Added panic mode protections to make the server more secure

Fixed the device sign
Removed Test Data from the git
2025-08-22 18:54:10 -04:00 · 2025-08-22 18:24:24 -04:00 · 2025-08-22 12:42:22 -04:00
16 changed files with 1006 additions and 993 deletions
--- a/.gitignore
+++ b/.gitignore
@@ -23,3 +23,4 @@ data/
 # Env/config overrides
 shard.yaml
 .env
 testdata/*
--- a/client/app.js
+++ b/client/app.js
@@ -1,10 +1,13 @@
 import { encryptString, decryptToString, toBlob } from "./crypto.js";
 // ---------- DOM ----------
 const els = {
  shardUrl: document.getElementById("shardUrl"),
  bearer: document.getElementById("bearer"),
  passphrase: document.getElementById("passphrase"),
  saveConn: document.getElementById("saveConn"),
  keySignIn: document.getElementById("keySignIn"),
  panicWipe: document.getElementById("panicWipe"),
  health: document.getElementById("health"),
  visibility: document.getElementById("visibility"),
  title: document.getElementById("title"),
@@ -15,23 +18,72 @@ const els = {
  discordStart: document.getElementById("discordStart"),
 };
 // ---------- Config (no bearer in localStorage) ----------
 const LS_KEY = "gc_client_config_v1";
 const POSTS_KEY = "gc_posts_index_v1";
-const DEVKEY_KEY = "gc_device_key_v1"; // stores p256 private/public (pkcs8/spki b64)
+function loadConfig(){ try { return JSON.parse(localStorage.getItem(LS_KEY)) ?? {}; } catch { return {}; } }
 function saveConfig(c){ localStorage.setItem(LS_KEY, JSON.stringify({ url: c.url, passphrase: c.passphrase })); Object.assign(cfg, c); }
 function getPosts(){ try { return JSON.parse(localStorage.getItem(POSTS_KEY)) ?? []; } catch { return []; } }
 function setPosts(v){ localStorage.setItem(POSTS_KEY, JSON.stringify(v)); renderPosts(); }
 function norm(u){ return (u||"").replace(/\/+$/,""); }
 function getBearer(){ return sessionStorage.getItem("gc_bearer") || ""; }
 function setBearer(tok){ if (!tok) sessionStorage.removeItem("gc_bearer"); else sessionStorage.setItem("gc_bearer", tok); els.bearer.value = tok ? "••• (session)" : ""; }
 const cfg = loadConfig();
 // ---------- Security helpers ----------
 const enc = new TextEncoder();
 const dec = new TextDecoder();
 const b64 = (u) => { let s=""; u=new Uint8Array(u); for (let i=0;i<u.length;i++) s+=String.fromCharCode(u[i]); return btoa(s).replace(/\+/g,"-").replace(/\//g,"_").replace(/=+$/,""); };
 const ub64 = (s) => { s=s.replace(/-/g,"+").replace(/_/g,"/"); while(s.length%4) s+="="; const bin=atob(s); const b=new Uint8Array(bin.length); for(let i=0;i<bin.length;i++) b[i]=bin.charCodeAt(i); return b.buffer; };
 async function sha256Hex(buf){ const h = await crypto.subtle.digest("SHA-256", buf); return [...new Uint8Array(h)].map(x=>x.toString(16).padStart(2,"0")).join(""); }
 // Device key (P-256), stored locally (not a bearer)
 async function getDevice() {
  let dev = JSON.parse(localStorage.getItem('gc_device_key_v1')||'null');
  if (!dev) {
    const kp = await crypto.subtle.generateKey({name:"ECDSA", namedCurve:"P-256"}, true, ["sign","verify"]);
    const pkcs8 = await crypto.subtle.exportKey("pkcs8", kp.privateKey);
    const rawPub = await crypto.subtle.exportKey("raw", kp.publicKey); // 65B 0x04||X||Y
    dev = { alg:"p256", priv: b64(pkcs8), pub: b64(rawPub) };
    localStorage.setItem('gc_device_key_v1', JSON.stringify(dev));
  }
  return dev;
 }
 // Proof-of-Possession headers for this request
 async function popHeaders(method, pathOnly, bodyBuf){
  const dev = await getDevice();
  const ts = Math.floor(Date.now()/1000).toString();
  const hashHex = await sha256Hex(bodyBuf || new Uint8Array());
  const msg = enc.encode(method.toUpperCase()+"\n"+pathOnly+"\n"+ts+"\n"+hashHex);
  const priv = await crypto.subtle.importKey("pkcs8", ub64(dev.priv), { name:"ECDSA", namedCurve:"P-256" }, false, ["sign"]);
  const sig = await crypto.subtle.sign({ name:"ECDSA", hash:"SHA-256" }, priv, msg);
  return {
    "X-GC-Key": "p256:"+dev.pub,
    "X-GC-TS": ts,
    "X-GC-Proof": b64(sig),
  };
 }
 // Idle timeout → clear bearer
 (function idleGuard(){
  let idle;
  const bump=()=>{ clearTimeout(idle); idle=setTimeout(()=>setBearer(""), 30*60*1000); }; // 30 min
  ["click","keydown","mousemove","touchstart","focus","visibilitychange"].forEach(ev=>addEventListener(ev,bump,{passive:true}));
  bump();
 })();
 // ---------- API base detection ----------
 function defaultApiBase() {
  try {
    const qs = new URLSearchParams(window.location.search);
-    const qApi = qs.get("api");
+    const qApi = qs.get("api"); if (qApi) return qApi.replace(/\/+$/, "");
    if (qApi) return qApi.replace(/\/+$/, "");
  } catch {}
  const m = document.querySelector('meta[name="gc-api-base"]');
  if (m && m.content) return m.content.replace(/\/+$/, "");
  try {
    const u = new URL(window.location.href);
-    const proto = u.protocol;
+    const proto = u.protocol, host = u.hostname, portStr = u.port;
    const host = u.hostname;
    const portStr = u.port;
    const bracketHost = host.includes(":") ? `[${host}]` : host;
    const port = portStr ? parseInt(portStr, 10) : null;
    let apiPort = port;
@@ -44,126 +96,72 @@ function defaultApiBase() {
  }
 }
-const cfg = loadConfig(); applyConfig(); (async () => {
+// ---------- App init ----------
-  await ensureDeviceKey();
+function applyConfig(){
-  await checkHealth(); await syncIndex(); sse();
+  els.shardUrl.value = cfg.url ?? defaultApiBase();
-})();
+  els.passphrase.value = cfg.passphrase ?? "";
  els.bearer.value = getBearer() ? "••• (session)" : "";
 }
 applyConfig(); checkHealth(); syncIndex(); sse();
 // ---------- UI wiring ----------
 els.saveConn.onclick = async () => {
-  const c = { url: norm(els.shardUrl.value), bearer: els.bearer.value.trim(), passphrase: els.passphrase.value };
+  const c = { url: norm(els.shardUrl.value), passphrase: els.passphrase.value };
-  saveConfig(c);
+  saveConfig(c); await checkHealth(); await syncIndex(); sse(true);
  await checkHealth(); await syncIndex(); sse(true);
 };
