Add grpcserver test coverage

- Add comprehensive test file for internal/grpcserver package - Cover interceptors, system, engine, policy, and auth handlers - Cover pbToRule/ruleToPB conversion helpers - 37 tests total; CA/PKI/ACME and Login/Logout skipped (require live deps) Co-authored-by: Junie <junie@jetbrains.com>
2026-03-15 13:07:42 -07:00
parent ad167aed9b
commit 8215aaccc5
40 changed files with 8865 additions and 519 deletions
--- a/web/static/style.css
+++ b/web/static/style.css
@@ -1,31 +1,456 @@
-* { margin: 0; padding: 0; box-sizing: border-box; }
-body { font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", Roboto, sans-serif; background: #f5f5f5; color: #333; line-height: 1.6; }
-.container { max-width: 800px; margin: 0 auto; padding: 2rem; }
-header h1 { margin-bottom: 2rem; }
-header h1 a { color: #333; text-decoration: none; }
-main { background: #fff; border-radius: 8px; padding: 2rem; box-shadow: 0 1px 3px rgba(0,0,0,0.1); }
-h2 { margin-bottom: 1rem; color: #222; }
-h3 { margin: 1.5rem 0 0.5rem; color: #444; }
-p { margin-bottom: 1rem; }
+/* Metacrypt — Nord dark theme */
+
+/* ===========================
+   Colour tokens (Nord palette)
+   =========================== */
+:root {
+  /* Polar Night */
+  --n0: #2E3440;
+  --n1: #3B4252;
+  --n2: #434C5E;
+  --n3: #4C566A;
+  /* Snow Storm */
+  --s0: #D8DEE9;
+  --s1: #E5E9F0;
+  --s2: #ECEFF4;
+  /* Frost */
+  --f0: #8FBCBB;
+  --f1: #88C0D0;
+  --f2: #81A1C1;
+  --f3: #5E81AC;
+  /* Aurora */
+  --red:    #BF616A;
+  --orange: #D08770;
+  --yellow: #EBCB8B;
+  --green:  #A3BE8C;
+  --green-dark: #4C7A4A;
+  --purple: #B48EAD;
+}
+
+/* ===========================
+   Reset
+   =========================== */
+*, *::before, *::after { margin: 0; padding: 0; box-sizing: border-box; }
+html { font-size: 16px; }
+
+/* ===========================
+   Base
+   =========================== */
+body {
+  font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", Roboto, "Helvetica Neue", sans-serif;
+  background: var(--n0);
+  color: var(--s0);
+  line-height: 1.6;
+  min-height: 100vh;
+}
+a { color: var(--f1); text-decoration: none; }
+a:hover { color: var(--f0); text-decoration: underline; }
+p { margin-bottom: 0.875rem; }
+h2 { font-size: 1.375rem; font-weight: 600; color: var(--s2); margin-bottom: 0.25rem; }
+h3 { font-size: 1.0625rem; font-weight: 600; color: var(--s1); margin: 0; }
+code {
+  font-family: "SF Mono", "Cascadia Code", "Fira Code", Consolas, monospace;
+  font-size: 0.8125rem;
+  color: var(--f0);
+  background: var(--n2);
+  padding: 0.125rem 0.375rem;
+  border-radius: 3px;
+}
+small { font-size: 0.8125rem; color: var(--s0); }
+
+/* ===========================
+   Top navigation
+   =========================== */
+.topnav {
+  display: flex;
+  align-items: center;
+  justify-content: space-between;
+  padding: 0 2rem;
+  height: 52px;
+  background: var(--n1);
+  border-bottom: 1px solid var(--n3);
+  position: sticky;
+  top: 0;
+  z-index: 100;
+}
+.topnav-brand {
+  font-size: 1rem;
+  font-weight: 700;
+  color: var(--s2);
+  text-decoration: none;
+  letter-spacing: 0.04em;
+}
+.topnav-brand:hover { color: var(--f1); text-decoration: none; }
+.topnav-right {
+  display: flex;
+  align-items: center;
+  gap: 0.75rem;
+}
+.topnav-user {
+  font-size: 0.875rem;
+  color: var(--s1);
+}
+
+/* ===========================
+   Page containers
+   =========================== */
+.page-container {
+  max-width: 1100px;
+  margin: 0 auto;
+  padding: 2rem;
+}
+.auth-container {
+  max-width: 420px;
+  margin: 5rem auto 2rem;
+  padding: 0 1rem;
+}
+
+/* ===========================
+   Page header
+   =========================== */
+.page-header {
+  margin-bottom: 1.5rem;
+  padding-bottom: 1rem;
+  border-bottom: 1px solid var(--n2);
+}
+.page-header h2 { margin-bottom: 0; }
+.page-meta {
+  margin-top: 0.375rem;
+  display: flex;
+  align-items: center;
+  gap: 0.75rem;
+  font-size: 0.8125rem;
+  color: var(--n3);
+}
+.page-meta a { color: var(--f2); font-size: 0.8125rem; }
+.page-meta a:hover { color: var(--f1); }
+
+/* ===========================
+   Auth pages
+   =========================== */
+.auth-header {
+  text-align: center;
+  margin-bottom: 1.75rem;
+}
+.auth-header .brand {
+  font-size: 1.5rem;
+  font-weight: 700;
+  color: var(--s2);
+  letter-spacing: 0.04em;
+}
+.auth-header .tagline {
+  font-size: 0.6875rem;
+  color: var(--f2);
+  text-transform: uppercase;
+  letter-spacing: 0.12em;
+  margin-top: 0.25rem;
+}
+
+/* ===========================
+   Cards
+   =========================== */
+.card {
+  background: var(--n1);
+  border: 1px solid var(--n3);
+  border-radius: 6px;
+  padding: 1.5rem;
+  margin-bottom: 1.25rem;
+}
+.card:last-child { margin-bottom: 0; }
+.card-title {
+  font-size: 0.6875rem;
+  font-weight: 700;
+  text-transform: uppercase;
+  letter-spacing: 0.09em;
+  color: var(--f2);
+  margin-bottom: 1rem;
+  padding-bottom: 0.625rem;
+  border-bottom: 1px solid var(--n2);
+}
+.card p:last-child { margin-bottom: 0; }
+
+/* ===========================
+   State chip
+   =========================== */
+.state-chip {
+  display: inline-flex;
+  align-items: center;
+  gap: 0.4rem;
+  font-size: 0.8125rem;
+  color: var(--s0);
+}
+.state-chip::before {
+  content: '';
+  width: 7px;
+  height: 7px;
+  border-radius: 50%;
+  background: var(--n3);
+  flex-shrink: 0;
+}
+.state-chip.state-unsealed::before {
+  background: var(--green);
+  box-shadow: 0 0 5px rgba(163, 190, 140, 0.55);
+}
+.state-chip.state-sealed::before { background: var(--red); }
+
+/* ===========================
+   Badges
+   =========================== */
+.badge {
+  display: inline-block;
+  padding: 0.125rem 0.5rem;
+  border-radius: 3px;
+  font-size: 0.6875rem;
+  font-weight: 700;
+  text-transform: uppercase;
+  letter-spacing: 0.06em;
+  background: rgba(94, 129, 172, 0.2);
