MyFSIO v0.3.0 Release

Reviewed-on: #22

.gitignore

@@ -26,6 +26,10 @@ dist/
 *.egg-info/
 .eggs/
 
+# Rust / maturin build artifacts
+myfsio_core/target/
+myfsio_core/Cargo.lock
+
 # Local runtime artifacts
 logs/
 *.log

Dockerfile

@@ -6,14 +6,26 @@ ENV PYTHONDONTWRITEBYTECODE=1 \
 WORKDIR /app
 
 RUN apt-get update \
-    && apt-get install -y --no-install-recommends build-essential \ 
+    && apt-get install -y --no-install-recommends build-essential curl \
+    && curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y --profile minimal \
     && rm -rf /var/lib/apt/lists/*
 
+ENV PATH="/root/.cargo/bin:${PATH}"
+
 COPY requirements.txt ./
 RUN pip install --no-cache-dir -r requirements.txt
 
 COPY . .
 
+RUN pip install --no-cache-dir maturin \
+    && cd myfsio_core \
+    && maturin build --release \
+    && pip install target/wheels/*.whl \
+    && cd .. \
+    && rm -rf myfsio_core/target \
+    && pip uninstall -y maturin \
+    && rustup self uninstall -y
+
 RUN chmod +x docker-entrypoint.sh
 
 RUN mkdir -p /app/data \

app/__init__.py

@@ -3,6 +3,7 @@ from __future__ import annotations
 import html as html_module
 import logging
 import mimetypes
+import os
 import shutil
 import sys
 import time
@@ -93,7 +94,14 @@ def create_app(
         app.config.setdefault("WTF_CSRF_ENABLED", False)
 
     # Trust X-Forwarded-* headers from proxies
-    app.wsgi_app = ProxyFix(app.wsgi_app, x_for=1, x_proto=1, x_host=1, x_prefix=1)
+    num_proxies = app.config.get("NUM_TRUSTED_PROXIES", 1)
+    if num_proxies:
+        if "NUM_TRUSTED_PROXIES" not in os.environ:
+            logging.getLogger(__name__).warning(
+                "NUM_TRUSTED_PROXIES not set, defaulting to 1. "
+                "Set NUM_TRUSTED_PROXIES=0 if not behind a reverse proxy."
+            )
+        app.wsgi_app = ProxyFix(app.wsgi_app, x_for=num_proxies, x_proto=num_proxies, x_host=num_proxies, x_prefix=num_proxies)
 
     # Enable gzip compression for responses (10-20x smaller JSON payloads)
     if app.config.get("ENABLE_GZIP", True):

app/admin_api.py

@@ -17,7 +17,7 @@ from .extensions import limiter
 from .iam import IamError, Principal
 from .replication import ReplicationManager
 from .site_registry import PeerSite, SiteInfo, SiteRegistry
-from .website_domains import WebsiteDomainStore
+from .website_domains import WebsiteDomainStore, normalize_domain, is_valid_domain
 
 
 def _is_safe_url(url: str, allow_internal: bool = False) -> bool:
@@ -704,10 +704,12 @@ def create_website_domain():
     if not current_app.config.get("WEBSITE_HOSTING_ENABLED", False):
         return _json_error("InvalidRequest", "Website hosting is not enabled", 400)
     payload = request.get_json(silent=True) or {}
-    domain = (payload.get("domain") or "").strip().lower()
+    domain = normalize_domain(payload.get("domain") or "")
     bucket = (payload.get("bucket") or "").strip()
     if not domain:
         return _json_error("ValidationError", "domain is required", 400)
+    if not is_valid_domain(domain):
+        return _json_error("ValidationError", f"Invalid domain: '{domain}'", 400)
     if not bucket:
         return _json_error("ValidationError", "bucket is required", 400)
     storage = _storage()
@@ -730,10 +732,11 @@ def get_website_domain(domain: str):
         return error
     if not current_app.config.get("WEBSITE_HOSTING_ENABLED", False):
         return _json_error("InvalidRequest", "Website hosting is not enabled", 400)
+    domain = normalize_domain(domain)
     bucket = _website_domains().get_bucket(domain)
     if not bucket:
         return _json_error("NotFound", f"No mapping found for domain '{domain}'", 404)
-    return jsonify({"domain": domain.lower(), "bucket": bucket})
+    return jsonify({"domain": domain, "bucket": bucket})
 
 
 @admin_api_bp.route("/website-domains/<domain>", methods=["PUT"])
@@ -744,6 +747,7 @@ def update_website_domain(domain: str):
         return error
     if not current_app.config.get("WEBSITE_HOSTING_ENABLED", False):
         return _json_error("InvalidRequest", "Website hosting is not enabled", 400)
+    domain = normalize_domain(domain)
     payload = request.get_json(silent=True) or {}
     bucket = (payload.get("bucket") or "").strip()
     if not bucket:
@@ -752,9 +756,11 @@ def update_website_domain(domain: str):
     if not storage.bucket_exists(bucket):
         return _json_error("NoSuchBucket", f"Bucket '{bucket}' does not exist", 404)
     store = _website_domains()
+    if not store.get_bucket(domain):
+        return _json_error("NotFound", f"No mapping found for domain '{domain}'", 404)
     store.set_mapping(domain, bucket)
     logger.info("Website domain mapping updated: %s -> %s", domain, bucket)
-    return jsonify({"domain": domain.lower(), "bucket": bucket})
+    return jsonify({"domain": domain, "bucket": bucket})
 
 
 @admin_api_bp.route("/website-domains/<domain>", methods=["DELETE"])
@@ -765,6 +771,7 @@ def delete_website_domain(domain: str):
         return error
     if not current_app.config.get("WEBSITE_HOSTING_ENABLED", False):
         return _json_error("InvalidRequest", "Website hosting is not enabled", 400)
+    domain = normalize_domain(domain)
     if not _website_domains().delete_mapping(domain):
         return _json_error("NotFound", f"No mapping found for domain '{domain}'", 404)
     logger.info("Website domain mapping deleted: %s", domain)

app/bucket_policies.py

@@ -75,7 +75,7 @@ def _evaluate_condition_operator(
         expected_null = condition_values[0].lower() in ("true", "1", "yes") if condition_values else True
         return is_null == expected_null
 
-    return True
+    return False
 
 ACTION_ALIASES = {
     "s3:listbucket": "list",

app/config.py

@@ -314,7 +314,7 @@ class AppConfig:
         site_region = str(_get("SITE_REGION", "us-east-1"))
         site_priority = int(_get("SITE_PRIORITY", 100))
         ratelimit_admin = _validate_rate_limit(str(_get("RATE_LIMIT_ADMIN", "60 per minute")))
-        num_trusted_proxies = int(_get("NUM_TRUSTED_PROXIES", 0))
+        num_trusted_proxies = int(_get("NUM_TRUSTED_PROXIES", 1))
         allowed_redirect_hosts_raw = _get("ALLOWED_REDIRECT_HOSTS", "")
         allowed_redirect_hosts = [h.strip() for h in str(allowed_redirect_hosts_raw).split(",") if h.strip()]
         allow_internal_endpoints = str(_get("ALLOW_INTERNAL_ENDPOINTS", "0")).lower() in {"1", "true", "yes", "on"}

app/iam.py

@@ -164,9 +164,14 @@ class IamService:
         self._clear_failed_attempts(access_key)
         return self._build_principal(access_key, record)
 
+    _MAX_LOCKOUT_KEYS = 10000
+
     def _record_failed_attempt(self, access_key: str) -> None:
         if not access_key:
             return
+        if access_key not in self._failed_attempts and len(self._failed_attempts) >= self._MAX_LOCKOUT_KEYS:
+            oldest_key = min(self._failed_attempts, key=lambda k: self._failed_attempts[k][0] if self._failed_attempts[k] else datetime.min.replace(tzinfo=timezone.utc))
+            del self._failed_attempts[oldest_key]
         attempts = self._failed_attempts.setdefault(access_key, deque())
         self._prune_attempts(attempts)
         attempts.append(datetime.now(timezone.utc))

app/notifications.py

@@ -15,29 +15,23 @@ from typing import Any, Dict, List, Optional
 from urllib.parse import urlparse
 
 import requests
+from urllib3.util.connection import create_connection as _urllib3_create_connection
 
 
-def _is_safe_url(url: str, allow_internal: bool = False) -> bool:
+def _resolve_and_check_url(url: str, allow_internal: bool = False) -> Optional[str]:
-    """Check if a URL is safe to make requests to (not internal/private).
-
-    Args:
-        url: The URL to check.
-        allow_internal: If True, allows internal/private IP addresses.
-                       Use for self-hosted deployments on internal networks.
-    """
     try:
         parsed = urlparse(url)
         hostname = parsed.hostname
         if not hostname:
-            return False
+            return None
         cloud_metadata_hosts = {
             "metadata.google.internal",
             "169.254.169.254",
         }
         if hostname.lower() in cloud_metadata_hosts:
-            return False
+            return None
         if allow_internal:
-            return True
+            return hostname
         blocked_hosts = {
             "localhost",
             "127.0.0.1",
@@ -46,17 +40,46 @@ def _is_safe_url(url: str, allow_internal: bool = False) -> bool:
             "[::1]",
         }
         if hostname.lower() in blocked_hosts:
-            return False
+            return None
         try:
             resolved_ip = socket.gethostbyname(hostname)
             ip = ipaddress.ip_address(resolved_ip)
             if ip.is_private or ip.is_loopback or ip.is_link_local or ip.is_reserved:
-                return False
+                return None
+            return resolved_ip
         except (socket.gaierror, ValueError):
-            return False
+            return None
-        return True
     except Exception:
-        return False
+        return None
+
+
+def _is_safe_url(url: str, allow_internal: bool = False) -> bool:
+    return _resolve_and_check_url(url, allow_internal) is not None
+
+
+_dns_pin_lock = threading.Lock()
+
+
+def _pinned_post(url: str, pinned_ip: str, **kwargs: Any) -> requests.Response:
+    parsed = urlparse(url)
+    hostname = parsed.hostname or ""
+    session = requests.Session()
+    original_create = _urllib3_create_connection
+
+    def _create_pinned(address: Any, *args: Any, **kw: Any) -> Any:
+        host, req_port = address
+        if host == hostname:
+            return original_create((pinned_ip, req_port), *args, **kw)
+        return original_create(address, *args, **kw)
+
+    import urllib3.util.connection as _conn_mod
+    with _dns_pin_lock:
+        _conn_mod.create_connection = _create_pinned
+        try:
+            return session.post(url, **kwargs)
+        finally:
+            _conn_mod.create_connection = original_create
+
 
 logger = logging.getLogger(__name__)
 
@@ -344,16 +367,18 @@ class NotificationService:
                 self._queue.task_done()
 
     def _send_notification(self, event: NotificationEvent, destination: WebhookDestination) -> None:
-        if not _is_safe_url(destination.url, allow_internal=self._allow_internal_endpoints):
+        resolved_ip = _resolve_and_check_url(destination.url, allow_internal=self._allow_internal_endpoints)
-            raise RuntimeError(f"Blocked request to cloud metadata service (SSRF protection): {destination.url}")
+        if not resolved_ip:
+            raise RuntimeError(f"Blocked request (SSRF protection): {destination.url}")
         payload = event.to_s3_event()
         headers = {"Content-Type": "application/json", **destination.headers}
 
         last_error = None
         for attempt in range(destination.retry_count):
             try:
-                response = requests.post(
+                response = _pinned_post(
                     destination.url,
+                    resolved_ip,
                     json=payload,
                     headers=headers,
                     timeout=destination.timeout_seconds,

app/operation_metrics.py

@@ -2,6 +2,7 @@ from __future__ import annotations
 
 import json
 import logging
+import random
 import threading
 import time
 from dataclasses import dataclass, field
@@ -9,6 +10,8 @@ from datetime import datetime, timezone
 from pathlib import Path
 from typing import Any, Dict, List, Optional
 
+MAX_LATENCY_SAMPLES = 5000
+
 logger = logging.getLogger(__name__)
 
 
@@ -22,6 +25,17 @@ class OperationStats:
     latency_max_ms: float = 0.0
     bytes_in: int = 0
     bytes_out: int = 0
+    latency_samples: List[float] = field(default_factory=list)
+
+    @staticmethod
+    def _compute_percentile(sorted_data: List[float], p: float) -> float:
+        if not sorted_data:
+            return 0.0
+        k = (len(sorted_data) - 1) * (p / 100.0)
+        f = int(k)
+        c = min(f + 1, len(sorted_data) - 1)
+        d = k - f
+        return sorted_data[f] + d * (sorted_data[c] - sorted_data[f])
 
     def record(self, latency_ms: float, success: bool, bytes_in: int = 0, bytes_out: int = 0) -> None:
         self.count += 1
@@ -36,10 +50,17 @@ class OperationStats:
             self.latency_max_ms = latency_ms
         self.bytes_in += bytes_in
         self.bytes_out += bytes_out
+        if len(self.latency_samples) < MAX_LATENCY_SAMPLES:
+            self.latency_samples.append(latency_ms)
+        else:
+            j = random.randint(0, self.count - 1)
+            if j < MAX_LATENCY_SAMPLES:
+                self.latency_samples[j] = latency_ms
 
     def to_dict(self) -> Dict[str, Any]:
         avg_latency = self.latency_sum_ms / self.count if self.count > 0 else 0.0
         min_latency = self.latency_min_ms if self.latency_min_ms != float("inf") else 0.0
+        sorted_latencies = sorted(self.latency_samples)
         return {
             "count": self.count,
             "success_count": self.success_count,
@@ -47,6 +68,9 @@ class OperationStats:
             "latency_avg_ms": round(avg_latency, 2),
             "latency_min_ms": round(min_latency, 2),
             "latency_max_ms": round(self.latency_max_ms, 2),
+            "latency_p50_ms": round(self._compute_percentile(sorted_latencies, 50), 2),
+            "latency_p95_ms": round(self._compute_percentile(sorted_latencies, 95), 2),
+            "latency_p99_ms": round(self._compute_percentile(sorted_latencies, 99), 2),
             "bytes_in": self.bytes_in,
             "bytes_out": self.bytes_out,
         }
@@ -62,6 +86,11 @@ class OperationStats:
             self.latency_max_ms = other.latency_max_ms
         self.bytes_in += other.bytes_in
         self.bytes_out += other.bytes_out
+        combined = self.latency_samples + other.latency_samples
+        if len(combined) > MAX_LATENCY_SAMPLES:
+            random.shuffle(combined)
+            combined = combined[:MAX_LATENCY_SAMPLES]
+        self.latency_samples = combined
 
 
 @dataclass

app/s3_api.py

@@ -17,6 +17,13 @@ from urllib.parse import quote, urlencode, urlparse, unquote
 from xml.etree.ElementTree import Element, SubElement, tostring, ParseError
 from defusedxml.ElementTree import fromstring
 
+try:
+    import myfsio_core as _rc
+    _HAS_RUST = True
+except ImportError:
+    _rc = None
+    _HAS_RUST = False
+
 from flask import Blueprint, Response, current_app, jsonify, request, g
 from werkzeug.http import http_date
 
@@ -192,11 +199,16 @@ _SIGNING_KEY_CACHE_MAX_SIZE = 256
 
 
 def clear_signing_key_cache() -> None:
+    if _HAS_RUST:
+        _rc.clear_signing_key_cache()
     with _SIGNING_KEY_CACHE_LOCK:
         _SIGNING_KEY_CACHE.clear()
 
 
 def _get_signature_key(key: str, date_stamp: str, region_name: str, service_name: str) -> bytes:
+    if _HAS_RUST:
+        return bytes(_rc.derive_signing_key(key, date_stamp, region_name, service_name))
+
     cache_key = (key, date_stamp, region_name, service_name)
     now = time.time()
 
@@ -255,39 +267,6 @@ def _verify_sigv4_header(req: Any, auth_header: str) -> Principal | None:
     if not secret_key:
         raise IamError("SignatureDoesNotMatch")
 
-    method = req.method
-    canonical_uri = _get_canonical_uri(req)
-    
-    query_args = []
-    for key, value in req.args.items(multi=True):
-        query_args.append((key, value))
-    query_args.sort(key=lambda x: (x[0], x[1]))
-    
-    canonical_query_parts = []
-    for k, v in query_args:
-        canonical_query_parts.append(f"{quote(k, safe='-_.~')}={quote(v, safe='-_.~')}")
-    canonical_query_string = "&".join(canonical_query_parts)
-
-    signed_headers_list = signed_headers_str.split(";")
-    canonical_headers_parts = []
-    for header in signed_headers_list:
-        header_val = req.headers.get(header)
-        if header_val is None:
-             header_val = ""
-        
-        if header.lower() == 'expect' and header_val == "":
-            header_val = "100-continue"
-        
-        header_val = " ".join(header_val.split())
-        canonical_headers_parts.append(f"{header.lower()}:{header_val}\n")
-    canonical_headers = "".join(canonical_headers_parts)
-
-    payload_hash = req.headers.get("X-Amz-Content-Sha256")
-    if not payload_hash:
-        payload_hash = hashlib.sha256(req.get_data()).hexdigest()
-
-    canonical_request = f"{method}\n{canonical_uri}\n{canonical_query_string}\n{canonical_headers}\n{signed_headers_str}\n{payload_hash}"
-
     amz_date = req.headers.get("X-Amz-Date") or req.headers.get("Date")
     if not amz_date:
         raise IamError("Missing Date header")
@@ -313,15 +292,56 @@ def _verify_sigv4_header(req: Any, auth_header: str) -> Principal | None:
         if not required_headers.issubset(signed_headers_set):
              raise IamError("Required headers not signed")
 
-    credential_scope = f"{date_stamp}/{region}/{service}/aws4_request"
+    canonical_uri = _get_canonical_uri(req)
-    string_to_sign = f"AWS4-HMAC-SHA256\n{amz_date}\n{credential_scope}\n{hashlib.sha256(canonical_request.encode('utf-8')).hexdigest()}"
+    payload_hash = req.headers.get("X-Amz-Content-Sha256")
-    signing_key = _get_signature_key(secret_key, date_stamp, region, service)
+    if not payload_hash:
-    calculated_signature = hmac.new(signing_key, string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()
+        payload_hash = hashlib.sha256(req.get_data()).hexdigest()
 
-    if not hmac.compare_digest(calculated_signature, signature):
+    if _HAS_RUST:
-        if current_app.config.get("DEBUG_SIGV4"):
+        query_params = list(req.args.items(multi=True))
-            logger.warning("SigV4 signature mismatch for %s %s", method, req.path)
+        header_values = [(h, req.headers.get(h) or "") for h in signed_headers_str.split(";")]
-        raise IamError("SignatureDoesNotMatch")
+        if not _rc.verify_sigv4_signature(
+            req.method, canonical_uri, query_params, signed_headers_str,
+            header_values, payload_hash, amz_date, date_stamp, region,
+            service, secret_key, signature,
+        ):
+            if current_app.config.get("DEBUG_SIGV4"):
+                logger.warning("SigV4 signature mismatch for %s %s", req.method, req.path)
+            raise IamError("SignatureDoesNotMatch")
+    else:
+        method = req.method
+        query_args = []
+        for key, value in req.args.items(multi=True):
+            query_args.append((key, value))
+        query_args.sort(key=lambda x: (x[0], x[1]))
+
+        canonical_query_parts = []
+        for k, v in query_args:
+            canonical_query_parts.append(f"{quote(k, safe='-_.~')}={quote(v, safe='-_.~')}")
+        canonical_query_string = "&".join(canonical_query_parts)
+
+        signed_headers_list = signed_headers_str.split(";")
+        canonical_headers_parts = []
+        for header in signed_headers_list:
+            header_val = req.headers.get(header)
+            if header_val is None:
+                 header_val = ""
+            if header.lower() == 'expect' and header_val == "":
+                header_val = "100-continue"
+            header_val = " ".join(header_val.split())
+            canonical_headers_parts.append(f"{header.lower()}:{header_val}\n")
+        canonical_headers = "".join(canonical_headers_parts)
+
+        canonical_request = f"{method}\n{canonical_uri}\n{canonical_query_string}\n{canonical_headers}\n{signed_headers_str}\n{payload_hash}"
+
+        credential_scope = f"{date_stamp}/{region}/{service}/aws4_request"
+        signing_key = _get_signature_key(secret_key, date_stamp, region, service)
+        string_to_sign = f"AWS4-HMAC-SHA256\n{amz_date}\n{credential_scope}\n{hashlib.sha256(canonical_request.encode('utf-8')).hexdigest()}"
+        calculated_signature = hmac.new(signing_key, string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()
+        if not hmac.compare_digest(calculated_signature, signature):
+            if current_app.config.get("DEBUG_SIGV4"):
+                logger.warning("SigV4 signature mismatch for %s %s", method, req.path)
+            raise IamError("SignatureDoesNotMatch")
 
     session_token = req.headers.get("X-Amz-Security-Token")
     if session_token:
@@ -352,12 +372,19 @@ def _verify_sigv4_query(req: Any) -> Principal | None:
         raise IamError("Invalid Date format")
 
     now = datetime.now(timezone.utc)
+    tolerance = timedelta(seconds=current_app.config.get("SIGV4_TIMESTAMP_TOLERANCE_SECONDS", 900))
+    if req_time > now + tolerance:
+        raise IamError("Request date is too far in the future")
     try:
         expires_seconds = int(expires)
         if expires_seconds <= 0:
             raise IamError("Invalid Expires value: must be positive")
     except ValueError:
         raise IamError("Invalid Expires value: must be an integer")
+    min_expiry = current_app.config.get("PRESIGNED_URL_MIN_EXPIRY_SECONDS", 1)
+    max_expiry = current_app.config.get("PRESIGNED_URL_MAX_EXPIRY_SECONDS", 604800)
+    if expires_seconds < min_expiry or expires_seconds > max_expiry:
+        raise IamError(f"Expiration must be between {min_expiry} second(s) and {max_expiry} seconds")
     if now > req_time + timedelta(seconds=expires_seconds):
         raise IamError("Request expired")
 
@@ -365,56 +392,58 @@ def _verify_sigv4_query(req: Any) -> Principal | None:
     if not secret_key:
         raise IamError("Invalid access key")
 
-    method = req.method
     canonical_uri = _get_canonical_uri(req)
 
-    query_args = []
+    if _HAS_RUST:
-    for key, value in req.args.items(multi=True):
+        query_params = [(k, v) for k, v in req.args.items(multi=True) if k != "X-Amz-Signature"]
-        if key != "X-Amz-Signature":
+        header_values = [(h, req.headers.get(h) or "") for h in signed_headers_str.split(";")]
-            query_args.append((key, value))
+        if not _rc.verify_sigv4_signature(
-    query_args.sort(key=lambda x: (x[0], x[1]))
+            req.method, canonical_uri, query_params, signed_headers_str,
+            header_values, "UNSIGNED-PAYLOAD", amz_date, date_stamp, region,
+            service, secret_key, signature,
+        ):
+            raise IamError("SignatureDoesNotMatch")
+    else:
+        method = req.method
+        query_args = []
+        for key, value in req.args.items(multi=True):
+            if key != "X-Amz-Signature":
+                query_args.append((key, value))
+        query_args.sort(key=lambda x: (x[0], x[1]))
 
-    canonical_query_parts = []
+        canonical_query_parts = []
-    for k, v in query_args:
+        for k, v in query_args:
-        canonical_query_parts.append(f"{quote(k, safe='-_.~')}={quote(v, safe='-_.~')}")
+            canonical_query_parts.append(f"{quote(k, safe='-_.~')}={quote(v, safe='-_.~')}")
-    canonical_query_string = "&".join(canonical_query_parts)
+        canonical_query_string = "&".join(canonical_query_parts)
 
-    signed_headers_list = signed_headers_str.split(";")
+        signed_headers_list = signed_headers_str.split(";")
-    canonical_headers_parts = []
+        canonical_headers_parts = []
-    for header in signed_headers_list:
+        for header in signed_headers_list:
-        val = req.headers.get(header, "").strip()
+            val = req.headers.get(header, "").strip()
-        if header.lower() == 'expect' and val == "":
+            if header.lower() == 'expect' and val == "":
-            val = "100-continue"
+                val = "100-continue"
-        val = " ".join(val.split())
+            val = " ".join(val.split())
-        canonical_headers_parts.append(f"{header.lower()}:{val}\n")
+            canonical_headers_parts.append(f"{header.lower()}:{val}\n")
-    canonical_headers = "".join(canonical_headers_parts)
+        canonical_headers = "".join(canonical_headers_parts)
 
-    payload_hash = "UNSIGNED-PAYLOAD"
+        payload_hash = "UNSIGNED-PAYLOAD"
 
-    canonical_request = "\n".join([
+        canonical_request = "\n".join([
-        method,
+            method,
-        canonical_uri,
+            canonical_uri,
-        canonical_query_string,
+            canonical_query_string,
-        canonical_headers,
+            canonical_headers,
-        signed_headers_str,
+            signed_headers_str,
-        payload_hash
+            payload_hash
-    ])
+        ])
 
-    algorithm = "AWS4-HMAC-SHA256"
+        credential_scope = f"{date_stamp}/{region}/{service}/aws4_request"
-    credential_scope = f"{date_stamp}/{region}/{service}/aws4_request"
+        signing_key = _get_signature_key(secret_key, date_stamp, region, service)
-    hashed_request = hashlib.sha256(canonical_request.encode('utf-8')).hexdigest()
+        hashed_request = hashlib.sha256(canonical_request.encode('utf-8')).hexdigest()
-    string_to_sign = "\n".join([
+        string_to_sign = f"AWS4-HMAC-SHA256\n{amz_date}\n{credential_scope}\n{hashed_request}"
-        algorithm,
+        calculated_signature = hmac.new(signing_key, string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()
-        amz_date,
+        if not hmac.compare_digest(calculated_signature, signature):
-        credential_scope,
+            raise IamError("SignatureDoesNotMatch")
-        hashed_request
-    ])
-    
-    signing_key = _get_signature_key(secret_key, date_stamp, region, service)
-    calculated_signature = hmac.new(signing_key, string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()
-
-    if not hmac.compare_digest(calculated_signature, signature):
-        raise IamError("SignatureDoesNotMatch")
 
     session_token = req.args.get("X-Amz-Security-Token")
     if session_token:
@@ -573,7 +602,11 @@ def _validate_presigned_request(action: str, bucket_name: str, object_key: str)
         request_time = datetime.strptime(amz_date, "%Y%m%dT%H%M%SZ").replace(tzinfo=timezone.utc)
     except ValueError as exc:
         raise IamError("Invalid X-Amz-Date") from exc
-    if datetime.now(timezone.utc) > request_time + timedelta(seconds=expiry):
+    now = datetime.now(timezone.utc)
+    tolerance = timedelta(seconds=current_app.config.get("SIGV4_TIMESTAMP_TOLERANCE_SECONDS", 900))
+    if request_time > now + tolerance:
+        raise IamError("Request date is too far in the future")
+    if now > request_time + timedelta(seconds=expiry):
         raise IamError("Presigned URL expired")
 
     signed_headers_list = [header.strip().lower() for header in signed_headers.split(";") if header]
@@ -973,7 +1006,7 @@ def _render_encryption_document(config: dict[str, Any]) -> Element:
     return root
 
 
-def _stream_file(path, chunk_size: int = 64 * 1024):
+def _stream_file(path, chunk_size: int = 256 * 1024):
     with path.open("rb") as handle:
         while True:
             chunk = handle.read(chunk_size)
@@ -1026,6 +1059,7 @@ def _maybe_handle_bucket_subresource(bucket_name: str) -> Response | None:
         "logging": _bucket_logging_handler,
         "uploads": _bucket_uploads_handler,
         "policy": _bucket_policy_handler,
+        "policyStatus": _bucket_policy_status_handler,
         "replication": _bucket_replication_handler,
         "website": _bucket_website_handler,
     }
@@ -1308,8 +1342,8 @@ def _bucket_cors_handler(bucket_name: str) -> Response:
 
 
 def _bucket_encryption_handler(bucket_name: str) -> Response:
-    if request.method not in {"GET", "PUT"}:
+    if request.method not in {"GET", "PUT", "DELETE"}:
-        return _method_not_allowed(["GET", "PUT"])
+        return _method_not_allowed(["GET", "PUT", "DELETE"])
     principal, error = _require_principal()
     if error:
         return error
@@ -1330,6 +1364,13 @@ def _bucket_encryption_handler(bucket_name: str) -> Response:
                 404,
             )
         return _xml_response(_render_encryption_document(config))
+    if request.method == "DELETE":
+        try:
+            storage.set_bucket_encryption(bucket_name, None)
+        except StorageError as exc:
+            return _error_response("NoSuchBucket", str(exc), 404)
+        current_app.logger.info("Bucket encryption deleted", extra={"bucket": bucket_name})
+        return Response(status=204)
     ct_error = _require_xml_content_type()
     if ct_error:
         return ct_error
@@ -1426,6 +1467,99 @@ def _bucket_acl_handler(bucket_name: str) -> Response:
     return _xml_response(root)
 