 els.publish.onclick = publish;
 els.discordStart.onclick = discordStart;
 els.keySignIn.onclick = keySignIn;
 els.panicWipe.onclick = panicWipe;
-// -------- local state helpers --------
+// Panic wipe hotkey (double-tap ESC)
-
+let escT=0;
-function loadConfig(){ try { return JSON.parse(localStorage.getItem(LS_KEY)) ?? {}; } catch { return {}; } }
+addEventListener("keydown", (e) => {
-function saveConfig(c){ localStorage.setItem(LS_KEY, JSON.stringify(c)); Object.assign(cfg, c); }
+  if (e.key === "Escape") {
-function getPosts(){ try { return JSON.parse(localStorage.getItem(POSTS_KEY)) ?? []; } catch { return []; } }
+    const now = Date.now();
-function setPosts(v){ localStorage.setItem(POSTS_KEY, JSON.stringify(v)); renderPosts(); }
+    if (now - escT < 600) panicWipe();
-function norm(u){ return (u||"").replace(/\/+$/,""); }
+    escT = now;
 function applyConfig(){ els.shardUrl.value = cfg.url ?? defaultApiBase(); els.bearer.value = cfg.bearer ?? ""; els.passphrase.value = cfg.passphrase ?? ""; }
 function msg(t, err=false){ els.publishStatus.textContent=t; els.publishStatus.style.color = err ? "#ff6b6b" : "#8b949e"; }
 // Prefer session bearer
 function getBearer() { return sessionStorage.getItem("gc_bearer") || cfg.bearer || ""; }
 // -------- device key (P-256) + PoP --------
 async function ensureDeviceKey() {
  try {
    const stored = JSON.parse(localStorage.getItem(DEVKEY_KEY) || "null");
    if (stored && stored.priv && stored.pub) return;
  } catch {}
  const kp = await crypto.subtle.generateKey({ name: "ECDSA", namedCurve: "P-256" }, true, ["sign", "verify"]);
  const pkcs8 = await crypto.subtle.exportKey("pkcs8", kp.privateKey);
  const rawPub = await crypto.subtle.exportKey("raw", kp.publicKey); // 65-byte uncompressed
  const b64pk = b64(rawPub);
  const b64sk = b64(pkcs8);
  localStorage.setItem(DEVKEY_KEY, JSON.stringify({ priv: b64sk, pub: b64pk, alg: "p256" }));
  }
 });
-async function getDevicePriv() {
+// ---------- Health / Index / SSE ----------
  const s = JSON.parse(localStorage.getItem(DEVKEY_KEY) || "{}");
  if (s.alg !== "p256") throw new Error("unsupported alg");
  const pkcs8 = ub64(s.priv);
  return crypto.subtle.importKey("pkcs8", pkcs8, { name: "ECDSA", namedCurve: "P-256" }, false, ["sign"]);
 }
 function getDevicePubHdr() {
  const s = JSON.parse(localStorage.getItem(DEVKEY_KEY) || "{}");
  if (!s.pub) return "";
  return s.alg === "p256" ? ("p256:" + s.pub) : "";
 }
 async function popHeaders(method, url, body) {
  const ts = Math.floor(Date.now()/1000).toString();
  const pub = getDevicePubHdr();
  const digest = await sha256Hex(body || new Uint8Array());
  const msg = (method.toUpperCase()+"\n"+url+"\n"+ts+"\n"+digest);
  const priv = await getDevicePriv();
  const sig = await crypto.subtle.sign({ name: "ECDSA", hash: "SHA-256" }, priv, new TextEncoder().encode(msg));
  return { "X-GC-Key": pub, "X-GC-TS": ts, "X-GC-Proof": b64(new Uint8Array(sig)) };
 }
 async function fetchAPI(path, opts = {}, bodyBytes) {
  if (!cfg.url) throw new Error("Set shard URL first.");
  const url = cfg.url + path;
  const method = (opts.method || "GET").toUpperCase();
  const headers = Object.assign({}, opts.headers || {});
  const bearer = getBearer();
  if (bearer) headers["Authorization"] = "Bearer " + bearer;
  const pop = await popHeaders(method, url, bodyBytes);
  Object.assign(headers, pop);
  const init = Object.assign({}, opts, { method, headers, body: opts.body });
  const r = await fetch(url, init);
  return r;
 }
 // -------- health, index, sse --------
 async function checkHealth() {
  if (!cfg.url) return; els.health.textContent = "Checking…";
-  try {
+  try { const r = await fetch(cfg.url + "/healthz"); els.health.textContent = r.ok ? "Connected ✔" : `Error: ${r.status}`; }
-    const r = await fetch(cfg.url + "/healthz");
+  catch { els.health.textContent = "Not reachable"; }
    els.health.textContent = r.ok ? "Connected ✔" : `Error: ${r.status}`;
  } catch { els.health.textContent = "Not reachable"; }
 }
 async function syncIndex() {
  if (!cfg.url) return;
  try {
-    const r = await fetchAPI("/v1/index");
+    const hdrs = {};
    const b = getBearer();
    if (b) Object.assign(hdrs, await popHeaders("GET", "/v1/index", new Uint8Array()));
    const r = await fetch(cfg.url + "/v1/index", { headers: Object.assign(hdrs, b?{Authorization:"Bearer "+b}:{}) });
    if (!r.ok) throw new Error("index fetch failed");
    const entries = await r.json();
-    setPosts(entries.map(e => ({ hash:e.hash, title:"(title unknown — fetch)", bytes:e.bytes, ts:e.stored_at, enc:e.private, tz:e.creator_tz })));
+    setPosts(entries.map(e => ({ hash:e.hash, title:"(title unknown — fetch)", bytes:e.bytes, ts:e.stored_at, enc:e.private, tz:e.creator_tz||"" })));
  } catch(e){ console.warn("index sync failed", e); }
 }
 let sseCtrl;
-function sse(restart){
+function sse(reset){
  if (!cfg.url) return;
  if (sseCtrl) { sseCtrl.abort(); sseCtrl = undefined; }
  sseCtrl = new AbortController();
  const url = cfg.url + "/v1/index/stream";
-  const headers = {};
+  const b = getBearer();
-  const b = getBearer(); if (b) headers["Authorization"] = "Bearer " + b;
+  const start = async () => {
-  headers["X-GC-Key"] = getDevicePubHdr();
+    const hdrs = {};
-  headers["X-GC-TS"] = Math.floor(Date.now()/1000).toString();
+    if (b) Object.assign(hdrs, await popHeaders("GET", "/v1/index/stream", new Uint8Array()), { Authorization: "Bearer "+b });
-  headers["X-GC-Proof"] = "dummy"; // server ignores body hash for GET; proof not required for initial request in this demo SSE; if required, switch to EventSource polyfill
+    fetch(url, { headers: hdrs, signal: sseCtrl.signal }).then(async resp => {
  fetch(url, { headers, signal: sseCtrl.signal }).then(async resp => {
      if (!resp.ok) return;
      const reader = resp.body.getReader(); const decoder = new TextDecoder();
      let buf = "";
      while (true) {
        const { value, done } = await reader.read(); if (done) break;
