Upload folder using huggingface_hub

PLANS.md

@@ -103,3 +103,8 @@ Note: see `docs/PASSWORD_MANAGER_SCOPE.md` for the current (non-vault) stance an
 
 - Support GitHub token auth via HF Secrets (`GITHUB_TOKEN`/`GITHUB_PAT`) and document it in `.env.example`.
 - Merge Aunomous mode and chat mode to single chat UI.
+- Include password reset by email too.
+- Also include one password manager/passowrd vault too.
+- Get started on landing page should go to a documentaion page.
+- Open App and Login should point to login page.
+- Provider setting on path /app should be only on settings page.

README.md

@@ -73,6 +73,7 @@ This repo includes a manual workflow at `.github/workflows/codex-autofix.yml`.
 - **Secrets**: don’t hardcode API keys in source. GitHub push protection will block pushes containing tokens.
 - **Security**: the web terminal and agent/Codex endpoints are gated by Supabase auth. Keep Supabase configured and avoid exposing execution features publicly without auth.
 - **Terminal PTY**: the host/container must have PTY devices (`/dev/pts`) available for interactive terminals.
+- **Password reset**: the Login page supports Supabase password recovery links. Ensure your Supabase redirect URLs include `/login`.
 - **Codex login (Hugging Face Spaces/web terminal)**: Spaces expose a single port, so localhost callback URLs (like `http://localhost:1455/auth/callback?...`) won’t work; use device auth: `codex login --device-auth` (alias: `codex-login`).
 - **Codex login persistence (Spaces)**: on startup the container will use `/data/.codex` (if available) for `~/.codex`, so device-auth stays logged in across restarts.
 - **Codex tokens (Spaces Secrets)**: if you already have tokens, set `CODEX_ID_TOKEN`, `CODEX_ACCESS_TOKEN`, `CODEX_REFRESH_TOKEN` (and optionally `CODEX_ACCOUNT_ID`) as Spaces Secrets; the container will write `~/.codex/.auth.json` (and `~/.codex/auth.json`) on startup.

TASKS.md

@@ -56,7 +56,7 @@ Legend:
 - [x] Jobs UI (MVP: start/cancel/list crawl jobs).
 
 ## P3 — P2P pubsub chat + account manager
-- [ ] Account manager: identities/devices, memberships, permissions, moderation.
+- [~] Account manager: identities/devices, memberships, permissions, moderation.
 - [~] Transport: WebRTC DataChannel + signaling, with server pubsub fallback.
 - [~] UX: rooms, presence, delivery status, network mode indicators.
 
@@ -67,3 +67,6 @@ Legend:
 
 ## P2/P3 — UI consolidation (nice-to-have)
 - [ ] Merge Autonomous mode and chat mode to a single chat UI.
+
+## P2 — Auth UX
+- [x] Password reset by email (Supabase recovery flow).

app/rooms_store.py

@@ -38,6 +38,8 @@ class Room:
     created_at: str
     owner_user_id: str
     members: set[str] = field(default_factory=set)
+    roles: dict[str, str] = field(default_factory=dict)  # user_id -> role
+    banned: set[str] = field(default_factory=set)  # user_id
 
     def to_public(self, *, for_user_id: str) -> dict[str, Any]:
         return {
@@ -47,6 +49,7 @@ class Room:
             "ownerUserId": self.owner_user_id,
             "memberCount": len(self.members),
             "isMember": for_user_id in self.members,
+            "myRole": self.roles.get(for_user_id) if for_user_id in self.members else None,
         }
 
 
@@ -82,9 +85,26 @@ class RoomsStore:
             created_at = str(r.get("createdAt") or _now_iso()).strip()
             owner = str(r.get("ownerUserId") or "").strip()
             members = set(str(x) for x in (r.get("members") or []) if str(x).strip())
+            roles_raw = r.get("roles") if isinstance(r, dict) else None
+            roles: dict[str, str] = {}
+            if isinstance(roles_raw, dict):
+                for k, v in roles_raw.items():
+                    uid = str(k).strip()
+                    role = str(v).strip().lower()
+                    if uid and role:
+                        roles[uid] = role
+            banned = set(str(x) for x in (r.get("banned") or []) if str(x).strip())
             if not rid or not owner:
                 continue
-            self._rooms[rid] = Room(id=rid, name=name, created_at=created_at, owner_user_id=owner, members=members)
+            self._rooms[rid] = Room(
+                id=rid,
+                name=name,
+                created_at=created_at,
+                owner_user_id=owner,
+                members=members,
+                roles=roles,
+                banned=banned,
+            )
 
