chore: gitignore go.work for /tmp worktree resolution

go.work resolves the fn-registry replace to an absolute path when the worktree lives outside the parent tree; it is local-only and must not be committed. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
docs(unibus): bump 0.12.0 — accounts via single-use invites + hard-delete
2026-06-07 22:14:44 +02:00 · 2026-06-07 22:14:44 +02:00 · 2026-06-07 22:14:44 +02:00 · 2026-06-07 22:14:44 +02:00 · 2026-06-07 22:14:44 +02:00 · 2026-06-07 22:14:25 +02:00
29 changed files with 1851 additions and 1317 deletions
@@ -14,3 +14,7 @@ worker.id
 /chat
 *.exe
 registry.db
+
+# local worktree resolution (do not commit)
+go.work
+go.work.sum
@@ -2,7 +2,7 @@
 name: unibus
 lang: go
 domain: infra
-version: 0.10.0
+version: 0.12.0
 description: "Bus de mensajería unificado sobre NATS+JetStream con cifrado E2E por room (megolm/olm reducido): service de membresía/claves, librería cliente y peers demo."
 tags: [service, messaging, nats, e2e]
 uses_functions:
@@ -137,6 +137,26 @@ Para apuntar a un NATS externo en producción: `--nats-url nats://host:4222` en
  firme el primer `POST /users`); a partir de ahí toda la gestión es HTTP admin-only. El
  alta es idempotente igual que la CLI: re-alta de una clave ya registrada = 409, sin
  sobrescribir ni elevar rol; el revoke es un flip de status (sin hard-delete), auditable.
+- **Cuentas estilo WhatsApp: alta por invitación, baja por hard-delete.** Sobre la API
+  admin anterior, `unibus` añade el modelo wallet de cuentas. El admin NO genera claves:
+  `POST /invites` (admin-only) acuña un enlace de invitación de un solo uso con caducidad
+  (token de 32 bytes `crypto/rand` en hex; TTL default 7 días), fijando `handle` y `role`.
+  El nuevo usuario abre el enlace en SU cliente, que genera el par de claves localmente
+  (la privada nunca sale del dispositivo) y llama `POST /register` con `{token, sign_pub,
+  kex_pub}`. `/register` es la ÚNICA ruta que añade al allowlist sin firma admin —
+  autorizada por el TOKEN, porque la identidad nueva aún no está en el allowlist y no puede
+  firmar. Está endurecida: token fuerte de un solo uso (consumo atómico, doble uso → 409),
+  caducidad (→ 410), `handle`/`role` fijados por el invite (sin escalado), validación
+  estricta de ambas claves hex de 64 chars, y rate-limit por IP heredado del control plane
+  (solo `/healthz` está exento). El borrado de cuenta es `DELETE /users/{signpub}`
+  (admin-only): hard-delete real del allowlist, distinto del `revoke` (que se mantiene:
+  revoke = quitar acceso dejando rastro auditable; delete = purga). Tras hard-delete, las
+  membresías de rooms del ex-usuario quedan inertes (ya no puede autenticarse en ningún
+  plano); NO se limpian a medias — un owner expulsa/rekey su room si quiere forward secrecy.
+  Invites y users viven en el MISMO store (SQLite `invites`/`users`, KV `UNIBUS_invites`/
+  `UNIBUS_users`). `pkg/client` gana `CreateInvite/ListInvites/CancelInvite/Register/
+  DeleteUser`; solo `Register` va sin firmar. Recovery: hard-delete del último admin se
+  recupera con la CLI local `membershipd user add` (mismo seam que siembra el admin #0).
 - **Identidad = secreto crítico.** El archivo de identidad (`worker.id`,
  `chat.id`) contiene las claves privadas (Ed25519 + X25519). Se escribe 0600.
  Perderlo = mensajes ilegibles, sin recuperación. Trátalo como una clave SSH.
@@ -169,6 +189,55 @@ agent.<nombre>.{in,out}   inbox/outbox de agente LLM (agent.scout.in)

