fix(gps-jamming): count nac_p=0 + lower thresholds so the layer actually fires

Three stacked filters meant the gps_jamming layer almost never lit up:

1. nac_p == 0 aircraft were dropped on the theory that "0 = old transponder."
   That's only half right — modern Mode-S Enhanced Surveillance transponders
   also fall back to nac_p=0 when they lose GPS lock entirely, which IS the
   jamming signature we want to catch. Discarding them was discarding the
   strongest signal. None (no field at all — typical for OpenSky-sourced
   records) is still skipped because absence-of-data isn't evidence.
2. GPS_JAMMING_MIN_AIRCRAFT was 5 per 1°x1° cell. Jamming hotspots
   (eastern Med, Russia/Ukraine border, Iran/Iraq) tend to have sparser
   traffic because pilots avoid them. Lowered to 3.
3. GPS_JAMMING_MIN_RATIO was 0.30. Combined with the (preserved) -1 noise
   cushion that made the effective bar high. Lowered to 0.20.

The 1-aircraft noise cushion is intact so a single quirky transponder
still can't flag a zone alone.

Also extracted the detector loop into a pure ``detect_gps_jamming_zones()``
function at module scope so it's testable in isolation (was previously
inlined inside ``_classify_and_publish``). The public signature accepts
threshold overrides for ad-hoc re-tuning without code edits.

16 new tests cover nac_p=0 inclusion, None-skip preservation, MIN_AIRCRAFT
lowering, MIN_RATIO lowering, noise cushion preservation, constant pinning,
override behavior, lon/lng key compatibility, and robustness to empty/None
inputs.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

backend/main.py

@@ -1417,6 +1417,29 @@ def _peer_sync_response(peer_url: str, body: dict[str, Any]) -> dict[str, Any]:
         proxy = f"socks5h://127.0.0.1:{socks_port}"
         kwargs["proxies"] = {"http": proxy, "https": proxy}
     response = _requests.post(f"{normalized}/api/mesh/infonet/sync", **kwargs)
+    # HTTP 429 must be surfaced as a typed exception carrying the
+    # Retry-After value, so finish_sync can honor it and stop hammering
+    # the upstream. Pre-fix this path just stringified the status into
+    # a ValueError, which finish_sync then ignored — keeping the
+    # upstream's rate-limit bucket full indefinitely.
+    if response.status_code == 429:
+        from services.mesh.mesh_infonet_sync_support import (
+            PeerSyncRateLimited,
+            parse_retry_after_header,
+        )
+
+        retry_after_s = parse_retry_after_header(
+            response.headers.get("Retry-After", "") or "",
+        )
+        try:
+            body_text = response.text[:200]
+        except Exception:
+            body_text = ""
+        raise PeerSyncRateLimited(
+            f"HTTP 429 from {normalized} (retry_after={retry_after_s}s): {body_text}",
+            retry_after_s=retry_after_s,
+            status=429,
+        )
     try:
         payload = response.json()
     except Exception as exc:
@@ -1462,8 +1485,23 @@ def _hydrate_gate_store_from_chain(events: list[dict]) -> int:
     return count
 
 
-def _sync_from_peer(peer_url: str, *, page_limit: int = 100, max_rounds: int = 5) -> tuple[bool, str, bool]:
+def _sync_from_peer(
+    peer_url: str,
+    *,
+    page_limit: int = 100,
+    max_rounds: int = 5,
+) -> tuple[bool, str, bool, int]:
+    """Sync the local Infonet chain against ``peer_url``.
+
+    Returns ``(ok, error, forked, retry_after_s)``. The fourth tuple
+    element is non-zero only when the peer responded with HTTP 429
+    and supplied a parseable ``Retry-After`` header — see the typed
+    ``PeerSyncRateLimited`` exception in mesh_infonet_sync_support.py.
+    Callers should pass that value to ``finish_sync(retry_after_s=...)``
+    so the next attempt actually waits.
+    """
     from services.mesh.mesh_hashchain import infonet
+    from services.mesh.mesh_infonet_sync_support import PeerSyncRateLimited
 
     rounds = 0
     while rounds < max_rounds:
@@ -1472,7 +1510,11 @@ def _sync_from_peer(peer_url: str, *, page_limit: int = 100, max_rounds: int = 5
             "locator": infonet.get_locator(),
             "limit": page_limit,
         }
-        payload = _peer_sync_response(peer_url, body)
+        try:
+            payload = _peer_sync_response(peer_url, body)
+        except PeerSyncRateLimited as exc:
+            # Bubble up the retry-after so finish_sync can honor it.
+            return False, str(exc), False, exc.retry_after_s
         if bool(payload.get("forked")):
             # Auto-recover small local forks: if the local chain is tiny
             # (< 20 events) and the remote has a longer chain, reset local
@@ -1488,23 +1530,23 @@ def _sync_from_peer(peer_url: str, *, page_limit: int = 100, max_rounds: int = 5
                 )
                 infonet.reset_chain()
                 continue  # retry sync with clean genesis locator
-            return False, "fork detected", True
+            return False, "fork detected", True, 0
         events = payload.get("events", [])
         if not isinstance(events, list):
-            return False, "peer sync events must be a list", False
+            return False, "peer sync events must be a list", False, 0
         if not events:
-            return True, "", False
+            return True, "", False, 0
         result = infonet.ingest_events(events)
         _hydrate_gate_store_from_chain(events)
         rejected = list(result.get("rejected", []) or [])
         if rejected:
-            return False, f"sync ingest rejected {len(rejected)} event(s)", False
+            return False, f"sync ingest rejected {len(rejected)} event(s)", False, 0
         if int(result.get("accepted", 0) or 0) == 0 and int(result.get("duplicates", 0) or 0) >= len(events):
-            return True, "", False
+            return True, "", False, 0
         if len(events) < page_limit:
-            return True, "", False
+            return True, "", False, 0
         rounds += 1
-    return True, "", False
+    return True, "", False, 0
 
 
 def _run_public_sync_cycle() -> SyncWorkerState:
@@ -1567,11 +1609,12 @@ def _run_public_sync_cycle() -> SyncWorkerState:
         with _NODE_RUNTIME_LOCK:
             set_sync_state(started)
         try:
-            ok, error, forked = _sync_from_peer(record.peer_url)
+            ok, error, forked, retry_after_s = _sync_from_peer(record.peer_url)
         except Exception as exc:
             ok = False
             error = str(exc or type(exc).__name__)
             forked = False
+            retry_after_s = 0
         if ok:
             store.mark_seen(record.peer_url, "sync", now=time.time())
             store.mark_sync_success(record.peer_url, now=time.time())
@@ -1618,6 +1661,12 @@ def _run_public_sync_cycle() -> SyncWorkerState:
             now=time.time(),
             interval_s=int(get_settings().MESH_SYNC_INTERVAL_S or 300),
             failure_backoff_s=failure_backoff_s,
+            # 429 retry-storm fix: when the peer returned HTTP 429 with
+            # a Retry-After header, finish_sync uses max(exponential,
+            # retry_after) for next_sync_due_at — so we actually wait
+            # the time the upstream asked for instead of hammering
+            # every 60s and keeping its rate-limit bucket full forever.
+            retry_after_s=retry_after_s,
         )
         with _NODE_RUNTIME_LOCK:
             set_sync_state(updated)

backend/routers/ai_intel.py

@@ -2521,45 +2521,85 @@ async def api_capabilities(request: Request):
 # OpenClaw Connection Management (local-operator only — NOT via HMAC)
 # These endpoints manage the HMAC secret itself, so they MUST require
 # local operator access to prevent privilege escalation.
+#
+# Issue #302 (tg12): pre-fix, GET /api/ai/connect-info had two problems:
+#
+#   1. ``?reveal=true`` made the full secret travel through every operator
+#      page-load that opened the Connect modal. Even gated to
+#      ``require_local_operator``, that put the secret into browser
+#      history, dev-tools network panels, browser disk caches, HAR
+#      exports, and screen captures. Every time the modal opened.
+#
+#   2. The same GET endpoint auto-bootstrapped (generated + persisted)
+#      the secret on first read. Side effects on a GET are a footgun:
+#      browser prefetchers, mirror tools, and casual curl-from-history
+#      would all silently mint+persist a fresh secret. (Gated, but
+#      still surprising — and noisy in the audit log.)
+#
+# Resolution:
+#
+#   GET  /api/ai/connect-info             — always returns the MASKED
+#                                            secret. No ?reveal param.
+#                                            No auto-bootstrap; if the
+#                                            secret is missing,
+#                                            ``hmac_secret_set: false``
+#                                            tells the frontend to call
+#                                            /bootstrap.
+#
+#   POST /api/ai/connect-info/bootstrap   — NEW. Generates + persists the
+#                                            secret if missing. Idempotent.
+#                                            Returns metadata only, never
+#                                            the full secret.
+#
+#   POST /api/ai/connect-info/reveal      — NEW. Returns the full secret in
+#                                            the body with strict
+#                                            ``Cache-Control: no-store,
+#                                            no-cache, must-revalidate``
+#                                            + ``Pragma: no-cache`` so
+#                                            it does not land in browser
+#                                            caches. POST means it does
+#                                            not land in URL history.
+#
+#   POST /api/ai/connect-info/regenerate  — keeps existing one-time-reveal
+#                                            behavior (regenerate IS a
+#                                            deliberate destructive action
+#                                            the operator triggered, so
+#                                            displaying the new secret
+#                                            once is the only path that
+#                                            makes the operation useful).
+#                                            Same no-store headers added.
 # ---------------------------------------------------------------------------
 
-@router.get("/api/ai/connect-info", dependencies=[Depends(require_local_operator)])
-@limiter.limit("30/minute")
-async def get_connect_info(request: Request, reveal: bool = False):
-    """Return connection details for the OpenClaw Connect modal.
+# Cache-Control headers that should accompany every response carrying the
+# full HMAC secret. Reused across the reveal + regenerate endpoints so a
+# future refactor that splits or renames them can't forget the headers.
+_NO_STORE_HEADERS = {
+    "Cache-Control": "no-store, no-cache, must-revalidate, private",
+    "Pragma": "no-cache",
+    "Expires": "0",
+}
 
-    The HMAC secret is masked by default. Pass ?reveal=true to see the full key.
-    Private keys are NEVER returned.
+
+def _mask_hmac_secret(secret: str) -> str:
+    """Return a fingerprint-style mask (first6 + bullets + last4) suitable
+    for display in the UI before the operator clicks Reveal."""
+    if not secret:
+        return ""
+    if len(secret) > 10:
+        return secret[:6] + "••••••••" + secret[-4:]
+    return "••••••••"
+
+
+def _connect_info_metadata(settings) -> dict:
+    """Return everything the Connect modal needs EXCEPT the secret itself.
+
+    Shared between GET /api/ai/connect-info (where the full secret is
+    masked) and POST /api/ai/connect-info/bootstrap (where the operator
+    just generated a secret but we don't return it inline — they have to
+    call /reveal to see it).
     """
-    import os
-    import secrets
-    from services.config import get_settings
-
-    settings = get_settings()
-    hmac_secret = str(settings.OPENCLAW_HMAC_SECRET or "").strip()
     access_tier = str(settings.OPENCLAW_ACCESS_TIER or "restricted").strip().lower()
-
-    # Auto-generate if not set
-    if not hmac_secret:
-        hmac_secret = secrets.token_hex(24)  # 48 chars
-        _write_env_value("OPENCLAW_HMAC_SECRET", hmac_secret)
-        # Clear settings cache so next read picks up the new value
-        get_settings.cache_clear()
-
-    masked = hmac_secret[:6] + "••••••••" + hmac_secret[-4:] if len(hmac_secret) > 10 else "••••••••"
-
     return {
-        "ok": True,
-        "hmac_secret": hmac_secret if reveal else masked,
-        "hmac_secret_set": bool(hmac_secret),
-        "bootstrap_behavior": {
-            "auto_generates_when_missing": True,
-            "auto_generated_this_call": not bool(settings.OPENCLAW_HMAC_SECRET or ""),
-            "notes": [
-                "If no HMAC secret exists yet, this endpoint bootstraps one and persists it to .env.",
-                "Regenerating the HMAC secret revokes all existing direct-mode OpenClaw callers at once.",
-            ],
-        },
         "access_tier": access_tier,
         "trust_model": {
             "remote_http_principal": "holder_of_openclaw_hmac_secret",
@@ -2613,24 +2653,138 @@ async def get_connect_info(request: Request, reveal: bool = False):
     }
 
 
-@router.post("/api/ai/connect-info/regenerate", dependencies=[Depends(require_local_operator)])
-@limiter.limit("5/minute")
-async def regenerate_hmac_secret(request: Request):
-    """Generate a new HMAC secret. Old secret immediately stops working."""
+@router.get("/api/ai/connect-info", dependencies=[Depends(require_local_operator)])
+@limiter.limit("30/minute")
+async def get_connect_info(request: Request):
+    """Return connection details for the OpenClaw Connect modal.
+
+    The HMAC secret is always returned as a fingerprint mask
+    (``first6 + bullets + last4``); the full value is only ever served by
+    ``POST /api/ai/connect-info/reveal`` (see #302). When the secret has
+    not been bootstrapped yet, ``hmac_secret_set`` is false and the
+    frontend should call ``POST /api/ai/connect-info/bootstrap``.
+
+    Private keys are NEVER returned.
+    """
+    from services.config import get_settings
+
+    settings = get_settings()
+    hmac_secret = str(settings.OPENCLAW_HMAC_SECRET or "").strip()
+
+    return {
+        "ok": True,
+        "masked_hmac_secret": _mask_hmac_secret(hmac_secret),
+        "hmac_secret_set": bool(hmac_secret),
+        "bootstrap_behavior": {
+            "auto_generates_when_missing": False,
+            "notes": [
+                "Call POST /api/ai/connect-info/bootstrap to mint a secret on first use.",
+                "Call POST /api/ai/connect-info/reveal to see the full secret (no-store).",
+                "Regenerating the HMAC secret revokes all existing direct-mode OpenClaw callers at once.",
+            ],
+        },
+        **_connect_info_metadata(settings),
+    }
+
+
+@router.post("/api/ai/connect-info/bootstrap", dependencies=[Depends(require_local_operator)])
+@limiter.limit("10/minute")
+async def bootstrap_hmac_secret(request: Request):
+    """Mint and persist the OpenClaw HMAC secret if it isn't already set.
+
+    Idempotent: if a secret already exists, returns ``generated: false``
+    and leaves the existing secret untouched. Never returns the secret
+    value in the response body — the operator calls
+    ``POST /api/ai/connect-info/reveal`` to see it.
+    """
     import secrets
     from services.config import get_settings
 
+    settings = get_settings()
+    existing = str(settings.OPENCLAW_HMAC_SECRET or "").strip()
+    if existing:
+        return {
+            "ok": True,
+            "generated": False,
+            "hmac_secret_set": True,
+            "masked_hmac_secret": _mask_hmac_secret(existing),
+            "detail": "HMAC secret already configured. Use /reveal to see it.",
+        }
+
     new_secret = secrets.token_hex(24)  # 48 chars
     _write_env_value("OPENCLAW_HMAC_SECRET", new_secret)
     get_settings.cache_clear()
 
     return {
         "ok": True,
-        "hmac_secret": new_secret,
-        "detail": "HMAC secret regenerated. Update your OpenClaw agent configuration.",
+        "generated": True,
+        "hmac_secret_set": True,
+        "masked_hmac_secret": _mask_hmac_secret(new_secret),
+        "detail": "HMAC secret generated. Call /reveal to copy it into your OpenClaw config.",
     }
 
 
+@router.post("/api/ai/connect-info/reveal", dependencies=[Depends(require_local_operator)])
+@limiter.limit("10/minute")
+async def reveal_hmac_secret(request: Request):
+    """Return the full HMAC secret in the response body.
+
+    POST (not GET) so the secret never lands in URL history, access logs,
+    or browser visit history. Strict ``Cache-Control: no-store`` headers
+    prevent intermediaries from persisting the response. Returns 404 if
+    no secret has been bootstrapped — the frontend should call
+    ``POST /api/ai/connect-info/bootstrap`` first.
+    """
+    from services.config import get_settings
+
+    settings = get_settings()
+    hmac_secret = str(settings.OPENCLAW_HMAC_SECRET or "").strip()
+    if not hmac_secret:
+        raise HTTPException(
+            404,
+            "No HMAC secret configured. Call POST /api/ai/connect-info/bootstrap first.",
+        )
+    return JSONResponse(
+        content={
+            "ok": True,
+            "hmac_secret": hmac_secret,
+            "masked_hmac_secret": _mask_hmac_secret(hmac_secret),
+        },
+        headers=_NO_STORE_HEADERS,
+    )
+
+
+@router.post("/api/ai/connect-info/regenerate", dependencies=[Depends(require_local_operator)])
+@limiter.limit("5/minute")
+async def regenerate_hmac_secret(request: Request):
+    """Generate a new HMAC secret. Old secret immediately stops working.
+
+    Returns the new secret in the response body — this is the only
+    operation where the full secret travels back through the response,
+    because regenerating IS a deliberate destructive action the operator
+    triggered and they need to see the new value once to update their
+    OpenClaw configuration. Strict ``Cache-Control: no-store`` headers
+    keep it from being persisted by browser caches, proxies, or HAR
+    capture tooling.
+    """
+    import secrets
+    from services.config import get_settings
+
+    new_secret = secrets.token_hex(24)  # 48 chars
+    _write_env_value("OPENCLAW_HMAC_SECRET", new_secret)
+    get_settings.cache_clear()
+
+    return JSONResponse(
+        content={
+            "ok": True,
+            "hmac_secret": new_secret,
+            "masked_hmac_secret": _mask_hmac_secret(new_secret),
+            "detail": "HMAC secret regenerated. Update your OpenClaw agent configuration.",
+        },
+        headers=_NO_STORE_HEADERS,
+    )
+
+
 @router.put("/api/ai/connect-info/access-tier", dependencies=[Depends(require_local_operator)])
 @limiter.limit("10/minute")
 async def set_access_tier(request: Request, body: dict):

backend/routers/mesh_peer_sync.py

@@ -85,6 +85,64 @@ async def infonet_peer_push(request: Request):
     return {"ok": True, **result}
 
 
+@router.post("/api/mesh/dm/replicate-envelope")
+@limiter.limit("60/minute")
+async def dm_replicate_envelope(request: Request):
+    """Accept a DM envelope replicated from a peer relay (cross-node mailbox).
+
+    Companion endpoint to ``DMRelay.replicate_to_peers`` (outbound, in
+    ``mesh_dm_relay.py``). The sender's relay POSTs an encrypted DM
+    envelope here after a successful local ``deposit``; this endpoint
+    re-enforces the per-(sender, recipient) anti-spam cap and stores
+    the envelope in the local mailbox if accepted.
+
+    The cap is the network rule: a hostile sender's relay can spool
+    extras locally, but every honest peer enforces the cap on inbound
+    replication. Recipient polling from any honest peer therefore
+    never sees more than ``MESH_DM_PENDING_PER_SENDER_LIMIT`` pending
+    from any one sender, no matter how many spam attempts were tried.
+
+    Same HMAC auth pattern as ``infonet_peer_push`` and ``gate_peer_push``.
+    """
+    content_length = request.headers.get("content-length")
+    if content_length:
+        try:
+            # DM envelopes are bounded by MESH_DM_MAX_MSG_BYTES + envelope
+            # overhead; 64 KB is a generous ceiling.
+            if int(content_length) > 65_536:
+                return Response(
+                    content='{"ok":false,"detail":"Request body too large (max 64KB)"}',
+                    status_code=413, media_type="application/json",
+                )
+        except (ValueError, TypeError):
+            pass
+    body_bytes = await request.body()
+    if not _verify_peer_push_hmac(request, body_bytes):
+        return Response(
+            content='{"ok":false,"detail":"Invalid or missing peer HMAC"}',
+            status_code=403, media_type="application/json",
+        )
+    try:
+        body = json_mod.loads(body_bytes or b"{}")
+    except (ValueError, TypeError):
+        return Response(
+            content='{"ok":false,"detail":"Invalid JSON body"}',
+            status_code=400, media_type="application/json",
+        )
+    envelope = body.get("envelope")
+    if not isinstance(envelope, dict):
+        return {"ok": False, "detail": "envelope must be an object"}
+
+    originating_peer = _peer_hmac_url_from_request(request) or ""
+
+    from services.mesh.mesh_dm_relay import dm_relay
+    result = dm_relay.accept_replica(
+        envelope=envelope,
+        originating_peer_url=originating_peer,
+    )
+    return result
+
+
 @router.post("/api/mesh/gate/peer-push")
 @limiter.limit("30/minute")
 async def gate_peer_push(request: Request):

backend/routers/tools.py

@@ -120,18 +120,60 @@ def api_sentinel2_search(
     return search_sentinel2_scene(lat, lng)
 