     def _save(self) -> None:
         path = _rooms_path()
@@ -98,6 +118,8 @@ class RoomsStore:
                     "createdAt": r.created_at,
                     "ownerUserId": r.owner_user_id,
                     "members": sorted(r.members),
+                    "roles": r.roles,
+                    "banned": sorted(r.banned),
                 }
             )
         payload = {"version": 1, "rooms": rooms}
@@ -119,7 +141,14 @@ class RoomsStore:
             raise ValueError("user_id required")
         room_id = str(uuid.uuid4())
         nm = (name or "Room").strip()[:80] or "Room"
-        room = Room(id=room_id, name=nm, created_at=_now_iso(), owner_user_id=uid, members={uid})
+        room = Room(
+            id=room_id,
+            name=nm,
+            created_at=_now_iso(),
+            owner_user_id=uid,
+            members={uid},
+            roles={uid: "owner"},
+        )
         async with self._lock:
             self._rooms[room_id] = room
             self._save()
@@ -139,7 +168,11 @@ class RoomsStore:
             room = self._rooms.get(rid)
             if not room:
                 return None
+            if uid in room.banned:
+                return None
             room.members.add(uid)
+            if uid not in room.roles:
+                room.roles[uid] = "member"
             self._save()
             return room
 
@@ -153,12 +186,75 @@ class RoomsStore:
             if not room:
                 return False
             room.members.discard(uid)
+            room.roles.pop(uid, None)
             # Owner-less or empty rooms are pruned.
             if not room.members or room.owner_user_id not in room.members:
                 self._rooms.pop(rid, None)
             self._save()
             return True
 
+    async def list_members(self, *, room_id: str) -> list[dict[str, Any]] | None:
+        rid = str(room_id or "").strip()
+        async with self._lock:
+            room = self._rooms.get(rid)
+            if not room:
+                return None
+            members = []
+            for uid in sorted(room.members):
+                members.append({"userId": uid, "role": room.roles.get(uid, "member")})
+            return members
+
+    async def set_role(self, *, room_id: str, user_id: str, role: str) -> bool:
+        rid = str(room_id or "").strip()
+        uid = str(user_id or "").strip()
+        r = str(role or "").strip().lower()
+        if not rid or not uid:
+            return False
+        if r not in {"owner", "moderator", "member"}:
+            return False
+        async with self._lock:
+            room = self._rooms.get(rid)
+            if not room or uid not in room.members:
+                return False
+            room.roles[uid] = r
+            if r == "owner":
+                room.owner_user_id = uid
+            self._save()
+            return True
+
+    async def kick_member(self, *, room_id: str, user_id: str) -> bool:
+        rid = str(room_id or "").strip()
+        uid = str(user_id or "").strip()
+        if not rid or not uid:
+            return False
+        async with self._lock:
+            room = self._rooms.get(rid)
+            if not room:
+                return False
+            if uid == room.owner_user_id:
+                return False
+            room.members.discard(uid)
+            room.roles.pop(uid, None)
+            self._save()
+            return True
+
+    async def ban_member(self, *, room_id: str, user_id: str) -> bool:
+        rid = str(room_id or "").strip()
+        uid = str(user_id or "").strip()
+        if not rid or not uid:
+            return False
+        async with self._lock:
+            room = self._rooms.get(rid)
+            if not room:
+                return False
+            if uid == room.owner_user_id:
+                return False
+            room.banned.add(uid)
+            room.members.discard(uid)
+            room.roles.pop(uid, None)
+            self._save()
+            return True
+
     async def append_message(self, *, room_id: str, message: dict[str, Any]) -> None:
         rid = str(room_id or "").strip()
         if not rid:

app/routes/rooms.py

@@ -76,6 +76,9 @@ async def join_room(body: dict[str, Any], http_request: Request):
     if not room_id:
         raise HTTPException(status_code=400, detail={"code": "invalid_request", "message": "roomId is required"})
     store: RoomsStore = http_request.app.state.rooms_store
+    room = await store.get_room(room_id)
+    if room and user_id in room.banned:
+        raise HTTPException(status_code=403, detail={"code": "banned", "message": "You are banned from this room"})
     room = await store.join_room(room_id=room_id, user_id=user_id)
     if not room:
         raise HTTPException(status_code=404, detail={"code": "not_found", "message": "Unknown roomId"})
@@ -109,6 +112,93 @@ async def room_messages(room_id: str, http_request: Request, limit: int = 50):
     return {"messages": messages}
 
 
+@router.get("/api/rooms/{room_id}/members")
+async def room_members(room_id: str, http_request: Request):
+    if not feature_enabled("rooms"):
+        raise HTTPException(status_code=403, detail={"code": "feature_disabled", "message": "Rooms are disabled"})
+    user = await require_user_from_request(http_request)
+    user_id = str(user.get("id") or "")
+    store: RoomsStore = http_request.app.state.rooms_store
+    room = await store.get_room(room_id)
+    if not room:
+        raise HTTPException(status_code=404, detail={"code": "not_found", "message": "Unknown roomId"})
+    if user_id not in room.members:
+        raise HTTPException(status_code=403, detail={"code": "not_member", "message": "Join the room first"})
+    members = await store.list_members(room_id=room_id)
+    return {"members": members or [], "myRole": room.roles.get(user_id, "member")}
+
+
+@router.post("/api/rooms/{room_id}/kick")
+async def room_kick(room_id: str, body: dict[str, Any], http_request: Request):
+    if not feature_enabled("rooms"):
+        raise HTTPException(status_code=403, detail={"code": "feature_disabled", "message": "Rooms are disabled"})
+    user = await require_user_from_request(http_request)
+    actor_id = str(user.get("id") or "")
+    target_id = str((body or {}).get("userId") or "").strip()
+    if not target_id:
+        raise HTTPException(status_code=400, detail={"code": "invalid_request", "message": "userId is required"})
+    store: RoomsStore = http_request.app.state.rooms_store
+    room = await store.get_room(room_id)
+    if not room:
+        raise HTTPException(status_code=404, detail={"code": "not_found", "message": "Unknown roomId"})
+    if actor_id not in room.members:
+        raise HTTPException(status_code=403, detail={"code": "not_member", "message": "Join the room first"})
+    actor_role = (room.roles.get(actor_id) or "member").lower()
+    if actor_role not in {"owner", "moderator"}:
+        raise HTTPException(status_code=403, detail={"code": "forbidden", "message": "Insufficient privileges"})
+    if target_id == room.owner_user_id:
+        raise HTTPException(status_code=403, detail={"code": "forbidden", "message": "Cannot kick the owner"})
+    ok = await store.kick_member(room_id=room_id, user_id=target_id)