        buf += decoder.decode(value, { stream:true });
-      let idx;
+        let idx; while ((idx = buf.indexOf("\n\n")) >= 0) {
      while ((idx = buf.indexOf("\n\n")) >= 0) {
          const chunk = buf.slice(0, idx); buf = buf.slice(idx+2);
          if (chunk.startsWith("data: ")) {
            try {
@@ -172,7 +170,7 @@ function sse(restart){
                const e = ev.data;
                const posts = getPosts();
                if (!posts.find(p => p.hash === e.hash)) {
-                posts.unshift({ hash:e.hash, title:"(title unknown — fetch)", bytes:e.bytes, ts:e.stored_at, enc:e.private, tz:e.creator_tz });
+                  posts.unshift({ hash:e.hash, title:"(title unknown — fetch)", bytes:e.bytes, ts:e.stored_at, enc:e.private, tz:e.creator_tz||"" });
                  setPosts(posts);
                }
              } else if (ev.event === "delete") {
@@ -183,41 +181,93 @@ function sse(restart){
        }
      }
    }).catch(()=>{});
  };
  start();
 }
-// -------- actions --------
+// ---------- Auth ----------
 async function keySignIn(){
  try {
    if (!cfg.url) { alert("Set shard URL first."); return; }
    // 1) challenge
    const cResp = await fetch(cfg.url + "/v1/auth/key/challenge", { method:"POST" });
    const cTxt = await cResp.text();
    if (!cResp.ok) { alert("Challenge failed: " + cTxt); return; }
    const c = JSON.parse(cTxt);
    // 2) sign and verify
    const dev = await getDevice();
    const priv = await crypto.subtle.importKey("pkcs8", ub64(dev.priv), { name:"ECDSA", namedCurve:"P-256" }, false, ["sign"]);
    const msg = enc.encode("key-verify\n" + c.nonce);
    const sig = await crypto.subtle.sign({ name:"ECDSA", hash:"SHA-256" }, priv, msg);
    const vResp = await fetch(cfg.url + "/v1/auth/key/verify", {
      method:"POST",
      headers: { "Content-Type":"application/json" },
      body: JSON.stringify({ nonce:c.nonce, alg:"p256", pub: dev.pub, sig: b64(sig) })
    });
    const vTxt = await vResp.text();
    if (!vResp.ok) { alert("Verify failed: " + vTxt); return; }
    const j = JSON.parse(vTxt);
    setBearer(j.bearer);
    alert("Signed in ✔ (session)");
    await syncIndex();
  } catch (e) {
    alert("Key sign-in exception: " + (e?.message || e));
  }
 }
 async function panicWipe(){
  try {
    if (cfg.url) await fetch(cfg.url + "/v1/session/clear", { method:"POST" });
  } catch {}
  sessionStorage.clear();
  localStorage.clear();
  caches && caches.keys().then(keys => keys.forEach(k => caches.delete(k)));
  location.replace("about:blank");
 }
 // ---------- Publishing / Viewing ----------
 function msg(t, err=false){ els.publishStatus.textContent=t; els.publishStatus.style.color = err ? "#ff6b6b" : "inherit"; }
 async function publish() {
  if (!cfg.url) return msg("Set shard URL first.", true);
-  const title = els.title.value.trim(); const body = els.body.value; const vis = els.visibility.value;
+  const b = getBearer(); if (!b) return msg("Sign in first (device key).", true);
  const title = els.title.value.trim();
  const body = els.body.value;
  const vis = els.visibility.value;
  try {
-    let blob, enc=false;
+    let blob, encp=false;
    if (vis === "private") {
      if (!cfg.passphrase) return msg("Set a passphrase for private posts.", true);
      const payload = await encryptString(JSON.stringify({ title, body }), cfg.passphrase);
-      blob = toBlob(payload); enc=true;
+      blob = toBlob(payload); encp=true;
-    } else { blob = toBlob(JSON.stringify({ title, body })); }
+    } else {
-    const tz = Intl.DateTimeFormat().resolvedOptions().timeZone || "";
+      blob = toBlob(JSON.stringify({ title, body }));
-    const headers = { "Content-Type":"application/octet-stream", "X-GC-TZ": tz };
+    }
-    const bearer = getBearer(); if (bearer) headers["Authorization"] = "Bearer " + bearer;
+    const buf = new Uint8Array(await blob.arrayBuffer());
-    if (enc) headers["X-GC-Private"] = "1";
+    const path = "/v1/object";
-    const bodyBytes = new Uint8Array(await blob.arrayBuffer());
+    const headers = { "Content-Type":"application/octet-stream", Authorization: "Bearer "+b };
-    const pop = await popHeaders("PUT", cfg.url + "/v1/object", bodyBytes);
+    if (encp) headers["X-GC-Private"] = "1";
    const pop = await popHeaders("PUT", path, buf);
    Object.assign(headers, pop);
-    const r = await fetch(cfg.url + "/v1/object", { method:"PUT", headers, body: blob });
+    const r = await fetch(cfg.url + path, { method:"PUT", headers, body: buf });
    if (!r.ok) throw new Error(await r.text());
    const j = await r.json();
    const posts = getPosts();
-    posts.unshift({ hash:j.hash, title: title || "(untitled)", bytes:j.bytes, ts:j.stored_at, enc:j.private, tz:j.creator_tz });
+    posts.unshift({ hash:j.hash, title: title || "(untitled)", bytes:j.bytes, ts:j.stored_at, enc:j.private, tz:j.creator_tz||"" });
    setPosts(posts);
-    els.body.value = ""; msg(`Published ${enc?"private":"public"} post. Hash: ${j.hash}`);
+    els.body.value = ""; msg(`Published ${encp?"private":"public"} post. Hash: ${j.hash}`);
  } catch(e){ msg("Publish failed: " + (e?.message||e), true); }
 }
 async function viewPost(p, pre) {
  pre.textContent = "Loading…";
  try {
-    const r = await fetchAPI("/v1/object/" + p.hash);
+    const path = "/v1/object/" + p.hash;
    const headers = {};
    const b = getBearer();
    if (b) Object.assign(headers, await popHeaders("GET", path, new Uint8Array()), { Authorization: "Bearer "+b });
    const r = await fetch(cfg.url + path, { headers });
    if (!r.ok) throw new Error("fetch failed " + r.status);
    const buf = new Uint8Array(await r.arrayBuffer());
    let text;
@@ -233,63 +283,52 @@ async function viewPost(p, pre) {
 }
 async function saveBlob(p) {
-  const r = await fetchAPI("/v1/object/" + p.hash);
+  const path = "/v1/object/" + p.hash;
  const headers = {};
  const b = getBearer();
  if (b) Object.assign(headers, await popHeaders("GET", path, new Uint8Array()), { Authorization: "Bearer "+b });
