", "user_key", "api_key", "api_password",
                   "smtp_password", "access_token"}
    for type_id, schema in settings_mod.CHANNEL_TYPE_SCHEMAS.items():
        for f in schema["fields"]:
            if f["key"] in secret_keys:
                assert f["type"] == "secret", (
                    f"{type_id}.{f['key']} should be type 'secret'"
                )
 def test_channel_labels_not_empty():
    for type_id, schema in settings_mod.CHANNEL_TYPE_SCHEMAS.items():
        assert schema["label"].strip(), f"{type_id} has empty label"
@@ -1,3 +1,4 @@
 import logging
 import time as time_mod
 from unittest.mock import AsyncMock, MagicMock, patch
 from urllib.parse import urlparse, parse_qs
@@ -36,17 +37,6 @@ def reset_users_dict():
    users_mod.users = original
 def test_is_enabled_when_all_keys_present():
    assert oauth.is_enabled(CFG_ON) is True
 def test_is_enabled_false_when_no_oauth_key():
    assert oauth.is_enabled(CFG_OFF) is False
 def test_is_enabled_false_when_partial_config():
    assert oauth.is_enabled(CFG_PARTIAL) is False
 def test_make_state_returns_unique_tokens():
    s1 = oauth.make_state()
@@ -134,132 +124,6 @@ def test_provision_oauth_user_survives_config_reload():
    assert "oauthonly" in users_mod.users
 def test_authorization_url_shape():
    state = "teststate"
    redirect_uri = "https://hbd.example.com/login/oauth/gitea/callback"
    url = oauth.authorization_url(CFG_ON, state, redirect_uri)
    parsed = urlparse(url)
    qs = parse_qs(parsed.query)
    assert parsed.scheme == "https"
    assert parsed.netloc == "git.example.com"
    assert parsed.path == "/login/oauth/authorize"
    assert qs["client_id"] == ["cid"]
    assert qs["state"] == ["teststate"]
    assert qs["redirect_uri"] == [redirect_uri]
    assert qs["scope"] == ["user:email"]
    assert qs["response_type"] == ["code"]
@pytest.mark.asyncio
 async def test_exchange_code_returns_token():
    redirect_uri = "https://hbd.example.com/login/oauth/gitea/callback"
    mock_response = AsyncMock()
    mock_response.status = 200
    mock_response.json = AsyncMock(return_value={"access_token": "tok123"})
    mock_session = MagicMock()
    mock_session.post = MagicMock(return_value=AsyncMock(
        __aenter__=AsyncMock(return_value=mock_response),
        __aexit__=AsyncMock(return_value=False),
    ))
    with patch("hbd.server.oauth.aiohttp.ClientSession", return_value=AsyncMock(
        __aenter__=AsyncMock(return_value=mock_session),
        __aexit__=AsyncMock(return_value=False),
    )):
        token = await oauth.exchange_code(CFG_ON, "mycode", redirect_uri)
    assert token == "tok123"
@pytest.mark.asyncio
 async def test_exchange_code_raises_on_error_status():
    redirect_uri = "https://hbd.example.com/login/oauth/gitea/callback"
    mock_response = AsyncMock()
    mock_response.status = 401
    mock_response.text = AsyncMock(return_value="unauthorized")
    mock_session = MagicMock()
    mock_session.post = MagicMock(return_value=AsyncMock(
        __aenter__=AsyncMock(return_value=mock_response),
        __aexit__=AsyncMock(return_value=False),
    ))
    with patch("hbd.server.oauth.aiohttp.ClientSession", return_value=AsyncMock(
        __aenter__=AsyncMock(return_value=mock_session),
        __aexit__=AsyncMock(return_value=False),
    )):
        with pytest.raises(oauth.OAuthError):
            await oauth.exchange_code(CFG_ON, "badcode", redirect_uri)
@pytest.mark.asyncio
 async def test_fetch_user_returns_profile():
    mock_response = AsyncMock()
    mock_response.status = 200
    mock_response.json = AsyncMock(return_value={
        "login": "alice",
        "full_name": "Alice Smith",
        "avatar_url": "https://git.example.com/avatars/alice.png",
    })
    mock_session = MagicMock()
    mock_session.get = MagicMock(return_value=AsyncMock(
        __aenter__=AsyncMock(return_value=mock_response),
        __aexit__=AsyncMock(return_value=False),
    ))
    with patch("hbd.server.oauth.aiohttp.ClientSession", return_value=AsyncMock(
        __aenter__=AsyncMock(return_value=mock_session),
        __aexit__=AsyncMock(return_value=False),
    )):
        profile = await oauth.fetch_user(CFG_ON, "tok123")
    assert profile == {
        "login": "alice",
        "full_name": "Alice Smith",
        "avatar_url": "https://git.example.com/avatars/alice.png",
    }
@pytest.mark.asyncio
 async def test_exchange_code_raises_when_no_access_token():
    redirect_uri = "https://hbd.example.com/login/oauth/gitea/callback"
    mock_response = AsyncMock()
    mock_response.status = 200
    mock_response.json = AsyncMock(return_value={"error": "bad_request"})
    mock_session = MagicMock()
    mock_session.post = MagicMock(return_value=AsyncMock(
        __aenter__=AsyncMock(return_value=mock_response),
        __aexit__=AsyncMock(return_value=False),
    ))
    with patch("hbd.server.oauth.aiohttp.ClientSession", return_value=AsyncMock(
        __aenter__=AsyncMock(return_value=mock_session),
        __aexit__=AsyncMock(return_value=False),
    )):
        with pytest.raises(oauth.OAuthError):
            await oauth.exchange_code(CFG_ON, "mycode", redirect_uri)
@pytest.mark.asyncio
 async def test_fetch_user_raises_on_error_status():
    mock_response = AsyncMock()
    mock_response.status = 401
    mock_response.text = AsyncMock(return_value="unauthorized")
    mock_session = MagicMock()
    mock_session.get = MagicMock(return_value=AsyncMock(
        __aenter__=AsyncMock(return_value=mock_response),
        __aexit__=AsyncMock(return_value=False),
    ))
    with patch("hbd.server.oauth.aiohttp.ClientSession", return_value=AsyncMock(
        __aenter__=AsyncMock(return_value=mock_session),
        __aexit__=AsyncMock(return_value=False),
    )):
        with pytest.raises(oauth.OAuthError):
            await oauth.fetch_user(CFG_ON, "tok123")
 # ---------------------------------------------------------------------------
 # Integration-style tests: callback logic chain
@@ -276,13 +140,12 @@ async def test_callback_invalid_state_rejects():
@pytest.mark.asyncio
 async def test_full_oauth_flow_chain():
    """Integration-style test: state → exchange → fetch → provision chain."""
