Fixed client mode flow args

.github/workflows/main.yml

@@ -15,7 +15,7 @@ jobs:
     runs-on: ${{ matrix.os }}
     strategy:
       matrix:
-        os: [ubuntu-latest, windows-latest]
+        os: [ubuntu-latest, windows-latest, macos-latest]
         include:
           - os: ubuntu-latest
             build_target: x86_64-unknown-linux-musl
@@ -23,6 +23,9 @@ jobs:
           - os: windows-latest
             build_target: x86_64-pc-windows-msvc
             platform_name: windows-amd64
+          - os: macos-latest
+            build_target: aarch64-apple-darwin
+            platform_name: macos-arm64
     permissions:
       contents: write
     steps:
@@ -54,10 +57,6 @@ jobs:
 
       - uses: dtolnay/rust-toolchain@stable
       
-      - uses: mbrobbel/rustfmt-check@master
-        with:
-          token: ${{ secrets.GITHUB_TOKEN }}
-          
       - name: Install rust targets
         run: rustup target add ${{ matrix.build_target }}
         
@@ -67,8 +66,12 @@ jobs:
         with:
           args: cargo build --target ${{ matrix.build_target }} --release
           
+      - name: Build MacOS
+        if: matrix.os == 'macos-latest'
+        run: cargo build --target ${{ matrix.build_target }} --release
+          
       - name: Build Windows
-        if: matrix.os != 'ubuntu-latest'
+        if: matrix.os == 'windows-latest'
         run: cargo build --target ${{ matrix.build_target }} --release
           
       - name: Upload artifact
@@ -104,12 +107,14 @@ jobs:
     runs-on: ${{ matrix.os }}
     strategy:
       matrix:
-        os: [ubuntu-latest, windows-latest]
+        os: [ubuntu-latest, windows-latest, macos-latest]
         include:
           - os: ubuntu-latest
             platform_name: linux-amd64
           - os: windows-latest
             platform_name: windows-amd64
+          - os: macos-latest
+            platform_name: macos-arm64
     steps:
       - uses: actions/checkout@v4
       

.gitignore

@@ -1 +1,3 @@
 /target
+*.swp
+*.swo

Cargo.lock

@@ -1,6 +1,6 @@
 # This file is automatically @generated by Cargo.
 # It is not intended for manual editing.
-version = 3
+version = 4
 
 [[package]]
 name = "actix-codec"
@@ -836,6 +836,17 @@ dependencies = [
  "digest",
 ]
 
+[[package]]
+name = "hostname"
+version = "0.3.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "3c731c3e10504cc8ed35cfe2f1db4c9274c3d35fa486e3b31df46f068ef3e867"
+dependencies = [
+ "libc",
+ "match_cfg",
+ "winapi",
+]
+
 [[package]]
 name = "http"
 version = "0.2.12"
@@ -1053,19 +1064,23 @@ dependencies = [
 
 [[package]]
 name = "khm"
-version = "0.2.0"
+version = "0.6.1"
 dependencies = [
  "actix-web",
+ "base64 0.21.7",
  "chrono",
  "clap",
  "env_logger",
+ "hostname",
  "log",
  "regex",
  "reqwest",
+ "rust-embed",
  "serde",
  "serde_json",
  "tokio",
  "tokio-postgres",
+ "tokio-util",
 ]
 
 [[package]]
@@ -1119,6 +1134,12 @@ version = "0.4.22"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "a7a70ba024b9dc04c27ea2f0c0548feb474ec5c54bba33a7f72f873a39d07b24"
 
+[[package]]
+name = "match_cfg"
+version = "0.1.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "ffbee8634e0d45d258acb448e7eaab3fce7a0a467395d4d9f228e3c1f01fb2e4"
+
 [[package]]
 name = "md-5"
 version = "0.10.6"
@@ -1555,6 +1576,40 @@ dependencies = [
  "windows-sys 0.52.0",
 ]
 
+[[package]]
+name = "rust-embed"
+version = "8.7.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "025908b8682a26ba8d12f6f2d66b987584a4a87bc024abc5bbc12553a8cd178a"
+dependencies = [
+ "rust-embed-impl",
+ "rust-embed-utils",
+ "walkdir",
+]
+
+[[package]]
+name = "rust-embed-impl"
+version = "8.7.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "6065f1a4392b71819ec1ea1df1120673418bf386f50de1d6f54204d836d4349c"
+dependencies = [
+ "proc-macro2",
+ "quote",
+ "rust-embed-utils",
+ "syn",
+ "walkdir",
+]
+
+[[package]]
+name = "rust-embed-utils"
+version = "8.7.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "f6cc0c81648b20b70c491ff8cce00c1c3b223bb8ed2b5d41f0e54c6c4c0a3594"
+dependencies = [
+ "sha2",
+ "walkdir",
+]
+
 [[package]]
 name = "rustc-demangle"
 version = "0.1.24"
@@ -1629,6 +1684,15 @@ version = "1.0.18"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "f3cb5ba0dc43242ce17de99c180e96db90b235b8a9fdc9543c96d2209116bd9f"
 
+[[package]]
+name = "same-file"
+version = "1.0.6"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "93fc1dc3aaa9bfed95e02e6eadabb4baf7e3078b0bd1b4d7b6b0b68378900502"
+dependencies = [
+ "winapi-util",
+]
+
 [[package]]
 name = "schannel"
 version = "0.1.23"
@@ -2114,6 +2178,16 @@ version = "0.9.4"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "49874b5167b65d7193b8aba1567f5c7d93d001cafc34600cee003eda787e483f"
 
+[[package]]
+name = "walkdir"
+version = "2.5.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "29790946404f91d9c5d06f9874efddea1dc06c5efe94541a7d6863108e3a5e4b"
+dependencies = [
+ "same-file",
+ "winapi-util",
+]
+
 [[package]]
 name = "want"
 version = "0.3.1"
@@ -2222,6 +2296,37 @@ dependencies = [
  "web-sys",
 ]
 
+[[package]]
+name = "winapi"
+version = "0.3.9"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "5c839a674fcd7a98952e593242ea400abe93992746761e38641405d28b00f419"
+dependencies = [
+ "winapi-i686-pc-windows-gnu",
+ "winapi-x86_64-pc-windows-gnu",
+]
+
+[[package]]
+name = "winapi-i686-pc-windows-gnu"
+version = "0.4.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "ac3b87c63620426dd9b991e5ce0329eff545bccbbb34f3be09ff6fb6ab51b7b6"
+
+[[package]]
+name = "winapi-util"
+version = "0.1.9"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "cf221c93e13a30d793f7645a0e7762c55d169dbb0a49671918a2319d289b10bb"
+dependencies = [
+ "windows-sys 0.52.0",
+]
+
+[[package]]
+name = "winapi-x86_64-pc-windows-gnu"
+version = "0.4.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "712e227841d057c1ee1cd2fb22fa7e5a5461ae8e48fa2ca79ec42cfc1931183f"
+
 [[package]]
 name = "windows-core"
 version = "0.52.0"

Cargo.toml

@@ -1,8 +1,8 @@
 [package]
 name = "khm"
-version = "0.2.0"
+version = "0.6.2"
 edition = "2021"
-authors = ["AB <ab@hexor.cy>", "ChatGPT-4o"]
+authors = ["AB <ab@hexor.cy>"]
 
 [dependencies]
 actix-web = "4"
@@ -11,8 +11,12 @@ serde_json = "1.0"
 env_logger = "0.11.3"
 log = "0.4"
 regex = "1.10.5"
+base64 = "0.21"
 tokio = { version = "1", features = ["full"] }
 tokio-postgres = { version = "0.7", features = ["with-chrono-0_4"] }
+tokio-util = { version = "0.7", features = ["codec"] }
 clap = { version = "4", features = ["derive"] }
 chrono = "0.4.38"
-reqwest = { version = "0.12", features = ["json"] }
+reqwest = { version = "0.12", features = ["json"] }
+hostname = "0.3"
+rust-embed = "8.0"

LICENSE-WTFPL

@@ -0,0 +1,13 @@
+        DO WHAT THE FUCK YOU WANT TO PUBLIC LICENSE 
+                    Version 2, December 2004 
+
+ Copyright (C) 2004 Sam Hocevar <sam@hocevar.net> 
+
+ Everyone is permitted to copy and distribute verbatim or modified 
+ copies of this license document, and changing it is allowed as long 
+ as the name is changed. 
+
+            DO WHAT THE FUCK YOU WANT TO PUBLIC LICENSE 
+   TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION 
+
+  0. You just DO WHAT THE FUCK YOU WANT TO.

README.MD

@@ -24,21 +24,24 @@ khm --server --ip 127.0.0.1 --port 8080 --db-host 127.0.0.1 --db-name khm --db-u
 To run the application in client mode, use the following command:
 
 ```bash
-khm --host http://khm.example.com:8080 --known-hosts ~/.ssh/known_hosts --in-place
+khm --host http://khm.example.com:8080/<FLOW_NAME>/ --known-hosts ~/.ssh/known_hosts --in-place
 ```
 
 ### Arguments
-- `--server`: Run in server mode (default: false).
-- `--ip`: IP address to bind the server or client to (default: 127.0.0.1).
-- `--port`: Port to bind the server or client to (default: 8080).
-- `--db-host`: Hostname or IP address of the PostgreSQL database (default: 127.0.0.1).
-- `--db-name`: Name of the PostgreSQL database (default: khm).
-- `--db-user`: Username for the PostgreSQL database (required in server mode).
-- `--db-password`: Password for the PostgreSQL database (required in server mode).
-- `--host`: Host address of the server to connect to in client mode (required in client mode).
-- `--known-hosts`: Path to the `known_hosts` file (default: ~/.ssh/known_hosts).
-- `--in-place`: Update the `known_hosts` file with keys from the server after sending keys (default: false).
-- `--flows`: Comma-separated list of flows to manage (default: default).
+Options:
+- `--server` Run in server mode
+- `--in-place` Server mode: Sync the known_hosts file with keys from the server
+- `--flows <FLOWS>...` Server mode: Comma-separated list of flows to manage [default: default]
+- `-i, --ip <IP>` Server mode: IP address to bind the server to [default: 127.0.0.1]
+- `-p, --port <PORT>` Server mode: Port to bind the server to [default: 8080]
+- `--db-host <DB_HOST>` Server mode: Hostname or IP address of the PostgreSQL database [default: 127.0.0.1]
+- `--db-name <DB_NAME>` Server mode: Name of the PostgreSQL database [default: khm]
+- `--db-user <DB_USER>` Server mode: Username for the PostgreSQL database
+- `--db-password <DB_PASSWORD>` Server mode: Password for the PostgreSQL database
+- `--basic-auth <BASIC_AUTH>` Client mode: Basic Auth credentials [default: ""]
+- `--host <HOST>` Client mode: Full host address of the server to connect to. Like `https://khm.example.com/<FLOW_NAME>`
+- `--known-hosts <KNOWN_HOSTS>` Client mode: Path to the known_hosts file [default: ~/.ssh/known_hosts]
+
 
 ## Installation
 
@@ -59,4 +62,4 @@ Contributions are welcome! Please open an issue or submit a pull request for any
 
 ## License
 
-This project is licensed under the WTFPL License.
+This project is licensed under the WTFPL License.

shell.nix

@@ -0,0 +1,11 @@
+{ pkgs ? import <nixpkgs> {} }:
+
+pkgs.mkShell {
+  buildInputs = [
+    pkgs.openssl
+    pkgs.pkg-config
+  ];
+  shellHook = ''
+    unset OPENSSL_DIR
+  '';
+}

src/client.rs

@@ -1,4 +1,6 @@
+use base64::{engine::general_purpose, Engine as _};
 use log::{error, info};
+use reqwest::header::{HeaderMap, HeaderValue, AUTHORIZATION};
 use reqwest::Client;
 use serde::{Deserialize, Serialize};
 use std::fs::File;
@@ -9,6 +11,8 @@ use std::path::Path;
 struct SshKey {
     server: String,
     public_key: String,
+    #[serde(default)]
+    deprecated: bool,
 }
 
 fn read_known_hosts(file_path: &str) -> io::Result<Vec<SshKey>> {
@@ -24,7 +28,11 @@ fn read_known_hosts(file_path: &str) -> io::Result<Vec<SshKey>> {
                 if parts.len() >= 2 {
                     let server = parts[0].to_string();
                     let public_key = parts[1..].join(" ");
-                    keys.push(SshKey { server, public_key });
+                    keys.push(SshKey {
+                        server,
+                        public_key,
+                        deprecated: false, // Keys from known_hosts are not deprecated
+                    });
                 }
             }
             Err(e) => {
@@ -40,18 +48,73 @@ fn write_known_hosts(file_path: &str, keys: &[SshKey]) -> io::Result<()> {
     let path = Path::new(file_path);
     let mut file = File::create(&path)?;
 
-    for key in keys {
+    // Filter out deprecated keys - they should not be written to known_hosts
+    let active_keys: Vec<&SshKey> = keys.iter().filter(|key| !key.deprecated).collect();
+    let active_count = active_keys.len();
+
+    for key in active_keys {
         writeln!(file, "{} {}", key.server, key.public_key)?;
     }
-    info!("Wrote {} keys to known_hosts file", keys.len());
+    info!(
+        "Wrote {} active keys to known_hosts file (filtered out deprecated keys)",
+        active_count
+    );
 
     Ok(())
 }
 
-async fn send_keys_to_server(host: &str, keys: Vec<SshKey>) -> Result<(), reqwest::Error> {
+// Get local hostname for request headers
+fn get_hostname() -> String {
+    match hostname::get() {
+        Ok(name) => name.to_string_lossy().to_string(),
+        Err(_) => "unknown-host".to_string(),
+    }
+}
+
+async fn send_keys_to_server(
+    host: &str,
+    keys: Vec<SshKey>,
+    auth_string: &str,
+) -> Result<(), reqwest::Error> {
     let client = Client::new();
     let url = format!("{}/keys", host);
-    let response = client.post(&url).json(&keys).send().await?;
+    info!("URL: {} ", url);
+
+    let mut headers = HeaderMap::new();
+
+    // Add hostname header
+    let hostname = get_hostname();
+    headers.insert(
+        "X-Client-Hostname",
+        HeaderValue::from_str(&hostname).unwrap_or_else(|_| {
+            error!("Failed to create hostname header value");
+            HeaderValue::from_static("unknown-host")
+        }),
+    );
+    info!("Adding hostname header: {}", hostname);
+
+    if !auth_string.is_empty() {
+        let parts: Vec<&str> = auth_string.splitn(2, ':').collect();
+        if parts.len() == 2 {
+            let username = parts[0];
+            let password = parts[1];
+
+            let auth_header_value = format!("{}:{}", username, password);
+            let encoded_auth = general_purpose::STANDARD.encode(auth_header_value);
+            let auth_header = format!("Basic {}", encoded_auth);
+
+            headers.insert(AUTHORIZATION, HeaderValue::from_str(&auth_header).unwrap());
+        } else {
+            error!("Invalid auth string format. Expected 'username:password'");
+        }
+    }
+
+    let response = client
+        .post(&url)
+        .headers(headers)
+        .json(&keys)
+        .send()
+        .await?;
 
     if response.status().is_success() {
         info!("Keys successfully sent to server.");
@@ -65,43 +128,102 @@ async fn send_keys_to_server(host: &str, keys: Vec<SshKey>) -> Result<(), reqwes
     Ok(())
 }
 