 
+def _object_acl_handler(bucket_name: str, object_key: str) -> Response:
+    from .acl import create_canned_acl, GRANTEE_ALL_USERS, GRANTEE_AUTHENTICATED_USERS
+
+    if request.method not in {"GET", "PUT"}:
+        return _method_not_allowed(["GET", "PUT"])
+    storage = _storage()
+    try:
+        path = storage.get_object_path(bucket_name, object_key)
+    except (StorageError, FileNotFoundError):
+        return _error_response("NoSuchKey", "Object not found", 404)
+
+    if request.method == "PUT":
+        principal, error = _object_principal("write", bucket_name, object_key)
+        if error:
+            return error
+        owner_id = principal.access_key if principal else "anonymous"
+        canned_acl = request.headers.get("x-amz-acl", "private")
+        acl = create_canned_acl(canned_acl, owner_id)
+        acl_service = _acl()
+        metadata = storage.get_object_metadata(bucket_name, object_key)
+        metadata.update(acl_service.create_object_acl_metadata(acl))
+        safe_key = storage._sanitize_object_key(object_key, storage._object_key_max_length_bytes)
+        storage._write_metadata(bucket_name, safe_key, metadata)
+        current_app.logger.info("Object ACL set", extra={"bucket": bucket_name, "key": object_key, "acl": canned_acl})
+        return Response(status=200)
+
+    principal, error = _object_principal("read", bucket_name, object_key)
+    if error:
+        return error
+    owner_id = principal.access_key if principal else "anonymous"
+    acl_service = _acl()
+    metadata = storage.get_object_metadata(bucket_name, object_key)
+    acl = acl_service.get_object_acl(bucket_name, object_key, metadata)
+    if not acl:
+        acl = create_canned_acl("private", owner_id)
+
+    root = Element("AccessControlPolicy")
+    owner_el = SubElement(root, "Owner")
+    SubElement(owner_el, "ID").text = acl.owner
+    SubElement(owner_el, "DisplayName").text = acl.owner
+    acl_el = SubElement(root, "AccessControlList")
+    for grant in acl.grants:
+        grant_el = SubElement(acl_el, "Grant")
+        grantee = SubElement(grant_el, "Grantee")
+        if grant.grantee == GRANTEE_ALL_USERS:
+            grantee.set("{http://www.w3.org/2001/XMLSchema-instance}type", "Group")
+            SubElement(grantee, "URI").text = "http://acs.amazonaws.com/groups/global/AllUsers"
+        elif grant.grantee == GRANTEE_AUTHENTICATED_USERS:
+            grantee.set("{http://www.w3.org/2001/XMLSchema-instance}type", "Group")
+            SubElement(grantee, "URI").text = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
+        else:
+            grantee.set("{http://www.w3.org/2001/XMLSchema-instance}type", "CanonicalUser")
+            SubElement(grantee, "ID").text = grant.grantee
+            SubElement(grantee, "DisplayName").text = grant.grantee
+        SubElement(grant_el, "Permission").text = grant.permission
+    return _xml_response(root)
+
+
+def _object_attributes_handler(bucket_name: str, object_key: str) -> Response:
+    if request.method != "GET":
+        return _method_not_allowed(["GET"])
+    principal, error = _object_principal("read", bucket_name, object_key)
+    if error:
+        return error
+    storage = _storage()
+    try:
+        path = storage.get_object_path(bucket_name, object_key)
+        file_stat = path.stat()
+        metadata = storage.get_object_metadata(bucket_name, object_key)
+    except (StorageError, FileNotFoundError):
+        return _error_response("NoSuchKey", "Object not found", 404)
+
+    requested = request.headers.get("x-amz-object-attributes", "")
+    attrs = {a.strip() for a in requested.split(",") if a.strip()}
+
+    root = Element("GetObjectAttributesResponse")
+    if "ETag" in attrs:
+        etag = metadata.get("__etag__") or storage._compute_etag(path)
+        SubElement(root, "ETag").text = etag
+    if "StorageClass" in attrs:
+        SubElement(root, "StorageClass").text = "STANDARD"
+    if "ObjectSize" in attrs:
+        SubElement(root, "ObjectSize").text = str(file_stat.st_size)
+    if "Checksum" in attrs:
+        SubElement(root, "Checksum")
+    if "ObjectParts" in attrs:
+        SubElement(root, "ObjectParts")
+
+    response = _xml_response(root)
+    response.headers["Last-Modified"] = http_date(file_stat.st_mtime)
+    return response
+
+
 def _bucket_list_versions_handler(bucket_name: str) -> Response:
     """Handle ListObjectVersions (GET /<bucket>?versions)."""
     if request.method != "GET":
@@ -2347,6 +2481,10 @@ def _post_object(bucket_name: str) -> Response:
     if success_action_redirect:
         allowed_hosts = current_app.config.get("ALLOWED_REDIRECT_HOSTS", [])
         if not allowed_hosts:
+            current_app.logger.warning(
+                "ALLOWED_REDIRECT_HOSTS not configured, falling back to request Host header. "
+                "Set ALLOWED_REDIRECT_HOSTS for production deployments."
+            )
             allowed_hosts = [request.host]
         parsed = urlparse(success_action_redirect)
         if parsed.scheme not in ("http", "https"):
@@ -2656,6 +2794,12 @@ def object_handler(bucket_name: str, object_key: str):
     if "legal-hold" in request.args:
         return _object_legal_hold_handler(bucket_name, object_key)
 
+    if "acl" in request.args:
+        return _object_acl_handler(bucket_name, object_key)
+
+    if "attributes" in request.args:
+        return _object_attributes_handler(bucket_name, object_key)
+
     if request.method == "POST":
         if "uploads" in request.args:
             return _initiate_multipart_upload(bucket_name, object_key)
@@ -2803,7 +2947,7 @@ def object_handler(bucket_name: str, object_key: str):
                             f.seek(start_pos)
                             remaining = length_to_read
                             while remaining > 0:
-                                chunk_size = min(65536, remaining)
+                                chunk_size = min(262144, remaining)
                                 chunk = f.read(chunk_size)
                                 if not chunk:
                                     break
@@ -2980,6 +3124,32 @@ def _bucket_policy_handler(bucket_name: str) -> Response:
     return Response(status=204)
 
 
+def _bucket_policy_status_handler(bucket_name: str) -> Response:
+    if request.method != "GET":
+        return _method_not_allowed(["GET"])
+    principal, error = _require_principal()
+    if error:
+        return error
+    try:
+        _authorize_action(principal, bucket_name, "policy")
+    except IamError as exc:
+        return _error_response("AccessDenied", str(exc), 403)
+    storage = _storage()
+    if not storage.bucket_exists(bucket_name):
+        return _error_response("NoSuchBucket", "Bucket does not exist", 404)
+    store = _bucket_policies()
+    policy = store.get_policy(bucket_name)
+    is_public = False
+    if policy:
+        for statement in policy.get("Statement", []):
+            if statement.get("Effect") == "Allow" and statement.get("Principal") == "*":
+                is_public = True
+                break
+    root = Element("PolicyStatus")
+    SubElement(root, "IsPublic").text = "TRUE" if is_public else "FALSE"
+    return _xml_response(root)
+
+
 def _bucket_replication_handler(bucket_name: str) -> Response:
     if request.method not in {"GET", "PUT", "DELETE"}:
         return _method_not_allowed(["GET", "PUT", "DELETE"])
@@ -3193,7 +3363,7 @@ def head_object(bucket_name: str, object_key: str) -> Response:
         path = _storage().get_object_path(bucket_name, object_key)
         metadata = _storage().get_object_metadata(bucket_name, object_key)
         stat = path.stat()
-        etag = _storage()._compute_etag(path)
+        etag = metadata.get("__etag__") or _storage()._compute_etag(path)
         
         response = Response(status=200)
         _apply_object_headers(response, file_stat=stat, metadata=metadata, etag=etag)

app/storage.py

@@ -1,5 +1,6 @@
 from __future__ import annotations
 
+import copy
 import hashlib
 import json
 import os
@@ -18,6 +19,13 @@ from datetime import datetime, timezone
 from pathlib import Path
 from typing import Any, BinaryIO, Dict, Generator, List, Optional
 
+try:
+    import myfsio_core as _rc
+    _HAS_RUST = True
+except ImportError:
+    _rc = None
+    _HAS_RUST = False
+
 # Platform-specific file locking
 if os.name == "nt":
     import msvcrt
@@ -189,6 +197,8 @@ class ObjectStorage:
         self._object_key_max_length_bytes = object_key_max_length_bytes
         self._sorted_key_cache: Dict[str, tuple[list[str], int]] = {}
         self._meta_index_locks: Dict[str, threading.Lock] = {}
+        self._meta_read_cache: OrderedDict[tuple, Optional[Dict[str, Any]]] = OrderedDict()
+        self._meta_read_cache_max = 2048
         self._cleanup_executor = ThreadPoolExecutor(max_workers=1, thread_name_prefix="ParentCleanup")
 
     def _get_bucket_lock(self, bucket_id: str) -> threading.Lock:
@@ -220,6 +230,11 @@ class ObjectStorage:
             raise BucketNotFoundError("Bucket does not exist")
 
     def _validate_bucket_name(self, bucket_name: str) -> None:
+        if _HAS_RUST:
+            error = _rc.validate_bucket_name(bucket_name)
+            if error:
+                raise StorageError(error)
+            return
         if len(bucket_name) < 3 or len(bucket_name) > 63:
             raise StorageError("Bucket name must be between 3 and 63 characters")
         if not re.match(r"^[a-z0-9][a-z0-9.-]*[a-z0-9]$", bucket_name):
@@ -1892,14 +1907,38 @@ class ObjectStorage:
             return self._meta_index_locks[index_path]
 
     def _read_index_entry(self, bucket_name: str, key: Path) -> Optional[Dict[str, Any]]:
+        cache_key = (bucket_name, str(key))
+        with self._cache_lock:
+            hit = self._meta_read_cache.get(cache_key)
+            if hit is not None:
+                self._meta_read_cache.move_to_end(cache_key)
+                cached = hit[0]
+                return copy.deepcopy(cached) if cached is not None else None
+
         index_path, entry_name = self._index_file_for_key(bucket_name, key)
-        if not index_path.exists():
+        if _HAS_RUST:
-            return None
+            result = _rc.read_index_entry(str(index_path), entry_name)
-        try:
+        else:
-            index_data = json.loads(index_path.read_text(encoding="utf-8"))
+            if not index_path.exists():
-            return index_data.get(entry_name)
+                result = None
-        except (OSError, json.JSONDecodeError):
+            else:
-            return None
+                try:
+                    index_data = json.loads(index_path.read_text(encoding="utf-8"))
+                    result = index_data.get(entry_name)
+                except (OSError, json.JSONDecodeError):
+                    result = None
+
+        with self._cache_lock:
+            while len(self._meta_read_cache) >= self._meta_read_cache_max:
+                self._meta_read_cache.popitem(last=False)
+            self._meta_read_cache[cache_key] = (copy.deepcopy(result) if result is not None else None,)
+
+        return result
+
+    def _invalidate_meta_read_cache(self, bucket_name: str, key: Path) -> None:
+        cache_key = (bucket_name, str(key))
+        with self._cache_lock:
+            self._meta_read_cache.pop(cache_key, None)
 
     def _write_index_entry(self, bucket_name: str, key: Path, entry: Dict[str, Any]) -> None:
         index_path, entry_name = self._index_file_for_key(bucket_name, key)
@@ -1914,16 +1953,19 @@ class ObjectStorage:
                     pass
             index_data[entry_name] = entry
             index_path.write_text(json.dumps(index_data), encoding="utf-8")
+        self._invalidate_meta_read_cache(bucket_name, key)
 
     def _delete_index_entry(self, bucket_name: str, key: Path) -> None:
         index_path, entry_name = self._index_file_for_key(bucket_name, key)
         if not index_path.exists():
+            self._invalidate_meta_read_cache(bucket_name, key)
             return
         lock = self._get_meta_index_lock(str(index_path))
         with lock:
             try:
                 index_data = json.loads(index_path.read_text(encoding="utf-8"))
             except (OSError, json.JSONDecodeError):
+                self._invalidate_meta_read_cache(bucket_name, key)
                 return
             if entry_name in index_data:
                 del index_data[entry_name]
@@ -1934,6 +1976,7 @@ class ObjectStorage:
                         index_path.unlink()
                     except OSError:
                         pass
+        self._invalidate_meta_read_cache(bucket_name, key)
 
     def _normalize_metadata(self, metadata: Optional[Dict[str, str]]) -> Optional[Dict[str, str]]:
         if not metadata:
@@ -2133,6 +2176,18 @@ class ObjectStorage:
 
     @staticmethod
     def _sanitize_object_key(object_key: str, max_length_bytes: int = 1024) -> Path:
+        if _HAS_RUST:
+            error = _rc.validate_object_key(object_key, max_length_bytes, os.name == "nt")
+            if error:
+                raise StorageError(error)
+            normalized = unicodedata.normalize("NFC", object_key)
+            candidate = Path(normalized)
+            if candidate.is_absolute():
+                raise StorageError("Absolute object keys are not allowed")
+            if getattr(candidate, "drive", ""):
+                raise StorageError("Object key cannot include a drive letter")
+            return Path(*candidate.parts) if candidate.parts else candidate
+
         if not object_key:
             raise StorageError("Object key required")
         if "\x00" in object_key:
@@ -2174,6 +2229,8 @@ class ObjectStorage:
 
     @staticmethod
     def _compute_etag(path: Path) -> str:
+        if _HAS_RUST:
+            return _rc.md5_file(str(path))
         checksum = hashlib.md5()
         with path.open("rb") as handle:
             for chunk in iter(lambda: handle.read(8192), b""):

app/ui.py

@@ -51,6 +51,7 @@ from .s3_client import (
 from .secret_store import EphemeralSecretStore
 from .site_registry import SiteRegistry, SiteInfo, PeerSite
 from .storage import ObjectStorage, StorageError
+from .website_domains import normalize_domain, is_valid_domain
 
 ui_bp = Blueprint("ui", __name__, template_folder="../templates", url_prefix="/ui")
 
@@ -507,11 +508,15 @@ def bucket_detail(bucket_name: str):
     can_manage_quota = is_replication_admin
 
     website_config = None
+    website_domains = []
     if website_hosting_enabled:
         try:
             website_config = storage.get_bucket_website(bucket_name)
         except StorageError:
             website_config = None
+        domain_store = current_app.extensions.get("website_domains")
+        if domain_store:
+            website_domains = domain_store.get_domains_for_bucket(bucket_name)
 
     objects_api_url = url_for("ui.list_bucket_objects", bucket_name=bucket_name)
     objects_stream_url = url_for("ui.stream_bucket_objects", bucket_name=bucket_name)
@@ -557,6 +562,7 @@ def bucket_detail(bucket_name: str):
         site_sync_enabled=site_sync_enabled,
         website_hosting_enabled=website_hosting_enabled,
         website_config=website_config,
+        website_domains=website_domains,
         can_manage_website=can_edit_policy,
     )
 
@@ -737,7 +743,6 @@ def initiate_multipart_upload(bucket_name: str):
 
 
 @ui_bp.put("/buckets/<bucket_name>/multipart/<upload_id>/parts")
-@limiter.exempt
 @csrf.exempt
 def upload_multipart_part(bucket_name: str, upload_id: str):
     principal = _current_principal()
@@ -2042,16 +2047,17 @@ def update_connection(connection_id: str):
     secret_key = request.form.get("secret_key", "").strip()
     region = request.form.get("region", "us-east-1").strip()
 
-    if not all([name, endpoint, access_key, secret_key]):
+    if not all([name, endpoint, access_key]):
         if _wants_json():
-            return jsonify({"error": "All fields are required"}), 400
+            return jsonify({"error": "Name, endpoint, and access key are required"}), 400
-        flash("All fields are required", "danger")
+        flash("Name, endpoint, and access key are required", "danger")
         return redirect(url_for("ui.connections_dashboard"))
 
     conn.name = name
     conn.endpoint_url = endpoint
     conn.access_key = access_key
-    conn.secret_key = secret_key
+    if secret_key:
+        conn.secret_key = secret_key
     conn.region = region
 
     _connections().save()
@@ -2372,7 +2378,10 @@ def website_domains_dashboard():
     store = current_app.extensions.get("website_domains")
     mappings = store.list_all() if store else []
     storage = _storage()
-    buckets = [b.name for b in storage.list_buckets()]
+    buckets = [
+        b.name for b in storage.list_buckets()
+        if storage.get_bucket_website(b.name)
+    ]
     return render_template(
         "website_domains.html",
         mappings=mappings,
@@ -2399,7 +2408,7 @@ def create_website_domain():
         flash("Website hosting is not enabled", "warning")
         return redirect(url_for("ui.buckets_overview"))
 
-    domain = (request.form.get("domain") or "").strip().lower()
+    domain = normalize_domain(request.form.get("domain") or "")
     bucket = (request.form.get("bucket") or "").strip()
 
     if not domain:
@@ -2408,6 +2417,12 @@ def create_website_domain():
         flash("Domain is required", "danger")
         return redirect(url_for("ui.website_domains_dashboard"))
 
+    if not is_valid_domain(domain):
+        if _wants_json():
+            return jsonify({"error": f"Invalid domain format: '{domain}'"}), 400
+        flash(f"Invalid domain format: '{domain}'. Use a hostname like www.example.com", "danger")
+        return redirect(url_for("ui.website_domains_dashboard"))
+
     if not bucket:
         if _wants_json():
             return jsonify({"error": "Bucket is required"}), 400
@@ -2446,6 +2461,7 @@ def update_website_domain(domain: str):
         flash("Access denied", "danger")
         return redirect(url_for("ui.website_domains_dashboard"))
 
+    domain = normalize_domain(domain)
     bucket = (request.form.get("bucket") or "").strip()
     if not bucket:
         if _wants_json():
@@ -2461,9 +2477,14 @@ def update_website_domain(domain: str):
         return redirect(url_for("ui.website_domains_dashboard"))
 
     store = current_app.extensions.get("website_domains")
+    if not store.get_bucket(domain):
+        if _wants_json():
+            return jsonify({"error": f"No mapping for domain '{domain}'"}), 404
+        flash(f"No mapping for domain '{domain}'", "danger")
+        return redirect(url_for("ui.website_domains_dashboard"))
     store.set_mapping(domain, bucket)
     if _wants_json():
-        return jsonify({"success": True, "domain": domain.lower(), "bucket": bucket})
+        return jsonify({"success": True, "domain": domain, "bucket": bucket})
     flash(f"Domain '{domain}' updated to bucket '{bucket}'", "success")
     return redirect(url_for("ui.website_domains_dashboard"))
 
@@ -2479,6 +2500,7 @@ def delete_website_domain(domain: str):
         flash("Access denied", "danger")
         return redirect(url_for("ui.website_domains_dashboard"))
 
+    domain = normalize_domain(domain)
     store = current_app.extensions.get("website_domains")
     if not store.delete_mapping(domain):
         if _wants_json():
@@ -3278,9 +3300,12 @@ def sites_dashboard():
 @ui_bp.post("/sites/local")
 def update_local_site():
     principal = _current_principal()
+    wants_json = request.headers.get("X-Requested-With") == "XMLHttpRequest"
     try:
         _iam().authorize(principal, None, "iam:*")
     except IamError:
+        if wants_json:
+            return jsonify({"error": "Access denied"}), 403
         flash("Access denied", "danger")
         return redirect(url_for("ui.sites_dashboard"))
 
@@ -3291,6 +3316,8 @@ def update_local_site():
     display_name = request.form.get("display_name", "").strip()
 
     if not site_id:
+        if wants_json:
+            return jsonify({"error": "Site ID is required"}), 400
         flash("Site ID is required", "danger")
         return redirect(url_for("ui.sites_dashboard"))
 
@@ -3312,6 +3339,8 @@ def update_local_site():
     )
     registry.set_local_site(site)
 
+    if wants_json:
+        return jsonify({"message": "Local site configuration updated"})
     flash("Local site configuration updated", "success")
     return redirect(url_for("ui.sites_dashboard"))
 
@@ -3319,9 +3348,12 @@ def update_local_site():
 @ui_bp.post("/sites/peers")
 def add_peer_site():
     principal = _current_principal()
+    wants_json = request.headers.get("X-Requested-With") == "XMLHttpRequest"
     try:
         _iam().authorize(principal, None, "iam:*")
     except IamError:
+        if wants_json:
+            return jsonify({"error": "Access denied"}), 403
         flash("Access denied", "danger")
         return redirect(url_for("ui.sites_dashboard"))
 
@@ -3333,9 +3365,13 @@ def add_peer_site():
     connection_id = request.form.get("connection_id", "").strip() or None
 
     if not site_id:
+        if wants_json:
+            return jsonify({"error": "Site ID is required"}), 400
         flash("Site ID is required", "danger")
         return redirect(url_for("ui.sites_dashboard"))
     if not endpoint:
+        if wants_json:
+            return jsonify({"error": "Endpoint is required"}), 400
         flash("Endpoint is required", "danger")
         return redirect(url_for("ui.sites_dashboard"))
 
@@ -3347,10 +3383,14 @@ def add_peer_site():
     registry = _site_registry()
 
     if registry.get_peer(site_id):
+        if wants_json:
+            return jsonify({"error": f"Peer site '{site_id}' already exists"}), 409
         flash(f"Peer site '{site_id}' already exists", "danger")
         return redirect(url_for("ui.sites_dashboard"))
 
     if connection_id and not _connections().get(connection_id):
+        if wants_json:
+            return jsonify({"error": f"Connection '{connection_id}' not found"}), 404
         flash(f"Connection '{connection_id}' not found", "danger")
         return redirect(url_for("ui.sites_dashboard"))
 
@@ -3364,6 +3404,11 @@ def add_peer_site():
     )
     registry.add_peer(peer)
 
+    if wants_json:
+        redirect_url = None
+        if connection_id:
+            redirect_url = url_for("ui.replication_wizard", site_id=site_id)
+        return jsonify({"message": f"Peer site '{site_id}' added", "redirect": redirect_url})
     flash(f"Peer site '{site_id}' added", "success")
 
     if connection_id:
@@ -3374,9 +3419,12 @@ def add_peer_site():
 @ui_bp.post("/sites/peers/<site_id>/update")
 def update_peer_site(site_id: str):
     principal = _current_principal()
+    wants_json = request.headers.get("X-Requested-With") == "XMLHttpRequest"
     try:
         _iam().authorize(principal, None, "iam:*")
     except IamError:
+        if wants_json:
+            return jsonify({"error": "Access denied"}), 403
         flash("Access denied", "danger")
         return redirect(url_for("ui.sites_dashboard"))
 
@@ -3384,6 +3432,8 @@ def update_peer_site(site_id: str):
     existing = registry.get_peer(site_id)
 
     if not existing:
+        if wants_json:
+            return jsonify({"error": f"Peer site '{site_id}' not found"}), 404
         flash(f"Peer site '{site_id}' not found", "danger")
         return redirect(url_for("ui.sites_dashboard"))
 
@@ -3391,7 +3441,10 @@ def update_peer_site(site_id: str):
     region = request.form.get("region", existing.region).strip()
     priority = request.form.get("priority", str(existing.priority))
     display_name = request.form.get("display_name", existing.display_name).strip()
-    connection_id = request.form.get("connection_id", "").strip() or existing.connection_id
+    if "connection_id" in request.form:
+        connection_id = request.form["connection_id"].strip() or None
+    else:
+        connection_id = existing.connection_id
 
     try:
         priority_int = int(priority)
@@ -3399,6 +3452,8 @@ def update_peer_site(site_id: str):
         priority_int = existing.priority
 
     if connection_id and not _connections().get(connection_id):
+        if wants_json:
+            return jsonify({"error": f"Connection '{connection_id}' not found"}), 404
         flash(f"Connection '{connection_id}' not found", "danger")
         return redirect(url_for("ui.sites_dashboard"))
 
@@ -3415,6 +3470,8 @@ def update_peer_site(site_id: str):
     )
     registry.update_peer(peer)
 
+    if wants_json:
+        return jsonify({"message": f"Peer site '{site_id}' updated"})
     flash(f"Peer site '{site_id}' updated", "success")
     return redirect(url_for("ui.sites_dashboard"))
 
@@ -3422,16 +3479,23 @@ def update_peer_site(site_id: str):
 @ui_bp.post("/sites/peers/<site_id>/delete")
 def delete_peer_site(site_id: str):
     principal = _current_principal()
+    wants_json = request.headers.get("X-Requested-With") == "XMLHttpRequest"
     try:
         _iam().authorize(principal, None, "iam:*")
     except IamError:
+        if wants_json:
+            return jsonify({"error": "Access denied"}), 403
         flash("Access denied", "danger")
         return redirect(url_for("ui.sites_dashboard"))
 
     registry = _site_registry()
     if registry.delete_peer(site_id):
+        if wants_json:
+            return jsonify({"message": f"Peer site '{site_id}' deleted"})
         flash(f"Peer site '{site_id}' deleted", "success")
     else:
+        if wants_json:
+            return jsonify({"error": f"Peer site '{site_id}' not found"}), 404
         flash(f"Peer site '{site_id}' not found", "danger")
 
     return redirect(url_for("ui.sites_dashboard"))

app/version.py

@@ -1,6 +1,6 @@
 from __future__ import annotations
 
-APP_VERSION = "0.2.9"
+APP_VERSION = "0.3.0"
 
 
 def get_version() -> str:

app/website_domains.py

@@ -1,23 +1,50 @@
 from __future__ import annotations
 
 import json
+import re
 import threading
 from pathlib import Path
 from typing import Dict, List, Optional
 
+_DOMAIN_RE = re.compile(
+    r"^(?!-)[a-z0-9]([a-z0-9-]*[a-z0-9])?(\.[a-z0-9]([a-z0-9-]*[a-z0-9])?)*$"
+)
+
+
+def normalize_domain(raw: str) -> str:
+    raw = raw.strip().lower()
+    for prefix in ("https://", "http://"):
+        if raw.startswith(prefix):
+            raw = raw[len(prefix):]
+    raw = raw.split("/", 1)[0]
+    raw = raw.split("?", 1)[0]
+    raw = raw.split("#", 1)[0]
+    if ":" in raw:
+        raw = raw.rsplit(":", 1)[0]
+    return raw
+
+
+def is_valid_domain(domain: str) -> bool:
+    if not domain or len(domain) > 253:
+        return False
+    return bool(_DOMAIN_RE.match(domain))
+
 
 class WebsiteDomainStore:
     def __init__(self, config_path: Path) -> None:
         self.config_path = config_path
         self._lock = threading.Lock()
         self._domains: Dict[str, str] = {}
+        self._last_mtime: float = 0.0
         self.reload()
 
     def reload(self) -> None:
         if not self.config_path.exists():
             self._domains = {}
+            self._last_mtime = 0.0
             return
         try:
+            self._last_mtime = self.config_path.stat().st_mtime
             with open(self.config_path, "r", encoding="utf-8") as f:
                 data = json.load(f)
                 if isinstance(data, dict):
@@ -27,19 +54,45 @@ class WebsiteDomainStore:
         except (OSError, json.JSONDecodeError):
             self._domains = {}
 