    p = _gitea_provider()
    redirect_uri = "https://hbd.example.com/login/oauth/gitea/callback"
    # Step 1: create a state token
    state = oauth.make_state()
-    assert oauth.validate_state(state) is True  # consumed; replay would return False
+    assert oauth.validate_state(state) is True
    # Step 2: exchange code → token (mocked)
    mock_token_response = AsyncMock()
    mock_token_response.status = 200
    mock_token_response.json = AsyncMock(return_value={"access_token": "flow_token"})
@@ -309,16 +172,431 @@ async def test_full_oauth_flow_chain():
        __aenter__=AsyncMock(return_value=mock_session),
        __aexit__=AsyncMock(return_value=False),
    )):
-        token = await oauth.exchange_code(CFG_ON, "authcode", redirect_uri)
+        token = await oauth.exchange_code(p, "authcode", redirect_uri)
-        profile = await oauth.fetch_user(CFG_ON, token)
+        profile = await oauth.fetch_user(p, token)
    assert token == "flow_token"
    assert profile["login"] == "flowuser"
    # Step 3: provision user
    _reset_users()
    user = users_mod.provision_oauth_user(
        profile["login"], profile["full_name"], profile["avatar_url"]
    )
    assert user.username == "flowuser"
    assert user.check_password("anything") is False
 # ---------------------------------------------------------------------------
 # get_providers()
 # ---------------------------------------------------------------------------
 CFG_GITHUB = {
    "oauth": {
        "github": {"type": "github", "client_id": "ghid", "client_secret": "ghs"},
    }
 }
 CFG_NEXTCLOUD = {
    "oauth": {
        "nc": {
            "type": "nextcloud",
            "url": "https://nc.example.com",
            "client_id": "ncid",
            "client_secret": "ncs",
        }
    }
 }
 CFG_MULTI = {
    "oauth": {
        "mygitea": {
            "type": "gitea",
            "url": "https://git.example.com",
            "client_id": "cid",
            "client_secret": "cs",
            "label": "Work Gitea",
            "logo": "https://example.com/logo.png",
        },
        "github": {"type": "github", "client_id": "ghid", "client_secret": "ghs"},
        "nc": {
            "type": "nextcloud",
            "url": "https://nc.example.com",
            "client_id": "ncid",
            "client_secret": "ncs",
        },
    }
 }
 def test_get_providers_backward_compat_no_type_field():
    """Old config without 'type' defaults to gitea."""
