fix(admin-keys): address crew review findings for #32

R1 (blocking) — Renew button no longer disables debug:
  - Detail page now uses two separate forms: one POSTs debug_enabled=0
    (disable), the other POSTs action=renew (refresh TTL). Route handler
    treats action=renew as setDebugEnabled(id, true) and audits
    key.debug_renew. Added a test that verifies debug_expires_at moves
    forward.

R2 (blocking) — Server-side debug gate + CSP-clean scripts:
  - CSP default-src 'self' was blocking the inline confirmation modal
    AND the inline onclick/onsubmit handlers — the entire "two-click"
    debug gate was effectively bypassed.
  - Moved all admin keys JS to src/admin/assets/keys.js (loaded via
    <script src>), eliminating dangerouslySetInnerHTML and inline event
    handlers. Forms now use data-confirm attributes wired by
    addEventListener in keys.js.
  - Added a real server-side gate: POST /admin/keys/new and
    /:id/debug REJECT debug_enabled=1 unless body[debug_confirm]==yes.
    The modal sets the field to "yes" after acknowledgement; without JS
    debug cannot be enabled at all (safer default).

R3 (blocking) — Stale-aware debug-active checks:
  - Added isDebugActive(row) helper: single source of truth combining
    debug_enabled, revoked_at, and debug_expires_at vs now.
  - countActiveDebugKeys() now filters by debug_expires_at > now in SQL,
    so the banner cannot lie between sweeps.
  - List/detail components use isDebugActive() everywhere.
  - Shortened sweeper interval from 5 min to 60 s.

C3+C4 — Empty allowed_models + NaN page param:
  - parseAllowedModels returns {explicit, models}; empty-when-explicit
    is rejected with 400 instead of silently widening to ["*"].
  - Hidden allowed_models_present=1 sentinel in the form distinguishes
    "no field" (default to ["*"]) from "field cleared" (reject).
  - parsePageParam guards against NaN: ?page=abc → page 1.

C11 — Best-effort audit:
  - safeAudit() wraps audit() calls so a failed JSONL append (disk full,
    etc.) logs to consola.error instead of returning 500 to the user.
    The mutation is already durable in the DB at that point.

C9 — Missing tests (10 new):
  - renew bumps debug_expires_at forward
  - server rejects debug_enabled=1 without debug_confirm
  - countActiveDebugKeys + isDebugActive exclude TTL-expired keys
  - GET /admin/keys/<non-uuid> → 404 (no DB hit)
  - POST /admin/keys/<non-uuid>/revoke → 404
  - Label >200 chars rejected
  - Label with <script> rendered as escaped text on list page
  - Empty allowed_models rejected with explicit error
  - Missing allowed_models field still defaults to ["*"]
  - GET /admin/keys?page=abc → page 1 (no NaN)
  - GET /admin/keys/created?flash=<unknown> → 410 with explicit error
  - Static asset /admin/assets/keys.js served with javascript MIME

Also: per C2, the consumeFlash miss now renders 410 Gone with an
explicit error message instead of silently redirecting to /admin/keys.

416/416 tests pass.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Author: HXYerror

eslint.config.js

@@ -4,4 +4,5 @@ export default config({
   prettier: {
     plugins: ["prettier-plugin-packagejson"],
   },
+  ignores: ["src/admin/assets/**/*.js"],
 })

