docs(blueprint+gate): drop hstore from Tech Stack; note gate-vs-timeout interaction

Two review-pass nits from the v1.1.0-foundation review:

  - Blueprint §6 Tech Stack table still listed the database as
    "PostgreSQL + hstore" with an hstore-for-KV rationale — directly
    contradicting the §8.1 KV rewrite that explicitly rejected hstore
    in favour of JSONB. Updates the row so the high-level summary
    matches the §8.1 reasoning.
  - LocalExecutorClient::execute now documents the permit-vs-timeout
    interaction: when tokio::time::timeout fires the future drops and
    the permit returns, but the detached spawn_blocking thread keeps
    running until the Rhai script winds down. In-use blocking threads
    can briefly exceed the gate's permit count after a timeout. Calling
    it out so future readers don't read the implementation as buggy.

No behaviour change.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

.gitignore

@@ -30,6 +30,17 @@ config.local.toml
 /dashboard/build
 /dashboard/.env
 
+# Dashboard — Playwright E2E
+/dashboard/tests/e2e/.auth
+/dashboard/tests/e2e/.results
+/dashboard/playwright-report
+/dashboard/test-results
+/dashboard/.playwright
+# When playwright is invoked from the repo root by accident, these
+# also land here.
+/playwright-report
+/test-results
+
 # Caddy
 /caddy/data
 /caddy/config

CLAUDE.md

@@ -8,7 +8,7 @@ This file provides guidance to Claude Code (claude.ai/code) when working with co
 
 Authoritative design: [serverless_cloud_blueprint.md](serverless_cloud_blueprint.md). The blueprint is a living document — when architecture decisions are made in conversation that contradict it, treat the latest decision as truth and update the blueprint.
 
-**Current focus (Phase 4, v1.1):** data-plane SDKs — KV store, then document store, then HTTP client, then cron triggers. See blueprint §12. Phase 3 (admin auth + multi-app scoping) shipped; every v1.1+ table starts with `app_id UUID NOT NULL REFERENCES apps(id) ON DELETE CASCADE` and every Rhai SDK call resolves its app from the execution context.
+**Current focus (Phase 4, v1.1.0):** SDK foundation + stdlib utilities — the shape every v1.1.x service module hangs off, see [docs/sdk-shape.md](docs/sdk-shape.md). Subsequent v1.1.x releases (KV in v1.1.1, docs in v1.1.2, …) fill it in; see blueprint §12 for the full table. Phase 3 shipped end-to-end: admin auth, multi-app scoping, and Phase 3.5 capability gating (`manager-core::authz::{can, require, Capability}` + migration `0006_users_authz.sql`). Every v1.1+ table starts with `app_id UUID NOT NULL REFERENCES apps(id) ON DELETE CASCADE` and every Rhai SDK call resolves its app from the execution context.
 
 ## Three-Service Architecture
 
@@ -48,7 +48,7 @@ Caddy fronts everything. Same Caddyfile shape works for single-node and cluster
 - **Rust 1.92+** workspace, pinned via `rust-toolchain.toml`
 - **Axum** for HTTP, **Tokio** async, **sqlx** for Postgres
 - **Rhai** embedded scripting (in `executor-core`)
-- **PostgreSQL 15+** with `pgcrypto` and (v1.1+) `hstore`
+- **PostgreSQL 15+** with `pgcrypto`. v1.1+ data-plane tables use JSONB for value columns (hstore was considered for KV and rejected — see blueprint §8.1).
 - **SvelteKit** dashboard, static adapter, CodeMirror 6 for the script editor
 - **Caddy 2** reverse proxy (auto-HTTPS in prod)
 - **Docker Compose** for dev and single-node prod
@@ -103,9 +103,22 @@ docs/
 - **Honor the three-service boundary.** Don't reach across `*-core` crates. If `orchestrator-core` needs something from `manager-core`, define a trait in `shared` and inject the impl.
 - **`executor-core` has no Postgres dependency.** Data-plane services (kv, docs, users — v1.1+) come in via injected `ServiceProvider` traits.
 - **Database writes only from `manager-core`.** `orchestrator-core` reads scripts (cached); `executor-core` doesn't touch the DB.
+- **Stateful SDK services use the handle pattern + `SdkCallCx`.** Collection-scoped surfaces look like `kv::collection("x").get(k)`, not `kv::get("x", k)`. Every service trait method takes `&SdkCallCx` and **MUST** derive `app_id` from `cx.app_id` — never trust a script-passed `app_id`. That is the cross-app isolation boundary. See [docs/sdk-shape.md](docs/sdk-shape.md).
 - **MVP builds only the `picloud` all-in-one binary.** The three split binaries exist as skeletons so the crate boundaries stay honest; flesh them out only when cluster mode is being implemented.
 - **Trunk-based dev.** See [docs/git-workflow.md](docs/git-workflow.md). No long-lived branches. Feature flags for incomplete work.
 
+## Runtime configuration
+
+Environment variables consumed by the `picloud` binary:
+
+| Variable | Default | Purpose |
+|---|---|---|
+| `PICLOUD_BIND` | `0.0.0.0:8080` | HTTP listen address. Port 8080 is owned by another process on this host — override locally. |
+| `PICLOUD_MAX_CONCURRENT_EXECUTIONS` | `32` | Global concurrency cap on data-plane script executions. Overflow returns HTTP 503 with `Retry-After: 1` immediately (no queue). |
+| `DATABASE_URL` | — | Required. Postgres connection string. |
+| `PICLOUD_SESSION_TTL_HOURS` | `24` | Sliding-window session lifetime. |
+| `PICLOUD_SANDBOX_MAX_*` | conservative defaults | Per-knob admin ceilings on Rhai sandbox overrides. See `manager-core::sandbox::SandboxCeiling`. |
+
 ## Out of MVP
 
 Queue triggers, cron triggers, SMTP ingress, KV / docs / email / users / HTTP SDKs in scripts, interceptors, workflows, function-to-function `invoke()`, secrets, metrics dashboard. All deferred to v1.1+ per the blueprint. Don't pre-build for them — but don't make decisions that close the door on them either.

Cargo.lock

@@ -40,6 +40,56 @@ dependencies = [
  "libc",
 ]
 
+[[package]]
+name = "anstream"
+version = "1.0.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "824a212faf96e9acacdbd09febd34438f8f711fb84e09a8916013cd7815ca28d"
+dependencies = [
+ "anstyle",
+ "anstyle-parse",
+ "anstyle-query",
+ "anstyle-wincon",
+ "colorchoice",
+ "is_terminal_polyfill",
+ "utf8parse",
+]
+
+[[package]]
+name = "anstyle"
+version = "1.0.14"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "940b3a0ca603d1eade50a4846a2afffd5ef57a9feac2c0e2ec2e14f9ead76000"
+
+[[package]]
+name = "anstyle-parse"
+version = "1.0.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "52ce7f38b242319f7cabaa6813055467063ecdc9d355bbb4ce0c68908cd8130e"
+dependencies = [
+ "utf8parse",
+]
+
+[[package]]
+name = "anstyle-query"
+version = "1.1.5"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "40c48f72fd53cd289104fc64099abca73db4166ad86ea0b4341abe65af83dadc"
+dependencies = [
+ "windows-sys 0.61.2",
+]
+
+[[package]]
+name = "anstyle-wincon"
+version = "3.0.11"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "291e6a250ff86cd4a820112fb8898808a366d8f9f58ce16d1f538353ad55747d"
+dependencies = [
+ "anstyle",
+ "once_cell_polyfill",
+ "windows-sys 0.61.2",
+]
+
 [[package]]
 name = "anyhow"
 version = "1.0.102"
@@ -68,6 +118,21 @@ dependencies = [
  "serde_json",
 ]
 
+[[package]]
+name = "assert_cmd"
+version = "2.2.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "2aa3a22042e45de04255c7bf3626e239f450200fd0493c1e382263544b20aea6"
+dependencies = [
+ "anstyle",
+ "bstr",
+ "libc",
+ "predicates",
+ "predicates-core",
+ "predicates-tree",
+ "wait-timeout",
+]
+
 [[package]]
 name = "async-trait"
 version = "0.1.89"
@@ -236,6 +301,17 @@ dependencies = [
  "generic-array",
 ]
 
+[[package]]
+name = "bstr"
+version = "1.12.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "63044e1ae8e69f3b5a92c736ca6269b8d12fa7efe39bf34ddb06d102cf0e2cab"
+dependencies = [
+ "memchr",
+ "regex-automata",
+ "serde",
+]
+
 [[package]]
 name = "bumpalo"
 version = "3.20.3"
@@ -302,6 +378,52 @@ dependencies = [
  "windows-link",
 ]
 
+[[package]]
+name = "clap"
+version = "4.6.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "1ddb117e43bbf7dacf0a4190fef4d345b9bad68dfc649cb349e7d17d28428e51"
+dependencies = [
+ "clap_builder",
+ "clap_derive",
+]
+
+[[package]]
+name = "clap_builder"
+version = "4.6.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "714a53001bf66416adb0e2ef5ac857140e7dc3a0c48fb28b2f10762fc4b5069f"
+dependencies = [
+ "anstream",
+ "anstyle",
+ "clap_lex",
+ "strsim",
+]
+
+[[package]]
+name = "clap_derive"
+version = "4.6.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "f2ce8604710f6733aa641a2b3731eaa1e8b3d9973d5e3565da11800813f997a9"
+dependencies = [
+ "heck",
+ "proc-macro2",
+ "quote",
+ "syn",
+]
+
+[[package]]
+name = "clap_lex"
+version = "1.1.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "c8d4a3bb8b1e0c1050499d1815f5ab16d04f0959b233085fb31653fbfc9d98f9"
+
+[[package]]
+name = "colorchoice"
+version = "1.0.5"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "1d07550c9036bf2ae0c684c4297d503f838287c83c53686d05370d0e139ae570"
+
 [[package]]
 name = "concurrent-queue"
 version = "2.5.0"
@@ -408,6 +530,12 @@ dependencies = [
  "typenum",
 ]
 
+[[package]]
+name = "data-encoding"
+version = "2.11.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "a4ae5f15dda3c708c0ade84bfee31ccab44a3da4f88015ed22f63732abe300c8"
+
 [[package]]
 name = "der"
 version = "0.7.10"
@@ -434,6 +562,12 @@ version = "0.1.13"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "56254986775e3233ffa9c4d7d3faaf6d36a2c09d30b20687e9f88bc8bafc16c8"
 
+[[package]]
+name = "difflib"
+version = "0.4.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "6184e33543162437515c2e2b48714794e37845ec9851711914eec9d308f6ebe8"
+
 [[package]]
 name = "digest"
 version = "0.10.7"
@@ -446,6 +580,27 @@ dependencies = [
  "subtle",
 ]
 
+[[package]]
+name = "directories"
+version = "5.0.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "9a49173b84e034382284f27f1af4dcbbd231ffa358c0fe316541a7337f376a35"
+dependencies = [
+ "dirs-sys",
+]
+
+[[package]]
+name = "dirs-sys"
+version = "0.4.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "520f05a5cbd335fae5a99ff7a6ab8627577660ee5cfd6a94a6a929b52ff0321c"
+dependencies = [
+ "libc",
+ "option-ext",
+ "redox_users",
+ "windows-sys 0.48.0",
+]
+
 [[package]]
 name = "displaydoc"
 version = "0.2.5"
@@ -510,6 +665,12 @@ dependencies = [
  "pin-project-lite",
 ]
 
+[[package]]
+name = "fastrand"
+version = "2.4.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "9f1f227452a390804cdb637b74a86990f2a7d7ba4b7d5693aac9b4dd6defd8d6"
+
 [[package]]
 name = "figment"
 version = "0.10.19"
@@ -530,6 +691,15 @@ version = "0.1.9"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "5baebc0774151f905a1a2cc41989300b1e6fbb29aff0ceffa1064fdd3088d582"
 
+[[package]]
+name = "float-cmp"
+version = "0.10.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "b09cf3155332e944990140d967ff5eceb70df778b34f77d8075db46e4704e6d8"
+dependencies = [
+ "num-traits",
+]
+
 [[package]]
 name = "flume"
 version = "0.11.1"
@@ -1004,6 +1174,12 @@ version = "2.12.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "d98f6fed1fde3f8c21bc40a1abb88dd75e67924f9cffc3ef95607bad8017f8e2"
 
+[[package]]
+name = "is_terminal_polyfill"
+version = "1.70.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "a6cb138bb79a146c1bd460005623e142ef0181e3d0219cb493e02f7d08a35695"
+
 [[package]]
 name = "itoa"
 version = "1.0.18"
@@ -1071,6 +1247,12 @@ dependencies = [
  "vcpkg",
 ]
 
+[[package]]
+name = "linux-raw-sys"
+version = "0.12.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "32a66949e030da00e8c7d4434b251670a91556f4144941d37452769c25d58a53"
+
 [[package]]
 name = "litemap"
 version = "0.8.2"
@@ -1155,6 +1337,12 @@ dependencies = [
  "spin 0.5.2",
 ]
 
+[[package]]
+name = "normalize-line-endings"
+version = "0.3.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "61807f77802ff30975e01f4f071c8ba10c022052f98b3294119f3e615d13e5be"
+
 [[package]]
 name = "nu-ansi-term"
 version = "0.50.3"
@@ -1225,6 +1413,18 @@ dependencies = [
  "portable-atomic",
 ]
 
+[[package]]
+name = "once_cell_polyfill"
+version = "1.70.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "384b8ab6d37215f3c5301a95a4accb5d64aa607f1fcb26a11b5303878451b4fe"
+
+[[package]]
+name = "option-ext"
+version = "0.2.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "04744f49eae99ab78e0d5c0b603ab218f515ea8cfe5a456d7629ad883a3b6e7d"
+
 [[package]]
 name = "parking"
 version = "2.2.1"
@@ -1305,12 +1505,13 @@ checksum = "9b4f627cb1b25917193a259e49bdad08f671f8d9708acfd5fe0a8c1455d87220"
 
 [[package]]
 name = "picloud"
-version = "0.5.1"
+version = "0.6.0"
 dependencies = [
  "anyhow",
  "async-trait",
  "axum",
  "axum-test",
+ "chrono",
  "figment",
  "picloud-executor-core",
  "picloud-manager-core",
@@ -1325,11 +1526,33 @@ dependencies = [
  "tower-http",
  "tracing",
  "tracing-subscriber",
+ "uuid",
+]
+
+[[package]]
+name = "picloud-cli"
+version = "0.6.0"
+dependencies = [
+ "anyhow",
+ "assert_cmd",
+ "chrono",
+ "clap",
+ "directories",
+ "libc",
+ "picloud-shared",
+ "predicates",
+ "reqwest",
+ "rpassword",
+ "serde",
+ "serde_json",
+ "tempfile",
+ "tokio",
+ "toml",
 ]
 
 [[package]]
 name = "picloud-executor"
-version = "0.5.1"
+version = "0.6.0"
 dependencies = [
  "anyhow",
  "picloud-executor-core",
@@ -1341,7 +1564,7 @@ dependencies = [
 
 [[package]]
 name = "picloud-executor-core"
-version = "0.5.1"
+version = "0.6.0"
 dependencies = [
  "chrono",
  "picloud-shared",
@@ -1355,7 +1578,7 @@ dependencies = [
 
 [[package]]
 name = "picloud-manager"
-version = "0.5.1"
+version = "0.6.0"
 dependencies = [
  "anyhow",
  "picloud-manager-core",
@@ -1367,13 +1590,14 @@ dependencies = [
 
 [[package]]
 name = "picloud-manager-core"
-version = "0.5.1"
+version = "0.6.0"
 dependencies = [
  "argon2",
  "async-trait",
  "axum",
  "base64",
  "chrono",
+ "data-encoding",
  "picloud-orchestrator-core",
  "picloud-shared",
  "rand 0.8.6",
@@ -1390,7 +1614,7 @@ dependencies = [
 
 [[package]]
 name = "picloud-orchestrator"
-version = "0.5.1"
+version = "0.6.0"
 dependencies = [
  "anyhow",
  "picloud-orchestrator-core",
@@ -1402,7 +1626,7 @@ dependencies = [
 
 [[package]]
 name = "picloud-orchestrator-core"
-version = "0.5.1"
+version = "0.6.0"
 dependencies = [
  "async-trait",
  "axum",
@@ -1421,7 +1645,7 @@ dependencies = [
 
 [[package]]
 name = "picloud-shared"
-version = "0.5.1"
+version = "0.6.0"
 dependencies = [
  "async-trait",
  "chrono",
@@ -1500,6 +1724,36 @@ dependencies = [
  "zerocopy",
 ]
 
+[[package]]
+name = "predicates"
+version = "3.1.4"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "ada8f2932f28a27ee7b70dd6c1c39ea0675c55a36879ab92f3a715eaa1e63cfe"
+dependencies = [
+ "anstyle",
+ "difflib",
+ "float-cmp",
+ "normalize-line-endings",
+ "predicates-core",
+ "regex",
+]
+
+[[package]]
+name = "predicates-core"
+version = "1.0.10"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "cad38746f3166b4031b1a0d39ad9f954dd291e7854fcc0eed52ee41a0b50d144"
+
+[[package]]
+name = "predicates-tree"
+version = "1.0.13"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "d0de1b847b39c8131db0467e9df1ff60e6d0562ab8e9a16e568ad0fdb372e2f2"
+dependencies = [
+ "predicates-core",
+ "termtree",
+]
+
 [[package]]
 name = "pretty_assertions"
 version = "1.4.1"
@@ -1695,6 +1949,29 @@ dependencies = [
  "bitflags",
 ]
 
+[[package]]
+name = "redox_users"
+version = "0.4.6"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "ba009ff324d1fc1b900bd1fdb31564febe58a8ccc8a6fdbb93b543d33b13ca43"
+dependencies = [
+ "getrandom 0.2.17",
+ "libredox",
+ "thiserror 1.0.69",
+]
+
+[[package]]
+name = "regex"
+version = "1.12.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "e10754a14b9137dd7b1e3e5b0493cc9171fdd105e0ab477f51b72e7f3ac0e276"
+dependencies = [
+ "aho-corasick",
+ "memchr",
+ "regex-automata",
+ "regex-syntax",
+]
+
 [[package]]
 name = "regex-automata"
 version = "0.4.14"
@@ -1720,7 +1997,9 @@ checksum = "eddd3ca559203180a307f12d114c268abf583f59b03cb906fd0b3ff8646c1147"
 dependencies = [
  "base64",
  "bytes",
+ "futures-channel",
  "futures-core",
+ "futures-util",
  "http",
  "http-body",
  "http-body-util",
@@ -1803,6 +2082,17 @@ dependencies = [
  "windows-sys 0.52.0",
 ]
 
+[[package]]
+name = "rpassword"
+version = "7.5.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "835a57a69104632d64deb0df2e09a69945cd7a6eab4070fc9b1d7e50cf6c3edc"
+dependencies = [
+ "libc",
+ "rtoolbox",
+ "windows-sys 0.61.2",
+]
+
 [[package]]
 name = "rsa"
 version = "0.9.10"
@@ -1823,6 +2113,16 @@ dependencies = [
  "zeroize",
 ]
 
+[[package]]
+name = "rtoolbox"
+version = "0.0.5"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "50a0e551c1e27e1731aba276dbeaeac73f53c7cd34d1bda485d02bd1e0f36844"
+dependencies = [
+ "libc",
+ "windows-sys 0.59.0",
+]
+
 [[package]]
 name = "rust-multipart-rfc7578_2"
 version = "0.8.0"
@@ -1844,6 +2144,19 @@ version = "2.1.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "94300abf3f1ae2e2b8ffb7b58043de3d399c73fa6f4b73826402a5c457614dbe"
 
+[[package]]
+name = "rustix"
+version = "1.1.4"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "b6fe4565b9518b83ef4f91bb47ce29620ca828bd32cb7e408f0062e9930ba190"
+dependencies = [
+ "bitflags",
+ "errno",
+ "libc",
+ "linux-raw-sys",
+ "windows-sys 0.61.2",
+]
+
 [[package]]
 name = "rustls"
 version = "0.23.40"
@@ -2318,6 +2631,12 @@ dependencies = [
  "unicode-properties",
 ]
 
+[[package]]
+name = "strsim"
+version = "0.11.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "7da8b5736845d9f2fcb837ea5d9e2628564b3b043a70948a3f0b778838c5fb4f"
+
 [[package]]
 name = "subtle"
 version = "2.6.1"
@@ -2355,6 +2674,25 @@ dependencies = [
  "syn",
 ]
 
+[[package]]
+name = "tempfile"
+version = "3.27.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "32497e9a4c7b38532efcdebeef879707aa9f794296a4f0244f6f69e9bc8574bd"
+dependencies = [
+ "fastrand",
+ "getrandom 0.4.2",
+ "once_cell",
+ "rustix",
+ "windows-sys 0.61.2",
+]
+
+[[package]]
+name = "termtree"
+version = "0.5.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "8f50febec83f5ee1df3015341d8bd429f2d1cc62bcba7ea2076759d315084683"
+
 [[package]]
 name = "thin-vec"
 version = "0.2.18"
@@ -2774,6 +3112,12 @@ version = "1.0.4"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "b6c140620e7ffbb22c2dee59cafe6084a59b5ffc27a8859a5f0d494b5d52b6be"
 
+[[package]]
+name = "utf8parse"
+version = "0.2.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "06abde3611657adf66d383f00b093d7faecc7fa57071cce2578660c9f1010821"
+
 [[package]]
 name = "uuid"
 version = "1.23.1"
@@ -2804,6 +3148,15 @@ version = "0.9.5"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "0b928f33d975fc6ad9f86c8f283853ad26bdd5b10b7f1542aa2fa15e2289105a"
 
+[[package]]
+name = "wait-timeout"
+version = "0.2.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "09ac3b126d3914f9849036f826e054cbabdc8519970b8998ddaf3b5bd3c65f11"
+dependencies = [
+ "libc",
+]
+
 [[package]]
 name = "want"
 version = "0.3.1"
@@ -3057,6 +3410,15 @@ dependencies = [
  "windows-targets 0.52.6",
 ]
 
+[[package]]
+name = "windows-sys"
+version = "0.59.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "1e38bc4d79ed67fd075bcc251a1c39b32a1776bbe92e5bef1f0bf1f8c531853b"
+dependencies = [
+ "windows-targets 0.52.6",
+]
+
 [[package]]
 name = "windows-sys"
 version = "0.60.2"

Cargo.toml

@@ -9,10 +9,11 @@ members = [
     "crates/picloud-manager",
     "crates/picloud-orchestrator",
     "crates/picloud-executor",
+    "crates/picloud-cli",
 ]
 
 [workspace.package]
-version = "0.5.1"
+version = "0.6.0"
 edition = "2021"
 rust-version = "1.92"
 license = "MIT OR Apache-2.0"
@@ -66,11 +67,12 @@ reqwest = { version = "0.12", default-features = false, features = ["json", "rus
 url = "2"
 urlencoding = "2"
 
-# Auth (admin users + sessions)
+# Auth (admin users + sessions + API keys)
 argon2 = "0.5"
 rand = { version = "0.8", features = ["getrandom"] }
 sha2 = "0.10"
 base64 = "0.22"
+data-encoding = "2.6"
 
 [workspace.lints.rust]
 unsafe_code = "forbid"

crates/executor-core/src/engine.rs

@@ -3,30 +3,38 @@ use std::sync::{Arc, Mutex};
 use std::time::Instant;
 
 use chrono::Utc;
-use picloud_shared::{ScriptValidator, ValidationError, SDK_VERSION};
+use picloud_shared::{ScriptValidator, SdkCallCx, Services, ValidationError, SDK_VERSION};
 use rhai::{Dynamic, Engine as RhaiEngine, EvalAltResult, Map, Module, Scope};
 use serde_json::Value as Json;
 
 use crate::sandbox::Limits;
+use crate::sdk;
+use crate::sdk::bridge::{dynamic_to_json, json_to_dynamic};
 use crate::types::{
     ExecError, ExecRequest, ExecResponse, ExecStats, InvocationType, LogEntry, LogLevel,
 };
 
-/// Preconfigured Rhai engine with sandbox limits applied.
+/// Preconfigured Rhai engine with sandbox limits applied and the SDK
+/// `Services` bundle attached.
 ///
 /// One `Engine` is constructed at process startup and reused across
 /// invocations. `execute` is **synchronous** — it owns the per-call
 /// scope and log buffer. Wall-clock timeouts and offloading off the
 /// async runtime belong to the caller (orchestrator-core's
 /// `LocalExecutorClient` wraps this with `spawn_blocking` + `timeout`).
+///
+/// The `Services` bundle is empty in v1.1.0; subsequent v1.1.x PRs add
+/// service handles (KV, docs, …) and `sdk::register_all` wires them
+/// into each per-call Rhai engine.
 pub struct Engine {
     limits: Limits,
+    services: Services,
 }
 
 impl Engine {
     #[must_use]
-    pub fn new(limits: Limits) -> Self {
+    pub fn new(limits: Limits, services: Services) -> Self {
-        Self { limits }
+        Self { limits, services }
     }
 
     #[must_use]
@@ -55,7 +63,20 @@ impl Engine {
     pub fn execute(&self, source: &str, req: ExecRequest) -> Result<ExecResponse, ExecError> {
         let effective_limits = self.limits.with_overrides(&req.sandbox_overrides);
         let logs: Arc<Mutex<Vec<LogEntry>>> = Arc::new(Mutex::new(Vec::new()));
-        let engine = build_engine(effective_limits, Some(logs.clone()));
+        let mut engine = build_engine(effective_limits, Some(logs.clone()));
+
+        // Per-call context handed to every stateful SDK service via the
+        // `sdk::register_all` hook. The Arc lets future service closures
+        // capture cheap clones of the cx for use at script-call time.
+        let cx = Arc::new(SdkCallCx {
+            app_id: req.app_id,
+            principal: req.principal.clone(),
+            execution_id: req.execution_id,
+            request_id: req.request_id,
+            trigger_depth: req.trigger_depth,
+            root_execution_id: req.root_execution_id,
+        });
+        sdk::register_all(&mut engine, &self.services, cx);
 
         let ast = engine
             .compile(source)
@@ -265,69 +286,6 @@ fn parse_structured_response(map: Map) -> Result<(u16, BTreeMap<String, String>,
     Ok((status_code, headers, body))
 }
 
-// ----------------------------------------------------------------------------
-// Rhai ↔ serde_json bridges
-// ----------------------------------------------------------------------------
-
-fn json_to_dynamic(value: Json) -> Dynamic {
-    match value {
-        Json::Null => Dynamic::UNIT,
-        Json::Bool(b) => b.into(),
-        Json::Number(n) => {
-            if let Some(i) = n.as_i64() {
-                i.into()
-            } else if let Some(f) = n.as_f64() {
-                f.into()
-            } else {
-                n.to_string().into()
-            }
-        }
-        Json::String(s) => s.into(),
-        Json::Array(arr) => arr
-            .into_iter()
-            .map(json_to_dynamic)
-            .collect::<Vec<Dynamic>>()
-            .into(),
-        Json::Object(obj) => {
-            let mut m = Map::new();
-            for (k, v) in obj {
-                m.insert(k.into(), json_to_dynamic(v));
-            }
-            Dynamic::from(m)
-        }
-    }
-}
-
-fn dynamic_to_json(value: &Dynamic) -> Json {
-    if value.is_unit() {
-        return Json::Null;
-    }
-    if let Ok(b) = value.as_bool() {
-        return Json::Bool(b);
-    }
-    if let Ok(i) = value.as_int() {
-        return Json::Number(i.into());
-    }
-    if let Ok(f) = value.as_float() {
-        return serde_json::Number::from_f64(f).map_or(Json::Null, Json::Number);
-    }
-    if value.is_string() {
-        return Json::String(value.clone().into_string().unwrap_or_default());
-    }
-    if let Some(arr) = value.clone().try_cast::<rhai::Array>() {
-        return Json::Array(arr.iter().map(dynamic_to_json).collect());
-    }
-    if let Some(map) = value.clone().try_cast::<Map>() {
-        let mut out = serde_json::Map::new();
-        for (k, v) in map {
-            out.insert(k.to_string(), dynamic_to_json(&v));
-        }
-        return Json::Object(out);
-    }
-    // Anything else (timestamps, custom types) — best-effort string form.
-    Json::String(value.to_string())
-}
-
 // ----------------------------------------------------------------------------
 // Error mapping
 // ----------------------------------------------------------------------------

crates/executor-core/src/lib.rs

@@ -8,6 +8,7 @@ pub mod context;
 pub mod engine;
 pub mod logging;
 pub mod sandbox;
+pub mod sdk;
 pub mod types;
 
 pub use engine::Engine;

crates/executor-core/src/sdk/bridge.rs

@@ -0,0 +1,77 @@
+//! JSON ↔ Rhai `Dynamic` value bridge.
+//!
+//! Originally inline in `engine.rs`; moved here for v1.1.0 so future
+//! service modules (KV in v1.1.1, docs in v1.1.2, …) can convert
+//! values without `engine.rs` being the only owner of the conversions.
+//! Behaviour is unchanged from the pre-extraction implementation —
+//! `sdk_contract.rs::json_round_trip_preserves_nested_shapes` pins the
+//! observable round-trip.
+
+use rhai::{Dynamic, Map};
+use serde_json::Value as Json;
+
+/// Convert a `serde_json::Value` into a Rhai `Dynamic` suitable for
+/// pushing into a script's scope. Numbers prefer the narrowest type
+/// (`i64` over `f64`); anything that can't round-trip falls back to a
+/// string so the script always sees a defined value.
+pub fn json_to_dynamic(value: Json) -> Dynamic {
+    match value {
+        Json::Null => Dynamic::UNIT,
+        Json::Bool(b) => b.into(),
+        Json::Number(n) => {
+            if let Some(i) = n.as_i64() {
+                i.into()
+            } else if let Some(f) = n.as_f64() {
+                f.into()
+            } else {
+                n.to_string().into()
+            }
+        }
+        Json::String(s) => s.into(),
+        Json::Array(arr) => arr
+            .into_iter()
+            .map(json_to_dynamic)
+            .collect::<Vec<Dynamic>>()
+            .into(),
+        Json::Object(obj) => {
+            let mut m = Map::new();
+            for (k, v) in obj {
+                m.insert(k.into(), json_to_dynamic(v));
+            }
+            Dynamic::from(m)
+        }
+    }
+}
+
+/// Convert a Rhai `Dynamic` back to a `serde_json::Value`. Custom Rhai
+/// types (timestamps, user-registered modules) fall back to their
+/// `Display` form so they appear as strings in JSON output rather than
+/// failing the response build.
+pub fn dynamic_to_json(value: &Dynamic) -> Json {
+    if value.is_unit() {
+        return Json::Null;
+    }
+    if let Ok(b) = value.as_bool() {
+        return Json::Bool(b);
+    }
+    if let Ok(i) = value.as_int() {
+        return Json::Number(i.into());
+    }
+    if let Ok(f) = value.as_float() {
+        return serde_json::Number::from_f64(f).map_or(Json::Null, Json::Number);
+    }
+    if value.is_string() {
+        return Json::String(value.clone().into_string().unwrap_or_default());
+    }
+    if let Some(arr) = value.clone().try_cast::<rhai::Array>() {
+        return Json::Array(arr.iter().map(dynamic_to_json).collect());
+    }
+    if let Some(map) = value.clone().try_cast::<Map>() {
+        let mut out = serde_json::Map::new();
+        for (k, v) in map {
+            out.insert(k.to_string(), dynamic_to_json(&v));
+        }
+        return Json::Object(out);
+    }
+    Json::String(value.to_string())
+}

crates/executor-core/src/sdk/cx.rs

@@ -0,0 +1,10 @@
+//! Re-export of `picloud_shared::SdkCallCx`.
+//!
+//! The type itself lives in `picloud-shared` because future stateful
+//! service impls live in `manager-core` (which `executor-core` must
+//! not depend on) and need to reference the same cx shape. This
+//! re-export lets executor-side code write
+//! `use picloud_executor_core::sdk::SdkCallCx;` instead of reaching
+//! into `picloud_shared` for one type.
+
+pub use picloud_shared::SdkCallCx;

crates/executor-core/src/sdk/mod.rs

@@ -0,0 +1,39 @@
+//! SDK plumbing — types and the per-call registration entry point.
+//!
+//! `executor-core` is responsible for building the per-invocation Rhai
+//! engine and wiring stateful services into it. v1.1.0 ships the
+//! shapes (`Services` bundle, `SdkCallCx`, `register_all` entry point)
+//! but no actual services — subsequent v1.1.x PRs (KV in v1.1.1,
+//! docs in v1.1.2, …) extend `register_all` rather than re-threading
+//! plumbing through `engine.rs`.
+//!
+//! Bridge functions (`json_to_dynamic` / `dynamic_to_json`) also live
+//! here so service modules can convert values without `engine.rs`
+//! being the only home for the conversion logic.
+
+pub mod bridge;
+pub mod cx;
+
+pub use bridge::{dynamic_to_json, json_to_dynamic};
+pub use cx::SdkCallCx;
+
+use std::sync::Arc;
+
+use picloud_shared::Services;
+use rhai::Engine as RhaiEngine;
+
+/// Single hook every v1.1.x stateful service registers into. Called
+/// once per invocation, just after `build_engine` constructs the
+/// sandboxed Rhai engine and just before script compilation.
+///
+/// v1.1.0 ships an intentionally empty body — the call site exists so
+/// future PRs (KV first) drop their registration logic here rather
+/// than reaching into `engine.rs::build_engine`. The signature is
+/// locked: subsequent PRs MUST keep the same parameter shape so that
+/// hosts don't have to re-thread the plumbing.
+pub fn register_all(engine: &mut RhaiEngine, services: &Services, cx: Arc<SdkCallCx>) {
+    // Intentionally inert in v1.1.0. The unused-suppression below is a
+    // load-bearing placeholder: future PRs replace this `let _` with
+    // real `register_kv(engine, services, cx.clone())` calls etc.
+    let _ = (engine, services, cx);
+}

crates/executor-core/src/types.rs

@@ -1,7 +1,7 @@
 use std::collections::BTreeMap;
 
 use chrono::{DateTime, Utc};
-use picloud_shared::{ExecutionId, RequestId, ScriptId, ScriptSandbox};
+use picloud_shared::{AppId, ExecutionId, Principal, RequestId, ScriptId, ScriptSandbox};
 use serde::{Deserialize, Serialize};
 use thiserror::Error;
 
@@ -50,6 +50,35 @@ pub struct ExecRequest {
     /// override) before the Rhai engine is built.
     #[serde(default)]
     pub sandbox_overrides: ScriptSandbox,
+
+    /// Owning application. Source of truth for every `(app_id, …)`
+    /// storage lookup the script makes via stateful SDK services.
+    /// Internal-only; not surfaced via `ctx` (which the script sees).
+    pub app_id: AppId,
+
+    /// Caller identity, when authenticated. `None` for unauthenticated
+    /// data-plane HTTP requests (the common case for public scripts);
+    /// `Some` when a bearer token or session cookie was resolved.
+    /// Internal-only — exposed via `SdkCallCx` to service trait impls.
+    ///
+    /// `#[serde(skip)]`: `ExecRequest` is serializable so cluster mode
+    /// (v1.3+) can ship invocations to remote executors over HTTP, but
+    /// `Principal` has no wire derivation today. Skipping here keeps
+    /// v1.1.0 compiling; the cluster-mode PR will introduce a wire-safe
+    /// snapshot then.
+    #[serde(skip)]
+    pub principal: Option<Principal>,
+
+    /// Triggers-framework depth. `0` for direct invocations. The
+    /// dispatcher (v1.1.1) increments on each indirection to bound
+    /// runaway feedback loops.
+    #[serde(default)]
+    pub trigger_depth: u32,
+
+    /// Originating execution id of a trigger chain. Equal to
+    /// `execution_id` for direct invocations; preserves the root
+    /// across fan-out for audit log grouping.
+    pub root_execution_id: ExecutionId,
 }
 
 #[derive(Debug, Clone, Serialize, Deserialize)]
@@ -100,4 +129,11 @@ pub enum ExecError {
 
     #[error("script runtime error: {0}")]
     Runtime(String),
+
+    /// Concurrency gate (orchestrator-core::ExecutionGate) refused
+    /// admission. Surfaced as HTTP 503 with a `Retry-After` header.
+    /// The gate enforces a global cap so a script storm can't park
+    /// every blocking thread.
+    #[error("execution declined: server at capacity (retry after {retry_after_secs}s)")]
+    Overloaded { retry_after_secs: u32 },
 }

crates/executor-core/tests/engine.rs

@@ -1,12 +1,13 @@
 use std::collections::BTreeMap;
 
 use picloud_executor_core::{Engine, ExecError, ExecRequest, InvocationType, Limits, LogLevel};
-use picloud_shared::{ExecutionId, RequestId, ScriptId, ScriptSandbox};
+use picloud_shared::{AppId, ExecutionId, RequestId, ScriptId, ScriptSandbox, Services};
 use serde_json::json;
 
 fn req(body: serde_json::Value) -> ExecRequest {
+    let execution_id = ExecutionId::new();
     ExecRequest {
-        execution_id: ExecutionId::new(),
+        execution_id,
         request_id: RequestId::new(),
         script_id: ScriptId::new(),
         script_name: "test".into(),
@@ -18,11 +19,15 @@ fn req(body: serde_json::Value) -> ExecRequest {
         query: BTreeMap::new(),
         rest: String::new(),
         sandbox_overrides: ScriptSandbox::default(),
+        app_id: AppId::new(),
+        principal: None,
+        trigger_depth: 0,
+        root_execution_id: execution_id,
     }
 }
 
 fn engine() -> Engine {
-    Engine::new(Limits::default())
+    Engine::new(Limits::default(), Services::new())
 }
 
 #[test]
@@ -121,7 +126,7 @@ fn enforces_operation_budget() {
         max_operations: 1_000,
         ..Limits::default()
     };
-    let engine = Engine::new(limits);
+    let engine = Engine::new(limits, Services::new());
     // 10_000 iterations vastly exceeds 1_000 ops.
     let src = r"let n = 0; for i in 0..10000 { n += 1; } n";
     let err = engine

crates/executor-core/tests/sdk_contract.rs

@@ -23,7 +23,7 @@
 use std::collections::BTreeMap;
 
 use picloud_executor_core::{Engine, ExecRequest, InvocationType, Limits, LogLevel};
-use picloud_shared::{ExecutionId, RequestId, ScriptId, ScriptSandbox};
+use picloud_shared::{AppId, ExecutionId, RequestId, ScriptId, ScriptSandbox, Services};
 use serde_json::{json, Value};
 
 // ----------------------------------------------------------------------------
@@ -31,12 +31,13 @@ use serde_json::{json, Value};
 // ----------------------------------------------------------------------------
 
 fn engine() -> Engine {
-    Engine::new(Limits::default())
+    Engine::new(Limits::default(), Services::new())
 }
 
 fn baseline_request() -> ExecRequest {
+    let execution_id = ExecutionId::new();
     ExecRequest {
-        execution_id: ExecutionId::new(),
+        execution_id,
         request_id: RequestId::new(),
         script_id: ScriptId::new(),
         script_name: "contract".into(),
@@ -48,6 +49,10 @@ fn baseline_request() -> ExecRequest {
         query: BTreeMap::new(),
         rest: String::new(),
         sandbox_overrides: ScriptSandbox::default(),
+        app_id: AppId::new(),
+        principal: None,
+        trigger_depth: 0,
+        root_execution_id: execution_id,
     }
 }
 

crates/manager-core/Cargo.toml

@@ -27,6 +27,7 @@ argon2.workspace = true
 rand.workspace = true
 sha2.workspace = true
 base64.workspace = true
+data-encoding.workspace = true
 
 [dev-dependencies]
 tokio.workspace = true

crates/manager-core/migrations/0006_users_authz.sql

@@ -0,0 +1,112 @@
+-- Phase 3.5 users, roles, and bearer-token auth — see blueprint §11.6.
+--
+-- Lays down the schema that the unified can(principal, capability) gate
+-- runs against, plus the api_keys table that backs `Authorization: Bearer
+-- pic_…` credentials. No data-plane impact; Phase 4 SDKs (KV, docs, HTTP,
+-- cron) will plug into this same authz pipeline.
+--
+-- Three changes:
+--   1. admin_users gains instance_role ('owner'/'admin'/'member') plus a
+--      reserved email column and mfa_secret slot (neither is read yet).
+--      Every pre-existing row becomes 'owner' via the DEFAULT — Phase 3a
+--      had no role concept, so promoting all current admins to owner is
+--      the only safe interpretation (and matches the spec). The Rust
+--      startup path logs a warning when more than one active owner
+--      exists, so operators can demote extras via the admin PATCH.
+--   2. app_members records explicit per-app grants for 'member' users.
+--      Owners and admins get implicit grants in code (owner→app_admin
+--      everywhere, admin→editor everywhere); no rows here.
+--   3. api_keys holds Argon2id-hashed bearer credentials. Lookup is
+--      prefix-indexed (first 8 chars after `pic_`) then hash-verified;
+--      raw token only ever exists in the POST response. Optional
+--      expires_at / app_id implement TTL and app-binding respectively.
+
+ALTER TABLE admin_users
+    -- DEFAULT 'owner' so the Phase 3a bootstrap admin (and any other
+    -- pre-existing rows) become full owners without a backfill step.
+    -- Multi-owner installs are flagged at startup; demotion is a
+    -- deliberate PATCH, not an automatic migration choice.
+    ADD COLUMN instance_role TEXT NOT NULL DEFAULT 'owner'
+        CHECK (instance_role IN ('owner', 'admin', 'member')),
+    -- Reserved for the eventual invite flow + Phase 4 user-management
+    -- SDK. UNIQUE so we never end up with two rows claiming the same
+    -- contact. Nullable because pre-existing admins have no email on
+    -- file and we don't want to force a backfill.
+    ADD COLUMN email TEXT UNIQUE,
+    -- Reserved slot for TOTP secrets. Not read in Phase 3.5 — present
+    -- now only to avoid a schema bump when MFA lands.
+    ADD COLUMN mfa_secret TEXT;
+
+CREATE INDEX admin_users_instance_role_idx ON admin_users (instance_role);
+
+-- Per-(user, app) explicit grant. Owners and admins do NOT appear here;
+-- their app authority is implicit in their instance_role and resolved in
+-- code. Only 'member' users need rows in this table — without one, a
+-- member has no access to the app at all.
+CREATE TABLE app_members (
+    app_id      UUID NOT NULL REFERENCES apps(id) ON DELETE CASCADE,
+    user_id     UUID NOT NULL REFERENCES admin_users(id) ON DELETE CASCADE,
+    role        TEXT NOT NULL CHECK (role IN ('app_admin', 'editor', 'viewer')),
+    created_at  TIMESTAMPTZ NOT NULL DEFAULT NOW(),
+    PRIMARY KEY (app_id, user_id)
+);
+
+-- Lookup pattern is "what apps can this user see?" — needed for the
+-- membership-filtered GET /admin/apps and GET /admin/scripts.
+CREATE INDEX app_members_user_id_idx ON app_members (user_id);
+
+-- Bearer API keys. Format on the wire: `pic_<base32(32 random bytes)>`.
+--   prefix = first 8 chars after `pic_` (indexed for O(1) candidate lookup)
+--   hash   = Argon2id PHC of the full body after `pic_`
+-- Raw value is returned exactly once at mint time and never persisted.
+--
+-- Optional fields:
+--   expires_at: TTL. Lookup always filters `expires_at IS NULL OR > NOW()`.
+--   app_id    : "bound key" — capability checks deny any App*(other_app),
+--               regardless of the owning user's role. Cannot combine with
+--               instance:* scopes (validated in the mint handler, not SQL).
+CREATE TABLE api_keys (
+    id            UUID PRIMARY KEY DEFAULT gen_random_uuid(),
+    user_id       UUID NOT NULL REFERENCES admin_users(id) ON DELETE CASCADE,
+    hash          TEXT NOT NULL,
+    prefix        TEXT NOT NULL,
+    name          TEXT NOT NULL,
+    -- TEXT[] keeps the scope set open to additions without a migration;
+    -- the seven legal values are validated at mint time in Rust, not by
+    -- a CHECK constraint here (so new scopes can land without a schema
+    -- bump).
+    scopes        TEXT[] NOT NULL,
+    app_id        UUID NULL REFERENCES apps(id) ON DELETE CASCADE,
+    expires_at    TIMESTAMPTZ NULL,
+    last_used_at  TIMESTAMPTZ NULL,
+    created_at    TIMESTAMPTZ NOT NULL DEFAULT NOW()
+);
+
+CREATE INDEX api_keys_prefix_idx  ON api_keys (prefix);
+CREATE INDEX api_keys_user_id_idx ON api_keys (user_id);
+
+-- ---------------------------------------------------------------------
+-- Reserved schema room (not built in Phase 3.5)
+-- ---------------------------------------------------------------------
+-- These tables are deliberately commented out, not created. They are
+-- listed here so the design intent is visible at the migration boundary
+-- and future authors don't reinvent the shape. Each lands in its own
+-- numbered migration when the corresponding flow ships.
+--
+-- CREATE TABLE invites (
+--     token         TEXT PRIMARY KEY,                     -- raw at email-link time, hashed at rest
+--     email         TEXT NOT NULL,
+--     instance_role TEXT NULL CHECK (instance_role IN ('owner','admin','member')),
+--     app_id        UUID NULL REFERENCES apps(id) ON DELETE CASCADE,
+--     app_role      TEXT NULL CHECK (app_role IN ('app_admin','editor','viewer')),
+--     invited_by    UUID NOT NULL REFERENCES admin_users(id) ON DELETE CASCADE,
+--     expires_at    TIMESTAMPTZ NOT NULL,
+--     consumed_at   TIMESTAMPTZ NULL
+-- );
+--
+-- CREATE TABLE service_accounts (
+--     id             UUID PRIMARY KEY DEFAULT gen_random_uuid(),
+--     name           TEXT NOT NULL,
+--     owning_user_id UUID NOT NULL REFERENCES admin_users(id) ON DELETE RESTRICT,
+--     created_at     TIMESTAMPTZ NOT NULL DEFAULT NOW()
+-- );

crates/manager-core/src/admin_user_repo.rs

@@ -7,7 +7,7 @@
 
 use async_trait::async_trait;
 use chrono::{DateTime, Utc};
-use picloud_shared::AdminUserId;
+use picloud_shared::{AdminUserId, InstanceRole};
 use sqlx::PgPool;
 
 #[derive(Debug, thiserror::Error)]
@@ -20,6 +20,12 @@ pub enum AdminUserRepositoryError {
 
     #[error("username already taken: {0}")]
     DuplicateUsername(String),
+
+    #[error("email already taken: {0}")]
+    DuplicateEmail(String),
+
+    #[error("invalid instance_role stored in DB: {0}")]
+    InvalidInstanceRole(String),
 }
 
 /// Row returned to handlers and bootstrap. Never includes the password
@@ -30,6 +36,8 @@ pub struct AdminUserRow {
     pub id: AdminUserId,
     pub username: String,
     pub is_active: bool,
+    pub instance_role: InstanceRole,
+    pub email: Option<String>,
     pub created_at: DateTime<Utc>,
     pub updated_at: DateTime<Utc>,
     pub last_login_at: Option<DateTime<Utc>>,
@@ -44,6 +52,7 @@ pub struct AdminUserCredentials {
     pub username: String,
     pub password_hash: String,
     pub is_active: bool,
+    pub instance_role: InstanceRole,
 }
 
 #[async_trait]
@@ -58,10 +67,16 @@ pub trait AdminUserRepository: Send + Sync {
         username: &str,
     ) -> Result<Option<AdminUserCredentials>, AdminUserRepositoryError>;
     async fn list(&self) -> Result<Vec<AdminUserRow>, AdminUserRepositoryError>;
+    /// Create a new admin. `instance_role` defaults to `Owner` for the
+    /// env-var bootstrap path; admin-creates-admin flows pass an
+    /// explicit role. `email` is optional — pass `None` to leave the
+    /// column NULL.
     async fn create(
         &self,
         username: &str,
         password_hash: &str,
+        instance_role: InstanceRole,
+        email: Option<&str>,
     ) -> Result<AdminUserRow, AdminUserRepositoryError>;
     async fn update_username(
         &self,
@@ -73,6 +88,20 @@ pub trait AdminUserRepository: Send + Sync {
         id: AdminUserId,
         password_hash: &str,
     ) -> Result<AdminUserRow, AdminUserRepositoryError>;
+    /// Set or clear the email address. `None` writes NULL to the column.
+    async fn update_email(
+        &self,
+        id: AdminUserId,
+        email: Option<&str>,
+    ) -> Result<AdminUserRow, AdminUserRepositoryError>;
+    /// Update the instance_role. Used by `PATCH /api/v1/admin/admins/{id}`;
+    /// callers enforce the last-owner guard (`count_other_active_owners`)
+    /// before invoking when role transitions away from `Owner`.
+    async fn update_instance_role(
+        &self,
+        id: AdminUserId,
+        instance_role: InstanceRole,
+    ) -> Result<AdminUserRow, AdminUserRepositoryError>;
     async fn set_active(
         &self,
         id: AdminUserId,
@@ -90,6 +119,15 @@ pub trait AdminUserRepository: Send + Sync {
         &self,
         id: AdminUserId,
     ) -> Result<i64, AdminUserRepositoryError>;
+    /// All active owners — used for the multi-owner startup warning.
+    async fn list_active_owners(&self) -> Result<Vec<AdminUserRow>, AdminUserRepositoryError>;
+    /// Count of active owners excluding the given id. Used by the
+    /// last-owner guard when demoting / deactivating / deleting an
+    /// owner: "would this leave zero owners?"
+    async fn count_other_active_owners(
+        &self,
+        id: AdminUserId,
+    ) -> Result<i64, AdminUserRepositoryError>;
 }
 
 pub struct PostgresAdminUserRepository {
@@ -107,13 +145,14 @@ impl PostgresAdminUserRepository {
 impl AdminUserRepository for PostgresAdminUserRepository {
     async fn get(&self, id: AdminUserId) -> Result<Option<AdminUserRow>, AdminUserRepositoryError> {
         let row = sqlx::query_as::<_, AdminUserRecord>(
-            "SELECT id, username, is_active, created_at, updated_at, last_login_at \
+            "SELECT id, username, is_active, instance_role, email, \
+                    created_at, updated_at, last_login_at \
              FROM admin_users WHERE id = $1",
         )
         .bind(id.into_inner())
         .fetch_optional(&self.pool)
         .await?;
-        Ok(row.map(Into::into))
+        row.map(TryInto::try_into).transpose()
     }
 
     async fn get_by_username(
@@ -121,13 +160,14 @@ impl AdminUserRepository for PostgresAdminUserRepository {
         username: &str,
     ) -> Result<Option<AdminUserRow>, AdminUserRepositoryError> {
         let row = sqlx::query_as::<_, AdminUserRecord>(
-            "SELECT id, username, is_active, created_at, updated_at, last_login_at \
+            "SELECT id, username, is_active, instance_role, email, \
+                    created_at, updated_at, last_login_at \
              FROM admin_users WHERE username = $1",
         )
         .bind(username)
         .fetch_optional(&self.pool)
         .await?;
-        Ok(row.map(Into::into))
+        row.map(TryInto::try_into).transpose()
     }
 
     async fn get_credentials_by_username(
@@ -135,45 +175,62 @@ impl AdminUserRepository for PostgresAdminUserRepository {
         username: &str,
     ) -> Result<Option<AdminUserCredentials>, AdminUserRepositoryError> {
         let row = sqlx::query_as::<_, AdminCredsRecord>(
-            "SELECT id, username, password_hash, is_active \
+            "SELECT id, username, password_hash, is_active, instance_role \
              FROM admin_users WHERE username = $1",
         )
         .bind(username)
         .fetch_optional(&self.pool)
         .await?;
-        Ok(row.map(Into::into))
+        row.map(TryInto::try_into).transpose()
     }
 
     async fn list(&self) -> Result<Vec<AdminUserRow>, AdminUserRepositoryError> {
         let rows = sqlx::query_as::<_, AdminUserRecord>(
-            "SELECT id, username, is_active, created_at, updated_at, last_login_at \
+            "SELECT id, username, is_active, instance_role, email, \
+                    created_at, updated_at, last_login_at \
              FROM admin_users ORDER BY username",
         )
         .fetch_all(&self.pool)
         .await?;
-        Ok(rows.into_iter().map(Into::into).collect())
+        rows.into_iter().map(TryInto::try_into).collect()
     }
 
     async fn create(
         &self,
         username: &str,
         password_hash: &str,
+        instance_role: InstanceRole,
+        email: Option<&str>,
     ) -> Result<AdminUserRow, AdminUserRepositoryError> {
         let res = sqlx::query_as::<_, AdminUserRecord>(
-            "INSERT INTO admin_users (username, password_hash) \
+            "INSERT INTO admin_users (username, password_hash, instance_role, email) \
-             VALUES ($1, $2) \
+             VALUES ($1, $2, $3, $4) \
-             RETURNING id, username, is_active, created_at, updated_at, last_login_at",
+             RETURNING id, username, is_active, instance_role, email, \
+                       created_at, updated_at, last_login_at",
         )
         .bind(username)
         .bind(password_hash)
+        .bind(instance_role.as_str())
+        .bind(email)
         .fetch_one(&self.pool)
         .await;
 
         match res {
-            Ok(row) => Ok(row.into()),
+            Ok(row) => row.try_into(),
-            Err(sqlx::Error::Database(e)) if e.is_unique_violation() => Err(
+            Err(sqlx::Error::Database(e)) if e.is_unique_violation() => {
-                AdminUserRepositoryError::DuplicateUsername(username.to_string()),
+                // username and email both have unique constraints; the
-            ),
+                // create path can collide on either, so peek at the
+                // constraint name to surface the right error.
+                if e.constraint() == Some("admin_users_email_key") {
+                    Err(AdminUserRepositoryError::DuplicateEmail(
+                        email.unwrap_or("").to_string(),
+                    ))
+                } else {
+                    Err(AdminUserRepositoryError::DuplicateUsername(
+                        username.to_string(),
+                    ))
+                }
+            }
             Err(e) => Err(e.into()),
         }
     }
@@ -186,7 +243,8 @@ impl AdminUserRepository for PostgresAdminUserRepository {
         let res = sqlx::query_as::<_, AdminUserRecord>(
             "UPDATE admin_users SET username = $2, updated_at = NOW() \
              WHERE id = $1 \
-             RETURNING id, username, is_active, created_at, updated_at, last_login_at",
+             RETURNING id, username, is_active, instance_role, email, \
+                       created_at, updated_at, last_login_at",
         )
         .bind(id.into_inner())
         .bind(username)
@@ -194,7 +252,7 @@ impl AdminUserRepository for PostgresAdminUserRepository {
         .await;
 
         match res {
-            Ok(Some(row)) => Ok(row.into()),
+            Ok(Some(row)) => row.try_into(),
             Ok(None) => Err(AdminUserRepositoryError::NotFound(id)),
             Err(sqlx::Error::Database(e)) if e.is_unique_violation() => Err(
                 AdminUserRepositoryError::DuplicateUsername(username.to_string()),
@@ -211,14 +269,60 @@ impl AdminUserRepository for PostgresAdminUserRepository {
         let row = sqlx::query_as::<_, AdminUserRecord>(
             "UPDATE admin_users SET password_hash = $2, updated_at = NOW() \
              WHERE id = $1 \
-             RETURNING id, username, is_active, created_at, updated_at, last_login_at",
+             RETURNING id, username, is_active, instance_role, email, \
+                       created_at, updated_at, last_login_at",
         )
         .bind(id.into_inner())
         .bind(password_hash)
         .fetch_optional(&self.pool)
         .await?;
-        row.map(Into::into)
+        row.ok_or(AdminUserRepositoryError::NotFound(id))
-            .ok_or(AdminUserRepositoryError::NotFound(id))
+            .and_then(TryInto::try_into)
+    }
+
+    async fn update_email(
+        &self,
+        id: AdminUserId,
+        email: Option<&str>,
+    ) -> Result<AdminUserRow, AdminUserRepositoryError> {
+        let res = sqlx::query_as::<_, AdminUserRecord>(
+            "UPDATE admin_users SET email = $2, updated_at = NOW() \
+             WHERE id = $1 \
+             RETURNING id, username, is_active, instance_role, email, \
+                       created_at, updated_at, last_login_at",
+        )
+        .bind(id.into_inner())
+        .bind(email)
+        .fetch_optional(&self.pool)
+        .await;
+
+        match res {
+            Ok(Some(row)) => row.try_into(),
+            Ok(None) => Err(AdminUserRepositoryError::NotFound(id)),
+            Err(sqlx::Error::Database(e)) if e.is_unique_violation() => Err(
+                AdminUserRepositoryError::DuplicateEmail(email.unwrap_or("").to_string()),
+            ),
+            Err(e) => Err(e.into()),
+        }
+    }
+
+    async fn update_instance_role(
+        &self,
+        id: AdminUserId,
+        instance_role: InstanceRole,
+    ) -> Result<AdminUserRow, AdminUserRepositoryError> {
+        let row = sqlx::query_as::<_, AdminUserRecord>(
+            "UPDATE admin_users SET instance_role = $2, updated_at = NOW() \
+             WHERE id = $1 \
+             RETURNING id, username, is_active, instance_role, email, \
+                       created_at, updated_at, last_login_at",
+        )
+        .bind(id.into_inner())
+        .bind(instance_role.as_str())
+        .fetch_optional(&self.pool)
+        .await?;
+        row.ok_or(AdminUserRepositoryError::NotFound(id))
+            .and_then(TryInto::try_into)
     }
 
     async fn set_active(
@@ -229,14 +333,15 @@ impl AdminUserRepository for PostgresAdminUserRepository {
         let row = sqlx::query_as::<_, AdminUserRecord>(
             "UPDATE admin_users SET is_active = $2, updated_at = NOW() \
              WHERE id = $1 \
-             RETURNING id, username, is_active, created_at, updated_at, last_login_at",
+             RETURNING id, username, is_active, instance_role, email, \
+                       created_at, updated_at, last_login_at",
         )
         .bind(id.into_inner())
         .bind(is_active)
         .fetch_optional(&self.pool)
         .await?;
-        row.map(Into::into)
+        row.ok_or(AdminUserRepositoryError::NotFound(id))
-            .ok_or(AdminUserRepositoryError::NotFound(id))
+            .and_then(TryInto::try_into)
     }
 
     async fn delete(&self, id: AdminUserId) -> Result<(), AdminUserRepositoryError> {
@@ -277,6 +382,33 @@ impl AdminUserRepository for PostgresAdminUserRepository {
                 .await?;
         Ok(count)
     }
+
+    async fn list_active_owners(&self) -> Result<Vec<AdminUserRow>, AdminUserRepositoryError> {
+        let rows = sqlx::query_as::<_, AdminUserRecord>(
+            "SELECT id, username, is_active, instance_role, email, \
+                    created_at, updated_at, last_login_at \
+             FROM admin_users \
+             WHERE is_active AND instance_role = 'owner' \
+             ORDER BY username",
+        )
+        .fetch_all(&self.pool)
+        .await?;
+        rows.into_iter().map(TryInto::try_into).collect()
+    }
+
+    async fn count_other_active_owners(
+        &self,
+        id: AdminUserId,
+    ) -> Result<i64, AdminUserRepositoryError> {
+        let (count,): (i64,) = sqlx::query_as(
+            "SELECT COUNT(*)::BIGINT FROM admin_users \
+             WHERE is_active AND instance_role = 'owner' AND id <> $1",
+        )
+        .bind(id.into_inner())
+        .fetch_one(&self.pool)
+        .await?;
+        Ok(count)
+    }
 }
 
 #[derive(sqlx::FromRow)]
@@ -284,21 +416,28 @@ struct AdminUserRecord {
     id: uuid::Uuid,
     username: String,
     is_active: bool,
+    instance_role: String,
+    email: Option<String>,
     created_at: DateTime<Utc>,
     updated_at: DateTime<Utc>,
     last_login_at: Option<DateTime<Utc>>,
 }
 
-impl From<AdminUserRecord> for AdminUserRow {
+impl TryFrom<AdminUserRecord> for AdminUserRow {
-    fn from(r: AdminUserRecord) -> Self {
+    type Error = AdminUserRepositoryError;
-        Self {
+    fn try_from(r: AdminUserRecord) -> Result<Self, Self::Error> {
+        Ok(Self {
             id: r.id.into(),
             username: r.username,
             is_active: r.is_active,
+            instance_role: InstanceRole::from_db_str(&r.instance_role).ok_or(
+                AdminUserRepositoryError::InvalidInstanceRole(r.instance_role),
+            )?,
+            email: r.email,
             created_at: r.created_at,
             updated_at: r.updated_at,
             last_login_at: r.last_login_at,
-        }
+        })
     }
 }
 
@@ -308,15 +447,20 @@ struct AdminCredsRecord {
     username: String,
     password_hash: String,
     is_active: bool,
+    instance_role: String,
 }
 
-impl From<AdminCredsRecord> for AdminUserCredentials {
+impl TryFrom<AdminCredsRecord> for AdminUserCredentials {
-    fn from(r: AdminCredsRecord) -> Self {
+    type Error = AdminUserRepositoryError;
-        Self {
+    fn try_from(r: AdminCredsRecord) -> Result<Self, Self::Error> {
+        Ok(Self {
             id: r.id.into(),
             username: r.username,
             password_hash: r.password_hash,
             is_active: r.is_active,
-        }
+            instance_role: InstanceRole::from_db_str(&r.instance_role).ok_or(
+                AdminUserRepositoryError::InvalidInstanceRole(r.instance_role),
+            )?,
+        })
     }
 }

crates/manager-core/src/admin_users_api.rs

@@ -14,15 +14,17 @@ use axum::extract::{Path, State};
 use axum::http::StatusCode;
 use axum::response::{IntoResponse, Json, Response};
 use axum::routing::get;
-use axum::Router;
+use axum::{Extension, Router};
 use chrono::{DateTime, Utc};
-use picloud_shared::AdminUserId;
+use picloud_shared::{AdminUserId, InstanceRole, Principal};
 use serde::{Deserialize, Serialize};
 use serde_json::json;
 
 use crate::admin_session_repo::AdminSessionRepository;
 use crate::admin_user_repo::{AdminUserRepository, AdminUserRepositoryError, AdminUserRow};
+use crate::api_key_repo::ApiKeyRepository;
 use crate::auth::hash_password;
+use crate::authz::{require, AuthzDenied, AuthzRepo, Capability};
 
 /// Validation knobs are tuned by NIST 800-63B-ish guidance: username is
 /// a strict ASCII subset so the lookup column stays predictable, and
@@ -36,6 +38,13 @@ const PASSWORD_MIN: usize = 8;
 pub struct AdminsState {
     pub users: Arc<dyn AdminUserRepository>,
     pub sessions: Arc<dyn AdminSessionRepository>,
+    /// Phase 3.5 deactivation symmetry — flipping `is_active = false`
+    /// also expires every active API key for that user so cookie and
+    /// bearer credentials become inert at the same moment.
+    pub keys: Arc<dyn ApiKeyRepository>,
+    /// Capability gate: every endpoint here requires
+    /// `InstanceManageUsers` (owner / admin).
+    pub authz: Arc<dyn AuthzRepo>,
 }
 
 pub fn admins_router(state: AdminsState) -> Router {
@@ -57,6 +66,8 @@ pub struct AdminDto {
     pub id: AdminUserId,
     pub username: String,
     pub is_active: bool,
+    pub instance_role: InstanceRole,
+    pub email: Option<String>,
     pub created_at: DateTime<Utc>,
     pub last_login_at: Option<DateTime<Utc>>,
 }
@@ -67,6 +78,8 @@ impl From<AdminUserRow> for AdminDto {
             id: r.id,
             username: r.username,
             is_active: r.is_active,
+            instance_role: r.instance_role,
+            email: r.email,
             created_at: r.created_at,
             last_login_at: r.last_login_at,
         }
@@ -77,6 +90,18 @@ impl From<AdminUserRow> for AdminDto {
 pub struct CreateAdminRequest {
     pub username: String,
     pub password: String,
+    /// Defaults to `Admin` when absent — minting an owner via the API
+    /// is a deliberate step. The env-var bootstrap path is the only
+    /// channel that defaults to `Owner`.
+    #[serde(default = "default_create_role")]
+    pub instance_role: InstanceRole,
+    /// Optional contact email. Blank/whitespace is normalized to None.
+    #[serde(default)]
+    pub email: Option<String>,
+}
+
+const fn default_create_role() -> InstanceRole {
+    InstanceRole::Admin
 }
 
 #[derive(Debug, Deserialize, Default)]
@@ -84,6 +109,27 @@ pub struct PatchAdminRequest {
     pub username: Option<String>,
     pub password: Option<String>,
     pub is_active: Option<bool>,
+    pub instance_role: Option<InstanceRole>,
+    /// JSON Merge Patch (RFC 7396) semantics for email:
+    ///   absent      → don't change
+    ///   null        → clear (set DB column to NULL)
+    ///   "<string>"  → set to that string
+    /// `Option<Option<T>>` is the idiomatic Rust shape for that
+    /// tri-state; the custom deserializer below distinguishes the
+    /// "missing" case from the "present-and-null" case that serde
+    /// would otherwise collapse together.
+    #[allow(clippy::option_option)]
+    #[serde(default, deserialize_with = "deserialize_present_optional")]
+    pub email: Option<Option<String>>,
+}
+
+#[allow(clippy::option_option)]
+fn deserialize_present_optional<'de, T, D>(deserializer: D) -> Result<Option<Option<T>>, D::Error>
+where
+    T: serde::Deserialize<'de>,
+    D: serde::Deserializer<'de>,
+{
+    Ok(Some(Option::<T>::deserialize(deserializer)?))
 }
 
 // ----------------------------------------------------------------------------
@@ -92,15 +138,29 @@ pub struct PatchAdminRequest {
 
 async fn list_admins(
     State(state): State<AdminsState>,
+    Extension(principal): Extension<Principal>,
 ) -> Result<Json<Vec<AdminDto>>, AdminApiError> {
+    require(
+        state.authz.as_ref(),
+        &principal,
+        Capability::InstanceManageUsers,
+    )
+    .await?;
     let rows = state.users.list().await?;
     Ok(Json(rows.into_iter().map(Into::into).collect()))
 }
 
 async fn get_admin(
     State(state): State<AdminsState>,
+    Extension(principal): Extension<Principal>,
     Path(id): Path<AdminUserId>,
 ) -> Result<Json<AdminDto>, AdminApiError> {
+    require(
+        state.authz.as_ref(),
+        &principal,
+        Capability::InstanceManageUsers,
+    )
+    .await?;
     state
         .users
         .get(id)
@@ -112,24 +172,50 @@ async fn get_admin(
 
 async fn create_admin(
     State(state): State<AdminsState>,
+    Extension(principal): Extension<Principal>,
     Json(input): Json<CreateAdminRequest>,
 ) -> Result<(StatusCode, Json<AdminDto>), AdminApiError> {
+    require(
+        state.authz.as_ref(),
+        &principal,
+        Capability::InstanceManageUsers,
+    )
+    .await?;
+    // Minting an owner via the API requires the caller to ALSO be an
+    // owner — admin cannot self-elevate (or elevate someone else)
+    // beyond their own ceiling. Owner-creation by env-var bootstrap
+    // bypasses this path.
+    if input.instance_role == InstanceRole::Owner && principal.instance_role != InstanceRole::Owner
+    {
+        return Err(AdminApiError::CannotEscalate);
+    }
     let username = input.username.trim();
     validate_username(username)?;
     validate_password(&input.password)?;
+    let email = normalize_email(input.email.as_deref())?;
     let hash = hash_password(&input.password).map_err(|e| AdminApiError::Hash(e.to_string()))?;
-    let row = state.users.create(username, &hash).await?;
+    let row = state
+        .users
+        .create(username, &hash, input.instance_role, email.as_deref())
+        .await?;
     Ok((StatusCode::CREATED, Json(row.into())))
 }
 
 async fn patch_admin(
     State(state): State<AdminsState>,
+    Extension(principal): Extension<Principal>,
     Path(id): Path<AdminUserId>,
     Json(input): Json<PatchAdminRequest>,
 ) -> Result<Json<AdminDto>, AdminApiError> {
+    require(
+        state.authz.as_ref(),
+        &principal,
+        Capability::InstanceManageUsers,
+    )
+    .await?;
     // Verify the target exists upfront — keeps the error path uniform
     // for "rename a missing user" etc.
-    let _ = state
+    let current = state
         .users
         .get(id)
         .await?
@@ -154,6 +240,32 @@ async fn patch_admin(
         // for the initial cut.)
     }
 