-async fn get_keys_from_server(host: &str) -> Result<Vec<SshKey>, reqwest::Error> {
+async fn get_keys_from_server(
+    host: &str,
+    auth_string: &str,
+) -> Result<Vec<SshKey>, reqwest::Error> {
     let client = Client::new();
     let url = format!("{}/keys", host);
-    let response = client.get(&url).send().await?;
 
-    if response.status().is_success() {
-        let keys: Vec<SshKey> = response.json().await?;
-        info!("Received {} keys from server", keys.len());
-        Ok(keys)
-    } else {
-        error!(
-            "Failed to get keys from server. Status: {}",
-            response.status()
-        );
-        Ok(vec![])
+    let mut headers = HeaderMap::new();
+
+    // Add hostname header
+    let hostname = get_hostname();
+    headers.insert(
+        "X-Client-Hostname",
+        HeaderValue::from_str(&hostname).unwrap_or_else(|_| {
+            error!("Failed to create hostname header value");
+            HeaderValue::from_static("unknown-host")
+        }),
+    );
+    info!("Adding hostname header: {}", hostname);
+
+    if !auth_string.is_empty() {
+        let parts: Vec<&str> = auth_string.splitn(2, ':').collect();
+        if parts.len() == 2 {
+            let username = parts[0];
+            let password = parts[1];
+
+            let auth_header_value = format!("{}:{}", username, password);
+            let encoded_auth = general_purpose::STANDARD.encode(auth_header_value);
+            let auth_header = format!("Basic {}", encoded_auth);
+
+            headers.insert(AUTHORIZATION, HeaderValue::from_str(&auth_header).unwrap());
+        } else {
+            error!("Invalid auth string format. Expected 'username:password'");
+        }
     }
+
+    let response = client.get(&url).headers(headers).send().await?;
+
+    let response = response.error_for_status()?;
+
+    let keys: Vec<SshKey> = response.json().await?;
+    info!("Received {} keys from server", keys.len());
+    Ok(keys)
 }
 
 pub async fn run_client(args: crate::Args) -> std::io::Result<()> {
     info!("Client mode: Reading known_hosts file");
-    let keys = read_known_hosts(&args.known_hosts).expect("Failed to read known hosts file");
+
+    let keys = match read_known_hosts(&args.known_hosts) {
+        Ok(keys) => keys,
+        Err(e) => {
+            if e.kind() == io::ErrorKind::NotFound {
+                info!(
+                    "known_hosts file not found: {}. Starting with empty key list.",
+                    args.known_hosts
+                );
+                Vec::new()
+            } else {
+                error!("Failed to read known_hosts file: {}", e);
+                return Err(e);
+            }
+        }
+    };
 
     let host = args.host.expect("host is required in client mode");
-    info!("Client mode: Sending keys to server at {}", host);
-    send_keys_to_server(&host, keys)
-        .await
-        .expect("Failed to send keys to server");
+    let flow = args.flow.expect("flow is required in client mode");
+    let url = format!("{}/{}", host, flow);
+
+    info!("Client mode: Sending keys to server at {}", url);
+
+    if let Err(e) = send_keys_to_server(&url, keys, &args.basic_auth).await {
+        error!("Failed to send keys to server: {}", e);
+        return Err(io::Error::new(
+            io::ErrorKind::Other,
+            format!("Network error: {}", e),
+        ));
+    }
 
     if args.in_place {
         info!("Client mode: In-place update is enabled. Fetching keys from server.");
-        let server_keys = get_keys_from_server(&host)
-            .await
-            .expect("Failed to get keys from server");
+        let server_keys = match get_keys_from_server(&url, &args.basic_auth).await {
+            Ok(keys) => keys,
+            Err(e) => {
+                error!("Failed to get keys from server: {}", e);
+                return Err(io::Error::new(
+                    io::ErrorKind::Other,
+                    format!("Network error: {}", e),
+                ));
+            }
+        };
 
         info!("Client mode: Writing updated known_hosts file");
-        write_known_hosts(&args.known_hosts, &server_keys)
-            .expect("Failed to write known hosts file");
+        if let Err(e) = write_known_hosts(&args.known_hosts, &server_keys) {
+            error!("Failed to write known_hosts file: {}", e);
+            return Err(e);
+        }
     }
 
     info!("Client mode: Finished operations");