+    def _maybe_reload(self) -> None:
+        try:
+            if self.config_path.exists():
+                mtime = self.config_path.stat().st_mtime
+                if mtime != self._last_mtime:
+                    self._last_mtime = mtime
+                    with open(self.config_path, "r", encoding="utf-8") as f:
+                        data = json.load(f)
+                    if isinstance(data, dict):
+                        self._domains = {k.lower(): v for k, v in data.items()}
+                    else:
+                        self._domains = {}
+            elif self._domains:
+                self._domains = {}
+                self._last_mtime = 0.0
+        except (OSError, json.JSONDecodeError):
+            pass
+
     def _save(self) -> None:
         self.config_path.parent.mkdir(parents=True, exist_ok=True)
         with open(self.config_path, "w", encoding="utf-8") as f:
             json.dump(self._domains, f, indent=2)
+        self._last_mtime = self.config_path.stat().st_mtime
 
     def list_all(self) -> List[Dict[str, str]]:
         with self._lock:
+            self._maybe_reload()
             return [{"domain": d, "bucket": b} for d, b in self._domains.items()]
 
     def get_bucket(self, domain: str) -> Optional[str]:
         with self._lock:
+            self._maybe_reload()
             return self._domains.get(domain.lower())
 
+    def get_domains_for_bucket(self, bucket: str) -> List[str]:
+        with self._lock:
+            self._maybe_reload()
+            return [d for d, b in self._domains.items() if b == bucket]
+
     def set_mapping(self, domain: str, bucket: str) -> None:
         with self._lock:
             self._domains[domain.lower()] = bucket

myfsio_core/Cargo.toml

@@ -0,0 +1,21 @@
+[package]
+name = "myfsio_core"
+version = "0.1.0"
+edition = "2021"
+
+[lib]
+name = "myfsio_core"
+crate-type = ["cdylib"]
+
+[dependencies]
+pyo3 = { version = "0.28", features = ["extension-module"] }
+hmac = "0.12"
+sha2 = "0.10"
+md-5 = "0.10"
+hex = "0.4"
+unicode-normalization = "0.1"
+serde_json = "1"
+regex = "1"
+lru = "0.14"
+parking_lot = "0.12"
+percent-encoding = "2"

myfsio_core/pyproject.toml

@@ -0,0 +1,11 @@
+[build-system]
+requires = ["maturin>=1.0,<2.0"]
+build-backend = "maturin"
+
+[project]
+name = "myfsio_core"
+version = "0.1.0"
+requires-python = ">=3.10"
+
+[tool.maturin]
+features = ["pyo3/extension-module"]

myfsio_core/src/hashing.rs

@@ -0,0 +1,90 @@
+use md5::{Digest, Md5};
+use pyo3::exceptions::PyIOError;
+use pyo3::prelude::*;
+use sha2::Sha256;
+use std::fs::File;
+use std::io::Read;
+
+const CHUNK_SIZE: usize = 65536;
+
+#[pyfunction]
+pub fn md5_file(py: Python<'_>, path: &str) -> PyResult<String> {
+    let path = path.to_owned();
+    py.detach(move || {
+        let mut file = File::open(&path)
+            .map_err(|e| PyIOError::new_err(format!("Failed to open file: {}", e)))?;
+        let mut hasher = Md5::new();
+        let mut buf = vec![0u8; CHUNK_SIZE];
+        loop {
+            let n = file
+                .read(&mut buf)
+                .map_err(|e| PyIOError::new_err(format!("Failed to read file: {}", e)))?;
+            if n == 0 {
+                break;
+            }
+            hasher.update(&buf[..n]);
+        }
+        Ok(format!("{:x}", hasher.finalize()))
+    })
+}
+
+#[pyfunction]
+pub fn md5_bytes(data: &[u8]) -> String {
+    let mut hasher = Md5::new();
+    hasher.update(data);
+    format!("{:x}", hasher.finalize())
+}
+
+#[pyfunction]
+pub fn sha256_file(py: Python<'_>, path: &str) -> PyResult<String> {
+    let path = path.to_owned();
+    py.detach(move || {
+        let mut file = File::open(&path)
+            .map_err(|e| PyIOError::new_err(format!("Failed to open file: {}", e)))?;
+        let mut hasher = Sha256::new();
+        let mut buf = vec![0u8; CHUNK_SIZE];
+        loop {
+            let n = file
+                .read(&mut buf)
+                .map_err(|e| PyIOError::new_err(format!("Failed to read file: {}", e)))?;
+            if n == 0 {
+                break;
+            }
+            hasher.update(&buf[..n]);
+        }
+        Ok(format!("{:x}", hasher.finalize()))
+    })
+}
+
+#[pyfunction]
+pub fn sha256_bytes(data: &[u8]) -> String {
+    let mut hasher = Sha256::new();
+    hasher.update(data);
+    format!("{:x}", hasher.finalize())
+}
+
+#[pyfunction]
+pub fn md5_sha256_file(py: Python<'_>, path: &str) -> PyResult<(String, String)> {
+    let path = path.to_owned();
+    py.detach(move || {
+        let mut file = File::open(&path)
+            .map_err(|e| PyIOError::new_err(format!("Failed to open file: {}", e)))?;
+        let mut md5_hasher = Md5::new();
+        let mut sha_hasher = Sha256::new();
+        let mut buf = vec![0u8; CHUNK_SIZE];
+        loop {
+            let n = file
+                .read(&mut buf)
+                .map_err(|e| PyIOError::new_err(format!("Failed to read file: {}", e)))?;
+            if n == 0 {
+                break;
+            }
+            md5_hasher.update(&buf[..n]);
+            sha_hasher.update(&buf[..n]);
+        }
+        Ok((
+            format!("{:x}", md5_hasher.finalize()),
+            format!("{:x}", sha_hasher.finalize()),
+        ))
+    })
+}

myfsio_core/src/lib.rs

@@ -0,0 +1,34 @@
+mod hashing;
+mod metadata;
+mod sigv4;
+mod validation;
+
+use pyo3::prelude::*;
+
+#[pymodule]
+mod myfsio_core {
+    use super::*;
+
+    #[pymodule_init]
+    fn init(m: &Bound<'_, PyModule>) -> PyResult<()> {
+        m.add_function(wrap_pyfunction!(sigv4::verify_sigv4_signature, m)?)?;
+        m.add_function(wrap_pyfunction!(sigv4::derive_signing_key, m)?)?;
+        m.add_function(wrap_pyfunction!(sigv4::compute_signature, m)?)?;
+        m.add_function(wrap_pyfunction!(sigv4::build_string_to_sign, m)?)?;
+        m.add_function(wrap_pyfunction!(sigv4::constant_time_compare, m)?)?;
+        m.add_function(wrap_pyfunction!(sigv4::clear_signing_key_cache, m)?)?;
+
+        m.add_function(wrap_pyfunction!(hashing::md5_file, m)?)?;
+        m.add_function(wrap_pyfunction!(hashing::md5_bytes, m)?)?;
+        m.add_function(wrap_pyfunction!(hashing::sha256_file, m)?)?;
+        m.add_function(wrap_pyfunction!(hashing::sha256_bytes, m)?)?;
+        m.add_function(wrap_pyfunction!(hashing::md5_sha256_file, m)?)?;
+
+        m.add_function(wrap_pyfunction!(validation::validate_object_key, m)?)?;
+        m.add_function(wrap_pyfunction!(validation::validate_bucket_name, m)?)?;
+
+        m.add_function(wrap_pyfunction!(metadata::read_index_entry, m)?)?;
+
+        Ok(())
+    }
+}

myfsio_core/src/metadata.rs

@@ -0,0 +1,71 @@
+use pyo3::exceptions::PyValueError;
+use pyo3::prelude::*;
+use pyo3::types::{PyDict, PyList, PyString};
+use serde_json::Value;
+use std::fs;
+
+const MAX_DEPTH: u32 = 64;
+
+fn value_to_py(py: Python<'_>, v: &Value, depth: u32) -> PyResult<Py<PyAny>> {
+    if depth > MAX_DEPTH {
+        return Err(PyValueError::new_err("JSON nesting too deep"));
+    }
+    match v {
+        Value::Null => Ok(py.None()),
+        Value::Bool(b) => Ok((*b).into_pyobject(py)?.to_owned().into_any().unbind()),
+        Value::Number(n) => {
+            if let Some(i) = n.as_i64() {
+                Ok(i.into_pyobject(py)?.into_any().unbind())
+            } else if let Some(f) = n.as_f64() {
+                Ok(f.into_pyobject(py)?.into_any().unbind())
+            } else {
+                Ok(py.None())
+            }
+        }
+        Value::String(s) => Ok(PyString::new(py, s).into_any().unbind()),
+        Value::Array(arr) => {
+            let list = PyList::empty(py);
+            for item in arr {
+                list.append(value_to_py(py, item, depth + 1)?)?;
+            }
+            Ok(list.into_any().unbind())
+        }
+        Value::Object(map) => {
+            let dict = PyDict::new(py);
+            for (k, val) in map {
+                dict.set_item(k, value_to_py(py, val, depth + 1)?)?;
+            }
+            Ok(dict.into_any().unbind())
+        }
+    }
+}
+
+#[pyfunction]
+pub fn read_index_entry(
+    py: Python<'_>,
+    path: &str,
+    entry_name: &str,
+) -> PyResult<Option<Py<PyAny>>> {
+    let path_owned = path.to_owned();
+    let entry_owned = entry_name.to_owned();
+
+    let entry: Option<Value> = py.detach(move || -> PyResult<Option<Value>> {
+        let content = match fs::read_to_string(&path_owned) {
+            Ok(c) => c,
+            Err(_) => return Ok(None),
+        };
+        let parsed: Value = match serde_json::from_str(&content) {
+            Ok(v) => v,
+            Err(_) => return Ok(None),
+        };
+        match parsed {
+            Value::Object(mut map) => Ok(map.remove(&entry_owned)),
+            _ => Ok(None),
+        }
+    })?;
+
+    match entry {
+        Some(val) => Ok(Some(value_to_py(py, &val, 0)?)),
+        None => Ok(None),
+    }
+}

myfsio_core/src/sigv4.rs

@@ -0,0 +1,193 @@
+use hmac::{Hmac, Mac};
+use lru::LruCache;
+use parking_lot::Mutex;
+use percent_encoding::{percent_encode, AsciiSet, NON_ALPHANUMERIC};
+use pyo3::prelude::*;
+use sha2::{Digest, Sha256};
+use std::num::NonZeroUsize;
+use std::sync::LazyLock;
+use std::time::Instant;
+
+type HmacSha256 = Hmac<Sha256>;
+
+struct CacheEntry {
+    key: Vec<u8>,
+    created: Instant,
+}
+
+static SIGNING_KEY_CACHE: LazyLock<Mutex<LruCache<(String, String, String, String), CacheEntry>>> =
+    LazyLock::new(|| Mutex::new(LruCache::new(NonZeroUsize::new(256).unwrap())));
+
+const CACHE_TTL_SECS: u64 = 60;
+
+const AWS_ENCODE_SET: &AsciiSet = &NON_ALPHANUMERIC
+    .remove(b'-')
+    .remove(b'_')
+    .remove(b'.')
+    .remove(b'~');
+
+fn hmac_sha256(key: &[u8], msg: &[u8]) -> Vec<u8> {
+    let mut mac = HmacSha256::new_from_slice(key).expect("HMAC key length is always valid");
+    mac.update(msg);
+    mac.finalize().into_bytes().to_vec()
+}
+
+fn sha256_hex(data: &[u8]) -> String {
+    let mut hasher = Sha256::new();
+    hasher.update(data);
+    hex::encode(hasher.finalize())
+}
+
+fn aws_uri_encode(input: &str) -> String {
+    percent_encode(input.as_bytes(), AWS_ENCODE_SET).to_string()
+}
+
+fn derive_signing_key_cached(
+    secret_key: &str,
+    date_stamp: &str,
+    region: &str,
+    service: &str,
+) -> Vec<u8> {
+    let cache_key = (
+        secret_key.to_owned(),
+        date_stamp.to_owned(),
+        region.to_owned(),
+        service.to_owned(),
+    );
+
+    {
+        let mut cache = SIGNING_KEY_CACHE.lock();
+        if let Some(entry) = cache.get(&cache_key) {
+            if entry.created.elapsed().as_secs() < CACHE_TTL_SECS {
+                return entry.key.clone();
+            }
+            cache.pop(&cache_key);
+        }
+    }
+
+    let k_date = hmac_sha256(format!("AWS4{}", secret_key).as_bytes(), date_stamp.as_bytes());
+    let k_region = hmac_sha256(&k_date, region.as_bytes());
+    let k_service = hmac_sha256(&k_region, service.as_bytes());
+    let k_signing = hmac_sha256(&k_service, b"aws4_request");
+
+    {
+        let mut cache = SIGNING_KEY_CACHE.lock();
+        cache.put(
+            cache_key,
+            CacheEntry {
+                key: k_signing.clone(),
+                created: Instant::now(),
+            },
+        );
+    }
+
+    k_signing
+}
+
+fn constant_time_compare_inner(a: &[u8], b: &[u8]) -> bool {
+    if a.len() != b.len() {
+        return false;
+    }
+    let mut result: u8 = 0;
+    for (x, y) in a.iter().zip(b.iter()) {
+        result |= x ^ y;
+    }
+    result == 0
+}
+
+#[pyfunction]
+pub fn verify_sigv4_signature(
+    method: &str,
+    canonical_uri: &str,
+    query_params: Vec<(String, String)>,
+    signed_headers_str: &str,
+    header_values: Vec<(String, String)>,
+    payload_hash: &str,
+    amz_date: &str,
+    date_stamp: &str,
+    region: &str,
+    service: &str,
+    secret_key: &str,
+    provided_signature: &str,
+) -> bool {
+    let mut sorted_params = query_params;
+    sorted_params.sort_by(|a, b| a.0.cmp(&b.0).then_with(|| a.1.cmp(&b.1)));
+
+    let canonical_query_string = sorted_params
+        .iter()
+        .map(|(k, v)| format!("{}={}", aws_uri_encode(k), aws_uri_encode(v)))
+        .collect::<Vec<_>>()
+        .join("&");
+
+    let mut canonical_headers = String::new();
+    for (name, value) in &header_values {
+        let lower_name = name.to_lowercase();
+        let normalized = value.split_whitespace().collect::<Vec<_>>().join(" ");
+        let final_value = if lower_name == "expect" && normalized.is_empty() {
+            "100-continue"
+        } else {
+            &normalized
+        };
+        canonical_headers.push_str(&lower_name);
+        canonical_headers.push(':');
+        canonical_headers.push_str(final_value);
+        canonical_headers.push('\n');
+    }
+
+    let canonical_request = format!(
+        "{}\n{}\n{}\n{}\n{}\n{}",
+        method, canonical_uri, canonical_query_string, canonical_headers, signed_headers_str, payload_hash
+    );
+
+    let credential_scope = format!("{}/{}/{}/aws4_request", date_stamp, region, service);
+    let cr_hash = sha256_hex(canonical_request.as_bytes());
+    let string_to_sign = format!(
+        "AWS4-HMAC-SHA256\n{}\n{}\n{}",
+        amz_date, credential_scope, cr_hash
+    );
+
+    let signing_key = derive_signing_key_cached(secret_key, date_stamp, region, service);
+    let calculated = hmac_sha256(&signing_key, string_to_sign.as_bytes());
+    let calculated_hex = hex::encode(&calculated);
+
+    constant_time_compare_inner(calculated_hex.as_bytes(), provided_signature.as_bytes())
+}
+
+#[pyfunction]
+pub fn derive_signing_key(
+    secret_key: &str,
+    date_stamp: &str,
+    region: &str,
+    service: &str,
+) -> Vec<u8> {
+    derive_signing_key_cached(secret_key, date_stamp, region, service)
+}
+
+#[pyfunction]
+pub fn compute_signature(signing_key: &[u8], string_to_sign: &str) -> String {
+    let sig = hmac_sha256(signing_key, string_to_sign.as_bytes());
+    hex::encode(sig)
+}
+
+#[pyfunction]
+pub fn build_string_to_sign(
+    amz_date: &str,
+    credential_scope: &str,
+    canonical_request: &str,
+) -> String {
+    let cr_hash = sha256_hex(canonical_request.as_bytes());
+    format!(
+        "AWS4-HMAC-SHA256\n{}\n{}\n{}",
+        amz_date, credential_scope, cr_hash
+    )
+}
+
+#[pyfunction]
+pub fn constant_time_compare(a: &str, b: &str) -> bool {
+    constant_time_compare_inner(a.as_bytes(), b.as_bytes())
+}
+
+#[pyfunction]
+pub fn clear_signing_key_cache() {
+    SIGNING_KEY_CACHE.lock().clear();
+}

myfsio_core/src/validation.rs

@@ -0,0 +1,149 @@
+use pyo3::prelude::*;
+use std::sync::LazyLock;
+use unicode_normalization::UnicodeNormalization;
+
+const WINDOWS_RESERVED: &[&str] = &[
+    "CON", "PRN", "AUX", "NUL", "COM0", "COM1", "COM2", "COM3", "COM4", "COM5", "COM6", "COM7",
+    "COM8", "COM9", "LPT0", "LPT1", "LPT2", "LPT3", "LPT4", "LPT5", "LPT6", "LPT7", "LPT8",
+    "LPT9",
+];
+
+const WINDOWS_ILLEGAL_CHARS: &[char] = &['<', '>', ':', '"', '/', '\\', '|', '?', '*'];
+
+const INTERNAL_FOLDERS: &[&str] = &[".meta", ".versions", ".multipart"];
+const SYSTEM_ROOT: &str = ".myfsio.sys";
+
+static IP_REGEX: LazyLock<regex::Regex> =
+    LazyLock::new(|| regex::Regex::new(r"^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$").unwrap());
+
+#[pyfunction]
+#[pyo3(signature = (object_key, max_length_bytes=1024, is_windows=false, reserved_prefixes=None))]
+pub fn validate_object_key(
+    object_key: &str,
+    max_length_bytes: usize,
+    is_windows: bool,
+    reserved_prefixes: Option<Vec<String>>,
+) -> PyResult<Option<String>> {
+    if object_key.is_empty() {
+        return Ok(Some("Object key required".to_string()));
+    }
+
+    if object_key.contains('\0') {
+        return Ok(Some("Object key contains null bytes".to_string()));
+    }
+
+    let normalized: String = object_key.nfc().collect();
+
+    if normalized.len() > max_length_bytes {
+        return Ok(Some(format!(
+            "Object key exceeds maximum length of {} bytes",
+            max_length_bytes
+        )));
+    }
+
+    if normalized.starts_with('/') || normalized.starts_with('\\') {
+        return Ok(Some("Object key cannot start with a slash".to_string()));
+    }
+
+    let parts: Vec<&str> = if cfg!(windows) || is_windows {
+        normalized.split(['/', '\\']).collect()
+    } else {
+        normalized.split('/').collect()
+    };
+
+    for part in &parts {
+        if part.is_empty() {
+            continue;
+        }
+
+        if *part == ".." {
+            return Ok(Some(
+                "Object key contains parent directory references".to_string(),
+            ));
+        }
+
+        if *part == "." {
+            return Ok(Some("Object key contains invalid segments".to_string()));
+        }
+
+        if part.chars().any(|c| (c as u32) < 32) {
+            return Ok(Some(
+                "Object key contains control characters".to_string(),
+            ));
+        }
+
+        if is_windows {
+            if part.chars().any(|c| WINDOWS_ILLEGAL_CHARS.contains(&c)) {
+                return Ok(Some(
+                    "Object key contains characters not supported on Windows filesystems"
+                        .to_string(),
+                ));
+            }
+            if part.ends_with(' ') || part.ends_with('.') {
+                return Ok(Some(
+                    "Object key segments cannot end with spaces or periods on Windows".to_string(),
+                ));
+            }
+            let trimmed = part.trim_end_matches(['.', ' ']).to_uppercase();
+            if WINDOWS_RESERVED.contains(&trimmed.as_str()) {
+                return Ok(Some(format!("Invalid filename segment: {}", part)));
+            }
+        }
+    }
+
+    let non_empty_parts: Vec<&str> = parts.iter().filter(|p| !p.is_empty()).copied().collect();
+    if let Some(top) = non_empty_parts.first() {
+        if INTERNAL_FOLDERS.contains(top) || *top == SYSTEM_ROOT {
+            return Ok(Some("Object key uses a reserved prefix".to_string()));
+        }
+
+        if let Some(ref prefixes) = reserved_prefixes {
+            for prefix in prefixes {
+                if *top == prefix.as_str() {
+                    return Ok(Some("Object key uses a reserved prefix".to_string()));
+                }
+            }
+        }
+    }
+
+    Ok(None)
+}
+
+#[pyfunction]
+pub fn validate_bucket_name(bucket_name: &str) -> Option<String> {
+    let len = bucket_name.len();
+    if len < 3 || len > 63 {
+        return Some("Bucket name must be between 3 and 63 characters".to_string());
+    }
+
+    let bytes = bucket_name.as_bytes();
+    if !bytes[0].is_ascii_lowercase() && !bytes[0].is_ascii_digit() {
+        return Some(
+            "Bucket name must start and end with a lowercase letter or digit".to_string(),
+        );
+    }
+    if !bytes[len - 1].is_ascii_lowercase() && !bytes[len - 1].is_ascii_digit() {
+        return Some(
+            "Bucket name must start and end with a lowercase letter or digit".to_string(),
+        );
+    }
+
+    for &b in bytes {
+        if !b.is_ascii_lowercase() && !b.is_ascii_digit() && b != b'.' && b != b'-' {
+            return Some(
+                "Bucket name can only contain lowercase letters, digits, dots, and hyphens"
+                    .to_string(),
+            );
+        }
+    }
+
+    if bucket_name.contains("..") {
+        return Some("Bucket name must not contain consecutive periods".to_string());
+    }
+
+    if IP_REGEX.is_match(bucket_name) {
+        return Some("Bucket name must not be formatted as an IP address".to_string());
+    }
+
+    None
+}

static/css/main.css

@@ -1151,17 +1151,123 @@ html.sidebar-will-collapse .sidebar-user {
 }
 
 .iam-user-card {
-	border: 1px solid var(--myfsio-card-border);
+	position: relative;
-	border-radius: 0.75rem;
+	border: 1px solid var(--myfsio-card-border) !important;
-	transition: box-shadow 0.2s ease, transform 0.2s ease;
+	border-radius: 1rem !important;
+	overflow: hidden;
+	transition: all 0.2s cubic-bezier(0.4, 0, 0.2, 1);
+}
+
+.iam-user-card::before {
+	content: '';
+	position: absolute;
+	top: 0;
+	left: 0;
+	right: 0;
+	height: 4px;
+	background: linear-gradient(90deg, #3b82f6, #8b5cf6);
+	opacity: 0;
+	transition: opacity 0.2s ease;
 }
 
 .iam-user-card:hover {
-	box-shadow: 0 4px 12px rgba(0, 0, 0, 0.1);
+	transform: translateY(-2px);
+	box-shadow: 0 8px 24px -4px rgba(0, 0, 0, 0.12), 0 4px 8px -4px rgba(0, 0, 0, 0.08);
+	border-color: var(--myfsio-accent) !important;
+}
+
+.iam-user-card:hover::before {
+	opacity: 1;
 }
 
 [data-theme='dark'] .iam-user-card:hover {
-	box-shadow: 0 4px 12px rgba(0, 0, 0, 0.3);
+	box-shadow: 0 8px 24px -4px rgba(0, 0, 0, 0.4), 0 4px 8px -4px rgba(0, 0, 0, 0.3);
+}
+
+.iam-admin-card::before {
+	background: linear-gradient(90deg, #f59e0b, #ef4444);
+}
+
+.iam-role-badge {
+	display: inline-flex;
+	align-items: center;
+	padding: 0.25em 0.65em;
+	border-radius: 999px;
+	font-size: 0.7rem;
+	font-weight: 600;
+	text-transform: uppercase;
+	letter-spacing: 0.03em;
+}
+
+.iam-role-admin {
+	background: rgba(245, 158, 11, 0.15);
+	color: #d97706;
+}
+
+[data-theme='dark'] .iam-role-admin {
+	background: rgba(245, 158, 11, 0.25);
+	color: #fbbf24;
+}
+
+.iam-role-user {
+	background: rgba(59, 130, 246, 0.12);
+	color: #2563eb;
+}
+
+[data-theme='dark'] .iam-role-user {
+	background: rgba(59, 130, 246, 0.2);
+	color: #60a5fa;
+}
+
+.iam-perm-badge {
+	display: inline-flex;
+	align-items: center;
+	gap: 0.25rem;
+	padding: 0.3em 0.6em;
+	border-radius: 999px;
+	font-size: 0.75rem;
+	font-weight: 500;
+	background: rgba(59, 130, 246, 0.08);
+	color: var(--myfsio-text);
+	border: 1px solid rgba(59, 130, 246, 0.15);
+}
+
+[data-theme='dark'] .iam-perm-badge {
+	background: rgba(59, 130, 246, 0.15);
+	border-color: rgba(59, 130, 246, 0.25);
+}
+
+.iam-copy-key {
+	display: inline-flex;
+	align-items: center;
+	justify-content: center;
+	width: 22px;
+	height: 22px;
+	padding: 0;
+	border: none;
+	background: transparent;
+	color: var(--myfsio-muted);
+	border-radius: 4px;
+	cursor: pointer;
+	transition: all 0.15s ease;
+	flex-shrink: 0;
+}
+
+.iam-copy-key:hover {
+	background: var(--myfsio-hover-bg);
+	color: var(--myfsio-text);
+}
+
+.iam-no-results {
+	text-align: center;
+	padding: 2rem 1rem;
+	color: var(--myfsio-muted);
+}
+
+@media (max-width: 768px) {
+	.iam-user-card:hover {
+		transform: none;
+	}
 }
 
 .user-avatar-lg {
@@ -2819,6 +2925,112 @@ body:has(.login-card) .main-wrapper {
 	padding-top: 0 !important;
 }
 
+.context-menu {
+	position: fixed;
+	z-index: 1060;
+	min-width: 180px;
+	background: var(--myfsio-card-bg);
+	border: 1px solid var(--myfsio-card-border);
+	border-radius: 0.5rem;
+	box-shadow: 0 10px 25px -5px rgba(0, 0, 0, 0.15), 0 8px 10px -6px rgba(0, 0, 0, 0.1);
+	padding: 0.25rem 0;
+	font-size: 0.875rem;
+}
+
+[data-theme='dark'] .context-menu {
+	box-shadow: 0 10px 25px -5px rgba(0, 0, 0, 0.4), 0 8px 10px -6px rgba(0, 0, 0, 0.3);
+}
+
+.context-menu-item {
+	display: flex;
+	align-items: center;
+	gap: 0.625rem;
+	padding: 0.5rem 0.875rem;
+	color: var(--myfsio-text);
+	cursor: pointer;
+	transition: background-color 0.1s ease;
+	border: none;
+	background: none;
+	width: 100%;
+	text-align: left;
+	font-size: inherit;
+}
+
+.context-menu-item:hover {
+	background-color: var(--myfsio-hover-bg);
+}
+
+.context-menu-item.text-danger:hover {
+	background-color: rgba(239, 68, 68, 0.1);
+}
+
+.context-menu-divider {
+	height: 1px;
+	background: var(--myfsio-card-border);
+	margin: 0.25rem 0;
+}
+
+.context-menu-shortcut {
+	margin-left: auto;
+	font-size: 0.75rem;
+	color: var(--myfsio-muted);
+}
+
+.kbd-shortcuts-list {
+	display: flex;
+	flex-direction: column;
+	gap: 0.5rem;
+}
+
+.kbd-shortcuts-list .shortcut-row {
+	display: flex;
+	align-items: center;
+	justify-content: space-between;
+	padding: 0.375rem 0;
+}
+
+.kbd-shortcuts-list kbd {
+	display: inline-flex;
+	align-items: center;
+	justify-content: center;
+	min-width: 1.75rem;
+	padding: 0.2rem 0.5rem;
+	font-family: inherit;
+	font-size: 0.75rem;
+	font-weight: 600;
+	background: var(--myfsio-preview-bg);
+	border: 1px solid var(--myfsio-card-border);
+	border-radius: 0.25rem;
+	box-shadow: 0 1px 0 1px rgba(0, 0, 0, 0.05);
+	color: var(--myfsio-text);
+}
+
+[data-theme='dark'] .kbd-shortcuts-list kbd {
+	background: rgba(255, 255, 255, 0.1);
+	box-shadow: 0 1px 0 1px rgba(0, 0, 0, 0.2);
+}
+
+.sort-dropdown .dropdown-item.active,
+.sort-dropdown .dropdown-item:active {
+	background-color: var(--myfsio-hover-bg);
+	color: var(--myfsio-text);
+}
+
+.sort-dropdown .dropdown-item {
+	font-size: 0.875rem;
+	padding: 0.375rem 1rem;
+}
+
+@media (prefers-reduced-motion: reduce) {
+	*,
+	*::before,
+	*::after {
+		animation-duration: 0.01ms !important;
+		animation-iteration-count: 1 !important;
+		transition-duration: 0.01ms !important;
+	}
+}
+
 @media print {
 	.sidebar,
 	.mobile-header {

static/js/bucket-detail-main.js

@@ -162,6 +162,8 @@
   let isLoadingObjects = false;
   let hasMoreObjects = false;
   let currentFilterTerm = '';
+  let currentSortField = 'name';
+  let currentSortDir = 'asc';
   let pageSize = 5000;
   let currentPrefix = '';
   let allObjects = [];
@@ -348,14 +350,18 @@
     const currentInputs = {
       objectCount: allObjects.length,
       prefix: currentPrefix,
-      filterTerm: currentFilterTerm
+      filterTerm: currentFilterTerm,
+      sortField: currentSortField,
+      sortDir: currentSortDir
     };
 
     if (!forceRecompute &&
         memoizedVisibleItems !== null &&
         memoizedInputs.objectCount === currentInputs.objectCount &&
         memoizedInputs.prefix === currentInputs.prefix &&
-        memoizedInputs.filterTerm === currentInputs.filterTerm) {
+        memoizedInputs.filterTerm === currentInputs.filterTerm &&
+        memoizedInputs.sortField === currentInputs.sortField &&
+        memoizedInputs.sortDir === currentInputs.sortDir) {
       return memoizedVisibleItems;
     }
 