+  color: var(--f1);
+  border: 1px solid rgba(94, 129, 172, 0.35);
+}
+.badge-danger {
+  background: rgba(191, 97, 106, 0.15);
+  color: #e07c82;
+  border-color: rgba(191, 97, 106, 0.35);
+}
+
+/* ===========================
+   Alerts
+   =========================== */
+.error {
+  background: rgba(191, 97, 106, 0.12);
+  color: #e07c82;
+  border: 1px solid rgba(191, 97, 106, 0.3);
+  padding: 0.75rem 1rem;
+  border-radius: 4px;
+  margin-bottom: 1rem;
+  font-size: 0.875rem;
+}
+.success {
+  background: rgba(163, 190, 140, 0.1);
+  border: 1px solid rgba(163, 190, 140, 0.3);
+  border-radius: 4px;
+  padding: 1rem;
+  margin-bottom: 1rem;
+}
+.success p { color: var(--green); }
+
+/* ===========================
+   Buttons
+   =========================== */
+button, .btn {
+  display: inline-flex;
+  align-items: center;
+  justify-content: center;
+  gap: 0.375rem;
+  padding: 0.5rem 1.25rem;
+  font-size: 0.875rem;
+  font-weight: 600;
+  font-family: inherit;
+  border: 1px solid var(--f3);
+  border-radius: 4px;
+  cursor: pointer;
+  text-decoration: none;
+  white-space: nowrap;
+  transition: background 0.12s, border-color 0.12s, color 0.12s;
+  line-height: 1.4;
+  background: var(--f3);
+  color: var(--s2);
+}
+button:hover, .btn:hover {
+  background: var(--f2);
+  border-color: var(--f2);
+  text-decoration: none;
+  color: var(--s2);
+}
+.btn-danger {
+  background: var(--red);
+  color: var(--s2);
+  border-color: var(--red);
+}
+.btn-danger:hover {
+  background: #a8535b;
+  border-color: #a8535b;
+  color: var(--s2);
+}
+.btn-ghost {
+  background: transparent;
+  color: var(--s0);
+  border-color: var(--n3);
+}
+.btn-ghost:hover {
+  background: var(--n2);
+  color: var(--s1);
+  border-color: var(--n3);
+  text-decoration: none;
+}
+.btn-sm {
+  padding: 0.3125rem 0.875rem;
+  font-size: 0.8125rem;
+}
+
+/* ===========================
+   Forms
+   =========================== */
 .form-group { margin-bottom: 1rem; }
-.form-group label { display: block; margin-bottom: 0.25rem; font-weight: 600; }
-.form-group input { width: 100%; padding: 0.5rem; border: 1px solid #ccc; border-radius: 4px; font-size: 1rem; }
-button { padding: 0.5rem 1.5rem; background: #2563eb; color: #fff; border: none; border-radius: 4px; font-size: 1rem; cursor: pointer; }
-button:hover { background: #1d4ed8; }
-.error { background: #fee2e2; color: #991b1b; padding: 0.75rem; border-radius: 4px; margin-bottom: 1rem; }
-.badge { background: #dbeafe; color: #1e40af; padding: 0.125rem 0.5rem; border-radius: 4px; font-size: 0.875rem; }
-.status-bar { display: flex; gap: 1rem; align-items: center; padding: 0.75rem; background: #f9fafb; border-radius: 4px; margin-bottom: 1.5rem; flex-wrap: wrap; }
-.status-bar a { margin-left: auto; color: #2563eb; }
-table { width: 100%; border-collapse: collapse; margin: 0.5rem 0; }
-th, td { text-align: left; padding: 0.5rem; border-bottom: 1px solid #e5e7eb; }
-th { font-weight: 600; background: #f9fafb; }
-.admin-actions { margin-top: 0.5rem; }
-.admin-actions button { background: #dc2626; }
-.admin-actions button:hover { background: #b91c1c; }
-.badge-danger { background: #fee2e2; color: #991b1b; }
-.form-group textarea, .pem-input { width: 100%; padding: 0.5rem; border: 1px solid #ccc; border-radius: 4px; font-family: monospace; font-size: 0.875rem; resize: vertical; }
-.form-group input[type="file"] { padding: 0.25rem 0; border: none; }
+.form-group label {
+  display: block;
+  font-size: 0.6875rem;
+  font-weight: 700;
+  color: var(--s0);
+  margin-bottom: 0.375rem;
+  text-transform: uppercase;
+  letter-spacing: 0.06em;
+}
+.form-group input,
+.form-group select,
+.form-group textarea {
+  width: 100%;
+  padding: 0.5rem 0.75rem;
+  background: var(--n0);
+  border: 1px solid var(--n3);
+  border-radius: 4px;
+  color: var(--s1);
+  font-size: 0.9375rem;
+  font-family: inherit;
+  transition: border-color 0.12s, box-shadow 0.12s;
+  -webkit-appearance: none;
+  appearance: none;
+}
+.form-group input:focus,
+.form-group select:focus,
+.form-group textarea:focus {
+  outline: none;
+  border-color: var(--f3);
+  box-shadow: 0 0 0 3px rgba(94, 129, 172, 0.2);
+}
+.form-group input::placeholder,
+.form-group textarea::placeholder { color: var(--n3); }
+.form-group input[type="file"] {
+  padding: 0.375rem 0.5rem;
+  font-size: 0.875rem;
+  color: var(--s0);
+  cursor: pointer;
+  border-style: dashed;
+}
+.form-group select {
+  background-image: url("data:image/svg+xml,%3Csvg xmlns='http://www.w3.org/2000/svg' width='12' height='12' viewBox='0 0 24 24' fill='none' stroke='%2381A1C1' stroke-width='2.5' stroke-linecap='round' stroke-linejoin='round'%3E%3Cpolyline points='6 9 12 15 18 9'%3E%3C/polyline%3E%3C/svg%3E");
+  background-repeat: no-repeat;
+  background-position: right 0.75rem center;
+  padding-right: 2.25rem;
+  cursor: pointer;
+}
 .form-row { display: flex; gap: 1rem; }
-.form-row .form-group { flex: 1; }
+.form-row .form-group { flex: 1; min-width: 0; }
+.form-actions { margin-top: 0.25rem; }
+.pem-input,
+.form-group textarea.pem-input {
+  font-family: "SF Mono", "Cascadia Code", "Fira Code", Consolas, monospace;
+  font-size: 0.8125rem;
+  resize: vertical;
+}
+
+/* ===========================
+   Details / Summary
+   =========================== */
 details { margin: 0.75rem 0; }
-details summary { cursor: pointer; color: #2563eb; font-weight: 600; margin-bottom: 0.5rem; }
+details summary {
+  cursor: pointer;
+  color: var(--f2);
+  font-size: 0.875rem;
+  font-weight: 600;
+  padding: 0.375rem 0;
+  user-select: none;
+  list-style: none;
+}
+details summary::-webkit-details-marker { display: none; }
+details summary::before {
+  content: '▸  ';
+  color: var(--n3);
+  font-size: 0.75rem;
+}
+details[open] summary::before { content: '▾  '; }
+details summary:hover { color: var(--f1); }