src/db.rs

@@ -0,0 +1,676 @@
+use crate::server::SshKey;
+use log::{error, info};
+use std::collections::HashMap;
+use std::collections::HashSet;
+use tokio_postgres::tls::NoTlsStream;
+use tokio_postgres::Socket;
+use tokio_postgres::{Client, Connection, NoTls};
+
+// Structure for storing key processing statistics
+pub struct KeyInsertStats {
+    pub total: usize,                   // Total number of received keys
+    pub inserted: usize,                // Number of new keys
+    pub unchanged: usize,               // Number of unchanged keys
+    pub key_id_map: Vec<(SshKey, i32)>, // Mapping of keys to their IDs in the database
+}
+
+// Simple database client that exits on connection errors
+pub struct DbClient {
+    client: Client,
+}
+
+impl DbClient {
+    pub async fn connect(
+        connection_string: &str,
+    ) -> Result<(Self, Connection<Socket, NoTlsStream>), tokio_postgres::Error> {
+        info!("Connecting to database...");
+        let (client, connection) = tokio_postgres::connect(connection_string, NoTls).await?;
+        info!("Successfully connected to database");
+
+        Ok((DbClient { client }, connection))
+    }
+
+    // Helper function to handle database errors - exits the application on connection errors
+    fn handle_db_error<T>(
+        result: Result<T, tokio_postgres::Error>,
+        operation: &str,
+    ) -> Result<T, tokio_postgres::Error> {
+        match result {
+            Ok(value) => Ok(value),
+            Err(e) => {
+                if Self::is_connection_error(&e) {
+                    error!("Database connection lost during {}: {}", operation, e);
+                    error!("Exiting application due to database connection failure");
+                    std::process::exit(1);
+                } else {
+                    // For non-connection errors, just return the error
+                    Err(e)
+                }
+            }
+        }
+    }
+
+    fn is_connection_error(error: &tokio_postgres::Error) -> bool {
+        // Check if the error is related to connection issues
+        let error_str = error.to_string();
+        error_str.contains("connection closed")
+            || error_str.contains("connection reset")
+            || error_str.contains("broken pipe")
+            || error_str.contains("Connection refused")
+            || error_str.contains("connection terminated")
+            || error.as_db_error().is_none() // Non-database errors are often connection issues
+    }
+
+    pub async fn initialize_schema(&self) -> Result<(), tokio_postgres::Error> {
+        info!("Checking and initializing database schema if needed");
+
+        // Check if tables exist by querying information_schema
+        let result = self
+            .client
+            .query(
+                "SELECT EXISTS (
+                    SELECT FROM information_schema.tables 
+                    WHERE table_schema = 'public' 
+                    AND table_name = 'keys'
+                ) AND EXISTS (
+                    SELECT FROM information_schema.tables 
+                    WHERE table_schema = 'public' 
+                    AND table_name = 'flows'
+                )",
+                &[],
+            )
+            .await;
+
+        let tables_exist = Self::handle_db_error(result, "checking table existence")?
+            .get(0)
+            .map(|row| row.get::<_, bool>(0))
+            .unwrap_or(false);
+
+        if !tables_exist {
+            info!("Database schema doesn't exist. Creating tables...");
+
+            // Create the keys table
+            let result = self
+                .client
+                .execute(
+                    "CREATE TABLE IF NOT EXISTS public.keys (
+                        key_id SERIAL PRIMARY KEY,
+                        host VARCHAR(255) NOT NULL,
+                        key TEXT NOT NULL,
+                        updated TIMESTAMP WITH TIME ZONE NOT NULL,
+                        deprecated BOOLEAN NOT NULL DEFAULT FALSE,
+                        CONSTRAINT unique_host_key UNIQUE (host, key)
+                    )",
+                    &[],
+                )
+                .await;
+            Self::handle_db_error(result, "creating keys table")?;
+
+            // Create the flows table
+            let result = self
+                .client
+                .execute(
+                    "CREATE TABLE IF NOT EXISTS public.flows (
+                        flow_id SERIAL PRIMARY KEY,
+                        name VARCHAR(255) NOT NULL,
+                        key_id INTEGER NOT NULL,
+                        CONSTRAINT fk_key
+                            FOREIGN KEY(key_id)
+                            REFERENCES public.keys(key_id)
+                            ON DELETE CASCADE,
+                        CONSTRAINT unique_flow_key UNIQUE (name, key_id)
+                    )",
+                    &[],
+                )
+                .await;
+            Self::handle_db_error(result, "creating flows table")?;
+
+            // Create an index for faster lookups
+            let result = self
+                .client
+                .execute(
+                    "CREATE INDEX IF NOT EXISTS idx_flows_name ON public.flows(name)",
+                    &[],
+                )
+                .await;
+            Self::handle_db_error(result, "creating index")?;
+
+            info!("Database schema created successfully");
+        } else {
+            info!("Database schema already exists");
+
+            // Check if deprecated column exists, add it if missing (migration)
+            let result = self
+                .client
+                .query(
+                    "SELECT EXISTS (
+                        SELECT FROM information_schema.columns 
+                        WHERE table_schema = 'public' 
+                        AND table_name = 'keys' 
+                        AND column_name = 'deprecated'
+                    )",
+                    &[],
+                )
+                .await;
+
+            let column_exists = Self::handle_db_error(result, "checking deprecated column")?
+                .get(0)
+                .map(|row| row.get::<_, bool>(0))
+                .unwrap_or(false);
+
+            if !column_exists {
+                info!("Adding deprecated column to existing keys table...");
+                let result = self.client
+                    .execute(
+                        "ALTER TABLE public.keys ADD COLUMN deprecated BOOLEAN NOT NULL DEFAULT FALSE",
+                        &[],
+                    )
+                    .await;
+                Self::handle_db_error(result, "adding deprecated column")?;
+                info!("Migration completed: deprecated column added");
+            }
+        }
+
+        Ok(())
+    }
+
+    pub async fn batch_insert_keys(
+        &self,
+        keys: &[SshKey],
+    ) -> Result<KeyInsertStats, tokio_postgres::Error> {
+        if keys.is_empty() {
+            return Ok(KeyInsertStats {
+                total: 0,
+                inserted: 0,
+                unchanged: 0,
+                key_id_map: Vec::new(),
+            });
+        }
+
+        // Prepare arrays for batch insertion
+        let mut host_values: Vec<&str> = Vec::with_capacity(keys.len());
+        let mut key_values: Vec<&str> = Vec::with_capacity(keys.len());
+
+        for key in keys {
+            host_values.push(&key.server);
+            key_values.push(&key.public_key);
+        }
+
+        // First, check which keys already exist in the database (including deprecated status)
+        let mut existing_keys = HashMap::new();
+        let mut key_query =
+            String::from("SELECT host, key, key_id, deprecated FROM public.keys WHERE ");
+
+        for i in 0..keys.len() {
+            if i > 0 {
+                key_query.push_str(" OR ");
+            }
+            key_query.push_str(&format!("(host = ${} AND key = ${})", i * 2 + 1, i * 2 + 2));
+        }
+
+        let mut params: Vec<&(dyn tokio_postgres::types::ToSql + Sync)> =
+            Vec::with_capacity(keys.len() * 2);
+        for i in 0..keys.len() {
+            params.push(&host_values[i]);
+            params.push(&key_values[i]);
+        }
+
+        let result = self.client.query(&key_query, &params[..]).await;
+        let rows = Self::handle_db_error(result, "checking existing keys")?;
+
+        for row in rows {
+            let host: String = row.get(0);
+            let key: String = row.get(1);
+            let key_id: i32 = row.get(2);
+            let deprecated: bool = row.get(3);
+            existing_keys.insert((host, key), (key_id, deprecated));
+        }
+
+        // Determine which keys need to be inserted and which already exist
+        let mut keys_to_insert = Vec::new();
+        let mut unchanged_keys = Vec::new();
+        let mut ignored_deprecated = 0;
+
+        for key in keys {
+            let key_tuple = (key.server.clone(), key.public_key.clone());
+            if let Some((key_id, is_deprecated)) = existing_keys.get(&key_tuple) {
+                if *is_deprecated {
+                    // Ignore deprecated keys - don't add them to any flow
+                    ignored_deprecated += 1;
+                } else {
+                    // Key exists and is not deprecated - add to unchanged
+                    unchanged_keys.push((key.clone(), *key_id));
+                }
+            } else {
+                // Key doesn't exist - add to insert list
+                keys_to_insert.push(key.clone());
+            }
+        }
+
+        let mut inserted_keys = Vec::new();
+
+        // If there are keys to insert, perform the insertion
+        if !keys_to_insert.is_empty() {
+            let mut insert_sql =
+                String::from("INSERT INTO public.keys (host, key, updated) VALUES ");
+
+            let mut insert_params: Vec<&(dyn tokio_postgres::types::ToSql + Sync)> = Vec::new();
+            let mut param_count = 1;
+
+            for (i, key) in keys_to_insert.iter().enumerate() {
+                if i > 0 {
+                    insert_sql.push_str(", ");
+                }
+                insert_sql.push_str(&format!("(${}, ${}, NOW())", param_count, param_count + 1));
+                insert_params.push(&key.server);
+                insert_params.push(&key.public_key);
+                param_count += 2;
+            }
+
+            insert_sql.push_str(" RETURNING key_id, host, key");
+
+            let result = self.client.query(&insert_sql, &insert_params[..]).await;
+            let inserted_rows = Self::handle_db_error(result, "inserting keys")?;
+
+            for row in inserted_rows {
+                let host: String = row.get(1);
+                let key_text: String = row.get(2);
+                let key_id: i32 = row.get(0);
+
+                if let Some(orig_key) = keys_to_insert
+                    .iter()
+                    .find(|k| k.server == host && k.public_key == key_text)
+                {
+                    inserted_keys.push((orig_key.clone(), key_id));
+                }
+            }
+        }
+
+        // Save the number of elements before combining
+        let inserted_count = inserted_keys.len();
+        let unchanged_count = unchanged_keys.len();
+
+        // Combine results and generate statistics
+        let mut key_id_map = Vec::with_capacity(unchanged_count + inserted_count);
+        key_id_map.extend(unchanged_keys);
+        key_id_map.extend(inserted_keys);
+
+        let stats = KeyInsertStats {
+            total: keys.len(),
+            inserted: inserted_count,
+            unchanged: unchanged_count,
+            key_id_map,
+        };
+
+        info!(
+            "Keys stats: received={}, new={}, unchanged={}, ignored_deprecated={}",
+            stats.total, stats.inserted, stats.unchanged, ignored_deprecated
+        );
+
+        Ok(stats)
+    }
+
+    pub async fn batch_insert_flow_keys(
+        &self,
+        flow_name: &str,
+        key_ids: &[i32],
+    ) -> Result<usize, tokio_postgres::Error> {
+        if key_ids.is_empty() {
+            info!("No keys to associate with flow '{}'", flow_name);
+            return Ok(0);
+        }
+
+        // First, check which associations already exist
+        let mut existing_query =
+            String::from("SELECT key_id FROM public.flows WHERE name = $1 AND key_id IN (");
+
+        for i in 0..key_ids.len() {
+            if i > 0 {
+                existing_query.push_str(", ");
+            }
+            existing_query.push_str(&format!("${}", i + 2));
+        }
+        existing_query.push_str(")");
+
+        let mut params: Vec<&(dyn tokio_postgres::types::ToSql + Sync)> =
+            Vec::with_capacity(key_ids.len() + 1);
+        params.push(&flow_name);
+        for key_id in key_ids {
+            params.push(key_id);
+        }
+
+        let result = self.client.query(&existing_query, &params[..]).await;
+        let rows = Self::handle_db_error(result, "checking existing flow associations")?;
+
+        let mut existing_associations = HashSet::new();
+        for row in rows {
+            let key_id: i32 = row.get(0);
+            existing_associations.insert(key_id);
+        }
+
+        // Filter only keys that are not yet associated with the flow
+        let new_key_ids: Vec<&i32> = key_ids
+            .iter()
+            .filter(|&id| !existing_associations.contains(id))
+            .collect();
+
+        if new_key_ids.is_empty() {
+            info!(
+                "All {} keys are already associated with flow '{}'",
+                key_ids.len(),
+                flow_name
+            );
+            return Ok(0);
+        }
+
+        // Build SQL query with multiple values only for new associations
+        let mut sql = String::from("INSERT INTO public.flows (name, key_id) VALUES ");
+
+        for i in 0..new_key_ids.len() {
+            if i > 0 {
+                sql.push_str(", ");
+            }
+            sql.push_str(&format!("($1, ${})", i + 2));
+        }
+
+        sql.push_str(" ON CONFLICT (name, key_id) DO NOTHING");
+
+        // Prepare parameters for the query
+        let mut insert_params: Vec<&(dyn tokio_postgres::types::ToSql + Sync)> =
+            Vec::with_capacity(new_key_ids.len() + 1);
+        insert_params.push(&flow_name);
+        for key_id in &new_key_ids {
+            insert_params.push(*key_id);
+        }
+
+        // Execute query
+        let result = self.client.execute(&sql, &insert_params[..]).await;
+        let affected = Self::handle_db_error(result, "inserting flow associations")?;
+
+        let affected_usize = affected as usize;
+
+        info!(
+            "Added {} new key-flow associations for flow '{}' (skipped {} existing)",
+            affected_usize,
+            flow_name,
+            existing_associations.len()
+        );
+
+        Ok(affected_usize)
+    }
+
+    pub async fn get_keys_from_db(
+        &self,
+    ) -> Result<Vec<crate::server::Flow>, tokio_postgres::Error> {
+        let result = self.client.query(
+            "SELECT k.host, k.key, k.deprecated, f.name FROM public.keys k INNER JOIN public.flows f ON k.key_id = f.key_id",
+            &[]
+        ).await;
+        let rows = Self::handle_db_error(result, "getting keys from database")?;
+
+        let mut flows_map: HashMap<String, crate::server::Flow> = HashMap::new();
+
+        for row in rows {
+            let host: String = row.get(0);
+            let key: String = row.get(1);
+            let deprecated: bool = row.get(2);
+            let flow: String = row.get(3);
+
+            let ssh_key = SshKey {
+                server: host,
+                public_key: key,
+                deprecated,
+            };
+
+            if let Some(flow_entry) = flows_map.get_mut(&flow) {
+                flow_entry.servers.push(ssh_key);
+            } else {
+                flows_map.insert(
+                    flow.clone(),
+                    crate::server::Flow {
+                        name: flow,
+                        servers: vec![ssh_key],
+                    },
+                );
+            }
+        }
+
+        info!("Retrieved {} flows from database", flows_map.len());
+        Ok(flows_map.into_values().collect())
+    }
+
+    pub async fn deprecate_key_by_server(
+        &self,
+        server_name: &str,
+        flow_name: &str,
+    ) -> Result<u64, tokio_postgres::Error> {
+        // Update keys to deprecated status for the given server
+        let result = self
+            .client
+            .execute(
+                "UPDATE public.keys 
+                 SET deprecated = TRUE, updated = NOW() 
+                 WHERE host = $1 
+                 AND key_id IN (
+                     SELECT key_id FROM public.flows WHERE name = $2
+                 )",
+                &[&server_name, &flow_name],
+            )
+            .await;
+        let affected = Self::handle_db_error(result, "deprecating key")?;
+
+        info!(
+            "Deprecated {} key(s) for server '{}' in flow '{}'",
+            affected, server_name, flow_name
+        );
+
+        Ok(affected)
+    }
+
+    pub async fn restore_key_by_server(
+        &self,
+        server_name: &str,
+        flow_name: &str,
+    ) -> Result<u64, tokio_postgres::Error> {
+        // Update keys to active status for the given server in the flow
+        let result = self
+            .client
+            .execute(
+                "UPDATE public.keys 
+                 SET deprecated = FALSE, updated = NOW() 
+                 WHERE host = $1 
+                 AND deprecated = TRUE
+                 AND key_id IN (
+                     SELECT key_id FROM public.flows WHERE name = $2
+                 )",
+                &[&server_name, &flow_name],
+            )
+            .await;
+        let affected = Self::handle_db_error(result, "restoring key")?;
+
+        info!(
+            "Restored {} key(s) for server '{}' in flow '{}'",
+            affected, server_name, flow_name
+        );
+
+        Ok(affected)
+    }
+
+    pub async fn permanently_delete_key_by_server(
+        &self,
+        server_name: &str,
+        flow_name: &str,
+    ) -> Result<u64, tokio_postgres::Error> {
+        // First, find the key_ids for the given server in the flow
+        let result = self
+            .client
+            .query(
+                "SELECT k.key_id FROM public.keys k 
+                 INNER JOIN public.flows f ON k.key_id = f.key_id 
+                 WHERE k.host = $1 AND f.name = $2",
+                &[&server_name, &flow_name],
+            )
+            .await;
+        let key_rows = Self::handle_db_error(result, "finding keys to delete")?;
+
+        if key_rows.is_empty() {
+            return Ok(0);
+        }
+
+        let key_ids: Vec<i32> = key_rows.iter().map(|row| row.get::<_, i32>(0)).collect();
+
+        // Delete flow associations first
+        let mut flow_delete_count = 0;
+        for key_id in &key_ids {
+            let result = self
+                .client
+                .execute(
+                    "DELETE FROM public.flows WHERE name = $1 AND key_id = $2",
+                    &[&flow_name, key_id],
+                )
+                .await;
+            let deleted = Self::handle_db_error(result, "deleting flow association")?;
+            flow_delete_count += deleted;
+        }
+
+        // Check if any of these keys are used in other flows
+        let mut keys_to_delete = Vec::new();
+        for key_id in &key_ids {
+            let result = self
+                .client
+                .query_one(
+                    "SELECT COUNT(*) FROM public.flows WHERE key_id = $1",
+                    &[key_id],
+                )
+                .await;
+            let count: i64 = Self::handle_db_error(result, "checking key references")?.get(0);
+
+            if count == 0 {
+                keys_to_delete.push(*key_id);
+            }
+        }
+
+        // Permanently delete keys that are no longer referenced by any flow
+        let mut total_deleted = 0;
+        for key_id in keys_to_delete {
+            let result = self
+                .client
+                .execute("DELETE FROM public.keys WHERE key_id = $1", &[&key_id])
+                .await;
+            let deleted = Self::handle_db_error(result, "deleting key")?;
+            total_deleted += deleted;
+        }
+
+        info!(
+            "Permanently deleted {} flow associations and {} orphaned keys for server '{}' in flow '{}'",
+            flow_delete_count, total_deleted, server_name, flow_name
+        );
+
+        Ok(std::cmp::max(flow_delete_count, total_deleted))
+    }
+}
+
+// Compatibility wrapper for transition
+pub struct ReconnectingDbClient {
+    inner: Option<DbClient>,
+}
+
+impl ReconnectingDbClient {
+    pub fn new(_connection_string: String) -> Self {
+        Self { inner: None }
+    }
+
+    pub async fn connect(&mut self, connection_string: &str) -> Result<(), tokio_postgres::Error> {
+        let (client, connection) = DbClient::connect(connection_string).await?;
+
+        // Spawn connection handler that will exit on error
+        tokio::spawn(async move {
+            if let Err(e) = connection.await {
+                error!("Database connection error: {}", e);
+                error!("Exiting application due to database connection failure");
+                std::process::exit(1);
+            }
+        });
+
+        self.inner = Some(client);
+        Ok(())
+    }
+
+    pub async fn initialize_schema(&self) -> Result<(), tokio_postgres::Error> {
+        match &self.inner {
+            Some(client) => client.initialize_schema().await,
+            None => panic!("Database client not initialized"),
+        }
+    }
+
+    pub async fn batch_insert_keys_reconnecting(
+        &self,
+        keys: Vec<SshKey>,
+    ) -> Result<KeyInsertStats, tokio_postgres::Error> {
+        match &self.inner {
+            Some(client) => client.batch_insert_keys(&keys).await,
+            None => panic!("Database client not initialized"),
+        }
+    }
+
+    pub async fn batch_insert_flow_keys_reconnecting(
+        &self,
+        flow_name: String,
+        key_ids: Vec<i32>,
+    ) -> Result<usize, tokio_postgres::Error> {
+        match &self.inner {
+            Some(client) => client.batch_insert_flow_keys(&flow_name, &key_ids).await,
+            None => panic!("Database client not initialized"),
+        }
+    }
+
+    pub async fn get_keys_from_db_reconnecting(
+        &self,
+    ) -> Result<Vec<crate::server::Flow>, tokio_postgres::Error> {
+        match &self.inner {
+            Some(client) => client.get_keys_from_db().await,
+            None => panic!("Database client not initialized"),
+        }
+    }
+
+    pub async fn deprecate_key_by_server_reconnecting(
+        &self,
+        server_name: String,
+        flow_name: String,
+    ) -> Result<u64, tokio_postgres::Error> {
+        match &self.inner {
+            Some(client) => {
+                client
+                    .deprecate_key_by_server(&server_name, &flow_name)
+                    .await
+            }
+            None => panic!("Database client not initialized"),
+        }
+    }
+
+    pub async fn restore_key_by_server_reconnecting(
+        &self,
+        server_name: String,
+        flow_name: String,
+    ) -> Result<u64, tokio_postgres::Error> {
+        match &self.inner {
+            Some(client) => client.restore_key_by_server(&server_name, &flow_name).await,
+            None => panic!("Database client not initialized"),
+        }
+    }
+
+    pub async fn permanently_delete_key_by_server_reconnecting(
+        &self,
+        server_name: String,
+        flow_name: String,
+    ) -> Result<u64, tokio_postgres::Error> {
+        match &self.inner {
+            Some(client) => {
+                client
+                    .permanently_delete_key_by_server(&server_name, &flow_name)
+                    .await
+            }
+            None => panic!("Database client not initialized"),
+        }
+    }
+}

src/main.rs

@@ -1,5 +1,7 @@
 mod client;
+mod db;
 mod server;
+mod web;
 
 use clap::Parser;
 use env_logger;
@@ -19,12 +21,27 @@ use log::{error, info};
     Running in server mode:\n\
     khm --server --ip 0.0.0.0 --port 1337 --db-host psql.psql.svc --db-name khm --db-user admin --db-password <SECRET> --flows work,home\n\
     \n\
-    Running in client mode to send diff and sync ~/.ssh/known_hosts with remote flow in place:\n\
-    khm --host http://kh.example.com:8080 --known-hosts ~/.ssh/known_hosts --in-place\n\
+    Running in client mode to send diff and sync ~/.ssh/known_hosts with remote flow `work` in place:\n\
+    khm --host https://khm.example.com --flow work --known-hosts ~/.ssh/known_hosts --in-place\n\
     \n\
     "
 )]
 struct Args {
+    /// Run in server mode (default: false)
+    #[arg(long, help = "Run in server mode")]
+    server: bool,
+
+    /// Update the known_hosts file with keys from the server after sending keys (default: false)
+    #[arg(
+        long,
+        help = "Server mode: Sync the known_hosts file with keys from the server"
+    )]
+    in_place: bool,
+
+    /// Comma-separated list of flows to manage (default: default)
+    #[arg(long, default_value = "default", value_parser, num_args = 1.., value_delimiter = ',', help = "Server mode: Comma-separated list of flows to manage")]
+    flows: Vec<String>,
+
     /// IP address to bind the server or client to (default: 127.0.0.1)
     #[arg(
         short,
@@ -79,13 +96,17 @@ struct Args {
     #[arg(
         long,
         required_if_eq("server", "false"),
-        help = "Client mode: Host address of the server to connect to"
+        help = "Client mode: Full host address of the server to connect to. Like https://khm.example.com"
     )]
     host: Option<String>,
 
-    /// Run in server mode (default: false)
-    #[arg(long, help = "Run in server mode")]
-    server: bool,
+    /// Flow name to use on the server
+    #[arg(
+        long,
+        required_if_eq("server", "false"),
+        help = "Client mode: Flow name to use on the server"
+    )]
+    flow: Option<String>,
 
     /// Path to the known_hosts file (default: ~/.ssh/known_hosts)
     #[arg(
@@ -95,16 +116,9 @@ struct Args {
     )]
     known_hosts: String,
 