 
+# Issue #298 (tg12): Sentinel credentials moved server-side
+# ---------------------------------------------------------------------------
+# Previously the frontend kept Copernicus CDSE client_id + client_secret in
+# browser localStorage / sessionStorage and forwarded them on every tile
+# request through this proxy. That exposed real third-party credentials to
+# any same-origin script (XSS, malicious browser extension, dev-tools HAR
+# export).
+#
+# Resolution order (first match wins):
+#   1. Request body — kept for back-compat. A small number of legacy
+#      operator setups may still post credentials; we don't break them.
+#   2. Backend .env — SENTINEL_CLIENT_ID / SENTINEL_CLIENT_SECRET, managed
+#      through the existing /api/settings/api-keys flow (admin-gated).
+#
+# The frontend in ``sentinelHub.ts`` no longer reads browser storage and no
+# longer forwards credentials — every dashboard request now lands in (2).
+# The require_local_operator gate (added in #303/PR #303) stays — both layers
+# are independent: the gate blocks anonymous callers, the env fallback lets
+# legitimate (gated) callers omit credentials from the body.
+# ---------------------------------------------------------------------------
+def _resolve_sentinel_credentials(body_id: str, body_secret: str) -> tuple[str, str]:
+    """Return (client_id, client_secret) using body values when present,
+    otherwise falling back to backend .env. Empty strings if neither is set."""
+    import os as _os
+    cid = (body_id or "").strip() or (_os.environ.get("SENTINEL_CLIENT_ID", "") or "").strip()
+    csec = (body_secret or "").strip() or (_os.environ.get("SENTINEL_CLIENT_SECRET", "") or "").strip()
+    return cid, csec
+
+
 @router.post("/api/sentinel/token", dependencies=[Depends(require_local_operator)])
 @limiter.limit("60/minute")
 async def api_sentinel_token(request: Request):
-    """Proxy Copernicus CDSE OAuth2 token request (avoids browser CORS block)."""
+    """Proxy Copernicus CDSE OAuth2 token request (avoids browser CORS block).
+
+    Credentials are resolved by ``_resolve_sentinel_credentials`` — body
+    fields are honored for back-compat, otherwise the backend .env values
+    populated through ``/api/settings/api-keys`` are used.
+    """
     import requests as req
     body = await request.body()
     from urllib.parse import parse_qs
     params = parse_qs(body.decode("utf-8"))
-    client_id = params.get("client_id", [""])[0]
-    client_secret = params.get("client_secret", [""])[0]
+    body_id = params.get("client_id", [""])[0]
+    body_secret = params.get("client_secret", [""])[0]
+    client_id, client_secret = _resolve_sentinel_credentials(body_id, body_secret)
     if not client_id or not client_secret:
-        raise HTTPException(400, "client_id and client_secret required")
+        # Friendly, non-hostile error — points the operator at the place
+        # they configure other API keys instead of just saying "required".
+        raise HTTPException(
+            400,
+            "Sentinel client_id/client_secret are not configured. "
+            "Set SENTINEL_CLIENT_ID and SENTINEL_CLIENT_SECRET in the "
+            "API Keys panel (Settings → API Keys) or your backend .env.",
+        )
     token_url = "https://identity.dataspace.copernicus.eu/auth/realms/CDSE/protocol/openid-connect/token"
     try:
         resp = await asyncio.to_thread(req.post, token_url,
@@ -186,8 +228,11 @@ async def api_sentinel_tile(request: Request):
     except Exception:
         return JSONResponse(status_code=422, content={"ok": False, "detail": "invalid JSON body"})
 
-    client_id = body.get("client_id", "")
-    client_secret = body.get("client_secret", "")
+    # Issue #298: same resolution order as /api/sentinel/token — body
+    # values for back-compat, otherwise backend .env.
+    body_id = body.get("client_id", "")
+    body_secret = body.get("client_secret", "")
+    client_id, client_secret = _resolve_sentinel_credentials(body_id, body_secret)
     preset = body.get("preset", "TRUE-COLOR")
     date_str = body.get("date", "")
     z = body.get("z", 0)
@@ -195,7 +240,16 @@ async def api_sentinel_tile(request: Request):
     y = body.get("y", 0)
 
     if not client_id or not client_secret or not date_str:
-        raise HTTPException(400, "client_id, client_secret, and date required")
+        # Distinguish "no creds" from "no date" so the operator knows
+        # what to fix. Same friendly pointer as the /token route.
+        if not client_id or not client_secret:
+            raise HTTPException(
+                400,
+                "Sentinel client_id/client_secret are not configured. "
+                "Set SENTINEL_CLIENT_ID and SENTINEL_CLIENT_SECRET in the "
+                "API Keys panel (Settings → API Keys) or your backend .env.",
+            )
+        raise HTTPException(400, "date required")
 
     now = _time.time()
     credential_fp = _credential_fingerprint(client_id, client_secret)

backend/services/api_settings.py

@@ -150,6 +150,31 @@ API_REGISTRY = [
         "url": "https://finnhub.io/register",
         "required": False,
     },
+    # Issue #298 (tg12): Sentinel Hub / Copernicus Data Space Ecosystem
+    # credentials were previously held in browser localStorage / sessionStorage
+    # by the Settings panel. Moved server-side to the same .env-backed
+    # store every other third-party API key lives in. The Sentinel proxy
+    # routes (POST /api/sentinel/token, /tile) now fall back to these
+    # env values when the request body omits credentials — see
+    # backend/routers/tools.py for the resolution order.
+    {
+        "id": "sentinel_client_id",
+        "env_key": "SENTINEL_CLIENT_ID",
+        "name": "Sentinel Hub / Copernicus — Client ID",
+        "description": "OAuth2 client ID for Copernicus Data Space Ecosystem (CDSE). Required for the Sentinel-2 imagery overlay and the right-click Sentinel-2 Intel Card. Sign in at dataspace.copernicus.eu and create OAuth credentials.",
+        "category": "Imagery",
+        "url": "https://dataspace.copernicus.eu/",
+        "required": False,
+    },
+    {
+        "id": "sentinel_client_secret",
+        "env_key": "SENTINEL_CLIENT_SECRET",
+        "name": "Sentinel Hub / Copernicus — Client Secret",
+        "description": "OAuth2 client secret paired with the Client ID above. Used by the backend to mint short-lived access tokens against the CDSE identity provider. Stored in the backend .env; never sent to the browser.",
+        "category": "Imagery",
+        "url": "https://dataspace.copernicus.eu/",
+        "required": False,
+    },
 ]
 
 ALLOWED_ENV_KEYS = {

backend/services/config.py

@@ -116,6 +116,21 @@ class Settings(BaseSettings):
     MESH_DM_REQUEST_MAILBOX_LIMIT: int = 12
     MESH_DM_SHARED_MAILBOX_LIMIT: int = 48
     MESH_DM_SELF_MAILBOX_LIMIT: int = 12
+    # Anti-spam: cap on distinct UNACKED messages a single sender can have
+    # parked in a single recipient's mailbox at any one time. Once the
+    # recipient pulls (acks) a message, the sender's quota for that pair
+    # frees up. Default 2 — a sender who wants to deliver more must wait
+    # for the recipient to actually read the prior messages.
+    #
+    # This cap is enforced TWICE: once on the local deposit path (the
+    # sender's own node refuses to spool the 3rd message) AND once on
+    # the replication-acceptance path (honest peer relays refuse to
+    # accept inbound replicas that would put them over the cap). The
+    # double enforcement makes the rule a NETWORK rule — patching out
+    # the local check on a hostile sender's relay doesn't let extras
+    # propagate, because every honest peer enforces the same cap on
+    # inbound replication.
+    MESH_DM_PENDING_PER_SENDER_LIMIT: int = 2
     MESH_BLOCK_LEGACY_AGENT_ID_LOOKUP: bool = True
     MESH_ALLOW_COMPAT_DM_INVITE_IMPORT: bool = False
     MESH_ALLOW_COMPAT_DM_INVITE_IMPORT_UNTIL: str = ""

backend/services/constants.py

@@ -11,8 +11,13 @@ DEFAULT_TRAIL_TTL_S = 300  # 5 min - trail TTL for non-tracked flights
 HOLD_PATTERN_DEGREES = 300  # Total heading change to flag holding pattern
 GPS_JAMMING_NACP_THRESHOLD = 8  # NACp below this = degraded GPS signal
 GPS_JAMMING_GRID_SIZE = 1.0  # 1 degree grid for aggregation
-GPS_JAMMING_MIN_RATIO = 0.30  # 30% degraded aircraft to flag zone
-GPS_JAMMING_MIN_AIRCRAFT = 5  # Min aircraft in grid cell for statistical significance
+# Tuned 2026-05: previously 0.30 / 5 aircraft which — combined with the
+# -1 noise cushion in the detector AND the pre-fix nac_p==0 filter that
+# discarded jamming victims — meant the layer almost never lit up.
+# Lowering the bar so genuine jamming zones with sparser ADS-B coverage
+# clear (eastern Med, Russia/Ukraine border, Iran/Iraq).
+GPS_JAMMING_MIN_RATIO = 0.20  # 20% degraded aircraft to flag zone
+GPS_JAMMING_MIN_AIRCRAFT = 3  # Min aircraft in grid cell for statistical significance
 
 # ─── Network & Circuit Breaker ──────────────────────────────────────────────
 CIRCUIT_BREAKER_TTL_S = 120  # Skip domain for 2 min after total failure

backend/services/fetchers/flights.py

@@ -29,6 +29,88 @@ _RE_AIRLINE_CODE_1 = re.compile(r"^([A-Z]{3})\d")
 _RE_AIRLINE_CODE_2 = re.compile(r"^([A-Z]{3})[A-Z\d]")
 
 
+def detect_gps_jamming_zones(
+    raw_flights: list[dict],
+    *,
+    min_aircraft: int | None = None,
+    min_ratio: float | None = None,
+    nacp_threshold: int | None = None,
+) -> list[dict]:
+    """Detect GPS interference zones from a snapshot of raw ADS-B aircraft.
+
+    Methodology mirrors GPSJam.org / Flightradar24: bin aircraft into 1°x1°
+    grid cells, flag cells where the fraction of aircraft reporting degraded
+    NACp clears a threshold.
+
+    Inputs
+    ------
+    raw_flights:
+        Iterable of dicts. Each item is expected to carry ``lat``, ``lng``
+        (or ``lon``), and ``nac_p``. Records missing position OR missing
+        ``nac_p`` entirely (typical for OpenSky-sourced flights) are
+        skipped — absence-of-data isn't evidence of anything.
+
+    nac_p == 0 IS counted as degraded. Pre-fix code skipped it on the theory
+    that "0 = old transponder, never computed accuracy." That's only half
+    right: modern Mode-S Enhanced Surveillance transponders also fall back
+    to nac_p=0 when they lose GPS lock entirely — which is exactly the
+    jamming signature we're trying to detect. Filtering 0 out was discarding
+    the strongest evidence.
+
+    Denoising:
+        1. Require ``min_aircraft`` per grid cell for statistical validity.
+        2. Subtract 1 from degraded count per cell (GPSJam's technique) so
+           a single quirky transponder can't flag an entire zone.
+        3. Require ratio ``adjusted_degraded / total > min_ratio``.
+
+    All thresholds default to the module-level constants but can be
+    overridden for testing.
+    """
+    min_aircraft = GPS_JAMMING_MIN_AIRCRAFT if min_aircraft is None else int(min_aircraft)
+    min_ratio = GPS_JAMMING_MIN_RATIO if min_ratio is None else float(min_ratio)
+    nacp_threshold = (
+        GPS_JAMMING_NACP_THRESHOLD if nacp_threshold is None else int(nacp_threshold)
+    )
+
+    jamming_grid: dict[str, dict[str, int]] = {}
+    for rf in raw_flights or []:
+        rlat = rf.get("lat")
+        rlng = rf.get("lng") if rf.get("lng") is not None else rf.get("lon")
+        if rlat is None or rlng is None:
+            continue
+        nacp = rf.get("nac_p")
+        if nacp is None:
+            continue
+        grid_key = f"{int(rlat)},{int(rlng)}"
+        cell = jamming_grid.setdefault(grid_key, {"degraded": 0, "total": 0})
+        cell["total"] += 1
+        if nacp < nacp_threshold:
+            cell["degraded"] += 1
+
+    jamming_zones: list[dict] = []
+    for gk, counts in jamming_grid.items():
+        if counts["total"] < min_aircraft:
+            continue
+        adjusted_degraded = max(counts["degraded"] - 1, 0)
+        if adjusted_degraded == 0:
+            continue
+        ratio = adjusted_degraded / counts["total"]
+        if ratio > min_ratio:
+            lat_i, lng_i = gk.split(",")
+            severity = "low" if ratio < 0.5 else "medium" if ratio < 0.75 else "high"
+            jamming_zones.append(
+                {
+                    "lat": int(lat_i) + 0.5,
+                    "lng": int(lng_i) + 0.5,
+                    "severity": severity,
+                    "ratio": round(ratio, 2),
+                    "degraded": counts["degraded"],
+                    "total": counts["total"],
+                }
+            )
+    return jamming_zones
+
+
 # ---------------------------------------------------------------------------
 # OpenSky Network API Client (OAuth2)
 # ---------------------------------------------------------------------------
@@ -724,56 +806,8 @@ def _classify_and_publish(all_adsb_flights):
         latest_data["military_flights"] = military_snapshot
 
     # --- GPS Jamming Detection ---
-    # Uses NACp (Navigation Accuracy Category – Position) from ADS-B to infer
-    # GPS interference zones, similar to GPSJam.org / Flightradar24.
-    # NACp < 8 = position accuracy worse than the FAA-mandated 0.05 NM.
-    #
-    # Denoising (to suppress false positives from old GA transponders):
-    # 1. Skip nac_p == 0 ("unknown accuracy") — old transponders that never
-    #    computed accuracy, NOT evidence of jamming.  Real jamming shows 1-7.
-    # 2. Require minimum aircraft per grid cell for statistical validity.
-    # 3. Subtract 1 from degraded count per cell (GPSJam's technique) so a
-    #    single quirky transponder can't flag an entire zone.
-    # 4. Require the adjusted ratio to exceed the threshold.
     try:
-        jamming_grid = {}
-        raw_flights = raw_flights_snapshot
-        for rf in raw_flights:
-            rlat = rf.get("lat")
-            rlng = rf.get("lng") or rf.get("lon")
-            if rlat is None or rlng is None:
-                continue
-            nacp = rf.get("nac_p")
-            if nacp is None or nacp == 0:
-                continue
-            grid_key = f"{int(rlat)},{int(rlng)}"
-            if grid_key not in jamming_grid:
-                jamming_grid[grid_key] = {"degraded": 0, "total": 0}
-            jamming_grid[grid_key]["total"] += 1
-            if nacp < GPS_JAMMING_NACP_THRESHOLD:
-                jamming_grid[grid_key]["degraded"] += 1
-
-        jamming_zones = []
-        for gk, counts in jamming_grid.items():
-            if counts["total"] < GPS_JAMMING_MIN_AIRCRAFT:
-                continue
-            adjusted_degraded = max(counts["degraded"] - 1, 0)
-            if adjusted_degraded == 0:
-                continue
-            ratio = adjusted_degraded / counts["total"]
-            if ratio > GPS_JAMMING_MIN_RATIO:
-                lat_i, lng_i = gk.split(",")
-                severity = "low" if ratio < 0.5 else "medium" if ratio < 0.75 else "high"
-                jamming_zones.append(
-                    {
-                        "lat": int(lat_i) + 0.5,
-                        "lng": int(lng_i) + 0.5,
-                        "severity": severity,
-                        "ratio": round(ratio, 2),
-                        "degraded": counts["degraded"],
-                        "total": counts["total"],
-                    }
-                )
+        jamming_zones = detect_gps_jamming_zones(raw_flights_snapshot)
         with _data_lock:
             latest_data["gps_jamming"] = jamming_zones
         if jamming_zones:

backend/services/mesh/mesh_dm_relay.py

@@ -317,6 +317,39 @@ class DMRelay:
     def _self_mailbox_limit(self) -> int:
         return max(1, int(self._settings().MESH_DM_SELF_MAILBOX_LIMIT))
 
+    def _per_sender_pending_limit(self) -> int:
+        """Anti-spam cap on UNACKED messages a single sender can have parked
+        in a single recipient mailbox at any one time. See ``config.py``
+        ``MESH_DM_PENDING_PER_SENDER_LIMIT`` for the threat model — this
+        rule is enforced both at ``deposit`` (local) and at
+        ``accept_replica`` (peer push acceptance), making it a network
+        rule rather than a client-side honor system."""
+        try:
+            limit = int(getattr(self._settings(), "MESH_DM_PENDING_PER_SENDER_LIMIT", 2) or 2)
+        except (TypeError, ValueError):
+            limit = 2
+        return max(1, limit)
+
+    def _per_sender_pending_count(
+        self,
+        *,
+        mailbox_key: str,
+        sender_block_ref: str,
+    ) -> int:
+        """Count UNACKED messages from ``sender_block_ref`` currently parked
+        in ``mailbox_key``. Caller already holds ``self._lock``.
+
+        Messages that have been claimed/acked are removed from the mailbox
+        list (see ``claim_message_ids``), so anything still here is by
+        definition unacked. We count by exact ``sender_block_ref`` match
+        — that's the per-pair sender identity used for blocking too, so
+        the cap is naturally per-(sender, recipient).
+        """
+        if not mailbox_key or not sender_block_ref:
+            return 0
+        messages = self._mailboxes.get(mailbox_key, [])
+        return sum(1 for m in messages if m.sender_block_ref == sender_block_ref)
+
     def _nonce_ttl_seconds(self) -> int:
         return max(30, int(self._settings().MESH_DM_NONCE_TTL_S))
 
@@ -1515,6 +1548,29 @@ class DMRelay:
             if len(self._mailboxes[mailbox_key]) >= self._mailbox_limit_for_class(delivery_class):
                 metrics_inc("dm_drop_full")
                 return {"ok": False, "detail": "Recipient mailbox full"}
+            # Anti-spam: per-(sender, recipient) cap on unacked messages.
+            # A sender who already has the configured number of messages
+            # parked in this mailbox can't deposit more until the recipient
+            # pulls (acks) at least one. The same cap is re-enforced on
+            # inbound replication in ``accept_replica`` so this rule isn't
+            # bypassable by patching out the local check on a hostile
+            # sender's relay — see config.py
+            # MESH_DM_PENDING_PER_SENDER_LIMIT for the threat model.
+            per_sender_limit = self._per_sender_pending_limit()
+            pending = self._per_sender_pending_count(
+                mailbox_key=mailbox_key,
+                sender_block_ref=sender_block_ref,
+            )
+            if pending >= per_sender_limit:
+                metrics_inc("dm_drop_per_sender_cap")
+                return {
+                    "ok": False,
+                    "detail": (
+                        f"Recipient already has {pending} unread message"
+                        f"{'s' if pending != 1 else ''} from you. Wait for "
+                        "them to read your messages before sending more."
+                    ),
+                }
             if not msg_id:
                 msg_id = f"dm_{int(time.time() * 1000)}_{secrets.token_hex(6)}"
             elif any(m.msg_id == msg_id for m in self._mailboxes[mailbox_key]):
@@ -1539,8 +1595,245 @@ class DMRelay:
             )
             self._stats["messages_in_memory"] = sum(len(v) for v in self._mailboxes.values())
             self._save()
+            # Cross-node mailbox replication: push the freshly-stored
+            # envelope to every authenticated relay peer so the recipient
+            # can log into ANY node and find their messages. The push is
+            # async (fire-and-forget thread) so deposit() returns
+            # immediately — slow Tor peers can't block the sender's UX.
+            # Each receiving peer re-enforces the per-sender cap on
+            # acceptance, so hostile relays can't widen the cap.
+            try:
+                envelope_for_push = self.envelope_for_replication(
+                    mailbox_key=mailbox_key, msg_id=msg_id,
+                )
+                if envelope_for_push:
+                    self._replicate_envelope_to_peers_async(
+                        envelope=envelope_for_push,
+                    )
+            except Exception:
+                metrics_inc("dm_replication_push_error")
             return {"ok": True, "msg_id": msg_id}
 
