feat: full embedded dashboard + auth fix + dev mode key logging

Dashboard:
- Overview: key stats, active connections, uptime, recent audit
- Keys: list with state filter tabs, create, activate, revoke, detail view
- Connections: active KMIP client connections
- Audit: full audit log with operation/status/client detail
- Shared dark theme (same as PKI server)
- Auth via ?key= URL parameter when API key is set
- Dashboard auth-protected when API key configured

Fixes:
- Dev mode logs full API key (needed for usage, it's auto-generated)
- Dashboard auth conditional on API key being set

Author: lgutschow

internal/api/api.go

@@ -152,8 +152,15 @@ func (a *API) Serve(addr string) error {
 	mux.HandleFunc("GET /v1/status", a.auth(a.handleStatus))
 	mux.HandleFunc("GET /v1/audit", a.auth(a.handleAuditLog))
 	mux.HandleFunc("GET /v1/inventory", a.auth(a.handleInventory))
-	mux.HandleFunc("GET /metrics", a.handleMetrics)
-	mux.Handle("/ui/", http.StripPrefix("/ui", dashboard.Handler()))
+	mux.HandleFunc("GET /metrics", a.handleMetrics) // public for Prometheus scraping
+	// Dashboard auth-protected when API key is set
+	if a.apiKey != "" {
+		mux.HandleFunc("/ui/", a.auth(func(w http.ResponseWriter, r *http.Request) {
+			http.StripPrefix("/ui", dashboard.Handler()).ServeHTTP(w, r)
+		}))
+	} else {
+		mux.Handle("/ui/", http.StripPrefix("/ui", dashboard.Handler()))
+	}
 
 	handler := a.rateLimitMiddleware(a.limitBodyMiddleware(a.corsMiddleware(mux)))
 