-    /// Update the known_hosts file with keys from the server after sending keys (default: false)
-    #[arg(
-        long,
-        help = "Server mode: Sync the known_hosts file with keys from the server"
-    )]
-    in_place: bool,
-
-    /// Comma-separated list of flows to manage (default: default)
-    #[arg(long, default_value = "default", value_parser, num_args = 1.., value_delimiter = ',', help = "Comma-separated list of flows to manage")]
-    flows: Vec<String>,
+    /// Basic auth string for client mode. Format: user:pass
+    #[arg(long, default_value = "", help = "Client mode: Basic Auth credentials")]
+    basic_auth: String,
 }
 
 #[actix_web::main]
@@ -114,6 +128,25 @@ async fn main() -> std::io::Result<()> {
 
     let args = Args::parse();
 
+    // Check if we have the minimum required arguments
+    if !args.server && (args.host.is_none() || args.flow.is_none()) {
+        // Neither server mode nor client mode properly configured
+        eprintln!("Error: You must specify either server mode (--server) or client mode (--host and --flow)");
+        eprintln!();
+        eprintln!("Examples:");
+        eprintln!(
+            "  Server mode: {} --server --db-user admin --db-password pass --flows work,home",
+            env!("CARGO_PKG_NAME")
+        );
+        eprintln!(
+            "  Client mode: {} --host https://khm.example.com --flow work",
+            env!("CARGO_PKG_NAME")
+        );
+        eprintln!();
+        eprintln!("Use --help for more information.");
+        std::process::exit(1);
+    }
+
     if args.server {
         info!("Running in server mode");
         if let Err(e) = server::run_server(args).await {

src/server.rs

@@ -1,15 +1,17 @@
-use actix_web::{web, App, HttpResponse, HttpServer, Responder};
+use actix_web::{web, App, HttpRequest, HttpResponse, HttpServer, Responder};
 use log::{error, info};
 use regex::Regex;
 use serde::{Deserialize, Serialize};
-use std::collections::HashMap;
 use std::sync::{Arc, Mutex};
-use tokio_postgres::{Client, NoTls};
+
+use crate::db::ReconnectingDbClient;
 
 #[derive(Serialize, Deserialize, Clone, Debug)]
 pub struct SshKey {
     pub server: String,
     pub public_key: String,
+    #[serde(default)]
+    pub deprecated: bool,
 }
 
 #[derive(Serialize, Deserialize, Clone, Debug)]
@@ -33,104 +35,69 @@ pub fn is_valid_ssh_key(key: &str) -> bool {
         || ed25519_re.is_match(key)
 }
 
-pub async fn insert_key_if_not_exists(
-    client: &Client,
-    key: &SshKey,
-) -> Result<i32, tokio_postgres::Error> {
-    let row = client
-        .query_opt(
-            "SELECT key_id FROM public.keys WHERE host = $1 AND key = $2",
-            &[&key.server, &key.public_key],
-        )
-        .await?;
-
-    if let Some(row) = row {
-        client
-            .execute(
-                "UPDATE public.keys SET updated = NOW() WHERE key_id = $1",
-                &[&row.get::<_, i32>(0)],
-            )
-            .await?;
-        info!("Updated existing key for server: {}", key.server);
-        Ok(row.get(0))
-    } else {
-        let row = client.query_one(
-            "INSERT INTO public.keys (host, key, updated) VALUES ($1, $2, NOW()) RETURNING key_id",
-            &[&key.server, &key.public_key]
-        ).await?;
-        info!("Inserted new key for server: {}", key.server);
-        Ok(row.get(0))
-    }
-}
-
-pub async fn insert_flow_key(
-    client: &Client,
-    flow_name: &str,
-    key_id: i32,
-) -> Result<(), tokio_postgres::Error> {
-    client
-        .execute(
-            "INSERT INTO public.flows (name, key_id) VALUES ($1, $2) ON CONFLICT DO NOTHING",
-            &[&flow_name, &key_id],
-        )
-        .await?;
-    info!("Inserted key_id {} into flow: {}", key_id, flow_name);
-    Ok(())
-}
-
-pub async fn get_keys_from_db(client: &Client) -> Result<Vec<Flow>, tokio_postgres::Error> {
-    let rows = client.query(
-        "SELECT k.host, k.key, f.name FROM public.keys k INNER JOIN public.flows f ON k.key_id = f.key_id",
-        &[]
-    ).await?;
-
-    let mut flows_map: HashMap<String, Flow> = HashMap::new();
-
-    for row in rows {
-        let host: String = row.get(0);
-        let key: String = row.get(1);
-        let flow: String = row.get(2);
-
-        let ssh_key = SshKey {
-            server: host,
-            public_key: key,
-        };
-
-        if let Some(flow_entry) = flows_map.get_mut(&flow) {
-            flow_entry.servers.push(ssh_key);
-        } else {
-            flows_map.insert(
-                flow.clone(),
-                Flow {
-                    name: flow,
-                    servers: vec![ssh_key],
-                },
-            );
+// Extract client hostname from request headers
+fn get_client_hostname(req: &HttpRequest) -> String {
+    if let Some(hostname) = req.headers().get("X-Client-Hostname") {
+        if let Ok(hostname_str) = hostname.to_str() {
+            return hostname_str.to_string();
         }
     }
-
-    info!("Retrieved {} flows from database", flows_map.len());
-    Ok(flows_map.into_values().collect())
+    "unknown-client".to_string()
 }
 
 pub async fn get_keys(
     flows: web::Data<Flows>,
     flow_id: web::Path<String>,
     allowed_flows: web::Data<Vec<String>>,
+    req: HttpRequest,
+    query: web::Query<std::collections::HashMap<String, String>>,
 ) -> impl Responder {
+    let client_hostname = get_client_hostname(&req);
     let flow_id_str = flow_id.into_inner();
+
+    info!(
+        "Received keys request from client '{}' for flow '{}'",
+        client_hostname, flow_id_str
+    );
+
     if !allowed_flows.contains(&flow_id_str) {
-        error!("Flow ID not allowed: {}", flow_id_str);
+        error!(
+            "Flow ID not allowed for client '{}': {}",
+            client_hostname, flow_id_str
+        );
         return HttpResponse::Forbidden().body("Flow ID not allowed");
     }
 
     let flows = flows.lock().unwrap();
     if let Some(flow) = flows.iter().find(|flow| flow.name == flow_id_str) {
-        let servers: Vec<&SshKey> = flow.servers.iter().collect();
-        info!("Returning {} keys for flow: {}", servers.len(), flow_id_str);
+        // Check if we should include deprecated keys (default: false for CLI clients)
+        let include_deprecated = query
+            .get("include_deprecated")
+            .map(|v| v == "true")
+            .unwrap_or(false);
+
+        let servers: Vec<&SshKey> = if include_deprecated {
+            // Return all keys (for web interface)
+            flow.servers.iter().collect()
+        } else {
+            // Return only active keys (for CLI clients)
+            flow.servers.iter().filter(|key| !key.deprecated).collect()
+        };
+
+        info!(
+            "Returning {} keys ({} total, deprecated filtered: {}) for flow '{}' to client '{}'",
+            servers.len(),
+            flow.servers.len(),
+            !include_deprecated,
+            flow_id_str,
+            client_hostname
+        );
         HttpResponse::Ok().json(servers)
     } else {
-        error!("Flow ID not found: {}", flow_id_str);
+        error!(
+            "Flow ID not found for client '{}': {}",
+            client_hostname, flow_id_str
+        );
         HttpResponse::NotFound().body("Flow ID not found")
     }
 }
@@ -139,44 +106,106 @@ pub async fn add_keys(
     flows: web::Data<Flows>,
     flow_id: web::Path<String>,
     new_keys: web::Json<Vec<SshKey>>,
-    db_client: web::Data<Arc<Client>>,
+    db_client: web::Data<Arc<ReconnectingDbClient>>,
     allowed_flows: web::Data<Vec<String>>,
+    req: HttpRequest,
 ) -> impl Responder {
+    let client_hostname = get_client_hostname(&req);
     let flow_id_str = flow_id.into_inner();
+
+    info!(
+        "Received {} keys from client '{}' for flow '{}'",
+        new_keys.len(),
+        client_hostname,
+        flow_id_str
+    );
+
     if !allowed_flows.contains(&flow_id_str) {
-        error!("Flow ID not allowed: {}", flow_id_str);
+        error!(
+            "Flow ID not allowed for client '{}': {}",
+            client_hostname, flow_id_str
+        );
         return HttpResponse::Forbidden().body("Flow ID not allowed");
     }
 
+    // Check SSH key format
+    let mut valid_keys = Vec::new();
     for new_key in new_keys.iter() {
         if !is_valid_ssh_key(&new_key.public_key) {
-            error!("Invalid SSH key format for server: {}", new_key.server);
+            error!(
+                "Invalid SSH key format from client '{}' for server: {}",
+                client_hostname, new_key.server
+            );
             return HttpResponse::BadRequest().body(format!(
                 "Invalid SSH key format for server: {}",
                 new_key.server
             ));
         }
-
-        match insert_key_if_not_exists(&db_client, new_key).await {
-            Ok(key_id) => {
-                if let Err(e) = insert_flow_key(&db_client, &flow_id_str, key_id).await {
-                    error!("Failed to insert flow key into database: {}", e);
-                    return HttpResponse::InternalServerError()
-                        .body("Failed to insert flow key into database");
-                }
-            }
-            Err(e) => {
-                error!("Failed to insert key into database: {}", e);
-                return HttpResponse::InternalServerError()
-                    .body("Failed to insert key into database");
-            }
-        }
+        valid_keys.push(new_key.clone());
     }
 
-    let updated_flows = match get_keys_from_db(&db_client).await {
+    info!(
+        "Processing batch of {} keys from client '{}' for flow: {}",
+        valid_keys.len(),
+        client_hostname,
+        flow_id_str
+    );
+
+    // Batch insert keys with statistics
+    let key_stats = match db_client
+        .batch_insert_keys_reconnecting(valid_keys.clone())
+        .await
+    {
+        Ok(stats) => stats,
+        Err(e) => {
+            error!(
+                "Failed to batch insert keys from client '{}' into database: {}",
+                client_hostname, e
+            );
+            return HttpResponse::InternalServerError()
+                .body("Failed to batch insert keys into database");
+        }
+    };
+
+    // Always try to associate all keys with the flow, regardless of whether they're new or existing
+    if !key_stats.key_id_map.is_empty() {
+        // Extract all key IDs from statistics, both new and existing
+        let key_ids: Vec<i32> = key_stats.key_id_map.iter().map(|(_, id)| *id).collect();
+
+        // Batch insert key-flow associations
+        if let Err(e) = db_client
+            .batch_insert_flow_keys_reconnecting(flow_id_str.clone(), key_ids.clone())
+            .await
+        {
+            error!(
+                "Failed to batch insert flow keys from client '{}' into database: {}",
+                client_hostname, e
+            );
+            return HttpResponse::InternalServerError()
+                .body("Failed to batch insert flow keys into database");
+        }
+
+        info!(
+            "Added flow associations for {} keys from client '{}' in flow '{}'",
+            key_ids.len(),
+            client_hostname,
+            flow_id_str
+        );
+    } else {
+        info!(
+            "No keys to associate from client '{}' with flow '{}'",
+            client_hostname, flow_id_str
+        );
+    }
+
+    // Get updated data
+    let updated_flows = match db_client.get_keys_from_db_reconnecting().await {
         Ok(flows) => flows,
         Err(e) => {
-            error!("Failed to get updated flows from database: {}", e);
+            error!(
+                "Failed to get updated flows from database after client '{}' request: {}",
+                client_hostname, e
+            );
             return HttpResponse::InternalServerError()
                 .body("Failed to refresh flows from database");
         }
@@ -188,10 +217,28 @@ pub async fn add_keys(
     let updated_flow = flows_guard.iter().find(|flow| flow.name == flow_id_str);
     if let Some(flow) = updated_flow {
         let servers: Vec<&SshKey> = flow.servers.iter().collect();
-        info!("Updated flow: {} with {} keys", flow_id_str, servers.len());
-        HttpResponse::Ok().json(servers)
+        info!(
+            "Keys summary for client '{}', flow '{}': total received={}, new={}, unchanged={}, total in flow={}",
+            client_hostname,
+            flow_id_str,
+            key_stats.total,
+            key_stats.inserted,
+            key_stats.unchanged,
+            servers.len()
+        );
+
+        // Add statistics to HTTP response headers
+        let mut response = HttpResponse::Ok();
+        response.append_header(("X-Keys-Total", key_stats.total.to_string()));
+        response.append_header(("X-Keys-New", key_stats.inserted.to_string()));
+        response.append_header(("X-Keys-Unchanged", key_stats.unchanged.to_string()));
+
+        response.json(servers)
     } else {
-        error!("Flow ID not found after update: {}", flow_id_str);
+        error!(
+            "Flow ID not found after update from client '{}': {}",
+            client_hostname, flow_id_str
+        );
         HttpResponse::NotFound().body("Flow ID not found")
     }
 }
@@ -207,17 +254,30 @@ pub async fn run_server(args: crate::Args) -> std::io::Result<()> {
         args.db_host, db_user, db_password, args.db_name
     );
 
-    let (db_client, connection) = tokio_postgres::connect(&db_conn_str, NoTls).await.unwrap();
-    let db_client = Arc::new(db_client);
+    info!("Creating database client for {}", args.db_host);
+    let mut db_client_temp = ReconnectingDbClient::new(db_conn_str.clone());
 
-    // Spawn a new thread to run the database connection
-    tokio::spawn(async move {
-        if let Err(e) = connection.await {
-            error!("Connection error: {}", e);
-        }
-    });
+    // Initial connection
+    if let Err(e) = db_client_temp.connect(&db_conn_str).await {
+        error!("Failed to connect to the database: {}", e);
+        return Err(std::io::Error::new(
+            std::io::ErrorKind::ConnectionRefused,
+            format!("Database connection error: {}", e),
+        ));
+    }
 