+    if let Some(email_patch) = input.email.as_ref() {
+        // email_patch is Some(None) → clear, Some(Some(s)) → set.
+        let normalized = normalize_email(email_patch.as_deref())?;
+        latest = Some(state.users.update_email(id, normalized.as_deref()).await?);
+    }
+
+    if let Some(new_role) = input.instance_role {
+        // Self-elevation guard: only an owner can promote anyone TO
+        // owner. An admin cannot turn themselves (or anyone else)
+        // into one.
+        if new_role == InstanceRole::Owner && principal.instance_role != InstanceRole::Owner {
+            return Err(AdminApiError::CannotEscalate);
+        }
+        // Last-active-owner guard: a transition off of `Owner` cannot
+        // leave the install with zero owners. The check is on the
+        // source role (current.instance_role) so demoting an
+        // already-non-owner is always fine.
+        if current.instance_role == InstanceRole::Owner && new_role != InstanceRole::Owner {
+            let remaining = state.users.count_other_active_owners(id).await?;
+            if remaining == 0 {
+                return Err(AdminApiError::LastActiveOwner);
+            }
+        }
+        latest = Some(state.users.update_instance_role(id, new_role).await?);
+    }
+
     if let Some(new_active) = input.is_active {
         // Last-active-admin guard: only when transitioning to inactive.
         if !new_active {
@@ -161,14 +273,40 @@ async fn patch_admin(
             if remaining == 0 {
                 return Err(AdminApiError::LastActiveAdmin);
             }
+            // ALSO: if the target is currently the last active owner,
+            // deactivating them leaves no owner. Belt-and-suspenders to
+            // the role guard above (which only triggers on an explicit
+            // role transition).
+            let target_role = latest
+                .as_ref()
+                .map_or(current.instance_role, |r| r.instance_role);
+            if target_role == InstanceRole::Owner {
+                let remaining_owners = state.users.count_other_active_owners(id).await?;
+                if remaining_owners == 0 {
+                    return Err(AdminApiError::LastActiveOwner);
+                }
+            }
         }
         latest = Some(state.users.set_active(id, new_active).await?);
-        // Deactivation invalidates all of the user's sessions. Cheap
+        // Deactivation invalidates BOTH credential surfaces — sessions
-        // and safer than waiting for sliding-window expiry.
+        // (cookie / session bearer) and API keys. Both writes are
+        // logged on failure but do not undo the deactivation; the
+        // alternative (leaving the user active when one cascade fails)
+        // is worse than slightly stale credential rows on a DB blip.
         if !new_active {
             if let Err(err) = state.sessions.delete_for_user(id).await {
                 tracing::error!(?err, "failed to delete sessions for deactivated admin");
             }
+            match state.keys.expire_all_for_user(id).await {
+                Ok(n) => {
+                    if n > 0 {
+                        tracing::info!(user_id = %id, expired = n, "expired api keys on deactivation");
+                    }
+                }
+                Err(err) => {
+                    tracing::error!(?err, "failed to expire api keys for deactivated admin");
+                }
+            }
         }
     }
 
@@ -185,8 +323,15 @@ async fn patch_admin(
 
 async fn delete_admin(
     State(state): State<AdminsState>,
+    Extension(principal): Extension<Principal>,
     Path(id): Path<AdminUserId>,
 ) -> Result<StatusCode, AdminApiError> {
+    require(
+        state.authz.as_ref(),
+        &principal,
+        Capability::InstanceManageUsers,
+    )
+    .await?;
     let target = state
         .users
         .get(id)
@@ -197,9 +342,18 @@ async fn delete_admin(
         if remaining == 0 {
             return Err(AdminApiError::LastActiveAdmin);
         }
+        // Last-owner guard mirrors the role-transition guard in
+        // patch_admin — deleting the only owner is just as bad as
+        // demoting them.
+        if target.instance_role == InstanceRole::Owner {
+            let remaining_owners = state.users.count_other_active_owners(id).await?;
+            if remaining_owners == 0 {
+                return Err(AdminApiError::LastActiveOwner);
+            }
+        }
     }
     state.users.delete(id).await?;
-    // Sessions cascade via FK; no explicit delete needed.
+    // Sessions + api_keys cascade via FK; no explicit delete needed.
     Ok(StatusCode::NO_CONTENT)
 }
 
@@ -234,6 +388,26 @@ fn validate_password(s: &str) -> Result<(), AdminApiError> {
     Ok(())
 }
 
+/// Trim and reject empty / pathological emails, returning the
+/// canonical form (or None when the input was blank). The shape
+/// check is intentionally loose — we mainly want to reject blanks
+/// and obvious junk; real verification is a future concern.
+fn normalize_email(raw: Option<&str>) -> Result<Option<String>, AdminApiError> {
+    let Some(raw) = raw else {
+        return Ok(None);
+    };
+    let trimmed = raw.trim();
+    if trimmed.is_empty() {
+        return Ok(None);
+    }
+    if trimmed.len() > 254 || !trimmed.contains('@') {
+        return Err(AdminApiError::InvalidEmail(
+            "email must contain '@' and be at most 254 characters".to_string(),
+        ));
+    }
+    Ok(Some(trimmed.to_string()))
+}
+
 // ----------------------------------------------------------------------------
 // Errors
 // ----------------------------------------------------------------------------
@@ -249,9 +423,24 @@ pub enum AdminApiError {
     #[error("{0}")]
     InvalidPassword(String),
 
+    #[error("{0}")]
+    InvalidEmail(String),
+
     #[error("cannot leave the system with zero active admins")]
     LastActiveAdmin,
 
+    #[error("cannot leave the system with zero active owners")]
+    LastActiveOwner,
+
+    #[error("only an owner can grant the owner role")]
+    CannotEscalate,
+
+    #[error("forbidden")]
+    Forbidden,
+
+    #[error("authorization repo error: {0}")]
+    AuthzRepo(String),
+
     #[error("failed to hash password: {0}")]
     Hash(String),
 
@@ -259,16 +448,40 @@ pub enum AdminApiError {
     Repo(#[from] AdminUserRepositoryError),
 }
 
+impl From<AuthzDenied> for AdminApiError {
+    fn from(d: AuthzDenied) -> Self {
+        match d {
+            AuthzDenied::Denied => Self::Forbidden,
+            AuthzDenied::Repo(e) => Self::AuthzRepo(e.to_string()),
+        }
+    }
+}
+
 impl IntoResponse for AdminApiError {
     fn into_response(self) -> Response {
         let (status, message) = match &self {
             Self::NotFound(_) => (StatusCode::NOT_FOUND, self.to_string()),
-            Self::Repo(AdminUserRepositoryError::DuplicateUsername(_)) => {
+            Self::Repo(
-                (StatusCode::CONFLICT, self.to_string())
+                AdminUserRepositoryError::DuplicateUsername(_)
-            }
+                | AdminUserRepositoryError::DuplicateEmail(_),
-            Self::InvalidUsername(_) | Self::InvalidPassword(_) | Self::LastActiveAdmin => {
+            ) => (StatusCode::CONFLICT, self.to_string()),
+            Self::InvalidUsername(_)
+            | Self::InvalidPassword(_)
+            | Self::InvalidEmail(_)
+            | Self::LastActiveAdmin
+            | Self::LastActiveOwner
+            | Self::CannotEscalate
+            | Self::Repo(AdminUserRepositoryError::InvalidInstanceRole(_)) => {
                 (StatusCode::UNPROCESSABLE_ENTITY, self.to_string())
             }
+            Self::Forbidden => (StatusCode::FORBIDDEN, self.to_string()),
+            Self::AuthzRepo(e) => {
+                tracing::error!(error = %e, "admin_users authz error");
+                (
+                    StatusCode::INTERNAL_SERVER_ERROR,
+                    "internal error".to_string(),
+                )
+            }
             Self::Repo(AdminUserRepositoryError::NotFound(_)) => {
                 (StatusCode::NOT_FOUND, self.to_string())
             }

crates/manager-core/src/api.rs

@@ -9,14 +9,16 @@ use axum::{
     http::StatusCode,
     response::{IntoResponse, Response},
     routing::get,
-    Json, Router,
+    Extension, Json, Router,
 };
 use picloud_shared::{
-    AppId, ExecutionLog, Script, ScriptId, ScriptSandbox, ScriptValidator, ValidationError,
+    AppId, ExecutionLog, InstanceRole, Principal, Script, ScriptId, ScriptSandbox, ScriptValidator,
+    ValidationError,
 };
 use serde::Deserialize;
 
 use crate::app_repo::AppRepository;
+use crate::authz::{require, AuthzDenied, AuthzRepo, Capability};
 use crate::repo::{
     ExecutionLogRepository, NewScript, ScriptPatch, ScriptRepository, ScriptRepositoryError,
 };
@@ -31,6 +33,10 @@ pub struct AdminState<R, L> {
     /// App lookups: validates `app_id` on create, resolves `?app=<slug>`
     /// filter on list. Trait-object so apps_repo can stay separate.
     pub apps: Arc<dyn AppRepository>,
+    /// Phase 3.5 capability checks — every script handler resolves
+    /// `AppRead/Write/LogRead(script.app_id)` against this repo after
+    /// loading the resource.
+    pub authz: Arc<dyn AuthzRepo>,
     pub validator: Arc<dyn ScriptValidator>,
     pub sandbox_ceiling: SandboxCeiling,
 }
@@ -41,6 +47,7 @@ impl<R, L> Clone for AdminState<R, L> {
             repo: self.repo.clone(),
             logs: self.logs.clone(),
             apps: self.apps.clone(),
+            authz: self.authz.clone(),
             validator: self.validator.clone(),
             sandbox_ceiling: self.sandbox_ceiling,
         }
@@ -129,14 +136,22 @@ where
 
 async fn list_scripts<R: ScriptRepository, L: ExecutionLogRepository>(
     State(state): State<AdminState<R, L>>,
+    Extension(principal): Extension<Principal>,
     Query(q): Query<ListScriptsQuery>,
 ) -> Result<Json<Vec<Script>>, ApiError> {
+    // Membership filter: `member` users see only scripts in apps they
+    // belong to. `?app=` filters further by app and additionally
+    // requires the member to belong to that app (the read check uses
+    // the resource's app_id).
     if let Some(ident) = q.app {
         let app = resolve_app_ident(state.apps.as_ref(), &ident).await?;
-        Ok(Json(state.repo.list_for_app(app).await?))
+        require(state.authz.as_ref(), &principal, Capability::AppRead(app)).await?;
-    } else {
+        return Ok(Json(state.repo.list_for_app(app).await?));
-        Ok(Json(state.repo.list().await?))
     }
+    if principal.instance_role == InstanceRole::Member {
+        return Ok(Json(state.repo.list_for_user(principal.user_id).await?));
+    }
+    Ok(Json(state.repo.list().await?))
 }
 
 /// Accept `?app=<uuid>` OR `?app=<slug>`. Slugs route through history
@@ -159,20 +174,34 @@ async fn resolve_app_ident(apps: &dyn AppRepository, ident: &str) -> Result<AppI
 
 async fn get_script<R: ScriptRepository, L: ExecutionLogRepository>(
     State(state): State<AdminState<R, L>>,
+    Extension(principal): Extension<Principal>,
     Path(id): Path<ScriptId>,
 ) -> Result<Json<Script>, ApiError> {
-    state
+    let script = state.repo.get(id).await?.ok_or(ApiError::NotFound(id))?;
-        .repo
+    require(
-        .get(id)
+        state.authz.as_ref(),
-        .await?
+        &principal,
-        .map(Json)
+        Capability::AppRead(script.app_id),
-        .ok_or(ApiError::NotFound(id))
+    )
+    .await?;
+    Ok(Json(script))
 }
 
 async fn create_script<R: ScriptRepository, L: ExecutionLogRepository>(
     State(state): State<AdminState<R, L>>,
+    Extension(principal): Extension<Principal>,
     Json(input): Json<CreateScriptRequest>,
 ) -> Result<(StatusCode, Json<Script>), ApiError> {
+    // Capability is bound to the *requested* app_id since there's no
+    // resource to load yet. If the app doesn't exist we 422 below;
+    // checking authz first means a Member trying to create against an
+    // unknown app gets 403 (no enumeration of app existence).
+    require(
+        state.authz.as_ref(),
+        &principal,
+        Capability::AppWriteScript(input.app_id),
+    )
+    .await?;
     state.validator.validate(&input.source)?;
     state.sandbox_ceiling.check(&input.sandbox)?;
     // Refuse early if the app_id doesn't exist — a clean 422 beats a
@@ -201,9 +230,17 @@ async fn create_script<R: ScriptRepository, L: ExecutionLogRepository>(
 
 async fn update_script<R: ScriptRepository, L: ExecutionLogRepository>(
     State(state): State<AdminState<R, L>>,
+    Extension(principal): Extension<Principal>,
     Path(id): Path<ScriptId>,
     Json(input): Json<UpdateScriptRequest>,
 ) -> Result<Json<Script>, ApiError> {
+    let script = state.repo.get(id).await?.ok_or(ApiError::NotFound(id))?;
+    require(
+        state.authz.as_ref(),
+        &principal,
+        Capability::AppWriteScript(script.app_id),
+    )
+    .await?;
     if let Some(src) = input.source.as_deref() {
         state.validator.validate(src)?;
     }
@@ -229,8 +266,19 @@ async fn update_script<R: ScriptRepository, L: ExecutionLogRepository>(
 
 async fn delete_script<R: ScriptRepository, L: ExecutionLogRepository>(
     State(state): State<AdminState<R, L>>,
+    Extension(principal): Extension<Principal>,
     Path(id): Path<ScriptId>,
 ) -> Result<StatusCode, ApiError> {
+    let script = state.repo.get(id).await?.ok_or(ApiError::NotFound(id))?;
+    // Delete is gated tighter than Save: editors can edit scripts but
+    // only app_admin / instance admin / owner can remove them. See
+    // blueprint §11.6.
+    require(
+        state.authz.as_ref(),
+        &principal,
+        Capability::AppAdmin(script.app_id),
+    )
+    .await?;
     state.repo.delete(id).await?;
     Ok(StatusCode::NO_CONTENT)
 }
@@ -249,9 +297,17 @@ const fn default_limit() -> i64 {
 
 async fn list_logs<R: ScriptRepository, L: ExecutionLogRepository>(
     State(state): State<AdminState<R, L>>,
+    Extension(principal): Extension<Principal>,
     Path(id): Path<ScriptId>,
     axum::extract::Query(q): axum::extract::Query<LogsQuery>,
 ) -> Result<Json<Vec<ExecutionLog>>, ApiError> {
+    let script = state.repo.get(id).await?.ok_or(ApiError::NotFound(id))?;
+    require(
+        state.authz.as_ref(),
+        &principal,
+        Capability::AppLogRead(script.app_id),
+    )
+    .await?;
     // Cap to keep the dashboard responsive; the data plane writes are
     // unbounded over time so a paged read is the only sane default.
     let limit = q.limit.clamp(1, 200);
@@ -281,10 +337,25 @@ pub enum ApiError {
     #[error("{0}")]
     Ceiling(#[from] CeilingError),
 
+    #[error("forbidden")]
+    Forbidden,
+
+    #[error("authorization repo error: {0}")]
+    AuthzRepo(String),
+
     #[error("repository error: {0}")]
     Repo(#[from] ScriptRepositoryError),
 }
 
+impl From<AuthzDenied> for ApiError {
+    fn from(d: AuthzDenied) -> Self {
+        match d {
+            AuthzDenied::Denied => Self::Forbidden,
+            AuthzDenied::Repo(e) => Self::AuthzRepo(e.to_string()),
+        }
+    }
+}
+
 impl IntoResponse for ApiError {
     fn into_response(self) -> Response {
         let (status, message) = match &self {
@@ -294,6 +365,14 @@ impl IntoResponse for ApiError {
             Self::Invalid(_) | Self::Ceiling(_) => {
                 (StatusCode::UNPROCESSABLE_ENTITY, self.to_string())
             }
+            Self::Forbidden => (StatusCode::FORBIDDEN, self.to_string()),
+            Self::AuthzRepo(e) => {
+                tracing::error!(error = %e, "authz repo error");
+                (
+                    StatusCode::INTERNAL_SERVER_ERROR,
+                    "internal error".to_string(),
+                )
+            }
             Self::Repo(ScriptRepositoryError::NotFound(_)) => {
                 (StatusCode::NOT_FOUND, self.to_string())
             }

crates/manager-core/src/api_key_repo.rs

@@ -0,0 +1,292 @@
+//! CRUD over the `api_keys` table — backs the `Authorization: Bearer
+//! pic_…` credential flow from blueprint §11.6.
+//!
+//! The repo never sees the raw token; only the 8-char `prefix` and the
+//! Argon2id `hash`. Mint logic (random-bytes generation, prefix split,
+//! hash compute) lives in `api_keys_api.rs`. Verification logic
+//! (prefix lookup + Argon2 verify per candidate) lives in
+//! `auth_middleware.rs`. Both call this repo for the storage layer.
+
+use async_trait::async_trait;
+use chrono::{DateTime, Utc};
+use picloud_shared::{AdminUserId, ApiKeyId, AppId, Scope};
+use sqlx::PgPool;
+
+#[derive(Debug, thiserror::Error)]
+pub enum ApiKeyRepositoryError {
+    #[error("database error: {0}")]
+    Db(#[from] sqlx::Error),
+
+    #[error("api key not found: {0}")]
+    NotFound(ApiKeyId),
+
+    #[error("invalid scope stored in DB: {0}")]
+    InvalidScope(String),
+}
+
+/// Insert payload — built by `api_keys_api` after generating the raw
+/// token and hashing it. `hash` is an Argon2id PHC string covering the
+/// body of the token (everything after `pic_`); `prefix` is the first
+/// 8 chars of that body, indexed for fast candidate lookup.
+#[derive(Debug, Clone)]
+pub struct NewApiKey {
+    pub user_id: AdminUserId,
+    pub hash: String,
+    pub prefix: String,
+    pub name: String,
+    pub scopes: Vec<Scope>,
+    pub app_id: Option<AppId>,
+    pub expires_at: Option<DateTime<Utc>>,
+}
+
+/// Public-facing row — never exposes the hash. Used for `GET
+/// /admin/api-keys` and the `POST` response (alongside the
+/// one-shot raw token).
+#[derive(Debug, Clone)]
+pub struct ApiKeyRow {
+    pub id: ApiKeyId,
+    pub user_id: AdminUserId,
+    pub prefix: String,
+    pub name: String,
+    pub scopes: Vec<Scope>,
+    pub app_id: Option<AppId>,
+    pub expires_at: Option<DateTime<Utc>>,
+    pub last_used_at: Option<DateTime<Utc>>,
+    pub created_at: DateTime<Utc>,
+}
+
+/// Verification candidate — includes the Argon2id `hash` and `user_id`
+/// so middleware can verify the supplied token and assemble the
+/// `Principal`. Kept separate from `ApiKeyRow` so handlers can't leak
+/// the hash through a careless `Json(row)`.
+#[derive(Debug, Clone)]
+pub struct ApiKeyVerification {
+    pub id: ApiKeyId,
+    pub user_id: AdminUserId,
+    pub hash: String,
+    pub scopes: Vec<Scope>,
+    pub app_id: Option<AppId>,
+}
+
+#[async_trait]
+pub trait ApiKeyRepository: Send + Sync {
+    /// Mint. Caller has already hashed the raw token + computed prefix.
+    async fn create(&self, key: NewApiKey) -> Result<ApiKeyRow, ApiKeyRepositoryError>;
+
+    /// Return every non-expired key with the given 8-char prefix. The
+    /// caller (middleware) Argon2-verifies the supplied token against
+    /// each candidate's `hash`. Returning a Vec rather than one row
+    /// keeps the contract correct even if two keys happen to share a
+    /// prefix (statistically near-zero but possible).
+    async fn find_active_by_prefix(
+        &self,
+        prefix: &str,
+    ) -> Result<Vec<ApiKeyVerification>, ApiKeyRepositoryError>;
+
+    /// Update `last_used_at` for an authenticated request. Inline (not
+    /// fire-and-forget) so a DB blip surfaces as a 500 rather than
+    /// silent stale timestamps.
+    async fn touch_last_used(&self, id: ApiKeyId) -> Result<(), ApiKeyRepositoryError>;
+
+    /// Caller's own keys, for `GET /admin/api-keys`.
+    async fn list_for_user(
+        &self,
+        user_id: AdminUserId,
+    ) -> Result<Vec<ApiKeyRow>, ApiKeyRepositoryError>;
+
+    /// Look up a key by id — used by `DELETE` to verify ownership
+    /// before issuing the delete.
+    async fn get(&self, id: ApiKeyId) -> Result<Option<ApiKeyRow>, ApiKeyRepositoryError>;
+
+    /// Delete the row only if it belongs to `user_id`. Returns whether
+    /// a row was actually deleted (false = key didn't exist OR wasn't
+    /// theirs — handlers map both to 404 to avoid leaking the
+    /// distinction).
+    async fn delete_by_id_and_user(
+        &self,
+        id: ApiKeyId,
+        user_id: AdminUserId,
+    ) -> Result<bool, ApiKeyRepositoryError>;
+
+    /// Set `expires_at = NOW()` on every active key for a user. Wired
+    /// into `set_active(false)` so deactivation invalidates both
+    /// sessions (already done by `AdminSessionRepository::delete_for_user`)
+    /// and bearer keys at the same moment.
+    async fn expire_all_for_user(&self, user_id: AdminUserId)
+        -> Result<u64, ApiKeyRepositoryError>;
+}
+
+pub struct PostgresApiKeyRepository {
+    pool: PgPool,
+}
+
+impl PostgresApiKeyRepository {
+    #[must_use]
+    pub fn new(pool: PgPool) -> Self {
+        Self { pool }
+    }
+}
+
+#[async_trait]
+impl ApiKeyRepository for PostgresApiKeyRepository {
+    async fn create(&self, key: NewApiKey) -> Result<ApiKeyRow, ApiKeyRepositoryError> {
+        let scope_strings: Vec<String> =
+            key.scopes.iter().map(|s| s.as_str().to_string()).collect();
+        let row = sqlx::query_as::<_, ApiKeyRecord>(
+            "INSERT INTO api_keys \
+                (user_id, hash, prefix, name, scopes, app_id, expires_at) \
+             VALUES ($1, $2, $3, $4, $5, $6, $7) \
+             RETURNING id, user_id, prefix, name, scopes, app_id, \
+                       expires_at, last_used_at, created_at",
+        )
+        .bind(key.user_id.into_inner())
+        .bind(&key.hash)
+        .bind(&key.prefix)
+        .bind(&key.name)
+        .bind(&scope_strings)
+        .bind(key.app_id.map(picloud_shared::AppId::into_inner))
+        .bind(key.expires_at)
+        .fetch_one(&self.pool)
+        .await?;
+        row.try_into()
+    }
+
+    async fn find_active_by_prefix(
+        &self,
+        prefix: &str,
+    ) -> Result<Vec<ApiKeyVerification>, ApiKeyRepositoryError> {
+        let rows = sqlx::query_as::<_, ApiKeyVerifyRecord>(
+            "SELECT id, user_id, hash, scopes, app_id \
+             FROM api_keys \
+             WHERE prefix = $1 \
+               AND (expires_at IS NULL OR expires_at > NOW())",
+        )
+        .bind(prefix)
+        .fetch_all(&self.pool)
+        .await?;
+        rows.into_iter().map(TryInto::try_into).collect()
+    }
+
+    async fn touch_last_used(&self, id: ApiKeyId) -> Result<(), ApiKeyRepositoryError> {
+        sqlx::query("UPDATE api_keys SET last_used_at = NOW() WHERE id = $1")
+            .bind(id.into_inner())
+            .execute(&self.pool)
+            .await?;
+        Ok(())
+    }
+
+    async fn list_for_user(
+        &self,
+        user_id: AdminUserId,
+    ) -> Result<Vec<ApiKeyRow>, ApiKeyRepositoryError> {
+        let rows = sqlx::query_as::<_, ApiKeyRecord>(
+            "SELECT id, user_id, prefix, name, scopes, app_id, \
+                    expires_at, last_used_at, created_at \
+             FROM api_keys WHERE user_id = $1 \
+             ORDER BY created_at DESC",
+        )
+        .bind(user_id.into_inner())
+        .fetch_all(&self.pool)
+        .await?;
+        rows.into_iter().map(TryInto::try_into).collect()
+    }
+
+    async fn get(&self, id: ApiKeyId) -> Result<Option<ApiKeyRow>, ApiKeyRepositoryError> {
+        let row = sqlx::query_as::<_, ApiKeyRecord>(
+            "SELECT id, user_id, prefix, name, scopes, app_id, \
+                    expires_at, last_used_at, created_at \
+             FROM api_keys WHERE id = $1",
+        )
+        .bind(id.into_inner())
+        .fetch_optional(&self.pool)
+        .await?;
+        row.map(TryInto::try_into).transpose()
+    }
+
+    async fn delete_by_id_and_user(
+        &self,
+        id: ApiKeyId,
+        user_id: AdminUserId,
+    ) -> Result<bool, ApiKeyRepositoryError> {
+        let res = sqlx::query("DELETE FROM api_keys WHERE id = $1 AND user_id = $2")
+            .bind(id.into_inner())
+            .bind(user_id.into_inner())
+            .execute(&self.pool)
+            .await?;
+        Ok(res.rows_affected() > 0)
+    }
+
+    async fn expire_all_for_user(
+        &self,
+        user_id: AdminUserId,
+    ) -> Result<u64, ApiKeyRepositoryError> {
+        let res = sqlx::query(
+            "UPDATE api_keys \
+             SET expires_at = NOW() \
+             WHERE user_id = $1 \
+               AND (expires_at IS NULL OR expires_at > NOW())",
+        )
+        .bind(user_id.into_inner())
+        .execute(&self.pool)
+        .await?;
+        Ok(res.rows_affected())
+    }
+}
+
+#[derive(sqlx::FromRow)]
+struct ApiKeyRecord {
+    id: uuid::Uuid,
+    user_id: uuid::Uuid,
+    prefix: String,
+    name: String,
+    scopes: Vec<String>,
+    app_id: Option<uuid::Uuid>,
+    expires_at: Option<DateTime<Utc>>,
+    last_used_at: Option<DateTime<Utc>>,
+    created_at: DateTime<Utc>,
+}
+
+impl TryFrom<ApiKeyRecord> for ApiKeyRow {
+    type Error = ApiKeyRepositoryError;
+    fn try_from(r: ApiKeyRecord) -> Result<Self, Self::Error> {
+        Ok(Self {
+            id: r.id.into(),
+            user_id: r.user_id.into(),
+            prefix: r.prefix,
+            name: r.name,
+            scopes: parse_scopes(r.scopes)?,
+            app_id: r.app_id.map(Into::into),
+            expires_at: r.expires_at,
+            last_used_at: r.last_used_at,
+            created_at: r.created_at,
+        })
+    }
+}
+
+#[derive(sqlx::FromRow)]
+struct ApiKeyVerifyRecord {
+    id: uuid::Uuid,
+    user_id: uuid::Uuid,
+    hash: String,
+    scopes: Vec<String>,
+    app_id: Option<uuid::Uuid>,
+}
+
+impl TryFrom<ApiKeyVerifyRecord> for ApiKeyVerification {
+    type Error = ApiKeyRepositoryError;
+    fn try_from(r: ApiKeyVerifyRecord) -> Result<Self, Self::Error> {
+        Ok(Self {
+            id: r.id.into(),
+            user_id: r.user_id.into(),
+            hash: r.hash,
+            scopes: parse_scopes(r.scopes)?,
+            app_id: r.app_id.map(Into::into),
+        })
+    }
+}
+
+fn parse_scopes(raw: Vec<String>) -> Result<Vec<Scope>, ApiKeyRepositoryError> {
+    raw.into_iter()
+        .map(|s| Scope::from_wire(&s).ok_or(ApiKeyRepositoryError::InvalidScope(s)))
+        .collect()
+}

crates/manager-core/src/api_keys_api.rs

@@ -0,0 +1,251 @@
+//! `/api/v1/admin/api-keys/*` — bearer API key CRUD (blueprint §11.6).
+//!
+//! All endpoints are guarded by `require_authenticated`. Capability
+//! checks: none — every authenticated user manages **their own** keys.
+//! The repo enforces caller ownership on `delete`, and `list` is
+//! scoped to the caller's user_id. No instance-level authority is
+//! exposed (no listing other users' keys, no admin-issued keys for
+//! another user — those flows belong with the invite system).
+//!
+//! Mint semantics:
+//!   * raw token is returned **exactly once** in the POST response and
+//!     never logged. Lose it = mint a new key.
+//!   * `app_id` (optional) binds the key to one app; capability checks
+//!     deny every `App*(other_app)`.
+//!   * scopes containing `instance:*` are rejected when `app_id` is
+//!     set — the combination is irreconcilable.
+
+use std::sync::Arc;
+
+use axum::extract::{Path, State};
+use axum::http::StatusCode;
+use axum::response::{IntoResponse, Json, Response};
+use axum::routing::{delete, get};
+use axum::{Extension, Router};
+use chrono::{DateTime, Utc};
+use picloud_shared::{ApiKeyId, AppId, Principal, Scope};
+use serde::{Deserialize, Serialize};
+use serde_json::json;
+
+use crate::api_key_repo::{ApiKeyRepository, ApiKeyRepositoryError, ApiKeyRow, NewApiKey};
+use crate::auth::generate_api_key;
+
+/// Validation bounds for the user-supplied `name` field — keeps the
+/// dashboard's list view tidy and rejects accidental whole-token
+/// pastes.
+const NAME_MIN: usize = 1;
+const NAME_MAX: usize = 64;
+
+#[derive(Clone)]
+pub struct ApiKeysState {
+    pub keys: Arc<dyn ApiKeyRepository>,
+}
+
+pub fn api_keys_router(state: ApiKeysState) -> Router {
+    Router::new()
+        .route("/api-keys", get(list_keys).post(mint_key))
+        .route("/api-keys/{id}", delete(delete_key))
+        .with_state(state)
+}
+
+// ----------------------------------------------------------------------------
+// DTOs
+// ----------------------------------------------------------------------------
+
+#[derive(Debug, Deserialize)]
+pub struct MintApiKeyRequest {
+    pub name: String,
+    pub scopes: Vec<Scope>,
+    /// When set, the key is bound to this app — every `App*(other)`
+    /// capability is denied regardless of role.
+    #[serde(default)]
+    pub app_id: Option<AppId>,
+    /// When set, lookup rejects the key after this instant. Absent =
+    /// never expires (until explicit DELETE).
+    #[serde(default)]
+    pub expires_at: Option<DateTime<Utc>>,
+}
+
+/// Response body for a freshly-minted key. `raw_token` only appears
+/// here — `GET /api-keys` returns `ApiKeyDto` without it.
+#[derive(Debug, Serialize)]
+pub struct MintApiKeyResponse {
+    #[serde(flatten)]
+    pub key: ApiKeyDto,
+    /// The full wire-format token (`pic_<base32>`). Shown exactly once;
+    /// store it client-side immediately.
+    pub raw_token: String,
+}
+
+#[derive(Debug, Serialize)]
+pub struct ApiKeyDto {
+    pub id: ApiKeyId,
+    pub prefix: String,
+    pub name: String,
+    pub scopes: Vec<Scope>,
+    pub app_id: Option<AppId>,
+    pub expires_at: Option<DateTime<Utc>>,
+    pub last_used_at: Option<DateTime<Utc>>,
+    pub created_at: DateTime<Utc>,
+}
+
+impl From<ApiKeyRow> for ApiKeyDto {
+    fn from(r: ApiKeyRow) -> Self {
+        Self {
+            id: r.id,
+            prefix: r.prefix,
+            name: r.name,
+            scopes: r.scopes,
+            app_id: r.app_id,
+            expires_at: r.expires_at,
+            last_used_at: r.last_used_at,
+            created_at: r.created_at,
+        }
+    }
+}
+
+// ----------------------------------------------------------------------------
+// Handlers
+// ----------------------------------------------------------------------------
+
+async fn mint_key(
+    State(state): State<ApiKeysState>,
+    Extension(principal): Extension<Principal>,
+    Json(input): Json<MintApiKeyRequest>,
+) -> Result<(StatusCode, Json<MintApiKeyResponse>), ApiKeysError> {
+    validate_name(&input.name)?;
+    validate_scopes(&input.scopes, input.app_id)?;
+
+    let minted = generate_api_key().map_err(|e| ApiKeysError::Hash(e.to_string()))?;
+    let row = state
+        .keys
+        .create(NewApiKey {
+            user_id: principal.user_id,
+            hash: minted.hash,
+            prefix: minted.prefix,
+            name: input.name,
+            scopes: input.scopes,
+            app_id: input.app_id,
+            expires_at: input.expires_at,
+        })
+        .await?;
+    Ok((
+        StatusCode::CREATED,
+        Json(MintApiKeyResponse {
+            key: row.into(),
+            raw_token: minted.raw,
+        }),
+    ))
+}
+
+async fn list_keys(
+    State(state): State<ApiKeysState>,
+    Extension(principal): Extension<Principal>,
+) -> Result<Json<Vec<ApiKeyDto>>, ApiKeysError> {
+    let rows = state.keys.list_for_user(principal.user_id).await?;
+    Ok(Json(rows.into_iter().map(Into::into).collect()))
+}
+
+async fn delete_key(
+    State(state): State<ApiKeysState>,
+    Extension(principal): Extension<Principal>,
+    Path(id): Path<ApiKeyId>,
+) -> Result<StatusCode, ApiKeysError> {
+    let deleted = state
+        .keys
+        .delete_by_id_and_user(id, principal.user_id)
+        .await?;
+    if !deleted {
+        // 404 covers both "doesn't exist" and "exists but not yours" —
+        // we deliberately don't leak the distinction.
+        return Err(ApiKeysError::NotFound(id));
+    }
+    Ok(StatusCode::NO_CONTENT)
+}
+
+// ----------------------------------------------------------------------------
+// Validation
+// ----------------------------------------------------------------------------
+
+fn validate_name(s: &str) -> Result<(), ApiKeysError> {
+    let trimmed = s.trim();
+    if trimmed.len() < NAME_MIN || trimmed.len() > NAME_MAX {
+        return Err(ApiKeysError::InvalidName(format!(
+            "name must be {NAME_MIN}-{NAME_MAX} characters after trimming"
+        )));
+    }
+    Ok(())
+}
+
+fn validate_scopes(scopes: &[Scope], app_id: Option<AppId>) -> Result<(), ApiKeysError> {
+    if scopes.is_empty() {
+        return Err(ApiKeysError::InvalidScopes(
+            "scopes must be non-empty".into(),
+        ));
+    }
+    // Bound key + any instance:* scope → irreconcilable.
+    if app_id.is_some() && scopes.iter().any(|s| s.is_instance()) {
+        return Err(ApiKeysError::InvalidScopes(
+            "bound keys (app_id set) cannot carry instance:* scopes".into(),
+        ));
+    }
+    Ok(())
+}
+
+// ----------------------------------------------------------------------------
+// Errors
+// ----------------------------------------------------------------------------
+
+#[derive(Debug, thiserror::Error)]
+pub enum ApiKeysError {
+    #[error("api key not found: {0}")]
+    NotFound(ApiKeyId),
+
+    #[error("{0}")]
+    InvalidName(String),
+
+    #[error("{0}")]
+    InvalidScopes(String),
+
+    #[error("failed to hash key: {0}")]
+    Hash(String),
+
+    #[error("repository error: {0}")]
+    Repo(#[from] ApiKeyRepositoryError),
+}
+
+impl IntoResponse for ApiKeysError {
+    fn into_response(self) -> Response {
+        let (status, message) = match &self {
+            Self::NotFound(_) => (StatusCode::NOT_FOUND, self.to_string()),
+            Self::InvalidName(_) | Self::InvalidScopes(_) => {
+                (StatusCode::UNPROCESSABLE_ENTITY, self.to_string())
+            }
+            Self::Hash(_) => {
+                tracing::error!(error = %self, "api key hash failure");
+                (
+                    StatusCode::INTERNAL_SERVER_ERROR,
+                    "internal error".to_string(),
+                )
+            }
+            Self::Repo(ApiKeyRepositoryError::NotFound(_)) => {
+                (StatusCode::NOT_FOUND, self.to_string())
+            }
+            Self::Repo(ApiKeyRepositoryError::InvalidScope(_)) => {
+                tracing::error!(error = %self, "api key row carries an unknown scope");
+                (
+                    StatusCode::INTERNAL_SERVER_ERROR,
+                    "internal error".to_string(),
+                )
+            }
+            Self::Repo(ApiKeyRepositoryError::Db(e)) => {
+                tracing::error!(error = %e, "api_keys db error");
+                (
+                    StatusCode::INTERNAL_SERVER_ERROR,
+                    "internal error".to_string(),
+                )
+            }
+        };
+        (status, Json(json!({ "error": message }))).into_response()
+    }
+}

crates/manager-core/src/app_members_api.rs

@@ -0,0 +1,331 @@
+//! `/api/v1/admin/apps/{id_or_slug}/members/*` — CRUD over the
+//! `app_members` table (blueprint §11.6).
+//!
+//! Every endpoint is gated on `Capability::AppAdmin(app_id)` after
+//! resolving the app from `id_or_slug`. Editors and viewers receive
+//! 403 from list and never see the dashboard's Members tab.
+//!
+//! POST is **non-idempotent on purpose**: a duplicate `(app_id,
+//! user_id)` returns 409 rather than upsert-200, so the UI can show
+//! "already a member — promote / demote them instead" cleanly. Role
+//! changes go through PATCH.
+//!
+//! No last-app-admin guard: owners always implicitly satisfy
+//! `Capability::AppAdmin(_)` (authz::role_grants), so removing the
+//! final explicit `app_admin` membership cannot orphan an app.
+
+use std::sync::Arc;
+
+use axum::extract::{Path, State};
+use axum::http::StatusCode;
+use axum::response::{IntoResponse, Json, Response};
+use axum::routing::{get, patch};
+use axum::{Extension, Router};
+use chrono::{DateTime, Utc};
+use picloud_shared::{AdminUserId, AppRole, InstanceRole, Principal};
+use serde::{Deserialize, Serialize};
+use serde_json::json;
+use uuid::Uuid;
+
+use crate::admin_user_repo::{AdminUserRepository, AdminUserRepositoryError, AdminUserRow};
+use crate::app_members_repo::{
+    AppMembersRepository, AppMembersRepositoryError, AppMembershipDetail, AppMembershipRow,
+};
+use crate::app_repo::AppRepository;
+use crate::authz::{require, AuthzDenied, AuthzRepo, Capability};
+use crate::repo::ScriptRepositoryError;
+
+#[derive(Clone)]
+pub struct AppMembersState {
+    pub apps: Arc<dyn AppRepository>,
+    pub users: Arc<dyn AdminUserRepository>,
+    pub members: Arc<dyn AppMembersRepository>,
+    pub authz: Arc<dyn AuthzRepo>,
+}
+
+pub fn app_members_router(state: AppMembersState) -> Router {
+    Router::new()
+        .route(
+            "/apps/{id_or_slug}/members",
+            get(list_members).post(grant_member),
+        )
+        .route(
+            "/apps/{id_or_slug}/members/{user_id}",
+            patch(patch_member).delete(remove_member),
+        )
+        .with_state(state)
+}
+
+// ----------------------------------------------------------------------------
+// DTOs
+// ----------------------------------------------------------------------------
+
+#[derive(Debug, Serialize)]
+pub struct AppMemberDto {
+    pub user_id: AdminUserId,
+    pub username: String,
+    pub email: Option<String>,
+    pub instance_role: InstanceRole,
+    pub is_active: bool,
+    pub role: AppRole,
+    pub created_at: DateTime<Utc>,
+}
+
+impl From<AppMembershipDetail> for AppMemberDto {
+    fn from(d: AppMembershipDetail) -> Self {
+        Self {
+            user_id: d.user_id,
+            username: d.username,
+            email: d.email,
+            instance_role: d.instance_role,
+            is_active: d.is_active,
+            role: d.role,
+            created_at: d.created_at,
+        }
+    }
+}
+
+/// Compose a DTO from an `AdminUserRow` (fetched for validation) and
+/// the `AppMembershipRow` returned by `upsert`. Saves a re-fetch on
+/// POST/PATCH at the cost of trusting the two inputs reference the
+/// same user_id — caller's responsibility.
+fn compose_dto(user: AdminUserRow, membership: AppMembershipRow) -> AppMemberDto {
+    AppMemberDto {
+        user_id: user.id,
+        username: user.username,
+        email: user.email,
+        instance_role: user.instance_role,
+        is_active: user.is_active,
+        role: membership.role,
+        created_at: membership.created_at,
+    }
+}
+
+#[derive(Debug, Deserialize)]
+pub struct GrantMemberRequest {
+    pub user_id: AdminUserId,
+    pub role: AppRole,
+}
+
+#[derive(Debug, Deserialize)]
+pub struct PatchMemberRequest {
+    pub role: AppRole,
+}
+
+// ----------------------------------------------------------------------------
+// Handlers
+// ----------------------------------------------------------------------------
+
+async fn list_members(
+    State(s): State<AppMembersState>,
+    Extension(principal): Extension<Principal>,
+    Path(id_or_slug): Path<String>,
+) -> Result<Json<Vec<AppMemberDto>>, AppMembersApiError> {
+    let app = resolve_app(&*s.apps, &id_or_slug).await?;
+    require(s.authz.as_ref(), &principal, Capability::AppAdmin(app.id)).await?;
+    let rows = s.members.list_for_app_enriched(app.id).await?;
+    Ok(Json(rows.into_iter().map(Into::into).collect()))
+}
+
+async fn grant_member(
+    State(s): State<AppMembersState>,
+    Extension(principal): Extension<Principal>,
+    Path(id_or_slug): Path<String>,
+    Json(input): Json<GrantMemberRequest>,
+) -> Result<(StatusCode, Json<AppMemberDto>), AppMembersApiError> {
+    let app = resolve_app(&*s.apps, &id_or_slug).await?;
+    require(s.authz.as_ref(), &principal, Capability::AppAdmin(app.id)).await?;
+
+    let user = s
+        .users
+        .get(input.user_id)
+        .await?
+        .ok_or(AppMembersApiError::UserNotFound(input.user_id))?;
+    validate_grant_target(&user)?;
+
+    // Atomic insert — if a row already exists, returns None and we 409.
+    // Avoids the find-then-upsert race where two concurrent POSTs would
+    // both pass the existence check and the second `upsert` would
+    // silently rewrite the role.
+    let row = s
+        .members
+        .try_insert(app.id, user.id, input.role)
+        .await?
+        .ok_or_else(|| AppMembersApiError::AlreadyMember {
+            username: user.username.clone(),
+        })?;
+    Ok((StatusCode::CREATED, Json(compose_dto(user, row))))
+}
+
+async fn patch_member(
+    State(s): State<AppMembersState>,
+    Extension(principal): Extension<Principal>,
+    Path((id_or_slug, user_id)): Path<(String, Uuid)>,
+    Json(input): Json<PatchMemberRequest>,
+) -> Result<Json<AppMemberDto>, AppMembersApiError> {
+    let app = resolve_app(&*s.apps, &id_or_slug).await?;
+    require(s.authz.as_ref(), &principal, Capability::AppAdmin(app.id)).await?;
+
+    let user_id = AdminUserId::from(user_id);
+    let user = s
+        .users
+        .get(user_id)
+        .await?
+        .ok_or(AppMembersApiError::UserNotFound(user_id))?;
+
+    // Atomic update — returns None if no row exists, so 404 is decided
+    // by the same statement that does the write. Eliminates the
+    // find-then-upsert race where a concurrent DELETE between the two
+    // calls would let PATCH silently re-create the row.
+    let row = s
+        .members
+        .update_role(app.id, user_id, input.role)
+        .await?
+        .ok_or(AppMembersApiError::MembershipNotFound)?;
+    Ok(Json(compose_dto(user, row)))
+}
+
+async fn remove_member(
+    State(s): State<AppMembersState>,
+    Extension(principal): Extension<Principal>,
+    Path((id_or_slug, user_id)): Path<(String, Uuid)>,
+) -> Result<StatusCode, AppMembersApiError> {
+    let app = resolve_app(&*s.apps, &id_or_slug).await?;
+    require(s.authz.as_ref(), &principal, Capability::AppAdmin(app.id)).await?;
+    s.members.remove(app.id, AdminUserId::from(user_id)).await?;
+    Ok(StatusCode::NO_CONTENT)
+}
+
+// ----------------------------------------------------------------------------
+// Validation + helpers
+// ----------------------------------------------------------------------------
+
+fn validate_grant_target(user: &AdminUserRow) -> Result<(), AppMembersApiError> {
+    if !user.is_active {
+        return Err(AppMembersApiError::TargetInactive {
+            username: user.username.clone(),
+        });
+    }
+    if user.instance_role != InstanceRole::Member {
+        return Err(AppMembersApiError::TargetNotMember {
+            username: user.username.clone(),
+            instance_role: user.instance_role,
+        });
+    }
+    Ok(())
+}
+
+async fn resolve_app(
+    apps: &dyn AppRepository,
+    ident: &str,
+) -> Result<picloud_shared::App, AppMembersApiError> {
+    crate::app_repo::resolve_app(apps, ident)
+        .await?
+        .map(|l| l.app)
+        .ok_or_else(|| AppMembersApiError::AppNotFound(ident.to_string()))
+}
+
+// ----------------------------------------------------------------------------
+// Errors
+// ----------------------------------------------------------------------------
+
+#[derive(Debug, thiserror::Error)]
+pub enum AppMembersApiError {
+    #[error("app not found: {0}")]
+    AppNotFound(String),
+
+    #[error("user not found: {0}")]
+    UserNotFound(AdminUserId),
+
+    #[error("no membership exists for this user on this app")]
+    MembershipNotFound,
+
+    #[error("{username} is already a member of this app — use PATCH to change their role")]
+    AlreadyMember { username: String },
+
+    #[error("{username} is deactivated and cannot be added as a member")]
+    TargetInactive { username: String },
+
+    #[error(
+        "{username} has instance_role {instance_role:?} and already has implicit access \
+         on every app — no explicit membership needed"
+    )]
+    TargetNotMember {
+        username: String,
+        instance_role: InstanceRole,
+    },
+
+    #[error("forbidden")]
+    Forbidden,
+
+    #[error("authorization repo error: {0}")]
+    AuthzRepo(String),
+
+    #[error("repository error: {0}")]
+    Members(#[from] AppMembersRepositoryError),
+
+    #[error("user repository error: {0}")]
+    Users(#[from] AdminUserRepositoryError),
+
+    #[error("repository error: {0}")]
+    Apps(#[from] ScriptRepositoryError),
+}
+
+impl From<AuthzDenied> for AppMembersApiError {
+    fn from(d: AuthzDenied) -> Self {
+        match d {
+            AuthzDenied::Denied => Self::Forbidden,
+            AuthzDenied::Repo(e) => Self::AuthzRepo(e.to_string()),
+        }
+    }
+}
+
+impl IntoResponse for AppMembersApiError {
+    fn into_response(self) -> Response {
+        let (status, body) = match &self {
+            Self::AppNotFound(_)
+            | Self::UserNotFound(_)
+            | Self::MembershipNotFound
+            | Self::Apps(ScriptRepositoryError::NotFound(_)) => {
+                (StatusCode::NOT_FOUND, json!({ "error": self.to_string() }))
+            }
+            Self::AlreadyMember { .. } | Self::Apps(ScriptRepositoryError::Conflict(_)) => {
+                (StatusCode::CONFLICT, json!({ "error": self.to_string() }))
+            }
+            Self::TargetInactive { .. } | Self::TargetNotMember { .. } => (
+                StatusCode::UNPROCESSABLE_ENTITY,
+                json!({ "error": self.to_string() }),
+            ),
+            Self::Forbidden => (StatusCode::FORBIDDEN, json!({ "error": self.to_string() })),
+            Self::AuthzRepo(e) => {
+                tracing::error!(error = %e, "app members authz repo error");
+                (
+                    StatusCode::INTERNAL_SERVER_ERROR,
+                    json!({ "error": "internal error" }),
+                )
+            }
+            Self::Members(e) => {
+                tracing::error!(error = %e, "app members repo error");
+                (
+                    StatusCode::INTERNAL_SERVER_ERROR,
+                    json!({ "error": "internal error" }),
+                )
+            }
+            Self::Users(e) => {
+                tracing::error!(error = %e, "admin users repo error");
+                (
+                    StatusCode::INTERNAL_SERVER_ERROR,
+                    json!({ "error": "internal error" }),
+                )
+            }
+            Self::Apps(ScriptRepositoryError::Db(e)) => {
+                tracing::error!(error = %e, "apps repo error in app_members");
+                (
+                    StatusCode::INTERNAL_SERVER_ERROR,
+                    json!({ "error": "internal error" }),
+                )
+            }
+        };
+        (status, Json(body)).into_response()
+    }
+}

crates/manager-core/src/app_members_repo.rs

@@ -0,0 +1,340 @@
+//! CRUD over the `app_members` table — explicit per-(user, app) role
+//! grants for `member` instance-role users. Owners and admins do NOT
+//! appear here; their app authority is implicit (see authz.rs).
+//!
+//! Doubles as the production `AuthzRepo` implementation: the
+//! membership lookup `can()` needs is the same single-row SELECT as
+//! `find` here.
+
+use async_trait::async_trait;
+use chrono::{DateTime, Utc};
+use picloud_shared::{AdminUserId, AppId, AppRole, InstanceRole};
+use sqlx::PgPool;
+
+use crate::authz::{AuthzError, AuthzRepo};
+
+#[derive(Debug, thiserror::Error)]
+pub enum AppMembersRepositoryError {
+    #[error("database error: {0}")]
+    Db(#[from] sqlx::Error),
+
+    #[error("membership row not found: app={app_id}, user={user_id}")]
+    NotFound { app_id: AppId, user_id: AdminUserId },
+
+    #[error("invalid app_role stored in DB: {0}")]
+    InvalidRole(String),
+}
+
+/// One row of `app_members`. Returned by `list_for_user` / `list_for_app`
+/// so handlers can render the cross-reference without joining to apps
+/// or admin_users themselves.
+#[derive(Debug, Clone)]
+pub struct AppMembershipRow {
+    pub app_id: AppId,
+    pub user_id: AdminUserId,
+    pub role: AppRole,
+    pub created_at: DateTime<Utc>,
+}
+
+/// `app_members` row joined with `admin_users` so the dashboard's
+/// Members tab can render usernames / emails / status without an N+1
+/// fetch per row. Drives `GET /apps/{id}/members`.
+#[derive(Debug, Clone)]
+pub struct AppMembershipDetail {
+    pub user_id: AdminUserId,
+    pub username: String,
+    pub email: Option<String>,
+    pub instance_role: InstanceRole,
+    pub is_active: bool,
+    pub role: AppRole,
+    pub created_at: DateTime<Utc>,
+}
+
+#[async_trait]
+pub trait AppMembersRepository: Send + Sync {
+    /// Single (user, app) lookup. Returns `None` for non-members and
+    /// for unrelated apps. This is the hot path for `authz::can`.
+    async fn find(
+        &self,
+        user_id: AdminUserId,
+        app_id: AppId,
+    ) -> Result<Option<AppRole>, AppMembersRepositoryError>;
+
+    /// Upsert a membership. Used both for first-time grants and role
+    /// promotions/demotions on an existing row.
+    async fn upsert(
+        &self,
+        app_id: AppId,
+        user_id: AdminUserId,
+        role: AppRole,
+    ) -> Result<AppMembershipRow, AppMembersRepositoryError>;
+
+    /// Atomic insert. Returns `Some(row)` on success, `None` if a
+    /// membership already exists. Lets the HTTP handler return 409
+    /// without a separate `find` round-trip (no TOCTOU between check
+    /// and insert).
+    async fn try_insert(
+        &self,
+        app_id: AppId,
+        user_id: AdminUserId,
+        role: AppRole,
+    ) -> Result<Option<AppMembershipRow>, AppMembersRepositoryError>;
+
+    /// Atomic role update. Returns `Some(row)` on success, `None` if no
+    /// membership row exists. Lets PATCH return 404 without a separate
+    /// `find` round-trip (no TOCTOU between check and update).
+    async fn update_role(
+        &self,
+        app_id: AppId,
+        user_id: AdminUserId,
+        role: AppRole,
+    ) -> Result<Option<AppMembershipRow>, AppMembersRepositoryError>;
+
+    /// Remove a membership. No-op (Ok) when the row doesn't exist —
+    /// the user wasn't a member, which is the desired post-condition.
+    async fn remove(
+        &self,
+        app_id: AppId,
+        user_id: AdminUserId,
+    ) -> Result<(), AppMembersRepositoryError>;
+
+    /// Every membership the user holds. Drives the membership-filtered
+    /// list endpoints (`GET /admin/apps`, `GET /admin/scripts` for
+    /// `member` callers).
+    async fn list_for_user(
+        &self,
+        user_id: AdminUserId,
+    ) -> Result<Vec<AppMembershipRow>, AppMembersRepositoryError>;
+
+    /// Every membership on a given app. Used by `GET
+    /// /admin/apps/{id}/members` once that surface lands; included now
+    /// so the trait is complete enough for tests.
+    async fn list_for_app(
+        &self,
+        app_id: AppId,
+    ) -> Result<Vec<AppMembershipRow>, AppMembersRepositoryError>;
+
+    /// Like `list_for_app` but joined with `admin_users` so the
+    /// dashboard can render member rows in one round-trip. Ordered by
+    /// username for a stable list.
+    async fn list_for_app_enriched(
+        &self,
+        app_id: AppId,
+    ) -> Result<Vec<AppMembershipDetail>, AppMembersRepositoryError>;
+}
+
+pub struct PostgresAppMembersRepository {
+    pool: PgPool,
+}
+
+impl PostgresAppMembersRepository {
+    #[must_use]
+    pub fn new(pool: PgPool) -> Self {
+        Self { pool }
+    }
+}
+
+#[async_trait]
+impl AppMembersRepository for PostgresAppMembersRepository {
+    async fn find(
+        &self,
+        user_id: AdminUserId,
+        app_id: AppId,
+    ) -> Result<Option<AppRole>, AppMembersRepositoryError> {
+        let row: Option<(String,)> =
+            sqlx::query_as("SELECT role FROM app_members WHERE user_id = $1 AND app_id = $2")
+                .bind(user_id.into_inner())
+                .bind(app_id.into_inner())
+                .fetch_optional(&self.pool)
+                .await?;
+        row.map(|(role,)| {
+            AppRole::from_db_str(&role).ok_or(AppMembersRepositoryError::InvalidRole(role))
+        })
+        .transpose()
+    }
+
+    async fn upsert(
+        &self,
+        app_id: AppId,
+        user_id: AdminUserId,
+        role: AppRole,
+    ) -> Result<AppMembershipRow, AppMembersRepositoryError> {
+        let row = sqlx::query_as::<_, AppMembershipRecord>(
+            "INSERT INTO app_members (app_id, user_id, role) \
+             VALUES ($1, $2, $3) \
+             ON CONFLICT (app_id, user_id) DO UPDATE SET role = EXCLUDED.role \
+             RETURNING app_id, user_id, role, created_at",
+        )
+        .bind(app_id.into_inner())
+        .bind(user_id.into_inner())
+        .bind(role.as_str())
+        .fetch_one(&self.pool)
+        .await?;
+        row.try_into()
+    }
+
+    async fn remove(
+        &self,
+        app_id: AppId,
+        user_id: AdminUserId,
+    ) -> Result<(), AppMembersRepositoryError> {
+        sqlx::query("DELETE FROM app_members WHERE app_id = $1 AND user_id = $2")
+            .bind(app_id.into_inner())
+            .bind(user_id.into_inner())
+            .execute(&self.pool)
+            .await?;
+        Ok(())
+    }
+
+    async fn try_insert(
+        &self,
+        app_id: AppId,
+        user_id: AdminUserId,
+        role: AppRole,
+    ) -> Result<Option<AppMembershipRow>, AppMembersRepositoryError> {
+        let row = sqlx::query_as::<_, AppMembershipRecord>(
+            "INSERT INTO app_members (app_id, user_id, role) \
+             VALUES ($1, $2, $3) \
+             ON CONFLICT (app_id, user_id) DO NOTHING \
+             RETURNING app_id, user_id, role, created_at",
+        )
+        .bind(app_id.into_inner())
+        .bind(user_id.into_inner())
+        .bind(role.as_str())
+        .fetch_optional(&self.pool)
+        .await?;
+        row.map(TryInto::try_into).transpose()
+    }
+
+    async fn update_role(
+        &self,
+        app_id: AppId,
+        user_id: AdminUserId,
+        role: AppRole,
+    ) -> Result<Option<AppMembershipRow>, AppMembersRepositoryError> {
+        let row = sqlx::query_as::<_, AppMembershipRecord>(
+            "UPDATE app_members SET role = $1 \
+             WHERE app_id = $2 AND user_id = $3 \
+             RETURNING app_id, user_id, role, created_at",
+        )
+        .bind(role.as_str())
+        .bind(app_id.into_inner())
+        .bind(user_id.into_inner())
+        .fetch_optional(&self.pool)
+        .await?;
+        row.map(TryInto::try_into).transpose()
+    }
+
+    async fn list_for_user(
+        &self,
+        user_id: AdminUserId,
+    ) -> Result<Vec<AppMembershipRow>, AppMembersRepositoryError> {
+        let rows = sqlx::query_as::<_, AppMembershipRecord>(
+            "SELECT app_id, user_id, role, created_at \
+             FROM app_members WHERE user_id = $1 \
+             ORDER BY created_at",
+        )
+        .bind(user_id.into_inner())
+        .fetch_all(&self.pool)
+        .await?;
+        rows.into_iter().map(TryInto::try_into).collect()
+    }
+
+    async fn list_for_app(
+        &self,
+        app_id: AppId,
+    ) -> Result<Vec<AppMembershipRow>, AppMembersRepositoryError> {
+        let rows = sqlx::query_as::<_, AppMembershipRecord>(
+            "SELECT app_id, user_id, role, created_at \
+             FROM app_members WHERE app_id = $1 \
+             ORDER BY created_at",
+        )
+        .bind(app_id.into_inner())
+        .fetch_all(&self.pool)
+        .await?;
+        rows.into_iter().map(TryInto::try_into).collect()
+    }
+
+    async fn list_for_app_enriched(
+        &self,
+        app_id: AppId,
+    ) -> Result<Vec<AppMembershipDetail>, AppMembersRepositoryError> {
+        let rows = sqlx::query_as::<_, AppMembershipDetailRecord>(
+            "SELECT au.id, au.username, au.email, au.instance_role, au.is_active, \
+                    am.role, am.created_at \
+             FROM app_members am \
+             JOIN admin_users au ON au.id = am.user_id \
+             WHERE am.app_id = $1 \
+             ORDER BY au.username",
+        )
+        .bind(app_id.into_inner())
+        .fetch_all(&self.pool)
+        .await?;
+        rows.into_iter().map(TryInto::try_into).collect()
+    }
+}
+
+/// Forwarding impl so the Postgres repo satisfies `AuthzRepo` directly
+/// — handlers store a single `Arc<dyn AppMembersRepository>` and pass
+/// it to `authz::can` without casting.
+#[async_trait]
+impl AuthzRepo for PostgresAppMembersRepository {
+    async fn membership(
+        &self,
+        user_id: AdminUserId,
+        app_id: AppId,
+    ) -> Result<Option<AppRole>, AuthzError> {
+        self.find(user_id, app_id)
+            .await
+            .map_err(|e| AuthzError::Repo(e.to_string()))
+    }
+}
+
+#[derive(sqlx::FromRow)]
+struct AppMembershipRecord {
+    app_id: uuid::Uuid,
+    user_id: uuid::Uuid,
+    role: String,
+    created_at: DateTime<Utc>,
+}
+
+impl TryFrom<AppMembershipRecord> for AppMembershipRow {
+    type Error = AppMembersRepositoryError;
+    fn try_from(r: AppMembershipRecord) -> Result<Self, Self::Error> {
+        Ok(Self {
+            app_id: r.app_id.into(),
+            user_id: r.user_id.into(),
+            role: AppRole::from_db_str(&r.role)
+                .ok_or(AppMembersRepositoryError::InvalidRole(r.role))?,
+            created_at: r.created_at,
+        })
+    }
+}
+
+#[derive(sqlx::FromRow)]
+struct AppMembershipDetailRecord {
+    id: uuid::Uuid,
+    username: String,
+    email: Option<String>,
+    instance_role: String,
+    is_active: bool,
+    role: String,
+    created_at: DateTime<Utc>,
+}
+
+impl TryFrom<AppMembershipDetailRecord> for AppMembershipDetail {
+    type Error = AppMembersRepositoryError;
+    fn try_from(r: AppMembershipDetailRecord) -> Result<Self, Self::Error> {
+        Ok(Self {
+            user_id: r.id.into(),
+            username: r.username,
+            email: r.email,
+            instance_role: InstanceRole::from_db_str(&r.instance_role)
+                .ok_or(AppMembersRepositoryError::InvalidRole(r.instance_role))?,
+            is_active: r.is_active,
+            role: AppRole::from_db_str(&r.role)
+                .ok_or(AppMembersRepositoryError::InvalidRole(r.role))?,
+            created_at: r.created_at,
+        })
+    }
+}

crates/manager-core/src/app_repo.rs

@@ -6,8 +6,9 @@
 //! that writes the history row in the same transaction.
 
 use async_trait::async_trait;
-use picloud_shared::{App, AppId};
+use picloud_shared::{AdminUserId, App, AppId};
 use sqlx::PgPool;
+use uuid::Uuid;
 
 use crate::repo::ScriptRepositoryError;
 
@@ -20,9 +21,40 @@ pub struct AppLookup {
     pub redirected: bool,
 }
 
+/// Resolve a free-form path param (UUID *or* slug *or* historical slug)
+/// to an `AppLookup`. UUID lookups never set `redirected`; slug lookups
+/// fall through to `app_slug_history` and set `redirected: true` when
+/// they hit it.
+///
+/// Returns `Ok(None)` when nothing matches — callers map that to their
+/// own not-found error variant.
+///
+/// # Errors
+/// Propagates any underlying repository error.
+pub async fn resolve_app(
+    apps: &dyn AppRepository,
+    ident: &str,
+) -> Result<Option<AppLookup>, ScriptRepositoryError> {
+    if let Ok(uuid) = ident.parse::<Uuid>() {
+        return Ok(apps
+            .get_by_id(AppId::from(uuid))
+            .await?
+            .map(|app| AppLookup {
+                app,
+                redirected: false,
+            }));
+    }
+    apps.get_by_slug_or_history(ident).await
+}
+
 #[async_trait]
 pub trait AppRepository: Send + Sync {
+    /// Every app on the instance. For owner/admin callers — `member`
+    /// users go through `list_for_user`.
     async fn list(&self) -> Result<Vec<App>, ScriptRepositoryError>;
+    /// Only apps the user has an `app_members` row for. Drives the
+    /// membership-filtered `GET /admin/apps` for `member` callers.
+    async fn list_for_user(&self, user_id: AdminUserId) -> Result<Vec<App>, ScriptRepositoryError>;
     async fn get_by_id(&self, id: AppId) -> Result<Option<App>, ScriptRepositoryError>;
     async fn get_by_slug(&self, slug: &str) -> Result<Option<App>, ScriptRepositoryError>;
     async fn get_by_slug_or_history(
@@ -92,6 +124,20 @@ impl AppRepository for PostgresAppRepository {
         Ok(rows.into_iter().map(Into::into).collect())
     }
 
+    async fn list_for_user(&self, user_id: AdminUserId) -> Result<Vec<App>, ScriptRepositoryError> {
+        let rows = sqlx::query_as::<_, AppRow>(
+            "SELECT a.id, a.slug, a.name, a.description, a.created_at, a.updated_at \
+             FROM apps a \
+             JOIN app_members m ON m.app_id = a.id \
+             WHERE m.user_id = $1 \
+             ORDER BY a.name",
+        )
+        .bind(user_id.into_inner())
+        .fetch_all(&self.pool)
+        .await?;
+        Ok(rows.into_iter().map(Into::into).collect())
+    }
+
     async fn get_by_id(&self, id: AppId) -> Result<Option<App>, ScriptRepositoryError> {
         let row = sqlx::query_as::<_, AppRow>(
             "SELECT id, slug, name, description, created_at, updated_at \

crates/manager-core/src/apps_api.rs

@@ -15,15 +15,16 @@ use axum::extract::{Path, Query, State};
 use axum::http::StatusCode;
 use axum::response::{IntoResponse, Json, Response};
 use axum::routing::{delete, get, post};
-use axum::Router;
+use axum::{Extension, Router};
 use picloud_orchestrator_core::routing::{pattern, AppDomainTable, CompiledAppDomain};
-use picloud_shared::{App, AppDomain, AppId};
+use picloud_shared::{App, AppDomain, AppId, AppRole, InstanceRole, Principal};
 use serde::{Deserialize, Serialize};
 use serde_json::json;
 use uuid::Uuid;
 
 use crate::app_domain_repo::{AppDomainRepository, NewAppDomain};
 use crate::app_repo::AppRepository;
+use crate::authz::{require, AuthzDenied, AuthzError, AuthzRepo, Capability};
 use crate::repo::ScriptRepositoryError;
 use crate::route_repo::RouteRepository;
 
@@ -41,6 +42,8 @@ pub struct AppsState {
     /// Cached host → app_id lookup; replaced after every domain CRUD
     /// operation so the orchestrator sees changes immediately.
     pub domain_table: Arc<AppDomainTable>,
+    /// Capability gate — Phase 3.5.
+    pub authz: Arc<dyn AuthzRepo>,
 }
 
 pub fn apps_router(state: AppsState) -> Router {
@@ -138,20 +141,39 @@ pub struct AppLookupResponse {
     /// at the live slug so dashboards can redirect.
     #[serde(skip_serializing_if = "Option::is_none")]
     pub redirect_to: Option<String>,
+    /// The caller's role on this app, used by the dashboard to decide
+    /// whether to render admin-only surfaces (Members tab, settings).
+    /// `Owner` and `Admin` both map to `app_admin` (implicit per
+    /// blueprint §11.6); `Member` carries its explicit
+    /// `app_members.role`.
+    pub my_role: Option<AppRole>,
 }
 
 // ----------------------------------------------------------------------------
 // Handlers
 // ----------------------------------------------------------------------------
 
-async fn list_apps(State(s): State<AppsState>) -> Result<Json<Vec<App>>, AppsApiError> {
+async fn list_apps(
-    Ok(Json(s.apps.list().await?))
+    State(s): State<AppsState>,
+    Extension(principal): Extension<Principal>,
+) -> Result<Json<Vec<App>>, AppsApiError> {
+    // Member callers see only apps they're a member of; owner/admin
+    // see everything. Filter at the SQL layer (not just in the
+    // dashboard) — that's the strict-isolation guarantee from §11.6.
+    let apps = if principal.instance_role == InstanceRole::Member {
+        s.apps.list_for_user(principal.user_id).await?
+    } else {
+        s.apps.list().await?
+    };
+    Ok(Json(apps))
 }
 
 async fn create_app(
     State(s): State<AppsState>,
+    Extension(principal): Extension<Principal>,
     Json(input): Json<CreateAppRequest>,
 ) -> Result<(StatusCode, Json<App>), AppsApiError> {
+    require(s.authz.as_ref(), &principal, Capability::InstanceCreateApp).await?;
     validate_slug(&input.slug)?;
 
     // Historical-slug check before insert: if the slug is in history
@@ -178,26 +200,58 @@ async fn create_app(
 
 async fn get_app(
     State(s): State<AppsState>,
+    Extension(principal): Extension<Principal>,
     Path(id_or_slug): Path<String>,
 ) -> Result<Json<AppLookupResponse>, AppsApiError> {
     let lookup = resolve_app(&*s.apps, &id_or_slug).await?;
+    require(
+        s.authz.as_ref(),
+        &principal,
+        Capability::AppRead(lookup.app.id),
+    )
+    .await?;
     let redirect_to = if lookup.redirected {
         Some(lookup.app.slug.clone())
     } else {
         None
     };
+    let my_role = compute_my_role(s.authz.as_ref(), &principal, lookup.app.id).await?;
     Ok(Json(AppLookupResponse {
         app: lookup.app,
         redirect_to,
+        my_role,
     }))
 }
 