    providers = oauth.get_providers(CFG_ON)
    assert len(providers) == 1
    p = providers[0]
    assert p.name == "gitea"
    assert p.type == "gitea"
    assert p.label == "Gitea"
    assert p.client_id == "cid"
    assert p.authorize_url == "https://git.example.com/login/oauth/authorize"
    assert p.token_url == "https://git.example.com/login/oauth/access_token"
    assert p.profile_url == "https://git.example.com/api/v1/user"
    assert p.scope == "user:email"
    assert p.profile_data_path == []
 def test_get_providers_multiple():
    providers = oauth.get_providers(CFG_MULTI)
    assert len(providers) == 3
    names = [p.name for p in providers]
    assert "mygitea" in names
    assert "github" in names
    assert "nc" in names
 def test_get_providers_custom_label_and_logo():
    providers = oauth.get_providers(CFG_MULTI)
    gitea = next(p for p in providers if p.name == "mygitea")
    assert gitea.label == "Work Gitea"
    assert gitea.logo == "https://example.com/logo.png"
 def test_get_providers_github_default_label():
    providers = oauth.get_providers(CFG_GITHUB)
    assert providers[0].label == "GitHub"
    assert providers[0].logo == ""
 def test_get_providers_github_fixed_urls():
    providers = oauth.get_providers(CFG_GITHUB)
    p = providers[0]
    assert p.authorize_url == "https://github.com/login/oauth/authorize"
    assert p.token_url == "https://github.com/login/oauth/access_token"
    assert p.profile_url == "https://api.github.com/user"
    assert p.scope == "read:user"
 def test_get_providers_nextcloud_urls_and_path():
    providers = oauth.get_providers(CFG_NEXTCLOUD)
    p = providers[0]
    assert p.authorize_url == "https://nc.example.com/apps/oauth2/authorize"
    assert p.token_url == "https://nc.example.com/apps/oauth2/api/v1/token"
    assert p.profile_url == "https://nc.example.com/ocs/v2.php/cloud/user?format=json"
    assert p.profile_data_path == ["ocs", "data"]
    assert p.scope == ""
 def test_get_providers_skips_missing_client_id(caplog):
    cfg = {"oauth": {"gitea": {"url": "https://git.example.com", "client_secret": "cs"}}}
    with caplog.at_level(logging.WARNING, logger="hbd.server.oauth"):
        result = oauth.get_providers(cfg)
    assert result == []
    assert "missing" in caplog.text.lower()
 def test_get_providers_skips_missing_client_secret(caplog):
    cfg = {"oauth": {"gitea": {"url": "https://git.example.com", "client_id": "cid"}}}
    with caplog.at_level(logging.WARNING, logger="hbd.server.oauth"):
        result = oauth.get_providers(cfg)
    assert result == []
    assert "missing" in caplog.text.lower()
 def test_get_providers_skips_missing_url_for_gitea(caplog):
    cfg = {"oauth": {"gitea": {"type": "gitea", "client_id": "cid", "client_secret": "cs"}}}
    with caplog.at_level(logging.WARNING, logger="hbd.server.oauth"):
        result = oauth.get_providers(cfg)
    assert result == []
    assert "url" in caplog.text.lower()
 def test_get_providers_skips_missing_url_for_nextcloud(caplog):
    cfg = {"oauth": {"nc": {"type": "nextcloud", "client_id": "cid", "client_secret": "cs"}}}
    with caplog.at_level(logging.WARNING, logger="hbd.server.oauth"):
        result = oauth.get_providers(cfg)
    assert result == []
    assert "url" in caplog.text.lower()
 def test_get_providers_github_no_url_required():
    providers = oauth.get_providers(CFG_GITHUB)
    assert len(providers) == 1
 def test_get_providers_skips_unknown_type(caplog):
    cfg = {"oauth": {"mystery": {"type": "saml", "client_id": "cid", "client_secret": "cs"}}}
    import logging
    with caplog.at_level(logging.WARNING, logger="hbd.server.oauth"):
        result = oauth.get_providers(cfg)
    assert result == []
    assert "saml" in caplog.text
 def test_get_providers_empty_config():
    assert oauth.get_providers({}) == []
    assert oauth.get_providers(CFG_OFF) == []
 # ---------------------------------------------------------------------------
 # build_auth_url / exchange_code / fetch_user (generic, ResolvedProvider-based)
 # ---------------------------------------------------------------------------
 def _gitea_provider() -> oauth.ResolvedProvider:
    return oauth.get_providers(CFG_ON)[0]
 def _github_provider() -> oauth.ResolvedProvider:
    return oauth.get_providers(CFG_GITHUB)[0]
 def _nextcloud_provider() -> oauth.ResolvedProvider:
    return oauth.get_providers(CFG_NEXTCLOUD)[0]
 def test_build_auth_url_gitea():
    p = _gitea_provider()
    url = oauth.build_auth_url(p, "teststate", "https://hbd.example.com/login/oauth/gitea/callback")
    parsed = urlparse(url)
    qs = parse_qs(parsed.query)
    assert parsed.netloc == "git.example.com"
    assert parsed.path == "/login/oauth/authorize"
    assert qs["client_id"] == ["cid"]
    assert qs["state"] == ["teststate"]
    assert qs["scope"] == ["user:email"]
    assert qs["response_type"] == ["code"]
    assert qs["redirect_uri"] == ["https://hbd.example.com/login/oauth/gitea/callback"]
 def test_build_auth_url_github():
    p = _github_provider()
    url = oauth.build_auth_url(p, "st", "https://hbd.example.com/login/oauth/github/callback")
    parsed = urlparse(url)
    qs = parse_qs(parsed.query)
    assert parsed.netloc == "github.com"
    assert qs["scope"] == ["read:user"]
 def test_build_auth_url_nextcloud_no_scope_param():
    """Nextcloud scope is empty — the 'scope' key must be absent from the URL."""
    p = _nextcloud_provider()
    url = oauth.build_auth_url(p, "st", "https://hbd.example.com/login/oauth/nc/callback")
    qs = parse_qs(urlparse(url).query)
    assert "scope" not in qs
@pytest.mark.asyncio
 async def test_exchange_code_generic_returns_token():
    p = _gitea_provider()
    redirect_uri = "https://hbd.example.com/login/oauth/gitea/callback"
    mock_response = AsyncMock()
    mock_response.status = 200
    mock_response.json = AsyncMock(return_value={"access_token": "tok123"})
    mock_session = MagicMock()
    mock_session.post = MagicMock(return_value=AsyncMock(
        __aenter__=AsyncMock(return_value=mock_response),
        __aexit__=AsyncMock(return_value=False),
    ))
    with patch("hbd.server.oauth.aiohttp.ClientSession", return_value=AsyncMock(
        __aenter__=AsyncMock(return_value=mock_session),
        __aexit__=AsyncMock(return_value=False),
    )):
        token = await oauth.exchange_code(p, "mycode", redirect_uri)
    assert token == "tok123"
@pytest.mark.asyncio
 async def test_exchange_code_sends_accept_json():
    """Accept: application/json must be present for all providers (required by GitHub)."""