-    let mut initial_flows = match get_keys_from_db(&db_client).await {
+    let db_client = Arc::new(db_client_temp);
+
+    // Initialize database schema if needed
+    if let Err(e) = db_client.initialize_schema().await {
+        error!("Failed to initialize database schema: {}", e);
+        return Err(std::io::Error::new(
+            std::io::ErrorKind::Other,
+            format!("Database schema initialization error: {}", e),
+        ));
+    }
+
+    let mut initial_flows = match db_client.get_keys_from_db_reconnecting().await {
         Ok(flows) => flows,
         Err(e) => {
             error!("Failed to get initial flows from database: {}", e);
@@ -244,8 +304,29 @@ pub async fn run_server(args: crate::Args) -> std::io::Result<()> {
             .app_data(web::Data::new(flows.clone()))
             .app_data(web::Data::new(db_client.clone()))
             .app_data(allowed_flows.clone())
+            // API routes
+            .route("/api/flows", web::get().to(crate::web::get_flows_api))
+            .route(
+                "/{flow_id}/keys/{server}",
+                web::delete().to(crate::web::delete_key_by_server),
+            )
+            .route(
+                "/{flow_id}/keys/{server}/restore",
+                web::post().to(crate::web::restore_key_by_server),
+            )
+            .route(
+                "/{flow_id}/keys/{server}/delete",
+                web::delete().to(crate::web::permanently_delete_key_by_server),
+            )
+            // Original API routes
             .route("/{flow_id}/keys", web::get().to(get_keys))
             .route("/{flow_id}/keys", web::post().to(add_keys))
+            // Web interface routes
+            .route("/", web::get().to(crate::web::serve_web_interface))
+            .route(
+                "/static/{filename:.*}",
+                web::get().to(crate::web::serve_static_file),
+            )
     })
     .bind((args.ip.as_str(), args.port))?
     .run()

src/web.rs

@@ -0,0 +1,238 @@
+use actix_web::{web, HttpResponse, Result};
+use log::info;
+use rust_embed::RustEmbed;
+use serde_json::json;
+use std::sync::Arc;
+
+use crate::db::ReconnectingDbClient;
+use crate::server::Flows;
+
+#[derive(RustEmbed)]
+#[folder = "static/"]
+struct StaticAssets;
+
+// API endpoint to get list of available flows
+pub async fn get_flows_api(allowed_flows: web::Data<Vec<String>>) -> Result<HttpResponse> {
+    info!("API request for available flows");
+    Ok(HttpResponse::Ok().json(&**allowed_flows))
+}
+
+// API endpoint to deprecate a specific key by server name
+pub async fn delete_key_by_server(
+    flows: web::Data<Flows>,
+    path: web::Path<(String, String)>,
+    db_client: web::Data<Arc<ReconnectingDbClient>>,
+    allowed_flows: web::Data<Vec<String>>,
+) -> Result<HttpResponse> {
+    let (flow_id_str, server_name) = path.into_inner();
+
+    info!(
+        "API request to deprecate key for server '{}' in flow '{}'",
+        server_name, flow_id_str
+    );
+
+    if !allowed_flows.contains(&flow_id_str) {
+        return Ok(HttpResponse::Forbidden().json(json!({
+            "error": "Flow ID not allowed"
+        })));
+    }
+
+    // Deprecate in database
+    match db_client
+        .deprecate_key_by_server_reconnecting(server_name.clone(), flow_id_str.clone())
+        .await
+    {
+        Ok(deprecated_count) => {
+            if deprecated_count > 0 {
+                info!(
+                    "Deprecated {} key(s) for server '{}' in flow '{}'",
+                    deprecated_count, server_name, flow_id_str
+                );
+
+                // Refresh the in-memory flows
+                let updated_flows = match db_client.get_keys_from_db_reconnecting().await {
+                    Ok(flows) => flows,
+                    Err(e) => {
+                        return Ok(HttpResponse::InternalServerError().json(json!({
+                            "error": format!("Failed to refresh flows: {}", e)
+                        })));
+                    }
+                };
+
+                let mut flows_guard = flows.lock().unwrap();
+                *flows_guard = updated_flows;
+
+                Ok(HttpResponse::Ok().json(json!({
+                    "message": format!("Successfully deprecated {} key(s) for server '{}'", deprecated_count, server_name),
+                    "deprecated_count": deprecated_count
+                })))
+            } else {
+                Ok(HttpResponse::NotFound().json(json!({
+                    "error": format!("No keys found for server '{}'", server_name)
+                })))
+            }
+        }
+        Err(e) => Ok(HttpResponse::InternalServerError().json(json!({
+            "error": format!("Failed to deprecate key: {}", e)
+        }))),
+    }
+}
+
+// API endpoint to restore a deprecated key
+pub async fn restore_key_by_server(
+    flows: web::Data<Flows>,
+    path: web::Path<(String, String)>,
+    db_client: web::Data<Arc<ReconnectingDbClient>>,
+    allowed_flows: web::Data<Vec<String>>,
+) -> Result<HttpResponse> {
+    let (flow_id_str, server_name) = path.into_inner();
+
+    info!(
+        "API request to restore key for server '{}' in flow '{}'",
+        server_name, flow_id_str
+    );
+
+    if !allowed_flows.contains(&flow_id_str) {
+        return Ok(HttpResponse::Forbidden().json(json!({
+            "error": "Flow ID not allowed"
+        })));
+    }
+
+    // Restore in database
+    match db_client
+        .restore_key_by_server_reconnecting(server_name.clone(), flow_id_str.clone())
+        .await
+    {
+        Ok(restored_count) => {
+            if restored_count > 0 {
+                info!(
+                    "Restored {} key(s) for server '{}' in flow '{}'",
+                    restored_count, server_name, flow_id_str
+                );
+
+                // Refresh the in-memory flows
+                let updated_flows = match db_client.get_keys_from_db_reconnecting().await {
+                    Ok(flows) => flows,
+                    Err(e) => {
+                        return Ok(HttpResponse::InternalServerError().json(json!({
+                            "error": format!("Failed to refresh flows: {}", e)
+                        })));
+                    }
+                };
+
+                let mut flows_guard = flows.lock().unwrap();
+                *flows_guard = updated_flows;
+
+                Ok(HttpResponse::Ok().json(json!({
+                    "message": format!("Successfully restored {} key(s) for server '{}'", restored_count, server_name),
+                    "restored_count": restored_count
+                })))
+            } else {
+                Ok(HttpResponse::NotFound().json(json!({
+                    "error": format!("No deprecated keys found for server '{}'", server_name)
+                })))
+            }
+        }
+        Err(e) => Ok(HttpResponse::InternalServerError().json(json!({
+            "error": format!("Failed to restore key: {}", e)
+        }))),
+    }
+}
+
+// API endpoint to permanently delete a key
+pub async fn permanently_delete_key_by_server(
+    flows: web::Data<Flows>,
+    path: web::Path<(String, String)>,
+    db_client: web::Data<Arc<ReconnectingDbClient>>,
+    allowed_flows: web::Data<Vec<String>>,
+) -> Result<HttpResponse> {
+    let (flow_id_str, server_name) = path.into_inner();
+
+    info!(
+        "API request to permanently delete key for server '{}' in flow '{}'",
+        server_name, flow_id_str
+    );
+
+    if !allowed_flows.contains(&flow_id_str) {
+        return Ok(HttpResponse::Forbidden().json(json!({
+            "error": "Flow ID not allowed"
+        })));
+    }
+
+    // Permanently delete from database
+    match db_client
+        .permanently_delete_key_by_server_reconnecting(server_name.clone(), flow_id_str.clone())
+        .await
+    {
+        Ok(deleted_count) => {
+            if deleted_count > 0 {
+                info!(
+                    "Permanently deleted {} key(s) for server '{}' in flow '{}'",
+                    deleted_count, server_name, flow_id_str
+                );
+
+                // Refresh the in-memory flows
+                let updated_flows = match db_client.get_keys_from_db_reconnecting().await {
+                    Ok(flows) => flows,
+                    Err(e) => {
+                        return Ok(HttpResponse::InternalServerError().json(json!({
+                            "error": format!("Failed to refresh flows: {}", e)
+                        })));
+                    }
+                };
+
+                let mut flows_guard = flows.lock().unwrap();
+                *flows_guard = updated_flows;
+
+                Ok(HttpResponse::Ok().json(json!({
+                    "message": format!("Successfully deleted {} key(s) for server '{}'", deleted_count, server_name),
+                    "deleted_count": deleted_count
+                })))
+            } else {
+                Ok(HttpResponse::NotFound().json(json!({
+                    "error": format!("No keys found for server '{}'", server_name)
+                })))
+            }
+        }
+        Err(e) => Ok(HttpResponse::InternalServerError().json(json!({
+            "error": format!("Failed to delete key: {}", e)
+        }))),
+    }
+}
+
+// Serve static files from embedded assets
+pub async fn serve_static_file(path: web::Path<String>) -> Result<HttpResponse> {
+    let file_path = path.into_inner();
+
+    match StaticAssets::get(&file_path) {
+        Some(content) => {
+            let content_type = match std::path::Path::new(&file_path)
+                .extension()
+                .and_then(|s| s.to_str())
+            {
+                Some("html") => "text/html; charset=utf-8",
+                Some("css") => "text/css; charset=utf-8",
+                Some("js") => "application/javascript; charset=utf-8",
+                Some("png") => "image/png",
+                Some("jpg") | Some("jpeg") => "image/jpeg",
+                Some("svg") => "image/svg+xml",
+                _ => "application/octet-stream",
+            };
+
+            Ok(HttpResponse::Ok()
+                .content_type(content_type)
+                .body(content.data.as_ref().to_vec()))
+        }
+        None => Ok(HttpResponse::NotFound().body(format!("File not found: {}", file_path))),
+    }
+}
+
+// Serve the main web interface from embedded assets
+pub async fn serve_web_interface() -> Result<HttpResponse> {
+    match StaticAssets::get("index.html") {
+        Some(content) => Ok(HttpResponse::Ok()
+            .content_type("text/html; charset=utf-8")
+            .body(content.data.as_ref().to_vec())),
+        None => Ok(HttpResponse::NotFound().body("Web interface not found")),
+    }
+}

static/index.html

@@ -0,0 +1,143 @@
+<!DOCTYPE html>
+<html lang="en">
+<head>
+    <meta charset="UTF-8">
+    <meta name="viewport" content="width=device-width, initial-scale=1.0">
+    <title>SSH Key Manager</title>
+    <link rel="stylesheet" href="/static/style.css">
+    <link href="https://fonts.googleapis.com/css2?family=Inter:wght@300;400;500;600&display=swap" rel="stylesheet">
+</head>
+<body>
+    <div class="container">
+        <header>
+            <h1>SSH Key Manager</h1>
+            <div class="flow-selector">
+                <label for="flowSelect">Flow:</label>
+                <select id="flowSelect">
+                    <option value="">Select a flow...</option>
+                </select>
+                <button id="refreshBtn" class="btn btn-secondary">Refresh</button>
+            </div>
+        </header>
+
+        <main>
+            <div class="stats-panel">
+                <div class="stat-item">
+                    <span class="stat-value" id="totalKeys">0</span>
+                    <span class="stat-label">Total Keys</span>
+                </div>
+                <div class="stat-item">
+                    <span class="stat-value" id="uniqueServers">0</span>
+                    <span class="stat-label">Unique Servers</span>
+                </div>
+            </div>
+
+            <div class="actions-panel">
+                <button id="addKeyBtn" class="btn btn-primary">Add SSH Key</button>
+                <button id="bulkDeleteBtn" class="btn btn-danger" disabled>Deprecate Selected</button>
+                <button id="bulkPermanentDeleteBtn" class="btn btn-danger" disabled style="display: none;">Delete Selected</button>
+                
+                <div class="filter-controls">
+                    <label class="filter-label">
+                        <input type="checkbox" id="showDeprecatedOnly"> 
+                        <span>Show only deprecated keys</span>
+                    </label>
+                </div>
+                
+                <div class="search-box">
+                    <input type="text" id="searchInput" placeholder="Search servers or keys...">
+                </div>
+            </div>
+
+            <div class="keys-table-container">
+                <table class="keys-table">
+                    <thead>
+                        <tr>
+                            <th>
+                                <input type="checkbox" id="selectAll">
+                            </th>
+                            <th>Server/Type</th>
+                            <th>Key Preview</th>
+                            <th></th>
+                            <th>Actions</th>
+                        </tr>
+                    </thead>
+                    <tbody id="keysTableBody">
+                        <!-- Keys will be populated here -->
+                    </tbody>
+                </table>
+                <div id="noKeysMessage" class="no-keys-message" style="display: none;">
+                    No SSH keys found for this flow.
+                </div>
+            </div>
+
+            <div class="pagination">
+                <button id="prevPage" class="btn btn-secondary" disabled>Previous</button>
+                <span id="pageInfo">Page 1 of 1</span>
+                <button id="nextPage" class="btn btn-secondary" disabled>Next</button>
+            </div>
+        </main>
+    </div>
+
+    <!-- Add Key Modal -->
+    <div id="addKeyModal" class="modal">
+        <div class="modal-content">
+            <div class="modal-header">
+                <h2>Add SSH Key</h2>
+                <span class="close">&times;</span>
+            </div>
+            <div class="modal-body">
+                <form id="addKeyForm">
+                    <div class="form-group">
+                        <label for="serverInput">Server/Hostname:</label>
+                        <input type="text" id="serverInput" required placeholder="example.com">
+                    </div>
+                    <div class="form-group">
+                        <label for="keyInput">SSH Public Key:</label>
+                        <textarea id="keyInput" required placeholder="ssh-rsa AAAAB3..."></textarea>
+                    </div>
+                    <div class="form-actions">
+                        <button type="button" class="btn btn-secondary" id="cancelAdd">Cancel</button>
+                        <button type="submit" class="btn btn-primary">Add Key</button>
+                    </div>
+                </form>
+            </div>
+        </div>
+    </div>
+
+    <!-- View Key Modal -->
+    <div id="viewKeyModal" class="modal">
+        <div class="modal-content">
+            <div class="modal-header">
+                <h2>SSH Key Details</h2>
+                <span class="close">&times;</span>
+            </div>
+            <div class="modal-body">
+                <div class="form-group">
+                    <label>Server:</label>
+                    <div id="viewServer" class="read-only-field"></div>
+                </div>
+                <div class="form-group">
+                    <label>SSH Public Key:</label>
+                    <textarea id="viewKey" class="read-only-field" readonly></textarea>
+                </div>
+                <div class="form-actions">
+                    <button type="button" class="btn btn-secondary" id="closeView">Close</button>
+                    <button type="button" class="btn btn-primary" id="copyKey">Copy Key</button>
+                </div>
+            </div>
+        </div>
+    </div>
+
+    <!-- Loading Overlay -->
+    <div id="loadingOverlay" class="loading-overlay">
+        <div class="loading-spinner"></div>
+        <div class="loading-text">Loading...</div>
+    </div>
+
+    <!-- Toast Notifications -->
+    <div id="toastContainer" class="toast-container"></div>
+
+    <script src="/static/script.js"></script>
+</body>
+</html>