 ## Capability growth log

+- v0.12.0 (2026-06-07) — capa de CUENTAS estilo WhatsApp sobre el modelo wallet: alta de
+  usuario por enlace de invitación de un solo uso + baja por hard-delete real. El admin
+  nunca ve la clave privada del usuario. (1) **Invites**: nuevo backend de datos en ambos
+  stores (SQLite `invites` vía migración aditiva `003_invites.sql`; KV `UNIBUS_invites`).
+  Tipo `Invite{Token, Handle, Role, ExpiresAt, Used, CreatedAt}` + campos de auditoría del
+  consumo (`UsedAt/UsedSignPub/UsedKexPub`). Métodos `Store.CreateInvite` (token 32 bytes
+  `crypto/rand` hex, TTL default 7d), `GetInvite`, `ListInvites`, `ConsumeInvite` (valida
+  existe/no-usado/no-caducado → registra el sign_pub con el handle/role del invite → marca
+  usado, atómico) y `CancelInvite`. Consumo single-use garantizado en ambos backends: tx
+  SQLite (mark guard `used=0` + insert) y CAS sobre la revisión KV (mark-first); burn-on-
+  claim idéntico si la clave ya existe. (2) **Hard-delete**: `Store.DeleteUser` (SQLite
+  `DELETE FROM users`, KV `users.Delete`) purga el allowlist — distinto del `revoke`
+  (status flip, conservado). Las membresías de rooms del ex-usuario quedan inertes
+  (documentado, sin limpieza parcial). (3) **Endpoints HTTP**: `POST /invites`, `GET
+  /invites` (solo pendientes), `DELETE /invites/{token}`, `DELETE /users/{signpub}`
+  (todos admin-only vía `requireAdmin`) y `POST /register` — la única ruta auth-exempt de
+  firma admin (autorizada por el token), rate-limited (se separa `isRateExempt`, solo
+  `/healthz`, de `isAuthExempt`) y con validación hex estricta de `sign_pub`+`kex_pub`
+  ANTES de gastar el token. Errores mapeados: token desconocido 404, usado 409, caducado
+  410, identidad ya registrada 409. (4) **pkg/client**: `CreateInvite/ListInvites/
+  CancelInvite/Register/DeleteUser`; `Register` va sin firma vía un helper `doUnsigned`.
+  (5) Fix de consistencia: el `GetUser` de SQLite ahora mapea `sql.ErrNoRows` → `ErrNotFound`
+  como el KV y como documenta `store.go`. Tests nuevos: suite de invites store-level en
+  AMBOS backends (golden + single-use + token desconocido + caducado + cancel + hard-delete
+  + burn-on-claim), suite HTTP (crear invite → register sin auth → aparece en allowlist →
+  re-register 409 → caducado 410 → no-admin 403 en las 4 rutas admin → hard-delete purga),
+  y test de cliente end-to-end (admin acuña invite → joiner no-registrado redime sin firma →
+  aparece → hard-delete desaparece). Cambios 100% aditivos: el comportamiento previo no
+  cambia; build/vet/test verdes (`CGO_ENABLED=0`).
+- v0.11.0 (2026-06-07) — flag dedicado `UNIBUS_NATS_MONITOR` que abre el endpoint
+  de monitoring HTTP del nats-server embebido (`127.0.0.1:8222`, loopback only) de
+  forma DESACOPLADA del debug-log. Antes el monitoring solo se abría con
+  `UNIBUS_NATS_DEBUG=1`, que además encendía el log verboso del nats-server
+  (rutas/RAFT/subjects a journald en claro) — incompatible con el endurecimiento
+  del issue 0007. El cómputo de los toggles se extrae a una función pura
+  `natsLogOpts(debugEnv, monitorEnv) (noLog, debug, trace, monitor)`: `MONITOR=1`
+  abre el endpoint dejando el log en silencio (`NoLog` true / `Debug` false), y se
+  mantiene el acoplamiento inverso por compatibilidad (`DEBUG` sigue implicando
+  `MONITOR`). El bind loopback `127.0.0.1` queda hardcoded — el monitoring NUNCA es
+  público y no lleva auth; lo lee un scraper local que empuja a VictoriaMetrics
+  (dashboard `unibus-nats` en `fleet_monitoring`). Se versiona el cableado de
+  deploy: drop-in systemd aditivo `membershipd-cluster.service.d/nats-monitor.conf`
+  (`Environment=UNIBUS_NATS_MONITOR=1`) + sección "NATS server metrics" en el
+  README del cluster con el runbook de activación rolling (magnus→homer→datardos)
+  y gate de reconvergencia R3 (`followers 2/2`) entre nodos. Tests nuevos: tabla
+  pura del desacoplamiento (monitor on ⇒ log NO debug; debug ⇒ monitor; default
+  cerrado) + server real con `MONITOR=1` que confirma `/varz` 200 en loopback:8222
+  y server sin flag con el endpoint cerrado. Cambios 100% aditivos: sin el flag el
+  comportamiento es idéntico; build/test verdes.
 - v0.10.0 (2026-06-07) — API HTTP admin-only de gestión de usuarios, cerrando la
  última asimetría del control plane: las rooms tenían superficie HTTP firmada
  (`POST /rooms`, etc.) pero los users solo se gestionaban por CLI local o acceso
@@ -1,246 +0,0 @@
-package main
-
-import (
-	"encoding/hex"
-	"fmt"
-	"strings"
-	"sync"
-
-	cs "fn-registry/functions/cybersecurity"
-
-	"github.com/enmanuel/unibus/pkg/busauth"
-	"github.com/enmanuel/unibus/pkg/client"
-	"github.com/enmanuel/unibus/pkg/frame"
-	"github.com/enmanuel/unibus/pkg/room"
-)
-
-// gateway is the live web gateway: it owns the operator's identity and a single
-// connected unibus client, and turns the bus's crypto-bearing API into the plain
-// REST/SSE surface the browser consumes. The browser never signs, never speaks
-// NATS, and never sees a private key — the gateway is the legitimate room member
-// that seals/opens payloads on the browser's behalf.
-//
-// TRUST MODEL: content stays end-to-end encrypted on the wire. The gateway can
-// read plaintext because it acts AS the operator's client — a real member of
-// each room, holding the room key K like any peer. It is the same trust a native
-// desktop client has. In the wallet phase (per-browser WebCrypto identity) the
-// decryption can move into the browser; today, for the single-operator MVP, the
-// gateway decrypts server-side and pushes cleartext over a loopback/authenticated
-// SSE channel.
-type gateway struct {
-	id         cs.Identity
-	endpoint   string
-	cli        *client.Client
-	refreshACL bool // call RefreshSession after a membership change (needed under a per-subject ACL bus)
-
-	mu   sync.Mutex
-	hubs map[string]*roomHub // roomID -> live fan-out of decrypted frames to SSE clients
-}
-
-// gatewayConfig wires a live gateway.
-type gatewayConfig struct {
-	Identity cs.Identity
-	NatsURL  string
-	CtrlURL  string
-	CtrlURLs []string
-	NatsURLs []string
-	CAPath   string // bus CA; empty => plaintext dev connection (matches a loopback membershipd)
-}
-
-// newGateway connects the unibus client with the operator identity following the
-// same posture seam every peer uses: a non-empty CA path means TLS + nkey, empty
-// means plaintext dev. When a CA is configured the bus is assumed to enforce a
-// per-subject ACL, so membership changes trigger a session refresh.
-func newGateway(cfg gatewayConfig) (*gateway, error) {
-	opts := client.Options{
-		CtrlURLs:    cfg.CtrlURLs,
-		NatsServers: cfg.NatsURLs,
-	}
-	if cfg.CAPath != "" {
-		tlsCfg, err := busauth.LoadCATLSConfig(cfg.CAPath)
-		if err != nil {
-			return nil, fmt.Errorf("webgw: load bus CA %q: %w", cfg.CAPath, err)
-		}
-		opts.UseNkey = true
-		opts.TLS = tlsCfg
-		opts.CtrlTLS = tlsCfg
-	}
-	cli, err := client.NewWithOptions(cfg.NatsURL, cfg.CtrlURL, cfg.Identity, opts)
-	if err != nil {
-		return nil, fmt.Errorf("webgw: connect bus client: %w", err)
-	}
-	return &gateway{
-		id:         cfg.Identity,
-		endpoint:   frame.EndpointID(cfg.Identity.SignPub),
-		cli:        cli,
-		refreshACL: cfg.CAPath != "",
-		hubs:       map[string]*roomHub{},
-	}, nil
-}
-
-// Close stops every hub and releases the bus client connection.
-func (g *gateway) Close() error {
-	g.mu.Lock()
-	for _, h := range g.hubs {
-		h.stop()
-	}
-	g.hubs = map[string]*roomHub{}
-	g.mu.Unlock()
-	if g.cli != nil {
-		return g.cli.Close()
-	}
-	return nil
-}
-
-// ---- wire types (browser-facing JSON) ------------------------------------
-
-// meInfo is what GET /api/me returns: the operator identity the gateway acts as.
-type meInfo struct {
-	Endpoint string `json:"endpoint"`
-	SignPub  string `json:"sign_pub"`
-}
-
-// roomWire is the browser view of a room. It deliberately omits messages: those
-// stream over SSE (GET /api/rooms/{id}/stream), not in the room list.
-type roomWire struct {
-	ID       string `json:"id"`
-	Subject  string `json:"subject"`
-	Name     string `json:"name"`
-	Epoch    int    `json:"epoch"`
-	Encrypt  bool   `json:"encrypt"`
-	Persist  bool   `json:"persist"`
-	SignMsgs bool   `json:"sign_msgs"`
-	Role     string `json:"role"`
-}
-
-// createRoomReq is the POST /api/rooms body. Encrypt/Persist/SignMsgs are
-// pointers so an omitted field falls back to the chat default rather than to the
-// Go zero value (false). The common case — the browser sending only {subject,
-// encrypted} — maps encrypted onto all three (the Matrix-like chat policy).
-type createRoomReq struct {
-	Subject   string `json:"subject"`
-	Encrypted *bool  `json:"encrypted,omitempty"`
-	Encrypt   *bool  `json:"encrypt,omitempty"`
-	Persist   *bool  `json:"persist,omitempty"`
-	SignMsgs  *bool  `json:"sign_msgs,omitempty"`
-}
-
-// policy resolves the requested policy. A bare {subject} defaults to the
-// Matrix-like chat room (encrypted + persisted + signed) so a created room keeps
-// durable, end-to-end-encrypted, authored history. Callers can override any leg.
-func (r createRoomReq) policy() room.Policy {
-	enc, per, sig := true, true, true
-	if r.Encrypted != nil {
-		enc, per, sig = *r.Encrypted, *r.Encrypted, *r.Encrypted
-	}
-	if r.Encrypt != nil {
-		enc = *r.Encrypt
-	}
-	if r.Persist != nil {
-		per = *r.Persist
-	}
-	if r.SignMsgs != nil {
-		sig = *r.SignMsgs
-	}
-	return room.Policy{Encrypt: enc, Persist: per, SignMsgs: sig}
-}
-
-// sendReq is the POST /api/rooms/{id}/send body.
-type sendReq struct {
-	Body string `json:"body"`
-}
-
-// msgWire is one decrypted message pushed over SSE.
-type msgWire struct {
-	ID     string `json:"id"`
-	Sender string `json:"sender"`
-	Body   string `json:"body"`
-	TS     int64  `json:"ts"` // epoch ms (decoded from the frame's ULID id)
-	Mine   bool   `json:"mine"`
-}
-
-// ---- operations -----------------------------------------------------------
-
-func (g *gateway) me() meInfo {
-	return meInfo{Endpoint: g.endpoint, SignPub: hex.EncodeToString(g.id.SignPub)}
-}
-
-// subjectName derives a short, human-friendly room name from its bus subject by
-// dropping the leading namespace segment (room., test., proc., agent.). It is a
-// display nicety only; the canonical identity stays the subject/room id.
-func subjectName(subject string) string {
-	for _, p := range []string{"room.", "test.", "proc.", "agent.", "rpc."} {
-		if strings.HasPrefix(subject, p) {
-			return strings.TrimPrefix(subject, p)
-		}
-	}
-	return subject
-}
-
-func (g *gateway) listRooms() ([]roomWire, error) {
-	rooms, err := g.cli.ListMyRooms()
-	if err != nil {
-		return nil, err
-	}
-	out := make([]roomWire, 0, len(rooms))
-	for _, rm := range rooms {
-		out = append(out, roomWire{
-			ID:       rm.RoomID,
-			Subject:  rm.Subject,
-			Name:     subjectName(rm.Subject),
-			Epoch:    rm.Epoch,
-			Encrypt:  rm.Policy.Encrypt,
-			Persist:  rm.Policy.Persist,
-			SignMsgs: rm.Policy.SignMsgs,
-			Role:     rm.Role,
-		})
-	}
-	return out, nil
-}
-
-func (g *gateway) createRoom(req createRoomReq) (roomWire, error) {
-	subject := strings.TrimSpace(req.Subject)
-	if subject == "" {
-		return roomWire{}, fmt.Errorf("webgw: subject required")
-	}
-	p := req.policy()
-	roomID, err := g.cli.CreateRoom(subject, p)
-	if err != nil {
-		return roomWire{}, err
-	}
-	// Under a per-subject ACL the operator's frozen NATS permissions do not yet
-	// cover the new room's subject; refresh so subsequent data-plane use works. On
-	// a plaintext/non-ACL dev bus this is unnecessary and would needlessly drop any
-	// live SSE subscriptions, so it is gated on the secured posture.
-	if g.refreshACL {
-		_ = g.cli.RefreshSession()
-	}
-	return roomWire{
-		ID:       roomID,
-		Subject:  subject,
-		Name:     subjectName(subject),
-		Epoch:    1,
-		Encrypt:  p.Encrypt,
-		Persist:  p.Persist,
-		SignMsgs: p.SignMsgs,
-		Role:     "owner",
-	}, nil
-}
-
-// join resolves room metadata and (for encrypted rooms) fetches the room key so
-// the gateway can later open payloads. Idempotent.
-func (g *gateway) join(roomID string) error {
-	if err := g.cli.Join(roomID); err != nil {
-		return err
-	}
-	if g.refreshACL {
-		_ = g.cli.RefreshSession()
-	}
-	return nil
-}
-
-// send publishes plaintext to a room. The unibus client seals it with the room
-// key (encrypted rooms) and signs it (signed rooms) before it leaves the process.
-func (g *gateway) send(roomID, body string) error {
-	return g.cli.Publish(roomID, []byte(body))
-}
@@ -1,140 +0,0 @@
-package main
-
-import (
-	"sync"
-
-	"github.com/enmanuel/unibus/pkg/client"
-	"github.com/enmanuel/unibus/pkg/frame"
-	"github.com/oklog/ulid/v2"
-)
-
-// roomHub multiplexes ONE unibus room subscription to MANY SSE clients. The
-// unibus client derives a per-(room, endpoint) durable consumer name, so a
-// second Subscribe for the same room from the same operator would contend for
-// the same durable (load-balanced delivery) rather than each browser receiving
-// every message. The hub holds a single subscription per room and fans each
-// decrypted frame out to every connected browser, which also means the gateway
-// opens at most one bus subscription per room regardless of how many tabs watch
-// it.
-type roomHub struct {
-	roomID     string
-	myEndpoint string
-	sub        *client.Sub
-
-	mu      sync.Mutex
-	clients map[chan msgWire]struct{}
-}
-
-// frameTS decodes the millisecond timestamp embedded in a frame's ULID id. A
-// malformed id (should not happen for bus-produced frames) yields 0, which the
-// browser renders without crashing.
-func frameTS(msgID string) int64 {
-	id, err := ulid.Parse(msgID)
-	if err != nil {
-		return 0
-	}
-	return int64(id.Time())
-}
-
-// newRoomHub opens the single bus subscription for roomID and starts fanning
-// decrypted frames out to registered clients. The room must already be joined
-// (so the gateway holds the room key) before this is called.
-func newRoomHub(cli *client.Client, roomID, myEndpoint string) (*roomHub, error) {
-	h := &roomHub{
-		roomID:     roomID,
-		myEndpoint: myEndpoint,
-		clients:    map[chan msgWire]struct{}{},
-	}
-	sub, err := cli.Subscribe(roomID, func(f frame.Frame, plaintext []byte) {
-		m := msgWire{
-			ID:     f.MsgID,
-			Sender: f.Sender,
-			Body:   string(plaintext),
-			TS:     frameTS(f.MsgID),
-			Mine:   f.Sender == myEndpoint,
-		}
-		h.broadcast(m)
-	})
-	if err != nil {
-		return nil, err
-	}
-	h.sub = sub
-	return h, nil
-}
-
-// broadcast delivers a message to every registered client without blocking the
-// NATS delivery goroutine: a client whose buffer is full (a stalled browser)
-// drops this frame rather than stalling the whole room.
-func (h *roomHub) broadcast(m msgWire) {
-	h.mu.Lock()
-	defer h.mu.Unlock()
-	for ch := range h.clients {
-		select {
-		case ch <- m:
-		default:
-		}
-	}
-}
-
-// add registers a new SSE client channel.
-func (h *roomHub) add(ch chan msgWire) {
-	h.mu.Lock()
-	defer h.mu.Unlock()
-	h.clients[ch] = struct{}{}
-}
-
-// stop unsubscribes from the bus. Local delivery ends; for a persisted room the
-// durable consumer's ack position stays on the server, so a later subscription
-// with the same operator resumes from where it left off.
-func (h *roomHub) stop() {
-	if h.sub != nil {
-		_ = h.sub.Unsubscribe()
-	}
-}
-
-// openStream joins the room (idempotent; fetches the room key for encrypted
-// rooms), attaches an SSE client to the room's hub (creating it on first watcher),
-// and returns the client's message channel plus a cleanup func. The cleanup
-// detaches the client and, when it was the last watcher, tears down the room's
-// single bus subscription.
-func (g *gateway) openStream(roomID string) (chan msgWire, func(), error) {
-	if err := g.join(roomID); err != nil {
-		return nil, nil, err
-	}
-	g.mu.Lock()
-	h := g.hubs[roomID]
-	if h == nil {
-		var err error
-		h, err = newRoomHub(g.cli, roomID, g.endpoint)
-		if err != nil {
-			g.mu.Unlock()
-			return nil, nil, err
-		}
-		g.hubs[roomID] = h
-	}
-	g.mu.Unlock()
-
-	// Buffer so a brief render hitch in the browser does not drop live frames; a
-	// sustained stall still drops (broadcast is non-blocking) rather than wedging
-	// the room.
-	ch := make(chan msgWire, 64)
-	h.add(ch)
-
-	// cleanup takes g.mu before h.mu (the single, consistent lock order) so a
-	// concurrent openStream that re-creates the hub cannot race the teardown.
-	cleanup := func() {
-		g.mu.Lock()
-		defer g.mu.Unlock()
-		h.mu.Lock()
-		delete(h.clients, ch)
-		empty := len(h.clients) == 0
-		h.mu.Unlock()
-		if empty {
-			if cur := g.hubs[roomID]; cur == h {
-				delete(g.hubs, roomID)
-				h.stop()
-			}
-		}
-	}
-	return ch, cleanup, nil
-}
@@ -1,98 +0,0 @@
-package main
-
-import (
-	"encoding/base64"
-	"encoding/json"
-	"fmt"
-	"os"
-	"os/exec"
-
-	cs "fn-registry/functions/cybersecurity"
-)
-
-// identityJSON mirrors the on-disk / pass-stored identity format shared across
-// the unibus tooling: the four keypair halves, each std-base64. It is the SAME
-// shape the bus client persists (pkg/client identity file) and the operator's
-// `pass` entry unibus/operator-identity, so the web gateway loads the operator's
-// identity without a divergent serialization. Kept in lockstep with
-// unibus_admin/internal/admin/identity.go.
-type identityJSON struct {
-	SignPub  string `json:"sign_pub"`
-	SignPriv string `json:"sign_priv"`
-	KexPub   string `json:"kex_pub"`
-	KexPriv  string `json:"kex_priv"`
-}
-
-// decodeIdentity turns the JSON identity bytes into a cs.Identity. The private
-// halves stay only in memory; this never writes them anywhere.
-func decodeIdentity(raw []byte) (cs.Identity, error) {
-	var f identityJSON
-	if err := json.Unmarshal(raw, &f); err != nil {
-		return cs.Identity{}, fmt.Errorf("webgw: parse identity json: %w", err)
-	}
-	dec := base64.StdEncoding.DecodeString
-	signPub, err := dec(f.SignPub)
-	if err != nil {
-		return cs.Identity{}, fmt.Errorf("webgw: decode sign_pub: %w", err)
-	}
-	signPriv, err := dec(f.SignPriv)
-	if err != nil {
-		return cs.Identity{}, fmt.Errorf("webgw: decode sign_priv: %w", err)
-	}
-	kexPub, err := dec(f.KexPub)
-	if err != nil {
-		return cs.Identity{}, fmt.Errorf("webgw: decode kex_pub: %w", err)
-	}
-	kexPriv, err := dec(f.KexPriv)
-	if err != nil {
-		return cs.Identity{}, fmt.Errorf("webgw: decode kex_priv: %w", err)
-	}
-	if len(signPub) != 32 || len(signPriv) != 64 || len(kexPub) != 32 || len(kexPriv) != 32 {
-		return cs.Identity{}, fmt.Errorf("webgw: identity has wrong key sizes (sign_pub=%d sign_priv=%d kex_pub=%d kex_priv=%d)",
-			len(signPub), len(signPriv), len(kexPub), len(kexPriv))
-	}
-	return cs.Identity{SignPub: signPub, SignPriv: signPriv, KexPub: kexPub, KexPriv: kexPriv}, nil
-}
-
-// loadIdentityFromFile reads a 0600 identity JSON file (the same format the bus
-// client writes) and decodes it. Used on a deploy host where `pass` is not
-// available and the operator identity is delivered as a protected file.
-func loadIdentityFromFile(path string) (cs.Identity, error) {
-	raw, err := os.ReadFile(path)
-	if err != nil {
-		return cs.Identity{}, fmt.Errorf("webgw: read identity file %q: %w", path, err)
-	}
-	return decodeIdentity(raw)
-}
-
-// loadIdentityFromPass shells out to `pass show <entry>` and decodes the JSON
-// identity it returns. The secret is held only in memory; this process never
-// writes it to disk or argv. Used in local operator workflows where the GNU
-// password store holds unibus/operator-identity.
-func loadIdentityFromPass(entry string) (cs.Identity, error) {
-	out, err := exec.Command("pass", "show", entry).Output()
-	if err != nil {
-		return cs.Identity{}, fmt.Errorf("webgw: pass show %q: %w", entry, err)
-	}
-	return decodeIdentity(out)
-}
-
-// loadPassValue returns the first line of a `pass show <entry>` for non-identity
-// secrets (e.g. the unlock passphrase). Empty entry yields an empty string and
-// no error, so callers can treat "no pass entry configured" as "not set".
-func loadPassValue(entry string) (string, error) {
-	if entry == "" {
-		return "", nil
-	}
-	out, err := exec.Command("pass", "show", entry).Output()
-	if err != nil {
-		return "", fmt.Errorf("webgw: pass show %q: %w", entry, err)
-	}
-	s := string(out)
-	for i := 0; i < len(s); i++ {
-		if s[i] == '\n' || s[i] == '\r' {
-			return s[:i], nil
-		}
-	}
-	return s, nil
-}
@@ -1,180 +0,0 @@
-// Command webgw is the web gateway for the unibus chat SPA. It is a single Go
-// binary that holds the operator's bus identity, connects to the bus as a real
-// authenticated peer (pkg/client), and exposes a small REST + SSE API the
-// browser consumes. The browser never signs, never speaks NATS, and never sees a
-// private key: it authenticates to the gateway with a passphrase and thereafter
-// holds only an opaque session cookie.
-//
-// TRUST MODEL (MVP, single operator): room content stays end-to-end encrypted on
-// the bus. The gateway can read plaintext because it acts AS the operator's
-// client — a legitimate member of each room holding the room key. Decryption
-// happens server-side in this process; cleartext then crosses an authenticated
-// (loopback or TLS-fronted) SSE channel to the browser. The wallet phase (issue:
-// per-browser WebCrypto identity) can move decryption into the browser; see the
-// report for the FASE 2 plan.
-//
-//	# local dev against a loopback membershipd (plaintext), operator from pass:
-//	webgw --identity-pass unibus/operator-identity \
-//	  --ctrl-url http://127.0.0.1:8470 --nats-url nats://127.0.0.1:4250
-//
-//	# secured cluster (TLS + nkey on both planes), identity from a 0600 file:
-//	webgw --ca ca.crt --identity-file operator.id \
-//	  --ctrl-url https://node-a:8470 --nats-url nats://node-a:4250 \
-//	  --ctrl-urls https://node-b:8470,https://node-c:8470 \
-//	  --nats-urls nats://node-b:4250,nats://node-c:4250
-package main
-
-import (
-	"context"
-	"flag"
-	"log"
-	"net/http"
-	"os"
-	"os/signal"
-	"path/filepath"
-	"strings"
-	"syscall"
-	"time"
-
-	cs "fn-registry/functions/cybersecurity"
-)
-
-func main() {
-	var (
-		bind         = flag.String("bind", "127.0.0.1", "interface to bind the gateway HTTP server to (loopback by default)")
-		port         = flag.String("port", "8481", "gateway HTTP port")
-		ctrlURL      = flag.String("ctrl-url", "http://127.0.0.1:8470", "primary unibus control-plane base URL")
-		ctrlURLs     = flag.String("ctrl-urls", "", "comma-separated ADDITIONAL control-plane base URLs (cluster failover)")
-		natsURL      = flag.String("nats-url", "nats://127.0.0.1:4250", "primary NATS URL")
-		natsURLs     = flag.String("nats-urls", "", "comma-separated ADDITIONAL NATS seed URLs (cluster failover)")
-		caPath       = flag.String("ca", "", "bus CA cert path; set to talk TLS+nkey to a secured bus (empty = plaintext dev)")
-		identityFile = flag.String("identity-file", "", "path to the operator identity JSON file (0600). Mutually exclusive with --identity-pass")
-		identityPass = flag.String("identity-pass", "", "pass(1) entry holding the operator identity JSON, e.g. unibus/operator-identity")
-		unlockPass   = flag.String("unlock-pass", "", "literal passphrase the browser must send to unlock a session (dev). Prefer --unlock-pass-entry")
-		unlockEntry  = flag.String("unlock-pass-entry", "unibus/admin-panel-password", "pass(1) entry holding the unlock passphrase (used when --unlock-pass is empty)")
-		webDir       = flag.String("web-dir", "", "OPTIONAL path to the built SPA (web/dist) to serve. Empty = API only (use vite dev server)")
-	)
-	flag.Parse()
-
-	log.SetFlags(log.LstdFlags | log.Lmsgprefix)
-	log.SetPrefix("[webgw] ")
-
-	id, err := loadIdentity(*identityFile, *identityPass)
-	if err != nil {
-		log.Fatalf("%v", err)
-	}
-
-	unlock := *unlockPass
-	if unlock == "" {
-		unlock, err = loadPassValue(*unlockEntry)
-		if err != nil {
-			log.Fatalf("resolve unlock passphrase: %v", err)
-		}
-	}
-	if unlock == "" {
-		log.Fatalf("an unlock passphrase is required: set --unlock-pass or a non-empty --unlock-pass-entry (default unibus/admin-panel-password)")
-	}
-
-	resolvedWebDir := resolveWebDir(*webDir)
-
-	gw, err := newGateway(gatewayConfig{
-		Identity: id,
-		NatsURL:  *natsURL,
-		CtrlURL:  *ctrlURL,
-		CtrlURLs: splitCSV(*ctrlURLs),
-		NatsURLs: splitCSV(*natsURLs),
-		CAPath:   *caPath,
-	})
-	if err != nil {
-		log.Fatalf("%v", err)
-	}
-	defer gw.Close()
-
-	log.Printf("operator endpoint: %s", gw.endpoint)
-	log.Printf("control plane: %s (+%d failover)", *ctrlURL, len(splitCSV(*ctrlURLs)))
-	tls := "OFF (plaintext dev)"
-	if *caPath != "" {
-		tls = "ON (CA " + *caPath + ")"
-	}
-	log.Printf("bus TLS+nkey: %s", tls)
-	if resolvedWebDir != "" {
-		log.Printf("serving SPA from: %s", resolvedWebDir)
-	} else {
-		log.Printf("API only (no --web-dir): use the vite dev server with a /api+stream proxy")
-	}
-
-	srv := newServer(gw, unlock, resolvedWebDir)
-	addr := *bind + ":" + *port
-	httpSrv := &http.Server{
-		Addr:    addr,
-		Handler: srv,
-		// No global write timeout: SSE streams are long-lived. Header timeout still
-		// bounds slowloris on the request line/headers.
-		ReadHeaderTimeout: 10 * time.Second,
-	}
-
-	go func() {
-		log.Printf("web gateway: http://%s", addr)
-		if err := httpSrv.ListenAndServe(); err != nil && err != http.ErrServerClosed {
-			log.Fatalf("http server: %v", err)
-		}
-	}()
-
-	stop := make(chan os.Signal, 1)
-	signal.Notify(stop, syscall.SIGINT, syscall.SIGTERM)
-	<-stop
-	log.Printf("shutting down...")
-	ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
-	defer cancel()
-	_ = httpSrv.Shutdown(ctx)
-	log.Printf("bye")
-}
-
-// loadIdentity resolves the operator identity from exactly one of --identity-file
-// or --identity-pass.
-func loadIdentity(file, passEntry string) (cs.Identity, error) {
-	switch {
-	case file != "" && passEntry != "":
-		return cs.Identity{}, errFlag("set only one of --identity-file or --identity-pass")
-	case file != "":
-		return loadIdentityFromFile(file)
-	case passEntry != "":
-		return loadIdentityFromPass(passEntry)
-	default:
-		return cs.Identity{}, errFlag("an identity is required: pass --identity-file <path> or --identity-pass <entry>")
-	}
-}
-
-// resolveWebDir validates the --web-dir flag. An empty flag means API-only. A
-// non-empty dir is kept only if it actually holds an index.html, so a typo logs
-// "API only" rather than serving 404s.
-func resolveWebDir(dir string) string {
-	if dir == "" {
-		return ""
-	}
-	abs, err := filepath.Abs(dir)
-	if err != nil {
-		log.Printf("WARN --web-dir %q: %v; serving API only", dir, err)
-		return ""
-	}
-	if !statFile(filepath.Join(abs, "index.html")) {
-		log.Printf("WARN --web-dir %q has no index.html; serving API only", abs)
-		return ""
-	}
-	return abs
-}
-
-type flagErr string
-
-func (e flagErr) Error() string { return string(e) }
-func errFlag(s string) error    { return flagErr("webgw: " + s) }
-
-func splitCSV(s string) []string {
-	var out []string
-	for _, p := range strings.Split(s, ",") {
-		if p = strings.TrimSpace(p); p != "" {
-			out = append(out, p)
-		}
-	}
-	return out
-}
@@ -1,301 +0,0 @@
-package main
-
-import (
-	"crypto/rand"
-	"crypto/subtle"
-	"encoding/hex"
-	"encoding/json"
-	"net/http"
-	"os"
-	"path/filepath"
-	"strings"
-	"sync"
-	"time"
-)
-
-// sessionCookie is the name of the gateway's session cookie. The browser sends
-// it automatically on same-origin fetches AND on EventSource (SSE) connections —
-// EventSource cannot set custom headers, so a cookie is the only way to
-// authenticate the stream. It is HttpOnly so page JS can never read the token.
-const sessionCookie = "unibus_session"
-
-// server is the gateway's HTTP surface: a small REST/SSE API under /api gated by
-// a session cookie, plus an optional static file server for the built SPA. The
-// gateway's privileged operator identity never leaves the process; the browser
-// authenticates with a passphrase and thereafter holds only an opaque session
-// token.
-type server struct {
-	gw     *gateway
-	unlock string // passphrase that unlocks a session (compared in constant time)
-	webDir string // optional path to the built SPA (web/dist); empty = API only
-	mux    *http.ServeMux
-
-	mu       sync.Mutex
-	sessions map[string]time.Time // token -> issued-at
-}
-
-func newServer(gw *gateway, unlock, webDir string) *server {
-	s := &server{
-		gw:       gw,
-		unlock:   unlock,
-		webDir:   webDir,
-		mux:      http.NewServeMux(),
-		sessions: map[string]time.Time{},
-	}
-	s.routes()
-	return s
-}
-
-func (s *server) ServeHTTP(w http.ResponseWriter, r *http.Request) { s.mux.ServeHTTP(w, r) }
-
-func (s *server) routes() {
-	// Liveness, unauthenticated (systemd / deploy smoke).
-	s.mux.HandleFunc("GET /healthz", func(w http.ResponseWriter, _ *http.Request) {
-		writeJSON(w, http.StatusOK, map[string]string{"status": "ok"})
-	})
-
-	// Auth: login is the only /api route reachable without a session.
-	s.mux.HandleFunc("POST /api/login", s.handleLogin)
-	s.mux.HandleFunc("POST /api/logout", s.auth(s.handleLogout))
-	s.mux.HandleFunc("GET /api/me", s.auth(s.handleMe))
-
-	s.mux.HandleFunc("GET /api/rooms", s.auth(s.handleListRooms))
-	s.mux.HandleFunc("POST /api/rooms", s.auth(s.handleCreateRoom))
-	s.mux.HandleFunc("POST /api/rooms/{id}/join", s.auth(s.handleJoin))
-	s.mux.HandleFunc("POST /api/rooms/{id}/send", s.auth(s.handleSend))
-	s.mux.HandleFunc("GET /api/rooms/{id}/stream", s.auth(s.handleStream))
-
-	// Everything else is the SPA (when --web-dir is set). Registered last.
-	if s.webDir != "" {
-		s.mux.Handle("/", s.spaHandler())
-	}
-}
-
-// ---- auth -----------------------------------------------------------------
-
-// auth wraps a handler so it runs only with a valid session cookie. A missing or
-// unknown token yields 401, which the SPA treats as "show the login screen".
-func (s *server) auth(next http.HandlerFunc) http.HandlerFunc {
-	return func(w http.ResponseWriter, r *http.Request) {
-		c, err := r.Cookie(sessionCookie)
-		if err != nil || !s.validSession(c.Value) {
-			writeErr(w, http.StatusUnauthorized, "not authenticated")
-			return
-		}
-		next(w, r)
-	}
-}
-
-func (s *server) validSession(token string) bool {
-	if token == "" {
-		return false
-	}
-	s.mu.Lock()
-	defer s.mu.Unlock()
-	_, ok := s.sessions[token]
-	return ok
-}
-
-func (s *server) handleLogin(w http.ResponseWriter, r *http.Request) {
-	var req struct {
-		Passphrase string `json:"passphrase"`
-	}
-	if !decode(w, r, &req) {
-		return
-	}
-	// Constant-time compare so a wrong passphrase cannot be timed character by
-	// character. An empty configured passphrase never matches (main refuses to
-	// start without one, so this is defense in depth).
-	if s.unlock == "" || subtle.ConstantTimeCompare([]byte(req.Passphrase), []byte(s.unlock)) != 1 {
-		writeErr(w, http.StatusUnauthorized, "wrong passphrase")
-		return
-	}
-	tok := newToken()
-	s.mu.Lock()
-	s.sessions[tok] = time.Now()
-	s.mu.Unlock()
-
-	http.SetCookie(w, &http.Cookie{
-		Name:     sessionCookie,
-		Value:    tok,
-		Path:     "/",
-		HttpOnly: true,
-		SameSite: http.SameSiteLaxMode,
-	})
-	writeJSON(w, http.StatusOK, s.gw.me())
-}
-
-func (s *server) handleLogout(w http.ResponseWriter, r *http.Request) {
-	if c, err := r.Cookie(sessionCookie); err == nil {
-		s.mu.Lock()
-		delete(s.sessions, c.Value)
-		s.mu.Unlock()
-	}
-	http.SetCookie(w, &http.Cookie{Name: sessionCookie, Value: "", Path: "/", MaxAge: -1, HttpOnly: true})
-	writeJSON(w, http.StatusOK, map[string]string{"status": "logged_out"})
-}
-
-func (s *server) handleMe(w http.ResponseWriter, _ *http.Request) {
-	writeJSON(w, http.StatusOK, s.gw.me())
-}
-
-// ---- rooms ----------------------------------------------------------------
-
-func (s *server) handleListRooms(w http.ResponseWriter, _ *http.Request) {
-	rooms, err := s.gw.listRooms()
-	if err != nil {
-		writeErr(w, http.StatusBadGateway, err.Error())
-		return
-	}
-	writeJSON(w, http.StatusOK, rooms)
-}
-
-func (s *server) handleCreateRoom(w http.ResponseWriter, r *http.Request) {
-	var req createRoomReq
-	if !decode(w, r, &req) {
-		return
-	}
-	rv, err := s.gw.createRoom(req)
-	if err != nil {
-		writeErr(w, http.StatusBadGateway, err.Error())
-		return
-	}
-	writeJSON(w, http.StatusCreated, rv)
-}
-
-func (s *server) handleJoin(w http.ResponseWriter, r *http.Request) {
-	if err := s.gw.join(r.PathValue("id")); err != nil {
-		writeErr(w, http.StatusBadGateway, err.Error())
-		return
-	}
-	writeJSON(w, http.StatusOK, map[string]string{"status": "joined"})
-}
-
-func (s *server) handleSend(w http.ResponseWriter, r *http.Request) {
-	var req sendReq
-	if !decode(w, r, &req) {
-		return
-	}
-	if strings.TrimSpace(req.Body) == "" {
-		writeErr(w, http.StatusBadRequest, "body required")
-		return
-	}
-	if err := s.gw.send(r.PathValue("id"), req.Body); err != nil {
-		writeErr(w, http.StatusBadGateway, err.Error())
-		return
-	}
-	writeJSON(w, http.StatusOK, map[string]string{"status": "sent"})
-}
-
-// handleStream is the SSE endpoint: it joins the room, attaches to the room's
-// fan-out hub, and streams each decrypted message as a `data:` event. For a
-// persisted room the hub's underlying subscription delivers history first
-// (scrollback) and then live messages; for an ephemeral room only live messages
-// flow. The stream ends when the browser disconnects (ctx cancelled).
-func (s *server) handleStream(w http.ResponseWriter, r *http.Request) {
-	flusher, ok := w.(http.Flusher)
-	if !ok {
-		writeErr(w, http.StatusInternalServerError, "streaming unsupported")
-		return
-	}
-	ch, cleanup, err := s.gw.openStream(r.PathValue("id"))
-	if err != nil {
-		writeErr(w, http.StatusBadGateway, err.Error())
-		return
-	}
-	defer cleanup()
-
-	w.Header().Set("Content-Type", "text/event-stream")
-	w.Header().Set("Cache-Control", "no-cache")
-	w.Header().Set("Connection", "keep-alive")
-	w.Header().Set("X-Accel-Buffering", "no") // disable proxy buffering (nginx/caddy)
-	w.WriteHeader(http.StatusOK)
-	// An initial comment opens the stream immediately so the browser's
-	// EventSource fires `onopen` without waiting for the first message.
-	_, _ = w.Write([]byte(": connected\n\n"))
-	flusher.Flush()
-
-	ctx := r.Context()
-	ping := time.NewTicker(25 * time.Second)
-	defer ping.Stop()
-	for {
-		select {
-		case <-ctx.Done():
-			return
-		case <-ping.C:
-			// Comment line keeps idle proxies from closing the connection.
-			if _, err := w.Write([]byte(": ping\n\n")); err != nil {
-				return
-			}
-			flusher.Flush()
-		case m := <-ch:
-			b, err := json.Marshal(m)
-			if err != nil {
-				continue
-			}
-			if _, err := w.Write([]byte("data: " + string(b) + "\n\n")); err != nil {
-				return
-			}
-			flusher.Flush()
-		}
-	}
-}
-
-// ---- SPA serving (optional) -----------------------------------------------
-
-// spaHandler serves the built SPA from s.webDir. A request for an existing asset
-// is served directly; any other path (a client-side route) falls back to
-// index.html so the SPA router can take over. /api and /healthz are matched first.
-func (s *server) spaHandler() http.Handler {
-	root := http.Dir(s.webDir)
-	fileServer := http.FileServer(root)
-	index := filepath.Join(s.webDir, "index.html")
-	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		p := strings.TrimPrefix(r.URL.Path, "/")
-		if p == "" {
-			http.ServeFile(w, r, index)
-			return
-		}
-		if f, err := root.Open(p); err == nil {
-			_ = f.Close()
-			fileServer.ServeHTTP(w, r)
-			return
-		}
-		http.ServeFile(w, r, index) // unknown path -> SPA client-side routing
-	})
-}
-
-// ---- helpers --------------------------------------------------------------
-
-func newToken() string {
-	b := make([]byte, 32)
-	_, _ = rand.Read(b)
-	return hex.EncodeToString(b)
-}
-
-func writeJSON(w http.ResponseWriter, code int, v any) {
-	w.Header().Set("Content-Type", "application/json")
-	w.WriteHeader(code)
-	_ = json.NewEncoder(w).Encode(v)
-}
-
-func writeErr(w http.ResponseWriter, code int, msg string) {
-	writeJSON(w, code, map[string]string{"error": msg})
-}
-
-// decode reads a JSON body into v, writing a 400 and returning false on failure.
-func decode(w http.ResponseWriter, r *http.Request, v any) bool {
-	defer r.Body.Close()
-	if err := json.NewDecoder(http.MaxBytesReader(w, r.Body, 1<<20)).Decode(v); err != nil {
-		writeErr(w, http.StatusBadRequest, "bad json: "+err.Error())
-		return false
-	}
-	return true
-}
-
-// statFile reports whether path exists and is a regular file (used to validate
-// --web-dir at startup so a typo surfaces as a clear log line, not 404s later).
-func statFile(path string) bool {
-	fi, err := os.Stat(path)
-	return err == nil && !fi.IsDir()
-}
@@ -283,3 +283,61 @@ ssh dd 'sudo systemctl start membershipd-cluster'   # rejoins, catches up
 the unit and start it without `--store kv`/`--cluster-name`; the KV buckets remain
 for a later retry. To rotate the cluster CA, re-run `generate-cluster-certs.sh
 --force` and re-stage (every node must get the new `cluster-ca.crt` together).
+
+## NATS server metrics (loopback monitoring — optional)
+
+The embedded NATS server can expose its own monitoring HTTP endpoint so a local
+scraper reads server-level metrics that `/healthz` does not surface: msgs/s,
+connections, slow consumers, memory, KV bucket message counts, the RAFT leader per
+stream and per-stream restarts. This feeds the `unibus-nats` dashboard in
+`fleet_monitoring` (the scraper hits `127.0.0.1:8222/varz|/connz|/jsz` over
+loopback and pushes to VictoriaMetrics).
+
+The endpoint is opened by the **dedicated** environment toggle `UNIBUS_NATS_MONITOR=1`
+(0.11.0+ binary). It is **decoupled** from `UNIBUS_NATS_DEBUG`: it opens the
+monitoring endpoint WITHOUT enabling the verbose nats-server debug log, so no room
+subjects or routing metadata leak to journald (keeps the hardened posture, issue
+0007). The endpoint binds `127.0.0.1:8222` **only** — the binary hardcodes the
+loopback bind, so it is never reachable from the network and needs no auth. Never
+use `UNIBUS_NATS_DEBUG` in production just to get the endpoint.
+
+### Enable it (HUMAN — requires the 0.11.0+ binary on the node)
+
+The clean way is the additive systemd drop-in in this directory:
+
+```bash
+# On each node, AFTER the 0.11.0+ binary is in /opt/unibus/membershipd:
+ssh <node> 'sudo mkdir -p /etc/systemd/system/membershipd-cluster.service.d'
+scp membershipd-cluster.service.d/nats-monitor.conf <node>:/tmp/nats-monitor.conf
+ssh <node> 'sudo cp /tmp/nats-monitor.conf /etc/systemd/system/membershipd-cluster.service.d/ \
+  && sudo systemctl daemon-reload && sudo systemctl restart membershipd-cluster'
+```
+
+(Equivalently, add `UNIBUS_NATS_MONITOR=1` to `/opt/unibus/cluster.env`, which the
+unit already sources via `EnvironmentFile`; the drop-in is preferred because it is
+self-documenting and does not edit the generated env file.)
+
+### Rolling restart with the R3 reconvergence gate (CRITICAL)
+
+`systemctl restart membershipd-cluster` restarts that node's JetStream RAFT member.
+**Never restart two nodes at once** — that would drop the cluster below quorum
+(2/3) and fail the control plane closed. Roll **one node at a time**, in the order
+`magnus → homer → datardos`, and between each node wait until the cluster has
+reconverged to R3 (every control-plane bucket back to `followers_current=2/2`):
+
+```bash
+# After restarting ONE node, gate on R3 reconvergence before touching the next:
+ssh root@magnus 'for s in KV_UNIBUS_users KV_UNIBUS_rooms KV_UNIBUS_members \
+  KV_UNIBUS_room_keys KV_UNIBUS_rooms_by_member KV_UNIBUS_nonces; do
+    nats --server nats://127.0.0.1:4250 stream info "$s" -j \
+      | jq -r --arg s "$s" \"\\($s): replicas=\\(.cluster.replicas|length) leader=\\(.cluster.leader)\"
+  done'
+# Proceed to the next node ONLY when all six show 3 replicas with a leader
+# (i.e. 2/2 followers current). Also confirm healthz is green on the just-restarted
+# node first:
+ssh <node> 'curl -fsS https://127.0.0.1:8470/healthz --cacert /opt/unibus/tls/ca.crt'
+```
+
+This restart is normally **not** done as a standalone step: the 0.11.0 binary that
+carries the flag is rolled to the three nodes in the consolidated rollout, and the
+drop-in is installed during that same rolling restart.
@@ -0,0 +1,27 @@
+# Drop-in: enable the embedded NATS server monitoring HTTP endpoint so a local
+# metrics scraper can read /varz, /connz and /jsz for server-level metrics
+# (msgs/s, connections, KV bucket msgs, RAFT leader per stream, restarts).
+#
+# ADDITIVE and minimal: it only sets one environment variable; the base unit
+# (membershipd-cluster.service) is otherwise unchanged.
+#
+# UNIBUS_NATS_MONITOR is DECOUPLED from UNIBUS_NATS_DEBUG: it opens the monitoring
+# endpoint WITHOUT enabling the verbose nats-server debug log, so no room subjects
+# or routing metadata are written to journald (keeps the hardened posture, issue
+# 0007). Do NOT use UNIBUS_NATS_DEBUG in production just to get the endpoint.
+#
+# The endpoint binds 127.0.0.1:8222 ONLY — the binary hardcodes the loopback bind,
+# so it is never reachable from the network and needs no auth. The scraper runs on
+# the same host and reads it over loopback.
+#
+# Requires the 0.11.0+ membershipd binary (the one that honors UNIBUS_NATS_MONITOR).
+# Install on a node:
+#   sudo mkdir -p /etc/systemd/system/membershipd-cluster.service.d
+#   sudo cp nats-monitor.conf /etc/systemd/system/membershipd-cluster.service.d/
+#   sudo systemctl daemon-reload && sudo systemctl restart membershipd-cluster
+#
+# Restarting a node restarts its JetStream RAFT member, so roll ONE node at a time
+# and wait for R3 reconvergence (followers 2/2) before touching the next. See the
+# "NATS server metrics" section of this directory's README for the full runbook.
+[Service]
+Environment=UNIBUS_NATS_MONITOR=1
@@ -0,0 +1,28 @@
+-- 003_invites.sql — single-use registration invites (issue: user accounts / wallet model).
+--
+-- An admin mints an invite so a brand-new identity can join the bus allowlist
+-- WITHOUT the admin ever handling its private key. The token is the bearer
+-- secret that authorizes POST /register: the registering client generates its
+-- keypair locally and publishes only its public keys, fixing the link between an
+-- invite and the identity it creates via the audit columns below. The handle and
+-- role are fixed by the admin at mint time and cannot be changed by the client
+-- (no privilege escalation).
+--
+-- Additive and idempotent: safe to apply repeatedly. Never modify this file;
+-- further schema changes go in new numbered migrations (see
+-- .claude/rules/db_migrations.md). The embedded copy under
+-- pkg/membership/migrations/003_invites.sql mirrors this file byte-for-byte.
+
+CREATE TABLE IF NOT EXISTS invites (
+  token         TEXT PRIMARY KEY,                -- 32 random bytes in lowercase hex (the bearer secret)
+  handle        TEXT NOT NULL,                   -- handle the new user will get (fixed by admin)
+  role          TEXT NOT NULL DEFAULT 'member',  -- 'admin' | 'member' (fixed by admin)
+  expires_at    TEXT NOT NULL,                   -- RFC3339; past this the invite is dead
+  used          INTEGER NOT NULL DEFAULT 0,      -- 0 pending, 1 consumed (single-use)
+  created_at    TEXT NOT NULL,
+  used_at       TEXT,                            -- RFC3339 when consumed (NULL until used)
+  used_sign_pub TEXT,                            -- Ed25519 key that consumed it (audit; NULL until used)
+  used_kex_pub  TEXT                             -- X25519 key presented at registration (audit; NULL until used)
+);
+
+CREATE INDEX IF NOT EXISTS idx_invites_used ON invites(used);
@@ -331,6 +331,60 @@ func (c *Client) doJSON(method, path string, body, out any) error {
 	return fmt.Errorf("client: %s %s: all control planes failed: %w", method, path, lastErr)
 }