src/admin/assets/keys.js

@@ -0,0 +1,137 @@
+// Copilot API Admin — keys management interactivity
+// Loaded as an external script under default-src 'self' CSP.
+// No inline event handlers — all DOM wiring via addEventListener.
+(function () {
+  "use strict"
+
+  // ---------------------------------------------------------------------------
+  // Debug-checkbox confirmation modal (new key form)
+  // ---------------------------------------------------------------------------
+  function wireNewKeyDebugModal() {
+    var cb = document.getElementById("debug-checkbox")
+    var modal = document.getElementById("debug-modal")
+    var confirmBtn = document.getElementById("debug-confirm")
+    var cancelBtn = document.getElementById("debug-cancel")
+    var hiddenConfirm = document.getElementById("debug-confirm-field")
+    if (!cb || !modal || !confirmBtn || !cancelBtn || !hiddenConfirm) return
+    var confirmed = false
+
+    cb.addEventListener("change", function () {
+      if (cb.checked && !confirmed) {
+        cb.checked = false
+        modal.style.display = "flex"
+      } else if (!cb.checked) {
+        confirmed = false
+        hiddenConfirm.value = ""
+      }
+    })
+
+    confirmBtn.addEventListener("click", function () {
+      confirmed = true
+      cb.checked = true
+      hiddenConfirm.value = "yes"
+      modal.style.display = "none"
+    })
+
+    cancelBtn.addEventListener("click", function () {
+      confirmed = false
+      cb.checked = false
+      hiddenConfirm.value = ""
+      modal.style.display = "none"
+    })
+  }
+
+  // ---------------------------------------------------------------------------
+  // Debug-enable button confirmation modal (detail page)
+  // ---------------------------------------------------------------------------
+  function wireDetailDebugModal() {
+    var btn = document.getElementById("debug-btn")
+    var modal = document.getElementById("debug-modal")
+    var form = document.getElementById("debug-form")
+    var confirmBtn = document.getElementById("debug-confirm")
+    var cancelBtn = document.getElementById("debug-cancel")
+    var hiddenConfirm = document.getElementById("debug-confirm-field")
+    if (!btn || !modal || !form || !confirmBtn || !cancelBtn || !hiddenConfirm)
+      return
+
+    btn.addEventListener("click", function (e) {
+      e.preventDefault()
+      modal.style.display = "flex"
+    })
+
+    confirmBtn.addEventListener("click", function () {
+      hiddenConfirm.value = "yes"
+      modal.style.display = "none"
+      form.submit()
+    })
+
+    cancelBtn.addEventListener("click", function () {
+      modal.style.display = "none"
+    })
+  }
+
+  // ---------------------------------------------------------------------------
+  // Revoke-confirm dialogs (replaces inline onsubmit="return confirm(...)")
+  // ---------------------------------------------------------------------------
+  function wireRevokeForms() {
+    var forms = document.querySelectorAll("form[data-confirm]")
+    Array.prototype.forEach.call(forms, function (form) {
+      form.addEventListener("submit", function (e) {
+        var msg = form.getAttribute("data-confirm") || "Are you sure?"
+        if (!window.confirm(msg)) e.preventDefault()
+      })
+    })
+  }
+
+  // ---------------------------------------------------------------------------
+  // Created-page: copy button + "I have copied" gate + beforeunload guard
+  // ---------------------------------------------------------------------------
+  function wireKeyCreatedPage() {
+    var keyEl = document.getElementById("plain-key")
+    var copyBtn = document.getElementById("copy-btn")
+    var gate = document.getElementById("copied-gate")
+    var link = document.getElementById("continue-link")
+    if (!keyEl || !copyBtn || !gate || !link) return
+
+    copyBtn.addEventListener("click", function () {
+      var text = keyEl.textContent || ""
+      if (navigator.clipboard && navigator.clipboard.writeText) {
+        navigator.clipboard.writeText(text).then(
+          function () {
+            copyBtn.textContent = "Copied!"
+          },
+          function () {
+            copyBtn.textContent = "Copy failed"
+          },
+        )
+      }
+    })
+
+    gate.addEventListener("change", function () {
+      link.style.pointerEvents = gate.checked ? "" : "none"
+      link.style.opacity = gate.checked ? "1" : "0.5"
+    })
+
+    window.addEventListener("beforeunload", function (e) {
+      if (!gate.checked) {
+        e.preventDefault()
+        e.returnValue = "Have you copied your API key?"
+      }
+    })
+  }
+
+  // Run all wirings once the DOM is ready.
+  if (document.readyState === "loading") {
+    document.addEventListener("DOMContentLoaded", function () {
+      wireNewKeyDebugModal()
+      wireDetailDebugModal()
+      wireRevokeForms()
+      wireKeyCreatedPage()
+    })
+  } else {
+    wireNewKeyDebugModal()
+    wireDetailDebugModal()
+    wireRevokeForms()
+    wireKeyCreatedPage()
+  }
+})()

src/admin/keys/detail.tsx

@@ -3,6 +3,8 @@ import type { FC } from "hono/jsx"
 
 import type { KeyRow } from "~/services/keys"
 
+import { isDebugActive } from "~/services/keys"
+
 import { fmtDate, fmtModels } from "./list"
 
 // ---------------------------------------------------------------------------
@@ -13,7 +15,7 @@ const KeyMeta: FC<{ row: KeyRow; expiresStr: string }> = ({
   row,
   expiresStr,
 }) => {
-  const debugOn = row.debug_enabled === 1
+  const debugOn = isDebugActive(row)
   return (
     <div class="key-meta">
       <dl>
@@ -96,37 +98,35 @@ const DebugEnabledControls: FC<{
       Debug is <strong>ON</strong>. Traces persist in plaintext. Retention:{" "}
       {tracesDays} days.{expiresStr}
     </p>
-    <form method="post" action={`/admin/keys/${row.id}/debug`}>
+    {/* Disable form */}
+    <form
+      method="post"
+      action={`/admin/keys/${row.id}/debug`}
+      style="display:inline"
+    >
       <input type="hidden" name="csrf_token" value={csrfToken} />
       <input type="hidden" name="debug_enabled" value="0" />
       <button type="submit" class="btn btn-sm">
         Disable Debug
       </button>
-      <button
-        type="submit"
-        name="renew"
-        value="1"
-        class="btn btn-sm btn-warning"
-      >
+    </form>
+    {/* Renew form: separate POST with action=renew so the handler bumps TTL
+        instead of clearing it (the previous shared form silently disabled). */}
+    <form
+      method="post"
+      action={`/admin/keys/${row.id}/debug`}
+      style="display:inline"
+    >
+      <input type="hidden" name="csrf_token" value={csrfToken} />
+      <input type="hidden" name="action" value="renew" />
+      <input type="hidden" name="debug_confirm" value="yes" />
+      <button type="submit" class="btn btn-sm btn-warning">
         Renew 24h TTL
       </button>
     </form>
   </>
 )
 