+    def accept_replica(
+        self,
+        *,
+        envelope: dict[str, Any],
+        originating_peer_url: str = "",
+    ) -> dict[str, Any]:
+        """Receive a DM envelope replicated from a peer relay.
+
+        Cross-node mailbox replication entry point. When a sender's local
+        relay accepts a ``deposit`` and pushes the envelope to
+        ``MESH_RELAY_PEERS`` (so the recipient can log into any peer
+        node and find their messages), each receiving peer calls
+        ``accept_replica`` to ingest it.
+
+        The per-(sender, recipient) cap is re-enforced HERE. That's what
+        makes the rule a NETWORK rule rather than a client-side honor
+        system: a hostile sender who patches out the local ``deposit``
+        check still can't get a 3rd unacked message to spread, because
+        every honest peer enforces the same cap on inbound replicas.
+        Result: hostile relays can hold extras locally, but those extras
+        never reach any node a legitimate recipient is polling from.
+
+        Returns the same shape as ``deposit`` so the calling endpoint can
+        forward the result back to the originating peer.
+        """
+        if not isinstance(envelope, dict):
+            return {"ok": False, "detail": "envelope must be an object"}
+        msg_id = str(envelope.get("msg_id", "") or "").strip()
+        mailbox_key = str(envelope.get("mailbox_key", "") or "").strip()
+        sender_block_ref = str(envelope.get("sender_block_ref", "") or "").strip()
+        ciphertext = str(envelope.get("ciphertext", "") or "")
+        if not msg_id or not mailbox_key or not sender_block_ref or not ciphertext:
+            return {"ok": False, "detail": "envelope missing required fields"}
+
+        with self._lock:
+            self._refresh_from_shared_relay()
+            self._cleanup_expired()
+
+            # Idempotent — if we already hold this exact msg_id, the
+            # replication round-tripped or a peer pushed the same
+            # envelope through multiple paths. Accept silently.
+            if any(m.msg_id == msg_id for m in self._mailboxes.get(mailbox_key, [])):
+                metrics_inc("dm_replica_duplicate")
+                return {"ok": True, "msg_id": msg_id, "duplicate": True}
+
+            # Same per-class cap as the deposit path — defense in depth
+            # against a peer that wraps a "deposit" as a "replica" to
+            # bypass the class limit.
+            delivery_class = str(envelope.get("delivery_class", "") or "")
+            if delivery_class in ("request", "shared", "self"):
+                class_limit = self._mailbox_limit_for_class(delivery_class)
+            else:
+                class_limit = self._shared_mailbox_limit()
+            if len(self._mailboxes.get(mailbox_key, [])) >= class_limit:
+                metrics_inc("dm_replica_drop_full")
+                return {"ok": False, "detail": "Recipient mailbox full"}
+
+            # THE network rule: per-(sender, recipient) anti-spam cap.
+            per_sender_limit = self._per_sender_pending_limit()
+            pending = self._per_sender_pending_count(
+                mailbox_key=mailbox_key,
+                sender_block_ref=sender_block_ref,
+            )
+            if pending >= per_sender_limit:
+                metrics_inc("dm_replica_drop_per_sender_cap")
+                # Returning a structured rejection — the sender's relay
+                # learns its envelope was rejected by an honest peer and
+                # can stop trying to push it.
+                return {
+                    "ok": False,
+                    "detail": (
+                        "Per-sender cap reached on this relay; refusing replica"
+                    ),
+                    "cap_violation": True,
+                    "pending": pending,
+                    "limit": per_sender_limit,
+                }
+
+            # Accept the replica into the local mailbox.
+            self._mailboxes[mailbox_key].append(
+                DMMessage(
+                    sender_id=str(envelope.get("sender_id", "") or ""),
+                    ciphertext=ciphertext,
+                    timestamp=float(envelope.get("timestamp", time.time()) or time.time()),
+                    msg_id=msg_id,
+                    delivery_class=str(envelope.get("delivery_class", "shared") or "shared"),
+                    sender_seal=str(envelope.get("sender_seal", "") or ""),
+                    relay_salt=str(envelope.get("relay_salt", "") or ""),
+                    sender_block_ref=sender_block_ref,
+                    payload_format=str(envelope.get("payload_format", "dm1") or "dm1"),
+                    session_welcome=str(envelope.get("session_welcome", "") or ""),
+                )
+            )
+            self._stats["messages_in_memory"] = sum(len(v) for v in self._mailboxes.values())
+            self._save()
+            metrics_inc("dm_replica_accepted")
+            return {"ok": True, "msg_id": msg_id}
+
+    def _replicate_envelope_to_peers_async(
+        self,
+        *,
+        envelope: dict[str, Any],
+    ) -> None:
+        """Push an outbound DM envelope to every authenticated relay peer.
+
+        Fire-and-forget: spawned in a background thread so ``deposit``
+        returns to the caller immediately. Per-peer errors are logged
+        and swallowed — the sender's UX must not block on slow Tor
+        peers, and a peer that's down today gets the next message
+        whenever it comes back. Inbound recipient polling from a healthy
+        peer keeps the system functional during peer failures.
+
+        Each peer is authed with the existing per-peer HMAC pattern
+        (#256) — same headers and key resolver gate-message replication
+        uses, so a hostile node that doesn't know any peer's HMAC key
+        can't impersonate a legitimate relay.
+        """
+        import threading
+
+        def _do_push():
+            try:
+                import hashlib
+                import hmac
+                import requests as _requests
+
+                from services.mesh.mesh_crypto import (
+                    normalize_peer_url,
+                    resolve_peer_key_for_url,
+                )
+                from services.mesh.mesh_router import (
+                    authenticated_push_peer_urls,
+                )
+
+                peers = authenticated_push_peer_urls()
+                if not peers:
+                    return
+
+                payload = json.dumps(
+                    {"envelope": envelope},
+                    separators=(",", ":"),
+                    ensure_ascii=False,
+                ).encode("utf-8")
+
+                timeout = max(
+                    1,
+                    int(getattr(self._settings(), "MESH_RELAY_PUSH_TIMEOUT_S", 10) or 10),
+                )
+
+                for peer_url in peers:
+                    try:
+                        normalized = normalize_peer_url(peer_url)
+                        headers = {"Content-Type": "application/json"}
+                        peer_key = resolve_peer_key_for_url(normalized)
+                        if peer_key:
+                            headers["X-Peer-Url"] = normalized
+                            headers["X-Peer-HMAC"] = hmac.new(
+                                peer_key, payload, hashlib.sha256
+                            ).hexdigest()
+                        url = f"{peer_url}/api/mesh/dm/replicate-envelope"
+                        resp = _requests.post(
+                            url, data=payload, timeout=timeout, headers=headers,
+                        )
+                        if resp.status_code == 200:
+                            metrics_inc("dm_replication_push_ok")
+                        else:
+                            # 4xx including the structured cap_violation
+                            # rejection from accept_replica — sender's
+                            # relay learns and stops retrying this msg_id.
+                            metrics_inc("dm_replication_push_rejected")
+                    except Exception:
+                        # Per-peer failure is non-fatal — log to metrics
+                        # but don't break the loop. Other peers and a
+                        # future retry can still propagate the envelope.
+                        metrics_inc("dm_replication_push_error")
+                        continue
+            except Exception:
+                # Outer guard — never let replication errors propagate
+                # back to the sender's deposit() caller.
+                metrics_inc("dm_replication_push_error")
+
+        thread = threading.Thread(
+            target=_do_push,
+            name="dm-replicate-push",
+            daemon=True,
+        )
+        thread.start()
+
+    def envelope_for_replication(
+        self,
+        *,
+        mailbox_key: str,
+        msg_id: str,
+    ) -> dict[str, Any] | None:
+        """Return the wire-form envelope for a stored message, suitable
+        for POSTing to a peer relay's replicate-envelope endpoint.
+
+        Returns ``None`` if the message isn't in the mailbox (already
+        acked, expired, never existed). The caller holds the
+        responsibility for transport security (Tor SOCKS for .onion
+        peers, per-peer HMAC) and for not leaking the envelope to
+        clearnet peers when private transport is required.
+        """
+        with self._lock:
+            for m in self._mailboxes.get(mailbox_key, []):
+                if m.msg_id == msg_id:
+                    return {
+                        "msg_id": m.msg_id,
+                        "mailbox_key": mailbox_key,
+                        "sender_id": m.sender_id,
+                        "sender_block_ref": m.sender_block_ref,
+                        "sender_seal": m.sender_seal,
+                        "ciphertext": m.ciphertext,
+                        "timestamp": m.timestamp,
+                        "delivery_class": m.delivery_class,
+                        "relay_salt": m.relay_salt,
+                        "payload_format": m.payload_format,
+                        "session_welcome": m.session_welcome,
+                    }
+        return None
+
     def is_blocked(self, recipient_id: str, sender_id: str) -> bool:
         with self._lock:
             self._refresh_from_shared_relay()

backend/services/mesh/mesh_infonet_sync_support.py

@@ -2,10 +2,64 @@ from __future__ import annotations
 
 import time
 from dataclasses import asdict, dataclass
+from email.utils import parsedate_to_datetime
+from datetime import timezone
 
 from services.mesh.mesh_peer_store import PeerRecord
 
 
+class PeerSyncRateLimited(Exception):
+    """Upstream peer returned HTTP 429 — Too Many Requests.
+
+    Carries the ``Retry-After`` header value (parsed to seconds) so
+    the caller can pass it to ``finish_sync(retry_after_s=...)`` and
+    actually wait that long instead of hammering the upstream every
+    60s and keeping its rate-limit bucket full.
+
+    ``retry_after_s`` is 0 when the upstream didn't provide a header.
+    Caller should still apply the exponential backoff in that case.
+    """
+
+    def __init__(self, message: str, retry_after_s: int = 0, status: int = 429):
+        super().__init__(message)
+        self.retry_after_s = max(0, int(retry_after_s or 0))
+        self.status = int(status or 429)
+
+
+def parse_retry_after_header(header_value: str, *, now: float | None = None) -> int:
+    """Parse the ``Retry-After`` HTTP header.
+
+    Two valid forms per RFC 7231 §7.1.3:
+
+      * Delay-seconds: a non-negative integer (e.g. ``Retry-After: 120``)
+      * HTTP-date: an absolute time (e.g. ``Retry-After: Wed, 21 Oct 2026 07:28:00 GMT``)
+
+    Returns the wait in **seconds from now**. Unparseable / empty headers
+    return 0 (caller falls back to exponential backoff). Clamped at a
+    sane upper bound (1 hour) so a typo'd or hostile peer can't pin us
+    silent for days.
+    """
+    value = str(header_value or "").strip()
+    if not value:
+        return 0
+    upper_bound = 3600  # never trust a peer to silence us > 1h
+    # Form 1: pure integer seconds.
+    if value.isdigit():
+        return min(max(0, int(value)), upper_bound)
+    # Form 2: HTTP-date.
+    try:
+        target = parsedate_to_datetime(value)
+        if target is None:
+            return 0
+        if target.tzinfo is None:
+            target = target.replace(tzinfo=timezone.utc)
+        current = float(now if now is not None else time.time())
+        delta = int(target.timestamp() - current)
+        return min(max(0, delta), upper_bound)
+    except (TypeError, ValueError):
+        return 0
+
+
 @dataclass(frozen=True)
 class SyncWorkerState:
     last_sync_started_at: int = 0
@@ -72,6 +126,59 @@ def begin_sync(
     )
 
 
+def _failure_backoff_seconds(
+    *,
+    base_backoff_s: int,
+    consecutive_failures: int,
+    retry_after_s: int,
+    cap_s: int = 1800,
+) -> int:
+    """Compute the next-attempt delay after a failed sync.
+
+    Two inputs combine:
+
+    * ``retry_after_s`` — when an upstream peer answered HTTP 429
+      with a ``Retry-After`` header, we honor it exactly. Continuing
+      to hammer the upstream every 60s is the bug this fix exists to
+      close: it keeps the upstream's rate-limit bucket full
+      indefinitely and no sync ever lands.
+
+    * Exponential growth on ``consecutive_failures`` — even without an
+      explicit Retry-After, repeated failures should slow us down. The
+      first failure waits ``base`` (preserves pre-fix behavior for
+      one-off blips). Each subsequent failure doubles the wait, capped
+      to ``cap_s`` (default 30 minutes). With base=60 and cap=1800,
+      the schedule is 60s → 120s → 240s → 480s → 960s → 1800s →
+      1800s → … .
+
+    The actual delay is the MAX of the two — whichever asks for more
+    patience wins. ``retry_after_s == 0`` (no header) falls back to
+    pure exponential. An aggressive ``Retry-After`` (say 600s while
+    we're only at 1 failure) wins over the exponential ladder.
+    """
+    base = max(0, int(base_backoff_s or 0))
+    failures = max(0, int(consecutive_failures or 0))
+    cap = max(0, int(cap_s or 0))
+    retry_after = max(0, int(retry_after_s or 0))
+    # ``cap_s=0`` explicitly disables the exponential ladder entirely
+    # — operators who want the pre-fix "honor Retry-After only" behavior
+    # can set this. The default cap of 1800s is what saturates the
+    # ladder at the 5th-6th failure for base=60.
+    if cap == 0:
+        return retry_after
+    # 2^(failures-1) — so failure #1 = base (preserves the pre-fix
+    # default for transient blips), failure #2 = 2*base, etc. Cap on
+    # the exponent (16) is defense against integer overflow on a
+    # hostile or very large failures counter.
+    if base > 0 and failures > 0:
+        exponent = min(max(0, failures - 1), 16)
+        grown = base * (2 ** exponent)
+    else:
+        grown = 0
+    exponential = min(max(0, grown), cap)
+    return max(exponential, retry_after)
+
+
 def finish_sync(
     state: SyncWorkerState,
     *,
@@ -83,7 +190,26 @@ def finish_sync(
     now: float | None = None,
     interval_s: int = 300,
     failure_backoff_s: int = 60,
+    retry_after_s: int = 0,
+    failure_backoff_cap_s: int = 1800,
 ) -> SyncWorkerState:
+    """Finalise a sync attempt and compute when the next one should run.
+
+    New args (added for the 429 retry storm fix):
+
+    * ``retry_after_s`` — if the peer responded with HTTP 429 + a
+      ``Retry-After`` header, pass that value here. ``finish_sync``
+      will use ``max(exponential, retry_after_s)`` for the delay so
+      we never hammer a peer that asked us to back off.
+    * ``failure_backoff_cap_s`` — upper bound on the exponential
+      ladder. Default 1800 (30 min) — keeps a sync queue from going
+      silent for hours while still cutting the request rate to
+      something the upstream can absorb.
+
+    The pre-fix behavior (constant 60s on every failure) is recoverable
+    by passing ``failure_backoff_cap_s=0`` and ``retry_after_s=0``, but
+    there's no reason to.
+    """
     timestamp = int(now if now is not None else time.time())
     if ok:
         return SyncWorkerState(
@@ -99,17 +225,25 @@ def finish_sync(
             consecutive_failures=0,
         )
 
+    next_failures = state.consecutive_failures + 1
+    delay_s = _failure_backoff_seconds(
+        base_backoff_s=failure_backoff_s,
+        consecutive_failures=next_failures,
+        retry_after_s=retry_after_s,
+        cap_s=failure_backoff_cap_s,
+    )
+
     return SyncWorkerState(
         last_sync_started_at=state.last_sync_started_at,
         last_sync_finished_at=timestamp,
         last_sync_ok_at=state.last_sync_ok_at,
-        next_sync_due_at=timestamp + max(0, int(failure_backoff_s or 0)),
+        next_sync_due_at=timestamp + delay_s,
         last_peer_url=peer_url or state.last_peer_url,
         last_error=str(error or "").strip(),
         last_outcome="fork" if fork_detected else "error",
         current_head=current_head or state.current_head,
         fork_detected=bool(fork_detected),
-        consecutive_failures=state.consecutive_failures + 1,
+        consecutive_failures=next_failures,
     )
 
 

backend/tests/mesh/test_infonet_sync_429_backoff.py

@@ -0,0 +1,261 @@
+"""Infonet sync respects upstream HTTP 429 + applies exponential backoff.
+
+Background
+----------
+Before this fix, ``finish_sync`` used a constant 60s ``failure_backoff_s``
+regardless of how many consecutive failures preceded. When an upstream
+peer (e.g. the seed onion) returned HTTP 429 "Too Many Requests", the
+sync worker would:
+
+  1. Receive 429
+  2. Stringify the status into a generic ``ValueError``
+  3. Call ``finish_sync(error=str(exc))`` -- losing the status code
+  4. Schedule next attempt for ``now + 60s``
+  5. Retry. Upstream's rate-limit bucket is still full. 429 again. Loop.
+
+Net effect: a node with one transient 429 would hammer the upstream
+every 60s forever, keeping the bucket full and never recovering. This
+is what kept the user's Infonet node from reaching the seed peer.
+
+What the fix does
+-----------------
+* New typed exception ``PeerSyncRateLimited`` carries the parsed
+  ``Retry-After`` value out of the HTTP layer.
+* ``_sync_from_peer`` returns ``(ok, error, forked, retry_after_s)``
+  instead of the old 3-tuple.
+* ``finish_sync`` honors ``retry_after_s`` AND applies exponential
+  backoff: ``delay = max(retry_after_s, base * 2^failures, cap=1800)``.
+* ``parse_retry_after_header`` handles both RFC 7231 forms (delay
+  seconds, and HTTP-date).
+
+These tests pin every part of the new contract.
+"""
+
+from __future__ import annotations
+
+import time
+
+import pytest
+
+
+# ---------------------------------------------------------------------------
+# parse_retry_after_header — both RFC 7231 forms + edge cases
+# ---------------------------------------------------------------------------
+
+
+class TestParseRetryAfter:
+    def test_integer_seconds(self):
+        from services.mesh.mesh_infonet_sync_support import parse_retry_after_header
+        assert parse_retry_after_header("120") == 120
+        assert parse_retry_after_header("  30  ") == 30
+        assert parse_retry_after_header("0") == 0
+
+    def test_http_date(self):
+        """RFC 7231 §7.1.3 explicitly allows ``Retry-After: <HTTP-date>``.
+        We compute seconds-from-now so callers can use the same field
+        regardless of which form the upstream chose."""
+        from services.mesh.mesh_infonet_sync_support import parse_retry_after_header
+        # Pin "now" so the test is deterministic.
+        now = 1_700_000_000.0  # 2023-11-14T22:13:20Z
+        # 300 seconds in the future, formatted per RFC 7231.
+        future = "Tue, 14 Nov 2023 22:18:20 GMT"
+        result = parse_retry_after_header(future, now=now)
+        assert 295 <= result <= 305, f"expected ~300s, got {result}"
+
+    def test_http_date_in_past_returns_zero(self):
+        from services.mesh.mesh_infonet_sync_support import parse_retry_after_header
+        now = 1_700_000_000.0
+        past = "Mon, 13 Nov 2023 00:00:00 GMT"
+        assert parse_retry_after_header(past, now=now) == 0
+
+    def test_empty_and_whitespace_return_zero(self):
+        from services.mesh.mesh_infonet_sync_support import parse_retry_after_header
+        assert parse_retry_after_header("") == 0
+        assert parse_retry_after_header("   ") == 0
+
+    def test_malformed_returns_zero(self):
+        from services.mesh.mesh_infonet_sync_support import parse_retry_after_header
+        assert parse_retry_after_header("not a header") == 0
+        assert parse_retry_after_header("xyz") == 0
+
+    def test_clamps_to_one_hour(self):
+        """A hostile peer can't silence us for a week by claiming a
+        24h Retry-After. We cap at 1 hour."""
+        from services.mesh.mesh_infonet_sync_support import parse_retry_after_header
+        assert parse_retry_after_header("86400") == 3600  # 24h -> 1h
+        assert parse_retry_after_header("99999999") == 3600
+
+    def test_negative_returns_zero(self):
+        """RFC 7231 says ``Retry-After`` is a non-negative integer;
+        leading-minus parses as a non-digit and yields 0 here."""
+        from services.mesh.mesh_infonet_sync_support import parse_retry_after_header
+        assert parse_retry_after_header("-10") == 0
+
+
+# ---------------------------------------------------------------------------
+# _failure_backoff_seconds — exponential growth, retry-after override, cap
+# ---------------------------------------------------------------------------
+
+
+class TestFailureBackoffSeconds:
+    def test_exponential_growth(self):
+        """First failure uses the base (preserves pre-fix behavior
+        for one-off blips). Each subsequent failure doubles the wait,
+        capped at 1800s. With base=60: 60, 120, 240, 480, 960, 1800,
+        1800, 1800."""
+        from services.mesh.mesh_infonet_sync_support import _failure_backoff_seconds
+        delays = [
+            _failure_backoff_seconds(
+                base_backoff_s=60,
+                consecutive_failures=n,
+                retry_after_s=0,
+                cap_s=1800,
+            )
+            for n in range(1, 9)
+        ]
+        assert delays == [60, 120, 240, 480, 960, 1800, 1800, 1800], delays
+
+    def test_retry_after_wins_when_larger(self):
+        """If the upstream says ``Retry-After: 600`` but exponential
+        would only ask for 60s (one failure), we honor the upstream."""
+        from services.mesh.mesh_infonet_sync_support import _failure_backoff_seconds
+        assert _failure_backoff_seconds(
+            base_backoff_s=60,
+            consecutive_failures=1,
+            retry_after_s=600,
+            cap_s=1800,
+        ) == 600
+
+    def test_exponential_wins_when_larger(self):
+        """If exponential is asking for 1800s (6+ failures) but
+        upstream only sent ``Retry-After: 30``, we honor exponential.
+        The 30s was the upstream's view at one moment; our exponential
+        reflects sustained failure."""
+        from services.mesh.mesh_infonet_sync_support import _failure_backoff_seconds
+        result = _failure_backoff_seconds(
+            base_backoff_s=60,
+            consecutive_failures=7,
+            retry_after_s=30,
+            cap_s=1800,
+        )
+        assert result == 1800
+
+    def test_cap_zero_disables_exponential(self):
+        """Operators who want pre-fix behavior can set cap=0; only the
+        upstream's Retry-After is respected. (Pre-fix had no
+        exponential growth at all.)"""
+        from services.mesh.mesh_infonet_sync_support import _failure_backoff_seconds
+        assert _failure_backoff_seconds(
+            base_backoff_s=60,
+            consecutive_failures=10,
+            retry_after_s=120,
+            cap_s=0,
+        ) == 120
+
+    def test_zero_inputs_return_zero(self):
+        from services.mesh.mesh_infonet_sync_support import _failure_backoff_seconds
+        assert _failure_backoff_seconds(
+            base_backoff_s=0,
+            consecutive_failures=0,
+            retry_after_s=0,
+        ) == 0
+
+
+# ---------------------------------------------------------------------------
+# finish_sync end-to-end — failure path with retry-after + growing counter
+# ---------------------------------------------------------------------------
+
+
+class TestFinishSyncBackoff:
+    def _state(self, **overrides):
+        from services.mesh.mesh_infonet_sync_support import SyncWorkerState
+        base = {
+            "last_sync_started_at": 0,
+            "last_sync_finished_at": 0,
+            "last_sync_ok_at": 0,
+            "next_sync_due_at": 0,
+            "last_peer_url": "",
+            "last_error": "",
+            "last_outcome": "idle",
+            "current_head": "",
+            "fork_detected": False,
+            "consecutive_failures": 0,
+        }
+        base.update(overrides)
+        return SyncWorkerState(**base)
+
+    def test_first_failure_uses_base_unchanged(self):
+        """One failure means consecutive_failures becomes 1, which uses
+        ``base * 2^0 = base``. Preserves the pre-fix behavior so a
+        single transient upstream blip doesn't suddenly take 2 minutes
+        to retry — that change has to be earned by sustained failure."""
+        from services.mesh.mesh_infonet_sync_support import finish_sync
+        result = finish_sync(
+            self._state(),
+            ok=False,
+            error="some upstream blip",
+            now=1000.0,
+            failure_backoff_s=60,
+        )
+        assert result.consecutive_failures == 1
+        assert result.next_sync_due_at == 1000 + 60
+        assert result.last_error == "some upstream blip"
+        assert result.last_outcome == "error"
+
+    def test_consecutive_failures_grow_the_delay(self):
+        """After 5 prior failures already in state, the next failure
+        sets consecutive=6 and uses the cap (1800s = 60 * 2^5)."""
+        from services.mesh.mesh_infonet_sync_support import finish_sync
+        result = finish_sync(
+            self._state(consecutive_failures=5),
+            ok=False,
+            error="HTTP 429",
+            now=2000.0,
+            failure_backoff_s=60,
+        )
+        assert result.consecutive_failures == 6
+        assert result.next_sync_due_at == 2000 + 1800
+
+    def test_retry_after_honored_at_low_failure_count(self):
+        """When the upstream says ``Retry-After: 900`` but we'd
+        otherwise only wait 240s (4 failures = 60*2^3), wait 900s."""
+        from services.mesh.mesh_infonet_sync_support import finish_sync
+        result = finish_sync(
+            self._state(consecutive_failures=3),
+            ok=False,
+            error="HTTP 429",
+            now=5000.0,
+            failure_backoff_s=60,
+            retry_after_s=900,
+        )
+        assert result.consecutive_failures == 4
+        assert result.next_sync_due_at == 5000 + 900
+
+    def test_success_resets_consecutive_failures(self):
+        from services.mesh.mesh_infonet_sync_support import finish_sync
+        result = finish_sync(
+            self._state(consecutive_failures=4),
+            ok=True,
+            now=7000.0,
+            interval_s=300,
+        )
+        assert result.consecutive_failures == 0
+        assert result.next_sync_due_at == 7000 + 300
+        assert result.last_outcome == "ok"
+
+    def test_last_error_carries_status_string(self):
+        """The pre-fix path stringified exceptions into ``last_error``
+        but the string was often empty (HTTP layer raised ValueError
+        with no message). We now require callers to pass something
+        meaningful — see the typed exception path in main.py."""
+        from services.mesh.mesh_infonet_sync_support import finish_sync
+        result = finish_sync(
+            self._state(),
+            ok=False,
+            error="HTTP 429 from peer (retry_after=120s): rate-limited",
+            now=1000.0,
+            failure_backoff_s=60,
+            retry_after_s=120,
+        )
+        assert "HTTP 429" in result.last_error
+        assert "retry_after=120s" in result.last_error