static/script.js

@@ -0,0 +1,857 @@
+class SSHKeyManager {
+    constructor() {
+        this.currentFlow = null;
+        this.keys = [];
+        this.filteredKeys = [];
+        this.groupedKeys = {};
+        this.expandedGroups = new Set();
+        this.currentPage = 1;
+        this.keysPerPage = 20;
+        this.serversPerPage = 10;
+        this.selectedKeys = new Set();
+        this.showDeprecatedOnly = false;
+        
+        this.initializeEventListeners();
+        this.loadFlows();
+    }
+
+    initializeEventListeners() {
+        // Flow selection
+        document.getElementById('flowSelect').addEventListener('change', (e) => {
+            this.currentFlow = e.target.value;
+            if (this.currentFlow) {
+                this.loadKeys();
+            } else {
+                this.clearTable();
+            }
+        });
+
+        // Refresh button
+        document.getElementById('refreshBtn').addEventListener('click', () => {
+            this.loadFlows();
+            if (this.currentFlow) {
+                this.loadKeys();
+            }
+        });
+
+        // Add key button
+        document.getElementById('addKeyBtn').addEventListener('click', () => {
+            this.showAddKeyModal();
+        });
+
+        // Bulk delete button
+        document.getElementById('bulkDeleteBtn').addEventListener('click', () => {
+            this.deleteSelectedKeys();
+        });
+
+        // Bulk permanent delete button
+        document.getElementById('bulkPermanentDeleteBtn').addEventListener('click', () => {
+            this.permanentlyDeleteSelectedKeys();
+        });
+
+        // Search input
+        document.getElementById('searchInput').addEventListener('input', (e) => {
+            this.filterKeys(e.target.value);
+        });
+
+        // Deprecated filter checkbox
+        document.getElementById('showDeprecatedOnly').addEventListener('change', (e) => {
+            this.showDeprecatedOnly = e.target.checked;
+            
+            // Update visual state
+            const filterLabel = e.target.closest('.filter-label');
+            if (e.target.checked) {
+                filterLabel.classList.add('active');
+            } else {
+                filterLabel.classList.remove('active');
+            }
+            
+            this.filterKeys(document.getElementById('searchInput').value);
+        });
+
+        // Select all checkbox
+        document.getElementById('selectAll').addEventListener('change', (e) => {
+            this.toggleSelectAll(e.target.checked);
+        });
+
+        // Pagination
+        document.getElementById('prevPage').addEventListener('click', () => {
+            this.changePage(this.currentPage - 1);
+        });
+
+        document.getElementById('nextPage').addEventListener('click', () => {
+            this.changePage(this.currentPage + 1);
+        });
+
+        // Modal events
+        this.initializeModalEvents();
+    }
+
+    initializeModalEvents() {
+        // Add key modal
+        const addModal = document.getElementById('addKeyModal');
+        const addForm = document.getElementById('addKeyForm');
+        
+        addForm.addEventListener('submit', (e) => {
+            e.preventDefault();
+            this.addKey();
+        });
+
+        document.getElementById('cancelAdd').addEventListener('click', () => {
+            this.hideModal('addKeyModal');
+        });
+
+        // View key modal
+        document.getElementById('closeView').addEventListener('click', () => {
+            this.hideModal('viewKeyModal');
+        });
+
+        document.getElementById('copyKey').addEventListener('click', () => {
+            this.copyKeyToClipboard();
+        });
+
+        // Close modals when clicking on close button or outside
+        document.querySelectorAll('.modal .close').forEach(closeBtn => {
+            closeBtn.addEventListener('click', (e) => {
+                this.hideModal(e.target.closest('.modal').id);
+            });
+        });
+
+        document.querySelectorAll('.modal').forEach(modal => {
+            modal.addEventListener('click', (e) => {
+                if (e.target === modal) {
+                    this.hideModal(modal.id);
+                }
+            });
+        });
+    }
+
+    async loadFlows() {
+        try {
+            this.showLoading();
+            const response = await fetch('/api/flows');
+            if (!response.ok) throw new Error('Failed to load flows');
+            
+            const flows = await response.json();
+            this.populateFlowSelector(flows);
+        } catch (error) {
+            this.showToast('Failed to load flows: ' + error.message, 'error');
+        } finally {
+            this.hideLoading();
+        }
+    }
+
+    populateFlowSelector(flows) {
+        const select = document.getElementById('flowSelect');
+        select.innerHTML = '<option value="">Select a flow...</option>';
+        
+        flows.forEach(flow => {
+            const option = document.createElement('option');
+            option.value = flow;
+            option.textContent = flow;
+            select.appendChild(option);
+        });
+        
+        // Auto-select the first flow if available
+        if (flows.length > 0) {
+            select.value = flows[0];
+            this.currentFlow = flows[0];
+            this.loadKeys();
+        }
+    }
+
+    async loadKeys() {
+        if (!this.currentFlow) return;
+
+        try {
+            this.showLoading();
+            const response = await fetch(`/${this.currentFlow}/keys?include_deprecated=true`);
+            if (!response.ok) throw new Error('Failed to load keys');
+            
+            this.keys = await response.json();
+            this.groupKeys();
+            this.filterKeys();
+            this.updateStats();
+            this.renderTable();
+            this.selectedKeys.clear();
+            this.updateBulkDeleteButton();
+        } catch (error) {
+            this.showToast('Failed to load keys: ' + error.message, 'error');
+            this.clearTable();
+        } finally {
+            this.hideLoading();
+        }
+    }
+
+    groupKeys() {
+        this.groupedKeys = {};
+        this.keys.forEach(key => {
+            if (!this.groupedKeys[key.server]) {
+                this.groupedKeys[key.server] = [];
+            }
+            this.groupedKeys[key.server].push(key);
+        });
+        
+        // Groups are closed by default - no auto-expand
+    }
+
+    filterKeys(searchTerm) {
+        let keys = [...this.keys];
+        
+        // Apply deprecated filter first
+        if (this.showDeprecatedOnly) {
+            keys = keys.filter(key => key.deprecated);
+        }
+        
+        // Then apply search filter
+        if (!searchTerm || !searchTerm.trim()) {
+            this.filteredKeys = keys;
+        } else {
+            const term = searchTerm.toLowerCase();
+            this.filteredKeys = keys.filter(key => 
+                key.server.toLowerCase().includes(term) || 
+                key.public_key.toLowerCase().includes(term)
+            );
+        }
+        
+        this.currentPage = 1;
+        this.renderTable();
+    }
+
+    updateStats() {
+        document.getElementById('totalKeys').textContent = this.keys.length;
+        
+        const uniqueServers = new Set(this.keys.map(key => key.server));
+        document.getElementById('uniqueServers').textContent = uniqueServers.size;
+    }
+
+    getGroupedFilteredKeys() {
+        const groupedFilteredKeys = {};
+        this.filteredKeys.forEach(key => {
+            if (!groupedFilteredKeys[key.server]) {
+                groupedFilteredKeys[key.server] = [];
+            }
+            groupedFilteredKeys[key.server].push(key);
+        });
+        return groupedFilteredKeys;
+    }
+
+    renderTable() {
+        const tbody = document.getElementById('keysTableBody');
+        const noKeysMessage = document.getElementById('noKeysMessage');
+        
+        if (this.filteredKeys.length === 0) {
+            tbody.innerHTML = '';
+            noKeysMessage.style.display = 'block';
+            this.updatePagination();
+            return;
+        }
+
+        noKeysMessage.style.display = 'none';
+        
+        // Group filtered keys by server
+        const groupedFilteredKeys = this.getGroupedFilteredKeys();
+        
+        // Calculate pagination for grouped view
+        const servers = Object.keys(groupedFilteredKeys).sort();
+        
+        // For pagination, we'll show a reasonable number of server groups per page
+        const startServerIndex = (this.currentPage - 1) * this.serversPerPage;
+        const endServerIndex = startServerIndex + this.serversPerPage;
+        const pageServers = servers.slice(startServerIndex, endServerIndex);
+        
+        let html = '';
+        
+        pageServers.forEach(server => {
+            const serverKeys = groupedFilteredKeys[server];
+            const activeCount = serverKeys.filter(k => !k.deprecated).length;
+            const deprecatedCount = serverKeys.filter(k => k.deprecated).length;
+            const isExpanded = this.expandedGroups.has(server);
+            
+            // Server group header
+            html += `
+                <tr class="host-group-header ${isExpanded ? '' : 'collapsed'}">
+                    <td>
+                        <input type="checkbox" 
+                               data-group="${this.escapeHtml(server)}" 
+                               onchange="sshKeyManager.toggleGroupSelection('${this.escapeHtml(server)}', this.checked)"
+                               onclick="event.stopPropagation()">
+                    </td>
+                    <td colspan="4" onclick="sshKeyManager.toggleGroup('${this.escapeHtml(server)}')" style="cursor: pointer;">
+                        <span class="expand-icon">${isExpanded ? '▼' : '▶'}</span>
+                        <strong>${this.escapeHtml(server)}</strong>
+                        <span class="host-summary">
+                            <span class="key-count">${serverKeys.length} keys</span>
+                            ${deprecatedCount > 0 ? `<span class="deprecated-count">${deprecatedCount} deprecated</span>` : ''}
+                        </span>
+                    </td>
+                </tr>
+            `;
+            
+            // Server keys (if expanded)
+            if (isExpanded) {
+                serverKeys.forEach(key => {
+                    const keyType = this.getKeyType(key.public_key);
+                    const keyPreview = this.getKeyPreview(key.public_key);
+                    const keyId = `${key.server}-${key.public_key}`;
+                    
+                    html += `
+                        <tr class="key-row${key.deprecated ? ' deprecated' : ''}">
+                            <td>
+                                <input type="checkbox" data-key-id="${keyId}" ${this.selectedKeys.has(keyId) ? 'checked' : ''}>
+                            </td>
+                            <td style="padding-left: 2rem;">
+                                <span class="key-type ${keyType.toLowerCase()}">${keyType}</span>
+                                ${key.deprecated ? '<span class="deprecated-badge">DEPRECATED</span>' : ''}
+                            </td>
+                            <td><span class="key-preview">${keyPreview}</span></td>
+                            <td></td>
+                            <td class="table-actions">
+                                <button class="btn btn-sm btn-secondary" onclick="sshKeyManager.viewKey('${keyId}')">View</button>
+                                ${key.deprecated ? 
+                                    `<button class="btn btn-sm btn-success" onclick="sshKeyManager.restoreKey('${keyId}')">Restore</button>
+                                     <button class="btn btn-sm btn-danger" onclick="sshKeyManager.permanentlyDeleteKey('${keyId}')">Delete</button>` : 
+                                    `<button class="btn btn-sm btn-danger" onclick="sshKeyManager.deleteKey('${keyId}')">Deprecate</button>`
+                                }
+                            </td>
+                        </tr>
+                    `;
+                });
+            }
+        });
+        
+        tbody.innerHTML = html;
+
+        // Add event listeners for checkboxes
+        tbody.querySelectorAll('input[type="checkbox"]').forEach(checkbox => {
+            checkbox.addEventListener('change', (e) => {
+                const keyId = e.target.dataset.keyId;
+                if (e.target.checked) {
+                    this.selectedKeys.add(keyId);
+                } else {
+                    this.selectedKeys.delete(keyId);
+                }
+                this.updateBulkDeleteButton();
+                this.updateSelectAllCheckbox();
+                this.updateGroupCheckboxes(); // Update group checkboxes when individual keys change
+            });
+        });
+
+        // Update group checkboxes to show correct indeterminate state
+        this.updateGroupCheckboxes();
+        this.updatePagination();
+    }
+
+    toggleGroup(server) {
+        if (this.expandedGroups.has(server)) {
+            this.expandedGroups.delete(server);
+        } else {
+            this.expandedGroups.add(server);
+        }
+        this.renderTable();
+    }
+
+    toggleGroupSelection(server, isChecked) {
+        const groupedFilteredKeys = this.getGroupedFilteredKeys();
+        const serverKeys = groupedFilteredKeys[server] || [];
+        
+        serverKeys.forEach(key => {
+            const keyId = `${key.server}-${key.public_key}`;
+            if (isChecked) {
+                this.selectedKeys.add(keyId);
+            } else {
+                this.selectedKeys.delete(keyId);
+            }
+        });
+        
+        this.updateBulkDeleteButton();
+        this.updateSelectAllCheckbox();
+        this.updateGroupCheckboxes();
+        
+        // Update individual checkboxes without full re-render
+        const tbody = document.getElementById('keysTableBody');
+        serverKeys.forEach(key => {
+            const keyId = `${key.server}-${key.public_key}`;
+            const checkbox = tbody.querySelector(`input[data-key-id="${keyId}"]`);
+            if (checkbox) {
+                checkbox.checked = this.selectedKeys.has(keyId);
+            }
+        });
+    }
+
+    updateGroupCheckboxes() {
+        const groupedFilteredKeys = this.getGroupedFilteredKeys();
+        const tbody = document.getElementById('keysTableBody');
+        
+        Object.keys(groupedFilteredKeys).forEach(server => {
+            const serverKeys = groupedFilteredKeys[server];
+            const groupCheckbox = tbody.querySelector(`input[data-group="${server}"]`);
+            
+            if (groupCheckbox) {
+                const allSelected = serverKeys.every(key => 
+                    this.selectedKeys.has(`${key.server}-${key.public_key}`)
+                );
+                const someSelected = serverKeys.some(key => 
+                    this.selectedKeys.has(`${key.server}-${key.public_key}`)
+                );
+                
+                groupCheckbox.checked = allSelected;
+                groupCheckbox.indeterminate = someSelected && !allSelected;
+            }
+        });
+    }
+
+    updatePagination() {
+        const groupedFilteredKeys = this.getGroupedFilteredKeys();
+        const totalServers = Object.keys(groupedFilteredKeys).length;