@@ -394,9 +400,19 @@
     items.sort((a, b) => {
       if (a.type === 'folder' && b.type === 'file') return -1;
       if (a.type === 'file' && b.type === 'folder') return 1;
-      const aKey = a.type === 'folder' ? a.path : a.data.key;
+      if (a.type === 'folder' && b.type === 'folder') {
-      const bKey = b.type === 'folder' ? b.path : b.data.key;
+        return a.path.localeCompare(b.path);
-      return aKey.localeCompare(bKey);
+      }
+      const dir = currentSortDir === 'asc' ? 1 : -1;
+      if (currentSortField === 'size') {
+        return (a.data.size - b.data.size) * dir;
+      }
+      if (currentSortField === 'date') {
+        const aTime = new Date(a.data.lastModified || a.data.last_modified || 0).getTime();
+        const bTime = new Date(b.data.lastModified || b.data.last_modified || 0).getTime();
+        return (aTime - bTime) * dir;
+      }
+      return a.data.key.localeCompare(b.data.key) * dir;
     });
 
     memoizedVisibleItems = items;
@@ -2034,6 +2050,128 @@
     refreshVirtualList();
   });
 
+  document.querySelectorAll('[data-sort-field]').forEach(el => {
+    el.addEventListener('click', (e) => {
+      e.preventDefault();
+      const field = el.dataset.sortField;
+      const dir = el.dataset.sortDir || 'asc';
+      currentSortField = field;
+      currentSortDir = dir;
+      document.querySelectorAll('[data-sort-field]').forEach(s => s.classList.remove('active'));
+      el.classList.add('active');
+      var label = document.getElementById('sort-dropdown-label');
+      if (label) label.textContent = el.textContent.trim();
+      refreshVirtualList();
+    });
+  });
+
+  document.addEventListener('keydown', (e) => {
+    if (e.target.tagName === 'INPUT' || e.target.tagName === 'TEXTAREA' || e.target.tagName === 'SELECT' || e.target.isContentEditable) return;
+
+    if (e.key === '/' && !e.ctrlKey && !e.metaKey) {
+      e.preventDefault();
+      document.getElementById('object-search')?.focus();
+    }
+
+    if (e.key === '?' && !e.ctrlKey && !e.metaKey) {
+      e.preventDefault();
+      var kbModal = document.getElementById('keyboardShortcutsModal');
+      if (kbModal) {
+        var instance = bootstrap.Modal.getOrCreateInstance(kbModal);
+        instance.toggle();
+      }
+    }
+
+    if (e.key === 'Escape') {
+      var searchInput = document.getElementById('object-search');
+      if (searchInput && document.activeElement === searchInput) {
+        searchInput.value = '';
+        currentFilterTerm = '';
+        refreshVirtualList();
+        searchInput.blur();
+      }
+    }
+
+    if (e.key === 'Delete' && !e.ctrlKey && !e.metaKey) {
+      if (selectedRows.size > 0 && bulkDeleteButton && !bulkDeleteButton.disabled) {
+        bulkDeleteButton.click();
+      }
+    }
+
+    if (e.key === 'a' && (e.ctrlKey || e.metaKey)) {
+      if (visibleItems.length > 0 && selectAllCheckbox) {
+        e.preventDefault();
+        selectAllCheckbox.checked = true;
+        selectAllCheckbox.dispatchEvent(new Event('change'));
+      }
+    }
+  });
+
+  const ctxMenu = document.getElementById('objectContextMenu');
+  let ctxTargetRow = null;
+
+  const hideContextMenu = () => {
+    if (ctxMenu) ctxMenu.classList.add('d-none');
+    ctxTargetRow = null;
+  };
+
+  if (ctxMenu) {
+    document.addEventListener('click', hideContextMenu);
+    document.addEventListener('contextmenu', (e) => {
+      const row = e.target.closest('[data-object-row]');
+      if (!row) { hideContextMenu(); return; }
+      e.preventDefault();
+      ctxTargetRow = row;
+
+      const x = Math.min(e.clientX, window.innerWidth - 200);
+      const y = Math.min(e.clientY, window.innerHeight - 200);
+      ctxMenu.style.left = x + 'px';
+      ctxMenu.style.top = y + 'px';
+      ctxMenu.classList.remove('d-none');
+    });
+
+    ctxMenu.querySelectorAll('[data-ctx-action]').forEach(btn => {
+      btn.addEventListener('click', () => {
+        if (!ctxTargetRow) return;
+        const action = btn.dataset.ctxAction;
+        const key = ctxTargetRow.dataset.key;
+        const bucket = objectsContainer?.dataset.bucket || '';
+
+        if (action === 'download') {
+          const url = ctxTargetRow.dataset.downloadUrl;
+          if (url) window.open(url, '_blank');
+        } else if (action === 'copy-path') {
+          const s3Path = 's3://' + bucket + '/' + key;
+          if (navigator.clipboard) {
+            navigator.clipboard.writeText(s3Path).then(() => {
+              if (window.showToast) window.showToast('Copied: ' + s3Path, 'Copied', 'success');
+            });
+          }
+        } else if (action === 'presign') {
+          selectRow(ctxTargetRow);
+          presignLink.value = '';
+          presignModal?.show();
+          requestPresignedUrl();
+        } else if (action === 'delete') {
+          const deleteEndpoint = ctxTargetRow.dataset.deleteEndpoint;
+          if (deleteEndpoint) {
+            selectRow(ctxTargetRow);
+            const deleteModalEl = document.getElementById('deleteObjectModal');
+            const deleteModal = deleteModalEl ? bootstrap.Modal.getOrCreateInstance(deleteModalEl) : null;
+            const deleteObjectForm = document.getElementById('deleteObjectForm');
+            const deleteObjectKey = document.getElementById('deleteObjectKey');
+            if (deleteModal && deleteObjectForm) {
+              deleteObjectForm.setAttribute('action', deleteEndpoint);
+              if (deleteObjectKey) deleteObjectKey.textContent = key;
+              deleteModal.show();
+            }
+          }
+        }
+        hideContextMenu();
+      });
+    });
+  }
+
   refreshVersionsButton?.addEventListener('click', () => {
     if (!activeRow) {
       versionList.innerHTML = '<p class="text-muted small mb-0">Select an object to view versions.</p>';

static/js/connections-management.js

@@ -78,7 +78,7 @@ window.ConnectionsManagement = (function() {
 
     try {
       var controller = new AbortController();
-      var timeoutId = setTimeout(function() { controller.abort(); }, 15000);
+      var timeoutId = setTimeout(function() { controller.abort(); }, 10000);
 
       var response = await fetch(endpoints.healthTemplate.replace('CONNECTION_ID', connectionId), {
         signal: controller.signal
@@ -147,7 +147,7 @@ window.ConnectionsManagement = (function() {
       '<button type="button" class="btn btn-outline-secondary" data-bs-toggle="modal" data-bs-target="#editConnectionModal" ' +
       'data-id="' + window.UICore.escapeHtml(conn.id) + '" data-name="' + window.UICore.escapeHtml(conn.name) + '" ' +
       'data-endpoint="' + window.UICore.escapeHtml(conn.endpoint_url) + '" data-region="' + window.UICore.escapeHtml(conn.region) + '" ' +
-      'data-access="' + window.UICore.escapeHtml(conn.access_key) + '" data-secret="' + window.UICore.escapeHtml(conn.secret_key || '') + '" title="Edit connection">' +
+      'data-access="' + window.UICore.escapeHtml(conn.access_key) + '" title="Edit connection">' +
       '<svg xmlns="http://www.w3.org/2000/svg" width="14" height="14" fill="currentColor" viewBox="0 0 16 16">' +
       '<path d="M12.146.146a.5.5 0 0 1 .708 0l3 3a.5.5 0 0 1 0 .708l-10 10a.5.5 0 0 1-.168.11l-5 2a.5.5 0 0 1-.65-.65l2-5a.5.5 0 0 1 .11-.168l10-10zM11.207 2.5 13.5 4.793 14.793 3.5 12.5 1.207 11.207 2.5zm1.586 3L10.5 3.207 4 9.707V10h.5a.5.5 0 0 1 .5.5v.5h.5a.5.5 0 0 1 .5.5v.5h.293l6.5-6.5z"/></svg></button>' +
       '<button type="button" class="btn btn-outline-danger" data-bs-toggle="modal" data-bs-target="#deleteConnectionModal" ' +
@@ -185,7 +185,9 @@ window.ConnectionsManagement = (function() {
         document.getElementById('edit_endpoint_url').value = button.getAttribute('data-endpoint') || '';
         document.getElementById('edit_region').value = button.getAttribute('data-region') || '';
         document.getElementById('edit_access_key').value = button.getAttribute('data-access') || '';
-        document.getElementById('edit_secret_key').value = button.getAttribute('data-secret') || '';
+        document.getElementById('edit_secret_key').value = '';
+        document.getElementById('edit_secret_key').placeholder = '(unchanged — leave blank to keep current)';
+        document.getElementById('edit_secret_key').required = false;
         document.getElementById('editTestResult').innerHTML = '';
 
         var form = document.getElementById('editConnectionForm');
@@ -288,9 +290,6 @@ window.ConnectionsManagement = (function() {
                 editBtn.setAttribute('data-endpoint', data.connection.endpoint_url);
                 editBtn.setAttribute('data-region', data.connection.region);
                 editBtn.setAttribute('data-access', data.connection.access_key);
-                if (data.connection.secret_key) {
-                  editBtn.setAttribute('data-secret', data.connection.secret_key);
-                }
               }
 
               var deleteBtn = row.querySelector('[data-bs-target="#deleteConnectionModal"]');

static/js/iam-management.js

@@ -15,12 +15,39 @@ window.IAMManagement = (function() {
   var currentEditKey = null;
   var currentDeleteKey = null;
 
+  var ALL_S3_ACTIONS = ['list', 'read', 'write', 'delete', 'share', 'policy', 'replication', 'lifecycle', 'cors'];
+
   var policyTemplates = {
     full: [{ bucket: '*', actions: ['list', 'read', 'write', 'delete', 'share', 'policy', 'replication', 'lifecycle', 'cors', 'iam:*'] }],
     readonly: [{ bucket: '*', actions: ['list', 'read'] }],
     writer: [{ bucket: '*', actions: ['list', 'read', 'write'] }]
   };
 
+  function isAdminUser(policies) {
+    if (!policies || !policies.length) return false;
+    return policies.some(function(p) {
+      return p.actions && (p.actions.indexOf('iam:*') >= 0 || p.actions.indexOf('*') >= 0);
+    });
+  }
+
+  function getPermissionLevel(actions) {
+    if (!actions || !actions.length) return 'Custom (0)';
+    if (actions.indexOf('*') >= 0) return 'Full Access';
+    if (actions.length >= ALL_S3_ACTIONS.length) {
+      var hasAll = ALL_S3_ACTIONS.every(function(a) { return actions.indexOf(a) >= 0; });
+      if (hasAll) return 'Full Access';
+    }
+    var has = function(a) { return actions.indexOf(a) >= 0; };
+    if (has('list') && has('read') && has('write') && has('delete')) return 'Read + Write + Delete';
+    if (has('list') && has('read') && has('write')) return 'Read + Write';
+    if (has('list') && has('read')) return 'Read Only';
+    return 'Custom (' + actions.length + ')';
+  }
+
+  function getBucketLabel(bucket) {
+    return bucket === '*' ? 'All Buckets' : bucket;
+  }
+
   function init(config) {
     users = config.users || [];
     currentUserKey = config.currentUserKey || null;
@@ -39,6 +66,8 @@ window.IAMManagement = (function() {
     setupDeleteUserModal();
     setupRotateSecretModal();
     setupFormHandlers();
+    setupSearch();
+    setupCopyAccessKeyButtons();
   }
 
   function initModals() {
@@ -243,22 +272,29 @@ window.IAMManagement = (function() {
   }
 
   function createUserCardHtml(accessKey, displayName, policies) {
+    var admin = isAdminUser(policies);
+    var cardClass = 'card h-100 iam-user-card' + (admin ? ' iam-admin-card' : '');
+    var roleBadge = admin
+      ? '<span class="iam-role-badge iam-role-admin" data-role-badge>Admin</span>'
+      : '<span class="iam-role-badge iam-role-user" data-role-badge>User</span>';
+
     var policyBadges = '';
     if (policies && policies.length > 0) {
       policyBadges = policies.map(function(p) {
-        var actionText = p.actions && p.actions.includes('*') ? 'full' : (p.actions ? p.actions.length : 0);
+        var bucketLabel = getBucketLabel(p.bucket);
-        return '<span class="badge bg-primary bg-opacity-10 text-primary">' +
+        var permLevel = getPermissionLevel(p.actions);
+        return '<span class="iam-perm-badge">' +
           '<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10" fill="currentColor" class="me-1" viewBox="0 0 16 16">' +
           '<path d="M2.522 5H2a.5.5 0 0 0-.494.574l1.372 9.149A1.5 1.5 0 0 0 4.36 16h7.278a1.5 1.5 0 0 0 1.483-1.277l1.373-9.149A.5.5 0 0 0 14 5h-.522A5.5 5.5 0 0 0 2.522 5zm1.005 0a4.5 4.5 0 0 1 8.945 0H3.527z"/>' +
-          '</svg>' + window.UICore.escapeHtml(p.bucket) +
+          '</svg>' + window.UICore.escapeHtml(bucketLabel) + ' &middot; ' + window.UICore.escapeHtml(permLevel) + '</span>';
-          '<span class="opacity-75">(' + actionText + ')</span></span>';
       }).join('');
     } else {
       policyBadges = '<span class="badge bg-secondary bg-opacity-10 text-secondary">No policies</span>';
     }
 
-    return '<div class="col-md-6 col-xl-4">' +
+    var esc = window.UICore.escapeHtml;
-      '<div class="card h-100 iam-user-card">' +
+    return '<div class="col-md-6 col-xl-4 iam-user-item" data-display-name="' + esc(displayName.toLowerCase()) + '" data-access-key-filter="' + esc(accessKey.toLowerCase()) + '">' +
+      '<div class="' + cardClass + '">' +
       '<div class="card-body">' +
       '<div class="d-flex align-items-start justify-content-between mb-3">' +
       '<div class="d-flex align-items-center gap-3 min-width-0 overflow-hidden">' +
@@ -267,8 +303,18 @@ window.IAMManagement = (function() {
       '<path d="M8 8a3 3 0 1 0 0-6 3 3 0 0 0 0 6zm2-3a2 2 0 1 1-4 0 2 2 0 0 1 4 0zm4 8c0 1-1 1-1 1H3s-1 0-1-1 1-4 6-4 6 3 6 4zm-1-.004c-.001-.246-.154-.986-.832-1.664C11.516 10.68 10.289 10 8 10c-2.29 0-3.516.68-4.168 1.332-.678.678-.83 1.418-.832 1.664h10z"/>' +
       '</svg></div>' +
       '<div class="min-width-0">' +
-      '<h6 class="fw-semibold mb-0 text-truncate" title="' + window.UICore.escapeHtml(displayName) + '">' + window.UICore.escapeHtml(displayName) + '</h6>' +
+      '<div class="d-flex align-items-center gap-2 mb-0">' +
-      '<code class="small text-muted d-block text-truncate" title="' + window.UICore.escapeHtml(accessKey) + '">' + window.UICore.escapeHtml(accessKey) + '</code>' +
+      '<h6 class="fw-semibold mb-0 text-truncate" title="' + esc(displayName) + '">' + esc(displayName) + '</h6>' +
+      roleBadge +
+      '</div>' +
+      '<div class="d-flex align-items-center gap-1">' +
+      '<code class="small text-muted text-truncate" title="' + esc(accessKey) + '">' + esc(accessKey) + '</code>' +
+      '<button type="button" class="iam-copy-key" title="Copy access key" data-copy-access-key="' + esc(accessKey) + '">' +
+      '<svg xmlns="http://www.w3.org/2000/svg" width="12" height="12" fill="currentColor" viewBox="0 0 16 16">' +
+      '<path d="M4 1.5H3a2 2 0 0 0-2 2V14a2 2 0 0 0 2 2h10a2 2 0 0 0 2-2V3.5a2 2 0 0 0-2-2h-1v1h1a1 1 0 0 1 1 1V14a1 1 0 0 1-1 1H3a1 1 0 0 1-1-1V3.5a1 1 0 0 1 1-1h1v-1z"/>' +
+      '<path d="M9.5 1a.5.5 0 0 1 .5.5v1a.5.5 0 0 1-.5.5h-3a.5.5 0 0 1-.5-.5v-1a.5.5 0 0 1 .5-.5h3zm-3-1A1.5 1.5 0 0 0 5 1.5v1A1.5 1.5 0 0 0 6.5 4h3A1.5 1.5 0 0 0 11 2.5v-1A1.5 1.5 0 0 0 9.5 0h-3z"/>' +
+      '</svg></button>' +
+      '</div>' +
       '</div></div>' +
       '<div class="dropdown flex-shrink-0">' +
       '<button class="btn btn-sm btn-icon" type="button" data-bs-toggle="dropdown" aria-expanded="false">' +
@@ -276,18 +322,18 @@ window.IAMManagement = (function() {
       '<path d="M9.5 13a1.5 1.5 0 1 1-3 0 1.5 1.5 0 0 1 3 0zm0-5a1.5 1.5 0 1 1-3 0 1.5 1.5 0 0 1 3 0zm0-5a1.5 1.5 0 1 1-3 0 1.5 1.5 0 0 1 3 0z"/>' +
       '</svg></button>' +
       '<ul class="dropdown-menu dropdown-menu-end">' +
-      '<li><button class="dropdown-item" type="button" data-edit-user="' + window.UICore.escapeHtml(accessKey) + '" data-display-name="' + window.UICore.escapeHtml(displayName) + '">' +
+      '<li><button class="dropdown-item" type="button" data-edit-user="' + esc(accessKey) + '" data-display-name="' + esc(displayName) + '">' +
       '<svg xmlns="http://www.w3.org/2000/svg" width="14" height="14" fill="currentColor" class="me-2" viewBox="0 0 16 16"><path d="M12.146.146a.5.5 0 0 1 .708 0l3 3a.5.5 0 0 1 0 .708l-10 10a.5.5 0 0 1-.168.11l-5 2a.5.5 0 0 1-.65-.65l2-5a.5.5 0 0 1 .11-.168l10-10zM11.207 2.5 13.5 4.793 14.793 3.5 12.5 1.207 11.207 2.5zm1.586 3L10.5 3.207 4 9.707V10h.5a.5.5 0 0 1 .5.5v.5h.5a.5.5 0 0 1 .5.5v.5h.293l6.5-6.5z"/></svg>Edit Name</button></li>' +
-      '<li><button class="dropdown-item" type="button" data-rotate-user="' + window.UICore.escapeHtml(accessKey) + '">' +
+      '<li><button class="dropdown-item" type="button" data-rotate-user="' + esc(accessKey) + '">' +
       '<svg xmlns="http://www.w3.org/2000/svg" width="14" height="14" fill="currentColor" class="me-2" viewBox="0 0 16 16"><path d="M11.534 7h3.932a.25.25 0 0 1 .192.41l-1.966 2.36a.25.25 0 0 1-.384 0l-1.966-2.36a.25.25 0 0 1 .192-.41zm-11 2h3.932a.25.25 0 0 0 .192-.41L2.692 6.23a.25.25 0 0 0-.384 0L.342 8.59A.25.25 0 0 0 .534 9z"/><path fill-rule="evenodd" d="M8 3c-1.552 0-2.94.707-3.857 1.818a.5.5 0 1 1-.771-.636A6.002 6.002 0 0 1 13.917 7H12.9A5.002 5.002 0 0 0 8 3zM3.1 9a5.002 5.002 0 0 0 8.757 2.182.5.5 0 1 1 .771.636A6.002 6.002 0 0 1 2.083 9H3.1z"/></svg>Rotate Secret</button></li>' +
       '<li><hr class="dropdown-divider"></li>' +
-      '<li><button class="dropdown-item text-danger" type="button" data-delete-user="' + window.UICore.escapeHtml(accessKey) + '">' +
+      '<li><button class="dropdown-item text-danger" type="button" data-delete-user="' + esc(accessKey) + '">' +
       '<svg xmlns="http://www.w3.org/2000/svg" width="14" height="14" fill="currentColor" class="me-2" viewBox="0 0 16 16"><path d="M5.5 5.5a.5.5 0 0 1 .5.5v6a.5.5 0 0 1-1 0v-6a.5.5 0 0 1 .5-.5zm2.5 0a.5.5 0 0 1 .5.5v6a.5.5 0 0 1-1 0v-6a.5.5 0 0 1 .5-.5zm3 .5v6a.5.5 0 0 1-1 0v-6a.5.5 0 0 1 1 0z"/><path fill-rule="evenodd" d="M14.5 3a1 1 0 0 1-1 1H13v9a2 2 0 0 1-2 2H5a2 2 0 0 1-2-2V4h-.5a1 1 0 0 1-1-1V2a1 1 0 0 1 1-1H6a1 1 0 0 1 1-1h2a1 1 0 0 1 1 1h3.5a1 1 0 0 1 1 1v1zM4.118 4 4 4.059V13a1 1 0 0 0 1 1h6a1 1 0 0 0 1-1V4.059L11.882 4H4.118zM2.5 3V2h11v1h-11z"/></svg>Delete User</button></li>' +
       '</ul></div></div>' +
       '<div class="mb-3">' +
       '<div class="small text-muted mb-2">Bucket Permissions</div>' +
-      '<div class="d-flex flex-wrap gap-1">' + policyBadges + '</div></div>' +
+      '<div class="d-flex flex-wrap gap-1" data-policy-badges>' + policyBadges + '</div></div>' +
-      '<button class="btn btn-outline-primary btn-sm w-100" type="button" data-policy-editor data-access-key="' + window.UICore.escapeHtml(accessKey) + '">' +
+      '<button class="btn btn-outline-primary btn-sm w-100" type="button" data-policy-editor data-access-key="' + esc(accessKey) + '">' +
       '<svg xmlns="http://www.w3.org/2000/svg" width="14" height="14" fill="currentColor" class="me-1" viewBox="0 0 16 16"><path d="M8 4.754a3.246 3.246 0 1 0 0 6.492 3.246 3.246 0 0 0 0-6.492zM5.754 8a2.246 2.246 0 1 1 4.492 0 2.246 2.246 0 0 1-4.492 0z"/><path d="M9.796 1.343c-.527-1.79-3.065-1.79-3.592 0l-.094.319a.873.873 0 0 1-1.255.52l-.292-.16c-1.64-.892-3.433.902-2.54 2.541l.159.292a.873.873 0 0 1-.52 1.255l-.319.094c-1.79.527-1.79 3.065 0 3.592l.319.094a.873.873 0 0 1 .52 1.255l-.16.292c-.892 1.64.901 3.434 2.541 2.54l.292-.159a.873.873 0 0 1 1.255.52l.094.319c.527 1.79 3.065 1.79 3.592 0l.094-.319a.873.873 0 0 1 1.255-.52l.292.16c1.64.893 3.434-.902 2.54-2.541l-.159-.292a.873.873 0 0 1 .52-1.255l.319-.094c1.79-.527 1.79-3.065 0-3.592l-.319-.094a.873.873 0 0 1-.52-1.255l.16-.292c.893-1.64-.902-3.433-2.541-2.54l-.292.159a.873.873 0 0 1-1.255-.52l-.094-.319z"/></svg>Manage Policies</button>' +
       '</div></div></div>';
   }
@@ -342,6 +388,13 @@ window.IAMManagement = (function() {
         policyModal.show();
       });
     }
+
+    var copyBtn = cardElement.querySelector('[data-copy-access-key]');
+    if (copyBtn) {
+      copyBtn.addEventListener('click', function() {
+        copyAccessKey(copyBtn);
+      });
+    }
   }
 
   function updateUserCount() {
@@ -442,17 +495,33 @@ window.IAMManagement = (function() {
 
             var userCard = document.querySelector('[data-access-key="' + key + '"]');
             if (userCard) {
-              var badgeContainer = userCard.closest('.iam-user-card').querySelector('.d-flex.flex-wrap.gap-1');
+              var cardEl = userCard.closest('.iam-user-card');
+              var badgeContainer = cardEl ? cardEl.querySelector('[data-policy-badges]') : null;
               if (badgeContainer && data.policies) {
                 var badges = data.policies.map(function(p) {
-                  return '<span class="badge bg-primary bg-opacity-10 text-primary">' +
+                  var bl = getBucketLabel(p.bucket);
+                  var pl = getPermissionLevel(p.actions);
+                  return '<span class="iam-perm-badge">' +
                     '<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10" fill="currentColor" class="me-1" viewBox="0 0 16 16">' +
                     '<path d="M2.522 5H2a.5.5 0 0 0-.494.574l1.372 9.149A1.5 1.5 0 0 0 4.36 16h7.278a1.5 1.5 0 0 0 1.483-1.277l1.373-9.149A.5.5 0 0 0 14 5h-.522A5.5 5.5 0 0 0 2.522 5zm1.005 0a4.5 4.5 0 0 1 8.945 0H3.527z"/>' +
-                    '</svg>' + window.UICore.escapeHtml(p.bucket) +
+                    '</svg>' + window.UICore.escapeHtml(bl) + ' &middot; ' + window.UICore.escapeHtml(pl) + '</span>';
-                    '<span class="opacity-75">(' + (p.actions.includes('*') ? 'full' : p.actions.length) + ')</span></span>';
                 }).join('');
                 badgeContainer.innerHTML = badges || '<span class="badge bg-secondary bg-opacity-10 text-secondary">No policies</span>';
               }
+              if (cardEl) {
+                var nowAdmin = isAdminUser(data.policies);
+                cardEl.classList.toggle('iam-admin-card', nowAdmin);
+                var roleBadgeEl = cardEl.querySelector('[data-role-badge]');
+                if (roleBadgeEl) {
+                  if (nowAdmin) {
+                    roleBadgeEl.className = 'iam-role-badge iam-role-admin';
+                    roleBadgeEl.textContent = 'Admin';
+                  } else {
+                    roleBadgeEl.className = 'iam-role-badge iam-role-user';
+                    roleBadgeEl.textContent = 'User';
+                  }
+                }
+              }
             }
 
             var userIndex = users.findIndex(function(u) { return u.access_key === key; });
@@ -485,6 +554,10 @@ window.IAMManagement = (function() {
                   nameEl.textContent = newName;
                   nameEl.title = newName;
                 }
+                var itemWrapper = card.closest('.iam-user-item');
+                if (itemWrapper) {
+                  itemWrapper.setAttribute('data-display-name', newName.toLowerCase());
+                }
               }
             }
 