+// doUnsigned performs a control-plane request WITHOUT the transport signature
+// headers, for the one endpoint a not-yet-registered identity must reach: POST
+// /register. The registering peer is not in the allowlist, so it cannot produce
+// an accepted signature; authorization is the single-use invite token inside the
+// body. Like doJSON it fails over across the control-plane endpoints (any node
+// serves the same state) and surfaces the server's structured error message.
+func (c *Client) doUnsigned(method, path string, body, out any) error {
+	var bodyBytes []byte
+	if body != nil {
+		b, err := json.Marshal(body)
+		if err != nil {
+			return fmt.Errorf("client: marshal request: %w", err)
+		}
+		bodyBytes = b
+	}
+	var lastErr error
+	for _, base := range c.ctrlURLs {
+		var rdr io.Reader
+		if bodyBytes != nil {
+			rdr = bytes.NewReader(bodyBytes)
+		}
+		req, err := http.NewRequest(method, base+path, rdr)
+		if err != nil {
+			return fmt.Errorf("client: new request: %w", err)
+		}
+		if body != nil {
+			req.Header.Set("Content-Type", "application/json")
+		}
+		resp, err := c.http.Do(req)
+		if err != nil {
+			lastErr = err
+			continue // dead node: try the next control plane
+		}
+		defer resp.Body.Close()
+		respBody, _ := io.ReadAll(resp.Body)
+		if resp.StatusCode >= 300 {
+			var er struct {
+				Error string `json:"error"`
+			}
+			if json.Unmarshal(respBody, &er) == nil && er.Error != "" {
+				return fmt.Errorf("%s (HTTP %d)", er.Error, resp.StatusCode)
+			}
+			return fmt.Errorf("client: %s %s -> %d: %s", method, path, resp.StatusCode, string(respBody))
+		}
+		if out != nil {
+			if err := json.Unmarshal(respBody, out); err != nil {
+				return fmt.Errorf("client: decode response: %w", err)
+			}
+		}
+		return nil
+	}
+	return fmt.Errorf("client: %s %s: all control planes failed: %w", method, path, lastErr)
+}
+
 // signRequest signs the canonical bytes of req (req must already have its Sig
 // field cleared) with the client's Ed25519 key. It is symmetric with the
 // server's verifyOwnerSig. This is the PAYLOAD-level owner signature that
@@ -473,6 +527,35 @@ type addUserReq struct {
 	Role    string `json:"role"`
 }

+// createInviteReq / createInviteResp mirror the server's POST /invites types.
+type createInviteReq struct {
+	Handle  string `json:"handle"`
+	Role    string `json:"role"`
+	TTLSecs int    `json:"ttl_secs"`
+}
+
+type createInviteResp struct {
+	Token     string `json:"token"`
+	ExpiresAt string `json:"expires_at"`
+}
+
+// inviteJSON mirrors the server's GET /invites row.
+type inviteJSON struct {
+	Token     string `json:"token"`
+	Handle    string `json:"handle"`
+	Role      string `json:"role"`
+	ExpiresAt string `json:"expires_at"`
+	Used      bool   `json:"used"`
+	CreatedAt string `json:"created_at"`
+}
+
+// registerReq mirrors the server's POST /register body.
+type registerReq struct {
+	Token   string `json:"token"`
+	SignPub string `json:"sign_pub"`
+	KexPub  string `json:"kex_pub"`
+}
+
 // ---- room operations ------------------------------------------------------

 // RoomRef is a room this peer belongs to, returned by ListMyRooms. It is the
@@ -560,6 +643,82 @@ func (c *Client) RevokeUser(signPub string) error {
 	return c.doJSON("POST", "/users/"+signPub+"/revoke", nil, nil)
 }