  const r = await fetch(cfg.url + path, { headers });
  if (!r.ok) return alert("download failed " + r.status);
-  const b = await r.blob();
+  const bl = await r.blob();
-  const a = document.createElement("a"); a.href = URL.createObjectURL(b);
+  const a = document.createElement("a"); a.href = URL.createObjectURL(bl);
  a.download = p.hash + (p.enc ? ".gcenc" : ".json"); a.click(); URL.revokeObjectURL(a.href);
 }
 async function delServer(p) {
  const path = "/v1/object/" + p.hash;
  const b = getBearer(); if (!b) return alert("Sign in first.");
  const headers = { Authorization: "Bearer "+b };
  Object.assign(headers, await popHeaders("DELETE", path, new Uint8Array()));
  if (!confirm("Delete blob from server by hash?")) return;
-  const r = await fetchAPI("/v1/object/" + p.hash, { method:"DELETE" });
+  const r = await fetch(cfg.url + path, { method:"DELETE", headers });
  if (!r.ok) return alert("delete failed " + r.status);
  setPosts(getPosts().filter(x=>x.hash!==p.hash));
 }
 // ---------- Discord SSO ----------
 async function discordStart() {
  if (!cfg.url) { alert("Set shard URL first."); return; }
-  const headers = { "X-GC-3P-Assent":"1", "X-GC-Key": getDevicePubHdr() };
+  const r = await fetch(cfg.url + "/v1/auth/discord/start", { headers: { "X-GC-3P-Assent":"1" }});
  const r = await fetch(cfg.url + "/v1/auth/discord/start", { headers });
  if (!r.ok) { alert("Discord SSO not available"); return; }
  const j = await r.json();
  location.href = j.url;
 }
-// Optional: Key-based login (no OAuth)
+// ---------- Render ----------
 async function signInWithDeviceKey(){
  if (!cfg.url) { alert("Set shard URL first."); return; }
  const c = await fetch(cfg.url + "/v1/auth/key/challenge", { method:"POST" }).then(r=>r.json());
  const msg = "key-verify\n" + c.nonce;
  const priv = await getDevicePriv();
  const sig = await crypto.subtle.sign({ name:"ECDSA", hash:"SHA-256" }, priv, new TextEncoder().encode(msg));
  const body = JSON.stringify({ nonce:c.nonce, alg:"p256", pub: getDevicePubHdr().slice("p256:".length), sig: b64(new Uint8Array(sig)) });
  const r = await fetch(cfg.url + "/v1/auth/key/verify", { method:"POST", headers:{ "Content-Type":"application/json" }, body });
  if (!r.ok) { alert("Key sign-in failed"); return; }
  const j = await r.json();
  sessionStorage.setItem("gc_bearer", j.bearer);
  const k = "gc_client_config_v1"; const cfg0 = JSON.parse(localStorage.getItem(k) || "{}"); cfg0.bearer = j.bearer; localStorage.setItem(k, JSON.stringify(cfg0));
  alert("Signed in");
 }
 // -------- render --------
 function renderPosts() {
  const posts = getPosts(); els.posts.innerHTML = "";
  for (const p of posts) {
    const div = document.createElement("div"); div.className = "post";
    const badge = p.enc ? `<span class="badge">private</span>` : `<span class="badge">public</span>`;
    const tsLocal = new Date(p.ts).toLocaleString();
    const tz = p.tz ? ` · author TZ: ${p.tz}` : "";
    div.innerHTML = `
-      <div class="meta"><code>${p.hash.slice(0,10)}…</code> · ${p.bytes} bytes · ${tsLocal}${tz} ${badge}</div>
+      <div class="meta"><code>${p.hash.slice(0,10)}…</code> · ${p.bytes} bytes · ${p.ts} ${badge}</div>
      <div class="actions">
        <button data-act="view">View</button>
        <button data-act="save">Save blob</button>
        <button data-act="delete">Delete (server)</button>
        <button data-act="remove">Remove (local)</button>
      </div>
-      <pre class="content" style="white-space:pre-wrap;margin-top:.5rem;"></pre>`;
+      <pre class="content"></pre>`;
    const pre = div.querySelector(".content");
    div.querySelector('[data-act="view"]').onclick = () => viewPost(p, pre);
    div.querySelector('[data-act="save"]').onclick = () => saveBlob(p);
@@ -298,27 +337,3 @@ function renderPosts() {
    els.posts.appendChild(div);
  }
 }
 // -------- utils --------
 function b64(buf){ return base64url(buf); }
 function ub64(s){ return base64urlDecode(s); }
 async function sha256Hex(bytes){
  const d = await crypto.subtle.digest("SHA-256", bytes);
  return Array.from(new Uint8Array(d)).map(b=>b.toString(16).padStart(2,"0")).join("");
 }
 // minimal base64url helpers
 function base64url(buf){
  let b = (buf instanceof Uint8Array) ? buf : new Uint8Array(buf);
  let str = "";
  for (let i=0; i<b.length; i++) str += String.fromCharCode(b[i]);
  return btoa(str).replace(/\+/g,"-").replace(/\//g,"_").replace(/=+$/,"");
 }
 function base64urlDecode(s){
  s = s.replace(/-/g,"+").replace(/_/g,"/");
  while (s.length % 4) s += "=";
  const bin = atob(s); const b = new Uint8Array(bin.length);
  for (let i=0;i<bin.length;i++) b[i] = bin.charCodeAt(i);
  return b;
 }
--- a/client/index.html
+++ b/client/index.html
@@ -4,9 +4,9 @@
  <meta charset="utf-8"/>
  <title>GreenCoast — Client</title>
  <meta name="viewport" content="width=device-width,initial-scale=1"/>
  <!-- Force API base for Cloudflare tunneled API -->
  <meta name="gc-api-base" content="https://api-gc.fullmooncyberworks.com">
  <link rel="stylesheet" href="./styles.css"/>
  <!-- Optional: explicit API base -->
  <meta name="gc-api-base" content="https://api-gc.fullmooncyberworks.com">
 </head>
 <body>
  <div class="container">
@@ -19,8 +19,8 @@
        <input id="shardUrl" placeholder="https://api-gc.fullmooncyberworks.com" />
      </div>
      <div class="row">
-        <label>Bearer (optional)</label>
+        <label>Bearer (session)</label>
-        <input id="bearer" placeholder="dev-local-token" />
+        <input id="bearer" placeholder="(auto after sign-in)" disabled />
      </div>
      <div class="row">
        <label>Passphrase (private posts)</label>
@@ -30,12 +30,16 @@
        <label>3rd-party SSO</label>
        <div>
          <button id="discordStart">Sign in with Discord</button>
-          <div class="muted" style="margin-top:.4rem;">
+          <div class="muted" id="ssoNote">
            We use external providers only if you choose to. We cannot vouch for their security.