@@ -539,6 +612,52 @@ window.IAMManagement = (function() {
     }
   }
 
+  function setupSearch() {
+    var searchInput = document.getElementById('iam-user-search');
+    if (!searchInput) return;
+
+    searchInput.addEventListener('input', function() {
+      var query = searchInput.value.toLowerCase().trim();
+      var items = document.querySelectorAll('.iam-user-item');
+      var noResults = document.getElementById('iam-no-results');
+      var visibleCount = 0;
+
+      items.forEach(function(item) {
+        var name = item.getAttribute('data-display-name') || '';
+        var key = item.getAttribute('data-access-key-filter') || '';
+        var matches = !query || name.indexOf(query) >= 0 || key.indexOf(query) >= 0;
+        item.classList.toggle('d-none', !matches);
+        if (matches) visibleCount++;
+      });
+
+      if (noResults) {
+        noResults.classList.toggle('d-none', visibleCount > 0);
+      }
+    });
+  }
+
+  function copyAccessKey(btn) {
+    var key = btn.getAttribute('data-copy-access-key');
+    if (!key) return;
+    var originalHtml = btn.innerHTML;
+    navigator.clipboard.writeText(key).then(function() {
+      btn.innerHTML = '<svg xmlns="http://www.w3.org/2000/svg" width="12" height="12" fill="currentColor" viewBox="0 0 16 16"><path d="M13.854 3.646a.5.5 0 0 1 0 .708l-7 7a.5.5 0 0 1-.708 0l-3.5-3.5a.5.5 0 1 1 .708-.708L6.5 10.293l6.646-6.647a.5.5 0 0 1 .708 0z"/></svg>';
+      btn.style.color = '#22c55e';
+      setTimeout(function() {
+        btn.innerHTML = originalHtml;
+        btn.style.color = '';
+      }, 1200);
+    }).catch(function() {});
+  }
+
+  function setupCopyAccessKeyButtons() {
+    document.querySelectorAll('[data-copy-access-key]').forEach(function(btn) {
+      btn.addEventListener('click', function() {
+        copyAccessKey(btn);
+      });
+    });
+  }
+
   return {
     init: init
   };

static/js/ui-core.js

@@ -191,6 +191,10 @@ window.UICore = (function() {
     }
   });
 
+  window.addEventListener('beforeunload', function() {
+    pollingManager.stopAll();
+  });
+
   return {
     getCsrfToken: getCsrfToken,
     formatBytes: formatBytes,

templates/bucket_detail.html

@@ -100,8 +100,26 @@
               </svg>
               Upload
             </button>
+            <div class="dropdown sort-dropdown">
+              <button class="btn btn-outline-secondary btn-sm dropdown-toggle" type="button" data-bs-toggle="dropdown" aria-expanded="false" title="Sort objects">
+                <svg xmlns="http://www.w3.org/2000/svg" width="14" height="14" fill="currentColor" class="me-1" viewBox="0 0 16 16">
+                  <path d="M3.5 2.5a.5.5 0 0 0-1 0v8.793l-1.146-1.147a.5.5 0 0 0-.708.708l2 1.999.007.007a.497.497 0 0 0 .7-.006l2-2a.5.5 0 0 0-.707-.708L3.5 11.293V2.5zm3.5 1a.5.5 0 0 1 .5-.5h7a.5.5 0 0 1 0 1h-7a.5.5 0 0 1-.5-.5zM7.5 6a.5.5 0 0 0 0 1h5a.5.5 0 0 0 0-1h-5zm0 3a.5.5 0 0 0 0 1h3a.5.5 0 0 0 0-1h-3zm0 3a.5.5 0 0 0 0 1h1a.5.5 0 0 0 0-1h-1z"/>
+                </svg>
+                <span id="sort-dropdown-label">Name A-Z</span>
+              </button>
+              <ul class="dropdown-menu dropdown-menu-end">
+                <li><button class="dropdown-item active" type="button" data-sort-field="name" data-sort-dir="asc">Name A-Z</button></li>
+                <li><button class="dropdown-item" type="button" data-sort-field="name" data-sort-dir="desc">Name Z-A</button></li>
+                <li><hr class="dropdown-divider"></li>
+                <li><button class="dropdown-item" type="button" data-sort-field="size" data-sort-dir="desc">Size (largest)</button></li>
+                <li><button class="dropdown-item" type="button" data-sort-field="size" data-sort-dir="asc">Size (smallest)</button></li>
+                <li><hr class="dropdown-divider"></li>
+                <li><button class="dropdown-item" type="button" data-sort-field="date" data-sort-dir="desc">Date (newest)</button></li>
+                <li><button class="dropdown-item" type="button" data-sort-field="date" data-sort-dir="asc">Date (oldest)</button></li>
+              </ul>
+            </div>
             <div class="position-relative search-wrapper">
-              <input id="object-search" class="form-control form-control-sm" type="search" placeholder="Filter objects" style="max-width: 180px;" />
+              <input id="object-search" class="form-control form-control-sm" type="search" placeholder="Filter objects (press /)" style="max-width: 180px;" />
             </div>
             <div class="bulk-actions d-none" id="bulk-actions-wrapper">
               <button class="btn btn-outline-danger btn-sm" type="button" data-bulk-delete-trigger disabled>
@@ -1002,6 +1020,28 @@
               </div>
               {% endif %}
 
+              {% if website_domains %}
+              <div class="mb-4">
+                <label class="form-label fw-medium mb-2">Mapped Domains</label>
+                {% for domain in website_domains %}
+                <div class="d-flex align-items-center mb-1">
+                  <span class="badge bg-success-subtle text-success-emphasis me-2">
+                    <svg xmlns="http://www.w3.org/2000/svg" width="12" height="12" fill="currentColor" class="me-1" viewBox="0 0 16 16">
+                      <path fill-rule="evenodd" d="M7.21 1.293a1 1 0 0 1 1.58 0l.612.72a1 1 0 0 0 .88.332l.94-.134a1 1 0 0 1 1.118.7l.248.912a1 1 0 0 0 .59.659l.876.388a1 1 0 0 1 .435 1.505l-.546.766a1 1 0 0 0-.156.935l.306.899a1 1 0 0 1-.725 1.282l-.92.216a1 1 0 0 0-.72.555l-.41.856a1 1 0 0 1-1.396.478l-.803-.49a1 1 0 0 0-1.04 0l-.802.49a1 1 0 0 1-1.397-.478l-.41-.857a1 1 0 0 0-.72-.554l-.919-.216a1 1 0 0 1-.725-1.282l.306-.9a1 1 0 0 0-.156-.934l-.546-.766a1 1 0 0 1 .435-1.505l.877-.388a1 1 0 0 0 .589-.66l.248-.911a1 1 0 0 1 1.118-.7l.94.133a1 1 0 0 0 .88-.331l.612-.72zM11 7a.5.5 0 0 0-.5-.5h-5a.5.5 0 0 0 0 1H6v1.5a.5.5 0 0 0 1 0V7.5h1v2a.5.5 0 0 0 1 0v-2h1.5a.5.5 0 0 0 0-1H10V7z"/>
+                    </svg>
+                    connected
+                  </span>
+                  <code class="small">{{ domain }}</code>
+                </div>
+                {% endfor %}
+              </div>
+              {% elif website_config %}
+              <div class="mb-4">
+                <label class="form-label fw-medium mb-2">Mapped Domains</label>
+                <p class="text-muted small mb-0">No domains mapped to this bucket. <a href="{{ url_for('ui.website_domains_dashboard') }}">Manage domains</a></p>
+              </div>
+              {% endif %}
+
               {% if can_manage_website %}
               <form method="post" action="{{ url_for('ui.update_bucket_website', bucket_name=bucket_name) }}" id="websiteForm">
                 <input type="hidden" name="csrf_token" value="{{ csrf_token() }}" />
@@ -2663,6 +2703,63 @@
     </div>
   </div>
 </div>
+
+<div class="context-menu d-none" id="objectContextMenu">
+  <button class="context-menu-item" data-ctx-action="download">
+    <svg xmlns="http://www.w3.org/2000/svg" width="14" height="14" fill="currentColor" viewBox="0 0 16 16">
+      <path d="M.5 9.9a.5.5 0 0 1 .5.5v2.5a1 1 0 0 0 1 1h12a1 1 0 0 0 1-1v-2.5a.5.5 0 0 1 1 0v2.5a2 2 0 0 1-2 2H2a2 2 0 0 1-2-2v-2.5a.5.5 0 0 1 .5-.5z"/>
+      <path d="M7.646 11.854a.5.5 0 0 0 .708 0l3-3a.5.5 0 0 0-.708-.708L8.5 10.293V1.5a.5.5 0 0 0-1 0v8.793L5.354 8.146a.5.5 0 1 0-.708.708l3 3z"/>
+    </svg>
+    Download
+  </button>
+  <button class="context-menu-item" data-ctx-action="copy-path">
+    <svg xmlns="http://www.w3.org/2000/svg" width="14" height="14" fill="currentColor" viewBox="0 0 16 16">
+      <path fill-rule="evenodd" d="M4 2a2 2 0 0 1 2-2h8a2 2 0 0 1 2 2v8a2 2 0 0 1-2 2H6a2 2 0 0 1-2-2V2Zm2-1a1 1 0 0 0-1 1v8a1 1 0 0 0 1 1h8a1 1 0 0 0 1-1V2a1 1 0 0 0-1-1H6ZM2 5a1 1 0 0 0-1 1v8a1 1 0 0 0 1 1h8a1 1 0 0 0 1-1v-1h1v1a2 2 0 0 1-2 2H2a2 2 0 0 1-2-2V6a2 2 0 0 1 2-2h1v1H2Z"/>
+    </svg>
+    Copy S3 Path
+  </button>
+  <button class="context-menu-item" data-ctx-action="presign">
+    <svg xmlns="http://www.w3.org/2000/svg" width="14" height="14" fill="currentColor" viewBox="0 0 16 16">
+      <path d="M4.715 6.542 3.343 7.914a3 3 0 1 0 4.243 4.243l1.828-1.829A3 3 0 0 0 8.586 5.5L8 6.086a1.002 1.002 0 0 0-.154.199 2 2 0 0 1 .861 3.337L6.88 11.45a2 2 0 1 1-2.83-2.83l.793-.792a4.018 4.018 0 0 1-.128-1.287z"/>
+      <path d="M6.586 4.672A3 3 0 0 0 7.414 9.5l.775-.776a2 2 0 0 1-.896-3.346L9.12 3.55a2 2 0 1 1 2.83 2.83l-.793.792c.112.42.155.855.128 1.287l1.372-1.372a3 3 0 1 0-4.243-4.243L6.586 4.672z"/>
+    </svg>
+    Share Link
+  </button>
+  <div class="context-menu-divider"></div>
+  <button class="context-menu-item text-danger" data-ctx-action="delete">
+    <svg xmlns="http://www.w3.org/2000/svg" width="14" height="14" fill="currentColor" viewBox="0 0 16 16">
+      <path d="M5.5 5.5A.5.5 0 0 1 6 6v6a.5.5 0 0 1-1 0V6a.5.5 0 0 1 .5-.5zm2.5 0a.5.5 0 0 1 .5.5v6a.5.5 0 0 1-1 0V6a.5.5 0 0 1 .5-.5zm3 .5a.5.5 0 0 0-1 0v6a.5.5 0 0 0 1 0V6z"/>
+      <path fill-rule="evenodd" d="M14.5 3a1 1 0 0 1-1 1H13v9a2 2 0 0 1-2 2H5a2 2 0 0 1-2-2V4h-.5a1 1 0 0 1-1-1V2a1 1 0 0 1 1-1H6a1 1 0 0 1 1-1h2a1 1 0 0 1 1 1h3.5a1 1 0 0 1 1 1v1zM4.118 4 4 4.059V13a1 1 0 0 0 1 1h6a1 1 0 0 0 1-1V4.059L11.882 4H4.118zM2.5 3V2h11v1h-11z"/>
+    </svg>
+    Delete
+  </button>
+</div>
+
+<div class="modal fade" id="keyboardShortcutsModal" tabindex="-1" aria-hidden="true">
+  <div class="modal-dialog modal-dialog-centered modal-sm">
+    <div class="modal-content">
+      <div class="modal-header border-0 pb-0">
+        <h5 class="modal-title fw-semibold">
+          <svg xmlns="http://www.w3.org/2000/svg" width="18" height="18" fill="currentColor" class="text-primary me-1" viewBox="0 0 16 16">
+            <path d="M14 5a1 1 0 0 1 1 1v5a1 1 0 0 1-1 1H2a1 1 0 0 1-1-1V6a1 1 0 0 1 1-1h12zM2 4a2 2 0 0 0-2 2v5a2 2 0 0 0 2 2h12a2 2 0 0 0 2-2V6a2 2 0 0 0-2-2H2z"/>
+            <path d="M13 10.25a.25.25 0 0 1 .25-.25h.5a.25.25 0 0 1 .25.25v.5a.25.25 0 0 1-.25.25h-.5a.25.25 0 0 1-.25-.25v-.5zm0-2a.25.25 0 0 1 .25-.25h.5a.25.25 0 0 1 .25.25v.5a.25.25 0 0 1-.25.25h-.5a.25.25 0 0 1-.25-.25v-.5zm-5 0A.25.25 0 0 1 8.25 8h.5a.25.25 0 0 1 .25.25v.5a.25.25 0 0 1-.25.25h-.5A.25.25 0 0 1 8 8.75v-.5zm2 0a.25.25 0 0 1 .25-.25h1.5a.25.25 0 0 1 .25.25v.5a.25.25 0 0 1-.25.25h-1.5a.25.25 0 0 1-.25-.25v-.5zm1 2a.25.25 0 0 1 .25-.25h.5a.25.25 0 0 1 .25.25v.5a.25.25 0 0 1-.25.25h-.5a.25.25 0 0 1-.25-.25v-.5zm-5-2A.25.25 0 0 1 6.25 8h.5a.25.25 0 0 1 .25.25v.5a.25.25 0 0 1-.25.25h-.5A.25.25 0 0 1 6 8.75v-.5zm-2 0A.25.25 0 0 1 4.25 8h.5a.25.25 0 0 1 .25.25v.5a.25.25 0 0 1-.25.25h-.5A.25.25 0 0 1 4 8.75v-.5zm-2 0A.25.25 0 0 1 2.25 8h.5a.25.25 0 0 1 .25.25v.5a.25.25 0 0 1-.25.25h-.5A.25.25 0 0 1 2 8.75v-.5zm11-2a.25.25 0 0 1 .25-.25h.5a.25.25 0 0 1 .25.25v.5a.25.25 0 0 1-.25.25h-.5a.25.25 0 0 1-.25-.25v-.5zm-2 0a.25.25 0 0 1 .25-.25h.5a.25.25 0 0 1 .25.25v.5a.25.25 0 0 1-.25.25h-.5a.25.25 0 0 1-.25-.25v-.5zm-2 0A.25.25 0 0 1 9.25 6h.5a.25.25 0 0 1 .25.25v.5a.25.25 0 0 1-.25.25h-.5A.25.25 0 0 1 9 6.75v-.5zm-2 0A.25.25 0 0 1 7.25 6h.5a.25.25 0 0 1 .25.25v.5a.25.25 0 0 1-.25.25h-.5A.25.25 0 0 1 7 6.75v-.5zm-2 0A.25.25 0 0 1 5.25 6h.5a.25.25 0 0 1 .25.25v.5a.25.25 0 0 1-.25.25h-.5A.25.25 0 0 1 5 6.75v-.5zm-3 0A.25.25 0 0 1 2.25 6h1.5a.25.25 0 0 1 .25.25v.5a.25.25 0 0 1-.25.25h-1.5A.25.25 0 0 1 2 6.75v-.5zm0 4a.25.25 0 0 1 .25-.25h.5a.25.25 0 0 1 .25.25v.5a.25.25 0 0 1-.25.25h-.5a.25.25 0 0 1-.25-.25v-.5zm2 0a.25.25 0 0 1 .25-.25h5.5a.25.25 0 0 1 .25.25v.5a.25.25 0 0 1-.25.25h-5.5a.25.25 0 0 1-.25-.25v-.5z"/>
+          </svg>
+          Keyboard Shortcuts
+        </h5>
+        <button type="button" class="btn-close" data-bs-dismiss="modal" aria-label="Close"></button>
+      </div>
+      <div class="modal-body pt-2">
+        <div class="kbd-shortcuts-list">
+          <div class="shortcut-row"><span class="text-muted">Search objects</span><kbd>/</kbd></div>
+          <div class="shortcut-row"><span class="text-muted">Select all</span><span><kbd>Ctrl</kbd> + <kbd>A</kbd></span></div>
+          <div class="shortcut-row"><span class="text-muted">Delete selected</span><kbd>Del</kbd></div>
+          <div class="shortcut-row"><span class="text-muted">Clear search</span><kbd>Esc</kbd></div>
+          <div class="shortcut-row"><span class="text-muted">Show shortcuts</span><kbd>?</kbd></div>
+        </div>
+      </div>
+    </div>
+  </div>
+</div>
 {% endblock %}
 
 {% block extra_scripts %}

templates/buckets.html

@@ -89,6 +89,14 @@
     </div>
   </div>
   {% endfor %}
+  <div class="col-12 d-none" id="bucket-no-results">
+    <div class="text-center py-5 text-muted">
+      <svg xmlns="http://www.w3.org/2000/svg" width="32" height="32" fill="currentColor" class="mb-3 opacity-50" viewBox="0 0 16 16">
+        <path d="M11.742 10.344a6.5 6.5 0 1 0-1.397 1.398h-.001c.03.04.062.078.098.115l3.85 3.85a1 1 0 0 0 1.415-1.414l-3.85-3.85a1.007 1.007 0 0 0-.115-.1zM12 6.5a5.5 5.5 0 1 1-11 0 5.5 5.5 0 0 1 11 0z"/>
+      </svg>
+      <p class="mb-0 fw-medium">No buckets match your filter.</p>
+    </div>
+  </div>
 </div>
 
 <div class="modal fade" id="createBucketModal" tabindex="-1" aria-hidden="true">
@@ -149,6 +157,15 @@
             item.classList.add('d-none');
           }
         });
+
+        var noResults = document.getElementById('bucket-no-results');
+        if (noResults) {
+          if (term && visibleCount === 0) {
+            noResults.classList.remove('d-none');
+          } else {
+            noResults.classList.add('d-none');
+          }
+        }
       });
     }
 

templates/connections.html

@@ -145,7 +145,6 @@
                                             data-endpoint="{{ conn.endpoint_url }}"
                                             data-region="{{ conn.region }}"
                                             data-access="{{ conn.access_key }}"
-                                            data-secret="{{ conn.secret_key }}"
                                             title="Edit connection">
                                             <svg xmlns="http://www.w3.org/2000/svg" width="14" height="14" fill="currentColor" viewBox="0 0 16 16">
                                                 <path d="M12.146.146a.5.5 0 0 1 .708 0l3 3a.5.5 0 0 1 0 .708l-10 10a.5.5 0 0 1-.168.11l-5 2a.5.5 0 0 1-.65-.65l2-5a.5.5 0 0 1 .11-.168l10-10zM11.207 2.5 13.5 4.793 14.793 3.5 12.5 1.207 11.207 2.5zm1.586 3L10.5 3.207 4 9.707V10h.5a.5.5 0 0 1 .5.5v.5h.5a.5.5 0 0 1 .5.5v.5h.293l6.5-6.5z"/>

templates/iam.html

@@ -110,10 +110,26 @@
   {% else %}
   <div class="card-body px-4 pb-4">
     {% if users %}
+    {% if users|length > 1 %}
+    <div class="mb-3">
+      <div class="search-input-wrapper">
+        <svg xmlns="http://www.w3.org/2000/svg" width="16" height="16" fill="currentColor" class="search-icon" viewBox="0 0 16 16">
+          <path d="M11.742 10.344a6.5 6.5 0 1 0-1.397 1.398h-.001c.03.04.062.078.098.115l3.85 3.85a1 1 0 0 0 1.415-1.414l-3.85-3.85a1.007 1.007 0 0 0-.115-.1zM12 6.5a5.5 5.5 0 1 1-11 0 5.5 5.5 0 0 1 11 0z"/>
+        </svg>
+        <input type="text" class="form-control" id="iam-user-search" placeholder="Filter users by name or access key..." autocomplete="off" />
+      </div>
+    </div>
+    {% endif %}
     <div class="row g-3">
       {% for user in users %}
-      <div class="col-md-6 col-xl-4">
+      {% set ns = namespace(is_admin=false) %}
-        <div class="card h-100 iam-user-card">
+      {% for policy in user.policies %}
+        {% if 'iam:*' in policy.actions or '*' in policy.actions %}
+          {% set ns.is_admin = true %}
+        {% endif %}
+      {% endfor %}
+      <div class="col-md-6 col-xl-4 iam-user-item" data-display-name="{{ user.display_name|lower }}" data-access-key-filter="{{ user.access_key|lower }}">
+        <div class="card h-100 iam-user-card{{ ' iam-admin-card' if ns.is_admin else '' }}">
           <div class="card-body">
             <div class="d-flex align-items-start justify-content-between mb-3">
               <div class="d-flex align-items-center gap-3 min-width-0 overflow-hidden">
@@ -123,8 +139,23 @@
                   </svg>
                 </div>
                 <div class="min-width-0">
-                  <h6 class="fw-semibold mb-0 text-truncate" title="{{ user.display_name }}">{{ user.display_name }}</h6>
+                  <div class="d-flex align-items-center gap-2 mb-0">
-                  <code class="small text-muted d-block text-truncate" title="{{ user.access_key }}">{{ user.access_key }}</code>
+                    <h6 class="fw-semibold mb-0 text-truncate" title="{{ user.display_name }}">{{ user.display_name }}</h6>
+                    {% if ns.is_admin %}
+                    <span class="iam-role-badge iam-role-admin" data-role-badge>Admin</span>
+                    {% else %}
+                    <span class="iam-role-badge iam-role-user" data-role-badge>User</span>
+                    {% endif %}
+                  </div>
+                  <div class="d-flex align-items-center gap-1">
+                    <code class="small text-muted text-truncate" title="{{ user.access_key }}">{{ user.access_key }}</code>
+                    <button type="button" class="iam-copy-key" title="Copy access key" data-copy-access-key="{{ user.access_key }}">
+                      <svg xmlns="http://www.w3.org/2000/svg" width="12" height="12" fill="currentColor" viewBox="0 0 16 16">
+                        <path d="M4 1.5H3a2 2 0 0 0-2 2V14a2 2 0 0 0 2 2h10a2 2 0 0 0 2-2V3.5a2 2 0 0 0-2-2h-1v1h1a1 1 0 0 1 1 1V14a1 1 0 0 1-1 1H3a1 1 0 0 1-1-1V3.5a1 1 0 0 1 1-1h1v-1z"/>
+                        <path d="M9.5 1a.5.5 0 0 1 .5.5v1a.5.5 0 0 1-.5.5h-3a.5.5 0 0 1-.5-.5v-1a.5.5 0 0 1 .5-.5h3zm-3-1A1.5 1.5 0 0 0 5 1.5v1A1.5 1.5 0 0 0 6.5 4h3A1.5 1.5 0 0 0 11 2.5v-1A1.5 1.5 0 0 0 9.5 0h-3z"/>
+                      </svg>
+                    </button>
+                  </div>
                 </div>
               </div>
               <div class="dropdown flex-shrink-0">
@@ -166,18 +197,27 @@
             </div>
             <div class="mb-3">
               <div class="small text-muted mb-2">Bucket Permissions</div>
-              <div class="d-flex flex-wrap gap-1">
+              <div class="d-flex flex-wrap gap-1" data-policy-badges>
                 {% for policy in user.policies %}
-                  <span class="badge bg-primary bg-opacity-10 text-primary">
+                  {% set bucket_label = 'All Buckets' if policy.bucket == '*' else policy.bucket %}
+                  {% if '*' in policy.actions %}
+                    {% set perm_label = 'Full Access' %}
+                  {% elif policy.actions|length >= 9 %}
+                    {% set perm_label = 'Full Access' %}
+                  {% elif 'list' in policy.actions and 'read' in policy.actions and 'write' in policy.actions and 'delete' in policy.actions %}
+                    {% set perm_label = 'Read + Write + Delete' %}
+                  {% elif 'list' in policy.actions and 'read' in policy.actions and 'write' in policy.actions %}
+                    {% set perm_label = 'Read + Write' %}
+                  {% elif 'list' in policy.actions and 'read' in policy.actions %}
+                    {% set perm_label = 'Read Only' %}
+                  {% else %}
+                    {% set perm_label = 'Custom (' ~ policy.actions|length ~ ')' %}
+                  {% endif %}
+                  <span class="iam-perm-badge">
                     <svg xmlns="http://www.w3.org/2000/svg" width="10" height="10" fill="currentColor" class="me-1" viewBox="0 0 16 16">
                       <path d="M2.522 5H2a.5.5 0 0 0-.494.574l1.372 9.149A1.5 1.5 0 0 0 4.36 16h7.278a1.5 1.5 0 0 0 1.483-1.277l1.373-9.149A.5.5 0 0 0 14 5h-.522A5.5 5.5 0 0 0 2.522 5zm1.005 0a4.5 4.5 0 0 1 8.945 0H3.527z"/>
                     </svg>
-                    {{ policy.bucket }}
+                    {{ bucket_label }} · {{ perm_label }}
-                    {% if '*' in policy.actions %}
-                      <span class="opacity-75">(full)</span>
-                    {% else %}
-                      <span class="opacity-75">({{ policy.actions|length }})</span>
-                    {% endif %}
                   </span>
                 {% else %}
                   <span class="badge bg-secondary bg-opacity-10 text-secondary">No policies</span>
@@ -196,6 +236,12 @@
       </div>
       {% endfor %}
     </div>
+    <div class="iam-no-results d-none" id="iam-no-results">
+      <svg xmlns="http://www.w3.org/2000/svg" width="24" height="24" fill="currentColor" class="mb-2" viewBox="0 0 16 16">
+        <path d="M11.742 10.344a6.5 6.5 0 1 0-1.397 1.398h-.001c.03.04.062.078.098.115l3.85 3.85a1 1 0 0 0 1.415-1.414l-3.85-3.85a1.007 1.007 0 0 0-.115-.1zM12 6.5a5.5 5.5 0 1 1-11 0 5.5 5.5 0 0 1 11 0z"/>
+      </svg>
+      <p class="mb-0">No users match your filter.</p>
+    </div>
     {% else %}
     <div class="empty-state text-center py-5">
       <div class="empty-state-icon mx-auto mb-3">

templates/login.html

@@ -74,7 +74,7 @@
           </button>
         </form>
         <div class="text-center mt-4">
-          <small class="text-muted">Need help? Check the <a href="#" class="text-decoration-none">documentation</a></small>
+          <small class="text-muted">Need help? Check the <a href="{{ url_for('ui.docs_page') }}" class="text-decoration-none">documentation</a></small>
         </div>
       </div>
     </div>

templates/sites.html

@@ -14,7 +14,15 @@
     </h1>
     <p class="text-muted mb-0 mt-1">Configure this site's identity and manage peer sites for geo-distribution.</p>
   </div>
-  <div class="d-none d-md-block">
+  <div class="d-none d-md-flex align-items-center gap-2">
+    {% if local_site and local_site.site_id %}
+    <span class="badge bg-secondary bg-opacity-10 text-secondary fs-6 px-3 py-2">
+      {{ local_site.site_id }}
+    </span>
+    <svg xmlns="http://www.w3.org/2000/svg" width="16" height="16" fill="currentColor" class="text-muted" viewBox="0 0 16 16">
+      <path fill-rule="evenodd" d="M1 8a.5.5 0 0 1 .5-.5h11.793l-3.147-3.146a.5.5 0 0 1 .708-.708l4 4a.5.5 0 0 1 0 .708l-4 4a.5.5 0 0 1-.708-.708L13.293 8.5H1.5A.5.5 0 0 1 1 8z"/>
+    </svg>
+    {% endif %}
     <span class="badge bg-primary bg-opacity-10 text-primary fs-6 px-3 py-2">
       {{ peers|length }} peer{{ 's' if peers|length != 1 else '' }}
     </span>
@@ -34,7 +42,7 @@
                 <p class="text-muted small mb-0">This site's configuration</p>
             </div>
             <div class="card-body px-4 pb-4">
-                <form method="POST" action="{{ url_for('ui.update_local_site') }}">
+                <form method="POST" action="{{ url_for('ui.update_local_site') }}" id="localSiteForm">
                     <input type="hidden" name="csrf_token" value="{{ csrf_token() }}"/>
                     <div class="mb-3">
                         <label for="site_id" class="form-label fw-medium">Site ID</label>
@@ -82,66 +90,75 @@
         </div>
 