+// DeleteUser hard-deletes a bus user by their signing public key (64-hex) — the
+// purge counterpart of RevokeUser. The allowlist row is removed entirely (no
+// audit trail); the ex-user can no longer authenticate, so their room
+// memberships become inert. The caller must be signing as an admin.
+func (c *Client) DeleteUser(signPub string) error {
+	return c.doJSON("DELETE", "/users/"+signPub, nil, nil)
+}
+
+// InviteInfo is a single-use registration invite as returned by the admin invite
+// endpoints. It is a flat view for the admin panel: the bearer token (to build
+// the join link), the handle and role the new user will receive, the absolute
+// expiry, whether it has been used, and when it was minted.
+type InviteInfo struct {
+	Token     string
+	Handle    string
+	Role      string
+	ExpiresAt string
+	Used      bool
+	CreatedAt string
+}
+
+// CreateInvite mints a single-use registration invite. handle and role are fixed
+// here (the registering client cannot change them); role is "admin" or "member"
+// (empty defaults to member). ttlSecs sets the link lifetime (non-positive uses
+// the server's 7-day default). The returned InviteInfo carries the token and
+// expiry; the caller turns the token into a join link. Caller must sign as admin.
+func (c *Client) CreateInvite(handle, role string, ttlSecs int) (InviteInfo, error) {
+	var resp createInviteResp
+	if err := c.doJSON("POST", "/invites", createInviteReq{Handle: handle, Role: role, TTLSecs: ttlSecs}, &resp); err != nil {
+		return InviteInfo{}, err
+	}
+	r := role
+	if r == "" {
+		r = "member"
+	}
+	return InviteInfo{Token: resp.Token, Handle: handle, Role: r, ExpiresAt: resp.ExpiresAt}, nil
+}
+
+// ListInvites returns the pending invites (not used, not expired). Caller must
+// sign as admin.
+func (c *Client) ListInvites() ([]InviteInfo, error) {
+	var resp []inviteJSON
+	if err := c.doJSON("GET", "/invites", nil, &resp); err != nil {
+		return nil, err
+	}
+	out := make([]InviteInfo, 0, len(resp))
+	for _, inv := range resp {
+		out = append(out, InviteInfo{
+			Token:     inv.Token,
+			Handle:    inv.Handle,
+			Role:      inv.Role,
+			ExpiresAt: inv.ExpiresAt,
+			Used:      inv.Used,
+			CreatedAt: inv.CreatedAt,
+		})
+	}
+	return out, nil
+}
+
+// CancelInvite cancels (deletes) a pending invite by its token, so an admin can
+// revoke a link before it is redeemed. Caller must sign as admin.
+func (c *Client) CancelInvite(token string) error {
+	return c.doJSON("DELETE", "/invites/"+token, nil, nil)
+}
+
+// Register redeems a single-use invite token, joining the bus allowlist. It is
+// the wallet-model join call: the registering peer generated its own keypair
+// locally and publishes ONLY its public keys here (signPub Ed25519, kexPub
+// X25519, both 64-hex). It is UNSIGNED — the bearer token is the authorization,
+// because this identity is not yet in the allowlist and so cannot sign an
+// accepted request. On success the identity is registered with the invite's
+// handle and role and can connect like any other peer.
+func (c *Client) Register(token, signPub, kexPub string) error {
+	return c.doUnsigned("POST", "/register", registerReq{Token: token, SignPub: signPub, KexPub: kexPub}, nil)
+}
+
 // newRoomKey returns 32 random bytes for a symmetric room key.
 func newRoomKey() ([]byte, error) {
 	k := make([]byte, 32)
@@ -0,0 +1,104 @@
+package client_test
+
+import (
+	"encoding/hex"
+	"testing"
+
+	"github.com/enmanuel/unibus/pkg/client"
+	"github.com/enmanuel/unibus/pkg/membership"
+)
+
+// TestClientInvitesAdminAPI drives the wallet-model account flow through the real
+// pkg/client methods against an in-process membershipd under enforce: an admin
+// mints an invite, a brand-new identity redeems it via the UNSIGNED Register call
+// (it is not yet in the allowlist), the admin then sees the user, and finally the
+// admin hard-deletes it and it vanishes. This is the exact path the admin panel +
+// the /join client page depend on, so it locks the client/server contract.
+func TestClientInvitesAdminAPI(t *testing.T) {
+	h := newHarnessMode(t, membership.AuthEnforce)
+	waitHealth(t, h.ctrlURL)
+
+	admin, err := client.New(h.natsURL, h.ctrlURL, mustIdentity(t))
+	if err != nil {
+		t.Fatalf("connect admin: %v", err)
+	}
+	defer admin.Close()
+	registerClient(t, h, admin, "admin", membership.RoleAdmin)
+
+	// Admin mints a single-use invite fixing handle + role.
+	inv, err := admin.CreateInvite("dora", membership.RoleMember, 0)
+	if err != nil {
+		t.Fatalf("admin CreateInvite: %v", err)
+	}
+	if len(inv.Token) != 64 || inv.ExpiresAt == "" {
+		t.Fatalf("invite malformed: %+v", inv)
+	}
+	if inv.Handle != "dora" || inv.Role != membership.RoleMember {
+		t.Fatalf("invite echo wrong: %+v", inv)
+	}
+
+	// It appears among the pending invites.
+	pend, err := admin.ListInvites()
+	if err != nil {
+		t.Fatalf("admin ListInvites: %v", err)
+	}
+	if !containsToken(pend, inv.Token) {
+		t.Fatalf("minted invite not pending: %+v", pend)
+	}
+
+	// A brand-new identity (NOT in the allowlist) redeems the invite via the
+	// UNSIGNED Register. We model its locally-generated keypair with a fresh
+	// identity and present its two public keys. Redeeming through this joiner
+	// client — which never registered and never seeded an admin — proves Register
+	// needs no admin signature; the bearer token is the sole authorization.
+	newID := mustIdentity(t)
+	signPub := hex.EncodeToString(newID.SignPub)
+	kexPub := hex.EncodeToString(newID.KexPub)
+	joiner, err := client.New(h.natsURL, h.ctrlURL, newID)
+	if err != nil {
+		t.Fatalf("connect joiner: %v", err)
+	}
+	defer joiner.Close()
+	if err := joiner.Register(inv.Token, signPub, kexPub); err != nil {
+		t.Fatalf("joiner Register: %v", err)
+	}
+
+	// Admin now sees dora in the allowlist with the invite's handle/role.
+	users, err := admin.ListUsers()
+	if err != nil {
+		t.Fatalf("admin ListUsers: %v", err)
+	}
+	row, ok := findUserInfo(users, signPub)
+	if !ok {
+		t.Fatalf("registered dora missing from allowlist: %+v", users)
+	}
+	if row.Handle != "dora" || row.Role != membership.RoleMember || row.Status != membership.StatusActive {
+		t.Fatalf("dora row wrong: %+v", row)
+	}
+
+	// Single-use: redeeming again is an error.
+	if err := joiner.Register(inv.Token, signPub, kexPub); err == nil {
+		t.Fatalf("second Register should error (used token)")
+	}
+
+	// Admin hard-deletes dora; she vanishes from the allowlist entirely.
+	if err := admin.DeleteUser(signPub); err != nil {
+		t.Fatalf("admin DeleteUser: %v", err)
+	}
+	users, err = admin.ListUsers()
+	if err != nil {
+		t.Fatalf("admin ListUsers after delete: %v", err)
+	}
+	if _, ok := findUserInfo(users, signPub); ok {
+		t.Fatalf("hard-deleted dora must NOT appear: %+v", users)
+	}
+}
+
+func containsToken(invites []client.InviteInfo, token string) bool {
+	for _, i := range invites {
+		if i.Token == token {
+			return true
+		}
+	}
+	return false
+}
@@ -103,17 +103,38 @@ func StartHostAuth(storeDir, host string, port int, auth server.Authentication)
 	return StartServer(ServerConfig{StoreDir: storeDir, Host: host, Port: port, Auth: auth})
 }