+details[open] > summary { margin-bottom: 0.75rem; }
+details > :not(summary):first-of-type { margin-top: 0.25rem; }
+
+/* ===========================
+   Tables
+   =========================== */
+.table-wrapper { overflow-x: auto; }
+table { width: 100%; border-collapse: collapse; }
+th {
+  text-align: left;
+  padding: 0.5rem 0.875rem;
+  font-size: 0.6875rem;
+  font-weight: 700;
+  text-transform: uppercase;
+  letter-spacing: 0.07em;
+  color: var(--f2);
+  border-bottom: 1px solid var(--n3);
+  white-space: nowrap;
+}
+td {
+  text-align: left;
+  padding: 0.625rem 0.875rem;
+  font-size: 0.875rem;
+  color: var(--s0);
+  border-bottom: 1px solid var(--n2);
+}
+tbody tr:last-child td { border-bottom: none; }
+tbody tr:hover td { background: rgba(76, 86, 106, 0.25); }
+
+/* Key–value table (cert info) */
+.kv-table { border-collapse: collapse; width: 100%; }
+.kv-table th {
+  width: 140px;
+  font-size: 0.75rem;
+  font-weight: 700;
+  color: var(--f2);
+  text-transform: uppercase;
+  letter-spacing: 0.05em;
+  padding: 0.375rem 1rem 0.375rem 0;
+  border-bottom: none;
+  vertical-align: top;
+  white-space: nowrap;
+}
+.kv-table td {
+  font-size: 0.9375rem;
+  color: var(--s1);
+  padding: 0.375rem 0;
+  border-bottom: none;
+}
+.kv-table tbody tr:hover td { background: transparent; }
+
+.checkbox-group {
+  display: flex;
+  flex-direction: column;
+  gap: 0.375rem;
+  margin-top: 0.25rem;
+}
+.form-group .checkbox-label {
+  display: flex;
+  align-items: center;
+  gap: 0.5rem;
+  font-size: 0.9375rem;
+  font-weight: normal;
+  text-transform: none;
+  letter-spacing: 0;
+  color: var(--s1);
+  cursor: pointer;
+}
+.form-group .checkbox-label input[type="checkbox"] {
+  width: 1rem;
+  height: 1rem;
+  padding: 0;
+  cursor: pointer;
+  flex-shrink: 0;
+  accent-color: var(--green-dark);
+}
+.form-group .checkbox-label input[type="checkbox"]:checked {
+  outline: 2px solid var(--green-dark);
+  outline-offset: 1px;
+}
+.form-group .checkbox-label:has(input[type="checkbox"]:checked) {
+  color: var(--green);
+}
--- a/web/templates/dashboard.html
+++ b/web/templates/dashboard.html
@@ -1,63 +1,85 @@
 {{define "title"}} - Dashboard{{end}}
 {{define "content"}}
-<h2>Dashboard</h2>
-<div class="status-bar">
-    <span>Logged in as <strong>{{.Username}}</strong></span>
-    {{if .IsAdmin}}<span class="badge">Admin</span>{{end}}
-    <span>State: <strong>{{.State}}</strong></span>
-    <span class="version">v{{.Version}}</span>
-    <a href="/login" onclick="fetch('/v1/auth/logout',{method:'POST'})">Logout</a>
+<div class="page-header">
+    <h2>Dashboard</h2>
+    <div class="page-meta">
+        <span class="state-chip state-{{.State}}">{{.State}}</span>
+    </div>
 </div>

-<h3>Engine Mounts</h3>
-{{if .Mounts}}
-<table>
-    <thead><tr><th>Name</th><th>Type</th><th>Path</th></tr></thead>
-    <tbody>
-    {{range .Mounts}}
-    <tr>
-        <td>{{if eq (printf "%s" .Type) "ca"}}<a href="/pki">{{.Name}}</a>{{else}}{{.Name}}{{end}}</td>
-        <td>{{.Type}}</td>
-        <td>{{.MountPath}}</td>
-    </tr>
+<div class="card">
+    <div class="card-title">Engine Mounts</div>
+    {{if .Mounts}}
+    <div class="table-wrapper">
+        <table>
+            <thead>
+                <tr>
+                    <th>Name</th>
+                    <th>Type</th>
+                    <th>Path</th>
+                </tr>
+            </thead>
+            <tbody>
+            {{range .Mounts}}
+            <tr>
+                <td>
+                    {{if eq (printf "%s" .Type) "ca"}}
+                    <a href="/pki">{{.Name}}</a>
+                    {{else}}
+                    {{.Name}}
+                    {{end}}
+                </td>
+                <td><code>{{.Type}}</code></td>
+                <td><code>{{.MountPath}}</code></td>
+            </tr>
+            {{end}}
+            </tbody>
+        </table>
+    </div>
+    {{else}}
+    <p>No engines mounted.</p>
    {{end}}
-    </tbody>
-</table>
-{{else}}
-<p>No engines mounted.</p>
-{{end}}
+</div>

 {{if .IsAdmin}}
-<h3>Mount CA Engine</h3>
-{{if .MountError}}<div class="error">{{.MountError}}</div>{{end}}
-<form method="post" action="/dashboard/mount-ca" enctype="multipart/form-data">
-    <div class="form-row">
-        <div class="form-group">
-            <label for="mount_name">Mount Name</label>
-            <input type="text" id="mount_name" name="name" placeholder="pki" required>
-        </div>
-        <div class="form-group">
-            <label for="organization">Organization</label>
-            <input type="text" id="organization" name="organization" placeholder="Metacircular">
-        </div>
-    </div>
+<div class="card">
+    <div class="card-title">Mount Engine</div>
+    {{if .MountError}}<div class="error">{{.MountError}}</div>{{end}}
    <details>
-        <summary>Import existing root CA (optional)</summary>
-        <div class="form-group">
-            <label for="cert_file">Certificate PEM file</label>
-            <input type="file" id="cert_file" name="cert_file" accept=".pem,.crt">
-        </div>
-        <div class="form-group">
-            <label for="key_file">Private Key PEM file</label>
-            <input type="file" id="key_file" name="key_file" accept=".pem,.key">
-        </div>
+        <summary>Mount a CA engine</summary>
+        <form method="post" action="/dashboard/mount-ca" enctype="multipart/form-data">
+            <div class="form-row">
+                <div class="form-group">
+                    <label for="mount_name">Mount Name</label>
+                    <input type="text" id="mount_name" name="name" placeholder="pki" required>
+                </div>
+                <div class="form-group">
+                    <label for="organization">Organization</label>
+                    <input type="text" id="organization" name="organization" placeholder="Metacircular">