         <div class="card shadow-sm border-0" style="border-radius: 1rem;">
-            <div class="card-header bg-transparent border-0 pt-4 pb-0 px-4">
+            <div class="card-header bg-transparent border-0 pt-3 pb-0 px-4">
-                <h5 class="fw-semibold d-flex align-items-center gap-2 mb-1">
+                <button class="btn btn-link text-decoration-none p-0 w-100 d-flex align-items-center justify-content-between"
-                    <svg xmlns="http://www.w3.org/2000/svg" width="20" height="20" fill="currentColor" class="text-primary" viewBox="0 0 16 16">
+                    type="button" data-bs-toggle="collapse" data-bs-target="#addPeerCollapse"
-                        <path fill-rule="evenodd" d="M8 2a.5.5 0 0 1 .5.5v5h5a.5.5 0 0 1 0 1h-5v5a.5.5 0 0 1-1 0v-5h-5a.5.5 0 0 1 0-1h5v-5A.5.5 0 0 1 8 2Z"/>
+                    aria-expanded="false" aria-controls="addPeerCollapse">
+                    <span class="d-flex align-items-center gap-2">
+                        <svg xmlns="http://www.w3.org/2000/svg" width="20" height="20" fill="currentColor" class="text-primary" viewBox="0 0 16 16">
+                            <path fill-rule="evenodd" d="M8 2a.5.5 0 0 1 .5.5v5h5a.5.5 0 0 1 0 1h-5v5a.5.5 0 0 1-1 0v-5h-5a.5.5 0 0 1 0-1h5v-5A.5.5 0 0 1 8 2Z"/>
+                        </svg>
+                        <span class="fw-semibold h5 mb-0">Add Peer Site</span>
+                    </span>
+                    <svg xmlns="http://www.w3.org/2000/svg" width="16" height="16" fill="currentColor" class="text-muted add-peer-chevron" viewBox="0 0 16 16">
+                        <path fill-rule="evenodd" d="M1.646 4.646a.5.5 0 0 1 .708 0L8 10.293l5.646-5.647a.5.5 0 0 1 .708.708l-6 6a.5.5 0 0 1-.708 0l-6-6a.5.5 0 0 1 0-.708z"/>
                     </svg>
-                    Add Peer Site
+                </button>
-                </h5>
+                <p class="text-muted small mb-0 mt-1">Register a remote site</p>
-                <p class="text-muted small mb-0">Register a remote site</p>
             </div>
-            <div class="card-body px-4 pb-4">
+            <div class="collapse" id="addPeerCollapse">
-                <form method="POST" action="{{ url_for('ui.add_peer_site') }}">
+                <div class="card-body px-4 pb-4">
-                    <input type="hidden" name="csrf_token" value="{{ csrf_token() }}"/>
+                    <form method="POST" action="{{ url_for('ui.add_peer_site') }}" id="addPeerForm">
-                    <div class="mb-3">
+                        <input type="hidden" name="csrf_token" value="{{ csrf_token() }}"/>
-                        <label for="peer_site_id" class="form-label fw-medium">Site ID</label>
+                        <div class="mb-3">
-                        <input type="text" class="form-control" id="peer_site_id" name="site_id" required placeholder="us-east-1">
+                            <label for="peer_site_id" class="form-label fw-medium">Site ID</label>
-                    </div>
+                            <input type="text" class="form-control" id="peer_site_id" name="site_id" required placeholder="us-east-1">
-                    <div class="mb-3">
-                        <label for="peer_endpoint" class="form-label fw-medium">Endpoint URL</label>
-                        <input type="url" class="form-control" id="peer_endpoint" name="endpoint" required placeholder="https://s3.us-east-1.example.com">
-                    </div>
-                    <div class="mb-3">
-                        <label for="peer_region" class="form-label fw-medium">Region</label>
-                        <input type="text" class="form-control" id="peer_region" name="region" value="us-east-1">
-                    </div>
-                    <div class="row mb-3">
-                        <div class="col-6">
-                            <label for="peer_priority" class="form-label fw-medium">Priority</label>
-                            <input type="number" class="form-control" id="peer_priority" name="priority" value="100" min="0">
                         </div>
-                        <div class="col-6">
+                        <div class="mb-3">
-                            <label for="peer_display_name" class="form-label fw-medium">Display Name</label>
+                            <label for="peer_endpoint" class="form-label fw-medium">Endpoint URL</label>
-                            <input type="text" class="form-control" id="peer_display_name" name="display_name" placeholder="US East DR">
+                            <input type="url" class="form-control" id="peer_endpoint" name="endpoint" required placeholder="https://s3.us-east-1.example.com">
                         </div>
-                    </div>
+                        <div class="mb-3">
-                    <div class="mb-3">
+                            <label for="peer_region" class="form-label fw-medium">Region</label>
-                        <label for="peer_connection_id" class="form-label fw-medium">Connection</label>
+                            <input type="text" class="form-control" id="peer_region" name="region" value="us-east-1">
-                        <select class="form-select" id="peer_connection_id" name="connection_id">
+                        </div>
-                            <option value="">No connection</option>
+                        <div class="row mb-3">
-                            {% for conn in connections %}
+                            <div class="col-6">
-                            <option value="{{ conn.id }}">{{ conn.name }} ({{ conn.endpoint_url }})</option>
+                                <label for="peer_priority" class="form-label fw-medium">Priority</label>
-                            {% endfor %}
+                                <input type="number" class="form-control" id="peer_priority" name="priority" value="100" min="0">
-                        </select>
+                            </div>
-                        <div class="form-text">Link to a remote connection for health checks</div>
+                            <div class="col-6">
-                    </div>
+                                <label for="peer_display_name" class="form-label fw-medium">Display Name</label>
-                    <div class="d-grid">
+                                <input type="text" class="form-control" id="peer_display_name" name="display_name" placeholder="US East DR">
-                        <button type="submit" class="btn btn-primary">
+                            </div>
-                            <svg xmlns="http://www.w3.org/2000/svg" width="14" height="14" fill="currentColor" class="me-1" viewBox="0 0 16 16">
+                        </div>
-                                <path fill-rule="evenodd" d="M8 2a.5.5 0 0 1 .5.5v5h5a.5.5 0 0 1 0 1h-5v5a.5.5 0 0 1-1 0v-5h-5a.5.5 0 0 1 0-1h5v-5A.5.5 0 0 1 8 2Z"/>
+                        <div class="mb-3">
-                            </svg>
+                            <label for="peer_connection_id" class="form-label fw-medium">Connection</label>
-                            Add Peer Site
+                            <select class="form-select" id="peer_connection_id" name="connection_id">
-                        </button>
+                                <option value="">No connection</option>
-                    </div>
+                                {% for conn in connections %}
-                </form>
+                                <option value="{{ conn.id }}">{{ conn.name }} ({{ conn.endpoint_url }})</option>
+                                {% endfor %}
+                            </select>
+                            <div class="form-text">Link to a remote connection for health checks</div>
+                        </div>
+                        <div class="d-grid">
+                            <button type="submit" class="btn btn-primary">
+                                <svg xmlns="http://www.w3.org/2000/svg" width="14" height="14" fill="currentColor" class="me-1" viewBox="0 0 16 16">
+                                    <path fill-rule="evenodd" d="M8 2a.5.5 0 0 1 .5.5v5h5a.5.5 0 0 1 0 1h-5v5a.5.5 0 0 1-1 0v-5h-5a.5.5 0 0 1 0-1h5v-5A.5.5 0 0 1 8 2Z"/>
+                                </svg>
+                                Add Peer Site
+                            </button>
+                        </div>
+                    </form>
+                </div>
             </div>
         </div>
     </div>
 
     <div class="col-lg-8 col-md-7">
         <div class="card shadow-sm border-0" style="border-radius: 1rem;">
-            <div class="card-header bg-transparent border-0 pt-4 pb-0 px-4 d-flex justify-content-between align-items-center">
+            <div class="card-header bg-transparent border-0 pt-4 pb-0 px-4 d-flex justify-content-between align-items-start">
                 <div>
                     <h5 class="fw-semibold d-flex align-items-center gap-2 mb-1">
                         <svg xmlns="http://www.w3.org/2000/svg" width="20" height="20" fill="currentColor" class="text-muted" viewBox="0 0 16 16">
@@ -151,6 +168,14 @@
                     </h5>
                     <p class="text-muted small mb-0">Known remote sites in the cluster</p>
                 </div>
+                {% if peers %}
+                <button type="button" class="btn btn-outline-secondary btn-sm" id="btnCheckAllHealth" title="Check health of all peers">
+                    <svg xmlns="http://www.w3.org/2000/svg" width="14" height="14" fill="currentColor" class="me-1" viewBox="0 0 16 16">
+                        <path d="M11.251.068a.5.5 0 0 1 .227.58L9.677 6.5H13a.5.5 0 0 1 .364.843l-8 8.5a.5.5 0 0 1-.842-.49L6.323 9.5H3a.5.5 0 0 1-.364-.843l8-8.5a.5.5 0 0 1 .615-.09z"/>
+                    </svg>
+                    Check All
+                </button>
+                {% endif %}
             </div>
             <div class="card-body px-4 pb-4">
                 {% if peers %}
@@ -172,7 +197,10 @@
                             {% set peer = item.peer %}
                             <tr data-site-id="{{ peer.site_id }}">
                                 <td class="text-center">
-                                    <span class="peer-health-status" data-site-id="{{ peer.site_id }}" title="{% if peer.is_healthy == true %}Healthy{% elif peer.is_healthy == false %}Unhealthy{% else %}Unknown{% endif %}">
+                                    <span class="peer-health-status" data-site-id="{{ peer.site_id }}"
+                                        data-last-checked="{{ peer.last_health_check or '' }}"
+                                        title="{% if peer.is_healthy == true %}Healthy{% elif peer.is_healthy == false %}Unhealthy{% else %}Not checked{% endif %}{% if peer.last_health_check %} (checked {{ peer.last_health_check }}){% endif %}"
+                                        style="cursor: help;">
                                         {% if peer.is_healthy == true %}
                                         <svg xmlns="http://www.w3.org/2000/svg" width="16" height="16" fill="currentColor" class="text-success" viewBox="0 0 16 16">
                                             <path d="M16 8A8 8 0 1 1 0 8a8 8 0 0 1 16 0zm-3.97-3.03a.75.75 0 0 0-1.08.022L7.477 9.417 5.384 7.323a.75.75 0 0 0-1.06 1.06L6.97 11.03a.75.75 0 0 0 1.079-.02l3.992-4.99a.75.75 0 0 0-.01-1.05z"/>
@@ -205,64 +233,43 @@
                                     </div>
                                 </td>
                                 <td>
-                                    <span class="text-muted small text-truncate d-inline-block" style="max-width: 180px;" title="{{ peer.endpoint }}">{{ peer.endpoint }}</span>
+                                    <span class="endpoint-display text-muted small" data-full-url="{{ peer.endpoint }}" title="{{ peer.endpoint }}" style="cursor: pointer;">
+                                        {% set parsed = peer.endpoint.split('//') %}
+                                        {% if parsed|length > 1 %}{{ parsed[1].split('/')[0] }}{% else %}{{ peer.endpoint }}{% endif %}
+                                    </span>
+                                    <button type="button" class="btn btn-link btn-sm p-0 ms-1 btn-copy-endpoint" data-url="{{ peer.endpoint }}" title="Copy full URL">
+                                        <svg xmlns="http://www.w3.org/2000/svg" width="12" height="12" fill="currentColor" class="text-muted" viewBox="0 0 16 16">
+                                            <path d="M4 1.5H3a2 2 0 0 0-2 2V14a2 2 0 0 0 2 2h10a2 2 0 0 0 2-2V3.5a2 2 0 0 0-2-2h-1v1h1a1 1 0 0 1 1 1V14a1 1 0 0 1-1 1H3a1 1 0 0 1-1-1V3.5a1 1 0 0 1 1-1h1v-1z"/>
+                                            <path d="M9.5 1a.5.5 0 0 1 .5.5v1a.5.5 0 0 1-.5.5h-3a.5.5 0 0 1-.5-.5v-1a.5.5 0 0 1 .5-.5h3zm-3-1A1.5 1.5 0 0 0 5 1.5v1A1.5 1.5 0 0 0 6.5 4h3A1.5 1.5 0 0 0 11 2.5v-1A1.5 1.5 0 0 0 9.5 0h-3z"/>
+                                        </svg>
+                                    </button>
                                 </td>
-                                <td><span class="badge bg-primary bg-opacity-10 text-primary">{{ peer.region }}</span></td>
+                                <td><span class="text-muted small">{{ peer.region }}</span></td>
-                                <td><span class="badge bg-secondary bg-opacity-10 text-secondary">{{ peer.priority }}</span></td>
+                                <td><span class="text-muted small">{{ peer.priority }}</span></td>
                                 <td class="sync-stats-cell" data-site-id="{{ peer.site_id }}">
                                     {% if item.has_connection %}
                                     <div class="d-flex align-items-center gap-2">
                                         <span class="badge bg-primary bg-opacity-10 text-primary">{{ item.buckets_syncing }} bucket{{ 's' if item.buckets_syncing != 1 else '' }}</span>
                                         {% if item.has_bidirectional %}
-                                        <span class="bidir-status-icon" data-site-id="{{ peer.site_id }}" title="Bidirectional sync configured - click to verify">
+                                        <span class="bidir-status-icon" data-site-id="{{ peer.site_id }}" title="Bidirectional sync - click to verify">
                                             <svg xmlns="http://www.w3.org/2000/svg" width="14" height="14" fill="currentColor" class="text-info" viewBox="0 0 16 16" style="cursor: pointer;">
                                                 <path fill-rule="evenodd" d="M1 11.5a.5.5 0 0 0 .5.5h11.793l-3.147 3.146a.5.5 0 0 0 .708.708l4-4a.5.5 0 0 0 0-.708l-4-4a.5.5 0 0 0-.708.708L13.293 11H1.5a.5.5 0 0 0-.5.5zm14-7a.5.5 0 0 1-.5.5H2.707l3.147 3.146a.5.5 0 1 1-.708.708l-4-4a.5.5 0 0 1 0-.708l4-4a.5.5 0 1 1 .708.708L2.707 4H14.5a.5.5 0 0 1 .5.5z"/>
                                             </svg>
                                         </span>
                                         {% endif %}
-                                        {% if item.buckets_syncing > 0 %}
-                                        <button type="button" class="btn btn-sm btn-outline-secondary btn-load-stats py-0 px-1"
-                                            data-site-id="{{ peer.site_id }}" title="Load sync details">
-                                            <svg xmlns="http://www.w3.org/2000/svg" width="12" height="12" fill="currentColor" viewBox="0 0 16 16">
-                                                <path fill-rule="evenodd" d="M8 3a5 5 0 1 0 4.546 2.914.5.5 0 0 1 .908-.417A6 6 0 1 1 8 2v1z"/>
-                                                <path d="M8 4.466V.534a.25.25 0 0 1 .41-.192l2.36 1.966c.12.1.12.284 0 .384L8.41 4.658A.25.25 0 0 1 8 4.466z"/>
-                                            </svg>
-                                        </button>
-                                        {% endif %}
                                     </div>
                                     <div class="sync-stats-detail d-none mt-2 small" id="stats-{{ peer.site_id }}">
                                         <span class="spinner-border spinner-border-sm text-muted" style="width: 12px; height: 12px;"></span>
                                     </div>
                                     {% else %}
-                                    <span class="text-muted small">No connection</span>
+                                    <a href="#" class="text-muted small link-no-connection"
+                                        data-site-id="{{ peer.site_id }}"
+                                        title="Click to link a connection">Link a connection</a>
                                     {% endif %}
                                 </td>
                                 <td class="text-end">
-                                    <div class="btn-group btn-group-sm" role="group">
+                                    <div class="d-flex align-items-center justify-content-end gap-1">
-                                        <a href="{{ url_for('ui.replication_wizard', site_id=peer.site_id) }}"
+                                        <button type="button" class="btn btn-outline-secondary btn-sm"
-                                            class="btn btn-outline-primary {% if not item.has_connection %}disabled{% endif %}"
-                                            title="Set up replication">
-                                            <svg xmlns="http://www.w3.org/2000/svg" width="14" height="14" fill="currentColor" viewBox="0 0 16 16">
-                                                <path d="M11.534 7h3.932a.25.25 0 0 1 .192.41l-1.966 2.36a.25.25 0 0 1-.384 0l-1.966-2.36a.25.25 0 0 1 .192-.41zm-11 2h3.932a.25.25 0 0 0 .192-.41L2.692 6.23a.25.25 0 0 0-.384 0L.342 8.59A.25.25 0 0 0 .534 9z"/>
-                                                <path fill-rule="evenodd" d="M8 3c-1.552 0-2.94.707-3.857 1.818a.5.5 0 1 1-.771-.636A6.002 6.002 0 0 1 13.917 7H12.9A5.002 5.002 0 0 0 8 3zM3.1 9a5.002 5.002 0 0 0 8.757 2.182.5.5 0 1 1 .771.636A6.002 6.002 0 0 1 2.083 9H3.1z"/>
-                                            </svg>
-                                        </a>
-                                        <button type="button" class="btn btn-outline-info btn-check-bidir {% if not item.has_connection %}disabled{% endif %}"
-                                            data-site-id="{{ peer.site_id }}"
-                                            data-display-name="{{ peer.display_name or peer.site_id }}"
-                                            title="Check bidirectional sync status">
-                                            <svg xmlns="http://www.w3.org/2000/svg" width="14" height="14" fill="currentColor" viewBox="0 0 16 16">
-                                                <path fill-rule="evenodd" d="M1 11.5a.5.5 0 0 0 .5.5h11.793l-3.147 3.146a.5.5 0 0 0 .708.708l4-4a.5.5 0 0 0 0-.708l-4-4a.5.5 0 0 0-.708.708L13.293 11H1.5a.5.5 0 0 0-.5.5zm14-7a.5.5 0 0 1-.5.5H2.707l3.147 3.146a.5.5 0 1 1-.708.708l-4-4a.5.5 0 0 1 0-.708l4-4a.5.5 0 1 1 .708.708L2.707 4H14.5a.5.5 0 0 1 .5.5z"/>
-                                            </svg>
-                                        </button>
-                                        <button type="button" class="btn btn-outline-secondary btn-check-health"
-                                            data-site-id="{{ peer.site_id }}"
-                                            title="Check health">
-                                            <svg xmlns="http://www.w3.org/2000/svg" width="14" height="14" fill="currentColor" viewBox="0 0 16 16">
-                                                <path d="M11.251.068a.5.5 0 0 1 .227.58L9.677 6.5H13a.5.5 0 0 1 .364.843l-8 8.5a.5.5 0 0 1-.842-.49L6.323 9.5H3a.5.5 0 0 1-.364-.843l8-8.5a.5.5 0 0 1 .615-.09z"/>
-                                            </svg>
-                                        </button>
-                                        <button type="button" class="btn btn-outline-secondary"
                                             data-bs-toggle="modal"
                                             data-bs-target="#editPeerModal"
                                             data-site-id="{{ peer.site_id }}"
@@ -276,17 +283,68 @@
                                                 <path d="M12.146.146a.5.5 0 0 1 .708 0l3 3a.5.5 0 0 1 0 .708l-10 10a.5.5 0 0 1-.168.11l-5 2a.5.5 0 0 1-.65-.65l2-5a.5.5 0 0 1 .11-.168l10-10zM11.207 2.5 13.5 4.793 14.793 3.5 12.5 1.207 11.207 2.5zm1.586 3L10.5 3.207 4 9.707V10h.5a.5.5 0 0 1 .5.5v.5h.5a.5.5 0 0 1 .5.5v.5h.293l6.5-6.5z"/>
                                             </svg>
                                         </button>
-                                        <button type="button" class="btn btn-outline-danger"
+                                        <div class="dropdown peer-actions-dropdown">
-                                            data-bs-toggle="modal"
+                                            <button class="btn btn-outline-secondary btn-sm" type="button" data-bs-toggle="dropdown" aria-expanded="false" title="More actions">
-                                            data-bs-target="#deletePeerModal"
+                                                <svg xmlns="http://www.w3.org/2000/svg" width="14" height="14" fill="currentColor" viewBox="0 0 16 16">
-                                            data-site-id="{{ peer.site_id }}"
+                                                    <path d="M3 9.5a1.5 1.5 0 1 1 0-3 1.5 1.5 0 0 1 0 3zm5 0a1.5 1.5 0 1 1 0-3 1.5 1.5 0 0 1 0 3zm5 0a1.5 1.5 0 1 1 0-3 1.5 1.5 0 0 1 0 3z"/>
-                                            data-display-name="{{ peer.display_name or peer.site_id }}"
+                                                </svg>
-                                            title="Delete peer">
+                                            </button>
-                                            <svg xmlns="http://www.w3.org/2000/svg" width="14" height="14" fill="currentColor" viewBox="0 0 16 16">
+                                            <ul class="dropdown-menu dropdown-menu-end">
-                                                <path d="M5.5 5.5A.5.5 0 0 1 6 6v6a.5.5 0 0 1-1 0V6a.5.5 0 0 1 .5-.5zm2.5 0a.5.5 0 0 1 .5.5v6a.5.5 0 0 1-1 0V6a.5.5 0 0 1 .5-.5zm3 .5a.5.5 0 0 0-1 0v6a.5.5 0 0 0 1 0V6z"/>
+                                                <li>
-                                                <path fill-rule="evenodd" d="M14.5 3a1 1 0 0 1-1 1H13v9a2 2 0 0 1-2 2H5a2 2 0 0 1-2-2V4h-.5a1 1 0 0 1-1-1V2a1 1 0 0 1 1-1H6a1 1 0 0 1 1-1h2a1 1 0 0 1 1 1h3.5a1 1 0 0 1 1 1v1zM4.118 4 4 4.059V13a1 1 0 0 0 1 1h6a1 1 0 0 0 1-1V4.059L11.882 4H4.118zM2.5 3V2h11v1h-11z"/>
+                                                    <button type="button" class="dropdown-item btn-check-health" data-site-id="{{ peer.site_id }}">
-                                            </svg>
+                                                        <svg xmlns="http://www.w3.org/2000/svg" width="14" height="14" fill="currentColor" class="me-2 text-warning" viewBox="0 0 16 16">
-                                        </button>
+                                                            <path d="M11.251.068a.5.5 0 0 1 .227.58L9.677 6.5H13a.5.5 0 0 1 .364.843l-8 8.5a.5.5 0 0 1-.842-.49L6.323 9.5H3a.5.5 0 0 1-.364-.843l8-8.5a.5.5 0 0 1 .615-.09z"/>
+                                                        </svg>
+                                                        Check Health
+                                                    </button>
+                                                </li>
+                                                <li>
+                                                    <button type="button" class="dropdown-item btn-check-bidir {% if not item.has_connection %}disabled{% endif %}"
+                                                        data-site-id="{{ peer.site_id }}"
+                                                        data-display-name="{{ peer.display_name or peer.site_id }}">
+                                                        <svg xmlns="http://www.w3.org/2000/svg" width="14" height="14" fill="currentColor" class="me-2 text-info" viewBox="0 0 16 16">
+                                                            <path fill-rule="evenodd" d="M1 11.5a.5.5 0 0 0 .5.5h11.793l-3.147 3.146a.5.5 0 0 0 .708.708l4-4a.5.5 0 0 0 0-.708l-4-4a.5.5 0 0 0-.708.708L13.293 11H1.5a.5.5 0 0 0-.5.5zm14-7a.5.5 0 0 1-.5.5H2.707l3.147 3.146a.5.5 0 1 1-.708.708l-4-4a.5.5 0 0 1 0-.708l4-4a.5.5 0 1 1 .708.708L2.707 4H14.5a.5.5 0 0 1 .5.5z"/>
+                                                        </svg>
+                                                        Bidirectional Status
+                                                    </button>
+                                                </li>
+                                                {% if item.has_connection and item.buckets_syncing > 0 %}
+                                                <li>
+                                                    <button type="button" class="dropdown-item btn-load-stats" data-site-id="{{ peer.site_id }}">
+                                                        <svg xmlns="http://www.w3.org/2000/svg" width="14" height="14" fill="currentColor" class="me-2 text-primary" viewBox="0 0 16 16">
+                                                            <path fill-rule="evenodd" d="M8 3a5 5 0 1 0 4.546 2.914.5.5 0 0 1 .908-.417A6 6 0 1 1 8 2v1z"/>
+                                                            <path d="M8 4.466V.534a.25.25 0 0 1 .41-.192l2.36 1.966c.12.1.12.284 0 .384L8.41 4.658A.25.25 0 0 1 8 4.466z"/>
+                                                        </svg>
+                                                        Load Sync Stats
+                                                    </button>
+                                                </li>
+                                                {% endif %}
+                                                <li>
+                                                    <a href="{{ url_for('ui.replication_wizard', site_id=peer.site_id) }}"
+                                                        class="dropdown-item {% if not item.has_connection %}disabled{% endif %}">
+                                                        <svg xmlns="http://www.w3.org/2000/svg" width="14" height="14" fill="currentColor" class="me-2 text-primary" viewBox="0 0 16 16">
+                                                            <path d="M11.534 7h3.932a.25.25 0 0 1 .192.41l-1.966 2.36a.25.25 0 0 1-.384 0l-1.966-2.36a.25.25 0 0 1 .192-.41zm-11 2h3.932a.25.25 0 0 0 .192-.41L2.692 6.23a.25.25 0 0 0-.384 0L.342 8.59A.25.25 0 0 0 .534 9z"/>
+                                                            <path fill-rule="evenodd" d="M8 3c-1.552 0-2.94.707-3.857 1.818a.5.5 0 1 1-.771-.636A6.002 6.002 0 0 1 13.917 7H12.9A5.002 5.002 0 0 0 8 3zM3.1 9a5.002 5.002 0 0 0 8.757 2.182.5.5 0 1 1 .771.636A6.002 6.002 0 0 1 2.083 9H3.1z"/>
+                                                        </svg>
+                                                        Replication Wizard
+                                                    </a>
+                                                </li>
+                                                <li><hr class="dropdown-divider"></li>
+                                                <li>
+                                                    <button type="button" class="dropdown-item text-danger"
+                                                        data-bs-toggle="modal"
+                                                        data-bs-target="#deletePeerModal"
+                                                        data-site-id="{{ peer.site_id }}"
+                                                        data-display-name="{{ peer.display_name or peer.site_id }}">
+                                                        <svg xmlns="http://www.w3.org/2000/svg" width="14" height="14" fill="currentColor" class="me-2" viewBox="0 0 16 16">
+                                                            <path d="M5.5 5.5A.5.5 0 0 1 6 6v6a.5.5 0 0 1-1 0V6a.5.5 0 0 1 .5-.5zm2.5 0a.5.5 0 0 1 .5.5v6a.5.5 0 0 1-1 0V6a.5.5 0 0 1 .5-.5zm3 .5a.5.5 0 0 0-1 0v6a.5.5 0 0 0 1 0V6z"/>
+                                                            <path fill-rule="evenodd" d="M14.5 3a1 1 0 0 1-1 1H13v9a2 2 0 0 1-2 2H5a2 2 0 0 1-2-2V4h-.5a1 1 0 0 1-1-1V2a1 1 0 0 1 1-1H6a1 1 0 0 1 1-1h2a1 1 0 0 1 1 1h3.5a1 1 0 0 1 1 1v1zM4.118 4 4 4.059V13a1 1 0 0 0 1 1h6a1 1 0 0 0 1-1V4.059L11.882 4H4.118zM2.5 3V2h11v1h-11z"/>
+                                                        </svg>
+                                                        Delete Peer
+                                                    </button>
+                                                </li>
+                                            </ul>
+                                        </div>
                                     </div>
                                 </td>
                             </tr>
@@ -445,99 +503,159 @@
 