    p = _github_provider()
    captured_headers = {}
    mock_response = AsyncMock()
    mock_response.status = 200
    mock_response.json = AsyncMock(return_value={"access_token": "ghtoken"})
    mock_session = MagicMock()
    def capture_post(url, **kwargs):
        captured_headers.update(kwargs.get("headers", {}))
        return AsyncMock(
            __aenter__=AsyncMock(return_value=mock_response),
            __aexit__=AsyncMock(return_value=False),
        )
    mock_session.post = capture_post
    with patch("hbd.server.oauth.aiohttp.ClientSession", return_value=AsyncMock(
        __aenter__=AsyncMock(return_value=mock_session),
        __aexit__=AsyncMock(return_value=False),
    )):
        await oauth.exchange_code(p, "code", "https://hbd.example.com/login/oauth/github/callback")
    assert captured_headers.get("Accept") == "application/json"
@pytest.mark.asyncio
 async def test_exchange_code_raises_on_error_status():
    p = _gitea_provider()
    mock_response = AsyncMock()
    mock_response.status = 401
    mock_response.text = AsyncMock(return_value="unauthorized")
    mock_session = MagicMock()
    mock_session.post = MagicMock(return_value=AsyncMock(
        __aenter__=AsyncMock(return_value=mock_response),
        __aexit__=AsyncMock(return_value=False),
    ))
    with patch("hbd.server.oauth.aiohttp.ClientSession", return_value=AsyncMock(
        __aenter__=AsyncMock(return_value=mock_session),
        __aexit__=AsyncMock(return_value=False),
    )):
        with pytest.raises(oauth.OAuthError):
            await oauth.exchange_code(p, "badcode", "https://hbd.example.com/login/oauth/gitea/callback")
@pytest.mark.asyncio
 async def test_exchange_code_raises_when_no_access_token():
    p = _gitea_provider()
    mock_response = AsyncMock()
    mock_response.status = 200
    mock_response.json = AsyncMock(return_value={"error": "bad_request"})
    mock_session = MagicMock()
    mock_session.post = MagicMock(return_value=AsyncMock(
        __aenter__=AsyncMock(return_value=mock_response),
        __aexit__=AsyncMock(return_value=False),
    ))
    with patch("hbd.server.oauth.aiohttp.ClientSession", return_value=AsyncMock(
        __aenter__=AsyncMock(return_value=mock_session),
        __aexit__=AsyncMock(return_value=False),
    )):
        with pytest.raises(oauth.OAuthError):
            await oauth.exchange_code(p, "mycode", "https://hbd.example.com/login/oauth/gitea/callback")
@pytest.mark.asyncio
 async def test_fetch_user_gitea_returns_profile():
    p = _gitea_provider()
    mock_response = AsyncMock()
    mock_response.status = 200
    mock_response.json = AsyncMock(return_value={
        "login": "alice",
        "full_name": "Alice Smith",
        "avatar_url": "https://git.example.com/avatars/alice.png",
    })
    mock_session = MagicMock()
    mock_session.get = MagicMock(return_value=AsyncMock(
        __aenter__=AsyncMock(return_value=mock_response),
        __aexit__=AsyncMock(return_value=False),
    ))
    with patch("hbd.server.oauth.aiohttp.ClientSession", return_value=AsyncMock(
        __aenter__=AsyncMock(return_value=mock_session),
        __aexit__=AsyncMock(return_value=False),
    )):
        profile = await oauth.fetch_user(p, "tok123")
    assert profile == {
        "login": "alice",
        "full_name": "Alice Smith",
        "avatar_url": "https://git.example.com/avatars/alice.png",
    }
@pytest.mark.asyncio
 async def test_fetch_user_github_maps_name_field():
    p = _github_provider()
    mock_response = AsyncMock()
    mock_response.status = 200
    mock_response.json = AsyncMock(return_value={
        "login": "bobgh",
        "name": "Bob GitHub",
        "avatar_url": "https://avatars.githubusercontent.com/u/1",
    })
    mock_session = MagicMock()
    mock_session.get = MagicMock(return_value=AsyncMock(
        __aenter__=AsyncMock(return_value=mock_response),
        __aexit__=AsyncMock(return_value=False),
    ))
    with patch("hbd.server.oauth.aiohttp.ClientSession", return_value=AsyncMock(
        __aenter__=AsyncMock(return_value=mock_session),
        __aexit__=AsyncMock(return_value=False),
    )):
        profile = await oauth.fetch_user(p, "ghtoken")
    assert profile["login"] == "bobgh"
    assert profile["full_name"] == "Bob GitHub"
    assert profile["avatar_url"] == "https://avatars.githubusercontent.com/u/1"
@pytest.mark.asyncio
 async def test_fetch_user_nextcloud_nested_extraction():
    """Nextcloud profile is nested under ocs.data; avatar is absent."""