internal/dashboard/static/index.html

@@ -1,4 +1,257 @@
 <!DOCTYPE html>
-<html><head><title>Cyphera Open KMIP Server</title></head>
-<body><h1>Open KMIP Server</h1><p>Dashboard coming soon.</p></body>
+<html lang="en">
+<head>
+<meta charset="utf-8">
+<meta name="viewport" content="width=device-width, initial-scale=1">
+<title>Cyphera Open KMIP Server</title>
+<link rel="stylesheet" href="theme.css">
+</head>
+<body>
+<div class="shell">
+  <div class="sidebar">
+    <div class="logo">
+      <h1>Open KMIP</h1>
+      <span>Cyphera Labs</span>
+    </div>
+    <nav>
+      <a href="#" data-page="overview" class="active">Overview</a>
+      <a href="#" data-page="keys">Keys</a>
+      <a href="#" data-page="connections">Connections</a>
+      <a href="#" data-page="audit">Audit Log</a>
+    </nav>
+  </div>
+  <div class="main">
+
+    <!-- Overview -->
+    <div id="page-overview" class="page active">
+      <h2>Overview</h2>
+      <div class="stats" id="stats"></div>
+      <div class="section">
+        <h3 style="margin-bottom:12px">Recent Activity</h3>
+        <div id="recent-audit"></div>
+      </div>
+    </div>
+
+    <!-- Keys -->
+    <div id="page-keys" class="page">
+      <div style="display:flex;justify-content:space-between;align-items:center;margin-bottom:16px">
+        <h2>Managed Keys</h2>
+        <button class="btn btn-primary btn-sm" onclick="showCreateKey()">Create Key</button>
+      </div>
+      <div class="filter-tabs">
+        <button class="btn btn-sm" style="background:var(--surface2);color:var(--text)" onclick="loadKeys()">All</button>
+        <button class="btn btn-sm" style="background:rgba(99,102,241,0.15);color:var(--accent2)" onclick="loadKeys('pre-active')">Pre-Active</button>
+        <button class="btn btn-sm" style="background:rgba(34,197,94,0.15);color:var(--green)" onclick="loadKeys('active')">Active</button>
+        <button class="btn btn-sm" style="background:rgba(239,68,68,0.15);color:var(--red)" onclick="loadKeys('compromised')">Revoked</button>
+      </div>
+      <table>
+        <thead><tr><th>Name</th><th>UID</th><th>Algorithm</th><th>Length</th><th>State</th><th>Created</th><th></th></tr></thead>
+        <tbody id="key-table"></tbody>
+      </table>
+    </div>
+
+    <!-- Key Detail -->
+    <div id="page-key-detail" class="page">
+      <h2>Key Detail</h2>
+      <div id="key-detail-content"></div>
+    </div>
+
+    <!-- Create Key -->
+    <div id="page-create-key" class="page">
+      <h2>Create Key</h2>
+      <div class="detail">
+        <div class="detail-grid" style="max-width:400px">
+          <div class="label">Name</div><div><input id="ck-name" style="background:var(--bg);border:1px solid var(--border);color:var(--text);padding:6px 10px;border-radius:4px;width:100%" placeholder="my-aes-key"></div>
+          <div class="label">Algorithm</div><div><select id="ck-algo" style="background:var(--bg);border:1px solid var(--border);color:var(--text);padding:6px 10px;border-radius:4px"><option value="AES">AES</option><option value="CHACHA20">ChaCha20</option></select></div>
+          <div class="label">Length</div><div><select id="ck-length" style="background:var(--bg);border:1px solid var(--border);color:var(--text);padding:6px 10px;border-radius:4px"><option value="128">128</option><option value="256" selected>256</option></select></div>
+        </div>
+        <div style="margin-top:16px">
+          <button class="btn btn-primary" onclick="createKey()">Create</button>
+          <button class="btn btn-sm" style="background:var(--surface2);color:var(--text);margin-left:8px" onclick="showPage('keys')">Cancel</button>
+        </div>
+      </div>
+    </div>
+
+    <!-- Connections -->
+    <div id="page-connections" class="page">
+      <h2>Active Connections</h2>
+      <table>
+        <thead><tr><th>Client CN</th><th>Remote Address</th><th>Connected</th><th>Operations</th><th>Last Op</th></tr></thead>