+    return {"ok": True, "kicked": ok}
+
+
+@router.post("/api/rooms/{room_id}/ban")
+async def room_ban(room_id: str, body: dict[str, Any], http_request: Request):
+    if not feature_enabled("rooms"):
+        raise HTTPException(status_code=403, detail={"code": "feature_disabled", "message": "Rooms are disabled"})
+    user = await require_user_from_request(http_request)
+    actor_id = str(user.get("id") or "")
+    target_id = str((body or {}).get("userId") or "").strip()
+    if not target_id:
+        raise HTTPException(status_code=400, detail={"code": "invalid_request", "message": "userId is required"})
+    store: RoomsStore = http_request.app.state.rooms_store
+    room = await store.get_room(room_id)
+    if not room:
+        raise HTTPException(status_code=404, detail={"code": "not_found", "message": "Unknown roomId"})
+    if actor_id not in room.members:
+        raise HTTPException(status_code=403, detail={"code": "not_member", "message": "Join the room first"})
+    actor_role = (room.roles.get(actor_id) or "member").lower()
+    if actor_role not in {"owner", "moderator"}:
+        raise HTTPException(status_code=403, detail={"code": "forbidden", "message": "Insufficient privileges"})
+    if target_id == room.owner_user_id:
+        raise HTTPException(status_code=403, detail={"code": "forbidden", "message": "Cannot ban the owner"})
+    ok = await store.ban_member(room_id=room_id, user_id=target_id)
+    return {"ok": True, "banned": ok}
+
+
+@router.put("/api/rooms/{room_id}/roles")
+async def room_set_role(room_id: str, body: dict[str, Any], http_request: Request):
+    if not feature_enabled("rooms"):
+        raise HTTPException(status_code=403, detail={"code": "feature_disabled", "message": "Rooms are disabled"})
+    user = await require_user_from_request(http_request)
+    actor_id = str(user.get("id") or "")
+    target_id = str((body or {}).get("userId") or "").strip()
+    role = str((body or {}).get("role") or "").strip().lower()
+    if not target_id or not role:
+        raise HTTPException(status_code=400, detail={"code": "invalid_request", "message": "userId and role are required"})
+    store: RoomsStore = http_request.app.state.rooms_store
+    room = await store.get_room(room_id)
+    if not room:
+        raise HTTPException(status_code=404, detail={"code": "not_found", "message": "Unknown roomId"})
+    if actor_id not in room.members:
+        raise HTTPException(status_code=403, detail={"code": "not_member", "message": "Join the room first"})
+    actor_role = (room.roles.get(actor_id) or "member").lower()
+    if actor_role != "owner":
+        raise HTTPException(status_code=403, detail={"code": "forbidden", "message": "Owner privileges required"})
+    ok = await store.set_role(room_id=room_id, user_id=target_id, role=role)
+    return {"ok": True, "updated": ok}
+
+
 @router.get("/api/rooms/{room_id}/peers")
 async def room_peers(room_id: str, http_request: Request):
     if not feature_enabled("rooms"):
@@ -166,6 +256,11 @@ async def websocket_rooms(websocket: WebSocket):
 