    p = _nextcloud_provider()
    mock_response = AsyncMock()
    mock_response.status = 200
    mock_response.json = AsyncMock(return_value={
        "ocs": {
            "meta": {"status": "ok", "statuscode": 200},
            "data": {
                "id": "ncuser",
                "display-name": "NC User",
                "email": "nc@example.com",
            },
        }
    })
    mock_session = MagicMock()
    mock_session.get = MagicMock(return_value=AsyncMock(
        __aenter__=AsyncMock(return_value=mock_response),
        __aexit__=AsyncMock(return_value=False),
    ))
    with patch("hbd.server.oauth.aiohttp.ClientSession", return_value=AsyncMock(
        __aenter__=AsyncMock(return_value=mock_session),
        __aexit__=AsyncMock(return_value=False),
    )):
        profile = await oauth.fetch_user(p, "nctoken")
    assert profile["login"] == "ncuser"
    assert profile["full_name"] == "NC User"
    assert profile["avatar_url"] == ""  # Nextcloud has no avatar field
@pytest.mark.asyncio
 async def test_fetch_user_raises_on_error_status():
    p = _gitea_provider()
    mock_response = AsyncMock()
    mock_response.status = 401
    mock_response.text = AsyncMock(return_value="unauthorized")
    mock_session = MagicMock()
    mock_session.get = MagicMock(return_value=AsyncMock(
        __aenter__=AsyncMock(return_value=mock_response),
        __aexit__=AsyncMock(return_value=False),
    ))
    with patch("hbd.server.oauth.aiohttp.ClientSession", return_value=AsyncMock(
        __aenter__=AsyncMock(return_value=mock_session),
        __aexit__=AsyncMock(return_value=False),
    )):
        with pytest.raises(oauth.OAuthError):
            await oauth.fetch_user(p, "badtoken")
 def test_is_enabled_with_valid_provider():
    assert oauth.is_enabled(CFG_ON) is True
 def test_is_enabled_false_when_no_providers():
    assert oauth.is_enabled(CFG_OFF) is False
 def test_is_enabled_false_partial_config():
    assert oauth.is_enabled(CFG_PARTIAL) is False
@@ -0,0 +1,114 @@
 import pytest
 from hbd.server import settings as settings_mod
 CFG = {
    "hbd_port": 50004,
    "interval": 20,
    "grace": 2,
    "users": {
        "alice": {"full_name": "Alice Smith", "admin": True, "password": "pbkdf2:sha256:abc",
                  "notification_channels": ["pushover_ops"]},
    },
    "oauth": {
        "gitea": {"type": "gitea", "url": "https://git.example.com",
                  "client_id": "cid", "client_secret": "csec", "label": "Sign in with Gitea"},
    },
    "notification_channels": {
        "pushover_ops": {"type": "pushover", "token": "tok", "user": "usr"},
    },
    "hosts": {},
 }
 def test_sections_have_section_mode():
    sections = settings_mod.get_settings_sections(CFG)
    for s in sections:
        assert "section_mode" in s, f"Section {s['id']} missing section_mode"
        assert s["section_mode"] in ("form", "yaml", "channels", "hosts")
 def test_sections_have_api_section():
    sections = settings_mod.get_settings_sections(CFG)
    for s in sections:
        assert "api_section" in s, f"Section {s['id']} missing api_section"
 def test_network_section_has_editable_fields():
    sections = settings_mod.get_settings_sections(CFG)
    network = next(s for s in sections if s["id"] == "network")
    assert network["section_mode"] == "form"
    assert network["api_section"] == "server"
    editable = [f for f in network["fields"] if f["editable"]]
    assert len(editable) >= 2  # hbd_port, ws_port at minimum
 def test_yaml_sections_have_correct_mode():
    sections = settings_mod.get_settings_sections(CFG)
    yaml_sections = {s["id"]: s for s in sections if s["section_mode"] == "yaml"}
    assert "channels" not in yaml_sections  # now uses "channels" mode
    assert "hosts" not in yaml_sections     # now uses "hosts" mode
    assert "thresholds" in yaml_sections
    assert "dns" in yaml_sections
    assert yaml_sections["thresholds"]["api_section"] == "thresholds"
    assert yaml_sections["dns"]["api_section"] == "dns"
 def test_hosts_section_uses_hosts_mode():
    sections = settings_mod.get_settings_sections(CFG)
    hosts_sec = next(s for s in sections if s["id"] == "hosts")
    assert hosts_sec["section_mode"] == "hosts"
    assert hosts_sec["api_section"] == "hosts"
 def test_channels_section_uses_channels_mode():
    sections = settings_mod.get_settings_sections(CFG)
    ch_sec = next(s for s in sections if s["id"] == "channels")
    assert ch_sec["section_mode"] == "channels"
    assert ch_sec["api_section"] == "notification_channels"
    assert len(ch_sec["channels"]) == 1
    ch = ch_sec["channels"][0]
    assert ch["name"] == "pushover_ops"
    assert ch["type"] == "pushover"
    assert "owner" in ch
    assert "private" in ch
 def test_channel_type_schemas_exported():
    assert hasattr(settings_mod, "CHANNEL_TYPE_SCHEMAS")
    for required_type in ("pushover", "email", "signal", "matrix", "sms_voipms"):
        assert required_type in settings_mod.CHANNEL_TYPE_SCHEMAS
        schema = settings_mod.CHANNEL_TYPE_SCHEMAS[required_type]
        assert "label" in schema
        assert "fields" in schema
        for f in schema["fields"]:
            assert "key" in f
            assert "type" in f
            assert "required" in f
 def test_oauth_section_exists():
    sections = settings_mod.get_settings_sections(CFG)
    oauth = next((s for s in sections if s["id"] == "oauth"), None)
    assert oauth is not None
    assert oauth["section_mode"] == "form"
    assert oauth["api_section"] == "oauth"
    assert len(oauth["providers"]) == 1
    assert oauth["providers"][0]["name"] == "gitea"
    assert oauth["providers"][0]["client_secret"] == "•••"
 def test_all_channel_names_returned():