          </div>
        </div>
      </div>
      <div class="actions">
        <button id="saveConn">Save</button>
        <button id="keySignIn">Sign in (device key)</button>
        <button id="panicWipe" class="danger">Panic wipe</button>
      </div>
      <div id="health" class="muted"></div>
    </section>
@@ -44,8 +48,8 @@
      <div class="row">
        <label>Visibility</label>
        <select id="visibility">
          <option value="public">Public (plaintext)</option>
          <option value="private">Private (E2EE via passphrase)</option>
          <option value="public">Public (plaintext)</option>
        </select>
      </div>
      <div class="row">
@@ -56,10 +60,9 @@
        <label>Body</label>
        <textarea id="body" rows="6" placeholder="Write your post..."></textarea>
      </div>
-      <div class="row">
+      <div class="actions">
        <label><input type="checkbox" id="shareTZ" checked> Include my time zone on this post</label>
      </div>
        <button id="publish">Publish</button>
      </div>
      <div id="publishStatus" class="muted"></div>
    </section>
--- a/client/styles.css
+++ b/client/styles.css
@@ -1,18 +1,15 @@
-:root { --bg:#0b1117; --card:#0f1621; --fg:#e6edf3; --muted:#8b949e; --accent:#2ea043; }
+:root { color-scheme: light dark; }
-* { box-sizing: border-box; }
+body { font-family: system-ui, -apple-system, Segoe UI, Roboto, Ubuntu, Cantarell, "Noto Sans", sans-serif; margin: 0; padding: 2rem; }
-body { margin:0; font-family: ui-sans-serif, system-ui, -apple-system, Segoe UI, Roboto, Arial; background:var(--bg); color:var(--fg); }
+.container { max-width: 860px; margin: 0 auto; }
-.container { max-width: 900px; margin: 2rem auto; padding: 0 1rem; }
+h1 { margin: 0 0 1rem 0; }
-h1 { font-size: 1.5rem; margin-bottom: 1rem; }
+.card { border: 1px solid #30363d; border-radius: 16px; padding: 1rem; margin: 1rem 0; box-shadow: 0 2px 6px rgba(0,0,0,.1); }
-.card { background: var(--card); border-radius: 14px; padding: 1rem; margin-bottom: 1rem; box-shadow: 0 8px 24px rgba(0,0,0,.3); }
+.row { display: grid; grid-template-columns: 160px 1fr; gap: .8rem; align-items: center; margin: .6rem 0; }
-h2 { margin-top: 0; font-size: 1.1rem; }
+label { opacity: .8; }
-.row { display: grid; grid-template-columns: 160px 1fr; gap: .75rem; align-items: center; margin: .5rem 0; }
+input, textarea, select, button { font: inherit; padding: .6rem .7rem; border-radius: 10px; border: 1px solid #30363d; background: transparent; color: inherit; }
-label { color: var(--muted); }
+button { cursor: pointer; }
-input, select, textarea { width: 100%; padding: .6rem .7rem; border-radius: 10px; border: 1px solid #233; background: #0b1520; color: var(--fg); }
+button.danger { border-color: #a4002a; color: #a4002a; }
-button { background: var(--accent); color: #08130b; border: none; padding: .6rem .9rem; border-radius: 10px; cursor: pointer; font-weight: 700; }
+.actions { display: flex; gap: .6rem; flex-wrap: wrap; margin-top: .4rem; }
-button:hover { filter: brightness(1.05); }
+.muted { opacity: .7; font-size: .9rem; }
-.muted { color: var(--muted); margin-top: .5rem; font-size: .9rem; }
+.badge { display: inline-block; padding: .1rem .4rem; border-radius: 8px; border: 1px solid #30363d; font-size: .75rem; margin-left: .4rem; }
-.post { border: 1px solid #1d2734; border-radius: 12px; padding: .75rem; margin: .5rem 0; background: #0c1824; }
+.post { border-top: 1px dashed #30363d; padding: .6rem 0; }
-.post .meta { font-size: .85rem; color: var(--muted); margin-bottom: .4rem; }
+pre.content { white-space: pre-wrap; margin-top: .5rem; }
 .post .actions { margin-top: .5rem; display:flex; gap:.5rem; }
 code { background:#0a1320; padding:.15rem .35rem; border-radius:6px; }
 .badge { font-size:.75rem; padding:.1rem .4rem; border-radius: 999px; background:#132235; color:#9fb7d0; margin-left:.5rem; }
--- a/cmd/shard/main.go
+++ b/cmd/shard/main.go
@@ -25,8 +25,9 @@ func getenvBool(key string, def bool) bool {
 }
 func staticHeaders(next http.Handler) http.Handler {
 	onion := os.Getenv("GC_ONION_LOCATION") // optional: e.g., http://xxxxxxxx.onion/
 	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		// Security posture for static client
+		// Security headers + strict CSP (no inline) + COEP
 		w.Header().Set("Referrer-Policy", "no-referrer")
 		w.Header().Set("Cross-Origin-Opener-Policy", "same-origin")
 		w.Header().Set("Cross-Origin-Resource-Policy", "same-site")
@@ -34,11 +35,21 @@ func staticHeaders(next http.Handler) http.Handler {
 		w.Header().Set("X-Frame-Options", "DENY")
 		w.Header().Set("X-Content-Type-Options", "nosniff")
 		w.Header().Set("Strict-Transport-Security", "max-age=15552000; includeSubDomains; preload")
 		w.Header().Set("Cross-Origin-Embedder-Policy", "require-corp")
 		// Allow only self + HTTPS for fetch/SSE; no inline styles/scripts
 		w.Header().Set("Content-Security-Policy",
 			"default-src 'self'; "+
 				"script-src 'self'; "+
 				"style-src 'self'; "+
 				"img-src 'self' data:; "+
 				"connect-src 'self' https:; "+
 				"frame-ancestors 'none'; object-src 'none'; base-uri 'none'; form-action 'self'; "+
 				"require-trusted-types-for 'script'")
 		if onion != "" {
 			w.Header().Set("Onion-Location", onion)
 		}
-		// Strong CSP to block XSS/token theft (enumerate your API host)
+		// Basic CORS for static (GET only effectively)
 		w.Header().Set("Content-Security-Policy", "default-src 'self'; base-uri 'none'; object-src 'none'; script-src 'self'; style-src 'self'; img-src 'self' data:; connect-src 'self' https://api-gc.fullmooncyberworks.com; frame-ancestors 'none'")
 		// CORS for assets
 		w.Header().Set("Access-Control-Allow-Origin", "*")
 		if r.Method == http.MethodOptions {
 			w.Header().Set("Access-Control-Allow-Methods", "GET, OPTIONS")
@@ -51,6 +62,7 @@ func staticHeaders(next http.Handler) http.Handler {
 }
 func main() {
 	// ---- Config ----
 	httpAddr := os.Getenv("GC_HTTP_ADDR")
 	if httpAddr == "" {
 		httpAddr = ":9080"
@@ -59,52 +71,61 @@ func main() {
 	certFile := os.Getenv("GC_TLS_CERT")
 	keyFile := os.Getenv("GC_TLS_KEY")
 	staticAddr := os.Getenv("GC_STATIC_ADDR")