+/// Compute the caller's effective `AppRole` on a specific app. Mirrors
+/// the implicit-grant logic in `authz::role_grants` but returns the
+/// role itself (for UI gating) rather than a yes/no decision. `Owner`
+/// and `Admin` are both implicit `AppAdmin` everywhere; `Member`
+/// consults `app_members`.
+async fn compute_my_role(
+    authz: &dyn AuthzRepo,
+    principal: &Principal,
+    app_id: AppId,
+) -> Result<Option<AppRole>, AppsApiError> {
+    match principal.instance_role {
+        InstanceRole::Owner | InstanceRole::Admin => Ok(Some(AppRole::AppAdmin)),
+        InstanceRole::Member => Ok(authz.membership(principal.user_id, app_id).await?),
+    }
+}
+
 async fn patch_app(
     State(s): State<AppsState>,
+    Extension(principal): Extension<Principal>,
     Path(id_or_slug): Path<String>,
     Json(input): Json<PatchAppRequest>,
 ) -> Result<Json<App>, AppsApiError> {
     let current = resolve_app(&*s.apps, &id_or_slug).await?.app;
+    require(
+        s.authz.as_ref(),
+        &principal,
+        Capability::AppAdmin(current.id),
+    )
+    .await?;
 
     // Edits to name/description go first (separate from rename so we
     // don't conflate the two errors).
@@ -240,10 +294,12 @@ async fn patch_app(
 
 async fn delete_app(
     State(s): State<AppsState>,
+    Extension(principal): Extension<Principal>,
     Path(id_or_slug): Path<String>,
     Query(q): Query<DeleteAppQuery>,
 ) -> Result<StatusCode, AppsApiError> {
     let app = resolve_app(&*s.apps, &id_or_slug).await?.app;
+    require(s.authz.as_ref(), &principal, Capability::AppAdmin(app.id)).await?;
 
     if q.force {
         s.apps.delete_cascade(app.id).await?;
@@ -262,9 +318,12 @@ async fn delete_app(
 
 async fn slug_check(
     State(s): State<AppsState>,
-    Path(_id_or_slug): Path<String>,
+    Extension(principal): Extension<Principal>,
+    Path(id_or_slug): Path<String>,
     Json(input): Json<SlugCheckRequest>,
 ) -> Result<Json<SlugCheckResponse>, AppsApiError> {
+    let app = resolve_app(&*s.apps, &id_or_slug).await?.app;
+    require(s.authz.as_ref(), &principal, Capability::AppAdmin(app.id)).await?;
     match validate_slug(&input.new_slug) {
         Err(AppsApiError::InvalidSlug(reason)) => {
             return Ok(Json(SlugCheckResponse {
@@ -303,18 +362,27 @@ async fn slug_check(
 
 async fn list_domains(
     State(s): State<AppsState>,
+    Extension(principal): Extension<Principal>,
     Path(id_or_slug): Path<String>,
 ) -> Result<Json<Vec<AppDomain>>, AppsApiError> {
     let app = resolve_app(&*s.apps, &id_or_slug).await?.app;
+    require(s.authz.as_ref(), &principal, Capability::AppRead(app.id)).await?;
     Ok(Json(s.domains.list_for_app(app.id).await?))
 }
 
 async fn create_domain(
     State(s): State<AppsState>,
+    Extension(principal): Extension<Principal>,
     Path(id_or_slug): Path<String>,
     Json(input): Json<CreateDomainRequest>,
 ) -> Result<(StatusCode, Json<AppDomain>), AppsApiError> {
     let app = resolve_app(&*s.apps, &id_or_slug).await?.app;
+    require(
+        s.authz.as_ref(),
+        &principal,
+        Capability::AppManageDomains(app.id),
+    )
+    .await?;
     let parsed = pattern::parse_app_domain(&input.pattern)?;
     let created = s
         .domains
@@ -331,9 +399,16 @@ async fn create_domain(
 
 async fn delete_domain(
     State(s): State<AppsState>,
+    Extension(principal): Extension<Principal>,
     Path((id_or_slug, domain_id)): Path<(String, Uuid)>,
 ) -> Result<StatusCode, AppsApiError> {
     let app = resolve_app(&*s.apps, &id_or_slug).await?.app;
+    require(
+        s.authz.as_ref(),
+        &principal,
+        Capability::AppManageDomains(app.id),
+    )
+    .await?;
     let Some(domain) = s.domains.get(domain_id).await? else {
         return Err(AppsApiError::DomainNotFound(domain_id));
     };
@@ -378,16 +453,7 @@ async fn resolve_app(
     apps: &dyn AppRepository,
     ident: &str,
 ) -> Result<crate::app_repo::AppLookup, AppsApiError> {
-    if let Ok(uuid) = ident.parse::<Uuid>() {
+    crate::app_repo::resolve_app(apps, ident)
-        if let Some(app) = apps.get_by_id(AppId::from(uuid)).await? {
-            return Ok(crate::app_repo::AppLookup {
-                app,
-                redirected: false,
-            });
-        }
-        return Err(AppsApiError::AppNotFound(ident.to_string()));
-    }
-    apps.get_by_slug_or_history(ident)
         .await?
         .ok_or_else(|| AppsApiError::AppNotFound(ident.to_string()))
 }
@@ -476,10 +542,31 @@ pub enum AppsApiError {
     #[error("conflict: {0}")]
     Conflict(String),
 
+    #[error("forbidden")]
+    Forbidden,
+
+    #[error("authorization repo error: {0}")]
+    AuthzRepo(String),
+
     #[error("repository error: {0}")]
     Repo(#[from] ScriptRepositoryError),
 }
 
+impl From<AuthzDenied> for AppsApiError {
+    fn from(d: AuthzDenied) -> Self {
+        match d {
+            AuthzDenied::Denied => Self::Forbidden,
+            AuthzDenied::Repo(e) => Self::AuthzRepo(e.to_string()),
+        }
+    }
+}
+
+impl From<AuthzError> for AppsApiError {
+    fn from(e: AuthzError) -> Self {
+        Self::AuthzRepo(e.to_string())
+    }
+}
+
 impl IntoResponse for AppsApiError {
     fn into_response(self) -> Response {
         let (status, body) = match &self {
@@ -511,6 +598,14 @@ impl IntoResponse for AppsApiError {
             Self::Conflict(_) | Self::Repo(ScriptRepositoryError::Conflict(_)) => {
                 (StatusCode::CONFLICT, json!({ "error": self.to_string() }))
             }
+            Self::Forbidden => (StatusCode::FORBIDDEN, json!({ "error": self.to_string() })),
+            Self::AuthzRepo(e) => {
+                tracing::error!(error = %e, "apps authz repo error");
+                (
+                    StatusCode::INTERNAL_SERVER_ERROR,
+                    json!({ "error": "internal error" }),
+                )
+            }
             Self::Repo(ScriptRepositoryError::Db(e)) => {
                 tracing::error!(error = %e, "apps api db error");
                 (

crates/manager-core/src/auth.rs

@@ -13,6 +13,7 @@ use argon2::password_hash::{PasswordHash, PasswordHasher, PasswordVerifier, Salt
 use argon2::Argon2;
 use base64::engine::general_purpose::URL_SAFE_NO_PAD;
 use base64::Engine as _;
+use data_encoding::BASE32_NOPAD;
 use rand::rngs::OsRng;
 use rand::RngCore;
 use sha2::{Digest, Sha256};
@@ -93,6 +94,66 @@ fn hex(bytes: &[u8]) -> String {
     out
 }
 
+// ----------------------------------------------------------------------------
+// API key generation (Phase 3.5)
+// ----------------------------------------------------------------------------
+
+/// Wire-format prefix that marks a Bearer value as an API key (vs. a
+/// session token). Mirrors `auth_middleware::API_KEY_PREFIX` so the
+/// generator and the verifier agree.
+pub const API_KEY_WIRE_PREFIX: &str = "pic_";
+
+/// Length of the indexed prefix portion (the first 8 chars of the
+/// `pic_`-stripped body). Mirrors `auth_middleware::API_KEY_PREFIX_LEN`.
+pub const API_KEY_INDEX_PREFIX_LEN: usize = 8;
+
+/// Newly minted API key — returned exactly once by `POST /api/v1/admin/api-keys`.
+///
+/// * `raw` is the full wire-format token (`pic_<base32>`) shown to the
+///   caller in the response body and never persisted.
+/// * `prefix` is the indexed 8-char slice persisted to
+///   `api_keys.prefix` for lookup.
+/// * `hash` is the Argon2id PHC string persisted to `api_keys.hash`;
+///   covers the body after `pic_` (i.e., `raw[4..]`).
+pub struct GeneratedApiKey {
+    pub raw: String,
+    pub prefix: String,
+    pub hash: String,
+}
+
+/// Generate a fresh API key. 32 random bytes → unpadded base32, then
+/// `pic_` prefix on the wire. The first 8 base32 chars are the index
+/// key; everything after `pic_` is what the verifier hashes.
+///
+/// # Errors
+///
+/// Returns `argon2::password_hash::Error` if the Argon2 hash step
+/// fails (which it shouldn't under normal conditions).
+pub fn generate_api_key() -> Result<GeneratedApiKey, argon2::password_hash::Error> {
+    let mut bytes = [0u8; 32];
+    OsRng.fill_bytes(&mut bytes);
+    let body = BASE32_NOPAD.encode(&bytes);
+    debug_assert!(
+        body.len() >= API_KEY_INDEX_PREFIX_LEN,
+        "32 bytes base32 must exceed the 8-char prefix length"
+    );
+    let prefix = body[..API_KEY_INDEX_PREFIX_LEN].to_string();
+    let salt = SaltString::generate(&mut ArgonRng);
+    let hash = Argon2::default()
+        .hash_password(body.as_bytes(), &salt)?
+        .to_string();
+    let raw = format!("{API_KEY_WIRE_PREFIX}{body}");
+    Ok(GeneratedApiKey { raw, prefix, hash })
+}
+
+/// Verify a wire-format token body (the portion *after* `pic_`)
+/// against a stored Argon2id hash. Convenience wrapper around
+/// `verify_password` named to reflect its caller.
+#[must_use]
+pub fn verify_api_key(stored_hash: &str, presented_body: &str) -> bool {
+    verify_password(stored_hash, presented_body)
+}
+
 #[cfg(test)]
 mod tests {
     use super::*;
@@ -129,4 +190,42 @@ mod tests {
         assert_eq!(a.hash, hash_token(&a.raw), "hash must be reproducible");
         assert_eq!(a.hash.len(), 64, "sha256-hex is 64 chars");
     }
+
+    #[test]
+    fn generate_api_key_round_trip() {
+        let key = generate_api_key().expect("mint");
+        assert!(
+            key.raw.starts_with(API_KEY_WIRE_PREFIX),
+            "raw must carry the pic_ prefix"
+        );
+        let body = key
+            .raw
+            .strip_prefix(API_KEY_WIRE_PREFIX)
+            .expect("starts with prefix");
+        assert_eq!(
+            &body[..API_KEY_INDEX_PREFIX_LEN],
+            key.prefix,
+            "stored prefix matches the first 8 chars of the body"
+        );
+        assert!(
+            verify_api_key(&key.hash, body),
+            "Argon2 verify must accept the original body"
+        );
+        assert!(
+            !verify_api_key(&key.hash, "wrong-body-entirely"),
+            "Argon2 verify must reject anything else"
+        );
+    }
+
+    #[test]
+    fn generate_api_key_unique() {
+        let a = generate_api_key().expect("mint a");
+        let b = generate_api_key().expect("mint b");
+        assert_ne!(a.raw, b.raw);
+        assert_ne!(a.hash, b.hash);
+        assert_ne!(
+            a.prefix, b.prefix,
+            "32 random bytes → prefix collision is negligible"
+        );
+    }
 }

crates/manager-core/src/auth_api.rs

@@ -18,12 +18,14 @@ use axum::response::{IntoResponse, Json, Response};
 use axum::routing::{get, post};
 use axum::Router;
 use chrono::{DateTime, Duration as ChronoDuration, Utc};
-use picloud_shared::AdminUserId;
+use picloud_shared::{AdminUserId, InstanceRole};
 use serde::{Deserialize, Serialize};
 use serde_json::json;
 
+use picloud_shared::Principal;
+
 use crate::auth::{generate_session_token, hash_token, verify_password};
-use crate::auth_middleware::{require_admin, AuthState, AuthedAdmin, SESSION_COOKIE};
+use crate::auth_middleware::{require_authenticated, AuthState, SESSION_COOKIE};
 
 pub fn auth_router(state: AuthState) -> Router {
     // /login + /logout are unguarded (login is how you get in; logout
@@ -31,7 +33,7 @@ pub fn auth_router(state: AuthState) -> Router {
     // who you are, so the middleware must run first.
     let guarded = Router::new()
         .route("/auth/me", get(me))
-        .route_layer(from_fn_with_state(state.clone(), require_admin));
+        .route_layer(from_fn_with_state(state.clone(), require_authenticated));
 
     Router::new()
         .route("/auth/login", post(login))
@@ -61,6 +63,8 @@ pub struct LoginResponse {
 pub struct AdminUserDto {
     pub id: AdminUserId,
     pub username: String,
+    pub instance_role: InstanceRole,
+    pub email: Option<String>,
 }
 
 // ----------------------------------------------------------------------------
@@ -85,9 +89,11 @@ async fn login(State(state): State<AuthState>, Json(input): Json<LoginRequest>)
         }
     };
 
-    let (stored_hash, user_id, username, is_active) = match creds {
+    // username from creds is discarded — the re-fetch below carries the
-        Some(c) => (c.password_hash, Some(c.id), c.username, c.is_active),
+    // canonical row used in the response DTO.
-        None => (DUMMY_HASH.to_string(), None, String::new(), false),
+    let (stored_hash, user_id, is_active) = match creds {
+        Some(c) => (c.password_hash, Some(c.id), c.is_active),
+        None => (DUMMY_HASH.to_string(), None, false),
     };
 
     let password_ok = verify_password(&stored_hash, &input.password);
@@ -96,6 +102,18 @@ async fn login(State(state): State<AuthState>, Json(input): Json<LoginRequest>)
     }
     let user_id = user_id.unwrap();
 
+    // Re-fetch the full row so the login response carries the same
+    // shape /me does (instance_role, email). The credentials struct
+    // intentionally omits email; one extra query per login is fine.
+    let user_row = match state.users.get(user_id).await {
+        Ok(Some(row)) => row,
+        Ok(None) => return invalid_credentials(),
+        Err(err) => {
+            tracing::error!(?err, "admin_users lookup after login failed");
+            return internal_error();
+        }
+    };
+
     let token = generate_session_token();
     let expires_at = Utc::now()
         + ChronoDuration::from_std(state.ttl).unwrap_or_else(|_| ChronoDuration::hours(24));
@@ -128,8 +146,10 @@ async fn login(State(state): State<AuthState>, Json(input): Json<LoginRequest>)
         headers,
         Json(LoginResponse {
             user: AdminUserDto {
-                id: user_id,
+                id: user_row.id,
-                username,
+                username: user_row.username,
+                instance_role: user_row.instance_role,
+                email: user_row.email,
             },
             token: token.raw,
             expires_at,
@@ -158,11 +178,27 @@ async fn logout(State(state): State<AuthState>, req: Request<Body>) -> Response
     (StatusCode::NO_CONTENT, headers).into_response()
 }
 
-async fn me(Extension(admin): Extension<AuthedAdmin>) -> Json<AdminUserDto> {
+async fn me(
-    Json(AdminUserDto {
+    State(state): State<AuthState>,
-        id: admin.id,
+    Extension(principal): Extension<Principal>,
-        username: admin.username,
+) -> Response {
+    // /me consumes the resolved Principal directly; we re-fetch the
+    // user row only to surface a fresh username (it can change via
+    // PATCH while a session/key is still valid).
+    match state.users.get(principal.user_id).await {
+        Ok(Some(row)) => Json(AdminUserDto {
+            id: row.id,
+            username: row.username,
+            instance_role: row.instance_role,
+            email: row.email,
         })
+        .into_response(),
+        Ok(None) => invalid_credentials(),
+        Err(err) => {
+            tracing::error!(?err, "admin_users lookup for /me failed");
+            internal_error()
+        }
+    }
 }
 
 // ----------------------------------------------------------------------------

crates/manager-core/src/auth_bootstrap.rs

@@ -116,7 +116,16 @@ pub async fn bootstrap_first_admin_with<R: AdminUserRepository + ?Sized>(
         (None, None) => return Err(BootstrapError::MissingPassword),
     };
 
-    repo.create(&username, &password_hash).await?;
+    // Bootstrap admin is always seeded as Owner — Phase 3.5 keys the
+    // first row to full instance control. Subsequent admins minted via
+    // the API default to Admin and can be promoted explicitly.
+    repo.create(
+        &username,
+        &password_hash,
+        picloud_shared::InstanceRole::Owner,
+        None,
+    )
+    .await?;
     info!(username = %username, "bootstrapped initial admin user");
     Ok(())
 }
@@ -130,7 +139,7 @@ mod tests {
     use super::*;
     use async_trait::async_trait;
     use chrono::Utc;
-    use picloud_shared::AdminUserId;
+    use picloud_shared::{AdminUserId, InstanceRole};
     use std::sync::Mutex;
 
     use crate::admin_user_repo::{AdminUserCredentials, AdminUserRepositoryError, AdminUserRow};
@@ -167,11 +176,15 @@ mod tests {
             &self,
             username: &str,
             _password_hash: &str,
+            instance_role: InstanceRole,
+            email: Option<&str>,
         ) -> Result<AdminUserRow, AdminUserRepositoryError> {
             let row = AdminUserRow {
                 id: AdminUserId::new(),
                 username: username.to_string(),
                 is_active: true,
+                instance_role,
+                email: email.map(str::to_string),
                 created_at: Utc::now(),
                 updated_at: Utc::now(),
                 last_login_at: None,
@@ -193,6 +206,20 @@ mod tests {
         ) -> Result<AdminUserRow, AdminUserRepositoryError> {
             unimplemented!()
         }
+        async fn update_email(
+            &self,
+            _i: AdminUserId,
+            _e: Option<&str>,
+        ) -> Result<AdminUserRow, AdminUserRepositoryError> {
+            unimplemented!()
+        }
+        async fn update_instance_role(
+            &self,
+            _i: AdminUserId,
+            _r: InstanceRole,
+        ) -> Result<AdminUserRow, AdminUserRepositoryError> {
+            unimplemented!()
+        }
         async fn set_active(
             &self,
             _i: AdminUserId,
@@ -215,6 +242,15 @@ mod tests {
         ) -> Result<i64, AdminUserRepositoryError> {
             unimplemented!()
         }
+        async fn list_active_owners(&self) -> Result<Vec<AdminUserRow>, AdminUserRepositoryError> {
+            unimplemented!()
+        }
+        async fn count_other_active_owners(
+            &self,
+            _i: AdminUserId,
+        ) -> Result<i64, AdminUserRepositoryError> {
+            unimplemented!()
+        }
     }
 
     #[tokio::test]
@@ -245,7 +281,9 @@ mod tests {
     #[tokio::test]
     async fn populated_db_is_noop() {
         let repo = InMemoryRepo::default();
-        repo.create("seeded", "x").await.unwrap();
+        repo.create("seeded", "x", InstanceRole::Owner, None)
+            .await
+            .unwrap();
         let env = BootstrapEnv {
             username: Some("alice".into()),
             password: Some("supersecret".into()),

crates/manager-core/src/auth_middleware.rs

@@ -1,12 +1,17 @@
-//! `require_admin` axum middleware: gates a router on a valid admin
+//! Authentication middleware — resolves the caller's `Principal` from
-//! session. Accepts the token from either the `picloud_session` cookie
+//! either a session cookie / Bearer session-token OR an API key
-//! or an `Authorization: Bearer …` header — same token system serves
+//! (`Authorization: Bearer pic_…`). Both paths converge on the same
-//! the dashboard and CLI/CI clients.
+//! request extension so downstream handlers see one shape.
 //!
-//! On success, injects `AuthedAdmin` as a request extension so handlers
+//! Capability checks live in `crate::authz` and are called per-handler
-//! can `Extension<AuthedAdmin>` to know who's calling. On failure,
+//! (after the relevant resource is loaded, so the capability binds to
-//! returns 401 with a generic JSON body (no enumeration about whether
+//! the actual resource's `app_id`). This middleware is gate-only: it
-//! the token was wrong vs. the user was deactivated).
+//! ensures *some* `Principal` is attached, or returns 401.
+//!
+//! Token discriminator: the `pic_` prefix on a Bearer value selects
+//! the API-key path; anything else (raw 32-byte base64-url-encoded
+//! string) takes the session path. The session cookie can only ever
+//! carry a session token (cookies are never API keys).
 
 use std::sync::Arc;
 use std::time::Duration;
@@ -17,35 +22,51 @@ use axum::http::{header, StatusCode};
 use axum::middleware::Next;
 use axum::response::{IntoResponse, Json, Response};
 use chrono::Utc;
-use picloud_shared::AdminUserId;
+use picloud_shared::{AdminUserId, Principal};
 use serde_json::json;
 
 use crate::admin_session_repo::AdminSessionRepository;
 use crate::admin_user_repo::AdminUserRepository;
-use crate::auth::hash_token;
+use crate::api_key_repo::{ApiKeyRepository, ApiKeyVerification};
+use crate::auth::{hash_token, verify_password};
 
 pub const SESSION_COOKIE: &str = "picloud_session";
 
-/// Shared state for auth: the two repos plus the configured sliding
+/// Prefix on the wire that selects the API-key path. The body that
-/// session TTL. Cheap to clone (`Arc` everywhere).
+/// follows is `base32(32 random bytes)`; the first 8 chars of the body
+/// index into `api_keys.prefix` for verification.
+pub const API_KEY_PREFIX: &str = "pic_";
+
+/// Length of the indexed prefix portion of an API key (the 8 chars
+/// immediately after `pic_`). Schema-side index is on this slice.
+pub const API_KEY_PREFIX_LEN: usize = 8;
+
+/// Shared state for auth: the user / session / API-key repos plus the
+/// configured sliding session TTL. Cheap to clone (`Arc` everywhere).
 #[derive(Clone)]
 pub struct AuthState {
     pub users: Arc<dyn AdminUserRepository>,
     pub sessions: Arc<dyn AdminSessionRepository>,
+    pub keys: Arc<dyn ApiKeyRepository>,
     pub ttl: Duration,
 }
 
-/// Request-extension type that authenticated handlers extract via
+/// Legacy request-extension alias retained so the (only remaining)
-/// `Extension<AuthedAdmin>`. Available only inside guarded routers.
+/// handler that pulled `AuthedAdmin` out — `GET /admin/auth/me` —
+/// keeps compiling during the migration. New handlers should pull
+/// `Extension<Principal>` directly.
+#[deprecated(note = "use Extension<Principal> directly")]
 #[derive(Debug, Clone)]
 pub struct AuthedAdmin {
     pub id: AdminUserId,
     pub username: String,
 }
 
-/// Middleware function. Wire with
+/// Middleware entry point. Wire with
-/// `axum::middleware::from_fn_with_state(auth_state, require_admin)`.
+/// `axum::middleware::from_fn_with_state(auth_state, require_authenticated)`.
-pub async fn require_admin(
+/// Inserts `Principal` (and the legacy `AuthedAdmin`) as request
+/// extensions on success; returns 401 on any failure mode.
+pub async fn require_authenticated(
     State(state): State<AuthState>,
     mut req: Request<Body>,
     next: Next,
@@ -53,48 +74,191 @@ pub async fn require_admin(
     let Some(token) = extract_token(&req) else {
         return unauthorized();
     };
-    let token_hash = hash_token(&token);
+    let principal = match resolve_principal(&state, &token).await {
+        Ok(Some(p)) => p,
+        Ok(None) => return unauthorized(),
+        Err(InternalError) => return internal_error(),
+    };
+
+    let username_for_legacy = username_for(&state, principal.user_id).await;
+    req.extensions_mut().insert(principal.clone());
+    #[allow(deprecated)]
+    if let Some(username) = username_for_legacy {
+        req.extensions_mut().insert(AuthedAdmin {
+            id: principal.user_id,
+            username,
+        });
+    }
+    next.run(req).await
+}
+
+/// Backwards-compatible alias — the single callsite that still names
+/// `require_admin` keeps working without an immediate rename. New
+/// wiring should call `require_authenticated`.
+#[deprecated(note = "renamed to require_authenticated")]
+pub async fn require_admin(state: State<AuthState>, req: Request<Body>, next: Next) -> Response {
+    require_authenticated(state, req, next).await
+}
+
+/// Opportunistic data-plane variant: always inserts an
+/// `Extension<Option<Principal>>` and forwards the request. Used on
+/// `/execute/{id}` and the user-route fallback, where most invocations
+/// are anonymous public HTTP and the few authed ones (dashboard
+/// test-runs, API keys) should still let scripts see the caller via
+/// `cx.principal` once services consume it.
+///
+/// Failure modes — all degrade to `None` rather than rejecting:
+///   * No bearer / cookie → `None`.
+///   * Malformed or unknown token → `None`.
+///   * DB blip while resolving → `None` (fail-open; the data plane
+///     should not 500 on transient infra failures for an *optional*
+///     identity check).
+///
+/// Admin-side routes that REQUIRE an identity keep using
+/// `require_authenticated`.
+pub async fn attach_principal_if_present(
+    State(state): State<AuthState>,
+    mut req: Request<Body>,
+    next: Next,
+) -> Response {
+    let principal: Option<Principal> = match extract_token(&req) {
+        Some(token) => resolve_principal(&state, &token).await.unwrap_or(None),
+        None => None,
+    };
+    req.extensions_mut().insert(principal);
+    next.run(req).await
+}
+
+/// Decide whether the token is an API key (pic_ prefix) or a session
+/// token, then resolve the corresponding `Principal`. `Ok(None)`
+/// means the token was structurally valid but didn't match any active
+/// credential; `Err(InternalError)` means a DB blip.
+async fn resolve_principal(
+    state: &AuthState,
+    token: &str,
+) -> Result<Option<Principal>, InternalError> {
+    if let Some(rest) = token.strip_prefix(API_KEY_PREFIX) {
+        return verify_api_key(state, rest).await;
+    }
+    verify_session(state, token).await
+}
+
+async fn verify_session(
+    state: &AuthState,
+    token: &str,
+) -> Result<Option<Principal>, InternalError> {
+    let token_hash = hash_token(token);
 
     let lookup = match state.sessions.lookup(&token_hash).await {
-        Ok(Some(lookup)) => lookup,
+        Ok(Some(l)) => l,
-        Ok(None) => return unauthorized(),
+        Ok(None) => return Ok(None),
         Err(err) => {
             tracing::error!(?err, "admin_sessions lookup failed");
-            return internal_error();
+            return Err(InternalError);
         }
     };
 
-    // Resolve the user. A deleted user is impossible here (FK cascade
-    // wipes their sessions), but a deactivated user still needs to be
-    // rejected — and so does the edge case of a session predating the
-    // deactivate (we wipe their sessions on deactivate, but a race
-    // could land a request in flight).
     let user = match state.users.get(lookup.user_id).await {
         Ok(Some(u)) if u.is_active => u,
-        Ok(_) => return unauthorized(),
+        Ok(_) => return Ok(None),
         Err(err) => {
             tracing::error!(?err, "admin_users lookup failed");
-            return internal_error();
+            return Err(InternalError);
         }
     };
 
-    // Sliding window bump. Inline (not fire-and-forget) so a DB blip
+    // Sliding-window bump — inline so a DB blip surfaces as 500 rather
-    // surfaces as a request error rather than silent stale sessions.
+    // than silent stale sessions. Same shape as Phase 3a.
     let new_expires_at = Utc::now() + chrono::Duration::from_std(state.ttl).unwrap_or_default();
     if let Err(err) = state.sessions.touch(&token_hash, new_expires_at).await {
         tracing::error!(?err, "admin_sessions touch failed");
-        return internal_error();
+        return Err(InternalError);
     }
 
-    req.extensions_mut().insert(AuthedAdmin {
+    Ok(Some(Principal {
-        id: user.id,
+        user_id: user.id,
-        username: user.username,
+        instance_role: user.instance_role,
-    });
+        scopes: None,
-    next.run(req).await
+        app_binding: None,
+    }))
+}
+
+/// API-key verification path. `rest` is the portion of the bearer
+/// value *after* `pic_`. We slice off the first 8 chars as the
+/// indexed lookup key, then Argon2id-verify each candidate's hash
+/// against the full `rest`. At most one match is expected; multiple
+/// candidates with the same prefix is statistically negligible but
+/// handled correctly (verify each, take the first match).
+async fn verify_api_key(state: &AuthState, rest: &str) -> Result<Option<Principal>, InternalError> {
+    if rest.len() <= API_KEY_PREFIX_LEN {
+        return Ok(None);
+    }
+    let prefix = &rest[..API_KEY_PREFIX_LEN];
+
+    let candidates = match state.keys.find_active_by_prefix(prefix).await {
+        Ok(v) => v,
+        Err(err) => {
+            tracing::error!(?err, "api_keys lookup failed");
+            return Err(InternalError);
+        }
+    };
+
+    let matched: Option<ApiKeyVerification> = candidates
+        .into_iter()
+        .find(|c| verify_password(&c.hash, rest));
+    let Some(matched) = matched else {
+        return Ok(None);
+    };
+
+    // Resolve the owning user. is_active = false → reject even if the
+    // key itself hasn't been expired yet (the expire_all_for_user
+    // cascade on deactivation is the primary defense; this is the
+    // belt-and-suspenders check at request time).
+    let user = match state.users.get(matched.user_id).await {
+        Ok(Some(u)) if u.is_active => u,
+        Ok(_) => return Ok(None),
+        Err(err) => {
+            tracing::error!(?err, "admin_users lookup for api key failed");
+            return Err(InternalError);
+        }
+    };
+
+    if let Err(err) = state.keys.touch_last_used(matched.id).await {
+        tracing::error!(?err, "api_keys touch_last_used failed");
+        // Soft-fail: a timestamp blip should not invalidate the
+        // request. Continue with the resolved Principal.
+    }
+
+    Ok(Some(Principal {
+        user_id: user.id,
+        instance_role: user.instance_role,
+        scopes: Some(matched.scopes),
+        app_binding: matched.app_id,
+    }))
+}
+
+/// Best-effort username lookup for the legacy `AuthedAdmin` extension.
+/// Returns `None` on DB error (the caller treats `None` as "skip the
+/// legacy extension"). New handlers use `Principal` and don't depend
+/// on this.
+async fn username_for(state: &AuthState, id: AdminUserId) -> Option<String> {
+    match state.users.get(id).await {
+        Ok(Some(u)) => Some(u.username),
+        Ok(None) => None,
+        Err(err) => {
+            tracing::warn!(
+                ?err,
+                "username lookup for AuthedAdmin failed; skipping legacy ext"
+            );
+            None
+        }
+    }
 }
 
 /// Pull the bearer token out of an `Authorization` header (preferred)
 /// or the `picloud_session` cookie (fallback for browser clients).
+/// Same shape as Phase 3a; the cookie only ever carries session
+/// tokens — no `pic_` prefix expected there.
 fn extract_token(req: &Request<Body>) -> Option<String> {
     if let Some(value) = req.headers().get(header::AUTHORIZATION) {
         if let Ok(s) = value.to_str() {
@@ -121,6 +285,11 @@ fn extract_token(req: &Request<Body>) -> Option<String> {
     None
 }
 
+/// Sentinel returned from the resolve functions when a DB error should
+/// produce a 500 rather than a 401. Empty struct because the actual
+/// error is already logged at the failure site.
+struct InternalError;
+
 fn unauthorized() -> Response {
     (
         StatusCode::UNAUTHORIZED,
@@ -141,6 +310,7 @@ fn internal_error() -> Response {
 mod tests {
     use super::*;
     use axum::http::Request;
+    use picloud_shared::InstanceRole;
 
     fn req_with_header(name: &str, value: &str) -> Request<Body> {
         Request::builder()
@@ -155,6 +325,12 @@ mod tests {
         assert_eq!(extract_token(&r).as_deref(), Some("abc123"));
     }
 
+    #[test]
+    fn extracts_bearer_pic_prefixed_token() {
+        let r = req_with_header("authorization", "Bearer pic_abcdefghIJKL");
+        assert_eq!(extract_token(&r).as_deref(), Some("pic_abcdefghIJKL"));
+    }
+
     #[test]
     fn ignores_bearer_with_no_token() {
         let r = req_with_header("authorization", "Bearer ");
@@ -182,4 +358,20 @@ mod tests {
         let r = Request::builder().body(Body::empty()).unwrap();
         assert_eq!(extract_token(&r), None);
     }
+
+    // Round-trip test for the unused-variable to keep `Principal`
+    // visibly tied to InstanceRole — caught a real bug during dev when
+    // the field order in the struct literal had drifted.
+    #[test]
+    fn principal_construction_is_explicit() {
+        let p = Principal {
+            user_id: AdminUserId::new(),
+            instance_role: InstanceRole::Owner,
+            scopes: None,
+            app_binding: None,
+        };
+        assert_eq!(p.instance_role, InstanceRole::Owner);
+        assert!(p.scopes.is_none());
+        assert!(p.app_binding.is_none());
+    }
 }

crates/manager-core/src/authz.rs

@@ -0,0 +1,614 @@
+//! Capability-based authorization — see blueprint §11.6.
+//!
+//! Single entry point for every admin endpoint: `can(repo, principal,
+//! capability)` returns whether the caller can perform the action.
+//! Handlers call `require` (which wraps `can` + a `Forbidden` error)
+//! after loading the resource so the capability binds to the resource's
+//! actual `app_id`, not a path param the caller controls.
+//!
+//! Three layers of intersection, evaluated in order:
+//!
+//!   1. **Role grant** — does the caller's `InstanceRole` plus any
+//!      `app_members` row authorize this capability?
+//!   2. **Scope intersection** — if the principal came from an API key
+//!      (`principal.scopes.is_some()`), does the key's scope set cover
+//!      the capability's required scope?
+//!   3. **App binding** — if the key was minted bound to a specific
+//!      app (`principal.app_binding`), does the capability target the
+//!      same app? (Instance-level capabilities are denied for bound
+//!      keys; the mint handler also rejects the combination upfront.)
+//!
+//! The capability set is intentionally finer-grained than the seven
+//! scopes (e.g., `AppWriteScript` vs `AppWriteRoute` both fall under
+//! the `script:write` / `route:write` scopes respectively). Keeping
+//! capabilities precise lets a `script:write`-only key write scripts
+//! without also being able to mutate routes. The scope set stays at
+//! seven values — capabilities are the internal check, scopes are the
+//! external user-facing label.
+
+use async_trait::async_trait;
+use picloud_shared::{AppId, AppRole, InstanceRole, Principal, Scope, UserId};
+
+/// Things a caller can attempt to do. Each app-scoped variant carries
+/// the `AppId` of the resource the action targets — handlers compute
+/// it from the loaded resource (e.g., `script.app_id`), not from a
+/// path param.
+#[derive(Debug, Clone, Copy, PartialEq, Eq)]
+pub enum Capability {
+    /// Create a new app. Owner / admin only.
+    InstanceCreateApp,
+    /// Create / update / delete admin_users rows (other than self
+    /// password change, which is a separate flow). Owner / admin.
+    InstanceManageUsers,
+    /// Mutate instance-wide configuration (sandbox ceiling, etc.).
+    /// Owner only.
+    InstanceManageSettings,
+    /// Read app metadata, scripts, routes. Viewer / editor / app_admin
+    /// (member); implicit for admin / owner.
+    AppRead(AppId),
+    /// Create / update / delete a script in this app.
+    AppWriteScript(AppId),
+    /// Create / update / delete a route in this app.
+    AppWriteRoute(AppId),
+    /// Manage domain claims on this app (add / remove).
+    AppManageDomains(AppId),
+    /// App settings + delete app. app_admin only (or owner via
+    /// implicit grant).
+    AppAdmin(AppId),
+    /// Read execution logs for scripts in this app.
+    AppLogRead(AppId),
+}
+
+impl Capability {
+    /// Extract the `AppId` for app-scoped capabilities; `None` for
+    /// instance-scoped ones. Used by the app-binding check on API keys.
+    #[must_use]
+    pub const fn app_id(self) -> Option<AppId> {
+        match self {
+            Self::InstanceCreateApp | Self::InstanceManageUsers | Self::InstanceManageSettings => {
+                None
+            }
+            Self::AppRead(id)
+            | Self::AppWriteScript(id)
+            | Self::AppWriteRoute(id)
+            | Self::AppManageDomains(id)
+            | Self::AppAdmin(id)
+            | Self::AppLogRead(id) => Some(id),
+        }
+    }
+
+    /// The single scope that authorizes this capability on an API key.
+    /// Strict mapping — a `script:write` key cannot read scripts unless
+    /// it also carries `script:read`. The intent is predictability: a
+    /// key has exactly the scopes it was minted with, no implicit
+    /// upgrades.
+    #[must_use]
+    pub const fn required_scope(self) -> Scope {
+        match self {
+            Self::InstanceCreateApp | Self::InstanceManageUsers | Self::InstanceManageSettings => {
+                Scope::InstanceAdmin
+            }
+            Self::AppRead(_) => Scope::ScriptRead,
+            Self::AppWriteScript(_) => Scope::ScriptWrite,
+            Self::AppWriteRoute(_) => Scope::RouteWrite,
+            Self::AppManageDomains(_) => Scope::DomainManage,
+            Self::AppAdmin(_) => Scope::AppAdmin,
+            Self::AppLogRead(_) => Scope::LogRead,
+        }
+    }
+}
+
+/// Repo seam for membership lookups. Implemented in the DB-backed
+/// repos crate (`app_members_repo.rs`); keeping it as a trait here
+/// means unit tests can stub it.
+#[async_trait]
+pub trait AuthzRepo: Send + Sync {
+    async fn membership(
+        &self,
+        user_id: UserId,
+        app_id: AppId,
+    ) -> Result<Option<AppRole>, AuthzError>;
+}
+
+/// Repo errors surface here so handlers can map them to 500 without
+/// dragging sqlx types across the boundary.
+#[derive(Debug, thiserror::Error)]
+pub enum AuthzError {
+    #[error("authorization repo error: {0}")]
+    Repo(String),
+}
+
+/// Decision flavor returned by `can` — distinguishes outright denial
+/// from a partial answer that requires further checks (none today,
+/// but the shape lets us add audit/explain mode later without rewriting
+/// every caller).
+#[must_use = "an authorization decision must be acted on"]
+#[derive(Debug, Clone, Copy, PartialEq, Eq)]
+pub enum Decision {
+    Allow,
+    Deny,
+}
+
+impl Decision {
+    #[must_use]
+    pub const fn is_allow(self) -> bool {
+        matches!(self, Self::Allow)
+    }
+}
+
+/// Core authorization check. Walks the three intersection layers in
+/// order and returns the resulting `Decision`.
+pub async fn can(
+    repo: &dyn AuthzRepo,
+    principal: &Principal,
+    cap: Capability,
+) -> Result<Decision, AuthzError> {
+    if !role_grants(repo, principal, cap).await? {
+        return Ok(Decision::Deny);
+    }
+    if !scope_allows(principal, cap) {
+        return Ok(Decision::Deny);
+    }
+    if !binding_allows(principal, cap) {
+        return Ok(Decision::Deny);
+    }
+    Ok(Decision::Allow)
+}
+
+/// Helper: returns `Ok(())` on Allow, `Err(AuthzDenied)` on Deny.
+/// Handlers call this so the `?` operator threads the 403 through
+/// naturally.
+///
+/// # Errors
+///
+/// Returns `AuthzDenied::Denied` when the capability is not granted,
+/// or `AuthzDenied::Repo` if the underlying membership lookup fails.
+pub async fn require(
+    repo: &dyn AuthzRepo,
+    principal: &Principal,
+    cap: Capability,
+) -> Result<(), AuthzDenied> {
+    match can(repo, principal, cap).await {
+        Ok(Decision::Allow) => Ok(()),
+        Ok(Decision::Deny) => Err(AuthzDenied::Denied),
+        Err(e) => Err(AuthzDenied::Repo(e)),
+    }
+}
+
+#[derive(Debug, thiserror::Error)]
+pub enum AuthzDenied {
+    #[error("forbidden")]
+    Denied,
+    #[error(transparent)]
+    Repo(#[from] AuthzError),
+}
+
+// ----------------------------------------------------------------------------
+// Layer 1: role-derived grant
+// ----------------------------------------------------------------------------
+
+async fn role_grants(
+    repo: &dyn AuthzRepo,
+    principal: &Principal,
+    cap: Capability,
+) -> Result<bool, AuthzError> {
+    match principal.instance_role {
+        InstanceRole::Owner => Ok(true),
+        InstanceRole::Admin => Ok(admin_grants(cap)),
+        InstanceRole::Member => member_grants(repo, principal.user_id, cap).await,
+    }
+}
+
+/// Admin is implicit `app_admin` on every app (per blueprint §11.6).
+/// They can create apps, manage users, and take any app-scoped action
+/// on any app without an explicit `app_members` row — single-human
+/// installs would otherwise need to add themselves to every new app.
+/// Only `InstanceManageSettings` (sandbox ceiling, etc.) stays
+/// owner-only.
+const fn admin_grants(cap: Capability) -> bool {
+    !matches!(cap, Capability::InstanceManageSettings)
+}
+
+/// Member has zero instance authority. App authority requires an
+/// explicit `app_members` row with sufficient `AppRole`.
+async fn member_grants(
+    repo: &dyn AuthzRepo,
+    user_id: UserId,
+    cap: Capability,
+) -> Result<bool, AuthzError> {
+    let Some(app_id) = cap.app_id() else {
+        return Ok(false);
+    };
+    let Some(role) = repo.membership(user_id, app_id).await? else {
+        return Ok(false);
+    };
+    Ok(role_satisfies(role, cap))
+}
+
+/// Does the per-app `AppRole` cover the capability? Viewer can read;
+/// Editor adds script/route/log mutations; AppAdmin adds settings,
+/// domain claims, and delete. Roles form a strict subset chain, so
+/// the check is "is this capability in the role's set?".
+const fn role_satisfies(role: AppRole, cap: Capability) -> bool {
+    let in_viewer = matches!(cap, Capability::AppRead(_) | Capability::AppLogRead(_));
+    let in_editor = in_viewer
+        || matches!(
+            cap,
+            Capability::AppWriteScript(_) | Capability::AppWriteRoute(_)
+        );
+    let in_app_admin = in_editor
+        || matches!(
+            cap,
+            Capability::AppManageDomains(_) | Capability::AppAdmin(_)
+        );
+    match role {
+        AppRole::Viewer => in_viewer,
+        AppRole::Editor => in_editor,
+        AppRole::AppAdmin => in_app_admin,
+    }
+}
+
+// ----------------------------------------------------------------------------
+// Layer 2: API-key scope intersection
+// ----------------------------------------------------------------------------
+
+fn scope_allows(principal: &Principal, cap: Capability) -> bool {
+    match &principal.scopes {
+        None => true, // cookie session — full role authority
+        Some(scopes) => scopes.contains(&cap.required_scope()),
+    }
+}
+
+// ----------------------------------------------------------------------------
+// Layer 3: API-key app binding
+// ----------------------------------------------------------------------------
+
+fn binding_allows(principal: &Principal, cap: Capability) -> bool {
+    let Some(bound_app) = principal.app_binding else {
+        return true;
+    };
+    match cap.app_id() {
+        // Instance-scoped capability + bound key → always denied. The
+        // mint handler also rejects this combination upfront, but
+        // defending in depth here means a stale/malformed row can't
+        // escalate.
+        None => false,
+        Some(target_app) => target_app == bound_app,
+    }
+}
+
+// ----------------------------------------------------------------------------
+// Tests
+// ----------------------------------------------------------------------------
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+    use picloud_shared::{AdminUserId, AppId};
+    use std::collections::HashMap;
+    use tokio::sync::Mutex;
+
+    /// In-memory `AuthzRepo` so the unit tests don't need a database.
+    #[derive(Default)]
+    struct InMemoryAuthzRepo {
+        memberships: Mutex<HashMap<(UserId, AppId), AppRole>>,
+    }
+
+    impl InMemoryAuthzRepo {
+        async fn grant(&self, user: UserId, app: AppId, role: AppRole) {
+            self.memberships.lock().await.insert((user, app), role);
+        }
+    }
+
+    #[async_trait]
+    impl AuthzRepo for InMemoryAuthzRepo {
+        async fn membership(
+            &self,
+            user_id: UserId,
+            app_id: AppId,
+        ) -> Result<Option<AppRole>, AuthzError> {
+            Ok(self
+                .memberships
+                .lock()
+                .await
+                .get(&(user_id, app_id))
+                .copied())
+        }
+    }
+
+    fn principal(role: InstanceRole) -> Principal {
+        Principal {
+            user_id: AdminUserId::new(),
+            instance_role: role,
+            scopes: None,
+            app_binding: None,
+        }
+    }
+
+    #[tokio::test]
+    async fn owner_can_do_everything() {
+        let repo = InMemoryAuthzRepo::default();
+        let p = principal(InstanceRole::Owner);
+        let app = AppId::new();
+        for cap in [
+            Capability::InstanceCreateApp,
+            Capability::InstanceManageUsers,
+            Capability::InstanceManageSettings,
+            Capability::AppRead(app),
+            Capability::AppWriteScript(app),
+            Capability::AppWriteRoute(app),
+            Capability::AppManageDomains(app),
+            Capability::AppAdmin(app),
+            Capability::AppLogRead(app),
+        ] {
+            assert_eq!(
+                can(&repo, &p, cap).await.unwrap(),
+                Decision::Allow,
+                "owner denied {cap:?}"
+            );
+        }
+    }
+
+    #[tokio::test]
+    async fn admin_cannot_manage_instance_settings() {
+        let repo = InMemoryAuthzRepo::default();
+        let p = principal(InstanceRole::Admin);
+        assert_eq!(
+            can(&repo, &p, Capability::InstanceManageSettings)
+                .await
+                .unwrap(),
+            Decision::Deny,
+        );
+    }
+
+    #[tokio::test]
+    async fn admin_is_implicit_app_admin_on_every_app() {
+        let repo = InMemoryAuthzRepo::default();
+        let p = principal(InstanceRole::Admin);
+        let app = AppId::new();
+        // Instance-scoped allowances.
+        assert_eq!(
+            can(&repo, &p, Capability::InstanceCreateApp).await.unwrap(),
+            Decision::Allow,
+        );
+        assert_eq!(
+            can(&repo, &p, Capability::InstanceManageUsers)
+                .await
+                .unwrap(),
+            Decision::Allow,
+        );
+        // Editor-like + app-admin grants both succeed without any
+        // app_members row.
+        for cap in [
+            Capability::AppRead(app),
+            Capability::AppWriteScript(app),
+            Capability::AppWriteRoute(app),
+            Capability::AppLogRead(app),
+            Capability::AppManageDomains(app),
+            Capability::AppAdmin(app),
+        ] {
+            assert_eq!(
+                can(&repo, &p, cap).await.unwrap(),
+                Decision::Allow,
+                "admin denied app-scoped capability {cap:?}"
+            );
+        }
+    }
+
+    #[tokio::test]
+    async fn member_without_row_is_denied_everywhere() {
+        let repo = InMemoryAuthzRepo::default();
+        let p = principal(InstanceRole::Member);
+        let app = AppId::new();
+        for cap in [
+            Capability::InstanceCreateApp,
+            Capability::InstanceManageUsers,
+            Capability::InstanceManageSettings,
+            Capability::AppRead(app),
+            Capability::AppWriteScript(app),
+            Capability::AppWriteRoute(app),
+            Capability::AppAdmin(app),
+            Capability::AppLogRead(app),
+        ] {
+            assert_eq!(
+                can(&repo, &p, cap).await.unwrap(),
+                Decision::Deny,
+                "member granted {cap:?} without a membership row"
+            );
+        }
+    }
+
+    #[tokio::test]
+    async fn member_with_viewer_role_can_read_but_not_write() {
+        let repo = InMemoryAuthzRepo::default();
+        let p = principal(InstanceRole::Member);
+        let app = AppId::new();
+        repo.grant(p.user_id, app, AppRole::Viewer).await;
+
+        assert!(can(&repo, &p, Capability::AppRead(app))
+            .await
+            .unwrap()
+            .is_allow());
+        assert!(can(&repo, &p, Capability::AppLogRead(app))
+            .await
+            .unwrap()
+            .is_allow());
+        assert_eq!(
+            can(&repo, &p, Capability::AppWriteScript(app))
+                .await
+                .unwrap(),
+            Decision::Deny
+        );
+        assert_eq!(
+            can(&repo, &p, Capability::AppAdmin(app)).await.unwrap(),
+            Decision::Deny
+        );
+    }
+
+    #[tokio::test]
+    async fn member_with_editor_role_can_write_scripts_and_routes() {
+        let repo = InMemoryAuthzRepo::default();
+        let p = principal(InstanceRole::Member);
+        let app = AppId::new();
+        repo.grant(p.user_id, app, AppRole::Editor).await;
+
+        assert!(can(&repo, &p, Capability::AppWriteScript(app))
+            .await
+            .unwrap()
+            .is_allow());
+        assert!(can(&repo, &p, Capability::AppWriteRoute(app))
+            .await
+            .unwrap()
+            .is_allow());
+        assert_eq!(
+            can(&repo, &p, Capability::AppAdmin(app)).await.unwrap(),
+            Decision::Deny
+        );
+    }
+
+    /// Editors hold `AppWriteScript` (Save) but **not** `AppAdmin`
+    /// (Delete). The script-delete handler gates on the latter so the
+    /// API can't be tricked into letting an editor remove the script
+    /// they were only allowed to edit.
+    #[tokio::test]
+    async fn editor_can_write_scripts_but_not_delete_them() {
+        let repo = InMemoryAuthzRepo::default();
+        let p = principal(InstanceRole::Member);
+        let app = AppId::new();
+        repo.grant(p.user_id, app, AppRole::Editor).await;
+
+        assert!(can(&repo, &p, Capability::AppWriteScript(app))
+            .await
+            .unwrap()
+            .is_allow());
+        // Delete is gated on AppAdmin in the handler — editors must be
+        // denied here for that gate to bite.
+        assert_eq!(
+            can(&repo, &p, Capability::AppAdmin(app)).await.unwrap(),
+            Decision::Deny,
+        );
+    }
+
+    #[tokio::test]
+    async fn member_with_app_admin_role_can_do_app_admin_actions() {
+        let repo = InMemoryAuthzRepo::default();
+        let p = principal(InstanceRole::Member);
+        let app = AppId::new();
+        repo.grant(p.user_id, app, AppRole::AppAdmin).await;
+
+        assert!(can(&repo, &p, Capability::AppAdmin(app))
+            .await
+            .unwrap()
+            .is_allow());
+        assert!(can(&repo, &p, Capability::AppManageDomains(app))
+            .await
+            .unwrap()
+            .is_allow());
+        // Membership in App A does NOT grant access to App B
+        let other_app = AppId::new();
+        assert_eq!(
+            can(&repo, &p, Capability::AppAdmin(other_app))
+                .await
+                .unwrap(),
+            Decision::Deny
+        );
+    }
+
+    #[tokio::test]
+    async fn scoped_key_intersects_with_role() {
+        let repo = InMemoryAuthzRepo::default();
+        let app = AppId::new();
+        // Owner key with only script:read — cannot write
+        let p = Principal {
+            user_id: AdminUserId::new(),
+            instance_role: InstanceRole::Owner,
+            scopes: Some(vec![Scope::ScriptRead]),
+            app_binding: None,
+        };
+        assert!(can(&repo, &p, Capability::AppRead(app))
+            .await
+            .unwrap()
+            .is_allow());
+        assert_eq!(
+            can(&repo, &p, Capability::AppWriteScript(app))
+                .await
+                .unwrap(),
+            Decision::Deny
+        );
+        // Even though the user is owner — the key's scope set is the
+        // hard ceiling.
+        assert_eq!(
+            can(&repo, &p, Capability::AppAdmin(app)).await.unwrap(),
+            Decision::Deny
+        );
+    }
+
+    #[tokio::test]
+    async fn bound_key_cannot_escape_its_app() {
+        let repo = InMemoryAuthzRepo::default();
+        let bound_app = AppId::new();
+        let other_app = AppId::new();
+        let p = Principal {
+            user_id: AdminUserId::new(),
+            instance_role: InstanceRole::Owner,
+            scopes: Some(vec![Scope::ScriptWrite]),
+            app_binding: Some(bound_app),
+        };
+        assert!(can(&repo, &p, Capability::AppWriteScript(bound_app))
+            .await
+            .unwrap()
+            .is_allow());
+        assert_eq!(
+            can(&repo, &p, Capability::AppWriteScript(other_app))
+                .await
+                .unwrap(),
+            Decision::Deny
+        );
+    }
+
+    #[tokio::test]
+    async fn bound_key_cannot_do_instance_actions() {
+        let repo = InMemoryAuthzRepo::default();
+        let bound_app = AppId::new();
+        let p = Principal {
+            user_id: AdminUserId::new(),
+            instance_role: InstanceRole::Owner,
+            scopes: Some(vec![Scope::InstanceAdmin]), // mint handler also rejects this combo
+            app_binding: Some(bound_app),
+        };
+        assert_eq!(
+            can(&repo, &p, Capability::InstanceCreateApp).await.unwrap(),
+            Decision::Deny,
+            "bound key with instance scope must still be denied at the binding layer"
+        );
+    }
+
+    #[test]
+    fn capability_app_id_extraction() {
+        let app = AppId::new();
+        assert_eq!(Capability::InstanceCreateApp.app_id(), None);
+        assert_eq!(Capability::AppRead(app).app_id(), Some(app));
+        assert_eq!(Capability::AppAdmin(app).app_id(), Some(app));
+    }
+
+    #[test]
+    fn capability_required_scope_mapping_is_complete() {
+        // Sanity: every variant returns a scope. Compiler-enforced
+        // exhaustiveness lives in the match itself; this test guards
+        // against accidental drift to a default branch.
+        let app = AppId::new();
+        for cap in [
+            Capability::InstanceCreateApp,
+            Capability::InstanceManageUsers,
+            Capability::InstanceManageSettings,
+            Capability::AppRead(app),
+            Capability::AppWriteScript(app),
+            Capability::AppWriteRoute(app),
+            Capability::AppManageDomains(app),
+            Capability::AppAdmin(app),
+            Capability::AppLogRead(app),
+        ] {
+            let _ = cap.required_scope(); // does not panic
+        }
+    }
+}

crates/manager-core/src/lib.rs

@@ -8,14 +8,19 @@ pub mod admin_session_repo;
 pub mod admin_user_repo;
 pub mod admin_users_api;
 pub mod api;
+pub mod api_key_repo;
+pub mod api_keys_api;
 pub mod app_bootstrap;
 pub mod app_domain_repo;
+pub mod app_members_api;
+pub mod app_members_repo;
 pub mod app_repo;
 pub mod apps_api;
 pub mod auth;
 pub mod auth_api;
 pub mod auth_bootstrap;
 pub mod auth_middleware;
+pub mod authz;
 pub mod log_sink;
 pub mod migrations;
 pub mod repo;
@@ -34,15 +39,30 @@ pub use admin_user_repo::{
 };
 pub use admin_users_api::{admins_router, AdminsState};
 pub use api::{admin_router, AdminState};
+pub use api_key_repo::{
+    ApiKeyRepository, ApiKeyRepositoryError, ApiKeyRow, ApiKeyVerification, NewApiKey,
+    PostgresApiKeyRepository,
+};
+pub use api_keys_api::{api_keys_router, ApiKeysState};
 pub use app_bootstrap::{seed_hello_world_if_fresh, HelloWorldOutcome};
 pub use app_domain_repo::{AppDomainRepository, NewAppDomain, PostgresAppDomainRepository};
-pub use app_repo::{AppLookup, AppRepository, PostgresAppRepository};
+pub use app_members_api::{app_members_router, AppMembersApiError, AppMembersState};
+pub use app_members_repo::{
+    AppMembersRepository, AppMembersRepositoryError, AppMembershipDetail, AppMembershipRow,
+    PostgresAppMembersRepository,
+};
+pub use app_repo::{resolve_app, AppLookup, AppRepository, PostgresAppRepository};
 pub use apps_api::{apps_router, AppsState};
 pub use auth_api::auth_router;
 pub use auth_bootstrap::{
     bootstrap_first_admin, bootstrap_first_admin_with, BootstrapEnv, BootstrapError,
 };
-pub use auth_middleware::{require_admin, AuthState, AuthedAdmin, SESSION_COOKIE};
+#[allow(deprecated)]
+pub use auth_middleware::{
+    attach_principal_if_present, require_admin, require_authenticated, AuthState, AuthedAdmin,
+    API_KEY_PREFIX, API_KEY_PREFIX_LEN, SESSION_COOKIE,
+};
+pub use authz::{can, require, AuthzDenied, AuthzError, AuthzRepo, Capability, Decision};
 pub use log_sink::PostgresExecutionLogSink;
 pub use repo::{
     ExecutionLogRepository, NewScript, PostgresExecutionLogRepository, PostgresScriptRepository,

crates/manager-core/src/repo.rs

@@ -3,7 +3,7 @@ use std::collections::BTreeMap;
 use async_trait::async_trait;
 use picloud_orchestrator_core::{ResolverError, ScriptResolver};
 use picloud_shared::{
-    AppId, ExecutionLog, ExecutionStatus, RequestId, Script, ScriptId, ScriptSandbox,
+    AdminUserId, AppId, ExecutionLog, ExecutionStatus, RequestId, Script, ScriptId, ScriptSandbox,
 };
 use sqlx::PgPool;
 
@@ -27,6 +27,14 @@ pub trait ScriptRepository: Send + Sync {
     /// "global" views; the dashboard reaches scripts via `list_for_app`.
     async fn list(&self) -> Result<Vec<Script>, ScriptRepositoryError>;
     async fn list_for_app(&self, app_id: AppId) -> Result<Vec<Script>, ScriptRepositoryError>;
+    /// Every script in any app the user is a member of. Drives
+    /// `GET /admin/scripts` for `member` instance-role callers so the
+    /// API never returns scripts they shouldn't see — even before the
+    /// per-handler capability check fires.
+    async fn list_for_user(
+        &self,
+        user_id: AdminUserId,
+    ) -> Result<Vec<Script>, ScriptRepositoryError>;
     async fn create(&self, input: NewScript) -> Result<Script, ScriptRepositoryError>;
     async fn update(
         &self,
@@ -117,6 +125,24 @@ impl ScriptRepository for PostgresScriptRepository {
         Ok(rows.into_iter().map(Into::into).collect())
     }
 
+    async fn list_for_user(
+        &self,
+        user_id: AdminUserId,
+    ) -> Result<Vec<Script>, ScriptRepositoryError> {
+        let rows = sqlx::query_as::<_, ScriptRow>(
+            "SELECT s.id, s.app_id, s.name, s.description, s.version, s.source, \
+                    s.timeout_seconds, s.memory_limit_mb, s.sandbox, s.created_at, s.updated_at \
+             FROM scripts s \
+             JOIN app_members m ON m.app_id = s.app_id \
+             WHERE m.user_id = $1 \
+             ORDER BY s.name",
+        )
+        .bind(user_id.into_inner())
+        .fetch_all(&self.pool)
+        .await?;
+        Ok(rows.into_iter().map(Into::into).collect())
+    }
+
     async fn create(&self, input: NewScript) -> Result<Script, ScriptRepositoryError> {
         let sandbox_json = serde_json::to_value(input.sandbox.unwrap_or_default())
             .unwrap_or_else(|_| serde_json::json!({}));

crates/manager-core/src/route_admin.rs

@@ -10,14 +10,15 @@ use axum::{
     http::StatusCode,
     response::{IntoResponse, Response},
     routing::{delete, get, post},
-    Json, Router,
+    Extension, Json, Router,
 };
 use picloud_orchestrator_core::routing::{conflict, matcher::CompiledRoute, pattern, RouteTable};
-use picloud_shared::{AppId, HostKind, PathKind, Route, ScriptId};
+use picloud_shared::{AppId, HostKind, PathKind, Principal, Route, ScriptId};
 use serde::{Deserialize, Serialize};
 use uuid::Uuid;
 
 use crate::app_domain_repo::AppDomainRepository;
+use crate::authz::{require, AuthzDenied, AuthzRepo, Capability};
 use crate::repo::{ScriptRepository, ScriptRepositoryError};
 use crate::route_repo::{NewRoute, RouteRepository};
 
@@ -30,6 +31,8 @@ pub struct RouteAdminState<RR, SR> {
     /// declared domain claims.
     pub domains: Arc<dyn AppDomainRepository>,
     pub table: Arc<RouteTable>,
+    /// Capability gate — Phase 3.5.
+    pub authz: Arc<dyn AuthzRepo>,
 }
 
 impl<RR, SR> Clone for RouteAdminState<RR, SR> {
@@ -39,6 +42,7 @@ impl<RR, SR> Clone for RouteAdminState<RR, SR> {
             scripts: self.scripts.clone(),
             domains: self.domains.clone(),
             table: self.table.clone(),
+            authz: self.authz.clone(),
         }
     }
 }
@@ -130,13 +134,26 @@ pub struct MatchedRoute {
 
 async fn list_routes<RR: RouteRepository, SR: ScriptRepository>(
     State(state): State<RouteAdminState<RR, SR>>,
+    Extension(principal): Extension<Principal>,
     Path(script_id): Path<ScriptId>,
 ) -> Result<Json<Vec<Route>>, RouteApiError> {
+    let script = state
+        .scripts
+        .get(script_id)
+        .await?
+        .ok_or(RouteApiError::ScriptNotFound(script_id))?;
+    require(
+        state.authz.as_ref(),
+        &principal,
+        Capability::AppRead(script.app_id),
+    )
+    .await?;
     Ok(Json(state.routes.list_for_script(script_id).await?))
 }
 
 async fn create_route<RR: RouteRepository, SR: ScriptRepository>(
     State(state): State<RouteAdminState<RR, SR>>,
+    Extension(principal): Extension<Principal>,
     Path(script_id): Path<ScriptId>,
     Json(input): Json<CreateRouteRequest>,
 ) -> Result<(StatusCode, Json<Route>), RouteApiError> {
@@ -154,6 +171,12 @@ async fn create_route<RR: RouteRepository, SR: ScriptRepository>(
         .await?
         .ok_or(RouteApiError::ScriptNotFound(script_id))?;
     let app_id = script.app_id;
+    require(
+        state.authz.as_ref(),
+        &principal,
+        Capability::AppWriteRoute(app_id),
+    )
+    .await?;
 
     // Validate the route's host is consistent with one of the app's
     // domain claims. `HostKind::Any` is always permitted (catches every
@@ -196,8 +219,22 @@ async fn create_route<RR: RouteRepository, SR: ScriptRepository>(
 
 async fn delete_route<RR: RouteRepository, SR: ScriptRepository>(
     State(state): State<RouteAdminState<RR, SR>>,
+    Extension(principal): Extension<Principal>,
     Path(route_id): Path<Uuid>,
 ) -> Result<StatusCode, RouteApiError> {
+    // Resolve the route's app before we delete, so the capability
+    // binds to the actual route's app_id (not a path param).
+    let route = state
+        .routes
+        .get(route_id)
+        .await?
+        .ok_or(RouteApiError::RouteNotFound(route_id))?;
+    require(
+        state.authz.as_ref(),
+        &principal,
+        Capability::AppWriteRoute(route.app_id),
+    )
+    .await?;
     state.routes.delete(route_id).await?;
     refresh_table(&state).await?;
     Ok(StatusCode::NO_CONTENT)
@@ -205,8 +242,18 @@ async fn delete_route<RR: RouteRepository, SR: ScriptRepository>(
 
 async fn check_route<RR: RouteRepository, SR: ScriptRepository>(
     State(state): State<RouteAdminState<RR, SR>>,
+    Extension(principal): Extension<Principal>,
     Json(input): Json<CheckRouteRequest>,
 ) -> Result<Json<CheckRouteResponse>, RouteApiError> {
+    // routes:check is read-only — peeking at a hypothetical conflict
+    // is bounded by AppRead on the target app (otherwise members
+    // could probe other apps).
+    require(
+        state.authz.as_ref(),
+        &principal,
+        Capability::AppRead(input.app_id),
+    )
+    .await?;
     let normalized_path = parse_and_normalize_path(input.path_kind, &input.path)?;
     pattern::parse_host(input.host_kind, &input.host, None)?;
 
@@ -235,8 +282,15 @@ async fn check_route<RR: RouteRepository, SR: ScriptRepository>(
 
 async fn match_route<RR: RouteRepository, SR: ScriptRepository>(
     State(state): State<RouteAdminState<RR, SR>>,
+    Extension(principal): Extension<Principal>,
     Json(input): Json<MatchRouteRequest>,
 ) -> Result<Json<MatchRouteResponse>, RouteApiError> {
+    require(
+        state.authz.as_ref(),
+        &principal,
+        Capability::AppRead(input.app_id),
+    )
+    .await?;
     let parsed = url::Url::parse(&input.url)
         .map_err(|e| RouteApiError::BadRequest(format!("invalid url: {e}")))?;
     let host = parsed.host_str().unwrap_or("").to_string();
@@ -415,16 +469,34 @@ pub enum RouteApiError {
     #[error("script not found: {0}")]
     ScriptNotFound(ScriptId),
 
+    #[error("route not found: {0}")]
+    RouteNotFound(Uuid),
+
     #[error("host {host:?} is not claimed by this app")]
     HostNotClaimed {
         host: String,
         available_claims: Vec<String>,
     },
 
+    #[error("forbidden")]
+    Forbidden,
+
+    #[error("authorization repo error: {0}")]
+    AuthzRepo(String),
+
     #[error("repository error: {0}")]
     Repo(#[from] ScriptRepositoryError),
 }
 
+impl From<AuthzDenied> for RouteApiError {
+    fn from(d: AuthzDenied) -> Self {
+        match d {
+            AuthzDenied::Denied => Self::Forbidden,
+            AuthzDenied::Repo(e) => Self::AuthzRepo(e.to_string()),
+        }
+    }
+}
+
 impl IntoResponse for RouteApiError {
     fn into_response(self) -> Response {
         let (status, body) = match &self {
@@ -443,10 +515,23 @@ impl IntoResponse for RouteApiError {
                 StatusCode::UNPROCESSABLE_ENTITY,
                 serde_json::json!({ "error": self.to_string() }),
             ),
-            Self::ScriptNotFound(_) | Self::Repo(ScriptRepositoryError::NotFound(_)) => (
+            Self::ScriptNotFound(_)
+            | Self::RouteNotFound(_)
+            | Self::Repo(ScriptRepositoryError::NotFound(_)) => (
                 StatusCode::NOT_FOUND,
                 serde_json::json!({ "error": self.to_string() }),
             ),
+            Self::Forbidden => (
+                StatusCode::FORBIDDEN,
+                serde_json::json!({ "error": self.to_string() }),
+            ),
+            Self::AuthzRepo(e) => {
+                tracing::error!(error = %e, "route authz repo error");
+                (
+                    StatusCode::INTERNAL_SERVER_ERROR,
+                    serde_json::json!({ "error": "internal error" }),
+                )
+            }
             Self::HostNotClaimed {
                 host,
                 available_claims,

crates/manager-core/src/route_repo.rs

@@ -25,6 +25,10 @@ pub struct NewRoute {
 #[async_trait]
 pub trait RouteRepository: Send + Sync {
     async fn list_all(&self) -> Result<Vec<Route>, ScriptRepositoryError>;
+    /// Single-row lookup. Used by `DELETE /api/v1/admin/routes/{id}` so
+    /// the capability check binds to the route's actual `app_id`
+    /// (not a path param).
+    async fn get(&self, route_id: Uuid) -> Result<Option<Route>, ScriptRepositoryError>;
     async fn list_for_app(&self, app_id: AppId) -> Result<Vec<Route>, ScriptRepositoryError>;
     async fn list_for_script(
         &self,
@@ -66,6 +70,18 @@ impl RouteRepository for PostgresRouteRepository {
         Ok(rows.into_iter().map(Into::into).collect())
     }
 