+        <tbody id="conn-table"></tbody>
+      </table>
+    </div>
+
+    <!-- Audit -->
+    <div id="page-audit" class="page">
+      <h2>Audit Log</h2>
+      <div id="audit-list"></div>
+    </div>
+  </div>
+</div>
+
+<script>
+const API_KEY = new URLSearchParams(window.location.search).get('key') || '';
+const headers = API_KEY ? {'Authorization': `Bearer ${API_KEY}`} : {};
+
+async function api(path) {
+  const r = await fetch(path, {headers});
+  return r.json();
+}
+async function apiPost(path, body) {
+  const r = await fetch(path, {method:'POST', headers:{...headers,'Content-Type':'application/json'}, body:JSON.stringify(body)});
+  return r.json();
+}
+
+const algoName = {3:'AES',4:'RSA',6:'ECDSA',0x1E:'ChaCha20'};
+
+// Nav
+document.querySelectorAll('[data-page]').forEach(a => {
+  a.addEventListener('click', e => { e.preventDefault(); showPage(a.dataset.page); });
+});
+function showPage(name) {
+  document.querySelectorAll('.page').forEach(p => p.classList.remove('active'));
+  document.querySelectorAll('[data-page]').forEach(a => a.classList.remove('active'));
+  document.getElementById('page-'+name).classList.add('active');
+  document.querySelector('[data-page="'+name+'"]')?.classList.add('active');
+  if(name==='overview') loadOverview();
+  if(name==='keys') loadKeys();
+  if(name==='connections') loadConnections();
+  if(name==='audit') loadAudit();
+}
+
+// Overview
+async function loadOverview() {
+  const s = await api('/v1/status');
+  const k = s.keys || {};
+  document.getElementById('stats').innerHTML = `
+    <div class="stat"><div class="label">Total Keys</div><div class="value">${k.total||0}</div></div>
+    <div class="stat"><div class="label">Active</div><div class="value green">${k.active||0}</div></div>
+    <div class="stat"><div class="label">Pre-Active</div><div class="value">${k.pre_active||0}</div></div>
+    <div class="stat"><div class="label">Revoked</div><div class="value red">${k.compromised||0}</div></div>
+    <div class="stat"><div class="label">Connections</div><div class="value">${s.connections||0}</div></div>
+    <div class="stat"><div class="label">Uptime</div><div class="value">${Math.floor((s.uptime_seconds||0)/60)}m</div></div>
+  `;
+  const audit = await api('/v1/audit?limit=10');
+  const entries = audit.entries || [];
+  document.getElementById('recent-audit').innerHTML = entries.map(e => `
+    <div class="audit-entry">
+      <span class="audit-action">${e.operation}</span>
+      <span class="mono" style="margin-left:8px">${e.object_uid||''}</span>
+      <span class="badge badge-${e.status==='success'?'active':'revoked'}" style="margin-left:8px">${e.status}</span>
+      <div class="audit-details">${e.source} — ${e.client_id||'anonymous'} — ${e.remote_addr||''}</div>
+    </div>
+  `).join('') || '<div class="loading">No events yet</div>';
+}
+
+// Keys
+async function loadKeys(stateFilter) {
+  const data = await api('/v1/keys');
+  let keys = data.keys || [];
+  if(stateFilter) keys = keys.filter(k => k.state === stateFilter);
+  document.getElementById('key-table').innerHTML = keys.map(k => `
+    <tr>
+      <td><a href="#" onclick="showKeyDetail('${k.uid}');return false">${k.name||'(unnamed)'}</a></td>
+      <td class="mono truncate">${k.uid}</td>
+      <td>${algoName[k.algorithm]||k.algorithm}</td>
+      <td>${k.length}</td>
+      <td><span class="badge badge-${k.state}">${k.state}</span></td>
+      <td class="mono">${(k.created_at||'').split('T')[0]}</td>
+      <td>
+        ${k.state==='pre-active'?`<button class="btn btn-primary btn-sm" onclick="activateKey('${k.uid}')">Activate</button>`:''}
+        ${k.state==='active'?`<button class="btn btn-danger btn-sm" onclick="revokeKey('${k.uid}')">Revoke</button>`:''}
+      </td>
+    </tr>
+  `).join('') || '<tr><td colspan="7" class="loading">No keys</td></tr>';
+}
+
+async function showKeyDetail(uid) {
+  const k = await api('/v1/keys/'+uid);