+                </div>
+            </div>
+            <details>
+                <summary>Import existing root CA (optional)</summary>
+                <div class="form-group">
+                    <label for="cert_file">Certificate PEM</label>
+                    <input type="file" id="cert_file" name="cert_file" accept=".pem,.crt">
+                </div>
+                <div class="form-group">
+                    <label for="key_file">Private Key PEM</label>
+                    <input type="file" id="key_file" name="key_file" accept=".pem,.key">
+                </div>
+            </details>
+            <div class="form-actions">
+                <button type="submit">Mount</button>
+            </div>
+        </form>
    </details>
-    <button type="submit">Mount</button>
-</form>
+</div>

-<h3>Admin Actions</h3>
-<div class="admin-actions">
-    <button hx-post="/v1/seal" hx-confirm="Are you sure you want to seal the service?">Seal Service</button>
+<div class="card">
+    <div class="card-title">Administration</div>
+    <p>Sealing the service will require the seal password to restore access.</p>
+    <button class="btn-danger" hx-post="/v1/seal" hx-confirm="Are you sure you want to seal the service?">Seal Service</button>
 </div>
 {{end}}
 {{end}}
--- a/web/templates/init.html
+++ b/web/templates/init.html
@@ -1,17 +1,26 @@
 {{define "title"}} - Initialize{{end}}
+{{define "container-class"}}auth-container{{end}}
 {{define "content"}}
-<h2>Initialize Metacrypt</h2>
-<p>Set the seal password for this Metacrypt instance. This password will be required to unseal the service after each restart.</p>
-{{if .Error}}<div class="error">{{.Error}}</div>{{end}}
-<form method="POST" action="/init">
-    <div class="form-group">
-        <label for="password">Seal Password</label>
-        <input type="password" id="password" name="password" required autofocus>
-    </div>
-    <div class="form-group">
-        <label for="confirm">Confirm Password</label>
-        <input type="password" id="confirm" name="confirm" required>
-    </div>
-    <button type="submit">Initialize</button>
-</form>
+<div class="auth-header">
+    <div class="brand">Metacrypt</div>
+    <div class="tagline">Cryptographic Services</div>
+</div>
+<div class="card">
+    <div class="card-title">Initialize</div>
+    <p>Set the seal password for this instance. This password will be required to unseal the service after each restart.</p>
+    {{if .Error}}<div class="error">{{.Error}}</div>{{end}}
+    <form method="POST" action="/init">
+        <div class="form-group">
+            <label for="password">Seal Password</label>
+            <input type="password" id="password" name="password" required autofocus autocomplete="new-password">
+        </div>
+        <div class="form-group">
+            <label for="confirm">Confirm Password</label>
+            <input type="password" id="confirm" name="confirm" required autocomplete="new-password">
+        </div>
+        <div class="form-actions">
+            <button type="submit">Initialize</button>
+        </div>
+    </form>
+</div>
 {{end}}
--- a/web/templates/initializing.html
+++ b/web/templates/initializing.html
@@ -1,9 +1,16 @@
 {{define "title"}} - Initializing{{end}}
+{{define "container-class"}}auth-container{{end}}
 {{define "content"}}
-<h2>Initializing...</h2>
-<p>Metacrypt is being initialized. Please wait.</p>
-<div hx-get="/v1/status" hx-trigger="every 2s" hx-swap="none"
-     hx-on::after-request="if(JSON.parse(event.detail.xhr.responseText).state==='unsealed')window.location='/dashboard'">
-    <p>Checking status...</p>
+<div class="auth-header">
+    <div class="brand">Metacrypt</div>
+    <div class="tagline">Cryptographic Services</div>
+</div>
+<div class="card">
+    <div class="card-title">Initializing</div>
+    <p>Metacrypt is being initialized. This will only take a moment.</p>
+    <div hx-get="/v1/status" hx-trigger="every 2s" hx-swap="none"
+         hx-on::after-request="if(JSON.parse(event.detail.xhr.responseText).state==='unsealed')window.location='/dashboard'">
+        <p style="color: var(--f2); font-size: 0.875rem;">Waiting for service to come online&hellip;</p>
+    </div>
 </div>
 {{end}}
--- a/web/templates/issuer_detail.html
+++ b/web/templates/issuer_detail.html
@@ -1,60 +1,63 @@
 {{define "title"}} - Issuer: {{.IssuerName}}{{end}}
 {{define "content"}}
-<h2>Issuer: {{.IssuerName}}</h2>
-
-<p>
-    <a href="/pki">&larr; PKI: {{.MountName}}</a>
-    &nbsp;&mdash;&nbsp;
-    <a href="/pki/{{.IssuerName}}" download="{{.IssuerName}}.pem">Download Issuer Cert (PEM)</a>
-</p>
-
-<h3>Certificates</h3>
-
-<form method="get" action="/pki/issuer/{{.IssuerName}}" style="margin-bottom: 1rem;">
-    <div class="form-row">
-        <div class="form-group">
-            <label for="name_filter">Filter by name</label>
-            <input type="text" id="name_filter" name="name" value="{{.NameFilter}}" placeholder="common name contains...">
-        </div>
-        <div class="form-group">
-            <label for="sort_by">Sort by</label>
-            <select id="sort_by" name="sort">
-                <option value="cn"{{if eq .SortBy "cn"}} selected{{end}}>Common Name</option>
-                <option value="expiry"{{if eq .SortBy "expiry"}} selected{{end}}>Expiry Date</option>
-            </select>
-        </div>
-        <div class="form-group" style="align-self: flex-end;">
-            <button type="submit">Apply</button>
-        </div>
+<div class="page-header">
+    <h2>Issuer: {{.IssuerName}}</h2>
+    <div class="page-meta">
+        <a href="/pki">&larr; PKI: {{.MountName}}</a>
+        &ensp;&middot;&ensp;
+        <a href="/pki/{{.IssuerName}}" download="{{.IssuerName}}.pem">Download Issuer Cert (PEM)</a>
    </div>
-</form>
+</div>

-{{if .Certs}}
-<table>
-    <thead>
-        <tr>