-const DEBUG_ENABLE_SCRIPT = `
-(function(){
-  var btn = document.getElementById('debug-btn');
-  var modal = document.getElementById('debug-modal');
-  var form = document.getElementById('debug-form');
-  var confirmBtn = document.getElementById('debug-confirm');
-  var cancelBtn = document.getElementById('debug-cancel');
-  btn.addEventListener('click', function(e){ e.preventDefault(); modal.style.display='flex'; });
-  confirmBtn.addEventListener('click', function(){ modal.style.display='none'; form.submit(); });
-  cancelBtn.addEventListener('click', function(){ modal.style.display='none'; });
-})();
-`.trim()
-
 const DebugDisabledControls: FC<{
   row: KeyRow
   csrfToken: string
@@ -158,14 +158,18 @@ const DebugDisabledControls: FC<{
     <form method="post" action={`/admin/keys/${row.id}/debug`} id="debug-form">
       <input type="hidden" name="csrf_token" value={csrfToken} />
       <input type="hidden" name="debug_enabled" value="1" />
+      {/* keys.js sets this to "yes" after the modal is acknowledged.
+          The server REJECTS debug_enabled=1 without it. */}
+      <input
+        type="hidden"
+        id="debug-confirm-field"
+        name="debug_confirm"
+        value=""
+      />
       <button type="submit" id="debug-btn" class="btn btn-warning">
         Enable Debug (24h)
       </button>
     </form>
-    <script
-      // biome-ignore lint/security/noDangerouslySetInnerHtml: intentional inline script for admin-only page
-      dangerouslySetInnerHTML={{ __html: DEBUG_ENABLE_SCRIPT }}
-    />
   </>
 )
 
@@ -178,7 +182,7 @@ const RevokeSection: FC<{ row: KeyRow; csrfToken: string }> = ({
     <form
       method="post"
       action={`/admin/keys/${row.id}/revoke`}
-      onsubmit="return confirm('Revoke this key? This cannot be undone.')"
+      data-confirm="Revoke this key? This cannot be undone."
     >
       <input type="hidden" name="csrf_token" value={csrfToken} />
       <button type="submit" class="btn btn-danger">
@@ -208,7 +212,7 @@ export const KeyDetail: FC<KeyDetailProps> = ({
   success,
 }) => {
   const isRevoked = row.revoked_at !== null
-  const debugOn = row.debug_enabled === 1
+  const debugOn = isDebugActive(row)
   const idSuffix = row.id.slice(-8)
   const expiresStr =
     row.debug_expires_at ?
@@ -264,6 +268,7 @@ export const KeyDetail: FC<KeyDetailProps> = ({
           <RevokeSection row={row} csrfToken={csrfToken} />
         </>
       )}
+      <script src="/admin/assets/keys.js" />
     </div>
   )
 }

src/admin/keys/list.tsx

@@ -3,6 +3,8 @@ import type { FC } from "hono/jsx"
 
 import type { KeyRow } from "~/services/keys"
 
+import { isDebugActive } from "~/services/keys"
+
 // ---------------------------------------------------------------------------
 // Shared helpers
 // ---------------------------------------------------------------------------
@@ -91,6 +93,7 @@ export const KeyList: FC<KeyListProps> = ({
           </a>
         )}
       </div>
+      <script src="/admin/assets/keys.js" />
     </div>
   )
 }
@@ -106,7 +109,7 @@ interface KeyRowProps {
 
 const KeyRow: FC<KeyRowProps> = ({ row, csrfToken }) => {
   const isRevoked = row.revoked_at !== null
-  const debugOn = row.debug_enabled === 1
+  const debugOn = isDebugActive(row)
   const idSuffix = row.id.slice(-8)
   const expiresStr =
     row.debug_expires_at ? ` (exp ${fmtDate(row.debug_expires_at)})` : ""
@@ -148,7 +151,7 @@ const KeyRow: FC<KeyRowProps> = ({ row, csrfToken }) => {
             method="post"
             action={`/admin/keys/${row.id}/revoke`}
             class="inline-form"
-            onsubmit="return confirm('Revoke this key? This cannot be undone.')"
+            data-confirm="Revoke this key? This cannot be undone."
           >
             <input type="hidden" name="csrf_token" value={csrfToken} />
             <button type="submit" class="btn btn-sm btn-danger">