+// natsLogOpts maps the two independent environment toggles to the embedded
+// nats-server logging and monitoring flags. It is a pure function (no I/O) so the
+// decoupling between the two toggles can be unit-tested directly.
+//
+//   - UNIBUS_NATS_DEBUG="1" enables the nats-server logger (route/RAFT/JetStream
+//     errors); "2" additionally enables protocol tracing. Off by default so the
+//     server stays silent (NoLog) and production behavior is unchanged.
+//   - UNIBUS_NATS_MONITOR="1" opens the monitoring HTTP endpoint (loopback only)
+//     for a local metrics scraper to read /varz, /connz and /jsz.
+//
+// The two are DECOUPLED on purpose: enabling the monitoring endpoint must NOT turn
+// on the verbose debug log, which would write room subjects and routing metadata
+// to journald in clear and regress the hardened posture (issue 0007). The reverse
+// coupling is kept for backward compatibility: debug mode still exposes the
+// monitoring endpoint as well (debug implies monitor), so existing debugging
+// workflows are unchanged.
+func natsLogOpts(debugEnv, monitorEnv string) (noLog, debug, trace, monitor bool) {
+	debug = debugEnv == "1" || debugEnv == "2"
+	trace = debugEnv == "2"
+	monitor = monitorEnv == "1" || debug
+	noLog = !debug
+	return noLog, debug, trace, monitor
+}
+
 // StartServer launches an embedded nats-server with JetStream from cfg. It
 // blocks until the server is ready to accept connections (up to 5s) and returns
 // the running server; the caller must Shutdown it.
 func StartServer(cfg ServerConfig) (*server.Server, error) {
-	// Diagnostic toggle: UNIBUS_NATS_DEBUG=1 enables the embedded nats-server's own
-	// logger (route/RAFT/JetStream errors), which is otherwise silenced. Off by
-	// default so production behavior is unchanged; only set it when debugging the
-	// cluster route layer.
-	debugLevel := os.Getenv("UNIBUS_NATS_DEBUG")
-	debugNATS := debugLevel == "1" || debugLevel == "2"
-	traceNATS := debugLevel == "2"
+	// Map the two independent env toggles to the nats-server logging + monitoring
+	// flags. See natsLogOpts for the decoupling rationale (issue 0007).
+	noLog, debugNATS, traceNATS, monitorNATS := natsLogOpts(
+		os.Getenv("UNIBUS_NATS_DEBUG"), os.Getenv("UNIBUS_NATS_MONITOR"))
 	opts := &server.Options{
 		JetStream:  true,
 		StoreDir:   cfg.StoreDir,
@@ -122,15 +143,17 @@ func StartServer(cfg ServerConfig) (*server.Server, error) {
 		ServerName: cfg.ServerName,
 		DontListen: false,
 		// Keep the embedded server quiet by default; the host app logs the URLs.
-		NoLog:   !debugNATS,
+		NoLog:   noLog,
 		Debug:   debugNATS,
 		Trace:   traceNATS,
 		Logtime: true,
 		NoSigs:  true,
 	}
-	if debugNATS {
-		// Expose the nats-server monitoring endpoint (loopback) so the operator can
-		// inspect /jsz, /routez, /varz while debugging the cluster meta-group.
+	if monitorNATS {
+		// Expose the nats-server monitoring endpoint on LOOPBACK ONLY (never public):
+		// the operator (or a local metrics scraper) inspects /varz, /connz, /jsz,
+		// /routez. The 127.0.0.1 bind is mandatory because this endpoint has no auth;
+		// it must stay unreachable from the network.
 		opts.HTTPHost = "127.0.0.1"
 		opts.HTTPPort = 8222
 	}
@@ -0,0 +1,134 @@
+package embeddednats
+
+import (
+	"io"
+	"net"
+	"net/http"
+	"testing"
+	"time"
+)
+
+// TestNatsLogOptsDecoupled is the core regression guard for issue 0007: turning
+// on the monitoring endpoint must NEVER turn on the verbose nats-server debug log
+// (which would leak room subjects/routing metadata to journald). It also checks
+// the backward-compatible coupling (debug still implies monitoring) and the quiet
+// default.
+func TestNatsLogOptsDecoupled(t *testing.T) {
+	cases := []struct {
+		name                         string
+		debugEnv, monitorEnv         string
+		noLog, debug, trace, monitor bool
+	}{
+		{"default off — quiet, no monitor", "", "", true, false, false, false},
+		{"monitor only — endpoint on, log stays quiet", "", "1", true, false, false, true},
+		{"debug implies monitor", "1", "", false, true, false, true},
+		{"trace implies debug+monitor", "2", "", false, true, true, true},
+		{"both set", "1", "1", false, true, false, true},
+		{"monitor garbage value ignored", "", "yes", true, false, false, false},
+		{"debug garbage value ignored", "true", "", true, false, false, false},
+	}
+	for _, c := range cases {
+		t.Run(c.name, func(t *testing.T) {
+			noLog, debug, trace, monitor := natsLogOpts(c.debugEnv, c.monitorEnv)
+			if noLog != c.noLog || debug != c.debug || trace != c.trace || monitor != c.monitor {
+				t.Fatalf("natsLogOpts(%q,%q) = (noLog=%v debug=%v trace=%v monitor=%v), want (noLog=%v debug=%v trace=%v monitor=%v)",
+					c.debugEnv, c.monitorEnv, noLog, debug, trace, monitor,
+					c.noLog, c.debug, c.trace, c.monitor)
+			}
+		})
+	}
+
+	// Explicit golden assertion of the security property: monitor on, log off.
+	noLog, debug, _, monitor := natsLogOpts("", "1")
+	if !monitor {
+		t.Fatal("UNIBUS_NATS_MONITOR=1 must open the monitoring endpoint")
+	}
+	if debug || !noLog {
+		t.Fatalf("UNIBUS_NATS_MONITOR=1 must NOT enable the debug log (got debug=%v noLog=%v)", debug, noLog)
+	}
+}
+
+// TestMonitorEndpointLoopback boots a real embedded server with
+// UNIBUS_NATS_MONITOR=1 (and DEBUG explicitly off) and proves the monitoring HTTP
+// endpoint answers on loopback only — the exact contract the metrics scraper
+// relies on. The pure decoupling check above already guarantees the log stays out
+// of debug mode for this same env combination.
+func TestMonitorEndpointLoopback(t *testing.T) {
+	t.Setenv("UNIBUS_NATS_DEBUG", "")
+	t.Setenv("UNIBUS_NATS_MONITOR", "1")
+
+	ns, err := StartServer(ServerConfig{
+		StoreDir: t.TempDir(),
+		Host:     "127.0.0.1",
+		Port:     freeLoopbackPort(t),
+	})
+	if err != nil {
+		t.Fatalf("start server with monitoring: %v", err)
+	}
+	defer func() { ns.Shutdown(); ns.WaitForShutdown() }()
+
+	addr := ns.MonitorAddr()
+	if addr == nil {
+		t.Fatal("monitoring endpoint not open with UNIBUS_NATS_MONITOR=1 (MonitorAddr is nil)")
+	}
+	if !addr.IP.IsLoopback() {
+		t.Fatalf("monitoring endpoint bound to %s, must be loopback only", addr.IP)
+	}
+	if addr.Port != 8222 {
+		t.Fatalf("monitoring endpoint on port %d, want the fixed loopback port 8222", addr.Port)
+	}
+
+	// /varz must answer 200 with a non-empty body on loopback.
+	url := "http://" + addr.String() + "/varz"
+	var resp *http.Response
+	deadline := time.Now().Add(3 * time.Second)
+	for time.Now().Before(deadline) {
+		resp, err = http.Get(url) //nolint:gosec // loopback monitoring endpoint, no auth by design
+		if err == nil {
+			break
+		}
+		time.Sleep(50 * time.Millisecond)
+	}
+	if err != nil {
+		t.Fatalf("GET %s: %v", url, err)
+	}
+	defer resp.Body.Close()
+	if resp.StatusCode != http.StatusOK {
+		t.Fatalf("GET %s -> %d, want 200", url, resp.StatusCode)
+	}
+	body, _ := io.ReadAll(resp.Body)
+	if len(body) == 0 {
+		t.Fatalf("GET %s returned an empty body", url)
+	}
+}
+
+// TestMonitorDisabledByDefault proves a server started without either toggle does
+// NOT open the monitoring endpoint, so production stays closed unless opted in.
+func TestMonitorDisabledByDefault(t *testing.T) {
+	t.Setenv("UNIBUS_NATS_DEBUG", "")
+	t.Setenv("UNIBUS_NATS_MONITOR", "")
+
+	ns, err := StartServer(ServerConfig{
+		StoreDir: t.TempDir(),
+		Host:     "127.0.0.1",
+		Port:     freeLoopbackPort(t),
+	})
+	if err != nil {
+		t.Fatalf("start server: %v", err)
+	}
+	defer func() { ns.Shutdown(); ns.WaitForShutdown() }()
+
+	if addr := ns.MonitorAddr(); addr != nil {
+		t.Fatalf("monitoring endpoint open (%s) without UNIBUS_NATS_MONITOR — must stay closed by default", addr)
+	}
+}
+
+func freeLoopbackPort(t *testing.T) int {
+	t.Helper()
+	l, err := net.Listen("tcp", "127.0.0.1:0")
+	if err != nil {
+		t.Fatalf("free port: %v", err)
+	}
+	defer l.Close()
+	return l.Addr().(*net.TCPAddr).Port
+}
@@ -0,0 +1,296 @@
+package membership
+
+import (
+	"crypto/rand"
+	"database/sql"
+	"encoding/hex"
+	"errors"
+	"fmt"
+	"strings"
+	"time"
+)
+
+// Invite is a single-use registration token the admin mints so a brand-new
+// identity can join the bus allowlist WITHOUT the admin ever handling its
+// private key (the wallet model: the key is born and stays on the user's
+// device; only the public key is published, via POST /register).
+//
+// The admin fixes the handle and role at mint time; the registering client may
+// NOT change them (no privilege escalation). Token is 32 random bytes in
+// lowercase hex (64 chars). ExpiresAt and CreatedAt are RFC3339Nano UTC. Used
+// flips to true the instant the invite is consumed, and an invite can be
+// consumed at most once. The audit fields (UsedAt/UsedSignPub/UsedKexPub) are
+// empty until the invite is consumed; they record which keys claimed it, so the
+// link between an invite and the identity it created stays traceable even though
+// the allowlist row itself stores only the signing key.
+type Invite struct {
+	Token     string `json:"token"`
+	Handle    string `json:"handle"`
+	Role      string `json:"role"`
+	ExpiresAt string `json:"expires_at"`
+	Used      bool   `json:"used"`
+	CreatedAt string `json:"created_at"`
+
+	// Audit (populated on consume; omitted on the wire while pending).
+	UsedAt      string `json:"used_at,omitempty"`
+	UsedSignPub string `json:"used_sign_pub,omitempty"`
+	UsedKexPub  string `json:"used_kex_pub,omitempty"`
+}
+
+// Invite-flow sentinels. They let callers (and the HTTP layer) map a failed
+// consume to a precise status code without string-matching: an unknown token is
+// ErrNotFound (reused from the store), a spent token is ErrInviteUsed, a
+// past-deadline token is ErrInviteExpired. ErrUserExists (from users.go) is
+// reused when the presented signing key is already registered.
+var (
+	ErrInviteUsed    = errors.New("membership: invite already used")
+	ErrInviteExpired = errors.New("membership: invite expired")
+)
+
+// defaultInviteTTL is the lifetime of an invite when the caller passes a
+// non-positive ttlSecs. Seven days mirrors a typical "share this link this
+// week" expectation while keeping the un-authenticated /register window bounded.
+const defaultInviteTTL = 7 * 24 * time.Hour
+
+// newInviteToken returns 32 cryptographically-random bytes as lowercase hex (64
+// chars). The token IS the bearer secret that authorizes /register, so it must
+// be unguessable; crypto/rand is the only acceptable source.
+func newInviteToken() (string, error) {
+	b := make([]byte, 32)
+	if _, err := rand.Read(b); err != nil {
+		return "", fmt.Errorf("membership: generate invite token: %w", err)
+	}
+	return hex.EncodeToString(b), nil
+}
+
+// inviteTTL resolves a caller-supplied ttlSecs into a concrete duration,
+// defaulting to defaultInviteTTL when non-positive.
+func inviteTTL(ttlSecs int) time.Duration {
+	if ttlSecs <= 0 {
+		return defaultInviteTTL
+	}
+	return time.Duration(ttlSecs) * time.Second
+}
+
+// inviteIsExpired reports whether the RFC3339 expiry has passed. A token whose
+// expiry cannot be parsed is treated as expired (fail closed): a corrupt
+// deadline must never widen the unauthenticated registration window.
+func inviteIsExpired(expiresAt string) bool {
+	exp, err := time.Parse(time.RFC3339Nano, expiresAt)
+	if err != nil {
+		return true
+	}
+	return time.Now().UTC().After(exp)
+}
+
+// validateInviteRole normalizes and validates the role an invite may carry. It
+// mirrors AddUser: empty defaults to member, and only admin|member are allowed
+// (an admin minting an admin invite is deliberate and permitted).
+func validateInviteRole(role string) (string, error) {
+	if role == "" {
+		return RoleMember, nil
+	}
+	if role != RoleAdmin && role != RoleMember {
+		return "", fmt.Errorf("membership: invalid role %q (want %q or %q)", role, RoleAdmin, RoleMember)
+	}
+	return role, nil
+}
+
+// ---- SQLite implementation ------------------------------------------------
+
+// CreateInvite mints a single-use invite for a future user. handle is required;
+// role defaults to member and must be admin|member. ttlSecs sets the lifetime
+// (non-positive uses the 7-day default). The token is 32 random bytes in hex.
+func (s *sqliteStore) CreateInvite(handle, role string, ttlSecs int) (Invite, error) {
+	if handle == "" {
+		return Invite{}, fmt.Errorf("membership: CreateInvite: handle required")
+	}
+	role, err := validateInviteRole(role)
+	if err != nil {
+		return Invite{}, err
+	}
+	token, err := newInviteToken()
+	if err != nil {
+		return Invite{}, err
+	}
+	now := time.Now().UTC()
+	inv := Invite{
+		Token:     token,
+		Handle:    handle,
+		Role:      role,
+		ExpiresAt: now.Add(inviteTTL(ttlSecs)).Format(time.RFC3339Nano),
+		Used:      false,
+		CreatedAt: now.Format(time.RFC3339Nano),
+	}
+	if _, err := s.db.Exec(
+		`INSERT INTO invites (token, handle, role, expires_at, used, created_at) VALUES (?, ?, ?, ?, 0, ?)`,
+		inv.Token, inv.Handle, inv.Role, inv.ExpiresAt, inv.CreatedAt,
+	); err != nil {
+		return Invite{}, fmt.Errorf("membership: insert invite: %w", err)
+	}
+	return inv, nil
+}
+
+// GetInvite returns the invite with the given token, or ErrNotFound (wrapped)
+// when there is none.
+func (s *sqliteStore) GetInvite(token string) (Invite, error) {
+	var inv Invite
+	var used int
+	var usedAt, usedSign, usedKex sql.NullString
+	err := s.db.QueryRow(
+		`SELECT token, handle, role, expires_at, used, created_at, used_at, used_sign_pub, used_kex_pub
+		 FROM invites WHERE token = ?`, token,
+	).Scan(&inv.Token, &inv.Handle, &inv.Role, &inv.ExpiresAt, &used, &inv.CreatedAt, &usedAt, &usedSign, &usedKex)
+	if err != nil {
+		if errors.Is(err, sql.ErrNoRows) {
+			return Invite{}, fmt.Errorf("membership: get invite %q: %w", token, ErrNotFound)
+		}
+		return Invite{}, fmt.Errorf("membership: get invite %q: %w", token, err)
+	}
+	inv.Used = used != 0
+	inv.UsedAt, inv.UsedSignPub, inv.UsedKexPub = usedAt.String, usedSign.String, usedKex.String
+	return inv, nil
+}
+
+// ListInvites returns every invite ordered newest-first (by created_at). It
+// includes consumed invites so the admin panel can show the full picture; the
+// caller filters to "pending" when it wants only live links.
+func (s *sqliteStore) ListInvites() ([]Invite, error) {
+	rows, err := s.db.Query(
+		`SELECT token, handle, role, expires_at, used, created_at, used_at, used_sign_pub, used_kex_pub
+		 FROM invites ORDER BY created_at DESC, token`,
+	)
+	if err != nil {
+		return nil, fmt.Errorf("membership: list invites: %w", err)
+	}
+	defer rows.Close()
+
+	var out []Invite
+	for rows.Next() {
+		var inv Invite
+		var used int
+		var usedAt, usedSign, usedKex sql.NullString
+		if err := rows.Scan(&inv.Token, &inv.Handle, &inv.Role, &inv.ExpiresAt, &used, &inv.CreatedAt, &usedAt, &usedSign, &usedKex); err != nil {
+			return nil, fmt.Errorf("membership: scan invite: %w", err)
+		}
+		inv.Used = used != 0
+		inv.UsedAt, inv.UsedSignPub, inv.UsedKexPub = usedAt.String, usedSign.String, usedKex.String
+		out = append(out, inv)
+	}
+	return out, rows.Err()
+}
+
+// ConsumeInvite atomically validates and spends an invite, registering the
+// presented signing key as a bus user with the invite's handle and role. It is
+// the ONLY path that adds to the allowlist without an admin signature: the
+// bearer token is the authorization, so the checks here are the security
+// boundary.
+//
+// Atomicity (single transaction): the invite is marked used FIRST (guarded by
+// `used = 0`, so two concurrent consumers cannot both win), then the user is
+// inserted. A token that passes validation is therefore spent exactly once.
+// Special case: if the signing key is already registered, the user INSERT hits
+// the PRIMARY KEY and we return ErrUserExists — but the invite stays SPENT (we
+// commit the mark), matching the JetStream backend's burn-on-claim semantics so
+// the two stores behave identically. A genuine backend error rolls everything
+// back, leaving the invite reusable.
+func (s *sqliteStore) ConsumeInvite(token, signPub, kexPub string) error {
+	signPub = normalizeSignPub(signPub)
+	kexPub = normalizeSignPub(kexPub)
+	if signPub == "" {
+		return fmt.Errorf("membership: ConsumeInvite: sign_pub required")
+	}
+
+	tx, err := s.db.Begin()
+	if err != nil {
+		return fmt.Errorf("membership: ConsumeInvite: begin: %w", err)
+	}
+	defer tx.Rollback()
+
+	var handle, role, expiresAt string
+	var used int
+	err = tx.QueryRow(
+		`SELECT handle, role, expires_at, used FROM invites WHERE token = ?`, token,
+	).Scan(&handle, &role, &expiresAt, &used)
+	if err != nil {
+		if errors.Is(err, sql.ErrNoRows) {
+			return fmt.Errorf("membership: consume invite %q: %w", token, ErrNotFound)
+		}
+		return fmt.Errorf("membership: consume invite %q: %w", token, err)
+	}
+	if used != 0 {
+		return fmt.Errorf("membership: consume invite %q: %w", token, ErrInviteUsed)
+	}
+	if inviteIsExpired(expiresAt) {
+		return fmt.Errorf("membership: consume invite %q: %w", token, ErrInviteExpired)
+	}
+
+	// Mark used first, guarded by used = 0 so a concurrent consumer that already
+	// flipped it (rows affected = 0) is rejected as used rather than double-spending.
+	now := nowRFC3339()
+	res, err := tx.Exec(
+		`UPDATE invites SET used = 1, used_at = ?, used_sign_pub = ?, used_kex_pub = ? WHERE token = ? AND used = 0`,
+		now, signPub, kexPub, token,
+	)
+	if err != nil {
+		return fmt.Errorf("membership: consume invite %q: mark used: %w", token, err)
+	}
+	n, err := res.RowsAffected()
+	if err != nil {
+		return fmt.Errorf("membership: consume invite %q: rows affected: %w", token, err)
+	}
+	if n == 0 {
+		return fmt.Errorf("membership: consume invite %q: %w", token, ErrInviteUsed)
+	}
+
+	// Register the user with the invite-fixed handle and role.
+	_, err = tx.Exec(
+		`INSERT INTO users (sign_pub, handle, role, status, created_at) VALUES (?, ?, ?, ?, ?)`,
+		signPub, handle, role, StatusActive, now,
+	)
+	if err != nil {
+		// Already-registered key: the invite is still spent (commit the mark) so
+		// the burn-on-claim contract matches the KV store. Any other failure rolls back.
+		if isUniqueViolation(err) {
+			if cErr := tx.Commit(); cErr != nil {
+				return fmt.Errorf("membership: consume invite %q: commit: %w", token, cErr)
+			}
+			return ErrUserExists
+		}
+		return fmt.Errorf("membership: consume invite %q: insert user: %w", token, err)
+	}
+	if err := tx.Commit(); err != nil {
+		return fmt.Errorf("membership: consume invite %q: commit: %w", token, err)
+	}
+	return nil
+}
+
+// CancelInvite removes a pending invite (the admin revoked the link before it
+// was used). It hard-deletes the row; a consumed invite stays for audit only if
+// the caller targets a pending token. Deleting an unknown token returns
+// ErrNotFound so the HTTP layer can answer 404.
+func (s *sqliteStore) CancelInvite(token string) error {
+	res, err := s.db.Exec(`DELETE FROM invites WHERE token = ?`, token)
+	if err != nil {
+		return fmt.Errorf("membership: cancel invite %q: %w", token, err)
+	}
+	n, err := res.RowsAffected()
+	if err != nil {
+		return fmt.Errorf("membership: cancel invite %q: rows affected: %w", token, err)
+	}
+	if n == 0 {
+		return fmt.Errorf("membership: cancel invite %q: %w", token, ErrNotFound)
+	}
+	return nil
+}
+
+// isUniqueViolation reports whether err is a SQLite UNIQUE/PRIMARY KEY conflict.
+// modernc.org/sqlite surfaces it as a message fragment; matching it here keeps
+// the string-matching in one place (the same fragments AddUser checks inline).
+func isUniqueViolation(err error) bool {
+	if err == nil {
+		return false
+	}
+	msg := err.Error()
+	return strings.Contains(msg, "UNIQUE constraint") || strings.Contains(msg, "PRIMARY KEY")
+}
@@ -0,0 +1,194 @@
+package membership
+
+import (
+	"bytes"
+	"encoding/hex"
+	"encoding/json"
+	"io"
+	"net/http"
+	"testing"
+	"time"
+
+	cs "fn-registry/functions/cybersecurity"
+)
+
+// postRegister posts an UNSIGNED /register request (the wallet-model join: the
+// new identity is not yet in the allowlist, so it cannot sign). It returns the
+// status and body so a test can assert the precise code.
+func postRegister(t *testing.T, h *authHarness, body registerReq) (int, string) {
+	t.Helper()
+	b, err := json.Marshal(body)
+	if err != nil {
+		t.Fatalf("marshal register: %v", err)
+	}
+	resp, err := http.Post(h.ts.URL+"/register", "application/json", bytes.NewReader(b))
+	if err != nil {
+		t.Fatalf("post register: %v", err)
+	}
+	defer resp.Body.Close()
+	rb, _ := io.ReadAll(resp.Body)
+	return resp.StatusCode, string(rb)
+}
+
+// TestInvitesHTTP_Golden is the end-to-end wallet-model flow over real HTTP:
+// alice (admin) mints an invite, a brand-new identity redeems it UNSIGNED via
+// /register, the user then appears in the admin allowlist, and a second redeem of
+// the same token is rejected as used.
+func TestInvitesHTTP_Golden(t *testing.T) {
+	h := newAuthHarness(t, AuthEnforce)
+
+	// Admin mints an invite.
+	var inv createInviteResp
+	code, body := signedJSON(t, h, "POST", "/invites",
+		createInviteReq{Handle: "newbie", Role: RoleMember}, h.alice, 1)
+	if code != http.StatusCreated {
+		t.Fatalf("admin create invite should be 201, got %d (%s)", code, body)
+	}
+	if err := json.Unmarshal([]byte(body), &inv); err != nil {
+		t.Fatalf("decode invite: %v (%s)", err, body)
+	}
+	if len(inv.Token) != 64 || inv.ExpiresAt == "" {
+		t.Fatalf("invite token/expiry malformed: %+v", inv)
+	}
+
+	// A brand-new identity redeems it WITHOUT any admin signature.
+	id, _ := cs.GenerateIdentity()
+	signPub := hex.EncodeToString(id.SignPub)
+	kexPub := hex.EncodeToString(id.KexPub)
+	if code, body := postRegister(t, h, registerReq{Token: inv.Token, SignPub: signPub, KexPub: kexPub}); code != http.StatusCreated {
+		t.Fatalf("register should be 201, got %d (%s)", code, body)
+	}
+
+	// The user now appears in the admin allowlist with the invite's handle/role.
+	users := listUsers(t, h, 2)
+	row, ok := findUser(users, signPub)
+	if !ok {
+		t.Fatalf("registered user missing from allowlist: %+v", users)
+	}
+	if row.Handle != "newbie" || row.Role != RoleMember || row.Status != StatusActive {
+		t.Fatalf("registered user row wrong: %+v", row)
+	}
+
+	// The invite is no longer pending.
+	if code, body := signedJSON(t, h, "GET", "/invites", nil, h.alice, 3); code == http.StatusOK {
+		var pend []inviteJSON
+		_ = json.Unmarshal([]byte(body), &pend)
+		for _, p := range pend {
+			if p.Token == inv.Token {
+				t.Fatalf("consumed invite should not be listed as pending: %+v", pend)
+			}
+		}
+	}
+
+	// Single-use: a second redeem of the same token is 409 used.
+	id2, _ := cs.GenerateIdentity()
+	if code, body := postRegister(t, h, registerReq{
+		Token: inv.Token, SignPub: hex.EncodeToString(id2.SignPub), KexPub: hex.EncodeToString(id2.KexPub),
+	}); code != http.StatusConflict {
+		t.Fatalf("second redeem should be 409, got %d (%s)", code, body)
+	}
+}
+
+// TestInvitesHTTP_RegisterValidation covers /register input + state errors: an
+// unknown token is 404, an expired token is 410, and malformed hex keys are 400 —
+// each WITHOUT registering anything.
+func TestInvitesHTTP_RegisterValidation(t *testing.T) {
+	h := newAuthHarness(t, AuthEnforce)
+	id, _ := cs.GenerateIdentity()
+	signPub := hex.EncodeToString(id.SignPub)
+	kexPub := hex.EncodeToString(id.KexPub)
+
+	// Unknown token -> 404.
+	if code, body := postRegister(t, h, registerReq{Token: "deadbeef", SignPub: signPub, KexPub: kexPub}); code != http.StatusNotFound {
+		t.Fatalf("unknown token should be 404, got %d (%s)", code, body)
+	}
+
+	// Malformed sign_pub -> 400.
+	if code, body := postRegister(t, h, registerReq{Token: "x", SignPub: "abcd", KexPub: kexPub}); code != http.StatusBadRequest {
+		t.Fatalf("malformed sign_pub should be 400, got %d (%s)", code, body)
+	}
+
+	// Malformed kex_pub -> 400.
+	if code, body := postRegister(t, h, registerReq{Token: "x", SignPub: signPub, KexPub: "zzzz"}); code != http.StatusBadRequest {
+		t.Fatalf("malformed kex_pub should be 400, got %d (%s)", code, body)
+	}
+
+	// Expired token -> 410. Mint via the admin API, then force its deadline past
+	// directly in the store (white-box).
+	var inv createInviteResp
+	_, body := signedJSON(t, h, "POST", "/invites", createInviteReq{Handle: "late", Role: RoleMember}, h.alice, 1)
+	if err := json.Unmarshal([]byte(body), &inv); err != nil {
+		t.Fatalf("decode invite: %v (%s)", err, body)
+	}
+	ss, ok := h.store.(*sqliteStore)
+	if !ok {
+		t.Fatalf("expected sqliteStore harness")
+	}
+	past := time.Now().Add(-time.Hour).UTC().Format(time.RFC3339Nano)
+	if _, err := ss.db.Exec(`UPDATE invites SET expires_at = ? WHERE token = ?`, past, inv.Token); err != nil {
+		t.Fatalf("force expire: %v", err)
+	}
+	if code, rb := postRegister(t, h, registerReq{Token: inv.Token, SignPub: signPub, KexPub: kexPub}); code != http.StatusGone {
+		t.Fatalf("expired token should be 410, got %d (%s)", code, rb)
+	}
+}
+
+// TestInvitesHTTP_NonAdminForbidden is the security spine for the new endpoints:
+// a REGISTERED non-admin (bob) is denied on POST /invites, GET /invites,
+// DELETE /invites/{token}, and DELETE /users/{signpub} — each a 403 by role.
+func TestInvitesHTTP_NonAdminForbidden(t *testing.T) {
+	h := newAuthHarness(t, AuthEnforce)
+
+	bob, _ := cs.GenerateIdentity()
+	register(t, h, bob, "bob") // role member
+	bobPub := hex.EncodeToString(bob.SignPub)
+
+	checks := []struct {
+		name   string
+		method string
+		path   string
+		body   any
+	}{
+		{"create invite", "POST", "/invites", createInviteReq{Handle: "x", Role: RoleMember}},
+		{"list invites", "GET", "/invites", nil},
+		{"cancel invite", "DELETE", "/invites/sometoken", nil},
+		{"delete user", "DELETE", "/users/" + bobPub, nil},
+	}
+	for i, c := range checks {
+		code, body := signedJSON(t, h, c.method, c.path, c.body, bob, i+1)
+		if code != http.StatusForbidden {
+			t.Fatalf("non-admin %s should be 403, got %d (%s)", c.name, code, body)
+		}
+	}
+}
+
+// TestUsersHTTP_HardDelete proves DELETE /users/{signpub} purges a user (distinct
+// from revoke's status flip): alice adds carol, hard-deletes her, and carol then
+// vanishes from the allowlist entirely (not merely flagged revoked).
+func TestUsersHTTP_HardDelete(t *testing.T) {
+	h := newAuthHarness(t, AuthEnforce)
+
+	carol, _ := cs.GenerateIdentity()
+	carolPub := hex.EncodeToString(carol.SignPub)
+	if code, body := signedJSON(t, h, "POST", "/users",
+		addUserReq{SignPub: carolPub, Handle: "carol", Role: RoleMember}, h.alice, 1); code != http.StatusCreated {
+		t.Fatalf("add carol should be 201, got %d (%s)", code, body)
+	}
+
+	// Hard-delete carol.
+	if code, body := signedJSON(t, h, "DELETE", "/users/"+carolPub, nil, h.alice, 2); code != http.StatusOK {
+		t.Fatalf("hard-delete carol should be 200, got %d (%s)", code, body)
+	}
+
+	// She is gone entirely — not present in the list at all (vs revoke, which
+	// keeps her as status=revoked).
+	users := listUsers(t, h, 3)
+	if _, ok := findUser(users, carolPub); ok {
+		t.Fatalf("hard-deleted carol must NOT appear in the allowlist: %+v", users)
+	}
+
+	// Deleting her again is a 404.
+	if code, body := signedJSON(t, h, "DELETE", "/users/"+carolPub, nil, h.alice, 4); code != http.StatusNotFound {
+		t.Fatalf("re-delete should be 404, got %d (%s)", code, body)
+	}
+}
@@ -0,0 +1,186 @@
+package membership
+
+import (
+	"encoding/hex"
+	"encoding/json"
+	"errors"
+	"testing"
+	"time"
+
+	cs "fn-registry/functions/cybersecurity"
+)
+
+// newIDHex generates a fresh identity and returns its signing and key-exchange
+// public keys as lowercase hex — the two keys a client presents to /register.
+func newIDHex(t *testing.T) (signPub, kexPub string) {
+	t.Helper()
+	id, err := cs.GenerateIdentity()
+	if err != nil {
+		t.Fatalf("identity: %v", err)
+	}
+	return hex.EncodeToString(id.SignPub), hex.EncodeToString(id.KexPub)
+}
+
+// inviteSuite drives the full invite lifecycle against any Store backend: mint,
+// look up, redeem (which registers the user), reject a second redeem (single-use)
+// and a non-existent token, reject an expired token (forced past via the
+// backend-specific forceExpire closure), and hard-delete a user. It is shared by
+// the SQLite and JetStream tests so both backends prove identical behavior.
+func inviteSuite(t *testing.T, s Store, forceExpire func(token string)) {
+	t.Helper()
+
+	// Mint an invite fixing handle + role.
+	inv, err := s.CreateInvite("alice-new", RoleMember, 3600)
+	if err != nil {
+		t.Fatalf("CreateInvite: %v", err)
+	}
+	if len(inv.Token) != 64 {
+		t.Fatalf("token should be 64 hex chars, got %d (%q)", len(inv.Token), inv.Token)
+	}
+	if inv.Used {
+		t.Fatalf("fresh invite must not be used")
+	}
+
+	// GetInvite round-trips it.
+	got, err := s.GetInvite(inv.Token)
+	if err != nil || got.Handle != "alice-new" || got.Role != RoleMember {
+		t.Fatalf("GetInvite mismatch: %+v err=%v", got, err)
+	}
+
+	// Redeem it: the presented signing key joins the allowlist with the invite's
+	// handle and role.
+	signPub, kexPub := newIDHex(t)
+	if err := s.ConsumeInvite(inv.Token, signPub, kexPub); err != nil {
+		t.Fatalf("ConsumeInvite (golden): %v", err)
+	}
+	u, err := s.GetUser(signPub)
+	if err != nil {
+		t.Fatalf("GetUser after register: %v", err)
+	}
+	if u.Handle != "alice-new" || u.Role != RoleMember || u.Status != StatusActive {
+		t.Fatalf("registered user wrong: %+v", u)
+	}
+	if !s.IsAuthorized(signPub) {
+		t.Fatalf("registered user should be authorized")
+	}
+
+	// Single-use: redeeming the same token again (even with a different identity)
+	// is rejected as used.
+	sp2, kp2 := newIDHex(t)
+	if err := s.ConsumeInvite(inv.Token, sp2, kp2); !errors.Is(err, ErrInviteUsed) {
+		t.Fatalf("second redeem should be ErrInviteUsed, got %v", err)
+	}
+	if _, err := s.GetUser(sp2); !errors.Is(err, ErrNotFound) {
+		t.Fatalf("second identity must NOT be registered, got %v", err)
+	}
+
+	// Unknown token is ErrNotFound.
+	if err := s.ConsumeInvite("deadbeef", "ab", "cd"); !errors.Is(err, ErrNotFound) {
+		t.Fatalf("unknown token should be ErrNotFound, got %v", err)
+	}
+
+	// Expired invite: mint one, force its deadline into the past, redeem -> rejected.
+	exp, err := s.CreateInvite("late", RoleMember, 3600)
+	if err != nil {
+		t.Fatalf("CreateInvite expired: %v", err)
+	}
+	forceExpire(exp.Token)
+	sp3, kp3 := newIDHex(t)
+	if err := s.ConsumeInvite(exp.Token, sp3, kp3); !errors.Is(err, ErrInviteExpired) {
+		t.Fatalf("expired redeem should be ErrInviteExpired, got %v", err)
+	}
+
+	// CancelInvite removes a pending invite; redeeming it afterward is ErrNotFound.
+	canc, err := s.CreateInvite("cancelme", RoleMember, 3600)
+	if err != nil {
+		t.Fatalf("CreateInvite cancel: %v", err)
+	}
+	if err := s.CancelInvite(canc.Token); err != nil {
+		t.Fatalf("CancelInvite: %v", err)
+	}
+	if err := s.ConsumeInvite(canc.Token, sp3, kp3); !errors.Is(err, ErrNotFound) {
+		t.Fatalf("cancelled invite redeem should be ErrNotFound, got %v", err)
+	}
+
+	// Hard-delete the registered user: it disappears from the allowlist entirely.
+	if err := s.DeleteUser(signPub); err != nil {
+		t.Fatalf("DeleteUser: %v", err)
+	}
+	if _, err := s.GetUser(signPub); !errors.Is(err, ErrNotFound) {
+		t.Fatalf("deleted user should be ErrNotFound, got %v", err)
+	}
+	if s.IsAuthorized(signPub) {
+		t.Fatalf("deleted user must not be authorized")
+	}
+	// Deleting an unknown key is ErrNotFound.
+	if err := s.DeleteUser(signPub); !errors.Is(err, ErrNotFound) {
+		t.Fatalf("re-delete should be ErrNotFound, got %v", err)
+	}
+}
+
+// TestInvitesSQLite runs the suite against the default SQLite backend, forcing
+// expiry with a direct UPDATE on the embedded DB (white-box, same package).
+func TestInvitesSQLite(t *testing.T) {
+	s := openTestStore(t)
+	inviteSuite(t, s, func(token string) {
+		past := time.Now().Add(-time.Hour).UTC().Format(time.RFC3339Nano)
+		if _, err := s.db.Exec(`UPDATE invites SET expires_at = ? WHERE token = ?`, past, token); err != nil {
+			t.Fatalf("force expire: %v", err)
+		}
+	})
+}
+
+// TestInvitesJetStream runs the same suite against the replicated KV backend,
+// forcing expiry by re-Putting the invite JSON with a past deadline.
+func TestInvitesJetStream(t *testing.T) {
+	s, _, _ := newKVStore(t)
+	inviteSuite(t, s, func(token string) {
+		inv, err := s.GetInvite(token)
+		if err != nil {
+			t.Fatalf("force expire: get invite: %v", err)
+		}
+		inv.ExpiresAt = time.Now().Add(-time.Hour).UTC().Format(time.RFC3339Nano)
+		b, err := json.Marshal(inv)
+		if err != nil {
+			t.Fatalf("force expire: marshal: %v", err)
+		}
+		ctx, cancel := s.ctx()
+		defer cancel()
+		if _, err := s.invites.Put(ctx, token, b); err != nil {
+			t.Fatalf("force expire: put: %v", err)
+		}
+	})
+}
+
+// TestConsumeInvite_AlreadyRegistered covers the burn-on-claim edge: redeeming a
+// valid invite with a signing key that is already registered surfaces
+// ErrUserExists AND spends the invite (both backends behave identically).
+func TestConsumeInvite_AlreadyRegistered(t *testing.T) {
+	for _, tc := range []struct {
+		name string
+		open func(t *testing.T) Store
+	}{
+		{"sqlite", func(t *testing.T) Store { return openTestStore(t) }},
+		{"jetstream", func(t *testing.T) Store { s, _, _ := newKVStore(t); return s }},
+	} {
+		t.Run(tc.name, func(t *testing.T) {
+			s := tc.open(t)
+			signPub, kexPub := newIDHex(t)
+			if err := s.AddUser(signPub, "existing", RoleMember); err != nil {
+				t.Fatalf("seed user: %v", err)
+			}
+			inv, err := s.CreateInvite("dup", RoleMember, 3600)
+			if err != nil {
+				t.Fatalf("CreateInvite: %v", err)
+			}
+			if err := s.ConsumeInvite(inv.Token, signPub, kexPub); !errors.Is(err, ErrUserExists) {
+				t.Fatalf("redeem with registered key should be ErrUserExists, got %v", err)
+			}
+			// The invite is spent (burn-on-claim): a fresh identity cannot reuse it.
+			sp2, kp2 := newIDHex(t)
+			if err := s.ConsumeInvite(inv.Token, sp2, kp2); !errors.Is(err, ErrInviteUsed) {
+				t.Fatalf("invite should be spent after a burned claim, got %v", err)
+			}
+		})
+	}
+}
@@ -50,6 +50,7 @@ const (
 	bucketByMember  = "UNIBUS_rooms_by_member"
 	bucketRoomKeys  = "UNIBUS_room_keys"
 	bucketUsers     = "UNIBUS_users"
+	bucketInvites   = "UNIBUS_invites"
 	defaultKVOpTime = 5 * time.Second
 )