-            <th>Common Name</th>
-            <th>Profile</th>
-            <th>Serial</th>
-            <th>Issued By</th>
-            <th>Issued At</th>
-            <th>Expires At</th>
-        </tr>
-    </thead>
-    <tbody>
-    {{range .Certs}}
-    <tr>
-        <td>{{index . "cn"}}</td>
-        <td>{{index . "profile"}}</td>
-        <td><code>{{index . "serial"}}</code></td>
-        <td>{{index . "issued_by"}}</td>
-        <td>{{index . "issued_at"}}</td>
-        <td>{{index . "expires_at"}}</td>
-    </tr>
+<div class="card">
+    <div class="card-title">Certificates</div>
+    <form method="get" action="/pki/issuer/{{.IssuerName}}">
+        <div class="form-row" style="align-items: flex-end; margin-bottom: 1rem;">
+            <div class="form-group" style="margin-bottom: 0;">
+                <label for="name_filter">Filter by name</label>
+                <input type="text" id="name_filter" name="name" value="{{.NameFilter}}" placeholder="common name contains&hellip;">
+            </div>
+            <div class="form-group" style="margin-bottom: 0;">
+                <label for="sort_by">Sort by</label>
+                <select id="sort_by" name="sort">
+                    <option value="cn"{{if eq .SortBy "cn"}} selected{{end}}>Common Name</option>
+                    <option value="expiry"{{if eq .SortBy "expiry"}} selected{{end}}>Expiry Date</option>
+                </select>
+            </div>
+            <div style="flex-shrink: 0; padding-bottom: 1px;">
+                <button type="submit">Apply</button>
+            </div>
+        </div>
+    </form>
+    {{if .Certs}}
+    <div class="table-wrapper">
+        <table>
+            <thead>
+                <tr>
+                    <th>Common Name</th>
+                    <th>Profile</th>
+                    <th>Serial</th>
+                    <th>Issued By</th>
+                    <th>Issued At</th>
+                    <th>Expires At</th>
+                </tr>
+            </thead>
+            <tbody>
+            {{range .Certs}}
+            <tr>
+                <td>{{index . "cn"}}</td>
+                <td>{{index . "profile"}}</td>
+                <td><code>{{index . "serial"}}</code></td>
+                <td>{{index . "issued_by"}}</td>
+                <td>{{index . "issued_at"}}</td>
+                <td>{{index . "expires_at"}}</td>
+            </tr>
+            {{end}}
+            </tbody>
+        </table>
+    </div>
+    {{else}}
+    <p>No certificates found{{if .NameFilter}} matching &ldquo;{{.NameFilter}}&rdquo;{{end}}.</p>
    {{end}}
-    </tbody>
-</table>
-{{else}}
-<p>No certificates found{{if .NameFilter}} matching &ldquo;{{.NameFilter}}&rdquo;{{end}}.</p>
-{{end}}
+</div>
 {{end}}
--- a/web/templates/layout.html
+++ b/web/templates/layout.html
@@ -8,13 +8,18 @@
    <link rel="stylesheet" href="/static/style.css">
 </head>
 <body>
-    <div class="container">
-        <header>
-            <h1><a href="/">Metacrypt</a></h1>
-        </header>
-        <main>
-            {{template "content" .}}
-        </main>
+    <nav class="topnav">
+        <a class="topnav-brand" href="/">Metacrypt</a>
+        <div class="topnav-right">
+            {{if .Username}}
+            <span class="topnav-user">{{.Username}}</span>
+            {{if .IsAdmin}}<span class="badge">admin</span>{{end}}
+            <a href="/login" class="btn btn-ghost btn-sm" onclick="fetch('/v1/auth/logout',{method:'POST'})">Logout</a>
+            {{end}}
+        </div>
+    </nav>
+    <div class="{{block "container-class" .}}page-container{{end}}">
+        {{template "content" .}}
    </div>
 </body>
 </html>{{end}}
--- a/web/templates/login.html
+++ b/web/templates/login.html
@@ -1,21 +1,30 @@
 {{define "title"}} - Login{{end}}
+{{define "container-class"}}auth-container{{end}}
 {{define "content"}}
-<h2>Login</h2>
-<p>Authenticate with your MCIAS credentials.</p>
-{{if .Error}}<div class="error">{{.Error}}</div>{{end}}
-<form method="POST" action="/login">
-    <div class="form-group">
-        <label for="username">Username</label>
-        <input type="text" id="username" name="username" required autofocus>
-    </div>
-    <div class="form-group">
-        <label for="password">Password</label>
-        <input type="password" id="password" name="password" required>
-    </div>
-    <div class="form-group">
-        <label for="totp_code">TOTP Code (if enabled)</label>
-        <input type="text" id="totp_code" name="totp_code" autocomplete="one-time-code">
-    </div>
-    <button type="submit">Login</button>
-</form>
+<div class="auth-header">
+    <div class="brand">Metacrypt</div>
+    <div class="tagline">Cryptographic Services</div>
+</div>
+<div class="card">
+    <div class="card-title">Sign In</div>
+    <p>Authenticate with your MCIAS credentials.</p>
+    {{if .Error}}<div class="error">{{.Error}}</div>{{end}}
+    <form method="POST" action="/login">
+        <div class="form-group">
+            <label for="username">Username</label>
+            <input type="text" id="username" name="username" required autofocus autocomplete="username">
+        </div>
+        <div class="form-group">
+            <label for="password">Password</label>
+            <input type="password" id="password" name="password" required autocomplete="current-password">
+        </div>
+        <div class="form-group">
+            <label for="totp_code">TOTP Code <small style="text-transform:none;letter-spacing:0;">(if enabled)</small></label>
+            <input type="text" id="totp_code" name="totp_code" autocomplete="one-time-code" inputmode="numeric">
+        </div>
+        <div class="form-actions">
+            <button type="submit">Login</button>
+        </div>
+    </form>
+</div>
 {{end}}
--- a/web/templates/pki.html
+++ b/web/templates/pki.html
@@ -1,82 +1,115 @@
