'use client'; import { API_BASE } from '@/lib/api'; import { clearAdminSession, hasAdminSession, primeAdminSession } from '@/lib/adminSession'; import { controlPlaneFetch, controlPlaneJson } from '@/lib/controlPlane'; import { fetchPrivacyProfileSnapshot, fetchRnsStatusSnapshot, invalidatePrivacyProfileCache, invalidateRnsStatusCache, } from '@/mesh/controlPlaneStatusClient'; import { clearBrowserIdentityState, purgeBrowserContactGraph, purgeBrowserSigningMaterial, setSecureModeCached, } from '@/mesh/meshIdentity'; import { purgeBrowserDmState } from '@/mesh/meshDmWorkerClient'; import { connectWormhole, disconnectWormhole, fetchWormholeSettings, fetchWormholeState, invalidateWormholeRuntimeCache, joinWormhole, restartWormhole, type WormholeState, } from '@/mesh/wormholeClient'; import { fetchWormholeIdentity } from '@/mesh/wormholeIdentityClient'; import React, { useState, useEffect, useCallback } from 'react'; import { motion, AnimatePresence } from 'framer-motion'; import { Settings, ExternalLink, Key, Shield, X, Save, ChevronDown, ChevronUp, Rss, Plus, Trash2, RotateCcw, Satellite, Eye, EyeOff, Copy, Check, } from 'lucide-react'; import { clearSentinelCredentials, getSentinelCredentialStorageMode, getSentinelCredentials, setSentinelCredentials, } from '@/lib/sentinelHub'; import { getPrivacyProfilePreference, getPrivacyStrictPreference, getSessionModePreference, migrateSensitiveBrowserItems, setPrivacyProfilePreference, setPrivacyStrictPreference, setSessionModePreference, } from '@/lib/privacyBrowserStorage'; interface ApiEntry { id: string; name: string; description: string; category: string; url: string | null; required: boolean; has_key: boolean; env_key: string | null; value_obfuscated: string | null; is_set: boolean; } interface FeedEntry { name: string; url: string; weight: number; } const WEIGHT_LABELS: Record = { 1: 'LOW', 2: 'MED', 3: 'STD', 4: 'HIGH', 5: 'CRIT', }; const WEIGHT_COLORS: Record = { 1: 'text-gray-400 border-gray-600', 2: 'text-blue-400 border-blue-600', 3: 'text-cyan-400 border-cyan-600', 4: 'text-orange-400 border-orange-600', 5: 'text-red-400 border-red-600', }; const SETTINGS_FOCUS_KEY = 'sb_settings_focus'; const WORMHOLE_RETURN_KEY = 'sb_wormhole_return_target'; const WORMHOLE_READY_EVENT = 'sb:wormhole-ready'; const PRIVACY_SENSITIVE_BROWSER_KEYS = [ 'sb_sentinel_client_id', 'sb_sentinel_client_secret', 'sb_sentinel_instance_id', 'sb_infonet_head', 'sb_infonet_head_history', 'sb_infonet_peers', ] as const; async function applySecureModeBoundary(enabled: boolean): Promise { setSecureModeCached(enabled); if (!enabled) return; purgeBrowserSigningMaterial(); purgeBrowserContactGraph(); await purgeBrowserDmState(); } function migratePrivacySensitiveBrowserState(): void { migrateSensitiveBrowserItems([...PRIVACY_SENSITIVE_BROWSER_KEYS]); } const MAX_FEEDS = 50; // Category colors for the tactical UI const CATEGORY_COLORS: Record = { Aviation: 'text-cyan-400 border-cyan-500/30 bg-cyan-950/20', Maritime: 'text-blue-400 border-blue-500/30 bg-blue-950/20', Geophysical: 'text-orange-400 border-orange-500/30 bg-orange-950/20', Space: 'text-purple-400 border-purple-500/30 bg-purple-950/20', Intelligence: 'text-red-400 border-red-500/30 bg-red-950/20', Geolocation: 'text-green-400 border-green-500/30 bg-green-950/20', Weather: 'text-yellow-400 border-yellow-500/30 bg-yellow-950/20', Markets: 'text-emerald-400 border-emerald-500/30 bg-emerald-950/20', SIGINT: 'text-rose-400 border-rose-500/30 bg-rose-950/20', Reconnaissance: 'text-green-400 border-green-500/30 bg-green-950/20', }; type Tab = 'api-keys' | 'news-feeds' | 'sentinel' | 'protocol'; const SettingsPanel = React.memo(function SettingsPanel({ isOpen, onClose, }: { isOpen: boolean; onClose: () => void; }) { const [activeTab, setActiveTab] = useState('api-keys'); // --- Admin Key (for protected endpoints) --- const [adminKey, setAdminKey] = useState(''); const [adminSessionReady, setAdminSessionReady] = useState(false); const [adminSessionBusy, setAdminSessionBusy] = useState(false); const [adminSessionMsg, setAdminSessionMsg] = useState(null); const [, setStrictPrivacy] = useState(() => getPrivacyStrictPreference()); const [privacyProfile, setPrivacyProfile] = useState(() => getPrivacyProfilePreference()); const [sessionMode, setSessionMode] = useState(() => getSessionModePreference()); const [browserWipeBusy, setBrowserWipeBusy] = useState(false); const [browserWipeMsg, setBrowserWipeMsg] = useState<{ type: 'ok' | 'err'; text: string } | null>( null, ); const [wormholeEnabled, setWormholeEnabled] = useState(false); const [wormholeSaving, setWormholeSaving] = useState(false); const [wormholeMsg, setWormholeMsg] = useState<{ type: 'ok' | 'err'; text: string } | null>( null, ); const [wormholeTransport, setWormholeTransport] = useState('direct'); const [wormholeSocksProxy, setWormholeSocksProxy] = useState(''); const [wormholeSocksDns, setWormholeSocksDns] = useState(true); const [wormholeAnonymousMode, setWormholeAnonymousMode] = useState(false); const [wormholeDirty, setWormholeDirty] = useState(false); const [wormholeStatus, setWormholeStatus] = useState(null); const [wormholeGuideNotice, setWormholeGuideNotice] = useState(null); const [showAdvancedWormhole, setShowAdvancedWormhole] = useState(false); const [wormholeQuickState, setWormholeQuickState] = useState<'idle' | 'ready' | 'connecting' | 'active'>('idle'); const [showOperatorTools, setShowOperatorTools] = useState(false); const [wormholeNodeId, setWormholeNodeId] = useState(null); const [wormholeKeyCopied, setWormholeKeyCopied] = useState(false); const clearSessionIdentity = () => { if (typeof window === 'undefined') return; const keys = [ 'sb_mesh_pubkey', 'sb_mesh_privkey', 'sb_mesh_node_id', 'sb_mesh_sovereignty_accepted', 'sb_mesh_dh_pubkey', 'sb_mesh_dh_privkey', 'sb_mesh_dh_algo', 'sb_mesh_dh_last_ts', 'sb_mesh_contacts', 'sb_mesh_dm_notify', 'sb_mesh_sequence', 'sb_mesh_algo', ]; for (const key of keys) { try { sessionStorage.removeItem(key); } catch { /* ignore */ } } }; const [rnsStatus, setRnsStatus] = useState<{ enabled: boolean; ready: boolean; configured_peers: number; active_peers: number; } | null>(null); const wipeLocalMeshTraces = useCallback(async () => { setBrowserWipeBusy(true); setBrowserWipeMsg(null); try { await clearBrowserIdentityState(); await purgeBrowserDmState(); for (const key of PRIVACY_SENSITIVE_BROWSER_KEYS) { try { localStorage.removeItem(key); sessionStorage.removeItem(key); } catch { /* ignore */ } } setSessionModePreference(true); setSessionMode(true); setBrowserWipeMsg({ type: 'ok', text: wormholeEnabled ? 'Browser-held mesh traces cleared. The local Wormhole agent stays running, but this tab will need to reconnect to it.' : 'Browser-held mesh traces cleared from this browser.', }); } catch (error) { const message = error instanceof Error ? error.message : 'unknown error'; setBrowserWipeMsg({ type: 'err', text: `Could not clear browser-held mesh traces: ${message}`, }); } finally { setBrowserWipeBusy(false); } }, [wormholeEnabled]); const refreshAdminSession = useCallback(async () => { const ready = await hasAdminSession(); setAdminSessionReady(ready); if (!ready) { setAdminSessionMsg((prev) => (prev === 'LOCAL SESSION PRIMED' ? null : prev)); } return ready; }, []); useEffect(() => { if (activeTab !== 'protocol') { setShowOperatorTools(true); } }, [activeTab]); const ensureAdminSession = useCallback(async () => { try { await primeAdminSession(adminKey.trim() || undefined); setAdminSessionReady(true); if (adminKey.trim()) { setAdminKey(''); setAdminSessionMsg('LOCAL SESSION PRIMED'); } else { setAdminSessionMsg(null); } } catch (e) { const ready = await refreshAdminSession(); setAdminSessionReady(ready); const message = e instanceof Error && e.message === 'admin_session_required' ? 'ADMIN SESSION REQUIRED' : e instanceof Error ? e.message : 'ADMIN SESSION FAILED'; setAdminSessionMsg(message); throw e; } }, [adminKey, refreshAdminSession]); // --- API Keys state --- const [apis, setApis] = useState([]); const [editingId, setEditingId] = useState(null); const [editValue, setEditValue] = useState(''); const [saving, setSaving] = useState(false); const [expandedCategories, setExpandedCategories] = useState>( new Set(['Aviation', 'Maritime']), ); // --- News Feeds state --- const [feeds, setFeeds] = useState([]); const [feedsDirty, setFeedsDirty] = useState(false); const [feedSaving, setFeedSaving] = useState(false); const [feedMsg, setFeedMsg] = useState<{ type: 'ok' | 'err'; text: string } | null>(null); const handleProtectedSettingsError = useCallback( async (error: unknown) => { const message = error instanceof Error ? error.message : 'Protected settings request failed'; if ( message === 'Forbidden — admin key not configured' || message === 'Forbidden — invalid or missing admin key' ) { await clearAdminSession(); setAdminSessionReady(false); setAdminSessionMsg( message === 'Forbidden — admin key not configured' ? 