+    async fn get(&self, route_id: Uuid) -> Result<Option<Route>, ScriptRepositoryError> {
+        let row = sqlx::query_as::<_, RouteRow>(
+            "SELECT id, app_id, script_id, host_kind, host, host_param_name, \
+                    path_kind, path, method, created_at \
+             FROM routes WHERE id = $1",
+        )
+        .bind(route_id)
+        .fetch_optional(&self.pool)
+        .await?;
+        Ok(row.map(Into::into))
+    }
+
     async fn list_for_app(&self, app_id: AppId) -> Result<Vec<Route>, ScriptRepositoryError> {
         let rows = sqlx::query_as::<_, RouteRow>(
             "SELECT id, app_id, script_id, host_kind, host, host_param_name, \

crates/manager-core/tests/expected_schema.txt

@@ -18,6 +18,21 @@ table: admin_users
   created_at: timestamp with time zone NOT NULL default=now()
   updated_at: timestamp with time zone NOT NULL default=now()
   last_login_at: timestamp with time zone NULL
+  instance_role: text NOT NULL default='owner'::text
+  email: text NULL
+  mfa_secret: text NULL
+
+table: api_keys
+  id: uuid NOT NULL default=gen_random_uuid()
+  user_id: uuid NOT NULL
+  hash: text NOT NULL
+  prefix: text NOT NULL
+  name: text NOT NULL
+  scopes: ARRAY NOT NULL
+  app_id: uuid NULL
+  expires_at: timestamp with time zone NULL
+  last_used_at: timestamp with time zone NULL
+  created_at: timestamp with time zone NOT NULL default=now()
 
 table: app_domains
   id: uuid NOT NULL default=gen_random_uuid()
@@ -27,6 +42,12 @@ table: app_domains
   shape_key: text NOT NULL
   created_at: timestamp with time zone NOT NULL default=now()
 
+table: app_members
+  app_id: uuid NOT NULL
+  user_id: uuid NOT NULL
+  role: text NOT NULL
+  created_at: timestamp with time zone NOT NULL default=now()
+
 table: app_slug_history
   slug: text NOT NULL
   current_app_id: uuid NOT NULL
@@ -88,14 +109,25 @@ indexes on admin_sessions:
   admin_sessions_user_idx: public.admin_sessions USING btree (user_id)
 
 indexes on admin_users:
+  admin_users_email_key: public.admin_users USING btree (email)
+  admin_users_instance_role_idx: public.admin_users USING btree (instance_role)
   admin_users_pkey: public.admin_users USING btree (id)
   admin_users_username_key: public.admin_users USING btree (username)
 
+indexes on api_keys:
+  api_keys_pkey: public.api_keys USING btree (id)
+  api_keys_prefix_idx: public.api_keys USING btree (prefix)
+  api_keys_user_id_idx: public.api_keys USING btree (user_id)
+
 indexes on app_domains:
   app_domains_app_id_idx: public.app_domains USING btree (app_id)
   app_domains_pkey: public.app_domains USING btree (id)
   app_domains_shape_key_key: public.app_domains USING btree (shape_key)
 
+indexes on app_members:
+  app_members_pkey: public.app_members USING btree (app_id, user_id)
+  app_members_user_id_idx: public.app_members USING btree (user_id)
+
 indexes on app_slug_history:
   app_slug_history_pkey: public.app_slug_history USING btree (slug)
 
@@ -127,15 +159,28 @@ constraints on admin_sessions:
   [PRIMARY KEY] admin_sessions_pkey: PRIMARY KEY (token_hash)
 
 constraints on admin_users:
+  [CHECK] admin_users_instance_role_check: CHECK ((instance_role = ANY (ARRAY['owner'::text, 'admin'::text, 'member'::text])))
   [PRIMARY KEY] admin_users_pkey: PRIMARY KEY (id)
+  [UNIQUE] admin_users_email_key: UNIQUE (email)
   [UNIQUE] admin_users_username_key: UNIQUE (username)
 
+constraints on api_keys:
+  [FOREIGN KEY] api_keys_app_id_fkey: FOREIGN KEY (app_id) REFERENCES apps(id) ON DELETE CASCADE
+  [FOREIGN KEY] api_keys_user_id_fkey: FOREIGN KEY (user_id) REFERENCES admin_users(id) ON DELETE CASCADE
+  [PRIMARY KEY] api_keys_pkey: PRIMARY KEY (id)
+
 constraints on app_domains:
   [CHECK] app_domains_shape_check: CHECK ((shape = ANY (ARRAY['exact'::text, 'wildcard'::text, 'parameterized'::text])))
   [FOREIGN KEY] app_domains_app_id_fkey: FOREIGN KEY (app_id) REFERENCES apps(id) ON DELETE CASCADE
   [PRIMARY KEY] app_domains_pkey: PRIMARY KEY (id)
   [UNIQUE] app_domains_shape_key_key: UNIQUE (shape_key)
 
+constraints on app_members:
+  [CHECK] app_members_role_check: CHECK ((role = ANY (ARRAY['app_admin'::text, 'editor'::text, 'viewer'::text])))
+  [FOREIGN KEY] app_members_app_id_fkey: FOREIGN KEY (app_id) REFERENCES apps(id) ON DELETE CASCADE
+  [FOREIGN KEY] app_members_user_id_fkey: FOREIGN KEY (user_id) REFERENCES admin_users(id) ON DELETE CASCADE
+  [PRIMARY KEY] app_members_pkey: PRIMARY KEY (app_id, user_id)
+
 constraints on app_slug_history:
   [FOREIGN KEY] app_slug_history_current_app_id_fkey: FOREIGN KEY (current_app_id) REFERENCES apps(id) ON DELETE CASCADE
   [PRIMARY KEY] app_slug_history_pkey: PRIMARY KEY (slug)
@@ -169,3 +214,4 @@ constraints on scripts:
   0003: routes
   0004: admin auth
   0005: apps
+  0006: users authz

crates/orchestrator-core/src/api.rs

@@ -12,12 +12,13 @@ use axum::{
     http::{HeaderMap, HeaderName, HeaderValue, StatusCode},
     response::{IntoResponse, Response},
     routing::post,
-    Json, Router,
+    Extension, Json, Router,
 };
 use chrono::Utc;
 use picloud_executor_core::{ExecError, ExecRequest, ExecResponse, InvocationType};
 use picloud_shared::{
-    AppId, ExecutionId, ExecutionLog, ExecutionLogSink, ExecutionStatus, RequestId, ScriptId,
+    AppId, ExecutionId, ExecutionLog, ExecutionLogSink, ExecutionStatus, Principal, RequestId,
+    ScriptId,
 };
 use serde_json::Value as Json_;
 use uuid::Uuid;
@@ -54,6 +55,11 @@ impl<E, R> Clone for DataPlaneState<E, R> {
 
 /// Build the data-plane router. Handles `POST /execute/:id` — the
 /// always-available ID-based bypass.
+///
+/// Handlers expect an `Extension<Option<Principal>>` to be attached by
+/// upstream middleware (`manager-core::attach_principal_if_present`);
+/// requests without that extension panic at extraction time. The
+/// picloud binary wires this in `build_app`.
 pub fn data_plane_router<E, R>(state: DataPlaneState<E, R>) -> Router
 where
     E: ExecutorClient + 'static,
@@ -67,6 +73,10 @@ where
 /// Build a router that handles ALL paths via the user-defined routing
 /// table. Intended to be merged into the picloud app router as a
 /// fallback (after the system routes are mounted).
+///
+/// Same middleware expectation as `data_plane_router` — wrap with
+/// `attach_principal_if_present` so handlers can extract
+/// `Extension<Option<Principal>>`.
 pub fn user_routes_router<E, R>(state: DataPlaneState<E, R>) -> Router
 where
     E: ExecutorClient + 'static,
@@ -84,6 +94,7 @@ where
 async fn execute_by_id<E, R>(
     State(state): State<DataPlaneState<E, R>>,
     Path(id): Path<ScriptId>,
+    Extension(principal): Extension<Option<Principal>>,
     headers: HeaderMap,
     body: Bytes,
 ) -> Result<Response, ApiError>
@@ -97,7 +108,7 @@ where
         .await?
         .ok_or(ApiError::NotFound(id))?;
 
-    let mut req = build_exec_request(id, &script.name, &headers, &body)?;
+    let mut req = build_exec_request(id, &script.name, &headers, &body, script.app_id, principal)?;
     req.sandbox_overrides = script.sandbox;
     let request_id = req.request_id;
     let request_path = req.path.clone();
@@ -133,6 +144,7 @@ where
 
 async fn user_route_handler<E, R>(
     State(state): State<DataPlaneState<E, R>>,
+    Extension(principal): Extension<Option<Principal>>,
     request: Request,
 ) -> Result<Response, ApiError>
 where
@@ -195,6 +207,8 @@ where
         &script.name,
         &headers,
         &body_bytes,
+        app_id,
+        principal,
     )?;
     req.path = path;
     req.params = matched.params;
@@ -264,6 +278,8 @@ fn build_exec_request(
     name: &str,
     headers: &HeaderMap,
     body: &Bytes,
+    app_id: AppId,
+    principal: Option<Principal>,
 ) -> Result<ExecRequest, ApiError> {
     let mut hmap = BTreeMap::new();
     for (k, v) in headers {
@@ -279,8 +295,9 @@ fn build_exec_request(
             .map_err(|e| ApiError::BadRequest(format!("invalid JSON body: {e}")))?
     };
 
+    let execution_id = ExecutionId::new();
     Ok(ExecRequest {
-        execution_id: ExecutionId::new(),
+        execution_id,
         request_id: RequestId::new(),
         script_id: id,
         script_name: name.to_string(),
@@ -293,6 +310,13 @@ fn build_exec_request(
         rest: String::new(),
         // Overwritten by the handler after the script is resolved.
         sandbox_overrides: picloud_shared::ScriptSandbox::default(),
+        app_id,
+        principal,
+        // Direct invocations are at depth 0 with a self-referential
+        // root. The triggers framework (v1.1.1) increments depth and
+        // preserves the original root for chained executions.
+        trigger_depth: 0,
+        root_execution_id: execution_id,
     })
 }
 
@@ -396,7 +420,22 @@ pub enum ApiError {
 
 impl IntoResponse for ApiError {
     fn into_response(self) -> Response {
+        // Overloaded is the only variant that needs to attach an HTTP
+        // header (Retry-After), so it short-circuits the (status, body)
+        // reduction below. Axum's tuple builder makes per-arm header
+        // injection awkward otherwise.
         use ApiError as E;
+        if let E::Exec(ExecError::Overloaded { retry_after_secs }) = &self {
+            let retry = retry_after_secs.to_string();
+            let body = Json(serde_json::json!({ "error": self.to_string() }));
+            return (
+                StatusCode::SERVICE_UNAVAILABLE,
+                [(axum::http::header::RETRY_AFTER, retry)],
+                body,
+            )
+                .into_response();
+        }
+
         let (status, message) = match &self {
             E::NotFound(_) => (StatusCode::NOT_FOUND, self.to_string()),
             E::BadRequest(_) => (StatusCode::BAD_REQUEST, self.to_string()),
@@ -416,6 +455,7 @@ impl IntoResponse for ApiError {
                     (StatusCode::INSUFFICIENT_STORAGE, e.to_string())
                 }
                 ExecError::Runtime(_) => (StatusCode::BAD_GATEWAY, e.to_string()),
+                ExecError::Overloaded { .. } => unreachable!("handled above"),
             },
         };
         (status, Json(serde_json::json!({ "error": message }))).into_response()

crates/orchestrator-core/src/client.rs

@@ -4,6 +4,8 @@ use std::time::Duration;
 use async_trait::async_trait;
 use picloud_executor_core::{Engine, ExecError, ExecRequest, ExecResponse};
 
+use crate::gate::{AcquireError, ExecutionGate};
+
 /// Maximum wall-clock time we'll wait for a single invocation, regardless
 /// of the per-script `timeout_seconds`. Provides a hard ceiling on
 /// resource usage independent of misconfigured scripts.
@@ -30,14 +32,19 @@ pub trait ExecutorClient: Send + Sync {
 /// `executor-core::Engine::execute` is synchronous; we offload it to a
 /// blocking thread so it doesn't park a Tokio worker, and apply the
 /// wall-clock timeout here.
+///
+/// Holds an `ExecutionGate` and acquires a permit before `spawn_blocking`
+/// so a script storm can't drain the blocking-thread pool. The permit
+/// drops with the future, returning the slot.
 pub struct LocalExecutorClient {
     engine: Arc<Engine>,
+    gate: Arc<ExecutionGate>,
 }
 
 impl LocalExecutorClient {
     #[must_use]
-    pub fn new(engine: Arc<Engine>) -> Self {
+    pub fn new(engine: Arc<Engine>, gate: Arc<ExecutionGate>) -> Self {
-        Self { engine }
+        Self { engine, gate }
     }
 }
 
@@ -49,6 +56,24 @@ impl ExecutorClient for LocalExecutorClient {
         req: ExecRequest,
         timeout: Duration,
     ) -> Result<ExecResponse, ExecError> {
+        // Acquire before spending any wall-clock budget. The permit is
+        // held by this future; on `tokio::time::timeout` firing, the
+        // future drops and the permit returns to the pool — but the
+        // detached `spawn_blocking` thread keeps running until the
+        // Rhai script finishes (or panics). So in-use blocking threads
+        // can briefly exceed the gate's permit count after a timeout.
+        // That is intentional: a new admission can be served while the
+        // already-doomed script winds down, which is preferable to
+        // wedging the slot for the worst-case timeout duration.
+        let _permit =
+            self.gate
+                .try_acquire()
+                .map_err(
+                    |AcquireError::Overloaded { retry_after_secs }| ExecError::Overloaded {
+                        retry_after_secs,
+                    },
+                )?;
+
         let timeout = timeout.min(HARD_TIMEOUT_CAP);
         let timeout_secs = u32::try_from(timeout.as_secs()).unwrap_or(u32::MAX);
 

crates/orchestrator-core/src/gate.rs

@@ -0,0 +1,155 @@
+//! Global concurrency gate for the data plane.
+//!
+//! Wraps a single `tokio::sync::Semaphore` so the executor can refuse
+//! admission immediately when too many invocations are already in
+//! flight. Designed for v1.1.0's single-node MVP — one cap across all
+//! apps and scripts. Per-app or per-script caps come later when a real
+//! workload surfaces the need.
+//!
+//! Policy: **non-blocking, no queue**. If a permit isn't free right
+//! now, the call returns `AcquireError::Overloaded` and the data-plane
+//! HTTP layer translates that to a 503 with `Retry-After: 1`. Pushing
+//! back hard beats letting requests pile up against a finite pool of
+//! blocking threads (executor work runs under `spawn_blocking`).
+//!
+//! Configured via the `PICLOUD_MAX_CONCURRENT_EXECUTIONS` env var.
+//! Default is 32 — comfortable for a single-node Pi, low enough that
+//! a script storm doesn't park every blocking thread.
+
+use std::sync::Arc;
+
+use thiserror::Error;
+use tokio::sync::{OwnedSemaphorePermit, Semaphore, TryAcquireError};
+
+/// Env var consulted by `from_env`.
+pub const ENV_MAX_CONCURRENT: &str = "PICLOUD_MAX_CONCURRENT_EXECUTIONS";
+
+/// Default cap when the env var is unset or invalid.
+pub const DEFAULT_MAX_CONCURRENT: u32 = 32;
+
+/// `Retry-After` header value (seconds) returned alongside the 503
+/// when the gate refuses. Fixed for v1.1.0; later versions may compute
+/// a smarter value from in-flight latency.
+pub const DEFAULT_RETRY_AFTER_SECS: u32 = 1;
+
+/// Refused admission. The HTTP layer translates this to 503 with a
+/// `Retry-After` header.
+#[derive(Debug, Error)]
+pub enum AcquireError {
+    #[error("at capacity (retry after {retry_after_secs}s)")]
+    Overloaded { retry_after_secs: u32 },
+}
+
+/// Global execution gate. Constructed once at orchestrator startup and
+/// shared via `Arc`. Holds an inner `Arc<Semaphore>` so permits are
+/// owned (they release on drop independent of the gate's lifetime).
+pub struct ExecutionGate {
+    permits: Arc<Semaphore>,
+    max_permits: u32,
+}
+
+impl ExecutionGate {
+    /// Construct with an explicit cap. Mostly for tests; production
+    /// uses `from_env`.
+    #[must_use]
+    pub fn new(max_permits: u32) -> Self {
+        Self {
+            permits: Arc::new(Semaphore::new(max_permits as usize)),
+            max_permits,
+        }
+    }
+
+    /// Read `PICLOUD_MAX_CONCURRENT_EXECUTIONS` from the environment.
+    /// Falls back to `DEFAULT_MAX_CONCURRENT` on absence; warns and
+    /// falls back on parse failure or non-positive value. Mirrors the
+    /// `SandboxCeiling::from_env` ergonomics so operators see a
+    /// consistent shape across the env-tunables.
+    #[must_use]
+    pub fn from_env() -> Self {
+        let max = match std::env::var(ENV_MAX_CONCURRENT) {
+            Err(_) => DEFAULT_MAX_CONCURRENT,
+            Ok(v) => match v.parse::<u32>() {
+                Ok(n) if n > 0 => n,
+                Ok(_) => {
+                    tracing::warn!(
+                        env = ENV_MAX_CONCURRENT,
+                        value = %v,
+                        "value must be > 0; using default {DEFAULT_MAX_CONCURRENT}"
+                    );
+                    DEFAULT_MAX_CONCURRENT
+                }
+                Err(e) => {
+                    tracing::warn!(
+                        env = ENV_MAX_CONCURRENT,
+                        value = %v,
+                        error = %e,
+                        "invalid value; using default {DEFAULT_MAX_CONCURRENT}"
+                    );
+                    DEFAULT_MAX_CONCURRENT
+                }
+            },
+        };
+        Self::new(max)
+    }
+
+    /// Maximum concurrent permits this gate was configured for. Useful
+    /// for diagnostics / future metrics.
+    #[must_use]
+    pub fn max_permits(&self) -> u32 {
+        self.max_permits
+    }
+
+    /// Non-blocking permit acquisition. Returns the owned permit on
+    /// success (drop releases the slot) or `AcquireError::Overloaded`
+    /// when saturated. Sync because the semaphore's non-blocking try is
+    /// sync — no runtime hop needed.
+    pub fn try_acquire(&self) -> Result<OwnedSemaphorePermit, AcquireError> {
+        self.permits
+            .clone()
+            .try_acquire_owned()
+            .map_err(|err| match err {
+                TryAcquireError::NoPermits | TryAcquireError::Closed => AcquireError::Overloaded {
+                    retry_after_secs: DEFAULT_RETRY_AFTER_SECS,
+                },
+            })
+    }
+}
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+
+    #[test]
+    fn acquire_succeeds_under_capacity() {
+        let gate = ExecutionGate::new(2);
+        let _p1 = gate.try_acquire().expect("first permit available");
+        let _p2 = gate.try_acquire().expect("second permit available");
+    }
+
+    #[test]
+    fn acquire_overloaded_when_saturated() {
+        let gate = ExecutionGate::new(1);
+        let _p = gate.try_acquire().expect("first permit available");
+        let AcquireError::Overloaded { retry_after_secs } = gate
+            .try_acquire()
+            .expect_err("second permit must be refused");
+        assert!(retry_after_secs > 0, "retry-after must be positive");
+    }
+
+    #[test]
+    fn permit_drop_releases_slot() {
+        let gate = ExecutionGate::new(1);
+        {
+            let _p = gate.try_acquire().expect("first permit available");
+        }
+        let _ = gate
+            .try_acquire()
+            .expect("slot must be returned after permit drops");
+    }
+
+    #[test]
+    fn max_permits_exposed() {
+        let gate = ExecutionGate::new(7);
+        assert_eq!(gate.max_permits(), 7);
+    }
+}

crates/orchestrator-core/src/lib.rs

@@ -10,9 +10,11 @@
 
 pub mod api;
 pub mod client;
+pub mod gate;
 pub mod resolver;
 pub mod routing;
 
 pub use api::{data_plane_router, user_routes_router, DataPlaneState};
 pub use client::{ExecutorClient, LocalExecutorClient, RemoteExecutorClient};
+pub use gate::{AcquireError, ExecutionGate};
 pub use resolver::{ResolverError, ScriptResolver};

crates/picloud-cli/Cargo.toml

@@ -0,0 +1,42 @@
+[package]
+name = "picloud-cli"
+version.workspace = true
+edition.workspace = true
+rust-version.workspace = true
+license.workspace = true
+repository.workspace = true
+authors.workspace = true
+description = "PiCloud command-line client"
+# Each top-level `tests/*.rs` would otherwise auto-discover as its own
+# test binary, respawning picloud once per file. We want one binary
+# with module sub-files (auth.rs, apps.rs, …) so the LazyLock fixture
+# is genuinely shared.
+autotests = false
+
+[[bin]]
+name = "pic"
+path = "src/main.rs"
+
+[[test]]
+name = "cli"
+path = "tests/cli.rs"
+
+[dependencies]
+picloud-shared.workspace = true
+reqwest = { workspace = true, features = ["json"] }
+serde.workspace = true
+serde_json.workspace = true
+tokio = { workspace = true, features = ["macros", "rt-multi-thread"] }
+chrono = { workspace = true }
+clap = { version = "4", features = ["derive"] }
+toml = "0.8"
+directories = "5"
+rpassword = "7"
+anyhow = "1"
+
+[dev-dependencies]
+assert_cmd = "2"
+predicates = "3"
+tempfile = "3"
+reqwest = { workspace = true, features = ["json", "blocking"] }
+libc = "0.2"

crates/picloud-cli/src/client.rs

@@ -0,0 +1,501 @@
+//! Reqwest-backed HTTP client + minimal wire DTOs.
+//!
+//! The CLI deliberately re-declares small request/response structs here
+//! rather than depending on `manager-core` (and pulling its Postgres
+//! transitive surface). Fields kept to what the CLI actually sends or
+//! reads.
+
+use std::collections::BTreeMap;
+
+use anyhow::{anyhow, Context, Result};
+use chrono::{DateTime, Utc};
+use picloud_shared::{
+    AdminUserId, ApiKeyId, App, AppId, AppRole, ExecutionLog, InstanceRole, Scope, Script,
+};
+use reqwest::{header, Method, RequestBuilder, StatusCode};
+use serde::{Deserialize, Serialize};
+use serde_json::Value;
+
+use crate::config::Credentials;
+
+pub struct Client {
+    http: reqwest::Client,
+    url: String,
+    token: String,
+}
+
+impl Client {
+    pub fn from_creds(creds: &Credentials) -> Result<Self> {
+        Self::new(&creds.url, &creds.token)
+    }
+
+    pub fn new(url: &str, token: &str) -> Result<Self> {
+        let http = reqwest::Client::builder()
+            .user_agent(concat!("pic/", env!("CARGO_PKG_VERSION")))
+            .build()
+            .context("building HTTP client")?;
+        Ok(Self {
+            http,
+            url: url.trim_end_matches('/').to_string(),
+            token: token.to_string(),
+        })
+    }
+
+    #[allow(dead_code)] // used by the trailing-slash unit test below.
+    pub fn url(&self) -> &str {
+        &self.url
+    }
+
+    fn request(&self, method: Method, path: &str) -> RequestBuilder {
+        self.http
+            .request(method, format!("{}{path}", self.url))
+            .header(header::AUTHORIZATION, format!("Bearer {}", self.token))
+    }
+
+    /// `GET /api/v1/admin/auth/me`
+    pub async fn auth_me(&self) -> Result<AuthMeDto> {
+        let resp = self
+            .request(Method::GET, "/api/v1/admin/auth/me")
+            .send()
+            .await?;
+        decode(resp).await
+    }
+
+    /// `GET /api/v1/admin/apps`
+    pub async fn apps_list(&self) -> Result<Vec<App>> {
+        let resp = self
+            .request(Method::GET, "/api/v1/admin/apps")
+            .send()
+            .await?;
+        decode(resp).await
+    }
+
+    /// `GET /api/v1/admin/apps/{id_or_slug}` — slug or UUID accepted.
+    pub async fn apps_get(&self, ident: &str) -> Result<AppLookupDto> {
+        let resp = self
+            .request(Method::GET, &format!("/api/v1/admin/apps/{ident}"))
+            .send()
+            .await?;
+        decode(resp).await
+    }
+
+    /// `POST /api/v1/admin/apps`
+    pub async fn apps_create(&self, body: &CreateAppBody<'_>) -> Result<App> {
+        let resp = self
+            .request(Method::POST, "/api/v1/admin/apps")
+            .json(body)
+            .send()
+            .await?;
+        decode(resp).await
+    }
+
+    /// `GET /api/v1/admin/scripts?app={ident}`
+    pub async fn scripts_list_by_app(&self, ident: &str) -> Result<Vec<Script>> {
+        let resp = self
+            .request(
+                Method::GET,
+                &format!("/api/v1/admin/scripts?app={}", urlencoded(ident)),
+            )
+            .send()
+            .await?;
+        decode(resp).await
+    }
+
+    /// `GET /api/v1/admin/scripts` — every script the caller can see
+    /// (server filters by membership for `Member`). Lets `pic scripts ls`
+    /// (no `--app`) collapse what used to be an N+1 per-app walk into a
+    /// single request that can't be partially-broken by a concurrent app
+    /// delete.
+    pub async fn scripts_list_all(&self) -> Result<Vec<Script>> {
+        let resp = self
+            .request(Method::GET, "/api/v1/admin/scripts")
+            .send()
+            .await?;
+        decode(resp).await
+    }
+
+    /// `DELETE /api/v1/admin/apps/{id_or_slug}` with optional `?force=true`.
+    /// Server requires `AppAdmin` capability; without `force`, returns
+    /// 409 if the app still has scripts.
+    pub async fn apps_delete(&self, ident: &str, force: bool) -> Result<()> {
+        let path = if force {
+            format!("/api/v1/admin/apps/{ident}?force=true")
+        } else {
+            format!("/api/v1/admin/apps/{ident}")
+        };
+        let resp = self.request(Method::DELETE, &path).send().await?;
+        decode_status(resp).await
+    }
+
+    /// `DELETE /api/v1/admin/scripts/{id}` — requires `AppAdmin` on the
+    /// owning app (stricter than the edit endpoints, by design).
+    pub async fn scripts_delete(&self, id: &str) -> Result<()> {
+        let resp = self
+            .request(Method::DELETE, &format!("/api/v1/admin/scripts/{id}"))
+            .send()
+            .await?;
+        decode_status(resp).await
+    }
+
+    /// `POST /api/v1/admin/scripts`
+    pub async fn scripts_create(&self, body: &CreateScriptBody<'_>) -> Result<Script> {
+        let resp = self
+            .request(Method::POST, "/api/v1/admin/scripts")
+            .json(body)
+            .send()
+            .await?;
+        decode(resp).await
+    }
+
+    /// `PUT /api/v1/admin/scripts/{id}` — matches the dashboard, which
+    /// uses PUT despite the field-level update semantics.
+    pub async fn scripts_update_source(&self, id: &str, source: &str) -> Result<Script> {
+        let body = UpdateScriptBody { source };
+        let resp = self
+            .request(Method::PUT, &format!("/api/v1/admin/scripts/{id}"))
+            .json(&body)
+            .send()
+            .await?;
+        decode(resp).await
+    }
+
+    /// `POST /api/v1/execute/{id}` — returns the raw HTTP status, headers,
+    /// and JSON body (the orchestrator marshals the script's output as
+    /// the HTTP response itself, not a wrapper object).
+    pub async fn execute(
+        &self,
+        id: &str,
+        body: Value,
+        headers: &[(String, String)],
+    ) -> Result<ExecuteResponse> {
+        let mut req = self
+            .request(Method::POST, &format!("/api/v1/execute/{id}"))
+            .json(&body);
+        for (k, v) in headers {
+            req = req.header(k, v);
+        }
+        let resp = req.send().await?;
+        let status = resp.status().as_u16();
+        let mut headers_out: BTreeMap<String, String> = BTreeMap::new();
+        for (k, v) in resp.headers() {
+            if let Ok(val) = v.to_str() {
+                headers_out.insert(k.as_str().to_string(), val.to_string());
+            }
+        }
+        let bytes = resp.bytes().await.context("reading execute response")?;
+        let body_json: Value = if bytes.is_empty() {
+            Value::Null
+        } else {
+            serde_json::from_slice(&bytes)
+                .unwrap_or(Value::String(String::from_utf8_lossy(&bytes).into_owned()))
+        };
+        Ok(ExecuteResponse {
+            status_code: status,
+            headers: headers_out,
+            body: body_json,
+        })
+    }
+
+    /// `GET /api/v1/admin/scripts/{id}/logs?limit=N`
+    pub async fn logs_list(&self, script_id: &str, limit: u32) -> Result<Vec<ExecutionLog>> {
+        let resp = self
+            .request(
+                Method::GET,
+                &format!("/api/v1/admin/scripts/{script_id}/logs?limit={limit}"),
+            )
+            .send()
+            .await?;
+        decode(resp).await
+    }
+
+    /// `POST /api/v1/admin/auth/logout` — best-effort: server returns
+    /// 204 whether or not the token matched a live session, so we just
+    /// fire and discard the body. Caller still wipes the local creds.
+    pub async fn auth_logout(&self) -> Result<()> {
+        let resp = self
+            .request(Method::POST, "/api/v1/admin/auth/logout")
+            .send()
+            .await?;
+        decode_status(resp).await
+    }
+
+    /// `GET /api/v1/admin/api-keys` — caller's keys only (server filters
+    /// by user_id, no cross-user enumeration).
+    pub async fn apikeys_list(&self) -> Result<Vec<ApiKeyDto>> {
+        let resp = self
+            .request(Method::GET, "/api/v1/admin/api-keys")
+            .send()
+            .await?;
+        decode(resp).await
+    }
+
+    /// `POST /api/v1/admin/api-keys` — `raw_token` is in the response
+    /// **once** and never appears in `GET /api-keys` afterward.
+    pub async fn apikeys_mint(&self, body: &MintApiKeyBody<'_>) -> Result<MintApiKeyResponseDto> {
+        let resp = self
+            .request(Method::POST, "/api/v1/admin/api-keys")
+            .json(body)
+            .send()
+            .await?;
+        decode(resp).await
+    }
+
+    /// `DELETE /api/v1/admin/api-keys/{id}` — 404 covers both "doesn't
+    /// exist" and "not yours" (server flattens to avoid enumeration).
+    pub async fn apikeys_delete(&self, id: &str) -> Result<()> {
+        let resp = self
+            .request(Method::DELETE, &format!("/api/v1/admin/api-keys/{id}"))
+            .send()
+            .await?;
+        decode_status(resp).await
+    }
+}
+
+/// `POST /api/v1/admin/auth/login` — sits outside the `Client` because
+/// it runs before any token exists. Mirrors the dashboard's login.ts
+/// wire shape (see `manager-core/src/auth_api.rs:49-60`).
+pub async fn auth_login(url: &str, username: &str, password: &str) -> Result<LoginResponseDto> {
+    let http = reqwest::Client::builder()
+        .user_agent(concat!("pic/", env!("CARGO_PKG_VERSION")))
+        .build()
+        .context("building HTTP client")?;
+    let body = LoginRequestBody { username, password };
+    let resp = http
+        .post(format!(
+            "{}/api/v1/admin/auth/login",
+            url.trim_end_matches('/')
+        ))
+        .json(&body)
+        .send()
+        .await?;
+    decode(resp).await
+}
+
+// ---------- DTOs (CLI-local, wire-shape-matched) ----------
+
+#[allow(dead_code)]
+#[derive(Debug, Deserialize)]
+pub struct AuthMeDto {
+    // Part of the wire shape (and kept for symmetry with the dashboard's
+    // MeDto), even though the CLI never displays it.
+    pub id: String,
+    pub username: String,
+    pub instance_role: InstanceRole,
+    #[serde(default)]
+    pub email: Option<String>,
+}
+
+#[allow(dead_code)]
+#[derive(Debug, Deserialize)]
+pub struct AppLookupDto {
+    #[serde(flatten)]
+    pub app: App,
+    // Not surfaced yet — `pic apps ls` only shows what `apps_list` returns.
+    // Kept on the DTO so future `pic apps inspect <slug>` work is one-line.
+    #[serde(default)]
+    pub my_role: Option<AppRole>,
+}
+
+#[derive(Debug, Serialize)]
+pub struct CreateAppBody<'a> {
+    pub slug: &'a str,
+    pub name: &'a str,
+    #[serde(skip_serializing_if = "Option::is_none")]
+    pub description: Option<&'a str>,
+}
+
+#[derive(Debug, Serialize)]
+pub struct CreateScriptBody<'a> {
+    pub app_id: AppId,
+    pub name: &'a str,
+    #[serde(skip_serializing_if = "Option::is_none")]
+    pub description: Option<&'a str>,
+    pub source: &'a str,
+}
+
+#[derive(Debug, Serialize)]
+struct UpdateScriptBody<'a> {
+    source: &'a str,
+}
+
+#[derive(Debug, Serialize)]
+struct LoginRequestBody<'a> {
+    username: &'a str,
+    password: &'a str,
+}
+
+#[allow(dead_code)]
+#[derive(Debug, Deserialize)]
+pub struct LoginResponseDto {
+    pub user: LoginUserDto,
+    pub token: String,
+    pub expires_at: DateTime<Utc>,
+}
+
+#[allow(dead_code)]
+#[derive(Debug, Deserialize)]
+pub struct LoginUserDto {
+    pub id: AdminUserId,
+    pub username: String,
+    pub instance_role: InstanceRole,
+    #[serde(default)]
+    pub email: Option<String>,
+}
+
+#[derive(Debug, Serialize)]
+pub struct MintApiKeyBody<'a> {
+    pub name: &'a str,
+    pub scopes: &'a [Scope],
+    #[serde(skip_serializing_if = "Option::is_none")]
+    pub app_id: Option<AppId>,
+    #[serde(skip_serializing_if = "Option::is_none")]
+    pub expires_at: Option<DateTime<Utc>>,
+}
+
+/// Fresh-mint response. The `raw_token` field is the one and only
+/// chance to capture the bearer string; subsequent `GET /api-keys`
+/// returns the `ApiKeyDto` portion without it.
+#[derive(Debug, Deserialize)]
+pub struct MintApiKeyResponseDto {
+    #[serde(flatten)]
+    pub key: ApiKeyDto,
+    pub raw_token: String,
+}
+
+#[allow(dead_code)]
+#[derive(Debug, Deserialize)]
+pub struct ApiKeyDto {
+    pub id: ApiKeyId,
+    pub prefix: String,
+    pub name: String,
+    pub scopes: Vec<Scope>,
+    pub app_id: Option<AppId>,
+    pub expires_at: Option<DateTime<Utc>>,
+    pub last_used_at: Option<DateTime<Utc>>,
+    pub created_at: DateTime<Utc>,
+}
+
+#[allow(dead_code)]
+#[derive(Debug)]
+pub struct ExecuteResponse {
+    pub status_code: u16,
+    // Captured for completeness; not displayed today, but `pic invoke -v`
+    // could surface them later without changing this struct.
+    pub headers: BTreeMap<String, String>,
+    pub body: Value,
+}
+
+// ---------- helpers ----------
+
+/// Parse `-H "Key: value"` or `-H "Key=value"` into a `(name, value)`
+/// pair. Trims surrounding whitespace on both sides.
+pub fn parse_kv_header(raw: &str) -> Result<(String, String), String> {
+    let (k, v) = raw
+        .split_once(':')
+        .or_else(|| raw.split_once('='))
+        .ok_or_else(|| format!("expected `Key: value` or `Key=value`, got {raw:?}"))?;
+    let k = k.trim();
+    let v = v.trim();
+    if k.is_empty() {
+        return Err(format!("empty header name in {raw:?}"));
+    }
+    Ok((k.to_string(), v.to_string()))
+}
+
+fn urlencoded(s: &str) -> String {
+    // Minimal pass: percent-encode the few chars that break the query.
+    // Slugs and UUIDs don't contain them in practice, but be safe.
+    let mut out = String::with_capacity(s.len());
+    for ch in s.chars() {
+        match ch {
+            '&' | '=' | '?' | '#' | ' ' => {
+                out.push_str(&format!("%{:02X}", u32::from(ch)));
+            }
+            _ => out.push(ch),
+        }
+    }
+    out
+}
+
+async fn decode<T: for<'de> Deserialize<'de>>(resp: reqwest::Response) -> Result<T> {
+    if resp.status().is_success() {
+        return resp.json::<T>().await.context("parsing response body");
+    }
+    Err(server_error(resp).await)
+}
+
+/// Like `decode` but for endpoints whose 2xx response has no body
+/// (204 No Content) — DELETE handlers, logout.
+async fn decode_status(resp: reqwest::Response) -> Result<()> {
+    if resp.status().is_success() {
+        return Ok(());
+    }
+    Err(server_error(resp).await)
+}
+
+async fn server_error(resp: reqwest::Response) -> anyhow::Error {
+    let status = resp.status();
+    let body = resp.text().await.unwrap_or_default();
+    let msg = parse_error_body(&body).unwrap_or(body);
+    let hint = role_hint(status);
+    if hint.is_empty() {
+        anyhow!("HTTP {}: {}", status.as_u16(), msg)
+    } else {
+        anyhow!("HTTP {}: {} ({})", status.as_u16(), msg, hint)
+    }
+}
+
+fn parse_error_body(s: &str) -> Option<String> {
+    let v: Value = serde_json::from_str(s).ok()?;
+    let obj = v.as_object()?;
+    if let Some(m) = obj.get("message").and_then(Value::as_str) {
+        return Some(m.to_string());
+    }
+    if let Some(e) = obj.get("error").and_then(Value::as_str) {
+        return Some(e.to_string());
+    }
+    None
+}
+
+fn role_hint(status: StatusCode) -> &'static str {
+    match status {
+        StatusCode::FORBIDDEN => "your role may lack the required capability; check `pic whoami`",
+        StatusCode::UNAUTHORIZED => "token rejected; re-run `pic login`",
+        _ => "",
+    }
+}
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+
+    #[test]
+    fn parse_kv_colon() {
+        let (k, v) = parse_kv_header("X-Foo: bar").unwrap();
+        assert_eq!(k, "X-Foo");
+        assert_eq!(v, "bar");
+    }
+
+    #[test]
+    fn parse_kv_equals() {
+        let (k, v) = parse_kv_header("X-Foo=bar").unwrap();
+        assert_eq!(k, "X-Foo");
+        assert_eq!(v, "bar");
+    }
+
+    #[test]
+    fn parse_kv_rejects_no_separator() {
+        assert!(parse_kv_header("X-Foo").is_err());
+    }
+
+    #[test]
+    fn parse_kv_rejects_empty_name() {
+        assert!(parse_kv_header(": bar").is_err());
+    }
+
+    #[test]
+    fn url_strip_trailing_slash() {
+        let c = Client::new("http://localhost:8000/", "pic_x").unwrap();
+        assert_eq!(c.url(), "http://localhost:8000");
+    }
+}

crates/picloud-cli/src/cmds/api_keys.rs

@@ -0,0 +1,201 @@
+//! `pic api-keys` — long-lived bearer-key management.
+//!
+//! Server semantics (mirrored from `manager-core/src/api_keys_api.rs`):
+//!   * `raw_token` is returned **once** on mint and never again.
+//!   * `app_id` (optional `--app`) binds the key to one app; instance
+//!     scopes (`instance:*`) are rejected when `--app` is also set.
+//!   * `scopes` is a `text[]` in the wire form (`script:read`, …).
+
+use anyhow::{anyhow, Result};
+use chrono::{DateTime, Utc};
+use picloud_shared::Scope;
+
+use crate::client::{Client, MintApiKeyBody};
+use crate::config;
+use crate::output::{KvBlock, OutputMode, Table};
+
+pub async fn mint(
+    name: &str,
+    scope_strs: &[String],
+    app_ident: Option<&str>,
+    expires: Option<&str>,
+    mode: OutputMode,
+) -> Result<()> {
+    let creds = config::resolve()?;
+    let client = Client::from_creds(&creds)?;
+
+    let scopes = parse_scopes(scope_strs)?;
+    let expires_at = expires.map(parse_expires).transpose()?;
+    let app_id = match app_ident {
+        Some(ident) => Some(client.apps_get(ident).await?.app.id),
+        None => None,
+    };
+
+    let body = MintApiKeyBody {
+        name,
+        scopes: &scopes,
+        app_id,
+        expires_at,
+    };
+    let resp = client.apikeys_mint(&body).await?;
+
+    let mut block = KvBlock::new();
+    block
+        .field("id", resp.key.id.to_string())
+        .field("name", resp.key.name.clone())
+        .field("prefix", resp.key.prefix.clone())
+        .field(
+            "scopes",
+            resp.key
+                .scopes
+                .iter()
+                .map(|s| s.as_str())
+                .collect::<Vec<_>>()
+                .join(","),
+        )
+        .field(
+            "app_id",
+            resp.key
+                .app_id
+                .map(|a| a.to_string())
+                .unwrap_or_else(|| "-".into()),
+        )
+        .field(
+            "expires_at",
+            resp.key
+                .expires_at
+                .map(|t| t.to_rfc3339())
+                .unwrap_or_else(|| "-".into()),
+        )
+        .field("token", resp.raw_token.clone());
+    block.print(mode);
+    if matches!(mode, OutputMode::Tsv) {
+        // The token row is human-easy-to-miss in a wall of metadata;
+        // call it out exactly once on the human path. Skip on JSON
+        // since machine consumers don't need the nudge.
+        eprintln!("Save this token — it will not be shown again.");
+    }
+    Ok(())
+}
+
+pub async fn ls(mode: OutputMode) -> Result<()> {
+    let creds = config::resolve()?;
+    let client = Client::from_creds(&creds)?;
+    let keys = client.apikeys_list().await?;
+    let mut table = Table::new([
+        "id",
+        "name",
+        "prefix",
+        "scopes",
+        "app_id",
+        "expires_at",
+        "last_used_at",
+        "created_at",
+    ]);
+    for k in keys {
+        table.row([
+            k.id.to_string(),
+            k.name,
+            k.prefix,
+            k.scopes
+                .iter()
+                .map(|s| s.as_str())
+                .collect::<Vec<_>>()
+                .join(","),
+            k.app_id
+                .map(|a| a.to_string())
+                .unwrap_or_else(|| "-".into()),
+            k.expires_at
+                .map(|t| t.to_rfc3339())
+                .unwrap_or_else(|| "-".into()),
+            k.last_used_at
+                .map(|t| t.to_rfc3339())
+                .unwrap_or_else(|| "-".into()),
+            k.created_at.to_rfc3339(),
+        ]);
+    }
+    table.print(mode);
+    Ok(())
+}
+
+pub async fn rm(id: &str) -> Result<()> {
+    let creds = config::resolve()?;
+    let client = Client::from_creds(&creds)?;
+    client.apikeys_delete(id).await?;
+    println!("Revoked api-key {id}");
+    Ok(())
+}
+
+fn parse_scopes(raw: &[String]) -> Result<Vec<Scope>> {
+    if raw.is_empty() {
+        return Err(anyhow!(
+            "at least one `--scope` is required (e.g. --scope script:read)"
+        ));
+    }
+    raw.iter()
+        .map(|s| Scope::from_wire(s).ok_or_else(|| anyhow!("unknown scope: {s}")))
+        .collect()
+}
+
+/// `--expires` accepts either RFC 3339 (`2026-12-31T23:59:59Z`) or a
+/// shorthand `<N>d` / `<N>h` / `<N>m` (days / hours / minutes from now).
+/// Shorthand wins for the common "key good for 30 days" case; full
+/// RFC 3339 keeps the door open for precise cutoffs.
+fn parse_expires(raw: &str) -> Result<DateTime<Utc>> {
+    if let Some(spec) = raw.strip_suffix('d') {
+        let days: i64 = spec.parse().map_err(|_| anyhow!("bad days: {raw}"))?;
+        return Ok(Utc::now() + chrono::Duration::days(days));
+    }
+    if let Some(spec) = raw.strip_suffix('h') {
+        let hours: i64 = spec.parse().map_err(|_| anyhow!("bad hours: {raw}"))?;
+        return Ok(Utc::now() + chrono::Duration::hours(hours));
+    }
+    if let Some(spec) = raw.strip_suffix('m') {
+        let mins: i64 = spec.parse().map_err(|_| anyhow!("bad minutes: {raw}"))?;
+        return Ok(Utc::now() + chrono::Duration::minutes(mins));
+    }
+    DateTime::parse_from_rfc3339(raw)
+        .map(|d| d.with_timezone(&Utc))
+        .map_err(|e| anyhow!("expected RFC 3339 or `<N>d/h/m`, got {raw:?}: {e}"))
+}
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+
+    #[test]
+    fn parse_scopes_accepts_wire_form() {
+        let scopes = parse_scopes(&["script:read".into(), "log:read".into()]).unwrap();
+        assert_eq!(scopes, vec![Scope::ScriptRead, Scope::LogRead]);
+    }
+
+    #[test]
+    fn parse_scopes_rejects_empty() {
+        let err = parse_scopes(&[]).unwrap_err();
+        assert!(format!("{err}").contains("at least one"));
+    }
+
+    #[test]
+    fn parse_scopes_rejects_unknown() {
+        let err = parse_scopes(&["script:nope".into()]).unwrap_err();
+        assert!(format!("{err}").contains("unknown scope"));
+    }
+
+    #[test]
+    fn parse_expires_days_shorthand() {
+        let d = parse_expires("7d").unwrap();
+        let diff = (d - Utc::now()).num_days();
+        assert!((6..=7).contains(&diff), "got {diff}");
+    }
+
+    #[test]
+    fn parse_expires_rfc3339_passes_through() {
+        let d = parse_expires("2030-01-01T00:00:00Z").unwrap();
+        assert_eq!(d.timestamp(), 1893456000);
+    }
+
+    #[test]
+    fn parse_expires_garbage_errors() {
+        assert!(parse_expires("tomorrow").is_err());
+    }
+}

crates/picloud-cli/src/cmds/apps.rs

@@ -0,0 +1,84 @@
+//! `pic apps` subcommands: `ls`, `create`, `show`, `delete`.
+
+use anyhow::Result;
+use picloud_shared::AppRole;
+
+use crate::client::{Client, CreateAppBody};
+use crate::config;
+use crate::output::{KvBlock, OutputMode, Table};
+
+pub async fn ls(mode: OutputMode) -> Result<()> {
+    let creds = config::resolve()?;
+    let client = Client::from_creds(&creds)?;
+    let apps = client.apps_list().await?;
+    let mut table = Table::new(["slug", "name", "my_role", "created_at"]);
+    for app in apps {
+        // The list endpoint returns App without my_role. We do a per-app
+        // lookup only on demand; for `ls` we leave the column dashed so
+        // the call stays cheap (one HTTP request).
+        table.row([
+            app.slug.clone(),
+            app.name.clone(),
+            "-".to_string(),
+            app.created_at.to_rfc3339(),
+        ]);
+    }
+    table.print(mode);
+    Ok(())
+}
+
+pub async fn create(slug: &str, name: Option<&str>, description: Option<&str>) -> Result<()> {
+    let creds = config::resolve()?;
+    let client = Client::from_creds(&creds)?;
+    let body = CreateAppBody {
+        slug,
+        name: name.unwrap_or(slug),
+        description,
+    };
+    let app = client.apps_create(&body).await?;
+    println!("Created app {}", app.slug);
+    Ok(())
+}
+
+/// `pic apps show <slug>` — single-app inspect using the lookup
+/// endpoint, which carries `my_role` for the caller (the `ls` endpoint
+/// doesn't).
+pub async fn show(ident: &str, mode: OutputMode) -> Result<()> {
+    let creds = config::resolve()?;
+    let client = Client::from_creds(&creds)?;
+    let lookup = client.apps_get(ident).await?;
+    let mut block = KvBlock::new();
+    block
+        .field("id", lookup.app.id.to_string())
+        .field("slug", lookup.app.slug.clone())
+        .field("name", lookup.app.name.clone())
+        .field(
+            "description",
+            lookup.app.description.clone().unwrap_or_else(|| "-".into()),
+        )
+        .field("my_role", role_label(lookup.my_role.as_ref()))
+        .field("created_at", lookup.app.created_at.to_rfc3339())
+        .field("updated_at", lookup.app.updated_at.to_rfc3339());
+    block.print(mode);
+    Ok(())
+}
+
+/// `pic apps delete <slug> [--force]`. Without `--force` the server
+/// returns 409 if the app still owns scripts — surface that as a
+/// useful error rather than swallowing.
+pub async fn delete(ident: &str, force: bool) -> Result<()> {
+    let creds = config::resolve()?;
+    let client = Client::from_creds(&creds)?;
+    client.apps_delete(ident, force).await?;
+    println!("Deleted app {ident}");
+    Ok(())
+}
+
+fn role_label(role: Option<&AppRole>) -> String {
+    // Use the wire form so the CLI label matches what the dashboard
+    // shows and what the membership APIs accept.
+    match role {
+        Some(r) => r.as_str().to_string(),
+        None => "-".into(),
+    }
+}

crates/picloud-cli/src/cmds/login.rs

@@ -0,0 +1,129 @@
+//! `pic login` — primary auth entry point.
+//!
+//! Two flows:
+//!   * **username + password** (default, interactive): POST
+//!     `/api/v1/admin/auth/login` with the credentials and persist the
+//!     returned session token. Mirrors the dashboard's login form.
+//!   * **paste-a-token** (`--token <T>`, or `PICLOUD_TOKEN` env): skip
+//!     the credential exchange and persist a bearer string directly.
+//!     Used by CI and by anyone using a long-lived API key minted via
+//!     `pic api-keys mint`. Validated against `/auth/me` before save.
+//!
+//! `--url <U>` (or `PICLOUD_URL`) overrides the URL prompt non-interactively.
+
+use std::io::{self, BufRead, Write};
+
+use anyhow::{Context, Result};
+use picloud_shared::InstanceRole;
+
+use crate::client::{self, Client};
+use crate::config::{save, Credentials};
+
+const DEFAULT_URL: &str = "http://localhost:8000";
+
+pub async fn run(url_arg: Option<&str>, token_arg: Option<&str>) -> Result<()> {
+    let url = resolve_url(url_arg)?;
+    let token_from_env = std::env::var("PICLOUD_TOKEN")
+        .ok()
+        .filter(|s| !s.is_empty());
+    let bearer_token = token_arg.map(str::to_string).or(token_from_env);
+
+    let (token, username, role) = match bearer_token {
+        Some(t) => login_with_bearer(&url, &t).await?,
+        None => login_with_password(&url).await?,
+    };
+
+    let creds = Credentials {
+        url: url.clone(),
+        token,
+        username: username.clone(),
+    };
+    save(&creds)?;
+    println!(
+        "Logged in as {username} ({}) at {url}",
+        instance_role_label(&role)
+    );
+    Ok(())
+}
+
+async fn login_with_password(url: &str) -> Result<(String, String, InstanceRole)> {
+    let username = prompt_line("Username: ")?;
+    if username.is_empty() {
+        anyhow::bail!("username is required");
+    }
+    let password = read_password()?;
+    let resp = client::auth_login(url, &username, &password).await?;
+    Ok((resp.token, resp.user.username, resp.user.instance_role))
+}
+
+/// Read a password without echoing it where possible. Falls back to a
+/// plain stdin read when no controlling terminal is attached — CI
+/// systems and `cargo test`'s piped stdin both land here, and dying
+/// outright would block scripted use entirely. The fallback is louder
+/// (visible characters), but it's that or no functioning login.
+fn read_password() -> Result<String> {
+    match rpassword::prompt_password("Password: ") {
+        Ok(p) => Ok(p),
+        Err(_) => {
+            eprint!("Password: ");
+            io::stderr().flush()?;
+            let mut buf = String::new();
+            io::stdin()
+                .lock()
+                .read_line(&mut buf)
+                .context("reading password from stdin")?;
+            Ok(buf.trim_end_matches(['\r', '\n']).to_string())
+        }
+    }
+}
+
+/// Bearer-token path: validate against `/auth/me` so a typo doesn't get
+/// persisted, then trust the username the server reports rather than
+/// whatever the user typed (which they didn't type at all in this mode).
+async fn login_with_bearer(url: &str, token: &str) -> Result<(String, String, InstanceRole)> {
+    let client = Client::new(url, token)?;
+    let me = client.auth_me().await?;
+    Ok((token.to_string(), me.username, me.instance_role))
+}
+
+fn instance_role_label(role: &InstanceRole) -> &'static str {
+    match role {
+        InstanceRole::Owner => "owner",
+        InstanceRole::Admin => "admin",
+        InstanceRole::Member => "member",
+    }
+}
+
+fn resolve_url(url_arg: Option<&str>) -> Result<String> {
+    if let Some(u) = url_arg {
+        return Ok(u.trim_end_matches('/').to_string());
+    }
+    if let Ok(env_url) = std::env::var("PICLOUD_URL") {
+        if !env_url.is_empty() {
+            return Ok(env_url.trim_end_matches('/').to_string());
+        }
+    }
+    let typed = prompt_with_default("PiCloud URL", DEFAULT_URL)?;
+    Ok(typed.trim_end_matches('/').to_string())
+}
+
+fn prompt_line(label: &str) -> Result<String> {
+    print!("{label}");
+    io::stdout().flush()?;
+    let mut buf = String::new();
+    io::stdin().lock().read_line(&mut buf)?;
+    Ok(buf.trim().to_string())
+}
+
+fn prompt_with_default(label: &str, default: &str) -> Result<String> {
+    print!("{label} [{default}]: ");
+    io::stdout().flush()?;
+    let mut buf = String::new();
+    io::stdin().lock().read_line(&mut buf)?;
+    let trimmed = buf.trim();
+    Ok(if trimmed.is_empty() {
+        default.to_string()
+    } else {
+        trimmed.to_string()
+    })
+}

crates/picloud-cli/src/cmds/logout.rs

@@ -0,0 +1,29 @@
+//! `pic logout` — revoke the saved session server-side, then wipe the
+//! local credentials file.
+//!
+//! Idempotent: if the file doesn't exist or the server already forgot
+//! the session, we still succeed. The point is leaving the user in a
+//! clean "no token" state, not enforcing that a session existed.
+
+use anyhow::Result;
+
+use crate::client::Client;
+use crate::config;
+
+pub async fn run() -> Result<()> {
+    // Load before delete so we have a token to POST /logout with; if
+    // there's no creds file there's also nothing to revoke server-side.
+    let creds = config::load().ok();
+
+    if let Some(creds) = creds {
+        let client = Client::from_creds(&creds)?;
+        // Best-effort: a 4xx (token already invalid) or network error
+        // shouldn't block the local wipe. The whole point of logout is
+        // leaving no credentials on disk.
+        let _ = client.auth_logout().await;
+    }
+
+    config::delete()?;
+    println!("Logged out");
+    Ok(())
+}

crates/picloud-cli/src/cmds/logs.rs

@@ -0,0 +1,79 @@
+//! `pic logs <script-id>` — print recent execution log rows.
+//!
+//! In TSV mode emits a header + truncated-summary rows (`pic logs` was
+//! previously headerless — inconsistent with `apps ls` / `scripts ls`).
+//! In JSON mode emits the raw `ExecutionLog` array (no truncation),
+//! letting `jq` consumers see request/response bodies in full.
+
+use anyhow::Result;
+use picloud_shared::{ExecutionLog, ExecutionStatus};
+
+use crate::client::Client;
+use crate::config;
+use crate::output::{OutputMode, Table};
+
+pub async fn run(script_id: &str, limit: u32, mode: OutputMode) -> Result<()> {
+    let creds = config::resolve()?;
+    let client = Client::from_creds(&creds)?;
+    let entries = client.logs_list(script_id, limit).await?;
+    match mode {
+        OutputMode::Tsv => render_tsv(&entries),
+        OutputMode::Json => render_json(&entries),
+    }
+    Ok(())
+}
+
+fn render_tsv(entries: &[ExecutionLog]) {
+    let mut table = Table::new(["created_at", "status", "summary"]);
+    for e in entries {
+        let summary = summarize(&e.response_body, &e.script_logs);
+        table.row([
+            e.created_at.to_rfc3339(),
+            status_label(&e.status).to_string(),
+            truncate(&summary, 120),
+        ]);
+    }
+    table.print(OutputMode::Tsv);
+}
+
+fn render_json(entries: &[ExecutionLog]) {
+    // Pretty for human jq-piping; consumers that want compact can pipe
+    // through `jq -c`.
+    let s = serde_json::to_string_pretty(entries).unwrap_or_else(|_| "[]".to_string());
+    println!("{s}");
+}
+
+fn status_label(s: &ExecutionStatus) -> &'static str {
+    match s {
+        ExecutionStatus::Success => "success",
+        ExecutionStatus::Error => "error",
+        ExecutionStatus::Timeout => "timeout",
+        ExecutionStatus::BudgetExceeded => "budget_exceeded",
+    }
+}
+
+fn summarize(response_body: &Option<serde_json::Value>, script_logs: &serde_json::Value) -> String {
+    // Prefer the last script-side log line (often the most useful for
+    // grepping). Fall back to the response body.
+    if let Some(arr) = script_logs.as_array() {
+        if let Some(last) = arr.last() {
+            if let Some(msg) = last.get("message").and_then(|m| m.as_str()) {
+                return msg.to_string();
+            }
+        }
+    }
+    response_body
+        .as_ref()
+        .map(ToString::to_string)
+        .unwrap_or_else(|| "-".to_string())
+}
+
+fn truncate(s: &str, n: usize) -> String {
+    let normalized = s.replace('\n', " ");
+    if normalized.chars().count() <= n {
+        normalized
+    } else {
+        let head: String = normalized.chars().take(n).collect();
+        format!("{head}…")
+    }
+}

crates/picloud-cli/src/cmds/mod.rs

@@ -0,0 +1,7 @@
+pub mod api_keys;
+pub mod apps;
+pub mod login;
+pub mod logout;
+pub mod logs;
+pub mod scripts;
+pub mod whoami;

crates/picloud-cli/src/cmds/scripts.rs

@@ -0,0 +1,197 @@
+//! `pic scripts ls | deploy | invoke | delete`.
+
+use std::collections::HashMap;
+use std::io::{self, Read, Write};
+use std::path::Path;
+
+use anyhow::{anyhow, Context, Result};
+use picloud_shared::AppId;
+use serde_json::Value;
+
+use crate::client::{Client, CreateScriptBody};
+use crate::config;
+use crate::output::{OutputMode, Table};
+
+pub async fn ls(app: Option<&str>, mode: OutputMode) -> Result<()> {
+    let creds = config::resolve()?;
+    let client = Client::from_creds(&creds)?;
+
+    let mut table = Table::new(["id", "app_slug", "name", "version", "updated_at"]);
+
+    if let Some(ident) = app {
+        let app = client.apps_get(ident).await?;
+        let scripts = client.scripts_list_by_app(&app.app.slug).await?;
+        for s in scripts {
+            table.row([
+                s.id.to_string(),
+                app.app.slug.clone(),
+                s.name,
+                s.version.to_string(),
+                s.updated_at.to_rfc3339(),
+            ]);
+        }
+    } else {
+        // No filter → use the single `GET /admin/scripts` call. Server
+        // filters by membership for `Member`; for `Admin`/`Owner` it
+        // returns every script. Two requests total (apps + scripts) run
+        // in parallel; the per-app walk we used to do here aborted on
+        // the first 404 when another caller deleted an app mid-listing,
+        // and was the entire reason a 5× retry existed in the tests.
+        let (apps, scripts) = tokio::try_join!(client.apps_list(), client.scripts_list_all())?;
+        let slug_by_id: HashMap<AppId, String> = apps.into_iter().map(|a| (a.id, a.slug)).collect();
+        for s in scripts {
+            let app_slug = slug_by_id
+                .get(&s.app_id)
+                .cloned()
+                .unwrap_or_else(|| "-".to_string());
+            table.row([
+                s.id.to_string(),
+                app_slug,
+                s.name,
+                s.version.to_string(),
+                s.updated_at.to_rfc3339(),
+            ]);
+        }
+    }
+    table.print(mode);
+    Ok(())
+}
+
+pub async fn deploy(
+    file: &Path,
+    app_ident: &str,
+    name_override: Option<&str>,
+    description: Option<&str>,
+) -> Result<()> {
+    let creds = config::resolve()?;
+    let client = Client::from_creds(&creds)?;
+
+    let source =
+        std::fs::read_to_string(file).with_context(|| format!("reading {}", file.display()))?;
+    let name = match name_override {
+        Some(n) => n.to_string(),
+        None => file
+            .file_stem()
+            .and_then(|s| s.to_str())
+            .map(str::to_string)
+            .ok_or_else(|| {
+                anyhow!(
+                    "could not derive script name from path {} (use --name)",
+                    file.display()
+                )
+            })?,
+    };
+
+    // Slug-or-id resolution: a single GET satisfies both lookups and
+    // gives us the canonical app_id needed for create.
+    let app = client.apps_get(app_ident).await?;
+
+    let existing = client.scripts_list_by_app(app_ident).await?;
+    if let Some(s) = existing.into_iter().find(|s| s.name == name) {
+        let updated = client
+            .scripts_update_source(&s.id.to_string(), &source)
+            .await?;
+        println!("Updated {} v{}", updated.name, updated.version);
+    } else {
+        let body = CreateScriptBody {
+            app_id: app.app.id,
+            name: &name,
+            description,
+            source: &source,
+        };
+        let created = client.scripts_create(&body).await?;
+        println!("Created {} v{}", created.name, created.version);
+    }
+    Ok(())
+}
+
+pub async fn invoke(id: &str, body_arg: Option<&str>, headers: &[(String, String)]) -> Result<()> {
+    let creds = config::resolve()?;
+    let client = Client::from_creds(&creds)?;
+
+    let body = parse_body_arg(body_arg)?;
+    let resp = client.execute(id, body, headers).await?;
+    // Status to stderr so stdout stays JSON for piping into jq.
+    let _ = writeln!(io::stderr(), "<- HTTP {}", resp.status_code);
+    let pretty = serde_json::to_string_pretty(&resp.body).unwrap_or_else(|_| resp.body.to_string());
+    println!("{pretty}");
+    if (200..400).contains(&resp.status_code) {
+        Ok(())
+    } else {
+        Err(anyhow!("execute returned HTTP {}", resp.status_code))
+    }
+}
+
+/// `pic scripts delete <id>`. Requires `AppAdmin` on the owning app
+/// server-side, which is stricter than the edit endpoints — Editor
+/// can deploy/update but not destroy. Surfaces that as a 403 with the
+/// usual role hint.
+pub async fn delete(id: &str) -> Result<()> {
+    let creds = config::resolve()?;
+    let client = Client::from_creds(&creds)?;
+    client.scripts_delete(id).await?;
+    println!("Deleted script {id}");
+    Ok(())
+}
+
+fn parse_body_arg(arg: Option<&str>) -> Result<Value> {
+    match arg {
+        None => Ok(Value::Object(serde_json::Map::new())),
+        Some("@-") => {
+            let mut buf = String::new();
+            io::stdin()
+                .read_to_string(&mut buf)
+                .context("reading stdin")?;
+            parse_or_string(&buf)
+        }
+        Some(raw) if raw.starts_with('@') => {
+            let path = &raw[1..];
+            let text = std::fs::read_to_string(path)
+                .with_context(|| format!("reading body file {path}"))?;
+            parse_or_string(&text)
+        }
+        Some(raw) => parse_or_string(raw),
+    }
+}
+
+fn parse_or_string(s: &str) -> Result<Value> {
+    let trimmed = s.trim();
+    if trimmed.is_empty() {
+        return Ok(Value::Object(serde_json::Map::new()));
+    }
+    serde_json::from_str(trimmed)
+        .with_context(|| format!("body is not valid JSON: {}", truncate(trimmed, 80)))
+}
+
+fn truncate(s: &str, n: usize) -> String {
+    if s.len() <= n {
+        s.to_string()
+    } else {
+        format!("{}…", &s[..n])
+    }
+}
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+
+    #[test]
+    fn parse_body_inline_json() {
+        let v = parse_body_arg(Some(r#"{"x":1}"#)).unwrap();
+        assert_eq!(v["x"], 1);
+    }
+
+    #[test]
+    fn parse_body_none_is_empty_object() {
+        let v = parse_body_arg(None).unwrap();
+        assert!(v.is_object());
+        assert_eq!(v.as_object().unwrap().len(), 0);
+    }
+
+    #[test]
+    fn parse_body_invalid_json_reports() {
+        let err = parse_body_arg(Some("not-json{")).unwrap_err();
+        let msg = format!("{err:#}");
+        assert!(msg.contains("not valid JSON"), "got: {msg}");
+    }
+}

crates/picloud-cli/src/cmds/whoami.rs

@@ -0,0 +1,34 @@
+//! `pic whoami` — re-validates the saved token by hitting `/auth/me`
+//! every time. Cached username in the credentials file is for
+//! display-only contexts; this command is the source of truth.
+//!
+//! TSV output uses `KvBlock` (aligned `key: value` rows), JSON output
+//! is a flat object — both downstream-friendly without the user having
+//! to parse a headerless tab-line.
+
+use anyhow::Result;
+use picloud_shared::InstanceRole;
+
+use crate::client::Client;
+use crate::config;
+use crate::output::{KvBlock, OutputMode};
+
+pub async fn run(mode: OutputMode) -> Result<()> {
+    let creds = config::resolve()?;
+    let client = Client::from_creds(&creds)?;
+    let me = client.auth_me().await?;
+    let role = match me.instance_role {
+        InstanceRole::Owner => "owner",
+        InstanceRole::Admin => "admin",
+        InstanceRole::Member => "member",
+    };
+    let email = me.email.as_deref().unwrap_or("-");
+    let mut block = KvBlock::new();
+    block
+        .field("username", me.username)
+        .field("role", role)
+        .field("email", email)
+        .field("url", creds.url.clone());
+    block.print(mode);
+    Ok(())
+}

crates/picloud-cli/src/config.rs

@@ -0,0 +1,153 @@
+//! On-disk credentials store.
+//!
+//! Path is resolved via `directories::ProjectDirs` so the file lives in
+//! the platform-appropriate config dir (XDG on Linux, Library on macOS,
+//! AppData on Windows). On POSIX the file is forced to mode 0600 so the
+//! pasted bearer token isn't world-readable.
+
+use std::fs;
+use std::io::Write;
+use std::path::{Path, PathBuf};
+
+use anyhow::{anyhow, Context, Result};
+use directories::ProjectDirs;
+use serde::{Deserialize, Serialize};
+
+#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Eq)]
+pub struct Credentials {
+    pub url: String,
+    pub token: String,
+    pub username: String,
+}
+
+/// Resolve the credentials file path. Honors `PICLOUD_CONFIG_DIR` as an
+/// override (used by tests to redirect to a tempdir) before falling
+/// back to the platform default.
+pub fn credentials_path() -> Result<PathBuf> {
+    if let Ok(dir) = std::env::var("PICLOUD_CONFIG_DIR") {
+        return Ok(PathBuf::from(dir).join("credentials"));
+    }
+    let dirs = ProjectDirs::from("dev", "picloud", "picloud")
+        .ok_or_else(|| anyhow!("could not determine config directory"))?;
+    Ok(dirs.config_dir().join("credentials"))
+}
+
+pub fn load() -> Result<Credentials> {
+    let path = credentials_path()?;
+    let body = fs::read_to_string(&path).with_context(|| {
+        format!(
+            "no credentials at {}. run `pic login` first",
+            path.display()
+        )
+    })?;
+    toml::from_str(&body).with_context(|| format!("failed to parse {}", path.display()))
+}
+
+/// Resolution order used by every non-login command:
+///   1. If both `PICLOUD_URL` and `PICLOUD_TOKEN` are set (and non-empty),
+///      use them directly. Matches gcloud/aws/kubectl semantics — env
+///      wins so CI never accidentally reads a developer's stale file.
+///   2. Otherwise fall back to the on-disk credentials file.
+///
+/// Username is best-effort: env mode has no way to know the real one
+/// (no round-trip to `/auth/me`), so it shows as `"-"` in `whoami`
+/// output. Callers that need the canonical username re-fetch via
+/// `Client::auth_me`.
+pub fn resolve() -> Result<Credentials> {
+    if let (Ok(url), Ok(token)) = (std::env::var("PICLOUD_URL"), std::env::var("PICLOUD_TOKEN")) {
+        if !url.is_empty() && !token.is_empty() {
+            return Ok(Credentials {
+                url,
+                token,
+                username: "-".to_string(),
+            });
+        }
+    }
+    load()
+}
+
+/// Delete the on-disk credentials file. Idempotent — silently succeeds
+/// if the file is already gone (the user already logged out, or never
+/// logged in to begin with).
+pub fn delete() -> Result<()> {
+    let path = credentials_path()?;
+    match fs::remove_file(&path) {
+        Ok(()) => Ok(()),
+        Err(err) if err.kind() == std::io::ErrorKind::NotFound => Ok(()),
+        Err(err) => Err(err).with_context(|| format!("removing {}", path.display())),
+    }
+}
+
+pub fn save(creds: &Credentials) -> Result<()> {
+    let path = credentials_path()?;
+    if let Some(parent) = path.parent() {
+        fs::create_dir_all(parent).with_context(|| format!("creating {}", parent.display()))?;
+    }
+    let body = toml::to_string(creds).context("serializing credentials")?;
+    write_private(&path, body.as_bytes())?;
+    Ok(())
+}
+
+#[cfg(unix)]
+fn write_private(path: &Path, bytes: &[u8]) -> Result<()> {
+    use std::os::unix::fs::OpenOptionsExt;
+    let mut f = fs::OpenOptions::new()
+        .write(true)
+        .create(true)
+        .truncate(true)
+        .mode(0o600)
+        .open(path)
+        .with_context(|| format!("opening {}", path.display()))?;
+    f.write_all(bytes)
+        .with_context(|| format!("writing {}", path.display()))?;
+    // Belt-and-suspenders: re-set perms in case the file already existed
+    // with a wider mode (mode() on create doesn't downgrade existing).
+    let mut perms = fs::metadata(path)?.permissions();
+    use std::os::unix::fs::PermissionsExt;
+    perms.set_mode(0o600);
+    fs::set_permissions(path, perms)?;
+    Ok(())
+}
+
+#[cfg(not(unix))]
+fn write_private(path: &Path, bytes: &[u8]) -> Result<()> {
+    fs::write(path, bytes).with_context(|| format!("writing {}", path.display()))?;
+    Ok(())
+}
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+    use tempfile::tempdir;
+
+    #[test]
+    fn roundtrip_toml() {
+        let creds = Credentials {
+            url: "http://localhost:8000".to_string(),
+            token: "pic_abc".to_string(),
+            username: "admin".to_string(),
+        };
+        let serialized = toml::to_string(&creds).unwrap();
+        let parsed: Credentials = toml::from_str(&serialized).unwrap();
+        assert_eq!(creds, parsed);
+    }
+
+    #[cfg(unix)]
+    #[test]
+    fn posix_mode_is_0600() {
+        use std::os::unix::fs::PermissionsExt;
+
+        let dir = tempdir().unwrap();
+        std::env::set_var("PICLOUD_CONFIG_DIR", dir.path());
+        let creds = Credentials {
+            url: "http://localhost:8000".to_string(),
+            token: "pic_secret".to_string(),
+            username: "admin".to_string(),
+        };
+        save(&creds).unwrap();
+        let path = credentials_path().unwrap();
+        let mode = fs::metadata(&path).unwrap().permissions().mode() & 0o777;
+        assert_eq!(mode, 0o600, "credentials must be readable only by owner");
+        std::env::remove_var("PICLOUD_CONFIG_DIR");
+    }
+}