backend/tests/test_dm_relay_per_sender_cap.py

@@ -0,0 +1,270 @@
+"""Per-(sender, recipient) anti-spam cap on the DM relay.
+
+The user-stated rule: a single sender can have at most N UNACKED messages
+parked in a single recipient's mailbox at any one time (N=2 by default).
+Once the recipient pulls a message, the sender's quota for that pair
+frees up.
+
+Network rule, not local rule
+-----------------------------
+The cap is enforced TWICE:
+
+1. ``DMRelay.deposit(...)`` -- local check on the sender's own node.
+   Refuses to spool the (N+1)th message before it can be replicated.
+
+2. ``DMRelay.accept_replica(...)`` -- replication-acceptance check on
+   every receiving peer. Refuses to accept an inbound replica that
+   would put the local mailbox over the cap, even if the originating
+   peer claims it had cap room.
+
+The double enforcement matters because cap (1) is client-side -- a
+hostile relay could patch it out and continue to spool extras locally.
+Cap (2) means those extras can't propagate: every honest peer rejects
+them on the way in. A recipient who polls from honest peers therefore
+never sees more than N pending from any one sender, regardless of how
+many spam attempts the sender's own relay accepted.
+
+These tests pin both halves of the rule.
+"""
+
+from __future__ import annotations
+
+import time
+
+import pytest
+
+
+@pytest.fixture
+def relay():
+    """Fresh ``DMRelay`` per test."""
+    from services.mesh.mesh_dm_relay import DMRelay
+    r = DMRelay()
+    r._mailboxes.clear()
+    r._blocks.clear()
+    r._stats = {"messages_in_memory": 0}
+    return r
+
+
+def _deposit(
+    relay,
+    *,
+    sender: str = "alice",
+    recipient_token: str = "bob_mailbox_token_abc",
+    ciphertext: str = "ciphertext-blob",
+    msg_id: str = "",
+):
+    """Convenience wrapper using ``shared`` delivery class."""
+    return relay.deposit(
+        sender_id=sender,
+        raw_sender_id=sender,
+        recipient_id="bob",
+        ciphertext=ciphertext,
+        msg_id=msg_id,
+        delivery_class="shared",
+        recipient_token=recipient_token,
+    )
+
+
+# ---------------------------------------------------------------------------
+# Local cap on ``deposit``
+# ---------------------------------------------------------------------------
+
+
+class TestDepositCap:
+    def test_two_deposits_from_same_sender_succeed(self, relay):
+        r1 = _deposit(relay)
+        r2 = _deposit(relay)
+        assert r1["ok"] is True
+        assert r2["ok"] is True
+        assert r1["msg_id"] != r2["msg_id"]
+
+    def test_third_deposit_from_same_sender_rejected(self, relay):
+        _deposit(relay)
+        _deposit(relay)
+        r3 = _deposit(relay)
+        assert r3["ok"] is False
+        detail = r3["detail"].lower()
+        assert "unread" in detail or "read your messages" in detail
+
+    def test_different_senders_have_independent_quotas(self, relay):
+        for _ in range(2):
+            assert _deposit(relay, sender="alice")["ok"] is True
+        for _ in range(2):
+            assert _deposit(relay, sender="carol")["ok"] is True
+        assert _deposit(relay, sender="carol")["ok"] is False
+
+    def test_different_recipients_have_independent_quotas(self, relay):
+        for _ in range(2):
+            assert _deposit(relay, sender="alice", recipient_token="bob_token")["ok"] is True
+        for _ in range(2):
+            assert _deposit(relay, sender="alice", recipient_token="dave_token")["ok"] is True
+
+    def test_ack_frees_quota(self, relay):
+        r1 = _deposit(relay)
+        _deposit(relay)
+        assert _deposit(relay)["ok"] is False
+
+        mailbox_key = relay._hashed_mailbox_token("bob_mailbox_token_abc")
+        relay._mailboxes[mailbox_key] = [
+            m for m in relay._mailboxes[mailbox_key]
+            if m.msg_id != r1["msg_id"]
+        ]
+        relay._stats["messages_in_memory"] = sum(
+            len(v) for v in relay._mailboxes.values()
+        )
+
+        r3 = _deposit(relay)
+        assert r3["ok"] is True, f"expected quota free after ack, got: {r3}"
+
+    def test_cap_is_env_tunable(self, relay, monkeypatch):
+        import services.mesh.mesh_dm_relay as mdr
+        monkeypatch.setattr(
+            mdr.DMRelay,
+            "_per_sender_pending_limit",
+            lambda self: 1,
+        )
+
+        assert _deposit(relay)["ok"] is True
+        assert _deposit(relay)["ok"] is False
+
+
+# ---------------------------------------------------------------------------
+# Replication-acceptance cap (the half that makes this a network rule)
+# ---------------------------------------------------------------------------
+
+
+class TestAcceptReplicaCap:
+    def _envelope(self, *, msg_id: str, sender_block_ref: str, mailbox_key: str):
+        return {
+            "msg_id": msg_id,
+            "mailbox_key": mailbox_key,
+            "sender_block_ref": sender_block_ref,
+            "sender_id": "alice",
+            "sender_seal": "",
+            "ciphertext": f"ciphertext-{msg_id}",
+            "timestamp": time.time(),
+            "delivery_class": "shared",
+            "relay_salt": "",
+            "payload_format": "dm1",
+            "session_welcome": "",
+        }
+
+    def test_replica_accepted_under_cap(self, relay):
+        env = self._envelope(
+            msg_id="dm_replica_1",
+            sender_block_ref="alice_block_ref",
+            mailbox_key="mailbox_xyz",
+        )
+        result = relay.accept_replica(envelope=env)
+        assert result["ok"] is True
+
+    def test_replica_idempotent_on_duplicate_msg_id(self, relay):
+        mailbox_key = "mailbox_xyz"
+        env = self._envelope(
+            msg_id="dm_dup_1",
+            sender_block_ref="alice_block_ref",
+            mailbox_key=mailbox_key,
+        )
+        r1 = relay.accept_replica(envelope=env)
+        r2 = relay.accept_replica(envelope=env)
+        assert r1["ok"] is True
+        assert r2["ok"] is True
+        assert r2.get("duplicate") is True
+        assert len(relay._mailboxes[mailbox_key]) == 1
+
+    def test_replica_rejected_when_local_count_already_at_cap(self, relay):
+        mailbox_key = "mailbox_xyz"
+        for i in (1, 2):
+            relay.accept_replica(envelope=self._envelope(
+                msg_id=f"dm_seeded_{i}",
+                sender_block_ref="alice_block_ref",
+                mailbox_key=mailbox_key,
+            ))
+
+        result = relay.accept_replica(envelope=self._envelope(
+            msg_id="dm_overcap_3",
+            sender_block_ref="alice_block_ref",
+            mailbox_key=mailbox_key,
+        ))
+        assert result["ok"] is False
+        assert result.get("cap_violation") is True
+        assert result.get("pending") == 2
+        assert result.get("limit") == 2
+        assert len(relay._mailboxes[mailbox_key]) == 2
+
+    def test_replica_from_different_sender_passes_when_one_is_at_cap(self, relay):
+        mailbox_key = "mailbox_xyz"
+        for i in (1, 2):
+            relay.accept_replica(envelope=self._envelope(
+                msg_id=f"dm_alice_{i}",
+                sender_block_ref="alice_block_ref",
+                mailbox_key=mailbox_key,
+            ))
+        assert relay.accept_replica(envelope=self._envelope(
+            msg_id="dm_alice_3",
+            sender_block_ref="alice_block_ref",
+            mailbox_key=mailbox_key,
+        ))["ok"] is False
+        assert relay.accept_replica(envelope=self._envelope(
+            msg_id="dm_carol_1",
+            sender_block_ref="carol_block_ref",
+            mailbox_key=mailbox_key,
+        ))["ok"] is True
+
+    def test_replica_rejects_malformed_envelopes(self, relay):
+        for bad in (
+            {},
+            {"msg_id": "x"},
+            {"msg_id": "x", "mailbox_key": "y"},
+            "not an object at all",
+        ):
+            result = relay.accept_replica(envelope=bad)
+            assert result["ok"] is False
+
+
+# ---------------------------------------------------------------------------
+# ``envelope_for_replication`` -- helper for the outbound replication path
+# ---------------------------------------------------------------------------
+
+
+class TestEnvelopeForReplication:
+    def test_returns_envelope_for_stored_message(self, relay):
+        r = _deposit(relay, ciphertext="hello-ciphertext")
+        msg_id = r["msg_id"]
+        mailbox_key = relay._hashed_mailbox_token("bob_mailbox_token_abc")
+
+        env = relay.envelope_for_replication(mailbox_key=mailbox_key, msg_id=msg_id)
+        assert env is not None
+        assert env["msg_id"] == msg_id
+        assert env["mailbox_key"] == mailbox_key
+        assert env["ciphertext"] == "hello-ciphertext"
+        assert env["delivery_class"] == "shared"
+        for k in ("msg_id", "mailbox_key", "sender_block_ref", "ciphertext"):
+            assert env.get(k), f"envelope missing required field {k!r}"
+
+    def test_returns_none_for_unknown_message(self, relay):
+        env = relay.envelope_for_replication(
+            mailbox_key="never_existed", msg_id="never_existed",
+        )
+        assert env is None
+
+    def test_envelope_round_trips_through_accept_replica(self, relay):
+        from services.mesh.mesh_dm_relay import DMRelay
+        receiver_relay = DMRelay()
+        receiver_relay._mailboxes.clear()
+        receiver_relay._stats = {"messages_in_memory": 0}
+
+        r = _deposit(relay)
+        msg_id = r["msg_id"]
+        mailbox_key = relay._hashed_mailbox_token("bob_mailbox_token_abc")
+        env = relay.envelope_for_replication(
+            mailbox_key=mailbox_key, msg_id=msg_id,
+        )
+        assert env is not None
+
+        result = receiver_relay.accept_replica(envelope=env)
+        assert result["ok"] is True
+        stored = receiver_relay._mailboxes.get(mailbox_key, [])
+        assert len(stored) == 1
+        assert stored[0].msg_id == msg_id
+        assert stored[0].ciphertext == "ciphertext-blob"

backend/tests/test_dm_replicate_envelope_endpoint.py

@@ -0,0 +1,150 @@
+"""POST /api/mesh/dm/replicate-envelope — receiving side of cross-node DM
+mailbox replication.
+
+This is the endpoint that peer relays call when they want to hand off an
+encrypted DM envelope to us (so the recipient can log into our node and
+find their messages). It re-enforces the per-(sender, recipient) anti-spam
+cap so hostile sender relays can't widen the cap by skipping the local
+check on their own deposit path.
+
+The endpoint:
+
+  * authenticates the caller via the existing per-peer HMAC pattern
+    (same one /api/mesh/infonet/peer-push and /api/mesh/gate/peer-push
+    use, introduced in #256 — ``X-Peer-Url`` + ``X-Peer-HMAC`` headers
+    keyed off ``resolve_peer_key_for_url``)
+  * rejects bodies > 64 KB (DM envelope size is bounded by
+    ``MESH_DM_MAX_MSG_BYTES`` — 64KB ceiling has generous headroom)
+  * rejects requests without a valid peer HMAC with 403
+  * passes the envelope to ``DMRelay.accept_replica`` which enforces
+    the cap
+
+This file pins the endpoint contract. The cap enforcement itself is
+tested in ``test_dm_relay_per_sender_cap.py`` against the relay's
+``accept_replica`` method directly.
+"""
+
+from __future__ import annotations
+
+import asyncio
+import hashlib
+import hmac
+import json
+
+import pytest
+from httpx import ASGITransport, AsyncClient
+
+
+@pytest.fixture
+def remote_client():
+    """ASGI client with peer IP 1.2.3.4 — never on the local-operator
+    allowlist. Used to prove the endpoint isn't accidentally reachable
+    by random remote callers without peer HMAC."""
+    from main import app
+
+    class _RemoteClient:
+        def __init__(self):
+            self._loop = asyncio.new_event_loop()
+            self._transport = ASGITransport(app=app, client=("1.2.3.4", 12345))
+            self._base = "http://1.2.3.4:8000"
+
+        def post(self, url, **kw):
+            async def go():
+                async with AsyncClient(transport=self._transport, base_url=self._base) as ac:
+                    return await ac.post(url, **kw)
+            return self._loop.run_until_complete(go())
+
+        def close(self):
+            self._loop.close()
+
+    c = _RemoteClient()
+    yield c
+    c.close()
+
+
+class TestReplicateEndpointAuth:
+    def test_rejects_request_without_peer_hmac(self, remote_client):
+        """A peer push that does NOT carry X-Peer-Url + X-Peer-HMAC
+        must be rejected with 403 before the envelope is ever passed
+        to the relay. Same gate the existing infonet/gate peer-push
+        endpoints enforce."""
+        payload = {
+            "envelope": {
+                "msg_id": "dm_unauth_1",
+                "mailbox_key": "mb",
+                "sender_block_ref": "sender",
+                "ciphertext": "x",
+            },
+        }
+        r = remote_client.post(
+            "/api/mesh/dm/replicate-envelope",
+            json=payload,
+        )
+        assert r.status_code == 403
+        assert "peer HMAC" in r.text or "peer hmac" in r.text.lower()
+
+    def test_rejects_wrong_peer_hmac(self, remote_client, monkeypatch):
+        """A request with a peer HMAC header keyed off the WRONG secret
+        is rejected. Confirms the HMAC is actually verified — a tampered
+        body or a key-substitution attack doesn't sneak through."""
+        # Plant a known peer secret. The request will sign with a
+        # DIFFERENT key, so verification must fail.
+        from services.config import get_settings
+        monkeypatch.setenv("MESH_PEER_PUSH_SECRET", "real-secret-32-chars-min-padding-padding")
+        get_settings.cache_clear()
+
+        body = json.dumps({
+            "envelope": {
+                "msg_id": "dm_wronghmac",
+                "mailbox_key": "mb",
+                "sender_block_ref": "sender",
+                "ciphertext": "x",
+            },
+        }).encode("utf-8")
+        wrong_hmac = hmac.new(b"wrong-key", body, hashlib.sha256).hexdigest()
+        r = remote_client.post(
+            "/api/mesh/dm/replicate-envelope",
+            content=body,
+            headers={
+                "Content-Type": "application/json",
+                "X-Peer-Url": "http://example-peer.onion:8000",
+                "X-Peer-HMAC": wrong_hmac,
+            },
+        )
+        assert r.status_code == 403
+
+    def test_rejects_oversize_body(self, remote_client):
+        """64 KB ceiling — anything bigger doesn't even get parsed.
+        Defends against memory amplification via giant ciphertexts."""
+        # 100 KB body is well over the 64 KB cap.
+        big = b"{" + b"x" * 100_000 + b"}"
+        r = remote_client.post(
+            "/api/mesh/dm/replicate-envelope",
+            content=big,
+            headers={
+                "Content-Type": "application/json",
+                "Content-Length": str(len(big)),
+            },
+        )
+        assert r.status_code in (400, 413), (
+            f"oversize body should be rejected with 400/413, got {r.status_code}"
+        )
+
+
+class TestReplicateEndpointRegistered:
+    def test_route_present_in_app(self):
+        """Static check that the route is actually wired into the app.
+        Catches a future refactor that drops the router include or
+        deletes the endpoint by accident."""
+        from main import app
+
+        paths_methods = set()
+        for route in app.routes:
+            path = getattr(route, "path", None)
+            methods = getattr(route, "methods", set()) or set()
+            for m in methods:
+                paths_methods.add((m, path))
+
+        assert ("POST", "/api/mesh/dm/replicate-envelope") in paths_methods, (
+            "POST /api/mesh/dm/replicate-envelope is not registered on the app"
+        )