     user_id = str(user.get("id") or "")
     store: RoomsStore = websocket.app.state.rooms_store
+    room = await store.get_room(room_id)
+    if room and user_id in room.banned:
+        await websocket.send_text(_ws_json({"type": "error", "message": "banned"}))
+        await websocket.close()
+        return
     room = await store.join_room(room_id=room_id, user_id=user_id)
     if not room:
         await websocket.send_text(_ws_json({"type": "error", "message": "unknown_room"}))

docs/TROUBLESHOOTING.md

@@ -75,3 +75,8 @@ Admins can also toggle feature overrides from Settings → Admin.
 
 The Rooms view uses WebRTC DataChannels (optional, behind “Prefer P2P”). Some networks block UDP/WebRTC.
 If P2P fails, keep “Prefer P2P” off and it will use server WebSockets for messaging.
+
+## Password reset emails aren’t arriving
+
+Supabase email delivery depends on your project auth settings and SMTP configuration.
+Check Supabase → Authentication → Settings (and SMTP) and verify your site URL/redirect URLs include `/login`.

static/dashboard.html

@@ -884,13 +884,13 @@
                 <div id="rooms-list" class="flex-grow overflow-y-auto p-2 text-sm space-y-1"></div>
             </div>
 
-            <div class="flex-grow min-w-0 flex flex-col">
-                <div class="p-3 border-b border-gray-700 bg-gray-800 flex items-center justify-between gap-2">
-                    <div class="min-w-0">
-                        <div class="text-sm font-semibold text-gray-200 truncate" id="rooms-active-title">Select a room</div>
-                        <div class="text-xs text-gray-400 truncate" id="rooms-active-subtitle">Create or join a room to start chatting.</div>
-                    </div>
-                    <div class="flex items-center gap-2 shrink-0">
+                <div class="flex-grow min-w-0 flex flex-col">
+                    <div class="p-3 border-b border-gray-700 bg-gray-800 flex items-center justify-between gap-2">
+                        <div class="min-w-0">
+                            <div class="text-sm font-semibold text-gray-200 truncate" id="rooms-active-title">Select a room</div>
+                            <div class="text-xs text-gray-400 truncate" id="rooms-active-subtitle">Create or join a room to start chatting.</div>
+                        </div>
+                        <div class="flex items-center gap-2 shrink-0">
                         <label class="flex items-center gap-2 text-xs text-gray-300 bg-gray-700/60 px-2 py-1 rounded-lg">
                             <input id="rooms-prefer-p2p" type="checkbox" class="h-4 w-4 accent-blue-600">
                             Prefer P2P
@@ -899,12 +899,26 @@
                             class="bg-gray-700 hover:bg-gray-600 text-white px-2 py-1 rounded text-xs">Copy ID</button>
                         <button onclick="leaveActiveRoom()"
                             class="bg-red-600 hover:bg-red-700 text-white px-2 py-1 rounded text-xs">Leave</button>
+                        </div>
+                    </div>
+                    <div class="px-3 py-2 border-b border-gray-700 bg-gray-900/40 flex items-center justify-between gap-3">
+                        <div class="text-xs text-gray-400">
+                            <span class="font-semibold text-gray-200" id="rooms-my-role">role: —</span>
+                            <span class="mx-2">•</span>
+                            <button onclick="toggleRoomsMembers()" class="text-gray-300 hover:text-white underline underline-offset-2">members</button>
+                        </div>
+                        <div class="flex items-center gap-2">
+                            <button onclick="loadRoomMembers()" class="bg-gray-700 hover:bg-gray-600 text-white px-2 py-1 rounded text-xs">Refresh</button>
+                        </div>
+                    </div>
+                    <div id="rooms-members-panel" class="hidden border-b border-gray-700 bg-gray-900/30 p-3">
+                        <div id="rooms-members" class="grid grid-cols-1 md:grid-cols-2 gap-2 text-xs"></div>
+                        <div id="rooms-members-status" class="text-xs text-gray-500 mt-2"></div>
                     </div>
-                </div>
 
-                <div class="flex-grow min-h-0 overflow-y-auto p-4 space-y-3" id="rooms-messages">
-                    <div class="text-sm text-gray-500">No room selected.</div>
-                </div>
+                    <div class="flex-grow min-h-0 overflow-y-auto p-4 space-y-3" id="rooms-messages">
+                        <div class="text-sm text-gray-500">No room selected.</div>
+                    </div>
 
                 <div class="border-t border-gray-700 bg-gray-800 p-3">
                     <div class="flex items-end gap-2">

static/dashboard.js

@@ -913,6 +913,7 @@ let supabase;
                     const { data: userData } = await supabase.auth.getUser();
                     const user = userData?.user;
                     if (user) {
+                        window.__sbUserId = (user.id || '').trim();
                         const username =
                             user.user_metadata?.username ||
                             user.user_metadata?.name ||
@@ -3205,6 +3206,135 @@ let supabase;
             if (el) el.textContent = text || '';
         }
 