crates/picloud-cli/src/main.rs

@@ -0,0 +1,268 @@
+//! PiCloud command-line client.
+//!
+//! Thin client over the existing admin + execute HTTP surface — the
+//! server gains nothing for the CLI; the CLI is just a developer
+//! ergonomics layer over endpoints the dashboard already uses.
+
+use std::path::PathBuf;
+use std::process::ExitCode;
+
+use clap::{Args, Parser, Subcommand};
+
+mod client;
+mod cmds;
+mod config;
+mod output;
+
+use crate::output::OutputMode;
+
+#[derive(Parser)]
+#[command(name = "pic", version, about = "PiCloud command-line client")]
+struct Cli {
+    /// Output format for `ls` / `show` / `whoami` / `logs` commands.
+    /// TSV stays pipe-friendly; JSON is `jq`-ready.
+    #[arg(long, value_enum, global = true, default_value_t = OutputMode::Tsv)]
+    output: OutputMode,
+
+    #[command(subcommand)]
+    cmd: Cmd,
+}
+
+#[derive(Subcommand)]
+enum Cmd {
+    /// Authenticate with the server. Default flow prompts for username
+    /// + password and saves the returned session token; `--token` skips
+    ///   the password exchange and persists a bearer string directly (use
+    ///   this for long-lived API keys minted via `pic api-keys mint`).
+    Login(LoginArgs),
+
+    /// Revoke the saved session server-side and delete the local
+    /// credentials file. Idempotent.
+    Logout,
+
+    /// Print the principal the saved token resolves to.
+    Whoami,
+
+    /// App management.
+    Apps {
+        #[command(subcommand)]
+        cmd: AppsCmd,
+    },
+
+    /// Script management.
+    Scripts {
+        #[command(subcommand)]
+        cmd: ScriptsCmd,
+    },
+
+    /// Long-lived bearer API key management.
+    #[command(name = "api-keys")]
+    ApiKeys {
+        #[command(subcommand)]
+        cmd: ApiKeysCmd,
+    },
+
+    /// Tail recent execution logs for a script.
+    Logs(LogsArgs),
+
+    /// Top-level alias for `pic scripts invoke <id>`.
+    Invoke(InvokeArgs),
+
+    /// Top-level alias for `pic scripts deploy <file> --app <slug>`.
+    Deploy(DeployArgs),
+}
+
+#[derive(Args)]
+struct LoginArgs {
+    /// Override the URL prompt non-interactively. Also reads
+    /// `PICLOUD_URL`.
+    #[arg(long)]
+    url: Option<String>,
+
+    /// Skip the username + password exchange and persist this bearer
+    /// directly (validated against `/auth/me` first). Also reads
+    /// `PICLOUD_TOKEN`.
+    #[arg(long)]
+    token: Option<String>,
+}
+
+#[derive(Subcommand)]
+enum AppsCmd {
+    /// List apps the caller can see.
+    Ls,
+
+    /// Create a new app.
+    Create {
+        slug: String,
+        #[arg(long)]
+        name: Option<String>,
+        #[arg(long)]
+        description: Option<String>,
+    },
+
+    /// Show a single app, including the caller's role in it.
+    Show { ident: String },
+
+    /// Delete an app. Without `--force`, the server rejects if the app
+    /// still owns scripts.
+    Delete {
+        ident: String,
+        #[arg(long)]
+        force: bool,
+    },
+}
+
+#[derive(Subcommand)]
+enum ScriptsCmd {
+    /// List scripts. With `--app`, scoped to one app; without, one
+    /// `GET /admin/scripts` for everything the caller can see.
+    Ls {
+        #[arg(long)]
+        app: Option<String>,
+    },
+
+    /// Upload a `.rhai` file. Patches the existing script with the
+    /// matching name in `--app` if one exists, otherwise creates it.
+    Deploy(DeployArgs),
+
+    /// POST to `/api/v1/execute/{id}`. Body via `--body @path`,
+    /// `--body @-` for stdin, or inline JSON.
+    Invoke(InvokeArgs),
+
+    /// Delete a script. Requires AppAdmin on the owning app.
+    Delete { id: String },
+}
+
+#[derive(Args)]
+struct DeployArgs {
+    file: PathBuf,
+    #[arg(long)]
+    app: String,
+    #[arg(long)]
+    name: Option<String>,
+    #[arg(long)]
+    description: Option<String>,
+}
+
+#[derive(Args)]
+struct InvokeArgs {
+    id: String,
+    #[arg(long)]
+    body: Option<String>,
+    #[arg(short = 'H', long = "header", value_parser = client::parse_kv_header)]
+    headers: Vec<(String, String)>,
+}
+
+#[derive(Subcommand)]
+enum ApiKeysCmd {
+    /// Mint a new long-lived bearer key. Token printed exactly once.
+    Mint {
+        name: String,
+        /// Repeat for multiple scopes: `--scope script:read --scope log:read`.
+        #[arg(long = "scope", required = true)]
+        scopes: Vec<String>,
+        /// Bind the key to a single app (slug or id). Rejects
+        /// `instance:*` scopes when set.
+        #[arg(long)]
+        app: Option<String>,
+        /// Absolute RFC 3339 (`2026-12-31T23:59:59Z`) or shorthand
+        /// `<N>d`/`<N>h`/`<N>m`.
+        #[arg(long)]
+        expires: Option<String>,
+    },
+
+    /// List the caller's keys (no `raw_token` after mint).
+    Ls,
+
+    /// Revoke a key by id.
+    Rm { id: String },
+}
+
+#[derive(Args)]
+struct LogsArgs {
+    script_id: String,
+    #[arg(long, default_value_t = 50)]
+    limit: u32,
+}
+
+#[tokio::main(flavor = "current_thread")]
+async fn main() -> ExitCode {
+    let cli = Cli::parse();
+    let mode = cli.output;
+    let result = match cli.cmd {
+        Cmd::Login(args) => cmds::login::run(args.url.as_deref(), args.token.as_deref()).await,
+        Cmd::Logout => cmds::logout::run().await,
+        Cmd::Whoami => cmds::whoami::run(mode).await,
+        Cmd::Apps { cmd: AppsCmd::Ls } => cmds::apps::ls(mode).await,
+        Cmd::Apps {
+            cmd:
+                AppsCmd::Create {
+                    slug,
+                    name,
+                    description,
+                },
+        } => cmds::apps::create(&slug, name.as_deref(), description.as_deref()).await,
+        Cmd::Apps {
+            cmd: AppsCmd::Show { ident },
+        } => cmds::apps::show(&ident, mode).await,
+        Cmd::Apps {
+            cmd: AppsCmd::Delete { ident, force },
+        } => cmds::apps::delete(&ident, force).await,
+        Cmd::Scripts {
+            cmd: ScriptsCmd::Ls { app },
+        } => cmds::scripts::ls(app.as_deref(), mode).await,
+        Cmd::Scripts {
+            cmd: ScriptsCmd::Deploy(args),
+        } => {
+            cmds::scripts::deploy(
+                &args.file,
+                &args.app,
+                args.name.as_deref(),
+                args.description.as_deref(),
+            )
+            .await
+        }
+        Cmd::Scripts {
+            cmd: ScriptsCmd::Invoke(args),
+        } => cmds::scripts::invoke(&args.id, args.body.as_deref(), &args.headers).await,
+        Cmd::Scripts {
+            cmd: ScriptsCmd::Delete { id },
+        } => cmds::scripts::delete(&id).await,
+        Cmd::ApiKeys {
+            cmd:
+                ApiKeysCmd::Mint {
+                    name,
+                    scopes,
+                    app,
+                    expires,
+                },
+        } => cmds::api_keys::mint(&name, &scopes, app.as_deref(), expires.as_deref(), mode).await,
+        Cmd::ApiKeys {
+            cmd: ApiKeysCmd::Ls,
+        } => cmds::api_keys::ls(mode).await,
+        Cmd::ApiKeys {
+            cmd: ApiKeysCmd::Rm { id },
+        } => cmds::api_keys::rm(&id).await,
+        Cmd::Logs(LogsArgs { script_id, limit }) => cmds::logs::run(&script_id, limit, mode).await,
+        Cmd::Invoke(args) => {
+            cmds::scripts::invoke(&args.id, args.body.as_deref(), &args.headers).await
+        }
+        Cmd::Deploy(args) => {
+            cmds::scripts::deploy(
+                &args.file,
+                &args.app,
+                args.name.as_deref(),
+                args.description.as_deref(),
+            )
+            .await
+        }
+    };
+
+    match result {
+        Ok(()) => ExitCode::SUCCESS,
+        Err(err) => {
+            output::print_error(&err);
+            ExitCode::FAILURE
+        }
+    }
+}

crates/picloud-cli/src/output.rs

@@ -0,0 +1,252 @@
+//! Output rendering for the CLI.
+//!
+//! Two formats:
+//!   * **TSV** (default): aligned columns separated by `\t`. Stays
+//!     pipe-friendly — `pic apps ls | awk -F'\t' '{print $1}'` works
+//!     without parsing box-drawing.
+//!   * **JSON**: array of `{column: value, …}` objects (for tables) or
+//!     a flat object (for single-row `show`/`whoami`). Designed to be
+//!     `jq`-friendly without escaping the table column names.
+//!
+//! Mode is set globally by the top-level `--output` flag and threaded
+//! through every command. Single-row commands (`whoami`, `apps show`)
+//! use `KvBlock`; everything plural uses `Table`.
+
+use std::io::{self, Write};
+
+use clap::ValueEnum;
+use serde_json::{Map, Value};
+
+#[derive(Debug, Clone, Copy, Default, PartialEq, Eq, ValueEnum)]
+#[clap(rename_all = "lowercase")]
+pub enum OutputMode {
+    #[default]
+    Tsv,
+    Json,
+}
+
+// ----------------------------------------------------------------------------
+// Table — list views (`apps ls`, `scripts ls`, `logs`)
+// ----------------------------------------------------------------------------
+
+pub struct Table {
+    headers: Vec<String>,
+    rows: Vec<Vec<String>>,
+}
+
+impl Table {
+    pub fn new<I, S>(headers: I) -> Self
+    where
+        I: IntoIterator<Item = S>,
+        S: Into<String>,
+    {
+        Self {
+            headers: headers.into_iter().map(Into::into).collect(),
+            rows: Vec::new(),
+        }
+    }
+
+    pub fn row<I, S>(&mut self, cells: I) -> &mut Self
+    where
+        I: IntoIterator<Item = S>,
+        S: Into<String>,
+    {
+        self.rows.push(cells.into_iter().map(Into::into).collect());
+        self
+    }
+
+    pub fn render_tsv(&self) -> String {
+        let mut widths: Vec<usize> = self.headers.iter().map(String::len).collect();
+        for row in &self.rows {
+            for (i, cell) in row.iter().enumerate() {
+                if i >= widths.len() {
+                    widths.push(cell.len());
+                } else if cell.len() > widths[i] {
+                    widths[i] = cell.len();
+                }
+            }
+        }
+
+        let mut out = String::new();
+        write_row(&mut out, &self.headers, &widths);
+        for row in &self.rows {
+            write_row(&mut out, row, &widths);
+        }
+        out
+    }
+
+    /// JSON form: `[{header: cell, …}, …]`. Cells go in as strings even
+    /// when they happen to look like numbers — the CLI doesn't carry
+    /// type information all the way through (e.g., `version` is already
+    /// `to_string`'d at the call site). Consumers that need typed
+    /// numbers should parse `jq -r '.[].version|tonumber'`.
+    pub fn render_json(&self) -> String {
+        let arr: Vec<Value> = self
+            .rows
+            .iter()
+            .map(|row| {
+                let mut obj = Map::new();
+                for (i, header) in self.headers.iter().enumerate() {
+                    let cell = row.get(i).cloned().unwrap_or_default();
+                    obj.insert(header.clone(), Value::String(cell));
+                }
+                Value::Object(obj)
+            })
+            .collect();
+        serde_json::to_string_pretty(&Value::Array(arr)).unwrap_or_else(|_| "[]".to_string())
+    }
+
+    pub fn print(&self, mode: OutputMode) {
+        let s = match mode {
+            OutputMode::Tsv => self.render_tsv(),
+            OutputMode::Json => {
+                let mut s = self.render_json();
+                s.push('\n');
+                s
+            }
+        };
+        // Best-effort write — broken pipe from `| head` etc. shouldn't
+        // surface as an error.
+        let _ = io::stdout().write_all(s.as_bytes());
+    }
+}
+
+fn write_row(out: &mut String, row: &[String], widths: &[usize]) {
+    for (i, cell) in row.iter().enumerate() {
+        if i > 0 {
+            out.push('\t');
+        }
+        out.push_str(cell);
+        // Right-pad with spaces so tabs land on the column grid for
+        // human readers. Skip on the final column.
+        if i + 1 < row.len() {
+            let w = widths.get(i).copied().unwrap_or(cell.len());
+            for _ in cell.len()..w {
+                out.push(' ');
+            }
+        }
+    }
+    out.push('\n');
+}
+
+// ----------------------------------------------------------------------------
+// KvBlock — single-row views (`whoami`, `apps show`)
+// ----------------------------------------------------------------------------
+
+/// One row's worth of fields, rendered as aligned `key: value` lines in
+/// TSV mode (one line per field — easier on the eye than a 1-row table)
+/// or a flat JSON object.
+pub struct KvBlock {
+    fields: Vec<(String, String)>,
+}
+
+impl KvBlock {
+    pub fn new() -> Self {
+        Self { fields: Vec::new() }
+    }
+
+    pub fn field(&mut self, key: impl Into<String>, value: impl Into<String>) -> &mut Self {
+        self.fields.push((key.into(), value.into()));
+        self
+    }
+
+    pub fn render_tsv(&self) -> String {
+        let key_width = self.fields.iter().map(|(k, _)| k.len()).max().unwrap_or(0);
+        let mut out = String::new();
+        for (k, v) in &self.fields {
+            out.push_str(k);
+            for _ in k.len()..key_width {
+                out.push(' ');
+            }
+            out.push('\t');
+            out.push_str(v);
+            out.push('\n');
+        }
+        out
+    }
+
+    pub fn render_json(&self) -> String {
+        let mut obj = Map::new();
+        for (k, v) in &self.fields {
+            obj.insert(k.clone(), Value::String(v.clone()));
+        }
+        serde_json::to_string_pretty(&Value::Object(obj)).unwrap_or_else(|_| "{}".to_string())
+    }
+
+    pub fn print(&self, mode: OutputMode) {
+        let s = match mode {
+            OutputMode::Tsv => self.render_tsv(),
+            OutputMode::Json => {
+                let mut s = self.render_json();
+                s.push('\n');
+                s
+            }
+        };
+        let _ = io::stdout().write_all(s.as_bytes());
+    }
+}
+
+// ----------------------------------------------------------------------------
+// Errors
+// ----------------------------------------------------------------------------
+
+pub fn print_error(err: &anyhow::Error) {
+    let mut stderr = io::stderr();
+    let _ = writeln!(stderr, "error: {err:#}");
+}
+
+// ----------------------------------------------------------------------------
+// Tests
+// ----------------------------------------------------------------------------
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+
+    #[test]
+    fn table_aligns_columns_tsv() {
+        let mut t = Table::new(["slug", "name"]);
+        t.row(["a", "Alpha"]).row(["bravo", "B"]);
+        let out = t.render_tsv();
+        assert_eq!(out, "slug \tname\na    \tAlpha\nbravo\tB\n");
+    }
+
+    #[test]
+    fn table_empty_rows_tsv() {
+        let t = Table::new(["a", "b"]);
+        assert_eq!(t.render_tsv(), "a\tb\n");
+    }
+
+    #[test]
+    fn table_render_json_is_array_of_objects() {
+        let mut t = Table::new(["slug", "name"]);
+        t.row(["a", "Alpha"]).row(["bravo", "B"]);
+        let raw = t.render_json();
+        let v: Value = serde_json::from_str(&raw).expect("valid JSON");
+        let arr = v.as_array().expect("array");
+        assert_eq!(arr.len(), 2);
+        assert_eq!(arr[0]["slug"], "a");
+        assert_eq!(arr[0]["name"], "Alpha");
+        assert_eq!(arr[1]["slug"], "bravo");
+        assert_eq!(arr[1]["name"], "B");
+    }
+
+    #[test]
+    fn kv_block_tsv_aligns_keys() {
+        let mut b = KvBlock::new();
+        b.field("username", "admin").field("role", "owner");
+        let out = b.render_tsv();
+        // username (8 chars) defines the key width.
+        assert_eq!(out, "username\tadmin\nrole    \towner\n");
+    }
+
+    #[test]
+    fn kv_block_json_is_flat_object() {
+        let mut b = KvBlock::new();
+        b.field("username", "admin").field("role", "owner");
+        let raw = b.render_json();
+        let v: Value = serde_json::from_str(&raw).expect("valid JSON");
+        assert_eq!(v["username"], "admin");
+        assert_eq!(v["role"], "owner");
+    }
+}

crates/picloud-cli/tests/api_keys.rs

@@ -0,0 +1,170 @@
+//! `pic api-keys` — mint / ls / rm journeys.
+//!
+//! Server semantics asserted here:
+//!   * `mint` emits the `raw_token` *exactly once* and never on `ls`.
+//!   * A minted key is a valid bearer for `/auth/me`.
+//!   * After `rm`, the same token is rejected (401).
+
+use predicates::prelude::*;
+use serde_json::Value;
+
+use crate::common;
+
+#[ignore = "needs DATABASE_URL pointing at a running Postgres"]
+#[test]
+fn mint_prints_raw_token_once_and_ls_omits_it() {
+    let Some(fx) = common::fixture_or_skip() else {
+        return;
+    };
+    let env = common::admin_env(fx);
+    let name = format!("pic-cli-mint-{}", common::unique_slug("k"));
+
+    let out = common::pic_as(&env)
+        .args([
+            "--output",
+            "json",
+            "api-keys",
+            "mint",
+            &name,
+            "--scope",
+            "script:read",
+        ])
+        .output()
+        .expect("api-keys mint");
+    assert!(out.status.success(), "mint failed: {out:?}");
+    let body: Value = serde_json::from_slice(&out.stdout).expect("JSON");
+    let token = body["token"]
+        .as_str()
+        .expect("mint should expose `token`")
+        .to_string();
+    let key_id = body["id"]
+        .as_str()
+        .expect("mint should expose `id`")
+        .to_string();
+    assert!(
+        token.starts_with("pic_"),
+        "tokens are pic_-prefixed: {token}"
+    );
+
+    // `ls` must NEVER carry the raw token. The key row should appear,
+    // identified by name, but `token` is mint-only.
+    let ls = common::pic_as(&env)
+        .args(["--output", "json", "api-keys", "ls"])
+        .output()
+        .expect("api-keys ls");
+    assert!(ls.status.success(), "ls failed: {ls:?}");
+    let ls_body: Value = serde_json::from_slice(&ls.stdout).expect("JSON");
+    let arr = ls_body.as_array().expect("array");
+    let row = arr
+        .iter()
+        .find(|r| r.get("id").and_then(Value::as_str) == Some(key_id.as_str()))
+        .expect("our key in ls");
+    assert!(
+        row.get("token").is_none(),
+        "ls must not expose raw_token: {row}"
+    );
+
+    // Cleanup so we don't leak keys across runs.
+    common::pic_as(&env)
+        .args(["api-keys", "rm", &key_id])
+        .assert()
+        .success();
+}
+
+#[ignore = "needs DATABASE_URL pointing at a running Postgres"]
+#[test]
+fn minted_key_works_as_bearer() {
+    let Some(fx) = common::fixture_or_skip() else {
+        return;
+    };
+    let env = common::admin_env(fx);
+    let name = format!("pic-cli-bearer-{}", common::unique_slug("k"));
+
+    let mint = common::pic_as(&env)
+        .args([
+            "--output",
+            "json",
+            "api-keys",
+            "mint",
+            &name,
+            "--scope",
+            "script:read",
+        ])
+        .output()
+        .expect("mint");
+    assert!(mint.status.success());
+    let body: Value = serde_json::from_slice(&mint.stdout).unwrap();
+    let token = body["token"].as_str().unwrap().to_string();
+    let id = body["id"].as_str().unwrap().to_string();
+
+    // Drive whoami with the minted token — proves the bearer string we
+    // captured really is what the server stamped.
+    let key_env = common::custom_env(&fx.url, &token);
+    common::seed_credentials(&key_env, &fx.admin_username);
+    common::pic_as(&key_env)
+        .args(["whoami"])
+        .assert()
+        .success()
+        .stdout(predicate::str::contains(fx.admin_username.as_str()));
+
+    common::pic_as(&env)
+        .args(["api-keys", "rm", &id])
+        .assert()
+        .success();
+}
+
+/// After `rm`, the bearer token is dead server-side: a follow-up
+/// `whoami` driven by it must 401, not 500.
+#[ignore = "needs DATABASE_URL pointing at a running Postgres"]
+#[test]
+fn rm_revokes_the_token() {
+    let Some(fx) = common::fixture_or_skip() else {
+        return;
+    };
+    let env = common::admin_env(fx);
+    let name = format!("pic-cli-rm-{}", common::unique_slug("k"));
+
+    let mint = common::pic_as(&env)
+        .args([
+            "--output",
+            "json",
+            "api-keys",
+            "mint",
+            &name,
+            "--scope",
+            "script:read",
+        ])
+        .output()
+        .expect("mint");
+    let body: Value = serde_json::from_slice(&mint.stdout).unwrap();
+    let token = body["token"].as_str().unwrap().to_string();
+    let id = body["id"].as_str().unwrap().to_string();
+
+    common::pic_as(&env)
+        .args(["api-keys", "rm", &id])
+        .assert()
+        .success()
+        .stdout(predicate::str::contains(format!("Revoked api-key {id}")));
+
+    let dead = common::custom_env(&fx.url, &token);
+    common::pic_as(&dead)
+        .args(["whoami"])
+        .assert()
+        .failure()
+        .stderr(predicate::str::contains("HTTP 401"));
+}
+
+#[ignore = "needs DATABASE_URL pointing at a running Postgres"]
+#[test]
+fn mint_with_unknown_scope_is_rejected_client_side() {
+    let Some(fx) = common::fixture_or_skip() else {
+        return;
+    };
+    let env = common::admin_env(fx);
+
+    common::pic_as(&env)
+        .args(["api-keys", "mint", "doomed", "--scope", "script:nope"])
+        .assert()
+        .failure()
+        .stderr(predicate::str::contains("unknown scope"));
+}

crates/picloud-cli/tests/apps.rs

@@ -0,0 +1,268 @@
+//! `pic apps create` / `pic apps ls` edge cases. The integration smoke
+//! test covers the happy path; this module covers conflict, validation,
+//! and the persistence of the optional `--name` / `--description` flags
+//! (which `apps ls` doesn't surface).
+
+use predicates::prelude::*;
+use serde_json::Value;
+
+use crate::common;
+use crate::common::cleanup::AppGuard;
+use crate::common::member;
+
+#[ignore = "needs DATABASE_URL pointing at a running Postgres"]
+#[test]
+fn create_with_name_and_description_persists() {
+    let Some(fx) = common::fixture_or_skip() else {
+        return;
+    };
+    let env = common::admin_env(fx);
+    let slug = common::unique_slug("apps-named");
+
+    common::pic_as(&env)
+        .args([
+            "apps",
+            "create",
+            &slug,
+            "--name",
+            "Pretty Name",
+            "--description",
+            "test description",
+        ])
+        .assert()
+        .success();
+    let _guard = AppGuard::new(&env.url, &env.token, &slug);
+
+    // `apps ls` only shows slug+name+role+created_at, so verify the
+    // persisted shape via the admin GET endpoint.
+    let client = reqwest::blocking::Client::new();
+    let resp = client
+        .get(format!("{}/api/v1/admin/apps/{}", env.url, slug))
+        .bearer_auth(&env.token)
+        .send()
+        .expect("GET app");
+    assert!(resp.status().is_success(), "GET app failed: {resp:?}");
+    let body: Value = resp.json().expect("app json");
+    assert_eq!(body["slug"].as_str(), Some(slug.as_str()));
+    assert_eq!(body["name"].as_str(), Some("Pretty Name"));
+    assert_eq!(body["description"].as_str(), Some("test description"));
+}
+
+#[ignore = "needs DATABASE_URL pointing at a running Postgres"]
+#[test]
+fn create_duplicate_slug_conflicts() {
+    let Some(fx) = common::fixture_or_skip() else {
+        return;
+    };
+    let env = common::admin_env(fx);
+    let slug = common::unique_slug("apps-dup");
+
+    common::pic_as(&env)
+        .args(["apps", "create", &slug])
+        .assert()
+        .success();
+    let _guard = AppGuard::new(&env.url, &env.token, &slug);
+
+    common::pic_as(&env)
+        .args(["apps", "create", &slug])
+        .assert()
+        .failure()
+        .stderr(predicate::str::contains("409").or(predicate::str::contains("conflict")));
+}
+
+#[ignore = "needs DATABASE_URL pointing at a running Postgres"]
+#[test]
+fn create_invalid_slug_rejected() {
+    let Some(fx) = common::fixture_or_skip() else {
+        return;
+    };
+    let env = common::admin_env(fx);
+
+    // Server slug regex is `^[a-z0-9][a-z0-9-]{0,62}$` — uppercase
+    // breaks the rule on the very first char. The server returns 422
+    // (`InvalidSlug` → `UNPROCESSABLE_ENTITY`), not 400 — the previous
+    // `"HTTP 4"` predicate would have silently matched any other 4xx
+    // (a regressed 401 from broken auth, for example).
+    common::pic_as(&env)
+        .args(["apps", "create", "NotALowerSlug"])
+        .assert()
+        .failure()
+        .stderr(predicate::str::contains("HTTP 422"));
+}
+
+#[ignore = "needs DATABASE_URL pointing at a running Postgres"]
+#[test]
+fn ls_includes_created_app_with_expected_columns() {
+    let Some(fx) = common::fixture_or_skip() else {
+        return;
+    };
+    let env = common::admin_env(fx);
+    let slug = common::unique_slug("apps-ls");
+
+    common::pic_as(&env)
+        .args(["apps", "create", &slug])
+        .assert()
+        .success();
+    let _guard = AppGuard::new(&env.url, &env.token, &slug);
+
+    let out = common::pic_as(&env)
+        .args(["apps", "ls"])
+        .output()
+        .expect("apps ls");
+    assert!(out.status.success(), "apps ls failed: {out:?}");
+    let stdout = String::from_utf8(out.stdout).expect("utf8 stdout");
+    let mut lines = stdout.lines();
+    let header = lines.next().expect("header row");
+    assert_eq!(
+        common::cells(header),
+        vec!["slug", "name", "my_role", "created_at"]
+    );
+
+    // The slug must appear in some data row and its row's my_role column
+    // is dashed (the ls endpoint doesn't compute it per-app).
+    let row = lines
+        .map(common::cells)
+        .find(|c| c.first().copied() == Some(slug.as_str()))
+        .unwrap_or_else(|| panic!("slug {slug} not in apps ls output: {stdout}"));
+    assert_eq!(row.len(), 4, "row should have 4 cells: {row:?}");
+    assert_eq!(row[2], "-", "my_role column should be dashed: {row:?}");
+}
+
+#[ignore = "needs DATABASE_URL pointing at a running Postgres"]
+#[test]
+fn delete_removes_app_from_ls() {
+    let Some(fx) = common::fixture_or_skip() else {
+        return;
+    };
+    let env = common::admin_env(fx);
+    let slug = common::unique_slug("apps-del");
+
+    common::pic_as(&env)
+        .args(["apps", "create", &slug])
+        .assert()
+        .success();
+
+    common::pic_as(&env)
+        .args(["apps", "delete", &slug])
+        .assert()
+        .success()
+        .stdout(predicate::str::contains(format!("Deleted app {slug}")));
+
+    let out = common::pic_as(&env)
+        .args(["apps", "ls"])
+        .output()
+        .expect("apps ls");
+    assert!(out.status.success());
+    let stdout = String::from_utf8(out.stdout).unwrap();
+    assert!(
+        !stdout.lines().any(|l| l.starts_with(&slug)),
+        "deleted slug should not appear in ls: {stdout}"
+    );
+}
+
+#[ignore = "needs DATABASE_URL pointing at a running Postgres"]
+#[test]
+fn delete_with_scripts_errors_without_force() {
+    let Some(fx) = common::fixture_or_skip() else {
+        return;
+    };
+    let env = common::admin_env(fx);
+    let slug = common::unique_slug("apps-del-busy");
+    common::pic_as(&env)
+        .args(["apps", "create", &slug])
+        .assert()
+        .success();
+    // AppGuard is the safety net: if the no-force delete fails (as
+    // expected) the app stays around; AppGuard force-deletes on drop.
+    let _guard = AppGuard::new(&env.url, &env.token, &slug);
+
+    let fixture = common::fixture_path("hello.rhai");
+    common::pic_as(&env)
+        .args([
+            "scripts",
+            "deploy",
+            fixture.to_str().unwrap(),
+            "--app",
+            &slug,
+        ])
+        .assert()
+        .success();
+
+    common::pic_as(&env)
+        .args(["apps", "delete", &slug])
+        .assert()
+        .failure()
+        // Server `HasScripts` → 409 with a "scripts present" message.
+        .stderr(predicate::str::contains("HTTP 409"));
+}
+
+#[ignore = "needs DATABASE_URL pointing at a running Postgres"]
+#[test]
+fn delete_with_scripts_succeeds_with_force() {
+    let Some(fx) = common::fixture_or_skip() else {
+        return;
+    };
+    let env = common::admin_env(fx);
+    let slug = common::unique_slug("apps-del-force");
+    common::pic_as(&env)
+        .args(["apps", "create", &slug])
+        .assert()
+        .success();
+
+    let fixture = common::fixture_path("hello.rhai");
+    common::pic_as(&env)
+        .args([
+            "scripts",
+            "deploy",
+            fixture.to_str().unwrap(),
+            "--app",
+            &slug,
+        ])
+        .assert()
+        .success();
+
+    common::pic_as(&env)
+        .args(["apps", "delete", &slug, "--force"])
+        .assert()
+        .success()
+        .stdout(predicate::str::contains(format!("Deleted app {slug}")));
+}
+
+#[ignore = "needs DATABASE_URL pointing at a running Postgres"]
+#[test]
+fn show_prints_my_role_for_member() {
+    let Some(fx) = common::fixture_or_skip() else {
+        return;
+    };
+    let admin_env = common::admin_env(fx);
+    let slug = common::unique_slug("apps-show");
+    common::pic_as(&admin_env)
+        .args(["apps", "create", &slug])
+        .assert()
+        .success();
+    let _g = AppGuard::new(&admin_env.url, &admin_env.token, &slug);
+
+    let m = member::member_user(fx, &common::unique_username("show"));
+    member::grant_membership(fx, &slug, &m.id, "viewer");
+
+    let member_env = common::custom_env(&fx.url, &m.token);
+    common::seed_credentials(&member_env, &m.username);
+
+    let out = common::pic_as(&member_env)
+        .args(["apps", "show", &slug])
+        .output()
+        .expect("apps show");
+    assert!(out.status.success(), "apps show failed: {out:?}");
+    let stdout = String::from_utf8(out.stdout).unwrap();
+    // KvBlock output: `my_role` row carries the wire form (`viewer`).
+    assert!(
+        stdout
+            .lines()
+            .any(|l| l.starts_with("my_role") && l.trim_end().ends_with("viewer")),
+        "show should surface my_role=viewer, got: {stdout}"
+    );
+    assert!(
+        stdout.lines().any(|l| l.starts_with("slug")),
+        "show should include slug row: {stdout}"
+    );
+}

crates/picloud-cli/tests/auth.rs

@@ -0,0 +1,288 @@
+//! Login + whoami journeys beyond the happy path: bad tokens, missing
+//! credentials file, stale on-disk creds, and the role-label rendered
+//! by `pic login`.
+
+use predicates::prelude::*;
+
+use crate::common;
+
+#[ignore = "needs DATABASE_URL pointing at a running Postgres"]
+#[test]
+fn login_persists_credentials_with_correct_perms() {
+    let Some(fx) = common::fixture_or_skip() else {
+        return;
+    };
+    let env = common::admin_env(fx);
+
+    common::pic_as(&env).args(["login"]).assert().success();
+
+    let creds_path = env.config_dir.path().join("credentials");
+    let body = std::fs::read_to_string(&creds_path).expect("credentials file");
+    assert!(
+        body.contains(&format!("url = \"{}\"", env.url)),
+        "creds missing url line: {body}",
+    );
+    assert!(
+        body.contains(&format!("token = \"{}\"", env.token)),
+        "creds missing token line: {body}",
+    );
+    assert!(
+        body.contains(&format!("username = \"{}\"", fx.admin_username)),
+        "creds missing username line: {body}",
+    );
+
+    #[cfg(unix)]
+    {
+        use std::os::unix::fs::PermissionsExt;
+        let mode = std::fs::metadata(&creds_path).unwrap().permissions().mode() & 0o777;
+        assert_eq!(mode, 0o600, "credentials file must be 0600, got {mode:o}");
+    }
+}
+
+#[ignore = "needs DATABASE_URL pointing at a running Postgres"]
+#[test]
+fn login_rejects_bad_token() {
+    let Some(fx) = common::fixture_or_skip() else {
+        return;
+    };
+    let env = common::custom_env(&fx.url, "pic_garbage_token");
+
+    common::pic_as(&env)
+        .args(["login"])
+        .assert()
+        .failure()
+        .stderr(predicate::str::contains("401").or(predicate::str::contains("token rejected")));
+
+    let creds_path = env.config_dir.path().join("credentials");
+    assert!(
+        !creds_path.exists(),
+        "failed login must not persist credentials"
+    );
+}
+
+#[ignore = "needs DATABASE_URL pointing at a running Postgres"]
+#[test]
+fn whoami_without_credentials_errors() {
+    let Some(_fx) = common::fixture_or_skip() else {
+        return;
+    };
+    // Build a TestEnv directly so the config dir stays empty —
+    // `admin_env` would seed a credentials file, masking the bug
+    // this test is supposed to catch.
+    let env = common::TestEnv {
+        url: String::new(),
+        token: String::new(),
+        config_dir: tempfile::TempDir::new().unwrap(),
+        home: tempfile::TempDir::new().unwrap(),
+    };
+
+    common::pic_no_env(&env)
+        .args(["whoami"])
+        .assert()
+        .failure()
+        .stderr(predicate::str::contains("pic login"));
+}
+
+#[ignore = "needs DATABASE_URL pointing at a running Postgres"]
+#[test]
+fn whoami_with_stale_token_errors() {
+    let Some(fx) = common::fixture_or_skip() else {
+        return;
+    };
+    let env = common::admin_env(fx);
+
+    let body = format!(
+        "url = \"{}\"\ntoken = \"pic_stale_token\"\nusername = \"ghost\"\n",
+        env.url
+    );
+    std::fs::write(env.config_dir.path().join("credentials"), body).unwrap();
+
+    common::pic_no_env(&env)
+        .args(["whoami"])
+        .assert()
+        .failure()
+        .stderr(predicate::str::contains("401").or(predicate::str::contains("token rejected")));
+}
+
+#[ignore = "needs DATABASE_URL pointing at a running Postgres"]
+#[test]
+fn login_prints_member_role_label() {
+    let Some(fx) = common::fixture_or_skip() else {
+        return;
+    };
+    let username = common::unique_username("auth");
+    let m = common::member::member_user(fx, &username);
+    let env = common::custom_env(&fx.url, &m.token);
+
+    common::pic_as(&env)
+        .args(["login"])
+        .assert()
+        .success()
+        .stdout(predicate::str::contains(format!(
+            "Logged in as {} (member)",
+            m.username
+        )));
+}
+
+/// Drive the real username+password flow end-to-end. `pic_no_env`
+/// strips `PICLOUD_TOKEN` so login can't short-circuit through the
+/// bearer path; stdin feeds `username\npassword\n` (the URL is supplied
+/// via `--url` to avoid the third prompt).
+#[ignore = "needs DATABASE_URL pointing at a running Postgres"]
+#[test]
+fn login_with_username_and_password_persists() {
+    let Some(fx) = common::fixture_or_skip() else {
+        return;
+    };
+    let username = common::unique_username("lpw");
+    let m = common::member::member_user(fx, &username);
+    let env = common::custom_env(&fx.url, ""); // empty token — file gets written by login
+
+    let stdin_payload = format!("{}\n{}\n", m.username, common::member::MEMBER_PASSWORD);
+    common::pic_no_env(&env)
+        .args(["login", "--url", &fx.url])
+        .write_stdin(stdin_payload)
+        .assert()
+        .success()
+        .stdout(predicate::str::contains(format!(
+            "Logged in as {} (member)",
+            m.username
+        )));
+
+    let creds_path = env.config_dir.path().join("credentials");
+    let body = std::fs::read_to_string(&creds_path).expect("credentials file");
+    assert!(
+        body.contains(&format!("username = \"{}\"", m.username)),
+        "creds should carry the canonical username: {body}",
+    );
+    // The token persisted must be a real session token, not whatever
+    // the user typed — a regression where we accidentally saved the
+    // password as the token would fail this check.
+    assert!(
+        !body.contains(common::member::MEMBER_PASSWORD),
+        "password leaked into credentials file: {body}",
+    );
+}
+
+#[ignore = "needs DATABASE_URL pointing at a running Postgres"]
+#[test]
+fn login_with_wrong_password_errors() {
+    let Some(fx) = common::fixture_or_skip() else {
+        return;
+    };
+    let username = common::unique_username("lpwbad");
+    let m = common::member::member_user(fx, &username);
+    let env = common::custom_env(&fx.url, "");
+
+    let stdin_payload = format!("{}\nwrong-password\n", m.username);
+    common::pic_no_env(&env)
+        .args(["login", "--url", &fx.url])
+        .write_stdin(stdin_payload)
+        .assert()
+        .failure()
+        .stderr(predicate::str::contains("HTTP 401"));
+
+    let creds_path = env.config_dir.path().join("credentials");
+    assert!(
+        !creds_path.exists(),
+        "failed login must not persist credentials"
+    );
+}
+
+#[ignore = "needs DATABASE_URL pointing at a running Postgres"]
+#[test]
+fn logout_clears_local_credentials() {
+    let Some(fx) = common::fixture_or_skip() else {
+        return;
+    };
+    // Use a member's token so we don't yank the admin session out from
+    // under parallel tests. The local-file cleanup is the same.
+    let username = common::unique_username("lout");
+    let m = common::member::member_user(fx, &username);
+    let env = common::custom_env(&fx.url, &m.token);
+    common::seed_credentials(&env, &m.username);
+
+    let creds_path = env.config_dir.path().join("credentials");
+    assert!(creds_path.exists(), "precondition: creds file seeded");
+
+    common::pic_no_env(&env)
+        .args(["logout"])
+        .assert()
+        .success()
+        .stdout(predicate::str::contains("Logged out"));
+    assert!(
+        !creds_path.exists(),
+        "credentials file should be removed after logout"
+    );
+}
+
+/// `pic logout` is meant to be idempotent: running it with no
+/// credentials file present is not an error.
+#[ignore = "needs DATABASE_URL pointing at a running Postgres"]
+#[test]
+fn logout_is_idempotent_when_already_logged_out() {
+    let Some(_fx) = common::fixture_or_skip() else {
+        return;
+    };
+    let env = common::TestEnv {
+        url: String::new(),
+        token: String::new(),
+        config_dir: tempfile::TempDir::new().unwrap(),
+        home: tempfile::TempDir::new().unwrap(),
+    };
+    common::pic_no_env(&env)
+        .args(["logout"])
+        .assert()
+        .success()
+        .stdout(predicate::str::contains("Logged out"));
+}
+
+/// Server-side session invalidation: after `pic logout`, a subsequent
+/// `pic whoami` driven by the same (now-stale) token must 401.
+#[ignore = "needs DATABASE_URL pointing at a running Postgres"]
+#[test]
+fn logout_invalidates_server_session() {
+    let Some(fx) = common::fixture_or_skip() else {
+        return;
+    };
+    let username = common::unique_username("lout2");
+    let m = common::member::member_user(fx, &username);
+    let env = common::custom_env(&fx.url, &m.token);
+    common::seed_credentials(&env, &m.username);
+
+    common::pic_no_env(&env).args(["logout"]).assert().success();
+
+    // Replay the member's old token explicitly — pic_no_env reads the
+    // (now-deleted) file, so we go back to env-driven mode with the
+    // stale bearer.
+    let stale = common::custom_env(&fx.url, &m.token);
+    common::pic_as(&stale)
+        .args(["whoami"])
+        .assert()
+        .failure()
+        .stderr(predicate::str::contains("HTTP 401"));
+}
+
+/// Env vars must override the on-disk credentials file globally. Write
+/// garbage into the file, set env to the real admin creds, and prove
+/// every read-side command (here `whoami`) goes via env.
+#[ignore = "needs DATABASE_URL pointing at a running Postgres"]
+#[test]
+fn env_vars_override_credentials_file() {
+    let Some(fx) = common::fixture_or_skip() else {
+        return;
+    };
+    let env = common::custom_env(&fx.url, &fx.admin_token);
+    // Garbage in the file: would 401 if used.
+    let body = format!(
+        "url = \"{}\"\ntoken = \"pic_stale_garbage_token\"\nusername = \"ghost\"\n",
+        env.url
+    );
+    std::fs::write(env.config_dir.path().join("credentials"), body).unwrap();
+
+    common::pic_as(&env)
+        .args(["whoami"])
+        .assert()
+        .success()
+        .stdout(predicate::str::contains(fx.admin_username.as_str()));
+}

crates/picloud-cli/tests/cli.rs

@@ -0,0 +1,23 @@
+//! Integration-test binary for the `pic` CLI.
+//!
+//! Every `#[test]` in this binary routes through `common::fixture()`, a
+//! `LazyLock` that spawns picloud once on a private port and reuses it
+//! across all journey modules. Mirrors the dashboard Playwright suite,
+//! which spins backend + Vite up once for 63 specs.
+//!
+//! Gated on `DATABASE_URL`. To run:
+//!
+//!   docker compose up -d postgres
+//!   DATABASE_URL=postgres://picloud:picloud@127.0.0.1:15432/picloud \
+//!     cargo test -p picloud-cli --test cli -- --include-ignored
+
+mod common;
+
+mod api_keys;
+mod apps;
+mod auth;
+mod invoke;
+mod logs;
+mod output;
+mod roles;
+mod scripts;

crates/picloud-cli/tests/common/cleanup.rs

@@ -0,0 +1,61 @@
+//! RAII guards that delete server-side resources on `Drop`.
+//!
+//! Each guard owns the minimum it needs to issue a single DELETE: the
+//! base URL, an admin bearer token, and the resource identifier.
+//! Failures are swallowed because Drop runs during teardown — a panic
+//! here would just mask the real failure that the test was reporting.
+
+pub struct AppGuard {
+    url: String,
+    token: String,
+    slug: String,
+}
+
+impl AppGuard {
+    pub fn new(url: &str, token: &str, slug: &str) -> Self {
+        Self {
+            url: url.to_string(),
+            token: token.to_string(),
+            slug: slug.to_string(),
+        }
+    }
+}
+
+impl Drop for AppGuard {
+    fn drop(&mut self) {
+        let client = reqwest::blocking::Client::new();
+        let _ = client
+            .delete(format!(
+                "{}/api/v1/admin/apps/{}?force=true",
+                self.url, self.slug
+            ))
+            .bearer_auth(&self.token)
+            .send();
+    }
+}
+
+pub struct UserGuard {
+    url: String,
+    token: String,
+    user_id: String,
+}
+
+impl UserGuard {
+    pub fn new(url: &str, token: &str, user_id: &str) -> Self {
+        Self {
+            url: url.to_string(),
+            token: token.to_string(),
+            user_id: user_id.to_string(),
+        }
+    }
+}
+
+impl Drop for UserGuard {
+    fn drop(&mut self) {
+        let client = reqwest::blocking::Client::new();
+        let _ = client
+            .delete(format!("{}/api/v1/admin/admins/{}", self.url, self.user_id))
+            .bearer_auth(&self.token)
+            .send();
+    }
+}

crates/picloud-cli/tests/common/member.rs

@@ -0,0 +1,99 @@
+//! Helpers for non-admin (`instance_role: Member`) user lifecycle plus
+//! direct API calls for granting / updating app memberships.
+//!
+//! These talk to the manager HTTP surface directly instead of going
+//! through the CLI, so role-gated tests can stage state without
+//! requiring `pic` to grow new commands.
+
+use serde_json::{json, Value};
+
+use super::cleanup::UserGuard;
+use super::Fixture;
+
+pub const MEMBER_PASSWORD: &str = "pic-cli-test-pw-12345678";
+
+pub struct MemberUser {
+    pub id: String,
+    pub username: String,
+    pub token: String,
+    pub _guard: UserGuard,
+}
+
+/// Mint a fresh `instance_role: Member` user, log them in for a bearer
+/// token, and register a `UserGuard` for teardown.
+pub fn member_user(fx: &Fixture, username: &str) -> MemberUser {
+    let client = reqwest::blocking::Client::new();
+
+    let create = client
+        .post(format!("{}/api/v1/admin/admins", fx.url))
+        .bearer_auth(&fx.admin_token)
+        .json(&json!({
+            "username": username,
+            "password": MEMBER_PASSWORD,
+            // InstanceRole / AppRole serialize via `rename_all =
+            // "snake_case"` — wire forms are always lowercase.
+            "instance_role": "member",
+        }))
+        .send()
+        .expect("create member user");
+    assert!(
+        create.status().is_success(),
+        "create member user failed: {} {}",
+        create.status(),
+        create.text().unwrap_or_default(),
+    );
+    let body: Value = create.json().expect("admin create json");
+    let id = body["id"]
+        .as_str()
+        .expect("admin create returns id")
+        .to_string();
+
+    // Register cleanup before we attempt anything else that could fail.
+    let guard = UserGuard::new(&fx.url, &fx.admin_token, &id);
+
+    let token = super::server::login_for_bearer_token(&fx.url, username, MEMBER_PASSWORD);
+
+    MemberUser {
+        id,
+        username: username.to_string(),
+        token,
+        _guard: guard,
+    }
+}
+
+/// `POST /api/v1/admin/apps/{slug}/members` — grant `role` to `user_id`.
+pub fn grant_membership(fx: &Fixture, app_slug: &str, user_id: &str, role: &str) {
+    let client = reqwest::blocking::Client::new();
+    let resp = client
+        .post(format!("{}/api/v1/admin/apps/{}/members", fx.url, app_slug))
+        .bearer_auth(&fx.admin_token)
+        .json(&json!({ "user_id": user_id, "role": role }))
+        .send()
+        .expect("grant membership");
+    assert!(
+        resp.status().is_success(),
+        "grant membership failed: {} {}",
+        resp.status(),
+        resp.text().unwrap_or_default(),
+    );
+}
+
+/// `PATCH /api/v1/admin/apps/{slug}/members/{user_id}` — promote/demote.
+pub fn update_membership(fx: &Fixture, app_slug: &str, user_id: &str, role: &str) {
+    let client = reqwest::blocking::Client::new();
+    let resp = client
+        .patch(format!(
+            "{}/api/v1/admin/apps/{}/members/{}",
+            fx.url, app_slug, user_id
+        ))
+        .bearer_auth(&fx.admin_token)
+        .json(&json!({ "role": role }))
+        .send()
+        .expect("update membership");
+    assert!(
+        resp.status().is_success(),
+        "update membership failed: {} {}",
+        resp.status(),
+        resp.text().unwrap_or_default(),
+    );
+}

crates/picloud-cli/tests/common/mod.rs

@@ -0,0 +1,314 @@
+//! Shared fixture and helpers for the CLI integration test binary.
+//!
+//! All tests in `tests/cli.rs` route through `fixture()`, a `LazyLock`
+//! that spawns picloud on a private port the first time it's touched
+//! and reuses that subprocess for every subsequent test. The dashboard
+//! Playwright suite pays the same cost once for 63 tests; we do the
+//! same here.
+
+#![allow(dead_code)] // shared helpers — not every module uses every fn.
+
+pub mod cleanup;
+pub mod member;
+pub mod server;
+
+use std::path::PathBuf;
+use std::process::Child;
+use std::sync::atomic::{AtomicU64, Ordering};
+use std::sync::{LazyLock, Mutex, OnceLock};
+use std::time::{Duration, SystemTime, UNIX_EPOCH};
+
+use assert_cmd::Command as AssertCommand;
+use tempfile::TempDir;
+
+// --------------------------------------------------------------------
+// Fixture
+// --------------------------------------------------------------------
+
+pub struct Fixture {
+    pub url: String,
+    pub admin_token: String,
+    pub admin_username: String,
+    // Held in a Mutex so Drop can kill it without UB; we never re-enter.
+    child: Mutex<Option<Child>>,
+}
+
+impl Drop for Fixture {
+    fn drop(&mut self) {
+        if let Ok(mut guard) = self.child.lock() {
+            if let Some(mut child) = guard.take() {
+                server::kill_subprocess(&mut child);
+            }
+        }
+    }
+}
+
+static FIXTURE: LazyLock<Fixture> = LazyLock::new(init_fixture);
+
+fn init_fixture() -> Fixture {
+    let database_url =
+        std::env::var("DATABASE_URL").expect("DATABASE_URL is required to spawn picloud");
+    let username = admin_username();
+    let password = admin_password();
+    let port = server::pick_free_port();
+    let url = format!("http://127.0.0.1:{port}");
+    let mut child = server::spawn_picloud(&database_url, port, &username, &password);
+    if let Err(e) = server::wait_for_health(&url, Duration::from_secs(60)) {
+        server::kill_subprocess(&mut child);
+        panic!("picloud failed to become healthy: {e}");
+    }
+    let token = server::login_for_bearer_token(&url, &username, &password);
+    Fixture {
+        url,
+        admin_token: token,
+        admin_username: username,
+        child: Mutex::new(Some(child)),
+    }
+}
+
+/// Returns the shared fixture, spawning the picloud subprocess on first
+/// call. Returns `None` (and prints a skip message) when `DATABASE_URL`
+/// is absent — matching the existing convention so the suite is a
+/// no-op outside the integration environment.
+pub fn fixture_or_skip() -> Option<&'static Fixture> {
+    if std::env::var("DATABASE_URL").is_err() {
+        eprintln!("skipping: DATABASE_URL not set");
+        return None;
+    }
+    Some(&FIXTURE)
+}
+
+// --------------------------------------------------------------------
+// Per-test env
+// --------------------------------------------------------------------
+
+pub struct TestEnv {
+    pub url: String,
+    pub token: String,
+    pub config_dir: TempDir,
+    pub home: TempDir,
+}
+
+/// Per-test env pre-loaded with the admin token, and a credentials
+/// file already on disk so non-login commands ("pic apps create", …)
+/// can run without first calling `pic login`. As of the env-var
+/// consistency fix, `PICLOUD_URL`/`PICLOUD_TOKEN` (set by `pic_as`)
+/// also work for *every* command, not just `login` — `config::resolve`
+/// reads them first and falls back to the on-disk file.
+pub fn admin_env(fx: &Fixture) -> TestEnv {
+    let env = TestEnv {
+        url: fx.url.clone(),
+        token: fx.admin_token.clone(),
+        config_dir: TempDir::new().expect("config tempdir"),
+        home: TempDir::new().expect("home tempdir"),
+    };
+    seed_credentials(&env, &fx.admin_username);
+    env
+}
+
+/// Per-test env pre-loaded with a specific (URL, token) pair. Used by
+/// tests that want a non-admin token, a bogus token, or an unreachable
+/// URL. Does **not** seed a credentials file — call `seed_credentials`
+/// explicitly when the test needs to run non-login commands.
+pub fn custom_env(url: &str, token: &str) -> TestEnv {
+    TestEnv {
+        url: url.to_string(),
+        token: token.to_string(),
+        config_dir: TempDir::new().expect("config tempdir"),
+        home: TempDir::new().expect("home tempdir"),
+    }
+}
+
+/// Write a valid credentials TOML into `env.config_dir` so subsequent
+/// `pic_as(&env)` invocations can issue non-login subcommands. Mirrors
+/// the file shape `pic login` produces (url/token/username). Tests that
+/// exercise the "no credentials" / "stale token" error paths construct
+/// `TestEnv` directly to keep the config dir empty.
+pub fn seed_credentials(env: &TestEnv, username: &str) {
+    let body = format!(
+        "url = \"{}\"\ntoken = \"{}\"\nusername = \"{}\"\n",
+        env.url, env.token, username,
+    );
+    std::fs::write(env.config_dir.path().join("credentials"), body).expect("seed credentials file");
+}
+
+/// `pic` invocation with the env wired up — credentials dir, HOME, and
+/// the `PICLOUD_URL`/`PICLOUD_TOKEN` shortcut env vars.
+pub fn pic_as(env: &TestEnv) -> AssertCommand {
+    let mut cmd = AssertCommand::cargo_bin("pic").expect("pic binary");
+    cmd.env("PICLOUD_URL", &env.url)
+        .env("PICLOUD_TOKEN", &env.token)
+        .env("PICLOUD_CONFIG_DIR", env.config_dir.path())
+        .env("HOME", env.home.path());
+    cmd
+}
+
+/// `pic` invocation with `PICLOUD_URL`/`PICLOUD_TOKEN` *cleared*, so the
+/// command sees only the on-disk credentials file (or lack thereof).
+pub fn pic_no_env(env: &TestEnv) -> AssertCommand {
+    let mut cmd = AssertCommand::cargo_bin("pic").expect("pic binary");
+    cmd.env_remove("PICLOUD_URL")
+        .env_remove("PICLOUD_TOKEN")
+        .env("PICLOUD_CONFIG_DIR", env.config_dir.path())
+        .env("HOME", env.home.path());
+    cmd
+}
+
+// --------------------------------------------------------------------
+// Unique slugs / usernames
+// --------------------------------------------------------------------
+
+static UNIQUE_COUNTER: AtomicU64 = AtomicU64::new(0);
+
+pub fn unique_slug(prefix: &str) -> String {
+    let ms = SystemTime::now()
+        .duration_since(UNIX_EPOCH)
+        .unwrap()
+        .as_millis();
+    let n = UNIQUE_COUNTER.fetch_add(1, Ordering::Relaxed);
+    format!("pic-cli-{prefix}-{ms}-{n:x}")
+}
+
+pub fn unique_username(prefix: &str) -> String {
+    // Server regex: [a-z0-9._-]{2,32}. Build out of lowercase
+    // alphanumerics only; "piccli" prefix keeps collisions with other
+    // test suites obvious. Caller's `prefix` must be ≤8 chars and
+    // already match the regex.
+    let ms = SystemTime::now()
+        .duration_since(UNIX_EPOCH)
+        .unwrap()
+        .as_millis();
+    let n = UNIQUE_COUNTER.fetch_add(1, Ordering::Relaxed);
+    let name = format!("piccli{prefix}{ms:x}{n:x}");
+    assert!(name.len() <= 32, "username overflow: {name}");
+    name
+}
+
+// --------------------------------------------------------------------
+// Misc helpers
+// --------------------------------------------------------------------
+
+pub fn admin_username() -> String {
+    std::env::var("PICLOUD_CLI_E2E_USERNAME").unwrap_or_else(|_| "admin".to_string())
+}
+
+pub fn admin_password() -> String {
+    std::env::var("PICLOUD_CLI_E2E_PASSWORD").unwrap_or_else(|_| "admin".to_string())
+}
+
+pub fn fixture_path(name: &str) -> PathBuf {
+    PathBuf::from(env!("CARGO_MANIFEST_DIR"))
+        .join("tests")
+        .join("fixtures")
+        .join(name)
+}
+
+/// Create a fresh app and deploy a `tests/fixtures/<fixture_name>` into
+/// it. Returns the new script id plus the `AppGuard` that cleans the
+/// app (and its scripts via `force=true`) on Drop. Used by invoke /
+/// logs / output journeys that all need "deploy something, then drive
+/// `pic` against it".
+pub fn deploy_fixture(
+    env: &TestEnv,
+    app_label: &str,
+    fixture_name: &str,
+) -> (String, cleanup::AppGuard) {
+    let slug = unique_slug(app_label);
+    pic_as(env)
+        .args(["apps", "create", &slug])
+        .assert()
+        .success();
+    let guard = cleanup::AppGuard::new(&env.url, &env.token, &slug);
+
+    let fixture = fixture_path(fixture_name);
+    pic_as(env)
+        .args([
+            "scripts",
+            "deploy",
+            fixture.to_str().unwrap(),
+            "--app",
+            &slug,
+        ])
+        .assert()
+        .success();
+
+    let out = pic_as(env)
+        .args(["scripts", "ls", "--app", &slug])
+        .output()
+        .expect("scripts ls");
+    let id = parse_first_id(std::str::from_utf8(&out.stdout).unwrap())
+        .expect("scripts ls should produce one row");
+    (id, guard)
+}
+
+/// Split a row from `pic apps ls` / `pic scripts ls` into trimmed
+/// cells. The output writer space-pads each cell to its column's max
+/// width before the tab, so raw `split('\t')` leaves trailing spaces;
+/// this helper hides that detail from tests that only care about the
+/// logical values.
+pub fn cells(row: &str) -> Vec<&str> {
+    row.split('\t').map(str::trim).collect()
+}
+
+/// First data row's first tab-delimited cell, used to extract IDs from
+/// `pic scripts ls` output. The header is expected to start with "id".
+pub fn parse_first_id(table: &str) -> Option<String> {
+    let mut lines = table.lines().filter(|l| !l.trim().is_empty());
+    let header = lines.next()?;
+    if !header.starts_with("id") {
+        return None;
+    }
+    let row = lines.next()?;
+    let first = row.split('\t').next()?.trim();
+    if first.is_empty() {
+        None
+    } else {
+        Some(first.to_string())
+    }
+}
+
+// --------------------------------------------------------------------
+// Fixture-sharing sanity check
+// --------------------------------------------------------------------
+//
+// Two tests record `fixture().url` into the same `OnceLock` — if the
+// fixture isn't actually shared, the second test sees a different URL
+// and panics. Belt-and-suspenders: pointer identity on `&Fixture`.
+
+static OBSERVED_URL: OnceLock<String> = OnceLock::new();
+
+fn observe_fixture_url(label: &str) {
+    let Some(fx) = fixture_or_skip() else {
+        return;
+    };
+    let url = fx.url.clone();
+    match OBSERVED_URL.get() {
+        Some(prev) => assert_eq!(
+            prev, &url,
+            "{label} observed a different fixture URL: prior={prev} now={url}"
+        ),
+        None => {
+            let _ = OBSERVED_URL.set(url);
+        }
+    }
+    // Same `&'static Fixture` from every call — proves the LazyLock is
+    // sharing, not respawning.
+    let a = fixture_or_skip().unwrap();
+    let b = fixture_or_skip().unwrap();
+    assert!(
+        std::ptr::eq(a, b),
+        "fixture_or_skip should return the same &'static Fixture"
+    );
+}
+
+#[ignore = "needs DATABASE_URL pointing at a running Postgres"]
+#[test]
+fn fixture_url_is_shared_a() {
+    observe_fixture_url("fixture_url_is_shared_a");
+}
+
+#[ignore = "needs DATABASE_URL pointing at a running Postgres"]
+#[test]
+fn fixture_url_is_shared_b() {
+    observe_fixture_url("fixture_url_is_shared_b");
+}

crates/picloud-cli/tests/common/server.rs

@@ -0,0 +1,166 @@
+//! Picloud subprocess lifecycle for the CLI integration test binary.
+//!
+//! Mirrors what the original seed test did inline, lifted out so it can
+//! be shared across modules via `common::fixture()`. The Fixture lives
+//! in a `LazyLock` — and `LazyLock<T>` never drops, so we register an
+//! `atexit` handler that SIGTERMs the child when the test binary exits
+//! normally (which is the common case under `cargo test`).
+//!
+//! `PR_SET_PDEATHSIG` is intentionally *not* used: it fires when the
+//! creating thread dies, and cargo runs each `#[test]` on its own
+//! worker thread that exits as soon as the test returns — which would
+//! kill picloud after the first test that triggered the LazyLock,
+//! breaking every test after it.
+//!
+//! Abnormal exit (SIGKILL of the test binary) leaks the child; the
+//! dashboard Playwright suite accepts the same tradeoff.
+
+use std::io::{BufRead, BufReader};
+use std::path::PathBuf;
+use std::process::{Child, Command as StdCommand, Stdio};
+use std::sync::atomic::{AtomicI32, Ordering};
+use std::sync::mpsc;
+use std::thread;
+use std::time::{Duration, Instant};
+
+use serde_json::Value;
+
+pub fn pick_free_port() -> u16 {
+    let listener =
+        std::net::TcpListener::bind("127.0.0.1:0").expect("bind 127.0.0.1:0 to pick port");
+    listener.local_addr().expect("local addr").port()
+}
+
+pub fn picloud_binary_path() -> PathBuf {
+    // The integration test binary lives at
+    // `<target>/debug/deps/cli-<hash>`. Walk up two levels to reach
+    // `<target>/debug` and look for `picloud` next to ourselves.
+    let exe = std::env::current_exe().expect("current_exe");
+    let debug_dir = exe
+        .parent()
+        .and_then(|p| p.parent())
+        .expect("test binary should live under target/debug/deps");
+    debug_dir.join(if cfg!(windows) {
+        "picloud.exe"
+    } else {
+        "picloud"
+    })
+}
+
+pub fn spawn_picloud(database_url: &str, port: u16, admin_user: &str, admin_pass: &str) -> Child {
+    let binary = picloud_binary_path();
+    assert!(
+        binary.exists(),
+        "expected picloud binary at {}. Run `cargo build -p picloud` first \
+         (or use `cargo test --workspace -- --include-ignored` which builds it)",
+        binary.display()
+    );
+    let mut child = StdCommand::new(&binary)
+        .env("PICLOUD_BIND", format!("127.0.0.1:{port}"))
+        .env("DATABASE_URL", database_url)
+        .env("PICLOUD_ADMIN_USERNAME", admin_user)
+        .env("PICLOUD_ADMIN_PASSWORD", admin_pass)
+        .env("RUST_LOG", "warn")
+        .stdout(Stdio::null())
+        .stderr(Stdio::piped())
+        .spawn()
+        .expect("spawn picloud");
+
+    // Drain stderr in a side thread so the pipe buffer doesn't fill and
+    // block the server.
+    if let Some(err) = child.stderr.take().map(BufReader::new) {
+        let (tx, _rx) = mpsc::channel::<String>();
+        thread::spawn(move || {
+            for line in err.lines().map_while(Result::ok) {
+                let _ = tx.send(line);
+            }
+        });
+    }
+
+    register_atexit_killer(child.id());
+    child
+}
+
+// --------------------------------------------------------------------
+// atexit-based child cleanup
+// --------------------------------------------------------------------
+
+static PICLOUD_PID: AtomicI32 = AtomicI32::new(0);
+
+fn register_atexit_killer(pid: u32) {
+    // First spawn wins; subsequent spawns (none expected today) would
+    // overwrite, but the previous child would already be tracked via
+    // its Drop path on the Fixture.
+    PICLOUD_PID.store(pid as i32, Ordering::SeqCst);
+
+    #[cfg(unix)]
+    {
+        use std::sync::Once;
+        static REGISTERED: Once = Once::new();
+        REGISTERED.call_once(|| {
+            // SAFETY: atexit's contract is a `extern "C" fn()` callback;
+            // ours signals a child PID we own.
+            unsafe {
+                libc::atexit(kill_picloud_at_exit);
+            }
+        });
+    }
+}
+
+#[cfg(unix)]
+extern "C" fn kill_picloud_at_exit() {
+    let pid = PICLOUD_PID.swap(0, Ordering::SeqCst);
+    if pid > 0 {
+        // SAFETY: SIGTERM to a PID we recorded; if PID has been reused
+        // we're killing the wrong process — accepted risk for a test
+        // helper.
+        unsafe {
+            libc::kill(pid, libc::SIGTERM);
+        }
+    }
+}
+
+pub fn wait_for_health(url: &str, timeout: Duration) -> Result<(), String> {
+    let deadline = Instant::now() + timeout;
+    let client = reqwest::blocking::Client::builder()
+        .timeout(Duration::from_secs(2))
+        .build()
+        .map_err(|e| e.to_string())?;
+    while Instant::now() < deadline {
+        if let Ok(resp) = client.get(format!("{url}/healthz")).send() {
+            if resp.status().is_success() {
+                return Ok(());
+            }
+        }
+        thread::sleep(Duration::from_millis(250));
+    }
+    Err(format!("/healthz never returned 200 within {timeout:?}"))
+}
+
+pub fn login_for_bearer_token(url: &str, username: &str, password: &str) -> String {
+    let client = reqwest::blocking::Client::new();
+    let resp = client
+        .post(format!("{url}/api/v1/admin/auth/login"))
+        .json(&serde_json::json!({
+            "username": username,
+            "password": password,
+        }))
+        .send()
+        .expect("login request");
+    assert!(
+        resp.status().is_success(),
+        "login should succeed, got {}: {}",
+        resp.status(),
+        resp.text().unwrap_or_default()
+    );
+    let v: Value = resp.json().expect("login json");
+    v["token"]
+        .as_str()
+        .expect("login returns token")
+        .to_string()
+}
+
+pub fn kill_subprocess(child: &mut Child) {
+    let _ = child.kill();
+    let _ = child.wait();
+}

crates/picloud-cli/tests/fixtures/boom.rhai

@@ -0,0 +1,7 @@
+// Returns a structured 500. The execution is still `Success` in the
+// log because the script ran cleanly — for an `Error`-status log entry
+// use throw.rhai instead.
+#{
+    statusCode: 500,
+    body: #{ ok: false, why: "intentional" },
+}

crates/picloud-cli/tests/fixtures/echo.rhai

@@ -0,0 +1,6 @@
+// Echoes the request body and headers back so invoke tests can verify
+// that `--body` (inline / @file / @-) and `-H` flow through end-to-end.
+#{
+    body: ctx.request.body,
+    headers: ctx.request.headers,
+}