'BACKEND ADMIN KEY NOT CONFIGURED' : 'ADMIN KEY INVALID OR EXPIRED', ); setApis([]); setFeeds([]); setFeedsDirty(false); } return message; }, [], ); const fetchKeys = useCallback(async () => { try { setApis(await controlPlaneJson('/api/settings/api-keys')); return true; } catch (e) { await handleProtectedSettingsError(e); return false; } }, [handleProtectedSettingsError]); const fetchFeeds = useCallback(async () => { try { setFeeds(await controlPlaneJson('/api/settings/news-feeds')); setFeedsDirty(false); return true; } catch (e) { await handleProtectedSettingsError(e); return false; } }, [handleProtectedSettingsError]); const fetchWormhole = useCallback(async () => { try { const data = await fetchWormholeSettings(true); setWormholeEnabled(Boolean(data?.enabled)); await applySecureModeBoundary(Boolean(data?.enabled)); setWormholeTransport(String(data?.transport || 'direct')); setWormholeSocksProxy(String(data?.socks_proxy || '')); setWormholeSocksDns(Boolean(data?.socks_dns ?? true)); setWormholeAnonymousMode(Boolean(data?.anonymous_mode)); setWormholeDirty(false); } catch (e) { console.error('Failed to fetch wormhole settings', e); } }, []); const fetchPrivacyProfile = useCallback(async () => { try { const data = await fetchPrivacyProfileSnapshot(true); const profile = String(data?.profile || 'default'); setPrivacyProfile(profile); if (typeof data?.wormhole_enabled === 'boolean') { setWormholeEnabled(Boolean(data.wormhole_enabled)); await applySecureModeBoundary(Boolean(data.wormhole_enabled)); } const high = profile === 'high'; setStrictPrivacy(high); const nextSessionMode = high || getSessionModePreference(); setSessionMode(nextSessionMode); setSessionModePreference(nextSessionMode); setPrivacyStrictPreference(high, { sessionMode: nextSessionMode }); setPrivacyProfilePreference(profile, { sessionMode: nextSessionMode }); migratePrivacySensitiveBrowserState(); } catch (e) { console.error('Failed to fetch privacy profile', e); } }, []); const fetchRnsStatus = useCallback(async () => { try { setRnsStatus(await fetchRnsStatusSnapshot(true)); } catch (e) { console.error('Failed to fetch RNS status', e); } }, []); const fetchWormholeStatus = useCallback(async () => { try { const state = await fetchWormholeState(true); setWormholeStatus(state); if (state.ready && !wormholeNodeId) { try { const id = await fetchWormholeIdentity(); if (id?.node_id) setWormholeNodeId(id.node_id); } catch { /* identity fetch is best-effort */ } } } catch (e) { console.error('Failed to fetch wormhole status', e); } }, [wormholeNodeId]); useEffect(() => { if (isOpen) { if (typeof window !== 'undefined') { const focusTarget = sessionStorage.getItem(SETTINGS_FOCUS_KEY); if (focusTarget === 'wormhole-gates') { setActiveTab('protocol'); setWormholeGuideNotice( 'Gates use the Wormhole-backed experimental obfuscation lane. Press GET WORMHOLE KEY and we will walk the rest from here.', ); sessionStorage.removeItem(SETTINGS_FOCUS_KEY); } else { setWormholeGuideNotice(null); } } void (async () => { const ready = await refreshAdminSession(); if (ready) { await Promise.all([fetchKeys(), fetchFeeds()]); } else { setApis([]); setFeeds([]); setFeedsDirty(false); } void fetchWormhole(); void fetchRnsStatus(); void fetchPrivacyProfile(); void fetchWormholeStatus(); })(); } }, [ isOpen, fetchKeys, fetchFeeds, fetchWormhole, fetchRnsStatus, fetchPrivacyProfile, fetchWormholeStatus, refreshAdminSession, ]); useEffect(() => { if (!wormholeEnabled) { setWormholeQuickState('idle'); return; } if (wormholeStatus?.ready) { setWormholeQuickState('active'); if (typeof window !== 'undefined') { const returnTarget = sessionStorage.getItem(WORMHOLE_RETURN_KEY); if (returnTarget) { sessionStorage.removeItem(WORMHOLE_RETURN_KEY); sessionStorage.removeItem(SETTINGS_FOCUS_KEY); window.dispatchEvent(new CustomEvent(WORMHOLE_READY_EVENT, { detail: { target: returnTarget } })); onClose(); } } return; } if (wormholeSaving || wormholeStatus?.running) { setWormholeQuickState('connecting'); return; } setWormholeQuickState('ready'); }, [onClose, wormholeEnabled, wormholeSaving, wormholeStatus]); useEffect(() => { if (!isOpen || !adminSessionReady) return; if (activeTab === 'api-keys') { void fetchKeys(); return; } if (activeTab === 'news-feeds') { void fetchFeeds(); } }, [isOpen, adminSessionReady, activeTab, fetchKeys, fetchFeeds]); // API Keys handlers const startEditing = (api: ApiEntry) => { setEditingId(api.id); setEditValue(''); }; const saveKey = async (api: ApiEntry) => { if (!api.env_key) return; setSaving(true); try { const res = await controlPlaneFetch('/api/settings/api-keys', { method: 'PUT', headers: { 'Content-Type': 'application/json' }, body: JSON.stringify({ env_key: api.env_key, value: editValue }), }); if (res.ok) { setEditingId(null); fetchKeys(); } } catch (e) { console.error('Failed to save API key', e); } finally { setSaving(false); } }; const toggleCategory = (cat: string) => { setExpandedCategories((prev) => { const next = new Set(prev); if (next.has(cat)) next.delete(cat); else next.add(cat); return next; }); }; const grouped = apis.reduce>((acc, api) => { if (!acc[api.category]) acc[api.category] = []; acc[api.category].push(api); return acc; }, {}); // News Feeds handlers const updateFeed = (idx: number, field: keyof FeedEntry, value: string | number) => { setFeeds((prev) => prev.map((f, i) => (i === idx ? { ...f, [field]: value } : f))); setFeedsDirty(true); setFeedMsg(null); }; const removeFeed = (idx: number) => { setFeeds((prev) => prev.filter((_, i) => i !