 {{define "title"}} - PKI: {{.MountName}}{{end}}
 {{define "content"}}
-<h2>PKI Engine: {{.MountName}}</h2>
+<div class="page-header">
+    <h2>PKI: {{.MountName}}</h2>
+    <div class="page-meta">
+        <a href="/dashboard">&larr; Dashboard</a>
+    </div>
+</div>

-<p><a href="/dashboard">&larr; Dashboard</a></p>
+{{if .Error}}<div class="error">{{.Error}}</div>{{end}}

-{{if .Error}}
-<div class="error">{{.Error}}</div>
-{{end}}
-
-<h3>Root CA</h3>
-{{if .HasRoot}}
-<table>
-    <tr><th>Common Name</th><td>{{.RootCN}}</td></tr>
-    <tr><th>Organization</th><td>{{.RootOrg}}</td></tr>
-    <tr><th>Valid From</th><td>{{.RootNotBefore}}</td></tr>
-    <tr>
-        <th>Valid Until</th>
-        <td>
-            {{.RootNotAfter}}
-            {{if .RootExpired}} <span class="badge badge-danger">Expired</span>{{end}}
-        </td>
-    </tr>
-</table>
-<p style="margin-top: 0.5rem;">
-    <a href="/v1/pki/{{.MountName}}/ca" download="root-ca.pem">Download Root CA (PEM)</a>
-</p>
-{{else}}
-<p>No root CA configured.</p>
-{{end}}
+<div class="card">
+    <div class="card-title">Root CA</div>
+    {{if .HasRoot}}
+    <table class="kv-table">
+        <tbody>
+            <tr><th>Common Name</th><td>{{.RootCN}}</td></tr>
+            <tr><th>Organization</th><td>{{.RootOrg}}</td></tr>
+            <tr><th>Valid From</th><td>{{.RootNotBefore}}</td></tr>
+            <tr>
+                <th>Valid Until</th>
+                <td>
+                    {{.RootNotAfter}}
+                    {{if .RootExpired}}&ensp;<span class="badge badge-danger">Expired</span>{{end}}
+                </td>
+            </tr>
+        </tbody>
+    </table>
+    <p style="margin-top: 1rem; margin-bottom: 0;">
+        <a href="/v1/pki/{{.MountName}}/ca" download="root-ca.pem">Download Root CA (PEM)</a>
+    </p>
+    {{else}}
+    <p>No root CA configured.</p>
+    {{end}}
+</div>

 {{if .IsAdmin}}
 {{if or (not .HasRoot) .RootExpired}}
-<h3>Import Root CA</h3>
-<p>{{if .RootExpired}}The current root CA has expired. Import a new one.{{else}}No root CA is present. Import one to get started.{{end}}</p>
-<form method="post" action="/pki/import-root" enctype="multipart/form-data">
-    <div class="form-group">
-        <label for="cert_file">Certificate PEM</label>
-        <input type="file" id="cert_file" name="cert_file" accept=".pem,.crt">
-    </div>
-    <div class="form-group">
-        <label for="cert_pem">Or paste certificate PEM</label>
-        <textarea id="cert_pem" name="cert_pem" rows="6" class="pem-input" placeholder="-----BEGIN CERTIFICATE-----"></textarea>
-    </div>
-    <div class="form-group">
-        <label for="key_file">Private Key PEM</label>
-        <input type="file" id="key_file" name="key_file" accept=".pem,.key">
-    </div>
-    <div class="form-group">
-        <label for="key_pem">Or paste private key PEM</label>
-        <textarea id="key_pem" name="key_pem" rows="6" class="pem-input" placeholder="-----BEGIN PRIVATE KEY-----"></textarea>
-    </div>
-    <button type="submit">Import Root CA</button>
-</form>
+<div class="card">
+    <div class="card-title">Import Root CA</div>
+    <p>{{if .RootExpired}}The current root CA has expired. Import a new one to continue issuing certificates.{{else}}No root CA is present. Import one to get started.{{end}}</p>
+    <form method="post" action="/pki/import-root" enctype="multipart/form-data">
+        <div class="form-row">
+            <div class="form-group">
+                <label for="cert_file">Certificate PEM file</label>
+                <input type="file" id="cert_file" name="cert_file" accept=".pem,.crt">
+            </div>
+            <div class="form-group">
+                <label for="key_file">Private Key PEM file</label>
+                <input type="file" id="key_file" name="key_file" accept=".pem,.key">
+            </div>
+        </div>
+        <details>
+            <summary>Or paste PEM directly</summary>
+            <div class="form-group">
+                <label for="cert_pem">Certificate PEM</label>
+                <textarea id="cert_pem" name="cert_pem" rows="6" class="pem-input" placeholder="-----BEGIN CERTIFICATE-----"></textarea>
+            </div>
+            <div class="form-group">
+                <label for="key_pem">Private Key PEM</label>
+                <textarea id="key_pem" name="key_pem" rows="6" class="pem-input" placeholder="-----BEGIN PRIVATE KEY-----"></textarea>
+            </div>
+        </details>
+        <div class="form-actions">
+            <button type="submit">Import Root CA</button>
+        </div>
+    </form>
+</div>
 {{end}}
 {{end}}

-<h3>Issuers</h3>
-{{if .Issuers}}
-<table>
-    <thead><tr><th>Name</th><th>Actions</th></tr></thead>
-    <tbody>
-    {{range .Issuers}}
-    <tr>
-        <td><a href="/pki/issuer/{{.}}">{{.}}</a></td>
-        <td><a href="/pki/{{.}}" download="{{.}}.pem">Download Cert (PEM)</a></td>
-    </tr>
+<div class="card">
+    <div class="card-title">Issuers</div>
+    {{if .Issuers}}
+    <div class="table-wrapper">
+        <table>
+            <thead>
+                <tr>
+                    <th>Name</th>
+                    <th>Actions</th>
+                </tr>
+            </thead>
+            <tbody>
+            {{range .Issuers}}
+            <tr>
+                <td><a href="/pki/issuer/{{.}}">{{.}}</a></td>
+                <td><a href="/pki/{{.}}" download="{{.}}.pem">Download Cert (PEM)</a></td>
+            </tr>
+            {{end}}
+            </tbody>
+        </table>
+    </div>
+    {{else}}
+    <p>No issuers configured.</p>
    {{end}}
-    </tbody>
-</table>
-{{else}}
-<p>No issuers configured.</p>
-{{end}}
+</div>

 {{if and .HasRoot .Issuers}}
-<h3>Issue Certificate</h3>
-{{if .IssuedCert}}
-<div class="success">
-    <p>Certificate issued successfully.</p>
+<div class="card">