+  document.querySelectorAll('.page').forEach(p => p.classList.remove('active'));
+  document.getElementById('page-key-detail').classList.add('active');
+  document.getElementById('key-detail-content').innerHTML = `
+    <div class="detail">
+      <h3>${k.name||'(unnamed)'}</h3>
+      <div class="detail-grid">
+        <div class="label">UID</div><div class="val mono">${k.uid}</div>
+        <div class="label">Algorithm</div><div class="val">${algoName[k.algorithm]||k.algorithm}</div>
+        <div class="label">Length</div><div class="val">${k.length} bits</div>
+        <div class="label">State</div><div class="val"><span class="badge badge-${k.state}">${k.state}</span></div>
+        <div class="label">Object Type</div><div class="val">${k.object_type===2?'Symmetric Key':k.object_type===3?'Public Key':k.object_type===4?'Private Key':'Type '+k.object_type}</div>
+        <div class="label">Usage Mask</div><div class="val mono">0x${(k.usage_mask||0).toString(16).padStart(8,'0')}</div>
+        <div class="label">Created</div><div class="val mono">${k.created_at||''}</div>
+      </div>
+      <div style="margin-top:16px;display:flex;gap:8px">
+        ${k.state==='pre-active'?'<button class="btn btn-primary btn-sm" onclick="activateKey(\''+k.uid+'\')">Activate</button>':''}
+        ${k.state==='active'?'<button class="btn btn-danger btn-sm" onclick="revokeKey(\''+k.uid+'\')">Revoke</button>':''}
+        <button class="btn btn-sm" style="background:var(--surface2);color:var(--text)" onclick="showPage('keys')">Back</button>
+      </div>
+    </div>
+  `;
+}
+
+function showCreateKey() {
+  document.querySelectorAll('.page').forEach(p => p.classList.remove('active'));
+  document.getElementById('page-create-key').classList.add('active');
+}
+
+async function createKey() {
+  const name = document.getElementById('ck-name').value;
+  const algo = document.getElementById('ck-algo').value;
+  const length = parseInt(document.getElementById('ck-length').value);
+  if(!name) { alert('Name required'); return; }
+  const result = await apiPost('/v1/keys', {name, algorithm:algo, length});
+  if(result.uid) {
+    showKeyDetail(result.uid);
+  } else {
+    alert(result.error || 'Failed');
+  }
+}
+
+async function activateKey(uid) {
+  await apiPost('/v1/keys/'+uid+'/activate', {});
+  loadKeys();
+}
+
+async function revokeKey(uid) {
+  if(!confirm('Revoke key '+uid+'?')) return;
+  await apiPost('/v1/keys/'+uid+'/revoke', {reason:1});
+  loadKeys();
+}
+
+// Connections
+async function loadConnections() {
+  const data = await api('/v1/connections');
+  const conns = data.connections || [];
+  document.getElementById('conn-table').innerHTML = conns.map(c => `
+    <tr>
+      <td>${c.client_cn||'unknown'}</td>
+      <td class="mono">${c.remote_addr}</td>
+      <td class="mono">${(c.connected_at||'').replace('T',' ').split('.')[0]}</td>
+      <td>${c.operations}</td>
+      <td>${c.last_op||''}</td>
+    </tr>
+  `).join('') || '<tr><td colspan="5" class="loading">No active connections</td></tr>';
+}
+
+// Audit
+async function loadAudit() {
+  const data = await api('/v1/audit?limit=100');
+  const entries = data.entries || [];
+  document.getElementById('audit-list').innerHTML = entries.map(e => `
+    <div class="audit-entry">
+      <div>
+        <span class="audit-action">${e.operation}</span>
+        <span class="mono" style="margin-left:8px">${e.object_uid||''}</span>
+        <span class="badge badge-${e.status==='success'?'active':'revoked'}" style="margin-left:8px;font-size:10px">${e.status}</span>
+        <span class="audit-time" style="float:right">${(e.timestamp||'').replace('T',' ').split('.')[0]}</span>
+      </div>
+      <div class="audit-details">${e.source} — ${e.client_id||'anonymous'} — ${e.message||''}</div>
+    </div>
+  `).join('') || '<div class="loading">No audit events</div>';
+}
+
+// Init
+loadOverview();
+</script>
+</body>
 </html>