== idx)); setFeedsDirty(true); setFeedMsg(null); }; const addFeed = () => { if (feeds.length >= MAX_FEEDS) return; setFeeds((prev) => [...prev, { name: '', url: '', weight: 3 }]); setFeedsDirty(true); setFeedMsg(null); }; const saveFeeds = async () => { setFeedSaving(true); setFeedMsg(null); try { const res = await controlPlaneFetch('/api/settings/news-feeds', { method: 'PUT', headers: { 'Content-Type': 'application/json' }, body: JSON.stringify(feeds), }); if (res.ok) { setFeedsDirty(false); setFeedMsg({ type: 'ok', text: 'Feeds saved. Changes take effect on next news refresh (~30min) or manual /api/refresh.', }); } else { const d = await res.json().catch(() => ({})); setFeedMsg({ type: 'err', text: d.message || 'Save failed' }); } } catch { setFeedMsg({ type: 'err', text: 'Network error' }); } finally { setFeedSaving(false); } }; const resetFeeds = async () => { try { const res = await controlPlaneFetch('/api/settings/news-feeds/reset', { method: 'POST', }); if (res.ok) { const d = await res.json(); setFeeds(d.feeds || []); setFeedsDirty(false); setFeedMsg({ type: 'ok', text: 'Reset to defaults' }); } } catch { setFeedMsg({ type: 'err', text: 'Reset failed' }); } }; const saveWormholeSettings = async (enabledOverride?: boolean) => { setWormholeSaving(true); setWormholeMsg(null); try { invalidateWormholeRuntimeCache(); const next = typeof enabledOverride === 'boolean' ? enabledOverride : wormholeEnabled; const res = await controlPlaneFetch('/api/settings/wormhole', { method: 'PUT', headers: { 'Content-Type': 'application/json' }, body: JSON.stringify({ enabled: next, transport: wormholeTransport, socks_proxy: wormholeSocksProxy, socks_dns: wormholeSocksDns, anonymous_mode: wormholeAnonymousMode, }), }); if (res.ok) { const data = await res.json(); invalidateWormholeRuntimeCache(); setWormholeEnabled(Boolean(data?.enabled)); await applySecureModeBoundary(Boolean(data?.enabled)); setWormholeTransport(String(data?.transport || wormholeTransport)); setWormholeSocksProxy(String(data?.socks_proxy || wormholeSocksProxy)); setWormholeSocksDns(Boolean(data?.socks_dns ?? wormholeSocksDns)); setWormholeAnonymousMode(Boolean(data?.anonymous_mode ?? wormholeAnonymousMode)); setWormholeDirty(false); if (data?.runtime) setWormholeStatus(data.runtime as WormholeState); setWormholeMsg({ type: 'ok', text: next ? data?.runtime?.ready ? 'Local agent connected with the updated settings.' : 'Settings saved. Local agent is starting.' : 'Local agent disabled and disconnected.', }); } else { setWormholeMsg({ type: 'err', text: 'Failed to update local agent settings' }); } } catch { setWormholeMsg({ type: 'err', text: 'Network error updating local agent settings' }); } finally { setWormholeSaving(false); } }; const toggleWormhole = async () => { await saveWormholeSettings(!wormholeEnabled); }; const quickStartWormhole = async () => { setWormholeSaving(true); setWormholeQuickState('ready'); setWormholeMsg(null); try { const data = await joinWormhole(); invalidateWormholeRuntimeCache(); if (data?.identity?.node_id) { setWormholeNodeId(data.identity.node_id); } setWormholeEnabled(Boolean(data?.settings?.enabled ?? data?.runtime?.configured ?? true)); setWormholeTransport(String(data?.settings?.transport || 'direct')); setWormholeSocksProxy(String(data?.settings?.socks_proxy || '')); setWormholeSocksDns(Boolean(data?.settings?.socks_dns ?? true)); setWormholeAnonymousMode(Boolean(data?.settings?.anonymous_mode ?? false)); setWormholeDirty(false); await applySecureModeBoundary(true); setWormholeQuickState('connecting'); const runtime = (data?.runtime as WormholeState | undefined) ?? (await fetchWormholeState(true)); invalidateWormholeRuntimeCache(); setWormholeStatus(runtime); setWormholeEnabled(Boolean(runtime.configured)); setWormholeQuickState(runtime.ready ? 'active' : 'connecting'); setWormholeMsg({ type: 'ok', text: runtime.ready ? 