crates/picloud-cli/tests/fixtures/hello.rhai

@@ -0,0 +1,4 @@
+// Smallest possible Rhai script for the integration test: returns a JSON
+// object so the orchestrator wraps it as the HTTP response body.
+let body = #{ ok: true, greeting: "hello from pic" };
+body

crates/picloud-cli/tests/fixtures/loud.rhai

@@ -0,0 +1,5 @@
+// Logs a long line so the logs-truncation test has something to chew on.
+// `pic logs` truncates the summary cell to 120 characters; this line is
+// 240 chars after the prefix so the truncation is unambiguous.
+log::info("xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx");
+#{ ok: true }

crates/picloud-cli/tests/fixtures/throw.rhai

@@ -0,0 +1,4 @@
+// Throws a Rhai runtime error. The orchestrator records this as
+// `ExecutionStatus::Error` in the execution log (a structured 5xx
+// response is recorded as `Success`).
+throw "boom";

crates/picloud-cli/tests/invoke.rs

@@ -0,0 +1,171 @@
+//! `pic scripts invoke` — body sources (inline, `@file`, `@-`), header
+//! propagation, exit-code semantics for non-2xx responses, and 404
+//! handling for unknown ids.
+
+use predicates::prelude::*;
+use serde_json::Value;
+
+use crate::common;
+
+#[ignore = "needs DATABASE_URL pointing at a running Postgres"]
+#[test]
+fn invoke_with_inline_json_body_echoes() {
+    let Some(fx) = common::fixture_or_skip() else {
+        return;
+    };
+    let env = common::admin_env(fx);
+    let (id, _guard) = common::deploy_fixture(&env, "invoke-inline", "echo.rhai");
+
+    let out = common::pic_as(&env)
+        .args(["scripts", "invoke", &id, "--body", r#"{"x":1}"#])
+        .output()
+        .expect("invoke");
+    assert!(out.status.success(), "invoke failed: {out:?}");
+    let parsed: Value = serde_json::from_slice(&out.stdout).expect("stdout JSON");
+    assert_eq!(parsed["body"]["x"], 1, "echoed body: {parsed}");
+}
+
+#[ignore = "needs DATABASE_URL pointing at a running Postgres"]
+#[test]
+fn invoke_with_file_body() {
+    let Some(fx) = common::fixture_or_skip() else {
+        return;
+    };
+    let env = common::admin_env(fx);
+    let (id, _guard) = common::deploy_fixture(&env, "invoke-file", "echo.rhai");
+
+    let tmp = tempfile::NamedTempFile::new().expect("tempfile");
+    std::fs::write(tmp.path(), r#"{"src":"file"}"#).unwrap();
+    let body_arg = format!("@{}", tmp.path().display());
+
+    let out = common::pic_as(&env)
+        .args(["scripts", "invoke", &id, "--body", &body_arg])
+        .output()
+        .expect("invoke");
+    assert!(out.status.success(), "invoke failed: {out:?}");
+    let parsed: Value = serde_json::from_slice(&out.stdout).expect("stdout JSON");
+    assert_eq!(parsed["body"]["src"], "file", "echoed body: {parsed}");
+}
+
+#[ignore = "needs DATABASE_URL pointing at a running Postgres"]
+#[test]
+fn invoke_with_stdin_body() {
+    let Some(fx) = common::fixture_or_skip() else {
+        return;
+    };
+    let env = common::admin_env(fx);
+    let (id, _guard) = common::deploy_fixture(&env, "invoke-stdin", "echo.rhai");
+
+    let assert = common::pic_as(&env)
+        .args(["scripts", "invoke", &id, "--body", "@-"])
+        .write_stdin(r#"{"src":"stdin"}"#)
+        .assert()
+        .success();
+    let out = assert.get_output();
+    let parsed: Value = serde_json::from_slice(&out.stdout).expect("stdout JSON");
+    assert_eq!(parsed["body"]["src"], "stdin", "echoed body: {parsed}");
+}
+
+#[ignore = "needs DATABASE_URL pointing at a running Postgres"]
+#[test]
+fn invoke_propagates_headers() {
+    let Some(fx) = common::fixture_or_skip() else {
+        return;
+    };
+    let env = common::admin_env(fx);
+    let (id, _guard) = common::deploy_fixture(&env, "invoke-hdr", "echo.rhai");
+
+    let out = common::pic_as(&env)
+        .args([
+            "scripts",
+            "invoke",
+            &id,
+            "-H",
+            "X-Foo: bar",
+            "-H",
+            "X-Baz=qux",
+        ])
+        .output()
+        .expect("invoke");
+    assert!(out.status.success(), "invoke failed: {out:?}");
+    let parsed: Value = serde_json::from_slice(&out.stdout).expect("stdout JSON");
+    // HTTP normalises header names to lowercase.
+    assert_eq!(parsed["headers"]["x-foo"], "bar", "echoed: {parsed}");
+    assert_eq!(parsed["headers"]["x-baz"], "qux", "echoed: {parsed}");
+}
+
+#[ignore = "needs DATABASE_URL pointing at a running Postgres"]
+#[test]
+fn invoke_unknown_script_id_errors() {
+    let Some(fx) = common::fixture_or_skip() else {
+        return;
+    };
+    let env = common::admin_env(fx);
+
+    // Any well-formed UUID that doesn't exist server-side. The
+    // orchestrator's `/execute/{id}` handler returns 404 specifically
+    // for unknown ids — tighten the predicate so a regressed 401
+    // wouldn't sneak through.
+    let bogus = "00000000-0000-0000-0000-000000000000";
+    common::pic_as(&env)
+        .args(["scripts", "invoke", bogus])
+        .assert()
+        .failure()
+        .stderr(predicate::str::contains("HTTP 404"));
+}
+
+/// `pic invoke <id>` (top-level alias) and `pic scripts invoke <id>`
+/// must hit the same handler and produce identical-shape stdout.
+#[ignore = "needs DATABASE_URL pointing at a running Postgres"]
+#[test]
+fn top_level_invoke_alias_works() {
+    let Some(fx) = common::fixture_or_skip() else {
+        return;
+    };
+    let env = common::admin_env(fx);
+    let (id, _guard) = common::deploy_fixture(&env, "inv-alias", "hello.rhai");
+
+    let nested = common::pic_as(&env)
+        .args(["scripts", "invoke", &id])
+        .output()
+        .expect("scripts invoke");
+    assert!(nested.status.success());
+    let nested_body: Value = serde_json::from_slice(&nested.stdout).unwrap();
+
+    let aliased = common::pic_as(&env)
+        .args(["invoke", &id])
+        .output()
+        .expect("invoke (top-level)");
+    assert!(aliased.status.success());
+    let aliased_body: Value = serde_json::from_slice(&aliased.stdout).unwrap();
+
+    assert_eq!(
+        nested_body, aliased_body,
+        "top-level alias should produce identical body to scripts invoke"
+    );
+}
+
+#[ignore = "needs DATABASE_URL pointing at a running Postgres"]
+#[test]
+fn invoke_non_2xx_exits_nonzero_but_prints_body() {
+    let Some(fx) = common::fixture_or_skip() else {
+        return;
+    };
+    let env = common::admin_env(fx);
+    let (id, _guard) = common::deploy_fixture(&env, "invoke-500", "boom.rhai");
+
+    let out = common::pic_as(&env)
+        .args(["scripts", "invoke", &id])
+        .output()
+        .expect("invoke");
+    assert!(!out.status.success(), "expected non-zero exit: {out:?}");
+    let stderr = String::from_utf8_lossy(&out.stderr);
+    assert!(
+        stderr.contains("<- HTTP 500"),
+        "stderr should report HTTP 500: {stderr}"
+    );
+    let parsed: Value = serde_json::from_slice(&out.stdout)
+        .unwrap_or_else(|e| panic!("stdout was not JSON ({e}): {:?}", out.stdout));
+    assert_eq!(parsed["ok"], false, "boom body: {parsed}");
+    assert_eq!(parsed["why"], "intentional", "boom body: {parsed}");
+}

crates/picloud-cli/tests/logs.rs

@@ -0,0 +1,179 @@
+//! `pic logs <script-id>` — emptiness, status labels, `--limit`
+//! clamping, error path for unknown ids, and the 120-char truncate
+//! applied to the summary column.
+
+use predicates::prelude::*;
+
+use crate::common;
+
+/// Pick out the data rows from `pic logs` TSV output — the header line
+/// (`created_at\tstatus\tsummary`) is now always present, so the old
+/// "no non-empty lines means no logs" check needs to skip it.
+fn data_rows(stdout: &str) -> Vec<&str> {
+    stdout
+        .lines()
+        .filter(|l| !l.trim().is_empty())
+        .filter(|l| !l.starts_with("created_at"))
+        .collect()
+}
+
+#[ignore = "needs DATABASE_URL pointing at a running Postgres"]
+#[test]
+fn logs_for_fresh_script_is_empty() {
+    let Some(fx) = common::fixture_or_skip() else {
+        return;
+    };
+    let env = common::admin_env(fx);
+    let (id, _guard) = common::deploy_fixture(&env, "logs-empty", "hello.rhai");
+
+    let out = common::pic_as(&env)
+        .args(["logs", &id])
+        .output()
+        .expect("logs");
+    assert!(out.status.success(), "logs failed: {out:?}");
+    let stdout = String::from_utf8(out.stdout).unwrap();
+    assert!(
+        data_rows(&stdout).is_empty(),
+        "expected no log rows (header is allowed), got: {stdout}"
+    );
+}
+
+#[ignore = "needs DATABASE_URL pointing at a running Postgres"]
+#[test]
+fn logs_after_invoke_records_success_row() {
+    let Some(fx) = common::fixture_or_skip() else {
+        return;
+    };
+    let env = common::admin_env(fx);
+    let (id, _guard) = common::deploy_fixture(&env, "logs-ok", "hello.rhai");
+
+    common::pic_as(&env)
+        .args(["scripts", "invoke", &id])
+        .assert()
+        .success();
+
+    let out = common::pic_as(&env)
+        .args(["logs", &id])
+        .output()
+        .expect("logs");
+    assert!(out.status.success(), "logs failed: {out:?}");
+    let stdout = String::from_utf8(out.stdout).unwrap();
+    let rows = data_rows(&stdout);
+    assert_eq!(rows.len(), 1, "expected 1 data row, got: {stdout}");
+    let cols: Vec<&str> = rows[0].split('\t').map(str::trim).collect();
+    assert_eq!(
+        cols.len(),
+        3,
+        "row should be 3 tab-delimited cells: {rows:?}"
+    );
+    assert_eq!(cols[1], "success");
+}
+
+#[ignore = "needs DATABASE_URL pointing at a running Postgres"]
+#[test]
+fn logs_records_error_for_throwing_script() {
+    let Some(fx) = common::fixture_or_skip() else {
+        return;
+    };
+    let env = common::admin_env(fx);
+    let (id, _guard) = common::deploy_fixture(&env, "logs-err", "throw.rhai");
+
+    // The invoke is expected to fail — we only care that the execution
+    // gets recorded with `Error` status.
+    let _ = common::pic_as(&env)
+        .args(["scripts", "invoke", &id])
+        .output();
+
+    let out = common::pic_as(&env)
+        .args(["logs", &id])
+        .output()
+        .expect("logs");
+    assert!(out.status.success(), "logs failed: {out:?}");
+    let stdout = String::from_utf8(out.stdout).unwrap();
+    let row = data_rows(&stdout)
+        .into_iter()
+        .next()
+        .expect("at least one data row");
+    let cols: Vec<&str> = row.split('\t').map(str::trim).collect();
+    assert_eq!(cols[1], "error", "expected error status, got row: {row}");
+}
+
+#[ignore = "needs DATABASE_URL pointing at a running Postgres"]
+#[test]
+fn logs_respects_limit_flag() {
+    let Some(fx) = common::fixture_or_skip() else {
+        return;
+    };
+    let env = common::admin_env(fx);
+    let (id, _guard) = common::deploy_fixture(&env, "logs-limit", "hello.rhai");
+
+    for _ in 0..3 {
+        common::pic_as(&env)
+            .args(["scripts", "invoke", &id])
+            .assert()
+            .success();
+    }
+
+    let out = common::pic_as(&env)
+        .args(["logs", &id, "--limit", "1"])
+        .output()
+        .expect("logs");
+    assert!(out.status.success(), "logs failed: {out:?}");
+    let stdout = String::from_utf8(out.stdout).unwrap();
+    let rows = data_rows(&stdout).len();
+    assert_eq!(rows, 1, "expected --limit 1, got rows: {stdout}");
+}
+
+#[ignore = "needs DATABASE_URL pointing at a running Postgres"]
+#[test]
+fn logs_for_unknown_id_errors() {
+    let Some(fx) = common::fixture_or_skip() else {
+        return;
+    };
+    let env = common::admin_env(fx);
+
+    let bogus = "00000000-0000-0000-0000-000000000000";
+    common::pic_as(&env)
+        .args(["logs", bogus])
+        .assert()
+        .failure()
+        // 404 specifically — same `NotFound(ScriptId)` path the get/edit
+        // endpoints use.
+        .stderr(predicate::str::contains("HTTP 404"));
+}
+
+#[ignore = "needs DATABASE_URL pointing at a running Postgres"]
+#[test]
+fn logs_truncates_long_summary() {
+    let Some(fx) = common::fixture_or_skip() else {
+        return;
+    };
+    let env = common::admin_env(fx);
+    let (id, _guard) = common::deploy_fixture(&env, "logs-loud", "loud.rhai");
+
+    common::pic_as(&env)
+        .args(["scripts", "invoke", &id])
+        .assert()
+        .success();
+
+    let out = common::pic_as(&env)
+        .args(["logs", &id])
+        .output()
+        .expect("logs");
+    assert!(out.status.success(), "logs failed: {out:?}");
+    let stdout = String::from_utf8(out.stdout).unwrap();
+    let row = data_rows(&stdout)
+        .into_iter()
+        .next()
+        .expect("at least one data row");
+    let summary = row.split('\t').nth(2).expect("summary column");
+    assert!(
+        summary.ends_with('…'),
+        "summary should be truncated with `…`, got: {summary}"
+    );
+    let chars = summary.chars().count();
+    assert!(
+        chars <= 121,
+        "summary should be ≤120 chars + the truncation marker, got {chars}: {summary}"
+    );
+}

crates/picloud-cli/tests/output.rs

@@ -0,0 +1,289 @@
+//! Output-shape invariants — the contracts downstream `jq`/`awk`
+//! pipelines depend on: column headers, stdout-vs-stderr separation,
+//! and RFC3339 timestamps.
+
+use serde_json::Value;
+
+use crate::common;
+use crate::common::cleanup::AppGuard;
+
+#[ignore = "needs DATABASE_URL pointing at a running Postgres"]
+#[test]
+fn apps_ls_header_columns() {
+    let Some(fx) = common::fixture_or_skip() else {
+        return;
+    };
+    let env = common::admin_env(fx);
+
+    let out = common::pic_as(&env)
+        .args(["apps", "ls"])
+        .output()
+        .expect("apps ls");
+    assert!(out.status.success());
+    let stdout = String::from_utf8(out.stdout).unwrap();
+    let header = stdout.lines().next().expect("header row");
+    assert_eq!(
+        common::cells(header),
+        vec!["slug", "name", "my_role", "created_at"]
+    );
+}
+
+#[ignore = "needs DATABASE_URL pointing at a running Postgres"]
+#[test]
+fn scripts_ls_header_columns() {
+    let Some(fx) = common::fixture_or_skip() else {
+        return;
+    };
+    let env = common::admin_env(fx);
+    let slug = common::unique_slug("out-ls");
+    common::pic_as(&env)
+        .args(["apps", "create", &slug])
+        .assert()
+        .success();
+    let _guard = AppGuard::new(&env.url, &env.token, &slug);
+
+    let out = common::pic_as(&env)
+        .args(["scripts", "ls", "--app", &slug])
+        .output()
+        .expect("scripts ls");
+    assert!(out.status.success());
+    let stdout = String::from_utf8(out.stdout).unwrap();
+    let header = stdout.lines().next().expect("header row");
+    assert_eq!(
+        common::cells(header),
+        vec!["id", "app_slug", "name", "version", "updated_at"]
+    );
+}
+
+#[ignore = "needs DATABASE_URL pointing at a running Postgres"]
+#[test]
+fn invoke_separates_stdout_and_stderr() {
+    let Some(fx) = common::fixture_or_skip() else {
+        return;
+    };
+    let env = common::admin_env(fx);
+    let (id, _guard) = common::deploy_fixture(&env, "out-inv", "hello.rhai");
+
+    let out = common::pic_as(&env)
+        .args(["scripts", "invoke", &id])
+        .output()
+        .expect("invoke");
+    assert!(out.status.success());
+
+    let stderr = String::from_utf8(out.stderr).unwrap();
+    assert!(
+        stderr.starts_with("<- HTTP 200"),
+        "stderr should announce HTTP status: {stderr:?}"
+    );
+
+    let parsed: Value = serde_json::from_slice(&out.stdout)
+        .expect("stdout should be JSON only, with no status prefix");
+    assert_eq!(parsed["ok"], true, "body: {parsed}");
+}
+
+#[ignore = "needs DATABASE_URL pointing at a running Postgres"]
+#[test]
+fn error_goes_to_stderr_not_stdout() {
+    let Some(_fx) = common::fixture_or_skip() else {
+        return;
+    };
+    // Use a pristine env (no credentials file) so `whoami` is guaranteed
+    // to fail at the `config::load` step — `admin_env` would pre-seed
+    // creds and the command would succeed.
+    let env = common::TestEnv {
+        url: String::new(),
+        token: String::new(),
+        config_dir: tempfile::TempDir::new().unwrap(),
+        home: tempfile::TempDir::new().unwrap(),
+    };
+
+    let out = common::pic_no_env(&env)
+        .args(["whoami"])
+        .output()
+        .expect("whoami");
+    assert!(!out.status.success(), "expected failure, got: {out:?}");
+    assert!(
+        out.stdout.is_empty(),
+        "stdout should be empty on error, got: {:?}",
+        String::from_utf8_lossy(&out.stdout),
+    );
+    let stderr = String::from_utf8(out.stderr).unwrap();
+    assert!(
+        stderr.contains("error:"),
+        "stderr should be prefixed with `error:`: {stderr}"
+    );
+}
+
+#[ignore = "needs DATABASE_URL pointing at a running Postgres"]
+#[test]
+fn apps_ls_created_at_is_rfc3339() {
+    let Some(fx) = common::fixture_or_skip() else {
+        return;
+    };
+    let env = common::admin_env(fx);
+    let slug = common::unique_slug("out-date");
+    common::pic_as(&env)
+        .args(["apps", "create", &slug])
+        .assert()
+        .success();
+    let _guard = AppGuard::new(&env.url, &env.token, &slug);
+
+    let out = common::pic_as(&env)
+        .args(["apps", "ls"])
+        .output()
+        .expect("apps ls");
+    let stdout = String::from_utf8(out.stdout).unwrap();
+    let row = stdout
+        .lines()
+        .map(common::cells)
+        .find(|c| c.first().copied() == Some(slug.as_str()))
+        .unwrap_or_else(|| panic!("slug {slug} missing in: {stdout}"));
+    let created_at = row.get(3).expect("created_at cell");
+
+    // Accept the RFC3339 shape without pulling in chrono — `YYYY-MM-DDTHH:MM:SS`
+    // with optional fraction + timezone is enough of a contract for the test.
+    assert!(
+        created_at.len() >= 20
+            && created_at.as_bytes()[4] == b'-'
+            && created_at.as_bytes()[7] == b'-'
+            && created_at.as_bytes()[10] == b'T'
+            && created_at.as_bytes()[13] == b':'
+            && created_at.as_bytes()[16] == b':',
+        "created_at not RFC3339-shaped: {created_at}"
+    );
+}
+
+/// `--output json` is the global pipeline-friendly format. Validates
+/// `apps ls` returns a real JSON array (not a TSV-with-quotes hack).
+#[ignore = "needs DATABASE_URL pointing at a running Postgres"]
+#[test]
+fn apps_ls_json_output_is_valid_array() {
+    let Some(fx) = common::fixture_or_skip() else {
+        return;
+    };
+    let env = common::admin_env(fx);
+    let slug = common::unique_slug("out-json-apps");
+    common::pic_as(&env)
+        .args(["apps", "create", &slug])
+        .assert()
+        .success();
+    let _guard = AppGuard::new(&env.url, &env.token, &slug);
+
+    let out = common::pic_as(&env)
+        .args(["--output", "json", "apps", "ls"])
+        .output()
+        .expect("apps ls --output json");
+    assert!(out.status.success(), "apps ls failed: {out:?}");
+    let v: Value = serde_json::from_slice(&out.stdout).expect("stdout should be JSON");
+    let arr = v.as_array().expect("apps ls JSON should be an array");
+    assert!(
+        arr.iter()
+            .any(|row| row.get("slug").and_then(Value::as_str) == Some(slug.as_str())),
+        "json should include created slug: {v}"
+    );
+    // The header row must NOT bleed into JSON output — the rendered
+    // objects use header *keys*, not data cells.
+    assert!(
+        arr.iter().all(|row| row.get("slug").is_some()),
+        "every row should have a `slug` key: {v}"
+    );
+}
+
+#[ignore = "needs DATABASE_URL pointing at a running Postgres"]
+#[test]
+fn scripts_ls_json_output_has_app_slug() {
+    let Some(fx) = common::fixture_or_skip() else {
+        return;
+    };
+    let env = common::admin_env(fx);
+    let slug = common::unique_slug("out-json-scr");
+    common::pic_as(&env)
+        .args(["apps", "create", &slug])
+        .assert()
+        .success();
+    let _guard = AppGuard::new(&env.url, &env.token, &slug);
+    let fixture = common::fixture_path("hello.rhai");
+    common::pic_as(&env)
+        .args([
+            "scripts",
+            "deploy",
+            fixture.to_str().unwrap(),
+            "--app",
+            &slug,
+        ])
+        .assert()
+        .success();
+
+    let out = common::pic_as(&env)
+        .args(["--output", "json", "scripts", "ls", "--app", &slug])
+        .output()
+        .expect("scripts ls --output json");
+    assert!(out.status.success());
+    let v: Value = serde_json::from_slice(&out.stdout).expect("stdout JSON");
+    let arr = v.as_array().expect("array");
+    let row = arr
+        .iter()
+        .find(|r| r.get("name").and_then(Value::as_str) == Some("hello"))
+        .expect("hello row");
+    assert_eq!(row["app_slug"].as_str(), Some(slug.as_str()));
+}
+
+#[ignore = "needs DATABASE_URL pointing at a running Postgres"]
+#[test]
+fn logs_json_output_is_array_of_objects() {
+    let Some(fx) = common::fixture_or_skip() else {
+        return;
+    };
+    let env = common::admin_env(fx);
+    let (id, _guard) = common::deploy_fixture(&env, "out-json-log", "hello.rhai");
+    common::pic_as(&env)
+        .args(["scripts", "invoke", &id])
+        .assert()
+        .success();
+
+    let out = common::pic_as(&env)
+        .args(["--output", "json", "logs", &id])
+        .output()
+        .expect("logs --output json");
+    assert!(out.status.success());
+    let v: Value = serde_json::from_slice(&out.stdout).expect("stdout JSON");
+    let arr = v.as_array().expect("array");
+    assert!(!arr.is_empty(), "expected at least one log");
+    // Schema: each row carries the raw `ExecutionLog`, not the
+    // truncated summary the TSV form uses.
+    assert!(
+        arr[0].get("status").is_some(),
+        "log row missing status: {arr:?}"
+    );
+}
+
+/// TSV `whoami` used to be a single tab-separated line with no labels;
+/// downstream tools couldn't tell which column was the role. Now it's
+/// a key/value block with stable labels.
+#[ignore = "needs DATABASE_URL pointing at a running Postgres"]
+#[test]
+fn whoami_tsv_has_labeled_rows() {
+    let Some(fx) = common::fixture_or_skip() else {
+        return;
+    };
+    let env = common::admin_env(fx);
+
+    let out = common::pic_as(&env)
+        .args(["whoami"])
+        .output()
+        .expect("whoami");
+    assert!(out.status.success());
+    let stdout = String::from_utf8(out.stdout).unwrap();
+    let labels: Vec<&str> = stdout
+        .lines()
+        .filter_map(|l| l.split('\t').next())
+        .map(str::trim)
+        .collect();
+    assert!(
+        labels.contains(&"username"),
+        "missing username row: {stdout}"
+    );
+    assert!(labels.contains(&"role"), "missing role row: {stdout}");
+    assert!(labels.contains(&"email"), "missing email row: {stdout}");
+    assert!(labels.contains(&"url"), "missing url row: {stdout}");
+}

crates/picloud-cli/tests/roles.rs

@@ -0,0 +1,146 @@
+//! RBAC mirror of the dashboard's role-shadowing specs. A Member user
+//! is minted via the admin API, granted (or denied) membership on an
+//! app, then `pic` is driven against the member's bearer token to
+//! confirm the server's capability gates surface as expected exit
+//! codes / error messages.
+
+use predicates::prelude::*;
+
+use crate::common;
+use crate::common::cleanup::AppGuard;
+use crate::common::member;
+
+#[ignore = "needs DATABASE_URL pointing at a running Postgres"]
+#[test]
+fn member_apps_ls_only_shows_their_apps() {
+    let Some(fx) = common::fixture_or_skip() else {
+        return;
+    };
+    let admin_env = common::admin_env(fx);
+
+    let slug_visible = common::unique_slug("roles-visible");
+    let slug_hidden = common::unique_slug("roles-hidden");
+    common::pic_as(&admin_env)
+        .args(["apps", "create", &slug_visible])
+        .assert()
+        .success();
+    let _g1 = AppGuard::new(&admin_env.url, &admin_env.token, &slug_visible);
+    common::pic_as(&admin_env)
+        .args(["apps", "create", &slug_hidden])
+        .assert()
+        .success();
+    let _g2 = AppGuard::new(&admin_env.url, &admin_env.token, &slug_hidden);
+
+    let m = member::member_user(fx, &common::unique_username("rls"));
+    member::grant_membership(fx, &slug_visible, &m.id, "viewer");
+    let member_env = common::custom_env(&fx.url, &m.token);
+    common::seed_credentials(&member_env, &m.username);
+
+    let out = common::pic_as(&member_env)
+        .args(["apps", "ls"])
+        .output()
+        .expect("apps ls");
+    assert!(out.status.success(), "apps ls failed: {out:?}");
+    let stdout = String::from_utf8(out.stdout).unwrap();
+    assert!(
+        stdout.contains(&slug_visible),
+        "member should see {slug_visible}, got: {stdout}"
+    );
+    assert!(
+        !stdout.contains(&slug_hidden),
+        "member should NOT see {slug_hidden}, got: {stdout}"
+    );
+}
+
+#[ignore = "needs DATABASE_URL pointing at a running Postgres"]
+#[test]
+fn viewer_cannot_deploy_but_editor_can() {
+    let Some(fx) = common::fixture_or_skip() else {
+        return;
+    };
+    let admin_env = common::admin_env(fx);
+    let slug = common::unique_slug("roles-write");
+    common::pic_as(&admin_env)
+        .args(["apps", "create", &slug])
+        .assert()
+        .success();
+    let _g = AppGuard::new(&admin_env.url, &admin_env.token, &slug);
+
+    let m = member::member_user(fx, &common::unique_username("vw"));
+    member::grant_membership(fx, &slug, &m.id, "viewer");
+    let member_env = common::custom_env(&fx.url, &m.token);
+    common::seed_credentials(&member_env, &m.username);
+
+    let fixture = common::fixture_path("hello.rhai");
+    common::pic_as(&member_env)
+        .args([
+            "scripts",
+            "deploy",
+            fixture.to_str().unwrap(),
+            "--app",
+            &slug,
+        ])
+        .assert()
+        .failure()
+        // `Forbidden` → 403. A regressed predicate of `"HTTP 4"` would
+        // have masked an auth break (401) as an authz issue.
+        .stderr(predicate::str::contains("HTTP 403"));
+
+    // Promote to Editor and retry — the same command should now succeed.
+    member::update_membership(fx, &slug, &m.id, "editor");
+    common::pic_as(&member_env)
+        .args([
+            "scripts",
+            "deploy",
+            fixture.to_str().unwrap(),
+            "--app",
+            &slug,
+        ])
+        .assert()
+        .success()
+        .stdout(predicate::str::contains("Created hello v1"));
+}
+
+#[ignore = "needs DATABASE_URL pointing at a running Postgres"]
+#[test]
+fn member_can_invoke_any_script_with_id() {
+    let Some(fx) = common::fixture_or_skip() else {
+        return;
+    };
+    // `/api/v1/execute/{id}` is the unguarded data-plane ingress — even
+    // a member with no app membership can hit it as long as they hold
+    // a valid token (the orchestrator doesn't gate it).
+    let admin_env = common::admin_env(fx);
+    let (id, _guard) = common::deploy_fixture(&admin_env, "roles-inv", "hello.rhai");
+
+    let m = member::member_user(fx, &common::unique_username("inv"));
+    let member_env = common::custom_env(&fx.url, &m.token);
+    common::seed_credentials(&member_env, &m.username);
+
+    common::pic_as(&member_env)
+        .args(["scripts", "invoke", &id])
+        .assert()
+        .success();
+}
+
+#[ignore = "needs DATABASE_URL pointing at a running Postgres"]
+#[test]
+fn non_member_cannot_read_logs() {
+    let Some(fx) = common::fixture_or_skip() else {
+        return;
+    };
+    let admin_env = common::admin_env(fx);
+    let (id, _guard) = common::deploy_fixture(&admin_env, "roles-log", "hello.rhai");
+
+    let m = member::member_user(fx, &common::unique_username("rl"));
+    let member_env = common::custom_env(&fx.url, &m.token);
+    common::seed_credentials(&member_env, &m.username);
+
+    common::pic_as(&member_env)
+        .args(["logs", &id])
+        .assert()
+        .failure()
+        // Non-member → 403 from the authz layer, not 404 — the script
+        // exists; the caller just can't see it.
+        .stderr(predicate::str::contains("HTTP 403"));
+}

crates/picloud-cli/tests/scripts.rs

@@ -0,0 +1,240 @@
+//! `pic scripts deploy` / `pic scripts ls` edge cases beyond the
+//! smoke test: unknown app, name override, version bumping, missing
+//! file, and the no-`--app` walk across every accessible app.
+
+use predicates::prelude::*;
+
+use crate::common;
+use crate::common::cleanup::AppGuard;
+
+#[ignore = "needs DATABASE_URL pointing at a running Postgres"]
+#[test]
+fn deploy_against_unknown_app_errors() {
+    let Some(fx) = common::fixture_or_skip() else {
+        return;
+    };
+    let env = common::admin_env(fx);
+    let fixture = common::fixture_path("hello.rhai");
+    let bogus_slug = common::unique_slug("nope");
+
+    common::pic_as(&env)
+        .args([
+            "scripts",
+            "deploy",
+            fixture.to_str().unwrap(),
+            "--app",
+            &bogus_slug,
+        ])
+        .assert()
+        .failure()
+        // Specifically 404 — `apps_get` short-circuits before the deploy
+        // request even starts. Loose `"HTTP 4"` would have matched a
+        // regressed 401 from broken auth.
+        .stderr(predicate::str::contains("HTTP 404"));
+}
+
+#[ignore = "needs DATABASE_URL pointing at a running Postgres"]
+#[test]
+fn deploy_with_name_override() {
+    let Some(fx) = common::fixture_or_skip() else {
+        return;
+    };
+    let env = common::admin_env(fx);
+    let slug = common::unique_slug("scripts-named");
+    common::pic_as(&env)
+        .args(["apps", "create", &slug])
+        .assert()
+        .success();
+    let _guard = AppGuard::new(&env.url, &env.token, &slug);
+
+    let fixture = common::fixture_path("hello.rhai");
+    common::pic_as(&env)
+        .args([
+            "scripts",
+            "deploy",
+            fixture.to_str().unwrap(),
+            "--app",
+            &slug,
+            "--name",
+            "custom-name",
+        ])
+        .assert()
+        .success()
+        .stdout(predicate::str::contains("Created custom-name v1"));
+
+    common::pic_as(&env)
+        .args([
+            "scripts",
+            "deploy",
+            fixture.to_str().unwrap(),
+            "--app",
+            &slug,
+            "--name",
+            "custom-name",
+        ])
+        .assert()
+        .success()
+        .stdout(predicate::str::contains("Updated custom-name v2"));
+
+    let out = common::pic_as(&env)
+        .args(["scripts", "ls", "--app", &slug])
+        .output()
+        .expect("scripts ls");
+    assert!(out.status.success());
+    let stdout = String::from_utf8(out.stdout).unwrap();
+    assert!(
+        stdout
+            .lines()
+            .map(common::cells)
+            .any(|c| c.get(2).copied() == Some("custom-name") && c.get(3).copied() == Some("2")),
+        "expected custom-name v2 row, got: {stdout}",
+    );
+}
+
+#[ignore = "needs DATABASE_URL pointing at a running Postgres"]
+#[test]
+fn deploy_bumps_version_each_redeploy() {
+    let Some(fx) = common::fixture_or_skip() else {
+        return;
+    };
+    let env = common::admin_env(fx);
+    let slug = common::unique_slug("scripts-bump");
+    common::pic_as(&env)
+        .args(["apps", "create", &slug])
+        .assert()
+        .success();
+    let _guard = AppGuard::new(&env.url, &env.token, &slug);
+
+    let fixture = common::fixture_path("hello.rhai");
+    for expected in ["Created hello v1", "Updated hello v2", "Updated hello v3"] {
+        common::pic_as(&env)
+            .args([
+                "scripts",
+                "deploy",
+                fixture.to_str().unwrap(),
+                "--app",
+                &slug,
+            ])
+            .assert()
+            .success()
+            .stdout(predicate::str::contains(expected));
+    }
+}
+
+#[ignore = "needs DATABASE_URL pointing at a running Postgres"]
+#[test]
+fn deploy_missing_file_errors() {
+    let Some(fx) = common::fixture_or_skip() else {
+        return;
+    };
+    let env = common::admin_env(fx);
+    let slug = common::unique_slug("scripts-missing");
+    common::pic_as(&env)
+        .args(["apps", "create", &slug])
+        .assert()
+        .success();
+    let _guard = AppGuard::new(&env.url, &env.token, &slug);
+
+    let missing = std::env::temp_dir().join(common::unique_slug("ghost") + ".rhai");
+    common::pic_as(&env)
+        .args([
+            "scripts",
+            "deploy",
+            missing.to_str().unwrap(),
+            "--app",
+            &slug,
+        ])
+        .assert()
+        .failure()
+        .stderr(predicate::str::contains("reading"));
+}
+
+#[ignore = "needs DATABASE_URL pointing at a running Postgres"]
+#[test]
+fn ls_without_app_walks_every_accessible_app() {
+    let Some(fx) = common::fixture_or_skip() else {
+        return;
+    };
+    let env = common::admin_env(fx);
+    let slug_a = common::unique_slug("scripts-walk-a");
+    let slug_b = common::unique_slug("scripts-walk-b");
+
+    common::pic_as(&env)
+        .args(["apps", "create", &slug_a])
+        .assert()
+        .success();
+    let _guard_a = AppGuard::new(&env.url, &env.token, &slug_a);
+    common::pic_as(&env)
+        .args(["apps", "create", &slug_b])
+        .assert()
+        .success();
+    let _guard_b = AppGuard::new(&env.url, &env.token, &slug_b);
+
+    let fixture = common::fixture_path("hello.rhai");
+    for slug in [&slug_a, &slug_b] {
+        common::pic_as(&env)
+            .args([
+                "scripts",
+                "deploy",
+                fixture.to_str().unwrap(),
+                "--app",
+                slug,
+            ])
+            .assert()
+            .success();
+    }
+
+    // `pic scripts ls` (no `--app`) issues a single `GET /admin/scripts`
+    // against the server now — there's nothing per-app to race against
+    // a concurrent AppGuard drop. The previous implementation walked
+    // `apps_list` followed by per-app `scripts_list_by_app` calls and
+    // aborted on the first 404, which forced this test to retry 5× to
+    // paper over the bug. Both the walk and the retry are gone.
+    let out = common::pic_as(&env)
+        .args(["scripts", "ls"])
+        .output()
+        .expect("scripts ls");
+    assert!(out.status.success(), "scripts ls failed: {out:?}");
+    let stdout = String::from_utf8(out.stdout).unwrap();
+
+    let slugs: std::collections::HashSet<&str> = stdout
+        .lines()
+        .map(common::cells)
+        .filter_map(|c| c.get(1).copied())
+        .collect();
+    assert!(
+        slugs.contains(slug_a.as_str()),
+        "missing app A in: {stdout}"
+    );
+    assert!(
+        slugs.contains(slug_b.as_str()),
+        "missing app B in: {stdout}"
+    );
+}
+
+#[ignore = "needs DATABASE_URL pointing at a running Postgres"]
+#[test]
+fn delete_removes_script_from_ls() {
+    let Some(fx) = common::fixture_or_skip() else {
+        return;
+    };
+    let env = common::admin_env(fx);
+    let (id, _guard) = common::deploy_fixture(&env, "scripts-del", "hello.rhai");
+
+    common::pic_as(&env)
+        .args(["scripts", "delete", &id])
+        .assert()
+        .success()
+        .stdout(predicate::str::contains(format!("Deleted script {id}")));
+
+    let out = common::pic_as(&env)
+        .args(["scripts", "ls"])
+        .output()
+        .expect("scripts ls");
+    assert!(out.status.success());
+    let stdout = String::from_utf8(out.stdout).unwrap();
+    assert!(
+        !stdout.contains(&id),
+        "deleted script id should not appear in ls: {stdout}"
+    );
+}

crates/picloud/Cargo.toml

@@ -39,3 +39,5 @@ figment.workspace = true
 axum-test = "17"
 serde.workspace = true
 serde_json.workspace = true
+uuid.workspace = true
+chrono.workspace = true

crates/picloud/src/lib.rs

@@ -10,20 +10,23 @@ use axum::middleware::from_fn_with_state;
 use axum::{routing::get, Json, Router};
 use picloud_executor_core::{Engine, Limits};
 use picloud_manager_core::{
-    admin_router, admins_router, apps_api, apps_router, auth_router, compile_routes, migrations,
+    admin_router, admins_router, api_keys_router, app_members_router, apps_api, apps_router,
-    require_admin, route_admin_router, AdminSessionRepository, AdminState, AdminUserRepository,
+    attach_principal_if_present, auth_router, compile_routes, migrations, require_authenticated,
-    AdminsState, AppDomainRepository, AppRepository, AppsState, AuthState,
+    route_admin_router, AdminSessionRepository, AdminState, AdminUserRepository, AdminsState,
-    PostgresAdminSessionRepository, PostgresAdminUserRepository, PostgresAppDomainRepository,
+    ApiKeyRepository, ApiKeysState, AppDomainRepository, AppMembersRepository, AppMembersState,
-    PostgresAppRepository, PostgresExecutionLogRepository, PostgresExecutionLogSink,
+    AppRepository, AppsState, AuthState, AuthzRepo, PostgresAdminSessionRepository,
-    PostgresRouteRepository, PostgresScriptRepository, RepoResolver, RouteAdminState,
+    PostgresAdminUserRepository, PostgresApiKeyRepository, PostgresAppDomainRepository,
-    RouteRepository, SandboxCeiling,
+    PostgresAppMembersRepository, PostgresAppRepository, PostgresExecutionLogRepository,
+    PostgresExecutionLogSink, PostgresRouteRepository, PostgresScriptRepository, RepoResolver,
+    RouteAdminState, RouteRepository, SandboxCeiling,
 };
 use picloud_orchestrator_core::routing::{AppDomainTable, RouteTable};
 use picloud_orchestrator_core::{
-    data_plane_router, user_routes_router, DataPlaneState, LocalExecutorClient,
+    data_plane_router, user_routes_router, DataPlaneState, ExecutionGate, LocalExecutorClient,
 };
 use picloud_shared::{
-    ExecutionLogSink, ScriptValidator, API_VERSION, PRODUCT_VERSION, SDK_VERSION, WIRE_VERSION,
+    ExecutionLogSink, ScriptValidator, Services, API_VERSION, PRODUCT_VERSION, SDK_VERSION,
+    WIRE_VERSION,
 };
 use sqlx::postgres::PgPoolOptions;
 use sqlx::PgPool;
@@ -37,6 +40,7 @@ const DEFAULT_SESSION_TTL_HOURS: u64 = 24;
 pub struct AuthDeps {
     pub users: Arc<dyn AdminUserRepository>,
     pub sessions: Arc<dyn AdminSessionRepository>,
+    pub keys: Arc<dyn ApiKeyRepository>,
     pub ttl: Duration,
 }
 
@@ -46,7 +50,8 @@ impl AuthDeps {
     pub fn from_pool(pool: PgPool) -> Self {
         Self {
             users: Arc::new(PostgresAdminUserRepository::new(pool.clone())),
-            sessions: Arc::new(PostgresAdminSessionRepository::new(pool)),
+            sessions: Arc::new(PostgresAdminSessionRepository::new(pool.clone())),
+            keys: Arc::new(PostgresApiKeyRepository::new(pool)),
             ttl: read_session_ttl(),
         }
     }
@@ -76,8 +81,11 @@ fn read_session_ttl() -> Duration {
 /// the `require_admin` middleware. The data plane
 /// (`/api/v1/execute/{id}`, the user-route fallthrough, `/healthz`,
 /// `/version`) stays open — it's the public ingress for user scripts.
+#[allow(clippy::too_many_lines)]
 pub async fn build_app(pool: PgPool, auth: AuthDeps) -> anyhow::Result<Router> {
-    let engine = Arc::new(Engine::new(Limits::default()));
+    // `Services` is the SDK service bundle. Empty in v1.1.0; the
+    // v1.1.1 KV PR will populate it with `kv: Arc::new(...)` here.
+    let engine = Arc::new(Engine::new(Limits::default(), Services::new()));
 
     let script_repo = Arc::new(PostgresScriptRepository::new(pool.clone()));
     let log_repo = Arc::new(PostgresExecutionLogRepository::new(pool.clone()));
@@ -85,7 +93,14 @@ pub async fn build_app(pool: PgPool, auth: AuthDeps) -> anyhow::Result<Router> {
     let route_repo = Arc::new(PostgresRouteRepository::new(pool.clone()));
     let apps_repo: Arc<dyn AppRepository> = Arc::new(PostgresAppRepository::new(pool.clone()));
     let domains_repo: Arc<dyn AppDomainRepository> =
-        Arc::new(PostgresAppDomainRepository::new(pool));
+        Arc::new(PostgresAppDomainRepository::new(pool.clone()));
+    // The Postgres app_members repo implements both `AppMembersRepository`
+    // (CRUD over the table) and `AuthzRepo` (single-row membership lookup
+    // for capability checks). Construct it once and clone the Arc into
+    // both trait views — same allocation, two vtables.
+    let members_concrete = Arc::new(PostgresAppMembersRepository::new(pool));
+    let members: Arc<dyn AppMembersRepository> = members_concrete.clone();
+    let authz: Arc<dyn AuthzRepo> = members_concrete;
 
     // Compile the routes table once at startup; admin writes refresh it.
     let route_table = Arc::new(RouteTable::new());
@@ -114,12 +129,16 @@ pub async fn build_app(pool: PgPool, auth: AuthDeps) -> anyhow::Result<Router> {
     let resolver = Arc::new(RepoResolver::new(PostgresScriptRepoHandle(
         script_repo.clone(),
     )));
-    let executor = Arc::new(LocalExecutorClient::new(engine.clone()));
+    // Single global gate — overflow is rejected with 503 + Retry-After.
+    // See `ExecutionGate` docs and `PICLOUD_MAX_CONCURRENT_EXECUTIONS`.
+    let gate = Arc::new(ExecutionGate::from_env());
+    let executor = Arc::new(LocalExecutorClient::new(engine.clone(), gate));
 
     let admin = AdminState {
         repo: Arc::new(PostgresScriptRepoHandle(script_repo.clone())),
         logs: log_repo,
         apps: apps_repo.clone(),
+        authz: authz.clone(),
         validator: engine as Arc<dyn ScriptValidator>,
         sandbox_ceiling: SandboxCeiling::from_env(),
     };
@@ -128,6 +147,7 @@ pub async fn build_app(pool: PgPool, auth: AuthDeps) -> anyhow::Result<Router> {
         scripts: Arc::new(PostgresScriptRepoHandle(script_repo)),
         domains: domains_repo.clone(),
         table: route_table.clone(),
+        authz: authz.clone(),
     };
     let data_plane = DataPlaneState {
         executor,
@@ -141,43 +161,76 @@ pub async fn build_app(pool: PgPool, auth: AuthDeps) -> anyhow::Result<Router> {
         domains: domains_repo,
         routes: route_repo,
         domain_table: app_domain_table,
+        authz: authz.clone(),
     };
 
     let auth_state = AuthState {
         users: auth.users.clone(),
         sessions: auth.sessions.clone(),
+        keys: auth.keys.clone(),
         ttl: auth.ttl,
     };
     let admins_state = AdminsState {
-        users: auth.users,
+        users: auth.users.clone(),
         sessions: auth.sessions,
+        keys: auth.keys.clone(),
+        authz: authz.clone(),
     };
+    let app_members_state = AppMembersState {
+        apps: apps_state.apps.clone(),
+        users: auth.users,
+        members,
+        authz,
+    };
+    let api_keys_state = ApiKeysState { keys: auth.keys };
 
     // /admin/auth/login + /logout are unguarded by design (login is how
     // you get in). /admin/auth/me applies the middleware internally so
     // the same Router::with_state machinery composes cleanly. Everything
-    // else under /admin gets the require_admin layer.
+    // else under /admin gets the require_authenticated layer; capability
+    // checks live in each handler (after the resource is loaded so the
+    // capability binds to the resource's actual app_id).
     let guarded_admin = Router::new()
         .merge(admin_router(admin))
         .merge(route_admin_router(route_admin))
         .merge(admins_router(admins_state))
         .merge(apps_router(apps_state))
-        .layer(from_fn_with_state(auth_state.clone(), require_admin));
+        .merge(app_members_router(app_members_state))
+        .merge(api_keys_router(api_keys_state))
+        .layer(from_fn_with_state(
+            auth_state.clone(),
+            require_authenticated,
+        ));
 
     // Silence "unused import" lint on `apps_api` — we re-export via the
     // facade above; the bare module path is retained so it's discoverable.
     let _ = apps_api::AppsState::clone;
 
+    // Opportunistic principal extraction on every data-plane request.
+    // Always inserts `Extension<Option<Principal>>`: Some for authed
+    // ingress (bearer / cookie), None otherwise. Handlers depend on
+    // this layer being applied — scoped to the data-plane routers so
+    // the admin path (which uses `require_authenticated`) doesn't
+    // double-resolve the same token.
+    let data_plane_routed = data_plane_router(data_plane.clone()).layer(from_fn_with_state(
+        auth_state.clone(),
+        attach_principal_if_present,
+    ));
+    let user_routes = user_routes_router(data_plane).layer(from_fn_with_state(
+        auth_state.clone(),
+        attach_principal_if_present,
+    ));
+
     let api_v1 = Router::new()
         .nest("/admin", auth_router(auth_state))
         .nest("/admin", guarded_admin)
-        .merge(data_plane_router(data_plane.clone()));
+        .merge(data_plane_routed);
 
     Ok(Router::new()
         .route("/healthz", get(healthz))
         .route("/version", get(version))
         .nest(&format!("/api/v{API_VERSION}"), api_v1)
-        .merge(user_routes_router(data_plane))
+        .merge(user_routes)
         .layer(TraceLayer::new_for_http()))
 }
 
@@ -244,6 +297,12 @@ impl picloud_manager_core::ScriptRepository for PostgresScriptRepoHandle {
     ) -> Result<Vec<picloud_shared::Script>, picloud_manager_core::ScriptRepositoryError> {
         self.0.list_for_app(app_id).await
     }
+    async fn list_for_user(
+        &self,
+        user_id: picloud_shared::AdminUserId,
+    ) -> Result<Vec<picloud_shared::Script>, picloud_manager_core::ScriptRepositoryError> {
+        self.0.list_for_user(user_id).await
+    }
     async fn create(
         &self,
         input: picloud_manager_core::NewScript,

crates/picloud/src/main.rs

@@ -45,6 +45,7 @@ async fn run_server() -> anyhow::Result<()> {
 
     let auth = AuthDeps::from_pool(pool.clone());
     bootstrap_first_admin(&*auth.users).await?;
+    warn_on_multi_owner_install(&*auth.users).await;
 
     // Seed Hello World into the default app when this is a fresh
     // install (no scripts and no routes). Idempotent on upgrades.
@@ -79,6 +80,34 @@ async fn run_server() -> anyhow::Result<()> {
     Ok(())
 }
 
+/// Multi-owner startup warning — Phase 3.5 migration upgraded every
+/// pre-existing admin_users row to `Owner` via DEFAULT, which for
+/// installs with several Phase 3a admins means several co-owners.
+/// Surface this once at boot so the operator can demote extras via
+/// `PATCH /api/v1/admin/admins/{id}` with `instance_role: "admin"`.
+/// Soft-fail: a DB blip should not block startup.
+async fn warn_on_multi_owner_install(users: &dyn AdminUserRepository) {
+    match users.list_active_owners().await {
+        Ok(owners) if owners.len() > 1 => {
+            let names: Vec<String> = owners.into_iter().map(|u| u.username).collect();
+            tracing::warn!(
+                count = names.len(),
+                owners = ?names,
+                "multiple active owners detected — Phase 3.5 promoted every \
+                 pre-existing admin to owner. Demote extras via \
+                 PATCH /api/v1/admin/admins/{{id}} with instance_role."
+            );
+        }
+        Ok(_) => {}
+        Err(err) => {
+            tracing::warn!(
+                ?err,
+                "could not count active owners for multi-owner startup check"
+            );
+        }
+    }
+}
+
 fn spawn_session_pruner(sessions: Arc<dyn AdminSessionRepository>) {
     tokio::spawn(async move {
         let mut ticker = tokio::time::interval(Duration::from_secs(600));

crates/picloud/tests/api.rs

@@ -31,11 +31,12 @@ async fn server(pool: PgPool) -> TestServer {
 /// any test that creates scripts (every script now requires `app_id`).
 async fn server_with_app(pool: PgPool) -> (TestServer, String) {
     use picloud_manager_core::auth::hash_password;
+    use picloud_shared::InstanceRole;
 
     let auth = picloud::AuthDeps::from_pool(pool.clone());
     let hash = hash_password("test-pw").expect("hash");
     auth.users
-        .create("test-admin", &hash)
+        .create("test-admin", &hash, InstanceRole::Owner, None)
         .await
         .expect("seed admin");
 
@@ -92,6 +93,68 @@ async fn healthz_responds_ok(pool: PgPool) {
     assert_eq!(r.text(), "ok");
 }
 
+// ============================================================================
+// Auth
+// ============================================================================
+
+#[ignore = "needs DATABASE_URL pointing at a running Postgres"]
+#[sqlx::test(migrations = "../manager-core/migrations")]
+async fn auth_me_returns_principal_with_role_and_email(pool: PgPool) {
+    let s = server(pool).await;
+    let r = s.get("/api/v1/admin/auth/me").await;
+    r.assert_status_ok();
+    let body: Value = r.json();
+    assert_eq!(body["username"], "test-admin");
+    assert_eq!(body["instance_role"], "owner");
+    // Seeded admin has no email — must round-trip as null, not be missing.
+    assert!(
+        body.get("email").is_some_and(Value::is_null),
+        "email should be present and null, got: {body}"
+    );
+    assert!(body["id"].as_str().is_some());
+}
+
+#[ignore = "needs DATABASE_URL pointing at a running Postgres"]
+#[sqlx::test(migrations = "../manager-core/migrations")]
+async fn create_admin_accepts_email_and_patch_clears_it(pool: PgPool) {
+    let s = server(pool).await;
+    // Create with email set.
+    let created = s
+        .post("/api/v1/admin/admins")
+        .json(&json!({
+            "username": "alice",
+            "password": "correct-horse-battery",
+            "instance_role": "member",
+            "email": "alice@example.com",
+        }))
+        .await;
+    created.assert_status(axum::http::StatusCode::CREATED);
+    let body: Value = created.json();
+    let alice_id = body["id"].as_str().expect("id").to_string();
+    assert_eq!(body["email"], "alice@example.com");
+
+    // Patch with email present-and-null clears it.
+    let cleared = s
+        .patch(&format!("/api/v1/admin/admins/{alice_id}"))
+        .json(&json!({ "email": null }))
+        .await;
+    cleared.assert_status_ok();
+    assert!(cleared.json::<Value>()["email"].is_null());
+
+    // Patch with email omitted is a no-op (doesn't clobber a re-set).
+    let reset = s
+        .patch(&format!("/api/v1/admin/admins/{alice_id}"))
+        .json(&json!({ "email": "alice2@example.com" }))
+        .await;
+    reset.assert_status_ok();
+    let omit = s
+        .patch(&format!("/api/v1/admin/admins/{alice_id}"))
+        .json(&json!({ "username": "alice" })) // no email key
+        .await;
+    omit.assert_status_ok();
+    assert_eq!(omit.json::<Value>()["email"], "alice2@example.com");
+}
+
 // ============================================================================
 // Script CRUD
 // ============================================================================
@@ -821,7 +884,7 @@ async fn version_includes_public_base_url(pool: PgPool) {
     let v: Value = r.json();
     assert!(v["public_base_url"].is_string());
     assert_eq!(v["api"], 1);
-    assert_eq!(v["schema"], 5);
+    assert_eq!(v["schema"], 6);
     assert_eq!(v["sdk"], "1.1");
 }
 

crates/shared/src/auth.rs

@@ -0,0 +1,242 @@
+//! Cross-crate authn/authz types — Phase 3.5, see blueprint §11.6.
+//!
+//! The `Principal` extracted by `manager-core::auth_middleware` lives
+//! here so handlers in every crate (and, later, the v1.1 SDKs in
+//! `executor-core`) can refer to the same shape without pulling in the
+//! manager crate. The authorization rules themselves live in
+//! `manager-core::authz` — this module is data only.
+//!
+//! `UserId` is a transitional alias for `AdminUserId`. Phase 3a named
+//! the table `admin_users` to leave room for the v1.1 script-level
+//! `users` SDK feature (see blueprint §11.4 "Naming"); from the
+//! authorization layer's perspective an admin row is the principal
+//! identity, so we expose the alias rather than renaming the existing
+//! id type.
+
+use serde::{Deserialize, Serialize};
+
+use crate::{AdminUserId, AppId};
+
+/// Transitional alias — see module docs.
+pub type UserId = AdminUserId;
+
+/// Instance-wide role carried by every `admin_users` row. The DB
+/// representation is `text` (`'owner'|'admin'|'member'`), checked via
+/// a CHECK constraint in migration `0006_users_authz.sql`; this enum
+/// is the Rust mirror.
+#[derive(Debug, Clone, Copy, PartialEq, Eq, Hash, Serialize, Deserialize)]
+#[serde(rename_all = "snake_case")]
+pub enum InstanceRole {
+    /// Full instance control, manage other owners, implicit `app_admin`
+    /// on every app. Multiple allowed.
+    Owner,
+    /// Create apps, invite users, implicit `editor` on every app. No
+    /// instance-settings authority and no owner-management.
+    Admin,
+    /// Invited into specific apps via `app_members` only. No app
+    /// creation, no invite authority. List endpoints filter strictly
+    /// by membership at SQL.
+    Member,
+}
+
+impl InstanceRole {
+    /// Stable string form — matches the DB CHECK constraint values
+    /// exactly. Used by repos and the seed/audit paths.
+    #[must_use]
+    pub const fn as_str(self) -> &'static str {
+        match self {
+            Self::Owner => "owner",
+            Self::Admin => "admin",
+            Self::Member => "member",
+        }
+    }
+
+    /// Inverse of `as_str` — used when reading a row out of Postgres.
+    /// Returns `None` for unknown values so the caller can decide
+    /// between failing loudly or skipping a bad row.
+    #[must_use]
+    pub fn from_db_str(s: &str) -> Option<Self> {
+        match s {
+            "owner" => Some(Self::Owner),
+            "admin" => Some(Self::Admin),
+            "member" => Some(Self::Member),
+            _ => None,
+        }
+    }
+}
+
+/// Per-app role recorded in `app_members`. Members hold zero-or-one row
+/// per (user, app); owners and admins are not represented in the table
+/// (their app authority is implicit via `InstanceRole`).
+#[derive(Debug, Clone, Copy, PartialEq, Eq, Hash, Serialize, Deserialize)]
+#[serde(rename_all = "snake_case")]
+pub enum AppRole {
+    /// App settings, domain claims, delete.
+    AppAdmin,
+    /// CRUD on scripts, routes, sandbox config.
+    Editor,
+    /// Read scripts + execution logs.
+    Viewer,
+}
+
+impl AppRole {
+    #[must_use]
+    pub const fn as_str(self) -> &'static str {
+        match self {
+            Self::AppAdmin => "app_admin",
+            Self::Editor => "editor",
+            Self::Viewer => "viewer",
+        }
+    }
+
+    #[must_use]
+    pub fn from_db_str(s: &str) -> Option<Self> {
+        match s {
+            "app_admin" => Some(Self::AppAdmin),
+            "editor" => Some(Self::Editor),
+            "viewer" => Some(Self::Viewer),
+            _ => None,
+        }
+    }
+}
+
+/// API-key scope. Exactly seven values; new scopes need a blueprint
+/// edit before they're added here. Wire form is the colon-separated
+/// string (`"script:read"`, etc.) — matches the `text[]` stored in
+/// `api_keys.scopes` and the strings shown to operators.
+#[derive(Debug, Clone, Copy, PartialEq, Eq, Hash)]
+pub enum Scope {
+    ScriptRead,
+    ScriptWrite,
+    RouteWrite,
+    DomainManage,
+    LogRead,
+    AppAdmin,
+    InstanceAdmin,
+}
+
+impl Scope {
+    pub const ALL: &'static [Scope] = &[
+        Scope::ScriptRead,
+        Scope::ScriptWrite,
+        Scope::RouteWrite,
+        Scope::DomainManage,
+        Scope::LogRead,
+        Scope::AppAdmin,
+        Scope::InstanceAdmin,
+    ];
+
+    #[must_use]
+    pub const fn as_str(self) -> &'static str {
+        match self {
+            Self::ScriptRead => "script:read",
+            Self::ScriptWrite => "script:write",
+            Self::RouteWrite => "route:write",
+            Self::DomainManage => "domain:manage",
+            Self::LogRead => "log:read",
+            Self::AppAdmin => "app:admin",
+            Self::InstanceAdmin => "instance:admin",
+        }
+    }
+
+    #[must_use]
+    pub fn from_wire(s: &str) -> Option<Self> {
+        Self::ALL.iter().copied().find(|sc| sc.as_str() == s)
+    }
+
+    /// True for scopes that only make sense on an unbound key — bound
+    /// keys (api_keys.app_id IS NOT NULL) cannot claim instance-wide
+    /// authority and the mint handler rejects the combination at 422.
+    #[must_use]
+    pub const fn is_instance(self) -> bool {
+        matches!(self, Self::InstanceAdmin)
+    }
+}
+
+// Custom serde so the wire form is the colon-separated string. The
+// stored DB value lives in a `text[]`, so the repo converts between
+// `Vec<String>` and `Vec<Scope>` using `as_str`/`from_wire`.
+impl Serialize for Scope {
+    fn serialize<S: serde::Serializer>(&self, s: S) -> Result<S::Ok, S::Error> {
+        s.serialize_str(self.as_str())
+    }
+}
+
+impl<'de> Deserialize<'de> for Scope {
+    fn deserialize<D: serde::Deserializer<'de>>(d: D) -> Result<Self, D::Error> {
+        let s = String::deserialize(d)?;
+        Self::from_wire(&s).ok_or_else(|| serde::de::Error::custom(format!("unknown scope: {s}")))
+    }
+}
+
+/// Resolved caller identity. Produced by `manager-core::auth_middleware`
+/// for both the cookie-session path (then `scopes`/`app_binding` are
+/// `None`) and the bearer-API-key path (then both fields carry the
+/// key's constraints).
+///
+/// The capability check in `manager-core::authz::can` intersects
+/// `instance_role` with `scopes` and `app_binding` to decide whether
+/// a given `Capability` is granted.
+#[derive(Debug, Clone)]
+pub struct Principal {
+    pub user_id: UserId,
+    pub instance_role: InstanceRole,
+    /// `None` for cookie sessions (no scope restriction beyond the
+    /// role itself); `Some` for API keys, in which case the effective
+    /// authority is `role ∩ scopes`.
+    pub scopes: Option<Vec<Scope>>,
+    /// `Some(app)` for keys bound to a single app at mint time. Every
+    /// `App*(other)` capability is denied regardless of role.
+    pub app_binding: Option<AppId>,
+}
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+
+    #[test]
+    fn instance_role_round_trip() {
+        for role in [
+            InstanceRole::Owner,
+            InstanceRole::Admin,
+            InstanceRole::Member,
+        ] {
+            assert_eq!(InstanceRole::from_db_str(role.as_str()), Some(role));
+        }
+        assert_eq!(InstanceRole::from_db_str("bogus"), None);
+    }
+
+    #[test]
+    fn app_role_round_trip() {
+        for role in [AppRole::AppAdmin, AppRole::Editor, AppRole::Viewer] {
+            assert_eq!(AppRole::from_db_str(role.as_str()), Some(role));
+        }
+        assert_eq!(AppRole::from_db_str("bogus"), None);
+    }
+
+    #[test]
+    fn scope_round_trip_covers_all() {
+        for &scope in Scope::ALL {
+            assert_eq!(Scope::from_wire(scope.as_str()), Some(scope));
+        }
+        assert_eq!(Scope::from_wire("script:nope"), None);
+    }
+
+    #[test]
+    fn scope_is_instance_flags_only_instance_admin() {
+        for &scope in Scope::ALL {
+            let expected = scope == Scope::InstanceAdmin;
+            assert_eq!(scope.is_instance(), expected, "scope {}", scope.as_str());
+        }
+    }
+
+    #[test]
+    fn scope_serde_uses_wire_form() {
+        let s = serde_json::to_string(&Scope::ScriptWrite).unwrap();
+        assert_eq!(s, "\"script:write\"");
+        let back: Scope = serde_json::from_str(&s).unwrap();
+        assert_eq!(back, Scope::ScriptWrite);
+        let err = serde_json::from_str::<Scope>("\"unknown\"").unwrap_err();
+        assert!(err.to_string().contains("unknown scope"));
+    }
+}

crates/shared/src/events.rs

@@ -0,0 +1,119 @@
+//! `ServiceEventEmitter` — the contract every stateful SDK service uses
+//! to publish events into the (future) triggers framework.
+//!
+//! v1.1.0 ships only the trait shape and a `NoopEventEmitter` that
+//! drops every event. The real outbox-backed implementation lands with
+//! the triggers PR in v1.1.1; locking the trait now means services
+//! written in subsequent v1.1.x PRs (KV, docs, files, …) don't have to
+//! re-thread their plumbing when the dispatcher arrives.
+//!
+//! Design rationale (full discussion: `docs/sdk-shape.md`):
+//!   * Async — outbox writes hit Postgres.
+//!   * Cx is passed in so the emitter can attribute the event to the
+//!     `app_id` / `principal` / `execution_id` that produced it.
+//!   * Events carry their semantic identity (`source` + `op`) plus
+//!     optional locator (`collection` + `key`) and optional payloads
+//!     (`payload` for the new value, `old_payload` for the previous on
+//!     updates). The dispatcher matches on (source, op, collection)
+//!     filters to decide which scripts to fan out to.
+
+use async_trait::async_trait;
+use thiserror::Error;
+
+use crate::SdkCallCx;
+
+/// Trait every stateful service depends on to emit events. The host
+/// binary constructs one instance and clones the Arc into each service.
+#[async_trait]
+pub trait ServiceEventEmitter: Send + Sync {
+    /// Publish a single event. Implementations are expected to be
+    /// fire-and-forget from the caller's perspective: the outbox impl
+    /// will return `Ok(())` once the event is durably persisted, the
+    /// dispatcher reads it out-of-band.
+    async fn emit(&self, cx: &SdkCallCx, event: ServiceEvent) -> Result<(), EmitError>;
+}
+
+/// One service event. `source` and `op` are `&'static str` because they
+/// come from a fixed enumeration baked into each service (`"kv"` +
+/// `"insert"`/`"update"`/`"delete"`, etc.) — never from user data.
+/// `collection`/`key`/payloads come from user data and are owned.
+#[derive(Debug, Clone)]
+pub struct ServiceEvent {
+    /// Service namespace. Matches the Rhai module name: `"kv"`,
+    /// `"docs"`, `"files"`, etc.
+    pub source: &'static str,
+
+    /// Operation verb. Each service defines its own vocabulary;
+    /// dispatcher filters match on the literal string.
+    pub op: &'static str,
+
+    /// Affected collection, when the service is collection-scoped
+    /// (`kv`, `docs`, `files`). `None` for collection-less events.
+    pub collection: Option<String>,
+
+    /// Affected key/id within the collection, when applicable.
+    pub key: Option<String>,
+
+    /// New value after the operation, when carrying it is cheap and
+    /// useful. `None` for deletes.
+    pub payload: Option<serde_json::Value>,
+
+    /// Previous value before the operation, populated on `update` /
+    /// `delete` so triggers can diff. `None` on `insert`.
+    pub old_payload: Option<serde_json::Value>,
+}
+
+/// Errors an emitter can surface upward. The noop impl never returns
+/// these; the v1.1.1 outbox impl uses `Unavailable` for pool/connection
+/// failures and `Rejected` for malformed payloads (e.g. event JSON too
+/// large for the outbox row).
+#[derive(Debug, Error)]
+pub enum EmitError {
+    #[error("event sink unavailable: {0}")]
+    Unavailable(String),
+    #[error("event sink rejected event: {0}")]
+    Rejected(String),
+}
+
+/// Default emitter for v1.1.0. Accepts every event, persists nothing,
+/// always returns `Ok(())`. Wired in the picloud binary; the v1.1.1
+/// triggers PR swaps this for a Postgres outbox writer.
+#[derive(Debug, Default, Clone, Copy)]
+pub struct NoopEventEmitter;
+
+#[async_trait]
+impl ServiceEventEmitter for NoopEventEmitter {
+    async fn emit(&self, _cx: &SdkCallCx, _event: ServiceEvent) -> Result<(), EmitError> {
+        Ok(())
+    }
+}
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+
+    // Compile-time check that ServiceEventEmitter is dyn-safe — every
+    // service holds it as `Arc<dyn ServiceEventEmitter>` and would
+    // silently break the workspace if a non-object-safe method snuck
+    // in. Behavioural tests for the noop impl come for free once a
+    // service exercises it (v1.1.1+); avoid pulling tokio into
+    // `picloud-shared` just for a one-line `emit().await` check.
+    #[allow(dead_code)]
+    fn assert_dyn_compatible(_e: &dyn ServiceEventEmitter) {}
+
+    #[test]
+    fn service_event_construction_is_explicit() {
+        // Pin the field layout so a re-ordering in a future PR causes a
+        // compile failure here rather than silently misattributing
+        // events. Hash-derive isn't appropriate (serde_json::Value isn't
+        // Hash), so structural construction is the assertion.
+        let _ = ServiceEvent {
+            source: "kv",
+            op: "insert",
+            collection: Some("widgets".into()),
+            key: Some("k1".into()),
+            payload: Some(serde_json::json!({"v": 1})),
+            old_payload: None,
+        };
+    }
+}

crates/shared/src/ids.rs

@@ -52,3 +52,4 @@ id_type!(ExecutionId);
 id_type!(RequestId);
 id_type!(AdminUserId);
 id_type!(AppId);
+id_type!(ApiKeyId);

crates/shared/src/lib.rs

@@ -5,23 +5,31 @@
 //! entity, error roots, transport DTOs).
 