@@ -71,6 +72,7 @@ type jetstreamStore struct {
 	byMember  jetstream.KeyValue
 	keys      jetstream.KeyValue
 	users     jetstream.KeyValue
+	invites   jetstream.KeyValue
 	opTimeout time.Duration
 }

@@ -108,6 +110,7 @@ func OpenJetStream(js jetstream.JetStream, cfg JetStreamConfig) (Store, error) {
 		{bucketByMember, &s.byMember},
 		{bucketRoomKeys, &s.keys},
 		{bucketUsers, &s.users},
+		{bucketInvites, &s.invites},
 	} {
 		var kv jetstream.KeyValue
 		var lastErr error
@@ -498,6 +501,28 @@ func (s *jetstreamStore) RevokeUser(signPub string) error {
 	return nil
 }

+// DeleteUser hard-deletes a user from the KV allowlist (the purge counterpart of
+// RevokeUser's status flip). It checks existence first so deleting an unknown key
+// is ErrNotFound (KV Delete is otherwise idempotent and would not signal a miss).
+// Only the allowlist key is removed; room memberships the ex-user holds become
+// inert because they can no longer authenticate — see the SQLite DeleteUser for
+// the full rationale on why room state is left untouched.
+func (s *jetstreamStore) DeleteUser(signPub string) error {
+	signPub = normalizeSignPub(signPub)
+	ctx, cancel := s.ctx()
+	defer cancel()
+	if _, err := s.users.Get(ctx, signPub); err != nil {
+		if errors.Is(err, jetstream.ErrKeyNotFound) {
+			return fmt.Errorf("membership: delete user %q: %w", signPub, ErrNotFound)
+		}
+		return fmt.Errorf("membership: delete user %q: %w", signPub, err)
+	}
+	if err := s.users.Delete(ctx, signPub); err != nil {
+		return fmt.Errorf("membership: delete user %q: %w", signPub, err)
+	}
+	return nil
+}
+
 // IsAuthorized reports whether signPub is an active bus user. Any backend error
 // (including a KV quorum loss or timeout) yields false: fail closed.
 func (s *jetstreamStore) IsAuthorized(signPub string) bool {
@@ -533,6 +558,173 @@ func (s *jetstreamStore) HasAdmin() bool {
 	return false
 }

+// ---- invites (single-use registration tokens) ----------------------------
+
+func (s *jetstreamStore) CreateInvite(handle, role string, ttlSecs int) (Invite, error) {
+	if handle == "" {
+		return Invite{}, fmt.Errorf("membership: CreateInvite: handle required")
+	}
+	role, err := validateInviteRole(role)
+	if err != nil {
+		return Invite{}, err
+	}
+	token, err := newInviteToken()
+	if err != nil {
+		return Invite{}, err
+	}
+	now := time.Now().UTC()
+	inv := Invite{
+		Token:     token,
+		Handle:    handle,
+		Role:      role,
+		ExpiresAt: now.Add(inviteTTL(ttlSecs)).Format(time.RFC3339Nano),
+		Used:      false,
+		CreatedAt: now.Format(time.RFC3339Nano),
+	}
+	b, err := json.Marshal(inv)
+	if err != nil {
+		return Invite{}, fmt.Errorf("membership: marshal invite: %w", err)
+	}
+	ctx, cancel := s.ctx()
+	defer cancel()
+	// Create (not Put) so a token collision is rejected rather than silently
+	// overwriting a live invite — a 32-byte random collision is astronomically
+	// unlikely, but Create makes the single-use guarantee unconditional.
+	if _, err := s.invites.Create(ctx, token, b); err != nil {
+		if errors.Is(err, jetstream.ErrKeyExists) {
+			return Invite{}, fmt.Errorf("membership: create invite: token collision")
+		}
+		return Invite{}, fmt.Errorf("membership: create invite: %w", err)
+	}
+	return inv, nil
+}
+
+func (s *jetstreamStore) GetInvite(token string) (Invite, error) {
+	ctx, cancel := s.ctx()
+	defer cancel()
+	e, err := s.invites.Get(ctx, token)
+	if err != nil {
+		if errors.Is(err, jetstream.ErrKeyNotFound) {
+			return Invite{}, fmt.Errorf("membership: get invite %q: %w", token, ErrNotFound)
+		}
+		return Invite{}, fmt.Errorf("membership: get invite %q: %w", token, err)
+	}
+	var inv Invite
+	if err := json.Unmarshal(e.Value(), &inv); err != nil {
+		return Invite{}, fmt.Errorf("membership: unmarshal invite: %w", err)
+	}
+	return inv, nil
+}
+
+func (s *jetstreamStore) ListInvites() ([]Invite, error) {
+	ctx, cancel := s.ctx()
+	w, err := s.invites.WatchAll(ctx, jetstream.IgnoreDeletes())
+	if err != nil {
+		cancel()
+		return nil, fmt.Errorf("membership: list invites: %w", err)
+	}
+	defer cancel()
+	defer w.Stop()
+	var out []Invite
+	for {
+		select {
+		case e := <-w.Updates():
+			if e == nil {
+				sort.Slice(out, func(i, j int) bool {
+					if out[i].CreatedAt != out[j].CreatedAt {
+						return out[i].CreatedAt > out[j].CreatedAt // newest first
+					}
+					return out[i].Token < out[j].Token
+				})
+				return out, nil
+			}
+			var inv Invite
+			if err := json.Unmarshal(e.Value(), &inv); err != nil {
+				return nil, fmt.Errorf("membership: unmarshal invite: %w", err)
+			}
+			out = append(out, inv)
+		case <-ctx.Done():
+			return nil, ctx.Err()
+		}
+	}
+}
+
+// ConsumeInvite spends a KV invite and registers the presented signing key. With
+// no multi-key transaction, single-use is enforced by a compare-and-swap on the
+// invite: the token is marked used via Update against the revision read by Get,
+// so only ONE concurrent consumer can win the swap; the loser sees a revision
+// mismatch and is rejected as used. The user is registered AFTER the successful
+// swap. Burn-on-claim: if the signing key is already registered the swap has
+// already spent the token and we surface ErrUserExists — the SQLite store commits
+// the same way, so both backends behave identically.
+func (s *jetstreamStore) ConsumeInvite(token, signPub, kexPub string) error {
+	signPub = normalizeSignPub(signPub)
+	kexPub = normalizeSignPub(kexPub)
+	if signPub == "" {
+		return fmt.Errorf("membership: ConsumeInvite: sign_pub required")
+	}
+
+	ctx, cancel := s.ctx()
+	defer cancel()
+	e, err := s.invites.Get(ctx, token)
+	if err != nil {
+		if errors.Is(err, jetstream.ErrKeyNotFound) {
+			return fmt.Errorf("membership: consume invite %q: %w", token, ErrNotFound)
+		}
+		return fmt.Errorf("membership: consume invite %q: %w", token, err)
+	}
+	var inv Invite
+	if err := json.Unmarshal(e.Value(), &inv); err != nil {
+		return fmt.Errorf("membership: unmarshal invite: %w", err)
+	}
+	if inv.Used {
+		return fmt.Errorf("membership: consume invite %q: %w", token, ErrInviteUsed)
+	}
+	if inviteIsExpired(inv.ExpiresAt) {
+		return fmt.Errorf("membership: consume invite %q: %w", token, ErrInviteExpired)
+	}
+
+	inv.Used = true
+	inv.UsedAt = nowRFC3339()
+	inv.UsedSignPub = signPub
+	inv.UsedKexPub = kexPub
+	b, err := json.Marshal(inv)
+	if err != nil {
+		return fmt.Errorf("membership: marshal invite: %w", err)
+	}
+	// CAS: Update only succeeds if the invite is still at the revision we read, so
+	// a racing consumer that already flipped it loses here. A failed swap is
+	// conservatively treated as "already used" (the common cause); the caller can
+	// re-read to learn the precise state.
+	if _, err := s.invites.Update(ctx, token, b, e.Revision()); err != nil {
+		return fmt.Errorf("membership: consume invite %q: %w", token, ErrInviteUsed)
+	}
+
+	// Token is now spent. Register the user with the invite-fixed handle and role.
+	if err := s.AddUser(signPub, inv.Handle, inv.Role); err != nil {
+		if errors.Is(err, ErrUserExists) {
+			return ErrUserExists
+		}
+		return fmt.Errorf("membership: consume invite %q: register user: %w", token, err)
+	}
+	return nil
+}
+
+func (s *jetstreamStore) CancelInvite(token string) error {
+	ctx, cancel := s.ctx()
+	defer cancel()
+	if _, err := s.invites.Get(ctx, token); err != nil {
+		if errors.Is(err, jetstream.ErrKeyNotFound) {
+			return fmt.Errorf("membership: cancel invite %q: %w", token, ErrNotFound)
+		}
+		return fmt.Errorf("membership: cancel invite %q: %w", token, err)
+	}
+	if err := s.invites.Delete(ctx, token); err != nil {
+		return fmt.Errorf("membership: cancel invite %q: %w", token, err)
+	}
+	return nil
+}
+
 // ---- snapshot import / export (issue 0003c migration) ---------------------

 // importSnapshot writes a full Snapshot into the KV buckets, preserving each
@@ -0,0 +1,28 @@
+-- 003_invites.sql — single-use registration invites (issue: user accounts / wallet model).
+--
+-- An admin mints an invite so a brand-new identity can join the bus allowlist
+-- WITHOUT the admin ever handling its private key. The token is the bearer
+-- secret that authorizes POST /register: the registering client generates its
+-- keypair locally and publishes only its public keys, fixing the link between an
+-- invite and the identity it creates via the audit columns below. The handle and
+-- role are fixed by the admin at mint time and cannot be changed by the client
+-- (no privilege escalation).
+--
+-- Additive and idempotent: safe to apply repeatedly. Never modify this file;
+-- further schema changes go in new numbered migrations (see
+-- .claude/rules/db_migrations.md). The embedded copy under
+-- pkg/membership/migrations/003_invites.sql mirrors this file byte-for-byte.
+
+CREATE TABLE IF NOT EXISTS invites (
+  token         TEXT PRIMARY KEY,                -- 32 random bytes in lowercase hex (the bearer secret)
+  handle        TEXT NOT NULL,                   -- handle the new user will get (fixed by admin)
+  role          TEXT NOT NULL DEFAULT 'member',  -- 'admin' | 'member' (fixed by admin)
+  expires_at    TEXT NOT NULL,                   -- RFC3339; past this the invite is dead
+  used          INTEGER NOT NULL DEFAULT 0,      -- 0 pending, 1 consumed (single-use)
+  created_at    TEXT NOT NULL,
+  used_at       TEXT,                            -- RFC3339 when consumed (NULL until used)
+  used_sign_pub TEXT,                            -- Ed25519 key that consumed it (audit; NULL until used)
+  used_kex_pub  TEXT                             -- X25519 key presented at registration (audit; NULL until used)
+);
+
+CREATE INDEX IF NOT EXISTS idx_invites_used ON invites(used);
@@ -144,9 +144,11 @@ func (s *Server) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 	now := time.Now()

 	// Per-IP rate limit runs first, ahead of auth and body reads, so a flood is
-	// shed at the cheapest possible point. The health probe is exempt so liveness
-	// checks are never throttled.
-	if !isAuthExempt(r) && !s.limiter.allow(clientIP(r), now) {
+	// shed at the cheapest possible point. ONLY the health probe is exempt so
+	// liveness checks are never throttled — note this is isRateExempt, NOT
+	// isAuthExempt: POST /register is auth-exempt (no admin signature) but stays
+	// rate-limited, since it is the one un-signed path that mutates the allowlist.
+	if !isRateExempt(r) && !s.limiter.allow(clientIP(r), now) {
 		writeErr(w, http.StatusTooManyRequests, "rate limit exceeded")
 		return
 	}
@@ -308,13 +310,29 @@ func (s *Server) requireAdmin(w http.ResponseWriter, r *http.Request) (string, b
 	return pubHex, true
 }

-// isAuthExempt lists requests that bypass control-plane auth even under enforce.
-// Only the unauthenticated health probe qualifies: it carries no data and is
-// needed by load balancers / smoke checks / systemd before any identity exists.
-func isAuthExempt(r *http.Request) bool {
+// isRateExempt lists requests that bypass the per-IP rate limiter. Only the
+// health probe qualifies: a load balancer / systemd / smoke check polls it and
+// must never be throttled. Everything else — including POST /register — is rate
+// limited.
+func isRateExempt(r *http.Request) bool {
 	return r.Method == http.MethodGet && r.URL.Path == "/healthz"
 }