'Wormhole key ready. Gates and the obfuscated inbox can open now.' : 'Wormhole key is provisioning. Wait for LOCAL AGENT ACTIVE.', }); } catch (e) { const message = e instanceof Error ? e.message : 'Wormhole quick start failed'; setWormholeMsg({ type: 'err', text: message }); setWormholeQuickState('idle'); } finally { setWormholeSaving(false); } }; const controlWormhole = async (action: 'connect' | 'disconnect' | 'restart') => { setWormholeSaving(true); setWormholeMsg(null); try { await ensureAdminSession(); const runtime = action === 'connect' ? await connectWormhole() : action === 'disconnect' ? await disconnectWormhole() : await restartWormhole(); invalidateWormholeRuntimeCache(); setWormholeStatus(runtime); setWormholeEnabled(Boolean(runtime.configured)); await applySecureModeBoundary(Boolean(runtime.configured)); setWormholeMsg({ type: 'ok', text: action === 'disconnect' ? 'Local agent disconnected.' : runtime.ready ? `Local agent ${action === 'restart' ? 'restarted' : 'connected'}.` : 'Local agent is starting. Mesh actions will unlock when ready.', }); } catch (e) { const message = e instanceof Error ? e.message : 'Local agent request failed'; setWormholeMsg({ type: 'err', text: message }); } finally { setWormholeSaving(false); } }; const setHighPrivacy = async (enabled: boolean) => { const profile = enabled ? 'high' : 'default'; const nextSessionMode = enabled || getSessionModePreference(); setSessionModePreference(nextSessionMode); setPrivacyStrictPreference(enabled, { sessionMode: nextSessionMode }); setPrivacyProfilePreference(profile, { sessionMode: nextSessionMode }); setPrivacyProfile(profile); setStrictPrivacy(enabled); setSessionMode(nextSessionMode); migratePrivacySensitiveBrowserState(); if (nextSessionMode) clearSessionIdentity(); try { const res = await controlPlaneFetch('/api/settings/privacy-profile', { method: 'PUT', headers: { 'Content-Type': 'application/json' }, body: JSON.stringify({ profile }), }); if (!res.ok) { setWormholeMsg({ type: 'err', text: 'Failed to save privacy profile' }); } else { invalidatePrivacyProfileCache(); invalidateRnsStatusCache(); const data = await res.json().catch(() => ({})); const forcedWormhole = Boolean(data?.wormhole_enabled); if (forcedWormhole) { setWormholeEnabled(true); await applySecureModeBoundary(true); } setWormholeMsg({ type: 'ok', text: forcedWormhole ? 'High Privacy requires the local agent. It was enabled for this device.' : 'Privacy profile saved.', }); } } catch { setWormholeMsg({ type: 'err', text: 'Failed to save privacy profile' }); } }; const unlockAdminSession = async () => { setAdminSessionBusy(true); setAdminSessionMsg(null); try { await ensureAdminSession(); await Promise.all([fetchKeys(), fetchFeeds()]); } catch (e) { const message = e instanceof Error ? e.message : 'ADMIN SESSION FAILED'; if (message === 'Forbidden — admin key not configured') { await clearAdminSession(); setAdminSessionReady(false); setAdminSessionMsg('BACKEND ADMIN KEY NOT CONFIGURED'); return; } setAdminSessionMsg(message.toUpperCase()); } finally { setAdminSessionBusy(false); } }; const lockAdminSession = async () => { setAdminSessionBusy(true); setAdminSessionMsg(null); try { await clearAdminSession(); setAdminKey(''); setAdminSessionReady(false); setAdminSessionMsg('LOCAL SESSION CLEARED'); } finally { setAdminSessionBusy(false); } }; const configuredTransport = (wormholeStatus?.transport || wormholeTransport || '').toLowerCase(); const activeTransport = (wormholeStatus?.transport_active || '').toLowerCase(); const effectiveTransport = activeTransport || configuredTransport || 'direct'; const anonModeReady = Boolean(wormholeEnabled) && Boolean(wormholeStatus?.ready) && ['tor', 'tor_arti', 'i2p', 'mixnet'].includes(effectiveTransport) && wormholeAnonymousMode; const rnsReady = Boolean(wormholeStatus?.rns_ready ?? rnsStatus?.ready); const recentPrivateFallback = Boolean(wormholeStatus?.recent_private_clearnet_fallback); const recentPrivateFallbackReason = wormholeStatus?.recent_private_clearnet_fallback_reason || 'An obfuscated-tier payload recently fell back to clearnet relay.'; const trustModeLabel = !wormholeEnabled ? 'PUBLIC / DEGRADED' : wormholeStatus?.ready && rnsReady ? 'EXPERIMENTAL / OBFUSCATED+' : 'EXPERIMENTAL / OBFUSCATED'; const transportMismatch = Boolean(activeTransport) && Boolean(configuredTransport) && activeTransport !== configuredTransport; const wormholeQuickButtonLabel = wormholeQuickState === 'active' ? 'ACTIVE' : wormholeQuickState === 'connecting' ? 'CONNECTING' : wormholeQuickState === 'ready' ? 'READY' : 'GET WORMHOLE KEY'; return ( {isOpen && ( <> {/* Backdrop */} {/* Settings Panel */} {/* Header */}