 <script>
 (function() {
-    const editPeerModal = document.getElementById('editPeerModal');
+    var escapeHtml = window.UICore ? window.UICore.escapeHtml : function(s) { return s; };
+
+    var editPeerModal = document.getElementById('editPeerModal');
     if (editPeerModal) {
         editPeerModal.addEventListener('show.bs.modal', function (event) {
-            const button = event.relatedTarget;
+            var button = event.relatedTarget;
-            const siteId = button.getAttribute('data-site-id');
+            var siteId = button.getAttribute('data-site-id');
-            const endpoint = button.getAttribute('data-endpoint');
-            const region = button.getAttribute('data-region');
-            const priority = button.getAttribute('data-priority');
-            const displayName = button.getAttribute('data-display-name');
-            const connectionId = button.getAttribute('data-connection-id');
-
             document.getElementById('edit_site_id').value = siteId;
-            document.getElementById('edit_endpoint').value = endpoint;
+            document.getElementById('edit_endpoint').value = button.getAttribute('data-endpoint');
-            document.getElementById('edit_region').value = region;
+            document.getElementById('edit_region').value = button.getAttribute('data-region');
-            document.getElementById('edit_priority').value = priority;
+            document.getElementById('edit_priority').value = button.getAttribute('data-priority');
-            document.getElementById('edit_display_name').value = displayName;
+            document.getElementById('edit_display_name').value = button.getAttribute('data-display-name');
-            document.getElementById('edit_connection_id').value = connectionId;
+            document.getElementById('edit_connection_id').value = button.getAttribute('data-connection-id');
-
             document.getElementById('editPeerForm').action = '/ui/sites/peers/' + encodeURIComponent(siteId) + '/update';
         });
     }
 
-    const deletePeerModal = document.getElementById('deletePeerModal');
+    document.querySelectorAll('.link-no-connection').forEach(function(link) {
+        link.addEventListener('click', function(e) {
+            e.preventDefault();
+            var siteId = this.getAttribute('data-site-id');
+            var row = this.closest('tr[data-site-id]');
+            if (row) {
+                var btn = row.querySelector('.btn[data-bs-target="#editPeerModal"]');
+                if (btn) btn.click();
+            }
+        });
+    });
+
+    var deletePeerModal = document.getElementById('deletePeerModal');
     if (deletePeerModal) {
         deletePeerModal.addEventListener('show.bs.modal', function (event) {
-            const button = event.relatedTarget;
+            var button = event.relatedTarget;
-            const siteId = button.getAttribute('data-site-id');
+            var siteId = button.getAttribute('data-site-id');
-            const displayName = button.getAttribute('data-display-name');
+            var displayName = button.getAttribute('data-display-name');
-
             document.getElementById('deletePeerName').textContent = displayName;
             document.getElementById('deletePeerForm').action = '/ui/sites/peers/' + encodeURIComponent(siteId) + '/delete';
         });
     }
 
+    function formatTimeAgo(date) {
+        var seconds = Math.floor((new Date() - date) / 1000);
+        if (seconds < 60) return 'just now';
+        var minutes = Math.floor(seconds / 60);
+        if (minutes < 60) return minutes + 'm ago';
+        var hours = Math.floor(minutes / 60);
+        if (hours < 24) return hours + 'h ago';
+        return Math.floor(hours / 24) + 'd ago';
+    }
+
+    function doHealthCheck(siteId) {
+        var row = document.querySelector('tr[data-site-id="' + CSS.escape(siteId) + '"]');
+        var statusSpan = row ? row.querySelector('.peer-health-status') : null;
+        if (!statusSpan) return Promise.resolve();
+
+        statusSpan.innerHTML = '<span class="spinner-border spinner-border-sm text-muted" role="status" style="width: 14px; height: 14px;"></span>';
+
+        return fetch('/ui/sites/peers/' + encodeURIComponent(siteId) + '/health')
+            .then(function(response) { return response.json(); })
+            .then(function(data) {
+                var now = new Date();
+                statusSpan.setAttribute('data-last-checked', now.toISOString());
+                if (data.is_healthy) {
+                    statusSpan.innerHTML = '<svg xmlns="http://www.w3.org/2000/svg" width="16" height="16" fill="currentColor" class="text-success" viewBox="0 0 16 16"><path d="M16 8A8 8 0 1 1 0 8a8 8 0 0 1 16 0zm-3.97-3.03a.75.75 0 0 0-1.08.022L7.477 9.417 5.384 7.323a.75.75 0 0 0-1.06 1.06L6.97 11.03a.75.75 0 0 0 1.079-.02l3.992-4.99a.75.75 0 0 0-.01-1.05z"/></svg>';
+                    statusSpan.title = 'Healthy (checked ' + formatTimeAgo(now) + ')';
+                    return { siteId: siteId, healthy: true };
+                } else {
+                    statusSpan.innerHTML = '<svg xmlns="http://www.w3.org/2000/svg" width="16" height="16" fill="currentColor" class="text-danger" viewBox="0 0 16 16"><path d="M16 8A8 8 0 1 1 0 8a8 8 0 0 1 16 0zM5.354 4.646a.5.5 0 1 0-.708.708L7.293 8l-2.647 2.646a.5.5 0 0 0 .708.708L8 8.707l2.646 2.647a.5.5 0 0 0 .708-.708L8.707 8l2.647-2.646a.5.5 0 0 0-.708-.708L8 7.293 5.354 4.646z"/></svg>';
+                    statusSpan.title = 'Unhealthy' + (data.error ? ': ' + data.error : '') + ' (checked ' + formatTimeAgo(now) + ')';
+                    return { siteId: siteId, healthy: false, error: data.error };
+                }
+            })
+            .catch(function(err) {
+                statusSpan.innerHTML = '<svg xmlns="http://www.w3.org/2000/svg" width="16" height="16" fill="currentColor" class="text-muted" viewBox="0 0 16 16"><path d="M8 15A7 7 0 1 1 8 1a7 7 0 0 1 0 14zm0 1A8 8 0 1 0 8 0a8 8 0 0 0 0 16z"/><path d="M5.255 5.786a.237.237 0 0 0 .241.247h.825c.138 0 .248-.113.266-.25.09-.656.54-1.134 1.342-1.134.686 0 1.314.343 1.314 1.168 0 .635-.374.927-.965 1.371-.673.489-1.206 1.06-1.168 1.987l.003.217a.25.25 0 0 0 .25.246h.811a.25.25 0 0 0 .25-.25v-.105c0-.718.273-.927 1.01-1.486.609-.463 1.244-.977 1.244-2.056 0-1.511-1.276-2.241-2.673-2.241-1.267 0-2.655.59-2.75 2.286zm1.557 5.763c0 .533.425.927 1.01.927.609 0 1.028-.394 1.028-.927 0-.552-.42-.94-1.029-.94-.584 0-1.009.388-1.009.94z"/></svg>';
+                statusSpan.title = 'Check failed';
+                return { siteId: siteId, healthy: null };
+            });
+    }
+
     document.querySelectorAll('.btn-check-health').forEach(function(btn) {
         btn.addEventListener('click', function() {
-            const siteId = this.getAttribute('data-site-id');
+            var siteId = this.getAttribute('data-site-id');
-            const statusSpan = document.querySelector('.peer-health-status[data-site-id="' + siteId + '"]');
+            doHealthCheck(siteId).then(function(result) {
-
+                if (!result) return;
-            statusSpan.innerHTML = '<span class="spinner-border spinner-border-sm text-muted" role="status" style="width: 14px; height: 14px;"></span>';
+                if (result.healthy === true) {
-
+                    if (window.showToast) window.showToast('Peer site is healthy', 'Health Check', 'success');
-            fetch('/ui/sites/peers/' + encodeURIComponent(siteId) + '/health')
+                } else if (result.healthy === false) {
-                .then(response => response.json())
+                    if (window.showToast) window.showToast(result.error || 'Peer site is unhealthy', 'Health Check', 'error');
-                .then(data => {
+                } else {
-                    if (data.is_healthy) {
-                        statusSpan.innerHTML = '<svg xmlns="http://www.w3.org/2000/svg" width="16" height="16" fill="currentColor" class="text-success" viewBox="0 0 16 16"><path d="M16 8A8 8 0 1 1 0 8a8 8 0 0 1 16 0zm-3.97-3.03a.75.75 0 0 0-1.08.022L7.477 9.417 5.384 7.323a.75.75 0 0 0-1.06 1.06L6.97 11.03a.75.75 0 0 0 1.079-.02l3.992-4.99a.75.75 0 0 0-.01-1.05z"/></svg>';
-                        statusSpan.title = 'Healthy';
-                        if (window.showToast) window.showToast('Peer site is healthy', 'Health Check', 'success');
-                    } else {
-                        statusSpan.innerHTML = '<svg xmlns="http://www.w3.org/2000/svg" width="16" height="16" fill="currentColor" class="text-danger" viewBox="0 0 16 16"><path d="M16 8A8 8 0 1 1 0 8a8 8 0 0 1 16 0zM5.354 4.646a.5.5 0 1 0-.708.708L7.293 8l-2.647 2.646a.5.5 0 0 0 .708.708L8 8.707l2.646 2.647a.5.5 0 0 0 .708-.708L8.707 8l2.647-2.646a.5.5 0 0 0-.708-.708L8 7.293 5.354 4.646z"/></svg>';
-                        statusSpan.title = 'Unhealthy' + (data.error ? ': ' + data.error : '');
-                        if (window.showToast) window.showToast(data.error || 'Peer site is unhealthy', 'Health Check', 'error');
-                    }
-                })
-                .catch(err => {
-                    statusSpan.innerHTML = '<svg xmlns="http://www.w3.org/2000/svg" width="16" height="16" fill="currentColor" class="text-muted" viewBox="0 0 16 16"><path d="M8 15A7 7 0 1 1 8 1a7 7 0 0 1 0 14zm0 1A8 8 0 1 0 8 0a8 8 0 0 0 0 16z"/><path d="M5.255 5.786a.237.237 0 0 0 .241.247h.825c.138 0 .248-.113.266-.25.09-.656.54-1.134 1.342-1.134.686 0 1.314.343 1.314 1.168 0 .635-.374.927-.965 1.371-.673.489-1.206 1.06-1.168 1.987l.003.217a.25.25 0 0 0 .25.246h.811a.25.25 0 0 0 .25-.25v-.105c0-.718.273-.927 1.01-1.486.609-.463 1.244-.977 1.244-2.056 0-1.511-1.276-2.241-2.673-2.241-1.267 0-2.655.59-2.75 2.286zm1.557 5.763c0 .533.425.927 1.01.927.609 0 1.028-.394 1.028-.927 0-.552-.42-.94-1.029-.94-.584 0-1.009.388-1.009.94z"/></svg>';
-                    statusSpan.title = 'Check failed';
                     if (window.showToast) window.showToast('Failed to check health', 'Health Check', 'error');
-                });
+                }
+            });
         });
     });
 
+    var checkAllBtn = document.getElementById('btnCheckAllHealth');
+    if (checkAllBtn) {
+        checkAllBtn.addEventListener('click', function() {
+            var btn = this;
+            var originalHtml = btn.innerHTML;
+            btn.disabled = true;
+            btn.innerHTML = '<span class="spinner-border spinner-border-sm me-1"></span>Checking...';
+
+            var siteIds = [];
+            document.querySelectorAll('.peer-health-status').forEach(function(el) {
+                siteIds.push(el.getAttribute('data-site-id'));
+            });
+
+            var promises = siteIds.map(function(id) { return doHealthCheck(id); });
+            Promise.all(promises).then(function(results) {
+                var healthy = results.filter(function(r) { return r && r.healthy === true; }).length;
+                var unhealthy = results.filter(function(r) { return r && r.healthy === false; }).length;
+                var failed = results.filter(function(r) { return r && r.healthy === null; }).length;
+
+                var msg = healthy + ' healthy';
+                if (unhealthy > 0) msg += ', ' + unhealthy + ' unhealthy';
+                if (failed > 0) msg += ', ' + failed + ' failed';
+                if (window.showToast) window.showToast(msg, 'Health Check', unhealthy > 0 ? 'warning' : 'success');
+
+                btn.disabled = false;
+                btn.innerHTML = originalHtml;
+            });
+        });
+    }
+
     document.querySelectorAll('.btn-load-stats').forEach(function(btn) {
         btn.addEventListener('click', function() {
-            const siteId = this.getAttribute('data-site-id');
+            var siteId = this.getAttribute('data-site-id');
-            const detailDiv = document.getElementById('stats-' + siteId);
+            var detailDiv = document.getElementById('stats-' + siteId);
             if (!detailDiv) return;
 
             detailDiv.classList.remove('d-none');
             detailDiv.innerHTML = '<span class="spinner-border spinner-border-sm text-muted" style="width: 12px; height: 12px;"></span> Loading...';
 
             fetch('/ui/sites/peers/' + encodeURIComponent(siteId) + '/sync-stats')
-                .then(response => response.json())
+                .then(function(response) { return response.json(); })
-                .then(data => {
+                .then(function(data) {
                     if (data.error) {
-                        detailDiv.innerHTML = '<span class="text-danger">' + data.error + '</span>';
+                        detailDiv.innerHTML = '<span class="text-danger">' + escapeHtml(data.error) + '</span>';
                     } else {
-                        const lastSync = data.last_sync_at
+                        var lastSync = data.last_sync_at
                             ? new Date(data.last_sync_at * 1000).toLocaleString()
                             : 'Never';
-                        detailDiv.innerHTML = `
+                        detailDiv.innerHTML =
-                            <div class="d-flex flex-wrap gap-2 mb-1">
+                            '<div class="d-flex flex-wrap gap-2 mb-1">' +
-                                <span class="text-success"><strong>${data.objects_synced}</strong> synced</span>
+                                '<span class="text-success"><strong>' + escapeHtml(String(data.objects_synced)) + '</strong> synced</span>' +
-                                <span class="text-warning"><strong>${data.objects_pending}</strong> pending</span>
+                                '<span class="text-warning"><strong>' + escapeHtml(String(data.objects_pending)) + '</strong> pending</span>' +
-                                <span class="text-danger"><strong>${data.objects_failed}</strong> failed</span>
+                                '<span class="text-danger"><strong>' + escapeHtml(String(data.objects_failed)) + '</strong> failed</span>' +
-                            </div>
+                            '</div>' +
-                            <div class="text-muted" style="font-size: 0.75rem;">
+                            '<div class="text-muted" style="font-size: 0.75rem;">Last sync: ' + escapeHtml(lastSync) + '</div>';
-                                Last sync: ${lastSync}
-                            </div>
-                        `;
                     }
                 })
-                .catch(err => {
+                .catch(function() {
                     detailDiv.innerHTML = '<span class="text-danger">Failed to load stats</span>';
                 });
         });
@@ -545,181 +663,117 @@
 
     document.querySelectorAll('.bidir-status-icon').forEach(function(icon) {
         icon.addEventListener('click', function() {
-            const siteId = this.getAttribute('data-site-id');
+            var siteId = this.getAttribute('data-site-id');
-            const btn = document.querySelector('.btn-check-bidir[data-site-id="' + siteId + '"]');
+            var row = this.closest('tr[data-site-id]');
+            var btn = row ? row.querySelector('.btn-check-bidir') : null;
             if (btn) btn.click();
         });
     });
 
     document.querySelectorAll('.btn-check-bidir').forEach(function(btn) {
         btn.addEventListener('click', function() {
-            const siteId = this.getAttribute('data-site-id');
+            var siteId = this.getAttribute('data-site-id');
-            const displayName = this.getAttribute('data-display-name');
+            var displayName = this.getAttribute('data-display-name');
-            const modal = new bootstrap.Modal(document.getElementById('bidirStatusModal'));
+            var modal = new bootstrap.Modal(document.getElementById('bidirStatusModal'));
-            const contentDiv = document.getElementById('bidirStatusContent');
+            var contentDiv = document.getElementById('bidirStatusContent');
-            const wizardLink = document.getElementById('bidirWizardLink');
+            var wizardLink = document.getElementById('bidirWizardLink');
 
-            contentDiv.innerHTML = `
+            contentDiv.innerHTML =
-                <div class="text-center py-4">
+                '<div class="text-center py-4">' +
-                    <span class="spinner-border text-primary" role="status"></span>
+                    '<span class="spinner-border text-primary" role="status"></span>' +
-                    <p class="text-muted mt-2 mb-0">Checking bidirectional configuration with ${displayName}...</p>
+                    '<p class="text-muted mt-2 mb-0">Checking bidirectional configuration with ' + escapeHtml(displayName) + '...</p>' +
-                </div>
+                '</div>';
-            `;
             wizardLink.classList.add('d-none');
             modal.show();
 
             fetch('/ui/sites/peers/' + encodeURIComponent(siteId) + '/bidirectional-status')
-                .then(response => response.json())
+                .then(function(response) { return response.json(); })
-                .then(data => {
+                .then(function(data) {
-                    let html = '';
+                    var html = '';
 
                     if (data.is_fully_configured) {
-                        html += `
+                        html += '<div class="alert alert-success d-flex align-items-center mb-4" role="alert">' +
-                            <div class="alert alert-success d-flex align-items-center mb-4" role="alert">
+                            '<svg xmlns="http://www.w3.org/2000/svg" width="24" height="24" fill="currentColor" class="flex-shrink-0 me-2" viewBox="0 0 16 16">' +
-                                <svg xmlns="http://www.w3.org/2000/svg" width="24" height="24" fill="currentColor" class="flex-shrink-0 me-2" viewBox="0 0 16 16">
+                                '<path d="M16 8A8 8 0 1 1 0 8a8 8 0 0 1 16 0zm-3.97-3.03a.75.75 0 0 0-1.08.022L7.477 9.417 5.384 7.323a.75.75 0 0 0-1.06 1.06L6.97 11.03a.75.75 0 0 0 1.079-.02l3.992-4.99a.75.75 0 0 0-.01-1.05z"/>' +
-                                    <path d="M16 8A8 8 0 1 1 0 8a8 8 0 0 1 16 0zm-3.97-3.03a.75.75 0 0 0-1.08.022L7.477 9.417 5.384 7.323a.75.75 0 0 0-1.06 1.06L6.97 11.03a.75.75 0 0 0 1.079-.02l3.992-4.99a.75.75 0 0 0-.01-1.05z"/>
+                            '</svg>' +
-                                </svg>
+                            '<div><strong>Bidirectional sync is fully configured!</strong><br><small>Both sites are set up to sync data in both directions.</small></div>' +
-                                <div>
+                        '</div>';
-                                    <strong>Bidirectional sync is fully configured!</strong><br>
-                                    <small>Both sites are set up to sync data in both directions.</small>
-                                </div>
-                            </div>
-                        `;
                     } else if (data.issues && data.issues.length > 0) {
-                        const errors = data.issues.filter(i => i.severity === 'error');
+                        var errors = data.issues.filter(function(i) { return i.severity === 'error'; });
-                        const warnings = data.issues.filter(i => i.severity === 'warning');
+                        var warnings = data.issues.filter(function(i) { return i.severity === 'warning'; });
 
                         if (errors.length > 0) {
-                            html += `
+                            html += '<div class="alert alert-danger mb-3" role="alert">' +
-                                <div class="alert alert-danger mb-3" role="alert">
+                                '<h6 class="alert-heading fw-bold mb-2">' +
-                                    <h6 class="alert-heading fw-bold mb-2">
+                                    '<svg xmlns="http://www.w3.org/2000/svg" width="16" height="16" fill="currentColor" class="me-1" viewBox="0 0 16 16"><path d="M16 8A8 8 0 1 1 0 8a8 8 0 0 1 16 0zM5.354 4.646a.5.5 0 1 0-.708.708L7.293 8l-2.647 2.646a.5.5 0 0 0 .708.708L8 8.707l2.646 2.647a.5.5 0 0 0 .708-.708L8.707 8l2.647-2.646a.5.5 0 0 0-.708-.708L8 7.293 5.354 4.646z"/></svg>' +
-                                        <svg xmlns="http://www.w3.org/2000/svg" width="16" height="16" fill="currentColor" class="me-1" viewBox="0 0 16 16">
+                                    ' Configuration Errors</h6><ul class="mb-0 ps-3">';
-                                            <path d="M16 8A8 8 0 1 1 0 8a8 8 0 0 1 16 0zM5.354 4.646a.5.5 0 1 0-.708.708L7.293 8l-2.647 2.646a.5.5 0 0 0 .708.708L8 8.707l2.646 2.647a.5.5 0 0 0 .708-.708L8.707 8l2.647-2.646a.5.5 0 0 0-.708-.708L8 7.293 5.354 4.646z"/>
+                            errors.forEach(function(issue) {
-                                        </svg>
+                                html += '<li><strong>' + escapeHtml(issue.code) + ':</strong> ' + escapeHtml(issue.message) + '</li>';
-                                        Configuration Errors
-                                    </h6>
-                                    <ul class="mb-0 ps-3">
-                            `;
-                            errors.forEach(issue => {
-                                html += `<li><strong>${issue.code}:</strong> ${issue.message}</li>`;
                             });
                             html += '</ul></div>';
                         }
 
                         if (warnings.length > 0) {
-                            html += `
+                            html += '<div class="alert alert-warning mb-3" role="alert">' +
-                                <div class="alert alert-warning mb-3" role="alert">
+                                '<h6 class="alert-heading fw-bold mb-2">' +
-                                    <h6 class="alert-heading fw-bold mb-2">
+                                    '<svg xmlns="http://www.w3.org/2000/svg" width="16" height="16" fill="currentColor" class="me-1" viewBox="0 0 16 16"><path d="M8.982 1.566a1.13 1.13 0 0 0-1.96 0L.165 13.233c-.457.778.091 1.767.98 1.767h13.713c.889 0 1.438-.99.98-1.767L8.982 1.566zM8 5c.535 0 .954.462.9.995l-.35 3.507a.552.552 0 0 1-1.1 0L7.1 5.995A.905.905 0 0 1 8 5zm.002 6a1 1 0 1 1 0 2 1 1 0 0 1 0-2z"/></svg>' +
-                                        <svg xmlns="http://www.w3.org/2000/svg" width="16" height="16" fill="currentColor" class="me-1" viewBox="0 0 16 16">
+                                    ' Warnings</h6><ul class="mb-0 ps-3">';
-                                            <path d="M8.982 1.566a1.13 1.13 0 0 0-1.96 0L.165 13.233c-.457.778.091 1.767.98 1.767h13.713c.889 0 1.438-.99.98-1.767L8.982 1.566zM8 5c.535 0 .954.462.9.995l-.35 3.507a.552.552 0 0 1-1.1 0L7.1 5.995A.905.905 0 0 1 8 5zm.002 6a1 1 0 1 1 0 2 1 1 0 0 1 0-2z"/>
+                            warnings.forEach(function(issue) {
-                                        </svg>
+                                html += '<li><strong>' + escapeHtml(issue.code) + ':</strong> ' + escapeHtml(issue.message) + '</li>';
-                                        Warnings
-                                    </h6>
-                                    <ul class="mb-0 ps-3">
-                            `;
-                            warnings.forEach(issue => {
-                                html += `<li><strong>${issue.code}:</strong> ${issue.message}</li>`;
                             });
                             html += '</ul></div>';
                         }
                     }
 
                     html += '<div class="row g-3">';
-
+                    html += '<div class="col-md-6"><div class="card h-100"><div class="card-header bg-light py-2"><strong>This Site (Local)</strong></div>' +
-                    html += `
+                        '<div class="card-body small">' +
-                        <div class="col-md-6">
+                            '<p class="mb-1"><strong>Site ID:</strong> ' + (data.local_site_id ? escapeHtml(data.local_site_id) : '<span class="text-danger">Not configured</span>') + '</p>' +
-                            <div class="card h-100">
+                            '<p class="mb-1"><strong>Endpoint:</strong> ' + (data.local_endpoint ? escapeHtml(data.local_endpoint) : '<span class="text-danger">Not configured</span>') + '</p>' +
-                                <div class="card-header bg-light py-2">
+                            '<p class="mb-1"><strong>Site Sync Worker:</strong> ' + (data.local_site_sync_enabled ? '<span class="text-success">Enabled</span>' : '<span class="text-warning">Disabled</span>') + '</p>' +
-                                    <strong>This Site (Local)</strong>
+                            '<p class="mb-0"><strong>Bidirectional Rules:</strong> ' + (data.local_bidirectional_rules ? data.local_bidirectional_rules.length : 0) + '</p>' +
-                                </div>
+                        '</div></div></div>';
-                                <div class="card-body small">
-                                    <p class="mb-1"><strong>Site ID:</strong> ${data.local_site_id || '<span class="text-danger">Not configured</span>'}</p>
-                                    <p class="mb-1"><strong>Endpoint:</strong> ${data.local_endpoint || '<span class="text-danger">Not configured</span>'}</p>
-                                    <p class="mb-1"><strong>Site Sync Worker:</strong> ${data.local_site_sync_enabled ? '<span class="text-success">Enabled</span>' : '<span class="text-warning">Disabled</span>'}</p>
-                                    <p class="mb-0"><strong>Bidirectional Rules:</strong> ${data.local_bidirectional_rules ? data.local_bidirectional_rules.length : 0}</p>
-                                </div>
-                            </div>
-                        </div>
-                    `;
 
                     if (data.remote_status) {
-                        const rs = data.remote_status;
+                        var rs = data.remote_status;
-                        html += `
+                        html += '<div class="col-md-6"><div class="card h-100"><div class="card-header bg-light py-2"><strong>Remote Site (' + escapeHtml(displayName) + ')</strong></div>' +
-                            <div class="col-md-6">
+                            '<div class="card-body small">';
-                                <div class="card h-100">
-                                    <div class="card-header bg-light py-2">
-                                        <strong>Remote Site (${displayName})</strong>
-                                    </div>
-                                    <div class="card-body small">
-                        `;
                         if (rs.admin_access_denied) {
                             html += '<p class="text-warning mb-0">Admin access denied - cannot verify remote configuration</p>';
                         } else if (rs.reachable === false) {
                             html += '<p class="text-danger mb-0">Could not reach remote admin API</p>';
                         } else {
-                            html += `
+                            html += '<p class="mb-1"><strong>Has Peer Entry for Us:</strong> ' + (rs.has_peer_for_us ? '<span class="text-success">Yes</span>' : '<span class="text-danger">No</span>') + '</p>' +
-                                <p class="mb-1"><strong>Has Peer Entry for Us:</strong> ${rs.has_peer_for_us ? '<span class="text-success">Yes</span>' : '<span class="text-danger">No</span>'}</p>
+                                '<p class="mb-1"><strong>Connection Configured:</strong> ' + (rs.peer_connection_configured ? '<span class="text-success">Yes</span>' : '<span class="text-danger">No</span>') + '</p>';
-                                <p class="mb-1"><strong>Connection Configured:</strong> ${rs.peer_connection_configured ? '<span class="text-success">Yes</span>' : '<span class="text-danger">No</span>'}</p>
-                            `;
                         }
                         html += '</div></div></div>';
                     } else {
-                        html += `
+                        html += '<div class="col-md-6"><div class="card h-100"><div class="card-header bg-light py-2"><strong>Remote Site (' + escapeHtml(displayName) + ')</strong></div>' +
-                            <div class="col-md-6">
+                            '<div class="card-body small"><p class="text-muted mb-0">Could not check remote status</p></div></div></div>';
-                                <div class="card h-100">
-                                    <div class="card-header bg-light py-2">
-                                        <strong>Remote Site (${displayName})</strong>
-                                    </div>
-                                    <div class="card-body small">
-                                        <p class="text-muted mb-0">Could not check remote status</p>
-                                    </div>
-                                </div>
-                            </div>
-                        `;
                     }
-
                     html += '</div>';
 