+        function setRoomsMembersStatus(text) {
+            const el = document.getElementById('rooms-members-status');
+            if (el) el.textContent = text || '';
+        }
+
+        function setRoomsMyRole(role) {
+            const el = document.getElementById('rooms-my-role');
+            if (!el) return;
+            el.textContent = `role: ${role || '—'}`;
+        }
+
+        function toggleRoomsMembers(forceOpen = null) {
+            const panel = document.getElementById('rooms-members-panel');
+            if (!panel) return;
+            const open = forceOpen == null ? panel.classList.contains('hidden') : !!forceOpen;
+            panel.classList.toggle('hidden', !open);
+        }
+
+        function renderRoomMembers(data) {
+            const el = document.getElementById('rooms-members');
+            if (!el) return;
+            el.innerHTML = '';
+            const members = Array.isArray(data?.members) ? data.members : [];
+            const myRole = String(data?.myRole || '').trim();
+            setRoomsMyRole(myRole || 'member');
+
+            if (!members.length) {
+                const empty = document.createElement('div');
+                empty.className = 'text-gray-500';
+                empty.textContent = 'No members.';
+                el.appendChild(empty);
+                return;
+            }
+            for (const m of members) {
+                const uid = String(m?.userId || '').trim();
+                const role = String(m?.role || 'member').trim();
+                if (!uid) continue;
+
+                const card = document.createElement('div');
+                card.className = 'bg-gray-800/40 border border-gray-700 rounded-lg px-3 py-2 flex items-center justify-between gap-2';
+
+                const left = document.createElement('div');
+                left.className = 'min-w-0';
+                const a = document.createElement('div');
+                a.className = 'text-gray-100 font-semibold truncate';
+                a.textContent = uid.slice(0, 12);
+                const b = document.createElement('div');
+                b.className = 'text-gray-400 truncate';
+                b.textContent = role;
+                left.appendChild(a);
+                left.appendChild(b);
+
+                const actions = document.createElement('div');
+                actions.className = 'flex items-center gap-2 shrink-0';
+
+                const canModerate = myRole === 'owner' || myRole === 'moderator';
+                const selfUserId = (window.__sbUserId || '').trim();
+                const isSelf = selfUserId && uid === selfUserId;
+                const isOwner = role === 'owner';
+                if (canModerate && !isSelf && !isOwner) {
+                    const kick = document.createElement('button');
+                    kick.className = 'bg-gray-700 hover:bg-gray-600 text-white px-2 py-1 rounded text-xs';
+                    kick.textContent = 'Kick';
+                    kick.onclick = () => kickRoomMember(uid);
+
+                    const ban = document.createElement('button');
+                    ban.className = 'bg-red-700 hover:bg-red-600 text-white px-2 py-1 rounded text-xs';
+                    ban.textContent = 'Ban';
+                    ban.onclick = () => banRoomMember(uid);
+
+                    actions.appendChild(kick);
+                    actions.appendChild(ban);
+                }
+
+                card.appendChild(left);
+                card.appendChild(actions);
+                el.appendChild(card);
+            }
+        }
+
+        async function loadRoomMembers() {
+            const rid = roomsActiveRoomId;
+            if (!rid) return;
+            try {
+                setRoomsMembersStatus('Loading…');
+                const res = await authFetch(`/api/rooms/${encodeURIComponent(rid)}/members`);
+                if (!res.ok) throw new Error(await res.text());
+                const data = await res.json();
+                renderRoomMembers(data);
+                setRoomsMembersStatus('');
+            } catch (e) {
+                setRoomsMembersStatus(`Failed: ${e?.message || e}`);
+            }
+        }
+
+        async function kickRoomMember(userId) {
+            const rid = roomsActiveRoomId;
+            if (!rid) return;
+            if (!confirm(`Kick ${String(userId).slice(0, 12)}?`)) return;
+            try {
+                const res = await authFetch(`/api/rooms/${encodeURIComponent(rid)}/kick`, {
+                    method: 'POST',
+                    headers: { 'Content-Type': 'application/json' },
+                    body: JSON.stringify({ userId }),
+                });
+                if (!res.ok) throw new Error(await res.text());
+                await loadRoomMembers();
+            } catch (e) {
+                alert(`Kick failed: ${e?.message || e}`);
+            }
+        }
+
+        async function banRoomMember(userId) {
+            const rid = roomsActiveRoomId;
+            if (!rid) return;
+            if (!confirm(`Ban ${String(userId).slice(0, 12)}?`)) return;
+            try {
+                const res = await authFetch(`/api/rooms/${encodeURIComponent(rid)}/ban`, {
+                    method: 'POST',
+                    headers: { 'Content-Type': 'application/json' },
+                    body: JSON.stringify({ userId }),
+                });
+                if (!res.ok) throw new Error(await res.text());
+                await loadRoomMembers();
+            } catch (e) {
+                alert(`Ban failed: ${e?.message || e}`);
+            }
+        }
+
         function renderRoomsMessagesEmpty(text) {
             const box = document.getElementById('rooms-messages');
             if (!box) return;
@@ -3390,8 +3520,11 @@ let supabase;
             roomsMessageEls = new Map();
             updateRoomsHeader(roomsActiveRoomId, name || 'Room');
             renderRoomsMessagesEmpty('Loading…');
+            setRoomsMyRole('');
+            toggleRoomsMembers(false);
             await loadRoomsList();
             await loadRoomHistory();
+            await loadRoomMembers();
             await connectRoomsWs();
         }
 