+        const totalPages = Math.ceil(totalServers / this.serversPerPage);
+        
+        document.getElementById('pageInfo').textContent = `Page ${this.currentPage} of ${totalPages}`;
+        document.getElementById('prevPage').disabled = this.currentPage <= 1;
+        document.getElementById('nextPage').disabled = this.currentPage >= totalPages;
+    }
+
+    changePage(newPage) {
+        const groupedFilteredKeys = this.getGroupedFilteredKeys();
+        const totalServers = Object.keys(groupedFilteredKeys).length;
+        const totalPages = Math.ceil(totalServers / this.serversPerPage);
+        
+        if (newPage >= 1 && newPage <= totalPages) {
+            this.currentPage = newPage;
+            this.renderTable();
+        }
+    }
+
+    toggleSelectAll(checked) {
+        this.selectedKeys.clear();
+        
+        if (checked) {
+            this.filteredKeys.forEach(key => {
+                const keyId = `${key.server}-${key.public_key}`;
+                this.selectedKeys.add(keyId);
+            });
+        }
+        
+        this.renderTable();
+        this.updateBulkDeleteButton();
+    }
+
+    updateSelectAllCheckbox() {
+        const selectAllCheckbox = document.getElementById('selectAll');
+        const visibleKeys = this.filteredKeys.length;
+        const selectedVisibleKeys = this.filteredKeys.filter(key => 
+            this.selectedKeys.has(`${key.server}-${key.public_key}`)
+        ).length;
+        
+        if (selectedVisibleKeys === 0) {
+            selectAllCheckbox.indeterminate = false;
+            selectAllCheckbox.checked = false;
+        } else if (selectedVisibleKeys === visibleKeys) {
+            selectAllCheckbox.indeterminate = false;
+            selectAllCheckbox.checked = true;
+        } else {
+            selectAllCheckbox.indeterminate = true;
+        }
+    }
+
+    updateBulkDeleteButton() {
+        const bulkDeleteBtn = document.getElementById('bulkDeleteBtn');
+        const bulkPermanentDeleteBtn = document.getElementById('bulkPermanentDeleteBtn');
+        
+        if (this.selectedKeys.size === 0) {
+            // No keys selected - hide both buttons
+            bulkDeleteBtn.disabled = true;
+            bulkDeleteBtn.textContent = 'Deprecate Selected';
+            bulkPermanentDeleteBtn.style.display = 'none';
+            bulkPermanentDeleteBtn.disabled = true;
+            return;
+        }
+
+        // Count selected active and deprecated keys
+        let activeCount = 0;
+        let deprecatedCount = 0;
+        
+        Array.from(this.selectedKeys).forEach(keyId => {
+            const key = this.findKeyById(keyId);
+            if (key) {
+                if (key.deprecated) {
+                    deprecatedCount++;
+                } else {
+                    activeCount++;
+                }
+            }
+        });
+
+        // Show/hide deprecate button
+        if (activeCount > 0) {
+            bulkDeleteBtn.disabled = false;
+            bulkDeleteBtn.textContent = `Deprecate Selected (${activeCount})`;
+        } else {
+            bulkDeleteBtn.disabled = true;
+            bulkDeleteBtn.textContent = 'Deprecate Selected';
+        }
+
+        // Show/hide permanent delete button
+        if (deprecatedCount > 0) {
+            bulkPermanentDeleteBtn.style.display = 'inline-flex';
+            bulkPermanentDeleteBtn.disabled = false;
+            bulkPermanentDeleteBtn.textContent = `Delete Selected (${deprecatedCount})`;
+        } else {
+            bulkPermanentDeleteBtn.style.display = 'none';
+            bulkPermanentDeleteBtn.disabled = true;
+        }
+    }
+
+    showAddKeyModal() {
+        if (!this.currentFlow) {
+            this.showToast('Please select a flow first', 'warning');
+            return;
+        }
+        
+        document.getElementById('serverInput').value = '';
+        document.getElementById('keyInput').value = '';
+        this.showModal('addKeyModal');
+    }
+
+    async addKey() {
+        const server = document.getElementById('serverInput').value.trim();
+        const publicKey = document.getElementById('keyInput').value.trim();
+        
+        if (!server || !publicKey) {
+            this.showToast('Please fill in all fields', 'warning');
+            return;
+        }
+
+        if (!this.validateSSHKey(publicKey)) {
+            this.showToast('Invalid SSH key format', 'error');
+            return;
+        }
+
+        try {
+            this.showLoading();
+            const response = await fetch(`/${this.currentFlow}/keys`, {
+                method: 'POST',
+                headers: {
+                    'Content-Type': 'application/json',
+                },
+                body: JSON.stringify([{
+                    server: server,
+                    public_key: publicKey
+                }])
+            });
+
+            if (!response.ok) {
+                const errorText = await response.text();
+                throw new Error(errorText || 'Failed to add key');
+            }
+
+            this.hideModal('addKeyModal');
+            this.showToast('SSH key added successfully', 'success');
+            await this.loadKeys();
+        } catch (error) {
+            this.showToast('Failed to add key: ' + error.message, 'error');
+        } finally {
+            this.hideLoading();
+        }
+    }
+
+    viewKey(keyId) {
+        const key = this.findKeyById(keyId);
+        if (!key) return;
+
+        document.getElementById('viewServer').textContent = key.server;
+        document.getElementById('viewKey').value = key.public_key;
+        this.showModal('viewKeyModal');
+    }
+
+    async deleteKey(keyId) {
+        const key = this.findKeyById(keyId);
+        if (!key) return;
+        
+        if (key.deprecated) {
+            this.showToast('This key is already deprecated', 'warning');
+            return;
+        }
+
+        if (!confirm('Are you sure you want to deprecate this SSH key?')) {
+            return;
+        }
+
+        try {
+            this.showLoading();
+            const response = await fetch(`/${this.currentFlow}/keys/${encodeURIComponent(key.server)}`, {
+                method: 'DELETE'
+            });
+
+            if (!response.ok) {
+                const errorText = await response.text();
+                throw new Error(errorText || 'Failed to deprecate key');
+            }
+
+            this.showToast('SSH key deprecated successfully', 'success');
+            await this.loadKeys();
+        } catch (error) {
+            this.showToast('Failed to deprecate key: ' + error.message, 'error');
+        } finally {
+            this.hideLoading();
+        }
+    }
+
+    async restoreKey(keyId) {
+        const key = this.findKeyById(keyId);
+        if (!key) return;
+        
+        if (!key.deprecated) {
+            this.showToast('This key is not deprecated', 'warning');
+            return;
+        }
+
+        if (!confirm('Are you sure you want to restore this SSH key from deprecated status?')) {
+            return;
+        }
+
+        try {
+            this.showLoading();
+            const response = await fetch(`/${this.currentFlow}/keys/${encodeURIComponent(key.server)}/restore`, {
+                method: 'POST'
+            });
+
+            if (!response.ok) {
+                const errorText = await response.text();
+                throw new Error(errorText || 'Failed to restore key');
+            }
+
+            this.showToast('SSH key restored successfully', 'success');
+            await this.loadKeys();
+        } catch (error) {
+            this.showToast('Failed to restore key: ' + error.message, 'error');
+        } finally {
+            this.hideLoading();
+        }
+    }
+
+    async permanentlyDeleteKey(keyId) {
+        const key = this.findKeyById(keyId);
+        if (!key) return;
+
+        if (!confirm('⚠️ Are you sure you want to PERMANENTLY DELETE this SSH key?\n\nThis action cannot be undone!')) {
+            return;
+        }
+
+        // Double confirmation for permanent deletion
+        if (!confirm('This will permanently remove the key from the database.\n\nConfirm permanent deletion?')) {
+            return;
+        }
+
+        try {
+            this.showLoading();
+            const response = await fetch(`/${this.currentFlow}/keys/${encodeURIComponent(key.server)}/delete`, {
+                method: 'DELETE'
+            });
+
+            if (!response.ok) {
+                const errorText = await response.text();
+                throw new Error(errorText || 'Failed to permanently delete key');
+            }
+
+            this.showToast('SSH key permanently deleted', 'success');
+            await this.loadKeys();
+        } catch (error) {
+            this.showToast('Failed to permanently delete key: ' + error.message, 'error');
+        } finally {
+            this.hideLoading();
+        }
+    }
+
+    async deleteSelectedKeys() {
+        if (this.selectedKeys.size === 0) return;
+
+        // Filter out already deprecated keys
+        const activeKeys = Array.from(this.selectedKeys).filter(keyId => {
+            const key = this.findKeyById(keyId);
+            return key && !key.deprecated;
+        });
+
+        if (activeKeys.length === 0) {
+            this.showToast('All selected keys are already deprecated', 'warning');
+            return;
+        }
+
+        if (!confirm(`Are you sure you want to deprecate ${activeKeys.length} selected SSH keys?`)) {
+            return;
+        }
+
+        try {
+            this.showLoading();
+            
+            const deprecatePromises = activeKeys.map(keyId => {
+                const key = this.findKeyById(keyId);
+                if (!key) return Promise.resolve();
+                
+                return fetch(`/${this.currentFlow}/keys/${encodeURIComponent(key.server)}`, {
+                    method: 'DELETE'
+                });
+            });
+
+            await Promise.all(deprecatePromises);
+            this.showToast(`${activeKeys.length} SSH keys deprecated successfully`, 'success');
+            await this.loadKeys();
+        } catch (error) {
+            this.showToast('Failed to deprecate selected keys: ' + error.message, 'error');
+        } finally {
+            this.hideLoading();
+        }
+    }
+
+    async permanentlyDeleteSelectedKeys() {
+        if (this.selectedKeys.size === 0) return;
+
+        // Filter only deprecated keys
+        const deprecatedKeys = Array.from(this.selectedKeys).filter(keyId => {
+            const key = this.findKeyById(keyId);
+            return key && key.deprecated;
+        });
+
+        if (deprecatedKeys.length === 0) {
+            this.showToast('No deprecated keys selected', 'warning');
+            return;
+        }
+
+        if (!confirm(`⚠️ Are you sure you want to PERMANENTLY DELETE ${deprecatedKeys.length} deprecated SSH keys?\n\nThis action cannot be undone!`)) {
+            return;
+        }
+
+        // Double confirmation for permanent deletion
+        if (!confirm('This will permanently remove the keys from the database.\n\nConfirm permanent deletion?')) {
+            return;
+        }
+
+        try {
+            this.showLoading();
+            
+            const deletePromises = deprecatedKeys.map(keyId => {
+                const key = this.findKeyById(keyId);
+                if (!key) return Promise.resolve();
+                
+                return fetch(`/${this.currentFlow}/keys/${encodeURIComponent(key.server)}/delete`, {
+                    method: 'DELETE'
+                });
+            });
+
+            await Promise.all(deletePromises);
+            this.showToast(`${deprecatedKeys.length} SSH keys permanently deleted`, 'success');
+            await this.loadKeys();
+        } catch (error) {
+            this.showToast('Failed to permanently delete selected keys: ' + error.message, 'error');
+        } finally {
+            this.hideLoading();
+        }
+    }
+
+    findKeyById(keyId) {
+        return this.keys.find(key => `${key.server}-${key.public_key}` === keyId);
+    }
+
+    validateSSHKey(key) {
+        const sshKeyRegex = /^(ssh-rsa|ssh-dss|ecdsa-sha2-nistp(256|384|521)|ssh-ed25519)\s+[A-Za-z0-9+/]+=*(\s+.*)?$/;
+        return sshKeyRegex.test(key.trim());
+    }
+
+    getKeyType(publicKey) {
+        if (publicKey.startsWith('ssh-rsa')) return 'RSA';
+        if (publicKey.startsWith('ssh-ed25519')) return 'ED25519';
+        if (publicKey.startsWith('ecdsa-sha2-nistp')) return 'ECDSA';
+        if (publicKey.startsWith('ssh-dss')) return 'DSA';
+        return 'Unknown';
+    }
+
+    getKeyPreview(publicKey) {
+        const parts = publicKey.split(' ');
+        if (parts.length >= 2) {
+            const keyPart = parts[1];
+            if (keyPart.length > 20) {
+                return keyPart.substring(0, 20) + '...';
+            }
+            return keyPart;
+        }
+        return publicKey.substring(0, 20) + '...';
+    }
+
+    escapeHtml(text) {
+        const map = {
+            '&': '&amp;',
+            '<': '&lt;',
+            '>': '&gt;',
+            '"': '&quot;',
+            "'": '&#039;'
+        };
+        return text.replace(/[&<>"']/g, (m) => map[m]);
+    }
+
+    copyKeyToClipboard() {
+        const keyTextarea = document.getElementById('viewKey');
+        keyTextarea.select();
+        keyTextarea.setSelectionRange(0, 99999);
+        
+        try {
+            document.execCommand('copy');
+            this.showToast('SSH key copied to clipboard', 'success');
+        } catch (error) {
+            this.showToast('Failed to copy to clipboard', 'error');
+        }
+    }
+
+    clearTable() {
+        document.getElementById('keysTableBody').innerHTML = '';
+        document.getElementById('noKeysMessage').style.display = 'block';
+        document.getElementById('totalKeys').textContent = '0';
+        document.getElementById('uniqueServers').textContent = '0';
+        this.selectedKeys.clear();
+        this.updateBulkDeleteButton();
+    }
+
+    showModal(modalId) {
+        document.getElementById(modalId).style.display = 'block';
+        document.body.style.overflow = 'hidden';
+    }
+
+    hideModal(modalId) {
+        document.getElementById(modalId).style.display = 'none';
+        document.body.style.overflow = 'auto';
+    }
+
+    showLoading() {
+        document.getElementById('loadingOverlay').style.display = 'block';
+    }
+
+    hideLoading() {
+        document.getElementById('loadingOverlay').style.display = 'none';
+    }
+
+    showToast(message, type = 'info') {
+        const toastContainer = document.getElementById('toastContainer');
+        const toast = document.createElement('div');
+        toast.className = `toast ${type}`;
+        toast.textContent = message;
+        
+        toastContainer.appendChild(toast);
+        
+        // Trigger animation
+        setTimeout(() => toast.classList.add('show'), 100);
+        
+        // Remove toast after 4 seconds
+        setTimeout(() => {
+            toast.classList.remove('show');
+            setTimeout(() => {
+                if (toast.parentNode) {
+                    toast.parentNode.removeChild(toast);
+                }
+            }, 300);
+        }, 4000);
+    }
+}
+
+// Initialize the SSH Key Manager when the page loads
+document.addEventListener('DOMContentLoaded', () => {
+    window.sshKeyManager = new SSHKeyManager();
+});