backend/tests/test_gps_jamming_detector.py

@@ -0,0 +1,333 @@
+"""GPS jamming detection — nac_p=0 counted, lowered thresholds.
+
+Background
+----------
+Pre-fix, the detector had three stacked filters that together meant the
+``gps_jamming`` layer almost never lit up:
+
+  1. ``nac_p == 0`` aircraft were dropped on the theory that "0 = old
+     transponder." But modern Mode-S Enhanced Surveillance transponders
+     also fall back to ``nac_p == 0`` when they lose GPS lock entirely —
+     which is *exactly* the jamming signature we want to catch.
+  2. ``GPS_JAMMING_MIN_AIRCRAFT = 5`` per 1°x1° cell.
+  3. ``GPS_JAMMING_MIN_RATIO = 0.30`` adjusted ratio.
+
+Combined with the existing ``-1`` noise cushion (``adjusted = degraded - 1``)
+the bar to clear required dense, busy airspace — but jamming hotspots
+(eastern Med, eastern Ukraine, Iran/Iraq) tend to have sparser traffic
+precisely because pilots avoid them.
+
+These tests pin the new behavior:
+
+  * ``nac_p == 0`` is now counted as degraded.
+  * ``nac_p == None`` (no field — typical for OpenSky records) is still
+    skipped — absence isn't evidence.
+  * Thresholds lowered to 3 aircraft / 0.20 ratio.
+  * Public function signature accepts overrides so callers / future
+    operators can re-tune without code edits.
+"""
+
+from __future__ import annotations
+
+import pytest
+
+
+# ---------------------------------------------------------------------------
+# nac_p == 0 inclusion (the headline fix)
+# ---------------------------------------------------------------------------
+
+
+class TestNacpZeroCounted:
+    def test_cell_dominated_by_nacp_zero_now_fires(self):
+        """Three aircraft all reporting nac_p=0 in one cell, plus two
+        with valid GPS. Pre-fix the three nac_p=0 records were skipped
+        entirely (cell would have total=2, degraded=0, no zone). Post-fix
+        they count as degraded — this IS the jamming signature."""
+        from services.fetchers.flights import detect_gps_jamming_zones
+
+        # All in 1°x1° cell at int(lat)=40, int(lng)=-100
+        feed = [
+            {"hex": "a1", "lat": 40.1, "lng": -100.1, "nac_p": 0},
+            {"hex": "a2", "lat": 40.5, "lng": -100.5, "nac_p": 0},
+            {"hex": "a3", "lat": 40.9, "lng": -100.9, "nac_p": 0},
+            {"hex": "b1", "lat": 40.2, "lng": -100.3, "nac_p": 9},
+            {"hex": "b2", "lat": 40.7, "lng": -100.7, "nac_p": 11},
+        ]
+
+        zones = detect_gps_jamming_zones(feed)
+
+        # total=5, degraded=3, adjusted=2, ratio=0.40 > 0.20 → zone fires.
+        assert len(zones) == 1
+        assert zones[0]["degraded"] == 3
+        assert zones[0]["total"] == 5
+        assert zones[0]["ratio"] == 0.40
+        # Grid-cell center coords.
+        assert zones[0]["lat"] == 40.5
+        assert zones[0]["lng"] == -99.5
+
+    def test_nacp_zero_alone_clears_min_aircraft(self):
+        """A cell with exactly 3 aircraft all reporting nac_p=0 must
+        fire under the new MIN_AIRCRAFT=3 + MIN_RATIO=0.20 regime."""
+        from services.fetchers.flights import detect_gps_jamming_zones
+
+        feed = [
+            {"hex": "a1", "lat": 50.1, "lng": 30.1, "nac_p": 0},
+            {"hex": "a2", "lat": 50.5, "lng": 30.5, "nac_p": 0},
+            {"hex": "a3", "lat": 50.9, "lng": 30.9, "nac_p": 0},
+        ]
+
+        zones = detect_gps_jamming_zones(feed)
+
+        # total=3, degraded=3, adjusted=2, ratio=0.667 > 0.20 → fires.
+        # severity is "medium" because 0.5 ≤ ratio < 0.75.
+        assert len(zones) == 1
+        assert zones[0]["severity"] == "medium"
+
+
+# ---------------------------------------------------------------------------
+# nac_p == None is still skipped (preserve OpenSky behavior)
+# ---------------------------------------------------------------------------
+
+
+class TestNoneStillSkipped:
+    def test_none_records_dont_add_to_grid(self):
+        """OpenSky's /states/all doesn't include nac_p, so its records
+        arrive with the field absent (``rf.get("nac_p") is None``). These
+        records must NOT count toward total — absence-of-data isn't
+        evidence of either jamming OR working GPS."""
+        from services.fetchers.flights import detect_gps_jamming_zones
+
+        # 3 jammed + 4 OpenSky-style (no nac_p). Pre-fix and post-fix
+        # behavior should be identical here: None always skipped.
+        feed = [
+            {"hex": "a1", "lat": 40.1, "lng": -100.1, "nac_p": 0},
+            {"hex": "a2", "lat": 40.2, "lng": -100.2, "nac_p": 0},
+            {"hex": "a3", "lat": 40.3, "lng": -100.3, "nac_p": 0},
+            # OpenSky-style: no nac_p at all
+            {"hex": "o1", "lat": 40.4, "lng": -100.4},
+            {"hex": "o2", "lat": 40.5, "lng": -100.5},
+            {"hex": "o3", "lat": 40.6, "lng": -100.6},
+            {"hex": "o4", "lat": 40.7, "lng": -100.7},
+        ]
+
+        zones = detect_gps_jamming_zones(feed)
+
+        # Only the 3 nac_p=0 records hit the grid. total=3, not 7.
+        assert len(zones) == 1
+        assert zones[0]["total"] == 3
+        assert zones[0]["degraded"] == 3
+
+    def test_explicit_none_skipped(self):
+        """Same behavior when ``nac_p`` is present but set to None
+        (defensive — adsb.lol shouldn't do this, but downstream
+        normalizers might)."""
+        from services.fetchers.flights import detect_gps_jamming_zones
+
+        feed = [
+            {"hex": "a1", "lat": 0.1, "lng": 0.1, "nac_p": None},
+            {"hex": "a2", "lat": 0.2, "lng": 0.2, "nac_p": None},
+            {"hex": "a3", "lat": 0.3, "lng": 0.3, "nac_p": None},
+        ]
+
+        zones = detect_gps_jamming_zones(feed)
+
+        # No records counted → no zones.
+        assert zones == []
+
+
+# ---------------------------------------------------------------------------
+# Lowered MIN_AIRCRAFT (5 → 3)
+# ---------------------------------------------------------------------------
+
+
+class TestMinAircraftLowered:
+    def test_three_aircraft_cell_now_qualifies(self):
+        """Pre-fix MIN_AIRCRAFT=5 blocked sparse cells entirely. Post-fix
+        the bar is 3 aircraft per cell, which is realistic for the actual
+        jamming hotspots where traffic is thinner."""
+        from services.fetchers.flights import detect_gps_jamming_zones
+
+        feed = [
+            {"hex": "a1", "lat": 33.1, "lng": 44.1, "nac_p": 3},
+            {"hex": "a2", "lat": 33.2, "lng": 44.2, "nac_p": 5},
+            {"hex": "a3", "lat": 33.3, "lng": 44.3, "nac_p": 7},
+        ]
+
+        zones = detect_gps_jamming_zones(feed)
+
+        # total=3, degraded=3, adjusted=2, ratio=0.667 — fires under new
+        # rules, would have been blocked by MIN_AIRCRAFT=5 pre-fix.
+        assert len(zones) == 1
+
+    def test_two_aircraft_cell_still_blocked(self):
+        """We didn't lower the bar to 2 — that would create too much
+        single-transponder noise. Two aircraft per cell still doesn't
+        qualify."""
+        from services.fetchers.flights import detect_gps_jamming_zones
+
+        feed = [
+            {"hex": "a1", "lat": 33.1, "lng": 44.1, "nac_p": 3},
+            {"hex": "a2", "lat": 33.2, "lng": 44.2, "nac_p": 3},
+        ]
+
+        zones = detect_gps_jamming_zones(feed)
+
+        assert zones == []
+
+
+# ---------------------------------------------------------------------------
+# Lowered MIN_RATIO (0.30 → 0.20)
+# ---------------------------------------------------------------------------
+
+
+class TestMinRatioLowered:
+    def test_ratio_between_old_and_new_threshold_fires(self):
+        """Construct a cell whose ratio sits in the (0.20, 0.30) window:
+        fires under the new bar, would have been blocked pre-fix."""
+        from services.fetchers.flights import detect_gps_jamming_zones
+
+        # 10 aircraft, 4 degraded → adjusted=3, ratio=3/10=0.30.
+        # Pre-fix threshold was > 0.30 strict — would NOT fire.
+        # Post-fix threshold is > 0.20 — fires.
+        feed = (
+            [{"hex": f"d{i}", "lat": 40.1, "lng": -100.1, "nac_p": 3} for i in range(4)]
+            + [{"hex": f"c{i}", "lat": 40.5, "lng": -100.5, "nac_p": 9} for i in range(6)]
+        )
+
+        zones = detect_gps_jamming_zones(feed)
+
+        assert len(zones) == 1
+        assert zones[0]["degraded"] == 4
+        assert zones[0]["total"] == 10
+        assert zones[0]["ratio"] == 0.30
+
+    def test_ratio_at_or_below_new_threshold_does_not_fire(self):
+        """Ratio of exactly 0.20 must NOT fire (strict ``>`` comparison)."""
+        from services.fetchers.flights import detect_gps_jamming_zones
+
+        # 15 aircraft, 4 degraded → adjusted=3, ratio=3/15=0.20. Strictly
+        # not greater than 0.20, so doesn't qualify.
+        feed = (
+            [{"hex": f"d{i}", "lat": 40.1, "lng": -100.1, "nac_p": 3} for i in range(4)]
+            + [{"hex": f"c{i}", "lat": 40.5, "lng": -100.5, "nac_p": 9} for i in range(11)]
+        )
+
+        zones = detect_gps_jamming_zones(feed)
+
+        assert zones == []
+
+
+# ---------------------------------------------------------------------------
+# Pre-existing noise cushion (-1) preserved
+# ---------------------------------------------------------------------------
+
+
+class TestNoiseCushionPreserved:
+    def test_single_quirky_transponder_doesnt_fire(self):
+        """One degraded aircraft in a healthy cell shouldn't fire even
+        under the relaxed thresholds. The ``-1`` adjustment in the
+        detector exists for this reason."""
+        from services.fetchers.flights import detect_gps_jamming_zones
+
+        feed = (
+            [{"hex": "d1", "lat": 40.1, "lng": -100.1, "nac_p": 3}]
+            + [{"hex": f"c{i}", "lat": 40.5, "lng": -100.5, "nac_p": 9} for i in range(10)]
+        )
+
+        zones = detect_gps_jamming_zones(feed)
+
+        # total=11, degraded=1, adjusted=0 → cell short-circuits.
+        assert zones == []
+
+
+# ---------------------------------------------------------------------------
+# Constants pinned (catches accidental rollback)
+# ---------------------------------------------------------------------------
+
+
+class TestConstantsPinned:
+    def test_min_aircraft_is_three(self):
+        from services.constants import GPS_JAMMING_MIN_AIRCRAFT
+        assert GPS_JAMMING_MIN_AIRCRAFT == 3, (
+            "MIN_AIRCRAFT must be 3; raising it back to 5 brings back the "
+            "'jamming never shows' bug."
+        )
+
+    def test_min_ratio_is_0_20(self):
+        from services.constants import GPS_JAMMING_MIN_RATIO
+        assert GPS_JAMMING_MIN_RATIO == 0.20, (
+            "MIN_RATIO must be 0.20; raising it back to 0.30 brings back "
+            "the 'jamming never shows' bug."
+        )
+
+
+# ---------------------------------------------------------------------------
+# Overrides honored
+# ---------------------------------------------------------------------------
+
+
+class TestOverridesHonored:
+    def test_overrides_supersede_constants(self):
+        """The public signature accepts overrides so an operator can
+        re-tune at the call site (e.g. for a more aggressive setup in
+        an active conflict zone) without editing the module constants."""
+        from services.fetchers.flights import detect_gps_jamming_zones
+
+        feed = [
+            {"hex": "a1", "lat": 40.1, "lng": -100.1, "nac_p": 3},
+            {"hex": "a2", "lat": 40.2, "lng": -100.2, "nac_p": 3},
+        ]
+
+        # With defaults (min_aircraft=3) this is blocked. With override=2 it fires.
+        assert detect_gps_jamming_zones(feed) == []
+        zones = detect_gps_jamming_zones(feed, min_aircraft=2)
+        assert len(zones) == 1
+
+
+# ---------------------------------------------------------------------------
+# lon vs lng compatibility
+# ---------------------------------------------------------------------------
+
+
+class TestLonLngCompat:
+    def test_lon_key_accepted(self):
+        """adsb.lol records arrive with ``lon`` (no g). The OpenSky merge
+        normalizes to ``lng`` but raw records flowing into the detector
+        may use either. Make sure both work."""
+        from services.fetchers.flights import detect_gps_jamming_zones
+
+        feed = [
+            {"hex": "a1", "lat": 40.1, "lon": -100.1, "nac_p": 0},
+            {"hex": "a2", "lat": 40.2, "lon": -100.2, "nac_p": 0},
+            {"hex": "a3", "lat": 40.3, "lon": -100.3, "nac_p": 0},
+        ]
+
+        zones = detect_gps_jamming_zones(feed)
+
+        assert len(zones) == 1
+
+
+# ---------------------------------------------------------------------------
+# Empty / malformed inputs don't crash
+# ---------------------------------------------------------------------------
+
+
+class TestRobustness:
+    def test_empty_feed(self):
+        from services.fetchers.flights import detect_gps_jamming_zones
+        assert detect_gps_jamming_zones([]) == []
+
+    def test_none_feed(self):
+        """The wrapper at the call site passes ``raw_flights_snapshot``
+        which could in principle be None on a startup race. Handle it."""
+        from services.fetchers.flights import detect_gps_jamming_zones
+        assert detect_gps_jamming_zones(None) == []
+
+    def test_records_missing_position_skipped(self):
+        from services.fetchers.flights import detect_gps_jamming_zones
+        feed = [
+            {"hex": "noloc", "nac_p": 0},
+            {"hex": "nolat", "lng": -100.0, "nac_p": 0},
+            {"hex": "nolng", "lat": 40.0, "nac_p": 0},
+        ]
+        assert detect_gps_jamming_zones(feed) == []

backend/tests/test_openclaw_connect_info_reveal.py

@@ -0,0 +1,334 @@
+"""Issue #302 (tg12): OpenClaw connect-info HMAC secret disclosure.
+
+Before this change, ``GET /api/ai/connect-info?reveal=true`` returned the
+full HMAC secret in the response body on every modal open AND the same
+GET endpoint auto-bootstrapped (generated + persisted) the secret on a
+mere read. Even gated to ``require_local_operator``, that put the full
+secret into:
+
+  * browser visit history
+  * dev-tools network panel
+  * browser disk cache
+  * HAR exports
+  * screen captures / shoulder-surfing
+
+Every single time the OpenClaw Connect modal opened.
+
+After this change:
+
+  GET  /api/ai/connect-info            — always returns the MASKED
+                                          fingerprint. No ?reveal param.
+                                          No side effects (auto-bootstrap
+                                          gone).
+  POST /api/ai/connect-info/bootstrap  — mints+persists the secret if
+                                          missing. Idempotent. Never
+                                          returns the full secret.
+  POST /api/ai/connect-info/reveal     — returns the full secret with
+                                          strict Cache-Control: no-store
+                                          headers. POST so the body
+                                          doesn't land in URL history.
+  POST /api/ai/connect-info/regenerate — keeps the one-time-disclosure
+                                          for the new secret (regen IS a
+                                          deliberate destructive action).
+                                          Same no-store headers added.
+
+These tests pin every property.
+"""
+
+from __future__ import annotations
+
+import asyncio
+from unittest.mock import patch
+
+import pytest
+from httpx import ASGITransport, AsyncClient
+
+
+# ---------------------------------------------------------------------------
+# Loopback test client. ``require_local_operator`` resolves true for
+# request.client.host == "127.0.0.1"; FastAPI's TestClient sets it to
+# "testclient" which isn't on the allowlist. Use raw ASGITransport.
+# ---------------------------------------------------------------------------
+
+
+@pytest.fixture
+def loopback():
+    from main import app
+
+    class _Client:
+        def __init__(self, peer_ip: str = "127.0.0.1"):
+            self._loop = asyncio.new_event_loop()
+            self._transport = ASGITransport(app=app, client=(peer_ip, 12345))
+            self._base = f"http://{peer_ip}:8000"
+
+        def _do(self, method: str, url: str, **kw):
+            async def go():
+                async with AsyncClient(transport=self._transport, base_url=self._base) as ac:
+                    return await ac.request(method, url, **kw)
+            return self._loop.run_until_complete(go())
+
+        def get(self, url, **kw):  return self._do("GET", url, **kw)
+        def post(self, url, **kw): return self._do("POST", url, **kw)
+        def close(self): self._loop.close()
+
+    c = _Client()
+    yield c
+    c.close()
+
+
+@pytest.fixture
+def remote():
+    from main import app
+
+    class _Client:
+        def __init__(self):
+            self._loop = asyncio.new_event_loop()
+            self._transport = ASGITransport(app=app, client=("1.2.3.4", 12345))
+            self._base = "http://1.2.3.4:8000"
+
+        def _do(self, method: str, url: str, **kw):
+            async def go():
+                async with AsyncClient(transport=self._transport, base_url=self._base) as ac:
+                    return await ac.request(method, url, **kw)
+            return self._loop.run_until_complete(go())
+
+        def get(self, url, **kw):  return self._do("GET", url, **kw)
+        def post(self, url, **kw): return self._do("POST", url, **kw)
+        def close(self): self._loop.close()
+
+    c = _Client()
+    yield c
+    c.close()
+
+
+@pytest.fixture
+def stub_env(monkeypatch):
+    """Isolate connect-info tests from the dev's real backend .env.
+
+    Pydantic ``Settings()`` reads from ``.env`` file directly on
+    instantiation, so monkey-patching ``os.environ`` isn't sufficient
+    — the real ``OPENCLAW_HMAC_SECRET`` would leak through. Instead we
+    override ``get_settings()`` in the route module to return a fresh
+    ``Settings`` instance whose env values are driven entirely by an
+    in-test dict, AND we replace ``_write_env_value`` so writes update
+    that same dict instead of touching the developer's filesystem.
+
+    Yields the dict so individual tests can pre-seed values or assert
+    that writes happened.
+    """
+    import routers.ai_intel as ai_intel
+    import services.config as config
+
+    state: dict[str, str] = {}
+
+    class _FakeSettings:
+        @property
+        def OPENCLAW_HMAC_SECRET(self) -> str:
+            return state.get("OPENCLAW_HMAC_SECRET", "")
+
+        @property
+        def OPENCLAW_ACCESS_TIER(self) -> str:
+            return state.get("OPENCLAW_ACCESS_TIER", "restricted")
+
+    fake = _FakeSettings()
+
+    def _fake_get_settings():
+        return fake
+
+    # Route code calls ``get_settings.cache_clear()`` after writing the
+    # env. The production version is wrapped with ``@lru_cache``, so
+    # cache_clear exists. Attach a no-op shim here.
+    _fake_get_settings.cache_clear = lambda: None  # type: ignore[attr-defined]
+
+    monkeypatch.setattr(config, "get_settings", _fake_get_settings)
+
+    def _fake_write_env_value(key: str, value: str) -> None:
+        state[key] = value
+
+    monkeypatch.setattr(ai_intel, "_write_env_value", _fake_write_env_value)
+
+    yield state
+
+
+# ---------------------------------------------------------------------------
+# GET /api/ai/connect-info — always masked, no auto-bootstrap
+# ---------------------------------------------------------------------------
+
+
+class TestGetConnectInfoMasking:
+    def test_returns_masked_when_secret_set(self, loopback, stub_env):
+        secret = "abcdef" + "0" * 38 + "wxyz"
+        stub_env["OPENCLAW_HMAC_SECRET"] = secret
+
+        r = loopback.get("/api/ai/connect-info")
+        assert r.status_code == 200
+        body = r.json()
+        # Body must NOT carry the full secret value anywhere.
+        assert secret not in r.text, (
+            "GET /api/ai/connect-info MUST NOT include the full HMAC "
+            "secret. Response body contained the secret value."
+        )
+        assert body["hmac_secret_set"] is True
+        assert body["masked_hmac_secret"].startswith("abcdef")
+        assert body["masked_hmac_secret"].endswith("wxyz")
+        assert "•" in body["masked_hmac_secret"]
+        # Pre-fix field is gone.
+        assert "hmac_secret" not in body
+
+    def test_no_auto_bootstrap_when_secret_missing(self, loopback, stub_env):
+        """Side-effect-on-GET was the second half of issue #302. A GET
+        with no secret configured must NOT mint one — that should
+        require an explicit POST /bootstrap."""
+        r = loopback.get("/api/ai/connect-info")
+        assert r.status_code == 200
+        body = r.json()
+        assert body["hmac_secret_set"] is False
+        assert body["masked_hmac_secret"] == ""
+        # The bootstrap_behavior block should advertise the new flow.
+        assert body["bootstrap_behavior"]["auto_generates_when_missing"] is False
+        # And no _write_env_value call happened.
+        assert "OPENCLAW_HMAC_SECRET" not in stub_env
+
+    def test_no_reveal_query_param(self, loopback, stub_env):
+        """Pre-fix, ?reveal=true would return the full secret. Post-fix
+        the param is silently ignored — the response is the same as
+        without it (still masked, no leak)."""
+        secret = "abcdef" + "0" * 38 + "wxyz"
+        stub_env["OPENCLAW_HMAC_SECRET"] = secret
+
+        r = loopback.get("/api/ai/connect-info?reveal=true")
+        assert r.status_code == 200
+        assert secret not in r.text, (
+            "?reveal=true must be a no-op on GET — the full secret "
+            "MUST NOT come back in the response body."
+        )
+
+
+# ---------------------------------------------------------------------------
+# POST /api/ai/connect-info/bootstrap
+# ---------------------------------------------------------------------------
+
+
+class TestBootstrap:
+    def test_mints_when_missing(self, loopback, stub_env):
+        r = loopback.post("/api/ai/connect-info/bootstrap")
+        assert r.status_code == 200
+        body = r.json()
+        assert body["ok"] is True
+        assert body["generated"] is True
+        assert body["hmac_secret_set"] is True
+        # Bootstrap must NOT return the full secret in-line.
+        assert "hmac_secret" not in body or not body.get("hmac_secret")
+        assert "•" in body["masked_hmac_secret"]
+        # _write_env_value was actually called.
+        assert stub_env.get("OPENCLAW_HMAC_SECRET")
+        # The full value isn't echoed back in the response text either.
+        assert stub_env["OPENCLAW_HMAC_SECRET"] not in r.text
+
+    def test_idempotent_when_already_set(self, loopback, stub_env):
+        existing = "abcdef" + "0" * 38 + "wxyz"
+        stub_env["OPENCLAW_HMAC_SECRET"] = existing
+
+        r = loopback.post("/api/ai/connect-info/bootstrap")
+        assert r.status_code == 200
+        body = r.json()
+        assert body["ok"] is True
+        assert body["generated"] is False
+        assert body["hmac_secret_set"] is True
+        # Existing secret untouched — value is still the seeded one.
+        assert stub_env["OPENCLAW_HMAC_SECRET"] == existing
+        # No full secret in the response.
+        assert existing not in r.text
+
+
+# ---------------------------------------------------------------------------
+# POST /api/ai/connect-info/reveal
+# ---------------------------------------------------------------------------
+
+
+class TestReveal:
+    def test_returns_full_secret_when_set(self, loopback, stub_env):
+        secret = "abcdef" + "0" * 38 + "wxyz"
+        stub_env["OPENCLAW_HMAC_SECRET"] = secret
+
+        r = loopback.post("/api/ai/connect-info/reveal")
+        assert r.status_code == 200
+        body = r.json()
+        assert body["ok"] is True
+        assert body["hmac_secret"] == secret
+
+    def test_strict_cache_control_headers(self, loopback, stub_env):
+        """The whole point of POST /reveal vs GET ?reveal=true is that
+        the response carries headers that prevent every cache layer
+        from persisting the secret."""
+        secret = "abcdef" + "0" * 38 + "wxyz"
+        stub_env["OPENCLAW_HMAC_SECRET"] = secret
+
+        r = loopback.post("/api/ai/connect-info/reveal")
+        cc = r.headers.get("cache-control", "")
+        assert "no-store" in cc, (
+            f"reveal MUST set Cache-Control: no-store — got {cc!r}"
+        )
+        assert "no-cache" in cc
+        # Pragma + Expires as well for HTTP/1.0 caches.
+        assert r.headers.get("pragma", "").lower() == "no-cache"
+        assert r.headers.get("expires") == "0"
+
+    def test_404_when_no_secret_configured(self, loopback, stub_env):
+        r = loopback.post("/api/ai/connect-info/reveal")
+        assert r.status_code == 404
+        # Hint should point at the bootstrap endpoint, not just say "404".
+        detail = r.json().get("detail", "")
+        assert "/bootstrap" in detail or "bootstrap" in detail.lower()
+
+
+# ---------------------------------------------------------------------------
+# POST /api/ai/connect-info/regenerate — still returns the new secret
+# inline (deliberate destructive action), but with no-store headers.
+# ---------------------------------------------------------------------------
+
+
+class TestRegenerate:
+    def test_returns_new_secret_with_no_store_headers(self, loopback, stub_env):
+        # Seed an existing secret so we can prove it changes.
+        old = "oldold" + "0" * 38 + "1234"
+        stub_env["OPENCLAW_HMAC_SECRET"] = old
+
+        r = loopback.post("/api/ai/connect-info/regenerate")
+        assert r.status_code == 200
+        body = r.json()
+        assert body["ok"] is True
+        assert body["hmac_secret"]
+        assert body["hmac_secret"] != old
+        # no-store headers MUST be present so the new secret doesn't
+        # land in browser disk cache after the regenerate click.
+        cc = r.headers.get("cache-control", "")
+        assert "no-store" in cc and "no-cache" in cc
+        assert r.headers.get("pragma", "").lower() == "no-cache"
+
+
+# ---------------------------------------------------------------------------
+# Auth-gate regression — every endpoint still rejects anonymous remote
+# callers. This is the property we already enforce for the rest of the
+# operator-only surface; adding the three new endpoints to the audit
+# coverage prevents a future refactor from dropping the dependency.
+# ---------------------------------------------------------------------------
+
+
+class TestAnonymousRejection:
+    @pytest.mark.parametrize(
+        "method,path,body",
+        [
+            ("get",  "/api/ai/connect-info",            None),
+            ("post", "/api/ai/connect-info/bootstrap",  None),
+            ("post", "/api/ai/connect-info/reveal",     None),
+            ("post", "/api/ai/connect-info/regenerate", None),
+        ],
+    )
+    def test_remote_rejected(self, remote, method, path, body):
+        fn = getattr(remote, method)
+        r = fn(path, json=body) if body is not None else fn(path)
+        assert r.status_code == 403, (
+            f"{method.upper()} {path} must reject anonymous remote callers; "
+            f"got {r.status_code}"
+        )