                     if (data.local_bidirectional_rules && data.local_bidirectional_rules.length > 0) {
-                        html += `
+                        html += '<div class="mt-3"><h6 class="fw-semibold">Local Bidirectional Rules</h6>' +
-                            <div class="mt-3">
+                            '<table class="table table-sm table-bordered mb-0"><thead class="table-light"><tr><th>Source Bucket</th><th>Target Bucket</th><th>Status</th></tr></thead><tbody>';
-                                <h6 class="fw-semibold">Local Bidirectional Rules</h6>
+                        data.local_bidirectional_rules.forEach(function(rule) {
-                                <table class="table table-sm table-bordered mb-0">
+                            html += '<tr><td>' + escapeHtml(rule.bucket_name) + '</td><td>' + escapeHtml(rule.target_bucket) + '</td>' +
-                                    <thead class="table-light">
+                                '<td>' + (rule.enabled ? '<span class="badge bg-success">Enabled</span>' : '<span class="badge bg-secondary">Disabled</span>') + '</td></tr>';
-                                        <tr>
-                                            <th>Source Bucket</th>
-                                            <th>Target Bucket</th>
-                                            <th>Status</th>
-                                        </tr>
-                                    </thead>
-                                    <tbody>
-                        `;
-                        data.local_bidirectional_rules.forEach(rule => {
-                            html += `
-                                <tr>
-                                    <td>${rule.bucket_name}</td>
-                                    <td>${rule.target_bucket}</td>
-                                    <td>${rule.enabled ? '<span class="badge bg-success">Enabled</span>' : '<span class="badge bg-secondary">Disabled</span>'}</td>
-                                </tr>
-                            `;
                         });
                         html += '</tbody></table></div>';
                     }
 
                     if (!data.is_fully_configured) {
-                        html += `
+                        html += '<div class="alert alert-info mt-3 mb-0" role="alert">' +
-                            <div class="alert alert-info mt-3 mb-0" role="alert">
+                            '<h6 class="alert-heading fw-bold">How to Fix</h6>' +
-                                <h6 class="alert-heading fw-bold">How to Fix</h6>
+                            '<ol class="mb-0 ps-3">' +
-                                <ol class="mb-0 ps-3">
+                                '<li>Ensure this site has a Site ID and Endpoint URL configured</li>' +
-                                    <li>Ensure this site has a Site ID and Endpoint URL configured</li>
+                                '<li>On the remote site, register this site as a peer with a connection</li>' +
-                                    <li>On the remote site, register this site as a peer with a connection</li>
+                                '<li>Create bidirectional replication rules on both sites</li>' +
-                                    <li>Create bidirectional replication rules on both sites</li>
+                                '<li>Enable SITE_SYNC_ENABLED=true on both sites</li>' +
-                                    <li>Enable SITE_SYNC_ENABLED=true on both sites</li>
+                            '</ol></div>';
-                                </ol>
+                        var blockingErrors = ['NO_CONNECTION', 'CONNECTION_NOT_FOUND', 'REMOTE_UNREACHABLE', 'ENDPOINT_NOT_ALLOWED'];
-                            </div>
+                        var hasBlockingError = data.issues && data.issues.some(function(i) { return blockingErrors.indexOf(i.code) !== -1; });
-                        `;
-                        const blockingErrors = ['NO_CONNECTION', 'CONNECTION_NOT_FOUND', 'REMOTE_UNREACHABLE', 'ENDPOINT_NOT_ALLOWED'];
-                        const hasBlockingError = data.issues && data.issues.some(i => blockingErrors.includes(i.code));
                         if (!hasBlockingError) {
                             wizardLink.href = '/ui/sites/peers/' + encodeURIComponent(siteId) + '/replication-wizard';
                             wizardLink.classList.remove('d-none');
@@ -728,15 +782,110 @@
 
                     contentDiv.innerHTML = html;
                 })
-                .catch(err => {
+                .catch(function(err) {
-                    contentDiv.innerHTML = `
+                    contentDiv.innerHTML = '<div class="alert alert-danger" role="alert"><strong>Error:</strong> Failed to check bidirectional status. ' + escapeHtml(err.message || '') + '</div>';
-                        <div class="alert alert-danger" role="alert">
-                            <strong>Error:</strong> Failed to check bidirectional status. ${err.message || ''}
-                        </div>
-                    `;
                 });
         });
     });
+
+    document.querySelectorAll('.btn-copy-endpoint').forEach(function(btn) {
+        btn.addEventListener('click', function(e) {
+            e.stopPropagation();
+            var url = this.getAttribute('data-url');
+            if (window.UICore && window.UICore.copyToClipboard) {
+                window.UICore.copyToClipboard(url).then(function(ok) {
+                    if (ok && window.showToast) window.showToast('Endpoint URL copied', 'Copied', 'success');
+                });
+            }
+        });
+    });
+
+    var localSiteForm = document.getElementById('localSiteForm');
+    if (localSiteForm) {
+        localSiteForm.addEventListener('submit', function(e) {
+            e.preventDefault();
+            window.UICore.submitFormAjax(this, {
+                successMessage: 'Local site configuration updated',
+                onSuccess: function() {
+                    setTimeout(function() { location.reload(); }, 800);
+                }
+            });
+        });
+    }
+
+    var addPeerForm = document.getElementById('addPeerForm');
+    if (addPeerForm) {
+        addPeerForm.addEventListener('submit', function(e) {
+            e.preventDefault();
+            window.UICore.submitFormAjax(this, {
+                successMessage: 'Peer site added',
+                onSuccess: function(data) {
+                    if (data.redirect) {
+                        setTimeout(function() { window.location.href = data.redirect; }, 800);
+                    } else {
+                        setTimeout(function() { location.reload(); }, 800);
+                    }
+                }
+            });
+        });
+    }
+
+    var editPeerForm = document.getElementById('editPeerForm');
+    if (editPeerForm) {
+        editPeerForm.addEventListener('submit', function(e) {
+            e.preventDefault();
+            var modal = bootstrap.Modal.getInstance(document.getElementById('editPeerModal'));
+            window.UICore.submitFormAjax(this, {
+                successMessage: 'Peer site updated',
+                onSuccess: function() {
+                    if (modal) modal.hide();
+                    setTimeout(function() { location.reload(); }, 800);
+                }
+            });
+        });
+    }
+
+    var deletePeerForm = document.getElementById('deletePeerForm');
+    if (deletePeerForm) {
+        deletePeerForm.addEventListener('submit', function(e) {
+            e.preventDefault();
+            var modal = bootstrap.Modal.getInstance(document.getElementById('deletePeerModal'));
+            window.UICore.submitFormAjax(this, {
+                successMessage: 'Peer site deleted',
+                onSuccess: function() {
+                    if (modal) modal.hide();
+                    setTimeout(function() { location.reload(); }, 800);
+                }
+            });
+        });
+    }
+    document.querySelectorAll('.peer-actions-dropdown').forEach(function(dd) {
+        dd.addEventListener('shown.bs.dropdown', function() {
+            var toggle = dd.querySelector('[data-bs-toggle="dropdown"]');
+            var menu = dd.querySelector('.dropdown-menu');
+            if (!toggle || !menu) return;
+            var rect = toggle.getBoundingClientRect();
+            menu.style.top = rect.bottom + 'px';
+            menu.style.left = (rect.right - menu.offsetWidth) + 'px';
+        });
+    });
 })();
 </script>
+
+<style>
+.add-peer-chevron {
+    transition: transform 0.2s ease;
+}
+[aria-expanded="true"] .add-peer-chevron {
+    transform: rotate(180deg);
+}
+.endpoint-display:hover {
+    text-decoration: underline;
+}
+.peer-actions-dropdown .dropdown-menu {
+    position: fixed !important;
+    inset: auto !important;
+    transform: none !important;
+}
+</style>
 {% endblock %}

templates/website_domains.html

@@ -38,8 +38,16 @@
           <input type="hidden" name="csrf_token" value="{{ csrf_token() }}"/>
           <div class="mb-3">
             <label for="domain" class="form-label fw-medium">Domain</label>
-            <input type="text" class="form-control" id="domain" name="domain" required placeholder="www.example.com">
+            <input type="text" class="form-control" id="domain" name="domain" required
-            <div class="form-text">The hostname that will serve website content.</div>
+                   placeholder="www.example.com"
+                   pattern="^[a-zA-Z0-9]([a-zA-Z0-9\-]*[a-zA-Z0-9])?(\.[a-zA-Z0-9]([a-zA-Z0-9\-]*[a-zA-Z0-9])?)*$"
+                   title="Enter a valid hostname (e.g. www.example.com). Do not include http:// or trailing slashes.">
+            <div class="form-text">Hostname only &mdash; no <code>http://</code> prefix or trailing slash.</div>
+            <div class="invalid-feedback">Enter a valid hostname like www.example.com</div>
+          </div>
+          <div id="domainPreview" class="alert alert-light border small py-2 px-3 mb-3 d-none">
+            <span class="text-muted">Will be accessible at:</span>
+            <code id="domainPreviewUrl" class="ms-1"></code>
           </div>
           <div class="mb-3">
             <label for="bucket" class="form-label fw-medium">Bucket</label>
@@ -56,7 +64,7 @@
             <div class="form-text">The bucket must have website hosting enabled.</div>
           </div>
           <div class="d-grid">
-            <button type="submit" class="btn btn-primary">
+            <button type="submit" class="btn btn-primary" id="addMappingBtn">
               <svg xmlns="http://www.w3.org/2000/svg" width="14" height="14" fill="currentColor" class="me-1" viewBox="0 0 16 16">
                 <path fill-rule="evenodd" d="M8 2a.5.5 0 0 1 .5.5v5h5a.5.5 0 0 1 0 1h-5v5a.5.5 0 0 1-1 0v-5h-5a.5.5 0 0 1 0-1h5v-5A.5.5 0 0 1 8 2Z"/>
               </svg>
@@ -86,22 +94,32 @@
 
   <div class="col-lg-8 col-md-7">
     <div class="card shadow-sm border-0" style="border-radius: 1rem;">
-      <div class="card-header bg-transparent border-0 pt-4 pb-0 px-4 d-flex justify-content-between align-items-center">
+      <div class="card-header bg-transparent border-0 pt-4 pb-0 px-4">
-        <div>
+        <div class="d-flex justify-content-between align-items-center mb-1">
-          <h5 class="fw-semibold d-flex align-items-center gap-2 mb-1">
+          <h5 class="fw-semibold d-flex align-items-center gap-2 mb-0">
             <svg xmlns="http://www.w3.org/2000/svg" width="20" height="20" fill="currentColor" class="text-muted" viewBox="0 0 16 16">
               <path d="M4.715 6.542 3.343 7.914a3 3 0 1 0 4.243 4.243l1.828-1.829A3 3 0 0 0 8.586 5.5L8 6.086a1.002 1.002 0 0 0-.154.199 2 2 0 0 1 .861 3.337L6.88 11.45a2 2 0 1 1-2.83-2.83l.793-.792a4.018 4.018 0 0 1-.128-1.287z"/>
               <path d="M6.586 4.672A3 3 0 0 0 7.414 9.5l.775-.776a2 2 0 0 1-.896-3.346L9.12 3.55a2 2 0 1 1 2.83 2.83l-.793.792c.112.42.155.855.128 1.287l1.372-1.372a3 3 0 1 0-4.243-4.243L6.586 4.672z"/>
             </svg>
             Active Mappings
           </h5>
-          <p class="text-muted small mb-0">Domains currently serving website content</p>
         </div>
+        <p class="text-muted small mb-0">Domains currently serving website content</p>
+        {% if mappings|length > 3 %}
+        <div class="mt-3">
+          <div class="search-input-wrapper">
+            <svg xmlns="http://www.w3.org/2000/svg" width="16" height="16" fill="currentColor" class="search-icon" viewBox="0 0 16 16">
+              <path d="M11.742 10.344a6.5 6.5 0 1 0-1.397 1.398h-.001c.03.04.062.078.098.115l3.85 3.85a1 1 0 0 0 1.415-1.414l-3.85-3.85a1.007 1.007 0 0 0-.115-.1zM12 6.5a5.5 5.5 0 1 1-11 0 5.5 5.5 0 0 1 11 0z"/>
+            </svg>
+            <input type="text" class="form-control" id="domainSearch" placeholder="Filter by domain or bucket..." autocomplete="off" />
+          </div>
+        </div>
+        {% endif %}
       </div>
       <div class="card-body px-4 pb-4">
         {% if mappings %}
         <div class="table-responsive">
-          <table class="table table-hover align-middle mb-0">
+          <table class="table table-hover align-middle mb-0" id="domainTable">
             <thead class="table-light">
               <tr>
                 <th scope="col">Domain</th>
@@ -111,13 +129,16 @@
             </thead>
             <tbody>
               {% for m in mappings %}
-              <tr>
+              <tr data-domain="{{ m.domain }}" data-bucket="{{ m.bucket }}">
                 <td>
                   <div class="d-flex align-items-center gap-2">
-                    <svg xmlns="http://www.w3.org/2000/svg" width="16" height="16" fill="currentColor" class="text-muted" viewBox="0 0 16 16">
+                    <svg xmlns="http://www.w3.org/2000/svg" width="16" height="16" fill="currentColor" class="text-success flex-shrink-0" viewBox="0 0 16 16">
                       <path d="M0 8a8 8 0 1 1 16 0A8 8 0 0 1 0 8zm7.5-6.923c-.67.204-1.335.82-1.887 1.855A7.97 7.97 0 0 0 5.145 4H7.5V1.077zM4.09 4a9.267 9.267 0 0 1 .64-1.539 6.7 6.7 0 0 1 .597-.933A7.025 7.025 0 0 0 2.255 4H4.09zm-.582 3.5c.03-.877.138-1.718.312-2.5H1.674a6.958 6.958 0 0 0-.656 2.5h2.49zM4.847 5a12.5 12.5 0 0 0-.338 2.5H7.5V5H4.847zM8.5 5v2.5h2.99a12.495 12.495 0 0 0-.337-2.5H8.5zM4.51 8.5a12.5 12.5 0 0 0 .337 2.5H7.5V8.5H4.51zm3.99 0V11h2.653c.187-.765.306-1.608.338-2.5H8.5zM5.145 12c.138.386.295.744.468 1.068.552 1.035 1.218 1.65 1.887 1.855V12H5.145zm.182 2.472a6.696 6.696 0 0 1-.597-.933A9.268 9.268 0 0 1 4.09 12H2.255a7.024 7.024 0 0 0 3.072 2.472zM3.82 11a13.652 13.652 0 0 1-.312-2.5h-2.49c.062.89.291 1.733.656 2.5H3.82zm6.853 3.472A7.024 7.024 0 0 0 13.745 12H11.91a9.27 9.27 0 0 1-.64 1.539 6.688 6.688 0 0 1-.597.933zM8.5 12v2.923c.67-.204 1.335-.82 1.887-1.855.173-.324.33-.682.468-1.068H8.5zm3.68-1h2.146c.365-.767.594-1.61.656-2.5h-2.49a13.65 13.65 0 0 1-.312 2.5zm2.802-3.5a6.959 6.959 0 0 0-.656-2.5H12.18c.174.782.282 1.623.312 2.5h2.49zM11.27 2.461c.247.464.462.98.64 1.539h1.835a7.024 7.024 0 0 0-3.072-2.472c.218.284.418.598.597.933zM10.855 4a7.966 7.966 0 0 0-.468-1.068C9.835 1.897 9.17 1.282 8.5 1.077V4h2.355z"/>
                     </svg>
-                    <code class="fw-medium">{{ m.domain }}</code>
+                    <div>
+                      <code class="fw-medium">{{ m.domain }}</code>
+                      <div class="text-muted small">http://{{ m.domain }}</div>
+                    </div>
                   </div>
                 </td>
                 <td><span class="badge bg-primary bg-opacity-10 text-primary">{{ m.bucket }}</span></td>
@@ -151,6 +172,9 @@
             </tbody>
           </table>
         </div>
+        <div id="noSearchResults" class="text-center py-4 d-none">
+          <p class="text-muted mb-0">No mappings match your search.</p>
+        </div>
         {% else %}
         <div class="empty-state text-center py-5">
           <div class="empty-state-icon mx-auto mb-3">
@@ -184,7 +208,7 @@
         <div class="modal-body">
           <div class="mb-3">
             <label class="form-label fw-medium">Domain</label>
-            <input type="text" class="form-control" id="editDomainName" disabled>
+            <input type="text" class="form-control bg-light" id="editDomainName" disabled>
           </div>
           <div class="mb-3">
             <label for="editBucket" class="form-label fw-medium">Bucket</label>
@@ -216,29 +240,30 @@
 <div class="modal fade" id="deleteDomainModal" tabindex="-1" aria-hidden="true">
   <div class="modal-dialog modal-dialog-centered">
     <div class="modal-content">
-      <div class="modal-header border-0 pb-0">
+      <form method="POST" id="deleteDomainForm">
-        <h5 class="modal-title fw-semibold">
+        <input type="hidden" name="csrf_token" value="{{ csrf_token() }}"/>
-          <svg xmlns="http://www.w3.org/2000/svg" width="20" height="20" fill="currentColor" class="text-danger" viewBox="0 0 16 16">
+        <div class="modal-header border-0 pb-0">
-            <path d="M5.5 5.5A.5.5 0 0 1 6 6v6a.5.5 0 0 1-1 0V6a.5.5 0 0 1 .5-.5zm2.5 0a.5.5 0 0 1 .5.5v6a.5.5 0 0 1-1 0V6a.5.5 0 0 1 .5-.5zm3 .5a.5.5 0 0 0-1 0v6a.5.5 0 0 0 1 0V6z"/>
+          <h5 class="modal-title fw-semibold">
-            <path fill-rule="evenodd" d="M14.5 3a1 1 0 0 1-1 1H13v9a2 2 0 0 1-2 2H5a2 2 0 0 1-2-2V4h-.5a1 1 0 0 1-1-1V2a1 1 0 0 1 1-1H6a1 1 0 0 1 1-1h2a1 1 0 0 1 1 1h3.5a1 1 0 0 1 1 1v1zM4.118 4 4 4.059V13a1 1 0 0 0 1 1h6a1 1 0 0 0 1-1V4.059L11.882 4H4.118zM2.5 3V2h11v1h-11z"/>
+            <svg xmlns="http://www.w3.org/2000/svg" width="20" height="20" fill="currentColor" class="text-danger" viewBox="0 0 16 16">
-          </svg>
+              <path d="M5.5 5.5A.5.5 0 0 1 6 6v6a.5.5 0 0 1-1 0V6a.5.5 0 0 1 .5-.5zm2.5 0a.5.5 0 0 1 .5.5v6a.5.5 0 0 1-1 0V6a.5.5 0 0 1 .5-.5zm3 .5a.5.5 0 0 0-1 0v6a.5.5 0 0 0 1 0V6z"/>
-          Delete Domain Mapping
+              <path fill-rule="evenodd" d="M14.5 3a1 1 0 0 1-1 1H13v9a2 2 0 0 1-2 2H5a2 2 0 0 1-2-2V4h-.5a1 1 0 0 1-1-1V2a1 1 0 0 1 1-1H6a1 1 0 0 1 1-1h2a1 1 0 0 1 1 1h3.5a1 1 0 0 1 1 1v1zM4.118 4 4 4.059V13a1 1 0 0 0 1 1h6a1 1 0 0 0 1-1V4.059L11.882 4H4.118zM2.5 3V2h11v1h-11z"/>
-        </h5>
+            </svg>
-        <button type="button" class="btn-close" data-bs-dismiss="modal" aria-label="Close"></button>
+            Delete Domain Mapping
-      </div>
+          </h5>
-      <div class="modal-body">
+          <button type="button" class="btn-close" data-bs-dismiss="modal" aria-label="Close"></button>
-        <p>Are you sure you want to delete the mapping for <strong><code id="deleteDomainName"></code></strong>?</p>
-        <div class="alert alert-warning d-flex align-items-start small" role="alert">
-          <svg xmlns="http://www.w3.org/2000/svg" width="16" height="16" fill="currentColor" class="flex-shrink-0 me-2 mt-0" viewBox="0 0 16 16">
-            <path d="M8 16A8 8 0 1 0 8 0a8 8 0 0 0 0 16zm.93-9.412-1 4.705c-.07.34.029.533.304.533.194 0 .487-.07.686-.246l-.088.416c-.287.346-.92.598-1.465.598-.703 0-1.002-.422-.808-1.319l.738-3.468c.064-.293.006-.399-.287-.47l-.451-.081.082-.381 2.29-.287zM8 5.5a1 1 0 1 1 0-2 1 1 0 0 1 0 2z"/>
-          </svg>
-          <div>This domain will stop serving website content immediately.</div>
         </div>
-      </div>
+        <div class="modal-body">
-      <div class="modal-footer">
+          <p>Are you sure you want to delete the mapping for <strong><code id="deleteDomainName"></code></strong>?</p>
-        <button type="button" class="btn btn-outline-secondary" data-bs-dismiss="modal">Cancel</button>
+          <p class="text-muted small mb-0">Mapped to bucket: <code id="deleteBucketName"></code></p>
-        <form method="POST" id="deleteDomainForm">
+          <div class="alert alert-warning d-flex align-items-start small mt-3 mb-0" role="alert">
-          <input type="hidden" name="csrf_token" value="{{ csrf_token() }}"/>
+            <svg xmlns="http://www.w3.org/2000/svg" width="16" height="16" fill="currentColor" class="flex-shrink-0 me-2 mt-0" viewBox="0 0 16 16">
+              <path d="M8.982 1.566a1.13 1.13 0 0 0-1.96 0L.165 13.233c-.457.778.091 1.767.98 1.767h13.713c.889 0 1.438-.99.98-1.767L8.982 1.566zM8 5c.535 0 .954.462.9.995l-.35 3.507a.552.552 0 0 1-1.1 0L7.1 5.995A.905.905 0 0 1 8 5zm.002 6a1 1 0 1 1 0 2 1 1 0 0 1 0-2z"/>
+            </svg>
+            <div>This domain will stop serving website content immediately.</div>
+          </div>
+        </div>
+        <div class="modal-footer">
+          <button type="button" class="btn btn-outline-secondary" data-bs-dismiss="modal">Cancel</button>
           <button type="submit" class="btn btn-danger">
             <svg xmlns="http://www.w3.org/2000/svg" width="14" height="14" fill="currentColor" class="me-1" viewBox="0 0 16 16">
               <path d="M5.5 5.5A.5.5 0 0 1 6 6v6a.5.5 0 0 1-1 0V6a.5.5 0 0 1 .5-.5zm2.5 0a.5.5 0 0 1 .5.5v6a.5.5 0 0 1-1 0V6a.5.5 0 0 1 .5-.5zm3 .5a.5.5 0 0 0-1 0v6a.5.5 0 0 0 1 0V6z"/>
@@ -246,8 +271,8 @@
             </svg>
             Delete
           </button>
-        </form>
+        </div>
-      </div>
+      </form>
     </div>
   </div>
 </div>
@@ -256,6 +281,43 @@
 {% block extra_scripts %}
 <script>
 (function () {
+  function normalizeDomain(val) {
+    val = val.trim().toLowerCase();
+    if (val.indexOf('https://') === 0) val = val.substring(8);
+    else if (val.indexOf('http://') === 0) val = val.substring(7);
+    var slashIdx = val.indexOf('/');
+    if (slashIdx !== -1) val = val.substring(0, slashIdx);
+    var qIdx = val.indexOf('?');
+    if (qIdx !== -1) val = val.substring(0, qIdx);
+    var hIdx = val.indexOf('#');
+    if (hIdx !== -1) val = val.substring(0, hIdx);
+    var colonIdx = val.indexOf(':');
+    if (colonIdx !== -1) val = val.substring(0, colonIdx);
+    return val;
+  }
+
+  var domainInput = document.getElementById('domain');
+  var preview = document.getElementById('domainPreview');
+  var previewUrl = document.getElementById('domainPreviewUrl');
+  if (domainInput && preview) {
+    domainInput.addEventListener('input', function () {
+      var clean = normalizeDomain(this.value);
+      if (clean && /^[a-z0-9]([a-z0-9\-]*[a-z0-9])?(\.[a-z0-9]([a-z0-9\-]*[a-z0-9])?)*$/.test(clean)) {
+        previewUrl.textContent = 'http://' + clean;
+        preview.classList.remove('d-none');
+      } else {
+        preview.classList.add('d-none');
+      }
+    });
+
+    var createForm = document.getElementById('createDomainForm');
+    if (createForm) {
+      createForm.addEventListener('submit', function () {
+        domainInput.value = normalizeDomain(domainInput.value);
+      });
+    }
+  }
+
   var editModal = document.getElementById('editDomainModal');
   if (editModal) {
     editModal.addEventListener('show.bs.modal', function (event) {
@@ -264,11 +326,7 @@
       var bucket = btn.getAttribute('data-bucket');
       document.getElementById('editDomainName').value = domain;
       var editBucket = document.getElementById('editBucket');
-      if (editBucket.tagName === 'SELECT') {
+      editBucket.value = bucket;
-        editBucket.value = bucket;
-      } else {
-        editBucket.value = bucket;
-      }
       document.getElementById('editDomainForm').action = '{{ url_for("ui.update_website_domain", domain="__DOMAIN__") }}'.replace('__DOMAIN__', encodeURIComponent(domain));
     });
   }
@@ -278,10 +336,32 @@
     deleteModal.addEventListener('show.bs.modal', function (event) {
       var btn = event.relatedTarget;
       var domain = btn.getAttribute('data-domain');
+      var bucket = btn.getAttribute('data-bucket') || '';
       document.getElementById('deleteDomainName').textContent = domain;
+      document.getElementById('deleteBucketName').textContent = bucket;
       document.getElementById('deleteDomainForm').action = '{{ url_for("ui.delete_website_domain", domain="__DOMAIN__") }}'.replace('__DOMAIN__', encodeURIComponent(domain));
     });
   }
+
+  var searchInput = document.getElementById('domainSearch');
+  if (searchInput) {
+    searchInput.addEventListener('input', function () {
+      var q = this.value.toLowerCase();
+      var rows = document.querySelectorAll('#domainTable tbody tr');
+      var visible = 0;
+      rows.forEach(function (row) {
+        var domain = (row.getAttribute('data-domain') || '').toLowerCase();
+        var bucket = (row.getAttribute('data-bucket') || '').toLowerCase();
+        var match = !q || domain.indexOf(q) !== -1 || bucket.indexOf(q) !== -1;
+        row.style.display = match ? '' : 'none';
+        if (match) visible++;
+      });
+      var noResults = document.getElementById('noSearchResults');
+      if (noResults) {
+        noResults.classList.toggle('d-none', visible > 0);
+      }
+    });
+  }
 })();
 </script>
 {% endblock %}

tests/test_notifications.py

@@ -321,8 +321,9 @@ class TestNotificationService:
         assert "events_sent" in stats
         assert "events_failed" in stats
 
-    @patch("app.notifications.requests.post")
+    @patch("app.notifications._pinned_post")
-    def test_send_notification_success(self, mock_post, notification_service):
+    @patch("app.notifications._resolve_and_check_url", return_value="93.184.216.34")
+    def test_send_notification_success(self, mock_resolve, mock_post, notification_service):
         mock_response = MagicMock()
         mock_response.status_code = 200
         mock_post.return_value = mock_response
@@ -337,8 +338,9 @@ class TestNotificationService:
         notification_service._send_notification(event, destination)
         mock_post.assert_called_once()
 
-    @patch("app.notifications.requests.post")
+    @patch("app.notifications._pinned_post")
-    def test_send_notification_retry_on_failure(self, mock_post, notification_service):
+    @patch("app.notifications._resolve_and_check_url", return_value="93.184.216.34")
+    def test_send_notification_retry_on_failure(self, mock_resolve, mock_post, notification_service):
         mock_response = MagicMock()
         mock_response.status_code = 500
         mock_response.text = "Internal Server Error"