+// isAuthExempt lists requests that bypass control-plane signature auth even under
+// enforce. Two qualify:
+//   - GET /healthz: carries no data, needed before any identity exists.
+//   - POST /register: the wallet-model join path. The registering identity is not
+//     yet in the allowlist, so it CANNOT produce an accepted admin signature;
+//     authorization is the single-use bearer invite token, validated inside the
+//     handler (ConsumeInvite). It stays rate-limited (see isRateExempt) and
+//     strictly validates the hex keys before spending the token.
+func isAuthExempt(r *http.Request) bool {
+	if r.Method == http.MethodGet && r.URL.Path == "/healthz" {
+		return true
+	}
+	return r.Method == http.MethodPost && r.URL.Path == "/register"
+}
+
 func (s *Server) routes() {
 	s.mux.HandleFunc("GET /healthz", s.handleHealth)
 	s.mux.HandleFunc("POST /rooms", s.handleCreateRoom)
@@ -333,6 +351,16 @@ func (s *Server) routes() {
 	s.mux.HandleFunc("GET /users", s.handleListUsers)
 	s.mux.HandleFunc("POST /users", s.handleAddUser)
 	s.mux.HandleFunc("POST /users/{signpub}/revoke", s.handleRevokeUser)
+	// Hard-delete (purge) a user — distinct from revoke (status flip). Admin-only.
+	s.mux.HandleFunc("DELETE /users/{signpub}", s.handleDeleteUser)
+	// Invites — the wallet-model account-creation path. The admin mints a
+	// single-use link (POST /invites, admin-only); the new user's client redeems
+	// it without an admin signature (POST /register, token-authorized). Listing
+	// and cancelling a pending invite are admin-only.
+	s.mux.HandleFunc("POST /invites", s.handleCreateInvite)
+	s.mux.HandleFunc("GET /invites", s.handleListInvites)
+	s.mux.HandleFunc("DELETE /invites/{token}", s.handleCancelInvite)
+	s.mux.HandleFunc("POST /register", s.handleRegister)
 }

 // ---- wire types -----------------------------------------------------------
@@ -431,6 +459,46 @@ type addUserReq struct {
 	Role    string `json:"role"`
 }

+// createInviteReq is the POST /invites body (admin-only): the handle and role the
+// future user will receive (fixed here, NOT chosen by the registering client) and
+// an optional TTL in seconds (non-positive uses the 7-day default).
+type createInviteReq struct {
+	Handle  string `json:"handle"`
+	Role    string `json:"role"`
+	TTLSecs int    `json:"ttl_secs"`
+}
+
+// createInviteResp is the POST /invites reply: the bearer token to put in the
+// join link and its absolute expiry. The token is shown ONCE here; the admin
+// copies the link immediately.
+type createInviteResp struct {
+	Token     string `json:"token"`
+	ExpiresAt string `json:"expires_at"`
+}
+
+// inviteJSON is the wire representation of a pending invite on GET /invites. It
+// omits the audit fields (used_*) because the listing is of pending invites only;
+// used_at is carried so a client can render "expires in N".
+type inviteJSON struct {
+	Token     string `json:"token"`
+	Handle    string `json:"handle"`
+	Role      string `json:"role"`
+	ExpiresAt string `json:"expires_at"`
+	Used      bool   `json:"used"`
+	CreatedAt string `json:"created_at"`
+}
+
+// registerReq is the POST /register body. It is the ONLY allowlist-mutating
+// request that carries no admin signature: the bearer Token authorizes it. The
+// client supplies its freshly-generated public keys (sign_pub = Ed25519 identity,
+// kex_pub = X25519 key-exchange), both 64-hex. The handle and role come from the
+// invite, never from this body — the client cannot escalate.
+type registerReq struct {
+	Token   string `json:"token"`
+	SignPub string `json:"sign_pub"`
+	KexPub  string `json:"kex_pub"`
+}
+
 // ---- helpers --------------------------------------------------------------

 func writeJSON(w http.ResponseWriter, code int, v any) {
@@ -840,3 +908,161 @@ func (s *Server) handleRevokeUser(w http.ResponseWriter, r *http.Request) {
 	}
 	writeJSON(w, http.StatusOK, map[string]string{"status": "revoked"})
 }
+
+// handleDeleteUser hard-deletes a bus user by signing key — the purge that the
+// admin panel's "Eliminar" (permanent) action maps to, distinct from revoke's
+// status flip. The row is removed entirely (no audit trail kept); use revoke when
+// an auditable record must remain. Deleting an unknown key is a 404. Admin-only.
+//
+// Security note: like revoke, this does NOT special-case the last admin — an
+// admin can delete the final admin and lock the HTTP user-management surface. The
+// recovery seam is the local `membershipd user add` CLI (which re-seeds an admin
+// directly against the store), the same chicken-egg breaker that seeds the first
+// admin.
+func (s *Server) handleDeleteUser(w http.ResponseWriter, r *http.Request) {
+	if _, ok := s.requireAdmin(w, r); !ok {
+		return
+	}
+	signPub := r.PathValue("signpub")
+	if err := ValidateSignPubHex(signPub); err != nil {
+		writeErr(w, http.StatusBadRequest, err.Error())
+		return
+	}
+	if err := s.store.DeleteUser(signPub); err != nil {
+		if errors.Is(err, ErrNotFound) {
+			writeErr(w, http.StatusNotFound, "no user with that key")
+			return
+		}
+		writeServerErr(w, r, http.StatusInternalServerError, "internal error", err)
+		return
+	}
+	writeJSON(w, http.StatusOK, map[string]string{"status": "deleted"})
+}
+
+// ---- invite handlers ------------------------------------------------------
+
+// handleCreateInvite mints a single-use registration invite. The handle and role
+// are fixed here by the admin; the role is validated (admin|member, empty ->
+// member) so an unknown role is a clean 400 rather than an opaque 500. The reply
+// carries the bearer token and its expiry — the admin turns the token into the
+// join link. Admin-only.
+func (s *Server) handleCreateInvite(w http.ResponseWriter, r *http.Request) {
+	if _, ok := s.requireAdmin(w, r); !ok {
+		return
+	}
+	var req createInviteReq
+	if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
+		writeErr(w, http.StatusBadRequest, "bad json: "+err.Error())
+		return
+	}
+	if req.Handle == "" {
+		writeErr(w, http.StatusBadRequest, "handle required")
+		return
+	}
+	if req.Role != "" && req.Role != RoleAdmin && req.Role != RoleMember {
+		writeErr(w, http.StatusBadRequest,
+			fmt.Sprintf("invalid role %q (want %q or %q)", req.Role, RoleAdmin, RoleMember))
+		return
+	}
+	inv, err := s.store.CreateInvite(req.Handle, req.Role, req.TTLSecs)
+	if err != nil {
+		writeServerErr(w, r, http.StatusInternalServerError, "internal error", err)
+		return
+	}
+	writeJSON(w, http.StatusCreated, createInviteResp{Token: inv.Token, ExpiresAt: inv.ExpiresAt})
+}
+
+// handleListInvites returns the PENDING invites (not yet used and not expired), so
+// the admin panel shows only live links worth copying. Consumed/expired invites
+// are filtered out here rather than at the store, which exposes the full set for
+// other callers. Admin-only.
+func (s *Server) handleListInvites(w http.ResponseWriter, r *http.Request) {
+	if _, ok := s.requireAdmin(w, r); !ok {
+		return
+	}
+	invites, err := s.store.ListInvites()
+	if err != nil {
+		writeServerErr(w, r, http.StatusInternalServerError, "internal error", err)
+		return
+	}
+	out := make([]inviteJSON, 0, len(invites))
+	for _, inv := range invites {
+		if inv.Used || inviteIsExpired(inv.ExpiresAt) {
+			continue // pending only
+		}
+		out = append(out, inviteJSON{
+			Token:     inv.Token,
+			Handle:    inv.Handle,
+			Role:      inv.Role,
+			ExpiresAt: inv.ExpiresAt,
+			Used:      inv.Used,
+			CreatedAt: inv.CreatedAt,
+		})
+	}
+	writeJSON(w, http.StatusOK, out)
+}
+
+// handleCancelInvite cancels (hard-deletes) a pending invite, so an admin can
+// revoke a link before it is redeemed. Cancelling an unknown token is a 404.
+// Admin-only.
+func (s *Server) handleCancelInvite(w http.ResponseWriter, r *http.Request) {
+	if _, ok := s.requireAdmin(w, r); !ok {
+		return
+	}
+	token := r.PathValue("token")
+	if token == "" {
+		writeErr(w, http.StatusBadRequest, "token required")
+		return
+	}
+	if err := s.store.CancelInvite(token); err != nil {
+		if errors.Is(err, ErrNotFound) {
+			writeErr(w, http.StatusNotFound, "no such invite")
+			return
+		}
+		writeServerErr(w, r, http.StatusInternalServerError, "internal error", err)
+		return
+	}
+	writeJSON(w, http.StatusOK, map[string]string{"status": "cancelled"})
+}
+
+// handleRegister redeems an invite: the wallet-model join path. It is auth-exempt
+// (no admin signature; see isAuthExempt) but rate-limited and strictly validated.
+// The client presents the single-use token plus its freshly-generated public keys
+// (sign_pub Ed25519, kex_pub X25519). Both keys are validated as 64-hex BEFORE the
+// token is spent, the handle and role come from the invite (never this body), and
+// ConsumeInvite enforces single-use atomically. Errors map to precise codes so a
+// client can tell "unknown" from "used" from "expired".
+func (s *Server) handleRegister(w http.ResponseWriter, r *http.Request) {
+	var req registerReq
+	if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
+		writeErr(w, http.StatusBadRequest, "bad json: "+err.Error())
+		return
+	}
+	if req.Token == "" {
+		writeErr(w, http.StatusBadRequest, "token required")
+		return
+	}
+	if err := ValidateSignPubHex(req.SignPub); err != nil {
+		writeErr(w, http.StatusBadRequest, err.Error())
+		return
+	}
+	if err := ValidateKexPubHex(req.KexPub); err != nil {
+		writeErr(w, http.StatusBadRequest, err.Error())
+		return
+	}
+	err := s.store.ConsumeInvite(req.Token, req.SignPub, req.KexPub)
+	switch {
+	case err == nil:
+		writeJSON(w, http.StatusCreated, map[string]string{"status": "registered"})
+	case errors.Is(err, ErrNotFound):
+		writeErr(w, http.StatusNotFound, "invalid or unknown invite token")
+	case errors.Is(err, ErrInviteUsed):
+		writeErr(w, http.StatusConflict, "invite already used")
+	case errors.Is(err, ErrInviteExpired):
+		writeErr(w, http.StatusGone, "invite expired")
+	case errors.Is(err, ErrUserExists):
+		writeErr(w, http.StatusConflict, "identity already registered")
+	default:
+		writeServerErr(w, r, http.StatusInternalServerError, "internal error", err)
+	}
+}
@@ -80,9 +80,23 @@ type Store interface {
 	GetUser(signPub string) (User, error)
 	ListUsers() ([]User, error)
 	RevokeUser(signPub string) error
+	// DeleteUser hard-deletes a user (the purge counterpart of RevokeUser's
+	// status flip): the row is removed, not just flagged. The ex-user can no
+	// longer authenticate, so any room memberships they hold become inert.
+	DeleteUser(signPub string) error
 	IsAuthorized(signPub string) bool
 	HasAdmin() bool

+	// Invites (single-use registration tokens; the wallet-model join path).
+	// CreateInvite mints a token fixing handle+role; ConsumeInvite is the only
+	// path that adds to the allowlist without an admin signature (the bearer
+	// token is the authorization), spending the token exactly once.
+	CreateInvite(handle, role string, ttlSecs int) (Invite, error)
+	GetInvite(token string) (Invite, error)
+	ListInvites() ([]Invite, error)
+	ConsumeInvite(token, signPub, kexPub string) error
+	CancelInvite(token string) error
+
 	// Lifecycle.
 	Close() error
 }
@@ -53,6 +53,23 @@ func ValidateSignPubHex(signPub string) error {
 	return nil
 }

+// ValidateKexPubHex ensures kexPub is exactly a 32-byte X25519 public key in hex
+// (64 hex chars). It is the registration-side counterpart of ValidateSignPubHex:
+// POST /register receives both the new identity's signing key and its key-exchange
+// key, and both must be well-formed before the invite is consumed. An X25519
+// public key is 32 bytes, identical in length to Ed25519, so the check is the
+// same shape with a key-exchange-specific message.
+func ValidateKexPubHex(kexPub string) error {
+	b, err := hex.DecodeString(kexPub)
+	if err != nil {
+		return fmt.Errorf("kex-pub is not valid hex: %w", err)
+	}
+	if len(b) != 32 {
+		return fmt.Errorf("kex-pub must be a 32-byte X25519 public key (64 hex chars), got %d bytes", len(b))
+	}
+	return nil
+}
+
 // normalizeSignPub lowercases the hex key so lookups are case-insensitive: the
 // primary key is stored lowercase and every query normalizes its input the same
 // way, so a caller passing uppercase hex still matches.
@@ -90,8 +107,10 @@ func (s *sqliteStore) AddUser(signPub, handle, role string) error {
 	return nil
 }

-// GetUser returns the user with the given signing public key. It returns
-// sql.ErrNoRows (wrapped) when there is no such user.
+// GetUser returns the user with the given signing public key. A miss returns
+// ErrNotFound (wrapped), matching the storage-agnostic contract in store.go and
+// the JetStream backend, so callers can branch on ErrNotFound regardless of which
+// store is active (the SQLite-specific sql.ErrNoRows is mapped here).
 func (s *sqliteStore) GetUser(signPub string) (User, error) {
 	signPub = normalizeSignPub(signPub)
 	var u User
@@ -101,6 +120,9 @@ func (s *sqliteStore) GetUser(signPub string) (User, error) {
 		signPub,
 	).Scan(&u.SignPub, &u.Handle, &u.Role, &u.Status, &u.CreatedAt, &revoked)
 	if err != nil {
+		if errors.Is(err, sql.ErrNoRows) {
+			return User{}, fmt.Errorf("membership: get user %q: %w", signPub, ErrNotFound)
+		}
 		return User{}, fmt.Errorf("membership: get user %q: %w", signPub, err)
 	}
 	u.RevokedAt = revoked.String
@@ -153,6 +175,31 @@ func (s *sqliteStore) RevokeUser(signPub string) error {
 	return nil
 }

+// DeleteUser hard-deletes a user from the allowlist (admin "remove user", the
+// purge counterpart of RevokeUser's status flip). It removes ONLY the allowlist
+// row: the ex-user can no longer authenticate on either plane, so any room
+// memberships they still hold become inert (they cannot fetch a sealed key, sign
+// a request, or open a NATS connection). We deliberately do NOT chase down and
+// rewrite those room memberships here — that would be a partial, racy cleanup of
+// state owned by each room's owner; a room owner kicks/rekeys to achieve forward
+// secrecy when needed. Deleting an unknown key returns ErrNotFound (wrapped) so
+// the HTTP layer can answer 404.
+func (s *sqliteStore) DeleteUser(signPub string) error {
+	signPub = normalizeSignPub(signPub)
+	res, err := s.db.Exec(`DELETE FROM users WHERE sign_pub = ?`, signPub)
+	if err != nil {
+		return fmt.Errorf("membership: delete user %q: %w", signPub, err)
+	}
+	n, err := res.RowsAffected()
+	if err != nil {
+		return fmt.Errorf("membership: delete user %q: rows affected: %w", signPub, err)
+	}
+	if n == 0 {
+		return fmt.Errorf("membership: delete user %q: %w", signPub, ErrNotFound)
+	}
+	return nil
+}
+
 // IsAuthorized reports whether signPub belongs to an active (non-revoked) bus
 // user. It is the single authorization predicate consulted by both the control
 // plane (HTTP request middleware) and the data plane (NATS nkey authenticator),
@@ -1,44 +1,11 @@
-import { useEffect, useState } from "react";
-import { Center, Loader } from "@mantine/core";
+import { useState } from "react";
 import { Login } from "./Login";
 import { ChatShell } from "./ChatShell";
-import { api } from "./api";
 import type { User } from "./types";

-// shortEndpoint hace legible el endpoint id del operador para mostrarlo como
-// handle por defecto cuando no se escribió uno en el login.
-function shortEndpoint(ep: string) {
-  return ep.slice(0, 8);
-}
-
 export function App() {
  const [user, setUser] = useState<User | null>(null);
-  const [checking, setChecking] = useState(true);

-  // Al montar, comprueba si ya hay una sesión viva en el gateway (cookie). Si la
-  // hay, entra directo; si no (401), muestra el login.
-  useEffect(() => {
-    api
-      .me()
-      .then((me) =>
-        setUser({ id: me.endpoint, handle: shortEndpoint(me.endpoint) }),
-      )
-      .catch(() => {})
-      .finally(() => setChecking(false));
-  }, []);
-
-  const logout = () => {
-    void api.logout().catch(() => {});
-    setUser(null);
-  };
-
-  if (checking) {
-    return (
-      <Center h="100vh" bg="dark.9">
-        <Loader color="brand" />
-      </Center>
-    );
-  }
  if (!user) return <Login onLogin={setUser} />;
-  return <ChatShell user={user} onLogout={logout} />;
+  return <ChatShell user={user} onLogout={() => setUser(null)} />;
 }
@@ -19,8 +19,7 @@ import {
  IconDotsVertical,
  IconPaperclip,
 } from "@tabler/icons-react";
-import { api, streamRoom } from "./api";
-import type { Message, Room } from "./types";
+import type { Message, Room, User } from "./types";

 function initials(s: string) {
  return s.replace(/[^a-z0-9]/gi, "").slice(0, 2).toUpperCase() || "?";
@@ -55,30 +54,22 @@ function MessageRow({ msg }: { msg: Message }) {
  );
 }

-export function ChatPanel({ room }: { room: Room | undefined }) {
+export function ChatPanel({
+  room,
+  user,
+}: {
+  room: Room | undefined;
+  user: User;
+}) {
  const [draft, setDraft] = useState("");
-  const [messages, setMessages] = useState<Message[]>([]);
-  const [sendError, setSendError] = useState<string | null>(null);
+  const [extra, setExtra] = useState<Record<string, Message[]>>({});
  const viewport = useRef<HTMLDivElement>(null);

-  // Abre el stream SSE de la room activa. El gateway entrega historia (rooms
-  // persistidas) y luego mensajes en vivo, ya descifrados. Dedup por id porque
-  // un re-render no debe duplicar y el eco del propio envío llega por aquí.
-  useEffect(() => {
-    setMessages([]);
-    setSendError(null);
-    if (!room) return;
-    const close = streamRoom(room.id, (m) => {
-      setMessages((prev) =>
-        prev.some((p) => p.id === m.id) ? prev : [...prev, m],
-      );
-    });
-    return close;
-  }, [room?.id]);
+  const msgs = room ? [...room.messages, ...(extra[room.id] ?? [])] : [];

  useEffect(() => {
    viewport.current?.scrollTo({ top: viewport.current.scrollHeight });
-  }, [room?.id, messages.length]);
+  }, [room?.id, msgs.length]);

  if (!room) {
    return (
@@ -88,19 +79,18 @@ export function ChatPanel({ room }: { room: Room | undefined }) {
    );
  }

-  const send = async () => {
+  const send = () => {
    const body = draft.trim();
    if (!body) return;
+    const msg: Message = {
+      id: `local-${Date.now()}`,
+      sender: user.handle,
+      body,
+      ts: Date.now(),
+      mine: true,
+    };
+    setExtra((e) => ({ ...e, [room.id]: [...(e[room.id] ?? []), msg] }));
    setDraft("");
-    setSendError(null);
-    try {
-      // No optimista: el mensaje propio vuelve por SSE con su id real (mine:true),
-      // evitando duplicados.
-      await api.send(room.id, body);
-    } catch (e) {
-      setDraft(body); // restaura el borrador si el envío falló
-      setSendError(e instanceof Error ? e.message : "No se pudo enviar");
-    }
  };

  return (
@@ -136,18 +126,13 @@ export function ChatPanel({ room }: { room: Room | undefined }) {