backend/tests/test_sentinel_credentials_server_side.py

@@ -0,0 +1,277 @@
+"""Issue #298 (tg12): Sentinel credentials must live server-side.
+
+Before the fix, ``frontend/src/components/SettingsPanel.tsx`` stored
+``client_id`` and ``client_secret`` in ``localStorage`` /
+``sessionStorage`` via the privacy storage helper, and the proxy routes
+in ``backend/routers/tools.py`` REQUIRED those values to come in the
+request body. Any same-origin script (XSS, malicious extension,
+dev-tools HAR export) had read access to real third-party Sentinel
+credentials.
+
+After the fix:
+
+  * ``SENTINEL_CLIENT_ID`` and ``SENTINEL_CLIENT_SECRET`` are entries
+    in the ``api_settings.API_REGISTRY`` and are persisted via the
+    existing ``/api/settings/api-keys`` flow (admin-gated, .env-backed,
+    never returned to the browser).
+  * The proxy routes prefer request-body values for back-compat but
+    fall back to ``os.environ.get("SENTINEL_CLIENT_ID")`` /
+    ``os.environ.get("SENTINEL_CLIENT_SECRET")`` when the body omits
+    them. The dashboard's ``sentinelHub.ts`` no longer sends credentials
+    in the body — every request now hits the env path.
+  * When neither source has a value, the route returns a 400 with a
+    pointer to the API Keys panel rather than a curt "client_id and
+    client_secret required" message.
+
+These tests cover the resolution order and the registry surface.
+"""
+
+from __future__ import annotations
+
+from unittest.mock import patch, MagicMock
+
+import pytest
+
+
+# ---------------------------------------------------------------------------
+# Helper: import the routes module fresh per test so monkey-patched
+# environment variables are picked up by the route's os.environ.get call.
+# (The lookup is per-request, not at import time, so this isn't strictly
+# required — but it makes the test layout obvious.)
+# ---------------------------------------------------------------------------
+
+
+@pytest.fixture
+def loopback_client():
+    """ASGI client with peer IP 127.0.0.1 so the Sentinel routes' (post-#303)
+    ``require_local_operator`` gate passes.
+
+    Built without a context manager so the privacy-core lifespan check
+    doesn't run in the test env.
+    """
+    import asyncio
+    from httpx import ASGITransport, AsyncClient
+    from main import app
+
+    class _Loop:
+        def __init__(self):
+            self._loop = asyncio.new_event_loop()
+            self._transport = ASGITransport(app=app, client=("127.0.0.1", 12345))
+            self._base = "http://127.0.0.1:8000"
+
+        def _do(self, method: str, url: str, **kw):
+            async def go():
+                async with AsyncClient(transport=self._transport, base_url=self._base) as ac:
+                    return await ac.request(method, url, **kw)
+            return self._loop.run_until_complete(go())
+
+        def get(self, url, **kw):  return self._do("GET", url, **kw)
+        def post(self, url, **kw): return self._do("POST", url, **kw)
+        def put(self, url, **kw):  return self._do("PUT", url, **kw)
+
+        def close(self): self._loop.close()
+
+    c = _Loop()
+    yield c
+    c.close()
+
+
+# ---------------------------------------------------------------------------
+# API_REGISTRY surface
+# ---------------------------------------------------------------------------
+
+
+class TestApiRegistry:
+    def test_sentinel_keys_registered(self):
+        """Both Sentinel keys must be entries in API_REGISTRY so the
+        existing /api/settings/api-keys PUT flow can write them to .env."""
+        from services.api_settings import API_REGISTRY, ALLOWED_ENV_KEYS
+
+        ids = {row["id"] for row in API_REGISTRY}
+        assert "sentinel_client_id" in ids
+        assert "sentinel_client_secret" in ids
+
+        # Critical: ALLOWED_ENV_KEYS is the gate on which .env keys the
+        # API can mutate. If we forgot to add the env_key field on the
+        # registry rows, callers couldn't actually save the values.
+        assert "SENTINEL_CLIENT_ID" in ALLOWED_ENV_KEYS
+        assert "SENTINEL_CLIENT_SECRET" in ALLOWED_ENV_KEYS
+
+    def test_api_keys_put_accepts_sentinel_keys(self, loopback_client, monkeypatch, tmp_path):
+        """End-to-end: PUT /api/settings/api-keys with SENTINEL_CLIENT_ID
+        + SENTINEL_CLIENT_SECRET must persist to .env."""
+        import services.api_settings as api_settings
+
+        # Redirect both .env paths to tmp so the test doesn't mutate
+        # the developer's real backend .env.
+        tmp_env = tmp_path / ".env"
+        monkeypatch.setattr(api_settings, "ENV_PATH", tmp_env)
+        monkeypatch.setattr(api_settings, "OPERATOR_KEYS_ENV_PATH", tmp_path / "operator_api_keys.env")
+
+        r = loopback_client.put(
+            "/api/settings/api-keys",
+            json={
+                "SENTINEL_CLIENT_ID": "test-sentinel-id",
+                "SENTINEL_CLIENT_SECRET": "test-sentinel-secret",
+            },
+        )
+        assert r.status_code == 200, f"PUT failed: {r.text}"
+        body = r.json()
+        assert body.get("ok") is True
+
+        # File on disk should now carry both keys.
+        parsed = api_settings._parse_env_file(tmp_env)
+        assert parsed.get("SENTINEL_CLIENT_ID") == "test-sentinel-id"
+        assert parsed.get("SENTINEL_CLIENT_SECRET") == "test-sentinel-secret"
+
+
+# ---------------------------------------------------------------------------
+# Credential resolution — body wins, env is fallback, neither is 400
+# ---------------------------------------------------------------------------
+
+
+class TestSentinelTokenCredResolution:
+    def test_env_fallback_when_body_empty(self, loopback_client, monkeypatch):
+        """No body credentials → backend reads .env values."""
+        monkeypatch.setenv("SENTINEL_CLIENT_ID", "env-id")
+        monkeypatch.setenv("SENTINEL_CLIENT_SECRET", "env-secret")
+
+        # Mock the upstream Copernicus call so we don't hit the network.
+        # Capture what was sent so we can prove env values were used.
+        captured: dict = {}
+        fake_resp = MagicMock()
+        fake_resp.status_code = 200
+        fake_resp.content = b'{"access_token": "stub", "expires_in": 300}'
+
+        def fake_post(url, *args, **kwargs):
+            captured["url"] = url
+            captured["data"] = kwargs.get("data", {})
+            return fake_resp
+
+        with patch("requests.post", side_effect=fake_post):
+            r = loopback_client.post(
+                "/api/sentinel/token",
+                data={},  # ← deliberately empty body
+                headers={"Content-Type": "application/x-www-form-urlencoded"},
+            )
+
+        assert r.status_code == 200
+        # The forwarded creds must come from env, not from a stale cache
+        # or fallback string.
+        assert captured.get("data", {}).get("client_id") == "env-id"
+        assert captured.get("data", {}).get("client_secret") == "env-secret"
+
+    def test_body_credentials_win_over_env(self, loopback_client, monkeypatch):
+        """Body values (back-compat path) must win when both sources
+        are present. This preserves the pre-#298 behavior for any
+        legacy callers that still post credentials."""
+        monkeypatch.setenv("SENTINEL_CLIENT_ID", "env-id")
+        monkeypatch.setenv("SENTINEL_CLIENT_SECRET", "env-secret")
+
+        captured: dict = {}
+        fake_resp = MagicMock()
+        fake_resp.status_code = 200
+        fake_resp.content = b'{"access_token": "stub"}'
+
+        def fake_post(url, *args, **kwargs):
+            captured["data"] = kwargs.get("data", {})
+            return fake_resp
+
+        with patch("requests.post", side_effect=fake_post):
+            r = loopback_client.post(
+                "/api/sentinel/token",
+                data={"client_id": "body-id", "client_secret": "body-secret"},
+                headers={"Content-Type": "application/x-www-form-urlencoded"},
+            )
+
+        assert r.status_code == 200
+        assert captured["data"]["client_id"] == "body-id"
+        assert captured["data"]["client_secret"] == "body-secret"
+
+    def test_400_when_neither_source_has_credentials(self, loopback_client, monkeypatch):
+        """If body is empty AND env is empty, return 400 with a
+        friendly pointer to the API Keys panel — not a curt
+        "required" message and not a 500."""
+        monkeypatch.delenv("SENTINEL_CLIENT_ID", raising=False)
+        monkeypatch.delenv("SENTINEL_CLIENT_SECRET", raising=False)
+
+        # If the route ever calls requests.post here, the gate is broken
+        # — empty creds should never produce an outbound HTTP call.
+        fake = MagicMock(side_effect=AssertionError(
+            "requests.post should not be called when no credentials are configured"
+        ))
+        with patch("requests.post", fake):
+            r = loopback_client.post(
+                "/api/sentinel/token",
+                data={},
+                headers={"Content-Type": "application/x-www-form-urlencoded"},
+            )
+
+        assert r.status_code == 400
+        detail = r.json().get("detail", "")
+        # The pointer to the API Keys panel is what makes this non-hostile.
+        assert "API Keys panel" in detail or "SENTINEL_CLIENT_ID" in detail
+        assert fake.call_count == 0
+
+
+class TestSentinelTileCredResolution:
+    def test_env_fallback_when_body_omits_credentials(self, loopback_client, monkeypatch):
+        """Tile route: no body credentials → uses env values."""
+        monkeypatch.setenv("SENTINEL_CLIENT_ID", "env-id")
+        monkeypatch.setenv("SENTINEL_CLIENT_SECRET", "env-secret")
+
+        token_resp = MagicMock()
+        token_resp.status_code = 200
+        token_resp.json = MagicMock(return_value={"access_token": "stub", "expires_in": 300})
+
+        process_resp = MagicMock()
+        process_resp.status_code = 200
+        process_resp.content = b"<png bytes>"
+        process_resp.headers = {"content-type": "image/png"}
+
+        captured: list = []
+
+        def fake_post(url, *args, **kwargs):
+            captured.append({"url": url, "data": kwargs.get("data"), "json": kwargs.get("json")})
+            if "openid-connect/token" in url:
+                return token_resp
+            return process_resp
+
+        with patch("requests.post", side_effect=fake_post):
+            r = loopback_client.post(
+                "/api/sentinel/tile",
+                json={
+                    # Note: no client_id / client_secret in body
+                    "preset": "TRUE-COLOR",
+                    "date": "2026-01-01",
+                    "z": 6, "x": 30, "y": 20,
+                },
+            )
+
+        assert r.status_code == 200
+        # First call was the token mint; verify it used env creds.
+        token_call = next(c for c in captured if "openid-connect/token" in c["url"])
+        assert token_call["data"]["client_id"] == "env-id"
+        assert token_call["data"]["client_secret"] == "env-secret"
+
+    def test_400_when_neither_source_has_credentials(self, loopback_client, monkeypatch):
+        monkeypatch.delenv("SENTINEL_CLIENT_ID", raising=False)
+        monkeypatch.delenv("SENTINEL_CLIENT_SECRET", raising=False)
+
+        fake = MagicMock(side_effect=AssertionError(
+            "requests.post should not be called when no credentials are configured"
+        ))
+        with patch("requests.post", fake):
+            r = loopback_client.post(
+                "/api/sentinel/tile",
+                json={
+                    "preset": "TRUE-COLOR",
+                    "date": "2026-01-01",
+                    "z": 6, "x": 30, "y": 20,
+                },
+            )
+
+        assert r.status_code == 400
+        detail = r.json().get("detail", "")
+        assert "API Keys panel" in detail or "SENTINEL_CLIENT_ID" in detail
+        assert fake.call_count == 0

frontend/src/__tests__/utils/sentinelHub.test.ts

@@ -0,0 +1,169 @@
+/**
+ * Issue #298 (tg12): Sentinel credentials must no longer live in browser
+ * storage, and the proxy calls must not forward them in request bodies.
+ * These tests pin both invariants on ``lib/sentinelHub``:
+ *
+ *  1. ``migrateLegacySentinelBrowserKeys()`` clears the legacy keys
+ *     idempotently and reports what it cleared.
+ *  2. ``fetchSentinelTile()`` and ``getSentinelToken()`` POST WITHOUT
+ *     ``client_id`` or ``client_secret`` in the body — the backend
+ *     resolves credentials from its ``.env``. A future refactor that
+ *     accidentally re-introduces browser-storage reads (e.g. by
+ *     restoring ``getSentinelCredentials()`` and forwarding it) gets a
+ *     loud test failure here rather than a silent privacy regression.
+ *  3. ``checkBackendSentinelStatus()`` queries ``/api/settings/api-keys``
+ *     and returns true only when both Sentinel keys report ``is_set``.
+ */
+import { afterEach, beforeEach, describe, expect, it, vi } from 'vitest';
+
+import {
+  migrateLegacySentinelBrowserKeys,
+  fetchSentinelTile,
+  getSentinelToken,
+  checkBackendSentinelStatus,
+  refreshSentinelStatus,
+} from '@/lib/sentinelHub';
+
+const originalFetch = globalThis.fetch;
+
+describe('lib/sentinelHub — issue #298 server-side credentials', () => {
+  beforeEach(() => {
+    window.localStorage.clear();
+    window.sessionStorage.clear();
+    refreshSentinelStatus();
+  });
+
+  afterEach(() => {
+    globalThis.fetch = originalFetch;
+    window.localStorage.clear();
+    window.sessionStorage.clear();
+    refreshSentinelStatus();
+  });
+
+  describe('migrateLegacySentinelBrowserKeys', () => {
+    it('clears legacy localStorage keys and reports what it cleared', () => {
+      window.localStorage.setItem('sb_sentinel_client_id', 'sh-leaked-id');
+      window.localStorage.setItem('sb_sentinel_client_secret', 'leaked-secret');
+      window.localStorage.setItem('sb_sentinel_instance_id', 'leaked-instance');
+
+      const result = migrateLegacySentinelBrowserKeys();
+
+      expect(window.localStorage.getItem('sb_sentinel_client_id')).toBeNull();
+      expect(window.localStorage.getItem('sb_sentinel_client_secret')).toBeNull();
+      expect(window.localStorage.getItem('sb_sentinel_instance_id')).toBeNull();
+      expect(result.cleared.sort()).toEqual([
+        'sb_sentinel_client_id',
+        'sb_sentinel_client_secret',
+        'sb_sentinel_instance_id',
+      ].sort());
+    });
+
+    it('clears sessionStorage too (privacy-strict mode used to put them there)', () => {
+      window.sessionStorage.setItem('sb_sentinel_client_id', 'sh-session-id');
+      window.sessionStorage.setItem('sb_sentinel_client_secret', 'session-secret');
+
+      const result = migrateLegacySentinelBrowserKeys();
+
+      expect(window.sessionStorage.getItem('sb_sentinel_client_id')).toBeNull();
+      expect(window.sessionStorage.getItem('sb_sentinel_client_secret')).toBeNull();
+      expect(result.cleared).toContain('sb_sentinel_client_id');
+      expect(result.cleared).toContain('sb_sentinel_client_secret');
+    });
+
+    it('is idempotent — calling it on a clean store reports nothing cleared', () => {
+      const result = migrateLegacySentinelBrowserKeys();
+      expect(result.cleared).toEqual([]);
+    });
+  });
+
+  describe('proxy requests no longer forward credentials', () => {
+    it('fetchSentinelTile POSTs without client_id/client_secret in the body', async () => {
+      // Plant credentials in browser storage to prove they would NOT be
+      // picked up even if present. Pre-#298, this would have been read
+      // from localStorage and posted in the body.
+      window.localStorage.setItem('sb_sentinel_client_id', 'sh-leaked-id');
+      window.localStorage.setItem('sb_sentinel_client_secret', 'leaked-secret');
+
+      const fetchMock = vi.fn(async () => new Response(new ArrayBuffer(0), { status: 200 }));
+      globalThis.fetch = fetchMock as unknown as typeof globalThis.fetch;
+
+      await fetchSentinelTile(6, 30, 20, 'TRUE-COLOR', '2026-01-01');
+
+      expect(fetchMock).toHaveBeenCalledTimes(1);
+      const [, init] = fetchMock.mock.calls[0] as [unknown, RequestInit];
+      const body = JSON.parse(String(init.body));
+      expect(body).not.toHaveProperty('client_id');
+      expect(body).not.toHaveProperty('client_secret');
+      // Sanity: the legitimate fields are still there.
+      expect(body).toMatchObject({ preset: 'TRUE-COLOR', date: '2026-01-01', z: 6, x: 30, y: 20 });
+    });
+
+    it('getSentinelToken POSTs with an empty form body (backend uses env)', async () => {
+      window.localStorage.setItem('sb_sentinel_client_id', 'sh-leaked-id');
+      window.localStorage.setItem('sb_sentinel_client_secret', 'leaked-secret');
+
+      const fetchMock = vi.fn(async () =>
+        new Response(JSON.stringify({ access_token: 'stub', expires_in: 300 }), { status: 200 }),
+      );
+      globalThis.fetch = fetchMock as unknown as typeof globalThis.fetch;
+
+      const token = await getSentinelToken();
+
+      expect(token).toBe('stub');
+      expect(fetchMock).toHaveBeenCalledTimes(1);
+      const [, init] = fetchMock.mock.calls[0] as [unknown, RequestInit];
+      const body = String(init.body);
+      // Body is a URLSearchParams stringification. We assert that the
+      // leaked credential never appears in it.
+      expect(body).not.toContain('sh-leaked-id');
+      expect(body).not.toContain('leaked-secret');
+    });
+  });
+
+  describe('checkBackendSentinelStatus', () => {
+    it('returns true when both Sentinel keys report is_set on /api/settings/api-keys', async () => {
+      const fetchMock = vi.fn(async (input: unknown) => {
+        const url = String(input);
+        if (url.endsWith('/api/settings/api-keys')) {
+          return new Response(
+            JSON.stringify([
+              { id: 'sentinel_client_id', env_key: 'SENTINEL_CLIENT_ID', is_set: true },
+              { id: 'sentinel_client_secret', env_key: 'SENTINEL_CLIENT_SECRET', is_set: true },
+              { id: 'opensky_client_id', env_key: 'OPENSKY_CLIENT_ID', is_set: false },
+            ]),
+            { status: 200 },
+          );
+        }
+        return new Response('not found', { status: 404 });
+      });
+      globalThis.fetch = fetchMock as unknown as typeof globalThis.fetch;
+
+      const configured = await checkBackendSentinelStatus();
+      expect(configured).toBe(true);
+    });
+
+    it('returns false when only one of the two keys is set', async () => {
+      const fetchMock = vi.fn(async () =>
+        new Response(
+          JSON.stringify([
+            { id: 'sentinel_client_id', env_key: 'SENTINEL_CLIENT_ID', is_set: true },
+            { id: 'sentinel_client_secret', env_key: 'SENTINEL_CLIENT_SECRET', is_set: false },
+          ]),
+          { status: 200 },
+        ),
+      );
+      globalThis.fetch = fetchMock as unknown as typeof globalThis.fetch;
+
+      const configured = await checkBackendSentinelStatus();
+      expect(configured).toBe(false);
+    });
+
+    it('fails safely (false) when the backend errors', async () => {
+      const fetchMock = vi.fn(async () => { throw new Error('network down'); });
+      globalThis.fetch = fetchMock as unknown as typeof globalThis.fetch;
+
+      const configured = await checkBackendSentinelStatus();
+      expect(configured).toBe(false);
+    });
+  });
+});