static/index.html

@@ -30,6 +30,11 @@
                     required>
             </div>
 
+            <div class="flex items-center justify-between text-sm">
+                <button type="button" id="forgot-btn"
+                    class="text-gray-300 hover:text-white underline underline-offset-2">Forgot password?</button>
+            </div>
+
             <div class="flex space-x-4">
                 <button type="submit" id="login-btn"
                     class="w-full px-5 py-2.5 text-sm font-medium bg-blue-600 rounded-lg hover:bg-blue-700 focus:ring-4 focus:ring-blue-800">Login</button>
@@ -37,6 +42,47 @@
                     class="w-full px-5 py-2.5 text-sm font-medium bg-green-600 rounded-lg hover:bg-green-700 focus:ring-4 focus:ring-green-800">Register</button>
             </div>
         </form>
+
+        <div id="reset-panel" class="hidden space-y-4">
+            <div class="text-sm text-gray-300">
+                <div class="font-semibold text-gray-100">Reset password</div>
+                <div class="text-gray-400">Enter your email to receive a reset link.</div>
+            </div>
+            <div>
+                <label for="reset-email" class="block mb-2 text-sm font-medium">Email</label>
+                <input type="email" id="reset-email"
+                    class="w-full p-2.5 bg-gray-700 border border-gray-600 rounded-lg focus:ring-blue-500 focus:border-blue-500">
+            </div>
+            <div class="flex gap-2">
+                <button type="button" id="send-reset-btn"
+                    class="flex-1 px-5 py-2.5 text-sm font-medium bg-indigo-600 rounded-lg hover:bg-indigo-700 focus:ring-4 focus:ring-indigo-800">Send link</button>
+                <button type="button" id="cancel-reset-btn"
+                    class="px-5 py-2.5 text-sm font-medium bg-gray-700 rounded-lg hover:bg-gray-600">Cancel</button>
+            </div>
+        </div>
+
+        <div id="update-panel" class="hidden space-y-4">
+            <div class="text-sm text-gray-300">
+                <div class="font-semibold text-gray-100">Set a new password</div>
+                <div class="text-gray-400">You opened a password recovery link. Choose a new password.</div>
+            </div>
+            <div>
+                <label for="new-password" class="block mb-2 text-sm font-medium">New password</label>
+                <input type="password" id="new-password"
+                    class="w-full p-2.5 bg-gray-700 border border-gray-600 rounded-lg focus:ring-blue-500 focus:border-blue-500">
+            </div>
+            <div>
+                <label for="confirm-password" class="block mb-2 text-sm font-medium">Confirm password</label>
+                <input type="password" id="confirm-password"
+                    class="w-full p-2.5 bg-gray-700 border border-gray-600 rounded-lg focus:ring-blue-500 focus:border-blue-500">
+            </div>
+            <div class="flex gap-2">
+                <button type="button" id="update-password-btn"
+                    class="flex-1 px-5 py-2.5 text-sm font-medium bg-green-600 rounded-lg hover:bg-green-700 focus:ring-4 focus:ring-green-800">Update password</button>
+                <button type="button" id="cancel-update-btn"
+                    class="px-5 py-2.5 text-sm font-medium bg-gray-700 rounded-lg hover:bg-gray-600">Cancel</button>
+            </div>
+        </div>
     </div>
     <script src="/static/login.js"></script>
 </body>

static/login.js

@@ -16,10 +16,27 @@ let supabase;
                     registerBtn.style.display = 'none';
                 }
 
-                // Check if already logged in
+                supabase.auth.onAuthStateChange((event, session) => {
+                    if (event === 'PASSWORD_RECOVERY') {
+                        showUpdatePanel();
+                        return;
+                    }
+                    const recovery = isRecoveryUrl();
+                    if (session && !recovery) {
+                        window.location.href = '/app';
+                    }
+                });
+
+                const recovery = isRecoveryUrl();
                 const { data: { session } } = await supabase.auth.getSession();
-                if (session) {
+                if (session && !recovery) {
                     window.location.href = '/app';
+                    return;
+                }
+                if (recovery) {
+                    showUpdatePanel();
+                } else {
+                    showLoginPanel();
                 }
             } catch (error) {
                 console.error('Error initializing Supabase:', error);
@@ -27,6 +44,45 @@ let supabase;
             }
         }
 