SYSTEM CONFIG

SETTINGS & DATA SOURCES
{/* Operator Tools */} {activeTab === 'protocol' && !showOperatorTools ? (
WORMHOLE FIRST-RUN
Wormhole join below does not need operator tools. API/news tabs do.
) : ( <>
OPERATOR TOOLS setAdminKey(e.target.value)} onKeyDown={(e) => { if (e.key === 'Enter' && adminKey.trim() && !adminSessionBusy) { void unlockAdminSession(); } }} placeholder={ adminSessionReady ? 'Operator tools unlocked. Enter key only to reseed or recover...' : 'Enter operator key for protected settings tabs...' } className="flex-1 bg-[var(--bg-primary)]/60 border border-[var(--border-primary)] px-2 py-1 text-[10px] font-mono text-[var(--text-secondary)] outline-none focus:border-cyan-700 placeholder:text-[var(--text-muted)]/50" /> {adminSessionReady ? ( ) : ( )} {activeTab === 'protocol' && ( )} {adminSessionReady ? 'ACTIVE' : 'LOCKED'}
{adminSessionMsg && (
{adminSessionMsg}
)} )} {adminSessionMsg === 'BACKEND ADMIN KEY NOT CONFIGURED' && activeTab !== 'protocol' && (
This is not an old market/API key problem. The backend admin secret itself is not configured, so protected Settings tabs cannot load.
Add ADMIN_KEY to{' '} backend/.env, restart the backend, then paste that same key above and unlock.
)}
{/* ==================== API KEYS TAB ==================== */} {/* ==================== MESH PROTOCOL TAB ==================== */} {activeTab === 'protocol' && (
WORMHOLE KEY SETUP
One click enters Wormhole on the recommended path for gates and the obfuscated inbox. Manual transport tuning stays hidden unless you ask for it.
STATUS
{wormholeStatus?.ready ? 'ACTIVE' : wormholeEnabled ? 'TURN ON CONNECT' : 'OFF'}
1. Press GET WORMHOLE KEY.
2. We handle the recommended setup path in the background.
3. Wait for ACTIVE.
4. We send you straight back into gates.
{wormholeGuideNotice && (
{wormholeGuideNotice}
)} {adminSessionMsg === 'BACKEND ADMIN KEY NOT CONFIGURED' && (
Operator key is only needed for protected Settings tabs. Wormhole join below now works without it.
)}
{wormholeMsg && (
{wormholeMsg.text}
)} {wormholeNodeId && (
YOUR WORMHOLE IDENTITY
{wormholeNodeId}
)}
{showAdvancedWormhole && ( <> {/* Privacy Mode */}
HIGH PRIVACY MODE (OPT-IN)

Enables High Privacy profile: session-only identity, stronger jitter, sharded transport (when available), and stricter sync behavior. High Privacy requires the local agent for mesh traffic and refuses clearnet fallback for obfuscated sends. This does not make you anonymous or fully hidden.

{privacyProfile === 'high' && (
Recommendation: use a reputable VPN or hidden transport. A VPN can help hide your IP from the backend and peers, but it does not eliminate metadata, endpoint compromise, or traffic analysis risks.
)}
{/* Session Identity Mode */}
EPHEMERAL SESSION ID (RECOMMENDED)

When enabled, agent keys are stored in session storage and reset on browser close. Your identity will not persist across restarts.

WIPE LOCAL MESH TRACES

Clears browser-held mesh identities, DM ratchet state, cached contacts, and privacy-sensitive browser storage. The local agent is not shut down.

{browserWipeMsg && (
{browserWipeMsg.text}
)}
{/* Wormhole Mode */}
LOCAL MESH AGENT (OPT-IN)

Runs a local mesh agent that handles traffic directly, removing the backend as a central observer. Experimental — does not guarantee privacy or anonymity.