frontend/src/app/page.tsx

@@ -50,6 +50,7 @@ import {
   hasSentinelInfoBeenSeen,
   markSentinelInfoSeen,
   hasSentinelCredentials,
+  checkBackendSentinelStatus,
 } from '@/lib/sentinelHub';
 import { useTranslation } from '@/i18n';
 import { LocateBar } from './LocateBar';
@@ -107,6 +108,15 @@ export default function Dashboard() {
   useEffect(() => {
     localStorage.setItem('sb_ticker_open', tickerOpen.toString());
   }, [tickerOpen]);
+
+  // Issue #298: kick the one-time backend Sentinel-status check on mount.
+  // This populates the cached value that ``hasSentinelCredentials()`` reads
+  // synchronously elsewhere (MaplibreViewer's tile-URL memo, the
+  // Sentinel-info modal flow). Fire-and-forget — the cache stays false
+  // until resolved so the UI fails safely.
+  useEffect(() => {
+    void checkBackendSentinelStatus();
+  }, []);
   const [settingsOpen, setSettingsOpen] = useState(false);
   const [legendOpen, setLegendOpen] = useState(false);
   const [shortcutsOpen, setShortcutsOpen] = useState(false);

frontend/src/components/AIIntelPanel.tsx

@@ -357,8 +357,15 @@ function ConnectModalBody({ apiEndpoint, handleCopy, copied }: ConnectModalBodyP
   const [riskAccepted, setRiskAccepted] = React.useState(false);
   const [accessTier, setAccessTier] = React.useState<'restricted' | 'full'>('restricted');
   const [connectionMode, setConnectionMode] = React.useState<'local' | 'remote'>('local');
+  // hmacSecret holds the FULL secret once the operator has clicked
+  // Reveal (or after a regenerate). maskedHmacSecret is the safe-to-show
+  // fingerprint returned by GET /api/ai/connect-info and is loaded on
+  // mount. The two are independent state slots so a stale full secret
+  // can never leak back into the UI after a regenerate.
   const [hmacSecret, setHmacSecret] = React.useState('');
+  const [maskedHmacSecret, setMaskedHmacSecret] = React.useState('');
   const [hmacLoading, setHmacLoading] = React.useState(false);
+  const [revealing, setRevealing] = React.useState(false);
   const [tierSaving, setTierSaving] = React.useState(false);
   const [showAdvanced, setShowAdvanced] = React.useState(false);
   const [showResetConfirm, setShowResetConfirm] = React.useState(false);
@@ -381,16 +388,40 @@ function ConnectModalBody({ apiEndpoint, handleCopy, copied }: ConnectModalBodyP
   const [torError, setTorError] = React.useState('');
   const [torOnion, setTorOnion] = React.useState('');
 
-  // Fetch connect-info + node status on mount
+  // Issue #302 (tg12): the full HMAC secret no longer travels through
+  // GET /api/ai/connect-info on every modal open. The flow is now:
+  //
+  //   1. GET /api/ai/connect-info — always returns the masked fingerprint
+  //      (first6 + bullets + last4). `hmacSecret` stays empty until the
+  //      operator clicks the Reveal (eye) button below.
+  //   2. POST /api/ai/connect-info/bootstrap — fires once on mount if the
+  //      backend reports `hmac_secret_set: false`. Idempotent and never
+  //      returns the secret in the response.
+  //   3. POST /api/ai/connect-info/reveal — fires when the operator clicks
+  //      Reveal or Copy without the secret yet loaded. Returns the full
+  //      secret with strict `Cache-Control: no-store` so it doesn't land
+  //      in browser caches or HAR exports.
   React.useEffect(() => {
     (async () => {
       try {
         setHmacLoading(true);
-        const res = await fetch(`${API_BASE}/api/ai/connect-info?reveal=true`);
-        if (res.ok) {
-          const data = await res.json();
-          setHmacSecret(data.hmac_secret || '');
-          setAccessTier(data.access_tier === 'full' ? 'full' : 'restricted');
+        const res = await fetch(`${API_BASE}/api/ai/connect-info`);
+        if (!res.ok) return;
+        const data = await res.json();
+        setMaskedHmacSecret(data.masked_hmac_secret || '');
+        setAccessTier(data.access_tier === 'full' ? 'full' : 'restricted');
+
+        // Transparent first-use bootstrap. Mirrors the pre-#302 UX of
+        // "open modal → secret exists" without the GET side-effect.
+        if (!data.hmac_secret_set) {
+          const bootRes = await fetch(
+            `${API_BASE}/api/ai/connect-info/bootstrap`,
+            { method: 'POST' },
+          );
+          if (bootRes.ok) {
+            const bootData = await bootRes.json();
+            setMaskedHmacSecret(bootData.masked_hmac_secret || '');
+          }
         }
       } catch { /* ignore */ }
       finally { setHmacLoading(false); }
@@ -477,8 +508,17 @@ function ConnectModalBody({ apiEndpoint, handleCopy, copied }: ConnectModalBodyP
       const res = await fetch(`${API_BASE}/api/settings/agent/reset-all`, { method: 'POST' });
       const data = await res.json();
       if (data.ok) {
-        // Update local state with new credentials
-        if (data.new_hmac_secret) setHmacSecret(data.new_hmac_secret);
+        // Update local state with new credentials. reset-all returns
+        // the new HMAC secret in-band (same one-time-disclosure rule
+        // as /regenerate — a deliberate destructive action). Refresh
+        // both slots so the masked display stays in sync.
+        if (data.new_hmac_secret) {
+          setHmacSecret(data.new_hmac_secret);
+          const s = String(data.new_hmac_secret);
+          setMaskedHmacSecret(
+            s.length > 10 ? s.slice(0, 6) + '•'.repeat(8) + s.slice(-4) : '•'.repeat(16),
+          );
+        }
         if (data.new_onion) {
           setTorOnion(data.new_onion);
           setRemoteUrl(data.new_onion);
@@ -502,13 +542,41 @@ function ConnectModalBody({ apiEndpoint, handleCopy, copied }: ConnectModalBodyP
     finally { setTierSaving(false); }
   };
 
+  // Issue #302: POST /reveal returns the full secret with strict
+  // no-store headers. Lazily fetched — never on mount. Returns the
+  // secret string so callers can copy it immediately without waiting
+  // for React state propagation.
+  const revealHmacSecret = async (): Promise<string> => {
+    if (hmacSecret) return hmacSecret;
+    setRevealing(true);
+    try {
+      const res = await fetch(`${API_BASE}/api/ai/connect-info/reveal`, {
+        method: 'POST',
+      });
+      if (!res.ok) return '';
+      const data = await res.json();
+      const secret = String(data.hmac_secret || '');
+      setHmacSecret(secret);
+      return secret;
+    } catch {
+      return '';
+    } finally {
+      setRevealing(false);
+    }
+  };
+
   const handleRegenerate = async () => {
     setRegenerating(true);
     try {
       const res = await fetch(`${API_BASE}/api/ai/connect-info/regenerate`, { method: 'POST' });
       if (res.ok) {
         const data = await res.json();
+        // Regenerate is a deliberate destructive action — operator needs
+        // to see the new secret once to update their OpenClaw config.
+        // Both the full and masked forms refresh in one shot.
         setHmacSecret(data.hmac_secret || '');
+        setMaskedHmacSecret(data.masked_hmac_secret || '');
+        setShowSecret(true);
       }
     } catch { /* ignore */ }
     finally { setRegenerating(false); }
@@ -543,9 +611,17 @@ function ConnectModalBody({ apiEndpoint, handleCopy, copied }: ConnectModalBodyP
     finally { setNodeToggling(false); }
   };
 
-  const maskedSecret = hmacSecret
-    ? hmacSecret.slice(0, 6) + '\u2022'.repeat(8) + hmacSecret.slice(-4)
-    : '\u2022'.repeat(16);
+  // Issue #302: prefer the server-supplied fingerprint
+  // (maskedHmacSecret) \u2014 it's filled on mount via the (no-secret) GET.
+  // If the operator has clicked Reveal, fall through to deriving the
+  // mask from the in-memory full secret so we keep the same shape
+  // (first6 + bullets + last4) regardless of source. Final fallback
+  // (no secret loaded yet) is a generic bullet string.
+  const maskedSecret =
+    maskedHmacSecret ||
+    (hmacSecret
+      ? hmacSecret.slice(0, 6) + '\u2022'.repeat(8) + hmacSecret.slice(-4)
+      : '\u2022'.repeat(16));
 
   // Resolve the endpoint URL
   const resolvedUrl = connectionMode === 'local'
@@ -672,10 +748,15 @@ function ConnectModalBody({ apiEndpoint, handleCopy, copied }: ConnectModalBodyP
     return lines.join('\n');
   };
   const displaySnippet = buildSnippet(maskedSecret);
-  const copySnippet = buildSnippet(hmacSecret);
 
-  const handleCopySnippet = () => {
-    navigator.clipboard.writeText(copySnippet);
+  // Issue #302: the copy snippet needs the FULL secret. Pre-#302 we kept
+  // it in memory from the GET-with-reveal load; now we lazy-fetch via
+  // POST /reveal only when the operator actually clicks Copy. If they
+  // already revealed, the in-memory value is reused (no extra request).
+  const handleCopySnippet = async () => {
+    const secret = hmacSecret || (await revealHmacSecret());
+    if (!secret) return;
+    navigator.clipboard.writeText(buildSnippet(secret));
     setSnippetCopied(true);
     setTimeout(() => setSnippetCopied(false), 2000);
   };
@@ -913,18 +994,38 @@ function ConnectModalBody({ apiEndpoint, handleCopy, copied }: ConnectModalBodyP
                   </div>
                   <div className="flex items-center gap-2">
                     <code className="flex-1 bg-black/60 border border-violet-800/40 px-3 py-2 text-xs font-mono text-violet-300 overflow-hidden text-ellipsis">
-                      {showSecret ? hmacSecret : maskedSecret}
+                      {/* Issue #302: when the operator hasn't clicked
+                          Reveal yet, hmacSecret is empty and we fall
+                          back to maskedHmacSecret (the safe fingerprint
+                          returned by GET /api/ai/connect-info). */}
+                      {showSecret && hmacSecret ? hmacSecret : (maskedHmacSecret || maskedSecret)}
                     </code>
                     <button
-                      onClick={() => setShowSecret(!showSecret)}
-                      className="p-2 bg-violet-600/20 border border-violet-500/40 text-violet-400 hover:bg-violet-600/40 transition-colors shrink-0"
+                      onClick={async () => {
+                        if (showSecret) {
+                          setShowSecret(false);
+                          return;
+                        }
+                        // Need the full secret in state before showing it.
+                        const secret = await revealHmacSecret();
+                        if (secret) setShowSecret(true);
+                      }}
+                      disabled={revealing}
+                      className="p-2 bg-violet-600/20 border border-violet-500/40 text-violet-400 hover:bg-violet-600/40 transition-colors shrink-0 disabled:opacity-50"
                       title={showSecret ? 'Hide' : 'Reveal'}
                     >
                       {showSecret ? <EyeOff size={14} /> : <Eye size={14} />}
                     </button>
                     <button
-                      onClick={() => handleCopy(hmacSecret)}
-                      className="p-2 bg-violet-600/20 border border-violet-500/40 text-violet-400 hover:bg-violet-600/40 transition-colors shrink-0"
+                      onClick={async () => {
+                        // Copy needs the full secret. Fetch it lazily if
+                        // the operator hasn't clicked Reveal yet — no
+                        // point making them reveal first just to copy.
+                        const secret = hmacSecret || (await revealHmacSecret());
+                        if (secret) handleCopy(secret);
+                      }}
+                      disabled={revealing}
+                      className="p-2 bg-violet-600/20 border border-violet-500/40 text-violet-400 hover:bg-violet-600/40 transition-colors shrink-0 disabled:opacity-50"
                       title="Copy key"
                     >
                       {copied ? <Check size={14} /> : <Copy size={14} />}

frontend/src/components/OnboardingModal.tsx

@@ -140,17 +140,51 @@ const OnboardingModal = React.memo(function OnboardingModal({
   ].join('\n');
   const remoteAgentNeedsTor = agentMode === 'remote' && !torAddress;
 
+  // Issue #302 (tg12): the full HMAC secret no longer comes back from
+  // GET /api/ai/connect-info. We fetch metadata + the masked fingerprint
+  // first; if the operator has explicitly asked to see the key (the
+  // ``reveal`` flag), we follow up with POST /api/ai/connect-info/reveal
+  // (after a transparent POST /bootstrap if the secret hasn't been
+  // minted yet) which carries the secret with strict no-store headers.
   const fetchAgentConnectInfo = async (reveal = true) => {
     setAgentLoading(true);
     setAgentMsg(null);
     try {
-      const res = await fetch(`/api/ai/connect-info?reveal=${reveal ? 'true' : 'false'}`);
-      const data = await res.json().catch(() => ({}));
-      if (!res.ok || data?.ok === false) {
-        throw new Error(data?.detail || 'Could not prepare agent credentials.');
+      // 1) GET metadata + masked fingerprint.
+      const metaRes = await fetch('/api/ai/connect-info');
+      const metaData = await metaRes.json().catch(() => ({}));
+      if (!metaRes.ok || metaData?.ok === false) {
+        throw new Error(metaData?.detail || 'Could not prepare agent credentials.');
+      }
+      setAgentTier(metaData.access_tier === 'full' ? 'full' : 'restricted');
+
+      // 2) Mint the secret if it isn't set yet — transparent, idempotent.
+      let secretSet = !!metaData.hmac_secret_set;
+      if (!secretSet) {
+        const bootRes = await fetch('/api/ai/connect-info/bootstrap', {
+          method: 'POST',
+        });
+        const bootData = await bootRes.json().catch(() => ({}));
+        if (!bootRes.ok || bootData?.ok === false) {
+          throw new Error(bootData?.detail || 'Could not generate agent credentials.');
+        }
+        secretSet = !!bootData.hmac_secret_set;
+      }
+
+      // 3) If the caller asked to see the secret, fetch it explicitly.
+      //    Otherwise the masked fingerprint is enough for the UI.
+      if (reveal && secretSet) {
+        const revealRes = await fetch('/api/ai/connect-info/reveal', {
+          method: 'POST',
+        });
+        const revealData = await revealRes.json().catch(() => ({}));
+        if (!revealRes.ok || revealData?.ok === false) {
+          throw new Error(revealData?.detail || 'Could not reveal agent credentials.');
+        }
+        setAgentSecret(revealData.hmac_secret || '');
+      } else {
+        setAgentSecret(metaData.masked_hmac_secret || '');
       }
-      setAgentSecret(data.hmac_secret || '');
-      setAgentTier(data.access_tier === 'full' ? 'full' : 'restricted');
       setAgentMsg({ type: 'ok', text: 'Agent key is ready. Copy it into your local or remote agent runtime.' });
     } catch (error) {
       setAgentMsg({

frontend/src/components/SettingsPanel.tsx

@@ -74,17 +74,18 @@ import {
   Trash2,
   RotateCcw,
   Satellite,
-  Eye,
-  EyeOff,
   Copy,
   Check,
   Radar,
 } from 'lucide-react';
 import {
-  clearSentinelCredentials,
-  getSentinelCredentialStorageMode,
-  getSentinelCredentials,
-  setSentinelCredentials,
+  // Issue #298: Sentinel credentials now live server-side. The legacy
+  // browser-storage helpers (getSentinelCredentials / setSentinelCredentials
+  // / clearSentinelCredentials / getSentinelCredentialStorageMode) have
+  // been removed from sentinelHub.ts. We use the new status check + the
+  // one-time migration helper instead.
+  checkBackendSentinelStatus,
+  migrateLegacySentinelBrowserKeys,
 } from '@/lib/sentinelHub';
 import {
   getPrivacyProfilePreference,
@@ -143,10 +144,14 @@ const WEIGHT_COLORS: Record<number, string> = {
 const SETTINGS_FOCUS_KEY = 'sb_settings_focus';
 const WORMHOLE_RETURN_KEY = 'sb_wormhole_return_target';
 const WORMHOLE_READY_EVENT = 'sb:wormhole-ready';
+// Issue #298 (tg12): Sentinel credentials moved from browser storage to
+// the backend ``.env`` (managed through the API Keys panel). The legacy
+// keys (``sb_sentinel_client_id`` / ``sb_sentinel_client_secret`` /
+// ``sb_sentinel_instance_id``) are no longer treated as sensitive
+// browser state because they are no longer written. ``SentinelTab``
+// runs ``migrateLegacySentinelBrowserKeys()`` once on mount to clear
+// any leftover values from pre-#298 installs.
 const PRIVACY_SENSITIVE_BROWSER_KEYS = [
-  'sb_sentinel_client_id',
-  'sb_sentinel_client_secret',
-  'sb_sentinel_instance_id',
   'sb_infonet_head',
   'sb_infonet_head_history',
   'sb_infonet_peers',
@@ -2615,7 +2620,9 @@ const SettingsPanel = React.memo(function SettingsPanel({
             )}
 
             {/* ==================== SENTINEL HUB TAB ==================== */}
-            {activeTab === 'sentinel' && <SentinelTab />}
+            {activeTab === 'sentinel' && (
+              <SentinelTab onGoToApiKeys={() => setActiveTab('api-keys')} />
+            )}
             {activeTab === 'sar' && <SarSettingsTab />}
           </motion.div>
         </>
@@ -2625,63 +2632,58 @@ const SettingsPanel = React.memo(function SettingsPanel({
 });
 
 // ─── Sentinel Hub Settings Tab ─────────────────────────────────────────────
-function SentinelTab() {
-  const [clientId, setClientId] = useState(() => getSentinelCredentials().clientId);
-  const [clientSecret, setClientSecret] = useState(() => getSentinelCredentials().clientSecret);
-  const [testing, setTesting] = useState(false);
-  const [status, setStatus] = useState<{ ok: boolean; msg: string } | null>(null);
-  const [dirty, setDirty] = useState(false);
-  const [showSecret, setShowSecret] = useState(false);
-  const storageMode = getSentinelCredentialStorageMode();
+// Issue #298 (tg12): Sentinel credentials now live in the backend ``.env``
+// and are managed through the existing API Keys panel — same flow as every
+// other third-party API key (OpenSky, AIS Stream, Finnhub, …). This tab no
+// longer collects credentials. It does three things:
+//   1. Runs migrateLegacySentinelBrowserKeys() once to wipe pre-#298
+//      values out of localStorage / sessionStorage.
+//   2. Shows the operator whether the backend has the credentials.
+//   3. Offers a one-click jump to the API Keys panel where they enter them.
+function SentinelTab({ onGoToApiKeys }: { onGoToApiKeys: () => void }) {
+  const [backendConfigured, setBackendConfigured] = useState<boolean | null>(null);
+  const [migrationResult, setMigrationResult] = useState<{ cleared: string[] } | null>(null);
+  const [refreshing, setRefreshing] = useState(false);
 