 	if staticAddr == "" {
 		staticAddr = ":9082"
 	}
 	staticDir := os.Getenv("GC_STATIC_DIR")
 	if staticDir == "" {
 		staticDir = "/opt/greencoast/client"
 	}
 	dataDir := os.Getenv("GC_DATA_DIR")
 	if dataDir == "" {
 		dataDir = "/var/lib/greencoast"
 	}
-	staticDir := os.Getenv("GC_STATIC_DIR")
+	coarseTS := getenvBool("GC_COARSE_TS", true) // safer default (less precise metadata)
 	if staticDir == "" {
 		staticDir = "/opt/greencoast/client"
 	}
 	staticAddr := os.Getenv("GC_STATIC_ADDR")
 	if staticAddr == "" {
 		staticAddr = ":9082"
 	}
 	coarseTS := getenvBool("GC_COARSE_TS", false)
 	zeroTrust := getenvBool("GC_ZERO_TRUST", true)
 	encRequired := getenvBool("GC_ENCRYPTION_REQUIRED", true) // operator-blind by default
 	requirePOP := getenvBool("GC_REQUIRE_POP", true)          // logged only here
 	signingSecretHex := os.Getenv("GC_SIGNING_SECRET_HEX")
 	if len(signingSecretHex) < 64 {
 		log.Printf("WARN: GC_SIGNING_SECRET_HEX length=%d (need >=64 hex chars)", len(signingSecretHex))
 	} else {
 		log.Printf("GC_SIGNING_SECRET_HEX OK (len=%d)", len(signingSecretHex))
 	}
 	discID := os.Getenv("GC_DISCORD_CLIENT_ID")
 	discSecret := os.Getenv("GC_DISCORD_CLIENT_SECRET")
 	discRedirect := os.Getenv("GC_DISCORD_REDIRECT_URI")
 	// ---- Storage & Index ----
 	store, err := storage.NewFS(dataDir)
 	if err != nil {
 		log.Fatalf("storage init: %v", err)
 	}
 	ix := index.New()
-	// Auto-reindex on boot if possible
+	// Reindex on boot from existing files (coarse time if enabled)
-	if w, ok := any(store).(interface {
+	if err := store.Walk(func(hash string, size int64, mod time.Time) error {
-		Walk(func(hash string, size int64, mod time.Time) error) error
+		when := mod.UTC()
-	}); ok {
+		if coarseTS {
-		if err := w.Walk(func(hash string, size int64, mod time.Time) error {
+			when = when.Truncate(time.Minute)
 		}
 		return ix.Put(index.Entry{
 			Hash:     hash,
 			Bytes:    size,
-				StoredAt: mod.UTC().Format(time.RFC3339Nano),
+			StoredAt: when.Format(time.RFC3339Nano),
-				Private:  false,
+			Private:  false, // unknown here
 		})
 	}); err != nil {
 		log.Printf("reindex on boot: %v", err)
 	}
 	}
-	ap := api.AuthProviders{
+	// ---- Auth providers ----
 	providers := api.AuthProviders{
 		SigningSecretHex: signingSecretHex,
 		Discord: api.DiscordProvider{
 			Enabled:      discID != "" && discSecret != "" && discRedirect != "",
@@ -114,35 +135,28 @@ func main() {
 		},
 	}
-	srv := api.New(store, ix, coarseTS, zeroTrust, ap)
+	// ---- API server ----
 	srv := api.New(store, ix, coarseTS, zeroTrust, providers, encRequired)
-	// Static client server (9082)
+	// ---- Static file server (separate listener) ----
 	go func() {
-		if st, err := os.Stat(staticDir); err != nil || !st.IsDir() {
+		fs := http.FileServer(http.Dir(staticDir))
-			log.Printf("WARN: GC_STATIC_DIR %q not found or not a dir; client may 404", staticDir)
+		h := staticHeaders(fs)
 		}
 		mux := http.NewServeMux()
 		// Optional: forward API paths to API host to avoid 404 if user hits wrong host
 		mux.Handle("/v1/", http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 			http.Redirect(w, r, "https://api-gc.fullmooncyberworks.com"+r.URL.Path, http.StatusTemporaryRedirect)
 		}))
 		mux.Handle("/", http.FileServer(http.Dir(staticDir)))
 		log.Printf("static listening on %s (dir=%s)", staticAddr, staticDir)
-		if err := http.ListenAndServe(staticAddr, staticHeaders(mux)); err != nil {
+		if err := http.ListenAndServe(staticAddr, h); err != nil {
 			log.Fatalf("static server: %v", err)
 		}
 	}()
 	// ---- Start API (HTTP or HTTPS) ----
 	if httpsAddr != "" && certFile != "" && keyFile != "" {
-		log.Printf("starting HTTPS API on %s", httpsAddr)
+		log.Printf("API HTTPS %s  POP:%v ENC_REQUIRED:%v", httpsAddr, requirePOP, encRequired)
 		if err := srv.ListenHTTPS(httpsAddr, certFile, keyFile); err != nil {
 			log.Fatal(err)
 		}
 		return
 	}
-	log.Printf("starting HTTP API on %s", httpAddr)
+	log.Printf("API HTTP %s  POP:%v ENC_REQUIRED:%v", httpAddr, requirePOP, encRequired)
 	if err := srv.ListenHTTP(httpAddr); err != nil {
 		log.Fatal(err)
 	}
--- a/docker-compose.test.yml
+++ b/docker-compose.test.yml
@@ -12,6 +12,7 @@ services:
      - "9082:9082"   # Frontend
    environment:
      - GC_DEV_ALLOW_UNAUTH=true
      - GC_SIGNING_SECRET_HEX=92650f92d67d55368c852713a5007b90d933bff507bc77c980de7bf5442844ca
    volumes:
      - ./testdata:/var/lib/greencoast
      - ./configs/shard.test.yaml:/app/shard.yaml:ro
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -11,6 +11,7 @@ services:
      - "8081:8081"
    environment:
      - GC_DEV_ALLOW_UNAUTH=false
      - GC_SIGNING_SECRET_HEX=92650f92d67d55368c852713a5007b90d933bff507bc77c980de7bf5442844ca
    volumes:
      - gc_data:/var/lib/greencoast
      - ./configs/shard.sample.yaml:/app/shard.yaml:ro
--- a/internal/api/http.go
+++ b/internal/api/http.go
--- a/internal/api/ratelimit.go
+++ b/internal/api/ratelimit.go
@@ -0,0 +1,78 @@
 package api
 import (
 	"net"
 	"net/http"
 	"sync"
 	"time"
 )
 type rateLimiter struct {
 	mu     sync.Mutex
 	bk     map[string]*bucket
 	rate   float64 // tokens per second
 	burst  float64
 	window time.Duration
 }
 type bucket struct {
 	tokens float64
 	last   time.Time
 }
 func newRateLimiter(rps float64, burst int, window time.Duration) *rateLimiter {
 	return &rateLimiter{
 		bk:     make(map[string]*bucket),
 		rate:   rps,
 		burst:  float64(burst),
 		window: window,
 	}
 }
 func (rl *rateLimiter) allow(key string) bool {
 	now := time.Now()
 	rl.mu.Lock()
 	defer rl.mu.Unlock()
 	b := rl.bk[key]
 	if b == nil {
 		b = &bucket{tokens: rl.burst, last: now}
 		rl.bk[key] = b
 	}
 	// refill
 	elapsed := now.Sub(b.last).Seconds()
 	b.tokens = min(rl.burst, b.tokens+elapsed*rl.rate)
 	b.last = now
 	if b.tokens < 1.0 {
 		return false
 	}
 	b.tokens -= 1.0
 	// occasional cleanup
 	for k, v := range rl.bk {
 		if now.Sub(v.last) > rl.window {
 			delete(rl.bk, k)
 		}
 	}
 	return true
 }
 func min(a, b float64) float64 {
 	if a < b {
 		return a
 	}
 	return b
 }
 func clientIP(r *http.Request) string {
 	// Prefer Cloudflare’s header if present; fall back to RemoteAddr.