    result = settings_mod.get_settings_data(CFG)
    assert "all_channel_names" in result
    assert "pushover_ops" in result["all_channel_names"]
 def test_users_section_has_user_list():
    sections = settings_mod.get_settings_sections(CFG)
    users_sec = next(s for s in sections if s["id"] == "users")
    assert users_sec["section_mode"] == "form"
    assert users_sec["api_section"] == "users"
    assert len(users_sec["users"]) == 1
    assert users_sec["users"][0]["username"] == "alice"
    # Password hash never exposed
    assert "password" not in users_sec["users"][0]
Author	SHA1	Message	Date
Andreas Wrede	4e5bafd26c	version 5.3.4 Release / release (push) Successful in 5s Details	2026-05-12 15:06:24 -04:00
Andreas Wrede	817ae064af	fix: run full reload after HTTP config publish, not just config.reload() HTTP config-mutating endpoints (publish, rollback, channel CRUD, user self-update) were calling config.reload() directly, which only refreshed the in-memory config dict. This skipped re-applying host.dyn/host.watched flags to live Host objects, so enabling dyndns via the UI had no effect until a SIGHUP was sent. Wire a reload_callback through http.start() that calls the same reload_configuration() function used by the SIGHUP handler, ensuring host attributes, notify module, users, and threshold checker are all updated on every config publish. Also fix unmatched quote in udp.py f-string log message. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-05-12 15:05:52 -04:00
Andreas Wrede	a00282913b	version 5.3.3 Release / release (push) Successful in 5s Details	2026-05-12 14:34:58 -04:00
Andreas Wrede	d699a29fa9	refactor: remove dyndnshosts/drophosts legacy config keys, fix DNS event logging - Remove dyndnshosts legacy list; dyndns is now set per-host in the hosts section - Remove drophosts config key and load-time deletion loop - Simplify get_dyndnshosts() to only read per-host dyndns attributes - Fix dns_update_worker to call eventlog with correct (host, level, msg) signature - Log INFO/ERROR events per domain on each DNS update instead of one batched message - Add logger to dns.py (was missing, causing NameError on update failure) - Update README and tests to reflect removed config keys Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-05-12 14:34:11 -04:00
Andreas Wrede	4ce7eacfdd	fix: remove container max-width and stop stretching inputs on settings page Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-05-12 11:42:54 -04:00
Andreas Wrede	1cefc2676e	feat: replace YAML editor with form UI for threshold configurations Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-05-12 10:57:03 -04:00
Andreas Wrede	668a135e53	feat: replace multi-select fields with dual-panel picker on settings page Replaces the 5 native <select multiple> fields (Managers, Monitors, Threshold config, Channels in Hosts; Channels in Users) with a compact picker widget: a truncated pill display with tooltip, and a click-to-open panel split into Available / Selected columns for moving items between sides. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-05-12 10:10:18 -04:00
Andreas Wrede	59e256a042	feat: add nav bar button to publish pending config changes Shows an orange "Publish Config" button to the left of the alert-pie for admin users when there are staged config changes. Uses localStorage to persist staged changes across page navigations so the button appears on any page, not just settings. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-05-12 09:32:32 -04:00
Andreas Wrede	708508157f	feat: add host, level, and message filters to Log of Events Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-05-12 08:29:26 -04:00
Andreas Wrede	f67fa9baff	version 5.3.2 Release / release (push) Successful in 5s Details	2026-05-12 08:16:04 -04:00
Andreas Wrede	588eb2a792	feat: retry DNS resolution indefinitely and add -4/-6 flags in hbc and hbc_mini.c Mirror the same changes from hbc_mini.py: retry host resolution with exponential backoff (5s→60s) instead of exiting on DNS failure, and add mutually exclusive -4 / -6 flags to restrict connections to IPv4 or IPv6. In hbc (main.py) the retry sleep is interruptible via the shutdown_event. In hbc_mini.c signal handlers are moved before the resolution loop so SIGINT/SIGTERM can break the retry during startup. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-05-12 08:15:53 -04:00
Andreas Wrede	b907343e36	feat: retry DNS resolution indefinitely and add -4/-6 flags in hbc_mini On startup, retry host resolution with exponential backoff (5s→60s) instead of exiting when DNS fails. Add mutually exclusive -4 / -6 CLI flags to restrict connections to IPv4 or IPv6 only. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-05-12 08:07:54 -04:00
Andreas Wrede	e50a3996ae	fix: support list-valued threshold_config in hosts table threshold_config in .hb.yaml can be a list (e.g. [local, zrepl]). The hosts table was treating it as a single string, so the pre-selected value never matched. Normalize to a list in settings.py, switch the select to multiple, and fix the JS to collect all selected options. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-05-11 08:22:07 -04:00
Andreas Wrede	e1056a0365	fix: derive hosts threshold config list from config file keys Previously all_threshold_configs was built from the threshold_checker object, which may not be populated at render time, leaving the select empty. Read directly from config["threshold_configs"] instead. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-05-11 08:09:27 -04:00