TRANSPORT
{(wormholeTransport === 'tor' || wormholeTransport === 'i2p' || wormholeTransport === 'mixnet') && ( <> { setWormholeSocksProxy(e.target.value); setWormholeDirty(true); }} placeholder="SOCKS5 proxy (e.g. 127.0.0.1:9050)" className="w-full bg-black/30 border border-[var(--border-primary)]/40 px-2 py-1 text-[10px] font-mono text-[var(--text-muted)] outline-none focus:border-cyan-500/50" />
PROXY DNS
Hidden transport requires a local SOCKS5 proxy (Tor/I2P/Mixnet) already running. Save applies the new transport immediately.
)}
HIDDEN TRANSPORT MODE
Public mesh writes fail closed unless the local agent is active on Tor/I2P/Mixnet. Direct transport is blocked while this is on.
{wormholeAnonymousMode && (
{trustModeLabel} {anonModeReady ? 'Hidden transport is active. Public gate posting routes through the local agent.' : 'Connect the local agent over Tor, I2P, or Mixnet before posting publicly.'}
Mesh Terminal stays read-only for sensitive posting and DM actions while the hidden transport policy is active. Use MeshChat for the hardened path.
Relay fallback reduces metadata protection compared with direct obfuscated transport. Meshtastic/APRS remain degraded, integrity-only channels in this phase.
)} {!wormholeAnonymousMode && (
{trustModeLabel} Hidden transport is off. Public posting may use public or degraded transports until you require Tor, I2P, or Mixnet.
Meshtastic/APRS/JS8 remain public or degraded in this phase unless a separate obfuscated transport is explicitly enabled.
)}
{rnsStatus && (
RNS {rnsStatus.ready ? 'READY' : rnsStatus.enabled ? 'STARTING' : 'OFF'} peers {rnsStatus.active_peers}/{rnsStatus.configured_peers}
)} {wormholeStatus && (
{wormholeStatus.ready ? 'LOCAL AGENT ACTIVE' : wormholeStatus.running ? 'LOCAL AGENT STARTING' : wormholeStatus.configured ? 'LOCAL AGENT IDLE' : 'LOCAL AGENT OFF'} {wormholeStatus.pid > 0 && pid {wormholeStatus.pid}}
ACTIVE {effectiveTransport.toUpperCase()} {transportMismatch && ( FALLBACK )} {recentPrivateFallback && ( PRIVACY DOWNGRADE )} {wormholeStatus.proxy_active && ( proxy {wormholeStatus.proxy_active} )}
Public transport identity, gate personas, and the obfuscated DM alias are compartmentalized inside the local agent.
{recentPrivateFallback && (
{recentPrivateFallbackReason}
)} {wormholeStatus.last_error && (
{wormholeStatus.last_error}
)}
)}
)}
)} {activeTab === 'api-keys' && ( <> {/* Info Banner */}

API keys are stored locally in the backend{' '} .env file. Keys marked with{' '} are required for full functionality. Public APIs need no key.

{/* API List */}
{Object.entries(grouped).map(([category, categoryApis]) => { const colorClass = CATEGORY_COLORS[category] || 'text-gray-400 border-gray-700 bg-gray-900/20'; const isExpanded = expandedCategories.has(category); return (
{isExpanded && ( {categoryApis.map((api) => (
{api.required && ( )} {api.name}
{api.has_key ? ( api.is_set ? ( KEY SET ) : ( MISSING ) ) : ( PUBLIC )} {api.url && ( e.stopPropagation()} > )}

{api.description}

{api.has_key && (
{editingId === api.id ? (
setEditValue(e.target.value)} className="flex-1 bg-black/60 border border-cyan-900/50 px-2 py-1.5 text-[11px] font-mono text-cyan-300 outline-none focus:border-cyan-500/70 transition-colors" placeholder="Enter API key..." autoFocus />
) : (
startEditing(api)} > {api.is_set ? api.value_obfuscated : 'Click to set key...'}
)}
)}
))} )}
); })}
{/* Footer */}
{apis.length} REGISTERED APIs {apis.filter((a) => a.has_key).length} KEYS CONFIGURED
)} {/* ==================== NEWS FEEDS TAB ==================== */} {activeTab === 'news-feeds' && ( <> {/* Info Banner */}

Configure RSS/Atom feeds for the Threat Intel news panel. Each feed is scored by keyword heuristics and weighted by the priority you set. Up to{' '} {MAX_FEEDS} sources.