 	if ip := r.Header.Get("CF-Connecting-IP"); ip != "" {
 		return ip
 	}
 	host, _, err := net.SplitHostPort(r.RemoteAddr)
 	if err != nil {
 		return r.RemoteAddr
 	}
 	return host
 }
--- a/internal/api/static.go
+++ b/internal/api/static.go
@@ -1,86 +1,29 @@
 package api
 import (
 	"log"
 	"mime"
 	"net/http"
 	"os"
 	"path/filepath"
 	"strings"
 	"time"
 )
-func init() {
+// secureHeaders adds strict, privacy-preserving headers to static responses.
-	// Ensure common types are known (some distros are sparse by default)
+func (s *Server) secureHeaders(next http.Handler) http.Handler {
 	_ = mime.AddExtensionType(".js", "application/javascript; charset=utf-8")
 	_ = mime.AddExtensionType(".css", "text/css; charset=utf-8")
 	_ = mime.AddExtensionType(".html", "text/html; charset=utf-8")
 	_ = mime.AddExtensionType(".map", "application/json; charset=utf-8")
 }
 func (s *Server) MountStatic(dir string, baseURL string) {
 	if dir == "" {
 		return
 	}
 	if baseURL == "" {
 		baseURL = "/"
 	}
 	s.mux.Handle(baseURL, s.staticHandler(dir, baseURL))
 	if !strings.HasSuffix(baseURL, "/") {
 		s.mux.Handle(baseURL+"/", s.staticHandler(dir, baseURL))
 	}
 }
 func (s *Server) ListenFrontendHTTP(addr, dir, baseURL string) error {
 	if dir == "" || addr == "" {
 		return nil
 	}
 	log.Printf("frontend listening on %s (dir=%s base=%s)", addr, dir, baseURL)
 	mx := http.NewServeMux()
 	mx.Handle(baseURL, s.staticHandler(dir, baseURL))
 	if !strings.HasSuffix(baseURL, "/") {
 		mx.Handle(baseURL+"/", s.staticHandler(dir, baseURL))
 	}
 	server := &http.Server{
 		Addr:              addr,
 		Handler:           mx,
 		ReadHeaderTimeout: 5 * time.Second,
 	}
 	return server.ListenAndServe()
 }
 func (s *Server) staticHandler(dir, baseURL string) http.Handler {
 	if baseURL == "" {
 		baseURL = "/"
 	}
 	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		s.secureHeaders(w)
+		w.Header().Set("Referrer-Policy", "no-referrer")
-
+		w.Header().Set("Cross-Origin-Opener-Policy", "same-origin")
-		up := strings.TrimPrefix(r.URL.Path, baseURL)
+		w.Header().Set("Cross-Origin-Resource-Policy", "same-site")
-		if up == "" || strings.HasSuffix(r.URL.Path, "/") {
+		w.Header().Set("Permissions-Policy", "camera=(), microphone=(), geolocation=(), interest-cohort=(), browsing-topics=()")
-			up = "index.html"
+		w.Header().Set("X-Frame-Options", "DENY")
-		}
+		w.Header().Set("X-Content-Type-Options", "nosniff")
-		full := filepath.Join(dir, filepath.FromSlash(up))
+		w.Header().Set("Strict-Transport-Security", "max-age=15552000; includeSubDomains; preload")
-		if !strings.HasPrefix(filepath.Clean(full), filepath.Clean(dir)) {
+		next.ServeHTTP(w, r)
 			http.NotFound(w, r)
 			return
 		}
 		// Serve file if it exists, else SPA-fallback to index.html
 		if st, err := os.Stat(full); err == nil && !st.IsDir() {
 			// Set Content-Type explicitly based on extension
 			if ctype := mime.TypeByExtension(filepath.Ext(full)); ctype != "" {
 				w.Header().Set("Content-Type", ctype)
 			}
 			http.ServeFile(w, r, full)
 			return
 		}
 		fallback := filepath.Join(dir, "index.html")
 		if _, err := os.Stat(fallback); err == nil {
 			w.Header().Set("Content-Type", "text/html; charset=utf-8")
 			http.ServeFile(w, r, fallback)
 			return
 		}
 		http.NotFound(w, r)
 	})
 }
 // MountStatic mounts a static file server under a prefix onto the provided mux.
 // Usage (from main): s.MountStatic(mux, "/", http.Dir(staticDir))
 func (s *Server) MountStatic(mux *http.ServeMux, prefix string, fs http.FileSystem) {
 	if prefix == "" {
 		prefix = "/"
 	}
 	h := http.StripPrefix(prefix, http.FileServer(fs))
 	mux.Handle(prefix, s.secureHeaders(h))
 }
--- a/internal/index/index.go
+++ b/internal/index/index.go
@@ -1,88 +1,63 @@
 package index
 import (
-	"sort"
+	"errors"
 	"sync"
 	"time"
 )
 // Entry is the minimal metadata we expose to clients.
 type Entry struct {
 	Hash      string `json:"hash"`
 	Bytes     int64  `json:"bytes"`
-	StoredAt  string `json:"stored_at"`
+	StoredAt  string `json:"stored_at"`            // RFC3339Nano
-	Private   bool   `json:"private"`
+	Private   bool   `json:"private"`              // true if client marked encrypted
-	CreatorTZ string `json:"creator_tz,omitempty"`
+	CreatorTZ string `json:"creator_tz,omitempty"` // optional IANA TZ from client
 }
 type rec struct {
 	Hash      string
 	Bytes     int64
 	StoredAt  time.Time
 	Private   bool
 	CreatorTZ string
 }
 // Index is an in-memory map from hash -> Entry, safe for concurrent use.