+    <div class="card-title">Issue Certificate</div>
+    {{if .IssuedCert}}
+    <div class="success">
+        <p><strong>Certificate issued successfully.</strong></p>
+    </div>
+    <div class="form-group">
+        <label>Serial</label>
+        <input type="text" class="pem-input" value="{{index .IssuedCert "serial"}}" readonly>
+    </div>
+    <div class="form-group">
+        <label>Expires</label>
+        <input type="text" value="{{index .IssuedCert "expires_at"}}" readonly>
+    </div>
    <div class="form-group">
        <label>Certificate PEM</label>
        <textarea rows="8" class="pem-input" readonly>{{index .IssuedCert "cert_pem"}}</textarea>
@@ -89,89 +122,122 @@
        <label>Chain PEM</label>
        <textarea rows="8" class="pem-input" readonly>{{index .IssuedCert "chain_pem"}}</textarea>
    </div>
-    <p><small>Serial: {{index .IssuedCert "serial"}} &mdash; Expires: {{index .IssuedCert "expires_at"}}</small></p>
-</div>
-{{else}}
-<form method="post" action="/pki/issue">
-    <div class="form-row">
-        <div class="form-group">
-            <label for="issue_cn">Common Name</label>
-            <input type="text" id="issue_cn" name="common_name" placeholder="example.com" required>
-        </div>
-        <div class="form-group">
-            <label for="issue_issuer">Issuer</label>
-            <select id="issue_issuer" name="issuer" required>
-                <option value="">-- select issuer --</option>
-                {{range .Issuers}}<option value="{{.}}">{{.}}</option>{{end}}
-            </select>
-        </div>
-    </div>
-    <div class="form-row">
-        <div class="form-group">
-            <label for="issue_profile">Profile</label>
-            <select id="issue_profile" name="profile">
-                <option value="server">server (default)</option>
-                <option value="client">client</option>
-                <option value="peer">peer</option>
-            </select>
-        </div>
-        <div class="form-group">
-            <label for="issue_ttl">TTL (optional)</label>
-            <input type="text" id="issue_ttl" name="ttl" placeholder="2160h">
-        </div>
-    </div>
-    <details>
-        <summary>SANs</summary>
+    {{else}}
+    <form method="post" action="/pki/issue">
        <div class="form-row">
            <div class="form-group">
-                <label for="issue_dns">DNS Names (one per line)</label>
-                <textarea id="issue_dns" name="dns_names" rows="3" placeholder="example.com&#10;www.example.com"></textarea>
+                <label for="issue_cn">Common Name</label>
+                <input type="text" id="issue_cn" name="common_name" placeholder="example.com" required>
            </div>
            <div class="form-group">
-                <label for="issue_ips">IP Addresses (one per line)</label>
-                <textarea id="issue_ips" name="ip_addresses" rows="3" placeholder="10.0.0.1"></textarea>
+                <label for="issue_issuer">Issuer</label>
+                <select id="issue_issuer" name="issuer" required>
+                    <option value="">— select issuer —</option>
+                    {{range .Issuers}}<option value="{{.}}">{{.}}</option>{{end}}
+                </select>
            </div>
        </div>
-    </details>
-    <button type="submit">Issue Certificate</button>
-</form>
-{{end}}
+        <div class="form-row">
+            <div class="form-group">
+                <label for="issue_profile">Profile</label>
+                <select id="issue_profile" name="profile">
+                    <option value="server">server (default)</option>
+                    <option value="client">client</option>
+                    <option value="peer">peer</option>
+                </select>
+            </div>
+            <div class="form-group">
+                <label for="issue_ttl">TTL <small style="text-transform:none;letter-spacing:0;">(optional)</small></label>
+                <input type="text" id="issue_ttl" name="ttl" placeholder="2160h">
+            </div>
+        </div>
+        <details>
+            <summary>Subject Alternative Names</summary>
+            <div class="form-row">
+                <div class="form-group">
+                    <label for="issue_dns">DNS Names <small style="text-transform:none;letter-spacing:0;">(one per line)</small></label>
+                    <textarea id="issue_dns" name="dns_names" rows="3" placeholder="example.com&#10;www.example.com"></textarea>
+                </div>
+                <div class="form-group">
+                    <label for="issue_ips">IP Addresses <small style="text-transform:none;letter-spacing:0;">(one per line)</small></label>
+                    <textarea id="issue_ips" name="ip_addresses" rows="3" placeholder="10.0.0.1"></textarea>
+                </div>
+            </div>
+        </details>
+        <details open>
+            <summary>Key Usages</summary>
+            <div class="form-row">
+                <div class="form-group">
+                    <label>Key Usages</label>
+                    <div class="checkbox-group">
+                        <label class="checkbox-label"><input type="checkbox" name="key_usages" value="digital signature"> Digital Signature</label>
+                        <label class="checkbox-label"><input type="checkbox" name="key_usages" value="key encipherment"> Key Encipherment</label>
+                        <label class="checkbox-label"><input type="checkbox" name="key_usages" value="content commitment"> Content Commitment</label>
+                        <label class="checkbox-label"><input type="checkbox" name="key_usages" value="data encipherment"> Data Encipherment</label>
+                        <label class="checkbox-label"><input type="checkbox" name="key_usages" value="key agreement"> Key Agreement</label>
