feat: add legacy security warning API and UI modal for pre-factory-seal machines

Agent-Logs-Url: https://github.com/naturallaw777/staging_alpha/sessions/f7c8f11b-873b-403f-ac55-8b5b7cd9f1fb

Co-authored-by: naturallaw777 <99053422+naturallaw777@users.noreply.github.com>

app/sovran_systemsos_web/static/css/security.css

@@ -0,0 +1,55 @@
+/* ── Legacy security warning modal ──────────────────────────────── */
+
+.security-warning-dialog {
+  max-width: 520px;
+}
+
+.security-warning-header {
+  background-color: #3b1212;
+  border-bottom-color: #7a2020;
+}
+
+.security-warning-body {
+  display: flex;
+  flex-direction: column;
+  align-items: center;
+  gap: 16px;
+  padding: 24px 20px;
+}
+
+.security-warning-icon {
+  font-size: 2.5rem;
+}
+
+.security-warning-message {
+  text-align: center;
+  color: var(--text-primary);
+  line-height: 1.6;
+  margin: 0;
+}
+
+.security-warning-actions {
+  width: 100%;
+  display: flex;
+  flex-direction: column;
+  align-items: center;
+  gap: 12px;
+}
+
+.security-warning-hint {
+  color: var(--text-secondary);
+  font-size: 0.85rem;
+  margin: 0;
+  text-align: center;
+}
+
+.security-warning-links {
+  display: flex;
+  gap: 12px;
+  flex-wrap: wrap;
+  justify-content: center;
+}
+
+.security-warning-link {
+  text-decoration: none;
+}

app/sovran_systemsos_web/static/js/events.js

@@ -38,6 +38,9 @@ if ($upgradeCloseBtn) $upgradeCloseBtn.addEventListener("click", closeUpgradeMod
 if ($upgradeCancelBtn) $upgradeCancelBtn.addEventListener("click", closeUpgradeModal);
 if ($upgradeModal) $upgradeModal.addEventListener("click", function(e) { if (e.target === $upgradeModal) closeUpgradeModal(); });
 
+// Legacy security warning modal — dismiss closes the modal only
+if ($securityWarningDismiss) $securityWarningDismiss.addEventListener("click", closeSecurityWarningModal);
+
 // ── Upgrade modal functions ───────────────────────────────────────
 
 function openUpgradeModal() {
@@ -84,6 +87,9 @@ async function init() {
     // If we can't reach the endpoint, continue to normal dashboard
   }
 
+  // Check for legacy machine security warning
+  await checkLegacySecurity();
+
   try {
     var cfg = await apiFetch("/api/config");
     _currentRole = cfg.role || "server_plus_desktop";

app/sovran_systemsos_web/static/js/security.js

@@ -0,0 +1,23 @@
+"use strict";
+
+// ── Legacy security warning ───────────────────────────────────────
+
+function openSecurityWarningModal(message) {
+  if ($securityWarningMessage) $securityWarningMessage.textContent = message;
+  if ($securityWarningModal) $securityWarningModal.classList.add("open");
+}
+
+function closeSecurityWarningModal() {
+  if ($securityWarningModal) $securityWarningModal.classList.remove("open");
+}
+
+async function checkLegacySecurity() {
+  try {
+    var data = await apiFetch("/api/security/status");
+    if (data && data.status === "legacy") {
+      openSecurityWarningModal(data.warning || "This machine may have a known factory password. Please change your passwords immediately.");
+    }
+  } catch (_) {
+    // Non-fatal — silently ignore if the endpoint is unreachable
+  }
+}

app/sovran_systemsos_web/static/js/state.js

@@ -99,5 +99,10 @@ const $upgradeConfirmBtn  = document.getElementById("upgrade-confirm-btn");
 const $upgradeCancelBtn   = document.getElementById("upgrade-cancel-btn");
 const $upgradeCloseBtn    = document.getElementById("upgrade-close-btn");
 
+// Legacy security warning modal
+const $securityWarningModal   = document.getElementById("security-warning-modal");
+const $securityWarningMessage = document.getElementById("security-warning-message");
+const $securityWarningDismiss = document.getElementById("security-warning-dismiss-btn");
+
 // System status banner
 // (removed — health is now shown per-tile via the composite health field)