Andreas Wrede	1dbe0f8e64	feat: replace YAML hosts editor with form-based CRUD table Settings > Hosts now renders a table with per-column controls (watch, dyndns, owner, managers/monitors multi-select, threshold config, notification channels) instead of a raw YAML textarea. Changes stage via the existing Publish flow like other form sections. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-05-11 07:57:28 -04:00
Andreas Wrede	12e8812070	docs: update notification channel and API docs for form-based management - NOTIFICATIONS.md: document owner/private fields, channel visibility rules, and user-created channels; add troubleshooting note for private channel visibility - HTTP_API.md: add notification channel API endpoints table and full endpoint reference (GET types, GET/POST/PUT/DELETE channels) - USERS.md: add missing PUT /api/0/users/me endpoint documentation with all three update modes (identity, channels, password) Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-05-11 07:45:30 -04:00
Andreas Wrede	9b5d8ac9b1	fix: replace channel checkboxes in Users table with multi-select The per-user notification channel selector in the admin settings Users section was a column of checkboxes; replaced with a <select multiple> for consistency with the profile chip picker and to reduce table width. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-05-11 07:38:56 -04:00
Andreas Wrede	500d256d76	feat: replace YAML notification channel editor with form-based UI Notification channels are now managed through a proper web form instead of a raw YAML textarea. Any authenticated user can create channels; private channels (owner-scoped) are hidden from other users. The user profile channel selector becomes a tag/chip picker with a "My Channels" CRUD section. - settings.py: add CHANNEL_TYPE_SCHEMAS for all 6 notifier types; channel section switches to section_mode="channels"; cards include owner/private/min_level - configio.py: add apply_channel() and delete_channel() for per-entry CRUD - notify.py: strip owner/private metadata before dispatching to drivers - http.py: add GET/POST /api/0/notification_channels, PUT/DELETE /{name}, GET /api/0/notification_channel_types; visibility helper filters private channels per user; PUT /api/0/users/me validates against visible channels - settings.html: card grid with edit/delete per channel; add/edit modal with type dropdown and dynamically rendered type-specific fields - profile.html: chip picker replaces checkbox list; My Channels section for creating/editing/deleting user-owned channels - tests: update test_settings_sections, test_http_users_me; add test_notification_channels_api (16 new tests, 46 total passing) Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-05-11 07:34:26 -04:00
Andreas Wrede	a7a45bf8c3	fix: support plugin-level enabled: false in threshold config Setting enabled: false at the plugin level (e.g. memory_monitor: {enabled: false}) was silently ignored because the non-dict value was skipped by the metric parser, leaving THRESHOLD_DEFAULTS entries active. - _parse_plugin_thresholds: detect plugin-level enabled/enable flag and delete all matching entries from target_dict (covers legacy and default config paths) - _parse_multi_config named configs: inject disabled stubs from effective_defaults into raw_overrides so the merge step overwrites inherited defaults - Accept 'enable' as a tolerated alias for 'enabled' in both code paths Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-05-10 17:40:29 -04:00
Andreas Wrede	3e9b052f71	fix: always populate glance-strip for all hosts on page load fetchHostGlance was only called for the initially expanded host, leaving all other hosts showing "—" until manually expanded. Now fetches glance for every host-card on DOMContentLoaded and refreshes all (not just expanded) on the 30s auto-refresh interval. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-05-10 14:13:10 -04:00
Andreas Wrede	7444262985	fix: fetch host info on initial page load DOMContentLoaded was calling fetchHostGlance but not fetchHostInfo, leaving the info-meta section stuck on "Loading…". Both the URL-hash and default first-host paths now call fetchHostInfo and populate infoCache on load. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-05-10 14:08:37 -04:00
Andreas Wrede	3401cc0dbb	version 5.3.1 Release / release (push) Successful in 6s Details	2026-05-10 14:03:58 -04:00
Andreas Wrede	ab0132a38d	fix: correct THRESHOLD_DEFAULTS metric keys and add missing defaults - Rename memory_monitor threshold key from 'percent' to 'memory_percent' so it matches exactly rather than relying on suffix stripping, which was causing swap_percent to be evaluated against the memory threshold - Add swap_percent default thresholds (warning: 40%, critical: 75%) - Add zfs_monitor pool capacity default thresholds (warning: 80%, critical: 90%) Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-05-10 14:03:44 -04:00
andreas	9e389736f8	feat: show suffix-matched metric coverage in host info threshold table Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-05-10 09:18:49 -04:00
andreas	b64a2a9313	feat: move hbc_version and hbc_type out of os_info into host info section	2026-05-10 08:33:28 -04:00
andreas	a52744a448	feat: fetch and render host info section on card expand	2026-05-10 08:31:32 -04:00
andreas	5e2b04b811	feat: add fetchHostInfo and renderInfoSection JS functions Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-05-10 08:29:53 -04:00
andreas	8e07b09d7e	feat: add host info section placeholder and CSS to plugins.html	2026-05-10 08:21:17 -04:00
andreas	653e018e4f	feat: add GET /api/0/hosts/{hostname}/info endpoint	2026-05-10 08:18:49 -04:00
andreas	c7326da7d9	feat: add _build_host_info helper for host info endpoint Extracts host info assembly (owner, managers, hbc version/type, last packet timestamp, threshold configs) into a testable module-level helper, with 10 covering tests. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-05-10 08:17:47 -04:00