-  const save = () => {
-    setSentinelCredentials(clientId.trim(), clientSecret.trim());
-    setDirty(false);
-    setStatus({
-      ok: true,
-      msg: `Credentials saved to browser ${storageMode === 'session' ? 'session' : 'local'} storage.`,
-    });
-  };
+  useEffect(() => {
+    // One-time legacy browser-key wipe. Idempotent — does nothing on a
+    // fresh install. We do NOT silently POST any browser-stored values
+    // to the backend; operators who relied on them re-enter once in the
+    // API Keys panel. Doing the wipe regardless ensures pre-#298 secrets
+    // don't linger in localStorage indefinitely.
+    setMigrationResult(migrateLegacySentinelBrowserKeys());
 
-  const testConnection = async () => {
-    setTesting(true);
-    setStatus(null);
+    // Check whether the backend has SENTINEL_CLIENT_ID/SECRET set.
+    void checkBackendSentinelStatus().then(setBackendConfigured);
+  }, []);
+
+  const refresh = async () => {
+    setRefreshing(true);
     try {
-      const resp = await fetch(`${API_BASE}/api/sentinel/token`, {
-        method: 'POST',
-        headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
-        body: new URLSearchParams({
-          client_id: clientId.trim(),
-          client_secret: clientSecret.trim(),
-        }),
-      });
-      if (resp.ok) {
-        setStatus({ ok: true, msg: 'Connected — token acquired successfully.' });
-      } else {
-        const text = await resp.text().catch(() => '');
-        setStatus({ ok: false, msg: `Auth failed (${resp.status}): ${text.slice(0, 120)}` });
-      }
-    } catch (err) {
-      const msg =
-        typeof err === 'object' && err !== null && 'message' in err
-          ? String((err as { message?: string }).message)
-          : 'unknown';
-      setStatus({ ok: false, msg: `Network error: ${msg}` });
+      // refreshSentinelStatus() invalidates the module-level cache so the
+      // next check actually hits the backend instead of returning the
+      // memoized value. Lazy-imported so SSR/tests don't choke.
+      const { refreshSentinelStatus } = await import('@/lib/sentinelHub');
+      refreshSentinelStatus();
+      const ok = await checkBackendSentinelStatus();
+      setBackendConfigured(ok);
     } finally {
-      setTesting(false);
+      setRefreshing(false);
     }
   };
 
-  const clear = () => {
-    clearSentinelCredentials();
-    setClientId('');
-    setClientSecret('');
-    setDirty(false);
-    setStatus({ ok: true, msg: 'Credentials cleared.' });
-  };
-
-  const inputCls =
-    'w-full bg-[var(--bg-primary)]/60 border border-[var(--border-primary)] px-3 py-2 text-[11px] font-mono text-[var(--text-secondary)] outline-none focus:border-purple-500 placeholder:text-[var(--text-muted)]/50 transition-colors';
+  const statusColor =
+    backendConfigured === null
+      ? 'text-[var(--text-muted)]'
+      : backendConfigured
+      ? 'text-green-400'
+      : 'text-yellow-400';
+  const statusLabel =
+    backendConfigured === null
+      ? 'CHECKING…'
+      : backendConfigured
+      ? 'CONFIGURED ON BACKEND'
+      : 'NOT CONFIGURED';
 
   return (
     <div className="flex-1 flex flex-col overflow-y-auto styled-scrollbar">
@@ -2733,106 +2735,73 @@ function SentinelTab() {
               </p>
               <p>
                 <span className="text-purple-400 font-bold">STEP 3:</span>{' '}
-                Paste both values in the fields below, hit{' '}
-                <span className="text-cyan-400">SAVE</span>, then{' '}
-                <span className="text-cyan-400">TEST CONNECTION</span> to verify.
-                That&apos;s it!
+                Paste both values into the <span className="text-cyan-400">API Keys</span> panel
+                under <span className="text-white">SENTINEL_CLIENT_ID</span> and{' '}
+                <span className="text-white">SENTINEL_CLIENT_SECRET</span>, then hit Save.
+                The backend uses them to mint short-lived tokens — your browser never sees
+                the secret again.
               </p>
             </div>
           </div>
         </div>
       </div>
 
-      {/* Credential Inputs */}
-      <div className="p-4 space-y-3">
-        <div>
-          <label className="text-[13px] font-mono text-[var(--text-muted)] tracking-widest mb-1 block">
-            CLIENT ID
-          </label>
-          <input
-            type="text"
-            value={clientId}
-            onChange={(e) => {
-              setClientId(e.target.value);
-              setDirty(true);
-            }}
-            placeholder="sh-xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
-            spellCheck={false}
-            autoComplete="off"
-            className={inputCls}
-          />
+      {/* Backend status */}
+      <div className="mx-4 mt-3 p-3 border border-[var(--border-primary)] bg-[var(--bg-primary)]/30">
+        <div className="flex items-center justify-between mb-2">
+          <span className="text-[13px] font-mono text-[var(--text-muted)] tracking-widest">
+            BACKEND STATUS
+          </span>
+          <span className={`text-[11px] font-mono font-bold ${statusColor}`}>
+            {statusLabel}
+          </span>
         </div>
-        <div>
-          <label className="text-[13px] font-mono text-[var(--text-muted)] tracking-widest mb-1 block">
-            CLIENT SECRET
-          </label>
-          <input
-            type={showSecret ? 'text' : 'password'}
-            value={clientSecret}
-            onChange={(e) => {
-              setClientSecret(e.target.value);
-              setDirty(true);
-            }}
-            placeholder="Paste client secret here..."
-            spellCheck={false}
-            autoComplete="new-password"
-            className={inputCls}
-          />
+        <p className="text-[13px] text-[var(--text-muted)] font-mono leading-relaxed">
+          {backendConfigured === false
+            ? 'Sentinel credentials are not yet set in the backend .env. Open the API Keys panel to enter them — the tile overlay and Sentinel-2 Intel Card will work as soon as both fields are saved.'
+            : backendConfigured === true
+            ? 'Sentinel credentials are configured on the backend. The dashboard fetches tokens automatically; your browser does not handle the secret.'
+            : 'Checking backend configuration…'}
+        </p>
+        <div className="mt-3 flex items-center gap-2">
           <button
-            type="button"
-            onClick={() => setShowSecret((current) => !current)}
-            className="mt-2 inline-flex items-center gap-1.5 text-[13px] font-mono text-[var(--text-muted)] hover:text-[var(--text-secondary)] transition-colors"
+            onClick={onGoToApiKeys}
+            className="flex-1 px-4 py-2 bg-purple-500/20 border border-purple-500/40 text-purple-400 hover:bg-purple-500/30 transition-colors text-sm font-mono flex items-center justify-center gap-1.5"
           >
-            {showSecret ? <EyeOff size={10} /> : <Eye size={10} />}
-            {showSecret ? 'HIDE SECRET' : 'SHOW SECRET'}
+            OPEN API KEYS PANEL
+          </button>
+          <button
+            onClick={refresh}
+            disabled={refreshing}
+            className="px-3 py-2 border border-[var(--border-primary)] text-[var(--text-muted)] hover:text-cyan-400 hover:border-cyan-500/50 transition-all text-sm font-mono disabled:opacity-40"
+            title="Re-check backend status"
+          >
+            {refreshing ? 'CHECKING…' : 'REFRESH'}
           </button>
         </div>
       </div>
 
-      {/* Status */}
-      {status && (
-        <div
-          className={`mx-4 mb-2 px-3 py-2 text-sm font-mono ${status.ok ? 'text-green-400 bg-green-950/20 border border-green-900/30' : 'text-red-400 bg-red-950/20 border border-red-900/30'}`}
-        >
-          {status.msg}
+      {/* Migration notice (only if we actually cleared anything) */}
+      {migrationResult && migrationResult.cleared.length > 0 && (
+        <div className="mx-4 mt-3 px-3 py-2 text-sm font-mono text-cyan-400 bg-cyan-950/20 border border-cyan-900/30">
+          <p className="font-bold mb-1">LEGACY BROWSER CREDENTIALS CLEARED</p>
+          <p className="text-[13px] leading-relaxed text-[var(--text-muted)]">
+            Found and removed pre-#298 Sentinel credentials from browser storage
+            ({migrationResult.cleared.join(', ')}). Re-enter them in the API Keys panel
+            above; they&apos;ll be stored server-side from now on and never sent back to
+            the browser.
+          </p>
         </div>
       )}
 
-      {/* Actions */}
+      {/* Footer + Usage Meter */}
       <div className="p-4 border-t border-[var(--border-primary)]/80 mt-auto">
-        <div className="flex items-center gap-2">
-          <button
-            onClick={save}
-            disabled={!dirty}
-            className="flex-1 px-4 py-2 bg-purple-500/20 border border-purple-500/40 text-purple-400 hover:bg-purple-500/30 transition-colors text-sm font-mono flex items-center justify-center gap-1.5 disabled:opacity-30 disabled:cursor-not-allowed"
-          >
-            <Save size={10} />
-            SAVE
-          </button>
-          <button
-            onClick={testConnection}
-            disabled={testing || !clientId || !clientSecret}
-            className="flex-1 px-4 py-2 bg-cyan-500/20 border border-cyan-500/40 text-cyan-400 hover:bg-cyan-500/30 transition-colors text-sm font-mono flex items-center justify-center gap-1.5 disabled:opacity-30 disabled:cursor-not-allowed"
-          >
-            {testing ? 'TESTING...' : 'TEST CONNECTION'}
-          </button>
-          <button
-            onClick={clear}
-            className="px-3 py-2 border border-[var(--border-primary)] text-[var(--text-muted)] hover:text-red-400 hover:border-red-500/50 hover:bg-red-950/10 transition-all text-sm font-mono flex items-center gap-1.5"
-            title="Clear credentials"
-          >
-            <Trash2 size={10} />
-          </button>
-        </div>
-        {/* Usage Meter */}
         <UsageMeter />
-
         <div className="mt-2 p-2 border border-[var(--border-primary)]/40 bg-[var(--bg-primary)]/30">
           <p className="text-[13px] text-[var(--text-muted)] font-mono leading-relaxed">
-            Credentials stay in browser-only storage and never touch ShadowBroker servers.
-            {storageMode === 'session'
-              ? ' Current privacy mode keeps them in session storage only.'
-              : ' Current privacy mode keeps them in local storage for persistence.'}
+            Credentials are stored in the backend <span className="text-cyan-400">.env</span>{' '}
+            and never sent to the browser. The tile proxy mints short-lived OAuth tokens
+            on demand using those values.
           </p>
         </div>
       </div>

frontend/src/lib/sentinelHub.ts

@@ -1,77 +1,137 @@
 /**
- * Sentinel Hub (Copernicus CDSE) — client-side token management & Process API tile fetcher.
+ * Sentinel Hub (Copernicus CDSE) — client-side token + Process API tile fetcher.
  *
- * Credentials are stored in browser-controlled storage only. In privacy/session
- * mode they stay session-scoped; otherwise they persist in local storage. Token
- * exchange is proxied through the ShadowBroker backend (/api/sentinel/token) to
- * avoid CORS blocks from the Copernicus identity provider. Credentials are
- * forwarded, never stored server-side.
+ * Issue #298 (tg12): Credentials are now stored server-side in the backend
+ * ``.env`` (managed through the existing ``/api/settings/api-keys`` flow,
+ * same as every other third-party API key). The browser no longer holds
+ * ``client_id`` / ``client_secret`` in localStorage or sessionStorage and
+ * no longer forwards them in proxy requests.
  *
- * Uses the Process API with inline evalscripts — no Instance ID / Configuration needed.
+ * Old browser-storage keys (``sb_sentinel_client_id`` / ``sb_sentinel_client_secret``
+ * / ``sb_sentinel_instance_id``) are migrated out by ``SettingsPanel`` on
+ * first mount after the upgrade — see ``migrateLegacySentinelBrowserKeys()``
+ * exported below.
  */
 
 import { API_BASE } from '@/lib/api';
-import {
-  getSensitiveBrowserItem,
-  getSensitiveBrowserStorageMode,
-  removeSensitiveBrowserItem,
-  setSensitiveBrowserItem,
-} from '@/lib/privacyBrowserStorage';
 
-// Token exchange proxied through our backend (Copernicus blocks browser CORS)
+// Token exchange proxied through our backend (Copernicus blocks browser CORS).
 const TOKEN_PROXY_URL = `${API_BASE}/api/sentinel/token`;
 
-// browser-storage keys
-const LS_CLIENT_ID = 'sb_sentinel_client_id';
-const LS_CLIENT_SECRET = 'sb_sentinel_client_secret';
-
 // In-memory token cache (never persisted)
 let cachedToken: string | null = null;
 let tokenExpiry = 0;
 // Dedup: only one in-flight token request at a time
 let _tokenPromise: Promise<string | null> | null = null;
 
-// ─── Credential helpers ────────────────────────────────────────────────────
+// In-memory cache of "does the backend have Sentinel credentials configured?"
+// so the rest of the UI can short-circuit tile load attempts without a server
+// round-trip per tile. Refreshed by callers via `refreshSentinelStatus()`.
+let _backendCredentialsConfigured: boolean | null = null;
+let _backendStatusPromise: Promise<boolean> | null = null;
 
-export function getSentinelCredentials(): {
-  clientId: string;
-  clientSecret: string;
-} {
-  if (typeof window === 'undefined') return { clientId: '', clientSecret: '' };
-  return {
-    clientId: getSensitiveBrowserItem(LS_CLIENT_ID) || '',
-    clientSecret: getSensitiveBrowserItem(LS_CLIENT_SECRET) || '',
-  };
+// ─── Credential status (server-side) ───────────────────────────────────────
+
+/**
+ * Ask the backend whether Sentinel credentials are configured in ``.env``.
+ * Caches the result in memory; call ``refreshSentinelStatus()`` after the
+ * operator saves new API keys in the settings panel.
+ *
+ * Returns ``false`` on network errors so the UI fails safely (no broken
+ * tile requests). Never returns the secret itself — that stays server-side.
+ */
+export async function checkBackendSentinelStatus(): Promise<boolean> {
+  if (_backendCredentialsConfigured !== null) return _backendCredentialsConfigured;
+  if (_backendStatusPromise) return _backendStatusPromise;
+
+  _backendStatusPromise = (async () => {
+    try {
+      const resp = await fetch(`${API_BASE}/api/settings/api-keys`, {
+        headers: { Accept: 'application/json' },
+      });
+      if (!resp.ok) return false;
+      const list = await resp.json();
+      // /api/settings/api-keys returns an array of { id, env_key, is_set, ... }
+      const ids = new Set(['sentinel_client_id', 'sentinel_client_secret']);
+      const configured = Array.isArray(list)
+        && list.filter((row: { id?: string; is_set?: boolean }) =>
+              row && row.id && ids.has(row.id) && row.is_set === true,
+           ).length === 2;
+      _backendCredentialsConfigured = configured;
+      return configured;
+    } catch {
+      _backendCredentialsConfigured = false;
+      return false;
+    } finally {
+      _backendStatusPromise = null;
+    }
+  })();
+
+  return _backendStatusPromise;
 }
 
-export function setSentinelCredentials(clientId: string, clientSecret: string): void {
-  setSensitiveBrowserItem(LS_CLIENT_ID, clientId);
-  setSensitiveBrowserItem(LS_CLIENT_SECRET, clientSecret);
-  // Invalidate cached token when credentials change
+/** Invalidate the cached status — call this after the API Keys panel saves. */
+export function refreshSentinelStatus(): void {
+  _backendCredentialsConfigured = null;
+  // Drop any cached token too — credentials may have changed.
   cachedToken = null;
   tokenExpiry = 0;
 }
 
-export function clearSentinelCredentials(): void {
-  removeSensitiveBrowserItem(LS_CLIENT_ID);
-  removeSensitiveBrowserItem(LS_CLIENT_SECRET);
-  // Also remove legacy instance ID if present
-  removeSensitiveBrowserItem('sb_sentinel_instance_id');
-  if (typeof window !== 'undefined') {
-    localStorage.removeItem('sb_sentinel_instance_id');
-    sessionStorage.removeItem('sb_sentinel_instance_id');
-  }
-  cachedToken = null;
-  tokenExpiry = 0;
-}
-
-export function getSentinelCredentialStorageMode(): 'local' | 'session' {
-  return getSensitiveBrowserStorageMode();
+/**
+ * Synchronous getter — returns the last known status without a network call.
+ * Returns ``null`` until ``checkBackendSentinelStatus()`` has run at least once.
+ */
+export function getCachedSentinelStatus(): boolean | null {
+  return _backendCredentialsConfigured;
 }
 
+/**
+ * Back-compat shim. Pre-#298 callers asked ``hasSentinelCredentials()`` to
+ * decide whether to render the Sentinel layer / open the API key prompt.
+ * The credential now lives server-side, so this is just the cached
+ * server-status check. Returns ``false`` until the first
+ * ``checkBackendSentinelStatus()`` resolves (callers should kick that off
+ * once at app startup — see ``page.tsx`` mount effect).
+ */
 export function hasSentinelCredentials(): boolean {
-  const { clientId, clientSecret } = getSentinelCredentials();
-  return Boolean(clientId && clientSecret);
+  return _backendCredentialsConfigured === true;
+}
+
+/**
+ * One-time migration helper: clear the legacy browser-storage keys that
+ * pre-#298 versions used to persist Sentinel credentials. Idempotent and
+ * safe to call on every page load — does nothing if no keys are present.
+ *
+ * Called by ``SettingsPanel`` on mount. We do NOT auto-POST the legacy
+ * browser values to the backend, because doing so would silently migrate
+ * a secret across a trust boundary without operator consent. Operators
+ * who relied on browser-stored credentials will re-enter them once in
+ * the API Keys panel, and the legacy keys get wiped here.
+ */
+export function migrateLegacySentinelBrowserKeys(): { cleared: string[] } {
+  if (typeof window === 'undefined') return { cleared: [] };
+  const legacy = [
+    'sb_sentinel_client_id',
+    'sb_sentinel_client_secret',
+    'sb_sentinel_instance_id',
+  ];
+  const cleared: string[] = [];
+  for (const key of legacy) {
+    try {
+      if (window.localStorage?.getItem(key) !== null) {
+        window.localStorage.removeItem(key);
+        cleared.push(key);
+      }
+    } catch { /* ignore quota / privacy mode errors */ }
+    try {
+      if (window.sessionStorage?.getItem(key) !== null) {
+        window.sessionStorage.removeItem(key);
+        if (!cleared.includes(key)) cleared.push(key);
+      }
+    } catch { /* ignore */ }
+  }
+  return { cleared };
 }
 
 // ─── OAuth2 token ──────────────────────────────────────────────────────────
@@ -79,14 +139,16 @@ export function hasSentinelCredentials(): boolean {
 /**
  * Fetch an OAuth2 access token using the client_credentials grant.
  * Caches in memory; auto-refreshes 30 s before expiry.
+ *
+ * The request body NO LONGER carries client_id/secret — the backend
+ * resolves credentials from its ``.env`` via the API Keys flow. The
+ * server-side proxy still accepts body credentials for legacy callers,
+ * but the dashboard does not supply them.
  */
 export function getSentinelToken(): Promise<string | null> {
   // Return cached token if still valid (with 30 s margin)
   if (cachedToken && Date.now() < tokenExpiry - 30_000) return Promise.resolve(cachedToken);
 
-  const { clientId, clientSecret } = getSentinelCredentials();
-  if (!clientId || !clientSecret) return Promise.resolve(null);
-
   // Dedup: reuse in-flight request so 20 tiles don't each trigger a token fetch
   if (_tokenPromise) return _tokenPromise;
 
@@ -94,11 +156,9 @@ export function getSentinelToken(): Promise<string | null> {
     try {
       const resp = await fetch(TOKEN_PROXY_URL, {
         method: 'POST',
+        // Backend resolves credentials from env. Empty body = "use server-side".
         headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
-        body: new URLSearchParams({
-          client_id: clientId,
-          client_secret: clientSecret,
-        }),
+        body: new URLSearchParams({}),
       });
 
       if (!resp.ok) {
@@ -131,6 +191,8 @@ const TILE_PROXY_URL = `${API_BASE}/api/sentinel/tile`;
 /**
  * Fetch a single 256×256 tile via backend proxy to Sentinel Hub Process API.
  * Returns a PNG ArrayBuffer or null on failure.
+ *
+ * Body no longer carries client_id/secret — the backend uses .env values.
  */
 export async function fetchSentinelTile(
   z: number,
@@ -139,21 +201,10 @@ export async function fetchSentinelTile(
   preset: string,
   date: string,
 ): Promise<ArrayBuffer | null> {
-  const { clientId, clientSecret } = getSentinelCredentials();
-  if (!clientId || !clientSecret) return null;
-
   const resp = await fetch(TILE_PROXY_URL, {
     method: 'POST',
     headers: { 'Content-Type': 'application/json' },
-    body: JSON.stringify({
-      client_id: clientId,
-      client_secret: clientSecret,
-      preset,
-      date,
-      z,
-      x,
-      y,
-    }),
+    body: JSON.stringify({ preset, date, z, x, y }),
   });
 
   if (!resp.ok) return null;