internal/dashboard/static/theme.css

@@ -0,0 +1,93 @@
+:root {
+  --bg: #0f1117;
+  --surface: #1a1d27;
+  --surface2: #242836;
+  --border: #2e3344;
+  --text: #e4e5e9;
+  --text2: #8b8fa3;
+  --accent: #6366f1;
+  --accent2: #818cf8;
+  --green: #22c55e;
+  --yellow: #eab308;
+  --red: #ef4444;
+  --font: -apple-system, BlinkMacSystemFont, 'Segoe UI', system-ui, sans-serif;
+  --mono: 'SF Mono', 'Fira Code', 'Cascadia Code', monospace;
+}
+
+* { margin: 0; padding: 0; box-sizing: border-box; }
+body { background: var(--bg); color: var(--text); font-family: var(--font); font-size: 14px; line-height: 1.5; }
+a { color: var(--accent2); text-decoration: none; }
+a:hover { text-decoration: underline; }
+
+.shell { display: flex; min-height: 100vh; }
+
+/* Sidebar */
+.sidebar { width: 220px; background: var(--surface); border-right: 1px solid var(--border); padding: 20px 0; flex-shrink: 0; }
+.sidebar .logo { padding: 0 20px 20px; border-bottom: 1px solid var(--border); margin-bottom: 12px; }
+.sidebar .logo h1 { font-size: 15px; font-weight: 600; }
+.sidebar .logo span { font-size: 11px; color: var(--text2); }
+.sidebar nav a { display: block; padding: 8px 20px; color: var(--text2); font-size: 13px; transition: all 0.15s; }
+.sidebar nav a:hover, .sidebar nav a.active { color: var(--text); background: var(--surface2); text-decoration: none; }
+.sidebar nav a.active { border-left: 2px solid var(--accent); }
+
+/* Main */
+.main { flex: 1; padding: 24px 32px; overflow-x: auto; }
+.main h2 { font-size: 20px; font-weight: 600; margin-bottom: 20px; }
+
+/* Stats cards */
+.stats { display: grid; grid-template-columns: repeat(auto-fit, minmax(160px, 1fr)); gap: 16px; margin-bottom: 24px; }
+.stat { background: var(--surface); border: 1px solid var(--border); border-radius: 8px; padding: 16px; }
+.stat .label { font-size: 12px; color: var(--text2); text-transform: uppercase; letter-spacing: 0.5px; }
+.stat .value { font-size: 28px; font-weight: 700; margin-top: 4px; font-family: var(--mono); }
+.stat .value.green { color: var(--green); }
+.stat .value.yellow { color: var(--yellow); }
+.stat .value.red { color: var(--red); }
+
+/* Table */
+table { width: 100%; border-collapse: collapse; background: var(--surface); border: 1px solid var(--border); border-radius: 8px; overflow: hidden; }
+thead { background: var(--surface2); }
+th { font-size: 11px; text-transform: uppercase; letter-spacing: 0.5px; color: var(--text2); text-align: left; padding: 10px 14px; font-weight: 600; }
+td { padding: 10px 14px; border-top: 1px solid var(--border); font-size: 13px; }
+tr:hover td { background: var(--surface2); }
+
+/* Badges */
+.badge { display: inline-block; padding: 2px 8px; border-radius: 4px; font-size: 11px; font-weight: 600; }
+.badge-active { background: rgba(34,197,94,0.15); color: var(--green); }
+.badge-revoked, .badge-compromised { background: rgba(239,68,68,0.15); color: var(--red); }
+.badge-expired, .badge-deactivated { background: rgba(234,179,8,0.15); color: var(--yellow); }
+.badge-pre-active { background: rgba(99,102,241,0.15); color: var(--accent2); }
+.badge-root, .badge-intermediate { background: rgba(99,102,241,0.1); color: var(--accent); }
+
+/* Utilities */
+.mono { font-family: var(--mono); font-size: 12px; color: var(--text2); }
+.truncate { max-width: 200px; overflow: hidden; text-overflow: ellipsis; white-space: nowrap; }
+
+/* Buttons */
+.btn { display: inline-block; padding: 6px 14px; border-radius: 6px; font-size: 13px; font-weight: 500; border: none; cursor: pointer; transition: all 0.15s; }
+.btn-primary { background: var(--accent); color: white; }
+.btn-primary:hover { background: var(--accent2); }
+.btn-danger { background: var(--red); color: white; }
+.btn-sm { padding: 3px 10px; font-size: 12px; }
+
+/* Detail panel */
+.detail { background: var(--surface); border: 1px solid var(--border); border-radius: 8px; padding: 20px; margin-bottom: 16px; }
+.detail h3 { font-size: 16px; margin-bottom: 12px; }
+.detail-grid { display: grid; grid-template-columns: 140px 1fr; gap: 8px; }
+.detail-grid .label { color: var(--text2); font-size: 12px; }
+.detail-grid .val { font-size: 13px; word-break: break-all; }
+
+/* Filter tabs */
+.filter-tabs { display: flex; gap: 8px; margin-bottom: 12px; }
+
+/* Audit */
+.audit-entry { padding: 10px 0; border-bottom: 1px solid var(--border); }
+.audit-entry:last-child { border-bottom: none; }
+.audit-action { font-weight: 600; }
+.audit-time { font-size: 12px; color: var(--text2); font-family: var(--mono); }
+.audit-details { font-size: 12px; color: var(--text2); margin-top: 2px; }
+
+/* Pages */
+.page { display: none; }
+.page.active { display: block; }
+.loading { text-align: center; padding: 40px; color: var(--text2); }
+.section { margin-bottom: 24px; }