      <ScrollArea style={{ flex: 1 }} viewportRef={viewport}>
        <Stack gap="lg" p="md">
-          {messages.map((m) => (
+          {msgs.map((m) => (
            <MessageRow key={m.id} msg={m} />
          ))}
        </Stack>
      </ScrollArea>

      <Divider color="dark.4" />
-      {sendError && (
-        <Text c="red" size="xs" px="sm" pt={4}>
-          {sendError}
-        </Text>
-      )}
      <Group p="sm" gap="xs" wrap="nowrap">
        <ActionIcon variant="subtle" color="gray" size="lg">
          <IconPaperclip size={18} />
@@ -158,14 +143,14 @@ export function ChatPanel({ room }: { room: Room | undefined }) {
          placeholder={`Mensaje a ${room.name}`}
          value={draft}
          onChange={(e) => setDraft(e.currentTarget.value)}
-          onKeyDown={(e) => e.key === "Enter" && void send()}
+          onKeyDown={(e) => e.key === "Enter" && send()}
        />
        <ActionIcon
          size="lg"
          radius="xl"
          variant="filled"
          color="brand"
-          onClick={() => void send()}
+          onClick={send}
          disabled={!draft.trim()}
        >
          <IconSend size={18} />
@@ -1,9 +1,9 @@
-import { useCallback, useEffect, useState } from "react";
-import { Flex, Box, Center, Loader, Stack, Text, Button } from "@mantine/core";
+import { useState } from "react";
+import { Flex, Box } from "@mantine/core";
 import { Sidebar } from "./Sidebar";
 import { ChatPanel } from "./ChatPanel";
-import { api } from "./api";
-import type { Room, User } from "./types";
+import { MOCK_ROOMS } from "./mock";
+import type { User } from "./types";

 export function ChatShell({
  user,
@@ -12,59 +12,10 @@ export function ChatShell({
  user: User;
  onLogout: () => void;
 }) {
-  const [rooms, setRooms] = useState<Room[]>([]);
-  const [activeId, setActiveId] = useState<string>("");
-  const [loading, setLoading] = useState(true);
-  const [error, setError] = useState<string | null>(null);
-
-  const load = useCallback(() => {
-    setLoading(true);
-    api
-      .listRooms()
-      .then((rs) => {
-        setRooms(rs);
-        setActiveId((cur) => cur || rs[0]?.id || "");
-        setError(null);
-      })
-      .catch((e) => setError(e?.message ?? "No se pudieron cargar las rooms"))
-      .finally(() => setLoading(false));
-  }, []);
-
-  useEffect(() => {
-    load();
-  }, [load]);
-
+  const [rooms] = useState(MOCK_ROOMS);
+  const [activeId, setActiveId] = useState<string>(rooms[0]?.id ?? "");
  const active = rooms.find((r) => r.id === activeId);

-  // El panel derecho muestra el estado de carga/error/empty sin tocar el layout.
-  let panel = <ChatPanel room={active} />;
-  if (loading && rooms.length === 0) {
-    panel = (
-      <Center h="100%">
-        <Loader color="brand" />
-      </Center>
-    );
-  } else if (error) {
-    panel = (
-      <Center h="100%">
-        <Stack align="center" gap="sm">
-          <Text c="red" size="sm">
-            {error}
-          </Text>
-          <Button variant="light" color="brand" onClick={load}>
-            Reintentar
-          </Button>
-        </Stack>
-      </Center>
-    );
-  } else if (rooms.length === 0) {
-    panel = (
-      <Center h="100%">
-        <Text c="dimmed">No perteneces a ninguna room todavía</Text>
-      </Center>
-    );
-  }
-
  return (
    <Flex h="100vh" w="100vw" style={{ overflow: "hidden" }}>
      <Box
@@ -85,7 +36,7 @@ export function ChatShell({
        />
      </Box>
      <Box flex={1} h="100%" bg="dark.7" style={{ minWidth: 0 }}>
-        {panel}
+        <ChatPanel room={active} user={user} />
      </Box>
    </Flex>
  );
@@ -11,29 +11,15 @@ import {
  Title,
 } from "@mantine/core";
 import { IconShieldLock, IconKey } from "@tabler/icons-react";
-import { api, ApiError } from "./api";
 import type { User } from "./types";

 export function Login({ onLogin }: { onLogin: (u: User) => void }) {
  const [handle, setHandle] = useState("");
  const [password, setPassword] = useState("");
-  const [busy, setBusy] = useState(false);
-  const [error, setError] = useState<string | null>(null);
  const ready = handle.trim().length > 0 && password.length > 0;
-  const connect = async () => {
-    if (!ready || busy) return;
-    setBusy(true);
-    setError(null);
-    try {
-      // La contraseña desbloquea la sesión del gateway (passphrase del operador).
-      // El handle es solo el nombre a mostrar en esta iteración (wallet = fase 2).
-      const me = await api.login(password);
-      const h = handle.trim() || me.endpoint.slice(0, 8);
-      onLogin({ id: me.endpoint, handle: h });
-    } catch (e) {
-      setError(e instanceof ApiError ? e.message : "No se pudo conectar al gateway");
-      setBusy(false);
-    }
+  const connect = () => {
+    const h = handle.trim();
+    if (ready) onLogin({ id: h, handle: h });
  };

  return (
@@ -66,20 +52,9 @@ export function Login({ onLogin }: { onLogin: (u: User) => void }) {
            leftSection={<IconKey size={16} />}
            value={password}
            onChange={(e) => setPassword(e.currentTarget.value)}
-            onKeyDown={(e) => e.key === "Enter" && void connect()}
+            onKeyDown={(e) => e.key === "Enter" && connect()}
          />
-          {error && (
-            <Text c="red" size="sm" ta="center">
-              {error}
-            </Text>
-          )}
-          <Button
-            w="100%"
-            size="md"
-            onClick={() => void connect()}
-            disabled={!ready}
-            loading={busy}
-          >
+          <Button w="100%" size="md" onClick={connect} disabled={!ready}>
            Conectar
          </Button>
        </Stack>
@@ -1,131 +0,0 @@
-// La única capa por la que la SPA habla con el bus. Cada llamada va al gateway Go
-// bajo /api; el gateway mantiene la sesión `pkg/client` (peer autenticado del
-// bus), cifra/descifra por room y traduce a REST/SSE. El navegador nunca firma,
-// nunca habla NATS y nunca ve una clave privada: solo guarda una cookie de
-// sesión opaca (HttpOnly) que el gateway emite tras el login.
-import type { MeInfo, Message, MsgWire, Room, RoomWire } from "./types";
-
-export class ApiError extends Error {
-  status: number;
-  constructor(message: string, status: number) {
-    super(message);
-    this.status = status;
-  }
-}
-
-async function req<T>(path: string, init?: RequestInit): Promise<T> {
-  const res = await fetch(path, {
-    // same-origin envía la cookie de sesión automáticamente (también detrás del
-    // proxy de vite en dev).
-    credentials: "same-origin",
-    headers: { "Content-Type": "application/json" },
-    ...init,
-  });
-  const text = await res.text();
-  let body: unknown = null;
-  if (text) {
-    try {
-      body = JSON.parse(text);
-    } catch {
-      body = text;
-    }
-  }
-  if (!res.ok) {
-    const msg =
-      body && typeof body === "object" && "error" in body
-        ? String((body as { error: unknown }).error)
-        : `HTTP ${res.status}`;
-    throw new ApiError(msg, res.status);
-  }
-  return body as T;
-}
-
-// roomFromWire mapea la fila del gateway al tipo Room que consume la UI. Los
-// mensajes NO viven aquí: llegan por stream(). lastMessage/lastTs/unread se
-// rellenan de forma neutra para no inventar datos (la cabecera de la sidebar se
-// alimentará del stream en una iteración futura).
-export function roomFromWire(r: RoomWire): Room {
-  return {
-    id: r.id,
-    name: r.name || r.subject,
-    encrypted: r.encrypt,
-    lastMessage: "",
-    lastTs: 0,
-    unread: 0,
-    messages: [],
-  };
-}
-
-// messageFromWire mapea un frame descifrado del SSE al tipo Message de la UI.
-export function messageFromWire(m: MsgWire): Message {
-  return {
-    id: m.id,
-    sender: m.sender,
-    body: m.body,
-    ts: m.ts,
-    mine: m.mine,
-  };
-}
-
-export const api = {
-  // ---- sesión -------------------------------------------------------------
-  // login desbloquea la sesión del gateway con la passphrase del operador. El
-  // gateway responde con una cookie de sesión; me() comprueba si ya hay una.
-  login: (passphrase: string) =>
-    req<MeInfo>("/api/login", {
-      method: "POST",
-      body: JSON.stringify({ passphrase }),
-    }),
-  logout: () => req<{ status: string }>("/api/logout", { method: "POST" }),
-  me: () => req<MeInfo>("/api/me"),
-
-  // ---- rooms --------------------------------------------------------------
-  listRooms: async (): Promise<Room[]> => {
-    const wire = await req<RoomWire[]>("/api/rooms");
-    return wire.map(roomFromWire);
-  },
-  // createRoom: {subject, encrypted} basta — el gateway deriva la policy
-  // Matrix-like (cifrada + persistida + firmada) por defecto.
-  createRoom: async (subject: string, encrypted = true): Promise<Room> => {
-    const r = await req<RoomWire>("/api/rooms", {
-      method: "POST",
-      body: JSON.stringify({ subject, encrypted }),
-    });
-    return roomFromWire(r);
-  },
-  join: (roomID: string) =>
-    req<{ status: string }>(
-      `/api/rooms/${encodeURIComponent(roomID)}/join`,
-      { method: "POST" },
-    ),
-  send: (roomID: string, body: string) =>
-    req<{ status: string }>(
-      `/api/rooms/${encodeURIComponent(roomID)}/send`,
-      { method: "POST", body: JSON.stringify({ body }) },
-    ),
-};
-
-// streamRoom abre el SSE de una room y llama onMessage por cada frame descifrado
-// (historia primero en rooms persistidas, luego en vivo). Devuelve una función
-// de cierre. EventSource manda la cookie de sesión automáticamente y reconecta
-// solo si la conexión cae; onError se invoca en cada corte para que la UI pueda
-// reflejar el estado.
-export function streamRoom(
-  roomID: string,
-  onMessage: (m: Message) => void,
-  onError?: (e: Event) => void,
-): () => void {
-  const es = new EventSource(
-    `/api/rooms/${encodeURIComponent(roomID)}/stream`,
-  );
-  es.onmessage = (ev) => {
-    try {
-      const wire = JSON.parse(ev.data) as MsgWire;
-      onMessage(messageFromWire(wire));
-    } catch {
-      // frame malformado: se ignora, el stream sigue.
-    }
-  };
-  if (onError) es.onerror = onError;
-  return () => es.close();
-}
@@ -1,5 +1,5 @@
-// Tipos de dominio de la UI. Los datos vienen del gateway Go (REST/SSE), que es
-// un peer autenticado del bus. El navegador nunca firma ni habla NATS.
+// Tipos de dominio de la UI. En la iteración 1 se llenan con datos mock;
+// más adelante vendrán del gateway (REST/SSE) que es un peer del bus.

 export interface User {
  id: string;
@@ -8,7 +8,7 @@ export interface User {

 export interface Message {
  id: string;
-  sender: string; // endpoint id del remitente (handle legible es fase 2)
+  sender: string; // handle
  body: string;
  ts: number; // epoch ms
  mine?: boolean;
@@ -23,33 +23,3 @@ export interface Room {
  unread: number;
  messages: Message[];
 }
-
-// ---- formas de la API del gateway (wire) ---------------------------------
-
-// MeInfo es la identidad del operador que el gateway encarna (GET /api/me).
-export interface MeInfo {
-  endpoint: string;
-  sign_pub: string;
-}
-
-// RoomWire es la fila de room que devuelve el gateway (GET /api/rooms). No trae
-// mensajes: estos llegan por SSE (GET /api/rooms/{id}/stream).
-export interface RoomWire {
-  id: string;
-  subject: string;
-  name: string;
-  epoch: number;
-  encrypt: boolean;
-  persist: boolean;
-  sign_msgs: boolean;
-  role: string;
-}
-
-// MsgWire es un mensaje ya descifrado que el gateway empuja por SSE.
-export interface MsgWire {
-  id: string;
-  sender: string;
-  body: string;
-  ts: number;
-  mine: boolean;
-}
@@ -3,12 +3,5 @@ import react from "@vitejs/plugin-react";

 export default defineConfig({
  plugins: [react()],
-  // En dev, /api (REST + SSE) se proxea al gateway Go (cmd/webgw, puerto 8481).
-  // El proxy hace streaming, así que el SSE de /api/rooms/{id}/stream funciona a
-  // través de él. En producción el gateway sirve el dist embebido y no hay proxy.
-  server: {
-    host: true,
-    port: 5181,
-    proxy: { "/api": "http://127.0.0.1:8481" },
-  },
+  server: { host: true, port: 5181 },
 });
Author	SHA1	Message	Date
egutierrez	19bb0e56a6	chore: gitignore go.work for /tmp worktree resolution go.work resolves the fn-registry replace to an absolute path when the worktree lives outside the parent tree; it is local-only and must not be committed. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>	2026-06-07 22:14:44 +02:00
egutierrez	7e2f62520d	docs(unibus): bump 0.12.0 — accounts via single-use invites + hard-delete Document the wallet-model account layer: invite-link account creation and real hard-delete, both gotcha and capability growth log entries. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>	2026-06-07 22:14:44 +02:00
egutierrez	52c80ac010	test(membership,client): invite lifecycle, register, hard-delete - Store-level suite over BOTH backends (SQLite + JetStream KV): golden redeem, single-use rejection, unknown token, expired token (forced past), cancel, and hard-delete. Plus the burn-on-claim edge (redeem with an already-registered key spends the invite and returns ErrUserExists on both backends). - HTTP suite: admin mints an invite, a brand-new identity redeems it UNSIGNED via /register, the user appears in the allowlist, a second redeem is 409, expired is 410, malformed keys are 400, a non-admin is 403 on all four admin routes, and DELETE /users purges (vs revoke's status flip). - Client end-to-end: admin mints an invite, an unregistered joiner redeems it without any admin signature, appears in the allowlist, then is hard-deleted. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>	2026-06-07 22:14:44 +02:00
egutierrez	ca801d16af	feat(client): invite and hard-delete admin methods, unsigned Register Add the client-library counterparts the admin panel and the /join client page consume: - CreateInvite, ListInvites, CancelInvite, DeleteUser: signed as admin. - Register(token, signPub, kexPub): UNSIGNED, via a new doUnsigned helper that fails over across control-plane endpoints and surfaces the server's structured error. The registering peer is not in the allowlist, so it cannot sign; the bearer token is the authorization. - InviteInfo flat view for the panel. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>	2026-06-07 22:14:44 +02:00
egutierrez	18987bbd2f	feat(membership): invite, register and hard-delete HTTP endpoints Expose the account-creation surface over the signed control plane: - POST /invites, GET /invites (pending only), DELETE /invites/{token}, DELETE /users/{signpub}: all admin-only via requireAdmin (default-deny by role). - POST /register: the wallet-model join path. It is the ONLY allowlist-mutating route exempt from the admin signature, because the registering identity is not yet in the allowlist and cannot sign — authorization is the bearer invite token. It validates both public keys (sign_pub Ed25519, kex_pub X25519, 64-hex) BEFORE spending the token, fixes handle/role from the invite (no client escalation), and maps state errors to precise codes (unknown 404, used 409, expired 410, already-registered 409). Split isRateExempt (only /healthz) from isAuthExempt (/healthz + POST /register) so /register skips the admin-signature middleware but stays per-IP rate limited. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>	2026-06-07 22:14:44 +02:00
egutierrez	d64b0c052d	feat(membership): single-use invites + hard-delete in the Store (SQLite + KV) Add the data layer for WhatsApp-style accounts on the wallet model: the admin mints a single-use invitation link, the new user redeems it by publishing only its public keys, and the admin can hard-delete a user. - Invite type and lifecycle (invites.go): 32-byte crypto/rand hex token, 7-day default TTL, fail-closed expiry parsing. Methods CreateInvite/GetInvite/ ListInvites/ConsumeInvite/CancelInvite on both backends. ConsumeInvite is atomic and single-use: SQLite uses a transaction guarded by `used = 0`, the KV store uses a compare-and-swap on the entry revision (mark-first). Both burn the token on claim, so an already-registered key surfaces ErrUserExists with the invite spent — identical semantics across backends. - DeleteUser (users.go + jetstream_store.go): hard-delete of the allowlist row, distinct from RevokeUser's status flip. Room memberships of the ex-user are intentionally left inert (they can no longer authenticate); no partial cleanup. - Migration 003_invites.sql (root + embedded copy, byte-identical): additive `invites` table with audit columns, per db_migrations rules. - Store interface gains DeleteUser, CreateInvite, GetInvite, ListInvites, ConsumeInvite, CancelInvite. New UNIBUS_invites KV bucket. - Consistency fix: SQLite GetUser now maps sql.ErrNoRows to ErrNotFound, matching the KV backend and the storage-agnostic contract documented in store.go. - ValidateKexPubHex added alongside ValidateSignPubHex for /register key checks. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>	2026-06-07 22:14:25 +02:00
egutierrez	f31580deec	Merge quick/nats-monitor-flag: UNIBUS_NATS_MONITOR loopback monitoring decoupled from debug log (bump 0.11.0)	2026-06-07 21:18:59 +02:00
Egutierrez	1c9325104c	feat(embeddednats): UNIBUS_NATS_MONITOR flag decoupled from debug log Add a dedicated UNIBUS_NATS_MONITOR=1 toggle that opens the embedded nats-server monitoring HTTP endpoint (127.0.0.1:8222, loopback only) so a local metrics scraper can read /varz, /connz and /jsz for server-level metrics (msgs/s, connections, KV bucket msgs, RAFT leader per stream, restarts). Previously the monitoring endpoint was only reachable via UNIBUS_NATS_DEBUG=1, which is coupled to the verbose nats-server debug log: enabling the endpoint also wrote routes/RAFT/room subjects to journald in clear, which regresses the hardened posture (issue 0007). The two concerns are now decoupled. The toggle computation is extracted to a pure function natsLogOpts(debugEnv, monitorEnv) (noLog, debug, trace, monitor): MONITOR=1 opens the endpoint while keeping the log quiet (NoLog true / Debug false). The inverse coupling is preserved for backward compatibility (DEBUG still implies MONITOR). The 127.0.0.1 bind stays hardcoded — the monitoring endpoint has no auth and must never be reachable from the network. Deploy wiring versioned: additive systemd drop-in membershipd-cluster.service.d/nats-monitor.conf (Environment=UNIBUS_NATS_MONITOR=1) plus a "NATS server metrics" section in the cluster README with the rolling activation runbook (magnus -> homer -> datardos) gated on R3 reconvergence (followers 2/2) between nodes. Tests: pure decoupling table (monitor on => log NOT debug; debug => monitor; default closed) + a real embedded server with MONITOR=1 asserting /varz answers 200 on loopback:8222, and a server without the flag with the endpoint closed. 100% additive: behavior is identical without the flag. Bump app.md 0.10.0 -> 0.11.0. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>	2026-06-07 20:57:46 +02:00