 pub mod app;
+pub mod auth;
 pub mod error;
+pub mod events;
 pub mod execution_log;
 pub mod ids;
 pub mod log_sink;
 pub mod route;
 pub mod sandbox;
 pub mod script;
+pub mod sdk_cx;
+pub mod services;
 pub mod validator;
 pub mod version;
 
 pub use app::{App, AppDomain, DomainShape};
+pub use auth::{AppRole, InstanceRole, Principal, Scope, UserId};
 pub use error::Error;
+pub use events::{EmitError, NoopEventEmitter, ServiceEvent, ServiceEventEmitter};
 pub use execution_log::{ExecutionLog, ExecutionStatus};
-pub use ids::{AdminUserId, AppId, ExecutionId, RequestId, ScriptId};
+pub use ids::{AdminUserId, ApiKeyId, AppId, ExecutionId, RequestId, ScriptId};
 pub use log_sink::{ExecutionLogSink, LogSinkError};
 pub use route::{HostKind, PathKind, Route};
 pub use sandbox::ScriptSandbox;
 pub use script::Script;
+pub use sdk_cx::SdkCallCx;
+pub use services::Services;
 pub use validator::{ScriptValidator, ValidationError};
 pub use version::{API_VERSION, PRODUCT_VERSION, SDK_VERSION, WIRE_VERSION};

crates/shared/src/sdk_cx.rs

@@ -0,0 +1,54 @@
+//! `SdkCallCx` — per-call context every stateful SDK service receives.
+//!
+//! Service trait methods (added by subsequent v1.1.x PRs starting with
+//! KV) all take `&SdkCallCx` so they can:
+//!   * scope by `app_id` for cross-app isolation,
+//!   * audit `principal` when authenticated,
+//!   * carry `execution_id` / `request_id` into emitted events,
+//!   * bound trigger chains via `trigger_depth` / `root_execution_id`.
+//!
+//! The struct lives in `picloud-shared` (not `executor-core`) because
+//! future service impls live in `manager-core` and the trait that hands
+//! the cx in is shared by both sides. Pure value type — no handles, no
+//! DB pool references, no allocations beyond what's in `Principal`.
+
+use crate::{AppId, ExecutionId, Principal, RequestId};
+
+/// Per-invocation context for every stateful SDK service call.
+///
+/// Constructed once at the start of an invocation by `executor-core`
+/// from the incoming `ExecRequest`, then handed (by reference) to every
+/// service trait method the script triggers during execution. Services
+/// MUST derive `app_id` from this struct — never from script-passed
+/// arguments — to preserve cross-app isolation.
+#[derive(Debug, Clone)]
+pub struct SdkCallCx {
+    /// Owning application for this invocation. Source of truth for
+    /// every `(app_id, …)` storage lookup the script makes.
+    pub app_id: AppId,
+
+    /// Caller identity, when authenticated. `None` for unauthenticated
+    /// data-plane HTTP requests (the common case for public endpoints);
+    /// `Some` when the call came in via the dashboard, an API key, or a
+    /// future authed surface.
+    pub principal: Option<Principal>,
+
+    /// Unique id for THIS execution. Matches `ExecRequest.execution_id`.
+    pub execution_id: ExecutionId,
+
+    /// Unique id for the ingress request that started the chain. The
+    /// same `request_id` is shared across every execution triggered by
+    /// the same request (direct + trigger fan-out).
+    pub request_id: RequestId,
+
+    /// `0` for direct invocations (HTTP request, manual run). Each
+    /// indirect invocation through the triggers framework (v1.1.1)
+    /// increments this; the dispatcher rejects beyond a configured
+    /// ceiling to prevent runaway feedback loops.
+    pub trigger_depth: u32,
+
+    /// `== execution_id` when `trigger_depth == 0`; otherwise the
+    /// `execution_id` of the original ingress execution. Lets the audit
+    /// log group every fan-out execution under the originating event.
+    pub root_execution_id: ExecutionId,
+}

crates/shared/src/services.rs

@@ -0,0 +1,38 @@
+//! `Services` — bundle of stateful SDK service handles plumbed from the
+//! host binary into every Rhai execution.
+//!
+//! v1.1.0 ships this struct empty. Subsequent PRs in the v1.1.x series
+//! add one field per service:
+//!
+//! ```ignore
+//! pub kv:   Arc<dyn KvService>,    // v1.1.1
+//! pub docs: Arc<dyn DocsService>,  // v1.1.2
+//! pub http: Arc<dyn HttpService>,  // v1.1.4
+//! // …
+//! ```
+//!
+//! The bundle is cheap to clone (`Arc` per service) and is constructed
+//! once at startup in the picloud binary. The executor takes it by
+//! reference per invocation, hands it (alongside an `SdkCallCx`) to
+//! `executor-core::sdk::register_all`, which wires the corresponding
+//! Rhai `::` namespace per service.
+//!
+//! `#[non_exhaustive]` so adding fields is a non-breaking change for
+//! consumers that only *pattern-match* a `&Services`; only crates that
+//! *construct* a `Services` (in practice, just the picloud binary) need
+//! to update their constructor when new services land.
+
+/// SDK service bundle. See module docs for the lifecycle and the v1.1.x
+/// expansion plan.
+#[non_exhaustive]
+#[derive(Default)]
+pub struct Services {}
+
+impl Services {
+    /// Construct an empty bundle. Replaced by a fielded `::new(...)`
+    /// once the first service (KV, v1.1.1) lands.
+    #[must_use]
+    pub fn new() -> Self {
+        Self {}
+    }
+}

dashboard/.prettierignore

@@ -2,3 +2,9 @@
 build
 node_modules
 package-lock.json
+
+# Playwright generated artifacts
+playwright-report
+test-results
+tests/e2e/.auth
+tests/e2e/.results

dashboard/package-lock.json

@@ -1,12 +1,12 @@
 {
   "name": "picloud-dashboard",
-  "version": "0.5.1",
+  "version": "0.6.0",
   "lockfileVersion": 3,
   "requires": true,
   "packages": {
     "": {
       "name": "picloud-dashboard",
-      "version": "0.5.1",
+      "version": "0.6.0",
       "dependencies": {
         "@codemirror/autocomplete": "^6.20.2",
         "@codemirror/commands": "^6.10.3",
@@ -20,6 +20,7 @@
       },
       "devDependencies": {
         "@eslint/js": "^9.18.0",
+        "@playwright/test": "^1.60.0",
         "@sveltejs/adapter-static": "^3.0.8",
         "@sveltejs/kit": "^2.17.0",
         "@sveltejs/vite-plugin-svelte": "^5.0.3",
@@ -885,6 +886,22 @@
       "integrity": "sha512-l0h88YhZFyKdXIFNfSWpyjStDjGHwZ/U7iobcK1cQQD8sejsONdQtTVU+1wVN1PBw40PiiHB1vA5S7VTfQiP9g==",
       "license": "MIT"
     },
+    "node_modules/@playwright/test": {
+      "version": "1.60.0",
+      "resolved": "https://registry.npmjs.org/@playwright/test/-/test-1.60.0.tgz",
+      "integrity": "sha512-O71yZIbAh/PxDMNGns37GHBIfrVkEVyn+AXyIa5dOTfb4/xNvRWV+Vv/NMbNCtODB/pO7vLlF2OTmMVLhmr7Ag==",
+      "dev": true,
+      "license": "Apache-2.0",
+      "dependencies": {
+        "playwright": "1.60.0"
+      },
+      "bin": {
+        "playwright": "cli.js"
+      },
+      "engines": {
+        "node": ">=18"
+      }
+    },
     "node_modules/@polka/url": {
       "version": "1.0.0-next.29",
       "resolved": "https://registry.npmjs.org/@polka/url/-/url-1.0.0-next.29.tgz",
@@ -3010,6 +3027,53 @@
         "url": "https://github.com/sponsors/jonschlinkert"
       }
     },
+    "node_modules/playwright": {
+      "version": "1.60.0",
+      "resolved": "https://registry.npmjs.org/playwright/-/playwright-1.60.0.tgz",
+      "integrity": "sha512-hheHdokM8cdqCb0lcE3s+zT4t4W+vvjpGxsZlDnikarzx8tSzMebh3UiFtgqwFwnTnjYQcsyMF8ei2mCO/tpeA==",
+      "dev": true,
+      "license": "Apache-2.0",
+      "dependencies": {
+        "playwright-core": "1.60.0"
+      },
+      "bin": {
+        "playwright": "cli.js"
+      },
+      "engines": {
+        "node": ">=18"
+      },
+      "optionalDependencies": {
+        "fsevents": "2.3.2"
+      }
+    },
+    "node_modules/playwright-core": {
+      "version": "1.60.0",
+      "resolved": "https://registry.npmjs.org/playwright-core/-/playwright-core-1.60.0.tgz",
+      "integrity": "sha512-9bW6zvX/m0lEbgTKJ6YppOKx8H3VOPBMOCFh2irXFOT4BbHgrx5hPjwJYLT40Lu+4qtD36qKc/Hn56StUW57IA==",
+      "dev": true,
+      "license": "Apache-2.0",
+      "bin": {
+        "playwright-core": "cli.js"
+      },
+      "engines": {
+        "node": ">=18"
+      }
+    },
+    "node_modules/playwright/node_modules/fsevents": {
+      "version": "2.3.2",
+      "resolved": "https://registry.npmjs.org/fsevents/-/fsevents-2.3.2.tgz",
+      "integrity": "sha512-xiqMQR4xAeHTuB9uWm+fFRcIOgKBMiOBP+eXiyT7jsgVCq1bkVygt00oASowB7EdtpOHaaPgKt812P9ab+DDKA==",
+      "dev": true,
+      "hasInstallScript": true,
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "darwin"
+      ],
+      "engines": {
+        "node": "^8.16.0 || ^10.6.0 || >=11.0.0"
+      }
+    },
     "node_modules/postcss": {
       "version": "8.5.15",
       "resolved": "https://registry.npmjs.org/postcss/-/postcss-8.5.15.tgz",

dashboard/package.json

@@ -1,6 +1,6 @@
 {
 	"name": "picloud-dashboard",
-  "version": "0.5.1",
+	"version": "0.6.0",
 	"private": true,
 	"type": "module",
 	"scripts": {
@@ -11,10 +11,14 @@
 		"check:watch": "svelte-kit sync && svelte-check --tsconfig ./tsconfig.json --watch",
 		"format": "prettier --write .",
 		"lint": "prettier --check . && eslint .",
-    "test": "vitest run"
+		"test": "vitest run",
+		"test:e2e": "playwright test",
+		"test:e2e:ui": "playwright test --ui",
+		"test:e2e:install": "playwright install --with-deps chromium"
 	},
 	"devDependencies": {
 		"@eslint/js": "^9.18.0",
+		"@playwright/test": "^1.60.0",
 		"@sveltejs/adapter-static": "^3.0.8",
 		"@sveltejs/kit": "^2.17.0",
 		"@sveltejs/vite-plugin-svelte": "^5.0.3",

dashboard/playwright.config.ts

@@ -0,0 +1,51 @@
+import { defineConfig, devices } from '@playwright/test';
+import { fileURLToPath } from 'node:url';
+import path from 'node:path';
+
+const __dirname = path.dirname(fileURLToPath(import.meta.url));
+
+const DASHBOARD_PORT = Number(process.env.PICLOUD_DASHBOARD_PORT ?? 5173);
+// baseURL is the origin only — the SvelteKit dashboard is mounted at
+// `/admin` (svelte.config.js paths.base), so tests use full paths like
+// `/admin/login` rather than relying on baseURL path resolution.
+const DASHBOARD_BASE = process.env.E2E_BASE_URL ?? `http://localhost:${DASHBOARD_PORT}`;
+
+export default defineConfig({
+	testDir: './tests/e2e',
+	outputDir: './tests/e2e/.results',
+	fullyParallel: true,
+	forbidOnly: !!process.env.CI,
+	// Local: 1 retry to absorb dev-server warmup flakiness. CI: 2.
+	retries: process.env.CI ? 2 : 1,
+	// Cap at 4 workers locally to keep the shared Vite dev server
+	// from getting stampeded during cold-start compiles.
+	workers: process.env.CI ? 2 : 4,
+	reporter: process.env.CI ? [['html'], ['github']] : 'html',
+	globalSetup: './tests/e2e/global-setup.ts',
+	expect: { timeout: 5_000 },
+	use: {
+		baseURL: DASHBOARD_BASE,
+		actionTimeout: 10_000,
+		navigationTimeout: 30_000,
+		trace: 'on-first-retry',
+		screenshot: 'only-on-failure',
+		video: 'retain-on-failure'
+	},
+	projects: [
+		{
+			name: 'chromium',
+			use: {
+				...devices['Desktop Chrome'],
+				storageState: path.join(__dirname, 'tests/e2e/.auth/admin.json')
+			}
+		}
+	],
+	webServer: {
+		command: 'npm run dev',
+		url: `http://localhost:${DASHBOARD_PORT}/admin/`,
+		reuseExistingServer: !process.env.CI,
+		stdout: 'pipe',
+		stderr: 'pipe',
+		timeout: 60_000
+	}
+});

dashboard/src/lib/ActionMenu.svelte

@@ -0,0 +1,256 @@
+<!--
+  Per-row "⋮" kebab menu. Hides secondary actions (edit, deactivate,
+  delete, etc.) behind a single trigger so list rows stay tidy.
+
+  Usage:
+    <ActionMenu
+      items={[
+        { label: 'Edit', onClick: () => openEdit(row) },
+        { label: row.is_active ? 'Deactivate' : 'Reactivate',
+          onClick: () => toggleActive(row) },
+        { label: 'Delete', danger: true, onClick: () => openDelete(row),
+          disabled: !canDelete(row) },
+      ]}
+    />
+
+  Closes on: item click, click outside, ESC, scroll/resize. Keyboard:
+  Enter/Space opens; Up/Down navigate; Enter activates; ESC closes and
+  re-focuses the trigger. The popover is absolutely positioned relative
+  to the trigger and right-anchored — the parent must allow overflow
+  (`overflow: visible`) for it to extend past the row.
+-->
+<script lang="ts">
+	export interface MenuItem {
+		label: string;
+		onClick: () => void;
+		danger?: boolean;
+		disabled?: boolean;
+	}
+
+	interface Props {
+		items: MenuItem[];
+		/** Accessible label for the trigger button. */
+		label?: string;
+	}
+
+	let { items, label = 'More actions' }: Props = $props();
+
+	let open = $state(false);
+	let triggerEl = $state<HTMLButtonElement | null>(null);
+	let menuEl = $state<HTMLDivElement | null>(null);
+	let activeIndex = $state(-1);
+
+	let enabledIndices = $derived(
+		items
+			.map((it, i) => (it.disabled ? -1 : i))
+			.filter((i) => i >= 0)
+	);
+
+	function toggle() {
+		open ? close() : openMenu();
+	}
+
+	function openMenu() {
+		open = true;
+		activeIndex = enabledIndices[0] ?? -1;
+	}
+
+	function close(refocus = false) {
+		open = false;
+		activeIndex = -1;
+		if (refocus) triggerEl?.focus();
+	}
+
+	function activate(index: number) {
+		const item = items[index];
+		if (!item || item.disabled) return;
+		close();
+		item.onClick();
+	}
+
+	function moveActive(step: 1 | -1) {
+		if (enabledIndices.length === 0) return;
+		const cur = enabledIndices.indexOf(activeIndex);
+		const next =
+			cur === -1
+				? enabledIndices[0]
+				: enabledIndices[(cur + step + enabledIndices.length) % enabledIndices.length];
+		activeIndex = next;
+	}
+
+	function onTriggerKeydown(e: KeyboardEvent) {
+		if (e.key === 'ArrowDown' || e.key === 'Enter' || e.key === ' ') {
+			e.preventDefault();
+			if (!open) openMenu();
+		}
+	}
+
+	function onMenuKeydown(e: KeyboardEvent) {
+		switch (e.key) {
+			case 'ArrowDown':
+				e.preventDefault();
+				moveActive(1);
+				break;
+			case 'ArrowUp':
+				e.preventDefault();
+				moveActive(-1);
+				break;
+			case 'Enter':
+			case ' ':
+				e.preventDefault();
+				if (activeIndex >= 0) activate(activeIndex);
+				break;
+			case 'Escape':
+				e.preventDefault();
+				close(true);
+				break;
+			case 'Tab':
+				close();
+				break;
+		}
+	}
+
+	function onWindowMouseDown(e: MouseEvent) {
+		if (!open) return;
+		const target = e.target as Node;
+		if (menuEl?.contains(target) || triggerEl?.contains(target)) return;
+		close();
+	}
+
+	// Close on viewport changes — naive but enough; without a portal a
+	// scrolling list would otherwise leave the popover drifting away from
+	// its row.
+	function onViewportChange() {
+		if (open) close();
+	}
+</script>
+
+<svelte:window
+	onmousedown={onWindowMouseDown}
+	onscroll={onViewportChange}
+	onresize={onViewportChange}
+/>
+
+<div class="wrap">
+	<button
+		bind:this={triggerEl}
+		type="button"
+		class="trigger"
+		class:open
+		aria-label={label}
+		aria-haspopup="menu"
+		aria-expanded={open}
+		onclick={toggle}
+		onkeydown={onTriggerKeydown}
+	>
+		<!-- vertical ellipsis ⋮ — kept inline as text so it inherits color -->
+		<span aria-hidden="true">⋮</span>
+	</button>
+
+	{#if open}
+		<div
+			bind:this={menuEl}
+			class="menu"
+			role="menu"
+			tabindex="-1"
+			onkeydown={onMenuKeydown}
+		>
+			{#each items as item, i (i)}
+				<button
+					type="button"
+					role="menuitem"
+					class="item"
+					class:danger={item.danger}
+					class:active={i === activeIndex}
+					disabled={item.disabled}
+					onclick={() => activate(i)}
+					onmouseenter={() => {
+						if (!item.disabled) activeIndex = i;
+					}}
+				>
+					{item.label}
+				</button>
+			{/each}
+		</div>
+	{/if}
+</div>
+
+<style>
+	.wrap {
+		position: relative;
+		display: inline-flex;
+		justify-content: flex-end;
+	}
+
+	.trigger {
+		background: transparent;
+		color: #94a3b8;
+		border: 1px solid transparent;
+		width: 1.75rem;
+		height: 1.75rem;
+		border-radius: 0.25rem;
+		font: inherit;
+		font-size: 1.1rem;
+		line-height: 1;
+		cursor: pointer;
+		display: inline-flex;
+		align-items: center;
+		justify-content: center;
+		padding: 0;
+	}
+
+	.trigger:hover,
+	.trigger:focus-visible,
+	.trigger.open {
+		background: #1e293b;
+		color: #e2e8f0;
+		border-color: #334155;
+		outline: none;
+	}
+
+	.menu {
+		position: absolute;
+		top: calc(100% + 4px);
+		right: 0;
+		min-width: 9rem;
+		background: #0f172a;
+		border: 1px solid #334155;
+		border-radius: 0.375rem;
+		box-shadow: 0 10px 25px -10px rgba(0, 0, 0, 0.6);
+		padding: 0.25rem;
+		display: flex;
+		flex-direction: column;
+		z-index: 50;
+	}
+
+	.item {
+		background: transparent;
+		color: #cbd5e1;
+		border: none;
+		text-align: left;
+		padding: 0.4rem 0.6rem;
+		font: inherit;
+		font-size: 0.8rem;
+		border-radius: 0.25rem;
+		cursor: pointer;
+	}
+
+	.item.active:not(:disabled) {
+		background: #1e293b;
+		color: #e2e8f0;
+	}
+
+	.item.danger {
+		color: #fca5a5;
+	}
+
+	.item.danger.active:not(:disabled) {
+		background: #450a0a;
+		color: #fecaca;
+	}
+
+	.item:disabled {
+		opacity: 0.45;
+		cursor: not-allowed;
+	}
+</style>

dashboard/src/lib/CodeEditor.svelte

@@ -25,12 +25,18 @@
 		value = $bindable(''),
 		language = 'rhai' as Language,
 		placeholder = '',
-		minHeight = '12rem'
+		minHeight = '12rem',
+		readOnly = false
 	}: {
 		value?: string;
 		language?: Language;
 		placeholder?: string;
 		minHeight?: string;
+		/** When true the editor renders without a cursor and rejects
+		 *  keystrokes. Parent-driven `value` changes still apply via
+		 *  the dispatch path below — this only blocks user edits.
+		 *  Not reactive after mount; re-mount via `{#key}` if needed. */
+		readOnly?: boolean;
 	} = $props();
 
 	let host: HTMLDivElement | null = null;
@@ -48,6 +54,12 @@
 			keymap.of([indentWithTab]),
 			dashboardSyntaxHighlighting,
 			dashboardTheme,
+			// readOnly + editable together: readOnly blocks the
+			// underlying transactions, editable suppresses the caret
+			// + selection visuals so the user can see it's not
+			// editable.
+			EditorState.readOnly.of(readOnly),
+			EditorView.editable.of(!readOnly),
 			EditorView.updateListener.of((update) => {
 				if (update.docChanged && !pushingFromOutside) {
 					value = update.state.doc.toString();

dashboard/src/lib/RoleChip.svelte

@@ -0,0 +1,69 @@
+<script lang="ts">
+	import type { InstanceRole } from '$lib/auth';
+	import type { AppRole } from '$lib/api';
+
+	interface Props {
+		role?: InstanceRole;
+		appRole?: AppRole;
+		size?: 'sm' | 'md';
+	}
+
+	let { role, appRole, size = 'md' }: Props = $props();
+
+	// Display label: app roles read better with a space ("app admin")
+	// than their wire form ("app_admin").
+	const label = $derived(
+		appRole ? appRole.replace('_', ' ') : (role ?? '')
+	);
+	const cls = $derived(appRole ? `chip-${appRole}` : `chip-${role}`);
+</script>
+
+<span class="chip {cls}" class:sm={size === 'sm'}>{label}</span>
+
+<style>
+	.chip {
+		display: inline-flex;
+		align-items: center;
+		padding: 0.15rem 0.55rem;
+		border-radius: 999px;
+		font-size: 0.7rem;
+		font-weight: 600;
+		text-transform: uppercase;
+		letter-spacing: 0.04em;
+		border: 1px solid transparent;
+	}
+	.chip.sm {
+		font-size: 0.625rem;
+		padding: 0.1rem 0.45rem;
+	}
+	.chip-owner {
+		background: #78350f;
+		color: #fbbf24;
+		border-color: #b45309;
+	}
+	.chip-admin {
+		background: #164e63;
+		color: #67e8f9;
+		border-color: #0e7490;
+	}
+	.chip-member {
+		background: #1e293b;
+		color: #cbd5e1;
+		border-color: #334155;
+	}
+	.chip-app_admin {
+		background: #4c1d95;
+		color: #c4b5fd;
+		border-color: #6d28d9;
+	}
+	.chip-editor {
+		background: #1e3a8a;
+		color: #93c5fd;
+		border-color: #1d4ed8;
+	}
+	.chip-viewer {
+		background: #1f2937;
+		color: #9ca3af;
+		border-color: #374151;
+	}
+</style>

dashboard/src/lib/api.ts

@@ -8,7 +8,9 @@
 import { goto } from '$app/navigation';
 import { base } from '$app/paths';
 import { browser } from '$app/environment';
-import { clearSession, getToken, setSession, type AdminUser } from './auth';
+import { clearSession, getToken, setSession, type InstanceRole } from './auth';
+
+export type { InstanceRole };
 
 export interface ScriptSandbox {
 	max_operations?: number;
@@ -42,6 +44,8 @@ export interface App {
 	updated_at: string;
 }
 
+export type AppRole = 'app_admin' | 'editor' | 'viewer';
+
 export type DomainShape = 'exact' | 'wildcard' | 'parameterized';
 
 export interface AppDomain {
@@ -62,6 +66,11 @@ export interface AppLookupResponse {
 	updated_at: string;
 	/// Present only when the requested slug was a retired redirect.
 	redirect_to?: string;
+	/// The caller's role on this app — owners are implicit `app_admin`,
+	/// admins implicit `editor`, members carry their `app_members.role`.
+	/// `null` only when a member somehow reaches the endpoint without
+	/// a membership (the server normally 403s first).
+	my_role: AppRole | null;
 }
 
 export interface SlugCheckResponse {
@@ -232,10 +241,42 @@ function safeJson(text: string): unknown {
 	}
 }
 
-export interface AdminUserRecord {
+export type Scope =
+	| 'script:read'
+	| 'script:write'
+	| 'route:write'
+	| 'domain:manage'
+	| 'log:read'
+	| 'app:admin'
+	| 'instance:admin';
+
+export const ALL_SCOPES: readonly Scope[] = [
+	'script:read',
+	'script:write',
+	'route:write',
+	'domain:manage',
+	'log:read',
+	'app:admin',
+	'instance:admin'
+] as const;
+
+export function isInstanceScope(s: Scope): boolean {
+	return s.startsWith('instance:');
+}
+
+export interface MeDto {
+	id: string;
+	username: string;
+	instance_role: InstanceRole;
+	email: string | null;
+}
+
+export interface AdminDto {
 	id: string;
 	username: string;
 	is_active: boolean;
+	instance_role: InstanceRole;
+	email: string | null;
 	created_at: string;
 	last_login_at: string | null;
 }
@@ -243,16 +284,57 @@ export interface AdminUserRecord {
 export interface CreateAdminInput {
 	username: string;
 	password: string;
+	instance_role?: InstanceRole;
+	email?: string | null;
 }
 
 export interface PatchAdminInput {
 	username?: string;
 	password?: string;
 	is_active?: boolean;
+	instance_role?: InstanceRole;
+	email?: string | null;
+}
+
+export interface AppMemberDto {
+	user_id: string;
+	username: string;
+	email: string | null;
+	instance_role: InstanceRole;
+	is_active: boolean;
+	role: AppRole;
+	created_at: string;
+}
+
+export interface GrantAppMemberInput {
+	user_id: string;
+	role: AppRole;
+}
+
+export interface ApiKeyDto {
+	id: string;
+	prefix: string;
+	name: string;
+	scopes: Scope[];
+	app_id: string | null;
+	expires_at: string | null;
+	last_used_at: string | null;
+	created_at: string;
+}
+
+export interface MintApiKeyInput {
+	name: string;
+	scopes: Scope[];
+	app_id?: string | null;
+	expires_at?: string | null;
+}
+
+export interface MintApiKeyResponse extends ApiKeyDto {
+	raw_token: string;
 }
 
 interface LoginResponse {
-	user: AdminUser;
+	user: MeDto;
 	token: string;
 	expires_at: string;
 }
@@ -263,7 +345,7 @@ export const api = {
 	version: () => adminRequest<VersionInfo>('/version'),
 
 	auth: {
-		login: async (username: string, password: string): Promise<AdminUser> => {
+		login: async (username: string, password: string): Promise<MeDto> => {
 			const r = await adminRequest<LoginResponse>('/api/v1/admin/auth/login', {
 				method: 'POST',
 				body: JSON.stringify({ username, password })
@@ -282,19 +364,19 @@ export const api = {
 				clearSession();
 			}
 		},
-		me: () => adminRequest<AdminUser>('/api/v1/admin/auth/me')
+		me: () => adminRequest<MeDto>('/api/v1/admin/auth/me')
 	},
 
 	admins: {
-		list: () => adminRequest<AdminUserRecord[]>('/api/v1/admin/admins'),
+		list: () => adminRequest<AdminDto[]>('/api/v1/admin/admins'),
-		get: (id: string) => adminRequest<AdminUserRecord>(`/api/v1/admin/admins/${id}`),
+		get: (id: string) => adminRequest<AdminDto>(`/api/v1/admin/admins/${id}`),
 		create: (input: CreateAdminInput) =>
-			adminRequest<AdminUserRecord>('/api/v1/admin/admins', {
+			adminRequest<AdminDto>('/api/v1/admin/admins', {
 				method: 'POST',
 				body: JSON.stringify(input)
 			}),
 		update: (id: string, input: PatchAdminInput) =>
-			adminRequest<AdminUserRecord>(`/api/v1/admin/admins/${id}`, {
+			adminRequest<AdminDto>(`/api/v1/admin/admins/${id}`, {
 				method: 'PATCH',
 				body: JSON.stringify(input)
 			}),
@@ -302,6 +384,17 @@ export const api = {
 			adminRequest<null>(`/api/v1/admin/admins/${id}`, { method: 'DELETE' })
 	},
 
+	apiKeys: {
+		list: () => adminRequest<ApiKeyDto[]>('/api/v1/admin/api-keys'),
+		mint: (input: MintApiKeyInput) =>
+			adminRequest<MintApiKeyResponse>('/api/v1/admin/api-keys', {
+				method: 'POST',
+				body: JSON.stringify(input)
+			}),
+		revoke: (id: string) =>
+			adminRequest<null>(`/api/v1/admin/api-keys/${id}`, { method: 'DELETE' })
+	},
+
 	routes: {
 		listForScript: (scriptId: string) =>
 			adminRequest<Route[]>(`/api/v1/admin/scripts/${scriptId}/routes`),
@@ -401,6 +494,28 @@ export const api = {
 			)
 	},
 
+	appMembers: {
+		list: (idOrSlug: string) =>
+			adminRequest<AppMemberDto[]>(
+				`/api/v1/admin/apps/${encodeURIComponent(idOrSlug)}/members`
+			),
+		add: (idOrSlug: string, input: GrantAppMemberInput) =>
+			adminRequest<AppMemberDto>(
+				`/api/v1/admin/apps/${encodeURIComponent(idOrSlug)}/members`,
+				{ method: 'POST', body: JSON.stringify(input) }
+			),
+		setRole: (idOrSlug: string, userId: string, role: AppRole) =>
+			adminRequest<AppMemberDto>(
+				`/api/v1/admin/apps/${encodeURIComponent(idOrSlug)}/members/${userId}`,
+				{ method: 'PATCH', body: JSON.stringify({ role }) }
+			),
+		remove: (idOrSlug: string, userId: string) =>
+			adminRequest<null>(
+				`/api/v1/admin/apps/${encodeURIComponent(idOrSlug)}/members/${userId}`,
+				{ method: 'DELETE' }
+			)
+	},
+
 	execute: async (
 		id: string,
 		body: unknown,

dashboard/src/lib/auth.ts

@@ -10,9 +10,13 @@
 import { writable, get } from 'svelte/store';
 import { browser } from '$app/environment';
 
+export type InstanceRole = 'owner' | 'admin' | 'member';
+
 export interface AdminUser {
 	id: string;
 	username: string;
+	instance_role: InstanceRole;
+	email: string | null;
 }
 
 const TOKEN_KEY = 'picloud.admin.token';

dashboard/src/lib/capabilities.test.ts

@@ -0,0 +1,60 @@
+import { describe, it, expect } from 'vitest';
+import type { AppRole, MeDto } from './api';
+import { canAdminApp, canCreateApp, canManageUsers, canWriteApp } from './capabilities';
+
+function me(role: MeDto['instance_role']): MeDto {
+	return { id: 'u', username: 'u', instance_role: role, email: null };
+}
+
+const ROLES: MeDto['instance_role'][] = ['owner', 'admin', 'member'];
+const APP_ROLES: (AppRole | null)[] = ['app_admin', 'editor', 'viewer', null];
+
+describe('capabilities', () => {
+	it('null caller is denied everything', () => {
+		expect(canCreateApp(null)).toBe(false);
+		expect(canManageUsers(null)).toBe(false);
+		expect(canWriteApp(null, 'app_admin')).toBe(false);
+		expect(canAdminApp(null, 'app_admin')).toBe(false);
+	});
+
+	it('canCreateApp + canManageUsers: owner/admin yes, member no', () => {
+		expect(canCreateApp(me('owner'))).toBe(true);
+		expect(canCreateApp(me('admin'))).toBe(true);
+		expect(canCreateApp(me('member'))).toBe(false);
+		expect(canManageUsers(me('owner'))).toBe(true);
+		expect(canManageUsers(me('admin'))).toBe(true);
+		expect(canManageUsers(me('member'))).toBe(false);
+	});
+
+	it('owner + admin can write and admin every app regardless of my_role', () => {
+		for (const role of ['owner', 'admin'] as const) {
+			for (const appRole of APP_ROLES) {
+				expect(canWriteApp(me(role), appRole)).toBe(true);
+				expect(canAdminApp(me(role), appRole)).toBe(true);
+			}
+		}
+	});
+
+	it('member: write requires app_admin or editor; admin requires app_admin', () => {
+		const m = me('member');
+		expect(canWriteApp(m, 'app_admin')).toBe(true);
+		expect(canWriteApp(m, 'editor')).toBe(true);
+		expect(canWriteApp(m, 'viewer')).toBe(false);
+		expect(canWriteApp(m, null)).toBe(false);
+
+		expect(canAdminApp(m, 'app_admin')).toBe(true);
+		expect(canAdminApp(m, 'editor')).toBe(false);
+		expect(canAdminApp(m, 'viewer')).toBe(false);
+		expect(canAdminApp(m, null)).toBe(false);
+	});
+
+	it('canAdminApp implies canWriteApp for every combination', () => {
+		for (const role of ROLES) {
+			for (const appRole of APP_ROLES) {
+				if (canAdminApp(me(role), appRole)) {
+					expect(canWriteApp(me(role), appRole)).toBe(true);
+				}
+			}
+		}
+	});
+});

dashboard/src/lib/capabilities.ts

@@ -0,0 +1,43 @@
+// Permission predicates the dashboard uses to shadow create / edit /
+// delete affordances. Mirrors the canonical role → capability rules in
+// crates/manager-core/src/authz.rs:
+//
+//   owner / admin instance role → implicit app_admin on every app
+//   app_admin                   → settings, domain claims, delete app, delete scripts
+//   editor                      → CRUD on scripts, routes, sandbox config (no script delete)
+//   viewer                      → read scripts + execution logs
+//   member with no membership   → no access
+//
+// These helpers are read-only and have no Svelte runes — callers pass
+// the current `MeDto` and (when relevant) the per-app `my_role` they
+// already hold. Hiding here never authorizes anything; the backend's
+// `require(Capability::…)` is always the ground truth.
+
+import type { AppRole, MeDto } from './api';
+
+/** Owner + admin only. Members never see "New app". */
+export function canCreateApp(me: MeDto | null): boolean {
+	if (!me) return false;
+	return me.instance_role === 'owner' || me.instance_role === 'admin';
+}
+
+/** Owner + admin only — the "Users" admin page is also gated this way. */
+export function canManageUsers(me: MeDto | null): boolean {
+	if (!me) return false;
+	return me.instance_role === 'owner' || me.instance_role === 'admin';
+}
+
+/** Can mutate scripts and routes (Save, +Add route, remove route). */
+export function canWriteApp(me: MeDto | null, appMyRole: AppRole | null): boolean {
+	if (!me) return false;
+	if (me.instance_role === 'owner' || me.instance_role === 'admin') return true;
+	return appMyRole === 'app_admin' || appMyRole === 'editor';
+}
+
+/** Can take app-admin actions: app settings, domain claims, delete
+ *  app, delete scripts, manage members. */
+export function canAdminApp(me: MeDto | null, appMyRole: AppRole | null): boolean {
+	if (!me) return false;
+	if (me.instance_role === 'owner' || me.instance_role === 'admin') return true;
+	return appMyRole === 'app_admin';
+}

dashboard/src/lib/password-gen.test.ts

@@ -0,0 +1,54 @@
+import { describe, it, expect } from 'vitest';
+import { generatePassword } from './password-gen';
+
+const CHARSET = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!#$%&*+-?@';
+
+describe('generatePassword', () => {
+	it('rejects lengths under 8', () => {
+		expect(() => generatePassword(7)).toThrowError(/at least 8/);
+	});
+
+	it('respects the requested length', () => {
+		for (const len of [8, 16, 32, 64]) {
+			expect(generatePassword(len)).toHaveLength(len);
+		}
+	});
+
+	it('uses only characters from the documented charset', () => {
+		const set = new Set(CHARSET);
+		for (let i = 0; i < 1000; i++) {
+			for (const c of generatePassword(32)) {
+				expect(set.has(c)).toBe(true);
+			}
+		}
+	});
+
+	// Rejection-sampling sanity. With N = 71 the expected count per
+	// char over 100k samples is ~1408 (σ ≈ 37). A 6σ band catches
+	// any byte-level bias (biased modulo would push the first 38
+	// chars by ~16 ppm — too small for this band to flag on its
+	// own, but a regression to `% N` over Uint16/Uint32 with a
+	// non-power-of-two charset would still produce visible drift in
+	// pathological codepaths). Mostly this guards against
+	// fundamental mistakes (off-by-one in the loop, returning the
+	// same byte stream every time, etc.).
+	it('distribution stays within a wide tolerance band', () => {
+		const samples = 100_000;
+		const counts = new Map<string, number>();
+		for (let i = 0; i < samples; i++) {
+			const c = generatePassword(8)[0];
+			counts.set(c, (counts.get(c) ?? 0) + 1);
+		}
+		const expected = samples / CHARSET.length;
+		const sigma = Math.sqrt(expected);
+		const band = 6 * sigma;
+		for (const c of CHARSET) {
+			const observed = counts.get(c) ?? 0;
+			const drift = Math.abs(observed - expected);
+			expect(
+				drift,
+				`char "${c}": observed ${observed}, expected ~${Math.round(expected)} (drift ${drift.toFixed(0)} > ${band.toFixed(0)})`
+			).toBeLessThan(band);
+		}
+	});
+});

dashboard/src/lib/password-gen.ts

@@ -0,0 +1,37 @@
+// Cryptographically random password generator for the user-create
+// and reset-password flows. PiCloud has no email yet, so the admin
+// invites a user by generating a password locally, posting it to the
+// backend, and copying the cleartext out of the one-time reveal panel
+// to share through whatever channel they trust.
+//
+// Charset is alphanumeric plus a small printable symbol set — enough
+// entropy at 16 chars (~95 bits) to be uncopyable by hand mistakes,
+// avoidant of characters that ship awkwardly through chat clients
+// (no quotes, slashes, or backticks).
+//
+// Sampling: rejection sampling against a Uint8 stream. The naive
+// `byte % CHARSET.length` would slightly overweight the first
+// (256 mod N) chars; with N = 71 that's ~16 ppm of bias which is
+// safe at 16 chars but easy to remove.
+
+const CHARSET = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!#$%&*+-?@';
+
+export function generatePassword(length = 16): string {
+	if (length < 8) {
+		throw new Error('password length must be at least 8');
+	}
+	const n = CHARSET.length;
+	// Largest multiple of `n` that fits in a Uint8 — bytes ≥ MAX get
+	// rejected to remove modulo bias.
+	const max = 256 - (256 % n);
+	const buf = new Uint8Array(length);
+	let out = '';
+	while (out.length < length) {
+		crypto.getRandomValues(buf);
+		for (let i = 0; i < buf.length && out.length < length; i++) {
+			const byte = buf[i];
+			if (byte < max) out += CHARSET[byte % n];
+		}
+	}
+	return out;
+}

dashboard/src/routes/+layout.svelte

@@ -5,6 +5,7 @@
 	import { page } from '$app/state';
 	import { api } from '$lib/api';
 	import { currentUser, getToken } from '$lib/auth';
+	import RoleChip from '$lib/RoleChip.svelte';
 
 	let { children } = $props();
 
@@ -46,12 +47,17 @@
 		<a href={base + '/'} class="brand">PiCloud</a>
 		<nav>
 			<a href={base + '/apps'}>Apps</a>
-			<a href={base + '/admins'}>Admins</a>
+			{#if user && user.instance_role !== 'member'}
+				<a href={base + '/users'}>Users</a>
+			{/if}
 		</nav>
 		<div class="spacer"></div>
 		{#if user}
 			<div class="usermenu">
+				<a href={base + '/profile'} class="profile-chip" title="View profile">
+					<RoleChip role={user.instance_role} size="sm" />
 					<span class="username">{user.username}</span>
+				</a>
 				<button type="button" class="logout" onclick={handleLogout}>Logout</button>
 			</div>
 		{/if}
@@ -121,6 +127,20 @@
 		font-size: 0.875rem;
 	}
 
+	.profile-chip {
+		display: inline-flex;
+		align-items: center;
+		gap: 0.4rem;
+		padding: 0.25rem 0.55rem;
+		border-radius: 0.375rem;
+		text-decoration: none;
+		border: 1px solid transparent;
+	}
+	.profile-chip:hover {
+		background: #1e293b;
+		border-color: #334155;
+	}
+
 	.username {
 		color: #cbd5e1;
 	}

dashboard/src/routes/admins/+page.svelte

@@ -1,687 +0,0 @@
-<script lang="ts">
-	import { goto } from '$app/navigation';
-	import { base } from '$app/paths';
-	import { onMount } from 'svelte';
-	import { api, ApiError, type AdminUserRecord } from '$lib/api';
-	import { currentUser } from '$lib/auth';
-
-	let admins = $state<AdminUserRecord[]>([]);
-	let loadError = $state<string | null>(null);
-	let banner = $state<{ kind: 'error' | 'info'; message: string } | null>(null);
-
-	const me = $derived($currentUser);
-
-	let createOpen = $state(false);
-	let createForm = $state({ username: '', password: '', confirm: '' });
-	let createPending = $state(false);
-	let createError = $state<string | null>(null);
-
-	let passwordTarget = $state<AdminUserRecord | null>(null);
-	let passwordForm = $state({ password: '', confirm: '' });
-	let passwordPending = $state(false);
-	let passwordError = $state<string | null>(null);
-
-	let deleteTarget = $state<AdminUserRecord | null>(null);
-	let deletePending = $state(false);
-
-	let actionsOpenFor = $state<string | null>(null);
-
-	onMount(refresh);
-
-	async function refresh() {
-		loadError = null;
-		try {
-			admins = await api.admins.list();
-		} catch (e) {
-			loadError = e instanceof ApiError ? e.message : 'failed to load admins';
-		}
-	}
-
-	function flash(kind: 'error' | 'info', message: string) {
-		banner = { kind, message };
-		setTimeout(() => {
-			if (banner?.message === message) banner = null;
-		}, 6000);
-	}
-
-	function openCreate() {
-		createForm = { username: '', password: '', confirm: '' };
-		createError = null;
-		createOpen = true;
-	}
-
-	async function submitCreate(event: SubmitEvent) {
-		event.preventDefault();
-		createError = null;
-		if (createForm.password !== createForm.confirm) {
-			createError = 'Passwords do not match';
-			return;
-		}
-		createPending = true;
-		try {
-			await api.admins.create({
-				username: createForm.username.trim(),
-				password: createForm.password
-			});
-			createOpen = false;
-			await refresh();
-			flash('info', `Created admin "${createForm.username.trim()}".`);
-		} catch (e) {
-			createError = e instanceof ApiError ? e.message : 'failed to create admin';
-		} finally {
-			createPending = false;
-		}
-	}
-
-	function openPassword(row: AdminUserRecord) {
-		passwordTarget = row;
-		passwordForm = { password: '', confirm: '' };
-		passwordError = null;
-		actionsOpenFor = null;
-	}
-
-	async function submitPassword(event: SubmitEvent) {
-		event.preventDefault();
-		if (!passwordTarget) return;
-		passwordError = null;
-		if (passwordForm.password !== passwordForm.confirm) {
-			passwordError = 'Passwords do not match';
-			return;
-		}
-		passwordPending = true;
-		try {
-			await api.admins.update(passwordTarget.id, { password: passwordForm.password });
-			const name = passwordTarget.username;
-			passwordTarget = null;
-			flash('info', `Password updated for "${name}".`);
-		} catch (e) {
-			passwordError = e instanceof ApiError ? e.message : 'failed to update password';
-		} finally {
-			passwordPending = false;
-		}
-	}
-
-	async function toggleActive(row: AdminUserRecord) {
-		actionsOpenFor = null;
-		try {
-			const updated = await api.admins.update(row.id, { is_active: !row.is_active });
-			admins = admins.map((a) => (a.id === updated.id ? updated : a));
-			flash('info', `${updated.username} ${updated.is_active ? 'reactivated' : 'deactivated'}.`);
-		} catch (e) {
-			flash('error', e instanceof ApiError ? e.message : 'failed to update admin');
-		}
-	}
-
-	function openDelete(row: AdminUserRecord) {
-		deleteTarget = row;
-		actionsOpenFor = null;
-	}
-
-	async function confirmDelete() {
-		if (!deleteTarget) return;
-		deletePending = true;
-		const target = deleteTarget;
-		try {
-			await api.admins.remove(target.id);
-			deleteTarget = null;
-			if (me && me.id === target.id) {
-				// Just deleted ourselves — sign out and bounce.
-				await api.auth.logout();
-				await goto(`${base}/login`);
-				return;
-			}
-			await refresh();
-			flash('info', `Deleted "${target.username}".`);
-		} catch (e) {
-			flash('error', e instanceof ApiError ? e.message : 'failed to delete admin');
-		} finally {
-			deletePending = false;
-		}
-	}
-
-	function toggleActions(id: string) {
-		actionsOpenFor = actionsOpenFor === id ? null : id;
-	}
-
-	function relative(iso: string | null): string {
-		if (!iso) return 'Never';
-		const then = new Date(iso).getTime();
-		const now = Date.now();
-		const sec = Math.round((now - then) / 1000);
-		if (sec < 60) return `${sec} second${sec === 1 ? '' : 's'} ago`;
-		const min = Math.round(sec / 60);
-		if (min < 60) return `${min} minute${min === 1 ? '' : 's'} ago`;
-		const hr = Math.round(min / 60);
-		if (hr < 24) return `${hr} hour${hr === 1 ? '' : 's'} ago`;
-		const day = Math.round(hr / 24);
-		if (day === 1) return 'Yesterday';
-		if (day < 7) return `${day} days ago`;
-		return new Date(iso).toLocaleDateString();
-	}
-
-	function absolute(iso: string | null): string {
-		return iso ? new Date(iso).toISOString() : '';
-	}
-
-	function shortDate(iso: string): string {
-		return new Date(iso).toISOString().slice(0, 10);
-	}
-</script>
-
-<header class="head">
-	<h1>Admin Users</h1>
-	<button type="button" class="primary" onclick={openCreate}>+ New admin user</button>
-</header>
-
-{#if banner}
-	<div class="banner banner-{banner.kind}">{banner.message}</div>
-{/if}
-
-{#if loadError}
-	<div class="error">
-		{loadError}
-		<button type="button" class="retry" onclick={refresh}>Retry</button>
-	</div>
-{:else if admins.length === 0}
-	<p class="empty">No admin users yet. Add one to get started.</p>
-{:else}
-	<div class="table">
-		<div class="row head-row">
-			<div>Username</div>
-			<div>Status</div>
-			<div>Created</div>
-			<div>Last login</div>
-			<div class="actions-col"></div>
-		</div>
-		{#each admins as row (row.id)}
-			<div class="row">
-				<div class="username-cell">
-					<span class="name">{row.username}</span>
-					{#if me && me.id === row.id}
-						<span class="you-tag">(you)</span>
-					{/if}
-				</div>
-				<div>
-					{#if row.is_active}
-						<span class="status status-active">● Active</span>
-					{:else}
-						<span class="status status-inactive">○ Inactive</span>
-					{/if}
-				</div>
-				<div>{shortDate(row.created_at)}</div>
-				<div title={absolute(row.last_login_at)}>{relative(row.last_login_at)}</div>
-				<div class="actions-col">
-					<button
-						type="button"
-						class="kebab"
-						aria-label="Actions for {row.username}"
-						onclick={() => toggleActions(row.id)}
-					>
-						⋮
-					</button>
-					{#if actionsOpenFor === row.id}
-						<div class="menu">
-							<button type="button" onclick={() => openPassword(row)}>Change password</button>
-							<button type="button" onclick={() => toggleActive(row)}>
-								{row.is_active ? 'Deactivate' : 'Reactivate'}
-							</button>
-							<button type="button" class="danger" onclick={() => openDelete(row)}>Delete</button>
-						</div>
-					{/if}
-				</div>
-			</div>
-		{/each}
-	</div>
-{/if}
-
-<!-- New admin modal -->
-{#if createOpen}
-	<div
-		class="modal-backdrop"
-		role="presentation"
-		onclick={(e) => {
-			if (e.target === e.currentTarget) createOpen = false;
-		}}
-	>
-		<form class="modal" onsubmit={submitCreate}>
-			<div class="modal-head">
-				<h2>New admin user</h2>
-				<button
-					type="button"
-					class="x"
-					aria-label="Close"
-					onclick={() => (createOpen = false)}>✕</button
-				>
-			</div>
-			<label>
-				<span>Username</span>
-				<input
-					type="text"
-					autocomplete="off"
-					spellcheck="false"
-					bind:value={createForm.username}
-					required
-				/>
-				<small>Lowercase letters, digits, . _ -</small>
-			</label>
-			<label>
-				<span>Password</span>
-				<input
-					type="password"
-					autocomplete="new-password"
-					bind:value={createForm.password}
-					required
-				/>
-				<small>Minimum 8 characters</small>
-			</label>
-			<label>
-				<span>Confirm password</span>
-				<input
-					type="password"
-					autocomplete="new-password"
-					bind:value={createForm.confirm}
-					required
-				/>
-			</label>
-			{#if createError}
-				<div class="error">{createError}</div>
-			{/if}
-			<div class="modal-actions">
-				<button type="button" class="ghost" onclick={() => (createOpen = false)}>Cancel</button>
-				<button type="submit" class="primary" disabled={createPending}>
-					{createPending ? 'Creating…' : 'Create user'}
-				</button>
-			</div>
-		</form>
-	</div>
-{/if}
-
-<!-- Change password modal -->
-{#if passwordTarget}
-	<div
-		class="modal-backdrop"
-		role="presentation"
-		onclick={(e) => {
-			if (e.target === e.currentTarget) passwordTarget = null;
-		}}
-	>
-		<form class="modal" onsubmit={submitPassword}>
-			<div class="modal-head">
-				<h2>Change password — {passwordTarget.username}</h2>
-				<button type="button" class="x" aria-label="Close" onclick={() => (passwordTarget = null)}
-					>✕</button
-				>
-			</div>
-			<label>
-				<span>New password</span>
-				<input
-					type="password"
-					autocomplete="new-password"
-					bind:value={passwordForm.password}
-					required
-				/>
-			</label>
-			<label>
-				<span>Confirm password</span>
-				<input
-					type="password"
-					autocomplete="new-password"
-					bind:value={passwordForm.confirm}
-					required
-				/>
-			</label>
-			{#if passwordError}
-				<div class="error">{passwordError}</div>
-			{/if}
-			<div class="modal-actions">
-				<button type="button" class="ghost" onclick={() => (passwordTarget = null)}>Cancel</button>
-				<button type="submit" class="primary" disabled={passwordPending}>
-					{passwordPending ? 'Updating…' : 'Update'}
-				</button>
-			</div>
-		</form>
-	</div>
-{/if}
-
-<!-- Delete confirmation modal -->
-{#if deleteTarget}
-	<div
-		class="modal-backdrop"
-		role="presentation"
-		onclick={(e) => {
-			if (e.target === e.currentTarget) deleteTarget = null;
-		}}
-	>
-		<div class="modal">
-			<div class="modal-head">
-				<h2>Delete {deleteTarget.username}?</h2>
-				<button type="button" class="x" aria-label="Close" onclick={() => (deleteTarget = null)}
-					>✕</button
-				>
-			</div>
-			{#if me && me.id === deleteTarget.id}
-				<p>
-					You are about to delete <strong>your own</strong> account. You will be signed out immediately
-					and will not be able to sign back in with these credentials.
-				</p>
-			{:else}
-				<p>
-					This permanently removes <strong>{deleteTarget.username}</strong> and all their sessions.
-					This cannot be undone.
-				</p>
-			{/if}
-			<div class="modal-actions">
-				<button type="button" class="ghost" onclick={() => (deleteTarget = null)}>Cancel</button>
-				<button type="button" class="danger" disabled={deletePending} onclick={confirmDelete}>
-					{deletePending ? 'Deleting…' : 'Delete'}
-				</button>
-			</div>
-		</div>
-	</div>
-{/if}
-
-<style>
-	.head {
-		display: flex;
-		align-items: center;
-		justify-content: space-between;
-		margin-bottom: 1.5rem;
-	}
-
-	h1 {
-		font-size: 1.25rem;
-		margin: 0;
-		color: #e2e8f0;
-	}
-
-	.banner {
-		padding: 0.5rem 0.75rem;
-		border-radius: 0.375rem;
-		margin-bottom: 1rem;
-		font-size: 0.85rem;
-	}
-	.banner-error {
-		background: #450a0a;
-		border: 1px solid #b91c1c;
-		color: #fecaca;
-	}
-	.banner-info {
-		background: #0c2a36;
-		border: 1px solid #155e75;
-		color: #a5f3fc;
-	}
-
-	.empty {
-		color: #64748b;
-		text-align: center;
-		padding: 3rem 0;
-		border: 1px dashed #1e293b;
-		border-radius: 0.5rem;
-	}
-
-	.table {
-		display: flex;
-		flex-direction: column;
-		border: 1px solid #1e293b;
-		border-radius: 0.5rem;
-		overflow: visible;
-		background: #0b1220;
-	}
-
-	.row {
-		display: grid;
-		grid-template-columns: 1.5fr 0.9fr 1fr 1.2fr 3rem;
-		align-items: center;
-		gap: 1rem;
-		padding: 0.75rem 1rem;
-		border-bottom: 1px solid #1e293b;
-		font-size: 0.9rem;
-	}
-
-	.row:last-child {
-		border-bottom: none;
-	}
-
-	.head-row {
-		color: #94a3b8;
-		font-size: 0.75rem;
-		text-transform: uppercase;
-		letter-spacing: 0.05em;
-		background: #0f172a;
-	}
-
-	.username-cell {
-		display: flex;
-		align-items: baseline;
-		gap: 0.5rem;
-	}
-
-	.name {
-		color: #e2e8f0;
-		font-weight: 500;
-	}
-
-	.you-tag {
-		color: #64748b;
-		font-size: 0.75rem;
-	}
-
-	.status {
-		font-size: 0.8rem;
-	}
-	.status-active {
-		color: #34d399;
-	}
-	.status-inactive {
-		color: #64748b;
-	}
-
-	.actions-col {
-		position: relative;
-		display: flex;
-		justify-content: flex-end;
-	}
-
-	.kebab {
-		background: transparent;
-		border: none;
-		color: #94a3b8;
-		font-size: 1.25rem;
-		cursor: pointer;
-		padding: 0 0.5rem;
-		border-radius: 0.25rem;
-	}
-	.kebab:hover {
-		background: #1e293b;
-		color: #e2e8f0;
-	}
-
-	.menu {
-		position: absolute;
-		top: 100%;
-		right: 0;
-		background: #0b1220;
-		border: 1px solid #1e293b;
-		border-radius: 0.375rem;
-		display: flex;
-		flex-direction: column;
-		min-width: 12rem;
-		z-index: 10;
-		box-shadow: 0 6px 16px rgba(0, 0, 0, 0.4);
-	}
-
-	.menu button {
-		background: transparent;
-		border: none;
-		color: #cbd5e1;
-		text-align: left;
-		padding: 0.5rem 0.75rem;
-		cursor: pointer;
-		font-size: 0.85rem;
-	}
-	.menu button:hover {
-		background: #1e293b;
-		color: #e2e8f0;
-	}
-	.menu button.danger {
-		color: #fca5a5;
-	}
-	.menu button.danger:hover {
-		background: #450a0a;
-		color: #fecaca;
-	}
-
-	.error {
-		background: #450a0a;
-		border: 1px solid #b91c1c;
-		color: #fecaca;
-		padding: 0.5rem 0.75rem;
-		border-radius: 0.375rem;
-		font-size: 0.85rem;
-		display: flex;
-		align-items: center;
-		justify-content: space-between;
-		gap: 1rem;
-	}
-
-	.retry {
-		background: transparent;
-		border: 1px solid #b91c1c;
-		color: #fecaca;
-		padding: 0.25rem 0.6rem;
-		border-radius: 0.25rem;
-		cursor: pointer;
-		font-size: 0.75rem;
-	}
-
-	button.primary {
-		background: #38bdf8;
-		color: #0b1220;
-		border: none;
-		padding: 0.55rem 0.9rem;
-		border-radius: 0.375rem;
-		font-weight: 600;
-		cursor: pointer;
-		font-size: 0.875rem;
-	}
-	button.primary:disabled {
-		opacity: 0.6;
-		cursor: not-allowed;
-	}
-
-	button.ghost {
-		background: transparent;
-		color: #94a3b8;
-		border: 1px solid #334155;
-		padding: 0.5rem 0.9rem;
-		border-radius: 0.375rem;
-		cursor: pointer;
-		font-size: 0.875rem;
-	}
-	button.ghost:hover {
-		background: #1e293b;
-		color: #e2e8f0;
-	}
-
-	button.danger {
-		background: #b91c1c;
-		color: #fef2f2;
-		border: none;
-		padding: 0.55rem 0.9rem;
-		border-radius: 0.375rem;
-		cursor: pointer;
-		font-weight: 600;
-		font-size: 0.875rem;
-	}
-	button.danger:disabled {
-		opacity: 0.6;
-		cursor: not-allowed;
-	}
-
-	.modal-backdrop {
-		position: fixed;
-		inset: 0;
-		background: rgba(15, 23, 42, 0.7);
-		display: flex;
-		justify-content: center;
-		align-items: center;
-		z-index: 50;
-	}
-
-	.modal {
-		background: #0b1220;
-		border: 1px solid #1e293b;
-		border-radius: 0.5rem;
-		padding: 1.5rem;
-		min-width: 24rem;
-		max-width: 28rem;
-		display: flex;
-		flex-direction: column;
-		gap: 1rem;
-		box-shadow: 0 12px 32px rgba(0, 0, 0, 0.5);
-	}
-
-	.modal-head {
-		display: flex;
-		align-items: center;
-		justify-content: space-between;
-	}
-
-	.modal h2 {
-		margin: 0;
-		font-size: 1rem;
-		color: #e2e8f0;
-	}
-
-	.x {
-		background: transparent;
-		border: none;
-		color: #64748b;
-		font-size: 1.1rem;
-		cursor: pointer;
-	}
-	.x:hover {
-		color: #e2e8f0;
-	}
-
-	.modal label {
-		display: flex;
-		flex-direction: column;
-		gap: 0.4rem;
-		font-size: 0.85rem;
-		color: #cbd5e1;
-	}
-
-	.modal label small {
-		color: #64748b;
-		font-size: 0.75rem;
-	}
-
-	.modal input {
-		background: #0f172a;
-		color: #e2e8f0;
-		border: 1px solid #1e293b;
-		border-radius: 0.375rem;
-		padding: 0.55rem 0.75rem;
-		font-size: 0.9rem;
-		box-sizing: border-box;
-	}
-	.modal input:focus {
-		outline: none;
-		border-color: #38bdf8;
-	}
-
-	.modal-actions {
-		display: flex;
-		justify-content: flex-end;
-		gap: 0.75rem;
-		margin-top: 0.5rem;
-	}
-
-	p {
-		color: #cbd5e1;
-		font-size: 0.9rem;
-		margin: 0;
-		line-height: 1.5;
-	}
-</style>

dashboard/src/routes/apps/+page.svelte

@@ -2,6 +2,11 @@
 	import { base } from '$app/paths';
 	import { api, ApiError, type App } from '$lib/api';
 	import { slugify, SLUG_MAX } from '$lib/slugify';
+	import { canCreateApp } from '$lib/capabilities';
+	import { currentUser } from '$lib/auth';
+
+	const me = $derived($currentUser);
+	const canCreate = $derived(canCreateApp(me));
 
 	let apps = $state<App[] | null>(null);
 	let listError = $state<string | null>(null);
@@ -99,6 +104,7 @@
 <section>
 	<header class="page-header">
 		<h1>Apps</h1>
+		{#if canCreate}
 			<button
 				type="button"
 				onclick={() => {
@@ -108,9 +114,10 @@
 			>
 				{showCreate ? 'Cancel' : 'New app'}
 			</button>
+		{/if}
 	</header>
 
-	{#if showCreate}
+	{#if showCreate && canCreate}
 		<form class="create-form" onsubmit={(e) => submitCreate(e)}>
 			<div class="row">
 				<label>

dashboard/src/routes/apps/[slug]/+page.svelte

@@ -5,26 +5,44 @@
 	import {
 		api,
 		ApiError,
+		type AdminDto,
 		type App,
 		type AppDomain,
+		type AppMemberDto,
+		type AppRole,
 		type Script
 	} from '$lib/api';
 	import CodeEditor from '$lib/CodeEditor.svelte';
 	import ConfirmModal from '$lib/ConfirmModal.svelte';
+	import ActionMenu from '$lib/ActionMenu.svelte';
+	import RoleChip from '$lib/RoleChip.svelte';
+	import { currentUser } from '$lib/auth';
+	import { canAdminApp, canWriteApp } from '$lib/capabilities';
+
+	const me = $derived($currentUser);
 
 	const SAMPLE_SOURCE =
 		'#{\n  statusCode: 200,\n  body: #{ ok: true, echo: ctx.request.body }\n}';
 
-	type Tab = 'scripts' | 'domains' | 'settings';
+	type Tab = 'scripts' | 'domains' | 'members' | 'settings';
 
 	let slug = $derived(page.params.slug ?? '');
 	let app = $state<App | null>(null);
+	let myRole = $state<AppRole | null>(null);
 	let loadError = $state<string | null>(null);
 	let loading = $state(true);
 	let activeTab = $state<Tab>('scripts');
 
 	let scripts = $state<Script[]>([]);
 	let domains = $state<AppDomain[]>([]);
+	let members = $state<AppMemberDto[]>([]);
+
+	// Derive UI gates from the capabilities helper so the rules stay
+	// in lockstep with the backend's `can()`. canAdminApp also covers
+	// the Members + Settings + Domains-mutation tabs; canWriteApp
+	// covers New script.
+	const canWrite = $derived(canWriteApp(me, myRole));
+	const canAdmin = $derived(canAdminApp(me, myRole));
 
 	// Script create
 	let showCreateScript = $state(false);
@@ -55,6 +73,19 @@
 	let removingDomain = $state(false);
 	let removeDomainError = $state<string | null>(null);
 
+	// Members tab
+	let eligibleUsers = $state<AdminDto[]>([]);
+	let eligibleLoadError = $state<string | null>(null);
+	let addMemberUserId = $state('');
+	let addMemberRole = $state<AppRole>('viewer');
+	let addingMember = $state(false);
+	let addMemberError = $state<string | null>(null);
+	let memberToRemove = $state<AppMemberDto | null>(null);
+	let removingMember = $state(false);
+	let removeMemberError = $state<string | null>(null);
+	let roleChangeBusy = $state<string | null>(null);
+	let memberActionError = $state<string | null>(null);
+
 	async function loadApp() {
 		loading = true;
 		loadError = null;
@@ -72,10 +103,15 @@
 				created_at: fetched.created_at,
 				updated_at: fetched.updated_at
 			};
+			myRole = fetched.my_role;
 			editName = app.name;
 			editDescription = app.description ?? '';
 			editSlug = app.slug;
-			await Promise.all([loadScripts(app.id), loadDomains(app.id)]);
+			const loaders: Promise<unknown>[] = [loadScripts(app.id), loadDomains(app.id)];
+			if (canAdmin) {
+				loaders.push(loadMembers(app.id), loadEligibleUsers());
+			}
+			await Promise.all(loaders);
 		} catch (e) {
 			loadError = e instanceof Error ? e.message : String(e);
 		} finally {
@@ -101,6 +137,42 @@
 		}
 	}
 
+	async function loadMembers(appId: string) {
+		try {
+			members = await api.appMembers.list(appId);
+		} catch (e) {
+			members = [];
+			memberActionError = e instanceof Error ? e.message : String(e);
+		}
+	}
+
+	async function loadEligibleUsers() {
+		eligibleLoadError = null;
+		try {
+			const all = await api.admins.list();
+			// Only inactive=false members are valid invite targets — the
+			// API rejects everyone else anyway, so filter upfront.
+			eligibleUsers = all.filter(
+				(u) => u.is_active && u.instance_role === 'member'
+			);
+		} catch (e) {
+			eligibleUsers = [];
+			// member-with-app_admin can hit /apps/.../members but cannot
+			// browse /admins (gated on InstanceManageUsers). The add form
+			// will render disabled with the explanatory message below.
+			eligibleLoadError =
+				e instanceof ApiError && e.status === 403
+					? 'Only instance owners/admins can browse the user directory to invite new members.'
+					: e instanceof Error
+						? e.message
+						: String(e);
+		}
+	}
+
+	const eligibleAfterFilter = $derived(
+		eligibleUsers.filter((u) => !members.some((m) => m.user_id === u.id))
+	);
+
 	async function submitCreateScript(event: Event) {
 		event.preventDefault();
 		if (!app) return;
@@ -201,6 +273,76 @@
 		}
 	}
 
+	async function submitAddMember(event: Event) {
+		event.preventDefault();
+		if (!app || !addMemberUserId) return;
+		addingMember = true;
+		addMemberError = null;
+		try {
+			await api.appMembers.add(app.id, {
+				user_id: addMemberUserId,
+				role: addMemberRole
+			});
+			addMemberUserId = '';
+			addMemberRole = 'viewer';
+			await loadMembers(app.id);
+		} catch (e) {
+			addMemberError = e instanceof Error ? e.message : String(e);
+		} finally {
+			addingMember = false;
+		}
+	}
+
+	async function changeMemberRole(member: AppMemberDto, role: AppRole) {
+		if (!app || member.role === role) return;
+		roleChangeBusy = member.user_id;
+		memberActionError = null;
+		try {
+			await api.appMembers.setRole(app.id, member.user_id, role);
+			await loadMembers(app.id);
+		} catch (e) {
+			memberActionError = e instanceof Error ? e.message : String(e);
+		} finally {
+			roleChangeBusy = null;
+		}
+	}
+
+	function askRemoveMember(member: AppMemberDto) {
+		removeMemberError = null;
+		memberToRemove = member;
+	}
+
+	async function confirmRemoveMember() {
+		if (!app || !memberToRemove) return;
+		removingMember = true;
+		removeMemberError = null;
+		try {
+			const removedSelf = !!me && memberToRemove.user_id === me.id;
+			await api.appMembers.remove(app.id, memberToRemove.user_id);
+			memberToRemove = null;
+			if (removedSelf) {
+				// We just revoked our own access to this app; the next
+				// fetch of /apps/{slug} would 403. Bounce back to the
+				// apps list rather than render a broken tab.
+				await goto(`${base}/apps`);
+				return;
+			}
+			await loadMembers(app.id);
+		} catch (e) {
+			removeMemberError = e instanceof Error ? e.message : String(e);
+		} finally {
+			removingMember = false;
+		}
+	}
+
+	function shortDate(iso: string): string {
+		try {
+			return new Date(iso).toLocaleDateString();
+		} catch {
+			return iso;
+		}
+	}
+
 	function askDeleteApp() {
 		deleteAppError = null;
 		confirmingDeleteApp = true;
@@ -226,6 +368,16 @@
 	$effect(() => {
 		void loadApp();
 	});
+
+	// Defense-in-depth: a viewer / editor following a stale link to
+	// the Settings or Members tab gets bounced back to Scripts. The
+	// backend still 403s the underlying calls, but no point showing an
+	// empty tab.
+	$effect(() => {
+		if (!canAdmin && (activeTab === 'settings' || activeTab === 'members')) {
+			activeTab = 'scripts';
+		}
+	});
 </script>
 
 {#if loading && !app}
@@ -258,26 +410,35 @@
 			class:active={activeTab === 'domains'}
 			onclick={() => (activeTab = 'domains')}>Domains ({domains.length})</button
 		>
+		{#if canAdmin}
+			<button
+				type="button"
+				class:active={activeTab === 'members'}
+				onclick={() => (activeTab = 'members')}>Members ({members.length})</button
+			>
 			<button
 				type="button"
 				class:active={activeTab === 'settings'}
 				onclick={() => (activeTab = 'settings')}>Settings</button
 			>
+		{/if}
 	</nav>
 
 	{#if activeTab === 'scripts'}
 		<section>
 			<div class="row">
 				<h2>Scripts</h2>
+				{#if canWrite}
 					<button
 						type="button"
 						onclick={() => (showCreateScript = !showCreateScript)}
 					>
 						{showCreateScript ? 'Cancel' : 'New script'}
 					</button>
+				{/if}
 			</div>
 