andreas	0426a75d8c	docs: add implementation plan for host overview info section Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-05-10 08:09:47 -04:00
andreas	539f25d877	docs: add design spec for host overview info section Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-05-10 08:04:38 -04:00
andreas	3e3099fc6d	version 5.3.0 Release / release (push) Successful in 5s Details	2026-05-09 12:16:09 -04:00
andreas	c9f15a3f1c	fix: correct grace comment in config defaults — additional wait time, not a multiplier	2026-05-09 12:14:47 -04:00
andreas	6e396ad760	fix: correct grace field label and description — it is additional wait time, not a multiplier	2026-05-09 12:13:11 -04:00
andreas	2800de0b4a	fix: preserve .hb.yaml file permissions on backup and atomic write	2026-05-09 12:04:46 -04:00
andreas	15f7e6a64d	feat: profile page self-service for identity, password, and notification channels Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-05-09 11:57:47 -04:00
andreas	9768d13b88	feat: settings page editor with form sections, YAML editors, stage/publish/rollback Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-05-09 11:55:10 -04:00
andreas	8640d731aa	feat: add section_mode, api_section, editable flags and oauth section to settings Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-05-09 11:49:41 -04:00
andreas	de81751e59	fix: validate password body type and coerce notification_channels to strings in PUT /api/0/users/me	2026-05-09 11:46:58 -04:00
andreas	60c692cefc	feat: add PUT /api/0/users/me for user self-service profile updates Allows any authenticated user to update their own full_name, avatar, notification_channels, and password via the config YAML write path. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-05-09 11:45:09 -04:00
andreas	9a0baf3c78	fix: preserve oauth client_secret on roundtrip, harden rollback path validation, guard non-dict payload Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-05-09 11:43:14 -04:00
andreas	55bdb9593a	feat: add config write API (POST /api/0/config, POST /api/0/config/rollback) Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-05-09 11:35:45 -04:00
andreas	2009626fb4	fix: config read API error handling, consistent 403 messages, deduplicate key lists Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-05-09 11:33:18 -04:00
andreas	18769afd37	feat: add config read API (GET /api/0/config, /section/{name}, /backups) Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-05-09 11:25:06 -04:00
andreas	31db5cf35e	fix: configio thread safety, tmp cleanup, backup collision, dns empty handling Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-05-09 11:21:03 -04:00
andreas	326f53f23d	feat: add configio module for comment-preserving YAML round-trip writes Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-05-09 11:11:32 -04:00
andreas	4f9bc8c868	docs: add implementation plan for config editor feature Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-05-09 11:05:05 -04:00
andreas	259b4a3594	docs: design spec for config editor UI with per-user self-service	2026-05-09 10:42:42 -04:00
andreas	8646f68957	feat: log login/logout events to event log with auth source	2026-05-09 09:25:23 -04:00
andreas	a4a6c1e3d9	fix: extend fetch_user error guard; escape HTML in login page Move field-extraction inside the try/except in fetch_user so non-dict responses from providers with empty profile_data_path (Gitea, GitHub) raise OAuthError instead of an uncaught AttributeError. Apply html.escape() to provider name, label, and logo URL in the login page. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-05-09 08:57:25 -04:00
andreas	0e8250362e	feat: multi-provider OAuth2 login page and generic routes Replace hardcoded Gitea OAuth handlers with generic {name}-parameterized routes and update the login page to render a button for each configured provider via oauth_mod.get_providers(). Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-05-09 08:48:23 -04:00
andreas	2f5da9fc5e	fix: coerce malformed profile JSON to OAuthError; add redirect_uri assertion Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-05-09 08:46:19 -04:00
andreas	87aeec5999	feat: generic build_auth_url/exchange_code/fetch_user for multi-provider OAuth2 Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-05-09 08:38:11 -04:00
andreas	f24500a6b5	fix: copy field_map/profile_data_path in get_providers; improve caplog assertions	2026-05-09 08:34:48 -04:00
andreas	a7bb183222	test: assert warning logged when get_providers skips invalid entries	2026-05-09 08:31:09 -04:00
andreas	8207cd7b5f	feat: add PROVIDER_DEFS, ResolvedProvider, get_providers() to oauth.py Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-05-09 08:29:07 -04:00
andreas	11f1eefa8c	docs: implementation plan for multi-provider OAuth2	2026-05-09 08:25:52 -04:00
andreas	62f496e9f8	docs: spec for multi-provider OAuth2 support Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-05-09 08:19:52 -04:00
andreas	aef9e7769b	fix: zfs_monitor alerts dropped on restart with wildcard pool thresholds purge_stale_alerts used _find_threshold to validate alert state keys, but _find_threshold has no wildcard matching. A threshold configured as "zfs_monitor.*.status" never matched the concrete alert state key "zfs_monitor.tank.status", so every restart silently purged active ZFS pool alert states and reset the grace period from scratch. Also fix _check_pending_or_renotify to set last_notification after the grace-period notification fires, so the re-notification interval is anchored to when the alert was actually sent rather than the next PLG cycle. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-05-09 07:42:09 -04:00