 type Index struct {
 	mu sync.RWMutex
-	hash map[string]rec
+	m  map[string]Entry
 }
-func New() *Index { return &Index{hash: make(map[string]rec)} }
+func New() *Index {
 	return &Index{m: make(map[string]Entry)}
 }
 func (ix *Index) Put(e Entry) error {
 	if e.Hash == "" {
 		return errors.New("empty hash")
 	}
 	ix.mu.Lock()
-	defer ix.mu.Unlock()
+	ix.m[e.Hash] = e
-	t := parseWhen(e.StoredAt)
+	ix.mu.Unlock()
 	if t.IsZero() {
 		t = time.Now().UTC()
 	}
 	ix.hash[e.Hash] = rec{
 		Hash:      e.Hash,
 		Bytes:     e.Bytes,
 		StoredAt:  t,
 		Private:   e.Private,
 		CreatorTZ: e.CreatorTZ,
 	}
 	return nil
 }
 func (ix *Index) Delete(hash string) error {
 	if hash == "" {
 		return errors.New("empty hash")
 	}
 	ix.mu.Lock()
-	defer ix.mu.Unlock()
+	delete(ix.m, hash)
-	delete(ix.hash, hash)
+	ix.mu.Unlock()
 	return nil
 }
-func (ix *Index) List() ([]Entry, error) {
+func (ix *Index) Get(hash string) (Entry, bool) {
 	ix.mu.RLock()
-	defer ix.mu.RUnlock()
+	e, ok := ix.m[hash]
-	tmp := make([]rec, 0, len(ix.hash))
+	ix.mu.RUnlock()
-	for _, r := range ix.hash {
+	return e, ok
 		tmp = append(tmp, r)
 	}
 	sort.Slice(tmp, func(i, j int) bool { return tmp[i].StoredAt.After(tmp[j].StoredAt) })
 	out := make([]Entry, len(tmp))
 	for i, r := range tmp {
 		out[i] = Entry{
 			Hash:      r.Hash,
 			Bytes:     r.Bytes,
 			StoredAt:  r.StoredAt.UTC().Format(time.RFC3339Nano),
 			Private:   r.Private,
 			CreatorTZ: r.CreatorTZ,
 		}
 	}
 	return out, nil
 }
-func parseWhen(s string) time.Time {
+// All returns an unsorted copy of all entries.
-	if s == "" {
+func (ix *Index) All() []Entry {
-		return time.Time{}
+	ix.mu.RLock()
 	out := make([]Entry, 0, len(ix.m))
 	for _, v := range ix.m {
 		out = append(out, v)
 	}
-	if t, err := time.Parse(time.RFC3339Nano, s); err == nil {
+	ix.mu.RUnlock()
-		return t
+	return out
 	}
 	if t, err := time.Parse(time.RFC3339, s); err == nil {
 		return t
 	}
 	return time.Time{}
 }
--- a/testdata/objects/5dcfd2e73a6c3a17b0efb103f1a3b891fc06b0189a0c5d5916435d9e5d74e963
+++ b/testdata/objects/5dcfd2e73a6c3a17b0efb103f1a3b891fc06b0189a0c5d5916435d9e5d74e963
@@ -1 +0,0 @@
 {"title":"Timezone Publish","body":"You can now include your timezone on all of your posts. This is completely optional but lets others see when you posted"}
--- a/testdata/objects/6a/16/6a166437b9988bd11e911375f3ca1b4cd10b7db9a32812409c6d79a0753dd973
+++ b/testdata/objects/6a/16/6a166437b9988bd11e911375f3ca1b4cd10b7db9a32812409c6d79a0753dd973
@@ -1 +0,0 @@
 {"title":"Yarn is Testing!","body":"Hello, my name is Yarn. And I like to test. Test test 1 2 3."}
--- a/testdata/objects/96/28/9628e2adcd7a5e820fbdbe075027ac0ad78ef1a7a501971c2048bc5e5436b891
+++ b/testdata/objects/96/28/9628e2adcd7a5e820fbdbe075027ac0ad78ef1a7a501971c2048bc5e5436b891
@@ -1 +0,0 @@
 <01><><EFBFBD>d<EFBFBD>+V<><56><EFBFBD>+<2B>%!ݚ<>O<EFBFBD><4F>2ޒ$)<07><>zF<7A>î<EFBFBD>)4<><34><EFBFBD>O:z<><7A>*<2A>Ыe<D0AB><65>*5<><04>)<29><>#<23>V<EFBFBD><0B>H<EFBFBD><48>!i<><69><EFBFBD>S$e<><65><EFBFBD>dx<64>]<5D><>$<24><1F>t<EFBFBD><74>6۩<><DBA9>H<EFBFBD><48>
--- a/testdata/objects/a0/08/a008a13ade86edbd77f5c0fcfcf35bd295c93069be42fdbd46bc65b392ddf5fb
+++ b/testdata/objects/a0/08/a008a13ade86edbd77f5c0fcfcf35bd295c93069be42fdbd46bc65b392ddf5fb
@@ -1 +0,0 @@
 {"title":"Public Test","body":"Hello Everyone,\n\nWelcome to GreenCoast, a BlueSky Replacement\n\nMystiatech"}
--- a/testdata/objects/f4/52/f452402fadb6608bd6f9b613a1d58234e2135f045ea29262574e3e4b1e5f7292
+++ b/testdata/objects/f4/52/f452402fadb6608bd6f9b613a1d58234e2135f045ea29262574e3e4b1e5f7292
@@ -1 +0,0 @@
 {"title":"Test post","body":"Does this work?"}
Author	SHA1	Message	Date
Dani	5dfc710ae9	Added panic mode protections to make the server more secure	2025-08-22 18:54:10 -04:00
Dani	5067913c21	Fixed the device sign	2025-08-22 18:24:24 -04:00
Dani	b9fad16fa2	Removed Test Data from the git	2025-08-22 12:42:22 -04:00
		`@@ -1 +0,0 @@`
			`{"title":"Timezone Publish","body":"You can now include your timezone on all of your posts. This is completely optional but lets others see when you posted"}`
		`@@ -1 +0,0 @@`
			`{"title":"Yarn is Testing!","body":"Hello, my name is Yarn. And I like to test. Test test 1 2 3."}`
		`@@ -1 +0,0 @@`
			`<01><><EFBFBD>d<EFBFBD>+V<><56><EFBFBD>+<2B>%!ݚ<>O<EFBFBD><4F>2ޒ$)<07><>zF<7A>î<EFBFBD>)4<><34><EFBFBD>O:z<><7A><2A>Ыe<D0AB><65>5<><04>)<29><>#<23>V<EFBFBD><0B>H<EFBFBD><48>!i<><69><EFBFBD>S$e<><65><EFBFBD>dx<64>]<5D><>$<24><1F>t<EFBFBD><74>6۩<><DBA9>H<EFBFBD><48>`
		`@@ -1 +0,0 @@`
			`{"title":"Public Test","body":"Hello Everyone,\n\nWelcome to GreenCoast, a BlueSky Replacement\n\nMystiatech"}`
		`@@ -1 +0,0 @@`
			`{"title":"Test post","body":"Does this work?"}`