+        function isRecoveryUrl() {
+            const hash = String(window.location.hash || '');
+            const search = String(window.location.search || '');
+            return hash.includes('type=recovery') || search.includes('type=recovery') || hash.includes('recovery');
+        }
+
+        function getPanels() {
+            return {
+                login: document.getElementById('auth-form'),
+                reset: document.getElementById('reset-panel'),
+                update: document.getElementById('update-panel'),
+            };
+        }
+
+        function showLoginPanel() {
+            const { login, reset, update } = getPanels();
+            if (login) login.classList.remove('hidden');
+            if (reset) reset.classList.add('hidden');
+            if (update) update.classList.add('hidden');
+        }
+
+        function showResetPanel() {
+            const { login, reset, update } = getPanels();
+            if (login) login.classList.add('hidden');
+            if (reset) reset.classList.remove('hidden');
+            if (update) update.classList.add('hidden');
+
+            const email = document.getElementById('email')?.value || '';
+            const el = document.getElementById('reset-email');
+            if (el && email) el.value = email;
+        }
+
+        function showUpdatePanel() {
+            const { login, reset, update } = getPanels();
+            if (login) login.classList.add('hidden');
+            if (reset) reset.classList.add('hidden');
+            if (update) update.classList.remove('hidden');
+        }
+
         function showAlert(message, type = 'error') {
             const alert = document.getElementById('alert');
             alert.textContent = message;
@@ -79,6 +135,58 @@ let supabase;
             handleAuth('login');
         });
 
+        document.getElementById('forgot-btn').addEventListener('click', () => {
+            showResetPanel();
+        });
+
+        document.getElementById('cancel-reset-btn').addEventListener('click', () => {
+            showLoginPanel();
+        });
+
+        document.getElementById('send-reset-btn').addEventListener('click', async () => {
+            const email = (document.getElementById('reset-email')?.value || '').trim();
+            if (!email) {
+                showAlert('Enter your email to receive a reset link.');
+                return;
+            }
+            try {
+                const redirectTo = `${window.location.origin}/login`;
+                const { error } = await supabase.auth.resetPasswordForEmail(email, { redirectTo });
+                if (error) throw error;
+                showAlert('Reset link sent. Check your email.', 'success');
+                showLoginPanel();
+            } catch (e) {
+                showAlert(e?.message || String(e));
+            }
+        });
+
+        document.getElementById('cancel-update-btn').addEventListener('click', async () => {
+            try { await supabase.auth.signOut(); } catch { }
+            window.location.replace('/login');
+        });
+
+        document.getElementById('update-password-btn').addEventListener('click', async () => {
+            const p1 = (document.getElementById('new-password')?.value || '').trim();
+            const p2 = (document.getElementById('confirm-password')?.value || '').trim();
+            if (!p1 || p1.length < 8) {
+                showAlert('Password must be at least 8 characters.');
+                return;
+            }
+            if (p1 !== p2) {
+                showAlert('Passwords do not match.');
+                return;
+            }
+            try {
+                const { error } = await supabase.auth.updateUser({ password: p1 });
+                if (error) throw error;
+                showAlert('Password updated. You can log in now.', 'success');
+                try { await supabase.auth.signOut(); } catch { }
+                window.location.replace('/login');
+            } catch (e) {
+                showAlert(e?.message || String(e));
+            }
+        });
+
         document.getElementById('register-btn').addEventListener('click', () => {
             if (localStorage.getItem('auth_allow_signup_v1') === '1') {
                 handleAuth('register');

tests/test_security_gates.py

@@ -51,6 +51,11 @@ def test_rooms_ws_requires_token(client: TestClient):
         assert "missing_token" in msg or msg == ""
 
 
+def test_room_members_requires_auth(client: TestClient):
+    res = client.get("/api/rooms/x/members")
+    assert res.status_code == 401
+
+
 def test_features_can_be_disabled(monkeypatch: pytest.MonkeyPatch):
     monkeypatch.setenv("SUPABASE_URL", "https://example.supabase.co")
     monkeypatch.setenv("SUPABASE_KEY", "dummy")