-			{#if showCreateScript}
+			{#if showCreateScript && canWrite}
 				<form class="create-form" onsubmit={submitCreateScript}>
 					<div class="row">
 						<label>
@@ -330,6 +491,7 @@
 				these. Use <code>app.example.com</code> for exact, <code>*.example.com</code> for
 				wildcard, or <code>{'{'}tenant{'}'}.example.com</code> to bind a capture.
 			</p>
+			{#if canAdmin}
 				<form class="create-form inline" onsubmit={submitCreateDomain}>
 					<input
 						bind:value={createDomainPattern}
@@ -343,6 +505,7 @@
 				{#if createDomainError}
 					<div class="error">{createDomainError}</div>
 				{/if}
+			{/if}
 			{#if domains.length === 0}
 				<p class="muted">No domain claims yet.</p>
 			{:else}
@@ -353,6 +516,7 @@
 								<code>{d.pattern}</code>
 								<span class="muted">— {d.shape}</span>
 							</div>
+							{#if canAdmin}
 								<button
 									type="button"
 									class="secondary danger"
@@ -360,12 +524,128 @@
 								>
 									Delete
 								</button>
+							{/if}
 						</li>
 					{/each}
 				</ul>
 			{/if}
 		</section>
-	{:else if activeTab === 'settings'}
+	{:else if activeTab === 'members' && canAdmin}
+		<section>
+			<h2>Members</h2>
+			<p class="muted">
+				Users with explicit access to this app. Instance owners and admins
+				already have implicit access — they are not listed here. Use the Users
+				page to invite a <code>member</code> first, then grant them app access
+				below.
+			</p>
+
+			<form class="create-form" onsubmit={submitAddMember}>
+				<div class="row">
+					<label class="grow">
+						<span>User</span>
+						<select
+							bind:value={addMemberUserId}
+							disabled={!!eligibleLoadError || eligibleAfterFilter.length === 0}
+							required
+						>
+							<option value="" disabled>Pick a member to invite…</option>
+							{#each eligibleAfterFilter as u (u.id)}
+								<option value={u.id}>{u.username}{u.email ? ` (${u.email})` : ''}</option>
+							{/each}
+						</select>
+					</label>
+					<label>
+						<span>Role</span>
+						<select bind:value={addMemberRole} disabled={!!eligibleLoadError}>
+							<option value="viewer">viewer</option>
+							<option value="editor">editor</option>
+							<option value="app_admin">app admin</option>
+						</select>
+					</label>
+				</div>
+				{#if eligibleLoadError}
+					<p class="muted">{eligibleLoadError}</p>
+				{:else if eligibleAfterFilter.length === 0}
+					<p class="muted">
+						No eligible users to invite. Create a <code>member</code> on the Users
+						page first.
+					</p>
+				{/if}
+				{#if addMemberError}
+					<div class="error">{addMemberError}</div>
+				{/if}
+				<div class="actions">
+					<button
+						type="submit"
+						disabled={addingMember || !addMemberUserId || !!eligibleLoadError}
+					>
+						{addingMember ? 'Adding…' : 'Add member'}
+					</button>
+				</div>
+			</form>
+
+			{#if memberActionError}
+				<div class="error">{memberActionError}</div>
+			{/if}
+
+			{#if members.length === 0}
+				<p class="muted">No explicit members yet.</p>
+			{:else}
+				<div class="table">
+					<div class="row head-row">
+						<div>User</div>
+						<div>Instance</div>
+						<div>App role</div>
+						<div>Joined</div>
+						<div class="actions-col"></div>
+					</div>
+					{#each members as m (m.user_id)}
+						<div class="row member-row" class:inactive={!m.is_active}>
+							<div>
+								<strong>{m.username}</strong>
+								{#if m.email}<span class="muted">{m.email}</span>{/if}
+								{#if !m.is_active}<span class="muted">(inactive)</span>{/if}
+							</div>
+							<div><RoleChip role={m.instance_role} size="sm" /></div>
+							<div><RoleChip appRole={m.role} size="sm" /></div>
+							<div>{shortDate(m.created_at)}</div>
+							<div class="actions-col">
+								<ActionMenu
+									label="Member actions for {m.username}"
+									items={[
+										{
+											label: 'Make app admin',
+											disabled:
+												m.role === 'app_admin' || roleChangeBusy === m.user_id,
+											onClick: () => changeMemberRole(m, 'app_admin')
+										},
+										{
+											label: 'Make editor',
+											disabled:
+												m.role === 'editor' || roleChangeBusy === m.user_id,
+											onClick: () => changeMemberRole(m, 'editor')
+										},
+										{
+											label: 'Make viewer',
+											disabled:
+												m.role === 'viewer' || roleChangeBusy === m.user_id,
+											onClick: () => changeMemberRole(m, 'viewer')
+										},
+										{
+											label: 'Remove from app',
+											danger: true,
+											onClick: () => askRemoveMember(m)
+										}
+									]}
+								/>
+							</div>
+						</div>
+					{/each}
+				</div>
+			{/if}
+		</section>
+	{:else if activeTab === 'settings' && canAdmin}
 		<section>
 			<h2>Settings</h2>
 			<form class="create-form" onsubmit={(e) => saveSettings(e)}>
@@ -502,6 +782,26 @@
 			{/if}
 		</ConfirmModal>
 	{/if}
+
+	{#if memberToRemove}
+		<ConfirmModal
+			title="Remove {memberToRemove.username} from {app.name}"
+			variant="danger"
+			confirmLabel="Remove member"
+			busyLabel="Removing…"
+			busy={removingMember}
+			onConfirm={confirmRemoveMember}
+			onCancel={() => (memberToRemove = null)}
+		>
+			<p>
+				<strong>{memberToRemove.username}</strong> will lose access to this
+				app. Their other app memberships and account are untouched.
+			</p>
+			{#if removeMemberError}
+				<p class="modal-error">{removeMemberError}</p>
+			{/if}
+		</ConfirmModal>
+	{/if}
 {/if}
 
 <style>
@@ -744,4 +1044,60 @@
 		border-radius: 0.5rem;
 		background: #1e0a0a;
 	}
+
+	.create-form select {
+		background: #0b1220;
+		color: #e2e8f0;
+		border: 1px solid #334155;
+		border-radius: 0.375rem;
+		padding: 0.5rem 0.75rem;
+		font: inherit;
+	}
+
+	.create-form .row > label.grow {
+		grid-column: span 2;
+	}
+
+	.table {
+		display: flex;
+		flex-direction: column;
+		gap: 0.25rem;
+	}
+
+	.table .row {
+		display: grid;
+		grid-template-columns: 2fr 1fr 1fr 1fr 3rem;
+		gap: 0.75rem;
+		padding: 0.85rem 1rem;
+		background: #1e293b;
+		border-radius: 0.375rem;
+		align-items: center;
+		margin: 0;
+	}
+
+	.table .head-row {
+		background: transparent;
+		padding: 0.25rem 1rem;
+		color: #64748b;
+		font-size: 0.75rem;
+		text-transform: uppercase;
+		letter-spacing: 0.05em;
+	}
+
+	.table .member-row.inactive {
+		opacity: 0.55;
+	}
+
+	.table .member-row strong {
+		margin-right: 0.4rem;
+	}
+
+	.table .member-row .muted {
+		font-size: 0.8rem;
+	}
+
+	.table .actions-col {
+		display: flex;
+		justify-content: flex-end;
+	}
 </style>

dashboard/src/routes/profile/+page.svelte

@@ -0,0 +1,760 @@
+<!--
+  /admin/profile — every authenticated principal lands here for their
+  own identity + API-key management. No role gating: a member can mint
+  keys for the apps they belong to just like an admin can. Users-admin
+  actions live under /admin/users.
+-->
+<script lang="ts">
+	import { onMount } from 'svelte';
+	import { page } from '$app/state';
+	import {
+		api,
+		ApiError,
+		ALL_SCOPES,
+		isInstanceScope,
+		type ApiKeyDto,
+		type App,
+		type MintApiKeyResponse,
+		type Scope
+	} from '$lib/api';
+	import { currentUser } from '$lib/auth';
+	import RoleChip from '$lib/RoleChip.svelte';
+	import ConfirmModal from '$lib/ConfirmModal.svelte';
+
+	const me = $derived($currentUser);
+
+	let keys = $state<ApiKeyDto[]>([]);
+	let apps = $state<App[]>([]);
+	let appBySlug = $derived(new Map(apps.map((a) => [a.id, a])));
+	let loadError = $state<string | null>(null);
+	let banner = $state<{ kind: 'error' | 'info'; message: string } | null>(null);
+
+	// Surface the cross-page "access denied" notice when /users bounces
+	// a member back here. One-shot — clears as soon as the user
+	// navigates away or dismisses.
+	const deniedFromUsers = $derived(page.url.searchParams.get('denied') === 'users');
+
+	let mintOpen = $state(false);
+	let mintForm = $state<{
+		name: string;
+		scopes: Set<Scope>;
+		app_id: string | '';
+		expires_at: string;
+	}>({ name: '', scopes: new Set(), app_id: '', expires_at: '' });
+	let mintPending = $state(false);
+	let mintError = $state<string | null>(null);
+
+	let reveal = $state<MintApiKeyResponse | null>(null);
+	let revealAck = $state(false);
+	let copyState = $state<'idle' | 'copied'>('idle');
+
+	let revokeTarget = $state<ApiKeyDto | null>(null);
+	let revokePending = $state(false);
+
+	const NAME_MAX = 64;
+	const scopeIsInstance = (s: Scope) => isInstanceScope(s);
+	const boundToApp = $derived(mintForm.app_id !== '');
+
+	const canSubmit = $derived(
+		mintForm.name.trim().length > 0 &&
+			mintForm.name.trim().length <= NAME_MAX &&
+			mintForm.scopes.size > 0 &&
+			!mintPending
+	);
+
+	onMount(async () => {
+		await Promise.all([refreshKeys(), loadApps()]);
+	});
+
+	async function refreshKeys() {
+		try {
+			keys = await api.apiKeys.list();
+			loadError = null;
+		} catch (e) {
+			loadError = e instanceof ApiError ? e.message : 'failed to load API keys';
+		}
+	}
+
+	async function loadApps() {
+		try {
+			apps = await api.apps.list();
+		} catch {
+			// Non-fatal: the form falls back to "no app options" and the
+			// list shows the bare UUID in the binding column.
+			apps = [];
+		}
+	}
+
+	function flash(kind: 'error' | 'info', message: string) {
+		banner = { kind, message };
+		setTimeout(() => {
+			if (banner?.message === message) banner = null;
+		}, 6000);
+	}
+
+	function openMint() {
+		mintForm = { name: '', scopes: new Set(), app_id: '', expires_at: '' };
+		mintError = null;
+		mintOpen = true;
+	}
+
+	function cancelMint() {
+		mintOpen = false;
+		mintError = null;
+	}
+
+	function toggleScope(s: Scope) {
+		const next = new Set(mintForm.scopes);
+		if (next.has(s)) next.delete(s);
+		else next.add(s);
+		mintForm = { ...mintForm, scopes: next };
+	}
+
+	// When the user binds the key to an app, instance:* scopes are
+	// mutually exclusive — drop them from the selection so submit
+	// doesn't 422.
+	$effect(() => {
+		if (!boundToApp) return;
+		const filtered = new Set<Scope>();
+		let dropped = false;
+		for (const s of mintForm.scopes) {
+			if (scopeIsInstance(s)) dropped = true;
+			else filtered.add(s);
+		}
+		if (dropped) {
+			mintForm = { ...mintForm, scopes: filtered };
+		}
+	});
+
+	async function submitMint(event: SubmitEvent) {
+		event.preventDefault();
+		if (!canSubmit) return;
+		mintPending = true;
+		mintError = null;
+		try {
+			const r = await api.apiKeys.mint({
+				name: mintForm.name.trim(),
+				scopes: Array.from(mintForm.scopes),
+				app_id: mintForm.app_id === '' ? null : mintForm.app_id,
+				expires_at: mintForm.expires_at === ''
+					? null
+					: new Date(mintForm.expires_at + 'T23:59:59Z').toISOString()
+			});
+			reveal = r;
+			revealAck = false;
+			copyState = 'idle';
+			mintOpen = false;
+			await refreshKeys();
+		} catch (e) {
+			mintError = e instanceof ApiError ? e.message : 'failed to mint API key';
+		} finally {
+			mintPending = false;
+		}
+	}
+
+	async function copyToken() {
+		if (!reveal) return;
+		try {
+			await navigator.clipboard.writeText(reveal.raw_token);
+			copyState = 'copied';
+			setTimeout(() => (copyState = 'idle'), 2000);
+		} catch {
+			flash('error', 'Clipboard write failed — select and copy manually.');
+		}
+	}
+
+	function dismissReveal() {
+		reveal = null;
+		revealAck = false;
+	}
+
+	function openRevoke(key: ApiKeyDto) {
+		revokeTarget = key;
+	}
+
+	async function confirmRevoke() {
+		if (!revokeTarget) return;
+		revokePending = true;
+		const target = revokeTarget;
+		try {
+			await api.apiKeys.revoke(target.id);
+			revokeTarget = null;
+			keys = keys.filter((k) => k.id !== target.id);
+			flash('info', `Revoked "${target.name}".`);
+		} catch (e) {
+			flash('error', e instanceof ApiError ? e.message : 'failed to revoke key');
+		} finally {
+			revokePending = false;
+		}
+	}
+
+	function appLabel(app_id: string | null): string {
+		if (!app_id) return 'Instance-wide';
+		const a = appBySlug.get(app_id);
+		return a ? a.slug : app_id.slice(0, 8) + '…';
+	}
+
+	function shortDate(iso: string | null): string {
+		if (!iso) return '—';
+		return new Date(iso).toISOString().slice(0, 10);
+	}
+
+	function relative(iso: string | null): string {
+		if (!iso) return 'Never';
+		const then = new Date(iso).getTime();
+		const sec = Math.round((Date.now() - then) / 1000);
+		if (sec < 60) return `${sec}s ago`;
+		const min = Math.round(sec / 60);
+		if (min < 60) return `${min}m ago`;
+		const hr = Math.round(min / 60);
+		if (hr < 24) return `${hr}h ago`;
+		const day = Math.round(hr / 24);
+		if (day < 7) return `${day}d ago`;
+		return shortDate(iso);
+	}
+</script>
+
+{#if me}
+	<section class="identity">
+		<div class="identity-head">
+			<h1>{me.username}</h1>
+			<RoleChip role={me.instance_role} />
+		</div>
+		<dl class="identity-meta">
+			<div>
+				<dt>Email</dt>
+				<dd>{me.email ?? 'No email set'}</dd>
+			</div>
+			<div>
+				<dt>User ID</dt>
+				<dd class="mono">{me.id}</dd>
+			</div>
+		</dl>
+	</section>
+{/if}
+
+{#if deniedFromUsers}
+	<div class="banner banner-info">
+		You don't have access to the Users page. Ask an admin if you need to manage users.
+	</div>
+{/if}
+
+{#if banner}
+	<div class="banner banner-{banner.kind}">{banner.message}</div>
+{/if}
+
+<section class="keys-section">
+	<header class="section-head">
+		<h2>API keys</h2>
+		{#if !mintOpen && !reveal}
+			<button type="button" class="primary" onclick={openMint}>+ Mint API key</button>
+		{/if}
+	</header>
+
+	{#if reveal}
+		<div class="reveal">
+			<h3>Save this token now — it will never be shown again.</h3>
+			<p class="reveal-sub">
+				Paste it into your CLI config or external integration. PiCloud only ever stores a hash; if
+				you lose it, mint a new one.
+			</p>
+			<div class="token-row">
+				<code class="token">{reveal.raw_token}</code>
+				<button type="button" class="ghost" onclick={copyToken}>
+					{copyState === 'copied' ? 'Copied ✓' : 'Copy'}
+				</button>
+			</div>
+			<label class="ack">
+				<input type="checkbox" bind:checked={revealAck} />
+				<span>I've saved this token somewhere safe.</span>
+			</label>
+			<div class="reveal-actions">
+				<button type="button" class="primary" disabled={!revealAck} onclick={dismissReveal}>
+					Done
+				</button>
+			</div>
+		</div>
+	{/if}
+
+	{#if mintOpen}
+		<form class="mint" onsubmit={submitMint}>
+			<div class="form-row">
+				<label class="field">
+					<span>Name</span>
+					<input
+						type="text"
+						bind:value={mintForm.name}
+						maxlength={NAME_MAX}
+						autocomplete="off"
+						placeholder="e.g. ci-deploy"
+						required
+					/>
+					<small>1–{NAME_MAX} chars. Only you see it.</small>
+				</label>
+
+				<label class="field">
+					<span>Binding</span>
+					<select bind:value={mintForm.app_id}>
+						<option value="">Instance-wide</option>
+						{#each apps as a (a.id)}
+							<option value={a.id}>{a.slug} ({a.name})</option>
+						{/each}
+					</select>
+					<small>Pick an app to scope this key, or leave instance-wide.</small>
+				</label>
+
+				<label class="field">
+					<span>Expires</span>
+					<input type="date" bind:value={mintForm.expires_at} />
+					<small>Leave blank for no expiry.</small>
+				</label>
+			</div>
+
+			<fieldset class="scopes">
+				<legend>Scopes</legend>
+				<div class="scope-grid">
+					{#each ALL_SCOPES as scope (scope)}
+						{@const instanceScope = scopeIsInstance(scope)}
+						{@const disabled = boundToApp && instanceScope}
+						<label
+							class="scope-chip"
+							class:disabled
+							title={disabled ? "Bound keys can't carry instance scopes" : undefined}
+						>
+							<input
+								type="checkbox"
+								checked={mintForm.scopes.has(scope)}
+								disabled={disabled || mintPending}
+								onchange={() => toggleScope(scope)}
+							/>
+							<span class="scope-name">{scope}</span>
+						</label>
+					{/each}
+				</div>
+				<small class="scope-hint">
+					{mintForm.scopes.size === 0
+						? 'Pick at least one scope.'
+						: `${mintForm.scopes.size} scope${mintForm.scopes.size === 1 ? '' : 's'} selected.`}
+				</small>
+			</fieldset>
+
+			{#if mintError}
+				<div class="error">{mintError}</div>
+			{/if}
+
+			<div class="form-actions">
+				<button type="button" class="ghost" onclick={cancelMint}>Cancel</button>
+				<button type="submit" class="primary" disabled={!canSubmit}>
+					{mintPending ? 'Minting…' : 'Mint key'}
+				</button>
+			</div>
+		</form>
+	{/if}
+
+	{#if loadError}
+		<div class="error">
+			{loadError}
+			<button type="button" class="retry" onclick={refreshKeys}>Retry</button>
+		</div>
+	{:else if keys.length === 0 && !reveal && !mintOpen}
+		<p class="empty">
+			No API keys yet. Mint one to authenticate the CLI or external integrations.
+		</p>
+	{:else if keys.length > 0}
+		<div class="table">
+			<div class="row head-row">
+				<div>Name</div>
+				<div>Prefix</div>
+				<div>Scopes</div>
+				<div>Binding</div>
+				<div>Created</div>
+				<div>Last used</div>
+				<div>Expires</div>
+				<div class="actions-col"></div>
+			</div>
+			{#each keys as key (key.id)}
+				<div class="row">
+					<div class="name-cell">{key.name}</div>
+					<div class="mono prefix">pic_{key.prefix}…</div>
+					<div class="scopes-cell">
+						{#each key.scopes as s (s)}
+							<span class="scope-pill">{s}</span>
+						{/each}
+					</div>
+					<div>{appLabel(key.app_id)}</div>
+					<div>{shortDate(key.created_at)}</div>
+					<div title={key.last_used_at ?? ''}>{relative(key.last_used_at)}</div>
+					<div>{key.expires_at ? shortDate(key.expires_at) : 'Never'}</div>
+					<div class="actions-col">
+						<button
+							type="button"
+							class="danger-link"
+							onclick={() => openRevoke(key)}
+							aria-label="Revoke {key.name}"
+						>
+							Revoke
+						</button>
+					</div>
+				</div>
+			{/each}
+		</div>
+	{/if}
+</section>
+
+{#if revokeTarget}
+	<ConfirmModal
+		title="Revoke API key?"
+		variant="danger"
+		confirmLabel="Revoke"
+		busy={revokePending}
+		busyLabel="Revoking…"
+		onConfirm={confirmRevoke}
+		onCancel={() => (revokeTarget = null)}
+	>
+		<p>
+			Revoking <strong>{revokeTarget.name}</strong> (<code>{revokeTarget.prefix}</code>) takes
+			effect immediately. Any CLI or integration using it will start returning <code>401</code>
+			on the next request.
+		</p>
+		<p class="muted">This can't be undone — mint a new key if you need one again.</p>
+	</ConfirmModal>
+{/if}
+
+<style>
+	.identity {
+		background: #0b1220;
+		border: 1px solid #1e293b;
+		border-radius: 0.5rem;
+		padding: 1.25rem 1.5rem;
+		margin-bottom: 1.5rem;
+	}
+	.identity-head {
+		display: flex;
+		align-items: center;
+		gap: 0.75rem;
+		margin-bottom: 0.75rem;
+	}
+	.identity h1 {
+		margin: 0;
+		font-size: 1.25rem;
+		color: #e2e8f0;
+	}
+	.identity-meta {
+		display: grid;
+		grid-template-columns: repeat(auto-fit, minmax(14rem, 1fr));
+		gap: 0.75rem 1.5rem;
+		margin: 0;
+	}
+	.identity-meta div {
+		display: flex;
+		flex-direction: column;
+		gap: 0.15rem;
+	}
+	.identity-meta dt {
+		color: #64748b;
+		font-size: 0.7rem;
+		text-transform: uppercase;
+		letter-spacing: 0.05em;
+	}
+	.identity-meta dd {
+		margin: 0;
+		color: #cbd5e1;
+		font-size: 0.9rem;
+	}
+
+	.banner {
+		padding: 0.55rem 0.85rem;
+		border-radius: 0.375rem;
+		margin-bottom: 1rem;
+		font-size: 0.85rem;
+	}
+	.banner-error {
+		background: #450a0a;
+		border: 1px solid #b91c1c;
+		color: #fecaca;
+	}
+	.banner-info {
+		background: #0c2a36;
+		border: 1px solid #155e75;
+		color: #a5f3fc;
+	}
+
+	.section-head {
+		display: flex;
+		align-items: center;
+		justify-content: space-between;
+		margin-bottom: 1rem;
+	}
+	.section-head h2 {
+		margin: 0;
+		font-size: 1.05rem;
+		color: #e2e8f0;
+	}
+
+	.reveal {
+		background: #0b1220;
+		border: 1px solid #ca8a04;
+		border-radius: 0.5rem;
+		padding: 1.25rem 1.5rem;
+		margin-bottom: 1.25rem;
+		display: flex;
+		flex-direction: column;
+		gap: 0.75rem;
+	}
+	.reveal h3 {
+		margin: 0;
+		font-size: 0.95rem;
+		color: #fbbf24;
+	}
+	.reveal-sub {
+		margin: 0;
+		color: #cbd5e1;
+		font-size: 0.85rem;
+		line-height: 1.4;
+	}
+	.token-row {
+		display: flex;
+		align-items: stretch;
+		gap: 0.5rem;
+	}
+	.token {
+		flex: 1;
+		background: #020617;
+		border: 1px solid #1e293b;
+		border-radius: 0.375rem;
+		padding: 0.6rem 0.75rem;
+		color: #e2e8f0;
+		font-family: ui-monospace, SFMono-Regular, Menlo, monospace;
+		font-size: 0.85rem;
+		overflow-x: auto;
+		white-space: nowrap;
+	}
+	.ack {
+		display: flex;
+		align-items: center;
+		gap: 0.5rem;
+		font-size: 0.85rem;
+		color: #cbd5e1;
+		cursor: pointer;
+	}
+	.reveal-actions {
+		display: flex;
+		justify-content: flex-end;
+	}
+
+	.mint {
+		background: #0b1220;
+		border: 1px solid #1e293b;
+		border-radius: 0.5rem;
+		padding: 1.25rem 1.5rem;
+		margin-bottom: 1.5rem;
+		display: flex;
+		flex-direction: column;
+		gap: 1rem;
+	}
+	.form-row {
+		display: grid;
+		grid-template-columns: repeat(auto-fit, minmax(12rem, 1fr));
+		gap: 1rem;
+	}
+	.field {
+		display: flex;
+		flex-direction: column;
+		gap: 0.3rem;
+		font-size: 0.85rem;
+		color: #cbd5e1;
+	}
+	.field input,
+	.field select {
+		background: #0f172a;
+		color: #e2e8f0;
+		border: 1px solid #1e293b;
+		border-radius: 0.375rem;
+		padding: 0.5rem 0.7rem;
+		font-size: 0.9rem;
+	}
+	.field input:focus,
+	.field select:focus {
+		outline: none;
+		border-color: #38bdf8;
+	}
+	.field small {
+		color: #64748b;
+		font-size: 0.72rem;
+	}
+
+	.scopes {
+		border: 1px solid #1e293b;
+		border-radius: 0.375rem;
+		padding: 0.75rem 0.85rem;
+		color: #cbd5e1;
+	}
+	.scopes legend {
+		font-size: 0.75rem;
+		text-transform: uppercase;
+		letter-spacing: 0.05em;
+		color: #94a3b8;
+		padding: 0 0.4rem;
+	}
+	.scope-grid {
+		display: grid;
+		grid-template-columns: repeat(auto-fit, minmax(11rem, 1fr));
+		gap: 0.4rem 0.75rem;
+		margin-top: 0.25rem;
+	}
+	.scope-chip {
+		display: flex;
+		align-items: center;
+		gap: 0.4rem;
+		font-size: 0.85rem;
+		font-family: ui-monospace, SFMono-Regular, Menlo, monospace;
+		cursor: pointer;
+	}
+	.scope-chip.disabled {
+		opacity: 0.45;
+		cursor: not-allowed;
+	}
+	.scope-hint {
+		display: block;
+		margin-top: 0.55rem;
+		font-size: 0.75rem;
+		color: #64748b;
+	}
+
+	.form-actions {
+		display: flex;
+		justify-content: flex-end;
+		gap: 0.5rem;
+	}
+
+	.error {
+		background: #450a0a;
+		border: 1px solid #b91c1c;
+		color: #fecaca;
+		padding: 0.55rem 0.8rem;
+		border-radius: 0.375rem;
+		font-size: 0.85rem;
+		display: flex;
+		align-items: center;
+		justify-content: space-between;
+		gap: 1rem;
+		margin-top: 0.25rem;
+	}
+	.retry {
+		background: transparent;
+		border: 1px solid #b91c1c;
+		color: #fecaca;
+		padding: 0.2rem 0.55rem;
+		border-radius: 0.25rem;
+		cursor: pointer;
+		font-size: 0.75rem;
+	}
+
+	.empty {
+		color: #64748b;
+		text-align: center;
+		padding: 2.5rem 0;
+		border: 1px dashed #1e293b;
+		border-radius: 0.5rem;
+	}
+
+	.table {
+		display: flex;
+		flex-direction: column;
+		border: 1px solid #1e293b;
+		border-radius: 0.5rem;
+		background: #0b1220;
+		overflow: hidden;
+	}
+	.row {
+		display: grid;
+		grid-template-columns: 1.3fr 0.9fr 2fr 1fr 0.8fr 0.8fr 0.8fr 0.7fr;
+		align-items: center;
+		gap: 0.75rem;
+		padding: 0.7rem 1rem;
+		border-bottom: 1px solid #1e293b;
+		font-size: 0.85rem;
+	}
+	.row:last-child {
+		border-bottom: none;
+	}
+	.head-row {
+		color: #94a3b8;
+		font-size: 0.7rem;
+		text-transform: uppercase;
+		letter-spacing: 0.05em;
+		background: #0f172a;
+	}
+	.name-cell {
+		color: #e2e8f0;
+		font-weight: 500;
+	}
+	.mono {
+		font-family: ui-monospace, SFMono-Regular, Menlo, monospace;
+	}
+	.prefix {
+		color: #94a3b8;
+	}
+	.scopes-cell {
+		display: flex;
+		flex-wrap: wrap;
+		gap: 0.25rem;
+	}
+	.scope-pill {
+		background: #1e293b;
+		color: #cbd5e1;
+		font-family: ui-monospace, SFMono-Regular, Menlo, monospace;
+		font-size: 0.7rem;
+		padding: 0.1rem 0.4rem;
+		border-radius: 0.25rem;
+	}
+	.actions-col {
+		display: flex;
+		justify-content: flex-end;
+	}
+	.danger-link {
+		background: transparent;
+		color: #fca5a5;
+		border: none;
+		font-size: 0.8rem;
+		cursor: pointer;
+		padding: 0.2rem 0.4rem;
+		border-radius: 0.25rem;
+	}
+	.danger-link:hover {
+		background: #450a0a;
+		color: #fecaca;
+	}
+
+	button.primary {
+		background: #38bdf8;
+		color: #0b1220;
+		border: none;
+		padding: 0.5rem 0.9rem;
+		border-radius: 0.375rem;
+		font-weight: 600;
+		cursor: pointer;
+		font-size: 0.85rem;
+	}
+	button.primary:disabled {
+		opacity: 0.6;
+		cursor: not-allowed;
+	}
+	button.ghost {
+		background: transparent;
+		color: #94a3b8;
+		border: 1px solid #334155;
+		padding: 0.45rem 0.85rem;
+		border-radius: 0.375rem;
+		cursor: pointer;
+		font-size: 0.85rem;
+	}
+	button.ghost:hover {
+		background: #1e293b;
+		color: #e2e8f0;
+	}
+
+	.muted {
+		color: #94a3b8;
+	}
+</style>

dashboard/src/routes/scripts/[id]/+page.svelte

@@ -6,12 +6,15 @@
 		api,
 		ApiError,
 		type AppDomain,
+		type AppRole,
 		type ExecutionLog,
 		type Route,
 		type RouteInput,
 		type Script,
 		type VersionInfo
 	} from '$lib/api';
+	import { currentUser } from '$lib/auth';
+	import { canAdminApp, canWriteApp } from '$lib/capabilities';
 	import { logLevelColor, statusColor } from '$lib/styles';
 	import {
 		checkHostAgainstClaims,
@@ -21,6 +24,7 @@
 		pathKindMismatchWarning
 	} from '$lib/route-utils';
 	import CodeEditor from '$lib/CodeEditor.svelte';
+	import ConfirmModal from '$lib/ConfirmModal.svelte';
 	import { format as formatRhai } from '$lib/rhai';
 
 	/// Pretty-print a JSON string in place, leaving it untouched if the
@@ -47,6 +51,11 @@
 
 	let appSlug = $state<string | null>(null);
 	let appDomains = $state<AppDomain[]>([]);
+	let appMyRole = $state<AppRole | null>(null);
+
+	const me = $derived($currentUser);
+	const canWrite = $derived(canWriteApp(me, appMyRole));
+	const canAdmin = $derived(canAdminApp(me, appMyRole));
 
 	async function loadScript() {
 		scriptLoading = true;
@@ -58,15 +67,16 @@
 			editableDescription = script.description ?? '';
 			editableTimeout = script.timeout_seconds;
 			editableSandbox = { ...(script.sandbox ?? {}) };
-			// Resolve the owning app's slug for the breadcrumb and its
+			// Resolve the owning app for the breadcrumb (slug),
-			// domain claims for the route form's suggestions + live
+			// route-form host suggestions (domain claims), and UI
-			// validation. Both are non-fatal — the page works without
+			// shadowing (my_role on this app). All non-fatal — the
-			// them.
+			// page renders without them, just with reduced fidelity.
 			const appId = script.app_id;
 			void api.apps
 				.get(appId)
 				.then((a) => {
 					appSlug = a.slug;
+					appMyRole = a.my_role ?? null;
 				})
 				.catch(() => {});
 			void api.domains
@@ -366,16 +376,25 @@
 	}
 
 	// ---------------- deletion ----------------
+	let confirmingDelete = $state(false);
 	let deleting = $state(false);
-	async function remove() {
+	let deleteError = $state<string | null>(null);
+
+	function askDelete() {
+		deleteError = null;
+		confirmingDelete = true;
+	}
+
+	async function confirmDelete() {
 		if (!script) return;
-		if (!confirm(`Delete script "${script.name}"? This cannot be undone.`)) return;
 		deleting = true;
+		deleteError = null;
 		try {
 			await api.scripts.remove(id);
 			await goto(base + '/');
 		} catch (e) {
-			alert(e instanceof Error ? e.message : String(e));
+			deleteError = e instanceof Error ? e.message : String(e);
+		} finally {
 			deleting = false;
 		}
 	}
@@ -386,6 +405,15 @@
 		void loadRoutes();
 		void loadLogs();
 	});
+
+	// Defense-in-depth: anyone non-admin who lands on the Settings
+	// tab via a stale link gets bounced back to Edit. The tab button
+	// itself is also hidden.
+	$effect(() => {
+		if (!canAdmin && tab === 'settings') {
+			tab = 'edit';
+		}
+	});
 </script>
 
 <section>
@@ -410,9 +438,11 @@
 					v{script.version} · timeout {script.timeout_seconds}s · {script.description ?? 'no description'}
 				</p>
 			</div>
-			<button type="button" class="danger" onclick={remove} disabled={deleting}>
+			{#if canAdmin}
+				<button type="button" class="danger" onclick={askDelete} disabled={deleting}>
 					{deleting ? 'Deleting…' : 'Delete'}
 				</button>
+			{/if}
 		</header>
 
 		<nav class="tabs">
@@ -423,7 +453,9 @@
 					<span class="badge-count">{routes.length}</span>
 				{/if}
 			</button>
+			{#if canAdmin}
 				<button class:active={tab === 'settings'} onclick={() => (tab = 'settings')}>Settings</button>
+			{/if}
 			<button class:active={tab === 'executions'} onclick={() => (tab = 'executions')}>
 				Executions
 			</button>
@@ -435,17 +467,25 @@
 				<section class="card">
 					<header class="editor-header">
 						<h2>Source</h2>
+						{#if canWrite}
 							<button type="button" class="ghost small" onclick={formatRhaiSource}>
 								Format
 							</button>
+						{/if}
 					</header>
-					<CodeEditor bind:value={editableSource} language="rhai" minHeight="22rem" />
+					<CodeEditor
+						bind:value={editableSource}
+						language="rhai"
+						minHeight="22rem"
+						readOnly={!canWrite}
+					/>
 					{#if rhaiFormatError}
 						<div class="error inline">{rhaiFormatError}</div>
 					{/if}
 					{#if saveSourceError}
 						<div class="error inline">{saveSourceError}</div>
 					{/if}
+					{#if canWrite}
 						<div class="actions">
 							<button
 								type="button"
@@ -455,6 +495,7 @@
 								{savingSource ? 'Saving…' : 'Save'}
 							</button>
 						</div>
+					{/if}
 				</section>
 
 				<section class="card">
@@ -510,12 +551,14 @@
 			<section class="card wide">
 				<header class="card-header">
 					<h2>Routes</h2>
+					{#if canWrite}
 						<button type="button" onclick={() => (showAddRoute = !showAddRoute)}>
 							{showAddRoute ? 'Cancel' : '+ Add route'}
 						</button>
+					{/if}
 				</header>
 
-				{#if showAddRoute}
+				{#if showAddRoute && canWrite}
 					<form class="route-form" onsubmit={submitRoute}>
 						<label class="full">
 							<span>Path</span>
@@ -626,9 +669,11 @@
 												: r.host}
 									</span>
 									<span class="path">{r.path}</span>
+									{#if canWrite}
 										<button type="button" class="link danger" onclick={() => removeRoute(r.id)}>
 											remove
 										</button>
+									{/if}
 								</div>
 								{#if info}
 									<div class="route-url muted">→ {fullUrlForRoute(r)}</div>
@@ -670,7 +715,7 @@
 			</section>
 
 			<!-- ===================================================== SETTINGS ===== -->
-		{:else if tab === 'settings'}
+		{:else if tab === 'settings' && canAdmin}
 			<section class="card wide">
 				<h2>General</h2>
 				<label>
@@ -786,6 +831,35 @@
 				{/if}
 			</section>
 		{/if}
+
+		{#if confirmingDelete && script}
+			<ConfirmModal
+				title="Delete script “{script.name}”"
+				variant="danger"
+				confirmLabel="Delete script"
+				busyLabel="Deleting…"
+				confirmPhrase={script.name}
+				confirmPhrasePrompt="Type the script name to confirm:"
+				busy={deleting}
+				onConfirm={confirmDelete}
+				onCancel={() => (confirmingDelete = false)}
+			>
+				<p>
+					This will <strong>permanently delete</strong>
+					<strong>{script.name}</strong>, all its routes, and all its
+					execution logs. There is no undo.
+				</p>
+				{#if routes.length > 0}
+					<p class="muted">
+						{routes.length} route{routes.length === 1 ? '' : 's'} bound to
+						this script will be removed.
+					</p>
+				{/if}
+				{#if deleteError}
+					<p class="modal-error">{deleteError}</p>
+				{/if}
+			</ConfirmModal>
+		{/if}
 	{/if}
 </section>
 

dashboard/src/routes/users/+page.svelte

@@ -0,0 +1,986 @@
+<!--
+  /admin/users — owner + admin only. Members get bounced to /profile
+  with ?denied=users. Replaces the pre-3.5 /admin/admins page; this
+  one knows about roles, email, and the last-owner/last-admin guards.
+-->
+<script lang="ts">
+	import { onMount } from 'svelte';
+	import { goto } from '$app/navigation';
+	import { base } from '$app/paths';
+	import {
+		api,
+		ApiError,
+		type AdminDto,
+		type InstanceRole
+	} from '$lib/api';
+	import { currentUser } from '$lib/auth';
+	import RoleChip from '$lib/RoleChip.svelte';
+	import ConfirmModal from '$lib/ConfirmModal.svelte';
+	import ActionMenu from '$lib/ActionMenu.svelte';
+	import { generatePassword } from '$lib/password-gen';
+
+	const me = $derived($currentUser);
+	const myRole = $derived(me?.instance_role);
+	const isOwner = $derived(myRole === 'owner');
+
+	// Member guard. The backend already 403s the list call, but
+	// surfacing a friendly redirect avoids the dead-end empty page.
+	$effect(() => {
+		if (me && me.instance_role === 'member') {
+			void goto(`${base}/profile?denied=users`);
+		}
+	});
+
+	let admins = $state<AdminDto[]>([]);
+	let loadError = $state<string | null>(null);
+	let banner = $state<{ kind: 'error' | 'info'; message: string } | null>(null);
+
+	let search = $state('');
+	const filtered = $derived(
+		(() => {
+			const q = search.trim().toLowerCase();
+			if (!q) return admins;
+			return admins.filter(
+				(a) =>
+					a.username.toLowerCase().includes(q) ||
+					(a.email ?? '').toLowerCase().includes(q)
+			);
+		})()
+	);
+
+	// Invite (create) modal --------------------------------------------------
+	let inviteOpen = $state(false);
+	let inviteForm = $state<{ username: string; email: string; instance_role: 'admin' | 'member' }>({
+		username: '',
+		email: '',
+		instance_role: 'admin'
+	});
+	let invitePending = $state(false);
+	let inviteError = $state<string | null>(null);
+
+	// One-time password reveal (used by both invite + reset)
+	let revealPassword = $state<string | null>(null);
+	let revealForUsername = $state<string>('');
+	let revealKind = $state<'invite' | 'reset'>('invite');
+	let revealAck = $state(false);
+	let copyState = $state<'idle' | 'copied'>('idle');
+
+	// Edit modal -------------------------------------------------------------
+	let editTarget = $state<AdminDto | null>(null);
+	let editForm = $state<{
+		username: string;
+		email: string;
+		instance_role: InstanceRole;
+	}>({ username: '', email: '', instance_role: 'admin' });
+	let editPending = $state(false);
+	let editError = $state<string | null>(null);
+
+	// Delete modal -----------------------------------------------------------
+	let deleteTarget = $state<AdminDto | null>(null);
+	let deletePending = $state(false);
+
+	// Deactivate modal -------------------------------------------------------
+	// Reactivate is one-click (non-destructive); deactivate routes
+	// through the modal because it signs the user out and expires
+	// every API key they hold.
+	let deactivateTarget = $state<AdminDto | null>(null);
+	let deactivatePending = $state(false);
+
+	// Validation rules (mirror backend: 2-32, [a-z0-9._-]) -------------------
+	const USERNAME_RE = /^[a-z0-9._-]{2,32}$/;
+	const EMAIL_RE = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;
+
+	const inviteUsernameValid = $derived(USERNAME_RE.test(inviteForm.username));
+	const inviteEmailValid = $derived(
+		inviteForm.email.trim() === '' || EMAIL_RE.test(inviteForm.email.trim())
+	);
+	const canInvite = $derived(inviteUsernameValid && inviteEmailValid && !invitePending);
+
+	const editUsernameValid = $derived(USERNAME_RE.test(editForm.username));
+	const editEmailValid = $derived(
+		editForm.email.trim() === '' || EMAIL_RE.test(editForm.email.trim())
+	);
+	const canSubmitEdit = $derived(editUsernameValid && editEmailValid && !editPending);
+
+	// Admin (non-owner) cannot touch owner rows for delete or role demote.
+	function canDelete(row: AdminDto): boolean {
+		if (isOwner) return true;
+		return row.instance_role !== 'owner';
+	}
+
+	const editRoleOptions = $derived<InstanceRole[]>(
+		isOwner ? ['owner', 'admin', 'member'] : ['admin', 'member']
+	);
+
+	onMount(refresh);
+
+	async function refresh() {
+		loadError = null;
+		try {
+			admins = await api.admins.list();
+		} catch (e) {
+			loadError = e instanceof ApiError ? e.message : 'failed to load users';
+		}
+	}
+
+	function flash(kind: 'error' | 'info', message: string) {
+		banner = { kind, message };
+		setTimeout(() => {
+			if (banner?.message === message) banner = null;
+		}, 6000);
+	}
+
+	function openInvite() {
+		inviteForm = { username: '', email: '', instance_role: 'admin' };
+		inviteError = null;
+		inviteOpen = true;
+	}
+
+	async function submitInvite(event: SubmitEvent) {
+		event.preventDefault();
+		if (!canInvite) return;
+		invitePending = true;
+		inviteError = null;
+		const password = generatePassword(16);
+		try {
+			const created = await api.admins.create({
+				username: inviteForm.username,
+				password,
+				instance_role: inviteForm.instance_role,
+				email: inviteForm.email.trim() === '' ? null : inviteForm.email.trim()
+			});
+			admins = [...admins, created].sort((a, b) => a.username.localeCompare(b.username));
+			inviteOpen = false;
+			revealPassword = password;
+			revealForUsername = created.username;
+			revealKind = 'invite';
+			revealAck = false;
+			copyState = 'idle';
+		} catch (e) {
+			inviteError = e instanceof ApiError ? e.message : 'failed to create user';
+		} finally {
+			invitePending = false;
+		}
+	}
+
+	function openEdit(row: AdminDto) {
+		editTarget = row;
+		editForm = {
+			username: row.username,
+			email: row.email ?? '',
+			instance_role: row.instance_role
+		};
+		editError = null;
+	}
+
+	async function submitEdit(event: SubmitEvent) {
+		event.preventDefault();
+		if (!editTarget || !canSubmitEdit) return;
+		editPending = true;
+		editError = null;
+		const patch: {
+			username?: string;
+			email?: string | null;
+			instance_role?: InstanceRole;
+		} = {};
+		if (editForm.username !== editTarget.username) patch.username = editForm.username;
+		if ((editTarget.email ?? '') !== editForm.email.trim()) {
+			patch.email = editForm.email.trim() === '' ? null : editForm.email.trim();
+		}
+		if (editForm.instance_role !== editTarget.instance_role) {
+			patch.instance_role = editForm.instance_role;
+		}
+		try {
+			const updated = await api.admins.update(editTarget.id, patch);
+			admins = admins
+				.map((a) => (a.id === updated.id ? updated : a))
+				.sort((a, b) => a.username.localeCompare(b.username));
+			const name = updated.username;
+			editTarget = null;
+			flash('info', `Updated "${name}".`);
+		} catch (e) {
+			editError = e instanceof ApiError ? e.message : 'failed to update user';
+		} finally {
+			editPending = false;
+		}
+	}
+
+	async function resetPassword() {
+		if (!editTarget) return;
+		const target = editTarget;
+		const password = generatePassword(16);
+		editPending = true;
+		editError = null;
+		try {
+			await api.admins.update(target.id, { password });
+			editTarget = null;
+			revealPassword = password;
+			revealForUsername = target.username;
+			revealKind = 'reset';
+			revealAck = false;
+			copyState = 'idle';
+		} catch (e) {
+			editError = e instanceof ApiError ? e.message : 'failed to reset password';
+		} finally {
+			editPending = false;
+		}
+	}
+
+	async function reactivate(row: AdminDto) {
+		try {
+			const updated = await api.admins.update(row.id, { is_active: true });
+			admins = admins.map((a) => (a.id === updated.id ? updated : a));
+			flash('info', `${updated.username} reactivated.`);
+		} catch (e) {
+			flash('error', e instanceof ApiError ? e.message : 'failed to update user');
+		}
+	}
+
+	function askDeactivate(row: AdminDto) {
+		deactivateTarget = row;
+	}
+
+	async function confirmDeactivate() {
+		if (!deactivateTarget) return;
+		deactivatePending = true;
+		const target = deactivateTarget;
+		try {
+			const updated = await api.admins.update(target.id, { is_active: false });
+			admins = admins.map((a) => (a.id === updated.id ? updated : a));
+			deactivateTarget = null;
+			flash('info', `${updated.username} deactivated.`);
+		} catch (e) {
+			flash('error', e instanceof ApiError ? e.message : 'failed to update user');
+		} finally {
+			deactivatePending = false;
+		}
+	}
+
+	function openDelete(row: AdminDto) {
+		deleteTarget = row;
+	}
+
+	async function confirmDelete() {
+		if (!deleteTarget) return;
+		deletePending = true;
+		const target = deleteTarget;
+		try {
+			await api.admins.remove(target.id);
+			deleteTarget = null;
+			if (me && me.id === target.id) {
+				// Self-delete: bail out to login.
+				await api.auth.logout();
+				await goto(`${base}/login`);
+				return;
+			}
+			admins = admins.filter((a) => a.id !== target.id);
+			flash('info', `Deleted "${target.username}".`);
+		} catch (e) {
+			flash('error', e instanceof ApiError ? e.message : 'failed to delete user');
+		} finally {
+			deletePending = false;
+		}
+	}
+
+	async function copyPassword() {
+		if (!revealPassword) return;
+		try {
+			await navigator.clipboard.writeText(revealPassword);
+			copyState = 'copied';
+			setTimeout(() => (copyState = 'idle'), 2000);
+		} catch {
+			flash('error', 'Clipboard write failed — select and copy manually.');
+		}
+	}
+
+	function dismissReveal() {
+		revealPassword = null;
+		revealAck = false;
+	}
+
+	function relative(iso: string | null): string {
+		if (!iso) return 'Never';
+		const sec = Math.round((Date.now() - new Date(iso).getTime()) / 1000);
+		if (sec < 60) return `${sec}s ago`;
+		const min = Math.round(sec / 60);
+		if (min < 60) return `${min}m ago`;
+		const hr = Math.round(min / 60);
+		if (hr < 24) return `${hr}h ago`;
+		const day = Math.round(hr / 24);
+		if (day < 7) return `${day}d ago`;
+		return new Date(iso).toISOString().slice(0, 10);
+	}
+
+	function shortDate(iso: string): string {
+		return new Date(iso).toISOString().slice(0, 10);
+	}
+</script>
+
+<header class="head">
+	<h1>Users</h1>
+	<div class="head-controls">
+		<input
+			type="search"
+			placeholder="Search by username or email…"
+			bind:value={search}
+			class="search"
+		/>
+		<button type="button" class="primary" onclick={openInvite}>+ Invite user</button>
+	</div>
+</header>
+
+{#if banner}
+	<div class="banner banner-{banner.kind}">{banner.message}</div>
+{/if}
+
+{#if loadError}
+	<div class="error">
+		{loadError}
+		<button type="button" class="retry" onclick={refresh}>Retry</button>
+	</div>
+{:else if admins.length === 0}
+	<p class="empty">No users yet. Invite one to get started.</p>
+{:else}
+	<div class="table">
+		<div class="row head-row">
+			<div>Username</div>
+			<div>Role</div>
+			<div>Email</div>
+			<div>Status</div>
+			<div>Created</div>
+			<div>Last login</div>
+			<div class="actions-col"></div>
+		</div>
+		{#each filtered as row (row.id)}
+			<div class="row">
+				<div class="name-cell">
+					<span class="name">{row.username}</span>
+					{#if me && me.id === row.id}
+						<span class="you-tag">(you)</span>
+					{/if}
+				</div>
+				<div><RoleChip role={row.instance_role} size="sm" /></div>
+				<div class="email-cell">{row.email ?? '—'}</div>
+				<div>
+					{#if row.is_active}
+						<span class="status status-active">● Active</span>
+					{:else}
+						<span class="status status-inactive">○ Inactive</span>
+					{/if}
+				</div>
+				<div>{shortDate(row.created_at)}</div>
+				<div title={row.last_login_at ?? ''}>{relative(row.last_login_at)}</div>
+				<div class="actions-col">
+					<ActionMenu
+						label="User actions for {row.username}"
+						items={[
+							{ label: 'Edit', onClick: () => openEdit(row) },
+							{
+								label: row.is_active ? 'Deactivate' : 'Reactivate',
+								onClick: () =>
+									row.is_active ? askDeactivate(row) : reactivate(row)
+							},
+							{
+								label: 'Delete',
+								danger: true,
+								disabled: !canDelete(row),
+								onClick: () => openDelete(row)
+							}
+						]}
+					/>
+				</div>
+			</div>
+		{/each}
+		{#if filtered.length === 0 && admins.length > 0}
+			<div class="row empty-row">No matches for "{search}".</div>
+		{/if}
+	</div>
+{/if}
+
+<!-- Invite modal -->
+{#if inviteOpen}
+	<div
+		class="modal-backdrop"
+		role="presentation"
+		onclick={(e) => {
+			if (e.target === e.currentTarget && !invitePending) inviteOpen = false;
+		}}
+	>
+		<form class="modal" onsubmit={submitInvite}>
+			<div class="modal-head">
+				<h2>Invite user</h2>
+				<button
+					type="button"
+					class="x"
+					aria-label="Close"
+					disabled={invitePending}
+					onclick={() => (inviteOpen = false)}>✕</button
+				>
+			</div>
+			<p class="modal-intro">
+				A random password will be generated and shown to you exactly once. PiCloud cannot send
+				email — copy and share through your own channel.
+			</p>
+			<label class="field">
+				<span>Username</span>
+				<input
+					type="text"
+					autocomplete="off"
+					spellcheck="false"
+					bind:value={inviteForm.username}
+					required
+				/>
+				<small>2–32 chars. Lowercase letters, digits, <code>.</code> <code>_</code> <code>-</code>.</small>
+				{#if inviteForm.username && !inviteUsernameValid}
+					<small class="invalid">Doesn't match the allowed pattern.</small>
+				{/if}
+			</label>
+			<label class="field">
+				<span>Email <span class="opt">(optional)</span></span>
+				<input
+					type="email"
+					autocomplete="off"
+					spellcheck="false"
+					bind:value={inviteForm.email}
+				/>
+				{#if !inviteEmailValid}
+					<small class="invalid">Doesn't look like an email address.</small>
+				{/if}
+			</label>
+			<fieldset class="field">
+				<legend>Role</legend>
+				<label class="radio">
+					<input type="radio" bind:group={inviteForm.instance_role} value="admin" />
+					<span>Admin — can manage users, scripts, and all apps.</span>
+				</label>
+				<label class="radio">
+					<input type="radio" bind:group={inviteForm.instance_role} value="member" />
+					<span>Member — only sees apps they're added to.</span>
+				</label>
+				<small>
+					Owners can't be created here — promote via Edit after creation.
+				</small>
+			</fieldset>
+			{#if inviteError}
+				<div class="error">{inviteError}</div>
+			{/if}
+			<div class="modal-actions">
+				<button type="button" class="ghost" onclick={() => (inviteOpen = false)} disabled={invitePending}>
+					Cancel
+				</button>
+				<button type="submit" class="primary" disabled={!canInvite}>
+					{invitePending ? 'Creating…' : 'Create user'}
+				</button>
+			</div>
+		</form>
+	</div>
+{/if}
+
+<!-- Edit modal -->
+{#if editTarget}
+	{@const target = editTarget}
+	<div
+		class="modal-backdrop"
+		role="presentation"
+		onclick={(e) => {
+			if (e.target === e.currentTarget && !editPending) editTarget = null;
+		}}
+	>
+		<form class="modal" onsubmit={submitEdit}>
+			<div class="modal-head">
+				<h2>Edit {target.username}</h2>
+				<button
+					type="button"
+					class="x"
+					aria-label="Close"
+					disabled={editPending}
+					onclick={() => (editTarget = null)}>✕</button
+				>
+			</div>
+			<label class="field">
+				<span>Username</span>
+				<input
+					type="text"
+					autocomplete="off"
+					spellcheck="false"
+					bind:value={editForm.username}
+					required
+				/>
+				{#if editForm.username && !editUsernameValid}
+					<small class="invalid">2–32 chars, lowercase + digits + . _ - only.</small>
+				{/if}
+			</label>
+			<label class="field">
+				<span>Email <span class="opt">(optional)</span></span>
+				<input
+					type="email"
+					autocomplete="off"
+					spellcheck="false"
+					bind:value={editForm.email}
+				/>
+				{#if !editEmailValid}
+					<small class="invalid">Doesn't look like an email address.</small>
+				{/if}
+			</label>
+			<label class="field">
+				<span>Role</span>
+				<select bind:value={editForm.instance_role}>
+					{#each editRoleOptions as r (r)}
+						<option value={r}>{r}</option>
+					{/each}
+				</select>
+				<small>
+					{#if target.instance_role === 'owner' && !isOwner}
+						Only owners can change another owner's role.
+					{:else if !isOwner}
+						Admins can grant admin or member; only owners can grant owner.
+					{:else}
+						The last active owner can't be demoted — the request will 422 if that's the case.
+					{/if}
+				</small>
+			</label>
+			{#if editError}
+				<div class="error">{editError}</div>
+			{/if}
+			<div class="modal-actions split">
+				<button type="button" class="ghost" onclick={resetPassword} disabled={editPending}>
+					Reset password
+				</button>
+				<div class="modal-actions">
+					<button
+						type="button"
+						class="ghost"
+						onclick={() => (editTarget = null)}
+						disabled={editPending}
+					>
+						Cancel
+					</button>
+					<button type="submit" class="primary" disabled={!canSubmitEdit}>
+						{editPending ? 'Saving…' : 'Save'}
+					</button>
+				</div>
+			</div>
+		</form>
+	</div>
+{/if}
+
+<!-- Password reveal (post-invite or post-reset) -->
+{#if revealPassword}
+	<div class="modal-backdrop" role="presentation">
+		<div class="modal reveal-modal">
+			<div class="modal-head">
+				<h2>
+					{revealKind === 'invite' ? 'User created' : 'Password reset'} — {revealForUsername}
+				</h2>
+			</div>
+			<p class="banner banner-warn">
+				Save this password now — it will never be shown again. PiCloud cannot send email yet,
+				so copy it and share through your own channel.
+			</p>
+			<div class="token-row">
+				<code class="token">{revealPassword}</code>
+				<button type="button" class="ghost" onclick={copyPassword}>
+					{copyState === 'copied' ? 'Copied ✓' : 'Copy'}
+				</button>
+			</div>
+			<label class="ack">
+				<input type="checkbox" bind:checked={revealAck} />
+				<span>I've shared this with the user.</span>
+			</label>
+			<div class="modal-actions">
+				<button type="button" class="primary" disabled={!revealAck} onclick={dismissReveal}>
+					Done
+				</button>
+			</div>
+		</div>
+	</div>
+{/if}
+
+<!-- Deactivate confirmation -->
+{#if deactivateTarget}
+	{@const dt = deactivateTarget}
+	<ConfirmModal
+		title="Deactivate {dt.username}?"
+		variant="danger"
+		confirmLabel="Deactivate"
+		busyLabel="Deactivating…"
+		busy={deactivatePending}
+		onConfirm={confirmDeactivate}
+		onCancel={() => (deactivateTarget = null)}
+	>
+		<p>
+			Deactivating signs <strong>{dt.username}</strong> out immediately and
+			expires <strong>every API key</strong> they hold. Their sessions and keys
+			won't come back if you reactivate — they'll need to log in again and
+			mint new keys.
+		</p>
+		<p class="muted">
+			Reactivation is one click — this isn't permanent.
+		</p>
+	</ConfirmModal>
+{/if}
+
+<!-- Delete confirmation -->
+{#if deleteTarget}
+	{@const dt = deleteTarget}
+	<ConfirmModal
+		title="Delete user?"
+		variant="danger"
+		confirmLabel="Delete user"
+		confirmPhrase={dt.username}
+		confirmPhrasePrompt="Type the username to confirm:"
+		busy={deletePending}
+		busyLabel="Deleting…"
+		onConfirm={confirmDelete}
+		onCancel={() => (deleteTarget = null)}
+	>
+		{#if me && me.id === dt.id}
+			<p>
+				You're about to delete <strong>your own</strong> account. You'll be signed out
+				immediately and won't be able to sign back in.
+			</p>
+		{:else}
+			<p>
+				This permanently removes <strong>{dt.username}</strong>, all their sessions, and all
+				their API keys. This cannot be undone.
+			</p>
+		{/if}
+		<p class="muted">
+			If they're the only remaining owner or active admin the server will reject the request
+			with a 422 — promote/activate someone else first.
+		</p>
+	</ConfirmModal>
+{/if}
+
+<style>
+	.head {
+		display: flex;
+		align-items: center;
+		justify-content: space-between;
+		gap: 1rem;
+		margin-bottom: 1.5rem;
+		flex-wrap: wrap;
+	}
+	.head h1 {
+		font-size: 1.25rem;
+		margin: 0;
+		color: #e2e8f0;
+	}
+	.head-controls {
+		display: flex;
+		gap: 0.5rem;
+		align-items: center;
+	}
+	.search {
+		background: #0b1220;
+		border: 1px solid #1e293b;
+		border-radius: 0.375rem;
+		padding: 0.5rem 0.75rem;
+		color: #e2e8f0;
+		font-size: 0.85rem;
+		min-width: 16rem;
+	}
+	.search:focus {
+		outline: none;
+		border-color: #38bdf8;
+	}
+
+	.banner {
+		padding: 0.55rem 0.85rem;
+		border-radius: 0.375rem;
+		margin-bottom: 1rem;
+		font-size: 0.85rem;
+	}
+	.banner-error {
+		background: #450a0a;
+		border: 1px solid #b91c1c;
+		color: #fecaca;
+	}
+	.banner-info {
+		background: #0c2a36;
+		border: 1px solid #155e75;
+		color: #a5f3fc;
+	}
+	.banner-warn {
+		background: #2a1d04;
+		border: 1px solid #ca8a04;
+		color: #fde68a;
+		margin: 0;
+	}
+
+	.empty {
+		color: #64748b;
+		text-align: center;
+		padding: 2.5rem 0;
+		border: 1px dashed #1e293b;
+		border-radius: 0.5rem;
+	}
+
+	.table {
+		display: flex;
+		flex-direction: column;
+		border: 1px solid #1e293b;
+		border-radius: 0.5rem;
+		background: #0b1220;
+		overflow: visible;
+	}
+	.row {
+		display: grid;
+		grid-template-columns: 1.3fr 0.7fr 1.5fr 0.9fr 0.8fr 0.9fr 2.5rem;
+		align-items: center;
+		gap: 0.75rem;
+		padding: 0.7rem 1rem;
+		border-bottom: 1px solid #1e293b;
+		font-size: 0.85rem;
+	}
+	.row:last-child {
+		border-bottom: none;
+	}
+	.head-row {
+		color: #94a3b8;
+		font-size: 0.7rem;
+		text-transform: uppercase;
+		letter-spacing: 0.05em;
+		background: #0f172a;
+	}
+	.empty-row {
+		grid-column: 1 / -1;
+		color: #64748b;
+		text-align: center;
+		padding: 1.25rem;
+	}
+	.name-cell {
+		display: flex;
+		align-items: baseline;
+		gap: 0.4rem;
+	}
+	.name {
+		color: #e2e8f0;
+		font-weight: 500;
+	}
+	.you-tag {
+		color: #64748b;
+		font-size: 0.72rem;
+	}
+	.email-cell {
+		color: #cbd5e1;
+		font-size: 0.82rem;
+		overflow: hidden;
+		text-overflow: ellipsis;
+		white-space: nowrap;
+	}
+	.status {
+		font-size: 0.8rem;
+	}
+	.status-active {
+		color: #34d399;
+	}
+	.status-inactive {
+		color: #64748b;
+	}
+	.actions-col {
+		display: flex;
+		justify-content: flex-end;
+	}
+
+	button.primary {
+		background: #38bdf8;
+		color: #0b1220;
+		border: none;
+		padding: 0.5rem 0.9rem;
+		border-radius: 0.375rem;
+		font-weight: 600;
+		cursor: pointer;
+		font-size: 0.85rem;
+	}
+	button.primary:disabled {
+		opacity: 0.6;
+		cursor: not-allowed;
+	}
+	button.ghost {
+		background: transparent;
+		color: #94a3b8;
+		border: 1px solid #334155;
+		padding: 0.45rem 0.85rem;
+		border-radius: 0.375rem;
+		cursor: pointer;
+		font-size: 0.85rem;
+	}
+	button.ghost:hover {
+		background: #1e293b;
+		color: #e2e8f0;
+	}
+
+	.error {
+		background: #450a0a;
+		border: 1px solid #b91c1c;
+		color: #fecaca;
+		padding: 0.55rem 0.8rem;
+		border-radius: 0.375rem;
+		font-size: 0.85rem;
+		display: flex;
+		align-items: center;
+		justify-content: space-between;
+		gap: 1rem;
+	}
+	.retry {
+		background: transparent;
+		border: 1px solid #b91c1c;
+		color: #fecaca;
+		padding: 0.2rem 0.55rem;
+		border-radius: 0.25rem;
+		cursor: pointer;
+		font-size: 0.75rem;
+	}
+
+	.modal-backdrop {
+		position: fixed;
+		inset: 0;
+		background: rgba(2, 6, 23, 0.7);
+		display: flex;
+		align-items: center;
+		justify-content: center;
+		padding: 1rem;
+		z-index: 50;
+	}
+	.modal {
+		background: #0b1220;
+		border: 1px solid #334155;
+		border-radius: 0.5rem;
+		padding: 1.5rem;
+		width: 100%;
+		max-width: 28rem;
+		max-height: calc(100vh - 2rem);
+		overflow-y: auto;
+		display: flex;
+		flex-direction: column;
+		gap: 1rem;
+		box-shadow: 0 25px 50px -12px rgba(0, 0, 0, 0.7);
+	}
+	.reveal-modal {
+		border-color: #ca8a04;
+	}
+	.modal-head {
+		display: flex;
+		align-items: center;
+		justify-content: space-between;
+	}
+	.modal h2 {
+		margin: 0;
+		font-size: 1rem;
+		color: #e2e8f0;
+	}
+	.x {
+		background: transparent;
+		border: none;
+		color: #64748b;
+		font-size: 1.1rem;
+		cursor: pointer;
+	}
+	.x:hover {
+		color: #e2e8f0;
+	}
+	.modal-intro {
+		margin: 0;
+		font-size: 0.82rem;
+		color: #94a3b8;
+		line-height: 1.45;
+	}
+	.field {
+		display: flex;
+		flex-direction: column;
+		gap: 0.3rem;
+		font-size: 0.85rem;
+		color: #cbd5e1;
+		border: none;
+		padding: 0;
+		margin: 0;
+	}
+	.field legend {
+		font-size: 0.85rem;
+		color: #cbd5e1;
+		padding: 0;
+		margin-bottom: 0.3rem;
+	}
+	.field input[type='text'],
+	.field input[type='email'],
+	.field select {
+		background: #0f172a;
+		color: #e2e8f0;
+		border: 1px solid #1e293b;
+		border-radius: 0.375rem;
+		padding: 0.5rem 0.7rem;
+		font-size: 0.9rem;
+	}
+	.field input:focus,
+	.field select:focus {
+		outline: none;
+		border-color: #38bdf8;
+	}
+	.field small {
+		color: #64748b;
+		font-size: 0.72rem;
+	}
+	.field small.invalid {
+		color: #fca5a5;
+	}
+	.field small code {
+		background: #1e293b;
+		color: #cbd5e1;
+		padding: 0 0.2rem;
+		border-radius: 0.2rem;
+	}
+	.opt {
+		color: #64748b;
+		font-weight: 400;
+	}
+
+	.radio {
+		display: flex;
+		align-items: center;
+		gap: 0.5rem;
+		padding: 0.25rem 0;
+		font-size: 0.82rem;
+		color: #cbd5e1;
+	}
+
+
+	.token-row {
+		display: flex;
+		align-items: stretch;
+		gap: 0.5rem;
+	}
+	.token {
+		flex: 1;
+		background: #020617;
+		border: 1px solid #1e293b;
+		border-radius: 0.375rem;
+		padding: 0.6rem 0.75rem;
+		color: #e2e8f0;
+		font-family: ui-monospace, SFMono-Regular, Menlo, monospace;
+		font-size: 0.85rem;
+		overflow-x: auto;
+		white-space: nowrap;
+	}
+	.ack {
+		display: flex;
+		align-items: center;
+		gap: 0.5rem;
+		font-size: 0.85rem;
+		color: #cbd5e1;
+		cursor: pointer;
+	}
+
+	.modal-actions {
+		display: flex;
+		justify-content: flex-end;
+		gap: 0.5rem;
+	}
+	.modal-actions.split {
+		justify-content: space-between;
+	}
+
+	.muted {
+		color: #94a3b8;
+	}
+</style>

dashboard/tests/e2e/README.md

@@ -0,0 +1,75 @@
+# Dashboard E2E tests
+
+Browser-driven tests for the PiCloud dashboard, powered by [Playwright].
+
+## Prerequisites
+
+The tests drive a real dashboard against a real backend. Bring up both
+before running:
+
+```sh
+# 1. Postgres
+docker compose up -d postgres
+
+# 2. Backend (port 18080 matches dashboard/vite.config.ts dev proxy)
+PICLOUD_BIND=127.0.0.1:18080 \
+PICLOUD_ADMIN_USERNAME=admin \
+PICLOUD_ADMIN_PASSWORD=admin \
+DATABASE_URL=postgres://picloud:picloud@127.0.0.1:15432/picloud \
+cargo run -p picloud
+
+# 3. Browser binaries (one-time, ~200 MB)
+cd dashboard && npm run test:e2e:install
+```
+
+The Vite dev server is started automatically by Playwright's `webServer`
+config — you do not need to run `npm run dev` yourself.
+
+## Running
+
+```sh
+cd dashboard
+npm run test:e2e          # headless, full suite
+npm run test:e2e:ui       # interactive UI runner
+npx playwright test smoke # run a single spec
+npx playwright show-report
+```
+
+## Env vars
+
+| Var                      | Default                  | Notes                                                             |
+| ------------------------ | ------------------------ | ----------------------------------------------------------------- |
+| `E2E_BASE_URL`           | `http://localhost:5173`  | Origin tests navigate against (dashboard is mounted at `/admin`). |
+| `E2E_API_BASE`           | `http://127.0.0.1:18080` | Backend used by globalSetup health probe + admin login.           |
+| `E2E_DASHBOARD_ORIGIN`   | `http://localhost:5173`  | Used to seed `localStorage` during globalSetup.                   |
+| `E2E_ADMIN_USERNAME`     | `admin`                  | Bootstrap admin to log in as.                                     |
+| `E2E_ADMIN_PASSWORD`     | `admin`                  | Match `PICLOUD_ADMIN_PASSWORD` above.                             |
+| `PICLOUD_DASHBOARD_PORT` | `5173`                   | Dev server port — picked up by both Vite and Playwright.          |
+
+## How isolation works
+
+Tests share one backend + one Postgres. To avoid cross-test interference:
+
+- A shared bootstrap admin session is captured once in
+  `tests/e2e/.auth/admin.json` (gitignored) and reused by every test via
+  `storageState`.
+- Each test creates resources with a unique slug / username produced by
+  `fixtures/ids.ts` (`e2e-<prefix>-w<worker>-<random>`).
+- Each test registers cleanup via `fixtures/cleanup.ts` and tears down
+  in `afterEach`. Cleanup is best-effort: a missing resource doesn't
+  fail the suite, so a test can pre-delete and still register the entry.
+
+## Layout
+
+```
+tests/e2e/
+  global-setup.ts          # health probe + admin login + storageState seed
+  smoke.spec.ts            # A.5 smoke
+  fixtures/
+    auth.ts                # UI login/logout helpers (for login-flow specs)
+    api.ts                 # bearer-token-backed APIRequestContext
+    ids.ts                 # unique slug/username generators (test-fixture)
+    cleanup.ts             # afterEach resource teardown
+```
+
+[Playwright]: https://playwright.dev