static/style.css

@@ -0,0 +1,665 @@
+:root {
+    --primary-color: #2563eb;
+    --primary-hover: #1d4ed8;
+    --secondary-color: #64748b;
+    --danger-color: #dc2626;
+    --danger-hover: #b91c1c;
+    --success-color: #16a34a;
+    --warning-color: #d97706;
+    --background: #f8fafc;
+    --surface: #ffffff;
+    --border: #e2e8f0;
+    --text-primary: #1e293b;
+    --text-secondary: #64748b;
+    --shadow: 0 1px 3px 0 rgb(0 0 0 / 0.1), 0 1px 2px -1px rgb(0 0 0 / 0.1);
+    --shadow-lg: 0 10px 15px -3px rgb(0 0 0 / 0.1), 0 4px 6px -4px rgb(0 0 0 / 0.1);
+    --border-radius: 0.5rem;
+    --font-family: 'Inter', sans-serif;
+}
+
+* {
+    margin: 0;
+    padding: 0;
+    box-sizing: border-box;
+}
+
+body {
+    font-family: var(--font-family);
+    background-color: var(--background);
+    color: var(--text-primary);
+    line-height: 1.6;
+}
+
+.container {
+    max-width: 1400px;
+    margin: 0 auto;
+    padding: 2rem;
+    min-height: 100vh;
+}
+
+header {
+    display: flex;
+    justify-content: space-between;
+    align-items: center;
+    margin-bottom: 2rem;
+    padding-bottom: 1rem;
+    border-bottom: 2px solid var(--border);
+}
+
+header h1 {
+    font-size: 2.5rem;
+    font-weight: 600;
+    color: var(--text-primary);
+}
+
+.flow-selector {
+    display: flex;
+    align-items: center;
+    gap: 1rem;
+}
+
+.flow-selector label {
+    font-weight: 500;
+    color: var(--text-secondary);
+}
+
+.flow-selector select {
+    padding: 0.5rem 1rem;
+    border: 1px solid var(--border);
+    border-radius: var(--border-radius);
+    background: var(--surface);
+    color: var(--text-primary);
+    font-size: 1rem;
+    min-width: 200px;
+}
+
+.btn {
+    padding: 0.5rem 1rem;
+    border: none;
+    border-radius: var(--border-radius);
+    font-size: 0.875rem;
+    font-weight: 500;
+    cursor: pointer;
+    transition: all 0.2s ease;
+    display: inline-flex;
+    align-items: center;
+    gap: 0.5rem;
+    text-decoration: none;
+}
+
+.btn:disabled {
+    opacity: 0.6;
+    cursor: not-allowed;
+}
+
+.btn-primary {
+    background-color: var(--primary-color);
+    color: white;
+}
+
+.btn-primary:hover:not(:disabled) {
+    background-color: var(--primary-hover);
+}
+
+.btn-secondary {
+    background-color: var(--secondary-color);
+    color: white;
+}
+
+.btn-secondary:hover:not(:disabled) {
+    background-color: #475569;
+}
+
+.btn-danger {
+    background-color: var(--danger-color);
+    color: white;
+}
+
+.btn-danger:hover:not(:disabled) {
+    background-color: var(--danger-hover);
+}
+
+.btn-success {
+    background-color: var(--success-color);
+    color: white;
+}
+
+.btn-success:hover:not(:disabled) {
+    background-color: #059669;
+}
+
+.btn-sm {
+    padding: 0.25rem 0.5rem;
+    font-size: 0.75rem;
+}
+
+.stats-panel {
+    display: grid;
+    grid-template-columns: repeat(auto-fit, minmax(200px, 1fr));
+    gap: 1rem;
+    margin-bottom: 2rem;
+}
+
+.stat-item {
+    background: var(--surface);
+    padding: 1.5rem;
+    border-radius: var(--border-radius);
+    box-shadow: var(--shadow);
+    text-align: center;
+}
+
+.stat-value {
+    display: block;
+    font-size: 2rem;
+    font-weight: 600;
+    color: var(--primary-color);
+}
+
+.stat-label {
+    color: var(--text-secondary);
+    font-size: 0.875rem;
+    font-weight: 500;
+}
+
+.actions-panel {
+    display: flex;
+    justify-content: space-between;
+    align-items: center;
+    margin-bottom: 1.5rem;
+    gap: 1rem;
+    flex-wrap: wrap;
+}
+
+.filter-controls {
+    display: flex;
+    align-items: center;
+    gap: 1rem;
+}
+
+.filter-label {
+    display: flex;
+    align-items: center;
+    gap: 0.5rem;
+    font-size: 0.875rem;
+    color: var(--text-primary);
+    cursor: pointer;
+    user-select: none;
+    padding: 0.5rem 0.75rem;
+    border-radius: var(--border-radius);
+    transition: background-color 0.2s ease;
+}
+
+.filter-label:hover {
+    background-color: var(--background);
+}
+
+.filter-label.active {
+    background-color: var(--primary-color);
+    color: white;
+}
+
+.filter-label.active input[type="checkbox"] {
+    accent-color: white;
+}
+
+.filter-label input[type="checkbox"] {
+    margin: 0;
+}
+
+.filter-label span {
+    white-space: nowrap;
+}
+
+.search-box input {
+    padding: 0.5rem 1rem;
+    border: 1px solid var(--border);
+    border-radius: var(--border-radius);
+    background: var(--surface);
+    color: var(--text-primary);
+    font-size: 1rem;
+    width: 300px;
+}
+
+.keys-table-container {
+    background: var(--surface);
+    border-radius: var(--border-radius);
+    box-shadow: var(--shadow);
+    overflow: hidden;
+    margin-bottom: 1.5rem;
+}
+
+.keys-table {
+    width: 100%;
+    border-collapse: collapse;
+}
+
+.keys-table th,
+.keys-table td {
+    padding: 1rem;
+    text-align: left;
+    border-bottom: 1px solid var(--border);
+}
+
+.keys-table th {
+    background-color: #f1f5f9;
+    font-weight: 600;
+    color: var(--text-primary);
+}
+
+.keys-table tbody tr:hover {
+    background-color: #f8fafc;
+}
+
+.keys-table tbody tr.deprecated {
+    opacity: 0.6;
+    background-color: #fef2f2;
+}
+
+.keys-table tbody tr.deprecated:hover {
+    background-color: #fee2e2;
+}
+
+.keys-table tbody tr.deprecated .key-preview,
+.keys-table tbody tr.deprecated td:nth-child(2) {
+    text-decoration: line-through;
+    color: var(--text-secondary);
+}
+
+.host-group-header {
+    background-color: #f1f5f9;
+    font-weight: 600;
+    transition: background-color 0.2s ease;
+    border-left: 4px solid var(--primary-color);
+}
+
+.host-group-header:hover {
+    background-color: #e2e8f0;
+}
+
+.host-group-header.collapsed {
+    border-left-color: var(--secondary-color);
+}
+
+.host-group-header .expand-icon {
+    transition: transform 0.2s ease;
+    display: inline-block;
+    margin-right: 0.5rem;
+    user-select: none;
+}
+
+.host-group-header.collapsed .expand-icon {
+    transform: rotate(-90deg);
+}
+
+.host-group-header input[type="checkbox"] {
+    margin: 0;
+}
+
+.host-group-header td:first-child {
+    width: 50px;
+    text-align: center;
+}
+
+.host-group-header td:nth-child(2) {
+    cursor: pointer;
+    user-select: none;
+}
+
+.key-row {
+    border-left: 4px solid transparent;
+}
+
+.key-row.hidden {
+    display: none;
+}
+
+.host-summary {
+    font-size: 0.875rem;
+    color: var(--text-secondary);
+}
+
+.key-count {
+    background-color: var(--primary-color);
+    color: white;
+    padding: 0.125rem 0.375rem;
+    border-radius: 0.25rem;
+    font-size: 0.75rem;
+    font-weight: 500;
+    margin-left: 0.5rem;
+}
+
+.deprecated-count {
+    background-color: var(--danger-color);
+    color: white;
+    padding: 0.125rem 0.375rem;
+    border-radius: 0.25rem;
+    font-size: 0.75rem;
+    font-weight: 500;
+    margin-left: 0.25rem;
+}
+
+.key-preview {
+    font-family: 'Monaco', 'Menlo', 'Ubuntu Mono', monospace;
+    font-size: 0.875rem;
+    color: var(--text-secondary);
+    max-width: 200px;
+    overflow: hidden;
+    text-overflow: ellipsis;
+    white-space: nowrap;
+}
+
+.key-type {
+    display: inline-block;
+    padding: 0.25rem 0.5rem;
+    background-color: #e0e7ff;
+    color: #3730a3;
+    border-radius: 0.25rem;
+    font-size: 0.75rem;
+    font-weight: 500;
+}
+
+.key-type.rsa { background-color: #fef3c7; color: #92400e; }
+.key-type.ed25519 { background-color: #dcfce7; color: #166534; }
+.key-type.ecdsa { background-color: #e0e7ff; color: #3730a3; }
+.key-type.dsa { background-color: #fce7f3; color: #9d174d; }
+
+.deprecated-badge {
+    display: inline-block;
+    padding: 0.25rem 0.5rem;
+    background-color: #fecaca;
+    color: #991b1b;
+    border-radius: 0.25rem;
+    font-size: 0.75rem;
+    font-weight: 500;
+    margin-left: 0.5rem;
+}
+
+.no-keys-message {
+    text-align: center;
+    padding: 3rem;
+    color: var(--text-secondary);
+    font-size: 1.125rem;
+}
+
+.pagination {
+    display: flex;
+    justify-content: center;
+    align-items: center;
+    gap: 1rem;
+}
+
+.modal {
+    display: none;
+    position: fixed;
+    z-index: 1000;
+    left: 0;
+    top: 0;
+    width: 100%;
+    height: 100%;
+    background-color: rgba(0, 0, 0, 0.5);
+    backdrop-filter: blur(4px);
+}
+
+.modal-content {
+    background-color: var(--surface);
+    margin: 5% auto;
+    padding: 0;
+    border-radius: var(--border-radius);
+    box-shadow: var(--shadow-lg);
+    width: 90%;
+    max-width: 600px;
+    max-height: 80vh;
+    overflow: hidden;
+}
+
+.modal-header {
+    display: flex;
+    justify-content: space-between;
+    align-items: center;
+    padding: 1.5rem;
+    border-bottom: 1px solid var(--border);
+}
+
+.modal-header h2 {
+    font-size: 1.5rem;
+    font-weight: 600;
+}
+
+.close {
+    font-size: 1.5rem;
+    font-weight: bold;
+    cursor: pointer;
+    color: var(--text-secondary);
+    padding: 0.5rem;
+    border-radius: var(--border-radius);
+    transition: all 0.2s ease;
+}
+
+.close:hover {
+    background-color: var(--background);
+    color: var(--text-primary);
+}
+
+.modal-body {
+    padding: 1.5rem;
+    max-height: 60vh;
+    overflow-y: auto;
+}
+
+.form-group {
+    margin-bottom: 1.5rem;
+}
+
+.form-group label {
+    display: block;
+    margin-bottom: 0.5rem;
+    font-weight: 500;
+    color: var(--text-primary);
+}
+
+.form-group input,
+.form-group textarea {
+    width: 100%;
+    padding: 0.75rem;
+    border: 1px solid var(--border);
+    border-radius: var(--border-radius);
+    font-size: 1rem;
+    font-family: var(--font-family);
+    background: var(--surface);
+    color: var(--text-primary);
+    transition: border-color 0.2s ease;
+}
+
+.form-group input:focus,
+.form-group textarea:focus {
+    outline: none;
+    border-color: var(--primary-color);
+    box-shadow: 0 0 0 3px rgba(37, 99, 235, 0.1);
+}
+
+.form-group textarea {
+    resize: vertical;
+    min-height: 120px;
+    font-family: 'Monaco', 'Menlo', 'Ubuntu Mono', monospace;
+    font-size: 0.875rem;
+}
+
+.read-only-field {
+    background-color: var(--background) !important;
+    cursor: not-allowed;
+}
+
+.form-actions {
+    display: flex;
+    justify-content: flex-end;
+    gap: 1rem;
+    margin-top: 2rem;
+}
+
+.loading-overlay {
+    display: none;
+    position: fixed;
+    z-index: 9999;
+    left: 0;
+    top: 0;
+    width: 100%;
+    height: 100%;
+    background-color: rgba(255, 255, 255, 0.9);
+    backdrop-filter: blur(4px);
+}
+
+.loading-spinner {
+    position: absolute;
+    top: 50%;
+    left: 50%;
+    transform: translate(-50%, -50%);
+    width: 40px;
+    height: 40px;
+    border: 4px solid var(--border);
+    border-top: 4px solid var(--primary-color);
+    border-radius: 50%;
+    animation: spin 1s linear infinite;
+}
+
+.loading-text {
+    position: absolute;
+    top: 60%;
+    left: 50%;
+    transform: translate(-50%, -50%);
+    color: var(--text-secondary);
+    font-weight: 500;
+}
+
+@keyframes spin {
+    0% { transform: translate(-50%, -50%) rotate(0deg); }
+    100% { transform: translate(-50%, -50%) rotate(360deg); }
+}
+
+.toast-container {
+    position: fixed;
+    top: 1rem;
+    right: 1rem;
+    z-index: 10000;
+    display: flex;
+    flex-direction: column;
+    gap: 0.5rem;
+}
+
+.toast {
+    padding: 1rem 1.5rem;
+    border-radius: var(--border-radius);
+    color: white;
+    font-weight: 500;
+    box-shadow: var(--shadow-lg);
+    transform: translateX(100%);
+    transition: transform 0.3s ease;
+    max-width: 400px;
+    display: flex;
+    align-items: center;
+    gap: 0.5rem;
+}
+
+.toast.show {
+    transform: translateX(0);
+}
+
+.toast.success {
+    background-color: var(--success-color);
+}
+
+.toast.error {
+    background-color: var(--danger-color);
+}
+
+.toast.warning {
+    background-color: var(--warning-color);
+}
+
+.toast.info {
+    background-color: var(--primary-color);
+}
+
+@media (max-width: 768px) {
+    .container {
+        padding: 1rem;
+    }
+
+    header {
+        flex-direction: column;
+        gap: 1rem;
+        align-items: stretch;
+    }
+
+    .actions-panel {
+        flex-direction: column;
+        align-items: stretch;
+        gap: 1rem;
+    }
+
+    .filter-controls {
+        justify-content: center;
+    }
+
+    .search-box input {
+        width: 100%;
+    }
+
+    .keys-table-container {
+        overflow-x: auto;
+    }
+
+    .keys-table {
+        min-width: 600px;
+    }
+
+    .modal-content {
+        margin: 10% auto;
+        width: 95%;
+    }
+
+    .form-actions {
+        flex-direction: column;
+    }
+
+    .stats-panel {
+        grid-template-columns: 1fr;
+    }
+}
+
+/* Checkbox styles */
+input[type="checkbox"] {
+    width: 1rem;
+    height: 1rem;
+    accent-color: var(--primary-color);
+}
+
+/* Indeterminate checkbox styling */
+input[type="checkbox"]:indeterminate {
+    background-color: var(--primary-color);
+    background-image: linear-gradient(90deg, transparent 40%, white 40%, white 60%, transparent 60%);
+    border-color: var(--primary-color);
+}
+
+/* Action buttons in table */
+.table-actions {
+    display: flex;
+    gap: 0.5rem;
+    align-items: center;
+}
+
+/* Error states */
+.form-group input:invalid,
+.form-group textarea:invalid {
+    border-color: var(--danger-color);
+}
+
+.form-group input:invalid:focus,
+.form-group textarea:invalid:focus {
+    box-shadow: 0 0 0 3px rgba(220, 38, 38, 0.1);
+}
+
+/* Success states */
+.form-group input:valid,
+.form-group textarea:valid {
+    border-color: var(--success-color);
+}