+                        <label class="checkbox-label"><input type="checkbox" name="key_usages" value="cert sign"> Cert Sign</label>
+                        <label class="checkbox-label"><input type="checkbox" name="key_usages" value="crl sign"> CRL Sign</label>
+                    </div>
+                </div>
+                <div class="form-group">
+                    <label>Extended Key Usages</label>
+                    <div class="checkbox-group">
+                        <label class="checkbox-label"><input type="checkbox" name="ext_key_usages" value="server auth"> Server Auth</label>
+                        <label class="checkbox-label"><input type="checkbox" name="ext_key_usages" value="client auth"> Client Auth</label>
+                        <label class="checkbox-label"><input type="checkbox" name="ext_key_usages" value="code signing"> Code Signing</label>
+                        <label class="checkbox-label"><input type="checkbox" name="ext_key_usages" value="email protection"> Email Protection</label>
+                        <label class="checkbox-label"><input type="checkbox" name="ext_key_usages" value="time stamping"> Time Stamping</label>
+                        <label class="checkbox-label"><input type="checkbox" name="ext_key_usages" value="ocsp signing"> OCSP Signing</label>
+                    </div>
+                </div>
+            </div>
+        </details>
+        <div class="form-actions">
+            <button type="submit">Issue Certificate</button>
+        </div>
+    </form>
+    {{end}}
+</div>
 {{end}}

 {{if .IsAdmin}}
 {{if .HasRoot}}
-<h3>Create Issuer</h3>
-{{if .IssuerError}}<div class="error">{{.IssuerError}}</div>{{end}}
-<form method="post" action="/pki/create-issuer">
-    <div class="form-row">
-        <div class="form-group">
-            <label for="issuer_name">Issuer Name</label>
-            <input type="text" id="issuer_name" name="name" placeholder="default" required>
-        </div>
-        <div class="form-group">
-            <label for="issuer_expiry">Expiry</label>
-            <input type="text" id="issuer_expiry" name="expiry" placeholder="26280h (3 years)">
-        </div>
-    </div>
-    <details>
-        <summary>Advanced options</summary>
+<div class="card">
+    <div class="card-title">Create Issuer</div>
+    {{if .IssuerError}}<div class="error">{{.IssuerError}}</div>{{end}}
+    <form method="post" action="/pki/create-issuer">
        <div class="form-row">
            <div class="form-group">
-                <label for="issuer_key_alg">Key Algorithm</label>
-                <input type="text" id="issuer_key_alg" name="key_algorithm" placeholder="ecdsa (default)">
+                <label for="issuer_name">Issuer Name</label>
+                <input type="text" id="issuer_name" name="name" placeholder="default" required>
            </div>
            <div class="form-group">
-                <label for="issuer_key_size">Key Size</label>
-                <input type="text" id="issuer_key_size" name="key_size" placeholder="521 (default)">
+                <label for="issuer_expiry">Expiry</label>
+                <input type="text" id="issuer_expiry" name="expiry" placeholder="26280h (3 years)">
            </div>
        </div>
-        <div class="form-group">
-            <label for="issuer_max_ttl">Max Leaf TTL</label>
-            <input type="text" id="issuer_max_ttl" name="max_ttl" placeholder="2160h (90 days)">
+        <details>
+            <summary>Advanced options</summary>
+            <div class="form-row">
+                <div class="form-group">
+                    <label for="issuer_key_alg">Key Algorithm</label>
+                    <input type="text" id="issuer_key_alg" name="key_algorithm" placeholder="ecdsa (default)">
+                </div>
+                <div class="form-group">
+                    <label for="issuer_key_size">Key Size</label>
+                    <input type="text" id="issuer_key_size" name="key_size" placeholder="521 (default)">
+                </div>
+            </div>
+            <div class="form-group">
+                <label for="issuer_max_ttl">Max Leaf TTL</label>
+                <input type="text" id="issuer_max_ttl" name="max_ttl" placeholder="2160h (90 days)">
+            </div>
+        </details>
+        <div class="form-actions">
+            <button type="submit">Create Issuer</button>
        </div>
-    </details>
-    <button type="submit">Create Issuer</button>
-</form>
+    </form>
+</div>
 {{end}}
 {{end}}
 {{end}}
--- a/web/templates/unseal.html
+++ b/web/templates/unseal.html
@@ -1,13 +1,22 @@
 {{define "title"}} - Unseal{{end}}
+{{define "container-class"}}auth-container{{end}}
 {{define "content"}}
-<h2>Unseal Metacrypt</h2>
-<p>The service is sealed. Enter the seal password to unseal.</p>
-{{if .Error}}<div class="error">{{.Error}}</div>{{end}}
-<form method="POST" action="/unseal">
-    <div class="form-group">
-        <label for="password">Seal Password</label>
-        <input type="password" id="password" name="password" required autofocus>
-    </div>
-    <button type="submit">Unseal</button>
-</form>
+<div class="auth-header">
+    <div class="brand">Metacrypt</div>
+    <div class="tagline">Cryptographic Services</div>
+</div>
+<div class="card">
+    <div class="card-title">Unseal</div>
+    <p>The service is sealed. Enter the seal password to restore access.</p>
+    {{if .Error}}<div class="error">{{.Error}}</div>{{end}}
+    <form method="POST" action="/unseal">
+        <div class="form-group">
+            <label for="password">Seal Password</label>
+            <input type="password" id="password" name="password" required autofocus autocomplete="current-password">
+        </div>
+        <div class="form-actions">
+            <button type="submit">Unseal</button>
+        </div>
+    </form>
+</div>
 {{end}}