{/* Feed List */}
{feeds.map((feed, idx) => (
{/* Row 1: Name + Weight + Delete */}
updateFeed(idx, 'name', e.target.value)} className="flex-1 bg-transparent border-b border-[var(--border-primary)] text-xs font-mono text-[var(--text-primary)] outline-none focus:border-cyan-500/70 transition-colors px-1 py-0.5" placeholder="Source name..." /> {/* Weight selector */}
{[1, 2, 3, 4, 5].map((w) => ( ))} {WEIGHT_LABELS[feed.weight] || 'STD'}
{/* Row 2: URL */} updateFeed(idx, 'url', e.target.value)} className="w-full bg-black/30 border border-[var(--border-primary)]/40 px-2 py-1 text-[10px] font-mono text-[var(--text-muted)] outline-none focus:border-cyan-500/50 focus:text-cyan-300 transition-colors" placeholder="https://example.com/rss.xml" />
))} {/* Add Feed Button */}
{/* Status message */} {feedMsg && (
{feedMsg.text}
)} {/* Footer */}
{feeds.length}/{MAX_FEEDS} SOURCES WEIGHT: 1=LOW 5=CRITICAL
)} {/* ==================== SENTINEL HUB TAB ==================== */} {activeTab === 'sentinel' && } )} ); }); // ─── Sentinel Hub Settings Tab ───────────────────────────────────────────── function SentinelTab() { const [clientId, setClientId] = useState(() => getSentinelCredentials().clientId); const [clientSecret, setClientSecret] = useState(() => getSentinelCredentials().clientSecret); const [testing, setTesting] = useState(false); const [status, setStatus] = useState<{ ok: boolean; msg: string } | null>(null); const [dirty, setDirty] = useState(false); const [showSecret, setShowSecret] = useState(false); const storageMode = getSentinelCredentialStorageMode(); const save = () => { setSentinelCredentials(clientId.trim(), clientSecret.trim()); setDirty(false); setStatus({ ok: true, msg: `Credentials saved to browser ${storageMode === 'session' ? 'session' : 'local'} storage.`, }); }; const testConnection = async () => { setTesting(true); setStatus(null); try { const resp = await fetch(`${API_BASE}/api/sentinel/token`, { method: 'POST', headers: { 'Content-Type': 'application/x-www-form-urlencoded' }, body: new URLSearchParams({ client_id: clientId.trim(), client_secret: clientSecret.trim(), }), }); if (resp.ok) { setStatus({ ok: true, msg: 'Connected — token acquired successfully.' }); } else { const text = await resp.text().catch(() => ''); setStatus({ ok: false, msg: `Auth failed (${resp.status}): ${text.slice(0, 120)}` }); } } catch (err) { const msg = typeof err === 'object' && err !== null && 'message' in err ? String((err as { message?: string }).message) : 'unknown'; setStatus({ ok: false, msg: `Network error: ${msg}` }); } finally { setTesting(false); } }; const clear = () => { clearSentinelCredentials(); setClientId(''); setClientSecret(''); setDirty(false); setStatus({ ok: true, msg: 'Credentials cleared.' }); }; const inputCls = 'w-full bg-[var(--bg-primary)]/60 border border-[var(--border-primary)] px-3 py-2 text-[11px] font-mono text-[var(--text-secondary)] outline-none focus:border-purple-500 placeholder:text-[var(--text-muted)]/50 transition-colors'; return (
{/* Setup Guide */}

COPERNICUS SENTINEL HUB SETUP

Sentinel Hub gives you access to ESA satellite imagery (Sentinel-2 true color, NDVI vegetation, false color IR, moisture index). Free tier: 10,000 processing units/month. Follow each step below:

STEP 1:{' '} Go to{' '} dataspace.copernicus.eu {' '}→ click Register (top right) → create a free account. Pick Public for User Category.

STEP 2:{' '} Once logged in, go to{' '} Sentinel Hub Dashboard {' '}→ click your user icon (top right) {' '}→ User Settings {' '}→ OAuth clients tab →{' '} click "+ Create new". Give it any name (e.g. "ShadowBroker"). Copy the{' '} Client ID and{' '} Client Secret it shows you.

STEP 3:{' '} Paste both values in the fields below, hit{' '} SAVE, then{' '} TEST CONNECTION to verify. That's it!

{/* Credential Inputs */}
{ setClientId(e.target.value); setDirty(true); }} placeholder="sh-xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" spellCheck={false} autoComplete="off" className={inputCls} />
{ setClientSecret(e.target.value); setDirty(true); }} placeholder="Paste client secret here..." spellCheck={false} autoComplete="new-password" className={inputCls} />
{/* Status */} {status && (
{status.msg}
)} {/* Actions */}
{/* Usage Meter */}

Credentials stay in browser-only storage and never touch ShadowBroker servers. {storageMode === 'session' ? ' Current privacy mode keeps them in session storage only.' : ' Current privacy mode keeps them in local storage for persistence.'}

); } function UsageMeter() { const [usage, setUsage] = useState({ month: '', tiles: 0, pu: 0 }); useEffect(() => { // Import dynamically to avoid SSR issues import('@/lib/sentinelHub').then(({ getSentinelUsage }) => { setUsage(getSentinelUsage()); }); // Refresh every 10s when tab is active const id = setInterval(() => { import('@/lib/sentinelHub').then(({ getSentinelUsage }) => { setUsage(getSentinelUsage()); }); }, 10_000); return () => clearInterval(id); }, []); const maxRequests = 10_000; const maxPU = 10_000; const pct = Math.min(100, (usage.tiles / maxRequests) * 100); const barColor = pct < 50 ? 'bg-purple-500' : pct < 80 ? 'bg-yellow-500' : 'bg-red-500'; const textColor = pct < 50 ? 'text-purple-400' : pct < 80 ? 'text-yellow-400' : 'text-red-400'; return (
MONTHLY USAGE {usage.month || '—'}
{/* Progress bar */}
{usage.tiles.toLocaleString()}
/ {maxRequests.toLocaleString()} tiles
{usage.pu.toLocaleString()}
/ {maxPU.toLocaleString()} PU
{Math.round(100 - pct)}%
remaining
); } export default SettingsPanel;